dompurify-xss

javascript-client-security · Security · Error


CWE-79

Calling DOMPurify.sanitize() without the RETURN_DOM_FRAGMENT or RETURN_DOM option may lead to XSS vulnerabilities.

As recommended by CWE-79, safe code should neutralize input during web page generation.

AST Rule: function call
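The flagged and the accepted call, shown at the point where the result reaches the page. This is an added example, not part of the Codiga rule: `renderFlagged`, `renderFixed`, `purify` and `target` are hypothetical names. Adding the option to sanitize() also means changing the sink, because a DocumentFragment assigned to innerHTML is stringified instead of inserted.

```javascript
// Added example (not Codiga's code). `purify` stands for a DOMPurify instance
// and `target` for a DOM element; both are parameters, so no globals are needed.

// Flagged by the rule: sanitize() returns a string, and assigning it to
// innerHTML makes the browser parse that markup a second time.
function renderFlagged(purify, target, dirty) {
  target.innerHTML = purify.sanitize(dirty);
}

// Accepted by the rule: sanitize() returns DOM nodes, which are inserted as nodes.
function renderFixed(purify, target, dirty, useFragment = true) {
  const clean = useFragment
    ? purify.sanitize(dirty, { RETURN_DOM_FRAGMENT: true }) // DocumentFragment
    : purify.sanitize(dirty, { RETURN_DOM: true });          // <body> element

  // A string here means the option did not take effect; refuse to fall back
  // to an HTML sink.
  if (typeof clean === "string") {
    throw new TypeError("sanitize() returned a string, expected DOM nodes");
  }

  if (useFragment) {
    target.replaceChildren(clean);
  } else {
    // RETURN_DOM yields a wrapper element: move its children, not the wrapper.
    target.replaceChildren(...Array.from(clean.childNodes));
  }
  return clean;
}
```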


function visit(node, filename, code) {
  // Match calls of the form DOMPurify.sanitize(...)
  if (node.functionName && node.functionName.astType === "member" &&
      node.functionName.parent && node.functionName.parent.astType === "string" &&
      node.functionName.parent.value === "DOMPurify" && node.functionName.name.value === "sanitize") {
    if (node.arguments && node.arguments.values && node.arguments.values.length === 2) {
      const secondArgument = node.arguments.values[1].value;
      // No issue when the options object literal sets RETURN_DOM or RETURN_DOM_FRAGMENT to true
      const noIssue = secondArgument && secondArgument.astType === "object" &&
        secondArgument.elements.some(e => e.name && e.value &&
          (e.name.value === "RETURN_DOM" || e.name.value === "RETURN_DOM_FRAGMENT") &&
          e.value.value == "true");

      if (!noIssue) {
        const error = buildError(node.functionName.start.line, node.functionName.start.col,
                                 node.functionName.end.line, node.functionName.end.col,
                                 "DOMPurify.sanitize() without RETURN_DOM or RETURN_DOM_FRAGMENT may lead to XSS",
                                 "CRITICAL", "SAFETY");
        // An automatic fix is only offered when the second argument is an object literal
        if (secondArgument && secondArgument.astType === "object") {
          // Insert the option right after the opening brace of the object literal
          const edit = buildEditAdd(secondArgument.start.line, secondArgument.start.col + 1, "RETURN_DOM_FRAGMENT: true, ");
          const fix = buildFix("add sanitization", [edit]);
          addError(error.addFix(fix));
        } else {
          addError(error);
        }
      }
    } else {
      // Any other argument count is reported
      const error = buildError(node.functionName.start.line, node.functionName.start.col,
                               node.functionName.end.line, node.functionName.end.col,
                               "DOMPurify.sanitize() without RETURN_DOM or RETURN_DOM_FRAGMENT may lead to XSS",
                               "CRITICAL", "SAFETY");
      if (node.arguments && node.arguments.values && node.arguments.values.length === 1) {
        // Single argument: append an options object after it
        const firstArgument = node.arguments.values[0].value;
        const edit = buildEditAdd(firstArgument.end.line, firstArgument.end.col, ", {RETURN_DOM_FRAGMENT: true}");
        const fix = buildFix("add sanitization", [edit]);
        addError(error.addFix(fix));
      } else {
        addError(error);
      }
    }
  }
}

error1.js

Expected test result: has error

DOMPurify.sanitize(content, {arg: val})

error2.js

Expected test result: has error

DOMPurify.sanitize(content)

pass2.js

Expected test result: no error

DOMPurify.sanitize(content, {RETURN_DOM_FRAGMENT: true})

pass1.js

Expected test result: no error


Codiga – All rights reserved 2022.