From dc78cd787cebbfb81350e56e451ce0575acf2afd Mon Sep 17 00:00:00 2001
From: Andrea Brancaleoni
Date: Thu, 27 Jul 2023 14:11:32 +0200
Subject: [PATCH 1/2] New ruleset: no-backticks-in-js-handlers.yaml
---
.../web/no-backticks-in-js-handlers.yaml | 17 +++++++++++++++++
1 file changed, 17 insertions(+)
create mode 100644 assets/semgrep_rules/web/no-backticks-in-js-handlers.yaml
diff --git a/assets/semgrep_rules/web/no-backticks-in-js-handlers.yaml b/assets/semgrep_rules/web/no-backticks-in-js-handlers.yaml
new file mode 100644
index 00000000..c24637a5
--- /dev/null
+++ b/assets/semgrep_rules/web/no-backticks-in-js-handlers.yaml
@@ -0,0 +1,17 @@
+rules:
+ - id: no-backticks-in-js-handlers
+ patterns:
+ - pattern-either:
+ - pattern-inside: $HANDLER="..."
+ - pattern-inside: $HANDLER='...'
+ - pattern-inside: $HANDLER=...
+ - pattern-regex: '`{{[^}]+}}`'
+ - metavariable-regex:
+ metavariable: $HANDLER
+ regex: on(abort|auxclick|beforeinput|beforematch|beforetoggle|cancel|canplay|canplaythrough|change|click|close|contextlost|contextmenu|contextrestored|copy|cuechange|cut|dblclick|drag|dragend|dragenter|dragleave|dragover|dragstart|drop|durationchange|emptied|ended|formdata|input|invalid|keydown|keypress|keyup|loadeddata|loadedmetadata|loadstart|mousedown|mouseenter|mouseleave|mousemove|mouseout|mouseover|mouseup|paste|pause|play|playing|progress|ratechange|reset|securitypolicyviolation|seeked|seeking|select|slotchange|stalled|submit|suspend|timeupdate|toggle|volumechange|waiting|webkitAnimationEnd|webkitAnimationIteration|webkitAnimationStart|webkitTransitionEnd|wheel)
+ message: |
+ Backtick in JS handler may cause XSS since they are typically not auto escaped in variables.
+
+ Consider using single or double apices, instead of backticks.
+ languages: [generic]
+ severity: WARNING
From 29ee4de33977baeac08e758bed775fa736b17803 Mon Sep 17 00:00:00 2001
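Review bot: `- pattern-regex: '`{{[^}]+}}`'` only matches when the backtick is immediately adjacent to the interpolation, so a mixed template literal such as `` `Hello {{name}}` `` inside an `onclick` handler is not reported; a broader form like `` '`[^`]*{{[^}]+}}[^`]*`' `` would cover an interpolation anywhere inside the literal. The `metavariable-regex` alternation also omits frequently used handler attributes such as `onload`, `onerror`, `onfocus`, `onblur` and `onscroll`, so backticks in handlers on those attributes are silently skipped. The `message` does not say why backticks are the problem and "apices" is unusual English; I would reword it to something like `HTML auto-escaping, as applied by most template engines, encodes quotes and angle brackets but usually not the backtick, so a template value placed inside a backtick-delimited JS template literal in an inline event handler can break out of the literal and inject script. Wrap the interpolated value in single or double quotes, or keep template values out of inline handlers altogether.` Since `languages: [generic]` runs against every file, a `paths:` / `include:` restriction to HTML and template extensions would keep the rule from scanning unrelated sources.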
From: Andrea Brancaleoni
Date: Thu, 27 Jul 2023 14:13:07 +0200
Subject: [PATCH 2/2] New test: no-backticks-in-js-handlers.html
---
t3sts/semgrep_rules/no-backticks-in-js-handlers.html | 6 ++++++
1 file changed, 6 insertions(+)
create mode 100644 t3sts/semgrep_rules/no-backticks-in-js-handlers.html
diff --git a/t3sts/semgrep_rules/no-backticks-in-js-handlers.html b/t3sts/semgrep_rules/no-backticks-in-js-handlers.html
new file mode 100644
index 00000000..807101f3
--- /dev/null
+++ b/t3sts/semgrep_rules/no-backticks-in-js-handlers.html
@@ -0,0 +1,6 @@
+// ruleid: no-backticks-in-js-handlers
+onclick="call('good', `{{var}}`, `{{var}}`)"
+// ruleid: no-backticks-in-js-handlers
+onclick='call("good", `{{var}}`, `{{var}}`)'
+// ruleid: no-backticks-in-js-handlers
+onclick=call('good', `{{var}}`, `{{var}}`)
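Review bot: The fixture contains only positive cases, so it cannot catch a rule that over-matches; add at least one negative line annotated `// ok: no-backticks-in-js-handlers`, for example `onclick="call('good', '{{var}}')"` (quotes instead of backticks) and a non-handler attribute such as `title="`{{var}}`"`, which the `metavariable-regex` on the handler name should not match. The third case, `onclick=call('good', `{{var}}`, `{{var}}`)`, is an unquoted attribute value that contains spaces; an HTML parser would end the value at the first space, so it likely does not represent a handler a browser would actually run, and a space-free value would be a more faithful unquoted sample.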