add a taint-step through URL.createObjectURL for js/xss-through-dom

erik-krogh · erik-krogh · commit 0435cee57f11 · 2022-04-06T12:18:47.000+02:00
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/XssThroughDomQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/XssThroughDomQuery.qll
@@ -36,6 +36,11 @@ class Configuration extends TaintTracking::Configuration {
     DomBasedXss::isOptionallySanitizedEdge(pred, succ)
   }
 
+  override predicate isAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
+    succ = DataFlow::globalVarRef("URL").getAMemberCall("createObjectURL") and
+    pred = succ.(DataFlow::InvokeNode).getArgument(0)
+  }
+
   override predicate hasFlowPath(DataFlow::SourcePathNode src, DataFlow::SinkPathNode sink) {
     super.hasFlowPath(src, sink) and
     // filtering away readings of `src` that end in a URL sink.
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/XssThroughDom.expected b/javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/XssThroughDom.expected
@@ -134,6 +134,11 @@ nodes
 | xss-through-dom.js:120:23:120:40 | ev.target.files[0] |
 | xss-through-dom.js:120:23:120:45 | ev.targ ... 0].name |
 | xss-through-dom.js:120:23:120:45 | ev.targ ... 0].name |
+| xss-through-dom.js:122:33:122:71 | URL.cre ... les[0]) |
+| xss-through-dom.js:122:33:122:71 | URL.cre ... les[0]) |
+| xss-through-dom.js:122:53:122:67 | ev.target.files |
+| xss-through-dom.js:122:53:122:67 | ev.target.files |
+| xss-through-dom.js:122:53:122:70 | ev.target.files[0] |
 edges
 | forms.js:8:23:8:28 | values | forms.js:9:31:9:36 | values |
 | forms.js:8:23:8:28 | values | forms.js:9:31:9:36 | values |
@@ -216,6 +221,10 @@ edges
 | xss-through-dom.js:120:23:120:37 | ev.target.files | xss-through-dom.js:120:23:120:40 | ev.target.files[0] |
 | xss-through-dom.js:120:23:120:40 | ev.target.files[0] | xss-through-dom.js:120:23:120:45 | ev.targ ... 0].name |
 | xss-through-dom.js:120:23:120:40 | ev.target.files[0] | xss-through-dom.js:120:23:120:45 | ev.targ ... 0].name |
+| xss-through-dom.js:122:53:122:67 | ev.target.files | xss-through-dom.js:122:53:122:70 | ev.target.files[0] |
+| xss-through-dom.js:122:53:122:67 | ev.target.files | xss-through-dom.js:122:53:122:70 | ev.target.files[0] |
+| xss-through-dom.js:122:53:122:70 | ev.target.files[0] | xss-through-dom.js:122:33:122:71 | URL.cre ... les[0]) |
+| xss-through-dom.js:122:53:122:70 | ev.target.files[0] | xss-through-dom.js:122:33:122:71 | URL.cre ... les[0]) |
 #select
 | forms.js:9:31:9:40 | values.foo | forms.js:8:23:8:28 | values | forms.js:9:31:9:40 | values.foo | $@ is reinterpreted as HTML without escaping meta-characters. | forms.js:8:23:8:28 | values | DOM text |
 | forms.js:12:31:12:40 | values.bar | forms.js:11:24:11:29 | values | forms.js:12:31:12:40 | values.bar | $@ is reinterpreted as HTML without escaping meta-characters. | forms.js:11:24:11:29 | values | DOM text |
@@ -252,3 +261,4 @@ edges
 | xss-through-dom.js:109:31:109:70 | "<a src ... oo</a>" | xss-through-dom.js:109:45:109:55 | this.el.src | xss-through-dom.js:109:31:109:70 | "<a src ... oo</a>" | $@ is reinterpreted as HTML without escaping meta-characters. | xss-through-dom.js:109:45:109:55 | this.el.src | DOM text |
 | xss-through-dom.js:115:16:115:18 | src | xss-through-dom.js:114:17:114:52 | documen ... k").src | xss-through-dom.js:115:16:115:18 | src | $@ is reinterpreted as HTML without escaping meta-characters. | xss-through-dom.js:114:17:114:52 | documen ... k").src | DOM text |
 | xss-through-dom.js:120:23:120:45 | ev.targ ... 0].name | xss-through-dom.js:120:23:120:37 | ev.target.files | xss-through-dom.js:120:23:120:45 | ev.targ ... 0].name | $@ is reinterpreted as HTML without escaping meta-characters. | xss-through-dom.js:120:23:120:37 | ev.target.files | DOM text |
+| xss-through-dom.js:122:33:122:71 | URL.cre ... les[0]) | xss-through-dom.js:122:53:122:67 | ev.target.files | xss-through-dom.js:122:33:122:71 | URL.cre ... les[0]) | $@ is reinterpreted as HTML without escaping meta-characters. | xss-through-dom.js:122:53:122:67 | ev.target.files | DOM text |
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/xss-through-dom.js b/javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/xss-through-dom.js
@@ -118,5 +118,7 @@ class Sub extends Super {
 
     $("input.foo")[0].onchange = function (ev) {
         $("#id").html(ev.target.files[0].name); // NOT OK.
+
+        $("img#id").attr("src", URL.createObjectURL(ev.target.files[0])); // NOT OK
     }
 })();

Original file line number	Diff line number	Diff line change
`@@ -118,5 +118,7 @@ class Sub extends Super {`
`118`	`118`
`119`	`119`	`$("input.foo")[0].onchange = function (ev) {`
`120`	`120`	`$("#id").html(ev.target.files[0].name); // NOT OK.`
	`121`	`+`
	`122`	`+ $("img#id").attr("src", URL.createObjectURL(ev.target.files[0])); // NOT OK`
`121`	`123`	`}`
`122`	`124`	`})();`