github · aegilops · Jan 3, 2025 · Jan 3, 2025 · Jan 3, 2025 · Jan 3, 2025
@@ -0,0 +1,4 @@
+---
+category: majorAnalysis
+---
+* Added new XSS sink where `InnerHTML` is assigned to with the Angular Renderer2 API
@@ -554,4 +554,39 @@
       this = API::Node::ofType("@angular/core", "ElementRef").getMember("nativeElement").asSource()
     }
   }
+
+  /**
+   * A DOM attribute write, using the AngularJS Renderer2 API: a call to `Renderer2.setProperty`.
+   */
+  class AngularRenderer2AttributeDefinition extends DOM::AttributeDefinition {
+    DataFlow::Node propertyNode;
+    DataFlow::Node valueNode;
+    DataFlow::Node elementNode;
+
+    AngularRenderer2AttributeDefinition() {
+      exists(API::CallNode setProperty |
+        setProperty =
+          API::moduleImport("@angular/core")
+              .getMember("Renderer2")
+              .getInstance()
+              .getMember("setProperty")
+              .getACall() and
+        elementNode = setProperty.getArgument(0) and
+        propertyNode = setProperty.getArgument(1) and
+        valueNode = setProperty.getArgument(2) and
+        this = setProperty.asExpr()
+      )
+    }
+
+    override string getName() { result = propertyNode.getStringValue() }
+
+    /**
+     * Get the `DataFlow::Node` that is affected by this Attribute Definition.
+     *
+     *  Defined instead of defining `getElement()`, which requires returning a DOM element defintion, `ElementDefinition`.
+     */
+    DataFlow::Node getElementNode() { result = elementNode }
+
+    override DataFlow::Node getValueNode() { result = valueNode }
+  }
 }
@@ -251,6 +251,20 @@ module DomBasedXss {
     }
   }
 
+  /**
+   * A write to the `innerHTML` or `outerHTML` property of a DOM element, viewed as an XSS sink.
+   *
+   * Uses the Angular Renderer2 API, instead of the default `Element.innerHTML` property.
+   */
+  class AngularRender2SetPropertyInnerHtmlSink2 extends Sink {
+    AngularRender2SetPropertyInnerHtmlSink2() {
+      exists(Angular2::AngularRenderer2AttributeDefinition attrDef |
+        attrDef.getName() = ["innerHTML", "outerHTML"] and
+        this = attrDef.getValueNode()
+      )
+    }
+  }
+
   /**
    * A value being piped into the `safe` pipe in a template file,
    * disabling subsequent HTML escaping.