JS: Extract HTML from inline templates

2026-04-28 02:05:14 +02:00 · 2020-12-14 10:37:38 +00:00
parent 6bf9345258
commit 8848ee2d10
9 changed files with 170 additions and 41 deletions
--- a/javascript/ql/src/semmle/javascript/HTML.qll
+++ b/javascript/ql/src/semmle/javascript/HTML.qll
@@ -84,6 +84,32 @@ module HTML {
    override string getAPrimaryQlClass() { result = "HTML::Element" }
  }

+  /**
+   * Gets the inline script of the given attribute, if any.
+   */
+  CodeInAttribute getCodeInAttribute(XMLAttribute attribute) {
+    exists(
+      string f, Location l1, int sl1, int sc1, int el1, int ec1, Location l2, int sl2, int sc2,
+      int el2, int ec2
+    |
+      l1 = attribute.getLocation() and
+      l2 = result.getLocation() and
+      l1.hasLocationInfo(f, sl1, sc1, el1, ec1) and
+      l2.hasLocationInfo(f, sl2, sc2, el2, ec2)
+    |
+      (
+        sl1 = sl2 and sc1 < sc2
+        or
+        sl1 < sl2
+      ) and
+      (
+        el1 = el2 and ec1 > ec2
+        or
+        el1 > el2
+      )
+    )
+  }
+
  /**
   * An attribute of an HTML element.
   *
@@ -101,6 +127,13 @@ module HTML {

    override Location getLocation() { xmllocations(this, result) }

+    /**
+     * Gets the inline script of this attribute, if any.
+     */
+    CodeInAttribute getCodeInAttribute() {
+      result = getCodeInAttribute(this)
+    }
+
    /**
     * Gets the element to which this attribute belongs.
     */
@@ -127,32 +160,6 @@ module HTML {

    override string toString() { result = getName() + "=" + getValue() }

-    /**
-     * Gets the inline script of this attribute, if any.
-     */
-    CodeInAttribute getCodeInAttribute() {
-      exists(
-        string f, Location l1, int sl1, int sc1, int el1, int ec1, Location l2, int sl2, int sc2,
-        int el2, int ec2
-      |
-        l1 = getLocation() and
-        l2 = result.getLocation() and
-        l1.hasLocationInfo(f, sl1, sc1, el1, ec1) and
-        l2.hasLocationInfo(f, sl2, sc2, el2, ec2)
-      |
-        (
-          sl1 = sl2 and sc1 < sc2
-          or
-          sl1 < sl2
-        ) and
-        (
-          el1 = el2 and ec1 > ec2
-          or
-          el1 > el2
-        )
-      )
-    }
-
    override string getAPrimaryQlClass() { result = "HTML::Attribute" }
  }

--- a/javascript/ql/src/semmle/javascript/frameworks/Angular2.qll
+++ b/javascript/ql/src/semmle/javascript/frameworks/Angular2.qll
@@ -355,14 +355,30 @@ module Angular2 {
      result = decorator.getOptionArgument(0, "templateUrl").asExpr().(PathExpr).resolve()
    }

+    pragma[noinline]
+    private Location getInlineTemplateLocation() {
+      result = decorator.getOptionArgument(0, "template").asExpr().getLocation()
+    }
+
+    private XMLAttribute getAnAttributeInInlineTemplate() {
+      exists(Location templateLoc, Location attribLoc |
+        templateLoc = getInlineTemplateLocation() and
+        attribLoc = result.getLocation() and
+        templateLoc.getFile() = attribLoc.getFile()
+        // TODO: check line/column - though in practice checking the file is enough
+      )
+    }
+
    /**
     * Gets an access to the variable `name` in the template body.
     */
    DataFlow::Node getATemplateVarAccess(string name) {
-      exists(HTML::Attribute attrib |
-        attrib.getFile() = getTemplateFile() and
+      exists(XMLAttribute attrib |
+        attrib.getLocation().getFile() = getTemplateFile() or
+        attrib = getAnAttributeInInlineTemplate()
+      |
        isAngularExpressionAttribute(attrib) and
-        result = getAGlobalVarAccessInAttribute(attrib.getCodeInAttribute(), name).flow()
+        result = getAGlobalVarAccessInAttribute(HTML::getCodeInAttribute(attrib), name).flow()
      )
    }
  }