all split()[0] are safe for url-redirect

Author: erik-krogh

javascript/ql/src/semmle/javascript/security/dataflow/ClientSideUrlRedirectCustomizations.qll

@@ -53,7 +53,9 @@ module ClientSideUrlRedirect {
     exists(MethodCallExpr mce, string methodName |
       mce = queryAccess.asExpr() and mce.calls(nd.asExpr(), methodName)
     |
-      methodName = "split"
+      methodName = "split" and
+      // exclude all splits where only the prefix is accessed, which is safe for url-redirects.
+      not exists(PropAccess pacc | mce = pacc.getBase() | pacc.getPropertyName() = "0")
       or
       (methodName = "substring" or methodName = "substr" or methodName = "slice") and
       // exclude `location.href.substring(0, ...)` and similar, which can

javascript/ql/test/query-tests/Security/CWE-601/ClientSideUrlRedirect/tst11.js

@@ -3,4 +3,7 @@ function foo() {
     var urlParts = document.location.href.split('?');
     var loc = urlParts[0] + "?" + boxes.value;
     window.location = loc
+
+    // Also OK.
+    window.location.replace(window.location.href.split("#")[0] + "#mappage");
 }