JavaScript CodeQL library updates: new Angular sink(s) #18397

Draft
wants to merge 22 commits into
base: main
Changes from 5 commits
Commits
09e4c78
New XSS sink - writing to innerHTML using the Angular Renderer2 API
aegilops Jan 3, 2025
0f64822
New remote source - reading from an @Input() decorated class member
aegilops Jan 3, 2025
a23f4ee
Merge branch 'main' into angular-sources-sinks
aegilops Jan 3, 2025
4773917
Formatting
aegilops Jan 3, 2025
4891c1e
Added QLdoc and simplified QL in source class
aegilops Jan 3, 2025
7128700
Simplified AngularInputUse class
aegilops Jan 3, 2025
aba8be2
Changelog for Angular source/sink update
aegilops Jan 3, 2025
8dac00a
Change from getParameter() to getArgument()
aegilops Jan 6, 2025
e414b8c
Remove @Input() decorated members as remote sources, in favour of a l…
aegilops Jan 6, 2025
6fb2013
Update changelog note to remove new source
aegilops Jan 6, 2025
322c731
Attempt at AttributeDefinition to generalise Angular Renderer2 support
aegilops Jan 6, 2025
564df36
Merge branch 'main' of https://github.com/github/codeql into angular-…
aegilops Jan 6, 2025
820fe6c
Formatting
aegilops Jan 6, 2025
4530118
Comment out hardcoded definition of sink
aegilops Jan 6, 2025
2dc9e7b
Moved def from AngularJSCore to Angular2
aegilops Jan 8, 2025
4b57d5f
Added XSS sink for innerHTML/outerHTML using new Angular attribute def
aegilops Jan 8, 2025
98b4c35
Set doc string on getElementNode predicate
aegilops Jan 9, 2025
62599b2
Formatted
aegilops Jan 9, 2025
e7881a8
Fix typo
aegilops Jan 9, 2025
b07e801
Add new test for new XSS sink, update `expected` to match
aegilops Jan 9, 2025
1ada511
Merge branch 'main' into angular-sources-sinks
aegilops Jan 9, 2025
da68a04
Merge branch 'angular-sources-sinks' of https://github.com/aegilops/c…
aegilops Jan 9, 2025
Expand Up @@ -251,6 +251,26 @@ module DomBasedXss {
}
}

/**
* A write to the `innerHTML` property of a DOM element, viewed as an XSS sink.
*
* Uses the Angular Renderer2 API, instead of the default `Element.innerHTML` property.
*/
class AngularRender2SetPropertyInnerHtmlSink extends Sink {
AngularRender2SetPropertyInnerHtmlSink() {
exists(API::CallNode setProperty |
setProperty =
API::moduleImport("@angular/core")
.getMember("Renderer2")
.getInstance()
.getMember("setProperty")
.getACall() and
this = setProperty.getParameter(2).asSink() and
setProperty.getParameter(1).asSink().asExpr().(StringLiteral).getValue() = "innerHTML"
aegilops marked this conversation as resolved.
)
}
}

/**
* A value being piped into the `safe` pipe in a template file,
* disabling subsequent HTML escaping.
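Review bot: The property-name test at the end of the `exists` body, `setProperty.getParameter(1).asSink().asExpr().(StringLiteral).getValue() = "innerHTML"`, only matches a string literal written directly in the call, so a call that passes the name through a constant or variable holding "innerHTML" produces no sink and the query reports nothing. Taking the data-flow node for that argument and checking it with `mayHaveStringValue("innerHTML")` would cover those cases, and the same check should accept `outerHTML`, which is an equivalent HTML sink. The class name also spells the API as `Render2` while the modelled member is `Renderer2`; renaming it now avoids a deprecation later.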
Expand Up @@ -184,3 +184,39 @@

override string getSourceType() { result = ap.getSourceType() }
}

/**
* Angular @Input() decorator on a member declaration.
*/
class InputMember extends MemberDeclaration {
InputMember() {
exists(Decorator decorator, Expr expr |
decorator.getElement() = this and
decorator.getExpression() = expr and
expr.(CallExpr).getCallee().(VarRef).getName() = "Input"
)
}
}

/**
* Use of an Angular @Input() member, modelled as `InputMember`.
*/
class InputMemberUse extends DataFlow::Node {
InputMemberUse() {
exists(InputMember member, string memberName, ThisExpr ta, FieldAccess fa |
memberName = member.getName() and
fa.getBase() = ta and
fa.getPropertyName() = memberName and
this.asExpr() = fa
)
}
}

/**
* A remote flow source that is a member of an Angular component class.
*/
private class AngularInputUse extends RemoteFlowSource {
AngularInputUse() { this instanceof InputMemberUse }

override string getSourceType() { result = "Angular @Input()" }
}
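Review bot: In `InputMemberUse`, the `exists` relates `fa` to `member` only through `fa.getPropertyName() = memberName`, so any `this.<name>` access in any class becomes a remote flow source as soon as some unrelated class declares an `@Input()` member with the same name. Constrain `ta` to the class that declares `member` so the access and the decorated declaration belong to the same component. `InputMember` has a similar looseness: it matches any decorator call whose callee is a `VarRef` named "Input", without tying it to an import from `@angular/core`, so an aliased import is missed and an unrelated `Input` decorator is matched. It is also worth documenting in the QLdoc why every `@Input()` value is treated as remote, since the value is whatever the parent template binds and this will widen the results of every query that uses `RemoteFlowSource`.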