support React links in js/client-side-unvalidated-url-redirection

Author: erik-krogh

javascript/ql/src/semmle/javascript/security/dataflow/ClientSideUrlRedirectCustomizations.qll

@@ -166,4 +166,15 @@ module ClientSideUrlRedirect {
       )
     }
   }
+
+  /**
+   * A write to an React attribute which may execute JavaScript code.
+   */
+  class ReactAttributeWriteUrlSink extends ScriptUrlSink {
+    ReactAttributeWriteUrlSink() {
+      exists(JSXAttribute attr | attr.getName() = propertyNameIsInterpretedAsJavaScriptUrl() |
+        this = attr.getValue().flow()
+      )
+    }
+  }
 }

javascript/ql/src/semmle/javascript/security/dataflow/DOM.qll

@@ -122,14 +122,17 @@ class DomPropWriteNode extends Assignment {
    * Holds if the assigned value is interpreted as JavaScript via javascript: protocol.
    */
   predicate interpretsValueAsJavaScriptUrl() {
-    lhs.getPropertyName() = "action" or
-    lhs.getPropertyName() = "formaction" or
-    lhs.getPropertyName() = "href" or
-    lhs.getPropertyName() = "src" or
-    lhs.getPropertyName() = "data"
+    lhs.getPropertyName() = propertyNameIsInterpretedAsJavaScriptUrl()
   }
 }
 
+/**
+ * Holds if a value assigned to property `name` of a DOM node can be interpreted as JavaScript via the `javascript:` protocol.
+ */
+string propertyNameIsInterpretedAsJavaScriptUrl() {
+  result = ["action", "formaction", "href", "src", "data"]
+}
+
 /**
  * A value written to web storage, like `localStorage` or `sessionStorage`.
  */

javascript/ql/test/query-tests/Security/CWE-601/ClientSideUrlRedirect/ClientSideUrlRedirect.expected

@@ -7,6 +7,10 @@ nodes
 | react.js:10:60:10:76 | document.location |
 | react.js:10:60:10:81 | documen ... on.hash |
 | react.js:10:60:10:81 | documen ... on.hash |
+| react.js:21:24:21:40 | document.location |
+| react.js:21:24:21:40 | document.location |
+| react.js:21:24:21:45 | documen ... on.hash |
+| react.js:21:24:21:45 | documen ... on.hash |
 | sanitizer.js:2:9:2:25 | url |
 | sanitizer.js:2:15:2:25 | window.name |
 | sanitizer.js:2:15:2:25 | window.name |
@@ -197,6 +201,10 @@ edges
 | react.js:10:60:10:76 | document.location | react.js:10:60:10:81 | documen ... on.hash |
 | react.js:10:60:10:76 | document.location | react.js:10:60:10:81 | documen ... on.hash |
 | react.js:10:60:10:76 | document.location | react.js:10:60:10:81 | documen ... on.hash |
+| react.js:21:24:21:40 | document.location | react.js:21:24:21:45 | documen ... on.hash |
+| react.js:21:24:21:40 | document.location | react.js:21:24:21:45 | documen ... on.hash |
+| react.js:21:24:21:40 | document.location | react.js:21:24:21:45 | documen ... on.hash |
+| react.js:21:24:21:40 | document.location | react.js:21:24:21:45 | documen ... on.hash |
 | sanitizer.js:2:9:2:25 | url | sanitizer.js:4:27:4:29 | url |
 | sanitizer.js:2:9:2:25 | url | sanitizer.js:4:27:4:29 | url |
 | sanitizer.js:2:9:2:25 | url | sanitizer.js:16:27:16:29 | url |
@@ -367,6 +375,7 @@ edges
 #select
 | electron.js:7:20:7:29 | getTaint() | electron.js:4:12:4:22 | window.name | electron.js:7:20:7:29 | getTaint() | Untrusted URL redirection due to $@. | electron.js:4:12:4:22 | window.name | user-provided value |
 | react.js:10:60:10:81 | documen ... on.hash | react.js:10:60:10:76 | document.location | react.js:10:60:10:81 | documen ... on.hash | Untrusted URL redirection due to $@. | react.js:10:60:10:76 | document.location | user-provided value |
+| react.js:21:24:21:45 | documen ... on.hash | react.js:21:24:21:40 | document.location | react.js:21:24:21:45 | documen ... on.hash | Untrusted URL redirection due to $@. | react.js:21:24:21:40 | document.location | user-provided value |
 | sanitizer.js:4:27:4:29 | url | sanitizer.js:2:15:2:25 | window.name | sanitizer.js:4:27:4:29 | url | Untrusted URL redirection due to $@. | sanitizer.js:2:15:2:25 | window.name | user-provided value |
 | sanitizer.js:16:27:16:29 | url | sanitizer.js:2:15:2:25 | window.name | sanitizer.js:16:27:16:29 | url | Untrusted URL redirection due to $@. | sanitizer.js:2:15:2:25 | window.name | user-provided value |
 | sanitizer.js:19:27:19:29 | url | sanitizer.js:2:15:2:25 | window.name | sanitizer.js:19:27:19:29 | url | Untrusted URL redirection due to $@. | sanitizer.js:2:15:2:25 | window.name | user-provided value |

javascript/ql/test/query-tests/Security/CWE-601/ClientSideUrlRedirect/react.js

@@ -15,3 +15,8 @@ class Application extends React.Component {
 };
 
 export default Application
+
+import Link from 'next/link'
+export function NextLink() {
+    return <Link href={document.location.hash}><a>this page!</a></Link>;
+}