Merge branch 'master'

2026-05-04 21:25:44 +02:00 · 2018-10-01 14:51:56 -07:00
parent 82d8b4e371 13ef492fc1
commit 9c487bc6d9
383 changed files with 11060 additions and 8219 deletions
--- a/javascript/ql/test/query-tests/RegExp/IdentityReplacement/IdentityReplacement.expected
+++ b/javascript/ql/test/query-tests/RegExp/IdentityReplacement/IdentityReplacement.expected
@@ -0,0 +1,12 @@
+| IdentityReplacement.js:1:27:1:30 | /"/g | This replaces '"' with itself. |
+| tst.js:1:13:1:16 | "\\\\" | This replaces '\\' with itself. |
+| tst.js:2:13:2:18 | /(\\\\)/ | This replaces '\\' with itself. |
+| tst.js:3:13:3:17 | /["]/ | This replaces '"' with itself. |
+| tst.js:6:13:6:18 | /foo/g | This replaces 'foo' with itself. |
+| tst.js:9:13:9:17 | /^\\\\/ | This replaces '\\' with itself. |
+| tst.js:10:13:10:17 | /\\\\$/ | This replaces '\\' with itself. |
+| tst.js:11:13:11:18 | /\\b\\\\/ | This replaces '\\' with itself. |
+| tst.js:12:13:12:18 | /\\B\\\\/ | This replaces '\\' with itself. |
+| tst.js:13:13:13:22 | /\\\\(?!\\\\)/ | This replaces '\\' with itself. |
+| tst.js:14:13:14:23 | /(?<!\\\\)\\\\/ | This replaces '\\' with itself. |
+| tst.js:16:13:16:15 | /^/ | This replaces the empty string with itself. |
--- a/javascript/ql/test/query-tests/RegExp/IdentityReplacement/IdentityReplacement.js
+++ b/javascript/ql/test/query-tests/RegExp/IdentityReplacement/IdentityReplacement.js
@@ -0,0 +1 @@
+var escaped = raw.replace(/"/g, '\"');
--- a/javascript/ql/test/query-tests/RegExp/IdentityReplacement/IdentityReplacement.qlref
+++ b/javascript/ql/test/query-tests/RegExp/IdentityReplacement/IdentityReplacement.qlref
@@ -0,0 +1 @@
+RegExp/IdentityReplacement.ql
--- a/javascript/ql/test/query-tests/RegExp/IdentityReplacement/IdentityReplacementGood.js
+++ b/javascript/ql/test/query-tests/RegExp/IdentityReplacement/IdentityReplacementGood.js
@@ -0,0 +1 @@
+var escaped = raw.replace(/"/g, '\\"');
--- a/javascript/ql/test/query-tests/RegExp/IdentityReplacement/tst.js
+++ b/javascript/ql/test/query-tests/RegExp/IdentityReplacement/tst.js
@@ -0,0 +1,16 @@
+raw.replace("\\", "\\"); // NOT OK
+raw.replace(/(\\)/, "\\"); // NOT OK
+raw.replace(/["]/, "\""); // NOT OK
+raw.replace("\\", "\\\\"); // OK
+
+raw.replace(/foo/g, 'foo'); // NOT OK
+raw.replace(/foo/gi, 'foo'); // OK
+
+raw.replace(/^\\/, "\\"); // NOT OK
+raw.replace(/\\$/, "\\"); // NOT OK
+raw.replace(/\b\\/, "\\"); // NOT OK
+raw.replace(/\B\\/, "\\"); // NOT OK
+raw.replace(/\\(?!\\)/, "\\"); // NOT OK
+raw.replace(/(?<!\\)\\/, "\\"); // NOT OK
+
+raw.replace(/^/, ""); // NOT OK
--- a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath.expected
@@ -25,4 +25,5 @@
 | tainted-array-steps.js:15:29:15:43 | parts.join('/') | This path depends on $@. | tainted-array-steps.js:9:24:9:30 | req.url | a user-provided value |
 | tainted-require.js:7:19:7:37 | req.param("module") | This path depends on $@. | tainted-require.js:7:19:7:37 | req.param("module") | a user-provided value |
 | tainted-sendFile.js:7:16:7:33 | req.param("gimme") | This path depends on $@. | tainted-sendFile.js:7:16:7:33 | req.param("gimme") | a user-provided value |
+| tainted-sendFile.js:9:16:9:33 | req.param("gimme") | This path depends on $@. | tainted-sendFile.js:9:16:9:33 | req.param("gimme") | a user-provided value |
 | views.js:1:43:1:55 | req.params[0] | This path depends on $@. | views.js:1:43:1:55 | req.params[0] | a user-provided value |
--- a/javascript/ql/test/query-tests/Security/CWE-022/tainted-sendFile.js
+++ b/javascript/ql/test/query-tests/Security/CWE-022/tainted-sendFile.js
@@ -5,4 +5,6 @@ var app = express();
 app.get('/some/path', function(req, res) {
  // BAD: sending a file based on un-sanitized query parameters
  res.sendFile(req.param("gimme"));
+  // BAD: same as above
+  res.sendfile(req.param("gimme"));
 });
--- a/javascript/ql/test/query-tests/Security/CWE-352/MissingCsrfMiddleware.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-352/MissingCsrfMiddleware.expected
@@ -1,3 +1,5 @@
 | MissingCsrfMiddlewareBad.js:7:9:7:22 | cookieParser() | This cookie middleware is serving a request handler $@ without CSRF protection. | MissingCsrfMiddlewareBad.js:10:26:11:1 | functio ... es) {\\n} | here |
 | csurf_api_example.js:39:37:39:50 | cookieParser() | This cookie middleware is serving a request handler $@ without CSRF protection. | csurf_api_example.js:39:53:41:3 | functio ... e')\\n  } | here |
 | csurf_example.js:18:9:18:22 | cookieParser() | This cookie middleware is serving a request handler $@ without CSRF protection. | csurf_example.js:29:40:31:1 | functio ... sed')\\n} | here |
+| lusca_example.js:9:9:9:22 | cookieParser() | This cookie middleware is serving a request handler $@ without CSRF protection. | lusca_example.js:23:42:25:1 | functio ... sed')\\n} | here |
+| lusca_example.js:9:9:9:22 | cookieParser() | This cookie middleware is serving a request handler $@ without CSRF protection. | lusca_example.js:27:40:29:1 | functio ... sed')\\n} | here |
--- a/javascript/ql/test/query-tests/Security/CWE-352/lusca_example.js
+++ b/javascript/ql/test/query-tests/Security/CWE-352/lusca_example.js
@@ -0,0 +1,29 @@
+var express = require('express')
+var cookieParser = require('cookie-parser')
+var bodyParser = require('body-parser')
+
+var parseForm = bodyParser.urlencoded({ extended: false })
+var lusca = require('lusca');
+
+var app = express()
+app.use(cookieParser())
+
+app.post('/process', parseForm, lusca.csrf(), function (req, res) { // OK
+  res.send('data is being processed')
+})
+
+app.post('/process', parseForm, lusca({csrf:true}), function (req, res) { // OK
+  res.send('data is being processed')
+})
+
+app.post('/process', parseForm, lusca({csrf:{}}), function (req, res) { // OK
+  res.send('data is being processed')
+})
+
+app.post('/process', parseForm, lusca(), function (req, res) { // NOT OK - missing csrf option
+  res.send('data is being processed')
+})
+
+app.post('/process_unsafe', parseForm, function (req, res) { // NOT OK
+  res.send('data is being processed')
+})