hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-05-01 03:35:13 +02:00
Code Issues Packages Projects Releases Wiki Activity

remove FPs in js/build-artifact-leak where the "leaked" properties are constrained to a safe subset

Browse Source
This commit is contained in:
Erik Krogh Kristensen
2020-11-18 10:35:02 +01:00
parent 06733eadea
commit 64828713d6
2 changed files with 72 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

51
javascript/ql/test/query-tests/Security/CWE-312/build-leaks.js
View File

@@ -40,3 +40,54 @@ var server = https.createServer(function (req, res) {
let pw = url.parse(req.url, true).query.current_password;
var plugin = new webpack.DefinePlugin({ "process.env.secret": JSON.stringify(pw) }); // NOT OK
});
(function () {
const REACT_APP = /^REACT_APP_/i;
function getOnlyReactVariables() {
const raw = Object.keys(process.env)
.filter(key => REACT_APP.test(key)) // This filters makes it safe.
.reduce(
(env, key) => {
env[key] = process.env[key];
return env;
},
{}
);
return raw;
}
new webpack.DefinePlugin(getOnlyReactVariables()); // OK
function getOnlyReactVariables2() {
const raw = Object.keys(process.env)
.reduce(
(env, key) => {
if (REACT_APP.test(key)) {
env[key] = process.env[key];
}
return env;
},
{}
);
return raw;
}
new webpack.DefinePlugin(getOnlyReactVariables2()); // OK
function getOnlyReactVariables3() {
const raw = Object.keys(process.env)
.reduce(
(env, key) => {
if (key == ["1", "2", "3"]) {
env[key] = process.env[key];
}
return env;
},
{}
);
return raw;
}
new webpack.DefinePlugin(getOnlyReactVariables3()); // OK
})();