JS: Updates to DOM model

asgerf · asgerf · commit 46f88e7ce765 · 2025-04-02T10:14:03.000+02:00
diff --git a/javascript/ql/lib/semmle/javascript/DOM.qll b/javascript/ql/lib/semmle/javascript/DOM.qll
@@ -247,7 +247,7 @@ module DOM {
         ]
     |
       (
-        result = documentRef().getAMethodCall(collectionName) or
+        result = domValueRef().getAMethodCall(collectionName) or
         result = DataFlow::globalVarRef(collectionName).getACall()
       )
     )
@@ -441,10 +441,12 @@ module DOM {
   DataFlow::SourceNode domValueRef() {
     result = domValueRef(DataFlow::TypeTracker::end())
     or
-    result.hasUnderlyingType("Element")
+    result.hasUnderlyingType(["Element", "HTMLCollection", "HTMLCollectionOf"])
     or
     result.hasUnderlyingType(any(string s | s.matches("HTML%Element")))
     or
+    result = documentRef()
+    or
     exists(DataFlow::ClassNode cls |
       cls.getASuperClassNode().getALocalSource() =
         DataFlow::globalVarRef(any(string s | s.matches("HTML%Element"))) and
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/Xss.expected b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/Xss.expected
@@ -53,6 +53,7 @@
 | dates.js:57:31:57:101 | `Time i ... aint)}` | dates.js:54:36:54:55 | window.location.hash | dates.js:57:31:57:101 | `Time i ... aint)}` | Cross-site scripting vulnerability due to $@. | dates.js:54:36:54:55 | window.location.hash | user-provided value |
 | dates.js:59:31:59:87 | `Time i ... aint)}` | dates.js:54:36:54:55 | window.location.hash | dates.js:59:31:59:87 | `Time i ... aint)}` | Cross-site scripting vulnerability due to $@. | dates.js:54:36:54:55 | window.location.hash | user-provided value |
 | dates.js:61:31:61:88 | `Time i ... aint)}` | dates.js:54:36:54:55 | window.location.hash | dates.js:61:31:61:88 | `Time i ... aint)}` | Cross-site scripting vulnerability due to $@. | dates.js:54:36:54:55 | window.location.hash | user-provided value |
+| dom.js:4:20:4:30 | window.name | dom.js:4:20:4:30 | window.name | dom.js:4:20:4:30 | window.name | Cross-site scripting vulnerability due to $@. | dom.js:4:20:4:30 | window.name | user-provided value |
 | dragAndDrop.ts:15:25:15:28 | html | dragAndDrop.ts:8:18:8:50 | dataTra ... /html') | dragAndDrop.ts:15:25:15:28 | html | Cross-site scripting vulnerability due to $@. | dragAndDrop.ts:8:18:8:50 | dataTra ... /html') | user-provided value |
 | dragAndDrop.ts:24:23:24:57 | e.dataT ... /html') | dragAndDrop.ts:24:23:24:57 | e.dataT ... /html') | dragAndDrop.ts:24:23:24:57 | e.dataT ... /html') | Cross-site scripting vulnerability due to $@. | dragAndDrop.ts:24:23:24:57 | e.dataT ... /html') | user-provided value |
 | dragAndDrop.ts:29:19:29:53 | e.dataT ... /html') | dragAndDrop.ts:29:19:29:53 | e.dataT ... /html') | dragAndDrop.ts:29:19:29:53 | e.dataT ... /html') | Cross-site scripting vulnerability due to $@. | dragAndDrop.ts:29:19:29:53 | e.dataT ... /html') | user-provided value |
@@ -937,6 +938,7 @@ nodes
 | dates.js:61:31:61:88 | `Time i ... aint)}` | semmle.label | `Time i ... aint)}` |
 | dates.js:61:42:61:86 | dayjs.s ... (taint) | semmle.label | dayjs.s ... (taint) |
 | dates.js:61:81:61:85 | taint | semmle.label | taint |
+| dom.js:4:20:4:30 | window.name | semmle.label | window.name |
 | dragAndDrop.ts:8:11:8:50 | html | semmle.label | html |
 | dragAndDrop.ts:8:18:8:50 | dataTra ... /html') | semmle.label | dataTra ... /html') |
 | dragAndDrop.ts:15:25:15:28 | html | semmle.label | html |
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/XssWithAdditionalSources.expected b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/XssWithAdditionalSources.expected
@@ -138,6 +138,7 @@ nodes
 | dates.js:61:31:61:88 | `Time i ... aint)}` | semmle.label | `Time i ... aint)}` |
 | dates.js:61:42:61:86 | dayjs.s ... (taint) | semmle.label | dayjs.s ... (taint) |
 | dates.js:61:81:61:85 | taint | semmle.label | taint |
+| dom.js:4:20:4:30 | window.name | semmle.label | window.name |
 | dragAndDrop.ts:8:11:8:50 | html | semmle.label | html |
 | dragAndDrop.ts:8:18:8:50 | dataTra ... /html') | semmle.label | dataTra ... /html') |
 | dragAndDrop.ts:15:25:15:28 | html | semmle.label | html |
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/dom.js b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/dom.js
@@ -1,5 +1,5 @@
 function t1() {
     const elm = document.getElementById("foo");
     const e2 = elm.getElementsByTagName("bar")[0];
-    e2.innerHTML = window.name; // $ MISSING: Alert
+    e2.innerHTML = window.name; // $ Alert
 }

Original file line number	Diff line number	Diff line change
`@@ -247,7 +247,7 @@ module DOM {`
`247`	`247`	`]`
`248`	`248`	`\|`
`249`	`249`	`(`
`250`		`- result = documentRef().getAMethodCall(collectionName) or`
	`250`	`+ result = domValueRef().getAMethodCall(collectionName) or`
`251`	`251`	`result = DataFlow::globalVarRef(collectionName).getACall()`
`252`	`252`	`)`
`253`	`253`	`)`
`@@ -441,10 +441,12 @@ module DOM {`
`441`	`441`	`DataFlow::SourceNode domValueRef() {`
`442`	`442`	`result = domValueRef(DataFlow::TypeTracker::end())`
`443`	`443`	`or`
`444`		`- result.hasUnderlyingType("Element")`
	`444`	`+ result.hasUnderlyingType(["Element", "HTMLCollection", "HTMLCollectionOf"])`
`445`	`445`	`or`
`446`	`446`	`result.hasUnderlyingType(any(string s \| s.matches("HTML%Element")))`
`447`	`447`	`or`
	`448`	`+ result = documentRef()`
	`449`	`+ or`
`448`	`450`	`exists(DataFlow::ClassNode cls \|`
`449`	`451`	`cls.getASuperClassNode().getALocalSource() =`
`450`	`452`	`DataFlow::globalVarRef(any(string s \| s.matches("HTML%Element"))) and`
Original file line number	Diff line number	Diff line change
`@@ -1,5 +1,5 @@`
`1`	`1`	`function t1() {`
`2`	`2`	`const elm = document.getElementById("foo");`
`3`	`3`	`const e2 = elm.getElementsByTagName("bar")[0];`
`4`		`- e2.innerHTML = window.name; // $ MISSING: Alert`
	`4`	`+ e2.innerHTML = window.name; // $ Alert`
`5`	`5`	`}`