hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-30 11:15:13 +02:00
Code Issues Packages Projects Releases Wiki Activity

add support for domNode.onpaste for copy-paste events

Browse Source
This commit is contained in:
Erik Krogh Kristensen
2022-04-11 20:10:56 +02:00
parent 6713b2c671
commit aafa8ddc9f
4 changed files with 62 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
javascript/ql/lib/semmle/javascript/frameworks/Clipboard.qll
View File

@@ -32,6 +32,12 @@ private DataFlow::SourceNode pasteEvent(DataFlow::TypeTracker t) {
)
or
t.start() and
exists(DataFlow::PropWrite pw | pw = DOM::domValueRef().getAPropertyWrite() |
pw.getPropertyName() = "onpaste" and
result = pw.getRhs().getABoundFunctionValue(0).getParameter(0)
)
or
t.start() and
result = jQueryPasteEvent(DataFlow::TypeTracker::end()).getAPropertyRead("originalEvent")
or
exists(DataFlow::TypeTracker t2 | result = pasteEvent(t2).track(t2, t))

17
javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/Xss.expected
View File

@@ -136,6 +136,14 @@ nodes
| clipboard.ts:33:19:33:68 | e.origi ... /html') |
| clipboard.ts:33:19:33:68 | e.origi ... /html') |
| clipboard.ts:33:19:33:68 | e.origi ... /html') |
| clipboard.ts:43:15:43:55 | html |
| clipboard.ts:43:15:43:55 | html |
| clipboard.ts:43:22:43:55 | clipboa ... /html') |
| clipboard.ts:43:22:43:55 | clipboa ... /html') |
| clipboard.ts:43:22:43:55 | clipboa ... /html') |
| clipboard.ts:50:29:50:32 | html |
| clipboard.ts:50:29:50:32 | html |
| clipboard.ts:50:29:50:32 | html |
| d3.js:4:12:4:22 | window.name |
| d3.js:4:12:4:22 | window.name |
| d3.js:4:12:4:22 | window.name |
@@ -1158,6 +1166,14 @@ edges
| clipboard.ts:24:23:24:58 | e.clipb ... /html') | clipboard.ts:24:23:24:58 | e.clipb ... /html') |
| clipboard.ts:29:19:29:54 | e.clipb ... /html') | clipboard.ts:29:19:29:54 | e.clipb ... /html') |
| clipboard.ts:33:19:33:68 | e.origi ... /html') | clipboard.ts:33:19:33:68 | e.origi ... /html') |
| clipboard.ts:43:15:43:55 | html | clipboard.ts:50:29:50:32 | html |
| clipboard.ts:43:15:43:55 | html | clipboard.ts:50:29:50:32 | html |
| clipboard.ts:43:15:43:55 | html | clipboard.ts:50:29:50:32 | html |
| clipboard.ts:43:15:43:55 | html | clipboard.ts:50:29:50:32 | html |
| clipboard.ts:43:22:43:55 | clipboa ... /html') | clipboard.ts:43:15:43:55 | html |
| clipboard.ts:43:22:43:55 | clipboa ... /html') | clipboard.ts:43:15:43:55 | html |
| clipboard.ts:43:22:43:55 | clipboa ... /html') | clipboard.ts:43:15:43:55 | html |
| clipboard.ts:43:22:43:55 | clipboa ... /html') | clipboard.ts:43:15:43:55 | html |
| d3.js:4:12:4:22 | window.name | d3.js:11:15:11:24 | getTaint() |
| d3.js:4:12:4:22 | window.name | d3.js:11:15:11:24 | getTaint() |
| d3.js:4:12:4:22 | window.name | d3.js:11:15:11:24 | getTaint() |
@@ -2109,6 +2125,7 @@ edges
| clipboard.ts:24:23:24:58 | e.clipb ... /html') | clipboard.ts:24:23:24:58 | e.clipb ... /html') | clipboard.ts:24:23:24:58 | e.clipb ... /html') | Cross-site scripting vulnerability due to $@. | clipboard.ts:24:23:24:58 | e.clipb ... /html') | user-provided value |
| clipboard.ts:29:19:29:54 | e.clipb ... /html') | clipboard.ts:29:19:29:54 | e.clipb ... /html') | clipboard.ts:29:19:29:54 | e.clipb ... /html') | Cross-site scripting vulnerability due to $@. | clipboard.ts:29:19:29:54 | e.clipb ... /html') | user-provided value |
| clipboard.ts:33:19:33:68 | e.origi ... /html') | clipboard.ts:33:19:33:68 | e.origi ... /html') | clipboard.ts:33:19:33:68 | e.origi ... /html') | Cross-site scripting vulnerability due to $@. | clipboard.ts:33:19:33:68 | e.origi ... /html') | user-provided value |
| clipboard.ts:50:29:50:32 | html | clipboard.ts:43:22:43:55 | clipboa ... /html') | clipboard.ts:50:29:50:32 | html | Cross-site scripting vulnerability due to $@. | clipboard.ts:43:22:43:55 | clipboa ... /html') | user-provided value |
| d3.js:11:15:11:24 | getTaint() | d3.js:4:12:4:22 | window.name | d3.js:11:15:11:24 | getTaint() | Cross-site scripting vulnerability due to $@. | d3.js:4:12:4:22 | window.name | user-provided value |
| d3.js:12:20:12:29 | getTaint() | d3.js:4:12:4:22 | window.name | d3.js:12:20:12:29 | getTaint() | Cross-site scripting vulnerability due to $@. | d3.js:4:12:4:22 | window.name | user-provided value |
| d3.js:14:20:14:29 | getTaint() | d3.js:4:12:4:22 | window.name | d3.js:14:20:14:29 | getTaint() | Cross-site scripting vulnerability due to $@. | d3.js:4:12:4:22 | window.name | user-provided value |

16
javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/XssWithAdditionalSources.expected
View File

@@ -136,6 +136,14 @@ nodes
| clipboard.ts:33:19:33:68 | e.origi ... /html') |
| clipboard.ts:33:19:33:68 | e.origi ... /html') |
| clipboard.ts:33:19:33:68 | e.origi ... /html') |
| clipboard.ts:43:15:43:55 | html |
| clipboard.ts:43:15:43:55 | html |
| clipboard.ts:43:22:43:55 | clipboa ... /html') |
| clipboard.ts:43:22:43:55 | clipboa ... /html') |
| clipboard.ts:43:22:43:55 | clipboa ... /html') |
| clipboard.ts:50:29:50:32 | html |
| clipboard.ts:50:29:50:32 | html |
| clipboard.ts:50:29:50:32 | html |
| d3.js:4:12:4:22 | window.name |
| d3.js:4:12:4:22 | window.name |
| d3.js:4:12:4:22 | window.name |
@@ -1208,6 +1216,14 @@ edges
| clipboard.ts:24:23:24:58 | e.clipb ... /html') | clipboard.ts:24:23:24:58 | e.clipb ... /html') |
| clipboard.ts:29:19:29:54 | e.clipb ... /html') | clipboard.ts:29:19:29:54 | e.clipb ... /html') |
| clipboard.ts:33:19:33:68 | e.origi ... /html') | clipboard.ts:33:19:33:68 | e.origi ... /html') |
| clipboard.ts:43:15:43:55 | html | clipboard.ts:50:29:50:32 | html |
| clipboard.ts:43:15:43:55 | html | clipboard.ts:50:29:50:32 | html |
| clipboard.ts:43:15:43:55 | html | clipboard.ts:50:29:50:32 | html |
| clipboard.ts:43:15:43:55 | html | clipboard.ts:50:29:50:32 | html |
| clipboard.ts:43:22:43:55 | clipboa ... /html') | clipboard.ts:43:15:43:55 | html |
| clipboard.ts:43:22:43:55 | clipboa ... /html') | clipboard.ts:43:15:43:55 | html |
| clipboard.ts:43:22:43:55 | clipboa ... /html') | clipboard.ts:43:15:43:55 | html |
| clipboard.ts:43:22:43:55 | clipboa ... /html') | clipboard.ts:43:15:43:55 | html |
| d3.js:4:12:4:22 | window.name | d3.js:11:15:11:24 | getTaint() |
| d3.js:4:12:4:22 | window.name | d3.js:11:15:11:24 | getTaint() |
| d3.js:4:12:4:22 | window.name | d3.js:11:15:11:24 | getTaint() |

24
javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/clipboard.ts
View File

@@ -31,4 +31,26 @@ document.addEventListener('paste', (e) => {
$("#foo").bind('paste', (e) => {
$("#id").html(e.originalEvent.clipboardData.getData('text/html')); // NOT OK
});
});
(function () {
let div = document.createElement("div");
div.onpaste = function (e: ClipboardEvent) {
const { clipboardData } = e;
if (!clipboardData) return;
const text = clipboardData.getData('text/plain');
const html = clipboardData.getData('text/html');
if (!text && !html) return;
e.preventDefault();
const div = document.createElement('div');
if (html) {
div.innerHTML = html; // NOT OK
} else {
div.textContent = text;
}
document.body.append(div);
}
})();