remove postmessage events as source for js/resource-exhaustion

erik-krogh · erik-krogh · commit 4c97f68a3dd0 · 2022-04-13T23:14:42.000+02:00
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/ResourceExhaustionCustomizations.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/ResourceExhaustionCustomizations.qll
@@ -29,7 +29,11 @@ module ResourceExhaustion {
 
   /** A source of remote user input, considered as a data flow source for resource exhaustion vulnerabilities. */
   class RemoteFlowSourceAsSource extends Source instanceof RemoteFlowSource {
-    RemoteFlowSourceAsSource() { not this instanceof ClientSideRemoteFlowSource }
+    RemoteFlowSourceAsSource() {
+      // exclude source that only happen client-side
+      not this instanceof ClientSideRemoteFlowSource and
+      not this = DataFlow::parameterNode(any(PostMessageEventHandler pmeh).getEventParameter())
+    }
   }
 
   /**
diff --git a/javascript/ql/test/query-tests/Security/CWE-770/ResourceExhaustion/resource-exhaustion.js b/javascript/ql/test/query-tests/Security/CWE-770/ResourceExhaustion/resource-exhaustion.js
@@ -98,4 +98,8 @@ function browser() {
     setTimeout(() => {
         console.log("f00");
     }, delay); // OK - source is client side
+
+    window.onmessage = (e) => {
+        setTimeout(() => {}, e.data); // OK - source is client side
+    }
 }

Original file line number	Diff line number	Diff line change
`@@ -98,4 +98,8 @@ function browser() {`
`98`	`98`	`setTimeout(() => {`
`99`	`99`	`console.log("f00");`
`100`	`100`	`}, delay); // OK - source is client side`
	`101`	`+`
	`102`	`+ window.onmessage = (e) => {`
	`103`	`+ setTimeout(() => {}, e.data); // OK - source is client side`
	`104`	`+ }`
`101`	`105`	`}`