hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-30 19:26:02 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #6298 from erik-krogh/ansi-to-html

Browse Source 
Approved by asgerf
This commit is contained in:
CodeQL CI
2021-07-16 02:09:03 -07:00
committed by GitHub
parent f4f8ce0d36 ae2fc7171b
commit 520337577b
5 changed files with 61 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
javascript/change-notes/2021-07-15-ansi-to-html.md Normal file
View File

@@ -0,0 +1,4 @@
lgtm,codescanning
* The security queries now track taint through the `ansi-to-html` library.
Affected packages are
[ansi-to-html](https://www.npmjs.com/package/ansi-to-html)

14
javascript/ql/src/semmle/javascript/frameworks/Logging.qll
View File

@@ -337,3 +337,17 @@ class StripAnsiStep extends TaintTracking::SharedTaintStep {
)
}
}
/**
* A step through the [`ansi-to-html`](https://npmjs.org/package/ansi-to-html) library.
*/
class AnsiToHtmlStep extends TaintTracking::SharedTaintStep {
override predicate stringManipulationStep(DataFlow::Node pred, DataFlow::Node succ) {
exists(API::CallNode call |
call = API::moduleImport("ansi-to-html").getInstance().getMember("toHtml").getACall()
|
pred = call.getArgument(0) and
succ = call
)
}
}

17
javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/Xss.expected
View File

@@ -684,6 +684,14 @@ nodes
| tst.js:444:44:444:49 | source |
| tst.js:445:32:445:37 | source |
| tst.js:445:32:445:37 | source |
| tst.js:453:7:453:39 | source |
| tst.js:453:16:453:39 | documen ... .search |
| tst.js:453:16:453:39 | documen ... .search |
| tst.js:455:18:455:23 | source |
| tst.js:455:18:455:23 | source |
| tst.js:456:18:456:42 | ansiToH ... source) |
| tst.js:456:18:456:42 | ansiToH ... source) |
| tst.js:456:36:456:41 | source |
| typeahead.js:20:13:20:45 | target |
| typeahead.js:20:22:20:45 | documen ... .search |
| typeahead.js:20:22:20:45 | documen ... .search |
@@ -1341,6 +1349,13 @@ edges
| tst.js:436:6:436:38 | source | tst.js:445:32:445:37 | source |
| tst.js:436:15:436:38 | documen ... .search | tst.js:436:6:436:38 | source |
| tst.js:436:15:436:38 | documen ... .search | tst.js:436:6:436:38 | source |
| tst.js:453:7:453:39 | source | tst.js:455:18:455:23 | source |
| tst.js:453:7:453:39 | source | tst.js:455:18:455:23 | source |
| tst.js:453:7:453:39 | source | tst.js:456:36:456:41 | source |
| tst.js:453:16:453:39 | documen ... .search | tst.js:453:7:453:39 | source |
| tst.js:453:16:453:39 | documen ... .search | tst.js:453:7:453:39 | source |
| tst.js:456:36:456:41 | source | tst.js:456:18:456:42 | ansiToH ... source) |
| tst.js:456:36:456:41 | source | tst.js:456:18:456:42 | ansiToH ... source) |
| typeahead.js:20:13:20:45 | target | typeahead.js:21:12:21:17 | target |
| typeahead.js:20:22:20:45 | documen ... .search | typeahead.js:20:13:20:45 | target |
| typeahead.js:20:22:20:45 | documen ... .search | typeahead.js:20:13:20:45 | target |
@@ -1566,6 +1581,8 @@ edges
| tst.js:443:41:443:46 | source | tst.js:436:15:436:38 | documen ... .search | tst.js:443:41:443:46 | source | Cross-site scripting vulnerability due to $@. | tst.js:436:15:436:38 | documen ... .search | user-provided value |
| tst.js:444:44:444:49 | source | tst.js:436:15:436:38 | documen ... .search | tst.js:444:44:444:49 | source | Cross-site scripting vulnerability due to $@. | tst.js:436:15:436:38 | documen ... .search | user-provided value |
| tst.js:445:32:445:37 | source | tst.js:436:15:436:38 | documen ... .search | tst.js:445:32:445:37 | source | Cross-site scripting vulnerability due to $@. | tst.js:436:15:436:38 | documen ... .search | user-provided value |
| tst.js:455:18:455:23 | source | tst.js:453:16:453:39 | documen ... .search | tst.js:455:18:455:23 | source | Cross-site scripting vulnerability due to $@. | tst.js:453:16:453:39 | documen ... .search | user-provided value |
| tst.js:456:18:456:42 | ansiToH ... source) | tst.js:453:16:453:39 | documen ... .search | tst.js:456:18:456:42 | ansiToH ... source) | Cross-site scripting vulnerability due to $@. | tst.js:453:16:453:39 | documen ... .search | user-provided value |
| typeahead.js:25:18:25:20 | val | typeahead.js:20:22:20:45 | documen ... .search | typeahead.js:25:18:25:20 | val | Cross-site scripting vulnerability due to $@. | typeahead.js:20:22:20:45 | documen ... .search | user-provided value |
| v-html.vue:2:8:2:23 | v-html=tainted | v-html.vue:6:42:6:58 | document.location | v-html.vue:2:8:2:23 | v-html=tainted | Cross-site scripting vulnerability due to $@. | v-html.vue:6:42:6:58 | document.location | user-provided value |
| various-concat-obfuscations.js:4:4:4:31 | "<div>" ... </div>" | various-concat-obfuscations.js:2:16:2:39 | documen ... .search | various-concat-obfuscations.js:4:4:4:31 | "<div>" ... </div>" | Cross-site scripting vulnerability due to $@. | various-concat-obfuscations.js:2:16:2:39 | documen ... .search | user-provided value |

15
javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/XssWithAdditionalSources.expected
View File

@@ -691,6 +691,14 @@ nodes
| tst.js:444:44:444:49 | source |
| tst.js:445:32:445:37 | source |
| tst.js:445:32:445:37 | source |
| tst.js:453:7:453:39 | source |
| tst.js:453:16:453:39 | documen ... .search |
| tst.js:453:16:453:39 | documen ... .search |
| tst.js:455:18:455:23 | source |
| tst.js:455:18:455:23 | source |
| tst.js:456:18:456:42 | ansiToH ... source) |
| tst.js:456:18:456:42 | ansiToH ... source) |
| tst.js:456:36:456:41 | source |
| typeahead.js:9:28:9:30 | loc |
| typeahead.js:9:28:9:30 | loc |
| typeahead.js:10:16:10:18 | loc |
@@ -1365,6 +1373,13 @@ edges
| tst.js:436:6:436:38 | source | tst.js:445:32:445:37 | source |
| tst.js:436:15:436:38 | documen ... .search | tst.js:436:6:436:38 | source |
| tst.js:436:15:436:38 | documen ... .search | tst.js:436:6:436:38 | source |
| tst.js:453:7:453:39 | source | tst.js:455:18:455:23 | source |
| tst.js:453:7:453:39 | source | tst.js:455:18:455:23 | source |
| tst.js:453:7:453:39 | source | tst.js:456:36:456:41 | source |
| tst.js:453:16:453:39 | documen ... .search | tst.js:453:7:453:39 | source |
| tst.js:453:16:453:39 | documen ... .search | tst.js:453:7:453:39 | source |
| tst.js:456:36:456:41 | source | tst.js:456:18:456:42 | ansiToH ... source) |
| tst.js:456:36:456:41 | source | tst.js:456:18:456:42 | ansiToH ... source) |
| typeahead.js:9:28:9:30 | loc | typeahead.js:10:16:10:18 | loc |
| typeahead.js:9:28:9:30 | loc | typeahead.js:10:16:10:18 | loc |
| typeahead.js:9:28:9:30 | loc | typeahead.js:10:16:10:18 | loc |

11
javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/tst.js
View File

@@ -444,3 +444,14 @@ function mootools(){
new Element("div").setProperties({"html": source}); // NOT OK
new Element("div").appendHtml(source); // NOT OK
}
const Convert = require('ansi-to-html');
const ansiToHtml = new Convert();
function ansiToHTML() {
var source = document.location.search;
$("#foo").html(source); // NOT OK
$("#foo").html(ansiToHtml.toHtml(source)); // NOT OK
}