
Commit 28a73c1

JS: Add test case
1 parent 6aac353 commit 28a73c1


2 files changed

+49
-2
lines changed


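--- a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/Xss.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/Xss.expected
@@ -72,6 +72,26 @@ nodes
 | jquery.js:8:18:8:34 | "XSS: " + tainted |
 | jquery.js:8:18:8:34 | "XSS: " + tainted |
 | jquery.js:8:28:8:34 | tainted |
+| jquery.js:10:5:10:40 | "<b>" + ... "</b>" |
+| jquery.js:10:5:10:40 | "<b>" + ... "</b>" |
+| jquery.js:10:13:10:20 | location |
+| jquery.js:10:13:10:20 | location |
+| jquery.js:10:13:10:31 | location.toString() |
+| jquery.js:14:19:14:58 | decodeU ... n.hash) |
+| jquery.js:14:19:14:58 | decodeU ... n.hash) |
+| jquery.js:14:38:14:52 | window.location |
+| jquery.js:14:38:14:52 | window.location |
+| jquery.js:14:38:14:57 | window.location.hash |
+| jquery.js:15:19:15:60 | decodeU ... search) |
+| jquery.js:15:19:15:60 | decodeU ... search) |
+| jquery.js:15:38:15:52 | window.location |
+| jquery.js:15:38:15:52 | window.location |
+| jquery.js:15:38:15:59 | window. ... .search |
+| jquery.js:16:19:16:64 | decodeU ... ring()) |
+| jquery.js:16:19:16:64 | decodeU ... ring()) |
+| jquery.js:16:38:16:52 | window.location |
+| jquery.js:16:38:16:52 | window.location |
+| jquery.js:16:38:16:63 | window. ... tring() |
 | nodemailer.js:13:11:13:69 | `Hi, yo ... sage}.` |
 | nodemailer.js:13:11:13:69 | `Hi, yo ... sage}.` |
 | nodemailer.js:13:50:13:66 | req.query.message |
@@ -598,6 +618,22 @@ edges
 | jquery.js:7:20:7:26 | tainted | jquery.js:7:5:7:34 | "<div i ... + "\\">" |
 | jquery.js:8:28:8:34 | tainted | jquery.js:8:18:8:34 | "XSS: " + tainted |
 | jquery.js:8:28:8:34 | tainted | jquery.js:8:18:8:34 | "XSS: " + tainted |
+| jquery.js:10:13:10:20 | location | jquery.js:10:13:10:31 | location.toString() |
+| jquery.js:10:13:10:20 | location | jquery.js:10:13:10:31 | location.toString() |
+| jquery.js:10:13:10:31 | location.toString() | jquery.js:10:5:10:40 | "<b>" + ... "</b>" |
+| jquery.js:10:13:10:31 | location.toString() | jquery.js:10:5:10:40 | "<b>" + ... "</b>" |
+| jquery.js:14:38:14:52 | window.location | jquery.js:14:38:14:57 | window.location.hash |
+| jquery.js:14:38:14:52 | window.location | jquery.js:14:38:14:57 | window.location.hash |
+| jquery.js:14:38:14:57 | window.location.hash | jquery.js:14:19:14:58 | decodeU ... n.hash) |
+| jquery.js:14:38:14:57 | window.location.hash | jquery.js:14:19:14:58 | decodeU ... n.hash) |
+| jquery.js:15:38:15:52 | window.location | jquery.js:15:38:15:59 | window. ... .search |
+| jquery.js:15:38:15:52 | window.location | jquery.js:15:38:15:59 | window. ... .search |
+| jquery.js:15:38:15:59 | window. ... .search | jquery.js:15:19:15:60 | decodeU ... search) |
+| jquery.js:15:38:15:59 | window. ... .search | jquery.js:15:19:15:60 | decodeU ... search) |
+| jquery.js:16:38:16:52 | window.location | jquery.js:16:38:16:63 | window. ... tring() |
+| jquery.js:16:38:16:52 | window.location | jquery.js:16:38:16:63 | window. ... tring() |
+| jquery.js:16:38:16:63 | window. ... tring() | jquery.js:16:19:16:64 | decodeU ... ring()) |
+| jquery.js:16:38:16:63 | window. ... tring() | jquery.js:16:19:16:64 | decodeU ... ring()) |
 | nodemailer.js:13:50:13:66 | req.query.message | nodemailer.js:13:11:13:69 | `Hi, yo ... sage}.` |
 | nodemailer.js:13:50:13:66 | req.query.message | nodemailer.js:13:11:13:69 | `Hi, yo ... sage}.` |
 | nodemailer.js:13:50:13:66 | req.query.message | nodemailer.js:13:11:13:69 | `Hi, yo ... sage}.` |
@@ -1038,6 +1074,10 @@ edges
 | jquery.js:7:5:7:34 | "<div i ... + "\\">" | jquery.js:2:17:2:33 | document.location | jquery.js:7:5:7:34 | "<div i ... + "\\">" | Cross-site scripting vulnerability due to $@. | jquery.js:2:17:2:33 | document.location | user-provided value |
 | jquery.js:7:5:7:34 | "<div i ... + "\\">" | jquery.js:2:17:2:40 | documen ... .search | jquery.js:7:5:7:34 | "<div i ... + "\\">" | Cross-site scripting vulnerability due to $@. | jquery.js:2:17:2:40 | documen ... .search | user-provided value |
 | jquery.js:8:18:8:34 | "XSS: " + tainted | jquery.js:2:17:2:33 | document.location | jquery.js:8:18:8:34 | "XSS: " + tainted | Cross-site scripting vulnerability due to $@. | jquery.js:2:17:2:33 | document.location | user-provided value |
+| jquery.js:10:5:10:40 | "<b>" + ... "</b>" | jquery.js:10:13:10:20 | location | jquery.js:10:5:10:40 | "<b>" + ... "</b>" | Cross-site scripting vulnerability due to $@. | jquery.js:10:13:10:20 | location | user-provided value |
+| jquery.js:14:19:14:58 | decodeU ... n.hash) | jquery.js:14:38:14:52 | window.location | jquery.js:14:19:14:58 | decodeU ... n.hash) | Cross-site scripting vulnerability due to $@. | jquery.js:14:38:14:52 | window.location | user-provided value |
+| jquery.js:15:19:15:60 | decodeU ... search) | jquery.js:15:38:15:52 | window.location | jquery.js:15:19:15:60 | decodeU ... search) | Cross-site scripting vulnerability due to $@. | jquery.js:15:38:15:52 | window.location | user-provided value |
+| jquery.js:16:19:16:64 | decodeU ... ring()) | jquery.js:16:38:16:52 | window.location | jquery.js:16:19:16:64 | decodeU ... ring()) | Cross-site scripting vulnerability due to $@. | jquery.js:16:38:16:52 | window.location | user-provided value |
 | nodemailer.js:13:11:13:69 | `Hi, yo ... sage}.` | nodemailer.js:13:50:13:66 | req.query.message | nodemailer.js:13:11:13:69 | `Hi, yo ... sage}.` | HTML injection vulnerability due to $@. | nodemailer.js:13:50:13:66 | req.query.message | user-provided value |
 | optionalSanitizer.js:17:20:17:20 | x | optionalSanitizer.js:2:16:2:32 | document.location | optionalSanitizer.js:17:20:17:20 | x | Cross-site scripting vulnerability due to $@. | optionalSanitizer.js:2:16:2:32 | document.location | user-provided value |
 | optionalSanitizer.js:32:18:32:25 | tainted2 | optionalSanitizer.js:26:16:26:32 | document.location | optionalSanitizer.js:32:18:32:25 | tainted2 | Cross-site scripting vulnerability due to $@. | optionalSanitizer.js:26:16:26:32 | document.location | user-provided value |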
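--- a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/jquery.js
+++ b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/jquery.js
@@ -1,10 +1,17 @@
 function test() {
 var tainted = document.location.search
 
-$(tainted); // NOT OK
+$(tainted); // OK - location.search starts with '?'
 $("body", tainted); // OK
 $("." + tainted); // OK
 $("<div id=\"" + tainted + "\">"); // NOT OK
 $("body").html("XSS: " + tainted); // NOT OK
-$(window.location.hash); // OK
+$(window.location.hash); // OK - location.hash starts with '#'
+$("<b>" + location.toString() + "</b>"); // NOT OK
+
+// Not related to jQuery, but the handling of $() should not affect this sink
+let elm = document.getElementById('x');
+elm.innerHTML = decodeURIComponent(window.location.hash); // NOT OK
+elm.innerHTML = decodeURIComponent(window.location.search); // NOT OK
+elm.innerHTML = decodeURIComponent(window.location.toString()); // NOT OK
 }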
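Review bot: The relabelled lines `$(tainted); // OK - location.search starts with '?'` and `$(window.location.hash); // OK - location.hash starts with '#'` rest on a jQuery-version premise the comments leave unstated: only jQuery 1.9 and later confine `$()` HTML parsing to strings that begin with `<`, whereas earlier releases treated a `<tag>` anywhere in the argument as HTML, which is why `$(location.hash)` was historically a DOM XSS sink. Because these expectations now pin the query to treating such calls as safe, the premise should be readable in the test, e.g. `// OK - location.search starts with '?' (jQuery >= 1.9 parses HTML only when the string starts with '<')`, with the same qualifier on the hash line. A smaller style point: `let elm = document.getElementById('x');` is never reassigned, so `const elm` would be the idiomatic declaration for the new lines.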
