Use more sensible validator in example.

2026-04-26 17:25:19 +02:00 · 2023-08-18 14:43:57 +01:00
parent 7823ff968c
commit 87364137df
7 changed files with 25 additions and 25 deletions
--- a/javascript/ql/src/Security/CWE-601/examples/ServerSideUrlRedirect.js
+++ b/javascript/ql/src/Security/CWE-601/examples/ServerSideUrlRedirect.js
@@ -1,6 +1,6 @@
 const app = require("express")();

-app.get('/redirect', function(req, res) {
+app.get("/redirect", function (req, res) {
  // BAD: a request parameter is incorporated without validation into a URL redirect
-  res.redirect(req.params["target"]);
+  res.redirect(req.query["target"]);
 });
--- a/javascript/ql/src/Security/CWE-601/examples/ServerSideUrlRedirectGood.js
+++ b/javascript/ql/src/Security/CWE-601/examples/ServerSideUrlRedirectGood.js
@@ -2,9 +2,9 @@ const app = require("express")();

 const VALID_REDIRECT = "http://cwe.mitre.org/data/definitions/601.html";

-app.get('/redirect', function(req, res) {
+app.get("/redirect", function (req, res) {
  // GOOD: the request parameter is validated against a known fixed string
-  let target = req.params["target"]
+  let target = req.query["target"];
  if (VALID_REDIRECT === target) {
    res.redirect(target);
  } else {
--- a/javascript/ql/src/Security/CWE-601/examples/ServerSideUrlRedirectGood2.js
+++ b/javascript/ql/src/Security/CWE-601/examples/ServerSideUrlRedirectGood2.js
@@ -1,15 +1,15 @@
 const app = require("express")();

-function isLocalUrl(url) {
-  return url.startsWith("/") && !url.startsWith("//") && !url.startsWith("/\\");
+function isRelativePath(path) {
+  return !/^(\w+:)?[/\\]{2}/.test(path);
 }

-app.get('/redirect', function(req, res) {
+app.get("/redirect", function (req, res) {
  // GOOD: check that we don't redirect to a different host
-  let target = req.params["target"];
-  if (isLocalUrl(target)) {
+  let target = req.query["target"];
+  if (isRelativePath(target)) {
    res.redirect(target);
  } else {
    res.redirect("/");
  }
-});
+});