
Strange behavior on analyzing react framework #17398

Closed
@Anemone95

Description


Hi,

I have a case in which CodeQL has a strange analysis report. The code is like:

let r = require("react");
let qs = require("query-string");
require("react-router-dom"); // this line matters
class C extends r.Component {
    render() {
        const h = qs.parse(this.props.location.search).url;
        window.location.href = h;
    }
}

If we review the code manually, the code defines a React.Component class C, and in its render function it takes a parameter (url) from the user request and then assigns that into window.location.href, which will trigger the browser redirect to that url.

So, this code contains a URL redirect vulnerability. To detect this, this.props.location.search should be marked as the source, and the assigned expression should be a sink. CodeQL can detect this by rule ./javascript/ql/src/Security/CWE-601/ClientSideUrlRedirect.ql. However, if I remove the third line, which is require("react-router-dom"), CodeQL can't detect the vulnerability.

I don't know the QL language very well, so I don't know how CodeQL models the React framework. But for this code, its vulnerability should be irrelevant to the third line. So why does that line matter to the CodeQL analysis result?

If I put this code into a directory named 'problemql', the command line I use is:

codeql database create --language=javascript --source-root ./problemql DB
codeql database analyze DB ./codeql-repo/javascript/ql/src/Security/CWE-601/ClientSideUrlRedirect.ql --format=csv --output=DB/report.csv 
cat DB/report.csv
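The sink in the report above, with a hardened form beside it, as an added example that is not part of the issue or of CodeQL's own code. It assumes Node's built-in URLSearchParams and URL in place of the query-string package, and a fixed application origin (https://app.example) that stands in for window.location.origin.

```javascript
// Added example (not from the issue): the open-redirect pattern from the
// report next to a hardened version. Uses the built-in URLSearchParams/URL
// instead of the `query-string` package so it runs without dependencies.

// Vulnerable pattern from the issue: the `url` query parameter flows unchecked
// into window.location.href, so any absolute URL in it redirects off-site.
function unsafeRedirectTarget(search) {
  return new URLSearchParams(search).get("url");
}

// Hardened: only accept a same-origin path. `origin` is an assumed constant
// standing in for window.location.origin. Absolute URLs, protocol-relative
// URLs ("//host") and backslash variants ("/\host") are rejected by requiring
// a single leading "/" and then checking that resolving the value against the
// origin did not change the origin.
function safeRedirectTarget(search, origin = "https://app.example") {
  const raw = new URLSearchParams(search).get("url");
  if (!raw) return "/";
  // Must look like a local path: one leading slash, not "//" or "/\".
  if (!/^\/(?![\/\\])/.test(raw)) return "/";
  let resolved;
  try {
    resolved = new URL(raw, origin);
  } catch {
    return "/";
  }
  if (resolved.origin !== origin) return "/";
  return resolved.pathname + resolved.search + resolved.hash;
}

// In the component's render() this replaces the direct assignment:
//   window.location.href = safeRedirectTarget(this.props.location.search);
```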

Labels: JS, question (Further information is requested)