add InclusionTest to PostMessageEventSanitizer

Erik Krogh Kristensen
2022-04-12 13:15:31 +02:00
parent e2badab251
commit 2d6d304d7c
2 changed files with 25 additions and 6 deletions


@@ -1225,19 +1225,25 @@ module TaintTracking {
* An equality test on `e.origin` or `e.source` where `e` is a `postMessage` event object,
* considered as a sanitizer for `e`.
*/
private class PostMessageEventSanitizer extends AdditionalSanitizerGuardNode, DataFlow::ValueNode {
private class PostMessageEventSanitizer extends AdditionalSanitizerGuardNode {
VarAccess event;
override EqualityTest astNode;
boolean polarity;
PostMessageEventSanitizer() {
exists(string prop | prop = "origin" or prop = "source" |
astNode.getAnOperand().(PropAccess).accesses(event, prop) and
event.mayReferToParameter(any(PostMessageEventHandler h).getEventParameter())
event.mayReferToParameter(any(PostMessageEventHandler h).getEventParameter()) and
exists(DataFlow::PropRead read | read.accesses(event.flow(), ["origin", "source"]) |
exists(EqualityTest test | polarity = test.getPolarity() and this.getAstNode() = test |
test.getAnOperand().flow() = read
)
or
exists(InclusionTest test | polarity = test.getPolarity() and this = test |
test.getContainedNode() = read
)
)
}
override predicate sanitizes(boolean outcome, Expr e) {
outcome = astNode.getPolarity() and
outcome = polarity and
e = event
}
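Review bot: The QLDoc at the top of the hunk still describes the class as "An equality test on `e.origin` or `e.source`", but the characteristic predicate now also accepts an `InclusionTest` whose contained node is the `origin`/`source` read (the `or` branch on `InclusionTest test`), so the doc undersells what the sanitizer matches. Change the first doc line to `* An equality or inclusion test on `e.origin` or `e.source` where `e` is a `postMessage` event object,`. It would also help a reader to note on the `InclusionTest` branch why it binds `this = test` while the `EqualityTest` branch binds `this.getAstNode() = test`, e.g. `// InclusionTest is a DataFlow node, EqualityTest an AST node`, since the asymmetry looks accidental otherwise. The class body ends at the `sanitizes` predicate inside the hunk; if the file has further members after it they are outside this view.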


@@ -14,4 +14,17 @@ function test() {
}
window.addEventListener("message", foo.bind(null, {data: 'items'}));
window.onmessage = e => {
if (e.origin !== "https://foobar.com") {
return;
}
document.write(e.data); // OK - there is an origin check
}
window.onmessage = e => {
if (mySet.includes(e.origin)) {
document.write(e.data); // OK - there is an origin check
}
}
}
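Review bot: The new handler only exercises the positive case of the inclusion sanitizer, and the container is named `mySet` although `includes` is an Array method (a `Set` exposes `has`), so the test reads as if a set membership check were being modelled when it is really an array allow-list check. Declaring the allow-list in the test, e.g. `const allowedOrigins = ["https://foobar.com"];` and testing `allowedOrigins.includes(e.origin)`, would make the modelled pattern explicit. A companion handler where `e.origin` is the container rather than the contained node, `if (e.origin.includes("foobar.com")) { document.write(e.data); }`, would pin that the sanitizer does not treat a substring match on the origin as a check, which is what `getContainedNode() = read` is meant to enforce. The closing brace on the last line presumably ends `function test()` from the hunk header.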