Merge pull request github#3336 from erik-krogh/MoarJQuery

Approved by esbena

Author: semmle-qlci

change-notes/1.25/analysis-javascript.md

@@ -4,6 +4,7 @@
 
 * Support for the following frameworks and libraries has been improved:
   - [jGrowl](https://github.com/stanlemon/jGrowl)
+  - [jQuery](https://jquery.com/)
 
 ## New queries
 

javascript/ql/src/Security/CWE-079/UnsafeJQueryPlugin.ql

@@ -16,7 +16,8 @@ import semmle.javascript.security.dataflow.UnsafeJQueryPlugin::UnsafeJQueryPlugi
 import DataFlow::PathGraph
 
 from
-  Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink, JQueryPluginMethod plugin
+  Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink,
+  JQuery::JQueryPluginMethod plugin
 where
   cfg.hasFlowPath(source, sink) and
   source.getNode().(Source).getPlugin() = plugin and

javascript/ql/src/semmle/javascript/DOM.qll

@@ -305,6 +305,13 @@ module DOM {
           call.getNumArgument() = 1 and
           forex(InferredType t | t = call.getArgument(0).analyze().getAType() | t = TTNumber())
         )
+        or
+        // A `this` node from a callback given to a `$().each(callback)` call.
+        // purposely not using JQuery::MethodCall to avoid `jquery.each()`.
+        exists(DataFlow::CallNode eachCall | eachCall = JQuery::objectRef().getAMethodCall("each") |
+          this = DataFlow::thisNode(eachCall.getCallback(0).getFunction()) or
+          this = eachCall.getABoundCallbackParameter(0, 1)
+        )
       }
     }
   }

javascript/ql/src/semmle/javascript/frameworks/jQuery.qll

@@ -496,6 +496,15 @@ module JQuery {
         hasUnderlyingType("jQuery")
       }
     }
+
+    /**
+     * A `this` node in a JQuery plugin function, which is a JQuery object.
+     */
+    private class JQueryPluginThisObject extends Range {
+      JQueryPluginThisObject() {
+        this = DataFlow::thisNode(any(JQueryPluginMethod method).getFunction())
+      }
+    }
   }
 
   /** A source of jQuery objects from the AST-based `JQueryObject` class. */
@@ -590,4 +599,64 @@ module JQuery {
       node = getArgument(0)
     }
   }
+
+  /**
+   * Holds for jQuery plugin definitions of the form `$.fn.<pluginName> = <plugin>` or `$.extend($.fn, {<pluginName>, <plugin>})`.
+   */
+  private predicate jQueryPluginDefinition(string pluginName, DataFlow::Node plugin) {
+    exists(DataFlow::PropRead fn, DataFlow::PropWrite write |
+      fn = jquery().getAPropertyRead("fn") and
+      (
+        write = fn.getAPropertyWrite()
+        or
+        exists(ExtendCall extend, DataFlow::SourceNode source |
+          fn.flowsTo(extend.getDestinationOperand()) and
+          source = extend.getASourceOperand() and
+          write = source.getAPropertyWrite()
+        )
+      ) and
+      plugin = write.getRhs() and
+      (
+        pluginName = write.getPropertyName() or
+        write.getPropertyNameExpr().flow().mayHaveStringValue(pluginName)
+      )
+    )
+  }
+
+  /**
+   * Gets a node that is registered as a jQuery plugin method at `def`.
+   */
+  private DataFlow::SourceNode getAJQueryPluginMethod(
+    DataFlow::TypeBackTracker t, DataFlow::Node def
+  ) {
+    t.start() and jQueryPluginDefinition(_, def) and result.flowsTo(def)
+    or
+    exists(DataFlow::TypeBackTracker t2 | result = getAJQueryPluginMethod(t2, def).backtrack(t2, t))
+  }
+
+  /**
+   * Gets a function that is registered as a jQuery plugin method at `def`.
+   */
+  private DataFlow::FunctionNode getAJQueryPluginMethod(DataFlow::Node def) {
+    result = getAJQueryPluginMethod(DataFlow::TypeBackTracker::end(), def)
+  }
+
+  /**
+   * A function that is registered as a jQuery plugin method.
+   */
+  class JQueryPluginMethod extends DataFlow::FunctionNode {
+    string pluginName;
+
+    JQueryPluginMethod() {
+      exists(DataFlow::Node def |
+        jQueryPluginDefinition(pluginName, def) and
+        this = getAJQueryPluginMethod(def)
+      )
+    }
+
+    /**
+     * Gets the name of this plugin.
+     */
+    string getPluginName() { result = pluginName }
+  }
 }

javascript/ql/src/semmle/javascript/security/dataflow/UnsafeJQueryPluginCustomizations.qll

@@ -18,7 +18,7 @@ module UnsafeJQueryPlugin {
     /**
      * Gets the plugin that this source is used in.
      */
-    abstract JQueryPluginMethod getPlugin();
+    abstract JQuery::JQueryPluginMethod getPlugin();
   }
 
   /**
@@ -49,49 +49,6 @@ module UnsafeJQueryPlugin {
     }
   }
 
-  /**
-   * Holds for jQuery plugin definitions of the form `$.fn.<pluginName> = <plugin>`.
-   */
-  private predicate jQueryPluginDefinition(string pluginName, DataFlow::Node plugin) {
-    exists(DataFlow::PropRead fn, DataFlow::PropWrite write |
-      fn = jquery().getAPropertyRead("fn") and
-      (
-        write = fn.getAPropertyWrite()
-        or
-        exists(ExtendCall extend, DataFlow::SourceNode source |
-          fn.flowsTo(extend.getDestinationOperand()) and
-          source = extend.getASourceOperand() and
-          write = source.getAPropertyWrite()
-        )
-      ) and
-      plugin = write.getRhs() and
-      (
-        pluginName = write.getPropertyName() or
-        write.getPropertyNameExpr().flow().mayHaveStringValue(pluginName)
-      )
-    )
-  }
-
-  /**
-   * Gets a node that is registered as a jQuery plugin method at `def`.
-   */
-  private DataFlow::SourceNode getAJQueryPluginMethod(
-    DataFlow::TypeBackTracker t, DataFlow::Node def
-  ) {
-    t.start() and
-    jQueryPluginDefinition(_, def) and
-    result.flowsTo(def)
-    or
-    exists(DataFlow::TypeBackTracker t2 | result = getAJQueryPluginMethod(t2, def).backtrack(t2, t))
-  }
-
-  /**
-   * Gets a function that is registered as a jQuery plugin method at `def`.
-   */
-  private DataFlow::FunctionNode getAJQueryPluginMethod(DataFlow::Node def) {
-    result = getAJQueryPluginMethod(DataFlow::TypeBackTracker::end(), def)
-  }
-
   /**
    * Gets an operand to `extend`.
    */
@@ -109,29 +66,10 @@ module UnsafeJQueryPlugin {
     result = getAnExtendOperand(DataFlow::TypeBackTracker::end(), extend)
   }
 
-  /**
-   * A function that is registered as a jQuery plugin method.
-   */
-  class JQueryPluginMethod extends DataFlow::FunctionNode {
-    string pluginName;
-
-    JQueryPluginMethod() {
-      exists(DataFlow::Node def |
-        jQueryPluginDefinition(pluginName, def) and
-        this = getAJQueryPluginMethod(def)
-      )
-    }
-
-    /**
-     * Gets the name of this plugin.
-     */
-    string getPluginName() { result = pluginName }
-  }
-
   /**
    * Holds if `plugin` has a default option defined at `def`.
    */
-  private predicate hasDefaultOption(JQueryPluginMethod plugin, DataFlow::PropWrite def) {
+  private predicate hasDefaultOption(JQuery::JQueryPluginMethod plugin, DataFlow::PropWrite def) {
     exists(ExtendCall extend, JQueryPluginOptions options, DataFlow::SourceNode default |
       options.getPlugin() = plugin and
       options = getAnExtendOperand(extend) and
@@ -144,7 +82,7 @@ module UnsafeJQueryPlugin {
    * The client-provided options object for a jQuery plugin.
    */
   class JQueryPluginOptions extends DataFlow::ParameterNode {
-    JQueryPluginMethod method;
+    JQuery::JQueryPluginMethod method;
 
     JQueryPluginOptions() {
       exists(string optionsPattern |
@@ -165,7 +103,7 @@ module UnsafeJQueryPlugin {
     /**
      * Gets the plugin method that these options are used in.
      */
-    JQueryPluginMethod getPlugin() { result = method }
+    JQuery::JQueryPluginMethod getPlugin() { result = method }
   }
 
   /**
@@ -224,7 +162,9 @@ module UnsafeJQueryPlugin {
    * The client-provided options object for a jQuery plugin, considered as a source for unsafe jQuery plugins.
    */
   class JQueryPluginOptionsAsSource extends Source, JQueryPluginOptions {
-    override JQueryPluginMethod getPlugin() { result = JQueryPluginOptions.super.getPlugin() }
+    override JQuery::JQueryPluginMethod getPlugin() {
+      result = JQueryPluginOptions.super.getPlugin()
+    }
   }
 
   /**
@@ -246,7 +186,7 @@ module UnsafeJQueryPlugin {
   /**
    * Holds if `plugin` likely expects `sink` to be treated as a HTML fragment.
    */
-  predicate isLikelyIntentionalHtmlSink(JQueryPluginMethod plugin, Sink sink) {
+  predicate isLikelyIntentionalHtmlSink(JQuery::JQueryPluginMethod plugin, Sink sink) {
     exists(DataFlow::PropWrite defaultDef, string default, DataFlow::PropRead finalRead |
       hasDefaultOption(plugin, defaultDef) and
       defaultDef.getPropertyName() = finalRead.getPropertyName() and

javascript/ql/src/semmle/javascript/security/dataflow/Xss.qll

@@ -80,6 +80,7 @@ module DomBasedXss {
         not exists(DataFlow::Node prefix, string strval |
           isPrefixOfJQueryHtmlString(this, prefix) and
           strval = prefix.getStringValue() and
+          not strval = "" and
           not strval.regexpMatch("\\s*<.*")
         ) and
         not DOM::locationRef().flowsTo(this)

javascript/ql/test/query-tests/Security/CWE-079/Xss.expected

@@ -347,6 +347,16 @@ nodes
 | tst.js:354:16:354:39 | documen ... .search |
 | tst.js:355:12:355:17 | target |
 | tst.js:355:12:355:17 | target |
+| tst.js:361:10:361:42 | target |
+| tst.js:361:19:361:35 | document.___location |
+| tst.js:361:19:361:35 | document.___location |
+| tst.js:361:19:361:42 | documen ... .search |
+| tst.js:362:16:362:21 | target |
+| tst.js:362:16:362:21 | target |
+| tst.js:366:21:366:26 | target |
+| tst.js:366:21:366:26 | target |
+| tst.js:369:18:369:23 | target |
+| tst.js:369:18:369:23 | target |
 | typeahead.js:20:13:20:45 | target |
 | typeahead.js:20:22:20:38 | document.___location |
 | typeahead.js:20:22:20:38 | document.___location |
@@ -670,6 +680,15 @@ edges
 | tst.js:354:16:354:32 | document.___location | tst.js:354:16:354:39 | documen ... .search |
 | tst.js:354:16:354:32 | document.___location | tst.js:354:16:354:39 | documen ... .search |
 | tst.js:354:16:354:39 | documen ... .search | tst.js:354:7:354:39 | target |
+| tst.js:361:10:361:42 | target | tst.js:362:16:362:21 | target |
+| tst.js:361:10:361:42 | target | tst.js:362:16:362:21 | target |
+| tst.js:361:10:361:42 | target | tst.js:366:21:366:26 | target |
+| tst.js:361:10:361:42 | target | tst.js:366:21:366:26 | target |
+| tst.js:361:10:361:42 | target | tst.js:369:18:369:23 | target |
+| tst.js:361:10:361:42 | target | tst.js:369:18:369:23 | target |
+| tst.js:361:19:361:35 | document.___location | tst.js:361:19:361:42 | documen ... .search |
+| tst.js:361:19:361:35 | document.___location | tst.js:361:19:361:42 | documen ... .search |
+| tst.js:361:19:361:42 | documen ... .search | tst.js:361:10:361:42 | target |
 | typeahead.js:20:13:20:45 | target | typeahead.js:21:12:21:17 | target |
 | typeahead.js:20:22:20:38 | document.___location | typeahead.js:20:22:20:45 | documen ... .search |
 | typeahead.js:20:22:20:38 | document.___location | typeahead.js:20:22:20:45 | documen ... .search |
@@ -772,6 +791,9 @@ edges
 | tst.js:336:18:336:35 | params.get('name') | tst.js:330:18:330:34 | document.___location | tst.js:336:18:336:35 | params.get('name') | Cross-site scripting vulnerability due to $@. | tst.js:330:18:330:34 | document.___location | user-provided value |
 | tst.js:349:5:349:30 | getUrl( ... ring(1) | tst.js:347:20:347:36 | document.___location | tst.js:349:5:349:30 | getUrl( ... ring(1) | Cross-site scripting vulnerability due to $@. | tst.js:347:20:347:36 | document.___location | user-provided value |
 | tst.js:355:12:355:17 | target | tst.js:354:16:354:32 | document.___location | tst.js:355:12:355:17 | target | Cross-site scripting vulnerability due to $@. | tst.js:354:16:354:32 | document.___location | user-provided value |
+| tst.js:362:16:362:21 | target | tst.js:361:19:361:35 | document.___location | tst.js:362:16:362:21 | target | Cross-site scripting vulnerability due to $@. | tst.js:361:19:361:35 | document.___location | user-provided value |
+| tst.js:366:21:366:26 | target | tst.js:361:19:361:35 | document.___location | tst.js:366:21:366:26 | target | Cross-site scripting vulnerability due to $@. | tst.js:361:19:361:35 | document.___location | user-provided value |
+| tst.js:369:18:369:23 | target | tst.js:361:19:361:35 | document.___location | tst.js:369:18:369:23 | target | Cross-site scripting vulnerability due to $@. | tst.js:361:19:361:35 | document.___location | user-provided value |
 | typeahead.js:25:18:25:20 | val | typeahead.js:20:22:20:38 | document.___location | typeahead.js:25:18:25:20 | val | Cross-site scripting vulnerability due to $@. | typeahead.js:20:22:20:38 | document.___location | user-provided value |
 | v-html.vue:2:8:2:23 | v-html=tainted | v-html.vue:6:42:6:58 | document.___location | v-html.vue:2:8:2:23 | v-html=tainted | Cross-site scripting vulnerability due to $@. | v-html.vue:6:42:6:58 | document.___location | user-provided value |
 | winjs.js:3:43:3:49 | tainted | winjs.js:2:17:2:33 | document.___location | winjs.js:3:43:3:49 | tainted | Cross-site scripting vulnerability due to $@. | winjs.js:2:17:2:33 | document.___location | user-provided value |

javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom.expected

@@ -41,6 +41,11 @@ nodes
 | xss-through-dom.js:71:11:71:32 | $("inpu ... 0).name |
 | xss-through-dom.js:71:11:71:32 | $("inpu ... 0).name |
 | xss-through-dom.js:71:11:71:32 | $("inpu ... 0).name |
+| xss-through-dom.js:73:9:73:41 | selector |
+| xss-through-dom.js:73:20:73:41 | $("inpu ... 0).name |
+| xss-through-dom.js:73:20:73:41 | $("inpu ... 0).name |
+| xss-through-dom.js:77:7:77:14 | selector |
+| xss-through-dom.js:77:7:77:14 | selector |
 edges
 | xss-through-dom.js:2:16:2:34 | $("textarea").val() | xss-through-dom.js:2:16:2:34 | $("textarea").val() |
 | xss-through-dom.js:4:16:4:40 | $(".som ... .text() | xss-through-dom.js:4:16:4:40 | $(".som ... .text() |
@@ -56,6 +61,10 @@ edges
 | xss-through-dom.js:61:30:61:69 | $(docum ... value") | xss-through-dom.js:61:30:61:69 | $(docum ... value") |
 | xss-through-dom.js:64:30:64:40 | valMethod() | xss-through-dom.js:64:30:64:40 | valMethod() |
 | xss-through-dom.js:71:11:71:32 | $("inpu ... 0).name | xss-through-dom.js:71:11:71:32 | $("inpu ... 0).name |
+| xss-through-dom.js:73:9:73:41 | selector | xss-through-dom.js:77:7:77:14 | selector |
+| xss-through-dom.js:73:9:73:41 | selector | xss-through-dom.js:77:7:77:14 | selector |
+| xss-through-dom.js:73:20:73:41 | $("inpu ... 0).name | xss-through-dom.js:73:9:73:41 | selector |
+| xss-through-dom.js:73:20:73:41 | $("inpu ... 0).name | xss-through-dom.js:73:9:73:41 | selector |
 #select
 | xss-through-dom.js:2:16:2:34 | $("textarea").val() | xss-through-dom.js:2:16:2:34 | $("textarea").val() | xss-through-dom.js:2:16:2:34 | $("textarea").val() | Cross-site scripting vulnerability due to $@. | xss-through-dom.js:2:16:2:34 | $("textarea").val() | DOM text |
 | xss-through-dom.js:4:16:4:40 | $(".som ... .text() | xss-through-dom.js:4:16:4:40 | $(".som ... .text() | xss-through-dom.js:4:16:4:40 | $(".som ... .text() | Cross-site scripting vulnerability due to $@. | xss-through-dom.js:4:16:4:40 | $(".som ... .text() | DOM text |
@@ -71,3 +80,4 @@ edges
 | xss-through-dom.js:61:30:61:69 | $(docum ... value") | xss-through-dom.js:61:30:61:69 | $(docum ... value") | xss-through-dom.js:61:30:61:69 | $(docum ... value") | Cross-site scripting vulnerability due to $@. | xss-through-dom.js:61:30:61:69 | $(docum ... value") | DOM text |
 | xss-through-dom.js:64:30:64:40 | valMethod() | xss-through-dom.js:64:30:64:40 | valMethod() | xss-through-dom.js:64:30:64:40 | valMethod() | Cross-site scripting vulnerability due to $@. | xss-through-dom.js:64:30:64:40 | valMethod() | DOM text |
 | xss-through-dom.js:71:11:71:32 | $("inpu ... 0).name | xss-through-dom.js:71:11:71:32 | $("inpu ... 0).name | xss-through-dom.js:71:11:71:32 | $("inpu ... 0).name | Cross-site scripting vulnerability due to $@. | xss-through-dom.js:71:11:71:32 | $("inpu ... 0).name | DOM text |
+| xss-through-dom.js:77:7:77:14 | selector | xss-through-dom.js:73:20:73:41 | $("inpu ... 0).name | xss-through-dom.js:77:7:77:14 | selector | Cross-site scripting vulnerability due to $@. | xss-through-dom.js:73:20:73:41 | $("inpu ... 0).name | DOM text |

javascript/ql/test/query-tests/Security/CWE-079/XssWithAdditionalSources.expected

@@ -347,6 +347,16 @@ nodes
 | tst.js:354:16:354:39 | documen ... .search |
 | tst.js:355:12:355:17 | target |
 | tst.js:355:12:355:17 | target |
+| tst.js:361:10:361:42 | target |
+| tst.js:361:19:361:35 | document.___location |
+| tst.js:361:19:361:35 | document.___location |
+| tst.js:361:19:361:42 | documen ... .search |
+| tst.js:362:16:362:21 | target |
+| tst.js:362:16:362:21 | target |
+| tst.js:366:21:366:26 | target |
+| tst.js:366:21:366:26 | target |
+| tst.js:369:18:369:23 | target |
+| tst.js:369:18:369:23 | target |
 | typeahead.js:9:28:9:30 | loc |
 | typeahead.js:9:28:9:30 | loc |
 | typeahead.js:10:16:10:18 | loc |
@@ -674,6 +684,15 @@ edges
 | tst.js:354:16:354:32 | document.___location | tst.js:354:16:354:39 | documen ... .search |
 | tst.js:354:16:354:32 | document.___location | tst.js:354:16:354:39 | documen ... .search |
 | tst.js:354:16:354:39 | documen ... .search | tst.js:354:7:354:39 | target |
+| tst.js:361:10:361:42 | target | tst.js:362:16:362:21 | target |
+| tst.js:361:10:361:42 | target | tst.js:362:16:362:21 | target |
+| tst.js:361:10:361:42 | target | tst.js:366:21:366:26 | target |
+| tst.js:361:10:361:42 | target | tst.js:366:21:366:26 | target |
+| tst.js:361:10:361:42 | target | tst.js:369:18:369:23 | target |
+| tst.js:361:10:361:42 | target | tst.js:369:18:369:23 | target |
+| tst.js:361:19:361:35 | document.___location | tst.js:361:19:361:42 | documen ... .search |
+| tst.js:361:19:361:35 | document.___location | tst.js:361:19:361:42 | documen ... .search |
+| tst.js:361:19:361:42 | documen ... .search | tst.js:361:10:361:42 | target |
 | typeahead.js:9:28:9:30 | loc | typeahead.js:10:16:10:18 | loc |
 | typeahead.js:9:28:9:30 | loc | typeahead.js:10:16:10:18 | loc |
 | typeahead.js:9:28:9:30 | loc | typeahead.js:10:16:10:18 | loc |

javascript/ql/test/query-tests/Security/CWE-079/tst.js

@@ -355,3 +355,20 @@ function growl() {
   $.jGrowl(target); // NOT OK
 }
 
+function thisNodes() {
+	var pluginName = "myFancyJQueryPlugin";
+	var myPlugin = function () {
+	    var target = document.___location.search
+	    this.html(target); // NOT OK. (this is a jQuery object)
+		this.innerHTML = target // OK. (this is a jQuery object)
+	
+		this.each(function (i, e) {
+			this.innerHTML = target; // NOT OK. (this is a DOM-node);
+			this.html(target); // OK. (this is a DOM-node);
+			
+			e.innerHTML = target; // NOT OK.
+		});
+	}
+	$.fn[pluginName] = myPlugin; 
+
+}