Merge branch 'main' into logs

Erik Krogh Kristensen
2021-07-16 11:21:25 +02:00
311 changed files with 9413 additions and 1874 deletions


@@ -65,24 +65,35 @@ nodes
| logInjectionBad.js:58:17:58:59 | stripAn ... rname)) |
| logInjectionBad.js:58:27:58:58 | chalk.u ... ername) |
| logInjectionBad.js:58:50:58:57 | username |
| logInjectionBad.js:64:9:64:36 | q |
| logInjectionBad.js:64:13:64:36 | url.par ... , true) |
| logInjectionBad.js:64:23:64:29 | req.url |
| logInjectionBad.js:64:23:64:29 | req.url |
| logInjectionBad.js:65:9:65:35 | username |
| logInjectionBad.js:65:20:65:20 | q |
| logInjectionBad.js:65:20:65:26 | q.query |
| logInjectionBad.js:65:20:65:35 | q.query.username |
| logInjectionBad.js:67:15:67:22 | username |
| logInjectionBad.js:67:15:67:22 | username |
| logInjectionBad.js:74:30:74:37 | username |
| logInjectionBad.js:74:30:74:37 | username |
| logInjectionBad.js:83:26:83:33 | username |
| logInjectionBad.js:83:26:83:33 | username |
| logInjectionBad.js:63:9:63:36 | q |
| logInjectionBad.js:63:13:63:36 | url.par ... , true) |
| logInjectionBad.js:63:23:63:29 | req.url |
| logInjectionBad.js:63:23:63:29 | req.url |
| logInjectionBad.js:64:9:64:35 | username |
| logInjectionBad.js:64:20:64:20 | q |
| logInjectionBad.js:64:20:64:26 | q.query |
| logInjectionBad.js:64:20:64:35 | q.query.username |
| logInjectionBad.js:66:17:66:43 | prettyj ... ername) |
| logInjectionBad.js:66:17:66:43 | prettyj ... ername) |
| logInjectionBad.js:66:35:66:42 | username |
| logInjectionBad.js:72:9:72:36 | q |
| logInjectionBad.js:72:13:72:36 | url.par ... , true) |
| logInjectionBad.js:72:23:72:29 | req.url |
| logInjectionBad.js:72:23:72:29 | req.url |
| logInjectionBad.js:73:9:73:35 | username |
| logInjectionBad.js:73:20:73:20 | q |
| logInjectionBad.js:73:20:73:26 | q.query |
| logInjectionBad.js:73:20:73:35 | q.query.username |
| logInjectionBad.js:75:15:75:22 | username |
| logInjectionBad.js:75:15:75:22 | username |
| logInjectionBad.js:82:30:82:37 | username |
| logInjectionBad.js:82:30:82:37 | username |
| logInjectionBad.js:91:26:91:33 | username |
| logInjectionBad.js:91:26:91:33 | username |
| logInjectionBad.js:105:37:105:44 | username |
| logInjectionBad.js:105:37:105:44 | username |
| logInjectionBad.js:99:26:99:33 | username |
| logInjectionBad.js:99:26:99:33 | username |
| logInjectionBad.js:113:37:113:44 | username |
| logInjectionBad.js:113:37:113:44 | username |
edges
| logInjectionBad.js:19:9:19:36 | q | logInjectionBad.js:20:20:20:20 | q |
| logInjectionBad.js:19:13:19:36 | url.par ... , true) | logInjectionBad.js:19:9:19:36 | q |
@@ -148,23 +159,33 @@ edges
| logInjectionBad.js:58:27:58:58 | chalk.u ... ername) | logInjectionBad.js:58:17:58:59 | stripAn ... rname)) |
| logInjectionBad.js:58:27:58:58 | chalk.u ... ername) | logInjectionBad.js:58:17:58:59 | stripAn ... rname)) |
| logInjectionBad.js:58:50:58:57 | username | logInjectionBad.js:58:27:58:58 | chalk.u ... ername) |
| logInjectionBad.js:64:9:64:36 | q | logInjectionBad.js:65:20:65:20 | q |
| logInjectionBad.js:64:13:64:36 | url.par ... , true) | logInjectionBad.js:64:9:64:36 | q |
| logInjectionBad.js:64:23:64:29 | req.url | logInjectionBad.js:64:13:64:36 | url.par ... , true) |
| logInjectionBad.js:64:23:64:29 | req.url | logInjectionBad.js:64:13:64:36 | url.par ... , true) |
| logInjectionBad.js:65:9:65:35 | username | logInjectionBad.js:67:15:67:22 | username |
| logInjectionBad.js:65:9:65:35 | username | logInjectionBad.js:67:15:67:22 | username |
| logInjectionBad.js:65:9:65:35 | username | logInjectionBad.js:74:30:74:37 | username |
| logInjectionBad.js:65:9:65:35 | username | logInjectionBad.js:74:30:74:37 | username |
| logInjectionBad.js:65:9:65:35 | username | logInjectionBad.js:83:26:83:33 | username |
| logInjectionBad.js:65:9:65:35 | username | logInjectionBad.js:83:26:83:33 | username |
| logInjectionBad.js:65:9:65:35 | username | logInjectionBad.js:91:26:91:33 | username |
| logInjectionBad.js:65:9:65:35 | username | logInjectionBad.js:91:26:91:33 | username |
| logInjectionBad.js:65:9:65:35 | username | logInjectionBad.js:105:37:105:44 | username |
| logInjectionBad.js:65:9:65:35 | username | logInjectionBad.js:105:37:105:44 | username |
| logInjectionBad.js:65:20:65:20 | q | logInjectionBad.js:65:20:65:26 | q.query |
| logInjectionBad.js:65:20:65:26 | q.query | logInjectionBad.js:65:20:65:35 | q.query.username |
| logInjectionBad.js:65:20:65:35 | q.query.username | logInjectionBad.js:65:9:65:35 | username |
| logInjectionBad.js:63:9:63:36 | q | logInjectionBad.js:64:20:64:20 | q |
| logInjectionBad.js:63:13:63:36 | url.par ... , true) | logInjectionBad.js:63:9:63:36 | q |
| logInjectionBad.js:63:23:63:29 | req.url | logInjectionBad.js:63:13:63:36 | url.par ... , true) |
| logInjectionBad.js:63:23:63:29 | req.url | logInjectionBad.js:63:13:63:36 | url.par ... , true) |
| logInjectionBad.js:64:9:64:35 | username | logInjectionBad.js:66:35:66:42 | username |
| logInjectionBad.js:64:20:64:20 | q | logInjectionBad.js:64:20:64:26 | q.query |
| logInjectionBad.js:64:20:64:26 | q.query | logInjectionBad.js:64:20:64:35 | q.query.username |
| logInjectionBad.js:64:20:64:35 | q.query.username | logInjectionBad.js:64:9:64:35 | username |
| logInjectionBad.js:66:35:66:42 | username | logInjectionBad.js:66:17:66:43 | prettyj ... ername) |
| logInjectionBad.js:66:35:66:42 | username | logInjectionBad.js:66:17:66:43 | prettyj ... ername) |
| logInjectionBad.js:72:9:72:36 | q | logInjectionBad.js:73:20:73:20 | q |
| logInjectionBad.js:72:13:72:36 | url.par ... , true) | logInjectionBad.js:72:9:72:36 | q |
| logInjectionBad.js:72:23:72:29 | req.url | logInjectionBad.js:72:13:72:36 | url.par ... , true) |
| logInjectionBad.js:72:23:72:29 | req.url | logInjectionBad.js:72:13:72:36 | url.par ... , true) |
| logInjectionBad.js:73:9:73:35 | username | logInjectionBad.js:75:15:75:22 | username |
| logInjectionBad.js:73:9:73:35 | username | logInjectionBad.js:75:15:75:22 | username |
| logInjectionBad.js:73:9:73:35 | username | logInjectionBad.js:82:30:82:37 | username |
| logInjectionBad.js:73:9:73:35 | username | logInjectionBad.js:82:30:82:37 | username |
| logInjectionBad.js:73:9:73:35 | username | logInjectionBad.js:91:26:91:33 | username |
| logInjectionBad.js:73:9:73:35 | username | logInjectionBad.js:91:26:91:33 | username |
| logInjectionBad.js:73:9:73:35 | username | logInjectionBad.js:99:26:99:33 | username |
| logInjectionBad.js:73:9:73:35 | username | logInjectionBad.js:99:26:99:33 | username |
| logInjectionBad.js:73:9:73:35 | username | logInjectionBad.js:113:37:113:44 | username |
| logInjectionBad.js:73:9:73:35 | username | logInjectionBad.js:113:37:113:44 | username |
| logInjectionBad.js:73:20:73:20 | q | logInjectionBad.js:73:20:73:26 | q.query |
| logInjectionBad.js:73:20:73:26 | q.query | logInjectionBad.js:73:20:73:35 | q.query.username |
| logInjectionBad.js:73:20:73:35 | q.query.username | logInjectionBad.js:73:9:73:35 | username |
#select
| logInjectionBad.js:22:18:22:43 | `[INFO] ... rname}` | logInjectionBad.js:19:23:19:29 | req.url | logInjectionBad.js:22:18:22:43 | `[INFO] ... rname}` | $@ flows to log entry. | logInjectionBad.js:19:23:19:29 | req.url | User-provided value |
| logInjectionBad.js:23:37:23:44 | username | logInjectionBad.js:19:23:19:29 | req.url | logInjectionBad.js:23:37:23:44 | username | $@ flows to log entry. | logInjectionBad.js:19:23:19:29 | req.url | User-provided value |
@@ -181,8 +202,9 @@ edges
| logInjectionBad.js:56:17:56:55 | kleur.b ... ername) | logInjectionBad.js:46:23:46:29 | req.url | logInjectionBad.js:56:17:56:55 | kleur.b ... ername) | $@ flows to log entry. | logInjectionBad.js:46:23:46:29 | req.url | User-provided value |
| logInjectionBad.js:57:17:57:48 | chalk.u ... ername) | logInjectionBad.js:46:23:46:29 | req.url | logInjectionBad.js:57:17:57:48 | chalk.u ... ername) | $@ flows to log entry. | logInjectionBad.js:46:23:46:29 | req.url | User-provided value |
| logInjectionBad.js:58:17:58:59 | stripAn ... rname)) | logInjectionBad.js:46:23:46:29 | req.url | logInjectionBad.js:58:17:58:59 | stripAn ... rname)) | $@ flows to log entry. | logInjectionBad.js:46:23:46:29 | req.url | User-provided value |
| logInjectionBad.js:67:15:67:22 | username | logInjectionBad.js:64:23:64:29 | req.url | logInjectionBad.js:67:15:67:22 | username | $@ flows to log entry. | logInjectionBad.js:64:23:64:29 | req.url | User-provided value |
| logInjectionBad.js:74:30:74:37 | username | logInjectionBad.js:64:23:64:29 | req.url | logInjectionBad.js:74:30:74:37 | username | $@ flows to log entry. | logInjectionBad.js:64:23:64:29 | req.url | User-provided value |
| logInjectionBad.js:83:26:83:33 | username | logInjectionBad.js:64:23:64:29 | req.url | logInjectionBad.js:83:26:83:33 | username | $@ flows to log entry. | logInjectionBad.js:64:23:64:29 | req.url | User-provided value |
| logInjectionBad.js:91:26:91:33 | username | logInjectionBad.js:64:23:64:29 | req.url | logInjectionBad.js:91:26:91:33 | username | $@ flows to log entry. | logInjectionBad.js:64:23:64:29 | req.url | User-provided value |
| logInjectionBad.js:105:37:105:44 | username | logInjectionBad.js:64:23:64:29 | req.url | logInjectionBad.js:105:37:105:44 | username | $@ flows to log entry. | logInjectionBad.js:64:23:64:29 | req.url | User-provided value |
| logInjectionBad.js:66:17:66:43 | prettyj ... ername) | logInjectionBad.js:63:23:63:29 | req.url | logInjectionBad.js:66:17:66:43 | prettyj ... ername) | $@ flows to log entry. | logInjectionBad.js:63:23:63:29 | req.url | User-provided value |
| logInjectionBad.js:75:15:75:22 | username | logInjectionBad.js:72:23:72:29 | req.url | logInjectionBad.js:75:15:75:22 | username | $@ flows to log entry. | logInjectionBad.js:72:23:72:29 | req.url | User-provided value |
| logInjectionBad.js:82:30:82:37 | username | logInjectionBad.js:72:23:72:29 | req.url | logInjectionBad.js:82:30:82:37 | username | $@ flows to log entry. | logInjectionBad.js:72:23:72:29 | req.url | User-provided value |
| logInjectionBad.js:91:26:91:33 | username | logInjectionBad.js:72:23:72:29 | req.url | logInjectionBad.js:91:26:91:33 | username | $@ flows to log entry. | logInjectionBad.js:72:23:72:29 | req.url | User-provided value |
| logInjectionBad.js:99:26:99:33 | username | logInjectionBad.js:72:23:72:29 | req.url | logInjectionBad.js:99:26:99:33 | username | $@ flows to log entry. | logInjectionBad.js:72:23:72:29 | req.url | User-provided value |
| logInjectionBad.js:113:37:113:44 | username | logInjectionBad.js:72:23:72:29 | req.url | logInjectionBad.js:113:37:113:44 | username | $@ flows to log entry. | logInjectionBad.js:72:23:72:29 | req.url | User-provided value |


@@ -58,12 +58,20 @@ const server2 = http.createServer((req, res) => {
console.log(stripAnsi(chalk.underline.bgBlue(username))); // NOT OK
});
const pino = require('pino')()
var prettyjson = require('prettyjson');
const server3 = http.createServer((req, res) => {
let q = url.parse(req.url, true);
let username = q.query.username;
console.log(prettyjson.render(username)); // NOT OK
});
const pino = require('pino')()
const server4 = http.createServer((req, res) => {
let q = url.parse(req.url, true);
let username = q.query.username;
pino.info(username); // NOT OK
function fastify() {