fix restify tests
@@ -123,9 +123,18 @@ function xss(req, res, next) { // test: handler
|
||||
res.send('hello ' + req.query.name); // test: source, stackTraceExposureSink, xssSink, xss
|
||||
next();
|
||||
}
|
||||
server["get"]('/xss', xss); // test: setup
|
||||
|
||||
function xss2(req, res, next) { // test: handler
|
||||
function xss2(req, res, next) { // test: candidateHandler
|
||||
next()
|
||||
}
|
||||
|
||||
function xss3(req, res, next) { // test: handler
|
||||
res.header("Content-Type", "text/html"); // test: headerDefinition
|
||||
res.send('hello ' + req.header("foo")); // test: source, stackTraceExposureSink, xssSink, !xss
|
||||
next();
|
||||
}
|
||||
|
||||
function xss4(req, res, next) { // test: handler
|
||||
var body = req.params.name; // test: source
|
||||
res.writeHead(200, {
|
||||
'Content-Length': Buffer.byteLength(body),
|
||||
@@ -135,19 +144,16 @@ function xss2(req, res, next) { // test: handler
|
||||
res.end();
|
||||
next();
|
||||
}
|
||||
|
||||
server["get"]('/xss', xss); // test: setup
|
||||
["get", "head"].forEach(method => {
|
||||
server[method]('/xss2', xss2);
|
||||
});
|
||||
|
||||
function xss3(req, res, next) { // test: handler
|
||||
res.header("Content-Type", "text/html"); // test: headerDefinition
|
||||
res.send('hello ' + req.header("foo")); // test: source, stackTraceExposureSink, xssSink, !xss
|
||||
next();
|
||||
}
|
||||
server["get"]('/xss3', xss3); // test: setup
|
||||
server["get"]('/xss4', xss4); // test: setup
|
||||
|
||||
|
||||
function sendV2(req, res, next) { // test: candidateHandler
|
||||
server.get('/testv2', function(req, res, next) { // test: handler
|
||||
res.set({
|
||||
"Content-Type": "text/html",
|
||||
"access-control-allow-origin": "*", // test: corsMiconfigurationSink
|
||||
@@ -162,7 +168,8 @@ function sendV2(req, res, next) { // test: candidateHandler
|
||||
clients.createJsonClient(req.params.uri); // test: source, ssrfSink
|
||||
|
||||
next();
|
||||
}
|
||||
})
|
||||
|
||||
server.get('/hello2/:name', restify.plugins.conditionalHandler([ // test: setup
|
||||
{ version: ['2.0.0', '2.1.0', '2.2.0'], handler: sendV2 }
|
||||
]));
|
||||
|
||||
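Review bot: The `/hello2/:name` registration at the end of this section still passes `handler: sendV2` to `restify.plugins.conditionalHandler`, while the `sendV2` declaration named in the hunk headers appears to have been replaced by the inline handler on `server.get('/testv2', function(req, res, next) {`, so the identifier looks unbound in the new fixture unless it is declared outside the visible hunks. The +/- markers are lost in this rendering, so this is inferred from the expected output, where the `candidateHandler` result at `src/index.js:150:35` disappears and a `handler` result at `156:50` appears. The extractor does not need the file to run, but with a dangling name the versioned route no longer ties a real function to the conditional-handler case, so that path of the restify model goes unexercised. Consider keeping a small named declaration such as `function sendV2(req, res, next) { next(); }` with the matching `// test:` annotation, or pointing `handler:` at a function that still exists in the file.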
@@ -1,7 +1,7 @@
|
||||
passingPositiveTests
|
||||
| PASSED | candidateHandler | src/index.js:150:35:150:59 | // test ... Handler |
|
||||
| PASSED | candidateHandler | src/index.js:173:42:173:66 | // test ... Handler |
|
||||
| PASSED | corsMiconfigurationSink | src/index.js:153:41:153:72 | // test ... ionSink |
|
||||
| PASSED | candidateHandler | src/index.js:127:33:127:57 | // test ... Handler |
|
||||
| PASSED | candidateHandler | src/index.js:180:42:180:66 | // test ... Handler |
|
||||
| PASSED | corsMiconfigurationSink | src/index.js:159:41:159:72 | // test ... ionSink |
|
||||
| PASSED | handler | src/index.js:32:39:32:54 | // test: handler |
|
||||
| PASSED | handler | src/index.js:41:39:41:54 | // test: handler |
|
||||
| PASSED | handler | src/index.js:44:35:44:50 | // test: handler |
|
||||
@@ -18,17 +18,18 @@ passingPositiveTests
|
||||
| PASSED | handler | src/index.js:111:31:111:46 | // test: handler |
|
||||
| PASSED | handler | src/index.js:115:30:115:45 | // test: handler |
|
||||
| PASSED | handler | src/index.js:121:32:121:47 | // test: handler |
|
||||
| PASSED | handler | src/index.js:128:33:128:48 | // test: handler |
|
||||
| PASSED | handler | src/index.js:142:33:142:48 | // test: handler |
|
||||
| PASSED | handler | src/index.js:183:65:183:87 | // test ... handler |
|
||||
| PASSED | handler | src/index.js:187:63:187:85 | // test ... handler |
|
||||
| PASSED | handler | src/index.js:190:55:190:77 | // test ... handler |
|
||||
| PASSED | handler | src/index.js:192:39:192:61 | // test ... handler |
|
||||
| PASSED | handler | src/index.js:194:49:194:71 | // test ... handler |
|
||||
| PASSED | handler | src/index.js:198:65:198:87 | // test ... handler |
|
||||
| PASSED | handler | src/index.js:131:33:131:48 | // test: handler |
|
||||
| PASSED | handler | src/index.js:137:33:137:48 | // test: handler |
|
||||
| PASSED | handler | src/index.js:156:50:156:65 | // test: handler |
|
||||
| PASSED | handler | src/index.js:190:65:190:87 | // test ... handler |
|
||||
| PASSED | handler | src/index.js:194:63:194:85 | // test ... handler |
|
||||
| PASSED | handler | src/index.js:197:55:197:77 | // test ... handler |
|
||||
| PASSED | handler | src/index.js:199:39:199:61 | // test ... handler |
|
||||
| PASSED | handler | src/index.js:201:49:201:71 | // test ... handler |
|
||||
| PASSED | handler | src/index.js:205:65:205:87 | // test ... handler |
|
||||
| PASSED | headerDefinition | src/index.js:104:46:104:70 | // test ... inition |
|
||||
| PASSED | headerDefinition | src/index.js:122:44:122:68 | // test ... inition |
|
||||
| PASSED | headerDefinition | src/index.js:143:44:143:68 | // test ... inition |
|
||||
| PASSED | headerDefinition | src/index.js:132:44:132:68 | // test ... inition |
|
||||
| PASSED | redirectSink | src/index.js:78:32:78:60 | // test ... ectSink |
|
||||
| PASSED | redirectSink | src/index.js:87:45:87:73 | // test ... ectSink |
|
||||
| PASSED | redirectSink | src/index.js:88:40:88:68 | // test ... ectSink |
|
||||
@@ -40,16 +41,17 @@ passingPositiveTests
|
||||
| PASSED | setup | src/index.js:93:44:93:66 | // test ... handler |
|
||||
| PASSED | setup | src/index.js:98:20:98:33 | // test: setup |
|
||||
| PASSED | setup | src/index.js:110:21:110:34 | // test: setup |
|
||||
| PASSED | setup | src/index.js:126:29:126:42 | // test: setup |
|
||||
| PASSED | setup | src/index.js:147:31:147:44 | // test: setup |
|
||||
| PASSED | setup | src/index.js:166:66:166:79 | // test: setup |
|
||||
| PASSED | setup | src/index.js:170:66:170:78 | //test: setup |
|
||||
| PASSED | setup | src/index.js:183:65:183:87 | // test ... handler |
|
||||
| PASSED | setup | src/index.js:187:63:187:85 | // test ... handler |
|
||||
| PASSED | setup | src/index.js:190:55:190:77 | // test ... handler |
|
||||
| PASSED | setup | src/index.js:192:39:192:61 | // test ... handler |
|
||||
| PASSED | setup | src/index.js:194:49:194:71 | // test ... handler |
|
||||
| PASSED | setup | src/index.js:198:65:198:87 | // test ... handler |
|
||||
| PASSED | setup | src/index.js:148:29:148:42 | // test: setup |
|
||||
| PASSED | setup | src/index.js:152:31:152:44 | // test: setup |
|
||||
| PASSED | setup | src/index.js:153:31:153:44 | // test: setup |
|
||||
| PASSED | setup | src/index.js:173:66:173:79 | // test: setup |
|
||||
| PASSED | setup | src/index.js:177:66:177:78 | //test: setup |
|
||||
| PASSED | setup | src/index.js:190:65:190:87 | // test ... handler |
|
||||
| PASSED | setup | src/index.js:194:63:194:85 | // test ... handler |
|
||||
| PASSED | setup | src/index.js:197:55:197:77 | // test ... handler |
|
||||
| PASSED | setup | src/index.js:199:39:199:61 | // test ... handler |
|
||||
| PASSED | setup | src/index.js:201:49:201:71 | // test ... handler |
|
||||
| PASSED | setup | src/index.js:205:65:205:87 | // test ... handler |
|
||||
| PASSED | source | src/index.js:11:76:11:130 | // test ... k, !xss |
|
||||
| PASSED | source | src/index.js:24:76:24:128 | // test ... nk, xss |
|
||||
| PASSED | source | src/index.js:72:41:72:80 | // test ... reSink |
|
||||
@@ -61,15 +63,15 @@ passingPositiveTests
|
||||
| PASSED | source | src/index.js:88:40:88:68 | // test ... ectSink |
|
||||
| PASSED | source | src/index.js:100:37:100:51 | // test: source |
|
||||
| PASSED | source | src/index.js:123:40:123:92 | // test ... nk, xss |
|
||||
| PASSED | source | src/index.js:129:31:129:45 | // test: source |
|
||||
| PASSED | source | src/index.js:144:43:144:96 | // test ... k, !xss |
|
||||
| PASSED | source | src/index.js:158:41:158:93 | // test ... nk, xss |
|
||||
| PASSED | source | src/index.js:160:26:160:50 | // test ... srfSink |
|
||||
| PASSED | source | src/index.js:162:45:162:69 | // test ... srfSink |
|
||||
| PASSED | source | src/index.js:196:28:196:58 | // test ... k, !xss |
|
||||
| PASSED | source | src/index.js:200:28:200:56 | // test ... nk, xss |
|
||||
| PASSED | ssrfSink | src/index.js:160:26:160:50 | // test ... srfSink |
|
||||
| PASSED | ssrfSink | src/index.js:162:45:162:69 | // test ... srfSink |
|
||||
| PASSED | source | src/index.js:133:43:133:96 | // test ... k, !xss |
|
||||
| PASSED | source | src/index.js:138:31:138:45 | // test: source |
|
||||
| PASSED | source | src/index.js:164:41:164:93 | // test ... nk, xss |
|
||||
| PASSED | source | src/index.js:166:26:166:50 | // test ... srfSink |
|
||||
| PASSED | source | src/index.js:168:45:168:69 | // test ... srfSink |
|
||||
| PASSED | source | src/index.js:203:28:203:58 | // test ... k, !xss |
|
||||
| PASSED | source | src/index.js:207:28:207:56 | // test ... nk, xss |
|
||||
| PASSED | ssrfSink | src/index.js:166:26:166:50 | // test ... srfSink |
|
||||
| PASSED | ssrfSink | src/index.js:168:45:168:69 | // test ... srfSink |
|
||||
| PASSED | stackTraceExposureSink | src/index.js:9:66:9:96 | // test ... ureSink |
|
||||
| PASSED | stackTraceExposureSink | src/index.js:11:76:11:130 | // test ... k, !xss |
|
||||
| PASSED | stackTraceExposureSink | src/index.js:22:66:22:105 | // test ... xssSink |
|
||||
@@ -81,28 +83,28 @@ passingPositiveTests
|
||||
| PASSED | stackTraceExposureSink | src/index.js:105:29:105:73 | // test ... nk, xss |
|
||||
| PASSED | stackTraceExposureSink | src/index.js:116:29:116:59 | // test ... ureSink |
|
||||
| PASSED | stackTraceExposureSink | src/index.js:123:40:123:92 | // test ... nk, xss |
|
||||
| PASSED | stackTraceExposureSink | src/index.js:134:20:134:64 | // test ... nk, xss |
|
||||
| PASSED | stackTraceExposureSink | src/index.js:144:43:144:96 | // test ... k, !xss |
|
||||
| PASSED | stackTraceExposureSink | src/index.js:158:41:158:93 | // test ... nk, xss |
|
||||
| PASSED | stackTraceExposureSink | src/index.js:133:43:133:96 | // test ... k, !xss |
|
||||
| PASSED | stackTraceExposureSink | src/index.js:143:20:143:64 | // test ... nk, xss |
|
||||
| PASSED | stackTraceExposureSink | src/index.js:164:41:164:93 | // test ... nk, xss |
|
||||
| PASSED | xss | src/index.js:24:76:24:128 | // test ... nk, xss |
|
||||
| PASSED | xss | src/index.js:105:29:105:73 | // test ... nk, xss |
|
||||
| PASSED | xss | src/index.js:123:40:123:92 | // test ... nk, xss |
|
||||
| PASSED | xss | src/index.js:134:20:134:64 | // test ... nk, xss |
|
||||
| PASSED | xss | src/index.js:158:41:158:93 | // test ... nk, xss |
|
||||
| PASSED | xss | src/index.js:200:28:200:56 | // test ... nk, xss |
|
||||
| PASSED | xss | src/index.js:143:20:143:64 | // test ... nk, xss |
|
||||
| PASSED | xss | src/index.js:164:41:164:93 | // test ... nk, xss |
|
||||
| PASSED | xss | src/index.js:207:28:207:56 | // test ... nk, xss |
|
||||
| PASSED | xssSink | src/index.js:22:66:22:105 | // test ... xssSink |
|
||||
| PASSED | xssSink | src/index.js:24:76:24:128 | // test ... nk, xss |
|
||||
| PASSED | xssSink | src/index.js:105:29:105:73 | // test ... nk, xss |
|
||||
| PASSED | xssSink | src/index.js:123:40:123:92 | // test ... nk, xss |
|
||||
| PASSED | xssSink | src/index.js:134:20:134:64 | // test ... nk, xss |
|
||||
| PASSED | xssSink | src/index.js:144:43:144:96 | // test ... k, !xss |
|
||||
| PASSED | xssSink | src/index.js:158:41:158:93 | // test ... nk, xss |
|
||||
| PASSED | xssSink | src/index.js:200:28:200:56 | // test ... nk, xss |
|
||||
| PASSED | xssSink | src/index.js:133:43:133:96 | // test ... k, !xss |
|
||||
| PASSED | xssSink | src/index.js:143:20:143:64 | // test ... nk, xss |
|
||||
| PASSED | xssSink | src/index.js:164:41:164:93 | // test ... nk, xss |
|
||||
| PASSED | xssSink | src/index.js:207:28:207:56 | // test ... nk, xss |
|
||||
failingPositiveTests
|
||||
passingNegativeTests
|
||||
| PASSED | !xss | src/index.js:11:76:11:130 | // test ... k, !xss |
|
||||
| PASSED | !xss | src/index.js:144:43:144:96 | // test ... k, !xss |
|
||||
| PASSED | !xss | src/index.js:196:28:196:58 | // test ... k, !xss |
|
||||
| PASSED | !xss | src/index.js:133:43:133:96 | // test ... k, !xss |
|
||||
| PASSED | !xss | src/index.js:203:28:203:58 | // test ... k, !xss |
|
||||
| PASSED | !xssSink | src/index.js:11:76:11:130 | // test ... k, !xss |
|
||||
| PASSED | !xssSink | src/index.js:196:28:196:58 | // test ... k, !xss |
|
||||
| PASSED | !xssSink | src/index.js:203:28:203:58 | // test ... k, !xss |
|
||||
failingNegativeTests
|
||||
|
||||
@@ -6,7 +6,6 @@ import semmle.javascript.security.dataflow.ServerSideUrlRedirectCustomizations
|
||||
import semmle.javascript.security.dataflow.RequestForgeryCustomizations
|
||||
import semmle.javascript.security.dataflow.ReflectedXssCustomizations
|
||||
import semmle.javascript.security.dataflow.ReflectedXssQuery as XssConfig
|
||||
import semmle.javascript.heuristics.AdditionalRouteHandlers
|
||||
|
||||
class InlineTest extends LineComment {
|
||||
string tests;
|
||||
|
||||