Merge pull request #5916 from erik-krogh/scriptSink

Approved by esbena
2026-04-28 02:05:14 +02:00 · 2021-05-19 03:46:17 -07:00
parent c793ac933a cac0ab299b
commit 9bdfdb02d3
1 changed files with 31 additions and 0 deletions
--- a/javascript/ql/src/semmle/javascript/security/dataflow/CodeInjectionCustomizations.qll
+++ b/javascript/ql/src/semmle/javascript/security/dataflow/CodeInjectionCustomizations.qll
@@ -51,6 +51,37 @@ module CodeInjection {
    }
  }

+  /**
+   * Gets a reference to a `<script />` tag created using `document.createElement`.
+   */
+  private DataFlow::SourceNode scriptTag(DataFlow::TypeTracker t) {
+    t.start() and
+    exists(DataFlow::CallNode call | call = result |
+      call = DOM::documentRef().getAMethodCall("createElement") and
+      call.getArgument(0).mayHaveStringValue("script")
+    )
+    or
+    exists(DataFlow::TypeTracker t2 | result = scriptTag(t2).track(t2, t))
+  }
+
+  /**
+   * Gets a reference to a `<script />` tag created using `document.createElement`,
+   * or an element of type `HTMLScriptElement`.
+   */
+  private DataFlow::SourceNode scriptTag() {
+    result = scriptTag(DataFlow::TypeTracker::end())
+    or
+    result.hasUnderlyingType("HTMLScriptElement")
+  }
+
+  /**
+   * A write to the `textContent` property of a `<script />` tag,
+   * seen as a sink for code injection vulnerabilities.
+   */
+  class ScriptContentSink extends Sink {
+    ScriptContentSink() { this = scriptTag().getAPropertyWrite("textContent").getRhs() }
+  }
+
  /**
   * An expression which may be evaluated as JavaScript.
   */