hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-26 09:15:12 +02:00
Code Issues Packages Projects Releases Wiki Activity

JS: Enable association with headers without needing a route handler

Browse Source 
Previously it was not possible to associate a ResponseSendArgument with its header definitions if they did not have the same route handler.

But for calls like `new Response(body, { headers })` the headers are fairly obvious whereas the route handler is unnecessarily hard to find. So we use the direct and obvious association between 'body' and 'headers' in the call.
This commit is contained in:
Asger F
2025-04-02 13:52:55 +02:00
parent db2720ea5b
commit 6c33013788
6 changed files with 33 additions and 31 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXss.expected
View File

@@ -43,14 +43,10 @@
| response-object.js:9:18:9:21 | data | response-object.js:7:18:7:25 | req.body | response-object.js:9:18:9:21 | data | Cross-site scripting vulnerability due to a $@. | response-object.js:7:18:7:25 | req.body | user-provided value |
| response-object.js:10:18:10:21 | data | response-object.js:7:18:7:25 | req.body | response-object.js:10:18:10:21 | data | Cross-site scripting vulnerability due to a $@. | response-object.js:7:18:7:25 | req.body | user-provided value |
| response-object.js:11:18:11:21 | data | response-object.js:7:18:7:25 | req.body | response-object.js:11:18:11:21 | data | Cross-site scripting vulnerability due to a $@. | response-object.js:7:18:7:25 | req.body | user-provided value |
| response-object.js:13:18:13:21 | data | response-object.js:7:18:7:25 | req.body | response-object.js:13:18:13:21 | data | Cross-site scripting vulnerability due to a $@. | response-object.js:7:18:7:25 | req.body | user-provided value |
| response-object.js:14:18:14:21 | data | response-object.js:7:18:7:25 | req.body | response-object.js:14:18:14:21 | data | Cross-site scripting vulnerability due to a $@. | response-object.js:7:18:7:25 | req.body | user-provided value |
| response-object.js:16:18:16:21 | data | response-object.js:7:18:7:25 | req.body | response-object.js:16:18:16:21 | data | Cross-site scripting vulnerability due to a $@. | response-object.js:7:18:7:25 | req.body | user-provided value |
| response-object.js:17:18:17:21 | data | response-object.js:7:18:7:25 | req.body | response-object.js:17:18:17:21 | data | Cross-site scripting vulnerability due to a $@. | response-object.js:7:18:7:25 | req.body | user-provided value |
| response-object.js:20:18:20:21 | data | response-object.js:7:18:7:25 | req.body | response-object.js:20:18:20:21 | data | Cross-site scripting vulnerability due to a $@. | response-object.js:7:18:7:25 | req.body | user-provided value |
| response-object.js:23:18:23:21 | data | response-object.js:7:18:7:25 | req.body | response-object.js:23:18:23:21 | data | Cross-site scripting vulnerability due to a $@. | response-object.js:7:18:7:25 | req.body | user-provided value |
| response-object.js:26:18:26:21 | data | response-object.js:7:18:7:25 | req.body | response-object.js:26:18:26:21 | data | Cross-site scripting vulnerability due to a $@. | response-object.js:7:18:7:25 | req.body | user-provided value |
| response-object.js:30:18:30:21 | data | response-object.js:7:18:7:25 | req.body | response-object.js:30:18:30:21 | data | Cross-site scripting vulnerability due to a $@. | response-object.js:7:18:7:25 | req.body | user-provided value |
| response-object.js:34:18:34:21 | data | response-object.js:7:18:7:25 | req.body | response-object.js:34:18:34:21 | data | Cross-site scripting vulnerability due to a $@. | response-object.js:7:18:7:25 | req.body | user-provided value |
| response-object.js:38:18:38:21 | data | response-object.js:7:18:7:25 | req.body | response-object.js:38:18:38:21 | data | Cross-site scripting vulnerability due to a $@. | response-object.js:7:18:7:25 | req.body | user-provided value |
| tst2.js:7:12:7:12 | p | tst2.js:6:9:6:9 | p | tst2.js:7:12:7:12 | p | Cross-site scripting vulnerability due to a $@. | tst2.js:6:9:6:9 | p | user-provided value |
@@ -165,14 +161,10 @@ edges
| response-object.js:7:11:7:25 | data | response-object.js:9:18:9:21 | data | provenance | |
| response-object.js:7:11:7:25 | data | response-object.js:10:18:10:21 | data | provenance | |
| response-object.js:7:11:7:25 | data | response-object.js:11:18:11:21 | data | provenance | |
| response-object.js:7:11:7:25 | data | response-object.js:13:18:13:21 | data | provenance | |
| response-object.js:7:11:7:25 | data | response-object.js:14:18:14:21 | data | provenance | |
| response-object.js:7:11:7:25 | data | response-object.js:16:18:16:21 | data | provenance | |
| response-object.js:7:11:7:25 | data | response-object.js:17:18:17:21 | data | provenance | |
| response-object.js:7:11:7:25 | data | response-object.js:20:18:20:21 | data | provenance | |
| response-object.js:7:11:7:25 | data | response-object.js:23:18:23:21 | data | provenance | |
| response-object.js:7:11:7:25 | data | response-object.js:26:18:26:21 | data | provenance | |
| response-object.js:7:11:7:25 | data | response-object.js:30:18:30:21 | data | provenance | |
| response-object.js:7:11:7:25 | data | response-object.js:34:18:34:21 | data | provenance | |
| response-object.js:7:11:7:25 | data | response-object.js:38:18:38:21 | data | provenance | |
| response-object.js:7:18:7:25 | req.body | response-object.js:7:11:7:25 | data | provenance | |
@@ -364,14 +356,10 @@ nodes
| response-object.js:9:18:9:21 | data | semmle.label | data |
| response-object.js:10:18:10:21 | data | semmle.label | data |
| response-object.js:11:18:11:21 | data | semmle.label | data |
| response-object.js:13:18:13:21 | data | semmle.label | data |
| response-object.js:14:18:14:21 | data | semmle.label | data |
| response-object.js:16:18:16:21 | data | semmle.label | data |
| response-object.js:17:18:17:21 | data | semmle.label | data |
| response-object.js:20:18:20:21 | data | semmle.label | data |
| response-object.js:23:18:23:21 | data | semmle.label | data |
| response-object.js:26:18:26:21 | data | semmle.label | data |
| response-object.js:30:18:30:21 | data | semmle.label | data |
| response-object.js:34:18:34:21 | data | semmle.label | data |
| response-object.js:38:18:38:21 | data | semmle.label | data |
| tst2.js:6:7:6:30 | p | semmle.label | p |

4
javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXssWithCustomSanitizer.expected
View File

@@ -41,14 +41,10 @@
| response-object.js:9:18:9:21 | data | Cross-site scripting vulnerability due to $@. | response-object.js:7:18:7:25 | req.body | user-provided value |
| response-object.js:10:18:10:21 | data | Cross-site scripting vulnerability due to $@. | response-object.js:7:18:7:25 | req.body | user-provided value |
| response-object.js:11:18:11:21 | data | Cross-site scripting vulnerability due to $@. | response-object.js:7:18:7:25 | req.body | user-provided value |
| response-object.js:13:18:13:21 | data | Cross-site scripting vulnerability due to $@. | response-object.js:7:18:7:25 | req.body | user-provided value |
| response-object.js:14:18:14:21 | data | Cross-site scripting vulnerability due to $@. | response-object.js:7:18:7:25 | req.body | user-provided value |
| response-object.js:16:18:16:21 | data | Cross-site scripting vulnerability due to $@. | response-object.js:7:18:7:25 | req.body | user-provided value |
| response-object.js:17:18:17:21 | data | Cross-site scripting vulnerability due to $@. | response-object.js:7:18:7:25 | req.body | user-provided value |
| response-object.js:20:18:20:21 | data | Cross-site scripting vulnerability due to $@. | response-object.js:7:18:7:25 | req.body | user-provided value |
| response-object.js:23:18:23:21 | data | Cross-site scripting vulnerability due to $@. | response-object.js:7:18:7:25 | req.body | user-provided value |
| response-object.js:26:18:26:21 | data | Cross-site scripting vulnerability due to $@. | response-object.js:7:18:7:25 | req.body | user-provided value |
| response-object.js:30:18:30:21 | data | Cross-site scripting vulnerability due to $@. | response-object.js:7:18:7:25 | req.body | user-provided value |
| response-object.js:34:18:34:21 | data | Cross-site scripting vulnerability due to $@. | response-object.js:7:18:7:25 | req.body | user-provided value |
| response-object.js:38:18:38:21 | data | Cross-site scripting vulnerability due to $@. | response-object.js:7:18:7:25 | req.body | user-provided value |
| tst2.js:7:12:7:12 | p | Cross-site scripting vulnerability due to $@. | tst2.js:6:9:6:9 | p | user-provided value |

8
javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/response-object.js
View File

@@ -10,14 +10,14 @@ express().get('/foo', (req) => {
new Response(data, {}); // $ Alert
new Response(data, { headers: null }); // $ Alert
new Response(data, { headers: { 'content-type': 'text/plain'}}); // $ SPURIOUS: Alert
new Response(data, { headers: { 'content-type': 'text/plain'}});
new Response(data, { headers: { 'content-type': 'text/html'}}); // $ Alert
new Response(data, { headers: { 'Content-Type': 'text/plain'}}); // $ SPURIOUS: Alert
new Response(data, { headers: { 'Content-Type': 'text/plain'}});
new Response(data, { headers: { 'Content-Type': 'text/html'}}); // $ Alert
const headers1 = new Headers({ 'content-type': 'text/plain'});
new Response(data, { headers: headers1 }); // $ SPURIOUS: Alert
new Response(data, { headers: headers1 });
const headers2 = new Headers({ 'content-type': 'text/html'});
new Response(data, { headers: headers2 }); // $ Alert
@@ -27,7 +27,7 @@ express().get('/foo', (req) => {
const headers4 = new Headers();
headers4.set('content-type', 'text/plain');
new Response(data, { headers: headers4 }); // $ SPURIOUS: Alert
new Response(data, { headers: headers4 });
const headers5 = new Headers();
headers5.set('content-type', 'text/html');