add jQuery options objects as sources

erik-krogh · erik-krogh · commit 8ba5bddae8d9 · 2021-05-06T11:05:02.000+02:00
diff --git a/javascript/ql/src/semmle/javascript/security/dataflow/UnsafeHtmlConstructionCustomizations.qll b/javascript/ql/src/semmle/javascript/security/dataflow/UnsafeHtmlConstructionCustomizations.qll
@@ -13,6 +13,7 @@ module UnsafeHtmlConstruction {
   private import semmle.javascript.security.dataflow.DomBasedXssCustomizations::DomBasedXss as DomBasedXss
   private import semmle.javascript.security.dataflow.UnsafeJQueryPluginCustomizations::UnsafeJQueryPlugin as UnsafeJQueryPlugin
   private import semmle.javascript.PackageExports as Exports
+  private import semmle.javascript.security.dataflow.UnsafeJQueryPlugin::UnsafeJQueryPlugin as UnsafeJQueryPlugin
 
   /**
    * A source for unsafe HTML constructed from library input.
@@ -29,6 +30,13 @@ module UnsafeHtmlConstruction {
     }
   }
 
+  /**
+   * A jQuery plugin options object, seen as a source for unsafe HTML constructed from input.
+   */
+  class JQueryPluginOptionsAsSource extends Source {
+    JQueryPluginOptionsAsSource() { this instanceof UnsafeJQueryPlugin::JQueryPluginOptions }
+  }
+
   /**
    * A sink for unsafe HTML constructed from library input.
    * This sink somehow transforms its input into a value that can cause XSS if it ends up in a XSS sink.
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/UnsafeHtmlConstruction.expected b/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/UnsafeHtmlConstruction.expected
@@ -15,13 +15,24 @@ nodes
 | main.js:21:47:21:47 | s |
 | main.js:22:34:22:34 | s |
 | main.js:22:34:22:34 | s |
-| main.js:46:17:46:17 | s |
-| main.js:47:21:47:21 | s |
-| main.js:52:65:52:73 | this.step |
-| main.js:52:65:52:73 | this.step |
-| main.js:57:41:57:41 | s |
-| main.js:57:41:57:41 | s |
-| main.js:58:20:58:20 | s |
+| main.js:41:17:41:17 | s |
+| main.js:42:21:42:21 | s |
+| main.js:47:65:47:73 | this.step |
+| main.js:47:65:47:73 | this.step |
+| main.js:52:41:52:41 | s |
+| main.js:52:41:52:41 | s |
+| main.js:53:20:53:20 | s |
+| main.js:56:28:56:34 | options |
+| main.js:56:28:56:34 | options |
+| main.js:57:11:59:5 | defaults |
+| main.js:57:22:59:5 | {\\n      ... "\\n    } |
+| main.js:60:11:60:48 | settings |
+| main.js:60:22:60:48 | $.exten ... ptions) |
+| main.js:60:31:60:38 | defaults |
+| main.js:60:41:60:47 | options |
+| main.js:62:19:62:26 | settings |
+| main.js:62:19:62:31 | settings.name |
+| main.js:62:19:62:31 | settings.name |
 | typed.ts:1:39:1:39 | s |
 | typed.ts:1:39:1:39 | s |
 | typed.ts:2:29:2:29 | s |
@@ -54,12 +65,23 @@ edges
 | main.js:21:47:21:47 | s | main.js:22:34:22:34 | s |
 | main.js:21:47:21:47 | s | main.js:22:34:22:34 | s |
 | main.js:21:47:21:47 | s | main.js:22:34:22:34 | s |
-| main.js:46:17:46:17 | s | main.js:47:21:47:21 | s |
-| main.js:47:21:47:21 | s | main.js:52:65:52:73 | this.step |
-| main.js:47:21:47:21 | s | main.js:52:65:52:73 | this.step |
-| main.js:57:41:57:41 | s | main.js:58:20:58:20 | s |
-| main.js:57:41:57:41 | s | main.js:58:20:58:20 | s |
-| main.js:58:20:58:20 | s | main.js:46:17:46:17 | s |
+| main.js:41:17:41:17 | s | main.js:42:21:42:21 | s |
+| main.js:42:21:42:21 | s | main.js:47:65:47:73 | this.step |
+| main.js:42:21:42:21 | s | main.js:47:65:47:73 | this.step |
+| main.js:52:41:52:41 | s | main.js:53:20:53:20 | s |
+| main.js:52:41:52:41 | s | main.js:53:20:53:20 | s |
+| main.js:53:20:53:20 | s | main.js:41:17:41:17 | s |
+| main.js:56:28:56:34 | options | main.js:60:41:60:47 | options |
+| main.js:56:28:56:34 | options | main.js:60:41:60:47 | options |
+| main.js:57:11:59:5 | defaults | main.js:60:31:60:38 | defaults |
+| main.js:57:22:59:5 | {\\n      ... "\\n    } | main.js:57:11:59:5 | defaults |
+| main.js:60:11:60:48 | settings | main.js:62:19:62:26 | settings |
+| main.js:60:22:60:48 | $.exten ... ptions) | main.js:60:11:60:48 | settings |
+| main.js:60:31:60:38 | defaults | main.js:60:22:60:48 | $.exten ... ptions) |
+| main.js:60:41:60:47 | options | main.js:57:22:59:5 | {\\n      ... "\\n    } |
+| main.js:60:41:60:47 | options | main.js:60:22:60:48 | $.exten ... ptions) |
+| main.js:62:19:62:26 | settings | main.js:62:19:62:31 | settings.name |
+| main.js:62:19:62:26 | settings | main.js:62:19:62:31 | settings.name |
 | typed.ts:1:39:1:39 | s | typed.ts:2:29:2:29 | s |
 | typed.ts:1:39:1:39 | s | typed.ts:2:29:2:29 | s |
 | typed.ts:1:39:1:39 | s | typed.ts:2:29:2:29 | s |
@@ -80,6 +102,7 @@ edges
 | main.js:12:49:12:49 | s | main.js:11:60:11:60 | s | main.js:12:49:12:49 | s | $@ based on $@ might later cause $@. | main.js:12:49:12:49 | s | XML parsing | main.js:11:60:11:60 | s | library input | main.js:16:21:16:35 | xml.cloneNode() | cross-site scripting |
 | main.js:12:49:12:49 | s | main.js:11:60:11:60 | s | main.js:12:49:12:49 | s | $@ based on $@ might later cause $@. | main.js:12:49:12:49 | s | XML parsing | main.js:11:60:11:60 | s | library input | main.js:17:48:17:50 | tmp | cross-site scripting |
 | main.js:22:34:22:34 | s | main.js:21:47:21:47 | s | main.js:22:34:22:34 | s | $@ based on $@ might later cause $@. | main.js:22:34:22:34 | s | Markdown rendering | main.js:21:47:21:47 | s | library input | main.js:23:53:23:56 | html | cross-site scripting |
-| main.js:52:65:52:73 | this.step | main.js:57:41:57:41 | s | main.js:52:65:52:73 | this.step | $@ based on $@ might later cause $@. | main.js:52:65:52:73 | this.step | HTML construction | main.js:57:41:57:41 | s | library input | main.js:52:54:52:85 | "<span> ... /span>" | cross-site scripting |
+| main.js:47:65:47:73 | this.step | main.js:52:41:52:41 | s | main.js:47:65:47:73 | this.step | $@ based on $@ might later cause $@. | main.js:47:65:47:73 | this.step | HTML construction | main.js:52:41:52:41 | s | library input | main.js:47:54:47:85 | "<span> ... /span>" | cross-site scripting |
+| main.js:62:19:62:31 | settings.name | main.js:56:28:56:34 | options | main.js:62:19:62:31 | settings.name | $@ based on $@ might later cause $@. | main.js:62:19:62:31 | settings.name | HTML construction | main.js:56:28:56:34 | options | library input | main.js:62:11:62:40 | "<b>" + ...  "</b>" | cross-site scripting |
 | typed.ts:2:29:2:29 | s | typed.ts:1:39:1:39 | s | typed.ts:2:29:2:29 | s | $@ based on $@ might later cause $@. | typed.ts:2:29:2:29 | s | HTML construction | typed.ts:1:39:1:39 | s | library input | typed.ts:3:31:3:34 | html | cross-site scripting |
 | typed.ts:8:40:8:40 | s | typed.ts:6:43:6:43 | s | typed.ts:8:40:8:40 | s | $@ based on $@ might later cause $@. | typed.ts:8:40:8:40 | s | HTML construction | typed.ts:6:43:6:43 | s | library input | typed.ts:8:29:8:52 | "<span> ... /span>" | cross-site scripting |
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/main.js b/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/main.js
@@ -52,3 +52,13 @@ class Foo {
 module.exports.createsClass = function (s) {
     return new Foo(s);
 }
+
+$.fn.xssPlugin = function (options) {
+    const defaults = {
+        name: "name"
+    };
+    const settings = $.extend(defaults, options);
+    return this.each(function () {
+        $("<b>" + settings.name + "</b>").appendTo(this); // NOT OK
+    });
+}
