hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-05-01 19:55:15 +02:00
Code Issues Packages Projects Releases Wiki Activity

make query parameters in ServerSideProps and next/router

Browse Source 
as a RemoteFlowSource
This commit is contained in:
tyage
2022-10-26 14:41:07 +09:00
parent 1f4fc7fc2d
commit 232893aafa
3 changed files with 92 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
javascript/ql/lib/semmle/javascript/frameworks/Next.qll
View File

@@ -53,6 +53,15 @@ module NextJS {
.getAFunctionValue()
.getParameter(0)
.getAPropertyRead("params")
or
exists(DataFlow::ParameterNode params |
params = getServerSidePropsFunction(_).getParameter(0)
|
this = params.getAPropertyRead("params") or
this = params.getAPropertyRead("query")
)
or
this = nextRouter().getAPropertyRead("query")
}
override string getSourceType() { result = "Next request parameter" }

67
javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/Xss.expected
View File

@@ -504,6 +504,38 @@ nodes
| optionalSanitizer.js:45:29:45:47 | sanitizeBad(target) |
| optionalSanitizer.js:45:41:45:46 | target |
| optionalSanitizer.js:45:51:45:56 | target |
| pages/[id].jsx:5:9:5:14 | { id } |
| pages/[id].jsx:5:9:5:14 | { id } |
| pages/[id].jsx:5:9:5:29 | id |
| pages/[id].jsx:5:9:5:29 | id |
| pages/[id].jsx:5:11:5:12 | id |
| pages/[id].jsx:5:11:5:12 | id |
| pages/[id].jsx:5:18:5:29 | router.query |
| pages/[id].jsx:5:18:5:29 | router.query |
| pages/[id].jsx:5:18:5:29 | router.query |
| pages/[id].jsx:10:44:10:45 | id |
| pages/[id].jsx:10:44:10:45 | id |
| pages/[id].jsx:10:44:10:45 | id |
| pages/[id].jsx:13:44:13:52 | params.id |
| pages/[id].jsx:13:44:13:52 | params.id |
| pages/[id].jsx:13:44:13:52 | params.id |
| pages/[id].jsx:16:44:16:51 | params.q |
| pages/[id].jsx:16:44:16:51 | params.q |
| pages/[id].jsx:16:44:16:51 | params.q |
| pages/[id].jsx:25:11:25:24 | context.params |
| pages/[id].jsx:25:11:25:24 | context.params |
| pages/[id].jsx:25:11:25:24 | context.params |
| pages/[id].jsx:25:11:25:27 | context.params.id |
| pages/[id].jsx:25:11:25:27 | context.params.id |
| pages/[id].jsx:25:11:25:33 | context ... d \|\| "" |
| pages/[id].jsx:25:11:25:33 | context ... d \|\| "" |
| pages/[id].jsx:26:10:26:22 | context.query |
| pages/[id].jsx:26:10:26:22 | context.query |
| pages/[id].jsx:26:10:26:22 | context.query |
| pages/[id].jsx:26:10:26:30 | context ... .foobar |
| pages/[id].jsx:26:10:26:30 | context ... .foobar |
| pages/[id].jsx:26:10:26:36 | context ... r \|\| "" |
| pages/[id].jsx:26:10:26:36 | context ... r \|\| "" |
| react-native.js:7:7:7:33 | tainted |
| react-native.js:7:7:7:33 | tainted |
| react-native.js:7:17:7:33 | req.param("code") |
@@ -1604,6 +1636,38 @@ edges
| optionalSanitizer.js:45:41:45:46 | target | optionalSanitizer.js:45:29:45:47 | sanitizeBad(target) |
| optionalSanitizer.js:45:51:45:56 | target | optionalSanitizer.js:45:18:45:56 | sanitiz ... target |
| optionalSanitizer.js:45:51:45:56 | target | optionalSanitizer.js:45:18:45:56 | sanitiz ... target |
| pages/[id].jsx:5:9:5:14 | { id } | pages/[id].jsx:5:11:5:12 | id |
| pages/[id].jsx:5:9:5:14 | { id } | pages/[id].jsx:5:11:5:12 | id |
| pages/[id].jsx:5:9:5:29 | id | pages/[id].jsx:10:44:10:45 | id |
| pages/[id].jsx:5:9:5:29 | id | pages/[id].jsx:10:44:10:45 | id |
| pages/[id].jsx:5:9:5:29 | id | pages/[id].jsx:10:44:10:45 | id |
| pages/[id].jsx:5:9:5:29 | id | pages/[id].jsx:10:44:10:45 | id |
| pages/[id].jsx:5:11:5:12 | id | pages/[id].jsx:5:9:5:29 | id |
| pages/[id].jsx:5:11:5:12 | id | pages/[id].jsx:5:9:5:29 | id |
| pages/[id].jsx:5:18:5:29 | router.query | pages/[id].jsx:5:9:5:14 | { id } |
| pages/[id].jsx:5:18:5:29 | router.query | pages/[id].jsx:5:9:5:14 | { id } |
| pages/[id].jsx:5:18:5:29 | router.query | pages/[id].jsx:5:9:5:14 | { id } |
| pages/[id].jsx:5:18:5:29 | router.query | pages/[id].jsx:5:9:5:14 | { id } |
| pages/[id].jsx:25:11:25:24 | context.params | pages/[id].jsx:25:11:25:27 | context.params.id |
| pages/[id].jsx:25:11:25:24 | context.params | pages/[id].jsx:25:11:25:27 | context.params.id |
| pages/[id].jsx:25:11:25:24 | context.params | pages/[id].jsx:25:11:25:27 | context.params.id |
| pages/[id].jsx:25:11:25:24 | context.params | pages/[id].jsx:25:11:25:27 | context.params.id |
| pages/[id].jsx:25:11:25:27 | context.params.id | pages/[id].jsx:25:11:25:33 | context ... d \|\| "" |
| pages/[id].jsx:25:11:25:27 | context.params.id | pages/[id].jsx:25:11:25:33 | context ... d \|\| "" |
| pages/[id].jsx:25:11:25:33 | context ... d \|\| "" | pages/[id].jsx:13:44:13:52 | params.id |
| pages/[id].jsx:25:11:25:33 | context ... d \|\| "" | pages/[id].jsx:13:44:13:52 | params.id |
| pages/[id].jsx:25:11:25:33 | context ... d \|\| "" | pages/[id].jsx:13:44:13:52 | params.id |
| pages/[id].jsx:25:11:25:33 | context ... d \|\| "" | pages/[id].jsx:13:44:13:52 | params.id |
| pages/[id].jsx:26:10:26:22 | context.query | pages/[id].jsx:26:10:26:30 | context ... .foobar |
| pages/[id].jsx:26:10:26:22 | context.query | pages/[id].jsx:26:10:26:30 | context ... .foobar |
| pages/[id].jsx:26:10:26:22 | context.query | pages/[id].jsx:26:10:26:30 | context ... .foobar |
| pages/[id].jsx:26:10:26:22 | context.query | pages/[id].jsx:26:10:26:30 | context ... .foobar |
| pages/[id].jsx:26:10:26:30 | context ... .foobar | pages/[id].jsx:26:10:26:36 | context ... r \|\| "" |
| pages/[id].jsx:26:10:26:30 | context ... .foobar | pages/[id].jsx:26:10:26:36 | context ... r \|\| "" |
| pages/[id].jsx:26:10:26:36 | context ... r \|\| "" | pages/[id].jsx:16:44:16:51 | params.q |
| pages/[id].jsx:26:10:26:36 | context ... r \|\| "" | pages/[id].jsx:16:44:16:51 | params.q |
| pages/[id].jsx:26:10:26:36 | context ... r \|\| "" | pages/[id].jsx:16:44:16:51 | params.q |
| pages/[id].jsx:26:10:26:36 | context ... r \|\| "" | pages/[id].jsx:16:44:16:51 | params.q |
| react-native.js:7:7:7:33 | tainted | react-native.js:8:18:8:24 | tainted |
| react-native.js:7:7:7:33 | tainted | react-native.js:8:18:8:24 | tainted |
| react-native.js:7:7:7:33 | tainted | react-native.js:8:18:8:24 | tainted |
@@ -2287,6 +2351,9 @@ edges
| optionalSanitizer.js:39:18:39:25 | tainted3 | optionalSanitizer.js:26:16:26:39 | documen ... .search | optionalSanitizer.js:39:18:39:25 | tainted3 | Cross-site scripting vulnerability due to $@. | optionalSanitizer.js:26:16:26:39 | documen ... .search | user-provided value |
| optionalSanitizer.js:43:18:43:25 | tainted3 | optionalSanitizer.js:26:16:26:39 | documen ... .search | optionalSanitizer.js:43:18:43:25 | tainted3 | Cross-site scripting vulnerability due to $@. | optionalSanitizer.js:26:16:26:39 | documen ... .search | user-provided value |
| optionalSanitizer.js:45:18:45:56 | sanitiz ... target | optionalSanitizer.js:26:16:26:39 | documen ... .search | optionalSanitizer.js:45:18:45:56 | sanitiz ... target | Cross-site scripting vulnerability due to $@. | optionalSanitizer.js:26:16:26:39 | documen ... .search | user-provided value |
| pages/[id].jsx:10:44:10:45 | id | pages/[id].jsx:5:18:5:29 | router.query | pages/[id].jsx:10:44:10:45 | id | Cross-site scripting vulnerability due to $@. | pages/[id].jsx:5:18:5:29 | router.query | user-provided value |
| pages/[id].jsx:13:44:13:52 | params.id | pages/[id].jsx:25:11:25:24 | context.params | pages/[id].jsx:13:44:13:52 | params.id | Cross-site scripting vulnerability due to $@. | pages/[id].jsx:25:11:25:24 | context.params | user-provided value |
| pages/[id].jsx:16:44:16:51 | params.q | pages/[id].jsx:26:10:26:22 | context.query | pages/[id].jsx:16:44:16:51 | params.q | Cross-site scripting vulnerability due to $@. | pages/[id].jsx:26:10:26:22 | context.query | user-provided value |
| react-native.js:8:18:8:24 | tainted | react-native.js:7:17:7:33 | req.param("code") | react-native.js:8:18:8:24 | tainted | Cross-site scripting vulnerability due to $@. | react-native.js:7:17:7:33 | req.param("code") | user-provided value |
| react-native.js:9:27:9:33 | tainted | react-native.js:7:17:7:33 | req.param("code") | react-native.js:9:27:9:33 | tainted | Cross-site scripting vulnerability due to $@. | react-native.js:7:17:7:33 | req.param("code") | user-provided value |
| react-use-context.js:10:22:10:32 | window.name | react-use-context.js:10:22:10:32 | window.name | react-use-context.js:10:22:10:32 | window.name | Cross-site scripting vulnerability due to $@. | react-use-context.js:10:22:10:32 | window.name | user-provided value |

20
javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/pages/[id].jsx
View File

@@ -1,8 +1,20 @@
export default function Post({ id, q }) {
import { useRouter } from 'next/router'
export default function Post(params) {
const router = useRouter()
const { id } = router.query
return (
<>
<div dangerouslySetInnerHTML={{__html: id }} />
<div dangerouslySetInnerHTML={{__html: q }} />
<div
dangerouslySetInnerHTML={{ __html: id }} // NOT OK
/>
<div
dangerouslySetInnerHTML={{ __html: params.id }} // NOT OK
/>
<div
dangerouslySetInnerHTML={{ __html: params.q }} // NOT OK
/>
</>
)
}
@@ -10,7 +22,7 @@ export default function Post({ id, q }) {
export async function getServerSideProps(context) {
return {
props: {
id: context.params?.id || "",
id: context.params.id || "",
q: context.query?.foobar || "",
}
}