JS: Add source to XssThroughDom

2026-04-27 17:55:19 +02:00 · 2021-03-11 09:31:37 +00:00
parent 18cfe72e99
commit 0c6e161277
1 changed files with 26 additions and 1 deletions
--- a/javascript/ql/src/semmle/javascript/security/dataflow/XssThroughDomCustomizations.qll
+++ b/javascript/ql/src/semmle/javascript/security/dataflow/XssThroughDomCustomizations.qll
@@ -27,6 +27,13 @@ module XssThroughDom {
    result = ["name", "value", "title", "alt"]
  }

+  /**
+   * Gets a DOM property name that could store user-controlled data.
+   */
+  string unsafeDomPropertyName() {
+    result = ["innerText", "textContent", "value", "name"]
+  }
+
  /**
   * A source for text from the DOM from a JQuery method call.
   */
@@ -51,6 +58,24 @@ module XssThroughDom {
    }
  }

+  /**
+   * A source for text from the DOM from a `d3` method call.
+   */
+  class D3TextSource extends Source {
+    D3TextSource() {
+      exists(DataFlow::MethodCallNode call, string methodName, string argValue |
+        this = call and
+        call = D3::d3Selection().getMember(methodName).getACall() and
+        call.getNumArgument() = 1 and
+        call.getArgument(0).mayHaveStringValue(argValue)
+      |
+        methodName = "attr" and argValue = unsafeAttributeName()
+        or
+        methodName = "property" and argValue = unsafeDomPropertyName()
+      )
+    }
+  }
+
  /**
   * A source for text from the DOM from a DOM property read or call to `getAttribute()`.
   */
@@ -58,7 +83,7 @@ module XssThroughDom {
    DOMTextSource() {
      exists(DataFlow::PropRead read | read = this |
        read.getBase().getALocalSource() = DOM::domValueRef() and
-        read.mayHavePropertyName(["innerText", "textContent", "value", "name"])
+        read.mayHavePropertyName(unsafeDomPropertyName())
      )
      or
      exists(DataFlow::MethodCallNode mcn | mcn = this |