hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-05-01 03:35:13 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'master' of git.semmle.com:Semmle/ql into CVE74

Browse Source
This commit is contained in:
Erik Krogh Kristensen
2020-02-20 12:19:32 +01:00
parent 63036aa444 f6af5da7f7
commit 03e295ef11
9 changed files with 810 additions and 754 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
javascript/ql/test/library-tests/TaintTracking/BasicTaintTracking.expected
View File

@@ -79,6 +79,8 @@ typeInferenceMismatch
| sanitizer-guards.js:43:11:43:18 | source() | sanitizer-guards.js:45:8:45:8 | x |
| sanitizer-guards.js:43:11:43:18 | source() | sanitizer-guards.js:48:10:48:10 | x |
| sanitizer-guards.js:68:11:68:18 | source() | sanitizer-guards.js:75:8:75:8 | x |
| sanitizer-guards.js:79:11:79:18 | source() | sanitizer-guards.js:81:8:81:8 | x |
| sanitizer-guards.js:79:11:79:18 | source() | sanitizer-guards.js:84:10:84:10 | x |
| spread.js:2:15:2:22 | source() | spread.js:4:8:4:19 | { ...taint } |
| spread.js:2:15:2:22 | source() | spread.js:5:8:5:43 | { f: 'h ... orld' } |
| spread.js:2:15:2:22 | source() | spread.js:7:8:7:19 | [ ...taint ] |

3
javascript/ql/test/library-tests/TaintTracking/DataFlowTracking.expected
View File

@@ -54,6 +54,9 @@
| sanitizer-guards.js:43:11:43:18 | source() | sanitizer-guards.js:48:10:48:10 | x |
| sanitizer-guards.js:43:11:43:18 | source() | sanitizer-guards.js:52:10:52:10 | x |
| sanitizer-guards.js:68:11:68:18 | source() | sanitizer-guards.js:75:8:75:8 | x |
| sanitizer-guards.js:79:11:79:18 | source() | sanitizer-guards.js:81:8:81:8 | x |
| sanitizer-guards.js:79:11:79:18 | source() | sanitizer-guards.js:84:10:84:10 | x |
| sanitizer-guards.js:79:11:79:18 | source() | sanitizer-guards.js:86:7:86:7 | x |
| thisAssignments.js:4:17:4:24 | source() | thisAssignments.js:5:10:5:18 | obj.field |
| thisAssignments.js:7:19:7:26 | source() | thisAssignments.js:8:10:8:20 | this.field2 |
| tst.js:2:13:2:20 | source() | tst.js:4:10:4:10 | x |

12
javascript/ql/test/library-tests/TaintTracking/sanitizer-guards.js
View File

@@ -74,3 +74,15 @@ function phi2() {
}
sink(x); // NOT OK
}
function falsy() {
let x = source();
sink(x); // NOT OK
if (x) {
sink(x); // OK (for taint-tracking)
} else {
sink(x); // NOT OK
}
}

1492
javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.expected
View File

File diff suppressed because it is too large Load Diff

25
javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.js
View File

@@ -115,11 +115,34 @@ var server = http.createServer(function(req, res) {
});
var server = http.createServer(function(req, res) {
let path = url.parse(req.url, true).query.path;
if (path) { // sanitization
path = path.replace(/[\]\[*,;'"`<>\\?\/]/g, ''); // remove all invalid characters from states plus slashes
path = path.replace(/\.\./g, ''); // remove all ".."
}
res.write(fs.readFileSync(path)); // OK. Is sanitized above.
});
var server = http.createServer(function(req, res) {
let path = url.parse(req.url, true).query.path;
if (!path) {
} else { // sanitization
path = path.replace(/[\]\[*,;'"`<>\\?\/]/g, ''); // remove all invalid characters from states plus slashes
path = path.replace(/\.\./g, ''); // remove all ".."
}
res.write(fs.readFileSync(path)); // OK. Is sanitized above.
});
var server = http.createServer(function(req, res) {
let path = url.parse(req.url, true).query.path;
require('send')(req, path); // NOT OK
});
var server = http.createServer(function(req, res) {