rename and move getAPropertyNameInterpretedAsJavaScriptUrl

erik-krogh · erik-krogh · commit 1f02594ccc79 · 2021-03-02T12:25:50.000+01:00
diff --git a/javascript/ql/src/semmle/javascript/DOM.qll b/javascript/ql/src/semmle/javascript/DOM.qll
@@ -491,4 +491,11 @@ module DOM {
     or
     result.hasUnderlyingType("Document")
   }
+
+  /**
+   * Holds if a value assigned to property `name` of a DOM node can be interpreted as JavaScript via the `javascript:` protocol.
+   */
+  string getAPropertyNameInterpretedAsJavaScriptUrl() {
+    result = ["action", "formaction", "href", "src", "data"]
+  }
 }
diff --git a/javascript/ql/src/semmle/javascript/security/dataflow/ClientSideUrlRedirectCustomizations.qll b/javascript/ql/src/semmle/javascript/security/dataflow/ClientSideUrlRedirectCustomizations.qll
@@ -172,7 +172,9 @@ module ClientSideUrlRedirect {
    */
   class ReactAttributeWriteUrlSink extends ScriptUrlSink {
     ReactAttributeWriteUrlSink() {
-      exists(JSXAttribute attr | attr.getName() = propertyNameIsInterpretedAsJavaScriptUrl() |
+      exists(JSXAttribute attr |
+        attr.getName() = DOM::getAPropertyNameInterpretedAsJavaScriptUrl()
+      |
         this = attr.getValue().flow()
       )
     }
diff --git a/javascript/ql/src/semmle/javascript/security/dataflow/DOM.qll b/javascript/ql/src/semmle/javascript/security/dataflow/DOM.qll
@@ -122,17 +122,10 @@ class DomPropWriteNode extends Assignment {
    * Holds if the assigned value is interpreted as JavaScript via javascript: protocol.
    */
   predicate interpretsValueAsJavaScriptUrl() {
-    lhs.getPropertyName() = propertyNameIsInterpretedAsJavaScriptUrl()
+    lhs.getPropertyName() = DOM::getAPropertyNameInterpretedAsJavaScriptUrl()
   }
 }
 
-/**
- * Holds if a value assigned to property `name` of a DOM node can be interpreted as JavaScript via the `javascript:` protocol.
- */
-string propertyNameIsInterpretedAsJavaScriptUrl() {
-  result = ["action", "formaction", "href", "src", "data"]
-}
-
 /**
  * A value written to web storage, like `localStorage` or `sessionStorage`.
  */

Original file line number	Diff line number	Diff line change
`@@ -491,4 +491,11 @@ module DOM {`
`491`	`491`	`or`
`492`	`492`	`result.hasUnderlyingType("Document")`
`493`	`493`	`}`
	`494`	`+`
	`495`	`+ /**`
	`496`	+ * Holds if a value assigned to property `name` of a DOM node can be interpreted as JavaScript via the `javascript:` protocol.
	`497`	`+ */`
	`498`	`+ string getAPropertyNameInterpretedAsJavaScriptUrl() {`
	`499`	`+ result = ["action", "formaction", "href", "src", "data"]`
	`500`	`+ }`
`494`	`501`	`}`
Original file line number	Diff line number	Diff line change
`@@ -172,7 +172,9 @@ module ClientSideUrlRedirect {`
`172`	`172`	`*/`
`173`	`173`	`class ReactAttributeWriteUrlSink extends ScriptUrlSink {`
`174`	`174`	`ReactAttributeWriteUrlSink() {`
`175`		`- exists(JSXAttribute attr \| attr.getName() = propertyNameIsInterpretedAsJavaScriptUrl() \|`
	`175`	`+ exists(JSXAttribute attr \|`
	`176`	`+ attr.getName() = DOM::getAPropertyNameInterpretedAsJavaScriptUrl()`
	`177`	`+ \|`
`176`	`178`	`this = attr.getValue().flow()`
`177`	`179`	`)`
`178`	`180`	`}`