Merge pull request #5049 from erik-krogh/singleQuote

Approved by esbena
2026-04-27 17:55:19 +02:00 · 2021-02-02 13:48:42 -08:00
parent 047cd2b706 ca435763b0
commit 209fe8d7e5
6 changed files with 118 additions and 35 deletions
--- a/javascript/ql/src/semmle/javascript/security/IncompleteBlacklistSanitizer.qll
+++ b/javascript/ql/src/semmle/javascript/security/IncompleteBlacklistSanitizer.qll
@@ -23,7 +23,9 @@ abstract class IncompleteBlacklistSanitizer extends DataFlow::Node {
 * Describes the characters represented by `rep`.
 */
 string describeCharacters(string rep) {
-  rep = "\"" and result = "quotes"
+  rep = "\"" and result = "double quotes"
+  or
+  rep = "'" and result = "single quotes"
  or
  rep = "&" and result = "ampersands"
  or
@@ -86,6 +88,12 @@ module HtmlSanitization {
      chain.getAReplacementString() = "&#34;"
    )
    or
+    result = "'" and
+    (
+      chain.getAReplacedString() = result or
+      chain.getAReplacementString() = "&#39;"
+    )
+    or
    result = "&" and
    (
      chain.getAReplacedString() = result or
@@ -123,11 +131,7 @@ module HtmlSanitization {
        // replaces `<` and `>`
        getALikelyReplacedCharacter(chain) = "<" and
        getALikelyReplacedCharacter(chain) = ">" and
-        (
-          unsanitized = "\""
-          or
-          unsanitized = "&"
-        )
+        unsanitized = ["\"", "'", "&"]
        or
        // replaces '&' and either `<` or `>`
        getALikelyReplacedCharacter(chain) = "&" and
--- a/javascript/ql/src/semmle/javascript/security/dataflow/IncompleteHtmlAttributeSanitization.qll
+++ b/javascript/ql/src/semmle/javascript/security/dataflow/IncompleteHtmlAttributeSanitization.qll
@@ -14,7 +14,7 @@ module IncompleteHtmlAttributeSanitization {

  private module Label {
    class Quote extends DataFlow::FlowLabel {
-      Quote() { this = "\"" }
+      Quote() { this = ["\"", "'"] }
    }

    class Ampersand extends DataFlow::FlowLabel {
--- a/javascript/ql/src/semmle/javascript/security/dataflow/IncompleteHtmlAttributeSanitizationCustomizations.qll
+++ b/javascript/ql/src/semmle/javascript/security/dataflow/IncompleteHtmlAttributeSanitizationCustomizations.qll
@@ -49,11 +49,15 @@ module IncompleteHtmlAttributeSanitization {
   */
  class HtmlAttributeConcatenation extends StringOps::ConcatenationLeaf {
    string lhs;
+    string quote;

    HtmlAttributeConcatenation() {
-      lhs = this.getPreviousLeaf().getStringValue().regexpCapture("(?s)(.*)=\"[^\"]*", 1) and
+      quote = ["\"", "'"] and
+      exists(string prev | prev = this.getPreviousLeaf().getStringValue() |
+        lhs = prev.regexpCapture("(?s)(.*)=" + quote + "[^" + quote + "=<>]*", 1)
+      ) and
      (
-        this.getNextLeaf().getStringValue().regexpMatch(".*\".*") or
+        this.getNextLeaf().getStringValue().regexpMatch(".*" + quote + ".*") or
        this instanceof StringOps::HtmlConcatenationLeaf
      )
    }
@@ -62,6 +66,11 @@ module IncompleteHtmlAttributeSanitization {
     * Holds if the attribute value is interpreted as JavaScript source code.
     */
    predicate isInterpretedAsJavaScript() { lhs.regexpMatch("(?i)(.* )?on[a-z]+") }
+
+    /**
+     * Gets the quote symbol (" or ') that is used to mark the attribute value.
+     */
+    string getQuote() { result = quote }
  }

  /**
@@ -74,7 +83,7 @@ module IncompleteHtmlAttributeSanitization {
    override string getADangerousCharacter() {
      isInterpretedAsJavaScript() and result = "&"
      or
-      result = "\""
+      result = getQuote()
    }
  }