use isLikelyIntentionalHtmlSink in the sink instead of in the where clause

erik-krogh · erik-krogh · commit 6fccf5aa7013 · 2020-09-04T09:26:03.000+02:00
diff --git a/javascript/ql/src/Security/CWE-079/UnsafeJQueryPlugin.ql b/javascript/ql/src/Security/CWE-079/UnsafeJQueryPlugin.ql
@@ -20,7 +20,6 @@ from
   JQuery::JQueryPluginMethod plugin
 where
   cfg.hasFlowPath(source, sink) and
-  source.getNode().(Source).getPlugin() = plugin and
-  not isLikelyIntentionalHtmlSink(plugin, sink.getNode())
+  source.getNode().(Source).getPlugin() = plugin
 select sink.getNode(), source, sink, "Potential XSS vulnerability in the $@.", plugin,
   "'$.fn." + plugin.getPluginName() + "' plugin"
diff --git a/javascript/ql/src/semmle/javascript/security/dataflow/UnsafeJQueryPluginCustomizations.qll b/javascript/ql/src/semmle/javascript/security/dataflow/UnsafeJQueryPluginCustomizations.qll
@@ -171,7 +171,9 @@ module UnsafeJQueryPlugin {
    * An argument that may act as a HTML fragment rather than a CSS selector, as a sink for remote unsafe jQuery plugins.
    */
   class AmbiguousHtmlOrSelectorArgumentAsSink extends Sink {
-    AmbiguousHtmlOrSelectorArgumentAsSink() { this instanceof AmbiguousHtmlOrSelectorArgument }
+    AmbiguousHtmlOrSelectorArgumentAsSink() {
+      this instanceof AmbiguousHtmlOrSelectorArgument and not isLikelyIntentionalHtmlSink(_, this)
+    }
   }
 
   /**
@@ -186,7 +188,7 @@ module UnsafeJQueryPlugin {
   /**
    * Holds if `plugin` likely expects `sink` to be treated as a HTML fragment.
    */
-  predicate isLikelyIntentionalHtmlSink(JQuery::JQueryPluginMethod plugin, Sink sink) {
+  predicate isLikelyIntentionalHtmlSink(JQuery::JQueryPluginMethod plugin, DataFlow::Node sink) {
     exists(DataFlow::PropWrite defaultDef, string default, DataFlow::PropRead finalRead |
       hasDefaultOption(plugin, defaultDef) and
       defaultDef.getPropertyName() = finalRead.getPropertyName() and
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/unsafe-jquery-plugin.js b/javascript/ql/test/query-tests/Security/CWE-079/unsafe-jquery-plugin.js
@@ -103,7 +103,7 @@
 			menu: '<div></div>',
 			target: '.my_plugin'
 		}, options);
-		$(options.menu); // OK - but is flagged [INCONSISTENCY]
+		$(options.menu); // OK
 		$(options.target); // NOT OK
 	};
 
@@ -113,7 +113,7 @@
 	};
 	$.fn.my_plugin = function my_plugin(options) {
 		options = $.extend({}, $.fn.my_plugin.defaults, options);
-		$(options.menu); // OK - but is flagged [INCONSISTENCY]
+		$(options.menu); // OK
 		$(options.target); // NOT OK
 	};
 
