hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-05-01 19:55:15 +02:00
Code Issues Packages Projects Releases Wiki Activity

JS: Add explicit body-parsers to TemplateObjectInjection test

Browse Source
This commit is contained in:
Asger Feldthaus
2021-10-28 10:05:15 +02:00
parent 8af430d40f
commit 64db70f3ac
2 changed files with 9 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
javascript/ql/test/query-tests/Security/CWE-073/tst.js
View File

@@ -1,8 +1,8 @@
var app = require('express')();
app.set('view engine', 'hbs');
app.use(require('body-parser').json());
app.use(require('body-parser').urlencoded({ extended: false }));
app.post('/path', function(req, res) {
var bodyParameter = req.body.bodyParameter;
var queryParameter = req.query.queryParameter;

14
javascript/ql/test/query-tests/Security/CWE-073/tst2.js
View File

@@ -2,27 +2,27 @@ const handlebars = require("express-handlebars");
var app = require('express')();
app.engine( '.hbs', handlebars({ defaultLayout: 'main', extname: '.hbs' }) );
app.set('view engine', '.hbs')
app.post('/path', function(req, res) {
app.post('/path', require('body-parser').json(), function(req, res) {
var bodyParameter = req.body.bodyParameter;
res.render('template', bodyParameter); // NOT OK
});
var app2 = require('express')();
app2.post('/path', function(req, res) {
app2.post('/path', require('body-parser').json(), function(req, res) {
var bodyParameter = req.body.bodyParameter;
res.render('template', bodyParameter); // OK
});
var app3 = require('express')();
app3.set('view engine', 'pug');
app3.post('/path', function(req, res) {
app3.post('/path', require('body-parser').json(), function(req, res) {
var bodyParameter = req.body.bodyParameter;
res.render('template', bodyParameter); // OK
});
var app4 = require('express')();
app4.set('view engine', 'ejs');
app4.post('/path', function(req, res) {
app4.post('/path', require('body-parser').json(), function(req, res) {
var bodyParameter = req.body.bodyParameter;
res.render('template', bodyParameter); // NOT OK
});
@@ -30,7 +30,7 @@ app4.post('/path', function(req, res) {
var app5 = require('express')();
app5.engine("foobar", require("consolidate").whiskers);
app5.set('view engine', 'foobar');
app5.post('/path', function(req, res) {
app5.post('/path', require('body-parser').json(), function(req, res) {
var bodyParameter = req.body.bodyParameter;
res.render('template', bodyParameter); // NOT OK
});
@@ -38,7 +38,7 @@ app5.post('/path', function(req, res) {
var app6 = require('express')();
app6.register(".html", require("consolidate").whiskers);
app6.set('view engine', 'html');
app6.post('/path', function(req, res) {
app6.post('/path', require('body-parser').json(), function(req, res) {
var bodyParameter = req.body.bodyParameter;
res.render('template', bodyParameter); // NOT OK
});
@@ -47,7 +47,7 @@ const express = require('express');
var router = express.Router();
var app7 = express();
app7.set('view engine', 'ejs');
router.post('/path', function(req, res) {
router.post('/path', require('body-parser').json(), function(req, res) {
var bodyParameter = req.body.bodyParameter;
res.render('template', bodyParameter); // NOT OK
});