hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-28 18:25:24 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge remote-tracking branch 'upstream/master' into mergeback-2018-10-17

Browse Source
This commit is contained in:
Tom Hvitved
2018-10-17 13:24:37 +02:00
parent f2663d43aa 1da873e819
commit 58a0815033
753 changed files with 30532 additions and 25013 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
javascript/ql/test/query-tests/Security/CWE-089/SqlInjection.expected
View File

@@ -1,6 +1,18 @@
| mongodb.js:18:16:18:20 | query | This query depends on $@. | mongodb.js:13:19:13:26 | req.body | a user-provided value |
| mongodb.js:39:16:39:20 | query | This query depends on $@. | mongodb.js:34:19:34:33 | req.query.title | a user-provided value |
| mongoose.js:24:19:24:23 | query | This query depends on $@. | mongoose.js:21:19:21:26 | req.body | a user-provided value |
| mongoose.js:27:20:27:24 | query | This query depends on $@. | mongoose.js:21:19:21:26 | req.body | a user-provided value |
| mongoose.js:30:25:30:29 | query | This query depends on $@. | mongoose.js:21:19:21:26 | req.body | a user-provided value |
| mongoose.js:33:24:33:28 | query | This query depends on $@. | mongoose.js:21:19:21:26 | req.body | a user-provided value |
| mongoose.js:36:31:36:35 | query | This query depends on $@. | mongoose.js:21:19:21:26 | req.body | a user-provided value |
| mongoose.js:39:19:39:23 | query | This query depends on $@. | mongoose.js:21:19:21:26 | req.body | a user-provided value |
| mongoose.js:42:22:42:26 | query | This query depends on $@. | mongoose.js:21:19:21:26 | req.body | a user-provided value |
| mongoose.js:45:31:45:35 | query | This query depends on $@. | mongoose.js:21:19:21:26 | req.body | a user-provided value |
| mongoose.js:48:31:48:35 | query | This query depends on $@. | mongoose.js:21:19:21:26 | req.body | a user-provided value |
| mongoose.js:51:31:51:35 | query | This query depends on $@. | mongoose.js:21:19:21:26 | req.body | a user-provided value |
| mongoose.js:54:25:54:29 | query | This query depends on $@. | mongoose.js:21:19:21:26 | req.body | a user-provided value |
| mongoose.js:57:21:57:25 | query | This query depends on $@. | mongoose.js:21:19:21:26 | req.body | a user-provided value |
| mongoose.js:60:25:60:29 | query | This query depends on $@. | mongoose.js:21:19:21:26 | req.body | a user-provided value |
| mongoose.js:63:24:63:28 | query | This query depends on $@. | mongoose.js:21:19:21:26 | req.body | a user-provided value |
| mongooseJsonParse.js:23:19:23:23 | query | This query depends on $@. | mongooseJsonParse.js:20:30:20:43 | req.query.data | a user-provided value |
| tst2.js:9:27:9:84 | "select ... d + "'" | This query depends on $@. | tst2.js:9:66:9:78 | req.params.id | a user-provided value |
| tst3.js:10:14:10:19 | query1 | This query depends on $@. | tst3.js:9:16:9:34 | req.params.category | a user-provided value |

39
javascript/ql/test/query-tests/Security/CWE-089/mongoose.js
View File

@@ -20,7 +20,46 @@ app.post('/documents/find', (req, res) => {
const query = {};
query.title = req.body.title;
// NOT OK: query is tainted by user-provided object value
Document.aggregate('type', query);
// NOT OK: query is tainted by user-provided object value
Document.count(query);
// NOT OK: query is tainted by user-provided object value
Document.deleteMany(query);
// NOT OK: query is tainted by user-provided object value
Document.deleteOne(query);
// NOT OK: query is tainted by user-provided object value
Document.distinct('type', query);
// NOT OK: query is tainted by user-provided object value
Document.find(query);
// NOT OK: query is tainted by user-provided object value
Document.findOne(query);
// NOT OK: query is tainted by user-provided object value
Document.findOneAndDelete(query);
// NOT OK: query is tainted by user-provided object value
Document.findOneAndRemove(query);
// NOT OK: query is tainted by user-provided object value
Document.findOneAndUpdate(query);
// NOT OK: query is tainted by user-provided object value
Document.replaceOne(query);
// NOT OK: query is tainted by user-provided object value
Document.update(query);
// NOT OK: query is tainted by user-provided object value
Document.updateMany(query);
// NOT OK: query is tainted by user-provided object value
Document.updateOne(query);
});

2
javascript/ql/test/query-tests/Security/CWE-807/ConditionalBypass.expected
View File

@@ -10,3 +10,5 @@
| tst.js:76:9:76:10 | v1 | This condition guards a sensitive $@, but $@ controls it. | tst.js:78:9:78:22 | process.exit() | action | tst.js:75:14:75:24 | req.cookies | a user-provided value |
| tst.js:76:9:76:10 | v1 | This condition guards a sensitive $@, but $@ controls it. | tst.js:78:9:78:22 | process.exit() | action | tst.js:75:39:75:58 | req.params.requestId | a user-provided value |
| tst.js:90:9:90:41 | req.coo ... secret" | This condition guards a sensitive $@, but $@ controls it. | tst.js:92:9:92:22 | process.exit() | action | tst.js:90:9:90:19 | req.cookies | a user-provided value |
| tst.js:111:13:111:32 | req.query.vulnerable | This condition guards a sensitive $@, but $@ controls it. | tst.js:114:9:114:16 | verify() | action | tst.js:111:13:111:32 | req.query.vulnerable | a user-provided value |
| tst.js:118:13:118:32 | req.query.vulnerable | This condition guards a sensitive $@, but $@ controls it. | tst.js:121:13:121:20 | verify() | action | tst.js:118:13:118:32 | req.query.vulnerable | a user-provided value |

31
javascript/ql/test/query-tests/Security/CWE-807/tst.js
View File

@@ -99,3 +99,34 @@ app.get('/user/:id', function(req, res) {
console.log(commit.author().toString());
}
});
app.get('/user/:id', function(req, res) {
if (!req.body || !username || !password || riskAssessnment == null) { // OK: early return below
res.status(400).send({ error: '...', id: '...' });
return
}
customerLogin.customerLogin(username, password, riskAssessment, clientIpAddress);
while (!verified) {
if (req.query.vulnerable) { // NOT OK
break;
}
verify();
}
while (!verified) {
if (req.query.vulnerable) { // NOT OK
break;
} else {
verify();
}
}
while (!verified) {
if (req.query.vulnerable) { // OK: early return
return;
}
verify();
}
});