JS: Accept Sources/Sink tags

Asger F
2025-02-26 13:57:10 +01:00
parent 19cada38ff
commit 64d39da5f8
211 changed files with 796 additions and 796 deletions


@@ -2,7 +2,7 @@ var express = require('express');
var app = express();
var URI = require("urijs");
app.get('/findKey', function(req, res) {
var key = req.param("key"), input = req.param("input");
var key = req.param("key"), input = req.param("input"); // $ Source[js/regex-injection]
var re = new RegExp("\\b" + key + "=(.*)\n"); // $ Alert[js/regex-injection] - Unsanitized user input is used to construct a regular expression
@@ -18,7 +18,7 @@ app.get('/findKey', function(req, res) {
new RegExp(wrap(key)); // $ Alert[js/regex-injection] - duplicated to test precision of flow tracking
function getKey() {
return req.param("key");
return req.param("key"); // $ Source[js/regex-injection]
}
new RegExp(getKey()); // $ Alert[js/regex-injection]
@@ -52,7 +52,7 @@ app.get('/findKey', function(req, res) {
import * as Search from './search';
app.get('/findKey', function(req, res) {
var key = req.param("key"), input = req.param("input");
var key = req.param("key"), input = req.param("input"); // $ Source[js/regex-injection]
Search.search(input);
@@ -74,7 +74,7 @@ function escape2(str){
};
app.get('/has-sanitizer', function(req, res) {
var input = req.param("input");
var input = req.param("input"); // $ Source[js/regex-injection]
new RegExp(escape1(input));
new RegExp(escape2(input));
@@ -89,7 +89,7 @@ app.get("argv", function(req, res) {
});
app.get("argv", function(req, res) {
var input = req.param("input");
var input = req.param("input"); // $ Source[js/regex-injection]
var sanitized = input.replace(new RegExp("[\\-\\[\\]\\/\\{\\}\\(\\)\\*\\+\\?\\.\\\\\\^\\$\\|]"), "\\$&");
new RegExp(sanitized); // $ Alert[js/regex-injection]
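Review bot: The accepted Source tag sits on a combined declaration that reads two request parameters, `var key = req.param("key"), input = req.param("input"); // $ Source[js/regex-injection]`, here and again in the hunk at line 30 of this section. If the inline-expectation framework emits one tag per source expression, both results collapse onto the same line and the single expectation no longer shows whether `key`, `input`, or both are recognised as sources of the regex-injection flow. Splitting the declaration into `var key = req.param("key"); // $ Source[js/regex-injection]` and `var input = req.param("input"); // $ Source[js/regex-injection]` would pin each source individually, which matters for the `Search.search(input)` case where only `input` reaches the sink. The enclosing `app.get` handlers start and end outside the hunks.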


@@ -13,7 +13,7 @@ let server = app.listen(port, () =>
function indirection1() {
fs.readFile("/foo", (err, x) => {
throw err; // $ Alert[js/server-crash]
});
}); // $ Sink[js/server-crash]
}
function indirection2() {
throw 42; // $ Alert[js/server-crash]
@@ -22,7 +22,7 @@ function indirection3() {
try {
fs.readFile("/foo", (err, x) => {
throw err; // $ Alert[js/server-crash]
});
}); // $ Sink[js/server-crash]
} catch (e) {}
}
function indirection4() {
@@ -34,12 +34,12 @@ function indirection5() {
function indirection6() {
fs.readFile("/foo", (err, x) => {
throw err; // $ Alert[js/server-crash]
});
}); // $ Sink[js/server-crash]
}
app.get("/async-throw", (req, res) => {
fs.readFile("/foo", (err, x) => {
throw err; // $ Alert[js/server-crash]
});
}); // $ Sink[js/server-crash]
fs.readFile("/foo", (err, x) => {
try {
throw err; // OK - guarded throw
@@ -57,7 +57,7 @@ app.get("/async-throw", (req, res) => {
indirection1();
fs.readFile("/foo", (err, x) => {
indirection2();
});
}); // $ Sink[js/server-crash]
indirection3();
try {
@@ -86,13 +86,13 @@ app.get("/async-throw", (req, res) => {
function indirection7() {
fs.readFile("/foo", (err, x) => {
throw err; // $ Alert[js/server-crash]
});
}); // $ Sink[js/server-crash]
}
app.get("/async-throw-again", (req, res) => {
fs.readFile("foo", () => {
throw "e"; // $ Alert[js/server-crash]
});
}); // $ Sink[js/server-crash]
fs.readFileSync("foo", () => {
throw "e"; // OK - does not take callbacks at all
});
@@ -100,14 +100,14 @@ app.get("/async-throw-again", (req, res) => {
fs.readFile("foo", () => {
fs.readFile("bar", () => {
throw "e"; // $ Alert[js/server-crash]
});
}); // $ Sink[js/server-crash]
});
fs.readFile("foo", () => {
// can not catch async exceptions
try {
fs.readFile("bar", () => {
throw "e"; // $ Alert[js/server-crash]
});
}); // $ Sink[js/server-crash]
} catch (e) {}
});
// can mix sync/async calls
@@ -115,7 +115,7 @@ app.get("/async-throw-again", (req, res) => {
(() =>
fs.readFile("bar", () => {
throw "e"; // $ Alert[js/server-crash]
}))();
}))(); // $ Sink[js/server-crash]
});
});
@@ -129,7 +129,7 @@ app.get("/throw-in-promise-2", async (req, res) => {
async function fun() {
fs.readFile("/foo", (err, x) => {
throw err; // $ Alert[js/server-crash]
});
}); // $ Sink[js/server-crash]
}
await fun();
});
@@ -155,7 +155,7 @@ app.get("/throw-with-ambiguous-paths", (req, res) => {
function cb() {
throwError(); // on path
}
} // $ Sink[js/server-crash]
function withAsync() {
throwError(); // not on path
fs.stat(X, cb);


@@ -2,6 +2,6 @@ const express = require('express');
const app = express();
app.get('/foo', (req, res) => {
let data = req.query.data;
let data = req.query.data; // $ Source[js/regex-injection]
new RegExp("^"+ data.name + "$", "i"); // $ Alert[js/regex-injection]
});