hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-20 10:46:30 +01:00
Code Issues Packages Projects Releases Wiki Activity

JS: Restrict domValueRef to known DOM property names

Browse Source
This commit is contained in:
Asger Feldthaus
2020-06-10 15:10:10 +01:00
parent bb2b7fb6fb
commit f23c6030aa
2 changed files with 15 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

16
javascript/ql/src/semmle/javascript/DOM.qll
View File

@@ -291,11 +291,25 @@ module DOM {
*/ */
abstract class Range extends DataFlow::Node { } abstract class Range extends DataFlow::Node { }
private string getADomPropertyName() {
exists(ExternalInstanceMemberDecl decl |
result = decl.getName() and
isDomRootType(decl.getDeclaringType().getASupertype*())
)
}
private class DefaultRange extends Range { private class DefaultRange extends Range {
DefaultRange() { DefaultRange() {
this.asExpr().(VarAccess).getVariable() instanceof DOMGlobalVariable this.asExpr().(VarAccess).getVariable() instanceof DOMGlobalVariable
or or
this = domValueRef().getAPropertyRead() exists(DataFlow::PropRead read |
this = read and
read = domValueRef().getAPropertyRead()
|
not read.mayHavePropertyName(_)
or
read.mayHavePropertyName(getADomPropertyName())
)
or or
this = domElementCreationOrQuery() this = domElementCreationOrQuery()
or or

4
javascript/ql/test/library-tests/DOM/Customizations.expected
View File

@@ -4,9 +4,5 @@ test_locationRef
| customization.js:3:3:3:14 | doc.location | | customization.js:3:3:3:14 | doc.location |
test_domValueRef test_domValueRef
| customization.js:4:3:4:28 | doc.get ... 'test') | | customization.js:4:3:4:28 | doc.get ... 'test') |
| tst.js:45:8:45:7 | this |
| tst.js:46:7:46:12 | this.x |
| tst.js:49:3:49:8 | window | | tst.js:49:3:49:8 | window |
| tst.js:50:3:50:8 | window | | tst.js:50:3:50:8 | window |
| tst.js:50:3:50:14 | window.myApp |
| tst.js:50:3:50:18 | window.myApp.foo |