Merge branch 'main' into javascript_xss_improvements

This commit is contained in:
Alvaro Muñoz
2022-10-19 18:18:19 +02:00
committed by GitHub
2102 changed files with 45300 additions and 64985 deletions


@@ -151,7 +151,7 @@ private int getMaxChars() { result = 1000000 }
*/
string getBodyTokensFeature(Function function) {
// Performance optimization: If a function has more than 256 body subtokens, then featurize it as
// absent. This approximates the behavior of the classifer on non-generic body features where
// absent. This approximates the behavior of the classifier on non-generic body features where
// large body features are replaced by the absent token.
//
// We count nodes instead of tokens because tokens are often not unique.


@@ -1,5 +1,5 @@
name: codeql/javascript-experimental-atm-lib
version: 0.3.4
version: 0.3.6
extractor: javascript
library: true
groups:


@@ -1,6 +1,6 @@
---
dependencies:
codeql/javascript-experimental-atm-model:
version: 0.2.0
version: 0.2.1-2022-09-06-08h55m54s.bubbly-basin-xpztl8fh.f3c3c9360a727959e428ecc6932257e6a546dc65d8a9baac525a49247123822d
compiled: false
lockVersion: 1.0.0


@@ -2,7 +2,7 @@
* For internal use only.
*
*
* Count the number of sinks and alerts for the `NosqlInection` security query.
* Count the number of sinks and alerts for the `NosqlInjection` security query.
*/
import semmle.javascript.security.dataflow.NosqlInjectionQuery


@@ -2,7 +2,7 @@
* For internal use only.
*
*
* Count the number of sinks and alerts for the `SqlInection` security query.
* Count the number of sinks and alerts for the `SqlInjection` security query.
*/
import semmle.javascript.security.dataflow.SqlInjectionQuery


@@ -1,25 +0,0 @@
/**
* NosqlInjection.ql
*
* Version of the standard NoSQL injection query with an output relation ready to plug into the
* evaluation pipeline.
*/
import javascript
import semmle.javascript.security.dataflow.NosqlInjectionQuery as NosqlInjection
import EndToEndEvaluation as EndToEndEvaluation
from
DataFlow::Configuration cfg, DataFlow::Node source, DataFlow::Node sink, string filePathSink,
int startLineSink, int endLineSink, int startColumnSink, int endColumnSink, string filePathSource,
int startLineSource, int endLineSource, int startColumnSource, int endColumnSource
where
cfg instanceof NosqlInjection::Configuration and
cfg.hasFlow(source, sink) and
not EndToEndEvaluation::isFlowExcluded(source, sink) and
sink.hasLocationInfo(filePathSink, startLineSink, startColumnSink, endLineSink, endColumnSink) and
source
.hasLocationInfo(filePathSource, startLineSource, startColumnSource, endLineSource,
endColumnSource)
select source, startLineSource, startColumnSource, endLineSource, endColumnSource, filePathSource,
sink, startLineSink, startColumnSink, endLineSink, endColumnSink, filePathSink


@@ -1,28 +0,0 @@
/**
* NosqlInjectionATM.ql
*
* Version of the boosted NoSQL injection query with an output relation ready to plug into the
* evaluation pipeline.
*/
import ATM::ResultsInfo
import EndToEndEvaluation as EndToEndEvaluation
import experimental.adaptivethreatmodeling.NosqlInjectionATM
from
DataFlow::Configuration cfg, DataFlow::Node source, DataFlow::Node sink, string filePathSink,
int startLineSink, int endLineSink, int startColumnSink, int endColumnSink, string filePathSource,
int startLineSource, int endLineSource, int startColumnSource, int endColumnSource, float score
where
cfg.hasFlow(source, sink) and
not EndToEndEvaluation::isFlowExcluded(source, sink) and
not isFlowLikelyInBaseQuery(source, sink) and
sink.hasLocationInfo(filePathSink, startLineSink, startColumnSink, endLineSink, endColumnSink) and
source
.hasLocationInfo(filePathSource, startLineSource, startColumnSource, endLineSource,
endColumnSource) and
getScoreForFlow(source, sink) = score
select source, startLineSource, startColumnSource, endLineSource, endColumnSource, filePathSource,
sink, startLineSink, startColumnSink, endLineSink, endColumnSink, filePathSink, score order by
score desc, startLineSource, startColumnSource, endLineSource, endColumnSource, filePathSource,
startLineSink, startColumnSink, endLineSink, endColumnSink, filePathSink


@@ -1,29 +0,0 @@
/**
* NosqlInjectionATMLite.ql
*
* Arbitrarily ranked version of the boosted NoSQL injection query with an output relation ready to
* plug into the evaluation pipeline. This is useful (a) for evaluating the performance of endpoint
* filters, and (b) as a baseline to compare the model against.
*/
import ATM::ResultsInfo
import EndToEndEvaluation as EndToEndEvaluation
import experimental.adaptivethreatmodeling.NosqlInjectionATM
from
DataFlow::Configuration cfg, DataFlow::Node source, DataFlow::Node sink, string filePathSink,
int startLineSink, int endLineSink, int startColumnSink, int endColumnSink, string filePathSource,
int startLineSource, int endLineSource, int startColumnSource, int endColumnSource, float score
where
cfg.hasFlow(source, sink) and
not EndToEndEvaluation::isFlowExcluded(source, sink) and
not isFlowLikelyInBaseQuery(source, sink) and
sink.hasLocationInfo(filePathSink, startLineSink, startColumnSink, endLineSink, endColumnSink) and
source
.hasLocationInfo(filePathSource, startLineSource, startColumnSource, endLineSource,
endColumnSource) and
score = 0
select source, startLineSource, startColumnSource, endLineSource, endColumnSource, filePathSource,
sink, startLineSink, startColumnSink, endLineSink, endColumnSink, filePathSink, score order by
score desc, startLineSource, startColumnSource, endLineSource, endColumnSource, filePathSource,
startLineSink, startColumnSink, endLineSink, endColumnSink, filePathSink


@@ -1,25 +0,0 @@
/**
* SqlInjection.ql
*
* Version of the standard SQL injection query with an output relation ready to plug into the
* evaluation pipeline.
*/
import javascript
import semmle.javascript.security.dataflow.SqlInjectionQuery as SqlInjection
import EndToEndEvaluation as EndToEndEvaluation
from
DataFlow::Configuration cfg, DataFlow::Node source, DataFlow::Node sink, string filePathSink,
int startLineSink, int endLineSink, int startColumnSink, int endColumnSink, string filePathSource,
int startLineSource, int endLineSource, int startColumnSource, int endColumnSource
where
cfg instanceof SqlInjection::Configuration and
cfg.hasFlow(source, sink) and
not EndToEndEvaluation::isFlowExcluded(source, sink) and
sink.hasLocationInfo(filePathSink, startLineSink, startColumnSink, endLineSink, endColumnSink) and
source
.hasLocationInfo(filePathSource, startLineSource, startColumnSource, endLineSource,
endColumnSource)
select source, startLineSource, startColumnSource, endLineSource, endColumnSource, filePathSource,
sink, startLineSink, startColumnSink, endLineSink, endColumnSink, filePathSink


@@ -1,28 +0,0 @@
/**
* SqlInjectionATM.ql
*
* Version of the boosted SQL injection query with an output relation ready to plug into the
* evaluation pipeline.
*/
import ATM::ResultsInfo
import EndToEndEvaluation as EndToEndEvaluation
import experimental.adaptivethreatmodeling.SqlInjectionATM
from
DataFlow::Configuration cfg, DataFlow::Node source, DataFlow::Node sink, string filePathSink,
int startLineSink, int endLineSink, int startColumnSink, int endColumnSink, string filePathSource,
int startLineSource, int endLineSource, int startColumnSource, int endColumnSource, float score
where
cfg.hasFlow(source, sink) and
not EndToEndEvaluation::isFlowExcluded(source, sink) and
not isFlowLikelyInBaseQuery(source, sink) and
sink.hasLocationInfo(filePathSink, startLineSink, startColumnSink, endLineSink, endColumnSink) and
source
.hasLocationInfo(filePathSource, startLineSource, startColumnSource, endLineSource,
endColumnSource) and
getScoreForFlow(source, sink) = score
select source, startLineSource, startColumnSource, endLineSource, endColumnSource, filePathSource,
sink, startLineSink, startColumnSink, endLineSink, endColumnSink, filePathSink, score order by
score desc, startLineSource, startColumnSource, endLineSource, endColumnSource, filePathSource,
startLineSink, startColumnSink, endLineSink, endColumnSink, filePathSink


@@ -1,29 +0,0 @@
/**
* SqlInjectionATMLite.ql
*
* Arbitrarily ranked version of the boosted SQL injection query with an output relation ready to
* plug into the evaluation pipeline. This is useful (a) for evaluating the performance of endpoint
* filters, and (b) as a baseline to compare the model against.
*/
import ATM::ResultsInfo
import EndToEndEvaluation as EndToEndEvaluation
import experimental.adaptivethreatmodeling.SqlInjectionATM
from
DataFlow::Configuration cfg, DataFlow::Node source, DataFlow::Node sink, string filePathSink,
int startLineSink, int endLineSink, int startColumnSink, int endColumnSink, string filePathSource,
int startLineSource, int endLineSource, int startColumnSource, int endColumnSource, float score
where
cfg.hasFlow(source, sink) and
not EndToEndEvaluation::isFlowExcluded(source, sink) and
not isFlowLikelyInBaseQuery(source, sink) and
sink.hasLocationInfo(filePathSink, startLineSink, startColumnSink, endLineSink, endColumnSink) and
source
.hasLocationInfo(filePathSource, startLineSource, startColumnSource, endLineSource,
endColumnSource) and
score = 0
select source, startLineSource, startColumnSource, endLineSource, endColumnSource, filePathSource,
sink, startLineSink, startColumnSink, endLineSink, endColumnSink, filePathSink, score order by
score desc, startLineSource, startColumnSource, endLineSource, endColumnSource, filePathSource,
startLineSink, startColumnSink, endLineSink, endColumnSink, filePathSink


@@ -1,25 +0,0 @@
/**
* TaintedPath.ql
*
* Version of the standard path injection query with an output relation ready to plug into the
* evaluation pipeline.
*/
import javascript
import semmle.javascript.security.dataflow.TaintedPathQuery as TaintedPath
import EndToEndEvaluation as EndToEndEvaluation
from
DataFlow::Configuration cfg, DataFlow::Node source, DataFlow::Node sink, string filePathSink,
int startLineSink, int endLineSink, int startColumnSink, int endColumnSink, string filePathSource,
int startLineSource, int endLineSource, int startColumnSource, int endColumnSource
where
cfg instanceof TaintedPath::Configuration and
cfg.hasFlow(source, sink) and
not EndToEndEvaluation::isFlowExcluded(source, sink) and
sink.hasLocationInfo(filePathSink, startLineSink, startColumnSink, endLineSink, endColumnSink) and
source
.hasLocationInfo(filePathSource, startLineSource, startColumnSource, endLineSource,
endColumnSource)
select source, startLineSource, startColumnSource, endLineSource, endColumnSource, filePathSource,
sink, startLineSink, startColumnSink, endLineSink, endColumnSink, filePathSink


@@ -1,28 +0,0 @@
/**
* TaintedPathATM.ql
*
* Version of the boosted path injection query with an output relation ready to plug into the
* evaluation pipeline.
*/
import ATM::ResultsInfo
import EndToEndEvaluation as EndToEndEvaluation
import experimental.adaptivethreatmodeling.TaintedPathATM
from
DataFlow::Configuration cfg, DataFlow::Node source, DataFlow::Node sink, string filePathSink,
int startLineSink, int endLineSink, int startColumnSink, int endColumnSink, string filePathSource,
int startLineSource, int endLineSource, int startColumnSource, int endColumnSource, float score
where
cfg.hasFlow(source, sink) and
not EndToEndEvaluation::isFlowExcluded(source, sink) and
not isFlowLikelyInBaseQuery(source, sink) and
sink.hasLocationInfo(filePathSink, startLineSink, startColumnSink, endLineSink, endColumnSink) and
source
.hasLocationInfo(filePathSource, startLineSource, startColumnSource, endLineSource,
endColumnSource) and
getScoreForFlow(source, sink) = score
select source, startLineSource, startColumnSource, endLineSource, endColumnSource, filePathSource,
sink, startLineSink, startColumnSink, endLineSink, endColumnSink, filePathSink, score order by
score desc, startLineSource, startColumnSource, endLineSource, endColumnSource, filePathSource,
startLineSink, startColumnSink, endLineSink, endColumnSink, filePathSink


@@ -1,29 +0,0 @@
/**
* TaintedPathATMLite.ql
*
* Arbitrarily ranked version of the boosted path injection query with an output relation ready to
* plug into the evaluation pipeline. This is useful (a) for evaluating the performance of endpoint
* filters, and (b) as a baseline to compare the model against.
*/
import ATM::ResultsInfo
import EndToEndEvaluation as EndToEndEvaluation
import experimental.adaptivethreatmodeling.TaintedPathATM
from
DataFlow::Configuration cfg, DataFlow::Node source, DataFlow::Node sink, string filePathSink,
int startLineSink, int endLineSink, int startColumnSink, int endColumnSink, string filePathSource,
int startLineSource, int endLineSource, int startColumnSource, int endColumnSource, float score
where
cfg.hasFlow(source, sink) and
not EndToEndEvaluation::isFlowExcluded(source, sink) and
not isFlowLikelyInBaseQuery(source, sink) and
sink.hasLocationInfo(filePathSink, startLineSink, startColumnSink, endLineSink, endColumnSink) and
source
.hasLocationInfo(filePathSource, startLineSource, startColumnSource, endLineSource,
endColumnSource) and
score = 0
select source, startLineSource, startColumnSource, endLineSource, endColumnSource, filePathSource,
sink, startLineSink, startColumnSink, endLineSink, endColumnSink, filePathSink, score order by
score desc, startLineSource, startColumnSource, endLineSource, endColumnSource, filePathSource,
startLineSink, startColumnSink, endLineSink, endColumnSink, filePathSink


@@ -1,25 +0,0 @@
/**
* Xss.ql
*
* Version of the standard XSS query with an output relation ready to plug into the evaluation
* pipeline.
*/
import javascript
import semmle.javascript.security.dataflow.DomBasedXssQuery as DomBasedXss
import EndToEndEvaluation as EndToEndEvaluation
from
DataFlow::Configuration cfg, DataFlow::Node source, DataFlow::Node sink, string filePathSink,
int startLineSink, int endLineSink, int startColumnSink, int endColumnSink, string filePathSource,
int startLineSource, int endLineSource, int startColumnSource, int endColumnSource
where
cfg instanceof DomBasedXss::Configuration and
cfg.hasFlow(source, sink) and
not EndToEndEvaluation::isFlowExcluded(source, sink) and
sink.hasLocationInfo(filePathSink, startLineSink, startColumnSink, endLineSink, endColumnSink) and
source
.hasLocationInfo(filePathSource, startLineSource, startColumnSource, endLineSource,
endColumnSource)
select source, startLineSource, startColumnSource, endLineSource, endColumnSource, filePathSource,
sink, startLineSink, startColumnSink, endLineSink, endColumnSink, filePathSink


@@ -1,29 +0,0 @@
/**
* XssATM.ql
*
* Version of the boosted XSS query with an output relation ready to plug into the evaluation
* pipeline.
*/
import javascript
import ATM::ResultsInfo
import EndToEndEvaluation as EndToEndEvaluation
import experimental.adaptivethreatmodeling.XssATM
from
DataFlow::Configuration cfg, DataFlow::Node source, DataFlow::Node sink, string filePathSink,
int startLineSink, int endLineSink, int startColumnSink, int endColumnSink, string filePathSource,
int startLineSource, int endLineSource, int startColumnSource, int endColumnSource, float score
where
cfg.hasFlow(source, sink) and
not EndToEndEvaluation::isFlowExcluded(source, sink) and
not isFlowLikelyInBaseQuery(source, sink) and
sink.hasLocationInfo(filePathSink, startLineSink, startColumnSink, endLineSink, endColumnSink) and
source
.hasLocationInfo(filePathSource, startLineSource, startColumnSource, endLineSource,
endColumnSource) and
getScoreForFlow(source, sink) = score
select source, startLineSource, startColumnSource, endLineSource, endColumnSource, filePathSource,
sink, startLineSink, startColumnSink, endLineSink, endColumnSink, filePathSink, score order by
score desc, startLineSource, startColumnSource, endLineSource, endColumnSource, filePathSource,
startLineSink, startColumnSink, endLineSink, endColumnSink, filePathSink


@@ -1,30 +0,0 @@
/**
* XssATMLite.ql
*
* Arbitrarily ranked version of the boosted XSS query with an output relation ready to plug into
* the evaluation pipeline. This is useful (a) for evaluating the performance of endpoint filters,
* and (b) as a baseline to compare the model against.
*/
import javascript
import ATM::ResultsInfo
import EndToEndEvaluation as EndToEndEvaluation
import experimental.adaptivethreatmodeling.XssATM
from
DataFlow::Configuration cfg, DataFlow::Node source, DataFlow::Node sink, string filePathSink,
int startLineSink, int endLineSink, int startColumnSink, int endColumnSink, string filePathSource,
int startLineSource, int endLineSource, int startColumnSource, int endColumnSource, float score
where
cfg.hasFlow(source, sink) and
not EndToEndEvaluation::isFlowExcluded(source, sink) and
not isFlowLikelyInBaseQuery(source, sink) and
sink.hasLocationInfo(filePathSink, startLineSink, startColumnSink, endLineSink, endColumnSink) and
source
.hasLocationInfo(filePathSource, startLineSource, startColumnSource, endLineSource,
endColumnSource) and
score = 0
select source, startLineSource, startColumnSource, endLineSource, endColumnSource, filePathSource,
sink, startLineSink, startColumnSink, endLineSink, endColumnSink, filePathSink, score order by
score desc, startLineSource, startColumnSource, endLineSource, endColumnSource, filePathSource,
startLineSink, startColumnSink, endLineSink, endColumnSink, filePathSink


@@ -1,25 +0,0 @@
/*
* For internal use only.
*
* Extracts evaluation data we can use to evaluate ML models for ML-powered queries.
*/
import javascript
import ExtractEndpointData as ExtractEndpointData
query predicate endpoints(
DataFlow::Node endpoint, string queryName, string key, string value, string valueType
) {
ExtractEndpointData::endpoints(endpoint, queryName, key, value, valueType) and
// only select endpoints that are either Sink, NotASink or Unknown
ExtractEndpointData::endpoints(endpoint, queryName, "sinkLabel", ["Sink", "NotASink", "Unknown"],
"string") and
// do not select endpoints filtered out by end-to-end evaluation
ExtractEndpointData::endpoints(endpoint, queryName, "isExcludedFromEndToEndEvaluation", "false",
"boolean")
}
query predicate tokenFeatures(DataFlow::Node endpoint, string featureName, string featureValue) {
endpoints(endpoint, _, _, _, _) and
ExtractEndpointData::tokenFeatures(endpoint, featureName, featureValue)
}


@@ -6,4 +6,4 @@ groups:
- experimental
dependencies:
codeql/javascript-experimental-atm-lib: "*"
codeql/javascript-experimental-atm-model: "0.2.0"
codeql/javascript-experimental-atm-model: "0.2.1-2022-09-06-08h55m54s.bubbly-basin-xpztl8fh.f3c3c9360a727959e428ecc6932257e6a546dc65d8a9baac525a49247123822d"


@@ -1,6 +1,6 @@
---
dependencies:
codeql/javascript-experimental-atm-model:
version: 0.2.0
version: 0.2.1-2022-09-06-08h55m54s.bubbly-basin-xpztl8fh.f3c3c9360a727959e428ecc6932257e6a546dc65d8a9baac525a49247123822d
compiled: false
lockVersion: 1.0.0


@@ -1,6 +1,6 @@
name: codeql/javascript-experimental-atm-queries
language: javascript
version: 0.3.4
version: 0.3.6
suites: codeql-suites
defaultSuiteFile: codeql-suites/javascript-atm-code-scanning.qls
groups:
@@ -8,4 +8,4 @@ groups:
- experimental
dependencies:
codeql/javascript-experimental-atm-lib: "*"
codeql/javascript-experimental-atm-model: "0.2.0"
codeql/javascript-experimental-atm-model: "0.2.1-2022-09-06-08h55m54s.bubbly-basin-xpztl8fh.f3c3c9360a727959e428ecc6932257e6a546dc65d8a9baac525a49247123822d"


@@ -1,6 +1,6 @@
---
dependencies:
codeql/javascript-experimental-atm-model:
version: 0.2.0
version: 0.2.1-2022-09-06-08h55m54s.bubbly-basin-xpztl8fh.f3c3c9360a727959e428ecc6932257e6a546dc65d8a9baac525a49247123822d
compiled: false
lockVersion: 1.0.0


@@ -1,530 +0,0 @@
endpoints
| index.js:1:25:1:33 | "express" | TaintedPath | hasFlowFromSource | false | boolean |
| index.js:1:25:1:33 | "express" | TaintedPath | isConstantExpression | true | boolean |
| index.js:1:25:1:33 | "express" | TaintedPath | isExcludedFromEndToEndEvaluation | false | boolean |
| index.js:1:25:1:33 | "express" | TaintedPath | sinkLabel | Sink | string |
| index.js:2:26:2:35 | 'mongoose' | TaintedPath | hasFlowFromSource | false | boolean |
| index.js:2:26:2:35 | 'mongoose' | TaintedPath | isConstantExpression | true | boolean |
| index.js:2:26:2:35 | 'mongoose' | TaintedPath | isExcludedFromEndToEndEvaluation | false | boolean |
| index.js:2:26:2:35 | 'mongoose' | TaintedPath | sinkLabel | Sink | string |
| index.js:3:29:3:34 | 'User' | NosqlInjection | hasFlowFromSource | false | boolean |
| index.js:3:29:3:34 | 'User' | NosqlInjection | isConstantExpression | true | boolean |
| index.js:3:29:3:34 | 'User' | NosqlInjection | isExcludedFromEndToEndEvaluation | false | boolean |
| index.js:3:29:3:34 | 'User' | NosqlInjection | sinkLabel | Unknown | string |
| index.js:3:29:3:34 | 'User' | SqlInjection | hasFlowFromSource | false | boolean |
| index.js:3:29:3:34 | 'User' | SqlInjection | isConstantExpression | true | boolean |
| index.js:3:29:3:34 | 'User' | SqlInjection | isExcludedFromEndToEndEvaluation | false | boolean |
| index.js:3:29:3:34 | 'User' | SqlInjection | sinkLabel | Unknown | string |
| index.js:3:29:3:34 | 'User' | TaintedPath | hasFlowFromSource | false | boolean |
| index.js:3:29:3:34 | 'User' | TaintedPath | isConstantExpression | true | boolean |
| index.js:3:29:3:34 | 'User' | TaintedPath | isExcludedFromEndToEndEvaluation | false | boolean |
| index.js:3:29:3:34 | 'User' | TaintedPath | sinkLabel | Unknown | string |
| index.js:3:29:3:34 | 'User' | Xss | hasFlowFromSource | false | boolean |
| index.js:3:29:3:34 | 'User' | Xss | isConstantExpression | true | boolean |
| index.js:3:29:3:34 | 'User' | Xss | isExcludedFromEndToEndEvaluation | false | boolean |
| index.js:3:29:3:34 | 'User' | Xss | sinkLabel | Unknown | string |
| index.js:3:37:3:40 | null | NosqlInjection | hasFlowFromSource | false | boolean |
| index.js:3:37:3:40 | null | NosqlInjection | isConstantExpression | true | boolean |
| index.js:3:37:3:40 | null | NosqlInjection | isExcludedFromEndToEndEvaluation | false | boolean |
| index.js:3:37:3:40 | null | NosqlInjection | sinkLabel | Unknown | string |
| index.js:3:37:3:40 | null | SqlInjection | hasFlowFromSource | false | boolean |
| index.js:3:37:3:40 | null | SqlInjection | isConstantExpression | true | boolean |
| index.js:3:37:3:40 | null | SqlInjection | isExcludedFromEndToEndEvaluation | false | boolean |
| index.js:3:37:3:40 | null | SqlInjection | sinkLabel | Unknown | string |
| index.js:3:37:3:40 | null | TaintedPath | hasFlowFromSource | false | boolean |
| index.js:3:37:3:40 | null | TaintedPath | isConstantExpression | true | boolean |
| index.js:3:37:3:40 | null | TaintedPath | isExcludedFromEndToEndEvaluation | false | boolean |
| index.js:3:37:3:40 | null | TaintedPath | sinkLabel | Unknown | string |
| index.js:3:37:3:40 | null | Xss | hasFlowFromSource | false | boolean |
| index.js:3:37:3:40 | null | Xss | isConstantExpression | true | boolean |
| index.js:3:37:3:40 | null | Xss | isExcludedFromEndToEndEvaluation | false | boolean |
| index.js:3:37:3:40 | null | Xss | sinkLabel | Unknown | string |
| index.js:8:12:8:21 | '/isAdmin' | NosqlInjection | hasFlowFromSource | false | boolean |
| index.js:8:12:8:21 | '/isAdmin' | NosqlInjection | isConstantExpression | true | boolean |
| index.js:8:12:8:21 | '/isAdmin' | NosqlInjection | isExcludedFromEndToEndEvaluation | false | boolean |
| index.js:8:12:8:21 | '/isAdmin' | NosqlInjection | sinkLabel | Unknown | string |
| index.js:8:12:8:21 | '/isAdmin' | SqlInjection | hasFlowFromSource | false | boolean |
| index.js:8:12:8:21 | '/isAdmin' | SqlInjection | isConstantExpression | true | boolean |
| index.js:8:12:8:21 | '/isAdmin' | SqlInjection | isExcludedFromEndToEndEvaluation | false | boolean |
| index.js:8:12:8:21 | '/isAdmin' | SqlInjection | sinkLabel | Unknown | string |
| index.js:8:12:8:21 | '/isAdmin' | TaintedPath | hasFlowFromSource | false | boolean |
| index.js:8:12:8:21 | '/isAdmin' | TaintedPath | isConstantExpression | true | boolean |
| index.js:8:12:8:21 | '/isAdmin' | TaintedPath | isExcludedFromEndToEndEvaluation | false | boolean |
| index.js:8:12:8:21 | '/isAdmin' | TaintedPath | sinkLabel | Unknown | string |
| index.js:8:12:8:21 | '/isAdmin' | Xss | hasFlowFromSource | false | boolean |
| index.js:8:12:8:21 | '/isAdmin' | Xss | isConstantExpression | true | boolean |
| index.js:8:12:8:21 | '/isAdmin' | Xss | isExcludedFromEndToEndEvaluation | false | boolean |
| index.js:8:12:8:21 | '/isAdmin' | Xss | sinkLabel | Unknown | string |
| index.js:8:24:10:3 | (req, r ... });\\n } | NosqlInjection | hasFlowFromSource | false | boolean |
| index.js:8:24:10:3 | (req, r ... });\\n } | NosqlInjection | isConstantExpression | false | boolean |
| index.js:8:24:10:3 | (req, r ... });\\n } | NosqlInjection | isExcludedFromEndToEndEvaluation | false | boolean |
| index.js:8:24:10:3 | (req, r ... });\\n } | NosqlInjection | sinkLabel | Unknown | string |
| index.js:8:24:10:3 | (req, r ... });\\n } | SqlInjection | hasFlowFromSource | false | boolean |
| index.js:8:24:10:3 | (req, r ... });\\n } | SqlInjection | isConstantExpression | false | boolean |
| index.js:8:24:10:3 | (req, r ... });\\n } | SqlInjection | isExcludedFromEndToEndEvaluation | false | boolean |
| index.js:8:24:10:3 | (req, r ... });\\n } | SqlInjection | sinkLabel | Unknown | string |
| index.js:8:24:10:3 | (req, r ... });\\n } | TaintedPath | hasFlowFromSource | false | boolean |
| index.js:8:24:10:3 | (req, r ... });\\n } | TaintedPath | isConstantExpression | false | boolean |
| index.js:8:24:10:3 | (req, r ... });\\n } | TaintedPath | isExcludedFromEndToEndEvaluation | false | boolean |
| index.js:8:24:10:3 | (req, r ... });\\n } | TaintedPath | sinkLabel | Unknown | string |
| index.js:8:24:10:3 | (req, r ... });\\n } | Xss | hasFlowFromSource | false | boolean |
| index.js:8:24:10:3 | (req, r ... });\\n } | Xss | isConstantExpression | false | boolean |
| index.js:8:24:10:3 | (req, r ... });\\n } | Xss | isExcludedFromEndToEndEvaluation | false | boolean |
| index.js:8:24:10:3 | (req, r ... });\\n } | Xss | sinkLabel | Unknown | string |
| index.js:9:15:9:45 | { 'isAd ... Admin } | NosqlInjection | hasFlowFromSource | true | boolean |
| index.js:9:15:9:45 | { 'isAd ... Admin } | NosqlInjection | isConstantExpression | false | boolean |
| index.js:9:15:9:45 | { 'isAd ... Admin } | NosqlInjection | isExcludedFromEndToEndEvaluation | false | boolean |
| index.js:9:15:9:45 | { 'isAd ... Admin } | NosqlInjection | sinkLabel | Sink | string |
| index.js:9:28:9:43 | req.body.isAdmin | SqlInjection | hasFlowFromSource | true | boolean |
| index.js:9:28:9:43 | req.body.isAdmin | SqlInjection | isConstantExpression | false | boolean |
| index.js:9:28:9:43 | req.body.isAdmin | SqlInjection | isExcludedFromEndToEndEvaluation | false | boolean |
| index.js:9:28:9:43 | req.body.isAdmin | SqlInjection | sinkLabel | Unknown | string |
| index.js:9:28:9:43 | req.body.isAdmin | TaintedPath | hasFlowFromSource | true | boolean |
| index.js:9:28:9:43 | req.body.isAdmin | TaintedPath | isConstantExpression | false | boolean |
| index.js:9:28:9:43 | req.body.isAdmin | TaintedPath | isExcludedFromEndToEndEvaluation | false | boolean |
| index.js:9:28:9:43 | req.body.isAdmin | TaintedPath | sinkLabel | Unknown | string |
| index.js:9:28:9:43 | req.body.isAdmin | Xss | hasFlowFromSource | true | boolean |
| index.js:9:28:9:43 | req.body.isAdmin | Xss | isConstantExpression | false | boolean |
| index.js:9:28:9:43 | req.body.isAdmin | Xss | isExcludedFromEndToEndEvaluation | false | boolean |
| index.js:9:28:9:43 | req.body.isAdmin | Xss | sinkLabel | Unknown | string |
| index.js:14:12:14:21 | '/isAdmin' | NosqlInjection | hasFlowFromSource | false | boolean |
| index.js:14:12:14:21 | '/isAdmin' | NosqlInjection | isConstantExpression | true | boolean |
| index.js:14:12:14:21 | '/isAdmin' | NosqlInjection | isExcludedFromEndToEndEvaluation | false | boolean |
| index.js:14:12:14:21 | '/isAdmin' | NosqlInjection | sinkLabel | Unknown | string |
| index.js:14:12:14:21 | '/isAdmin' | SqlInjection | hasFlowFromSource | false | boolean |
| index.js:14:12:14:21 | '/isAdmin' | SqlInjection | isConstantExpression | true | boolean |
| index.js:14:12:14:21 | '/isAdmin' | SqlInjection | isExcludedFromEndToEndEvaluation | false | boolean |
| index.js:14:12:14:21 | '/isAdmin' | SqlInjection | sinkLabel | Unknown | string |
| index.js:14:12:14:21 | '/isAdmin' | TaintedPath | hasFlowFromSource | false | boolean |
| index.js:14:12:14:21 | '/isAdmin' | TaintedPath | isConstantExpression | true | boolean |
| index.js:14:12:14:21 | '/isAdmin' | TaintedPath | isExcludedFromEndToEndEvaluation | false | boolean |
| index.js:14:12:14:21 | '/isAdmin' | TaintedPath | sinkLabel | Unknown | string |
| index.js:14:12:14:21 | '/isAdmin' | Xss | hasFlowFromSource | false | boolean |
| index.js:14:12:14:21 | '/isAdmin' | Xss | isConstantExpression | true | boolean |
| index.js:14:12:14:21 | '/isAdmin' | Xss | isExcludedFromEndToEndEvaluation | false | boolean |
| index.js:14:12:14:21 | '/isAdmin' | Xss | sinkLabel | Unknown | string |
| index.js:14:24:16:3 | (req, r ... n);\\n } | NosqlInjection | hasFlowFromSource | false | boolean |
| index.js:14:24:16:3 | (req, r ... n);\\n } | NosqlInjection | isConstantExpression | false | boolean |
| index.js:14:24:16:3 | (req, r ... n);\\n } | NosqlInjection | isExcludedFromEndToEndEvaluation | false | boolean |
| index.js:14:24:16:3 | (req, r ... n);\\n } | NosqlInjection | sinkLabel | Unknown | string |
| index.js:14:24:16:3 | (req, r ... n);\\n } | SqlInjection | hasFlowFromSource | false | boolean |
| index.js:14:24:16:3 | (req, r ... n);\\n } | SqlInjection | isConstantExpression | false | boolean |
| index.js:14:24:16:3 | (req, r ... n);\\n } | SqlInjection | isExcludedFromEndToEndEvaluation | false | boolean |
| index.js:14:24:16:3 | (req, r ... n);\\n } | SqlInjection | sinkLabel | Unknown | string |
| index.js:14:24:16:3 | (req, r ... n);\\n } | TaintedPath | hasFlowFromSource | false | boolean |
| index.js:14:24:16:3 | (req, r ... n);\\n } | TaintedPath | isConstantExpression | false | boolean |
| index.js:14:24:16:3 | (req, r ... n);\\n } | TaintedPath | isExcludedFromEndToEndEvaluation | false | boolean |
| index.js:14:24:16:3 | (req, r ... n);\\n } | TaintedPath | sinkLabel | Unknown | string |
| index.js:14:24:16:3 | (req, r ... n);\\n } | Xss | hasFlowFromSource | false | boolean |
| index.js:14:24:16:3 | (req, r ... n);\\n } | Xss | isConstantExpression | false | boolean |
| index.js:14:24:16:3 | (req, r ... n);\\n } | Xss | isExcludedFromEndToEndEvaluation | false | boolean |
| index.js:14:24:16:3 | (req, r ... n);\\n } | Xss | sinkLabel | Unknown | string |
| index.js:15:17:15:32 | req.body.isAdmin | NosqlInjection | hasFlowFromSource | true | boolean |
| index.js:15:17:15:32 | req.body.isAdmin | NosqlInjection | isConstantExpression | false | boolean |
| index.js:15:17:15:32 | req.body.isAdmin | NosqlInjection | isExcludedFromEndToEndEvaluation | false | boolean |
| index.js:15:17:15:32 | req.body.isAdmin | NosqlInjection | notASinkReason | LoggerMethod | string |
| index.js:15:17:15:32 | req.body.isAdmin | NosqlInjection | sinkLabel | NotASink | string |
| index.js:15:17:15:32 | req.body.isAdmin | SqlInjection | hasFlowFromSource | true | boolean |
| index.js:15:17:15:32 | req.body.isAdmin | SqlInjection | isConstantExpression | false | boolean |
| index.js:15:17:15:32 | req.body.isAdmin | SqlInjection | isExcludedFromEndToEndEvaluation | false | boolean |
| index.js:15:17:15:32 | req.body.isAdmin | SqlInjection | notASinkReason | LoggerMethod | string |
| index.js:15:17:15:32 | req.body.isAdmin | SqlInjection | sinkLabel | NotASink | string |
| index.js:15:17:15:32 | req.body.isAdmin | TaintedPath | hasFlowFromSource | true | boolean |
| index.js:15:17:15:32 | req.body.isAdmin | TaintedPath | isConstantExpression | false | boolean |
| index.js:15:17:15:32 | req.body.isAdmin | TaintedPath | isExcludedFromEndToEndEvaluation | false | boolean |
| index.js:15:17:15:32 | req.body.isAdmin | TaintedPath | notASinkReason | LoggerMethod | string |
| index.js:15:17:15:32 | req.body.isAdmin | TaintedPath | sinkLabel | NotASink | string |
| index.js:15:17:15:32 | req.body.isAdmin | Xss | hasFlowFromSource | true | boolean |
| index.js:15:17:15:32 | req.body.isAdmin | Xss | isConstantExpression | false | boolean |
| index.js:15:17:15:32 | req.body.isAdmin | Xss | isExcludedFromEndToEndEvaluation | false | boolean |
| index.js:15:17:15:32 | req.body.isAdmin | Xss | notASinkReason | LoggerMethod | string |
| index.js:15:17:15:32 | req.body.isAdmin | Xss | sinkLabel | NotASink | string |
| index.js:20:13:20:31 | { 'isAdmin': true } | NosqlInjection | hasFlowFromSource | false | boolean |
| index.js:20:13:20:31 | { 'isAdmin': true } | NosqlInjection | isConstantExpression | false | boolean |
| index.js:20:13:20:31 | { 'isAdmin': true } | NosqlInjection | isExcludedFromEndToEndEvaluation | false | boolean |
| index.js:20:13:20:31 | { 'isAdmin': true } | NosqlInjection | sinkLabel | Sink | string |
| index.js:20:26:20:29 | true | SqlInjection | hasFlowFromSource | false | boolean |
| index.js:20:26:20:29 | true | SqlInjection | isConstantExpression | true | boolean |
| index.js:20:26:20:29 | true | SqlInjection | isExcludedFromEndToEndEvaluation | false | boolean |
| index.js:20:26:20:29 | true | SqlInjection | sinkLabel | Unknown | string |
| index.js:20:26:20:29 | true | TaintedPath | hasFlowFromSource | false | boolean |
| index.js:20:26:20:29 | true | TaintedPath | isConstantExpression | true | boolean |
| index.js:20:26:20:29 | true | TaintedPath | isExcludedFromEndToEndEvaluation | false | boolean |
| index.js:20:26:20:29 | true | TaintedPath | sinkLabel | Unknown | string |
| index.js:20:26:20:29 | true | Xss | hasFlowFromSource | false | boolean |
| index.js:20:26:20:29 | true | Xss | isConstantExpression | true | boolean |
| index.js:20:26:20:29 | true | Xss | isExcludedFromEndToEndEvaluation | false | boolean |
| index.js:20:26:20:29 | true | Xss | sinkLabel | Unknown | string |
| index.js:24:13:24:22 | "constant" | NosqlInjection | hasFlowFromSource | false | boolean |
| index.js:24:13:24:22 | "constant" | NosqlInjection | isConstantExpression | true | boolean |
| index.js:24:13:24:22 | "constant" | NosqlInjection | isExcludedFromEndToEndEvaluation | false | boolean |
| index.js:24:13:24:22 | "constant" | NosqlInjection | sinkLabel | Sink | string |
| index.js:28:13:28:28 | UNDEFINED_GLOBAL | NosqlInjection | hasFlowFromSource | false | boolean |
| index.js:28:13:28:28 | UNDEFINED_GLOBAL | NosqlInjection | isConstantExpression | false | boolean |
| index.js:28:13:28:28 | UNDEFINED_GLOBAL | NosqlInjection | isExcludedFromEndToEndEvaluation | false | boolean |
| index.js:28:13:28:28 | UNDEFINED_GLOBAL | NosqlInjection | sinkLabel | Sink | string |
| index.js:32:15:32:24 | "someData" | NosqlInjection | hasFlowFromSource | false | boolean |
| index.js:32:15:32:24 | "someData" | NosqlInjection | isConstantExpression | true | boolean |
| index.js:32:15:32:24 | "someData" | NosqlInjection | isExcludedFromEndToEndEvaluation | false | boolean |
| index.js:32:15:32:24 | "someData" | NosqlInjection | notASinkReason | LoggerMethod | string |
| index.js:32:15:32:24 | "someData" | NosqlInjection | sinkLabel | NotASink | string |
| index.js:32:15:32:24 | "someData" | SqlInjection | hasFlowFromSource | false | boolean |
| index.js:32:15:32:24 | "someData" | SqlInjection | isConstantExpression | true | boolean |
| index.js:32:15:32:24 | "someData" | SqlInjection | isExcludedFromEndToEndEvaluation | false | boolean |
| index.js:32:15:32:24 | "someData" | SqlInjection | notASinkReason | LoggerMethod | string |
| index.js:32:15:32:24 | "someData" | SqlInjection | sinkLabel | NotASink | string |
| index.js:32:15:32:24 | "someData" | TaintedPath | hasFlowFromSource | false | boolean |
| index.js:32:15:32:24 | "someData" | TaintedPath | isConstantExpression | true | boolean |
| index.js:32:15:32:24 | "someData" | TaintedPath | isExcludedFromEndToEndEvaluation | false | boolean |
| index.js:32:15:32:24 | "someData" | TaintedPath | notASinkReason | LoggerMethod | string |
| index.js:32:15:32:24 | "someData" | TaintedPath | sinkLabel | NotASink | string |
| index.js:32:15:32:24 | "someData" | Xss | hasFlowFromSource | false | boolean |
| index.js:32:15:32:24 | "someData" | Xss | isConstantExpression | true | boolean |
| index.js:32:15:32:24 | "someData" | Xss | isExcludedFromEndToEndEvaluation | false | boolean |
| index.js:32:15:32:24 | "someData" | Xss | notASinkReason | LoggerMethod | string |
| index.js:32:15:32:24 | "someData" | Xss | sinkLabel | NotASink | string |
| index.js:36:20:36:22 | "a" | NosqlInjection | hasFlowFromSource | false | boolean |
| index.js:36:20:36:22 | "a" | NosqlInjection | isConstantExpression | true | boolean |
| index.js:36:20:36:22 | "a" | NosqlInjection | isExcludedFromEndToEndEvaluation | false | boolean |
| index.js:36:20:36:22 | "a" | NosqlInjection | notASinkReason | ConstantReceiver | string |
| index.js:36:20:36:22 | "a" | NosqlInjection | notASinkReason | StringStartsWith | string |
| index.js:36:20:36:22 | "a" | NosqlInjection | sinkLabel | NotASink | string |
| index.js:36:20:36:22 | "a" | SqlInjection | hasFlowFromSource | false | boolean |
| index.js:36:20:36:22 | "a" | SqlInjection | isConstantExpression | true | boolean |
| index.js:36:20:36:22 | "a" | SqlInjection | isExcludedFromEndToEndEvaluation | false | boolean |
| index.js:36:20:36:22 | "a" | SqlInjection | notASinkReason | ConstantReceiver | string |
| index.js:36:20:36:22 | "a" | SqlInjection | notASinkReason | StringStartsWith | string |
| index.js:36:20:36:22 | "a" | SqlInjection | sinkLabel | NotASink | string |
| index.js:36:20:36:22 | "a" | TaintedPath | hasFlowFromSource | false | boolean |
| index.js:36:20:36:22 | "a" | TaintedPath | isConstantExpression | true | boolean |
| index.js:36:20:36:22 | "a" | TaintedPath | isExcludedFromEndToEndEvaluation | false | boolean |
| index.js:36:20:36:22 | "a" | TaintedPath | notASinkReason | ConstantReceiver | string |
| index.js:36:20:36:22 | "a" | TaintedPath | notASinkReason | StringStartsWith | string |
| index.js:36:20:36:22 | "a" | TaintedPath | sinkLabel | NotASink | string |
| index.js:36:20:36:22 | "a" | Xss | hasFlowFromSource | false | boolean |
| index.js:36:20:36:22 | "a" | Xss | isConstantExpression | true | boolean |
| index.js:36:20:36:22 | "a" | Xss | isExcludedFromEndToEndEvaluation | false | boolean |
| index.js:36:20:36:22 | "a" | Xss | notASinkReason | ConstantReceiver | string |
| index.js:36:20:36:22 | "a" | Xss | notASinkReason | StringStartsWith | string |
| index.js:36:20:36:22 | "a" | Xss | sinkLabel | NotASink | string |
| index.js:41:13:68:61 | "a" + " ... " + "a" | NosqlInjection | hasFlowFromSource | false | boolean |
| index.js:41:13:68:61 | "a" + " ... " + "a" | NosqlInjection | isConstantExpression | true | boolean |
| index.js:41:13:68:61 | "a" + " ... " + "a" | NosqlInjection | isExcludedFromEndToEndEvaluation | false | boolean |
| index.js:41:13:68:61 | "a" + " ... " + "a" | NosqlInjection | sinkLabel | Sink | string |
| index.js:78:30:78:39 | "someData" | NosqlInjection | hasFlowFromSource | false | boolean |
| index.js:78:30:78:39 | "someData" | NosqlInjection | isConstantExpression | true | boolean |
| index.js:78:30:78:39 | "someData" | NosqlInjection | isExcludedFromEndToEndEvaluation | false | boolean |
| index.js:78:30:78:39 | "someData" | NosqlInjection | notASinkReason | LoggerMethod | string |
| index.js:78:30:78:39 | "someData" | NosqlInjection | sinkLabel | NotASink | string |
| index.js:78:30:78:39 | "someData" | SqlInjection | hasFlowFromSource | false | boolean |
| index.js:78:30:78:39 | "someData" | SqlInjection | isConstantExpression | true | boolean |
| index.js:78:30:78:39 | "someData" | SqlInjection | isExcludedFromEndToEndEvaluation | false | boolean |
| index.js:78:30:78:39 | "someData" | SqlInjection | notASinkReason | LoggerMethod | string |
| index.js:78:30:78:39 | "someData" | SqlInjection | sinkLabel | NotASink | string |
| index.js:78:30:78:39 | "someData" | TaintedPath | hasFlowFromSource | false | boolean |
| index.js:78:30:78:39 | "someData" | TaintedPath | isConstantExpression | true | boolean |
| index.js:78:30:78:39 | "someData" | TaintedPath | isExcludedFromEndToEndEvaluation | false | boolean |
| index.js:78:30:78:39 | "someData" | TaintedPath | notASinkReason | LoggerMethod | string |
| index.js:78:30:78:39 | "someData" | TaintedPath | sinkLabel | NotASink | string |
| index.js:78:30:78:39 | "someData" | Xss | hasFlowFromSource | false | boolean |
| index.js:78:30:78:39 | "someData" | Xss | isConstantExpression | true | boolean |
| index.js:78:30:78:39 | "someData" | Xss | isExcludedFromEndToEndEvaluation | false | boolean |
| index.js:78:30:78:39 | "someData" | Xss | notASinkReason | LoggerMethod | string |
| index.js:78:30:78:39 | "someData" | Xss | sinkLabel | NotASink | string |
| index.js:83:10:85:3 | {\\n " ... ar,\\n } | NosqlInjection | hasFlowFromSource | false | boolean |
| index.js:83:10:85:3 | {\\n " ... ar,\\n } | NosqlInjection | isConstantExpression | false | boolean |
| index.js:83:10:85:3 | {\\n " ... ar,\\n } | NosqlInjection | isExcludedFromEndToEndEvaluation | false | boolean |
| index.js:83:10:85:3 | {\\n " ... ar,\\n } | NosqlInjection | notASinkReason | ClientRequest | string |
| index.js:83:10:85:3 | {\\n " ... ar,\\n } | NosqlInjection | notASinkReason | JQueryArgument | string |
| index.js:83:10:85:3 | {\\n " ... ar,\\n } | NosqlInjection | sinkLabel | NotASink | string |
| index.js:83:10:85:3 | {\\n " ... ar,\\n } | SqlInjection | hasFlowFromSource | false | boolean |
| index.js:83:10:85:3 | {\\n " ... ar,\\n } | SqlInjection | isConstantExpression | false | boolean |
| index.js:83:10:85:3 | {\\n " ... ar,\\n } | SqlInjection | isExcludedFromEndToEndEvaluation | false | boolean |
| index.js:83:10:85:3 | {\\n " ... ar,\\n } | SqlInjection | notASinkReason | ClientRequest | string |
| index.js:83:10:85:3 | {\\n " ... ar,\\n } | SqlInjection | notASinkReason | JQueryArgument | string |
| index.js:83:10:85:3 | {\\n " ... ar,\\n } | SqlInjection | sinkLabel | NotASink | string |
| index.js:83:10:85:3 | {\\n " ... ar,\\n } | TaintedPath | hasFlowFromSource | false | boolean |
| index.js:83:10:85:3 | {\\n " ... ar,\\n } | TaintedPath | isConstantExpression | false | boolean |
| index.js:83:10:85:3 | {\\n " ... ar,\\n } | TaintedPath | isExcludedFromEndToEndEvaluation | false | boolean |
| index.js:83:10:85:3 | {\\n " ... ar,\\n } | TaintedPath | notASinkReason | ClientRequest | string |
| index.js:83:10:85:3 | {\\n " ... ar,\\n } | TaintedPath | notASinkReason | JQueryArgument | string |
| index.js:83:10:85:3 | {\\n " ... ar,\\n } | TaintedPath | sinkLabel | NotASink | string |
| index.js:83:10:85:3 | {\\n " ... ar,\\n } | Xss | hasFlowFromSource | false | boolean |
| index.js:83:10:85:3 | {\\n " ... ar,\\n } | Xss | isConstantExpression | false | boolean |
| index.js:83:10:85:3 | {\\n " ... ar,\\n } | Xss | isExcludedFromEndToEndEvaluation | false | boolean |
| index.js:83:10:85:3 | {\\n " ... ar,\\n } | Xss | notASinkReason | ClientRequest | string |
| index.js:83:10:85:3 | {\\n " ... ar,\\n } | Xss | notASinkReason | JQueryArgument | string |
| index.js:83:10:85:3 | {\\n " ... ar,\\n } | Xss | sinkLabel | NotASink | string |
| index.js:84:12:84:18 | foo.bar | NosqlInjection | hasFlowFromSource | false | boolean |
| index.js:84:12:84:18 | foo.bar | NosqlInjection | isConstantExpression | false | boolean |
| index.js:84:12:84:18 | foo.bar | NosqlInjection | isExcludedFromEndToEndEvaluation | false | boolean |
| index.js:84:12:84:18 | foo.bar | NosqlInjection | notASinkReason | ClientRequest | string |
| index.js:84:12:84:18 | foo.bar | NosqlInjection | sinkLabel | NotASink | string |
| index.js:84:12:84:18 | foo.bar | SqlInjection | hasFlowFromSource | false | boolean |
| index.js:84:12:84:18 | foo.bar | SqlInjection | isConstantExpression | false | boolean |
| index.js:84:12:84:18 | foo.bar | SqlInjection | isExcludedFromEndToEndEvaluation | false | boolean |
| index.js:84:12:84:18 | foo.bar | SqlInjection | notASinkReason | ClientRequest | string |
| index.js:84:12:84:18 | foo.bar | SqlInjection | sinkLabel | NotASink | string |
| index.js:84:12:84:18 | foo.bar | TaintedPath | hasFlowFromSource | false | boolean |
| index.js:84:12:84:18 | foo.bar | TaintedPath | isConstantExpression | false | boolean |
| index.js:84:12:84:18 | foo.bar | TaintedPath | isExcludedFromEndToEndEvaluation | false | boolean |
| index.js:84:12:84:18 | foo.bar | TaintedPath | notASinkReason | ClientRequest | string |
| index.js:84:12:84:18 | foo.bar | TaintedPath | sinkLabel | NotASink | string |
| index.js:84:12:84:18 | foo.bar | Xss | hasFlowFromSource | false | boolean |
| index.js:84:12:84:18 | foo.bar | Xss | isConstantExpression | false | boolean |
| index.js:84:12:84:18 | foo.bar | Xss | isExcludedFromEndToEndEvaluation | false | boolean |
| index.js:84:12:84:18 | foo.bar | Xss | notASinkReason | ClientRequest | string |
| index.js:84:12:84:18 | foo.bar | Xss | sinkLabel | NotASink | string |
tokenFeatures
| index.js:1:25:1:33 | "express" | CalleeFlexibleAccessPath | require |
| index.js:1:25:1:33 | "express" | InputAccessPathFromCallee | |
| index.js:1:25:1:33 | "express" | InputArgumentIndex | 0 |
| index.js:1:25:1:33 | "express" | assignedToPropName | |
| index.js:1:25:1:33 | "express" | calleeImports | |
| index.js:1:25:1:33 | "express" | contextFunctionInterfaces | constantExpression()\neffectiveSinkAndNotASink(foo)\nflowFromSourceToNotASink()\nflowFromSourceToSink()\nidentity(x)\nnotASink()\nnotASinkMultipleReasons()\nnotConstantExpression()\nnotFlowFromSource()\nveryLongFunctionBody() |
| index.js:1:25:1:33 | "express" | contextSurroundingFunctionParameters | |
| index.js:1:25:1:33 | "express" | enclosingFunctionBody | |
| index.js:1:25:1:33 | "express" | enclosingFunctionName | |
| index.js:1:25:1:33 | "express" | fileImports | express mongoose |
| index.js:1:25:1:33 | "express" | receiverName | |
| index.js:1:25:1:33 | "express" | stringConcatenatedWith | |
| index.js:2:26:2:35 | 'mongoose' | CalleeFlexibleAccessPath | require |
| index.js:2:26:2:35 | 'mongoose' | InputAccessPathFromCallee | |
| index.js:2:26:2:35 | 'mongoose' | InputArgumentIndex | 0 |
| index.js:2:26:2:35 | 'mongoose' | assignedToPropName | |
| index.js:2:26:2:35 | 'mongoose' | calleeImports | |
| index.js:2:26:2:35 | 'mongoose' | contextFunctionInterfaces | constantExpression()\neffectiveSinkAndNotASink(foo)\nflowFromSourceToNotASink()\nflowFromSourceToSink()\nidentity(x)\nnotASink()\nnotASinkMultipleReasons()\nnotConstantExpression()\nnotFlowFromSource()\nveryLongFunctionBody() |
| index.js:2:26:2:35 | 'mongoose' | contextSurroundingFunctionParameters | |
| index.js:2:26:2:35 | 'mongoose' | enclosingFunctionBody | |
| index.js:2:26:2:35 | 'mongoose' | enclosingFunctionName | |
| index.js:2:26:2:35 | 'mongoose' | fileImports | express mongoose |
| index.js:2:26:2:35 | 'mongoose' | receiverName | |
| index.js:2:26:2:35 | 'mongoose' | stringConcatenatedWith | |
| index.js:3:29:3:34 | 'User' | CalleeFlexibleAccessPath | mongoose.model |
| index.js:3:29:3:34 | 'User' | InputAccessPathFromCallee | |
| index.js:3:29:3:34 | 'User' | InputArgumentIndex | 0 |
| index.js:3:29:3:34 | 'User' | assignedToPropName | |
| index.js:3:29:3:34 | 'User' | calleeImports | mongoose |
| index.js:3:29:3:34 | 'User' | contextFunctionInterfaces | constantExpression()\neffectiveSinkAndNotASink(foo)\nflowFromSourceToNotASink()\nflowFromSourceToSink()\nidentity(x)\nnotASink()\nnotASinkMultipleReasons()\nnotConstantExpression()\nnotFlowFromSource()\nveryLongFunctionBody() |
| index.js:3:29:3:34 | 'User' | contextSurroundingFunctionParameters | |
| index.js:3:29:3:34 | 'User' | enclosingFunctionBody | |
| index.js:3:29:3:34 | 'User' | enclosingFunctionName | |
| index.js:3:29:3:34 | 'User' | fileImports | express mongoose |
| index.js:3:29:3:34 | 'User' | receiverName | mongoose |
| index.js:3:29:3:34 | 'User' | stringConcatenatedWith | |
| index.js:3:37:3:40 | null | CalleeFlexibleAccessPath | mongoose.model |
| index.js:3:37:3:40 | null | InputAccessPathFromCallee | |
| index.js:3:37:3:40 | null | InputArgumentIndex | 1 |
| index.js:3:37:3:40 | null | assignedToPropName | |
| index.js:3:37:3:40 | null | calleeImports | mongoose |
| index.js:3:37:3:40 | null | contextFunctionInterfaces | constantExpression()\neffectiveSinkAndNotASink(foo)\nflowFromSourceToNotASink()\nflowFromSourceToSink()\nidentity(x)\nnotASink()\nnotASinkMultipleReasons()\nnotConstantExpression()\nnotFlowFromSource()\nveryLongFunctionBody() |
| index.js:3:37:3:40 | null | contextSurroundingFunctionParameters | |
| index.js:3:37:3:40 | null | enclosingFunctionBody | |
| index.js:3:37:3:40 | null | enclosingFunctionName | |
| index.js:3:37:3:40 | null | fileImports | express mongoose |
| index.js:3:37:3:40 | null | receiverName | mongoose |
| index.js:3:37:3:40 | null | stringConcatenatedWith | |
| index.js:8:12:8:21 | '/isAdmin' | CalleeFlexibleAccessPath | app.post |
| index.js:8:12:8:21 | '/isAdmin' | InputAccessPathFromCallee | |
| index.js:8:12:8:21 | '/isAdmin' | InputArgumentIndex | 0 |
| index.js:8:12:8:21 | '/isAdmin' | assignedToPropName | |
| index.js:8:12:8:21 | '/isAdmin' | calleeImports | express |
| index.js:8:12:8:21 | '/isAdmin' | contextFunctionInterfaces | constantExpression()\neffectiveSinkAndNotASink(foo)\nflowFromSourceToNotASink()\nflowFromSourceToSink()\nidentity(x)\nnotASink()\nnotASinkMultipleReasons()\nnotConstantExpression()\nnotFlowFromSource()\nveryLongFunctionBody() |
| index.js:8:12:8:21 | '/isAdmin' | contextSurroundingFunctionParameters | () |
| index.js:8:12:8:21 | '/isAdmin' | enclosingFunctionBody | app post /isAdmin req res User find isAdmin req body isAdmin |
| index.js:8:12:8:21 | '/isAdmin' | enclosingFunctionName | flowFromSourceToSink |
| index.js:8:12:8:21 | '/isAdmin' | fileImports | express mongoose |
| index.js:8:12:8:21 | '/isAdmin' | receiverName | app |
| index.js:8:12:8:21 | '/isAdmin' | stringConcatenatedWith | |
| index.js:8:24:10:3 | (req, r ... });\\n } | CalleeFlexibleAccessPath | app.post |
| index.js:8:24:10:3 | (req, r ... });\\n } | InputAccessPathFromCallee | |
| index.js:8:24:10:3 | (req, r ... });\\n } | InputArgumentIndex | 1 |
| index.js:8:24:10:3 | (req, r ... });\\n } | assignedToPropName | |
| index.js:8:24:10:3 | (req, r ... });\\n } | calleeImports | express |
| index.js:8:24:10:3 | (req, r ... });\\n } | contextFunctionInterfaces | constantExpression()\neffectiveSinkAndNotASink(foo)\nflowFromSourceToNotASink()\nflowFromSourceToSink()\nidentity(x)\nnotASink()\nnotASinkMultipleReasons()\nnotConstantExpression()\nnotFlowFromSource()\nveryLongFunctionBody() |
| index.js:8:24:10:3 | (req, r ... });\\n } | contextSurroundingFunctionParameters | ()\n(req, res) |
| index.js:8:24:10:3 | (req, r ... });\\n } | enclosingFunctionBody | app post /isAdmin req res User find isAdmin req body isAdmin |
| index.js:8:24:10:3 | (req, r ... });\\n } | enclosingFunctionName | flowFromSourceToSink |
| index.js:8:24:10:3 | (req, r ... });\\n } | fileImports | express mongoose |
| index.js:8:24:10:3 | (req, r ... });\\n } | receiverName | app |
| index.js:8:24:10:3 | (req, r ... });\\n } | stringConcatenatedWith | |
| index.js:9:15:9:45 | { 'isAd ... Admin } | CalleeFlexibleAccessPath | User.find |
| index.js:9:15:9:45 | { 'isAd ... Admin } | InputAccessPathFromCallee | |
| index.js:9:15:9:45 | { 'isAd ... Admin } | InputArgumentIndex | 0 |
| index.js:9:15:9:45 | { 'isAd ... Admin } | assignedToPropName | |
| index.js:9:15:9:45 | { 'isAd ... Admin } | calleeImports | mongoose |
| index.js:9:15:9:45 | { 'isAd ... Admin } | contextFunctionInterfaces | constantExpression()\neffectiveSinkAndNotASink(foo)\nflowFromSourceToNotASink()\nflowFromSourceToSink()\nidentity(x)\nnotASink()\nnotASinkMultipleReasons()\nnotConstantExpression()\nnotFlowFromSource()\nveryLongFunctionBody() |
| index.js:9:15:9:45 | { 'isAd ... Admin } | contextSurroundingFunctionParameters | ()\n(req, res) |
| index.js:9:15:9:45 | { 'isAd ... Admin } | enclosingFunctionBody | app post /isAdmin req res User find isAdmin req body isAdmin |
| index.js:9:15:9:45 | { 'isAd ... Admin } | enclosingFunctionName | flowFromSourceToSink |
| index.js:9:15:9:45 | { 'isAd ... Admin } | fileImports | express mongoose |
| index.js:9:15:9:45 | { 'isAd ... Admin } | receiverName | User |
| index.js:9:15:9:45 | { 'isAd ... Admin } | stringConcatenatedWith | |
| index.js:9:28:9:43 | req.body.isAdmin | CalleeFlexibleAccessPath | User.find |
| index.js:9:28:9:43 | req.body.isAdmin | InputAccessPathFromCallee | 0.isAdmin |
| index.js:9:28:9:43 | req.body.isAdmin | InputArgumentIndex | 0 |
| index.js:9:28:9:43 | req.body.isAdmin | assignedToPropName | isAdmin |
| index.js:9:28:9:43 | req.body.isAdmin | calleeImports | mongoose |
| index.js:9:28:9:43 | req.body.isAdmin | contextFunctionInterfaces | constantExpression()\neffectiveSinkAndNotASink(foo)\nflowFromSourceToNotASink()\nflowFromSourceToSink()\nidentity(x)\nnotASink()\nnotASinkMultipleReasons()\nnotConstantExpression()\nnotFlowFromSource()\nveryLongFunctionBody() |
| index.js:9:28:9:43 | req.body.isAdmin | contextSurroundingFunctionParameters | ()\n(req, res) |
| index.js:9:28:9:43 | req.body.isAdmin | enclosingFunctionBody | app post /isAdmin req res User find isAdmin req body isAdmin |
| index.js:9:28:9:43 | req.body.isAdmin | enclosingFunctionName | flowFromSourceToSink |
| index.js:9:28:9:43 | req.body.isAdmin | fileImports | express mongoose |
| index.js:9:28:9:43 | req.body.isAdmin | receiverName | |
| index.js:9:28:9:43 | req.body.isAdmin | stringConcatenatedWith | |
| index.js:14:12:14:21 | '/isAdmin' | CalleeFlexibleAccessPath | app.post |
| index.js:14:12:14:21 | '/isAdmin' | InputAccessPathFromCallee | |
| index.js:14:12:14:21 | '/isAdmin' | InputArgumentIndex | 0 |
| index.js:14:12:14:21 | '/isAdmin' | assignedToPropName | |
| index.js:14:12:14:21 | '/isAdmin' | calleeImports | express |
| index.js:14:12:14:21 | '/isAdmin' | contextFunctionInterfaces | constantExpression()\neffectiveSinkAndNotASink(foo)\nflowFromSourceToNotASink()\nflowFromSourceToSink()\nidentity(x)\nnotASink()\nnotASinkMultipleReasons()\nnotConstantExpression()\nnotFlowFromSource()\nveryLongFunctionBody() |
| index.js:14:12:14:21 | '/isAdmin' | contextSurroundingFunctionParameters | () |
| index.js:14:12:14:21 | '/isAdmin' | enclosingFunctionBody | app post /isAdmin req res console log req body isAdmin |
| index.js:14:12:14:21 | '/isAdmin' | enclosingFunctionName | flowFromSourceToNotASink |
| index.js:14:12:14:21 | '/isAdmin' | fileImports | express mongoose |
| index.js:14:12:14:21 | '/isAdmin' | receiverName | app |
| index.js:14:12:14:21 | '/isAdmin' | stringConcatenatedWith | |
| index.js:14:24:16:3 | (req, r ... n);\\n } | CalleeFlexibleAccessPath | app.post |
| index.js:14:24:16:3 | (req, r ... n);\\n } | InputAccessPathFromCallee | |
| index.js:14:24:16:3 | (req, r ... n);\\n } | InputArgumentIndex | 1 |
| index.js:14:24:16:3 | (req, r ... n);\\n } | assignedToPropName | |
| index.js:14:24:16:3 | (req, r ... n);\\n } | calleeImports | express |
| index.js:14:24:16:3 | (req, r ... n);\\n } | contextFunctionInterfaces | constantExpression()\neffectiveSinkAndNotASink(foo)\nflowFromSourceToNotASink()\nflowFromSourceToSink()\nidentity(x)\nnotASink()\nnotASinkMultipleReasons()\nnotConstantExpression()\nnotFlowFromSource()\nveryLongFunctionBody() |
| index.js:14:24:16:3 | (req, r ... n);\\n } | contextSurroundingFunctionParameters | ()\n(req, res) |
| index.js:14:24:16:3 | (req, r ... n);\\n } | enclosingFunctionBody | app post /isAdmin req res console log req body isAdmin |
| index.js:14:24:16:3 | (req, r ... n);\\n } | enclosingFunctionName | flowFromSourceToNotASink |
| index.js:14:24:16:3 | (req, r ... n);\\n } | fileImports | express mongoose |
| index.js:14:24:16:3 | (req, r ... n);\\n } | receiverName | app |
| index.js:14:24:16:3 | (req, r ... n);\\n } | stringConcatenatedWith | |
| index.js:15:17:15:32 | req.body.isAdmin | CalleeFlexibleAccessPath | console.log |
| index.js:15:17:15:32 | req.body.isAdmin | InputAccessPathFromCallee | |
| index.js:15:17:15:32 | req.body.isAdmin | InputArgumentIndex | 0 |
| index.js:15:17:15:32 | req.body.isAdmin | assignedToPropName | |
| index.js:15:17:15:32 | req.body.isAdmin | calleeImports | |
| index.js:15:17:15:32 | req.body.isAdmin | contextFunctionInterfaces | constantExpression()\neffectiveSinkAndNotASink(foo)\nflowFromSourceToNotASink()\nflowFromSourceToSink()\nidentity(x)\nnotASink()\nnotASinkMultipleReasons()\nnotConstantExpression()\nnotFlowFromSource()\nveryLongFunctionBody() |
| index.js:15:17:15:32 | req.body.isAdmin | contextSurroundingFunctionParameters | ()\n(req, res) |
| index.js:15:17:15:32 | req.body.isAdmin | enclosingFunctionBody | app post /isAdmin req res console log req body isAdmin |
| index.js:15:17:15:32 | req.body.isAdmin | enclosingFunctionName | flowFromSourceToNotASink |
| index.js:15:17:15:32 | req.body.isAdmin | fileImports | express mongoose |
| index.js:15:17:15:32 | req.body.isAdmin | receiverName | console |
| index.js:15:17:15:32 | req.body.isAdmin | stringConcatenatedWith | |
| index.js:20:13:20:31 | { 'isAdmin': true } | CalleeFlexibleAccessPath | User.find |
| index.js:20:13:20:31 | { 'isAdmin': true } | InputAccessPathFromCallee | |
| index.js:20:13:20:31 | { 'isAdmin': true } | InputArgumentIndex | 0 |
| index.js:20:13:20:31 | { 'isAdmin': true } | assignedToPropName | |
| index.js:20:13:20:31 | { 'isAdmin': true } | calleeImports | mongoose |
| index.js:20:13:20:31 | { 'isAdmin': true } | contextFunctionInterfaces | constantExpression()\neffectiveSinkAndNotASink(foo)\nflowFromSourceToNotASink()\nflowFromSourceToSink()\nidentity(x)\nnotASink()\nnotASinkMultipleReasons()\nnotConstantExpression()\nnotFlowFromSource()\nveryLongFunctionBody() |
| index.js:20:13:20:31 | { 'isAdmin': true } | contextSurroundingFunctionParameters | () |
| index.js:20:13:20:31 | { 'isAdmin': true } | enclosingFunctionBody | User find isAdmin true |
| index.js:20:13:20:31 | { 'isAdmin': true } | enclosingFunctionName | notFlowFromSource |
| index.js:20:13:20:31 | { 'isAdmin': true } | fileImports | express mongoose |
| index.js:20:13:20:31 | { 'isAdmin': true } | receiverName | User |
| index.js:20:13:20:31 | { 'isAdmin': true } | stringConcatenatedWith | |
| index.js:20:26:20:29 | true | CalleeFlexibleAccessPath | User.find |
| index.js:20:26:20:29 | true | InputAccessPathFromCallee | 0.isAdmin |
| index.js:20:26:20:29 | true | InputArgumentIndex | 0 |
| index.js:20:26:20:29 | true | assignedToPropName | isAdmin |
| index.js:20:26:20:29 | true | calleeImports | mongoose |
| index.js:20:26:20:29 | true | contextFunctionInterfaces | constantExpression()\neffectiveSinkAndNotASink(foo)\nflowFromSourceToNotASink()\nflowFromSourceToSink()\nidentity(x)\nnotASink()\nnotASinkMultipleReasons()\nnotConstantExpression()\nnotFlowFromSource()\nveryLongFunctionBody() |
| index.js:20:26:20:29 | true | contextSurroundingFunctionParameters | () |
| index.js:20:26:20:29 | true | enclosingFunctionBody | User find isAdmin true |
| index.js:20:26:20:29 | true | enclosingFunctionName | notFlowFromSource |
| index.js:20:26:20:29 | true | fileImports | express mongoose |
| index.js:20:26:20:29 | true | receiverName | |
| index.js:20:26:20:29 | true | stringConcatenatedWith | |
| index.js:24:13:24:22 | "constant" | CalleeFlexibleAccessPath | User.find |
| index.js:24:13:24:22 | "constant" | InputAccessPathFromCallee | |
| index.js:24:13:24:22 | "constant" | InputArgumentIndex | 0 |
| index.js:24:13:24:22 | "constant" | assignedToPropName | |
| index.js:24:13:24:22 | "constant" | calleeImports | mongoose |
| index.js:24:13:24:22 | "constant" | contextFunctionInterfaces | constantExpression()\neffectiveSinkAndNotASink(foo)\nflowFromSourceToNotASink()\nflowFromSourceToSink()\nidentity(x)\nnotASink()\nnotASinkMultipleReasons()\nnotConstantExpression()\nnotFlowFromSource()\nveryLongFunctionBody() |
| index.js:24:13:24:22 | "constant" | contextSurroundingFunctionParameters | () |
| index.js:24:13:24:22 | "constant" | enclosingFunctionBody | User find constant |
| index.js:24:13:24:22 | "constant" | enclosingFunctionName | constantExpression |
| index.js:24:13:24:22 | "constant" | fileImports | express mongoose |
| index.js:24:13:24:22 | "constant" | receiverName | User |
| index.js:24:13:24:22 | "constant" | stringConcatenatedWith | |
| index.js:28:13:28:28 | UNDEFINED_GLOBAL | CalleeFlexibleAccessPath | User.find |
| index.js:28:13:28:28 | UNDEFINED_GLOBAL | InputAccessPathFromCallee | |
| index.js:28:13:28:28 | UNDEFINED_GLOBAL | InputArgumentIndex | 0 |
| index.js:28:13:28:28 | UNDEFINED_GLOBAL | assignedToPropName | |
| index.js:28:13:28:28 | UNDEFINED_GLOBAL | calleeImports | mongoose |
| index.js:28:13:28:28 | UNDEFINED_GLOBAL | contextFunctionInterfaces | constantExpression()\neffectiveSinkAndNotASink(foo)\nflowFromSourceToNotASink()\nflowFromSourceToSink()\nidentity(x)\nnotASink()\nnotASinkMultipleReasons()\nnotConstantExpression()\nnotFlowFromSource()\nveryLongFunctionBody() |
| index.js:28:13:28:28 | UNDEFINED_GLOBAL | contextSurroundingFunctionParameters | () |
| index.js:28:13:28:28 | UNDEFINED_GLOBAL | enclosingFunctionBody | User find UNDEFINED_GLOBAL |
| index.js:28:13:28:28 | UNDEFINED_GLOBAL | enclosingFunctionName | notConstantExpression |
| index.js:28:13:28:28 | UNDEFINED_GLOBAL | fileImports | express mongoose |
| index.js:28:13:28:28 | UNDEFINED_GLOBAL | receiverName | User |
| index.js:28:13:28:28 | UNDEFINED_GLOBAL | stringConcatenatedWith | |
| index.js:32:15:32:24 | "someData" | CalleeFlexibleAccessPath | console.log |
| index.js:32:15:32:24 | "someData" | InputAccessPathFromCallee | |
| index.js:32:15:32:24 | "someData" | InputArgumentIndex | 0 |
| index.js:32:15:32:24 | "someData" | assignedToPropName | |
| index.js:32:15:32:24 | "someData" | calleeImports | |
| index.js:32:15:32:24 | "someData" | contextFunctionInterfaces | constantExpression()\neffectiveSinkAndNotASink(foo)\nflowFromSourceToNotASink()\nflowFromSourceToSink()\nidentity(x)\nnotASink()\nnotASinkMultipleReasons()\nnotConstantExpression()\nnotFlowFromSource()\nveryLongFunctionBody() |
| index.js:32:15:32:24 | "someData" | contextSurroundingFunctionParameters | () |
| index.js:32:15:32:24 | "someData" | enclosingFunctionBody | console log someData |
| index.js:32:15:32:24 | "someData" | enclosingFunctionName | notASink |
| index.js:32:15:32:24 | "someData" | fileImports | express mongoose |
| index.js:32:15:32:24 | "someData" | receiverName | console |
| index.js:32:15:32:24 | "someData" | stringConcatenatedWith | |
| index.js:36:20:36:22 | "a" | CalleeFlexibleAccessPath | ?.startsWith |
| index.js:36:20:36:22 | "a" | InputAccessPathFromCallee | |
| index.js:36:20:36:22 | "a" | InputArgumentIndex | 0 |
| index.js:36:20:36:22 | "a" | assignedToPropName | |
| index.js:36:20:36:22 | "a" | calleeImports | |
| index.js:36:20:36:22 | "a" | contextFunctionInterfaces | constantExpression()\neffectiveSinkAndNotASink(foo)\nflowFromSourceToNotASink()\nflowFromSourceToSink()\nidentity(x)\nnotASink()\nnotASinkMultipleReasons()\nnotConstantExpression()\nnotFlowFromSource()\nveryLongFunctionBody() |
| index.js:36:20:36:22 | "a" | contextSurroundingFunctionParameters | () |
| index.js:36:20:36:22 | "a" | enclosingFunctionBody | abc startsWith a |
| index.js:36:20:36:22 | "a" | enclosingFunctionName | notASinkMultipleReasons |
| index.js:36:20:36:22 | "a" | fileImports | express mongoose |
| index.js:36:20:36:22 | "a" | receiverName | |
| index.js:36:20:36:22 | "a" | stringConcatenatedWith | |
| index.js:41:13:68:61 | "a" + " ... " + "a" | CalleeFlexibleAccessPath | User.find |
| index.js:41:13:68:61 | "a" + " ... " + "a" | InputAccessPathFromCallee | |
| index.js:41:13:68:61 | "a" + " ... " + "a" | InputArgumentIndex | 0 |
| index.js:41:13:68:61 | "a" + " ... " + "a" | assignedToPropName | |
| index.js:41:13:68:61 | "a" + " ... " + "a" | calleeImports | mongoose |
| index.js:41:13:68:61 | "a" + " ... " + "a" | contextFunctionInterfaces | constantExpression()\neffectiveSinkAndNotASink(foo)\nflowFromSourceToNotASink()\nflowFromSourceToSink()\nidentity(x)\nnotASink()\nnotASinkMultipleReasons()\nnotConstantExpression()\nnotFlowFromSource()\nveryLongFunctionBody() |
| index.js:41:13:68:61 | "a" + " ... " + "a" | contextSurroundingFunctionParameters | () |
| index.js:41:13:68:61 | "a" + " ... " + "a" | enclosingFunctionBody | |
| index.js:41:13:68:61 | "a" + " ... " + "a" | enclosingFunctionName | veryLongFunctionBody |
| index.js:41:13:68:61 | "a" + " ... " + "a" | fileImports | express mongoose |
| index.js:41:13:68:61 | "a" + " ... " + "a" | receiverName | User |
| index.js:41:13:68:61 | "a" + " ... " + "a" | stringConcatenatedWith | |
| index.js:78:30:78:39 | "someData" | CalleeFlexibleAccessPath | console.log |
| index.js:78:30:78:39 | "someData" | InputAccessPathFromCallee | |
| index.js:78:30:78:39 | "someData" | InputArgumentIndex | 0 |
| index.js:78:30:78:39 | "someData" | assignedToPropName | |
| index.js:78:30:78:39 | "someData" | calleeImports | |
| index.js:78:30:78:39 | "someData" | contextFunctionInterfaces | constantExpression()\neffectiveSinkAndNotASink(foo)\nflowFromSourceToNotASink()\nflowFromSourceToSink()\nidentity(x)\nnotASink()\nnotASinkMultipleReasons()\nnotConstantExpression()\nnotFlowFromSource()\nveryLongFunctionBody() |
| index.js:78:30:78:39 | "someData" | contextSurroundingFunctionParameters | () |
| index.js:78:30:78:39 | "someData" | enclosingFunctionBody | console log someData |
| index.js:78:30:78:39 | "someData" | enclosingFunctionName | identity#functionalargument |
| index.js:78:30:78:39 | "someData" | fileImports | express mongoose |
| index.js:78:30:78:39 | "someData" | receiverName | console |
| index.js:78:30:78:39 | "someData" | stringConcatenatedWith | |
| index.js:83:10:85:3 | {\\n " ... ar,\\n } | CalleeFlexibleAccessPath | $.ajax |
| index.js:83:10:85:3 | {\\n " ... ar,\\n } | InputAccessPathFromCallee | |
| index.js:83:10:85:3 | {\\n " ... ar,\\n } | InputArgumentIndex | 0 |
| index.js:83:10:85:3 | {\\n " ... ar,\\n } | assignedToPropName | |
| index.js:83:10:85:3 | {\\n " ... ar,\\n } | calleeImports | |
| index.js:83:10:85:3 | {\\n " ... ar,\\n } | contextFunctionInterfaces | constantExpression()\neffectiveSinkAndNotASink(foo)\nflowFromSourceToNotASink()\nflowFromSourceToSink()\nidentity(x)\nnotASink()\nnotASinkMultipleReasons()\nnotConstantExpression()\nnotFlowFromSource()\nveryLongFunctionBody() |
| index.js:83:10:85:3 | {\\n " ... ar,\\n } | contextSurroundingFunctionParameters | (foo) |
| index.js:83:10:85:3 | {\\n " ... ar,\\n } | enclosingFunctionBody | foo $ ajax url foo bar |
| index.js:83:10:85:3 | {\\n " ... ar,\\n } | enclosingFunctionName | effectiveSinkAndNotASink |
| index.js:83:10:85:3 | {\\n " ... ar,\\n } | fileImports | express mongoose |
| index.js:83:10:85:3 | {\\n " ... ar,\\n } | receiverName | $ |
| index.js:83:10:85:3 | {\\n " ... ar,\\n } | stringConcatenatedWith | |
| index.js:84:12:84:18 | foo.bar | CalleeFlexibleAccessPath | $.ajax |
| index.js:84:12:84:18 | foo.bar | InputAccessPathFromCallee | 0.url |
| index.js:84:12:84:18 | foo.bar | InputArgumentIndex | 0 |
| index.js:84:12:84:18 | foo.bar | assignedToPropName | url |
| index.js:84:12:84:18 | foo.bar | calleeImports | |
| index.js:84:12:84:18 | foo.bar | contextFunctionInterfaces | constantExpression()\neffectiveSinkAndNotASink(foo)\nflowFromSourceToNotASink()\nflowFromSourceToSink()\nidentity(x)\nnotASink()\nnotASinkMultipleReasons()\nnotConstantExpression()\nnotFlowFromSource()\nveryLongFunctionBody() |
| index.js:84:12:84:18 | foo.bar | contextSurroundingFunctionParameters | (foo) |
| index.js:84:12:84:18 | foo.bar | enclosingFunctionBody | foo $ ajax url foo bar |
| index.js:84:12:84:18 | foo.bar | enclosingFunctionName | effectiveSinkAndNotASink |
| index.js:84:12:84:18 | foo.bar | fileImports | express mongoose |
| index.js:84:12:84:18 | foo.bar | receiverName | |
| index.js:84:12:84:18 | foo.bar | stringConcatenatedWith | |


@@ -1,3 +1,10 @@
## 0.3.1
### Minor Analysis Improvements
- Several of the SQL and NoSQL library models have improved, leading to more results for the `js/sql-injection` query,
and in some cases the `js/missing-rate-limiting` query.
## 0.3.0
### Breaking Changes


@@ -1,6 +1,6 @@
---
category: minorAnalysis
---
## 0.3.1
### Minor Analysis Improvements
- Several of the SQL and NoSQL library models have improved, leading to more results for the `js/sql-injection` query,
and in some cases the `js/missing-rate-limiting` query.


@@ -1,2 +1,2 @@
---
lastReleaseVersion: 0.3.0
lastReleaseVersion: 0.3.1


@@ -1,5 +1,5 @@
name: codeql/javascript-all
version: 0.3.1-dev
version: 0.3.2-dev
groups: javascript
dbscheme: semmlecode.javascript.dbscheme
extractor: javascript


@@ -93,6 +93,9 @@ module Actions {
/** Gets the value of the `if` field in this job, if any. */
JobIf getIf() { result.getJob() = this }
/** Gets the value of the `runs-on` field in this job. */
JobRunson getRunsOn() { result.getJob() = this }
}
/**
@@ -108,6 +111,19 @@ module Actions {
Job getJob() { result = job }
}
/**
* A `runs-on` within a job.
* See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idruns-on.
*/
class JobRunson extends YamlNode, YamlScalar {
Job job;
JobRunson() { job.lookup("runs-on") = this }
/** Gets the step this field belongs to. */
Job getJob() { result = job }
}
/**
* A step within an Actions job.
* See https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#jobsjob_idsteps.
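Review bot: The doc comment on `JobRunson.getJob()` says `/** Gets the step this field belongs to. */`, but a `runs-on` field belongs to a job, not a step; it should read `/** Gets the job this field belongs to. */` (the wording looks copied from a sibling class). The class name `JobRunson` also does not match the camel-casing of the accessor `getRunsOn()` added in the first hunk; `JobRunsOn` would be consistent, or, if the name is kept, a one-line comment on the class explaining the spelling would help. The `Job` class that gains `getRunsOn()` starts outside the hunk.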


@@ -70,7 +70,7 @@ class JsxElement extends JsxNode {
override string getAPrimaryQlClass() { result = "JsxElement" }
/**
* Holds if this JSX element is a HTML element.
* Holds if this JSX element is an HTML element.
* That is, the name starts with a lowercase letter.
*/
predicate isHtmlElement() { getName().regexpMatch("[a-z].*") }


@@ -161,7 +161,7 @@ private module PrintJavaScript {
/**
* A print node representing an `ASTNode`.
*
* Provides a default implemention that works for some (but not all) ASTNode's.
* Provides a default implementation that works for some (but not all) ASTNode's.
* More specific subclasses can override this class to get more specific behavior.
*
* The more specific subclasses are mostly used aggregate the children of the `ASTNode`.


@@ -711,13 +711,31 @@ module TaintTracking {
}
}
/**
* Gets a local source of any part of the input to the given stringification `call`.
*/
pragma[nomagic]
private DataFlow::Node getAJsonLocalInput(JsonStringifyCall call) {
result = call.getInput()
or
exists(DataFlow::SourceNode source |
source = pragma[only_bind_out](getAJsonLocalInput(call)).getALocalSource()
|
result = source.getAPropertyWrite().getRhs()
or
result = source.(DataFlow::ObjectLiteralNode).getASpreadProperty()
or
result = source.(DataFlow::ArrayCreationNode).getASpreadArgument()
)
}
/**
* A taint propagating data flow edge arising from JSON unparsing.
*/
private class JsonStringifyTaintStep extends SharedTaintStep {
override predicate serializeStep(DataFlow::Node pred, DataFlow::Node succ) {
exists(JsonStringifyCall call |
pred = call.getArgument(0) and
pred = getAJsonLocalInput(call) and
succ = call
)
}
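Review bot: The doc comment on `getAJsonLocalInput` promises "a local source of any part of the input", but the results are the input itself and the right-hand sides of property writes and spread arguments on its local sources — local sources are what the recursion steps through, not what it returns; `* Gets a node whose value ends up as part of the input to the given stringification `call`: the input itself, or a value written or spread into one of its local sources.` would describe it accurately. Also, `getAPropertyWrite()` is not ordered relative to the call, so a property write that happens after `JSON.stringify` (or on another path) is treated as part of the input too; if that over-approximation is intended, a comment such as `// Property writes are not ordered relative to the call, so writes after the call are also treated as input.` would save the next reader from re-deriving it. The `JsonStringifyTaintStep` class closes outside the hunk.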


@@ -671,7 +671,7 @@ module ClientRequest {
}
/**
* Gets the response type corresponding to `getReponse()` but not
* Gets the response type corresponding to `getResponse()` but not
* for explicitly typed calls like `getResponseJson()`.
*/
string getAssignedResponseType() {


@@ -7,7 +7,7 @@ import javascript
/**
* Provides classes implementing data-flow for Immutable.
*
* The implemention rely on the flowsteps implemented in `Collections.qll`.
* The implementation rely on the flowsteps implemented in `Collections.qll`.
*/
private module Immutable {
/**
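Review bot: The corrected doc line still has a subject–verb agreement error ("The implementation rely on"); it should read `* The implementation relies on the flow steps implemented in `Collections.qll`.` The `Immutable` module body continues outside the hunk.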


@@ -544,7 +544,7 @@ private API::Node getNodeFromSubPath(API::Node base, AccessPath subPath) {
}
/** Gets the node identified by the given `(package, type, path)` tuple. */
API::Node getNodeFromPath(string package, string type, AccessPath path) {
private API::Node getNodeFromPath(string package, string type, AccessPath path) {
result = getNodeFromPath(package, type, path, path.getNumToken())
}
@@ -567,7 +567,9 @@ private predicate typeStep(API::Node pred, API::Node succ) {
*
* Unlike `getNodeFromPath`, the `path` may end with one or more call-site filters.
*/
Specific::InvokeNode getInvocationFromPath(string package, string type, AccessPath path, int n) {
private Specific::InvokeNode getInvocationFromPath(
string package, string type, AccessPath path, int n
) {
result = Specific::getAnInvocationOf(getNodeFromPath(package, type, path, n))
or
result = getInvocationFromPath(package, type, path, n - 1) and
@@ -575,7 +577,7 @@ Specific::InvokeNode getInvocationFromPath(string package, string type, AccessPa
}
/** Gets an invocation identified by the given `(package, type, path)` tuple. */
Specific::InvokeNode getInvocationFromPath(string package, string type, AccessPath path) {
private Specific::InvokeNode getInvocationFromPath(string package, string type, AccessPath path) {
result = getInvocationFromPath(package, type, path, path.getNumToken())
}
@@ -583,7 +585,7 @@ Specific::InvokeNode getInvocationFromPath(string package, string type, AccessPa
* Holds if `name` is a valid name for an access path token in the identifying access path.
*/
bindingset[name]
predicate isValidTokenNameInIdentifyingAccessPath(string name) {
private predicate isValidTokenNameInIdentifyingAccessPath(string name) {
name = ["Argument", "Parameter", "ReturnValue", "WithArity", "TypeVar"]
or
Specific::isExtraValidTokenNameInIdentifyingAccessPath(name)
@@ -594,7 +596,7 @@ predicate isValidTokenNameInIdentifyingAccessPath(string name) {
* in an identifying access path.
*/
bindingset[name]
predicate isValidNoArgumentTokenInIdentifyingAccessPath(string name) {
private predicate isValidNoArgumentTokenInIdentifyingAccessPath(string name) {
name = "ReturnValue"
or
Specific::isExtraValidNoArgumentTokenInIdentifyingAccessPath(name)
@@ -605,7 +607,7 @@ predicate isValidNoArgumentTokenInIdentifyingAccessPath(string name) {
* in an identifying access path.
*/
bindingset[name, argument]
predicate isValidTokenArgumentInIdentifyingAccessPath(string name, string argument) {
private predicate isValidTokenArgumentInIdentifyingAccessPath(string name, string argument) {
name = ["Argument", "Parameter"] and
argument.regexpMatch("(N-|-)?\\d+(\\.\\.((N-|-)?\\d+)?)?")
or
@@ -622,51 +624,61 @@ predicate isValidTokenArgumentInIdentifyingAccessPath(string name, string argume
* Module providing access to the imported models in terms of API graph nodes.
*/
module ModelOutput {
/**
* Holds if a CSV source model contributed `source` with the given `kind`.
*/
API::Node getASourceNode(string kind) {
exists(string package, string type, string path |
sourceModel(package, type, path, kind) and
result = getNodeFromPath(package, type, path)
)
cached
private module Cached {
/**
* Holds if a CSV source model contributed `source` with the given `kind`.
*/
cached
API::Node getASourceNode(string kind) {
exists(string package, string type, string path |
sourceModel(package, type, path, kind) and
result = getNodeFromPath(package, type, path)
)
}
/**
* Holds if a CSV sink model contributed `sink` with the given `kind`.
*/
cached
API::Node getASinkNode(string kind) {
exists(string package, string type, string path |
sinkModel(package, type, path, kind) and
result = getNodeFromPath(package, type, path)
)
}
/**
* Holds if a relevant CSV summary exists for these parameters.
*/
cached
predicate relevantSummaryModel(
string package, string type, string path, string input, string output, string kind
) {
isRelevantPackage(package) and
summaryModel(package, type, path, input, output, kind)
}
/**
* Holds if a `baseNode` is an invocation identified by the `package,type,path` part of a summary row.
*/
cached
predicate resolvedSummaryBase(
string package, string type, string path, Specific::InvokeNode baseNode
) {
summaryModel(package, type, path, _, _, _) and
baseNode = getInvocationFromPath(package, type, path)
}
/**
* Holds if `node` is seen as an instance of `(package,type)` due to a type definition
* contributed by a CSV model.
*/
cached
API::Node getATypeNode(string package, string type) { result = getNodeFromType(package, type) }
}
/**
* Holds if a CSV sink model contributed `sink` with the given `kind`.
*/
API::Node getASinkNode(string kind) {
exists(string package, string type, string path |
sinkModel(package, type, path, kind) and
result = getNodeFromPath(package, type, path)
)
}
/**
* Holds if a relevant CSV summary exists for these parameters.
*/
predicate relevantSummaryModel(
string package, string type, string path, string input, string output, string kind
) {
isRelevantPackage(package) and
summaryModel(package, type, path, input, output, kind)
}
/**
* Holds if a `baseNode` is an invocation identified by the `package,type,path` part of a summary row.
*/
predicate resolvedSummaryBase(
string package, string type, string path, Specific::InvokeNode baseNode
) {
summaryModel(package, type, path, _, _, _) and
baseNode = getInvocationFromPath(package, type, path)
}
/**
* Holds if `node` is seen as an instance of `(package,type)` due to a type definition
* contributed by a CSV model.
*/
API::Node getATypeNode(string package, string type) { result = getNodeFromType(package, type) }
import Cached
/**
* Gets an error message relating to an invalid CSV row in a model.
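Review bot: The doc comments moved into the `Cached` module were copied verbatim and still use predicate phrasing for functions: `getASourceNode` and `getASinkNode` are documented as "Holds if a CSV source model contributed `source` with the given `kind`" (and likewise `sink`), but neither `source` nor `sink` is a parameter and the members return an `API::Node`. Suggested wording: `* Gets an API node that a CSV source model contributed as a source with the given `kind`.`, the analogous sentence for the sink, and for `getATypeNode`: `* Gets the API node that is seen as an instance of `(package, type)` due to a type definition contributed by a CSV model.` The `ModelOutput` module continues outside the hunk.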


@@ -1,5 +1,5 @@
/**
* Provides precicates for reasoning about bad tag filter vulnerabilities.
* Provides predicates for reasoning about bad tag filter vulnerabilities.
*/
import regexp.RegexpMatching
@@ -65,7 +65,7 @@ predicate isBadRegexpFilter(HtmlMatchingRegExp regexp, string msg) {
regexp.matches("<!-- foo --!>") and
exists(int a, int b | a != b |
regexp.fillsCaptureGroup("<!-- foo -->", a) and
// <!-- foo --> might be ambigously parsed (matching both capture groups), and that is ok here.
// <!-- foo --> might be ambiguously parsed (matching both capture groups), and that is ok here.
regexp.fillsCaptureGroup("<!-- foo --!>", b) and
not regexp.fillsCaptureGroup("<!-- foo --!>", a) and
msg =
@@ -87,7 +87,7 @@ predicate isBadRegexpFilter(HtmlMatchingRegExp regexp, string msg) {
not regexp.fillsCaptureGroup("<script>", group) and
msg =
"This regular expression only parses --> (capture group " + group +
") and not --!> as a HTML comment end tag."
") and not --!> as an HTML comment end tag."
)
or
regexp.matches("<!-- foo -->") and


@@ -80,7 +80,7 @@ module HtmlSanitization {
}
/**
* Gets a HTML-relevant character that is replaced by `chain`.
* Gets an HTML-relevant character that is replaced by `chain`.
*/
private string getALikelyReplacedCharacter(StringReplaceCallSequence chain) {
result = "\"" and


@@ -35,7 +35,7 @@ private DangerousPrefixSubstring getADangerousMatchedChar(EmptyReplaceRegExpTerm
or
result = t.getAMatchedString()
or
// A substring matched by some character class. This is only used to match the "word" part of a HTML tag (e.g. "iframe" in "<iframe").
// A substring matched by some character class. This is only used to match the "word" part of an HTML tag (e.g. "iframe" in "<iframe").
exists(NfaUtils::CharacterClass cc |
cc = NfaUtils::getCanonicalCharClass(t) and
cc.matches(result) and
@@ -101,12 +101,12 @@ private class RepetitionMatcher extends EmptyReplaceRegExpTerm {
predicate matchesDangerousPrefix(EmptyReplaceRegExpTerm t, string prefix, string kind) {
prefix = getADangerousMatchedPrefix(t) and
(
kind = "path injection" and
kind = "a path injection vulnerability" and
prefix = ["/..", "../"] and
// If the regex is matching explicit path components, it is unlikely that it's being used as a sanitizer.
not t.getSuccessor*().getAMatchedString().regexpMatch("(?is).*[a-z0-9_-].*")
or
kind = "HTML element injection" and
kind = "an HTML element injection vulnerability" and
(
// comments
prefix = "<!--" and
@@ -119,7 +119,7 @@ predicate matchesDangerousPrefix(EmptyReplaceRegExpTerm t, string prefix, string
)
)
or
kind = "HTML attribute injection" and
kind = "an HTML attribute injection vulnerability" and
prefix =
[
// ordinary event handler prefix
@@ -197,6 +197,6 @@ query predicate problems(
) {
exists(string kind |
isResult(replace, dangerous, prefix, kind) and
msg = "This string may still contain $@, which may cause a " + kind + " vulnerability."
msg = "This string may still contain $@, which may cause " + kind + "."
)
}
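Review bot: After this change the `kind` value yielded by `matchesDangerousPrefix` carries an article and the word "vulnerability" (`"a path injection vulnerability"`), so it is now a presentation string rather than a category tag; `matchesDangerousPrefix` is not `private`, so any other predicate that matched on the old values such as `"HTML element injection"` would silently stop matching. If `kind` is only ever consumed by the `problems` message, a comment on the predicate stating that — e.g. `// kind is a human-readable noun phrase used only in alert messages; do not match on it` — would keep it from being reused as a key. The `problems` query predicate starts outside the hunk.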


@@ -26,7 +26,7 @@ module ImproperCodeSanitization {
abstract class Sanitizer extends DataFlow::Node { }
/**
* A call to a HTML sanitizer seen as a source for improper code sanitization
* A call to an HTML sanitizer seen as a source for improper code sanitization
*/
class HtmlSanitizerCallAsSource extends Source {
HtmlSanitizerCallAsSource() { this instanceof HtmlSanitizerCall }


@@ -32,7 +32,7 @@ module UnsafeJQueryPlugin {
abstract class Sanitizer extends DataFlow::Node { }
/**
* An argument that may act as a HTML fragment rather than a CSS selector, as a sink for remote unsafe jQuery plugins.
* An argument that may act as an HTML fragment rather than a CSS selector, as a sink for remote unsafe jQuery plugins.
*/
class AmbiguousHtmlOrSelectorArgument extends DataFlow::Node,
DomBasedXss::JQueryHtmlOrSelectorArgument {
@@ -173,7 +173,7 @@ module UnsafeJQueryPlugin {
}
/**
* An argument that may act as a HTML fragment rather than a CSS selector, as a sink for remote unsafe jQuery plugins.
* An argument that may act as an HTML fragment rather than a CSS selector, as a sink for remote unsafe jQuery plugins.
*/
class AmbiguousHtmlOrSelectorArgumentAsSink extends Sink {
AmbiguousHtmlOrSelectorArgumentAsSink() {
@@ -182,7 +182,7 @@ module UnsafeJQueryPlugin {
}
/**
* A hint that a value is expected to be treated as a HTML fragment later.
* A hint that a value is expected to be treated as an HTML fragment later.
*/
class IntentionalHtmlFragmentHint extends Sanitizer {
IntentionalHtmlFragmentHint() {
@@ -191,7 +191,7 @@ module UnsafeJQueryPlugin {
}
/**
* Holds if there exists a jQuery plugin that likely expects `sink` to be treated as a HTML fragment.
* Holds if there exists a jQuery plugin that likely expects `sink` to be treated as an HTML fragment.
*/
predicate isLikelyIntentionalHtmlSink(DataFlow::Node sink) {
exists(
@@ -206,7 +206,7 @@ module UnsafeJQueryPlugin {
}
/**
* Gets a property-write that writes a HTML-like constant string to `prop`.
* Gets a property-write that writes an HTML-like constant string to `prop`.
*/
pragma[noinline]
private DataFlow::PropWrite getALikelyHtmlWrite(string prop) {


@@ -65,7 +65,7 @@ module Shared {
private import semmle.javascript.security.dataflow.IncompleteHtmlAttributeSanitizationCustomizations::IncompleteHtmlAttributeSanitization as IncompleteHtml
/**
* A guard that checks if a string can contain quotes, which is a guard for strings that are inside a HTML attribute.
* A guard that checks if a string can contain quotes, which is a guard for strings that are inside an HTML attribute.
*/
abstract class QuoteGuard extends TaintTracking::SanitizerGuardNode, StringOps::Includes {
QuoteGuard() {


@@ -202,7 +202,7 @@ private predicate isFork(State q, InputSymbol s1, InputSymbol s2, State r1, Stat
//
// We additionally require that the there exists another InfiniteRepetitionQuantifier `mid` on the path from `q` to itself.
// This is done to avoid flagging regular expressions such as `/(a?)*b/` - that only has polynomial runtime, and is detected by `js/polynomial-redos`.
// The below code is therefore a heuritic, that only flags regular expressions such as `/(a*)*b/`,
// The below code is therefore a heuristic, that only flags regular expressions such as `/(a*)*b/`,
// and does not flag regular expressions such as `/(a?b?)c/`, but the latter pattern is not used frequently.
r1 = r2 and
q1 = q2 and


@@ -59,8 +59,8 @@ predicate matchesEpsilon(RegExpTerm t) {
/**
* A lookahead/lookbehind that matches the empty string.
*/
class EmptyPositiveSubPatttern extends RegExpSubPattern {
EmptyPositiveSubPatttern() {
class EmptyPositiveSubPattern extends RegExpSubPattern {
EmptyPositiveSubPattern() {
(
this instanceof RegExpPositiveLookahead
or
@@ -70,6 +70,9 @@ class EmptyPositiveSubPatttern extends RegExpSubPattern {
}
}
/** DEPRECATED: Use `EmptyPositiveSubPattern` instead. */
deprecated class EmptyPositiveSubPatttern = EmptyPositiveSubPattern;
/**
* A branch in a disjunction that is the root node in a literal, or a literal
* whose root node is not a disjunction.
@@ -133,7 +136,7 @@ private predicate isCanonicalTerm(RelevantRegExpTerm term, string str) {
}
/**
* Gets a string reperesentation of the flags used with the regular expression.
* Gets a string representation of the flags used with the regular expression.
* Only the flags that are relevant for the canonicalization are included.
*/
string getCanonicalizationFlags(RegExpTerm root) {
@@ -334,7 +337,7 @@ private module CharacterClasses {
)
}
private string lowercaseLetter() { result = "abdcefghijklmnopqrstuvwxyz".charAt(_) }
private string lowercaseLetter() { result = "abcdefghijklmnopqrstuvwxyz".charAt(_) }
private string upperCaseLetter() { result = "ABCDEFGHIJKLMNOPQRSTUVWXYZ".charAt(_) }
@@ -697,9 +700,7 @@ predicate delta(State q1, EdgeLabel lbl, State q2) {
lbl = Epsilon() and q2 = Accept(getRoot(dollar))
)
or
exists(EmptyPositiveSubPatttern empty | q1 = before(empty) |
lbl = Epsilon() and q2 = after(empty)
)
exists(EmptyPositiveSubPattern empty | q1 = before(empty) | lbl = Epsilon() and q2 = after(empty))
}
/**
@@ -1028,7 +1029,7 @@ module ReDoSPruning<isCandidateSig/2 isCandidate> {
* as the suffix "X" will cause both the regular expressions to be rejected.
*
* The string `w` is repeated any number of times because it needs to be
* infinitely repeatedable for the attack to work.
* infinitely repeatable for the attack to work.
* For the regular expression `/((ab)+)*abab/` the accepting state is not reachable from the fork
* using epsilon transitions. But any attempt at repeating `w` will end in a state that accepts all suffixes.
*/


@@ -5,7 +5,7 @@
import javascript
/**
* Holds if `term` is an ecape class representing e.g. `\d`.
* Holds if `term` is an escape class representing e.g. `\d`.
* `clazz` is which character class it represents, e.g. "d" for `\d`.
*/
predicate isEscapeClass(RegExpTerm term, string clazz) {
@@ -20,13 +20,13 @@ predicate isPossessive(RegExpQuantifier term) { none() }
/**
* Holds if the regex that `term` is part of is used in a way that ignores any leading prefix of the input it's matched against.
* Not yet implemented for Javascript.
* Not yet implemented for JavaScript.
*/
predicate matchesAnyPrefix(RegExpTerm term) { any() }
/**
* Holds if the regex that `term` is part of is used in a way that ignores any trailing suffix of the input it's matched against.
* Not yet implemented for Javascript.
* Not yet implemented for JavaScript.
*/
predicate matchesAnySuffix(RegExpTerm term) { any() }


@@ -1,5 +1,5 @@
/**
* Provides precicates for reasoning about which strings are matched by a regular expression,
* Provides predicates for reasoning about which strings are matched by a regular expression,
* and for testing which capture groups are filled when a particular regexp matches a string.
*/


@@ -76,7 +76,7 @@ class StateTuple extends TStateTuple {
StateTuple() { this = MkStateTuple(q1, q2, q3) }
/**
* Gest a string repesentation of this tuple.
* Gest a string representation of this tuple.
*/
string toString() { result = "(" + q1 + ", " + q2 + ", " + q3 + ")" }
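Review bot: The corrected doc line still has a typo in its first word ("Gest"); it should read `* Gets a string representation of this tuple.` The `StateTuple` class starts outside the hunk.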


@@ -1,3 +1,7 @@
## 0.4.1
No user-facing changes.
## 0.4.0
### Minor Analysis Improvements
@@ -119,7 +123,7 @@
### New Queries
* A new query, `js/unsafe-code-construction`, has been added to the query suite, highlighting libraries that may leave clients vulnerable to arbitary code execution.
* A new query, `js/unsafe-code-construction`, has been added to the query suite, highlighting libraries that may leave clients vulnerable to arbitrary code execution.
The query is not run by default.
* A new query `js/file-system-race` has been added. The query detects when there is time between a file being checked and used. The query is not run by default.
* A new query `js/jwt-missing-verification` has been added. The query detects applications that don't verify JWT tokens.


@@ -3,6 +3,7 @@
* @description Lists all files in the source code directory that were extracted without encountering an error in the file.
* @kind diagnostic
* @id js/diagnostics/successfully-extracted-files
* @tags successfully-extracted-files
*/
import javascript


@@ -40,7 +40,7 @@ From context, it appears that the second binding should have been for variable <
<sample src="examples/NonLinearPatternGood.js" />
<p>
This can sometimes happen in TypeScript, due to the apparant similarity between property patterns
This can sometimes happen in TypeScript, due to the apparent similarity between property patterns
and type annotations. In the following example, the function uses a pattern parameter with properties <code>x</code>
and <code>y</code>. These appear to have type <code>number</code>, but are in fact untyped properties both stored in a variable named <code>number</code>.
</p>


@@ -44,7 +44,7 @@
<sample src="examples/unsafe-html-construction_safe.js" />
<p>
Alternatively, a HTML sanitizer can be used to remove unsafe content.
Alternatively, an HTML sanitizer can be used to remove unsafe content.
</p>
<sample src="examples/unsafe-html-construction_sanitizer.js" />


@@ -33,7 +33,7 @@ selector to determine which element should be manipulated.
<p>
However, if an attacker can control the <code>data-target</code> attribute,
then the value of <code>target</code> can be used to cause the <code>$</code> function
to execute arbitary JavaScript.
to execute arbitrary JavaScript.
</p>
<p>
The above vulnerability can be fixed by using <code>$.find</code> instead of <code>$</code>.


@@ -23,7 +23,7 @@
</p>
<p>
It is also recommended to limit the permissions of any tokens used
by a workflow such as the the GITHUB_TOKEN.
by a workflow such as the GITHUB_TOKEN.
</p>
</recommendation>


@@ -12,7 +12,7 @@
<recommendation>
<p>
If using <code>JSON.stringify</code> or a HTML sanitizer to sanitize a string inserted into
If using <code>JSON.stringify</code> or an HTML sanitizer to sanitize a string inserted into
JavaScript code, then make sure to perform additional sanitization or remove potentially
dangerous characters.
</p>


@@ -106,7 +106,7 @@ predicate useAfterCheck(FileCheck check, FileUse use) {
)
)
or
check.getBasicBlock().getASuccessor+() = use.getBasicBlock()
check.getBasicBlock().(ReachableBasicBlock).strictlyDominates(use.getBasicBlock())
}
from FileCheck check, FileUse use
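Review bot: `strictlyDominates` never holds when the check and the use are in the same basic block, because a block does not strictly dominate itself; unless the disjunct above it (whose start is outside the hunk) already covers same-block ordering, a check followed directly by the use in straight-line code would no longer be reported, which is worth pinning with a test. The replacement also intentionally drops reports where the check guards the use on only some paths, so a why-comment would help readers: `// Require the check to dominate the use: only report uses that every path reaches through the check.` The enclosing predicate `useAfterCheck` starts outside the hunk.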


@@ -4,7 +4,7 @@
<qhelp>
<overview>
<p>
Downloading executeables or other sensitive files over an unencrypted connection
Downloading executables or other sensitive files over an unencrypted connection
can leave a server open to man-in-the-middle attacks (MITM).
Such an attack can allow an attacker to insert arbitrary content
into the downloaded file, and in the worst case, allow the attacker to execute


@@ -17,7 +17,7 @@ longer needed, remove it.
</p>
<p>
If the check is needed to guard against <code>NaN</code> values, insert a comment explaning the possibility of <code>NaN</code>.
If the check is needed to guard against <code>NaN</code> values, insert a comment explaining the possibility of <code>NaN</code>.
</p>
</recommendation>


@@ -0,0 +1,4 @@
---
category: minorAnalysis
---
* Removed some false positives from the `js/file-system-race` query by requiring that the file-check dominates the file-access.


@@ -0,0 +1,4 @@
---
category: minorAnalysis
---
* Improved taint tracking through `JSON.stringify` in cases where a tainted value is stored somewhere in the input object.


@@ -2,7 +2,7 @@
### New Queries
* A new query, `js/unsafe-code-construction`, has been added to the query suite, highlighting libraries that may leave clients vulnerable to arbitary code execution.
* A new query, `js/unsafe-code-construction`, has been added to the query suite, highlighting libraries that may leave clients vulnerable to arbitrary code execution.
The query is not run by default.
* A new query `js/file-system-race` has been added. The query detects when there is time between a file being checked and used. The query is not run by default.
* A new query `js/jwt-missing-verification` has been added. The query detects applications that don't verify JWT tokens.


@@ -0,0 +1,3 @@
## 0.4.1
No user-facing changes.


@@ -1,2 +1,2 @@
---
lastReleaseVersion: 0.4.0
lastReleaseVersion: 0.4.1


@@ -1,5 +1,5 @@
name: codeql/javascript-queries
version: 0.4.1-dev
version: 0.4.2-dev
groups:
- javascript
- queries


@@ -431,6 +431,22 @@ nodes
| jquery.js:34:5:34:25 | '<b>' + ... '</b>' |
| jquery.js:34:5:34:25 | '<b>' + ... '</b>' |
| jquery.js:34:13:34:16 | hash |
| json-stringify.jsx:5:9:5:36 | locale |
| json-stringify.jsx:5:9:5:36 | locale |
| json-stringify.jsx:5:18:5:36 | req.param("locale") |
| json-stringify.jsx:5:18:5:36 | req.param("locale") |
| json-stringify.jsx:5:18:5:36 | req.param("locale") |
| json-stringify.jsx:11:16:11:58 | `https: ... ocale}` |
| json-stringify.jsx:11:51:11:56 | locale |
| json-stringify.jsx:19:16:19:63 | `https: ... ocale}` |
| json-stringify.jsx:19:56:19:61 | locale |
| json-stringify.jsx:31:40:31:61 | JSON.st ... locale) |
| json-stringify.jsx:31:40:31:61 | JSON.st ... locale) |
| json-stringify.jsx:31:40:31:61 | JSON.st ... locale) |
| json-stringify.jsx:31:55:31:60 | locale |
| json-stringify.jsx:31:55:31:60 | locale |
| json-stringify.jsx:35:40:35:61 | JSON.st ... jsonLD) |
| json-stringify.jsx:35:40:35:61 | JSON.st ... jsonLD) |
| jwt-server.js:7:9:7:35 | taint |
| jwt-server.js:7:9:7:35 | taint |
| jwt-server.js:7:17:7:35 | req.param("wobble") |
@@ -1509,6 +1525,24 @@ edges
| jquery.js:28:5:28:26 | window. ... .search | jquery.js:28:5:28:43 | window. ... ?', '') |
| jquery.js:34:13:34:16 | hash | jquery.js:34:5:34:25 | '<b>' + ... '</b>' |
| jquery.js:34:13:34:16 | hash | jquery.js:34:5:34:25 | '<b>' + ... '</b>' |
| json-stringify.jsx:5:9:5:36 | locale | json-stringify.jsx:11:51:11:56 | locale |
| json-stringify.jsx:5:9:5:36 | locale | json-stringify.jsx:19:56:19:61 | locale |
| json-stringify.jsx:5:9:5:36 | locale | json-stringify.jsx:31:55:31:60 | locale |
| json-stringify.jsx:5:9:5:36 | locale | json-stringify.jsx:31:55:31:60 | locale |
| json-stringify.jsx:5:18:5:36 | req.param("locale") | json-stringify.jsx:5:9:5:36 | locale |
| json-stringify.jsx:5:18:5:36 | req.param("locale") | json-stringify.jsx:5:9:5:36 | locale |
| json-stringify.jsx:5:18:5:36 | req.param("locale") | json-stringify.jsx:5:9:5:36 | locale |
| json-stringify.jsx:5:18:5:36 | req.param("locale") | json-stringify.jsx:5:9:5:36 | locale |
| json-stringify.jsx:11:16:11:58 | `https: ... ocale}` | json-stringify.jsx:35:40:35:61 | JSON.st ... jsonLD) |
| json-stringify.jsx:11:16:11:58 | `https: ... ocale}` | json-stringify.jsx:35:40:35:61 | JSON.st ... jsonLD) |
| json-stringify.jsx:11:51:11:56 | locale | json-stringify.jsx:11:16:11:58 | `https: ... ocale}` |
| json-stringify.jsx:19:16:19:63 | `https: ... ocale}` | json-stringify.jsx:35:40:35:61 | JSON.st ... jsonLD) |
| json-stringify.jsx:19:16:19:63 | `https: ... ocale}` | json-stringify.jsx:35:40:35:61 | JSON.st ... jsonLD) |
| json-stringify.jsx:19:56:19:61 | locale | json-stringify.jsx:19:16:19:63 | `https: ... ocale}` |
| json-stringify.jsx:31:55:31:60 | locale | json-stringify.jsx:31:40:31:61 | JSON.st ... locale) |
| json-stringify.jsx:31:55:31:60 | locale | json-stringify.jsx:31:40:31:61 | JSON.st ... locale) |
| json-stringify.jsx:31:55:31:60 | locale | json-stringify.jsx:31:40:31:61 | JSON.st ... locale) |
| json-stringify.jsx:31:55:31:60 | locale | json-stringify.jsx:31:40:31:61 | JSON.st ... locale) |
| jwt-server.js:7:9:7:35 | taint | jwt-server.js:9:16:9:20 | taint |
| jwt-server.js:7:9:7:35 | taint | jwt-server.js:9:16:9:20 | taint |
| jwt-server.js:7:17:7:35 | req.param("wobble") | jwt-server.js:7:9:7:35 | taint |
@@ -2241,6 +2275,8 @@ edges
| jquery.js:27:5:27:25 | hash.re ... #', '') | jquery.js:18:14:18:33 | window.location.hash | jquery.js:27:5:27:25 | hash.re ... #', '') | Cross-site scripting vulnerability due to $@. | jquery.js:18:14:18:33 | window.location.hash | user-provided value |
| jquery.js:28:5:28:43 | window. ... ?', '') | jquery.js:28:5:28:26 | window. ... .search | jquery.js:28:5:28:43 | window. ... ?', '') | Cross-site scripting vulnerability due to $@. | jquery.js:28:5:28:26 | window. ... .search | user-provided value |
| jquery.js:34:5:34:25 | '<b>' + ... '</b>' | jquery.js:18:14:18:33 | window.location.hash | jquery.js:34:5:34:25 | '<b>' + ... '</b>' | Cross-site scripting vulnerability due to $@. | jquery.js:18:14:18:33 | window.location.hash | user-provided value |
| json-stringify.jsx:31:40:31:61 | JSON.st ... locale) | json-stringify.jsx:5:18:5:36 | req.param("locale") | json-stringify.jsx:31:40:31:61 | JSON.st ... locale) | Cross-site scripting vulnerability due to $@. | json-stringify.jsx:5:18:5:36 | req.param("locale") | user-provided value |
| json-stringify.jsx:35:40:35:61 | JSON.st ... jsonLD) | json-stringify.jsx:5:18:5:36 | req.param("locale") | json-stringify.jsx:35:40:35:61 | JSON.st ... jsonLD) | Cross-site scripting vulnerability due to $@. | json-stringify.jsx:5:18:5:36 | req.param("locale") | user-provided value |
| jwt-server.js:11:19:11:29 | decoded.foo | jwt-server.js:7:17:7:35 | req.param("wobble") | jwt-server.js:11:19:11:29 | decoded.foo | Cross-site scripting vulnerability due to $@. | jwt-server.js:7:17:7:35 | req.param("wobble") | user-provided value |
| nodemailer.js:13:11:13:69 | `Hi, yo ... sage}.` | nodemailer.js:13:50:13:66 | req.query.message | nodemailer.js:13:11:13:69 | `Hi, yo ... sage}.` | HTML injection vulnerability due to $@. | nodemailer.js:13:50:13:66 | req.query.message | user-provided value |
| optionalSanitizer.js:6:18:6:23 | target | optionalSanitizer.js:2:16:2:39 | documen ... .search | optionalSanitizer.js:6:18:6:23 | target | Cross-site scripting vulnerability due to $@. | optionalSanitizer.js:2:16:2:39 | documen ... .search | user-provided value |


@@ -431,6 +431,22 @@ nodes
| jquery.js:34:5:34:25 | '<b>' + ... '</b>' |
| jquery.js:34:5:34:25 | '<b>' + ... '</b>' |
| jquery.js:34:13:34:16 | hash |
| json-stringify.jsx:5:9:5:36 | locale |
| json-stringify.jsx:5:9:5:36 | locale |
| json-stringify.jsx:5:18:5:36 | req.param("locale") |
| json-stringify.jsx:5:18:5:36 | req.param("locale") |
| json-stringify.jsx:5:18:5:36 | req.param("locale") |
| json-stringify.jsx:11:16:11:58 | `https: ... ocale}` |
| json-stringify.jsx:11:51:11:56 | locale |
| json-stringify.jsx:19:16:19:63 | `https: ... ocale}` |
| json-stringify.jsx:19:56:19:61 | locale |
| json-stringify.jsx:31:40:31:61 | JSON.st ... locale) |
| json-stringify.jsx:31:40:31:61 | JSON.st ... locale) |
| json-stringify.jsx:31:40:31:61 | JSON.st ... locale) |
| json-stringify.jsx:31:55:31:60 | locale |
| json-stringify.jsx:31:55:31:60 | locale |
| json-stringify.jsx:35:40:35:61 | JSON.st ... jsonLD) |
| json-stringify.jsx:35:40:35:61 | JSON.st ... jsonLD) |
| jwt-server.js:7:9:7:35 | taint |
| jwt-server.js:7:9:7:35 | taint |
| jwt-server.js:7:17:7:35 | req.param("wobble") |
@@ -1559,6 +1575,24 @@ edges
| jquery.js:28:5:28:26 | window. ... .search | jquery.js:28:5:28:43 | window. ... ?', '') |
| jquery.js:34:13:34:16 | hash | jquery.js:34:5:34:25 | '<b>' + ... '</b>' |
| jquery.js:34:13:34:16 | hash | jquery.js:34:5:34:25 | '<b>' + ... '</b>' |
| json-stringify.jsx:5:9:5:36 | locale | json-stringify.jsx:11:51:11:56 | locale |
| json-stringify.jsx:5:9:5:36 | locale | json-stringify.jsx:19:56:19:61 | locale |
| json-stringify.jsx:5:9:5:36 | locale | json-stringify.jsx:31:55:31:60 | locale |
| json-stringify.jsx:5:9:5:36 | locale | json-stringify.jsx:31:55:31:60 | locale |
| json-stringify.jsx:5:18:5:36 | req.param("locale") | json-stringify.jsx:5:9:5:36 | locale |
| json-stringify.jsx:5:18:5:36 | req.param("locale") | json-stringify.jsx:5:9:5:36 | locale |
| json-stringify.jsx:5:18:5:36 | req.param("locale") | json-stringify.jsx:5:9:5:36 | locale |
| json-stringify.jsx:5:18:5:36 | req.param("locale") | json-stringify.jsx:5:9:5:36 | locale |
| json-stringify.jsx:11:16:11:58 | `https: ... ocale}` | json-stringify.jsx:35:40:35:61 | JSON.st ... jsonLD) |
| json-stringify.jsx:11:16:11:58 | `https: ... ocale}` | json-stringify.jsx:35:40:35:61 | JSON.st ... jsonLD) |
| json-stringify.jsx:11:51:11:56 | locale | json-stringify.jsx:11:16:11:58 | `https: ... ocale}` |
| json-stringify.jsx:19:16:19:63 | `https: ... ocale}` | json-stringify.jsx:35:40:35:61 | JSON.st ... jsonLD) |
| json-stringify.jsx:19:16:19:63 | `https: ... ocale}` | json-stringify.jsx:35:40:35:61 | JSON.st ... jsonLD) |
| json-stringify.jsx:19:56:19:61 | locale | json-stringify.jsx:19:16:19:63 | `https: ... ocale}` |
| json-stringify.jsx:31:55:31:60 | locale | json-stringify.jsx:31:40:31:61 | JSON.st ... locale) |
| json-stringify.jsx:31:55:31:60 | locale | json-stringify.jsx:31:40:31:61 | JSON.st ... locale) |
| json-stringify.jsx:31:55:31:60 | locale | json-stringify.jsx:31:40:31:61 | JSON.st ... locale) |
| json-stringify.jsx:31:55:31:60 | locale | json-stringify.jsx:31:40:31:61 | JSON.st ... locale) |
| jwt-server.js:7:9:7:35 | taint | jwt-server.js:9:16:9:20 | taint |
| jwt-server.js:7:9:7:35 | taint | jwt-server.js:9:16:9:20 | taint |
| jwt-server.js:7:17:7:35 | req.param("wobble") | jwt-server.js:7:9:7:35 | taint |


@@ -0,0 +1,42 @@
var express = require("express");
var app = express();
app.get("/some/path", function (req, res) {
const locale = req.param("locale");
const breadcrumbList = [
{
"@type": "ListItem",
position: 1,
item: {
"@id": `https://example.com/some?locale=${locale}`,
name: "Some",
},
},
{
"@type": "ListItem",
position: 2,
item: {
"@id": `https://example.com/some/path?locale=${locale}`,
name: "Path",
},
},
];
const jsonLD = {
"@context": "https://schema.org",
"@type": "BreadcrumbList",
itemListElement: breadcrumbList,
};
<script
type="application/ld+json"
dangerouslySetInnerHTML={{ __html: JSON.stringify(locale) }} // NOT OK
/>;
<script
type="application/ld+json"
dangerouslySetInnerHTML={{ __html: JSON.stringify(jsonLD) }} // NOT OK
/>;
<script
type="application/ld+json"
dangerouslySetInnerHTML={{ __html: JSON.stringify({}) }} // OK
/>;
<script type="application/ld+json">{ JSON.stringify(jsonLD) }</script> // OK
});
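Review bot: The `// OK` on the last `<script>` line deserves a reason, because it renders the same `JSON.stringify(jsonLD)` value that is marked `// NOT OK` a few lines earlier; the difference is that React HTML-escapes JSX child text while `dangerouslySetInnerHTML` inserts the string raw, and stating that keeps the fixture self-explaining. The two `// NOT OK` markers could likewise say why `JSON.stringify` is not a sanitizer here: it escapes quotes and control characters but leaves `<` and `>` untouched, so a closing script tag embedded in `locale` reaches the markup unchanged. Suggested: `// NOT OK - JSON.stringify does not escape '<' or '>'` and `// OK - JSX child text is HTML-escaped by React`. `req.param` is deprecated in Express 4; `req.query.locale` would be the same kind of remote source for the query (the nodemailer test already uses `req.query.message`) without depending on a deprecated API.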


@@ -13,5 +13,5 @@
| tst.js:18:6:18:48 | <(?:!--([\\S\|\\s]*?)-->)\|([^\\/\\s>]+)[\\S\\s]*?> | Comments ending with --> are matched differently from comments ending with --!>. The first is matched with capture group 1 and comments ending with --!> are matched with capture group 2. |
| tst.js:19:6:19:147 | <(?:(?:\\/([^>]+)>)\|(?:!--([\\S\|\\s]*?)-->)\|(?:([^\\/\\s>]+)((?:\\s+[\\w\\-:.]+(?:\\s*=\\s*?(?:(?:"[^"]*")\|(?:'[^']*')\|[^\\s"'\\/>]+))?)*)[\\S\\s]*?(\\/?)>)) | Comments ending with --> are matched differently from comments ending with --!>. The first is matched with capture group 2 and comments ending with --!> are matched with capture group 3, 4. |
| tst.js:20:3:20:57 | (<[a-z\\/!$]("[^"]*"\|'[^']*'\|[^'">])*>\|<!(--.*?--\\s*)+>) | Comments ending with --> are matched differently from comments ending with --!>. The first is matched with capture group 3 and comments ending with --!> are matched with capture group 1. |
| tst.js:21:6:21:249 | <(?:(?:!--([\\w\\W]*?)-->)\|(?:!\\[CDATA\\[([\\w\\W]*?)\\]\\]>)\|(?:!DOCTYPE([\\w\\W]*?)>)\|(?:\\?([^\\s\\/<>]+) ?([\\w\\W]*?)[?/]>)\|(?:\\/([A-Za-z][A-Za-z0-9\\-_\\:\\.]*)>)\|(?:([A-Za-z][A-Za-z0-9\\-_\\:\\.]*)((?:\\s+[^"'>]+(?:(?:"[^"]*")\|(?:'[^']*')\|[^>]*))*\|\\/\|\\s+)>)) | This regular expression only parses --> (capture group 1) and not --!> as a HTML comment end tag. |
| tst.js:21:6:21:249 | <(?:(?:!--([\\w\\W]*?)-->)\|(?:!\\[CDATA\\[([\\w\\W]*?)\\]\\]>)\|(?:!DOCTYPE([\\w\\W]*?)>)\|(?:\\?([^\\s\\/<>]+) ?([\\w\\W]*?)[?/]>)\|(?:\\/([A-Za-z][A-Za-z0-9\\-_\\:\\.]*)>)\|(?:([A-Za-z][A-Za-z0-9\\-_\\:\\.]*)((?:\\s+[^"'>]+(?:(?:"[^"]*")\|(?:'[^']*')\|[^>]*))*\|\\/\|\\s+)>)) | This regular expression only parses --> (capture group 1) and not --!> as an HTML comment end tag. |
| tst.js:22:6:22:33 | <!--([\\w\\W]*?)-->\|<([^>]*?)> | Comments ending with --> are matched differently from comments ending with --!>. The first is matched with capture group 1 and comments ending with --!> are matched with capture group 2. |


@@ -1,39 +1,39 @@
| tst-multi-character-sanitization.js:3:13:3:57 | content ... gi, "") | This string may still contain $@, which may cause a HTML element injection vulnerability. | tst-multi-character-sanitization.js:3:30:3:30 | < | <script |
| tst-multi-character-sanitization.js:4:13:4:47 | content ... /g, "") | This string may still contain $@, which may cause a HTML attribute injection vulnerability. | tst-multi-character-sanitization.js:4:30:4:40 | on\\w+=".*" | on |
| tst-multi-character-sanitization.js:5:13:5:49 | content ... /g, "") | This string may still contain $@, which may cause a HTML attribute injection vulnerability. | tst-multi-character-sanitization.js:5:30:5:42 | on\\w+=\\'.*\\' | on |
| tst-multi-character-sanitization.js:9:13:9:47 | content ... gi, "") | This string may still contain $@, which may cause a HTML element injection vulnerability. | tst-multi-character-sanitization.js:9:30:9:30 | < | <script |
| tst-multi-character-sanitization.js:10:13:10:49 | content ... /g, "") | This string may still contain $@, which may cause a HTML attribute injection vulnerability. | tst-multi-character-sanitization.js:10:30:10:42 | .on\\w+=.*".*" | on |
| tst-multi-character-sanitization.js:11:13:11:51 | content ... /g, "") | This string may still contain $@, which may cause a HTML attribute injection vulnerability. | tst-multi-character-sanitization.js:11:30:11:44 | .on\\w+=.*\\'.*\\' | on |
| tst-multi-character-sanitization.js:19:3:19:35 | respons ... pt, "") | This string may still contain $@, which may cause a HTML element injection vulnerability. | tst-multi-character-sanitization.js:18:18:18:24 | <script | <script |
| tst-multi-character-sanitization.js:25:10:25:40 | text.re ... /g, "") | This string may still contain $@, which may cause a HTML element injection vulnerability. | tst-multi-character-sanitization.js:25:24:25:27 | <!-- | <!-- |
| tst-multi-character-sanitization.js:3:13:3:57 | content ... gi, "") | This string may still contain $@, which may cause an HTML element injection vulnerability. | tst-multi-character-sanitization.js:3:30:3:30 | < | <script |
| tst-multi-character-sanitization.js:4:13:4:47 | content ... /g, "") | This string may still contain $@, which may cause an HTML attribute injection vulnerability. | tst-multi-character-sanitization.js:4:30:4:40 | on\\w+=".*" | on |
| tst-multi-character-sanitization.js:5:13:5:49 | content ... /g, "") | This string may still contain $@, which may cause an HTML attribute injection vulnerability. | tst-multi-character-sanitization.js:5:30:5:42 | on\\w+=\\'.*\\' | on |
| tst-multi-character-sanitization.js:9:13:9:47 | content ... gi, "") | This string may still contain $@, which may cause an HTML element injection vulnerability. | tst-multi-character-sanitization.js:9:30:9:30 | < | <script |
| tst-multi-character-sanitization.js:10:13:10:49 | content ... /g, "") | This string may still contain $@, which may cause an HTML attribute injection vulnerability. | tst-multi-character-sanitization.js:10:30:10:42 | .on\\w+=.*".*" | on |
| tst-multi-character-sanitization.js:11:13:11:51 | content ... /g, "") | This string may still contain $@, which may cause an HTML attribute injection vulnerability. | tst-multi-character-sanitization.js:11:30:11:44 | .on\\w+=.*\\'.*\\' | on |
| tst-multi-character-sanitization.js:19:3:19:35 | respons ... pt, "") | This string may still contain $@, which may cause an HTML element injection vulnerability. | tst-multi-character-sanitization.js:18:18:18:24 | <script | <script |
| tst-multi-character-sanitization.js:25:10:25:40 | text.re ... /g, "") | This string may still contain $@, which may cause an HTML element injection vulnerability. | tst-multi-character-sanitization.js:25:24:25:27 | <!-- | <!-- |
| tst-multi-character-sanitization.js:49:13:49:43 | req.url ... EL, "") | This string may still contain $@, which may cause a path injection vulnerability. | tst-multi-character-sanitization.js:48:22:48:23 | \\/ | /.. |
| tst-multi-character-sanitization.js:49:13:49:43 | req.url ... EL, "") | This string may still contain $@, which may cause a path injection vulnerability. | tst-multi-character-sanitization.js:48:26:48:27 | \\. | ../ |
| tst-multi-character-sanitization.js:64:7:64:73 | x.repla ... /g, "") | This string may still contain $@, which may cause a HTML element injection vulnerability. | tst-multi-character-sanitization.js:64:18:64:24 | <script | <script |
| tst-multi-character-sanitization.js:66:7:66:56 | x.repla ... /g, "") | This string may still contain $@, which may cause a HTML attribute injection vulnerability. | tst-multi-character-sanitization.js:66:18:66:49 | (\\/\|\\s)on\\w+=(\\'\|")?[^"]*(\\'\|")? | on |
| tst-multi-character-sanitization.js:75:7:75:37 | x.repla ... gm, "") | This string may still contain $@, which may cause a HTML element injection vulnerability. | tst-multi-character-sanitization.js:75:18:75:21 | <!-- | <!-- |
| tst-multi-character-sanitization.js:76:7:76:35 | x.repla ... +/, "") | This string may still contain $@, which may cause a HTML attribute injection vulnerability. | tst-multi-character-sanitization.js:76:18:76:29 | \\sng-[a-z-]+ | ng- |
| tst-multi-character-sanitization.js:77:7:77:36 | x.repla ... /g, "") | This string may still contain $@, which may cause a HTML attribute injection vulnerability. | tst-multi-character-sanitization.js:77:18:77:29 | \\sng-[a-z-]+ | ng- |
| tst-multi-character-sanitization.js:81:7:81:58 | x.repla ... /g, "") | This string may still contain $@, which may cause a HTML attribute injection vulnerability. | tst-multi-character-sanitization.js:81:36:81:39 | only | on |
| tst-multi-character-sanitization.js:81:7:81:58 | x.repla ... /g, "") | This string may still contain $@, which may cause a HTML element injection vulnerability. | tst-multi-character-sanitization.js:81:18:81:24 | <script | <script |
| tst-multi-character-sanitization.js:83:7:83:63 | x.repla ... gi, "") | This string may still contain $@, which may cause a HTML element injection vulnerability. | tst-multi-character-sanitization.js:83:18:83:21 | <!-- | <!-- |
| tst-multi-character-sanitization.js:64:7:64:73 | x.repla ... /g, "") | This string may still contain $@, which may cause an HTML element injection vulnerability. | tst-multi-character-sanitization.js:64:18:64:24 | <script | <script |
| tst-multi-character-sanitization.js:66:7:66:56 | x.repla ... /g, "") | This string may still contain $@, which may cause an HTML attribute injection vulnerability. | tst-multi-character-sanitization.js:66:18:66:49 | (\\/\|\\s)on\\w+=(\\'\|")?[^"]*(\\'\|")? | on |
| tst-multi-character-sanitization.js:75:7:75:37 | x.repla ... gm, "") | This string may still contain $@, which may cause an HTML element injection vulnerability. | tst-multi-character-sanitization.js:75:18:75:21 | <!-- | <!-- |
| tst-multi-character-sanitization.js:76:7:76:35 | x.repla ... +/, "") | This string may still contain $@, which may cause an HTML attribute injection vulnerability. | tst-multi-character-sanitization.js:76:18:76:29 | \\sng-[a-z-]+ | ng- |
| tst-multi-character-sanitization.js:77:7:77:36 | x.repla ... /g, "") | This string may still contain $@, which may cause an HTML attribute injection vulnerability. | tst-multi-character-sanitization.js:77:18:77:29 | \\sng-[a-z-]+ | ng- |
| tst-multi-character-sanitization.js:81:7:81:58 | x.repla ... /g, "") | This string may still contain $@, which may cause an HTML attribute injection vulnerability. | tst-multi-character-sanitization.js:81:36:81:39 | only | on |
| tst-multi-character-sanitization.js:81:7:81:58 | x.repla ... /g, "") | This string may still contain $@, which may cause an HTML element injection vulnerability. | tst-multi-character-sanitization.js:81:18:81:24 | <script | <script |
| tst-multi-character-sanitization.js:83:7:83:63 | x.repla ... gi, "") | This string may still contain $@, which may cause an HTML element injection vulnerability. | tst-multi-character-sanitization.js:83:18:83:21 | <!-- | <!-- |
| tst-multi-character-sanitization.js:85:7:85:48 | x.repla ... /g, "") | This string may still contain $@, which may cause a path injection vulnerability. | tst-multi-character-sanitization.js:85:18:85:21 | \\x2E | ../ |
| tst-multi-character-sanitization.js:87:7:87:47 | x.repla ... gi, "") | This string may still contain $@, which may cause a HTML element injection vulnerability. | tst-multi-character-sanitization.js:87:18:87:24 | <script | <script |
| tst-multi-character-sanitization.js:92:7:96:4 | x.repla ... ";\\n }) | This string may still contain $@, which may cause a HTML element injection vulnerability. | tst-multi-character-sanitization.js:92:18:92:24 | <script | <script |
| tst-multi-character-sanitization.js:87:7:87:47 | x.repla ... gi, "") | This string may still contain $@, which may cause an HTML element injection vulnerability. | tst-multi-character-sanitization.js:87:18:87:24 | <script | <script |
| tst-multi-character-sanitization.js:92:7:96:4 | x.repla ... ";\\n }) | This string may still contain $@, which may cause an HTML element injection vulnerability. | tst-multi-character-sanitization.js:92:18:92:24 | <script | <script |
| tst-multi-character-sanitization.js:101:7:101:30 | x.repla ... /g, "") | This string may still contain $@, which may cause a path injection vulnerability. | tst-multi-character-sanitization.js:101:18:101:19 | \\. | ../ |
| tst-multi-character-sanitization.js:102:7:102:30 | x.repla ... /g, "") | This string may still contain $@, which may cause a path injection vulnerability. | tst-multi-character-sanitization.js:102:18:102:19 | \\/ | /.. |
| tst-multi-character-sanitization.js:104:7:104:58 | x.repla ... gi, "") | This string may still contain $@, which may cause a HTML element injection vulnerability. | tst-multi-character-sanitization.js:104:18:104:24 | <script | <script |
| tst-multi-character-sanitization.js:106:7:106:64 | x.repla ... gi, "") | This string may still contain $@, which may cause a HTML element injection vulnerability. | tst-multi-character-sanitization.js:106:18:106:18 | < | <script |
| tst-multi-character-sanitization.js:107:7:107:62 | x.repla ... /g, "") | This string may still contain $@, which may cause a HTML element injection vulnerability. | tst-multi-character-sanitization.js:107:18:107:19 | \\< | <script |
| tst-multi-character-sanitization.js:108:7:108:75 | x.repla ... gm, "") | This string may still contain $@, which may cause a HTML element injection vulnerability. | tst-multi-character-sanitization.js:108:18:108:18 | < | <script |
| tst-multi-character-sanitization.js:109:7:109:58 | x.repla ... gi, "") | This string may still contain $@, which may cause a HTML element injection vulnerability. | tst-multi-character-sanitization.js:109:18:109:24 | <script | <script |
| tst-multi-character-sanitization.js:110:7:110:50 | x.repla ... gi, "") | This string may still contain $@, which may cause a HTML element injection vulnerability. | tst-multi-character-sanitization.js:110:18:110:24 | <script | <script |
| tst-multi-character-sanitization.js:111:7:111:32 | x.repla ... /g, "") | This string may still contain $@, which may cause a HTML element injection vulnerability. | tst-multi-character-sanitization.js:111:20:111:23 | <!-- | <!-- |
| tst-multi-character-sanitization.js:104:7:104:58 | x.repla ... gi, "") | This string may still contain $@, which may cause an HTML element injection vulnerability. | tst-multi-character-sanitization.js:104:18:104:24 | <script | <script |
| tst-multi-character-sanitization.js:106:7:106:64 | x.repla ... gi, "") | This string may still contain $@, which may cause an HTML element injection vulnerability. | tst-multi-character-sanitization.js:106:18:106:18 | < | <script |
| tst-multi-character-sanitization.js:107:7:107:62 | x.repla ... /g, "") | This string may still contain $@, which may cause an HTML element injection vulnerability. | tst-multi-character-sanitization.js:107:18:107:19 | \\< | <script |
| tst-multi-character-sanitization.js:108:7:108:75 | x.repla ... gm, "") | This string may still contain $@, which may cause an HTML element injection vulnerability. | tst-multi-character-sanitization.js:108:18:108:18 | < | <script |
| tst-multi-character-sanitization.js:109:7:109:58 | x.repla ... gi, "") | This string may still contain $@, which may cause an HTML element injection vulnerability. | tst-multi-character-sanitization.js:109:18:109:24 | <script | <script |
| tst-multi-character-sanitization.js:110:7:110:50 | x.repla ... gi, "") | This string may still contain $@, which may cause an HTML element injection vulnerability. | tst-multi-character-sanitization.js:110:18:110:24 | <script | <script |
| tst-multi-character-sanitization.js:111:7:111:32 | x.repla ... /g, "") | This string may still contain $@, which may cause an HTML element injection vulnerability. | tst-multi-character-sanitization.js:111:20:111:23 | <!-- | <!-- |
| tst-multi-character-sanitization.js:126:7:129:34 | x\\n . ... //, "") | This string may still contain $@, which may cause a path injection vulnerability. | tst-multi-character-sanitization.js:129:21:129:22 | \\/ | /.. |
| tst-multi-character-sanitization.js:135:2:135:44 | content ... gi, "") | This string may still contain $@, which may cause a HTML element injection vulnerability. | tst-multi-character-sanitization.js:135:19:135:25 | <script | <script |
| tst-multi-character-sanitization.js:136:2:136:46 | content ... gi, "") | This string may still contain $@, which may cause a HTML element injection vulnerability. | tst-multi-character-sanitization.js:136:19:136:19 | < | <script |
| tst-multi-character-sanitization.js:137:2:137:48 | content ... gi, "") | This string may still contain $@, which may cause a HTML element injection vulnerability. | tst-multi-character-sanitization.js:137:19:137:20 | .+ | <script |
| tst-multi-character-sanitization.js:138:2:138:48 | content ... gi, "") | This string may still contain $@, which may cause a HTML element injection vulnerability. | tst-multi-character-sanitization.js:138:21:138:21 | < | <script |
| tst-multi-character-sanitization.js:142:13:142:62 | content ... gi, "") | This string may still contain $@, which may cause a HTML element injection vulnerability. | tst-multi-character-sanitization.js:142:30:142:36 | <script | <script |
| tst-multi-character-sanitization.js:143:13:143:56 | content ... /g, '') | This string may still contain $@, which may cause a HTML element injection vulnerability. | tst-multi-character-sanitization.js:143:30:143:30 | < | <script |
| tst-multi-character-sanitization.js:144:13:144:91 | content ... /g, '') | This string may still contain $@, which may cause a HTML element injection vulnerability. | tst-multi-character-sanitization.js:144:30:144:30 | < | <script |
| tst-multi-character-sanitization.js:145:13:145:90 | content ... /g, '') | This string may still contain $@, which may cause a HTML element injection vulnerability. | tst-multi-character-sanitization.js:145:30:145:30 | < | <script |
| tst-multi-character-sanitization.js:135:2:135:44 | content ... gi, "") | This string may still contain $@, which may cause an HTML element injection vulnerability. | tst-multi-character-sanitization.js:135:19:135:25 | <script | <script |
| tst-multi-character-sanitization.js:136:2:136:46 | content ... gi, "") | This string may still contain $@, which may cause an HTML element injection vulnerability. | tst-multi-character-sanitization.js:136:19:136:19 | < | <script |
| tst-multi-character-sanitization.js:137:2:137:48 | content ... gi, "") | This string may still contain $@, which may cause an HTML element injection vulnerability. | tst-multi-character-sanitization.js:137:19:137:20 | .+ | <script |
| tst-multi-character-sanitization.js:138:2:138:48 | content ... gi, "") | This string may still contain $@, which may cause an HTML element injection vulnerability. | tst-multi-character-sanitization.js:138:21:138:21 | < | <script |
| tst-multi-character-sanitization.js:142:13:142:62 | content ... gi, "") | This string may still contain $@, which may cause an HTML element injection vulnerability. | tst-multi-character-sanitization.js:142:30:142:36 | <script | <script |
| tst-multi-character-sanitization.js:143:13:143:56 | content ... /g, '') | This string may still contain $@, which may cause an HTML element injection vulnerability. | tst-multi-character-sanitization.js:143:30:143:30 | < | <script |
| tst-multi-character-sanitization.js:144:13:144:91 | content ... /g, '') | This string may still contain $@, which may cause an HTML element injection vulnerability. | tst-multi-character-sanitization.js:144:30:144:30 | < | <script |
| tst-multi-character-sanitization.js:145:13:145:90 | content ... /g, '') | This string may still contain $@, which may cause an HTML element injection vulnerability. | tst-multi-character-sanitization.js:145:30:145:30 | < | <script |


@@ -41,3 +41,8 @@ const filePath3 = createFile();
if (fs.existsSync(filePath3)) {
fs.readFileSync(filePath3); // OK - a read after an existence check is OK
}
const filePath4 = createFile();
while(Math.random() > 0.5) {
fs.open(filePath4); // OK - it is only ever opened here.
}