Merge pull request github#12668 from asgerf/js/jquery-callback-sinks

JS: fix handling of jQuery sinks involving callback

Author: asgerf

javascript/ql/lib/semmle/javascript/security/dataflow/DomBasedXssQuery.qll

@@ -122,6 +122,14 @@ class Configuration extends TaintTracking::Configuration {
     TaintedUrlSuffix::step(src, trg, TaintedUrlSuffix::label(), DataFlow::FlowLabel::taint()) and
     inlbl = TaintedUrlSuffix::label() and
     outlbl = prefixLabel()
+    or
+    exists(DataFlow::FunctionNode callback, DataFlow::Node arg |
+      any(JQuery::MethodCall c).interpretsArgumentAsHtml(arg) and
+      callback = arg.getABoundFunctionValue(_) and
+      src = callback.getReturnNode() and
+      trg = callback and
+      inlbl = outlbl
+    )
   }
 }
 

javascript/ql/src/change-notes/2023-03-27-jquery-callback-sinks.md

@@ -0,0 +1,5 @@
+---
+category: minorAnalysis
+---
+* Improved the model of jQuery to account for XSS sinks where the HTML string
+  is provided via a callback. This may lead to more results for the `js/xss` query.

javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/Xss.expected

@@ -431,6 +431,11 @@ nodes
 | jquery.js:34:5:34:25 | '<b>' + ...  '</b>' |
 | jquery.js:34:5:34:25 | '<b>' + ...  '</b>' |
 | jquery.js:34:13:34:16 | hash |
+| jquery.js:36:25:36:31 | tainted |
+| jquery.js:36:25:36:31 | tainted |
+| jquery.js:37:25:37:37 | () => tainted |
+| jquery.js:37:25:37:37 | () => tainted |
+| jquery.js:37:31:37:37 | tainted |
 | json-stringify.jsx:5:9:5:36 | locale |
 | json-stringify.jsx:5:9:5:36 | locale |
 | json-stringify.jsx:5:18:5:36 | req.param("locale") |
@@ -1512,6 +1517,9 @@ edges
 | express.js:7:15:7:33 | req.param("wobble") | express.js:7:15:7:33 | req.param("wobble") |
 | jquery.js:2:7:2:40 | tainted | jquery.js:7:20:7:26 | tainted |
 | jquery.js:2:7:2:40 | tainted | jquery.js:8:28:8:34 | tainted |
+| jquery.js:2:7:2:40 | tainted | jquery.js:36:25:36:31 | tainted |
+| jquery.js:2:7:2:40 | tainted | jquery.js:36:25:36:31 | tainted |
+| jquery.js:2:7:2:40 | tainted | jquery.js:37:31:37:37 | tainted |
 | jquery.js:2:17:2:40 | documen ... .search | jquery.js:2:7:2:40 | tainted |
 | jquery.js:2:17:2:40 | documen ... .search | jquery.js:2:7:2:40 | tainted |
 | jquery.js:7:20:7:26 | tainted | jquery.js:7:5:7:34 | "<div i ... + "\\">" |
@@ -1565,6 +1573,8 @@ edges
 | jquery.js:28:5:28:26 | window. ... .search | jquery.js:28:5:28:43 | window. ... ?', '') |
 | jquery.js:34:13:34:16 | hash | jquery.js:34:5:34:25 | '<b>' + ...  '</b>' |
 | jquery.js:34:13:34:16 | hash | jquery.js:34:5:34:25 | '<b>' + ...  '</b>' |
+| jquery.js:37:31:37:37 | tainted | jquery.js:37:25:37:37 | () => tainted |
+| jquery.js:37:31:37:37 | tainted | jquery.js:37:25:37:37 | () => tainted |
 | json-stringify.jsx:5:9:5:36 | locale | json-stringify.jsx:11:51:11:56 | locale |
 | json-stringify.jsx:5:9:5:36 | locale | json-stringify.jsx:19:56:19:61 | locale |
 | json-stringify.jsx:5:9:5:36 | locale | json-stringify.jsx:31:55:31:60 | locale |
@@ -2355,6 +2365,8 @@ edges
 | jquery.js:27:5:27:25 | hash.re ... #', '') | jquery.js:18:14:18:33 | window.location.hash | jquery.js:27:5:27:25 | hash.re ... #', '') | Cross-site scripting vulnerability due to $@. | jquery.js:18:14:18:33 | window.location.hash | user-provided value |
 | jquery.js:28:5:28:43 | window. ... ?', '') | jquery.js:28:5:28:26 | window. ... .search | jquery.js:28:5:28:43 | window. ... ?', '') | Cross-site scripting vulnerability due to $@. | jquery.js:28:5:28:26 | window. ... .search | user-provided value |
 | jquery.js:34:5:34:25 | '<b>' + ...  '</b>' | jquery.js:18:14:18:33 | window.location.hash | jquery.js:34:5:34:25 | '<b>' + ...  '</b>' | Cross-site scripting vulnerability due to $@. | jquery.js:18:14:18:33 | window.location.hash | user-provided value |
+| jquery.js:36:25:36:31 | tainted | jquery.js:2:17:2:40 | documen ... .search | jquery.js:36:25:36:31 | tainted | Cross-site scripting vulnerability due to $@. | jquery.js:2:17:2:40 | documen ... .search | user-provided value |
+| jquery.js:37:25:37:37 | () => tainted | jquery.js:2:17:2:40 | documen ... .search | jquery.js:37:25:37:37 | () => tainted | Cross-site scripting vulnerability due to $@. | jquery.js:2:17:2:40 | documen ... .search | user-provided value |
 | json-stringify.jsx:31:40:31:61 | JSON.st ... locale) | json-stringify.jsx:5:18:5:36 | req.param("locale") | json-stringify.jsx:31:40:31:61 | JSON.st ... locale) | Cross-site scripting vulnerability due to $@. | json-stringify.jsx:5:18:5:36 | req.param("locale") | user-provided value |
 | json-stringify.jsx:35:40:35:61 | JSON.st ... jsonLD) | json-stringify.jsx:5:18:5:36 | req.param("locale") | json-stringify.jsx:35:40:35:61 | JSON.st ... jsonLD) | Cross-site scripting vulnerability due to $@. | json-stringify.jsx:5:18:5:36 | req.param("locale") | user-provided value |
 | jwt-server.js:11:19:11:29 | decoded.foo | jwt-server.js:7:17:7:35 | req.param("wobble") | jwt-server.js:11:19:11:29 | decoded.foo | Cross-site scripting vulnerability due to $@. | jwt-server.js:7:17:7:35 | req.param("wobble") | user-provided value |

javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/XssWithAdditionalSources.expected

@@ -431,6 +431,11 @@ nodes
 | jquery.js:34:5:34:25 | '<b>' + ...  '</b>' |
 | jquery.js:34:5:34:25 | '<b>' + ...  '</b>' |
 | jquery.js:34:13:34:16 | hash |
+| jquery.js:36:25:36:31 | tainted |
+| jquery.js:36:25:36:31 | tainted |
+| jquery.js:37:25:37:37 | () => tainted |
+| jquery.js:37:25:37:37 | () => tainted |
+| jquery.js:37:31:37:37 | tainted |
 | json-stringify.jsx:5:9:5:36 | locale |
 | json-stringify.jsx:5:9:5:36 | locale |
 | json-stringify.jsx:5:18:5:36 | req.param("locale") |
@@ -1562,6 +1567,9 @@ edges
 | express.js:7:15:7:33 | req.param("wobble") | express.js:7:15:7:33 | req.param("wobble") |
 | jquery.js:2:7:2:40 | tainted | jquery.js:7:20:7:26 | tainted |
 | jquery.js:2:7:2:40 | tainted | jquery.js:8:28:8:34 | tainted |
+| jquery.js:2:7:2:40 | tainted | jquery.js:36:25:36:31 | tainted |
+| jquery.js:2:7:2:40 | tainted | jquery.js:36:25:36:31 | tainted |
+| jquery.js:2:7:2:40 | tainted | jquery.js:37:31:37:37 | tainted |
 | jquery.js:2:17:2:40 | documen ... .search | jquery.js:2:7:2:40 | tainted |
 | jquery.js:2:17:2:40 | documen ... .search | jquery.js:2:7:2:40 | tainted |
 | jquery.js:7:20:7:26 | tainted | jquery.js:7:5:7:34 | "<div i ... + "\\">" |
@@ -1615,6 +1623,8 @@ edges
 | jquery.js:28:5:28:26 | window. ... .search | jquery.js:28:5:28:43 | window. ... ?', '') |
 | jquery.js:34:13:34:16 | hash | jquery.js:34:5:34:25 | '<b>' + ...  '</b>' |
 | jquery.js:34:13:34:16 | hash | jquery.js:34:5:34:25 | '<b>' + ...  '</b>' |
+| jquery.js:37:31:37:37 | tainted | jquery.js:37:25:37:37 | () => tainted |
+| jquery.js:37:31:37:37 | tainted | jquery.js:37:25:37:37 | () => tainted |
 | json-stringify.jsx:5:9:5:36 | locale | json-stringify.jsx:11:51:11:56 | locale |
 | json-stringify.jsx:5:9:5:36 | locale | json-stringify.jsx:19:56:19:61 | locale |
 | json-stringify.jsx:5:9:5:36 | locale | json-stringify.jsx:31:55:31:60 | locale |

javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/jquery.js

@@ -32,4 +32,7 @@ function test() {
   $(hash + 'blah'); // OK
   $('blah' + hash); // OK - does not start with '<'
   $('<b>' + hash + '</b>'); // NOT OK
+
+  $('#foo').replaceWith(tainted); // NOT OK
+  $('#foo').replaceWith(() => tainted); // NOT OK
 }