detect DOM nodes from event callbacks

This commit is contained in:
Erik Krogh Kristensen
2021-02-08 16:00:50 +01:00
parent be9636491b
commit 101d4358a9
3 changed files with 30 additions and 2 deletions


@@ -361,9 +361,19 @@ module DOM {
* Gets a reference to a DOM event.
*/
private DataFlow::SourceNode domEventSource() {
// e.g. <form onSubmit={e => e.target}/>
exists(JSXAttribute attr | attr.getName().matches("on%") |
result = attr.getValue().flow().getABoundFunctionValue(0).getParameter(0)
)
or
// node.addEventListener("submit", e => e.target)
result = domValueRef().getAMethodCall("addEventListener").getABoundCallbackParameter(1, 0)
or
// node.onSubmit = (e => e.target);
exists(DataFlow::PropWrite write | write = domValueRef().getAPropertyWrite() |
write.getPropertyName().matches("on%") and
result = write.getRhs().getAFunctionValue().getParameter(0)
)
}
/** Gets a data flow node that refers directly to a value from the DOM. */
@@ -377,7 +387,6 @@ module DOM {
t.start() and
result = domValueRef().getAMethodCall(["item", "namedItem"])
or
// e.g. <form onSubmit={e => e.target}/>
t.startInProp("target") and
result = domEventSource()
or
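Review bot: The JSX branch of `domEventSource` accepts any attribute whose name starts with `on` (`attr.getName().matches("on%")`), so a prop such as `onboarding={x => ...}` on a custom component turns that callback's first parameter into a DOM event, and the third branch applies the same prefix test to property writes. Since the second hunk then extends `domValueRef()` through `target`, every such mismatch becomes an extra taint source for the XSS-through-DOM query, i.e. the imprecision surfaces as false positives rather than missed findings. Restricting the JSX case to attributes of built-in elements, e.g. `attr.getElement().getName().regexpMatch("[a-z].*")` (assuming the attribute's owning element is reachable this way), and adding a negative case next to `vanillaJS` in the test file would pin the intended scope. The doc comment would also be clearer if it named the three shapes it recognizes, e.g. `Gets a reference to a DOM event: the first parameter of a handler given as a JSX on* attribute, an addEventListener callback, or an on* property write.`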


@@ -44,6 +44,12 @@ nodes
| forms.js:93:25:93:30 | values |
| forms.js:93:25:93:35 | values.name |
| forms.js:93:25:93:35 | values.name |
| forms.js:103:23:103:36 | e.target.value |
| forms.js:103:23:103:36 | e.target.value |
| forms.js:103:23:103:36 | e.target.value |
| forms.js:107:23:107:36 | e.target.value |
| forms.js:107:23:107:36 | e.target.value |
| forms.js:107:23:107:36 | e.target.value |
| xss-through-dom.js:2:16:2:34 | $("textarea").val() |
| xss-through-dom.js:2:16:2:34 | $("textarea").val() |
| xss-through-dom.js:2:16:2:34 | $("textarea").val() |
@@ -130,6 +136,8 @@ edges
| forms.js:92:26:92:36 | getValues() | forms.js:92:17:92:36 | values |
| forms.js:93:25:93:30 | values | forms.js:93:25:93:35 | values.name |
| forms.js:93:25:93:30 | values | forms.js:93:25:93:35 | values.name |
| forms.js:103:23:103:36 | e.target.value | forms.js:103:23:103:36 | e.target.value |
| forms.js:107:23:107:36 | e.target.value | forms.js:107:23:107:36 | e.target.value |
| xss-through-dom.js:2:16:2:34 | $("textarea").val() | xss-through-dom.js:2:16:2:34 | $("textarea").val() |
| xss-through-dom.js:4:16:4:40 | $(".som ... .text() | xss-through-dom.js:4:16:4:40 | $(".som ... .text() |
| xss-through-dom.js:8:16:8:53 | $(".som ... arget") | xss-through-dom.js:8:16:8:53 | $(".som ... arget") |
@@ -159,6 +167,8 @@ edges
| forms.js:57:19:57:32 | e.target.value | forms.js:57:19:57:32 | e.target.value | forms.js:57:19:57:32 | e.target.value | $@ is reinterpreted as HTML without escaping meta-characters. | forms.js:57:19:57:32 | e.target.value | DOM text |
| forms.js:72:19:72:27 | data.name | forms.js:71:21:71:24 | data | forms.js:72:19:72:27 | data.name | $@ is reinterpreted as HTML without escaping meta-characters. | forms.js:71:21:71:24 | data | DOM text |
| forms.js:93:25:93:35 | values.name | forms.js:92:26:92:36 | getValues() | forms.js:93:25:93:35 | values.name | $@ is reinterpreted as HTML without escaping meta-characters. | forms.js:92:26:92:36 | getValues() | DOM text |
| forms.js:103:23:103:36 | e.target.value | forms.js:103:23:103:36 | e.target.value | forms.js:103:23:103:36 | e.target.value | $@ is reinterpreted as HTML without escaping meta-characters. | forms.js:103:23:103:36 | e.target.value | DOM text |
| forms.js:107:23:107:36 | e.target.value | forms.js:107:23:107:36 | e.target.value | forms.js:107:23:107:36 | e.target.value | $@ is reinterpreted as HTML without escaping meta-characters. | forms.js:107:23:107:36 | e.target.value | DOM text |
| xss-through-dom.js:2:16:2:34 | $("textarea").val() | xss-through-dom.js:2:16:2:34 | $("textarea").val() | xss-through-dom.js:2:16:2:34 | $("textarea").val() | $@ is reinterpreted as HTML without escaping meta-characters. | xss-through-dom.js:2:16:2:34 | $("textarea").val() | DOM text |
| xss-through-dom.js:4:16:4:40 | $(".som ... .text() | xss-through-dom.js:4:16:4:40 | $(".som ... .text() | xss-through-dom.js:4:16:4:40 | $(".som ... .text() | $@ is reinterpreted as HTML without escaping meta-characters. | xss-through-dom.js:4:16:4:40 | $(".som ... .text() | DOM text |
| xss-through-dom.js:8:16:8:53 | $(".som ... arget") | xss-through-dom.js:8:16:8:53 | $(".som ... arget") | xss-through-dom.js:8:16:8:53 | $(".som ... arget") | $@ is reinterpreted as HTML without escaping meta-characters. | xss-through-dom.js:8:16:8:53 | $(".som ... arget") | DOM text |


@@ -97,4 +97,13 @@ function HookForm2() {
</form>
);
}
function vanillaJS() {
document.querySelector("form.myform").addEventListener("submit", e => {
$("#id").html(e.target.value); // NOT OK
});
document.querySelector("form.myform").onsubmit = function (e) {
$("#id").html(e.target.value); // NOT OK
}
}