add xss-through-dom source from react-final-form

2026-05-02 04:05:14 +02:00 · 2021-02-07 22:47:57 +01:00
parent ff3950ce98
commit 458dda9d25
3 changed files with 43 additions and 0 deletions
--- a/javascript/ql/src/semmle/javascript/security/dataflow/XssThroughDomCustomizations.qll
+++ b/javascript/ql/src/semmle/javascript/security/dataflow/XssThroughDomCustomizations.qll
@@ -136,5 +136,23 @@ module XssThroughDom {
        this = formik().getAMemberCall("useFormikContext").getAPropertyRead("values")
      }
    }
+
+    /**
+     * An object containing input values from a form build with `react-final-form`.
+     */
+    class ReactFinalFormSource extends Source {
+      ReactFinalFormSource() {
+        exists(JSXElement elem |
+          DataFlow::moduleMember("react-final-form", "Form").flowsToExpr(elem.getNameExpr())
+        |
+          this =
+            elem.getAttributeByName("onSubmit")
+                .getValue()
+                .flow()
+                .getAFunctionValue()
+                .getParameter(0)
+        )
+      }
+    }
  }
 }
--- a/javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/XssThroughDom.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/XssThroughDom.expected
@@ -25,6 +25,11 @@ nodes
 | forms.js:35:19:35:24 | values |
 | forms.js:35:19:35:30 | values.email |
 | forms.js:35:19:35:30 | values.email |
+| forms.js:44:21:44:26 | values |
+| forms.js:44:21:44:26 | values |
+| forms.js:45:21:45:26 | values |
+| forms.js:45:21:45:33 | values.stooge |
+| forms.js:45:21:45:33 | values.stooge |
 | xss-through-dom.js:2:16:2:34 | $("textarea").val() |
 | xss-through-dom.js:2:16:2:34 | $("textarea").val() |
 | xss-through-dom.js:2:16:2:34 | $("textarea").val() |
@@ -97,6 +102,10 @@ edges
 | forms.js:34:13:34:18 | values | forms.js:34:11:34:53 | values |
 | forms.js:35:19:35:24 | values | forms.js:35:19:35:30 | values.email |
 | forms.js:35:19:35:24 | values | forms.js:35:19:35:30 | values.email |
+| forms.js:44:21:44:26 | values | forms.js:45:21:45:26 | values |
+| forms.js:44:21:44:26 | values | forms.js:45:21:45:26 | values |
+| forms.js:45:21:45:26 | values | forms.js:45:21:45:33 | values.stooge |
+| forms.js:45:21:45:26 | values | forms.js:45:21:45:33 | values.stooge |
 | xss-through-dom.js:2:16:2:34 | $("textarea").val() | xss-through-dom.js:2:16:2:34 | $("textarea").val() |
 | xss-through-dom.js:4:16:4:40 | $(".som ... .text() | xss-through-dom.js:4:16:4:40 | $(".som ... .text() |
 | xss-through-dom.js:8:16:8:53 | $(".som ... arget") | xss-through-dom.js:8:16:8:53 | $(".som ... arget") |
@@ -122,6 +131,7 @@ edges
 | forms.js:25:23:25:34 | values.email | forms.js:24:15:24:20 | values | forms.js:25:23:25:34 | values.email | $@ is reinterpreted as HTML without escaping meta-characters. | forms.js:24:15:24:20 | values | DOM text |
 | forms.js:29:23:29:34 | values.email | forms.js:28:20:28:25 | values | forms.js:29:23:29:34 | values.email | $@ is reinterpreted as HTML without escaping meta-characters. | forms.js:28:20:28:25 | values | DOM text |
 | forms.js:35:19:35:30 | values.email | forms.js:34:13:34:18 | values | forms.js:35:19:35:30 | values.email | $@ is reinterpreted as HTML without escaping meta-characters. | forms.js:34:13:34:18 | values | DOM text |
+| forms.js:45:21:45:33 | values.stooge | forms.js:44:21:44:26 | values | forms.js:45:21:45:33 | values.stooge | $@ is reinterpreted as HTML without escaping meta-characters. | forms.js:44:21:44:26 | values | DOM text |
 | xss-through-dom.js:2:16:2:34 | $("textarea").val() | xss-through-dom.js:2:16:2:34 | $("textarea").val() | xss-through-dom.js:2:16:2:34 | $("textarea").val() | $@ is reinterpreted as HTML without escaping meta-characters. | xss-through-dom.js:2:16:2:34 | $("textarea").val() | DOM text |
 | xss-through-dom.js:4:16:4:40 | $(".som ... .text() | xss-through-dom.js:4:16:4:40 | $(".som ... .text() | xss-through-dom.js:4:16:4:40 | $(".som ... .text() | $@ is reinterpreted as HTML without escaping meta-characters. | xss-through-dom.js:4:16:4:40 | $(".som ... .text() | DOM text |
 | xss-through-dom.js:8:16:8:53 | $(".som ... arget") | xss-through-dom.js:8:16:8:53 | $(".som ... arget") | xss-through-dom.js:8:16:8:53 | $(".som ... arget") | $@ is reinterpreted as HTML without escaping meta-characters. | xss-through-dom.js:8:16:8:53 | $(".som ... arget") | DOM text |
--- a/javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/forms.js
+++ b/javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/forms.js
@@ -37,3 +37,18 @@ const FormikEnhanced = withFormik({
    $("#id").html(submitForm.email); // OK 
 })

+import { Form } from 'react-final-form'
+
+const App = () => (
+  <Form
+    onSubmit={async values => {
+      $("#id").html(values.stooge); // NOT OK
+    }}
+    initialValues={{ stooge: 'larry', employed: false }}
+    render={({ handleSubmit, form, submitting, pristine, values }) => (
+      <form onSubmit={handleSubmit}>
+        <input type="text" name="stooge"></input>
+      </form>
+    )}
+  />
+)