JS: Port IncompleteUrlSchemeCheck test

This commit is contained in:
Asger F
2025-01-10 14:11:36 +01:00
parent 563471dd52
commit 95e20a045b
3 changed files with 25 additions and 18 deletions


@@ -1,3 +1,4 @@
#select
| IncompleteUrlSchemeCheck.js:5:9:5:35 | u.start ... ript:") | This check does not consider data: and vbscript:. |
| IncompleteUrlSchemeCheck.js:16:9:16:39 | badProt ... otocol) | This check does not consider vbscript:. |
| IncompleteUrlSchemeCheck.js:23:9:23:43 | badProt ... scheme) | This check does not consider vbscript:. |
@@ -13,3 +14,8 @@
| IncompleteUrlSchemeCheck.js:104:6:104:39 | /^(java ... scheme) | This check does not consider vbscript:. |
| IncompleteUrlSchemeCheck.js:110:12:112:29 | url // ... :/, "") | This check does not consider vbscript:. |
| IncompleteUrlSchemeCheck.js:124:11:124:34 | url.rep ... :/, "") | This check does not consider vbscript:. |
testFailures
| IncompleteUrlSchemeCheck.js:94:10:94:15 | This check does not consider vbscript:. | Unexpected result: Alert |
| IncompleteUrlSchemeCheck.js:95:25:95:34 | // $ Alert | Missing result: Alert |
| IncompleteUrlSchemeCheck.js:110:12:112:29 | This check does not consider vbscript:. | Unexpected result: Alert |
| IncompleteUrlSchemeCheck.js:110:17:110:26 | // $ Alert | Missing result: Alert |


@@ -2,7 +2,7 @@ import * as dummy from 'dummy';
function sanitizeUrl(url) {
let u = decodeURI(url).trim().toLowerCase();
if (u.startsWith("javascript:")) // NOT OK
if (u.startsWith("javascript:")) // $ Alert
return "about:blank";
return url;
}
@@ -13,28 +13,28 @@ let badProtocolsGood = ['javascript:', 'data:', 'vbscript:'];
function test2(url) {
let protocol = new URL(url).protocol;
if (badProtocols.includes(protocol)) // NOT OK
if (badProtocols.includes(protocol)) // $ Alert
return "about:blank";
return url;
}
function test3(url) {
let scheme = goog.uri.utils.getScheme(url);
if (badProtocolNoColon.includes(scheme)) // NOT OK
if (badProtocolNoColon.includes(scheme)) // $ Alert
return "about:blank";
return url;
}
function test4(url) {
let scheme = url.split(':')[0];
if (badProtocolNoColon.includes(scheme)) // NOT OK
if (badProtocolNoColon.includes(scheme)) // $ Alert
return "about:blank";
return url;
}
function test5(url) {
let scheme = url.split(':')[0];
if (scheme === "javascript") // NOT OK
if (scheme === "javascript") // $ Alert
return "about:blank";
return url;
}
@@ -48,35 +48,35 @@ function test6(url) {
function test7(url) {
let scheme = url.split(/:/)[0];
if (scheme === "javascript") // NOT OK
if (scheme === "javascript") // $ Alert
return "about:blank";
return url;
}
function test8(url) {
let scheme = goog.uri.utils.getScheme(url);
if ("javascript|data".split("|").indexOf(scheme) !== -1) // NOT OK
if ("javascript|data".split("|").indexOf(scheme) !== -1) // $ Alert
return "about:blank";
return url;
}
function test9(url) {
let scheme = goog.uri.utils.getScheme(url);
if ("javascript" === scheme || "data" === scheme) // NOT OK
if ("javascript" === scheme || "data" === scheme) // $ Alert
return "about:blank";
return url;
}
function test10(url) {
let scheme = goog.uri.utils.getScheme(url);
if (/^(javascript|data)$/.exec(scheme) !== null) // NOT OK
if (/^(javascript|data)$/.exec(scheme) !== null) // $ Alert
return "about:blank";
return url;
}
function test11(url) {
let scheme = goog.uri.utils.getScheme(url);
if (/^(javascript|data)$/.exec(scheme) === null) // NOT OK
if (/^(javascript|data)$/.exec(scheme) === null) // $ Alert
return url;
return "about:blank";
}
@@ -84,7 +84,7 @@ function test11(url) {
function test12(url) {
let scheme = goog.uri.utils.getScheme(url);
if (!/^(javascript|data)$/.exec(scheme)) // NOT OK
if (!/^(javascript|data)$/.exec(scheme)) // $ Alert
return url;
return "about:blank";
}
@@ -92,7 +92,7 @@ function test12(url) {
function test13(url) {
let scheme = goog.uri.utils.getScheme(url);
switch (scheme) {
case "javascript": // NOT OK
case "javascript": // $ Alert
case "data":
return "about:blank";
default:
@@ -101,13 +101,13 @@ function test13(url) {
}
function test14(url) {
let scheme = goog.uri.utils.getScheme(url);
if (/^(javascript|data)$/.exec(scheme)) // NOT OK
if (/^(javascript|data)$/.exec(scheme)) // $ Alert
return "about:blank";
return url;
}
function chain1(url) {
return url // NOT OK
return url // $ Alert
.replace(/javascript:/, "")
.replace(/data:/, "");
}
@@ -121,10 +121,10 @@ function chain2(url) {
function chain3(url) {
url = url.replace(/javascript:/, "")
url = url.replace(/data:/, ""); // NOT OK
url = url.replace(/data:/, ""); // $ Alert
return url;
}
function chain4(url) {
return url.replace(/(javascript|data):/, ""); // NOT OK - but not flagged [INCONSISTENCY]
}
return url.replace(/(javascript|data):/, ""); // $ MISSING: Alert
}
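Review bot: The `// $ Alert` annotations in test13 and chain1 sit on lines the query does not report, so the port lands with four entries under testFailures in the .expected file instead of a clean expectation set. The .expected section lists the test13 result at 94:10:94:15, which by the hunk header appears to be `scheme` in `switch (scheme) {`, while the annotation is on the `case "javascript":` line below it; moving it to `switch (scheme) { // $ Alert` would presumably resolve that pair. For chain1 the reported range is 110:12:112:29, the whole chained expression, and the inline-expectations framework seems to match on the line where a multi-line range ends, so the annotation would belong on `.replace(/data:/, ""); // $ Alert` rather than on the `return url` line — worth confirming against how other ported tests handle multi-line results. If recording these as known failures is intentional for the port, a short comment on those two lines saying so would keep the next reader from treating them as regressions.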


@@ -1 +1,2 @@
Security/CWE-020/IncompleteUrlSchemeCheck.ql
query: Security/CWE-020/IncompleteUrlSchemeCheck.ql
postprocess: utils/test/InlineExpectationsTestQuery.ql