JS: add RemoteFlowSource.isThirdPartyControllable()

Use it in ReflectedXSS and ServerSideURrlRedirect

Author: asger-semmle

javascript/ql/src/semmle/javascript/frameworks/HTTP.qll

@@ -399,6 +399,13 @@ module HTTP {
      * Note that this predicate is functional.
      */
     abstract string getKind();
+
+    override predicate isThirdPartyControllable() {
+      exists (string kind | kind = getKind() |
+        kind = "parameter" or
+        kind = "url" or
+        kind = "body")
+    }
   }
 
   /**

javascript/ql/src/semmle/javascript/security/dataflow/ReflectedXss.qll

@@ -46,10 +46,7 @@ module ReflectedXss {
   /** A source of remote user input, considered as a flow source for reflected XSS. */
   class RemoteFlowSourceAsSource extends Source {
     RemoteFlowSourceAsSource() {
-      this instanceof RemoteFlowSource and
-      // cookies cannot be controlled by a third-party attacker, and hence are
-      // not relevant for reflected XSS
-      not this.(RemoteFlowSource).getSourceType() = "Server request cookie"
+      this.(RemoteFlowSource).isThirdPartyControllable()
     }
   }
 

javascript/ql/src/semmle/javascript/security/dataflow/RemoteFlowSources.qll

@@ -10,8 +10,19 @@ import semmle.javascript.security.dataflow.DOM
 abstract class RemoteFlowSource extends DataFlow::Node {
   /** Gets a string that describes the type of this remote flow source. */
   abstract string getSourceType();
-}
 
+  /**
+   * Holds if this flow source comes from an incoming request, and this part of the
+   * request can be controlled by a third party, that is, an actor other than the one
+   * sending the request.
+   *
+   * Any web site can redirect the visitor's browser to any other domain, and in doing so control
+   * the entire URL and POST body. In this scenario, these values are technically sent by the
+   * user's browser, but the user is not in direct control of these values, so they are considered
+   * third-party controllable.
+   */
+  predicate isThirdPartyControllable() { none() }
+}
 
 /**
  * An access to `document.cookie`, viewed as a source of remote user input.

javascript/ql/src/semmle/javascript/security/dataflow/ServerSideUrlRedirect.qll

@@ -90,9 +90,11 @@ module ServerSideUrlRedirect {
 
   }
 
-  /** A source of remote user input, considered as a flow source for URL redirects. */
+  /** A source of third-party user input, considered as a flow source for URL redirects. */
   class RemoteFlowSourceAsSource extends Source {
-    RemoteFlowSourceAsSource() { this instanceof RemoteFlowSource }
+    RemoteFlowSourceAsSource() {
+      this.(RemoteFlowSource).isThirdPartyControllable()
+    }
   }
 
   /**