add taint-step for serialize-javascript

This commit is contained in:
Erik Krogh Kristensen
2021-06-06 22:48:53 +02:00
parent e276e2684e
commit 0adc001df0
8 changed files with 61 additions and 1 deletions


@@ -29,7 +29,8 @@ private class PlainJsonParserCall extends JsonParserCall {
callee = DataFlow::moduleImport("parse-json") or
callee = DataFlow::moduleImport("json-parse-better-errors") or
callee = DataFlow::moduleImport("json-safe-parse") or
callee = AngularJS::angular().getAPropertyRead("fromJson")
callee = AngularJS::angular().getAPropertyRead("fromJson") or
callee = DataFlow::moduleImport("serialize-javascript")
)
}
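Review bot: The new `serialize-javascript` disjunct is placed in `PlainJsonParserCall`, a `JsonParserCall`, although that library serializes values rather than parsing them; as a taint step this works, but it is misleading to the next reader and to any other predicate that takes `JsonParserCall` as evidence that the result is a parsed object (how `JsonParserCall` is consumed elsewhere is not visible from this hunk). I would either move it to its own taint-step class or annotate the disjunct, `// serialize-javascript serializes rather than parses; listed here only so that taint flows from its argument to its result`. The enclosing `PlainJsonParserCall` constructor starts outside the hunk.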


@@ -55,6 +55,17 @@ module Shared {
}
}
/**
* A call to `serialize-javascript`, which prevents XSS vulnerabilities unless
* the `unsafe` option is set.t
*/
class SerializeJavascriptSanitizer extends Sanitizer, DataFlow::CallNode {
SerializeJavascriptSanitizer() {
this = DataFlow::moduleImport("serialize-javascript").getACall() and
not this.getOptionArgument(1, "unsafe").mayHaveBooleanValue(true)
}
}
private import semmle.javascript.security.dataflow.IncompleteHtmlAttributeSanitizationCustomizations::IncompleteHtmlAttributeSanitization as IncompleteHTML
/**
@@ -359,6 +370,9 @@ module DomBasedXss {
private class UriEncodingSanitizer extends Sanitizer, Shared::UriEncodingSanitizer { }
private class SerializeJavascriptSanitizer extends Sanitizer, Shared::SerializeJavascriptSanitizer {
}
private class IsEscapedInSwitchSanitizer extends Sanitizer, Shared::IsEscapedInSwitchSanitizer { }
private class QuoteGuard extends SanitizerGuard, Shared::QuoteGuard { }
@@ -497,6 +511,9 @@ module ReflectedXss {
private class UriEncodingSanitizer extends Sanitizer, Shared::UriEncodingSanitizer { }
private class SerializeJavascriptSanitizer extends Sanitizer, Shared::SerializeJavascriptSanitizer {
}
private class IsEscapedInSwitchSanitizer extends Sanitizer, Shared::IsEscapedInSwitchSanitizer { }
private class QuoteGuard extends SanitizerGuard, Shared::QuoteGuard { }
@@ -534,6 +551,9 @@ module StoredXss {
private class UriEncodingSanitizer extends Sanitizer, Shared::UriEncodingSanitizer { }
private class SerializeJavascriptSanitizer extends Sanitizer, Shared::SerializeJavascriptSanitizer {
}
private class IsEscapedInSwitchSanitizer extends Sanitizer, Shared::IsEscapedInSwitchSanitizer { }
private class QuoteGuard extends SanitizerGuard, Shared::QuoteGuard { }
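Review bot: In the `Shared` hunk, `SerializeJavascriptSanitizer` only excludes calls whose second argument visibly carries `unsafe: true`; an options object that comes from a variable, a spread or a config lookup does not satisfy `mayHaveBooleanValue(true)`, so such calls are still treated as sanitizers even when `unsafe` may be set at runtime. That false-negative bias may be an acceptable trade-off, but it should be stated in the QLDoc, which also has a stray `t` after `set.`; I would rewrite the comment as `A call to serialize-javascript, which escapes its output for embedding in a script context unless the unsafe option is set; calls whose options are not a literal object are assumed to be safe.` The same class is then registered unconditionally in the DomBasedXss, ReflectedXss and StoredXss hunks below, where the sink may be an HTML attribute or text context rather than a script block; as far as I know serialize-javascript escapes `<`, `>`, `/` and the U+2028/U+2029 line terminators but does not HTML-escape quotes, so a short note that the sanitizer is only sound for script-context sinks would help whoever later tunes the XSS queries.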