Merge pull request #4173 from erik-krogh/targetBlankFP

Approved by esbena
This commit is contained in:
CodeQL CI
2020-09-04 08:21:22 +01:00
committed by GitHub
5 changed files with 22 additions and 3 deletions


@@ -29,7 +29,7 @@ predicate hasDynamicHrefHostAttributeValue(DOM::ElementDefinition elem) {
or
exists(string url | url = attr.getStringValue() |
// fixed string with templating
url.regexpMatch(Templating::getDelimiterMatchingRegexp()) and
url.regexpMatch(Templating::getDelimiterMatchingRegexpWithPrefix("[^?#]*")) and
// ... that does not start with a fixed host or a relative path (common formats)
not url.regexpMatch("(?i)((https?:)?//)?[-a-z0-9.]*/.*")
)
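Review bot: The `[^?#]*` prefix line carries no explanation of why limiting the match to text before the first `?` or `#` is sound, and the unchanged `// fixed string with templating` comment above it no longer describes the narrowed condition. Suggest a comment on the `getDelimiterMatchingRegexpWithPrefix("[^?#]*")` line such as `// ... whose first template expression appears before any '?' or '#': an expression confined to the query or fragment cannot change the target origin`. The prefix is anchored at the start of the attribute value, so any expression that precedes the first `?`/`#` is still treated as potentially dynamic, which is the conservative outcome. `hasDynamicHrefHostAttributeValue` and the binding of `attr` start before this hunk.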


@@ -36,7 +36,16 @@ module Templating {
* of the known template delimiters identified by `getADelimiter()`,
* storing it in its first (and only) capture group.
*/
string getDelimiterMatchingRegexp() {
result = "(?s).*(" + concat("\\Q" + getADelimiter() + "\\E", "|") + ").*"
string getDelimiterMatchingRegexp() { result = getDelimiterMatchingRegexpWithPrefix(".*") }
/**
* Gets a regular expression that matches a string containing one
* of the known template delimiters identified by `getADelimiter()`,
* storing it in its first (and only) capture group.
* Where the string prior to the template delimiter matches the regexp `prefix`.
*/
bindingset[prefix]
string getDelimiterMatchingRegexpWithPrefix(string prefix) {
result = "(?s)" + prefix + "(" + concat("\\Q" + getADelimiter() + "\\E", "|") + ").*"
}
}
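Review bot: `prefix` is concatenated into the pattern verbatim in `getDelimiterMatchingRegexpWithPrefix`, so a caller-supplied fragment containing a capturing group pushes the delimiter out of group 1 and the doc comment's "first (and only) capture group" becomes false; the comment should state that `prefix` must be a valid regex fragment with no capturing groups (use `(?:...)`), and that it is matched under the `(?s)` flag set at the front of the pattern. The sentence "Where the string prior to the template delimiter matches the regexp `prefix`" is also imprecise: since the whole string is matched with backtracking, the regexp holds when `prefix` matches the text before some occurrence of a delimiter, not necessarily the first. Suggest replacing that line with `* The text preceding some delimiter occurrence must match the regexp fragment \`prefix\`, which must not introduce capturing groups.` The `Templating` module continues outside this hunk.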


@@ -1,6 +1,7 @@
| tst.html:23:1:23:61 | <a>...</> | External links without noopener/noreferrer are a potential security risk. |
| tst.html:24:1:24:48 | <a>...</> | External links without noopener/noreferrer are a potential security risk. |
| tst.html:25:1:25:36 | <a>...</> | External links without noopener/noreferrer are a potential security risk. |
| tst.html:30:1:30:61 | <a>...</> | External links without noopener/noreferrer are a potential security risk. |
| tst.js:18:1:18:43 | <a href ... ple</a> | External links without noopener/noreferrer are a potential security risk. |
| tst.js:19:1:19:58 | <a href ... ple</a> | External links without noopener/noreferrer are a potential security risk. |
| tst.js:20:1:20:51 | <a data ... ple</a> | External links without noopener/noreferrer are a potential security risk. |


@@ -26,5 +26,13 @@
Example
</a>
<h1>NOT OK: mailto is not fine.</h1>
<a target="_blank" href="mailto:{{var:mail}}">mail somone</a>
<h1>OK: template elements after # or ? are fine.</h1>
<a href="file.extension?#[% row.href %]" target="_blank">Example</a>
<a href="file.extension?[% row.href %]" target="_blank">Example</a>
<a href="file.extension#[% row.href %]" target="_blank">Example</a>
</body>
</html>
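Review bot: The three new OK cases only exercise the suppression (`?`/`#` before the template expression); there is no matching NOT OK case with the expression before a fixed query string, e.g. `<a href="[% row.href %]?x=1" target="_blank">Example</a>`, to show the narrowed regexp still flags a dynamic origin followed by a literal query, unless such a case already exists earlier in the file (the file starts outside this hunk). The hunk header reports 13 new-side lines but only 8 are rendered here, so blank lines were probably lost in rendering rather than omitted from the change. Minor: `mail somone` on the mailto line is a typo; harmless as test content but worth fixing while the line is new.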