Skip to content

Commit c2175b6

Browse files
authored
Merge pull request #4263 from erik-krogh/importScripts
Approved by esbena
2 parents 5079deb + fa255f3 commit c2175b6

File tree

5 files changed

+42
-0
lines changed

5 files changed

+42
-0
lines changed

change-notes/1.26/analysis-javascript.md

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -35,6 +35,7 @@
3535
| Unused loop iteration variable (`js/unused-loop-variable`) | Fewer results | This query no longer flags variables in a destructuring array assignment that are not the last variable in the destructed array. |
3636
| Unsafe shell command constructed from library input (`js/shell-command-constructed-from-input`) | More results | This query now recognizes more commands where colon, dash, and underscore are used. |
3737
| Unsafe jQuery plugin (`js/unsafe-jquery-plugin`) | More results | This query now detects more unsafe uses of nested option properties. |
38+
| Client-side URL redirect (`js/client-side-unvalidated-url-redirection`) | More results | This query now recognizes some unsafe uses of `importScripts()` inside WebWorkers. |
3839

3940

4041
## Changes to libraries

javascript/ql/src/semmle/javascript/security/dataflow/ClientSideUrlRedirectCustomizations.qll

Lines changed: 9 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -132,6 +132,15 @@ module ClientSideUrlRedirect {
132132
}
133133
}
134134

135+
/**
136+
* An argument to `importScripts(..)` - which is used inside `WebWorker`s to import new scripts - viewed as a `ScriptUrlSink`.
137+
*/
138+
class ImportScriptsSink extends ScriptUrlSink {
139+
ImportScriptsSink() {
140+
this = DataFlow::globalVarRef("importScripts").getACall().getAnArgument()
141+
}
142+
}
143+
135144
/**
136145
* A script or iframe `src` attribute, viewed as a `ScriptUrlSink`.
137146
*/

javascript/ql/src/semmle/javascript/security/dataflow/DOM.qll

Lines changed: 5 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -199,6 +199,11 @@ class PostMessageEventHandler extends Function {
199199
addEventListener.getArgument(0).mayHaveStringValue("message") and
200200
addEventListener.getArgument(1).getABoundFunctionValue(paramIndex).getFunction() = this
201201
)
202+
or
203+
exists(DataFlow::Node rhs |
204+
rhs = DataFlow::globalObjectRef().getAPropertyWrite("onmessage").getRhs() and
205+
rhs.getABoundFunctionValue(paramIndex).getFunction() = this
206+
)
202207
}
203208

204209
/**

javascript/ql/test/query-tests/Security/CWE-601/ClientSideUrlRedirect/ClientSideUrlRedirect.expected

Lines changed: 18 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -113,6 +113,14 @@ nodes
113113
| tst13.js:40:15:40:21 | payload |
114114
| tst13.js:44:14:44:20 | payload |
115115
| tst13.js:44:14:44:20 | payload |
116+
| tst13.js:49:32:49:32 | e |
117+
| tst13.js:49:32:49:32 | e |
118+
| tst13.js:50:23:50:23 | e |
119+
| tst13.js:50:23:50:23 | e |
120+
| tst13.js:52:34:52:34 | e |
121+
| tst13.js:52:34:52:34 | e |
122+
| tst13.js:53:28:53:28 | e |
123+
| tst13.js:53:28:53:28 | e |
116124
| tst.js:2:19:2:69 | /.*redi ... n.href) |
117125
| tst.js:2:19:2:72 | /.*redi ... ref)[1] |
118126
| tst.js:2:19:2:72 | /.*redi ... ref)[1] |
@@ -234,6 +242,14 @@ edges
234242
| tst13.js:2:19:2:35 | document.location | tst13.js:2:19:2:42 | documen ... .search |
235243
| tst13.js:2:19:2:42 | documen ... .search | tst13.js:2:19:2:52 | documen ... bstr(1) |
236244
| tst13.js:2:19:2:52 | documen ... bstr(1) | tst13.js:2:9:2:52 | payload |
245+
| tst13.js:49:32:49:32 | e | tst13.js:50:23:50:23 | e |
246+
| tst13.js:49:32:49:32 | e | tst13.js:50:23:50:23 | e |
247+
| tst13.js:49:32:49:32 | e | tst13.js:50:23:50:23 | e |
248+
| tst13.js:49:32:49:32 | e | tst13.js:50:23:50:23 | e |
249+
| tst13.js:52:34:52:34 | e | tst13.js:53:28:53:28 | e |
250+
| tst13.js:52:34:52:34 | e | tst13.js:53:28:53:28 | e |
251+
| tst13.js:52:34:52:34 | e | tst13.js:53:28:53:28 | e |
252+
| tst13.js:52:34:52:34 | e | tst13.js:53:28:53:28 | e |
237253
| tst.js:2:19:2:69 | /.*redi ... n.href) | tst.js:2:19:2:72 | /.*redi ... ref)[1] |
238254
| tst.js:2:19:2:69 | /.*redi ... n.href) | tst.js:2:19:2:72 | /.*redi ... ref)[1] |
239255
| tst.js:2:47:2:63 | document.location | tst.js:2:47:2:68 | documen ... on.href |
@@ -276,5 +292,7 @@ edges
276292
| tst13.js:36:21:36:27 | payload | tst13.js:2:19:2:35 | document.location | tst13.js:36:21:36:27 | payload | Untrusted URL redirection due to $@. | tst13.js:2:19:2:35 | document.location | user-provided value |
277293
| tst13.js:40:15:40:21 | payload | tst13.js:2:19:2:35 | document.location | tst13.js:40:15:40:21 | payload | Untrusted URL redirection due to $@. | tst13.js:2:19:2:35 | document.location | user-provided value |
278294
| tst13.js:44:14:44:20 | payload | tst13.js:2:19:2:35 | document.location | tst13.js:44:14:44:20 | payload | Untrusted URL redirection due to $@. | tst13.js:2:19:2:35 | document.location | user-provided value |
295+
| tst13.js:50:23:50:23 | e | tst13.js:49:32:49:32 | e | tst13.js:50:23:50:23 | e | Untrusted URL redirection due to $@. | tst13.js:49:32:49:32 | e | user-provided value |
296+
| tst13.js:53:28:53:28 | e | tst13.js:52:34:52:34 | e | tst13.js:53:28:53:28 | e | Untrusted URL redirection due to $@. | tst13.js:52:34:52:34 | e | user-provided value |
279297
| tst.js:2:19:2:72 | /.*redi ... ref)[1] | tst.js:2:47:2:63 | document.location | tst.js:2:19:2:72 | /.*redi ... ref)[1] | Untrusted URL redirection due to $@. | tst.js:2:47:2:63 | document.location | user-provided value |
280298
| tst.js:6:20:6:59 | indirec ... ref)[1] | tst.js:6:34:6:50 | document.location | tst.js:6:20:6:59 | indirec ... ref)[1] | Untrusted URL redirection due to $@. | tst.js:6:34:6:50 | document.location | user-provided value |

javascript/ql/test/query-tests/Security/CWE-601/ClientSideUrlRedirect/tst13.js

Lines changed: 9 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -44,3 +44,12 @@ function foo() {
4444
el.src = payload;
4545
document.body.appendChild(el); // NOT OK
4646
}
47+
48+
(function () {
49+
self.onmessage = function (e) {
50+
importScripts(e); // NOT OK
51+
}
52+
window.onmessage = function (e) {
53+
self.importScripts(e); // NOT OK
54+
}
55+
})();

0 commit comments

Comments
 (0)