hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-05-03 04:39:29 +02:00
Code Issues Packages Projects Releases Wiki Activity

JS: Add angular.merge sink to prototype pollution query

Browse Source
This commit is contained in:
Asger F
2019-09-03 15:24:12 +01:00
parent bd32931f45
commit 5aa948cd17
5 changed files with 71 additions and 20 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
javascript/ql/test/query-tests/Security/CWE-400/PrototypePollution.expected
View File

@@ -1,4 +1,8 @@
nodes
| angularmerge.js:1:30:1:34 | event |
| angularmerge.js:2:21:2:42 | JSON.pa ... t.data) |
| angularmerge.js:2:32:2:36 | event |
| angularmerge.js:2:32:2:41 | event.data |
| src-vulnerable-lodash/tst.js:7:17:7:29 | req.query.foo |
| src-vulnerable-lodash/tst.js:10:17:12:5 | {\\n ... K\\n } |
| src-vulnerable-lodash/tst.js:11:16:11:30 | req.query.value |
@@ -6,10 +10,14 @@ nodes
| src-vulnerable-lodash/tst.js:17:17:19:5 | {\\n ... K\\n } |
| src-vulnerable-lodash/tst.js:18:16:18:25 | opts.thing |
edges
| angularmerge.js:1:30:1:34 | event | angularmerge.js:2:32:2:36 | event |
| angularmerge.js:2:32:2:36 | event | angularmerge.js:2:32:2:41 | event.data |
| angularmerge.js:2:32:2:41 | event.data | angularmerge.js:2:21:2:42 | JSON.pa ... t.data) |
| src-vulnerable-lodash/tst.js:11:16:11:30 | req.query.value | src-vulnerable-lodash/tst.js:10:17:12:5 | {\\n ... K\\n } |
| src-vulnerable-lodash/tst.js:15:14:15:28 | req.query.value | src-vulnerable-lodash/tst.js:18:16:18:25 | opts.thing |
| src-vulnerable-lodash/tst.js:18:16:18:25 | opts.thing | src-vulnerable-lodash/tst.js:17:17:19:5 | {\\n ... K\\n } |
#select
| angularmerge.js:2:21:2:42 | JSON.pa ... t.data) | angularmerge.js:1:30:1:34 | event | angularmerge.js:2:21:2:42 | JSON.pa ... t.data) | Prototype pollution caused by merging a user-controlled value from $@ using a vulnerable version of $@. | angularmerge.js:1:30:1:34 | event | here | angularmerge.js:2:3:2:43 | angular ... .data)) | angular |
| src-vulnerable-lodash/tst.js:7:17:7:29 | req.query.foo | src-vulnerable-lodash/tst.js:7:17:7:29 | req.query.foo | src-vulnerable-lodash/tst.js:7:17:7:29 | req.query.foo | Prototype pollution caused by merging a user-controlled value from $@ using a vulnerable version of $@. | src-vulnerable-lodash/tst.js:7:17:7:29 | req.query.foo | here | src-vulnerable-lodash/package.json:3:19:3:26 | "4.17.4" | lodash |
| src-vulnerable-lodash/tst.js:10:17:12:5 | {\\n ... K\\n } | src-vulnerable-lodash/tst.js:11:16:11:30 | req.query.value | src-vulnerable-lodash/tst.js:10:17:12:5 | {\\n ... K\\n } | Prototype pollution caused by merging a user-controlled value from $@ using a vulnerable version of $@. | src-vulnerable-lodash/tst.js:11:16:11:30 | req.query.value | here | src-vulnerable-lodash/package.json:3:19:3:26 | "4.17.4" | lodash |
| src-vulnerable-lodash/tst.js:17:17:19:5 | {\\n ... K\\n } | src-vulnerable-lodash/tst.js:15:14:15:28 | req.query.value | src-vulnerable-lodash/tst.js:17:17:19:5 | {\\n ... K\\n } | Prototype pollution caused by merging a user-controlled value from $@ using a vulnerable version of $@. | src-vulnerable-lodash/tst.js:15:14:15:28 | req.query.value | here | src-vulnerable-lodash/package.json:3:19:3:26 | "4.17.4" | lodash |

3
javascript/ql/test/query-tests/Security/CWE-400/angularmerge.js vendored Normal file
View File

@@ -0,0 +1,3 @@
addEventListener("message", (event) => {
angular.merge({}, JSON.parse(event.data)); // NOT OK
});