add navigation.navigate as an XSS / URL sink

2026-05-02 04:05:14 +02:00 · 2022-06-29 14:56:20 +02:00
parent 8988a02806
commit 0e4954a68c
4 changed files with 24 additions and 1 deletions
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/ClientSideUrlRedirectCustomizations.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/ClientSideUrlRedirectCustomizations.qll
@@ -106,6 +106,10 @@ module ClientSideUrlRedirect {
      ) and
      xss = true
      or
+      // A call to `navigation.navigate`
+      this = DataFlow::globalVarRef("navigation").getAMethodCall("navigate").getArgument(0) and
+      xss = true
+      or
      // An assignment to `location`
      exists(Assignment assgn | isLocation(assgn.getTarget()) and astNode = assgn.getRhs()) and
      xss = true