add writes to textContent on a <script /> as a sink for code-injection

2026-04-30 11:15:13 +02:00 · 2021-05-18 10:25:25 +02:00
parent 9b0e3b1950
commit cac0ab299b
1 changed files with 31 additions and 0 deletions
--- a/javascript/ql/src/semmle/javascript/security/dataflow/CodeInjectionCustomizations.qll
+++ b/javascript/ql/src/semmle/javascript/security/dataflow/CodeInjectionCustomizations.qll
@@ -51,6 +51,37 @@ module CodeInjection {
    }
  }

+  /**
+   * Gets a reference to a `<script />` tag created using `document.createElement`.
+   */
+  private DataFlow::SourceNode scriptTag(DataFlow::TypeTracker t) {
+    t.start() and
+    exists(DataFlow::CallNode call | call = result |
+      call = DOM::documentRef().getAMethodCall("createElement") and
+      call.getArgument(0).mayHaveStringValue("script")
+    )
+    or
+    exists(DataFlow::TypeTracker t2 | result = scriptTag(t2).track(t2, t))
+  }
+
+  /**
+   * Gets a reference to a `<script />` tag created using `document.createElement`,
+   * or an element of type `HTMLScriptElement`.
+   */
+  private DataFlow::SourceNode scriptTag() {
+    result = scriptTag(DataFlow::TypeTracker::end())
+    or
+    result.hasUnderlyingType("HTMLScriptElement")
+  }
+
+  /**
+   * A write to the `textContent` property of a `<script />` tag,
+   * seen as a sink for code injection vulnerabilities.
+   */
+  class ScriptContentSink extends Sink {
+    ScriptContentSink() { this = scriptTag().getAPropertyWrite("textContent").getRhs() }
+  }
+
  /**
   * An expression which may be evaluated as JavaScript.
   */