update Next.js xss example such that the attack is viable

2026-05-01 03:35:13 +02:00 · 2021-02-17 13:38:06 +01:00
parent 1f02594ccc
commit 36049f05f8
2 changed files with 12 additions and 10 deletions
--- a/javascript/ql/test/query-tests/Security/CWE-601/ClientSideUrlRedirect/ClientSideUrlRedirect.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-601/ClientSideUrlRedirect/ClientSideUrlRedirect.expected
@@ -14,11 +14,13 @@ nodes
 | react.js:28:43:28:59 | document.location |
 | react.js:28:43:28:59 | document.location |
 | react.js:28:43:28:64 | documen ... on.hash |
-| react.js:28:43:28:64 | documen ... on.hash |
+| react.js:28:43:28:74 | documen ... bstr(1) |
+| react.js:28:43:28:74 | documen ... bstr(1) |
 | react.js:34:43:34:59 | document.location |
 | react.js:34:43:34:59 | document.location |
 | react.js:34:43:34:64 | documen ... on.hash |
-| react.js:34:43:34:64 | documen ... on.hash |
+| react.js:34:43:34:74 | documen ... bstr(1) |
+| react.js:34:43:34:74 | documen ... bstr(1) |
 | sanitizer.js:2:9:2:25 | url |
 | sanitizer.js:2:15:2:25 | window.name |
 | sanitizer.js:2:15:2:25 | window.name |
@@ -215,12 +217,12 @@ edges
 | react.js:21:24:21:40 | document.location | react.js:21:24:21:45 | documen ... on.hash |
 | react.js:28:43:28:59 | document.location | react.js:28:43:28:64 | documen ... on.hash |
 | react.js:28:43:28:59 | document.location | react.js:28:43:28:64 | documen ... on.hash |
-| react.js:28:43:28:59 | document.location | react.js:28:43:28:64 | documen ... on.hash |
-| react.js:28:43:28:59 | document.location | react.js:28:43:28:64 | documen ... on.hash |
-| react.js:34:43:34:59 | document.location | react.js:34:43:34:64 | documen ... on.hash |
-| react.js:34:43:34:59 | document.location | react.js:34:43:34:64 | documen ... on.hash |
+| react.js:28:43:28:64 | documen ... on.hash | react.js:28:43:28:74 | documen ... bstr(1) |
+| react.js:28:43:28:64 | documen ... on.hash | react.js:28:43:28:74 | documen ... bstr(1) |
 | react.js:34:43:34:59 | document.location | react.js:34:43:34:64 | documen ... on.hash |
 | react.js:34:43:34:59 | document.location | react.js:34:43:34:64 | documen ... on.hash |
+| react.js:34:43:34:64 | documen ... on.hash | react.js:34:43:34:74 | documen ... bstr(1) |
+| react.js:34:43:34:64 | documen ... on.hash | react.js:34:43:34:74 | documen ... bstr(1) |
 | sanitizer.js:2:9:2:25 | url | sanitizer.js:4:27:4:29 | url |
 | sanitizer.js:2:9:2:25 | url | sanitizer.js:4:27:4:29 | url |
 | sanitizer.js:2:9:2:25 | url | sanitizer.js:16:27:16:29 | url |
@@ -392,8 +394,8 @@ edges
 | electron.js:7:20:7:29 | getTaint() | electron.js:4:12:4:22 | window.name | electron.js:7:20:7:29 | getTaint() | Untrusted URL redirection due to $@. | electron.js:4:12:4:22 | window.name | user-provided value |
 | react.js:10:60:10:81 | documen ... on.hash | react.js:10:60:10:76 | document.location | react.js:10:60:10:81 | documen ... on.hash | Untrusted URL redirection due to $@. | react.js:10:60:10:76 | document.location | user-provided value |
 | react.js:21:24:21:45 | documen ... on.hash | react.js:21:24:21:40 | document.location | react.js:21:24:21:45 | documen ... on.hash | Untrusted URL redirection due to $@. | react.js:21:24:21:40 | document.location | user-provided value |
-| react.js:28:43:28:64 | documen ... on.hash | react.js:28:43:28:59 | document.location | react.js:28:43:28:64 | documen ... on.hash | Untrusted URL redirection due to $@. | react.js:28:43:28:59 | document.location | user-provided value |
-| react.js:34:43:34:64 | documen ... on.hash | react.js:34:43:34:59 | document.location | react.js:34:43:34:64 | documen ... on.hash | Untrusted URL redirection due to $@. | react.js:34:43:34:59 | document.location | user-provided value |
+| react.js:28:43:28:74 | documen ... bstr(1) | react.js:28:43:28:59 | document.location | react.js:28:43:28:74 | documen ... bstr(1) | Untrusted URL redirection due to $@. | react.js:28:43:28:59 | document.location | user-provided value |
+| react.js:34:43:34:74 | documen ... bstr(1) | react.js:34:43:34:59 | document.location | react.js:34:43:34:74 | documen ... bstr(1) | Untrusted URL redirection due to $@. | react.js:34:43:34:59 | document.location | user-provided value |
 | sanitizer.js:4:27:4:29 | url | sanitizer.js:2:15:2:25 | window.name | sanitizer.js:4:27:4:29 | url | Untrusted URL redirection due to $@. | sanitizer.js:2:15:2:25 | window.name | user-provided value |
 | sanitizer.js:16:27:16:29 | url | sanitizer.js:2:15:2:25 | window.name | sanitizer.js:16:27:16:29 | url | Untrusted URL redirection due to $@. | sanitizer.js:2:15:2:25 | window.name | user-provided value |
 | sanitizer.js:19:27:19:29 | url | sanitizer.js:2:15:2:25 | window.name | sanitizer.js:19:27:19:29 | url | Untrusted URL redirection due to $@. | sanitizer.js:2:15:2:25 | window.name | user-provided value |
--- a/javascript/ql/test/query-tests/Security/CWE-601/ClientSideUrlRedirect/react.js
+++ b/javascript/ql/test/query-tests/Security/CWE-601/ClientSideUrlRedirect/react.js
@@ -25,13 +25,13 @@ import { useRouter } from 'next/router'

 export function nextRouter() {
  const router = useRouter();
-  return <span onClick={() => router.push(document.location.hash)}>Click to XSS 1</span>
+  return <span onClick={() => router.push(document.location.hash.substr(1))}>Click to XSS 1</span>
 }

 import { withRouter } from 'next/router'

 function Page({ router }) {
-  return <span onClick={() => router.push(document.location.hash)}>Click to XSS 2</span>
+  return <span onClick={() => router.push(document.location.hash.substr(1))}>Click to XSS 2</span>
 }

 export const pageWithRouter = withRouter(Page);