Add support for unescape in taint tracking.

Napalys · Napalys · commit 3c09df07a48e · 2025-03-13T13:32:47.000+01:00
diff --git a/javascript/ql/lib/semmle/javascript/dataflow/TaintTracking.qll b/javascript/ql/lib/semmle/javascript/dataflow/TaintTracking.qll
@@ -494,7 +494,7 @@ module TaintTracking {
           succ = c and
           c =
             DataFlow::globalVarRef([
-                "encodeURI", "decodeURI", "encodeURIComponent", "decodeURIComponent"
+                "encodeURI", "decodeURI", "encodeURIComponent", "decodeURIComponent", "unescape"
               ]).getACall() and
           pred = c.getArgument(0)
         )
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/Xss.expected b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/Xss.expected
@@ -223,6 +223,7 @@
 | tst.js:477:18:477:40 | locatio ... bstr(1) | tst.js:477:18:477:30 | location.hash | tst.js:477:18:477:40 | locatio ... bstr(1) | Cross-site scripting vulnerability due to $@. | tst.js:477:18:477:30 | location.hash | user-provided value |
 | tst.js:484:33:484:63 | decodeU ... n.hash) | tst.js:484:43:484:62 | window.location.hash | tst.js:484:33:484:63 | decodeU ... n.hash) | Cross-site scripting vulnerability due to $@. | tst.js:484:43:484:62 | window.location.hash | user-provided value |
 | tst.js:492:18:492:54 | target. ... "), '') | tst.js:491:16:491:39 | documen ... .search | tst.js:492:18:492:54 | target. ... "), '') | Cross-site scripting vulnerability due to $@. | tst.js:491:16:491:39 | documen ... .search | user-provided value |
+| tst.js:501:33:501:62 | unescap ... n.hash) | tst.js:501:42:501:61 | window.location.hash | tst.js:501:33:501:62 | unescap ... n.hash) | Cross-site scripting vulnerability due to $@. | tst.js:501:42:501:61 | window.location.hash | user-provided value |
 | typeahead.js:25:18:25:20 | val | typeahead.js:20:22:20:45 | documen ... .search | typeahead.js:25:18:25:20 | val | Cross-site scripting vulnerability due to $@. | typeahead.js:20:22:20:45 | documen ... .search | user-provided value |
 | v-html.vue:2:8:2:23 | v-html=tainted | v-html.vue:6:42:6:58 | document.location | v-html.vue:2:8:2:23 | v-html=tainted | Cross-site scripting vulnerability due to $@. | v-html.vue:6:42:6:58 | document.location | user-provided value |
 | various-concat-obfuscations.js:4:4:4:31 | "<div>" ... </div>" | various-concat-obfuscations.js:2:16:2:39 | documen ... .search | various-concat-obfuscations.js:4:4:4:31 | "<div>" ... </div>" | Cross-site scripting vulnerability due to $@. | various-concat-obfuscations.js:2:16:2:39 | documen ... .search | user-provided value |
@@ -745,6 +746,7 @@ edges
 | tst.js:491:7:491:39 | target | tst.js:492:18:492:23 | target | provenance |  |
 | tst.js:491:16:491:39 | documen ... .search | tst.js:491:7:491:39 | target | provenance |  |
 | tst.js:492:18:492:23 | target | tst.js:492:18:492:54 | target. ... "), '') | provenance |  |
+| tst.js:501:42:501:61 | window.location.hash | tst.js:501:33:501:62 | unescap ... n.hash) | provenance |  |
 | typeahead.js:20:13:20:45 | target | typeahead.js:21:12:21:17 | target | provenance |  |
 | typeahead.js:20:22:20:45 | documen ... .search | typeahead.js:20:13:20:45 | target | provenance |  |
 | typeahead.js:21:12:21:17 | target | typeahead.js:24:30:24:32 | val | provenance |  |
@@ -1397,6 +1399,8 @@ nodes
 | tst.js:491:16:491:39 | documen ... .search | semmle.label | documen ... .search |
 | tst.js:492:18:492:23 | target | semmle.label | target |
 | tst.js:492:18:492:54 | target. ... "), '') | semmle.label | target. ... "), '') |
+| tst.js:501:33:501:62 | unescap ... n.hash) | semmle.label | unescap ... n.hash) |
+| tst.js:501:42:501:61 | window.location.hash | semmle.label | window.location.hash |
 | typeahead.js:20:13:20:45 | target | semmle.label | target |
 | typeahead.js:20:22:20:45 | documen ... .search | semmle.label | documen ... .search |
 | typeahead.js:21:12:21:17 | target | semmle.label | target |
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/XssWithAdditionalSources.expected b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/XssWithAdditionalSources.expected
@@ -607,6 +607,8 @@ nodes
 | tst.js:491:16:491:39 | documen ... .search | semmle.label | documen ... .search |
 | tst.js:492:18:492:23 | target | semmle.label | target |
 | tst.js:492:18:492:54 | target. ... "), '') | semmle.label | target. ... "), '') |
+| tst.js:501:33:501:62 | unescap ... n.hash) | semmle.label | unescap ... n.hash) |
+| tst.js:501:42:501:61 | window.location.hash | semmle.label | window.location.hash |
 | typeahead.js:9:28:9:30 | loc | semmle.label | loc |
 | typeahead.js:10:16:10:18 | loc | semmle.label | loc |
 | typeahead.js:20:13:20:45 | target | semmle.label | target |
@@ -1186,6 +1188,7 @@ edges
 | tst.js:491:7:491:39 | target | tst.js:492:18:492:23 | target | provenance |  |
 | tst.js:491:16:491:39 | documen ... .search | tst.js:491:7:491:39 | target | provenance |  |
 | tst.js:492:18:492:23 | target | tst.js:492:18:492:54 | target. ... "), '') | provenance |  |
+| tst.js:501:42:501:61 | window.location.hash | tst.js:501:33:501:62 | unescap ... n.hash) | provenance |  |
 | typeahead.js:9:28:9:30 | loc | typeahead.js:10:16:10:18 | loc | provenance |  |
 | typeahead.js:20:13:20:45 | target | typeahead.js:21:12:21:17 | target | provenance |  |
 | typeahead.js:20:22:20:45 | documen ... .search | typeahead.js:20:13:20:45 | target | provenance |  |
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/tst.js b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/tst.js
@@ -498,7 +498,7 @@ function FooBar() {
   this.foo = document;
   var obj = {
     bar: function() {
-      this.foo.body.innerHTML = unescape(window.location.hash); // $ MISSING: Alert
+      this.foo.body.innerHTML = unescape(window.location.hash); // $ Alert
     }
   };
   Object.assign(this, obj);

Original file line number	Diff line number	Diff line change
`@@ -494,7 +494,7 @@ module TaintTracking {`
`494`	`494`	`succ = c and`
`495`	`495`	`c =`
`496`	`496`	`DataFlow::globalVarRef([`
`497`		`- "encodeURI", "decodeURI", "encodeURIComponent", "decodeURIComponent"`
	`497`	`+ "encodeURI", "decodeURI", "encodeURIComponent", "decodeURIComponent", "unescape"`
`498`	`498`	`]).getACall() and`
`499`	`499`	`pred = c.getArgument(0)`
`500`	`500`	`)`
Original file line number	Diff line number	Diff line change
`@@ -498,7 +498,7 @@ function FooBar() {`
`498`	`498`	`this.foo = document;`
`499`	`499`	`var obj = {`
`500`	`500`	`bar: function() {`
`501`		`- this.foo.body.innerHTML = unescape(window.location.hash); // $ MISSING: Alert`
	`501`	`+ this.foo.body.innerHTML = unescape(window.location.hash); // $ Alert`
`502`	`502`	`}`
`503`	`503`	`};`
`504`	`504`	`Object.assign(this, obj);`