add js/sensitive-get-query query

2026-05-05 05:35:13 +02:00 · 2021-11-04 12:30:44 +01:00
parent 061fc16730
commit 4ba5ae09b0
7 changed files with 120 additions and 0 deletions
--- a/javascript/ql/test/query-tests/Security/CWE-598/SensitiveGetQuery.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-598/SensitiveGetQuery.expected
@@ -0,0 +1 @@
+| tst.js:8:22:8:39 | req.query.password | $@ for GET requests uses query parameter as sensitive data. | tst.js:6:19:14:1 | (req, r ... serId\\n} | Route handler |
--- a/javascript/ql/test/query-tests/Security/CWE-598/SensitiveGetQuery.qlref
+++ b/javascript/ql/test/query-tests/Security/CWE-598/SensitiveGetQuery.qlref
@@ -0,0 +1 @@
+Security/CWE-598/SensitiveGetQuery.ql
--- a/javascript/ql/test/query-tests/Security/CWE-598/tst.js
+++ b/javascript/ql/test/query-tests/Security/CWE-598/tst.js
@@ -0,0 +1,22 @@
+const express = require('express');
+const app = express();
+const bodyParser = require('body-parser');
+app.use(bodyParser.urlencoded({extended: true}));
+
+app.get("/login", (req, res) => {
+    const username = req.query.username; // OK - usernames are fine
+    const password = req.query.password; // NOT OK - password read
+    checkUser(username, password, (result) => {
+        res.send(result);
+    });
+
+    doThing(req.query.userId); // OK - userId
+});
+
+app.post("/login", (req, res) => {
+    const username = req.body.username; // OK - usernames are fine
+    const password = req.body.password; // OK - not a query parameter
+    checkUser(username, password, (result) => {
+        res.send(result);
+    });
+});
				`@@ -0,0 +1 @@`
				`\| tst.js:8:22:8:39 \| req.query.password \| $@ for GET requests uses query parameter as sensitive data. \| tst.js:6:19:14:1 \| (req, r ... serId\\n} \| Route handler \|`