Javascript: Update test files.
@@ -36,7 +36,7 @@ var server = http.createServer(function(req, res) {
|
||||
sh = 'cmd.exe', flag = '/c';
|
||||
else
|
||||
sh = '/bin/sh', flag = '-c';
|
||||
cp.spawn(sh, [ flag, cmd ]); // $ Alert Sink
|
||||
cp.spawn(sh, [ flag, cmd ]); // $ Alert
|
||||
|
||||
let args = [];
|
||||
args[0] = "-c";
|
||||
@@ -53,8 +53,8 @@ var server = http.createServer(function(req, res) {
|
||||
args[1] = cmd; // $ Sink
|
||||
cp.execFile(`/bin` + "/bash", args); // $ Alert
|
||||
|
||||
cp.spawn('cmd.exe', ['/C', 'foo'].concat(["bar", cmd])); // $ Alert Sink
|
||||
cp.spawn('cmd.exe', ['/C', 'foo'].concat(cmd)); // $ Alert Sink
|
||||
cp.spawn('cmd.exe', ['/C', 'foo'].concat(["bar", cmd])); // $ Alert
|
||||
cp.spawn('cmd.exe', ['/C', 'foo'].concat(cmd)); // $ Alert
|
||||
|
||||
let myArgs = [];
|
||||
myArgs.push(`-` + "c");
|
||||
|
||||
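Review bot: `args[1] = cmd; // $ Sink` at the top of this hunk still carries a bare Sink expectation while every `Alert Sink` line in the commit is reduced to `Alert`. If the intent is to stop expecting Sink results from this query, that line presumably needs to become `args[1] = cmd;` as well, otherwise the harness would likely report it as an unmatched expectation. If the lone Sink tag is kept on purpose because it marks a sink that is not itself an alert location, a short comment on that line saying so would save the next reader the same question. The enclosing request handler starts outside the hunk.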
@@ -12,7 +12,7 @@ function getShell() {
|
||||
|
||||
function execSh(command, options) {
|
||||
var shell = getShell()
|
||||
return cp.spawn(shell.cmd, [shell.arg, command], options) // $ Alert Sink
|
||||
return cp.spawn(shell.cmd, [shell.arg, command], options) // $ Alert
|
||||
}
|
||||
|
||||
http.createServer(function (req, res) {
|
||||
|
||||
@@ -7,7 +7,7 @@ function getShell() {
|
||||
}
|
||||
|
||||
function execSh(command, options) {
|
||||
return cp.spawn(getShell(), ["-c", command], options) // $ Alert Sink
|
||||
return cp.spawn(getShell(), ["-c", command], options) // $ Alert
|
||||
};
|
||||
|
||||
http.createServer(function (req, res) {
|
||||
|
||||
@@ -3,5 +3,5 @@
|
||||
const cp = require("child_process");
|
||||
|
||||
module.exports.thisMethodIsImported = function (name) { // $ Source
|
||||
cp.exec("rm -rf " + name); // $ Alert Sink
|
||||
}
|
||||
cp.exec("rm -rf " + name); // $ Alert
|
||||
}
|
||||
|
||||
@@ -1,30 +1,30 @@
|
||||
var cp = require("child_process")
|
||||
|
||||
module.exports.blah = function (name) { // $ Source
|
||||
cp.exec("rm -rf " + name); // $ Alert Sink
|
||||
cp.exec("rm -rf " + name); // $ Alert
|
||||
|
||||
cp.execFile(name, [name]);
|
||||
cp.execFile(name, name);
|
||||
};
|
||||
|
||||
module.exports.foo = function (name) { // $ Source
|
||||
cp.exec("rm -rf " + name); // $ Alert Sink
|
||||
cp.exec("rm -rf " + name); // $ Alert
|
||||
}
|
||||
|
||||
module.exports.foo.bar = function (name) { // $ Source
|
||||
cp.exec("rm -rf " + name); // $ Alert Sink
|
||||
cp.exec("rm -rf " + name); // $ Alert
|
||||
}
|
||||
|
||||
function cla() { }
|
||||
cla.prototype.method = function (name) { // $ Source
|
||||
cp.exec("rm -rf " + name); // $ Alert Sink
|
||||
cp.exec("rm -rf " + name); // $ Alert
|
||||
}
|
||||
module.exports.cla = new cla();
|
||||
|
||||
|
||||
function cla2() { }
|
||||
cla2.prototype.method = function (name) { // $ Source
|
||||
cp.exec("rm -rf " + name); // $ Alert Sink
|
||||
cp.exec("rm -rf " + name); // $ Alert
|
||||
}
|
||||
module.exports.bla = new cla2();
|
||||
|
||||
@@ -32,13 +32,13 @@ module.exports.lib2 = require("./lib2.js")
|
||||
|
||||
class Cla3 {
|
||||
constructor(name) { // $ Source
|
||||
cp.exec("rm -rf " + name); // $ Alert Sink
|
||||
cp.exec("rm -rf " + name); // $ Alert
|
||||
}
|
||||
static foo(name) { // $ Source
|
||||
cp.exec("rm -rf " + name); // $ Alert Sink
|
||||
cp.exec("rm -rf " + name); // $ Alert
|
||||
}
|
||||
bar(name) { // $ Source
|
||||
cp.exec("rm -rf " + name); // $ Alert Sink
|
||||
cp.exec("rm -rf " + name); // $ Alert
|
||||
|
||||
cp.exec("rm -rf " + notASource);
|
||||
}
|
||||
@@ -47,14 +47,14 @@ class Cla3 {
|
||||
module.exports.cla3 = Cla3;
|
||||
|
||||
module.exports.mz = function (name) { // $ Source
|
||||
require("mz/child_process").exec("rm -rf " + name); // $ Alert Sink
|
||||
require("mz/child_process").exec("rm -rf " + name); // $ Alert
|
||||
}
|
||||
|
||||
module.exports.flow = function (name) { // $ Source
|
||||
var cmd1 = "rm -rf " + name; // $ Alert Sink
|
||||
var cmd1 = "rm -rf " + name; // $ Alert
|
||||
cp.exec(cmd1);
|
||||
|
||||
var cmd2 = "rm -rf " + name; // $ Alert Sink
|
||||
var cmd2 = "rm -rf " + name; // $ Alert
|
||||
function myExec(cmd) {
|
||||
cp.exec(cmd);
|
||||
}
|
||||
@@ -62,25 +62,25 @@ module.exports.flow = function (name) { // $ Source
|
||||
}
|
||||
|
||||
module.exports.stringConcat = function (name) { // $ Source
|
||||
cp.exec("rm -rf " + name); // $ Alert Sink
|
||||
cp.exec("rm -rf " + name); // $ Alert
|
||||
|
||||
cp.exec(name);
|
||||
|
||||
cp.exec("for foo in (" + name + ") do bla end"); // $ Alert Sink
|
||||
cp.exec("for foo in (" + name + ") do bla end"); // $ Alert
|
||||
|
||||
cp.exec("cat /foO/BAR/" + name) // $ Alert Sink
|
||||
cp.exec("cat /foO/BAR/" + name) // $ Alert
|
||||
|
||||
cp.exec("cat \"" + name + "\"") // $ Alert Sink
|
||||
cp.exec("cat \"" + name + "\"") // $ Alert
|
||||
|
||||
cp.exec("cat '" + name + "'") // $ Alert Sink
|
||||
cp.exec("cat '" + name + "'") // $ Alert
|
||||
|
||||
cp.exec("cat '/foo/bar" + name + "'") // $ Alert Sink
|
||||
cp.exec("cat '/foo/bar" + name + "'") // $ Alert
|
||||
|
||||
cp.exec(name + " some file")
|
||||
}
|
||||
|
||||
module.exports.arrays = function (name) { // $ Source
|
||||
cp.exec("rm -rf " + name); // $ Alert Sink
|
||||
cp.exec("rm -rf " + name); // $ Alert
|
||||
|
||||
var args1 = ["node"];
|
||||
args1.push(name); // $ Alert
|
||||
@@ -109,7 +109,7 @@ module.exports.format = function (name) { // $ Source
|
||||
}
|
||||
|
||||
module.exports.valid = function (name) { // $ Source
|
||||
cp.exec("rm -rf " + name); // $ Alert Sink
|
||||
cp.exec("rm -rf " + name); // $ Alert
|
||||
|
||||
if (!isValidName(name)) {
|
||||
return;
|
||||
@@ -118,7 +118,7 @@ module.exports.valid = function (name) { // $ Source
|
||||
}
|
||||
|
||||
module.exports.safe = function (name) { // $ Source
|
||||
cp.exec("rm -rf " + name); // $ Alert Sink
|
||||
cp.exec("rm -rf " + name); // $ Alert
|
||||
|
||||
if (!isSafeName(name)) {
|
||||
return;
|
||||
@@ -128,7 +128,7 @@ module.exports.safe = function (name) { // $ Source
|
||||
|
||||
class Cla4 {
|
||||
wha(name) { // $ Source
|
||||
cp.exec("rm -rf " + name); // $ Alert Sink
|
||||
cp.exec("rm -rf " + name); // $ Alert
|
||||
}
|
||||
|
||||
static bla(name) {
|
||||
@@ -146,7 +146,7 @@ function Cla5(name) {
|
||||
module.exports.cla5 = new Cla5();
|
||||
|
||||
module.exports.indirect = function (name) { // $ Source
|
||||
let cmd = "rm -rf " + name; // $ Alert Sink
|
||||
let cmd = "rm -rf " + name; // $ Alert
|
||||
let sh = "sh";
|
||||
let args = ["-c", cmd];
|
||||
cp.spawn(sh, args, cb);
|
||||
@@ -158,7 +158,7 @@ module.exports.indirect2 = function (name) { // $ Source
|
||||
let args = ["-c", cmd];
|
||||
cp.spawn(sh, args, cb);
|
||||
|
||||
let cmd2 = "rm -rf " + name; // $ Alert Sink
|
||||
let cmd2 = "rm -rf " + name; // $ Alert
|
||||
var args2 = [cmd2];
|
||||
cp.spawn(
|
||||
'cmd.exe',
|
||||
@@ -170,7 +170,7 @@ module.exports.indirect2 = function (name) { // $ Source
|
||||
module.exports.cmd = function (command, name) { // $ Source
|
||||
cp.exec("fo | " + command);
|
||||
|
||||
cp.exec("fo | " + name); // $ Alert Sink
|
||||
cp.exec("fo | " + name); // $ Alert
|
||||
|
||||
}
|
||||
|
||||
@@ -178,54 +178,54 @@ module.exports.sanitizer = function (name) { // $ Source
|
||||
var sanitized = "'" + name.replace(/'/g, "'\\''") + "'"
|
||||
cp.exec("rm -rf " + sanitized);
|
||||
|
||||
var broken = "'" + name.replace(/'/g, "'\''") + "'" // $ Alert Sink
|
||||
cp.exec("rm -rf " + broken); // $ Alert Sink
|
||||
var broken = "'" + name.replace(/'/g, "'\''") + "'" // $ Alert
|
||||
cp.exec("rm -rf " + broken); // $ Alert
|
||||
}
|
||||
|
||||
var path = require("path");
|
||||
module.exports.guard = function (name) { // $ Source
|
||||
cp.exec("rm -rf " + name); // $ Alert Sink
|
||||
cp.exec("rm -rf " + name); // $ Alert
|
||||
|
||||
if (!path.exist(name)) {
|
||||
cp.exec("rm -rf " + name); // $ Alert Sink
|
||||
cp.exec("rm -rf " + name); // $ Alert
|
||||
return;
|
||||
}
|
||||
cp.exec("rm -rf " + name);
|
||||
}
|
||||
|
||||
module.exports.blacklistOfChars = function (name) { // $ Source
|
||||
cp.exec("rm -rf " + name); // $ Alert Sink
|
||||
cp.exec("rm -rf " + name); // $ Alert
|
||||
|
||||
if (/[^A-Za-z0-9_\/:=-]/.test(name)) {
|
||||
cp.exec("rm -rf " + name); // $ Alert Sink
|
||||
cp.exec("rm -rf " + name); // $ Alert
|
||||
} else {
|
||||
cp.exec("rm -rf " + name);
|
||||
}
|
||||
}
|
||||
|
||||
module.exports.whitelistOfChars = function (name) { // $ Source
|
||||
cp.exec("rm -rf " + name); // $ Alert Sink
|
||||
cp.exec("rm -rf " + name); // $ Alert
|
||||
|
||||
if (/^[A-Za-z0-9_\/:=-]$/.test(name)) {
|
||||
cp.exec("rm -rf " + name);
|
||||
} else {
|
||||
cp.exec("rm -rf " + name); // $ Alert Sink
|
||||
cp.exec("rm -rf " + name); // $ Alert
|
||||
}
|
||||
}
|
||||
|
||||
module.exports.blackList2 = function (name) { // $ Source
|
||||
cp.exec("rm -rf " + name); // $ Alert Sink
|
||||
cp.exec("rm -rf " + name); // $ Alert
|
||||
|
||||
if (!/^([a-zA-Z0-9]+))?$/.test(name)) {
|
||||
cp.exec("rm -rf " + name); // $ Alert Sink
|
||||
cp.exec("rm -rf " + name); // $ Alert
|
||||
process.exit(-1);
|
||||
}
|
||||
|
||||
cp.exec("rm -rf " + name); // $ Sink SPURIOUS: Alert - FP due to tracking flow through `process.exit()`.
|
||||
cp.exec("rm -rf " + name); // $ SPURIOUS: Alert - FP due to tracking flow through `process.exit()`.
|
||||
}
|
||||
|
||||
module.exports.accessSync = function (name) { // $ Source
|
||||
cp.exec("rm -rf " + name); // $ Alert Sink
|
||||
cp.exec("rm -rf " + name); // $ Alert
|
||||
|
||||
try {
|
||||
path.accessSync(name);
|
||||
@@ -233,7 +233,7 @@ module.exports.accessSync = function (name) { // $ Source
|
||||
return;
|
||||
}
|
||||
|
||||
cp.exec("rm -rf " + name); // $ Sink SPURIOUS: Alert - FP due to `path.accessSync` not being recognized as a sanitizer.
|
||||
cp.exec("rm -rf " + name); // $ SPURIOUS: Alert - FP due to `path.accessSync` not being recognized as a sanitizer.
|
||||
}
|
||||
|
||||
var cleanInput = function (s) {
|
||||
@@ -246,26 +246,26 @@ var cleanInput = function (s) {
|
||||
}
|
||||
|
||||
module.exports.goodSanitizer = function (name) { // $ Source
|
||||
cp.exec("rm -rf " + name); // $ Alert Sink
|
||||
cp.exec("rm -rf " + name); // $ Alert
|
||||
|
||||
var cleaned = cleanInput(name);
|
||||
|
||||
cp.exec("rm -rf " + cleaned); // $ Sink SPURIOUS: Alert - SanitizingRegExpTest is not able to generate a barrier edge for an edge into a phi node.
|
||||
cp.exec("rm -rf " + cleaned); // $ SPURIOUS: Alert - SanitizingRegExpTest is not able to generate a barrier edge for an edge into a phi node.
|
||||
}
|
||||
|
||||
var fs = require("fs");
|
||||
module.exports.guard2 = function (name) { // $ Source
|
||||
cp.exec("rm -rf " + name); // $ Alert Sink
|
||||
cp.exec("rm -rf " + name); // $ Alert
|
||||
|
||||
if (!fs.existsSync("prefix/" + name)) {
|
||||
cp.exec("rm -rf prefix/" + name); // $ Alert Sink
|
||||
cp.exec("rm -rf prefix/" + name); // $ Alert
|
||||
return;
|
||||
}
|
||||
cp.exec("rm -rf prefix/" + name);
|
||||
}
|
||||
|
||||
module.exports.sanitizerProperty = function (obj) { // $ Source
|
||||
cp.exec("rm -rf " + obj.version); // $ Alert Sink
|
||||
cp.exec("rm -rf " + obj.version); // $ Alert
|
||||
|
||||
obj.version = "";
|
||||
|
||||
@@ -274,11 +274,11 @@ module.exports.sanitizerProperty = function (obj) { // $ Source
|
||||
|
||||
module.exports.Foo = class Foo {
|
||||
start(opts) { // $ Source
|
||||
cp.exec("rm -rf " + opts.bla); // $ Alert Sink
|
||||
cp.exec("rm -rf " + opts.bla); // $ Alert
|
||||
this.opts = {};
|
||||
this.opts.bla = opts.bla
|
||||
|
||||
cp.exec("rm -rf " + this.opts.bla); // $ Alert Sink
|
||||
cp.exec("rm -rf " + this.opts.bla); // $ Alert
|
||||
}
|
||||
}
|
||||
|
||||
@@ -305,24 +305,24 @@ function sanitizeShellString(str) {
|
||||
}
|
||||
|
||||
module.exports.sanitizer2 = function (name) { // $ Source
|
||||
cp.exec("rm -rf " + name); // $ Alert Sink
|
||||
cp.exec("rm -rf " + name); // $ Alert
|
||||
|
||||
var sanitized = sanitizeShellString(name);
|
||||
cp.exec("rm -rf " + sanitized);
|
||||
}
|
||||
|
||||
module.exports.typeofcheck = function (name) { // $ Source
|
||||
cp.exec("rm -rf " + name); // $ Alert Sink
|
||||
cp.exec("rm -rf " + name); // $ Alert
|
||||
|
||||
if (typeof name === "undefined") {
|
||||
cp.exec("rm -rf " + name);
|
||||
} else {
|
||||
cp.exec("rm -rf " + name); // $ Alert Sink
|
||||
cp.exec("rm -rf " + name); // $ Alert
|
||||
}
|
||||
}
|
||||
|
||||
module.exports.typeofcheck = function (arg) { // $ Source
|
||||
var cmd = "MyWindowCommand | findstr /i /c:" + arg; // $ Alert Sink
|
||||
var cmd = "MyWindowCommand | findstr /i /c:" + arg; // $ Alert
|
||||
cp.exec(cmd);
|
||||
}
|
||||
|
||||
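Review bot: `module.exports.typeofcheck` is assigned twice in this hunk (first with `function (name)`, then with `function (arg)`), so at runtime the second assignment overwrites the first and only the `arg` variant is reachable through `require`; the first case is then exercised only by the static analysis, not by any caller. If both cases are meant to remain distinct exports, renaming the second to `module.exports.typeofcheck2 = function (arg) { // $ Source` would do it; the same double assignment appears for `module.exports.sanitizer` in the `@@ -178` and `@@ -623` hunks. This predates the commit, so I may be missing a reason the shadowing is intentional.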
@@ -337,7 +337,7 @@ module.exports.unproblematic = function() {
|
||||
};
|
||||
|
||||
module.exports.problematic = function(n) { // $ Source
|
||||
cp.exec("rm -rf " + id(n)); // $ Alert Sink
|
||||
cp.exec("rm -rf " + id(n)); // $ Alert
|
||||
};
|
||||
|
||||
module.exports.typeofNumber = function(n) {
|
||||
@@ -348,7 +348,7 @@ module.exports.typeofNumber = function(n) {
|
||||
|
||||
function boundProblem(safe, unsafe) { // $ Source
|
||||
cp.exec("rm -rf " + safe);
|
||||
cp.exec("rm -rf " + unsafe); // $ Alert Sink
|
||||
cp.exec("rm -rf " + unsafe); // $ Alert
|
||||
}
|
||||
|
||||
Object.defineProperty(module.exports, "boundProblem", {
|
||||
@@ -403,7 +403,7 @@ function yetAnohterSanitizer(str) {
|
||||
}
|
||||
|
||||
module.exports.sanitizer3 = function (name) { // $ Source
|
||||
cp.exec("rm -rf " + name); // $ Alert Sink
|
||||
cp.exec("rm -rf " + name); // $ Alert
|
||||
|
||||
var sanitized = yetAnohterSanitizer(name);
|
||||
cp.exec("rm -rf " + sanitized);
|
||||
@@ -412,7 +412,7 @@ module.exports.sanitizer3 = function (name) { // $ Source
|
||||
const cp = require("child_process");
|
||||
const spawn = cp.spawn;
|
||||
module.exports.shellOption = function (name) { // $ Source
|
||||
cp.exec("rm -rf " + name); // $ Alert Sink
|
||||
cp.exec("rm -rf " + name); // $ Alert
|
||||
|
||||
cp.execFile("rm", ["-rf", name], {shell: true}, (err, out) => {}); // $ Alert
|
||||
cp.spawn("rm", ["-rf", name], {shell: true}); // $ Alert
|
||||
@@ -439,12 +439,12 @@ function build(first, last) {
|
||||
|
||||
var asyncExec = require("async-execute");
|
||||
module.exports.asyncStuff = function (name) { // $ Source
|
||||
asyncExec("rm -rf " + name); // $ Alert Sink
|
||||
asyncExec("rm -rf " + name); // $ Alert
|
||||
}
|
||||
|
||||
const myFuncs = {
|
||||
myFunc: function (name) { // $ Source
|
||||
asyncExec("rm -rf " + name); // $ Alert Sink
|
||||
asyncExec("rm -rf " + name); // $ Alert
|
||||
}
|
||||
};
|
||||
|
||||
@@ -480,7 +480,7 @@ module.exports.check = function check(config) { // $ Source
|
||||
}
|
||||
|
||||
module.exports.splitConcat = function (name) { // $ Source
|
||||
let args = ' my name is ' + name; // $ Alert Sink
|
||||
let args = ' my name is ' + name; // $ Alert
|
||||
let cmd = 'echo';
|
||||
cp.exec(cmd + args);
|
||||
}
|
||||
@@ -496,7 +496,7 @@ module.exports.myCommand = function (myCommand) {
|
||||
};
|
||||
|
||||
module.exports.myIndirectThing = function (name) { // $ Source
|
||||
MyThing.cp.exec("rm -rf " + name); // $ Alert Sink
|
||||
MyThing.cp.exec("rm -rf " + name); // $ Alert
|
||||
}
|
||||
});
|
||||
|
||||
@@ -507,42 +507,42 @@ for (var name in imp){
|
||||
}
|
||||
|
||||
module.exports.sanitizer4 = function (name) { // $ Source
|
||||
cp.exec("rm -rf " + name); // $ Alert Sink
|
||||
cp.exec("rm -rf " + name); // $ Alert
|
||||
|
||||
if (isNaN(name)) {
|
||||
cp.exec("rm -rf " + name); // $ Alert Sink
|
||||
cp.exec("rm -rf " + name); // $ Alert
|
||||
} else {
|
||||
cp.exec("rm -rf " + name);
|
||||
}
|
||||
|
||||
if (isNaN(parseInt(name))) {
|
||||
cp.exec("rm -rf " + name); // $ Alert Sink
|
||||
cp.exec("rm -rf " + name); // $ Alert
|
||||
} else {
|
||||
cp.exec("rm -rf " + name);
|
||||
}
|
||||
|
||||
if (isNaN(+name)) {
|
||||
cp.exec("rm -rf " + name); // $ Alert Sink
|
||||
cp.exec("rm -rf " + name); // $ Alert
|
||||
} else {
|
||||
cp.exec("rm -rf " + name);
|
||||
}
|
||||
|
||||
if (isNaN(parseInt(name, 10))) {
|
||||
cp.exec("rm -rf " + name); // $ Alert Sink
|
||||
cp.exec("rm -rf " + name); // $ Alert
|
||||
} else {
|
||||
cp.exec("rm -rf " + name);
|
||||
}
|
||||
|
||||
if (isNaN(name - 0)) {
|
||||
cp.exec("rm -rf " + name); // $ Alert Sink
|
||||
cp.exec("rm -rf " + name); // $ Alert
|
||||
} else {
|
||||
cp.exec("rm -rf " + name);
|
||||
}
|
||||
|
||||
if (isNaN(name | 0)) { // <- not a sanitizer
|
||||
cp.exec("rm -rf " + name); // $ Alert Sink
|
||||
cp.exec("rm -rf " + name); // $ Alert
|
||||
} else {
|
||||
cp.exec("rm -rf " + name); // $ Alert Sink
|
||||
cp.exec("rm -rf " + name); // $ Alert
|
||||
}
|
||||
}
|
||||
|
||||
@@ -557,26 +557,26 @@ module.exports.shellThing = function (name) { // $ Source
|
||||
|
||||
module.exports.badSanitizer = function (name) { // $ Source
|
||||
if (!name.match(/^(.|\.){1,64}$/)) { // <- bad sanitizer
|
||||
exec("rm -rf " + name); // $ Alert Sink
|
||||
exec("rm -rf " + name); // $ Alert
|
||||
} else {
|
||||
exec("rm -rf " + name); // $ Alert Sink
|
||||
exec("rm -rf " + name); // $ Alert
|
||||
}
|
||||
|
||||
if (!name.match(/^\w{1,64}$/)) { // <- good sanitizer
|
||||
exec("rm -rf " + name); // $ Alert Sink
|
||||
exec("rm -rf " + name); // $ Alert
|
||||
} else {
|
||||
exec("rm -rf " + name);
|
||||
}
|
||||
}
|
||||
|
||||
module.exports.safeWithBool = function (name) { // $ Source
|
||||
cp.exec("rm -rf " + name); // $ Alert Sink
|
||||
cp.exec("rm -rf " + name); // $ Alert
|
||||
|
||||
if (isSafeName(name)) {
|
||||
cp.exec("rm -rf " + name);
|
||||
}
|
||||
|
||||
cp.exec("rm -rf " + name); // $ Alert Sink
|
||||
cp.exec("rm -rf " + name); // $ Alert
|
||||
|
||||
if (isSafeName(name) === true) {
|
||||
cp.exec("rm -rf " + name);
|
||||
@@ -587,10 +587,10 @@ module.exports.safeWithBool = function (name) { // $ Source
|
||||
}
|
||||
|
||||
if (isSafeName(name) == false) {
|
||||
cp.exec("rm -rf " + name); // $ Alert Sink
|
||||
cp.exec("rm -rf " + name); // $ Alert
|
||||
}
|
||||
|
||||
cp.exec("rm -rf " + name); // $ Alert Sink
|
||||
cp.exec("rm -rf " + name); // $ Alert
|
||||
}
|
||||
|
||||
function indirectThing(name) {
|
||||
@@ -606,7 +606,7 @@ function moreIndirect(name) {
|
||||
}
|
||||
|
||||
module.exports.veryIndeirect = function (name) { // $ Source
|
||||
cp.exec("rm -rf " + name); // $ Alert Sink
|
||||
cp.exec("rm -rf " + name); // $ Alert
|
||||
|
||||
if (indirectThing(name)) {
|
||||
cp.exec("rm -rf " + name);
|
||||
@@ -623,15 +623,15 @@ module.exports.veryIndeirect = function (name) { // $ Source
|
||||
if (moreIndirect(name) !== false) {
|
||||
cp.exec("rm -rf " + name);
|
||||
} else {
|
||||
cp.exec("rm -rf " + name); // $ Alert Sink
|
||||
cp.exec("rm -rf " + name); // $ Alert
|
||||
}
|
||||
|
||||
cp.exec("rm -rf " + name); // $ Alert Sink
|
||||
cp.exec("rm -rf " + name); // $ Alert
|
||||
}
|
||||
|
||||
module.exports.sanitizer = function (name) { // $ Source
|
||||
var sanitized = "'" + name.replace(new RegExp("\'"), "'\\''") + "'" // $ Alert Sink
|
||||
cp.exec("rm -rf " + sanitized); // $ Alert Sink
|
||||
var sanitized = "'" + name.replace(new RegExp("\'"), "'\\''") + "'" // $ Alert
|
||||
cp.exec("rm -rf " + sanitized); // $ Alert
|
||||
|
||||
var sanitized = "'" + name.replace(new RegExp("\'", 'g'), "'\\''") + "'"
|
||||
cp.exec("rm -rf " + sanitized);
|
||||
|
||||
@@ -1,9 +1,9 @@
|
||||
var cp = require("child_process")
|
||||
|
||||
module.exports = function (name) { // $ Source
|
||||
cp.exec("rm -rf " + name); // $ Alert Sink - is imported from main module.
|
||||
cp.exec("rm -rf " + name); // $ Alert - is imported from main module.
|
||||
};
|
||||
|
||||
module.exports.foo = function (name) { // $ Source
|
||||
cp.exec("rm -rf " + name); // $ Alert Sink - is imported from main module.
|
||||
};
|
||||
cp.exec("rm -rf " + name); // $ Alert - is imported from main module.
|
||||
};
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
const cp = require("child_process");
|
||||
|
||||
module.exports = function (name) { // $ Source
|
||||
cp.exec("rm -rf " + name); // $ Alert Sink - this function is exported from `amd.js`
|
||||
};
|
||||
cp.exec("rm -rf " + name); // $ Alert - this function is exported from `amd.js`
|
||||
};
|
||||
|
||||
@@ -1,15 +1,15 @@
|
||||
var cp = require("child_process")
|
||||
|
||||
module.exports = function (name) { // $ Source
|
||||
cp.exec("rm -rf " + name); // $ Alert Sink - functions exported as part of a submodule are also flagged.
|
||||
cp.exec("rm -rf " + name); // $ Alert - functions exported as part of a submodule are also flagged.
|
||||
};
|
||||
|
||||
module.exports.foo = function (name) { // $ Source
|
||||
cp.exec("rm -rf " + name); // $ Alert Sink - this is being called explicitly from child_process-test.js
|
||||
cp.exec("rm -rf " + name); // $ Alert - this is being called explicitly from child_process-test.js
|
||||
};
|
||||
|
||||
module.exports.amd = require("./amd.js");
|
||||
|
||||
module.exports.arrToShell = function (cmd, arr) { // $ Source
|
||||
cp.spawn("echo", arr, {shell: true}); // $ Alert
|
||||
}
|
||||
}
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
var cp = require("child_process")
|
||||
|
||||
export default function (name) { // $ Source
|
||||
cp.exec("rm -rf " + name); // $ Alert Sink - the "files" directory points to this file.
|
||||
cp.exec("rm -rf " + name); // $ Alert - the "files" directory points to this file.
|
||||
}
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
var cp = require("child_process")
|
||||
|
||||
module.exports = function (name) { // $ Source
|
||||
cp.exec("rm -rf " + name); // $ Alert Sink - the "files" directory points to this file.
|
||||
};
|
||||
cp.exec("rm -rf " + name); // $ Alert - the "files" directory points to this file.
|
||||
};
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
var cp = require("child_process")
|
||||
|
||||
module.exports = function (name) { // $ Source
|
||||
cp.exec("rm -rf " + name); // $ Alert Sink - functions exported as part of a submodule are also flagged.
|
||||
cp.exec("rm -rf " + name); // $ Alert - functions exported as part of a submodule are also flagged.
|
||||
};
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
const cp = require("child_process")
|
||||
|
||||
module.exports = function (name) {
|
||||
cp.exec("rm -rf " + name); // $ Alert Sink - functions exported as part of a submodule are also flagged.
|
||||
cp.exec("rm -rf " + name); // $ Alert - functions exported as part of a submodule are also flagged.
|
||||
};
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
goog.module('x.y.z.closure2');
|
||||
|
||||
exports = function (x) { // $ Source[js/polynomial-redos]
|
||||
/u*o/.test(x); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
|
||||
}
|
||||
/u*o/.test(x); // $ Alert[js/polynomial-redos]
|
||||
}
|
||||
|
||||
@@ -1,3 +1,3 @@
|
||||
module.exports.foo = function (x) { // $ Source[js/polynomial-redos]
|
||||
/k*h/.test(x); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
|
||||
}
|
||||
/k*h/.test(x); // $ Alert[js/polynomial-redos]
|
||||
}
|
||||
|
||||
@@ -1,11 +1,11 @@
|
||||
var regexp = /a*b/;
|
||||
|
||||
module.exports = function (name) { // $ Source[js/polynomial-redos]
|
||||
regexp.test(name); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
|
||||
regexp.test(name); // $ Alert[js/polynomial-redos]
|
||||
};
|
||||
|
||||
function bar(reg, name) { // $ Source[js/polynomial-redos]
|
||||
/f*g/.test(name); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
|
||||
/f*g/.test(name); // $ Alert[js/polynomial-redos]
|
||||
}
|
||||
|
||||
if (typeof define !== 'undefined' && define.amd) { // AMD
|
||||
@@ -33,16 +33,16 @@ module.exports.useArguments = function () {
|
||||
}
|
||||
|
||||
function usedWithArguments(name) {
|
||||
/f*g/.test(name); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
|
||||
/f*g/.test(name); // $ Alert[js/polynomial-redos]
|
||||
}
|
||||
|
||||
module.exports.snapdragon = require("./snapdragon")
|
||||
|
||||
module.exports.foo = function (name) { // $ Source[js/polynomial-redos]
|
||||
var data1 = name.match(/f*g/); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
|
||||
var data1 = name.match(/f*g/); // $ Alert[js/polynomial-redos]
|
||||
|
||||
name = name.substr(1);
|
||||
var data2 = name.match(/f*g/); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
|
||||
var data2 = name.match(/f*g/); // $ Alert[js/polynomial-redos]
|
||||
}
|
||||
|
||||
var indirectAssign = {};
|
||||
@@ -50,6 +50,6 @@ module.exports.indirectAssign = indirectAssign;
|
||||
|
||||
Object.assign(indirectAssign, {
|
||||
myThing: function (name) { // $ Source[js/polynomial-redos]
|
||||
/f*g/.test(name); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
|
||||
/f*g/.test(name); // $ Alert[js/polynomial-redos]
|
||||
},
|
||||
});
|
||||
});
|
||||
|
||||
@@ -1,3 +1,3 @@
|
||||
module.exports = function (name) { // $ Source[js/polynomial-redos]
|
||||
/a*b/.test(name); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
|
||||
/a*b/.test(name); // $ Alert[js/polynomial-redos]
|
||||
};
|
||||
|
||||
@@ -1,3 +1,3 @@
|
||||
module.exports = function (name) { // $ Source[js/polynomial-redos]
|
||||
/a*b/.test(name); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
|
||||
/a*b/.test(name); // $ Alert[js/polynomial-redos]
|
||||
};
|
||||
|
||||
@@ -4,7 +4,7 @@ module.exports.test1 = function (input) { // $ Source[js/polynomial-redos]
|
||||
var snapdragon = new Snapdragon();
|
||||
var ast = snapdragon.parser
|
||||
.set("foo", function () {
|
||||
var m = this.match(/aa*$/); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
|
||||
var m = this.match(/aa*$/); // $ Alert[js/polynomial-redos]
|
||||
})
|
||||
.parse(input, options);
|
||||
};
|
||||
@@ -12,7 +12,7 @@ module.exports.test1 = function (input) { // $ Source[js/polynomial-redos]
|
||||
module.exports.test2 = function (input) { // $ Source[js/polynomial-redos]
|
||||
var snapdragon = new Snapdragon();
|
||||
snapdragon.parser.set("foo", function () {
|
||||
var m = this.match(/aa*$/); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
|
||||
var m = this.match(/aa*$/); // $ Alert[js/polynomial-redos]
|
||||
});
|
||||
snapdragon.parse(input, options);
|
||||
};
|
||||
@@ -20,7 +20,7 @@ module.exports.test2 = function (input) { // $ Source[js/polynomial-redos]
|
||||
module.exports.test3 = function (input) { // $ Source[js/polynomial-redos]
|
||||
var snapdragon = new Snapdragon();
|
||||
snapdragon.compiler.set("foo", function (node) {
|
||||
node.val.match(/aa*$/); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
|
||||
node.val.match(/aa*$/); // $ Alert[js/polynomial-redos]
|
||||
});
|
||||
snapdragon.compile(input, options);
|
||||
};
|
||||
|
||||
@@ -5,6 +5,6 @@
|
||||
}(this, (function (exports) { 'use strict';
|
||||
|
||||
exports.foo = function (name) { // $ Source[js/polynomial-redos]
|
||||
/f*g/.test(name); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
|
||||
/f*g/.test(name); // $ Alert[js/polynomial-redos]
|
||||
}
|
||||
})));
|
||||
})));
|
||||
|
||||
@@ -1,3 +1,3 @@
|
||||
module.exports = function (name) { // $ Source[js/polynomial-redos]
|
||||
/a*b/.test(name); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
|
||||
};
|
||||
/a*b/.test(name); // $ Alert[js/polynomial-redos]
|
||||
}
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
module.exports = function (name) { // $ Source[js/polynomial-redos]
|
||||
/a*b/.test(name); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
|
||||
/a*b/.test(name); // $ Alert[js/polynomial-redos]
|
||||
};
|
||||
|
||||
const SubClass = require('./subclass');
|
||||
|
||||
@@ -2,7 +2,7 @@ class Subclass {
|
||||
constructor() {}
|
||||
|
||||
define(name) { // $ Source[js/polynomial-redos]
|
||||
/a*b/.test(name); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
|
||||
/a*b/.test(name); // $ Alert[js/polynomial-redos]
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
@@ -1,3 +1,3 @@
|
||||
module.exports.foo = function (name) { // $ Source[js/polynomial-redos]
|
||||
/f*g/.test(name); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
|
||||
}
|
||||
/f*g/.test(name); // $ Alert[js/polynomial-redos]
|
||||
}
|
||||
|
||||
@@ -10,7 +10,7 @@
|
||||
}(this, function () {
|
||||
function create() {
|
||||
return function (name) { // $ Source[js/polynomial-redos]
|
||||
/f*g/.test(name); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
|
||||
/f*g/.test(name); // $ Alert[js/polynomial-redos]
|
||||
}
|
||||
}
|
||||
return create()
|
||||
|
||||
@@ -4,140 +4,140 @@ var app = express();
|
||||
app.use(function(req, res) {
|
||||
let tainted = req.query.tainted; // $ Source[js/polynomial-redos]
|
||||
|
||||
tainted.replace(/^\s+|\s+$/g, ''); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
|
||||
tainted.split(/ *, */); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
|
||||
tainted.replace(/\s*\n\s*/g, ' '); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
|
||||
tainted.replace(/^\s+|\s+$/g, ''); // $ Alert[js/polynomial-redos]
|
||||
tainted.split(/ *, */); // $ Alert[js/polynomial-redos]
|
||||
tainted.replace(/\s*\n\s*/g, ' '); // $ Alert[js/polynomial-redos]
|
||||
tainted.split('\n');
|
||||
tainted.replace(/.*[/\\]/, ''); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
|
||||
tainted.replace(/.*\./, ''); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
|
||||
tainted.replace(/.*[/\\]/, ''); // $ Alert[js/polynomial-redos]
|
||||
tainted.replace(/.*\./, ''); // $ Alert[js/polynomial-redos]
|
||||
tainted.replace(/^.*[/\\]/, '');
|
||||
tainted.replace(/^.*\./, '');
|
||||
tainted.replace(/^(`+)\s*([\s\S]*?[^`])\s*\1(?!`)/); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
|
||||
tainted.replace(/^(`+)([\s\S]*?[^`])\1(?!`)/); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
|
||||
/^(.*,)+(.+)?$/.test(tainted); // $ Alert[js/polynomial-redos] Alert[js/redos] Sink[js/polynomial-redos]
|
||||
tainted.match(/[0-9]*['a-z\u00A0-\u05FF\u0700-\uD7FF\uF900-\uFDCF\uFDF0-\uFFEF]+|[\u0600-\u06FF\/]+(\s*?[\u0600-\u06FF]+){1,2}/i); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
|
||||
tainted.match(/[0-9]*['a-z\u00A0-\u05FF\u0700-\uD7FF\uF900-\uFDCF\uFDF0-\uFFEF]{1,256}|[\u0600-\u06FF\/]{1,256}(\s*?[\u0600-\u06FF]{1,256}){1,2}/i); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos] - even though it is a proposed fix for the above
|
||||
tainted.match(/^(\+|-)?(\d+|(\d*\.\d*))?(E|e)?([-+])?(\d+)?$/); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
|
||||
tainted.replace(/^(`+)\s*([\s\S]*?[^`])\s*\1(?!`)/); // $ Alert[js/polynomial-redos]
|
||||
tainted.replace(/^(`+)([\s\S]*?[^`])\1(?!`)/); // $ Alert[js/polynomial-redos]
|
||||
/^(.*,)+(.+)?$/.test(tainted); // $ Alert[js/polynomial-redos] Alert[js/redos]
|
||||
tainted.match(/[0-9]*['a-z\u00A0-\u05FF\u0700-\uD7FF\uF900-\uFDCF\uFDF0-\uFFEF]+|[\u0600-\u06FF\/]+(\s*?[\u0600-\u06FF]+){1,2}/i); // $ Alert[js/polynomial-redos]
|
||||
tainted.match(/[0-9]*['a-z\u00A0-\u05FF\u0700-\uD7FF\uF900-\uFDCF\uFDF0-\uFFEF]{1,256}|[\u0600-\u06FF\/]{1,256}(\s*?[\u0600-\u06FF]{1,256}){1,2}/i); // $ Alert[js/polynomial-redos] - even though it is a proposed fix for the above
|
||||
tainted.match(/^(\+|-)?(\d+|(\d*\.\d*))?(E|e)?([-+])?(\d+)?$/); // $ Alert[js/polynomial-redos]
|
||||
if (tainted.length < 7000) {
|
||||
tainted.match(/^(\+|-)?(\d+|(\d*\.\d*))?(E|e)?([-+])?(\d+)?$/); // OK - but flagged
|
||||
}
|
||||
|
||||
tainted.match(/^([a-z0-9-]+)[ \t]+([a-zA-Z0-9+\/ \t\n]+[=]*)(.*)$/); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
|
||||
tainted.match(/^([a-z0-9-]+)[ \t]+([a-zA-Z0-9+\/ \t\n]+[=]*)(.*)$/); // $ Alert[js/polynomial-redos]
|
||||
tainted.match(/^([a-z0-9-]+)[ \t\n]+([a-zA-Z0-9+\/][a-zA-Z0-9+\/ \t\n=]*)([^a-zA-Z0-9+\/ \t\n=].*)?$/);
|
||||
/[a-z][A-Z]|[A-Z]{2,}[a-z]|[0-9][a-zA-Z]|[a-zA-Z][0-9]|[^a-zA-Z0-9 ]/.test(tainted); // $ MISSING: Alert[js/polynomial-redos] - not detected due to not supporting ranges
|
||||
/[a-z][A-Z]|[A-Z]{2}[a-z]|[0-9][a-zA-Z]|[a-zA-Z][0-9]|[^a-zA-Z0-9 ]/.test(tainted);
|
||||
|
||||
tainted.replace(/[?]+.*$/g, ""); // $ Sink[js/polynomial-redos] SPURIOUS: Alert[js/polynomial-redos] - can not fail once a match has started
|
||||
tainted.replace(/[?]+.*$/g, ""); // $ SPURIOUS: Alert[js/polynomial-redos] - can not fail once a match has started
|
||||
tainted.replace(/\-\-+/g, "-").replace(/-+$/, ""); // OK - indirectly sanitized
|
||||
tainted.replace(/\n\n\n+/g, "\n").replace(/\n*$/g, ""); // OK - indirectly sanitized
|
||||
tainted.match(/(.)*solve\/challenges\/server-side(.)*/); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
|
||||
tainted.match(/(.)*solve\/challenges\/server-side(.)*/); // $ Alert[js/polynomial-redos]
|
||||
tainted.match(/<head>(?![\s\S]*<head>)/i);
|
||||
|
||||
tainted.match(/<.*class="([^"]+)".*>/); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
|
||||
tainted.match(/<.*style="([^"]+)".*>/); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
|
||||
tainted.match(/<.*href="([^"]+)".*>/); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
|
||||
tainted.match(/<.*class="([^"]+)".*>/); // $ Alert[js/polynomial-redos]
|
||||
tainted.match(/<.*style="([^"]+)".*>/); // $ Alert[js/polynomial-redos]
|
||||
tainted.match(/<.*href="([^"]+)".*>/); // $ Alert[js/polynomial-redos]
|
||||
|
||||
tainted.match(/^([^-]+)-([A-Za-z0-9+/]+(?:=?=?))([?\x21-\x7E]*)$/); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
|
||||
tainted.match(/^([^-]+)-([A-Za-z0-9+/]+(?:=?=?))([?\x21-\x7E]*)$/); // $ Alert[js/polynomial-redos]
|
||||
tainted.match(/^([^-]+)-([A-Za-z0-9+/=]{44,88})(\?[\x21-\x7E]*)*$/); // $ Alert[js/redos] - it is a fix for the above, but it introduces exponential complexity elsewhere
|
||||
|
||||
tainted.match(/^([a-z0-9-]+)[ \t]+([a-zA-Z0-9+\/]+[=]*)([\n \t]+([^\n]+))?$/); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
|
||||
tainted.match(/^([a-z0-9-]+)[ \t]+([a-zA-Z0-9+\/]+[=]*)([\n \t]+([^\n]+))?$/); // $ Alert[js/polynomial-redos]
|
||||
tainted.match(/^([a-z0-9-]+)[ \t]+([a-zA-Z0-9+\/]+[=]*)([ \t]+([^ \t][^\n]*[\n]*)?)?$/);
|
||||
|
||||
tainted.match(/^(?:\.?[a-zA-Z_][a-zA-Z_0-9]*)+$/); // $ Alert[js/redos]
|
||||
tainted.match(/^(?:\.?[a-zA-Z_][a-zA-Z_0-9]*)(?:\.[a-zA-Z_][a-zA-Z_0-9]*)*$/);
|
||||
tainted.replaceAll(/\s*\n\s*/g, ' '); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
|
||||
tainted.replaceAll(/\s*\n\s*/g, ' '); // $ Alert[js/polynomial-redos]
|
||||
|
||||
/Y.*X/.test(tainted); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
|
||||
/B?(YH|K)(YH|J)*X/.test(tainted) // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
|
||||
(/B?(YH|K).*X/.test(tainted)); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
|
||||
/(B|Y)+(Y)*X/.test(tainted) // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
|
||||
(/(B|Y)+(.)*X/.test(tainted)) // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
|
||||
(/f(B|Y)+(Y)*X/.test(tainted)); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
|
||||
/f(B|Y)+(Y)*X/.test(tainted) // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
|
||||
(/f(B|Y)+(Y|K)*X/.test(tainted)) // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
|
||||
(/f(B|Y)+.*X/.test(tainted)) // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
|
||||
(/f(B|Y)+(.)*X/.test(tainted)) // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
|
||||
/Y.*X/.test(tainted); // $ Alert[js/polynomial-redos]
|
||||
/B?(YH|K)(YH|J)*X/.test(tainted) // $ Alert[js/polynomial-redos]
|
||||
(/B?(YH|K).*X/.test(tainted)); // $ Alert[js/polynomial-redos]
|
||||
/(B|Y)+(Y)*X/.test(tainted) // $ Alert[js/polynomial-redos]
|
||||
(/(B|Y)+(.)*X/.test(tainted)) // $ Alert[js/polynomial-redos]
|
||||
(/f(B|Y)+(Y)*X/.test(tainted)); // $ Alert[js/polynomial-redos]
|
||||
/f(B|Y)+(Y)*X/.test(tainted) // $ Alert[js/polynomial-redos]
|
||||
(/f(B|Y)+(Y|K)*X/.test(tainted)) // $ Alert[js/polynomial-redos]
|
||||
(/f(B|Y)+.*X/.test(tainted)) // $ Alert[js/polynomial-redos]
|
||||
(/f(B|Y)+(.)*X/.test(tainted)) // $ Alert[js/polynomial-redos]
|
||||
(/^(.)*X/.test(tainted));
|
||||
(/^Y(Y)*X/.test(tainted));
|
||||
(/^Y*Y*X/.test(tainted)); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
|
||||
(/^(K|Y)+Y*X/.test(tainted)); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
|
||||
(/^foo(K|Y)+Y*X/.test(tainted)); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
|
||||
(/^foo(K|Y)+.*X/.test(tainted)); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
|
||||
(/(K|Y).*X/.test(tainted)); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
|
||||
(/[^Y].*X/.test(tainted)); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
|
||||
(/^Y*Y*X/.test(tainted)); // $ Alert[js/polynomial-redos]
|
||||
(/^(K|Y)+Y*X/.test(tainted)); // $ Alert[js/polynomial-redos]
|
||||
(/^foo(K|Y)+Y*X/.test(tainted)); // $ Alert[js/polynomial-redos]
|
||||
(/^foo(K|Y)+.*X/.test(tainted)); // $ Alert[js/polynomial-redos]
|
||||
(/(K|Y).*X/.test(tainted)); // $ Alert[js/polynomial-redos]
|
||||
(/[^Y].*X/.test(tainted)); // $ Alert[js/polynomial-redos]
|
||||
(/[^Y].*$/.test(req.url)); // OK - the input cannot contain newlines.
|
||||
(/[^Y].*$/.test(req.body)); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
|
||||
(/[^Y].*$/.test(req.body)); // $ Alert[js/polynomial-redos]
|
||||
|
||||
tainted.match(/^([^-]+)-([A-Za-z0-9+/]+(?:=?=?))([?\x21-\x7E]*)$/); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
|
||||
tainted.match(/^([^-]+)-([A-Za-z0-9+/]+(?:=?=?))([?\x21-\x7E]*)$/); // $ Alert[js/polynomial-redos]
|
||||
|
||||
tainted.match(new RegExp("(MSIE) (\\d+)\\.(\\d+).*XBLWP7")); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
|
||||
tainted.match(new RegExp("(MSIE) (\\d+)\\.(\\d+).*XBLWP7")); // $ Alert[js/polynomial-redos]
|
||||
|
||||
tainted.match(/<.*class="([^"]+)".*>/); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
|
||||
tainted.match(/<.*class="([^"]+)".*>/); // $ Alert[js/polynomial-redos]
|
||||
|
||||
tainted.match(/Y.*X/); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
|
||||
tainted.match(/Y.*X/); // $ Alert[js/polynomial-redos]
|
||||
tatined.match(/B?(YH|K)(YH|J)*X/); // $ MISSING: Alert[js/polynomial-redos]
|
||||
|
||||
tainted.match(/a*b/); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos] - the initial repetition can start matching anywhere.
|
||||
tainted.match(/cc*D/); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
|
||||
tainted.match(/a*b/); // $ Alert[js/polynomial-redos] - the initial repetition can start matching anywhere.
|
||||
tainted.match(/cc*D/); // $ Alert[js/polynomial-redos]
|
||||
tainted.match(/^ee*F/);
|
||||
tainted.match(/^g*g*/);
|
||||
tainted.match(/^h*i*/);
|
||||
|
||||
tainted.match(/^(ab)*ab(ab)*X/); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
|
||||
tainted.match(/^(ab)*ab(ab)*X/); // $ Alert[js/polynomial-redos]
|
||||
|
||||
tainted.match(/aa*X/); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
|
||||
tainted.match(/^a*a*X/); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
|
||||
tainted.match(/\wa*X/); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
|
||||
tainted.match(/aa*X/); // $ Alert[js/polynomial-redos]
|
||||
tainted.match(/^a*a*X/); // $ Alert[js/polynomial-redos]
|
||||
tainted.match(/\wa*X/); // $ Alert[js/polynomial-redos]
|
||||
tainted.match(/a*b*c*/);
|
||||
tainted.match(/a*a*a*a*/);
|
||||
|
||||
tainted.match(/^([3-7]|A)*([2-5]|B)*X/); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
|
||||
tainted.match(/^\d*([2-5]|B)*X/); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
|
||||
tainted.match(/^([3-7]|A)*\d*X/); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
|
||||
tainted.match(/^([3-7]|A)*([2-5]|B)*X/); // $ Alert[js/polynomial-redos]
|
||||
tainted.match(/^\d*([2-5]|B)*X/); // $ Alert[js/polynomial-redos]
|
||||
tainted.match(/^([3-7]|A)*\d*X/); // $ Alert[js/polynomial-redos]
|
||||
|
||||
tainted.match(/^(ab)+ab(ab)+X/); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
|
||||
tainted.match(/^(ab)+ab(ab)+X/); // $ Alert[js/polynomial-redos]
|
||||
|
||||
tainted.match(/aa+X/); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
|
||||
tainted.match(/a+X/); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
|
||||
tainted.match(/^a+a+X/); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
|
||||
tainted.match(/\wa+X/); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
|
||||
tainted.match(/a+b+c+/); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
|
||||
tainted.match(/aa+X/); // $ Alert[js/polynomial-redos]
|
||||
tainted.match(/a+X/); // $ Alert[js/polynomial-redos]
|
||||
tainted.match(/^a+a+X/); // $ Alert[js/polynomial-redos]
|
||||
tainted.match(/\wa+X/); // $ Alert[js/polynomial-redos]
|
||||
tainted.match(/a+b+c+/); // $ Alert[js/polynomial-redos]
|
||||
tainted.match(/a+a+a+a+/);
|
||||
|
||||
tainted.match(/^([3-7]|A)+([2-5]|B)+X/); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
|
||||
tainted.match(/^\d+([2-5]|B)+X/); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
|
||||
tainted.match(/^([3-7]|A)+\d+X/); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
|
||||
tainted.match(/^([3-7]|A)+([2-5]|B)+X/); // $ Alert[js/polynomial-redos]
|
||||
tainted.match(/^\d+([2-5]|B)+X/); // $ Alert[js/polynomial-redos]
|
||||
tainted.match(/^([3-7]|A)+\d+X/); // $ Alert[js/polynomial-redos]
|
||||
|
||||
tainted.match(/\s*$/); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
|
||||
tainted.match(/\s+$/); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
|
||||
tainted.match(/\s*$/); // $ Alert[js/polynomial-redos]
|
||||
tainted.match(/\s+$/); // $ Alert[js/polynomial-redos]
|
||||
|
||||
tainted.match(/^\d*5\w*$/); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
|
||||
tainted.match(/^\d*5\w*$/); // $ Alert[js/polynomial-redos]
|
||||
|
||||
tainted.match(/\/\*[\d\D]*?\*\//g); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
|
||||
tainted.match(/\/\*[\d\D]*?\*\//g); // $ Alert[js/polynomial-redos]
|
||||
|
||||
tainted.match(/(#\d+)+/); // $ Sink[js/polynomial-redos] SPURIOUS: Alert[js/polynomial-redos] - flagged due to insufficient suffix-checking.
|
||||
tainted.match(/(#\d+)+/); // $ SPURIOUS: Alert[js/polynomial-redos] - flagged due to insufficient suffix-checking.
|
||||
|
||||
(function foo() {
|
||||
var replaced = tainted.replace(/[^\w\s\-\.\_~]/g, '');
|
||||
var result = ""
|
||||
result += replaced;
|
||||
result = result.replace(/^\s+|\s+$/g, ''); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
|
||||
result = result.replace(/^\s+|\s+$/g, ''); // $ Alert[js/polynomial-redos]
|
||||
})();
|
||||
|
||||
tainted.match(/(https?:\/\/[^\s]+)/gm);
|
||||
|
||||
var modified = tainted.replace(/a/g, "b");
|
||||
modified.replace(/cc+D/g, "b"); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
|
||||
modified.replace(/cc+D/g, "b"); // $ Alert[js/polynomial-redos]
|
||||
|
||||
var modified2 = tainted.replace(/a|b|c|\d/g, "e");
|
||||
modified2.replace(/ff+G/g, "b"); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
|
||||
modified2.replace(/ff+G/g, "b"); // $ Alert[js/polynomial-redos]
|
||||
|
||||
var modified3 = tainted.replace(/\s+/g, "");
|
||||
modified3.replace(/hh+I/g, "b"); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
|
||||
modified3.replace(/hh+I/g, "b"); // $ Alert[js/polynomial-redos]
|
||||
|
||||
tainted.match(/(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)C.*X/); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
|
||||
tainted.match(/(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)C.*X/); // $ Alert[js/polynomial-redos]
|
||||
|
||||
modified3.replace(new RegExp("hh+I", "g"), "b"); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
|
||||
modified3.replace(new RegExp("hh+I", unknownFlags()), "b"); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
|
||||
modified3.replace(new RegExp("hh+I", ""), "b"); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
|
||||
modified3.replace(new RegExp("hh+I", "g"), "b"); // $ Alert[js/polynomial-redos]
|
||||
modified3.replace(new RegExp("hh+I", unknownFlags()), "b"); // $ Alert[js/polynomial-redos]
|
||||
modified3.replace(new RegExp("hh+I", ""), "b"); // $ Alert[js/polynomial-redos]
|
||||
});
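Review bot: The `$ MISSING: Alert[js/polynomial-redos]` expectation on `tatined.match(/B?(YH|K)(YH|J)*X/);` in this hunk looks like it is recording a typo rather than a real false negative: `tatined` is not the `tainted` variable declared at the top of the handler, so no taint flow exists to be missed and the line does not exercise the analysis at all. Correcting it to `tainted.match(/B?(YH|K)(YH|J)*X/);` should turn the expectation into a plain `// $ Alert[js/polynomial-redos]`, matching the `/B?(YH|K)(YH|J)*X/.test(tainted)` case a few lines earlier, though that outcome should be confirmed by running the test. Separately, the `// OK - but flagged` comment inside the `tainted.length < 7000` block carries no `$` tag, so if the query still reports that line the checker will see an unexpected result; either the comment is stale or it should carry a `$ SPURIOUS: Alert[js/polynomial-redos]` tag like the `[?]+.*$` line below it. The enclosing `app.use` handler starts above this hunk.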
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
export async function POST(req: Request) {
|
||||
const { url } = await req.json(); // $ Source[js/request-forgery]
|
||||
const res = await fetch(url); // $ Alert[js/request-forgery] Sink[js/request-forgery]
|
||||
const res = await fetch(url); // $ Alert[js/request-forgery]
|
||||
return new Response(res.body, { headers: res.headers });
|
||||
}
|
||||
|
||||
@@ -2,7 +2,7 @@ import { NextRequest, NextResponse } from 'next/server';
|
||||
|
||||
export async function POST(req: NextRequest) {
|
||||
const { url } = await req.json(); // $ Source[js/request-forgery]
|
||||
const res = await fetch(url); // $ Alert[js/request-forgery] Sink[js/request-forgery]
|
||||
const res = await fetch(url); // $ Alert[js/request-forgery]
|
||||
const data = await res.text();
|
||||
return new NextResponse(data, { headers: res.headers });
|
||||
}
|
||||
|
||||
@@ -4,15 +4,14 @@ export async function middleware(req: NextRequest) {
|
||||
const target = req.nextUrl // $ Source[js/request-forgery]
|
||||
const target2 = target.searchParams.get('target'); // $ Source[js/request-forgery]
|
||||
if (target) {
|
||||
const res = await fetch(target) // $ Alert[js/request-forgery] Sink[js/request-forgery]
|
||||
const res = await fetch(target) // $ Alert[js/request-forgery]
|
||||
const data = await res.text()
|
||||
return new NextResponse(data)
|
||||
}
|
||||
if (target2) {
|
||||
const res = await fetch(target2); // $ Alert[js/request-forgery] Sink[js/request-forgery]
|
||||
const res = await fetch(target2); // $ Alert[js/request-forgery]
|
||||
const data = await res.text();
|
||||
return new NextResponse(data);
|
||||
}
|
||||
return NextResponse.next()
|
||||
}
|
||||
|
||||
@@ -5,7 +5,7 @@ function createApolloServer(typeDefs) {
|
||||
const resolvers = {
|
||||
Mutation: {
|
||||
downloadFiles: async (_, { files }) => { // $ Source[js/request-forgery]
|
||||
files.forEach((file) => { get(file.url, (res) => {}); }); // $ Alert[js/request-forgery] Sink[js/request-forgery]
|
||||
files.forEach((file) => { get(file.url, (res) => {}); }); // $ Alert[js/request-forgery]
|
||||
return true;
|
||||
},
|
||||
},
|
||||
@@ -15,7 +15,7 @@ function createApolloServer(typeDefs) {
|
||||
const resolvers2 = {
|
||||
Mutation: {
|
||||
downloadFiles: async (_, { files }) => { // $ Source[js/request-forgery]
|
||||
files.forEach((file) => { get(file.url, (res) => {}); }); // $ Alert[js/request-forgery] Sink[js/request-forgery]
|
||||
files.forEach((file) => { get(file.url, (res) => {}); }); // $ Alert[js/request-forgery]
|
||||
return true;
|
||||
},
|
||||
},
|
||||
|
||||
@@ -9,16 +9,16 @@ export function MyComponent() {
|
||||
request(params.foo); // Possibly problematic, but not currently flagged.
|
||||
|
||||
const query = window.location.search.substring(1); // $ Source[js/client-side-request-forgery]
|
||||
request('https://example.com/api/' + query + '/id'); // $ Alert[js/client-side-request-forgery] Sink[js/client-side-request-forgery]
|
||||
request('https://example.com/api/' + query + '/id'); // $ Alert[js/client-side-request-forgery]
|
||||
request('https://example.com/api?q=' + query);
|
||||
request('https://example.com/api/' + window.location.search); // $ Alert[js/client-side-request-forgery] Sink[js/client-side-request-forgery] - likely OK - but currently flagged anyway
|
||||
request('https://example.com/api/' + window.location.search); // $ Alert[js/client-side-request-forgery] - likely OK - but currently flagged anyway
|
||||
|
||||
const fragment = window.location.hash.substring(1); // $ Source[js/client-side-request-forgery]
|
||||
request('https://example.com/api/' + fragment + '/id'); // $ Alert[js/client-side-request-forgery] Sink[js/client-side-request-forgery]
|
||||
request('https://example.com/api/' + fragment + '/id'); // $ Alert[js/client-side-request-forgery]
|
||||
request('https://example.com/api?q=' + fragment);
|
||||
|
||||
const name = window.name; // $ Source[js/client-side-request-forgery]
|
||||
request('https://example.com/api/' + name + '/id'); // $ Alert[js/client-side-request-forgery] Sink[js/client-side-request-forgery]
|
||||
request('https://example.com/api/' + name + '/id'); // $ Alert[js/client-side-request-forgery]
|
||||
request('https://example.com/api?q=' + name);
|
||||
|
||||
request(window.location.href + '?q=123');
|
||||
|
||||
@@ -15,34 +15,34 @@ var server = http.createServer(function(req, res) {
|
||||
|
||||
request("example.com");
|
||||
|
||||
request(tainted); // $ Alert[js/request-forgery] Sink[js/request-forgery]
|
||||
request(tainted); // $ Alert[js/request-forgery]
|
||||
|
||||
request.get(tainted); // $ Alert[js/request-forgery] Sink[js/request-forgery]
|
||||
request.get(tainted); // $ Alert[js/request-forgery]
|
||||
|
||||
var options = {};
|
||||
options.url = tainted; // $ Sink[js/request-forgery]
|
||||
request(options); // $ Alert[js/request-forgery]
|
||||
|
||||
request("http://" + tainted); // $ Alert[js/request-forgery] Sink[js/request-forgery]
|
||||
request("http://" + tainted); // $ Alert[js/request-forgery]
|
||||
|
||||
request("http://example.com" + tainted); // $ Alert[js/request-forgery] Sink[js/request-forgery]
|
||||
request("http://example.com" + tainted); // $ Alert[js/request-forgery]
|
||||
|
||||
request("http://example.com/" + tainted); // $ Alert[js/request-forgery] Sink[js/request-forgery]
|
||||
request("http://example.com/" + tainted); // $ Alert[js/request-forgery]
|
||||
|
||||
request("http://example.com/?" + tainted);
|
||||
|
||||
http.get(relativeUrl, {host: tainted}); // $ Alert[js/request-forgery] Sink[js/request-forgery]
|
||||
http.get(relativeUrl, {host: tainted}); // $ Alert[js/request-forgery]
|
||||
|
||||
XhrIo.send(new Uri(tainted)); // $ Alert[js/request-forgery] Sink[js/request-forgery]
|
||||
new XhrIo().send(new Uri(tainted)); // $ Alert[js/request-forgery] Sink[js/request-forgery]
|
||||
XhrIo.send(new Uri(tainted)); // $ Alert[js/request-forgery]
|
||||
new XhrIo().send(new Uri(tainted)); // $ Alert[js/request-forgery]
|
||||
|
||||
let base = require('./config').base;
|
||||
|
||||
request(`http://example.com/${base}/${tainted}`); // $ Alert[js/request-forgery] Sink[js/request-forgery]
|
||||
request(`http://example.com/${base}/${tainted}`); // $ Alert[js/request-forgery]
|
||||
|
||||
request(`http://example.com/${base}/v1/${tainted}`); // $ Alert[js/request-forgery] Sink[js/request-forgery]
|
||||
request(`http://example.com/${base}/v1/${tainted}`); // $ Alert[js/request-forgery]
|
||||
|
||||
request('http://example.com/' + base + '/' + tainted); // $ Alert[js/request-forgery] Sink[js/request-forgery]
|
||||
request('http://example.com/' + base + '/' + tainted); // $ Alert[js/request-forgery]
|
||||
|
||||
request('http://example.com/' + base + ('/' + tainted)); // $ MISSING: Alert
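Review bot: The last line of this hunk uses a bare `// $ MISSING: Alert` while every other expectation in the same file qualifies the tag with the query id (`Alert[js/request-forgery]`). If the expectation checker matches tags by query id, the unqualified tag is probably not compared against anything and the known false negative goes unrecorded; making it `// $ MISSING: Alert[js/request-forgery]` keeps it consistent and verifiable. The enclosing `http.createServer` callback starts and ends outside this hunk.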
|
||||
|
||||
@@ -58,14 +58,14 @@ var server = http.createServer(async function(req, res) {
|
||||
var tainted = url.parse(req.url, true).query.url; // $ Source[js/request-forgery]
|
||||
|
||||
var client = await CDP(options);
|
||||
client.Page.navigate({url: tainted}); // $ Alert[js/request-forgery] Sink[js/request-forgery]
|
||||
client.Page.navigate({url: tainted}); // $ Alert[js/request-forgery]
|
||||
|
||||
CDP(options).catch((ignored) => {}).then((client) => {
|
||||
client.Page.navigate({url: tainted}); // $ Alert[js/request-forgery] Sink[js/request-forgery]
|
||||
client.Page.navigate({url: tainted}); // $ Alert[js/request-forgery]
|
||||
})
|
||||
|
||||
CDP(options, (client) => {
|
||||
client.Page.navigate({url: tainted}); // $ Alert[js/request-forgery] Sink[js/request-forgery]
|
||||
client.Page.navigate({url: tainted}); // $ Alert[js/request-forgery]
|
||||
});
|
||||
})
|
||||
|
||||
@@ -73,7 +73,7 @@ import {JSDOM} from "jsdom";
|
||||
var server = http.createServer(async function(req, res) {
|
||||
var tainted = url.parse(req.url, true).query.url; // $ Source[js/request-forgery]
|
||||
|
||||
JSDOM.fromURL(tainted); // $ Alert[js/request-forgery] Sink[js/request-forgery]
|
||||
JSDOM.fromURL(tainted); // $ Alert[js/request-forgery]
|
||||
});
|
||||
|
||||
var route = require('koa-route');
|
||||
@@ -81,15 +81,15 @@ var Koa = require('koa');
|
||||
var app = new Koa();
|
||||
|
||||
app.use(route.get('/pets', (context, param1, param2, param3) => { // $ Source[js/request-forgery]
|
||||
JSDOM.fromURL(param1); // $ Alert[js/request-forgery] Sink[js/request-forgery]
|
||||
JSDOM.fromURL(param1); // $ Alert[js/request-forgery]
|
||||
}));
|
||||
|
||||
const router = require('koa-router')();
|
||||
const app = new Koa();
|
||||
router.get('/', async (ctx, next) => {
|
||||
JSDOM.fromURL(ctx.params.foo); // $ Alert[js/request-forgery] Sink[js/request-forgery]
|
||||
JSDOM.fromURL(ctx.params.foo); // $ Alert[js/request-forgery]
|
||||
}).post('/', async (ctx, next) => {
|
||||
JSDOM.fromURL(ctx.params.foo); // $ Alert[js/request-forgery] Sink[js/request-forgery]
|
||||
JSDOM.fromURL(ctx.params.foo); // $ Alert[js/request-forgery]
|
||||
});
|
||||
app.use(router.routes());
|
||||
|
||||
@@ -97,7 +97,7 @@ import {JSDOM} from "jsdom";
|
||||
var server = http.createServer(async function(req, res) {
|
||||
var tainted = url.parse(req.url, true).query.url; // $ Source[js/request-forgery]
|
||||
|
||||
new WebSocket(tainted); // $ Alert[js/request-forgery] Sink[js/request-forgery]
|
||||
new WebSocket(tainted); // $ Alert[js/request-forgery]
|
||||
});
|
||||
|
||||
|
||||
@@ -106,7 +106,7 @@ import * as ws from 'ws';
|
||||
new ws.Server({ port: 8080 }).on('connection', function(socket, request) {
|
||||
socket.on('message', function(message) {
|
||||
const url = request.url; // $ Source[js/request-forgery]
|
||||
const socket = new ws(url); // $ Alert[js/request-forgery] Sink[js/request-forgery]
|
||||
const socket = new ws(url); // $ Alert[js/request-forgery]
|
||||
});
|
||||
});
|
||||
|
||||
@@ -114,7 +114,7 @@ new ws.Server({ port: 8080 }).on('connection', function (socket, request) {
|
||||
socket.on('message', function (message) {
|
||||
const url = new URL(request.url, base); // $ Source[js/request-forgery]
|
||||
const target = new URL(url.pathname, base);
|
||||
const socket = new ws(url); // $ Alert[js/request-forgery] Sink[js/request-forgery]
|
||||
const socket = new ws(url); // $ Alert[js/request-forgery]
|
||||
});
|
||||
});
|
||||
|
||||
@@ -128,8 +128,8 @@ var server2 = http.createServer(function(req, res) {
|
||||
}) // $ Alert[js/request-forgery]
|
||||
|
||||
var myUrl = `${something}/bla/${tainted}`;
|
||||
axios.get(myUrl); // $ Alert[js/request-forgery] Sink[js/request-forgery]
|
||||
axios.get(myUrl); // $ Alert[js/request-forgery]
|
||||
|
||||
var myEncodedUrl = `${something}/bla/${encodeURIComponent(tainted)}`;
|
||||
axios.get(myEncodedUrl);
|
||||
})
|
||||
})
|
||||
|
||||