Add test cases ui5/webcomponents-react explore

javascript/frameworks/ui5-webcomponents/test/queries/xss-input-dangerouslySetInnerHTML/.eslintrc.json

@@ -0,0 +1,8 @@
+{
+  "env": {
+    "browser": true,
+    "es6": true,
+    "node": true
+  },
+  "extends": "react-app"
+}

javascript/frameworks/ui5-webcomponents/test/queries/xss-input-dangerouslySetInnerHTML/README.md

@@ -0,0 +1,9 @@
+# Minimal Demo Example of XSS in UI5-Webcomponents for React
+
+This is a minimal example to demonstrate how XSS might happen in an application written with [UI5-Webcomponents for React](https://ui5.github.io/webcomponents-react/).
+
+## Steps to trigger XSS
+
+1. `npm install` and `npm start`, navigate to `localhost:3000`
+2. Input `<img src="nonexistent.jpg" onerror="alert('xss')"/>` in the [`Input` component](https://ui5.github.io/webcomponents/components/Input/)
+

javascript/frameworks/ui5-webcomponents/test/queries/xss-input-dangerouslySetInnerHTML/XssThroughDom.expected

@@ -0,0 +1,14 @@
+edges
+| src/App.tsx:7:10:7:13 | todo | src/App.tsx:7:10:7:13 | todo | provenance |  |
+| src/App.tsx:7:10:7:13 | todo | src/App.tsx:27:46:27:49 | todo | provenance |  |
+| src/App.tsx:12:22:12:45 | todoInp ... ?.value | src/App.tsx:12:22:12:51 | todoInp ... e \|\| "" | provenance |  |
+| src/App.tsx:12:22:12:51 | todoInp ... e \|\| "" | src/App.tsx:7:10:7:13 | todo | provenance |  |
+nodes
+| src/App.tsx:7:10:7:13 | todo | semmle.label | todo |
+| src/App.tsx:7:10:7:13 | todo | semmle.label | todo |
+| src/App.tsx:12:22:12:45 | todoInp ... ?.value | semmle.label | todoInp ... ?.value |
+| src/App.tsx:12:22:12:51 | todoInp ... e \|\| "" | semmle.label | todoInp ... e \|\| "" |
+| src/App.tsx:27:46:27:49 | todo | semmle.label | todo |
+subpaths
+#select
+| src/App.tsx:27:46:27:49 | todo | src/App.tsx:12:22:12:45 | todoInp ... ?.value | src/App.tsx:27:46:27:49 | todo | $@ is reinterpreted as HTML without escaping meta-characters. | src/App.tsx:12:22:12:45 | todoInp ... ?.value | DOM text |

javascript/frameworks/ui5-webcomponents/test/queries/xss-input-dangerouslySetInnerHTML/XssThroughDom.ql

@@ -0,0 +1,27 @@
+/**
+ * @name DOM text reinterpreted as HTML
+ * @description Reinterpreting text from the DOM as HTML
+ *              can lead to a cross-site scripting vulnerability.
+ * @kind path-problem
+ * @problem.severity warning
+ * @security-severity 6.1
+ * @precision high
+ * @id js/xss-through-dom
+ * @tags security
+ *       external/cwe/cwe-079
+ *       external/cwe/cwe-116
+ */
+
+//an exact copy of - https://github.com/github/codeql/blob/main/javascript/ql/src/Security/CWE-079/XssThroughDom.ql
+//included for testing purposes only
+
+import javascript
+import semmle.javascript.security.dataflow.XssThroughDomQuery
+import XssThroughDomFlow::PathGraph
+
+from XssThroughDomFlow::PathNode source, XssThroughDomFlow::PathNode sink
+where
+  XssThroughDomFlow::flowPath(source, sink) and
+  not isIgnoredSourceSinkPair(source.getNode(), sink.getNode())
+select sink.getNode(), source, sink,
+  "$@ is reinterpreted as HTML without escaping meta-characters.", source.getNode(), "DOM text"

javascript/frameworks/ui5-webcomponents/test/queries/xss-input-dangerouslySetInnerHTML/XssThroughDom.qlref

@@ -0,0 +1 @@
+XssThroughDom.ql

javascript/frameworks/ui5-webcomponents/test/queries/xss-input-dangerouslySetInnerHTML/codeql-pack.lock.yml

@@ -0,0 +1,30 @@
+---
+lockVersion: 1.0.0
+dependencies:
+  codeql/concepts:
+    version: 0.0.7
+  codeql/controlflow:
+    version: 2.0.17
+  codeql/dataflow:
+    version: 2.0.17
+  codeql/javascript-all:
+    version: 2.6.13
+  codeql/mad:
+    version: 1.0.33
+  codeql/regex:
+    version: 1.0.33
+  codeql/ssa:
+    version: 2.0.9
+  codeql/threat-models:
+    version: 1.0.33
+  codeql/tutorial:
+    version: 1.0.33
+  codeql/typetracking:
+    version: 2.0.17
+  codeql/util:
+    version: 2.0.20
+  codeql/xml:
+    version: 1.0.33
+  codeql/yaml:
+    version: 1.0.33
+compiled: false