Merge pull request #14293 from am0o0/amammad-js-CodeInjection_dynamic_import

JS: Dynamic import as code injection sink
2026-04-26 01:05:15 +02:00 · 2024-06-20 21:19:57 +02:00
parent 60ed51781e bb03a9faba
commit 555d7e5958
7 changed files with 231 additions and 0 deletions
--- a/javascript/ql/test/experimental/Security/CWE-094-dataURL/CodeInjection.expected
+++ b/javascript/ql/test/experimental/Security/CWE-094-dataURL/CodeInjection.expected
@@ -0,0 +1,51 @@
+nodes
+| test.js:5:11:5:44 | payload |
+| test.js:5:21:5:44 | req.que ... rameter |
+| test.js:5:21:5:44 | req.que ... rameter |
+| test.js:6:9:6:43 | payloadURL |
+| test.js:6:22:6:43 | new URL ...  + sth) |
+| test.js:6:30:6:36 | payload |
+| test.js:6:30:6:42 | payload + sth |
+| test.js:7:16:7:25 | payloadURL |
+| test.js:7:16:7:25 | payloadURL |
+| test.js:9:5:9:39 | payloadURL |
+| test.js:9:18:9:39 | new URL ...  + sth) |
+| test.js:9:26:9:32 | payload |
+| test.js:9:26:9:38 | payload + sth |
+| test.js:10:16:10:25 | payloadURL |
+| test.js:10:16:10:25 | payloadURL |
+| test.js:17:11:17:44 | payload |
+| test.js:17:21:17:44 | req.que ... rameter |
+| test.js:17:21:17:44 | req.que ... rameter |
+| test.js:18:18:18:24 | payload |
+| test.js:18:18:18:24 | payload |
+| test.js:19:18:19:24 | payload |
+| test.js:19:18:19:30 | payload + sth |
+| test.js:19:18:19:30 | payload + sth |
+edges
+| test.js:5:11:5:44 | payload | test.js:6:30:6:36 | payload |
+| test.js:5:11:5:44 | payload | test.js:9:26:9:32 | payload |
+| test.js:5:21:5:44 | req.que ... rameter | test.js:5:11:5:44 | payload |
+| test.js:5:21:5:44 | req.que ... rameter | test.js:5:11:5:44 | payload |
+| test.js:6:9:6:43 | payloadURL | test.js:7:16:7:25 | payloadURL |
+| test.js:6:9:6:43 | payloadURL | test.js:7:16:7:25 | payloadURL |
+| test.js:6:22:6:43 | new URL ...  + sth) | test.js:6:9:6:43 | payloadURL |
+| test.js:6:30:6:36 | payload | test.js:6:30:6:42 | payload + sth |
+| test.js:6:30:6:42 | payload + sth | test.js:6:22:6:43 | new URL ...  + sth) |
+| test.js:9:5:9:39 | payloadURL | test.js:10:16:10:25 | payloadURL |
+| test.js:9:5:9:39 | payloadURL | test.js:10:16:10:25 | payloadURL |
+| test.js:9:18:9:39 | new URL ...  + sth) | test.js:9:5:9:39 | payloadURL |
+| test.js:9:26:9:32 | payload | test.js:9:26:9:38 | payload + sth |
+| test.js:9:26:9:38 | payload + sth | test.js:9:18:9:39 | new URL ...  + sth) |
+| test.js:17:11:17:44 | payload | test.js:18:18:18:24 | payload |
+| test.js:17:11:17:44 | payload | test.js:18:18:18:24 | payload |
+| test.js:17:11:17:44 | payload | test.js:19:18:19:24 | payload |
+| test.js:17:21:17:44 | req.que ... rameter | test.js:17:11:17:44 | payload |
+| test.js:17:21:17:44 | req.que ... rameter | test.js:17:11:17:44 | payload |
+| test.js:19:18:19:24 | payload | test.js:19:18:19:30 | payload + sth |
+| test.js:19:18:19:24 | payload | test.js:19:18:19:30 | payload + sth |
+#select
+| test.js:7:16:7:25 | payloadURL | test.js:5:21:5:44 | req.que ... rameter | test.js:7:16:7:25 | payloadURL | This command line depends on a $@. | test.js:5:21:5:44 | req.que ... rameter | user-provided value |
+| test.js:10:16:10:25 | payloadURL | test.js:5:21:5:44 | req.que ... rameter | test.js:10:16:10:25 | payloadURL | This command line depends on a $@. | test.js:5:21:5:44 | req.que ... rameter | user-provided value |
+| test.js:18:18:18:24 | payload | test.js:17:21:17:44 | req.que ... rameter | test.js:18:18:18:24 | payload | This command line depends on a $@. | test.js:17:21:17:44 | req.que ... rameter | user-provided value |
+| test.js:19:18:19:30 | payload + sth | test.js:17:21:17:44 | req.que ... rameter | test.js:19:18:19:30 | payload + sth | This command line depends on a $@. | test.js:17:21:17:44 | req.que ... rameter | user-provided value |
--- a/javascript/ql/test/experimental/Security/CWE-094-dataURL/CodeInjection.qlref
+++ b/javascript/ql/test/experimental/Security/CWE-094-dataURL/CodeInjection.qlref
@@ -0,0 +1 @@
+experimental/Security/CWE-094-dataURL/CodeInjection.ql
--- a/javascript/ql/test/experimental/Security/CWE-094-dataURL/test.js
+++ b/javascript/ql/test/experimental/Security/CWE-094-dataURL/test.js
@@ -0,0 +1,22 @@
+const { Worker } = require('node:worker_threads');
+var app = require('express')();
+
+app.post('/path', async function (req, res) {
+    const payload = req.query.queryParameter // like:  payload = 'data:text/javascript,console.log("hello!");//'
+    let payloadURL = new URL(payload + sth) // NOT OK
+    new Worker(payloadURL);
+
+    payloadURL = new URL(payload + sth) // NOT OK
+    new Worker(payloadURL);
+
+    payloadURL = new URL(sth + payload) // OK
+    new Worker(payloadURL);
+});
+
+app.post('/path2', async function (req, res) {
+    const payload = req.query.queryParameter // like:  payload = 'data:text/javascript,console.log("hello!");//'
+    await import(payload) // NOT OK
+    await import(payload + sth) // NOT OK
+    await import(sth + payload) // OK
+});
+
				`@@ -0,0 +1 @@`
				`experimental/Security/CWE-094-dataURL/CodeInjection.ql`