-
Notifications
You must be signed in to change notification settings - Fork 282
Expand file tree
/
Copy path07_ReflectedXssWithSanitizer.ql
More file actions
95 lines (81 loc) · 3.03 KB
/
07_ReflectedXssWithSanitizer.ql
File metadata and controls
95 lines (81 loc) · 3.03 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
/**
* @name Reflected cross-site scripting vulnerability
* @kind path-problem
* @problem.severity warning
* @id js/reflected-xss
*/
import javascript
import semmle.javascript.security.dataflow.ReflectedXss::ReflectedXss
import DataFlow::PathGraph
/** Gets a data flow node that represents an instance of `swagger-node`. */
DataFlow::Node swaggerInstance() {
result = DataFlow::moduleImport("swagger-node-express")
or
result.getAPredecessor() = swaggerInstance()
or
result.(DataFlow::CallNode).getACallee().getAReturnedExpr() = swaggerInstance().asExpr()
or
result.(DataFlow::MethodCallNode).calls(swaggerInstance(), "createNew")
}
/** An Express route handler installed via `swagger-node`. */
class SwaggerRouteHandler extends Express::RouteHandler, DataFlow::FunctionNode {
SwaggerRouteHandler() {
exists(DataFlow::MethodCallNode addGet, DataFlow::ObjectLiteralNode resource |
addGet.calls(swaggerInstance(), "addGet") and
resource = addGet.getArgument(0).getALocalSource() and
this = resource.getAPropertySource("action")
)
}
override SimpleParameter getRouteHandlerParameter(string kind) {
kind = "request" and result = getParameter(0).getParameter()
or
kind = "response" and result = getParameter(1).getParameter()
}
override HTTP::HeaderDefinition getAResponseHeader(string name) { none() }
}
/** Holds if `name` may be an alias for the `send` method on `res`. */
predicate sendMethodName(HTTP::Servers::ResponseSource res, string name) {
name = "send"
or
exists (DataFlow::PropWrite pw |
res.flowsTo(pw.getBase()) and
pw.getPropertyName() = name and
sendMethodRef(pw.getRhs(), res)
)
}
/** Holds if `pr` may be an access to the `send` method on `res`. */
predicate sendMethodRef(DataFlow::PropRead pr, HTTP::Servers::ResponseSource res) {
res.flowsTo(pr.getBase()) and
sendMethodName(res, pr.getPropertyName())
}
/** Recognize potentially aliased calls to `send`. */
class PotentiallyAliasedResponseSendArgument extends HTTP::ResponseSendArgument {
HTTP::RouteHandler rh;
PotentiallyAliasedResponseSendArgument() {
exists (DataFlow::CallNode call, HTTP::Servers::ResponseSource res |
sendMethodRef(call.getCalleeNode(), res) and
rh = res.getRouteHandler() and
this = call.getArgument(0).asExpr()
)
}
override HTTP::RouteHandler getRouteHandler() {
result = rh
}
}
/** A call to `is-var-name`, considered as a sanitizer for untrusted user input. */
class IsVarNameSanitizer extends TaintTracking::AdditionalSanitizerGuardNode, DataFlow::CallNode {
IsVarNameSanitizer() {
this = DataFlow::moduleImport("is-var-name").getACall()
}
override predicate appliesTo(TaintTracking::Configuration cfg) {
any()
}
override predicate sanitizes(boolean outcome, Expr e) {
outcome = true and
e = getArgument(0).asExpr()
}
}
from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
where cfg.hasFlowPath(source, sink)
select sink.getNode(), source, sink, "Cross-site scripting vulnerability due to $@.",
source.getNode(), "user-provided value"