Merge pull request #195 from esben-semmle/js/reflected-xss-through-filenames

Approved by asger-semmle
2026-04-30 03:05:15 +02:00 · 2018-09-19 12:42:22 +01:00
parent 86fe0ce42e bb48421d77
commit 89f2dbf8db
17 changed files with 411 additions and 7 deletions
--- a/javascript/ql/src/Security/CWE-079/StoredXss.qhelp
+++ b/javascript/ql/src/Security/CWE-079/StoredXss.qhelp
@@ -0,0 +1,63 @@
+<!DOCTYPE qhelp PUBLIC
+"-//Semmle//qhelp//EN"
+"qhelp.dtd">
+<qhelp>
+
+<overview>
+	<p>
+
+		Directly using uncontrolled stored value (for example, file names) to
+		create HTML content without properly sanitizing the input first,
+		allows for a cross-site scripting vulnerability.
+
+	</p>
+	<p>
+
+		This kind of vulnerability is also called <i>stored</i> cross-site
+		scripting, to distinguish it from other types of cross-site scripting.
+
+	</p>
+</overview>
+
+<recommendation>
+	<p>
+
+		To guard against cross-site scripting, consider using contextual
+		output encoding/escaping before using uncontrolled stored values to
+		create HTML content, or one of the other solutions that are mentioned
+		in the references.
+
+	</p>
+</recommendation>
+
+<example>
+	<p>
+
+		The following example code writes file names directly to a HTTP
+		response. This leaves the website vulnerable to cross-site scripting,
+		if an attacker can choose the file names on the disk.
+
+	</p>
+	<sample src="examples/StoredXss.js" />
+	<p>
+		Sanitizing the file names prevents the vulnerability:
+	</p>
+	<sample src="examples/StoredXssGood.js" />
+</example>
+
+<references>
+	<li>
+		OWASP:
+		<a href="https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet">XSS
+		(Cross Site Scripting) Prevention Cheat Sheet</a>.
+	</li>
+	<li>
+		OWASP
+		<a href="https://www.owasp.org/index.php/Types_of_Cross-Site_Scripting">Types of Cross-Site
+		Scripting</a>.
+	</li>
+	<li>
+		Wikipedia: <a href="http://en.wikipedia.org/wiki/Cross-site_scripting">Cross-site scripting</a>.
+	</li>
+</references>
+</qhelp>
--- a/javascript/ql/src/Security/CWE-079/StoredXss.ql
+++ b/javascript/ql/src/Security/CWE-079/StoredXss.ql
@@ -0,0 +1,20 @@
+/**
+ * @name Stored cross-site scripting
+ * @description Using uncontrolled stored values in HTML allows for
+ *              a stored cross-site scripting vulnerability.
+ * @kind problem
+ * @problem.severity error
+ * @precision high
+ * @id js/stored-xss
+ * @tags security
+ *       external/cwe/cwe-079
+ *       external/cwe/cwe-116
+ */
+
+import javascript
+import semmle.javascript.security.dataflow.StoredXss::StoredXss
+
+from Configuration xss, DataFlow::Node source, DataFlow::Node sink
+where xss.hasFlow(source, sink)
+select sink, "Stored cross-site scripting vulnerability due to $@.",
+       source, "stored value"
--- a/javascript/ql/src/Security/CWE-079/examples/StoredXss.js
+++ b/javascript/ql/src/Security/CWE-079/examples/StoredXss.js
@@ -0,0 +1,14 @@
+var express = require('express'),
+    fs = require('fs');
+
+express().get('/list-directory', function(req, res) {
+    fs.readdir('/public', function (error, fileNames) {
+        var list = '<ul>';
+        fileNames.forEach(fileName => {
+            // BAD: `fileName` can contain HTML elements
+            list += '<li>' + fileName '</li>';
+        });
+        list += '</ul>'
+        res.send(list);
+    });
+});
--- a/javascript/ql/src/Security/CWE-079/examples/StoredXssGood.js
+++ b/javascript/ql/src/Security/CWE-079/examples/StoredXssGood.js
@@ -0,0 +1,15 @@
+var express = require('express'),
+    fs = require('fs'),
+    escape = require('escape-html');
+
+express().get('/list-directory', function(req, res) {
+    fs.readdir('/public', function (error, fileNames) {
+        var list = '<ul>';
+        fileNames.forEach(fileName => {
+            // GOOD: escaped `fileName` can not contain HTML elements
+            list += '<li>' + escape(fileName) '</li>';
+        });
+        list += '</ul>'
+        res.send(list);
+    });
+});