changes based on review

2026-04-28 10:15:14 +02:00 · 2020-01-30 14:04:04 +01:00
parent 7637ebcc03
commit 162c19c348
6 changed files with 70 additions and 42 deletions
--- a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss.expected
@@ -9,6 +9,9 @@ nodes
 | etherpad.js:9:16:9:53 | req.que ... e + ")" |
 | etherpad.js:11:12:11:19 | response |
 | etherpad.js:11:12:11:19 | response |
+| exception-xss.js:190:12:190:24 | req.params.id |
+| exception-xss.js:190:12:190:24 | req.params.id |
+| exception-xss.js:190:12:190:24 | req.params.id |
 | formatting.js:4:9:4:29 | evil |
 | formatting.js:4:16:4:29 | req.query.evil |
 | formatting.js:4:16:4:29 | req.query.evil |
@@ -77,6 +80,7 @@ edges
 | etherpad.js:9:16:9:30 | req.query.jsonp | etherpad.js:9:16:9:53 | req.que ... e + ")" |
 | etherpad.js:9:16:9:30 | req.query.jsonp | etherpad.js:9:16:9:53 | req.que ... e + ")" |
 | etherpad.js:9:16:9:53 | req.que ... e + ")" | etherpad.js:9:5:9:53 | response |
+| exception-xss.js:190:12:190:24 | req.params.id | exception-xss.js:190:12:190:24 | req.params.id |
 | formatting.js:4:9:4:29 | evil | formatting.js:6:43:6:46 | evil |
 | formatting.js:4:9:4:29 | evil | formatting.js:7:49:7:52 | evil |
 | formatting.js:4:16:4:29 | req.query.evil | formatting.js:4:9:4:29 | evil |
@@ -131,6 +135,7 @@ edges
 #select
 | ReflectedXss.js:8:14:8:45 | "Unknow ... rams.id | ReflectedXss.js:8:33:8:45 | req.params.id | ReflectedXss.js:8:14:8:45 | "Unknow ... rams.id | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:8:33:8:45 | req.params.id | user-provided value |
 | etherpad.js:11:12:11:19 | response | etherpad.js:9:16:9:30 | req.query.jsonp | etherpad.js:11:12:11:19 | response | Cross-site scripting vulnerability due to $@. | etherpad.js:9:16:9:30 | req.query.jsonp | user-provided value |
+| exception-xss.js:190:12:190:24 | req.params.id | exception-xss.js:190:12:190:24 | req.params.id | exception-xss.js:190:12:190:24 | req.params.id | Cross-site scripting vulnerability due to $@. | exception-xss.js:190:12:190:24 | req.params.id | user-provided value |
 | formatting.js:6:14:6:47 | util.fo ... , evil) | formatting.js:4:16:4:29 | req.query.evil | formatting.js:6:14:6:47 | util.fo ... , evil) | Cross-site scripting vulnerability due to $@. | formatting.js:4:16:4:29 | req.query.evil | user-provided value |
 | formatting.js:7:14:7:53 | require ... , evil) | formatting.js:4:16:4:29 | req.query.evil | formatting.js:7:14:7:53 | require ... , evil) | Cross-site scripting vulnerability due to $@. | formatting.js:4:16:4:29 | req.query.evil | user-provided value |
 | partial.js:10:14:10:18 | x + y | partial.js:13:42:13:48 | req.url | partial.js:10:14:10:18 | x + y | Cross-site scripting vulnerability due to $@. | partial.js:13:42:13:48 | req.url | user-provided value |
--- a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXssWithCustomSanitizer.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXssWithCustomSanitizer.expected
@@ -1,4 +1,5 @@
 | ReflectedXss.js:8:14:8:45 | "Unknow ... rams.id | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:8:33:8:45 | req.params.id | user-provided value |
+| exception-xss.js:190:12:190:24 | req.params.id | Cross-site scripting vulnerability due to $@. | exception-xss.js:190:12:190:24 | req.params.id | user-provided value |
 | formatting.js:6:14:6:47 | util.fo ... , evil) | Cross-site scripting vulnerability due to $@. | formatting.js:4:16:4:29 | req.query.evil | user-provided value |
 | formatting.js:7:14:7:53 | require ... , evil) | Cross-site scripting vulnerability due to $@. | formatting.js:4:16:4:29 | req.query.evil | user-provided value |
 | partial.js:10:14:10:18 | x + y | Cross-site scripting vulnerability due to $@. | partial.js:13:42:13:48 | req.url | user-provided value |
--- a/javascript/ql/test/query-tests/Security/CWE-079/exception-xss.js
+++ b/javascript/ql/test/query-tests/Security/CWE-079/exception-xss.js
@@ -183,4 +183,34 @@ app.get('/user/:id', function (req, res) {
 		}
 		$('myId').html(res); // NOT OK!
 	});
-});
+});
+
+app.get('/user/:id', function (req, res) {
+	try {
+		res.send(req.params.id);
+	} catch(err) {
+		res.send(err); // OK (the above `res.send()` is already reported by js/xss)
+	}
+});
+
+var fs = require("fs");
+
+(function () {
+	var foo = document.location.search;
+
+	try {
+		// A series of functions does not throw tainted exceptions.
+		Object.assign(foo, foo)
+		_.pick(foo, foo);
+		[foo, foo].join(join);
+		$.val(foo);
+		JSON.parse(foo); 
+		/bla/.test(foo);
+		console.log(foo);
+		log.info(foo);
+		localStorage.setItem(foo);
+	} catch (e) {
+		$('myId').html(e); // OK
+	}
+	
+})();