Merge pull request github#5112 from erik-krogh/forms

codeql-ci · web-flow · commit 02578cfff27b · 2021-02-11T04:32:14.000-08:00
Approved by asgerf
diff --git a/javascript/change-notes/2021-02-08-xss-through-dom-forms.md b/javascript/change-notes/2021-02-08-xss-through-dom-forms.md
@@ -0,0 +1,6 @@
+lgtm,codescanning
+* The `js/xss-through-dom` query now recognizes form inputs as sources.
+  Affected packages are
+    [formik](https://www.npmjs.com/package/formik) and
+    [react-final-form](https://www.npmjs.com/package/react-final-form) and
+    [react-hook-form](https://www.npmjs.com/package/react-hook-form)
diff --git a/javascript/ql/src/semmle/javascript/DOM.qll b/javascript/ql/src/semmle/javascript/DOM.qll
@@ -357,6 +357,25 @@ module DOM {
     }
   }
 
+  /**
+   * Gets a reference to a DOM event.
+   */
+  private DataFlow::SourceNode domEventSource() {
+    // e.g. <form onSubmit={e => e.target}/>
+    exists(JSXAttribute attr | attr.getName().matches("on%") |
+      result = attr.getValue().flow().getABoundFunctionValue(0).getParameter(0)
+    )
+    or
+    // node.addEventListener("submit", e => e.target)
+    result = domValueRef().getAMethodCall("addEventListener").getABoundCallbackParameter(1, 0)
+    or
+    // node.onSubmit = (e => e.target);
+    exists(DataFlow::PropWrite write | write = domValueRef().getAPropertyWrite() |
+      write.getPropertyName().matches("on%") and
+      result = write.getRhs().getAFunctionValue().getParameter(0)
+    )
+  }
+
   /** Gets a data flow node that refers directly to a value from the DOM. */
   DataFlow::SourceNode domValueSource() { result instanceof DomValueSource::Range }
 
@@ -368,6 +387,9 @@ module DOM {
     t.start() and
     result = domValueRef().getAMethodCall(["item", "namedItem"])
     or
+    t.startInProp("target") and
+    result = domEventSource()
+    or
     exists(DataFlow::TypeTracker t2 | result = domValueRef(t2).track(t2, t))
   }
 
diff --git a/javascript/ql/src/semmle/javascript/security/dataflow/XssThroughDom.qll b/javascript/ql/src/semmle/javascript/security/dataflow/XssThroughDom.qll
@@ -11,8 +11,8 @@ private import semmle.javascript.dataflow.InferredTypes
  */
 module XssThroughDom {
   import Xss::XssThroughDom
+  private import XssThroughDomCustomizations::XssThroughDom
   private import semmle.javascript.security.dataflow.Xss::DomBasedXss as DomBasedXss
-  private import semmle.javascript.dataflow.InferredTypes
   private import semmle.javascript.security.dataflow.UnsafeJQueryPluginCustomizations::UnsafeJQueryPlugin as UnsafeJQuery
 
   /**
@@ -40,88 +40,4 @@ module XssThroughDom {
       DomBasedXss::isOptionallySanitizedEdge(pred, succ)
     }
   }
-
-  /**
-   * Gets an attribute name that could store user-controlled data.
-   *
-   * Attributes such as "id", "href", and "src" are often used as input to HTML.
-   * However, they are either rarely controlable by a user, or already a sink for other XSS vulnerabilities.
-   * Such attributes are therefore ignored.
-   */
-  bindingset[result]
-  string unsafeAttributeName() {
-    result.regexpMatch("data-.*") or
-    result.regexpMatch("aria-.*") or
-    result = ["name", "value", "title", "alt"]
-  }
-
-  /**
-   * A source for text from the DOM from a JQuery method call.
-   */
-  class JQueryTextSource extends Source, JQuery::MethodCall {
-    JQueryTextSource() {
-      (
-        this.getMethodName() = ["text", "val"] and this.getNumArgument() = 0
-        or
-        this.getMethodName() = "attr" and
-        this.getNumArgument() = 1 and
-        forex(InferredType t | t = this.getArgument(0).analyze().getAType() | t = TTString()) and
-        this.getArgument(0).mayHaveStringValue(unsafeAttributeName())
-      ) and
-      // looks like a $("<p>" + ... ) source, which is benign for this query.
-      not exists(DataFlow::Node prefix |
-        DomBasedXss::isPrefixOfJQueryHtmlString(this.getReceiver()
-              .(DataFlow::CallNode)
-              .getAnArgument(), prefix)
-      |
-        prefix.getStringValue().regexpMatch("\\s*<.*")
-      )
-    }
-  }
-
-  /**
-   * A source for text from the DOM from a DOM property read or call to `getAttribute()`.
-   */
-  class DOMTextSource extends Source {
-    DOMTextSource() {
-      exists(DataFlow::PropRead read | read = this |
-        read.getBase().getALocalSource() = DOM::domValueRef() and
-        read.mayHavePropertyName(["innerText", "textContent", "value", "name"])
-      )
-      or
-      exists(DataFlow::MethodCallNode mcn | mcn = this |
-        mcn.getReceiver().getALocalSource() = DOM::domValueRef() and
-        mcn.getMethodName() = "getAttribute" and
-        mcn.getArgument(0).mayHaveStringValue(unsafeAttributeName())
-      )
-    }
-  }
-
-  /**
-   * A test of form `typeof x === "something"`, preventing `x` from being a string in some cases.
-   *
-   * This sanitizer helps prune infeasible paths in type-overloaded functions.
-   */
-  class TypeTestGuard extends TaintTracking::SanitizerGuardNode, DataFlow::ValueNode {
-    override EqualityTest astNode;
-    Expr operand;
-    boolean polarity;
-
-    TypeTestGuard() {
-      exists(TypeofTag tag | TaintTracking::isTypeofGuard(astNode, operand, tag) |
-        // typeof x === "string" sanitizes `x` when it evaluates to false
-        tag = "string" and
-        polarity = astNode.getPolarity().booleanNot()
-        or
-        // typeof x === "object" sanitizes `x` when it evaluates to true
-        tag != "string" and
-        polarity = astNode.getPolarity()
-      )
-    }
-
-    override predicate sanitizes(boolean outcome, Expr e) {
-      polarity = outcome and
-      e = operand
-    }
-  }
 }
diff --git a/javascript/ql/src/semmle/javascript/security/dataflow/XssThroughDomCustomizations.qll b/javascript/ql/src/semmle/javascript/security/dataflow/XssThroughDomCustomizations.qll
@@ -0,0 +1,174 @@
+/**
+ * Provides default sources for reasoning about
+ * cross-site scripting vulnerabilities through the DOM.
+ */
+
+import javascript
+
+/**
+ * Sources for cross-site scripting vulnerabilities through the DOM.
+ */
+module XssThroughDom {
+  import Xss::XssThroughDom
+  private import semmle.javascript.dataflow.InferredTypes
+  private import semmle.javascript.security.dataflow.Xss::DomBasedXss as DomBasedXss
+
+  /**
+   * Gets an attribute name that could store user-controlled data.
+   *
+   * Attributes such as "id", "href", and "src" are often used as input to HTML.
+   * However, they are either rarely controlable by a user, or already a sink for other XSS vulnerabilities.
+   * Such attributes are therefore ignored.
+   */
+  bindingset[result]
+  string unsafeAttributeName() {
+    result.regexpMatch("data-.*") or
+    result.regexpMatch("aria-.*") or
+    result = ["name", "value", "title", "alt"]
+  }
+
+  /**
+   * A source for text from the DOM from a JQuery method call.
+   */
+  class JQueryTextSource extends Source, JQuery::MethodCall {
+    JQueryTextSource() {
+      (
+        this.getMethodName() = ["text", "val"] and this.getNumArgument() = 0
+        or
+        this.getMethodName() = "attr" and
+        this.getNumArgument() = 1 and
+        forex(InferredType t | t = this.getArgument(0).analyze().getAType() | t = TTString()) and
+        this.getArgument(0).mayHaveStringValue(unsafeAttributeName())
+      ) and
+      // looks like a $("<p>" + ... ) source, which is benign for this query.
+      not exists(DataFlow::Node prefix |
+        DomBasedXss::isPrefixOfJQueryHtmlString(this.getReceiver()
+              .(DataFlow::CallNode)
+              .getAnArgument(), prefix)
+      |
+        prefix.getStringValue().regexpMatch("\\s*<.*")
+      )
+    }
+  }
+
+  /**
+   * A source for text from the DOM from a DOM property read or call to `getAttribute()`.
+   */
+  class DOMTextSource extends Source {
+    DOMTextSource() {
+      exists(DataFlow::PropRead read | read = this |
+        read.getBase().getALocalSource() = DOM::domValueRef() and
+        read.mayHavePropertyName(["innerText", "textContent", "value", "name"])
+      )
+      or
+      exists(DataFlow::MethodCallNode mcn | mcn = this |
+        mcn.getReceiver().getALocalSource() = DOM::domValueRef() and
+        mcn.getMethodName() = "getAttribute" and
+        mcn.getArgument(0).mayHaveStringValue(unsafeAttributeName())
+      )
+    }
+  }
+
+  /**
+   * A test of form `typeof x === "something"`, preventing `x` from being a string in some cases.
+   *
+   * This sanitizer helps prune infeasible paths in type-overloaded functions.
+   */
+  class TypeTestGuard extends TaintTracking::SanitizerGuardNode, DataFlow::ValueNode {
+    override EqualityTest astNode;
+    Expr operand;
+    boolean polarity;
+
+    TypeTestGuard() {
+      exists(TypeofTag tag | TaintTracking::isTypeofGuard(astNode, operand, tag) |
+        // typeof x === "string" sanitizes `x` when it evaluates to false
+        tag = "string" and
+        polarity = astNode.getPolarity().booleanNot()
+        or
+        // typeof x === "object" sanitizes `x` when it evaluates to true
+        tag != "string" and
+        polarity = astNode.getPolarity()
+      )
+    }
+
+    override predicate sanitizes(boolean outcome, Expr e) {
+      polarity = outcome and
+      e = operand
+    }
+  }
+
+  /**
+   * A module for form inputs seen as sources for xss-through-dom.
+   */
+  module Forms {
+    /**
+     * A reference to an import of `Formik`.
+     */
+    private DataFlow::SourceNode formik() {
+      result = DataFlow::moduleImport("formik")
+      or
+      result = DataFlow::globalVarRef("Formik")
+    }
+
+    /**
+     * An object containing input values from a form build with `Formik`.
+     */
+    class FormikSource extends Source {
+      FormikSource() {
+        exists(JSXElement elem |
+          formik().getAPropertyRead("Formik").flowsToExpr(elem.getNameExpr())
+        |
+          this =
+            elem.getAttributeByName(["validate", "onSubmit"])
+                .getValue()
+                .flow()
+                .getAFunctionValue()
+                .getParameter(0)
+        )
+        or
+        this =
+          formik()
+              .getAMemberCall("withFormik")
+              .getOptionArgument(0, ["validate", "handleSubmit"])
+              .getAFunctionValue()
+              .getParameter(0)
+        or
+        this = formik().getAMemberCall("useFormikContext").getAPropertyRead("values")
+      }
+    }
+
+    /**
+     * An object containing input values from a form build with `react-final-form`.
+     */
+    class ReactFinalFormSource extends Source {
+      ReactFinalFormSource() {
+        exists(JSXElement elem |
+          DataFlow::moduleMember("react-final-form", "Form").flowsToExpr(elem.getNameExpr())
+        |
+          this =
+            elem.getAttributeByName("onSubmit")
+                .getValue()
+                .flow()
+                .getAFunctionValue()
+                .getParameter(0)
+        )
+      }
+    }
+
+    /**
+     * An object containing input values from a form build with `react-hook-form`.
+     */
+    class ReactHookFormSource extends Source {
+      ReactHookFormSource() {
+        exists(API::Node useForm |
+          useForm = API::moduleImport("react-hook-form").getMember("useForm").getReturn()
+        |
+          this =
+            useForm.getMember("handleSubmit").getParameter(0).getParameter(0).getAnImmediateUse()
+          or
+          this = useForm.getMember("getValues").getACall()
+        )
+      }
+    }
+  }
+}
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/XssThroughDom.expected b/javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/XssThroughDom.expected
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/forms.js b/javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/forms.js
