JS: Add event handler sink to code injection

asger-semmle · asger-semmle · commit fa95871f460a · 2019-09-06T14:33:00.000+01:00
diff --git a/javascript/ql/src/semmle/javascript/security/dataflow/CodeInjectionCustomizations.qll b/javascript/ql/src/semmle/javascript/security/dataflow/CodeInjectionCustomizations.qll
@@ -101,4 +101,18 @@ module CodeInjection {
       )
     }
   }
+
+  /**
+   * An event handler attribute as a code injection sink.
+   */
+  class EventHandlerAttributeSink extends Sink {
+    EventHandlerAttributeSink() {
+      exists(DOM::AttributeDefinition def |
+        def.getName().regexpMatch("(?i)on.+") and
+        this = def.getValueNode() and
+        // JSX event handlers are functions, not strings
+        not def instanceof JSXAttribute
+      )
+    }
+  }
 }

Original file line number	Diff line number	Diff line change
`@@ -101,4 +101,18 @@ module CodeInjection {`
`101`	`101`	`)`
`102`	`102`	`}`
`103`	`103`	`}`
	`104`	`+`
	`105`	`+ /**`
	`106`	`+ * An event handler attribute as a code injection sink.`
	`107`	`+ */`
	`108`	`+ class EventHandlerAttributeSink extends Sink {`
	`109`	`+ EventHandlerAttributeSink() {`
	`110`	`+ exists(DOM::AttributeDefinition def \|`
	`111`	`+ def.getName().regexpMatch("(?i)on.+") and`
	`112`	`+ this = def.getValueNode() and`
	`113`	`+ // JSX event handlers are functions, not strings`
	`114`	`+ not def instanceof JSXAttribute`
	`115`	`+ )`
	`116`	`+ }`
	`117`	`+ }`
`104`	`118`	`}`