Merge pull request #13745 from GeekMasher/py-mad-xss

yoff · web-flow · commit a1aa16f901ab · 2023-07-18T13:39:17.000+02:00
Python - Add Models as Data support for Reflected XSS Query
diff --git a/python/ql/lib/change-notes/2023-07-13-mad-xss.md b/python/ql/lib/change-notes/2023-07-13-mad-xss.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Add support for Models as Data for Reflected XSS query
diff --git a/python/ql/lib/semmle/python/security/dataflow/ReflectedXSSCustomizations.qll b/python/ql/lib/semmle/python/security/dataflow/ReflectedXSSCustomizations.qll
@@ -7,6 +7,7 @@
 private import python
 private import semmle.python.dataflow.new.DataFlow
 private import semmle.python.Concepts
+private import semmle.python.frameworks.data.ModelsAsData
 private import semmle.python.dataflow.new.RemoteFlowSources
 private import semmle.python.dataflow.new.BarrierGuards
 
@@ -43,6 +44,15 @@ module ReflectedXss {
    */
   class RemoteFlowSourceAsSource extends Source, RemoteFlowSource { }
 
+  /**
+   * A data flow sink for "reflected cross-site scripting" vulnerabilities.
+   */
+  private class SinkFromModel extends Sink {
+    SinkFromModel() {
+      this = ModelOutput::getASinkNode(["html-injection", "js-injection"]).asSink()
+    }
+  }
+
   /**
    * The body of a HTTP response that will be returned from a server, considered as a flow sink.
    */

-Original file line number
+Diff line change
@@ @@ -0,0 +1,4 @@ @@
 +---
 +category: minorAnalysis
 +---
 +* Add support for Models as Data for Reflected XSS query