hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-29 10:45:15 +02:00
Code Issues Packages Projects Releases Wiki Activity

Add Next.js router push as XSS sink

Browse Source
This commit is contained in:
tyage
2023-04-08 18:18:34 +09:00
parent 5ee9711f03
commit 7f9b8557ac
4 changed files with 87 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
javascript/ql/lib/semmle/javascript/security/dataflow/ClientSideUrlRedirectCustomizations.qll
View File

@@ -231,6 +231,8 @@ module ClientSideUrlRedirect {
NextRoutePushUrlSink() {
this = NextJS::nextRouter().getAMemberCall(["push", "replace"]).getArgument(0)
}
override predicate isXssSink() { any() }
}
private class SinkFromModel extends Sink {

32
javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/Xss.expected
View File

@@ -560,6 +560,20 @@ nodes
| react-use-context.js:16:26:16:36 | window.name |
| react-use-context.js:16:26:16:36 | window.name |
| react-use-context.js:16:26:16:36 | window.name |
| react-use-router.js:5:9:5:28 | router |
| react-use-router.js:5:18:5:28 | useRouter() |
| react-use-router.js:9:21:9:26 | router |
| react-use-router.js:9:21:9:32 | router.query |
| react-use-router.js:9:21:9:32 | router.query |
| react-use-router.js:9:21:9:39 | router.query.foobar |
| react-use-router.js:9:21:9:39 | router.query.foobar |
| react-use-router.js:20:15:20:24 | router |
| react-use-router.js:20:17:20:22 | router |
| react-use-router.js:21:43:21:48 | router |
| react-use-router.js:21:43:21:54 | router.query |
| react-use-router.js:21:43:21:54 | router.query |
| react-use-router.js:21:43:21:61 | router.query.foobar |
| react-use-router.js:21:43:21:61 | router.query.foobar |
| react-use-state.js:4:9:4:49 | state |
| react-use-state.js:4:9:4:49 | state |
| react-use-state.js:4:10:4:14 | state |
@@ -1700,6 +1714,22 @@ edges
| react-native.js:7:17:7:33 | req.param("code") | react-native.js:7:7:7:33 | tainted |
| react-use-context.js:10:22:10:32 | window.name | react-use-context.js:10:22:10:32 | window.name |
| react-use-context.js:16:26:16:36 | window.name | react-use-context.js:16:26:16:36 | window.name |
| react-use-router.js:5:9:5:28 | router | react-use-router.js:9:21:9:26 | router |
| react-use-router.js:5:18:5:28 | useRouter() | react-use-router.js:5:9:5:28 | router |
| react-use-router.js:9:21:9:26 | router | react-use-router.js:9:21:9:32 | router.query |
| react-use-router.js:9:21:9:32 | router.query | react-use-router.js:9:21:9:39 | router.query.foobar |
| react-use-router.js:9:21:9:32 | router.query | react-use-router.js:9:21:9:39 | router.query.foobar |
| react-use-router.js:9:21:9:32 | router.query | react-use-router.js:9:21:9:39 | router.query.foobar |
| react-use-router.js:9:21:9:32 | router.query | react-use-router.js:9:21:9:39 | router.query.foobar |
| react-use-router.js:9:21:9:39 | router.query.foobar | react-use-router.js:5:18:5:28 | useRouter() |
| react-use-router.js:20:15:20:24 | router | react-use-router.js:21:43:21:48 | router |
| react-use-router.js:20:17:20:22 | router | react-use-router.js:20:15:20:24 | router |
| react-use-router.js:21:43:21:48 | router | react-use-router.js:21:43:21:54 | router.query |
| react-use-router.js:21:43:21:54 | router.query | react-use-router.js:21:43:21:61 | router.query.foobar |
| react-use-router.js:21:43:21:54 | router.query | react-use-router.js:21:43:21:61 | router.query.foobar |
| react-use-router.js:21:43:21:54 | router.query | react-use-router.js:21:43:21:61 | router.query.foobar |
| react-use-router.js:21:43:21:54 | router.query | react-use-router.js:21:43:21:61 | router.query.foobar |
| react-use-router.js:21:43:21:61 | router.query.foobar | react-use-router.js:20:17:20:22 | router |
| react-use-state.js:4:9:4:49 | state | react-use-state.js:5:51:5:55 | state |
| react-use-state.js:4:9:4:49 | state | react-use-state.js:5:51:5:55 | state |
| react-use-state.js:4:9:4:49 | state | react-use-state.js:5:51:5:55 | state |
@@ -2386,6 +2416,8 @@ edges
| react-native.js:9:27:9:33 | tainted | react-native.js:7:17:7:33 | req.param("code") | react-native.js:9:27:9:33 | tainted | Cross-site scripting vulnerability due to $@. | react-native.js:7:17:7:33 | req.param("code") | user-provided value |
| react-use-context.js:10:22:10:32 | window.name | react-use-context.js:10:22:10:32 | window.name | react-use-context.js:10:22:10:32 | window.name | Cross-site scripting vulnerability due to $@. | react-use-context.js:10:22:10:32 | window.name | user-provided value |
| react-use-context.js:16:26:16:36 | window.name | react-use-context.js:16:26:16:36 | window.name | react-use-context.js:16:26:16:36 | window.name | Cross-site scripting vulnerability due to $@. | react-use-context.js:16:26:16:36 | window.name | user-provided value |
| react-use-router.js:9:21:9:39 | router.query.foobar | react-use-router.js:9:21:9:32 | router.query | react-use-router.js:9:21:9:39 | router.query.foobar | Cross-site scripting vulnerability due to $@. | react-use-router.js:9:21:9:32 | router.query | user-provided value |
| react-use-router.js:21:43:21:61 | router.query.foobar | react-use-router.js:21:43:21:54 | router.query | react-use-router.js:21:43:21:61 | router.query.foobar | Cross-site scripting vulnerability due to $@. | react-use-router.js:21:43:21:54 | router.query | user-provided value |
| react-use-state.js:5:51:5:55 | state | react-use-state.js:4:38:4:48 | window.name | react-use-state.js:5:51:5:55 | state | Cross-site scripting vulnerability due to $@. | react-use-state.js:4:38:4:48 | window.name | user-provided value |
| react-use-state.js:11:51:11:55 | state | react-use-state.js:10:14:10:24 | window.name | react-use-state.js:11:51:11:55 | state | Cross-site scripting vulnerability due to $@. | react-use-state.js:10:14:10:24 | window.name | user-provided value |
| react-use-state.js:17:51:17:55 | state | react-use-state.js:16:20:16:30 | window.name | react-use-state.js:17:51:17:55 | state | Cross-site scripting vulnerability due to $@. | react-use-state.js:16:20:16:30 | window.name | user-provided value |

30
javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/XssWithAdditionalSources.expected
View File

@@ -572,6 +572,20 @@ nodes
| react-use-context.js:16:26:16:36 | window.name |
| react-use-context.js:16:26:16:36 | window.name |
| react-use-context.js:16:26:16:36 | window.name |
| react-use-router.js:5:9:5:28 | router |
| react-use-router.js:5:18:5:28 | useRouter() |
| react-use-router.js:9:21:9:26 | router |
| react-use-router.js:9:21:9:32 | router.query |
| react-use-router.js:9:21:9:32 | router.query |
| react-use-router.js:9:21:9:39 | router.query.foobar |
| react-use-router.js:9:21:9:39 | router.query.foobar |
| react-use-router.js:20:15:20:24 | router |
| react-use-router.js:20:17:20:22 | router |
| react-use-router.js:21:43:21:48 | router |
| react-use-router.js:21:43:21:54 | router.query |
| react-use-router.js:21:43:21:54 | router.query |
| react-use-router.js:21:43:21:61 | router.query.foobar |
| react-use-router.js:21:43:21:61 | router.query.foobar |
| react-use-state.js:4:9:4:49 | state |
| react-use-state.js:4:9:4:49 | state |
| react-use-state.js:4:10:4:14 | state |
@@ -1762,6 +1776,22 @@ edges
| react-native.js:7:17:7:33 | req.param("code") | react-native.js:7:7:7:33 | tainted |
| react-use-context.js:10:22:10:32 | window.name | react-use-context.js:10:22:10:32 | window.name |
| react-use-context.js:16:26:16:36 | window.name | react-use-context.js:16:26:16:36 | window.name |
| react-use-router.js:5:9:5:28 | router | react-use-router.js:9:21:9:26 | router |
| react-use-router.js:5:18:5:28 | useRouter() | react-use-router.js:5:9:5:28 | router |
| react-use-router.js:9:21:9:26 | router | react-use-router.js:9:21:9:32 | router.query |
| react-use-router.js:9:21:9:32 | router.query | react-use-router.js:9:21:9:39 | router.query.foobar |
| react-use-router.js:9:21:9:32 | router.query | react-use-router.js:9:21:9:39 | router.query.foobar |
| react-use-router.js:9:21:9:32 | router.query | react-use-router.js:9:21:9:39 | router.query.foobar |
| react-use-router.js:9:21:9:32 | router.query | react-use-router.js:9:21:9:39 | router.query.foobar |
| react-use-router.js:9:21:9:39 | router.query.foobar | react-use-router.js:5:18:5:28 | useRouter() |
| react-use-router.js:20:15:20:24 | router | react-use-router.js:21:43:21:48 | router |
| react-use-router.js:20:17:20:22 | router | react-use-router.js:20:15:20:24 | router |
| react-use-router.js:21:43:21:48 | router | react-use-router.js:21:43:21:54 | router.query |
| react-use-router.js:21:43:21:54 | router.query | react-use-router.js:21:43:21:61 | router.query.foobar |
| react-use-router.js:21:43:21:54 | router.query | react-use-router.js:21:43:21:61 | router.query.foobar |
| react-use-router.js:21:43:21:54 | router.query | react-use-router.js:21:43:21:61 | router.query.foobar |
| react-use-router.js:21:43:21:54 | router.query | react-use-router.js:21:43:21:61 | router.query.foobar |
| react-use-router.js:21:43:21:61 | router.query.foobar | react-use-router.js:20:17:20:22 | router |
| react-use-state.js:4:9:4:49 | state | react-use-state.js:5:51:5:55 | state |
| react-use-state.js:4:9:4:49 | state | react-use-state.js:5:51:5:55 | state |
| react-use-state.js:4:9:4:49 | state | react-use-state.js:5:51:5:55 | state |

23
javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/react-use-router.js vendored Normal file
View File

@@ -0,0 +1,23 @@
import { useRouter } from 'next/router'
export function nextRouter() {
const router = useRouter();
return (
<div>
<span onClick={() => {
router.push(router.query.foobar) // NOT OK
}}>Click to XSS 1</span>
<span onClick={() => {
router.push('/?foobar=' + router.query.foobar) // OK
}}>Safe Link</span>
</div>
)
}
import { withRouter } from 'next/router'
function Page({ router }) {
return <span onClick={() => router.push(router.query.foobar)}>Click to XSS 2</span> // NOT OK
}
export const pageWithRouter = withRouter(Page);