From 6b507c6933c15afbcb50f50e26fe625ef386df02 Mon Sep 17 00:00:00 2001
From: Erik Krogh Kristensen
Date: Thu, 26 Mar 2020 15:47:59 +0100
Subject: [PATCH] add urlSuffix support to DomBasedXSS

---
 .../security/dataflow/DomBasedXss.qll | 28 +++++++++++++++++++
 1 file changed, 28 insertions(+)

diff --git a/javascript/ql/src/semmle/javascript/security/dataflow/DomBasedXss.qll b/javascript/ql/src/semmle/javascript/security/dataflow/DomBasedXss.qll
index deca4bd3db4..e190ccf735c 100644
--- a/javascript/ql/src/semmle/javascript/security/dataflow/DomBasedXss.qll
+++ b/javascript/ql/src/semmle/javascript/security/dataflow/DomBasedXss.qll
@@ -23,5 +23,33 @@ module DomBasedXss {
       or
       node instanceof Sanitizer
     }
+
+    override predicate isAdditionalLoadStoreStep(
+      DataFlow::Node pred, DataFlow::Node succ, string predProp, string succProp
+    ) {
+      exists(DataFlow::PropRead read |
+        pred = read.getBase() and
+        succ = read and
+        read.getPropertyName() = "hash" and
+        predProp = "hash" and
+        succProp = urlSuffixPseudoProperty()
+      )
+    }
+
+    override predicate isAdditionalLoadStep(DataFlow::Node pred, DataFlow::Node succ, string prop) {
+      exists(DataFlow::MethodCallNode call, string name |
+        name = "substr" or name = "substring" or name = "slice"
+      |
+        call.getMethodName() = name and
+        not call.getArgument(0).getIntValue() = 0 and
+        pred = call.getReceiver() and
+        succ = call and
+        prop = urlSuffixPseudoProperty()
+      )
+    }
+  }
+
+  private string urlSuffixPseudoProperty() {
+    result = "$UrlSuffix$"
   }
 }
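Review bot: In isAdditionalLoadStep the guard `not call.getArgument(0).getIntValue() = 0` also holds when the call has no first argument at all, because `getIntValue()` then has no result and the negation succeeds, so a bare `x.slice()` (which returns the receiver unchanged) is treated as a step that strips a prefix; a non-constant start index is accepted for the same reason, which may be an intended over-approximation but is worth a comment. If only calls that can actually drop a prefix are meant, add `exists(call.getArgument(0)) and` before that condition, and consider whether a negative literal index (`slice(-1)`) should be excluded as well. The private predicate urlSuffixPseudoProperty has no QLDoc; since the pseudo-property is written on a `hash` property read and read back on a prefix-stripping string call, a comment such as `/** Gets the pseudo-property used to track the value of a `hash` property read until a prefix is removed from it by `substr`, `substring` or `slice`. */` would make the two steps understandable on their own. The enclosing Configuration class starts outside the hunk, so I cannot see whether its flow state or other steps interact with this pseudo-property.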