Merge pull request #4546 from toufik-airane/main

asgerf · web-flow · commit 254072dd6d92 · 2020-12-03T13:20:46.000Z
JS: Add ElectronShellOpenExternalSink class for Electron framework security
diff --git a/javascript/ql/src/semmle/javascript/security/dataflow/ClientSideUrlRedirect.qll b/javascript/ql/src/semmle/javascript/security/dataflow/ClientSideUrlRedirect.qll
@@ -60,4 +60,15 @@ module ClientSideUrlRedirect {
       guard instanceof HostnameSanitizerGuard
     }
   }
+
+  /**
+   * Improper use of openExternal can be leveraged to compromise the user's host.
+   * When openExternal is used with untrusted content, it can be leveraged to execute arbitrary commands.
+   */
+  class ElectronShellOpenExternalSink extends Sink {
+    ElectronShellOpenExternalSink() {
+      this =
+        DataFlow::moduleMember("electron", "shell").getAMemberCall("openExternal").getArgument(0)
+    }
+  }
 }

Original file line number	Diff line number	Diff line change
`@@ -60,4 +60,15 @@ module ClientSideUrlRedirect {`
`60`	`60`	`guard instanceof HostnameSanitizerGuard`
`61`	`61`	`}`
`62`	`62`	`}`
	`63`	`+`
	`64`	`+ /**`
	`65`	`+ * Improper use of openExternal can be leveraged to compromise the user's host.`
	`66`	`+ * When openExternal is used with untrusted content, it can be leveraged to execute arbitrary commands.`
	`67`	`+ */`
	`68`	`+ class ElectronShellOpenExternalSink extends Sink {`
	`69`	`+ ElectronShellOpenExternalSink() {`
	`70`	`+ this =`
	`71`	`+ DataFlow::moduleMember("electron", "shell").getAMemberCall("openExternal").getArgument(0)`
	`72`	`+ }`
	`73`	`+ }`
`63`	`74`	`}`