add a sanitizer guard for safe attribute string concatenations

Author: erik-krogh

javascript/ql/src/semmle/javascript/security/dataflow/DomBasedXss.qll

@@ -24,6 +24,10 @@ module DomBasedXss {
       node instanceof Sanitizer
     }
 
+    override predicate isSanitizerGuard(TaintTracking::SanitizerGuardNode guard) {
+      guard instanceof SanitizerGuard
+    }
+
     override predicate isAdditionalLoadStoreStep(
       DataFlow::Node pred, DataFlow::Node succ, string predProp, string succProp
     ) {

javascript/ql/src/semmle/javascript/security/dataflow/ReflectedXss.qll

@@ -22,5 +22,9 @@ module ReflectedXss {
       super.isSanitizer(node) or
       node instanceof Sanitizer
     }
+
+    override predicate isSanitizerGuard(TaintTracking::SanitizerGuardNode guard) {
+      guard instanceof SanitizerGuard
+    }
   }
 }

javascript/ql/src/semmle/javascript/security/dataflow/StoredXss.qll

@@ -22,6 +22,10 @@ module StoredXss {
       super.isSanitizer(node) or
       node instanceof Sanitizer
     }
+
+    override predicate isSanitizerGuard(TaintTracking::SanitizerGuardNode guard) {
+      guard instanceof SanitizerGuard
+    }
   }
 
   /** A file name, considered as a flow source for stored XSS. */

javascript/ql/src/semmle/javascript/security/dataflow/Xss.qll

@@ -23,6 +23,9 @@ module Shared {
   /** A sanitizer for XSS vulnerabilities. */
   abstract class Sanitizer extends DataFlow::Node { }
 
+  /** A sanitizer guard for XSS vulnerabilities. */
+  abstract class SanitizerGuard extends TaintTracking::SanitizerGuardNode { }
+
   /**
    * A regexp replacement involving an HTML meta-character, viewed as a sanitizer for
    * XSS vulnerabilities.
@@ -51,10 +54,30 @@ module Shared {
       )
     }
   }
+
+  private import semmle.javascript.security.dataflow.IncompleteHtmlAttributeSanitizationCustomizations::IncompleteHtmlAttributeSanitization as IncompleteHTML
+
+  /**
+   * A guard that checks if a string can contain quotes, which is a guard for strings that are inside a HTML attribute.
+   */
+  class QuoteGuard extends SanitizerGuard, StringOps::Includes {
+    QuoteGuard() {
+      this.getSubstring().mayHaveStringValue("\"") and
+      this
+          .getBaseString()
+          .getALocalSource()
+          .flowsTo(any(IncompleteHTML::HtmlAttributeConcatenation attributeConcat))
+    }
+
+    override predicate sanitizes(boolean outcome, Expr e) {
+      e = this.getBaseString().getEnclosingExpr() and outcome = this.getPolarity().booleanNot()
+    }
+  }
 }
 
 /** Provides classes and predicates for the DOM-based XSS query. */
 module DomBasedXss {
+  // StringReplaceCallSequence
   /** A data flow source for DOM-based XSS vulnerabilities. */
   abstract class Source extends Shared::Source { }
 
@@ -64,6 +87,9 @@ module DomBasedXss {
   /** A sanitizer for DOM-based XSS vulnerabilities. */
   abstract class Sanitizer extends Shared::Sanitizer { }
 
+  /** A sanitizer guard for DOM-based XSS vulnerabilities. */
+  abstract class SanitizerGuard extends Shared::SanitizerGuard { }
+
   /**
    * An expression whose value is interpreted as HTML
    * and may be inserted into the DOM through a library.
@@ -302,6 +328,8 @@ module DomBasedXss {
   private class MetacharEscapeSanitizer extends Sanitizer, Shared::MetacharEscapeSanitizer { }
 
   private class UriEncodingSanitizer extends Sanitizer, Shared::UriEncodingSanitizer { }
+
+  private class QuoteGuard extends SanitizerGuard, Shared::QuoteGuard { }
 }
 
 /** Provides classes and predicates for the reflected XSS query. */
@@ -315,6 +343,9 @@ module ReflectedXss {
   /** A sanitizer for reflected XSS vulnerabilities. */
   abstract class Sanitizer extends Shared::Sanitizer { }
 
+  /** A sanitizer guard for reflected XSS vulnerabilities. */
+  abstract class SanitizerGuard extends Shared::SanitizerGuard { }
+
   /**
    * An expression that is sent as part of an HTTP response, considered as an XSS sink.
    *
@@ -401,6 +432,8 @@ module ReflectedXss {
   private class MetacharEscapeSanitizer extends Sanitizer, Shared::MetacharEscapeSanitizer { }
 
   private class UriEncodingSanitizer extends Sanitizer, Shared::UriEncodingSanitizer { }
+
+  private class QuoteGuard extends SanitizerGuard, Shared::QuoteGuard { }
 }
 
 /** Provides classes and predicates for the stored XSS query. */
@@ -414,6 +447,9 @@ module StoredXss {
   /** A sanitizer for stored XSS vulnerabilities. */
   abstract class Sanitizer extends Shared::Sanitizer { }
 
+  /** A sanitizer guard for stored XSS vulnerabilities. */
+  abstract class SanitizerGuard extends Shared::SanitizerGuard { }
+
   /** An arbitrary XSS sink, considered as a flow sink for stored XSS. */
   private class AnySink extends Sink {
     AnySink() { this instanceof Shared::Sink }
@@ -429,6 +465,8 @@ module StoredXss {
   private class MetacharEscapeSanitizer extends Sanitizer, Shared::MetacharEscapeSanitizer { }
 
   private class UriEncodingSanitizer extends Sanitizer, Shared::UriEncodingSanitizer { }
+
+  private class QuoteGuard extends SanitizerGuard, Shared::QuoteGuard { }
 }
 
 /** Provides classes and predicates for the XSS through DOM query. */

javascript/ql/src/semmle/javascript/security/dataflow/XssThroughDom.qll

@@ -31,7 +31,8 @@ module XssThroughDom {
 
     override predicate isSanitizerGuard(TaintTracking::SanitizerGuardNode guard) {
       guard instanceof TypeTestGuard or
-      guard instanceof UnsafeJQuery::PropertyPresenceSanitizer
+      guard instanceof UnsafeJQuery::PropertyPresenceSanitizer or
+      guard instanceof DomBasedXss::SanitizerGuard
     }
   }
 

javascript/ql/test/query-tests/Security/CWE-079/Xss.expected

@@ -53,6 +53,11 @@ nodes
 | stored-xss.js:5:20:5:52 | session ... ssion') |
 | stored-xss.js:8:20:8:48 | localSt ... local') |
 | stored-xss.js:8:20:8:48 | localSt ... local') |
+| stored-xss.js:10:9:10:44 | href |
+| stored-xss.js:10:16:10:44 | localSt ... local') |
+| stored-xss.js:12:20:12:54 | "<a hre ... ar</a>" |
+| stored-xss.js:12:20:12:54 | "<a hre ... ar</a>" |
+| stored-xss.js:12:35:12:38 | href |
 | string-manipulations.js:3:16:3:32 | document.location |
 | string-manipulations.js:3:16:3:32 | document.location |
 | string-manipulations.js:3:16:3:32 | document.location |
@@ -431,6 +436,11 @@ edges
 | stored-xss.js:3:35:3:51 | document.location | stored-xss.js:3:35:3:58 | documen ... .search |
 | stored-xss.js:3:35:3:58 | documen ... .search | stored-xss.js:8:20:8:48 | localSt ... local') |
 | stored-xss.js:3:35:3:58 | documen ... .search | stored-xss.js:8:20:8:48 | localSt ... local') |
+| stored-xss.js:3:35:3:58 | documen ... .search | stored-xss.js:10:16:10:44 | localSt ... local') |
+| stored-xss.js:10:9:10:44 | href | stored-xss.js:12:35:12:38 | href |
+| stored-xss.js:10:16:10:44 | localSt ... local') | stored-xss.js:10:9:10:44 | href |
+| stored-xss.js:12:35:12:38 | href | stored-xss.js:12:20:12:54 | "<a hre ... ar</a>" |
+| stored-xss.js:12:35:12:38 | href | stored-xss.js:12:20:12:54 | "<a hre ... ar</a>" |
 | string-manipulations.js:3:16:3:32 | document.location | string-manipulations.js:3:16:3:32 | document.location |
 | string-manipulations.js:4:16:4:32 | document.location | string-manipulations.js:4:16:4:37 | documen ... on.href |
 | string-manipulations.js:4:16:4:32 | document.location | string-manipulations.js:4:16:4:37 | documen ... on.href |
@@ -732,6 +742,7 @@ edges
 | react-native.js:9:27:9:33 | tainted | react-native.js:7:17:7:33 | req.param("code") | react-native.js:9:27:9:33 | tainted | Cross-site scripting vulnerability due to $@. | react-native.js:7:17:7:33 | req.param("code") | user-provided value |
 | stored-xss.js:5:20:5:52 | session ... ssion') | stored-xss.js:2:39:2:55 | document.location | stored-xss.js:5:20:5:52 | session ... ssion') | Cross-site scripting vulnerability due to $@. | stored-xss.js:2:39:2:55 | document.location | user-provided value |
 | stored-xss.js:8:20:8:48 | localSt ... local') | stored-xss.js:3:35:3:51 | document.location | stored-xss.js:8:20:8:48 | localSt ... local') | Cross-site scripting vulnerability due to $@. | stored-xss.js:3:35:3:51 | document.location | user-provided value |
+| stored-xss.js:12:20:12:54 | "<a hre ... ar</a>" | stored-xss.js:3:35:3:51 | document.location | stored-xss.js:12:20:12:54 | "<a hre ... ar</a>" | Cross-site scripting vulnerability due to $@. | stored-xss.js:3:35:3:51 | document.location | user-provided value |
 | string-manipulations.js:3:16:3:32 | document.location | string-manipulations.js:3:16:3:32 | document.location | string-manipulations.js:3:16:3:32 | document.location | Cross-site scripting vulnerability due to $@. | string-manipulations.js:3:16:3:32 | document.location | user-provided value |
 | string-manipulations.js:4:16:4:37 | documen ... on.href | string-manipulations.js:4:16:4:32 | document.location | string-manipulations.js:4:16:4:37 | documen ... on.href | Cross-site scripting vulnerability due to $@. | string-manipulations.js:4:16:4:32 | document.location | user-provided value |
 | string-manipulations.js:5:16:5:47 | documen ... lueOf() | string-manipulations.js:5:16:5:32 | document.location | string-manipulations.js:5:16:5:47 | documen ... lueOf() | Cross-site scripting vulnerability due to $@. | string-manipulations.js:5:16:5:32 | document.location | user-provided value |

javascript/ql/test/query-tests/Security/CWE-079/XssWithAdditionalSources.expected

@@ -53,6 +53,11 @@ nodes
 | stored-xss.js:5:20:5:52 | session ... ssion') |
 | stored-xss.js:8:20:8:48 | localSt ... local') |
 | stored-xss.js:8:20:8:48 | localSt ... local') |
+| stored-xss.js:10:9:10:44 | href |
+| stored-xss.js:10:16:10:44 | localSt ... local') |
+| stored-xss.js:12:20:12:54 | "<a hre ... ar</a>" |
+| stored-xss.js:12:20:12:54 | "<a hre ... ar</a>" |
+| stored-xss.js:12:35:12:38 | href |
 | string-manipulations.js:3:16:3:32 | document.location |
 | string-manipulations.js:3:16:3:32 | document.location |
 | string-manipulations.js:3:16:3:32 | document.location |
@@ -435,6 +440,11 @@ edges
 | stored-xss.js:3:35:3:51 | document.location | stored-xss.js:3:35:3:58 | documen ... .search |
 | stored-xss.js:3:35:3:58 | documen ... .search | stored-xss.js:8:20:8:48 | localSt ... local') |
 | stored-xss.js:3:35:3:58 | documen ... .search | stored-xss.js:8:20:8:48 | localSt ... local') |
+| stored-xss.js:3:35:3:58 | documen ... .search | stored-xss.js:10:16:10:44 | localSt ... local') |
+| stored-xss.js:10:9:10:44 | href | stored-xss.js:12:35:12:38 | href |
+| stored-xss.js:10:16:10:44 | localSt ... local') | stored-xss.js:10:9:10:44 | href |
+| stored-xss.js:12:35:12:38 | href | stored-xss.js:12:20:12:54 | "<a hre ... ar</a>" |
+| stored-xss.js:12:35:12:38 | href | stored-xss.js:12:20:12:54 | "<a hre ... ar</a>" |
 | string-manipulations.js:3:16:3:32 | document.location | string-manipulations.js:3:16:3:32 | document.location |
 | string-manipulations.js:4:16:4:32 | document.location | string-manipulations.js:4:16:4:37 | documen ... on.href |
 | string-manipulations.js:4:16:4:32 | document.location | string-manipulations.js:4:16:4:37 | documen ... on.href |

javascript/ql/test/query-tests/Security/CWE-079/stored-xss.js

@@ -6,4 +6,25 @@
     $('myId').html(localStorage.getItem('session')); // OK
     $('myId').html(sessionStorage.getItem('local')); // OK
     $('myId').html(localStorage.getItem('local')); // NOT OK
+
+    var href = localStorage.getItem('local');
+
+    $('myId').html("<a href=\"" + href + ">foobar</a>"); // NOT OK
+
+    if (href.indexOf("\"") !== -1) {
+        return;
+    }
+    $('myId').html("<a href=\"" + href + "/>"); // OK
+
+    var href2 = localStorage.getItem('local');
+    if (href2.indexOf("\"") !== -1) {
+        return;
+    }
+    $('myId').html("\n<a href=\"" + href2 + ">foobar</a>"); // OK
+
+    var href3 = localStorage.getItem('local');
+    if (href3.indexOf("\"") !== -1) {
+        return;
+    }
+    $('myId').html('\r\n<a href="/' + href3 + '">' + "something" + '</a>'); // OK
 });