Description
Hi,
I have a case in which CodeQL gives a strange analysis report. The code is like:

```javascript
let r = require("react");
let qs = require("query-string");
require("react-router-dom"); // this line matters

class C extends r.Component {
  render() {
    const h = qs.parse(this.props.location.search).url;
    window.location.href = h;
  }
}
```
If we review the code manually, the code defines a React.Component class C, and in its render function it takes a parameter (url) from the user request and then assigns it to window.location.href, which will trigger a browser redirect to that URL.

So, this code contains a URL redirect vulnerability. To detect this, this.props.location.search should be marked as the source, and the assigned expression should be a sink. CodeQL can detect this with the rule ./javascript/ql/src/Security/CWE-601/ClientSideUrlRedirect.ql. However, if I remove the third line, which is require("react-router-dom"), CodeQL can't detect the vulnerability.

I don't know the QL language very well, so I don't know how CodeQL models the React framework. But for this code, the vulnerability should be irrelevant to the third line. So why does that line matter to the CodeQL analysis result?
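For reference, here is a hardened counterpart of the render() above, added as an example and not part of the issue or of CodeQL: the query parameter name `url`, the origin `https://app.example` and the fallback path `/` are assumptions. It keeps only redirect targets that resolve to the app's own origin, so absolute, protocol-relative and `javascript:` targets fall back to a safe path.

```javascript
// Constructed sample origin standing in for the deployed app (assumption).
const APP_ORIGIN = "https://app.example";

// The pattern from the issue: the `url` parameter flows straight to the
// redirect target, so any attacker-chosen URL is returned unchanged.
function unsafeRedirectTarget(search) {
  return new URLSearchParams(search).get("url");
}

// Hardened version: resolve the user-supplied `url` parameter against the
// app's origin and accept it only if the result stays on that origin.
// Relative paths resolve to APP_ORIGIN; absolute URLs keep their own origin,
// and "javascript:" targets get the opaque origin "null", so both are rejected.
function safeRedirectTarget(search, fallback = "/") {
  const raw = new URLSearchParams(search).get("url");
  if (raw === null || raw === "") return fallback;
  let resolved;
  try {
    resolved = new URL(raw, APP_ORIGIN);
  } catch (e) {
    return fallback; // unparsable input is never a valid local target
  }
  if (resolved.origin !== APP_ORIGIN) return fallback;
  // Return a same-origin path only, never the raw string the user sent.
  return resolved.pathname + resolved.search + resolved.hash;
}

// Hardened equivalent of the component in the issue (usage sketch).
function renderRedirect(props) {
  window.location.href = safeRedirectTarget(props.location.search);
}

module.exports = { unsafeRedirectTarget, safeRedirectTarget, renderRedirect };
```

The CodeQL query in the issue flags the unsafe variant because the query-string value reaches the sink unmodified; the hardened variant returns a value derived from the parsed, origin-checked URL instead.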
If I put this code into a directory named 'problemql', the command line I use is:

```shell
codeql database create --language=javascript --source-root ./problemql DB
codeql database analyze DB ./codeql-repo/javascript/ql/src/Security/CWE-601/ClientSideUrlRedirect.ql --format=csv --output=DB/report.csv
cat DB/report.csv
```