hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-05-04 13:15:21 +02:00
Code Issues Packages Projects Releases Wiki Activity

JS: Add test for new sink

Browse Source
This commit is contained in:
Asger Feldthaus
2021-01-18 10:55:34 +00:00
parent 2752b4ba64
commit 3db6069372
3 changed files with 11 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/Xss.expected
View File

@@ -56,6 +56,9 @@ nodes
| angular2-client.ts:38:44:38:58 | this.router.url |
| angular2-client.ts:38:44:38:58 | this.router.url |
| angular2-client.ts:38:44:38:58 | this.router.url |
| angular2-client.ts:40:45:40:59 | this.router.url |
| angular2-client.ts:40:45:40:59 | this.router.url |
| angular2-client.ts:40:45:40:59 | this.router.url |
| angular2-client.ts:44:44:44:76 | routeSn ... ('foo') |
| angular2-client.ts:44:44:44:76 | routeSn ... ('foo') |
| angular2-client.ts:44:44:44:76 | routeSn ... ('foo') |
@@ -697,6 +700,7 @@ edges
| angular2-client.ts:36:44:36:89 | this.ro ... .params | angular2-client.ts:36:44:36:91 | this.ro ... arams.x |
| angular2-client.ts:36:44:36:89 | this.ro ... .params | angular2-client.ts:36:44:36:91 | this.ro ... arams.x |
| angular2-client.ts:38:44:38:58 | this.router.url | angular2-client.ts:38:44:38:58 | this.router.url |
| angular2-client.ts:40:45:40:59 | this.router.url | angular2-client.ts:40:45:40:59 | this.router.url |
| angular2-client.ts:44:44:44:76 | routeSn ... ('foo') | angular2-client.ts:44:44:44:76 | routeSn ... ('foo') |
| classnames.js:7:47:7:69 | classNa ... w.name) | classnames.js:7:31:7:84 | `<span ... <span>` |
| classnames.js:7:47:7:69 | classNa ... w.name) | classnames.js:7:31:7:84 | `<span ... <span>` |
@@ -1238,6 +1242,7 @@ edges
| angular2-client.ts:35:44:35:91 | this.ro ... et('x') | angular2-client.ts:35:44:35:91 | this.ro ... et('x') | angular2-client.ts:35:44:35:91 | this.ro ... et('x') | Cross-site scripting vulnerability due to $@. | angular2-client.ts:35:44:35:91 | this.ro ... et('x') | user-provided value |
| angular2-client.ts:36:44:36:91 | this.ro ... arams.x | angular2-client.ts:36:44:36:89 | this.ro ... .params | angular2-client.ts:36:44:36:91 | this.ro ... arams.x | Cross-site scripting vulnerability due to $@. | angular2-client.ts:36:44:36:89 | this.ro ... .params | user-provided value |
| angular2-client.ts:38:44:38:58 | this.router.url | angular2-client.ts:38:44:38:58 | this.router.url | angular2-client.ts:38:44:38:58 | this.router.url | Cross-site scripting vulnerability due to $@. | angular2-client.ts:38:44:38:58 | this.router.url | user-provided value |
| angular2-client.ts:40:45:40:59 | this.router.url | angular2-client.ts:40:45:40:59 | this.router.url | angular2-client.ts:40:45:40:59 | this.router.url | Cross-site scripting vulnerability due to $@. | angular2-client.ts:40:45:40:59 | this.router.url | user-provided value |
| angular2-client.ts:44:44:44:76 | routeSn ... ('foo') | angular2-client.ts:44:44:44:76 | routeSn ... ('foo') | angular2-client.ts:44:44:44:76 | routeSn ... ('foo') | Cross-site scripting vulnerability due to $@. | angular2-client.ts:44:44:44:76 | routeSn ... ('foo') | user-provided value |
| classnames.js:7:31:7:84 | `<span ... <span>` | classnames.js:7:58:7:68 | window.name | classnames.js:7:31:7:84 | `<span ... <span>` | Cross-site scripting vulnerability due to $@. | classnames.js:7:58:7:68 | window.name | user-provided value |
| classnames.js:8:31:8:85 | `<span ... <span>` | classnames.js:8:59:8:69 | window.name | classnames.js:8:31:8:85 | `<span ... <span>` | Cross-site scripting vulnerability due to $@. | classnames.js:8:59:8:69 | window.name | user-provided value |

4
javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/XssWithAdditionalSources.expected
View File

@@ -56,6 +56,9 @@ nodes
| angular2-client.ts:38:44:38:58 | this.router.url |
| angular2-client.ts:38:44:38:58 | this.router.url |
| angular2-client.ts:38:44:38:58 | this.router.url |
| angular2-client.ts:40:45:40:59 | this.router.url |
| angular2-client.ts:40:45:40:59 | this.router.url |
| angular2-client.ts:40:45:40:59 | this.router.url |
| angular2-client.ts:44:44:44:76 | routeSn ... ('foo') |
| angular2-client.ts:44:44:44:76 | routeSn ... ('foo') |
| angular2-client.ts:44:44:44:76 | routeSn ... ('foo') |
@@ -708,6 +711,7 @@ edges
| angular2-client.ts:36:44:36:89 | this.ro ... .params | angular2-client.ts:36:44:36:91 | this.ro ... arams.x |
| angular2-client.ts:36:44:36:89 | this.ro ... .params | angular2-client.ts:36:44:36:91 | this.ro ... arams.x |
| angular2-client.ts:38:44:38:58 | this.router.url | angular2-client.ts:38:44:38:58 | this.router.url |
| angular2-client.ts:40:45:40:59 | this.router.url | angular2-client.ts:40:45:40:59 | this.router.url |
| angular2-client.ts:44:44:44:76 | routeSn ... ('foo') | angular2-client.ts:44:44:44:76 | routeSn ... ('foo') |
| classnames.js:7:47:7:69 | classNa ... w.name) | classnames.js:7:31:7:84 | `<span ... <span>` |
| classnames.js:7:47:7:69 | classNa ... w.name) | classnames.js:7:31:7:84 | `<span ... <span>` |

4
javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/angular2-client.ts
View File

@@ -15,7 +15,7 @@ export class AppComponent implements OnInit {
private route: ActivatedRoute,
private sanitizer: DomSanitizer,
private router: Router,
// private sanitizer2: DomSanitizer2
private sanitizer2: DomSanitizer2
) {}
ngOnInit() {
@@ -37,7 +37,7 @@ export class AppComponent implements OnInit {
this.sanitizer.bypassSecurityTrustHtml(this.router.url); // NOT OK
// this.sanitizer2.bypassSecurityTrustHtml(this.router.url); // NOT OK
this.sanitizer2.bypassSecurityTrustHtml(this.router.url); // NOT OK
}
someMethod(routeSnapshot: ActivatedRouteSnapshot) {