remove postmessage events as source for js/resource-exhaustion

2025-12-17 01:03:14 +01:00 · 2022-04-13 23:11:53 +02:00
parent 51a0b6d501
commit 4c97f68a3d
2 changed files with 9 additions and 1 deletions
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/ResourceExhaustionCustomizations.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/ResourceExhaustionCustomizations.qll
@@ -29,7 +29,11 @@ module ResourceExhaustion {

  /** A source of remote user input, considered as a data flow source for resource exhaustion vulnerabilities. */
  class RemoteFlowSourceAsSource extends Source instanceof RemoteFlowSource {
-    RemoteFlowSourceAsSource() { not this instanceof ClientSideRemoteFlowSource }
+    RemoteFlowSourceAsSource() {
+      // exclude source that only happen client-side
+      not this instanceof ClientSideRemoteFlowSource and
+      not this = DataFlow::parameterNode(any(PostMessageEventHandler pmeh).getEventParameter())
+    }
  }

  /**
--- a/javascript/ql/test/query-tests/Security/CWE-770/ResourceExhaustion/resource-exhaustion.js
+++ b/javascript/ql/test/query-tests/Security/CWE-770/ResourceExhaustion/resource-exhaustion.js
@@ -98,4 +98,8 @@ function browser() {
    setTimeout(() => {
        console.log("f00");
    }, delay); // OK - source is client side
+
+    window.onmessage = (e) => {
+        setTimeout(() => {}, e.data); // OK - source is client side
+    }
 }