Merge remote-tracking branch 'upstream/master' into typeAheadSink

2026-04-30 19:26:02 +02:00 · 2019-11-26 14:37:40 +01:00
parent ace484a519 b1745f588c
commit 5a0cabb039
60 changed files with 1017 additions and 421 deletions
--- a/javascript/ql/src/Statements/UseOfReturnlessFunction.ql
+++ b/javascript/ql/src/Statements/UseOfReturnlessFunction.ql
@@ -222,6 +222,7 @@ where
  not lastStatementHasNoEffect(func) and
  // anonymous one-shot closure. Those are used in weird ways and we ignore them.
  not oneshotClosure(call) and
-  not hasNonVoidReturnType(func)
+  not hasNonVoidReturnType(func) and
+  not call.getEnclosingExpr() instanceof SuperCall
 select
  call, msg, func, name
--- a/javascript/ql/src/javascript.qll
+++ b/javascript/ql/src/javascript.qll
@@ -76,6 +76,7 @@ import semmle.javascript.frameworks.Electron
 import semmle.javascript.frameworks.Files
 import semmle.javascript.frameworks.Firebase
 import semmle.javascript.frameworks.jQuery
+import semmle.javascript.frameworks.Handlebars
 import semmle.javascript.frameworks.LodashUnderscore
 import semmle.javascript.frameworks.Logging
 import semmle.javascript.frameworks.HttpFrameworks
--- a/javascript/ql/src/semmle/javascript/frameworks/Handlebars.qll
+++ b/javascript/ql/src/semmle/javascript/frameworks/Handlebars.qll
@@ -0,0 +1,29 @@
+/**
+ * Provides classes for working with Handlebars code.
+ */
+
+import javascript
+
+module Handlebars {
+  /**
+   * A reference to the Handlebars library. 
+   */
+  class Handlebars extends DataFlow::SourceNode {
+    Handlebars() {
+      this.accessesGlobal("handlebars")
+      or
+      this.accessesGlobal("Handlebars")
+      or
+      this = DataFlow::moduleImport("handlebars")
+      or
+      this.hasUnderlyingType("Handlebars")
+    }
+  }
+
+  /**
+   * A new instantiation of a Handlebars.SafeString.
+   */
+  class SafeString extends DataFlow::NewNode {
+    SafeString() { this = any(Handlebars h).getAConstructorInvocation("SafeString") }
+  }
+}
--- a/javascript/ql/src/semmle/javascript/security/dataflow/Xss.qll
+++ b/javascript/ql/src/semmle/javascript/security/dataflow/Xss.qll
@@ -97,6 +97,8 @@ module DomBasedXss {
      )
      or
      this = any(Typeahead::TypeaheadSuggestionFunction f).getAReturn()
+      or
+      this = any(Handlebars::SafeString s).getAnArgument()
    }
  }

--- a/javascript/ql/test/query-tests/Security/CWE-079/Xss.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-079/Xss.expected
@@ -315,6 +315,7 @@ nodes
 | tst.js:285:59:285:65 | tainted |
 | tst.js:285:59:285:65 | tainted |
 | tst.js:285:59:285:65 | tainted |
+<<<<<<< HEAD
 | typeahead.js:20:13:20:45 | target |
 | typeahead.js:20:22:20:38 | document.location |
 | typeahead.js:20:22:20:38 | document.location |
@@ -323,6 +324,11 @@ nodes
 | typeahead.js:24:30:24:32 | val |
 | typeahead.js:25:18:25:20 | val |
 | typeahead.js:25:18:25:20 | val |
+=======
+| tst.js:297:35:297:42 | location |
+| tst.js:297:35:297:42 | location |
+| tst.js:297:35:297:42 | location |
+>>>>>>> upstream/master
 | v-html.vue:2:8:2:23 | v-html=tainted |
 | v-html.vue:2:8:2:23 | v-html=tainted |
 | v-html.vue:6:42:6:58 | document.location |
@@ -619,6 +625,7 @@ edges
 | typeahead.js:21:12:21:17 | target | typeahead.js:24:30:24:32 | val |
 | typeahead.js:24:30:24:32 | val | typeahead.js:25:18:25:20 | val |
 | typeahead.js:24:30:24:32 | val | typeahead.js:25:18:25:20 | val |
+| tst.js:297:35:297:42 | location | tst.js:297:35:297:42 | location |
 | v-html.vue:6:42:6:58 | document.location | v-html.vue:2:8:2:23 | v-html=tainted |
 | v-html.vue:6:42:6:58 | document.location | v-html.vue:2:8:2:23 | v-html=tainted |
 | v-html.vue:6:42:6:58 | document.location | v-html.vue:2:8:2:23 | v-html=tainted |
@@ -709,6 +716,7 @@ edges
 | tst.js:285:59:285:65 | tainted | tst.js:282:19:282:29 | window.name | tst.js:285:59:285:65 | tainted | Cross-site scripting vulnerability due to $@. | tst.js:282:19:282:29 | window.name | user-provided value |
 | tst.js:285:59:285:65 | tainted | tst.js:285:59:285:65 | tainted | tst.js:285:59:285:65 | tainted | Cross-site scripting vulnerability due to $@. | tst.js:285:59:285:65 | tainted | user-provided value |
 | typeahead.js:25:18:25:20 | val | typeahead.js:20:22:20:38 | document.location | typeahead.js:25:18:25:20 | val | Cross-site scripting vulnerability due to $@. | typeahead.js:20:22:20:38 | document.location | user-provided value |
+| tst.js:297:35:297:42 | location | tst.js:297:35:297:42 | location | tst.js:297:35:297:42 | location | Cross-site scripting vulnerability due to $@. | tst.js:297:35:297:42 | location | user-provided value |
 | v-html.vue:2:8:2:23 | v-html=tainted | v-html.vue:6:42:6:58 | document.location | v-html.vue:2:8:2:23 | v-html=tainted | Cross-site scripting vulnerability due to $@. | v-html.vue:6:42:6:58 | document.location | user-provided value |
 | winjs.js:3:43:3:49 | tainted | winjs.js:2:17:2:33 | document.location | winjs.js:3:43:3:49 | tainted | Cross-site scripting vulnerability due to $@. | winjs.js:2:17:2:33 | document.location | user-provided value |
 | winjs.js:4:43:4:49 | tainted | winjs.js:2:17:2:33 | document.location | winjs.js:4:43:4:49 | tainted | Cross-site scripting vulnerability due to $@. | winjs.js:2:17:2:33 | document.location | user-provided value |
--- a/javascript/ql/test/query-tests/Security/CWE-079/tst.js
+++ b/javascript/ql/test/query-tests/Security/CWE-079/tst.js
@@ -292,3 +292,7 @@ function flowThroughPropertyNames() {
    for (var p in obj)
      $(p); // OK
 }
+
+function handlebarsSafeString() {
+	return new Handlebars.SafeString(location); // NOT OK!	
+}
--- a/javascript/ql/test/query-tests/Statements/UseOfReturnlessFunction/tst.js
+++ b/javascript/ql/test/query-tests/Statements/UseOfReturnlessFunction/tst.js
@@ -92,4 +92,16 @@

 +function() {
    console.log("FOO");
-}.call(this);
+}.call(this);
+
+class Foo {
+	constructor() {
+		console.log("FOO");
+	}
+}
+
+class Bar extends Foo {
+	constructor() {
+		console.log(super()); // OK.
+	}
+}