JS: Add test case for RequestForgery with url wrapped via package URL

2026-04-26 17:25:19 +02:00 · 2025-05-26 15:56:19 +02:00
parent a519eabd4d
commit 19cc3e335f
1 changed files with 9 additions and 0 deletions
--- a/javascript/ql/test/query-tests/Security/CWE-918/serverSide.js
+++ b/javascript/ql/test/query-tests/Security/CWE-918/serverSide.js
@@ -133,3 +133,12 @@ var server2 = http.createServer(function(req, res) {
    var myEncodedUrl = `${something}/bla/${encodeURIComponent(tainted)}`; 
    axios.get(myEncodedUrl);
 })
+
+var server2 = http.createServer(function(req, res) {
+  const { URL } = require('url'); 
+  const input = req.query.url; // $MISSING:Source[js/request-forgery]
+  const target = new URL(input);
+  axios.get(target.toString()); // $MISSING:Alert[js/request-forgery]
+  axios.get(target); // $MISSING:Alert[js/request-forgery]
+  axios.get(target.href); // $MISSING:Alert[js/request-forgery]
+});