hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-25 08:45:14 +02:00
Code Issues Packages Projects Releases Wiki Activity

JS: Make the TaintedUrlSuffix library use optional steps/barriers

Browse Source
This commit is contained in:
Asger F
2024-09-10 15:02:29 +02:00
parent 3b34cd72f2
commit 7790f68fe2
5 changed files with 21 additions and 20 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
javascript/ql/lib/semmle/javascript/security/TaintedUrlSuffix.qll
View File

@@ -4,6 +4,7 @@
*/
import javascript
private import semmle.javascript.dataflow.internal.DataFlowPrivate as DataFlowPrivate
/**
* Provides a flow label for reasoning about URLs with a tainted query and fragment part,
@@ -45,6 +46,11 @@ module TaintedUrlSuffix {
]
}
predicate isBarrier(Node node, FlowLabel label) {
label = label() and
DataFlowPrivate::optionalBarrier(node, "tainted-url-suffix")
}
/**
* Holds if there is a flow step `src -> dst` involving the URL suffix taint label.
*
@@ -57,6 +63,10 @@ module TaintedUrlSuffix {
TaintTracking::AdditionalTaintStep::step(src, dst) and
not isSafeLocationProp(dst)
or
srclbl = label() and
dstlbl.isTaint() and
DataFlowPrivate::optionalStep(src, "tainted-url-suffix", dst)
or
// Transition from URL suffix to full taint when extracting the query/fragment part.
srclbl = label() and
dstlbl.isTaint() and

2
javascript/ql/lib/semmle/javascript/security/dataflow/DomBasedXssQuery.qll
View File

@@ -76,6 +76,8 @@ module DomBasedXssConfig implements DataFlow::StateConfigSig {
isOptionallySanitizedNode(node) and
lbl = [DataFlow::FlowLabel::taint(), prefixLabel(), TaintedUrlSuffix::label()]
or
TaintedUrlSuffix::isBarrier(node, lbl)
or
node = DataFlow::MakeLabeledBarrierGuard<BarrierGuard>::getABarrierNode(lbl)
}

14
javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/Xss.expected
View File

@@ -514,9 +514,6 @@ nodes
| tst.js:371:7:371:39 | target | semmle.label | target |
| tst.js:371:16:371:39 | documen ... .search | semmle.label | documen ... .search |
| tst.js:374:18:374:23 | target | semmle.label | target |
| tst.js:377:18:377:39 | documen ... on.href | semmle.label | documen ... on.href |
| tst.js:377:18:377:50 | documen ... it("?") [ArrayElement] | semmle.label | documen ... it("?") [ArrayElement] |
| tst.js:377:18:377:53 | documen ... "?")[0] | semmle.label | documen ... "?")[0] |
| tst.js:381:7:381:39 | target | semmle.label | target |
| tst.js:381:7:381:39 | target [taint3] | semmle.label | target [taint3] |
| tst.js:381:7:381:39 | target [taint8] | semmle.label | target [taint8] |
@@ -549,7 +546,7 @@ nodes
| tst.js:421:20:421:27 | match[1] | semmle.label | match[1] |
| tst.js:424:18:424:37 | window.location.hash | semmle.label | window.location.hash |
| tst.js:424:18:424:48 | window. ... it('#') | semmle.label | window. ... it('#') |
| tst.js:424:18:424:48 | window. ... it('#') [ArrayElement] | semmle.label | window. ... it('#') [ArrayElement] |
| tst.js:424:18:424:48 | window. ... it('#') [1] | semmle.label | window. ... it('#') [1] |
| tst.js:424:18:424:51 | window. ... '#')[1] | semmle.label | window. ... '#')[1] |
| tst.js:428:7:428:39 | target | semmle.label | target |
| tst.js:428:16:428:39 | documen ... .search | semmle.label | documen ... .search |
@@ -1115,8 +1112,6 @@ edges
| tst.js:355:19:355:42 | documen ... .search | tst.js:355:10:355:42 | target | provenance | |
| tst.js:371:7:371:39 | target | tst.js:374:18:374:23 | target | provenance | |
| tst.js:371:16:371:39 | documen ... .search | tst.js:371:7:371:39 | target | provenance | |
| tst.js:377:18:377:39 | documen ... on.href | tst.js:377:18:377:50 | documen ... it("?") [ArrayElement] | provenance | |
| tst.js:377:18:377:50 | documen ... it("?") [ArrayElement] | tst.js:377:18:377:53 | documen ... "?")[0] | provenance | |
| tst.js:381:7:381:39 | target | tst.js:384:18:384:23 | target | provenance | |
| tst.js:381:7:381:39 | target | tst.js:386:18:386:23 | target | provenance | |
| tst.js:381:7:381:39 | target | tst.js:397:18:397:23 | target | provenance | |
@@ -1153,11 +1148,11 @@ edges
| tst.js:421:20:421:24 | match | tst.js:421:20:421:27 | match[1] | provenance | Config |
| tst.js:424:18:424:37 | window.location.hash | tst.js:424:18:424:48 | window. ... it('#') | provenance | |
| tst.js:424:18:424:37 | window.location.hash | tst.js:424:18:424:48 | window. ... it('#') | provenance | Config |
| tst.js:424:18:424:37 | window.location.hash | tst.js:424:18:424:48 | window. ... it('#') [ArrayElement] | provenance | |
| tst.js:424:18:424:37 | window.location.hash | tst.js:424:18:424:48 | window. ... it('#') [1] | provenance | Config |
| tst.js:424:18:424:48 | window. ... it('#') | tst.js:424:18:424:51 | window. ... '#')[1] | provenance | |
| tst.js:424:18:424:48 | window. ... it('#') | tst.js:424:18:424:51 | window. ... '#')[1] | provenance | Config |
| tst.js:424:18:424:48 | window. ... it('#') [ArrayElement] | tst.js:424:18:424:51 | window. ... '#')[1] | provenance | |
| tst.js:424:18:424:48 | window. ... it('#') [ArrayElement] | tst.js:424:18:424:51 | window. ... '#')[1] | provenance | Config |
| tst.js:424:18:424:48 | window. ... it('#') [1] | tst.js:424:18:424:51 | window. ... '#')[1] | provenance | |
| tst.js:424:18:424:48 | window. ... it('#') [1] | tst.js:424:18:424:51 | window. ... '#')[1] | provenance | Config |
| tst.js:428:7:428:39 | target | tst.js:430:18:430:23 | target | provenance | |
| tst.js:428:16:428:39 | documen ... .search | tst.js:428:7:428:39 | target | provenance | |
| tst.js:430:18:430:23 | target | tst.js:430:18:430:89 | target. ... data>') | provenance | |
@@ -1460,7 +1455,6 @@ subpaths
| tst.js:360:21:360:26 | target | tst.js:355:19:355:42 | documen ... .search | tst.js:360:21:360:26 | target | Cross-site scripting vulnerability due to $@. | tst.js:355:19:355:42 | documen ... .search | user-provided value |
| tst.js:363:18:363:23 | target | tst.js:355:19:355:42 | documen ... .search | tst.js:363:18:363:23 | target | Cross-site scripting vulnerability due to $@. | tst.js:355:19:355:42 | documen ... .search | user-provided value |
| tst.js:374:18:374:23 | target | tst.js:371:16:371:39 | documen ... .search | tst.js:374:18:374:23 | target | Cross-site scripting vulnerability due to $@. | tst.js:371:16:371:39 | documen ... .search | user-provided value |
| tst.js:377:18:377:53 | documen ... "?")[0] | tst.js:377:18:377:39 | documen ... on.href | tst.js:377:18:377:53 | documen ... "?")[0] | Cross-site scripting vulnerability due to $@. | tst.js:377:18:377:39 | documen ... on.href | user-provided value |
| tst.js:384:18:384:23 | target | tst.js:381:16:381:39 | documen ... .search | tst.js:384:18:384:23 | target | Cross-site scripting vulnerability due to $@. | tst.js:381:16:381:39 | documen ... .search | user-provided value |
| tst.js:386:18:386:29 | target.taint | tst.js:381:16:381:39 | documen ... .search | tst.js:386:18:386:29 | target.taint | Cross-site scripting vulnerability due to $@. | tst.js:381:16:381:39 | documen ... .search | user-provided value |
| tst.js:392:18:392:30 | target.taint3 | tst.js:391:19:391:42 | documen ... .search | tst.js:392:18:392:30 | target.taint3 | Cross-site scripting vulnerability due to $@. | tst.js:391:19:391:42 | documen ... .search | user-provided value |

13
javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/XssWithAdditionalSources.expected
View File

@@ -519,9 +519,6 @@ nodes
| tst.js:371:7:371:39 | target | semmle.label | target |
| tst.js:371:16:371:39 | documen ... .search | semmle.label | documen ... .search |
| tst.js:374:18:374:23 | target | semmle.label | target |
| tst.js:377:18:377:39 | documen ... on.href | semmle.label | documen ... on.href |
| tst.js:377:18:377:50 | documen ... it("?") [ArrayElement] | semmle.label | documen ... it("?") [ArrayElement] |
| tst.js:377:18:377:53 | documen ... "?")[0] | semmle.label | documen ... "?")[0] |
| tst.js:381:7:381:39 | target | semmle.label | target |
| tst.js:381:7:381:39 | target [taint3] | semmle.label | target [taint3] |
| tst.js:381:7:381:39 | target [taint8] | semmle.label | target [taint8] |
@@ -554,7 +551,7 @@ nodes
| tst.js:421:20:421:27 | match[1] | semmle.label | match[1] |
| tst.js:424:18:424:37 | window.location.hash | semmle.label | window.location.hash |
| tst.js:424:18:424:48 | window. ... it('#') | semmle.label | window. ... it('#') |
| tst.js:424:18:424:48 | window. ... it('#') [ArrayElement] | semmle.label | window. ... it('#') [ArrayElement] |
| tst.js:424:18:424:48 | window. ... it('#') [1] | semmle.label | window. ... it('#') [1] |
| tst.js:424:18:424:51 | window. ... '#')[1] | semmle.label | window. ... '#')[1] |
| tst.js:428:7:428:39 | target | semmle.label | target |
| tst.js:428:16:428:39 | documen ... .search | semmle.label | documen ... .search |
@@ -1140,8 +1137,6 @@ edges
| tst.js:355:19:355:42 | documen ... .search | tst.js:355:10:355:42 | target | provenance | |
| tst.js:371:7:371:39 | target | tst.js:374:18:374:23 | target | provenance | |
| tst.js:371:16:371:39 | documen ... .search | tst.js:371:7:371:39 | target | provenance | |
| tst.js:377:18:377:39 | documen ... on.href | tst.js:377:18:377:50 | documen ... it("?") [ArrayElement] | provenance | |
| tst.js:377:18:377:50 | documen ... it("?") [ArrayElement] | tst.js:377:18:377:53 | documen ... "?")[0] | provenance | |
| tst.js:381:7:381:39 | target | tst.js:384:18:384:23 | target | provenance | |
| tst.js:381:7:381:39 | target | tst.js:386:18:386:23 | target | provenance | |
| tst.js:381:7:381:39 | target | tst.js:397:18:397:23 | target | provenance | |
@@ -1178,11 +1173,11 @@ edges
| tst.js:421:20:421:24 | match | tst.js:421:20:421:27 | match[1] | provenance | Config |
| tst.js:424:18:424:37 | window.location.hash | tst.js:424:18:424:48 | window. ... it('#') | provenance | |
| tst.js:424:18:424:37 | window.location.hash | tst.js:424:18:424:48 | window. ... it('#') | provenance | Config |
| tst.js:424:18:424:37 | window.location.hash | tst.js:424:18:424:48 | window. ... it('#') [ArrayElement] | provenance | |
| tst.js:424:18:424:37 | window.location.hash | tst.js:424:18:424:48 | window. ... it('#') [1] | provenance | Config |
| tst.js:424:18:424:48 | window. ... it('#') | tst.js:424:18:424:51 | window. ... '#')[1] | provenance | |
| tst.js:424:18:424:48 | window. ... it('#') | tst.js:424:18:424:51 | window. ... '#')[1] | provenance | Config |
| tst.js:424:18:424:48 | window. ... it('#') [ArrayElement] | tst.js:424:18:424:51 | window. ... '#')[1] | provenance | |
| tst.js:424:18:424:48 | window. ... it('#') [ArrayElement] | tst.js:424:18:424:51 | window. ... '#')[1] | provenance | Config |
| tst.js:424:18:424:48 | window. ... it('#') [1] | tst.js:424:18:424:51 | window. ... '#')[1] | provenance | |
| tst.js:424:18:424:48 | window. ... it('#') [1] | tst.js:424:18:424:51 | window. ... '#')[1] | provenance | Config |
| tst.js:428:7:428:39 | target | tst.js:430:18:430:23 | target | provenance | |
| tst.js:428:16:428:39 | documen ... .search | tst.js:428:7:428:39 | target | provenance | |
| tst.js:430:18:430:23 | target | tst.js:430:18:430:89 | target. ... data>') | provenance | |

2
javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/tst.js
View File

@@ -373,7 +373,7 @@ function test() {
// NOT OK
$('myId').html(target)
// OK [INCONSISTENCY] (TODO: fix)
// OK
$('myid').html(document.location.href.split("?")[0]);
}