all split()[0] are safe for url-redirect

2026-04-30 11:15:13 +02:00 · 2020-05-07 10:55:17 +02:00
parent a3fb13882b
commit 945fe45b6f
2 changed files with 6 additions and 1 deletions
--- a/javascript/ql/src/semmle/javascript/security/dataflow/ClientSideUrlRedirectCustomizations.qll
+++ b/javascript/ql/src/semmle/javascript/security/dataflow/ClientSideUrlRedirectCustomizations.qll
@@ -53,7 +53,9 @@ module ClientSideUrlRedirect {
    exists(MethodCallExpr mce, string methodName |
      mce = queryAccess.asExpr() and mce.calls(nd.asExpr(), methodName)
    |
-      methodName = "split"
+      methodName = "split" and
+      // exclude all splits where only the prefix is accessed, which is safe for url-redirects.
+      not exists(PropAccess pacc | mce = pacc.getBase() | pacc.getPropertyName() = "0")
      or
      (methodName = "substring" or methodName = "substr" or methodName = "slice") and
      // exclude `location.href.substring(0, ...)` and similar, which can
--- a/javascript/ql/test/query-tests/Security/CWE-601/ClientSideUrlRedirect/tst11.js
+++ b/javascript/ql/test/query-tests/Security/CWE-601/ClientSideUrlRedirect/tst11.js
@@ -3,4 +3,7 @@ function foo() {
    var urlParts = document.location.href.split('?');
    var loc = urlParts[0] + "?" + boxes.value;
    window.location = loc
+
+    // Also OK.
+    window.location.replace(window.location.href.split("#")[0] + "#mappage");
 }