JS: Recognise form input from NgForm

Author: asgerf

javascript/ql/lib/semmle/javascript/security/dataflow/XssThroughDomCustomizations.qll

@@ -232,6 +232,15 @@ module XssThroughDom {
         )
       }
     }
+
+    /**
+     * An object containing input values from an Angular form, accessed through an `NgForm` object.
+     */
+    class AngularFormSource extends Source {
+      AngularFormSource() {
+        this = API::Node::ofType("@angular/forms", "NgForm").getMember("value").asSource()
+      }
+    }
   }
 
   /**

javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/XssThroughDom.expected

@@ -1,4 +1,5 @@
 edges
+| angular.ts:20:24:20:33 | form.value | angular.ts:20:24:20:37 | form.value.foo | provenance |  |
 | forms.js:8:23:8:28 | values | forms.js:9:31:9:36 | values | provenance |  |
 | forms.js:9:31:9:36 | values | forms.js:9:31:9:40 | values.foo | provenance |  |
 | forms.js:11:24:11:29 | values | forms.js:12:31:12:36 | values | provenance |  |
@@ -44,6 +45,8 @@ edges
 nodes
 | angular.ts:12:24:12:41 | event.target.value | semmle.label | event.target.value |
 | angular.ts:16:24:16:35 | target.value | semmle.label | target.value |
+| angular.ts:20:24:20:33 | form.value | semmle.label | form.value |
+| angular.ts:20:24:20:37 | form.value.foo | semmle.label | form.value.foo |
 | forms.js:8:23:8:28 | values | semmle.label | values |
 | forms.js:9:31:9:36 | values | semmle.label | values |
 | forms.js:9:31:9:40 | values.foo | semmle.label | values.foo |
@@ -128,6 +131,7 @@ subpaths
 #select
 | angular.ts:12:24:12:41 | event.target.value | angular.ts:12:24:12:41 | event.target.value | angular.ts:12:24:12:41 | event.target.value | $@ is reinterpreted as HTML without escaping meta-characters. | angular.ts:12:24:12:41 | event.target.value | DOM text |
 | angular.ts:16:24:16:35 | target.value | angular.ts:16:24:16:35 | target.value | angular.ts:16:24:16:35 | target.value | $@ is reinterpreted as HTML without escaping meta-characters. | angular.ts:16:24:16:35 | target.value | DOM text |
+| angular.ts:20:24:20:37 | form.value.foo | angular.ts:20:24:20:33 | form.value | angular.ts:20:24:20:37 | form.value.foo | $@ is reinterpreted as HTML without escaping meta-characters. | angular.ts:20:24:20:33 | form.value | DOM text |
 | forms.js:9:31:9:40 | values.foo | forms.js:8:23:8:28 | values | forms.js:9:31:9:40 | values.foo | $@ is reinterpreted as HTML without escaping meta-characters. | forms.js:8:23:8:28 | values | DOM text |
 | forms.js:12:31:12:40 | values.bar | forms.js:11:24:11:29 | values | forms.js:12:31:12:40 | values.bar | $@ is reinterpreted as HTML without escaping meta-characters. | forms.js:11:24:11:29 | values | DOM text |
 | forms.js:25:23:25:34 | values.email | forms.js:24:15:24:20 | values | forms.js:25:23:25:34 | values.email | $@ is reinterpreted as HTML without escaping meta-characters. | forms.js:24:15:24:20 | values | DOM text |

javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/angular.ts

@@ -17,6 +17,6 @@ export class Foo {
     }
 
     blah(form: NgForm) {
-        document.write(form.value.foo); // NOT OK [INCONSISTENCY]
+        document.write(form.value.foo); // NOT OK
     }
 }