From 1c7383b606cb69b3d04bb5dd71e8a4bc0796b6ed Mon Sep 17 00:00:00 2001
From: Esben Sparre Andreasen
Date: Tue, 6 Oct 2020 13:11:35 +0200
Subject: [PATCH] Remove 2020 sinks from Xss.ql

---
 javascript/ql/lib/semmle/javascript/DOM.qll | 29 -------------------
 .../semmle/javascript/frameworks/jQuery.qll | 8 -----
 .../javascript/security/dataflow/Xss.qll | 11 -------
 3 files changed, 48 deletions(-)

diff --git a/javascript/ql/lib/semmle/javascript/DOM.qll b/javascript/ql/lib/semmle/javascript/DOM.qll
index 67f75ce7fa9..ec958b89aa7 100644
--- a/javascript/ql/lib/semmle/javascript/DOM.qll
+++ b/javascript/ql/lib/semmle/javascript/DOM.qll
@@ -354,35 +354,6 @@ module DOM {
 call.getNumArgument() = 1 and
 unique(InferredType t | t = getArgumentTypeFromJQueryMethodGet(call)) = TTNumber()
 )
- or
- // A `this` node from a callback given to a `$().each(callback)` call.
- // purposely not using JQuery::MethodCall to avoid `jquery.each()`.
- exists(DataFlow::CallNode eachCall | eachCall = JQuery::objectRef().getAMethodCall("each") |
- this = DataFlow::thisNode(eachCall.getCallback(0).getFunction()) or
- this = eachCall.getABoundCallbackParameter(0, 1)
- )
- or
- // A read of an array-element from a JQuery object. E.g. `$("#foo")[0]`
- exists(DataFlow::PropRead read |
- read = this and read = JQuery::objectRef().getAPropertyRead()
- |
- unique(InferredType t | t = read.getPropertyNameExpr().analyze().getAType()) = TTNumber()
- )
- or
- // A receiver node of an event handler on a DOM node
- exists(DataFlow::SourceNode domNode, DataFlow::FunctionNode eventHandler |
- // NOTE: we do not use `getABoundFunctionValue()`, since bound functions tend to have
- // a different receiver anyway
- eventHandler = domNode.getAPropertySource(any(string n | n.matches("on%")))
- or
- eventHandler =
- domNode.getAMethodCall("addEventListener").getArgument(1).getAFunctionValue()
- |
- domNode = domValueRef() and
- this = eventHandler.getReceiver()
- )
- or
- this = DataFlow::thisNode(any(EventHandlerCode evt))
 }
 }
 }
diff --git a/javascript/ql/lib/semmle/javascript/frameworks/jQuery.qll b/javascript/ql/lib/semmle/javascript/frameworks/jQuery.qll
index 28a01dba7ab..e65f6d70dcf 100644
--- a/javascript/ql/lib/semmle/javascript/frameworks/jQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/frameworks/jQuery.qll
@@ -463,14 +463,6 @@ module JQuery {
 }
 }
- /**
- * A `this` node in a JQuery plugin function, which is a JQuery object.
- */
- private class JQueryPluginThisObject extends Range {
- JQueryPluginThisObject() {
- this = DataFlow::thisNode(any(JQueryPluginMethod method).getFunction())
- }
- }
 }
 /** Gets a source of jQuery objects from the AST-based `JQueryObject` class. */
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/Xss.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/Xss.qll
index 501eed347c5..53047a18dab 100644
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/Xss.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/Xss.qll
@@ -183,17 +183,6 @@ module DomBasedXss {
 this = any(Typeahead::TypeaheadSuggestionFunction f).getAReturn()
 or
 this = any(Handlebars::SafeString s).getAnArgument()
- or
- this = any(JQuery::MethodCall call | call.getMethodName() = "jGrowl").getArgument(0)
- or
- // A construction of a JSDOM object (server side DOM), where scripts are allowed.
- exists(DataFlow::NewNode instance |
- instance = API::moduleImport("jsdom").getMember("JSDOM").getInstance().getAnImmediateUse() and
- this = instance.getArgument(0) and
- instance.getOptionArgument(1, "runScripts").mayHaveStringValue("dangerously")
- )
- or
- MooTools::interpretsNodeAsHtml(this)
 }
 }