hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-25 00:35:20 +02:00
Code Issues Packages Projects Releases Wiki Activity

JS: Port experimental queries

Browse Source
This commit is contained in:
Asger F
2023-10-04 21:19:46 +02:00
parent aa5a2836f5
commit 449ec72dbe
16 changed files with 133 additions and 194 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
javascript/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/TaintedPathATM.qll
View File

@@ -53,11 +53,17 @@ class TaintedPathAtmConfig extends AtmConfig {
*/
private class BarrierGuardNodeAsSanitizerGuardNode extends TaintTracking::LabeledSanitizerGuardNode instanceof TaintedPath::BarrierGuardNode
{
override predicate sanitizes(boolean outcome, Expr e) {
override predicate sanitizes(boolean outcome, Expr e) { this.blocksExpr(outcome, e) }
predicate blocksExpr(boolean outcome, Expr e) {
this.blocks(outcome, e) or this.blocks(outcome, e, _)
}
override predicate sanitizes(boolean outcome, Expr e, DataFlow::FlowLabel label) {
override predicate sanitizes(boolean outcome, Expr e, DataFlow::FlowLabel lbl) {
this.blocksExpr(outcome, e, lbl)
}
predicate blocksExpr(boolean outcome, Expr e, DataFlow::FlowLabel label) {
this.sanitizes(outcome, e) and exists(label)
}
}

4
javascript/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/XssThroughDomATM.qll
View File

@@ -59,7 +59,9 @@ class TypeTestGuard extends TaintTracking::SanitizerGuardNode, DataFlow::ValueNo
)
}
override predicate sanitizes(boolean outcome, Expr e) {
override predicate sanitizes(boolean outcome, Expr e) { this.blocksExpr(outcome, e) }
predicate blocksExpr(boolean outcome, Expr e) {
polarity = outcome and
e = operand
}

17
javascript/ql/src/experimental/Security/CWE-340/TokenBuiltFromUUID.ql
View File

@@ -14,7 +14,6 @@
import javascript
import DataFlow
import DataFlow::PathGraph
class PredictableResultSource extends DataFlow::Node {
PredictableResultSource() {
@@ -38,14 +37,16 @@ class TokenAssignmentValueSink extends DataFlow::Node {
}
}
class TokenBuiltFromUuidConfig extends TaintTracking::Configuration {
TokenBuiltFromUuidConfig() { this = "TokenBuiltFromUuidConfig" }
module TokenBuiltFromUuidConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) { source instanceof PredictableResultSource }
override predicate isSource(DataFlow::Node source) { source instanceof PredictableResultSource }
override predicate isSink(DataFlow::Node sink) { sink instanceof TokenAssignmentValueSink }
predicate isSink(DataFlow::Node sink) { sink instanceof TokenAssignmentValueSink }
}
from DataFlow::PathNode source, DataFlow::PathNode sink, TokenBuiltFromUuidConfig config
where config.hasFlowPath(source, sink)
module TokenBuiltFromUuidFlow = TaintTracking::Global<TokenBuiltFromUuidConfig>;
import TokenBuiltFromUuidFlow::PathGraph
from TokenBuiltFromUuidFlow::PathNode source, TokenBuiltFromUuidFlow::PathNode sink
where TokenBuiltFromUuidFlow::flowPath(source, sink)
select sink.getNode(), source, sink, "Token built from $@.", source.getNode(), "predictable value"

6
javascript/ql/src/experimental/Security/CWE-918/SSRF.ql
View File

@@ -12,9 +12,9 @@
import javascript
import SSRF
import DataFlow::PathGraph
import SsrfFlow::PathGraph
from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink, DataFlow::Node request
from SsrfFlow::PathNode source, SsrfFlow::PathNode sink, DataFlow::Node request
where
cfg.hasFlowPath(source, sink) and request = sink.getNode().(RequestForgery::Sink).getARequest()
SsrfFlow::flowPath(source, sink) and request = sink.getNode().(RequestForgery::Sink).getARequest()
select sink, source, sink, "The URL of this request depends on a user-provided value."

48
javascript/ql/src/experimental/Security/CWE-918/SSRF.qll
View File

@@ -2,42 +2,48 @@ import javascript
import semmle.javascript.security.dataflow.RequestForgeryCustomizations
import semmle.javascript.security.dataflow.UrlConcatenation
class Configuration extends TaintTracking::Configuration {
Configuration() { this = "SSRF" }
module SsrfConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) { source instanceof RequestForgery::Source }
override predicate isSource(DataFlow::Node source) { source instanceof RequestForgery::Source }
predicate isSink(DataFlow::Node sink) { sink instanceof RequestForgery::Sink }
override predicate isSink(DataFlow::Node sink) { sink instanceof RequestForgery::Sink }
override predicate isSanitizer(DataFlow::Node node) {
super.isSanitizer(node) or
node instanceof RequestForgery::Sanitizer
predicate isBarrier(DataFlow::Node node) {
node instanceof RequestForgery::Sanitizer or node = Guards::getABarrierNode()
}
private predicate hasSanitizingSubstring(DataFlow::Node nd) {
nd.getStringValue().regexpMatch(".*[?#].*")
or
this.hasSanitizingSubstring(StringConcatenation::getAnOperand(nd))
hasSanitizingSubstring(StringConcatenation::getAnOperand(nd))
or
this.hasSanitizingSubstring(nd.getAPredecessor())
hasSanitizingSubstring(nd.getAPredecessor())
}
private predicate strictSanitizingPrefixEdge(DataFlow::Node source, DataFlow::Node sink) {
exists(DataFlow::Node operator, int n |
StringConcatenation::taintStep(source, sink, operator, n) and
this.hasSanitizingSubstring(StringConcatenation::getOperand(operator, [0 .. n - 1]))
hasSanitizingSubstring(StringConcatenation::getOperand(operator, [0 .. n - 1]))
)
}
override predicate isSanitizerOut(DataFlow::Node node) {
this.strictSanitizingPrefixEdge(node, _)
}
predicate isBarrierOut(DataFlow::Node node) { strictSanitizingPrefixEdge(node, _) }
override predicate isSanitizerGuard(TaintTracking::SanitizerGuardNode nd) {
private predicate isBarrierGuard(DataFlow::BarrierGuardNode nd) {
nd instanceof IntegerCheck or
nd instanceof ValidatorCheck or
nd instanceof TernaryOperatorSanitizerGuard
}
private module Guards = DataFlow::MakeLegacyBarrierGuard<isBarrierGuard/1>;
}
module SsrfFlow = TaintTracking::Global<SsrfConfig>;
/**
* DEPRECATED. Use the `SsrfFlow` module instead.
*/
deprecated class Configuration extends TaintTracking::Configuration {
Configuration() { this = "SSRF" }
}
/**
@@ -104,7 +110,9 @@ class TernaryOperatorSanitizerGuard extends TaintTracking::SanitizerGuardNode {
not this.asExpr() instanceof LogicalBinaryExpr
}
override predicate sanitizes(boolean outcome, Expr e) {
override predicate sanitizes(boolean outcome, Expr e) { this.blocksExpr(outcome, e) }
predicate blocksExpr(boolean outcome, Expr e) {
not this.asExpr() instanceof LogNotExpr and
originalGuard.sanitizes(outcome, e)
or
@@ -126,7 +134,9 @@ class TernaryOperatorSanitizerGuard extends TaintTracking::SanitizerGuardNode {
class IntegerCheck extends TaintTracking::SanitizerGuardNode, DataFlow::CallNode {
IntegerCheck() { this = DataFlow::globalVarRef("Number").getAMemberCall("isInteger") }
override predicate sanitizes(boolean outcome, Expr e) {
override predicate sanitizes(boolean outcome, Expr e) { this.blocksExpr(outcome, e) }
predicate blocksExpr(boolean outcome, Expr e) {
outcome = true and
e = this.getArgument(0).asExpr()
}
@@ -149,7 +159,9 @@ class ValidatorCheck extends TaintTracking::SanitizerGuardNode, DataFlow::CallNo
)
}
override predicate sanitizes(boolean outcome, Expr e) {
override predicate sanitizes(boolean outcome, Expr e) { this.blocksExpr(outcome, e) }
predicate blocksExpr(boolean outcome, Expr e) {
outcome = true and
e = this.getArgument(0).asExpr()
}

6
javascript/ql/src/experimental/heuristics/ql/src/Security/CWE-094/CodeInjection.ql
View File

@@ -17,10 +17,10 @@
import javascript
import semmle.javascript.security.dataflow.CodeInjectionQuery
import DataFlow::PathGraph
import CodeInjectionFlow::PathGraph
import semmle.javascript.heuristics.AdditionalSources
from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
where cfg.hasFlowPath(source, sink) and source.getNode() instanceof HeuristicSource
from CodeInjectionFlow::PathNode source, CodeInjectionFlow::PathNode sink
where CodeInjectionFlow::flowPath(source, sink) and source.getNode() instanceof HeuristicSource
select sink.getNode(), source, sink, sink.getNode().(Sink).getMessagePrefix() + " depends on a $@.",
source.getNode(), "user-provided value"

7
javascript/ql/src/experimental/heuristics/ql/src/Security/CWE-134/TaintedFormatString.ql
View File

@@ -13,10 +13,11 @@
import javascript
import semmle.javascript.security.dataflow.TaintedFormatStringQuery
import DataFlow::PathGraph
import TaintedFormatStringFlow::PathGraph
import semmle.javascript.heuristics.AdditionalSources
from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
where cfg.hasFlowPath(source, sink) and source.getNode() instanceof HeuristicSource
from TaintedFormatStringFlow::PathNode source, TaintedFormatStringFlow::PathNode sink
where
TaintedFormatStringFlow::flowPath(source, sink) and source.getNode() instanceof HeuristicSource
select sink.getNode(), source, sink, "Format string depends on a $@.", source.getNode(),
"user-provided value"

7
javascript/ql/src/experimental/heuristics/ql/src/Security/CWE-346/CorsMisconfigurationForCredentials.ql
View File

@@ -15,11 +15,12 @@
import javascript
import semmle.javascript.security.dataflow.CorsMisconfigurationForCredentialsQuery
import DataFlow::PathGraph
import semmle.javascript.heuristics.AdditionalSources
import CorsMisconfigurationFlow::PathGraph
from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
where cfg.hasFlowPath(source, sink) and source.getNode() instanceof HeuristicSource
from CorsMisconfigurationFlow::PathNode source, CorsMisconfigurationFlow::PathNode sink
where
CorsMisconfigurationFlow::flowPath(source, sink) and source.getNode() instanceof HeuristicSource
select sink.getNode(), source, sink, "$@ leak vulnerability due to a $@.",
sink.getNode().(Sink).getCredentialsHeader(), "Credential", source.getNode(),
"misconfigured CORS header value"

8
javascript/ql/src/experimental/heuristics/ql/src/Security/CWE-400/RemotePropertyInjection.ql
View File

@@ -15,10 +15,12 @@
import javascript
import semmle.javascript.security.dataflow.RemotePropertyInjectionQuery
import DataFlow::PathGraph
import RemotePropertyInjectionFlow::PathGraph
import semmle.javascript.heuristics.AdditionalSources
from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
where cfg.hasFlowPath(source, sink) and source.getNode() instanceof HeuristicSource
from RemotePropertyInjectionFlow::PathNode source, RemotePropertyInjectionFlow::PathNode sink
where
RemotePropertyInjectionFlow::flowPath(source, sink) and
source.getNode() instanceof HeuristicSource
select sink.getNode(), source, sink, sink.getNode().(Sink).getMessage() + " depends on a $@.",
source.getNode(), "user-provided value"

7
javascript/ql/src/experimental/heuristics/ql/src/Security/CWE-502/UnsafeDeserialization.ql
View File

@@ -14,10 +14,11 @@
import javascript
import semmle.javascript.security.dataflow.UnsafeDeserializationQuery
import DataFlow::PathGraph
import UnsafeDeserializationFlow::PathGraph
import semmle.javascript.heuristics.AdditionalSources
from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
where cfg.hasFlowPath(source, sink) and source.getNode() instanceof HeuristicSource
from UnsafeDeserializationFlow::PathNode source, UnsafeDeserializationFlow::PathNode sink
where
UnsafeDeserializationFlow::flowPath(source, sink) and source.getNode() instanceof HeuristicSource
select sink.getNode(), source, sink, "Unsafe deserialization depends on a $@.", source.getNode(),
"user-provided value"

6
javascript/ql/src/experimental/heuristics/ql/src/Security/CWE-611/Xxe.ql
View File

@@ -15,11 +15,11 @@
import javascript
import semmle.javascript.security.dataflow.XxeQuery
import DataFlow::PathGraph
import XxeFlow::PathGraph
import semmle.javascript.heuristics.AdditionalSources
from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
where cfg.hasFlowPath(source, sink) and source.getNode() instanceof HeuristicSource
from XxeFlow::PathNode source, XxeFlow::PathNode sink
where XxeFlow::flowPath(source, sink) and source.getNode() instanceof HeuristicSource
select sink.getNode(), source, sink,
"XML parsing depends on a $@ without guarding against external entity expansion.",
source.getNode(), "user-provided value"

6
javascript/ql/src/experimental/heuristics/ql/src/Security/CWE-643/XpathInjection.ql
View File

@@ -14,10 +14,10 @@
import javascript
import semmle.javascript.security.dataflow.XpathInjectionQuery
import DataFlow::PathGraph
import XpathInjectionFlow::PathGraph
import semmle.javascript.heuristics.AdditionalSources
from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
where cfg.hasFlowPath(source, sink) and source.getNode() instanceof HeuristicSource
from XpathInjectionFlow::PathNode source, XpathInjectionFlow::PathNode sink
where XpathInjectionFlow::flowPath(source, sink) and source.getNode() instanceof HeuristicSource
select sink.getNode(), source, sink, "XPath expression depends on a $@.", source.getNode(),
"user-provided value"

6
javascript/ql/src/experimental/heuristics/ql/src/Security/CWE-730/RegExpInjection.ql
View File

@@ -16,10 +16,10 @@
import javascript
import semmle.javascript.security.dataflow.RegExpInjectionQuery
import DataFlow::PathGraph
import RegExpInjectionFlow::PathGraph
import semmle.javascript.heuristics.AdditionalSources
from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
where cfg.hasFlowPath(source, sink) and source.getNode() instanceof HeuristicSource
from RegExpInjectionFlow::PathNode source, RegExpInjectionFlow::PathNode sink
where RegExpInjectionFlow::flowPath(source, sink) and source.getNode() instanceof HeuristicSource
select sink.getNode(), source, sink, "This regular expression is constructed from a $@.",
source.getNode(), "user-provided value"

6
javascript/ql/src/experimental/heuristics/ql/src/Security/CWE-776/XmlBomb.ql
View File

@@ -15,11 +15,11 @@
import javascript
import semmle.javascript.security.dataflow.XmlBombQuery
import DataFlow::PathGraph
import XmlBombFlow::PathGraph
import semmle.javascript.heuristics.AdditionalSources
from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
where cfg.hasFlowPath(source, sink) and source.getNode() instanceof HeuristicSource
from XmlBombFlow::PathNode source, XmlBombFlow::PathNode sink
where XmlBombFlow::flowPath(source, sink) and source.getNode() instanceof HeuristicSource
select sink.getNode(), source, sink,
"XML parsing depends on a $@ without guarding against uncontrolled entity expansion.",
source.getNode(), "user-provided value"

9
javascript/ql/src/experimental/heuristics/ql/src/Security/CWE-915/PrototypePollutingAssignment.ql
View File

@@ -20,11 +20,14 @@
import javascript
import semmle.javascript.security.dataflow.PrototypePollutingAssignmentQuery
import DataFlow::PathGraph
import PrototypePollutingAssignmentFlow::PathGraph
import semmle.javascript.heuristics.AdditionalSources
from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
where cfg.hasFlowPath(source, sink) and source.getNode() instanceof HeuristicSource
from
PrototypePollutingAssignmentFlow::PathNode source, PrototypePollutingAssignmentFlow::PathNode sink
where
PrototypePollutingAssignmentFlow::flowPath(source, sink) and
source.getNode() instanceof HeuristicSource
select sink, source, sink,
"This assignment may alter Object.prototype if a malicious '__proto__' string is injected from $@.",
source.getNode(), source.getNode().(Source).describe()

174
javascript/ql/test/experimental/Security/CWE-918/SSRF.expected
View File

@@ -1,157 +1,67 @@
nodes
| check-domain.js:16:9:16:27 | url |
| check-domain.js:16:15:16:27 | req.query.url |
| check-domain.js:16:15:16:27 | req.query.url |
| check-domain.js:17:13:17:15 | url |
| check-domain.js:17:13:17:15 | url |
| check-domain.js:26:15:26:27 | req.query.url |
| check-domain.js:26:15:26:27 | req.query.url |
| check-domain.js:26:15:26:27 | req.query.url |
| check-middleware.js:9:13:9:43 | "test.c ... tainted |
| check-middleware.js:9:13:9:43 | "test.c ... tainted |
| check-middleware.js:9:27:9:43 | req.query.tainted |
| check-middleware.js:9:27:9:43 | req.query.tainted |
| check-path.js:19:13:19:43 | 'test.c ... tainted |
| check-path.js:19:13:19:43 | 'test.c ... tainted |
| check-path.js:19:27:19:43 | req.query.tainted |
| check-path.js:19:27:19:43 | req.query.tainted |
| check-path.js:23:13:23:45 | `/addre ... inted}` |
| check-path.js:23:13:23:45 | `/addre ... inted}` |
| check-path.js:23:27:23:43 | req.query.tainted |
| check-path.js:23:27:23:43 | req.query.tainted |
| check-path.js:33:15:33:45 | 'test.c ... tainted |
| check-path.js:33:15:33:45 | 'test.c ... tainted |
| check-path.js:33:29:33:45 | req.query.tainted |
| check-path.js:33:29:33:45 | req.query.tainted |
| check-path.js:37:15:37:45 | 'test.c ... tainted |
| check-path.js:37:15:37:45 | 'test.c ... tainted |
| check-path.js:37:29:37:45 | req.query.tainted |
| check-path.js:37:29:37:45 | req.query.tainted |
| check-path.js:45:13:45:44 | `${base ... inted}` |
| check-path.js:45:13:45:44 | `${base ... inted}` |
| check-path.js:45:26:45:42 | req.query.tainted |
| check-path.js:45:26:45:42 | req.query.tainted |
| check-regex.js:16:15:16:45 | "test.c ... tainted |
| check-regex.js:16:15:16:45 | "test.c ... tainted |
| check-regex.js:16:29:16:45 | req.query.tainted |
| check-regex.js:16:29:16:45 | req.query.tainted |
| check-regex.js:24:15:24:42 | baseURL ... tainted |
| check-regex.js:24:15:24:42 | baseURL ... tainted |
| check-regex.js:24:25:24:42 | req.params.tainted |
| check-regex.js:24:25:24:42 | req.params.tainted |
| check-regex.js:31:15:31:45 | "test.c ... tainted |
| check-regex.js:31:15:31:45 | "test.c ... tainted |
| check-regex.js:31:29:31:45 | req.query.tainted |
| check-regex.js:31:29:31:45 | req.query.tainted |
| check-regex.js:34:15:34:42 | baseURL ... tainted |
| check-regex.js:34:15:34:42 | baseURL ... tainted |
| check-regex.js:34:25:34:42 | req.params.tainted |
| check-regex.js:34:25:34:42 | req.params.tainted |
| check-regex.js:41:13:41:43 | "test.c ... tainted |
| check-regex.js:41:13:41:43 | "test.c ... tainted |
| check-regex.js:41:27:41:43 | req.query.tainted |
| check-regex.js:41:27:41:43 | req.query.tainted |
| check-validator.js:15:15:15:45 | "test.c ... tainted |
| check-validator.js:15:15:15:45 | "test.c ... tainted |
| check-validator.js:15:29:15:45 | req.query.tainted |
| check-validator.js:15:29:15:45 | req.query.tainted |
| check-validator.js:27:15:27:45 | "test.c ... tainted |
| check-validator.js:27:15:27:45 | "test.c ... tainted |
| check-validator.js:27:29:27:45 | req.query.tainted |
| check-validator.js:27:29:27:45 | req.query.tainted |
| check-validator.js:50:15:50:45 | "test.c ... tainted |
| check-validator.js:50:15:50:45 | "test.c ... tainted |
| check-validator.js:50:29:50:45 | req.query.tainted |
| check-validator.js:50:29:50:45 | req.query.tainted |
| check-validator.js:54:9:54:37 | numberURL |
| check-validator.js:54:21:54:37 | req.query.tainted |
| check-validator.js:54:21:54:37 | req.query.tainted |
| check-validator.js:59:15:59:45 | "test.c ... tainted |
| check-validator.js:59:15:59:45 | "test.c ... tainted |
| check-validator.js:59:29:59:45 | req.query.tainted |
| check-validator.js:59:29:59:45 | req.query.tainted |
| check-validator.js:62:15:62:37 | "test.c ... mberURL |
| check-validator.js:62:15:62:37 | "test.c ... mberURL |
| check-validator.js:62:29:62:37 | numberURL |
| check-validator.js:68:15:68:45 | "test.c ... tainted |
| check-validator.js:68:15:68:45 | "test.c ... tainted |
| check-validator.js:68:29:68:45 | req.query.tainted |
| check-validator.js:68:29:68:45 | req.query.tainted |
edges
| check-domain.js:16:9:16:27 | url | check-domain.js:17:13:17:15 | url |
| check-domain.js:16:9:16:27 | url | check-domain.js:17:13:17:15 | url |
| check-domain.js:16:15:16:27 | req.query.url | check-domain.js:16:9:16:27 | url |
| check-domain.js:16:15:16:27 | req.query.url | check-domain.js:16:9:16:27 | url |
| check-domain.js:26:15:26:27 | req.query.url | check-domain.js:26:15:26:27 | req.query.url |
| check-middleware.js:9:27:9:43 | req.query.tainted | check-middleware.js:9:13:9:43 | "test.c ... tainted |
| check-middleware.js:9:27:9:43 | req.query.tainted | check-middleware.js:9:13:9:43 | "test.c ... tainted |
| check-middleware.js:9:27:9:43 | req.query.tainted | check-middleware.js:9:13:9:43 | "test.c ... tainted |
| check-middleware.js:9:27:9:43 | req.query.tainted | check-middleware.js:9:13:9:43 | "test.c ... tainted |
| check-path.js:19:27:19:43 | req.query.tainted | check-path.js:19:13:19:43 | 'test.c ... tainted |
| check-path.js:19:27:19:43 | req.query.tainted | check-path.js:19:13:19:43 | 'test.c ... tainted |
| check-path.js:19:27:19:43 | req.query.tainted | check-path.js:19:13:19:43 | 'test.c ... tainted |
| check-path.js:19:27:19:43 | req.query.tainted | check-path.js:19:13:19:43 | 'test.c ... tainted |
| check-path.js:23:27:23:43 | req.query.tainted | check-path.js:23:13:23:45 | `/addre ... inted}` |
| check-path.js:23:27:23:43 | req.query.tainted | check-path.js:23:13:23:45 | `/addre ... inted}` |
| check-path.js:23:27:23:43 | req.query.tainted | check-path.js:23:13:23:45 | `/addre ... inted}` |
| check-path.js:23:27:23:43 | req.query.tainted | check-path.js:23:13:23:45 | `/addre ... inted}` |
| check-path.js:33:29:33:45 | req.query.tainted | check-path.js:33:15:33:45 | 'test.c ... tainted |
| check-path.js:33:29:33:45 | req.query.tainted | check-path.js:33:15:33:45 | 'test.c ... tainted |
| check-path.js:33:29:33:45 | req.query.tainted | check-path.js:33:15:33:45 | 'test.c ... tainted |
| check-path.js:33:29:33:45 | req.query.tainted | check-path.js:33:15:33:45 | 'test.c ... tainted |
| check-path.js:37:29:37:45 | req.query.tainted | check-path.js:37:15:37:45 | 'test.c ... tainted |
| check-path.js:37:29:37:45 | req.query.tainted | check-path.js:37:15:37:45 | 'test.c ... tainted |
| check-path.js:37:29:37:45 | req.query.tainted | check-path.js:37:15:37:45 | 'test.c ... tainted |
| check-path.js:37:29:37:45 | req.query.tainted | check-path.js:37:15:37:45 | 'test.c ... tainted |
| check-path.js:45:26:45:42 | req.query.tainted | check-path.js:45:13:45:44 | `${base ... inted}` |
| check-path.js:45:26:45:42 | req.query.tainted | check-path.js:45:13:45:44 | `${base ... inted}` |
| check-path.js:45:26:45:42 | req.query.tainted | check-path.js:45:13:45:44 | `${base ... inted}` |
| check-path.js:45:26:45:42 | req.query.tainted | check-path.js:45:13:45:44 | `${base ... inted}` |
| check-regex.js:16:29:16:45 | req.query.tainted | check-regex.js:16:15:16:45 | "test.c ... tainted |
| check-regex.js:16:29:16:45 | req.query.tainted | check-regex.js:16:15:16:45 | "test.c ... tainted |
| check-regex.js:16:29:16:45 | req.query.tainted | check-regex.js:16:15:16:45 | "test.c ... tainted |
| check-regex.js:16:29:16:45 | req.query.tainted | check-regex.js:16:15:16:45 | "test.c ... tainted |
| check-regex.js:24:25:24:42 | req.params.tainted | check-regex.js:24:15:24:42 | baseURL ... tainted |
| check-regex.js:24:25:24:42 | req.params.tainted | check-regex.js:24:15:24:42 | baseURL ... tainted |
| check-regex.js:24:25:24:42 | req.params.tainted | check-regex.js:24:15:24:42 | baseURL ... tainted |
| check-regex.js:24:25:24:42 | req.params.tainted | check-regex.js:24:15:24:42 | baseURL ... tainted |
| check-regex.js:31:29:31:45 | req.query.tainted | check-regex.js:31:15:31:45 | "test.c ... tainted |
| check-regex.js:31:29:31:45 | req.query.tainted | check-regex.js:31:15:31:45 | "test.c ... tainted |
| check-regex.js:31:29:31:45 | req.query.tainted | check-regex.js:31:15:31:45 | "test.c ... tainted |
| check-regex.js:31:29:31:45 | req.query.tainted | check-regex.js:31:15:31:45 | "test.c ... tainted |
| check-regex.js:34:25:34:42 | req.params.tainted | check-regex.js:34:15:34:42 | baseURL ... tainted |
| check-regex.js:34:25:34:42 | req.params.tainted | check-regex.js:34:15:34:42 | baseURL ... tainted |
| check-regex.js:34:25:34:42 | req.params.tainted | check-regex.js:34:15:34:42 | baseURL ... tainted |
| check-regex.js:34:25:34:42 | req.params.tainted | check-regex.js:34:15:34:42 | baseURL ... tainted |
| check-regex.js:41:27:41:43 | req.query.tainted | check-regex.js:41:13:41:43 | "test.c ... tainted |
| check-regex.js:41:27:41:43 | req.query.tainted | check-regex.js:41:13:41:43 | "test.c ... tainted |
| check-regex.js:41:27:41:43 | req.query.tainted | check-regex.js:41:13:41:43 | "test.c ... tainted |
| check-regex.js:41:27:41:43 | req.query.tainted | check-regex.js:41:13:41:43 | "test.c ... tainted |
| check-validator.js:15:29:15:45 | req.query.tainted | check-validator.js:15:15:15:45 | "test.c ... tainted |
| check-validator.js:15:29:15:45 | req.query.tainted | check-validator.js:15:15:15:45 | "test.c ... tainted |
| check-validator.js:15:29:15:45 | req.query.tainted | check-validator.js:15:15:15:45 | "test.c ... tainted |
| check-validator.js:15:29:15:45 | req.query.tainted | check-validator.js:15:15:15:45 | "test.c ... tainted |
| check-validator.js:27:29:27:45 | req.query.tainted | check-validator.js:27:15:27:45 | "test.c ... tainted |
| check-validator.js:27:29:27:45 | req.query.tainted | check-validator.js:27:15:27:45 | "test.c ... tainted |
| check-validator.js:27:29:27:45 | req.query.tainted | check-validator.js:27:15:27:45 | "test.c ... tainted |
| check-validator.js:27:29:27:45 | req.query.tainted | check-validator.js:27:15:27:45 | "test.c ... tainted |
| check-validator.js:50:29:50:45 | req.query.tainted | check-validator.js:50:15:50:45 | "test.c ... tainted |
| check-validator.js:50:29:50:45 | req.query.tainted | check-validator.js:50:15:50:45 | "test.c ... tainted |
| check-validator.js:50:29:50:45 | req.query.tainted | check-validator.js:50:15:50:45 | "test.c ... tainted |
| check-validator.js:50:29:50:45 | req.query.tainted | check-validator.js:50:15:50:45 | "test.c ... tainted |
| check-validator.js:54:9:54:37 | numberURL | check-validator.js:62:29:62:37 | numberURL |
| check-validator.js:54:21:54:37 | req.query.tainted | check-validator.js:54:9:54:37 | numberURL |
| check-validator.js:54:21:54:37 | req.query.tainted | check-validator.js:54:9:54:37 | numberURL |
| check-validator.js:59:29:59:45 | req.query.tainted | check-validator.js:59:15:59:45 | "test.c ... tainted |
| check-validator.js:59:29:59:45 | req.query.tainted | check-validator.js:59:15:59:45 | "test.c ... tainted |
| check-validator.js:59:29:59:45 | req.query.tainted | check-validator.js:59:15:59:45 | "test.c ... tainted |
| check-validator.js:59:29:59:45 | req.query.tainted | check-validator.js:59:15:59:45 | "test.c ... tainted |
| check-validator.js:62:29:62:37 | numberURL | check-validator.js:62:15:62:37 | "test.c ... mberURL |
| check-validator.js:62:29:62:37 | numberURL | check-validator.js:62:15:62:37 | "test.c ... mberURL |
| check-validator.js:68:29:68:45 | req.query.tainted | check-validator.js:68:15:68:45 | "test.c ... tainted |
| check-validator.js:68:29:68:45 | req.query.tainted | check-validator.js:68:15:68:45 | "test.c ... tainted |
| check-validator.js:68:29:68:45 | req.query.tainted | check-validator.js:68:15:68:45 | "test.c ... tainted |
| check-validator.js:68:29:68:45 | req.query.tainted | check-validator.js:68:15:68:45 | "test.c ... tainted |
nodes
| check-domain.js:16:9:16:27 | url | semmle.label | url |
| check-domain.js:16:15:16:27 | req.query.url | semmle.label | req.query.url |
| check-domain.js:17:13:17:15 | url | semmle.label | url |
| check-domain.js:26:15:26:27 | req.query.url | semmle.label | req.query.url |
| check-middleware.js:9:13:9:43 | "test.c ... tainted | semmle.label | "test.c ... tainted |
| check-middleware.js:9:27:9:43 | req.query.tainted | semmle.label | req.query.tainted |
| check-path.js:19:13:19:43 | 'test.c ... tainted | semmle.label | 'test.c ... tainted |
| check-path.js:19:27:19:43 | req.query.tainted | semmle.label | req.query.tainted |
| check-path.js:23:13:23:45 | `/addre ... inted}` | semmle.label | `/addre ... inted}` |
| check-path.js:23:27:23:43 | req.query.tainted | semmle.label | req.query.tainted |
| check-path.js:33:15:33:45 | 'test.c ... tainted | semmle.label | 'test.c ... tainted |
| check-path.js:33:29:33:45 | req.query.tainted | semmle.label | req.query.tainted |
| check-path.js:37:15:37:45 | 'test.c ... tainted | semmle.label | 'test.c ... tainted |
| check-path.js:37:29:37:45 | req.query.tainted | semmle.label | req.query.tainted |
| check-path.js:45:13:45:44 | `${base ... inted}` | semmle.label | `${base ... inted}` |
| check-path.js:45:26:45:42 | req.query.tainted | semmle.label | req.query.tainted |
| check-regex.js:16:15:16:45 | "test.c ... tainted | semmle.label | "test.c ... tainted |
| check-regex.js:16:29:16:45 | req.query.tainted | semmle.label | req.query.tainted |
| check-regex.js:24:15:24:42 | baseURL ... tainted | semmle.label | baseURL ... tainted |
| check-regex.js:24:25:24:42 | req.params.tainted | semmle.label | req.params.tainted |
| check-regex.js:31:15:31:45 | "test.c ... tainted | semmle.label | "test.c ... tainted |
| check-regex.js:31:29:31:45 | req.query.tainted | semmle.label | req.query.tainted |
| check-regex.js:34:15:34:42 | baseURL ... tainted | semmle.label | baseURL ... tainted |
| check-regex.js:34:25:34:42 | req.params.tainted | semmle.label | req.params.tainted |
| check-regex.js:41:13:41:43 | "test.c ... tainted | semmle.label | "test.c ... tainted |
| check-regex.js:41:27:41:43 | req.query.tainted | semmle.label | req.query.tainted |
| check-validator.js:15:15:15:45 | "test.c ... tainted | semmle.label | "test.c ... tainted |
| check-validator.js:15:29:15:45 | req.query.tainted | semmle.label | req.query.tainted |
| check-validator.js:27:15:27:45 | "test.c ... tainted | semmle.label | "test.c ... tainted |
| check-validator.js:27:29:27:45 | req.query.tainted | semmle.label | req.query.tainted |
| check-validator.js:50:15:50:45 | "test.c ... tainted | semmle.label | "test.c ... tainted |
| check-validator.js:50:29:50:45 | req.query.tainted | semmle.label | req.query.tainted |
| check-validator.js:54:9:54:37 | numberURL | semmle.label | numberURL |
| check-validator.js:54:21:54:37 | req.query.tainted | semmle.label | req.query.tainted |
| check-validator.js:59:15:59:45 | "test.c ... tainted | semmle.label | "test.c ... tainted |
| check-validator.js:59:29:59:45 | req.query.tainted | semmle.label | req.query.tainted |
| check-validator.js:62:15:62:37 | "test.c ... mberURL | semmle.label | "test.c ... mberURL |
| check-validator.js:62:29:62:37 | numberURL | semmle.label | numberURL |
| check-validator.js:68:15:68:45 | "test.c ... tainted | semmle.label | "test.c ... tainted |
| check-validator.js:68:29:68:45 | req.query.tainted | semmle.label | req.query.tainted |
subpaths
#select
| check-domain.js:17:13:17:15 | url | check-domain.js:16:15:16:27 | req.query.url | check-domain.js:17:13:17:15 | url | The URL of this request depends on a user-provided value. |
| check-domain.js:26:15:26:27 | req.query.url | check-domain.js:26:15:26:27 | req.query.url | check-domain.js:26:15:26:27 | req.query.url | The URL of this request depends on a user-provided value. |