CodeQL library for JavaScript/TypeScript
codeql/javascript-all 2.3.1-dev (changelog, source)
Module ClientSideUrlRedirect

Import path

import semmle.javascript.security.dataflow.ClientSideUrlRedirectCustomizations

Imports

CommonFlowState

Contains a class with flow states that are used by multiple queries.

Predicates

isPrefixExtraction

Holds if node extracts a part of a URL that does not contain the suffix.

untrustedUrlSubstring

Holds if substring refers to a substring of base which is considered untrusted when base is the current URL.

Classes

AttributeUrlSink

A write to a href or similar attribute viewed as a ScriptUrlSink.

AttributeWriteUrlSink

A write of an attribute which may execute JavaScript code or exfiltrate data to an attacker-controlled site.

ElectronShellOpenExternalSink

The first argument to a call to openExternal seen as a sink for unvalidated URL redirection. Improper use of openExternal can be leveraged to compromise the user’s host. When openExternal is used with untrusted content, it can be leveraged to execute arbitrary commands.

HistoryWriteUrlSink

A write to the location using the history library.

ImportScriptsSink

An argument to importScripts(..) - which is used inside WebWorkers to import new scripts - viewed as a ScriptUrlSink.

LocationSink

A sink which is used to set the window location.

NextRoutePushUrlSink

A call to change the current URL with a Next.js router.

ReactAttributeWriteUrlSink

A write to a React attribute which may execute JavaScript code.

RemoteFlowSourceAsSource

DEPRECATED: Use ActiveThreatModelSource from Concepts instead!

Sanitizer

A sanitizer for unvalidated URL redirect vulnerabilities.

ScriptUrlSink

An expression that may be interpreted as the URL of a script.

Sink

A data flow sink for unvalidated URL redirect vulnerabilities.

Source

A data flow source for unvalidated URL redirect vulnerabilities.

WebWorkerScriptUrlSink

An argument expression to new Worker(...), viewed as a ScriptUrlSink.

Aliases

DocumentUrl

DEPRECATED. Replaced by functionality from the TaintedUrlSuffix library.