hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-26 17:25:19 +02:00
Code Issues Packages Projects Releases Wiki Activity

JS: Recognise form input from NgForm

Browse Source
This commit is contained in:
Asger F
2025-01-09 13:27:38 +01:00
parent 1ec3a62242
commit 97f5559e64
3 changed files with 14 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
javascript/ql/lib/semmle/javascript/security/dataflow/XssThroughDomCustomizations.qll
View File

@@ -232,6 +232,15 @@ module XssThroughDom {
)
}
}
/**
* An object containing input values from an Angular form, accessed through an `NgForm` object.
*/
class AngularFormSource extends Source {
AngularFormSource() {
this = API::Node::ofType("@angular/forms", "NgForm").getMember("value").asSource()
}
}
}
/**

4
javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/XssThroughDom.expected
View File

@@ -1,4 +1,5 @@
edges
| angular.ts:20:24:20:33 | form.value | angular.ts:20:24:20:37 | form.value.foo | provenance | |
| forms.js:8:23:8:28 | values | forms.js:9:31:9:36 | values | provenance | |
| forms.js:9:31:9:36 | values | forms.js:9:31:9:40 | values.foo | provenance | |
| forms.js:11:24:11:29 | values | forms.js:12:31:12:36 | values | provenance | |
@@ -44,6 +45,8 @@ edges
nodes
| angular.ts:12:24:12:41 | event.target.value | semmle.label | event.target.value |
| angular.ts:16:24:16:35 | target.value | semmle.label | target.value |
| angular.ts:20:24:20:33 | form.value | semmle.label | form.value |
| angular.ts:20:24:20:37 | form.value.foo | semmle.label | form.value.foo |
| forms.js:8:23:8:28 | values | semmle.label | values |
| forms.js:9:31:9:36 | values | semmle.label | values |
| forms.js:9:31:9:40 | values.foo | semmle.label | values.foo |
@@ -128,6 +131,7 @@ subpaths
#select
| angular.ts:12:24:12:41 | event.target.value | angular.ts:12:24:12:41 | event.target.value | angular.ts:12:24:12:41 | event.target.value | $@ is reinterpreted as HTML without escaping meta-characters. | angular.ts:12:24:12:41 | event.target.value | DOM text |
| angular.ts:16:24:16:35 | target.value | angular.ts:16:24:16:35 | target.value | angular.ts:16:24:16:35 | target.value | $@ is reinterpreted as HTML without escaping meta-characters. | angular.ts:16:24:16:35 | target.value | DOM text |
| angular.ts:20:24:20:37 | form.value.foo | angular.ts:20:24:20:33 | form.value | angular.ts:20:24:20:37 | form.value.foo | $@ is reinterpreted as HTML without escaping meta-characters. | angular.ts:20:24:20:33 | form.value | DOM text |
| forms.js:9:31:9:40 | values.foo | forms.js:8:23:8:28 | values | forms.js:9:31:9:40 | values.foo | $@ is reinterpreted as HTML without escaping meta-characters. | forms.js:8:23:8:28 | values | DOM text |
| forms.js:12:31:12:40 | values.bar | forms.js:11:24:11:29 | values | forms.js:12:31:12:40 | values.bar | $@ is reinterpreted as HTML without escaping meta-characters. | forms.js:11:24:11:29 | values | DOM text |
| forms.js:25:23:25:34 | values.email | forms.js:24:15:24:20 | values | forms.js:25:23:25:34 | values.email | $@ is reinterpreted as HTML without escaping meta-characters. | forms.js:24:15:24:20 | values | DOM text |

2
javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/angular.ts
View File

@@ -17,6 +17,6 @@ export class Foo {
}
blah(form: NgForm) {
document.write(form.value.foo); // NOT OK [INCONSISTENCY]
document.write(form.value.foo); // NOT OK
}
}