JavaScript CodeQL library updates: new Angular sink(s)

[aegilops]

Pull Request checklist

All query authors

• A change note is added if necessary. See the documentation in this repository.
• All new queries have appropriate .qhelp. See the documentation in this repository.
• QL tests are added if necessary. See Testing custom queries in the GitHub documentation.
• New and changed queries have correct query metadata. See the documentation in this repository.

Internal query authors only

• Autofixes generated based on these changes are valid, only needed if this PR makes significant changes to .ql, .qll, or .qhelp files. See the documentation (internal access required).
• Changes are validated at scale (internal access required).
• Adding a new query? Consider also adding the query to autofix.

[aegilops]

I'm wondering which other properties being set on elements might need to be treated as XSS sinks, so that I don't fix up just innerHTML.

I'll see if I can copy what's done in the existing library.

I'm thinking that a.href and script.src and object.src might need to be XSS sinks, but I don't want to have to think too hard about this and would prefer to just copy existing conclusions!

[asgerf]

I'm wondering which other properties being set on elements might need to be treated as XSS sinks, so that I don't fix up just innerHTML.

You might be able to model this as an AttributeDefinition instead of directly as a sink. See D3.qll for a simple example.

[aegilops]

I'm wondering which other properties being set on elements might need to be treated as XSS sinks, so that I don't fix up just innerHTML.

You might be able to model this as an AttributeDefinition instead of directly as a sink. See D3.qll for a simple example.

I'm not 100% sure how to implement this, but I had a go in AngularJSCore.qll, with AngularRenderer2AttributeDefinition.

I wasn't totally sure how to define getElement(), or if I needed it, or mayHaveTemplateValue(), so I left them undefined.

If I write a simple query to select dom-based XSS sinks, having removed my hardcoded definition of the Angular-Renderer2-innerHTML sink in DomBasedXssCustomizations.qll then I don't find the new sinks I'm hoping to find:

import javascript
import semmle.javascript.security.dataflow.DomBasedXssCustomizations::DomBasedXss

from Sink sink
select sink

I don't know which bit of the library uses the various AttributeDefinition classes to find DOM XSS sinks, so I'm not sure how to debug more precisely.

[asgerf]

Sorry, you'll have to do both:

• Contribute to AttributeDefinition
• Contribute to DomBasedXssCustomizations::Sinks

The reason is that setAttribute("innerHTML", x) does not actually do anything when interacting with the DOM API directly, so AttributeDefinition does not give rise to HTML injection sinks. But it does give rise to a few others like src and event handlers.