[js/client-side-unvalidated-url-redirection] add interpretsValueAsJavaScript predicate

Raz0r
2020-06-29 17:46:33 +03:00
parent 993506d781
commit 54db6c4a39
2 changed files with 26 additions and 1 deletions


@@ -145,4 +145,17 @@ module ClientSideUrlRedirect {
)
}
}
/**
* A write of an attribute which may execute JavaScript code or
* exfiltrate data to an attacker controlled site.
*/
class AttributeWriteUrlSink extends ScriptUrlSink, DataFlow::ValueNode {
AttributeWriteUrlSink() {
exists(DomPropWriteNode pw |
pw.interpretsValueAsJavaScript() and
this = DataFlow::valueNode(pw.getRhs())
)
}
}
}
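Review bot: The name and doc comment of `AttributeWriteUrlSink` describe an attribute write, but its characteristic predicate binds a `DomPropWriteNode`, so what it models is a property assignment; attribute names passed to DOM method calls appear to be handled by the separate list in the other file. I would reword the comment to `A write to a DOM property whose value is treated as a URL, which may run a javascript: URL or send data to an attacker-controlled site.` The commit changes two files and neither looks like a test, so a query test with one flagged and one unflagged property write would pin the new sink. The enclosing module `ClientSideUrlRedirect` starts outside the hunk.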


@@ -90,7 +90,8 @@ class DomMethodCallExpr extends MethodCallExpr {
attr = "formaction" or
attr = "href" or
attr = "src" or
attr = "xlink:href"
attr = "xlink:href" or
attr = "data"
|
getArgument(argPos - 1).getStringValue().toLowerCase() = attr
)
@@ -116,6 +117,17 @@ class DomPropWriteNode extends Assignment {
lhs.getPropertyName() = "innerHTML" or
lhs.getPropertyName() = "outerHTML"
}
/**
* Holds if the assigned value is interpreted as JavaScript via javascript: protocol.
*/
predicate interpretsValueAsJavaScript() {
lhs.getPropertyName() = "action" or
lhs.getPropertyName() = "formaction" or
lhs.getPropertyName() = "href" or
lhs.getPropertyName() = "src" or
lhs.getPropertyName() = "data"
}
}
/**
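Review bot: `interpretsValueAsJavaScript` decides on the property name alone, so its precision rests entirely on how `DomPropWriteNode` restricts the assignment target, which is declared outside this hunk. `data` in particular is a common name for properties that hold no URL, and whether a `javascript:` value runs for `src` or `data` depends on the element type, so the new sink may report writes that cannot execute script. If the element type cannot be checked here, the doc comment should say so, for example `Holds if the assigned value is a URL that, depending on the element, may be run as script through the javascript: scheme.` The property names here and the attribute names in the first hunk are maintained as two separate lists, so a shared helper predicate would keep them from drifting apart.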