@@ -11,7 +11,44 @@ private import semmle.javascript.security.dataflow.UnsafeJQueryPluginCustomizati
1111/**
1212 * A taint-tracking configuration for reasoning about XSS through the DOM.
1313 */
14- class Configuration extends TaintTracking:: Configuration {
14+ module XssThroughDomConfig implements DataFlow:: ConfigSig {
15+ // NOTE: Gained FP in Lucifier due to spurious source but with more data flow (I think).
16+ // TODO: Seen unexplained FP in meteor, likely due to spurious flow into a callback coming from another call site
17+ predicate isSource ( DataFlow:: Node source ) { source instanceof Source }
18+
19+ predicate isSink ( DataFlow:: Node sink ) { sink instanceof DomBasedXss:: Sink }
20+
21+ predicate isBarrier ( DataFlow:: Node node ) {
22+ node instanceof DomBasedXss:: Sanitizer or
23+ DomBasedXss:: isOptionallySanitizedNode ( node ) or
24+ node = DataFlow:: MakeBarrierGuard< BarrierGuard > :: getABarrierNode ( ) or
25+ node = DataFlow:: MakeBarrierGuard< UnsafeJQuery:: BarrierGuard > :: getABarrierNode ( )
26+ }
27+
28+ predicate isAdditionalFlowStep ( DataFlow:: Node pred , DataFlow:: Node succ ) {
29+ succ = DataFlow:: globalVarRef ( "URL" ) .getAMemberCall ( "createObjectURL" ) and
30+ pred = succ .( DataFlow:: InvokeNode ) .getArgument ( 0 )
31+ }
32+ }
33+
34+ /**
35+ * Taint-tracking configuration for reasoning about XSS through the DOM.
36+ */
37+ module XssThroughDomFlow = TaintTracking:: Global< XssThroughDomConfig > ;
38+
39+ /**
40+ * Holds if the `source,sink` pair should not be reported.
41+ */
42+ bindingset [ source, sink]
43+ predicate isIgnoredSourceSinkPair ( Source source , DomBasedXss:: Sink sink ) {
44+ source .( DomPropertySource ) .getPropertyName ( ) = "src" and
45+ sink instanceof DomBasedXss:: WriteUrlSink
46+ }
47+
48+ /**
49+ * DEPRECATED. Use the `XssThroughDomFlow` module instead.
50+ */
51+ deprecated class Configuration extends TaintTracking:: Configuration {
1552 Configuration ( ) { this = "XssThroughDOM" }
1653
1754 override predicate isSource ( DataFlow:: Node source ) { source instanceof Source }
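Review bot: The two comments at the top of `XssThroughDomConfig` (the `NOTE` about a false positive in Lucifier "(I think)" and the `TODO` about an unexplained one in meteor) are working notes with an admitted unconfirmed explanation, and they land in the library module that every consumer of this query reads. Either drop them before merging or replace them with one sentence that records the known imprecision and where it is tracked, e.g. `// Known imprecision: spurious flow into a callback from another call site can produce false positives; tracked in <ISSUE-ID placeholder>.` Separately, `isIgnoredSourceSinkPair` is introduced here but nothing in this hunk references it, and `XssThroughDomConfig` does not apply it, so presumably the query file is expected to filter results with it; if so, its doc comment should say that (`/** Holds if the `source,sink` pair should not be reported; applied by the query, not by `XssThroughDomConfig`. */`) so readers do not assume the configuration alone suppresses `src`-to-URL-sink pairs. The deprecated `Configuration` class whose header is added at the end of this hunk continues outside it.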
@@ -49,36 +86,33 @@ class Configuration extends TaintTracking::Configuration {
4986}
5087
5188/** A test for the value of `typeof x`, restricting the potential types of `x`. */
52- class TypeTestGuard extends TaintTracking :: SanitizerGuardNode , DataFlow:: ValueNode {
89+ class TypeTestGuard extends BarrierGuardLegacy , DataFlow:: ValueNode {
5390 override EqualityTest astNode ;
5491 Expr operand ;
5592 boolean polarity ;
5693
5794 TypeTestGuard ( ) { TaintTracking:: isStringTypeGuard ( astNode , operand , polarity ) }
5895
59- override predicate sanitizes ( boolean outcome , Expr e ) {
96+ override predicate blocksExpr ( boolean outcome , Expr e ) {
6097 polarity = outcome and
6198 e = operand
6299 }
63100}
64101
65102private import semmle.javascript.security.dataflow.Xss:: Shared as Shared
66103
67- private class PrefixStringSanitizer extends TaintTracking:: SanitizerGuardNode ,
68- DomBasedXss:: PrefixStringSanitizer
69- {
104+ private class PrefixStringSanitizer extends DomBasedXss:: PrefixStringSanitizer {
70105 PrefixStringSanitizer ( ) { this = this }
71106}
72107
73108private class PrefixString extends DataFlow:: FlowLabel , DomBasedXss:: PrefixString {
74109 PrefixString ( ) { this = this }
75110}
76111
77- private class QuoteGuard extends TaintTracking :: SanitizerGuardNode , Shared:: QuoteGuard {
112+ private class QuoteGuard extends Shared:: QuoteGuard {
78113 QuoteGuard ( ) { this = this }
79114}
80115
81- private class ContainsHtmlGuard extends TaintTracking:: SanitizerGuardNode , Shared:: ContainsHtmlGuard
82- {
116+ private class ContainsHtmlGuard extends Shared:: ContainsHtmlGuard {
83117 ContainsHtmlGuard ( ) { this = this }
84118}