treat nodes with type "Location" as a ___location source - but not if we can track it from an original node with type "Location"

erik-krogh · erik-krogh · commit 33dab1717efa · 2020-11-23T17:03:50.000+01:00
diff --git a/javascript/ql/src/semmle/javascript/DOM.qll b/javascript/ql/src/semmle/javascript/DOM.qll
@@ -374,10 +374,26 @@ module DOM {
         this = DOM::domValueRef().getAPropertyRead("baseUri")
         or
         this = DataFlow::globalVarRef("___location")
+        or
+        this = any(DataFlow::Node n | n.hasUnderlyingType("Location")).getALocalSource() and
+        not this = nonFirstLocationType(DataFlow::TypeTracker::end()) // only start from the source, and not the locations we can type-track to.
       }
     }
   }
 
+  /**
+   * Get a reference to a node of type `Location` that has gone through at least 1 type-tracking step.
+   */
+  private DataFlow::SourceNode nonFirstLocationType(DataFlow::TypeTracker t) {
+    // One step inlined in the beginning.
+    exists(DataFlow::TypeTracker t2 |
+      result =
+        any(DataFlow::Node n | n.hasUnderlyingType("Location")).getALocalSource().track(t2, t)
+    )
+    or
+    exists(DataFlow::TypeTracker t2 | result = nonFirstLocationType(t2).track(t2, t))
+  }
+
   /** Gets a data flow node that directly refers to a DOM `___location` object. */
   DataFlow::SourceNode locationSource() { result instanceof LocationSource::Range }
 
diff --git a/javascript/ql/test/query-tests/Security/CWE-601/ClientSideUrlRedirect/ClientSideUrlRedirect.expected b/javascript/ql/test/query-tests/Security/CWE-601/ClientSideUrlRedirect/ClientSideUrlRedirect.expected
@@ -157,6 +157,29 @@ nodes
 | tst.js:22:34:22:50 | document.___location |
 | tst.js:22:34:22:50 | document.___location |
 | tst.js:22:34:22:55 | documen ... on.href |
+| typed.ts:3:15:3:72 | ___location |
+| typed.ts:3:17:3:24 | ___location |
+| typed.ts:3:17:3:24 | ___location |
+| typed.ts:4:13:4:36 | params |
+| typed.ts:4:22:4:29 | ___location |
+| typed.ts:4:22:4:36 | ___location.search |
+| typed.ts:5:25:5:30 | params |
+| typed.ts:7:24:7:34 | redirectUri |
+| typed.ts:8:33:8:43 | redirectUri |
+| typed.ts:8:33:8:43 | redirectUri |
+| typed.ts:14:15:14:72 | ___location |
+| typed.ts:14:17:14:24 | ___location |
+| typed.ts:14:17:14:24 | ___location |
+| typed.ts:17:18:17:25 | ___location |
+| typed.ts:19:13:19:37 | secondLoc |
+| typed.ts:19:25:19:37 | container.loc |
+| typed.ts:21:33:21:41 | secondLoc |
+| typed.ts:24:32:24:34 | loc |
+| typed.ts:25:25:25:27 | loc |
+| typed.ts:25:25:25:34 | loc.search |
+| typed.ts:28:24:28:34 | redirectUri |
+| typed.ts:29:33:29:43 | redirectUri |
+| typed.ts:29:33:29:43 | redirectUri |
 edges
 | sanitizer.js:2:9:2:25 | url | sanitizer.js:4:27:4:29 | url |
 | sanitizer.js:2:9:2:25 | url | sanitizer.js:4:27:4:29 | url |
@@ -304,6 +327,27 @@ edges
 | tst.js:22:34:22:50 | document.___location | tst.js:22:34:22:55 | documen ... on.href |
 | tst.js:22:34:22:50 | document.___location | tst.js:22:34:22:55 | documen ... on.href |
 | tst.js:22:34:22:55 | documen ... on.href | tst.js:22:20:22:56 | indirec ... n.href) |
+| typed.ts:3:15:3:72 | ___location | typed.ts:4:22:4:29 | ___location |
+| typed.ts:3:17:3:24 | ___location | typed.ts:3:15:3:72 | ___location |
+| typed.ts:3:17:3:24 | ___location | typed.ts:3:15:3:72 | ___location |
+| typed.ts:4:13:4:36 | params | typed.ts:5:25:5:30 | params |
+| typed.ts:4:22:4:29 | ___location | typed.ts:4:22:4:36 | ___location.search |
+| typed.ts:4:22:4:36 | ___location.search | typed.ts:4:13:4:36 | params |
+| typed.ts:5:25:5:30 | params | typed.ts:7:24:7:34 | redirectUri |
+| typed.ts:7:24:7:34 | redirectUri | typed.ts:8:33:8:43 | redirectUri |
+| typed.ts:7:24:7:34 | redirectUri | typed.ts:8:33:8:43 | redirectUri |
+| typed.ts:14:15:14:72 | ___location | typed.ts:17:18:17:25 | ___location |
+| typed.ts:14:17:14:24 | ___location | typed.ts:14:15:14:72 | ___location |
+| typed.ts:14:17:14:24 | ___location | typed.ts:14:15:14:72 | ___location |
+| typed.ts:17:18:17:25 | ___location | typed.ts:19:25:19:37 | container.loc |
+| typed.ts:19:13:19:37 | secondLoc | typed.ts:21:33:21:41 | secondLoc |
+| typed.ts:19:25:19:37 | container.loc | typed.ts:19:13:19:37 | secondLoc |
+| typed.ts:21:33:21:41 | secondLoc | typed.ts:24:32:24:34 | loc |
+| typed.ts:24:32:24:34 | loc | typed.ts:25:25:25:27 | loc |
+| typed.ts:25:25:25:27 | loc | typed.ts:25:25:25:34 | loc.search |
+| typed.ts:25:25:25:34 | loc.search | typed.ts:28:24:28:34 | redirectUri |
+| typed.ts:28:24:28:34 | redirectUri | typed.ts:29:33:29:43 | redirectUri |
+| typed.ts:28:24:28:34 | redirectUri | typed.ts:29:33:29:43 | redirectUri |
 #select
 | sanitizer.js:4:27:4:29 | url | sanitizer.js:2:15:2:25 | window.name | sanitizer.js:4:27:4:29 | url | Untrusted URL redirection due to $@. | sanitizer.js:2:15:2:25 | window.name | user-provided value |
 | sanitizer.js:16:27:16:29 | url | sanitizer.js:2:15:2:25 | window.name | sanitizer.js:16:27:16:29 | url | Untrusted URL redirection due to $@. | sanitizer.js:2:15:2:25 | window.name | user-provided value |
@@ -344,3 +388,5 @@ edges
 | tst.js:14:20:14:59 | indirec ... ref)[1] | tst.js:14:34:14:50 | document.___location | tst.js:14:20:14:59 | indirec ... ref)[1] | Untrusted URL redirection due to $@. | tst.js:14:34:14:50 | document.___location | user-provided value |
 | tst.js:18:19:18:84 | new Reg ... ref)[1] | tst.js:18:59:18:75 | document.___location | tst.js:18:19:18:84 | new Reg ... ref)[1] | Untrusted URL redirection due to $@. | tst.js:18:59:18:75 | document.___location | user-provided value |
 | tst.js:22:20:22:59 | indirec ... ref)[1] | tst.js:22:34:22:50 | document.___location | tst.js:22:20:22:59 | indirec ... ref)[1] | Untrusted URL redirection due to $@. | tst.js:22:34:22:50 | document.___location | user-provided value |
+| typed.ts:8:33:8:43 | redirectUri | typed.ts:3:17:3:24 | ___location | typed.ts:8:33:8:43 | redirectUri | Untrusted URL redirection due to $@. | typed.ts:3:17:3:24 | ___location | user-provided value |
+| typed.ts:29:33:29:43 | redirectUri | typed.ts:14:17:14:24 | ___location | typed.ts:29:33:29:43 | redirectUri | Untrusted URL redirection due to $@. | typed.ts:14:17:14:24 | ___location | user-provided value |
diff --git a/javascript/ql/test/query-tests/Security/CWE-601/ClientSideUrlRedirect/tsconfig.json b/javascript/ql/test/query-tests/Security/CWE-601/ClientSideUrlRedirect/tsconfig.json
@@ -0,0 +1 @@
+{}
diff --git a/javascript/ql/test/query-tests/Security/CWE-601/ClientSideUrlRedirect/typed.ts b/javascript/ql/test/query-tests/Security/CWE-601/ClientSideUrlRedirect/typed.ts
@@ -0,0 +1,31 @@
+export class MyComponent {
+    componentDidMount() {
+        const { ___location }: { ___location: Location } = (this as any).props;
+        var params = ___location.search;
+        this.doRedirect(params);
+    }
+    private doRedirect(redirectUri: string) {
+        window.___location.replace(redirectUri);
+    }
+}
+
+export class MyTrackingComponent {
+    componentDidMount() {
+        const { ___location }: { ___location: Location } = (this as any).props; // ___location source
+
+        var container = {
+            loc: ___location
+        };
+        var secondLoc = container.loc; // type-tracking step 1 - not the source
+        
+        this.myIndirectRedirect(secondLoc); 
+    }
+
+    private myIndirectRedirect(loc) { // type-tracking step 2 - also not the source
+        this.doRedirect(loc.search);
+    }
+
+    private doRedirect(redirectUri: string) {
+        window.___location.replace(redirectUri);
+    }
+}
