update consistency comments for CWE-601

This commit is contained in:
Erik Krogh Kristensen
2020-07-08 10:02:29 +02:00
parent ce6a211340
commit 1f1c09af02
3 changed files with 54 additions and 55 deletions


@@ -56,32 +56,32 @@ nodes
| koa.js:14:16:14:18 | url |
| koa.js:20:16:20:18 | url |
| koa.js:20:16:20:18 | url |
| node.js:6:7:6:52 | target |
| node.js:6:16:6:39 | url.par ... , true) |
| node.js:6:16:6:45 | url.par ... ).query |
| node.js:6:16:6:52 | url.par ... .target |
| node.js:6:26:6:32 | req.url |
| node.js:6:26:6:32 | req.url |
| node.js:7:34:7:39 | target |
| node.js:7:34:7:39 | target |
| node.js:11:7:11:52 | target |
| node.js:11:16:11:39 | url.par ... , true) |
| node.js:11:16:11:45 | url.par ... ).query |
| node.js:11:16:11:52 | url.par ... .target |
| node.js:11:26:11:32 | req.url |
| node.js:11:26:11:32 | req.url |
| node.js:15:34:15:45 | '/' + target |
| node.js:15:34:15:45 | '/' + target |
| node.js:15:40:15:45 | target |
| node.js:29:7:29:52 | target |
| node.js:29:16:29:39 | url.par ... , true) |
| node.js:29:16:29:45 | url.par ... ).query |
| node.js:29:16:29:52 | url.par ... .target |
| node.js:29:26:29:32 | req.url |
| node.js:29:26:29:32 | req.url |
| node.js:32:34:32:39 | target |
| node.js:32:34:32:55 | target ... =" + me |
| node.js:32:34:32:55 | target ... =" + me |
| node.js:5:7:5:52 | target |
| node.js:5:16:5:39 | url.par ... , true) |
| node.js:5:16:5:45 | url.par ... ).query |
| node.js:5:16:5:52 | url.par ... .target |
| node.js:5:26:5:32 | req.url |
| node.js:5:26:5:32 | req.url |
| node.js:6:34:6:39 | target |
| node.js:6:34:6:39 | target |
| node.js:10:7:10:52 | target |
| node.js:10:16:10:39 | url.par ... , true) |
| node.js:10:16:10:45 | url.par ... ).query |
| node.js:10:16:10:52 | url.par ... .target |
| node.js:10:26:10:32 | req.url |
| node.js:10:26:10:32 | req.url |
| node.js:14:34:14:45 | '/' + target |
| node.js:14:34:14:45 | '/' + target |
| node.js:14:40:14:45 | target |
| node.js:28:7:28:52 | target |
| node.js:28:16:28:39 | url.par ... , true) |
| node.js:28:16:28:45 | url.par ... ).query |
| node.js:28:16:28:52 | url.par ... .target |
| node.js:28:26:28:32 | req.url |
| node.js:28:26:28:32 | req.url |
| node.js:31:34:31:39 | target |
| node.js:31:34:31:55 | target ... =" + me |
| node.js:31:34:31:55 | target ... =" + me |
| react-native.js:7:7:7:33 | tainted |
| react-native.js:7:17:7:33 | req.param("code") |
| react-native.js:7:17:7:33 | req.param("code") |
@@ -139,29 +139,29 @@ edges
| koa.js:6:12:6:27 | ctx.query.target | koa.js:6:6:6:27 | url |
| koa.js:8:18:8:20 | url | koa.js:8:15:8:26 | `${url}${x}` |
| koa.js:8:18:8:20 | url | koa.js:8:15:8:26 | `${url}${x}` |
| node.js:6:7:6:52 | target | node.js:7:34:7:39 | target |
| node.js:6:7:6:52 | target | node.js:7:34:7:39 | target |
| node.js:6:16:6:39 | url.par ... , true) | node.js:6:16:6:45 | url.par ... ).query |
| node.js:6:16:6:45 | url.par ... ).query | node.js:6:16:6:52 | url.par ... .target |
| node.js:6:16:6:52 | url.par ... .target | node.js:6:7:6:52 | target |
| node.js:6:26:6:32 | req.url | node.js:6:16:6:39 | url.par ... , true) |
| node.js:6:26:6:32 | req.url | node.js:6:16:6:39 | url.par ... , true) |
| node.js:11:7:11:52 | target | node.js:15:40:15:45 | target |
| node.js:11:16:11:39 | url.par ... , true) | node.js:11:16:11:45 | url.par ... ).query |
| node.js:11:16:11:45 | url.par ... ).query | node.js:11:16:11:52 | url.par ... .target |
| node.js:11:16:11:52 | url.par ... .target | node.js:11:7:11:52 | target |
| node.js:11:26:11:32 | req.url | node.js:11:16:11:39 | url.par ... , true) |
| node.js:11:26:11:32 | req.url | node.js:11:16:11:39 | url.par ... , true) |
| node.js:15:40:15:45 | target | node.js:15:34:15:45 | '/' + target |
| node.js:15:40:15:45 | target | node.js:15:34:15:45 | '/' + target |
| node.js:29:7:29:52 | target | node.js:32:34:32:39 | target |
| node.js:29:16:29:39 | url.par ... , true) | node.js:29:16:29:45 | url.par ... ).query |
| node.js:29:16:29:45 | url.par ... ).query | node.js:29:16:29:52 | url.par ... .target |
| node.js:29:16:29:52 | url.par ... .target | node.js:29:7:29:52 | target |
| node.js:29:26:29:32 | req.url | node.js:29:16:29:39 | url.par ... , true) |
| node.js:29:26:29:32 | req.url | node.js:29:16:29:39 | url.par ... , true) |
| node.js:32:34:32:39 | target | node.js:32:34:32:55 | target ... =" + me |
| node.js:32:34:32:39 | target | node.js:32:34:32:55 | target ... =" + me |
| node.js:5:7:5:52 | target | node.js:6:34:6:39 | target |
| node.js:5:7:5:52 | target | node.js:6:34:6:39 | target |
| node.js:5:16:5:39 | url.par ... , true) | node.js:5:16:5:45 | url.par ... ).query |
| node.js:5:16:5:45 | url.par ... ).query | node.js:5:16:5:52 | url.par ... .target |
| node.js:5:16:5:52 | url.par ... .target | node.js:5:7:5:52 | target |
| node.js:5:26:5:32 | req.url | node.js:5:16:5:39 | url.par ... , true) |
| node.js:5:26:5:32 | req.url | node.js:5:16:5:39 | url.par ... , true) |
| node.js:10:7:10:52 | target | node.js:14:40:14:45 | target |
| node.js:10:16:10:39 | url.par ... , true) | node.js:10:16:10:45 | url.par ... ).query |
| node.js:10:16:10:45 | url.par ... ).query | node.js:10:16:10:52 | url.par ... .target |
| node.js:10:16:10:52 | url.par ... .target | node.js:10:7:10:52 | target |
| node.js:10:26:10:32 | req.url | node.js:10:16:10:39 | url.par ... , true) |
| node.js:10:26:10:32 | req.url | node.js:10:16:10:39 | url.par ... , true) |
| node.js:14:40:14:45 | target | node.js:14:34:14:45 | '/' + target |
| node.js:14:40:14:45 | target | node.js:14:34:14:45 | '/' + target |
| node.js:28:7:28:52 | target | node.js:31:34:31:39 | target |
| node.js:28:16:28:39 | url.par ... , true) | node.js:28:16:28:45 | url.par ... ).query |
| node.js:28:16:28:45 | url.par ... ).query | node.js:28:16:28:52 | url.par ... .target |
| node.js:28:16:28:52 | url.par ... .target | node.js:28:7:28:52 | target |
| node.js:28:26:28:32 | req.url | node.js:28:16:28:39 | url.par ... , true) |
| node.js:28:26:28:32 | req.url | node.js:28:16:28:39 | url.par ... , true) |
| node.js:31:34:31:39 | target | node.js:31:34:31:55 | target ... =" + me |
| node.js:31:34:31:39 | target | node.js:31:34:31:55 | target ... =" + me |
| react-native.js:7:7:7:33 | tainted | react-native.js:8:17:8:23 | tainted |
| react-native.js:7:7:7:33 | tainted | react-native.js:8:17:8:23 | tainted |
| react-native.js:7:7:7:33 | tainted | react-native.js:9:26:9:32 | tainted |
@@ -185,8 +185,8 @@ edges
| koa.js:8:15:8:26 | `${url}${x}` | koa.js:6:12:6:27 | ctx.query.target | koa.js:8:15:8:26 | `${url}${x}` | Untrusted URL redirection due to $@. | koa.js:6:12:6:27 | ctx.query.target | user-provided value |
| koa.js:14:16:14:18 | url | koa.js:6:12:6:27 | ctx.query.target | koa.js:14:16:14:18 | url | Untrusted URL redirection due to $@. | koa.js:6:12:6:27 | ctx.query.target | user-provided value |
| koa.js:20:16:20:18 | url | koa.js:6:12:6:27 | ctx.query.target | koa.js:20:16:20:18 | url | Untrusted URL redirection due to $@. | koa.js:6:12:6:27 | ctx.query.target | user-provided value |
| node.js:7:34:7:39 | target | node.js:6:26:6:32 | req.url | node.js:7:34:7:39 | target | Untrusted URL redirection due to $@. | node.js:6:26:6:32 | req.url | user-provided value |
| node.js:15:34:15:45 | '/' + target | node.js:11:26:11:32 | req.url | node.js:15:34:15:45 | '/' + target | Untrusted URL redirection due to $@. | node.js:11:26:11:32 | req.url | user-provided value |
| node.js:32:34:32:55 | target ... =" + me | node.js:29:26:29:32 | req.url | node.js:32:34:32:55 | target ... =" + me | Untrusted URL redirection due to $@. | node.js:29:26:29:32 | req.url | user-provided value |
| node.js:6:34:6:39 | target | node.js:5:26:5:32 | req.url | node.js:6:34:6:39 | target | Untrusted URL redirection due to $@. | node.js:5:26:5:32 | req.url | user-provided value |
| node.js:14:34:14:45 | '/' + target | node.js:10:26:10:32 | req.url | node.js:14:34:14:45 | '/' + target | Untrusted URL redirection due to $@. | node.js:10:26:10:32 | req.url | user-provided value |
| node.js:31:34:31:55 | target ... =" + me | node.js:28:26:28:32 | req.url | node.js:31:34:31:55 | target ... =" + me | Untrusted URL redirection due to $@. | node.js:28:26:28:32 | req.url | user-provided value |
| react-native.js:8:17:8:23 | tainted | react-native.js:7:17:7:33 | req.param("code") | react-native.js:8:17:8:23 | tainted | Untrusted URL redirection due to $@. | react-native.js:7:17:7:33 | req.param("code") | user-provided value |
| react-native.js:9:26:9:32 | tainted | react-native.js:7:17:7:33 | req.param("code") | react-native.js:9:26:9:32 | tainted | Untrusted URL redirection due to $@. | react-native.js:7:17:7:33 | req.param("code") | user-provided value |


@@ -135,6 +135,6 @@ app.get('/redirect/:user', function(req, res) {
res.redirect('//' + req.params.user); // BAD - could go to //evil.com
res.redirect('u' + req.params.user); // BAD - could go to u.evil.com
res.redirect('/' + ('/u' + req.params.user)); // BAD - could go to //u.evil.com, but not flagged
res.redirect('/' + ('/u' + req.params.user)); // BAD - could go to //u.evil.com, but not flagged [INCONSISTENCY]
res.redirect('/u' + req.params.user); // GOOD
});
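Review bot: The `[INCONSISTENCY]` marker added to the `'/' + ('/u' + req.params.user)` line records a known false negative but gives no reason for it, which is what the next person touching this test will need in order to decide whether the gap is still expected; a short cause in the comment would make the marker actionable, e.g. `// BAD - could go to //u.evil.com, but not flagged [INCONSISTENCY]: a literal '/' prefix only keeps the redirect relative when the appended value cannot itself start with '/'`. The two `BAD` lines above it (`'//' + ...` and `'u' + ...`) carry no marker, so presumably those are expected to be flagged; that is worth confirming against the .expected output in the same commit rather than leaving it implicit. The enclosing `app.get('/redirect/:user', ...)` handler starts outside the hunk.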


@@ -2,9 +2,8 @@ var https = require('https');
var url = require('url');
var server = https.createServer(function(req, res) {
// BAD: a request parameter is incorporated without validation into a URL redirect
let target = url.parse(req.url, true).query.target;
res.writeHead(302, { Location: target });
res.writeHead(302, { Location: target }); // BAD: a request parameter is incorporated without validation into a URL redirect
})
server.on('request', (req, res) => {