hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-05-01 11:45:14 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #915 from asger-semmle/closure-uri-methods

Browse Source 
Approved by xiemaisi
This commit is contained in:
semmle-qlci
2019-02-11 10:51:07 +00:00
committed by GitHub
parent e4ba5ce608 f6e0ccfcf0
commit 10b00254ec
13 changed files with 292 additions and 86 deletions
Download Patch File Download Diff File Expand all files Collapse all files

21
javascript/ql/src/semmle/javascript/Closure.qll
View File

@@ -170,9 +170,11 @@ module Closure {
isLibraryNamespacePath(result) and
node = DataFlow::globalVarRef(result)
or
isLibraryNamespacePath(result) and
exists(DataFlow::PropRead read | node = read |
result = getLibraryAccessPath(read.getBase().getALocalSource()) + "." + read.getPropertyName()
exists(DataFlow::SourceNode base, string basePath, string prop |
basePath = getLibraryAccessPath(base) and
isLibraryNamespacePath(basePath) and
node = base.getAPropertyRead(prop) and
result = basePath + "." + prop
)
or
// Associate an access path with the immediate RHS of a store on a closure namespace.
@@ -194,16 +196,7 @@ module Closure {
}
/**
* Gets a dataflow node that refers to the given Closure module.
* Gets a dataflow node that refers to the given value exported from a Closure module.
*/
DataFlow::SourceNode moduleImport(string moduleName) {
getLibraryAccessPath(result) = moduleName
}
/**
* Gets a dataflow node that refers to the given member of a Closure module.
*/
DataFlow::SourceNode moduleMember(string moduleName, string memberName) {
result = moduleImport(moduleName).getAPropertyRead(memberName)
}
DataFlow::SourceNode moduleImport(string moduleName) { getLibraryAccessPath(result) = moduleName }
}

29
javascript/ql/src/semmle/javascript/frameworks/ClientRequests.qll
View File

@@ -240,7 +240,12 @@ private class SuperAgentUrlRequest extends CustomClientRequest {
* A model of a URL request made using the `XMLHttpRequest` browser class.
*/
private class XMLHttpRequest extends CustomClientRequest {
XMLHttpRequest() { this = DataFlow::globalVarRef("XMLHttpRequest").getAnInstantiation() }
XMLHttpRequest() {
this = DataFlow::globalVarRef("XMLHttpRequest").getAnInstantiation()
or
// closure shim for XMLHttpRequest
this = Closure::moduleImport("goog.net.XmlHttp").getAnInstantiation()
}
override DataFlow::Node getUrl() { result = getAMethodCall("open").getArgument(1) }
@@ -248,3 +253,25 @@ private class XMLHttpRequest extends CustomClientRequest {
override DataFlow::Node getADataNode() { result = getAMethodCall("send").getArgument(0) }
}
/**
* A model of a URL request made using the `XhrIo` class from the closure library.
*/
private class ClosureXhrIoRequest extends CustomClientRequest {
ClosureXhrIoRequest() {
exists(DataFlow::SourceNode xhrIo | xhrIo = Closure::moduleImport("goog.net.XhrIo") |
this = xhrIo.getAMethodCall("send")
or
this = xhrIo.getAnInstantiation().getAMethodCall("send")
)
}
override DataFlow::Node getUrl() { result = getArgument(0) }
override DataFlow::Node getHost() { none() }
override DataFlow::Node getADataNode() {
result = getArgument(2) or
result = getArgument(3)
}
}

85
javascript/ql/src/semmle/javascript/frameworks/UriLibraries.qll
View File

@@ -309,3 +309,88 @@ module querystring {
override predicate step(DataFlow::Node pred, DataFlow::Node succ) { pred = src and succ = this }
}
}
/**
* Provides steps for the `goog.Uri` class in the closure library.
*/
private module ClosureLibraryUri {
/**
* Taint step from an argument of a `goog.Uri` call to the return value.
*/
private class ArgumentStep extends UriLibraryStep, DataFlow::InvokeNode {
int arg;
ArgumentStep() {
// goog.Uri constructor
this = Closure::moduleImport("goog.Uri").getAnInstantiation() and arg = 0
or
// static methods on goog.Uri
exists(string name | this = Closure::moduleImport("goog.Uri." + name).getACall() |
name = "parse" and arg = 0
or
name = "create" and
(arg = 0 or arg = 2 or arg = 4)
or
name = "resolve" and
(arg = 0 or arg = 1)
)
or
// static methods in goog.uri.utils
arg = 0 and
exists(string name | this = Closure::moduleImport("goog.uri.utils." + name).getACall() |
name = "appendParam" or // preserve taint from the original URI, but not from the appended param
name = "appendParams" or
name = "appendParamsFromMap" or
name = "appendPath" or
name = "getParamValue" or
name = "getParamValues" or
name = "getPath" or
name = "getPathAndAfter" or
name = "getQueryData" or
name = "parseQueryData" or
name = "removeFragment" or
name = "removeParam" or
name = "setParam" or
name = "setParamsFromMap" or
name = "setPath" or
name = "split"
)
}
override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
pred = getArgument(arg) and
succ = this
}
}
/**
* Taint steps through chainable setter calls.
*
* Setters mutate the URI object and return the same instance.
*/
private class SetterCall extends DataFlow::MethodCallNode, UriLibraryStep {
DataFlow::NewNode uri;
string name;
SetterCall() {
exists(DataFlow::SourceNode base |
base = Closure::moduleImport("goog.Uri").getAnInstantiation() and
uri = base
or
base.(SetterCall).getUri() = uri
|
this = base.getAMethodCall(name) and
name.matches("set%")
)
}
DataFlow::NewNode getUri() { result = uri }
override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
pred = getReceiver() and succ = this
or
(name = "setDomain" or name = "setPath" or name = "setScheme") and
pred = getArgument(0) and succ = uri
}
}
}

1
javascript/ql/test/library-tests/Closure/Uri.expected Normal file
View File

@@ -0,0 +1 @@
| tests/uri.js:5:5:5:11 | net.Uri |

3
javascript/ql/test/library-tests/Closure/Uri.ql Normal file
View File

@@ -0,0 +1,3 @@
import javascript
select Closure::moduleImport("goog.net.Uri")

65
javascript/ql/test/library-tests/Closure/moduleImport.expected
View File

@@ -1,3 +1,59 @@
| goog | tests/es6Module.js:1:1:1:4 | goog |
| goog | tests/es6ModuleDefault.js:1:1:1:4 | goog |
| goog | tests/globalModule.js:1:1:1:4 | goog |
| goog | tests/globalModuleDefault.js:1:1:1:4 | goog |
| goog | tests/googModule.js:1:1:1:4 | goog |
| goog | tests/googModuleDefault.js:1:1:1:4 | goog |
| goog | tests/requireFromEs6.js:3:20:3:23 | goog |
| goog | tests/requireFromEs6.js:4:27:4:30 | goog |
| goog | tests/requireFromEs6.js:6:17:6:20 | goog |
| goog | tests/requireFromEs6.js:7:24:7:27 | goog |
| goog | tests/requireFromEs6.js:9:18:9:21 | goog |
| goog | tests/requireFromEs6.js:10:25:10:28 | goog |
| goog | tests/requireFromGlobalModule.js:1:1:1:4 | goog |
| goog | tests/requireFromGlobalModule.js:2:1:2:4 | goog |
| goog | tests/requireFromGlobalModule.js:4:1:4:4 | goog |
| goog | tests/requireFromGlobalModule.js:5:1:5:4 | goog |
| goog | tests/requireFromGlobalModule.js:7:1:7:4 | goog |
| goog | tests/requireFromGlobalModule.js:8:1:8:4 | goog |
| goog | tests/requireFromGoogModule.js:1:1:1:4 | goog |
| goog | tests/requireFromGoogModule.js:3:20:3:23 | goog |
| goog | tests/requireFromGoogModule.js:4:27:4:30 | goog |
| goog | tests/requireFromGoogModule.js:6:17:6:20 | goog |
| goog | tests/requireFromGoogModule.js:7:24:7:27 | goog |
| goog | tests/requireFromGoogModule.js:9:18:9:21 | goog |
| goog | tests/requireFromGoogModule.js:10:25:10:28 | goog |
| goog | tests/uri.js:1:1:1:4 | goog |
| goog | tests/uri.js:3:11:3:14 | goog |
| goog.declareModuleId | tests/es6Module.js:1:1:1:20 | goog.declareModuleId |
| goog.declareModuleId | tests/es6ModuleDefault.js:1:1:1:20 | goog.declareModuleId |
| goog.module | tests/googModule.js:1:1:1:11 | goog.module |
| goog.module | tests/googModuleDefault.js:1:1:1:11 | goog.module |
| goog.module | tests/requireFromGoogModule.js:1:1:1:11 | goog.module |
| goog.module | tests/uri.js:1:1:1:11 | goog.module |
| goog.net | tests/uri.js:3:11:3:34 | goog.re ... g.net') |
| goog.net.Uri | tests/uri.js:5:5:5:11 | net.Uri |
| goog.provide | tests/globalModule.js:1:1:1:12 | goog.provide |
| goog.provide | tests/globalModuleDefault.js:1:1:1:12 | goog.provide |
| goog.require | tests/requireFromEs6.js:3:20:3:31 | goog.require |
| goog.require | tests/requireFromEs6.js:4:27:4:38 | goog.require |
| goog.require | tests/requireFromEs6.js:6:17:6:28 | goog.require |
| goog.require | tests/requireFromEs6.js:7:24:7:35 | goog.require |
| goog.require | tests/requireFromEs6.js:9:18:9:29 | goog.require |
| goog.require | tests/requireFromEs6.js:10:25:10:36 | goog.require |
| goog.require | tests/requireFromGlobalModule.js:1:1:1:12 | goog.require |
| goog.require | tests/requireFromGlobalModule.js:2:1:2:12 | goog.require |
| goog.require | tests/requireFromGlobalModule.js:4:1:4:12 | goog.require |
| goog.require | tests/requireFromGlobalModule.js:5:1:5:12 | goog.require |
| goog.require | tests/requireFromGlobalModule.js:7:1:7:12 | goog.require |
| goog.require | tests/requireFromGlobalModule.js:8:1:8:12 | goog.require |
| goog.require | tests/requireFromGoogModule.js:3:20:3:31 | goog.require |
| goog.require | tests/requireFromGoogModule.js:4:27:4:38 | goog.require |
| goog.require | tests/requireFromGoogModule.js:6:17:6:28 | goog.require |
| goog.require | tests/requireFromGoogModule.js:7:24:7:35 | goog.require |
| goog.require | tests/requireFromGoogModule.js:9:18:9:29 | goog.require |
| goog.require | tests/requireFromGoogModule.js:10:25:10:36 | goog.require |
| goog.require | tests/uri.js:3:11:3:22 | goog.require |
| x | tests/globalModule.js:3:1:3:1 | x |
| x | tests/globalModuleDefault.js:3:1:3:1 | x |
| x | tests/requireFromGlobalModule.js:10:1:10:1 | x |
@@ -26,6 +82,9 @@
| x.y.z.es6 | tests/requireFromGlobalModule.js:7:1:7:25 | goog.re ... z.es6') |
| x.y.z.es6 | tests/requireFromGlobalModule.js:16:1:16:9 | x.y.z.es6 |
| x.y.z.es6 | tests/requireFromGoogModule.js:6:17:6:41 | goog.re ... z.es6') |
| x.y.z.es6.fun | tests/requireFromEs6.js:15:1:15:13 | es6Module.fun |
| x.y.z.es6.fun | tests/requireFromGlobalModule.js:16:1:16:13 | x.y.z.es6.fun |
| x.y.z.es6.fun | tests/requireFromGoogModule.js:15:1:15:13 | es6Module.fun |
| x.y.z.es6default | tests/requireFromEs6.js:7:24:7:55 | goog.re ... fault') |
| x.y.z.es6default | tests/requireFromGlobalModule.js:8:1:8:32 | goog.re ... fault') |
| x.y.z.es6default | tests/requireFromGlobalModule.js:17:1:17:16 | x.y.z.es6default |
@@ -36,6 +95,9 @@
| x.y.z.global | tests/requireFromGlobalModule.js:10:1:10:12 | x.y.z.global |
| x.y.z.global | tests/requireFromGoogModule.js:3:20:3:47 | goog.re ... lobal') |
| x.y.z.global.fun | tests/globalModule.js:4:6:4:10 | () {} |
| x.y.z.global.fun | tests/requireFromEs6.js:12:1:12:16 | globalModule.fun |
| x.y.z.global.fun | tests/requireFromGlobalModule.js:10:1:10:16 | x.y.z.global.fun |
| x.y.z.global.fun | tests/requireFromGoogModule.js:12:1:12:16 | globalModule.fun |
| x.y.z.globaldefault | tests/globalModuleDefault.js:3:23:3:39 | function fun() {} |
| x.y.z.globaldefault | tests/requireFromEs6.js:4:27:4:61 | goog.re ... fault') |
| x.y.z.globaldefault | tests/requireFromGlobalModule.js:2:1:2:35 | goog.re ... fault') |
@@ -45,6 +107,9 @@
| x.y.z.goog | tests/requireFromGlobalModule.js:4:1:4:26 | goog.re ... .goog') |
| x.y.z.goog | tests/requireFromGlobalModule.js:13:1:13:10 | x.y.z.goog |
| x.y.z.goog | tests/requireFromGoogModule.js:9:18:9:43 | goog.re ... .goog') |
| x.y.z.goog.fun | tests/requireFromEs6.js:18:1:18:14 | googModule.fun |
| x.y.z.goog.fun | tests/requireFromGlobalModule.js:13:1:13:14 | x.y.z.goog.fun |
| x.y.z.goog.fun | tests/requireFromGoogModule.js:18:1:18:14 | googModule.fun |
| x.y.z.googdefault | tests/requireFromEs6.js:10:25:10:57 | goog.re ... fault') |
| x.y.z.googdefault | tests/requireFromGlobalModule.js:5:1:5:33 | goog.re ... fault') |
| x.y.z.googdefault | tests/requireFromGlobalModule.js:14:1:14:17 | x.y.z.googdefault |

31
javascript/ql/test/library-tests/Closure/moduleMember.expected
View File

@@ -1,31 +0,0 @@
| x | y | tests/globalModule.js:3:1:3:3 | x.y |
| x | y | tests/globalModuleDefault.js:3:1:3:3 | x.y |
| x | y | tests/requireFromGlobalModule.js:10:1:10:3 | x.y |
| x | y | tests/requireFromGlobalModule.js:11:1:11:3 | x.y |
| x | y | tests/requireFromGlobalModule.js:13:1:13:3 | x.y |
| x | y | tests/requireFromGlobalModule.js:14:1:14:3 | x.y |
| x | y | tests/requireFromGlobalModule.js:16:1:16:3 | x.y |
| x | y | tests/requireFromGlobalModule.js:17:1:17:3 | x.y |
| x.y | z | tests/globalModule.js:3:1:3:5 | x.y.z |
| x.y | z | tests/globalModuleDefault.js:3:1:3:5 | x.y.z |
| x.y | z | tests/requireFromGlobalModule.js:10:1:10:5 | x.y.z |
| x.y | z | tests/requireFromGlobalModule.js:11:1:11:5 | x.y.z |
| x.y | z | tests/requireFromGlobalModule.js:13:1:13:5 | x.y.z |
| x.y | z | tests/requireFromGlobalModule.js:14:1:14:5 | x.y.z |
| x.y | z | tests/requireFromGlobalModule.js:16:1:16:5 | x.y.z |
| x.y | z | tests/requireFromGlobalModule.js:17:1:17:5 | x.y.z |
| x.y.z | es6 | tests/requireFromGlobalModule.js:16:1:16:9 | x.y.z.es6 |
| x.y.z | es6default | tests/requireFromGlobalModule.js:17:1:17:16 | x.y.z.es6default |
| x.y.z | global | tests/requireFromGlobalModule.js:10:1:10:12 | x.y.z.global |
| x.y.z | globaldefault | tests/requireFromGlobalModule.js:11:1:11:19 | x.y.z.globaldefault |
| x.y.z | goog | tests/requireFromGlobalModule.js:13:1:13:10 | x.y.z.goog |
| x.y.z | googdefault | tests/requireFromGlobalModule.js:14:1:14:17 | x.y.z.googdefault |
| x.y.z.es6 | fun | tests/requireFromEs6.js:15:1:15:13 | es6Module.fun |
| x.y.z.es6 | fun | tests/requireFromGlobalModule.js:16:1:16:13 | x.y.z.es6.fun |
| x.y.z.es6 | fun | tests/requireFromGoogModule.js:15:1:15:13 | es6Module.fun |
| x.y.z.global | fun | tests/requireFromEs6.js:12:1:12:16 | globalModule.fun |
| x.y.z.global | fun | tests/requireFromGlobalModule.js:10:1:10:16 | x.y.z.global.fun |
| x.y.z.global | fun | tests/requireFromGoogModule.js:12:1:12:16 | globalModule.fun |
| x.y.z.goog | fun | tests/requireFromEs6.js:18:1:18:14 | googModule.fun |
| x.y.z.goog | fun | tests/requireFromGlobalModule.js:13:1:13:14 | x.y.z.goog.fun |
| x.y.z.goog | fun | tests/requireFromGoogModule.js:18:1:18:14 | googModule.fun |

4
javascript/ql/test/library-tests/Closure/moduleMember.ql
View File

@@ -1,4 +0,0 @@
import javascript
from string mod, string name
select mod, name, Closure::moduleMember(mod, name)

5
javascript/ql/test/library-tests/Closure/tests/uri.js Normal file
View File

@@ -0,0 +1,5 @@
goog.module('uritest');
let net = goog.require('goog.net');
new net.Uri();

24
javascript/ql/test/library-tests/frameworks/UriLibraries/UriLibraryStep.expected
View File

@@ -1,3 +1,27 @@
| closureUri.js:5:11:5:20 | new Uri(x) | closureUri.js:5:19:5:19 | x | closureUri.js:5:11:5:20 | new Uri(x) |
| closureUri.js:6:1:6:12 | Uri.parse(x) | closureUri.js:6:11:6:11 | x | closureUri.js:6:1:6:12 | Uri.parse(x) |
| closureUri.js:7:1:7:17 | Uri.resolve(x, y) | closureUri.js:7:13:7:13 | x | closureUri.js:7:1:7:17 | Uri.resolve(x, y) |
| closureUri.js:7:1:7:17 | Uri.resolve(x, y) | closureUri.js:7:16:7:16 | y | closureUri.js:7:1:7:17 | Uri.resolve(x, y) |
| closureUri.js:8:1:8:57 | Uri.cre ... , frag) | closureUri.js:8:12:8:17 | scheme | closureUri.js:8:1:8:57 | Uri.cre ... , frag) |
| closureUri.js:8:1:8:57 | Uri.cre ... , frag) | closureUri.js:8:26:8:31 | domain | closureUri.js:8:1:8:57 | Uri.cre ... , frag) |
| closureUri.js:8:1:8:57 | Uri.cre ... , frag) | closureUri.js:8:40:8:43 | path | closureUri.js:8:1:8:57 | Uri.cre ... , frag) |
| closureUri.js:10:1:10:16 | uri.setScheme(x) | closureUri.js:10:1:10:3 | uri | closureUri.js:10:1:10:16 | uri.setScheme(x) |
| closureUri.js:10:1:10:16 | uri.setScheme(x) | closureUri.js:10:15:10:15 | x | closureUri.js:5:11:5:20 | new Uri(x) |
| closureUri.js:11:1:11:18 | uri.setUserInfo(x) | closureUri.js:11:1:11:3 | uri | closureUri.js:11:1:11:18 | uri.setUserInfo(x) |
| closureUri.js:12:1:12:16 | uri.setDomain(x) | closureUri.js:12:1:12:3 | uri | closureUri.js:12:1:12:16 | uri.setDomain(x) |
| closureUri.js:12:1:12:16 | uri.setDomain(x) | closureUri.js:12:15:12:15 | x | closureUri.js:5:11:5:20 | new Uri(x) |
| closureUri.js:13:1:13:14 | uri.setPort(x) | closureUri.js:13:1:13:3 | uri | closureUri.js:13:1:13:14 | uri.setPort(x) |
| closureUri.js:14:1:14:14 | uri.setPath(x) | closureUri.js:14:1:14:3 | uri | closureUri.js:14:1:14:14 | uri.setPath(x) |
| closureUri.js:14:1:14:14 | uri.setPath(x) | closureUri.js:14:13:14:13 | x | closureUri.js:5:11:5:20 | new Uri(x) |
| closureUri.js:15:1:15:15 | uri.setQuery(x) | closureUri.js:15:1:15:3 | uri | closureUri.js:15:1:15:15 | uri.setQuery(x) |
| closureUri.js:16:1:16:18 | uri.setFragment(x) | closureUri.js:16:1:16:3 | uri | closureUri.js:16:1:16:18 | uri.setFragment(x) |
| closureUri.js:18:1:18:15 | uri.setQuery(x) | closureUri.js:18:1:18:3 | uri | closureUri.js:18:1:18:15 | uri.setQuery(x) |
| closureUri.js:18:1:18:26 | uri.set ... Path(y) | closureUri.js:18:1:18:15 | uri.setQuery(x) | closureUri.js:18:1:18:26 | uri.set ... Path(y) |
| closureUri.js:18:1:18:26 | uri.set ... Path(y) | closureUri.js:18:25:18:25 | y | closureUri.js:5:11:5:20 | new Uri(x) |
| closureUri.js:18:1:18:39 | uri.set ... heme(z) | closureUri.js:18:1:18:26 | uri.set ... Path(y) | closureUri.js:18:1:18:39 | uri.set ... heme(z) |
| closureUri.js:18:1:18:39 | uri.set ... heme(z) | closureUri.js:18:38:18:38 | z | closureUri.js:5:11:5:20 | new Uri(x) |
| closureUri.js:22:1:22:25 | utils.a ... uri, z) | closureUri.js:22:19:22:21 | uri | closureUri.js:22:1:22:25 | utils.a ... uri, z) |
| closureUri.js:23:1:23:18 | utils.getPath(uri) | closureUri.js:23:15:23:17 | uri | closureUri.js:23:1:23:18 | utils.getPath(uri) |
| punycode.js:3:9:3:26 | punycode.decode(x) | punycode.js:3:25:3:25 | x | punycode.js:3:9:3:26 | punycode.decode(x) |
| punycode.js:5:5:5:22 | punycode.encode(x) | punycode.js:5:21:5:21 | x | punycode.js:5:5:5:22 | punycode.encode(x) |
| punycode.js:7:5:7:25 | punycod ... code(x) | punycode.js:7:24:7:24 | x | punycode.js:7:5:7:25 | punycod ... code(x) |

23
javascript/ql/test/library-tests/frameworks/UriLibraries/closureUri.js Normal file
View File

@@ -0,0 +1,23 @@
goog.module('closureUri');
let Uri = goog.require('goog.Uri');
let uri = new Uri(x);
Uri.parse(x);
Uri.resolve(x, y);
Uri.create(scheme, cred, domain, port, path, query, frag);
uri.setScheme(x);
uri.setUserInfo(x);
uri.setDomain(x);
uri.setPort(x);
uri.setPath(x);
uri.setQuery(x);
uri.setFragment(x);
uri.setQuery(x).setPath(y).setScheme(z);
let utils = goog.require('goog.uri.utils');
utils.appendParam(uri, z);
utils.getPath(uri);

82
javascript/ql/test/query-tests/Security/CWE-918/RequestForgery.expected
View File

@@ -1,39 +1,49 @@
nodes
| tst.js:12:9:12:52 | tainted |
| tst.js:12:19:12:42 | url.par ... , true) |
| tst.js:12:19:12:48 | url.par ... ).query |
| tst.js:12:19:12:52 | url.par ... ery.url |
| tst.js:12:29:12:35 | req.url |
| tst.js:16:13:16:19 | tainted |
| tst.js:18:17:18:23 | tainted |
| tst.js:21:19:21:25 | tainted |
| tst.js:24:13:24:31 | "http://" + tainted |
| tst.js:24:25:24:31 | tainted |
| tst.js:26:13:26:42 | "http:/ ... tainted |
| tst.js:26:36:26:42 | tainted |
| tst.js:28:13:28:43 | "http:/ ... tainted |
| tst.js:28:37:28:43 | tainted |
| tst.js:32:34:32:40 | tainted |
| tst.js:14:9:14:52 | tainted |
| tst.js:14:19:14:42 | url.par ... , true) |
| tst.js:14:19:14:48 | url.par ... ).query |
| tst.js:14:19:14:52 | url.par ... ery.url |
| tst.js:14:29:14:35 | req.url |
| tst.js:18:13:18:19 | tainted |
| tst.js:20:17:20:23 | tainted |
| tst.js:23:19:23:25 | tainted |
| tst.js:26:13:26:31 | "http://" + tainted |
| tst.js:26:25:26:31 | tainted |
| tst.js:28:13:28:42 | "http:/ ... tainted |
| tst.js:28:36:28:42 | tainted |
| tst.js:30:13:30:43 | "http:/ ... tainted |
| tst.js:30:37:30:43 | tainted |
| tst.js:34:34:34:40 | tainted |
| tst.js:36:16:36:31 | new Uri(tainted) |
| tst.js:36:24:36:30 | tainted |
| tst.js:37:22:37:37 | new Uri(tainted) |
| tst.js:37:30:37:36 | tainted |
edges
| tst.js:12:9:12:52 | tainted | tst.js:16:13:16:19 | tainted |
| tst.js:12:9:12:52 | tainted | tst.js:18:17:18:23 | tainted |
| tst.js:12:9:12:52 | tainted | tst.js:21:19:21:25 | tainted |
| tst.js:12:9:12:52 | tainted | tst.js:24:25:24:31 | tainted |
| tst.js:12:9:12:52 | tainted | tst.js:26:36:26:42 | tainted |
| tst.js:12:9:12:52 | tainted | tst.js:28:37:28:43 | tainted |
| tst.js:12:9:12:52 | tainted | tst.js:32:34:32:40 | tainted |
| tst.js:12:19:12:42 | url.par ... , true) | tst.js:12:19:12:48 | url.par ... ).query |
| tst.js:12:19:12:48 | url.par ... ).query | tst.js:12:19:12:52 | url.par ... ery.url |
| tst.js:12:19:12:52 | url.par ... ery.url | tst.js:12:9:12:52 | tainted |
| tst.js:12:29:12:35 | req.url | tst.js:12:19:12:42 | url.par ... , true) |
| tst.js:24:25:24:31 | tainted | tst.js:24:13:24:31 | "http://" + tainted |
| tst.js:26:36:26:42 | tainted | tst.js:26:13:26:42 | "http:/ ... tainted |
| tst.js:28:37:28:43 | tainted | tst.js:28:13:28:43 | "http:/ ... tainted |
| tst.js:14:9:14:52 | tainted | tst.js:18:13:18:19 | tainted |
| tst.js:14:9:14:52 | tainted | tst.js:20:17:20:23 | tainted |
| tst.js:14:9:14:52 | tainted | tst.js:23:19:23:25 | tainted |
| tst.js:14:9:14:52 | tainted | tst.js:26:25:26:31 | tainted |
| tst.js:14:9:14:52 | tainted | tst.js:28:36:28:42 | tainted |
| tst.js:14:9:14:52 | tainted | tst.js:30:37:30:43 | tainted |
| tst.js:14:9:14:52 | tainted | tst.js:34:34:34:40 | tainted |
| tst.js:14:9:14:52 | tainted | tst.js:36:24:36:30 | tainted |
| tst.js:14:9:14:52 | tainted | tst.js:37:30:37:36 | tainted |
| tst.js:14:19:14:42 | url.par ... , true) | tst.js:14:19:14:48 | url.par ... ).query |
| tst.js:14:19:14:48 | url.par ... ).query | tst.js:14:19:14:52 | url.par ... ery.url |
| tst.js:14:19:14:52 | url.par ... ery.url | tst.js:14:9:14:52 | tainted |
| tst.js:14:29:14:35 | req.url | tst.js:14:19:14:42 | url.par ... , true) |
| tst.js:26:25:26:31 | tainted | tst.js:26:13:26:31 | "http://" + tainted |
| tst.js:28:36:28:42 | tainted | tst.js:28:13:28:42 | "http:/ ... tainted |
| tst.js:30:37:30:43 | tainted | tst.js:30:13:30:43 | "http:/ ... tainted |
| tst.js:36:24:36:30 | tainted | tst.js:36:16:36:31 | new Uri(tainted) |
| tst.js:37:30:37:36 | tainted | tst.js:37:22:37:37 | new Uri(tainted) |
#select
| tst.js:16:5:16:20 | request(tainted) | tst.js:12:29:12:35 | req.url | tst.js:16:13:16:19 | tainted | The $@ of this request depends on $@. | tst.js:16:13:16:19 | tainted | URL | tst.js:12:29:12:35 | req.url | a user-provided value |
| tst.js:18:5:18:24 | request.get(tainted) | tst.js:12:29:12:35 | req.url | tst.js:18:17:18:23 | tainted | The $@ of this request depends on $@. | tst.js:18:17:18:23 | tainted | URL | tst.js:12:29:12:35 | req.url | a user-provided value |
| tst.js:22:5:22:20 | request(options) | tst.js:12:29:12:35 | req.url | tst.js:21:19:21:25 | tainted | The $@ of this request depends on $@. | tst.js:21:19:21:25 | tainted | URL | tst.js:12:29:12:35 | req.url | a user-provided value |
| tst.js:24:5:24:32 | request ... ainted) | tst.js:12:29:12:35 | req.url | tst.js:24:13:24:31 | "http://" + tainted | The $@ of this request depends on $@. | tst.js:24:13:24:31 | "http://" + tainted | URL | tst.js:12:29:12:35 | req.url | a user-provided value |
| tst.js:26:5:26:43 | request ... ainted) | tst.js:12:29:12:35 | req.url | tst.js:26:13:26:42 | "http:/ ... tainted | The $@ of this request depends on $@. | tst.js:26:13:26:42 | "http:/ ... tainted | URL | tst.js:12:29:12:35 | req.url | a user-provided value |
| tst.js:28:5:28:44 | request ... ainted) | tst.js:12:29:12:35 | req.url | tst.js:28:13:28:43 | "http:/ ... tainted | The $@ of this request depends on $@. | tst.js:28:13:28:43 | "http:/ ... tainted | URL | tst.js:12:29:12:35 | req.url | a user-provided value |
| tst.js:32:5:32:42 | http.ge ... inted}) | tst.js:12:29:12:35 | req.url | tst.js:32:34:32:40 | tainted | The $@ of this request depends on $@. | tst.js:32:34:32:40 | tainted | host | tst.js:12:29:12:35 | req.url | a user-provided value |
| tst.js:18:5:18:20 | request(tainted) | tst.js:14:29:14:35 | req.url | tst.js:18:13:18:19 | tainted | The $@ of this request depends on $@. | tst.js:18:13:18:19 | tainted | URL | tst.js:14:29:14:35 | req.url | a user-provided value |
| tst.js:20:5:20:24 | request.get(tainted) | tst.js:14:29:14:35 | req.url | tst.js:20:17:20:23 | tainted | The $@ of this request depends on $@. | tst.js:20:17:20:23 | tainted | URL | tst.js:14:29:14:35 | req.url | a user-provided value |
| tst.js:24:5:24:20 | request(options) | tst.js:14:29:14:35 | req.url | tst.js:23:19:23:25 | tainted | The $@ of this request depends on $@. | tst.js:23:19:23:25 | tainted | URL | tst.js:14:29:14:35 | req.url | a user-provided value |
| tst.js:26:5:26:32 | request ... ainted) | tst.js:14:29:14:35 | req.url | tst.js:26:13:26:31 | "http://" + tainted | The $@ of this request depends on $@. | tst.js:26:13:26:31 | "http://" + tainted | URL | tst.js:14:29:14:35 | req.url | a user-provided value |
| tst.js:28:5:28:43 | request ... ainted) | tst.js:14:29:14:35 | req.url | tst.js:28:13:28:42 | "http:/ ... tainted | The $@ of this request depends on $@. | tst.js:28:13:28:42 | "http:/ ... tainted | URL | tst.js:14:29:14:35 | req.url | a user-provided value |
| tst.js:30:5:30:44 | request ... ainted) | tst.js:14:29:14:35 | req.url | tst.js:30:13:30:43 | "http:/ ... tainted | The $@ of this request depends on $@. | tst.js:30:13:30:43 | "http:/ ... tainted | URL | tst.js:14:29:14:35 | req.url | a user-provided value |
| tst.js:34:5:34:42 | http.ge ... inted}) | tst.js:14:29:14:35 | req.url | tst.js:34:34:34:40 | tainted | The $@ of this request depends on $@. | tst.js:34:34:34:40 | tainted | host | tst.js:14:29:14:35 | req.url | a user-provided value |
| tst.js:36:5:36:32 | XhrIo.s ... inted)) | tst.js:14:29:14:35 | req.url | tst.js:36:16:36:31 | new Uri(tainted) | The $@ of this request depends on $@. | tst.js:36:16:36:31 | new Uri(tainted) | URL | tst.js:14:29:14:35 | req.url | a user-provided value |
| tst.js:37:5:37:38 | new Xhr ... inted)) | tst.js:14:29:14:35 | req.url | tst.js:37:22:37:37 | new Uri(tainted) | The $@ of this request depends on $@. | tst.js:37:22:37:37 | new Uri(tainted) | URL | tst.js:14:29:14:35 | req.url | a user-provided value |

5
javascript/ql/test/query-tests/Security/CWE-918/tst.js
View File

@@ -7,6 +7,8 @@ import axios from 'axios';
import got from 'got';
import nodeFetch from 'node-fetch';
import url from 'url';
let XhrIo = goog.require('goog.net.XhrIo');
let Uri = goog.require('goog.Uri');
var server = http.createServer(function(req, res) {
var tainted = url.parse(req.url, true).query.url;
@@ -30,4 +32,7 @@ var server = http.createServer(function(req, res) {
request("http://example.com/?" + tainted); // OK
http.get(relativeUrl, {host: tainted}); // NOT OK
XhrIo.send(new Uri(tainted)); // NOT OK
new XhrIo().send(new Uri(tainted)); // NOT OK
})