add model for formik

This commit is contained in:
Erik Krogh Kristensen
2021-02-07 12:58:10 +01:00
parent d1087d4e41
commit ff3950ce98
3 changed files with 132 additions and 0 deletions


@@ -96,4 +96,45 @@ module XssThroughDom {
e = operand
}
}
/**
* A module for form inputs seen as sources for xss-through-dom.
*/
module Forms {
/**
* A reference to an import of `Formik`.
*/
private DataFlow::SourceNode formik() {
result = DataFlow::moduleImport("formik")
or
result = DataFlow::globalVarRef("Formik")
}
/**
* An object containing input values from a form build with `Formik`.
*/
class FormikSource extends Source {
FormikSource() {
exists(JSXElement elem |
formik().getAPropertyRead("Formik").flowsToExpr(elem.getNameExpr())
|
this =
elem.getAttributeByName(["validate", "onSubmit"])
.getValue()
.flow()
.getAFunctionValue()
.getParameter(0)
)
or
this =
formik()
.getAMemberCall("withFormik")
.getOptionArgument(0, ["validate", "handleSubmit"])
.getAFunctionValue()
.getParameter(0)
or
this = formik().getAMemberCall("useFormikContext").getAPropertyRead("values")
}
}
}
}
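Review bot: `FormikSource` (L31–L53) leaves out two places where the same user-controlled `values` object surfaces: the render-prop / children function of `<Formik>` (the `inputs` parameter at line 147 of the new forms.js, whose `values` property the model never reaches) and the `useFormik` hook, which returns the same object that `useFormikContext` does. Widening the last disjunct to `this = formik().getAMemberCall(["useFormik", "useFormikContext"]).getAPropertyRead("values")` covers the hook; the render-prop case needs a further disjunct on the function passed as the element's child, plus a matching case in forms.js, which currently only references `handleSubmit` inside that function. The class doc comment on L29 reads `An object containing input values from a form build with `Formik`.` — should be `built with`. The enclosing `XssThroughDom` module starts before this hunk.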


@@ -1,4 +1,30 @@
nodes
| forms.js:8:23:8:28 | values |
| forms.js:8:23:8:28 | values |
| forms.js:9:31:9:36 | values |
| forms.js:9:31:9:40 | values.foo |
| forms.js:9:31:9:40 | values.foo |
| forms.js:11:24:11:29 | values |
| forms.js:11:24:11:29 | values |
| forms.js:12:31:12:36 | values |
| forms.js:12:31:12:40 | values.bar |
| forms.js:12:31:12:40 | values.bar |
| forms.js:24:15:24:20 | values |
| forms.js:24:15:24:20 | values |
| forms.js:25:23:25:28 | values |
| forms.js:25:23:25:34 | values.email |
| forms.js:25:23:25:34 | values.email |
| forms.js:28:20:28:25 | values |
| forms.js:28:20:28:25 | values |
| forms.js:29:23:29:28 | values |
| forms.js:29:23:29:34 | values.email |
| forms.js:29:23:29:34 | values.email |
| forms.js:34:11:34:53 | values |
| forms.js:34:13:34:18 | values |
| forms.js:34:13:34:18 | values |
| forms.js:35:19:35:24 | values |
| forms.js:35:19:35:30 | values.email |
| forms.js:35:19:35:30 | values.email |
| xss-through-dom.js:2:16:2:34 | $("textarea").val() |
| xss-through-dom.js:2:16:2:34 | $("textarea").val() |
| xss-through-dom.js:2:16:2:34 | $("textarea").val() |
@@ -50,6 +76,27 @@ nodes
| xss-through-dom.js:79:4:79:34 | documen ... t.value |
| xss-through-dom.js:79:4:79:34 | documen ... t.value |
edges
| forms.js:8:23:8:28 | values | forms.js:9:31:9:36 | values |
| forms.js:8:23:8:28 | values | forms.js:9:31:9:36 | values |
| forms.js:9:31:9:36 | values | forms.js:9:31:9:40 | values.foo |
| forms.js:9:31:9:36 | values | forms.js:9:31:9:40 | values.foo |
| forms.js:11:24:11:29 | values | forms.js:12:31:12:36 | values |
| forms.js:11:24:11:29 | values | forms.js:12:31:12:36 | values |
| forms.js:12:31:12:36 | values | forms.js:12:31:12:40 | values.bar |
| forms.js:12:31:12:36 | values | forms.js:12:31:12:40 | values.bar |
| forms.js:24:15:24:20 | values | forms.js:25:23:25:28 | values |
| forms.js:24:15:24:20 | values | forms.js:25:23:25:28 | values |
| forms.js:25:23:25:28 | values | forms.js:25:23:25:34 | values.email |
| forms.js:25:23:25:28 | values | forms.js:25:23:25:34 | values.email |
| forms.js:28:20:28:25 | values | forms.js:29:23:29:28 | values |
| forms.js:28:20:28:25 | values | forms.js:29:23:29:28 | values |
| forms.js:29:23:29:28 | values | forms.js:29:23:29:34 | values.email |
| forms.js:29:23:29:28 | values | forms.js:29:23:29:34 | values.email |
| forms.js:34:11:34:53 | values | forms.js:35:19:35:24 | values |
| forms.js:34:13:34:18 | values | forms.js:34:11:34:53 | values |
| forms.js:34:13:34:18 | values | forms.js:34:11:34:53 | values |
| forms.js:35:19:35:24 | values | forms.js:35:19:35:30 | values.email |
| forms.js:35:19:35:24 | values | forms.js:35:19:35:30 | values.email |
| xss-through-dom.js:2:16:2:34 | $("textarea").val() | xss-through-dom.js:2:16:2:34 | $("textarea").val() |
| xss-through-dom.js:4:16:4:40 | $(".som ... .text() | xss-through-dom.js:4:16:4:40 | $(".som ... .text() |
| xss-through-dom.js:8:16:8:53 | $(".som ... arget") | xss-through-dom.js:8:16:8:53 | $(".som ... arget") |
@@ -70,6 +117,11 @@ edges
| xss-through-dom.js:73:20:73:41 | $("inpu ... 0).name | xss-through-dom.js:73:9:73:41 | selector |
| xss-through-dom.js:79:4:79:34 | documen ... t.value | xss-through-dom.js:79:4:79:34 | documen ... t.value |
#select
| forms.js:9:31:9:40 | values.foo | forms.js:8:23:8:28 | values | forms.js:9:31:9:40 | values.foo | $@ is reinterpreted as HTML without escaping meta-characters. | forms.js:8:23:8:28 | values | DOM text |
| forms.js:12:31:12:40 | values.bar | forms.js:11:24:11:29 | values | forms.js:12:31:12:40 | values.bar | $@ is reinterpreted as HTML without escaping meta-characters. | forms.js:11:24:11:29 | values | DOM text |
| forms.js:25:23:25:34 | values.email | forms.js:24:15:24:20 | values | forms.js:25:23:25:34 | values.email | $@ is reinterpreted as HTML without escaping meta-characters. | forms.js:24:15:24:20 | values | DOM text |
| forms.js:29:23:29:34 | values.email | forms.js:28:20:28:25 | values | forms.js:29:23:29:34 | values.email | $@ is reinterpreted as HTML without escaping meta-characters. | forms.js:28:20:28:25 | values | DOM text |
| forms.js:35:19:35:30 | values.email | forms.js:34:13:34:18 | values | forms.js:35:19:35:30 | values.email | $@ is reinterpreted as HTML without escaping meta-characters. | forms.js:34:13:34:18 | values | DOM text |
| xss-through-dom.js:2:16:2:34 | $("textarea").val() | xss-through-dom.js:2:16:2:34 | $("textarea").val() | xss-through-dom.js:2:16:2:34 | $("textarea").val() | $@ is reinterpreted as HTML without escaping meta-characters. | xss-through-dom.js:2:16:2:34 | $("textarea").val() | DOM text |
| xss-through-dom.js:4:16:4:40 | $(".som ... .text() | xss-through-dom.js:4:16:4:40 | $(".som ... .text() | xss-through-dom.js:4:16:4:40 | $(".som ... .text() | $@ is reinterpreted as HTML without escaping meta-characters. | xss-through-dom.js:4:16:4:40 | $(".som ... .text() | DOM text |
| xss-through-dom.js:8:16:8:53 | $(".som ... arget") | xss-through-dom.js:8:16:8:53 | $(".som ... arget") | xss-through-dom.js:8:16:8:53 | $(".som ... arget") | $@ is reinterpreted as HTML without escaping meta-characters. | xss-through-dom.js:8:16:8:53 | $(".som ... arget") | DOM text |


@@ -0,0 +1,39 @@
import React from 'react';
import { Formik, withFormik, useFormikContext } from 'formik';
const FormikBasic = () => (
<div>
<Formik
initialValues={{ email: '', password: '' }}
validate={values => {
$("#id").html(values.foo); // NOT OK
}}
onSubmit={(values, { setSubmitting }) => {
$("#id").html(values.bar); // NOT OK
}}
>
{(inputs) => (
<form onSubmit={handleSubmit}></form>
)}
</Formik>
</div>
);
const FormikEnhanced = withFormik({
mapPropsToValues: () => ({ name: '' }),
validate: values => {
$("#id").html(values.email); // NOT OK
},
handleSubmit: (values, { setSubmitting }) => {
$("#id").html(values.email); // NOT OK
}
})(MyForm);
(function () {
const { values, submitForm } = useFormikContext();
$("#id").html(values.email); // NOT OK
$("#id").html(submitForm.email); // OK
})