corrections after code review

erik-krogh · erik-krogh · commit b53759c5a059 · 2021-05-06T22:49:25.000+02:00
diff --git a/javascript/ql/src/Security/CWE-079/UnsafeHtmlConstruction.qhelp b/javascript/ql/src/Security/CWE-079/UnsafeHtmlConstruction.qhelp
@@ -4,8 +4,8 @@
 <qhelp>
 <overview>
 	<p>
-		Dynamically constructing HTML with inputs from library functions may 
-		inadvertently leave a client open to XSS attacks.
+		Dynamically constructing HTML with inputs from library functions that are 
+		available to external clients may inadvertently leave a client open to XSS attacks.
 		
 		Clients using the exported function may use inputs containing unsafe HTML,
 		and if these inputs end up in the DOM, the client may be vulnerable to
diff --git a/javascript/ql/src/semmle/javascript/frameworks/Markdown.qll b/javascript/ql/src/semmle/javascript/frameworks/Markdown.qll
@@ -17,6 +17,11 @@ module Markdown {
      * Holds if there is a taint-step from `pred` to `succ` for a taint-preserving markdown parser.
      */
     abstract predicate step(DataFlow::Node pred, DataFlow::Node succ);
+
+    /**
+     * Holds if the taint-step preserves HTML.
+     */
+    predicate preservesHTML() { any() }
   }
 
   private class MarkdownStepAsTaintStep extends TaintTracking::SharedTaintStep {
diff --git a/javascript/ql/src/semmle/javascript/security/dataflow/UnsafeHtmlConstruction.qll b/javascript/ql/src/semmle/javascript/security/dataflow/UnsafeHtmlConstruction.qll
@@ -38,7 +38,7 @@ module UnsafeHtmlConstruction {
     // override to require that there is a path without unmatched return steps
     override predicate hasFlowPath(DataFlow::SourcePathNode source, DataFlow::SinkPathNode sink) {
       super.hasFlowPath(source, sink) and
-      requireMatchedReturn(source, sink)
+      hasPathWithoutUnmatchedReturn(source, sink)
     }
 
     override predicate isAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
diff --git a/javascript/ql/src/semmle/javascript/security/dataflow/UnsafeHtmlConstructionCustomizations.qll b/javascript/ql/src/semmle/javascript/security/dataflow/UnsafeHtmlConstructionCustomizations.qll
@@ -165,7 +165,7 @@ module UnsafeHtmlConstruction {
     MarkdownSink() {
       exists(DataFlow::Node pred, DataFlow::Node succ, Markdown::MarkdownStep step |
         step.step(pred, succ) and
-        step.preservesHtml() and
+        step.preservesHTML() and
         this = pred and
         succ = isUsedInXssSink(xssSink)
       )
@@ -177,7 +177,9 @@ module UnsafeHtmlConstruction {
   /**
    *  Holds if there is a path without unmatched return steps from `source` to `sink`.
    */
-  predicate hasPathWithoutUnmatchedReturn(DataFlow::SourcePathNode source, DataFlow::SinkPathNode sink) {
+  predicate hasPathWithoutUnmatchedReturn(
+    DataFlow::SourcePathNode source, DataFlow::SinkPathNode sink
+  ) {
     exists(DataFlow::MidPathNode mid |
       source.getASuccessor*() = mid and
       sink = mid.getASuccessor() and

Original file line number	Diff line number	Diff line change
`@@ -38,7 +38,7 @@ module UnsafeHtmlConstruction {`
`38`	`38`	`// override to require that there is a path without unmatched return steps`
`39`	`39`	`override predicate hasFlowPath(DataFlow::SourcePathNode source, DataFlow::SinkPathNode sink) {`
`40`	`40`	`super.hasFlowPath(source, sink) and`
`41`		`- requireMatchedReturn(source, sink)`
	`41`	`+ hasPathWithoutUnmatchedReturn(source, sink)`
`42`	`42`	`}`
`43`	`43`
`44`	`44`	`override predicate isAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) {`