hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-05-03 20:58:03 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'master' of git.semmle.com:Semmle/ql into FalsySanitizer

Browse Source
This commit is contained in:
Erik Krogh Kristensen
2020-02-07 16:13:02 +01:00
parent 1ece6b9afe 3c8aeb946a
commit 06e13cb3a1
62 changed files with 3424 additions and 1716 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
javascript/ql/test/library-tests/frameworks/LazyCache/LazyCache.expected Normal file
View File

@@ -0,0 +1,7 @@
| bar | tst.js:4:11:4:21 | lazy('bar') |
| bar | tst.js:10:1:10:8 | lazy.bar |
| baz-baz | tst.js:5:1:5:22 | lazy('b ... 'BAZ') |
| baz-baz | tst.js:12:1:12:8 | lazy.BAZ |
| foo | tst.js:3:1:3:11 | lazy('foo') |
| foo | tst.js:7:1:7:8 | lazy.foo |
| lazy-cache | tst.js:1:12:1:32 | require ... cache') |

5
javascript/ql/test/library-tests/frameworks/LazyCache/LazyCache.ql Normal file
View File

@@ -0,0 +1,5 @@
import javascript
query DataFlow::Node moduleImport(string name) {
result = DataFlow::moduleImport(name)
}

12
javascript/ql/test/library-tests/frameworks/LazyCache/tst.js Normal file
View File

@@ -0,0 +1,12 @@
let lazy = require('lazy-cache')(require);
lazy('foo');
let bar = lazy('bar');
lazy('baz-baz', 'BAZ');
lazy.foo();
bar();
lazy.bar();
lazy.BAZ();

219
javascript/ql/test/query-tests/Security/CWE-400/PrototypePollutionUtility.expected
View File

@@ -953,6 +953,95 @@ nodes
| PrototypePollutionUtility/tests.js:437:24:437:28 | value |
| PrototypePollutionUtility/tests.js:437:24:437:28 | value |
| PrototypePollutionUtility/tests.js:437:24:437:28 | value |
| PrototypePollutionUtility/tests.js:442:26:442:28 | dst |
| PrototypePollutionUtility/tests.js:442:26:442:28 | dst |
| PrototypePollutionUtility/tests.js:442:31:442:33 | src |
| PrototypePollutionUtility/tests.js:442:31:442:33 | src |
| PrototypePollutionUtility/tests.js:444:18:444:22 | value |
| PrototypePollutionUtility/tests.js:444:18:444:22 | value |
| PrototypePollutionUtility/tests.js:444:18:444:22 | value |
| PrototypePollutionUtility/tests.js:444:25:444:27 | key |
| PrototypePollutionUtility/tests.js:444:25:444:27 | key |
| PrototypePollutionUtility/tests.js:444:25:444:27 | key |
| PrototypePollutionUtility/tests.js:446:29:446:31 | dst |
| PrototypePollutionUtility/tests.js:446:29:446:31 | dst |
| PrototypePollutionUtility/tests.js:446:29:446:36 | dst[key] |
| PrototypePollutionUtility/tests.js:446:29:446:36 | dst[key] |
| PrototypePollutionUtility/tests.js:446:29:446:36 | dst[key] |
| PrototypePollutionUtility/tests.js:446:29:446:36 | dst[key] |
| PrototypePollutionUtility/tests.js:446:33:446:35 | key |
| PrototypePollutionUtility/tests.js:446:33:446:35 | key |
| PrototypePollutionUtility/tests.js:446:39:446:41 | src |
| PrototypePollutionUtility/tests.js:446:39:446:41 | src |
| PrototypePollutionUtility/tests.js:446:39:446:46 | src[key] |
| PrototypePollutionUtility/tests.js:446:39:446:46 | src[key] |
| PrototypePollutionUtility/tests.js:446:39:446:46 | src[key] |
| PrototypePollutionUtility/tests.js:446:39:446:46 | src[key] |
| PrototypePollutionUtility/tests.js:446:39:446:46 | src[key] |
| PrototypePollutionUtility/tests.js:446:43:446:45 | key |
| PrototypePollutionUtility/tests.js:446:43:446:45 | key |
| PrototypePollutionUtility/tests.js:449:30:449:32 | dst |
| PrototypePollutionUtility/tests.js:449:30:449:32 | dst |
| PrototypePollutionUtility/tests.js:449:30:449:32 | dst |
| PrototypePollutionUtility/tests.js:449:34:449:36 | key |
| PrototypePollutionUtility/tests.js:449:34:449:36 | key |
| PrototypePollutionUtility/tests.js:449:34:449:36 | key |
| PrototypePollutionUtility/tests.js:449:41:449:43 | src |
| PrototypePollutionUtility/tests.js:449:41:449:43 | src |
| PrototypePollutionUtility/tests.js:449:41:449:48 | src[key] |
| PrototypePollutionUtility/tests.js:449:41:449:48 | src[key] |
| PrototypePollutionUtility/tests.js:449:41:449:48 | src[key] |
| PrototypePollutionUtility/tests.js:449:41:449:48 | src[key] |
| PrototypePollutionUtility/tests.js:449:41:449:48 | src[key] |
| PrototypePollutionUtility/tests.js:449:41:449:48 | src[key] |
| PrototypePollutionUtility/tests.js:449:45:449:47 | key |
| PrototypePollutionUtility/tests.js:449:45:449:47 | key |
| PrototypePollutionUtility/tests.js:450:30:450:32 | dst |
| PrototypePollutionUtility/tests.js:450:30:450:32 | dst |
| PrototypePollutionUtility/tests.js:450:30:450:32 | dst |
| PrototypePollutionUtility/tests.js:450:34:450:36 | key |
| PrototypePollutionUtility/tests.js:450:34:450:36 | key |
| PrototypePollutionUtility/tests.js:450:34:450:36 | key |
| PrototypePollutionUtility/tests.js:450:41:450:46 | o[key] |
| PrototypePollutionUtility/tests.js:450:41:450:46 | o[key] |
| PrototypePollutionUtility/tests.js:450:41:450:46 | o[key] |
| PrototypePollutionUtility/tests.js:450:41:450:46 | o[key] |
| PrototypePollutionUtility/tests.js:450:43:450:45 | key |
| PrototypePollutionUtility/tests.js:450:43:450:45 | key |
| PrototypePollutionUtility/tests.js:451:30:451:32 | dst |
| PrototypePollutionUtility/tests.js:451:30:451:32 | dst |
| PrototypePollutionUtility/tests.js:451:30:451:32 | dst |
| PrototypePollutionUtility/tests.js:451:34:451:36 | key |
| PrototypePollutionUtility/tests.js:451:34:451:36 | key |
| PrototypePollutionUtility/tests.js:451:34:451:36 | key |
| PrototypePollutionUtility/tests.js:451:41:451:45 | value |
| PrototypePollutionUtility/tests.js:451:41:451:45 | value |
| PrototypePollutionUtility/tests.js:451:41:451:45 | value |
| PrototypePollutionUtility/tests.js:456:38:456:40 | dst |
| PrototypePollutionUtility/tests.js:456:38:456:40 | dst |
| PrototypePollutionUtility/tests.js:457:18:457:22 | value |
| PrototypePollutionUtility/tests.js:457:18:457:22 | value |
| PrototypePollutionUtility/tests.js:457:18:457:22 | value |
| PrototypePollutionUtility/tests.js:457:25:457:27 | key |
| PrototypePollutionUtility/tests.js:457:25:457:27 | key |
| PrototypePollutionUtility/tests.js:457:25:457:27 | key |
| PrototypePollutionUtility/tests.js:459:41:459:43 | dst |
| PrototypePollutionUtility/tests.js:459:41:459:43 | dst |
| PrototypePollutionUtility/tests.js:459:41:459:48 | dst[key] |
| PrototypePollutionUtility/tests.js:459:41:459:48 | dst[key] |
| PrototypePollutionUtility/tests.js:459:41:459:48 | dst[key] |
| PrototypePollutionUtility/tests.js:459:41:459:48 | dst[key] |
| PrototypePollutionUtility/tests.js:459:45:459:47 | key |
| PrototypePollutionUtility/tests.js:459:45:459:47 | key |
| PrototypePollutionUtility/tests.js:461:13:461:15 | dst |
| PrototypePollutionUtility/tests.js:461:13:461:15 | dst |
| PrototypePollutionUtility/tests.js:461:13:461:15 | dst |
| PrototypePollutionUtility/tests.js:461:17:461:19 | key |
| PrototypePollutionUtility/tests.js:461:17:461:19 | key |
| PrototypePollutionUtility/tests.js:461:17:461:19 | key |
| PrototypePollutionUtility/tests.js:461:24:461:28 | value |
| PrototypePollutionUtility/tests.js:461:24:461:28 | value |
| PrototypePollutionUtility/tests.js:461:24:461:28 | value |
| examples/PrototypePollutionUtility.js:1:16:1:18 | dst |
| examples/PrototypePollutionUtility.js:1:16:1:18 | dst |
| examples/PrototypePollutionUtility.js:1:21:1:23 | src |
@@ -2242,6 +2331,132 @@ edges
| PrototypePollutionUtility/tests.js:435:39:435:43 | value | PrototypePollutionUtility/tests.js:430:33:430:35 | src |
| PrototypePollutionUtility/tests.js:435:39:435:43 | value | PrototypePollutionUtility/tests.js:430:33:430:35 | src |
| PrototypePollutionUtility/tests.js:435:39:435:43 | value | PrototypePollutionUtility/tests.js:430:33:430:35 | src |
| PrototypePollutionUtility/tests.js:442:26:442:28 | dst | PrototypePollutionUtility/tests.js:446:29:446:31 | dst |
| PrototypePollutionUtility/tests.js:442:26:442:28 | dst | PrototypePollutionUtility/tests.js:446:29:446:31 | dst |
| PrototypePollutionUtility/tests.js:442:26:442:28 | dst | PrototypePollutionUtility/tests.js:449:30:449:32 | dst |
| PrototypePollutionUtility/tests.js:442:26:442:28 | dst | PrototypePollutionUtility/tests.js:449:30:449:32 | dst |
| PrototypePollutionUtility/tests.js:442:26:442:28 | dst | PrototypePollutionUtility/tests.js:449:30:449:32 | dst |
| PrototypePollutionUtility/tests.js:442:26:442:28 | dst | PrototypePollutionUtility/tests.js:449:30:449:32 | dst |
| PrototypePollutionUtility/tests.js:442:26:442:28 | dst | PrototypePollutionUtility/tests.js:450:30:450:32 | dst |
| PrototypePollutionUtility/tests.js:442:26:442:28 | dst | PrototypePollutionUtility/tests.js:450:30:450:32 | dst |
| PrototypePollutionUtility/tests.js:442:26:442:28 | dst | PrototypePollutionUtility/tests.js:450:30:450:32 | dst |
| PrototypePollutionUtility/tests.js:442:26:442:28 | dst | PrototypePollutionUtility/tests.js:450:30:450:32 | dst |
| PrototypePollutionUtility/tests.js:442:26:442:28 | dst | PrototypePollutionUtility/tests.js:451:30:451:32 | dst |
| PrototypePollutionUtility/tests.js:442:26:442:28 | dst | PrototypePollutionUtility/tests.js:451:30:451:32 | dst |
| PrototypePollutionUtility/tests.js:442:26:442:28 | dst | PrototypePollutionUtility/tests.js:451:30:451:32 | dst |
| PrototypePollutionUtility/tests.js:442:26:442:28 | dst | PrototypePollutionUtility/tests.js:451:30:451:32 | dst |
| PrototypePollutionUtility/tests.js:442:31:442:33 | src | PrototypePollutionUtility/tests.js:446:39:446:41 | src |
| PrototypePollutionUtility/tests.js:442:31:442:33 | src | PrototypePollutionUtility/tests.js:446:39:446:41 | src |
| PrototypePollutionUtility/tests.js:442:31:442:33 | src | PrototypePollutionUtility/tests.js:449:41:449:43 | src |
| PrototypePollutionUtility/tests.js:442:31:442:33 | src | PrototypePollutionUtility/tests.js:449:41:449:43 | src |
| PrototypePollutionUtility/tests.js:444:18:444:22 | value | PrototypePollutionUtility/tests.js:451:41:451:45 | value |
| PrototypePollutionUtility/tests.js:444:18:444:22 | value | PrototypePollutionUtility/tests.js:451:41:451:45 | value |
| PrototypePollutionUtility/tests.js:444:18:444:22 | value | PrototypePollutionUtility/tests.js:451:41:451:45 | value |
| PrototypePollutionUtility/tests.js:444:18:444:22 | value | PrototypePollutionUtility/tests.js:451:41:451:45 | value |
| PrototypePollutionUtility/tests.js:444:18:444:22 | value | PrototypePollutionUtility/tests.js:451:41:451:45 | value |
| PrototypePollutionUtility/tests.js:444:18:444:22 | value | PrototypePollutionUtility/tests.js:451:41:451:45 | value |
| PrototypePollutionUtility/tests.js:444:18:444:22 | value | PrototypePollutionUtility/tests.js:451:41:451:45 | value |
| PrototypePollutionUtility/tests.js:444:25:444:27 | key | PrototypePollutionUtility/tests.js:446:33:446:35 | key |
| PrototypePollutionUtility/tests.js:444:25:444:27 | key | PrototypePollutionUtility/tests.js:446:33:446:35 | key |
| PrototypePollutionUtility/tests.js:444:25:444:27 | key | PrototypePollutionUtility/tests.js:446:33:446:35 | key |
| PrototypePollutionUtility/tests.js:444:25:444:27 | key | PrototypePollutionUtility/tests.js:446:33:446:35 | key |
| PrototypePollutionUtility/tests.js:444:25:444:27 | key | PrototypePollutionUtility/tests.js:446:43:446:45 | key |
| PrototypePollutionUtility/tests.js:444:25:444:27 | key | PrototypePollutionUtility/tests.js:446:43:446:45 | key |
| PrototypePollutionUtility/tests.js:444:25:444:27 | key | PrototypePollutionUtility/tests.js:446:43:446:45 | key |
| PrototypePollutionUtility/tests.js:444:25:444:27 | key | PrototypePollutionUtility/tests.js:446:43:446:45 | key |
| PrototypePollutionUtility/tests.js:444:25:444:27 | key | PrototypePollutionUtility/tests.js:449:34:449:36 | key |
| PrototypePollutionUtility/tests.js:444:25:444:27 | key | PrototypePollutionUtility/tests.js:449:34:449:36 | key |
| PrototypePollutionUtility/tests.js:444:25:444:27 | key | PrototypePollutionUtility/tests.js:449:34:449:36 | key |
| PrototypePollutionUtility/tests.js:444:25:444:27 | key | PrototypePollutionUtility/tests.js:449:34:449:36 | key |
| PrototypePollutionUtility/tests.js:444:25:444:27 | key | PrototypePollutionUtility/tests.js:449:34:449:36 | key |
| PrototypePollutionUtility/tests.js:444:25:444:27 | key | PrototypePollutionUtility/tests.js:449:34:449:36 | key |
| PrototypePollutionUtility/tests.js:444:25:444:27 | key | PrototypePollutionUtility/tests.js:449:34:449:36 | key |
| PrototypePollutionUtility/tests.js:444:25:444:27 | key | PrototypePollutionUtility/tests.js:449:45:449:47 | key |
| PrototypePollutionUtility/tests.js:444:25:444:27 | key | PrototypePollutionUtility/tests.js:449:45:449:47 | key |
| PrototypePollutionUtility/tests.js:444:25:444:27 | key | PrototypePollutionUtility/tests.js:449:45:449:47 | key |
| PrototypePollutionUtility/tests.js:444:25:444:27 | key | PrototypePollutionUtility/tests.js:449:45:449:47 | key |
| PrototypePollutionUtility/tests.js:444:25:444:27 | key | PrototypePollutionUtility/tests.js:450:34:450:36 | key |
| PrototypePollutionUtility/tests.js:444:25:444:27 | key | PrototypePollutionUtility/tests.js:450:34:450:36 | key |
| PrototypePollutionUtility/tests.js:444:25:444:27 | key | PrototypePollutionUtility/tests.js:450:34:450:36 | key |
| PrototypePollutionUtility/tests.js:444:25:444:27 | key | PrototypePollutionUtility/tests.js:450:34:450:36 | key |
| PrototypePollutionUtility/tests.js:444:25:444:27 | key | PrototypePollutionUtility/tests.js:450:34:450:36 | key |
| PrototypePollutionUtility/tests.js:444:25:444:27 | key | PrototypePollutionUtility/tests.js:450:34:450:36 | key |
| PrototypePollutionUtility/tests.js:444:25:444:27 | key | PrototypePollutionUtility/tests.js:450:34:450:36 | key |
| PrototypePollutionUtility/tests.js:444:25:444:27 | key | PrototypePollutionUtility/tests.js:450:43:450:45 | key |
| PrototypePollutionUtility/tests.js:444:25:444:27 | key | PrototypePollutionUtility/tests.js:450:43:450:45 | key |
| PrototypePollutionUtility/tests.js:444:25:444:27 | key | PrototypePollutionUtility/tests.js:450:43:450:45 | key |
| PrototypePollutionUtility/tests.js:444:25:444:27 | key | PrototypePollutionUtility/tests.js:450:43:450:45 | key |
| PrototypePollutionUtility/tests.js:444:25:444:27 | key | PrototypePollutionUtility/tests.js:451:34:451:36 | key |
| PrototypePollutionUtility/tests.js:444:25:444:27 | key | PrototypePollutionUtility/tests.js:451:34:451:36 | key |
| PrototypePollutionUtility/tests.js:444:25:444:27 | key | PrototypePollutionUtility/tests.js:451:34:451:36 | key |
| PrototypePollutionUtility/tests.js:444:25:444:27 | key | PrototypePollutionUtility/tests.js:451:34:451:36 | key |
| PrototypePollutionUtility/tests.js:444:25:444:27 | key | PrototypePollutionUtility/tests.js:451:34:451:36 | key |
| PrototypePollutionUtility/tests.js:444:25:444:27 | key | PrototypePollutionUtility/tests.js:451:34:451:36 | key |
| PrototypePollutionUtility/tests.js:444:25:444:27 | key | PrototypePollutionUtility/tests.js:451:34:451:36 | key |
| PrototypePollutionUtility/tests.js:446:29:446:31 | dst | PrototypePollutionUtility/tests.js:446:29:446:36 | dst[key] |
| PrototypePollutionUtility/tests.js:446:29:446:31 | dst | PrototypePollutionUtility/tests.js:446:29:446:36 | dst[key] |
| PrototypePollutionUtility/tests.js:446:29:446:36 | dst[key] | PrototypePollutionUtility/tests.js:442:26:442:28 | dst |
| PrototypePollutionUtility/tests.js:446:29:446:36 | dst[key] | PrototypePollutionUtility/tests.js:442:26:442:28 | dst |
| PrototypePollutionUtility/tests.js:446:29:446:36 | dst[key] | PrototypePollutionUtility/tests.js:442:26:442:28 | dst |
| PrototypePollutionUtility/tests.js:446:29:446:36 | dst[key] | PrototypePollutionUtility/tests.js:442:26:442:28 | dst |
| PrototypePollutionUtility/tests.js:446:33:446:35 | key | PrototypePollutionUtility/tests.js:446:29:446:36 | dst[key] |
| PrototypePollutionUtility/tests.js:446:33:446:35 | key | PrototypePollutionUtility/tests.js:446:29:446:36 | dst[key] |
| PrototypePollutionUtility/tests.js:446:39:446:41 | src | PrototypePollutionUtility/tests.js:446:39:446:46 | src[key] |
| PrototypePollutionUtility/tests.js:446:39:446:41 | src | PrototypePollutionUtility/tests.js:446:39:446:46 | src[key] |
| PrototypePollutionUtility/tests.js:446:39:446:46 | src[key] | PrototypePollutionUtility/tests.js:442:31:442:33 | src |
| PrototypePollutionUtility/tests.js:446:39:446:46 | src[key] | PrototypePollutionUtility/tests.js:442:31:442:33 | src |
| PrototypePollutionUtility/tests.js:446:39:446:46 | src[key] | PrototypePollutionUtility/tests.js:442:31:442:33 | src |
| PrototypePollutionUtility/tests.js:446:39:446:46 | src[key] | PrototypePollutionUtility/tests.js:442:31:442:33 | src |
| PrototypePollutionUtility/tests.js:446:39:446:46 | src[key] | PrototypePollutionUtility/tests.js:442:31:442:33 | src |
| PrototypePollutionUtility/tests.js:446:39:446:46 | src[key] | PrototypePollutionUtility/tests.js:442:31:442:33 | src |
| PrototypePollutionUtility/tests.js:446:43:446:45 | key | PrototypePollutionUtility/tests.js:446:39:446:46 | src[key] |
| PrototypePollutionUtility/tests.js:446:43:446:45 | key | PrototypePollutionUtility/tests.js:446:39:446:46 | src[key] |
| PrototypePollutionUtility/tests.js:449:41:449:43 | src | PrototypePollutionUtility/tests.js:449:41:449:48 | src[key] |
| PrototypePollutionUtility/tests.js:449:41:449:43 | src | PrototypePollutionUtility/tests.js:449:41:449:48 | src[key] |
| PrototypePollutionUtility/tests.js:449:41:449:43 | src | PrototypePollutionUtility/tests.js:449:41:449:48 | src[key] |
| PrototypePollutionUtility/tests.js:449:41:449:43 | src | PrototypePollutionUtility/tests.js:449:41:449:48 | src[key] |
| PrototypePollutionUtility/tests.js:449:41:449:48 | src[key] | PrototypePollutionUtility/tests.js:449:41:449:48 | src[key] |
| PrototypePollutionUtility/tests.js:449:45:449:47 | key | PrototypePollutionUtility/tests.js:449:41:449:48 | src[key] |
| PrototypePollutionUtility/tests.js:449:45:449:47 | key | PrototypePollutionUtility/tests.js:449:41:449:48 | src[key] |
| PrototypePollutionUtility/tests.js:449:45:449:47 | key | PrototypePollutionUtility/tests.js:449:41:449:48 | src[key] |
| PrototypePollutionUtility/tests.js:449:45:449:47 | key | PrototypePollutionUtility/tests.js:449:41:449:48 | src[key] |
| PrototypePollutionUtility/tests.js:450:41:450:46 | o[key] | PrototypePollutionUtility/tests.js:450:41:450:46 | o[key] |
| PrototypePollutionUtility/tests.js:450:43:450:45 | key | PrototypePollutionUtility/tests.js:450:41:450:46 | o[key] |
| PrototypePollutionUtility/tests.js:450:43:450:45 | key | PrototypePollutionUtility/tests.js:450:41:450:46 | o[key] |
| PrototypePollutionUtility/tests.js:450:43:450:45 | key | PrototypePollutionUtility/tests.js:450:41:450:46 | o[key] |
| PrototypePollutionUtility/tests.js:450:43:450:45 | key | PrototypePollutionUtility/tests.js:450:41:450:46 | o[key] |
| PrototypePollutionUtility/tests.js:456:38:456:40 | dst | PrototypePollutionUtility/tests.js:459:41:459:43 | dst |
| PrototypePollutionUtility/tests.js:456:38:456:40 | dst | PrototypePollutionUtility/tests.js:459:41:459:43 | dst |
| PrototypePollutionUtility/tests.js:456:38:456:40 | dst | PrototypePollutionUtility/tests.js:461:13:461:15 | dst |
| PrototypePollutionUtility/tests.js:456:38:456:40 | dst | PrototypePollutionUtility/tests.js:461:13:461:15 | dst |
| PrototypePollutionUtility/tests.js:456:38:456:40 | dst | PrototypePollutionUtility/tests.js:461:13:461:15 | dst |
| PrototypePollutionUtility/tests.js:456:38:456:40 | dst | PrototypePollutionUtility/tests.js:461:13:461:15 | dst |
| PrototypePollutionUtility/tests.js:457:18:457:22 | value | PrototypePollutionUtility/tests.js:461:24:461:28 | value |
| PrototypePollutionUtility/tests.js:457:18:457:22 | value | PrototypePollutionUtility/tests.js:461:24:461:28 | value |
| PrototypePollutionUtility/tests.js:457:18:457:22 | value | PrototypePollutionUtility/tests.js:461:24:461:28 | value |
| PrototypePollutionUtility/tests.js:457:18:457:22 | value | PrototypePollutionUtility/tests.js:461:24:461:28 | value |
| PrototypePollutionUtility/tests.js:457:18:457:22 | value | PrototypePollutionUtility/tests.js:461:24:461:28 | value |
| PrototypePollutionUtility/tests.js:457:18:457:22 | value | PrototypePollutionUtility/tests.js:461:24:461:28 | value |
| PrototypePollutionUtility/tests.js:457:18:457:22 | value | PrototypePollutionUtility/tests.js:461:24:461:28 | value |
| PrototypePollutionUtility/tests.js:457:25:457:27 | key | PrototypePollutionUtility/tests.js:459:45:459:47 | key |
| PrototypePollutionUtility/tests.js:457:25:457:27 | key | PrototypePollutionUtility/tests.js:459:45:459:47 | key |
| PrototypePollutionUtility/tests.js:457:25:457:27 | key | PrototypePollutionUtility/tests.js:459:45:459:47 | key |
| PrototypePollutionUtility/tests.js:457:25:457:27 | key | PrototypePollutionUtility/tests.js:459:45:459:47 | key |
| PrototypePollutionUtility/tests.js:457:25:457:27 | key | PrototypePollutionUtility/tests.js:461:17:461:19 | key |
| PrototypePollutionUtility/tests.js:457:25:457:27 | key | PrototypePollutionUtility/tests.js:461:17:461:19 | key |
| PrototypePollutionUtility/tests.js:457:25:457:27 | key | PrototypePollutionUtility/tests.js:461:17:461:19 | key |
| PrototypePollutionUtility/tests.js:457:25:457:27 | key | PrototypePollutionUtility/tests.js:461:17:461:19 | key |
| PrototypePollutionUtility/tests.js:457:25:457:27 | key | PrototypePollutionUtility/tests.js:461:17:461:19 | key |
| PrototypePollutionUtility/tests.js:457:25:457:27 | key | PrototypePollutionUtility/tests.js:461:17:461:19 | key |
| PrototypePollutionUtility/tests.js:457:25:457:27 | key | PrototypePollutionUtility/tests.js:461:17:461:19 | key |
| PrototypePollutionUtility/tests.js:459:41:459:43 | dst | PrototypePollutionUtility/tests.js:459:41:459:48 | dst[key] |
| PrototypePollutionUtility/tests.js:459:41:459:43 | dst | PrototypePollutionUtility/tests.js:459:41:459:48 | dst[key] |
| PrototypePollutionUtility/tests.js:459:41:459:48 | dst[key] | PrototypePollutionUtility/tests.js:456:38:456:40 | dst |
| PrototypePollutionUtility/tests.js:459:41:459:48 | dst[key] | PrototypePollutionUtility/tests.js:456:38:456:40 | dst |
| PrototypePollutionUtility/tests.js:459:41:459:48 | dst[key] | PrototypePollutionUtility/tests.js:456:38:456:40 | dst |
| PrototypePollutionUtility/tests.js:459:41:459:48 | dst[key] | PrototypePollutionUtility/tests.js:456:38:456:40 | dst |
| PrototypePollutionUtility/tests.js:459:45:459:47 | key | PrototypePollutionUtility/tests.js:459:41:459:48 | dst[key] |
| PrototypePollutionUtility/tests.js:459:45:459:47 | key | PrototypePollutionUtility/tests.js:459:41:459:48 | dst[key] |
| examples/PrototypePollutionUtility.js:1:16:1:18 | dst | examples/PrototypePollutionUtility.js:5:19:5:21 | dst |
| examples/PrototypePollutionUtility.js:1:16:1:18 | dst | examples/PrototypePollutionUtility.js:5:19:5:21 | dst |
| examples/PrototypePollutionUtility.js:1:16:1:18 | dst | examples/PrototypePollutionUtility.js:7:13:7:15 | dst |
@@ -2364,4 +2579,8 @@ edges
| PrototypePollutionUtility/tests.js:387:13:387:15 | dst | PrototypePollutionUtility/tests.js:365:14:365:16 | key | PrototypePollutionUtility/tests.js:387:13:387:15 | dst | Properties are copied from $@ to $@ without guarding against prototype pollution. | PrototypePollutionUtility/tests.js:365:21:365:23 | obj | obj | PrototypePollutionUtility/tests.js:387:13:387:15 | dst | dst |
| PrototypePollutionUtility/tests.js:403:13:403:15 | dst | PrototypePollutionUtility/tests.js:397:14:397:16 | key | PrototypePollutionUtility/tests.js:403:13:403:15 | dst | Properties are copied from $@ to $@ without guarding against prototype pollution. | PrototypePollutionUtility/tests.js:397:21:397:23 | src | src | PrototypePollutionUtility/tests.js:403:13:403:15 | dst | dst |
| PrototypePollutionUtility/tests.js:420:13:420:15 | dst | PrototypePollutionUtility/tests.js:414:14:414:16 | key | PrototypePollutionUtility/tests.js:420:13:420:15 | dst | Properties are copied from $@ to $@ without guarding against prototype pollution. | PrototypePollutionUtility/tests.js:414:21:414:23 | src | src | PrototypePollutionUtility/tests.js:420:13:420:15 | dst | dst |
| PrototypePollutionUtility/tests.js:449:30:449:32 | dst | PrototypePollutionUtility/tests.js:444:25:444:27 | key | PrototypePollutionUtility/tests.js:449:30:449:32 | dst | Properties are copied from $@ to $@ without guarding against prototype pollution. | PrototypePollutionUtility/tests.js:444:12:444:14 | src | src | PrototypePollutionUtility/tests.js:449:30:449:32 | dst | dst |
| PrototypePollutionUtility/tests.js:450:30:450:32 | dst | PrototypePollutionUtility/tests.js:444:25:444:27 | key | PrototypePollutionUtility/tests.js:450:30:450:32 | dst | Properties are copied from $@ to $@ without guarding against prototype pollution. | PrototypePollutionUtility/tests.js:444:12:444:14 | src | src | PrototypePollutionUtility/tests.js:450:30:450:32 | dst | dst |
| PrototypePollutionUtility/tests.js:451:30:451:32 | dst | PrototypePollutionUtility/tests.js:444:25:444:27 | key | PrototypePollutionUtility/tests.js:451:30:451:32 | dst | Properties are copied from $@ to $@ without guarding against prototype pollution. | PrototypePollutionUtility/tests.js:444:12:444:14 | src | src | PrototypePollutionUtility/tests.js:451:30:451:32 | dst | dst |
| PrototypePollutionUtility/tests.js:461:13:461:15 | dst | PrototypePollutionUtility/tests.js:457:25:457:27 | key | PrototypePollutionUtility/tests.js:461:13:461:15 | dst | Properties are copied from $@ to $@ without guarding against prototype pollution. | PrototypePollutionUtility/tests.js:457:12:457:14 | src | src | PrototypePollutionUtility/tests.js:461:13:461:15 | dst | dst |
| examples/PrototypePollutionUtility.js:7:13:7:15 | dst | examples/PrototypePollutionUtility.js:2:14:2:16 | key | examples/PrototypePollutionUtility.js:7:13:7:15 | dst | Properties are copied from $@ to $@ without guarding against prototype pollution. | examples/PrototypePollutionUtility.js:2:21:2:23 | src | src | examples/PrototypePollutionUtility.js:7:13:7:15 | dst | dst |

24
javascript/ql/test/query-tests/Security/CWE-400/PrototypePollutionUtility/tests.js
View File

@@ -438,3 +438,27 @@ function copyUsingSafeRead(dst, src) {
}
}
}
function copyUsingForOwn(dst, src) {
let forOwn = import('for-own');
forOwn(src, (value, key, o) => {
if (dst[key]) {
copyUsingForOwn(dst[key], src[key]);
} else {
// Handle a few different ways to access src[key]
if (something()) dst[key] = src[key]; // NOT OK
if (something()) dst[key] = o[key]; // NOT OK
if (something()) dst[key] = value; // NOT OK
}
});
}
function copyUsingUnderscoreOrLodash(dst, src) {
_.each(src, (value, key, o) => {
if (dst[key]) {
copyUsingUnderscoreOrLodash(dst[key], src[key]);
} else {
dst[key] = value; // NOT OK
}
});
}