Added test cases with missing alerts for Request and NextRequest.

2026-04-25 16:55:19 +02:00 · 2025-03-31 13:50:56 +02:00
parent eac14b9837
commit 81cba7fa2f
3 changed files with 26 additions and 0 deletions
--- a/javascript/ql/test/query-tests/Security/CWE-918/Request/app/api/proxy/route.serverSide.ts
+++ b/javascript/ql/test/query-tests/Security/CWE-918/Request/app/api/proxy/route.serverSide.ts
@@ -0,0 +1,5 @@
+export async function POST(req: Request) {
+  const { url } = await req.json(); // $ MISSING: Source[js/request-forgery]
+  const res = await fetch(url); // $ MISSING: Alert[js/request-forgery] Sink[js/request-forgery]
+  return new Response(res.body, { headers: res.headers });
+}
--- a/javascript/ql/test/query-tests/Security/CWE-918/Request/app/api/proxy/route2.serverSide.ts
+++ b/javascript/ql/test/query-tests/Security/CWE-918/Request/app/api/proxy/route2.serverSide.ts
@@ -0,0 +1,8 @@
+import { NextRequest, NextResponse } from 'next/server';
+
+export async function POST(req: NextRequest) {
+  const { url } = await req.json(); // $ MISSING: Source[js/request-forgery]
+  const res = await fetch(url); // $ MISSING: Alert[js/request-forgery] Sink[js/request-forgery]
+  const data = await res.text();
+  return new NextResponse(data, { headers: res.headers });
+}
--- a/javascript/ql/test/query-tests/Security/CWE-918/Request/package.json
+++ b/javascript/ql/test/query-tests/Security/CWE-918/Request/package.json
@@ -0,0 +1,13 @@
+{
+  "name": "next-edge-proxy-app",
+  "version": "0.1.0",
+  "private": true,
+  "scripts": {
+    "dev": "next dev",
+    "build": "next build",
+    "start": "next start"
+  },
+  "dependencies": {
+    "next": "15.1.7"
+  }
+}