hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-25 16:55:19 +02:00
Code Issues Packages Projects Releases Wiki Activity

JS: Fix barrier guards for ServerSideUrlRedirect

Browse Source 
The barrier guards for ServerSideUrlRedirect were lost when it was ported to ConfigSig, and the aforementioned spurious alert was a result of that.

The query had two guards: a proper barrier guard and a heuristic one for functions named 'isLocalURL'. We should move away from the heuristic name-based sanitiser guards, so I'm only reinstating the proper barrier guard.

Therefore updating the test to test the real barrier guard.
This commit is contained in:
Asger F
2025-02-21 21:05:47 +01:00
parent 38be524b6a
commit 29659647ea
2 changed files with 10 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
javascript/ql/test/query-tests/Security/CWE-601/ServerSideUrlRedirect/express.js
View File

@@ -23,9 +23,9 @@ app.get('/some/other/path2', function(req, res) {
app.get('/some/path', function(req, res) {
var target = req.param("target");
if (isLocalURL(target))
if (target.startsWith("http://example.com/"))
// OK - request parameter is sanitized before incorporating it into the redirect
res.redirect(target); // $ SPURIOUS: Alert
res.redirect(target);
else
res.redirect(target); // $ Alert - sanitization doesn't apply here
res.redirect(target); // $ Alert - sanitization doesn't apply here