hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-05-25 08:37:20 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge tag 'codeql-cli/latest' into auto/sync-main-pr

Browse Source 
Compatible with the latest released version of the CodeQL CLI
This commit is contained in:
dilanbhalla
2025-05-01 13:06:40 +00:00
parent f7d081874b 005a27bff9
commit 63884ff714
717 changed files with 80140 additions and 7299 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
javascript/ql/integration-tests/query-suite/javascript-code-quality.qls.expected Normal file
View File

@@ -0,0 +1,5 @@
ql/javascript/ql/src/Declarations/IneffectiveParameterType.ql
ql/javascript/ql/src/Expressions/ExprHasNoEffect.ql
ql/javascript/ql/src/Expressions/MissingAwait.ql
ql/javascript/ql/src/LanguageFeatures/SpuriousArguments.ql
ql/javascript/ql/src/RegExp/RegExpAlwaysMatches.ql

90
javascript/ql/integration-tests/query-suite/javascript-code-scanning.qls.expected Normal file
View File

@@ -0,0 +1,90 @@
ql/javascript/ql/src/AngularJS/DisablingSce.ql
ql/javascript/ql/src/AngularJS/DoubleCompilation.ql
ql/javascript/ql/src/AngularJS/InsecureUrlWhitelist.ql
ql/javascript/ql/src/Diagnostics/ExtractedFiles.ql
ql/javascript/ql/src/Diagnostics/ExtractionErrors.ql
ql/javascript/ql/src/Electron/AllowRunningInsecureContent.ql
ql/javascript/ql/src/Electron/DisablingWebSecurity.ql
ql/javascript/ql/src/Performance/PolynomialReDoS.ql
ql/javascript/ql/src/Performance/ReDoS.ql
ql/javascript/ql/src/RegExp/IdentityReplacement.ql
ql/javascript/ql/src/Security/CWE-020/IncompleteHostnameRegExp.ql
ql/javascript/ql/src/Security/CWE-020/IncompleteUrlSchemeCheck.ql
ql/javascript/ql/src/Security/CWE-020/IncompleteUrlSubstringSanitization.ql
ql/javascript/ql/src/Security/CWE-020/IncorrectSuffixCheck.ql
ql/javascript/ql/src/Security/CWE-020/OverlyLargeRange.ql
ql/javascript/ql/src/Security/CWE-020/UselessRegExpCharacterEscape.ql
ql/javascript/ql/src/Security/CWE-022/TaintedPath.ql
ql/javascript/ql/src/Security/CWE-022/ZipSlip.ql
ql/javascript/ql/src/Security/CWE-073/TemplateObjectInjection.ql
ql/javascript/ql/src/Security/CWE-078/CommandInjection.ql
ql/javascript/ql/src/Security/CWE-078/SecondOrderCommandInjection.ql
ql/javascript/ql/src/Security/CWE-078/ShellCommandInjectionFromEnvironment.ql
ql/javascript/ql/src/Security/CWE-078/UnsafeShellCommandConstruction.ql
ql/javascript/ql/src/Security/CWE-078/UselessUseOfCat.ql
ql/javascript/ql/src/Security/CWE-079/ExceptionXss.ql
ql/javascript/ql/src/Security/CWE-079/ReflectedXss.ql
ql/javascript/ql/src/Security/CWE-079/StoredXss.ql
ql/javascript/ql/src/Security/CWE-079/UnsafeHtmlConstruction.ql
ql/javascript/ql/src/Security/CWE-079/UnsafeJQueryPlugin.ql
ql/javascript/ql/src/Security/CWE-079/Xss.ql
ql/javascript/ql/src/Security/CWE-079/XssThroughDom.ql
ql/javascript/ql/src/Security/CWE-089/SqlInjection.ql
ql/javascript/ql/src/Security/CWE-094/CodeInjection.ql
ql/javascript/ql/src/Security/CWE-094/ExpressionInjection.ql
ql/javascript/ql/src/Security/CWE-094/ImproperCodeSanitization.ql
ql/javascript/ql/src/Security/CWE-094/UnsafeDynamicMethodAccess.ql
ql/javascript/ql/src/Security/CWE-1004/ClientExposedCookie.ql
ql/javascript/ql/src/Security/CWE-116/BadTagFilter.ql
ql/javascript/ql/src/Security/CWE-116/DoubleEscaping.ql
ql/javascript/ql/src/Security/CWE-116/IncompleteHtmlAttributeSanitization.ql
ql/javascript/ql/src/Security/CWE-116/IncompleteMultiCharacterSanitization.ql
ql/javascript/ql/src/Security/CWE-116/IncompleteSanitization.ql
ql/javascript/ql/src/Security/CWE-116/UnsafeHtmlExpansion.ql
ql/javascript/ql/src/Security/CWE-134/TaintedFormatString.ql
ql/javascript/ql/src/Security/CWE-178/CaseSensitiveMiddlewarePath.ql
ql/javascript/ql/src/Security/CWE-200/PrivateFileExposure.ql
ql/javascript/ql/src/Security/CWE-201/PostMessageStar.ql
ql/javascript/ql/src/Security/CWE-209/StackTraceExposure.ql
ql/javascript/ql/src/Security/CWE-295/DisablingCertificateValidation.ql
ql/javascript/ql/src/Security/CWE-300/InsecureDependencyResolution.ql
ql/javascript/ql/src/Security/CWE-312/ActionsArtifactLeak.ql
ql/javascript/ql/src/Security/CWE-312/BuildArtifactLeak.ql
ql/javascript/ql/src/Security/CWE-312/CleartextLogging.ql
ql/javascript/ql/src/Security/CWE-312/CleartextStorage.ql
ql/javascript/ql/src/Security/CWE-326/InsufficientKeySize.ql
ql/javascript/ql/src/Security/CWE-327/BadRandomness.ql
ql/javascript/ql/src/Security/CWE-327/BrokenCryptoAlgorithm.ql
ql/javascript/ql/src/Security/CWE-338/InsecureRandomness.ql
ql/javascript/ql/src/Security/CWE-346/CorsMisconfigurationForCredentials.ql
ql/javascript/ql/src/Security/CWE-347/MissingJWTKeyVerification.ql
ql/javascript/ql/src/Security/CWE-352/MissingCsrfMiddleware.ql
ql/javascript/ql/src/Security/CWE-400/DeepObjectResourceExhaustion.ql
ql/javascript/ql/src/Security/CWE-502/UnsafeDeserialization.ql
ql/javascript/ql/src/Security/CWE-598/SensitiveGetQuery.ql
ql/javascript/ql/src/Security/CWE-601/ClientSideUrlRedirect.ql
ql/javascript/ql/src/Security/CWE-601/ServerSideUrlRedirect.ql
ql/javascript/ql/src/Security/CWE-611/Xxe.ql
ql/javascript/ql/src/Security/CWE-614/ClearTextCookie.ql
ql/javascript/ql/src/Security/CWE-640/HostHeaderPoisoningInEmailGeneration.ql
ql/javascript/ql/src/Security/CWE-643/XpathInjection.ql
ql/javascript/ql/src/Security/CWE-693/InsecureHelmet.ql
ql/javascript/ql/src/Security/CWE-730/RegExpInjection.ql
ql/javascript/ql/src/Security/CWE-730/ServerCrash.ql
ql/javascript/ql/src/Security/CWE-754/UnvalidatedDynamicMethodCall.ql
ql/javascript/ql/src/Security/CWE-770/MissingRateLimiting.ql
ql/javascript/ql/src/Security/CWE-770/ResourceExhaustion.ql
ql/javascript/ql/src/Security/CWE-776/XmlBomb.ql
ql/javascript/ql/src/Security/CWE-798/HardcodedCredentials.ql
ql/javascript/ql/src/Security/CWE-829/InsecureDownload.ql
ql/javascript/ql/src/Security/CWE-830/FunctionalityFromUntrustedDomain.ql
ql/javascript/ql/src/Security/CWE-830/FunctionalityFromUntrustedSource.ql
ql/javascript/ql/src/Security/CWE-834/LoopBoundInjection.ql
ql/javascript/ql/src/Security/CWE-843/TypeConfusionThroughParameterTampering.ql
ql/javascript/ql/src/Security/CWE-915/PrototypePollutingAssignment.ql
ql/javascript/ql/src/Security/CWE-915/PrototypePollutingFunction.ql
ql/javascript/ql/src/Security/CWE-915/PrototypePollutingMergeCall.ql
ql/javascript/ql/src/Security/CWE-916/InsufficientPasswordHash.ql
ql/javascript/ql/src/Security/CWE-918/RequestForgery.ql
ql/javascript/ql/src/Summary/LinesOfCode.ql
ql/javascript/ql/src/Summary/LinesOfUserCode.ql

205
javascript/ql/integration-tests/query-suite/javascript-security-and-quality.qls.expected Normal file
View File

@@ -0,0 +1,205 @@
ql/javascript/ql/src/AngularJS/DependencyMismatch.ql
ql/javascript/ql/src/AngularJS/DisablingSce.ql
ql/javascript/ql/src/AngularJS/DoubleCompilation.ql
ql/javascript/ql/src/AngularJS/DuplicateDependency.ql
ql/javascript/ql/src/AngularJS/IncompatibleService.ql
ql/javascript/ql/src/AngularJS/InsecureUrlWhitelist.ql
ql/javascript/ql/src/AngularJS/MissingExplicitInjection.ql
ql/javascript/ql/src/AngularJS/RepeatedInjection.ql
ql/javascript/ql/src/AngularJS/UseNgSrc.ql
ql/javascript/ql/src/DOM/DuplicateAttributes.ql
ql/javascript/ql/src/DOM/MalformedIdAttribute.ql
ql/javascript/ql/src/DOM/PseudoEval.ql
ql/javascript/ql/src/Declarations/ArgumentsRedefined.ql
ql/javascript/ql/src/Declarations/AssignmentToConst.ql
ql/javascript/ql/src/Declarations/ClobberingVarInit.ql
ql/javascript/ql/src/Declarations/ConflictingFunctions.ql
ql/javascript/ql/src/Declarations/DeadStoreOfLocal.ql
ql/javascript/ql/src/Declarations/DeadStoreOfProperty.ql
ql/javascript/ql/src/Declarations/DeclBeforeUse.ql
ql/javascript/ql/src/Declarations/DefaultArgumentReferencesNestedFunction.ql
ql/javascript/ql/src/Declarations/DuplicateVarDecl.ql
ql/javascript/ql/src/Declarations/IneffectiveParameterType.ql
ql/javascript/ql/src/Declarations/MissingThisQualifier.ql
ql/javascript/ql/src/Declarations/MissingVarDecl.ql
ql/javascript/ql/src/Declarations/MixedStaticInstanceThisAccess.ql
ql/javascript/ql/src/Declarations/SuspiciousMethodNameDeclaration.ql
ql/javascript/ql/src/Declarations/TemporalDeadZone.ql
ql/javascript/ql/src/Declarations/UniqueParameterNames.ql
ql/javascript/ql/src/Declarations/UniquePropertyNames.ql
ql/javascript/ql/src/Declarations/UnreachableMethodOverloads.ql
ql/javascript/ql/src/Declarations/UnusedVariable.ql
ql/javascript/ql/src/Diagnostics/ExtractedFiles.ql
ql/javascript/ql/src/Diagnostics/ExtractionErrors.ql
ql/javascript/ql/src/Electron/AllowRunningInsecureContent.ql
ql/javascript/ql/src/Electron/DisablingWebSecurity.ql
ql/javascript/ql/src/Expressions/ComparisonWithNaN.ql
ql/javascript/ql/src/Expressions/DuplicateCondition.ql
ql/javascript/ql/src/Expressions/DuplicateProperty.ql
ql/javascript/ql/src/Expressions/DuplicateSwitchCase.ql
ql/javascript/ql/src/Expressions/ExprHasNoEffect.ql
ql/javascript/ql/src/Expressions/HeterogeneousComparison.ql
ql/javascript/ql/src/Expressions/ImplicitOperandConversion.ql
ql/javascript/ql/src/Expressions/MissingAwait.ql
ql/javascript/ql/src/Expressions/MissingDotLengthInComparison.ql
ql/javascript/ql/src/Expressions/MissingSpaceInAppend.ql
ql/javascript/ql/src/Expressions/MisspelledVariableName.ql
ql/javascript/ql/src/Expressions/RedundantExpression.ql
ql/javascript/ql/src/Expressions/SelfAssignment.ql
ql/javascript/ql/src/Expressions/ShiftOutOfRange.ql
ql/javascript/ql/src/Expressions/StringInsteadOfRegex.ql
ql/javascript/ql/src/Expressions/SuspiciousInvocation.ql
ql/javascript/ql/src/Expressions/SuspiciousPropAccess.ql
ql/javascript/ql/src/Expressions/UnboundEventHandlerReceiver.ql
ql/javascript/ql/src/Expressions/UnclearOperatorPrecedence.ql
ql/javascript/ql/src/Expressions/UnknownDirective.ql
ql/javascript/ql/src/Expressions/UnneededDefensiveProgramming.ql
ql/javascript/ql/src/Expressions/WhitespaceContradictsPrecedence.ql
ql/javascript/ql/src/LanguageFeatures/BadTypeof.ql
ql/javascript/ql/src/LanguageFeatures/ConditionalComments.ql
ql/javascript/ql/src/LanguageFeatures/DeleteVar.ql
ql/javascript/ql/src/LanguageFeatures/ExpressionClosures.ql
ql/javascript/ql/src/LanguageFeatures/ForInComprehensionBlocks.ql
ql/javascript/ql/src/LanguageFeatures/IllegalInvocation.ql
ql/javascript/ql/src/LanguageFeatures/InconsistentNew.ql
ql/javascript/ql/src/LanguageFeatures/InvalidPrototype.ql
ql/javascript/ql/src/LanguageFeatures/LengthComparisonOffByOne.ql
ql/javascript/ql/src/LanguageFeatures/NonLinearPattern.ql
ql/javascript/ql/src/LanguageFeatures/PropertyWriteOnPrimitive.ql
ql/javascript/ql/src/LanguageFeatures/SemicolonInsertion.ql
ql/javascript/ql/src/LanguageFeatures/SetterReturn.ql
ql/javascript/ql/src/LanguageFeatures/SpuriousArguments.ql
ql/javascript/ql/src/LanguageFeatures/StrictModeCallStackIntrospection.ql
ql/javascript/ql/src/LanguageFeatures/SyntaxError.ql
ql/javascript/ql/src/LanguageFeatures/TemplateSyntaxInStringLiteral.ql
ql/javascript/ql/src/LanguageFeatures/ThisBeforeSuper.ql
ql/javascript/ql/src/LanguageFeatures/UnusedIndexVariable.ql
ql/javascript/ql/src/LanguageFeatures/WithStatement.ql
ql/javascript/ql/src/LanguageFeatures/YieldInNonGenerator.ql
ql/javascript/ql/src/NodeJS/InvalidExport.ql
ql/javascript/ql/src/NodeJS/MissingExports.ql
ql/javascript/ql/src/Performance/PolynomialReDoS.ql
ql/javascript/ql/src/Performance/ReDoS.ql
ql/javascript/ql/src/React/DirectStateMutation.ql
ql/javascript/ql/src/React/InconsistentStateUpdate.ql
ql/javascript/ql/src/React/UnsupportedStateUpdateInLifecycleMethod.ql
ql/javascript/ql/src/React/UnusedOrUndefinedStateProperty.ql
ql/javascript/ql/src/RegExp/BackrefBeforeGroup.ql
ql/javascript/ql/src/RegExp/BackrefIntoNegativeLookahead.ql
ql/javascript/ql/src/RegExp/DuplicateCharacterInCharacterClass.ql
ql/javascript/ql/src/RegExp/EmptyCharacterClass.ql
ql/javascript/ql/src/RegExp/IdentityReplacement.ql
ql/javascript/ql/src/RegExp/RegExpAlwaysMatches.ql
ql/javascript/ql/src/RegExp/UnboundBackref.ql
ql/javascript/ql/src/RegExp/UnmatchableCaret.ql
ql/javascript/ql/src/RegExp/UnmatchableDollar.ql
ql/javascript/ql/src/Security/CWE-020/IncompleteHostnameRegExp.ql
ql/javascript/ql/src/Security/CWE-020/IncompleteUrlSchemeCheck.ql
ql/javascript/ql/src/Security/CWE-020/IncompleteUrlSubstringSanitization.ql
ql/javascript/ql/src/Security/CWE-020/IncorrectSuffixCheck.ql
ql/javascript/ql/src/Security/CWE-020/MissingOriginCheck.ql
ql/javascript/ql/src/Security/CWE-020/MissingRegExpAnchor.ql
ql/javascript/ql/src/Security/CWE-020/OverlyLargeRange.ql
ql/javascript/ql/src/Security/CWE-020/UselessRegExpCharacterEscape.ql
ql/javascript/ql/src/Security/CWE-022/TaintedPath.ql
ql/javascript/ql/src/Security/CWE-022/ZipSlip.ql
ql/javascript/ql/src/Security/CWE-073/TemplateObjectInjection.ql
ql/javascript/ql/src/Security/CWE-078/CommandInjection.ql
ql/javascript/ql/src/Security/CWE-078/IndirectCommandInjection.ql
ql/javascript/ql/src/Security/CWE-078/SecondOrderCommandInjection.ql
ql/javascript/ql/src/Security/CWE-078/ShellCommandInjectionFromEnvironment.ql
ql/javascript/ql/src/Security/CWE-078/UnsafeShellCommandConstruction.ql
ql/javascript/ql/src/Security/CWE-078/UselessUseOfCat.ql
ql/javascript/ql/src/Security/CWE-079/ExceptionXss.ql
ql/javascript/ql/src/Security/CWE-079/ReflectedXss.ql
ql/javascript/ql/src/Security/CWE-079/StoredXss.ql
ql/javascript/ql/src/Security/CWE-079/UnsafeHtmlConstruction.ql
ql/javascript/ql/src/Security/CWE-079/UnsafeJQueryPlugin.ql
ql/javascript/ql/src/Security/CWE-079/Xss.ql
ql/javascript/ql/src/Security/CWE-079/XssThroughDom.ql
ql/javascript/ql/src/Security/CWE-089/SqlInjection.ql
ql/javascript/ql/src/Security/CWE-094/CodeInjection.ql
ql/javascript/ql/src/Security/CWE-094/ExpressionInjection.ql
ql/javascript/ql/src/Security/CWE-094/ImproperCodeSanitization.ql
ql/javascript/ql/src/Security/CWE-094/UnsafeCodeConstruction.ql
ql/javascript/ql/src/Security/CWE-094/UnsafeDynamicMethodAccess.ql
ql/javascript/ql/src/Security/CWE-1004/ClientExposedCookie.ql
ql/javascript/ql/src/Security/CWE-116/BadTagFilter.ql
ql/javascript/ql/src/Security/CWE-116/DoubleEscaping.ql
ql/javascript/ql/src/Security/CWE-116/IncompleteHtmlAttributeSanitization.ql
ql/javascript/ql/src/Security/CWE-116/IncompleteMultiCharacterSanitization.ql
ql/javascript/ql/src/Security/CWE-116/IncompleteSanitization.ql
ql/javascript/ql/src/Security/CWE-116/UnsafeHtmlExpansion.ql
ql/javascript/ql/src/Security/CWE-117/LogInjection.ql
ql/javascript/ql/src/Security/CWE-1275/SameSiteNoneCookie.ql
ql/javascript/ql/src/Security/CWE-134/TaintedFormatString.ql
ql/javascript/ql/src/Security/CWE-178/CaseSensitiveMiddlewarePath.ql
ql/javascript/ql/src/Security/CWE-200/FileAccessToHttp.ql
ql/javascript/ql/src/Security/CWE-200/PrivateFileExposure.ql
ql/javascript/ql/src/Security/CWE-201/PostMessageStar.ql
ql/javascript/ql/src/Security/CWE-209/StackTraceExposure.ql
ql/javascript/ql/src/Security/CWE-295/DisablingCertificateValidation.ql
ql/javascript/ql/src/Security/CWE-300/InsecureDependencyResolution.ql
ql/javascript/ql/src/Security/CWE-312/ActionsArtifactLeak.ql
ql/javascript/ql/src/Security/CWE-312/BuildArtifactLeak.ql
ql/javascript/ql/src/Security/CWE-312/CleartextLogging.ql
ql/javascript/ql/src/Security/CWE-312/CleartextStorage.ql
ql/javascript/ql/src/Security/CWE-313/PasswordInConfigurationFile.ql
ql/javascript/ql/src/Security/CWE-326/InsufficientKeySize.ql
ql/javascript/ql/src/Security/CWE-327/BadRandomness.ql
ql/javascript/ql/src/Security/CWE-327/BrokenCryptoAlgorithm.ql
ql/javascript/ql/src/Security/CWE-338/InsecureRandomness.ql
ql/javascript/ql/src/Security/CWE-346/CorsMisconfigurationForCredentials.ql
ql/javascript/ql/src/Security/CWE-347/MissingJWTKeyVerification.ql
ql/javascript/ql/src/Security/CWE-352/MissingCsrfMiddleware.ql
ql/javascript/ql/src/Security/CWE-367/FileSystemRace.ql
ql/javascript/ql/src/Security/CWE-377/InsecureTemporaryFile.ql
ql/javascript/ql/src/Security/CWE-384/SessionFixation.ql
ql/javascript/ql/src/Security/CWE-400/DeepObjectResourceExhaustion.ql
ql/javascript/ql/src/Security/CWE-400/RemotePropertyInjection.ql
ql/javascript/ql/src/Security/CWE-502/UnsafeDeserialization.ql
ql/javascript/ql/src/Security/CWE-506/HardcodedDataInterpretedAsCode.ql
ql/javascript/ql/src/Security/CWE-598/SensitiveGetQuery.ql
ql/javascript/ql/src/Security/CWE-601/ClientSideUrlRedirect.ql
ql/javascript/ql/src/Security/CWE-601/ServerSideUrlRedirect.ql
ql/javascript/ql/src/Security/CWE-611/Xxe.ql
ql/javascript/ql/src/Security/CWE-614/ClearTextCookie.ql
ql/javascript/ql/src/Security/CWE-640/HostHeaderPoisoningInEmailGeneration.ql
ql/javascript/ql/src/Security/CWE-643/XpathInjection.ql
ql/javascript/ql/src/Security/CWE-693/InsecureHelmet.ql
ql/javascript/ql/src/Security/CWE-730/RegExpInjection.ql
ql/javascript/ql/src/Security/CWE-730/ServerCrash.ql
ql/javascript/ql/src/Security/CWE-754/UnvalidatedDynamicMethodCall.ql
ql/javascript/ql/src/Security/CWE-770/MissingRateLimiting.ql
ql/javascript/ql/src/Security/CWE-770/ResourceExhaustion.ql
ql/javascript/ql/src/Security/CWE-776/XmlBomb.ql
ql/javascript/ql/src/Security/CWE-798/HardcodedCredentials.ql
ql/javascript/ql/src/Security/CWE-807/ConditionalBypass.ql
ql/javascript/ql/src/Security/CWE-829/InsecureDownload.ql
ql/javascript/ql/src/Security/CWE-830/FunctionalityFromUntrustedDomain.ql
ql/javascript/ql/src/Security/CWE-830/FunctionalityFromUntrustedSource.ql
ql/javascript/ql/src/Security/CWE-834/LoopBoundInjection.ql
ql/javascript/ql/src/Security/CWE-843/TypeConfusionThroughParameterTampering.ql
ql/javascript/ql/src/Security/CWE-862/EmptyPasswordInConfigurationFile.ql
ql/javascript/ql/src/Security/CWE-912/HttpToFileAccess.ql
ql/javascript/ql/src/Security/CWE-915/PrototypePollutingAssignment.ql
ql/javascript/ql/src/Security/CWE-915/PrototypePollutingFunction.ql
ql/javascript/ql/src/Security/CWE-915/PrototypePollutingMergeCall.ql
ql/javascript/ql/src/Security/CWE-916/InsufficientPasswordHash.ql
ql/javascript/ql/src/Security/CWE-918/ClientSideRequestForgery.ql
ql/javascript/ql/src/Security/CWE-918/RequestForgery.ql
ql/javascript/ql/src/Statements/DanglingElse.ql
ql/javascript/ql/src/Statements/IgnoreArrayResult.ql
ql/javascript/ql/src/Statements/InconsistentLoopOrientation.ql
ql/javascript/ql/src/Statements/LabelInCase.ql
ql/javascript/ql/src/Statements/LoopIterationSkippedDueToShifting.ql
ql/javascript/ql/src/Statements/MisleadingIndentationAfterControlStmt.ql
ql/javascript/ql/src/Statements/ReturnAssignsLocal.ql
ql/javascript/ql/src/Statements/SuspiciousUnusedLoopIterationVariable.ql
ql/javascript/ql/src/Statements/UnreachableStatement.ql
ql/javascript/ql/src/Statements/UseOfReturnlessFunction.ql
ql/javascript/ql/src/Statements/UselessComparisonTest.ql
ql/javascript/ql/src/Statements/UselessConditional.ql
ql/javascript/ql/src/Summary/LinesOfCode.ql
ql/javascript/ql/src/Summary/LinesOfUserCode.ql
ql/javascript/ql/src/Vue/ArrowMethodOnVueInstance.ql

107
javascript/ql/integration-tests/query-suite/javascript-security-extended.qls.expected Normal file
View File

@@ -0,0 +1,107 @@
ql/javascript/ql/src/AngularJS/DisablingSce.ql
ql/javascript/ql/src/AngularJS/DoubleCompilation.ql
ql/javascript/ql/src/AngularJS/InsecureUrlWhitelist.ql
ql/javascript/ql/src/Diagnostics/ExtractedFiles.ql
ql/javascript/ql/src/Diagnostics/ExtractionErrors.ql
ql/javascript/ql/src/Electron/AllowRunningInsecureContent.ql
ql/javascript/ql/src/Electron/DisablingWebSecurity.ql
ql/javascript/ql/src/Performance/PolynomialReDoS.ql
ql/javascript/ql/src/Performance/ReDoS.ql
ql/javascript/ql/src/RegExp/IdentityReplacement.ql
ql/javascript/ql/src/Security/CWE-020/IncompleteHostnameRegExp.ql
ql/javascript/ql/src/Security/CWE-020/IncompleteUrlSchemeCheck.ql
ql/javascript/ql/src/Security/CWE-020/IncompleteUrlSubstringSanitization.ql
ql/javascript/ql/src/Security/CWE-020/IncorrectSuffixCheck.ql
ql/javascript/ql/src/Security/CWE-020/MissingOriginCheck.ql
ql/javascript/ql/src/Security/CWE-020/MissingRegExpAnchor.ql
ql/javascript/ql/src/Security/CWE-020/OverlyLargeRange.ql
ql/javascript/ql/src/Security/CWE-020/UselessRegExpCharacterEscape.ql
ql/javascript/ql/src/Security/CWE-022/TaintedPath.ql
ql/javascript/ql/src/Security/CWE-022/ZipSlip.ql
ql/javascript/ql/src/Security/CWE-073/TemplateObjectInjection.ql
ql/javascript/ql/src/Security/CWE-078/CommandInjection.ql
ql/javascript/ql/src/Security/CWE-078/IndirectCommandInjection.ql
ql/javascript/ql/src/Security/CWE-078/SecondOrderCommandInjection.ql
ql/javascript/ql/src/Security/CWE-078/ShellCommandInjectionFromEnvironment.ql
ql/javascript/ql/src/Security/CWE-078/UnsafeShellCommandConstruction.ql
ql/javascript/ql/src/Security/CWE-078/UselessUseOfCat.ql
ql/javascript/ql/src/Security/CWE-079/ExceptionXss.ql
ql/javascript/ql/src/Security/CWE-079/ReflectedXss.ql
ql/javascript/ql/src/Security/CWE-079/StoredXss.ql
ql/javascript/ql/src/Security/CWE-079/UnsafeHtmlConstruction.ql
ql/javascript/ql/src/Security/CWE-079/UnsafeJQueryPlugin.ql
ql/javascript/ql/src/Security/CWE-079/Xss.ql
ql/javascript/ql/src/Security/CWE-079/XssThroughDom.ql
ql/javascript/ql/src/Security/CWE-089/SqlInjection.ql
ql/javascript/ql/src/Security/CWE-094/CodeInjection.ql
ql/javascript/ql/src/Security/CWE-094/ExpressionInjection.ql
ql/javascript/ql/src/Security/CWE-094/ImproperCodeSanitization.ql
ql/javascript/ql/src/Security/CWE-094/UnsafeCodeConstruction.ql
ql/javascript/ql/src/Security/CWE-094/UnsafeDynamicMethodAccess.ql
ql/javascript/ql/src/Security/CWE-1004/ClientExposedCookie.ql
ql/javascript/ql/src/Security/CWE-116/BadTagFilter.ql
ql/javascript/ql/src/Security/CWE-116/DoubleEscaping.ql
ql/javascript/ql/src/Security/CWE-116/IncompleteHtmlAttributeSanitization.ql
ql/javascript/ql/src/Security/CWE-116/IncompleteMultiCharacterSanitization.ql
ql/javascript/ql/src/Security/CWE-116/IncompleteSanitization.ql
ql/javascript/ql/src/Security/CWE-116/UnsafeHtmlExpansion.ql
ql/javascript/ql/src/Security/CWE-117/LogInjection.ql
ql/javascript/ql/src/Security/CWE-1275/SameSiteNoneCookie.ql
ql/javascript/ql/src/Security/CWE-134/TaintedFormatString.ql
ql/javascript/ql/src/Security/CWE-178/CaseSensitiveMiddlewarePath.ql
ql/javascript/ql/src/Security/CWE-200/FileAccessToHttp.ql
ql/javascript/ql/src/Security/CWE-200/PrivateFileExposure.ql
ql/javascript/ql/src/Security/CWE-201/PostMessageStar.ql
ql/javascript/ql/src/Security/CWE-209/StackTraceExposure.ql
ql/javascript/ql/src/Security/CWE-295/DisablingCertificateValidation.ql
ql/javascript/ql/src/Security/CWE-300/InsecureDependencyResolution.ql
ql/javascript/ql/src/Security/CWE-312/ActionsArtifactLeak.ql
ql/javascript/ql/src/Security/CWE-312/BuildArtifactLeak.ql
ql/javascript/ql/src/Security/CWE-312/CleartextLogging.ql
ql/javascript/ql/src/Security/CWE-312/CleartextStorage.ql
ql/javascript/ql/src/Security/CWE-313/PasswordInConfigurationFile.ql
ql/javascript/ql/src/Security/CWE-326/InsufficientKeySize.ql
ql/javascript/ql/src/Security/CWE-327/BadRandomness.ql
ql/javascript/ql/src/Security/CWE-327/BrokenCryptoAlgorithm.ql
ql/javascript/ql/src/Security/CWE-338/InsecureRandomness.ql
ql/javascript/ql/src/Security/CWE-346/CorsMisconfigurationForCredentials.ql
ql/javascript/ql/src/Security/CWE-347/MissingJWTKeyVerification.ql
ql/javascript/ql/src/Security/CWE-352/MissingCsrfMiddleware.ql
ql/javascript/ql/src/Security/CWE-367/FileSystemRace.ql
ql/javascript/ql/src/Security/CWE-377/InsecureTemporaryFile.ql
ql/javascript/ql/src/Security/CWE-384/SessionFixation.ql
ql/javascript/ql/src/Security/CWE-400/DeepObjectResourceExhaustion.ql
ql/javascript/ql/src/Security/CWE-400/RemotePropertyInjection.ql
ql/javascript/ql/src/Security/CWE-502/UnsafeDeserialization.ql
ql/javascript/ql/src/Security/CWE-506/HardcodedDataInterpretedAsCode.ql
ql/javascript/ql/src/Security/CWE-598/SensitiveGetQuery.ql
ql/javascript/ql/src/Security/CWE-601/ClientSideUrlRedirect.ql
ql/javascript/ql/src/Security/CWE-601/ServerSideUrlRedirect.ql
ql/javascript/ql/src/Security/CWE-611/Xxe.ql
ql/javascript/ql/src/Security/CWE-614/ClearTextCookie.ql
ql/javascript/ql/src/Security/CWE-640/HostHeaderPoisoningInEmailGeneration.ql
ql/javascript/ql/src/Security/CWE-643/XpathInjection.ql
ql/javascript/ql/src/Security/CWE-693/InsecureHelmet.ql
ql/javascript/ql/src/Security/CWE-730/RegExpInjection.ql
ql/javascript/ql/src/Security/CWE-730/ServerCrash.ql
ql/javascript/ql/src/Security/CWE-754/UnvalidatedDynamicMethodCall.ql
ql/javascript/ql/src/Security/CWE-770/MissingRateLimiting.ql
ql/javascript/ql/src/Security/CWE-770/ResourceExhaustion.ql
ql/javascript/ql/src/Security/CWE-776/XmlBomb.ql
ql/javascript/ql/src/Security/CWE-798/HardcodedCredentials.ql
ql/javascript/ql/src/Security/CWE-807/ConditionalBypass.ql
ql/javascript/ql/src/Security/CWE-829/InsecureDownload.ql
ql/javascript/ql/src/Security/CWE-830/FunctionalityFromUntrustedDomain.ql
ql/javascript/ql/src/Security/CWE-830/FunctionalityFromUntrustedSource.ql
ql/javascript/ql/src/Security/CWE-834/LoopBoundInjection.ql
ql/javascript/ql/src/Security/CWE-843/TypeConfusionThroughParameterTampering.ql
ql/javascript/ql/src/Security/CWE-862/EmptyPasswordInConfigurationFile.ql
ql/javascript/ql/src/Security/CWE-912/HttpToFileAccess.ql
ql/javascript/ql/src/Security/CWE-915/PrototypePollutingAssignment.ql
ql/javascript/ql/src/Security/CWE-915/PrototypePollutingFunction.ql
ql/javascript/ql/src/Security/CWE-915/PrototypePollutingMergeCall.ql
ql/javascript/ql/src/Security/CWE-916/InsufficientPasswordHash.ql
ql/javascript/ql/src/Security/CWE-918/ClientSideRequestForgery.ql
ql/javascript/ql/src/Security/CWE-918/RequestForgery.ql
ql/javascript/ql/src/Summary/LinesOfCode.ql
ql/javascript/ql/src/Summary/LinesOfUserCode.ql

148
javascript/ql/integration-tests/query-suite/not_included_in_qls.expected Normal file
View File

@@ -0,0 +1,148 @@
ql/javascript/ql/src/AlertSuppression.ql
ql/javascript/ql/src/AngularJS/DeadAngularJSEventListener.ql
ql/javascript/ql/src/AngularJS/UnusedAngularDependency.ql
ql/javascript/ql/src/Comments/CommentedOutCode.ql
ql/javascript/ql/src/Comments/FCommentedOutCode.ql
ql/javascript/ql/src/Comments/TodoComments.ql
ql/javascript/ql/src/DOM/Alert.ql
ql/javascript/ql/src/DOM/AmbiguousIdAttribute.ql
ql/javascript/ql/src/DOM/ConflictingAttributes.ql
ql/javascript/ql/src/DOM/TargetBlank.ql
ql/javascript/ql/src/Declarations/DeadStoreOfGlobal.ql
ql/javascript/ql/src/Declarations/RedeclaredVariable.ql
ql/javascript/ql/src/Declarations/TooManyParameters.ql
ql/javascript/ql/src/Declarations/UnstableCyclicImport.ql
ql/javascript/ql/src/Declarations/UnusedParameter.ql
ql/javascript/ql/src/Declarations/UnusedProperty.ql
ql/javascript/ql/src/Electron/EnablingNodeIntegration.ql
ql/javascript/ql/src/Expressions/BitwiseSignCheck.ql
ql/javascript/ql/src/Expressions/CompareIdenticalValues.ql
ql/javascript/ql/src/Expressions/MisspelledIdentifier.ql
ql/javascript/ql/src/JSDoc/BadParamTag.ql
ql/javascript/ql/src/JSDoc/JSDocForNonExistentParameter.ql
ql/javascript/ql/src/JSDoc/UndocumentedParameter.ql
ql/javascript/ql/src/LanguageFeatures/ArgumentsCallerCallee.ql
ql/javascript/ql/src/LanguageFeatures/DebuggerStatement.ql
ql/javascript/ql/src/LanguageFeatures/EmptyArrayInit.ql
ql/javascript/ql/src/LanguageFeatures/Eval.ql
ql/javascript/ql/src/LanguageFeatures/JumpFromFinally.ql
ql/javascript/ql/src/LanguageFeatures/SetterIgnoresParameter.ql
ql/javascript/ql/src/LanguageFeatures/WrongExtensionJSON.ql
ql/javascript/ql/src/Metrics/Dependencies/ExternalDependencies.ql
ql/javascript/ql/src/Metrics/Dependencies/ExternalDependenciesSourceLinks.ql
ql/javascript/ql/src/Metrics/FCommentRatio.ql
ql/javascript/ql/src/Metrics/FCyclomaticComplexity.ql
ql/javascript/ql/src/Metrics/FFunctions.ql
ql/javascript/ql/src/Metrics/FLines.ql
ql/javascript/ql/src/Metrics/FLinesOfCode.ql
ql/javascript/ql/src/Metrics/FLinesOfComment.ql
ql/javascript/ql/src/Metrics/FLinesOfDuplicatedCode.ql
ql/javascript/ql/src/Metrics/FLinesOfSimilarCode.ql
ql/javascript/ql/src/Metrics/FNumberOfStatements.ql
ql/javascript/ql/src/Metrics/FNumberOfTests.ql
ql/javascript/ql/src/Metrics/FUseOfES6.ql
ql/javascript/ql/src/Metrics/FunCyclomaticComplexity.ql
ql/javascript/ql/src/Metrics/FunLinesOfCode.ql
ql/javascript/ql/src/NodeJS/CyclicImport.ql
ql/javascript/ql/src/NodeJS/DubiousImport.ql
ql/javascript/ql/src/NodeJS/UnresolvableImport.ql
ql/javascript/ql/src/NodeJS/UnusedDependency.ql
ql/javascript/ql/src/Performance/NonLocalForIn.ql
ql/javascript/ql/src/Performance/ReassignParameterAndUseArguments.ql
ql/javascript/ql/src/RegExp/BackspaceEscape.ql
ql/javascript/ql/src/RegExp/MalformedRegExp.ql
ql/javascript/ql/src/Security/CWE-020/ExternalAPIsUsedWithUntrustedData.ql
ql/javascript/ql/src/Security/CWE-020/UntrustedDataToExternalAPI.ql
ql/javascript/ql/src/Security/CWE-451/MissingXFrameOptions.ql
ql/javascript/ql/src/Security/CWE-807/DifferentKindsComparisonBypass.ql
ql/javascript/ql/src/Security/trest/test.ql
ql/javascript/ql/src/Statements/EphemeralLoop.ql
ql/javascript/ql/src/Statements/ImplicitReturn.ql
ql/javascript/ql/src/Statements/InconsistentReturn.ql
ql/javascript/ql/src/Statements/NestedLoopsSameVariable.ql
ql/javascript/ql/src/Statements/ReturnOutsideFunction.ql
ql/javascript/ql/src/Summary/TaintSinks.ql
ql/javascript/ql/src/Summary/TaintSources.ql
ql/javascript/ql/src/definitions.ql
ql/javascript/ql/src/experimental/Security/CWE-094-dataURL/CodeInjection.ql
ql/javascript/ql/src/experimental/Security/CWE-094/UntrustedCheckout.ql
ql/javascript/ql/src/experimental/Security/CWE-099/EnvValueAndKeyInjection.ql
ql/javascript/ql/src/experimental/Security/CWE-099/EnvValueInjection.ql
ql/javascript/ql/src/experimental/Security/CWE-340/TokenBuiltFromUUID.ql
ql/javascript/ql/src/experimental/Security/CWE-347/decodeJwtWithoutVerification.ql
ql/javascript/ql/src/experimental/Security/CWE-347/decodeJwtWithoutVerificationLocalSource.ql
ql/javascript/ql/src/experimental/Security/CWE-444/InsecureHttpParser.ql
ql/javascript/ql/src/experimental/Security/CWE-522-DecompressionBombs/DecompressionBombs.ql
ql/javascript/ql/src/experimental/Security/CWE-918/SSRF.ql
ql/javascript/ql/src/experimental/Security/CWE-942/CorsPermissiveConfiguration.ql
ql/javascript/ql/src/experimental/StandardLibrary/MultipleArgumentsToSetConstructor.ql
ql/javascript/ql/src/experimental/heuristics/ql/src/Security/CWE-020/UntrustedDataToExternalAPI.ql
ql/javascript/ql/src/experimental/heuristics/ql/src/Security/CWE-078/CommandInjection.ql
ql/javascript/ql/src/experimental/heuristics/ql/src/Security/CWE-079/Xss.ql
ql/javascript/ql/src/experimental/heuristics/ql/src/Security/CWE-089/SqlInjection.ql
ql/javascript/ql/src/experimental/heuristics/ql/src/Security/CWE-094/CodeInjection.ql
ql/javascript/ql/src/experimental/heuristics/ql/src/Security/CWE-117/LogInjection.ql
ql/javascript/ql/src/experimental/heuristics/ql/src/Security/CWE-134/TaintedFormatString.ql
ql/javascript/ql/src/experimental/heuristics/ql/src/Security/CWE-346/CorsMisconfigurationForCredentials.ql
ql/javascript/ql/src/experimental/heuristics/ql/src/Security/CWE-400/RemotePropertyInjection.ql
ql/javascript/ql/src/experimental/heuristics/ql/src/Security/CWE-502/UnsafeDeserialization.ql
ql/javascript/ql/src/experimental/heuristics/ql/src/Security/CWE-611/Xxe.ql
ql/javascript/ql/src/experimental/heuristics/ql/src/Security/CWE-643/XpathInjection.ql
ql/javascript/ql/src/experimental/heuristics/ql/src/Security/CWE-730/RegExpInjection.ql
ql/javascript/ql/src/experimental/heuristics/ql/src/Security/CWE-770/ResourceExhaustion.ql
ql/javascript/ql/src/experimental/heuristics/ql/src/Security/CWE-776/XmlBomb.ql
ql/javascript/ql/src/experimental/heuristics/ql/src/Security/CWE-807/ConditionalBypass.ql
ql/javascript/ql/src/experimental/heuristics/ql/src/Security/CWE-915/PrototypePollutingAssignment.ql
ql/javascript/ql/src/external/DuplicateFunction.ql
ql/javascript/ql/src/external/DuplicateToplevel.ql
ql/javascript/ql/src/external/SimilarFunction.ql
ql/javascript/ql/src/external/SimilarToplevel.ql
ql/javascript/ql/src/filters/ClassifyFiles.ql
ql/javascript/ql/src/meta/ApiGraphs/ApiGraphEdges.ql
ql/javascript/ql/src/meta/ApiGraphs/ApiGraphNodes.ql
ql/javascript/ql/src/meta/ApiGraphs/ApiGraphPointsToEdges.ql
ql/javascript/ql/src/meta/ApiGraphs/ApiGraphRhsNodes.ql
ql/javascript/ql/src/meta/ApiGraphs/ApiGraphUseNodes.ql
ql/javascript/ql/src/meta/Consistency.ql
ql/javascript/ql/src/meta/SSA/DeadDef.ql
ql/javascript/ql/src/meta/SSA/Dominance.ql
ql/javascript/ql/src/meta/SSA/MultipleDefs.ql
ql/javascript/ql/src/meta/SSA/MultipleRefinementInputs.ql
ql/javascript/ql/src/meta/SSA/NoDefs.ql
ql/javascript/ql/src/meta/SSA/NoPhiInputs.ql
ql/javascript/ql/src/meta/SSA/NoRefinementInputs.ql
ql/javascript/ql/src/meta/SSA/SinglePhiInput.ql
ql/javascript/ql/src/meta/alerts/CallGraph.ql
ql/javascript/ql/src/meta/alerts/ImportGraph.ql
ql/javascript/ql/src/meta/alerts/LibraryInputs.ql
ql/javascript/ql/src/meta/alerts/TaintSinks.ql
ql/javascript/ql/src/meta/alerts/TaintSources.ql
ql/javascript/ql/src/meta/alerts/TaintedNodes.ql
ql/javascript/ql/src/meta/alerts/ThreatModelSources.ql
ql/javascript/ql/src/meta/analysis-quality/CalledFunctionCandidates.ql
ql/javascript/ql/src/meta/analysis-quality/CalledFunctionRatio.ql
ql/javascript/ql/src/meta/analysis-quality/CalledFunctions.ql
ql/javascript/ql/src/meta/analysis-quality/DomValueRefs.ql
ql/javascript/ql/src/meta/analysis-quality/NumModules.ql
ql/javascript/ql/src/meta/analysis-quality/ResolvableCallCandidates.ql
ql/javascript/ql/src/meta/analysis-quality/ResolvableCallRatio.ql
ql/javascript/ql/src/meta/analysis-quality/ResolvableCalls.ql
ql/javascript/ql/src/meta/analysis-quality/ResolvableImports.ql
ql/javascript/ql/src/meta/analysis-quality/RouteHandlers.ql
ql/javascript/ql/src/meta/analysis-quality/SanitizersReachableFromSource.ql
ql/javascript/ql/src/meta/analysis-quality/SinksReachableFromSanitizer.ql
ql/javascript/ql/src/meta/analysis-quality/TaintSinks.ql
ql/javascript/ql/src/meta/analysis-quality/TaintSources.ql
ql/javascript/ql/src/meta/analysis-quality/TaintSteps.ql
ql/javascript/ql/src/meta/analysis-quality/TaintedNodes.ql
ql/javascript/ql/src/meta/analysis-quality/UncalledFunctions.ql
ql/javascript/ql/src/meta/analysis-quality/UnmodelledSteps.ql
ql/javascript/ql/src/meta/analysis-quality/UnpromotedRouteHandlerCandidate.ql
ql/javascript/ql/src/meta/analysis-quality/UnpromotedRouteSetupCandidate.ql
ql/javascript/ql/src/meta/analysis-quality/UnresolvableCalls.ql
ql/javascript/ql/src/meta/analysis-quality/UnresolvableImports.ql
ql/javascript/ql/src/meta/extraction-metrics/FileData.ql
ql/javascript/ql/src/meta/extraction-metrics/MissingMetrics.ql
ql/javascript/ql/src/meta/extraction-metrics/PhaseTimings.ql
ql/javascript/ql/src/meta/types/TypedExprs.ql
ql/javascript/ql/src/meta/types/TypesWithQualifiedName.ql

14
javascript/ql/integration-tests/query-suite/test.py Normal file
View File

@@ -0,0 +1,14 @@
import runs_on
import pytest
from query_suites import *
well_known_query_suites = ['javascript-code-quality.qls', 'javascript-security-and-quality.qls', 'javascript-security-extended.qls', 'javascript-code-scanning.qls']
@runs_on.posix
@pytest.mark.parametrize("query_suite", well_known_query_suites)
def test(codeql, javascript, check_query_suite, query_suite):
check_query_suite(query_suite)
@runs_on.posix
def test_not_included_queries(codeql, javascript, check_queries_not_included):
check_queries_not_included('javascript', well_known_query_suites)

4
javascript/ql/lib/CHANGELOG.md
View File

@@ -1,3 +1,7 @@
## 2.6.2
No user-facing changes.
## 2.6.1
### Minor Analysis Improvements

3
javascript/ql/lib/change-notes/released/2.6.2.md Normal file
View File

@@ -0,0 +1,3 @@
## 2.6.2
No user-facing changes.

2
javascript/ql/lib/codeql-pack.release.yml
View File

@@ -1,2 +1,2 @@
---
lastReleaseVersion: 2.6.1
lastReleaseVersion: 2.6.2

2
javascript/ql/lib/qlpack.yml
View File

@@ -1,5 +1,5 @@
name: codeql/javascript-all
version: 2.6.1
version: 2.6.2
groups: javascript
dbscheme: semmlecode.javascript.dbscheme
extractor: javascript

5
javascript/ql/lib/semmle/javascript/dataflow/DataFlow.qll
View File

@@ -1610,6 +1610,11 @@ module DataFlow {
pred = TElementPatternNode(_, element) and
succ = lvalueNodeInternal(element)
)
or
exists(Expr rest |
pred = TRestPatternNode(_, rest) and
succ = lvalueNodeInternal(rest)
)
}
/**

4
javascript/ql/src/CHANGELOG.md
View File

@@ -1,3 +1,7 @@
## 1.5.4
No user-facing changes.
## 1.5.3
### Minor Analysis Improvements

3
javascript/ql/src/change-notes/released/1.5.4.md Normal file
View File

@@ -0,0 +1,3 @@
## 1.5.4
No user-facing changes.

2
javascript/ql/src/codeql-pack.release.yml
View File

@@ -1,2 +1,2 @@
---
lastReleaseVersion: 1.5.3
lastReleaseVersion: 1.5.4

2
javascript/ql/src/qlpack.yml
View File

@@ -1,5 +1,5 @@
name: codeql/javascript-queries
version: 1.5.3
version: 1.5.4
groups:
- javascript
- queries

4
javascript/ql/test/library-tests/DataFlow/tests.expected
View File

@@ -1094,6 +1094,7 @@ flowStep
| tst.js:87:11:87:24 | o | tst.js:90:15:90:15 | o |
| tst.js:87:11:87:24 | x | tst.js:91:10:91:10 | x |
| tst.js:87:13:87:16 | p: x | tst.js:87:11:87:24 | x |
| tst.js:87:22:87:22 | ...o | tst.js:87:11:87:24 | o |
| tst.js:88:7:88:18 | y | tst.js:91:14:91:14 | y |
| tst.js:88:9:88:12 | q: y | tst.js:88:7:88:18 | y |
| tst.js:88:18:88:18 | o | tst.js:88:7:88:14 | { q: y } |
@@ -1110,6 +1111,7 @@ flowStep
| tst.js:98:11:98:24 | rest | tst.js:101:13:101:16 | rest |
| tst.js:98:11:98:24 | x | tst.js:102:10:102:10 | x |
| tst.js:98:13:98:13 | x | tst.js:98:11:98:24 | x |
| tst.js:98:19:98:22 | ...rest | tst.js:98:11:98:24 | rest |
| tst.js:99:7:99:18 | y | tst.js:102:14:102:14 | y |
| tst.js:99:9:99:9 | y | tst.js:99:7:99:18 | y |
| tst.js:99:15:99:18 | rest | tst.js:99:7:99:11 | [ y ] |
@@ -1264,6 +1266,7 @@ getImmediatePredecessor
| tst.js:87:11:87:24 | o | tst.js:90:15:90:15 | o |
| tst.js:87:11:87:24 | x | tst.js:91:10:91:10 | x |
| tst.js:87:13:87:16 | p: x | tst.js:87:11:87:24 | x |
| tst.js:87:22:87:22 | ...o | tst.js:87:11:87:24 | o |
| tst.js:88:7:88:18 | y | tst.js:91:14:91:14 | y |
| tst.js:88:9:88:12 | q: y | tst.js:88:7:88:18 | y |
| tst.js:88:18:88:18 | o | tst.js:88:7:88:14 | { q: y } |
@@ -1279,6 +1282,7 @@ getImmediatePredecessor
| tst.js:98:11:98:24 | rest | tst.js:101:13:101:16 | rest |
| tst.js:98:11:98:24 | x | tst.js:102:10:102:10 | x |
| tst.js:98:13:98:13 | x | tst.js:98:11:98:24 | x |
| tst.js:98:19:98:22 | ...rest | tst.js:98:11:98:24 | rest |
| tst.js:99:7:99:18 | y | tst.js:102:14:102:14 | y |
| tst.js:99:9:99:9 | y | tst.js:99:7:99:18 | y |
| tst.js:99:15:99:18 | rest | tst.js:99:7:99:11 | [ y ] |

15
javascript/ql/test/library-tests/GetALocalSource/rest-pattern.js Normal file
View File

@@ -0,0 +1,15 @@
function t1() {
const { ...rest } = source('t1.1');
rest; // $ getALocalSource=rest
}
function t2() {
const [ ...rest ] = source('t2.1');
rest; // $ getALocalSource=rest
}
function t3() {
const { p1, ...rest } = source('t3.1');
p1; // $ getALocalSource=p1
rest; // $ getALocalSource=rest
}

4
javascript/ql/test/library-tests/GetALocalSource/test.expected Normal file
View File

@@ -0,0 +1,4 @@
| rest-pattern.js:3:5:3:8 | rest | rest |
| rest-pattern.js:8:5:8:8 | rest | rest |
| rest-pattern.js:13:5:13:6 | p1 | p1 |
| rest-pattern.js:14:5:14:8 | rest | rest |

30
javascript/ql/test/library-tests/GetALocalSource/test.ql Normal file
View File

@@ -0,0 +1,30 @@
import javascript
string nodeName(DataFlow::SourceNode node) {
result = node.getAstNode().(VarRef).getName()
or
result = node.getAstNode().(PropertyPattern).getName()
or
result = node.getAstNode().(PropAccess).getPropertyName()
or
exists(DataFlow::InvokeNode invoke |
node = invoke and
invoke.getCalleeName() = "source" and
result = invoke.getArgument(0).getStringValue()
)
}
bindingset[node1, node2]
pragma[inline_late]
predicate sameLine(DataFlow::Node node1, DataFlow::Node node2) {
node1.getLocation().getFile() = node2.getLocation().getFile() and
node1.getLocation().getStartLine() = node2.getLocation().getStartLine()
}
query predicate getALocalSource(DataFlow::Node node, string name) {
exists(DataFlow::SourceNode sn |
sn = node.getALocalSource() and
name = nodeName(sn) and
not sameLine(node, sn)
)
}

2
javascript/ql/test/library-tests/GetALocalSource/test.qlref Normal file
View File

@@ -0,0 +1,2 @@
query: test.ql
postprocess: utils/test/InlineExpectationsTestQuery.ql

6
javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/child_process-test.js
View File

@@ -36,7 +36,7 @@ var server = http.createServer(function(req, res) {
sh = 'cmd.exe', flag = '/c';
else
sh = '/bin/sh', flag = '-c';
cp.spawn(sh, [ flag, cmd ]); // $ Alert Sink
cp.spawn(sh, [ flag, cmd ]); // $ Alert
let args = [];
args[0] = "-c";
@@ -53,8 +53,8 @@ var server = http.createServer(function(req, res) {
args[1] = cmd; // $ Sink
cp.execFile(`/bin` + "/bash", args); // $ Alert
cp.spawn('cmd.exe', ['/C', 'foo'].concat(["bar", cmd])); // $ Alert Sink
cp.spawn('cmd.exe', ['/C', 'foo'].concat(cmd)); // $ Alert Sink
cp.spawn('cmd.exe', ['/C', 'foo'].concat(["bar", cmd])); // $ Alert
cp.spawn('cmd.exe', ['/C', 'foo'].concat(cmd)); // $ Alert
let myArgs = [];
myArgs.push(`-` + "c");

2
javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/exec-sh.js
View File

@@ -12,7 +12,7 @@ function getShell() {
function execSh(command, options) {
var shell = getShell()
return cp.spawn(shell.cmd, [shell.arg, command], options) // $ Alert Sink
return cp.spawn(shell.cmd, [shell.arg, command], options) // $ Alert
}
http.createServer(function (req, res) {

2
javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/exec-sh2.js
View File

@@ -7,7 +7,7 @@ function getShell() {
}
function execSh(command, options) {
return cp.spawn(getShell(), ["-c", command], options) // $ Alert Sink
return cp.spawn(getShell(), ["-c", command], options) // $ Alert
};
http.createServer(function (req, res) {

4
javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/isImported.js
View File

@@ -3,5 +3,5 @@
const cp = require("child_process");
module.exports.thisMethodIsImported = function (name) { // $ Source
cp.exec("rm -rf " + name); // $ Alert Sink
}
cp.exec("rm -rf " + name); // $ Alert
}

152
javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/lib.js
View File

@@ -1,30 +1,30 @@
var cp = require("child_process")
module.exports.blah = function (name) { // $ Source
cp.exec("rm -rf " + name); // $ Alert Sink
cp.exec("rm -rf " + name); // $ Alert
cp.execFile(name, [name]);
cp.execFile(name, name);
};
module.exports.foo = function (name) { // $ Source
cp.exec("rm -rf " + name); // $ Alert Sink
cp.exec("rm -rf " + name); // $ Alert
}
module.exports.foo.bar = function (name) { // $ Source
cp.exec("rm -rf " + name); // $ Alert Sink
cp.exec("rm -rf " + name); // $ Alert
}
function cla() { }
cla.prototype.method = function (name) { // $ Source
cp.exec("rm -rf " + name); // $ Alert Sink
cp.exec("rm -rf " + name); // $ Alert
}
module.exports.cla = new cla();
function cla2() { }
cla2.prototype.method = function (name) { // $ Source
cp.exec("rm -rf " + name); // $ Alert Sink
cp.exec("rm -rf " + name); // $ Alert
}
module.exports.bla = new cla2();
@@ -32,13 +32,13 @@ module.exports.lib2 = require("./lib2.js")
class Cla3 {
constructor(name) { // $ Source
cp.exec("rm -rf " + name); // $ Alert Sink
cp.exec("rm -rf " + name); // $ Alert
}
static foo(name) { // $ Source
cp.exec("rm -rf " + name); // $ Alert Sink
cp.exec("rm -rf " + name); // $ Alert
}
bar(name) { // $ Source
cp.exec("rm -rf " + name); // $ Alert Sink
cp.exec("rm -rf " + name); // $ Alert
cp.exec("rm -rf " + notASource);
}
@@ -47,14 +47,14 @@ class Cla3 {
module.exports.cla3 = Cla3;
module.exports.mz = function (name) { // $ Source
require("mz/child_process").exec("rm -rf " + name); // $ Alert Sink
require("mz/child_process").exec("rm -rf " + name); // $ Alert
}
module.exports.flow = function (name) { // $ Source
var cmd1 = "rm -rf " + name; // $ Alert Sink
var cmd1 = "rm -rf " + name; // $ Alert
cp.exec(cmd1);
var cmd2 = "rm -rf " + name; // $ Alert Sink
var cmd2 = "rm -rf " + name; // $ Alert
function myExec(cmd) {
cp.exec(cmd);
}
@@ -62,25 +62,25 @@ module.exports.flow = function (name) { // $ Source
}
module.exports.stringConcat = function (name) { // $ Source
cp.exec("rm -rf " + name); // $ Alert Sink
cp.exec("rm -rf " + name); // $ Alert
cp.exec(name);
cp.exec("for foo in (" + name + ") do bla end"); // $ Alert Sink
cp.exec("for foo in (" + name + ") do bla end"); // $ Alert
cp.exec("cat /foO/BAR/" + name) // $ Alert Sink
cp.exec("cat /foO/BAR/" + name) // $ Alert
cp.exec("cat \"" + name + "\"") // $ Alert Sink
cp.exec("cat \"" + name + "\"") // $ Alert
cp.exec("cat '" + name + "'") // $ Alert Sink
cp.exec("cat '" + name + "'") // $ Alert
cp.exec("cat '/foo/bar" + name + "'") // $ Alert Sink
cp.exec("cat '/foo/bar" + name + "'") // $ Alert
cp.exec(name + " some file")
}
module.exports.arrays = function (name) { // $ Source
cp.exec("rm -rf " + name); // $ Alert Sink
cp.exec("rm -rf " + name); // $ Alert
var args1 = ["node"];
args1.push(name); // $ Alert
@@ -109,7 +109,7 @@ module.exports.format = function (name) { // $ Source
}
module.exports.valid = function (name) { // $ Source
cp.exec("rm -rf " + name); // $ Alert Sink
cp.exec("rm -rf " + name); // $ Alert
if (!isValidName(name)) {
return;
@@ -118,7 +118,7 @@ module.exports.valid = function (name) { // $ Source
}
module.exports.safe = function (name) { // $ Source
cp.exec("rm -rf " + name); // $ Alert Sink
cp.exec("rm -rf " + name); // $ Alert
if (!isSafeName(name)) {
return;
@@ -128,7 +128,7 @@ module.exports.safe = function (name) { // $ Source
class Cla4 {
wha(name) { // $ Source
cp.exec("rm -rf " + name); // $ Alert Sink
cp.exec("rm -rf " + name); // $ Alert
}
static bla(name) {
@@ -146,7 +146,7 @@ function Cla5(name) {
module.exports.cla5 = new Cla5();
module.exports.indirect = function (name) { // $ Source
let cmd = "rm -rf " + name; // $ Alert Sink
let cmd = "rm -rf " + name; // $ Alert
let sh = "sh";
let args = ["-c", cmd];
cp.spawn(sh, args, cb);
@@ -158,7 +158,7 @@ module.exports.indirect2 = function (name) { // $ Source
let args = ["-c", cmd];
cp.spawn(sh, args, cb);
let cmd2 = "rm -rf " + name; // $ Alert Sink
let cmd2 = "rm -rf " + name; // $ Alert
var args2 = [cmd2];
cp.spawn(
'cmd.exe',
@@ -170,7 +170,7 @@ module.exports.indirect2 = function (name) { // $ Source
module.exports.cmd = function (command, name) { // $ Source
cp.exec("fo | " + command);
cp.exec("fo | " + name); // $ Alert Sink
cp.exec("fo | " + name); // $ Alert
}
@@ -178,54 +178,54 @@ module.exports.sanitizer = function (name) { // $ Source
var sanitized = "'" + name.replace(/'/g, "'\\''") + "'"
cp.exec("rm -rf " + sanitized);
var broken = "'" + name.replace(/'/g, "'\''") + "'" // $ Alert Sink
cp.exec("rm -rf " + broken); // $ Alert Sink
var broken = "'" + name.replace(/'/g, "'\''") + "'" // $ Alert
cp.exec("rm -rf " + broken); // $ Alert
}
var path = require("path");
module.exports.guard = function (name) { // $ Source
cp.exec("rm -rf " + name); // $ Alert Sink
cp.exec("rm -rf " + name); // $ Alert
if (!path.exist(name)) {
cp.exec("rm -rf " + name); // $ Alert Sink
cp.exec("rm -rf " + name); // $ Alert
return;
}
cp.exec("rm -rf " + name);
}
module.exports.blacklistOfChars = function (name) { // $ Source
cp.exec("rm -rf " + name); // $ Alert Sink
cp.exec("rm -rf " + name); // $ Alert
if (/[^A-Za-z0-9_\/:=-]/.test(name)) {
cp.exec("rm -rf " + name); // $ Alert Sink
cp.exec("rm -rf " + name); // $ Alert
} else {
cp.exec("rm -rf " + name);
}
}
module.exports.whitelistOfChars = function (name) { // $ Source
cp.exec("rm -rf " + name); // $ Alert Sink
cp.exec("rm -rf " + name); // $ Alert
if (/^[A-Za-z0-9_\/:=-]$/.test(name)) {
cp.exec("rm -rf " + name);
} else {
cp.exec("rm -rf " + name); // $ Alert Sink
cp.exec("rm -rf " + name); // $ Alert
}
}
module.exports.blackList2 = function (name) { // $ Source
cp.exec("rm -rf " + name); // $ Alert Sink
cp.exec("rm -rf " + name); // $ Alert
if (!/^([a-zA-Z0-9]+))?$/.test(name)) {
cp.exec("rm -rf " + name); // $ Alert Sink
cp.exec("rm -rf " + name); // $ Alert
process.exit(-1);
}
cp.exec("rm -rf " + name); // $ Sink SPURIOUS: Alert - FP due to tracking flow through `process.exit()`.
cp.exec("rm -rf " + name); // $ SPURIOUS: Alert - FP due to tracking flow through `process.exit()`.
}
module.exports.accessSync = function (name) { // $ Source
cp.exec("rm -rf " + name); // $ Alert Sink
cp.exec("rm -rf " + name); // $ Alert
try {
path.accessSync(name);
@@ -233,7 +233,7 @@ module.exports.accessSync = function (name) { // $ Source
return;
}
cp.exec("rm -rf " + name); // $ Sink SPURIOUS: Alert - FP due to `path.accessSync` not being recognized as a sanitizer.
cp.exec("rm -rf " + name); // $ SPURIOUS: Alert - FP due to `path.accessSync` not being recognized as a sanitizer.
}
var cleanInput = function (s) {
@@ -246,26 +246,26 @@ var cleanInput = function (s) {
}
module.exports.goodSanitizer = function (name) { // $ Source
cp.exec("rm -rf " + name); // $ Alert Sink
cp.exec("rm -rf " + name); // $ Alert
var cleaned = cleanInput(name);
cp.exec("rm -rf " + cleaned); // $ Sink SPURIOUS: Alert - SanitizingRegExpTest is not able to generate a barrier edge for an edge into a phi node.
cp.exec("rm -rf " + cleaned); // $ SPURIOUS: Alert - SanitizingRegExpTest is not able to generate a barrier edge for an edge into a phi node.
}
var fs = require("fs");
module.exports.guard2 = function (name) { // $ Source
cp.exec("rm -rf " + name); // $ Alert Sink
cp.exec("rm -rf " + name); // $ Alert
if (!fs.existsSync("prefix/" + name)) {
cp.exec("rm -rf prefix/" + name); // $ Alert Sink
cp.exec("rm -rf prefix/" + name); // $ Alert
return;
}
cp.exec("rm -rf prefix/" + name);
}
module.exports.sanitizerProperty = function (obj) { // $ Source
cp.exec("rm -rf " + obj.version); // $ Alert Sink
cp.exec("rm -rf " + obj.version); // $ Alert
obj.version = "";
@@ -274,11 +274,11 @@ module.exports.sanitizerProperty = function (obj) { // $ Source
module.exports.Foo = class Foo {
start(opts) { // $ Source
cp.exec("rm -rf " + opts.bla); // $ Alert Sink
cp.exec("rm -rf " + opts.bla); // $ Alert
this.opts = {};
this.opts.bla = opts.bla
cp.exec("rm -rf " + this.opts.bla); // $ Alert Sink
cp.exec("rm -rf " + this.opts.bla); // $ Alert
}
}
@@ -305,24 +305,24 @@ function sanitizeShellString(str) {
}
module.exports.sanitizer2 = function (name) { // $ Source
cp.exec("rm -rf " + name); // $ Alert Sink
cp.exec("rm -rf " + name); // $ Alert
var sanitized = sanitizeShellString(name);
cp.exec("rm -rf " + sanitized);
}
module.exports.typeofcheck = function (name) { // $ Source
cp.exec("rm -rf " + name); // $ Alert Sink
cp.exec("rm -rf " + name); // $ Alert
if (typeof name === "undefined") {
cp.exec("rm -rf " + name);
} else {
cp.exec("rm -rf " + name); // $ Alert Sink
cp.exec("rm -rf " + name); // $ Alert
}
}
module.exports.typeofcheck = function (arg) { // $ Source
var cmd = "MyWindowCommand | findstr /i /c:" + arg; // $ Alert Sink
var cmd = "MyWindowCommand | findstr /i /c:" + arg; // $ Alert
cp.exec(cmd);
}
@@ -337,7 +337,7 @@ module.exports.unproblematic = function() {
};
module.exports.problematic = function(n) { // $ Source
cp.exec("rm -rf " + id(n)); // $ Alert Sink
cp.exec("rm -rf " + id(n)); // $ Alert
};
module.exports.typeofNumber = function(n) {
@@ -348,7 +348,7 @@ module.exports.typeofNumber = function(n) {
function boundProblem(safe, unsafe) { // $ Source
cp.exec("rm -rf " + safe);
cp.exec("rm -rf " + unsafe); // $ Alert Sink
cp.exec("rm -rf " + unsafe); // $ Alert
}
Object.defineProperty(module.exports, "boundProblem", {
@@ -403,7 +403,7 @@ function yetAnohterSanitizer(str) {
}
module.exports.sanitizer3 = function (name) { // $ Source
cp.exec("rm -rf " + name); // $ Alert Sink
cp.exec("rm -rf " + name); // $ Alert
var sanitized = yetAnohterSanitizer(name);
cp.exec("rm -rf " + sanitized);
@@ -412,7 +412,7 @@ module.exports.sanitizer3 = function (name) { // $ Source
const cp = require("child_process");
const spawn = cp.spawn;
module.exports.shellOption = function (name) { // $ Source
cp.exec("rm -rf " + name); // $ Alert Sink
cp.exec("rm -rf " + name); // $ Alert
cp.execFile("rm", ["-rf", name], {shell: true}, (err, out) => {}); // $ Alert
cp.spawn("rm", ["-rf", name], {shell: true}); // $ Alert
@@ -439,12 +439,12 @@ function build(first, last) {
var asyncExec = require("async-execute");
module.exports.asyncStuff = function (name) { // $ Source
asyncExec("rm -rf " + name); // $ Alert Sink
asyncExec("rm -rf " + name); // $ Alert
}
const myFuncs = {
myFunc: function (name) { // $ Source
asyncExec("rm -rf " + name); // $ Alert Sink
asyncExec("rm -rf " + name); // $ Alert
}
};
@@ -480,7 +480,7 @@ module.exports.check = function check(config) { // $ Source
}
module.exports.splitConcat = function (name) { // $ Source
let args = ' my name is ' + name; // $ Alert Sink
let args = ' my name is ' + name; // $ Alert
let cmd = 'echo';
cp.exec(cmd + args);
}
@@ -496,7 +496,7 @@ module.exports.myCommand = function (myCommand) {
};
module.exports.myIndirectThing = function (name) { // $ Source
MyThing.cp.exec("rm -rf " + name); // $ Alert Sink
MyThing.cp.exec("rm -rf " + name); // $ Alert
}
});
@@ -507,42 +507,42 @@ for (var name in imp){
}
module.exports.sanitizer4 = function (name) { // $ Source
cp.exec("rm -rf " + name); // $ Alert Sink
cp.exec("rm -rf " + name); // $ Alert
if (isNaN(name)) {
cp.exec("rm -rf " + name); // $ Alert Sink
cp.exec("rm -rf " + name); // $ Alert
} else {
cp.exec("rm -rf " + name);
}
if (isNaN(parseInt(name))) {
cp.exec("rm -rf " + name); // $ Alert Sink
cp.exec("rm -rf " + name); // $ Alert
} else {
cp.exec("rm -rf " + name);
}
if (isNaN(+name)) {
cp.exec("rm -rf " + name); // $ Alert Sink
cp.exec("rm -rf " + name); // $ Alert
} else {
cp.exec("rm -rf " + name);
}
if (isNaN(parseInt(name, 10))) {
cp.exec("rm -rf " + name); // $ Alert Sink
cp.exec("rm -rf " + name); // $ Alert
} else {
cp.exec("rm -rf " + name);
}
if (isNaN(name - 0)) {
cp.exec("rm -rf " + name); // $ Alert Sink
cp.exec("rm -rf " + name); // $ Alert
} else {
cp.exec("rm -rf " + name);
}
if (isNaN(name | 0)) { // <- not a sanitizer
cp.exec("rm -rf " + name); // $ Alert Sink
cp.exec("rm -rf " + name); // $ Alert
} else {
cp.exec("rm -rf " + name); // $ Alert Sink
cp.exec("rm -rf " + name); // $ Alert
}
}
@@ -557,26 +557,26 @@ module.exports.shellThing = function (name) { // $ Source
module.exports.badSanitizer = function (name) { // $ Source
if (!name.match(/^(.|\.){1,64}$/)) { // <- bad sanitizer
exec("rm -rf " + name); // $ Alert Sink
exec("rm -rf " + name); // $ Alert
} else {
exec("rm -rf " + name); // $ Alert Sink
exec("rm -rf " + name); // $ Alert
}
if (!name.match(/^\w{1,64}$/)) { // <- good sanitizer
exec("rm -rf " + name); // $ Alert Sink
exec("rm -rf " + name); // $ Alert
} else {
exec("rm -rf " + name);
}
}
module.exports.safeWithBool = function (name) { // $ Source
cp.exec("rm -rf " + name); // $ Alert Sink
cp.exec("rm -rf " + name); // $ Alert
if (isSafeName(name)) {
cp.exec("rm -rf " + name);
}
cp.exec("rm -rf " + name); // $ Alert Sink
cp.exec("rm -rf " + name); // $ Alert
if (isSafeName(name) === true) {
cp.exec("rm -rf " + name);
@@ -587,10 +587,10 @@ module.exports.safeWithBool = function (name) { // $ Source
}
if (isSafeName(name) == false) {
cp.exec("rm -rf " + name); // $ Alert Sink
cp.exec("rm -rf " + name); // $ Alert
}
cp.exec("rm -rf " + name); // $ Alert Sink
cp.exec("rm -rf " + name); // $ Alert
}
function indirectThing(name) {
@@ -606,7 +606,7 @@ function moreIndirect(name) {
}
module.exports.veryIndeirect = function (name) { // $ Source
cp.exec("rm -rf " + name); // $ Alert Sink
cp.exec("rm -rf " + name); // $ Alert
if (indirectThing(name)) {
cp.exec("rm -rf " + name);
@@ -623,15 +623,15 @@ module.exports.veryIndeirect = function (name) { // $ Source
if (moreIndirect(name) !== false) {
cp.exec("rm -rf " + name);
} else {
cp.exec("rm -rf " + name); // $ Alert Sink
cp.exec("rm -rf " + name); // $ Alert
}
cp.exec("rm -rf " + name); // $ Alert Sink
cp.exec("rm -rf " + name); // $ Alert
}
module.exports.sanitizer = function (name) { // $ Source
var sanitized = "'" + name.replace(new RegExp("\'"), "'\\''") + "'" // $ Alert Sink
cp.exec("rm -rf " + sanitized); // $ Alert Sink
var sanitized = "'" + name.replace(new RegExp("\'"), "'\\''") + "'" // $ Alert
cp.exec("rm -rf " + sanitized); // $ Alert
var sanitized = "'" + name.replace(new RegExp("\'", 'g'), "'\\''") + "'"
cp.exec("rm -rf " + sanitized);

6
javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/lib2.js
View File

@@ -1,9 +1,9 @@
var cp = require("child_process")
module.exports = function (name) { // $ Source
cp.exec("rm -rf " + name); // $ Alert Sink - is imported from main module.
cp.exec("rm -rf " + name); // $ Alert - is imported from main module.
};
module.exports.foo = function (name) { // $ Source
cp.exec("rm -rf " + name); // $ Alert Sink - is imported from main module.
};
cp.exec("rm -rf " + name); // $ Alert - is imported from main module.
};

4
javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/subLib/amdSub.js
View File

@@ -1,5 +1,5 @@
const cp = require("child_process");
module.exports = function (name) { // $ Source
cp.exec("rm -rf " + name); // $ Alert Sink - this function is exported from `amd.js`
};
cp.exec("rm -rf " + name); // $ Alert - this function is exported from `amd.js`
};

6
javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/subLib/index.js
View File

@@ -1,15 +1,15 @@
var cp = require("child_process")
module.exports = function (name) { // $ Source
cp.exec("rm -rf " + name); // $ Alert Sink - functions exported as part of a submodule are also flagged.
cp.exec("rm -rf " + name); // $ Alert - functions exported as part of a submodule are also flagged.
};
module.exports.foo = function (name) { // $ Source
cp.exec("rm -rf " + name); // $ Alert Sink - this is being called explicitly from child_process-test.js
cp.exec("rm -rf " + name); // $ Alert - this is being called explicitly from child_process-test.js
};
module.exports.amd = require("./amd.js");
module.exports.arrToShell = function (cmd, arr) { // $ Source
cp.spawn("echo", arr, {shell: true}); // $ Alert
}
}

2
javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/subLib2/compiled-file.ts
View File

@@ -1,5 +1,5 @@
var cp = require("child_process")
export default function (name) { // $ Source
cp.exec("rm -rf " + name); // $ Alert Sink - the "files" directory points to this file.
cp.exec("rm -rf " + name); // $ Alert - the "files" directory points to this file.
}

4
javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/subLib2/special-file.js
View File

@@ -1,5 +1,5 @@
var cp = require("child_process")
module.exports = function (name) { // $ Source
cp.exec("rm -rf " + name); // $ Alert Sink - the "files" directory points to this file.
};
cp.exec("rm -rf " + name); // $ Alert - the "files" directory points to this file.
};

2
javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/subLib3/my-file.ts
View File

@@ -1,5 +1,5 @@
var cp = require("child_process")
module.exports = function (name) { // $ Source
cp.exec("rm -rf " + name); // $ Alert Sink - functions exported as part of a submodule are also flagged.
cp.exec("rm -rf " + name); // $ Alert - functions exported as part of a submodule are also flagged.
};

2
javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/subLib4/subsub.js
View File

@@ -1,5 +1,5 @@
const cp = require("child_process")
module.exports = function (name) {
cp.exec("rm -rf " + name); // $ Alert Sink - functions exported as part of a submodule are also flagged.
cp.exec("rm -rf " + name); // $ Alert - functions exported as part of a submodule are also flagged.
};

4
javascript/ql/test/query-tests/Security/CWE-400/ReDoS/lib/closure.js
View File

@@ -1,5 +1,5 @@
goog.module('x.y.z.closure2');
exports = function (x) { // $ Source[js/polynomial-redos]
/u*o/.test(x); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
}
/u*o/.test(x); // $ Alert[js/polynomial-redos]
}

4
javascript/ql/test/query-tests/Security/CWE-400/ReDoS/lib/indirect.js
View File

@@ -1,3 +1,3 @@
module.exports.foo = function (x) { // $ Source[js/polynomial-redos]
/k*h/.test(x); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
}
/k*h/.test(x); // $ Alert[js/polynomial-redos]
}

14
javascript/ql/test/query-tests/Security/CWE-400/ReDoS/lib/lib.js
View File

@@ -1,11 +1,11 @@
var regexp = /a*b/;
module.exports = function (name) { // $ Source[js/polynomial-redos]
regexp.test(name); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
regexp.test(name); // $ Alert[js/polynomial-redos]
};
function bar(reg, name) { // $ Source[js/polynomial-redos]
/f*g/.test(name); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
/f*g/.test(name); // $ Alert[js/polynomial-redos]
}
if (typeof define !== 'undefined' && define.amd) { // AMD
@@ -33,16 +33,16 @@ module.exports.useArguments = function () {
}
function usedWithArguments(name) {
/f*g/.test(name); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
/f*g/.test(name); // $ Alert[js/polynomial-redos]
}
module.exports.snapdragon = require("./snapdragon")
module.exports.foo = function (name) { // $ Source[js/polynomial-redos]
var data1 = name.match(/f*g/); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
var data1 = name.match(/f*g/); // $ Alert[js/polynomial-redos]
name = name.substr(1);
var data2 = name.match(/f*g/); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
var data2 = name.match(/f*g/); // $ Alert[js/polynomial-redos]
}
var indirectAssign = {};
@@ -50,6 +50,6 @@ module.exports.indirectAssign = indirectAssign;
Object.assign(indirectAssign, {
myThing: function (name) { // $ Source[js/polynomial-redos]
/f*g/.test(name); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
/f*g/.test(name); // $ Alert[js/polynomial-redos]
},
});
});

2
javascript/ql/test/query-tests/Security/CWE-400/ReDoS/lib/moduleLib/moduleLib.js
View File

@@ -1,3 +1,3 @@
module.exports = function (name) { // $ Source[js/polynomial-redos]
/a*b/.test(name); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
/a*b/.test(name); // $ Alert[js/polynomial-redos]
};

2
javascript/ql/test/query-tests/Security/CWE-400/ReDoS/lib/otherLib/js/src/index.js
View File

@@ -1,3 +1,3 @@
module.exports = function (name) { // $ Source[js/polynomial-redos]
/a*b/.test(name); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
/a*b/.test(name); // $ Alert[js/polynomial-redos]
};

6
javascript/ql/test/query-tests/Security/CWE-400/ReDoS/lib/snapdragon.js
View File

@@ -4,7 +4,7 @@ module.exports.test1 = function (input) { // $ Source[js/polynomial-redos]
var snapdragon = new Snapdragon();
var ast = snapdragon.parser
.set("foo", function () {
var m = this.match(/aa*$/); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
var m = this.match(/aa*$/); // $ Alert[js/polynomial-redos]
})
.parse(input, options);
};
@@ -12,7 +12,7 @@ module.exports.test1 = function (input) { // $ Source[js/polynomial-redos]
module.exports.test2 = function (input) { // $ Source[js/polynomial-redos]
var snapdragon = new Snapdragon();
snapdragon.parser.set("foo", function () {
var m = this.match(/aa*$/); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
var m = this.match(/aa*$/); // $ Alert[js/polynomial-redos]
});
snapdragon.parse(input, options);
};
@@ -20,7 +20,7 @@ module.exports.test2 = function (input) { // $ Source[js/polynomial-redos]
module.exports.test3 = function (input) { // $ Source[js/polynomial-redos]
var snapdragon = new Snapdragon();
snapdragon.compiler.set("foo", function (node) {
node.val.match(/aa*$/); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
node.val.match(/aa*$/); // $ Alert[js/polynomial-redos]
});
snapdragon.compile(input, options);
};

4
javascript/ql/test/query-tests/Security/CWE-400/ReDoS/lib/subLib4/factory.js
View File

@@ -5,6 +5,6 @@
}(this, (function (exports) { 'use strict';
exports.foo = function (name) { // $ Source[js/polynomial-redos]
/f*g/.test(name); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
/f*g/.test(name); // $ Alert[js/polynomial-redos]
}
})));
})));

4
javascript/ql/test/query-tests/Security/CWE-400/ReDoS/lib/subLib5/feature.js
View File

@@ -1,3 +1,3 @@
module.exports = function (name) { // $ Source[js/polynomial-redos]
/a*b/.test(name); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
};
/a*b/.test(name); // $ Alert[js/polynomial-redos]
}

2
javascript/ql/test/query-tests/Security/CWE-400/ReDoS/lib/subLib5/main.js
View File

@@ -1,5 +1,5 @@
module.exports = function (name) { // $ Source[js/polynomial-redos]
/a*b/.test(name); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
/a*b/.test(name); // $ Alert[js/polynomial-redos]
};
const SubClass = require('./subclass');

2
javascript/ql/test/query-tests/Security/CWE-400/ReDoS/lib/subLib5/subclass.js
View File

@@ -2,7 +2,7 @@ class Subclass {
constructor() {}
define(name) { // $ Source[js/polynomial-redos]
/a*b/.test(name); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
/a*b/.test(name); // $ Alert[js/polynomial-redos]
}
}

4
javascript/ql/test/query-tests/Security/CWE-400/ReDoS/lib/subLib6/index.js
View File

@@ -1,3 +1,3 @@
module.exports.foo = function (name) { // $ Source[js/polynomial-redos]
/f*g/.test(name); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
}
/f*g/.test(name); // $ Alert[js/polynomial-redos]
}

2
javascript/ql/test/query-tests/Security/CWE-400/ReDoS/lib/sublib/factory.js
View File

@@ -10,7 +10,7 @@
}(this, function () {
function create() {
return function (name) { // $ Source[js/polynomial-redos]
/f*g/.test(name); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
/f*g/.test(name); // $ Alert[js/polynomial-redos]
}
}
return create()

144
javascript/ql/test/query-tests/Security/CWE-400/ReDoS/polynomial-redos.js
View File

@@ -4,140 +4,140 @@ var app = express();
app.use(function(req, res) {
let tainted = req.query.tainted; // $ Source[js/polynomial-redos]
tainted.replace(/^\s+|\s+$/g, ''); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
tainted.split(/ *, */); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
tainted.replace(/\s*\n\s*/g, ' '); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
tainted.replace(/^\s+|\s+$/g, ''); // $ Alert[js/polynomial-redos]
tainted.split(/ *, */); // $ Alert[js/polynomial-redos]
tainted.replace(/\s*\n\s*/g, ' '); // $ Alert[js/polynomial-redos]
tainted.split('\n');
tainted.replace(/.*[/\\]/, ''); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
tainted.replace(/.*\./, ''); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
tainted.replace(/.*[/\\]/, ''); // $ Alert[js/polynomial-redos]
tainted.replace(/.*\./, ''); // $ Alert[js/polynomial-redos]
tainted.replace(/^.*[/\\]/, '');
tainted.replace(/^.*\./, '');
tainted.replace(/^(`+)\s*([\s\S]*?[^`])\s*\1(?!`)/); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
tainted.replace(/^(`+)([\s\S]*?[^`])\1(?!`)/); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
/^(.*,)+(.+)?$/.test(tainted); // $ Alert[js/polynomial-redos] Alert[js/redos] Sink[js/polynomial-redos]
tainted.match(/[0-9]*['a-z\u00A0-\u05FF\u0700-\uD7FF\uF900-\uFDCF\uFDF0-\uFFEF]+|[\u0600-\u06FF\/]+(\s*?[\u0600-\u06FF]+){1,2}/i); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
tainted.match(/[0-9]*['a-z\u00A0-\u05FF\u0700-\uD7FF\uF900-\uFDCF\uFDF0-\uFFEF]{1,256}|[\u0600-\u06FF\/]{1,256}(\s*?[\u0600-\u06FF]{1,256}){1,2}/i); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos] - even though it is a proposed fix for the above
tainted.match(/^(\+|-)?(\d+|(\d*\.\d*))?(E|e)?([-+])?(\d+)?$/); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
tainted.replace(/^(`+)\s*([\s\S]*?[^`])\s*\1(?!`)/); // $ Alert[js/polynomial-redos]
tainted.replace(/^(`+)([\s\S]*?[^`])\1(?!`)/); // $ Alert[js/polynomial-redos]
/^(.*,)+(.+)?$/.test(tainted); // $ Alert[js/polynomial-redos] Alert[js/redos]
tainted.match(/[0-9]*['a-z\u00A0-\u05FF\u0700-\uD7FF\uF900-\uFDCF\uFDF0-\uFFEF]+|[\u0600-\u06FF\/]+(\s*?[\u0600-\u06FF]+){1,2}/i); // $ Alert[js/polynomial-redos]
tainted.match(/[0-9]*['a-z\u00A0-\u05FF\u0700-\uD7FF\uF900-\uFDCF\uFDF0-\uFFEF]{1,256}|[\u0600-\u06FF\/]{1,256}(\s*?[\u0600-\u06FF]{1,256}){1,2}/i); // $ Alert[js/polynomial-redos] - even though it is a proposed fix for the above
tainted.match(/^(\+|-)?(\d+|(\d*\.\d*))?(E|e)?([-+])?(\d+)?$/); // $ Alert[js/polynomial-redos]
if (tainted.length < 7000) {
tainted.match(/^(\+|-)?(\d+|(\d*\.\d*))?(E|e)?([-+])?(\d+)?$/); // OK - but flagged
}
tainted.match(/^([a-z0-9-]+)[ \t]+([a-zA-Z0-9+\/ \t\n]+[=]*)(.*)$/); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
tainted.match(/^([a-z0-9-]+)[ \t]+([a-zA-Z0-9+\/ \t\n]+[=]*)(.*)$/); // $ Alert[js/polynomial-redos]
tainted.match(/^([a-z0-9-]+)[ \t\n]+([a-zA-Z0-9+\/][a-zA-Z0-9+\/ \t\n=]*)([^a-zA-Z0-9+\/ \t\n=].*)?$/);
/[a-z][A-Z]|[A-Z]{2,}[a-z]|[0-9][a-zA-Z]|[a-zA-Z][0-9]|[^a-zA-Z0-9 ]/.test(tainted); // $ MISSING: Alert[js/polynomial-redos] - not detected due to not supporting ranges
/[a-z][A-Z]|[A-Z]{2}[a-z]|[0-9][a-zA-Z]|[a-zA-Z][0-9]|[^a-zA-Z0-9 ]/.test(tainted);
tainted.replace(/[?]+.*$/g, ""); // $ Sink[js/polynomial-redos] SPURIOUS: Alert[js/polynomial-redos] - can not fail once a match has started
tainted.replace(/[?]+.*$/g, ""); // $ SPURIOUS: Alert[js/polynomial-redos] - can not fail once a match has started
tainted.replace(/\-\-+/g, "-").replace(/-+$/, ""); // OK - indirectly sanitized
tainted.replace(/\n\n\n+/g, "\n").replace(/\n*$/g, ""); // OK - indirectly sanitized
tainted.match(/(.)*solve\/challenges\/server-side(.)*/); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
tainted.match(/(.)*solve\/challenges\/server-side(.)*/); // $ Alert[js/polynomial-redos]
tainted.match(/<head>(?![\s\S]*<head>)/i);
tainted.match(/<.*class="([^"]+)".*>/); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
tainted.match(/<.*style="([^"]+)".*>/); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
tainted.match(/<.*href="([^"]+)".*>/); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
tainted.match(/<.*class="([^"]+)".*>/); // $ Alert[js/polynomial-redos]
tainted.match(/<.*style="([^"]+)".*>/); // $ Alert[js/polynomial-redos]
tainted.match(/<.*href="([^"]+)".*>/); // $ Alert[js/polynomial-redos]
tainted.match(/^([^-]+)-([A-Za-z0-9+/]+(?:=?=?))([?\x21-\x7E]*)$/); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
tainted.match(/^([^-]+)-([A-Za-z0-9+/]+(?:=?=?))([?\x21-\x7E]*)$/); // $ Alert[js/polynomial-redos]
tainted.match(/^([^-]+)-([A-Za-z0-9+/=]{44,88})(\?[\x21-\x7E]*)*$/); // $ Alert[js/redos] - it is a fix for the above, but it introduces exponential complexity elsewhere
tainted.match(/^([a-z0-9-]+)[ \t]+([a-zA-Z0-9+\/]+[=]*)([\n \t]+([^\n]+))?$/); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
tainted.match(/^([a-z0-9-]+)[ \t]+([a-zA-Z0-9+\/]+[=]*)([\n \t]+([^\n]+))?$/); // $ Alert[js/polynomial-redos]
tainted.match(/^([a-z0-9-]+)[ \t]+([a-zA-Z0-9+\/]+[=]*)([ \t]+([^ \t][^\n]*[\n]*)?)?$/);
tainted.match(/^(?:\.?[a-zA-Z_][a-zA-Z_0-9]*)+$/); // $ Alert[js/redos]
tainted.match(/^(?:\.?[a-zA-Z_][a-zA-Z_0-9]*)(?:\.[a-zA-Z_][a-zA-Z_0-9]*)*$/);
tainted.replaceAll(/\s*\n\s*/g, ' '); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
tainted.replaceAll(/\s*\n\s*/g, ' '); // $ Alert[js/polynomial-redos]
/Y.*X/.test(tainted); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
/B?(YH|K)(YH|J)*X/.test(tainted) // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
(/B?(YH|K).*X/.test(tainted)); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
/(B|Y)+(Y)*X/.test(tainted) // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
(/(B|Y)+(.)*X/.test(tainted)) // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
(/f(B|Y)+(Y)*X/.test(tainted)); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
/f(B|Y)+(Y)*X/.test(tainted) // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
(/f(B|Y)+(Y|K)*X/.test(tainted)) // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
(/f(B|Y)+.*X/.test(tainted)) // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
(/f(B|Y)+(.)*X/.test(tainted)) // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
/Y.*X/.test(tainted); // $ Alert[js/polynomial-redos]
/B?(YH|K)(YH|J)*X/.test(tainted) // $ Alert[js/polynomial-redos]
(/B?(YH|K).*X/.test(tainted)); // $ Alert[js/polynomial-redos]
/(B|Y)+(Y)*X/.test(tainted) // $ Alert[js/polynomial-redos]
(/(B|Y)+(.)*X/.test(tainted)) // $ Alert[js/polynomial-redos]
(/f(B|Y)+(Y)*X/.test(tainted)); // $ Alert[js/polynomial-redos]
/f(B|Y)+(Y)*X/.test(tainted) // $ Alert[js/polynomial-redos]
(/f(B|Y)+(Y|K)*X/.test(tainted)) // $ Alert[js/polynomial-redos]
(/f(B|Y)+.*X/.test(tainted)) // $ Alert[js/polynomial-redos]
(/f(B|Y)+(.)*X/.test(tainted)) // $ Alert[js/polynomial-redos]
(/^(.)*X/.test(tainted));
(/^Y(Y)*X/.test(tainted));
(/^Y*Y*X/.test(tainted)); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
(/^(K|Y)+Y*X/.test(tainted)); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
(/^foo(K|Y)+Y*X/.test(tainted)); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
(/^foo(K|Y)+.*X/.test(tainted)); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
(/(K|Y).*X/.test(tainted)); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
(/[^Y].*X/.test(tainted)); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
(/^Y*Y*X/.test(tainted)); // $ Alert[js/polynomial-redos]
(/^(K|Y)+Y*X/.test(tainted)); // $ Alert[js/polynomial-redos]
(/^foo(K|Y)+Y*X/.test(tainted)); // $ Alert[js/polynomial-redos]
(/^foo(K|Y)+.*X/.test(tainted)); // $ Alert[js/polynomial-redos]
(/(K|Y).*X/.test(tainted)); // $ Alert[js/polynomial-redos]
(/[^Y].*X/.test(tainted)); // $ Alert[js/polynomial-redos]
(/[^Y].*$/.test(req.url)); // OK - the input cannot contain newlines.
(/[^Y].*$/.test(req.body)); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
(/[^Y].*$/.test(req.body)); // $ Alert[js/polynomial-redos]
tainted.match(/^([^-]+)-([A-Za-z0-9+/]+(?:=?=?))([?\x21-\x7E]*)$/); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
tainted.match(/^([^-]+)-([A-Za-z0-9+/]+(?:=?=?))([?\x21-\x7E]*)$/); // $ Alert[js/polynomial-redos]
tainted.match(new RegExp("(MSIE) (\\d+)\\.(\\d+).*XBLWP7")); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
tainted.match(new RegExp("(MSIE) (\\d+)\\.(\\d+).*XBLWP7")); // $ Alert[js/polynomial-redos]
tainted.match(/<.*class="([^"]+)".*>/); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
tainted.match(/<.*class="([^"]+)".*>/); // $ Alert[js/polynomial-redos]
tainted.match(/Y.*X/); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
tainted.match(/Y.*X/); // $ Alert[js/polynomial-redos]
tatined.match(/B?(YH|K)(YH|J)*X/); // $ MISSING: Alert[js/polynomial-redos]
tainted.match(/a*b/); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos] - the initial repetition can start matching anywhere.
tainted.match(/cc*D/); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
tainted.match(/a*b/); // $ Alert[js/polynomial-redos] - the initial repetition can start matching anywhere.
tainted.match(/cc*D/); // $ Alert[js/polynomial-redos]
tainted.match(/^ee*F/);
tainted.match(/^g*g*/);
tainted.match(/^h*i*/);
tainted.match(/^(ab)*ab(ab)*X/); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
tainted.match(/^(ab)*ab(ab)*X/); // $ Alert[js/polynomial-redos]
tainted.match(/aa*X/); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
tainted.match(/^a*a*X/); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
tainted.match(/\wa*X/); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
tainted.match(/aa*X/); // $ Alert[js/polynomial-redos]
tainted.match(/^a*a*X/); // $ Alert[js/polynomial-redos]
tainted.match(/\wa*X/); // $ Alert[js/polynomial-redos]
tainted.match(/a*b*c*/);
tainted.match(/a*a*a*a*/);
tainted.match(/^([3-7]|A)*([2-5]|B)*X/); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
tainted.match(/^\d*([2-5]|B)*X/); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
tainted.match(/^([3-7]|A)*\d*X/); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
tainted.match(/^([3-7]|A)*([2-5]|B)*X/); // $ Alert[js/polynomial-redos]
tainted.match(/^\d*([2-5]|B)*X/); // $ Alert[js/polynomial-redos]
tainted.match(/^([3-7]|A)*\d*X/); // $ Alert[js/polynomial-redos]
tainted.match(/^(ab)+ab(ab)+X/); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
tainted.match(/^(ab)+ab(ab)+X/); // $ Alert[js/polynomial-redos]
tainted.match(/aa+X/); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
tainted.match(/a+X/); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
tainted.match(/^a+a+X/); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
tainted.match(/\wa+X/); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
tainted.match(/a+b+c+/); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
tainted.match(/aa+X/); // $ Alert[js/polynomial-redos]
tainted.match(/a+X/); // $ Alert[js/polynomial-redos]
tainted.match(/^a+a+X/); // $ Alert[js/polynomial-redos]
tainted.match(/\wa+X/); // $ Alert[js/polynomial-redos]
tainted.match(/a+b+c+/); // $ Alert[js/polynomial-redos]
tainted.match(/a+a+a+a+/);
tainted.match(/^([3-7]|A)+([2-5]|B)+X/); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
tainted.match(/^\d+([2-5]|B)+X/); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
tainted.match(/^([3-7]|A)+\d+X/); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
tainted.match(/^([3-7]|A)+([2-5]|B)+X/); // $ Alert[js/polynomial-redos]
tainted.match(/^\d+([2-5]|B)+X/); // $ Alert[js/polynomial-redos]
tainted.match(/^([3-7]|A)+\d+X/); // $ Alert[js/polynomial-redos]
tainted.match(/\s*$/); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
tainted.match(/\s+$/); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
tainted.match(/\s*$/); // $ Alert[js/polynomial-redos]
tainted.match(/\s+$/); // $ Alert[js/polynomial-redos]
tainted.match(/^\d*5\w*$/); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
tainted.match(/^\d*5\w*$/); // $ Alert[js/polynomial-redos]
tainted.match(/\/\*[\d\D]*?\*\//g); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
tainted.match(/\/\*[\d\D]*?\*\//g); // $ Alert[js/polynomial-redos]
tainted.match(/(#\d+)+/); // $ Sink[js/polynomial-redos] SPURIOUS: Alert[js/polynomial-redos] - flagged due to insufficient suffix-checking.
tainted.match(/(#\d+)+/); // $ SPURIOUS: Alert[js/polynomial-redos] - flagged due to insufficient suffix-checking.
(function foo() {
var replaced = tainted.replace(/[^\w\s\-\.\_~]/g, '');
var result = ""
result += replaced;
result = result.replace(/^\s+|\s+$/g, ''); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
result = result.replace(/^\s+|\s+$/g, ''); // $ Alert[js/polynomial-redos]
})();
tainted.match(/(https?:\/\/[^\s]+)/gm);
var modified = tainted.replace(/a/g, "b");
modified.replace(/cc+D/g, "b"); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
modified.replace(/cc+D/g, "b"); // $ Alert[js/polynomial-redos]
var modified2 = tainted.replace(/a|b|c|\d/g, "e");
modified2.replace(/ff+G/g, "b"); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
modified2.replace(/ff+G/g, "b"); // $ Alert[js/polynomial-redos]
var modified3 = tainted.replace(/\s+/g, "");
modified3.replace(/hh+I/g, "b"); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
modified3.replace(/hh+I/g, "b"); // $ Alert[js/polynomial-redos]
tainted.match(/(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)C.*X/); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
tainted.match(/(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)C.*X/); // $ Alert[js/polynomial-redos]
modified3.replace(new RegExp("hh+I", "g"), "b"); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
modified3.replace(new RegExp("hh+I", unknownFlags()), "b"); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
modified3.replace(new RegExp("hh+I", ""), "b"); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
modified3.replace(new RegExp("hh+I", "g"), "b"); // $ Alert[js/polynomial-redos]
modified3.replace(new RegExp("hh+I", unknownFlags()), "b"); // $ Alert[js/polynomial-redos]
modified3.replace(new RegExp("hh+I", ""), "b"); // $ Alert[js/polynomial-redos]
});

2
javascript/ql/test/query-tests/Security/CWE-918/Request/app/api/proxy/route.serverSide.ts
View File

@@ -1,5 +1,5 @@
export async function POST(req: Request) {
const { url } = await req.json(); // $ Source[js/request-forgery]
const res = await fetch(url); // $ Alert[js/request-forgery] Sink[js/request-forgery]
const res = await fetch(url); // $ Alert[js/request-forgery]
return new Response(res.body, { headers: res.headers });
}

2
javascript/ql/test/query-tests/Security/CWE-918/Request/app/api/proxy/route2.serverSide.ts
View File

@@ -2,7 +2,7 @@ import { NextRequest, NextResponse } from 'next/server';
export async function POST(req: NextRequest) {
const { url } = await req.json(); // $ Source[js/request-forgery]
const res = await fetch(url); // $ Alert[js/request-forgery] Sink[js/request-forgery]
const res = await fetch(url); // $ Alert[js/request-forgery]
const data = await res.text();
return new NextResponse(data, { headers: res.headers });
}

5
javascript/ql/test/query-tests/Security/CWE-918/Request/middleware.ts
View File

@@ -4,15 +4,14 @@ export async function middleware(req: NextRequest) {
const target = req.nextUrl // $ Source[js/request-forgery]
const target2 = target.searchParams.get('target'); // $ Source[js/request-forgery]
if (target) {
const res = await fetch(target) // $ Alert[js/request-forgery] Sink[js/request-forgery]
const res = await fetch(target) // $ Alert[js/request-forgery]
const data = await res.text()
return new NextResponse(data)
}
if (target2) {
const res = await fetch(target2); // $ Alert[js/request-forgery] Sink[js/request-forgery]
const res = await fetch(target2); // $ Alert[js/request-forgery]
const data = await res.text();
return new NextResponse(data);
}
return NextResponse.next()
}

4
javascript/ql/test/query-tests/Security/CWE-918/apollo.serverSide.ts
View File

@@ -5,7 +5,7 @@ function createApolloServer(typeDefs) {
const resolvers = {
Mutation: {
downloadFiles: async (_, { files }) => { // $ Source[js/request-forgery]
files.forEach((file) => { get(file.url, (res) => {}); }); // $ Alert[js/request-forgery] Sink[js/request-forgery]
files.forEach((file) => { get(file.url, (res) => {}); }); // $ Alert[js/request-forgery]
return true;
},
},
@@ -15,7 +15,7 @@ function createApolloServer(typeDefs) {
const resolvers2 = {
Mutation: {
downloadFiles: async (_, { files }) => { // $ Source[js/request-forgery]
files.forEach((file) => { get(file.url, (res) => {}); }); // $ Alert[js/request-forgery] Sink[js/request-forgery]
files.forEach((file) => { get(file.url, (res) => {}); }); // $ Alert[js/request-forgery]
return true;
},
},

8
javascript/ql/test/query-tests/Security/CWE-918/clientSide.js
View File

@@ -9,16 +9,16 @@ export function MyComponent() {
request(params.foo); // Possibly problematic, but not currently flagged.
const query = window.location.search.substring(1); // $ Source[js/client-side-request-forgery]
request('https://example.com/api/' + query + '/id'); // $ Alert[js/client-side-request-forgery] Sink[js/client-side-request-forgery]
request('https://example.com/api/' + query + '/id'); // $ Alert[js/client-side-request-forgery]
request('https://example.com/api?q=' + query);
request('https://example.com/api/' + window.location.search); // $ Alert[js/client-side-request-forgery] Sink[js/client-side-request-forgery] - likely OK - but currently flagged anyway
request('https://example.com/api/' + window.location.search); // $ Alert[js/client-side-request-forgery] - likely OK - but currently flagged anyway
const fragment = window.location.hash.substring(1); // $ Source[js/client-side-request-forgery]
request('https://example.com/api/' + fragment + '/id'); // $ Alert[js/client-side-request-forgery] Sink[js/client-side-request-forgery]
request('https://example.com/api/' + fragment + '/id'); // $ Alert[js/client-side-request-forgery]
request('https://example.com/api?q=' + fragment);
const name = window.name; // $ Source[js/client-side-request-forgery]
request('https://example.com/api/' + name + '/id'); // $ Alert[js/client-side-request-forgery] Sink[js/client-side-request-forgery]
request('https://example.com/api/' + name + '/id'); // $ Alert[js/client-side-request-forgery]
request('https://example.com/api?q=' + name);
request(window.location.href + '?q=123');

46
javascript/ql/test/query-tests/Security/CWE-918/serverSide.js
View File

@@ -15,34 +15,34 @@ var server = http.createServer(function(req, res) {
request("example.com");
request(tainted); // $ Alert[js/request-forgery] Sink[js/request-forgery]
request(tainted); // $ Alert[js/request-forgery]
request.get(tainted); // $ Alert[js/request-forgery] Sink[js/request-forgery]
request.get(tainted); // $ Alert[js/request-forgery]
var options = {};
options.url = tainted; // $ Sink[js/request-forgery]
request(options); // $ Alert[js/request-forgery]
request("http://" + tainted); // $ Alert[js/request-forgery] Sink[js/request-forgery]
request("http://" + tainted); // $ Alert[js/request-forgery]
request("http://example.com" + tainted); // $ Alert[js/request-forgery] Sink[js/request-forgery]
request("http://example.com" + tainted); // $ Alert[js/request-forgery]
request("http://example.com/" + tainted); // $ Alert[js/request-forgery] Sink[js/request-forgery]
request("http://example.com/" + tainted); // $ Alert[js/request-forgery]
request("http://example.com/?" + tainted);
http.get(relativeUrl, {host: tainted}); // $ Alert[js/request-forgery] Sink[js/request-forgery]
http.get(relativeUrl, {host: tainted}); // $ Alert[js/request-forgery]
XhrIo.send(new Uri(tainted)); // $ Alert[js/request-forgery] Sink[js/request-forgery]
new XhrIo().send(new Uri(tainted)); // $ Alert[js/request-forgery] Sink[js/request-forgery]
XhrIo.send(new Uri(tainted)); // $ Alert[js/request-forgery]
new XhrIo().send(new Uri(tainted)); // $ Alert[js/request-forgery]
let base = require('./config').base;
request(`http://example.com/${base}/${tainted}`); // $ Alert[js/request-forgery] Sink[js/request-forgery]
request(`http://example.com/${base}/${tainted}`); // $ Alert[js/request-forgery]
request(`http://example.com/${base}/v1/${tainted}`); // $ Alert[js/request-forgery] Sink[js/request-forgery]
request(`http://example.com/${base}/v1/${tainted}`); // $ Alert[js/request-forgery]
request('http://example.com/' + base + '/' + tainted); // $ Alert[js/request-forgery] Sink[js/request-forgery]
request('http://example.com/' + base + '/' + tainted); // $ Alert[js/request-forgery]
request('http://example.com/' + base + ('/' + tainted)); // $ MISSING: Alert
@@ -58,14 +58,14 @@ var server = http.createServer(async function(req, res) {
var tainted = url.parse(req.url, true).query.url; // $ Source[js/request-forgery]
var client = await CDP(options);
client.Page.navigate({url: tainted}); // $ Alert[js/request-forgery] Sink[js/request-forgery]
client.Page.navigate({url: tainted}); // $ Alert[js/request-forgery]
CDP(options).catch((ignored) => {}).then((client) => {
client.Page.navigate({url: tainted}); // $ Alert[js/request-forgery] Sink[js/request-forgery]
client.Page.navigate({url: tainted}); // $ Alert[js/request-forgery]
})
CDP(options, (client) => {
client.Page.navigate({url: tainted}); // $ Alert[js/request-forgery] Sink[js/request-forgery]
client.Page.navigate({url: tainted}); // $ Alert[js/request-forgery]
});
})
@@ -73,7 +73,7 @@ import {JSDOM} from "jsdom";
var server = http.createServer(async function(req, res) {
var tainted = url.parse(req.url, true).query.url; // $ Source[js/request-forgery]
JSDOM.fromURL(tainted); // $ Alert[js/request-forgery] Sink[js/request-forgery]
JSDOM.fromURL(tainted); // $ Alert[js/request-forgery]
});
var route = require('koa-route');
@@ -81,15 +81,15 @@ var Koa = require('koa');
var app = new Koa();
app.use(route.get('/pets', (context, param1, param2, param3) => { // $ Source[js/request-forgery]
JSDOM.fromURL(param1); // $ Alert[js/request-forgery] Sink[js/request-forgery]
JSDOM.fromURL(param1); // $ Alert[js/request-forgery]
}));
const router = require('koa-router')();
const app = new Koa();
router.get('/', async (ctx, next) => {
JSDOM.fromURL(ctx.params.foo); // $ Alert[js/request-forgery] Sink[js/request-forgery]
JSDOM.fromURL(ctx.params.foo); // $ Alert[js/request-forgery]
}).post('/', async (ctx, next) => {
JSDOM.fromURL(ctx.params.foo); // $ Alert[js/request-forgery] Sink[js/request-forgery]
JSDOM.fromURL(ctx.params.foo); // $ Alert[js/request-forgery]
});
app.use(router.routes());
@@ -97,7 +97,7 @@ import {JSDOM} from "jsdom";
var server = http.createServer(async function(req, res) {
var tainted = url.parse(req.url, true).query.url; // $ Source[js/request-forgery]
new WebSocket(tainted); // $ Alert[js/request-forgery] Sink[js/request-forgery]
new WebSocket(tainted); // $ Alert[js/request-forgery]
});
@@ -106,7 +106,7 @@ import * as ws from 'ws';
new ws.Server({ port: 8080 }).on('connection', function(socket, request) {
socket.on('message', function(message) {
const url = request.url; // $ Source[js/request-forgery]
const socket = new ws(url); // $ Alert[js/request-forgery] Sink[js/request-forgery]
const socket = new ws(url); // $ Alert[js/request-forgery]
});
});
@@ -114,7 +114,7 @@ new ws.Server({ port: 8080 }).on('connection', function (socket, request) {
socket.on('message', function (message) {
const url = new URL(request.url, base); // $ Source[js/request-forgery]
const target = new URL(url.pathname, base);
const socket = new ws(url); // $ Alert[js/request-forgery] Sink[js/request-forgery]
const socket = new ws(url); // $ Alert[js/request-forgery]
});
});
@@ -128,8 +128,8 @@ var server2 = http.createServer(function(req, res) {
}) // $ Alert[js/request-forgery]
var myUrl = `${something}/bla/${tainted}`;
axios.get(myUrl); // $ Alert[js/request-forgery] Sink[js/request-forgery]
axios.get(myUrl); // $ Alert[js/request-forgery]
var myEncodedUrl = `${something}/bla/${encodeURIComponent(tainted)}`;
axios.get(myEncodedUrl);
})
})