CWE 830 polish error messages

Stephan Brandauer · Stephan Brandauer · commit 2278e7f6e6ea · 2022-02-22T11:41:54.000+01:00
diff --git a/javascript/ql/src/Security/CWE-830/FunctionalityFromUntrustedSource.qhelp b/javascript/ql/src/Security/CWE-830/FunctionalityFromUntrustedSource.qhelp
@@ -49,15 +49,15 @@
 
 	<example>
 		<p>
-			The following sample loads the jQuery library from the jQuery CDN without using <code>https</code>
+			The following example loads the jQuery library from the jQuery CDN without using <code>https</code>
 			and without checking subresource integrity.
 		</p>
 
 		<sample src="jquery-http-nocheck.html" />
 
 		<p>
 			Instead, loading jQuery from the same domain using <code>https</code> and checking
-			subresource integrity is recommended, as in the next sample.
+			subresource integrity is recommended, as in the next example.
 		</p>
 
 		<sample src="jquery-https-check.html" />
diff --git a/javascript/ql/src/Security/CWE-830/FunctionalityFromUntrustedSource.ql b/javascript/ql/src/Security/CWE-830/FunctionalityFromUntrustedSource.ql
@@ -42,11 +42,12 @@ module StaticCreation {
   predicate isCdnUrlWithCheckingRequired(string url) {
     // Some CDN URLs are required to have an integrity attribute. We only add CDNs to that list
     // that recommend integrity-checking.
-    url.regexpMatch("(?i)" +
+    url.regexpMatch("(?i)^https?://" +
         [
-          "^https?://code\\.jquery\\.com/.*\\.js$", "^https?://cdnjs\\.cloudflare\\.com/.*\\.js$",
-          "^https?://cdnjs\\.com/.*\\.js$"
-        ])
+          "code\\.jquery\\.com", //
+          "cdnjs\\.cloudflare\\.com", //
+          "cdnjs\\.com" //
+        ] + "/.*\\.js$")
   }
 
   /** A script element that refers to untrusted content. */
@@ -56,9 +57,7 @@ module StaticCreation {
       isUntrustedSourceUrl(super.getSourcePath())
     }
 
-    override string getProblem() {
-      result = "HTML script element loaded using unencrypted connection."
-    }
+    override string getProblem() { result = "Script loaded using unencrypted connection." }
   }
 
   /** A script element that refers to untrusted content. */
@@ -77,9 +76,7 @@ module StaticCreation {
   class IframeElementWithUntrustedContent extends AddsUntrustedUrl instanceof HTML::IframeElement {
     IframeElementWithUntrustedContent() { isUntrustedSourceUrl(super.getSourcePath()) }
 
-    override string getProblem() {
-      result = "HTML iframe element loaded using unencrypted connection."
-    }
+    override string getProblem() { result = "Iframe loaded using unencrypted connection." }
   }
 }
 
@@ -153,14 +150,17 @@ module DynamicCreation {
     string name;
 
     IframeOrScriptSrcAssignment() {
+      name = ["script", "iframe"] and
       exists(DataFlow::Node n | n.asExpr() = this |
         isAssignedToSrcAttribute(name, n) and
         n = urlTrackedFromUnsafeSourceLiteral()
       )
     }
 
     override string getProblem() {
-      result = "HTML " + name + " element loaded using unencrypted connection."
+      name = "script" and result = "Script loaded using unencrypted connection."
+      or
+      name = "iframe" and result = "Iframe loaded using unencrypted connection."
     }
   }
 }
diff --git a/javascript/ql/test/query-tests/Security/CWE-830/FunctionalityFromUntrustedSource.expected b/javascript/ql/test/query-tests/Security/CWE-830/FunctionalityFromUntrustedSource.expected
@@ -1,7 +1,7 @@
-| DynamicCreationOfUntrustedSourceUse.html:19:28:19:129 | ('https ... /ga.js' | HTML script element loaded using unencrypted connection. |
-| DynamicCreationOfUntrustedSourceUse.html:23:26:23:50 | 'http:/ ... e.com/' | HTML iframe element loaded using unencrypted connection. |
-| DynamicCreationOfUntrustedSourceUse.html:34:27:34:40 | getUrl('v123') | HTML iframe element loaded using unencrypted connection. |
-| DynamicCreationOfUntrustedSourceUse.html:38:41:38:76 | 'http:/ ... e.html' | HTML iframe element loaded using unencrypted connection. |
-| StaticCreationOfUntrustedSourceUse.html:6:9:6:56 | <script>...</> | HTML script element loaded using unencrypted connection. |
-| StaticCreationOfUntrustedSourceUse.html:9:9:9:58 | <iframe>...</> | HTML iframe element loaded using unencrypted connection. |
+| DynamicCreationOfUntrustedSourceUse.html:19:28:19:129 | ('https ... /ga.js' | Script loaded using unencrypted connection. |
+| DynamicCreationOfUntrustedSourceUse.html:23:26:23:50 | 'http:/ ... e.com/' | Iframe loaded using unencrypted connection. |
+| DynamicCreationOfUntrustedSourceUse.html:34:27:34:40 | getUrl('v123') | Iframe loaded using unencrypted connection. |
+| DynamicCreationOfUntrustedSourceUse.html:38:41:38:76 | 'http:/ ... e.html' | Iframe loaded using unencrypted connection. |
+| StaticCreationOfUntrustedSourceUse.html:6:9:6:56 | <script>...</> | Script loaded using unencrypted connection. |
+| StaticCreationOfUntrustedSourceUse.html:9:9:9:58 | <iframe>...</> | Iframe loaded using unencrypted connection. |
 | StaticCreationOfUntrustedSourceUse.html:21:9:21:155 | <script>...</> | Script loaded from content delivery network with no integrity check. |

Original file line number	Diff line number	Diff line change
`@@ -42,11 +42,12 @@ module StaticCreation {`
`42`	`42`	`predicate isCdnUrlWithCheckingRequired(string url) {`
`43`	`43`	`// Some CDN URLs are required to have an integrity attribute. We only add CDNs to that list`
`44`	`44`	`// that recommend integrity-checking.`
`45`		`- url.regexpMatch("(?i)" +`
	`45`	`+ url.regexpMatch("(?i)^https?://" +`
`46`	`46`	`[`
`47`		`- "^https?://code\\.jquery\\.com/.\\.js$", "^https?://cdnjs\\.cloudflare\\.com/.\\.js$",`
`48`		`- "^https?://cdnjs\\.com/.*\\.js$"`
`49`		`- ])`
	`47`	`+ "code\\.jquery\\.com", //`
	`48`	`+ "cdnjs\\.cloudflare\\.com", //`
	`49`	`+ "cdnjs\\.com" //`
	`50`	`+ ] + "/.*\\.js$")`
`50`	`51`	`}`
`51`	`52`
`52`	`53`	`/** A script element that refers to untrusted content. */`
`@@ -56,9 +57,7 @@ module StaticCreation {`
`56`	`57`	`isUntrustedSourceUrl(super.getSourcePath())`
`57`	`58`	`}`
`58`	`59`
`59`		`- override string getProblem() {`
`60`		`- result = "HTML script element loaded using unencrypted connection."`
`61`		`- }`
	`60`	`+ override string getProblem() { result = "Script loaded using unencrypted connection." }`
`62`	`61`	`}`
`63`	`62`
`64`	`63`	`/** A script element that refers to untrusted content. */`
`@@ -77,9 +76,7 @@ module StaticCreation {`
`77`	`76`	`class IframeElementWithUntrustedContent extends AddsUntrustedUrl instanceof HTML::IframeElement {`
`78`	`77`	`IframeElementWithUntrustedContent() { isUntrustedSourceUrl(super.getSourcePath()) }`
`79`	`78`
`80`		`- override string getProblem() {`
`81`		`- result = "HTML iframe element loaded using unencrypted connection."`
`82`		`- }`
	`79`	`+ override string getProblem() { result = "Iframe loaded using unencrypted connection." }`
`83`	`80`	`}`
`84`	`81`	`}`
`85`	`82`
`@@ -153,14 +150,17 @@ module DynamicCreation {`
`153`	`150`	`string name;`
`154`	`151`
`155`	`152`	`IframeOrScriptSrcAssignment() {`
	`153`	`+ name = ["script", "iframe"] and`
`156`	`154`	`exists(DataFlow::Node n \| n.asExpr() = this \|`
`157`	`155`	`isAssignedToSrcAttribute(name, n) and`
`158`	`156`	`n = urlTrackedFromUnsafeSourceLiteral()`
`159`	`157`	`)`
`160`	`158`	`}`
`161`	`159`
`162`	`160`	`override string getProblem() {`
`163`		`- result = "HTML " + name + " element loaded using unencrypted connection."`
	`161`	`+ name = "script" and result = "Script loaded using unencrypted connection."`
	`162`	`+ or`
	`163`	`+ name = "iframe" and result = "Iframe loaded using unencrypted connection."`
`164`	`164`	`}`
`165`	`165`	`}`
`166`	`166`	`}`