Skip to content

Commit 25f95d9

Browse files
author
Max Schaefer
committed
JavaScript: Be more conservative about templates in AmbiguousIdAttribute.
Previously, we only excluded attributes where the value of the attribute itself suggests templating happening. Now we exclude all attributes in documents where _any_ attribute value suggests templating.
1 parent 9caa9c1 commit 25f95d9

File tree

3 files changed

+33
-11
lines changed

3 files changed

+33
-11
lines changed

change-notes/1.20/analysis-javascript.md

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -33,6 +33,7 @@
3333

3434
| **Query** | **Expected impact** | **Change** |
3535
|--------------------------------------------|------------------------------|------------------------------------------------------------------------------|
36+
| Ambiguous HTML id attribute | Fewer false-positive results | This rule now treats templates more conservatively. |
3637
| Client-side cross-site scripting | More true-positive results, fewer false-positive results. | This rule now recognizes WinJS functions that are vulnerable to HTML injection. It no longer flags certain safe uses of jQuery, and recognizes custom sanitizers. |
3738
| Hard-coded credentials | Fewer false-positive results | This rule no longer flag the empty string as a hardcoded username. |
3839
| Insecure randomness | More results | This rule now flags insecure uses of `crypto.pseudoRandomBytes`. |

javascript/ql/src/DOM/AmbiguousIdAttribute.ql

Lines changed: 23 additions & 11 deletions
Original file line numberDiff line numberDiff line change
@@ -26,22 +26,19 @@ predicate idAt(
2626
id = attr.getStringValue() and
2727
root = elt.getRoot() and
2828
elt.getLocation().hasLocationInfo(_, line, column, _, _) and
29-
not (
30-
// exclude invalid ids (reported by another query)
31-
DOM::isInvalidHtmlIdAttributeValue(attr, _)
32-
or
33-
// exclude attribute values that look like they might be templated
34-
attr.mayHaveTemplateValue()
35-
)
29+
// exclude invalid ids (reported by another query)
30+
not DOM::isInvalidHtmlIdAttributeValue(attr, _)
3631
)
3732
}
3833

3934
/**
4035
* Holds if attributes `earlier` and `later` are id attributes with the same value in
4136
* the same document, and `earlier` appears textually before `later`.
4237
*/
43-
predicate sameId(DOM::AttributeDefinition earlier, DOM::AttributeDefinition later) {
44-
exists(string id, DOM::ElementDefinition root, int l1, int c1, int l2, int c2 |
38+
predicate sameId(
39+
DOM::ElementDefinition root, DOM::AttributeDefinition earlier, DOM::AttributeDefinition later
40+
) {
41+
exists(string id, int l1, int c1, int l2, int c2 |
4542
idAt(earlier, id, root, l1, c1) and idAt(later, id, root, l2, c2)
4643
|
4744
l1 < l2
@@ -50,6 +47,21 @@ predicate sameId(DOM::AttributeDefinition earlier, DOM::AttributeDefinition late
5047
)
5148
}
5249

53-
from DOM::AttributeDefinition earlier, DOM::AttributeDefinition later
54-
where sameId(earlier, later) and not sameId(_, earlier)
50+
/**
51+
* Holds if any attribute value in `root` looks like it is templated.
52+
*/
53+
predicate mayContainTemplates(DOM::ElementDefinition root) {
54+
exists(DOM::AttributeDefinition attr |
55+
attr.mayHaveTemplateValue() and
56+
root = attr.getElement().getRoot()
57+
)
58+
}
59+
60+
from DOM::ElementDefinition root, DOM::AttributeDefinition earlier, DOM::AttributeDefinition later
61+
where
62+
sameId(root, earlier, later) and
63+
// only flag the first ambiguity if there are many
64+
not sameId(root, _, earlier) and
65+
// exclude templates
66+
not mayContainTemplates(root)
5567
select earlier, "This element has the same id as $@.", later, "another element"
Lines changed: 9 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,9 @@
1+
<html>
2+
<head><title></title></head>
3+
<body>
4+
{% if foo %}
5+
<a href="{{url}}" id="unique">foo</a>
6+
{% else %}
7+
<a href="{{url}}" id="unique">!foo</div>
8+
{% endif %}
9+
</body>

0 commit comments

Comments
 (0)