support React links in js/client-side-unvalidated-url-redirection

2026-05-01 11:45:14 +02:00 · 2021-02-14 21:39:17 +01:00
parent 79839d2304
commit 41a0c0b55e
4 changed files with 33 additions and 5 deletions
--- a/javascript/ql/src/semmle/javascript/security/dataflow/ClientSideUrlRedirectCustomizations.qll
+++ b/javascript/ql/src/semmle/javascript/security/dataflow/ClientSideUrlRedirectCustomizations.qll
@@ -166,4 +166,15 @@ module ClientSideUrlRedirect {
      )
    }
  }
+
+  /**
+   * A write to an React attribute which may execute JavaScript code.
+   */
+  class ReactAttributeWriteUrlSink extends ScriptUrlSink {
+    ReactAttributeWriteUrlSink() {
+      exists(JSXAttribute attr | attr.getName() = propertyNameIsInterpretedAsJavaScriptUrl() |
+        this = attr.getValue().flow()
+      )
+    }
+  }
 }
--- a/javascript/ql/src/semmle/javascript/security/dataflow/DOM.qll
+++ b/javascript/ql/src/semmle/javascript/security/dataflow/DOM.qll
@@ -122,14 +122,17 @@ class DomPropWriteNode extends Assignment {
   * Holds if the assigned value is interpreted as JavaScript via javascript: protocol.
   */
  predicate interpretsValueAsJavaScriptUrl() {
-    lhs.getPropertyName() = "action" or
-    lhs.getPropertyName() = "formaction" or
-    lhs.getPropertyName() = "href" or
-    lhs.getPropertyName() = "src" or
-    lhs.getPropertyName() = "data"
+    lhs.getPropertyName() = propertyNameIsInterpretedAsJavaScriptUrl()
  }
 }

+/**
+ * Holds if a value assigned to property `name` of a DOM node can be interpreted as JavaScript via the `javascript:` protocol.
+ */
+string propertyNameIsInterpretedAsJavaScriptUrl() {
+  result = ["action", "formaction", "href", "src", "data"]
+}
+
 /**
 * A value written to web storage, like `localStorage` or `sessionStorage`.
 */