included ClipboardEvent and DragEvent as XSS sources

Author: bananabr

javascript/ql/lib/change-notes/2022-04-11-drag-and-drop-data.md

@@ -2,3 +2,4 @@
 category: minorAnalysis
 ---
 * The security queries now recognize drag and drop data as a source, enabling the queries to flag additional alerts.
+* The security queries now recognize ClipboardEvent function parameters as a source, enabling the queries to flag additional alerts.

javascript/ql/lib/semmle/javascript/frameworks/Clipboard.qll

@@ -32,6 +32,12 @@ private DataFlow::SourceNode pasteEvent(DataFlow::TypeTracker t) {
   )
   or
   t.start() and
+  exists(DataFlow::ParameterNode pn |
+    // https://developer.mozilla.org/en-US/docs/Web/API/ClipboardEvent
+    pn.hasUnderlyingType("ClipboardEvent") and result = pn
+  )
+  or
+  t.start() and
   exists(DataFlow::PropWrite pw | pw = DOM::domValueRef().getAPropertyWrite() |
     pw.getPropertyName() = "onpaste" and
     result = pw.getRhs().getABoundFunctionValue(0).getParameter(0)

javascript/ql/lib/semmle/javascript/frameworks/DragAndDrop.qll

@@ -32,6 +32,12 @@ private DataFlow::SourceNode dropEvent(DataFlow::TypeTracker t) {
   )
   or
   t.start() and
+  exists(DataFlow::ParameterNode pn |
+    // https://developer.mozilla.org/en-US/docs/Web/API/DragEvent
+    pn.hasUnderlyingType("DragEvent") and result = pn
+  )
+  or
+  t.start() and
   exists(DataFlow::PropWrite pw | pw = DOM::domValueRef().getAPropertyWrite() |
     pw.getPropertyName() = "ondrop" and
     result = pw.getRhs().getABoundFunctionValue(0).getParameter(0)

javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/Xss.expected

@@ -144,6 +144,14 @@ nodes
 | clipboard.ts:50:29:50:32 | html |
 | clipboard.ts:50:29:50:32 | html |
 | clipboard.ts:50:29:50:32 | html |
+| clipboard.ts:71:13:71:62 | droppedHtml |
+| clipboard.ts:71:13:71:62 | droppedHtml |
+| clipboard.ts:71:27:71:62 | e.clipb ... /html') |
+| clipboard.ts:71:27:71:62 | e.clipb ... /html') |
+| clipboard.ts:71:27:71:62 | e.clipb ... /html') |
+| clipboard.ts:73:29:73:39 | droppedHtml |
+| clipboard.ts:73:29:73:39 | droppedHtml |
+| clipboard.ts:73:29:73:39 | droppedHtml |
 | d3.js:4:12:4:22 | window.name |
 | d3.js:4:12:4:22 | window.name |
 | d3.js:4:12:4:22 | window.name |
@@ -331,6 +339,14 @@ nodes
 | dragAndDrop.ts:50:29:50:32 | html |
 | dragAndDrop.ts:50:29:50:32 | html |
 | dragAndDrop.ts:50:29:50:32 | html |
+| dragAndDrop.ts:71:13:71:61 | droppedHtml |
+| dragAndDrop.ts:71:13:71:61 | droppedHtml |
+| dragAndDrop.ts:71:27:71:61 | e.dataT ... /html') |
+| dragAndDrop.ts:71:27:71:61 | e.dataT ... /html') |
+| dragAndDrop.ts:71:27:71:61 | e.dataT ... /html') |
+| dragAndDrop.ts:73:29:73:39 | droppedHtml |
+| dragAndDrop.ts:73:29:73:39 | droppedHtml |
+| dragAndDrop.ts:73:29:73:39 | droppedHtml |
 | event-handler-receiver.js:2:31:2:83 | '<h2><a ... ></h2>' |
 | event-handler-receiver.js:2:31:2:83 | '<h2><a ... ></h2>' |
 | event-handler-receiver.js:2:31:2:83 | '<h2><a ... ></h2>' |
@@ -1174,6 +1190,14 @@ edges
 | clipboard.ts:43:22:43:55 | clipboa ... /html') | clipboard.ts:43:15:43:55 | html |
 | clipboard.ts:43:22:43:55 | clipboa ... /html') | clipboard.ts:43:15:43:55 | html |
 | clipboard.ts:43:22:43:55 | clipboa ... /html') | clipboard.ts:43:15:43:55 | html |
+| clipboard.ts:71:13:71:62 | droppedHtml | clipboard.ts:73:29:73:39 | droppedHtml |
+| clipboard.ts:71:13:71:62 | droppedHtml | clipboard.ts:73:29:73:39 | droppedHtml |
+| clipboard.ts:71:13:71:62 | droppedHtml | clipboard.ts:73:29:73:39 | droppedHtml |
+| clipboard.ts:71:13:71:62 | droppedHtml | clipboard.ts:73:29:73:39 | droppedHtml |
+| clipboard.ts:71:27:71:62 | e.clipb ... /html') | clipboard.ts:71:13:71:62 | droppedHtml |
+| clipboard.ts:71:27:71:62 | e.clipb ... /html') | clipboard.ts:71:13:71:62 | droppedHtml |
+| clipboard.ts:71:27:71:62 | e.clipb ... /html') | clipboard.ts:71:13:71:62 | droppedHtml |
+| clipboard.ts:71:27:71:62 | e.clipb ... /html') | clipboard.ts:71:13:71:62 | droppedHtml |
 | d3.js:4:12:4:22 | window.name | d3.js:11:15:11:24 | getTaint() |
 | d3.js:4:12:4:22 | window.name | d3.js:11:15:11:24 | getTaint() |
 | d3.js:4:12:4:22 | window.name | d3.js:11:15:11:24 | getTaint() |
@@ -1381,6 +1405,14 @@ edges
 | dragAndDrop.ts:43:22:43:54 | dataTra ... /html') | dragAndDrop.ts:43:15:43:54 | html |
 | dragAndDrop.ts:43:22:43:54 | dataTra ... /html') | dragAndDrop.ts:43:15:43:54 | html |
 | dragAndDrop.ts:43:22:43:54 | dataTra ... /html') | dragAndDrop.ts:43:15:43:54 | html |
+| dragAndDrop.ts:71:13:71:61 | droppedHtml | dragAndDrop.ts:73:29:73:39 | droppedHtml |
+| dragAndDrop.ts:71:13:71:61 | droppedHtml | dragAndDrop.ts:73:29:73:39 | droppedHtml |
+| dragAndDrop.ts:71:13:71:61 | droppedHtml | dragAndDrop.ts:73:29:73:39 | droppedHtml |
+| dragAndDrop.ts:71:13:71:61 | droppedHtml | dragAndDrop.ts:73:29:73:39 | droppedHtml |
+| dragAndDrop.ts:71:27:71:61 | e.dataT ... /html') | dragAndDrop.ts:71:13:71:61 | droppedHtml |
+| dragAndDrop.ts:71:27:71:61 | e.dataT ... /html') | dragAndDrop.ts:71:13:71:61 | droppedHtml |
+| dragAndDrop.ts:71:27:71:61 | e.dataT ... /html') | dragAndDrop.ts:71:13:71:61 | droppedHtml |
+| dragAndDrop.ts:71:27:71:61 | e.dataT ... /html') | dragAndDrop.ts:71:13:71:61 | droppedHtml |
 | event-handler-receiver.js:2:49:2:61 | location.href | event-handler-receiver.js:2:31:2:83 | '<h2><a ... ></h2>' |
 | event-handler-receiver.js:2:49:2:61 | location.href | event-handler-receiver.js:2:31:2:83 | '<h2><a ... ></h2>' |
 | event-handler-receiver.js:2:49:2:61 | location.href | event-handler-receiver.js:2:31:2:83 | '<h2><a ... ></h2>' |
@@ -2126,6 +2158,7 @@ edges
 | clipboard.ts:29:19:29:54 | e.clipb ... /html') | clipboard.ts:29:19:29:54 | e.clipb ... /html') | clipboard.ts:29:19:29:54 | e.clipb ... /html') | Cross-site scripting vulnerability due to $@. | clipboard.ts:29:19:29:54 | e.clipb ... /html') | user-provided value |
 | clipboard.ts:33:19:33:68 | e.origi ... /html') | clipboard.ts:33:19:33:68 | e.origi ... /html') | clipboard.ts:33:19:33:68 | e.origi ... /html') | Cross-site scripting vulnerability due to $@. | clipboard.ts:33:19:33:68 | e.origi ... /html') | user-provided value |
 | clipboard.ts:50:29:50:32 | html | clipboard.ts:43:22:43:55 | clipboa ... /html') | clipboard.ts:50:29:50:32 | html | Cross-site scripting vulnerability due to $@. | clipboard.ts:43:22:43:55 | clipboa ... /html') | user-provided value |
+| clipboard.ts:73:29:73:39 | droppedHtml | clipboard.ts:71:27:71:62 | e.clipb ... /html') | clipboard.ts:73:29:73:39 | droppedHtml | Cross-site scripting vulnerability due to $@. | clipboard.ts:71:27:71:62 | e.clipb ... /html') | user-provided value |
 | d3.js:11:15:11:24 | getTaint() | d3.js:4:12:4:22 | window.name | d3.js:11:15:11:24 | getTaint() | Cross-site scripting vulnerability due to $@. | d3.js:4:12:4:22 | window.name | user-provided value |
 | d3.js:12:20:12:29 | getTaint() | d3.js:4:12:4:22 | window.name | d3.js:12:20:12:29 | getTaint() | Cross-site scripting vulnerability due to $@. | d3.js:4:12:4:22 | window.name | user-provided value |
 | d3.js:14:20:14:29 | getTaint() | d3.js:4:12:4:22 | window.name | d3.js:14:20:14:29 | getTaint() | Cross-site scripting vulnerability due to $@. | d3.js:4:12:4:22 | window.name | user-provided value |
@@ -2151,6 +2184,7 @@ edges
 | dragAndDrop.ts:29:19:29:53 | e.dataT ... /html') | dragAndDrop.ts:29:19:29:53 | e.dataT ... /html') | dragAndDrop.ts:29:19:29:53 | e.dataT ... /html') | Cross-site scripting vulnerability due to $@. | dragAndDrop.ts:29:19:29:53 | e.dataT ... /html') | user-provided value |
 | dragAndDrop.ts:33:19:33:67 | e.origi ... /html') | dragAndDrop.ts:33:19:33:67 | e.origi ... /html') | dragAndDrop.ts:33:19:33:67 | e.origi ... /html') | Cross-site scripting vulnerability due to $@. | dragAndDrop.ts:33:19:33:67 | e.origi ... /html') | user-provided value |
 | dragAndDrop.ts:50:29:50:32 | html | dragAndDrop.ts:43:22:43:54 | dataTra ... /html') | dragAndDrop.ts:50:29:50:32 | html | Cross-site scripting vulnerability due to $@. | dragAndDrop.ts:43:22:43:54 | dataTra ... /html') | user-provided value |
+| dragAndDrop.ts:73:29:73:39 | droppedHtml | dragAndDrop.ts:71:27:71:61 | e.dataT ... /html') | dragAndDrop.ts:73:29:73:39 | droppedHtml | Cross-site scripting vulnerability due to $@. | dragAndDrop.ts:71:27:71:61 | e.dataT ... /html') | user-provided value |
 | event-handler-receiver.js:2:31:2:83 | '<h2><a ... ></h2>' | event-handler-receiver.js:2:49:2:61 | location.href | event-handler-receiver.js:2:31:2:83 | '<h2><a ... ></h2>' | Cross-site scripting vulnerability due to $@. | event-handler-receiver.js:2:49:2:61 | location.href | user-provided value |
 | express.js:7:15:7:33 | req.param("wobble") | express.js:7:15:7:33 | req.param("wobble") | express.js:7:15:7:33 | req.param("wobble") | Cross-site scripting vulnerability due to $@. | express.js:7:15:7:33 | req.param("wobble") | user-provided value |
 | jquery.js:7:5:7:34 | "<div i ... + "\\">" | jquery.js:2:17:2:40 | documen ... .search | jquery.js:7:5:7:34 | "<div i ... + "\\">" | Cross-site scripting vulnerability due to $@. | jquery.js:2:17:2:40 | documen ... .search | user-provided value |

javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/XssWithAdditionalSources.expected

@@ -144,6 +144,14 @@ nodes
 | clipboard.ts:50:29:50:32 | html |
 | clipboard.ts:50:29:50:32 | html |
 | clipboard.ts:50:29:50:32 | html |
+| clipboard.ts:71:13:71:62 | droppedHtml |
+| clipboard.ts:71:13:71:62 | droppedHtml |
+| clipboard.ts:71:27:71:62 | e.clipb ... /html') |
+| clipboard.ts:71:27:71:62 | e.clipb ... /html') |
+| clipboard.ts:71:27:71:62 | e.clipb ... /html') |
+| clipboard.ts:73:29:73:39 | droppedHtml |
+| clipboard.ts:73:29:73:39 | droppedHtml |
+| clipboard.ts:73:29:73:39 | droppedHtml |
 | d3.js:4:12:4:22 | window.name |
 | d3.js:4:12:4:22 | window.name |
 | d3.js:4:12:4:22 | window.name |
@@ -331,6 +339,14 @@ nodes
 | dragAndDrop.ts:50:29:50:32 | html |
 | dragAndDrop.ts:50:29:50:32 | html |
 | dragAndDrop.ts:50:29:50:32 | html |
+| dragAndDrop.ts:71:13:71:61 | droppedHtml |
+| dragAndDrop.ts:71:13:71:61 | droppedHtml |
+| dragAndDrop.ts:71:27:71:61 | e.dataT ... /html') |
+| dragAndDrop.ts:71:27:71:61 | e.dataT ... /html') |
+| dragAndDrop.ts:71:27:71:61 | e.dataT ... /html') |
+| dragAndDrop.ts:73:29:73:39 | droppedHtml |
+| dragAndDrop.ts:73:29:73:39 | droppedHtml |
+| dragAndDrop.ts:73:29:73:39 | droppedHtml |
 | event-handler-receiver.js:2:31:2:83 | '<h2><a ... ></h2>' |
 | event-handler-receiver.js:2:31:2:83 | '<h2><a ... ></h2>' |
 | event-handler-receiver.js:2:31:2:83 | '<h2><a ... ></h2>' |
@@ -1224,6 +1240,14 @@ edges
 | clipboard.ts:43:22:43:55 | clipboa ... /html') | clipboard.ts:43:15:43:55 | html |
 | clipboard.ts:43:22:43:55 | clipboa ... /html') | clipboard.ts:43:15:43:55 | html |
 | clipboard.ts:43:22:43:55 | clipboa ... /html') | clipboard.ts:43:15:43:55 | html |
+| clipboard.ts:71:13:71:62 | droppedHtml | clipboard.ts:73:29:73:39 | droppedHtml |
+| clipboard.ts:71:13:71:62 | droppedHtml | clipboard.ts:73:29:73:39 | droppedHtml |
+| clipboard.ts:71:13:71:62 | droppedHtml | clipboard.ts:73:29:73:39 | droppedHtml |
+| clipboard.ts:71:13:71:62 | droppedHtml | clipboard.ts:73:29:73:39 | droppedHtml |
+| clipboard.ts:71:27:71:62 | e.clipb ... /html') | clipboard.ts:71:13:71:62 | droppedHtml |
+| clipboard.ts:71:27:71:62 | e.clipb ... /html') | clipboard.ts:71:13:71:62 | droppedHtml |
+| clipboard.ts:71:27:71:62 | e.clipb ... /html') | clipboard.ts:71:13:71:62 | droppedHtml |
+| clipboard.ts:71:27:71:62 | e.clipb ... /html') | clipboard.ts:71:13:71:62 | droppedHtml |
 | d3.js:4:12:4:22 | window.name | d3.js:11:15:11:24 | getTaint() |
 | d3.js:4:12:4:22 | window.name | d3.js:11:15:11:24 | getTaint() |
 | d3.js:4:12:4:22 | window.name | d3.js:11:15:11:24 | getTaint() |
@@ -1431,6 +1455,14 @@ edges
 | dragAndDrop.ts:43:22:43:54 | dataTra ... /html') | dragAndDrop.ts:43:15:43:54 | html |
 | dragAndDrop.ts:43:22:43:54 | dataTra ... /html') | dragAndDrop.ts:43:15:43:54 | html |
 | dragAndDrop.ts:43:22:43:54 | dataTra ... /html') | dragAndDrop.ts:43:15:43:54 | html |
+| dragAndDrop.ts:71:13:71:61 | droppedHtml | dragAndDrop.ts:73:29:73:39 | droppedHtml |
+| dragAndDrop.ts:71:13:71:61 | droppedHtml | dragAndDrop.ts:73:29:73:39 | droppedHtml |
+| dragAndDrop.ts:71:13:71:61 | droppedHtml | dragAndDrop.ts:73:29:73:39 | droppedHtml |
+| dragAndDrop.ts:71:13:71:61 | droppedHtml | dragAndDrop.ts:73:29:73:39 | droppedHtml |
+| dragAndDrop.ts:71:27:71:61 | e.dataT ... /html') | dragAndDrop.ts:71:13:71:61 | droppedHtml |
+| dragAndDrop.ts:71:27:71:61 | e.dataT ... /html') | dragAndDrop.ts:71:13:71:61 | droppedHtml |
+| dragAndDrop.ts:71:27:71:61 | e.dataT ... /html') | dragAndDrop.ts:71:13:71:61 | droppedHtml |
+| dragAndDrop.ts:71:27:71:61 | e.dataT ... /html') | dragAndDrop.ts:71:13:71:61 | droppedHtml |
 | event-handler-receiver.js:2:49:2:61 | location.href | event-handler-receiver.js:2:31:2:83 | '<h2><a ... ></h2>' |
 | event-handler-receiver.js:2:49:2:61 | location.href | event-handler-receiver.js:2:31:2:83 | '<h2><a ... ></h2>' |
 | event-handler-receiver.js:2:49:2:61 | location.href | event-handler-receiver.js:2:31:2:83 | '<h2><a ... ></h2>' |

javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/clipboard.ts

@@ -53,4 +53,37 @@ $("#foo").bind('paste', (e) => {
         }
         document.body.append(div);
     }
-})();
+})();
+
+async function getClipboardData(e: ClipboardEvent): Promise<Array<File | string>> {
+    // Using a set to filter out duplicates. For some reason, dropping URLs duplicates them 3 times (for me)
+    const dropItems = new Set<File | string>();
+  
+    // First get all files in the drop event
+    if (e.clipboardData.files.length > 0) {
+      // tslint:disable-next-line: prefer-for-of
+      for (let i = 0; i < e.clipboardData.files.length; i++) {
+        const file = e.clipboardData.files[i];
+      }
+    }
+  
+    if (e.clipboardData.types.includes('text/html')) {
+      const droppedHtml = e.clipboardData.getData('text/html');
+      const container = document.createElement('html');
+      container.innerHTML = droppedHtml;
+      const imgs = container.getElementsByTagName('img');
+      if (imgs.length === 1) {
+        const src = imgs[0].src;
+        dropItems.add(src);
+      }
+    } else if (e.clipboardData.types.includes('text/plain')) {
+      const plainText = e.clipboardData.getData('text/plain');
+      // Check if text is an URL
+      if (/^https?:\/\//i.test(plainText)) {
+        dropItems.add(plainText);
+      }
+    }
+  
+    const imageItems = Array.from(dropItems);
+    return imageItems;
+  }

javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/dragAndDrop.ts

@@ -53,4 +53,37 @@ $("#foo").bind('drop', (e) => {
         }
         document.body.append(div);
     }
-})();
+})();
+
+async function getDropData(e: DragEvent): Promise<Array<File | string>> {
+    // Using a set to filter out duplicates. For some reason, dropping URLs duplicates them 3 times (for me)
+    const dropItems = new Set<File | string>();
+  
+    // First get all files in the drop event
+    if (e.dataTransfer.files.length > 0) {
+      // tslint:disable-next-line: prefer-for-of
+      for (let i = 0; i < e.dataTransfer.files.length; i++) {
+        const file = e.dataTransfer.files[i];
+      }
+    }
+  
+    if (e.dataTransfer.types.includes('text/html')) {
+      const droppedHtml = e.dataTransfer.getData('text/html');
+      const container = document.createElement('html');
+      container.innerHTML = droppedHtml;
+      const imgs = container.getElementsByTagName('img');
+      if (imgs.length === 1) {
+        const src = imgs[0].src;
+        dropItems.add(src);
+      }
+    } else if (e.dataTransfer.types.includes('text/plain')) {
+      const plainText = e.dataTransfer.getData('text/plain');
+      // Check if text is an URL
+      if (/^https?:\/\//i.test(plainText)) {
+        dropItems.add(plainText);
+      }
+    }
+  
+    const imageItems = Array.from(dropItems);
+    return imageItems;
+  }