JS: fix FP for js/unsafe-jquery-plugin

2020-01-27 10:41:47 +01:00 · 2020-01-27 10:41:47 +01:00 · 2ad9b843ae
--- a/javascript/ql/src/semmle/javascript/security/dataflow/UnsafeJQueryPlugin.qll
+++ b/javascript/ql/src/semmle/javascript/security/dataflow/UnsafeJQueryPlugin.qll
@ -32,6 +32,20 @@ module UnsafeJQueryPlugin {
      DataFlow::localFieldStep(src, sink)
    }

+    override predicate isSanitizerEdge(DataFlow::Node pred, DataFlow::Node succ) {
+      // prefixing prevents forced html/css confusion:
+
+      // prefixing through concatenation:
+      succ.asExpr().(AddExpr).getRightOperand().flow() = pred
+      or
+      // prefixing through a poor-mans templating system:
+      exists(DataFlow::MethodCallNode replace |
+        replace = succ and
+        pred = replace.getArgument(1) and
+        replace.getMethodName() = "replace"
+      )
+    }
+
    override predicate isSanitizerGuard(TaintTracking::SanitizerGuardNode node) {
      super.isSanitizerGuard(node) or
      node instanceof IsElementSanitizer or
--- a/javascript/ql/test/query-tests/Security/CWE-079/UnsafeJQueryPlugin.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-079/UnsafeJQueryPlugin.expected
@ -110,14 +110,6 @@ nodes
 | unsafe-jquery-plugin.js:157:44:157:59 | options.target.a |
 | unsafe-jquery-plugin.js:160:38:160:44 | options |
 | unsafe-jquery-plugin.js:160:38:160:44 | options |
-| unsafe-jquery-plugin.js:161:5:161:30 | anyPref ... .target |
-| unsafe-jquery-plugin.js:161:5:161:30 | anyPref ... .target |
-| unsafe-jquery-plugin.js:161:17:161:23 | options |
-| unsafe-jquery-plugin.js:161:17:161:30 | options.target |
-| unsafe-jquery-plugin.js:163:5:163:54 | somethi ... target) |
-| unsafe-jquery-plugin.js:163:5:163:54 | somethi ... target) |
-| unsafe-jquery-plugin.js:163:40:163:46 | options |
-| unsafe-jquery-plugin.js:163:40:163:53 | options.target |
 | unsafe-jquery-plugin.js:165:7:165:29 | target |
 | unsafe-jquery-plugin.js:165:16:165:22 | options |
 | unsafe-jquery-plugin.js:165:16:165:29 | options.target |
@ -230,18 +222,8 @@ edges
 | unsafe-jquery-plugin.js:157:44:157:50 | options | unsafe-jquery-plugin.js:157:44:157:57 | options.target |
 | unsafe-jquery-plugin.js:157:44:157:57 | options.target | unsafe-jquery-plugin.js:157:44:157:59 | options.target.a |
 | unsafe-jquery-plugin.js:157:44:157:57 | options.target | unsafe-jquery-plugin.js:157:44:157:59 | options.target.a |
-| unsafe-jquery-plugin.js:160:38:160:44 | options | unsafe-jquery-plugin.js:161:17:161:23 | options |
-| unsafe-jquery-plugin.js:160:38:160:44 | options | unsafe-jquery-plugin.js:161:17:161:23 | options |
-| unsafe-jquery-plugin.js:160:38:160:44 | options | unsafe-jquery-plugin.js:163:40:163:46 | options |
-| unsafe-jquery-plugin.js:160:38:160:44 | options | unsafe-jquery-plugin.js:163:40:163:46 | options |
 | unsafe-jquery-plugin.js:160:38:160:44 | options | unsafe-jquery-plugin.js:165:16:165:22 | options |
 | unsafe-jquery-plugin.js:160:38:160:44 | options | unsafe-jquery-plugin.js:165:16:165:22 | options |
-| unsafe-jquery-plugin.js:161:17:161:23 | options | unsafe-jquery-plugin.js:161:17:161:30 | options.target |
-| unsafe-jquery-plugin.js:161:17:161:30 | options.target | unsafe-jquery-plugin.js:161:5:161:30 | anyPref ... .target |
-| unsafe-jquery-plugin.js:161:17:161:30 | options.target | unsafe-jquery-plugin.js:161:5:161:30 | anyPref ... .target |
-| unsafe-jquery-plugin.js:163:40:163:46 | options | unsafe-jquery-plugin.js:163:40:163:53 | options.target |
-| unsafe-jquery-plugin.js:163:40:163:53 | options.target | unsafe-jquery-plugin.js:163:5:163:54 | somethi ... target) |
-| unsafe-jquery-plugin.js:163:40:163:53 | options.target | unsafe-jquery-plugin.js:163:5:163:54 | somethi ... target) |
 | unsafe-jquery-plugin.js:165:7:165:29 | target | unsafe-jquery-plugin.js:170:6:170:11 | target |
 | unsafe-jquery-plugin.js:165:7:165:29 | target | unsafe-jquery-plugin.js:170:6:170:11 | target |
 | unsafe-jquery-plugin.js:165:16:165:22 | options | unsafe-jquery-plugin.js:165:16:165:29 | options.target |
@ -268,6 +250,4 @@ edges
 | unsafe-jquery-plugin.js:155:33:155:38 | target | unsafe-jquery-plugin.js:153:38:153:44 | options | unsafe-jquery-plugin.js:155:33:155:38 | target | Potential XSS vulnerability in the $@. | unsafe-jquery-plugin.js:153:19:158:2 | functio ... gged\\n\\t} | '$.fn.my_plugin' plugin |
 | unsafe-jquery-plugin.js:156:41:156:54 | options.target | unsafe-jquery-plugin.js:153:38:153:44 | options | unsafe-jquery-plugin.js:156:41:156:54 | options.target | Potential XSS vulnerability in the $@. | unsafe-jquery-plugin.js:153:19:158:2 | functio ... gged\\n\\t} | '$.fn.my_plugin' plugin |
 | unsafe-jquery-plugin.js:157:44:157:59 | options.target.a | unsafe-jquery-plugin.js:153:38:153:44 | options | unsafe-jquery-plugin.js:157:44:157:59 | options.target.a | Potential XSS vulnerability in the $@. | unsafe-jquery-plugin.js:153:19:158:2 | functio ... gged\\n\\t} | '$.fn.my_plugin' plugin |
-| unsafe-jquery-plugin.js:161:5:161:30 | anyPref ... .target | unsafe-jquery-plugin.js:160:38:160:44 | options | unsafe-jquery-plugin.js:161:5:161:30 | anyPref ... .target | Potential XSS vulnerability in the $@. | unsafe-jquery-plugin.js:160:19:173:2 | functio ... \\t\\t}\\n\\n\\t} | '$.fn.my_plugin' plugin |
-| unsafe-jquery-plugin.js:163:5:163:54 | somethi ... target) | unsafe-jquery-plugin.js:160:38:160:44 | options | unsafe-jquery-plugin.js:163:5:163:54 | somethi ... target) | Potential XSS vulnerability in the $@. | unsafe-jquery-plugin.js:160:19:173:2 | functio ... \\t\\t}\\n\\n\\t} | '$.fn.my_plugin' plugin |
 | unsafe-jquery-plugin.js:170:6:170:11 | target | unsafe-jquery-plugin.js:160:38:160:44 | options | unsafe-jquery-plugin.js:170:6:170:11 | target | Potential XSS vulnerability in the $@. | unsafe-jquery-plugin.js:160:19:173:2 | functio ... \\t\\t}\\n\\n\\t} | '$.fn.my_plugin' plugin |