JS: Functionality from untrusted sources query (CWE-830)

Stephan Brandauer
2022-02-14 09:47:54 +01:00
parent e42f759f6b
commit 6722c17bb0
6 changed files with 138 additions and 0 deletions

@@ -0,0 +1,3 @@
| test.html:6:9:6:56 | <script>...</> | HTML-element imports untrusted content (script elements should use an https link and/or use the integrity attribute) |
| test.html:9:9:9:58 | <iframe>...</> | HTML-element imports untrusted content (iframe elements should use an https link) |
| test.html:11:9:11:53 | <iframe>...</> | HTML-element imports untrusted content (iframe elements should use an https link) |
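Review bot: The alert at test.html:11 is for the protocol-relative iframe (`src="//test.local/foo.html"`), but its message is the same "iframe elements should use an https link" text as the plain http case at test.html:9, so it does not explain why a URL with no `http:` in it was flagged. Consider a message variant for protocol-relative URLs that says the scheme is inherited from the embedding page. Including the offending URL in the message would also make each of the three rows easier to triage.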

@@ -0,0 +1 @@
Security/CWE-830/FunctionalityFromUntrustedSource.ql

@@ -0,0 +1,13 @@
<!DOCTYPE html>
<html>
<head>
</head>
<body>
<script src="http://test.local/foo.js"></script>> <!-- NOT OK -->
<script src="http://test.local/foo.js" integrity="some-integrity-hash"></script>> <!-- OK (integrity digest present) -->
<script src="https://test.local/bar.js"></script>> <!-- OK (https) -->
<iframe src="http://test.local/foo.html"></iframe> <!-- NOT OK -->
<iframe src="https://test.local/foo.html"></iframe> <!-- OK (https) -->
<iframe src="//test.local/foo.html"></iframe> <!-- NOT OK (protocol-relative url) -->
</body>
</html>
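Review bot: The script cases on lines 6 to 8 cover http, http with integrity, and https, but there is no script with a protocol-relative src, which the iframe cases do cover on line 11; add a `<script src="//test.local/foo.js"></script>` case with its expected result so both element kinds are tested for it. Each of the three script lines also ends in `</script>>`, and the extra `>` becomes stray text in the body, so it should be dropped. The value `integrity="some-integrity-hash"` is not in the algorithm-prefixed form that subresource integrity uses, so this case only shows that the presence of the attribute suppresses the alert; if that is the intended behaviour, say so in the comment on that line.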