JS: Port ClientSideUrlRedirect

Asger F
2023-10-04 21:36:01 +02:00
parent 46fd727a55
commit 81d2721248
5 changed files with 211 additions and 371 deletions


@@ -49,6 +49,16 @@ module ClientSideUrlRedirect {
}
}
/**
* Holds if `node` extracts a part of a URL that does not contain the suffix.
*/
pragma[inline]
predicate isPrefixExtraction(DataFlow::MethodCallNode node) {
// Block flow through prefix-extraction `substring(0, ...)` and `split("#")[0]`
node.getMethodName() = [StringOps::substringMethodName(), "split"] and
not untrustedUrlSubstring(_, node)
}
/**
* Holds if `substring` refers to a substring of `base` which is considered untrusted
* when `base` is the current URL.
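Review bot: The inline comment on `isPrefixExtraction` is narrower than the predicate: the body matches every `split` call and every method named by `StringOps::substringMethodName()` regardless of arguments, and only `not untrustedUrlSubstring(_, node)` lets the recognised suffix extractions through, so `// Block flow through prefix-extraction `substring(0, ...)` and `split("#")[0]`` reads as if just those two forms are barriers. I would reword it to `// Any substring/split call on the URL is treated as a prefix extraction unless untrustedUrlSubstring recognises it as extracting a suffix`, and say in the QLDoc that the predicate is meant as a barrier for the DocumentUrl flow state only, since it does not by itself justify dropping taint from an already fully tainted string. The enclosing `module ClientSideUrlRedirect` starts and ends outside the hunk.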


@@ -19,7 +19,55 @@ private class ConcreteDocumentUrl extends DocumentUrl {
/**
* A taint-tracking configuration for reasoning about unvalidated URL redirections.
*/
class Configuration extends TaintTracking::Configuration {
module ClientSideUrlRedirectConfig implements DataFlow::StateConfigSig {
class FlowState = DataFlow::FlowLabel;
predicate isSource(DataFlow::Node source, DataFlow::FlowLabel state) {
source.(Source).getAFlowLabel() = state
}
predicate isSink(DataFlow::Node sink, DataFlow::FlowLabel state) {
sink instanceof Sink and state.isTaint()
}
predicate isBarrier(DataFlow::Node node) {
node instanceof Sanitizer or node = HostnameSanitizerGuard::getABarrierNode()
}
predicate isBarrier(DataFlow::Node node, DataFlow::FlowLabel state) {
isPrefixExtraction(node) and
state instanceof DocumentUrl
}
predicate isBarrierOut(DataFlow::Node node) { hostnameSanitizingPrefixEdge(node, _) }
predicate isBarrierOut(DataFlow::Node node, DataFlow::FlowLabel label) { isSink(node, label) }
predicate isAdditionalFlowStep(
DataFlow::Node node1, DataFlow::FlowLabel state1, DataFlow::Node node2,
DataFlow::FlowLabel state2
) {
untrustedUrlSubstring(node1, node2) and
state1 instanceof DocumentUrl and
state2.isTaint()
or
exists(HtmlSanitizerCall call |
node1 = call.getInput() and
node2 = call and
state1 = state2
)
}
}
/**
* Taint-tracking flow for reasoning about unvalidated URL redirections.
*/
module ClientSideUrlRedirectFlow = TaintTracking::GlobalWithState<ClientSideUrlRedirectConfig>;
/**
* A taint-tracking configuration for reasoning about unvalidated URL redirections.
*/
deprecated class Configuration extends TaintTracking::Configuration {
Configuration() { this = "ClientSideUrlRedirect" }
override predicate isSource(DataFlow::Node source, DataFlow::FlowLabel lbl) {
@@ -36,21 +84,22 @@ class Configuration extends TaintTracking::Configuration {
override predicate isSanitizerOut(DataFlow::Node node) { hostnameSanitizingPrefixEdge(node, _) }
override predicate isAdditionalFlowStep(
DataFlow::Node pred, DataFlow::Node succ, DataFlow::FlowLabel f, DataFlow::FlowLabel g
DataFlow::Node node1, DataFlow::Node node2, DataFlow::FlowLabel state1,
DataFlow::FlowLabel state2
) {
untrustedUrlSubstring(pred, succ) and
f instanceof DocumentUrl and
g.isTaint()
ClientSideUrlRedirectConfig::isAdditionalFlowStep(node1, state1, node2, state2)
or
// preserve document.url label in step from `location` to `location.href`
f instanceof DocumentUrl and
g instanceof DocumentUrl and
succ.(DataFlow::PropRead).accesses(pred, "href")
or
exists(HtmlSanitizerCall call |
pred = call.getInput() and
succ = call and
f = g
// Preserve document.url label in step from `location` to `location.href` or `location.toString()`
state1 instanceof DocumentUrl and
state2 instanceof DocumentUrl and
(
node2.(DataFlow::PropRead).accesses(node1, "href")
or
exists(DataFlow::CallNode call |
call.getCalleeName() = "toString" and
node1 = call.getReceiver() and
node2 = call
)
)
}
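Review bot: `ClientSideUrlRedirectConfig::isAdditionalFlowStep` in the first hunk does not carry the DocumentUrl label across the `location` → `location.href` / `location.toString()` step, while the deprecated `Configuration::isAdditionalFlowStep` in the second hunk still adds exactly that step on top of the delegated call, so the two configurations can report different paths. If the new module no longer needs it, presumably because DocumentUrl sources are modelled at the `href` level through `ConcreteDocumentUrl`, that asymmetry deserves a comment on the module's predicate, e.g. `// The legacy location -> location.href label-preserving step is deliberately not ported; DocumentUrl sources already cover it` (confirm this against the source definitions); otherwise the step should be ported into the module as well. The `deprecated class Configuration` begins inside the first hunk and its body continues past the end of the second.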


@@ -15,9 +15,10 @@
import javascript
import semmle.javascript.security.dataflow.ClientSideUrlRedirectQuery
import DataFlow::PathGraph
import DataFlow::DeduplicatePathGraph<ClientSideUrlRedirectFlow::PathNode, ClientSideUrlRedirectFlow::PathGraph>
from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
where cfg.hasFlowPath(source, sink)
from PathNode source, PathNode sink
where
ClientSideUrlRedirectFlow::flowPath(source.getAnOriginalPathNode(), sink.getAnOriginalPathNode())
select sink.getNode(), source, sink, "Untrusted URL redirection depends on a $@.", source.getNode(),
"user-provided value"


@@ -1,435 +1,210 @@
nodes
| electron.js:4:12:4:22 | window.name |
| electron.js:4:12:4:22 | window.name |
| electron.js:7:20:7:29 | getTaint() |
| electron.js:7:20:7:29 | getTaint() |
| react.js:10:60:10:81 | documen ... on.hash |
| react.js:10:60:10:81 | documen ... on.hash |
| react.js:10:60:10:81 | documen ... on.hash |
| react.js:21:24:21:45 | documen ... on.hash |
| react.js:21:24:21:45 | documen ... on.hash |
| react.js:21:24:21:45 | documen ... on.hash |
| react.js:28:43:28:64 | documen ... on.hash |
| react.js:28:43:28:64 | documen ... on.hash |
| react.js:28:43:28:74 | documen ... bstr(1) |
| react.js:28:43:28:74 | documen ... bstr(1) |
| react.js:34:43:34:64 | documen ... on.hash |
| react.js:34:43:34:64 | documen ... on.hash |
| react.js:34:43:34:74 | documen ... bstr(1) |
| react.js:34:43:34:74 | documen ... bstr(1) |
| react.js:40:19:40:40 | documen ... on.hash |
| react.js:40:19:40:40 | documen ... on.hash |
| react.js:40:19:40:50 | documen ... bstr(1) |
| react.js:40:19:40:50 | documen ... bstr(1) |
| sanitizer.js:2:9:2:25 | url |
| sanitizer.js:2:15:2:25 | window.name |
| sanitizer.js:2:15:2:25 | window.name |
| sanitizer.js:4:27:4:29 | url |
| sanitizer.js:4:27:4:29 | url |
| sanitizer.js:16:27:16:29 | url |
| sanitizer.js:16:27:16:29 | url |
| sanitizer.js:19:27:19:29 | url |
| sanitizer.js:19:27:19:29 | url |
| sanitizer.js:22:27:22:29 | url |
| sanitizer.js:22:27:22:29 | url |
| sanitizer.js:25:27:25:29 | url |
| sanitizer.js:25:27:25:29 | url |
| sanitizer.js:28:27:28:29 | url |
| sanitizer.js:28:27:28:29 | url |
| sanitizer.js:31:27:31:29 | url |
| sanitizer.js:31:27:31:29 | url |
| sanitizer.js:37:27:37:29 | url |
| sanitizer.js:37:27:37:29 | url |
| tst2.js:2:7:2:33 | href |
| tst2.js:2:14:2:28 | window.location |
| tst2.js:2:14:2:28 | window.location |
| tst2.js:2:14:2:33 | window.location.href |
| tst2.js:2:14:2:33 | window.location.href |
| tst2.js:4:21:4:24 | href |
| tst2.js:4:21:4:55 | href.su ... '?')+1) |
| tst2.js:4:21:4:55 | href.su ... '?')+1) |
| tst6.js:2:7:2:45 | redirect |
| tst6.js:2:18:2:45 | $locati ... irect') |
| tst6.js:2:18:2:45 | $locati ... irect') |
| tst6.js:4:21:4:28 | redirect |
| tst6.js:4:21:4:28 | redirect |
| tst6.js:6:17:6:24 | redirect |
| tst6.js:6:17:6:24 | redirect |
| tst6.js:8:21:8:48 | $locati ... irect') |
| tst6.js:8:21:8:48 | $locati ... irect') |
| tst6.js:8:21:8:56 | $locati ... + "foo" |
| tst6.js:8:21:8:56 | $locati ... + "foo" |
| tst7.js:2:12:2:35 | documen ... .search |
| tst7.js:2:12:2:35 | documen ... .search |
| tst7.js:2:12:2:35 | documen ... .search |
| tst7.js:5:27:5:50 | documen ... .search |
| tst7.js:5:27:5:50 | documen ... .search |
| tst7.js:5:27:5:50 | documen ... .search |
| tst9.js:2:21:2:42 | documen ... on.hash |
| tst9.js:2:21:2:42 | documen ... on.hash |
| tst9.js:2:21:2:55 | documen ... ring(1) |
| tst9.js:2:21:2:55 | documen ... ring(1) |
| tst10.js:5:17:5:46 | '/' + d ... .search |
| tst10.js:5:17:5:46 | '/' + d ... .search |
| tst10.js:5:23:5:46 | documen ... .search |
| tst10.js:5:23:5:46 | documen ... .search |
| tst10.js:8:17:8:47 | '//' + ... .search |
| tst10.js:8:17:8:47 | '//' + ... .search |
| tst10.js:8:24:8:47 | documen ... .search |
| tst10.js:8:24:8:47 | documen ... .search |
| tst10.js:11:17:11:50 | '//foo' ... .search |
| tst10.js:11:17:11:50 | '//foo' ... .search |
| tst10.js:11:27:11:50 | documen ... .search |
| tst10.js:11:27:11:50 | documen ... .search |
| tst10.js:14:17:14:56 | 'https: ... .search |
| tst10.js:14:17:14:56 | 'https: ... .search |
| tst10.js:14:33:14:56 | documen ... .search |
| tst10.js:14:33:14:56 | documen ... .search |
| tst12.js:3:9:3:50 | urlParts |
| tst12.js:3:20:3:39 | window.location.hash |
| tst12.js:3:20:3:39 | window.location.hash |
| tst12.js:3:20:3:50 | window. ... it('?') |
| tst12.js:4:9:4:45 | loc |
| tst12.js:4:15:4:22 | urlParts |
| tst12.js:4:15:4:25 | urlParts[0] |
| tst12.js:4:15:4:45 | urlPart ... s.value |
| tst12.js:5:23:5:25 | loc |
| tst12.js:5:23:5:25 | loc |
| tst13.js:2:9:2:52 | payload |
| tst13.js:2:19:2:42 | documen ... .search |
| tst13.js:2:19:2:42 | documen ... .search |
| tst13.js:2:19:2:52 | documen ... bstr(1) |
| tst13.js:4:15:4:21 | payload |
| tst13.js:4:15:4:21 | payload |
| tst13.js:8:21:8:27 | payload |
| tst13.js:8:21:8:27 | payload |
| tst13.js:12:14:12:20 | payload |
| tst13.js:12:14:12:20 | payload |
| tst13.js:16:17:16:23 | payload |
| tst13.js:16:17:16:23 | payload |
| tst13.js:20:14:20:20 | payload |
| tst13.js:20:14:20:20 | payload |
| tst13.js:24:14:24:20 | payload |
| tst13.js:24:14:24:20 | payload |
| tst13.js:28:21:28:27 | payload |
| tst13.js:28:21:28:27 | payload |
| tst13.js:32:17:32:23 | payload |
| tst13.js:32:17:32:23 | payload |
| tst13.js:36:21:36:27 | payload |
| tst13.js:36:21:36:27 | payload |
| tst13.js:40:15:40:21 | payload |
| tst13.js:40:15:40:21 | payload |
| tst13.js:44:14:44:20 | payload |
| tst13.js:44:14:44:20 | payload |
| tst13.js:49:32:49:32 | e |
| tst13.js:49:32:49:32 | e |
| tst13.js:50:23:50:23 | e |
| tst13.js:50:23:50:23 | e |
| tst13.js:52:34:52:34 | e |
| tst13.js:52:34:52:34 | e |
| tst13.js:53:28:53:28 | e |
| tst13.js:53:28:53:28 | e |
| tst13.js:59:9:59:52 | payload |
| tst13.js:59:19:59:42 | documen ... .search |
| tst13.js:59:19:59:42 | documen ... .search |
| tst13.js:59:19:59:52 | documen ... bstr(1) |
| tst13.js:61:18:61:24 | payload |
| tst13.js:61:18:61:24 | payload |
| tst13.js:65:9:65:49 | payload |
| tst13.js:65:19:65:39 | history ... on.hash |
| tst13.js:65:19:65:39 | history ... on.hash |
| tst13.js:65:19:65:49 | history ... bstr(1) |
| tst13.js:67:21:67:27 | payload |
| tst13.js:67:21:67:27 | payload |
| tst13.js:72:9:72:49 | payload |
| tst13.js:72:19:72:39 | history ... on.hash |
| tst13.js:72:19:72:39 | history ... on.hash |
| tst13.js:72:19:72:49 | history ... bstr(1) |
| tst13.js:74:21:74:27 | payload |
| tst13.js:74:21:74:27 | payload |
| tst13.js:78:9:78:48 | url |
| tst13.js:78:15:78:38 | documen ... .search |
| tst13.js:78:15:78:38 | documen ... .search |
| tst13.js:78:15:78:48 | documen ... bstr(1) |
| tst13.js:80:21:80:23 | url |
| tst13.js:80:21:80:23 | url |
| tst13.js:81:28:81:30 | url |
| tst13.js:81:28:81:30 | url |
| tst13.js:82:27:82:29 | url |
| tst13.js:82:27:82:29 | url |
| tst13.js:83:22:83:24 | url |
| tst13.js:83:22:83:24 | url |
| tst.js:2:19:2:69 | /.*redi ... n.href) |
| tst.js:2:19:2:72 | /.*redi ... ref)[1] |
| tst.js:2:19:2:72 | /.*redi ... ref)[1] |
| tst.js:2:47:2:63 | document.location |
| tst.js:2:47:2:63 | document.location |
| tst.js:2:47:2:68 | documen ... on.href |
| tst.js:2:47:2:68 | documen ... on.href |
| tst.js:6:20:6:56 | indirec ... n.href) |
| tst.js:6:20:6:59 | indirec ... ref)[1] |
| tst.js:6:20:6:59 | indirec ... ref)[1] |
| tst.js:6:34:6:50 | document.location |
| tst.js:6:34:6:50 | document.location |
| tst.js:6:34:6:55 | documen ... on.href |
| tst.js:6:34:6:55 | documen ... on.href |
| tst.js:10:19:10:81 | new Reg ... n.href) |
| tst.js:10:19:10:84 | new Reg ... ref)[1] |
| tst.js:10:19:10:84 | new Reg ... ref)[1] |
| tst.js:10:59:10:75 | document.location |
| tst.js:10:59:10:75 | document.location |
| tst.js:10:59:10:80 | documen ... on.href |
| tst.js:10:59:10:80 | documen ... on.href |
| tst.js:14:20:14:56 | indirec ... n.href) |
| tst.js:14:20:14:59 | indirec ... ref)[1] |
| tst.js:14:20:14:59 | indirec ... ref)[1] |
| tst.js:14:34:14:50 | document.location |
| tst.js:14:34:14:50 | document.location |
| tst.js:14:34:14:55 | documen ... on.href |
| tst.js:14:34:14:55 | documen ... on.href |
| tst.js:18:19:18:81 | new Reg ... n.href) |
| tst.js:18:19:18:84 | new Reg ... ref)[1] |
| tst.js:18:19:18:84 | new Reg ... ref)[1] |
| tst.js:18:59:18:75 | document.location |
| tst.js:18:59:18:75 | document.location |
| tst.js:18:59:18:80 | documen ... on.href |
| tst.js:18:59:18:80 | documen ... on.href |
| tst.js:22:20:22:56 | indirec ... n.href) |
| tst.js:22:20:22:59 | indirec ... ref)[1] |
| tst.js:22:20:22:59 | indirec ... ref)[1] |
| tst.js:22:34:22:50 | document.location |
| tst.js:22:34:22:50 | document.location |
| tst.js:22:34:22:55 | documen ... on.href |
| tst.js:22:34:22:55 | documen ... on.href |
| tst.js:26:22:26:79 | new Reg ... n.href) |
| tst.js:26:22:26:82 | new Reg ... ref)[1] |
| tst.js:26:22:26:82 | new Reg ... ref)[1] |
| tst.js:26:62:26:78 | win.location.href |
| tst.js:26:62:26:78 | win.location.href |
| typed.ts:4:13:4:36 | params |
| typed.ts:4:22:4:36 | location.search |
| typed.ts:4:22:4:36 | location.search |
| typed.ts:5:25:5:30 | params |
| typed.ts:7:24:7:34 | redirectUri |
| typed.ts:8:33:8:43 | redirectUri |
| typed.ts:8:33:8:43 | redirectUri |
| typed.ts:25:25:25:34 | loc.search |
| typed.ts:25:25:25:34 | loc.search |
| typed.ts:28:24:28:34 | redirectUri |
| typed.ts:29:33:29:43 | redirectUri |
| typed.ts:29:33:29:43 | redirectUri |
| typed.ts:47:25:47:34 | loc.search |
| typed.ts:47:25:47:34 | loc.search |
| typed.ts:48:26:48:36 | loc2.search |
| typed.ts:48:26:48:36 | loc2.search |
| typed.ts:51:24:51:34 | redirectUri |
| typed.ts:52:33:52:43 | redirectUri |
| typed.ts:52:33:52:43 | redirectUri |
| typed.ts:55:25:55:35 | redirectUri |
| typed.ts:56:33:56:43 | redirectUri |
| typed.ts:56:33:56:43 | redirectUri |
| electron.js:4:12:4:22 | window.name | semmle.label | window.name |
| electron.js:7:20:7:29 | getTaint() | semmle.label | getTaint() |
| react.js:10:60:10:81 | documen ... on.hash | semmle.label | documen ... on.hash |
| react.js:21:24:21:45 | documen ... on.hash | semmle.label | documen ... on.hash |
| react.js:28:43:28:64 | documen ... on.hash | semmle.label | documen ... on.hash |
| react.js:28:43:28:74 | documen ... bstr(1) | semmle.label | documen ... bstr(1) |
| react.js:34:43:34:64 | documen ... on.hash | semmle.label | documen ... on.hash |
| react.js:34:43:34:74 | documen ... bstr(1) | semmle.label | documen ... bstr(1) |
| react.js:40:19:40:40 | documen ... on.hash | semmle.label | documen ... on.hash |
| react.js:40:19:40:50 | documen ... bstr(1) | semmle.label | documen ... bstr(1) |
| sanitizer.js:2:9:2:25 | url | semmle.label | url |
| sanitizer.js:2:15:2:25 | window.name | semmle.label | window.name |
| sanitizer.js:4:27:4:29 | url | semmle.label | url |
| sanitizer.js:16:27:16:29 | url | semmle.label | url |
| sanitizer.js:19:27:19:29 | url | semmle.label | url |
| sanitizer.js:22:27:22:29 | url | semmle.label | url |
| sanitizer.js:25:27:25:29 | url | semmle.label | url |
| sanitizer.js:28:27:28:29 | url | semmle.label | url |
| sanitizer.js:31:27:31:29 | url | semmle.label | url |
| sanitizer.js:37:27:37:29 | url | semmle.label | url |
| tst2.js:2:7:2:33 | href | semmle.label | href |
| tst2.js:2:14:2:33 | window.location.href | semmle.label | window.location.href |
| tst2.js:4:21:4:24 | href | semmle.label | href |
| tst2.js:4:21:4:55 | href.su ... '?')+1) | semmle.label | href.su ... '?')+1) |
| tst6.js:2:7:2:45 | redirect | semmle.label | redirect |
| tst6.js:2:18:2:45 | $locati ... irect') | semmle.label | $locati ... irect') |
| tst6.js:4:21:4:28 | redirect | semmle.label | redirect |
| tst6.js:6:17:6:24 | redirect | semmle.label | redirect |
| tst6.js:8:21:8:48 | $locati ... irect') | semmle.label | $locati ... irect') |
| tst6.js:8:21:8:56 | $locati ... + "foo" | semmle.label | $locati ... + "foo" |
| tst7.js:2:12:2:35 | documen ... .search | semmle.label | documen ... .search |
| tst7.js:5:27:5:50 | documen ... .search | semmle.label | documen ... .search |
| tst9.js:2:21:2:42 | documen ... on.hash | semmle.label | documen ... on.hash |
| tst9.js:2:21:2:55 | documen ... ring(1) | semmle.label | documen ... ring(1) |
| tst10.js:5:17:5:46 | '/' + d ... .search | semmle.label | '/' + d ... .search |
| tst10.js:5:23:5:46 | documen ... .search | semmle.label | documen ... .search |
| tst10.js:8:17:8:47 | '//' + ... .search | semmle.label | '//' + ... .search |
| tst10.js:8:24:8:47 | documen ... .search | semmle.label | documen ... .search |
| tst10.js:11:17:11:50 | '//foo' ... .search | semmle.label | '//foo' ... .search |
| tst10.js:11:27:11:50 | documen ... .search | semmle.label | documen ... .search |
| tst10.js:14:17:14:56 | 'https: ... .search | semmle.label | 'https: ... .search |
| tst10.js:14:33:14:56 | documen ... .search | semmle.label | documen ... .search |
| tst12.js:3:9:3:50 | urlParts | semmle.label | urlParts |
| tst12.js:3:20:3:39 | window.location.hash | semmle.label | window.location.hash |
| tst12.js:3:20:3:50 | window. ... it('?') | semmle.label | window. ... it('?') |
| tst12.js:4:9:4:45 | loc | semmle.label | loc |
| tst12.js:4:15:4:22 | urlParts | semmle.label | urlParts |
| tst12.js:5:23:5:25 | loc | semmle.label | loc |
| tst13.js:2:9:2:52 | payload | semmle.label | payload |
| tst13.js:2:19:2:42 | documen ... .search | semmle.label | documen ... .search |
| tst13.js:2:19:2:52 | documen ... bstr(1) | semmle.label | documen ... bstr(1) |
| tst13.js:4:15:4:21 | payload | semmle.label | payload |
| tst13.js:8:21:8:27 | payload | semmle.label | payload |
| tst13.js:12:14:12:20 | payload | semmle.label | payload |
| tst13.js:16:17:16:23 | payload | semmle.label | payload |
| tst13.js:20:14:20:20 | payload | semmle.label | payload |
| tst13.js:24:14:24:20 | payload | semmle.label | payload |
| tst13.js:28:21:28:27 | payload | semmle.label | payload |
| tst13.js:32:17:32:23 | payload | semmle.label | payload |
| tst13.js:36:21:36:27 | payload | semmle.label | payload |
| tst13.js:40:15:40:21 | payload | semmle.label | payload |
| tst13.js:44:14:44:20 | payload | semmle.label | payload |
| tst13.js:49:32:49:32 | e | semmle.label | e |
| tst13.js:50:23:50:23 | e | semmle.label | e |
| tst13.js:52:34:52:34 | e | semmle.label | e |
| tst13.js:53:28:53:28 | e | semmle.label | e |
| tst13.js:59:9:59:52 | payload | semmle.label | payload |
| tst13.js:59:19:59:42 | documen ... .search | semmle.label | documen ... .search |
| tst13.js:59:19:59:52 | documen ... bstr(1) | semmle.label | documen ... bstr(1) |
| tst13.js:61:18:61:24 | payload | semmle.label | payload |
| tst13.js:65:9:65:49 | payload | semmle.label | payload |
| tst13.js:65:19:65:39 | history ... on.hash | semmle.label | history ... on.hash |
| tst13.js:65:19:65:49 | history ... bstr(1) | semmle.label | history ... bstr(1) |
| tst13.js:67:21:67:27 | payload | semmle.label | payload |
| tst13.js:72:9:72:49 | payload | semmle.label | payload |
| tst13.js:72:19:72:39 | history ... on.hash | semmle.label | history ... on.hash |
| tst13.js:72:19:72:49 | history ... bstr(1) | semmle.label | history ... bstr(1) |
| tst13.js:74:21:74:27 | payload | semmle.label | payload |
| tst13.js:78:9:78:48 | url | semmle.label | url |
| tst13.js:78:15:78:38 | documen ... .search | semmle.label | documen ... .search |
| tst13.js:78:15:78:48 | documen ... bstr(1) | semmle.label | documen ... bstr(1) |
| tst13.js:80:21:80:23 | url | semmle.label | url |
| tst13.js:81:28:81:30 | url | semmle.label | url |
| tst13.js:82:27:82:29 | url | semmle.label | url |
| tst13.js:83:22:83:24 | url | semmle.label | url |
| tst.js:2:19:2:69 | /.*redi ... n.href) | semmle.label | /.*redi ... n.href) |
| tst.js:2:19:2:72 | /.*redi ... ref)[1] | semmle.label | /.*redi ... ref)[1] |
| tst.js:2:47:2:68 | documen ... on.href | semmle.label | documen ... on.href |
| tst.js:6:20:6:56 | indirec ... n.href) | semmle.label | indirec ... n.href) |
| tst.js:6:20:6:59 | indirec ... ref)[1] | semmle.label | indirec ... ref)[1] |
| tst.js:6:34:6:55 | documen ... on.href | semmle.label | documen ... on.href |
| tst.js:10:19:10:81 | new Reg ... n.href) | semmle.label | new Reg ... n.href) |
| tst.js:10:19:10:84 | new Reg ... ref)[1] | semmle.label | new Reg ... ref)[1] |
| tst.js:10:59:10:80 | documen ... on.href | semmle.label | documen ... on.href |
| tst.js:14:20:14:56 | indirec ... n.href) | semmle.label | indirec ... n.href) |
| tst.js:14:20:14:59 | indirec ... ref)[1] | semmle.label | indirec ... ref)[1] |
| tst.js:14:34:14:55 | documen ... on.href | semmle.label | documen ... on.href |
| tst.js:18:19:18:81 | new Reg ... n.href) | semmle.label | new Reg ... n.href) |
| tst.js:18:19:18:84 | new Reg ... ref)[1] | semmle.label | new Reg ... ref)[1] |
| tst.js:18:59:18:80 | documen ... on.href | semmle.label | documen ... on.href |
| tst.js:22:20:22:56 | indirec ... n.href) | semmle.label | indirec ... n.href) |
| tst.js:22:20:22:59 | indirec ... ref)[1] | semmle.label | indirec ... ref)[1] |
| tst.js:22:34:22:55 | documen ... on.href | semmle.label | documen ... on.href |
| tst.js:26:22:26:79 | new Reg ... n.href) | semmle.label | new Reg ... n.href) |
| tst.js:26:22:26:82 | new Reg ... ref)[1] | semmle.label | new Reg ... ref)[1] |
| tst.js:26:62:26:78 | win.location.href | semmle.label | win.location.href |
| typed.ts:4:13:4:36 | params | semmle.label | params |
| typed.ts:4:22:4:36 | location.search | semmle.label | location.search |
| typed.ts:5:25:5:30 | params | semmle.label | params |
| typed.ts:7:24:7:34 | redirectUri | semmle.label | redirectUri |
| typed.ts:8:33:8:43 | redirectUri | semmle.label | redirectUri |
| typed.ts:25:25:25:34 | loc.search | semmle.label | loc.search |
| typed.ts:28:24:28:34 | redirectUri | semmle.label | redirectUri |
| typed.ts:29:33:29:43 | redirectUri | semmle.label | redirectUri |
| typed.ts:47:25:47:34 | loc.search | semmle.label | loc.search |
| typed.ts:48:26:48:36 | loc2.search | semmle.label | loc2.search |
| typed.ts:51:24:51:34 | redirectUri | semmle.label | redirectUri |
| typed.ts:52:33:52:43 | redirectUri | semmle.label | redirectUri |
| typed.ts:55:25:55:35 | redirectUri | semmle.label | redirectUri |
| typed.ts:56:33:56:43 | redirectUri | semmle.label | redirectUri |
edges
| electron.js:4:12:4:22 | window.name | electron.js:7:20:7:29 | getTaint() |
| electron.js:4:12:4:22 | window.name | electron.js:7:20:7:29 | getTaint() |
| electron.js:4:12:4:22 | window.name | electron.js:7:20:7:29 | getTaint() |
| electron.js:4:12:4:22 | window.name | electron.js:7:20:7:29 | getTaint() |
| react.js:10:60:10:81 | documen ... on.hash | react.js:10:60:10:81 | documen ... on.hash |
| react.js:21:24:21:45 | documen ... on.hash | react.js:21:24:21:45 | documen ... on.hash |
| react.js:28:43:28:64 | documen ... on.hash | react.js:28:43:28:74 | documen ... bstr(1) |
| react.js:28:43:28:64 | documen ... on.hash | react.js:28:43:28:74 | documen ... bstr(1) |
| react.js:28:43:28:64 | documen ... on.hash | react.js:28:43:28:74 | documen ... bstr(1) |
| react.js:28:43:28:64 | documen ... on.hash | react.js:28:43:28:74 | documen ... bstr(1) |
| react.js:34:43:34:64 | documen ... on.hash | react.js:34:43:34:74 | documen ... bstr(1) |
| react.js:34:43:34:64 | documen ... on.hash | react.js:34:43:34:74 | documen ... bstr(1) |
| react.js:34:43:34:64 | documen ... on.hash | react.js:34:43:34:74 | documen ... bstr(1) |
| react.js:34:43:34:64 | documen ... on.hash | react.js:34:43:34:74 | documen ... bstr(1) |
| react.js:40:19:40:40 | documen ... on.hash | react.js:40:19:40:50 | documen ... bstr(1) |
| react.js:40:19:40:40 | documen ... on.hash | react.js:40:19:40:50 | documen ... bstr(1) |
| react.js:40:19:40:40 | documen ... on.hash | react.js:40:19:40:50 | documen ... bstr(1) |
| react.js:40:19:40:40 | documen ... on.hash | react.js:40:19:40:50 | documen ... bstr(1) |
| sanitizer.js:2:9:2:25 | url | sanitizer.js:4:27:4:29 | url |
| sanitizer.js:2:9:2:25 | url | sanitizer.js:4:27:4:29 | url |
| sanitizer.js:2:9:2:25 | url | sanitizer.js:16:27:16:29 | url |
| sanitizer.js:2:9:2:25 | url | sanitizer.js:16:27:16:29 | url |
| sanitizer.js:2:9:2:25 | url | sanitizer.js:19:27:19:29 | url |
| sanitizer.js:2:9:2:25 | url | sanitizer.js:19:27:19:29 | url |
| sanitizer.js:2:9:2:25 | url | sanitizer.js:22:27:22:29 | url |
| sanitizer.js:2:9:2:25 | url | sanitizer.js:22:27:22:29 | url |
| sanitizer.js:2:9:2:25 | url | sanitizer.js:25:27:25:29 | url |
| sanitizer.js:2:9:2:25 | url | sanitizer.js:25:27:25:29 | url |
| sanitizer.js:2:9:2:25 | url | sanitizer.js:28:27:28:29 | url |
| sanitizer.js:2:9:2:25 | url | sanitizer.js:28:27:28:29 | url |
| sanitizer.js:2:9:2:25 | url | sanitizer.js:31:27:31:29 | url |
| sanitizer.js:2:9:2:25 | url | sanitizer.js:31:27:31:29 | url |
| sanitizer.js:2:9:2:25 | url | sanitizer.js:37:27:37:29 | url |
| sanitizer.js:2:9:2:25 | url | sanitizer.js:37:27:37:29 | url |
| sanitizer.js:2:15:2:25 | window.name | sanitizer.js:2:9:2:25 | url |
| sanitizer.js:2:15:2:25 | window.name | sanitizer.js:2:9:2:25 | url |
| tst2.js:2:7:2:33 | href | tst2.js:4:21:4:24 | href |
| tst2.js:2:14:2:28 | window.location | tst2.js:2:14:2:33 | window.location.href |
| tst2.js:2:14:2:28 | window.location | tst2.js:2:14:2:33 | window.location.href |
| tst2.js:2:14:2:33 | window.location.href | tst2.js:2:7:2:33 | href |
| tst2.js:2:14:2:33 | window.location.href | tst2.js:2:7:2:33 | href |
| tst2.js:4:21:4:24 | href | tst2.js:4:21:4:55 | href.su ... '?')+1) |
| tst2.js:4:21:4:24 | href | tst2.js:4:21:4:55 | href.su ... '?')+1) |
| tst6.js:2:7:2:45 | redirect | tst6.js:4:21:4:28 | redirect |
| tst6.js:2:7:2:45 | redirect | tst6.js:4:21:4:28 | redirect |
| tst6.js:2:7:2:45 | redirect | tst6.js:6:17:6:24 | redirect |
| tst6.js:2:7:2:45 | redirect | tst6.js:6:17:6:24 | redirect |
| tst6.js:2:18:2:45 | $locati ... irect') | tst6.js:2:7:2:45 | redirect |
| tst6.js:2:18:2:45 | $locati ... irect') | tst6.js:2:7:2:45 | redirect |
| tst6.js:8:21:8:48 | $locati ... irect') | tst6.js:8:21:8:56 | $locati ... + "foo" |
| tst6.js:8:21:8:48 | $locati ... irect') | tst6.js:8:21:8:56 | $locati ... + "foo" |
| tst6.js:8:21:8:48 | $locati ... irect') | tst6.js:8:21:8:56 | $locati ... + "foo" |
| tst6.js:8:21:8:48 | $locati ... irect') | tst6.js:8:21:8:56 | $locati ... + "foo" |
| tst7.js:2:12:2:35 | documen ... .search | tst7.js:2:12:2:35 | documen ... .search |
| tst7.js:5:27:5:50 | documen ... .search | tst7.js:5:27:5:50 | documen ... .search |
| tst9.js:2:21:2:42 | documen ... on.hash | tst9.js:2:21:2:55 | documen ... ring(1) |
| tst9.js:2:21:2:42 | documen ... on.hash | tst9.js:2:21:2:55 | documen ... ring(1) |
| tst9.js:2:21:2:42 | documen ... on.hash | tst9.js:2:21:2:55 | documen ... ring(1) |
| tst9.js:2:21:2:42 | documen ... on.hash | tst9.js:2:21:2:55 | documen ... ring(1) |
| tst10.js:5:23:5:46 | documen ... .search | tst10.js:5:17:5:46 | '/' + d ... .search |
| tst10.js:5:23:5:46 | documen ... .search | tst10.js:5:17:5:46 | '/' + d ... .search |
| tst10.js:5:23:5:46 | documen ... .search | tst10.js:5:17:5:46 | '/' + d ... .search |
| tst10.js:5:23:5:46 | documen ... .search | tst10.js:5:17:5:46 | '/' + d ... .search |
| tst10.js:8:24:8:47 | documen ... .search | tst10.js:8:17:8:47 | '//' + ... .search |
| tst10.js:8:24:8:47 | documen ... .search | tst10.js:8:17:8:47 | '//' + ... .search |
| tst10.js:8:24:8:47 | documen ... .search | tst10.js:8:17:8:47 | '//' + ... .search |
| tst10.js:8:24:8:47 | documen ... .search | tst10.js:8:17:8:47 | '//' + ... .search |
| tst10.js:11:27:11:50 | documen ... .search | tst10.js:11:17:11:50 | '//foo' ... .search |
| tst10.js:11:27:11:50 | documen ... .search | tst10.js:11:17:11:50 | '//foo' ... .search |
| tst10.js:11:27:11:50 | documen ... .search | tst10.js:11:17:11:50 | '//foo' ... .search |
| tst10.js:11:27:11:50 | documen ... .search | tst10.js:11:17:11:50 | '//foo' ... .search |
| tst10.js:14:33:14:56 | documen ... .search | tst10.js:14:17:14:56 | 'https: ... .search |
| tst10.js:14:33:14:56 | documen ... .search | tst10.js:14:17:14:56 | 'https: ... .search |
| tst10.js:14:33:14:56 | documen ... .search | tst10.js:14:17:14:56 | 'https: ... .search |
| tst10.js:14:33:14:56 | documen ... .search | tst10.js:14:17:14:56 | 'https: ... .search |
| tst12.js:3:9:3:50 | urlParts | tst12.js:4:15:4:22 | urlParts |
| tst12.js:3:20:3:39 | window.location.hash | tst12.js:3:20:3:50 | window. ... it('?') |
| tst12.js:3:20:3:39 | window.location.hash | tst12.js:3:20:3:50 | window. ... it('?') |
| tst12.js:3:20:3:50 | window. ... it('?') | tst12.js:3:9:3:50 | urlParts |
| tst12.js:4:9:4:45 | loc | tst12.js:5:23:5:25 | loc |
| tst12.js:4:9:4:45 | loc | tst12.js:5:23:5:25 | loc |
| tst12.js:4:15:4:22 | urlParts | tst12.js:4:15:4:25 | urlParts[0] |
| tst12.js:4:15:4:25 | urlParts[0] | tst12.js:4:15:4:45 | urlPart ... s.value |
| tst12.js:4:15:4:45 | urlPart ... s.value | tst12.js:4:9:4:45 | loc |
| tst13.js:2:9:2:52 | payload | tst13.js:4:15:4:21 | payload |
| tst12.js:4:15:4:22 | urlParts | tst12.js:4:9:4:45 | loc |
| tst13.js:2:9:2:52 | payload | tst13.js:4:15:4:21 | payload |
| tst13.js:2:9:2:52 | payload | tst13.js:8:21:8:27 | payload |
| tst13.js:2:9:2:52 | payload | tst13.js:8:21:8:27 | payload |
| tst13.js:2:9:2:52 | payload | tst13.js:12:14:12:20 | payload |
| tst13.js:2:9:2:52 | payload | tst13.js:12:14:12:20 | payload |
| tst13.js:2:9:2:52 | payload | tst13.js:16:17:16:23 | payload |
| tst13.js:2:9:2:52 | payload | tst13.js:16:17:16:23 | payload |
| tst13.js:2:9:2:52 | payload | tst13.js:20:14:20:20 | payload |
| tst13.js:2:9:2:52 | payload | tst13.js:20:14:20:20 | payload |
| tst13.js:2:9:2:52 | payload | tst13.js:24:14:24:20 | payload |
| tst13.js:2:9:2:52 | payload | tst13.js:24:14:24:20 | payload |
| tst13.js:2:9:2:52 | payload | tst13.js:28:21:28:27 | payload |
| tst13.js:2:9:2:52 | payload | tst13.js:28:21:28:27 | payload |
| tst13.js:2:9:2:52 | payload | tst13.js:32:17:32:23 | payload |
| tst13.js:2:9:2:52 | payload | tst13.js:32:17:32:23 | payload |
| tst13.js:2:9:2:52 | payload | tst13.js:36:21:36:27 | payload |
| tst13.js:2:9:2:52 | payload | tst13.js:36:21:36:27 | payload |
| tst13.js:2:9:2:52 | payload | tst13.js:40:15:40:21 | payload |
| tst13.js:2:9:2:52 | payload | tst13.js:40:15:40:21 | payload |
| tst13.js:2:9:2:52 | payload | tst13.js:44:14:44:20 | payload |
| tst13.js:2:9:2:52 | payload | tst13.js:44:14:44:20 | payload |
| tst13.js:2:19:2:42 | documen ... .search | tst13.js:2:19:2:52 | documen ... bstr(1) |
| tst13.js:2:19:2:42 | documen ... .search | tst13.js:2:19:2:52 | documen ... bstr(1) |
| tst13.js:2:19:2:52 | documen ... bstr(1) | tst13.js:2:9:2:52 | payload |
| tst13.js:49:32:49:32 | e | tst13.js:50:23:50:23 | e |
| tst13.js:49:32:49:32 | e | tst13.js:50:23:50:23 | e |
| tst13.js:49:32:49:32 | e | tst13.js:50:23:50:23 | e |
| tst13.js:49:32:49:32 | e | tst13.js:50:23:50:23 | e |
| tst13.js:52:34:52:34 | e | tst13.js:53:28:53:28 | e |
| tst13.js:52:34:52:34 | e | tst13.js:53:28:53:28 | e |
| tst13.js:52:34:52:34 | e | tst13.js:53:28:53:28 | e |
| tst13.js:52:34:52:34 | e | tst13.js:53:28:53:28 | e |
| tst13.js:59:9:59:52 | payload | tst13.js:61:18:61:24 | payload |
| tst13.js:59:9:59:52 | payload | tst13.js:61:18:61:24 | payload |
| tst13.js:59:19:59:42 | documen ... .search | tst13.js:59:19:59:52 | documen ... bstr(1) |
| tst13.js:59:19:59:42 | documen ... .search | tst13.js:59:19:59:52 | documen ... bstr(1) |
| tst13.js:59:19:59:52 | documen ... bstr(1) | tst13.js:59:9:59:52 | payload |
| tst13.js:65:9:65:49 | payload | tst13.js:67:21:67:27 | payload |
| tst13.js:65:9:65:49 | payload | tst13.js:67:21:67:27 | payload |
| tst13.js:65:19:65:39 | history ... on.hash | tst13.js:65:19:65:49 | history ... bstr(1) |
| tst13.js:65:19:65:39 | history ... on.hash | tst13.js:65:19:65:49 | history ... bstr(1) |
| tst13.js:65:19:65:49 | history ... bstr(1) | tst13.js:65:9:65:49 | payload |
| tst13.js:72:9:72:49 | payload | tst13.js:74:21:74:27 | payload |
| tst13.js:72:9:72:49 | payload | tst13.js:74:21:74:27 | payload |
| tst13.js:72:19:72:39 | history ... on.hash | tst13.js:72:19:72:49 | history ... bstr(1) |
| tst13.js:72:19:72:39 | history ... on.hash | tst13.js:72:19:72:49 | history ... bstr(1) |
| tst13.js:72:19:72:49 | history ... bstr(1) | tst13.js:72:9:72:49 | payload |
| tst13.js:78:9:78:48 | url | tst13.js:80:21:80:23 | url |
| tst13.js:78:9:78:48 | url | tst13.js:80:21:80:23 | url |
| tst13.js:78:9:78:48 | url | tst13.js:81:28:81:30 | url |
| tst13.js:78:9:78:48 | url | tst13.js:81:28:81:30 | url |
| tst13.js:78:9:78:48 | url | tst13.js:82:27:82:29 | url |
| tst13.js:78:9:78:48 | url | tst13.js:82:27:82:29 | url |
| tst13.js:78:9:78:48 | url | tst13.js:83:22:83:24 | url |
| tst13.js:78:9:78:48 | url | tst13.js:83:22:83:24 | url |
| tst13.js:78:15:78:38 | documen ... .search | tst13.js:78:15:78:48 | documen ... bstr(1) |
| tst13.js:78:15:78:38 | documen ... .search | tst13.js:78:15:78:48 | documen ... bstr(1) |
| tst13.js:78:15:78:48 | documen ... bstr(1) | tst13.js:78:9:78:48 | url |
| tst.js:2:19:2:69 | /.*redi ... n.href) | tst.js:2:19:2:72 | /.*redi ... ref)[1] |
| tst.js:2:19:2:69 | /.*redi ... n.href) | tst.js:2:19:2:72 | /.*redi ... ref)[1] |
| tst.js:2:47:2:63 | document.location | tst.js:2:47:2:68 | documen ... on.href |
| tst.js:2:47:2:63 | document.location | tst.js:2:47:2:68 | documen ... on.href |
| tst.js:2:47:2:68 | documen ... on.href | tst.js:2:19:2:69 | /.*redi ... n.href) |
| tst.js:2:47:2:68 | documen ... on.href | tst.js:2:19:2:69 | /.*redi ... n.href) |
| tst.js:6:20:6:56 | indirec ... n.href) | tst.js:6:20:6:59 | indirec ... ref)[1] |
| tst.js:6:20:6:56 | indirec ... n.href) | tst.js:6:20:6:59 | indirec ... ref)[1] |
| tst.js:6:34:6:50 | document.location | tst.js:6:34:6:55 | documen ... on.href |
| tst.js:6:34:6:50 | document.location | tst.js:6:34:6:55 | documen ... on.href |
| tst.js:6:34:6:55 | documen ... on.href | tst.js:6:20:6:56 | indirec ... n.href) |
| tst.js:6:34:6:55 | documen ... on.href | tst.js:6:20:6:56 | indirec ... n.href) |
| tst.js:10:19:10:81 | new Reg ... n.href) | tst.js:10:19:10:84 | new Reg ... ref)[1] |
| tst.js:10:19:10:81 | new Reg ... n.href) | tst.js:10:19:10:84 | new Reg ... ref)[1] |
| tst.js:10:59:10:75 | document.location | tst.js:10:59:10:80 | documen ... on.href |
| tst.js:10:59:10:75 | document.location | tst.js:10:59:10:80 | documen ... on.href |
| tst.js:10:59:10:80 | documen ... on.href | tst.js:10:19:10:81 | new Reg ... n.href) |
| tst.js:10:59:10:80 | documen ... on.href | tst.js:10:19:10:81 | new Reg ... n.href) |
| tst.js:14:20:14:56 | indirec ... n.href) | tst.js:14:20:14:59 | indirec ... ref)[1] |
| tst.js:14:20:14:56 | indirec ... n.href) | tst.js:14:20:14:59 | indirec ... ref)[1] |
| tst.js:14:34:14:50 | document.location | tst.js:14:34:14:55 | documen ... on.href |
| tst.js:14:34:14:50 | document.location | tst.js:14:34:14:55 | documen ... on.href |
| tst.js:14:34:14:55 | documen ... on.href | tst.js:14:20:14:56 | indirec ... n.href) |
| tst.js:14:34:14:55 | documen ... on.href | tst.js:14:20:14:56 | indirec ... n.href) |
| tst.js:18:19:18:81 | new Reg ... n.href) | tst.js:18:19:18:84 | new Reg ... ref)[1] |
| tst.js:18:19:18:81 | new Reg ... n.href) | tst.js:18:19:18:84 | new Reg ... ref)[1] |
| tst.js:18:59:18:75 | document.location | tst.js:18:59:18:80 | documen ... on.href |
| tst.js:18:59:18:75 | document.location | tst.js:18:59:18:80 | documen ... on.href |
| tst.js:18:59:18:80 | documen ... on.href | tst.js:18:19:18:81 | new Reg ... n.href) |
| tst.js:18:59:18:80 | documen ... on.href | tst.js:18:19:18:81 | new Reg ... n.href) |
| tst.js:22:20:22:56 | indirec ... n.href) | tst.js:22:20:22:59 | indirec ... ref)[1] |
| tst.js:22:20:22:56 | indirec ... n.href) | tst.js:22:20:22:59 | indirec ... ref)[1] |
| tst.js:22:34:22:50 | document.location | tst.js:22:34:22:55 | documen ... on.href |
| tst.js:22:34:22:50 | document.location | tst.js:22:34:22:55 | documen ... on.href |
| tst.js:22:34:22:55 | documen ... on.href | tst.js:22:20:22:56 | indirec ... n.href) |
| tst.js:22:34:22:55 | documen ... on.href | tst.js:22:20:22:56 | indirec ... n.href) |
| tst.js:26:22:26:79 | new Reg ... n.href) | tst.js:26:22:26:82 | new Reg ... ref)[1] |
| tst.js:26:22:26:79 | new Reg ... n.href) | tst.js:26:22:26:82 | new Reg ... ref)[1] |
| tst.js:26:62:26:78 | win.location.href | tst.js:26:22:26:79 | new Reg ... n.href) |
| tst.js:26:62:26:78 | win.location.href | tst.js:26:22:26:79 | new Reg ... n.href) |
| typed.ts:4:13:4:36 | params | typed.ts:5:25:5:30 | params |
| typed.ts:4:22:4:36 | location.search | typed.ts:4:13:4:36 | params |
| typed.ts:4:22:4:36 | location.search | typed.ts:4:13:4:36 | params |
| typed.ts:5:25:5:30 | params | typed.ts:7:24:7:34 | redirectUri |
| typed.ts:7:24:7:34 | redirectUri | typed.ts:8:33:8:43 | redirectUri |
| typed.ts:7:24:7:34 | redirectUri | typed.ts:8:33:8:43 | redirectUri |
| typed.ts:25:25:25:34 | loc.search | typed.ts:28:24:28:34 | redirectUri |
| typed.ts:25:25:25:34 | loc.search | typed.ts:28:24:28:34 | redirectUri |
| typed.ts:28:24:28:34 | redirectUri | typed.ts:29:33:29:43 | redirectUri |
| typed.ts:28:24:28:34 | redirectUri | typed.ts:29:33:29:43 | redirectUri |
| typed.ts:47:25:47:34 | loc.search | typed.ts:51:24:51:34 | redirectUri |
| typed.ts:47:25:47:34 | loc.search | typed.ts:51:24:51:34 | redirectUri |
| typed.ts:48:26:48:36 | loc2.search | typed.ts:55:25:55:35 | redirectUri |
| typed.ts:48:26:48:36 | loc2.search | typed.ts:55:25:55:35 | redirectUri |
| typed.ts:51:24:51:34 | redirectUri | typed.ts:52:33:52:43 | redirectUri |
| typed.ts:51:24:51:34 | redirectUri | typed.ts:52:33:52:43 | redirectUri |
| typed.ts:55:25:55:35 | redirectUri | typed.ts:56:33:56:43 | redirectUri |
| typed.ts:55:25:55:35 | redirectUri | typed.ts:56:33:56:43 | redirectUri |
subpaths
#select
| electron.js:7:20:7:29 | getTaint() | electron.js:4:12:4:22 | window.name | electron.js:7:20:7:29 | getTaint() | Untrusted URL redirection depends on a $@. | electron.js:4:12:4:22 | window.name | user-provided value |
| react.js:10:60:10:81 | documen ... on.hash | react.js:10:60:10:81 | documen ... on.hash | react.js:10:60:10:81 | documen ... on.hash | Untrusted URL redirection depends on a $@. | react.js:10:60:10:81 | documen ... on.hash | user-provided value |
@@ -445,7 +220,6 @@ edges
| sanitizer.js:28:27:28:29 | url | sanitizer.js:2:15:2:25 | window.name | sanitizer.js:28:27:28:29 | url | Untrusted URL redirection depends on a $@. | sanitizer.js:2:15:2:25 | window.name | user-provided value |
| sanitizer.js:31:27:31:29 | url | sanitizer.js:2:15:2:25 | window.name | sanitizer.js:31:27:31:29 | url | Untrusted URL redirection depends on a $@. | sanitizer.js:2:15:2:25 | window.name | user-provided value |
| sanitizer.js:37:27:37:29 | url | sanitizer.js:2:15:2:25 | window.name | sanitizer.js:37:27:37:29 | url | Untrusted URL redirection depends on a $@. | sanitizer.js:2:15:2:25 | window.name | user-provided value |
| tst2.js:4:21:4:55 | href.su ... '?')+1) | tst2.js:2:14:2:28 | window.location | tst2.js:4:21:4:55 | href.su ... '?')+1) | Untrusted URL redirection depends on a $@. | tst2.js:2:14:2:28 | window.location | user-provided value |
| tst2.js:4:21:4:55 | href.su ... '?')+1) | tst2.js:2:14:2:33 | window.location.href | tst2.js:4:21:4:55 | href.su ... '?')+1) | Untrusted URL redirection depends on a $@. | tst2.js:2:14:2:33 | window.location.href | user-provided value |
| tst6.js:4:21:4:28 | redirect | tst6.js:2:18:2:45 | $locati ... irect') | tst6.js:4:21:4:28 | redirect | Untrusted URL redirection depends on a $@. | tst6.js:2:18:2:45 | $locati ... irect') | user-provided value |
| tst6.js:6:17:6:24 | redirect | tst6.js:2:18:2:45 | $locati ... irect') | tst6.js:6:17:6:24 | redirect | Untrusted URL redirection depends on a $@. | tst6.js:2:18:2:45 | $locati ... irect') | user-provided value |
@@ -478,17 +252,11 @@ edges
| tst13.js:81:28:81:30 | url | tst13.js:78:15:78:38 | documen ... .search | tst13.js:81:28:81:30 | url | Untrusted URL redirection depends on a $@. | tst13.js:78:15:78:38 | documen ... .search | user-provided value |
| tst13.js:82:27:82:29 | url | tst13.js:78:15:78:38 | documen ... .search | tst13.js:82:27:82:29 | url | Untrusted URL redirection depends on a $@. | tst13.js:78:15:78:38 | documen ... .search | user-provided value |
| tst13.js:83:22:83:24 | url | tst13.js:78:15:78:38 | documen ... .search | tst13.js:83:22:83:24 | url | Untrusted URL redirection depends on a $@. | tst13.js:78:15:78:38 | documen ... .search | user-provided value |
| tst.js:2:19:2:72 | /.*redi ... ref)[1] | tst.js:2:47:2:63 | document.location | tst.js:2:19:2:72 | /.*redi ... ref)[1] | Untrusted URL redirection depends on a $@. | tst.js:2:47:2:63 | document.location | user-provided value |
| tst.js:2:19:2:72 | /.*redi ... ref)[1] | tst.js:2:47:2:68 | documen ... on.href | tst.js:2:19:2:72 | /.*redi ... ref)[1] | Untrusted URL redirection depends on a $@. | tst.js:2:47:2:68 | documen ... on.href | user-provided value |
| tst.js:6:20:6:59 | indirec ... ref)[1] | tst.js:6:34:6:50 | document.location | tst.js:6:20:6:59 | indirec ... ref)[1] | Untrusted URL redirection depends on a $@. | tst.js:6:34:6:50 | document.location | user-provided value |
| tst.js:6:20:6:59 | indirec ... ref)[1] | tst.js:6:34:6:55 | documen ... on.href | tst.js:6:20:6:59 | indirec ... ref)[1] | Untrusted URL redirection depends on a $@. | tst.js:6:34:6:55 | documen ... on.href | user-provided value |
| tst.js:10:19:10:84 | new Reg ... ref)[1] | tst.js:10:59:10:75 | document.location | tst.js:10:19:10:84 | new Reg ... ref)[1] | Untrusted URL redirection depends on a $@. | tst.js:10:59:10:75 | document.location | user-provided value |
| tst.js:10:19:10:84 | new Reg ... ref)[1] | tst.js:10:59:10:80 | documen ... on.href | tst.js:10:19:10:84 | new Reg ... ref)[1] | Untrusted URL redirection depends on a $@. | tst.js:10:59:10:80 | documen ... on.href | user-provided value |
| tst.js:14:20:14:59 | indirec ... ref)[1] | tst.js:14:34:14:50 | document.location | tst.js:14:20:14:59 | indirec ... ref)[1] | Untrusted URL redirection depends on a $@. | tst.js:14:34:14:50 | document.location | user-provided value |
| tst.js:14:20:14:59 | indirec ... ref)[1] | tst.js:14:34:14:55 | documen ... on.href | tst.js:14:20:14:59 | indirec ... ref)[1] | Untrusted URL redirection depends on a $@. | tst.js:14:34:14:55 | documen ... on.href | user-provided value |
| tst.js:18:19:18:84 | new Reg ... ref)[1] | tst.js:18:59:18:75 | document.location | tst.js:18:19:18:84 | new Reg ... ref)[1] | Untrusted URL redirection depends on a $@. | tst.js:18:59:18:75 | document.location | user-provided value |
| tst.js:18:19:18:84 | new Reg ... ref)[1] | tst.js:18:59:18:80 | documen ... on.href | tst.js:18:19:18:84 | new Reg ... ref)[1] | Untrusted URL redirection depends on a $@. | tst.js:18:59:18:80 | documen ... on.href | user-provided value |
| tst.js:22:20:22:59 | indirec ... ref)[1] | tst.js:22:34:22:50 | document.location | tst.js:22:20:22:59 | indirec ... ref)[1] | Untrusted URL redirection depends on a $@. | tst.js:22:34:22:50 | document.location | user-provided value |
| tst.js:22:20:22:59 | indirec ... ref)[1] | tst.js:22:34:22:55 | documen ... on.href | tst.js:22:20:22:59 | indirec ... ref)[1] | Untrusted URL redirection depends on a $@. | tst.js:22:34:22:55 | documen ... on.href | user-provided value |
| tst.js:26:22:26:82 | new Reg ... ref)[1] | tst.js:26:62:26:78 | win.location.href | tst.js:26:22:26:82 | new Reg ... ref)[1] | Untrusted URL redirection depends on a $@. | tst.js:26:62:26:78 | win.location.href | user-provided value |
| typed.ts:8:33:8:43 | redirectUri | typed.ts:4:22:4:36 | location.search | typed.ts:8:33:8:43 | redirectUri | Untrusted URL redirection depends on a $@. | typed.ts:4:22:4:36 | location.search | user-provided value |


@@ -0,0 +1,12 @@
function foo() {
var url = document.location.toString();
window.location = url.substring(0).substring(1); // OK
window.location = url.substring(0, 10).substring(1); // OK
window.location = url.substring(0, url.indexOf('/', 10)).substring(1); // OK
}
function bar() {
var url = new URL(window.location);
window.location = url.origin; // OK
window.location = url.origin.substring(10); // OK
}