File tree Expand file tree Collapse file tree 2 files changed +26
-1
lines changed
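--- a/javascript/ql/src/semmle/javascript/security/dataflow/<FILENAME-NOT-SHOWN>
+++ b/javascript/ql/src/semmle/javascript/security/dataflow/<FILENAME-NOT-SHOWN>
@@ -145,4 +145,17 @@ module ClientSideUrlRedirect {
  )
  }
  }
+
+ /**
+ * A write of an attribute which may execute JavaScript code or
+ * exfiltrate data to an attacker controlled site.
+ */
+ class AttributeWriteUrlSink extends ScriptUrlSink , DataFlow:: ValueNode {
+ AttributeWriteUrlSink ( ) {
+ exists ( DomPropWriteNode pw |
+ pw .interpretsValueAsJavaScript ( ) and
+ this = DataFlow:: valueNode ( pw .getRhs ( ) )
+ )
+ }
+ }
 }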
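Review bot: The name and doc comment of `AttributeWriteUrlSink` promise attribute writes, but the body only matches `DomPropWriteNode`, i.e. property assignments such as `el.href = x`; attribute writes made through `setAttribute`, which `DomMethodCallExpr` models in the other file, are not included here, so either they are covered by another sink class outside this hunk or the doc overstates the scope. I would make the doc say what is matched: `* A write to a DOM property (such as \`href\`, \`src\` or \`action\`) whose value may be interpreted as a \`javascript:\` URL, executing code or exfiltrating data to an attacker-controlled site.` Whether `ScriptUrlSink` additionally requires the tainted value to control the start of the URL (a `javascript:` prefix in the middle of a string is harmless) is not visible here and worth confirming, since otherwise this sink will report every tainted URL property write. The enclosing module continues outside the hunk.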
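--- a/<PATH-NOT-SHOWN>
+++ b/<PATH-NOT-SHOWN>
@@ -90,7 +90,8 @@ class DomMethodCallExpr extends MethodCallExpr {
  attr = "formaction" or
  attr = "href" or
  attr = "src" or
- attr = "xlink:href"
+ attr = "xlink:href" or
+ attr = "data"
  |
  getArgument ( argPos - 1 ) .getStringValue ( ) .toLowerCase ( ) = attr
  )
@@ -116,6 +117,17 @@ class DomPropWriteNode extends Assignment {
  lhs .getPropertyName ( ) = "innerHTML" or
  lhs .getPropertyName ( ) = "outerHTML"
  }
+
+ /**
+ * Holds if the assigned value is interpreted as JavaScript via javascript: protocol.
+ */
+ predicate interpretsValueAsJavaScript ( ) {
+ lhs .getPropertyName ( ) = "action" or
+ lhs .getPropertyName ( ) = "formaction" or
+ lhs .getPropertyName ( ) = "href" or
+ lhs .getPropertyName ( ) = "src" or
+ lhs .getPropertyName ( ) = "data"
+ }
 }
 
 /**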
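Review bot: The name list in `interpretsValueAsJavaScript` (`action`, `formaction`, `href`, `src`, `data`) repeats the `setAttribute` name list in `DomMethodCallExpr` at the top of this section, so the two will drift the next time one is extended — the `data` addition in the first hunk is exactly that kind of edit and had to be made twice. Factor the names into one shared predicate, as sketched below, and have `DomMethodCallExpr` use `isJavaScriptUrlName(attr) or attr = "xlink:href"` (the SVG attribute has no matching property name). The doc comment is also narrower than the behaviour: a tainted `src` on a script element executes code fetched from any URL, not only a `javascript:` one, so `* Holds if the assigned value is a URL that may be loaded or executed (for example a \`javascript:\` URL).` describes it better. Both enclosing classes continue outside the hunks.

```ql
/** Holds if `name` is a DOM property or attribute whose value is treated as a URL that may load or execute code. */
predicate isJavaScriptUrlName(string name) {
  name = "action" or
  name = "formaction" or
  name = "href" or
  name = "src" or
  name = "data"
}

// … unchanged: DomPropWriteNode members up to interpretsValueAsJavaScript …
  predicate interpretsValueAsJavaScript() {
    isJavaScriptUrlName(lhs.getPropertyName())
  }
```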