
Commit 36049f0

committed
update Next.js xss example such that the attack is viable
1 parent 1f02594 commit 36049f0


2 files changed

+12
-10
lines changed


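--- a/javascript/ql/test/query-tests/Security/CWE-601/ClientSideUrlRedirect/ClientSideUrlRedirect.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-601/ClientSideUrlRedirect/ClientSideUrlRedirect.expected
@@ -14,11 +14,13 @@ nodes
 | react.js:28:43:28:59 | document.location |
 | react.js:28:43:28:59 | document.location |
 | react.js:28:43:28:64 | documen ... on.hash |
-| react.js:28:43:28:64 | documen ... on.hash |
+| react.js:28:43:28:74 | documen ... bstr(1) |
+| react.js:28:43:28:74 | documen ... bstr(1) |
 | react.js:34:43:34:59 | document.location |
 | react.js:34:43:34:59 | document.location |
 | react.js:34:43:34:64 | documen ... on.hash |
-| react.js:34:43:34:64 | documen ... on.hash |
+| react.js:34:43:34:74 | documen ... bstr(1) |
+| react.js:34:43:34:74 | documen ... bstr(1) |
 | sanitizer.js:2:9:2:25 | url |
 | sanitizer.js:2:15:2:25 | window.name |
 | sanitizer.js:2:15:2:25 | window.name |
@@ -215,12 +217,12 @@ edges
 | react.js:21:24:21:40 | document.location | react.js:21:24:21:45 | documen ... on.hash |
 | react.js:28:43:28:59 | document.location | react.js:28:43:28:64 | documen ... on.hash |
 | react.js:28:43:28:59 | document.location | react.js:28:43:28:64 | documen ... on.hash |
-| react.js:28:43:28:59 | document.location | react.js:28:43:28:64 | documen ... on.hash |
-| react.js:28:43:28:59 | document.location | react.js:28:43:28:64 | documen ... on.hash |
-| react.js:34:43:34:59 | document.location | react.js:34:43:34:64 | documen ... on.hash |
-| react.js:34:43:34:59 | document.location | react.js:34:43:34:64 | documen ... on.hash |
+| react.js:28:43:28:64 | documen ... on.hash | react.js:28:43:28:74 | documen ... bstr(1) |
+| react.js:28:43:28:64 | documen ... on.hash | react.js:28:43:28:74 | documen ... bstr(1) |
 | react.js:34:43:34:59 | document.location | react.js:34:43:34:64 | documen ... on.hash |
 | react.js:34:43:34:59 | document.location | react.js:34:43:34:64 | documen ... on.hash |
+| react.js:34:43:34:64 | documen ... on.hash | react.js:34:43:34:74 | documen ... bstr(1) |
+| react.js:34:43:34:64 | documen ... on.hash | react.js:34:43:34:74 | documen ... bstr(1) |
 | sanitizer.js:2:9:2:25 | url | sanitizer.js:4:27:4:29 | url |
 | sanitizer.js:2:9:2:25 | url | sanitizer.js:4:27:4:29 | url |
 | sanitizer.js:2:9:2:25 | url | sanitizer.js:16:27:16:29 | url |
@@ -392,8 +394,8 @@ edges
 | electron.js:7:20:7:29 | getTaint() | electron.js:4:12:4:22 | window.name | electron.js:7:20:7:29 | getTaint() | Untrusted URL redirection due to $@. | electron.js:4:12:4:22 | window.name | user-provided value |
 | react.js:10:60:10:81 | documen ... on.hash | react.js:10:60:10:76 | document.location | react.js:10:60:10:81 | documen ... on.hash | Untrusted URL redirection due to $@. | react.js:10:60:10:76 | document.location | user-provided value |
 | react.js:21:24:21:45 | documen ... on.hash | react.js:21:24:21:40 | document.location | react.js:21:24:21:45 | documen ... on.hash | Untrusted URL redirection due to $@. | react.js:21:24:21:40 | document.location | user-provided value |
-| react.js:28:43:28:64 | documen ... on.hash | react.js:28:43:28:59 | document.location | react.js:28:43:28:64 | documen ... on.hash | Untrusted URL redirection due to $@. | react.js:28:43:28:59 | document.location | user-provided value |
-| react.js:34:43:34:64 | documen ... on.hash | react.js:34:43:34:59 | document.location | react.js:34:43:34:64 | documen ... on.hash | Untrusted URL redirection due to $@. | react.js:34:43:34:59 | document.location | user-provided value |
+| react.js:28:43:28:74 | documen ... bstr(1) | react.js:28:43:28:59 | document.location | react.js:28:43:28:74 | documen ... bstr(1) | Untrusted URL redirection due to $@. | react.js:28:43:28:59 | document.location | user-provided value |
+| react.js:34:43:34:74 | documen ... bstr(1) | react.js:34:43:34:59 | document.location | react.js:34:43:34:74 | documen ... bstr(1) | Untrusted URL redirection due to $@. | react.js:34:43:34:59 | document.location | user-provided value |
 | sanitizer.js:4:27:4:29 | url | sanitizer.js:2:15:2:25 | window.name | sanitizer.js:4:27:4:29 | url | Untrusted URL redirection due to $@. | sanitizer.js:2:15:2:25 | window.name | user-provided value |
 | sanitizer.js:16:27:16:29 | url | sanitizer.js:2:15:2:25 | window.name | sanitizer.js:16:27:16:29 | url | Untrusted URL redirection due to $@. | sanitizer.js:2:15:2:25 | window.name | user-provided value |
 | sanitizer.js:19:27:19:29 | url | sanitizer.js:2:15:2:25 | window.name | sanitizer.js:19:27:19:29 | url | Untrusted URL redirection due to $@. | sanitizer.js:2:15:2:25 | window.name | user-provided value |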

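--- a/javascript/ql/test/query-tests/Security/CWE-601/ClientSideUrlRedirect/react.js
+++ b/javascript/ql/test/query-tests/Security/CWE-601/ClientSideUrlRedirect/react.js
@@ -25,13 +25,13 @@ import { useRouter } from 'next/router'
 
 export function nextRouter() {
 const router = useRouter();
-return <span onClick={() => router.push(document.location.hash)}>Click to XSS 1</span>
+return <span onClick={() => router.push(document.location.hash.substr(1))}>Click to XSS 1</span>
 }
 
 import { withRouter } from 'next/router'
 
 function Page({ router }) {
-return <span onClick={() => router.push(document.location.hash)}>Click to XSS 2</span>
+return <span onClick={() => router.push(document.location.hash.substr(1))}>Click to XSS 2</span>
 }
 
 export const pageWithRouter = withRouter(Page);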
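Review bot: The two rewritten `router.push(...)` calls (new lines 28 and 34) have no comment explaining why the leading `#` is stripped, and that is the whole point of the fixture: with the `#` kept the pushed value is confined to a fragment, while without it the entire string comes from the URL and can name any destination. I would add a trailing comment on each, e.g. `// NOT OK: hash minus the leading '#' is a fully user-controlled URL`, so the case is not later simplified back to the raw hash. Separately, `String.prototype.substr` is a legacy (Annex B) method; real code more often strips the `#` with `.slice(1)` or `.substring(1)`, so a sibling case using one of those would check that the query follows taint through the idioms it is most likely to meet — whether it already does is not visible from this page.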
