hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-30 11:15:13 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #8710 from bananabr/dragAndDrop

Browse Source 
JS: drag and drop API Xss sources
This commit is contained in:
Erik Krogh Kristensen
2022-05-09 12:22:28 +02:00
committed by GitHub
parent 611a412f2a b5193d99d7
commit fe1e47bc17
8 changed files with 497 additions and 65 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
javascript/ql/lib/change-notes/2022-04-11-drag-and-drop-data.md Normal file
View File

@@ -0,0 +1,5 @@
---
category: minorAnalysis
---
* The security queries now recognize drag and drop data as a source, enabling the queries to flag additional alerts.
* The security queries now recognize ClipboardEvent function parameters as a source, enabling the queries to flag additional alerts.

2
javascript/ql/lib/javascript.qll
View File

@@ -79,7 +79,6 @@ import semmle.javascript.frameworks.ComposedFunctions
import semmle.javascript.frameworks.Classnames
import semmle.javascript.frameworks.ClassValidator
import semmle.javascript.frameworks.ClientRequests
import semmle.javascript.frameworks.Clipboard
import semmle.javascript.frameworks.ClosureLibrary
import semmle.javascript.frameworks.CookieLibraries
import semmle.javascript.frameworks.Credentials
@@ -88,6 +87,7 @@ import semmle.javascript.frameworks.D3
import semmle.javascript.frameworks.data.ModelsAsData
import semmle.javascript.frameworks.DateFunctions
import semmle.javascript.frameworks.DigitalOcean
import semmle.javascript.frameworks.DomEvents
import semmle.javascript.frameworks.Electron
import semmle.javascript.frameworks.EventEmitter
import semmle.javascript.frameworks.Files

63
javascript/ql/lib/semmle/javascript/frameworks/Clipboard.qll
View File

@@ -1,63 +0,0 @@
/**
* Provides predicates for reasoning about clipboard data.
*/
import javascript
/**
* Gets a jQuery "paste" event.
* E.g. `e` in `$("#foo").on("paste", function(e) { ... })`.
*/
private DataFlow::SourceNode jQueryPasteEvent(DataFlow::TypeTracker t) {
t.start() and
exists(DataFlow::CallNode call |
call = JQuery::objectRef().getAMethodCall(["bind", "on", "live", "one", "delegate"]) and
call.getArgument(0).mayHaveStringValue("paste")
|
result = call.getCallback(call.getNumArgument() - 1).getParameter(0)
)
or
exists(DataFlow::TypeTracker t2 | result = jQueryPasteEvent(t2).track(t2, t))
}
/**
* Gets a DOM "paste" event.
* E.g. `e` in `document.addEventListener("paste", e => { ... })`.
*/
private DataFlow::SourceNode pasteEvent(DataFlow::TypeTracker t) {
t.start() and
exists(DataFlow::CallNode call | call = DOM::domValueRef().getAMemberCall("addEventListener") |
call.getArgument(0).mayHaveStringValue("paste") and
result = call.getCallback(1).getParameter(0)
)
or
t.start() and
result = jQueryPasteEvent(DataFlow::TypeTracker::end()).getAPropertyRead("originalEvent")
or
exists(DataFlow::TypeTracker t2 | result = pasteEvent(t2).track(t2, t))
}
/**
* Gets a reference to the clipboardData DataTransfer object.
* https://developer.mozilla.org/en-US/docs/Web/API/ClipboardEvent/clipboardData
*/
private DataFlow::SourceNode clipboardDataTransferSource(DataFlow::TypeTracker t) {
t.start() and
exists(DataFlow::PropRead read | read = result |
read.getPropertyName() = "clipboardData" and
read.getBase().getALocalSource() = pasteEvent(DataFlow::TypeTracker::end())
)
or
exists(DataFlow::TypeTracker t2 | result = clipboardDataTransferSource(t2).track(t2, t))
}
/**
* A reference to data from the clipboard. Seen as a source for DOM-based XSS.
*/
private class ClipboardSource extends RemoteFlowSource {
ClipboardSource() {
this = clipboardDataTransferSource(DataFlow::TypeTracker::end()).getAMethodCall("getData")
}
override string getSourceType() { result = "Clipboard data" }
}

103
javascript/ql/lib/semmle/javascript/frameworks/DomEvents.qll Normal file
View File

@@ -0,0 +1,103 @@
/**
* Provides predicates for reasoning about events from the DOM that introduce tainted data.
*/
import javascript
/** Gets the name of a DOM event that might introduce tainted data. */
private string getATaintedDomEvent() { result = ["paste", "drop", "beforeinput"] }
/**
* Gets a jQuery event that might introduce tainted data.
* E.g. `e` in `$("#foo").on("paste", function(e) { ... })`.
*/
private DataFlow::SourceNode taintedJQueryEvent(DataFlow::TypeTracker t, string event) {
t.start() and
exists(DataFlow::CallNode call |
call = JQuery::objectRef().getAMethodCall(["bind", "on", "live", "one", "delegate"]) and
call.getArgument(0).mayHaveStringValue(event) and
event = getATaintedDomEvent()
|
result = call.getCallback(call.getNumArgument() - 1).getParameter(0)
)
or
exists(DataFlow::TypeTracker t2 | result = taintedJQueryEvent(t2, event).track(t2, t))
}
/**
* Gets a DOM event that might introduce tainted data.
* E.g. `e` in `document.addEventListener("paste", e => { ... })`.
*/
private DataFlow::SourceNode taintedEvent(DataFlow::TypeTracker t, string event) {
t.start() and
exists(DataFlow::CallNode call | call = DOM::domValueRef().getAMemberCall("addEventListener") |
call.getArgument(0).mayHaveStringValue(event) and
event = getATaintedDomEvent() and
result = call.getCallback(1).getParameter(0)
)
or
t.start() and
exists(DataFlow::ParameterNode pn | result = pn |
// https://developer.mozilla.org/en-US/docs/Web/API/ClipboardEvent
pn.hasUnderlyingType("ClipboardEvent") and
event = "paste"
or
// https://developer.mozilla.org/en-US/docs/Web/API/DragEvent
pn.hasUnderlyingType("DragEvent") and
event = "drop"
or
// https://developer.mozilla.org/en-US/docs/Web/API/InputEvent
pn.hasUnderlyingType("InputEvent") and
event = "beforeinput"
)
or
t.start() and
exists(DataFlow::PropWrite pw | pw = DOM::domValueRef().getAPropertyWrite("on" + event) |
event = ["paste", "drop"] and // doesn't work for beforeinput, it's just not part of the API
result = pw.getRhs().getABoundFunctionValue(0).getParameter(0)
)
or
t.start() and
result = taintedJQueryEvent(DataFlow::TypeTracker::end(), event).getAPropertyRead("originalEvent")
or
exists(DataFlow::TypeTracker t2 | result = taintedEvent(t2, event).track(t2, t))
}
/**
* Gets a reference to a DataTransfer object.
* https://developer.mozilla.org/en-US/docs/Web/API/ClipboardEvent/clipboardData
*/
private DataFlow::SourceNode taintedDataTransfer(DataFlow::TypeTracker t, string event) {
t.start() and
result = taintedEvent(DataFlow::TypeTracker::end(), event).getAPropertyRead("clipboardData") and
event = "paste"
or
t.start() and
result = taintedEvent(DataFlow::TypeTracker::end(), event).getAPropertyRead("dataTransfer") and
event = ["drop", "beforeinput"]
or
exists(DataFlow::TypeTracker t2 | result = taintedDataTransfer(t2, event).track(t2, t))
}
/**
* A reference to data from a DataTransfer object, which might originate from e.g. the clipboard.
* Seen as a source for DOM-based XSS.
*/
private class TaintedDataTransfer extends RemoteFlowSource {
string event;
TaintedDataTransfer() {
this = taintedDataTransfer(DataFlow::TypeTracker::end(), event).getAMethodCall("getData")
}
override string getSourceType() {
event = "paste" and
result = "Clipboard data"
or
event = "drop" and
result = "Drag&Drop data"
or
event = "beforeinput" and
result = "Input data"
}
}

120
javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/Xss.expected
View File

@@ -136,6 +136,30 @@ nodes
| clipboard.ts:33:19:33:68 | e.origi ... /html') |
| clipboard.ts:33:19:33:68 | e.origi ... /html') |
| clipboard.ts:33:19:33:68 | e.origi ... /html') |
| clipboard.ts:43:15:43:55 | html |
| clipboard.ts:43:15:43:55 | html |
| clipboard.ts:43:22:43:55 | clipboa ... /html') |
| clipboard.ts:43:22:43:55 | clipboa ... /html') |
| clipboard.ts:43:22:43:55 | clipboa ... /html') |
| clipboard.ts:50:29:50:32 | html |
| clipboard.ts:50:29:50:32 | html |
| clipboard.ts:50:29:50:32 | html |
| clipboard.ts:71:13:71:62 | droppedHtml |
| clipboard.ts:71:13:71:62 | droppedHtml |
| clipboard.ts:71:27:71:62 | e.clipb ... /html') |
| clipboard.ts:71:27:71:62 | e.clipb ... /html') |
| clipboard.ts:71:27:71:62 | e.clipb ... /html') |
| clipboard.ts:73:29:73:39 | droppedHtml |
| clipboard.ts:73:29:73:39 | droppedHtml |
| clipboard.ts:73:29:73:39 | droppedHtml |
| clipboard.ts:98:15:98:54 | html |
| clipboard.ts:98:15:98:54 | html |
| clipboard.ts:98:22:98:54 | dataTra ... /html') |
| clipboard.ts:98:22:98:54 | dataTra ... /html') |
| clipboard.ts:98:22:98:54 | dataTra ... /html') |
| clipboard.ts:99:23:99:26 | html |
| clipboard.ts:99:23:99:26 | html |
| clipboard.ts:99:23:99:26 | html |
| custom-element.js:5:26:5:36 | window.name |
| custom-element.js:5:26:5:36 | window.name |
| custom-element.js:5:26:5:36 | window.name |
@@ -299,6 +323,42 @@ nodes
| dates.js:61:42:61:86 | dayjs.s ... (taint) |
| dates.js:61:81:61:85 | taint |
| dates.js:61:81:61:85 | taint |
| dragAndDrop.ts:8:11:8:50 | html |
| dragAndDrop.ts:8:11:8:50 | html |
| dragAndDrop.ts:8:18:8:50 | dataTra ... /html') |
| dragAndDrop.ts:8:18:8:50 | dataTra ... /html') |
| dragAndDrop.ts:8:18:8:50 | dataTra ... /html') |
| dragAndDrop.ts:15:25:15:28 | html |
| dragAndDrop.ts:15:25:15:28 | html |
| dragAndDrop.ts:15:25:15:28 | html |
| dragAndDrop.ts:24:23:24:57 | e.dataT ... /html') |
| dragAndDrop.ts:24:23:24:57 | e.dataT ... /html') |
| dragAndDrop.ts:24:23:24:57 | e.dataT ... /html') |
| dragAndDrop.ts:24:23:24:57 | e.dataT ... /html') |
| dragAndDrop.ts:29:19:29:53 | e.dataT ... /html') |
| dragAndDrop.ts:29:19:29:53 | e.dataT ... /html') |
| dragAndDrop.ts:29:19:29:53 | e.dataT ... /html') |
| dragAndDrop.ts:29:19:29:53 | e.dataT ... /html') |
| dragAndDrop.ts:33:19:33:67 | e.origi ... /html') |
| dragAndDrop.ts:33:19:33:67 | e.origi ... /html') |
| dragAndDrop.ts:33:19:33:67 | e.origi ... /html') |
| dragAndDrop.ts:33:19:33:67 | e.origi ... /html') |
| dragAndDrop.ts:43:15:43:54 | html |
| dragAndDrop.ts:43:15:43:54 | html |
| dragAndDrop.ts:43:22:43:54 | dataTra ... /html') |
| dragAndDrop.ts:43:22:43:54 | dataTra ... /html') |
| dragAndDrop.ts:43:22:43:54 | dataTra ... /html') |
| dragAndDrop.ts:50:29:50:32 | html |
| dragAndDrop.ts:50:29:50:32 | html |
| dragAndDrop.ts:50:29:50:32 | html |
| dragAndDrop.ts:71:13:71:61 | droppedHtml |
| dragAndDrop.ts:71:13:71:61 | droppedHtml |
| dragAndDrop.ts:71:27:71:61 | e.dataT ... /html') |
| dragAndDrop.ts:71:27:71:61 | e.dataT ... /html') |
| dragAndDrop.ts:71:27:71:61 | e.dataT ... /html') |
| dragAndDrop.ts:73:29:73:39 | droppedHtml |
| dragAndDrop.ts:73:29:73:39 | droppedHtml |
| dragAndDrop.ts:73:29:73:39 | droppedHtml |
| event-handler-receiver.js:2:31:2:83 | '<h2><a ... ></h2>' |
| event-handler-receiver.js:2:31:2:83 | '<h2><a ... ></h2>' |
| event-handler-receiver.js:2:31:2:83 | '<h2><a ... ></h2>' |
@@ -1134,6 +1194,30 @@ edges
| clipboard.ts:24:23:24:58 | e.clipb ... /html') | clipboard.ts:24:23:24:58 | e.clipb ... /html') |
| clipboard.ts:29:19:29:54 | e.clipb ... /html') | clipboard.ts:29:19:29:54 | e.clipb ... /html') |
| clipboard.ts:33:19:33:68 | e.origi ... /html') | clipboard.ts:33:19:33:68 | e.origi ... /html') |
| clipboard.ts:43:15:43:55 | html | clipboard.ts:50:29:50:32 | html |
| clipboard.ts:43:15:43:55 | html | clipboard.ts:50:29:50:32 | html |
| clipboard.ts:43:15:43:55 | html | clipboard.ts:50:29:50:32 | html |
| clipboard.ts:43:15:43:55 | html | clipboard.ts:50:29:50:32 | html |
| clipboard.ts:43:22:43:55 | clipboa ... /html') | clipboard.ts:43:15:43:55 | html |
| clipboard.ts:43:22:43:55 | clipboa ... /html') | clipboard.ts:43:15:43:55 | html |
| clipboard.ts:43:22:43:55 | clipboa ... /html') | clipboard.ts:43:15:43:55 | html |
| clipboard.ts:43:22:43:55 | clipboa ... /html') | clipboard.ts:43:15:43:55 | html |
| clipboard.ts:71:13:71:62 | droppedHtml | clipboard.ts:73:29:73:39 | droppedHtml |
| clipboard.ts:71:13:71:62 | droppedHtml | clipboard.ts:73:29:73:39 | droppedHtml |
| clipboard.ts:71:13:71:62 | droppedHtml | clipboard.ts:73:29:73:39 | droppedHtml |
| clipboard.ts:71:13:71:62 | droppedHtml | clipboard.ts:73:29:73:39 | droppedHtml |
| clipboard.ts:71:27:71:62 | e.clipb ... /html') | clipboard.ts:71:13:71:62 | droppedHtml |
| clipboard.ts:71:27:71:62 | e.clipb ... /html') | clipboard.ts:71:13:71:62 | droppedHtml |
| clipboard.ts:71:27:71:62 | e.clipb ... /html') | clipboard.ts:71:13:71:62 | droppedHtml |
| clipboard.ts:71:27:71:62 | e.clipb ... /html') | clipboard.ts:71:13:71:62 | droppedHtml |
| clipboard.ts:98:15:98:54 | html | clipboard.ts:99:23:99:26 | html |
| clipboard.ts:98:15:98:54 | html | clipboard.ts:99:23:99:26 | html |
| clipboard.ts:98:15:98:54 | html | clipboard.ts:99:23:99:26 | html |
| clipboard.ts:98:15:98:54 | html | clipboard.ts:99:23:99:26 | html |
| clipboard.ts:98:22:98:54 | dataTra ... /html') | clipboard.ts:98:15:98:54 | html |
| clipboard.ts:98:22:98:54 | dataTra ... /html') | clipboard.ts:98:15:98:54 | html |
| clipboard.ts:98:22:98:54 | dataTra ... /html') | clipboard.ts:98:15:98:54 | html |
| clipboard.ts:98:22:98:54 | dataTra ... /html') | clipboard.ts:98:15:98:54 | html |
| custom-element.js:5:26:5:36 | window.name | custom-element.js:5:26:5:36 | window.name |
| d3.js:4:12:4:22 | window.name | d3.js:11:15:11:24 | getTaint() |
| d3.js:4:12:4:22 | window.name | d3.js:11:15:11:24 | getTaint() |
@@ -1323,6 +1407,33 @@ edges
| dates.js:61:42:61:86 | dayjs.s ... (taint) | dates.js:61:31:61:88 | `Time i ... aint)}` |
| dates.js:61:81:61:85 | taint | dates.js:61:42:61:86 | dayjs.s ... (taint) |
| dates.js:61:81:61:85 | taint | dates.js:61:42:61:86 | dayjs.s ... (taint) |
| dragAndDrop.ts:8:11:8:50 | html | dragAndDrop.ts:15:25:15:28 | html |
| dragAndDrop.ts:8:11:8:50 | html | dragAndDrop.ts:15:25:15:28 | html |
| dragAndDrop.ts:8:11:8:50 | html | dragAndDrop.ts:15:25:15:28 | html |
| dragAndDrop.ts:8:11:8:50 | html | dragAndDrop.ts:15:25:15:28 | html |
| dragAndDrop.ts:8:18:8:50 | dataTra ... /html') | dragAndDrop.ts:8:11:8:50 | html |
| dragAndDrop.ts:8:18:8:50 | dataTra ... /html') | dragAndDrop.ts:8:11:8:50 | html |
| dragAndDrop.ts:8:18:8:50 | dataTra ... /html') | dragAndDrop.ts:8:11:8:50 | html |
| dragAndDrop.ts:8:18:8:50 | dataTra ... /html') | dragAndDrop.ts:8:11:8:50 | html |
| dragAndDrop.ts:24:23:24:57 | e.dataT ... /html') | dragAndDrop.ts:24:23:24:57 | e.dataT ... /html') |
| dragAndDrop.ts:29:19:29:53 | e.dataT ... /html') | dragAndDrop.ts:29:19:29:53 | e.dataT ... /html') |
| dragAndDrop.ts:33:19:33:67 | e.origi ... /html') | dragAndDrop.ts:33:19:33:67 | e.origi ... /html') |
| dragAndDrop.ts:43:15:43:54 | html | dragAndDrop.ts:50:29:50:32 | html |
| dragAndDrop.ts:43:15:43:54 | html | dragAndDrop.ts:50:29:50:32 | html |
| dragAndDrop.ts:43:15:43:54 | html | dragAndDrop.ts:50:29:50:32 | html |
| dragAndDrop.ts:43:15:43:54 | html | dragAndDrop.ts:50:29:50:32 | html |
| dragAndDrop.ts:43:22:43:54 | dataTra ... /html') | dragAndDrop.ts:43:15:43:54 | html |
| dragAndDrop.ts:43:22:43:54 | dataTra ... /html') | dragAndDrop.ts:43:15:43:54 | html |
| dragAndDrop.ts:43:22:43:54 | dataTra ... /html') | dragAndDrop.ts:43:15:43:54 | html |
| dragAndDrop.ts:43:22:43:54 | dataTra ... /html') | dragAndDrop.ts:43:15:43:54 | html |
| dragAndDrop.ts:71:13:71:61 | droppedHtml | dragAndDrop.ts:73:29:73:39 | droppedHtml |
| dragAndDrop.ts:71:13:71:61 | droppedHtml | dragAndDrop.ts:73:29:73:39 | droppedHtml |
| dragAndDrop.ts:71:13:71:61 | droppedHtml | dragAndDrop.ts:73:29:73:39 | droppedHtml |
| dragAndDrop.ts:71:13:71:61 | droppedHtml | dragAndDrop.ts:73:29:73:39 | droppedHtml |
| dragAndDrop.ts:71:27:71:61 | e.dataT ... /html') | dragAndDrop.ts:71:13:71:61 | droppedHtml |
| dragAndDrop.ts:71:27:71:61 | e.dataT ... /html') | dragAndDrop.ts:71:13:71:61 | droppedHtml |
| dragAndDrop.ts:71:27:71:61 | e.dataT ... /html') | dragAndDrop.ts:71:13:71:61 | droppedHtml |
| dragAndDrop.ts:71:27:71:61 | e.dataT ... /html') | dragAndDrop.ts:71:13:71:61 | droppedHtml |
| event-handler-receiver.js:2:49:2:61 | location.href | event-handler-receiver.js:2:31:2:83 | '<h2><a ... ></h2>' |
| event-handler-receiver.js:2:49:2:61 | location.href | event-handler-receiver.js:2:31:2:83 | '<h2><a ... ></h2>' |
| event-handler-receiver.js:2:49:2:61 | location.href | event-handler-receiver.js:2:31:2:83 | '<h2><a ... ></h2>' |
@@ -2067,6 +2178,9 @@ edges
| clipboard.ts:24:23:24:58 | e.clipb ... /html') | clipboard.ts:24:23:24:58 | e.clipb ... /html') | clipboard.ts:24:23:24:58 | e.clipb ... /html') | Cross-site scripting vulnerability due to $@. | clipboard.ts:24:23:24:58 | e.clipb ... /html') | user-provided value |
| clipboard.ts:29:19:29:54 | e.clipb ... /html') | clipboard.ts:29:19:29:54 | e.clipb ... /html') | clipboard.ts:29:19:29:54 | e.clipb ... /html') | Cross-site scripting vulnerability due to $@. | clipboard.ts:29:19:29:54 | e.clipb ... /html') | user-provided value |
| clipboard.ts:33:19:33:68 | e.origi ... /html') | clipboard.ts:33:19:33:68 | e.origi ... /html') | clipboard.ts:33:19:33:68 | e.origi ... /html') | Cross-site scripting vulnerability due to $@. | clipboard.ts:33:19:33:68 | e.origi ... /html') | user-provided value |
| clipboard.ts:50:29:50:32 | html | clipboard.ts:43:22:43:55 | clipboa ... /html') | clipboard.ts:50:29:50:32 | html | Cross-site scripting vulnerability due to $@. | clipboard.ts:43:22:43:55 | clipboa ... /html') | user-provided value |
| clipboard.ts:73:29:73:39 | droppedHtml | clipboard.ts:71:27:71:62 | e.clipb ... /html') | clipboard.ts:73:29:73:39 | droppedHtml | Cross-site scripting vulnerability due to $@. | clipboard.ts:71:27:71:62 | e.clipb ... /html') | user-provided value |
| clipboard.ts:99:23:99:26 | html | clipboard.ts:98:22:98:54 | dataTra ... /html') | clipboard.ts:99:23:99:26 | html | Cross-site scripting vulnerability due to $@. | clipboard.ts:98:22:98:54 | dataTra ... /html') | user-provided value |
| custom-element.js:5:26:5:36 | window.name | custom-element.js:5:26:5:36 | window.name | custom-element.js:5:26:5:36 | window.name | Cross-site scripting vulnerability due to $@. | custom-element.js:5:26:5:36 | window.name | user-provided value |
| d3.js:11:15:11:24 | getTaint() | d3.js:4:12:4:22 | window.name | d3.js:11:15:11:24 | getTaint() | Cross-site scripting vulnerability due to $@. | d3.js:4:12:4:22 | window.name | user-provided value |
| d3.js:12:20:12:29 | getTaint() | d3.js:4:12:4:22 | window.name | d3.js:12:20:12:29 | getTaint() | Cross-site scripting vulnerability due to $@. | d3.js:4:12:4:22 | window.name | user-provided value |
@@ -2088,6 +2202,12 @@ edges
| dates.js:57:31:57:101 | `Time i ... aint)}` | dates.js:54:36:54:55 | window.location.hash | dates.js:57:31:57:101 | `Time i ... aint)}` | Cross-site scripting vulnerability due to $@. | dates.js:54:36:54:55 | window.location.hash | user-provided value |
| dates.js:59:31:59:87 | `Time i ... aint)}` | dates.js:54:36:54:55 | window.location.hash | dates.js:59:31:59:87 | `Time i ... aint)}` | Cross-site scripting vulnerability due to $@. | dates.js:54:36:54:55 | window.location.hash | user-provided value |
| dates.js:61:31:61:88 | `Time i ... aint)}` | dates.js:54:36:54:55 | window.location.hash | dates.js:61:31:61:88 | `Time i ... aint)}` | Cross-site scripting vulnerability due to $@. | dates.js:54:36:54:55 | window.location.hash | user-provided value |
| dragAndDrop.ts:15:25:15:28 | html | dragAndDrop.ts:8:18:8:50 | dataTra ... /html') | dragAndDrop.ts:15:25:15:28 | html | Cross-site scripting vulnerability due to $@. | dragAndDrop.ts:8:18:8:50 | dataTra ... /html') | user-provided value |
| dragAndDrop.ts:24:23:24:57 | e.dataT ... /html') | dragAndDrop.ts:24:23:24:57 | e.dataT ... /html') | dragAndDrop.ts:24:23:24:57 | e.dataT ... /html') | Cross-site scripting vulnerability due to $@. | dragAndDrop.ts:24:23:24:57 | e.dataT ... /html') | user-provided value |
| dragAndDrop.ts:29:19:29:53 | e.dataT ... /html') | dragAndDrop.ts:29:19:29:53 | e.dataT ... /html') | dragAndDrop.ts:29:19:29:53 | e.dataT ... /html') | Cross-site scripting vulnerability due to $@. | dragAndDrop.ts:29:19:29:53 | e.dataT ... /html') | user-provided value |
| dragAndDrop.ts:33:19:33:67 | e.origi ... /html') | dragAndDrop.ts:33:19:33:67 | e.origi ... /html') | dragAndDrop.ts:33:19:33:67 | e.origi ... /html') | Cross-site scripting vulnerability due to $@. | dragAndDrop.ts:33:19:33:67 | e.origi ... /html') | user-provided value |
| dragAndDrop.ts:50:29:50:32 | html | dragAndDrop.ts:43:22:43:54 | dataTra ... /html') | dragAndDrop.ts:50:29:50:32 | html | Cross-site scripting vulnerability due to $@. | dragAndDrop.ts:43:22:43:54 | dataTra ... /html') | user-provided value |
| dragAndDrop.ts:73:29:73:39 | droppedHtml | dragAndDrop.ts:71:27:71:61 | e.dataT ... /html') | dragAndDrop.ts:73:29:73:39 | droppedHtml | Cross-site scripting vulnerability due to $@. | dragAndDrop.ts:71:27:71:61 | e.dataT ... /html') | user-provided value |
| event-handler-receiver.js:2:31:2:83 | '<h2><a ... ></h2>' | event-handler-receiver.js:2:49:2:61 | location.href | event-handler-receiver.js:2:31:2:83 | '<h2><a ... ></h2>' | Cross-site scripting vulnerability due to $@. | event-handler-receiver.js:2:49:2:61 | location.href | user-provided value |
| express.js:7:15:7:33 | req.param("wobble") | express.js:7:15:7:33 | req.param("wobble") | express.js:7:15:7:33 | req.param("wobble") | Cross-site scripting vulnerability due to $@. | express.js:7:15:7:33 | req.param("wobble") | user-provided value |
| jquery.js:7:5:7:34 | "<div i ... + "\\">" | jquery.js:2:17:2:40 | documen ... .search | jquery.js:7:5:7:34 | "<div i ... + "\\">" | Cross-site scripting vulnerability due to $@. | jquery.js:2:17:2:40 | documen ... .search | user-provided value |

111
javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/XssWithAdditionalSources.expected
View File

@@ -136,6 +136,30 @@ nodes
| clipboard.ts:33:19:33:68 | e.origi ... /html') |
| clipboard.ts:33:19:33:68 | e.origi ... /html') |
| clipboard.ts:33:19:33:68 | e.origi ... /html') |
| clipboard.ts:43:15:43:55 | html |
| clipboard.ts:43:15:43:55 | html |
| clipboard.ts:43:22:43:55 | clipboa ... /html') |
| clipboard.ts:43:22:43:55 | clipboa ... /html') |
| clipboard.ts:43:22:43:55 | clipboa ... /html') |
| clipboard.ts:50:29:50:32 | html |
| clipboard.ts:50:29:50:32 | html |
| clipboard.ts:50:29:50:32 | html |
| clipboard.ts:71:13:71:62 | droppedHtml |
| clipboard.ts:71:13:71:62 | droppedHtml |
| clipboard.ts:71:27:71:62 | e.clipb ... /html') |
| clipboard.ts:71:27:71:62 | e.clipb ... /html') |
| clipboard.ts:71:27:71:62 | e.clipb ... /html') |
| clipboard.ts:73:29:73:39 | droppedHtml |
| clipboard.ts:73:29:73:39 | droppedHtml |
| clipboard.ts:73:29:73:39 | droppedHtml |
| clipboard.ts:98:15:98:54 | html |
| clipboard.ts:98:15:98:54 | html |
| clipboard.ts:98:22:98:54 | dataTra ... /html') |
| clipboard.ts:98:22:98:54 | dataTra ... /html') |
| clipboard.ts:98:22:98:54 | dataTra ... /html') |
| clipboard.ts:99:23:99:26 | html |
| clipboard.ts:99:23:99:26 | html |
| clipboard.ts:99:23:99:26 | html |
| custom-element.js:5:26:5:36 | window.name |
| custom-element.js:5:26:5:36 | window.name |
| custom-element.js:5:26:5:36 | window.name |
@@ -299,6 +323,42 @@ nodes
| dates.js:61:42:61:86 | dayjs.s ... (taint) |
| dates.js:61:81:61:85 | taint |
| dates.js:61:81:61:85 | taint |
| dragAndDrop.ts:8:11:8:50 | html |
| dragAndDrop.ts:8:11:8:50 | html |
| dragAndDrop.ts:8:18:8:50 | dataTra ... /html') |
| dragAndDrop.ts:8:18:8:50 | dataTra ... /html') |
| dragAndDrop.ts:8:18:8:50 | dataTra ... /html') |
| dragAndDrop.ts:15:25:15:28 | html |
| dragAndDrop.ts:15:25:15:28 | html |
| dragAndDrop.ts:15:25:15:28 | html |
| dragAndDrop.ts:24:23:24:57 | e.dataT ... /html') |
| dragAndDrop.ts:24:23:24:57 | e.dataT ... /html') |
| dragAndDrop.ts:24:23:24:57 | e.dataT ... /html') |
| dragAndDrop.ts:24:23:24:57 | e.dataT ... /html') |
| dragAndDrop.ts:29:19:29:53 | e.dataT ... /html') |
| dragAndDrop.ts:29:19:29:53 | e.dataT ... /html') |
| dragAndDrop.ts:29:19:29:53 | e.dataT ... /html') |
| dragAndDrop.ts:29:19:29:53 | e.dataT ... /html') |
| dragAndDrop.ts:33:19:33:67 | e.origi ... /html') |
| dragAndDrop.ts:33:19:33:67 | e.origi ... /html') |
| dragAndDrop.ts:33:19:33:67 | e.origi ... /html') |
| dragAndDrop.ts:33:19:33:67 | e.origi ... /html') |
| dragAndDrop.ts:43:15:43:54 | html |
| dragAndDrop.ts:43:15:43:54 | html |
| dragAndDrop.ts:43:22:43:54 | dataTra ... /html') |
| dragAndDrop.ts:43:22:43:54 | dataTra ... /html') |
| dragAndDrop.ts:43:22:43:54 | dataTra ... /html') |
| dragAndDrop.ts:50:29:50:32 | html |
| dragAndDrop.ts:50:29:50:32 | html |
| dragAndDrop.ts:50:29:50:32 | html |
| dragAndDrop.ts:71:13:71:61 | droppedHtml |
| dragAndDrop.ts:71:13:71:61 | droppedHtml |
| dragAndDrop.ts:71:27:71:61 | e.dataT ... /html') |
| dragAndDrop.ts:71:27:71:61 | e.dataT ... /html') |
| dragAndDrop.ts:71:27:71:61 | e.dataT ... /html') |
| dragAndDrop.ts:73:29:73:39 | droppedHtml |
| dragAndDrop.ts:73:29:73:39 | droppedHtml |
| dragAndDrop.ts:73:29:73:39 | droppedHtml |
| event-handler-receiver.js:2:31:2:83 | '<h2><a ... ></h2>' |
| event-handler-receiver.js:2:31:2:83 | '<h2><a ... ></h2>' |
| event-handler-receiver.js:2:31:2:83 | '<h2><a ... ></h2>' |
@@ -1184,6 +1244,30 @@ edges
| clipboard.ts:24:23:24:58 | e.clipb ... /html') | clipboard.ts:24:23:24:58 | e.clipb ... /html') |
| clipboard.ts:29:19:29:54 | e.clipb ... /html') | clipboard.ts:29:19:29:54 | e.clipb ... /html') |
| clipboard.ts:33:19:33:68 | e.origi ... /html') | clipboard.ts:33:19:33:68 | e.origi ... /html') |
| clipboard.ts:43:15:43:55 | html | clipboard.ts:50:29:50:32 | html |
| clipboard.ts:43:15:43:55 | html | clipboard.ts:50:29:50:32 | html |
| clipboard.ts:43:15:43:55 | html | clipboard.ts:50:29:50:32 | html |
| clipboard.ts:43:15:43:55 | html | clipboard.ts:50:29:50:32 | html |
| clipboard.ts:43:22:43:55 | clipboa ... /html') | clipboard.ts:43:15:43:55 | html |
| clipboard.ts:43:22:43:55 | clipboa ... /html') | clipboard.ts:43:15:43:55 | html |
| clipboard.ts:43:22:43:55 | clipboa ... /html') | clipboard.ts:43:15:43:55 | html |
| clipboard.ts:43:22:43:55 | clipboa ... /html') | clipboard.ts:43:15:43:55 | html |
| clipboard.ts:71:13:71:62 | droppedHtml | clipboard.ts:73:29:73:39 | droppedHtml |
| clipboard.ts:71:13:71:62 | droppedHtml | clipboard.ts:73:29:73:39 | droppedHtml |
| clipboard.ts:71:13:71:62 | droppedHtml | clipboard.ts:73:29:73:39 | droppedHtml |
| clipboard.ts:71:13:71:62 | droppedHtml | clipboard.ts:73:29:73:39 | droppedHtml |
| clipboard.ts:71:27:71:62 | e.clipb ... /html') | clipboard.ts:71:13:71:62 | droppedHtml |
| clipboard.ts:71:27:71:62 | e.clipb ... /html') | clipboard.ts:71:13:71:62 | droppedHtml |
| clipboard.ts:71:27:71:62 | e.clipb ... /html') | clipboard.ts:71:13:71:62 | droppedHtml |
| clipboard.ts:71:27:71:62 | e.clipb ... /html') | clipboard.ts:71:13:71:62 | droppedHtml |
| clipboard.ts:98:15:98:54 | html | clipboard.ts:99:23:99:26 | html |
| clipboard.ts:98:15:98:54 | html | clipboard.ts:99:23:99:26 | html |
| clipboard.ts:98:15:98:54 | html | clipboard.ts:99:23:99:26 | html |
| clipboard.ts:98:15:98:54 | html | clipboard.ts:99:23:99:26 | html |
| clipboard.ts:98:22:98:54 | dataTra ... /html') | clipboard.ts:98:15:98:54 | html |
| clipboard.ts:98:22:98:54 | dataTra ... /html') | clipboard.ts:98:15:98:54 | html |
| clipboard.ts:98:22:98:54 | dataTra ... /html') | clipboard.ts:98:15:98:54 | html |
| clipboard.ts:98:22:98:54 | dataTra ... /html') | clipboard.ts:98:15:98:54 | html |
| custom-element.js:5:26:5:36 | window.name | custom-element.js:5:26:5:36 | window.name |
| d3.js:4:12:4:22 | window.name | d3.js:11:15:11:24 | getTaint() |
| d3.js:4:12:4:22 | window.name | d3.js:11:15:11:24 | getTaint() |
@@ -1373,6 +1457,33 @@ edges
| dates.js:61:42:61:86 | dayjs.s ... (taint) | dates.js:61:31:61:88 | `Time i ... aint)}` |
| dates.js:61:81:61:85 | taint | dates.js:61:42:61:86 | dayjs.s ... (taint) |
| dates.js:61:81:61:85 | taint | dates.js:61:42:61:86 | dayjs.s ... (taint) |
| dragAndDrop.ts:8:11:8:50 | html | dragAndDrop.ts:15:25:15:28 | html |
| dragAndDrop.ts:8:11:8:50 | html | dragAndDrop.ts:15:25:15:28 | html |
| dragAndDrop.ts:8:11:8:50 | html | dragAndDrop.ts:15:25:15:28 | html |
| dragAndDrop.ts:8:11:8:50 | html | dragAndDrop.ts:15:25:15:28 | html |
| dragAndDrop.ts:8:18:8:50 | dataTra ... /html') | dragAndDrop.ts:8:11:8:50 | html |
| dragAndDrop.ts:8:18:8:50 | dataTra ... /html') | dragAndDrop.ts:8:11:8:50 | html |
| dragAndDrop.ts:8:18:8:50 | dataTra ... /html') | dragAndDrop.ts:8:11:8:50 | html |
| dragAndDrop.ts:8:18:8:50 | dataTra ... /html') | dragAndDrop.ts:8:11:8:50 | html |
| dragAndDrop.ts:24:23:24:57 | e.dataT ... /html') | dragAndDrop.ts:24:23:24:57 | e.dataT ... /html') |
| dragAndDrop.ts:29:19:29:53 | e.dataT ... /html') | dragAndDrop.ts:29:19:29:53 | e.dataT ... /html') |
| dragAndDrop.ts:33:19:33:67 | e.origi ... /html') | dragAndDrop.ts:33:19:33:67 | e.origi ... /html') |
| dragAndDrop.ts:43:15:43:54 | html | dragAndDrop.ts:50:29:50:32 | html |
| dragAndDrop.ts:43:15:43:54 | html | dragAndDrop.ts:50:29:50:32 | html |
| dragAndDrop.ts:43:15:43:54 | html | dragAndDrop.ts:50:29:50:32 | html |
| dragAndDrop.ts:43:15:43:54 | html | dragAndDrop.ts:50:29:50:32 | html |
| dragAndDrop.ts:43:22:43:54 | dataTra ... /html') | dragAndDrop.ts:43:15:43:54 | html |
| dragAndDrop.ts:43:22:43:54 | dataTra ... /html') | dragAndDrop.ts:43:15:43:54 | html |
| dragAndDrop.ts:43:22:43:54 | dataTra ... /html') | dragAndDrop.ts:43:15:43:54 | html |
| dragAndDrop.ts:43:22:43:54 | dataTra ... /html') | dragAndDrop.ts:43:15:43:54 | html |
| dragAndDrop.ts:71:13:71:61 | droppedHtml | dragAndDrop.ts:73:29:73:39 | droppedHtml |
| dragAndDrop.ts:71:13:71:61 | droppedHtml | dragAndDrop.ts:73:29:73:39 | droppedHtml |
| dragAndDrop.ts:71:13:71:61 | droppedHtml | dragAndDrop.ts:73:29:73:39 | droppedHtml |
| dragAndDrop.ts:71:13:71:61 | droppedHtml | dragAndDrop.ts:73:29:73:39 | droppedHtml |
| dragAndDrop.ts:71:27:71:61 | e.dataT ... /html') | dragAndDrop.ts:71:13:71:61 | droppedHtml |
| dragAndDrop.ts:71:27:71:61 | e.dataT ... /html') | dragAndDrop.ts:71:13:71:61 | droppedHtml |
| dragAndDrop.ts:71:27:71:61 | e.dataT ... /html') | dragAndDrop.ts:71:13:71:61 | droppedHtml |
| dragAndDrop.ts:71:27:71:61 | e.dataT ... /html') | dragAndDrop.ts:71:13:71:61 | droppedHtml |
| event-handler-receiver.js:2:49:2:61 | location.href | event-handler-receiver.js:2:31:2:83 | '<h2><a ... ></h2>' |
| event-handler-receiver.js:2:49:2:61 | location.href | event-handler-receiver.js:2:31:2:83 | '<h2><a ... ></h2>' |
| event-handler-receiver.js:2:49:2:61 | location.href | event-handler-receiver.js:2:31:2:83 | '<h2><a ... ></h2>' |

69
javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/clipboard.ts
View File

@@ -31,4 +31,71 @@ document.addEventListener('paste', (e) => {
$("#foo").bind('paste', (e) => {
$("#id").html(e.originalEvent.clipboardData.getData('text/html')); // NOT OK
});
});
(function () {
let div = document.createElement("div");
div.onpaste = function (e: ClipboardEvent) {
const { clipboardData } = e;
if (!clipboardData) return;
const text = clipboardData.getData('text/plain');
const html = clipboardData.getData('text/html');
if (!text && !html) return;
e.preventDefault();
const div = document.createElement('div');
if (html) {
div.innerHTML = html; // NOT OK
} else {
div.textContent = text;
}
document.body.append(div);
}
})();
async function getClipboardData(e: ClipboardEvent): Promise<Array<File | string>> {
// Using a set to filter out duplicates. For some reason, dropping URLs duplicates them 3 times (for me)
const dropItems = new Set<File | string>();
// First get all files in the drop event
if (e.clipboardData.files.length > 0) {
// tslint:disable-next-line: prefer-for-of
for (let i = 0; i < e.clipboardData.files.length; i++) {
const file = e.clipboardData.files[i];
}
}
if (e.clipboardData.types.includes('text/html')) {
const droppedHtml = e.clipboardData.getData('text/html');
const container = document.createElement('html');
container.innerHTML = droppedHtml;
const imgs = container.getElementsByTagName('img');
if (imgs.length === 1) {
const src = imgs[0].src;
dropItems.add(src);
}
} else if (e.clipboardData.types.includes('text/plain')) {
const plainText = e.clipboardData.getData('text/plain');
// Check if text is an URL
if (/^https?:\/\//i.test(plainText)) {
dropItems.add(plainText);
}
}
const imageItems = Array.from(dropItems);
return imageItems;
}
// inputevent
(function () {
let div = document.createElement("div");
div.addEventListener("beforeinput", function (e: InputEvent) {
const { data, inputType, isComposing, dataTransfer } = e;
if (!dataTransfer) return;
const html = dataTransfer.getData('text/html');
$("#id").html(html); // NOT OK
});
})();

89
javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/dragAndDrop.ts Normal file
View File

@@ -0,0 +1,89 @@
$("#foo").on("drop", drop);
function drop(e) {
const { dataTransfer } = e.originalEvent;
if (!dataTransfer) return;
const text = dataTransfer.getData('text/plain');
const html = dataTransfer.getData('text/html');
if (!text && !html) return;
e.preventDefault();
const div = document.createElement('div');
if (html) {
div.innerHTML = html; // NOT OK
} else {
div.textContent = text;
}
document.body.append(div);
}
export function install(el: HTMLElement): void {
el.addEventListener('drop', (e) => {
$("#id").html(e.dataTransfer.getData('text/html')); // NOT OK
})
}
document.addEventListener('drop', (e) => {
$("#id").html(e.dataTransfer.getData('text/html')); // NOT OK
});
$("#foo").bind('drop', (e) => {
$("#id").html(e.originalEvent.dataTransfer.getData('text/html')); // NOT OK
});
(function () {
let div = document.createElement("div");
div.ondrop = function (e: DragEvent) {
const { dataTransfer } = e;
if (!dataTransfer) return;
const text = dataTransfer.getData('text/plain');
const html = dataTransfer.getData('text/html');
if (!text && !html) return;
e.preventDefault();
const div = document.createElement('div');
if (html) {
div.innerHTML = html; // NOT OK
} else {
div.textContent = text;
}
document.body.append(div);
}
})();
async function getDropData(e: DragEvent): Promise<Array<File | string>> {
// Using a set to filter out duplicates. For some reason, dropping URLs duplicates them 3 times (for me)
const dropItems = new Set<File | string>();
// First get all files in the drop event
if (e.dataTransfer.files.length > 0) {
// tslint:disable-next-line: prefer-for-of
for (let i = 0; i < e.dataTransfer.files.length; i++) {
const file = e.dataTransfer.files[i];
}
}
if (e.dataTransfer.types.includes('text/html')) {
const droppedHtml = e.dataTransfer.getData('text/html');
const container = document.createElement('html');
container.innerHTML = droppedHtml;
const imgs = container.getElementsByTagName('img');
if (imgs.length === 1) {
const src = imgs[0].src;
dropItems.add(src);
}
} else if (e.dataTransfer.types.includes('text/plain')) {
const plainText = e.dataTransfer.getData('text/plain');
// Check if text is an URL
if (/^https?:\/\//i.test(plainText)) {
dropItems.add(plainText);
}
}
const imageItems = Array.from(dropItems);
return imageItems;
}