
Commit 5203375

Merge pull request github#6298 from erik-krogh/ansi-to-html
Approved by asgerf
2 parents f4f8ce0 + ae2fc71 commit 5203375


5 files changed

+61
-0
lines changed

Lines changed: 4 additions & 0 deletions
@@ -0,0 +1,4 @@
1+
lgtm,codescanning
2+
* The security queries now track taint through the `ansi-to-html` library.
3+
Affected packages are
4+
[ansi-to-html](https://www.npmjs.com/package/ansi-to-html)

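--- a/javascript/ql/src/semmle/javascript/frameworks/Logging.qll
+++ b/javascript/ql/src/semmle/javascript/frameworks/Logging.qll
@@ -337,3 +337,17 @@ class StripAnsiStep extends TaintTracking::SharedTaintStep {
 )
 }
 }
+
+/**
+* A step through the [`ansi-to-html`](https://npmjs.org/package/ansi-to-html) library.
+*/
+class AnsiToHtmlStep extends TaintTracking::SharedTaintStep {
+override predicate stringManipulationStep(DataFlow::Node pred, DataFlow::Node succ) {
+exists(API::CallNode call |
+call = API::moduleImport("ansi-to-html").getInstance().getMember("toHtml").getACall()
+|
+pred = call.getArgument(0) and
+succ = call
+)
+}
+}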
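Review bot: `AnsiToHtmlStep` propagates taint through `toHtml` for every instance returned by `getInstance()` without looking at the constructor options, so a converter built with `escapeXML: true` would presumably still be reported at HTML sinks even though its output is entity-escaped. Because this is a shared string-manipulation step, keeping the step itself is reasonable (the result remains attacker-influenced for non-HTML sinks), but the limitation should be stated in the QLDoc, for example `* Taint flows from the first argument of toHtml to its result; the escapeXML option is not modelled.` An XSS-specific sanitizer for the escaping configuration could follow separately. The QLDoc link also uses npmjs.org while the change note links to www.npmjs.com; one form should be used in both.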

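--- a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/Xss.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/Xss.expected
@@ -684,6 +684,14 @@ nodes
 | tst.js:444:44:444:49 | source |
 | tst.js:445:32:445:37 | source |
 | tst.js:445:32:445:37 | source |
+| tst.js:453:7:453:39 | source |
+| tst.js:453:16:453:39 | documen ... .search |
+| tst.js:453:16:453:39 | documen ... .search |
+| tst.js:455:18:455:23 | source |
+| tst.js:455:18:455:23 | source |
+| tst.js:456:18:456:42 | ansiToH ... source) |
+| tst.js:456:18:456:42 | ansiToH ... source) |
+| tst.js:456:36:456:41 | source |
 | typeahead.js:20:13:20:45 | target |
 | typeahead.js:20:22:20:45 | documen ... .search |
 | typeahead.js:20:22:20:45 | documen ... .search |
@@ -1341,6 +1349,13 @@ edges
 | tst.js:436:6:436:38 | source | tst.js:445:32:445:37 | source |
 | tst.js:436:15:436:38 | documen ... .search | tst.js:436:6:436:38 | source |
 | tst.js:436:15:436:38 | documen ... .search | tst.js:436:6:436:38 | source |
+| tst.js:453:7:453:39 | source | tst.js:455:18:455:23 | source |
+| tst.js:453:7:453:39 | source | tst.js:455:18:455:23 | source |
+| tst.js:453:7:453:39 | source | tst.js:456:36:456:41 | source |
+| tst.js:453:16:453:39 | documen ... .search | tst.js:453:7:453:39 | source |
+| tst.js:453:16:453:39 | documen ... .search | tst.js:453:7:453:39 | source |
+| tst.js:456:36:456:41 | source | tst.js:456:18:456:42 | ansiToH ... source) |
+| tst.js:456:36:456:41 | source | tst.js:456:18:456:42 | ansiToH ... source) |
 | typeahead.js:20:13:20:45 | target | typeahead.js:21:12:21:17 | target |
 | typeahead.js:20:22:20:45 | documen ... .search | typeahead.js:20:13:20:45 | target |
 | typeahead.js:20:22:20:45 | documen ... .search | typeahead.js:20:13:20:45 | target |
@@ -1566,6 +1581,8 @@ edges
 | tst.js:443:41:443:46 | source | tst.js:436:15:436:38 | documen ... .search | tst.js:443:41:443:46 | source | Cross-site scripting vulnerability due to $@. | tst.js:436:15:436:38 | documen ... .search | user-provided value |
 | tst.js:444:44:444:49 | source | tst.js:436:15:436:38 | documen ... .search | tst.js:444:44:444:49 | source | Cross-site scripting vulnerability due to $@. | tst.js:436:15:436:38 | documen ... .search | user-provided value |
 | tst.js:445:32:445:37 | source | tst.js:436:15:436:38 | documen ... .search | tst.js:445:32:445:37 | source | Cross-site scripting vulnerability due to $@. | tst.js:436:15:436:38 | documen ... .search | user-provided value |
+| tst.js:455:18:455:23 | source | tst.js:453:16:453:39 | documen ... .search | tst.js:455:18:455:23 | source | Cross-site scripting vulnerability due to $@. | tst.js:453:16:453:39 | documen ... .search | user-provided value |
+| tst.js:456:18:456:42 | ansiToH ... source) | tst.js:453:16:453:39 | documen ... .search | tst.js:456:18:456:42 | ansiToH ... source) | Cross-site scripting vulnerability due to $@. | tst.js:453:16:453:39 | documen ... .search | user-provided value |
 | typeahead.js:25:18:25:20 | val | typeahead.js:20:22:20:45 | documen ... .search | typeahead.js:25:18:25:20 | val | Cross-site scripting vulnerability due to $@. | typeahead.js:20:22:20:45 | documen ... .search | user-provided value |
 | v-html.vue:2:8:2:23 | v-html=tainted | v-html.vue:6:42:6:58 | document.location | v-html.vue:2:8:2:23 | v-html=tainted | Cross-site scripting vulnerability due to $@. | v-html.vue:6:42:6:58 | document.location | user-provided value |
 | various-concat-obfuscations.js:4:4:4:31 | "<div>" ... </div>" | various-concat-obfuscations.js:2:16:2:39 | documen ... .search | various-concat-obfuscations.js:4:4:4:31 | "<div>" ... </div>" | Cross-site scripting vulnerability due to $@. | various-concat-obfuscations.js:2:16:2:39 | documen ... .search | user-provided value |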

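--- a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/XssWithAdditionalSources.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/XssWithAdditionalSources.expected
@@ -691,6 +691,14 @@ nodes
 | tst.js:444:44:444:49 | source |
 | tst.js:445:32:445:37 | source |
 | tst.js:445:32:445:37 | source |
+| tst.js:453:7:453:39 | source |
+| tst.js:453:16:453:39 | documen ... .search |
+| tst.js:453:16:453:39 | documen ... .search |
+| tst.js:455:18:455:23 | source |
+| tst.js:455:18:455:23 | source |
+| tst.js:456:18:456:42 | ansiToH ... source) |
+| tst.js:456:18:456:42 | ansiToH ... source) |
+| tst.js:456:36:456:41 | source |
 | typeahead.js:9:28:9:30 | loc |
 | typeahead.js:9:28:9:30 | loc |
 | typeahead.js:10:16:10:18 | loc |
@@ -1365,6 +1373,13 @@ edges
 | tst.js:436:6:436:38 | source | tst.js:445:32:445:37 | source |
 | tst.js:436:15:436:38 | documen ... .search | tst.js:436:6:436:38 | source |
 | tst.js:436:15:436:38 | documen ... .search | tst.js:436:6:436:38 | source |
+| tst.js:453:7:453:39 | source | tst.js:455:18:455:23 | source |
+| tst.js:453:7:453:39 | source | tst.js:455:18:455:23 | source |
+| tst.js:453:7:453:39 | source | tst.js:456:36:456:41 | source |
+| tst.js:453:16:453:39 | documen ... .search | tst.js:453:7:453:39 | source |
+| tst.js:453:16:453:39 | documen ... .search | tst.js:453:7:453:39 | source |
+| tst.js:456:36:456:41 | source | tst.js:456:18:456:42 | ansiToH ... source) |
+| tst.js:456:36:456:41 | source | tst.js:456:18:456:42 | ansiToH ... source) |
 | typeahead.js:9:28:9:30 | loc | typeahead.js:10:16:10:18 | loc |
 | typeahead.js:9:28:9:30 | loc | typeahead.js:10:16:10:18 | loc |
 | typeahead.js:9:28:9:30 | loc | typeahead.js:10:16:10:18 | loc |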

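--- a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/tst.js
+++ b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/tst.js
@@ -444,3 +444,14 @@ function mootools(){
 new Element("div").setProperties({"html": source}); // NOT OK
 new Element("div").appendHtml(source); // NOT OK
 }
+
+
+const Convert = require('ansi-to-html');
+const ansiToHtml = new Convert();
+
+function ansiToHTML() {
+var source = document.location.search;
+
+$("#foo").html(source); // NOT OK
+$("#foo").html(ansiToHtml.toHtml(source)); // NOT OK
+}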
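Review bot: The new test exercises only a default-constructed converter, so nothing records how the analysis treats `new Convert({escapeXML: true})`, the one configuration in which the library entity-escapes its input. A second instance and a line such as `$("#foo").html(escapingConverter.toHtml(source));` with an explicit `// OK` or `// NOT OK` comment would pin the expected result either way. Separately, the function `ansiToHTML` and the constant `ansiToHtml` differ only in letter case, which is easy to misread; a function name like `ansiToHtmlTest` would avoid that.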
