hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-30 11:15:13 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #5897 from erik-krogh/uid

Browse Source 
Approved by RasmusWL, esbena
This commit is contained in:
CodeQL CI
2021-05-17 06:01:04 -07:00
committed by GitHub
parent d706d7b7a4 9d60ec035f
commit 12b1bbe484
4 changed files with 65 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

50
javascript/ql/test/query-tests/Security/CWE-338/InsecureRandomness.expected
View File

@@ -66,6 +66,32 @@ nodes
| tst.js:95:33:95:45 | Math.random() |
| tst.js:95:33:95:45 | Math.random() |
| tst.js:95:33:95:45 | Math.random() |
| tst.js:115:16:115:56 | Math.fl ... 00_000) |
| tst.js:115:16:115:56 | Math.fl ... 00_000) |
| tst.js:115:27:115:39 | Math.random() |
| tst.js:115:27:115:39 | Math.random() |
| tst.js:115:27:115:55 | Math.ra ... 000_000 |
| tst.js:116:22:116:62 | Math.fl ... 00_000) |
| tst.js:116:22:116:62 | Math.fl ... 00_000) |
| tst.js:116:33:116:45 | Math.random() |
| tst.js:116:33:116:45 | Math.random() |
| tst.js:116:33:116:61 | Math.ra ... 000_000 |
| tst.js:117:15:117:55 | Math.fl ... 00_000) |
| tst.js:117:15:117:55 | Math.fl ... 00_000) |
| tst.js:117:26:117:38 | Math.random() |
| tst.js:117:26:117:38 | Math.random() |
| tst.js:117:26:117:54 | Math.ra ... 000_000 |
| tst.js:118:23:118:63 | Math.fl ... 00_000) |
| tst.js:118:23:118:63 | Math.fl ... 00_000) |
| tst.js:118:34:118:46 | Math.random() |
| tst.js:118:34:118:46 | Math.random() |
| tst.js:118:34:118:62 | Math.ra ... 000_000 |
| tst.js:120:16:120:28 | Math.random() |
| tst.js:120:16:120:28 | Math.random() |
| tst.js:120:16:120:28 | Math.random() |
| tst.js:121:18:121:30 | Math.random() |
| tst.js:121:18:121:30 | Math.random() |
| tst.js:121:18:121:30 | Math.random() |
edges
| tst.js:2:20:2:32 | Math.random() | tst.js:2:20:2:32 | Math.random() |
| tst.js:6:31:6:43 | Math.random() | tst.js:6:20:6:43 | "prefix ... andom() |
@@ -114,6 +140,24 @@ edges
| tst.js:84:19:84:31 | Math.random() | tst.js:84:19:84:31 | Math.random() |
| tst.js:90:32:90:44 | Math.random() | tst.js:90:32:90:44 | Math.random() |
| tst.js:95:33:95:45 | Math.random() | tst.js:95:33:95:45 | Math.random() |
| tst.js:115:27:115:39 | Math.random() | tst.js:115:27:115:55 | Math.ra ... 000_000 |
| tst.js:115:27:115:39 | Math.random() | tst.js:115:27:115:55 | Math.ra ... 000_000 |
| tst.js:115:27:115:55 | Math.ra ... 000_000 | tst.js:115:16:115:56 | Math.fl ... 00_000) |
| tst.js:115:27:115:55 | Math.ra ... 000_000 | tst.js:115:16:115:56 | Math.fl ... 00_000) |
| tst.js:116:33:116:45 | Math.random() | tst.js:116:33:116:61 | Math.ra ... 000_000 |
| tst.js:116:33:116:45 | Math.random() | tst.js:116:33:116:61 | Math.ra ... 000_000 |
| tst.js:116:33:116:61 | Math.ra ... 000_000 | tst.js:116:22:116:62 | Math.fl ... 00_000) |
| tst.js:116:33:116:61 | Math.ra ... 000_000 | tst.js:116:22:116:62 | Math.fl ... 00_000) |
| tst.js:117:26:117:38 | Math.random() | tst.js:117:26:117:54 | Math.ra ... 000_000 |
| tst.js:117:26:117:38 | Math.random() | tst.js:117:26:117:54 | Math.ra ... 000_000 |
| tst.js:117:26:117:54 | Math.ra ... 000_000 | tst.js:117:15:117:55 | Math.fl ... 00_000) |
| tst.js:117:26:117:54 | Math.ra ... 000_000 | tst.js:117:15:117:55 | Math.fl ... 00_000) |
| tst.js:118:34:118:46 | Math.random() | tst.js:118:34:118:62 | Math.ra ... 000_000 |
| tst.js:118:34:118:46 | Math.random() | tst.js:118:34:118:62 | Math.ra ... 000_000 |
| tst.js:118:34:118:62 | Math.ra ... 000_000 | tst.js:118:23:118:63 | Math.fl ... 00_000) |
| tst.js:118:34:118:62 | Math.ra ... 000_000 | tst.js:118:23:118:63 | Math.fl ... 00_000) |
| tst.js:120:16:120:28 | Math.random() | tst.js:120:16:120:28 | Math.random() |
| tst.js:121:18:121:30 | Math.random() | tst.js:121:18:121:30 | Math.random() |
#select
| tst.js:2:20:2:32 | Math.random() | tst.js:2:20:2:32 | Math.random() | tst.js:2:20:2:32 | Math.random() | Cryptographically insecure $@ in a security context. | tst.js:2:20:2:32 | Math.random() | random value |
| tst.js:6:20:6:43 | "prefix ... andom() | tst.js:6:31:6:43 | Math.random() | tst.js:6:20:6:43 | "prefix ... andom() | Cryptographically insecure $@ in a security context. | tst.js:6:31:6:43 | Math.random() | random value |
@@ -131,3 +175,9 @@ edges
| tst.js:84:19:84:31 | Math.random() | tst.js:84:19:84:31 | Math.random() | tst.js:84:19:84:31 | Math.random() | Cryptographically insecure $@ in a security context. | tst.js:84:19:84:31 | Math.random() | random value |
| tst.js:90:32:90:44 | Math.random() | tst.js:90:32:90:44 | Math.random() | tst.js:90:32:90:44 | Math.random() | Cryptographically insecure $@ in a security context. | tst.js:90:32:90:44 | Math.random() | random value |
| tst.js:95:33:95:45 | Math.random() | tst.js:95:33:95:45 | Math.random() | tst.js:95:33:95:45 | Math.random() | Cryptographically insecure $@ in a security context. | tst.js:95:33:95:45 | Math.random() | random value |
| tst.js:115:16:115:56 | Math.fl ... 00_000) | tst.js:115:27:115:39 | Math.random() | tst.js:115:16:115:56 | Math.fl ... 00_000) | Cryptographically insecure $@ in a security context. | tst.js:115:27:115:39 | Math.random() | random value |
| tst.js:116:22:116:62 | Math.fl ... 00_000) | tst.js:116:33:116:45 | Math.random() | tst.js:116:22:116:62 | Math.fl ... 00_000) | Cryptographically insecure $@ in a security context. | tst.js:116:33:116:45 | Math.random() | random value |
| tst.js:117:15:117:55 | Math.fl ... 00_000) | tst.js:117:26:117:38 | Math.random() | tst.js:117:15:117:55 | Math.fl ... 00_000) | Cryptographically insecure $@ in a security context. | tst.js:117:26:117:38 | Math.random() | random value |
| tst.js:118:23:118:63 | Math.fl ... 00_000) | tst.js:118:34:118:46 | Math.random() | tst.js:118:23:118:63 | Math.fl ... 00_000) | Cryptographically insecure $@ in a security context. | tst.js:118:34:118:46 | Math.random() | random value |
| tst.js:120:16:120:28 | Math.random() | tst.js:120:16:120:28 | Math.random() | tst.js:120:16:120:28 | Math.random() | Cryptographically insecure $@ in a security context. | tst.js:120:16:120:28 | Math.random() | random value |
| tst.js:121:18:121:30 | Math.random() | tst.js:121:18:121:30 | Math.random() | tst.js:121:18:121:30 | Math.random() | Cryptographically insecure $@ in a security context. | tst.js:121:18:121:30 | Math.random() | random value |

12
javascript/ql/test/query-tests/Security/CWE-338/tst.js
View File

@@ -109,4 +109,14 @@ function f18() {
}
};
var secret = genRandom(); // OK - Math.random() is only a fallback.
})();
})();
function uid() {
var uuid = Math.floor(Math.random() * 4_000_000_000); // NOT OK
var sessionUid = Math.floor(Math.random() * 4_000_000_000); // NOT OK
var uid = Math.floor(Math.random() * 4_000_000_000); // NOT OK
var my_nice_uid = Math.floor(Math.random() * 4_000_000_000); // NOT OK
var liquid = Math.random(); // OK
var UUID = Math.random(); // NOT OK
var MY_UID = Math.random(); // NOK OK
}