hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-27 01:35:13 +02:00
Code Issues Packages Projects Releases Wiki Activity

JS: Migrate IncompleteHtmlAttributeSanitization

Browse Source
This commit is contained in:
Asger F
2024-12-13 10:55:00 +01:00
parent 2112ecc44d
commit d381ab1260
2 changed files with 23 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
javascript/ql/lib/semmle/javascript/security/dataflow/IncompleteHtmlAttributeSanitizationCustomizations.qll
View File

@@ -8,6 +8,20 @@ import javascript
import semmle.javascript.security.IncompleteBlacklistSanitizer
module IncompleteHtmlAttributeSanitization {
private newtype TFlowState = TCharacter(string c) { c = ["\"", "'", "&"] }
/** A flow state to associate with a tracked value. */
class FlowState extends TFlowState {
/** Gets a string representation of this flow state. */
string toString() { this = TCharacter(result) }
}
/** Predicates for working with flow states. */
module FlowState {
/** Gets the flow state corresponding to `c`. */
FlowState character(string c) { result = TCharacter(c) }
}
/**
* A data flow source for incomplete HTML sanitization vulnerabilities.
*/

17
javascript/ql/lib/semmle/javascript/security/dataflow/IncompleteHtmlAttributeSanitizationQuery.qll
View File

@@ -9,8 +9,9 @@
import javascript
import IncompleteHtmlAttributeSanitizationCustomizations::IncompleteHtmlAttributeSanitization
private import IncompleteHtmlAttributeSanitizationCustomizations::IncompleteHtmlAttributeSanitization as IncompleteHtmlAttributeSanitization
private module Label {
deprecated private module Label {
class Quote extends DataFlow::FlowLabel {
Quote() { this = ["\"", "'"] }
}
@@ -26,18 +27,18 @@ private module Label {
* A taint-tracking configuration for reasoning about incomplete HTML sanitization vulnerabilities.
*/
module IncompleteHtmlAttributeSanitizationConfig implements DataFlow::StateConfigSig {
class FlowState = DataFlow::FlowLabel;
class FlowState = IncompleteHtmlAttributeSanitization::FlowState;
predicate isSource(DataFlow::Node source, DataFlow::FlowLabel label) {
label = Label::characterToLabel(source.(Source).getAnUnsanitizedCharacter())
predicate isSource(DataFlow::Node source, FlowState label) {
label = FlowState::character(source.(Source).getAnUnsanitizedCharacter())
}
predicate isSink(DataFlow::Node sink, DataFlow::FlowLabel label) {
label = Label::characterToLabel(sink.(Sink).getADangerousCharacter())
predicate isSink(DataFlow::Node sink, FlowState label) {
label = FlowState::character(sink.(Sink).getADangerousCharacter())
}
predicate isBarrier(DataFlow::Node node, DataFlow::FlowLabel lbl) {
lbl = Label::characterToLabel(node.(StringReplaceCall).getAReplacedString())
predicate isBarrier(DataFlow::Node node, FlowState lbl) {
lbl = FlowState::character(node.(StringReplaceCall).getAReplacedString())
}
predicate isBarrier(DataFlow::Node n) { n instanceof Sanitizer }