JS: Add step to a few other queries

asgerf · asgerf · commit 4f0e17bf9790 · 2023-03-07T09:39:40.000+01:00
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/ClientSideUrlRedirectQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/ClientSideUrlRedirectQuery.qll
@@ -48,6 +48,12 @@ class Configuration extends TaintTracking::Configuration {
     f instanceof DocumentUrl and
     g instanceof DocumentUrl and
     succ.(DataFlow::PropRead).accesses(pred, "href")
+    or
+    exists(HtmlSanitizerCall call |
+      pred = call.getInput() and
+      succ = call and
+      f = g
+    )
   }
 
   override predicate isSanitizerGuard(TaintTracking::SanitizerGuardNode guard) {
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/RequestForgeryCustomizations.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/RequestForgeryCustomizations.qll
@@ -72,6 +72,11 @@ module RequestForgery {
       succ = url and
       pred = url.getArgument(0)
     )
+    or
+    exists(HtmlSanitizerCall call |
+      pred = call.getInput() and
+      succ = call
+    )
   }
 
   private class SinkFromModel extends Sink {
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/ServerSideUrlRedirectQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/ServerSideUrlRedirectQuery.qll
@@ -35,6 +35,13 @@ class Configuration extends TaintTracking::Configuration {
     guard instanceof LocalUrlSanitizingGuard or
     guard instanceof HostnameSanitizerGuard
   }
+
+  override predicate isAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
+    exists(HtmlSanitizerCall call |
+      pred = call.getInput() and
+      succ = call
+    )
+  }
 }
 
 /**
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/TaintedPathCustomizations.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/TaintedPathCustomizations.qll
@@ -841,6 +841,12 @@ module TaintedPath {
       dst = call and
       srclabel = dstlabel
     )
+    or
+    exists(HtmlSanitizerCall call |
+      src = call.getInput() and
+      dst = call and
+      srclabel = dstlabel
+    )
   }
 
   /**

Original file line number	Diff line number	Diff line change
`@@ -72,6 +72,11 @@ module RequestForgery {`
`72`	`72`	`succ = url and`
`73`	`73`	`pred = url.getArgument(0)`
`74`	`74`	`)`
	`75`	`+ or`
	`76`	`+ exists(HtmlSanitizerCall call \|`
	`77`	`+ pred = call.getInput() and`
	`78`	`+ succ = call`
	`79`	`+ )`
`75`	`80`	`}`
`76`	`81`
`77`	`82`	`private class SinkFromModel extends Sink {`
Original file line number	Diff line number	Diff line change
`@@ -35,6 +35,13 @@ class Configuration extends TaintTracking::Configuration {`
`35`	`35`	`guard instanceof LocalUrlSanitizingGuard or`
`36`	`36`	`guard instanceof HostnameSanitizerGuard`
`37`	`37`	`}`
	`38`	`+`
	`39`	`+ override predicate isAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) {`
	`40`	`+ exists(HtmlSanitizerCall call \|`
	`41`	`+ pred = call.getInput() and`
	`42`	`+ succ = call`
	`43`	`+ )`
	`44`	`+ }`
`38`	`45`	`}`
`39`	`46`
`40`	`47`	`/**`
Original file line number	Diff line number	Diff line change
`@@ -841,6 +841,12 @@ module TaintedPath {`
`841`	`841`	`dst = call and`
`842`	`842`	`srclabel = dstlabel`
`843`	`843`	`)`
	`844`	`+ or`
	`845`	`+ exists(HtmlSanitizerCall call \|`
	`846`	`+ src = call.getInput() and`
	`847`	`+ dst = call and`
	`848`	`+ srclabel = dstlabel`
	`849`	`+ )`
`844`	`850`	`}`
`845`	`851`
`846`	`852`	`/**`