improve error message in CWE-830

Stephan Brandauer · Stephan Brandauer · commit 8cafa6d56232 · 2022-02-22T11:41:53.000+01:00
diff --git a/javascript/ql/src/Security/CWE-830/FunctionalityFromUntrustedSource.ql b/javascript/ql/src/Security/CWE-830/FunctionalityFromUntrustedSource.ql
@@ -52,18 +52,27 @@ abstract class IncludesUntrustedContent extends HTML::Element {
 class ScriptElementWithUntrustedContent extends IncludesUntrustedContent, HTML::ScriptElement {
   ScriptElementWithUntrustedContent() {
     not exists(string digest | not digest = "" | this.getIntegrityDigest() = digest) and
-    (
-      isUntrustedSourceUrl(this.getSourcePath())
-      or
-      isCdnUrlWithCheckingRequired(this.getSourcePath())
-    )
+    isUntrustedSourceUrl(this.getSourcePath())
   }
 
   override string getProblem() {
     result = "script elements should use an HTTPS url and/or use the integrity attribute"
   }
 }
 
+/** A script element that refers to untrusted content. */
+class CDNScriptElementWithUntrustedContent extends IncludesUntrustedContent, HTML::ScriptElement {
+  CDNScriptElementWithUntrustedContent() {
+    not exists(string digest | not digest = "" | this.getIntegrityDigest() = digest) and
+    isCdnUrlWithCheckingRequired(this.getSourcePath())
+  }
+
+  override string getProblem() {
+    result =
+      "script elements that depend on this CDN should use an HTTPS url and use the integrity attribute"
+  }
+}
+
 /** An iframe element that includes untrusted content. */
 class IframeElementWithUntrustedContent extends HTML::IframeElement, IncludesUntrustedContent {
   IframeElementWithUntrustedContent() { isUntrustedSourceUrl(this.getSourcePath()) }
diff --git a/javascript/ql/test/query-tests/Security/CWE-830/FunctionalityFromUntrustedSource.expected b/javascript/ql/test/query-tests/Security/CWE-830/FunctionalityFromUntrustedSource.expected
@@ -1,3 +1,4 @@
 | FunctionalityFromUntrustedSource.html:6:9:6:56 | <script>...</> | HTML-element uses untrusted content (script elements should use an HTTPS url and/or use the integrity attribute) |
 | FunctionalityFromUntrustedSource.html:9:9:9:58 | <iframe>...</> | HTML-element uses untrusted content (iframe elements should use an HTTPS url) |
 | FunctionalityFromUntrustedSource.html:11:9:11:53 | <iframe>...</> | HTML-element uses untrusted content (iframe elements should use an HTTPS url) |
+| FunctionalityFromUntrustedSource.html:20:9:20:155 | <script>...</> | HTML-element uses untrusted content (script elements that depend on this CDN should use an HTTPS url and use the integrity attribute) |
