mirror of
https://github.com/github/codeql.git
synced 2026-04-25 16:55:19 +02:00
JS: Port UntrustedDataToExternalAPI
This commit is contained in:
Asger F
@@ -10,15 +10,44 @@
|
||||
import javascript
|
||||
import ExternalAPIUsedWithUntrustedDataCustomizations::ExternalApiUsedWithUntrustedData
|
||||
|
||||
/**
|
||||
* A taint tracking configuration for untrusted data flowing to an external API.
|
||||
*/
|
||||
module ExternalAPIUsedWithUntrustedDataConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node source) { source instanceof Source }
|
||||
|
||||
predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
|
||||
|
||||
predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
|
||||
|
||||
predicate isBarrierIn(DataFlow::Node node) {
|
||||
// Block flow from the location to its properties, as the relevant properties (hash and search) are taint sources of their own.
|
||||
// The location source is only used for propagating through API calls like `new URL(location)` and into external APIs where
|
||||
// the whole location object escapes.
|
||||
node = DOM::locationRef().getAPropertyRead()
|
||||
}
|
||||
|
||||
predicate allowImplicitRead(DataFlow::Node node, DataFlow::ContentSet contents) {
|
||||
// Also report values that escape while inside a property
|
||||
isSink(node) and contents = DataFlow::ContentSet::anyProperty()
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Taint tracking for untrusted data flowing to an external API.
|
||||
*/
|
||||
module ExternalAPIUsedWithUntrustedDataFlow =
|
||||
TaintTracking::Global<ExternalAPIUsedWithUntrustedDataConfig>;
|
||||
|
||||
/** Flow label for objects from which a tainted value is reachable. */
|
||||
private class ObjectWrapperFlowLabel extends DataFlow::FlowLabel {
|
||||
deprecated private class ObjectWrapperFlowLabel extends DataFlow::FlowLabel {
|
||||
ObjectWrapperFlowLabel() { this = "object-wrapper" }
|
||||
}
|
||||
|
||||
/**
|
||||
* A taint tracking configuration for untrusted data flowing to an external API.
|
||||
* DEPRECATED. Use the `ExternalAPIUsedWithUntrustedDataFlow` module instead.
|
||||
*/
|
||||
class Configuration extends TaintTracking::Configuration {
|
||||
deprecated class Configuration extends TaintTracking::Configuration {
|
||||
Configuration() { this = "ExternalAPIUsedWithUntrustedData" }
|
||||
|
||||
override predicate isSource(DataFlow::Node source) { source instanceof Source }
|
||||
@@ -59,10 +88,10 @@ class ExternalApiDataNode extends DataFlow::Node instanceof Sink { }
|
||||
|
||||
/** A node representing untrusted data being passed to an external API. */
|
||||
class UntrustedExternalApiDataNode extends ExternalApiDataNode {
|
||||
UntrustedExternalApiDataNode() { any(Configuration c).hasFlow(_, this) }
|
||||
UntrustedExternalApiDataNode() { ExternalAPIUsedWithUntrustedDataFlow::flow(_, this) }
|
||||
|
||||
/** Gets a source of untrusted data which is passed to this external API data node. */
|
||||
DataFlow::Node getAnUntrustedSource() { any(Configuration c).hasFlow(result, this) }
|
||||
DataFlow::Node getAnUntrustedSource() { ExternalAPIUsedWithUntrustedDataFlow::flow(result, this) }
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -72,7 +101,7 @@ private newtype TExternalApi =
|
||||
/** An external API sink with `name`. */
|
||||
MkExternalApiNode(string name) {
|
||||
exists(Sink sink |
|
||||
any(Configuration c).hasFlow(_, sink) and
|
||||
ExternalAPIUsedWithUntrustedDataFlow::flow(_, sink) and
|
||||
name = sink.getApiName()
|
||||
)
|
||||
}
|
||||
|
||||
@@ -11,10 +11,12 @@
|
||||
|
||||
import javascript
|
||||
import semmle.javascript.security.dataflow.ExternalAPIUsedWithUntrustedDataQuery
|
||||
import DataFlow::PathGraph
|
||||
import ExternalAPIUsedWithUntrustedDataFlow::PathGraph
|
||||
|
||||
from Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink
|
||||
where config.hasFlowPath(source, sink)
|
||||
from
|
||||
ExternalAPIUsedWithUntrustedDataFlow::PathNode source,
|
||||
ExternalAPIUsedWithUntrustedDataFlow::PathNode sink
|
||||
where ExternalAPIUsedWithUntrustedDataFlow::flowPath(source, sink)
|
||||
select sink, source, sink,
|
||||
"Call to " + sink.getNode().(Sink).getApiName() + " with untrusted data from $@.", source,
|
||||
source.toString()
|
||||
|
||||
@@ -1,98 +1,60 @@
|
||||
nodes
|
||||
| tst-UntrustedDataToExternalAPI.js:3:5:3:27 | untrusted |
|
||||
| tst-UntrustedDataToExternalAPI.js:3:17:3:27 | window.name |
|
||||
| tst-UntrustedDataToExternalAPI.js:3:17:3:27 | window.name |
|
||||
| tst-UntrustedDataToExternalAPI.js:5:13:5:21 | untrusted |
|
||||
| tst-UntrustedDataToExternalAPI.js:5:13:5:21 | untrusted |
|
||||
| tst-UntrustedDataToExternalAPI.js:6:17:6:25 | untrusted |
|
||||
| tst-UntrustedDataToExternalAPI.js:6:17:6:25 | untrusted |
|
||||
| tst-UntrustedDataToExternalAPI.js:7:16:7:24 | untrusted |
|
||||
| tst-UntrustedDataToExternalAPI.js:7:16:7:24 | untrusted |
|
||||
| tst-UntrustedDataToExternalAPI.js:8:31:8:39 | untrusted |
|
||||
| tst-UntrustedDataToExternalAPI.js:8:31:8:39 | untrusted |
|
||||
| tst-UntrustedDataToExternalAPI.js:9:18:9:26 | untrusted |
|
||||
| tst-UntrustedDataToExternalAPI.js:9:18:9:26 | untrusted |
|
||||
| tst-UntrustedDataToExternalAPI.js:10:13:10:33 | ['x', u ... d, 'y'] |
|
||||
| tst-UntrustedDataToExternalAPI.js:10:13:10:33 | ['x', u ... d, 'y'] |
|
||||
| tst-UntrustedDataToExternalAPI.js:10:13:10:33 | ['x', u ... d, 'y'] |
|
||||
| tst-UntrustedDataToExternalAPI.js:10:19:10:27 | untrusted |
|
||||
| tst-UntrustedDataToExternalAPI.js:11:20:11:28 | untrusted |
|
||||
| tst-UntrustedDataToExternalAPI.js:11:20:11:28 | untrusted |
|
||||
| tst-UntrustedDataToExternalAPI.js:13:8:17:5 | {\\n ... }\\n } |
|
||||
| tst-UntrustedDataToExternalAPI.js:13:8:17:5 | {\\n ... }\\n } |
|
||||
| tst-UntrustedDataToExternalAPI.js:14:12:16:9 | {\\n ... } |
|
||||
| tst-UntrustedDataToExternalAPI.js:15:16:15:24 | untrusted |
|
||||
| tst-UntrustedDataToExternalAPI.js:21:12:27:5 | {\\n ... }\\n } |
|
||||
| tst-UntrustedDataToExternalAPI.js:22:12:26:9 | {\\n ... } |
|
||||
| tst-UntrustedDataToExternalAPI.js:23:16:25:13 | {\\n ... } |
|
||||
| tst-UntrustedDataToExternalAPI.js:24:20:24:42 | [JSON.p ... usted)] |
|
||||
| tst-UntrustedDataToExternalAPI.js:24:20:24:42 | [JSON.p ... usted)] |
|
||||
| tst-UntrustedDataToExternalAPI.js:24:21:24:41 | JSON.pa ... rusted) |
|
||||
| tst-UntrustedDataToExternalAPI.js:24:32:24:40 | untrusted |
|
||||
| tst-UntrustedDataToExternalAPI.js:30:13:30:30 | getDeepUntrusted() |
|
||||
| tst-UntrustedDataToExternalAPI.js:30:13:30:30 | getDeepUntrusted() |
|
||||
| tst-UntrustedDataToExternalAPI.js:30:13:30:30 | getDeepUntrusted() |
|
||||
| tst-UntrustedDataToExternalAPI.js:33:14:33:22 | untrusted |
|
||||
| tst-UntrustedDataToExternalAPI.js:33:14:33:22 | untrusted |
|
||||
| tst-UntrustedDataToExternalAPI.js:34:34:34:42 | untrusted |
|
||||
| tst-UntrustedDataToExternalAPI.js:34:34:34:42 | untrusted |
|
||||
| tst-UntrustedDataToExternalAPI.js:41:7:41:8 | {} |
|
||||
| tst-UntrustedDataToExternalAPI.js:41:7:41:8 | {} |
|
||||
| tst-UntrustedDataToExternalAPI.js:41:11:45:1 | {\\n x ... usted\\n} |
|
||||
| tst-UntrustedDataToExternalAPI.js:41:11:45:1 | {\\n x ... usted\\n} |
|
||||
| tst-UntrustedDataToExternalAPI.js:42:8:42:16 | untrusted |
|
||||
| tst-UntrustedDataToExternalAPI.js:43:8:43:16 | untrusted |
|
||||
| tst-UntrustedDataToExternalAPI.js:44:8:44:16 | untrusted |
|
||||
edges
|
||||
| tst-UntrustedDataToExternalAPI.js:3:5:3:27 | untrusted | tst-UntrustedDataToExternalAPI.js:5:13:5:21 | untrusted |
|
||||
| tst-UntrustedDataToExternalAPI.js:3:5:3:27 | untrusted | tst-UntrustedDataToExternalAPI.js:5:13:5:21 | untrusted |
|
||||
| tst-UntrustedDataToExternalAPI.js:3:5:3:27 | untrusted | tst-UntrustedDataToExternalAPI.js:6:17:6:25 | untrusted |
|
||||
| tst-UntrustedDataToExternalAPI.js:3:5:3:27 | untrusted | tst-UntrustedDataToExternalAPI.js:6:17:6:25 | untrusted |
|
||||
| tst-UntrustedDataToExternalAPI.js:3:5:3:27 | untrusted | tst-UntrustedDataToExternalAPI.js:7:16:7:24 | untrusted |
|
||||
| tst-UntrustedDataToExternalAPI.js:3:5:3:27 | untrusted | tst-UntrustedDataToExternalAPI.js:7:16:7:24 | untrusted |
|
||||
| tst-UntrustedDataToExternalAPI.js:3:5:3:27 | untrusted | tst-UntrustedDataToExternalAPI.js:8:31:8:39 | untrusted |
|
||||
| tst-UntrustedDataToExternalAPI.js:3:5:3:27 | untrusted | tst-UntrustedDataToExternalAPI.js:8:31:8:39 | untrusted |
|
||||
| tst-UntrustedDataToExternalAPI.js:3:5:3:27 | untrusted | tst-UntrustedDataToExternalAPI.js:9:18:9:26 | untrusted |
|
||||
| tst-UntrustedDataToExternalAPI.js:3:5:3:27 | untrusted | tst-UntrustedDataToExternalAPI.js:9:18:9:26 | untrusted |
|
||||
| tst-UntrustedDataToExternalAPI.js:3:5:3:27 | untrusted | tst-UntrustedDataToExternalAPI.js:10:19:10:27 | untrusted |
|
||||
| tst-UntrustedDataToExternalAPI.js:3:5:3:27 | untrusted | tst-UntrustedDataToExternalAPI.js:11:20:11:28 | untrusted |
|
||||
| tst-UntrustedDataToExternalAPI.js:3:5:3:27 | untrusted | tst-UntrustedDataToExternalAPI.js:11:20:11:28 | untrusted |
|
||||
| tst-UntrustedDataToExternalAPI.js:3:5:3:27 | untrusted | tst-UntrustedDataToExternalAPI.js:15:16:15:24 | untrusted |
|
||||
| tst-UntrustedDataToExternalAPI.js:3:5:3:27 | untrusted | tst-UntrustedDataToExternalAPI.js:24:32:24:40 | untrusted |
|
||||
| tst-UntrustedDataToExternalAPI.js:3:5:3:27 | untrusted | tst-UntrustedDataToExternalAPI.js:30:13:30:30 | getDeepUntrusted() |
|
||||
| tst-UntrustedDataToExternalAPI.js:3:5:3:27 | untrusted | tst-UntrustedDataToExternalAPI.js:30:13:30:30 | getDeepUntrusted() |
|
||||
| tst-UntrustedDataToExternalAPI.js:3:5:3:27 | untrusted | tst-UntrustedDataToExternalAPI.js:33:14:33:22 | untrusted |
|
||||
| tst-UntrustedDataToExternalAPI.js:3:5:3:27 | untrusted | tst-UntrustedDataToExternalAPI.js:33:14:33:22 | untrusted |
|
||||
| tst-UntrustedDataToExternalAPI.js:3:5:3:27 | untrusted | tst-UntrustedDataToExternalAPI.js:34:34:34:42 | untrusted |
|
||||
| tst-UntrustedDataToExternalAPI.js:3:5:3:27 | untrusted | tst-UntrustedDataToExternalAPI.js:34:34:34:42 | untrusted |
|
||||
| tst-UntrustedDataToExternalAPI.js:3:5:3:27 | untrusted | tst-UntrustedDataToExternalAPI.js:42:8:42:16 | untrusted |
|
||||
| tst-UntrustedDataToExternalAPI.js:3:5:3:27 | untrusted | tst-UntrustedDataToExternalAPI.js:43:8:43:16 | untrusted |
|
||||
| tst-UntrustedDataToExternalAPI.js:3:5:3:27 | untrusted | tst-UntrustedDataToExternalAPI.js:44:8:44:16 | untrusted |
|
||||
| tst-UntrustedDataToExternalAPI.js:3:17:3:27 | window.name | tst-UntrustedDataToExternalAPI.js:3:5:3:27 | untrusted |
|
||||
| tst-UntrustedDataToExternalAPI.js:3:17:3:27 | window.name | tst-UntrustedDataToExternalAPI.js:3:5:3:27 | untrusted |
|
||||
| tst-UntrustedDataToExternalAPI.js:10:13:10:33 | ['x', u ... d, 'y'] [1] | tst-UntrustedDataToExternalAPI.js:10:13:10:33 | ['x', u ... d, 'y'] |
|
||||
| tst-UntrustedDataToExternalAPI.js:10:19:10:27 | untrusted | tst-UntrustedDataToExternalAPI.js:10:13:10:33 | ['x', u ... d, 'y'] |
|
||||
| tst-UntrustedDataToExternalAPI.js:10:19:10:27 | untrusted | tst-UntrustedDataToExternalAPI.js:10:13:10:33 | ['x', u ... d, 'y'] |
|
||||
| tst-UntrustedDataToExternalAPI.js:10:19:10:27 | untrusted | tst-UntrustedDataToExternalAPI.js:10:13:10:33 | ['x', u ... d, 'y'] |
|
||||
| tst-UntrustedDataToExternalAPI.js:14:12:16:9 | {\\n ... } | tst-UntrustedDataToExternalAPI.js:13:8:17:5 | {\\n ... }\\n } |
|
||||
| tst-UntrustedDataToExternalAPI.js:14:12:16:9 | {\\n ... } | tst-UntrustedDataToExternalAPI.js:13:8:17:5 | {\\n ... }\\n } |
|
||||
| tst-UntrustedDataToExternalAPI.js:15:16:15:24 | untrusted | tst-UntrustedDataToExternalAPI.js:14:12:16:9 | {\\n ... } |
|
||||
| tst-UntrustedDataToExternalAPI.js:21:12:27:5 | {\\n ... }\\n } | tst-UntrustedDataToExternalAPI.js:30:13:30:30 | getDeepUntrusted() |
|
||||
| tst-UntrustedDataToExternalAPI.js:21:12:27:5 | {\\n ... }\\n } | tst-UntrustedDataToExternalAPI.js:30:13:30:30 | getDeepUntrusted() |
|
||||
| tst-UntrustedDataToExternalAPI.js:22:12:26:9 | {\\n ... } | tst-UntrustedDataToExternalAPI.js:21:12:27:5 | {\\n ... }\\n } |
|
||||
| tst-UntrustedDataToExternalAPI.js:23:16:25:13 | {\\n ... } | tst-UntrustedDataToExternalAPI.js:22:12:26:9 | {\\n ... } |
|
||||
| tst-UntrustedDataToExternalAPI.js:24:20:24:42 | [JSON.p ... usted)] | tst-UntrustedDataToExternalAPI.js:23:16:25:13 | {\\n ... } |
|
||||
| tst-UntrustedDataToExternalAPI.js:24:20:24:42 | [JSON.p ... usted)] | tst-UntrustedDataToExternalAPI.js:23:16:25:13 | {\\n ... } |
|
||||
| tst-UntrustedDataToExternalAPI.js:24:21:24:41 | JSON.pa ... rusted) | tst-UntrustedDataToExternalAPI.js:24:20:24:42 | [JSON.p ... usted)] |
|
||||
| tst-UntrustedDataToExternalAPI.js:24:21:24:41 | JSON.pa ... rusted) | tst-UntrustedDataToExternalAPI.js:24:20:24:42 | [JSON.p ... usted)] |
|
||||
| tst-UntrustedDataToExternalAPI.js:24:32:24:40 | untrusted | tst-UntrustedDataToExternalAPI.js:24:21:24:41 | JSON.pa ... rusted) |
|
||||
| tst-UntrustedDataToExternalAPI.js:41:11:45:1 | {\\n x ... usted\\n} | tst-UntrustedDataToExternalAPI.js:41:7:41:8 | {} |
|
||||
| tst-UntrustedDataToExternalAPI.js:41:11:45:1 | {\\n x ... usted\\n} | tst-UntrustedDataToExternalAPI.js:41:7:41:8 | {} |
|
||||
| tst-UntrustedDataToExternalAPI.js:42:8:42:16 | untrusted | tst-UntrustedDataToExternalAPI.js:41:11:45:1 | {\\n x ... usted\\n} |
|
||||
| tst-UntrustedDataToExternalAPI.js:42:8:42:16 | untrusted | tst-UntrustedDataToExternalAPI.js:41:11:45:1 | {\\n x ... usted\\n} |
|
||||
| tst-UntrustedDataToExternalAPI.js:43:8:43:16 | untrusted | tst-UntrustedDataToExternalAPI.js:41:11:45:1 | {\\n x ... usted\\n} |
|
||||
| tst-UntrustedDataToExternalAPI.js:43:8:43:16 | untrusted | tst-UntrustedDataToExternalAPI.js:41:11:45:1 | {\\n x ... usted\\n} |
|
||||
| tst-UntrustedDataToExternalAPI.js:44:8:44:16 | untrusted | tst-UntrustedDataToExternalAPI.js:41:11:45:1 | {\\n x ... usted\\n} |
|
||||
| tst-UntrustedDataToExternalAPI.js:44:8:44:16 | untrusted | tst-UntrustedDataToExternalAPI.js:41:11:45:1 | {\\n x ... usted\\n} |
|
||||
| tst-UntrustedDataToExternalAPI.js:10:19:10:27 | untrusted | tst-UntrustedDataToExternalAPI.js:10:13:10:33 | ['x', u ... d, 'y'] [1] |
|
||||
| tst-UntrustedDataToExternalAPI.js:13:8:17:5 | {\\n ... }\\n } [y, z] | tst-UntrustedDataToExternalAPI.js:13:8:17:5 | {\\n ... }\\n } |
|
||||
| tst-UntrustedDataToExternalAPI.js:14:12:16:9 | {\\n ... } [z] | tst-UntrustedDataToExternalAPI.js:13:8:17:5 | {\\n ... }\\n } [y, z] |
|
||||
| tst-UntrustedDataToExternalAPI.js:15:16:15:24 | untrusted | tst-UntrustedDataToExternalAPI.js:14:12:16:9 | {\\n ... } [z] |
|
||||
| tst-UntrustedDataToExternalAPI.js:41:11:45:1 | [post update] {\\n x ... usted\\n} [x] | tst-UntrustedDataToExternalAPI.js:41:7:41:8 | {} |
|
||||
| tst-UntrustedDataToExternalAPI.js:41:11:45:1 | [post update] {\\n x ... usted\\n} [x] | tst-UntrustedDataToExternalAPI.js:41:11:45:1 | {\\n x ... usted\\n} |
|
||||
| tst-UntrustedDataToExternalAPI.js:41:11:45:1 | [post update] {\\n x ... usted\\n} [y] | tst-UntrustedDataToExternalAPI.js:41:7:41:8 | {} |
|
||||
| tst-UntrustedDataToExternalAPI.js:41:11:45:1 | [post update] {\\n x ... usted\\n} [y] | tst-UntrustedDataToExternalAPI.js:41:11:45:1 | {\\n x ... usted\\n} |
|
||||
| tst-UntrustedDataToExternalAPI.js:41:11:45:1 | [post update] {\\n x ... usted\\n} [z] | tst-UntrustedDataToExternalAPI.js:41:7:41:8 | {} |
|
||||
| tst-UntrustedDataToExternalAPI.js:41:11:45:1 | [post update] {\\n x ... usted\\n} [z] | tst-UntrustedDataToExternalAPI.js:41:11:45:1 | {\\n x ... usted\\n} |
|
||||
| tst-UntrustedDataToExternalAPI.js:42:8:42:16 | untrusted | tst-UntrustedDataToExternalAPI.js:41:11:45:1 | [post update] {\\n x ... usted\\n} [x] |
|
||||
| tst-UntrustedDataToExternalAPI.js:43:8:43:16 | untrusted | tst-UntrustedDataToExternalAPI.js:41:11:45:1 | [post update] {\\n x ... usted\\n} [y] |
|
||||
| tst-UntrustedDataToExternalAPI.js:44:8:44:16 | untrusted | tst-UntrustedDataToExternalAPI.js:41:11:45:1 | [post update] {\\n x ... usted\\n} [z] |
|
||||
nodes
|
||||
| tst-UntrustedDataToExternalAPI.js:3:5:3:27 | untrusted | semmle.label | untrusted |
|
||||
| tst-UntrustedDataToExternalAPI.js:3:17:3:27 | window.name | semmle.label | window.name |
|
||||
| tst-UntrustedDataToExternalAPI.js:5:13:5:21 | untrusted | semmle.label | untrusted |
|
||||
| tst-UntrustedDataToExternalAPI.js:6:17:6:25 | untrusted | semmle.label | untrusted |
|
||||
| tst-UntrustedDataToExternalAPI.js:7:16:7:24 | untrusted | semmle.label | untrusted |
|
||||
| tst-UntrustedDataToExternalAPI.js:8:31:8:39 | untrusted | semmle.label | untrusted |
|
||||
| tst-UntrustedDataToExternalAPI.js:9:18:9:26 | untrusted | semmle.label | untrusted |
|
||||
| tst-UntrustedDataToExternalAPI.js:10:13:10:33 | ['x', u ... d, 'y'] | semmle.label | ['x', u ... d, 'y'] |
|
||||
| tst-UntrustedDataToExternalAPI.js:10:13:10:33 | ['x', u ... d, 'y'] [1] | semmle.label | ['x', u ... d, 'y'] [1] |
|
||||
| tst-UntrustedDataToExternalAPI.js:10:19:10:27 | untrusted | semmle.label | untrusted |
|
||||
| tst-UntrustedDataToExternalAPI.js:11:20:11:28 | untrusted | semmle.label | untrusted |
|
||||
| tst-UntrustedDataToExternalAPI.js:13:8:17:5 | {\\n ... }\\n } | semmle.label | {\\n ... }\\n } |
|
||||
| tst-UntrustedDataToExternalAPI.js:13:8:17:5 | {\\n ... }\\n } [y, z] | semmle.label | {\\n ... }\\n } [y, z] |
|
||||
| tst-UntrustedDataToExternalAPI.js:14:12:16:9 | {\\n ... } [z] | semmle.label | {\\n ... } [z] |
|
||||
| tst-UntrustedDataToExternalAPI.js:15:16:15:24 | untrusted | semmle.label | untrusted |
|
||||
| tst-UntrustedDataToExternalAPI.js:33:14:33:22 | untrusted | semmle.label | untrusted |
|
||||
| tst-UntrustedDataToExternalAPI.js:34:34:34:42 | untrusted | semmle.label | untrusted |
|
||||
| tst-UntrustedDataToExternalAPI.js:41:7:41:8 | {} | semmle.label | {} |
|
||||
| tst-UntrustedDataToExternalAPI.js:41:11:45:1 | [post update] {\\n x ... usted\\n} [x] | semmle.label | [post update] {\\n x ... usted\\n} [x] |
|
||||
| tst-UntrustedDataToExternalAPI.js:41:11:45:1 | [post update] {\\n x ... usted\\n} [y] | semmle.label | [post update] {\\n x ... usted\\n} [y] |
|
||||
| tst-UntrustedDataToExternalAPI.js:41:11:45:1 | [post update] {\\n x ... usted\\n} [z] | semmle.label | [post update] {\\n x ... usted\\n} [z] |
|
||||
| tst-UntrustedDataToExternalAPI.js:41:11:45:1 | {\\n x ... usted\\n} | semmle.label | {\\n x ... usted\\n} |
|
||||
| tst-UntrustedDataToExternalAPI.js:42:8:42:16 | untrusted | semmle.label | untrusted |
|
||||
| tst-UntrustedDataToExternalAPI.js:43:8:43:16 | untrusted | semmle.label | untrusted |
|
||||
| tst-UntrustedDataToExternalAPI.js:44:8:44:16 | untrusted | semmle.label | untrusted |
|
||||
subpaths
|
||||
#select
|
||||
| tst-UntrustedDataToExternalAPI.js:5:13:5:21 | untrusted | tst-UntrustedDataToExternalAPI.js:3:17:3:27 | window.name | tst-UntrustedDataToExternalAPI.js:5:13:5:21 | untrusted | Call to external-lib() [param 0] with untrusted data from $@. | tst-UntrustedDataToExternalAPI.js:3:17:3:27 | window.name | window.name |
|
||||
| tst-UntrustedDataToExternalAPI.js:6:17:6:25 | untrusted | tst-UntrustedDataToExternalAPI.js:3:17:3:27 | window.name | tst-UntrustedDataToExternalAPI.js:6:17:6:25 | untrusted | Call to external-lib() [param 0 'x'] with untrusted data from $@. | tst-UntrustedDataToExternalAPI.js:3:17:3:27 | window.name | window.name |
|
||||
@@ -102,7 +64,6 @@ edges
|
||||
| tst-UntrustedDataToExternalAPI.js:10:13:10:33 | ['x', u ... d, 'y'] | tst-UntrustedDataToExternalAPI.js:3:17:3:27 | window.name | tst-UntrustedDataToExternalAPI.js:10:13:10:33 | ['x', u ... d, 'y'] | Call to external-lib() [param 0] with untrusted data from $@. | tst-UntrustedDataToExternalAPI.js:3:17:3:27 | window.name | window.name |
|
||||
| tst-UntrustedDataToExternalAPI.js:11:20:11:28 | untrusted | tst-UntrustedDataToExternalAPI.js:3:17:3:27 | window.name | tst-UntrustedDataToExternalAPI.js:11:20:11:28 | untrusted | Call to external-lib() [param 1] with untrusted data from $@. | tst-UntrustedDataToExternalAPI.js:3:17:3:27 | window.name | window.name |
|
||||
| tst-UntrustedDataToExternalAPI.js:13:8:17:5 | {\\n ... }\\n } | tst-UntrustedDataToExternalAPI.js:3:17:3:27 | window.name | tst-UntrustedDataToExternalAPI.js:13:8:17:5 | {\\n ... }\\n } | Call to external-lib() [param 0 'x'] with untrusted data from $@. | tst-UntrustedDataToExternalAPI.js:3:17:3:27 | window.name | window.name |
|
||||
| tst-UntrustedDataToExternalAPI.js:30:13:30:30 | getDeepUntrusted() | tst-UntrustedDataToExternalAPI.js:3:17:3:27 | window.name | tst-UntrustedDataToExternalAPI.js:30:13:30:30 | getDeepUntrusted() | Call to external-lib() [param 0] with untrusted data from $@. | tst-UntrustedDataToExternalAPI.js:3:17:3:27 | window.name | window.name |
|
||||
| tst-UntrustedDataToExternalAPI.js:33:14:33:22 | untrusted | tst-UntrustedDataToExternalAPI.js:3:17:3:27 | window.name | tst-UntrustedDataToExternalAPI.js:33:14:33:22 | untrusted | Call to external-lib.get.[callback].[param 'res'].send() [param 0] with untrusted data from $@. | tst-UntrustedDataToExternalAPI.js:3:17:3:27 | window.name | window.name |
|
||||
| tst-UntrustedDataToExternalAPI.js:34:34:34:42 | untrusted | tst-UntrustedDataToExternalAPI.js:3:17:3:27 | window.name | tst-UntrustedDataToExternalAPI.js:34:34:34:42 | untrusted | Call to external-lib.get.[callback].[param 'req'].app.locals.something.foo() [param 0] with untrusted data from $@. | tst-UntrustedDataToExternalAPI.js:3:17:3:27 | window.name | window.name |
|
||||
| tst-UntrustedDataToExternalAPI.js:41:7:41:8 | {} | tst-UntrustedDataToExternalAPI.js:3:17:3:27 | window.name | tst-UntrustedDataToExternalAPI.js:41:7:41:8 | {} | Call to lodash.merge() [param 0] with untrusted data from $@. | tst-UntrustedDataToExternalAPI.js:3:17:3:27 | window.name | window.name |
|
||||
|
||||
Reference in New Issue
Block a user