add ClientSideUrlRedirect sink for Next.js routers

Author: erik-krogh

javascript/ql/src/semmle/javascript/frameworks/Next.qll

@@ -8,7 +8,6 @@ import javascript
  * Provides classes and predicates modelling [Next.js](https://www.npmjs.com/package/next).
  */
 module NextJS {
-  // TODO: Private.
   /**
    * Gets a `package.json` that depends on the `Next.js` library.
    */
@@ -223,4 +222,19 @@ module NextJS {
       kind = "response" and result = getFunction().getParameter(1)
     }
   }
+
+  /**
+   * Gets a reference to a [Next.js router](https://nextjs.org/docs/api-reference/next/router).
+   */
+  DataFlow::SourceNode nextRouter() {
+    result = DataFlow::moduleMember("next/router", "useRouter").getACall()
+    or
+    result =
+      API::moduleImport("next/router")
+          .getMember("withRouter")
+          .getParameter(0)
+          .getParameter(0)
+          .getMember("router")
+          .getAnImmediateUse()
+  }
 }

javascript/ql/src/semmle/javascript/security/dataflow/ClientSideUrlRedirectCustomizations.qll

@@ -177,4 +177,11 @@ module ClientSideUrlRedirect {
       )
     }
   }
+
+  /**
+   * A call to change the current url with a Next.js router.
+   */
+  class NextRoutePushUrlSink extends ScriptUrlSink {
+    NextRoutePushUrlSink() { this = NextJS::nextRouter().getAMemberCall("push").getArgument(0) }
+  }
 }

javascript/ql/test/query-tests/Security/CWE-601/ClientSideUrlRedirect/ClientSideUrlRedirect.expected

@@ -11,6 +11,14 @@ nodes
 | react.js:21:24:21:40 | document.location |
 | react.js:21:24:21:45 | documen ... on.hash |
 | react.js:21:24:21:45 | documen ... on.hash |
+| react.js:28:43:28:59 | document.location |
+| react.js:28:43:28:59 | document.location |
+| react.js:28:43:28:64 | documen ... on.hash |
+| react.js:28:43:28:64 | documen ... on.hash |
+| react.js:34:43:34:59 | document.location |
+| react.js:34:43:34:59 | document.location |
+| react.js:34:43:34:64 | documen ... on.hash |
+| react.js:34:43:34:64 | documen ... on.hash |
 | sanitizer.js:2:9:2:25 | url |
 | sanitizer.js:2:15:2:25 | window.name |
 | sanitizer.js:2:15:2:25 | window.name |
@@ -205,6 +213,14 @@ edges
 | react.js:21:24:21:40 | document.location | react.js:21:24:21:45 | documen ... on.hash |
 | react.js:21:24:21:40 | document.location | react.js:21:24:21:45 | documen ... on.hash |
 | react.js:21:24:21:40 | document.location | react.js:21:24:21:45 | documen ... on.hash |
+| react.js:28:43:28:59 | document.location | react.js:28:43:28:64 | documen ... on.hash |
+| react.js:28:43:28:59 | document.location | react.js:28:43:28:64 | documen ... on.hash |
+| react.js:28:43:28:59 | document.location | react.js:28:43:28:64 | documen ... on.hash |
+| react.js:28:43:28:59 | document.location | react.js:28:43:28:64 | documen ... on.hash |
+| react.js:34:43:34:59 | document.location | react.js:34:43:34:64 | documen ... on.hash |
+| react.js:34:43:34:59 | document.location | react.js:34:43:34:64 | documen ... on.hash |
+| react.js:34:43:34:59 | document.location | react.js:34:43:34:64 | documen ... on.hash |
+| react.js:34:43:34:59 | document.location | react.js:34:43:34:64 | documen ... on.hash |
 | sanitizer.js:2:9:2:25 | url | sanitizer.js:4:27:4:29 | url |
 | sanitizer.js:2:9:2:25 | url | sanitizer.js:4:27:4:29 | url |
 | sanitizer.js:2:9:2:25 | url | sanitizer.js:16:27:16:29 | url |
@@ -376,6 +392,8 @@ edges
 | electron.js:7:20:7:29 | getTaint() | electron.js:4:12:4:22 | window.name | electron.js:7:20:7:29 | getTaint() | Untrusted URL redirection due to $@. | electron.js:4:12:4:22 | window.name | user-provided value |
 | react.js:10:60:10:81 | documen ... on.hash | react.js:10:60:10:76 | document.location | react.js:10:60:10:81 | documen ... on.hash | Untrusted URL redirection due to $@. | react.js:10:60:10:76 | document.location | user-provided value |
 | react.js:21:24:21:45 | documen ... on.hash | react.js:21:24:21:40 | document.location | react.js:21:24:21:45 | documen ... on.hash | Untrusted URL redirection due to $@. | react.js:21:24:21:40 | document.location | user-provided value |
+| react.js:28:43:28:64 | documen ... on.hash | react.js:28:43:28:59 | document.location | react.js:28:43:28:64 | documen ... on.hash | Untrusted URL redirection due to $@. | react.js:28:43:28:59 | document.location | user-provided value |
+| react.js:34:43:34:64 | documen ... on.hash | react.js:34:43:34:59 | document.location | react.js:34:43:34:64 | documen ... on.hash | Untrusted URL redirection due to $@. | react.js:34:43:34:59 | document.location | user-provided value |
 | sanitizer.js:4:27:4:29 | url | sanitizer.js:2:15:2:25 | window.name | sanitizer.js:4:27:4:29 | url | Untrusted URL redirection due to $@. | sanitizer.js:2:15:2:25 | window.name | user-provided value |
 | sanitizer.js:16:27:16:29 | url | sanitizer.js:2:15:2:25 | window.name | sanitizer.js:16:27:16:29 | url | Untrusted URL redirection due to $@. | sanitizer.js:2:15:2:25 | window.name | user-provided value |
 | sanitizer.js:19:27:19:29 | url | sanitizer.js:2:15:2:25 | window.name | sanitizer.js:19:27:19:29 | url | Untrusted URL redirection due to $@. | sanitizer.js:2:15:2:25 | window.name | user-provided value |

javascript/ql/test/query-tests/Security/CWE-601/ClientSideUrlRedirect/react.js

@@ -19,4 +19,19 @@ export default Application
 import Link from 'next/link'
 export function NextLink() {
     return <Link href={document.location.hash}><a>this page!</a></Link>;
-}
+}
+
+import { useRouter } from 'next/router'
+
+export function nextRouter() {
+  const router = useRouter();
+  return <span onClick={() => router.push(document.location.hash)}>Click to XSS 1</span>
+}
+
+import { withRouter } from 'next/router'
+
+function Page({ router }) {
+  return <span onClick={() => router.push(document.location.hash)}>Click to XSS 2</span>
+}
+
+export const pageWithRouter = withRouter(Page);