New remote source - reading from an @Input() decorated class member

2026-04-25 00:35:20 +02:00 · 2025-01-03 16:34:15 +00:00
parent 09e4c78b0f
commit 0f64822356
1 changed files with 33 additions and 0 deletions
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/RemoteFlowSources.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/RemoteFlowSources.qll
@@ -184,3 +184,36 @@ private class ExternalRemoteFlowSource extends RemoteFlowSource {

  override string getSourceType() { result = ap.getSourceType() }
 }
+
+// Angular @Input() decorator on a member declaration.
+class InputMember extends MemberDeclaration {
+  InputMember() {
+    exists(Decorator decorator, Expr expr |
+        decorator.getElement() = this
+        and decorator.getExpression() = expr
+        and expr.(CallExpr).getCallee().(VarRef).getName() = "Input"
+    )
+  }
+}
+
+// Use of an Angular @Input() member.
+class InputMemberUse extends DataFlow::Node {
+    InputMemberUse() {
+        exists(InputMember member, string memberName, ThisExpr ta, FieldAccess fa |
+            memberName = member.getName()
+            and fa.getBase() = ta
+            and fa.getPropertyName() = memberName
+            and this.asExpr() = fa
+        )
+    }
+}
+
+private class AngularInputUse extends RemoteFlowSource {
+  AngularInputUse() {
+    exists(  InputMemberUse inputUse |
+      this = inputUse
+    )
+  }
+
+  override string getSourceType() { result = "Angular @Input()" }
+}