add engine filter to js/template-object-injection

This commit is contained in:
Erik Krogh Kristensen
2021-03-09 14:06:37 +01:00
parent b30484dd69
commit 28951e98c4
3 changed files with 150 additions and 2 deletions


@@ -1,4 +1,22 @@
nodes
| tst2.js:6:9:6:46 | bodyParameter |
| tst2.js:6:25:6:32 | req.body |
| tst2.js:6:25:6:32 | req.body |
| tst2.js:6:25:6:46 | req.bod ... rameter |
| tst2.js:7:28:7:40 | bodyParameter |
| tst2.js:7:28:7:40 | bodyParameter |
| tst2.js:26:9:26:46 | bodyParameter |
| tst2.js:26:25:26:32 | req.body |
| tst2.js:26:25:26:32 | req.body |
| tst2.js:26:25:26:46 | req.bod ... rameter |
| tst2.js:27:28:27:40 | bodyParameter |
| tst2.js:27:28:27:40 | bodyParameter |
| tst2.js:34:9:34:46 | bodyParameter |
| tst2.js:34:25:34:32 | req.body |
| tst2.js:34:25:34:32 | req.body |
| tst2.js:34:25:34:46 | req.bod ... rameter |
| tst2.js:35:28:35:40 | bodyParameter |
| tst2.js:35:28:35:40 | bodyParameter |
| tst.js:5:9:5:46 | bodyParameter |
| tst.js:5:25:5:32 | req.body |
| tst.js:5:25:5:32 | req.body |
@@ -25,6 +43,21 @@ nodes
| tst.js:27:28:27:42 | JSON.parse(str) |
| tst.js:27:39:27:41 | str |
edges
| tst2.js:6:9:6:46 | bodyParameter | tst2.js:7:28:7:40 | bodyParameter |
| tst2.js:6:9:6:46 | bodyParameter | tst2.js:7:28:7:40 | bodyParameter |
| tst2.js:6:25:6:32 | req.body | tst2.js:6:25:6:46 | req.bod ... rameter |
| tst2.js:6:25:6:32 | req.body | tst2.js:6:25:6:46 | req.bod ... rameter |
| tst2.js:6:25:6:46 | req.bod ... rameter | tst2.js:6:9:6:46 | bodyParameter |
| tst2.js:26:9:26:46 | bodyParameter | tst2.js:27:28:27:40 | bodyParameter |
| tst2.js:26:9:26:46 | bodyParameter | tst2.js:27:28:27:40 | bodyParameter |
| tst2.js:26:25:26:32 | req.body | tst2.js:26:25:26:46 | req.bod ... rameter |
| tst2.js:26:25:26:32 | req.body | tst2.js:26:25:26:46 | req.bod ... rameter |
| tst2.js:26:25:26:46 | req.bod ... rameter | tst2.js:26:9:26:46 | bodyParameter |
| tst2.js:34:9:34:46 | bodyParameter | tst2.js:35:28:35:40 | bodyParameter |
| tst2.js:34:9:34:46 | bodyParameter | tst2.js:35:28:35:40 | bodyParameter |
| tst2.js:34:25:34:32 | req.body | tst2.js:34:25:34:46 | req.bod ... rameter |
| tst2.js:34:25:34:32 | req.body | tst2.js:34:25:34:46 | req.bod ... rameter |
| tst2.js:34:25:34:46 | req.bod ... rameter | tst2.js:34:9:34:46 | bodyParameter |
| tst.js:5:9:5:46 | bodyParameter | tst.js:8:28:8:40 | bodyParameter |
| tst.js:5:9:5:46 | bodyParameter | tst.js:8:28:8:40 | bodyParameter |
| tst.js:5:25:5:32 | req.body | tst.js:5:25:5:46 | req.bod ... rameter |
@@ -49,6 +82,9 @@ edges
| tst.js:27:39:27:41 | str | tst.js:27:28:27:42 | JSON.parse(str) |
| tst.js:27:39:27:41 | str | tst.js:27:28:27:42 | JSON.parse(str) |
#select
| tst2.js:7:28:7:40 | bodyParameter | tst2.js:6:25:6:32 | req.body | tst2.js:7:28:7:40 | bodyParameter | Template object injection due to $@. | tst2.js:6:25:6:32 | req.body | user-provided value |
| tst2.js:27:28:27:40 | bodyParameter | tst2.js:26:25:26:32 | req.body | tst2.js:27:28:27:40 | bodyParameter | Template object injection due to $@. | tst2.js:26:25:26:32 | req.body | user-provided value |
| tst2.js:35:28:35:40 | bodyParameter | tst2.js:34:25:34:32 | req.body | tst2.js:35:28:35:40 | bodyParameter | Template object injection due to $@. | tst2.js:34:25:34:32 | req.body | user-provided value |
| tst.js:8:28:8:40 | bodyParameter | tst.js:5:25:5:32 | req.body | tst.js:8:28:8:40 | bodyParameter | Template object injection due to $@. | tst.js:5:25:5:32 | req.body | user-provided value |
| tst.js:9:28:9:41 | queryParameter | tst.js:6:26:6:49 | req.que ... rameter | tst.js:9:28:9:41 | queryParameter | Template object injection due to $@. | tst.js:6:26:6:49 | req.que ... rameter | user-provided value |
| tst.js:22:28:22:30 | obj | tst.js:6:26:6:49 | req.que ... rameter | tst.js:22:28:22:30 | obj | Template object injection due to $@. | tst.js:6:26:6:49 | req.que ... rameter | user-provided value |


@@ -0,0 +1,36 @@
const handlebars = require("express-handlebars");
var app = require('express')();
app.engine( '.hbs', handlebars({ defaultLayout: 'main', extname: '.hbs' }) );
app.set('view engine', '.hbs')
app.post('/path', function(req, res) {
var bodyParameter = req.body.bodyParameter;
res.render('template', bodyParameter); // NOT OK
});
var app2 = require('express')();
app2.post('/path', function(req, res) {
var bodyParameter = req.body.bodyParameter;
res.render('template', bodyParameter); // OK
});
var app3 = require('express')();
app3.set('view engine', 'pug');
app3.post('/path', function(req, res) {
var bodyParameter = req.body.bodyParameter;
res.render('template', bodyParameter); // OK
});
var app4 = require('express')();
app4.set('view engine', 'ejs');
app4.post('/path', function(req, res) {
var bodyParameter = req.body.bodyParameter;
res.render('template', bodyParameter); // NOT OK
});
var app5 = require('express')();
app5.engine("foobar", require("consolidate").whiskers);
app5.set('view engine', 'foobar');
app5.post('/path', function(req, res) {
var bodyParameter = req.body.bodyParameter;
res.render('template', bodyParameter); // NOT OK
});
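Review bot: The `// OK` on the `app2` `res.render('template', bodyParameter)` call encodes a policy the test does not explain: an app with no view engine registered in this file is treated as not vulnerable, which presumably means a `view engine` configured in another module (or on a sub-app) will no longer be reported, and that trade-off deserves to be stated where the expected output is pinned. A one-line comment on that case would make the intent reviewable, e.g. `// OK - no view engine configured here; the engine filter suppresses the result (accepted false negative if the engine is set elsewhere)`. The same applies to the `pug` case on `app3`, where a comment saying why pug is excluded by the filter would document the reasoning rather than leaving it implicit in the expected file. It would also be worth a case where `app.set('view engine', engineName)` takes a non-literal value, so the filter's behaviour on an unknown or dynamically chosen engine is fixed by the test rather than left to the query's default.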