Merge pull request #2216 from asger-semmle/xss-encodeURIComponent

semmle-qlci · web-flow · commit a778efe71ecd · 2019-10-30T11:49:31.000Z
Approved by max-schaefer
diff --git a/javascript/ql/src/semmle/javascript/security/dataflow/Xss.qll b/javascript/ql/src/semmle/javascript/security/dataflow/Xss.qll
@@ -39,6 +39,18 @@ module Shared {
       )
     }
   }
+
+  /**
+   * A call to `encodeURI` or `encodeURIComponent`, viewed as a sanitizer for
+   * XSS vulnerabilities.
+   */
+  class UriEncodingSanitizer extends Sanitizer, DataFlow::CallNode {
+    UriEncodingSanitizer() {
+      exists(string name | this = DataFlow::globalVarRef(name).getACall() |
+        name = "encodeURI" or name = "encodeURIComponent"
+      )
+    }
+  }
 }
 
 /** Provides classes and predicates for the DOM-based XSS query. */
@@ -251,6 +263,8 @@ module DomBasedXss {
    * so any such replacement stops taint propagation.
    */
   private class MetacharEscapeSanitizer extends Sanitizer, Shared::MetacharEscapeSanitizer { }
+
+  private class UriEncodingSanitizer extends Sanitizer, Shared::UriEncodingSanitizer { }
 }
 
 /** Provides classes and predicates for the reflected XSS query. */
@@ -294,6 +308,8 @@ module ReflectedXss {
    * so any such replacement stops taint propagation.
    */
   private class MetacharEscapeSanitizer extends Sanitizer, Shared::MetacharEscapeSanitizer { }
+
+  private class UriEncodingSanitizer extends Sanitizer, Shared::UriEncodingSanitizer { }
 }
 
 /** Provides classes and predicates for the stored XSS query. */
@@ -320,4 +336,6 @@ module StoredXss {
    * so any such replacement stops taint propagation.
    */
   private class MetacharEscapeSanitizer extends Sanitizer, Shared::MetacharEscapeSanitizer { }
+
+  private class UriEncodingSanitizer extends Sanitizer, Shared::UriEncodingSanitizer { }
 }
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/encodeuri.js b/javascript/ql/test/query-tests/Security/CWE-079/encodeuri.js
@@ -0,0 +1,4 @@
+function test() {
+  let loc = window.location.href;
+  $('<a href="' + encodeURIComponent(loc) + '">click</a>'); // OK
+}

Original file line number	Diff line number	Diff line change
`@@ -39,6 +39,18 @@ module Shared {`
`39`	`39`	`)`
`40`	`40`	`}`
`41`	`41`	`}`
	`42`	`+`
	`43`	`+ /**`
	`44`	+ * A call to `encodeURI` or `encodeURIComponent`, viewed as a sanitizer for
	`45`	`+ * XSS vulnerabilities.`
	`46`	`+ */`
	`47`	`+ class UriEncodingSanitizer extends Sanitizer, DataFlow::CallNode {`
	`48`	`+ UriEncodingSanitizer() {`
	`49`	`+ exists(string name \| this = DataFlow::globalVarRef(name).getACall() \|`
	`50`	`+ name = "encodeURI" or name = "encodeURIComponent"`
	`51`	`+ )`
	`52`	`+ }`
	`53`	`+ }`
`42`	`54`	`}`
`43`	`55`
`44`	`56`	`/** Provides classes and predicates for the DOM-based XSS query. */`
`@@ -251,6 +263,8 @@ module DomBasedXss {`
`251`	`263`	`* so any such replacement stops taint propagation.`
`252`	`264`	`*/`
`253`	`265`	`private class MetacharEscapeSanitizer extends Sanitizer, Shared::MetacharEscapeSanitizer { }`
	`266`	`+`
	`267`	`+ private class UriEncodingSanitizer extends Sanitizer, Shared::UriEncodingSanitizer { }`
`254`	`268`	`}`
`255`	`269`
`256`	`270`	`/** Provides classes and predicates for the reflected XSS query. */`
`@@ -294,6 +308,8 @@ module ReflectedXss {`
`294`	`308`	`* so any such replacement stops taint propagation.`
`295`	`309`	`*/`
`296`	`310`	`private class MetacharEscapeSanitizer extends Sanitizer, Shared::MetacharEscapeSanitizer { }`
	`311`	`+`
	`312`	`+ private class UriEncodingSanitizer extends Sanitizer, Shared::UriEncodingSanitizer { }`
`297`	`313`	`}`
`298`	`314`
`299`	`315`	`/** Provides classes and predicates for the stored XSS query. */`
`@@ -320,4 +336,6 @@ module StoredXss {`
`320`	`336`	`* so any such replacement stops taint propagation.`
`321`	`337`	`*/`
`322`	`338`	`private class MetacharEscapeSanitizer extends Sanitizer, Shared::MetacharEscapeSanitizer { }`
	`339`	`+`
	`340`	`+ private class UriEncodingSanitizer extends Sanitizer, Shared::UriEncodingSanitizer { }`
`323`	`341`	`}`