hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-30 19:26:02 +02:00
Code Issues Packages Projects Releases Wiki Activity

add client-side-url sinks that may execute JavaScript as XSS sinks

Browse Source
This commit is contained in:
Erik Krogh Kristensen
2022-03-01 16:29:00 +01:00
parent b471fec149
commit 87842bb8b7
5 changed files with 203 additions and 13 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
javascript/ql/lib/semmle/javascript/security/dataflow/Xss.qll
View File

@@ -253,6 +253,15 @@ module DomBasedXss {
}
}
import ClientSideUrlRedirectCustomizations::ClientSideUrlRedirect as ClientSideUrlRedirect
/**
* A write to a URL which may execute JavaScript code.
*/
class WriteURLSink extends Sink instanceof ClientSideUrlRedirect::Sink {
WriteURLSink() { super.isXSSSink() }
}
/**
* An expression whose value is interpreted as HTML or CSS
* and may be inserted into the DOM.

97
javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/Xss.expected
View File

@@ -432,6 +432,26 @@ nodes
| trusted-types.js:2:71:2:71 | x |
| trusted-types.js:3:24:3:34 | window.name |
| trusted-types.js:3:24:3:34 | window.name |
| tst3.js:2:12:2:75 | JSON.pa ... tr(1))) |
| tst3.js:2:23:2:74 | decodeU ... str(1)) |
| tst3.js:2:42:2:63 | window. ... .search |
| tst3.js:2:42:2:63 | window. ... .search |
| tst3.js:2:42:2:73 | window. ... bstr(1) |
| tst3.js:4:25:4:28 | data |
| tst3.js:4:25:4:32 | data.src |
| tst3.js:4:25:4:32 | data.src |
| tst3.js:5:26:5:29 | data |
| tst3.js:5:26:5:31 | data.p |
| tst3.js:5:26:5:31 | data.p |
| tst3.js:7:32:7:35 | data |
| tst3.js:7:32:7:37 | data.p |
| tst3.js:7:32:7:37 | data.p |
| tst3.js:9:37:9:40 | data |
| tst3.js:9:37:9:42 | data.p |
| tst3.js:9:37:9:42 | data.p |
| tst3.js:10:38:10:41 | data |
| tst3.js:10:38:10:43 | data.p |
| tst3.js:10:38:10:43 | data.p |
| tst.js:2:7:2:39 | target |
| tst.js:2:7:2:39 | target |
| tst.js:2:16:2:39 | documen ... .search |
@@ -732,6 +752,29 @@ nodes
| tst.js:465:19:465:24 | source |
| tst.js:467:20:467:25 | source |
| tst.js:467:20:467:25 | source |
| tst.js:471:7:471:46 | url |
| tst.js:471:13:471:36 | documen ... .search |
| tst.js:471:13:471:36 | documen ... .search |
| tst.js:471:13:471:46 | documen ... bstr(1) |
| tst.js:473:19:473:21 | url |
| tst.js:473:19:473:21 | url |
| tst.js:474:26:474:28 | url |
| tst.js:474:26:474:28 | url |
| tst.js:475:25:475:27 | url |
| tst.js:475:25:475:27 | url |
| tst.js:476:20:476:22 | url |
| tst.js:476:20:476:22 | url |
| tst.js:479:20:479:45 | "http:/ ... " + url |
| tst.js:479:20:479:45 | "http:/ ... " + url |
| tst.js:479:43:479:45 | url |
| tst.js:481:20:481:45 | ["http: ... ", url] |
| tst.js:481:20:481:55 | ["http: ... in("/") |
| tst.js:481:20:481:55 | ["http: ... in("/") |
| tst.js:481:42:481:44 | url |
| tst.js:484:22:484:24 | url |
| tst.js:484:22:484:24 | url |
| tst.js:486:22:486:24 | url |
| tst.js:486:22:486:24 | url |
| typeahead.js:20:13:20:45 | target |
| typeahead.js:20:22:20:45 | documen ... .search |
| typeahead.js:20:22:20:45 | documen ... .search |
@@ -1172,6 +1215,25 @@ edges
| trusted-types.js:2:66:2:66 | x | trusted-types.js:2:71:2:71 | x |
| trusted-types.js:3:24:3:34 | window.name | trusted-types.js:2:66:2:66 | x |
| trusted-types.js:3:24:3:34 | window.name | trusted-types.js:2:66:2:66 | x |
| tst3.js:2:12:2:75 | JSON.pa ... tr(1))) | tst3.js:4:25:4:28 | data |
| tst3.js:2:12:2:75 | JSON.pa ... tr(1))) | tst3.js:5:26:5:29 | data |
| tst3.js:2:12:2:75 | JSON.pa ... tr(1))) | tst3.js:7:32:7:35 | data |
| tst3.js:2:12:2:75 | JSON.pa ... tr(1))) | tst3.js:9:37:9:40 | data |
| tst3.js:2:12:2:75 | JSON.pa ... tr(1))) | tst3.js:10:38:10:41 | data |
| tst3.js:2:23:2:74 | decodeU ... str(1)) | tst3.js:2:12:2:75 | JSON.pa ... tr(1))) |
| tst3.js:2:42:2:63 | window. ... .search | tst3.js:2:42:2:73 | window. ... bstr(1) |
| tst3.js:2:42:2:63 | window. ... .search | tst3.js:2:42:2:73 | window. ... bstr(1) |
| tst3.js:2:42:2:73 | window. ... bstr(1) | tst3.js:2:23:2:74 | decodeU ... str(1)) |
| tst3.js:4:25:4:28 | data | tst3.js:4:25:4:32 | data.src |
| tst3.js:4:25:4:28 | data | tst3.js:4:25:4:32 | data.src |
| tst3.js:5:26:5:29 | data | tst3.js:5:26:5:31 | data.p |
| tst3.js:5:26:5:29 | data | tst3.js:5:26:5:31 | data.p |
| tst3.js:7:32:7:35 | data | tst3.js:7:32:7:37 | data.p |
| tst3.js:7:32:7:35 | data | tst3.js:7:32:7:37 | data.p |
| tst3.js:9:37:9:40 | data | tst3.js:9:37:9:42 | data.p |
| tst3.js:9:37:9:40 | data | tst3.js:9:37:9:42 | data.p |
| tst3.js:10:38:10:41 | data | tst3.js:10:38:10:43 | data.p |
| tst3.js:10:38:10:41 | data | tst3.js:10:38:10:43 | data.p |
| tst.js:2:7:2:39 | target | tst.js:5:18:5:23 | target |
| tst.js:2:7:2:39 | target | tst.js:5:18:5:23 | target |
| tst.js:2:7:2:39 | target | tst.js:12:28:12:33 | target |
@@ -1426,6 +1488,28 @@ edges
| tst.js:460:6:460:38 | source | tst.js:467:20:467:25 | source |
| tst.js:460:15:460:38 | documen ... .search | tst.js:460:6:460:38 | source |
| tst.js:460:15:460:38 | documen ... .search | tst.js:460:6:460:38 | source |
| tst.js:471:7:471:46 | url | tst.js:473:19:473:21 | url |
| tst.js:471:7:471:46 | url | tst.js:473:19:473:21 | url |
| tst.js:471:7:471:46 | url | tst.js:474:26:474:28 | url |
| tst.js:471:7:471:46 | url | tst.js:474:26:474:28 | url |
| tst.js:471:7:471:46 | url | tst.js:475:25:475:27 | url |
| tst.js:471:7:471:46 | url | tst.js:475:25:475:27 | url |
| tst.js:471:7:471:46 | url | tst.js:476:20:476:22 | url |
| tst.js:471:7:471:46 | url | tst.js:476:20:476:22 | url |
| tst.js:471:7:471:46 | url | tst.js:479:43:479:45 | url |
| tst.js:471:7:471:46 | url | tst.js:481:42:481:44 | url |
| tst.js:471:7:471:46 | url | tst.js:484:22:484:24 | url |
| tst.js:471:7:471:46 | url | tst.js:484:22:484:24 | url |
| tst.js:471:7:471:46 | url | tst.js:486:22:486:24 | url |
| tst.js:471:7:471:46 | url | tst.js:486:22:486:24 | url |
| tst.js:471:13:471:36 | documen ... .search | tst.js:471:13:471:46 | documen ... bstr(1) |
| tst.js:471:13:471:36 | documen ... .search | tst.js:471:13:471:46 | documen ... bstr(1) |
| tst.js:471:13:471:46 | documen ... bstr(1) | tst.js:471:7:471:46 | url |
| tst.js:479:43:479:45 | url | tst.js:479:20:479:45 | "http:/ ... " + url |
| tst.js:479:43:479:45 | url | tst.js:479:20:479:45 | "http:/ ... " + url |
| tst.js:481:20:481:45 | ["http: ... ", url] | tst.js:481:20:481:55 | ["http: ... in("/") |
| tst.js:481:20:481:45 | ["http: ... ", url] | tst.js:481:20:481:55 | ["http: ... in("/") |
| tst.js:481:42:481:44 | url | tst.js:481:20:481:45 | ["http: ... ", url] |
| typeahead.js:20:13:20:45 | target | typeahead.js:21:12:21:17 | target |
| typeahead.js:20:22:20:45 | documen ... .search | typeahead.js:20:13:20:45 | target |
| typeahead.js:20:22:20:45 | documen ... .search | typeahead.js:20:13:20:45 | target |
@@ -1583,6 +1667,11 @@ edges
| tooltip.jsx:11:25:11:30 | source | tooltip.jsx:6:20:6:30 | window.name | tooltip.jsx:11:25:11:30 | source | Cross-site scripting vulnerability due to $@. | tooltip.jsx:6:20:6:30 | window.name | user-provided value |
| translate.js:9:27:9:50 | searchP ... 'term') | translate.js:6:16:6:39 | documen ... .search | translate.js:9:27:9:50 | searchP ... 'term') | Cross-site scripting vulnerability due to $@. | translate.js:6:16:6:39 | documen ... .search | user-provided value |
| trusted-types.js:2:71:2:71 | x | trusted-types.js:3:24:3:34 | window.name | trusted-types.js:2:71:2:71 | x | Cross-site scripting vulnerability due to $@. | trusted-types.js:3:24:3:34 | window.name | user-provided value |
| tst3.js:4:25:4:32 | data.src | tst3.js:2:42:2:63 | window. ... .search | tst3.js:4:25:4:32 | data.src | Cross-site scripting vulnerability due to $@. | tst3.js:2:42:2:63 | window. ... .search | user-provided value |
| tst3.js:5:26:5:31 | data.p | tst3.js:2:42:2:63 | window. ... .search | tst3.js:5:26:5:31 | data.p | Cross-site scripting vulnerability due to $@. | tst3.js:2:42:2:63 | window. ... .search | user-provided value |
| tst3.js:7:32:7:37 | data.p | tst3.js:2:42:2:63 | window. ... .search | tst3.js:7:32:7:37 | data.p | Cross-site scripting vulnerability due to $@. | tst3.js:2:42:2:63 | window. ... .search | user-provided value |
| tst3.js:9:37:9:42 | data.p | tst3.js:2:42:2:63 | window. ... .search | tst3.js:9:37:9:42 | data.p | Cross-site scripting vulnerability due to $@. | tst3.js:2:42:2:63 | window. ... .search | user-provided value |
| tst3.js:10:38:10:43 | data.p | tst3.js:2:42:2:63 | window. ... .search | tst3.js:10:38:10:43 | data.p | Cross-site scripting vulnerability due to $@. | tst3.js:2:42:2:63 | window. ... .search | user-provided value |
| tst.js:5:18:5:23 | target | tst.js:2:16:2:39 | documen ... .search | tst.js:5:18:5:23 | target | Cross-site scripting vulnerability due to $@. | tst.js:2:16:2:39 | documen ... .search | user-provided value |
| tst.js:8:18:8:126 | "<OPTIO ... PTION>" | tst.js:8:37:8:58 | documen ... on.href | tst.js:8:18:8:126 | "<OPTIO ... PTION>" | Cross-site scripting vulnerability due to $@. | tst.js:8:37:8:58 | documen ... on.href | user-provided value |
| tst.js:12:5:12:42 | '<div s ... 'px">' | tst.js:2:16:2:39 | documen ... .search | tst.js:12:5:12:42 | '<div s ... 'px">' | Cross-site scripting vulnerability due to $@. | tst.js:2:16:2:39 | documen ... .search | user-provided value |
@@ -1665,6 +1754,14 @@ edges
| tst.js:463:21:463:26 | source | tst.js:460:15:460:38 | documen ... .search | tst.js:463:21:463:26 | source | Cross-site scripting vulnerability due to $@. | tst.js:460:15:460:38 | documen ... .search | user-provided value |
| tst.js:465:19:465:24 | source | tst.js:460:15:460:38 | documen ... .search | tst.js:465:19:465:24 | source | Cross-site scripting vulnerability due to $@. | tst.js:460:15:460:38 | documen ... .search | user-provided value |
| tst.js:467:20:467:25 | source | tst.js:460:15:460:38 | documen ... .search | tst.js:467:20:467:25 | source | Cross-site scripting vulnerability due to $@. | tst.js:460:15:460:38 | documen ... .search | user-provided value |
| tst.js:473:19:473:21 | url | tst.js:471:13:471:36 | documen ... .search | tst.js:473:19:473:21 | url | Cross-site scripting vulnerability due to $@. | tst.js:471:13:471:36 | documen ... .search | user-provided value |
| tst.js:474:26:474:28 | url | tst.js:471:13:471:36 | documen ... .search | tst.js:474:26:474:28 | url | Cross-site scripting vulnerability due to $@. | tst.js:471:13:471:36 | documen ... .search | user-provided value |
| tst.js:475:25:475:27 | url | tst.js:471:13:471:36 | documen ... .search | tst.js:475:25:475:27 | url | Cross-site scripting vulnerability due to $@. | tst.js:471:13:471:36 | documen ... .search | user-provided value |
| tst.js:476:20:476:22 | url | tst.js:471:13:471:36 | documen ... .search | tst.js:476:20:476:22 | url | Cross-site scripting vulnerability due to $@. | tst.js:471:13:471:36 | documen ... .search | user-provided value |
| tst.js:479:20:479:45 | "http:/ ... " + url | tst.js:471:13:471:36 | documen ... .search | tst.js:479:20:479:45 | "http:/ ... " + url | Cross-site scripting vulnerability due to $@. | tst.js:471:13:471:36 | documen ... .search | user-provided value |
| tst.js:481:20:481:55 | ["http: ... in("/") | tst.js:471:13:471:36 | documen ... .search | tst.js:481:20:481:55 | ["http: ... in("/") | Cross-site scripting vulnerability due to $@. | tst.js:471:13:471:36 | documen ... .search | user-provided value |
| tst.js:484:22:484:24 | url | tst.js:471:13:471:36 | documen ... .search | tst.js:484:22:484:24 | url | Cross-site scripting vulnerability due to $@. | tst.js:471:13:471:36 | documen ... .search | user-provided value |
| tst.js:486:22:486:24 | url | tst.js:471:13:471:36 | documen ... .search | tst.js:486:22:486:24 | url | Cross-site scripting vulnerability due to $@. | tst.js:471:13:471:36 | documen ... .search | user-provided value |
| typeahead.js:25:18:25:20 | val | typeahead.js:20:22:20:45 | documen ... .search | typeahead.js:25:18:25:20 | val | Cross-site scripting vulnerability due to $@. | typeahead.js:20:22:20:45 | documen ... .search | user-provided value |
| v-html.vue:2:8:2:23 | v-html=tainted | v-html.vue:6:42:6:58 | document.location | v-html.vue:2:8:2:23 | v-html=tainted | Cross-site scripting vulnerability due to $@. | v-html.vue:6:42:6:58 | document.location | user-provided value |
| various-concat-obfuscations.js:4:4:4:31 | "<div>" ... </div>" | various-concat-obfuscations.js:2:16:2:39 | documen ... .search | various-concat-obfuscations.js:4:4:4:31 | "<div>" ... </div>" | Cross-site scripting vulnerability due to $@. | various-concat-obfuscations.js:2:16:2:39 | documen ... .search | user-provided value |

84
javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/XssWithAdditionalSources.expected
View File

@@ -439,6 +439,26 @@ nodes
| trusted-types.js:2:71:2:71 | x |
| trusted-types.js:3:24:3:34 | window.name |
| trusted-types.js:3:24:3:34 | window.name |
| tst3.js:2:12:2:75 | JSON.pa ... tr(1))) |
| tst3.js:2:23:2:74 | decodeU ... str(1)) |
| tst3.js:2:42:2:63 | window. ... .search |
| tst3.js:2:42:2:63 | window. ... .search |
| tst3.js:2:42:2:73 | window. ... bstr(1) |
| tst3.js:4:25:4:28 | data |
| tst3.js:4:25:4:32 | data.src |
| tst3.js:4:25:4:32 | data.src |
| tst3.js:5:26:5:29 | data |
| tst3.js:5:26:5:31 | data.p |
| tst3.js:5:26:5:31 | data.p |
| tst3.js:7:32:7:35 | data |
| tst3.js:7:32:7:37 | data.p |
| tst3.js:7:32:7:37 | data.p |
| tst3.js:9:37:9:40 | data |
| tst3.js:9:37:9:42 | data.p |
| tst3.js:9:37:9:42 | data.p |
| tst3.js:10:38:10:41 | data |
| tst3.js:10:38:10:43 | data.p |
| tst3.js:10:38:10:43 | data.p |
| tst.js:2:7:2:39 | target |
| tst.js:2:7:2:39 | target |
| tst.js:2:16:2:39 | documen ... .search |
@@ -739,6 +759,29 @@ nodes
| tst.js:465:19:465:24 | source |
| tst.js:467:20:467:25 | source |
| tst.js:467:20:467:25 | source |
| tst.js:471:7:471:46 | url |
| tst.js:471:13:471:36 | documen ... .search |
| tst.js:471:13:471:36 | documen ... .search |
| tst.js:471:13:471:46 | documen ... bstr(1) |
| tst.js:473:19:473:21 | url |
| tst.js:473:19:473:21 | url |
| tst.js:474:26:474:28 | url |
| tst.js:474:26:474:28 | url |
| tst.js:475:25:475:27 | url |
| tst.js:475:25:475:27 | url |
| tst.js:476:20:476:22 | url |
| tst.js:476:20:476:22 | url |
| tst.js:479:20:479:45 | "http:/ ... " + url |
| tst.js:479:20:479:45 | "http:/ ... " + url |
| tst.js:479:43:479:45 | url |
| tst.js:481:20:481:45 | ["http: ... ", url] |
| tst.js:481:20:481:55 | ["http: ... in("/") |
| tst.js:481:20:481:55 | ["http: ... in("/") |
| tst.js:481:42:481:44 | url |
| tst.js:484:22:484:24 | url |
| tst.js:484:22:484:24 | url |
| tst.js:486:22:486:24 | url |
| tst.js:486:22:486:24 | url |
| typeahead.js:9:28:9:30 | loc |
| typeahead.js:9:28:9:30 | loc |
| typeahead.js:10:16:10:18 | loc |
@@ -1207,6 +1250,25 @@ edges
| trusted-types.js:2:66:2:66 | x | trusted-types.js:2:71:2:71 | x |
| trusted-types.js:3:24:3:34 | window.name | trusted-types.js:2:66:2:66 | x |
| trusted-types.js:3:24:3:34 | window.name | trusted-types.js:2:66:2:66 | x |
| tst3.js:2:12:2:75 | JSON.pa ... tr(1))) | tst3.js:4:25:4:28 | data |
| tst3.js:2:12:2:75 | JSON.pa ... tr(1))) | tst3.js:5:26:5:29 | data |
| tst3.js:2:12:2:75 | JSON.pa ... tr(1))) | tst3.js:7:32:7:35 | data |
| tst3.js:2:12:2:75 | JSON.pa ... tr(1))) | tst3.js:9:37:9:40 | data |
| tst3.js:2:12:2:75 | JSON.pa ... tr(1))) | tst3.js:10:38:10:41 | data |
| tst3.js:2:23:2:74 | decodeU ... str(1)) | tst3.js:2:12:2:75 | JSON.pa ... tr(1))) |
| tst3.js:2:42:2:63 | window. ... .search | tst3.js:2:42:2:73 | window. ... bstr(1) |
| tst3.js:2:42:2:63 | window. ... .search | tst3.js:2:42:2:73 | window. ... bstr(1) |
| tst3.js:2:42:2:73 | window. ... bstr(1) | tst3.js:2:23:2:74 | decodeU ... str(1)) |
| tst3.js:4:25:4:28 | data | tst3.js:4:25:4:32 | data.src |
| tst3.js:4:25:4:28 | data | tst3.js:4:25:4:32 | data.src |
| tst3.js:5:26:5:29 | data | tst3.js:5:26:5:31 | data.p |
| tst3.js:5:26:5:29 | data | tst3.js:5:26:5:31 | data.p |
| tst3.js:7:32:7:35 | data | tst3.js:7:32:7:37 | data.p |
| tst3.js:7:32:7:35 | data | tst3.js:7:32:7:37 | data.p |
| tst3.js:9:37:9:40 | data | tst3.js:9:37:9:42 | data.p |
| tst3.js:9:37:9:40 | data | tst3.js:9:37:9:42 | data.p |
| tst3.js:10:38:10:41 | data | tst3.js:10:38:10:43 | data.p |
| tst3.js:10:38:10:41 | data | tst3.js:10:38:10:43 | data.p |
| tst.js:2:7:2:39 | target | tst.js:5:18:5:23 | target |
| tst.js:2:7:2:39 | target | tst.js:5:18:5:23 | target |
| tst.js:2:7:2:39 | target | tst.js:12:28:12:33 | target |
@@ -1461,6 +1523,28 @@ edges
| tst.js:460:6:460:38 | source | tst.js:467:20:467:25 | source |
| tst.js:460:15:460:38 | documen ... .search | tst.js:460:6:460:38 | source |
| tst.js:460:15:460:38 | documen ... .search | tst.js:460:6:460:38 | source |
| tst.js:471:7:471:46 | url | tst.js:473:19:473:21 | url |
| tst.js:471:7:471:46 | url | tst.js:473:19:473:21 | url |
| tst.js:471:7:471:46 | url | tst.js:474:26:474:28 | url |
| tst.js:471:7:471:46 | url | tst.js:474:26:474:28 | url |
| tst.js:471:7:471:46 | url | tst.js:475:25:475:27 | url |
| tst.js:471:7:471:46 | url | tst.js:475:25:475:27 | url |
| tst.js:471:7:471:46 | url | tst.js:476:20:476:22 | url |
| tst.js:471:7:471:46 | url | tst.js:476:20:476:22 | url |
| tst.js:471:7:471:46 | url | tst.js:479:43:479:45 | url |
| tst.js:471:7:471:46 | url | tst.js:481:42:481:44 | url |
| tst.js:471:7:471:46 | url | tst.js:484:22:484:24 | url |
| tst.js:471:7:471:46 | url | tst.js:484:22:484:24 | url |
| tst.js:471:7:471:46 | url | tst.js:486:22:486:24 | url |
| tst.js:471:7:471:46 | url | tst.js:486:22:486:24 | url |
| tst.js:471:13:471:36 | documen ... .search | tst.js:471:13:471:46 | documen ... bstr(1) |
| tst.js:471:13:471:36 | documen ... .search | tst.js:471:13:471:46 | documen ... bstr(1) |
| tst.js:471:13:471:46 | documen ... bstr(1) | tst.js:471:7:471:46 | url |
| tst.js:479:43:479:45 | url | tst.js:479:20:479:45 | "http:/ ... " + url |
| tst.js:479:43:479:45 | url | tst.js:479:20:479:45 | "http:/ ... " + url |
| tst.js:481:20:481:45 | ["http: ... ", url] | tst.js:481:20:481:55 | ["http: ... in("/") |
| tst.js:481:20:481:45 | ["http: ... ", url] | tst.js:481:20:481:55 | ["http: ... in("/") |
| tst.js:481:42:481:44 | url | tst.js:481:20:481:45 | ["http: ... ", url] |
| typeahead.js:9:28:9:30 | loc | typeahead.js:10:16:10:18 | loc |
| typeahead.js:9:28:9:30 | loc | typeahead.js:10:16:10:18 | loc |
| typeahead.js:9:28:9:30 | loc | typeahead.js:10:16:10:18 | loc |

16
javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/tst.js
View File

@@ -470,20 +470,20 @@ function domMethods() {
function urlStuff() {
var url = document.location.search.substr(1);
$("<a>", {href: url}).appendTo("body"); // NOT OK - but not detected [INCONSISTENCY]
$("#foo").attr("href", url); // NOT OK - but not detected [INCONSISTENCY]
$("#foo").attr({href: url}); // NOT OK - but not detected [INCONSISTENCY]
$("<img>", {src: url}).appendTo("body"); // NOT OK - but not detected [INCONSISTENCY]
$("<a>", {href: url}).appendTo("body"); // NOT OK
$("#foo").attr("href", url); // NOT OK
$("#foo").attr({href: url}); // NOT OK
$("<img>", {src: url}).appendTo("body"); // NOT OK
$("<a>", {href: win.location.href}).appendTo("body"); // OK
$("<img>", {src: "http://google.com/" + url}).appendTo("body"); // OK
$("<img>", {src: "http://google.com/" + url}).appendTo("body"); // OK - but flagged [INCONSISTENCY]
$("<img>", {src: ["http://google.com", url].join("/")}).appendTo("body"); // OK
$("<img>", {src: ["http://google.com", url].join("/")}).appendTo("body"); // OK - but flagged [INCONSISTENCY]
if (url.startsWith("https://")) {
$("<img>", {src: url}).appendTo("body"); // OK
$("<img>", {src: url}).appendTo("body"); // OK - but flagged [INCONSISTENCY]
} else {
$("<img>", {src: url}).appendTo("body"); // NOT OK - but not detected [INCONSISTENCY]
$("<img>", {src: url}).appendTo("body"); // NOT OK
}
window.open(location.hash.substr(1)); // OK - any JavaScript is executed in another context

10
javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/tst3.js
View File

@@ -1,13 +1,13 @@
var foo = document.getElementById("foo");
var data = JSON.parse(decodeURIComponent(window.location.search.substr(1)));
foo.setAttribute("src", data.src); // NOT OK - but not detected [INCONSISTENCY]
foo.setAttribute("HREF", data.p); // NOT OK - but not detected [INCONSISTENCY]
foo.setAttribute("src", data.src); // NOT OK
foo.setAttribute("HREF", data.p); // NOT OK
foo.setAttribute("width", data.w); // OK
foo.setAttribute("xlink:href", data.p) // NOT OK - but not detected [INCONSISTENCY]
foo.setAttribute("xlink:href", data.p) // NOT OK
foo.setAttributeNS('xlink', 'href', data.p); // NOT OK - but not detected [INCONSISTENCY]
foo.setAttributeNS('foobar', 'href', data.p); // NOT OK - but not detected [INCONSISTENCY]
foo.setAttributeNS('xlink', 'href', data.p); // NOT OK
foo.setAttributeNS('foobar', 'href', data.p); // NOT OK
foo.setAttributeNS('baz', 'width', data.w); // OK