Merge pull request #12668 from asgerf/js/jquery-callback-sinks

JS: fix handling of jQuery sinks involving callback
2026-05-01 19:55:15 +02:00 · 2023-03-30 12:42:53 +02:00
parent 7729a6bdbf 61a7ee9387
commit 43174cfe3a
5 changed files with 38 additions and 0 deletions
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/DomBasedXssQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/DomBasedXssQuery.qll
@@ -122,6 +122,14 @@ class Configuration extends TaintTracking::Configuration {
    TaintedUrlSuffix::step(src, trg, TaintedUrlSuffix::label(), DataFlow::FlowLabel::taint()) and
    inlbl = TaintedUrlSuffix::label() and
    outlbl = prefixLabel()
+    or
+    exists(DataFlow::FunctionNode callback, DataFlow::Node arg |
+      any(JQuery::MethodCall c).interpretsArgumentAsHtml(arg) and
+      callback = arg.getABoundFunctionValue(_) and
+      src = callback.getReturnNode() and
+      trg = callback and
+      inlbl = outlbl
+    )
  }
 }