detect DOM nodes from event callbacks

erik-krogh · erik-krogh · commit 101d4358a9f3 · 2021-02-10T14:17:49.000+01:00
diff --git a/javascript/ql/src/semmle/javascript/DOM.qll b/javascript/ql/src/semmle/javascript/DOM.qll
@@ -361,9 +361,19 @@ module DOM {
    * Gets a reference to a DOM event.
    */
   private DataFlow::SourceNode domEventSource() {
+    // e.g. <form onSubmit={e => e.target}/>
     exists(JSXAttribute attr | attr.getName().matches("on%") |
       result = attr.getValue().flow().getABoundFunctionValue(0).getParameter(0)
     )
+    or
+    // node.addEventListener("submit", e => e.target)
+    result = domValueRef().getAMethodCall("addEventListener").getABoundCallbackParameter(1, 0)
+    or
+    // node.onSubmit = (e => e.target);
+    exists(DataFlow::PropWrite write | write = domValueRef().getAPropertyWrite() |
+      write.getPropertyName().matches("on%") and
+      result = write.getRhs().getAFunctionValue().getParameter(0)
+    )
   }
 
   /** Gets a data flow node that refers directly to a value from the DOM. */
@@ -377,7 +387,6 @@ module DOM {
     t.start() and
     result = domValueRef().getAMethodCall(["item", "namedItem"])
     or
-    // e.g. <form onSubmit={e => e.target}/>
     t.startInProp("target") and
     result = domEventSource()
     or
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/XssThroughDom.expected b/javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/XssThroughDom.expected
@@ -44,6 +44,12 @@ nodes
 | forms.js:93:25:93:30 | values |
 | forms.js:93:25:93:35 | values.name |
 | forms.js:93:25:93:35 | values.name |
+| forms.js:103:23:103:36 | e.target.value |
+| forms.js:103:23:103:36 | e.target.value |
+| forms.js:103:23:103:36 | e.target.value |
+| forms.js:107:23:107:36 | e.target.value |
+| forms.js:107:23:107:36 | e.target.value |
+| forms.js:107:23:107:36 | e.target.value |
 | xss-through-dom.js:2:16:2:34 | $("textarea").val() |
 | xss-through-dom.js:2:16:2:34 | $("textarea").val() |
 | xss-through-dom.js:2:16:2:34 | $("textarea").val() |
@@ -130,6 +136,8 @@ edges
 | forms.js:92:26:92:36 | getValues() | forms.js:92:17:92:36 | values |
 | forms.js:93:25:93:30 | values | forms.js:93:25:93:35 | values.name |
 | forms.js:93:25:93:30 | values | forms.js:93:25:93:35 | values.name |
+| forms.js:103:23:103:36 | e.target.value | forms.js:103:23:103:36 | e.target.value |
+| forms.js:107:23:107:36 | e.target.value | forms.js:107:23:107:36 | e.target.value |
 | xss-through-dom.js:2:16:2:34 | $("textarea").val() | xss-through-dom.js:2:16:2:34 | $("textarea").val() |
 | xss-through-dom.js:4:16:4:40 | $(".som ... .text() | xss-through-dom.js:4:16:4:40 | $(".som ... .text() |
 | xss-through-dom.js:8:16:8:53 | $(".som ... arget") | xss-through-dom.js:8:16:8:53 | $(".som ... arget") |
@@ -159,6 +167,8 @@ edges
 | forms.js:57:19:57:32 | e.target.value | forms.js:57:19:57:32 | e.target.value | forms.js:57:19:57:32 | e.target.value | $@ is reinterpreted as HTML without escaping meta-characters. | forms.js:57:19:57:32 | e.target.value | DOM text |
 | forms.js:72:19:72:27 | data.name | forms.js:71:21:71:24 | data | forms.js:72:19:72:27 | data.name | $@ is reinterpreted as HTML without escaping meta-characters. | forms.js:71:21:71:24 | data | DOM text |
 | forms.js:93:25:93:35 | values.name | forms.js:92:26:92:36 | getValues() | forms.js:93:25:93:35 | values.name | $@ is reinterpreted as HTML without escaping meta-characters. | forms.js:92:26:92:36 | getValues() | DOM text |
+| forms.js:103:23:103:36 | e.target.value | forms.js:103:23:103:36 | e.target.value | forms.js:103:23:103:36 | e.target.value | $@ is reinterpreted as HTML without escaping meta-characters. | forms.js:103:23:103:36 | e.target.value | DOM text |
+| forms.js:107:23:107:36 | e.target.value | forms.js:107:23:107:36 | e.target.value | forms.js:107:23:107:36 | e.target.value | $@ is reinterpreted as HTML without escaping meta-characters. | forms.js:107:23:107:36 | e.target.value | DOM text |
 | xss-through-dom.js:2:16:2:34 | $("textarea").val() | xss-through-dom.js:2:16:2:34 | $("textarea").val() | xss-through-dom.js:2:16:2:34 | $("textarea").val() | $@ is reinterpreted as HTML without escaping meta-characters. | xss-through-dom.js:2:16:2:34 | $("textarea").val() | DOM text |
 | xss-through-dom.js:4:16:4:40 | $(".som ... .text() | xss-through-dom.js:4:16:4:40 | $(".som ... .text() | xss-through-dom.js:4:16:4:40 | $(".som ... .text() | $@ is reinterpreted as HTML without escaping meta-characters. | xss-through-dom.js:4:16:4:40 | $(".som ... .text() | DOM text |
 | xss-through-dom.js:8:16:8:53 | $(".som ... arget") | xss-through-dom.js:8:16:8:53 | $(".som ... arget") | xss-through-dom.js:8:16:8:53 | $(".som ... arget") | $@ is reinterpreted as HTML without escaping meta-characters. | xss-through-dom.js:8:16:8:53 | $(".som ... arget") | DOM text |
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/forms.js b/javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/forms.js
@@ -97,4 +97,13 @@ function HookForm2() {
     </form>
   );
 }
-  
+
+function vanillaJS() {
+    document.querySelector("form.myform").addEventListener("submit", e => {
+        $("#id").html(e.target.value); // NOT OK
+    });
+
+    document.querySelector("form.myform").onsubmit = function (e) {
+        $("#id").html(e.target.value); // NOT OK
+    }
+}
