Merge pull request #628 from xiemaisi/js/setUnsafeHTML

semmle-qlci · web-flow · commit 339753304531 · 2018-12-06T13:58:52.000Z
Approved by esben-semmle
diff --git a/change-notes/1.20/analysis-javascript.md b/change-notes/1.20/analysis-javascript.md
@@ -18,7 +18,7 @@
 
 | **Query**                                  | **Expected impact**          | **Change**                                                                   |
 |--------------------------------------------|------------------------------|------------------------------------------------------------------------------|
+| Client-side cross-site scripting           | More results                 | This rule now recognizes WinJS functions that are vulnerable to HTML injection. |
 | Unused variable, import, function or class | Fewer false-positive results | This rule now flags fewer variables that are implictly used by JSX elements. |
-|                                            |                              |                                                                              |
 
 ## Changes to QL libraries
diff --git a/javascript/ql/src/Security/CWE-079/Xss.ql b/javascript/ql/src/Security/CWE-079/Xss.ql
@@ -1,5 +1,5 @@
 /**
- * @name Client side cross-site scripting
+ * @name Client-side cross-site scripting
  * @description Writing user input directly to the DOM allows for
  *              a cross-site scripting vulnerability.
  * @kind path-problem
diff --git a/javascript/ql/src/semmle/javascript/security/dataflow/DomBasedXss.qll b/javascript/ql/src/semmle/javascript/security/dataflow/DomBasedXss.qll
@@ -96,6 +96,13 @@ module DomBasedXss {
       or
       // call to an Angular method that interprets its argument as HTML
       any(AngularJS::AngularJSCall call).interpretsArgumentAsHtml(this.asExpr())
+      or
+      // call to a WinJS function that interprets its argument as HTML
+      exists (DataFlow::MethodCallNode mcn, string m |
+        m = "setInnerHTMLUnsafe" or m = "setOuterHTMLUnsafe" |
+        mcn.getMethodName() = m and
+        this = mcn.getArgument(1)
+      )
     }
   }
 
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/StoredXss.expected b/javascript/ql/test/query-tests/Security/CWE-079/StoredXss.expected
@@ -205,6 +205,12 @@ nodes
 | tst.js:244:39:244:55 | props.propTainted |
 | tst.js:248:60:248:82 | this.st ... Tainted |
 | tst.js:252:23:252:29 | tainted |
+| winjs.js:2:7:2:53 | tainted |
+| winjs.js:2:17:2:33 | document.location |
+| winjs.js:2:17:2:40 | documen ... .search |
+| winjs.js:2:17:2:53 | documen ... ring(1) |
+| winjs.js:3:43:3:49 | tainted |
+| winjs.js:4:43:4:49 | tainted |
 | xss-through-filenames.js:7:43:7:48 | files1 |
 | xss-through-filenames.js:8:18:8:23 | files1 |
 | xss-through-filenames.js:25:43:25:48 | files1 |
@@ -377,6 +383,11 @@ edges
 | tst.js:238:23:238:29 | tainted | tst.js:228:32:228:49 | prevProps.tainted4 |
 | tst.js:244:39:244:55 | props.propTainted | tst.js:248:60:248:82 | this.st ... Tainted |
 | tst.js:252:23:252:29 | tainted | tst.js:244:39:244:55 | props.propTainted |
+| winjs.js:2:7:2:53 | tainted | winjs.js:3:43:3:49 | tainted |
+| winjs.js:2:7:2:53 | tainted | winjs.js:4:43:4:49 | tainted |
+| winjs.js:2:17:2:33 | document.location | winjs.js:2:17:2:40 | documen ... .search |
+| winjs.js:2:17:2:40 | documen ... .search | winjs.js:2:17:2:53 | documen ... ring(1) |
+| winjs.js:2:17:2:53 | documen ... ring(1) | winjs.js:2:7:2:53 | tainted |
 | xss-through-filenames.js:7:43:7:48 | files1 | xss-through-filenames.js:8:18:8:23 | files1 |
 | xss-through-filenames.js:25:43:25:48 | files1 | xss-through-filenames.js:26:19:26:24 | files1 |
 | xss-through-filenames.js:25:43:25:48 | files1 | xss-through-filenames.js:30:34:30:37 | file |
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/Xss.expected b/javascript/ql/test/query-tests/Security/CWE-079/Xss.expected
@@ -162,6 +162,12 @@ nodes
 | tst.js:244:39:244:55 | props.propTainted |
 | tst.js:248:60:248:82 | this.st ... Tainted |
 | tst.js:252:23:252:29 | tainted |
+| winjs.js:2:7:2:53 | tainted |
+| winjs.js:2:17:2:33 | document.location |
+| winjs.js:2:17:2:40 | documen ... .search |
+| winjs.js:2:17:2:53 | documen ... ring(1) |
+| winjs.js:3:43:3:49 | tainted |
+| winjs.js:4:43:4:49 | tainted |
 edges
 | addEventListener.js:1:43:1:47 | event | addEventListener.js:2:20:2:24 | event |
 | addEventListener.js:2:20:2:24 | event | addEventListener.js:2:20:2:29 | event.data |
@@ -288,6 +294,11 @@ edges
 | tst.js:238:23:238:29 | tainted | tst.js:228:32:228:49 | prevProps.tainted4 |
 | tst.js:244:39:244:55 | props.propTainted | tst.js:248:60:248:82 | this.st ... Tainted |
 | tst.js:252:23:252:29 | tainted | tst.js:244:39:244:55 | props.propTainted |
+| winjs.js:2:7:2:53 | tainted | winjs.js:3:43:3:49 | tainted |
+| winjs.js:2:7:2:53 | tainted | winjs.js:4:43:4:49 | tainted |
+| winjs.js:2:17:2:33 | document.location | winjs.js:2:17:2:40 | documen ... .search |
+| winjs.js:2:17:2:40 | documen ... .search | winjs.js:2:17:2:53 | documen ... ring(1) |
+| winjs.js:2:17:2:53 | documen ... ring(1) | winjs.js:2:7:2:53 | tainted |
 #select
 | addEventListener.js:2:20:2:29 | event.data | addEventListener.js:1:43:1:47 | event | addEventListener.js:2:20:2:29 | event.data | Cross-site scripting vulnerability due to $@. | addEventListener.js:1:43:1:47 | event | user-provided value |
 | jquery.js:4:5:4:11 | tainted | jquery.js:2:17:2:33 | document.location | jquery.js:4:5:4:11 | tainted | Cross-site scripting vulnerability due to $@. | jquery.js:2:17:2:33 | document.location | user-provided value |
@@ -349,3 +360,5 @@ edges
 | tst.js:224:28:224:46 | this.props.tainted3 | tst.js:194:19:194:35 | document.location | tst.js:224:28:224:46 | this.props.tainted3 | Cross-site scripting vulnerability due to $@. | tst.js:194:19:194:35 | document.location | user-provided value |
 | tst.js:228:32:228:49 | prevProps.tainted4 | tst.js:194:19:194:35 | document.location | tst.js:228:32:228:49 | prevProps.tainted4 | Cross-site scripting vulnerability due to $@. | tst.js:194:19:194:35 | document.location | user-provided value |
 | tst.js:248:60:248:82 | this.st ... Tainted | tst.js:194:19:194:35 | document.location | tst.js:248:60:248:82 | this.st ... Tainted | Cross-site scripting vulnerability due to $@. | tst.js:194:19:194:35 | document.location | user-provided value |
+| winjs.js:3:43:3:49 | tainted | winjs.js:2:17:2:33 | document.location | winjs.js:3:43:3:49 | tainted | Cross-site scripting vulnerability due to $@. | winjs.js:2:17:2:33 | document.location | user-provided value |
+| winjs.js:4:43:4:49 | tainted | winjs.js:2:17:2:33 | document.location | winjs.js:4:43:4:49 | tainted | Cross-site scripting vulnerability due to $@. | winjs.js:2:17:2:33 | document.location | user-provided value |
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/winjs.js b/javascript/ql/test/query-tests/Security/CWE-079/winjs.js
@@ -0,0 +1,5 @@
+function test(elt) {
+  var tainted = document.location.search.substring(1);
+  WinJS.Utilities.setInnerHTMLUnsafe(elt, tainted);
+  WinJS.Utilities.setOuterHTMLUnsafe(elt, tainted);
+}

Original file line number	Diff line number	Diff line change
`@@ -96,6 +96,13 @@ module DomBasedXss {`
`96`	`96`	`or`
`97`	`97`	`// call to an Angular method that interprets its argument as HTML`
`98`	`98`	`any(AngularJS::AngularJSCall call).interpretsArgumentAsHtml(this.asExpr())`
	`99`	`+ or`
	`100`	`+ // call to a WinJS function that interprets its argument as HTML`
	`101`	`+ exists (DataFlow::MethodCallNode mcn, string m \|`
	`102`	`+ m = "setInnerHTMLUnsafe" or m = "setOuterHTMLUnsafe" \|`
	`103`	`+ mcn.getMethodName() = m and`
	`104`	`+ this = mcn.getArgument(1)`
	`105`	`+ )`
`99`	`106`	`}`
`100`	`107`	`}`
`101`	`108`