Do not discard XSS sinks when non-content-type headers are local to the sendArgument expression

Alvaro Muñoz · Alvaro Muñoz · commit 41fea776e8be · 2022-10-13T17:50:43.000+02:00
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/ReflectedXssCustomizations.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/ReflectedXssCustomizations.qll
@@ -97,6 +97,7 @@ module ReflectedXss {
       // There is no dominating header, and `header` is non-local.
       not isLocalHeaderDefinition(header) and
       not exists(Http::HeaderDefinition dominatingHeader |
+        dominatingHeader.getAHeaderName() = "content-type" and
         dominatingHeader.getBasicBlock().(ReachableBasicBlock).dominates(sender.getBasicBlock())
       )
     )

Original file line number	Diff line number	Diff line change
`@@ -97,6 +97,7 @@ module ReflectedXss {`
`97`	`97`	// There is no dominating header, and `header` is non-local.
`98`	`98`	`not isLocalHeaderDefinition(header) and`
`99`	`99`	`not exists(Http::HeaderDefinition dominatingHeader \|`
	`100`	`+ dominatingHeader.getAHeaderName() = "content-type" and`
`100`	`101`	`dominatingHeader.getBasicBlock().(ReachableBasicBlock).dominates(sender.getBasicBlock())`
`101`	`102`	`)`
`102`	`103`	`)`