JS: fix FP for js/unsafe-jquery-plugin

esbena · esbena · commit cfd567f01d32 · 2020-01-31T19:33:04.000+01:00
diff --git a/javascript/ql/src/semmle/javascript/security/dataflow/UnsafeJQueryPlugin.qll b/javascript/ql/src/semmle/javascript/security/dataflow/UnsafeJQueryPlugin.qll
@@ -35,7 +35,7 @@ module UnsafeJQueryPlugin {
     override predicate isSanitizerGuard(TaintTracking::SanitizerGuardNode node) {
       super.isSanitizerGuard(node) or
       node instanceof IsElementSanitizer or
-      node instanceof IsJQueryObjectSanitizer
+      node instanceof PropertyPrecenseSanitizer
     }
   }
 }
diff --git a/javascript/ql/src/semmle/javascript/security/dataflow/UnsafeJQueryPluginCustomizations.qll b/javascript/ql/src/semmle/javascript/security/dataflow/UnsafeJQueryPluginCustomizations.qll
@@ -171,14 +171,16 @@ module UnsafeJQueryPlugin {
   }
 
   /**
-   * Expression of form `typeof x.jquery !== "undefined"` or `x.jquery`, which sanitizes `x`.
+   * Expression of like `typeof x.<?> !== "undefined"` or `x.<?>`, which sanitizes `x`, as it is unlikely to be a string afterwards.
    */
-  class IsJQueryObjectSanitizer extends TaintTracking::SanitizerGuardNode, DataFlow::ValueNode {
+  class PropertyPrecenseSanitizer extends TaintTracking::SanitizerGuardNode, DataFlow::ValueNode {
     DataFlow::Node input;
     boolean polarity;
 
-    IsJQueryObjectSanitizer() {
-      exists(DataFlow::PropRead read | read.accesses(input, "jquery") |
+    PropertyPrecenseSanitizer() {
+      exists(DataFlow::PropRead read, string name |
+        not name = "length" and read.accesses(input, name)
+      |
         exists(EqualityTest test |
           polarity = test.getPolarity().booleanNot() and
           this = test.flow()
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/UnsafeJQueryPlugin.expected b/javascript/ql/test/query-tests/Security/CWE-079/UnsafeJQueryPlugin.expected
@@ -23,14 +23,6 @@ nodes
 | unsafe-jquery-plugin.js:52:6:52:11 | target |
 | unsafe-jquery-plugin.js:60:6:60:11 | target |
 | unsafe-jquery-plugin.js:60:6:60:11 | target |
-| unsafe-jquery-plugin.js:65:47:65:53 | options |
-| unsafe-jquery-plugin.js:65:47:65:53 | options |
-| unsafe-jquery-plugin.js:67:24:67:44 | $.exten ... ptions) |
-| unsafe-jquery-plugin.js:67:33:67:34 | {} |
-| unsafe-jquery-plugin.js:67:37:67:43 | options |
-| unsafe-jquery-plugin.js:68:45:68:56 | this.options |
-| unsafe-jquery-plugin.js:68:45:68:63 | this.options.parent |
-| unsafe-jquery-plugin.js:68:45:68:63 | this.options.parent |
 | unsafe-jquery-plugin.js:71:38:71:44 | options |
 | unsafe-jquery-plugin.js:71:38:71:44 | options |
 | unsafe-jquery-plugin.js:72:5:72:11 | options |
@@ -129,8 +121,6 @@ nodes
 | unsafe-jquery-plugin.js:165:7:165:29 | target |
 | unsafe-jquery-plugin.js:165:16:165:22 | options |
 | unsafe-jquery-plugin.js:165:16:165:29 | options.target |
-| unsafe-jquery-plugin.js:167:6:167:11 | target |
-| unsafe-jquery-plugin.js:167:6:167:11 | target |
 | unsafe-jquery-plugin.js:170:6:170:11 | target |
 | unsafe-jquery-plugin.js:170:6:170:11 | target |
 edges
@@ -160,14 +150,6 @@ edges
 | unsafe-jquery-plugin.js:11:7:11:29 | target | unsafe-jquery-plugin.js:60:6:60:11 | target |
 | unsafe-jquery-plugin.js:11:16:11:22 | options | unsafe-jquery-plugin.js:11:16:11:29 | options.target |
 | unsafe-jquery-plugin.js:11:16:11:29 | options.target | unsafe-jquery-plugin.js:11:7:11:29 | target |
-| unsafe-jquery-plugin.js:65:47:65:53 | options | unsafe-jquery-plugin.js:67:37:67:43 | options |
-| unsafe-jquery-plugin.js:65:47:65:53 | options | unsafe-jquery-plugin.js:67:37:67:43 | options |
-| unsafe-jquery-plugin.js:67:24:67:44 | $.exten ... ptions) | unsafe-jquery-plugin.js:68:45:68:56 | this.options |
-| unsafe-jquery-plugin.js:67:33:67:34 | {} | unsafe-jquery-plugin.js:67:24:67:44 | $.exten ... ptions) |
-| unsafe-jquery-plugin.js:67:37:67:43 | options | unsafe-jquery-plugin.js:67:24:67:44 | $.exten ... ptions) |
-| unsafe-jquery-plugin.js:67:37:67:43 | options | unsafe-jquery-plugin.js:67:33:67:34 | {} |
-| unsafe-jquery-plugin.js:68:45:68:56 | this.options | unsafe-jquery-plugin.js:68:45:68:63 | this.options.parent |
-| unsafe-jquery-plugin.js:68:45:68:56 | this.options | unsafe-jquery-plugin.js:68:45:68:63 | this.options.parent |
 | unsafe-jquery-plugin.js:71:38:71:44 | options | unsafe-jquery-plugin.js:72:5:72:11 | options |
 | unsafe-jquery-plugin.js:71:38:71:44 | options | unsafe-jquery-plugin.js:72:5:72:11 | options |
 | unsafe-jquery-plugin.js:72:5:72:11 | options | unsafe-jquery-plugin.js:72:5:72:15 | options.foo |
@@ -260,8 +242,6 @@ edges
 | unsafe-jquery-plugin.js:163:40:163:46 | options | unsafe-jquery-plugin.js:163:40:163:53 | options.target |
 | unsafe-jquery-plugin.js:163:40:163:53 | options.target | unsafe-jquery-plugin.js:163:5:163:54 | somethi ... target) |
 | unsafe-jquery-plugin.js:163:40:163:53 | options.target | unsafe-jquery-plugin.js:163:5:163:54 | somethi ... target) |
-| unsafe-jquery-plugin.js:165:7:165:29 | target | unsafe-jquery-plugin.js:167:6:167:11 | target |
-| unsafe-jquery-plugin.js:165:7:165:29 | target | unsafe-jquery-plugin.js:167:6:167:11 | target |
 | unsafe-jquery-plugin.js:165:7:165:29 | target | unsafe-jquery-plugin.js:170:6:170:11 | target |
 | unsafe-jquery-plugin.js:165:7:165:29 | target | unsafe-jquery-plugin.js:170:6:170:11 | target |
 | unsafe-jquery-plugin.js:165:16:165:22 | options | unsafe-jquery-plugin.js:165:16:165:29 | options.target |
@@ -276,7 +256,6 @@ edges
 | unsafe-jquery-plugin.js:48:6:48:11 | target | unsafe-jquery-plugin.js:2:38:2:44 | options | unsafe-jquery-plugin.js:48:6:48:11 | target | Potential XSS vulnerability in the $@. | unsafe-jquery-plugin.js:2:19:63:2 | functio ... \\t\\t}\\n\\n\\t} | '$.fn.my_plugin' plugin |
 | unsafe-jquery-plugin.js:52:6:52:11 | target | unsafe-jquery-plugin.js:2:38:2:44 | options | unsafe-jquery-plugin.js:52:6:52:11 | target | Potential XSS vulnerability in the $@. | unsafe-jquery-plugin.js:2:19:63:2 | functio ... \\t\\t}\\n\\n\\t} | '$.fn.my_plugin' plugin |
 | unsafe-jquery-plugin.js:60:6:60:11 | target | unsafe-jquery-plugin.js:2:38:2:44 | options | unsafe-jquery-plugin.js:60:6:60:11 | target | Potential XSS vulnerability in the $@. | unsafe-jquery-plugin.js:2:19:63:2 | functio ... \\t\\t}\\n\\n\\t} | '$.fn.my_plugin' plugin |
-| unsafe-jquery-plugin.js:68:45:68:63 | this.options.parent | unsafe-jquery-plugin.js:65:47:65:53 | options | unsafe-jquery-plugin.js:68:45:68:63 | this.options.parent | Potential XSS vulnerability in the $@. | unsafe-jquery-plugin.js:65:19:69:2 | functio ... T OK\\n\\t} | '$.fn.my_plugin' plugin |
 | unsafe-jquery-plugin.js:72:5:72:23 | options.foo.bar.baz | unsafe-jquery-plugin.js:71:38:71:44 | options | unsafe-jquery-plugin.js:72:5:72:23 | options.foo.bar.baz | Potential XSS vulnerability in the $@. | unsafe-jquery-plugin.js:71:19:74:2 | functio ... / OK\\n\\t} | '$.fn.my_plugin' plugin |
 | unsafe-jquery-plugin.js:77:17:77:35 | options.foo.bar.baz | unsafe-jquery-plugin.js:76:38:76:44 | options | unsafe-jquery-plugin.js:77:17:77:35 | options.foo.bar.baz | Potential XSS vulnerability in the $@. | unsafe-jquery-plugin.js:76:19:78:2 | functio ... T OK\\n\\t} | '$.fn.my_plugin' plugin |
 | unsafe-jquery-plugin.js:90:6:90:6 | t | unsafe-jquery-plugin.js:84:38:84:44 | options | unsafe-jquery-plugin.js:90:6:90:6 | t | Potential XSS vulnerability in the $@. | unsafe-jquery-plugin.js:84:19:93:2 | functio ... ns);\\n\\t} | '$.fn.my_plugin' plugin |
@@ -291,5 +270,4 @@ edges
 | unsafe-jquery-plugin.js:157:44:157:59 | options.target.a | unsafe-jquery-plugin.js:153:38:153:44 | options | unsafe-jquery-plugin.js:157:44:157:59 | options.target.a | Potential XSS vulnerability in the $@. | unsafe-jquery-plugin.js:153:19:158:2 | functio ... gged\\n\\t} | '$.fn.my_plugin' plugin |
 | unsafe-jquery-plugin.js:161:5:161:30 | anyPref ... .target | unsafe-jquery-plugin.js:160:38:160:44 | options | unsafe-jquery-plugin.js:161:5:161:30 | anyPref ... .target | Potential XSS vulnerability in the $@. | unsafe-jquery-plugin.js:160:19:173:2 | functio ... \\t\\t}\\n\\n\\t} | '$.fn.my_plugin' plugin |
 | unsafe-jquery-plugin.js:163:5:163:54 | somethi ... target) | unsafe-jquery-plugin.js:160:38:160:44 | options | unsafe-jquery-plugin.js:163:5:163:54 | somethi ... target) | Potential XSS vulnerability in the $@. | unsafe-jquery-plugin.js:160:19:173:2 | functio ... \\t\\t}\\n\\n\\t} | '$.fn.my_plugin' plugin |
-| unsafe-jquery-plugin.js:167:6:167:11 | target | unsafe-jquery-plugin.js:160:38:160:44 | options | unsafe-jquery-plugin.js:167:6:167:11 | target | Potential XSS vulnerability in the $@. | unsafe-jquery-plugin.js:160:19:173:2 | functio ... \\t\\t}\\n\\n\\t} | '$.fn.my_plugin' plugin |
 | unsafe-jquery-plugin.js:170:6:170:11 | target | unsafe-jquery-plugin.js:160:38:160:44 | options | unsafe-jquery-plugin.js:170:6:170:11 | target | Potential XSS vulnerability in the $@. | unsafe-jquery-plugin.js:160:19:173:2 | functio ... \\t\\t}\\n\\n\\t} | '$.fn.my_plugin' plugin |

Original file line number	Diff line number	Diff line change
`@@ -35,7 +35,7 @@ module UnsafeJQueryPlugin {`
`35`	`35`	`override predicate isSanitizerGuard(TaintTracking::SanitizerGuardNode node) {`
`36`	`36`	`super.isSanitizerGuard(node) or`
`37`	`37`	`node instanceof IsElementSanitizer or`
`38`		`- node instanceof IsJQueryObjectSanitizer`
	`38`	`+ node instanceof PropertyPrecenseSanitizer`
`39`	`39`	`}`
`40`	`40`	`}`
`41`	`41`	`}`