hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-27 09:45:15 +02:00
Code Issues Packages Projects Releases Wiki Activity

only flag React elements in ClientSideUrlRedirect if it's a HTML element, or known link class

Browse Source
This commit is contained in:
Erik Krogh Kristensen
2021-02-17 13:59:19 +01:00
parent 36049f05f8
commit ecccb8a409
4 changed files with 29 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
javascript/ql/src/semmle/javascript/JSX.qll
View File

@@ -65,6 +65,12 @@ class JSXElement extends JSXNode {
}
override string getAPrimaryQlClass() { result = "JSXElement" }
/**
* Holds if this JSX element is a HTML element.
* That is, the name starts with a lowercase letter.
*/
predicate isHTMLElement() { getName().regexpMatch("[a-z].*") }
}
/**

5
javascript/ql/src/semmle/javascript/security/dataflow/ClientSideUrlRedirectCustomizations.qll
View File

@@ -173,7 +173,10 @@ module ClientSideUrlRedirect {
class ReactAttributeWriteUrlSink extends ScriptUrlSink {
ReactAttributeWriteUrlSink() {
exists(JSXAttribute attr |
attr.getName() = DOM::getAPropertyNameInterpretedAsJavaScriptUrl()
attr.getName() = DOM::getAPropertyNameInterpretedAsJavaScriptUrl() and
attr.getElement().isHTMLElement()
or
DataFlow::moduleImport("next/link").flowsToExpr(attr.getElement().getNameExpr())
|
this = attr.getValue().flow()
)