codeql/javascript/ql/src/Security/CWE-079/UnsafeHtmlConstruction.ql at 4e25036cdcb23a43efa5153888ffa7210d2b7590 · github/codeql · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
/**
 * @name Unsafe HTML constructed from library input
 * @description Using externally controlled strings to construct HTML might allow a malicious
 *              user to perform a cross-site scripting attack.
 * @kind path-problem
 * @problem.severity error
 * @security-severity 6.1
 * @precision high
 * @id js/html-constructed-from-input
 * @tags security
 *       external/cwe/cwe-079
 *       external/cwe/cwe-116
 */

import javascript
import semmle.javascript.security.dataflow.UnsafeHtmlConstructionQuery
import DataFlow::DeduplicatePathGraph<UnsafeHtmlConstructionFlow::PathNode, UnsafeHtmlConstructionFlow::PathGraph>

from PathNode source, PathNode sink, Sink sinkNode
where
  UnsafeHtmlConstructionFlow::flowPath(source.getAnOriginalPathNode(), sink.getAnOriginalPathNode()) and
  sink.getNode() = sinkNode
select sinkNode, source, sink,
  "This " + sinkNode.describe() + " which depends on $@ might later allow $@.", source.getNode(),
  "library input", sinkNode.getSink(), sinkNode.getVulnerabilityKind().toLowerCase()