hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-05-01 19:55:15 +02:00
Code Issues Packages Projects Releases Wiki Activity

included ClipboardEvent and DragEvent as XSS sources

Browse Source
This commit is contained in:
bananabr
2022-04-11 16:37:00 -05:00
parent aafa8ddc9f
commit 57fac949fd
7 changed files with 147 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

34
javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/Xss.expected
View File

@@ -144,6 +144,14 @@ nodes
| clipboard.ts:50:29:50:32 | html |
| clipboard.ts:50:29:50:32 | html |
| clipboard.ts:50:29:50:32 | html |
| clipboard.ts:71:13:71:62 | droppedHtml |
| clipboard.ts:71:13:71:62 | droppedHtml |
| clipboard.ts:71:27:71:62 | e.clipb ... /html') |
| clipboard.ts:71:27:71:62 | e.clipb ... /html') |
| clipboard.ts:71:27:71:62 | e.clipb ... /html') |
| clipboard.ts:73:29:73:39 | droppedHtml |
| clipboard.ts:73:29:73:39 | droppedHtml |
| clipboard.ts:73:29:73:39 | droppedHtml |
| d3.js:4:12:4:22 | window.name |
| d3.js:4:12:4:22 | window.name |
| d3.js:4:12:4:22 | window.name |
@@ -331,6 +339,14 @@ nodes
| dragAndDrop.ts:50:29:50:32 | html |
| dragAndDrop.ts:50:29:50:32 | html |
| dragAndDrop.ts:50:29:50:32 | html |
| dragAndDrop.ts:71:13:71:61 | droppedHtml |
| dragAndDrop.ts:71:13:71:61 | droppedHtml |
| dragAndDrop.ts:71:27:71:61 | e.dataT ... /html') |
| dragAndDrop.ts:71:27:71:61 | e.dataT ... /html') |
| dragAndDrop.ts:71:27:71:61 | e.dataT ... /html') |
| dragAndDrop.ts:73:29:73:39 | droppedHtml |
| dragAndDrop.ts:73:29:73:39 | droppedHtml |
| dragAndDrop.ts:73:29:73:39 | droppedHtml |
| event-handler-receiver.js:2:31:2:83 | '<h2><a ... ></h2>' |
| event-handler-receiver.js:2:31:2:83 | '<h2><a ... ></h2>' |
| event-handler-receiver.js:2:31:2:83 | '<h2><a ... ></h2>' |
@@ -1174,6 +1190,14 @@ edges
| clipboard.ts:43:22:43:55 | clipboa ... /html') | clipboard.ts:43:15:43:55 | html |
| clipboard.ts:43:22:43:55 | clipboa ... /html') | clipboard.ts:43:15:43:55 | html |
| clipboard.ts:43:22:43:55 | clipboa ... /html') | clipboard.ts:43:15:43:55 | html |
| clipboard.ts:71:13:71:62 | droppedHtml | clipboard.ts:73:29:73:39 | droppedHtml |
| clipboard.ts:71:13:71:62 | droppedHtml | clipboard.ts:73:29:73:39 | droppedHtml |
| clipboard.ts:71:13:71:62 | droppedHtml | clipboard.ts:73:29:73:39 | droppedHtml |
| clipboard.ts:71:13:71:62 | droppedHtml | clipboard.ts:73:29:73:39 | droppedHtml |
| clipboard.ts:71:27:71:62 | e.clipb ... /html') | clipboard.ts:71:13:71:62 | droppedHtml |
| clipboard.ts:71:27:71:62 | e.clipb ... /html') | clipboard.ts:71:13:71:62 | droppedHtml |
| clipboard.ts:71:27:71:62 | e.clipb ... /html') | clipboard.ts:71:13:71:62 | droppedHtml |
| clipboard.ts:71:27:71:62 | e.clipb ... /html') | clipboard.ts:71:13:71:62 | droppedHtml |
| d3.js:4:12:4:22 | window.name | d3.js:11:15:11:24 | getTaint() |
| d3.js:4:12:4:22 | window.name | d3.js:11:15:11:24 | getTaint() |
| d3.js:4:12:4:22 | window.name | d3.js:11:15:11:24 | getTaint() |
@@ -1381,6 +1405,14 @@ edges
| dragAndDrop.ts:43:22:43:54 | dataTra ... /html') | dragAndDrop.ts:43:15:43:54 | html |
| dragAndDrop.ts:43:22:43:54 | dataTra ... /html') | dragAndDrop.ts:43:15:43:54 | html |
| dragAndDrop.ts:43:22:43:54 | dataTra ... /html') | dragAndDrop.ts:43:15:43:54 | html |
| dragAndDrop.ts:71:13:71:61 | droppedHtml | dragAndDrop.ts:73:29:73:39 | droppedHtml |
| dragAndDrop.ts:71:13:71:61 | droppedHtml | dragAndDrop.ts:73:29:73:39 | droppedHtml |
| dragAndDrop.ts:71:13:71:61 | droppedHtml | dragAndDrop.ts:73:29:73:39 | droppedHtml |
| dragAndDrop.ts:71:13:71:61 | droppedHtml | dragAndDrop.ts:73:29:73:39 | droppedHtml |
| dragAndDrop.ts:71:27:71:61 | e.dataT ... /html') | dragAndDrop.ts:71:13:71:61 | droppedHtml |
| dragAndDrop.ts:71:27:71:61 | e.dataT ... /html') | dragAndDrop.ts:71:13:71:61 | droppedHtml |
| dragAndDrop.ts:71:27:71:61 | e.dataT ... /html') | dragAndDrop.ts:71:13:71:61 | droppedHtml |
| dragAndDrop.ts:71:27:71:61 | e.dataT ... /html') | dragAndDrop.ts:71:13:71:61 | droppedHtml |
| event-handler-receiver.js:2:49:2:61 | location.href | event-handler-receiver.js:2:31:2:83 | '<h2><a ... ></h2>' |
| event-handler-receiver.js:2:49:2:61 | location.href | event-handler-receiver.js:2:31:2:83 | '<h2><a ... ></h2>' |
| event-handler-receiver.js:2:49:2:61 | location.href | event-handler-receiver.js:2:31:2:83 | '<h2><a ... ></h2>' |
@@ -2126,6 +2158,7 @@ edges
| clipboard.ts:29:19:29:54 | e.clipb ... /html') | clipboard.ts:29:19:29:54 | e.clipb ... /html') | clipboard.ts:29:19:29:54 | e.clipb ... /html') | Cross-site scripting vulnerability due to $@. | clipboard.ts:29:19:29:54 | e.clipb ... /html') | user-provided value |
| clipboard.ts:33:19:33:68 | e.origi ... /html') | clipboard.ts:33:19:33:68 | e.origi ... /html') | clipboard.ts:33:19:33:68 | e.origi ... /html') | Cross-site scripting vulnerability due to $@. | clipboard.ts:33:19:33:68 | e.origi ... /html') | user-provided value |
| clipboard.ts:50:29:50:32 | html | clipboard.ts:43:22:43:55 | clipboa ... /html') | clipboard.ts:50:29:50:32 | html | Cross-site scripting vulnerability due to $@. | clipboard.ts:43:22:43:55 | clipboa ... /html') | user-provided value |
| clipboard.ts:73:29:73:39 | droppedHtml | clipboard.ts:71:27:71:62 | e.clipb ... /html') | clipboard.ts:73:29:73:39 | droppedHtml | Cross-site scripting vulnerability due to $@. | clipboard.ts:71:27:71:62 | e.clipb ... /html') | user-provided value |
| d3.js:11:15:11:24 | getTaint() | d3.js:4:12:4:22 | window.name | d3.js:11:15:11:24 | getTaint() | Cross-site scripting vulnerability due to $@. | d3.js:4:12:4:22 | window.name | user-provided value |
| d3.js:12:20:12:29 | getTaint() | d3.js:4:12:4:22 | window.name | d3.js:12:20:12:29 | getTaint() | Cross-site scripting vulnerability due to $@. | d3.js:4:12:4:22 | window.name | user-provided value |
| d3.js:14:20:14:29 | getTaint() | d3.js:4:12:4:22 | window.name | d3.js:14:20:14:29 | getTaint() | Cross-site scripting vulnerability due to $@. | d3.js:4:12:4:22 | window.name | user-provided value |
@@ -2151,6 +2184,7 @@ edges
| dragAndDrop.ts:29:19:29:53 | e.dataT ... /html') | dragAndDrop.ts:29:19:29:53 | e.dataT ... /html') | dragAndDrop.ts:29:19:29:53 | e.dataT ... /html') | Cross-site scripting vulnerability due to $@. | dragAndDrop.ts:29:19:29:53 | e.dataT ... /html') | user-provided value |
| dragAndDrop.ts:33:19:33:67 | e.origi ... /html') | dragAndDrop.ts:33:19:33:67 | e.origi ... /html') | dragAndDrop.ts:33:19:33:67 | e.origi ... /html') | Cross-site scripting vulnerability due to $@. | dragAndDrop.ts:33:19:33:67 | e.origi ... /html') | user-provided value |
| dragAndDrop.ts:50:29:50:32 | html | dragAndDrop.ts:43:22:43:54 | dataTra ... /html') | dragAndDrop.ts:50:29:50:32 | html | Cross-site scripting vulnerability due to $@. | dragAndDrop.ts:43:22:43:54 | dataTra ... /html') | user-provided value |
| dragAndDrop.ts:73:29:73:39 | droppedHtml | dragAndDrop.ts:71:27:71:61 | e.dataT ... /html') | dragAndDrop.ts:73:29:73:39 | droppedHtml | Cross-site scripting vulnerability due to $@. | dragAndDrop.ts:71:27:71:61 | e.dataT ... /html') | user-provided value |
| event-handler-receiver.js:2:31:2:83 | '<h2><a ... ></h2>' | event-handler-receiver.js:2:49:2:61 | location.href | event-handler-receiver.js:2:31:2:83 | '<h2><a ... ></h2>' | Cross-site scripting vulnerability due to $@. | event-handler-receiver.js:2:49:2:61 | location.href | user-provided value |
| express.js:7:15:7:33 | req.param("wobble") | express.js:7:15:7:33 | req.param("wobble") | express.js:7:15:7:33 | req.param("wobble") | Cross-site scripting vulnerability due to $@. | express.js:7:15:7:33 | req.param("wobble") | user-provided value |
| jquery.js:7:5:7:34 | "<div i ... + "\\">" | jquery.js:2:17:2:40 | documen ... .search | jquery.js:7:5:7:34 | "<div i ... + "\\">" | Cross-site scripting vulnerability due to $@. | jquery.js:2:17:2:40 | documen ... .search | user-provided value |

32
javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/XssWithAdditionalSources.expected
View File

@@ -144,6 +144,14 @@ nodes
| clipboard.ts:50:29:50:32 | html |
| clipboard.ts:50:29:50:32 | html |
| clipboard.ts:50:29:50:32 | html |
| clipboard.ts:71:13:71:62 | droppedHtml |
| clipboard.ts:71:13:71:62 | droppedHtml |
| clipboard.ts:71:27:71:62 | e.clipb ... /html') |
| clipboard.ts:71:27:71:62 | e.clipb ... /html') |
| clipboard.ts:71:27:71:62 | e.clipb ... /html') |
| clipboard.ts:73:29:73:39 | droppedHtml |
| clipboard.ts:73:29:73:39 | droppedHtml |
| clipboard.ts:73:29:73:39 | droppedHtml |
| d3.js:4:12:4:22 | window.name |
| d3.js:4:12:4:22 | window.name |
| d3.js:4:12:4:22 | window.name |
@@ -331,6 +339,14 @@ nodes
| dragAndDrop.ts:50:29:50:32 | html |
| dragAndDrop.ts:50:29:50:32 | html |
| dragAndDrop.ts:50:29:50:32 | html |
| dragAndDrop.ts:71:13:71:61 | droppedHtml |
| dragAndDrop.ts:71:13:71:61 | droppedHtml |
| dragAndDrop.ts:71:27:71:61 | e.dataT ... /html') |
| dragAndDrop.ts:71:27:71:61 | e.dataT ... /html') |
| dragAndDrop.ts:71:27:71:61 | e.dataT ... /html') |
| dragAndDrop.ts:73:29:73:39 | droppedHtml |
| dragAndDrop.ts:73:29:73:39 | droppedHtml |
| dragAndDrop.ts:73:29:73:39 | droppedHtml |
| event-handler-receiver.js:2:31:2:83 | '<h2><a ... ></h2>' |
| event-handler-receiver.js:2:31:2:83 | '<h2><a ... ></h2>' |
| event-handler-receiver.js:2:31:2:83 | '<h2><a ... ></h2>' |
@@ -1224,6 +1240,14 @@ edges
| clipboard.ts:43:22:43:55 | clipboa ... /html') | clipboard.ts:43:15:43:55 | html |
| clipboard.ts:43:22:43:55 | clipboa ... /html') | clipboard.ts:43:15:43:55 | html |
| clipboard.ts:43:22:43:55 | clipboa ... /html') | clipboard.ts:43:15:43:55 | html |
| clipboard.ts:71:13:71:62 | droppedHtml | clipboard.ts:73:29:73:39 | droppedHtml |
| clipboard.ts:71:13:71:62 | droppedHtml | clipboard.ts:73:29:73:39 | droppedHtml |
| clipboard.ts:71:13:71:62 | droppedHtml | clipboard.ts:73:29:73:39 | droppedHtml |
| clipboard.ts:71:13:71:62 | droppedHtml | clipboard.ts:73:29:73:39 | droppedHtml |
| clipboard.ts:71:27:71:62 | e.clipb ... /html') | clipboard.ts:71:13:71:62 | droppedHtml |
| clipboard.ts:71:27:71:62 | e.clipb ... /html') | clipboard.ts:71:13:71:62 | droppedHtml |
| clipboard.ts:71:27:71:62 | e.clipb ... /html') | clipboard.ts:71:13:71:62 | droppedHtml |
| clipboard.ts:71:27:71:62 | e.clipb ... /html') | clipboard.ts:71:13:71:62 | droppedHtml |
| d3.js:4:12:4:22 | window.name | d3.js:11:15:11:24 | getTaint() |
| d3.js:4:12:4:22 | window.name | d3.js:11:15:11:24 | getTaint() |
| d3.js:4:12:4:22 | window.name | d3.js:11:15:11:24 | getTaint() |
@@ -1431,6 +1455,14 @@ edges
| dragAndDrop.ts:43:22:43:54 | dataTra ... /html') | dragAndDrop.ts:43:15:43:54 | html |
| dragAndDrop.ts:43:22:43:54 | dataTra ... /html') | dragAndDrop.ts:43:15:43:54 | html |
| dragAndDrop.ts:43:22:43:54 | dataTra ... /html') | dragAndDrop.ts:43:15:43:54 | html |
| dragAndDrop.ts:71:13:71:61 | droppedHtml | dragAndDrop.ts:73:29:73:39 | droppedHtml |
| dragAndDrop.ts:71:13:71:61 | droppedHtml | dragAndDrop.ts:73:29:73:39 | droppedHtml |
| dragAndDrop.ts:71:13:71:61 | droppedHtml | dragAndDrop.ts:73:29:73:39 | droppedHtml |
| dragAndDrop.ts:71:13:71:61 | droppedHtml | dragAndDrop.ts:73:29:73:39 | droppedHtml |
| dragAndDrop.ts:71:27:71:61 | e.dataT ... /html') | dragAndDrop.ts:71:13:71:61 | droppedHtml |
| dragAndDrop.ts:71:27:71:61 | e.dataT ... /html') | dragAndDrop.ts:71:13:71:61 | droppedHtml |
| dragAndDrop.ts:71:27:71:61 | e.dataT ... /html') | dragAndDrop.ts:71:13:71:61 | droppedHtml |
| dragAndDrop.ts:71:27:71:61 | e.dataT ... /html') | dragAndDrop.ts:71:13:71:61 | droppedHtml |
| event-handler-receiver.js:2:49:2:61 | location.href | event-handler-receiver.js:2:31:2:83 | '<h2><a ... ></h2>' |
| event-handler-receiver.js:2:49:2:61 | location.href | event-handler-receiver.js:2:31:2:83 | '<h2><a ... ></h2>' |
| event-handler-receiver.js:2:49:2:61 | location.href | event-handler-receiver.js:2:31:2:83 | '<h2><a ... ></h2>' |

35
javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/clipboard.ts
View File

@@ -53,4 +53,37 @@ $("#foo").bind('paste', (e) => {
}
document.body.append(div);
}
})();
})();
async function getClipboardData(e: ClipboardEvent): Promise<Array<File | string>> {
// Using a set to filter out duplicates. For some reason, dropping URLs duplicates them 3 times (for me)
const dropItems = new Set<File | string>();
// First get all files in the drop event
if (e.clipboardData.files.length > 0) {
// tslint:disable-next-line: prefer-for-of
for (let i = 0; i < e.clipboardData.files.length; i++) {
const file = e.clipboardData.files[i];
}
}
if (e.clipboardData.types.includes('text/html')) {
const droppedHtml = e.clipboardData.getData('text/html');
const container = document.createElement('html');
container.innerHTML = droppedHtml;
const imgs = container.getElementsByTagName('img');
if (imgs.length === 1) {
const src = imgs[0].src;
dropItems.add(src);
}
} else if (e.clipboardData.types.includes('text/plain')) {
const plainText = e.clipboardData.getData('text/plain');
// Check if text is an URL
if (/^https?:\/\//i.test(plainText)) {
dropItems.add(plainText);
}
}
const imageItems = Array.from(dropItems);
return imageItems;
}

35
javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/dragAndDrop.ts
View File

@@ -53,4 +53,37 @@ $("#foo").bind('drop', (e) => {
}
document.body.append(div);
}
})();
})();
async function getDropData(e: DragEvent): Promise<Array<File | string>> {
// Using a set to filter out duplicates. For some reason, dropping URLs duplicates them 3 times (for me)
const dropItems = new Set<File | string>();
// First get all files in the drop event
if (e.dataTransfer.files.length > 0) {
// tslint:disable-next-line: prefer-for-of
for (let i = 0; i < e.dataTransfer.files.length; i++) {
const file = e.dataTransfer.files[i];
}
}
if (e.dataTransfer.types.includes('text/html')) {
const droppedHtml = e.dataTransfer.getData('text/html');
const container = document.createElement('html');
container.innerHTML = droppedHtml;
const imgs = container.getElementsByTagName('img');
if (imgs.length === 1) {
const src = imgs[0].src;
dropItems.add(src);
}
} else if (e.dataTransfer.types.includes('text/plain')) {
const plainText = e.dataTransfer.getData('text/plain');
// Check if text is an URL
if (/^https?:\/\//i.test(plainText)) {
dropItems.add(plainText);
}
}
const imageItems = Array.from(dropItems);
return imageItems;
}