JS: Recognise form input from NgForm

Author: asgerf

javascript/ql/lib/semmle/javascript/security/dataflow/XssThroughDomCustomizations.qll

@@ -211,6 +211,15 @@ module XssThroughDom {
         )
       }
     }
+
+    /**
+     * An object containing input values from an Angular form, accessed through an `NgForm` object.
+     */
+    class AngularFormSource extends Source {
+      AngularFormSource() {
+        this = API::Node::ofType("@angular/forms", "NgForm").getMember("value").asSource()
+      }
+    }
   }
 
   /**

javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/XssThroughDom.expected

@@ -5,6 +5,10 @@ nodes
 | angular.ts:16:24:16:35 | target.value |
 | angular.ts:16:24:16:35 | target.value |
 | angular.ts:16:24:16:35 | target.value |
+| angular.ts:20:24:20:33 | form.value |
+| angular.ts:20:24:20:33 | form.value |
+| angular.ts:20:24:20:37 | form.value.foo |
+| angular.ts:20:24:20:37 | form.value.foo |
 | forms.js:8:23:8:28 | values |
 | forms.js:8:23:8:28 | values |
 | forms.js:9:31:9:36 | values |
@@ -173,6 +177,10 @@ nodes
 edges
 | angular.ts:12:24:12:41 | event.target.value | angular.ts:12:24:12:41 | event.target.value |
 | angular.ts:16:24:16:35 | target.value | angular.ts:16:24:16:35 | target.value |
+| angular.ts:20:24:20:33 | form.value | angular.ts:20:24:20:37 | form.value.foo |
+| angular.ts:20:24:20:33 | form.value | angular.ts:20:24:20:37 | form.value.foo |
+| angular.ts:20:24:20:33 | form.value | angular.ts:20:24:20:37 | form.value.foo |
+| angular.ts:20:24:20:33 | form.value | angular.ts:20:24:20:37 | form.value.foo |
 | forms.js:8:23:8:28 | values | forms.js:9:31:9:36 | values |
 | forms.js:8:23:8:28 | values | forms.js:9:31:9:36 | values |
 | forms.js:9:31:9:36 | values | forms.js:9:31:9:40 | values.foo |
@@ -283,6 +291,7 @@ edges
 #select
 | angular.ts:12:24:12:41 | event.target.value | angular.ts:12:24:12:41 | event.target.value | angular.ts:12:24:12:41 | event.target.value | $@ is reinterpreted as HTML without escaping meta-characters. | angular.ts:12:24:12:41 | event.target.value | DOM text |
 | angular.ts:16:24:16:35 | target.value | angular.ts:16:24:16:35 | target.value | angular.ts:16:24:16:35 | target.value | $@ is reinterpreted as HTML without escaping meta-characters. | angular.ts:16:24:16:35 | target.value | DOM text |
+| angular.ts:20:24:20:37 | form.value.foo | angular.ts:20:24:20:33 | form.value | angular.ts:20:24:20:37 | form.value.foo | $@ is reinterpreted as HTML without escaping meta-characters. | angular.ts:20:24:20:33 | form.value | DOM text |
 | forms.js:9:31:9:40 | values.foo | forms.js:8:23:8:28 | values | forms.js:9:31:9:40 | values.foo | $@ is reinterpreted as HTML without escaping meta-characters. | forms.js:8:23:8:28 | values | DOM text |
 | forms.js:12:31:12:40 | values.bar | forms.js:11:24:11:29 | values | forms.js:12:31:12:40 | values.bar | $@ is reinterpreted as HTML without escaping meta-characters. | forms.js:11:24:11:29 | values | DOM text |
 | forms.js:25:23:25:34 | values.email | forms.js:24:15:24:20 | values | forms.js:25:23:25:34 | values.email | $@ is reinterpreted as HTML without escaping meta-characters. | forms.js:24:15:24:20 | values | DOM text |

javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/angular.ts

@@ -17,6 +17,6 @@ export class Foo {
     }
 
     blah(form: NgForm) {
-        document.write(form.value.foo); // NOT OK [INCONSISTENCY]
+        document.write(form.value.foo); // NOT OK
     }
 }