JS: add window.name as DOM-based remote flow source

asger-semmle · asger-semmle · commit 14621760bbcb · 2018-12-12T12:22:39.000Z
diff --git a/javascript/ql/src/semmle/javascript/security/dataflow/DOM.qll b/javascript/ql/src/semmle/javascript/security/dataflow/DOM.qll
@@ -199,4 +199,18 @@ private class PostMessageEventParameter extends RemoteFlowSource {
   override string getSourceType() {
     result = "postMessage event"
   }
-}
+}
+
+/**
+ * An access to `window.name`, which can be controlled by the opener of the window,
+ * even if the window is opened from a foreign domain.
+ */
+private class WindowNameAccess extends RemoteFlowSource {
+  WindowNameAccess() {
+    this = DataFlow::globalVarRef("name")
+  }
+
+  override string getSourceType() {
+    result = "Window name"
+  }
+}
