

Commit ff3950c

committed
add model for formik
1 parent d1087d4 commit ff3950c

3 files changed

Lines changed: 132 additions & 0 deletions


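--- a/javascript/ql/src/semmle/javascript/security/dataflow/XssThroughDomCustomizations.qll
+++ b/javascript/ql/src/semmle/javascript/security/dataflow/XssThroughDomCustomizations.qll
@@ -96,4 +96,45 @@ module XssThroughDom {
 e = operand
 }
 }
+
+/**
+* A module for form inputs seen as sources for xss-through-dom.
+*/
+module Forms {
+/**
+* A reference to an import of `Formik`.
+*/
+private DataFlow::SourceNode formik() {
+result = DataFlow::moduleImport("formik")
+or
+result = DataFlow::globalVarRef("Formik")
+}
+
+/**
+* An object containing input values from a form build with `Formik`.
+*/
+class FormikSource extends Source {
+FormikSource() {
+exists(JSXElement elem |
+formik().getAPropertyRead("Formik").flowsToExpr(elem.getNameExpr())
+|
+this =
+elem.getAttributeByName(["validate", "onSubmit"])
+.getValue()
+.flow()
+.getAFunctionValue()
+.getParameter(0)
+)
+or
+this =
+formik()
+.getAMemberCall("withFormik")
+.getOptionArgument(0, ["validate", "handleSubmit"])
+.getAFunctionValue()
+.getParameter(0)
+or
+this = formik().getAMemberCall("useFormikContext").getAPropertyRead("values")
+}
+}
+}
 }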
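Review bot: The new `FormikSource` only models the `validate`/`onSubmit` props of `<Formik>`, the `validate`/`handleSubmit` options of `withFormik`, and `useFormikContext().values`, so form input that reaches a DOM-HTML sink through Formik's other hand-off points — the render-prop / children callback of `<Formik>` (`{({ values }) => …}`) and, if memory serves, the `useFormik` hook — is not reported. Extending the `exists` branch to also take `getParameter(0)` of a function passed as the element's `render` attribute or as its child expression, and adding `this = formik().getAMemberCall("useFormik").getAPropertyRead("values")` as a further disjunct, would close that gap; confirm against the Formik API before relying on it. Separately, the class doc has a typo: `An object containing input values from a form built with `Formik`.` (built, not build). The enclosing `XssThroughDom` module starts before this hunk.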

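--- a/javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/XssThroughDom.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/XssThroughDom.expected
@@ -1,4 +1,30 @@
 nodes
+| forms.js:8:23:8:28 | values |
+| forms.js:8:23:8:28 | values |
+| forms.js:9:31:9:36 | values |
+| forms.js:9:31:9:40 | values.foo |
+| forms.js:9:31:9:40 | values.foo |
+| forms.js:11:24:11:29 | values |
+| forms.js:11:24:11:29 | values |
+| forms.js:12:31:12:36 | values |
+| forms.js:12:31:12:40 | values.bar |
+| forms.js:12:31:12:40 | values.bar |
+| forms.js:24:15:24:20 | values |
+| forms.js:24:15:24:20 | values |
+| forms.js:25:23:25:28 | values |
+| forms.js:25:23:25:34 | values.email |
+| forms.js:25:23:25:34 | values.email |
+| forms.js:28:20:28:25 | values |
+| forms.js:28:20:28:25 | values |
+| forms.js:29:23:29:28 | values |
+| forms.js:29:23:29:34 | values.email |
+| forms.js:29:23:29:34 | values.email |
+| forms.js:34:11:34:53 | values |
+| forms.js:34:13:34:18 | values |
+| forms.js:34:13:34:18 | values |
+| forms.js:35:19:35:24 | values |
+| forms.js:35:19:35:30 | values.email |
+| forms.js:35:19:35:30 | values.email |
 | xss-through-dom.js:2:16:2:34 | $("textarea").val() |
 | xss-through-dom.js:2:16:2:34 | $("textarea").val() |
 | xss-through-dom.js:2:16:2:34 | $("textarea").val() |
@@ -50,6 +76,27 @@ nodes
 | xss-through-dom.js:79:4:79:34 | documen ... t.value |
 | xss-through-dom.js:79:4:79:34 | documen ... t.value |
 edges
+| forms.js:8:23:8:28 | values | forms.js:9:31:9:36 | values |
+| forms.js:8:23:8:28 | values | forms.js:9:31:9:36 | values |
+| forms.js:9:31:9:36 | values | forms.js:9:31:9:40 | values.foo |
+| forms.js:9:31:9:36 | values | forms.js:9:31:9:40 | values.foo |
+| forms.js:11:24:11:29 | values | forms.js:12:31:12:36 | values |
+| forms.js:11:24:11:29 | values | forms.js:12:31:12:36 | values |
+| forms.js:12:31:12:36 | values | forms.js:12:31:12:40 | values.bar |
+| forms.js:12:31:12:36 | values | forms.js:12:31:12:40 | values.bar |
+| forms.js:24:15:24:20 | values | forms.js:25:23:25:28 | values |
+| forms.js:24:15:24:20 | values | forms.js:25:23:25:28 | values |
+| forms.js:25:23:25:28 | values | forms.js:25:23:25:34 | values.email |
+| forms.js:25:23:25:28 | values | forms.js:25:23:25:34 | values.email |
+| forms.js:28:20:28:25 | values | forms.js:29:23:29:28 | values |
+| forms.js:28:20:28:25 | values | forms.js:29:23:29:28 | values |
+| forms.js:29:23:29:28 | values | forms.js:29:23:29:34 | values.email |
+| forms.js:29:23:29:28 | values | forms.js:29:23:29:34 | values.email |
+| forms.js:34:11:34:53 | values | forms.js:35:19:35:24 | values |
+| forms.js:34:13:34:18 | values | forms.js:34:11:34:53 | values |
+| forms.js:34:13:34:18 | values | forms.js:34:11:34:53 | values |
+| forms.js:35:19:35:24 | values | forms.js:35:19:35:30 | values.email |
+| forms.js:35:19:35:24 | values | forms.js:35:19:35:30 | values.email |
 | xss-through-dom.js:2:16:2:34 | $("textarea").val() | xss-through-dom.js:2:16:2:34 | $("textarea").val() |
 | xss-through-dom.js:4:16:4:40 | $(".som ... .text() | xss-through-dom.js:4:16:4:40 | $(".som ... .text() |
 | xss-through-dom.js:8:16:8:53 | $(".som ... arget") | xss-through-dom.js:8:16:8:53 | $(".som ... arget") |
@@ -70,6 +117,11 @@ edges
 | xss-through-dom.js:73:20:73:41 | $("inpu ... 0).name | xss-through-dom.js:73:9:73:41 | selector |
 | xss-through-dom.js:79:4:79:34 | documen ... t.value | xss-through-dom.js:79:4:79:34 | documen ... t.value |
 #select
+| forms.js:9:31:9:40 | values.foo | forms.js:8:23:8:28 | values | forms.js:9:31:9:40 | values.foo | $@ is reinterpreted as HTML without escaping meta-characters. | forms.js:8:23:8:28 | values | DOM text |
+| forms.js:12:31:12:40 | values.bar | forms.js:11:24:11:29 | values | forms.js:12:31:12:40 | values.bar | $@ is reinterpreted as HTML without escaping meta-characters. | forms.js:11:24:11:29 | values | DOM text |
+| forms.js:25:23:25:34 | values.email | forms.js:24:15:24:20 | values | forms.js:25:23:25:34 | values.email | $@ is reinterpreted as HTML without escaping meta-characters. | forms.js:24:15:24:20 | values | DOM text |
+| forms.js:29:23:29:34 | values.email | forms.js:28:20:28:25 | values | forms.js:29:23:29:34 | values.email | $@ is reinterpreted as HTML without escaping meta-characters. | forms.js:28:20:28:25 | values | DOM text |
+| forms.js:35:19:35:30 | values.email | forms.js:34:13:34:18 | values | forms.js:35:19:35:30 | values.email | $@ is reinterpreted as HTML without escaping meta-characters. | forms.js:34:13:34:18 | values | DOM text |
 | xss-through-dom.js:2:16:2:34 | $("textarea").val() | xss-through-dom.js:2:16:2:34 | $("textarea").val() | xss-through-dom.js:2:16:2:34 | $("textarea").val() | $@ is reinterpreted as HTML without escaping meta-characters. | xss-through-dom.js:2:16:2:34 | $("textarea").val() | DOM text |
 | xss-through-dom.js:4:16:4:40 | $(".som ... .text() | xss-through-dom.js:4:16:4:40 | $(".som ... .text() | xss-through-dom.js:4:16:4:40 | $(".som ... .text() | $@ is reinterpreted as HTML without escaping meta-characters. | xss-through-dom.js:4:16:4:40 | $(".som ... .text() | DOM text |
 | xss-through-dom.js:8:16:8:53 | $(".som ... arget") | xss-through-dom.js:8:16:8:53 | $(".som ... arget") | xss-through-dom.js:8:16:8:53 | $(".som ... arget") | $@ is reinterpreted as HTML without escaping meta-characters. | xss-through-dom.js:8:16:8:53 | $(".som ... arget") | DOM text |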
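--- /dev/null
+++ b/javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/forms.js
@@ -0,0 +1,39 @@
+import React from 'react';
+import { Formik, withFormik, useFormikContext } from 'formik';
+
+const FormikBasic = () => (
+<div>
+<Formik
+initialValues={{ email: '', password: '' }}
+validate={values => {
+$("#id").html(values.foo); // NOT OK
+}}
+onSubmit={(values, { setSubmitting }) => {
+$("#id").html(values.bar); // NOT OK
+}}
+>
+{(inputs) => (
+<form onSubmit={handleSubmit}></form>
+)}
+</Formik>
+</div>
+);
+
+const FormikEnhanced = withFormik({
+mapPropsToValues: () => ({ name: '' }),
+validate: values => {
+$("#id").html(values.email); // NOT OK
+},
+
+handleSubmit: (values, { setSubmitting }) => {
+$("#id").html(values.email); // NOT OK
+}
+})(MyForm);
+
+(function () {
+const { values, submitForm } = useFormikContext();
+$("#id").html(values.email); // NOT OK
+
+$("#id").html(submitForm.email); // OK
+})
+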
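Review bot: Every Formik case in this test is a positive one; the only `// OK` line (37) reads a different property, `submitForm.email`, so nothing checks that a Formik `values` object reaching a non-HTML sink stays quiet, and an over-broad sink change would pass this test unnoticed. Adding `$("#id").text(values.email); // OK` after line 35 would pin that. The render-prop child of `<Formik>` at line 15 receives only `inputs` and never touches `values`; a case such as `{({ values }) => $("#id").html(values.foo)}` is not exercised, and as far as I can tell the new model would not flag it, so adding it with a comment marking it as a known miss would document the gap rather than hide it. The IIFE at lines 33–38 is never invoked, which is fine for a static-analysis fixture but deserves a one-line comment saying so.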
