hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-30 19:26:02 +02:00
Code Issues Packages Projects Releases Wiki Activity

JS: Add isMiddlewareSetup() hook to Routing model

Browse Source
This commit is contained in:
Asger F
2025-04-22 12:00:02 +02:00
parent 5c3556da66
commit 00661b62dc
5 changed files with 77 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/CodeInjection.expected
View File

@@ -51,8 +51,14 @@
| fastify.js:58:44:58:52 | userInput | fastify.js:57:21:57:39 | request.query.input | fastify.js:58:44:58:52 | userInput | This code execution depends on a $@. | fastify.js:57:21:57:39 | request.query.input | user-provided value |
| fastify.js:59:23:59:31 | userInput | fastify.js:57:21:57:33 | request.query | fastify.js:59:23:59:31 | userInput | This code execution depends on a $@. | fastify.js:57:21:57:33 | request.query | user-provided value |
| fastify.js:59:23:59:31 | userInput | fastify.js:57:21:57:39 | request.query.input | fastify.js:59:23:59:31 | userInput | This code execution depends on a $@. | fastify.js:57:21:57:39 | request.query.input | user-provided value |
| fastify.js:71:34:71:51 | request.storedCode | fastify.js:66:24:66:36 | request.query | fastify.js:71:34:71:51 | request.storedCode | This code execution depends on a $@. | fastify.js:66:24:66:36 | request.query | user-provided value |
| fastify.js:71:34:71:51 | request.storedCode | fastify.js:66:24:66:47 | request ... redCode | fastify.js:71:34:71:51 | request.storedCode | This code execution depends on a $@. | fastify.js:66:24:66:47 | request ... redCode | user-provided value |
| fastify.js:71:34:71:51 | request.storedCode | fastify.js:71:34:71:51 | request.storedCode | fastify.js:71:34:71:51 | request.storedCode | This code execution depends on a $@. | fastify.js:71:34:71:51 | request.storedCode | user-provided value |
| fastify.js:84:30:84:43 | reply.userCode | fastify.js:79:20:79:32 | request.query | fastify.js:84:30:84:43 | reply.userCode | This code execution depends on a $@. | fastify.js:79:20:79:32 | request.query | user-provided value |
| fastify.js:84:30:84:43 | reply.userCode | fastify.js:79:20:79:42 | request ... plyCode | fastify.js:84:30:84:43 | reply.userCode | This code execution depends on a $@. | fastify.js:79:20:79:42 | request ... plyCode | user-provided value |
| fastify.js:84:30:84:43 | reply.userCode | fastify.js:84:30:84:43 | reply.userCode | fastify.js:84:30:84:43 | reply.userCode | This code execution depends on a $@. | fastify.js:84:30:84:43 | reply.userCode | user-provided value |
| fastify.js:99:30:99:52 | reply.l ... tedCode | fastify.js:94:29:94:41 | request.query | fastify.js:99:30:99:52 | reply.l ... tedCode | This code execution depends on a $@. | fastify.js:94:29:94:41 | request.query | user-provided value |
| fastify.js:99:30:99:52 | reply.l ... tedCode | fastify.js:94:29:94:51 | request ... plyCode | fastify.js:99:30:99:52 | reply.l ... tedCode | This code execution depends on a $@. | fastify.js:94:29:94:51 | request ... plyCode | user-provided value |
| fastify.js:99:30:99:52 | reply.l ... tedCode | fastify.js:99:30:99:52 | reply.l ... tedCode | fastify.js:99:30:99:52 | reply.l ... tedCode | This code execution depends on a $@. | fastify.js:99:30:99:52 | reply.l ... tedCode | user-provided value |
| module.js:9:16:9:29 | req.query.code | module.js:9:16:9:29 | req.query.code | module.js:9:16:9:29 | req.query.code | This code execution depends on a $@. | module.js:9:16:9:29 | req.query.code | user-provided value |
| module.js:11:17:11:30 | req.query.code | module.js:11:17:11:30 | req.query.code | module.js:11:17:11:30 | req.query.code | This code execution depends on a $@. | module.js:11:17:11:30 | req.query.code | user-provided value |
@@ -136,6 +142,12 @@ edges
| fastify.js:57:9:57:39 | userInput | fastify.js:59:23:59:31 | userInput | provenance | |
| fastify.js:57:21:57:33 | request.query | fastify.js:57:9:57:39 | userInput | provenance | |
| fastify.js:57:21:57:39 | request.query.input | fastify.js:57:9:57:39 | userInput | provenance | |
| fastify.js:66:24:66:36 | request.query | fastify.js:66:24:66:47 | request ... redCode | provenance | |
| fastify.js:66:24:66:47 | request ... redCode | fastify.js:71:34:71:51 | request.storedCode | provenance | |
| fastify.js:79:20:79:32 | request.query | fastify.js:79:20:79:42 | request ... plyCode | provenance | |
| fastify.js:79:20:79:42 | request ... plyCode | fastify.js:84:30:84:43 | reply.userCode | provenance | |
| fastify.js:94:29:94:41 | request.query | fastify.js:94:29:94:51 | request ... plyCode | provenance | |
| fastify.js:94:29:94:51 | request ... plyCode | fastify.js:99:30:99:52 | reply.l ... tedCode | provenance | |
| react-native.js:7:7:7:33 | tainted | react-native.js:8:32:8:38 | tainted | provenance | |
| react-native.js:7:7:7:33 | tainted | react-native.js:10:23:10:29 | tainted | provenance | |
| react-native.js:7:17:7:33 | req.param("code") | react-native.js:7:7:7:33 | tainted | provenance | |
@@ -250,8 +262,14 @@ nodes
| fastify.js:57:21:57:39 | request.query.input | semmle.label | request.query.input |
| fastify.js:58:44:58:52 | userInput | semmle.label | userInput |
| fastify.js:59:23:59:31 | userInput | semmle.label | userInput |
| fastify.js:66:24:66:36 | request.query | semmle.label | request.query |
| fastify.js:66:24:66:47 | request ... redCode | semmle.label | request ... redCode |
| fastify.js:71:34:71:51 | request.storedCode | semmle.label | request.storedCode |
| fastify.js:79:20:79:32 | request.query | semmle.label | request.query |
| fastify.js:79:20:79:42 | request ... plyCode | semmle.label | request ... plyCode |
| fastify.js:84:30:84:43 | reply.userCode | semmle.label | reply.userCode |
| fastify.js:94:29:94:41 | request.query | semmle.label | request.query |
| fastify.js:94:29:94:51 | request ... plyCode | semmle.label | request ... plyCode |
| fastify.js:99:30:99:52 | reply.l ... tedCode | semmle.label | reply.l ... tedCode |
| module.js:9:16:9:29 | req.query.code | semmle.label | req.query.code |
| module.js:11:17:11:30 | req.query.code | semmle.label | req.query.code |

12
javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/HeuristicSourceCodeInjection.expected
View File

@@ -45,6 +45,12 @@ edges
| fastify.js:57:9:57:39 | userInput | fastify.js:59:23:59:31 | userInput | provenance | |
| fastify.js:57:21:57:33 | request.query | fastify.js:57:9:57:39 | userInput | provenance | |
| fastify.js:57:21:57:39 | request.query.input | fastify.js:57:9:57:39 | userInput | provenance | |
| fastify.js:66:24:66:36 | request.query | fastify.js:66:24:66:47 | request ... redCode | provenance | |
| fastify.js:66:24:66:47 | request ... redCode | fastify.js:71:34:71:51 | request.storedCode | provenance | |
| fastify.js:79:20:79:32 | request.query | fastify.js:79:20:79:42 | request ... plyCode | provenance | |
| fastify.js:79:20:79:42 | request ... plyCode | fastify.js:84:30:84:43 | reply.userCode | provenance | |
| fastify.js:94:29:94:41 | request.query | fastify.js:94:29:94:51 | request ... plyCode | provenance | |
| fastify.js:94:29:94:51 | request ... plyCode | fastify.js:99:30:99:52 | reply.l ... tedCode | provenance | |
| react-native.js:7:7:7:33 | tainted | react-native.js:8:32:8:38 | tainted | provenance | |
| react-native.js:7:7:7:33 | tainted | react-native.js:10:23:10:29 | tainted | provenance | |
| react-native.js:7:17:7:33 | req.param("code") | react-native.js:7:7:7:33 | tainted | provenance | |
@@ -161,8 +167,14 @@ nodes
| fastify.js:57:21:57:39 | request.query.input | semmle.label | request.query.input |
| fastify.js:58:44:58:52 | userInput | semmle.label | userInput |
| fastify.js:59:23:59:31 | userInput | semmle.label | userInput |
| fastify.js:66:24:66:36 | request.query | semmle.label | request.query |
| fastify.js:66:24:66:47 | request ... redCode | semmle.label | request ... redCode |
| fastify.js:71:34:71:51 | request.storedCode | semmle.label | request.storedCode |
| fastify.js:79:20:79:32 | request.query | semmle.label | request.query |
| fastify.js:79:20:79:42 | request ... plyCode | semmle.label | request ... plyCode |
| fastify.js:84:30:84:43 | reply.userCode | semmle.label | reply.userCode |
| fastify.js:94:29:94:41 | request.query | semmle.label | request.query |
| fastify.js:94:29:94:51 | request ... plyCode | semmle.label | request ... plyCode |
| fastify.js:99:30:99:52 | reply.l ... tedCode | semmle.label | reply.l ... tedCode |
| module.js:9:16:9:29 | req.query.code | semmle.label | req.query.code |
| module.js:11:17:11:30 | req.query.code | semmle.label | req.query.code |

6
javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/fastify.js
View File

@@ -63,7 +63,7 @@ fastify.get('/dangerous', async (request, reply) => {
// Store user input in request object
fastify.addHook('preHandler', async (request, reply) => {
request.storedCode = request.query.storedCode;
request.storedCode = request.query.storedCode; // $ Source[js/code-injection]
});
fastify.get('/flow-through-request', async (request, reply) => {
// Use the stored code from previous hook
@@ -76,7 +76,7 @@ fastify.get('/flow-through-request', async (request, reply) => {
// Store user input in reply object
fastify.addHook('onRequest', async (request, reply) => {
reply.userCode = request.query.replyCode;
reply.userCode = request.query.replyCode; // $ Source[js/code-injection]
});
fastify.get('/flow-through-reply', async (request, reply) => {
// Use the code stored in reply object
@@ -91,7 +91,7 @@ fastify.get('/flow-through-reply', async (request, reply) => {
// Store user input in reply object
fastify.addHook('onRequest', async (request, reply) => {
reply.locals = reply.locals || {};
reply.locals.nestedCode = request.query.replyCode;
reply.locals.nestedCode = request.query.replyCode; // $ Source[js/code-injection]
});
fastify.get('/flow-through-reply', async (request, reply) => {
// Use the code stored in reply object