add "hash" and "search" to URL taint step

2026-05-01 03:35:13 +02:00 · 2020-02-05 12:44:10 +01:00
parent 88bb1dc23d
commit da28d3b971
1 changed files with 2 additions and 2 deletions
--- a/javascript/ql/src/semmle/javascript/dataflow/TaintTracking.qll
+++ b/javascript/ql/src/semmle/javascript/dataflow/TaintTracking.qll
@@ -646,14 +646,14 @@ module TaintTracking {
     * Holds if `pred` should be stored in the object `succ` under the property `prop`.
     * 
     * This step is used to model 3 facts: 
-     * 1) A `URL` constructed using `url = new URL(input)` transfers taint from `input` to `url.searchParams`. (See prop = "searchParams")
+     * 1) A `URL` constructed using `url = new URL(input)` transfers taint from `input` to `url.searchParams`, `url.hash`, and `url.search`.
     * 2) Accessing the `searchParams` on a `URL` results in a `URLSearchParams` object (See the loadStoreStep method on this class and hiddenUrlPseudoProperty())
     * 3) A `URLSearchParams` object (either `url.searchParams` or `new URLSearchParams(input)`) has a tainted value, 
     *    which can be accessed using a `get` or `getAll` call. (See getableUrlPseudoProperty())
     */
    override predicate storeStep(DataFlow::Node pred, DataFlow::Node succ, string prop) {
      succ = this and (
-        (prop = "searchParams" or prop = hiddenUrlPseudoProperty()) and
+        (prop = "searchParams" or prop = "hash" or prop = "search" or prop = hiddenUrlPseudoProperty()) and
        exists(DataFlow::NewNode newUrl | succ = newUrl  |
          newUrl = DataFlow::globalVarRef("URL").getAnInstantiation() and
          pred = newUrl.getArgument(0)