JS: add query "Unsafe jQuery plugin"

Author: esbena

change-notes/1.24/analysis-javascript.md

@@ -28,6 +28,7 @@
 | Regular expression always matches (`js/regex/always-matches`) | correctness, regular-expressions | Highlights regular expression checks that trivially succeed by matching an empty substring. Results are shown on LGTM by default. |
 | Missing await (`js/missing-await`) | correctness | Highlights expressions that operate directly on a promise object in a nonsensical way, instead of awaiting its result. Results are shown on LGTM by default. |
 | Prototype pollution in utility function (`js/prototype-pollution-utility`) | security, external/cwe/cwe-400, external/cwe/cwe-471 | Highlights recursive copying operations that are susceptible to prototype pollution. Results are shown on LGTM by default. |
+| Unsafe jQuery plugin (`js/unsafe-jquery-plugin`) | Highlights potential XSS vulnerabilities in unsafely designed jQuery plugins. |
 
 ## Changes to existing queries
 

javascript/config/suites/javascript/security

@@ -14,6 +14,7 @@
 + semmlecode-javascript-queries/Security/CWE-079/ReflectedXss.ql: /Security/CWE/CWE-079
 + semmlecode-javascript-queries/Security/CWE-079/StoredXss.ql: /Security/CWE/CWE-079
 + semmlecode-javascript-queries/Security/CWE-079/Xss.ql: /Security/CWE/CWE-079
++ semmlecode-javascript-queries/Security/CWE-079/UnsafeJQueryPlugin.ql: /Security/CWE/CWE-079
 + semmlecode-javascript-queries/Security/CWE-089/SqlInjection.ql: /Security/CWE/CWE-089
 + semmlecode-javascript-queries/Security/CWE-094/CodeInjection.ql: /Security/CWE/CWE-094
 + semmlecode-javascript-queries/Security/CWE-094/UnsafeDynamicMethodAccess.ql: /Security/CWE/CWE-094

javascript/ql/src/Security/CWE-079/UnsafeJQueryPlugin.qhelp

@@ -0,0 +1,98 @@
+<!DOCTYPE qhelp PUBLIC
+"-//Semmle//qhelp//EN"
+"qhelp.dtd">
+<qhelp>
+
+	<overview>
+		<p>
+
+			Library plugins, such as those for the jQuery library, are often
+			configurable through options provided by the clients of the
+			plugin.
+
+			Clients, however, do not know the implementation details of the
+			plugin, so it is important to document the capabilities of each
+			option.  Of particular importance is the documentation for the plugin
+			options that the client is responsible for sanitizing.
+
+			Otherwise, the plugin may write user input (for example, a URL query
+			parameter) to a web page without properly sanitizing the input first,
+			which allows for a cross-site scripting vulnerability in the client
+			application.
+
+		</p>
+	</overview>
+
+	<recommendation>
+		<p>
+
+			Document all options that can lead to cross-site scripting attacks.
+
+		</p>
+	</recommendation>
+
+	<example>
+		<p>
+
+			The following example shows a jQuery plugin that selects a DOM
+			element, and copies its text content another DOM element.  The
+			selection is performed by using the plugin option
+			<code>sourceSelector</code> as a CSS selector.
+
+		</p>
+
+		<sample src="examples/UnsafeJQueryPlugin.js" />
+
+		<p>
+
+			This is however not a safe plugin, since the call to
+			<code>jQuery</code> interprets <code>sourceSelector</code> as HTML if
+			it is a string that starts with <code>&lt;</code>.
+
+		</p>
+
+		<p>
+
+			Instead of documenting that the client is responsible for
+			sanitizing <code>sourceSelector</code>, the plugin can use
+			<code>jQuery.find</code> to always interpret
+			<code>sourceSelector</code> as a CSS selector:
+
+		</p>
+
+		<sample src="examples/UnsafeJQueryPlugin_safe.js" />
+
+
+	</example>
+
+	<references>
+		<li>
+			OWASP:
+			<a href="https://www.owasp.org/index.php/DOM_based_XSS_Prevention_Cheat_Sheet">DOM based
+			XSS Prevention Cheat Sheet</a>.
+		</li>
+		<li>
+			OWASP:
+			<a href="https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet">XSS
+			(Cross Site Scripting) Prevention Cheat Sheet</a>.
+		</li>
+		<li>
+			OWASP
+			<a href="https://www.owasp.org/index.php/DOM_Based_XSS">DOM Based XSS</a>.
+		</li>
+		<li>
+			OWASP
+			<a href="https://www.owasp.org/index.php/Types_of_Cross-Site_Scripting">Types of Cross-Site
+			Scripting</a>.
+		</li>
+		<li>
+			Wikipedia: <a href="http://en.wikipedia.org/wiki/Cross-site_scripting">Cross-site scripting</a>.
+		</li>
+		<li>
+			jQuery: <a href="https://learn.jquery.com/plugins/basic-plugin-creation/">Plugin creation</a>.
+		</li>
+		<li>
+			Bootstrap:	<a href="https://github.com/twbs/bootstrap/pull/27047">XSS vulnerable bootstrap plugins</a>.
+		</li>
+	</references>
+</qhelp>

javascript/ql/src/Security/CWE-079/UnsafeJQueryPlugin.ql

@@ -0,0 +1,25 @@
+/**
+ * @name Unsafe jQuery plugin
+ * @description A jQuery plugin that unintentionally constructs HTML from some of its options may be unsafe to use for clients.
+ * @kind path-problem
+ * @problem.severity error
+ * @precision high
+ * @id js/unsafe-jquery-plugin
+ * @tags security
+ *       external/cwe/cwe-079
+ *       external/cwe/cwe-116
+ *       frameworks/jquery
+ */
+
+import javascript
+import semmle.javascript.security.dataflow.UnsafeJQueryPlugin::UnsafeJQueryPlugin
+import DataFlow::PathGraph
+
+from
+  Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink, JQueryPluginMethod plugin
+where
+  cfg.hasFlowPath(source, sink) and
+  source.getNode().(Source).getPlugin() = plugin and
+  not isLikelyIntentionalHtmlSink(plugin, sink.getNode())
+select sink.getNode(), source, sink, "Potential XSS vulnerability in the $@.", plugin,
+  "'$.fn." + plugin.getPluginName() + "' plugin"

javascript/ql/src/Security/CWE-079/examples/UnsafeJQueryPlugin.js

@@ -0,0 +1,6 @@
+jQuery.fn.copyText = function(options) {
+	// BAD may evaluate `options.sourceSelector` as HTML
+	var source = jQuery(options.sourceSelector),
+	    text = source.text();
+	jQuery(this).text(text);
+}

javascript/ql/src/Security/CWE-079/examples/UnsafeJQueryPlugin_safe.js

@@ -0,0 +1,6 @@
+jQuery.fn.copyText = function(options) {
+	// GOOD may not evaluate `options.sourceSelector` as HTML
+	var source = jQuery.find(options.sourceSelector),
+	    text = source.text();
+	jQuery(this).text(text);
+}

javascript/ql/src/semmle/javascript/security/dataflow/UnsafeJQueryPlugin.qll

@@ -0,0 +1,41 @@
+/**
+ * Provides a taint-tracking configuration for reasoning about DOM-based
+ * cross-site scripting vulnerabilities in unsafe jQuery plugins.
+ */
+
+import javascript
+import semmle.javascript.security.dataflow.Xss
+
+module UnsafeJQueryPlugin {
+  import UnsafeJQueryPluginCustomizations::UnsafeJQueryPlugin
+
+  /**
+   * A taint-tracking configuration for reasoning about XSS in unsafe jQuery plugins.
+   */
+  class Configuration extends TaintTracking::Configuration {
+    Configuration() { this = "UnsafeJQueryPlugin" }
+
+    override predicate isSource(DataFlow::Node source) { source instanceof Source }
+
+    override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
+
+    override predicate isSanitizer(DataFlow::Node node) {
+      super.isSanitizer(node)
+      or
+      node instanceof DomBasedXss::Sanitizer
+      or
+      node instanceof Sanitizer
+    }
+
+    override predicate isAdditionalTaintStep(DataFlow::Node src, DataFlow::Node sink) {
+      // jQuery plugins tend to be implemented as classes that store data in fields initialized by the constructor.
+      DataFlow::localFieldStep(src, sink)
+    }
+
+    override predicate isSanitizerGuard(TaintTracking::SanitizerGuardNode node) {
+      super.isSanitizerGuard(node) or
+      node instanceof IsElementSanitizer or
+      node instanceof IsJQueryObjectSanitizer
+    }
+  }
+}