Merge branch 'main' into aegilops/js/insecure-helmet-middleware
@@ -0,0 +1,391 @@
|
||||
nodes
|
||||
| adm-zip.js:13:13:13:21 | req.files |
|
||||
| adm-zip.js:13:13:13:21 | req.files |
|
||||
| adm-zip.js:13:13:13:33 | req.fil ... ombFile |
|
||||
| adm-zip.js:17:18:17:24 | tarFile |
|
||||
| adm-zip.js:24:22:24:28 | tarFile |
|
||||
| adm-zip.js:24:22:24:33 | tarFile.data |
|
||||
| adm-zip.js:28:25:28:42 | zipEntry.getData() |
|
||||
| adm-zip.js:28:25:28:42 | zipEntry.getData() |
|
||||
| adm-zip.js:32:17:32:41 | admZip. ... "10GB") |
|
||||
| adm-zip.js:32:17:32:41 | admZip. ... "10GB") |
|
||||
| adm-zip.js:34:5:34:55 | admZip. ... , true) |
|
||||
| adm-zip.js:34:5:34:55 | admZip. ... , true) |
|
||||
| adm-zip.js:36:5:36:38 | admZip. ... , true) |
|
||||
| adm-zip.js:36:5:36:38 | admZip. ... , true) |
|
||||
| decompress.js:11:16:11:33 | req.query.filePath |
|
||||
| decompress.js:11:16:11:33 | req.query.filePath |
|
||||
| decompress.js:11:16:11:33 | req.query.filePath |
|
||||
| jszip.js:12:13:12:21 | req.files |
|
||||
| jszip.js:12:13:12:21 | req.files |
|
||||
| jszip.js:12:13:12:33 | req.fil ... ombFile |
|
||||
| jszip.js:12:13:12:38 | req.fil ... le.data |
|
||||
| jszip.js:32:18:32:24 | zipFile |
|
||||
| jszip.js:33:22:33:28 | zipFile |
|
||||
| jszip.js:33:22:33:33 | zipFile.data |
|
||||
| jszip.js:33:22:33:33 | zipFile.data |
|
||||
| node-tar.js:15:13:15:21 | req.files |
|
||||
| node-tar.js:15:13:15:21 | req.files |
|
||||
| node-tar.js:15:13:15:33 | req.fil ... ombFile |
|
||||
| node-tar.js:15:13:15:38 | req.fil ... le.data |
|
||||
| node-tar.js:19:18:19:24 | tarFile |
|
||||
| node-tar.js:21:23:21:49 | Readabl ... e.data) |
|
||||
| node-tar.js:21:37:21:43 | tarFile |
|
||||
| node-tar.js:21:37:21:48 | tarFile.data |
|
||||
| node-tar.js:24:9:24:15 | tar.x() |
|
||||
| node-tar.js:24:9:24:15 | tar.x() |
|
||||
| node-tar.js:29:5:29:37 | fs.crea ... e.name) |
|
||||
| node-tar.js:29:25:29:31 | tarFile |
|
||||
| node-tar.js:29:25:29:36 | tarFile.name |
|
||||
| node-tar.js:30:9:33:10 | tar.x({ ... }) |
|
||||
| node-tar.js:30:9:33:10 | tar.x({ ... }) |
|
||||
| node-tar.js:45:5:45:37 | fs.crea ... e.name) |
|
||||
| node-tar.js:45:25:45:31 | tarFile |
|
||||
| node-tar.js:45:25:45:36 | tarFile.name |
|
||||
| node-tar.js:46:9:46:20 | decompressor |
|
||||
| node-tar.js:48:9:50:10 | tar.x({ ... }) |
|
||||
| node-tar.js:48:9:50:10 | tar.x({ ... }) |
|
||||
| node-tar.js:58:19:58:25 | tarFile |
|
||||
| node-tar.js:58:19:58:30 | tarFile.name |
|
||||
| node-tar.js:58:19:58:30 | tarFile.name |
|
||||
| node-tar.js:59:25:59:31 | tarFile |
|
||||
| node-tar.js:59:25:59:36 | tarFile.name |
|
||||
| node-tar.js:59:25:59:36 | tarFile.name |
|
||||
| pako.js:12:14:12:22 | req.files |
|
||||
| pako.js:12:14:12:22 | req.files |
|
||||
| pako.js:12:14:12:34 | req.fil ... ombFile |
|
||||
| pako.js:12:14:12:39 | req.fil ... le.data |
|
||||
| pako.js:13:14:13:22 | req.files |
|
||||
| pako.js:13:14:13:22 | req.files |
|
||||
| pako.js:13:14:13:34 | req.fil ... ombFile |
|
||||
| pako.js:13:14:13:39 | req.fil ... le.data |
|
||||
| pako.js:17:19:17:25 | zipFile |
|
||||
| pako.js:18:11:18:68 | myArray |
|
||||
| pako.js:18:21:18:68 | Buffer. ... uffer)) |
|
||||
| pako.js:18:33:18:67 | new Uin ... buffer) |
|
||||
| pako.js:18:48:18:54 | zipFile |
|
||||
| pako.js:18:48:18:59 | zipFile.data |
|
||||
| pako.js:18:48:18:66 | zipFile.data.buffer |
|
||||
| pako.js:21:31:21:37 | myArray |
|
||||
| pako.js:21:31:21:37 | myArray |
|
||||
| pako.js:28:19:28:25 | zipFile |
|
||||
| pako.js:29:11:29:62 | myArray |
|
||||
| pako.js:29:21:29:55 | new Uin ... buffer) |
|
||||
| pako.js:29:21:29:62 | new Uin ... .buffer |
|
||||
| pako.js:29:36:29:42 | zipFile |
|
||||
| pako.js:29:36:29:47 | zipFile.data |
|
||||
| pako.js:29:36:29:54 | zipFile.data.buffer |
|
||||
| pako.js:32:31:32:37 | myArray |
|
||||
| pako.js:32:31:32:37 | myArray |
|
||||
| unbzip2.js:12:5:12:43 | fs.crea ... lePath) |
|
||||
| unbzip2.js:12:25:12:42 | req.query.FilePath |
|
||||
| unbzip2.js:12:25:12:42 | req.query.FilePath |
|
||||
| unbzip2.js:12:50:12:54 | bz2() |
|
||||
| unbzip2.js:12:50:12:54 | bz2() |
|
||||
| unzipper.js:13:26:13:62 | Readabl ... e.data) |
|
||||
| unzipper.js:13:40:13:48 | req.files |
|
||||
| unzipper.js:13:40:13:48 | req.files |
|
||||
| unzipper.js:13:40:13:56 | req.files.ZipFile |
|
||||
| unzipper.js:13:40:13:61 | req.fil ... le.data |
|
||||
| unzipper.js:16:23:16:63 | unzippe ... ath' }) |
|
||||
| unzipper.js:16:23:16:63 | unzippe ... ath' }) |
|
||||
| unzipper.js:19:23:19:41 | unzipper.ParseOne() |
|
||||
| unzipper.js:19:23:19:41 | unzipper.ParseOne() |
|
||||
| unzipper.js:24:15:24:30 | unzipper.Parse() |
|
||||
| unzipper.js:24:15:24:30 | unzipper.Parse() |
|
||||
| unzipper.js:34:15:34:30 | unzipper.Parse() |
|
||||
| unzipper.js:34:15:34:30 | unzipper.Parse() |
|
||||
| unzipper.js:41:35:41:71 | unzippe ... true }) |
|
||||
| unzipper.js:41:35:41:71 | unzippe ... true }) |
|
||||
| unzipper.js:51:36:51:72 | unzippe ... true }) |
|
||||
| unzipper.js:51:36:51:72 | unzippe ... true }) |
|
||||
| unzipper.js:60:23:60:38 | unzipper.Parse() |
|
||||
| unzipper.js:60:23:60:38 | unzipper.Parse() |
|
||||
| unzipper.js:73:23:73:38 | unzipper.Parse() |
|
||||
| unzipper.js:73:23:73:38 | unzipper.Parse() |
|
||||
| yauzl.js:12:18:12:26 | req.files |
|
||||
| yauzl.js:12:18:12:26 | req.files |
|
||||
| yauzl.js:12:18:12:34 | req.files.zipFile |
|
||||
| yauzl.js:12:18:12:39 | req.fil ... le.data |
|
||||
| yauzl.js:12:18:12:39 | req.fil ... le.data |
|
||||
| yauzl.js:13:22:13:30 | req.files |
|
||||
| yauzl.js:13:22:13:30 | req.files |
|
||||
| yauzl.js:13:22:13:38 | req.files.zipFile |
|
||||
| yauzl.js:13:22:13:43 | req.fil ... le.data |
|
||||
| yauzl.js:13:22:13:43 | req.fil ... le.data |
|
||||
| yauzl.js:14:34:14:42 | req.files |
|
||||
| yauzl.js:14:34:14:42 | req.files |
|
||||
| yauzl.js:14:34:14:50 | req.files.zipFile |
|
||||
| yauzl.js:14:34:14:55 | req.fil ... le.data |
|
||||
| yauzl.js:14:34:14:55 | req.fil ... le.data |
|
||||
| yauzl.js:37:16:37:33 | req.query.filePath |
|
||||
| yauzl.js:37:16:37:33 | req.query.filePath |
|
||||
| yauzl.js:39:9:39:27 | zipfile.readEntry() |
|
||||
| yauzl.js:39:9:39:27 | zipfile.readEntry() |
|
||||
| yauzl.js:41:64:41:73 | readStream |
|
||||
| yauzl.js:41:64:41:73 | readStream |
|
||||
| yauzl.js:43:21:43:39 | zipfile.readEntry() |
|
||||
| yauzl.js:43:21:43:39 | zipfile.readEntry() |
|
||||
| zlib.js:15:19:15:27 | req.files |
|
||||
| zlib.js:15:19:15:27 | req.files |
|
||||
| zlib.js:15:19:15:39 | req.fil ... ombFile |
|
||||
| zlib.js:15:19:15:44 | req.fil ... le.data |
|
||||
| zlib.js:17:18:17:26 | req.files |
|
||||
| zlib.js:17:18:17:26 | req.files |
|
||||
| zlib.js:17:18:17:38 | req.fil ... ombFile |
|
||||
| zlib.js:17:18:17:43 | req.fil ... le.data |
|
||||
| zlib.js:19:24:19:32 | req.files |
|
||||
| zlib.js:19:24:19:32 | req.files |
|
||||
| zlib.js:19:24:19:44 | req.fil ... ombFile |
|
||||
| zlib.js:19:24:19:49 | req.fil ... le.data |
|
||||
| zlib.js:21:32:21:40 | req.files |
|
||||
| zlib.js:21:32:21:40 | req.files |
|
||||
| zlib.js:21:32:21:52 | req.fil ... ombFile |
|
||||
| zlib.js:21:32:21:57 | req.fil ... le.data |
|
||||
| zlib.js:27:24:27:30 | zipFile |
|
||||
| zlib.js:29:9:29:15 | zipFile |
|
||||
| zlib.js:29:9:29:20 | zipFile.data |
|
||||
| zlib.js:29:9:29:20 | zipFile.data |
|
||||
| zlib.js:33:9:33:15 | zipFile |
|
||||
| zlib.js:33:9:33:20 | zipFile.data |
|
||||
| zlib.js:33:9:33:20 | zipFile.data |
|
||||
| zlib.js:38:9:38:15 | zipFile |
|
||||
| zlib.js:38:9:38:20 | zipFile.data |
|
||||
| zlib.js:38:9:38:20 | zipFile.data |
|
||||
| zlib.js:62:23:62:29 | zipFile |
|
||||
| zlib.js:63:21:63:27 | zipFile |
|
||||
| zlib.js:63:21:63:32 | zipFile.data |
|
||||
| zlib.js:63:21:63:32 | zipFile.data |
|
||||
| zlib.js:64:20:64:26 | zipFile |
|
||||
| zlib.js:64:20:64:31 | zipFile.data |
|
||||
| zlib.js:64:20:64:31 | zipFile.data |
|
||||
| zlib.js:65:31:65:37 | zipFile |
|
||||
| zlib.js:65:31:65:42 | zipFile.data |
|
||||
| zlib.js:65:31:65:42 | zipFile.data |
|
||||
| zlib.js:74:29:74:35 | zipFile |
|
||||
| zlib.js:75:25:75:51 | Readabl ... e.data) |
|
||||
| zlib.js:75:39:75:45 | zipFile |
|
||||
| zlib.js:75:39:75:50 | zipFile.data |
|
||||
| zlib.js:77:22:77:40 | zlib.createGunzip() |
|
||||
| zlib.js:77:22:77:40 | zlib.createGunzip() |
|
||||
| zlib.js:78:22:78:39 | zlib.createUnzip() |
|
||||
| zlib.js:78:22:78:39 | zlib.createUnzip() |
|
||||
| zlib.js:79:22:79:50 | zlib.cr ... press() |
|
||||
| zlib.js:79:22:79:50 | zlib.cr ... press() |
|
||||
| zlib.js:82:43:82:49 | zipFile |
|
||||
| zlib.js:83:11:83:51 | inputStream |
|
||||
| zlib.js:83:25:83:51 | Readabl ... e.data) |
|
||||
| zlib.js:83:39:83:45 | zipFile |
|
||||
| zlib.js:83:39:83:50 | zipFile.data |
|
||||
| zlib.js:86:9:86:19 | inputStream |
|
||||
| zlib.js:87:9:87:27 | zlib.createGunzip() |
|
||||
| zlib.js:87:9:87:27 | zlib.createGunzip() |
|
||||
edges
|
||||
| adm-zip.js:13:13:13:21 | req.files | adm-zip.js:13:13:13:33 | req.fil ... ombFile |
|
||||
| adm-zip.js:13:13:13:21 | req.files | adm-zip.js:13:13:13:33 | req.fil ... ombFile |
|
||||
| adm-zip.js:13:13:13:33 | req.fil ... ombFile | adm-zip.js:17:18:17:24 | tarFile |
|
||||
| adm-zip.js:17:18:17:24 | tarFile | adm-zip.js:24:22:24:28 | tarFile |
|
||||
| adm-zip.js:24:22:24:28 | tarFile | adm-zip.js:24:22:24:33 | tarFile.data |
|
||||
| adm-zip.js:24:22:24:33 | tarFile.data | adm-zip.js:28:25:28:42 | zipEntry.getData() |
|
||||
| adm-zip.js:24:22:24:33 | tarFile.data | adm-zip.js:28:25:28:42 | zipEntry.getData() |
|
||||
| adm-zip.js:24:22:24:33 | tarFile.data | adm-zip.js:32:17:32:41 | admZip. ... "10GB") |
|
||||
| adm-zip.js:24:22:24:33 | tarFile.data | adm-zip.js:32:17:32:41 | admZip. ... "10GB") |
|
||||
| adm-zip.js:24:22:24:33 | tarFile.data | adm-zip.js:34:5:34:55 | admZip. ... , true) |
|
||||
| adm-zip.js:24:22:24:33 | tarFile.data | adm-zip.js:34:5:34:55 | admZip. ... , true) |
|
||||
| adm-zip.js:24:22:24:33 | tarFile.data | adm-zip.js:36:5:36:38 | admZip. ... , true) |
|
||||
| adm-zip.js:24:22:24:33 | tarFile.data | adm-zip.js:36:5:36:38 | admZip. ... , true) |
|
||||
| decompress.js:11:16:11:33 | req.query.filePath | decompress.js:11:16:11:33 | req.query.filePath |
|
||||
| jszip.js:12:13:12:21 | req.files | jszip.js:12:13:12:33 | req.fil ... ombFile |
|
||||
| jszip.js:12:13:12:21 | req.files | jszip.js:12:13:12:33 | req.fil ... ombFile |
|
||||
| jszip.js:12:13:12:33 | req.fil ... ombFile | jszip.js:12:13:12:38 | req.fil ... le.data |
|
||||
| jszip.js:12:13:12:38 | req.fil ... le.data | jszip.js:32:18:32:24 | zipFile |
|
||||
| jszip.js:32:18:32:24 | zipFile | jszip.js:33:22:33:28 | zipFile |
|
||||
| jszip.js:33:22:33:28 | zipFile | jszip.js:33:22:33:33 | zipFile.data |
|
||||
| jszip.js:33:22:33:28 | zipFile | jszip.js:33:22:33:33 | zipFile.data |
|
||||
| node-tar.js:15:13:15:21 | req.files | node-tar.js:15:13:15:33 | req.fil ... ombFile |
|
||||
| node-tar.js:15:13:15:21 | req.files | node-tar.js:15:13:15:33 | req.fil ... ombFile |
|
||||
| node-tar.js:15:13:15:33 | req.fil ... ombFile | node-tar.js:15:13:15:38 | req.fil ... le.data |
|
||||
| node-tar.js:15:13:15:38 | req.fil ... le.data | node-tar.js:19:18:19:24 | tarFile |
|
||||
| node-tar.js:19:18:19:24 | tarFile | node-tar.js:21:37:21:43 | tarFile |
|
||||
| node-tar.js:19:18:19:24 | tarFile | node-tar.js:29:25:29:31 | tarFile |
|
||||
| node-tar.js:19:18:19:24 | tarFile | node-tar.js:45:25:45:31 | tarFile |
|
||||
| node-tar.js:19:18:19:24 | tarFile | node-tar.js:58:19:58:25 | tarFile |
|
||||
| node-tar.js:19:18:19:24 | tarFile | node-tar.js:59:25:59:31 | tarFile |
|
||||
| node-tar.js:21:23:21:49 | Readabl ... e.data) | node-tar.js:24:9:24:15 | tar.x() |
|
||||
| node-tar.js:21:23:21:49 | Readabl ... e.data) | node-tar.js:24:9:24:15 | tar.x() |
|
||||
| node-tar.js:21:37:21:43 | tarFile | node-tar.js:21:37:21:48 | tarFile.data |
|
||||
| node-tar.js:21:37:21:48 | tarFile.data | node-tar.js:21:23:21:49 | Readabl ... e.data) |
|
||||
| node-tar.js:29:5:29:37 | fs.crea ... e.name) | node-tar.js:30:9:33:10 | tar.x({ ... }) |
|
||||
| node-tar.js:29:5:29:37 | fs.crea ... e.name) | node-tar.js:30:9:33:10 | tar.x({ ... }) |
|
||||
| node-tar.js:29:25:29:31 | tarFile | node-tar.js:29:25:29:36 | tarFile.name |
|
||||
| node-tar.js:29:25:29:36 | tarFile.name | node-tar.js:29:5:29:37 | fs.crea ... e.name) |
|
||||
| node-tar.js:45:5:45:37 | fs.crea ... e.name) | node-tar.js:46:9:46:20 | decompressor |
|
||||
| node-tar.js:45:25:45:31 | tarFile | node-tar.js:45:25:45:36 | tarFile.name |
|
||||
| node-tar.js:45:25:45:36 | tarFile.name | node-tar.js:45:5:45:37 | fs.crea ... e.name) |
|
||||
| node-tar.js:46:9:46:20 | decompressor | node-tar.js:48:9:50:10 | tar.x({ ... }) |
|
||||
| node-tar.js:46:9:46:20 | decompressor | node-tar.js:48:9:50:10 | tar.x({ ... }) |
|
||||
| node-tar.js:58:19:58:25 | tarFile | node-tar.js:58:19:58:30 | tarFile.name |
|
||||
| node-tar.js:58:19:58:25 | tarFile | node-tar.js:58:19:58:30 | tarFile.name |
|
||||
| node-tar.js:59:25:59:31 | tarFile | node-tar.js:59:25:59:36 | tarFile.name |
|
||||
| node-tar.js:59:25:59:31 | tarFile | node-tar.js:59:25:59:36 | tarFile.name |
|
||||
| pako.js:12:14:12:22 | req.files | pako.js:12:14:12:34 | req.fil ... ombFile |
|
||||
| pako.js:12:14:12:22 | req.files | pako.js:12:14:12:34 | req.fil ... ombFile |
|
||||
| pako.js:12:14:12:34 | req.fil ... ombFile | pako.js:12:14:12:39 | req.fil ... le.data |
|
||||
| pako.js:12:14:12:39 | req.fil ... le.data | pako.js:17:19:17:25 | zipFile |
|
||||
| pako.js:13:14:13:22 | req.files | pako.js:13:14:13:34 | req.fil ... ombFile |
|
||||
| pako.js:13:14:13:22 | req.files | pako.js:13:14:13:34 | req.fil ... ombFile |
|
||||
| pako.js:13:14:13:34 | req.fil ... ombFile | pako.js:13:14:13:39 | req.fil ... le.data |
|
||||
| pako.js:13:14:13:39 | req.fil ... le.data | pako.js:28:19:28:25 | zipFile |
|
||||
| pako.js:17:19:17:25 | zipFile | pako.js:18:48:18:54 | zipFile |
|
||||
| pako.js:18:11:18:68 | myArray | pako.js:21:31:21:37 | myArray |
|
||||
| pako.js:18:11:18:68 | myArray | pako.js:21:31:21:37 | myArray |
|
||||
| pako.js:18:21:18:68 | Buffer. ... uffer)) | pako.js:18:11:18:68 | myArray |
|
||||
| pako.js:18:33:18:67 | new Uin ... buffer) | pako.js:18:21:18:68 | Buffer. ... uffer)) |
|
||||
| pako.js:18:48:18:54 | zipFile | pako.js:18:48:18:59 | zipFile.data |
|
||||
| pako.js:18:48:18:59 | zipFile.data | pako.js:18:48:18:66 | zipFile.data.buffer |
|
||||
| pako.js:18:48:18:66 | zipFile.data.buffer | pako.js:18:33:18:67 | new Uin ... buffer) |
|
||||
| pako.js:28:19:28:25 | zipFile | pako.js:29:36:29:42 | zipFile |
|
||||
| pako.js:29:11:29:62 | myArray | pako.js:32:31:32:37 | myArray |
|
||||
| pako.js:29:11:29:62 | myArray | pako.js:32:31:32:37 | myArray |
|
||||
| pako.js:29:21:29:55 | new Uin ... buffer) | pako.js:29:21:29:62 | new Uin ... .buffer |
|
||||
| pako.js:29:21:29:62 | new Uin ... .buffer | pako.js:29:11:29:62 | myArray |
|
||||
| pako.js:29:36:29:42 | zipFile | pako.js:29:36:29:47 | zipFile.data |
|
||||
| pako.js:29:36:29:47 | zipFile.data | pako.js:29:36:29:54 | zipFile.data.buffer |
|
||||
| pako.js:29:36:29:54 | zipFile.data.buffer | pako.js:29:21:29:55 | new Uin ... buffer) |
|
||||
| unbzip2.js:12:5:12:43 | fs.crea ... lePath) | unbzip2.js:12:50:12:54 | bz2() |
|
||||
| unbzip2.js:12:5:12:43 | fs.crea ... lePath) | unbzip2.js:12:50:12:54 | bz2() |
|
||||
| unbzip2.js:12:25:12:42 | req.query.FilePath | unbzip2.js:12:5:12:43 | fs.crea ... lePath) |
|
||||
| unbzip2.js:12:25:12:42 | req.query.FilePath | unbzip2.js:12:5:12:43 | fs.crea ... lePath) |
|
||||
| unzipper.js:13:26:13:62 | Readabl ... e.data) | unzipper.js:16:23:16:63 | unzippe ... ath' }) |
|
||||
| unzipper.js:13:26:13:62 | Readabl ... e.data) | unzipper.js:16:23:16:63 | unzippe ... ath' }) |
|
||||
| unzipper.js:13:26:13:62 | Readabl ... e.data) | unzipper.js:19:23:19:41 | unzipper.ParseOne() |
|
||||
| unzipper.js:13:26:13:62 | Readabl ... e.data) | unzipper.js:19:23:19:41 | unzipper.ParseOne() |
|
||||
| unzipper.js:13:26:13:62 | Readabl ... e.data) | unzipper.js:24:15:24:30 | unzipper.Parse() |
|
||||
| unzipper.js:13:26:13:62 | Readabl ... e.data) | unzipper.js:24:15:24:30 | unzipper.Parse() |
|
||||
| unzipper.js:13:26:13:62 | Readabl ... e.data) | unzipper.js:34:15:34:30 | unzipper.Parse() |
|
||||
| unzipper.js:13:26:13:62 | Readabl ... e.data) | unzipper.js:34:15:34:30 | unzipper.Parse() |
|
||||
| unzipper.js:13:26:13:62 | Readabl ... e.data) | unzipper.js:41:35:41:71 | unzippe ... true }) |
|
||||
| unzipper.js:13:26:13:62 | Readabl ... e.data) | unzipper.js:41:35:41:71 | unzippe ... true }) |
|
||||
| unzipper.js:13:26:13:62 | Readabl ... e.data) | unzipper.js:51:36:51:72 | unzippe ... true }) |
|
||||
| unzipper.js:13:26:13:62 | Readabl ... e.data) | unzipper.js:51:36:51:72 | unzippe ... true }) |
|
||||
| unzipper.js:13:26:13:62 | Readabl ... e.data) | unzipper.js:60:23:60:38 | unzipper.Parse() |
|
||||
| unzipper.js:13:26:13:62 | Readabl ... e.data) | unzipper.js:60:23:60:38 | unzipper.Parse() |
|
||||
| unzipper.js:13:26:13:62 | Readabl ... e.data) | unzipper.js:73:23:73:38 | unzipper.Parse() |
|
||||
| unzipper.js:13:26:13:62 | Readabl ... e.data) | unzipper.js:73:23:73:38 | unzipper.Parse() |
|
||||
| unzipper.js:13:40:13:48 | req.files | unzipper.js:13:40:13:56 | req.files.ZipFile |
|
||||
| unzipper.js:13:40:13:48 | req.files | unzipper.js:13:40:13:56 | req.files.ZipFile |
|
||||
| unzipper.js:13:40:13:56 | req.files.ZipFile | unzipper.js:13:40:13:61 | req.fil ... le.data |
|
||||
| unzipper.js:13:40:13:61 | req.fil ... le.data | unzipper.js:13:26:13:62 | Readabl ... e.data) |
|
||||
| yauzl.js:12:18:12:26 | req.files | yauzl.js:12:18:12:34 | req.files.zipFile |
|
||||
| yauzl.js:12:18:12:26 | req.files | yauzl.js:12:18:12:34 | req.files.zipFile |
|
||||
| yauzl.js:12:18:12:34 | req.files.zipFile | yauzl.js:12:18:12:39 | req.fil ... le.data |
|
||||
| yauzl.js:12:18:12:34 | req.files.zipFile | yauzl.js:12:18:12:39 | req.fil ... le.data |
|
||||
| yauzl.js:13:22:13:30 | req.files | yauzl.js:13:22:13:38 | req.files.zipFile |
|
||||
| yauzl.js:13:22:13:30 | req.files | yauzl.js:13:22:13:38 | req.files.zipFile |
|
||||
| yauzl.js:13:22:13:38 | req.files.zipFile | yauzl.js:13:22:13:43 | req.fil ... le.data |
|
||||
| yauzl.js:13:22:13:38 | req.files.zipFile | yauzl.js:13:22:13:43 | req.fil ... le.data |
|
||||
| yauzl.js:14:34:14:42 | req.files | yauzl.js:14:34:14:50 | req.files.zipFile |
|
||||
| yauzl.js:14:34:14:42 | req.files | yauzl.js:14:34:14:50 | req.files.zipFile |
|
||||
| yauzl.js:14:34:14:50 | req.files.zipFile | yauzl.js:14:34:14:55 | req.fil ... le.data |
|
||||
| yauzl.js:14:34:14:50 | req.files.zipFile | yauzl.js:14:34:14:55 | req.fil ... le.data |
|
||||
| yauzl.js:37:16:37:33 | req.query.filePath | yauzl.js:39:9:39:27 | zipfile.readEntry() |
|
||||
| yauzl.js:37:16:37:33 | req.query.filePath | yauzl.js:39:9:39:27 | zipfile.readEntry() |
|
||||
| yauzl.js:37:16:37:33 | req.query.filePath | yauzl.js:39:9:39:27 | zipfile.readEntry() |
|
||||
| yauzl.js:37:16:37:33 | req.query.filePath | yauzl.js:39:9:39:27 | zipfile.readEntry() |
|
||||
| yauzl.js:37:16:37:33 | req.query.filePath | yauzl.js:41:64:41:73 | readStream |
|
||||
| yauzl.js:37:16:37:33 | req.query.filePath | yauzl.js:41:64:41:73 | readStream |
|
||||
| yauzl.js:37:16:37:33 | req.query.filePath | yauzl.js:41:64:41:73 | readStream |
|
||||
| yauzl.js:37:16:37:33 | req.query.filePath | yauzl.js:41:64:41:73 | readStream |
|
||||
| yauzl.js:37:16:37:33 | req.query.filePath | yauzl.js:43:21:43:39 | zipfile.readEntry() |
|
||||
| yauzl.js:37:16:37:33 | req.query.filePath | yauzl.js:43:21:43:39 | zipfile.readEntry() |
|
||||
| yauzl.js:37:16:37:33 | req.query.filePath | yauzl.js:43:21:43:39 | zipfile.readEntry() |
|
||||
| yauzl.js:37:16:37:33 | req.query.filePath | yauzl.js:43:21:43:39 | zipfile.readEntry() |
|
||||
| zlib.js:15:19:15:27 | req.files | zlib.js:15:19:15:39 | req.fil ... ombFile |
|
||||
| zlib.js:15:19:15:27 | req.files | zlib.js:15:19:15:39 | req.fil ... ombFile |
|
||||
| zlib.js:15:19:15:39 | req.fil ... ombFile | zlib.js:15:19:15:44 | req.fil ... le.data |
|
||||
| zlib.js:15:19:15:44 | req.fil ... le.data | zlib.js:27:24:27:30 | zipFile |
|
||||
| zlib.js:17:18:17:26 | req.files | zlib.js:17:18:17:38 | req.fil ... ombFile |
|
||||
| zlib.js:17:18:17:26 | req.files | zlib.js:17:18:17:38 | req.fil ... ombFile |
|
||||
| zlib.js:17:18:17:38 | req.fil ... ombFile | zlib.js:17:18:17:43 | req.fil ... le.data |
|
||||
| zlib.js:17:18:17:43 | req.fil ... le.data | zlib.js:62:23:62:29 | zipFile |
|
||||
| zlib.js:19:24:19:32 | req.files | zlib.js:19:24:19:44 | req.fil ... ombFile |
|
||||
| zlib.js:19:24:19:32 | req.files | zlib.js:19:24:19:44 | req.fil ... ombFile |
|
||||
| zlib.js:19:24:19:44 | req.fil ... ombFile | zlib.js:19:24:19:49 | req.fil ... le.data |
|
||||
| zlib.js:19:24:19:49 | req.fil ... le.data | zlib.js:74:29:74:35 | zipFile |
|
||||
| zlib.js:21:32:21:40 | req.files | zlib.js:21:32:21:52 | req.fil ... ombFile |
|
||||
| zlib.js:21:32:21:40 | req.files | zlib.js:21:32:21:52 | req.fil ... ombFile |
|
||||
| zlib.js:21:32:21:52 | req.fil ... ombFile | zlib.js:21:32:21:57 | req.fil ... le.data |
|
||||
| zlib.js:21:32:21:57 | req.fil ... le.data | zlib.js:82:43:82:49 | zipFile |
|
||||
| zlib.js:27:24:27:30 | zipFile | zlib.js:29:9:29:15 | zipFile |
|
||||
| zlib.js:27:24:27:30 | zipFile | zlib.js:33:9:33:15 | zipFile |
|
||||
| zlib.js:27:24:27:30 | zipFile | zlib.js:38:9:38:15 | zipFile |
|
||||
| zlib.js:29:9:29:15 | zipFile | zlib.js:29:9:29:20 | zipFile.data |
|
||||
| zlib.js:29:9:29:15 | zipFile | zlib.js:29:9:29:20 | zipFile.data |
|
||||
| zlib.js:33:9:33:15 | zipFile | zlib.js:33:9:33:20 | zipFile.data |
|
||||
| zlib.js:33:9:33:15 | zipFile | zlib.js:33:9:33:20 | zipFile.data |
|
||||
| zlib.js:38:9:38:15 | zipFile | zlib.js:38:9:38:20 | zipFile.data |
|
||||
| zlib.js:38:9:38:15 | zipFile | zlib.js:38:9:38:20 | zipFile.data |
|
||||
| zlib.js:62:23:62:29 | zipFile | zlib.js:63:21:63:27 | zipFile |
|
||||
| zlib.js:62:23:62:29 | zipFile | zlib.js:64:20:64:26 | zipFile |
|
||||
| zlib.js:62:23:62:29 | zipFile | zlib.js:65:31:65:37 | zipFile |
|
||||
| zlib.js:63:21:63:27 | zipFile | zlib.js:63:21:63:32 | zipFile.data |
|
||||
| zlib.js:63:21:63:27 | zipFile | zlib.js:63:21:63:32 | zipFile.data |
|
||||
| zlib.js:64:20:64:26 | zipFile | zlib.js:64:20:64:31 | zipFile.data |
|
||||
| zlib.js:64:20:64:26 | zipFile | zlib.js:64:20:64:31 | zipFile.data |
|
||||
| zlib.js:65:31:65:37 | zipFile | zlib.js:65:31:65:42 | zipFile.data |
|
||||
| zlib.js:65:31:65:37 | zipFile | zlib.js:65:31:65:42 | zipFile.data |
|
||||
| zlib.js:74:29:74:35 | zipFile | zlib.js:75:39:75:45 | zipFile |
|
||||
| zlib.js:75:25:75:51 | Readabl ... e.data) | zlib.js:77:22:77:40 | zlib.createGunzip() |
|
||||
| zlib.js:75:25:75:51 | Readabl ... e.data) | zlib.js:77:22:77:40 | zlib.createGunzip() |
|
||||
| zlib.js:75:25:75:51 | Readabl ... e.data) | zlib.js:78:22:78:39 | zlib.createUnzip() |
|
||||
| zlib.js:75:25:75:51 | Readabl ... e.data) | zlib.js:78:22:78:39 | zlib.createUnzip() |
|
||||
| zlib.js:75:25:75:51 | Readabl ... e.data) | zlib.js:79:22:79:50 | zlib.cr ... press() |
|
||||
| zlib.js:75:25:75:51 | Readabl ... e.data) | zlib.js:79:22:79:50 | zlib.cr ... press() |
|
||||
| zlib.js:75:39:75:45 | zipFile | zlib.js:75:39:75:50 | zipFile.data |
|
||||
| zlib.js:75:39:75:50 | zipFile.data | zlib.js:75:25:75:51 | Readabl ... e.data) |
|
||||
| zlib.js:82:43:82:49 | zipFile | zlib.js:83:39:83:45 | zipFile |
|
||||
| zlib.js:83:11:83:51 | inputStream | zlib.js:86:9:86:19 | inputStream |
|
||||
| zlib.js:83:25:83:51 | Readabl ... e.data) | zlib.js:83:11:83:51 | inputStream |
|
||||
| zlib.js:83:39:83:45 | zipFile | zlib.js:83:39:83:50 | zipFile.data |
|
||||
| zlib.js:83:39:83:50 | zipFile.data | zlib.js:83:25:83:51 | Readabl ... e.data) |
|
||||
| zlib.js:86:9:86:19 | inputStream | zlib.js:87:9:87:27 | zlib.createGunzip() |
|
||||
| zlib.js:86:9:86:19 | inputStream | zlib.js:87:9:87:27 | zlib.createGunzip() |
|
||||
#select
|
||||
| adm-zip.js:28:25:28:42 | zipEntry.getData() | adm-zip.js:13:13:13:21 | req.files | adm-zip.js:28:25:28:42 | zipEntry.getData() | This Decompression depends on a $@. | adm-zip.js:13:13:13:21 | req.files | potentially untrusted source |
|
||||
| adm-zip.js:32:17:32:41 | admZip. ... "10GB") | adm-zip.js:13:13:13:21 | req.files | adm-zip.js:32:17:32:41 | admZip. ... "10GB") | This Decompression depends on a $@. | adm-zip.js:13:13:13:21 | req.files | potentially untrusted source |
|
||||
| adm-zip.js:34:5:34:55 | admZip. ... , true) | adm-zip.js:13:13:13:21 | req.files | adm-zip.js:34:5:34:55 | admZip. ... , true) | This Decompression depends on a $@. | adm-zip.js:13:13:13:21 | req.files | potentially untrusted source |
|
||||
| adm-zip.js:36:5:36:38 | admZip. ... , true) | adm-zip.js:13:13:13:21 | req.files | adm-zip.js:36:5:36:38 | admZip. ... , true) | This Decompression depends on a $@. | adm-zip.js:13:13:13:21 | req.files | potentially untrusted source |
|
||||
| decompress.js:11:16:11:33 | req.query.filePath | decompress.js:11:16:11:33 | req.query.filePath | decompress.js:11:16:11:33 | req.query.filePath | This Decompression depends on a $@. | decompress.js:11:16:11:33 | req.query.filePath | potentially untrusted source |
|
||||
| jszip.js:33:22:33:33 | zipFile.data | jszip.js:12:13:12:21 | req.files | jszip.js:33:22:33:33 | zipFile.data | This Decompression depends on a $@. | jszip.js:12:13:12:21 | req.files | potentially untrusted source |
|
||||
| node-tar.js:24:9:24:15 | tar.x() | node-tar.js:15:13:15:21 | req.files | node-tar.js:24:9:24:15 | tar.x() | This Decompression depends on a $@. | node-tar.js:15:13:15:21 | req.files | potentially untrusted source |
|
||||
| node-tar.js:30:9:33:10 | tar.x({ ... }) | node-tar.js:15:13:15:21 | req.files | node-tar.js:30:9:33:10 | tar.x({ ... }) | This Decompression depends on a $@. | node-tar.js:15:13:15:21 | req.files | potentially untrusted source |
|
||||
| node-tar.js:48:9:50:10 | tar.x({ ... }) | node-tar.js:15:13:15:21 | req.files | node-tar.js:48:9:50:10 | tar.x({ ... }) | This Decompression depends on a $@. | node-tar.js:15:13:15:21 | req.files | potentially untrusted source |
|
||||
| node-tar.js:58:19:58:30 | tarFile.name | node-tar.js:15:13:15:21 | req.files | node-tar.js:58:19:58:30 | tarFile.name | This Decompression depends on a $@. | node-tar.js:15:13:15:21 | req.files | potentially untrusted source |
|
||||
| node-tar.js:59:25:59:36 | tarFile.name | node-tar.js:15:13:15:21 | req.files | node-tar.js:59:25:59:36 | tarFile.name | This Decompression depends on a $@. | node-tar.js:15:13:15:21 | req.files | potentially untrusted source |
|
||||
| pako.js:21:31:21:37 | myArray | pako.js:12:14:12:22 | req.files | pako.js:21:31:21:37 | myArray | This Decompression depends on a $@. | pako.js:12:14:12:22 | req.files | potentially untrusted source |
|
||||
| pako.js:32:31:32:37 | myArray | pako.js:13:14:13:22 | req.files | pako.js:32:31:32:37 | myArray | This Decompression depends on a $@. | pako.js:13:14:13:22 | req.files | potentially untrusted source |
|
||||
| unbzip2.js:12:50:12:54 | bz2() | unbzip2.js:12:25:12:42 | req.query.FilePath | unbzip2.js:12:50:12:54 | bz2() | This Decompression depends on a $@. | unbzip2.js:12:25:12:42 | req.query.FilePath | potentially untrusted source |
|
||||
| unzipper.js:16:23:16:63 | unzippe ... ath' }) | unzipper.js:13:40:13:48 | req.files | unzipper.js:16:23:16:63 | unzippe ... ath' }) | This Decompression depends on a $@. | unzipper.js:13:40:13:48 | req.files | potentially untrusted source |
|
||||
| unzipper.js:19:23:19:41 | unzipper.ParseOne() | unzipper.js:13:40:13:48 | req.files | unzipper.js:19:23:19:41 | unzipper.ParseOne() | This Decompression depends on a $@. | unzipper.js:13:40:13:48 | req.files | potentially untrusted source |
|
||||
| unzipper.js:24:15:24:30 | unzipper.Parse() | unzipper.js:13:40:13:48 | req.files | unzipper.js:24:15:24:30 | unzipper.Parse() | This Decompression depends on a $@. | unzipper.js:13:40:13:48 | req.files | potentially untrusted source |
|
||||
| unzipper.js:34:15:34:30 | unzipper.Parse() | unzipper.js:13:40:13:48 | req.files | unzipper.js:34:15:34:30 | unzipper.Parse() | This Decompression depends on a $@. | unzipper.js:13:40:13:48 | req.files | potentially untrusted source |
|
||||
| unzipper.js:41:35:41:71 | unzippe ... true }) | unzipper.js:13:40:13:48 | req.files | unzipper.js:41:35:41:71 | unzippe ... true }) | This Decompression depends on a $@. | unzipper.js:13:40:13:48 | req.files | potentially untrusted source |
|
||||
| unzipper.js:51:36:51:72 | unzippe ... true }) | unzipper.js:13:40:13:48 | req.files | unzipper.js:51:36:51:72 | unzippe ... true }) | This Decompression depends on a $@. | unzipper.js:13:40:13:48 | req.files | potentially untrusted source |
|
||||
| unzipper.js:60:23:60:38 | unzipper.Parse() | unzipper.js:13:40:13:48 | req.files | unzipper.js:60:23:60:38 | unzipper.Parse() | This Decompression depends on a $@. | unzipper.js:13:40:13:48 | req.files | potentially untrusted source |
|
||||
| unzipper.js:73:23:73:38 | unzipper.Parse() | unzipper.js:13:40:13:48 | req.files | unzipper.js:73:23:73:38 | unzipper.Parse() | This Decompression depends on a $@. | unzipper.js:13:40:13:48 | req.files | potentially untrusted source |
|
||||
| yauzl.js:12:18:12:39 | req.fil ... le.data | yauzl.js:12:18:12:26 | req.files | yauzl.js:12:18:12:39 | req.fil ... le.data | This Decompression depends on a $@. | yauzl.js:12:18:12:26 | req.files | potentially untrusted source |
|
||||
| yauzl.js:13:22:13:43 | req.fil ... le.data | yauzl.js:13:22:13:30 | req.files | yauzl.js:13:22:13:43 | req.fil ... le.data | This Decompression depends on a $@. | yauzl.js:13:22:13:30 | req.files | potentially untrusted source |
|
||||
| yauzl.js:14:34:14:55 | req.fil ... le.data | yauzl.js:14:34:14:42 | req.files | yauzl.js:14:34:14:55 | req.fil ... le.data | This Decompression depends on a $@. | yauzl.js:14:34:14:42 | req.files | potentially untrusted source |
|
||||
| yauzl.js:39:9:39:27 | zipfile.readEntry() | yauzl.js:37:16:37:33 | req.query.filePath | yauzl.js:39:9:39:27 | zipfile.readEntry() | This Decompression depends on a $@. | yauzl.js:37:16:37:33 | req.query.filePath | potentially untrusted source |
|
||||
| yauzl.js:41:64:41:73 | readStream | yauzl.js:37:16:37:33 | req.query.filePath | yauzl.js:41:64:41:73 | readStream | This Decompression depends on a $@. | yauzl.js:37:16:37:33 | req.query.filePath | potentially untrusted source |
|
||||
| yauzl.js:43:21:43:39 | zipfile.readEntry() | yauzl.js:37:16:37:33 | req.query.filePath | yauzl.js:43:21:43:39 | zipfile.readEntry() | This Decompression depends on a $@. | yauzl.js:37:16:37:33 | req.query.filePath | potentially untrusted source |
|
||||
| zlib.js:29:9:29:20 | zipFile.data | zlib.js:15:19:15:27 | req.files | zlib.js:29:9:29:20 | zipFile.data | This Decompression depends on a $@. | zlib.js:15:19:15:27 | req.files | potentially untrusted source |
|
||||
| zlib.js:33:9:33:20 | zipFile.data | zlib.js:15:19:15:27 | req.files | zlib.js:33:9:33:20 | zipFile.data | This Decompression depends on a $@. | zlib.js:15:19:15:27 | req.files | potentially untrusted source |
|
||||
| zlib.js:38:9:38:20 | zipFile.data | zlib.js:15:19:15:27 | req.files | zlib.js:38:9:38:20 | zipFile.data | This Decompression depends on a $@. | zlib.js:15:19:15:27 | req.files | potentially untrusted source |
|
||||
| zlib.js:63:21:63:32 | zipFile.data | zlib.js:17:18:17:26 | req.files | zlib.js:63:21:63:32 | zipFile.data | This Decompression depends on a $@. | zlib.js:17:18:17:26 | req.files | potentially untrusted source |
|
||||
| zlib.js:64:20:64:31 | zipFile.data | zlib.js:17:18:17:26 | req.files | zlib.js:64:20:64:31 | zipFile.data | This Decompression depends on a $@. | zlib.js:17:18:17:26 | req.files | potentially untrusted source |
|
||||
| zlib.js:65:31:65:42 | zipFile.data | zlib.js:17:18:17:26 | req.files | zlib.js:65:31:65:42 | zipFile.data | This Decompression depends on a $@. | zlib.js:17:18:17:26 | req.files | potentially untrusted source |
|
||||
| zlib.js:77:22:77:40 | zlib.createGunzip() | zlib.js:19:24:19:32 | req.files | zlib.js:77:22:77:40 | zlib.createGunzip() | This Decompression depends on a $@. | zlib.js:19:24:19:32 | req.files | potentially untrusted source |
|
||||
| zlib.js:78:22:78:39 | zlib.createUnzip() | zlib.js:19:24:19:32 | req.files | zlib.js:78:22:78:39 | zlib.createUnzip() | This Decompression depends on a $@. | zlib.js:19:24:19:32 | req.files | potentially untrusted source |
|
||||
| zlib.js:79:22:79:50 | zlib.cr ... press() | zlib.js:19:24:19:32 | req.files | zlib.js:79:22:79:50 | zlib.cr ... press() | This Decompression depends on a $@. | zlib.js:19:24:19:32 | req.files | potentially untrusted source |
|
||||
| zlib.js:87:9:87:27 | zlib.createGunzip() | zlib.js:21:32:21:40 | req.files | zlib.js:87:9:87:27 | zlib.createGunzip() | This Decompression depends on a $@. | zlib.js:21:32:21:40 | req.files | potentially untrusted source |
|
||||
@@ -0,0 +1 @@
|
||||
experimental/Security/CWE-522-DecompressionBombs/DecompressionBombs.ql
|
||||
@@ -0,0 +1,37 @@
|
||||
const AdmZip = require("adm-zip");
|
||||
const express = require('express')
|
||||
const fileUpload = require("express-fileupload");
|
||||
const fs = require("fs");
|
||||
const app = express();
|
||||
const port = 3000;
|
||||
app.use(fileUpload());
|
||||
app.listen(port, () => {
|
||||
console.log(`Example app listening on port ${port}`)
|
||||
});
|
||||
|
||||
app.post('/upload', (req, res) => {
|
||||
zipBomb(req.files.zipBombFile)
|
||||
res.send('Hello World!')
|
||||
});
|
||||
|
||||
function zipBomb(tarFile) {
|
||||
fs.writeFileSync(tarFile.name, tarFile.data);
|
||||
// or using fs.writeFile
|
||||
|
||||
// file path is a tmp file name that can get from DB after saving to DB with remote file upload
|
||||
// so the input file name will come from a DB source
|
||||
const admZip
|
||||
= new AdmZip(tarFile.data);
|
||||
const zipEntries = admZip.getEntries();
|
||||
zipEntries.forEach(function (zipEntry) {
|
||||
if (zipEntry.entryName === "my_file.txt") {
|
||||
console.log(zipEntry.getData().toString("utf8"));
|
||||
}
|
||||
});
|
||||
// outputs the content of file named 10GB
|
||||
console.log(admZip.readAsText("10GB"));
|
||||
// extracts the specified file to the specified location
|
||||
admZip.extractEntryTo("10GB", "/tmp/", false, true);
|
||||
// extracts everything
|
||||
admZip.extractAllTo("./tmp", true);
|
||||
}
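Review bot: The `fs.writeFileSync(tarFile.name, tarFile.data)` at the top of `zipBomb` writes the upload to disk under its client-supplied name but the file is never read back — `new AdmZip(tarFile.data)` works from the buffer — so the two comments about a DB-sourced path describe a flow that does not exist in this fixture. Either drop the write and its comments, or load from the written path (`new AdmZip(tarFile.name)`) so the comment matches the code. The sink lines (`getData()`, `readAsText`, `extractEntryTo`, `extractAllTo`) also carry no `// NOT OK` markers, unlike the fflate and unzipper fixtures in this same change, which makes the expected results harder to audit against intent; adding `// NOT OK` to each would align the fixtures.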
|
||||
@@ -0,0 +1,16 @@
|
||||
const decompress = require('decompress');
|
||||
const express = require('express')
|
||||
const fileUpload = require("express-fileupload");
|
||||
|
||||
const app = express();
|
||||
app.use(fileUpload());
|
||||
app.listen(3000, () => {
|
||||
});
|
||||
|
||||
app.post('/upload', async (req, res) => {
|
||||
decompress(req.query.filePath, 'dist').then(files => {
|
||||
console.log('done!');
|
||||
});
|
||||
|
||||
res.send("OK")
|
||||
});
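Review bot: The `decompress(req.query.filePath, 'dist').then(...)` call on the handler's first line has no rejection handler, so a bad path becomes an unhandled rejection rather than a failed request, and the handler is declared `async` but never awaits anything. Since the fixture already models a realistic endpoint, `await decompress(req.query.filePath, 'dist');` inside a try/catch (or a trailing `.catch(next)`) keeps the same sink while making the handler well-formed. A `// NOT OK` marker on the sink line would also document that this is the expected result for the file.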
|
||||
@@ -0,0 +1,63 @@
|
||||
const fflate = require('fflate');
|
||||
const express = require('express')
|
||||
const fileUpload = require("express-fileupload");
|
||||
|
||||
const { writeFileSync } = require("fs");
|
||||
const app = express();
|
||||
app.use(fileUpload());
|
||||
app.listen(3000, () => {
|
||||
});
|
||||
|
||||
app.post('/upload', async (req, res) => {
|
||||
// NOT OK
|
||||
fflate.unzlibSync(new Uint8Array(req.files.CompressedFile.data));
|
||||
fflate.unzip(new Uint8Array(new Uint8Array(req.files.CompressedFile.data)));
|
||||
fflate.unzlib(new Uint8Array(req.files.CompressedFile.data));
|
||||
fflate.unzlibSync(new Uint8Array(req.files.CompressedFile.data));
|
||||
fflate.gunzip(new Uint8Array(req.files.CompressedFile.data));
|
||||
fflate.gunzipSync(new Uint8Array(req.files.CompressedFile.data));
|
||||
fflate.decompress(new Uint8Array(req.files.CompressedFile.data));
|
||||
fflate.decompressSync(new Uint8Array(req.files.CompressedFile.data));
|
||||
|
||||
// OK
|
||||
fflate.unzlibSync(new Uint8Array(req.files.CompressedFile.data), {
|
||||
filter(file) {
|
||||
return file.originalSize <= 1_000_000;
|
||||
}
|
||||
});
|
||||
fflate.unzip(new Uint8Array(new Uint8Array(req.files.CompressedFile.data)), {
|
||||
filter(file) {
|
||||
return file.originalSize <= 1_000_000;
|
||||
}
|
||||
});
|
||||
fflate.unzlib(new Uint8Array(req.files.CompressedFile.data), {
|
||||
filter(file) {
|
||||
return file.originalSize <= 1_000_000;
|
||||
}
|
||||
});
|
||||
fflate.unzlibSync(new Uint8Array(req.files.CompressedFile.data), {
|
||||
filter(file) {
|
||||
return file.originalSize <= 1_000_000;
|
||||
}
|
||||
});
|
||||
fflate.gunzip(new Uint8Array(req.files.CompressedFile.data), {
|
||||
filter(file) {
|
||||
return file.originalSize <= 1_000_000;
|
||||
}
|
||||
});
|
||||
fflate.gunzipSync(new Uint8Array(req.files.CompressedFile.data), {
|
||||
filter(file) {
|
||||
return file.originalSize <= 1_000_000;
|
||||
}
|
||||
});
|
||||
fflate.decompress(new Uint8Array(req.files.CompressedFile.data), {
|
||||
filter(file) {
|
||||
return file.originalSize <= 1_000_000;
|
||||
}
|
||||
});
|
||||
fflate.decompressSync(new Uint8Array(req.files.CompressedFile.data), {
|
||||
filter(file) {
|
||||
return file.originalSize <= 1_000_000;
|
||||
}
|
||||
});
|
||||
});
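Review bot: The `// OK` block applies a `filter(file)` option to `unzlibSync`, `unzlib`, `gunzip`, `gunzipSync`, `decompress` and `decompressSync`, but as far as I know fflate only honours `filter` (with `originalSize`) on `unzip`/`unzipSync`; the single-stream functions take inflate options and bound their output only through a preallocated `out` buffer. If that holds, these six calls are no safer than the `// NOT OK` copies above and either the labels or the query's sanitizer model should be reconciled — worth confirming against the fflate version the query targets. Separately, `fflate.unzip(...)` is the asynchronous form and is called in both blocks without its completion callback, which fflate's async API rejects, so a callback argument should be appended to keep the fixture runnable. The handler also never sends a response.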
|
||||
@@ -0,0 +1,14 @@
|
||||
const gunzipmaybe = require("gunzip-maybe");
|
||||
const express = require('express')
|
||||
const fileUpload = require("express-fileupload");
|
||||
const { Readable } = require('stream');
|
||||
const app = express();
|
||||
app.use(fileUpload());
|
||||
app.listen(3000, () => {
|
||||
});
|
||||
|
||||
app.post('/upload', async (req, res) => {
|
||||
// Unsafe
|
||||
const RemoteStream = Readable.from(req.files.ZipFile.data);
|
||||
RemoteStream.pipe(gunzipmaybe).createWriteStream("tmp")
|
||||
});
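Review bot: `RemoteStream.pipe(gunzipmaybe).createWriteStream("tmp")` on the last line of the handler passes the module factory instead of a stream and then calls `createWriteStream` on the return value of `pipe()`, which is the destination stream; as written this throws before any decompression happens. The intended pipeline is `RemoteStream.pipe(gunzipmaybe()).pipe(fs.createWriteStream("tmp"))`, with `const fs = require("fs");` added to the requires. The `// Unsafe` marker is fine, but the fixture should at least be a valid sink expression so the expected results reflect a call shape the query models.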
|
||||
@@ -0,0 +1,44 @@
|
||||
const jszipp = require("jszip");
|
||||
const express = require('express')
|
||||
const fileUpload = require("express-fileupload");
|
||||
const app = express();
|
||||
const port = 3000;
|
||||
app.use(fileUpload());
|
||||
app.listen(port, () => {
|
||||
console.log(`Example app listening on port ${port}`)
|
||||
});
|
||||
|
||||
app.post('/upload', (req, res) => {
|
||||
zipBomb(req.files.zipBombFile.data)
|
||||
zipBombSafe(req.files.zipBombFile.data)
|
||||
res.send("OK")
|
||||
});
|
||||
|
||||
function zipBombSafe(zipFile) {
|
||||
jszipp.loadAsync(zipFile.data).then(function (zip) {
|
||||
if (zip.file("10GB")["_data"]["uncompressedSize"] > 1024 * 1024 * 8) {
|
||||
console.log("error")
|
||||
return
|
||||
}
|
||||
zip.files["10GB"].async("uint8array").then(function (u8) {
|
||||
console.log(u8);
|
||||
});
|
||||
zip.file("10GB").async("uint8array").then(function (u8) {
|
||||
console.log(u8);
|
||||
});
|
||||
});
|
||||
}
|
||||
|
||||
function zipBomb(zipFile) {
|
||||
jszipp.loadAsync(zipFile.data).then(function (zip) {
|
||||
zip.files["10GB"].async("uint8array").then(function (u8) {
|
||||
console.log(u8);
|
||||
});
|
||||
zip.file("10GB").async("uint8array").then(function (u8) {
|
||||
console.log(u8);
|
||||
});
|
||||
});
|
||||
}
|
||||
|
||||
|
||||
module.exports = { localZipLoad };
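Review bot: `module.exports = { localZipLoad };` at the end of the file references an identifier that is never defined here, so loading the module would throw a ReferenceError; it looks like a leftover from another fixture and should be removed or changed to export `zipBomb`/`zipBombSafe`. The handler also passes `req.files.zipBombFile.data` (the Buffer) while both functions dereference `zipFile.data` again, so the value handed to `jszipp.loadAsync` would be `undefined` at runtime; either pass `req.files.zipBombFile` or read `zipFile` directly. The same double-`.data` mismatch appears in the pako and zlib fixtures further down this change. In `zipBombSafe` the size check reads `zip.file("10GB")["_data"]["uncompressedSize"]`, a private JSZip field rather than public API; if the query is meant to recognise this as a guard, a comment saying so would help the next reader.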
|
||||
@@ -0,0 +1,67 @@
|
||||
const tar = require("tar");
|
||||
const express = require('express')
|
||||
const fileUpload = require("express-fileupload");
|
||||
const { Readable, writeFileSync } = require("stream");
|
||||
const fs = require("fs");
|
||||
const { createGunzip } = require("zlib");
|
||||
const app = express();
|
||||
const port = 3000;
|
||||
app.use(fileUpload());
|
||||
app.listen(port, () => {
|
||||
console.log(`Example app listening on port ${port}`)
|
||||
});
|
||||
|
||||
app.post('/upload', (req, res) => {
|
||||
zipBomb(req.files.zipBombFile.data)
|
||||
res.send('Hello World!')
|
||||
});
|
||||
|
||||
function zipBomb(tarFile) {
|
||||
// scenario 1
|
||||
const inputFile = Readable.from(tarFile.data);
|
||||
const outputFile = fs.createWriteStream('/tmp/untar');
|
||||
inputFile.pipe(
|
||||
tar.x()
|
||||
).pipe(outputFile);
|
||||
|
||||
// scenario 2
|
||||
fs.writeFileSync(tarFile.name, tarFile.data);
|
||||
fs.createReadStream(tarFile.name).pipe(
|
||||
tar.x({
|
||||
strip: 1,
|
||||
C: 'some-dir'
|
||||
})
|
||||
)
|
||||
// safe https://github.com/isaacs/node-tar/blob/8c5af15e43a769fd24aa7f1c84d93e54824d19d2/lib/list.js#L90
|
||||
fs.createReadStream(tarFile.name).pipe(
|
||||
tar.x({
|
||||
strip: 1,
|
||||
C: 'some-dir',
|
||||
maxReadSize: 16 * 1024 * 1024 // 16 MB
|
||||
})
|
||||
)
|
||||
// scenario 3
|
||||
const decompressor = createGunzip();
|
||||
fs.createReadStream(tarFile.name).pipe(
|
||||
decompressor
|
||||
).pipe(
|
||||
tar.x({
|
||||
cwd: "dest"
|
||||
})
|
||||
)
|
||||
|
||||
// scenario 4
|
||||
fs.writeFileSync(tarFile.name, tarFile.data);
|
||||
// or using fs.writeFile
|
||||
// file path is a tmp file name that can get from DB after saving to DB with remote file upload
|
||||
// so the input file name will come from a DB source
|
||||
tar.x({ file: tarFile.name })
|
||||
tar.extract({ file: tarFile.name })
|
||||
// safe https://github.com/isaacs/node-tar/blob/8c5af15e43a769fd24aa7f1c84d93e54824d19d2/lib/list.js#L90
|
||||
tar.x({
|
||||
file: tarFile.name,
|
||||
strip: 1,
|
||||
C: 'some-dir',
|
||||
maxReadSize: 16 * 1024 * 1024 // 16 MB
|
||||
})
|
||||
}
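Review bot: The two `// safe` comments rely on `maxReadSize: 16 * 1024 * 1024`, but node-tar documents `maxReadSize` as the buffer size for `fs.read()` on the input archive, not a cap on extracted bytes, so these extractions would still unpack a bomb in full; if the query treats `maxReadSize` as a sanitizer that should be reconsidered, and the fixture comments should say what the option actually bounds. I read the linked list.js reference as governing chunked reads of the input rather than output size, but please confirm against the node-tar version being modelled. Separately, `const { Readable, writeFileSync } = require("stream");` pulls `writeFileSync` from the wrong module and never uses it (the code calls `fs.writeFileSync`), so the destructuring should be `const { Readable } = require("stream");`.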
|
||||
@@ -0,0 +1,37 @@
|
||||
const pako = require('pako');
|
||||
const express = require('express')
|
||||
const fileUpload = require("express-fileupload");
|
||||
const app = express();
|
||||
const port = 3000;
|
||||
app.use(fileUpload());
|
||||
app.listen(port, () => {
|
||||
console.log(`Example app listening on port ${port}`)
|
||||
});
|
||||
|
||||
app.post('/upload', (req, res) => {
|
||||
zipBomb1(req.files.zipBombFile.data);
|
||||
zipBomb2(req.files.zipBombFile.data);
|
||||
res.send('Hello World!');
|
||||
});
|
||||
|
||||
function zipBomb1(zipFile) {
|
||||
const myArray = Buffer.from(new Uint8Array(zipFile.data.buffer));
|
||||
let output;
|
||||
try {
|
||||
output = pako.inflate(myArray);
|
||||
console.log(output);
|
||||
} catch (err) {
|
||||
console.log(err);
|
||||
}
|
||||
}
|
||||
|
||||
function zipBomb2(zipFile) {
|
||||
const myArray = new Uint8Array(zipFile.data.buffer).buffer;
|
||||
let output;
|
||||
try {
|
||||
output = pako.inflate(myArray);
|
||||
console.log(output);
|
||||
} catch (err) {
|
||||
console.log(err);
|
||||
}
|
||||
}
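Review bot: `new Uint8Array(zipFile.data.buffer)` in both `zipBomb1` and `zipBomb2` views the whole underlying ArrayBuffer, and for a Node Buffer that is frequently a shared pool slab larger than the Buffer itself, so the bytes handed to `pako.inflate` can include unrelated data before and after the upload; the view should be bounded as `new Uint8Array(zipFile.data.buffer, zipFile.data.byteOffset, zipFile.data.byteLength)`. As in the jszip fixture, the handler passes `req.files.zipBombFile.data` and the functions then read `.data` again, so `zipFile.data.buffer` would be a property access on `undefined`. The `try/catch` that logs and continues is acceptable for a fixture, but note that it also hides the resulting TypeError.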
|
||||
@@ -0,0 +1,13 @@
|
||||
var bz2 = require('unbzip2-stream');
|
||||
var fs = require('fs');
|
||||
const express = require('express')
|
||||
const fileUpload = require("express-fileupload");
|
||||
|
||||
const app = express();
|
||||
app.use(fileUpload());
|
||||
app.listen(3000, () => {
|
||||
});
|
||||
|
||||
app.post('/upload', async (req, res) => {
|
||||
fs.createReadStream(req.query.FilePath).pipe(bz2()).pipe(process.stdout);
|
||||
});
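Review bot: The requires use `var bz2` and `var fs` while the rest of the file and the sibling fixtures use `const`; `const bz2 = require('unbzip2-stream');` and `const fs = require('fs');` keep the file consistent. The chain `fs.createReadStream(req.query.FilePath).pipe(bz2()).pipe(process.stdout)` has no `'error'` listener on any stage, so a missing file or corrupt archive surfaces as an uncaught exception rather than a failed request, and the handler never responds; for a fixture that is tolerable, but a one-line `res.send("OK")` as in the other fixtures would keep them uniform.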
|
||||
@@ -0,0 +1,26 @@
|
||||
const unzip = require("unzip");
|
||||
const { createWriteStream } = require("fs");
|
||||
const express = require('express')
|
||||
const fileUpload = require("express-fileupload");
|
||||
const { Readable } = require("stream");
|
||||
|
||||
const app = express();
|
||||
app.use(fileUpload());
|
||||
app.listen(3000, () => {
|
||||
});
|
||||
|
||||
app.post('/upload', async (req, res) => {
|
||||
const InputStream = Readable.from(req.files.ZipFile.data);
|
||||
InputStream.pipe(unzip.Parse())
|
||||
.on('entry', function (entry) {
|
||||
if (entry.uncompressedSize > 1024) {
|
||||
throw "uncompressed size exceed"
|
||||
}
|
||||
});
|
||||
|
||||
|
||||
let writeStream = createWriteStream('output/path');
|
||||
InputStream
|
||||
.pipe(unzip.Parse())
|
||||
.pipe(writeStream)
|
||||
});
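Review bot: The size guard in the `'entry'` handler does `throw "uncompressed size exceed"` — a string, thrown inside a stream event callback, which surfaces as an uncaught exception and takes the process down rather than failing the request; `throw new Error('uncompressed size exceeded')` at minimum, and in practice the entry should be drained (`entry.autodrain()`) or the parse stream destroyed instead of thrown out of. Entries that pass the check are never consumed either, so the parser may stall on backpressure. The second pipeline pipes the same `InputStream` into a fresh `unzip.Parse()` and straight into a single write stream, which is presumably the unguarded sink the test targets; a `// Unsafe` marker there, matching the unzipper fixture, would make that explicit.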
|
||||
@@ -0,0 +1,106 @@
|
||||
const unzipper = require("unzipper");
|
||||
const express = require('express')
|
||||
const fileUpload = require("express-fileupload");
|
||||
const { Readable } = require('stream');
|
||||
const { createWriteStream, readFileSync } = require("fs");
|
||||
const stream = require("node:stream");
|
||||
const app = express();
|
||||
app.use(fileUpload());
|
||||
app.listen(3000, () => {
|
||||
});
|
||||
|
||||
app.post('/upload', async (req, res) => {
|
||||
const RemoteStream = Readable.from(req.files.ZipFile.data);
|
||||
|
||||
// Unsafe
|
||||
RemoteStream.pipe(unzipper.Extract({ path: 'output/path' }));
|
||||
|
||||
// Unsafe
|
||||
RemoteStream.pipe(unzipper.ParseOne())
|
||||
.pipe(createWriteStream('firstFile.txt'));
|
||||
|
||||
// Safe because of uncompressedSize
|
||||
RemoteStream
|
||||
.pipe(unzipper.Parse())
|
||||
.on('entry', function (entry) {
|
||||
const size = entry.vars.uncompressedSize;
|
||||
if (size < 1024 * 1024 * 1024) {
|
||||
entry.pipe(createWriteStream('output/path'));
|
||||
}
|
||||
});
|
||||
|
||||
// Unsafe
|
||||
RemoteStream
|
||||
.pipe(unzipper.Parse())
|
||||
.on('entry', function (entry) {
|
||||
const size = entry.vars.uncompressedSize;
|
||||
entry.pipe(createWriteStream('output/path'));
|
||||
});
|
||||
|
||||
// Unsafe
|
||||
const zip = RemoteStream.pipe(unzipper.Parse({ forceStream: true }));
|
||||
for await (const entry of zip) {
|
||||
const fileName = entry.path;
|
||||
if (fileName === "this IS the file I'm looking for") {
|
||||
entry.pipe(createWriteStream('output/path'));
|
||||
} else {
|
||||
entry.autodrain();
|
||||
}
|
||||
}
|
||||
// Safe
|
||||
const zip2 = RemoteStream.pipe(unzipper.Parse({ forceStream: true }));
|
||||
for await (const entry of zip2) {
|
||||
const size = entry.vars.uncompressedSize;
|
||||
if (size < 1024 * 1024 * 1024) {
|
||||
entry.pipe(createWriteStream('output/path'));
|
||||
}
|
||||
}
|
||||
|
||||
// Safe because of uncompressedSize
|
||||
RemoteStream.pipe(unzipper.Parse())
|
||||
.pipe(stream.Transform({
|
||||
objectMode: true,
|
||||
transform: function (entry, e, cb) {
|
||||
const size = entry.vars.uncompressedSize; // There is also compressedSize;
|
||||
if (size < 1024 * 1024 * 1024) {
|
||||
entry.pipe(createWriteStream('output/path'))
|
||||
.on('finish', cb);
|
||||
}
|
||||
}
|
||||
}));
|
||||
|
||||
// Unsafe
|
||||
RemoteStream.pipe(unzipper.Parse())
|
||||
.pipe(stream.Transform({
|
||||
objectMode: true,
|
||||
transform: function (entry, e, cb) {
|
||||
entry.pipe(createWriteStream('output/path'))
|
||||
.on('finish', cb);
|
||||
}
|
||||
}));
|
||||
|
||||
let directory = await unzipper.Open.file('path/to/archive.zip');
|
||||
new Promise((resolve, reject) => {
|
||||
directory.files[0]
|
||||
.stream()
|
||||
.pipe(fs.createWriteStream('firstFile'))
|
||||
.on('error', reject)
|
||||
.on('finish', resolve)
|
||||
});
|
||||
|
||||
const request = require('request');
|
||||
// Unsafe
|
||||
directory = await unzipper.Open.url(request, 'http://example.com/example.zip');
|
||||
const file = directory.files.find(d => d.path === 'example.xml');
|
||||
await file.buffer();
|
||||
|
||||
// Unsafe
|
||||
const buffer = readFileSync(request.query.FilePath);
|
||||
directory = await unzipper.Open.buffer(buffer);
|
||||
directory.files[0].buffer();
|
||||
|
||||
// Unsafe
|
||||
unzipper.Open.file(request.query.FilePath)
|
||||
.then(d => d.extract({ path: '/extraction/path', concurrency: 5 }));
|
||||
|
||||
});
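Review bot: The two `// Unsafe` blocks near the end read `request.query.FilePath`, but `request` at that point is the `request` npm module required just above, not the Express `req` object, so the remote-source flow the fixture intends (`req.query.FilePath`) is not what the code expresses; both occurrences should be `req.query.FilePath`. `fs.createWriteStream('firstFile')` inside the `directory.files[0]` promise also references `fs`, which is never required here (only `createWriteStream` and `readFileSync` are destructured), so that line should use `createWriteStream('firstFile')`. The same `RemoteStream` is piped into seven consumers in one handler, which is fine for static tests but means the file would not behave as a runnable example.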
|
||||
@@ -0,0 +1,54 @@
|
||||
const { pipeline } = require('stream/promises');
|
||||
const yauzl = require("yauzl");
|
||||
const fs = require("fs");
|
||||
const express = require('express')
|
||||
const fileUpload = require("express-fileupload");
|
||||
const app = express();
|
||||
app.use(fileUpload());
|
||||
app.listen(3000, () => {
|
||||
});
|
||||
|
||||
app.post('/upload', (req, res) => {
|
||||
yauzl.fromFd(req.files.zipFile.data)
|
||||
yauzl.fromBuffer(req.files.zipFile.data)
|
||||
yauzl.fromRandomAccessReader(req.files.zipFile.data)
|
||||
// Safe
|
||||
yauzl.open(req.query.filePath, { lazyEntries: true }, function (err, zipfile) {
|
||||
if (err) throw err;
|
||||
zipfile.readEntry();
|
||||
zipfile.on("entry", function (entry) {
|
||||
zipfile.openReadStream(entry, async function (err, readStream) {
|
||||
if (err) throw err;
|
||||
if (entry.uncompressedSize > 1024 * 1024 * 1024) {
|
||||
throw err
|
||||
}
|
||||
readStream.on("end", function () {
|
||||
zipfile.readEntry();
|
||||
});
|
||||
const outputFile = fs.createWriteStream('testiness');
|
||||
await pipeline(
|
||||
readStream,
|
||||
outputFile
|
||||
)
|
||||
});
|
||||
});
|
||||
});
|
||||
// Unsafe
|
||||
yauzl.open(req.query.filePath, { lazyEntries: true }, function (err, zipfile) {
|
||||
if (err) throw err;
|
||||
zipfile.readEntry();
|
||||
zipfile.on("entry", function (entry) {
|
||||
zipfile.openReadStream(entry, async function (err, readStream) {
|
||||
readStream.on("end", function () {
|
||||
zipfile.readEntry();
|
||||
});
|
||||
const outputFile = fs.createWriteStream('testiness');
|
||||
await pipeline(
|
||||
readStream,
|
||||
outputFile
|
||||
)
|
||||
});
|
||||
});
|
||||
});
|
||||
res.send("OK")
|
||||
});
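Review bot: In the `// Safe` block the size check `if (entry.uncompressedSize > 1024 * 1024 * 1024) { throw err }` throws `err`, which the line just before has established is falsy, so a too-large entry results in `throw null`; it should be `throw new Error('uncompressed size exceeds limit')`, and ideally the check should run in the `'entry'` handler before `openReadStream` is called so no decompression starts for rejected entries. Relying on `entry.uncompressedSize` is sound here only because yauzl validates declared sizes against actual output by default (`validateEntrySizes`), so a comment stating that assumption would help a future reader; worth confirming against the yauzl version targeted. The first three calls (`fromFd`/`fromBuffer`/`fromRandomAccessReader`) are invoked without callbacks and `fromFd` is given a Buffer rather than a descriptor, which is acceptable as sink fixtures, but they should carry `// Unsafe` markers like the block below.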
|
||||
@@ -0,0 +1,98 @@
|
||||
const fs = require("fs");
|
||||
const zlib = require("node:zlib");
|
||||
const { Readable } = require('stream');
|
||||
const express = require('express');
|
||||
const fileUpload = require("express-fileupload");
|
||||
const app = express();
|
||||
const port = 3000;
|
||||
const stream = require('stream/promises');
|
||||
app.use(fileUpload());
|
||||
app.listen(port, () => {
|
||||
console.log(`Example app listening on port ${port}`)
|
||||
});
|
||||
|
||||
app.post('/upload', async (req, res) => {
|
||||
zlibBombAsync(req.files.zipBombFile.data)
|
||||
zlibBombAsyncSafe(req.files.zipBombFile.data);
|
||||
zlibBombSync(req.files.zipBombFile.data)
|
||||
zlibBombSyncSafe(req.files.zipBombFile.data)
|
||||
zlibBombPipeStream(req.files.zipBombFile.data)
|
||||
zlibBombPipeStreamSafe(req.files.zipBombFile.data)
|
||||
zlibBombPipeStreamPromises(req.files.zipBombFile.data).then(r =>
|
||||
console.log("sone"));
|
||||
res.send('Hello World!')
|
||||
});
|
||||
|
||||
|
||||
function zlibBombAsync(zipFile) {
|
||||
zlib.gunzip(
|
||||
zipFile.data,
|
||||
(err, buffer) => {
|
||||
});
|
||||
zlib.unzip(
|
||||
zipFile.data,
|
||||
(err, buffer) => {
|
||||
});
|
||||
|
||||
zlib.brotliDecompress(
|
||||
zipFile.data,
|
||||
(err, buffer) => {
|
||||
});
|
||||
}
|
||||
|
||||
function zlibBombAsyncSafe(zipFile) {
|
||||
zlib.gunzip(
|
||||
zipFile.data,
|
||||
{ maxOutputLength: 1024 * 1024 * 5 },
|
||||
(err, buffer) => {
|
||||
});
|
||||
zlib.unzip(
|
||||
zipFile.data,
|
||||
{ maxOutputLength: 1024 * 1024 * 5 },
|
||||
(err, buffer) => {
|
||||
});
|
||||
|
||||
zlib.brotliDecompress(
|
||||
zipFile.data,
|
||||
{ maxOutputLength: 1024 * 1024 * 5 },
|
||||
(err, buffer) => {
|
||||
});
|
||||
}
|
||||
|
||||
function zlibBombSync(zipFile) {
|
||||
zlib.gunzipSync(zipFile.data, { finishFlush: zlib.constants.Z_SYNC_FLUSH });
|
||||
zlib.unzipSync(zipFile.data);
|
||||
zlib.brotliDecompressSync(zipFile.data);
|
||||
}
|
||||
|
||||
function zlibBombSyncSafe(zipFile) {
|
||||
zlib.gunzipSync(zipFile.data, { finishFlush: zlib.constants.Z_SYNC_FLUSH, maxOutputLength: 1024 * 1024 * 5 });
|
||||
zlib.unzipSync(zipFile.data, { maxOutputLength: 1024 * 1024 * 5 });
|
||||
zlib.brotliDecompressSync(zipFile.data, { maxOutputLength: 1024 * 1024 * 5 });
|
||||
}
|
||||
|
||||
function zlibBombPipeStream(zipFile) {
|
||||
const inputStream = Readable.from(zipFile.data);
|
||||
const outputFile = fs.createWriteStream('unzip.txt');
|
||||
inputStream.pipe(zlib.createGunzip()).pipe(outputFile);
|
||||
inputStream.pipe(zlib.createUnzip()).pipe(outputFile);
|
||||
inputStream.pipe(zlib.createBrotliDecompress()).pipe(outputFile);
|
||||
}
|
||||
|
||||
async function zlibBombPipeStreamPromises(zipFile) {
|
||||
const inputStream = Readable.from(zipFile.data);
|
||||
const outputFile = fs.createWriteStream('unzip.txt');
|
||||
await stream.pipeline(
|
||||
inputStream,
|
||||
zlib.createGunzip(),
|
||||
outputFile
|
||||
)
|
||||
}
|
||||
|
||||
function zlibBombPipeStreamSafe(zipFile) {
|
||||
const inputFile = Readable.from(zipFile.data);
|
||||
const outputFile = fs.createWriteStream('unzip.txt');
|
||||
inputFile.pipe(zlib.createGunzip({ maxOutputLength: 1024 * 1024 * 5 })).pipe(outputFile);
|
||||
inputFile.pipe(zlib.createUnzip({ maxOutputLength: 1024 * 1024 * 5 })).pipe(outputFile);
|
||||
inputFile.pipe(zlib.createBrotliDecompress({ maxOutputLength: 1024 * 1024 * 5 })).pipe(outputFile);
|
||||
}
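Review bot: `zlibBombPipeStream` and `zlibBombPipeStreamSafe` pipe three decompressors into the same `outputFile`; the first pipe to finish ends the write stream, so the remaining two hit write-after-end errors, and piping one `inputStream` into three consumers delivers the same bytes to each. For fixtures meant to be three independent sinks, a separate `fs.createWriteStream` per pipe (or one function per decompressor, as the sync and async variants already do) would keep the file runnable. The handler's log message `"sone"` looks like a typo for `"done"`. The `zipFile.data` double dereference noted on the jszip fixture applies here as well, since the handler already passes `req.files.zipBombFile.data`.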
|
||||
@@ -153,12 +153,12 @@ nodes
|
||||
| HardcodedCredentials.js:135:41:135:50 | "hgfedcba" |
|
||||
| HardcodedCredentials.js:135:41:135:50 | "hgfedcba" |
|
||||
| HardcodedCredentials.js:135:41:135:50 | "hgfedcba" |
|
||||
| HardcodedCredentials.js:160:38:160:48 | "change_me" |
|
||||
| HardcodedCredentials.js:160:38:160:48 | "change_me" |
|
||||
| HardcodedCredentials.js:160:38:160:48 | "change_me" |
|
||||
| HardcodedCredentials.js:161:41:161:51 | 'change_me' |
|
||||
| HardcodedCredentials.js:161:41:161:51 | 'change_me' |
|
||||
| HardcodedCredentials.js:161:41:161:51 | 'change_me' |
|
||||
| HardcodedCredentials.js:160:38:160:56 | "oiuneawrgiyubaegr" |
|
||||
| HardcodedCredentials.js:160:38:160:56 | "oiuneawrgiyubaegr" |
|
||||
| HardcodedCredentials.js:160:38:160:56 | "oiuneawrgiyubaegr" |
|
||||
| HardcodedCredentials.js:161:41:161:59 | 'oiuneawrgiyubaegr' |
|
||||
| HardcodedCredentials.js:161:41:161:59 | 'oiuneawrgiyubaegr' |
|
||||
| HardcodedCredentials.js:161:41:161:59 | 'oiuneawrgiyubaegr' |
|
||||
| HardcodedCredentials.js:164:35:164:45 | 'change_me' |
|
||||
| HardcodedCredentials.js:164:35:164:45 | 'change_me' |
|
||||
| HardcodedCredentials.js:164:35:164:45 | 'change_me' |
|
||||
@@ -271,6 +271,18 @@ nodes
|
||||
| HardcodedCredentials.js:295:37:295:66 | `Basic ... 000001` |
|
||||
| HardcodedCredentials.js:295:37:295:66 | `Basic ... 000001` |
|
||||
| HardcodedCredentials.js:295:37:295:66 | `Basic ... 000001` |
|
||||
| HardcodedCredentials.js:299:44:299:52 | 'mytoken' |
|
||||
| HardcodedCredentials.js:299:44:299:52 | 'mytoken' |
|
||||
| HardcodedCredentials.js:299:44:299:52 | 'mytoken' |
|
||||
| HardcodedCredentials.js:300:44:300:56 | 'SampleToken' |
|
||||
| HardcodedCredentials.js:300:44:300:56 | 'SampleToken' |
|
||||
| HardcodedCredentials.js:300:44:300:56 | 'SampleToken' |
|
||||
| HardcodedCredentials.js:301:44:301:55 | 'MyPassword' |
|
||||
| HardcodedCredentials.js:301:44:301:55 | 'MyPassword' |
|
||||
| HardcodedCredentials.js:301:44:301:55 | 'MyPassword' |
|
||||
| HardcodedCredentials.js:302:44:302:69 | 'iubfew ... ybgera' |
|
||||
| HardcodedCredentials.js:302:44:302:69 | 'iubfew ... ybgera' |
|
||||
| HardcodedCredentials.js:302:44:302:69 | 'iubfew ... ybgera' |
|
||||
edges
|
||||
| HardcodedCredentials.js:5:15:5:22 | 'dbuser' | HardcodedCredentials.js:5:15:5:22 | 'dbuser' |
|
||||
| HardcodedCredentials.js:8:19:8:28 | 'hgfedcba' | HardcodedCredentials.js:8:19:8:28 | 'hgfedcba' |
|
||||
@@ -326,8 +338,8 @@ edges
|
||||
| HardcodedCredentials.js:130:44:130:53 | 'hgfedcba' | HardcodedCredentials.js:130:44:130:53 | 'hgfedcba' |
|
||||
| HardcodedCredentials.js:131:52:131:61 | 'hgfedcba' | HardcodedCredentials.js:131:52:131:61 | 'hgfedcba' |
|
||||
| HardcodedCredentials.js:135:41:135:50 | "hgfedcba" | HardcodedCredentials.js:135:41:135:50 | "hgfedcba" |
|
||||
| HardcodedCredentials.js:160:38:160:48 | "change_me" | HardcodedCredentials.js:160:38:160:48 | "change_me" |
|
||||
| HardcodedCredentials.js:161:41:161:51 | 'change_me' | HardcodedCredentials.js:161:41:161:51 | 'change_me' |
|
||||
| HardcodedCredentials.js:160:38:160:56 | "oiuneawrgiyubaegr" | HardcodedCredentials.js:160:38:160:56 | "oiuneawrgiyubaegr" |
|
||||
| HardcodedCredentials.js:161:41:161:59 | 'oiuneawrgiyubaegr' | HardcodedCredentials.js:161:41:161:59 | 'oiuneawrgiyubaegr' |
|
||||
| HardcodedCredentials.js:164:35:164:45 | 'change_me' | HardcodedCredentials.js:164:35:164:45 | 'change_me' |
|
||||
| HardcodedCredentials.js:171:11:171:25 | USER | HardcodedCredentials.js:173:35:173:38 | USER |
|
||||
| HardcodedCredentials.js:171:18:171:25 | 'sdsdag' | HardcodedCredentials.js:171:11:171:25 | USER |
|
||||
@@ -399,6 +411,10 @@ edges
|
||||
| HardcodedCredentials.js:293:37:293:65 | `Basic ... xxxxxx` | HardcodedCredentials.js:293:37:293:65 | `Basic ... xxxxxx` |
|
||||
| HardcodedCredentials.js:294:37:294:70 | `Basic ... gbbbbb` | HardcodedCredentials.js:294:37:294:70 | `Basic ... gbbbbb` |
|
||||
| HardcodedCredentials.js:295:37:295:66 | `Basic ... 000001` | HardcodedCredentials.js:295:37:295:66 | `Basic ... 000001` |
|
||||
| HardcodedCredentials.js:299:44:299:52 | 'mytoken' | HardcodedCredentials.js:299:44:299:52 | 'mytoken' |
|
||||
| HardcodedCredentials.js:300:44:300:56 | 'SampleToken' | HardcodedCredentials.js:300:44:300:56 | 'SampleToken' |
|
||||
| HardcodedCredentials.js:301:44:301:55 | 'MyPassword' | HardcodedCredentials.js:301:44:301:55 | 'MyPassword' |
|
||||
| HardcodedCredentials.js:302:44:302:69 | 'iubfew ... ybgera' | HardcodedCredentials.js:302:44:302:69 | 'iubfew ... ybgera' |
|
||||
#select
|
||||
| HardcodedCredentials.js:5:15:5:22 | 'dbuser' | HardcodedCredentials.js:5:15:5:22 | 'dbuser' | HardcodedCredentials.js:5:15:5:22 | 'dbuser' | The hard-coded value "dbuser" is used as $@. | HardcodedCredentials.js:5:15:5:22 | 'dbuser' | user name |
|
||||
| HardcodedCredentials.js:8:19:8:28 | 'hgfedcba' | HardcodedCredentials.js:8:19:8:28 | 'hgfedcba' | HardcodedCredentials.js:8:19:8:28 | 'hgfedcba' | The hard-coded value "hgfedcba" is used as $@. | HardcodedCredentials.js:8:19:8:28 | 'hgfedcba' | password |
|
||||
@@ -448,8 +464,8 @@ edges
|
||||
| HardcodedCredentials.js:130:44:130:53 | 'hgfedcba' | HardcodedCredentials.js:130:44:130:53 | 'hgfedcba' | HardcodedCredentials.js:130:44:130:53 | 'hgfedcba' | The hard-coded value "hgfedcba" is used as $@. | HardcodedCredentials.js:130:44:130:53 | 'hgfedcba' | key |
|
||||
| HardcodedCredentials.js:131:52:131:61 | 'hgfedcba' | HardcodedCredentials.js:131:52:131:61 | 'hgfedcba' | HardcodedCredentials.js:131:52:131:61 | 'hgfedcba' | The hard-coded value "hgfedcba" is used as $@. | HardcodedCredentials.js:131:52:131:61 | 'hgfedcba' | key |
|
||||
| HardcodedCredentials.js:135:41:135:50 | "hgfedcba" | HardcodedCredentials.js:135:41:135:50 | "hgfedcba" | HardcodedCredentials.js:135:41:135:50 | "hgfedcba" | The hard-coded value "hgfedcba" is used as $@. | HardcodedCredentials.js:135:41:135:50 | "hgfedcba" | key |
|
||||
| HardcodedCredentials.js:160:38:160:48 | "change_me" | HardcodedCredentials.js:160:38:160:48 | "change_me" | HardcodedCredentials.js:160:38:160:48 | "change_me" | The hard-coded value "change_me" is used as $@. | HardcodedCredentials.js:160:38:160:48 | "change_me" | key |
|
||||
| HardcodedCredentials.js:161:41:161:51 | 'change_me' | HardcodedCredentials.js:161:41:161:51 | 'change_me' | HardcodedCredentials.js:161:41:161:51 | 'change_me' | The hard-coded value "change_me" is used as $@. | HardcodedCredentials.js:161:41:161:51 | 'change_me' | key |
|
||||
| HardcodedCredentials.js:160:38:160:56 | "oiuneawrgiyubaegr" | HardcodedCredentials.js:160:38:160:56 | "oiuneawrgiyubaegr" | HardcodedCredentials.js:160:38:160:56 | "oiuneawrgiyubaegr" | The hard-coded value "oiuneawrgiyubaegr" is used as $@. | HardcodedCredentials.js:160:38:160:56 | "oiuneawrgiyubaegr" | key |
|
||||
| HardcodedCredentials.js:161:41:161:59 | 'oiuneawrgiyubaegr' | HardcodedCredentials.js:161:41:161:59 | 'oiuneawrgiyubaegr' | HardcodedCredentials.js:161:41:161:59 | 'oiuneawrgiyubaegr' | The hard-coded value "oiuneawrgiyubaegr" is used as $@. | HardcodedCredentials.js:161:41:161:59 | 'oiuneawrgiyubaegr' | key |
|
||||
| HardcodedCredentials.js:171:18:171:25 | 'sdsdag' | HardcodedCredentials.js:171:18:171:25 | 'sdsdag' | HardcodedCredentials.js:178:30:178:44 | `Basic ${AUTH}` | The hard-coded value "sdsdag" is used as $@. | HardcodedCredentials.js:178:30:178:44 | `Basic ${AUTH}` | authorization header |
|
||||
| HardcodedCredentials.js:171:18:171:25 | 'sdsdag' | HardcodedCredentials.js:171:18:171:25 | 'sdsdag' | HardcodedCredentials.js:188:30:188:44 | `Basic ${AUTH}` | The hard-coded value "sdsdag" is used as $@. | HardcodedCredentials.js:188:30:188:44 | `Basic ${AUTH}` | authorization header |
|
||||
| HardcodedCredentials.js:171:18:171:25 | 'sdsdag' | HardcodedCredentials.js:171:18:171:25 | 'sdsdag' | HardcodedCredentials.js:195:37:195:51 | `Basic ${AUTH}` | The hard-coded value "sdsdag" is used as $@. | HardcodedCredentials.js:195:37:195:51 | `Basic ${AUTH}` | authorization header |
|
||||
@@ -464,3 +480,4 @@ edges
|
||||
| HardcodedCredentials.js:245:22:245:44 | "myHard ... ateKey" | HardcodedCredentials.js:245:22:245:44 | "myHard ... ateKey" | HardcodedCredentials.js:246:42:246:51 | privateKey | The hard-coded value "myHardCodedPrivateKey" is used as $@. | HardcodedCredentials.js:246:42:246:51 | privateKey | key |
|
||||
| HardcodedCredentials.js:292:37:292:57 | `Basic ... sdsdag` | HardcodedCredentials.js:292:37:292:57 | `Basic ... sdsdag` | HardcodedCredentials.js:292:37:292:57 | `Basic ... sdsdag` | The hard-coded value "Basic sdsdag:sdsdag" is used as $@. | HardcodedCredentials.js:292:37:292:57 | `Basic ... sdsdag` | authorization header |
|
||||
| HardcodedCredentials.js:294:37:294:70 | `Basic ... gbbbbb` | HardcodedCredentials.js:294:37:294:70 | `Basic ... gbbbbb` | HardcodedCredentials.js:294:37:294:70 | `Basic ... gbbbbb` | The hard-coded value "Basic sdsdag:aaaiuogrweuibgbbbbb" is used as $@. | HardcodedCredentials.js:294:37:294:70 | `Basic ... gbbbbb` | authorization header |
|
||||
| HardcodedCredentials.js:302:44:302:69 | 'iubfew ... ybgera' | HardcodedCredentials.js:302:44:302:69 | 'iubfew ... ybgera' | HardcodedCredentials.js:302:44:302:69 | 'iubfew ... ybgera' | The hard-coded value "iubfewiaaweiybgaeuybgera" is used as $@. | HardcodedCredentials.js:302:44:302:69 | 'iubfew ... ybgera' | key |
|
||||
|
||||
@@ -157,8 +157,8 @@
|
||||
})();
|
||||
|
||||
(function(){
|
||||
require("cookie-session")({ secret: "change_me" }); // NOT OK
|
||||
require('crypto').createHmac('sha256', 'change_me'); // NOT OK
|
||||
require("cookie-session")({ secret: "oiuneawrgiyubaegr" }); // NOT OK
|
||||
require('crypto').createHmac('sha256', 'oiuneawrgiyubaegr'); // NOT OK
|
||||
|
||||
var basicAuth = require('express-basic-auth');
|
||||
basicAuth({users: { [adminName]: 'change_me' }}); // OK
|
||||
@@ -294,3 +294,10 @@
|
||||
headers.append("Authorization", `Basic sdsdag:aaaiuogrweuibgbbbbb`); // NOT OK
|
||||
headers.append("Authorization", `Basic sdsdag:000000000000001`); // OK
|
||||
});
|
||||
|
||||
(function () {
|
||||
require('crypto').createHmac('sha256', 'mytoken'); // OK
|
||||
require('crypto').createHmac('sha256', 'SampleToken'); // OK
|
||||
require('crypto').createHmac('sha256', 'MyPassword'); // OK
|
||||
require('crypto').createHmac('sha256', 'iubfewiaaweiybgaeuybgera'); // NOT OK
|
||||
})();
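Review bot: The added IIFE marks `'mytoken'`, `'SampleToken'` and `'MyPassword'` as `// OK` and only the random-looking string as `// NOT OK`, but nothing in the fixture says why those are accepted; presumably the query now treats placeholder-looking values as non-credentials, and the change in the earlier hunk around the cookie-session/createHmac lines (where `"change_me"` and `"oiuneawrgiyubaegr"` both appear) suggests the same. A one-line comment above the block, e.g. `// OK: placeholder-looking values are not reported as hard-coded credentials`, would make the expected behaviour explicit and stop a future maintainer from "fixing" the labels. The earlier hunk at `@@ -157,8 +157,8 @@` also cuts through its enclosing IIFE, whose closing line is outside the diff.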
|
||||