require that the plugin and sink are in the same toplevel

erik-krogh · erik-krogh · commit f13a4f5771b8 · 2020-09-04T13:59:16.000+02:00
diff --git a/javascript/ql/src/semmle/javascript/security/dataflow/UnsafeJQueryPluginCustomizations.qll b/javascript/ql/src/semmle/javascript/security/dataflow/UnsafeJQueryPluginCustomizations.qll
@@ -177,7 +177,7 @@ module UnsafeJQueryPlugin {
    */
   class AmbiguousHtmlOrSelectorArgumentAsSink extends Sink {
     AmbiguousHtmlOrSelectorArgumentAsSink() {
-      this instanceof AmbiguousHtmlOrSelectorArgument and not isLikelyIntentionalHtmlSink(_, this)
+      this instanceof AmbiguousHtmlOrSelectorArgument and not isLikelyIntentionalHtmlSink(this)
     }
   }
 
@@ -191,15 +191,16 @@ module UnsafeJQueryPlugin {
   }
 
   /**
-   * Holds if `plugin` likely expects `sink` to be treated as a HTML fragment.
+   * Holds if there exists a jQuery plugin that likely expects `sink` to be treated as a HTML fragment.
    */
-  predicate isLikelyIntentionalHtmlSink(JQuery::JQueryPluginMethod plugin, DataFlow::Node sink) {
-    exists(DataFlow::PropWrite defaultDef, string default, DataFlow::PropRead finalRead |
+  predicate isLikelyIntentionalHtmlSink(DataFlow::Node sink) {
+    exists(JQuery::JQueryPluginMethod plugin, DataFlow::PropWrite defaultDef, string default, DataFlow::PropRead finalRead |
       hasDefaultOption(plugin, defaultDef) and
       defaultDef.getPropertyName() = finalRead.getPropertyName() and
       defaultDef.getRhs().mayHaveStringValue(default) and
       default.regexpMatch("\\s*<.*") and
-      finalRead.flowsTo(sink)
+      finalRead.flowsTo(sink) and
+      sink.getTopLevel() = plugin.getTopLevel()
     )
   }
 }

Original file line number	Diff line number	Diff line change
`@@ -177,7 +177,7 @@ module UnsafeJQueryPlugin {`
`177`	`177`	`*/`
`178`	`178`	`class AmbiguousHtmlOrSelectorArgumentAsSink extends Sink {`
`179`	`179`	`AmbiguousHtmlOrSelectorArgumentAsSink() {`
`180`		`- this instanceof AmbiguousHtmlOrSelectorArgument and not isLikelyIntentionalHtmlSink(_, this)`
	`180`	`+ this instanceof AmbiguousHtmlOrSelectorArgument and not isLikelyIntentionalHtmlSink(this)`
`181`	`181`	`}`
`182`	`182`	`}`
`183`	`183`
`@@ -191,15 +191,16 @@ module UnsafeJQueryPlugin {`
`191`	`191`	`}`
`192`	`192`
`193`	`193`	`/**`
`194`		- * Holds if `plugin` likely expects `sink` to be treated as a HTML fragment.
	`194`	+ * Holds if there exists a jQuery plugin that likely expects `sink` to be treated as a HTML fragment.
`195`	`195`	`*/`
`196`		`- predicate isLikelyIntentionalHtmlSink(JQuery::JQueryPluginMethod plugin, DataFlow::Node sink) {`
`197`		`- exists(DataFlow::PropWrite defaultDef, string default, DataFlow::PropRead finalRead \|`
	`196`	`+ predicate isLikelyIntentionalHtmlSink(DataFlow::Node sink) {`
	`197`	`+ exists(JQuery::JQueryPluginMethod plugin, DataFlow::PropWrite defaultDef, string default, DataFlow::PropRead finalRead \|`
`198`	`198`	`hasDefaultOption(plugin, defaultDef) and`
`199`	`199`	`defaultDef.getPropertyName() = finalRead.getPropertyName() and`
`200`	`200`	`defaultDef.getRhs().mayHaveStringValue(default) and`
`201`	`201`	`default.regexpMatch("\\s<.") and`
`202`		`- finalRead.flowsTo(sink)`
	`202`	`+ finalRead.flowsTo(sink) and`
	`203`	`+ sink.getTopLevel() = plugin.getTopLevel()`
`203`	`204`	`)`
`204`	`205`	`}`
`205`	`206`	`}`