add ContainsHTMLGuard

erik-krogh · erik-krogh · commit 562a38cdd547 · 2020-05-28T10:24:42.000+02:00
diff --git a/javascript/ql/src/semmle/javascript/security/dataflow/Xss.qll b/javascript/ql/src/semmle/javascript/security/dataflow/Xss.qll
@@ -73,6 +73,26 @@ module Shared {
       e = this.getBaseString().getEnclosingExpr() and outcome = this.getPolarity().booleanNot()
     }
   }
+
+  /**
+   * A sanitizer guard that checks for the existence of HTML chars in a string.
+   * E.g. `/["'&<>]/.exec(str)`.
+   */
+  class ContainsHTMLGuard extends SanitizerGuard, DataFlow::MethodCallNode {
+    DataFlow::RegExpCreationNode regExp;
+
+    ContainsHTMLGuard() {
+      this.getMethodName() = ["test", "exec"] and
+      this.getReceiver().getALocalSource() = regExp and
+      regExp.getRoot() instanceof RegExpCharacterClass and
+      forall(string s | s = ["\"", "&", "<", ">"] | regExp.getRoot().getAMatchedString() = s)
+    }
+
+    override predicate sanitizes(boolean outcome, Expr e) {
+      outcome = false and e = this.getArgument(0).asExpr()
+    }
+  }
+
 }
 
 /** Provides classes and predicates for the DOM-based XSS query. */
@@ -359,6 +379,8 @@ module DomBasedXss {
       )
     )
   }
+
+  private class ContainsHTMLGuard extends SanitizerGuard, Shared::ContainsHTMLGuard { }
 }
 
 /** Provides classes and predicates for the reflected XSS query. */
@@ -463,6 +485,8 @@ module ReflectedXss {
   private class UriEncodingSanitizer extends Sanitizer, Shared::UriEncodingSanitizer { }
 
   private class QuoteGuard extends SanitizerGuard, Shared::QuoteGuard { }
+
+  private class ContainsHTMLGuard extends SanitizerGuard, Shared::ContainsHTMLGuard { }
 }
 
 /** Provides classes and predicates for the stored XSS query. */
@@ -496,6 +520,8 @@ module StoredXss {
   private class UriEncodingSanitizer extends Sanitizer, Shared::UriEncodingSanitizer { }
 
   private class QuoteGuard extends SanitizerGuard, Shared::QuoteGuard { }
+
+  private class ContainsHTMLGuard extends SanitizerGuard, Shared::ContainsHTMLGuard { }
 }
 
 /** Provides classes and predicates for the XSS through DOM query. */
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXssGood.js b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXssGood.js
@@ -49,3 +49,22 @@ app.get('/echo', function(req, res) {
 	res.setHeader('Content-Length', msg.length);
 	res.end(msg);
 });
+
+app.get('/user/:id', function(req, res) {
+  const url = req.params.id;
+  if (!/["'&<>]/.exec(url)) {
+    res.send(url); // OK
+  }
+});
+
+function escapeHtml1 (str) {
+  if (!/["'&<>]/.exec(str)) {
+      return str;
+  }
+}
+
+app.get('/user/:id', function(req, res) {
+  const url = req.params.id;
+
+  res.send(escapeHtml1(url)); // OK
+});

Original file line number	Diff line number	Diff line change
`@@ -73,6 +73,26 @@ module Shared {`
`73`	`73`	`e = this.getBaseString().getEnclosingExpr() and outcome = this.getPolarity().booleanNot()`
`74`	`74`	`}`
`75`	`75`	`}`
	`76`	`+`
	`77`	`+ /**`
	`78`	`+ * A sanitizer guard that checks for the existence of HTML chars in a string.`
	`79`	+ * E.g. `/["'&<>]/.exec(str)`.
	`80`	`+ */`
	`81`	`+ class ContainsHTMLGuard extends SanitizerGuard, DataFlow::MethodCallNode {`
	`82`	`+ DataFlow::RegExpCreationNode regExp;`
	`83`	`+`
	`84`	`+ ContainsHTMLGuard() {`
	`85`	`+ this.getMethodName() = ["test", "exec"] and`
	`86`	`+ this.getReceiver().getALocalSource() = regExp and`
	`87`	`+ regExp.getRoot() instanceof RegExpCharacterClass and`
	`88`	`+ forall(string s \| s = ["\"", "&", "<", ">"] \| regExp.getRoot().getAMatchedString() = s)`
	`89`	`+ }`
	`90`	`+`
	`91`	`+ override predicate sanitizes(boolean outcome, Expr e) {`
	`92`	`+ outcome = false and e = this.getArgument(0).asExpr()`
	`93`	`+ }`
	`94`	`+ }`
	`95`	`+`
`76`	`96`	`}`
`77`	`97`
`78`	`98`	`/** Provides classes and predicates for the DOM-based XSS query. */`
`@@ -359,6 +379,8 @@ module DomBasedXss {`
`359`	`379`	`)`
`360`	`380`	`)`
`361`	`381`	`}`
	`382`	`+`
	`383`	`+ private class ContainsHTMLGuard extends SanitizerGuard, Shared::ContainsHTMLGuard { }`
`362`	`384`	`}`
`363`	`385`
`364`	`386`	`/** Provides classes and predicates for the reflected XSS query. */`
`@@ -463,6 +485,8 @@ module ReflectedXss {`
`463`	`485`	`private class UriEncodingSanitizer extends Sanitizer, Shared::UriEncodingSanitizer { }`
`464`	`486`
`465`	`487`	`private class QuoteGuard extends SanitizerGuard, Shared::QuoteGuard { }`
	`488`	`+`
	`489`	`+ private class ContainsHTMLGuard extends SanitizerGuard, Shared::ContainsHTMLGuard { }`
`466`	`490`	`}`
`467`	`491`
`468`	`492`	`/** Provides classes and predicates for the stored XSS query. */`
`@@ -496,6 +520,8 @@ module StoredXss {`
`496`	`520`	`private class UriEncodingSanitizer extends Sanitizer, Shared::UriEncodingSanitizer { }`
`497`	`521`
`498`	`522`	`private class QuoteGuard extends SanitizerGuard, Shared::QuoteGuard { }`
	`523`	`+`
	`524`	`+ private class ContainsHTMLGuard extends SanitizerGuard, Shared::ContainsHTMLGuard { }`
`499`	`525`	`}`
`500`	`526`
`501`	`527`	`/** Provides classes and predicates for the XSS through DOM query. */`