simplify TaintedUrlSuffix::source() to only consider window.location based sources

erik-krogh · erik-krogh · commit d8a5947a0854 · 2022-03-16T22:32:09.000+01:00
diff --git a/javascript/ql/lib/semmle/javascript/security/TaintedUrlSuffix.qll b/javascript/ql/lib/semmle/javascript/security/TaintedUrlSuffix.qll
@@ -26,13 +26,11 @@ module TaintedUrlSuffix {
    */
   FlowLabel label() { result instanceof TaintedUrlSuffixLabel }
 
-  /**
-   * Gets a remote flow source that is a tainted URL query or fragment part.
-   */
+  /** Gets a remote flow source that is a tainted URL query or fragment part from `window.location`. */
   ClientSideRemoteFlowSource source() {
-    result.getKind().isFragment()
+    result = DOM::locationRef().getAPropertyRead(["search", "hash"])
     or
-    result.getKind().isQuery()
+    result = DOM::locationSource()
     or
     result.getKind().isUrl()
   }
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/Xss.expected b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/Xss.expected
@@ -28,6 +28,7 @@ nodes
 | angular2-client.ts:22:44:22:71 | \\u0275getDOM ... ().href |
 | angular2-client.ts:22:44:22:71 | \\u0275getDOM ... ().href |
 | angular2-client.ts:22:44:22:71 | \\u0275getDOM ... ().href |
+| angular2-client.ts:22:44:22:71 | \\u0275getDOM ... ().href |
 | angular2-client.ts:24:44:24:69 | this.ro ... .params |
 | angular2-client.ts:24:44:24:69 | this.ro ... .params |
 | angular2-client.ts:24:44:24:69 | this.ro ... .params |
@@ -36,8 +37,11 @@ nodes
 | angular2-client.ts:24:44:24:73 | this.ro ... ams.foo |
 | angular2-client.ts:25:44:25:74 | this.ro ... yParams |
 | angular2-client.ts:25:44:25:74 | this.ro ... yParams |
+| angular2-client.ts:25:44:25:74 | this.ro ... yParams |
 | angular2-client.ts:25:44:25:78 | this.ro ... ams.foo |
 | angular2-client.ts:25:44:25:78 | this.ro ... ams.foo |
+| angular2-client.ts:25:44:25:78 | this.ro ... ams.foo |
+| angular2-client.ts:26:44:26:71 | this.ro ... ragment |
 | angular2-client.ts:26:44:26:71 | this.ro ... ragment |
 | angular2-client.ts:26:44:26:71 | this.ro ... ragment |
 | angular2-client.ts:26:44:26:71 | this.ro ... ragment |
@@ -48,6 +52,7 @@ nodes
 | angular2-client.ts:28:44:28:87 | this.ro ... ('foo') |
 | angular2-client.ts:28:44:28:87 | this.ro ... ('foo') |
 | angular2-client.ts:28:44:28:87 | this.ro ... ('foo') |
+| angular2-client.ts:28:44:28:87 | this.ro ... ('foo') |
 | angular2-client.ts:30:46:30:59 | map.get('foo') |
 | angular2-client.ts:30:46:30:59 | map.get('foo') |
 | angular2-client.ts:30:46:30:59 | map.get('foo') |
@@ -75,6 +80,8 @@ nodes
 | angular2-client.ts:38:44:38:58 | this.router.url |
 | angular2-client.ts:38:44:38:58 | this.router.url |
 | angular2-client.ts:38:44:38:58 | this.router.url |
+| angular2-client.ts:38:44:38:58 | this.router.url |
+| angular2-client.ts:40:45:40:59 | this.router.url |
 | angular2-client.ts:40:45:40:59 | this.router.url |
 | angular2-client.ts:40:45:40:59 | this.router.url |
 | angular2-client.ts:40:45:40:59 | this.router.url |
@@ -293,7 +300,6 @@ nodes
 | dates.js:61:81:61:85 | taint |
 | event-handler-receiver.js:2:31:2:83 | '<h2><a ... ></h2>' |
 | event-handler-receiver.js:2:31:2:83 | '<h2><a ... ></h2>' |
-| event-handler-receiver.js:2:31:2:83 | '<h2><a ... ></h2>' |
 | event-handler-receiver.js:2:49:2:61 | location.href |
 | event-handler-receiver.js:2:49:2:61 | location.href |
 | express.js:7:15:7:33 | req.param("wobble") |
@@ -519,28 +525,41 @@ nodes
 | string-manipulations.js:4:16:4:37 | documen ... on.href |
 | string-manipulations.js:4:16:4:37 | documen ... on.href |
 | string-manipulations.js:4:16:4:37 | documen ... on.href |
+| string-manipulations.js:4:16:4:37 | documen ... on.href |
+| string-manipulations.js:5:16:5:37 | documen ... on.href |
 | string-manipulations.js:5:16:5:37 | documen ... on.href |
 | string-manipulations.js:5:16:5:37 | documen ... on.href |
 | string-manipulations.js:5:16:5:47 | documen ... lueOf() |
 | string-manipulations.js:5:16:5:47 | documen ... lueOf() |
+| string-manipulations.js:5:16:5:47 | documen ... lueOf() |
+| string-manipulations.js:6:16:6:37 | documen ... on.href |
 | string-manipulations.js:6:16:6:37 | documen ... on.href |
 | string-manipulations.js:6:16:6:37 | documen ... on.href |
 | string-manipulations.js:6:16:6:43 | documen ... f.sup() |
 | string-manipulations.js:6:16:6:43 | documen ... f.sup() |
+| string-manipulations.js:6:16:6:43 | documen ... f.sup() |
 | string-manipulations.js:7:16:7:37 | documen ... on.href |
 | string-manipulations.js:7:16:7:37 | documen ... on.href |
+| string-manipulations.js:7:16:7:37 | documen ... on.href |
+| string-manipulations.js:7:16:7:51 | documen ... rCase() |
 | string-manipulations.js:7:16:7:51 | documen ... rCase() |
 | string-manipulations.js:7:16:7:51 | documen ... rCase() |
 | string-manipulations.js:8:16:8:37 | documen ... on.href |
 | string-manipulations.js:8:16:8:37 | documen ... on.href |
+| string-manipulations.js:8:16:8:37 | documen ... on.href |
+| string-manipulations.js:8:16:8:48 | documen ... mLeft() |
 | string-manipulations.js:8:16:8:48 | documen ... mLeft() |
 | string-manipulations.js:8:16:8:48 | documen ... mLeft() |
 | string-manipulations.js:9:16:9:58 | String. ... n.href) |
 | string-manipulations.js:9:16:9:58 | String. ... n.href) |
+| string-manipulations.js:9:16:9:58 | String. ... n.href) |
+| string-manipulations.js:9:36:9:57 | documen ... on.href |
 | string-manipulations.js:9:36:9:57 | documen ... on.href |
 | string-manipulations.js:9:36:9:57 | documen ... on.href |
 | string-manipulations.js:10:16:10:45 | String( ... n.href) |
 | string-manipulations.js:10:16:10:45 | String( ... n.href) |
+| string-manipulations.js:10:16:10:45 | String( ... n.href) |
+| string-manipulations.js:10:23:10:44 | documen ... on.href |
 | string-manipulations.js:10:23:10:44 | documen ... on.href |
 | string-manipulations.js:10:23:10:44 | documen ... on.href |
 | tooltip.jsx:6:11:6:30 | source |
@@ -603,11 +622,9 @@ nodes
 | tst.js:5:18:5:23 | target |
 | tst.js:8:18:8:126 | "<OPTIO ... PTION>" |
 | tst.js:8:18:8:126 | "<OPTIO ... PTION>" |
-| tst.js:8:18:8:126 | "<OPTIO ... PTION>" |
 | tst.js:8:37:8:58 | documen ... on.href |
 | tst.js:8:37:8:58 | documen ... on.href |
 | tst.js:8:37:8:114 | documen ... t=")+8) |
-| tst.js:8:37:8:114 | documen ... t=")+8) |
 | tst.js:12:5:12:42 | '<div s ...  'px">' |
 | tst.js:12:5:12:42 | '<div s ...  'px">' |
 | tst.js:12:28:12:33 | target |
@@ -1065,6 +1082,9 @@ edges
 | angular2-client.ts:25:44:25:74 | this.ro ... yParams | angular2-client.ts:25:44:25:78 | this.ro ... ams.foo |
 | angular2-client.ts:25:44:25:74 | this.ro ... yParams | angular2-client.ts:25:44:25:78 | this.ro ... ams.foo |
 | angular2-client.ts:25:44:25:74 | this.ro ... yParams | angular2-client.ts:25:44:25:78 | this.ro ... ams.foo |
+| angular2-client.ts:25:44:25:74 | this.ro ... yParams | angular2-client.ts:25:44:25:78 | this.ro ... ams.foo |
+| angular2-client.ts:25:44:25:74 | this.ro ... yParams | angular2-client.ts:25:44:25:78 | this.ro ... ams.foo |
+| angular2-client.ts:25:44:25:74 | this.ro ... yParams | angular2-client.ts:25:44:25:78 | this.ro ... ams.foo |
 | angular2-client.ts:26:44:26:71 | this.ro ... ragment | angular2-client.ts:26:44:26:71 | this.ro ... ragment |
 | angular2-client.ts:27:44:27:82 | this.ro ... ('foo') | angular2-client.ts:27:44:27:82 | this.ro ... ('foo') |
 | angular2-client.ts:28:44:28:87 | this.ro ... ('foo') | angular2-client.ts:28:44:28:87 | this.ro ... ('foo') |
@@ -1315,8 +1335,6 @@ edges
 | event-handler-receiver.js:2:49:2:61 | location.href | event-handler-receiver.js:2:31:2:83 | '<h2><a ... ></h2>' |
 | event-handler-receiver.js:2:49:2:61 | location.href | event-handler-receiver.js:2:31:2:83 | '<h2><a ... ></h2>' |
 | event-handler-receiver.js:2:49:2:61 | location.href | event-handler-receiver.js:2:31:2:83 | '<h2><a ... ></h2>' |
-| event-handler-receiver.js:2:49:2:61 | location.href | event-handler-receiver.js:2:31:2:83 | '<h2><a ... ></h2>' |
-| event-handler-receiver.js:2:49:2:61 | location.href | event-handler-receiver.js:2:31:2:83 | '<h2><a ... ></h2>' |
 | express.js:7:15:7:33 | req.param("wobble") | express.js:7:15:7:33 | req.param("wobble") |
 | jquery.js:2:7:2:40 | tainted | jquery.js:7:20:7:26 | tainted |
 | jquery.js:2:7:2:40 | tainted | jquery.js:8:28:8:34 | tainted |
@@ -1534,22 +1552,40 @@ edges
 | string-manipulations.js:5:16:5:37 | documen ... on.href | string-manipulations.js:5:16:5:47 | documen ... lueOf() |
 | string-manipulations.js:5:16:5:37 | documen ... on.href | string-manipulations.js:5:16:5:47 | documen ... lueOf() |
 | string-manipulations.js:5:16:5:37 | documen ... on.href | string-manipulations.js:5:16:5:47 | documen ... lueOf() |
+| string-manipulations.js:5:16:5:37 | documen ... on.href | string-manipulations.js:5:16:5:47 | documen ... lueOf() |
+| string-manipulations.js:5:16:5:37 | documen ... on.href | string-manipulations.js:5:16:5:47 | documen ... lueOf() |
+| string-manipulations.js:5:16:5:37 | documen ... on.href | string-manipulations.js:5:16:5:47 | documen ... lueOf() |
+| string-manipulations.js:6:16:6:37 | documen ... on.href | string-manipulations.js:6:16:6:43 | documen ... f.sup() |
+| string-manipulations.js:6:16:6:37 | documen ... on.href | string-manipulations.js:6:16:6:43 | documen ... f.sup() |
 | string-manipulations.js:6:16:6:37 | documen ... on.href | string-manipulations.js:6:16:6:43 | documen ... f.sup() |
 | string-manipulations.js:6:16:6:37 | documen ... on.href | string-manipulations.js:6:16:6:43 | documen ... f.sup() |
 | string-manipulations.js:6:16:6:37 | documen ... on.href | string-manipulations.js:6:16:6:43 | documen ... f.sup() |
 | string-manipulations.js:6:16:6:37 | documen ... on.href | string-manipulations.js:6:16:6:43 | documen ... f.sup() |
+| string-manipulations.js:6:16:6:37 | documen ... on.href | string-manipulations.js:6:16:6:43 | documen ... f.sup() |
+| string-manipulations.js:7:16:7:37 | documen ... on.href | string-manipulations.js:7:16:7:51 | documen ... rCase() |
+| string-manipulations.js:7:16:7:37 | documen ... on.href | string-manipulations.js:7:16:7:51 | documen ... rCase() |
 | string-manipulations.js:7:16:7:37 | documen ... on.href | string-manipulations.js:7:16:7:51 | documen ... rCase() |
 | string-manipulations.js:7:16:7:37 | documen ... on.href | string-manipulations.js:7:16:7:51 | documen ... rCase() |
 | string-manipulations.js:7:16:7:37 | documen ... on.href | string-manipulations.js:7:16:7:51 | documen ... rCase() |
 | string-manipulations.js:7:16:7:37 | documen ... on.href | string-manipulations.js:7:16:7:51 | documen ... rCase() |
+| string-manipulations.js:7:16:7:37 | documen ... on.href | string-manipulations.js:7:16:7:51 | documen ... rCase() |
+| string-manipulations.js:8:16:8:37 | documen ... on.href | string-manipulations.js:8:16:8:48 | documen ... mLeft() |
+| string-manipulations.js:8:16:8:37 | documen ... on.href | string-manipulations.js:8:16:8:48 | documen ... mLeft() |
 | string-manipulations.js:8:16:8:37 | documen ... on.href | string-manipulations.js:8:16:8:48 | documen ... mLeft() |
 | string-manipulations.js:8:16:8:37 | documen ... on.href | string-manipulations.js:8:16:8:48 | documen ... mLeft() |
 | string-manipulations.js:8:16:8:37 | documen ... on.href | string-manipulations.js:8:16:8:48 | documen ... mLeft() |
 | string-manipulations.js:8:16:8:37 | documen ... on.href | string-manipulations.js:8:16:8:48 | documen ... mLeft() |
+| string-manipulations.js:8:16:8:37 | documen ... on.href | string-manipulations.js:8:16:8:48 | documen ... mLeft() |
+| string-manipulations.js:9:36:9:57 | documen ... on.href | string-manipulations.js:9:16:9:58 | String. ... n.href) |
+| string-manipulations.js:9:36:9:57 | documen ... on.href | string-manipulations.js:9:16:9:58 | String. ... n.href) |
 | string-manipulations.js:9:36:9:57 | documen ... on.href | string-manipulations.js:9:16:9:58 | String. ... n.href) |
 | string-manipulations.js:9:36:9:57 | documen ... on.href | string-manipulations.js:9:16:9:58 | String. ... n.href) |
 | string-manipulations.js:9:36:9:57 | documen ... on.href | string-manipulations.js:9:16:9:58 | String. ... n.href) |
 | string-manipulations.js:9:36:9:57 | documen ... on.href | string-manipulations.js:9:16:9:58 | String. ... n.href) |
+| string-manipulations.js:9:36:9:57 | documen ... on.href | string-manipulations.js:9:16:9:58 | String. ... n.href) |
+| string-manipulations.js:10:23:10:44 | documen ... on.href | string-manipulations.js:10:16:10:45 | String( ... n.href) |
+| string-manipulations.js:10:23:10:44 | documen ... on.href | string-manipulations.js:10:16:10:45 | String( ... n.href) |
+| string-manipulations.js:10:23:10:44 | documen ... on.href | string-manipulations.js:10:16:10:45 | String( ... n.href) |
 | string-manipulations.js:10:23:10:44 | documen ... on.href | string-manipulations.js:10:16:10:45 | String( ... n.href) |
 | string-manipulations.js:10:23:10:44 | documen ... on.href | string-manipulations.js:10:16:10:45 | String( ... n.href) |
 | string-manipulations.js:10:23:10:44 | documen ... on.href | string-manipulations.js:10:16:10:45 | String( ... n.href) |
@@ -1619,11 +1655,6 @@ edges
 | tst.js:2:16:2:39 | documen ... .search | tst.js:2:7:2:39 | target |
 | tst.js:8:37:8:58 | documen ... on.href | tst.js:8:37:8:114 | documen ... t=")+8) |
 | tst.js:8:37:8:58 | documen ... on.href | tst.js:8:37:8:114 | documen ... t=")+8) |
-| tst.js:8:37:8:58 | documen ... on.href | tst.js:8:37:8:114 | documen ... t=")+8) |
-| tst.js:8:37:8:58 | documen ... on.href | tst.js:8:37:8:114 | documen ... t=")+8) |
-| tst.js:8:37:8:114 | documen ... t=")+8) | tst.js:8:18:8:126 | "<OPTIO ... PTION>" |
-| tst.js:8:37:8:114 | documen ... t=")+8) | tst.js:8:18:8:126 | "<OPTIO ... PTION>" |
-| tst.js:8:37:8:114 | documen ... t=")+8) | tst.js:8:18:8:126 | "<OPTIO ... PTION>" |
 | tst.js:8:37:8:114 | documen ... t=")+8) | tst.js:8:18:8:126 | "<OPTIO ... PTION>" |
 | tst.js:8:37:8:114 | documen ... t=")+8) | tst.js:8:18:8:126 | "<OPTIO ... PTION>" |
 | tst.js:12:28:12:33 | target | tst.js:12:5:12:42 | '<div s ...  'px">' |
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/XssWithAdditionalSources.expected b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/XssWithAdditionalSources.expected
