only flag React elements in ClientSideUrlRedirect if it's a HTML element, or known link class

2026-04-29 18:55:14 +02:00 · 2021-02-17 13:59:19 +01:00
parent 36049f05f8
commit ecccb8a409
4 changed files with 29 additions and 2 deletions
--- a/javascript/ql/src/semmle/javascript/JSX.qll
+++ b/javascript/ql/src/semmle/javascript/JSX.qll
@@ -65,6 +65,12 @@ class JSXElement extends JSXNode {
  }

  override string getAPrimaryQlClass() { result = "JSXElement" }
+
+  /**
+   * Holds if this JSX element is a HTML element.
+   * That is, the name starts with a lowercase letter.
+   */
+  predicate isHTMLElement() { getName().regexpMatch("[a-z].*") }
 }

 /**
--- a/javascript/ql/src/semmle/javascript/security/dataflow/ClientSideUrlRedirectCustomizations.qll
+++ b/javascript/ql/src/semmle/javascript/security/dataflow/ClientSideUrlRedirectCustomizations.qll
@@ -173,7 +173,10 @@ module ClientSideUrlRedirect {
  class ReactAttributeWriteUrlSink extends ScriptUrlSink {
    ReactAttributeWriteUrlSink() {
      exists(JSXAttribute attr |
-        attr.getName() = DOM::getAPropertyNameInterpretedAsJavaScriptUrl()
+        attr.getName() = DOM::getAPropertyNameInterpretedAsJavaScriptUrl() and
+        attr.getElement().isHTMLElement()
+        or
+        DataFlow::moduleImport("next/link").flowsToExpr(attr.getElement().getNameExpr())
      |
        this = attr.getValue().flow()
      )
--- a/javascript/ql/test/query-tests/Security/CWE-601/ClientSideUrlRedirect/ClientSideUrlRedirect.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-601/ClientSideUrlRedirect/ClientSideUrlRedirect.expected
@@ -21,6 +21,11 @@ nodes
 | react.js:34:43:34:64 | documen ... on.hash |
 | react.js:34:43:34:74 | documen ... bstr(1) |
 | react.js:34:43:34:74 | documen ... bstr(1) |
+| react.js:40:19:40:35 | document.location |
+| react.js:40:19:40:35 | document.location |
+| react.js:40:19:40:40 | documen ... on.hash |
+| react.js:40:19:40:50 | documen ... bstr(1) |
+| react.js:40:19:40:50 | documen ... bstr(1) |
 | sanitizer.js:2:9:2:25 | url |
 | sanitizer.js:2:15:2:25 | window.name |
 | sanitizer.js:2:15:2:25 | window.name |
@@ -223,6 +228,10 @@ edges
 | react.js:34:43:34:59 | document.location | react.js:34:43:34:64 | documen ... on.hash |
 | react.js:34:43:34:64 | documen ... on.hash | react.js:34:43:34:74 | documen ... bstr(1) |
 | react.js:34:43:34:64 | documen ... on.hash | react.js:34:43:34:74 | documen ... bstr(1) |
+| react.js:40:19:40:35 | document.location | react.js:40:19:40:40 | documen ... on.hash |
+| react.js:40:19:40:35 | document.location | react.js:40:19:40:40 | documen ... on.hash |
+| react.js:40:19:40:40 | documen ... on.hash | react.js:40:19:40:50 | documen ... bstr(1) |
+| react.js:40:19:40:40 | documen ... on.hash | react.js:40:19:40:50 | documen ... bstr(1) |
 | sanitizer.js:2:9:2:25 | url | sanitizer.js:4:27:4:29 | url |
 | sanitizer.js:2:9:2:25 | url | sanitizer.js:4:27:4:29 | url |
 | sanitizer.js:2:9:2:25 | url | sanitizer.js:16:27:16:29 | url |
@@ -396,6 +405,7 @@ edges
 | react.js:21:24:21:45 | documen ... on.hash | react.js:21:24:21:40 | document.location | react.js:21:24:21:45 | documen ... on.hash | Untrusted URL redirection due to $@. | react.js:21:24:21:40 | document.location | user-provided value |
 | react.js:28:43:28:74 | documen ... bstr(1) | react.js:28:43:28:59 | document.location | react.js:28:43:28:74 | documen ... bstr(1) | Untrusted URL redirection due to $@. | react.js:28:43:28:59 | document.location | user-provided value |
 | react.js:34:43:34:74 | documen ... bstr(1) | react.js:34:43:34:59 | document.location | react.js:34:43:34:74 | documen ... bstr(1) | Untrusted URL redirection due to $@. | react.js:34:43:34:59 | document.location | user-provided value |
+| react.js:40:19:40:50 | documen ... bstr(1) | react.js:40:19:40:35 | document.location | react.js:40:19:40:50 | documen ... bstr(1) | Untrusted URL redirection due to $@. | react.js:40:19:40:35 | document.location | user-provided value |
 | sanitizer.js:4:27:4:29 | url | sanitizer.js:2:15:2:25 | window.name | sanitizer.js:4:27:4:29 | url | Untrusted URL redirection due to $@. | sanitizer.js:2:15:2:25 | window.name | user-provided value |
 | sanitizer.js:16:27:16:29 | url | sanitizer.js:2:15:2:25 | window.name | sanitizer.js:16:27:16:29 | url | Untrusted URL redirection due to $@. | sanitizer.js:2:15:2:25 | window.name | user-provided value |
 | sanitizer.js:19:27:19:29 | url | sanitizer.js:2:15:2:25 | window.name | sanitizer.js:19:27:19:29 | url | Untrusted URL redirection due to $@. | sanitizer.js:2:15:2:25 | window.name | user-provided value |
--- a/javascript/ql/test/query-tests/Security/CWE-601/ClientSideUrlRedirect/react.js
+++ b/javascript/ql/test/query-tests/Security/CWE-601/ClientSideUrlRedirect/react.js
@@ -34,4 +34,12 @@ function Page({ router }) {
  return <span onClick={() => router.push(document.location.hash.substr(1))}>Click to XSS 2</span>
 }

-export const pageWithRouter = withRouter(Page);
+export const pageWithRouter = withRouter(Page);
+
+export function plainLink() {
+  return <a href={document.location.hash.substr(1)}>my plain link!</a>;
+}
+
+export function someUnknown() {
+  return <FOO data={document.location.hash.substr(1)}>is safe.</FOO>;
+}