Merge pull request #7633 from erik-krogh/CWE-300

JS: add js/http-dependency query
2026-05-05 13:45:19 +02:00 · 2022-01-28 12:10:14 +01:00
parent 47a57e0c0a b5198bdaca
commit 7aa59ca233
9 changed files with 117 additions and 0 deletions
--- a/javascript/ql/test/query-tests/Security/CWE-300/InsecureDependencyResolution.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-300/InsecureDependencyResolution.expected
@@ -0,0 +1,4 @@
+| package.json:6:17:6:40 | "http:/ ... rg/foo" | Dependency downloaded using unencrypted communication channel. |
+| package.json:7:17:7:39 | "ftp:// ... rg/foo" | Dependency downloaded using unencrypted communication channel. |
+| package.json:12:17:12:40 | "http:/ ... rg/foo" | Dependency downloaded using unencrypted communication channel. |
+| package.json:13:17:13:39 | "ftp:// ... rg/foo" | Dependency downloaded using unencrypted communication channel. |
--- a/javascript/ql/test/query-tests/Security/CWE-300/InsecureDependencyResolution.qlref
+++ b/javascript/ql/test/query-tests/Security/CWE-300/InsecureDependencyResolution.qlref
@@ -0,0 +1 @@
+Security/CWE-300/InsecureDependencyResolution.ql
--- a/javascript/ql/test/query-tests/Security/CWE-300/foo.js
+++ b/javascript/ql/test/query-tests/Security/CWE-300/foo.js
@@ -0,0 +1 @@
+console.log("foo");
--- a/javascript/ql/test/query-tests/Security/CWE-300/package.json
+++ b/javascript/ql/test/query-tests/Security/CWE-300/package.json
@@ -0,0 +1,15 @@
+{
+    "name": "insecure-dep-downloader",
+    "dependencies": {
+        "foo": "*",
+        "good1": "https://example.org/foo",
+        "bad1": "http://example.org/foo",
+        "bad2": "ftp://example.org/foo"
+    },
+    "devDependencies": {
+        "bar": "*",
+        "good2": "https://example.org/foo",
+        "bad3": "http://example.org/foo",
+        "bad4": "ftp://example.org/foo"
+    }
+}
				`@@ -0,0 +1 @@`
				`Security/CWE-300/InsecureDependencyResolution.ql`