JS: add RemoteFlowSource.isThirdPartyControllable()

Use it in ReflectedXSS and ServerSideURrlRedirect
2026-04-29 18:55:14 +02:00 · 2018-09-26 11:41:01 +01:00
parent b35f450b01
commit 271b2f3ce3
4 changed files with 24 additions and 7 deletions
--- a/javascript/ql/src/semmle/javascript/frameworks/HTTP.qll
+++ b/javascript/ql/src/semmle/javascript/frameworks/HTTP.qll
@@ -399,6 +399,13 @@ module HTTP {
     * Note that this predicate is functional.
     */
    abstract string getKind();
+
+    override predicate isThirdPartyControllable() {
+      exists (string kind | kind = getKind() |
+        kind = "parameter" or
+        kind = "url" or
+        kind = "body")
+    }
  }

  /**
--- a/javascript/ql/src/semmle/javascript/security/dataflow/ReflectedXss.qll
+++ b/javascript/ql/src/semmle/javascript/security/dataflow/ReflectedXss.qll
@@ -46,10 +46,7 @@ module ReflectedXss {
  /** A source of remote user input, considered as a flow source for reflected XSS. */
  class RemoteFlowSourceAsSource extends Source {
    RemoteFlowSourceAsSource() {
-      this instanceof RemoteFlowSource and
-      // cookies cannot be controlled by a third-party attacker, and hence are
-      // not relevant for reflected XSS
-      not this.(RemoteFlowSource).getSourceType() = "Server request cookie"
+      this.(RemoteFlowSource).isThirdPartyControllable()
    }
  }

--- a/javascript/ql/src/semmle/javascript/security/dataflow/RemoteFlowSources.qll
+++ b/javascript/ql/src/semmle/javascript/security/dataflow/RemoteFlowSources.qll
@@ -10,8 +10,19 @@ import semmle.javascript.security.dataflow.DOM
 abstract class RemoteFlowSource extends DataFlow::Node {
  /** Gets a string that describes the type of this remote flow source. */
  abstract string getSourceType();
-}

+  /**
+   * Holds if this flow source comes from an incoming request, and this part of the
+   * request can be controlled by a third party, that is, an actor other than the one
+   * sending the request.
+   *
+   * Any web site can redirect the visitor's browser to any other domain, and in doing so control
+   * the entire URL and POST body. In this scenario, these values are technically sent by the
+   * user's browser, but the user is not in direct control of these values, so they are considered
+   * third-party controllable.
+   */
+  predicate isThirdPartyControllable() { none() }
+}

 /**
 * An access to `document.cookie`, viewed as a source of remote user input.
--- a/javascript/ql/src/semmle/javascript/security/dataflow/ServerSideUrlRedirect.qll
+++ b/javascript/ql/src/semmle/javascript/security/dataflow/ServerSideUrlRedirect.qll
@@ -90,9 +90,11 @@ module ServerSideUrlRedirect {

  }

-  /** A source of remote user input, considered as a flow source for URL redirects. */
+  /** A source of third-party user input, considered as a flow source for URL redirects. */
  class RemoteFlowSourceAsSource extends Source {
-    RemoteFlowSourceAsSource() { this instanceof RemoteFlowSource }
+    RemoteFlowSourceAsSource() {
+      this.(RemoteFlowSource).isThirdPartyControllable()
+    }
  }

  /**