JS: include referer header as reflected XSS source

2026-04-29 02:35:15 +02:00 · 2018-10-04 10:53:10 +01:00
parent dc26bdc5e7
commit c2a5f99d9c
2 changed files with 5 additions and 0 deletions
--- a/javascript/ql/src/semmle/javascript/frameworks/HTTP.qll
+++ b/javascript/ql/src/semmle/javascript/frameworks/HTTP.qll
@@ -412,6 +412,9 @@ module HTTP {
     *
     * In these cases, the request is technically sent from the user's browser, but
     * the user is not in direct control of the URL or POST body.
+     *
+     * Headers are never considered third-party controllable by this predicate, although the
+     * third party does have some control over the the Referer and Origin headers.
     */
    predicate isThirdPartyControllable() {
      exists (string kind | kind = getKind() |
--- a/javascript/ql/src/semmle/javascript/security/dataflow/ReflectedXss.qll
+++ b/javascript/ql/src/semmle/javascript/security/dataflow/ReflectedXss.qll
@@ -47,6 +47,8 @@ module ReflectedXss {
  class ThirdPartyRequestInputAccessAsSource extends Source {
    ThirdPartyRequestInputAccessAsSource() {
      this.(HTTP::RequestInputAccess).isThirdPartyControllable()
+      or
+      this.(HTTP::RequestHeaderAccess).getAHeaderName() = "referer"
    }
  }