forked from github/codeql
-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathDecodingAfterSanitization.ql
More file actions
33 lines (27 loc) · 1.08 KB
/
DecodingAfterSanitization.ql
File metadata and controls
33 lines (27 loc) · 1.08 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
/**
* @name Decoding after sanitization
* @description Tracks the return value of 'escapeHtml' into 'decodeURI', indicating
* an ineffective sanitization attempt.
* @kind path-problem
* @problem.severity error
* @tags security
* @id js/examples/decoding-after-sanitization
*/
import javascript
module DecodingAfterSanitizationConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node node) {
node.(DataFlow::CallNode).getCalleeName() = "escapeHtml"
}
predicate isSink(DataFlow::Node node) {
exists(DataFlow::CallNode call |
call.getCalleeName().matches("decodeURI%") and
node = call.getArgument(0)
)
}
}
module DecodingAfterSanitizationFlow = TaintTracking::Global<DecodingAfterSanitizationConfig>;
import DecodingAfterSanitizationFlow::PathGraph
from DecodingAfterSanitizationFlow::PathNode source, DecodingAfterSanitizationFlow::PathNode sink
where DecodingAfterSanitizationFlow::flowPath(source, sink)
select sink.getNode(), source, sink, "URI decoding invalidates the HTML sanitization performed $@.",
source.getNode(), "here"