add utility predicate to get client-side remote-flow-sources that contain a URL query/fragment

2026-05-03 04:39:29 +02:00 · 2022-03-01 16:09:50 +01:00
parent 67e6a4c716
commit 2576e1f655
1 changed files with 11 additions and 0 deletions
--- a/javascript/ql/lib/semmle/javascript/security/TaintedUrlSuffix.qll
+++ b/javascript/ql/lib/semmle/javascript/security/TaintedUrlSuffix.qll
@@ -26,6 +26,17 @@ module TaintedUrlSuffix {
   */
  FlowLabel label() { result instanceof TaintedUrlSuffixLabel }

+  /**
+   * Gets a remote flow source that is a tainted URL query or fragment part.
+   */
+  ClientSideRemoteFlowSource source() {
+    result.getKind().isFragment()
+    or
+    result.getKind().isQuery()
+    or
+    result.getKind().isUrl()
+  }
+
  /** Holds for `pred -> succ` is a step of form `x -> x.p` */
  private predicate isSafeLocationProp(DataFlow::PropRead read) {
    // Ignore properties that refer to the scheme, domain, port, auth, or path.