Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

JavaScript CodeQL library updates: new Angular sink(s) #18397

Draft
wants to merge 22 commits into
base: main
Choose a base branch
from
Draft
Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
22 commits
Select commit Hold shift + click to select a range
09e4c78
New XSS sink - writing to innerHTML using the Angular Renderer2 API
aegilops Jan 3, 2025
0f64822
New remote source - reading from an @Input() decorated class member
aegilops Jan 3, 2025
a23f4ee
Merge branch 'main' into angular-sources-sinks
aegilops Jan 3, 2025
4773917
Formatting
aegilops Jan 3, 2025
4891c1e
Added QLdoc and simplified QL in source class
aegilops Jan 3, 2025
7128700
Simplified AngularInputUse class
aegilops Jan 3, 2025
aba8be2
Changelog for Angular source/sink update
aegilops Jan 3, 2025
8dac00a
Change from getParameter() to getArgument()
aegilops Jan 6, 2025
e414b8c
Remove @Input() decorated members as remote sources, in favour of a l…
aegilops Jan 6, 2025
6fb2013
Update changelog note to remove new source
aegilops Jan 6, 2025
322c731
Attempt at AttributeDefinition to generalise Angular Renderer2 support
aegilops Jan 6, 2025
564df36
Merge branch 'main' of https://github.com/github/codeql into angular-…
aegilops Jan 6, 2025
820fe6c
Formatting
aegilops Jan 6, 2025
4530118
Comment out hardcoded definition of sink
aegilops Jan 6, 2025
2dc9e7b
Moved def from AngularJSCore to Angular2
aegilops Jan 8, 2025
4b57d5f
Added XSS sink for innerHTML/outerHTML using new Angular attribute def
aegilops Jan 8, 2025
98b4c35
Set doc string on getElementNode predicate
aegilops Jan 9, 2025
62599b2
Formatted
aegilops Jan 9, 2025
e7881a8
Fix typo
aegilops Jan 9, 2025
b07e801
Add new test for new XSS sink, update `expected` to match
aegilops Jan 9, 2025
1ada511
Merge branch 'main' into angular-sources-sinks
aegilops Jan 9, 2025
da68a04
Merge branch 'angular-sources-sinks' of https://github.com/aegilops/c…
aegilops Jan 9, 2025
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Original file line number Diff line number Diff line change
@@ -0,0 +1,4 @@
---
category: majorAnalysis
---
* Added new XSS sink where `InnerHTML` is assigned to with the Angular Renderer2 API
35 changes: 35 additions & 0 deletions javascript/ql/lib/semmle/javascript/frameworks/Angular2.qll
Original file line number Diff line number Diff line change
Expand Up @@ -554,4 +554,39 @@ module Angular2 {
this = API::Node::ofType("@angular/core", "ElementRef").getMember("nativeElement").asSource()
}
}

/**
* A DOM attribute write, using the AngularJS Renderer2 API: a call to `Renderer2.setProperty`.
*/
class AngularRenderer2AttributeDefinition extends DOM::AttributeDefinition {
DataFlow::Node propertyNode;
DataFlow::Node valueNode;
DataFlow::Node elementNode;

AngularRenderer2AttributeDefinition() {
exists(API::CallNode setProperty |
setProperty =
API::moduleImport("@angular/core")
.getMember("Renderer2")
.getInstance()
.getMember("setProperty")
.getACall() and
elementNode = setProperty.getArgument(0) and
propertyNode = setProperty.getArgument(1) and
valueNode = setProperty.getArgument(2) and
this = setProperty.asExpr()
)
}

override string getName() { result = propertyNode.getStringValue() }

/**
* Get the `DataFlow::Node` that is affected by this Attribute Definition.
*
* Defined instead of defining `getElement()`, which requires returning a DOM element definition, `ElementDefinition`.
*/
DataFlow::Node getElementNode() { result = elementNode }

override DataFlow::Node getValueNode() { result = valueNode }
}
}
Original file line number Diff line number Diff line change
Expand Up @@ -251,6 +251,20 @@ module DomBasedXss {
}
}

/**
* A write to the `innerHTML` or `outerHTML` property of a DOM element, viewed as an XSS sink.
*
* Uses the Angular Renderer2 API, instead of the default `Element.innerHTML` property.
*/
class AngularRender2SetPropertyInnerHtmlSink2 extends Sink {
AngularRender2SetPropertyInnerHtmlSink2() {
exists(Angular2::AngularRenderer2AttributeDefinition attrDef |
attrDef.getName() = ["innerHTML", "outerHTML"] and
this = attrDef.getValueNode()
)
}
}

/**
* A value being piped into the `safe` pipe in a template file,
* disabling subsequent HTML escaping.
Expand Down
Loading
Loading