Add test case to ensure exec calls without middleware injection into Express are not flagged.

Napalys
2025-03-30 13:59:36 +02:00
parent 45c8ec96df
commit 32d6ac8da7


@@ -84,3 +84,12 @@ app2.post('/documents/find', (req, res) => {
client.execute('select A, B from TEST.NUMBERS order by A' + maliciousInput, function(err, rs) {}); // $ Alert client.execute('select A, B from TEST.NUMBERS order by A' + maliciousInput, function(err, rs) {}); // $ Alert
}); });
}); });
var app3 = express();
app3.get('/execute-query', function (req, res) {
var client = req.db;
let maliciousInput = req.body.data;
client.exec('SELECT * FROM DUMMY' + maliciousInput, function (err, rs) {});
req.db.exec('SELECT * FROM DUMMY' + maliciousInput, function (err, rs) {});
});
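Review bot: The two `exec` calls in the new `app3` handler have no comment saying that the missing alert is intentional, so a later reader cannot tell a deliberate negative case from a forgotten `// $ Alert` expectation. I would add a trailing comment on each call, for example `// OK - no HANA middleware is registered on app3, so req.db is not a modelled client`. The comment should also make clear that the result reflects what the query can prove about `req.db`, not that concatenating `req.body.data` into a SQL string is safe. If `req.db` were a real database client at runtime this would still be an injection, so a one-line note above the handler saying so would keep the test from being read as an endorsed pattern.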