mirror of
https://github.com/github/codeql.git
synced 2026-05-03 04:39:29 +02:00
Merge branch 'js-team-sprint' into priv-file-polish
This commit is contained in:
Erik Krogh Kristensen
@@ -69,6 +69,16 @@ nodes
|
||||
| bad-code-sanitization.js:54:29:54:63 | JSON.st ... bble")) |
|
||||
| bad-code-sanitization.js:54:44:54:62 | req.param("wobble") |
|
||||
| bad-code-sanitization.js:54:44:54:62 | req.param("wobble") |
|
||||
| bad-code-sanitization.js:56:7:56:47 | taint |
|
||||
| bad-code-sanitization.js:56:15:56:36 | [req.bo ... "foo"] |
|
||||
| bad-code-sanitization.js:56:15:56:47 | [req.bo ... n("\\n") |
|
||||
| bad-code-sanitization.js:56:16:56:23 | req.body |
|
||||
| bad-code-sanitization.js:56:16:56:23 | req.body |
|
||||
| bad-code-sanitization.js:56:16:56:28 | req.body.name |
|
||||
| bad-code-sanitization.js:58:14:58:53 | `(funct ... nt)}))` |
|
||||
| bad-code-sanitization.js:58:14:58:53 | `(funct ... nt)}))` |
|
||||
| bad-code-sanitization.js:58:29:58:49 | JSON.st ... (taint) |
|
||||
| bad-code-sanitization.js:58:44:58:48 | taint |
|
||||
| express.js:7:24:7:69 | "return ... + "];" |
|
||||
| express.js:7:24:7:69 | "return ... + "];" |
|
||||
| express.js:7:44:7:62 | req.param("wobble") |
|
||||
@@ -202,6 +212,15 @@ edges
|
||||
| bad-code-sanitization.js:54:29:54:63 | JSON.st ... bble")) | bad-code-sanitization.js:54:14:54:67 | `(funct ... "))}))` |
|
||||
| bad-code-sanitization.js:54:44:54:62 | req.param("wobble") | bad-code-sanitization.js:54:29:54:63 | JSON.st ... bble")) |
|
||||
| bad-code-sanitization.js:54:44:54:62 | req.param("wobble") | bad-code-sanitization.js:54:29:54:63 | JSON.st ... bble")) |
|
||||
| bad-code-sanitization.js:56:7:56:47 | taint | bad-code-sanitization.js:58:44:58:48 | taint |
|
||||
| bad-code-sanitization.js:56:15:56:36 | [req.bo ... "foo"] | bad-code-sanitization.js:56:15:56:47 | [req.bo ... n("\\n") |
|
||||
| bad-code-sanitization.js:56:15:56:47 | [req.bo ... n("\\n") | bad-code-sanitization.js:56:7:56:47 | taint |
|
||||
| bad-code-sanitization.js:56:16:56:23 | req.body | bad-code-sanitization.js:56:16:56:28 | req.body.name |
|
||||
| bad-code-sanitization.js:56:16:56:23 | req.body | bad-code-sanitization.js:56:16:56:28 | req.body.name |
|
||||
| bad-code-sanitization.js:56:16:56:28 | req.body.name | bad-code-sanitization.js:56:15:56:36 | [req.bo ... "foo"] |
|
||||
| bad-code-sanitization.js:58:29:58:49 | JSON.st ... (taint) | bad-code-sanitization.js:58:14:58:53 | `(funct ... nt)}))` |
|
||||
| bad-code-sanitization.js:58:29:58:49 | JSON.st ... (taint) | bad-code-sanitization.js:58:14:58:53 | `(funct ... nt)}))` |
|
||||
| bad-code-sanitization.js:58:44:58:48 | taint | bad-code-sanitization.js:58:29:58:49 | JSON.st ... (taint) |
|
||||
| express.js:7:44:7:62 | req.param("wobble") | express.js:7:24:7:69 | "return ... + "];" |
|
||||
| express.js:7:44:7:62 | req.param("wobble") | express.js:7:24:7:69 | "return ... + "];" |
|
||||
| express.js:7:44:7:62 | req.param("wobble") | express.js:7:24:7:69 | "return ... + "];" |
|
||||
@@ -271,6 +290,7 @@ edges
|
||||
| angularjs.js:50:22:50:36 | location.search | angularjs.js:50:22:50:29 | location | angularjs.js:50:22:50:36 | location.search | $@ flows to here and is interpreted as code. | angularjs.js:50:22:50:29 | location | User-provided value |
|
||||
| angularjs.js:53:32:53:46 | location.search | angularjs.js:53:32:53:39 | location | angularjs.js:53:32:53:46 | location.search | $@ flows to here and is interpreted as code. | angularjs.js:53:32:53:39 | location | User-provided value |
|
||||
| bad-code-sanitization.js:54:14:54:67 | `(funct ... "))}))` | bad-code-sanitization.js:54:44:54:62 | req.param("wobble") | bad-code-sanitization.js:54:14:54:67 | `(funct ... "))}))` | $@ flows to here and is interpreted as code. | bad-code-sanitization.js:54:44:54:62 | req.param("wobble") | User-provided value |
|
||||
| bad-code-sanitization.js:58:14:58:53 | `(funct ... nt)}))` | bad-code-sanitization.js:56:16:56:23 | req.body | bad-code-sanitization.js:58:14:58:53 | `(funct ... nt)}))` | $@ flows to here and is interpreted as code. | bad-code-sanitization.js:56:16:56:23 | req.body | User-provided value |
|
||||
| express.js:7:24:7:69 | "return ... + "];" | express.js:7:44:7:62 | req.param("wobble") | express.js:7:24:7:69 | "return ... + "];" | $@ flows to here and is interpreted as code. | express.js:7:44:7:62 | req.param("wobble") | User-provided value |
|
||||
| express.js:9:34:9:79 | "return ... + "];" | express.js:9:54:9:72 | req.param("wobble") | express.js:9:34:9:79 | "return ... + "];" | $@ flows to here and is interpreted as code. | express.js:9:54:9:72 | req.param("wobble") | User-provided value |
|
||||
| express.js:12:8:12:53 | "return ... + "];" | express.js:12:28:12:46 | req.param("wobble") | express.js:12:8:12:53 | "return ... + "];" | $@ flows to here and is interpreted as code. | express.js:12:28:12:46 | req.param("wobble") | User-provided value |
|
||||
|
||||
@@ -69,6 +69,16 @@ nodes
|
||||
| bad-code-sanitization.js:54:29:54:63 | JSON.st ... bble")) |
|
||||
| bad-code-sanitization.js:54:44:54:62 | req.param("wobble") |
|
||||
| bad-code-sanitization.js:54:44:54:62 | req.param("wobble") |
|
||||
| bad-code-sanitization.js:56:7:56:47 | taint |
|
||||
| bad-code-sanitization.js:56:15:56:36 | [req.bo ... "foo"] |
|
||||
| bad-code-sanitization.js:56:15:56:47 | [req.bo ... n("\\n") |
|
||||
| bad-code-sanitization.js:56:16:56:23 | req.body |
|
||||
| bad-code-sanitization.js:56:16:56:23 | req.body |
|
||||
| bad-code-sanitization.js:56:16:56:28 | req.body.name |
|
||||
| bad-code-sanitization.js:58:14:58:53 | `(funct ... nt)}))` |
|
||||
| bad-code-sanitization.js:58:14:58:53 | `(funct ... nt)}))` |
|
||||
| bad-code-sanitization.js:58:29:58:49 | JSON.st ... (taint) |
|
||||
| bad-code-sanitization.js:58:44:58:48 | taint |
|
||||
| eslint-escope-build.js:20:22:20:22 | c |
|
||||
| eslint-escope-build.js:20:22:20:22 | c |
|
||||
| eslint-escope-build.js:21:16:21:16 | c |
|
||||
@@ -206,6 +216,15 @@ edges
|
||||
| bad-code-sanitization.js:54:29:54:63 | JSON.st ... bble")) | bad-code-sanitization.js:54:14:54:67 | `(funct ... "))}))` |
|
||||
| bad-code-sanitization.js:54:44:54:62 | req.param("wobble") | bad-code-sanitization.js:54:29:54:63 | JSON.st ... bble")) |
|
||||
| bad-code-sanitization.js:54:44:54:62 | req.param("wobble") | bad-code-sanitization.js:54:29:54:63 | JSON.st ... bble")) |
|
||||
| bad-code-sanitization.js:56:7:56:47 | taint | bad-code-sanitization.js:58:44:58:48 | taint |
|
||||
| bad-code-sanitization.js:56:15:56:36 | [req.bo ... "foo"] | bad-code-sanitization.js:56:15:56:47 | [req.bo ... n("\\n") |
|
||||
| bad-code-sanitization.js:56:15:56:47 | [req.bo ... n("\\n") | bad-code-sanitization.js:56:7:56:47 | taint |
|
||||
| bad-code-sanitization.js:56:16:56:23 | req.body | bad-code-sanitization.js:56:16:56:28 | req.body.name |
|
||||
| bad-code-sanitization.js:56:16:56:23 | req.body | bad-code-sanitization.js:56:16:56:28 | req.body.name |
|
||||
| bad-code-sanitization.js:56:16:56:28 | req.body.name | bad-code-sanitization.js:56:15:56:36 | [req.bo ... "foo"] |
|
||||
| bad-code-sanitization.js:58:29:58:49 | JSON.st ... (taint) | bad-code-sanitization.js:58:14:58:53 | `(funct ... nt)}))` |
|
||||
| bad-code-sanitization.js:58:29:58:49 | JSON.st ... (taint) | bad-code-sanitization.js:58:14:58:53 | `(funct ... nt)}))` |
|
||||
| bad-code-sanitization.js:58:44:58:48 | taint | bad-code-sanitization.js:58:29:58:49 | JSON.st ... (taint) |
|
||||
| eslint-escope-build.js:20:22:20:22 | c | eslint-escope-build.js:21:16:21:16 | c |
|
||||
| eslint-escope-build.js:20:22:20:22 | c | eslint-escope-build.js:21:16:21:16 | c |
|
||||
| eslint-escope-build.js:20:22:20:22 | c | eslint-escope-build.js:21:16:21:16 | c |
|
||||
|
||||
@@ -31,6 +31,15 @@ nodes
|
||||
| bad-code-sanitization.js:54:29:54:63 | JSON.st ... bble")) |
|
||||
| bad-code-sanitization.js:54:29:54:63 | JSON.st ... bble")) |
|
||||
| bad-code-sanitization.js:54:29:54:63 | JSON.st ... bble")) |
|
||||
| bad-code-sanitization.js:58:29:58:49 | JSON.st ... (taint) |
|
||||
| bad-code-sanitization.js:58:29:58:49 | JSON.st ... (taint) |
|
||||
| bad-code-sanitization.js:58:29:58:49 | JSON.st ... (taint) |
|
||||
| bad-code-sanitization.js:63:11:63:55 | assignment |
|
||||
| bad-code-sanitization.js:63:24:63:55 | `obj[${ ... )}]=42` |
|
||||
| bad-code-sanitization.js:63:31:63:49 | JSON.stringify(key) |
|
||||
| bad-code-sanitization.js:63:31:63:49 | JSON.stringify(key) |
|
||||
| bad-code-sanitization.js:64:27:64:36 | assignment |
|
||||
| bad-code-sanitization.js:64:27:64:36 | assignment |
|
||||
edges
|
||||
| bad-code-sanitization.js:2:12:2:90 | /^[_$a- ... key)}]` | bad-code-sanitization.js:7:31:7:43 | safeProp(key) |
|
||||
| bad-code-sanitization.js:2:65:2:90 | `[${JSO ... key)}]` | bad-code-sanitization.js:2:12:2:90 | /^[_$a- ... key)}]` |
|
||||
@@ -49,6 +58,12 @@ edges
|
||||
| bad-code-sanitization.js:44:22:44:42 | JSON.st ... (input) | bad-code-sanitization.js:44:22:44:42 | JSON.st ... (input) |
|
||||
| bad-code-sanitization.js:52:28:52:62 | JSON.st ... bble")) | bad-code-sanitization.js:52:28:52:62 | JSON.st ... bble")) |
|
||||
| bad-code-sanitization.js:54:29:54:63 | JSON.st ... bble")) | bad-code-sanitization.js:54:29:54:63 | JSON.st ... bble")) |
|
||||
| bad-code-sanitization.js:58:29:58:49 | JSON.st ... (taint) | bad-code-sanitization.js:58:29:58:49 | JSON.st ... (taint) |
|
||||
| bad-code-sanitization.js:63:11:63:55 | assignment | bad-code-sanitization.js:64:27:64:36 | assignment |
|
||||
| bad-code-sanitization.js:63:11:63:55 | assignment | bad-code-sanitization.js:64:27:64:36 | assignment |
|
||||
| bad-code-sanitization.js:63:24:63:55 | `obj[${ ... )}]=42` | bad-code-sanitization.js:63:11:63:55 | assignment |
|
||||
| bad-code-sanitization.js:63:31:63:49 | JSON.stringify(key) | bad-code-sanitization.js:63:24:63:55 | `obj[${ ... )}]=42` |
|
||||
| bad-code-sanitization.js:63:31:63:49 | JSON.stringify(key) | bad-code-sanitization.js:63:24:63:55 | `obj[${ ... )}]=42` |
|
||||
#select
|
||||
| bad-code-sanitization.js:8:27:8:46 | statements.join(';') | bad-code-sanitization.js:2:69:2:87 | JSON.stringify(key) | bad-code-sanitization.js:8:27:8:46 | statements.join(';') | $@ flows to here and is used to construct code. | bad-code-sanitization.js:2:69:2:87 | JSON.stringify(key) | Improperly sanitized value |
|
||||
| bad-code-sanitization.js:15:44:15:63 | htmlescape(pathname) | bad-code-sanitization.js:15:44:15:63 | htmlescape(pathname) | bad-code-sanitization.js:15:44:15:63 | htmlescape(pathname) | $@ flows to here and is used to construct code. | bad-code-sanitization.js:15:44:15:63 | htmlescape(pathname) | Improperly sanitized value |
|
||||
@@ -57,3 +72,4 @@ edges
|
||||
| bad-code-sanitization.js:40:23:40:43 | JSON.st ... (input) | bad-code-sanitization.js:40:23:40:43 | JSON.st ... (input) | bad-code-sanitization.js:40:23:40:43 | JSON.st ... (input) | $@ flows to here and is used to construct code. | bad-code-sanitization.js:40:23:40:43 | JSON.st ... (input) | Improperly sanitized value |
|
||||
| bad-code-sanitization.js:44:22:44:42 | JSON.st ... (input) | bad-code-sanitization.js:44:22:44:42 | JSON.st ... (input) | bad-code-sanitization.js:44:22:44:42 | JSON.st ... (input) | $@ flows to here and is used to construct code. | bad-code-sanitization.js:44:22:44:42 | JSON.st ... (input) | Improperly sanitized value |
|
||||
| bad-code-sanitization.js:52:28:52:62 | JSON.st ... bble")) | bad-code-sanitization.js:52:28:52:62 | JSON.st ... bble")) | bad-code-sanitization.js:52:28:52:62 | JSON.st ... bble")) | $@ flows to here and is used to construct code. | bad-code-sanitization.js:52:28:52:62 | JSON.st ... bble")) | Improperly sanitized value |
|
||||
| bad-code-sanitization.js:64:27:64:36 | assignment | bad-code-sanitization.js:63:31:63:49 | JSON.stringify(key) | bad-code-sanitization.js:64:27:64:36 | assignment | $@ flows to here and is used to construct code. | bad-code-sanitization.js:63:31:63:49 | JSON.stringify(key) | Improperly sanitized value |
|
||||
|
||||
@@ -52,4 +52,41 @@ app.get('/some/path', function(req, res) {
|
||||
var foo = `(function(){${JSON.stringify(req.param("wobble"))}))` // NOT - the source is remote-flow, but we know of no sink.
|
||||
|
||||
setTimeout(`(function(){${JSON.stringify(req.param("wobble"))}))`); // OK - the source is remote-flow, and the sink is code-injection.
|
||||
|
||||
var taint = [req.body.name, "foo"].join("\n");
|
||||
|
||||
setTimeout(`(function(){${JSON.stringify(taint)}))`); // OK - the source is remote-flow, and the sink is code-injection.
|
||||
});
|
||||
|
||||
// Bad documentation example:
|
||||
function createObjectWrite() {
|
||||
const assignment = `obj[${JSON.stringify(key)}]=42`;
|
||||
return `(function(){${assignment}})` // NOT OK
|
||||
}
|
||||
|
||||
// Good documentation example:
|
||||
function good() {
|
||||
const charMap = {
|
||||
'<': '\\u003C',
|
||||
'>' : '\\u003E',
|
||||
'/': '\\u002F',
|
||||
'\\': '\\\\',
|
||||
'\b': '\\b',
|
||||
'\f': '\\f',
|
||||
'\n': '\\n',
|
||||
'\r': '\\r',
|
||||
'\t': '\\t',
|
||||
'\0': '\\0',
|
||||
'\u2028': '\\u2028',
|
||||
'\u2029': '\\u2029'
|
||||
};
|
||||
|
||||
function escapeUnsafeChars(str) {
|
||||
return str.replace(/[<>\b\f\n\r\t\0\u2028\u2029]/g, x => charMap[x])
|
||||
}
|
||||
|
||||
function createObjectWrite() {
|
||||
const assignment = `obj[${escapeUnsafeChars(JSON.stringify(key))}]=42`;
|
||||
return `(function(){${assignment}})` // OK
|
||||
}
|
||||
}
|
||||
9
javascript/ql/test/query-tests/Security/CWE-094/tmp.html
Normal file
9
javascript/ql/test/query-tests/Security/CWE-094/tmp.html
Normal file
@@ -0,0 +1,9 @@
|
||||
<html>
|
||||
|
||||
<body>
|
||||
<script>
|
||||
var foo ="bla</script onload=\"\">";
|
||||
</script>
|
||||
</body>
|
||||
|
||||
</html>
|
||||
Reference in New Issue
Block a user