Merge pull request #3679 from asger-semmle/js/dom-value-ref-restriction

Approved by erik-krogh, esbena

Author: semmle-qlci

javascript/ql/src/semmle/javascript/DOM.qll

@@ -291,11 +291,27 @@ module DOM {
      */
     abstract class Range extends DataFlow::Node { }
 
+    private string getADomPropertyName() {
+      exists(ExternalInstanceMemberDecl decl |
+        result = decl.getName() and
+        isDomRootType(decl.getDeclaringType().getASupertype*())
+      )
+    }
+
     private class DefaultRange extends Range {
       DefaultRange() {
         this.asExpr().(VarAccess).getVariable() instanceof DOMGlobalVariable
         or
-        this = domValueRef().getAPropertyRead()
+        exists(DataFlow::PropRead read |
+          this = read and
+          read = domValueRef().getAPropertyRead()
+        |
+          not read.mayHavePropertyName(_)
+          or
+          read.mayHavePropertyName(getADomPropertyName())
+          or
+          read.mayHavePropertyName(any(string s | exists(s.toInt())))
+        )
         or
         this = domElementCreationOrQuery()
         or

javascript/ql/test/library-tests/DOM/Customizations.expected

@@ -4,3 +4,5 @@ test_locationRef
 | customization.js:3:3:3:14 | doc.location |
 test_domValueRef
 | customization.js:4:3:4:28 | doc.get ... 'test') |
+| tst.js:49:3:49:8 | window |
+| tst.js:50:3:50:8 | window |

javascript/ql/test/library-tests/DOM/externs/externs.js

@@ -0,0 +1,10 @@
+/** @externs */
+
+/**
+ * @constructor
+ * @name EventTarget
+ */
+function EventTarget() {}
+
+/** @type {EventTarget} */
+var window;

javascript/ql/test/library-tests/DOM/tst.js

@@ -39,3 +39,13 @@
     factory2();
 
 })();
+
+(function pollute() {
+  class C {
+    foo() {
+      this.x; // Should not be a domValueRef
+    }
+  }
+  window.myApp = new C();
+  window.myApp.foo();
+})();

javascript/ql/test/query-tests/Security/CWE-079/externs.js

@@ -25,6 +25,24 @@
 function EventTarget() {}
 
 /**
- * @type {!EventTarget}
+ * Stub for the DOM hierarchy.
+ *
+ * @constructor
+ * @extends {EventTarget}
+ */
+function DomObjectStub() {}
+
+/**
+ * @type {!DomObjectStub}
+ */
+DomObjectStub.prototype.body;
+
+/**
+ * @type {!DomObjectStub}
+ */
+DomObjectStub.prototype.value;
+
+/**
+ * @type {!DomObjectStub}
  */
 var document;