Merge pull request #18089 from Napalys/napalys/regexp-unknown-flags
JS: RegExp unknown flags support and enhanced compatibility with RegExp objects
@@ -0,0 +1,6 @@
|
||||
---
|
||||
category: majorAnalysis
|
||||
---
|
||||
* The `js/incomplete-sanitization` query now also checks regular expressions constructed using `new RegExp(..)`. Previously it only checked regular expression literals.
|
||||
* Regular expression-based sanitisers implemented with `new RegExp(..)` are now detected in more cases.
|
||||
* Regular expression related queries now account for unknown flags.
|
||||
@@ -117,6 +117,12 @@ class StringReplaceCall extends DataFlow::MethodCallNode {
|
||||
*/
|
||||
predicate isGlobal() { this.getRegExp().isGlobal() or this.getMethodName() = "replaceAll" }
|
||||
|
||||
/**
|
||||
* Holds if this is a global replacement, that is, the first argument is a regular expression
|
||||
* with the `g` flag or unknown flags, or this is a call to `.replaceAll()`.
|
||||
*/
|
||||
predicate maybeGlobal() { this.getRegExp().maybeGlobal() or this.getMethodName() = "replaceAll" }
|
||||
|
||||
/**
|
||||
* Holds if this call to `replace` replaces `old` with `new`.
|
||||
*/
|
||||
|
||||
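Review bot: The QLDoc added above `maybeGlobal` states the property unconditionally — "Holds if this is a global replacement" — while the body, through `this.getRegExp().maybeGlobal()`, also holds when the flags of the regular expression are unknown, so the predicate is an over-approximation and the doc should say so. Suggest `* Holds if this may be a global replacement, that is, the first argument is a regular expression` as the first doc line, so that callers using this as a barrier condition know it can hold for a replace that is not in fact global. The enclosing class `StringReplaceCall` starts and ends outside the hunk.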
@@ -1685,6 +1685,9 @@ class RegExpCreationNode extends DataFlow::SourceNode {
|
||||
/** Holds if the constructed predicate has the `g` flag. */
|
||||
predicate isGlobal() { RegExp::isGlobal(this.getFlags()) }
|
||||
|
||||
/** Holds if the constructed predicate has the `g` flag or unknown flags. */
|
||||
predicate maybeGlobal() { RegExp::maybeGlobal(this.tryGetFlags()) }
|
||||
|
||||
/** Gets a data flow node referring to this regular expression. */
|
||||
private DataFlow::SourceNode getAReference(DataFlow::TypeTracker t) {
|
||||
t.start() and
|
||||
|
||||
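Review bot: The new QLDoc line "Holds if the constructed predicate has the `g` flag or unknown flags." copies the wording of the `isGlobal` doc directly above it, but what is constructed is a regular expression, not a predicate; suggest `/** Holds if the constructed regular expression has the `g` flag or unknown flags. */`. It would also help to say what "unknown flags" means here — presumably `tryGetFlags()` yields something that `RegExp::maybeGlobal` treats as unknown, but neither definition is visible in this hunk, so a short pointer to them in the doc would save the reader a lookup. The enclosing class `RegExpCreationNode` starts and ends outside the hunk.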
@@ -74,7 +74,7 @@ private StringReplaceCall getAStringReplaceMethodCall(StringReplaceCall n) {
|
||||
module HtmlSanitization {
|
||||
private predicate fixedGlobalReplacement(StringReplaceCallSequence chain) {
|
||||
forall(StringReplaceCall member | member = chain.getAMember() |
|
||||
member.isGlobal() and member.getArgument(0) instanceof DataFlow::RegExpLiteralNode
|
||||
member.maybeGlobal() and member.getArgument(0) instanceof DataFlow::RegExpCreationNode
|
||||
)
|
||||
}
|
||||
|
||||
|
||||
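Review bot: `fixedGlobalReplacement` now accepts a chain member as a fixed global replacement when `member.maybeGlobal()` holds, which by the doc introduced with that predicate also holds when the flags of a `new RegExp(..)` cannot be determined; since this predicate decides whether a replace chain counts as a sanitizer, a non-global replace with unresolvable flags is now treated as fixed, trading false positives for possible false negatives. The same widening from `isGlobal()` to `maybeGlobal()` appears in the `CleartextLogging` `MaskingReplacer`, the prototype-pollution `Configuration`, the `RegExpInjection` and `Shared` `MetacharEscapeSanitizer` classes, the first `TaintedPath` hunk and the `UnsafeShellCommandConstruction` `ReplaceQuotesSanitizer`. If this precision trade-off is intended, record it once where it is first made, e.g. `// Unknown flags are treated as possibly global: a replace whose flags cannot be seen is assumed to sanitize rather than be flagged.` above the `forall`, so that later readers do not "tighten" one sanitizer and not the others. `HtmlSanitization` continues outside the hunk.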
@@ -36,9 +36,12 @@ module CleartextLogging {
|
||||
*/
|
||||
class MaskingReplacer extends Barrier, StringReplaceCall {
|
||||
MaskingReplacer() {
|
||||
this.isGlobal() and
|
||||
this.maybeGlobal() and
|
||||
exists(this.getRawReplacement().getStringValue()) and
|
||||
any(RegExpDot term).getLiteral() = this.getRegExp().asExpr()
|
||||
exists(DataFlow::RegExpCreationNode regexpObj |
|
||||
this.(StringReplaceCall).getRegExp() = regexpObj and
|
||||
regexpObj.getRoot() = any(RegExpDot term).getRootTerm()
|
||||
)
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
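Review bot: The new `exists(DataFlow::RegExpCreationNode regexpObj | ...)` block casts `this.(StringReplaceCall).getRegExp()`, but `MaskingReplacer` already extends `StringReplaceCall` and the line it replaces called `this.getRegExp()` without a cast, so the cast is redundant; `this.getRegExp() = regexpObj and` matches the style of the surrounding conjuncts (`this.maybeGlobal()`, `this.getRawReplacement()`). Keeping the `exists` itself is fine, since binding `regexpObj` is what restricts the call to a `RegExpCreationNode` before `getRoot()` is used. The enclosing module `CleartextLogging` starts outside the hunk.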
@@ -46,7 +46,7 @@ class Configuration extends TaintTracking::Configuration {
|
||||
// Replacing with "_" is likely to be exploitable
|
||||
not replace.getRawReplacement().getStringValue() = "_" and
|
||||
(
|
||||
replace.isGlobal()
|
||||
replace.maybeGlobal()
|
||||
or
|
||||
// Non-global replace with a non-empty string can also prevent __proto__ by
|
||||
// inserting a chunk of text that doesn't fit anywhere in __proto__
|
||||
|
||||
@@ -76,7 +76,7 @@ module RegExpInjection {
|
||||
*/
|
||||
class MetacharEscapeSanitizer extends Sanitizer, StringReplaceCall {
|
||||
MetacharEscapeSanitizer() {
|
||||
this.isGlobal() and
|
||||
this.maybeGlobal() and
|
||||
(
|
||||
RegExp::alwaysMatchesMetaCharacter(this.getRegExp().getRoot(), ["{", "[", "+"])
|
||||
or
|
||||
|
||||
@@ -221,10 +221,10 @@ module TaintedPath {
|
||||
this instanceof StringReplaceCall and
|
||||
input = this.getReceiver() and
|
||||
output = this and
|
||||
not exists(RegExpLiteral literal, RegExpTerm term |
|
||||
this.(StringReplaceCall).getRegExp().asExpr() = literal and
|
||||
this.(StringReplaceCall).isGlobal() and
|
||||
literal.getRoot() = term
|
||||
not exists(DataFlow::RegExpCreationNode regexp, RegExpTerm term |
|
||||
this.(StringReplaceCall).getRegExp() = regexp and
|
||||
this.(StringReplaceCall).maybeGlobal() and
|
||||
regexp.getRoot() = term
|
||||
|
|
||||
term.getAMatchedString() = "/" or
|
||||
term.getAMatchedString() = "." or
|
||||
@@ -305,9 +305,9 @@ module TaintedPath {
|
||||
input = this.getReceiver() and
|
||||
output = this and
|
||||
this.isGlobal() and
|
||||
exists(RegExpLiteral literal, RegExpTerm term |
|
||||
this.getRegExp().asExpr() = literal and
|
||||
literal.getRoot() = term and
|
||||
exists(DataFlow::RegExpCreationNode regexp, RegExpTerm term |
|
||||
this.getRegExp() = regexp and
|
||||
regexp.getRoot() = term and
|
||||
not term.getAMatchedString() = "/"
|
||||
|
|
||||
term.getAMatchedString() = "." or
|
||||
|
||||
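Review bot: The unchanged context line `this.isGlobal() and` still requires a definitely-global regular expression, while the parallel `not exists(...)` in the previous `TaintedPath` hunk was switched to `this.(StringReplaceCall).maybeGlobal()`, so a `new RegExp(..)` with unknown flags is treated as sanitizing by one predicate and not recognized by this one. If the asymmetry is deliberate — this predicate appears to select a replacement as a step in its own right, where over-approximating globality could be unsound — a comment such as `// isGlobal, not maybeGlobal: unknown flags must not promote this replace to a sanitizing step` would stop the next reader from "fixing" it; otherwise it should become `this.maybeGlobal() and` for consistency. The enclosing class starts and ends outside the hunk.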
@@ -245,7 +245,7 @@ module UnsafeShellCommandConstruction {
|
||||
class ReplaceQuotesSanitizer extends Sanitizer, StringReplaceCall {
|
||||
ReplaceQuotesSanitizer() {
|
||||
this.getAReplacedString() = "'" and
|
||||
this.isGlobal() and
|
||||
this.maybeGlobal() and
|
||||
this.getRawReplacement().mayHaveStringValue(["'\\''", ""])
|
||||
}
|
||||
}
|
||||
|
||||
@@ -36,7 +36,7 @@ module Shared {
|
||||
*/
|
||||
class MetacharEscapeSanitizer extends Sanitizer, StringReplaceCall {
|
||||
MetacharEscapeSanitizer() {
|
||||
this.isGlobal() and
|
||||
this.maybeGlobal() and
|
||||
(
|
||||
RegExp::alwaysMatchesMetaCharacter(this.getRegExp().getRoot(), ["<", "'", "\""])
|
||||
or
|
||||
|
||||
@@ -23,7 +23,7 @@ string metachar() { result = "'\"\\&<>\n\r\t*|{}[]%$".charAt(_) }
|
||||
|
||||
/** Gets a string matched by `e` in a `replace` call. */
|
||||
string getAMatchedString(DataFlow::Node e) {
|
||||
result = e.(DataFlow::RegExpLiteralNode).getRoot().getAMatchedString()
|
||||
result = e.(DataFlow::RegExpCreationNode).getRoot().getAMatchedString()
|
||||
or
|
||||
result = e.getStringValue()
|
||||
}
|
||||
@@ -52,8 +52,8 @@ predicate isSimpleAlt(RegExpAlt t) { forall(RegExpTerm ch | ch = t.getAChild() |
|
||||
* Holds if `mce` is of the form `x.replace(re, new)`, where `re` is a global
|
||||
* regular expression and `new` prefixes the matched string with a backslash.
|
||||
*/
|
||||
predicate isBackslashEscape(StringReplaceCall mce, DataFlow::RegExpLiteralNode re) {
|
||||
mce.isGlobal() and
|
||||
predicate isBackslashEscape(StringReplaceCall mce, DataFlow::RegExpCreationNode re) {
|
||||
mce.maybeGlobal() and
|
||||
re = mce.getRegExp() and
|
||||
(
|
||||
// replacement with `\$&`, `\$1` or similar
|
||||
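Review bot: The QLDoc above `isBackslashEscape` still says `re` is "a global regular expression", but the body now requires only `mce.maybeGlobal()`, which also holds for unknown flags, so the doc understates when the predicate holds; suggest `* Holds if `mce` is of the form `x.replace(re, new)`, where `re` is a global (or possibly global)` as the first doc line. Since `allBackslashesEscaped` in the next hunk treats a match of this predicate as proof that backslashes are escaped, an unknown-flag, non-global replace now counts as a complete escape, which is the optimistic direction for a sanitizer check and deserves a sentence in the doc as well. The doc comment opens outside the hunk.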
@@ -72,7 +72,7 @@ predicate allBackslashesEscaped(DataFlow::Node nd) {
|
||||
nd instanceof JsonStringifyCall
|
||||
or
|
||||
// check whether `nd` itself escapes backslashes
|
||||
exists(DataFlow::RegExpLiteralNode rel | isBackslashEscape(nd, rel) |
|
||||
exists(DataFlow::RegExpCreationNode rel | isBackslashEscape(nd, rel) |
|
||||
// if it's a complex regexp, we conservatively assume that it probably escapes backslashes
|
||||
not isSimple(rel.getRoot()) or
|
||||
getAMatchedString(rel) = "\\"
|
||||
@@ -143,12 +143,21 @@ predicate whitelistedRemoval(StringReplaceCall repl) {
|
||||
)
|
||||
}
|
||||
|
||||
/**
|
||||
* Gets a nice string representation of the pattern or value of the node.
|
||||
*/
|
||||
string getPatternOrValueString(DataFlow::Node node) {
|
||||
if node instanceof DataFlow::RegExpConstructorInvokeNode
|
||||
then result = "/" + node.(DataFlow::RegExpConstructorInvokeNode).getRoot() + "/"
|
||||
else result = node.toString()
|
||||
}
|
||||
|
||||
from StringReplaceCall repl, DataFlow::Node old, string msg
|
||||
where
|
||||
(old = repl.getArgument(0) or old = repl.getRegExp()) and
|
||||
(
|
||||
not repl.isGlobal() and
|
||||
msg = "This replaces only the first occurrence of " + old + "." and
|
||||
not repl.maybeGlobal() and
|
||||
msg = "This replaces only the first occurrence of " + getPatternOrValueString(old) + "." and
|
||||
// only flag if this is likely to be a sanitizer or URL encoder or decoder
|
||||
exists(string m | m = getAMatchedString(old) |
|
||||
// sanitizer
|
||||
|
||||
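Review bot: `getPatternOrValueString` renders a `RegExpConstructorInvokeNode` as `"/" + root + "/"`, dropping the flags argument, and the QLDoc "Gets a nice string representation of the pattern or value of the node." does not say so; suggest `* Gets a string representation of `node`: `/pattern/` (flags omitted) for a `new RegExp(..)` call, otherwise `node.toString()`.`. Because the result is spliced into the alert message `This replaces only the first occurrence of ...`, a reader of the alert cannot tell whether a flags argument was present at all, which is acceptable for this query but should be stated where the message is built. The `where` clause continues outside the hunk.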
@@ -65,8 +65,8 @@ predicate isCaseSensitiveMiddleware(
|
||||
arg = call.getArgument(0) and
|
||||
regexp.getAReference().flowsTo(arg) and
|
||||
exists(string flags |
|
||||
flags = regexp.getFlags() and
|
||||
not RegExp::isIgnoreCase(flags)
|
||||
flags = regexp.tryGetFlags() and
|
||||
not RegExp::maybeIgnoreCase(flags)
|
||||
)
|
||||
)
|
||||
}
|
||||
|
||||
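Review bot: The rewritten `exists(string flags | flags = regexp.tryGetFlags() and not RegExp::maybeIgnoreCase(flags))` holds only when `tryGetFlags()` binds a value; if it has no result for a regexp whose flags are not constant (its definition is not visible in this hunk), the `exists` is false and the middleware is silently not reported, which is the same outcome as `maybeIgnoreCase` holding for an unknown-flags sentinel but reached by a different route. A one-line comment stating which of the two happens, e.g. `// tryGetFlags() has no result for non-constant flags, so such middleware is not reported` or the sentinel equivalent, would make the intent checkable against the helper. `isCaseSensitiveMiddleware` starts outside the hunk.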
@@ -1517,6 +1517,207 @@ nodes
|
||||
| TaintedPath.js:198:35:198:38 | path |
|
||||
| TaintedPath.js:198:35:198:38 | path |
|
||||
| TaintedPath.js:198:35:198:38 | path |
|
||||
| TaintedPath.js:202:7:202:48 | path |
|
||||
| TaintedPath.js:202:7:202:48 | path |
|
||||
| TaintedPath.js:202:7:202:48 | path |
|
||||
| TaintedPath.js:202:7:202:48 | path |
|
||||
| TaintedPath.js:202:7:202:48 | path |
|
||||
| TaintedPath.js:202:7:202:48 | path |
|
||||
| TaintedPath.js:202:7:202:48 | path |
|
||||
| TaintedPath.js:202:7:202:48 | path |
|
||||
| TaintedPath.js:202:7:202:48 | path |
|
||||
| TaintedPath.js:202:7:202:48 | path |
|
||||
| TaintedPath.js:202:7:202:48 | path |
|
||||
| TaintedPath.js:202:7:202:48 | path |
|
||||
| TaintedPath.js:202:7:202:48 | path |
|
||||
| TaintedPath.js:202:7:202:48 | path |
|
||||
| TaintedPath.js:202:7:202:48 | path |
|
||||
| TaintedPath.js:202:7:202:48 | path |
|
||||
| TaintedPath.js:202:14:202:37 | url.par ... , true) |
|
||||
| TaintedPath.js:202:14:202:37 | url.par ... , true) |
|
||||
| TaintedPath.js:202:14:202:37 | url.par ... , true) |
|
||||
| TaintedPath.js:202:14:202:37 | url.par ... , true) |
|
||||
| TaintedPath.js:202:14:202:37 | url.par ... , true) |
|
||||
| TaintedPath.js:202:14:202:37 | url.par ... , true) |
|
||||
| TaintedPath.js:202:14:202:37 | url.par ... , true) |
|
||||
| TaintedPath.js:202:14:202:37 | url.par ... , true) |
|
||||
| TaintedPath.js:202:14:202:37 | url.par ... , true) |
|
||||
| TaintedPath.js:202:14:202:37 | url.par ... , true) |
|
||||
| TaintedPath.js:202:14:202:37 | url.par ... , true) |
|
||||
| TaintedPath.js:202:14:202:37 | url.par ... , true) |
|
||||
| TaintedPath.js:202:14:202:37 | url.par ... , true) |
|
||||
| TaintedPath.js:202:14:202:37 | url.par ... , true) |
|
||||
| TaintedPath.js:202:14:202:37 | url.par ... , true) |
|
||||
| TaintedPath.js:202:14:202:37 | url.par ... , true) |
|
||||
| TaintedPath.js:202:14:202:43 | url.par ... ).query |
|
||||
| TaintedPath.js:202:14:202:43 | url.par ... ).query |
|
||||
| TaintedPath.js:202:14:202:43 | url.par ... ).query |
|
||||
| TaintedPath.js:202:14:202:43 | url.par ... ).query |
|
||||
| TaintedPath.js:202:14:202:43 | url.par ... ).query |
|
||||
| TaintedPath.js:202:14:202:43 | url.par ... ).query |
|
||||
| TaintedPath.js:202:14:202:43 | url.par ... ).query |
|
||||
| TaintedPath.js:202:14:202:43 | url.par ... ).query |
|
||||
| TaintedPath.js:202:14:202:43 | url.par ... ).query |
|
||||
| TaintedPath.js:202:14:202:43 | url.par ... ).query |
|
||||
| TaintedPath.js:202:14:202:43 | url.par ... ).query |
|
||||
| TaintedPath.js:202:14:202:43 | url.par ... ).query |
|
||||
| TaintedPath.js:202:14:202:43 | url.par ... ).query |
|
||||
| TaintedPath.js:202:14:202:43 | url.par ... ).query |
|
||||
| TaintedPath.js:202:14:202:43 | url.par ... ).query |
|
||||
| TaintedPath.js:202:14:202:43 | url.par ... ).query |
|
||||
| TaintedPath.js:202:14:202:48 | url.par ... ry.path |
|
||||
| TaintedPath.js:202:14:202:48 | url.par ... ry.path |
|
||||
| TaintedPath.js:202:14:202:48 | url.par ... ry.path |
|
||||
| TaintedPath.js:202:14:202:48 | url.par ... ry.path |
|
||||
| TaintedPath.js:202:14:202:48 | url.par ... ry.path |
|
||||
| TaintedPath.js:202:14:202:48 | url.par ... ry.path |
|
||||
| TaintedPath.js:202:14:202:48 | url.par ... ry.path |
|
||||
| TaintedPath.js:202:14:202:48 | url.par ... ry.path |
|
||||
| TaintedPath.js:202:14:202:48 | url.par ... ry.path |
|
||||
| TaintedPath.js:202:14:202:48 | url.par ... ry.path |
|
||||
| TaintedPath.js:202:14:202:48 | url.par ... ry.path |
|
||||
| TaintedPath.js:202:14:202:48 | url.par ... ry.path |
|
||||
| TaintedPath.js:202:14:202:48 | url.par ... ry.path |
|
||||
| TaintedPath.js:202:14:202:48 | url.par ... ry.path |
|
||||
| TaintedPath.js:202:14:202:48 | url.par ... ry.path |
|
||||
| TaintedPath.js:202:14:202:48 | url.par ... ry.path |
|
||||
| TaintedPath.js:202:24:202:30 | req.url |
|
||||
| TaintedPath.js:202:24:202:30 | req.url |
|
||||
| TaintedPath.js:202:24:202:30 | req.url |
|
||||
| TaintedPath.js:202:24:202:30 | req.url |
|
||||
| TaintedPath.js:202:24:202:30 | req.url |
|
||||
| TaintedPath.js:206:29:206:32 | path |
|
||||
| TaintedPath.js:206:29:206:32 | path |
|
||||
| TaintedPath.js:206:29:206:32 | path |
|
||||
| TaintedPath.js:206:29:206:32 | path |
|
||||
| TaintedPath.js:206:29:206:32 | path |
|
||||
| TaintedPath.js:206:29:206:32 | path |
|
||||
| TaintedPath.js:206:29:206:32 | path |
|
||||
| TaintedPath.js:206:29:206:32 | path |
|
||||
| TaintedPath.js:206:29:206:32 | path |
|
||||
| TaintedPath.js:206:29:206:32 | path |
|
||||
| TaintedPath.js:206:29:206:32 | path |
|
||||
| TaintedPath.js:206:29:206:32 | path |
|
||||
| TaintedPath.js:206:29:206:32 | path |
|
||||
| TaintedPath.js:206:29:206:32 | path |
|
||||
| TaintedPath.js:206:29:206:32 | path |
|
||||
| TaintedPath.js:206:29:206:32 | path |
|
||||
| TaintedPath.js:206:29:206:85 | path.re ... '), '') |
|
||||
| TaintedPath.js:206:29:206:85 | path.re ... '), '') |
|
||||
| TaintedPath.js:206:29:206:85 | path.re ... '), '') |
|
||||
| TaintedPath.js:206:29:206:85 | path.re ... '), '') |
|
||||
| TaintedPath.js:206:29:206:85 | path.re ... '), '') |
|
||||
| TaintedPath.js:206:29:206:85 | path.re ... '), '') |
|
||||
| TaintedPath.js:206:29:206:85 | path.re ... '), '') |
|
||||
| TaintedPath.js:206:29:206:85 | path.re ... '), '') |
|
||||
| TaintedPath.js:206:29:206:85 | path.re ... '), '') |
|
||||
| TaintedPath.js:206:29:206:85 | path.re ... '), '') |
|
||||
| TaintedPath.js:206:29:206:85 | path.re ... '), '') |
|
||||
| TaintedPath.js:206:29:206:85 | path.re ... '), '') |
|
||||
| TaintedPath.js:206:29:206:85 | path.re ... '), '') |
|
||||
| TaintedPath.js:206:29:206:85 | path.re ... '), '') |
|
||||
| TaintedPath.js:206:29:206:85 | path.re ... '), '') |
|
||||
| TaintedPath.js:206:29:206:85 | path.re ... '), '') |
|
||||
| TaintedPath.js:206:29:206:85 | path.re ... '), '') |
|
||||
| TaintedPath.js:211:7:211:48 | path |
|
||||
| TaintedPath.js:211:7:211:48 | path |
|
||||
| TaintedPath.js:211:7:211:48 | path |
|
||||
| TaintedPath.js:211:7:211:48 | path |
|
||||
| TaintedPath.js:211:7:211:48 | path |
|
||||
| TaintedPath.js:211:7:211:48 | path |
|
||||
| TaintedPath.js:211:7:211:48 | path |
|
||||
| TaintedPath.js:211:7:211:48 | path |
|
||||
| TaintedPath.js:211:7:211:48 | path |
|
||||
| TaintedPath.js:211:7:211:48 | path |
|
||||
| TaintedPath.js:211:7:211:48 | path |
|
||||
| TaintedPath.js:211:7:211:48 | path |
|
||||
| TaintedPath.js:211:7:211:48 | path |
|
||||
| TaintedPath.js:211:7:211:48 | path |
|
||||
| TaintedPath.js:211:7:211:48 | path |
|
||||
| TaintedPath.js:211:7:211:48 | path |
|
||||
| TaintedPath.js:211:14:211:37 | url.par ... , true) |
|
||||
| TaintedPath.js:211:14:211:37 | url.par ... , true) |
|
||||
| TaintedPath.js:211:14:211:37 | url.par ... , true) |
|
||||
| TaintedPath.js:211:14:211:37 | url.par ... , true) |
|
||||
| TaintedPath.js:211:14:211:37 | url.par ... , true) |
|
||||
| TaintedPath.js:211:14:211:37 | url.par ... , true) |
|
||||
| TaintedPath.js:211:14:211:37 | url.par ... , true) |
|
||||
| TaintedPath.js:211:14:211:37 | url.par ... , true) |
|
||||
| TaintedPath.js:211:14:211:37 | url.par ... , true) |
|
||||
| TaintedPath.js:211:14:211:37 | url.par ... , true) |
|
||||
| TaintedPath.js:211:14:211:37 | url.par ... , true) |
|
||||
| TaintedPath.js:211:14:211:37 | url.par ... , true) |
|
||||
| TaintedPath.js:211:14:211:37 | url.par ... , true) |
|
||||
| TaintedPath.js:211:14:211:37 | url.par ... , true) |
|
||||
| TaintedPath.js:211:14:211:37 | url.par ... , true) |
|
||||
| TaintedPath.js:211:14:211:37 | url.par ... , true) |
|
||||
| TaintedPath.js:211:14:211:43 | url.par ... ).query |
|
||||
| TaintedPath.js:211:14:211:43 | url.par ... ).query |
|
||||
| TaintedPath.js:211:14:211:43 | url.par ... ).query |
|
||||
| TaintedPath.js:211:14:211:43 | url.par ... ).query |
|
||||
| TaintedPath.js:211:14:211:43 | url.par ... ).query |
|
||||
| TaintedPath.js:211:14:211:43 | url.par ... ).query |
|
||||
| TaintedPath.js:211:14:211:43 | url.par ... ).query |
|
||||
| TaintedPath.js:211:14:211:43 | url.par ... ).query |
|
||||
| TaintedPath.js:211:14:211:43 | url.par ... ).query |
|
||||
| TaintedPath.js:211:14:211:43 | url.par ... ).query |
|
||||
| TaintedPath.js:211:14:211:43 | url.par ... ).query |
|
||||
| TaintedPath.js:211:14:211:43 | url.par ... ).query |
|
||||
| TaintedPath.js:211:14:211:43 | url.par ... ).query |
|
||||
| TaintedPath.js:211:14:211:43 | url.par ... ).query |
|
||||
| TaintedPath.js:211:14:211:43 | url.par ... ).query |
|
||||
| TaintedPath.js:211:14:211:43 | url.par ... ).query |
|
||||
| TaintedPath.js:211:14:211:48 | url.par ... ry.path |
|
||||
| TaintedPath.js:211:14:211:48 | url.par ... ry.path |
|
||||
| TaintedPath.js:211:14:211:48 | url.par ... ry.path |
|
||||
| TaintedPath.js:211:14:211:48 | url.par ... ry.path |
|
||||
| TaintedPath.js:211:14:211:48 | url.par ... ry.path |
|
||||
| TaintedPath.js:211:14:211:48 | url.par ... ry.path |
|
||||
| TaintedPath.js:211:14:211:48 | url.par ... ry.path |
|
||||
| TaintedPath.js:211:14:211:48 | url.par ... ry.path |
|
||||
| TaintedPath.js:211:14:211:48 | url.par ... ry.path |
|
||||
| TaintedPath.js:211:14:211:48 | url.par ... ry.path |
|
||||
| TaintedPath.js:211:14:211:48 | url.par ... ry.path |
|
||||
| TaintedPath.js:211:14:211:48 | url.par ... ry.path |
|
||||
| TaintedPath.js:211:14:211:48 | url.par ... ry.path |
|
||||
| TaintedPath.js:211:14:211:48 | url.par ... ry.path |
|
||||
| TaintedPath.js:211:14:211:48 | url.par ... ry.path |
|
||||
| TaintedPath.js:211:14:211:48 | url.par ... ry.path |
|
||||
| TaintedPath.js:211:24:211:30 | req.url |
|
||||
| TaintedPath.js:211:24:211:30 | req.url |
|
||||
| TaintedPath.js:211:24:211:30 | req.url |
|
||||
| TaintedPath.js:211:24:211:30 | req.url |
|
||||
| TaintedPath.js:211:24:211:30 | req.url |
|
||||
| TaintedPath.js:213:29:213:32 | path |
|
||||
| TaintedPath.js:213:29:213:32 | path |
|
||||
| TaintedPath.js:213:29:213:32 | path |
|
||||
| TaintedPath.js:213:29:213:32 | path |
|
||||
| TaintedPath.js:213:29:213:32 | path |
|
||||
| TaintedPath.js:213:29:213:32 | path |
|
||||
| TaintedPath.js:213:29:213:32 | path |
|
||||
| TaintedPath.js:213:29:213:32 | path |
|
||||
| TaintedPath.js:213:29:213:68 | path.re ... '), '') |
|
||||
| TaintedPath.js:213:29:213:68 | path.re ... '), '') |
|
||||
| TaintedPath.js:213:29:213:68 | path.re ... '), '') |
|
||||
| TaintedPath.js:213:29:213:68 | path.re ... '), '') |
|
||||
| TaintedPath.js:213:29:213:68 | path.re ... '), '') |
|
||||
| TaintedPath.js:216:31:216:34 | path |
|
||||
| TaintedPath.js:216:31:216:34 | path |
|
||||
| TaintedPath.js:216:31:216:34 | path |
|
||||
| TaintedPath.js:216:31:216:34 | path |
|
||||
| TaintedPath.js:216:31:216:34 | path |
|
||||
| TaintedPath.js:216:31:216:34 | path |
|
||||
| TaintedPath.js:216:31:216:34 | path |
|
||||
| TaintedPath.js:216:31:216:34 | path |
|
||||
| TaintedPath.js:216:31:216:69 | path.re ... '), '') |
|
||||
| TaintedPath.js:216:31:216:69 | path.re ... '), '') |
|
||||
| TaintedPath.js:216:31:216:69 | path.re ... '), '') |
|
||||
| TaintedPath.js:216:31:216:69 | path.re ... '), '') |
|
||||
| TaintedPath.js:216:31:216:69 | path.re ... '), '') |
|
||||
| TaintedPath.js:216:31:216:69 | path.re ... '), '') |
|
||||
| TaintedPath.js:216:31:216:69 | path.re ... '), '') |
|
||||
| TaintedPath.js:216:31:216:69 | path.re ... '), '') |
|
||||
| TaintedPath.js:216:31:216:69 | path.re ... '), '') |
|
||||
| examples/TaintedPath.js:8:7:8:52 | filePath |
|
||||
| examples/TaintedPath.js:8:7:8:52 | filePath |
|
||||
| examples/TaintedPath.js:8:7:8:52 | filePath |
|
||||
@@ -6680,6 +6881,262 @@ edges
|
||||
| TaintedPath.js:195:24:195:30 | req.url | TaintedPath.js:195:14:195:37 | url.par ... , true) |
|
||||
| TaintedPath.js:195:24:195:30 | req.url | TaintedPath.js:195:14:195:37 | url.par ... , true) |
|
||||
| TaintedPath.js:195:24:195:30 | req.url | TaintedPath.js:195:14:195:37 | url.par ... , true) |
|
||||
| TaintedPath.js:202:7:202:48 | path | TaintedPath.js:206:29:206:32 | path |
|
||||
| TaintedPath.js:202:7:202:48 | path | TaintedPath.js:206:29:206:32 | path |
|
||||
| TaintedPath.js:202:7:202:48 | path | TaintedPath.js:206:29:206:32 | path |
|
||||
| TaintedPath.js:202:7:202:48 | path | TaintedPath.js:206:29:206:32 | path |
|
||||
| TaintedPath.js:202:7:202:48 | path | TaintedPath.js:206:29:206:32 | path |
|
||||
| TaintedPath.js:202:7:202:48 | path | TaintedPath.js:206:29:206:32 | path |
|
||||
| TaintedPath.js:202:7:202:48 | path | TaintedPath.js:206:29:206:32 | path |
|
||||
| TaintedPath.js:202:7:202:48 | path | TaintedPath.js:206:29:206:32 | path |
|
||||
| TaintedPath.js:202:7:202:48 | path | TaintedPath.js:206:29:206:32 | path |
|
||||
| TaintedPath.js:202:7:202:48 | path | TaintedPath.js:206:29:206:32 | path |
|
||||
| TaintedPath.js:202:7:202:48 | path | TaintedPath.js:206:29:206:32 | path |
|
||||
| TaintedPath.js:202:7:202:48 | path | TaintedPath.js:206:29:206:32 | path |
|
||||
| TaintedPath.js:202:7:202:48 | path | TaintedPath.js:206:29:206:32 | path |
|
||||
| TaintedPath.js:202:7:202:48 | path | TaintedPath.js:206:29:206:32 | path |
|
||||
| TaintedPath.js:202:7:202:48 | path | TaintedPath.js:206:29:206:32 | path |
|
||||
| TaintedPath.js:202:7:202:48 | path | TaintedPath.js:206:29:206:32 | path |
|
||||
| TaintedPath.js:202:14:202:37 | url.par ... , true) | TaintedPath.js:202:14:202:43 | url.par ... ).query |
|
||||
| TaintedPath.js:202:14:202:37 | url.par ... , true) | TaintedPath.js:202:14:202:43 | url.par ... ).query |
|
||||
| TaintedPath.js:202:14:202:37 | url.par ... , true) | TaintedPath.js:202:14:202:43 | url.par ... ).query |
|
||||
| TaintedPath.js:202:14:202:37 | url.par ... , true) | TaintedPath.js:202:14:202:43 | url.par ... ).query |
|
||||
| TaintedPath.js:202:14:202:37 | url.par ... , true) | TaintedPath.js:202:14:202:43 | url.par ... ).query |
|
||||
| TaintedPath.js:202:14:202:37 | url.par ... , true) | TaintedPath.js:202:14:202:43 | url.par ... ).query |
|
||||
| TaintedPath.js:202:14:202:37 | url.par ... , true) | TaintedPath.js:202:14:202:43 | url.par ... ).query |
|
||||
| TaintedPath.js:202:14:202:37 | url.par ... , true) | TaintedPath.js:202:14:202:43 | url.par ... ).query |
|
||||
| TaintedPath.js:202:14:202:37 | url.par ... , true) | TaintedPath.js:202:14:202:43 | url.par ... ).query |
|
||||
| TaintedPath.js:202:14:202:37 | url.par ... , true) | TaintedPath.js:202:14:202:43 | url.par ... ).query |
|
||||
| TaintedPath.js:202:14:202:37 | url.par ... , true) | TaintedPath.js:202:14:202:43 | url.par ... ).query |
|
||||
| TaintedPath.js:202:14:202:37 | url.par ... , true) | TaintedPath.js:202:14:202:43 | url.par ... ).query |
|
||||
| TaintedPath.js:202:14:202:37 | url.par ... , true) | TaintedPath.js:202:14:202:43 | url.par ... ).query |
|
||||
| TaintedPath.js:202:14:202:37 | url.par ... , true) | TaintedPath.js:202:14:202:43 | url.par ... ).query |
|
||||
| TaintedPath.js:202:14:202:37 | url.par ... , true) | TaintedPath.js:202:14:202:43 | url.par ... ).query |
|
||||
| TaintedPath.js:202:14:202:37 | url.par ... , true) | TaintedPath.js:202:14:202:43 | url.par ... ).query |
|
||||
| TaintedPath.js:202:14:202:43 | url.par ... ).query | TaintedPath.js:202:14:202:48 | url.par ... ry.path |
|
||||
| TaintedPath.js:202:14:202:43 | url.par ... ).query | TaintedPath.js:202:14:202:48 | url.par ... ry.path |
|
||||
| TaintedPath.js:202:14:202:43 | url.par ... ).query | TaintedPath.js:202:14:202:48 | url.par ... ry.path |
|
||||
| TaintedPath.js:202:14:202:43 | url.par ... ).query | TaintedPath.js:202:14:202:48 | url.par ... ry.path |
|
||||
| TaintedPath.js:202:14:202:43 | url.par ... ).query | TaintedPath.js:202:14:202:48 | url.par ... ry.path |
|
||||
| TaintedPath.js:202:14:202:43 | url.par ... ).query | TaintedPath.js:202:14:202:48 | url.par ... ry.path |
|
||||
| TaintedPath.js:202:14:202:43 | url.par ... ).query | TaintedPath.js:202:14:202:48 | url.par ... ry.path |
|
||||
| TaintedPath.js:202:14:202:43 | url.par ... ).query | TaintedPath.js:202:14:202:48 | url.par ... ry.path |
|
||||
| TaintedPath.js:202:14:202:43 | url.par ... ).query | TaintedPath.js:202:14:202:48 | url.par ... ry.path |
|
||||
| TaintedPath.js:202:14:202:43 | url.par ... ).query | TaintedPath.js:202:14:202:48 | url.par ... ry.path |
|
||||
| TaintedPath.js:202:14:202:43 | url.par ... ).query | TaintedPath.js:202:14:202:48 | url.par ... ry.path |
|
||||
| TaintedPath.js:202:14:202:43 | url.par ... ).query | TaintedPath.js:202:14:202:48 | url.par ... ry.path |
|
||||
| TaintedPath.js:202:14:202:43 | url.par ... ).query | TaintedPath.js:202:14:202:48 | url.par ... ry.path |
|
||||
| TaintedPath.js:202:14:202:43 | url.par ... ).query | TaintedPath.js:202:14:202:48 | url.par ... ry.path |
|
||||
| TaintedPath.js:202:14:202:43 | url.par ... ).query | TaintedPath.js:202:14:202:48 | url.par ... ry.path |
|
||||
| TaintedPath.js:202:14:202:43 | url.par ... ).query | TaintedPath.js:202:14:202:48 | url.par ... ry.path |
|
||||
| TaintedPath.js:202:14:202:48 | url.par ... ry.path | TaintedPath.js:202:7:202:48 | path |
|
||||
| TaintedPath.js:202:14:202:48 | url.par ... ry.path | TaintedPath.js:202:7:202:48 | path |
|
||||
| TaintedPath.js:202:14:202:48 | url.par ... ry.path | TaintedPath.js:202:7:202:48 | path |
|
||||
| TaintedPath.js:202:14:202:48 | url.par ... ry.path | TaintedPath.js:202:7:202:48 | path |
|
||||
| TaintedPath.js:202:14:202:48 | url.par ... ry.path | TaintedPath.js:202:7:202:48 | path |
|
||||
| TaintedPath.js:202:14:202:48 | url.par ... ry.path | TaintedPath.js:202:7:202:48 | path |
|
||||
| TaintedPath.js:202:14:202:48 | url.par ... ry.path | TaintedPath.js:202:7:202:48 | path |
|
||||
| TaintedPath.js:202:14:202:48 | url.par ... ry.path | TaintedPath.js:202:7:202:48 | path |
|
||||
| TaintedPath.js:202:14:202:48 | url.par ... ry.path | TaintedPath.js:202:7:202:48 | path |
|
||||
| TaintedPath.js:202:14:202:48 | url.par ... ry.path | TaintedPath.js:202:7:202:48 | path |
|
||||
| TaintedPath.js:202:14:202:48 | url.par ... ry.path | TaintedPath.js:202:7:202:48 | path |
|
||||
| TaintedPath.js:202:14:202:48 | url.par ... ry.path | TaintedPath.js:202:7:202:48 | path |
|
||||
| TaintedPath.js:202:14:202:48 | url.par ... ry.path | TaintedPath.js:202:7:202:48 | path |
|
||||
| TaintedPath.js:202:14:202:48 | url.par ... ry.path | TaintedPath.js:202:7:202:48 | path |
|
||||
| TaintedPath.js:202:14:202:48 | url.par ... ry.path | TaintedPath.js:202:7:202:48 | path |
|
||||
| TaintedPath.js:202:14:202:48 | url.par ... ry.path | TaintedPath.js:202:7:202:48 | path |
|
||||
| TaintedPath.js:202:24:202:30 | req.url | TaintedPath.js:202:14:202:37 | url.par ... , true) |
|
||||
| TaintedPath.js:202:24:202:30 | req.url | TaintedPath.js:202:14:202:37 | url.par ... , true) |
|
||||
| TaintedPath.js:202:24:202:30 | req.url | TaintedPath.js:202:14:202:37 | url.par ... , true) |
|
||||
| TaintedPath.js:202:24:202:30 | req.url | TaintedPath.js:202:14:202:37 | url.par ... , true) |
|
||||
| TaintedPath.js:202:24:202:30 | req.url | TaintedPath.js:202:14:202:37 | url.par ... , true) |
|
||||
| TaintedPath.js:202:24:202:30 | req.url | TaintedPath.js:202:14:202:37 | url.par ... , true) |
|
||||
| TaintedPath.js:202:24:202:30 | req.url | TaintedPath.js:202:14:202:37 | url.par ... , true) |
|
||||
| TaintedPath.js:202:24:202:30 | req.url | TaintedPath.js:202:14:202:37 | url.par ... , true) |
|
||||
| TaintedPath.js:202:24:202:30 | req.url | TaintedPath.js:202:14:202:37 | url.par ... , true) |
|
||||
| TaintedPath.js:202:24:202:30 | req.url | TaintedPath.js:202:14:202:37 | url.par ... , true) |
|
||||
| TaintedPath.js:202:24:202:30 | req.url | TaintedPath.js:202:14:202:37 | url.par ... , true) |
|
||||
| TaintedPath.js:202:24:202:30 | req.url | TaintedPath.js:202:14:202:37 | url.par ... , true) |
|
||||
| TaintedPath.js:202:24:202:30 | req.url | TaintedPath.js:202:14:202:37 | url.par ... , true) |
|
||||
| TaintedPath.js:202:24:202:30 | req.url | TaintedPath.js:202:14:202:37 | url.par ... , true) |
|
||||
| TaintedPath.js:202:24:202:30 | req.url | TaintedPath.js:202:14:202:37 | url.par ... , true) |
|
||||
| TaintedPath.js:202:24:202:30 | req.url | TaintedPath.js:202:14:202:37 | url.par ... , true) |
|
||||
| TaintedPath.js:202:24:202:30 | req.url | TaintedPath.js:202:14:202:37 | url.par ... , true) |
|
||||
| TaintedPath.js:202:24:202:30 | req.url | TaintedPath.js:202:14:202:37 | url.par ... , true) |
|
||||
| TaintedPath.js:202:24:202:30 | req.url | TaintedPath.js:202:14:202:37 | url.par ... , true) |
|
||||
| TaintedPath.js:202:24:202:30 | req.url | TaintedPath.js:202:14:202:37 | url.par ... , true) |
|
||||
| TaintedPath.js:202:24:202:30 | req.url | TaintedPath.js:202:14:202:37 | url.par ... , true) |
|
||||
| TaintedPath.js:202:24:202:30 | req.url | TaintedPath.js:202:14:202:37 | url.par ... , true) |
|
||||
| TaintedPath.js:202:24:202:30 | req.url | TaintedPath.js:202:14:202:37 | url.par ... , true) |
|
||||
| TaintedPath.js:202:24:202:30 | req.url | TaintedPath.js:202:14:202:37 | url.par ... , true) |
|
||||
| TaintedPath.js:202:24:202:30 | req.url | TaintedPath.js:202:14:202:37 | url.par ... , true) |
|
||||
| TaintedPath.js:202:24:202:30 | req.url | TaintedPath.js:202:14:202:37 | url.par ... , true) |
|
||||
| TaintedPath.js:202:24:202:30 | req.url | TaintedPath.js:202:14:202:37 | url.par ... , true) |
|
||||
| TaintedPath.js:202:24:202:30 | req.url | TaintedPath.js:202:14:202:37 | url.par ... , true) |
|
||||
| TaintedPath.js:202:24:202:30 | req.url | TaintedPath.js:202:14:202:37 | url.par ... , true) |
|
||||
| TaintedPath.js:202:24:202:30 | req.url | TaintedPath.js:202:14:202:37 | url.par ... , true) |
|
||||
| TaintedPath.js:202:24:202:30 | req.url | TaintedPath.js:202:14:202:37 | url.par ... , true) |
|
||||
| TaintedPath.js:202:24:202:30 | req.url | TaintedPath.js:202:14:202:37 | url.par ... , true) |
|
||||
| TaintedPath.js:206:29:206:32 | path | TaintedPath.js:206:29:206:85 | path.re ... '), '') |
|
||||
| TaintedPath.js:206:29:206:32 | path | TaintedPath.js:206:29:206:85 | path.re ... '), '') |
|
||||
| TaintedPath.js:206:29:206:32 | path | TaintedPath.js:206:29:206:85 | path.re ... '), '') |
|
||||
| TaintedPath.js:206:29:206:32 | path | TaintedPath.js:206:29:206:85 | path.re ... '), '') |
|
||||
| TaintedPath.js:206:29:206:32 | path | TaintedPath.js:206:29:206:85 | path.re ... '), '') |
|
||||
| TaintedPath.js:206:29:206:32 | path | TaintedPath.js:206:29:206:85 | path.re ... '), '') |
|
||||
| TaintedPath.js:206:29:206:32 | path | TaintedPath.js:206:29:206:85 | path.re ... '), '') |
|
||||
| TaintedPath.js:206:29:206:32 | path | TaintedPath.js:206:29:206:85 | path.re ... '), '') |
|
||||
| TaintedPath.js:206:29:206:32 | path | TaintedPath.js:206:29:206:85 | path.re ... '), '') |
|
||||
| TaintedPath.js:206:29:206:32 | path | TaintedPath.js:206:29:206:85 | path.re ... '), '') |
|
||||
| TaintedPath.js:206:29:206:32 | path | TaintedPath.js:206:29:206:85 | path.re ... '), '') |
|
||||
| TaintedPath.js:206:29:206:32 | path | TaintedPath.js:206:29:206:85 | path.re ... '), '') |
|
||||
| TaintedPath.js:206:29:206:32 | path | TaintedPath.js:206:29:206:85 | path.re ... '), '') |
|
||||
| TaintedPath.js:206:29:206:32 | path | TaintedPath.js:206:29:206:85 | path.re ... '), '') |
|
||||
| TaintedPath.js:206:29:206:32 | path | TaintedPath.js:206:29:206:85 | path.re ... '), '') |
|
||||
| TaintedPath.js:206:29:206:32 | path | TaintedPath.js:206:29:206:85 | path.re ... '), '') |
|
||||
| TaintedPath.js:206:29:206:32 | path | TaintedPath.js:206:29:206:85 | path.re ... '), '') |
|
||||
| TaintedPath.js:206:29:206:32 | path | TaintedPath.js:206:29:206:85 | path.re ... '), '') |
|
||||
| TaintedPath.js:206:29:206:32 | path | TaintedPath.js:206:29:206:85 | path.re ... '), '') |
|
||||
| TaintedPath.js:206:29:206:32 | path | TaintedPath.js:206:29:206:85 | path.re ... '), '') |
|
||||
| TaintedPath.js:206:29:206:32 | path | TaintedPath.js:206:29:206:85 | path.re ... '), '') |
|
||||
| TaintedPath.js:206:29:206:32 | path | TaintedPath.js:206:29:206:85 | path.re ... '), '') |
|
||||
| TaintedPath.js:206:29:206:32 | path | TaintedPath.js:206:29:206:85 | path.re ... '), '') |
|
||||
| TaintedPath.js:206:29:206:32 | path | TaintedPath.js:206:29:206:85 | path.re ... '), '') |
|
||||
| TaintedPath.js:206:29:206:32 | path | TaintedPath.js:206:29:206:85 | path.re ... '), '') |
|
||||
| TaintedPath.js:206:29:206:32 | path | TaintedPath.js:206:29:206:85 | path.re ... '), '') |
|
||||
| TaintedPath.js:206:29:206:32 | path | TaintedPath.js:206:29:206:85 | path.re ... '), '') |
|
||||
| TaintedPath.js:206:29:206:32 | path | TaintedPath.js:206:29:206:85 | path.re ... '), '') |
|
||||
| TaintedPath.js:206:29:206:32 | path | TaintedPath.js:206:29:206:85 | path.re ... '), '') |
|
||||
| TaintedPath.js:206:29:206:32 | path | TaintedPath.js:206:29:206:85 | path.re ... '), '') |
|
||||
| TaintedPath.js:206:29:206:32 | path | TaintedPath.js:206:29:206:85 | path.re ... '), '') |
|
||||
| TaintedPath.js:206:29:206:32 | path | TaintedPath.js:206:29:206:85 | path.re ... '), '') |
|
||||
| TaintedPath.js:211:7:211:48 | path | TaintedPath.js:213:29:213:32 | path |
|
||||
| TaintedPath.js:211:7:211:48 | path | TaintedPath.js:213:29:213:32 | path |
|
||||
| TaintedPath.js:211:7:211:48 | path | TaintedPath.js:213:29:213:32 | path |
|
||||
| TaintedPath.js:211:7:211:48 | path | TaintedPath.js:213:29:213:32 | path |
|
||||
| TaintedPath.js:211:7:211:48 | path | TaintedPath.js:213:29:213:32 | path |
|
||||
| TaintedPath.js:211:7:211:48 | path | TaintedPath.js:213:29:213:32 | path |
|
||||
| TaintedPath.js:211:7:211:48 | path | TaintedPath.js:213:29:213:32 | path |
|
||||
| TaintedPath.js:211:7:211:48 | path | TaintedPath.js:213:29:213:32 | path |
|
||||
| TaintedPath.js:211:7:211:48 | path | TaintedPath.js:216:31:216:34 | path |
|
||||
| TaintedPath.js:211:7:211:48 | path | TaintedPath.js:216:31:216:34 | path |
|
||||
| TaintedPath.js:211:7:211:48 | path | TaintedPath.js:216:31:216:34 | path |
|
||||
| TaintedPath.js:211:7:211:48 | path | TaintedPath.js:216:31:216:34 | path |
|
||||
| TaintedPath.js:211:7:211:48 | path | TaintedPath.js:216:31:216:34 | path |
|
||||
| TaintedPath.js:211:7:211:48 | path | TaintedPath.js:216:31:216:34 | path |
|
||||
| TaintedPath.js:211:7:211:48 | path | TaintedPath.js:216:31:216:34 | path |
|
||||
| TaintedPath.js:211:7:211:48 | path | TaintedPath.js:216:31:216:34 | path |
|
||||
| TaintedPath.js:211:14:211:37 | url.par ... , true) | TaintedPath.js:211:14:211:43 | url.par ... ).query |
|
||||
| TaintedPath.js:211:14:211:37 | url.par ... , true) | TaintedPath.js:211:14:211:43 | url.par ... ).query |
|
||||
| TaintedPath.js:211:14:211:37 | url.par ... , true) | TaintedPath.js:211:14:211:43 | url.par ... ).query |
|
||||
| TaintedPath.js:211:14:211:37 | url.par ... , true) | TaintedPath.js:211:14:211:43 | url.par ... ).query |
|
||||
| TaintedPath.js:211:14:211:37 | url.par ... , true) | TaintedPath.js:211:14:211:43 | url.par ... ).query |
|
||||
| TaintedPath.js:211:14:211:37 | url.par ... , true) | TaintedPath.js:211:14:211:43 | url.par ... ).query |
|
||||
| TaintedPath.js:211:14:211:37 | url.par ... , true) | TaintedPath.js:211:14:211:43 | url.par ... ).query |
|
||||
| TaintedPath.js:211:14:211:37 | url.par ... , true) | TaintedPath.js:211:14:211:43 | url.par ... ).query |
|
||||
| TaintedPath.js:211:14:211:37 | url.par ... , true) | TaintedPath.js:211:14:211:43 | url.par ... ).query |
|
||||
| TaintedPath.js:211:14:211:37 | url.par ... , true) | TaintedPath.js:211:14:211:43 | url.par ... ).query |
|
||||
| TaintedPath.js:211:14:211:37 | url.par ... , true) | TaintedPath.js:211:14:211:43 | url.par ... ).query |
|
||||
| TaintedPath.js:211:14:211:37 | url.par ... , true) | TaintedPath.js:211:14:211:43 | url.par ... ).query |
|
||||
| TaintedPath.js:211:14:211:37 | url.par ... , true) | TaintedPath.js:211:14:211:43 | url.par ... ).query |
|
||||
| TaintedPath.js:211:14:211:37 | url.par ... , true) | TaintedPath.js:211:14:211:43 | url.par ... ).query |
|
||||
| TaintedPath.js:211:14:211:37 | url.par ... , true) | TaintedPath.js:211:14:211:43 | url.par ... ).query |
|
||||
| TaintedPath.js:211:14:211:37 | url.par ... , true) | TaintedPath.js:211:14:211:43 | url.par ... ).query |
|
||||
| TaintedPath.js:211:14:211:43 | url.par ... ).query | TaintedPath.js:211:14:211:48 | url.par ... ry.path |
|
||||
| TaintedPath.js:211:14:211:43 | url.par ... ).query | TaintedPath.js:211:14:211:48 | url.par ... ry.path |
|
||||
| TaintedPath.js:211:14:211:43 | url.par ... ).query | TaintedPath.js:211:14:211:48 | url.par ... ry.path |
|
||||
| TaintedPath.js:211:14:211:43 | url.par ... ).query | TaintedPath.js:211:14:211:48 | url.par ... ry.path |
|
||||
| TaintedPath.js:211:14:211:43 | url.par ... ).query | TaintedPath.js:211:14:211:48 | url.par ... ry.path |
|
||||
| TaintedPath.js:211:14:211:43 | url.par ... ).query | TaintedPath.js:211:14:211:48 | url.par ... ry.path |
|
||||
| TaintedPath.js:211:14:211:43 | url.par ... ).query | TaintedPath.js:211:14:211:48 | url.par ... ry.path |
|
||||
| TaintedPath.js:211:14:211:43 | url.par ... ).query | TaintedPath.js:211:14:211:48 | url.par ... ry.path |
|
||||
| TaintedPath.js:211:14:211:43 | url.par ... ).query | TaintedPath.js:211:14:211:48 | url.par ... ry.path |
|
||||
| TaintedPath.js:211:14:211:43 | url.par ... ).query | TaintedPath.js:211:14:211:48 | url.par ... ry.path |
|
||||
| TaintedPath.js:211:14:211:43 | url.par ... ).query | TaintedPath.js:211:14:211:48 | url.par ... ry.path |
|
||||
| TaintedPath.js:211:14:211:43 | url.par ... ).query | TaintedPath.js:211:14:211:48 | url.par ... ry.path |
|
||||
| TaintedPath.js:211:14:211:43 | url.par ... ).query | TaintedPath.js:211:14:211:48 | url.par ... ry.path |
|
||||
| TaintedPath.js:211:14:211:43 | url.par ... ).query | TaintedPath.js:211:14:211:48 | url.par ... ry.path |
|
||||
| TaintedPath.js:211:14:211:43 | url.par ... ).query | TaintedPath.js:211:14:211:48 | url.par ... ry.path |
|
||||
| TaintedPath.js:211:14:211:43 | url.par ... ).query | TaintedPath.js:211:14:211:48 | url.par ... ry.path |
|
||||
| TaintedPath.js:211:14:211:48 | url.par ... ry.path | TaintedPath.js:211:7:211:48 | path |
|
||||
| TaintedPath.js:211:14:211:48 | url.par ... ry.path | TaintedPath.js:211:7:211:48 | path |
|
||||
| TaintedPath.js:211:14:211:48 | url.par ... ry.path | TaintedPath.js:211:7:211:48 | path |
|
||||
| TaintedPath.js:211:14:211:48 | url.par ... ry.path | TaintedPath.js:211:7:211:48 | path |
|
||||
| TaintedPath.js:211:14:211:48 | url.par ... ry.path | TaintedPath.js:211:7:211:48 | path |
|
||||
| TaintedPath.js:211:14:211:48 | url.par ... ry.path | TaintedPath.js:211:7:211:48 | path |
|
||||
| TaintedPath.js:211:14:211:48 | url.par ... ry.path | TaintedPath.js:211:7:211:48 | path |
|
||||
| TaintedPath.js:211:14:211:48 | url.par ... ry.path | TaintedPath.js:211:7:211:48 | path |
|
||||
| TaintedPath.js:211:14:211:48 | url.par ... ry.path | TaintedPath.js:211:7:211:48 | path |
|
||||
| TaintedPath.js:211:14:211:48 | url.par ... ry.path | TaintedPath.js:211:7:211:48 | path |
|
||||
| TaintedPath.js:211:14:211:48 | url.par ... ry.path | TaintedPath.js:211:7:211:48 | path |
|
||||
| TaintedPath.js:211:14:211:48 | url.par ... ry.path | TaintedPath.js:211:7:211:48 | path |
|
||||
| TaintedPath.js:211:14:211:48 | url.par ... ry.path | TaintedPath.js:211:7:211:48 | path |
|
||||
| TaintedPath.js:211:14:211:48 | url.par ... ry.path | TaintedPath.js:211:7:211:48 | path |
|
||||
| TaintedPath.js:211:14:211:48 | url.par ... ry.path | TaintedPath.js:211:7:211:48 | path |
|
||||
| TaintedPath.js:211:14:211:48 | url.par ... ry.path | TaintedPath.js:211:7:211:48 | path |
|
||||
| TaintedPath.js:211:24:211:30 | req.url | TaintedPath.js:211:14:211:37 | url.par ... , true) |
|
||||
| TaintedPath.js:211:24:211:30 | req.url | TaintedPath.js:211:14:211:37 | url.par ... , true) |
|
||||
| TaintedPath.js:211:24:211:30 | req.url | TaintedPath.js:211:14:211:37 | url.par ... , true) |
|
||||
| TaintedPath.js:211:24:211:30 | req.url | TaintedPath.js:211:14:211:37 | url.par ... , true) |
|
||||
| TaintedPath.js:211:24:211:30 | req.url | TaintedPath.js:211:14:211:37 | url.par ... , true) |
|
||||
| TaintedPath.js:211:24:211:30 | req.url | TaintedPath.js:211:14:211:37 | url.par ... , true) |
|
||||
| TaintedPath.js:211:24:211:30 | req.url | TaintedPath.js:211:14:211:37 | url.par ... , true) |
|
||||
| TaintedPath.js:211:24:211:30 | req.url | TaintedPath.js:211:14:211:37 | url.par ... , true) |
|
||||
| TaintedPath.js:211:24:211:30 | req.url | TaintedPath.js:211:14:211:37 | url.par ... , true) |
|
||||
| TaintedPath.js:211:24:211:30 | req.url | TaintedPath.js:211:14:211:37 | url.par ... , true) |
|
||||
| TaintedPath.js:211:24:211:30 | req.url | TaintedPath.js:211:14:211:37 | url.par ... , true) |
|
||||
| TaintedPath.js:211:24:211:30 | req.url | TaintedPath.js:211:14:211:37 | url.par ... , true) |
|
||||
| TaintedPath.js:211:24:211:30 | req.url | TaintedPath.js:211:14:211:37 | url.par ... , true) |
|
||||
| TaintedPath.js:211:24:211:30 | req.url | TaintedPath.js:211:14:211:37 | url.par ... , true) |
|
||||
| TaintedPath.js:211:24:211:30 | req.url | TaintedPath.js:211:14:211:37 | url.par ... , true) |
|
||||
| TaintedPath.js:211:24:211:30 | req.url | TaintedPath.js:211:14:211:37 | url.par ... , true) |
|
||||
| TaintedPath.js:211:24:211:30 | req.url | TaintedPath.js:211:14:211:37 | url.par ... , true) |
|
||||
| TaintedPath.js:211:24:211:30 | req.url | TaintedPath.js:211:14:211:37 | url.par ... , true) |
|
||||
| TaintedPath.js:211:24:211:30 | req.url | TaintedPath.js:211:14:211:37 | url.par ... , true) |
|
||||
| TaintedPath.js:211:24:211:30 | req.url | TaintedPath.js:211:14:211:37 | url.par ... , true) |
|
||||
| TaintedPath.js:211:24:211:30 | req.url | TaintedPath.js:211:14:211:37 | url.par ... , true) |
|
||||
| TaintedPath.js:211:24:211:30 | req.url | TaintedPath.js:211:14:211:37 | url.par ... , true) |
|
||||
| TaintedPath.js:211:24:211:30 | req.url | TaintedPath.js:211:14:211:37 | url.par ... , true) |
|
||||
| TaintedPath.js:211:24:211:30 | req.url | TaintedPath.js:211:14:211:37 | url.par ... , true) |
|
||||
| TaintedPath.js:211:24:211:30 | req.url | TaintedPath.js:211:14:211:37 | url.par ... , true) |
|
||||
| TaintedPath.js:211:24:211:30 | req.url | TaintedPath.js:211:14:211:37 | url.par ... , true) |
|
||||
| TaintedPath.js:211:24:211:30 | req.url | TaintedPath.js:211:14:211:37 | url.par ... , true) |
|
||||
| TaintedPath.js:211:24:211:30 | req.url | TaintedPath.js:211:14:211:37 | url.par ... , true) |
|
||||
| TaintedPath.js:211:24:211:30 | req.url | TaintedPath.js:211:14:211:37 | url.par ... , true) |
|
||||
| TaintedPath.js:211:24:211:30 | req.url | TaintedPath.js:211:14:211:37 | url.par ... , true) |
|
||||
| TaintedPath.js:211:24:211:30 | req.url | TaintedPath.js:211:14:211:37 | url.par ... , true) |
|
||||
| TaintedPath.js:211:24:211:30 | req.url | TaintedPath.js:211:14:211:37 | url.par ... , true) |
|
||||
| TaintedPath.js:213:29:213:32 | path | TaintedPath.js:213:29:213:68 | path.re ... '), '') |
|
||||
| TaintedPath.js:213:29:213:32 | path | TaintedPath.js:213:29:213:68 | path.re ... '), '') |
|
||||
| TaintedPath.js:213:29:213:32 | path | TaintedPath.js:213:29:213:68 | path.re ... '), '') |
|
||||
| TaintedPath.js:213:29:213:32 | path | TaintedPath.js:213:29:213:68 | path.re ... '), '') |
|
||||
| TaintedPath.js:213:29:213:32 | path | TaintedPath.js:213:29:213:68 | path.re ... '), '') |
|
||||
| TaintedPath.js:213:29:213:32 | path | TaintedPath.js:213:29:213:68 | path.re ... '), '') |
|
||||
| TaintedPath.js:213:29:213:32 | path | TaintedPath.js:213:29:213:68 | path.re ... '), '') |
|
||||
| TaintedPath.js:213:29:213:32 | path | TaintedPath.js:213:29:213:68 | path.re ... '), '') |
|
||||
| TaintedPath.js:213:29:213:32 | path | TaintedPath.js:213:29:213:68 | path.re ... '), '') |
|
||||
| TaintedPath.js:213:29:213:32 | path | TaintedPath.js:213:29:213:68 | path.re ... '), '') |
|
||||
| TaintedPath.js:213:29:213:32 | path | TaintedPath.js:213:29:213:68 | path.re ... '), '') |
|
||||
| TaintedPath.js:213:29:213:32 | path | TaintedPath.js:213:29:213:68 | path.re ... '), '') |
|
||||
| TaintedPath.js:213:29:213:32 | path | TaintedPath.js:213:29:213:68 | path.re ... '), '') |
|
||||
| TaintedPath.js:213:29:213:32 | path | TaintedPath.js:213:29:213:68 | path.re ... '), '') |
|
||||
| TaintedPath.js:213:29:213:32 | path | TaintedPath.js:213:29:213:68 | path.re ... '), '') |
|
||||
| TaintedPath.js:213:29:213:32 | path | TaintedPath.js:213:29:213:68 | path.re ... '), '') |
|
||||
| TaintedPath.js:216:31:216:34 | path | TaintedPath.js:216:31:216:69 | path.re ... '), '') |
|
||||
| TaintedPath.js:216:31:216:34 | path | TaintedPath.js:216:31:216:69 | path.re ... '), '') |
|
||||
| TaintedPath.js:216:31:216:34 | path | TaintedPath.js:216:31:216:69 | path.re ... '), '') |
|
||||
| TaintedPath.js:216:31:216:34 | path | TaintedPath.js:216:31:216:69 | path.re ... '), '') |
|
||||
| TaintedPath.js:216:31:216:34 | path | TaintedPath.js:216:31:216:69 | path.re ... '), '') |
|
||||
| TaintedPath.js:216:31:216:34 | path | TaintedPath.js:216:31:216:69 | path.re ... '), '') |
|
||||
| TaintedPath.js:216:31:216:34 | path | TaintedPath.js:216:31:216:69 | path.re ... '), '') |
|
||||
| TaintedPath.js:216:31:216:34 | path | TaintedPath.js:216:31:216:69 | path.re ... '), '') |
|
||||
| TaintedPath.js:216:31:216:34 | path | TaintedPath.js:216:31:216:69 | path.re ... '), '') |
|
||||
| TaintedPath.js:216:31:216:34 | path | TaintedPath.js:216:31:216:69 | path.re ... '), '') |
|
||||
| TaintedPath.js:216:31:216:34 | path | TaintedPath.js:216:31:216:69 | path.re ... '), '') |
|
||||
| TaintedPath.js:216:31:216:34 | path | TaintedPath.js:216:31:216:69 | path.re ... '), '') |
|
||||
| TaintedPath.js:216:31:216:34 | path | TaintedPath.js:216:31:216:69 | path.re ... '), '') |
|
||||
| TaintedPath.js:216:31:216:34 | path | TaintedPath.js:216:31:216:69 | path.re ... '), '') |
|
||||
| TaintedPath.js:216:31:216:34 | path | TaintedPath.js:216:31:216:69 | path.re ... '), '') |
|
||||
| TaintedPath.js:216:31:216:34 | path | TaintedPath.js:216:31:216:69 | path.re ... '), '') |
|
||||
| examples/TaintedPath.js:8:7:8:52 | filePath | examples/TaintedPath.js:11:36:11:43 | filePath |
|
||||
| examples/TaintedPath.js:8:7:8:52 | filePath | examples/TaintedPath.js:11:36:11:43 | filePath |
|
||||
| examples/TaintedPath.js:8:7:8:52 | filePath | examples/TaintedPath.js:11:36:11:43 | filePath |
|
||||
@@ -10499,6 +10956,9 @@ edges
|
||||
| TaintedPath.js:196:31:196:34 | path | TaintedPath.js:195:24:195:30 | req.url | TaintedPath.js:196:31:196:34 | path | This path depends on a $@. | TaintedPath.js:195:24:195:30 | req.url | user-provided value |
|
||||
| TaintedPath.js:197:45:197:48 | path | TaintedPath.js:195:24:195:30 | req.url | TaintedPath.js:197:45:197:48 | path | This path depends on a $@. | TaintedPath.js:195:24:195:30 | req.url | user-provided value |
|
||||
| TaintedPath.js:198:35:198:38 | path | TaintedPath.js:195:24:195:30 | req.url | TaintedPath.js:198:35:198:38 | path | This path depends on a $@. | TaintedPath.js:195:24:195:30 | req.url | user-provided value |
|
||||
| TaintedPath.js:206:29:206:85 | path.re ... '), '') | TaintedPath.js:202:24:202:30 | req.url | TaintedPath.js:206:29:206:85 | path.re ... '), '') | This path depends on a $@. | TaintedPath.js:202:24:202:30 | req.url | user-provided value |
|
||||
| TaintedPath.js:213:29:213:68 | path.re ... '), '') | TaintedPath.js:211:24:211:30 | req.url | TaintedPath.js:213:29:213:68 | path.re ... '), '') | This path depends on a $@. | TaintedPath.js:211:24:211:30 | req.url | user-provided value |
|
||||
| TaintedPath.js:216:31:216:69 | path.re ... '), '') | TaintedPath.js:211:24:211:30 | req.url | TaintedPath.js:216:31:216:69 | path.re ... '), '') | This path depends on a $@. | TaintedPath.js:211:24:211:30 | req.url | user-provided value |
|
||||
| examples/TaintedPath.js:11:29:11:43 | ROOT + filePath | examples/TaintedPath.js:8:28:8:34 | req.url | examples/TaintedPath.js:11:29:11:43 | ROOT + filePath | This path depends on a $@. | examples/TaintedPath.js:8:28:8:34 | req.url | user-provided value |
|
||||
| express.js:8:20:8:32 | req.query.bar | express.js:8:20:8:32 | req.query.bar | express.js:8:20:8:32 | req.query.bar | This path depends on a $@. | express.js:8:20:8:32 | req.query.bar | user-provided value |
|
||||
| handlebars.js:11:32:11:39 | filePath | handlebars.js:29:46:29:60 | req.params.path | handlebars.js:11:32:11:39 | filePath | This path depends on a $@. | handlebars.js:29:46:29:60 | req.params.path | user-provided value |
|
||||
|
||||
@@ -197,3 +197,25 @@ var server = http.createServer(function(req, res) {
|
||||
cp.execFileSync("foobar", ["args"], {cwd: path}); // NOT OK
|
||||
cp.execFileSync("foobar", {cwd: path}); // NOT OK
|
||||
});
|
||||
|
||||
var server = http.createServer(function(req, res) {
|
||||
let path = url.parse(req.url, true).query.path;
|
||||
|
||||
// Removal of forward-slash or dots.
|
||||
res.write(fs.readFileSync(path.replace(new RegExp("[\\]\\[*,;'\"`<>\\?/]", 'g'), ''))); // OK
|
||||
res.write(fs.readFileSync(path.replace(new RegExp("[\\]\\[*,;'\"`<>\\?/]", ''), ''))); // NOT OK.
|
||||
res.write(fs.readFileSync(path.replace(new RegExp("[\\]\\[*,;'\"`<>\\?/]", unknownFlags()), ''))); // OK -- Might be okay depending on what unknownFlags evaluates to.
|
||||
});
|
||||
|
||||
var server = http.createServer(function(req, res) {
|
||||
let path = url.parse(req.url, true).query.path;
|
||||
|
||||
res.write(fs.readFileSync(path.replace(new RegExp("[.]", 'g'), ''))); // NOT OK (can be absolute)
|
||||
|
||||
if (!pathModule.isAbsolute(path)) {
|
||||
res.write(fs.readFileSync(path.replace(new RegExp("[.]", ''), ''))); // NOT OK
|
||||
res.write(fs.readFileSync(path.replace(new RegExp("[.]", 'g'), ''))); // OK
|
||||
res.write(fs.readFileSync(path.replace(new RegExp("[.]", unknownFlags()), ''))); // OK
|
||||
}
|
||||
});
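Review bot: The comment `// Removal of forward-slash or dots.` above the first `path.replace` does not match the character class it describes, which contains `/` but no `.`; the dot-removal cases are the `[.]` expressions in the second `createServer` callback below. Suggest `// Removal of forward-slashes.` so the comment states what this sanitizer actually strips. The `// OK` / `// NOT OK` annotations on the `new RegExp(..)` calls line up with the #select rows earlier in this commit (lines 206, 213 and 216 are reported; 205, 207, 217 and 218 are not), so the expectations themselves look consistent. Note that `unknownFlags()` is never defined in this file, so the "OK" verdict on those lines rests on the call being unresolvable; presumably intended, but worth stating in the comment.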
|
||||
|
||||
|
||||
@@ -319,6 +319,15 @@ nodes
|
||||
| lib/lib.js:626:29:626:32 | name |
|
||||
| lib/lib.js:629:25:629:28 | name |
|
||||
| lib/lib.js:629:25:629:28 | name |
|
||||
| lib/lib.js:632:38:632:41 | name |
|
||||
| lib/lib.js:632:38:632:41 | name |
|
||||
| lib/lib.js:633:6:633:68 | sanitized |
|
||||
| lib/lib.js:633:18:633:68 | "'" + n ... ) + "'" |
|
||||
| lib/lib.js:633:24:633:27 | name |
|
||||
| lib/lib.js:633:24:633:62 | name.re ... '\\\\''") |
|
||||
| lib/lib.js:633:24:633:62 | name.re ... '\\\\''") |
|
||||
| lib/lib.js:634:22:634:30 | sanitized |
|
||||
| lib/lib.js:634:22:634:30 | sanitized |
|
||||
| lib/subLib2/compiled-file.ts:3:26:3:29 | name |
|
||||
| lib/subLib2/compiled-file.ts:3:26:3:29 | name |
|
||||
| lib/subLib2/compiled-file.ts:4:25:4:28 | name |
|
||||
@@ -749,6 +758,14 @@ edges
|
||||
| lib/lib.js:608:42:608:45 | name | lib/lib.js:629:25:629:28 | name |
|
||||
| lib/lib.js:608:42:608:45 | name | lib/lib.js:629:25:629:28 | name |
|
||||
| lib/lib.js:608:42:608:45 | name | lib/lib.js:629:25:629:28 | name |
|
||||
| lib/lib.js:632:38:632:41 | name | lib/lib.js:633:24:633:27 | name |
|
||||
| lib/lib.js:632:38:632:41 | name | lib/lib.js:633:24:633:27 | name |
|
||||
| lib/lib.js:633:6:633:68 | sanitized | lib/lib.js:634:22:634:30 | sanitized |
|
||||
| lib/lib.js:633:6:633:68 | sanitized | lib/lib.js:634:22:634:30 | sanitized |
|
||||
| lib/lib.js:633:18:633:68 | "'" + n ... ) + "'" | lib/lib.js:633:6:633:68 | sanitized |
|
||||
| lib/lib.js:633:24:633:27 | name | lib/lib.js:633:24:633:62 | name.re ... '\\\\''") |
|
||||
| lib/lib.js:633:24:633:27 | name | lib/lib.js:633:24:633:62 | name.re ... '\\\\''") |
|
||||
| lib/lib.js:633:24:633:62 | name.re ... '\\\\''") | lib/lib.js:633:18:633:68 | "'" + n ... ) + "'" |
|
||||
| lib/subLib2/compiled-file.ts:3:26:3:29 | name | lib/subLib2/compiled-file.ts:4:25:4:28 | name |
|
||||
| lib/subLib2/compiled-file.ts:3:26:3:29 | name | lib/subLib2/compiled-file.ts:4:25:4:28 | name |
|
||||
| lib/subLib2/compiled-file.ts:3:26:3:29 | name | lib/subLib2/compiled-file.ts:4:25:4:28 | name |
|
||||
@@ -879,6 +896,8 @@ edges
|
||||
| lib/lib.js:609:10:609:25 | "rm -rf " + name | lib/lib.js:608:42:608:45 | name | lib/lib.js:609:22:609:25 | name | This string concatenation which depends on $@ is later used in a $@. | lib/lib.js:608:42:608:45 | name | library input | lib/lib.js:609:2:609:26 | cp.exec ... + name) | shell command |
|
||||
| lib/lib.js:626:17:626:32 | "rm -rf " + name | lib/lib.js:608:42:608:45 | name | lib/lib.js:626:29:626:32 | name | This string concatenation which depends on $@ is later used in a $@. | lib/lib.js:608:42:608:45 | name | library input | lib/lib.js:626:9:626:33 | cp.exec ... + name) | shell command |
|
||||
| lib/lib.js:629:13:629:28 | "rm -rf " + name | lib/lib.js:608:42:608:45 | name | lib/lib.js:629:25:629:28 | name | This string concatenation which depends on $@ is later used in a $@. | lib/lib.js:608:42:608:45 | name | library input | lib/lib.js:629:5:629:29 | cp.exec ... + name) | shell command |
|
||||
| lib/lib.js:633:18:633:68 | "'" + n ... ) + "'" | lib/lib.js:632:38:632:41 | name | lib/lib.js:633:24:633:62 | name.re ... '\\\\''") | This string concatenation which depends on $@ is later used in a $@. | lib/lib.js:632:38:632:41 | name | library input | lib/lib.js:634:2:634:31 | cp.exec ... itized) | shell command |
|
||||
| lib/lib.js:634:10:634:30 | "rm -rf ... nitized | lib/lib.js:632:38:632:41 | name | lib/lib.js:634:22:634:30 | sanitized | This string concatenation which depends on $@ is later used in a $@. | lib/lib.js:632:38:632:41 | name | library input | lib/lib.js:634:2:634:31 | cp.exec ... itized) | shell command |
|
||||
| lib/subLib2/compiled-file.ts:4:13:4:28 | "rm -rf " + name | lib/subLib2/compiled-file.ts:3:26:3:29 | name | lib/subLib2/compiled-file.ts:4:25:4:28 | name | This string concatenation which depends on $@ is later used in a $@. | lib/subLib2/compiled-file.ts:3:26:3:29 | name | library input | lib/subLib2/compiled-file.ts:4:5:4:29 | cp.exec ... + name) | shell command |
|
||||
| lib/subLib2/special-file.js:4:10:4:25 | "rm -rf " + name | lib/subLib2/special-file.js:3:28:3:31 | name | lib/subLib2/special-file.js:4:22:4:25 | name | This string concatenation which depends on $@ is later used in a $@. | lib/subLib2/special-file.js:3:28:3:31 | name | library input | lib/subLib2/special-file.js:4:2:4:26 | cp.exec ... + name) | shell command |
|
||||
| lib/subLib3/my-file.ts:4:10:4:25 | "rm -rf " + name | lib/subLib3/my-file.ts:3:28:3:31 | name | lib/subLib3/my-file.ts:4:22:4:25 | name | This string concatenation which depends on $@ is later used in a $@. | lib/subLib3/my-file.ts:3:28:3:31 | name | library input | lib/subLib3/my-file.ts:4:2:4:26 | cp.exec ... + name) | shell command |
|
||||
|
||||
@@ -628,3 +628,14 @@ module.exports.veryIndeirect = function (name) {
|
||||
|
||||
cp.exec("rm -rf " + name); // NOT OK
|
||||
}
|
||||
|
||||
module.exports.sanitizer = function (name) {
|
||||
var sanitized = "'" + name.replace(new RegExp("\'"), "'\\''") + "'"
|
||||
cp.exec("rm -rf " + sanitized); // NOT OK
|
||||
|
||||
var sanitized = "'" + name.replace(new RegExp("\'", 'g'), "'\\''") + "'"
|
||||
cp.exec("rm -rf " + sanitized); // OK
|
||||
|
||||
var sanitized = "'" + name.replace(new RegExp("\'", unknownFlags()), "'\\''") + "'"
|
||||
cp.exec("rm -rf " + sanitized); // OK -- Most likely should be okay and not flagged to reduce false positives.
|
||||
}
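Review bot: The three cases in `module.exports.sanitizer` reuse a single `var sanitized` binding (`var` is function-scoped, so the three declarations are one variable), which makes each `cp.exec` verdict depend on the analysis resolving the most recent assignment rather than on the regex flags alone. Splitting the cases into separate exported functions, or using distinct `const` names such as `sanitizedNonGlobal`, `sanitizedGlobal` and `sanitizedUnknownFlags`, keeps the three expectations independent of each other. The expected output only reports lines 633/634, so the current layout works today, but a change in flow handling could make failures here hard to attribute.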
|
||||
|
||||
@@ -1148,6 +1148,12 @@ nodes
|
||||
| tst.js:501:33:501:63 | decodeU ... n.hash) |
|
||||
| tst.js:501:43:501:62 | window.location.hash |
|
||||
| tst.js:501:43:501:62 | window.location.hash |
|
||||
| tst.js:508:7:508:39 | target |
|
||||
| tst.js:508:16:508:39 | documen ... .search |
|
||||
| tst.js:508:16:508:39 | documen ... .search |
|
||||
| tst.js:509:18:509:23 | target |
|
||||
| tst.js:509:18:509:54 | target. ... "), '') |
|
||||
| tst.js:509:18:509:54 | target. ... "), '') |
|
||||
| typeahead.js:20:13:20:45 | target |
|
||||
| typeahead.js:20:22:20:45 | documen ... .search |
|
||||
| typeahead.js:20:22:20:45 | documen ... .search |
|
||||
@@ -2331,6 +2337,11 @@ edges
|
||||
| tst.js:501:43:501:62 | window.location.hash | tst.js:501:33:501:63 | decodeU ... n.hash) |
|
||||
| tst.js:501:43:501:62 | window.location.hash | tst.js:501:33:501:63 | decodeU ... n.hash) |
|
||||
| tst.js:501:43:501:62 | window.location.hash | tst.js:501:33:501:63 | decodeU ... n.hash) |
|
||||
| tst.js:508:7:508:39 | target | tst.js:509:18:509:23 | target |
|
||||
| tst.js:508:16:508:39 | documen ... .search | tst.js:508:7:508:39 | target |
|
||||
| tst.js:508:16:508:39 | documen ... .search | tst.js:508:7:508:39 | target |
|
||||
| tst.js:509:18:509:23 | target | tst.js:509:18:509:54 | target. ... "), '') |
|
||||
| tst.js:509:18:509:23 | target | tst.js:509:18:509:54 | target. ... "), '') |
|
||||
| typeahead.js:20:13:20:45 | target | typeahead.js:21:12:21:17 | target |
|
||||
| typeahead.js:20:22:20:45 | documen ... .search | typeahead.js:20:13:20:45 | target |
|
||||
| typeahead.js:20:22:20:45 | documen ... .search | typeahead.js:20:13:20:45 | target |
|
||||
@@ -2623,6 +2634,7 @@ edges
|
||||
| tst.js:491:23:491:45 | locatio ... bstr(1) | tst.js:491:23:491:35 | location.hash | tst.js:491:23:491:45 | locatio ... bstr(1) | Cross-site scripting vulnerability due to $@. | tst.js:491:23:491:35 | location.hash | user-provided value |
|
||||
| tst.js:494:18:494:40 | locatio ... bstr(1) | tst.js:494:18:494:30 | location.hash | tst.js:494:18:494:40 | locatio ... bstr(1) | Cross-site scripting vulnerability due to $@. | tst.js:494:18:494:30 | location.hash | user-provided value |
|
||||
| tst.js:501:33:501:63 | decodeU ... n.hash) | tst.js:501:43:501:62 | window.location.hash | tst.js:501:33:501:63 | decodeU ... n.hash) | Cross-site scripting vulnerability due to $@. | tst.js:501:43:501:62 | window.location.hash | user-provided value |
|
||||
| tst.js:509:18:509:54 | target. ... "), '') | tst.js:508:16:508:39 | documen ... .search | tst.js:509:18:509:54 | target. ... "), '') | Cross-site scripting vulnerability due to $@. | tst.js:508:16:508:39 | documen ... .search | user-provided value |
|
||||
| typeahead.js:25:18:25:20 | val | typeahead.js:20:22:20:45 | documen ... .search | typeahead.js:25:18:25:20 | val | Cross-site scripting vulnerability due to $@. | typeahead.js:20:22:20:45 | documen ... .search | user-provided value |
|
||||
| v-html.vue:2:8:2:23 | v-html=tainted | v-html.vue:6:42:6:58 | document.location | v-html.vue:2:8:2:23 | v-html=tainted | Cross-site scripting vulnerability due to $@. | v-html.vue:6:42:6:58 | document.location | user-provided value |
|
||||
| various-concat-obfuscations.js:4:4:4:31 | "<div>" ... </div>" | various-concat-obfuscations.js:2:16:2:39 | documen ... .search | various-concat-obfuscations.js:4:4:4:31 | "<div>" ... </div>" | Cross-site scripting vulnerability due to $@. | various-concat-obfuscations.js:2:16:2:39 | documen ... .search | user-provided value |
|
||||
|
||||
@@ -1160,6 +1160,12 @@ nodes
|
||||
| tst.js:501:33:501:63 | decodeU ... n.hash) |
|
||||
| tst.js:501:43:501:62 | window.location.hash |
|
||||
| tst.js:501:43:501:62 | window.location.hash |
|
||||
| tst.js:508:7:508:39 | target |
|
||||
| tst.js:508:16:508:39 | documen ... .search |
|
||||
| tst.js:508:16:508:39 | documen ... .search |
|
||||
| tst.js:509:18:509:23 | target |
|
||||
| tst.js:509:18:509:54 | target. ... "), '') |
|
||||
| tst.js:509:18:509:54 | target. ... "), '') |
|
||||
| typeahead.js:9:28:9:30 | loc |
|
||||
| typeahead.js:9:28:9:30 | loc |
|
||||
| typeahead.js:9:28:9:30 | loc |
|
||||
@@ -2393,6 +2399,11 @@ edges
|
||||
| tst.js:501:43:501:62 | window.location.hash | tst.js:501:33:501:63 | decodeU ... n.hash) |
|
||||
| tst.js:501:43:501:62 | window.location.hash | tst.js:501:33:501:63 | decodeU ... n.hash) |
|
||||
| tst.js:501:43:501:62 | window.location.hash | tst.js:501:33:501:63 | decodeU ... n.hash) |
|
||||
| tst.js:508:7:508:39 | target | tst.js:509:18:509:23 | target |
|
||||
| tst.js:508:16:508:39 | documen ... .search | tst.js:508:7:508:39 | target |
|
||||
| tst.js:508:16:508:39 | documen ... .search | tst.js:508:7:508:39 | target |
|
||||
| tst.js:509:18:509:23 | target | tst.js:509:18:509:54 | target. ... "), '') |
|
||||
| tst.js:509:18:509:23 | target | tst.js:509:18:509:54 | target. ... "), '') |
|
||||
| typeahead.js:9:28:9:30 | loc | typeahead.js:10:16:10:18 | loc |
|
||||
| typeahead.js:9:28:9:30 | loc | typeahead.js:10:16:10:18 | loc |
|
||||
| typeahead.js:9:28:9:30 | loc | typeahead.js:10:16:10:18 | loc |
|
||||
|
||||
@@ -503,3 +503,10 @@ function Foo() {
|
||||
};
|
||||
Object.assign(this, obj);
|
||||
}
|
||||
|
||||
function nonGlobalSanitizer() {
|
||||
var target = document.location.search
|
||||
$("#foo").html(target.replace(new RegExp("<|>"), '')); // NOT OK
|
||||
$("#foo").html(target.replace(new RegExp("<|>", unknownFlags()), '')); // OK -- most likely good. We don't know what the flags are.
|
||||
$("#foo").html(target.replace(new RegExp("<|>", "g"), '')); // OK
|
||||
}
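Review bot: `var target = document.location.search` has no terminating semicolon and relies on automatic semicolon insertion, while every other statement in `nonGlobalSanitizer` ends with `;`; suggest `var target = document.location.search;` for consistency with the surrounding test code. The three `.replace(new RegExp("<|>", …), '')` verdicts match the new `tst.js:509` row in the expected output (only the flag-less case is reported).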
|
||||
|
||||
@@ -6,3 +6,4 @@
|
||||
| tst.js:60:7:60:28 | s.repla ... '%25') | This replacement may double-escape '%' characters from $@. | tst.js:59:7:59:28 | s.repla ... '%26') | here |
|
||||
| tst.js:68:10:70:38 | s.repla ... &") | This replacement may double-escape '&' characters from $@. | tst.js:68:10:69:39 | s.repla ... apos;") | here |
|
||||
| tst.js:79:10:79:66 | s.repla ... &") | This replacement may double-escape '&' characters from $@. | tst.js:79:10:79:43 | s.repla ... epl[c]) | here |
|
||||
| tst.js:99:10:101:49 | s.repla ... &") | This replacement may double-escape '&' characters from $@. | tst.js:99:10:100:51 | s.repla ... apos;") | here |
|
||||
|
||||
@@ -94,3 +94,21 @@ function testWithCapturedVar(x) {
|
||||
function encodeDecodeEncode(s) {
|
||||
return goodEncode(goodDecode(goodEncode(s)));
|
||||
}
|
||||
|
||||
function badEncode(s) {
|
||||
return s.replace(new RegExp("\"", "g"), """)
|
||||
.replace(new RegExp("\'", "g"), "'")
|
||||
.replace(new RegExp("&", "g"), "&"); // NOT OK
|
||||
}
|
||||
|
||||
function goodEncode(s) {
|
||||
return s.replace(new RegExp("\"", ""), """)
|
||||
.replace(new RegExp("\'", ""), "'")
|
||||
.replace(new RegExp("&", ""), "&"); // OK
|
||||
}
|
||||
|
||||
function goodEncode(s) {
|
||||
return s.replace(new RegExp("\"", unknownFlags()), """)
|
||||
.replace(new RegExp("\'", unknownFlags()), "'")
|
||||
.replace(new RegExp("&", unknownFlags()), "&"); // OK
|
||||
}
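Review bot: `function goodEncode(s)` is declared twice in this hunk (once with `""` flags, once with `unknownFlags()`), and the context line `return goodEncode(goodDecode(goodEncode(s)));` in `encodeDecodeEncode` calls that name; in one scope the later declaration wins, and presumably an earlier `goodEncode` already exists above this hunk, so the call target is now ambiguous for both the runtime and the analysis. Rename the two new functions, e.g. `function goodEncodeNonGlobal(s)` and `function goodEncodeUnknownFlags(s)`, so each expectation stands alone and `encodeDecodeEncode` keeps pointing at the original. The `badEncode` case is consistent with the new `tst.js:99:10:101:49` row in the expected output. The replacement literals render here as `"""`, which looks like entity text decoded by the page rather than the file's actual content; worth confirming the committed file has the intended escaped strings.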
|
||||
|
||||
@@ -65,3 +65,9 @@
|
||||
| tst.js:305:10:305:34 | s().rep ... ]/g,'') | This HTML sanitizer does not sanitize double quotes |
|
||||
| tst.js:309:10:318:3 | s().rep ... ;";\\n\\t}) | This HTML sanitizer does not sanitize single quotes |
|
||||
| tst.js:320:9:329:3 | s().rep ... ;";\\n\\t}) | This HTML sanitizer does not sanitize single quotes |
|
||||
| tst.js:333:2:333:40 | s().rep ... g"),'') | This HTML sanitizer does not sanitize ampersands |
|
||||
| tst.js:333:2:333:40 | s().rep ... g"),'') | This HTML sanitizer does not sanitize double quotes |
|
||||
| tst.js:333:2:333:40 | s().rep ... g"),'') | This HTML sanitizer does not sanitize single quotes |
|
||||
| tst.js:337:2:337:46 | s().rep ... ()),'') | This HTML sanitizer does not sanitize ampersands |
|
||||
| tst.js:337:2:337:46 | s().rep ... ()),'') | This HTML sanitizer does not sanitize double quotes |
|
||||
| tst.js:337:2:337:46 | s().rep ... ()),'') | This HTML sanitizer does not sanitize single quotes |
|
||||
|
||||
@@ -39,3 +39,4 @@
|
||||
| tst-multi-character-sanitization.js:145:13:145:90 | content ... /g, '') | This string may still contain $@, which may cause an HTML element injection vulnerability. | tst-multi-character-sanitization.js:145:30:145:30 | < | <script |
|
||||
| tst-multi-character-sanitization.js:148:3:148:99 | n.clone ... gi, '') | This string may still contain $@, which may cause an HTML element injection vulnerability. | tst-multi-character-sanitization.js:148:41:148:41 | < | <script |
|
||||
| tst-multi-character-sanitization.js:152:3:152:99 | n.clone ... gi, '') | This string may still contain $@, which may cause an HTML element injection vulnerability. | tst-multi-character-sanitization.js:152:41:152:41 | < | <script |
|
||||
| tst.js:341:9:341:44 | p.repla ... "), "") | This string may still contain $@, which may cause a path injection vulnerability. | tst.js:341:31:341:33 | \\. | ../ |
|
||||
|
||||
@@ -29,3 +29,9 @@
|
||||
| tst.js:149:2:149:24 | x.repla ... replace | This replaces only the first occurrence of "\\n". |
|
||||
| tst.js:193:9:193:17 | s.replace | This replaces only the first occurrence of /'/. |
|
||||
| tst.js:202:10:202:18 | p.replace | This replaces only the first occurrence of "/../". |
|
||||
| tst.js:341:9:341:17 | p.replace | This replaces only the first occurrence of /\\.\\.//. |
|
||||
| tst.js:345:9:345:17 | s.replace | This does not escape backslash characters in the input. |
|
||||
| tst.js:349:9:349:17 | s.replace | This replaces only the first occurrence of /'/. |
|
||||
| tst.js:353:9:353:17 | s.replace | This does not escape backslash characters in the input. |
|
||||
| tst.js:362:2:362:10 | x.replace | This replaces only the first occurrence of /\n/. |
|
||||
| tst.js:363:2:363:24 | x.repla ... replace | This replaces only the first occurrence of /\n/. |
|
||||
|
||||
@@ -327,4 +327,41 @@ function incompleteComplexSanitizers() {
|
||||
if (str === "\"")
|
||||
return """;
|
||||
}) + '"';
|
||||
}
|
||||
}
|
||||
|
||||
function typicalBadHtmlSanitizers(s) {
|
||||
s().replace(new RegExp("[<>]", "g"),''); // NOT OK
|
||||
}
|
||||
|
||||
function typicalBadHtmlSanitizers(s) {
|
||||
s().replace(new RegExp("[<>]", unknown()),''); // NOT OK
|
||||
}
|
||||
|
||||
function bad18NewRegExp(p) {
|
||||
return p.replace(new RegExp("\\.\\./"), ""); // NOT OK
|
||||
}
|
||||
|
||||
function bad4NewRegExpG(s) {
|
||||
return s.replace(new RegExp("\'","g"), "\\$&"); // NOT OK
|
||||
}
|
||||
|
||||
function bad4NewRegExp(s) {
|
||||
return s.replace(new RegExp("\'"), "\\$&"); // NOT OK
|
||||
}
|
||||
|
||||
function bad4NewRegExpUnknown(s) {
|
||||
return s.replace(new RegExp("\'", unknownFlags()), "\\$&"); // NOT OK
|
||||
}
|
||||
|
||||
function newlinesNewReGexp(s) {
|
||||
require("child_process").execSync("which emacs").toString().replace(new RegExp("\n"), ""); // OK
|
||||
|
||||
x.replace(new RegExp("\n", "g"), "").replace(x, y); // OK
|
||||
x.replace(x, y).replace(new RegExp("\n", "g"), ""); // OK
|
||||
|
||||
x.replace(new RegExp("\n"), "").replace(x, y); // NOT OK
|
||||
x.replace(x, y).replace(new RegExp("\n"), ""); // NOT OK
|
||||
|
||||
x.replace(new RegExp("\n", unknownFlags()), "").replace(x, y); // OK
|
||||
x.replace(x, y).replace(new RegExp("\n", unknownFlags()), ""); // OK
|
||||
}
|
||||
|
||||
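Review bot: The new function name `newlinesNewReGexp` has a typo in the capitalisation (`ReGexp`), unlike every other `...NewRegExp` helper added in this hunk; rename it `function newlinesNewRegExp(s) {` so the test names stay greppable. The hunk opens inside the body of `incompleteComplexSanitizers`, whose start is outside the hunk, so the new functions are appended after it rather than inside it.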
@@ -2,6 +2,7 @@
|
||||
| tst.js:14:5:14:28 | new Reg ... (.*)?') | This route uses a case-sensitive path $@, but is guarding a $@. A path such as '/FOO/1' will bypass the middleware. | tst.js:14:5:14:28 | new Reg ... (.*)?') | pattern | tst.js:60:1:61:2 | app.get ... ware\\n}) | case-insensitive path |
|
||||
| tst.js:41:9:41:25 | /\\/foo\\/([0-9]+)/ | This route uses a case-sensitive path $@, but is guarding a $@. A path such as '/FOO/1' will bypass the middleware. | tst.js:41:9:41:25 | /\\/foo\\/([0-9]+)/ | pattern | tst.js:60:1:61:2 | app.get ... ware\\n}) | case-insensitive path |
|
||||
| tst.js:64:5:64:28 | new Reg ... (.*)?') | This route uses a case-sensitive path $@, but is guarding a $@. A path such as '/BAR/1' will bypass the middleware. | tst.js:64:5:64:28 | new Reg ... (.*)?') | pattern | tst.js:73:1:74:2 | app.get ... ware\\n}) | case-insensitive path |
|
||||
| tst.js:64:5:64:28 | new Reg ... (.*)?') | This route uses a case-sensitive path $@, but is guarding a $@. A path such as '/BAR/1' will bypass the middleware. | tst.js:64:5:64:28 | new Reg ... (.*)?') | pattern | tst.js:107:1:108:2 | app.get ... ware\\n}) | case-insensitive path |
|
||||
| tst.js:76:9:76:20 | /\\/baz\\/bla/ | This route uses a case-sensitive path $@, but is guarding a $@. A path such as '/BAZ/BLA' will bypass the middleware. | tst.js:76:9:76:20 | /\\/baz\\/bla/ | pattern | tst.js:77:1:79:2 | app.get ... });\\n}) | case-insensitive path |
|
||||
| tst.js:86:9:86:30 | /\\/[Bb] ... 3\\/[a]/ | This route uses a case-sensitive path $@, but is guarding a $@. A path such as '/BAZ3/A' will bypass the middleware. | tst.js:86:9:86:30 | /\\/[Bb] ... 3\\/[a]/ | pattern | tst.js:87:1:89:2 | app.get ... });\\n}) | case-insensitive path |
|
||||
| tst.js:91:9:91:40 | /\\/summ ... ntGame/ | This route uses a case-sensitive path $@, but is guarding a $@. A path such as '/CURRENTGAME' will bypass the middleware. | tst.js:91:9:91:40 | /\\/summ ... ntGame/ | pattern | tst.js:93:1:95:2 | app.get ... O");\\n}) | case-insensitive path |
|
||||
|
||||
@@ -93,3 +93,16 @@ app.use(/\/summonerByName|\/currentGame/,apiLimit1, apiLimit2);
|
||||
app.get('/currentGame', function (req, res) {
|
||||
res.send("FOO");
|
||||
});
|
||||
|
||||
app.get(
|
||||
new RegExp('^/bar(.*)?', unknownFlag()), // OK - Might be OK if the unknown flag evaluates to case insensitive one
|
||||
unknown(),
|
||||
function(req, res, next) {
|
||||
if (req.params.blah) {
|
||||
next();
|
||||
}
|
||||
}
|
||||
);
|
||||
|
||||
app.get('/bar/*', (req, res) => { // OK - not a middleware
|
||||
});
|
||||
|
||||
@@ -139,6 +139,10 @@ nodes
|
||||
| passwords.js:176:17:176:26 | myPasscode |
|
||||
| passwords.js:176:17:176:26 | myPasscode |
|
||||
| passwords.js:176:17:176:26 | myPasscode |
|
||||
| passwords.js:182:14:182:21 | password |
|
||||
| passwords.js:182:14:182:21 | password |
|
||||
| passwords.js:182:14:182:51 | passwor ... ), "*") |
|
||||
| passwords.js:182:14:182:51 | passwor ... ), "*") |
|
||||
| passwords_in_browser1.js:2:13:2:20 | password |
|
||||
| passwords_in_browser1.js:2:13:2:20 | password |
|
||||
| passwords_in_browser1.js:2:13:2:20 | password |
|
||||
@@ -285,6 +289,10 @@ edges
|
||||
| passwords.js:170:11:170:18 | password | passwords.js:170:11:170:39 | passwor ... g, "*") |
|
||||
| passwords.js:173:17:173:26 | myPassword | passwords.js:173:17:173:26 | myPassword |
|
||||
| passwords.js:176:17:176:26 | myPasscode | passwords.js:176:17:176:26 | myPasscode |
|
||||
| passwords.js:182:14:182:21 | password | passwords.js:182:14:182:51 | passwor ... ), "*") |
|
||||
| passwords.js:182:14:182:21 | password | passwords.js:182:14:182:51 | passwor ... ), "*") |
|
||||
| passwords.js:182:14:182:21 | password | passwords.js:182:14:182:51 | passwor ... ), "*") |
|
||||
| passwords.js:182:14:182:21 | password | passwords.js:182:14:182:51 | passwor ... ), "*") |
|
||||
| passwords_in_browser1.js:2:13:2:20 | password | passwords_in_browser1.js:2:13:2:20 | password |
|
||||
| passwords_in_browser2.js:2:13:2:20 | password | passwords_in_browser2.js:2:13:2:20 | password |
|
||||
| passwords_in_server_1.js:6:13:6:20 | password | passwords_in_server_1.js:6:13:6:20 | password |
|
||||
@@ -332,6 +340,7 @@ edges
|
||||
| passwords.js:170:11:170:39 | passwor ... g, "*") | passwords.js:170:11:170:18 | password | passwords.js:170:11:170:39 | passwor ... g, "*") | This logs sensitive data returned by $@ as clear text. | passwords.js:170:11:170:18 | password | an access to password |
|
||||
| passwords.js:173:17:173:26 | myPassword | passwords.js:173:17:173:26 | myPassword | passwords.js:173:17:173:26 | myPassword | This logs sensitive data returned by $@ as clear text. | passwords.js:173:17:173:26 | myPassword | an access to myPassword |
|
||||
| passwords.js:176:17:176:26 | myPasscode | passwords.js:176:17:176:26 | myPasscode | passwords.js:176:17:176:26 | myPasscode | This logs sensitive data returned by $@ as clear text. | passwords.js:176:17:176:26 | myPasscode | an access to myPasscode |
|
||||
| passwords.js:182:14:182:51 | passwor ... ), "*") | passwords.js:182:14:182:21 | password | passwords.js:182:14:182:51 | passwor ... ), "*") | This logs sensitive data returned by $@ as clear text. | passwords.js:182:14:182:21 | password | an access to password |
|
||||
| passwords_in_server_1.js:6:13:6:20 | password | passwords_in_server_1.js:6:13:6:20 | password | passwords_in_server_1.js:6:13:6:20 | password | This logs sensitive data returned by $@ as clear text. | passwords_in_server_1.js:6:13:6:20 | password | an access to password |
|
||||
| passwords_in_server_2.js:3:13:3:20 | password | passwords_in_server_2.js:3:13:3:20 | password | passwords_in_server_2.js:3:13:3:20 | password | This logs sensitive data returned by $@ as clear text. | passwords_in_server_2.js:3:13:3:20 | password | an access to password |
|
||||
| passwords_in_server_3.js:2:13:2:20 | password | passwords_in_server_3.js:2:13:2:20 | password | passwords_in_server_3.js:2:13:2:20 | password | This logs sensitive data returned by $@ as clear text. | passwords_in_server_3.js:2:13:2:20 | password | an access to password |
|
||||
|
||||
@@ -174,4 +174,12 @@ const debug = require('debug')('test');
|
||||
|
||||
const myPasscode = foo();
|
||||
console.log(myPasscode); // NOT OK
|
||||
});
|
||||
});
|
||||
|
||||
(function () {
|
||||
console.log(password.replace(/./g, "*")); // OK
|
||||
console.log(password.replace(new RegExp(".", "g"), "*")); // OK
|
||||
console.log(password.replace(new RegExp("."), "*")); // NOT OK
|
||||
console.log(password.replace(new RegExp(".", unknownFlags()), "*")); // OK -- Most likely not a problem.
|
||||
console.log(password.replace(new RegExp("pre_._suf", "g"), "*")); // OK
|
||||
})();
|
||||
|
||||
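Review bot: The comment on the `unknownFlags()` case, `// OK -- Most likely not a problem.`, does not say why the case is accepted, so a future reader cannot tell whether the expectation is intentional or an artefact of the analysis. State the rule the test pins, e.g. `// OK - flags are unknown, so the replace is treated as possibly global`, which is the `maybeGlobal` behaviour this PR introduces. The `unknownFlags()` case in the hunk starting `@@ -92,3 +92,16 @@ app.get("argv", ...` carries the same comment and would benefit from the same wording, since the same reasoning (a non-global replace escapes only the first metacharacter, hence the NOT OK line just above it) applies there.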
@@ -130,6 +130,9 @@
|
||||
| polynomial-redos.js:133:22:133:23 | f+ | Strings starting with 'f' and with many repetitions of 'f' can start matching anywhere after the start of the preceeding ff+G |
|
||||
| polynomial-redos.js:136:25:136:26 | h+ | Strings starting with 'h' and with many repetitions of 'h' can start matching anywhere after the start of the preceeding hh+I |
|
||||
| polynomial-redos.js:138:322:138:323 | .* | Strings starting with 'AAAAAAAAAAAAAAAAAAAAAABBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC' and with many repetitions of 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC' can start matching anywhere after the start of the preceeding (AA\|BB)(AA\|BB)(AA\|BB)(AA\|BB)(AA\|BB)(AA\|BB)(AA\|BB)(AA\|BB)(AA\|BB)(AA\|BB)(AA\|BB)(AA\|BB)(AA\|BB)(AA\|BB)(AA\|BB)(AA\|BB)(AA\|BB)(AA\|BB)(AA\|BB)(AA\|BB)(AA\|BB)(AA\|BB)(AA\|BB)(AA\|BB)(AA\|BB)(AA\|BB)(AA\|BB)(AA\|BB)(AA\|BB)(AA\|BB)(AA\|BB)(AA\|BB)(AA\|BB)(AA\|BB)(AA\|BB)(AA\|BB)(AA\|BB)(AA\|BB)(AA\|BB)(AA\|BB)(AA\|BB)(AA\|BB)(AA\|BB)C.*X |
|
||||
| polynomial-redos.js:140:33:140:34 | h+ | Strings starting with 'h' and with many repetitions of 'h' can start matching anywhere after the start of the preceeding hh+I |
|
||||
| polynomial-redos.js:141:33:141:34 | h+ | Strings starting with 'h' and with many repetitions of 'h' can start matching anywhere after the start of the preceeding hh+I |
|
||||
| polynomial-redos.js:142:33:142:34 | h+ | Strings starting with 'h' and with many repetitions of 'h' can start matching anywhere after the start of the preceeding hh+I |
|
||||
| regexplib/address.js:27:3:27:5 | \\s* | Strings with many repetitions of '\\t' can start matching anywhere after the start of the preceeding (\\s*\\(?0\\d{4}\\)?(\\s*\|-)\\d{3}(\\s*\|-)\\d{3}\\s*) |
|
||||
| regexplib/address.js:27:48:27:50 | \\s* | Strings with many repetitions of '\\t' can start matching anywhere after the start of the preceeding (\\s*\\(?0\\d{3}\\)?(\\s*\|-)\\d{3}(\\s*\|-)\\d{4}\\s*) |
|
||||
| regexplib/address.js:27:93:27:95 | \\s* | Strings with many repetitions of '\\t' can start matching anywhere after the start of the preceeding (\\s*(7\|8)(\\d{7}\|\\d{3}(\\-\|\\s{1})\\d{4})\\s*) |
|
||||
|
||||
@@ -249,6 +249,12 @@ nodes
|
||||
| polynomial-redos.js:136:5:136:13 | modified3 |
|
||||
| polynomial-redos.js:138:5:138:11 | tainted |
|
||||
| polynomial-redos.js:138:5:138:11 | tainted |
|
||||
| polynomial-redos.js:140:2:140:10 | modified3 |
|
||||
| polynomial-redos.js:140:2:140:10 | modified3 |
|
||||
| polynomial-redos.js:141:2:141:10 | modified3 |
|
||||
| polynomial-redos.js:141:2:141:10 | modified3 |
|
||||
| polynomial-redos.js:142:2:142:10 | modified3 |
|
||||
| polynomial-redos.js:142:2:142:10 | modified3 |
|
||||
edges
|
||||
| lib/closure.js:3:21:3:21 | x | lib/closure.js:4:16:4:16 | x |
|
||||
| lib/closure.js:3:21:3:21 | x | lib/closure.js:4:16:4:16 | x |
|
||||
@@ -489,6 +495,12 @@ edges
|
||||
| polynomial-redos.js:132:18:132:50 | tainted ... g, "e") | polynomial-redos.js:132:6:132:50 | modified2 |
|
||||
| polynomial-redos.js:135:9:135:47 | modified3 | polynomial-redos.js:136:5:136:13 | modified3 |
|
||||
| polynomial-redos.js:135:9:135:47 | modified3 | polynomial-redos.js:136:5:136:13 | modified3 |
|
||||
| polynomial-redos.js:135:9:135:47 | modified3 | polynomial-redos.js:140:2:140:10 | modified3 |
|
||||
| polynomial-redos.js:135:9:135:47 | modified3 | polynomial-redos.js:140:2:140:10 | modified3 |
|
||||
| polynomial-redos.js:135:9:135:47 | modified3 | polynomial-redos.js:141:2:141:10 | modified3 |
|
||||
| polynomial-redos.js:135:9:135:47 | modified3 | polynomial-redos.js:141:2:141:10 | modified3 |
|
||||
| polynomial-redos.js:135:9:135:47 | modified3 | polynomial-redos.js:142:2:142:10 | modified3 |
|
||||
| polynomial-redos.js:135:9:135:47 | modified3 | polynomial-redos.js:142:2:142:10 | modified3 |
|
||||
| polynomial-redos.js:135:21:135:27 | tainted | polynomial-redos.js:135:21:135:47 | tainted ... /g, "") |
|
||||
| polynomial-redos.js:135:21:135:47 | tainted ... /g, "") | polynomial-redos.js:135:9:135:47 | modified3 |
|
||||
#select
|
||||
@@ -590,3 +602,6 @@ edges
|
||||
| polynomial-redos.js:133:2:133:32 | modifie ... g, "b") | polynomial-redos.js:5:16:5:32 | req.query.tainted | polynomial-redos.js:133:2:133:10 | modified2 | This $@ that depends on $@ may run slow on strings starting with 'f' and with many repetitions of 'f'. | polynomial-redos.js:133:22:133:23 | f+ | regular expression | polynomial-redos.js:5:16:5:32 | req.query.tainted | a user-provided value |
|
||||
| polynomial-redos.js:136:5:136:35 | modifie ... g, "b") | polynomial-redos.js:5:16:5:32 | req.query.tainted | polynomial-redos.js:136:5:136:13 | modified3 | This $@ that depends on $@ may run slow on strings starting with 'h' and with many repetitions of 'h'. | polynomial-redos.js:136:25:136:26 | h+ | regular expression | polynomial-redos.js:5:16:5:32 | req.query.tainted | a user-provided value |
|
||||
| polynomial-redos.js:138:5:138:326 | tainted ... )C.*X/) | polynomial-redos.js:5:16:5:32 | req.query.tainted | polynomial-redos.js:138:5:138:11 | tainted | This $@ that depends on $@ may run slow on strings starting with 'AAAAAAAAAAAAAAAAAAAAAABBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC' and with many repetitions of 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC'. | polynomial-redos.js:138:322:138:323 | .* | regular expression | polynomial-redos.js:5:16:5:32 | req.query.tainted | a user-provided value |
|
||||
| polynomial-redos.js:140:2:140:48 | modifie ... ), "b") | polynomial-redos.js:5:16:5:32 | req.query.tainted | polynomial-redos.js:140:2:140:10 | modified3 | This $@ that depends on $@ may run slow on strings starting with 'h' and with many repetitions of 'h'. | polynomial-redos.js:140:33:140:34 | h+ | regular expression | polynomial-redos.js:5:16:5:32 | req.query.tainted | a user-provided value |
|
||||
| polynomial-redos.js:141:2:141:59 | modifie ... ), "b") | polynomial-redos.js:5:16:5:32 | req.query.tainted | polynomial-redos.js:141:2:141:10 | modified3 | This $@ that depends on $@ may run slow on strings starting with 'h' and with many repetitions of 'h'. | polynomial-redos.js:141:33:141:34 | h+ | regular expression | polynomial-redos.js:5:16:5:32 | req.query.tainted | a user-provided value |
|
||||
| polynomial-redos.js:142:2:142:47 | modifie ... ), "b") | polynomial-redos.js:5:16:5:32 | req.query.tainted | polynomial-redos.js:142:2:142:10 | modified3 | This $@ that depends on $@ may run slow on strings starting with 'h' and with many repetitions of 'h'. | polynomial-redos.js:142:33:142:34 | h+ | regular expression | polynomial-redos.js:5:16:5:32 | req.query.tainted | a user-provided value |
|
||||
|
||||
@@ -136,4 +136,8 @@ app.use(function(req, res) {
|
||||
modified3.replace(/hh+I/g, "b"); // NOT OK
|
||||
|
||||
tainted.match(/(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)C.*X/); // NOT OK
|
||||
|
||||
modified3.replace(new RegExp("hh+I", "g"), "b"); // NOT OK
|
||||
modified3.replace(new RegExp("hh+I", unknownFlags()), "b"); // NOT OK
|
||||
modified3.replace(new RegExp("hh+I", ""), "b"); // NOT OK
|
||||
});
|
||||
|
||||
@@ -64,6 +64,14 @@ nodes
|
||||
| RegExpInjection.js:93:20:93:31 | process.argv |
|
||||
| RegExpInjection.js:93:20:93:31 | process.argv |
|
||||
| RegExpInjection.js:93:20:93:34 | process.argv[1] |
|
||||
| RegExpInjection.js:97:7:97:32 | input |
|
||||
| RegExpInjection.js:97:15:97:32 | req.param("input") |
|
||||
| RegExpInjection.js:97:15:97:32 | req.param("input") |
|
||||
| RegExpInjection.js:99:7:99:106 | sanitized |
|
||||
| RegExpInjection.js:99:19:99:23 | input |
|
||||
| RegExpInjection.js:99:19:99:106 | input.r ... "\\\\$&") |
|
||||
| RegExpInjection.js:100:14:100:22 | sanitized |
|
||||
| RegExpInjection.js:100:14:100:22 | sanitized |
|
||||
| tst.js:5:9:5:29 | data |
|
||||
| tst.js:5:16:5:29 | req.query.data |
|
||||
| tst.js:5:16:5:29 | req.query.data |
|
||||
@@ -133,6 +141,13 @@ edges
|
||||
| RegExpInjection.js:93:20:93:31 | process.argv | RegExpInjection.js:93:20:93:34 | process.argv[1] |
|
||||
| RegExpInjection.js:93:20:93:34 | process.argv[1] | RegExpInjection.js:93:16:93:49 | `^${pro ... r.app$` |
|
||||
| RegExpInjection.js:93:20:93:34 | process.argv[1] | RegExpInjection.js:93:16:93:49 | `^${pro ... r.app$` |
|
||||
| RegExpInjection.js:97:7:97:32 | input | RegExpInjection.js:99:19:99:23 | input |
|
||||
| RegExpInjection.js:97:15:97:32 | req.param("input") | RegExpInjection.js:97:7:97:32 | input |
|
||||
| RegExpInjection.js:97:15:97:32 | req.param("input") | RegExpInjection.js:97:7:97:32 | input |
|
||||
| RegExpInjection.js:99:7:99:106 | sanitized | RegExpInjection.js:100:14:100:22 | sanitized |
|
||||
| RegExpInjection.js:99:7:99:106 | sanitized | RegExpInjection.js:100:14:100:22 | sanitized |
|
||||
| RegExpInjection.js:99:19:99:23 | input | RegExpInjection.js:99:19:99:106 | input.r ... "\\\\$&") |
|
||||
| RegExpInjection.js:99:19:99:106 | input.r ... "\\\\$&") | RegExpInjection.js:99:7:99:106 | sanitized |
|
||||
| tst.js:5:9:5:29 | data | tst.js:6:21:6:24 | data |
|
||||
| tst.js:5:16:5:29 | req.query.data | tst.js:5:9:5:29 | data |
|
||||
| tst.js:5:16:5:29 | req.query.data | tst.js:5:9:5:29 | data |
|
||||
@@ -157,4 +172,5 @@ edges
|
||||
| RegExpInjection.js:87:14:87:55 | "^.*\\.( ... + ")$" | RegExpInjection.js:82:15:82:32 | req.param("input") | RegExpInjection.js:87:14:87:55 | "^.*\\.( ... + ")$" | This regular expression is constructed from a $@. | RegExpInjection.js:82:15:82:32 | req.param("input") | user-provided value |
|
||||
| RegExpInjection.js:91:16:91:50 | `^${pro ... r.app$` | RegExpInjection.js:91:20:91:30 | process.env | RegExpInjection.js:91:16:91:50 | `^${pro ... r.app$` | This regular expression is constructed from a $@. | RegExpInjection.js:91:20:91:30 | process.env | environment variable |
|
||||
| RegExpInjection.js:93:16:93:49 | `^${pro ... r.app$` | RegExpInjection.js:93:20:93:31 | process.argv | RegExpInjection.js:93:16:93:49 | `^${pro ... r.app$` | This regular expression is constructed from a $@. | RegExpInjection.js:93:20:93:31 | process.argv | command-line argument |
|
||||
| RegExpInjection.js:100:14:100:22 | sanitized | RegExpInjection.js:97:15:97:32 | req.param("input") | RegExpInjection.js:100:14:100:22 | sanitized | This regular expression is constructed from a $@. | RegExpInjection.js:97:15:97:32 | req.param("input") | user-provided value |
|
||||
| tst.js:6:16:6:35 | "^"+ data.name + "$" | tst.js:5:16:5:29 | req.query.data | tst.js:6:16:6:35 | "^"+ data.name + "$" | This regular expression is constructed from a $@. | tst.js:5:16:5:29 | req.query.data | user-provided value |
|
||||
|
||||
@@ -92,3 +92,16 @@ app.get("argv", function(req, res) {
|
||||
|
||||
new RegExp(`^${process.argv[1]}/Foo/bar.app$`); // NOT OK
|
||||
});
|
||||
|
||||
app.get("argv", function(req, res) {
|
||||
var input = req.param("input");
|
||||
|
||||
var sanitized = input.replace(new RegExp("[\\-\\[\\]\\/\\{\\}\\(\\)\\*\\+\\?\\.\\\\\\^\\$\\|]"), "\\$&");
|
||||
new RegExp(sanitized); // NOT OK
|
||||
|
||||
var sanitized = input.replace(new RegExp("[\\-\\[\\]\\/\\{\\}\\(\\)\\*\\+\\?\\.\\\\\\^\\$\\|]", "g"), "\\$&");
|
||||
new RegExp(sanitized); // OK
|
||||
|
||||
var sanitized = input.replace(new RegExp("[\\-\\[\\]\\/\\{\\}\\(\\)\\*\\+\\?\\.\\\\\\^\\$\\|]", unknownFlags()), "\\$&");
|
||||
new RegExp(sanitized); // OK -- Most likely not a problem.
|
||||
});
|
||||
|
||||
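Review bot: The three test cases reuse one `var sanitized` that is redeclared and reassigned, so the OK / NOT OK verdict on each `new RegExp(sanitized)` depends on the analysis keeping the three assignments apart through flow; the expected output only reports the first use, which suggests it does, but the cases would stand alone better with distinct names, e.g. `var sanitizedNoFlags = ...`, `var sanitizedGlobal = ...`, `var sanitizedUnknownFlags = ...`. The NOT OK case is the security-relevant one: without `g`, the `"\\$&"` replacement escapes only the first metacharacter of the input, leaving the rest of the pattern attacker-controlled.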
@@ -190,6 +190,11 @@ nodes
|
||||
| tst.js:105:5:105:17 | object[taint] |
|
||||
| tst.js:105:5:105:17 | object[taint] |
|
||||
| tst.js:105:12:105:16 | taint |
|
||||
| tst.js:130:5:130:53 | obj[req ... ), '')] |
|
||||
| tst.js:130:5:130:53 | obj[req ... ), '')] |
|
||||
| tst.js:130:9:130:19 | req.query.x |
|
||||
| tst.js:130:9:130:19 | req.query.x |
|
||||
| tst.js:130:9:130:52 | req.que ... '), '') |
|
||||
edges
|
||||
| lib.js:1:38:1:40 | obj | lib.js:6:7:6:9 | obj |
|
||||
| lib.js:1:38:1:40 | obj | lib.js:6:7:6:9 | obj |
|
||||
@@ -366,6 +371,10 @@ edges
|
||||
| tst.js:102:24:102:37 | req.query.data | tst.js:102:17:102:38 | String( ... y.data) |
|
||||
| tst.js:105:12:105:16 | taint | tst.js:105:5:105:17 | object[taint] |
|
||||
| tst.js:105:12:105:16 | taint | tst.js:105:5:105:17 | object[taint] |
|
||||
| tst.js:130:9:130:19 | req.query.x | tst.js:130:9:130:52 | req.que ... '), '') |
|
||||
| tst.js:130:9:130:19 | req.query.x | tst.js:130:9:130:52 | req.que ... '), '') |
|
||||
| tst.js:130:9:130:52 | req.que ... '), '') | tst.js:130:5:130:53 | obj[req ... ), '')] |
|
||||
| tst.js:130:9:130:52 | req.que ... '), '') | tst.js:130:5:130:53 | obj[req ... ), '')] |
|
||||
#select
|
||||
| lib.js:6:7:6:9 | obj | lib.js:1:43:1:46 | path | lib.js:6:7:6:9 | obj | This assignment may alter Object.prototype if a malicious '__proto__' string is injected from $@. | lib.js:1:43:1:46 | path | library input |
|
||||
| lib.js:15:3:15:14 | obj[path[0]] | lib.js:14:38:14:41 | path | lib.js:15:3:15:14 | obj[path[0]] | This assignment may alter Object.prototype if a malicious '__proto__' string is injected from $@. | lib.js:14:38:14:41 | path | library input |
|
||||
@@ -394,3 +403,4 @@ edges
|
||||
| tst.js:94:5:94:37 | obj[req ... ', '')] | tst.js:94:9:94:19 | req.query.x | tst.js:94:5:94:37 | obj[req ... ', '')] | This assignment may alter Object.prototype if a malicious '__proto__' string is injected from $@. | tst.js:94:9:94:19 | req.query.x | user controlled input |
|
||||
| tst.js:97:5:97:46 | obj[req ... g, '')] | tst.js:97:9:97:19 | req.query.x | tst.js:97:5:97:46 | obj[req ... g, '')] | This assignment may alter Object.prototype if a malicious '__proto__' string is injected from $@. | tst.js:97:9:97:19 | req.query.x | user controlled input |
|
||||
| tst.js:105:5:105:17 | object[taint] | tst.js:102:24:102:37 | req.query.data | tst.js:105:5:105:17 | object[taint] | This assignment may alter Object.prototype if a malicious '__proto__' string is injected from $@. | tst.js:102:24:102:37 | req.query.data | user controlled input |
|
||||
| tst.js:130:5:130:53 | obj[req ... ), '')] | tst.js:130:9:130:19 | req.query.x | tst.js:130:5:130:53 | obj[req ... ), '')] | This assignment may alter Object.prototype if a malicious '__proto__' string is injected from $@. | tst.js:130:9:130:19 | req.query.x | user controlled input |
|
||||
|
||||
@@ -123,3 +123,10 @@ app.get('/assign', (req, res) => {
|
||||
Object.assign(dest, plainObj[taint]);
|
||||
dest[taint] = taint; // OK - 'dest' is not Object.prototype itself (but possibly a copy)
|
||||
});
|
||||
|
||||
app.get('/foo', (req, res) => {
|
||||
let obj = {};
|
||||
obj[req.query.x.replace(new RegExp('_', 'g'), '')].x = 'foo'; // OK
|
||||
obj[req.query.x.replace(new RegExp('_', ''), '')].x = 'foo'; // NOT OK
|
||||
obj[req.query.x.replace(new RegExp('_', unknownFlags()), '')].x = 'foo'; // OK
|
||||
});
|
||||
|
||||