JS: Add ClientSideRequestForgery to RequestForgery test

This commit is contained in:
Asger Feldthaus
2022-02-16 09:07:07 +01:00
parent 260638c68b
commit 3fbc3a4d70
3 changed files with 68 additions and 0 deletions


@@ -0,0 +1,52 @@
nodes
| clientSideParam.js:11:11:11:53 | query |
| clientSideParam.js:11:19:11:40 | window. ... .search |
| clientSideParam.js:11:19:11:40 | window. ... .search |
| clientSideParam.js:11:19:11:53 | window. ... ring(1) |
| clientSideParam.js:12:13:12:54 | 'https: ... + '/id' |
| clientSideParam.js:12:13:12:54 | 'https: ... + '/id' |
| clientSideParam.js:12:42:12:46 | query |
| clientSideParam.js:14:13:14:63 | 'https: ... .search |
| clientSideParam.js:14:13:14:63 | 'https: ... .search |
| clientSideParam.js:14:42:14:63 | window. ... .search |
| clientSideParam.js:14:42:14:63 | window. ... .search |
| clientSideParam.js:16:11:16:54 | fragment |
| clientSideParam.js:16:22:16:41 | window.location.hash |
| clientSideParam.js:16:22:16:41 | window.location.hash |
| clientSideParam.js:16:22:16:54 | window. ... ring(1) |
| clientSideParam.js:17:13:17:57 | 'https: ... + '/id' |
| clientSideParam.js:17:13:17:57 | 'https: ... + '/id' |
| clientSideParam.js:17:42:17:49 | fragment |
| clientSideParam.js:20:11:20:28 | name |
| clientSideParam.js:20:18:20:28 | window.name |
| clientSideParam.js:20:18:20:28 | window.name |
| clientSideParam.js:21:13:21:53 | 'https: ... + '/id' |
| clientSideParam.js:21:13:21:53 | 'https: ... + '/id' |
| clientSideParam.js:21:42:21:45 | name |
edges
| clientSideParam.js:11:11:11:53 | query | clientSideParam.js:12:42:12:46 | query |
| clientSideParam.js:11:19:11:40 | window. ... .search | clientSideParam.js:11:19:11:53 | window. ... ring(1) |
| clientSideParam.js:11:19:11:40 | window. ... .search | clientSideParam.js:11:19:11:53 | window. ... ring(1) |
| clientSideParam.js:11:19:11:53 | window. ... ring(1) | clientSideParam.js:11:11:11:53 | query |
| clientSideParam.js:12:42:12:46 | query | clientSideParam.js:12:13:12:54 | 'https: ... + '/id' |
| clientSideParam.js:12:42:12:46 | query | clientSideParam.js:12:13:12:54 | 'https: ... + '/id' |
| clientSideParam.js:14:42:14:63 | window. ... .search | clientSideParam.js:14:13:14:63 | 'https: ... .search |
| clientSideParam.js:14:42:14:63 | window. ... .search | clientSideParam.js:14:13:14:63 | 'https: ... .search |
| clientSideParam.js:14:42:14:63 | window. ... .search | clientSideParam.js:14:13:14:63 | 'https: ... .search |
| clientSideParam.js:14:42:14:63 | window. ... .search | clientSideParam.js:14:13:14:63 | 'https: ... .search |
| clientSideParam.js:16:11:16:54 | fragment | clientSideParam.js:17:42:17:49 | fragment |
| clientSideParam.js:16:22:16:41 | window.location.hash | clientSideParam.js:16:22:16:54 | window. ... ring(1) |
| clientSideParam.js:16:22:16:41 | window.location.hash | clientSideParam.js:16:22:16:54 | window. ... ring(1) |
| clientSideParam.js:16:22:16:54 | window. ... ring(1) | clientSideParam.js:16:11:16:54 | fragment |
| clientSideParam.js:17:42:17:49 | fragment | clientSideParam.js:17:13:17:57 | 'https: ... + '/id' |
| clientSideParam.js:17:42:17:49 | fragment | clientSideParam.js:17:13:17:57 | 'https: ... + '/id' |
| clientSideParam.js:20:11:20:28 | name | clientSideParam.js:21:42:21:45 | name |
| clientSideParam.js:20:18:20:28 | window.name | clientSideParam.js:20:11:20:28 | name |
| clientSideParam.js:20:18:20:28 | window.name | clientSideParam.js:20:11:20:28 | name |
| clientSideParam.js:21:42:21:45 | name | clientSideParam.js:21:13:21:53 | 'https: ... + '/id' |
| clientSideParam.js:21:42:21:45 | name | clientSideParam.js:21:13:21:53 | 'https: ... + '/id' |
#select
| clientSideParam.js:12:5:12:55 | request ... '/id') | clientSideParam.js:11:19:11:40 | window. ... .search | clientSideParam.js:12:13:12:54 | 'https: ... + '/id' | The $@ of this request depends on $@. | clientSideParam.js:12:13:12:54 | 'https: ... + '/id' | URL | clientSideParam.js:11:19:11:40 | window. ... .search | a user-provided value |
| clientSideParam.js:14:5:14:64 | request ... search) | clientSideParam.js:14:42:14:63 | window. ... .search | clientSideParam.js:14:13:14:63 | 'https: ... .search | The $@ of this request depends on $@. | clientSideParam.js:14:13:14:63 | 'https: ... .search | URL | clientSideParam.js:14:42:14:63 | window. ... .search | a user-provided value |
| clientSideParam.js:17:5:17:58 | request ... '/id') | clientSideParam.js:16:22:16:41 | window.location.hash | clientSideParam.js:17:13:17:57 | 'https: ... + '/id' | The $@ of this request depends on $@. | clientSideParam.js:17:13:17:57 | 'https: ... + '/id' | URL | clientSideParam.js:16:22:16:41 | window.location.hash | a user-provided value |
| clientSideParam.js:21:5:21:54 | request ... '/id') | clientSideParam.js:20:18:20:28 | window.name | clientSideParam.js:21:13:21:53 | 'https: ... + '/id' | The $@ of this request depends on $@. | clientSideParam.js:21:13:21:53 | 'https: ... + '/id' | URL | clientSideParam.js:20:18:20:28 | window.name | a user-provided value |


@@ -0,0 +1 @@
Security/CWE-918/ClientSideRequestForgery.ql


@@ -7,4 +7,19 @@ export function MyComponent() {
request('https://example.com/api/' + params.foo + '/id'); // OK - cannot manipulate path using `../`
request(params.foo); // Possibly problematic, but not currently flagged.
const query = window.location.search.substring(1);
request('https://example.com/api/' + query + '/id'); // NOT OK
request('https://example.com/api?q=' + query); // OK
request('https://example.com/api/' + window.location.search); // likely OK - but currently flagged anyway
const fragment = window.location.hash.substring(1);
request('https://example.com/api/' + fragment + '/id'); // NOT OK
request('https://example.com/api?q=' + fragment); // OK
const name = window.name;
request('https://example.com/api/' + name + '/id'); // NOT OK
request('https://example.com/api?q=' + name); // OK
request(window.location.href + '?q=123'); // OK
}
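Review bot: The comment on the `request('https://example.com/api/' + window.location.search)` line says "likely OK - but currently flagged anyway", yet the new `.expected` file in this commit records it as a finding, so the test now pins a result the author considers a false positive without saying so; I would mark it explicitly, e.g. `// likely OK - but currently flagged anyway (known false positive: value still starts with '?')`, so a later precision fix knows this expectation may change. The `// OK` / `// NOT OK` pairs would also read better with the reason spelled out once, e.g. on the first `?q=` line `// OK - value only reaches the query string, so host and path are fixed`, since the distinction (the `.substring(1)` calls strip the leading `?`/`#`, letting the value become a path segment) is what the query is meant to capture. The enclosing `MyComponent` starts outside the hunk, and the header counts 19 new-side lines while fewer are shown, so some lines (presumably blank) are not visible here.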