Merge pull request github#4774 from erik-krogh/forms

codeql-ci · web-flow · commit 1c8547c89743 · 2021-01-12T02:01:38.000-08:00
Approved by asgerf
diff --git a/javascript/ql/src/semmle/javascript/DOM.qll b/javascript/ql/src/semmle/javascript/DOM.qll
@@ -298,6 +298,23 @@ module DOM {
       )
     }
 
+    /**
+     * A data flow node that might refer to some form.
+     * Either by a read like `document.forms[0]`, or a property read from `document` with some constant property-name.
+     * E.g. if `<form name="foobar">..</form>` exists, then `document.foobar` refers to that form.
+     */
+    private DataFlow::SourceNode forms() {
+      result = documentRef().getAPropertyRead("forms").getAPropertyRead()
+      or
+      exists(DataFlow::PropRead read |
+        read = documentRef().getAPropertyRead() and
+        result = read
+      |
+        read.mayHavePropertyName(_) and
+        not read.mayHavePropertyName(getADomPropertyName())
+      )
+    }
+
     private class DefaultRange extends Range {
       DefaultRange() {
         this.asExpr().(VarAccess).getVariable() instanceof DOMGlobalVariable
@@ -317,6 +334,14 @@ module DOM {
         or
         this = domElementCollection()
         or
+        this = forms()
+        or
+        // reading property `foo` - where a child has `name="foo"` - resolves to that child.
+        // We only look for such properties on forms/document, to avoid potential false positives.
+        exists(DataFlow::SourceNode form | form = [forms(), documentRef()] |
+          this = form.getAPropertyRead(any(string s | not s = getADomPropertyName()))
+        )
+        or
         exists(JQuery::MethodCall call | this = call and call.getMethodName() = "get" |
           call.getNumArgument() = 1 and
           forex(InferredType t | t = call.getArgument(0).analyze().getAType() | t = TTNumber())
diff --git a/javascript/ql/test/library-tests/DOM/Customizations.expected b/javascript/ql/test/library-tests/DOM/Customizations.expected
@@ -4,7 +4,9 @@ test_documentRef
 test_locationRef
 | customization.js:3:3:3:14 | doc.___location |
 test_domValueRef
+| customization.js:4:3:4:20 | doc.getElementById |
 | customization.js:4:3:4:28 | doc.get ... 'test') |
+| nameditems.js:1:1:1:23 | documen ... entById |
 | nameditems.js:1:1:1:30 | documen ... ('foo') |
 | nameditems.js:1:1:2:19 | documen ... em('x') |
 | tst.js:49:3:49:8 | window |
diff --git a/javascript/ql/test/library-tests/DOM/externs/externs.js b/javascript/ql/test/library-tests/DOM/externs/externs.js
@@ -8,3 +8,13 @@ function EventTarget() {}
 
 /** @type {EventTarget} */
 var window;
+
+/**
+ * @see http://dev.w3.org/html5/workers/
+ * @interface
+ * @extends {EventTarget}
+ */
+function WorkerGlobalScope() {}
+
+/** @type {WorkerLocation} */
+WorkerGlobalScope.prototype.___location;
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/XssThroughDom.expected b/javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/XssThroughDom.expected
@@ -44,8 +44,11 @@ nodes
 | xss-through-dom.js:73:9:73:41 | selector |
 | xss-through-dom.js:73:20:73:41 | $("inpu ... 0).name |
 | xss-through-dom.js:73:20:73:41 | $("inpu ... 0).name |
-| xss-through-dom.js:77:7:77:14 | selector |
-| xss-through-dom.js:77:7:77:14 | selector |
+| xss-through-dom.js:77:4:77:11 | selector |
+| xss-through-dom.js:77:4:77:11 | selector |
+| xss-through-dom.js:79:4:79:34 | documen ... t.value |
+| xss-through-dom.js:79:4:79:34 | documen ... t.value |
+| xss-through-dom.js:79:4:79:34 | documen ... t.value |
 edges
 | xss-through-dom.js:2:16:2:34 | $("textarea").val() | xss-through-dom.js:2:16:2:34 | $("textarea").val() |
 | xss-through-dom.js:4:16:4:40 | $(".som ... .text() | xss-through-dom.js:4:16:4:40 | $(".som ... .text() |
@@ -61,10 +64,11 @@ edges
 | xss-through-dom.js:61:30:61:69 | $(docum ... value") | xss-through-dom.js:61:30:61:69 | $(docum ... value") |
 | xss-through-dom.js:64:30:64:40 | valMethod() | xss-through-dom.js:64:30:64:40 | valMethod() |
 | xss-through-dom.js:71:11:71:32 | $("inpu ... 0).name | xss-through-dom.js:71:11:71:32 | $("inpu ... 0).name |
-| xss-through-dom.js:73:9:73:41 | selector | xss-through-dom.js:77:7:77:14 | selector |
-| xss-through-dom.js:73:9:73:41 | selector | xss-through-dom.js:77:7:77:14 | selector |
+| xss-through-dom.js:73:9:73:41 | selector | xss-through-dom.js:77:4:77:11 | selector |
+| xss-through-dom.js:73:9:73:41 | selector | xss-through-dom.js:77:4:77:11 | selector |
 | xss-through-dom.js:73:20:73:41 | $("inpu ... 0).name | xss-through-dom.js:73:9:73:41 | selector |
 | xss-through-dom.js:73:20:73:41 | $("inpu ... 0).name | xss-through-dom.js:73:9:73:41 | selector |
+| xss-through-dom.js:79:4:79:34 | documen ... t.value | xss-through-dom.js:79:4:79:34 | documen ... t.value |
 #select
 | xss-through-dom.js:2:16:2:34 | $("textarea").val() | xss-through-dom.js:2:16:2:34 | $("textarea").val() | xss-through-dom.js:2:16:2:34 | $("textarea").val() | $@ is reinterpreted as HTML without escaping meta-characters. | xss-through-dom.js:2:16:2:34 | $("textarea").val() | DOM text |
 | xss-through-dom.js:4:16:4:40 | $(".som ... .text() | xss-through-dom.js:4:16:4:40 | $(".som ... .text() | xss-through-dom.js:4:16:4:40 | $(".som ... .text() | $@ is reinterpreted as HTML without escaping meta-characters. | xss-through-dom.js:4:16:4:40 | $(".som ... .text() | DOM text |
@@ -80,4 +84,5 @@ edges
 | xss-through-dom.js:61:30:61:69 | $(docum ... value") | xss-through-dom.js:61:30:61:69 | $(docum ... value") | xss-through-dom.js:61:30:61:69 | $(docum ... value") | $@ is reinterpreted as HTML without escaping meta-characters. | xss-through-dom.js:61:30:61:69 | $(docum ... value") | DOM text |
 | xss-through-dom.js:64:30:64:40 | valMethod() | xss-through-dom.js:64:30:64:40 | valMethod() | xss-through-dom.js:64:30:64:40 | valMethod() | $@ is reinterpreted as HTML without escaping meta-characters. | xss-through-dom.js:64:30:64:40 | valMethod() | DOM text |
 | xss-through-dom.js:71:11:71:32 | $("inpu ... 0).name | xss-through-dom.js:71:11:71:32 | $("inpu ... 0).name | xss-through-dom.js:71:11:71:32 | $("inpu ... 0).name | $@ is reinterpreted as HTML without escaping meta-characters. | xss-through-dom.js:71:11:71:32 | $("inpu ... 0).name | DOM text |
-| xss-through-dom.js:77:7:77:14 | selector | xss-through-dom.js:73:20:73:41 | $("inpu ... 0).name | xss-through-dom.js:77:7:77:14 | selector | $@ is reinterpreted as HTML without escaping meta-characters. | xss-through-dom.js:73:20:73:41 | $("inpu ... 0).name | DOM text |
+| xss-through-dom.js:77:4:77:11 | selector | xss-through-dom.js:73:20:73:41 | $("inpu ... 0).name | xss-through-dom.js:77:4:77:11 | selector | $@ is reinterpreted as HTML without escaping meta-characters. | xss-through-dom.js:73:20:73:41 | $("inpu ... 0).name | DOM text |
+| xss-through-dom.js:79:4:79:34 | documen ... t.value | xss-through-dom.js:79:4:79:34 | documen ... t.value | xss-through-dom.js:79:4:79:34 | documen ... t.value | $@ is reinterpreted as HTML without escaping meta-characters. | xss-through-dom.js:79:4:79:34 | documen ... t.value | DOM text |
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/xss-through-dom.js b/javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/xss-through-dom.js
@@ -74,5 +74,7 @@
     if (something()) {
         selector = $("textarea").val || ''
     }
-    $(selector); // NOT OK
+	$(selector); // NOT OK
+	
+	$(document.my_form.my_input.value); // NOT OK
 })();

Original file line number	Diff line number	Diff line change
`@@ -74,5 +74,7 @@`
`74`	`74`	`if (something()) {`
`75`	`75`	`selector = $("textarea").val \|\| ''`
`76`	`76`	`}`
`77`		`- $(selector); // NOT OK`
	`77`	`+ $(selector); // NOT OK`
	`78`	`+`
	`79`	`+ $(document.my_form.my_input.value); // NOT OK`
`78`	`80`	`})();`