Merge pull request #623 from esben-semmle/js/incomplete-url-sanitization

Approved by mc-semmle
This commit is contained in:
semmle-qlci
2018-12-06 20:46:37 +00:00
committed by GitHub
10 changed files with 244 additions and 0 deletions


@@ -0,0 +1,13 @@
| tst-IncompleteUrlSubstringSanitization.js:4:5:4:27 | x.index ... e.com") | '$@' may be at an arbitrary position in the sanitized URL. | tst-IncompleteUrlSubstringSanitization.js:4:15:4:26 | "secure.com" | secure.com |
| tst-IncompleteUrlSubstringSanitization.js:5:5:5:27 | x.index ... e.net") | '$@' may be at an arbitrary position in the sanitized URL. | tst-IncompleteUrlSubstringSanitization.js:5:15:5:26 | "secure.net" | secure.net |
| tst-IncompleteUrlSubstringSanitization.js:6:5:6:28 | x.index ... e.com") | '$@' may be at an arbitrary position in the sanitized URL. | tst-IncompleteUrlSubstringSanitization.js:6:15:6:27 | ".secure.com" | .secure.com |
| tst-IncompleteUrlSubstringSanitization.js:10:5:10:27 | x.index ... e.com") | '$@' may be at an arbitrary position in the sanitized URL. | tst-IncompleteUrlSubstringSanitization.js:10:15:10:26 | "secure.com" | secure.com |
| tst-IncompleteUrlSubstringSanitization.js:11:5:11:27 | x.index ... e.com") | '$@' may be at an arbitrary position in the sanitized URL. | tst-IncompleteUrlSubstringSanitization.js:11:15:11:26 | "secure.com" | secure.com |
| tst-IncompleteUrlSubstringSanitization.js:12:5:12:27 | x.index ... e.com") | '$@' may be at an arbitrary position in the sanitized URL. | tst-IncompleteUrlSubstringSanitization.js:12:15:12:26 | "secure.com" | secure.com |
| tst-IncompleteUrlSubstringSanitization.js:14:5:14:38 | x.start ... e.com") | '$@' may be at an arbitrary position in the sanitized URL. | tst-IncompleteUrlSubstringSanitization.js:14:18:14:37 | "https://secure.com" | https://secure.com |
| tst-IncompleteUrlSubstringSanitization.js:15:5:15:28 | x.endsW ... e.com") | '$@' may be at an arbitrary position in the sanitized URL. | tst-IncompleteUrlSubstringSanitization.js:15:16:15:27 | "secure.com" | secure.com |
| tst-IncompleteUrlSubstringSanitization.js:20:5:20:28 | x.inclu ... e.com") | '$@' may be at an arbitrary position in the sanitized URL. | tst-IncompleteUrlSubstringSanitization.js:20:16:20:27 | "secure.com" | secure.com |
| tst-IncompleteUrlSubstringSanitization.js:32:5:32:35 | x.index ... e.com") | '$@' may be at an arbitrary position in the sanitized URL. | tst-IncompleteUrlSubstringSanitization.js:32:15:32:34 | "https://secure.com" | https://secure.com |
| tst-IncompleteUrlSubstringSanitization.js:33:5:33:39 | x.index ... m:443") | '$@' may be at an arbitrary position in the sanitized URL. | tst-IncompleteUrlSubstringSanitization.js:33:15:33:38 | "https: ... om:443" | https://secure.com:443 |
| tst-IncompleteUrlSubstringSanitization.js:34:5:34:36 | x.index ... .com/") | '$@' may be at an arbitrary position in the sanitized URL. | tst-IncompleteUrlSubstringSanitization.js:34:15:34:35 | "https: ... e.com/" | https://secure.com/ |
| tst-IncompleteUrlSubstringSanitization.js:52:5:52:41 | x.index ... ernal") | '$@' may be at an arbitrary position in the sanitized URL. | tst-IncompleteUrlSubstringSanitization.js:52:15:52:40 | "https: ... ternal" | https://example.internal |


@@ -0,0 +1 @@
Security/CWE-020/IncompleteUrlSubstringSanitization.ql


@@ -0,0 +1,54 @@
(function(x){
x.indexOf("internal"); // NOT OK, but not flagged
x.indexOf("localhost"); // NOT OK, but not flagged
x.indexOf("secure.com"); // NOT OK
x.indexOf("secure.net"); // NOT OK
x.indexOf(".secure.com"); // NOT OK
x.indexOf("sub.secure."); // NOT OK, but not flagged
x.indexOf(".sub.secure."); // NOT OK, but not flagged
x.indexOf("secure.com") === -1; // NOT OK
x.indexOf("secure.com") === 0; // NOT OK
x.indexOf("secure.com") >= 0; // NOT OK
x.startsWith("https://secure.com"); // NOT OK
x.endsWith("secure.com"); // NOT OK
x.endsWith(".secure.com"); // OK
x.startsWith("secure.com/"); // OK
x.indexOf("secure.com/") === 0; // OK
x.includes("secure.com"); // NOT OK
x.indexOf("#"); // OK
x.indexOf(":"); // OK
x.indexOf(":/"); // OK
x.indexOf("://"); // OK
x.indexOf("//"); // OK
x.indexOf(":443"); // OK
x.indexOf("/some/path/"); // OK
x.indexOf("some/path"); // OK
x.indexOf("/index.html"); // OK
x.indexOf(":template:"); // OK
x.indexOf("https://secure.com"); // NOT OK
x.indexOf("https://secure.com:443"); // NOT OK
x.indexOf("https://secure.com/"); // NOT OK
x.indexOf(".cn"); // NOT OK, but not flagged
x.indexOf(".jpg"); // OK
x.indexOf("index.html"); // OK
x.indexOf("index.js"); // OK
x.indexOf("index.php"); // OK
x.indexOf("index.css"); // OK
x.indexOf("secure=true"); // OK (query param)
x.indexOf("&auth="); // OK (query param)
x.indexOf(getCurrentDomain()); // NOT OK, but not flagged
x.indexOf(location.origin); // NOT OK, but not flagged
x.indexOf("tar.gz") + offset // OK
x.indexOf("tar.gz") - offset // OK
x.indexOf("https://example.internal"); // NOT OK
x.indexOf("https://"); // OK
});
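Review bot: The three `// OK` verdicts for `x.endsWith(".secure.com")`, `x.startsWith("secure.com/")` and `x.indexOf("secure.com/") === 0` hold only when `x` is a host name or a host-plus-path string, not a full URL — `https://evil.example/#.secure.com` still ends with `.secure.com` — and nothing in the test records that assumption, so a header comment such as `// Verdicts assume x is a host name (or host + path): prefix/suffix checks anchored on a delimiter are then safe, bare substring checks never are.` would pin it down. The `NOT OK, but not flagged` lines (non-literal arguments like `getCurrentDomain()` and `location.origin`, and literals such as `"internal"`, `"localhost"` and `".cn"` with no recognisable host name) appear to document accepted false negatives of the query, which is presumably among the changed files not shown here; stating that explicitly, e.g. `// "but not flagged" marks known false negatives of the query, not expected results`, keeps a later tightening of the query from reading as a regression when the .expected file gains rows. Minor: `x.indexOf("tar.gz") + offset` and the `- offset` line below it drop the trailing semicolon every other statement in the file carries.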