JS: Add test with route handler indirection

2026-05-02 04:05:14 +02:00 · 2021-10-28 10:09:36 +02:00
parent 3cbe94ac0a
commit 7492293c5b
3 changed files with 8 additions and 1 deletions
--- a/javascript/ql/test/query-tests/Security/CWE-073/Consistency.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-073/Consistency.expected
@@ -0,0 +1 @@
+| query-tests/Security/CWE-073/routes.js:2 | expected an alert, but found none | NOT OK |  |
--- a/javascript/ql/test/query-tests/Security/CWE-073/routes.js
+++ b/javascript/ql/test/query-tests/Security/CWE-073/routes.js
@@ -0,0 +1,3 @@
+exports.foo = function(req, res) {
+    res.render('foo', req.body); // NOT OK
+}
--- a/javascript/ql/test/query-tests/Security/CWE-073/tst.js
+++ b/javascript/ql/test/query-tests/Security/CWE-073/tst.js
@@ -27,4 +27,7 @@ function indirect(res, obj) {
    res.render("template", str); // OK 

    res.render("template", JSON.parse(str)); // NOT OK
-}
+}
+
+let routes = require('./routes');
+app.post('/foo', routes.foo);
				`@@ -0,0 +1 @@`
				`\| query-tests/Security/CWE-073/routes.js:2 \| expected an alert, but found none \| NOT OK \| \|`