only flag React elements in ClientSideUrlRedirect if it's a HTML element, or known link class

Author: erik-krogh

javascript/ql/src/semmle/javascript/JSX.qll

@@ -65,6 +65,12 @@ class JSXElement extends JSXNode {
   }
 
   override string getAPrimaryQlClass() { result = "JSXElement" }
+
+  /**
+   * Holds if this JSX element is a HTML element.
+   * That is, the name starts with a lowercase letter.
+   */
+  predicate isHTMLElement() { getName().regexpMatch("[a-z].*") }
 }
 
 /**

javascript/ql/src/semmle/javascript/security/dataflow/ClientSideUrlRedirectCustomizations.qll

@@ -173,7 +173,10 @@ module ClientSideUrlRedirect {
   class ReactAttributeWriteUrlSink extends ScriptUrlSink {
     ReactAttributeWriteUrlSink() {
       exists(JSXAttribute attr |
-        attr.getName() = DOM::getAPropertyNameInterpretedAsJavaScriptUrl()
+        attr.getName() = DOM::getAPropertyNameInterpretedAsJavaScriptUrl() and
+        attr.getElement().isHTMLElement()
+        or
+        DataFlow::moduleImport("next/link").flowsToExpr(attr.getElement().getNameExpr())
       |
         this = attr.getValue().flow()
       )

javascript/ql/test/query-tests/Security/CWE-601/ClientSideUrlRedirect/ClientSideUrlRedirect.expected

@@ -21,6 +21,11 @@ nodes
 | react.js:34:43:34:64 | documen ... on.hash |
 | react.js:34:43:34:74 | documen ... bstr(1) |
 | react.js:34:43:34:74 | documen ... bstr(1) |
+| react.js:40:19:40:35 | document.location |
+| react.js:40:19:40:35 | document.location |
+| react.js:40:19:40:40 | documen ... on.hash |
+| react.js:40:19:40:50 | documen ... bstr(1) |
+| react.js:40:19:40:50 | documen ... bstr(1) |
 | sanitizer.js:2:9:2:25 | url |
 | sanitizer.js:2:15:2:25 | window.name |
 | sanitizer.js:2:15:2:25 | window.name |
@@ -223,6 +228,10 @@ edges
 | react.js:34:43:34:59 | document.location | react.js:34:43:34:64 | documen ... on.hash |
 | react.js:34:43:34:64 | documen ... on.hash | react.js:34:43:34:74 | documen ... bstr(1) |
 | react.js:34:43:34:64 | documen ... on.hash | react.js:34:43:34:74 | documen ... bstr(1) |
+| react.js:40:19:40:35 | document.location | react.js:40:19:40:40 | documen ... on.hash |
+| react.js:40:19:40:35 | document.location | react.js:40:19:40:40 | documen ... on.hash |
+| react.js:40:19:40:40 | documen ... on.hash | react.js:40:19:40:50 | documen ... bstr(1) |
+| react.js:40:19:40:40 | documen ... on.hash | react.js:40:19:40:50 | documen ... bstr(1) |
 | sanitizer.js:2:9:2:25 | url | sanitizer.js:4:27:4:29 | url |
 | sanitizer.js:2:9:2:25 | url | sanitizer.js:4:27:4:29 | url |
 | sanitizer.js:2:9:2:25 | url | sanitizer.js:16:27:16:29 | url |
@@ -396,6 +405,7 @@ edges
 | react.js:21:24:21:45 | documen ... on.hash | react.js:21:24:21:40 | document.location | react.js:21:24:21:45 | documen ... on.hash | Untrusted URL redirection due to $@. | react.js:21:24:21:40 | document.location | user-provided value |
 | react.js:28:43:28:74 | documen ... bstr(1) | react.js:28:43:28:59 | document.location | react.js:28:43:28:74 | documen ... bstr(1) | Untrusted URL redirection due to $@. | react.js:28:43:28:59 | document.location | user-provided value |
 | react.js:34:43:34:74 | documen ... bstr(1) | react.js:34:43:34:59 | document.location | react.js:34:43:34:74 | documen ... bstr(1) | Untrusted URL redirection due to $@. | react.js:34:43:34:59 | document.location | user-provided value |
+| react.js:40:19:40:50 | documen ... bstr(1) | react.js:40:19:40:35 | document.location | react.js:40:19:40:50 | documen ... bstr(1) | Untrusted URL redirection due to $@. | react.js:40:19:40:35 | document.location | user-provided value |
 | sanitizer.js:4:27:4:29 | url | sanitizer.js:2:15:2:25 | window.name | sanitizer.js:4:27:4:29 | url | Untrusted URL redirection due to $@. | sanitizer.js:2:15:2:25 | window.name | user-provided value |
 | sanitizer.js:16:27:16:29 | url | sanitizer.js:2:15:2:25 | window.name | sanitizer.js:16:27:16:29 | url | Untrusted URL redirection due to $@. | sanitizer.js:2:15:2:25 | window.name | user-provided value |
 | sanitizer.js:19:27:19:29 | url | sanitizer.js:2:15:2:25 | window.name | sanitizer.js:19:27:19:29 | url | Untrusted URL redirection due to $@. | sanitizer.js:2:15:2:25 | window.name | user-provided value |

javascript/ql/test/query-tests/Security/CWE-601/ClientSideUrlRedirect/react.js

@@ -34,4 +34,12 @@ function Page({ router }) {
   return <span onClick={() => router.push(document.location.hash.substr(1))}>Click to XSS 2</span>
 }
 
-export const pageWithRouter = withRouter(Page);
+export const pageWithRouter = withRouter(Page);
+
+export function plainLink() {
+  return <a href={document.location.hash.substr(1)}>my plain link!</a>;
+}
+
+export function someUnknown() {
+  return <FOO data={document.location.hash.substr(1)}>is safe.</FOO>;
+}