hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-25 16:55:19 +02:00
Code Issues Packages Projects Releases Wiki Activity

JS: Add query ID to some alerts

Browse Source
This commit is contained in:
Asger F
2025-02-12 12:40:27 +01:00
parent 86932c51bc
commit 0453ded338
8 changed files with 87 additions and 87 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/express.js
View File

@@ -3,15 +3,15 @@ var express = require('express');
var app = express();
app.get('/some/path', function(req, res) {
var f = new Function("return wibbles[" + req.param("wobble") + "];"); // $ Alert
require("vm").runInThisContext("return wibbles[" + req.param("wobble") + "];"); // $ Alert
var f = new Function("return wibbles[" + req.param("wobble") + "];"); // $ Alert[js/code-injection]
require("vm").runInThisContext("return wibbles[" + req.param("wobble") + "];"); // $ Alert[js/code-injection]
var runC = require("vm").runInNewContext;
runC("return wibbles[" + req.param("wobble") + "];"); // $ Alert
runC("return wibbles[" + req.param("wobble") + "];"); // $ Alert[js/code-injection]
var vm = require("vm");
vm.compileFunction(req.param("code_compileFunction")); // $ Alert
var script = new vm.Script(req.param("code_Script")); // $ Alert
var mdl = new vm.SourceTextModule(req.param("code_SourceTextModule")); // $ Alert
vm.runInContext(req.param("code_runInContext"), vm.createContext()); // $ Alert
vm.compileFunction(req.param("code_compileFunction")); // $ Alert[js/code-injection]
var script = new vm.Script(req.param("code_Script")); // $ Alert[js/code-injection]
var mdl = new vm.SourceTextModule(req.param("code_SourceTextModule")); // $ Alert[js/code-injection]
vm.runInContext(req.param("code_runInContext"), vm.createContext()); // $ Alert[js/code-injection]
});
const cp = require('child_process');

14
javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/tst.js
View File

@@ -1,6 +1,6 @@
eval(document.location.href.substring(document.location.href.indexOf("default=")+8)) // $ Alert
eval(document.location.href.substring(document.location.href.indexOf("default=")+8)) // $ Alert[js/code-injection]
setTimeout(document.location.hash); // $ Alert
setTimeout(document.location.hash); // $ Alert[js/code-injection]
setTimeout(document.location.protocol);
@@ -8,15 +8,15 @@ setTimeout(document.location.protocol);
$('. ' + document.location.hostname);
Function(document.location.search.replace(/.*\bfoo\s*=\s*([^;]*).*/, "$1")); // $ Alert
Function(document.location.search.replace(/.*\bfoo\s*=\s*([^;]*).*/, "$1")); // $ Alert[js/code-injection]
WebAssembly.compile(document.location.hash); // $ Alert
WebAssembly.compile(document.location.hash); // $ Alert[js/code-injection]
WebAssembly.compileStreaming(document.location.hash); // $ Alert
WebAssembly.compileStreaming(document.location.hash); // $ Alert[js/code-injection]
eval(atob(document.location.hash.substring(1))); // $ Alert
eval(atob(document.location.hash.substring(1))); // $ Alert[js/code-injection]
$('<a>').attr("onclick", location.search.substring(1)); // $ Alert
$('<a>').attr("onclick", location.search.substring(1)); // $ Alert[js/code-injection]
(function test() {
var source = document.location.search.replace(/.*\bfoo\s*=\s*([^;]*).*/, "$1");

16
javascript/ql/test/query-tests/Security/CWE-116/IncompleteSanitization/UnsafeHtmlExpansion.js
View File

@@ -6,28 +6,28 @@
html.replace(
/<(?!area|br|col|embed|hr|img|input|link|meta|param)(([a-z][^\/\0>\x20\t\r\n\f]*)[^>]*)\/>/gi,
expanded
); // $ Alert
html.replace(/<(([a-z][^\/\0>\x20\t\r\n\f]*)[^>]*)\/>/gi, expanded); // $ Alert
); // $ Alert[js/unsafe-html-expansion]
html.replace(/<(([a-z][^\/\0>\x20\t\r\n\f]*)[^>]*)\/>/gi, expanded); // $ Alert[js/unsafe-html-expansion]
// lib2
html.replace(
/<(?!area|br|col|embed|hr|img|input|link|meta|param)(([\w:]+)[^>]*)\/>/gi,
expanded
); // $ Alert
html.replace(/<(([\w:]+)[^>]*)\/>/gi, expanded); // $ Alert
); // $ Alert[js/unsafe-html-expansion]
html.replace(/<(([\w:]+)[^>]*)\/>/gi, expanded); // $ Alert[js/unsafe-html-expansion]
// lib3
html.replace(
/<(?!area|br|col|embed|hr|img|input|link|meta|param)(([\w:-]+)[^>]*)\/>/gi,
expanded
); // $ Alert
html.replace(/<(([\w:-]+)[^>]*)\/>/gi, expanded); // $ Alert
); // $ Alert[js/unsafe-html-expansion]
html.replace(/<(([\w:-]+)[^>]*)\/>/gi, expanded); // $ Alert[js/unsafe-html-expansion]
html.replace(defaultPattern, expanded); // $ Alert
html.replace(defaultPattern, expanded); // $ Alert[js/unsafe-html-expansion]
function getPattern() {
return defaultPattern;
}
html.replace(getPattern(), expanded); // $ Alert
html.replace(getPattern(), expanded); // $ Alert[js/unsafe-html-expansion]
function getExpanded() {
return expanded;

80
javascript/ql/test/query-tests/Security/CWE-116/IncompleteSanitization/tst-multi-character-sanitization.js
View File

@@ -1,14 +1,14 @@
// CVE-2019-10756
(function(content) {
content = content.replace(/<.*cript.*\/scrip.*>/gi, ""); // $ Alert
content = content.replace(/ on\w+=".*"/g, ""); // $ Alert
content = content.replace(/ on\w+=\'.*\'/g, ""); // $ Alert
content = content.replace(/<.*cript.*\/scrip.*>/gi, ""); // $ Alert[js/incomplete-multi-character-sanitization]
content = content.replace(/ on\w+=".*"/g, ""); // $ Alert[js/incomplete-multi-character-sanitization]
content = content.replace(/ on\w+=\'.*\'/g, ""); // $ Alert[js/incomplete-multi-character-sanitization]
return content;
});
(function(content) {
content = content.replace(/<.*cript.*/gi, ""); // $ Alert
content = content.replace(/.on\w+=.*".*"/g, ""); // $ Alert
content = content.replace(/.on\w+=.*\'.*\'/g, ""); // $ Alert
content = content.replace(/<.*cript.*/gi, ""); // $ Alert[js/incomplete-multi-character-sanitization]
content = content.replace(/.on\w+=.*".*"/g, ""); // $ Alert[js/incomplete-multi-character-sanitization]
content = content.replace(/.on\w+=.*\'.*\'/g, ""); // $ Alert[js/incomplete-multi-character-sanitization]
return content;
});
@@ -16,13 +16,13 @@
// CVE-2020-7656
(function(responseText) {
var rscript = /<script\b[^<]*(?:(?!<\/script>)<[^<]*)*<\/script>/gi;
responseText.replace(rscript, ""); // $ Alert
responseText.replace(rscript, ""); // $ Alert[js/incomplete-multi-character-sanitization]
return responseText;
});
// CVE-2019-1010091
(function(text) {
text = text.replace(/<!--|--!?>/g, ""); // $ Alert
text = text.replace(/<!--|--!?>/g, ""); // $ Alert[js/incomplete-multi-character-sanitization]
return text;
});
(function(text) {
@@ -46,7 +46,7 @@
// CVE-2019-8903
(function(req) {
var REG_TRAVEL = /(\/)?\.\.\//g;
req.url = req.url.replace(REG_TRAVEL, ""); // $ Alert
req.url = req.url.replace(REG_TRAVEL, ""); // $ Alert[js/incomplete-multi-character-sanitization]
});
(function(req) {
var beg;
@@ -61,9 +61,9 @@
// New cases
(function(x) {
x = x.replace(/<script\b[^<]*(?:(?!<\/script>)<[^<]*)*<\/script>/g, ""); // $ Alert
x = x.replace(/<script\b[^<]*(?:(?!<\/script>)<[^<]*)*<\/script>/g, ""); // $ Alert[js/incomplete-multi-character-sanitization]
x = x.replace(/(\/|\s)on\w+=(\'|")?[^"]*(\'|")?/g, ""); // $ Alert
x = x.replace(/(\/|\s)on\w+=(\'|")?[^"]*(\'|")?/g, ""); // $ Alert[js/incomplete-multi-character-sanitization]
x = x.replace(/<\/script>/g, "");
@@ -72,19 +72,19 @@
x = x.replace(/<(ul|ol)><\/(ul|ol)>/gi, "");
x = x.replace(/<li><\/li>/gi, "");
x = x.replace(/<!--(.*?)-->/gm, ""); // $ Alert
x = x.replace(/\sng-[a-z-]+/, ""); // $ Alert
x = x.replace(/\sng-[a-z-]+/g, ""); // $ Alert - ng-attributes
x = x.replace(/<!--(.*?)-->/gm, ""); // $ Alert[js/incomplete-multi-character-sanitization]
x = x.replace(/\sng-[a-z-]+/, ""); // $ Alert[js/incomplete-multi-character-sanitization]
x = x.replace(/\sng-[a-z-]+/g, ""); // $ Alert[js/incomplete-multi-character-sanitization] - ng-attributes
x = x.replace(/(<!--\[CDATA\[|\]\]-->)/g, "\n"); // OK - not a sanitizer
x = x.replace(/<script.+desktop\-only.+<\/script>/g, ""); // $ SPURIOUS: Alert
x = x.replace(/<script.+desktop\-only.+<\/script>/g, ""); // $ SPURIOUS: Alert[js/incomplete-multi-character-sanitization]
x = x.replace(/<script async.+?<\/script>/g, "");
x = x.replace(/<!--[\s\S]*?-->|<\?(?:php)?[\s\S]*?\?>/gi, ""); // $ Alert
x = x.replace(/<!--[\s\S]*?-->|<\?(?:php)?[\s\S]*?\?>/gi, ""); // $ Alert[js/incomplete-multi-character-sanitization]
x = x.replace(/\x2E\x2E\x2F\x2E\x2E\x2F/g, ""); // $ Alert - matches "../../"
x = x.replace(/\x2E\x2E\x2F\x2E\x2E\x2F/g, ""); // $ Alert[js/incomplete-multi-character-sanitization] - matches "../../"
x = x.replace(/<script.*>.*<\/script>/gi, ""); // $ Alert
x = x.replace(/<script.*>.*<\/script>/gi, ""); // $ Alert[js/incomplete-multi-character-sanitization]
x = x.replace(/^(\.\.\/?)+/g, "");
@@ -97,17 +97,17 @@
x = x.replace(/<\/?([a-z][a-z0-9]*)\b[^>]*>/gi, ""); // $ MISSING: Alert
x = x.replace(/\.\./g, "");
x = x.replace(/\.\.\//g, ""); // $ Alert
x = x.replace(/\/\.\./g, ""); // $ Alert
x = x.replace(/\.\.\//g, ""); // $ Alert[js/incomplete-multi-character-sanitization]
x = x.replace(/\/\.\./g, ""); // $ Alert[js/incomplete-multi-character-sanitization]
x = x.replace(/<script(.*?)>([\s\S]*?)<\/script>/gi, ""); // $ Alert
x = x.replace(/<script(.*?)>([\s\S]*?)<\/script>/gi, ""); // $ Alert[js/incomplete-multi-character-sanitization]
x = x.replace(/<(script|del)(?=[\s>])[\w\W]*?<\/\1\s*>/gi, ""); // $ Alert
x = x.replace(/\<script[\s\S]*?\>[\s\S]*?\<\/script\>/g, ""); // $ Alert
x = x.replace(/<(script|style|title)[^<]+<\/(script|style|title)>/gm, ""); // $ Alert
x = x.replace(/<script[^>]*>([\s\S]*?)<\/script>/gi, ""); // $ Alert
x = x.replace(/<script[\s\S]*?<\/script>/gi, ""); // $ Alert
x = x.replace(/ ?<!-- ?/g, ""); // $ Alert
x = x.replace(/<(script|del)(?=[\s>])[\w\W]*?<\/\1\s*>/gi, ""); // $ Alert[js/incomplete-multi-character-sanitization]
x = x.replace(/\<script[\s\S]*?\>[\s\S]*?\<\/script\>/g, ""); // $ Alert[js/incomplete-multi-character-sanitization]
x = x.replace(/<(script|style|title)[^<]+<\/(script|style|title)>/gm, ""); // $ Alert[js/incomplete-multi-character-sanitization]
x = x.replace(/<script[^>]*>([\s\S]*?)<\/script>/gi, ""); // $ Alert[js/incomplete-multi-character-sanitization]
x = x.replace(/<script[\s\S]*?<\/script>/gi, ""); // $ Alert[js/incomplete-multi-character-sanitization]
x = x.replace(/ ?<!-- ?/g, ""); // $ Alert[js/incomplete-multi-character-sanitization]
x = x.replace(/require\('\.\.\/common'\);/g, "");
x = x.replace(/\.\.\/\.\.\/lib\//g, "");
@@ -125,32 +125,32 @@
x = x
.replace(/^\.\//, "")
.replace(/\/\.\//, "/")
.replace(/[^\/]*\/\.\.\//, ""); // $ Alert
.replace(/[^\/]*\/\.\.\//, ""); // $ Alert[js/incomplete-multi-character-sanitization]
return x;
});
(function (content) {
content.replace(/<script.*\/script>/gi, ""); // $ Alert
content.replace(/<(script).*\/script>/gi, ""); // $ Alert
content.replace(/.+<(script).*\/script>/gi, ""); // $ Alert
content.replace(/.*<(script).*\/script>/gi, ""); // $ Alert
content.replace(/<script.*\/script>/gi, ""); // $ Alert[js/incomplete-multi-character-sanitization]
content.replace(/<(script).*\/script>/gi, ""); // $ Alert[js/incomplete-multi-character-sanitization]
content.replace(/.+<(script).*\/script>/gi, ""); // $ Alert[js/incomplete-multi-character-sanitization]
content.replace(/.*<(script).*\/script>/gi, ""); // $ Alert[js/incomplete-multi-character-sanitization]
});
(function (content) {
content = content.replace(/<script[\s\S]*?<\/script>/gi, ""); // $ Alert
content = content.replace(/<[a-zA-Z\/](.|\n)*?>/g, '') || ' '; // $ Alert
content = content.replace(/<(script|iframe|video)[\s\S]*?<\/(script|iframe|video)>/g, '') // $ Alert
content = content.replace(/<(script|iframe|video)(.|\s)*?\/(script|iframe|video)>/g, '') // $ Alert
content = content.replace(/<script[\s\S]*?<\/script>/gi, ""); // $ Alert[js/incomplete-multi-character-sanitization]
content = content.replace(/<[a-zA-Z\/](.|\n)*?>/g, '') || ' '; // $ Alert[js/incomplete-multi-character-sanitization]
content = content.replace(/<(script|iframe|video)[\s\S]*?<\/(script|iframe|video)>/g, '') // $ Alert[js/incomplete-multi-character-sanitization]
content = content.replace(/<(script|iframe|video)(.|\s)*?\/(script|iframe|video)>/g, '') // $ Alert[js/incomplete-multi-character-sanitization]
content = content.replace(/<[^<]*>/g, "");
n.cloneNode(false).outerHTML.replace(/<\/?[\w:\-]+ ?|=[\"][^\"]+\"|=\'[^\']+\'|=[\w\-]+|>/gi, '').replace(/[\w:\-]+/gi, function(a) { // $ Alert
n.cloneNode(false).outerHTML.replace(/<\/?[\w:\-]+ ?|=[\"][^\"]+\"|=\'[^\']+\'|=[\w\-]+|>/gi, '').replace(/[\w:\-]+/gi, function(a) { // $ Alert[js/incomplete-multi-character-sanitization]
o.push({specified : 1, nodeName : a});
});
n.cloneNode(false).outerHTML.replace(/<\/?[\w:\-]+ ?|=[\"][^\"]+\"|=\'[^\']+\'|=[\w\-]+|>/gi, '').replace(/[\w:\-]+/gi, function(a) { // $ Alert
n.cloneNode(false).outerHTML.replace(/<\/?[\w:\-]+ ?|=[\"][^\"]+\"|=\'[^\']+\'|=[\w\-]+|>/gi, '').replace(/[\w:\-]+/gi, function(a) { // $ Alert[js/incomplete-multi-character-sanitization]
o.push({specified : 1, nodeName : a});
});
});
content = content.replace(/.+?(?=\s)/, '');
});
});

6
javascript/ql/test/query-tests/Security/CWE-200/bufferRead.js
View File

@@ -29,12 +29,12 @@ fs.exists(fileName, function (exists) {
res.setEncoding('utf8');
});
req.write(postData); // $ Alert - write data from file to request body
req.end();
req.write(postData); // $ Alert[js/file-access-to-http] - write data from file to request body
req.end();
});
fs.close(fd);
});
});
}
});
});

26
javascript/ql/test/query-tests/Security/CWE-327/bad-random.js
View File

@@ -1,17 +1,17 @@
const crypto = require('crypto');
var bad = crypto.randomBytes(1)[0] + crypto.randomBytes(1)[0]; // $ Alert
var bad = crypto.randomBytes(1)[0] * crypto.randomBytes(1)[0]; // $ Alert
var bad = crypto.randomBytes(1)[0] + crypto.randomBytes(1)[0]; // $ Alert[js/biased-cryptographic-random]
var bad = crypto.randomBytes(1)[0] * crypto.randomBytes(1)[0]; // $ Alert[js/biased-cryptographic-random]
const buffer = crypto.randomBytes(bytes);
const digits = [];
for (let i = 0; i < buffer.length; ++i) {
digits.push(Math.floor(buffer[i] / 25.6)); // $ Alert
digits.push(Math.floor(buffer[i] / 25.6)); // $ Alert[js/biased-cryptographic-random]
digits.push(buffer[i] % 8); // OK - input is a random byte, so the output is a uniformly random number between 0 and 7.
digits.push(buffer[i] % 100); // $ Alert
digits.push(buffer[i] % 100); // $ Alert[js/biased-cryptographic-random]
}
var bad = Number('0.' + crypto.randomBytes(3).readUIntBE(0, 3)); // $ Alert
var bad = Number('0.' + crypto.randomBytes(3).readUIntBE(0, 3)); // $ Alert[js/biased-cryptographic-random]
var good = Number(10 + crypto.randomBytes(3).readUIntBE(0, 3));
const internals = {};
@@ -70,30 +70,30 @@ function setSteps() {
const buffer = crypto.randomBytes(bytes);
const digits = [];
for (const byte of buffer.values()) {
digits.push(Math.floor(byte / 25.6)); // $ Alert
digits.push(Math.floor(byte / 25.6)); // $ Alert[js/biased-cryptographic-random]
digits.push(byte % 8); // OK - 8 is a power of 2, so the result is unbiased.
digits.push(byte % 100); // $ Alert
digits.push(byte % 100); // $ Alert[js/biased-cryptographic-random]
}
}
const secureRandom = require("secure-random");
var bad = secureRandom(10)[0] + secureRandom(10)[0]; // $ Alert
var bad = secureRandom(10)[0] + secureRandom(10)[0]; // $ Alert[js/biased-cryptographic-random]
var goodRandom1 = 5 + secureRandom(10)[0];
var goodRandom2 = 5 + secureRandom(10)[0];
var bad = goodRandom1 + goodRandom2; // $ Alert
var bad = goodRandom1 + goodRandom2; // $ Alert[js/biased-cryptographic-random]
var dontFlag = bad + bad; // OK - the operands have already been flagged - but flagged anyway due to us not detecting that [INCONSISTENCY].
var dontFlag = bad + bad; // $ Alert[js/biased-cryptographic-random] - OK - the operands have already been flagged - but flagged anyway due to us not detecting that [INCONSISTENCY].
var good = secureRandom(10)[0] / 0xff; // OK - result is not rounded.
var good = Math.ceil(0.5 - (secureRandom(10)[0] / 25.6)); // $ Alert - division generally introduces bias - but not flagged due to not looking through nested arithmetic.
var good = Math.ceil(0.5 - (secureRandom(10)[0] / 25.6)); // $ Alert[js/biased-cryptographic-random] - division generally introduces bias - but not flagged due to not looking through nested arithmetic.
var good = (crypto.randomBytes(1)[0] << 8) + crypto.randomBytes(3)[0]; // OK - bit shifts are usually used to construct larger/smaller numbers,
var good = Math.floor(max * (crypto.randomBytes(1)[0] / 0xff)); // OK - division by 0xff (255) gives a uniformly random number between 0 and 1.
var bad = Math.floor(max * (crypto.randomBytes(1)[0] / 100)); // $ Alert - division by 100 gives bias - but not flagged due to not looking through nested arithmetic.
var bad = Math.floor(max * (crypto.randomBytes(1)[0] / 100)); // $ Alert[js/biased-cryptographic-random] - division by 100 gives bias - but not flagged due to not looking through nested arithmetic.
var crb = crypto.randomBytes(4);
var cryptoRand = 0x01000000 * crb[0] + 0x00010000 * crb[1] + 0x00000100 * crb[2] + 0x00000001 * crb[3]; // OK - producing a larger number from smaller numbers.
@@ -115,7 +115,7 @@ var foo = 0xffffffffffff + 0xfffffffffff + 0xffffffffff + 0xfffffffff + 0xffffff
// Bad documentation example:
const digits = [];
for (let i = 0; i < 10; i++) {
digits.push(crypto.randomBytes(1)[0] % 10); // $ Alert
digits.push(crypto.randomBytes(1)[0] % 10); // $ Alert[js/biased-cryptographic-random]
}
// Good documentation example:

6
javascript/ql/test/query-tests/Security/CWE-400/ReDoS/jsonschema.js
View File

@@ -2,7 +2,7 @@ import Ajv from 'ajv';
let thing = {
type: 'string',
pattern: '(a?a?)*b' // $ Alert
pattern: '(a?a?)*b' // $ Alert[js/redos]
}
new Ajv().addSchema(thing, 'thing');
@@ -12,12 +12,12 @@ export default {
properties: {
foo: {
type: "string",
pattern: "(a?a?)*b" // $ Alert
pattern: "(a?a?)*b" // $ Alert[js/redos]
},
bar: {
type: "object",
patternProperties: {
"(a?a?)*b": { // $ Alert
"(a?a?)*b": { // $ Alert[js/redos]
type: "number"
}
}

12
javascript/ql/test/query-tests/Security/CWE-730/RegExpInjection.js
View File

@@ -4,7 +4,7 @@ var URI = require("urijs");
app.get('/findKey', function(req, res) {
var key = req.param("key"), input = req.param("input");
var re = new RegExp("\\b" + key + "=(.*)\n"); // $ Alert - Unsanitized user input is used to construct a regular expression
var re = new RegExp("\\b" + key + "=(.*)\n"); // $ Alert[js/regex-injection] - Unsanitized user input is used to construct a regular expression
function wrap(s) {
return "\\b" + wrap2(s);
@@ -14,16 +14,16 @@ app.get('/findKey', function(req, res) {
return s + "=(.*)\n";
}
new RegExp(wrap(key)); // $ Alert
new RegExp(wrap(key)); // $ Alert - duplicated to test precision of flow tracking
new RegExp(wrap(key)); // $ Alert[js/regex-injection]
new RegExp(wrap(key)); // $ Alert[js/regex-injection] - duplicated to test precision of flow tracking
function getKey() {
return req.param("key");
}
new RegExp(getKey()); // $ Alert
new RegExp(getKey()); // $ Alert[js/regex-injection]
function mkRegExp(s) {
return new RegExp(s); // $ Alert
return new RegExp(s); // $ Alert[js/regex-injection]
}
mkRegExp(key);
mkRegExp(getKey());
@@ -93,7 +93,7 @@ app.get("argv", function(req, res) {
var sanitized = input.replace(new RegExp("[\\-\\[\\]\\/\\{\\}\\(\\)\\*\\+\\?\\.\\\\\\^\\$\\|]"), "\\$&");
new RegExp(sanitized); // $ Alert[js/regex-injection]
var sanitized = input.replace(new RegExp("[\\-\\[\\]\\/\\{\\}\\(\\)\\*\\+\\?\\.\\\\\\^\\$\\|]", "g"), "\\$&");
new RegExp(sanitized);