hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-30 19:26:02 +02:00
Code Issues Packages Projects Releases Wiki Activity

add ContainsHTMLGuard

Browse Source
This commit is contained in:
Erik Krogh Kristensen
2020-05-27 20:25:23 +02:00
parent 593d4c0f32
commit 562a38cdd5
2 changed files with 45 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

26
javascript/ql/src/semmle/javascript/security/dataflow/Xss.qll
View File

@@ -73,6 +73,26 @@ module Shared {
e = this.getBaseString().getEnclosingExpr() and outcome = this.getPolarity().booleanNot()
}
}
/**
* A sanitizer guard that checks for the existence of HTML chars in a string.
* E.g. `/["'&<>]/.exec(str)`.
*/
class ContainsHTMLGuard extends SanitizerGuard, DataFlow::MethodCallNode {
DataFlow::RegExpCreationNode regExp;
ContainsHTMLGuard() {
this.getMethodName() = ["test", "exec"] and
this.getReceiver().getALocalSource() = regExp and
regExp.getRoot() instanceof RegExpCharacterClass and
forall(string s | s = ["\"", "&", "<", ">"] | regExp.getRoot().getAMatchedString() = s)
}
override predicate sanitizes(boolean outcome, Expr e) {
outcome = false and e = this.getArgument(0).asExpr()
}
}
}
/** Provides classes and predicates for the DOM-based XSS query. */
@@ -359,6 +379,8 @@ module DomBasedXss {
)
)
}
private class ContainsHTMLGuard extends SanitizerGuard, Shared::ContainsHTMLGuard { }
}
/** Provides classes and predicates for the reflected XSS query. */
@@ -463,6 +485,8 @@ module ReflectedXss {
private class UriEncodingSanitizer extends Sanitizer, Shared::UriEncodingSanitizer { }
private class QuoteGuard extends SanitizerGuard, Shared::QuoteGuard { }
private class ContainsHTMLGuard extends SanitizerGuard, Shared::ContainsHTMLGuard { }
}
/** Provides classes and predicates for the stored XSS query. */
@@ -496,6 +520,8 @@ module StoredXss {
private class UriEncodingSanitizer extends Sanitizer, Shared::UriEncodingSanitizer { }
private class QuoteGuard extends SanitizerGuard, Shared::QuoteGuard { }
private class ContainsHTMLGuard extends SanitizerGuard, Shared::ContainsHTMLGuard { }
}
/** Provides classes and predicates for the XSS through DOM query. */

19
javascript/ql/test/query-tests/Security/CWE-079/ReflectedXssGood.js
View File

@@ -49,3 +49,22 @@ app.get('/echo', function(req, res) {
res.setHeader('Content-Length', msg.length);
res.end(msg);
});
app.get('/user/:id', function(req, res) {
const url = req.params.id;
if (!/["'&<>]/.exec(url)) {
res.send(url); // OK
}
});
function escapeHtml1 (str) {
if (!/["'&<>]/.exec(str)) {
return str;
}
}
app.get('/user/:id', function(req, res) {
const url = req.params.id;
res.send(escapeHtml1(url)); // OK
});