JS: Step through jQuery callback return values

Author: asgerf

javascript/ql/lib/semmle/javascript/frameworks/jQuery.qll

@@ -563,6 +563,25 @@ module JQuery {
     }
   }
 
+  /** Gets a data flow node that reaches a sink that is interpreted as HTML. */
+  private DataFlow::SourceNode htmlCallback(DataFlow::TypeBackTracker t) {
+    t.start() and
+    any(JQuery::MethodCall c).interpretsArgumentAsHtml(result.getALocalUse())
+    or
+    exists(DataFlow::TypeBackTracker t2 | result = htmlCallback(t2).backtrack(t2, t))
+  }
+
+  /**
+   * Gets a function that is passed as a callback to a jQuery function, which will interpret its return value as HTML.
+   *
+   * For example, this gets the function `f` below:
+   * ```js
+   * function f() { ... }
+   * $('#foo').replaceWith(f);
+   * ```
+   */
+  DataFlow::FunctionNode htmlCallback() { result = htmlCallback(DataFlow::TypeBackTracker::end()) }
+
   /**
    * Holds for jQuery plugin definitions of the form `$.fn.<pluginName> = <plugin>` or `$.extend($.fn, {<pluginName>, <plugin>})`.
    */

javascript/ql/lib/semmle/javascript/security/dataflow/DomBasedXssQuery.qll

@@ -122,6 +122,13 @@ class Configuration extends TaintTracking::Configuration {
     TaintedUrlSuffix::step(src, trg, TaintedUrlSuffix::label(), DataFlow::FlowLabel::taint()) and
     inlbl = TaintedUrlSuffix::label() and
     outlbl = prefixLabel()
+    or
+    exists(DataFlow::FunctionNode callback |
+      callback = JQuery::htmlCallback() and
+      src = callback.getReturnNode() and
+      trg = callback and
+      inlbl = outlbl
+    )
   }
 }
 

javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/ConsistencyDomBasedXss.expected

@@ -1 +0,0 @@
-| query-tests/Security/CWE-079/DomBasedXss/jquery.js:37 | expected an alert, but found none | NOT OK |  |

javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/Xss.expected

@@ -433,6 +433,9 @@ nodes
 | jquery.js:34:13:34:16 | hash |
 | jquery.js:36:25:36:31 | tainted |
 | jquery.js:36:25:36:31 | tainted |
+| jquery.js:37:25:37:37 | () => tainted |
+| jquery.js:37:25:37:37 | () => tainted |
+| jquery.js:37:31:37:37 | tainted |
 | json-stringify.jsx:5:9:5:36 | locale |
 | json-stringify.jsx:5:9:5:36 | locale |
 | json-stringify.jsx:5:18:5:36 | req.param("locale") |
@@ -1516,6 +1519,7 @@ edges
 | jquery.js:2:7:2:40 | tainted | jquery.js:8:28:8:34 | tainted |
 | jquery.js:2:7:2:40 | tainted | jquery.js:36:25:36:31 | tainted |
 | jquery.js:2:7:2:40 | tainted | jquery.js:36:25:36:31 | tainted |
+| jquery.js:2:7:2:40 | tainted | jquery.js:37:31:37:37 | tainted |
 | jquery.js:2:17:2:40 | documen ... .search | jquery.js:2:7:2:40 | tainted |
 | jquery.js:2:17:2:40 | documen ... .search | jquery.js:2:7:2:40 | tainted |
 | jquery.js:7:20:7:26 | tainted | jquery.js:7:5:7:34 | "<div i ... + "\\">" |
@@ -1569,6 +1573,8 @@ edges
 | jquery.js:28:5:28:26 | window. ... .search | jquery.js:28:5:28:43 | window. ... ?', '') |
 | jquery.js:34:13:34:16 | hash | jquery.js:34:5:34:25 | '<b>' + ...  '</b>' |
 | jquery.js:34:13:34:16 | hash | jquery.js:34:5:34:25 | '<b>' + ...  '</b>' |
+| jquery.js:37:31:37:37 | tainted | jquery.js:37:25:37:37 | () => tainted |
+| jquery.js:37:31:37:37 | tainted | jquery.js:37:25:37:37 | () => tainted |
 | json-stringify.jsx:5:9:5:36 | locale | json-stringify.jsx:11:51:11:56 | locale |
 | json-stringify.jsx:5:9:5:36 | locale | json-stringify.jsx:19:56:19:61 | locale |
 | json-stringify.jsx:5:9:5:36 | locale | json-stringify.jsx:31:55:31:60 | locale |
@@ -2360,6 +2366,7 @@ edges
 | jquery.js:28:5:28:43 | window. ... ?', '') | jquery.js:28:5:28:26 | window. ... .search | jquery.js:28:5:28:43 | window. ... ?', '') | Cross-site scripting vulnerability due to $@. | jquery.js:28:5:28:26 | window. ... .search | user-provided value |
 | jquery.js:34:5:34:25 | '<b>' + ...  '</b>' | jquery.js:18:14:18:33 | window.location.hash | jquery.js:34:5:34:25 | '<b>' + ...  '</b>' | Cross-site scripting vulnerability due to $@. | jquery.js:18:14:18:33 | window.location.hash | user-provided value |
 | jquery.js:36:25:36:31 | tainted | jquery.js:2:17:2:40 | documen ... .search | jquery.js:36:25:36:31 | tainted | Cross-site scripting vulnerability due to $@. | jquery.js:2:17:2:40 | documen ... .search | user-provided value |
+| jquery.js:37:25:37:37 | () => tainted | jquery.js:2:17:2:40 | documen ... .search | jquery.js:37:25:37:37 | () => tainted | Cross-site scripting vulnerability due to $@. | jquery.js:2:17:2:40 | documen ... .search | user-provided value |
 | json-stringify.jsx:31:40:31:61 | JSON.st ... locale) | json-stringify.jsx:5:18:5:36 | req.param("locale") | json-stringify.jsx:31:40:31:61 | JSON.st ... locale) | Cross-site scripting vulnerability due to $@. | json-stringify.jsx:5:18:5:36 | req.param("locale") | user-provided value |
 | json-stringify.jsx:35:40:35:61 | JSON.st ... jsonLD) | json-stringify.jsx:5:18:5:36 | req.param("locale") | json-stringify.jsx:35:40:35:61 | JSON.st ... jsonLD) | Cross-site scripting vulnerability due to $@. | json-stringify.jsx:5:18:5:36 | req.param("locale") | user-provided value |
 | jwt-server.js:11:19:11:29 | decoded.foo | jwt-server.js:7:17:7:35 | req.param("wobble") | jwt-server.js:11:19:11:29 | decoded.foo | Cross-site scripting vulnerability due to $@. | jwt-server.js:7:17:7:35 | req.param("wobble") | user-provided value |

javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/XssWithAdditionalSources.expected

@@ -433,6 +433,9 @@ nodes
 | jquery.js:34:13:34:16 | hash |
 | jquery.js:36:25:36:31 | tainted |
 | jquery.js:36:25:36:31 | tainted |
+| jquery.js:37:25:37:37 | () => tainted |
+| jquery.js:37:25:37:37 | () => tainted |
+| jquery.js:37:31:37:37 | tainted |
 | json-stringify.jsx:5:9:5:36 | locale |
 | json-stringify.jsx:5:9:5:36 | locale |
 | json-stringify.jsx:5:18:5:36 | req.param("locale") |
@@ -1566,6 +1569,7 @@ edges
 | jquery.js:2:7:2:40 | tainted | jquery.js:8:28:8:34 | tainted |
 | jquery.js:2:7:2:40 | tainted | jquery.js:36:25:36:31 | tainted |
 | jquery.js:2:7:2:40 | tainted | jquery.js:36:25:36:31 | tainted |
+| jquery.js:2:7:2:40 | tainted | jquery.js:37:31:37:37 | tainted |
 | jquery.js:2:17:2:40 | documen ... .search | jquery.js:2:7:2:40 | tainted |
 | jquery.js:2:17:2:40 | documen ... .search | jquery.js:2:7:2:40 | tainted |
 | jquery.js:7:20:7:26 | tainted | jquery.js:7:5:7:34 | "<div i ... + "\\">" |
@@ -1619,6 +1623,8 @@ edges
 | jquery.js:28:5:28:26 | window. ... .search | jquery.js:28:5:28:43 | window. ... ?', '') |
 | jquery.js:34:13:34:16 | hash | jquery.js:34:5:34:25 | '<b>' + ...  '</b>' |
 | jquery.js:34:13:34:16 | hash | jquery.js:34:5:34:25 | '<b>' + ...  '</b>' |
+| jquery.js:37:31:37:37 | tainted | jquery.js:37:25:37:37 | () => tainted |
+| jquery.js:37:31:37:37 | tainted | jquery.js:37:25:37:37 | () => tainted |
 | json-stringify.jsx:5:9:5:36 | locale | json-stringify.jsx:11:51:11:56 | locale |
 | json-stringify.jsx:5:9:5:36 | locale | json-stringify.jsx:19:56:19:61 | locale |
 | json-stringify.jsx:5:9:5:36 | locale | json-stringify.jsx:31:55:31:60 | locale |