JS: Include $().prop() source in XssThroughDom

Author: asgerf

javascript/ql/src/semmle/javascript/security/dataflow/XssThroughDomCustomizations.qll

@@ -40,10 +40,16 @@ module XssThroughDom {
       (
         this.getMethodName() = ["text", "val"] and this.getNumArgument() = 0
         or
-        this.getMethodName() = "attr" and
-        this.getNumArgument() = 1 and
-        forex(InferredType t | t = this.getArgument(0).analyze().getAType() | t = TTString()) and
-        this.getArgument(0).mayHaveStringValue(unsafeAttributeName())
+        exists(string methodName, string value |
+          this.getMethodName() = methodName and
+          this.getNumArgument() = 1 and
+          forex(InferredType t | t = this.getArgument(0).analyze().getAType() | t = TTString()) and
+          this.getArgument(0).mayHaveStringValue(value)
+        |
+          methodName = "attr" and value = unsafeAttributeName()
+          or
+          methodName = "prop" and value = unsafeDomPropertyName()
+        )
       ) and
       // looks like a $("<p>" + ... ) source, which is benign for this query.
       not exists(DataFlow::Node prefix |

javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/XssThroughDom.expected

@@ -100,6 +100,9 @@ nodes
 | xss-through-dom.js:79:4:79:34 | documen ... t.value |
 | xss-through-dom.js:79:4:79:34 | documen ... t.value |
 | xss-through-dom.js:79:4:79:34 | documen ... t.value |
+| xss-through-dom.js:81:17:81:43 | $('#foo ... rText') |
+| xss-through-dom.js:81:17:81:43 | $('#foo ... rText') |
+| xss-through-dom.js:81:17:81:43 | $('#foo ... rText') |
 edges
 | forms.js:8:23:8:28 | values | forms.js:9:31:9:36 | values |
 | forms.js:8:23:8:28 | values | forms.js:9:31:9:36 | values |
@@ -157,6 +160,7 @@ edges
 | xss-through-dom.js:73:20:73:41 | $("inpu ... 0).name | xss-through-dom.js:73:9:73:41 | selector |
 | xss-through-dom.js:73:20:73:41 | $("inpu ... 0).name | xss-through-dom.js:73:9:73:41 | selector |
 | xss-through-dom.js:79:4:79:34 | documen ... t.value | xss-through-dom.js:79:4:79:34 | documen ... t.value |
+| xss-through-dom.js:81:17:81:43 | $('#foo ... rText') | xss-through-dom.js:81:17:81:43 | $('#foo ... rText') |
 #select
 | forms.js:9:31:9:40 | values.foo | forms.js:8:23:8:28 | values | forms.js:9:31:9:40 | values.foo | $@ is reinterpreted as HTML without escaping meta-characters. | forms.js:8:23:8:28 | values | DOM text |
 | forms.js:12:31:12:40 | values.bar | forms.js:11:24:11:29 | values | forms.js:12:31:12:40 | values.bar | $@ is reinterpreted as HTML without escaping meta-characters. | forms.js:11:24:11:29 | values | DOM text |
@@ -185,3 +189,4 @@ edges
 | xss-through-dom.js:71:11:71:32 | $("inpu ... 0).name | xss-through-dom.js:71:11:71:32 | $("inpu ... 0).name | xss-through-dom.js:71:11:71:32 | $("inpu ... 0).name | $@ is reinterpreted as HTML without escaping meta-characters. | xss-through-dom.js:71:11:71:32 | $("inpu ... 0).name | DOM text |
 | xss-through-dom.js:77:4:77:11 | selector | xss-through-dom.js:73:20:73:41 | $("inpu ... 0).name | xss-through-dom.js:77:4:77:11 | selector | $@ is reinterpreted as HTML without escaping meta-characters. | xss-through-dom.js:73:20:73:41 | $("inpu ... 0).name | DOM text |
 | xss-through-dom.js:79:4:79:34 | documen ... t.value | xss-through-dom.js:79:4:79:34 | documen ... t.value | xss-through-dom.js:79:4:79:34 | documen ... t.value | $@ is reinterpreted as HTML without escaping meta-characters. | xss-through-dom.js:79:4:79:34 | documen ... t.value | DOM text |
+| xss-through-dom.js:81:17:81:43 | $('#foo ... rText') | xss-through-dom.js:81:17:81:43 | $('#foo ... rText') | xss-through-dom.js:81:17:81:43 | $('#foo ... rText') | $@ is reinterpreted as HTML without escaping meta-characters. | xss-through-dom.js:81:17:81:43 | $('#foo ... rText') | DOM text |

javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/xss-through-dom.js

@@ -77,4 +77,6 @@
 	$(selector); // NOT OK
 
 	$(document.my_form.my_input.value); // NOT OK
+
+	$("#id").html( $('#foo').prop('innerText') ); // NOT OK
 })();