JS: add RemoteServerResponse as a heuristic remote flow source

Esben Sparre Andreasen · Esben Sparre Andreasen · commit e41080fb4083 · 2019-09-11T09:38:18.000+02:00
diff --git a/javascript/ql/src/semmle/javascript/heuristics/AdditionalSources.qll b/javascript/ql/src/semmle/javascript/heuristics/AdditionalSources.qll
@@ -31,4 +31,25 @@ private class JSONStringifyAsCommandInjectionSource extends HeuristicSource,
   JSONStringifyAsCommandInjectionSource() {
     this = DataFlow::globalVarRef("JSON").getAMemberCall("stringify")
   }
+
+  override string getSourceType() { result = "a string from JSON.stringify" }
+}
+
+/**
+ * A response from a remote server.
+ */
+class RemoteServerResponse extends HeuristicSource, RemoteFlowSource {
+  RemoteServerResponse() {
+    exists(ClientRequest r |
+      this = r.getAResponseDataNode() and
+      not exists(string url, string protocolPattern |
+        // exclude URLs to the current host
+        r.getUrl().mayHaveStringValue(url) and
+        protocolPattern = "(?[a-z+]{3,10}:)" and
+        not url.regexpMatch(protocolPattern + "?//.*")
+      )
+    )
+  }
+
+  override string getSourceType() { result = "a response from a remote server" }
 }
