Skip to content

Conversation

@asgerf
Copy link
Contributor

@asgerf asgerf commented Oct 19, 2020

The jQuery $() function interprets its input as HTML only if it starts with <.

To avoid FPs from an expression like $(location.hash) which always starts with #, the XSS query treated the .hash property specially, but in a way that could cause FNs for other kinds of sinks, like innerHTML assignments, where it doesn't matter what the string starts with.

This PR moves handling of the jQuery sink into a separate data-flow configuration. Most importantly, this allows us to tweak the jQuery sink handling without interfering with other sinks. We now handle the jQuery sink by requiring that any value derived from .hash must have undergone some transformation before reaching $().

Evaluation (internal link) was quiet.

@asgerf asgerf requested a review from a team as a code owner October 19, 2020 08:16
Copy link
Contributor

@esbena esbena left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Very nice.
I am glad that this multi-Configuration pattern still scales.

* An argument to the jQuery `$` function, which is interpreted as either a selector
* or as an HTML string depending on its first character.
*/
class JQuerySelectorSink extends Sink {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Two things here:

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Renamed to JQueryHtmlOrSelector... and shared some logic with AmbiguousHtmlOrSelectorArgument.

/**
* DEPRECATED. Use `HtmlInjectionConfiguration` or `JQuerySelectorInjectionConfiguration`.
*/
deprecated class Configuration = HtmlInjectionConfiguration;
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Have you considered mentioning this deprecation explicitly in the change notes? I would expect this particular Configuration instance to be the one that is most commonly imported in external queries.

from DataFlow::Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
where
(
cfg instanceof HtmlInjectionConfiguration or
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In these BDD-times, could you perhaps also check if the compiler stays happy if you include a few more (dummy) configurations in this disjunct?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Adding two more configs seems to trigger the memory limit 😬

@asgerf asgerf force-pushed the js/separate-jquery-config branch from fadc465 to c91cdb5 Compare October 20, 2020 11:02
Copy link
Contributor

@esbena esbena left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks. I think we should merge regardless of the newly discovered compilation limit, that is not the fault of this PR after all.
I have one more optional comment on the change note.

## Changes to libraries
* The predicate `TypeAnnotation.hasQualifiedName` now works in more cases when the imported library was not present during extraction.
* The class `DomBasedXss::Configuration` has been deprecated, as it has been split into `DomBasedXss::HtmlInjectionConfiguration` and `DomBasedXss::JQueryHtmlOrSelectorInjectionConfiguration`. Unless specifically working with jQuery sinks, uses of that
class should be replaced with `HtmlInjectionConfiguration`.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could we also point the reader towards our Xss.ql for how to use both configurations at once? That is after all how you would work around this deprecation with a customized XSS query.

@codeql-ci codeql-ci merged commit da58306 into github:main Oct 21, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants