JS: use StringConcatenation library in ConcatSanitizer

This commit is contained in:
Asger F
2018-11-20 18:12:07 +00:00
parent 1c06f45046
commit 49cd2876c9
4 changed files with 13 additions and 18 deletions


@@ -10,14 +10,14 @@ nodes
| tst.js:6:9:6:28 | window[message.name] |
| tst.js:6:16:6:22 | message |
| tst.js:6:16:6:27 | message.name |
| tst.js:10:5:10:19 | f[message.name] |
| tst.js:10:7:10:13 | message |
| tst.js:10:7:10:18 | message.name |
| tst.js:11:5:11:19 | f[message.name] |
| tst.js:11:7:11:13 | message |
| tst.js:11:7:11:18 | message.name |
edges
| tst.js:3:37:3:38 | ev | tst.js:4:30:4:31 | ev |
| tst.js:4:9:4:37 | message | tst.js:5:12:5:18 | message |
| tst.js:4:9:4:37 | message | tst.js:6:16:6:22 | message |
| tst.js:4:9:4:37 | message | tst.js:10:7:10:13 | message |
| tst.js:4:9:4:37 | message | tst.js:11:7:11:13 | message |
| tst.js:4:19:4:37 | JSON.parse(ev.data) | tst.js:4:9:4:37 | message |
| tst.js:4:30:4:31 | ev | tst.js:4:30:4:36 | ev.data |
| tst.js:4:30:4:36 | ev.data | tst.js:4:19:4:37 | JSON.parse(ev.data) |
@@ -25,9 +25,9 @@ edges
| tst.js:5:12:5:23 | message.name | tst.js:5:5:5:24 | window[message.name] |
| tst.js:6:16:6:22 | message | tst.js:6:16:6:27 | message.name |
| tst.js:6:16:6:27 | message.name | tst.js:6:9:6:28 | window[message.name] |
| tst.js:10:7:10:13 | message | tst.js:10:7:10:18 | message.name |
| tst.js:10:7:10:18 | message.name | tst.js:10:5:10:19 | f[message.name] |
| tst.js:11:7:11:13 | message | tst.js:11:7:11:18 | message.name |
| tst.js:11:7:11:18 | message.name | tst.js:11:5:11:19 | f[message.name] |
#select
| tst.js:5:5:5:24 | window[message.name] | tst.js:3:37:3:38 | ev | tst.js:5:5:5:24 | window[message.name] | Invocation of method derived from $@ may lead to remote code execution. | tst.js:3:37:3:38 | ev | user-controlled value |
| tst.js:6:9:6:28 | window[message.name] | tst.js:3:37:3:38 | ev | tst.js:6:9:6:28 | window[message.name] | Invocation of method derived from $@ may lead to remote code execution. | tst.js:3:37:3:38 | ev | user-controlled value |
| tst.js:10:5:10:19 | f[message.name] | tst.js:3:37:3:38 | ev | tst.js:10:5:10:19 | f[message.name] | Invocation of method derived from $@ may lead to remote code execution. | tst.js:3:37:3:38 | ev | user-controlled value |
| tst.js:11:5:11:19 | f[message.name] | tst.js:3:37:3:38 | ev | tst.js:11:5:11:19 | f[message.name] | Invocation of method derived from $@ may lead to remote code execution. | tst.js:3:37:3:38 | ev | user-controlled value |


@@ -5,6 +5,7 @@ window.addEventListener('message', (ev) => {
window[message.name](message.payload); // NOT OK - may invoke eval
new window[message.name](message.payload); // NOT OK - may invoke jQuery $ function or similar
window["HTMLElement" + message.name](message.payload); // OK - concatenation restricts choice of methods
window[`HTMLElement${message.name}`](message.payload); // OK - concatenation restricts choice of methods
function f() {}
f[message.name](message.payload)(); // NOT OK - may acccess Function constructor