Merge pull request github#6311 from asgerf/js/dom-element-methods

codeql-ci · web-flow · commit 475032780e63 · 2021-08-04T23:18:34.000-07:00
Approved by erik-krogh
diff --git a/javascript/change-notes/2021-07-16-dom-element-methods.md b/javascript/change-notes/2021-07-16-dom-element-methods.md
@@ -0,0 +1,3 @@
+lgtm,codescanning
+* Some methods from the DOM API are now modeled more precisely, potentially
+  leading to more `js/xss` results.
diff --git a/javascript/ql/src/semmle/javascript/DOM.qll b/javascript/ql/src/semmle/javascript/DOM.qll
@@ -291,10 +291,33 @@ module DOM {
      */
     abstract class Range extends DataFlow::Node { }
 
+    private predicate isDomElementType(ExternalType type) { isDomRootType(type.getASupertype*()) }
+
     private string getADomPropertyName() {
       exists(ExternalInstanceMemberDecl decl |
         result = decl.getName() and
-        isDomRootType(decl.getDeclaringType().getASupertype*())
+        isDomElementType(decl.getDeclaringType())
+      )
+    }
+
+    private predicate isDomElementTypeName(string name) {
+      exists(ExternalType type |
+        isDomElementType(type) and
+        name = type.getName()
+      )
+    }
+
+    /** Gets a method name which, if invoked on a DOM element (possibly of a specific subtype), returns a DOM element. */
+    private string getAMethodProducingDomElements() {
+      exists(ExternalInstanceMemberDecl decl |
+        result = decl.getName() and
+        isDomElementType(decl.getDeclaringType()) and
+        isDomElementTypeName(decl.getDocumentation()
+              .getATagByTitle("return")
+              .getType()
+              .getAnUnderlyingType()
+              .(JSDocNamedTypeExpr)
+              .getName())
       )
     }
 
@@ -339,6 +362,8 @@ module DOM {
         or
         this = domElementCollection()
         or
+        this = domValueRef().getAMethodCall(getAMethodProducingDomElements())
+        or
         this = forms()
         or
         // reading property `foo` - where a child has `name="foo"` - resolves to that child.
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/Xss.expected b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/Xss.expected
@@ -699,6 +699,15 @@ nodes
 | tst.js:456:18:456:42 | ansiToH ... source) |
 | tst.js:456:18:456:42 | ansiToH ... source) |
 | tst.js:456:36:456:41 | source |
+| tst.js:460:6:460:38 | source |
+| tst.js:460:15:460:38 | documen ... .search |
+| tst.js:460:15:460:38 | documen ... .search |
+| tst.js:463:21:463:26 | source |
+| tst.js:463:21:463:26 | source |
+| tst.js:465:19:465:24 | source |
+| tst.js:465:19:465:24 | source |
+| tst.js:467:20:467:25 | source |
+| tst.js:467:20:467:25 | source |
 | typeahead.js:20:13:20:45 | target |
 | typeahead.js:20:22:20:45 | documen ... .search |
 | typeahead.js:20:22:20:45 | documen ... .search |
@@ -1369,6 +1378,14 @@ edges
 | tst.js:453:16:453:39 | documen ... .search | tst.js:453:7:453:39 | source |
 | tst.js:456:36:456:41 | source | tst.js:456:18:456:42 | ansiToH ... source) |
 | tst.js:456:36:456:41 | source | tst.js:456:18:456:42 | ansiToH ... source) |
+| tst.js:460:6:460:38 | source | tst.js:463:21:463:26 | source |
+| tst.js:460:6:460:38 | source | tst.js:463:21:463:26 | source |
+| tst.js:460:6:460:38 | source | tst.js:465:19:465:24 | source |
+| tst.js:460:6:460:38 | source | tst.js:465:19:465:24 | source |
+| tst.js:460:6:460:38 | source | tst.js:467:20:467:25 | source |
+| tst.js:460:6:460:38 | source | tst.js:467:20:467:25 | source |
+| tst.js:460:15:460:38 | documen ... .search | tst.js:460:6:460:38 | source |
+| tst.js:460:15:460:38 | documen ... .search | tst.js:460:6:460:38 | source |
 | typeahead.js:20:13:20:45 | target | typeahead.js:21:12:21:17 | target |
 | typeahead.js:20:22:20:45 | documen ... .search | typeahead.js:20:13:20:45 | target |
 | typeahead.js:20:22:20:45 | documen ... .search | typeahead.js:20:13:20:45 | target |
@@ -1598,6 +1615,9 @@ edges
 | tst.js:445:32:445:37 | source | tst.js:436:15:436:38 | documen ... .search | tst.js:445:32:445:37 | source | Cross-site scripting vulnerability due to $@. | tst.js:436:15:436:38 | documen ... .search | user-provided value |
 | tst.js:455:18:455:23 | source | tst.js:453:16:453:39 | documen ... .search | tst.js:455:18:455:23 | source | Cross-site scripting vulnerability due to $@. | tst.js:453:16:453:39 | documen ... .search | user-provided value |
 | tst.js:456:18:456:42 | ansiToH ... source) | tst.js:453:16:453:39 | documen ... .search | tst.js:456:18:456:42 | ansiToH ... source) | Cross-site scripting vulnerability due to $@. | tst.js:453:16:453:39 | documen ... .search | user-provided value |
+| tst.js:463:21:463:26 | source | tst.js:460:15:460:38 | documen ... .search | tst.js:463:21:463:26 | source | Cross-site scripting vulnerability due to $@. | tst.js:460:15:460:38 | documen ... .search | user-provided value |
+| tst.js:465:19:465:24 | source | tst.js:460:15:460:38 | documen ... .search | tst.js:465:19:465:24 | source | Cross-site scripting vulnerability due to $@. | tst.js:460:15:460:38 | documen ... .search | user-provided value |
+| tst.js:467:20:467:25 | source | tst.js:460:15:460:38 | documen ... .search | tst.js:467:20:467:25 | source | Cross-site scripting vulnerability due to $@. | tst.js:460:15:460:38 | documen ... .search | user-provided value |
 | typeahead.js:25:18:25:20 | val | typeahead.js:20:22:20:45 | documen ... .search | typeahead.js:25:18:25:20 | val | Cross-site scripting vulnerability due to $@. | typeahead.js:20:22:20:45 | documen ... .search | user-provided value |
 | v-html.vue:2:8:2:23 | v-html=tainted | v-html.vue:6:42:6:58 | document.location | v-html.vue:2:8:2:23 | v-html=tainted | Cross-site scripting vulnerability due to $@. | v-html.vue:6:42:6:58 | document.location | user-provided value |
 | various-concat-obfuscations.js:4:4:4:31 | "<div>" ... </div>" | various-concat-obfuscations.js:2:16:2:39 | documen ... .search | various-concat-obfuscations.js:4:4:4:31 | "<div>" ... </div>" | Cross-site scripting vulnerability due to $@. | various-concat-obfuscations.js:2:16:2:39 | documen ... .search | user-provided value |
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/XssWithAdditionalSources.expected b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/XssWithAdditionalSources.expected
@@ -706,6 +706,15 @@ nodes
 | tst.js:456:18:456:42 | ansiToH ... source) |
 | tst.js:456:18:456:42 | ansiToH ... source) |
 | tst.js:456:36:456:41 | source |
+| tst.js:460:6:460:38 | source |
+| tst.js:460:15:460:38 | documen ... .search |
+| tst.js:460:15:460:38 | documen ... .search |
+| tst.js:463:21:463:26 | source |
+| tst.js:463:21:463:26 | source |
+| tst.js:465:19:465:24 | source |
+| tst.js:465:19:465:24 | source |
+| tst.js:467:20:467:25 | source |
+| tst.js:467:20:467:25 | source |
 | typeahead.js:9:28:9:30 | loc |
 | typeahead.js:9:28:9:30 | loc |
 | typeahead.js:10:16:10:18 | loc |
@@ -1393,6 +1402,14 @@ edges
 | tst.js:453:16:453:39 | documen ... .search | tst.js:453:7:453:39 | source |
 | tst.js:456:36:456:41 | source | tst.js:456:18:456:42 | ansiToH ... source) |
 | tst.js:456:36:456:41 | source | tst.js:456:18:456:42 | ansiToH ... source) |
+| tst.js:460:6:460:38 | source | tst.js:463:21:463:26 | source |
+| tst.js:460:6:460:38 | source | tst.js:463:21:463:26 | source |
+| tst.js:460:6:460:38 | source | tst.js:465:19:465:24 | source |
+| tst.js:460:6:460:38 | source | tst.js:465:19:465:24 | source |
+| tst.js:460:6:460:38 | source | tst.js:467:20:467:25 | source |
+| tst.js:460:6:460:38 | source | tst.js:467:20:467:25 | source |
+| tst.js:460:15:460:38 | documen ... .search | tst.js:460:6:460:38 | source |
+| tst.js:460:15:460:38 | documen ... .search | tst.js:460:6:460:38 | source |
 | typeahead.js:9:28:9:30 | loc | typeahead.js:10:16:10:18 | loc |
 | typeahead.js:9:28:9:30 | loc | typeahead.js:10:16:10:18 | loc |
 | typeahead.js:9:28:9:30 | loc | typeahead.js:10:16:10:18 | loc |
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/externs.js b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/externs.js
@@ -57,3 +57,13 @@ function Node() {}
  * @type {Node}
  */
 Node.prototype.parentNode;
+
+/**
+ * @return {DomObjectStub}
+ */
+DomObjectStub.prototype.insertRow = function() {};
+
+/**
+ * @return {DomObjectStub}
+ */
+DomObjectStub.prototype.insertCell = function() {};
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/tst.js b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/tst.js
@@ -454,4 +454,15 @@ function ansiToHTML() {
 
   $("#foo").html(source); // NOT OK
   $("#foo").html(ansiToHtml.toHtml(source)); // NOT OK
-}
+}
+
+function domMethods() {
+	var source = document.location.search;
+
+  let table = document.getElementById('mytable');
+  table.innerHTML = source; // NOT OK
+  let row = table.insertRow(-1);
+  row.innerHTML = source; // NOT OK
+  let cell = row.insertCell();
+  cell.innerHTML = source; // NOT OK
+}

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+lgtm,codescanning`
	`2`	`+* Some methods from the DOM API are now modeled more precisely, potentially`
	`3`	+ leading to more `js/xss` results.