File tree Expand file tree Collapse file tree 1 file changed +18
-3
lines changed
javascript/ql/src/semmle/javascript/security/dataflow Expand file tree Collapse file tree 1 file changed +18
-3
lines changed Original file line number Diff line number Diff line change @@ -51,9 +51,7 @@ module ClientSideUrlRedirect {
5151 exists ( MethodCallExpr mce , string methodName |
5252 mce = queryAccess .asExpr ( ) and mce .calls ( nd .asExpr ( ) , methodName )
5353 |
54- methodName = "split" and
55- // exclude `location.href.split('?')[0]`, which can never refer to the query string
56- not exists ( PropAccess pacc | mce = pacc .getBase ( ) | pacc .getPropertyName ( ) = "0" )
54+ methodName = "split"
5755 or
5856 ( methodName = "substring" or methodName = "substr" or methodName = "slice" ) and
5957 // exclude `location.href.substring(0, ...)` and similar, which can
@@ -68,6 +66,23 @@ module ClientSideUrlRedirect {
6866 )
6967 }
7068
69+ /**
70+ * A sanitizer that reads the first part a location split by "?", e.g. `location.href.split('?')[0]`.
71+ */
72+ class QueryPrefixSanitizer extends Sanitizer {
73+ DataFlow:: PropRead read ;
74+
75+ QueryPrefixSanitizer ( ) {
76+ this = read and
77+ read .getPropertyName ( ) = "0" and
78+ exists ( DataFlow:: MethodCallNode splitCall | splitCall = read .getBase ( ) .getALocalSource ( ) |
79+ splitCall .getMethodName ( ) = "split" and
80+ splitCall .getArgument ( 0 ) .mayHaveStringValue ( "?" ) and
81+ splitCall .getReceiver ( ) = [ DOM:: locationRef ( ) , DOM:: locationRef ( ) .getAPropertyRead ( "href" ) ]
82+ )
83+ }
84+ }
85+
7186 /**
7287 * A sink which is used to set the window location.
7388 */
You can’t perform that action at this time.
0 commit comments