JS: Add browser source kinds

asgerf · asgerf · commit fc5c38963975 · 2026-02-25T09:09:51.000+01:00
diff --git a/javascript/ql/lib/semmle/javascript/frameworks/data/ModelsAsData.qll b/javascript/ql/lib/semmle/javascript/frameworks/data/ModelsAsData.qll
@@ -35,6 +35,18 @@ private class RemoteFlowSourceFromMaD extends RemoteFlowSource {
   override string getSourceType() { result = "Remote flow" }
 }
 
+private class ClientSideRemoteFlowSourceFromMaD extends ClientSideRemoteFlowSource {
+  private ClientSideRemoteFlowKind kind;
+
+  ClientSideRemoteFlowSourceFromMaD() { ModelOutput::sourceNode(this, kind) }
+
+  override ClientSideRemoteFlowKind getKind() { result = kind }
+
+  override string getSourceType() {
+    result = "Source node (" + this.getThreatModel() + ") [from data-extension]"
+  }
+}
+
 /**
  * A threat-model flow source originating from a data extension.
  */
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/RemoteFlowSources.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/RemoteFlowSources.qll
@@ -30,6 +30,9 @@ private module Cached {
    */
   cached
   abstract class ClientSideRemoteFlowSource extends RemoteFlowSource {
+    cached
+    override string getThreatModel() { result = this.getKind() }
+
     /** Gets a string indicating what part of the browser environment this was derived from. */
     cached
     abstract ClientSideRemoteFlowKind getKind();
@@ -43,35 +46,41 @@ import Cached
 
 /**
  * A type of remote flow source that is specific to the browser environment.
+ *
+ * The underlying string also corresponds to a source kind and threat model kind.
  */
 class ClientSideRemoteFlowKind extends string {
   ClientSideRemoteFlowKind() {
-    this = ["query", "fragment", "path", "url", "name", "message-event"]
+    this =
+      [
+        "browser-url-query", "browser-url-fragment", "browser-url-path", "browser-url",
+        "browser-window-name", "browser-message-event"
+      ]
   }
 
   /**
-   * Holds if this is the `query` kind, describing sources derived from the query parameters of the browser URL,
+   * Holds if this is the `browser-url-query` kind, describing sources derived from the query parameters of the browser URL,
    * such as `location.search`.
    */
-  predicate isQuery() { this = "query" }
+  predicate isQuery() { this = "browser-url-query" }
 
   /**
-   * Holds if this is the `frgament` kind, describing sources derived from the fragment part of the browser URL,
+   * Holds if this is the `browser-url-fragment` kind, describing sources derived from the fragment part of the browser URL,
    * such as `location.hash`.
    */
-  predicate isFragment() { this = "fragment" }
+  predicate isFragment() { this = "browser-url-fragment" }
 
   /**
-   * Holds if this is the `path` kind, describing sources derived from the pathname of the browser URL,
+   * Holds if this is the `browser-url-path` kind, describing sources derived from the pathname of the browser URL,
    * such as `location.pathname`.
    */
-  predicate isPath() { this = "path" }
+  predicate isPath() { this = "browser-url-path" }
 
   /**
-   * Holds if this is the `url` kind, describing sources derived from the browser URL,
+   * Holds if this is the `browser-url` kind, describing sources derived from the browser URL,
    * where the untrusted part of the URL is prefixed by trusted data, such as the scheme and hostname.
    */
-  predicate isUrl() { this = "url" }
+  predicate isUrl() { this = "browser-url" }
 
   /** Holds if this is the `query` or `fragment` kind. */
   predicate isQueryOrFragment() { this.isQuery() or this.isFragment() }
@@ -83,13 +92,13 @@ class ClientSideRemoteFlowKind extends string {
   predicate isPathOrUrl() { this.isPath() or this.isUrl() }
 
   /** Holds if this is the `name` kind, describing sources derived from the window name, such as `window.name`. */
-  predicate isWindowName() { this = "name" }
+  predicate isWindowName() { this = "browser-window-name" }
 
   /**
-   * Holds if this is the `message-event` kind, describing sources derived from cross-window message passing,
+   * Holds if this is the `browser-message-event` kind, describing sources derived from cross-window message passing,
    * such as `event` in `window.onmessage = event => {...}`.
    */
-  predicate isMessageEvent() { this = "message-event" }
+  predicate isMessageEvent() { this = "browser-message-event" }
 }
 
 /**
diff --git a/javascript/ql/test/library-tests/threat-models/default/ActiveKinds.expected b/javascript/ql/test/library-tests/threat-models/default/ActiveKinds.expected
@@ -1,3 +1,10 @@
+| browser |
+| browser-message-event |
+| browser-url |
+| browser-url-fragment |
+| browser-url-path |
+| browser-url-query |
+| browser-window-name |
 | default |
 | remote |
 | request |
diff --git a/shared/threat-models/ext/threat-model-grouping.model.yml b/shared/threat-models/ext/threat-model-grouping.model.yml
@@ -23,6 +23,15 @@ extensions:
       - ["android-external-storage-dir", "android"]
       - ["contentprovider", "android"]
 
+      # Browser sources
+      - ["browser", "remote"]
+      - ["browser-window-name", "browser"]
+      - ["browser-message-event", "browser"]
+      - ["browser-url", "browser"]
+      - ["browser-url-query", "browser-url"]
+      - ["browser-url-path", "browser-url"]
+      - ["browser-url-fragment", "browser-url"]
+
       # Threat models that are not grouped with any other threat models.
       # (Note that all threat models are a child of "all" implicitly, and we
       # make it explicit here just to make sure all threat models are listed.)
