hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-03-30 20:28:15 +02:00
Code Issues Packages Projects Releases Wiki Activity

JS: Address PR review comments

Browse Source 
- Fix misplaced semicolons in test files (was inside comment, moved before it)
- Update QLdoc comments to reference new browser source kind names
- Update docs to list browser source kinds and fix outdated 'only remote' note

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
This commit is contained in:
Asger F
2026-03-13 14:58:04 +01:00
parent 5db30c9947
commit 821cc0e875
4 changed files with 17 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
javascript/ql/lib/semmle/javascript/security/dataflow/RemoteFlowSources.qll
View File

@@ -85,16 +85,16 @@ class ClientSideRemoteFlowKind extends string {
*/
predicate isUrl() { this = "browser-url" }
/** Holds if this is the `query` or `fragment` kind. */
/** Holds if this is the `browser-url-query` or `browser-url-fragment` kind. */
predicate isQueryOrFragment() { this.isQuery() or this.isFragment() }
/** Holds if this is the `path`, `query`, or `fragment` kind. */
/** Holds if this is the `browser-url-path`, `browser-url-query`, or `browser-url-fragment` kind. */
predicate isPathOrQueryOrFragment() { this.isPath() or this.isQuery() or this.isFragment() }
/** Holds if this is the `path` or `url` kind. */
/** Holds if this is the `browser-url-path` or `browser-url` kind. */
predicate isPathOrUrl() { this.isPath() or this.isUrl() }
/** Holds if this is the `name` kind, describing sources derived from the window name, such as `window.name`. */
/** Holds if this is the `browser-window-name` kind, describing sources derived from the window name, such as `window.name`. */
predicate isWindowName() { this = "browser-window-name" }
/**

2
javascript/ql/test/query-tests/Security/CWE-918/clientSide.js
View File

@@ -24,5 +24,5 @@ export function MyComponent() {
request(window.location.href + '?q=123');
const custom = require('testlib').getBrowserSource(); // $ Source[js/client-side-request-forgery]
request(custom) // $ Alert[js/client-side-request-forgery];
request(custom); // $ Alert[js/client-side-request-forgery]
}

2
javascript/ql/test/query-tests/Security/CWE-918/serverSide.js
View File

@@ -148,4 +148,4 @@ var server2 = http.createServer(function (req, res) {
});
const custom = require('testlib').getServerSource(); // $ Source[js/request-forgery]
request(custom) // $ Alert[js/request-forgery];
request(custom); // $ Alert[js/request-forgery]