hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-26 17:25:19 +02:00
Code Issues Packages Projects Releases Wiki Activity

fix FP in js/path-injection by recognizing more prefix checks

Browse Source
This commit is contained in:
Erik Krogh Kristensen
2020-01-31 10:55:29 +01:00
parent f8d0b4e602
commit 279c584bb8
5 changed files with 19 additions and 15 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
javascript/ql/test/library-tests/StringOps/StartsWith/StartsWith.expected
View File

@@ -14,3 +14,5 @@
| tst.js:19:9:19:36 | A.subst ... "web/" | tst.js:19:9:19:9 | A | tst.js:19:31:19:36 | "web/" | true |
| tst.js:32:9:32:32 | strings ... h(A, B) | tst.js:32:28:32:28 | A | tst.js:32:31:32:31 | B | true |
| tst.js:33:9:33:47 | strings ... h(A, B) | tst.js:33:43:33:43 | A | tst.js:33:46:33:46 | B | true |
| tst.js:34:9:34:34 | A.slice ... ) !== B | tst.js:34:9:34:9 | A | tst.js:34:34:34:34 | B | false |
| tst.js:35:9:35:42 | A.slice ... = B.foo | tst.js:35:9:35:9 | A | tst.js:35:38:35:42 | B.foo | false |

2
javascript/ql/test/library-tests/StringOps/StartsWith/tst.js
View File

@@ -31,4 +31,6 @@ function f(A, B) {
if (strings.startsWith(A, B)) {}
if (strings.caseInsensitiveStartsWith(A, B)) {}
if (A.slice(0, B.length) !== B) {}
if (A.slice(0, B.foo.length) !== B.foo) {}
}