included JavaScript drag and drop API Xss sources

javascript/ql/lib/javascript.qll

@@ -88,6 +88,7 @@ import semmle.javascript.frameworks.D3
 import semmle.javascript.frameworks.data.ModelsAsData
 import semmle.javascript.frameworks.DateFunctions
 import semmle.javascript.frameworks.DigitalOcean
+import semmle.javascript.frameworks.DragAndDrop
 import semmle.javascript.frameworks.Electron
 import semmle.javascript.frameworks.EventEmitter
 import semmle.javascript.frameworks.Files

javascript/ql/lib/semmle/javascript/frameworks/DragAndDrop.qll

@@ -0,0 +1,63 @@
+/**
+ * Provides predicates for reasoning about dragAndDrop data.
+ */
+
+import javascript
+
+/**
+ * Gets a jQuery "drop" event.
+ * E.g. `e` in `$("#foo").on("drop", function(e) { ... })`.
+ */
+private DataFlow::SourceNode jQueryDropEvent(DataFlow::TypeTracker t) {
+  t.start() and
+  exists(DataFlow::CallNode call |
+    call = JQuery::objectRef().getAMethodCall(["bind", "on", "live", "one", "delegate"]) and
+    call.getArgument(0).mayHaveStringValue("drop")
+  |
+    result = call.getCallback(call.getNumArgument() - 1).getParameter(0)
+  )
+  or
+  exists(DataFlow::TypeTracker t2 | result = jQueryDropEvent(t2).track(t2, t))
+}
+
+/**
+ * Gets a DOM "drop" event.
+ * E.g. `e` in `document.addEventListener("drop", e => { ... })`.
+ */
+private DataFlow::SourceNode dropEvent(DataFlow::TypeTracker t) {
+  t.start() and
+  exists(DataFlow::CallNode call | call = DOM::domValueRef().getAMemberCall("addEventListener") |
+    call.getArgument(0).mayHaveStringValue("drop") and
+    result = call.getCallback(1).getParameter(0)
+  )
+  or
+  t.start() and
+  result = jQueryDropEvent(DataFlow::TypeTracker::end()).getAPropertyRead("originalEvent")
+  or
+  exists(DataFlow::TypeTracker t2 | result = dropEvent(t2).track(t2, t))
+}
+
+/**
+ * Gets a reference to the dragAndDropData DataTransfer object.
+ * https://developer.mozilla.org/docs/Web/API/HTML_Drag_and_Drop_API
+ */
+private DataFlow::SourceNode dragAndDropDataTransferSource(DataFlow::TypeTracker t) {
+  t.start() and
+  exists(DataFlow::PropRead read | read = result |
+    read.getPropertyName() = "dataTransfer" and
+    read.getBase().getALocalSource() = dropEvent(DataFlow::TypeTracker::end())
+  )
+  or
+  exists(DataFlow::TypeTracker t2 | result = dragAndDropDataTransferSource(t2).track(t2, t))
+}
+
+/**
+ * A reference to data from the dragAndDrop. Seen as a source for DOM-based XSS.
+ */
+private class DragAndDropSource extends RemoteFlowSource {
+  DragAndDropSource() {
+    this = dragAndDropDataTransferSource(DataFlow::TypeTracker::end()).getAMethodCall("getData")
+  }
+
+  override string getSourceType() { result = "DragAndDrop data" }
+}

javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/Xss.expected

@@ -295,6 +295,26 @@ nodes
 | dates.js:61:42:61:86 | dayjs.s ... (taint) |
 | dates.js:61:81:61:85 | taint |
 | dates.js:61:81:61:85 | taint |
+| dragAndDrop.ts:8:11:8:50 | html |
+| dragAndDrop.ts:8:11:8:50 | html |
+| dragAndDrop.ts:8:18:8:50 | dataTra ... /html') |
+| dragAndDrop.ts:8:18:8:50 | dataTra ... /html') |
+| dragAndDrop.ts:8:18:8:50 | dataTra ... /html') |
+| dragAndDrop.ts:15:25:15:28 | html |
+| dragAndDrop.ts:15:25:15:28 | html |
+| dragAndDrop.ts:15:25:15:28 | html |
+| dragAndDrop.ts:24:23:24:57 | e.dataT ... /html') |
+| dragAndDrop.ts:24:23:24:57 | e.dataT ... /html') |
+| dragAndDrop.ts:24:23:24:57 | e.dataT ... /html') |
+| dragAndDrop.ts:24:23:24:57 | e.dataT ... /html') |
+| dragAndDrop.ts:29:19:29:53 | e.dataT ... /html') |
+| dragAndDrop.ts:29:19:29:53 | e.dataT ... /html') |
+| dragAndDrop.ts:29:19:29:53 | e.dataT ... /html') |
+| dragAndDrop.ts:29:19:29:53 | e.dataT ... /html') |
+| dragAndDrop.ts:33:19:33:67 | e.origi ... /html') |
+| dragAndDrop.ts:33:19:33:67 | e.origi ... /html') |
+| dragAndDrop.ts:33:19:33:67 | e.origi ... /html') |
+| dragAndDrop.ts:33:19:33:67 | e.origi ... /html') |
 | event-handler-receiver.js:2:31:2:83 | '<h2><a ... ></h2>' |
 | event-handler-receiver.js:2:31:2:83 | '<h2><a ... ></h2>' |
 | event-handler-receiver.js:2:31:2:83 | '<h2><a ... ></h2>' |
@@ -1318,6 +1338,17 @@ edges
 | dates.js:61:42:61:86 | dayjs.s ... (taint) | dates.js:61:31:61:88 | `Time i ... aint)}` |
 | dates.js:61:81:61:85 | taint | dates.js:61:42:61:86 | dayjs.s ... (taint) |
 | dates.js:61:81:61:85 | taint | dates.js:61:42:61:86 | dayjs.s ... (taint) |
+| dragAndDrop.ts:8:11:8:50 | html | dragAndDrop.ts:15:25:15:28 | html |
+| dragAndDrop.ts:8:11:8:50 | html | dragAndDrop.ts:15:25:15:28 | html |
+| dragAndDrop.ts:8:11:8:50 | html | dragAndDrop.ts:15:25:15:28 | html |
+| dragAndDrop.ts:8:11:8:50 | html | dragAndDrop.ts:15:25:15:28 | html |
+| dragAndDrop.ts:8:18:8:50 | dataTra ... /html') | dragAndDrop.ts:8:11:8:50 | html |
+| dragAndDrop.ts:8:18:8:50 | dataTra ... /html') | dragAndDrop.ts:8:11:8:50 | html |
+| dragAndDrop.ts:8:18:8:50 | dataTra ... /html') | dragAndDrop.ts:8:11:8:50 | html |
+| dragAndDrop.ts:8:18:8:50 | dataTra ... /html') | dragAndDrop.ts:8:11:8:50 | html |
+| dragAndDrop.ts:24:23:24:57 | e.dataT ... /html') | dragAndDrop.ts:24:23:24:57 | e.dataT ... /html') |
+| dragAndDrop.ts:29:19:29:53 | e.dataT ... /html') | dragAndDrop.ts:29:19:29:53 | e.dataT ... /html') |
+| dragAndDrop.ts:33:19:33:67 | e.origi ... /html') | dragAndDrop.ts:33:19:33:67 | e.origi ... /html') |
 | event-handler-receiver.js:2:49:2:61 | location.href | event-handler-receiver.js:2:31:2:83 | '<h2><a ... ></h2>' |
 | event-handler-receiver.js:2:49:2:61 | location.href | event-handler-receiver.js:2:31:2:83 | '<h2><a ... ></h2>' |
 | event-handler-receiver.js:2:49:2:61 | location.href | event-handler-receiver.js:2:31:2:83 | '<h2><a ... ></h2>' |
@@ -2082,6 +2113,10 @@ edges
 | dates.js:57:31:57:101 | `Time i ... aint)}` | dates.js:54:36:54:55 | window.location.hash | dates.js:57:31:57:101 | `Time i ... aint)}` | Cross-site scripting vulnerability due to $@. | dates.js:54:36:54:55 | window.location.hash | user-provided value |
 | dates.js:59:31:59:87 | `Time i ... aint)}` | dates.js:54:36:54:55 | window.location.hash | dates.js:59:31:59:87 | `Time i ... aint)}` | Cross-site scripting vulnerability due to $@. | dates.js:54:36:54:55 | window.location.hash | user-provided value |
 | dates.js:61:31:61:88 | `Time i ... aint)}` | dates.js:54:36:54:55 | window.location.hash | dates.js:61:31:61:88 | `Time i ... aint)}` | Cross-site scripting vulnerability due to $@. | dates.js:54:36:54:55 | window.location.hash | user-provided value |
+| dragAndDrop.ts:15:25:15:28 | html | dragAndDrop.ts:8:18:8:50 | dataTra ... /html') | dragAndDrop.ts:15:25:15:28 | html | Cross-site scripting vulnerability due to $@. | dragAndDrop.ts:8:18:8:50 | dataTra ... /html') | user-provided value |
+| dragAndDrop.ts:24:23:24:57 | e.dataT ... /html') | dragAndDrop.ts:24:23:24:57 | e.dataT ... /html') | dragAndDrop.ts:24:23:24:57 | e.dataT ... /html') | Cross-site scripting vulnerability due to $@. | dragAndDrop.ts:24:23:24:57 | e.dataT ... /html') | user-provided value |
+| dragAndDrop.ts:29:19:29:53 | e.dataT ... /html') | dragAndDrop.ts:29:19:29:53 | e.dataT ... /html') | dragAndDrop.ts:29:19:29:53 | e.dataT ... /html') | Cross-site scripting vulnerability due to $@. | dragAndDrop.ts:29:19:29:53 | e.dataT ... /html') | user-provided value |
+| dragAndDrop.ts:33:19:33:67 | e.origi ... /html') | dragAndDrop.ts:33:19:33:67 | e.origi ... /html') | dragAndDrop.ts:33:19:33:67 | e.origi ... /html') | Cross-site scripting vulnerability due to $@. | dragAndDrop.ts:33:19:33:67 | e.origi ... /html') | user-provided value |
 | event-handler-receiver.js:2:31:2:83 | '<h2><a ... ></h2>' | event-handler-receiver.js:2:49:2:61 | location.href | event-handler-receiver.js:2:31:2:83 | '<h2><a ... ></h2>' | Cross-site scripting vulnerability due to $@. | event-handler-receiver.js:2:49:2:61 | location.href | user-provided value |
 | express.js:7:15:7:33 | req.param("wobble") | express.js:7:15:7:33 | req.param("wobble") | express.js:7:15:7:33 | req.param("wobble") | Cross-site scripting vulnerability due to $@. | express.js:7:15:7:33 | req.param("wobble") | user-provided value |
 | jquery.js:7:5:7:34 | "<div i ... + "\\">" | jquery.js:2:17:2:40 | documen ... .search | jquery.js:7:5:7:34 | "<div i ... + "\\">" | Cross-site scripting vulnerability due to $@. | jquery.js:2:17:2:40 | documen ... .search | user-provided value |

javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/XssWithAdditionalSources.expected

@@ -295,6 +295,26 @@ nodes
 | dates.js:61:42:61:86 | dayjs.s ... (taint) |
 | dates.js:61:81:61:85 | taint |
 | dates.js:61:81:61:85 | taint |
+| dragAndDrop.ts:8:11:8:50 | html |
+| dragAndDrop.ts:8:11:8:50 | html |
+| dragAndDrop.ts:8:18:8:50 | dataTra ... /html') |
+| dragAndDrop.ts:8:18:8:50 | dataTra ... /html') |
+| dragAndDrop.ts:8:18:8:50 | dataTra ... /html') |
+| dragAndDrop.ts:15:25:15:28 | html |
+| dragAndDrop.ts:15:25:15:28 | html |
+| dragAndDrop.ts:15:25:15:28 | html |
+| dragAndDrop.ts:24:23:24:57 | e.dataT ... /html') |
+| dragAndDrop.ts:24:23:24:57 | e.dataT ... /html') |
+| dragAndDrop.ts:24:23:24:57 | e.dataT ... /html') |
+| dragAndDrop.ts:24:23:24:57 | e.dataT ... /html') |
+| dragAndDrop.ts:29:19:29:53 | e.dataT ... /html') |
+| dragAndDrop.ts:29:19:29:53 | e.dataT ... /html') |
+| dragAndDrop.ts:29:19:29:53 | e.dataT ... /html') |
+| dragAndDrop.ts:29:19:29:53 | e.dataT ... /html') |
+| dragAndDrop.ts:33:19:33:67 | e.origi ... /html') |
+| dragAndDrop.ts:33:19:33:67 | e.origi ... /html') |
+| dragAndDrop.ts:33:19:33:67 | e.origi ... /html') |
+| dragAndDrop.ts:33:19:33:67 | e.origi ... /html') |
 | event-handler-receiver.js:2:31:2:83 | '<h2><a ... ></h2>' |
 | event-handler-receiver.js:2:31:2:83 | '<h2><a ... ></h2>' |
 | event-handler-receiver.js:2:31:2:83 | '<h2><a ... ></h2>' |
@@ -1368,6 +1388,17 @@ edges
 | dates.js:61:42:61:86 | dayjs.s ... (taint) | dates.js:61:31:61:88 | `Time i ... aint)}` |
 | dates.js:61:81:61:85 | taint | dates.js:61:42:61:86 | dayjs.s ... (taint) |
 | dates.js:61:81:61:85 | taint | dates.js:61:42:61:86 | dayjs.s ... (taint) |
+| dragAndDrop.ts:8:11:8:50 | html | dragAndDrop.ts:15:25:15:28 | html |
+| dragAndDrop.ts:8:11:8:50 | html | dragAndDrop.ts:15:25:15:28 | html |
+| dragAndDrop.ts:8:11:8:50 | html | dragAndDrop.ts:15:25:15:28 | html |
+| dragAndDrop.ts:8:11:8:50 | html | dragAndDrop.ts:15:25:15:28 | html |
+| dragAndDrop.ts:8:18:8:50 | dataTra ... /html') | dragAndDrop.ts:8:11:8:50 | html |
+| dragAndDrop.ts:8:18:8:50 | dataTra ... /html') | dragAndDrop.ts:8:11:8:50 | html |
+| dragAndDrop.ts:8:18:8:50 | dataTra ... /html') | dragAndDrop.ts:8:11:8:50 | html |
+| dragAndDrop.ts:8:18:8:50 | dataTra ... /html') | dragAndDrop.ts:8:11:8:50 | html |
+| dragAndDrop.ts:24:23:24:57 | e.dataT ... /html') | dragAndDrop.ts:24:23:24:57 | e.dataT ... /html') |
+| dragAndDrop.ts:29:19:29:53 | e.dataT ... /html') | dragAndDrop.ts:29:19:29:53 | e.dataT ... /html') |
+| dragAndDrop.ts:33:19:33:67 | e.origi ... /html') | dragAndDrop.ts:33:19:33:67 | e.origi ... /html') |
 | event-handler-receiver.js:2:49:2:61 | location.href | event-handler-receiver.js:2:31:2:83 | '<h2><a ... ></h2>' |
 | event-handler-receiver.js:2:49:2:61 | location.href | event-handler-receiver.js:2:31:2:83 | '<h2><a ... ></h2>' |
 | event-handler-receiver.js:2:49:2:61 | location.href | event-handler-receiver.js:2:31:2:83 | '<h2><a ... ></h2>' |

javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/dragAndDrop.ts

@@ -0,0 +1,34 @@
+$("#foo").on("drop", drop);
+
+function drop(e) {
+    const { dataTransfer } = e.originalEvent;
+    if (!dataTransfer) return;
+
+    const text = dataTransfer.getData('text/plain');
+    const html = dataTransfer.getData('text/html');
+    if (!text && !html) return;
+
+    e.preventDefault();
+
+    const div = document.createElement('div');
+    if (html) {
+        div.innerHTML = html; // NOT OK
+    } else {
+        div.textContent = text;
+    }
+    document.body.append(div);
+}
+
+export function install(el: HTMLElement): void {
+    el.addEventListener('drop', (e) => {
+        $("#id").html(e.dataTransfer.getData('text/html')); // NOT OK    
+    })
+}
+
+document.addEventListener('drop', (e) => {
+    $("#id").html(e.dataTransfer.getData('text/html')); // NOT OK
+});
+
+$("#foo").bind('drop', (e) => {
+    $("#id").html(e.originalEvent.dataTransfer.getData('text/html')); // NOT OK
+});