slightly expand the $().each model

erik-krogh · erik-krogh · commit ee43db1b5845 · 2020-04-23T16:49:47.000+02:00
diff --git a/javascript/ql/src/semmle/javascript/DOM.qll b/javascript/ql/src/semmle/javascript/DOM.qll
@@ -308,7 +308,10 @@ module DOM {
         or
         // A `this` node from a callback given to a `$().each(callback)` call.
         // purposely not using JQuery::MethodCall to avoid `jquery.each()`. 
-        this = DataFlow::thisNode(JQuery::objectRef().getAMethodCall("each").getCallback(0).getFunction())
+        exists(DataFlow::CallNode eachCall | eachCall = JQuery::objectRef().getAMethodCall("each") |
+          this = DataFlow::thisNode(eachCall.getCallback(0).getFunction()) or
+          this = eachCall.getABoundCallbackParameter(0, 1)
+        )
       }
     }
   }
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/Xss.expected b/javascript/ql/test/query-tests/Security/CWE-079/Xss.expected
@@ -355,6 +355,8 @@ nodes
 | tst.js:362:16:362:21 | target |
 | tst.js:366:21:366:26 | target |
 | tst.js:366:21:366:26 | target |
+| tst.js:369:18:369:23 | target |
+| tst.js:369:18:369:23 | target |
 | typeahead.js:20:13:20:45 | target |
 | typeahead.js:20:22:20:38 | document.location |
 | typeahead.js:20:22:20:38 | document.location |
@@ -682,6 +684,8 @@ edges
 | tst.js:361:10:361:42 | target | tst.js:362:16:362:21 | target |
 | tst.js:361:10:361:42 | target | tst.js:366:21:366:26 | target |
 | tst.js:361:10:361:42 | target | tst.js:366:21:366:26 | target |
+| tst.js:361:10:361:42 | target | tst.js:369:18:369:23 | target |
+| tst.js:361:10:361:42 | target | tst.js:369:18:369:23 | target |
 | tst.js:361:19:361:35 | document.location | tst.js:361:19:361:42 | documen ... .search |
 | tst.js:361:19:361:35 | document.location | tst.js:361:19:361:42 | documen ... .search |
 | tst.js:361:19:361:42 | documen ... .search | tst.js:361:10:361:42 | target |
@@ -789,6 +793,7 @@ edges
 | tst.js:355:12:355:17 | target | tst.js:354:16:354:32 | document.location | tst.js:355:12:355:17 | target | Cross-site scripting vulnerability due to $@. | tst.js:354:16:354:32 | document.location | user-provided value |
 | tst.js:362:16:362:21 | target | tst.js:361:19:361:35 | document.location | tst.js:362:16:362:21 | target | Cross-site scripting vulnerability due to $@. | tst.js:361:19:361:35 | document.location | user-provided value |
 | tst.js:366:21:366:26 | target | tst.js:361:19:361:35 | document.location | tst.js:366:21:366:26 | target | Cross-site scripting vulnerability due to $@. | tst.js:361:19:361:35 | document.location | user-provided value |
+| tst.js:369:18:369:23 | target | tst.js:361:19:361:35 | document.location | tst.js:369:18:369:23 | target | Cross-site scripting vulnerability due to $@. | tst.js:361:19:361:35 | document.location | user-provided value |
 | typeahead.js:25:18:25:20 | val | typeahead.js:20:22:20:38 | document.location | typeahead.js:25:18:25:20 | val | Cross-site scripting vulnerability due to $@. | typeahead.js:20:22:20:38 | document.location | user-provided value |
 | v-html.vue:2:8:2:23 | v-html=tainted | v-html.vue:6:42:6:58 | document.location | v-html.vue:2:8:2:23 | v-html=tainted | Cross-site scripting vulnerability due to $@. | v-html.vue:6:42:6:58 | document.location | user-provided value |
 | winjs.js:3:43:3:49 | tainted | winjs.js:2:17:2:33 | document.location | winjs.js:3:43:3:49 | tainted | Cross-site scripting vulnerability due to $@. | winjs.js:2:17:2:33 | document.location | user-provided value |
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/XssWithAdditionalSources.expected b/javascript/ql/test/query-tests/Security/CWE-079/XssWithAdditionalSources.expected
@@ -355,6 +355,8 @@ nodes
 | tst.js:362:16:362:21 | target |
 | tst.js:366:21:366:26 | target |
 | tst.js:366:21:366:26 | target |
+| tst.js:369:18:369:23 | target |
+| tst.js:369:18:369:23 | target |
 | typeahead.js:9:28:9:30 | loc |
 | typeahead.js:9:28:9:30 | loc |
 | typeahead.js:10:16:10:18 | loc |
@@ -686,6 +688,8 @@ edges
 | tst.js:361:10:361:42 | target | tst.js:362:16:362:21 | target |
 | tst.js:361:10:361:42 | target | tst.js:366:21:366:26 | target |
 | tst.js:361:10:361:42 | target | tst.js:366:21:366:26 | target |
+| tst.js:361:10:361:42 | target | tst.js:369:18:369:23 | target |
+| tst.js:361:10:361:42 | target | tst.js:369:18:369:23 | target |
 | tst.js:361:19:361:35 | document.location | tst.js:361:19:361:42 | documen ... .search |
 | tst.js:361:19:361:35 | document.location | tst.js:361:19:361:42 | documen ... .search |
 | tst.js:361:19:361:42 | documen ... .search | tst.js:361:10:361:42 | target |
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/tst.js b/javascript/ql/test/query-tests/Security/CWE-079/tst.js
@@ -362,9 +362,11 @@ function thisNodes() {
 	    this.html(target); // NOT OK. (this is a jQuery object)
 		this.innerHTML = target // OK. (this is a jQuery object)
 	
-		this.each(function () {
+		this.each(function (i, e) {
 			this.innerHTML = target; // NOT OK. (this is a DOM-node);
 			this.html(target); // OK. (this is a DOM-node);
+			
+			e.innerHTML = target; // NOT OK.
 		});
 	}
 	$.fn[pluginName] = myPlugin; 

Original file line number	Diff line number	Diff line change
`@@ -308,7 +308,10 @@ module DOM {`
`308`	`308`	`or`
`309`	`309`	// A `this` node from a callback given to a `$().each(callback)` call.
`310`	`310`	// purposely not using JQuery::MethodCall to avoid `jquery.each()`.
`311`		`- this = DataFlow::thisNode(JQuery::objectRef().getAMethodCall("each").getCallback(0).getFunction())`
	`311`	`+ exists(DataFlow::CallNode eachCall \| eachCall = JQuery::objectRef().getAMethodCall("each") \|`
	`312`	`+ this = DataFlow::thisNode(eachCall.getCallback(0).getFunction()) or`
	`313`	`+ this = eachCall.getABoundCallbackParameter(0, 1)`
	`314`	`+ )`
`312`	`315`	`}`
`313`	`316`	`}`
`314`	`317`	`}`