

Commit 46b90e5

committed
JS: Port ReflectedXss
1 parent e091fde commit 46b90e5

3 files changed

Lines changed: 246 additions & 369 deletions


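--- a/javascript/ql/lib/semmle/javascript/security/dataflow/ReflectedXssQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/ReflectedXssQuery.qll
@@ -5,12 +5,30 @@
 
 import javascript
 import ReflectedXssCustomizations::ReflectedXss
-private import Xss::Shared as Shared
+private import Xss::Shared as SharedXss
 
 /**
- * A taint-tracking configuration for reasoning about XSS.
+ * A taint-tracking configuration for reasoning about reflected XSS.
  */
-class Configuration extends TaintTracking::Configuration {
+module ReflectedXssConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof Source }
+
+  predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
+
+  predicate isBarrier(DataFlow::Node node) {
+    node instanceof Sanitizer or node = SharedXss::BarrierGuard::getABarrierNode()
+  }
+}
+
+/**
+ * Taint-tracking for reasoning about reflected XSS.
+ */
+module ReflectedXssFlow = TaintTracking::Global<ReflectedXssConfig>;
+
+/**
+ * DEPRECATED. Use the `ReflectedXssFlow` module instead.
+ */
+deprecated class Configuration extends TaintTracking::Configuration {
   Configuration() { this = "ReflectedXss" }
 
   override predicate isSource(DataFlow::Node source) { source instanceof Source }
@@ -28,11 +46,10 @@ class Configuration extends TaintTracking::Configuration {
   }
 }
 
-private class QuoteGuard extends TaintTracking::SanitizerGuardNode, Shared::QuoteGuard {
+private class QuoteGuard extends SharedXss::QuoteGuard {
   QuoteGuard() { this = this }
 }
 
-private class ContainsHtmlGuard extends TaintTracking::SanitizerGuardNode, Shared::ContainsHtmlGuard
-{
+private class ContainsHtmlGuard extends SharedXss::ContainsHtmlGuard {
   ContainsHtmlGuard() { this = this }
 }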
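Review bot: The private `QuoteGuard` and `ContainsHtmlGuard` classes in the second hunk no longer extend `TaintTracking::SanitizerGuardNode`, so the only way they can still act as barriers is through `SharedXss::BarrierGuard::getABarrierNode()` in the new `isBarrier`; whether that module actually collects instances of `SharedXss::QuoteGuard`/`SharedXss::ContainsHtmlGuard` is not visible here and is worth confirming. If the deprecated `Configuration` still overrides `isSanitizerGuard` over `TaintTracking::SanitizerGuardNode` in the unchanged lines between the two hunks, that legacy path presumably loses quote/contains-HTML barrier recognition, which is acceptable for a deprecated class but should be stated in its QLDoc. The `this = this` characteristic predicates deserve a one-line comment, e.g. `/** Instantiates the shared quote-based barrier guard for this query. */`, since the idiom is not self-explanatory. The `ReflectedXssConfig` predicates could also carry short QLDoc, matching the documented module around them.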

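--- a/javascript/ql/src/Security/CWE-079/ReflectedXss.ql
+++ b/javascript/ql/src/Security/CWE-079/ReflectedXss.ql
@@ -14,9 +14,9 @@
 
 import javascript
 import semmle.javascript.security.dataflow.ReflectedXssQuery
-import DataFlow::PathGraph
+import ReflectedXssFlow::PathGraph
 
-from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
-where cfg.hasFlowPath(source, sink)
+from ReflectedXssFlow::PathNode source, ReflectedXssFlow::PathNode sink
+where ReflectedXssFlow::flowPath(source, sink)
 select sink.getNode(), source, sink, "Cross-site scripting vulnerability due to a $@.",
   source.getNode(), "user-provided value"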
