/**
* @name Decoding after sanitization
* @description Tracks the return value of 'escapeHtml' into 'decodeURI', indicating
* an ineffective sanitization attempt.
* @kind path-problem
* @problem.severity error
* @tags security
* @id js/examples/decoding-after-sanitization
*/
import javascript
import DataFlow
import DataFlow::PathGraph
/**
 * Taint-tracking configuration that follows the result of a call to
 * `escapeHtml` into the first argument of a call whose callee name starts
 * with `decodeURI` (the `%` wildcard makes `decodeURIComponent` match too).
 * Decoding a value after it has been escaped can reintroduce characters the
 * escaping step was meant to neutralize, which is why this flow is reported.
 */
class DecodingAfterSanitization extends TaintTracking::Configuration {
  DecodingAfterSanitization() { this = "DecodingAfterSanitization" }

  /** Holds if `node` is a call to `escapeHtml`, i.e. the sanitizer's result. */
  override predicate isSource(Node node) {
    exists(CallNode sanitizer |
      sanitizer.getCalleeName() = "escapeHtml" and
      node = sanitizer
    )
  }

  /** Holds if `node` is the first argument of a call named `decodeURI...`. */
  override predicate isSink(Node node) {
    node = any(CallNode decoder | decoder.getCalleeName().matches("decodeURI%")).getArgument(0)
  }
}
// Report every taint path from an `escapeHtml` result to a `decodeURI*`
// argument. The alert is placed on the decoding sink and links back to the
// sanitizer call via the `$@` placeholder.
from DecodingAfterSanitization config, PathNode sanitized, PathNode decoded
where config.hasFlowPath(sanitized, decoded)
select decoded.getNode(), sanitized, decoded,
  "URI decoding invalidates the HTML sanitization performed $@.", sanitized.getNode(), "here"