JS: xss does not flag anymore replace with RegExp unknown flags

Napalys · Napalys · commit c71778f1aa63 · 2024-11-28T11:26:53.000+01:00
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/Xss.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/Xss.qll
@@ -36,7 +36,7 @@ module Shared {
    */
   class MetacharEscapeSanitizer extends Sanitizer, StringReplaceCall {
     MetacharEscapeSanitizer() {
-      this.isGlobal() and
+      this.maybeGlobal() and
       (
         RegExp::alwaysMatchesMetaCharacter(this.getRegExp().getRoot(), ["<", "'", "\""])
         or
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/ConsistencyDomBasedXss.expected b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/ConsistencyDomBasedXss.expected
@@ -1 +0,0 @@
-| tst.js:510 | did not expect an alert, but found an alert for HtmlInjection | OK -- currently flagged, but might introduce a lot of false positives. |  |
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/Xss.expected b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/Xss.expected
@@ -1154,9 +1154,6 @@ nodes
 | tst.js:509:18:509:23 | target |
 | tst.js:509:18:509:54 | target. ... "), '') |
 | tst.js:509:18:509:54 | target. ... "), '') |
-| tst.js:510:18:510:23 | target |
-| tst.js:510:18:510:70 | target. ... )), '') |
-| tst.js:510:18:510:70 | target. ... )), '') |
 | typeahead.js:20:13:20:45 | target |
 | typeahead.js:20:22:20:45 | documen ... .search |
 | typeahead.js:20:22:20:45 | documen ... .search |
@@ -2341,13 +2338,10 @@ edges
 | tst.js:501:43:501:62 | window.location.hash | tst.js:501:33:501:63 | decodeU ... n.hash) |
 | tst.js:501:43:501:62 | window.location.hash | tst.js:501:33:501:63 | decodeU ... n.hash) |
 | tst.js:508:7:508:39 | target | tst.js:509:18:509:23 | target |
-| tst.js:508:7:508:39 | target | tst.js:510:18:510:23 | target |
 | tst.js:508:16:508:39 | documen ... .search | tst.js:508:7:508:39 | target |
 | tst.js:508:16:508:39 | documen ... .search | tst.js:508:7:508:39 | target |
 | tst.js:509:18:509:23 | target | tst.js:509:18:509:54 | target. ... "), '') |
 | tst.js:509:18:509:23 | target | tst.js:509:18:509:54 | target. ... "), '') |
-| tst.js:510:18:510:23 | target | tst.js:510:18:510:70 | target. ... )), '') |
-| tst.js:510:18:510:23 | target | tst.js:510:18:510:70 | target. ... )), '') |
 | typeahead.js:20:13:20:45 | target | typeahead.js:21:12:21:17 | target |
 | typeahead.js:20:22:20:45 | documen ... .search | typeahead.js:20:13:20:45 | target |
 | typeahead.js:20:22:20:45 | documen ... .search | typeahead.js:20:13:20:45 | target |
@@ -2641,7 +2635,6 @@ edges
 | tst.js:494:18:494:40 | locatio ... bstr(1) | tst.js:494:18:494:30 | location.hash | tst.js:494:18:494:40 | locatio ... bstr(1) | Cross-site scripting vulnerability due to $@. | tst.js:494:18:494:30 | location.hash | user-provided value |
 | tst.js:501:33:501:63 | decodeU ... n.hash) | tst.js:501:43:501:62 | window.location.hash | tst.js:501:33:501:63 | decodeU ... n.hash) | Cross-site scripting vulnerability due to $@. | tst.js:501:43:501:62 | window.location.hash | user-provided value |
 | tst.js:509:18:509:54 | target. ... "), '') | tst.js:508:16:508:39 | documen ... .search | tst.js:509:18:509:54 | target. ... "), '') | Cross-site scripting vulnerability due to $@. | tst.js:508:16:508:39 | documen ... .search | user-provided value |
-| tst.js:510:18:510:70 | target. ... )), '') | tst.js:508:16:508:39 | documen ... .search | tst.js:510:18:510:70 | target. ... )), '') | Cross-site scripting vulnerability due to $@. | tst.js:508:16:508:39 | documen ... .search | user-provided value |
 | typeahead.js:25:18:25:20 | val | typeahead.js:20:22:20:45 | documen ... .search | typeahead.js:25:18:25:20 | val | Cross-site scripting vulnerability due to $@. | typeahead.js:20:22:20:45 | documen ... .search | user-provided value |
 | v-html.vue:2:8:2:23 | v-html=tainted | v-html.vue:6:42:6:58 | document.location | v-html.vue:2:8:2:23 | v-html=tainted | Cross-site scripting vulnerability due to $@. | v-html.vue:6:42:6:58 | document.location | user-provided value |
 | various-concat-obfuscations.js:4:4:4:31 | "<div>" ... </div>" | various-concat-obfuscations.js:2:16:2:39 | documen ... .search | various-concat-obfuscations.js:4:4:4:31 | "<div>" ... </div>" | Cross-site scripting vulnerability due to $@. | various-concat-obfuscations.js:2:16:2:39 | documen ... .search | user-provided value |
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/XssWithAdditionalSources.expected b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/XssWithAdditionalSources.expected
@@ -1166,9 +1166,6 @@ nodes
 | tst.js:509:18:509:23 | target |
 | tst.js:509:18:509:54 | target. ... "), '') |
 | tst.js:509:18:509:54 | target. ... "), '') |
-| tst.js:510:18:510:23 | target |
-| tst.js:510:18:510:70 | target. ... )), '') |
-| tst.js:510:18:510:70 | target. ... )), '') |
 | typeahead.js:9:28:9:30 | loc |
 | typeahead.js:9:28:9:30 | loc |
 | typeahead.js:9:28:9:30 | loc |
@@ -2403,13 +2400,10 @@ edges
 | tst.js:501:43:501:62 | window.location.hash | tst.js:501:33:501:63 | decodeU ... n.hash) |
 | tst.js:501:43:501:62 | window.location.hash | tst.js:501:33:501:63 | decodeU ... n.hash) |
 | tst.js:508:7:508:39 | target | tst.js:509:18:509:23 | target |
-| tst.js:508:7:508:39 | target | tst.js:510:18:510:23 | target |
 | tst.js:508:16:508:39 | documen ... .search | tst.js:508:7:508:39 | target |
 | tst.js:508:16:508:39 | documen ... .search | tst.js:508:7:508:39 | target |
 | tst.js:509:18:509:23 | target | tst.js:509:18:509:54 | target. ... "), '') |
 | tst.js:509:18:509:23 | target | tst.js:509:18:509:54 | target. ... "), '') |
-| tst.js:510:18:510:23 | target | tst.js:510:18:510:70 | target. ... )), '') |
-| tst.js:510:18:510:23 | target | tst.js:510:18:510:70 | target. ... )), '') |
 | typeahead.js:9:28:9:30 | loc | typeahead.js:10:16:10:18 | loc |
 | typeahead.js:9:28:9:30 | loc | typeahead.js:10:16:10:18 | loc |
 | typeahead.js:9:28:9:30 | loc | typeahead.js:10:16:10:18 | loc |
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/tst.js b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/tst.js
@@ -507,6 +507,6 @@ function Foo() {
 function nonGlobalSanitizer() {
   var target = document.location.search
   $("#foo").html(target.replace(new RegExp("<|>"), '')); // NOT OK
-  $("#foo").html(target.replace(new RegExp("<|>", unknownFlags()), '')); // OK -- currently flagged, but might introduce a lot of false positives.
+  $("#foo").html(target.replace(new RegExp("<|>", unknownFlags()), '')); // OK -- most likely good. We don't know what the flags are.
   $("#foo").html(target.replace(new RegExp("<|>", "g"), '')); // OK
 }

Original file line number	Diff line number	Diff line change
`@@ -36,7 +36,7 @@ module Shared {`
`36`	`36`	`*/`
`37`	`37`	`class MetacharEscapeSanitizer extends Sanitizer, StringReplaceCall {`
`38`	`38`	`MetacharEscapeSanitizer() {`
`39`		`- this.isGlobal() and`
	`39`	`+ this.maybeGlobal() and`
`40`	`40`	`(`
`41`	`41`	`RegExp::alwaysMatchesMetaCharacter(this.getRegExp().getRoot(), ["<", "'", "\""])`
`42`	`42`	`or`
Original file line number	Diff line number	Diff line change
`@@ -1 +0,0 @@`
`1`		`-\| tst.js:510 \| did not expect an alert, but found an alert for HtmlInjection \| OK -- currently flagged, but might introduce a lot of false positives. \| \|`
Original file line number	Diff line number	Diff line change
`@@ -507,6 +507,6 @@ function Foo() {`
`507`	`507`	`function nonGlobalSanitizer() {`
`508`	`508`	`var target = document.location.search`
`509`	`509`	`$("#foo").html(target.replace(new RegExp("<\|>"), '')); // NOT OK`
`510`		`- $("#foo").html(target.replace(new RegExp("<\|>", unknownFlags()), '')); // OK -- currently flagged, but might introduce a lot of false positives.`
	`510`	`+ $("#foo").html(target.replace(new RegExp("<\|>", unknownFlags()), '')); // OK -- most likely good. We don't know what the flags are.`
`511`	`511`	`$("#foo").html(target.replace(new RegExp("<\|>", "g"), '')); // OK`
`512`	`512`	`}`