Add .qhelp and apply some review changes

2026-04-25 16:55:19 +02:00 · 2023-10-02 18:05:39 +02:00
parent 142ab01b48
commit 816eebbb51
13 changed files with 189 additions and 116 deletions
--- a/javascript/ql/test/experimental/Security/CWE-942/CorsPermissiveConfiguration.expected
+++ b/javascript/ql/test/experimental/Security/CWE-942/CorsPermissiveConfiguration.expected
@@ -0,0 +1,34 @@
+nodes
+| tst.js:8:9:8:59 | user_origin |
+| tst.js:8:23:8:46 | url.par ... , true) |
+| tst.js:8:23:8:52 | url.par ... ).query |
+| tst.js:8:23:8:59 | url.par ... .origin |
+| tst.js:8:33:8:39 | req.url |
+| tst.js:8:33:8:39 | req.url |
+| tst.js:8:42:8:45 | true |
+| tst.js:8:42:8:45 | true |
+| tst.js:11:25:11:28 | true |
+| tst.js:11:25:11:28 | true |
+| tst.js:11:25:11:28 | true |
+| tst.js:21:25:21:28 | null |
+| tst.js:21:25:21:28 | null |
+| tst.js:21:25:21:28 | null |
+| tst.js:26:25:26:35 | user_origin |
+| tst.js:26:25:26:35 | user_origin |
+edges
+| tst.js:8:9:8:59 | user_origin | tst.js:26:25:26:35 | user_origin |
+| tst.js:8:9:8:59 | user_origin | tst.js:26:25:26:35 | user_origin |
+| tst.js:8:23:8:46 | url.par ... , true) | tst.js:8:23:8:52 | url.par ... ).query |
+| tst.js:8:23:8:52 | url.par ... ).query | tst.js:8:23:8:59 | url.par ... .origin |
+| tst.js:8:23:8:59 | url.par ... .origin | tst.js:8:9:8:59 | user_origin |
+| tst.js:8:33:8:39 | req.url | tst.js:8:23:8:46 | url.par ... , true) |
+| tst.js:8:33:8:39 | req.url | tst.js:8:23:8:46 | url.par ... , true) |
+| tst.js:8:42:8:45 | true | tst.js:8:23:8:46 | url.par ... , true) |
+| tst.js:8:42:8:45 | true | tst.js:8:23:8:46 | url.par ... , true) |
+| tst.js:11:25:11:28 | true | tst.js:11:25:11:28 | true |
+| tst.js:21:25:21:28 | null | tst.js:21:25:21:28 | null |
+#select
+| tst.js:11:25:11:28 | true | tst.js:11:25:11:28 | true | tst.js:11:25:11:28 | true | CORS Origin misconfiguration due to a $@. | tst.js:11:25:11:28 | true | too permissive or user controlled value |
+| tst.js:21:25:21:28 | null | tst.js:21:25:21:28 | null | tst.js:21:25:21:28 | null | CORS Origin misconfiguration due to a $@. | tst.js:21:25:21:28 | null | too permissive or user controlled value |
+| tst.js:26:25:26:35 | user_origin | tst.js:8:33:8:39 | req.url | tst.js:26:25:26:35 | user_origin | CORS Origin misconfiguration due to a $@. | tst.js:8:33:8:39 | req.url | too permissive or user controlled value |
+| tst.js:26:25:26:35 | user_origin | tst.js:8:42:8:45 | true | tst.js:26:25:26:35 | user_origin | CORS Origin misconfiguration due to a $@. | tst.js:8:42:8:45 | true | too permissive or user controlled value |
--- a/javascript/ql/test/experimental/Security/CWE-942/CorsPermissiveConfiguration.qlref
+++ b/javascript/ql/test/experimental/Security/CWE-942/CorsPermissiveConfiguration.qlref
@@ -0,0 +1 @@
+./experimental/Security/CWE-942/CorsPermissiveConfiguration.ql
--- a/javascript/ql/test/experimental/Security/CWE-942/tst.js
+++ b/javascript/ql/test/experimental/Security/CWE-942/tst.js
@@ -6,28 +6,23 @@ var server = https.createServer(function () { });

 server.on('request', function (req, res) {
    let user_origin = url.parse(req.url, true).query.origin;
-    // BAD: attacker can choose the value of origin
+    // BAD: CORS too permissive
    const server_1 = new ApolloServer({
        cors: { origin: true }
    });

-    // BAD: CORS too permissive 
-    const server_2 = new ApolloServer({
-        cors: { origin: true }
-    });
-
    // GOOD: restrictive CORS 
-    const server_3 = new ApolloServer({
+    const server_2 = new ApolloServer({
        cors: false
    });

    // BAD: CORS too permissive 
-    const server_4 = new ApolloServer({
+    const server_3 = new ApolloServer({
        cors: { origin: null }
    });

    // BAD: CORS is controlled by user
-    const server_5 = new ApolloServer({
+    const server_4 = new ApolloServer({
        cors: { origin: user_origin }
    });
 });
--- a/javascript/ql/test/query-tests/Security/CWE-942/CorsPermissiveConfiguration.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-942/CorsPermissiveConfiguration.expected
@@ -1,39 +0,0 @@
-nodes
-| tst.js:8:9:8:59 | user_origin |
-| tst.js:8:23:8:46 | url.par ... , true) |
-| tst.js:8:23:8:52 | url.par ... ).query |
-| tst.js:8:23:8:59 | url.par ... .origin |
-| tst.js:8:33:8:39 | req.url |
-| tst.js:8:33:8:39 | req.url |
-| tst.js:8:42:8:45 | true |
-| tst.js:8:42:8:45 | true |
-| tst.js:11:25:11:28 | true |
-| tst.js:11:25:11:28 | true |
-| tst.js:11:25:11:28 | true |
-| tst.js:16:25:16:28 | true |
-| tst.js:16:25:16:28 | true |
-| tst.js:16:25:16:28 | true |
-| tst.js:26:25:26:28 | null |
-| tst.js:26:25:26:28 | null |
-| tst.js:26:25:26:28 | null |
-| tst.js:31:25:31:35 | user_origin |
-| tst.js:31:25:31:35 | user_origin |
-edges
-| tst.js:8:9:8:59 | user_origin | tst.js:31:25:31:35 | user_origin |
-| tst.js:8:9:8:59 | user_origin | tst.js:31:25:31:35 | user_origin |
-| tst.js:8:23:8:46 | url.par ... , true) | tst.js:8:23:8:52 | url.par ... ).query |
-| tst.js:8:23:8:52 | url.par ... ).query | tst.js:8:23:8:59 | url.par ... .origin |
-| tst.js:8:23:8:59 | url.par ... .origin | tst.js:8:9:8:59 | user_origin |
-| tst.js:8:33:8:39 | req.url | tst.js:8:23:8:46 | url.par ... , true) |
-| tst.js:8:33:8:39 | req.url | tst.js:8:23:8:46 | url.par ... , true) |
-| tst.js:8:42:8:45 | true | tst.js:8:23:8:46 | url.par ... , true) |
-| tst.js:8:42:8:45 | true | tst.js:8:23:8:46 | url.par ... , true) |
-| tst.js:11:25:11:28 | true | tst.js:11:25:11:28 | true |
-| tst.js:16:25:16:28 | true | tst.js:16:25:16:28 | true |
-| tst.js:26:25:26:28 | null | tst.js:26:25:26:28 | null |
-#select
-| tst.js:11:25:11:28 | true | tst.js:11:25:11:28 | true | tst.js:11:25:11:28 | true | $@ misconfiguration due to a $@. | tst.js:11:25:11:28 | true | CORS Origin | tst.js:11:25:11:28 | true | too permissive or user controlled value |
-| tst.js:16:25:16:28 | true | tst.js:16:25:16:28 | true | tst.js:16:25:16:28 | true | $@ misconfiguration due to a $@. | tst.js:16:25:16:28 | true | CORS Origin | tst.js:16:25:16:28 | true | too permissive or user controlled value |
-| tst.js:26:25:26:28 | null | tst.js:26:25:26:28 | null | tst.js:26:25:26:28 | null | $@ misconfiguration due to a $@. | tst.js:26:25:26:28 | null | CORS Origin | tst.js:26:25:26:28 | null | too permissive or user controlled value |
-| tst.js:31:25:31:35 | user_origin | tst.js:8:33:8:39 | req.url | tst.js:31:25:31:35 | user_origin | $@ misconfiguration due to a $@. | tst.js:31:25:31:35 | user_origin | CORS Origin | tst.js:8:33:8:39 | req.url | too permissive or user controlled value |
-| tst.js:31:25:31:35 | user_origin | tst.js:8:42:8:45 | true | tst.js:31:25:31:35 | user_origin | $@ misconfiguration due to a $@. | tst.js:31:25:31:35 | user_origin | CORS Origin | tst.js:8:42:8:45 | true | too permissive or user controlled value |
--- a/javascript/ql/test/query-tests/Security/CWE-942/CorsPermissiveConfiguration.qlref
+++ b/javascript/ql/test/query-tests/Security/CWE-942/CorsPermissiveConfiguration.qlref
@@ -1 +0,0 @@
-Security/CWE-942/CorsPermissiveConfiguration.ql
				`@@ -0,0 +1 @@`
				`./experimental/Security/CWE-942/CorsPermissiveConfiguration.ql`
				`@@ -1 +0,0 @@`
				`Security/CWE-942/CorsPermissiveConfiguration.ql`