mirror of
https://github.com/github/codeql.git
synced 2026-05-03 04:39:29 +02:00
Merge branch 'main' into js/underscore-string
This commit is contained in:
Napalys Klicius
@@ -2,4 +2,4 @@ const MyStream = require('classes').MyStream;
|
||||
|
||||
var s = new MyStream();
|
||||
for (let m of ["write"])
|
||||
s[m]("Hello, world!"); /* use=moduleImport("classes").getMember("exports").getMember("MyStream").getInstance().getUnknownMember() */
|
||||
s[m]("Hello, world!"); /* use=moduleImport("classes").getMember("exports").getMember("MyStream").getInstance().getArrayElement() */
|
||||
|
||||
@@ -81,6 +81,10 @@ taintFlow
|
||||
| test.js:272:6:272:40 | new MyS ... ource() | test.js:272:6:272:40 | new MyS ... ource() |
|
||||
| test.js:274:6:274:39 | testlib ... eName() | test.js:274:6:274:39 | testlib ... eName() |
|
||||
| test.js:277:8:277:31 | "danger ... .danger | test.js:277:8:277:31 | "danger ... .danger |
|
||||
| test.js:284:8:284:16 | source[0] | test.js:284:8:284:16 | source[0] |
|
||||
| test.js:285:8:285:19 | source.pop() | test.js:285:8:285:19 | source.pop() |
|
||||
| test.js:286:18:286:18 | e | test.js:286:28:286:28 | e |
|
||||
| test.js:287:14:287:14 | e | test.js:287:24:287:24 | e |
|
||||
isSink
|
||||
| test.js:54:18:54:25 | source() | test-sink |
|
||||
| test.js:55:22:55:29 | source() | test-sink |
|
||||
|
||||
@@ -10,6 +10,7 @@ extensions:
|
||||
- ['testlib', 'Member[MethodDecorator].DecoratedMember.Parameter[0]', 'test-source']
|
||||
- ['testlib', 'Member[ParamDecoratorSource].DecoratedParameter', 'test-source']
|
||||
- ['testlib', 'Member[getSource].ReturnValue', 'test-source']
|
||||
- ['testlib', 'Member[getSourceArray].ReturnValue.ArrayElement', 'test-source']
|
||||
- ['(testlib)', 'Member[parenthesizedPackageName].ReturnValue', 'test-source']
|
||||
- ['danger-constant', 'Member[danger]', 'test-source']
|
||||
|
||||
|
||||
@@ -278,3 +278,11 @@ function dangerConstant() {
|
||||
sink("danger-constant".safe); // OK
|
||||
sink("danger-constant"); // OK
|
||||
}
|
||||
|
||||
function arraySource() {
|
||||
const source = testlib.getSourceArray();
|
||||
sink(source[0]); // NOT OK
|
||||
sink(source.pop()); // NOT OK
|
||||
source.forEach(e => sink(e)); // NOT OK
|
||||
source.map(e => sink(e)); // NOT OK
|
||||
}
|
||||
|
||||
@@ -45,6 +45,8 @@
|
||||
| TaintedPath.js:195:29:195:85 | path.re ... '), '') | TaintedPath.js:191:24:191:30 | req.url | TaintedPath.js:195:29:195:85 | path.re ... '), '') | This path depends on a $@. | TaintedPath.js:191:24:191:30 | req.url | user-provided value |
|
||||
| TaintedPath.js:202:29:202:68 | path.re ... '), '') | TaintedPath.js:200:24:200:30 | req.url | TaintedPath.js:202:29:202:68 | path.re ... '), '') | This path depends on a $@. | TaintedPath.js:200:24:200:30 | req.url | user-provided value |
|
||||
| TaintedPath.js:205:31:205:69 | path.re ... '), '') | TaintedPath.js:200:24:200:30 | req.url | TaintedPath.js:205:31:205:69 | path.re ... '), '') | This path depends on a $@. | TaintedPath.js:200:24:200:30 | req.url | user-provided value |
|
||||
| TaintedPath.js:214:29:214:42 | improperEscape | TaintedPath.js:212:24:212:30 | req.url | TaintedPath.js:214:29:214:42 | improperEscape | This path depends on a $@. | TaintedPath.js:212:24:212:30 | req.url | user-provided value |
|
||||
| TaintedPath.js:216:29:216:43 | improperEscape2 | TaintedPath.js:212:24:212:30 | req.url | TaintedPath.js:216:29:216:43 | improperEscape2 | This path depends on a $@. | TaintedPath.js:212:24:212:30 | req.url | user-provided value |
|
||||
| examples/TaintedPath.js:10:29:10:43 | ROOT + filePath | examples/TaintedPath.js:8:28:8:34 | req.url | examples/TaintedPath.js:10:29:10:43 | ROOT + filePath | This path depends on a $@. | examples/TaintedPath.js:8:28:8:34 | req.url | user-provided value |
|
||||
| express.js:8:20:8:32 | req.query.bar | express.js:8:20:8:32 | req.query.bar | express.js:8:20:8:32 | req.query.bar | This path depends on a $@. | express.js:8:20:8:32 | req.query.bar | user-provided value |
|
||||
| handlebars.js:11:32:11:39 | filePath | handlebars.js:29:46:29:60 | req.params.path | handlebars.js:11:32:11:39 | filePath | This path depends on a $@. | handlebars.js:29:46:29:60 | req.params.path | user-provided value |
|
||||
@@ -320,6 +322,18 @@ edges
|
||||
| TaintedPath.js:200:24:200:30 | req.url | TaintedPath.js:200:14:200:37 | url.par ... , true) | provenance | Config |
|
||||
| TaintedPath.js:202:29:202:32 | path | TaintedPath.js:202:29:202:68 | path.re ... '), '') | provenance | Config |
|
||||
| TaintedPath.js:205:31:205:34 | path | TaintedPath.js:205:31:205:69 | path.re ... '), '') | provenance | Config |
|
||||
| TaintedPath.js:212:7:212:48 | path | TaintedPath.js:213:33:213:36 | path | provenance | |
|
||||
| TaintedPath.js:212:7:212:48 | path | TaintedPath.js:215:36:215:39 | path | provenance | |
|
||||
| TaintedPath.js:212:14:212:37 | url.par ... , true) | TaintedPath.js:212:14:212:43 | url.par ... ).query | provenance | Config |
|
||||
| TaintedPath.js:212:14:212:43 | url.par ... ).query | TaintedPath.js:212:14:212:48 | url.par ... ry.path | provenance | Config |
|
||||
| TaintedPath.js:212:14:212:48 | url.par ... ry.path | TaintedPath.js:212:7:212:48 | path | provenance | |
|
||||
| TaintedPath.js:212:24:212:30 | req.url | TaintedPath.js:212:14:212:37 | url.par ... , true) | provenance | Config |
|
||||
| TaintedPath.js:213:9:213:37 | improperEscape | TaintedPath.js:214:29:214:42 | improperEscape | provenance | |
|
||||
| TaintedPath.js:213:26:213:37 | escape(path) | TaintedPath.js:213:9:213:37 | improperEscape | provenance | |
|
||||
| TaintedPath.js:213:33:213:36 | path | TaintedPath.js:213:26:213:37 | escape(path) | provenance | Config |
|
||||
| TaintedPath.js:215:9:215:40 | improperEscape2 | TaintedPath.js:216:29:216:43 | improperEscape2 | provenance | |
|
||||
| TaintedPath.js:215:27:215:40 | unescape(path) | TaintedPath.js:215:9:215:40 | improperEscape2 | provenance | |
|
||||
| TaintedPath.js:215:36:215:39 | path | TaintedPath.js:215:27:215:40 | unescape(path) | provenance | Config |
|
||||
| examples/TaintedPath.js:8:7:8:52 | filePath | examples/TaintedPath.js:10:36:10:43 | filePath | provenance | |
|
||||
| examples/TaintedPath.js:8:18:8:41 | url.par ... , true) | examples/TaintedPath.js:8:18:8:47 | url.par ... ).query | provenance | Config |
|
||||
| examples/TaintedPath.js:8:18:8:47 | url.par ... ).query | examples/TaintedPath.js:8:18:8:52 | url.par ... ry.path | provenance | Config |
|
||||
@@ -780,6 +794,19 @@ nodes
|
||||
| TaintedPath.js:202:29:202:68 | path.re ... '), '') | semmle.label | path.re ... '), '') |
|
||||
| TaintedPath.js:205:31:205:34 | path | semmle.label | path |
|
||||
| TaintedPath.js:205:31:205:69 | path.re ... '), '') | semmle.label | path.re ... '), '') |
|
||||
| TaintedPath.js:212:7:212:48 | path | semmle.label | path |
|
||||
| TaintedPath.js:212:14:212:37 | url.par ... , true) | semmle.label | url.par ... , true) |
|
||||
| TaintedPath.js:212:14:212:43 | url.par ... ).query | semmle.label | url.par ... ).query |
|
||||
| TaintedPath.js:212:14:212:48 | url.par ... ry.path | semmle.label | url.par ... ry.path |
|
||||
| TaintedPath.js:212:24:212:30 | req.url | semmle.label | req.url |
|
||||
| TaintedPath.js:213:9:213:37 | improperEscape | semmle.label | improperEscape |
|
||||
| TaintedPath.js:213:26:213:37 | escape(path) | semmle.label | escape(path) |
|
||||
| TaintedPath.js:213:33:213:36 | path | semmle.label | path |
|
||||
| TaintedPath.js:214:29:214:42 | improperEscape | semmle.label | improperEscape |
|
||||
| TaintedPath.js:215:9:215:40 | improperEscape2 | semmle.label | improperEscape2 |
|
||||
| TaintedPath.js:215:27:215:40 | unescape(path) | semmle.label | unescape(path) |
|
||||
| TaintedPath.js:215:36:215:39 | path | semmle.label | path |
|
||||
| TaintedPath.js:216:29:216:43 | improperEscape2 | semmle.label | improperEscape2 |
|
||||
| examples/TaintedPath.js:8:7:8:52 | filePath | semmle.label | filePath |
|
||||
| examples/TaintedPath.js:8:18:8:41 | url.par ... , true) | semmle.label | url.par ... , true) |
|
||||
| examples/TaintedPath.js:8:18:8:47 | url.par ... ).query | semmle.label | url.par ... ).query |
|
||||
|
||||
@@ -208,3 +208,10 @@ var server = http.createServer(function(req, res) {
|
||||
}
|
||||
});
|
||||
|
||||
var srv = http.createServer(function(req, res) {
|
||||
let path = url.parse(req.url, true).query.path; // $ Source
|
||||
const improperEscape = escape(path);
|
||||
res.write(fs.readFileSync(improperEscape)); // $ Alert
|
||||
const improperEscape2 = unescape(path);
|
||||
res.write(fs.readFileSync(improperEscape2)); // $ Alert
|
||||
});
|
||||
|
||||
@@ -8,5 +8,5 @@ document.write(document.location.href.toUpperCase()); // $ Alert
|
||||
document.write(document.location.href.trimLeft()); // $ Alert
|
||||
document.write(String.fromCharCode(document.location.href)); // $ Alert
|
||||
document.write(String(document.location.href)); // $ Alert
|
||||
document.write(escape(document.location.href)); // OK - for now
|
||||
document.write(escape(escape(escape(document.location.href)))); // OK - for now
|
||||
document.write(escape(document.location.href));
|
||||
document.write(escape(escape(escape(document.location.href))));
|
||||
|
||||
@@ -16,6 +16,7 @@
|
||||
| testReactUseQueries.jsx:37:25:37:38 | repoQuery.data | testReactUseQueries.jsx:4:26:4:53 | fetch(' ... e.com') | testReactUseQueries.jsx:37:25:37:38 | repoQuery.data | Cross-site scripting vulnerability due to $@. | testReactUseQueries.jsx:4:26:4:53 | fetch(' ... e.com') | user-provided value |
|
||||
| testUseQueries2.vue:40:10:40:23 | v-html=data3 | testUseQueries2.vue:6:28:6:63 | fetch(" ... ntent") | testUseQueries2.vue:40:10:40:23 | v-html=data3 | Cross-site scripting vulnerability due to $@. | testUseQueries2.vue:6:28:6:63 | fetch(" ... ntent") | user-provided value |
|
||||
| testUseQueries2.vue:40:10:40:23 | v-html=data3 | testUseQueries2.vue:12:28:12:41 | fetch("${id}") | testUseQueries2.vue:40:10:40:23 | v-html=data3 | Cross-site scripting vulnerability due to $@. | testUseQueries2.vue:12:28:12:41 | fetch("${id}") | user-provided value |
|
||||
| testUseQueries.vue:25:10:25:23 | v-html=data2 | testUseQueries.vue:11:36:11:49 | fetch("${id}") | testUseQueries.vue:25:10:25:23 | v-html=data2 | Cross-site scripting vulnerability due to $@. | testUseQueries.vue:11:36:11:49 | fetch("${id}") | user-provided value |
|
||||
edges
|
||||
| test.jsx:5:11:5:63 | response | test.jsx:6:24:6:31 | response | provenance | |
|
||||
| test.jsx:5:22:5:63 | await f ... ntent") | test.jsx:5:11:5:63 | response | provenance | |
|
||||
@@ -88,6 +89,12 @@ edges
|
||||
| testUseQueries2.vue:13:12:13:19 | response | testUseQueries2.vue:13:12:13:26 | response.json() | provenance | |
|
||||
| testUseQueries2.vue:13:12:13:26 | response.json() | testUseQueries2.vue:33:22:33:36 | results[0].data | provenance | |
|
||||
| testUseQueries2.vue:33:22:33:36 | results[0].data | testUseQueries2.vue:40:10:40:23 | v-html=data3 | provenance | |
|
||||
| testUseQueries.vue:11:19:11:49 | response | testUseQueries.vue:12:20:12:27 | response | provenance | |
|
||||
| testUseQueries.vue:11:30:11:49 | await fetch("${id}") | testUseQueries.vue:11:19:11:49 | response | provenance | |
|
||||
| testUseQueries.vue:11:36:11:49 | fetch("${id}") | testUseQueries.vue:11:30:11:49 | await fetch("${id}") | provenance | |
|
||||
| testUseQueries.vue:12:20:12:27 | response | testUseQueries.vue:12:20:12:34 | response.json() | provenance | |
|
||||
| testUseQueries.vue:12:20:12:34 | response.json() | testUseQueries.vue:18:22:18:36 | results[0].data | provenance | |
|
||||
| testUseQueries.vue:18:22:18:36 | results[0].data | testUseQueries.vue:25:10:25:23 | v-html=data2 | provenance | |
|
||||
nodes
|
||||
| test.jsx:5:11:5:63 | response | semmle.label | response |
|
||||
| test.jsx:5:22:5:63 | await f ... ntent") | semmle.label | await f ... ntent") |
|
||||
@@ -174,4 +181,11 @@ nodes
|
||||
| testUseQueries2.vue:13:12:13:26 | response.json() | semmle.label | response.json() |
|
||||
| testUseQueries2.vue:33:22:33:36 | results[0].data | semmle.label | results[0].data |
|
||||
| testUseQueries2.vue:40:10:40:23 | v-html=data3 | semmle.label | v-html=data3 |
|
||||
| testUseQueries.vue:11:19:11:49 | response | semmle.label | response |
|
||||
| testUseQueries.vue:11:30:11:49 | await fetch("${id}") | semmle.label | await fetch("${id}") |
|
||||
| testUseQueries.vue:11:36:11:49 | fetch("${id}") | semmle.label | fetch("${id}") |
|
||||
| testUseQueries.vue:12:20:12:27 | response | semmle.label | response |
|
||||
| testUseQueries.vue:12:20:12:34 | response.json() | semmle.label | response.json() |
|
||||
| testUseQueries.vue:18:22:18:36 | results[0].data | semmle.label | results[0].data |
|
||||
| testUseQueries.vue:25:10:25:23 | v-html=data2 | semmle.label | v-html=data2 |
|
||||
subpaths
|
||||
|
||||
@@ -8,7 +8,7 @@ export default {
|
||||
queries: ids.map((id) => ({
|
||||
queryKey: ['post', id],
|
||||
queryFn: async () => {
|
||||
const response = await fetch("${id}"); // $ MISSING: Source
|
||||
const response = await fetch("${id}"); // $ Source
|
||||
return response.json();
|
||||
},
|
||||
staleTime: Infinity,
|
||||
@@ -22,6 +22,6 @@ export default {
|
||||
|
||||
<template>
|
||||
<VueQueryClientProvider :client="queryClient">
|
||||
<div v-html="data2"></div> <!--$ MISSING: Alert -->
|
||||
<div v-html="data2"></div> <!--$ Alert -->
|
||||
</VueQueryClientProvider>
|
||||
</template>
|
||||
|
||||
Reference in New Issue
Block a user