codeql/javascript/ql/examples/queries/dataflow/DecodingAfterSanitization/DecodingAfterSanitizationGeneralized.ql at codeql-cli/latest · github/codeql · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
/**
 * @name Decoding after sanitization (generalized)
 * @description Tracks the return value of an HTML sanitizer into an escape-sequence decoder,
 *              indicating an ineffective sanitization attempt.
 * @kind path-problem
 * @problem.severity error
 * @tags security
 * @id js/examples/decoding-after-sanitization-generalized
 */

import javascript

/**
 * A call to a function that may introduce HTML meta-characters by
 * replacing `%3C` or `\u003C` with `<`.
 */
class DecodingCall extends DataFlow::CallNode {
  string kind;
  DataFlow::Node input;

  DecodingCall() {
    this.getCalleeName().matches("decodeURI%") and
    input = this.getArgument(0) and
    kind = "URI decoding"
    or
    input = this.(JsonParserCall).getInput() and
    kind = "JSON parsing"
  }

  /** Gets the decoder kind, to be used in the alert message. */
  string getKind() { result = kind }

  /** Gets the input being decoded. */
  DataFlow::Node getInput() { result = input }
}

module DecodingAfterSanitizationConfig implements DataFlow::ConfigSig {
  predicate isSource(DataFlow::Node node) { node instanceof HtmlSanitizerCall }

  predicate isSink(DataFlow::Node node) { node = any(DecodingCall c).getInput() }
}

module DecodingAfterSanitizationFlow = TaintTracking::Global<DecodingAfterSanitizationConfig>;

import DecodingAfterSanitizationFlow::PathGraph

from
  DecodingAfterSanitizationFlow::PathNode source, DecodingAfterSanitizationFlow::PathNode sink,
  DecodingCall decoder
where
  DecodingAfterSanitizationFlow::flowPath(source, sink) and
  decoder.getInput() = sink.getNode()
select sink.getNode(), source, sink, decoder.getKind() + " invalidates $@.", source.getNode(),
  "this HTML sanitization"