Merge pull request #1449 from xiemaisi/js/fix-http-response-sink-perf-regression

Approved by esben-semmle
This commit is contained in:
semmle-qlci
2019-06-12 21:36:23 +01:00
committed by GitHub


@@ -271,16 +271,19 @@ module ReflectedXss {
* a content type that does not (case-insensitively) contain the string "html". This
* is to prevent us from flagging plain-text or JSON responses as vulnerable.
*/
private class HttpResponseSink extends Sink {
HttpResponseSink() {
exists(HTTP::ResponseSendArgument sendarg | sendarg = asExpr() |
forall(HTTP::HeaderDefinition hd |
hd = sendarg.getRouteHandler().getAResponseHeader("content-type")
|
exists(string tp | hd.defines("content-type", tp) | tp.toLowerCase().matches("%html%"))
)
)
}
private class HttpResponseSink extends Sink, DataFlow::ValueNode {
override HTTP::ResponseSendArgument astNode;
HttpResponseSink() { not nonHtmlContentType(astNode.getRouteHandler()) }
}
/**
* Holds if `h` may send a response with a content type other than HTML.
*/
private predicate nonHtmlContentType(HTTP::RouteHandler h) {
exists(HTTP::HeaderDefinition hd | hd = h.getAResponseHeader("content-type") |
not exists(string tp | hd.defines("content-type", tp) | tp.regexpMatch("(?i).*html.*"))
)
}
/**