Merge pull request #18397 from aegilops/angular-sources-sinks

JavaScript CodeQL library updates: new Angular sink(s)

Author: asgerf

Diff for: javascript/ql/lib/change-notes/2025-01-03-angular-source-sink.md

@@ -0,0 +1,4 @@
+---
+category: majorAnalysis
+---
+* Added new XSS sink where `innerHTML` or `outerHTML` is assigned to with the Angular Renderer2 API, plus modeled this API as a general attribute setter

Diff for: javascript/ql/lib/semmle/javascript/frameworks/Angular2.qll

@@ -556,6 +556,41 @@ module Angular2 {
     }
   }
 
+  /**
+   * A DOM attribute write, using the AngularJS Renderer2 API: a call to `Renderer2.setProperty`.
+   */
+  class AngularRenderer2AttributeDefinition extends DOM::AttributeDefinition {
+    DataFlow::Node propertyNode;
+    DataFlow::Node valueNode;
+    DataFlow::Node elementNode;
+
+    AngularRenderer2AttributeDefinition() {
+      exists(API::CallNode setProperty |
+        setProperty =
+          API::moduleImport("@angular/core")
+              .getMember("Renderer2")
+              .getInstance()
+              .getMember("setProperty")
+              .getACall() and
+        elementNode = setProperty.getArgument(0) and
+        propertyNode = setProperty.getArgument(1) and
+        valueNode = setProperty.getArgument(2) and
+        this = setProperty.asExpr()
+      )
+    }
+
+    override string getName() { result = propertyNode.getStringValue() }
+
+    /**
+     * Get the `DataFlow::Node` that is affected by this Attribute Definition.
+     *
+     *  Defined instead of defining `getElement()`, which requires returning a DOM element definition, `ElementDefinition`.
+     */
+    DataFlow::Node getElementNode() { result = elementNode }
+
+    override DataFlow::Node getValueNode() { result = valueNode }
+  }
+
   /**
    * A source of DOM events originating from the `$event` variable in an event handler installed in an Angular template.
    */

Diff for: javascript/ql/lib/semmle/javascript/security/dataflow/DomBasedXssCustomizations.qll

@@ -287,6 +287,20 @@ module DomBasedXss {
     }
   }
 
+  /**
+   * A write to the `innerHTML` or `outerHTML` property of a DOM element, viewed as an XSS sink.
+   *
+   * Uses the Angular Renderer2 API, instead of the default `Element.innerHTML` property.
+   */
+  class AngularRender2SetPropertyInnerHtmlSink2 extends Sink {
+    AngularRender2SetPropertyInnerHtmlSink2() {
+      exists(Angular2::AngularRenderer2AttributeDefinition attrDef |
+        attrDef.getName() = ["innerHTML", "outerHTML"] and
+        this = attrDef.getValueNode()
+      )
+    }
+  }
+
   /**
    * A value being piped into the `safe` pipe in a template file,
    * disabling subsequent HTML escaping.

Diff for: javascript/ql/src/Security/CWE-079/ExceptionXss.expected

@@ -0,0 +1,6 @@
+nodes
+| examples/ExceptionXssAjv.js:11:18:11:33 | ajv.errorsText() | semmle.label | ajv.errorsText() |
+edges
+subpaths
+#select
+| examples/ExceptionXssAjv.js:11:18:11:33 | ajv.errorsText() | examples/ExceptionXssAjv.js:11:18:11:33 | ajv.errorsText() | examples/ExceptionXssAjv.js:11:18:11:33 | ajv.errorsText() | $@ is reinterpreted as HTML without escaping meta-characters. | examples/ExceptionXssAjv.js:11:18:11:33 | ajv.errorsText() | JSON schema validation error |

Diff for: javascript/ql/src/Security/CWE-079/ReflectedXss.expected

@@ -0,0 +1,8 @@
+edges
+| examples/ReflectedXss.js:6:33:6:45 | req.params.id | examples/ReflectedXss.js:6:14:6:45 | "Unknow ... rams.id | provenance |  |
+nodes
+| examples/ReflectedXss.js:6:14:6:45 | "Unknow ... rams.id | semmle.label | "Unknow ... rams.id |
+| examples/ReflectedXss.js:6:33:6:45 | req.params.id | semmle.label | req.params.id |
+subpaths
+#select
+| examples/ReflectedXss.js:6:14:6:45 | "Unknow ... rams.id | examples/ReflectedXss.js:6:33:6:45 | req.params.id | examples/ReflectedXss.js:6:14:6:45 | "Unknow ... rams.id | Cross-site scripting vulnerability due to a $@. | examples/ReflectedXss.js:6:33:6:45 | req.params.id | user-provided value |

Diff for: javascript/ql/src/Security/CWE-079/StoredXss.expected

@@ -0,0 +1,21 @@
+edges
+| examples/StoredXss.js:5:44:5:52 | fileNames | examples/StoredXss.js:7:9:7:17 | fileNames | provenance |  |
+| examples/StoredXss.js:7:9:7:17 | fileNames | examples/StoredXss.js:7:27:7:34 | fileName | provenance |  |
+| examples/StoredXss.js:7:9:7:17 | fileNames | examples/StoredXss.js:11:9:11:12 | list | provenance |  |
+| examples/StoredXss.js:7:27:7:34 | fileName | examples/StoredXss.js:9:30:9:37 | fileName | provenance |  |
+| examples/StoredXss.js:9:30:9:37 | fileName | examples/StoredXss.js:9:13:9:47 | list | provenance |  |
+| examples/StoredXss.js:11:9:11:12 | list | examples/StoredXss.js:11:9:11:23 | list | provenance |  |
+| examples/StoredXss.js:11:9:11:23 | list | examples/StoredXss.js:12:18:12:21 | list | provenance |  |
+nodes
+| examples/StoredXss.js:5:44:5:52 | fileNames | semmle.label | fileNames |
+| examples/StoredXss.js:7:9:7:17 | fileNames | semmle.label | fileNames |
+| examples/StoredXss.js:7:27:7:34 | fileName | semmle.label | fileName |
+| examples/StoredXss.js:9:13:9:47 | list | semmle.label | list |
+| examples/StoredXss.js:9:30:9:37 | fileName | semmle.label | fileName |
+| examples/StoredXss.js:11:9:11:12 | list | semmle.label | list |
+| examples/StoredXss.js:11:9:11:23 | list | semmle.label | list |
+| examples/StoredXss.js:12:18:12:21 | list | semmle.label | list |
+subpaths
+| examples/StoredXss.js:7:9:7:17 | fileNames | examples/StoredXss.js:7:27:7:34 | fileName | examples/StoredXss.js:9:13:9:47 | list | examples/StoredXss.js:11:9:11:12 | list |
+#select
+| examples/StoredXss.js:12:18:12:21 | list | examples/StoredXss.js:5:44:5:52 | fileNames | examples/StoredXss.js:12:18:12:21 | list | Stored cross-site scripting vulnerability due to $@. | examples/StoredXss.js:5:44:5:52 | fileNames | stored value |

Diff for: javascript/ql/src/Security/CWE-079/UnsafeHtmlConstruction.expected

@@ -0,0 +1,4 @@
+nodes
+edges
+subpaths
+#select

Diff for: javascript/ql/src/Security/CWE-079/UnsafeJQueryPlugin.expected

@@ -0,0 +1,10 @@
+edges
+| examples/UnsafeJQueryPlugin.js:1:31:1:37 | options | examples/UnsafeJQueryPlugin.js:3:22:3:28 | options | provenance |  |
+| examples/UnsafeJQueryPlugin.js:3:22:3:28 | options | examples/UnsafeJQueryPlugin.js:3:22:3:43 | options ... elector | provenance |  |
+nodes
+| examples/UnsafeJQueryPlugin.js:1:31:1:37 | options | semmle.label | options |
+| examples/UnsafeJQueryPlugin.js:3:22:3:28 | options | semmle.label | options |
+| examples/UnsafeJQueryPlugin.js:3:22:3:43 | options ... elector | semmle.label | options ... elector |
+subpaths
+#select
+| examples/UnsafeJQueryPlugin.js:3:22:3:43 | options ... elector | examples/UnsafeJQueryPlugin.js:1:31:1:37 | options | examples/UnsafeJQueryPlugin.js:3:22:3:43 | options ... elector | Potential XSS vulnerability in the $@. | examples/UnsafeJQueryPlugin.js:1:22:6:1 | functio ... ext);\\n} | '$.fn.copyText' plugin |

Diff for: javascript/ql/src/Security/CWE-079/Xss.expected

@@ -0,0 +1,4 @@
+nodes
+edges
+subpaths
+#select

Diff for: javascript/ql/src/Security/CWE-079/XssThroughDom.expected

@@ -0,0 +1,10 @@
+edges
+| examples/XssThroughDom.js:2:9:2:44 | target | examples/XssThroughDom.js:3:7:3:12 | target | provenance |  |
+| examples/XssThroughDom.js:2:18:2:44 | $(this) ... arget") | examples/XssThroughDom.js:2:9:2:44 | target | provenance |  |
+nodes
+| examples/XssThroughDom.js:2:9:2:44 | target | semmle.label | target |
+| examples/XssThroughDom.js:2:18:2:44 | $(this) ... arget") | semmle.label | $(this) ... arget") |
+| examples/XssThroughDom.js:3:7:3:12 | target | semmle.label | target |
+subpaths
+#select
+| examples/XssThroughDom.js:3:7:3:12 | target | examples/XssThroughDom.js:2:18:2:44 | $(this) ... arget") | examples/XssThroughDom.js:3:7:3:12 | target | $@ is reinterpreted as HTML without escaping meta-characters. | examples/XssThroughDom.js:2:18:2:44 | $(this) ... arget") | DOM text |