Merge pull request #8990 from bananabr/selection

erik-krogh · web-flow · commit 611a412f2ae7 · 2022-05-09T12:22:18.000+02:00
JS: Selection API DOM text source
diff --git a/javascript/ql/lib/change-notes/2022-04-30-xss-selection-source.md b/javascript/ql/lib/change-notes/2022-04-30-xss-selection-source.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Added the `Selection` api as a DOM text source in the `js/xss-through-dom` query.
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/XssThroughDomCustomizations.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/XssThroughDomCustomizations.qll
@@ -216,4 +216,32 @@ module XssThroughDom {
       }
     }
   }
+
+  /**
+   * Gets a reference to a value obtained by calling `window.getSelection()`.
+   * https://developer.mozilla.org/en-US/docs/Web/API/Selection
+   */
+  DataFlow::SourceNode getSelectionCall(DataFlow::TypeTracker t) {
+    t.start() and
+    exists(DataFlow::CallNode call |
+      call = DataFlow::globalVarRef("getSelection").getACall()
+      or
+      call = DOM::documentRef().getAMemberCall("getSelection")
+    |
+      result = call
+    )
+    or
+    exists(DataFlow::TypeTracker t2 | result = getSelectionCall(t2).track(t2, t))
+  }
+
+  /**
+   * A source for text from the DOM from calling `toString()` on a `Selection` object.
+   * The `toString()` method returns the currently selected text in the DOM.
+   * https://developer.mozilla.org/en-US/docs/Web/API/Selection
+   */
+  class SelectionSource extends Source {
+    SelectionSource() {
+      this = getSelectionCall(DataFlow::TypeTracker::end()).getAMethodCall("toString")
+    }
+  }
 }
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/XssThroughDom.expected b/javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/XssThroughDom.expected
@@ -139,6 +139,17 @@ nodes
 | xss-through-dom.js:122:53:122:67 | ev.target.files |
 | xss-through-dom.js:122:53:122:67 | ev.target.files |
 | xss-through-dom.js:122:53:122:70 | ev.target.files[0] |
+| xss-through-dom.js:130:6:130:68 | linkText |
+| xss-through-dom.js:130:17:130:37 | wSelect ... tring() |
+| xss-through-dom.js:130:17:130:37 | wSelect ... tring() |
+| xss-through-dom.js:130:17:130:62 | wSelect ... tring() |
+| xss-through-dom.js:130:17:130:68 | wSelect ... ) \|\| '' |
+| xss-through-dom.js:130:42:130:62 | dSelect ... tring() |
+| xss-through-dom.js:130:42:130:62 | dSelect ... tring() |
+| xss-through-dom.js:131:19:131:26 | linkText |
+| xss-through-dom.js:131:19:131:26 | linkText |
+| xss-through-dom.js:132:16:132:23 | linkText |
+| xss-through-dom.js:132:16:132:23 | linkText |
 edges
 | forms.js:8:23:8:28 | values | forms.js:9:31:9:36 | values |
 | forms.js:8:23:8:28 | values | forms.js:9:31:9:36 | values |
@@ -225,6 +236,16 @@ edges
 | xss-through-dom.js:122:53:122:67 | ev.target.files | xss-through-dom.js:122:53:122:70 | ev.target.files[0] |
 | xss-through-dom.js:122:53:122:70 | ev.target.files[0] | xss-through-dom.js:122:33:122:71 | URL.cre ... les[0]) |
 | xss-through-dom.js:122:53:122:70 | ev.target.files[0] | xss-through-dom.js:122:33:122:71 | URL.cre ... les[0]) |
+| xss-through-dom.js:130:6:130:68 | linkText | xss-through-dom.js:131:19:131:26 | linkText |
+| xss-through-dom.js:130:6:130:68 | linkText | xss-through-dom.js:131:19:131:26 | linkText |
+| xss-through-dom.js:130:6:130:68 | linkText | xss-through-dom.js:132:16:132:23 | linkText |
+| xss-through-dom.js:130:6:130:68 | linkText | xss-through-dom.js:132:16:132:23 | linkText |
+| xss-through-dom.js:130:17:130:37 | wSelect ... tring() | xss-through-dom.js:130:17:130:62 | wSelect ... tring() |
+| xss-through-dom.js:130:17:130:37 | wSelect ... tring() | xss-through-dom.js:130:17:130:62 | wSelect ... tring() |
+| xss-through-dom.js:130:17:130:62 | wSelect ... tring() | xss-through-dom.js:130:17:130:68 | wSelect ... ) \|\| '' |
+| xss-through-dom.js:130:17:130:68 | wSelect ... ) \|\| '' | xss-through-dom.js:130:6:130:68 | linkText |
+| xss-through-dom.js:130:42:130:62 | dSelect ... tring() | xss-through-dom.js:130:17:130:62 | wSelect ... tring() |
+| xss-through-dom.js:130:42:130:62 | dSelect ... tring() | xss-through-dom.js:130:17:130:62 | wSelect ... tring() |
 #select
 | forms.js:9:31:9:40 | values.foo | forms.js:8:23:8:28 | values | forms.js:9:31:9:40 | values.foo | $@ is reinterpreted as HTML without escaping meta-characters. | forms.js:8:23:8:28 | values | DOM text |
 | forms.js:12:31:12:40 | values.bar | forms.js:11:24:11:29 | values | forms.js:12:31:12:40 | values.bar | $@ is reinterpreted as HTML without escaping meta-characters. | forms.js:11:24:11:29 | values | DOM text |
@@ -262,3 +283,7 @@ edges
 | xss-through-dom.js:115:16:115:18 | src | xss-through-dom.js:114:17:114:52 | documen ... k").src | xss-through-dom.js:115:16:115:18 | src | $@ is reinterpreted as HTML without escaping meta-characters. | xss-through-dom.js:114:17:114:52 | documen ... k").src | DOM text |
 | xss-through-dom.js:120:23:120:45 | ev.targ ... 0].name | xss-through-dom.js:120:23:120:37 | ev.target.files | xss-through-dom.js:120:23:120:45 | ev.targ ... 0].name | $@ is reinterpreted as HTML without escaping meta-characters. | xss-through-dom.js:120:23:120:37 | ev.target.files | DOM text |
 | xss-through-dom.js:122:33:122:71 | URL.cre ... les[0]) | xss-through-dom.js:122:53:122:67 | ev.target.files | xss-through-dom.js:122:33:122:71 | URL.cre ... les[0]) | $@ is reinterpreted as HTML without escaping meta-characters. | xss-through-dom.js:122:53:122:67 | ev.target.files | DOM text |
+| xss-through-dom.js:131:19:131:26 | linkText | xss-through-dom.js:130:17:130:37 | wSelect ... tring() | xss-through-dom.js:131:19:131:26 | linkText | $@ is reinterpreted as HTML without escaping meta-characters. | xss-through-dom.js:130:17:130:37 | wSelect ... tring() | DOM text |
+| xss-through-dom.js:131:19:131:26 | linkText | xss-through-dom.js:130:42:130:62 | dSelect ... tring() | xss-through-dom.js:131:19:131:26 | linkText | $@ is reinterpreted as HTML without escaping meta-characters. | xss-through-dom.js:130:42:130:62 | dSelect ... tring() | DOM text |
+| xss-through-dom.js:132:16:132:23 | linkText | xss-through-dom.js:130:17:130:37 | wSelect ... tring() | xss-through-dom.js:132:16:132:23 | linkText | $@ is reinterpreted as HTML without escaping meta-characters. | xss-through-dom.js:130:17:130:37 | wSelect ... tring() | DOM text |
+| xss-through-dom.js:132:16:132:23 | linkText | xss-through-dom.js:130:42:130:62 | dSelect ... tring() | xss-through-dom.js:132:16:132:23 | linkText | $@ is reinterpreted as HTML without escaping meta-characters. | xss-through-dom.js:130:42:130:62 | dSelect ... tring() | DOM text |
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/xss-through-dom.js b/javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/xss-through-dom.js
@@ -122,3 +122,13 @@ class Sub extends Super {
         $("img#id").attr("src", URL.createObjectURL(ev.target.files[0])); // NOT OK
     }
 })();
+
+(function () {
+	let elem = document.createElement('a');
+	const wSelection = getSelection();
+	const dSelection = document.getSelection();
+	let linkText = wSelection.toString() || dSelection.toString() || '';
+	elem.innerHTML = linkText; // NOT OK
+	$("#id").html(linkText); // NOT OK
+	elem.innerText = linkText; // OK
+})();

-Original file line number
+Diff line change
@@ @@ -0,0 +1,4 @@ @@
 +---
 +category: minorAnalysis
 +---
 +* Added the `Selection` api as a DOM text source in the `js/xss-through-dom` query.