
Commit 9178f4b

committed
add support for the anser library
1 parent 2e266c7 commit 9178f4b


5 files changed

+61
-0
lines changed

5 files changed

+61
-0
lines changed
Lines changed: 4 additions & 0 deletions
@@ -0,0 +1,4 @@
1+
lgtm,codescanning
2+
* The security queries now track taint through the anser library.
3+
Affected packages are
4+
[anser](https://www.npmjs.com/package/anser)

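--- a/javascript/ql/src/javascript.qll
+++ b/javascript/ql/src/javascript.qll
@@ -68,6 +68,7 @@ import semmle.javascript.dataflow.TaintTracking
 import semmle.javascript.dataflow.TypeInference
 import semmle.javascript.frameworks.Angular2
 import semmle.javascript.frameworks.AngularJS
+import semmle.javascript.frameworks.Anser
 import semmle.javascript.frameworks.AsyncPackage
 import semmle.javascript.frameworks.AWS
 import semmle.javascript.frameworks.Azure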
Lines changed: 31 additions & 0 deletions
@@ -0,0 +1,31 @@
1+
/**
2+
* Provides classes for working with applications using [anser](https://www.npmjs.com/package/anser).
3+
*/
4+
5+
import javascript
6+
7+
/**
8+
* A taint step for the [anser](https://www.npmjs.com/package/anser) library.
9+
*/
10+
private class AnserTaintStep extends TaintTracking::SharedTaintStep {
11+
override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
12+
exists(API::CallNode call |
13+
call =
14+
API::moduleImport("anser")
15+
.getMember(["linkify", "ansiToHtml", "ansiToText", "ansiToJson"])
16+
.getACall()
17+
or
18+
call =
19+
API::moduleImport("anser")
20+
.getInstance()
21+
.getMember([
22+
"linkify", "ansiToHtml", "ansiToText", "ansiToJson", "process", "processChunkJson",
23+
"processChunk"
24+
])
25+
.getACall()
26+
|
27+
succ = call and
28+
pred = call.getArgument(0)
29+
)
30+
}
31+
}
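Review bot: The QLDoc on `AnserTaintStep` (line 8 of the new file) only says it is a taint step; it should state the direction and scope so readers of the shared step list know what it claims, e.g. `* A taint step for the [anser](https://www.npmjs.com/package/anser) library: taint flows from the first argument of the module-level and instance conversion methods (ansiToHtml, ansiToText, ansiToJson, linkify, process, ...) to their result.` Because it extends `TaintTracking::SharedTaintStep`, the step applies to every taint-tracking query, not just the XSS queries the change note mentions, which is worth a sentence there too. Anser also exposes an `escapeForHtml` helper; nothing in this file models it as a sanitizer, so a flow through it is still reported — that is the conservative default, but a short note saying so would make the omission look deliberate rather than overlooked.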

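--- a/javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/XssThroughDom.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/XssThroughDom.expected
@@ -103,6 +103,15 @@ nodes
 | xss-through-dom.js:81:17:81:43 | $('#foo ... rText') |
 | xss-through-dom.js:81:17:81:43 | $('#foo ... rText') |
 | xss-through-dom.js:81:17:81:43 | $('#foo ... rText') |
+| xss-through-dom.js:84:8:84:30 | text |
+| xss-through-dom.js:84:15:84:30 | $("text").text() |
+| xss-through-dom.js:84:15:84:30 | $("text").text() |
+| xss-through-dom.js:86:16:86:37 | anser.a ... l(text) |
+| xss-through-dom.js:86:16:86:37 | anser.a ... l(text) |
+| xss-through-dom.js:86:33:86:36 | text |
+| xss-through-dom.js:87:16:87:40 | new ans ... s(text) |
+| xss-through-dom.js:87:16:87:40 | new ans ... s(text) |
+| xss-through-dom.js:87:36:87:39 | text |
 edges
 | forms.js:8:23:8:28 | values | forms.js:9:31:9:36 | values |
 | forms.js:8:23:8:28 | values | forms.js:9:31:9:36 | values |
@@ -161,6 +170,14 @@ edges
 | xss-through-dom.js:73:20:73:41 | $("inpu ... 0).name | xss-through-dom.js:73:9:73:41 | selector |
 | xss-through-dom.js:79:4:79:34 | documen ... t.value | xss-through-dom.js:79:4:79:34 | documen ... t.value |
 | xss-through-dom.js:81:17:81:43 | $('#foo ... rText') | xss-through-dom.js:81:17:81:43 | $('#foo ... rText') |
+| xss-through-dom.js:84:8:84:30 | text | xss-through-dom.js:86:33:86:36 | text |
+| xss-through-dom.js:84:8:84:30 | text | xss-through-dom.js:87:36:87:39 | text |
+| xss-through-dom.js:84:15:84:30 | $("text").text() | xss-through-dom.js:84:8:84:30 | text |
+| xss-through-dom.js:84:15:84:30 | $("text").text() | xss-through-dom.js:84:8:84:30 | text |
+| xss-through-dom.js:86:33:86:36 | text | xss-through-dom.js:86:16:86:37 | anser.a ... l(text) |
+| xss-through-dom.js:86:33:86:36 | text | xss-through-dom.js:86:16:86:37 | anser.a ... l(text) |
+| xss-through-dom.js:87:36:87:39 | text | xss-through-dom.js:87:16:87:40 | new ans ... s(text) |
+| xss-through-dom.js:87:36:87:39 | text | xss-through-dom.js:87:16:87:40 | new ans ... s(text) |
 #select
 | forms.js:9:31:9:40 | values.foo | forms.js:8:23:8:28 | values | forms.js:9:31:9:40 | values.foo | $@ is reinterpreted as HTML without escaping meta-characters. | forms.js:8:23:8:28 | values | DOM text |
 | forms.js:12:31:12:40 | values.bar | forms.js:11:24:11:29 | values | forms.js:12:31:12:40 | values.bar | $@ is reinterpreted as HTML without escaping meta-characters. | forms.js:11:24:11:29 | values | DOM text |
@@ -190,3 +207,5 @@ edges
 | xss-through-dom.js:77:4:77:11 | selector | xss-through-dom.js:73:20:73:41 | $("inpu ... 0).name | xss-through-dom.js:77:4:77:11 | selector | $@ is reinterpreted as HTML without escaping meta-characters. | xss-through-dom.js:73:20:73:41 | $("inpu ... 0).name | DOM text |
 | xss-through-dom.js:79:4:79:34 | documen ... t.value | xss-through-dom.js:79:4:79:34 | documen ... t.value | xss-through-dom.js:79:4:79:34 | documen ... t.value | $@ is reinterpreted as HTML without escaping meta-characters. | xss-through-dom.js:79:4:79:34 | documen ... t.value | DOM text |
 | xss-through-dom.js:81:17:81:43 | $('#foo ... rText') | xss-through-dom.js:81:17:81:43 | $('#foo ... rText') | xss-through-dom.js:81:17:81:43 | $('#foo ... rText') | $@ is reinterpreted as HTML without escaping meta-characters. | xss-through-dom.js:81:17:81:43 | $('#foo ... rText') | DOM text |
+| xss-through-dom.js:86:16:86:37 | anser.a ... l(text) | xss-through-dom.js:84:15:84:30 | $("text").text() | xss-through-dom.js:86:16:86:37 | anser.a ... l(text) | $@ is reinterpreted as HTML without escaping meta-characters. | xss-through-dom.js:84:15:84:30 | $("text").text() | DOM text |
+| xss-through-dom.js:87:16:87:40 | new ans ... s(text) | xss-through-dom.js:84:15:84:30 | $("text").text() | xss-through-dom.js:87:16:87:40 | new ans ... s(text) | $@ is reinterpreted as HTML without escaping meta-characters. | xss-through-dom.js:84:15:84:30 | $("text").text() | DOM text |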

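--- a/javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/xss-through-dom.js
+++ b/javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/xss-through-dom.js
@@ -79,4 +79,10 @@
 $(document.my_form.my_input.value); // NOT OK
 
 $("#id").html( $('#foo').prop('innerText') ); // NOT OK
+
+const anser = require("anser");
+const text = $("text").text();
+
+$("#id").html(anser.ansiToHtml(text)); // NOT OK
+$("#id").html(new anser().process(text)); // NOT OK
 })();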
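Review bot: The two new cases at lines 86–87 exercise only `ansiToHtml` on the module and `process` on an instance, so the other members listed in the new taint step (`linkify`, `ansiToText`, `ansiToJson`, `processChunk`, `processChunkJson`) have no test and a misspelling in those lists would not be caught by the expected-output diff. One sink per remaining member would close that gap, e.g. `$("#id").html(anser.linkify(text)); // NOT OK` and `$("#id").html(new anser().processChunk(text)); // NOT OK`, with the matching rows added to XssThroughDom.expected. The enclosing IIFE closed by `})();` starts outside the hunk.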
