files for qhelp

javascript/ql/src/experimental/Security/CWE-918/SSRF.js

@@ -0,0 +1,15 @@
+const axios = require('axios');
+
+export const handler = async (req, res, next) => {
+  const { target } = req.body;
+
+  try {
+    // BAD: `target` is controlled by the attacker
+    const response = await axios.get('https://example.com/current_api/' + target);
+
+    // process request response
+    use(response);
+  } catch (err) {
+    // process error
+  }
+};

javascript/ql/src/experimental/Security/CWE-918/SSRFGood.js

@@ -0,0 +1,20 @@
+const axios = require('axios');
+const validator = require('validator');
+
+export const handler = async (req, res, next) => {
+  const { target } = req.body;
+
+  if (!validator.isAlphanumeric(target)) {
+    return next(new Error('Bad request'));
+  }
+
+  try {
+    // `target` is validated
+    const response = await axios.get('https://example.com/current_api/' + target);
+
+    // process request response
+    use(response);
+  } catch (err) {
+    // process error
+  }
+};