add xss-through-dom source from react-final-form

erik-krogh · erik-krogh · commit 458dda9d2571 · 2021-02-10T14:17:49.000+01:00
diff --git a/javascript/ql/src/semmle/javascript/security/dataflow/XssThroughDomCustomizations.qll b/javascript/ql/src/semmle/javascript/security/dataflow/XssThroughDomCustomizations.qll
@@ -136,5 +136,23 @@ module XssThroughDom {
         this = formik().getAMemberCall("useFormikContext").getAPropertyRead("values")
       }
     }
+
+    /**
+     * An object containing input values from a form build with `react-final-form`.
+     */
+    class ReactFinalFormSource extends Source {
+      ReactFinalFormSource() {
+        exists(JSXElement elem |
+          DataFlow::moduleMember("react-final-form", "Form").flowsToExpr(elem.getNameExpr())
+        |
+          this =
+            elem.getAttributeByName("onSubmit")
+                .getValue()
+                .flow()
+                .getAFunctionValue()
+                .getParameter(0)
+        )
+      }
+    }
   }
 }
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/XssThroughDom.expected b/javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/XssThroughDom.expected
@@ -25,6 +25,11 @@ nodes
 | forms.js:35:19:35:24 | values |
 | forms.js:35:19:35:30 | values.email |
 | forms.js:35:19:35:30 | values.email |
+| forms.js:44:21:44:26 | values |
+| forms.js:44:21:44:26 | values |
+| forms.js:45:21:45:26 | values |
+| forms.js:45:21:45:33 | values.stooge |
+| forms.js:45:21:45:33 | values.stooge |
 | xss-through-dom.js:2:16:2:34 | $("textarea").val() |
 | xss-through-dom.js:2:16:2:34 | $("textarea").val() |
 | xss-through-dom.js:2:16:2:34 | $("textarea").val() |
@@ -97,6 +102,10 @@ edges
 | forms.js:34:13:34:18 | values | forms.js:34:11:34:53 | values |
 | forms.js:35:19:35:24 | values | forms.js:35:19:35:30 | values.email |
 | forms.js:35:19:35:24 | values | forms.js:35:19:35:30 | values.email |
+| forms.js:44:21:44:26 | values | forms.js:45:21:45:26 | values |
+| forms.js:44:21:44:26 | values | forms.js:45:21:45:26 | values |
+| forms.js:45:21:45:26 | values | forms.js:45:21:45:33 | values.stooge |
+| forms.js:45:21:45:26 | values | forms.js:45:21:45:33 | values.stooge |
 | xss-through-dom.js:2:16:2:34 | $("textarea").val() | xss-through-dom.js:2:16:2:34 | $("textarea").val() |
 | xss-through-dom.js:4:16:4:40 | $(".som ... .text() | xss-through-dom.js:4:16:4:40 | $(".som ... .text() |
 | xss-through-dom.js:8:16:8:53 | $(".som ... arget") | xss-through-dom.js:8:16:8:53 | $(".som ... arget") |
@@ -122,6 +131,7 @@ edges
 | forms.js:25:23:25:34 | values.email | forms.js:24:15:24:20 | values | forms.js:25:23:25:34 | values.email | $@ is reinterpreted as HTML without escaping meta-characters. | forms.js:24:15:24:20 | values | DOM text |
 | forms.js:29:23:29:34 | values.email | forms.js:28:20:28:25 | values | forms.js:29:23:29:34 | values.email | $@ is reinterpreted as HTML without escaping meta-characters. | forms.js:28:20:28:25 | values | DOM text |
 | forms.js:35:19:35:30 | values.email | forms.js:34:13:34:18 | values | forms.js:35:19:35:30 | values.email | $@ is reinterpreted as HTML without escaping meta-characters. | forms.js:34:13:34:18 | values | DOM text |
+| forms.js:45:21:45:33 | values.stooge | forms.js:44:21:44:26 | values | forms.js:45:21:45:33 | values.stooge | $@ is reinterpreted as HTML without escaping meta-characters. | forms.js:44:21:44:26 | values | DOM text |
 | xss-through-dom.js:2:16:2:34 | $("textarea").val() | xss-through-dom.js:2:16:2:34 | $("textarea").val() | xss-through-dom.js:2:16:2:34 | $("textarea").val() | $@ is reinterpreted as HTML without escaping meta-characters. | xss-through-dom.js:2:16:2:34 | $("textarea").val() | DOM text |
 | xss-through-dom.js:4:16:4:40 | $(".som ... .text() | xss-through-dom.js:4:16:4:40 | $(".som ... .text() | xss-through-dom.js:4:16:4:40 | $(".som ... .text() | $@ is reinterpreted as HTML without escaping meta-characters. | xss-through-dom.js:4:16:4:40 | $(".som ... .text() | DOM text |
 | xss-through-dom.js:8:16:8:53 | $(".som ... arget") | xss-through-dom.js:8:16:8:53 | $(".som ... arget") | xss-through-dom.js:8:16:8:53 | $(".som ... arget") | $@ is reinterpreted as HTML without escaping meta-characters. | xss-through-dom.js:8:16:8:53 | $(".som ... arget") | DOM text |
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/forms.js b/javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/forms.js
@@ -37,3 +37,18 @@ const FormikEnhanced = withFormik({
     $("#id").html(submitForm.email); // OK 
 })
 
+import { Form } from 'react-final-form'
+
+const App = () => (
+  <Form
+    onSubmit={async values => {
+      $("#id").html(values.stooge); // NOT OK
+    }}
+    initialValues={{ stooge: 'larry', employed: false }}
+    render={({ handleSubmit, form, submitting, pristine, values }) => (
+      <form onSubmit={handleSubmit}>
+        <input type="text" name="stooge"></input>
+      </form>
+    )}
+  />
+)

Original file line number	Diff line number	Diff line change
`@@ -136,5 +136,23 @@ module XssThroughDom {`
`136`	`136`	`this = formik().getAMemberCall("useFormikContext").getAPropertyRead("values")`
`137`	`137`	`}`
`138`	`138`	`}`
	`139`	`+`
	`140`	`+ /**`
	`141`	+ * An object containing input values from a form build with `react-final-form`.
	`142`	`+ */`
	`143`	`+ class ReactFinalFormSource extends Source {`
	`144`	`+ ReactFinalFormSource() {`
	`145`	`+ exists(JSXElement elem \|`
	`146`	`+ DataFlow::moduleMember("react-final-form", "Form").flowsToExpr(elem.getNameExpr())`
	`147`	`+ \|`
	`148`	`+ this =`
	`149`	`+ elem.getAttributeByName("onSubmit")`
	`150`	`+ .getValue()`
	`151`	`+ .flow()`
	`152`	`+ .getAFunctionValue()`
	`153`	`+ .getParameter(0)`
	`154`	`+ )`
	`155`	`+ }`
	`156`	`+ }`
`139`	`157`	`}`
`140`	`158`	`}`