support html attribute concatenations with single quotes

2026-04-28 18:25:24 +02:00 · 2021-01-29 10:20:29 +01:00
parent 1c56c30eba
commit 3f1e81533c
6 changed files with 79 additions and 13 deletions
--- a/javascript/ql/src/semmle/javascript/security/IncompleteBlacklistSanitizer.qll
+++ b/javascript/ql/src/semmle/javascript/security/IncompleteBlacklistSanitizer.qll
@@ -23,7 +23,7 @@ abstract class IncompleteBlacklistSanitizer extends DataFlow::Node {
 * Describes the characters represented by `rep`.
 */
 string describeCharacters(string rep) {
-  rep = "\"" and result = "quotes"
+  rep = ["\"", "'"] and result = "quotes"
  or
  rep = "&" and result = "ampersands"
  or
@@ -86,6 +86,12 @@ module HtmlSanitization {
      chain.getAReplacementString() = "&#34;"
    )
    or
+    result = "'" and
+    (
+      chain.getAReplacedString() = result or
+      chain.getAReplacementString() = "&#39;"
+    )
+    or
    result = "&" and
    (
      chain.getAReplacedString() = result or
@@ -123,11 +129,7 @@ module HtmlSanitization {
        // replaces `<` and `>`
        getALikelyReplacedCharacter(chain) = "<" and
        getALikelyReplacedCharacter(chain) = ">" and
-        (
-          unsanitized = "\""
-          or
-          unsanitized = "&"
-        )
+        unsanitized = ["\"", "'", "&"]
        or
        // replaces '&' and either `<` or `>`
        getALikelyReplacedCharacter(chain) = "&" and
--- a/javascript/ql/src/semmle/javascript/security/dataflow/IncompleteHtmlAttributeSanitization.qll
+++ b/javascript/ql/src/semmle/javascript/security/dataflow/IncompleteHtmlAttributeSanitization.qll
@@ -14,7 +14,7 @@ module IncompleteHtmlAttributeSanitization {

  private module Label {
    class Quote extends DataFlow::FlowLabel {
-      Quote() { this = "\"" }
+      Quote() { this = ["\"", "'"] }
    }

    class Ampersand extends DataFlow::FlowLabel {
--- a/javascript/ql/src/semmle/javascript/security/dataflow/IncompleteHtmlAttributeSanitizationCustomizations.qll
+++ b/javascript/ql/src/semmle/javascript/security/dataflow/IncompleteHtmlAttributeSanitizationCustomizations.qll
@@ -49,11 +49,15 @@ module IncompleteHtmlAttributeSanitization {
   */
  class HtmlAttributeConcatenation extends StringOps::ConcatenationLeaf {
    string lhs;
+    string quote;

    HtmlAttributeConcatenation() {
-      lhs = this.getPreviousLeaf().getStringValue().regexpCapture("(?s)(.*)=\"[^\"]*", 1) and
+      quote = ["\"", "'"] and
+      exists(string prev | prev = this.getPreviousLeaf().getStringValue() |
+        lhs = prev.regexpCapture("(?s)(.*)=" + quote + "[^" + quote + "=<>]*", 1)
+      ) and
      (
-        this.getNextLeaf().getStringValue().regexpMatch(".*\".*") or
+        this.getNextLeaf().getStringValue().regexpMatch(".*" + quote + ".*") or
        this instanceof StringOps::HtmlConcatenationLeaf
      )
    }
@@ -62,6 +66,11 @@ module IncompleteHtmlAttributeSanitization {
     * Holds if the attribute value is interpreted as JavaScript source code.
     */
    predicate isInterpretedAsJavaScript() { lhs.regexpMatch("(?i)(.* )?on[a-z]+") }
+
+    /**
+     * Gets the quote symbol (" or ') that is used to mark the attribute value.
+     */
+    string getQuote() { result = quote }
  }

  /**
@@ -74,7 +83,7 @@ module IncompleteHtmlAttributeSanitization {
    override string getADangerousCharacter() {
      isInterpretedAsJavaScript() and result = "&"
      or
-      result = "\""
+      result = getQuote()
    }
  }