hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-05-04 05:05:12 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge remote-tracking branch 'upstream/master' into rc/1.20-merge-master

Browse Source 
Conflict in `javascript/extractor/src/com/semmle/js/extractor/Main.java` resolved
in favour of `master`.
This commit is contained in:
Max Schaefer
2019-03-21 14:45:39 +00:00
parent fb499b02d5 313134cb8c
commit 8c460ae385
163 changed files with 2763 additions and 424 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
javascript/ql/test/query-tests/Declarations/DeadStoreOfLocal/DeadStoreOfLocal.expected
View File

@@ -9,3 +9,4 @@
| tst.js:45:6:45:11 | x = 23 | This definition of x is useless, since its value is never read. |
| tst.js:51:6:51:11 | x = 23 | This definition of x is useless, since its value is never read. |
| tst.js:132:7:132:13 | {x} = o | This definition of x is useless, since its value is never read. |
| tst.js:162:6:162:14 | [x] = [0] | This definition of x is useless, since its value is never read. |

9
javascript/ql/test/query-tests/Declarations/DeadStoreOfLocal/tst.js
View File

@@ -157,3 +157,12 @@ function v() {
(function() {
for (var a = (x, -1) in v = a, o);
});
(function() {
let [x] = [0], // OK, but flagged due to destructuring limitations
y = 0;
x = 42;
y = 87;
x;
y;
});

2
javascript/ql/test/query-tests/Declarations/DeadStoreOfProperty/DeadStoreOfProperty.expected
View File

@@ -12,3 +12,5 @@
| tst.js:76:5:76:34 | o.pure1 ... te = 42 | This write to property 'pure16_simpleAliasWrite' is useless, since $@ always overrides it. | tst.js:77:5:77:36 | o16.pur ... te = 42 | another property write |
| tst.js:95:5:95:17 | o.pure18 = 42 | This write to property 'pure18' is useless, since $@ always overrides it. | tst.js:96:5:96:17 | o.pure18 = 42 | another property write |
| tst.js:96:5:96:17 | o.pure18 = 42 | This write to property 'pure18' is useless, since $@ always overrides it. | tst.js:97:5:97:17 | o.pure18 = 42 | another property write |
| tst.js:114:2:114:14 | o.setter = 42 | This write to property 'setter' is useless, since $@ always overrides it. | tst.js:115:2:115:14 | o.setter = 87 | another property write |
| tst.js:118:2:118:104 | Object. ... lue()}) | This write to property 'prop' is useless, since $@ always overrides it. | tst.js:119:2:119:12 | o.prop = 42 | another property write |

36
javascript/ql/test/query-tests/Declarations/DeadStoreOfProperty/tst.js
View File

@@ -82,17 +82,47 @@
}
// DOM
o.clientTop = 42;
o.clientTop = 42; // OK
o.clientTop = 42;
o.defaulted1 = null;
o.defaulted1 = null; // OK
o.defaulted1 = 42;
o.defaulted2 = -1;
o.defaulted2 = -1; // OK
o.defaulted2 = 42;
var o = {};
o.pure18 = 42; // NOT OK
o.pure18 = 42; // NOT OK
o.pure18 = 42;
var o = {};
Object.defineProperty(o, "setter", { // OK
set: function (value) { }
});
o.setter = "";
var o = { set setter(value) { } }; // OK
o.setter = "";
var o = {
set accessor(value) { }, // OK
get accessor() { }
};
var o = { set setter(value) { } };
o.setter = 42; // probably OK, but still flagged - it seems fishy
o.setter = 87;
var o = {};
Object.defineProperty(o, "prop", {writable:!0,configurable:!0,enumerable:!1, value: getInitialValue()}) // NOT OK
o.prop = 42;
var o = {};
Object.defineProperty(o, "prop", {writable:!0,configurable:!0,enumerable:!1, value: undefined}) // OK, default value
o.prop = 42;
var o = {};
Object.defineProperty(o, "prop", {writable:!0,configurable:!0,enumerable:!1}) // OK
o.prop = 42;
});

1
javascript/ql/test/query-tests/Expressions/ExprHasNoEffect/ExprHasNoEffect.expected
View File

@@ -8,4 +8,5 @@
| tst.js:49:3:49:26 | new Err ... ou so") | This expression has no effect. |
| tst.js:50:3:50:49 | new Syn ... o me?") | This expression has no effect. |
| tst.js:51:3:51:36 | new Err ... age(e)) | This expression has no effect. |
| tst.js:62:2:62:20 | o.trivialNonGetter1 | This expression has no effect. |
| uselessfn.js:1:1:1:15 | (functi ... .");\\n}) | This expression has no effect. |

22
javascript/ql/test/query-tests/Expressions/ExprHasNoEffect/tst.js
View File

@@ -51,3 +51,25 @@ try {
new Error(computeSnarkyMessage(e)); // NOT OK
new UnknownError(); // OK
}
function g() {
var o = {};
Object.defineProperty(o, "trivialGetter1", { get: function(){} });
o.trivialGetter1; // OK
Object.defineProperty(o, "trivialNonGetter1", "foo");
o.trivialNonGetter1; // NOT OK
var getterDef1 = { get: function(){} };
Object.defineProperty(o, "nonTrivialGetter1", getterDef1);
o.nonTrivialGetter1; // OK
var getterDef2 = { };
unknownPrepareGetter(getterDef2);
Object.defineProperty(o, "nonTrivialNonGetter1", getterDef2);
o.nonTrivialNonGetter1; // OK
Object.defineProperty(o, "nonTrivialGetter2", unknownGetterDef());
o.nonTrivialGetter2; // OK
};

8
javascript/ql/test/query-tests/Expressions/SuspiciousPropAccess/yield_in_non_generator.js Normal file
View File

@@ -0,0 +1,8 @@
function outer() {
function inner() {
yield 1;
}
inner().next()
}
// semmle-extractor-options: --experimental

7
javascript/ql/test/query-tests/Security/CWE-022/ZipSlip/AdmZipBad.js Normal file
View File

@@ -0,0 +1,7 @@
const fs = require('fs');
var AdmZip = require('adm-zip');
var zip = new AdmZip("archive.zip");
var zipEntries = zip.getEntries();
zipEntries.forEach(function(zipEntry) {
fs.createWriteStream(zipEntry.entryName);
});

18
javascript/ql/test/query-tests/Security/CWE-022/ZipSlip/TarSlipBad.js Normal file
View File

@@ -0,0 +1,18 @@
const fs = require('fs');
const tar = require('tar-stream');
const extract = tar.extract();
extract.on('entry', (header, stream, next) => {
const out = fs.createWriteStream(header.name);
stream.pipe(out);
stream.on('end', () => {
next();
})
stream.resume();
})
extract.on('finish', () => {
console.log('finished');
});
fs.createReadStream('./bad.tar').pipe(extract);

10
javascript/ql/test/query-tests/Security/CWE-022/ZipSlip/ZipSlip.expected
View File

@@ -1,4 +1,6 @@
nodes
| AdmZipBad.js:6:24:6:41 | zipEntry.entryName |
| TarSlipBad.js:6:36:6:46 | header.name |
| ZipSlipBad2.js:5:9:5:46 | fileName |
| ZipSlipBad2.js:5:20:5:46 | 'output ... ry.path |
| ZipSlipBad2.js:5:37:5:46 | entry.path |
@@ -6,12 +8,20 @@ nodes
| ZipSlipBad.js:7:11:7:31 | fileName |
| ZipSlipBad.js:7:22:7:31 | entry.path |
| ZipSlipBad.js:8:37:8:44 | fileName |
| ZipSlipBadUnzipper.js:7:9:7:29 | fileName |
| ZipSlipBadUnzipper.js:7:20:7:29 | entry.path |
| ZipSlipBadUnzipper.js:8:37:8:44 | fileName |
edges
| ZipSlipBad2.js:5:9:5:46 | fileName | ZipSlipBad2.js:6:22:6:29 | fileName |
| ZipSlipBad2.js:5:20:5:46 | 'output ... ry.path | ZipSlipBad2.js:5:9:5:46 | fileName |
| ZipSlipBad2.js:5:37:5:46 | entry.path | ZipSlipBad2.js:5:20:5:46 | 'output ... ry.path |
| ZipSlipBad.js:7:11:7:31 | fileName | ZipSlipBad.js:8:37:8:44 | fileName |
| ZipSlipBad.js:7:22:7:31 | entry.path | ZipSlipBad.js:7:11:7:31 | fileName |
| ZipSlipBadUnzipper.js:7:9:7:29 | fileName | ZipSlipBadUnzipper.js:8:37:8:44 | fileName |
| ZipSlipBadUnzipper.js:7:20:7:29 | entry.path | ZipSlipBadUnzipper.js:7:9:7:29 | fileName |
#select
| AdmZipBad.js:6:24:6:41 | zipEntry.entryName | AdmZipBad.js:6:24:6:41 | zipEntry.entryName | AdmZipBad.js:6:24:6:41 | zipEntry.entryName | Unsanitized zip archive $@, which may contain '..', is used in a file system operation. | AdmZipBad.js:6:24:6:41 | zipEntry.entryName | item path |
| TarSlipBad.js:6:36:6:46 | header.name | TarSlipBad.js:6:36:6:46 | header.name | TarSlipBad.js:6:36:6:46 | header.name | Unsanitized zip archive $@, which may contain '..', is used in a file system operation. | TarSlipBad.js:6:36:6:46 | header.name | item path |
| ZipSlipBad2.js:6:22:6:29 | fileName | ZipSlipBad2.js:5:37:5:46 | entry.path | ZipSlipBad2.js:6:22:6:29 | fileName | Unsanitized zip archive $@, which may contain '..', is used in a file system operation. | ZipSlipBad2.js:5:37:5:46 | entry.path | item path |
| ZipSlipBad.js:8:37:8:44 | fileName | ZipSlipBad.js:7:22:7:31 | entry.path | ZipSlipBad.js:8:37:8:44 | fileName | Unsanitized zip archive $@, which may contain '..', is used in a file system operation. | ZipSlipBad.js:7:22:7:31 | entry.path | item path |
| ZipSlipBadUnzipper.js:8:37:8:44 | fileName | ZipSlipBadUnzipper.js:7:20:7:29 | entry.path | ZipSlipBadUnzipper.js:8:37:8:44 | fileName | Unsanitized zip archive $@, which may contain '..', is used in a file system operation. | ZipSlipBadUnzipper.js:7:20:7:29 | entry.path | item path |

9
javascript/ql/test/query-tests/Security/CWE-022/ZipSlip/ZipSlipBadUnzipper.js Normal file
View File

@@ -0,0 +1,9 @@
const fs = require('fs');
const unzipper = require('unzipper');
fs.createReadStream('path/to/archive.zip')
.pipe(unzipper.Parse())
.on('entry', function (entry) {
var fileName = entry.path;
entry.pipe(fs.createWriteStream(fileName));
});

8
javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/CodeInjection.expected
View File

@@ -51,6 +51,10 @@ nodes
| tst.js:17:21:17:42 | documen ... on.hash |
| tst.js:20:30:20:46 | document.location |
| tst.js:20:30:20:51 | documen ... on.hash |
| tst.js:23:6:23:46 | atob(do ... ing(1)) |
| tst.js:23:11:23:27 | document.location |
| tst.js:23:11:23:32 | documen ... on.hash |
| tst.js:23:11:23:45 | documen ... ring(1) |
edges
| angularjs.js:10:22:10:29 | location | angularjs.js:10:22:10:36 | location.search |
| angularjs.js:13:23:13:30 | location | angularjs.js:13:23:13:37 | location.search |
@@ -86,6 +90,9 @@ edges
| tst.js:14:10:14:33 | documen ... .search | tst.js:14:10:14:74 | documen ... , "$1") |
| tst.js:17:21:17:37 | document.location | tst.js:17:21:17:42 | documen ... on.hash |
| tst.js:20:30:20:46 | document.location | tst.js:20:30:20:51 | documen ... on.hash |
| tst.js:23:11:23:27 | document.location | tst.js:23:11:23:32 | documen ... on.hash |
| tst.js:23:11:23:32 | documen ... on.hash | tst.js:23:11:23:45 | documen ... ring(1) |
| tst.js:23:11:23:45 | documen ... ring(1) | tst.js:23:6:23:46 | atob(do ... ing(1)) |
#select
| angularjs.js:10:22:10:36 | location.search | angularjs.js:10:22:10:29 | location | angularjs.js:10:22:10:36 | location.search | $@ flows to here and is interpreted as code. | angularjs.js:10:22:10:29 | location | User-provided value |
| angularjs.js:13:23:13:37 | location.search | angularjs.js:13:23:13:30 | location | angularjs.js:13:23:13:37 | location.search | $@ flows to here and is interpreted as code. | angularjs.js:13:23:13:30 | location | User-provided value |
@@ -112,3 +119,4 @@ edges
| tst.js:14:10:14:74 | documen ... , "$1") | tst.js:14:10:14:26 | document.location | tst.js:14:10:14:74 | documen ... , "$1") | $@ flows to here and is interpreted as code. | tst.js:14:10:14:26 | document.location | User-provided value |
| tst.js:17:21:17:42 | documen ... on.hash | tst.js:17:21:17:37 | document.location | tst.js:17:21:17:42 | documen ... on.hash | $@ flows to here and is interpreted as code. | tst.js:17:21:17:37 | document.location | User-provided value |
| tst.js:20:30:20:51 | documen ... on.hash | tst.js:20:30:20:46 | document.location | tst.js:20:30:20:51 | documen ... on.hash | $@ flows to here and is interpreted as code. | tst.js:20:30:20:46 | document.location | User-provided value |
| tst.js:23:6:23:46 | atob(do ... ing(1)) | tst.js:23:11:23:27 | document.location | tst.js:23:6:23:46 | atob(do ... ing(1)) | $@ flows to here and is interpreted as code. | tst.js:23:11:23:27 | document.location | User-provided value |

3
javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/tst.js
View File

@@ -18,3 +18,6 @@ WebAssembly.compile(document.location.hash);
// NOT OK
WebAssembly.compileStreaming(document.location.hash);
// NOT OK
eval(atob(document.location.hash.substring(1)));