codeql/javascript/ql/src/Security/CWE-116/IncompleteHtmlAttributeSanitization.ql at main · github/codeql · GitHub

Name: codeql/javascript/ql/src/Security/CWE-116/IncompleteHtmlAttributeSanitization.ql at main · github/codeql · GitHub
Rating: 4.9 (6106 reviews)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
/**
 * @name Incomplete HTML attribute sanitization
 * @description Writing incompletely sanitized values to HTML
 * attribute strings can lead to a cross-site
 * scripting vulnerability.
 * @kind path-problem
 * @problem.severity warning
 * @security-severity 6.1
 * @precision high
 * @id js/incomplete-html-attribute-sanitization
 * @tags security
 * external/cwe/cwe-079
 * external/cwe/cwe-116
 * external/cwe/cwe-020
 */

import javascript
import semmle.javascript.security.dataflow.IncompleteHtmlAttributeSanitizationQuery
import semmle.javascript.security.IncompleteBlacklistSanitizer
import DataFlow::DeduplicatePathGraph<IncompleteHtmlAttributeSanitizationFlow::PathNode, IncompleteHtmlAttributeSanitizationFlow::PathGraph>

/**
 * Gets a pretty string of the dangerous characters for `sink`.
 */
stringprettyPrintDangerousCharaters(Sinksink){
result=
strictconcat(strings|
s=describeCharacters(sink.getADangerousCharacter())
|
s,", "orderbys
).regexpReplaceAll(",(?=[^,]+$)"," or")
}

fromPathNodesource,PathNodesink
where
 IncompleteHtmlAttributeSanitizationFlow::flowPath(source.getAnOriginalPathNode(),
sink.getAnOriginalPathNode())
selectsink.getNode(),source,sink,
// this message is slightly sub-optimal as we do not have an easy way
// to get the flow labels that reach the sink, so the message includes
// all of them in a disjunction
"Cross-site scripting vulnerability as the output of $@ may contain "+
prettyPrintDangerousCharaters(sink.getNode())+" when it reaches this attribute definition.",
source.getNode(),"this final HTML sanitizer step"