hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-24 16:25:15 +02:00
Code Issues Packages Projects Releases Wiki Activity

Add coverage for express

Browse Source
This commit is contained in:
Maiky
2023-10-16 16:48:32 +02:00
parent c0e6d7c049
commit 07ad596f77
5 changed files with 87 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

0
javascript/ql/test/experimental/Security/CWE-942/tst.js → javascript/ql/test/experimental/Security/CWE-942/apollo-test.js
View File

36
javascript/ql/test/experimental/Security/CWE-942/express-test Normal file
View File

@@ -0,0 +1,36 @@
const cors = require('cors');
var express = require('express');
var https = require('https'),
url = require('url');
var server = https.createServer(function () { });
server.on('request', function (req, res) {
let user_origin = url.parse(req.url, true).query.origin;
// BAD: CORS too permissive, default value is *
var app1 = express();
app1.use(cors());
// GOOD: restrictive CORS
var app2 = express();
var corsOptions2 = {
origin: ["https://example1.com", "https://example2.com"],
};
app2.use(cors(corsOptions2));
// BAD: CORS too permissive
var app3 = express();
var corsOption3 = {
origin: '*'
};
app3.use(cors(corsOption3));
// BAD: CORS is controlled by user
var app4 = express();
var corsOption4 = {
origin: user_origin
};
app4.use(cors(corsOption4));
});