JS: Accept to web socket-based SSRF alerts

2026-04-25 08:45:14 +02:00 · 2025-02-25 16:52:45 +01:00
parent 764eb98809
commit 4d7cbe6f60
1 changed files with 2 additions and 2 deletions
--- a/javascript/ql/test/query-tests/Security/CWE-918/serverSide.js
+++ b/javascript/ql/test/query-tests/Security/CWE-918/serverSide.js
@@ -106,7 +106,7 @@ import * as ws from 'ws';
 new ws.Server({ port: 8080 }).on('connection', function(socket, request) {
  socket.on('message', function(message) {
    const url = request.url;
-    const socket = new ws(url);
+    const socket = new ws(url); // $ Alert[js/request-forgery]
  });
 });

@@ -114,7 +114,7 @@ new ws.Server({ port: 8080 }).on('connection', function (socket, request) {
  socket.on('message', function (message) {
    const url = new URL(request.url, base);
    const target = new URL(url.pathname, base);
-    const socket = new ws(url);
+    const socket = new ws(url); // $ Alert[js/request-forgery]
  });
 });