JS: Support [(ngModel)]

asgerf · asgerf · commit 859783c08b1a · 2025-01-17T10:26:57.000+01:00
diff --git a/javascript/extractor/src/com/semmle/js/extractor/HTMLExtractor.java b/javascript/extractor/src/com/semmle/js/extractor/HTMLExtractor.java
@@ -186,7 +186,7 @@ private boolean isAngularTemplateAttributeName(String name) {
 
   /** Attribute names that look valid in HTML or in one of the template languages we support, like Vue and Angular. */
   private static final Pattern VALID_ATTRIBUTE_NAME =
-      Pattern.compile("[*:@]?\\[?\\(?[\\w:_\\-.]+\\]?\\)?");
+      Pattern.compile("[*:@]?\\[?\\(?[\\w:_\\-.]+\\)?\\]?");
 
   /** List of HTML attributes whose value is interpreted as JavaScript. */
   private static final Pattern JS_ATTRIBUTE =
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/XssThroughDomCustomizations.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/XssThroughDomCustomizations.qll
@@ -270,4 +270,16 @@ module XssThroughDom {
       this = getSelectionCall(DataFlow::TypeTracker::end()).getAMethodCall("toString")
     }
   }
+
+  /**
+   * A source of DOM input originating from an Angular two-way data binding.
+   */
+  private class AngularNgModelSource extends Source {
+    AngularNgModelSource() {
+      exists(Angular2::ComponentClass component, string fieldName |
+        fieldName = component.getATemplateElement().getAttributeByName("[(ngModel)]").getValue() and
+        this = component.getFieldInputNode(fieldName)
+      )
+    }
+  }
 }
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/XssThroughDom.expected b/javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/XssThroughDom.expected
@@ -1,4 +1,5 @@
 edges
+| angular.ts:12:5:12:23 | field: string = ""; | angular.ts:27:24:27:33 | this.field | provenance |  |
 | angular.ts:23:24:23:33 | form.value | angular.ts:23:24:23:37 | form.value.foo | provenance |  |
 | forms.js:8:23:8:28 | values | forms.js:9:31:9:36 | values | provenance |  |
 | forms.js:9:31:9:36 | values | forms.js:9:31:9:40 | values.foo | provenance |  |
@@ -43,10 +44,12 @@ edges
 | xss-through-dom.js:154:25:154:27 | msg | xss-through-dom.js:155:27:155:29 | msg | provenance |  |
 | xss-through-dom.js:159:34:159:52 | $("textarea").val() | xss-through-dom.js:154:25:154:27 | msg | provenance |  |
 nodes
+| angular.ts:12:5:12:23 | field: string = ""; | semmle.label | field: string = ""; |
 | angular.ts:15:24:15:41 | event.target.value | semmle.label | event.target.value |
 | angular.ts:19:24:19:35 | target.value | semmle.label | target.value |
 | angular.ts:23:24:23:33 | form.value | semmle.label | form.value |
 | angular.ts:23:24:23:37 | form.value.foo | semmle.label | form.value.foo |
+| angular.ts:27:24:27:33 | this.field | semmle.label | this.field |
 | forms.js:8:23:8:28 | values | semmle.label | values |
 | forms.js:9:31:9:36 | values | semmle.label | values |
 | forms.js:9:31:9:40 | values.foo | semmle.label | values.foo |
@@ -132,6 +135,7 @@ subpaths
 | angular.ts:15:24:15:41 | event.target.value | angular.ts:15:24:15:41 | event.target.value | angular.ts:15:24:15:41 | event.target.value | $@ is reinterpreted as HTML without escaping meta-characters. | angular.ts:15:24:15:41 | event.target.value | DOM text |
 | angular.ts:19:24:19:35 | target.value | angular.ts:19:24:19:35 | target.value | angular.ts:19:24:19:35 | target.value | $@ is reinterpreted as HTML without escaping meta-characters. | angular.ts:19:24:19:35 | target.value | DOM text |
 | angular.ts:23:24:23:37 | form.value.foo | angular.ts:23:24:23:33 | form.value | angular.ts:23:24:23:37 | form.value.foo | $@ is reinterpreted as HTML without escaping meta-characters. | angular.ts:23:24:23:33 | form.value | DOM text |
+| angular.ts:27:24:27:33 | this.field | angular.ts:12:5:12:23 | field: string = ""; | angular.ts:27:24:27:33 | this.field | $@ is reinterpreted as HTML without escaping meta-characters. | angular.ts:12:5:12:23 | field: string = ""; | DOM text |
 | forms.js:9:31:9:40 | values.foo | forms.js:8:23:8:28 | values | forms.js:9:31:9:40 | values.foo | $@ is reinterpreted as HTML without escaping meta-characters. | forms.js:8:23:8:28 | values | DOM text |
 | forms.js:12:31:12:40 | values.bar | forms.js:11:24:11:29 | values | forms.js:12:31:12:40 | values.bar | $@ is reinterpreted as HTML without escaping meta-characters. | forms.js:11:24:11:29 | values | DOM text |
 | forms.js:25:23:25:34 | values.email | forms.js:24:15:24:20 | values | forms.js:25:23:25:34 | values.email | $@ is reinterpreted as HTML without escaping meta-characters. | forms.js:24:15:24:20 | values | DOM text |
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/angular.ts b/javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/angular.ts
@@ -24,6 +24,6 @@ export class Foo {
     }
 
     useField() {
-        document.write(this.field); // NOT OK [INCONSISTENCY]
+        document.write(this.field); // NOT OK
     }
 }

Original file line number	Diff line number	Diff line change
`@@ -270,4 +270,16 @@ module XssThroughDom {`
`270`	`270`	`this = getSelectionCall(DataFlow::TypeTracker::end()).getAMethodCall("toString")`
`271`	`271`	`}`
`272`	`272`	`}`
	`273`	`+`
	`274`	`+ /**`
	`275`	`+ * A source of DOM input originating from an Angular two-way data binding.`
	`276`	`+ */`
	`277`	`+ private class AngularNgModelSource extends Source {`
	`278`	`+ AngularNgModelSource() {`
	`279`	`+ exists(Angular2::ComponentClass component, string fieldName \|`
	`280`	`+ fieldName = component.getATemplateElement().getAttributeByName("[(ngModel)]").getValue() and`
	`281`	`+ this = component.getFieldInputNode(fieldName)`
	`282`	`+ )`
	`283`	`+ }`
	`284`	`+ }`
`273`	`285`	`}`
Original file line number	Diff line number	Diff line change
`@@ -24,6 +24,6 @@ export class Foo {`
`24`	`24`	`}`
`25`	`25`
`26`	`26`	`useField() {`
`27`		`- document.write(this.field); // NOT OK [INCONSISTENCY]`
	`27`	`+ document.write(this.field); // NOT OK`
`28`	`28`	`}`
`29`	`29`	`}`