JS: include referer header as reflected XSS source

asger-semmle · asger-semmle · commit c2a5f99d9caf · 2018-10-04T10:53:10.000+01:00
diff --git a/javascript/ql/src/semmle/javascript/frameworks/HTTP.qll b/javascript/ql/src/semmle/javascript/frameworks/HTTP.qll
@@ -412,6 +412,9 @@ module HTTP {
      *
      * In these cases, the request is technically sent from the user's browser, but
      * the user is not in direct control of the URL or POST body.
+     *
+     * Headers are never considered third-party controllable by this predicate, although the
+     * third party does have some control over the the Referer and Origin headers.
      */
     predicate isThirdPartyControllable() {
       exists (string kind | kind = getKind() |
diff --git a/javascript/ql/src/semmle/javascript/security/dataflow/ReflectedXss.qll b/javascript/ql/src/semmle/javascript/security/dataflow/ReflectedXss.qll
@@ -47,6 +47,8 @@ module ReflectedXss {
   class ThirdPartyRequestInputAccessAsSource extends Source {
     ThirdPartyRequestInputAccessAsSource() {
       this.(HTTP::RequestInputAccess).isThirdPartyControllable()
+      or
+      this.(HTTP::RequestHeaderAccess).getAHeaderName() = "referer"
     }
   }
 

Original file line number	Diff line number	Diff line change
`@@ -47,6 +47,8 @@ module ReflectedXss {`
`47`	`47`	`class ThirdPartyRequestInputAccessAsSource extends Source {`
`48`	`48`	`ThirdPartyRequestInputAccessAsSource() {`
`49`	`49`	`this.(HTTP::RequestInputAccess).isThirdPartyControllable()`
	`50`	`+ or`
	`51`	`+ this.(HTTP::RequestHeaderAccess).getAHeaderName() = "referer"`
`50`	`52`	`}`
`51`	`53`	`}`
`52`	`54`