JS: introduce Vue XSS sinks

Esben Sparre Andreasen · Esben Sparre Andreasen · commit ea175b2a9ff0 · 2019-02-06T09:38:00.000+01:00
diff --git a/javascript/ql/src/semmle/javascript/frameworks/Vue.qll b/javascript/ql/src/semmle/javascript/frameworks/Vue.qll
@@ -3,7 +3,6 @@
  */
 
 import javascript
-import semmle.javascript.security.dataflow.DomBasedXss
 
 module Vue {
   /**
@@ -372,5 +371,4 @@ module Vue {
    * A `.vue` file.
    */
   class VueFile extends File { VueFile() { getExtension() = "vue" } }
-
 }
diff --git a/javascript/ql/src/semmle/javascript/security/dataflow/DomBasedXss.qll b/javascript/ql/src/semmle/javascript/security/dataflow/DomBasedXss.qll
@@ -188,4 +188,26 @@ module DomBasedXss {
 
     override string getVulnerabilityKind() { result = "HTML injection" }
   }
+
+
+  /**
+   * A write to the `template` option of a Vue instance, viewed as an XSS sink.
+   */
+  class VueTemplateSink extends DomBasedXss::Sink {
+    VueTemplateSink() { this = any(Vue::Instance i).getTemplate() }
+  }
+
+  /**
+   * The tag name argument to the `createElement` parameter of the
+   * `render` method of a Vue instance, viewed as an XSS sink.
+   */
+  class VueCreateElementSink extends DomBasedXss::Sink {
+    VueCreateElementSink() {
+      exists(Vue::Instance i, DataFlow::FunctionNode f |
+        f.flowsTo(i.getRender()) and
+        this = f.getParameter(0).getACall().getArgument(0)
+      )
+    }
+  }
+
 }
diff --git a/javascript/ql/test/library-tests/frameworks/Vue/XssSink.expected b/javascript/ql/test/library-tests/frameworks/Vue/XssSink.expected
@@ -0,0 +1,2 @@
+| tst.js:5:13:5:13 | a |
+| tst.js:38:12:38:17 | danger |
diff --git a/javascript/ql/test/library-tests/frameworks/Vue/XssSink.ql b/javascript/ql/test/library-tests/frameworks/Vue/XssSink.ql
@@ -0,0 +1,4 @@
+import javascript
+import semmle.javascript.security.dataflow.DomBasedXss
+
+select any(DomBasedXss::Sink s)

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+\| tst.js:5:13:5:13 \| a \|`
	`2`	`+\| tst.js:38:12:38:17 \| danger \|`