File tree Expand file tree Collapse file tree 1 file changed +31
-0
lines changed
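--- a/javascript/ql/src/semmle/javascript/security/dataflow
+++ b/javascript/ql/src/semmle/javascript/security/dataflow
@@ -51,6 +51,37 @@ module CodeInjection {
     }
   }
 
+  /**
+   * Gets a reference to a `<script />` tag created using `document.createElement`.
+   */
+  private DataFlow::SourceNode scriptTag(DataFlow::TypeTracker t) {
+    t.start() and
+    exists(DataFlow::CallNode call | call = result |
+      call = DOM::documentRef().getAMethodCall("createElement") and
+      call.getArgument(0).mayHaveStringValue("script")
+    )
+    or
+    exists(DataFlow::TypeTracker t2 | result = scriptTag(t2).track(t2, t))
+  }
+
+  /**
+   * Gets a reference to a `<script />` tag created using `document.createElement`,
+   * or an element of type `HTMLScriptElement`.
+   */
+  private DataFlow::SourceNode scriptTag() {
+    result = scriptTag(DataFlow::TypeTracker::end())
+    or
+    result.hasUnderlyingType("HTMLScriptElement")
+  }
+
+  /**
+   * A write to the `textContent` property of a `<script />` tag,
+   * seen as a sink for code injection vulnerabilities.
+   */
+  class ScriptContentSink extends Sink {
+    ScriptContentSink() { this = scriptTag().getAPropertyWrite("textContent").getRhs() }
+  }
+
   /**
    * An expression which may be evaluated as JavaScript.
    */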
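Review bot: The tag-name match in `scriptTag(DataFlow::TypeTracker t)` (`call.getArgument(0).mayHaveStringValue("script")`) is case-sensitive, so `document.createElement("SCRIPT")`, which an HTML document treats as the same script element, never becomes a `scriptTag` and a later `textContent` write to it is not a sink; `exists(string s | call.getArgument(0).mayHaveStringValue(s) | s.toLowerCase() = "script")` would close that gap. Separately, `ScriptContentSink` only covers `textContent`, whereas writes to `text`, `innerText` and `innerHTML` on a script element, and `appendChild(document.createTextNode(...))`, set the same script body that executes once the element is inserted; if those are deliberately left for a later change, a comment on the class such as `// Only textContent is modelled here; text/innerText/innerHTML and createTextNode are not yet covered` would keep the next reader from assuming the sink is complete. The enclosing `module CodeInjection` begins and ends outside this hunk.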