Thanks to visit codestin.com
Credit goes to github.com

Skip to content

Commit bd5452f

Browse files
asgerfasgerf
committed
JS: Move VHtmlSourceWrite step into Vue library (as its a shared step)
1 parent 2dcb708 commit bd5452f

2 files changed

Lines changed: 44 additions & 39 deletions

File tree

  • javascript/ql/src/semmle/javascript

javascript/ql/src/semmle/javascript/frameworks/Vue.qll

Lines changed: 43 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -501,6 +501,49 @@ module Vue {
501501
}
502502
}
503503

504+
/**
505+
* A Vue `v-html` attribute.
506+
*/
507+
class VHtmlAttribute extends DataFlow::Node {
508+
HTML::Attribute attr;
509+
510+
VHtmlAttribute() {
511+
this.(DataFlow::HtmlAttributeNode).getAttribute() = attr and attr.getName() = "v-html"
512+
}
513+
514+
/**
515+
* Gets the HTML attribute of this sink.
516+
*/
517+
HTML::Attribute getAttr() { result = attr }
518+
}
519+
520+
/**
521+
* A taint propagating data flow edge through a string interpolation of a
522+
* Vue instance property to a `v-html` attribute.
523+
*
524+
* As an example, `<div v-html="prop"/>` reads the `prop` property
525+
* of `inst = new Vue({ ..., data: { prop: source } })`, if the
526+
* `div` element is part of the template for `inst`.
527+
*/
528+
class VHtmlSourceWrite extends TaintTracking::AdditionalTaintStep {
529+
VHtmlAttribute attr;
530+
531+
VHtmlSourceWrite() {
532+
exists(Vue::Instance instance, string expr |
533+
attr.getAttr().getRoot() =
534+
instance.getTemplateElement().(Vue::Template::HtmlElement).getElement() and
535+
expr = attr.getAttr().getValue() and
536+
// only support for simple identifier expressions
537+
expr.regexpMatch("(?i)[a-z0-9_]+") and
538+
this = instance.getAPropertyValue(expr)
539+
)
540+
}
541+
542+
override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
543+
pred = this and succ = attr
544+
}
545+
}
546+
504547
/*
505548
* Provides classes for working with Vue templates.
506549
*/

javascript/ql/src/semmle/javascript/security/dataflow/Xss.qll

Lines changed: 1 addition & 39 deletions
Original file line numberDiff line numberDiff line change
@@ -338,45 +338,7 @@ module DomBasedXss {
338338
/**
339339
* A Vue `v-html` attribute, viewed as an XSS sink.
340340
*/
341-
class VHtmlSink extends DomBasedXss::Sink {
342-
HTML::Attribute attr;
343-
344-
VHtmlSink() {
345-
this.(DataFlow::HtmlAttributeNode).getAttribute() = attr and attr.getName() = "v-html"
346-
}
347-
348-
/**
349-
* Gets the HTML attribute of this sink.
350-
*/
351-
HTML::Attribute getAttr() { result = attr }
352-
}
353-
354-
/**
355-
* A taint propagating data flow edge through a string interpolation of a
356-
* Vue instance property to a `v-html` attribute.
357-
*
358-
* As an example, `<div v-html="prop"/>` reads the `prop` property
359-
* of `inst = new Vue({ ..., data: { prop: source } })`, if the
360-
* `div` element is part of the template for `inst`.
361-
*/
362-
class VHtmlSourceWrite extends TaintTracking::AdditionalTaintStep {
363-
VHtmlSink attr;
364-
365-
VHtmlSourceWrite() {
366-
exists(Vue::Instance instance, string expr |
367-
attr.getAttr().getRoot() =
368-
instance.getTemplateElement().(Vue::Template::HtmlElement).getElement() and
369-
expr = attr.getAttr().getValue() and
370-
// only support for simple identifier expressions
371-
expr.regexpMatch("(?i)[a-z0-9_]+") and
372-
this = instance.getAPropertyValue(expr)
373-
)
374-
}
375-
376-
override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
377-
pred = this and succ = attr
378-
}
379-
}
341+
class VHtmlSink extends Vue::VHtmlAttribute, DomBasedXss::Sink {}
380342

381343
/**
382344
* A property read from a safe property is considered a sanitizer.

0 commit comments

Comments
 (0)