@@ -284,12 +284,25 @@ module DOM {
284284 )
285285 }
286286
287+ module DomValueSource {
288+ /**
289+ * A data flow node that should be considered a source of DOM values.
290+ */
291+ abstract class Range extends DataFlow:: Node { }
292+
293+ private class DefaultRange extends Range {
294+ DefaultRange ( ) {
295+ this .asExpr ( ) .( VarAccess ) .getVariable ( ) instanceof DOMGlobalVariable or
296+ this = domValueRef ( ) .getAPropertyRead ( ) or
297+ this = domElementCreationOrQuery ( ) or
298+ this = domElementCollection ( )
299+ }
300+ }
301+ }
302+
287303 /** Gets a data flow node that refers directly to a value from the DOM. */
288304 DataFlow:: SourceNode domValueSource ( ) {
289- result .asExpr ( ) .( VarAccess ) .getVariable ( ) instanceof DOMGlobalVariable or
290- result = domValueRef ( ) .getAPropertyRead ( ) or
291- result = domElementCreationOrQuery ( ) or
292- result = domElementCollection ( )
305+ result instanceof DomValueSource:: Range
293306 }
294307
295308 /** Gets a data flow node that may refer to a value from the DOM. */
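Review bot: The QLDoc on `DomValueSource::Range` (lines 288–290) stops at the one-line description, while the `LocationSource::Range` and `DocumentSource::Range` docs added by the same commit also state `Can be subclassed to add additional such nodes.`; the `::Range` class exists precisely as that extension point, so add the same sentence here. It would also help readers to note in that doc that `DefaultRange` carries exactly the four disjuncts that `domValueSource()` had before the refactor (removed lines 289–292), so the predicate's result set is unchanged by this change.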
@@ -303,11 +316,34 @@ module DOM {
303316 /** Gets a data flow node that may refer to a value from the DOM. */
304317 DataFlow:: SourceNode domValueRef ( ) { result = domValueRef ( DataFlow:: TypeTracker:: end ( ) ) }
305318
319+ module LocationSource {
320+ /**
321+ * A data flow node that should be considered a source of the DOM `location` object.
322+ *
323+ * Can be subclassed to add additional such nodes.
324+ */
325+ abstract class Range extends DataFlow:: Node { }
326+
327+ private class DefaultRange extends Range {
328+ DefaultRange ( ) {
329+ exists ( string propName | this = documentRef ( ) .getAPropertyRead ( propName ) |
330+ propName = "documentURI" or
331+ propName = "documentURIObject" or
332+ propName = "location" or
333+ propName = "referrer" or
334+ propName = "URL"
335+ )
336+ or
337+ this = DOM:: domValueRef ( ) .getAPropertyRead ( "baseUri" )
338+ or
339+ this = DataFlow:: globalVarRef ( "location" )
340+ }
341+ }
342+ }
343+
306344 /** Gets a data flow node that directly refers to a DOM `location` object. */
307345 DataFlow:: SourceNode locationSource ( ) {
308- result = domValueRef ( ) .getAPropertyRead ( "location" )
309- or
310- result = DataFlow:: globalVarRef ( "location" )
346+ result instanceof LocationSource:: Range
311347 }
312348
313349 /** Gets a reference to a DOM `location` object. */
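Review bot: The property name in `this = DOM::domValueRef().getAPropertyRead("baseUri")` (line 337) does not match the DOM API, where the property is `Node.baseURI` with upper-case `URI`; JavaScript property reads are case-sensitive, so reads of `document.baseURI` — a value an injected `<base href>` can influence — would never be classified as a source, which is a silent false negative rather than an error. If the standard property is intended, the line should read `this = DOM::domValueRef().getAPropertyRead("baseURI")`, or match both spellings if the lower-case form was kept on purpose. Separately, the QLDoc on `Range` (lines 320–324) says "source of the DOM `location` object", but `DefaultRange` also admits string-valued document properties (`documentURI`, `referrer`, `URL`, the `baseURI` read); wording it as "a source of the DOM `location` object, or of a URL-valued document property" would stop callers of `locationRef()` from assuming every result supports `location`'s own properties. Finally, the hunk header places this in `module DOM`, so the qualified `DOM::domValueRef()` on line 337 next to the unqualified `documentRef()` on line 329 reads inconsistently; dropping the `DOM::` prefix would make the two uniform.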
@@ -321,12 +357,32 @@ module DOM {
321357 /** Gets a reference to a DOM `location` object. */
322358 DataFlow:: SourceNode locationRef ( ) { result = locationRef ( DataFlow:: TypeTracker:: end ( ) ) }
323359
360+ module DocumentSource {
361+ /**
362+ * A data flow node that should be considered a source of the `document` object.
363+ *
364+ * Can be subclassed to add additional such nodes.
365+ */
366+ abstract class Range extends DataFlow:: Node { }
367+
368+ private class DefaultRange extends Range {
369+ DefaultRange ( ) { this = DataFlow:: globalVarRef ( "document" ) }
370+ }
371+ }
372+
373+ /**
374+ * Gets a direct reference to the `document` object.
375+ */
376+ DataFlow:: SourceNode documentSource ( ) {
377+ result instanceof DocumentSource:: Range
378+ }
379+
324380 /**
325381 * Gets a reference to the `document` object.
326382 */
327383 private DataFlow:: SourceNode documentRef ( DataFlow:: TypeTracker t ) {
328384 t .start ( ) and
329- result = DataFlow :: globalVarRef ( "document" )
385+ result instanceof DocumentSource :: Range
330386 or
331387 exists ( DataFlow:: TypeTracker t2 | result = documentRef ( t2 ) .track ( t2 , t ) )
332388 }
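Review bot: `documentRef(t)` on line 385 restates `result instanceof DocumentSource::Range` instead of calling the new public `documentSource()` declared directly above it (lines 376–378), so the two definitions can drift apart if either is edited later; `result = documentSource()` keeps one definition and matches how `domValueSource()` and `locationSource()` wrap their `Range` classes in the earlier hunks. The QLDoc on `documentSource()` (lines 373–375) could also state that it is the `t.start()` seed for `documentRef()`, and the `DocumentSource::Range` doc should mention that adding a subclass extends `documentRef()` (and everything tracked from it) as well, since that is the visible consequence of line 385.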