Description
Hello, I did not find much info about this elsewhere so asking here.
It would be amazing if CodeQL had support for Trusted Types in JavaScript language and we could use CodeQL to query DOM injections sinks and catch violations early. Similar to what tsec is doing in their rules.
I know many sinks (ScriptContentSink, ScriptUrlSink, EvalJavaScriptSink, DomSink, HtmlParserSink, TemplateTagInScriptSink, ...) are already covered to some extent. But it seems we might be missing some sinks (I did not check extensively, maybe SharedWorker constructor, React <iframe srcdoc>, HTMLBaseElement.href, ...).
And I could not find anything related to trusted types (TrustedHTML, TrustedScript, TrustedScriptURL) or other relevant methods (TrustedTypePolicyFactory.createPolicy, TrustedTypePolicy.createHTML, TrustedTypePolicy.createScript, TrustedTypePolicy.createScriptURL).
Now, without this support, it is challenging to continue scanning large and complex JavaScript applications that adopted Trusted Types. CodeQL does not understand "guard" methods and detected issues are not as precise as they could be.
Thanks.
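The guard relationship the issue is asking CodeQL to model, as an added example that is not part of the issue and not CodeQL's or tsec's code. Browsers supply `window.trustedTypes` and enforce the CSP directive `require-trusted-types-for 'script'`; to run offline in Node, the example constructs a minimal stand-in for the factory (`makeFactory`) and for an element whose `innerHTML` sink is enforced (`FakeElement`). The policy name `app`, the origin `https://cdn.example` and the helper names are assumptions. The point it shows is the data-flow shape a query needs: a raw string reaching a sink is a violation, a value produced by `policy.createHTML` / `policy.createScriptURL` is accepted, and the policy callbacks are the only sanitizers that matter.

```javascript
// Opaque wrapper types with the shape of TrustedHTML / TrustedScript / TrustedScriptURL.
// The only way to obtain one is through a policy's create* function.
class TrustedHTML { constructor(v) { this.v = v; Object.freeze(this); } toString() { return this.v; } }
class TrustedScript { constructor(v) { this.v = v; Object.freeze(this); } toString() { return this.v; } }
class TrustedScriptURL { constructor(v) { this.v = v; Object.freeze(this); } toString() { return this.v; } }

// Constructed stand-in for window.trustedTypes (TrustedTypePolicyFactory), assumption for
// offline use. createPolicy() wraps the caller's sanitizer callbacks so each create*
// function returns the matching trusted type; a policy that omits a callback makes the
// corresponding create* call throw, as browsers do.
function makeFactory() {
  const names = new Set();
  return {
    createPolicy(name, rules) {
      if (names.has(name)) throw new TypeError(`Policy "${name}" already exists`);
      names.add(name);
      const wrap = (fn, Type, kind) => (input) => {
        if (typeof fn !== 'function') throw new TypeError(`Policy "${name}" does not define ${kind}`);
        return new Type(fn(String(input)));
      };
      return {
        name,
        createHTML: wrap(rules.createHTML, TrustedHTML, 'createHTML'),
        createScript: wrap(rules.createScript, TrustedScript, 'createScript'),
        createScriptURL: wrap(rules.createScriptURL, TrustedScriptURL, 'createScriptURL'),
      };
    },
  };
}

// Constructed stand-in for an element under `require-trusted-types-for 'script'`: the
// innerHTML sink accepts only TrustedHTML and rejects plain strings (a real browser throws
// a TypeError and reports a CSP violation).
class FakeElement {
  #html = '';
  set innerHTML(value) {
    if (!(value instanceof TrustedHTML)) {
      throw new TypeError("This document requires 'TrustedHTML' assignment.");
    }
    this.#html = value.toString();
  }
  get innerHTML() { return this.#html; }
}

const trustedTypes = makeFactory();

// The application's policy. createHTML escapes every HTML-significant character, so the
// sink can only ever receive text; createScriptURL allows one CDN origin (assumed) and
// rejects everything else, including javascript: URLs (origin "null") and relative paths.
// createScript is deliberately not defined, so script text can never be laundered through it.
const appPolicy = trustedTypes.createPolicy('app', {
  createHTML: (s) => s.replace(/[&<>"']/g,
    (c) => ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c])),
  createScriptURL: (url) => {
    const u = new URL(url, 'https://app.example');
    if (u.origin !== 'https://cdn.example') throw new TypeError(`Blocked script URL origin ${u.origin}`);
    return u.href;
  },
});

// Unguarded sink: the pattern CodeQL already flags as DOM XSS. With enforcement on, the
// assignment itself throws, so the finding is real but the fix is a policy, not a sanitizer.
function renderUnsafe(el, userInput) {
  el.innerHTML = userInput;
  return el.innerHTML;
}

// Guarded sink: the only value reaching innerHTML is the policy's output. A query that
// models appPolicy.createHTML as a sanitizer would stop reporting this flow.
function renderSafe(el, userInput) {
  el.innerHTML = appPolicy.createHTML(userInput);
  return el.innerHTML;
}

// Guarded script URL: returns the allow-listed URL or throws for any other origin.
function loadScript(url) {
  return appPolicy.createScriptURL(url).toString();
}

// Attempt to produce a TrustedScript from this policy; returns the error message because
// the policy never defined createScript.
function tryCreateScript(src) {
  try { return appPolicy.createScript(src).toString(); } catch (e) { return e.message; }
}
```

Under this model, the precision gain the issue asks for comes from three facts a query can encode: `TrustedHTML` and friends are distinct types that a sink accepts, `createPolicy` is the only producer of those types, and the callbacks passed to it are where sanitization actually happens. A flow from user input through `appPolicy.createHTML` to `innerHTML` is then "reviewed by the policy" rather than "unsanitized DOM XSS".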