add location reads from the history libary as client-side remote flow

erik-krogh · erik-krogh · commit 608a0314df72 · 2021-06-03T12:33:25.000+02:00
diff --git a/javascript/ql/src/semmle/javascript/security/dataflow/DOM.qll b/javascript/ql/src/semmle/javascript/security/dataflow/DOM.qll
@@ -272,3 +272,30 @@ private class WindowLocationFlowSource extends ClientSideRemoteFlowSource {
 
   override ClientSideRemoteFlowKind getKind() { result = kind }
 }
+
+/**
+ * A user-controlled location value read from the [history](http://npmjs.org/package/history) library.
+ */
+private class HistoryLibaryRemoteFlow extends ClientSideRemoteFlowSource {
+  ClientSideRemoteFlowKind kind;
+
+  HistoryLibaryRemoteFlow() {
+    exists(API::Node loc |
+      loc =
+        API::moduleImport("history")
+            .getMember(["createBrowserHistory", "createHashHistory"])
+            .getReturn()
+            .getMember("location")
+    |
+      this = loc.getMember("hash").getAnImmediateUse() and kind.isFragment()
+      or
+      this = loc.getMember("pathname").getAnImmediateUse() and kind.isPath()
+      or
+      this = loc.getMember("search").getAnImmediateUse() and kind.isQuery()
+    )
+  }
+
+  override string getSourceType() { result = "Window location" }
+
+  override ClientSideRemoteFlowKind getKind() { result = kind }
+}
diff --git a/javascript/ql/test/query-tests/Security/CWE-601/ClientSideUrlRedirect/ClientSideUrlRedirect.expected b/javascript/ql/test/query-tests/Security/CWE-601/ClientSideUrlRedirect/ClientSideUrlRedirect.expected
@@ -135,6 +135,12 @@ nodes
 | tst13.js:59:19:59:52 | documen ... bstr(1) |
 | tst13.js:61:18:61:24 | payload |
 | tst13.js:61:18:61:24 | payload |
+| tst13.js:65:9:65:49 | payload |
+| tst13.js:65:19:65:39 | history ... on.hash |
+| tst13.js:65:19:65:39 | history ... on.hash |
+| tst13.js:65:19:65:49 | history ... bstr(1) |
+| tst13.js:67:21:67:27 | payload |
+| tst13.js:67:21:67:27 | payload |
 | tst.js:2:19:2:69 | /.*redi ... n.href) |
 | tst.js:2:19:2:72 | /.*redi ... ref)[1] |
 | tst.js:2:19:2:72 | /.*redi ... ref)[1] |
@@ -317,6 +323,11 @@ edges
 | tst13.js:59:19:59:42 | documen ... .search | tst13.js:59:19:59:52 | documen ... bstr(1) |
 | tst13.js:59:19:59:42 | documen ... .search | tst13.js:59:19:59:52 | documen ... bstr(1) |
 | tst13.js:59:19:59:52 | documen ... bstr(1) | tst13.js:59:9:59:52 | payload |
+| tst13.js:65:9:65:49 | payload | tst13.js:67:21:67:27 | payload |
+| tst13.js:65:9:65:49 | payload | tst13.js:67:21:67:27 | payload |
+| tst13.js:65:19:65:39 | history ... on.hash | tst13.js:65:19:65:49 | history ... bstr(1) |
+| tst13.js:65:19:65:39 | history ... on.hash | tst13.js:65:19:65:49 | history ... bstr(1) |
+| tst13.js:65:19:65:49 | history ... bstr(1) | tst13.js:65:9:65:49 | payload |
 | tst.js:2:19:2:69 | /.*redi ... n.href) | tst.js:2:19:2:72 | /.*redi ... ref)[1] |
 | tst.js:2:19:2:69 | /.*redi ... n.href) | tst.js:2:19:2:72 | /.*redi ... ref)[1] |
 | tst.js:2:47:2:63 | document.location | tst.js:2:47:2:68 | documen ... on.href |
@@ -409,6 +420,7 @@ edges
 | tst13.js:50:23:50:23 | e | tst13.js:49:32:49:32 | e | tst13.js:50:23:50:23 | e | Untrusted URL redirection due to $@. | tst13.js:49:32:49:32 | e | user-provided value |
 | tst13.js:53:28:53:28 | e | tst13.js:52:34:52:34 | e | tst13.js:53:28:53:28 | e | Untrusted URL redirection due to $@. | tst13.js:52:34:52:34 | e | user-provided value |
 | tst13.js:61:18:61:24 | payload | tst13.js:59:19:59:42 | documen ... .search | tst13.js:61:18:61:24 | payload | Untrusted URL redirection due to $@. | tst13.js:59:19:59:42 | documen ... .search | user-provided value |
+| tst13.js:67:21:67:27 | payload | tst13.js:65:19:65:39 | history ... on.hash | tst13.js:67:21:67:27 | payload | Untrusted URL redirection due to $@. | tst13.js:65:19:65:39 | history ... on.hash | user-provided value |
 | tst.js:2:19:2:72 | /.*redi ... ref)[1] | tst.js:2:47:2:63 | document.location | tst.js:2:19:2:72 | /.*redi ... ref)[1] | Untrusted URL redirection due to $@. | tst.js:2:47:2:63 | document.location | user-provided value |
 | tst.js:2:19:2:72 | /.*redi ... ref)[1] | tst.js:2:47:2:68 | documen ... on.href | tst.js:2:19:2:72 | /.*redi ... ref)[1] | Untrusted URL redirection due to $@. | tst.js:2:47:2:68 | documen ... on.href | user-provided value |
 | tst.js:6:20:6:59 | indirec ... ref)[1] | tst.js:6:34:6:50 | document.location | tst.js:6:20:6:59 | indirec ... ref)[1] | Untrusted URL redirection due to $@. | tst.js:6:34:6:50 | document.location | user-provided value |
diff --git a/javascript/ql/test/query-tests/Security/CWE-601/ClientSideUrlRedirect/tst13.js b/javascript/ql/test/query-tests/Security/CWE-601/ClientSideUrlRedirect/tst13.js
@@ -54,9 +54,15 @@ function foo() {
     }
 })();
 
-const history = require('history').createBrowserHistory();
 function bar() {
+    const history = require('history').createBrowserHistory();
     var payload = document.location.search.substr(1);
 
     history.push(payload); // NOT OK
+}
+function baz() {
+    const history = require('history').createHashHistory();
+    var payload = history.location.hash.substr(1);
+
+    history.replace(payload); // NOT OK
 }
