
JavaScript CodeQL library updates: new Angular source and sink #18397

Status: Draft. Wants to merge 6 commits into base: main

Conversation

@aegilops (Contributor) commented Jan 3, 2025

Pull Request checklist

All query authors

Internal query authors only

  • Autofixes generated based on these changes are valid, only needed if this PR makes significant changes to .ql, .qll, or .qhelp files. See the documentation (internal access required).
  • Changes are validated at scale (internal access required).
  • Adding a new query? Consider also adding the query to autofix.

@github-actions github-actions bot added the JS label Jan 3, 2025
@aegilops (Contributor, Author) commented Jan 6, 2025

I'm wondering which other properties being set on elements might need to be treated as XSS sinks, so that I don't fix up just innerHTML.

I'll see if I can copy what's done in the existing library.

I'm thinking that a.href and script.src and object.src might need to be XSS sinks, but I don't want to have to think too hard about this and would prefer to just copy existing conclusions!

.getMember("setProperty")
.getACall() and
this = setProperty.getParameter(2).asSink() and
setProperty.getParameter(1).asSink().asExpr().(StringLiteral).getValue() = "innerHTML"
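Review bot: matching only the literal "innerHTML" in the second argument of setProperty means the other property sinks the author raises in the comment above (a.href, script.src, object.src) stay unmodelled, and a dynamically built property name is silently missed; consider taking the set of dangerous names from the library's existing DOM XSS sink definitions rather than a single literal here, so this predicate and the rest of the library agree on which names are sinks.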
Review comment (Contributor):

Suggested change
setProperty.getParameter(1).asSink().asExpr().(StringLiteral).getValue() = "innerHTML"
setProperty.getArgument(1).getStringValue() = "innerHTML"

/**
* A remote flow source that is a member of an Angular component class.
*/
private class AngularInputUse extends RemoteFlowSource, InputMemberUse {
Review comment (Contributor):

As discussed internally, I'd prefer to introduce a threat model kind for view component inputs like this, as they're not truly remote inputs.

@asgerf (Contributor) commented Jan 6, 2025

> I'm wondering which other properties being set on elements might need to be treated as XSS sinks, so that I don't fix up just innerHTML.

You might be able to model this as an AttributeDefinition instead of directly as a sink. See D3.qll for a simple example.
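One way to follow this suggestion, as an added example that is not code from this PR or from the CodeQL library: model Renderer2's setProperty and setAttribute calls as DOM::AttributeDefinition instances in the style the reviewer points to in D3.qll, so the attribute or property name, not a hard-coded "innerHTML", decides whether the value is an XSS sink. The renderer2() predicate and its getInstance()-based lookup are assumptions standing in for however the library tracks the injected Renderer2 service.

```ql
/**
 * Added example (not from this PR or the CodeQL library): treats
 * `renderer.setProperty(el, name, value)` and
 * `renderer.setAttribute(el, name, value)` as DOM attribute definitions,
 * following the D3.qll pattern, so that existing attribute-name based
 * XSS sink logic covers innerHTML, href, src and friends uniformly.
 */
import javascript

/**
 * Instances of Angular's Renderer2.
 * Assumption: a plain `getInstance()` lookup is used here as a stand-in
 * for however the library actually resolves the injected service.
 */
private API::Node renderer2() {
  result = API::moduleImport("@angular/core").getMember("Renderer2").getInstance()
}

/**
 * A `setProperty` or `setAttribute` call on a Renderer2, viewed as an
 * attribute definition whose name is the second argument and whose
 * value is the third argument.
 */
private class RendererAttributeDefinition extends DOM::AttributeDefinition {
  API::CallNode call;

  RendererAttributeDefinition() {
    call = renderer2().getMember(["setProperty", "setAttribute"]).getACall() and
    this = call.asExpr()
  }

  /** The property or attribute name, when it is a string constant. */
  override string getName() { result = call.getArgument(1).getStringValue() }

  /** The value being written, which sink logic can then inspect by name. */
  override DataFlow::Node getValueNode() { result = call.getArgument(2) }
}
```

A computed name yields no getName() result, so such calls are not matched by name-based sink logic; that gap is visible here rather than hidden behind a single literal.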
