JS: preserve document.url label out of .href property

asger-semmle · asger-semmle · commit 03b479114fa0 · 2018-10-10T17:05:59.000+01:00
diff --git a/javascript/ql/src/semmle/javascript/security/dataflow/ClientSideUrlRedirect.qll b/javascript/ql/src/semmle/javascript/security/dataflow/ClientSideUrlRedirect.qll
@@ -65,6 +65,11 @@ module ClientSideUrlRedirect {
       queryAccess(pred, succ) and
       f instanceof DocumentUrl and
       g = DataFlow::FlowLabel::taint()
+      or
+      // preserve document.url label in step from `location` to `location.href`
+      f instanceof DocumentUrl and
+      g instanceof DocumentUrl and
+      succ.(DataFlow::PropRead).accesses(pred, "href")
     }
   }
 

Original file line number	Diff line number	Diff line change
`@@ -65,6 +65,11 @@ module ClientSideUrlRedirect {`
`65`	`65`	`queryAccess(pred, succ) and`
`66`	`66`	`f instanceof DocumentUrl and`
`67`	`67`	`g = DataFlow::FlowLabel::taint()`
	`68`	`+ or`
	`69`	+ // preserve document.url label in step from `location` to `location.href`
	`70`	`+ f instanceof DocumentUrl and`
	`71`	`+ g instanceof DocumentUrl and`
	`72`	`+ succ.(DataFlow::PropRead).accesses(pred, "href")`
`68`	`73`	`}`
`69`	`74`	`}`
`70`	`75`