have getSourceType() depend on which kind of event it is

Author: erik-krogh

javascript/ql/lib/semmle/javascript/frameworks/DomEvents.qll

@@ -67,26 +67,37 @@ private DataFlow::SourceNode taintedEvent(DataFlow::TypeTracker t, string event)
  * Gets a reference to a DataTransfer object.
  * https://developer.mozilla.org/en-US/docs/Web/API/ClipboardEvent/clipboardData
  */
-private DataFlow::SourceNode taintedDataTransfer(DataFlow::TypeTracker t) {
+private DataFlow::SourceNode taintedDataTransfer(DataFlow::TypeTracker t, string event) {
   t.start() and
-  result = taintedEvent(DataFlow::TypeTracker::end(), "paste").getAPropertyRead("clipboardData")
+  result = taintedEvent(DataFlow::TypeTracker::end(), event).getAPropertyRead("clipboardData") and
+  event = "paste"
   or
   t.start() and
-  result =
-    taintedEvent(DataFlow::TypeTracker::end(), ["drop", "beforeinput"])
-        .getAPropertyRead("dataTransfer")
+  result = taintedEvent(DataFlow::TypeTracker::end(), event).getAPropertyRead("dataTransfer") and
+  event = ["drop", "beforeinput"]
   or
-  exists(DataFlow::TypeTracker t2 | result = taintedDataTransfer(t2).track(t2, t))
+  exists(DataFlow::TypeTracker t2 | result = taintedDataTransfer(t2, event).track(t2, t))
 }
 
 /**
  * A reference to data from a DataTransfer object, which might originate from e.g. the clipboard.
  * Seen as a source for DOM-based XSS.
  */
 private class TaintedDataTransfer extends RemoteFlowSource {
+  string event;
+
   TaintedDataTransfer() {
-    this = taintedDataTransfer(DataFlow::TypeTracker::end()).getAMethodCall("getData")
+    this = taintedDataTransfer(DataFlow::TypeTracker::end(), event).getAMethodCall("getData")
   }
 
-  override string getSourceType() { result = "Clipboard data" }
+  override string getSourceType() {
+    event = "paste" and
+    result = "Clipboard data"
+    or
+    event = "drop" and
+    result = "Drag&Drop data"
+    or
+    event = "beforeinput" and
+    result = "Input data"
+  }
 }