CodeQL library for JavaScript/TypeScript
codeql/javascript-all 2.6.23 (changelog, source)
Index
Search

Module DomBasedXssConfig

A taint-tracking configuration for reasoning about XSS by DOM manipulation.

Both ordinary HTML sinks, URL sinks, and JQuery selector based sinks.

  • HTML sinks are sinks for any tainted value
  • URL sinks are only sinks when the scheme is user controlled
  • JQuery selector sinks are sinks when the tainted value can start with <.

The above is achieved using three flow states:

  • TaintedUrlSuffix: a URL where the attacker only controls a suffix.
  • Taint: a tainted value where the attacker controls part of the value.
  • PrefixLabel: a tainted value where the attacker controls the prefix

Import path

import semmle.javascript.security.dataflow.DomBasedXssQuery

Imports

CommonFlowState

Contains a class with flow states that are used by multiple queries.

Predicates

isAdditionalFlowStep

Holds if data may flow from node1 to node2 in addition to the normal data-flow steps. This step is only applicable in state1 and updates the flow state to state2.

isBarrier

Holds if data flow through node is prohibited. This completely removes node from the data flow graph.

isBarrier

Holds if data flow through node is prohibited when the flow state is state.

isBarrierIn

Holds if data flow into node is prohibited when the target flow state is state.

isSink

Holds if sink is a relevant data flow sink accepting state.

isSource

Holds if source is a relevant data flow source with the given initial state.

observeDiffInformedIncrementalMode

Holds if sources and sinks should be filtered to only include those that may lead to a flow path with either a source or a sink in the location range given by AlertFiltering. This only has an effect when running in diff-informed incremental mode.