Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

JS: Add Angular2 DOM sources #18458

Merged
merged 11 commits into from
Jan 17, 2025
Merged

JS: Add Angular2 DOM sources #18458

merged 11 commits into from
Jan 17, 2025

Conversation

asgerf
Copy link
Contributor

@asgerf asgerf commented Jan 9, 2025
edited
Loading

Adds support for a few sources of form inputs and DOM objects coming from Angular:

  • Recognise $event inside an Angular event handler as a source of DOM events
  • Recognise NgForm.value as a source of form input
  • Recognise [(ngModel)] two-way data binding as a source of form input

@asgerf asgerf marked this pull request as ready for review January 10, 2025 09:46
@Copilot Copilot bot review requested due to automatic review settings January 10, 2025 09:46
@asgerf asgerf requested a review from a team as a code owner January 10, 2025 09:46
Copilot
Copilot AI reviewed Jan 10, 2025
View reviewed changes

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot reviewed 4 out of 8 changed files in this pull request and generated no comments.

Files not reviewed (4)
  • javascript/ql/lib/semmle/javascript/DOM.qll: Language not supported
  • javascript/ql/lib/semmle/javascript/frameworks/Angular2.qll: Language not supported
  • javascript/ql/lib/semmle/javascript/security/dataflow/XssThroughDomCustomizations.qll: Language not supported
  • javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/XssThroughDom.expected: Language not supported

Tip: If you use Visual Studio Code, you can request a review from Copilot before you push from the "Source Control" tab. Learn more
erik-krogh
erik-krogh previously approved these changes Jan 10, 2025
View reviewed changes
Copy link
Contributor

@erik-krogh erik-krogh left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍

Optional comment about the tests.

javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/angular.ts
}

useField() {
document.write(this.field); // NOT OK
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

maybe add a negative example?
Add a field name otherField and test that it's safe.

Similarly a setOtherInput(..) method where the parameter is safe to use.

@asgerf asgerf force-pushed the js/angular2-xss-through-dom branch from 19f8d62 to 2c65946 Compare January 17, 2025 09:33
@asgerf
Copy link
Contributor Author

asgerf commented Jan 17, 2025

Rebased on main as there were many conflicts in the .expected file, and added a few more tests as suggested.

@asgerf asgerf merged commit 0d52541 into github:main Jan 17, 2025
13 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

Copilot code review Copilot Copilot left review comments

@erik-krogh erik-krogh erik-krogh approved these changes

Assignees
No one assigned
Labels
documentation JS
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@asgerf @erik-krogh