changes based on review

2026-05-09 07:31:37 +02:00 · 2020-01-30 14:04:04 +01:00
parent 7637ebcc03
commit 162c19c348
6 changed files with 70 additions and 42 deletions
--- a/javascript/ql/src/semmle/javascript/frameworks/Logging.qll
+++ b/javascript/ql/src/semmle/javascript/frameworks/Logging.qll
@@ -17,7 +17,7 @@ abstract class LoggerCall extends DataFlow::CallNode {
 /**
 * Gets a log level name that is used in RFC5424, `npm`, `console`.
 */
-private string getAStandardLoggerMethodName() {
+string getAStandardLoggerMethodName() {
  result = "crit" or
  result = "debug" or
  result = "error" or
--- a/javascript/ql/src/semmle/javascript/security/dataflow/ExceptionXss.qll
+++ b/javascript/ql/src/semmle/javascript/security/dataflow/ExceptionXss.qll
@@ -16,27 +16,21 @@ module ExceptionXss {
   * Gets the name of a method that does not leak taint from its arguments if an exception is thrown by the method.
   */
  private string getAnUnlikelyToThrowMethodName() {
-    result = "getElementById" or
-    result = "indexOf" or
-    result = "stringify" or
-    result = "assign" or
-    // fs methods. (The callback argument to the async functions are vulnerable, but its unlikely that the callback is the user-controlled part).
-    result = "existsSync" or
-    result = "exists" or
-    result = "writeFileSync" or
-    result = "writeFile" or
-    result = "appendFile" or
-    result = "appendFileSync" or
-    result = "pick" or
-    // log.info etc.
-    result = "info" or
-    result = "warn" or
-    result = "error" or
-    result = "join" or
+    result = "getElementById" or // document.getElementById
+    result = "indexOf" or // String.prototype.indexOf
+    result = "assign" or // Object.assign
+    result = "pick" or // _.pick
+    result = getAStandardLoggerMethodName() or // log.info etc.
    result = "val" or // $.val
    result = "parse" or // JSON.parse
-    result = "push" or // Array.prototype.push
-    result = "test" // RegExp.prototype.test
+    result = "stringify" or // JSON.stringify
+    result = "test" or // RegExp.prototype.test
+    result = "setItem" or // localStorage.setItem
+    result = "existsSync" or
+    // the "fs" methods are a mix of "this is safe" and "you have bigger problems".
+    exists(ExternalMemberDecl decl | decl.hasQualifiedName("fs", result)) or
+    // Array methods are generally exception safe.
+    exists(ExternalMemberDecl decl | decl.hasQualifiedName("Array", result))
  }

  /**
@@ -104,7 +98,7 @@ module ExceptionXss {
    }

    /**
-     * Get the parameter in the callback that contains an error.
+     * Gets the parameter in the callback that contains an error.
     * In the current implementation this is always the first parameter.
     */
    DataFlow::Node getErrorParam() { result = errorParameter }
--- a/javascript/ql/src/semmle/javascript/security/dataflow/Xss.qll
+++ b/javascript/ql/src/semmle/javascript/security/dataflow/Xss.qll
@@ -51,24 +51,6 @@ module Shared {
      )
    }
  }
-  
-  /**
-   * A property read from a safe property is considered a sanitizer.
-   */
-  class SafePropertyReadSanitizer extends Sanitizer, DataFlow::Node {
-    SafePropertyReadSanitizer() {
-      exists(PropAccess pacc | pacc = this.asExpr() |
-        isSafeLocationProperty(pacc)
-        or
-        // `$(location.hash)` is a fairly common and safe idiom
-        // (because `location.hash` always starts with `#`),
-        // so we mark `hash` as safe for the purposes of this query
-        pacc.getPropertyName() = "hash"
-        or
-        pacc.getPropertyName() = "length"
-      )
-    }
-  }
 }

 /** Provides classes and predicates for the DOM-based XSS query. */
@@ -277,6 +259,24 @@ module DomBasedXss {
    }
  }

+  /**
+   * A property read from a safe property is considered a sanitizer.
+   */
+  class SafePropertyReadSanitizer extends Sanitizer, DataFlow::Node {
+    SafePropertyReadSanitizer() {
+      exists(PropAccess pacc | pacc = this.asExpr() |
+        isSafeLocationProperty(pacc)
+        or
+        // `$(location.hash)` is a fairly common and safe idiom
+        // (because `location.hash` always starts with `#`),
+        // so we mark `hash` as safe for the purposes of this query
+        pacc.getPropertyName() = "hash"
+        or
+        pacc.getPropertyName() = "length"
+      )
+    }
+  }
+
  /**
   * A regexp replacement involving an HTML meta-character, viewed as a sanitizer for
   * XSS vulnerabilities.
@@ -287,8 +287,6 @@ module DomBasedXss {
  private class MetacharEscapeSanitizer extends Sanitizer, Shared::MetacharEscapeSanitizer { }

  private class UriEncodingSanitizer extends Sanitizer, Shared::UriEncodingSanitizer { }
-  
-  private class SafePropertyReadSanitizer extends Sanitizer, Shared::SafePropertyReadSanitizer {}
 }

 /** Provides classes and predicates for the reflected XSS query. */