Xss through DOM

Author: erik-krogh

javascript/ql/src/Security/CWE-079/XssThroughDom.ql

@@ -0,0 +1,21 @@
+/**
+ * @name Cross-site scripting through DOM
+ * @description Writing user controlled DOM to HTML can allow for
+ *              a cross-site scripting vulnerability.
+ * @kind path-problem
+ * @problem.severity error
+ * @precision medium
+ * @id js/xss-through-dom
+ * @tags security
+ *       external/cwe/cwe-079
+ *       external/cwe/cwe-116
+ */
+
+import javascript
+import semmle.javascript.security.dataflow.XssThroughDom::XssThroughDom
+import DataFlow::PathGraph
+
+from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
+where cfg.hasFlowPath(source, sink)
+select sink.getNode(), source, sink, "Cross-site scripting vulnerability due to $@.",
+  source.getNode(), "DOM text"

javascript/ql/src/semmle/javascript/security/dataflow/Xss.qll

@@ -413,3 +413,9 @@ module StoredXss {
 
   private class UriEncodingSanitizer extends Sanitizer, Shared::UriEncodingSanitizer { }
 }
+
+/** Provides classes and predicates for the XSS through DOM query. */
+module XssThroughDom {
+  /** A data flow source for XSS through DOM vulnerabilities. */
+  abstract class Source extends Shared::Source { }
+}

javascript/ql/src/semmle/javascript/security/dataflow/XssThroughDom.qll

@@ -0,0 +1,141 @@
+/**
+ * Provides a taint-tracking configuration for reasoning about
+ * cross-site scripting vulnerabilities through the DOM.
+ */
+
+import javascript
+
+/**
+ * Classes and predicates for the XSS through DOM query.
+ */
+module XssThroughDom {
+  import Xss::XssThroughDom
+  private import semmle.javascript.security.dataflow.Xss::DomBasedXss as DomBasedXss
+  private import semmle.javascript.dataflow.InferredTypes
+
+  /**
+   * A taint-tracking configuration for reasoning about XSS through the DOM.
+   */
+  class Configuration extends TaintTracking::Configuration {
+    Configuration() { this = "XssThroughDOM" }
+
+    override predicate isSource(DataFlow::Node source) { source instanceof Source }
+
+    override predicate isSink(DataFlow::Node sink) { sink instanceof DomBasedXss::Sink }
+
+    override predicate isSanitizer(DataFlow::Node node) {
+      super.isSanitizer(node) or
+      node instanceof DomBasedXss::Sanitizer
+    }
+
+    override predicate isSanitizerGuard(TaintTracking::SanitizerGuardNode guard) {
+      guard instanceof TypeTestGuard or
+      guard instanceof HasNodePropertySanitizerGuard
+    }
+  }
+
+  /**
+   * Gets an attribute name that could store user controlled data.
+   *
+   * Attributes such as "id", "href", and "src" are often used as input to HTML.
+   * However, they are either rarely controlable by a user, or already a sink for other XSS vulnerabilities.
+   * Such attributes are therefore ignored.
+   */
+  bindingset[result]
+  string unsafeAttributeName() {
+    result.regexpMatch("data-.*") or
+    result = ["name", "value"]
+  }
+
+  /**
+   * A source for text from the DOM from a JQuery method call.
+   */
+  class JQueryTextSource extends Source, JQuery::MethodCall {
+    JQueryTextSource() {
+      (
+        this.getMethodName() = ["text", "val"] and this.getNumArgument() = 0
+        or
+        this.getMethodName() = "attr" and
+        this.getNumArgument() = 1 and
+        forex(InferredType t | t = this.getArgument(0).analyze().getAType() | t = TTString()) and
+        this.getArgument(0).mayHaveStringValue(unsafeAttributeName())
+      ) and
+      // looks like a $("<p>" + ... ) source, which is benign for this query.
+      not this
+          .getReceiver()
+          .(DataFlow::CallNode)
+          .getAnArgument()
+          .(StringOps::ConcatenationRoot)
+          .getConstantStringParts()
+          .substring(0, 1) = "<"
+    }
+  }
+
+  /**
+   * A source for text from the DOM from a DOM property read or call to `getAttribute()`.
+   */
+  class DOMTextSource extends Source {
+    DOMTextSource() {
+      exists(DataFlow::PropRead read | read = this |
+        read.getBase().getALocalSource() = DOM::domValueRef() and
+        exists(string propName | propName = ["innerText", "textContent", "value", "name"] |
+          read.getPropertyName() = propName or
+          read.getPropertyNameExpr().flow().mayHaveStringValue(propName)
+        )
+      )
+      or
+      exists(DataFlow::MethodCallNode mcn | mcn = this |
+        mcn.getReceiver().getALocalSource() = DOM::domValueRef() and
+        mcn.getMethodName() = "getAttribute" and
+        mcn.getArgument(0).mayHaveStringValue(unsafeAttributeName())
+      )
+    }
+  }
+
+  /**
+   * A test of form `typeof x === "something"`, preventing `x` from being a string in some cases.
+   *
+   * This sanitizer helps prune infeasible paths in type-overloaded functions.
+   */
+  class TypeTestGuard extends TaintTracking::SanitizerGuardNode, DataFlow::ValueNode {
+    override EqualityTest astNode;
+    TypeofExpr typeof;
+    boolean polarity;
+
+    TypeTestGuard() {
+      astNode.getAnOperand() = typeof and
+      (
+        // typeof x === "string" sanitizes `x` when it evaluates to false
+        astNode.getAnOperand().getStringValue() = "string" and
+        polarity = astNode.getPolarity().booleanNot()
+        or
+        // typeof x === "object" sanitizes `x` when it evaluates to true
+        astNode.getAnOperand().getStringValue() != "string" and
+        polarity = astNode.getPolarity()
+      )
+    }
+
+    override predicate sanitizes(boolean outcome, Expr e) {
+      polarity = outcome and
+      e = typeof.getOperand()
+    }
+  }
+
+  /**
+   * The precense of a `nodeType` or `jquery` property indicates that the value is a DOM node, and not the text of a DOM node.
+   *
+   * This sanitizer helps prune infeasible paths in type-overloaded functions.
+   */
+  class HasNodePropertySanitizerGuard extends TaintTracking::SanitizerGuardNode {
+    DataFlow::PropRead read;
+
+    HasNodePropertySanitizerGuard() {
+      read = this and
+      read.getPropertyName() = ["nodeType", "jquery"]
+    }
+
+    override predicate sanitizes(boolean outcome, Expr e) {
+      e = read.getBase().asExpr() and outcome = true
+    }
+  }
+}

javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom.expected

@@ -0,0 +1,63 @@
+nodes
+| xss-through-dom.js:2:16:2:34 | $("textarea").val() |
+| xss-through-dom.js:2:16:2:34 | $("textarea").val() |
+| xss-through-dom.js:2:16:2:34 | $("textarea").val() |
+| xss-through-dom.js:4:16:4:40 | $(".som ... .text() |
+| xss-through-dom.js:4:16:4:40 | $(".som ... .text() |
+| xss-through-dom.js:4:16:4:40 | $(".som ... .text() |
+| xss-through-dom.js:8:16:8:53 | $(".som ... arget") |
+| xss-through-dom.js:8:16:8:53 | $(".som ... arget") |
+| xss-through-dom.js:8:16:8:53 | $(".som ... arget") |
+| xss-through-dom.js:11:3:11:42 | documen ... nerText |
+| xss-through-dom.js:11:3:11:42 | documen ... nerText |
+| xss-through-dom.js:11:3:11:42 | documen ... nerText |
+| xss-through-dom.js:19:3:19:44 | documen ... Content |
+| xss-through-dom.js:19:3:19:44 | documen ... Content |
+| xss-through-dom.js:19:3:19:44 | documen ... Content |
+| xss-through-dom.js:23:3:23:48 | documen ... ].value |
+| xss-through-dom.js:23:3:23:48 | documen ... ].value |
+| xss-through-dom.js:23:3:23:48 | documen ... ].value |
+| xss-through-dom.js:27:3:27:61 | documen ... arget') |
+| xss-through-dom.js:27:3:27:61 | documen ... arget') |
+| xss-through-dom.js:27:3:27:61 | documen ... arget') |
+| xss-through-dom.js:51:30:51:48 | $("textarea").val() |
+| xss-through-dom.js:51:30:51:48 | $("textarea").val() |
+| xss-through-dom.js:51:30:51:48 | $("textarea").val() |
+| xss-through-dom.js:54:31:54:49 | $("textarea").val() |
+| xss-through-dom.js:54:31:54:49 | $("textarea").val() |
+| xss-through-dom.js:54:31:54:49 | $("textarea").val() |
+| xss-through-dom.js:56:30:56:51 | $("inpu ... 0).name |
+| xss-through-dom.js:56:30:56:51 | $("inpu ... 0).name |
+| xss-through-dom.js:56:30:56:51 | $("inpu ... 0).name |
+| xss-through-dom.js:57:30:57:67 | $("inpu ... "name") |
+| xss-through-dom.js:57:30:57:67 | $("inpu ... "name") |
+| xss-through-dom.js:57:30:57:67 | $("inpu ... "name") |
+| xss-through-dom.js:61:30:61:69 | $(docum ... value") |
+| xss-through-dom.js:61:30:61:69 | $(docum ... value") |
+| xss-through-dom.js:61:30:61:69 | $(docum ... value") |
+edges
+| xss-through-dom.js:2:16:2:34 | $("textarea").val() | xss-through-dom.js:2:16:2:34 | $("textarea").val() |
+| xss-through-dom.js:4:16:4:40 | $(".som ... .text() | xss-through-dom.js:4:16:4:40 | $(".som ... .text() |
+| xss-through-dom.js:8:16:8:53 | $(".som ... arget") | xss-through-dom.js:8:16:8:53 | $(".som ... arget") |
+| xss-through-dom.js:11:3:11:42 | documen ... nerText | xss-through-dom.js:11:3:11:42 | documen ... nerText |
+| xss-through-dom.js:19:3:19:44 | documen ... Content | xss-through-dom.js:19:3:19:44 | documen ... Content |
+| xss-through-dom.js:23:3:23:48 | documen ... ].value | xss-through-dom.js:23:3:23:48 | documen ... ].value |
+| xss-through-dom.js:27:3:27:61 | documen ... arget') | xss-through-dom.js:27:3:27:61 | documen ... arget') |
+| xss-through-dom.js:51:30:51:48 | $("textarea").val() | xss-through-dom.js:51:30:51:48 | $("textarea").val() |
+| xss-through-dom.js:54:31:54:49 | $("textarea").val() | xss-through-dom.js:54:31:54:49 | $("textarea").val() |
+| xss-through-dom.js:56:30:56:51 | $("inpu ... 0).name | xss-through-dom.js:56:30:56:51 | $("inpu ... 0).name |
+| xss-through-dom.js:57:30:57:67 | $("inpu ... "name") | xss-through-dom.js:57:30:57:67 | $("inpu ... "name") |
+| xss-through-dom.js:61:30:61:69 | $(docum ... value") | xss-through-dom.js:61:30:61:69 | $(docum ... value") |
+#select
+| xss-through-dom.js:2:16:2:34 | $("textarea").val() | xss-through-dom.js:2:16:2:34 | $("textarea").val() | xss-through-dom.js:2:16:2:34 | $("textarea").val() | Cross-site scripting vulnerability due to $@. | xss-through-dom.js:2:16:2:34 | $("textarea").val() | DOM text |
+| xss-through-dom.js:4:16:4:40 | $(".som ... .text() | xss-through-dom.js:4:16:4:40 | $(".som ... .text() | xss-through-dom.js:4:16:4:40 | $(".som ... .text() | Cross-site scripting vulnerability due to $@. | xss-through-dom.js:4:16:4:40 | $(".som ... .text() | DOM text |
+| xss-through-dom.js:8:16:8:53 | $(".som ... arget") | xss-through-dom.js:8:16:8:53 | $(".som ... arget") | xss-through-dom.js:8:16:8:53 | $(".som ... arget") | Cross-site scripting vulnerability due to $@. | xss-through-dom.js:8:16:8:53 | $(".som ... arget") | DOM text |
+| xss-through-dom.js:11:3:11:42 | documen ... nerText | xss-through-dom.js:11:3:11:42 | documen ... nerText | xss-through-dom.js:11:3:11:42 | documen ... nerText | Cross-site scripting vulnerability due to $@. | xss-through-dom.js:11:3:11:42 | documen ... nerText | DOM text |
+| xss-through-dom.js:19:3:19:44 | documen ... Content | xss-through-dom.js:19:3:19:44 | documen ... Content | xss-through-dom.js:19:3:19:44 | documen ... Content | Cross-site scripting vulnerability due to $@. | xss-through-dom.js:19:3:19:44 | documen ... Content | DOM text |
+| xss-through-dom.js:23:3:23:48 | documen ... ].value | xss-through-dom.js:23:3:23:48 | documen ... ].value | xss-through-dom.js:23:3:23:48 | documen ... ].value | Cross-site scripting vulnerability due to $@. | xss-through-dom.js:23:3:23:48 | documen ... ].value | DOM text |
+| xss-through-dom.js:27:3:27:61 | documen ... arget') | xss-through-dom.js:27:3:27:61 | documen ... arget') | xss-through-dom.js:27:3:27:61 | documen ... arget') | Cross-site scripting vulnerability due to $@. | xss-through-dom.js:27:3:27:61 | documen ... arget') | DOM text |
+| xss-through-dom.js:51:30:51:48 | $("textarea").val() | xss-through-dom.js:51:30:51:48 | $("textarea").val() | xss-through-dom.js:51:30:51:48 | $("textarea").val() | Cross-site scripting vulnerability due to $@. | xss-through-dom.js:51:30:51:48 | $("textarea").val() | DOM text |
+| xss-through-dom.js:54:31:54:49 | $("textarea").val() | xss-through-dom.js:54:31:54:49 | $("textarea").val() | xss-through-dom.js:54:31:54:49 | $("textarea").val() | Cross-site scripting vulnerability due to $@. | xss-through-dom.js:54:31:54:49 | $("textarea").val() | DOM text |
+| xss-through-dom.js:56:30:56:51 | $("inpu ... 0).name | xss-through-dom.js:56:30:56:51 | $("inpu ... 0).name | xss-through-dom.js:56:30:56:51 | $("inpu ... 0).name | Cross-site scripting vulnerability due to $@. | xss-through-dom.js:56:30:56:51 | $("inpu ... 0).name | DOM text |
+| xss-through-dom.js:57:30:57:67 | $("inpu ... "name") | xss-through-dom.js:57:30:57:67 | $("inpu ... "name") | xss-through-dom.js:57:30:57:67 | $("inpu ... "name") | Cross-site scripting vulnerability due to $@. | xss-through-dom.js:57:30:57:67 | $("inpu ... "name") | DOM text |
+| xss-through-dom.js:61:30:61:69 | $(docum ... value") | xss-through-dom.js:61:30:61:69 | $(docum ... value") | xss-through-dom.js:61:30:61:69 | $(docum ... value") | Cross-site scripting vulnerability due to $@. | xss-through-dom.js:61:30:61:69 | $(docum ... value") | DOM text |

javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom.qlref

@@ -0,0 +1 @@
+Security/CWE-079/XssThroughDom.ql

javascript/ql/test/query-tests/Security/CWE-079/xss-through-dom.js

@@ -0,0 +1,62 @@
+(function () {
+	$("#id").html($("textarea").val()); // NOT OK.
+	
+	$("#id").html($(".some-element").text()); // NOT OK.
+	
+	$("#id").html($(".some-element").attr("foo", "bar")); // OK.
+	$("#id").html($(".some-element").attr({"foo": "bar"})); // OK.
+	$("#id").html($(".some-element").attr("data-target")); // NOT OK.
+	
+	$("#id").html(
+		document.getElementById("foo").innerText // NOT OK.	
+	);
+	
+	$("#id").html(
+		document.getElementById("foo").innerHTML // OK - only repeats existing XSS. 	
+	);
+	
+	$("#id").html(
+		document.getElementById("foo").textContent // NOT OK. 	
+	);
+	
+	$("#id").html(
+		document.querySelectorAll("textarea")[0].value // NOT OK. 	
+	);
+	
+	$("#id").html(
+		document.getElementById('div1').getAttribute('data-target') // NOT OK
+	);
+	
+	function safe1(x) { // overloaded function. 
+		if (x.jquery) {
+			var foo = $(x); // OK
+		}
+		 	
+	}
+	safe1($("textarea").val());
+	
+	function safe2(x) { // overloaded function. 
+		if (typeof x === "object") {
+			var foo = $(x); // OK
+		} 	
+	}
+	safe2($("textarea").val());
+	
+
+	$("#id").html(
+		$("<p>" + something() + "</p>").text() // OK - this is for a flow-step to catch, not this query.
+	);
+	
+	
+	$("#id").get(0).innerHTML = $("textarea").val(); // NOT OK.
+	
+	var base = $("#id");
+	base[html ? 'html' : 'text']($("textarea").val()); // NOT OK.
+	
+	$("#id").get(0).innerHTML = $("input").get(0).name; // NOT OK.
+	$("#id").get(0).innerHTML = $("input").get(0).getAttribute("name"); // NOT OK.
+	
+	$("#id").get(0).innerHTML = $("input").getAttribute("id"); // OK.
+	
+	$("#id").get(0).innerHTML = $(document).find("option").attr("value"); // NOT OK. 
+})();