add support for domNode.onpaste for copy-paste events

erik-krogh · erik-krogh · commit aafa8ddc9f3f · 2022-04-11T20:10:56.000+02:00
diff --git a/javascript/ql/lib/semmle/javascript/frameworks/Clipboard.qll b/javascript/ql/lib/semmle/javascript/frameworks/Clipboard.qll
@@ -32,6 +32,12 @@ private DataFlow::SourceNode pasteEvent(DataFlow::TypeTracker t) {
   )
   or
   t.start() and
+  exists(DataFlow::PropWrite pw | pw = DOM::domValueRef().getAPropertyWrite() |
+    pw.getPropertyName() = "onpaste" and
+    result = pw.getRhs().getABoundFunctionValue(0).getParameter(0)
+  )
+  or
+  t.start() and
   result = jQueryPasteEvent(DataFlow::TypeTracker::end()).getAPropertyRead("originalEvent")
   or
   exists(DataFlow::TypeTracker t2 | result = pasteEvent(t2).track(t2, t))
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/Xss.expected b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/Xss.expected
@@ -136,6 +136,14 @@ nodes
 | clipboard.ts:33:19:33:68 | e.origi ... /html') |
 | clipboard.ts:33:19:33:68 | e.origi ... /html') |
 | clipboard.ts:33:19:33:68 | e.origi ... /html') |
+| clipboard.ts:43:15:43:55 | html |
+| clipboard.ts:43:15:43:55 | html |
+| clipboard.ts:43:22:43:55 | clipboa ... /html') |
+| clipboard.ts:43:22:43:55 | clipboa ... /html') |
+| clipboard.ts:43:22:43:55 | clipboa ... /html') |
+| clipboard.ts:50:29:50:32 | html |
+| clipboard.ts:50:29:50:32 | html |
+| clipboard.ts:50:29:50:32 | html |
 | d3.js:4:12:4:22 | window.name |
 | d3.js:4:12:4:22 | window.name |
 | d3.js:4:12:4:22 | window.name |
@@ -1158,6 +1166,14 @@ edges
 | clipboard.ts:24:23:24:58 | e.clipb ... /html') | clipboard.ts:24:23:24:58 | e.clipb ... /html') |
 | clipboard.ts:29:19:29:54 | e.clipb ... /html') | clipboard.ts:29:19:29:54 | e.clipb ... /html') |
 | clipboard.ts:33:19:33:68 | e.origi ... /html') | clipboard.ts:33:19:33:68 | e.origi ... /html') |
+| clipboard.ts:43:15:43:55 | html | clipboard.ts:50:29:50:32 | html |
+| clipboard.ts:43:15:43:55 | html | clipboard.ts:50:29:50:32 | html |
+| clipboard.ts:43:15:43:55 | html | clipboard.ts:50:29:50:32 | html |
+| clipboard.ts:43:15:43:55 | html | clipboard.ts:50:29:50:32 | html |
+| clipboard.ts:43:22:43:55 | clipboa ... /html') | clipboard.ts:43:15:43:55 | html |
+| clipboard.ts:43:22:43:55 | clipboa ... /html') | clipboard.ts:43:15:43:55 | html |
+| clipboard.ts:43:22:43:55 | clipboa ... /html') | clipboard.ts:43:15:43:55 | html |
+| clipboard.ts:43:22:43:55 | clipboa ... /html') | clipboard.ts:43:15:43:55 | html |
 | d3.js:4:12:4:22 | window.name | d3.js:11:15:11:24 | getTaint() |
 | d3.js:4:12:4:22 | window.name | d3.js:11:15:11:24 | getTaint() |
 | d3.js:4:12:4:22 | window.name | d3.js:11:15:11:24 | getTaint() |
@@ -2109,6 +2125,7 @@ edges
 | clipboard.ts:24:23:24:58 | e.clipb ... /html') | clipboard.ts:24:23:24:58 | e.clipb ... /html') | clipboard.ts:24:23:24:58 | e.clipb ... /html') | Cross-site scripting vulnerability due to $@. | clipboard.ts:24:23:24:58 | e.clipb ... /html') | user-provided value |
 | clipboard.ts:29:19:29:54 | e.clipb ... /html') | clipboard.ts:29:19:29:54 | e.clipb ... /html') | clipboard.ts:29:19:29:54 | e.clipb ... /html') | Cross-site scripting vulnerability due to $@. | clipboard.ts:29:19:29:54 | e.clipb ... /html') | user-provided value |
 | clipboard.ts:33:19:33:68 | e.origi ... /html') | clipboard.ts:33:19:33:68 | e.origi ... /html') | clipboard.ts:33:19:33:68 | e.origi ... /html') | Cross-site scripting vulnerability due to $@. | clipboard.ts:33:19:33:68 | e.origi ... /html') | user-provided value |
+| clipboard.ts:50:29:50:32 | html | clipboard.ts:43:22:43:55 | clipboa ... /html') | clipboard.ts:50:29:50:32 | html | Cross-site scripting vulnerability due to $@. | clipboard.ts:43:22:43:55 | clipboa ... /html') | user-provided value |
 | d3.js:11:15:11:24 | getTaint() | d3.js:4:12:4:22 | window.name | d3.js:11:15:11:24 | getTaint() | Cross-site scripting vulnerability due to $@. | d3.js:4:12:4:22 | window.name | user-provided value |
 | d3.js:12:20:12:29 | getTaint() | d3.js:4:12:4:22 | window.name | d3.js:12:20:12:29 | getTaint() | Cross-site scripting vulnerability due to $@. | d3.js:4:12:4:22 | window.name | user-provided value |
 | d3.js:14:20:14:29 | getTaint() | d3.js:4:12:4:22 | window.name | d3.js:14:20:14:29 | getTaint() | Cross-site scripting vulnerability due to $@. | d3.js:4:12:4:22 | window.name | user-provided value |
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/XssWithAdditionalSources.expected b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/XssWithAdditionalSources.expected
@@ -136,6 +136,14 @@ nodes
 | clipboard.ts:33:19:33:68 | e.origi ... /html') |
 | clipboard.ts:33:19:33:68 | e.origi ... /html') |
 | clipboard.ts:33:19:33:68 | e.origi ... /html') |
+| clipboard.ts:43:15:43:55 | html |
+| clipboard.ts:43:15:43:55 | html |
+| clipboard.ts:43:22:43:55 | clipboa ... /html') |
+| clipboard.ts:43:22:43:55 | clipboa ... /html') |
+| clipboard.ts:43:22:43:55 | clipboa ... /html') |
+| clipboard.ts:50:29:50:32 | html |
+| clipboard.ts:50:29:50:32 | html |
+| clipboard.ts:50:29:50:32 | html |
 | d3.js:4:12:4:22 | window.name |
 | d3.js:4:12:4:22 | window.name |
 | d3.js:4:12:4:22 | window.name |
@@ -1208,6 +1216,14 @@ edges
 | clipboard.ts:24:23:24:58 | e.clipb ... /html') | clipboard.ts:24:23:24:58 | e.clipb ... /html') |
 | clipboard.ts:29:19:29:54 | e.clipb ... /html') | clipboard.ts:29:19:29:54 | e.clipb ... /html') |
 | clipboard.ts:33:19:33:68 | e.origi ... /html') | clipboard.ts:33:19:33:68 | e.origi ... /html') |
+| clipboard.ts:43:15:43:55 | html | clipboard.ts:50:29:50:32 | html |
+| clipboard.ts:43:15:43:55 | html | clipboard.ts:50:29:50:32 | html |
+| clipboard.ts:43:15:43:55 | html | clipboard.ts:50:29:50:32 | html |
+| clipboard.ts:43:15:43:55 | html | clipboard.ts:50:29:50:32 | html |
+| clipboard.ts:43:22:43:55 | clipboa ... /html') | clipboard.ts:43:15:43:55 | html |
+| clipboard.ts:43:22:43:55 | clipboa ... /html') | clipboard.ts:43:15:43:55 | html |
+| clipboard.ts:43:22:43:55 | clipboa ... /html') | clipboard.ts:43:15:43:55 | html |
+| clipboard.ts:43:22:43:55 | clipboa ... /html') | clipboard.ts:43:15:43:55 | html |
 | d3.js:4:12:4:22 | window.name | d3.js:11:15:11:24 | getTaint() |
 | d3.js:4:12:4:22 | window.name | d3.js:11:15:11:24 | getTaint() |
 | d3.js:4:12:4:22 | window.name | d3.js:11:15:11:24 | getTaint() |
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/clipboard.ts b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/clipboard.ts
@@ -31,4 +31,26 @@ document.addEventListener('paste', (e) => {
 
 $("#foo").bind('paste', (e) => {
     $("#id").html(e.originalEvent.clipboardData.getData('text/html')); // NOT OK
-});
+});
+
+(function () {
+    let div = document.createElement("div");
+    div.onpaste = function (e: ClipboardEvent) {
+        const { clipboardData } = e;
+        if (!clipboardData) return;
+
+        const text = clipboardData.getData('text/plain');
+        const html = clipboardData.getData('text/html');
+        if (!text && !html) return;
+
+        e.preventDefault();
+
+        const div = document.createElement('div');
+        if (html) {
+            div.innerHTML = html; // NOT OK
+        } else {
+            div.textContent = text;
+        }
+        document.body.append(div);
+    }
+})();
