include startsWith/endsWith checks in js/missing-origin-check

erik-krogh · erik-krogh · commit 0a26e891a22a · 2022-04-25T15:28:50.000+02:00
diff --git a/javascript/ql/src/Security/CWE-020/MissingOriginCheck.ql b/javascript/ql/src/Security/CWE-020/MissingOriginCheck.ql
@@ -66,6 +66,16 @@ predicate hasOriginCheck(PostMessageHandler handler) {
   or
   // set.includes(event.source)
   exists(InclusionTest test | sourceOrOrigin(handler).flowsTo(test.getContainedNode()))
+  or
+  // "safeOrigin".startsWith(event.origin)
+  exists(StringOps::StartsWith starts |
+    origin(DataFlow::TypeTracker::end(), handler).flowsTo(starts.getSubstring())
+  )
+  or
+  // "safeOrigin".endsWith(event.origin)
+  exists(StringOps::EndsWith ends |
+    origin(DataFlow::TypeTracker::end(), handler).flowsTo(ends.getSubstring())
+  )
 }
 
 from PostMessageHandler handler
diff --git a/javascript/ql/test/query-tests/Security/CWE-020/MissingOriginCheck/tst.js b/javascript/ql/test/query-tests/Security/CWE-020/MissingOriginCheck/tst.js
@@ -61,4 +61,10 @@ function is_valid_origin(origin) {
         warn("invalid origin: " + origin);
     }
     return valid;
-}
+}
+
+window.onmessage = event => { // OK - the check is OK
+    if ("https://www.example.com".startsWith(event.origin)) {
+      // do something
+    }
+}
