JS: fix FP for js/unsafe-jquery-plugin

esbena · esbena · commit 2ad9b843ae03 · 2020-01-31T19:33:04.000+01:00
diff --git a/javascript/ql/src/semmle/javascript/security/dataflow/UnsafeJQueryPlugin.qll b/javascript/ql/src/semmle/javascript/security/dataflow/UnsafeJQueryPlugin.qll
@@ -32,6 +32,20 @@ module UnsafeJQueryPlugin {
       DataFlow::localFieldStep(src, sink)
     }
 
+    override predicate isSanitizerEdge(DataFlow::Node pred, DataFlow::Node succ) {
+      // prefixing prevents forced html/css confusion:
+
+      // prefixing through concatenation:
+      succ.asExpr().(AddExpr).getRightOperand().flow() = pred
+      or
+      // prefixing through a poor-mans templating system:
+      exists(DataFlow::MethodCallNode replace |
+        replace = succ and
+        pred = replace.getArgument(1) and
+        replace.getMethodName() = "replace"
+      )
+    }
+
     override predicate isSanitizerGuard(TaintTracking::SanitizerGuardNode node) {
       super.isSanitizerGuard(node) or
       node instanceof IsElementSanitizer or
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/UnsafeJQueryPlugin.expected b/javascript/ql/test/query-tests/Security/CWE-079/UnsafeJQueryPlugin.expected
@@ -110,14 +110,6 @@ nodes
 | unsafe-jquery-plugin.js:157:44:157:59 | options.target.a |
 | unsafe-jquery-plugin.js:160:38:160:44 | options |
 | unsafe-jquery-plugin.js:160:38:160:44 | options |
-| unsafe-jquery-plugin.js:161:5:161:30 | anyPref ... .target |
-| unsafe-jquery-plugin.js:161:5:161:30 | anyPref ... .target |
-| unsafe-jquery-plugin.js:161:17:161:23 | options |
-| unsafe-jquery-plugin.js:161:17:161:30 | options.target |
-| unsafe-jquery-plugin.js:163:5:163:54 | somethi ... target) |
-| unsafe-jquery-plugin.js:163:5:163:54 | somethi ... target) |
-| unsafe-jquery-plugin.js:163:40:163:46 | options |
-| unsafe-jquery-plugin.js:163:40:163:53 | options.target |
 | unsafe-jquery-plugin.js:165:7:165:29 | target |
 | unsafe-jquery-plugin.js:165:16:165:22 | options |
 | unsafe-jquery-plugin.js:165:16:165:29 | options.target |
@@ -230,18 +222,8 @@ edges
 | unsafe-jquery-plugin.js:157:44:157:50 | options | unsafe-jquery-plugin.js:157:44:157:57 | options.target |
 | unsafe-jquery-plugin.js:157:44:157:57 | options.target | unsafe-jquery-plugin.js:157:44:157:59 | options.target.a |
 | unsafe-jquery-plugin.js:157:44:157:57 | options.target | unsafe-jquery-plugin.js:157:44:157:59 | options.target.a |
-| unsafe-jquery-plugin.js:160:38:160:44 | options | unsafe-jquery-plugin.js:161:17:161:23 | options |
-| unsafe-jquery-plugin.js:160:38:160:44 | options | unsafe-jquery-plugin.js:161:17:161:23 | options |
-| unsafe-jquery-plugin.js:160:38:160:44 | options | unsafe-jquery-plugin.js:163:40:163:46 | options |
-| unsafe-jquery-plugin.js:160:38:160:44 | options | unsafe-jquery-plugin.js:163:40:163:46 | options |
 | unsafe-jquery-plugin.js:160:38:160:44 | options | unsafe-jquery-plugin.js:165:16:165:22 | options |
 | unsafe-jquery-plugin.js:160:38:160:44 | options | unsafe-jquery-plugin.js:165:16:165:22 | options |
-| unsafe-jquery-plugin.js:161:17:161:23 | options | unsafe-jquery-plugin.js:161:17:161:30 | options.target |
-| unsafe-jquery-plugin.js:161:17:161:30 | options.target | unsafe-jquery-plugin.js:161:5:161:30 | anyPref ... .target |
-| unsafe-jquery-plugin.js:161:17:161:30 | options.target | unsafe-jquery-plugin.js:161:5:161:30 | anyPref ... .target |
-| unsafe-jquery-plugin.js:163:40:163:46 | options | unsafe-jquery-plugin.js:163:40:163:53 | options.target |
-| unsafe-jquery-plugin.js:163:40:163:53 | options.target | unsafe-jquery-plugin.js:163:5:163:54 | somethi ... target) |
-| unsafe-jquery-plugin.js:163:40:163:53 | options.target | unsafe-jquery-plugin.js:163:5:163:54 | somethi ... target) |
 | unsafe-jquery-plugin.js:165:7:165:29 | target | unsafe-jquery-plugin.js:170:6:170:11 | target |
 | unsafe-jquery-plugin.js:165:7:165:29 | target | unsafe-jquery-plugin.js:170:6:170:11 | target |
 | unsafe-jquery-plugin.js:165:16:165:22 | options | unsafe-jquery-plugin.js:165:16:165:29 | options.target |
@@ -268,6 +250,4 @@ edges
 | unsafe-jquery-plugin.js:155:33:155:38 | target | unsafe-jquery-plugin.js:153:38:153:44 | options | unsafe-jquery-plugin.js:155:33:155:38 | target | Potential XSS vulnerability in the $@. | unsafe-jquery-plugin.js:153:19:158:2 | functio ... gged\\n\\t} | '$.fn.my_plugin' plugin |
 | unsafe-jquery-plugin.js:156:41:156:54 | options.target | unsafe-jquery-plugin.js:153:38:153:44 | options | unsafe-jquery-plugin.js:156:41:156:54 | options.target | Potential XSS vulnerability in the $@. | unsafe-jquery-plugin.js:153:19:158:2 | functio ... gged\\n\\t} | '$.fn.my_plugin' plugin |
 | unsafe-jquery-plugin.js:157:44:157:59 | options.target.a | unsafe-jquery-plugin.js:153:38:153:44 | options | unsafe-jquery-plugin.js:157:44:157:59 | options.target.a | Potential XSS vulnerability in the $@. | unsafe-jquery-plugin.js:153:19:158:2 | functio ... gged\\n\\t} | '$.fn.my_plugin' plugin |
-| unsafe-jquery-plugin.js:161:5:161:30 | anyPref ... .target | unsafe-jquery-plugin.js:160:38:160:44 | options | unsafe-jquery-plugin.js:161:5:161:30 | anyPref ... .target | Potential XSS vulnerability in the $@. | unsafe-jquery-plugin.js:160:19:173:2 | functio ... \\t\\t}\\n\\n\\t} | '$.fn.my_plugin' plugin |
-| unsafe-jquery-plugin.js:163:5:163:54 | somethi ... target) | unsafe-jquery-plugin.js:160:38:160:44 | options | unsafe-jquery-plugin.js:163:5:163:54 | somethi ... target) | Potential XSS vulnerability in the $@. | unsafe-jquery-plugin.js:160:19:173:2 | functio ... \\t\\t}\\n\\n\\t} | '$.fn.my_plugin' plugin |
 | unsafe-jquery-plugin.js:170:6:170:11 | target | unsafe-jquery-plugin.js:160:38:160:44 | options | unsafe-jquery-plugin.js:170:6:170:11 | target | Potential XSS vulnerability in the $@. | unsafe-jquery-plugin.js:160:19:173:2 | functio ... \\t\\t}\\n\\n\\t} | '$.fn.my_plugin' plugin |
