polish qhelp for CWE-830 and add test file

2026-05-03 12:45:27 +02:00 · 2022-02-16 10:27:45 +01:00
parent 44d86569ac
commit 9aec4437e2
2 changed files with 46 additions and 6 deletions
--- a/javascript/ql/test/query-tests/Security/CWE-830/StaticCreationOfUntrustedSourceUse.html
+++ b/javascript/ql/test/query-tests/Security/CWE-830/StaticCreationOfUntrustedSourceUse.html
@@ -0,0 +1,23 @@
+<!DOCTYPE html>
+<html>
+    <head>
+    </head>
+    <body>
+        <script src="http://test.local/foo.js"></script>> <!-- NOT OK -->
+        <script src="http://test.local/foo.js" integrity="some-integrity-hash"></script>>  <!-- OK (integrity digest present) -->
+        <script src="https://test.local/bar.js"></script>> <!-- OK (https) -->
+        <iframe src="http://test.local/foo.html"></iframe> <!-- NOT OK -->
+        <iframe src="https://test.local/foo.html"></iframe> <!-- OK (https) -->
+        <iframe src="//test.local/foo.html"></iframe> <!-- OK (protocol-relative url is allowed as a http url of 
+            the page is vulnerable in the first place) -->
+        <iframe src="http://::1/foo.html"></iframe> <!-- OK (localhost) -->
+        <iframe src="http://[::1]:80/foo.html"></iframe> <!-- OK (localhost) -->
+        <iframe src="http://127.0.0.1:444/foo.html"></iframe> <!-- OK (localhost) -->
+
+        <!-- Some CDNs recommend using the integrity attribute — for those, we demand it even with https links -->
+        <!-- OK (digest present) -->
+        <script src="https://cdnjs.cloudflare.com/ajax/libs/angular.js/1.8.2/angular.min.js" integrity="sha512-7oYXeK0OxTFxndh0erL8FsjGvrl2VMDor6fVqzlLGfwOQQqTbYsGPv4ZZ15QHfSk80doyaM0ZJdvkyDcVO7KFA==" crossorigin="anonymous" referrerpolicy="no-referrer"></script>
+        <!-- NOT OK (digest missing) -->
+        <script src="https://cdnjs.cloudflare.com/ajax/libs/angular.js/1.8.2/angular.min.js" crossorigin="anonymous" referrerpolicy="no-referrer"></script>
+    </body>
+</html>