add a js/client-side-unvalidated-url-redirection sink for the history library

Author: erik-krogh

javascript/ql/src/semmle/javascript/security/dataflow/ClientSideUrlRedirectCustomizations.qll

@@ -191,6 +191,21 @@ module ClientSideUrlRedirect {
     }
   }
 
+  /**
+   * A write to the location using the [history](https://npmjs.com/package/history) library
+   */
+  class HistoryWriteUrlSink extends ScriptUrlSink {
+    HistoryWriteUrlSink() {
+      this =
+        API::moduleImport("history")
+            .getMember(["createBrowserHistory", "createHashHistory"])
+            .getReturn()
+            .getMember(["push", "replace"])
+            .getACall()
+            .getArgument(0)
+    }
+  }
+
   /**
    * A call to change the current url with a Next.js router.
    */

javascript/ql/test/query-tests/Security/CWE-601/ClientSideUrlRedirect/ClientSideUrlRedirect.expected

@@ -129,6 +129,12 @@ nodes
 | tst13.js:52:34:52:34 | e |
 | tst13.js:53:28:53:28 | e |
 | tst13.js:53:28:53:28 | e |
+| tst13.js:59:9:59:52 | payload |
+| tst13.js:59:19:59:42 | documen ... .search |
+| tst13.js:59:19:59:42 | documen ... .search |
+| tst13.js:59:19:59:52 | documen ... bstr(1) |
+| tst13.js:61:18:61:24 | payload |
+| tst13.js:61:18:61:24 | payload |
 | tst.js:2:19:2:69 | /.*redi ... n.href) |
 | tst.js:2:19:2:72 | /.*redi ... ref)[1] |
 | tst.js:2:19:2:72 | /.*redi ... ref)[1] |
@@ -306,6 +312,11 @@ edges
 | tst13.js:52:34:52:34 | e | tst13.js:53:28:53:28 | e |
 | tst13.js:52:34:52:34 | e | tst13.js:53:28:53:28 | e |
 | tst13.js:52:34:52:34 | e | tst13.js:53:28:53:28 | e |
+| tst13.js:59:9:59:52 | payload | tst13.js:61:18:61:24 | payload |
+| tst13.js:59:9:59:52 | payload | tst13.js:61:18:61:24 | payload |
+| tst13.js:59:19:59:42 | documen ... .search | tst13.js:59:19:59:52 | documen ... bstr(1) |
+| tst13.js:59:19:59:42 | documen ... .search | tst13.js:59:19:59:52 | documen ... bstr(1) |
+| tst13.js:59:19:59:52 | documen ... bstr(1) | tst13.js:59:9:59:52 | payload |
 | tst.js:2:19:2:69 | /.*redi ... n.href) | tst.js:2:19:2:72 | /.*redi ... ref)[1] |
 | tst.js:2:19:2:69 | /.*redi ... n.href) | tst.js:2:19:2:72 | /.*redi ... ref)[1] |
 | tst.js:2:47:2:63 | document.location | tst.js:2:47:2:68 | documen ... on.href |
@@ -397,6 +408,7 @@ edges
 | tst13.js:44:14:44:20 | payload | tst13.js:2:19:2:42 | documen ... .search | tst13.js:44:14:44:20 | payload | Untrusted URL redirection due to $@. | tst13.js:2:19:2:42 | documen ... .search | user-provided value |
 | tst13.js:50:23:50:23 | e | tst13.js:49:32:49:32 | e | tst13.js:50:23:50:23 | e | Untrusted URL redirection due to $@. | tst13.js:49:32:49:32 | e | user-provided value |
 | tst13.js:53:28:53:28 | e | tst13.js:52:34:52:34 | e | tst13.js:53:28:53:28 | e | Untrusted URL redirection due to $@. | tst13.js:52:34:52:34 | e | user-provided value |
+| tst13.js:61:18:61:24 | payload | tst13.js:59:19:59:42 | documen ... .search | tst13.js:61:18:61:24 | payload | Untrusted URL redirection due to $@. | tst13.js:59:19:59:42 | documen ... .search | user-provided value |
 | tst.js:2:19:2:72 | /.*redi ... ref)[1] | tst.js:2:47:2:63 | document.location | tst.js:2:19:2:72 | /.*redi ... ref)[1] | Untrusted URL redirection due to $@. | tst.js:2:47:2:63 | document.location | user-provided value |
 | tst.js:2:19:2:72 | /.*redi ... ref)[1] | tst.js:2:47:2:68 | documen ... on.href | tst.js:2:19:2:72 | /.*redi ... ref)[1] | Untrusted URL redirection due to $@. | tst.js:2:47:2:68 | documen ... on.href | user-provided value |
 | tst.js:6:20:6:59 | indirec ... ref)[1] | tst.js:6:34:6:50 | document.location | tst.js:6:20:6:59 | indirec ... ref)[1] | Untrusted URL redirection due to $@. | tst.js:6:34:6:50 | document.location | user-provided value |

javascript/ql/test/query-tests/Security/CWE-601/ClientSideUrlRedirect/tst13.js

@@ -53,3 +53,10 @@ function foo() {
         self.importScripts(e); // NOT OK
     }
 })();
+
+const history = require('history').createBrowserHistory();
+function bar() {
+    var payload = document.location.search.substr(1);
+
+    history.push(payload); // NOT OK
+}