[js/client-side-unvalidated-url-redirection] add interpretsValueAsJavaScript predicate

Author: Raz0r

javascript/ql/src/semmle/javascript/security/dataflow/ClientSideUrlRedirectCustomizations.qll

@@ -145,4 +145,17 @@ module ClientSideUrlRedirect {
       )
     }
   }
+  
+  /**
+   * A write of an attribute which may execute JavaScript code or 
+   * exfiltrate data to an attacker controlled site.
+   */
+  class AttributeWriteUrlSink extends ScriptUrlSink, DataFlow::ValueNode {
+    AttributeWriteUrlSink() {
+      exists(DomPropWriteNode pw |
+        pw.interpretsValueAsJavaScript() and
+        this = DataFlow::valueNode(pw.getRhs())
+      )
+    }
+  }
 }

javascript/ql/src/semmle/javascript/security/dataflow/DOM.qll

@@ -90,7 +90,8 @@ class DomMethodCallExpr extends MethodCallExpr {
         attr = "formaction" or
         attr = "href" or
         attr = "src" or
-        attr = "xlink:href"
+        attr = "xlink:href" or
+        attr = "data"
       |
         getArgument(argPos - 1).getStringValue().toLowerCase() = attr
       )
@@ -116,6 +117,17 @@ class DomPropWriteNode extends Assignment {
     lhs.getPropertyName() = "innerHTML" or
     lhs.getPropertyName() = "outerHTML"
   }
+
+  /**
+   * Holds if the assigned value is interpreted as JavaScript via javascript: protocol.
+   */
+  predicate interpretsValueAsJavaScript() {
+    lhs.getPropertyName() = "action" or
+    lhs.getPropertyName() = "formaction" or
+    lhs.getPropertyName() = "href" or
+    lhs.getPropertyName() = "src" or
+    lhs.getPropertyName() = "data"
+  }
 }
 
 /**