Merge pull request #258 from rebeccahum/rebecca/windowbom_sniff

GaryJones · web-flow · commit 801fb45a6f9a · 2018-11-16T10:59:55.000Z
Add Window object Sniff for JS
diff --git a/WordPress-VIP-Go/ruleset.xml b/WordPress-VIP-Go/ruleset.xml
@@ -87,6 +87,9 @@
 		<type>error</type>
 		<severity>5</severity>
 	</rule>
+	<rule ref="WordPressVIPMinimum.JS.Window">
+		<severity>5</severity>
+	</rule>
 	<rule ref="WordPressVIPMinimum.JS.InnerHTML.innerHTML">
 		<type>error</type>
 		<severity>5</severity>
diff --git a/WordPressVIPMinimum/Sniffs/JS/WindowSniff.php b/WordPressVIPMinimum/Sniffs/JS/WindowSniff.php
@@ -0,0 +1,142 @@
+<?php
+/**
+ * WordPressVIPMinimum_Sniffs_JS_WindowSniff.
+ *
+ * @package VIPCS\WordPressVIPMinimum
+ */
+
+namespace WordPressVIPMinimum\Sniffs\JS;
+
+use PHP_CodeSniffer\Files\File;
+use PHP_CodeSniffer\Sniffs\Sniff;
+use PHP_CodeSniffer\Util\Tokens;
+
+/**
+ * WordPressVIPMinimum_Sniffs_JS_WindowSniff.
+ *
+ * Looks for instances of window properties that should be flagged.
+ *
+ * @package VIPCS\WordPressVIPMinimum
+ */
+class WindowSniff implements Sniff {
+
+	/**
+	 * A list of tokenizers this sniff supports.
+	 *
+	 * @var array
+	 */
+	public $supportedTokenizers = array(
+		'JS',
+	);
+
+	/**
+	 * Returns an array of tokens this test wants to listen for.
+	 *
+	 * @return array
+	 */
+	public function register() {
+		return [
+			T_STRING,
+		];
+	}
+
+	/**
+	 * List of window properties that need to be flagged.
+	 *
+	 * @var array
+	 */
+	private $windowProperties = [
+		'location' => [
+			'href'     => true,
+			'protocol' => true,
+			'host'     => true,
+			'hostname' => true,
+			'pathname' => true,
+			'protocol' => true,
+			'search'   => true,
+			'hash'     => true,
+			'username' => true,
+			'port'     => true,
+			'password' => true,
+		],
+		'name'   => true,
+		'status' => true,
+	];
+
+	/**
+	 * A list of tokens that are allowed in the syntax.
+	 *
+	 * @var array
+	 */
+	private $syntaxTokens = [
+		T_OBJECT_OPERATOR,
+	];
+
+	/**
+	 * Processes this test, when one of its tokens is encountered.
+	 *
+	 * @param \PHP_CodeSniffer\Files\File $phpcsFile The file being scanned.
+	 * @param int                         $stackPtr  The position of the current token in the
+	 *                                               stack passed in $tokens.
+	 *
+	 * @return void
+	 */
+	public function process( File $phpcsFile, $stackPtr ) {
+		$tokens = $phpcsFile->getTokens();
+
+		if ( 'window' !== $tokens[ $stackPtr ]['content'] ) {
+			// Doesn't begin with 'window', bail.
+			return;
+		}
+
+		$nextTokenPtr = $phpcsFile->findNext( Tokens::$emptyTokens, ( $stackPtr + 1 ), null, true, null, true );
+		$nextToken = $tokens[ $nextTokenPtr ]['code'];
+		if ( T_OBJECT_OPERATOR !== $nextToken && T_OPEN_SQUARE_BRACKET !== $nextToken ) {
+			// No . or [' next, bail.
+			return;
+		}
+
+		$nextNextTokenPtr = $phpcsFile->findNext( Tokens::$emptyTokens, ( $nextTokenPtr + 1 ), null, true, null, true );
+		if ( false === $nextNextTokenPtr ) {
+			// Something went wrong, bail.
+			return;
+		}
+
+		$nextNextToken = str_replace( [ '"', "'" ], '', $tokens[ $nextNextTokenPtr ]['content'] );
+		if ( ! isset( $this->windowProperties[ $nextNextToken ] ) ) {
+			// Not in $windowProperties, bail.
+			return;
+		}
+
+		$nextNextNextTokenPtr = $phpcsFile->findNext( array_merge( [ T_CLOSE_SQUARE_BRACKET ], Tokens::$emptyTokens ), ( $nextNextTokenPtr + 1 ), null, true, null, true );
+		$nextNextNextToken = $tokens[ $nextNextNextTokenPtr ]['code'];
+
+		$nextNextNextNextToken = false;
+		if ( T_OBJECT_OPERATOR === $nextNextNextToken || T_OPEN_SQUARE_BRACKET === $nextNextNextToken ) {
+			$nextNextNextNextTokenPtr = $phpcsFile->findNext( Tokens::$emptyTokens, ( $nextNextNextTokenPtr + 1 ), null, true, null, true );
+			if ( false === $nextNextNextNextTokenPtr ) {
+				// Something went wrong, bail.
+				return;
+			}
+
+			$nextNextNextNextToken = str_replace( [ '"', "'" ], '', $tokens[ $nextNextNextNextTokenPtr ]['content'] );
+			if ( ! isset( $this->windowProperties[ $nextNextToken ][ $nextNextNextNextToken ] ) ) {
+				// Not in $windowProperties, bail.
+				return;
+			}
+		}
+
+		$windowProperty = 'window.';
+		$windowProperty .= $nextNextNextNextToken ? $nextNextToken . '.' . $nextNextNextNextToken : $nextNextToken;
+
+		$prevTokenPtr = $phpcsFile->findPrevious( Tokens::$emptyTokens, ( $stackPtr - 1 ), null, true, null, true );
+		if ( T_EQUAL === $tokens[ $prevTokenPtr ]['code'] ) {
+			// Variable assignment.
+			$phpcsFile->addWarning( sprintf( 'Data from JS global "' . $windowProperty . '" may contain user-supplied values and should be checked.', $tokens[ $stackPtr ]['content'] ), $stackPtr, 'VarAssignment' );
+			return;
+		}
+
+		$phpcsFile->addError( sprintf( 'Data from JS global "' . $windowProperty . '" may contain user-supplied values and should be sanitized before output to prevent XSS.', $tokens[ $stackPtr ]['content'] ), $stackPtr, $nextNextToken );
+	}
+
+}
diff --git a/WordPressVIPMinimum/Tests/JS/WindowUnitTest.js b/WordPressVIPMinimum/Tests/JS/WindowUnitTest.js
@@ -0,0 +1,38 @@
+var testString = '?url=www.evil.com';
+var url = "javascript:alert( 'xss' )";
+
+window; // Ok.
+window.location.testing; // Ok.
+window.test = 'http://www.google.com' + testString; // Ok.
+const foo = window.location.testing; // Ok.
+
+var bar = window.location.href; // Warning - variable assignment.
+var c=window.location.hash.split("#")[0]; // Warning - variable assignment.
+
+window.location; // Error.
+window.name; // Error.
+window.status; // Error.
+window.location.href = 'http://www.google.com/' + testString; // Error.
+window.location.protocol; // Error.
+window.location.host; // Error.
+window.location.hostname; // Error.
+window.location.pathname; // Error.
+window.location.search; // Error.
+window.location.hash; // Error.
+window.location.username; // Error.
+window.location.password; // Error.
+window.location.port; // Error.
+
+document.theform.reference.onchange = function( url ) {
+    var id = document.theform.reference.selectedIndex;
+    window.name = url; // Error.
+}
+
+window['location']; // Error.
+window.location['href']; // Error.
+window['location']['protocol']; // Error.
+window['location'].host; // Error.
+
+window['location']['test']; // Ok.
+window.location['test']; // Ok.
+window['test'].location; // Ok.
diff --git a/WordPressVIPMinimum/Tests/JS/WindowUnitTest.php b/WordPressVIPMinimum/Tests/JS/WindowUnitTest.php
@@ -0,0 +1,59 @@
+<?php
+/**
+ * Unit test class for WordPressVIPMinimum Coding Standard.
+ *
+ * @package VIPCS\WordPressVIPMinimum
+ */
+
+namespace WordPressVIPMinimum\Tests\JS;
+
+use PHP_CodeSniffer\Tests\Standards\AbstractSniffUnitTest;
+
+/**
+ * Unit test class for the HTML String concatenation in JS sniff.
+ *
+ * @package VIPCS\WordPressVIPMinimum
+ */
+class WindowUnitTest extends AbstractSniffUnitTest {
+
+	/**
+	 * Returns the lines where errors should occur.
+	 *
+	 * @return array <int line number> => <int number of errors>
+	 */
+	public function getErrorList() {
+		return [
+			12 => 1,
+			13 => 1,
+			14 => 1,
+			15 => 1,
+			16 => 1,
+			17 => 1,
+			18 => 1,
+			19 => 1,
+			20 => 1,
+			21 => 1,
+			22 => 1,
+			23 => 1,
+			24 => 1,
+			28 => 1,
+			31 => 1,
+			32 => 1,
+			33 => 1,
+			34 => 1,
+		];
+	}
+
+	/**
+	 * Returns the lines where warnings should occur.
+	 *
+	 * @return array <int line number> => <int number of warnings>
+	 */
+	public function getWarningList() {
+		return [
+			9  => 1,
+			10 => 1,
+		];
+	}
+
+}
