hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-30 03:05:15 +02:00
Code Issues Packages Projects Releases Wiki Activity

recognize barrier guard where the result is stored in a variable

Browse Source
This commit is contained in:
Erik Krogh Kristensen
2020-05-27 20:25:43 +02:00
parent 562a38cdd5
commit 1a2db10a90
2 changed files with 18 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
javascript/ql/src/semmle/javascript/dataflow/Configuration.qll
View File

@@ -438,7 +438,7 @@ private predicate barrierGuardBlocksNode(BarrierGuardNode guard, DataFlow::Node
barrierGuardIsRelevant(guard) and
exists(AccessPath p, BasicBlock bb, ConditionGuardNode cond, boolean outcome |
nd = DataFlow::valueNode(p.getAnInstanceIn(bb)) and
guard.getEnclosingExpr() = cond.getTest() and
(guard.getEnclosingExpr() = cond.getTest() or guard = cond.getTest().flow().getALocalSource()) and
outcome = cond.getOutcome() and
barrierGuardBlocksAccessPath(guard, outcome, p, label) and
cond.dominates(bb)

17
javascript/ql/test/query-tests/Security/CWE-079/ReflectedXssGood.js
View File

@@ -68,3 +68,20 @@ app.get('/user/:id', function(req, res) {
res.send(escapeHtml1(url)); // OK
});
const matchHtmlRegExp = /["'&<>]/;
function escapeHtml2 (string) {
const str = '' + string;
const match = matchHtmlRegExp.exec(str);
if (!match) {
return str;
}
}
app.get('/user/:id', function(req, res) {
const url = req.params.id;
res.send(escapeHtml2(url)); // OK
});