Add a boosted version of XssThroughDOM

Author: tiferet

javascript/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/XssThroughDomATM.qll

@@ -0,0 +1,88 @@
+/**
+ * For internal use only.
+ *
+ * A taint-tracking configuration for reasoning about XSS through the DOM.
+ * Defines shared code used by the XSS Through DOM boosted query.
+ */
+
+private import semmle.javascript.heuristics.SyntacticHeuristics
+private import semmle.javascript.security.dataflow.DomBasedXssCustomizations
+private import semmle.javascript.dataflow.InferredTypes
+private import semmle.javascript.security.dataflow.XssThroughDomCustomizations::XssThroughDom as XssThroughDom
+private import semmle.javascript.security.dataflow.UnsafeJQueryPluginCustomizations::UnsafeJQueryPlugin as UnsafeJQuery
+import AdaptiveThreatModeling
+
+class XssThroughDomAtmConfig extends AtmConfig {
+  XssThroughDomAtmConfig() { this = "XssThroughDomAtmConfig" }
+
+  override predicate isKnownSource(DataFlow::Node source) {
+    source instanceof XssThroughDom::Source
+  }
+
+  override EndpointType getASinkEndpointType() { result instanceof XssSinkType }
+
+  override predicate isSanitizer(DataFlow::Node node) {
+    super.isSanitizer(node) or
+    node instanceof DomBasedXss::Sanitizer
+  }
+
+  override predicate isSanitizerGuard(TaintTracking::SanitizerGuardNode guard) {
+    guard instanceof TypeTestGuard or
+    guard instanceof UnsafeJQuery::PropertyPresenceSanitizer or
+    guard instanceof UnsafeJQuery::NumberGuard or
+    guard instanceof PrefixStringSanitizer or
+    guard instanceof QuoteGuard or
+    guard instanceof ContainsHtmlGuard
+  }
+
+  override predicate isSanitizerEdge(DataFlow::Node pred, DataFlow::Node succ) {
+    DomBasedXss::isOptionallySanitizedEdge(pred, succ)
+  }
+}
+
+/**
+ * A test of form `typeof x === "something"`, preventing `x` from being a string in some cases.
+ *
+ * This sanitizer helps prune infeasible paths in type-overloaded functions.
+ */
+class TypeTestGuard extends TaintTracking::SanitizerGuardNode, DataFlow::ValueNode {
+  override EqualityTest astNode;
+  Expr operand;
+  boolean polarity;
+
+  TypeTestGuard() {
+    exists(TypeofTag tag | TaintTracking::isTypeofGuard(astNode, operand, tag) |
+      // typeof x === "string" sanitizes `x` when it evaluates to false
+      tag = "string" and
+      polarity = astNode.getPolarity().booleanNot()
+      or
+      // typeof x === "object" sanitizes `x` when it evaluates to true
+      tag != "string" and
+      polarity = astNode.getPolarity()
+    )
+  }
+
+  override predicate sanitizes(boolean outcome, Expr e) {
+    polarity = outcome and
+    e = operand
+  }
+}
+
+private import semmle.javascript.security.dataflow.Xss::Shared as Shared
+
+private class PrefixStringSanitizer extends TaintTracking::SanitizerGuardNode,
+  DomBasedXss::PrefixStringSanitizer {
+  PrefixStringSanitizer() { this = this }
+}
+
+private class PrefixString extends DataFlow::FlowLabel, DomBasedXss::PrefixString {
+  PrefixString() { this = this }
+}
+
+private class QuoteGuard extends TaintTracking::SanitizerGuardNode, Shared::QuoteGuard {
+  QuoteGuard() { this = this }
+}
+
+private class ContainsHtmlGuard extends TaintTracking::SanitizerGuardNode, Shared::ContainsHtmlGuard {
+  ContainsHtmlGuard() { this = this }
+}

javascript/ql/experimental/adaptivethreatmodeling/modelbuilding/extraction/ExtractEndpointMapping.ql

@@ -8,6 +8,7 @@ import experimental.adaptivethreatmodeling.SqlInjectionATM as SqlInjectionAtm
 import experimental.adaptivethreatmodeling.NosqlInjectionATM as NosqlInjectionAtm
 import experimental.adaptivethreatmodeling.TaintedPathATM as TaintedPathAtm
 import experimental.adaptivethreatmodeling.XssATM as XssAtm
+import experimental.adaptivethreatmodeling.XssThroughDomATM as XssThroughDomAtm
 import experimental.adaptivethreatmodeling.AdaptiveThreatModeling
 
 from string queryName, AtmConfig c, EndpointType e
@@ -23,6 +24,8 @@ where
     c instanceof TaintedPathAtm::TaintedPathAtmConfig
     or
     queryName = "Xss" and c instanceof XssAtm::DomBasedXssAtmConfig
+    or
+    queryName = "XssThroughDom" and c instanceof XssThroughDomAtm::XssThroughDomAtmConfig
   ) and
   e = c.getASinkEndpointType()
 select queryName, e.getEncoding() as label

javascript/ql/experimental/adaptivethreatmodeling/src/XssThroughDomATM.ql

@@ -0,0 +1,25 @@
+/**
+ * For internal use only.
+ *
+ * @name DOM text reinterpreted as HTML (experimental)
+ * @description Reinterpreting text from the DOM as HTML can lead
+ *              to a cross-site scripting vulnerability.
+ * @kind path-problem
+ * @scored
+ * @problem.severity error
+ * @security-severity 6.1
+ * @id js/ml-powered/xss-through-dom
+ * @tags experimental security
+ *       external/cwe/cwe-079 external/cwe/cwe-116
+ */
+
+import javascript
+import ATM::ResultsInfo
+import DataFlow::PathGraph
+import experimental.adaptivethreatmodeling.XssThroughDomATM
+
+from AtmConfig cfg, DataFlow::PathNode source, DataFlow::PathNode sink, float score
+where cfg.getAlerts(source, sink, score)
+select sink.getNode(), source, sink,
+  "(Experimental) $@ may be reinterpreted as HTML without escaping meta-characters. Identified using machine learning.",
+  source.getNode(), "DOM text", score