fix catastrophic join order in UnsafeJQueryPlugin

2025-12-16 16:53:25 +01:00 · 2020-09-14 09:59:48 +02:00
parent 9502869e3c
commit 6fb534f178
1 changed files with 14 additions and 4 deletions
--- a/javascript/ql/src/semmle/javascript/security/dataflow/UnsafeJQueryPluginCustomizations.qll
+++ b/javascript/ql/src/semmle/javascript/security/dataflow/UnsafeJQueryPluginCustomizations.qll
@@ -195,15 +195,25 @@ module UnsafeJQueryPlugin {
   */
  predicate isLikelyIntentionalHtmlSink(DataFlow::Node sink) {
    exists(
-      JQuery::JQueryPluginMethod plugin, DataFlow::PropWrite defaultDef, string default,
+      JQuery::JQueryPluginMethod plugin, DataFlow::PropWrite defaultDef,
      DataFlow::PropRead finalRead
    |
      hasDefaultOption(plugin, defaultDef) and
-      defaultDef.getPropertyName() = finalRead.getPropertyName() and
-      defaultDef.getRhs().mayHaveStringValue(default) and
-      default.regexpMatch("\\s*<.*") and
+      defaultDef = getALikelyHTMLWrite(finalRead.getPropertyName()) and
      finalRead.flowsTo(sink) and
      sink.getTopLevel() = plugin.getTopLevel()
    )
  }
+
+  /**
+   * Gets a property-write that writes a HTML-like constant string to `prop`.
+   */
+  pragma[noinline]
+  private DataFlow::PropWrite getALikelyHTMLWrite(string prop) {
+    exists(string default |
+      result.getRhs().mayHaveStringValue(default) and
+      default.regexpMatch("\\s*<.*") and
+      result.getPropertyName() = prop
+    )
+  }
 }