Match inline event handlers in JavaScript files #18

yaroslavafenkin · 2024-11-21T15:10:56Z

Addresses #16.

Known limitation:
If JavaScript is poorly formatted may result in false positives. E.g. document. onload=function(){} will get matched.

yaroslavafenkin · 2024-11-21T15:12:32Z

@daniel-beck I've also noticed in Java patterns we don't account for inline handlers being inside single quotes or no quotes at all. Was that intentional by chance?

yaroslavafenkin · 2024-11-21T15:13:34Z

src/main/java/io/jenkins/security/csp/Scanner.java

@@ -123,7 +125,7 @@ private static void visitFile(File file, Set<Match> matches) throws IOException

        if (fileName.endsWith(".java")) {
            final String text = readFileToString(file);
-            printMatches(matchRegexes(JAVA_PATTERNS, text, file));
+            matches.addAll(matchRegexes(JAVA_PATTERNS, text, file));


Unsure if it was done intentionally. Will revert if was.

daniel-beck · 2024-11-22T09:36:40Z

I've also noticed in Java patterns we don't account for inline handlers being inside single quotes or not quotes at all. Was that intentional by chance?

Could you provide a code example where that would happen?

yaroslavafenkin · 2024-11-22T11:50:04Z

I've also noticed in Java patterns we don't account for inline handlers being inside single quotes or not quotes at all. Was that intentional by chance?

Could you provide a code example where that would happen?

https://github.com/jenkinsci/workflow-support-plugin/blob/f8d41ac42279d1811b81b0afb5e6e2e4b95843fe/src/main/java/org/jenkinsci/plugins/workflow/support/steps/input/POSTHyperlinkNote.java#L86

I can imagine that being

return " onclick='fetch(decodeURIComponent(atob('" + encodeForJavascript(url) + "')), { method: 'post', headers: crumb.wrap({})}); return false'";

or

return " onclick=fetch(decodeURIComponent(atob('" + encodeForJavascript(url) + "')), { method: 'post', headers: crumb.wrap({})}); return false";

daniel-beck · 2024-11-22T14:05:03Z

I don't see the problem. Adding those two suggested lines to the original, I get:

% java -jar target/csp-scanner.jar ~/workflow-support-plugin/                                    
== Inline Event Handler (Java)
File: /Users/danielbeck/workflow-support-plugin/src/main/java/org/jenkinsci/plugins/workflow/support/steps/input/POSTHyperlinkNote.java +
Line: 86
----
onclick=\"fetch(decodeURIComponent(atob('"
----

== Inline Event Handler (Java)
File: /Users/danielbeck/workflow-support-plugin/src/main/java/org/jenkinsci/plugins/workflow/support/steps/input/POSTHyperlinkNote.java +
Line: 87
----
onclick='fetch(decodeURIComponent(atob('"
----

== Inline Event Handler (Java)
File: /Users/danielbeck/workflow-support-plugin/src/main/java/org/jenkinsci/plugins/workflow/support/steps/input/POSTHyperlinkNote.java +
Line: 88
----
onclick=fetch(decodeURIComponent(atob('"
----

Are you misinterpreting the quote matching that accounts for all hits in a Java source file necessarily being part of a double-quoted Java string as being part of the HTML attribute match?

yaroslavafenkin · 2024-11-22T15:43:49Z

I don't see the problem. Adding those two suggested lines to the original, I get:

% java -jar target/csp-scanner.jar ~/workflow-support-plugin/                                    
== Inline Event Handler (Java)
File: /Users/danielbeck/workflow-support-plugin/src/main/java/org/jenkinsci/plugins/workflow/support/steps/input/POSTHyperlinkNote.java +
Line: 86
----
onclick=\"fetch(decodeURIComponent(atob('"
----

== Inline Event Handler (Java)
File: /Users/danielbeck/workflow-support-plugin/src/main/java/org/jenkinsci/plugins/workflow/support/steps/input/POSTHyperlinkNote.java +
Line: 87
----
onclick='fetch(decodeURIComponent(atob('"
----

== Inline Event Handler (Java)
File: /Users/danielbeck/workflow-support-plugin/src/main/java/org/jenkinsci/plugins/workflow/support/steps/input/POSTHyperlinkNote.java +
Line: 88
----
onclick=fetch(decodeURIComponent(atob('"
----

Are you misinterpreting the quote matching that accounts for all hits in a Java source file necessarily being part of a double-quoted Java string as being part of the HTML attribute match?

Hm, I've also checked and all of the cases are matched. Then I should revisit the regex I'm adding, likely can be simplified.

yaroslavafenkin · 2024-11-22T16:04:16Z

src/main/java/io/jenkins/security/csp/Scanner.java

@@ -36,7 +36,9 @@ public class Scanner {
    // Examples indicate trying to match open-paren would be too restrictive:
    // https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/eval#direct_and_indirect_eval
    // geval is defined in hudson-behavior.js
-    protected static final Map<String, Pattern> JS_PATTERNS = Map.of("(g)eval Call", Pattern.compile("\\Wg?eval\\W"));
+    protected static final Map<String, Pattern> JS_PATTERNS = Map.of("(g)eval Call", Pattern.compile("\\Wg?eval\\W"),
+            "Inline Event Handler (JavaScript)", Pattern.compile("[\\s+]" + JS_EVENT_ATTRIBUTES + ".*?((?<!\\\\)['\"]?)[_\\w]+\\s*\\(", Pattern.CASE_INSENSITIVE),


Suggested change

"Inline Event Handler (JavaScript)", Pattern.compile("[\\s+]" + JS_EVENT_ATTRIBUTES + ".*?((?<!\\\\)['\"]?)[_\\w]+\\s*\$", Pattern.CASE_INSENSITIVE),

"Inline Event Handler (JavaScript)", Pattern.compile("[\\s+]" + JS_EVENT_ATTRIBUTES + "=.*(['"]?)[$_\\w]+\\s*\\(", Pattern.CASE_INSENSITIVE),

Could simplify to this. [$_\\w]+ is not a complete regex for valid JS identifiers though. But maybe good enough?

Can also be

Suggested change

"Inline Event Handler (JavaScript)", Pattern.compile("[\\s+]" + JS_EVENT_ATTRIBUTES + ".*?((?<!\\\$['\"]?)[_\\w]+\\s*\\(", Pattern.CASE_INSENSITIVE),

"Inline Event Handler (JavaScript)", Pattern.compile("[\\s+]" + JS_EVENT_ATTRIBUTES + "=.*(['"]?)", Pattern.CASE_INSENSITIVE),

This will match the rest of the line after the handler.

Match inline event handlers in JavaScript files

de8678c

yaroslavafenkin commented Nov 21, 2024

View reviewed changes

yaroslavafenkin commented Nov 22, 2024

View reviewed changes

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Match inline event handlers in JavaScript files #18

Match inline event handlers in JavaScript files #18

yaroslavafenkin commented Nov 21, 2024

yaroslavafenkin commented Nov 21, 2024 •

edited

Loading

yaroslavafenkin Nov 21, 2024

daniel-beck commented Nov 22, 2024

yaroslavafenkin commented Nov 22, 2024

daniel-beck commented Nov 22, 2024 •

edited

Loading

yaroslavafenkin commented Nov 22, 2024

yaroslavafenkin Nov 22, 2024

	"Inline Event Handler (JavaScript)", Pattern.compile("[\\s+]" + JS_EVENT_ATTRIBUTES + ".?((?<!\\\\)['\"]?)[_\\w]+\\s\\(", Pattern.CASE_INSENSITIVE),
	"Inline Event Handler (JavaScript)", Pattern.compile("[\\s+]" + JS_EVENT_ATTRIBUTES + "=.(['"]?)[$_\\w]+\\s\\(", Pattern.CASE_INSENSITIVE),

Match inline event handlers in JavaScript files #18

Are you sure you want to change the base?

Match inline event handlers in JavaScript files #18

Conversation

yaroslavafenkin commented Nov 21, 2024

yaroslavafenkin commented Nov 21, 2024 • edited Loading

yaroslavafenkin Nov 21, 2024

Choose a reason for hiding this comment

daniel-beck commented Nov 22, 2024

yaroslavafenkin commented Nov 22, 2024

daniel-beck commented Nov 22, 2024 • edited Loading

yaroslavafenkin commented Nov 22, 2024

yaroslavafenkin Nov 22, 2024

Choose a reason for hiding this comment

yaroslavafenkin commented Nov 21, 2024 •

edited

Loading

daniel-beck commented Nov 22, 2024 •

edited

Loading