JavaScript DOM XSS via fetch().json() → insertAdjacentHTML not detected by CodeQL #21257
Description
Description of the false positive
We are trying to better understand the design decisions behind JavaScript XSS detection in CodeQL, specifically around taint sources involving network responses.
I have a piece of client-side JavaScript that builds HTML using insertAdjacentHTML with values coming from a fetch().json() response. From an application-security perspective, this is treated as a potential DOM XSS risk in our project, but CodeQL does not report it.
I’d like to confirm whether this behavior is by design, and if so, what the recommended way is to model this trust boundary.
Code samples or links to source code
function loadMessageLogs(pageSize, continuationToken) {
let url = '?handler=LoadMessageLogs&pageSize=' + pageSize;
if (continuationToken)
url += '&continuationToken=' + encodeURIComponent(continuationToken);
fetch(url)
.then(response => response.json())
.then(data => {
const tbody = document.querySelector("#tblMessageLogs tbody");
tbody.innerHTML = "";
if (!data.items || data.items.length === 0) {
messageLogs.hidden = true;
noMessageLogs.hidden = false;
}
else {
data.items.forEach(item => {
const link = `<a href="/MessageLogs/Details/${item.messageId}">View message</a>`;
const row = `<tr>
<td>${item.createdDate}</td>
<td>${item.messageId}</td>
<td>${item.interfaceId ?? ''}</td>
<td>${item.target ?? ''}</td>
<td>${item.mpanCore ?? ''}</td>
<td>${item.meterId ?? ''}</td>
<td>${link}</td>
</tr>`;
tbody.insertAdjacentHTML('beforeend', row);
});
PagingModule.updatePaging(data.continuationToken)
messageLogs.hidden = false;
noMessageLogs.hidden = true;
}
});
}
In our case, data.items[*] ultimately contains data that may originate from user input stored and returned by the backend.
- We are running the javascript-security-extended query suite.
- No XSS issue is reported for this code.