hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-28 10:15:14 +02:00
Code Issues Packages Projects Releases Wiki Activity

move query to src, rename and refactor

Browse Source
This commit is contained in:
CaptainFreak
2021-02-03 15:48:02 +05:30
parent 3363f5e6db
commit 12ee497485
3 changed files with 8 additions and 13 deletions
Download Patch File Download Diff File Expand all files Collapse all files

39
javascript/ql/src/experimental/Security/CWE-073/TemplateObjectInjection.ql Normal file
View File

@@ -0,0 +1,39 @@
/**
* @name Template Object Injection
* @description Instantiating a template using a user-controlled object is vulnerable to local file read and potential remote code execution.
* @kind path-problem
* @problem.severity error
* @precision high
* @id js/template-object-injection
* @tags security
* external/cwe/cwe-073
* external/cwe/cwe-094
*/
import javascript
import DataFlow
import PathGraph
predicate isUsingHbsEngine() {
Express::appCreation().getAMethodCall("set").getArgument(1).mayHaveStringValue("hbs")
}
class HbsLFRTaint extends TaintTracking::Configuration {
HbsLFRTaint() { this = "HbsLFRTaint" }
override predicate isSource(Node node) { node instanceof RemoteFlowSource }
override predicate isSink(Node node) {
exists(MethodCallExpr mc |
Express::isResponse(mc.getReceiver()) and
mc.getMethodName() = "render" and
node.asExpr() = mc.getArgument(1) and
isUsingHbsEngine()
)
}
}
from HbsLFRTaint cfg, PathNode source, PathNode sink
where cfg.hasFlowPath(source, sink)
select sink.getNode(), source, sink, "Template object injection due to $@.", source.getNode(),
"user-provided value"

10
javascript/ql/src/experimental/Security/CWE-073/documentation-examples/TemplateObjectInjection.js Normal file
View File

@@ -0,0 +1,10 @@
var app = require('express')();
app.set('view engine', 'hbs');
app.post('/path', function(req, res) {
var bodyParameter = req.body.bodyParameter
var queryParameter = req.query.queryParameter
res.render('template', bodyParameter)
res.render('template', queryParameter)
});

10
javascript/ql/src/experimental/Security/CWE-073/documentation-examples/TemplateObjectInjection_fixed.js Normal file
View File

@@ -0,0 +1,10 @@
var app = require('express')();
app.set('view engine', 'hbs');
app.post('/path', function(req, res) {
var bodyParameter = req.body.bodyParameter
var queryParameter = req.query.queryParameter
res.render('template', {bodyParameter})
res.render('template', {queryParameter})
});