JS: Port ExceptionXss

asgerf · asgerf · commit d7b4e0c206c7 · 2023-10-13T13:15:03.000+02:00
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/ExceptionXssQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/ExceptionXssQuery.qll
@@ -126,10 +126,41 @@ private DataFlow::Node getExceptionTarget(DataFlow::Node pred) {
 
 /**
  * A taint-tracking configuration for reasoning about XSS with possible exceptional flow.
- * Flow labels are used to ensure that we only report taint-flow that has been thrown in
+ * Flow states are used to ensure that we only report taint-flow that has been thrown in
  * an exception.
  */
-class Configuration extends TaintTracking::Configuration {
+module ExceptionXssConfig implements DataFlow::StateConfigSig {
+  class FlowState = DataFlow::FlowLabel;
+
+  predicate isSource(DataFlow::Node source, DataFlow::FlowLabel label) {
+    source.(Source).getAFlowLabel() = label
+  }
+
+  predicate isSink(DataFlow::Node sink, DataFlow::FlowLabel label) {
+    sink instanceof XssShared::Sink and not label instanceof NotYetThrown
+  }
+
+  predicate isBarrier(DataFlow::Node node) { node instanceof XssShared::Sanitizer }
+
+  predicate isAdditionalFlowStep(
+    DataFlow::Node pred, DataFlow::FlowLabel inlbl, DataFlow::Node succ, DataFlow::FlowLabel outlbl
+  ) {
+    inlbl instanceof NotYetThrown and
+    (outlbl.isTaint() or outlbl instanceof NotYetThrown) and
+    canThrowSensitiveInformation(pred) and
+    succ = getExceptionTarget(pred)
+  }
+}
+
+/**
+ * Taint-tracking for reasoning about XSS with possible exceptional flow.
+ */
+module ExceptionXssFlow = TaintTracking::GlobalWithState<ExceptionXssConfig>;
+
+/**
+ * DEPRECATED. Use the `ExceptionXssFlow` module instead.
+ */
+deprecated class Configuration extends TaintTracking::Configuration {
   Configuration() { this = "ExceptionXss" }
 
   override predicate isSource(DataFlow::Node source, DataFlow::FlowLabel label) {
@@ -145,12 +176,10 @@ class Configuration extends TaintTracking::Configuration {
   override predicate isAdditionalFlowStep(
     DataFlow::Node pred, DataFlow::Node succ, DataFlow::FlowLabel inlbl, DataFlow::FlowLabel outlbl
   ) {
-    inlbl instanceof NotYetThrown and
-    (outlbl.isTaint() or outlbl instanceof NotYetThrown) and
-    canThrowSensitiveInformation(pred) and
-    succ = getExceptionTarget(pred)
+    ExceptionXssConfig::isAdditionalFlowStep(pred, inlbl, succ, outlbl)
     or
     // All the usual taint-flow steps apply on data-flow before it has been thrown in an exception.
+    // Note: this step is not needed in StateConfigSig module since flow states inherit taint steps.
     this.isAdditionalFlowStep(pred, succ) and
     inlbl instanceof NotYetThrown and
     outlbl instanceof NotYetThrown
diff --git a/javascript/ql/src/Security/CWE-079/ExceptionXss.ql b/javascript/ql/src/Security/CWE-079/ExceptionXss.ql
@@ -14,10 +14,10 @@
 
 import javascript
 import semmle.javascript.security.dataflow.ExceptionXssQuery
-import DataFlow::PathGraph
+import DataFlow::DeduplicatePathGraph<ExceptionXssFlow::PathNode, ExceptionXssFlow::PathGraph>
 
-from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
-where cfg.hasFlowPath(source, sink)
+from PathNode source, PathNode sink
+where ExceptionXssFlow::flowPath(source.getAnOriginalPathNode(), sink.getAnOriginalPathNode())
 select sink.getNode(), source, sink,
   "$@ is reinterpreted as HTML without escaping meta-characters.", source.getNode(),
   source.getNode().(Source).getDescription()
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/ExceptionXss/ExceptionXss.expected b/javascript/ql/test/query-tests/Security/CWE-079/ExceptionXss/ExceptionXss.expected
