hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-23 15:55:18 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'change/adjust-extracted-files-diagnostics' of https://github.com/sidshank/codeql into change/adjust-extracted-files-diagnostics

Browse Source
This commit is contained in:
Sid Shankar
2024-01-17 14:32:36 +00:00
parent 0824ab77e9 59098be8c4
commit 2c683c910f
598 changed files with 207550 additions and 24866 deletions
Download Patch File Download Diff File Expand all files Collapse all files

26
javascript/extractor/lib/typescript/src/type_table.ts
View File

@@ -421,16 +421,42 @@ export class TypeTable {
return id;
}
/**
* Caches the result of `getId`: `type -> [id (not unfolded), id (unfolded)]`.
*
* A value of `undefined` means the value is not yet computed,
* and `number | null` corresponds to the return value of `getId`.
*/
private idCache = new WeakMap<ts.Type, [number | null | undefined, number | null | undefined]>();
/**
* Gets the canonical ID for the given type, generating a fresh ID if necessary.
*
* Returns `null` if we do not support extraction of this type.
*/
public getId(type: ts.Type, unfoldAlias: boolean): number | null {
let cached = this.idCache.get(type) ?? [undefined, undefined];
let cachedValue = cached[unfoldAlias ? 1 : 0];
if (cachedValue !== undefined) return cachedValue;
let result = this.getIdRaw(type, unfoldAlias);
cached[unfoldAlias ? 1 : 0] = result;
return result;
}
/**
* Gets the canonical ID for the given type, generating a fresh ID if necessary.
*
* Returns `null` if we do not support extraction of this type.
*/
public getIdRaw(type: ts.Type, unfoldAlias: boolean): number | null {
if (this.typeRecursionDepth > 100) {
// Ignore infinitely nested anonymous types, such as `{x: {x: {x: ... }}}`.
// Such a type can't be written directly with TypeScript syntax (as it would need to be named),
// but it can occur rarely as a result of type inference.
// Caching this value is technically incorrect, as a type might be seen at depth 101 and then we cache the fact that it can't be extracted.
// Then later the type is seen at a lower depth and could be extracted, but then we immediately give up because of the cached failure.
return null;
}
// Replace very long string literal types with `string`.

2
javascript/extractor/src/com/semmle/js/extractor/AutoBuild.java
View File

@@ -153,7 +153,7 @@ import com.semmle.util.trap.TrapWriter;
* <li>All JavaScript files, that is, files with one of the extensions supported by {@link
* FileType#JS} (currently ".js", ".jsx", ".mjs", ".cjs", ".es6", ".es").
* <li>All HTML files, that is, files with with one of the extensions supported by {@link
* FileType#HTML} (currently ".htm", ".html", ".xhtm", ".xhtml", ".vue", ".html.erb", ".jsp").
* FileType#HTML} (currently ".htm", ".html", ".xhtm", ".xhtml", ".vue", ".html.erb", ".html.dot", ".jsp").
* <li>All YAML files, that is, files with one of the extensions supported by {@link
* FileType#YAML} (currently ".raml", ".yaml", ".yml").
* <li>Files with base name "package.json" or "tsconfig.json", and files whose base name

8
javascript/extractor/src/com/semmle/js/extractor/FileExtractor.java
View File

@@ -103,7 +103,7 @@ public class FileExtractor {
/** Information about supported file types. */
public static enum FileType {
HTML(".htm", ".html", ".xhtm", ".xhtml", ".vue", ".hbs", ".ejs", ".njk", ".erb", ".jsp") {
HTML(".htm", ".html", ".xhtm", ".xhtml", ".vue", ".hbs", ".ejs", ".njk", ".erb", ".jsp", ".dot") {
@Override
public IExtractor mkExtractor(ExtractorConfig config, ExtractorState state) {
return new HTMLExtractor(config, state);
@@ -125,6 +125,12 @@ public class FileExtractor {
return false;
}
}
// for DOT files we are only interrested in `.html.dot` files
if (FileUtil.extension(f).equalsIgnoreCase(".dot")) {
if (!f.getName().toLowerCase().endsWith(".html.dot")) {
return false;
}
}
return super.contains(f, lcExt, config);
}
},

4
javascript/extractor/src/com/semmle/js/extractor/TemplateEngines.java
View File

@@ -8,13 +8,13 @@ import com.semmle.util.trap.TrapWriter.Label;
public class TemplateEngines {
private static final String MUSTACHE_TAG_TRIPLE = "\\{\\{\\{[~]?(.*?)[~]?\\}\\}\\}"; // {{{ x }}}
private static final String MUSTACHE_TAG_DOUBLE = "\\{\\{(?!\\{)[~&]?(.*?)[~]?\\}\\}"; // {{ x }}}
private static final String MUSTACHE_TAG_DOUBLE = "\\{\\{(?!\\{)[~&!=]?(.*?)[~]?\\}\\}"; // {{ x }}}
private static final String MUSTACHE_TAG_PERCENT = "\\{%(?!>)(.*?)%\\}"; // {% x %}
private static final String EJS_TAG = "<%(?![%<>}])[-=]?(.*?)[_-]?%>"; // <% x %>
/** Pattern for a template tag whose contents should be parsed as an expression */
public static final Pattern TEMPLATE_EXPR_OPENING_TAG =
Pattern.compile("^(?:\\{\\{\\{?|<%[-=])"); // {{, {{{, <%=, <%-
Pattern.compile("^(?:\\{\\{[{!]?|<%[-=])"); // {{, {{{, {{!, <%=, <%-
/**
* Pattern matching a template tag from a supported template engine.

4
javascript/ql/lib/CHANGELOG.md
View File

@@ -1,3 +1,7 @@
## 0.8.6
No user-facing changes.
## 0.8.5
No user-facing changes.

3
javascript/ql/lib/change-notes/released/0.8.6.md Normal file
View File

@@ -0,0 +1,3 @@
## 0.8.6
No user-facing changes.

2
javascript/ql/lib/codeql-pack.release.yml
View File

@@ -1,2 +1,2 @@
---
lastReleaseVersion: 0.8.5
lastReleaseVersion: 0.8.6

2
javascript/ql/lib/qlpack.yml
View File

@@ -1,5 +1,5 @@
name: codeql/javascript-all
version: 0.8.6-dev
version: 0.8.7-dev
groups: javascript
dbscheme: semmlecode.javascript.dbscheme
extractor: javascript

8
javascript/ql/lib/semmle/javascript/frameworks/React.qll
View File

@@ -852,13 +852,13 @@ private class StateTaintStep extends TaintTracking::SharedTaintStep {
}
/**
* A taint propagating data flow edge for assignments of the form `c1.props.p = v`,
* A data propagating data flow edge for assignments of the form `c1.props.p = v`,
* where `c1` is an instance of React component `C`; in this case, we consider
* taint to flow from `v` to any read of `c2.props.p`, where `c2`
* data to flow from `v` to any read of `c2.props.p`, where `c2`
* also is an instance of `C`.
*/
private class PropsTaintStep extends TaintTracking::SharedTaintStep {
override predicate viewComponentStep(DataFlow::Node pred, DataFlow::Node succ) {
private class PropsFlowStep extends PreCallGraphStep {
override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
exists(ReactComponent c, string name, DataFlow::PropRead prn |
prn = c.getAPropRead(name) or
prn = c.getAPreviousPropsSource().getAPropertyRead(name)

16
javascript/ql/lib/semmle/javascript/frameworks/Templating.qll
View File

@@ -580,6 +580,22 @@ module Templating {
override string getAPackageName() { result = "ejs" }
}
/**
* doT-style syntax, using `{{! }}` for safe interpolation, and `{{= }}` for
* unsafe interpolation.
*/
private class DotStyleSyntax extends TemplateSyntax {
DotStyleSyntax() { this = "dot" }
override string getRawInterpolationRegexp() { result = "(?s)\\{\\{!(.*?)\\}\\}" }
override string getEscapingInterpolationRegexp() { result = "(?s)\\{\\{=(.*?)\\}\\}" }
override string getAFileExtension() { result = "dot" }
override string getAPackageName() { result = "dot" }
}
private TemplateSyntax getOwnTemplateSyntaxInFolder(Folder f) {
exists(PackageDependencies deps |
deps.getADependency(result.getAPackageName(), _) and

4
javascript/ql/lib/semmle/javascript/frameworks/data/internal/ApiGraphModelsSpecific.qll
View File

@@ -48,6 +48,8 @@ predicate parseTypeString(string rawType, string package, string qualifiedName)
predicate isPackageUsed(string package) {
exists(DataFlow::moduleImport(package))
or
exists(JS::PackageJson json | json.getPackageName() = package)
or
package = "global"
or
any(DataFlow::SourceNode sn).hasUnderlyingType(package, _)
@@ -124,7 +126,7 @@ API::Node getExtraNodeFromType(string type) {
parseRelevantTypeString(type, package, qualifiedName)
|
qualifiedName = "" and
result = API::moduleImport(package)
result = [API::moduleImport(package), API::moduleExport(package)]
or
// Access instance of a type based on type annotations
result = API::Internal::getANodeOfTypeRaw(package, qualifiedName)

4
javascript/ql/src/CHANGELOG.md
View File

@@ -1,3 +1,7 @@
## 0.8.6
No user-facing changes.
## 0.8.5
No user-facing changes.

4
javascript/ql/src/change-notes/2023-12-18-dot-templates.md Normal file
View File

@@ -0,0 +1,4 @@
---
category: minorAnalysis
---
* Added support for [doT](https://github.com/olado/doT) templates.

3
javascript/ql/src/change-notes/released/0.8.6.md Normal file
View File

@@ -0,0 +1,3 @@
## 0.8.6
No user-facing changes.

2
javascript/ql/src/codeql-pack.release.yml
View File

@@ -1,2 +1,2 @@
---
lastReleaseVersion: 0.8.5
lastReleaseVersion: 0.8.6

2
javascript/ql/src/qlpack.yml
View File

@@ -1,5 +1,5 @@
name: codeql/javascript-queries
version: 0.8.6-dev
version: 0.8.7-dev
groups:
- javascript
- queries

1
javascript/ql/test/library-tests/TaintTracking/DataFlowTracking.expected
View File

@@ -70,6 +70,7 @@
| getters-and-setters.js:79:20:79:27 | source() | getters-and-setters.js:92:14:92:16 | c.x |
| getters-and-setters.js:79:20:79:27 | source() | getters-and-setters.js:100:10:100:22 | getX(new C()) |
| getters-and-setters.js:89:17:89:24 | source() | getters-and-setters.js:82:18:82:22 | value |
| importedReactComponent.jsx:4:40:4:47 | source() | exportedReactComponent.jsx:2:10:2:19 | props.text |
| indexOf.js:4:11:4:18 | source() | indexOf.js:9:10:9:10 | x |
| indexOf.js:4:11:4:18 | source() | indexOf.js:13:10:13:10 | x |
| nested-props.js:4:13:4:20 | source() | nested-props.js:5:10:5:14 | obj.x |

17
javascript/ql/test/library-tests/frameworks/Templating/Xss.expected
View File

@@ -50,6 +50,9 @@ nodes
| app.js:66:18:66:34 | req.query.rawHtml |
| app.js:66:18:66:34 | req.query.rawHtml |
| app.js:66:18:66:34 | req.query.rawHtml |
| app.js:73:18:73:30 | req.query.foo |
| app.js:73:18:73:30 | req.query.foo |
| app.js:73:18:73:30 | req.query.foo |
| projectA/src/index.js:6:38:6:53 | req.query.taintA |
| projectA/src/index.js:6:38:6:53 | req.query.taintA |
| projectA/src/index.js:6:38:6:53 | req.query.taintA |
@@ -144,6 +147,11 @@ nodes
| views/angularjs_sinks.ejs:4:9:4:22 | <%- rawHtml %> |
| views/angularjs_sinks.ejs:4:13:4:19 | rawHtml |
| views/angularjs_sinks.ejs:4:13:4:19 | rawHtml |
| views/dot_sinks.html.dot:3:9:3:22 | {{! tainted }} |
| views/dot_sinks.html.dot:3:9:3:22 | {{! tainted }} |
| views/dot_sinks.html.dot:3:9:3:22 | {{! tainted }} |
| views/dot_sinks.html.dot:3:13:3:19 | tainted |
| views/dot_sinks.html.dot:3:13:3:19 | tainted |
| views/ejs_include1.ejs:1:1:1:10 | <%- foo %> |
| views/ejs_include1.ejs:1:1:1:10 | <%- foo %> |
| views/ejs_include1.ejs:1:1:1:10 | <%- foo %> |
@@ -367,6 +375,10 @@ edges
| app.js:66:18:66:34 | req.query.rawHtml | views/angularjs_sinks.ejs:4:13:4:19 | rawHtml |
| app.js:66:18:66:34 | req.query.rawHtml | views/angularjs_sinks.ejs:4:13:4:19 | rawHtml |
| app.js:66:18:66:34 | req.query.rawHtml | views/angularjs_sinks.ejs:4:13:4:19 | rawHtml |
| app.js:73:18:73:30 | req.query.foo | views/dot_sinks.html.dot:3:13:3:19 | tainted |
| app.js:73:18:73:30 | req.query.foo | views/dot_sinks.html.dot:3:13:3:19 | tainted |
| app.js:73:18:73:30 | req.query.foo | views/dot_sinks.html.dot:3:13:3:19 | tainted |
| app.js:73:18:73:30 | req.query.foo | views/dot_sinks.html.dot:3:13:3:19 | tainted |
| projectA/src/index.js:6:38:6:53 | req.query.taintA | projectA/views/main.ejs:5:5:5:23 | taintedInMiddleware |
| projectA/src/index.js:6:38:6:53 | req.query.taintA | projectA/views/main.ejs:5:5:5:23 | taintedInMiddleware |
| projectA/src/index.js:6:38:6:53 | req.query.taintA | projectA/views/main.ejs:5:5:5:23 | taintedInMiddleware |
@@ -463,6 +475,10 @@ edges
| views/angularjs_sinks.ejs:4:13:4:19 | rawHtml | views/angularjs_sinks.ejs:4:9:4:22 | <%- rawHtml %> |
| views/angularjs_sinks.ejs:4:13:4:19 | rawHtml | views/angularjs_sinks.ejs:4:9:4:22 | <%- rawHtml %> |
| views/angularjs_sinks.ejs:4:13:4:19 | rawHtml | views/angularjs_sinks.ejs:4:9:4:22 | <%- rawHtml %> |
| views/dot_sinks.html.dot:3:13:3:19 | tainted | views/dot_sinks.html.dot:3:9:3:22 | {{! tainted }} |
| views/dot_sinks.html.dot:3:13:3:19 | tainted | views/dot_sinks.html.dot:3:9:3:22 | {{! tainted }} |
| views/dot_sinks.html.dot:3:13:3:19 | tainted | views/dot_sinks.html.dot:3:9:3:22 | {{! tainted }} |
| views/dot_sinks.html.dot:3:13:3:19 | tainted | views/dot_sinks.html.dot:3:9:3:22 | {{! tainted }} |
| views/ejs_include1.ejs:1:5:1:7 | foo | views/ejs_include1.ejs:1:1:1:10 | <%- foo %> |
| views/ejs_include1.ejs:1:5:1:7 | foo | views/ejs_include1.ejs:1:1:1:10 | <%- foo %> |
| views/ejs_include1.ejs:1:5:1:7 | foo | views/ejs_include1.ejs:1:1:1:10 | <%- foo %> |
@@ -553,6 +569,7 @@ edges
| projectB/views/subfolder/other.ejs:3:1:3:12 | <%- sinkB %> | projectB/src/index.js:43:16:43:30 | req.query.sinkB | projectB/views/subfolder/other.ejs:3:1:3:12 | <%- sinkB %> | Cross-site scripting vulnerability due to $@. | projectB/src/index.js:43:16:43:30 | req.query.sinkB | user-provided value |
| views/angularjs_include.ejs:3:5:3:18 | <%- rawHtml %> | app.js:66:18:66:34 | req.query.rawHtml | views/angularjs_include.ejs:3:5:3:18 | <%- rawHtml %> | Cross-site scripting vulnerability due to $@. | app.js:66:18:66:34 | req.query.rawHtml | user-provided value |
| views/angularjs_sinks.ejs:4:9:4:22 | <%- rawHtml %> | app.js:66:18:66:34 | req.query.rawHtml | views/angularjs_sinks.ejs:4:9:4:22 | <%- rawHtml %> | Cross-site scripting vulnerability due to $@. | app.js:66:18:66:34 | req.query.rawHtml | user-provided value |
| views/dot_sinks.html.dot:3:9:3:22 | {{! tainted }} | app.js:73:18:73:30 | req.query.foo | views/dot_sinks.html.dot:3:9:3:22 | {{! tainted }} | Cross-site scripting vulnerability due to $@. | app.js:73:18:73:30 | req.query.foo | user-provided value |
| views/ejs_include1.ejs:1:1:1:10 | <%- foo %> | app.js:8:18:8:34 | req.query.rawHtml | views/ejs_include1.ejs:1:1:1:10 | <%- foo %> | Cross-site scripting vulnerability due to $@. | app.js:8:18:8:34 | req.query.rawHtml | user-provided value |
| views/ejs_include2.ejs:1:1:1:14 | <%- rawHtml %> | app.js:8:18:8:34 | req.query.rawHtml | views/ejs_include2.ejs:1:1:1:14 | <%- rawHtml %> | Cross-site scripting vulnerability due to $@. | app.js:8:18:8:34 | req.query.rawHtml | user-provided value |
| views/ejs_sinks.ejs:4:9:4:22 | <%- rawHtml %> | app.js:8:18:8:34 | req.query.rawHtml | views/ejs_sinks.ejs:4:9:4:22 | <%- rawHtml %> | Cross-site scripting vulnerability due to $@. | app.js:8:18:8:34 | req.query.rawHtml | user-provided value |

13
javascript/ql/test/library-tests/frameworks/Templating/app.js
View File

@@ -66,3 +66,16 @@ app.get('/angularjs', (req, res) => {
rawHtml: req.query.rawHtml,
});
});
app.get('/dotjs', (req, res) => {
// Currently we don't auto-insert the full .html.dot extension. Test all variations.
res.render('dot_sinks.html.dot', {
tainted: req.query.foo,
});
res.render('dot_sinks.html', {
tainted: req.query.foo,
});
res.render('dot_sinks', {
tainted: req.query.foo,
});
});

3
javascript/ql/test/library-tests/frameworks/Templating/test.expected
View File

@@ -12,6 +12,7 @@ getLikelyTemplateSyntax
| projectB/views/subfolder/other.ejs:0:0:0:0 | projectB/views/subfolder/other.ejs | ejs |
| views/angularjs_include.ejs:0:0:0:0 | views/angularjs_include.ejs | ejs |
| views/angularjs_sinks.ejs:0:0:0:0 | views/angularjs_sinks.ejs | ejs |
| views/dot_sinks.html.dot:0:0:0:0 | views/dot_sinks.html.dot | dot |
| views/ejs_include1.ejs:0:0:0:0 | views/ejs_include1.ejs | ejs |
| views/ejs_include2.ejs:0:0:0:0 | views/ejs_include2.ejs | ejs |
| views/ejs_sinks.ejs:0:0:0:0 | views/ejs_sinks.ejs | ejs |
@@ -24,6 +25,7 @@ getTargetFile
| app.js:25:5:40:6 | res.ren ... \\n }) | views/hbs_sinks.hbs:0:0:0:0 | views/hbs_sinks.hbs |
| app.js:44:5:60:6 | res.ren ... \\n }) | views/njk_sinks.njk:0:0:0:0 | views/njk_sinks.njk |
| app.js:64:5:67:6 | res.ren ... \\n }) | views/angularjs_sinks.ejs:0:0:0:0 | views/angularjs_sinks.ejs |
| app.js:72:5:74:6 | res.ren ... \\n }) | views/dot_sinks.html.dot:0:0:0:0 | views/dot_sinks.html.dot |
| consolidate.js:3:1:3:83 | consoli ... => {}) | views/instantiated_as_ejs.html:0:0:0:0 | views/instantiated_as_ejs.html |
| consolidate.js:4:1:4:90 | consoli ... => {}) | views/instantiated_as_hbs.html:0:0:0:0 | views/instantiated_as_hbs.html |
| projectA/src/index.js:11:5:14:6 | res.ren ... \\n }) | projectA/views/main.ejs:0:0:0:0 | projectA/views/main.ejs |
@@ -50,6 +52,7 @@ xssSink
| projectB/views/subfolder/other.ejs:3:1:3:12 | <%- sinkB %> |
| views/angularjs_include.ejs:3:5:3:18 | <%- rawHtml %> |
| views/angularjs_sinks.ejs:4:9:4:22 | <%- rawHtml %> |
| views/dot_sinks.html.dot:3:9:3:22 | {{! tainted }} |
| views/ejs_include1.ejs:1:1:1:10 | <%- foo %> |
| views/ejs_include2.ejs:1:1:1:14 | <%- rawHtml %> |
| views/ejs_sinks.ejs:4:9:4:22 | <%- rawHtml %> |

6
javascript/ql/test/library-tests/frameworks/Templating/views/dot_sinks.html.dot Normal file
View File

@@ -0,0 +1,6 @@
<html>
<body>
{{! tainted }}
{{= tainted }}
</body>
</html>

27
javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/Xss.expected
View File

@@ -706,6 +706,18 @@ nodes
| tooltip.jsx:11:25:11:30 | source |
| tooltip.jsx:11:25:11:30 | source |
| tooltip.jsx:11:25:11:30 | source |
| tooltip.jsx:18:51:18:59 | provide() |
| tooltip.jsx:18:51:18:59 | provide() |
| tooltip.jsx:18:51:18:59 | provide() |
| tooltip.jsx:18:51:18:59 | provide() |
| tooltip.jsx:18:51:18:59 | provide() |
| tooltip.jsx:22:11:22:30 | source |
| tooltip.jsx:22:11:22:30 | source |
| tooltip.jsx:22:20:22:30 | window.name |
| tooltip.jsx:22:20:22:30 | window.name |
| tooltip.jsx:22:20:22:30 | window.name |
| tooltip.jsx:23:38:23:43 | source |
| tooltip.jsx:23:38:23:43 | source |
| translate.js:6:7:6:39 | target |
| translate.js:6:16:6:39 | documen ... .search |
| translate.js:6:16:6:39 | documen ... .search |
@@ -1882,6 +1894,20 @@ edges
| tooltip.jsx:6:20:6:30 | window.name | tooltip.jsx:6:11:6:30 | source |
| tooltip.jsx:6:20:6:30 | window.name | tooltip.jsx:6:11:6:30 | source |
| tooltip.jsx:6:20:6:30 | window.name | tooltip.jsx:6:11:6:30 | source |
| tooltip.jsx:22:11:22:30 | source | tooltip.jsx:18:51:18:59 | provide() |
| tooltip.jsx:22:11:22:30 | source | tooltip.jsx:18:51:18:59 | provide() |
| tooltip.jsx:22:11:22:30 | source | tooltip.jsx:18:51:18:59 | provide() |
| tooltip.jsx:22:11:22:30 | source | tooltip.jsx:18:51:18:59 | provide() |
| tooltip.jsx:22:11:22:30 | source | tooltip.jsx:23:38:23:43 | source |
| tooltip.jsx:22:11:22:30 | source | tooltip.jsx:23:38:23:43 | source |
| tooltip.jsx:22:20:22:30 | window.name | tooltip.jsx:22:11:22:30 | source |
| tooltip.jsx:22:20:22:30 | window.name | tooltip.jsx:22:11:22:30 | source |
| tooltip.jsx:22:20:22:30 | window.name | tooltip.jsx:22:11:22:30 | source |
| tooltip.jsx:22:20:22:30 | window.name | tooltip.jsx:22:11:22:30 | source |
| tooltip.jsx:23:38:23:43 | source | tooltip.jsx:18:51:18:59 | provide() |
| tooltip.jsx:23:38:23:43 | source | tooltip.jsx:18:51:18:59 | provide() |
| tooltip.jsx:23:38:23:43 | source | tooltip.jsx:18:51:18:59 | provide() |
| tooltip.jsx:23:38:23:43 | source | tooltip.jsx:18:51:18:59 | provide() |
| translate.js:6:7:6:39 | target | translate.js:7:42:7:47 | target |
| translate.js:6:16:6:39 | documen ... .search | translate.js:6:7:6:39 | target |
| translate.js:6:16:6:39 | documen ... .search | translate.js:6:7:6:39 | target |
@@ -2486,6 +2512,7 @@ edges
| string-manipulations.js:10:16:10:45 | String( ... n.href) | string-manipulations.js:10:23:10:44 | documen ... on.href | string-manipulations.js:10:16:10:45 | String( ... n.href) | Cross-site scripting vulnerability due to $@. | string-manipulations.js:10:23:10:44 | documen ... on.href | user-provided value |
| tooltip.jsx:10:25:10:30 | source | tooltip.jsx:6:20:6:30 | window.name | tooltip.jsx:10:25:10:30 | source | Cross-site scripting vulnerability due to $@. | tooltip.jsx:6:20:6:30 | window.name | user-provided value |
| tooltip.jsx:11:25:11:30 | source | tooltip.jsx:6:20:6:30 | window.name | tooltip.jsx:11:25:11:30 | source | Cross-site scripting vulnerability due to $@. | tooltip.jsx:6:20:6:30 | window.name | user-provided value |
| tooltip.jsx:18:51:18:59 | provide() | tooltip.jsx:22:20:22:30 | window.name | tooltip.jsx:18:51:18:59 | provide() | Cross-site scripting vulnerability due to $@. | tooltip.jsx:22:20:22:30 | window.name | user-provided value |
| translate.js:9:27:9:50 | searchP ... 'term') | translate.js:6:16:6:39 | documen ... .search | translate.js:9:27:9:50 | searchP ... 'term') | Cross-site scripting vulnerability due to $@. | translate.js:6:16:6:39 | documen ... .search | user-provided value |
| trusted-types-lib.js:2:12:2:12 | x | trusted-types.js:13:20:13:30 | window.name | trusted-types-lib.js:2:12:2:12 | x | Cross-site scripting vulnerability due to $@. | trusted-types.js:13:20:13:30 | window.name | user-provided value |
| trusted-types.js:3:67:3:67 | x | trusted-types.js:4:20:4:30 | window.name | trusted-types.js:3:67:3:67 | x | Cross-site scripting vulnerability due to $@. | trusted-types.js:4:20:4:30 | window.name | user-provided value |

26
javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/XssWithAdditionalSources.expected
View File

@@ -718,6 +718,18 @@ nodes
| tooltip.jsx:11:25:11:30 | source |
| tooltip.jsx:11:25:11:30 | source |
| tooltip.jsx:11:25:11:30 | source |
| tooltip.jsx:18:51:18:59 | provide() |
| tooltip.jsx:18:51:18:59 | provide() |
| tooltip.jsx:18:51:18:59 | provide() |
| tooltip.jsx:18:51:18:59 | provide() |
| tooltip.jsx:18:51:18:59 | provide() |
| tooltip.jsx:22:11:22:30 | source |
| tooltip.jsx:22:11:22:30 | source |
| tooltip.jsx:22:20:22:30 | window.name |
| tooltip.jsx:22:20:22:30 | window.name |
| tooltip.jsx:22:20:22:30 | window.name |
| tooltip.jsx:23:38:23:43 | source |
| tooltip.jsx:23:38:23:43 | source |
| translate.js:6:7:6:39 | target |
| translate.js:6:16:6:39 | documen ... .search |
| translate.js:6:16:6:39 | documen ... .search |
@@ -1944,6 +1956,20 @@ edges
| tooltip.jsx:6:20:6:30 | window.name | tooltip.jsx:6:11:6:30 | source |
| tooltip.jsx:6:20:6:30 | window.name | tooltip.jsx:6:11:6:30 | source |
| tooltip.jsx:6:20:6:30 | window.name | tooltip.jsx:6:11:6:30 | source |
| tooltip.jsx:22:11:22:30 | source | tooltip.jsx:18:51:18:59 | provide() |
| tooltip.jsx:22:11:22:30 | source | tooltip.jsx:18:51:18:59 | provide() |
| tooltip.jsx:22:11:22:30 | source | tooltip.jsx:18:51:18:59 | provide() |
| tooltip.jsx:22:11:22:30 | source | tooltip.jsx:18:51:18:59 | provide() |
| tooltip.jsx:22:11:22:30 | source | tooltip.jsx:23:38:23:43 | source |
| tooltip.jsx:22:11:22:30 | source | tooltip.jsx:23:38:23:43 | source |
| tooltip.jsx:22:20:22:30 | window.name | tooltip.jsx:22:11:22:30 | source |
| tooltip.jsx:22:20:22:30 | window.name | tooltip.jsx:22:11:22:30 | source |
| tooltip.jsx:22:20:22:30 | window.name | tooltip.jsx:22:11:22:30 | source |
| tooltip.jsx:22:20:22:30 | window.name | tooltip.jsx:22:11:22:30 | source |
| tooltip.jsx:23:38:23:43 | source | tooltip.jsx:18:51:18:59 | provide() |
| tooltip.jsx:23:38:23:43 | source | tooltip.jsx:18:51:18:59 | provide() |
| tooltip.jsx:23:38:23:43 | source | tooltip.jsx:18:51:18:59 | provide() |
| tooltip.jsx:23:38:23:43 | source | tooltip.jsx:18:51:18:59 | provide() |
| translate.js:6:7:6:39 | target | translate.js:7:42:7:47 | target |
| translate.js:6:16:6:39 | documen ... .search | translate.js:6:7:6:39 | target |
| translate.js:6:16:6:39 | documen ... .search | translate.js:6:7:6:39 | target |

10
javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/tooltip.jsx
View File

@@ -11,4 +11,14 @@ function tooltips() {
<span data-tip={source} data-html={true} /> // NOT OK
<ReactTooltip />
</span>
}
function MyElement(props) {
const provide = props.provide;
return <div dangerouslySetInnerHTML={{__html: provide()}} />; // NOT OK
}
function useMyElement() {
const source = window.name;
return <MyElement provide={() => source} />;
}