JS: Make the TaintedUrlSuffix library use optional steps/barriers

Author: asgerf

javascript/ql/lib/semmle/javascript/security/TaintedUrlSuffix.qll

@@ -4,6 +4,7 @@
  */
 
 import javascript
+private import semmle.javascript.dataflow.internal.DataFlowPrivate as DataFlowPrivate
 
 /**
  * Provides a flow label for reasoning about URLs with a tainted query and fragment part,
@@ -45,6 +46,11 @@ module TaintedUrlSuffix {
       ]
   }
 
+  predicate isBarrier(Node node, FlowLabel label) {
+    label = label() and
+    DataFlowPrivate::optionalBarrier(node, "tainted-url-suffix")
+  }
+
   /**
    * Holds if there is a flow step `src -> dst` involving the URL suffix taint label.
    *
@@ -57,6 +63,10 @@ module TaintedUrlSuffix {
     TaintTracking::AdditionalTaintStep::step(src, dst) and
     not isSafeLocationProp(dst)
     or
+    srclbl = label() and
+    dstlbl.isTaint() and
+    DataFlowPrivate::optionalStep(src, "tainted-url-suffix", dst)
+    or
     // Transition from URL suffix to full taint when extracting the query/fragment part.
     srclbl = label() and
     dstlbl.isTaint() and

javascript/ql/lib/semmle/javascript/security/dataflow/DomBasedXssQuery.qll

@@ -76,6 +76,8 @@ module DomBasedXssConfig implements DataFlow::StateConfigSig {
     isOptionallySanitizedNode(node) and
     lbl = [DataFlow::FlowLabel::taint(), prefixLabel(), TaintedUrlSuffix::label()]
     or
+    TaintedUrlSuffix::isBarrier(node, lbl)
+    or
     node = DataFlow::MakeLabeledBarrierGuard<BarrierGuard>::getABarrierNode(lbl)
   }
 

javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/Xss.expected

@@ -514,9 +514,6 @@ nodes
 | tst.js:371:7:371:39 | target | semmle.label | target |
 | tst.js:371:16:371:39 | documen ... .search | semmle.label | documen ... .search |
 | tst.js:374:18:374:23 | target | semmle.label | target |
-| tst.js:377:18:377:39 | documen ... on.href | semmle.label | documen ... on.href |
-| tst.js:377:18:377:50 | documen ... it("?") [ArrayElement] | semmle.label | documen ... it("?") [ArrayElement] |
-| tst.js:377:18:377:53 | documen ... "?")[0] | semmle.label | documen ... "?")[0] |
 | tst.js:381:7:381:39 | target | semmle.label | target |
 | tst.js:381:7:381:39 | target [taint3] | semmle.label | target [taint3] |
 | tst.js:381:7:381:39 | target [taint8] | semmle.label | target [taint8] |
@@ -549,7 +546,7 @@ nodes
 | tst.js:421:20:421:27 | match[1] | semmle.label | match[1] |
 | tst.js:424:18:424:37 | window.location.hash | semmle.label | window.location.hash |
 | tst.js:424:18:424:48 | window. ... it('#') | semmle.label | window. ... it('#') |
-| tst.js:424:18:424:48 | window. ... it('#') [ArrayElement] | semmle.label | window. ... it('#') [ArrayElement] |
+| tst.js:424:18:424:48 | window. ... it('#') [1] | semmle.label | window. ... it('#') [1] |
 | tst.js:424:18:424:51 | window. ... '#')[1] | semmle.label | window. ... '#')[1] |
 | tst.js:428:7:428:39 | target | semmle.label | target |
 | tst.js:428:16:428:39 | documen ... .search | semmle.label | documen ... .search |
@@ -1115,8 +1112,6 @@ edges
 | tst.js:355:19:355:42 | documen ... .search | tst.js:355:10:355:42 | target | provenance |  |
 | tst.js:371:7:371:39 | target | tst.js:374:18:374:23 | target | provenance |  |
 | tst.js:371:16:371:39 | documen ... .search | tst.js:371:7:371:39 | target | provenance |  |
-| tst.js:377:18:377:39 | documen ... on.href | tst.js:377:18:377:50 | documen ... it("?") [ArrayElement] | provenance |  |
-| tst.js:377:18:377:50 | documen ... it("?") [ArrayElement] | tst.js:377:18:377:53 | documen ... "?")[0] | provenance |  |
 | tst.js:381:7:381:39 | target | tst.js:384:18:384:23 | target | provenance |  |
 | tst.js:381:7:381:39 | target | tst.js:386:18:386:23 | target | provenance |  |
 | tst.js:381:7:381:39 | target | tst.js:397:18:397:23 | target | provenance |  |
@@ -1153,11 +1148,11 @@ edges
 | tst.js:421:20:421:24 | match | tst.js:421:20:421:27 | match[1] | provenance | Config |
 | tst.js:424:18:424:37 | window.location.hash | tst.js:424:18:424:48 | window. ... it('#') | provenance |  |
 | tst.js:424:18:424:37 | window.location.hash | tst.js:424:18:424:48 | window. ... it('#') | provenance | Config |
-| tst.js:424:18:424:37 | window.location.hash | tst.js:424:18:424:48 | window. ... it('#') [ArrayElement] | provenance |  |
+| tst.js:424:18:424:37 | window.location.hash | tst.js:424:18:424:48 | window. ... it('#') [1] | provenance | Config |
 | tst.js:424:18:424:48 | window. ... it('#') | tst.js:424:18:424:51 | window. ... '#')[1] | provenance |  |
 | tst.js:424:18:424:48 | window. ... it('#') | tst.js:424:18:424:51 | window. ... '#')[1] | provenance | Config |
-| tst.js:424:18:424:48 | window. ... it('#') [ArrayElement] | tst.js:424:18:424:51 | window. ... '#')[1] | provenance |  |
-| tst.js:424:18:424:48 | window. ... it('#') [ArrayElement] | tst.js:424:18:424:51 | window. ... '#')[1] | provenance | Config |
+| tst.js:424:18:424:48 | window. ... it('#') [1] | tst.js:424:18:424:51 | window. ... '#')[1] | provenance |  |
+| tst.js:424:18:424:48 | window. ... it('#') [1] | tst.js:424:18:424:51 | window. ... '#')[1] | provenance | Config |
 | tst.js:428:7:428:39 | target | tst.js:430:18:430:23 | target | provenance |  |
 | tst.js:428:16:428:39 | documen ... .search | tst.js:428:7:428:39 | target | provenance |  |
 | tst.js:430:18:430:23 | target | tst.js:430:18:430:89 | target. ... data>') | provenance |  |
@@ -1460,7 +1455,6 @@ subpaths
 | tst.js:360:21:360:26 | target | tst.js:355:19:355:42 | documen ... .search | tst.js:360:21:360:26 | target | Cross-site scripting vulnerability due to $@. | tst.js:355:19:355:42 | documen ... .search | user-provided value |
 | tst.js:363:18:363:23 | target | tst.js:355:19:355:42 | documen ... .search | tst.js:363:18:363:23 | target | Cross-site scripting vulnerability due to $@. | tst.js:355:19:355:42 | documen ... .search | user-provided value |
 | tst.js:374:18:374:23 | target | tst.js:371:16:371:39 | documen ... .search | tst.js:374:18:374:23 | target | Cross-site scripting vulnerability due to $@. | tst.js:371:16:371:39 | documen ... .search | user-provided value |
-| tst.js:377:18:377:53 | documen ... "?")[0] | tst.js:377:18:377:39 | documen ... on.href | tst.js:377:18:377:53 | documen ... "?")[0] | Cross-site scripting vulnerability due to $@. | tst.js:377:18:377:39 | documen ... on.href | user-provided value |
 | tst.js:384:18:384:23 | target | tst.js:381:16:381:39 | documen ... .search | tst.js:384:18:384:23 | target | Cross-site scripting vulnerability due to $@. | tst.js:381:16:381:39 | documen ... .search | user-provided value |
 | tst.js:386:18:386:29 | target.taint | tst.js:381:16:381:39 | documen ... .search | tst.js:386:18:386:29 | target.taint | Cross-site scripting vulnerability due to $@. | tst.js:381:16:381:39 | documen ... .search | user-provided value |
 | tst.js:392:18:392:30 | target.taint3 | tst.js:391:19:391:42 | documen ... .search | tst.js:392:18:392:30 | target.taint3 | Cross-site scripting vulnerability due to $@. | tst.js:391:19:391:42 | documen ... .search | user-provided value |

javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/XssWithAdditionalSources.expected

@@ -519,9 +519,6 @@ nodes
 | tst.js:371:7:371:39 | target | semmle.label | target |
 | tst.js:371:16:371:39 | documen ... .search | semmle.label | documen ... .search |
 | tst.js:374:18:374:23 | target | semmle.label | target |
-| tst.js:377:18:377:39 | documen ... on.href | semmle.label | documen ... on.href |
-| tst.js:377:18:377:50 | documen ... it("?") [ArrayElement] | semmle.label | documen ... it("?") [ArrayElement] |
-| tst.js:377:18:377:53 | documen ... "?")[0] | semmle.label | documen ... "?")[0] |
 | tst.js:381:7:381:39 | target | semmle.label | target |
 | tst.js:381:7:381:39 | target [taint3] | semmle.label | target [taint3] |
 | tst.js:381:7:381:39 | target [taint8] | semmle.label | target [taint8] |
@@ -554,7 +551,7 @@ nodes
 | tst.js:421:20:421:27 | match[1] | semmle.label | match[1] |
 | tst.js:424:18:424:37 | window.location.hash | semmle.label | window.location.hash |
 | tst.js:424:18:424:48 | window. ... it('#') | semmle.label | window. ... it('#') |
-| tst.js:424:18:424:48 | window. ... it('#') [ArrayElement] | semmle.label | window. ... it('#') [ArrayElement] |
+| tst.js:424:18:424:48 | window. ... it('#') [1] | semmle.label | window. ... it('#') [1] |
 | tst.js:424:18:424:51 | window. ... '#')[1] | semmle.label | window. ... '#')[1] |
 | tst.js:428:7:428:39 | target | semmle.label | target |
 | tst.js:428:16:428:39 | documen ... .search | semmle.label | documen ... .search |
@@ -1140,8 +1137,6 @@ edges
 | tst.js:355:19:355:42 | documen ... .search | tst.js:355:10:355:42 | target | provenance |  |
 | tst.js:371:7:371:39 | target | tst.js:374:18:374:23 | target | provenance |  |
 | tst.js:371:16:371:39 | documen ... .search | tst.js:371:7:371:39 | target | provenance |  |
-| tst.js:377:18:377:39 | documen ... on.href | tst.js:377:18:377:50 | documen ... it("?") [ArrayElement] | provenance |  |
-| tst.js:377:18:377:50 | documen ... it("?") [ArrayElement] | tst.js:377:18:377:53 | documen ... "?")[0] | provenance |  |
 | tst.js:381:7:381:39 | target | tst.js:384:18:384:23 | target | provenance |  |
 | tst.js:381:7:381:39 | target | tst.js:386:18:386:23 | target | provenance |  |
 | tst.js:381:7:381:39 | target | tst.js:397:18:397:23 | target | provenance |  |
@@ -1178,11 +1173,11 @@ edges
 | tst.js:421:20:421:24 | match | tst.js:421:20:421:27 | match[1] | provenance | Config |
 | tst.js:424:18:424:37 | window.location.hash | tst.js:424:18:424:48 | window. ... it('#') | provenance |  |
 | tst.js:424:18:424:37 | window.location.hash | tst.js:424:18:424:48 | window. ... it('#') | provenance | Config |
-| tst.js:424:18:424:37 | window.location.hash | tst.js:424:18:424:48 | window. ... it('#') [ArrayElement] | provenance |  |
+| tst.js:424:18:424:37 | window.location.hash | tst.js:424:18:424:48 | window. ... it('#') [1] | provenance | Config |
 | tst.js:424:18:424:48 | window. ... it('#') | tst.js:424:18:424:51 | window. ... '#')[1] | provenance |  |
 | tst.js:424:18:424:48 | window. ... it('#') | tst.js:424:18:424:51 | window. ... '#')[1] | provenance | Config |
-| tst.js:424:18:424:48 | window. ... it('#') [ArrayElement] | tst.js:424:18:424:51 | window. ... '#')[1] | provenance |  |
-| tst.js:424:18:424:48 | window. ... it('#') [ArrayElement] | tst.js:424:18:424:51 | window. ... '#')[1] | provenance | Config |
+| tst.js:424:18:424:48 | window. ... it('#') [1] | tst.js:424:18:424:51 | window. ... '#')[1] | provenance |  |
+| tst.js:424:18:424:48 | window. ... it('#') [1] | tst.js:424:18:424:51 | window. ... '#')[1] | provenance | Config |
 | tst.js:428:7:428:39 | target | tst.js:430:18:430:23 | target | provenance |  |
 | tst.js:428:16:428:39 | documen ... .search | tst.js:428:7:428:39 | target | provenance |  |
 | tst.js:430:18:430:23 | target | tst.js:430:18:430:89 | target. ... data>') | provenance |  |

javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/tst.js

@@ -373,7 +373,7 @@ function test() {
   // NOT OK
   $('myId').html(target)
 
-  // OK [INCONSISTENCY] (TODO: fix)
+  // OK
   $('myid').html(document.location.href.split("?")[0]);
 }