JS: Replace DocumentUrl with TaintedUrlSuffix

2026-04-24 08:15:14 +02:00 · 2024-12-04 13:56:56 +01:00
parent e2b2d1c9ab
commit ef833de60e
7 changed files with 44 additions and 32 deletions
--- a/javascript/ql/test/query-tests/Security/CWE-601/ClientSideUrlRedirect/react.js
+++ b/javascript/ql/test/query-tests/Security/CWE-601/ClientSideUrlRedirect/react.js
@@ -1,13 +1,13 @@
 import React from "react";
 import {Helmet} from "react-helmet";
- 
+
 class Application extends React.Component {
  render () {
    return (
        <div className="application">
            <Helmet>
                <title>My unsafe app</title>
-                <script type="application/javascript" src={document.location.hash}/>
+                <script type="application/javascript" src={document.location.hash.substr(1)}/> {/* NOT OK */}
            </Helmet>
        </div>
    );
@@ -18,28 +18,31 @@ export default Application

 import Link from 'next/link'
 export function NextLink() {
-    return <Link href={document.location.hash}><a>this page!</a></Link>;
+    return <>
+      <Link href={document.location.hash}><a>safe</a></Link> {/* OK */}
+      <Link href={document.location.hash.substr(1)}><a>unsafe</a></Link> {/* NOT OK */}
+    </>;
 }

 import { useRouter } from 'next/router'

 export function nextRouter() {
  const router = useRouter();
-  return <span onClick={() => router.push(document.location.hash.substr(1))}>Click to XSS 1</span>
+  return <span onClick={() => router.push(document.location.hash.substr(1))}>Click to XSS 1</span> // NOT OK
 }

 import { withRouter } from 'next/router'

 function Page({ router }) {
-  return <span onClick={() => router.push(document.location.hash.substr(1))}>Click to XSS 2</span>
+  return <span onClick={() => router.push(document.location.hash.substr(1))}>Click to XSS 2</span> // NOT OK
 }

 export const pageWithRouter = withRouter(Page);

 export function plainLink() {
-  return <a href={document.location.hash.substr(1)}>my plain link!</a>;
+  return <a href={document.location.hash.substr(1)}>my plain link!</a>; // NOT OK
 }

 export function someUnknown() {
-  return <FOO data={document.location.hash.substr(1)}>is safe.</FOO>;
-}
+  return <FOO data={document.location.hash.substr(1)}>is safe.</FOO>; // OK
+}
--- a/javascript/ql/test/query-tests/Security/CWE-601/ClientSideUrlRedirect/tst10.js
+++ b/javascript/ql/test/query-tests/Security/CWE-601/ClientSideUrlRedirect/tst10.js
@@ -1,14 +1,14 @@
 // OK - cannot affect hostname
-location.href = '/foo' + document.location.search;
+location.href = '/foo' + document.location.search.substring(1);

 // NOT OK
-location.href = '/' + document.location.search;
+location.href = '/' + document.location.search.substring(1);

 // NOT OK
-location.href = '//' + document.location.search;
+location.href = '//' + document.location.search.substring(1);

 // NOT OK
-location.href = '//foo' + document.location.search;
+location.href = '//foo' + document.location.search.substring(1);

 // NOT OK
-location.href = 'https://foo' + document.location.search;
+location.href = 'https://foo' + document.location.search.substring(1);
--- a/javascript/ql/test/query-tests/Security/CWE-601/ClientSideUrlRedirect/tst12.js
+++ b/javascript/ql/test/query-tests/Security/CWE-601/ClientSideUrlRedirect/tst12.js
@@ -1,5 +1,5 @@
 function foo() {
    var urlParts = window.location.hash.split('?');
    var loc = urlParts[0] + "?" + boxes.value;
-    window.location = loc; // OK [INCONSISTENCY] - always starts with '#'
+    window.location = loc; // OK - always starts with '#'
 }
--- a/javascript/ql/test/query-tests/Security/CWE-601/ClientSideUrlRedirect/tst15.js
+++ b/javascript/ql/test/query-tests/Security/CWE-601/ClientSideUrlRedirect/tst15.js
@@ -1,8 +1,18 @@
 function foo() {
    var url = document.location.toString();
-    window.location = url.substring(0).substring(1); // OK
-    window.location = url.substring(0, 10).substring(1); // OK
-    window.location = url.substring(0, url.indexOf('/', 10)).substring(1); // OK
+    window.location = url.substring(0).substring(1); // OK [INCONSISTENCY] - but not important
+    window.location = url.substring(0, 10).substring(1); // OK [INCONSISTENCY]
+    window.location = url.substring(0, url.indexOf('/', 10)).substring(1); // OK [INCONSISTENCY]
+
+    var url2 = document.location.toString();
+    window.location = url2.substring(0).substring(unknown()); // NOT OK
+    window.location = url2.substring(0, 10).substring(unknown()); // NOT OK
+    window.location = url2.substring(0, url2.indexOf('/', 10)).substring(unknown()); // NOT OK
+
+    var search = document.location.search.toString();
+    window.location = search.substring(0).substring(1); // NOT OK
+    window.location = search.substring(0, 10).substring(1); // NOT OK
+    window.location = search.substring(0, search.indexOf('/', 10)).substring(1); // NOT OK
 }

 function bar() {
--- a/javascript/ql/test/query-tests/Security/CWE-601/ClientSideUrlRedirect/tst7.js
+++ b/javascript/ql/test/query-tests/Security/CWE-601/ClientSideUrlRedirect/tst7.js
@@ -1,5 +1,5 @@
 // NOT OK
-new Worker(document.location.search);
+new Worker(document.location.search.substring(1));

 // NOT OK
-$("<script>").attr("src", document.location.search);
+$("<script>").attr("src", document.location.search.substring(1));