hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-30 19:26:02 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #891 from xiemaisi/js/simplify-sensitive-actions

Browse Source 
Approved by esben-semmle
This commit is contained in:
semmle-qlci
2019-02-08 14:12:47 +00:00
committed by GitHub
parent 90eccbdf76 aebc5bc6c3
commit 937049e060
13 changed files with 160 additions and 118 deletions
Download Patch File Download Diff File Expand all files Collapse all files

28
javascript/ql/test/query-tests/Security/CWE-312/CleartextStorage.expected
View File

@@ -1,11 +1,11 @@
nodes
| CleartextStorage2.js:5:7:5:52 | a |
| CleartextStorage2.js:5:11:5:52 | url.par ... untName |
| CleartextStorage2.js:7:19:7:36 | 'AccountName=' + a |
| CleartextStorage2.js:7:36:7:36 | a |
| CleartextStorage.js:5:7:5:34 | a |
| CleartextStorage.js:5:11:5:34 | req.par ... tName") |
| CleartextStorage.js:7:29:7:29 | a |
| CleartextStorage2.js:5:7:5:58 | pw |
| CleartextStorage2.js:5:12:5:58 | url.par ... assword |
| CleartextStorage2.js:7:19:7:34 | 'password=' + pw |
| CleartextStorage2.js:7:33:7:34 | pw |
| CleartextStorage.js:5:7:5:40 | pw |
| CleartextStorage.js:5:12:5:40 | req.par ... sword") |
| CleartextStorage.js:7:26:7:27 | pw |
| tst-angularjs.js:3:32:3:45 | data1.password |
| tst-angularjs.js:4:33:4:46 | data2.password |
| tst-angularjs.js:5:27:5:40 | data3.password |
@@ -15,14 +15,14 @@ nodes
| tst-webstorage.js:3:20:3:32 | data.password |
| tst-webstorage.js:4:29:4:41 | data.password |
edges
| CleartextStorage2.js:5:7:5:52 | a | CleartextStorage2.js:7:36:7:36 | a |
| CleartextStorage2.js:5:11:5:52 | url.par ... untName | CleartextStorage2.js:5:7:5:52 | a |
| CleartextStorage2.js:7:36:7:36 | a | CleartextStorage2.js:7:19:7:36 | 'AccountName=' + a |
| CleartextStorage.js:5:7:5:34 | a | CleartextStorage.js:7:29:7:29 | a |
| CleartextStorage.js:5:11:5:34 | req.par ... tName") | CleartextStorage.js:5:7:5:34 | a |
| CleartextStorage2.js:5:7:5:58 | pw | CleartextStorage2.js:7:33:7:34 | pw |
| CleartextStorage2.js:5:12:5:58 | url.par ... assword | CleartextStorage2.js:5:7:5:58 | pw |
| CleartextStorage2.js:7:33:7:34 | pw | CleartextStorage2.js:7:19:7:34 | 'password=' + pw |
| CleartextStorage.js:5:7:5:40 | pw | CleartextStorage.js:7:26:7:27 | pw |
| CleartextStorage.js:5:12:5:40 | req.par ... sword") | CleartextStorage.js:5:7:5:40 | pw |
#select
| CleartextStorage2.js:7:19:7:36 | 'AccountName=' + a | CleartextStorage2.js:5:11:5:52 | url.par ... untName | CleartextStorage2.js:7:19:7:36 | 'AccountName=' + a | Sensitive data returned by $@ is stored here. | CleartextStorage2.js:5:11:5:52 | url.par ... untName | an access to AccountName |
| CleartextStorage.js:7:29:7:29 | a | CleartextStorage.js:5:11:5:34 | req.par ... tName") | CleartextStorage.js:7:29:7:29 | a | Sensitive data returned by $@ is stored here. | CleartextStorage.js:5:11:5:34 | req.par ... tName") | a call to param |
| CleartextStorage2.js:7:19:7:34 | 'password=' + pw | CleartextStorage2.js:5:12:5:58 | url.par ... assword | CleartextStorage2.js:7:19:7:34 | 'password=' + pw | Sensitive data returned by $@ is stored here. | CleartextStorage2.js:5:12:5:58 | url.par ... assword | an access to current_password |
| CleartextStorage.js:7:26:7:27 | pw | CleartextStorage.js:5:12:5:40 | req.par ... sword") | CleartextStorage.js:7:26:7:27 | pw | Sensitive data returned by $@ is stored here. | CleartextStorage.js:5:12:5:40 | req.par ... sword") | a call to param |
| tst-angularjs.js:3:32:3:45 | data1.password | tst-angularjs.js:3:32:3:45 | data1.password | tst-angularjs.js:3:32:3:45 | data1.password | Sensitive data returned by $@ is stored here. | tst-angularjs.js:3:32:3:45 | data1.password | an access to password |
| tst-angularjs.js:4:33:4:46 | data2.password | tst-angularjs.js:4:33:4:46 | data2.password | tst-angularjs.js:4:33:4:46 | data2.password | Sensitive data returned by $@ is stored here. | tst-angularjs.js:4:33:4:46 | data2.password | an access to password |
| tst-angularjs.js:5:27:5:40 | data3.password | tst-angularjs.js:5:27:5:40 | data3.password | tst-angularjs.js:5:27:5:40 | data3.password | Sensitive data returned by $@ is stored here. | tst-angularjs.js:5:27:5:40 | data3.password | an access to password |

6
javascript/ql/test/query-tests/Security/CWE-312/CleartextStorage.js
View File

@@ -1,8 +1,8 @@
var express = require('express');
var app = express();
app.get('/', function (req, res) {
let a = req.param("AccountName");
app.get('/remember-password', function (req, res) {
let pw = req.param("current_password");
// BAD: Setting a cookie value with cleartext sensitive data.
res.cookie("AccountName", a);
res.cookie("password", pw);
});

4
javascript/ql/test/query-tests/Security/CWE-312/CleartextStorage2.js
View File

@@ -2,9 +2,9 @@ var https = require('https');
var url = require('url');
var server = https.createServer(function(req, res) {
let a = url.parse(req.url, true).query.AccountName;
let pw = url.parse(req.url, true).query.current_password;
res.writeHead(200, {
'Set-Cookie': 'AccountName=' + a,
'Set-Cookie': 'password=' + pw,
'Content-Type': 'text/plain'
});
});

6
javascript/ql/test/query-tests/Security/CWE-312/CleartextStorageGood.js
View File

@@ -8,8 +8,8 @@ function encrypt(text){
}
var app = express();
app.get('/', function (req, res) {
let accountName = req.param("AccountName");
app.get('/remember-password', function (req, res) {
let pw = req.param("current_password");
// GOOD: Encoding the value before setting it.
res.cookie("AccountName", encrypt(accountName));
res.cookie("password", encrypt(pw));
});

4
javascript/ql/test/query-tests/Security/Summaries/ExtractSinkSummaries.expected
View File

@@ -15,8 +15,10 @@
| (parameter 0 (member multiple (root https://www.npmjs.com/package/infer-sources))) | taint | CommandInjection |
| (parameter 0 (member redirect (root https://www.npmjs.com/package/infer-sources))) | data | ServerSideUrlRedirect |
| (parameter 0 (member redirect (root https://www.npmjs.com/package/infer-sources))) | taint | ServerSideUrlRedirect |
| (parameter 0 (member reflected (root https://www.npmjs.com/package/infer-sources))) | data | InsecureRandomness |
| (parameter 0 (member reflected (root https://www.npmjs.com/package/infer-sources))) | data | ReflectedXss |
| (parameter 0 (member reflected (root https://www.npmjs.com/package/infer-sources))) | data | StoredXss |
| (parameter 0 (member reflected (root https://www.npmjs.com/package/infer-sources))) | taint | InsecureRandomness |
| (parameter 0 (member reflected (root https://www.npmjs.com/package/infer-sources))) | taint | ReflectedXss |
| (parameter 0 (member reflected (root https://www.npmjs.com/package/infer-sources))) | taint | StoredXss |
| (parameter 0 (member regexpInj (root https://www.npmjs.com/package/infer-sources))) | data | RegExpInjection |
@@ -31,7 +33,9 @@
| (parameter 0 (member xmlBomb (root https://www.npmjs.com/package/infer-sources))) | data | Xxe |
| (parameter 0 (member xmlBomb (root https://www.npmjs.com/package/infer-sources))) | taint | XmlBomb |
| (parameter 0 (member xmlBomb (root https://www.npmjs.com/package/infer-sources))) | taint | Xxe |
| (parameter 0 (member xpathInj (root https://www.npmjs.com/package/infer-sources))) | data | InsecureRandomness |
| (parameter 0 (member xpathInj (root https://www.npmjs.com/package/infer-sources))) | data | XpathInjection |
| (parameter 0 (member xpathInj (root https://www.npmjs.com/package/infer-sources))) | taint | InsecureRandomness |
| (parameter 0 (member xpathInj (root https://www.npmjs.com/package/infer-sources))) | taint | XpathInjection |
| (parameter 0 (member xxe (root https://www.npmjs.com/package/infer-sources))) | data | XmlBomb |
| (parameter 0 (member xxe (root https://www.npmjs.com/package/infer-sources))) | taint | XmlBomb |