add xss-through-dom source from react-final-form

2026-04-29 02:35:15 +02:00 · 2021-02-07 22:47:57 +01:00
parent ff3950ce98
commit 458dda9d25
3 changed files with 43 additions and 0 deletions
--- a/javascript/ql/src/semmle/javascript/security/dataflow/XssThroughDomCustomizations.qll
+++ b/javascript/ql/src/semmle/javascript/security/dataflow/XssThroughDomCustomizations.qll
@@ -136,5 +136,23 @@ module XssThroughDom {
        this = formik().getAMemberCall("useFormikContext").getAPropertyRead("values")
      }
    }
+
+    /**
+     * An object containing input values from a form build with `react-final-form`.
+     */
+    class ReactFinalFormSource extends Source {
+      ReactFinalFormSource() {
+        exists(JSXElement elem |
+          DataFlow::moduleMember("react-final-form", "Form").flowsToExpr(elem.getNameExpr())
+        |
+          this =
+            elem.getAttributeByName("onSubmit")
+                .getValue()
+                .flow()
+                .getAFunctionValue()
+                .getParameter(0)
+        )
+      }
+    }
  }
 }