hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-05-03 20:58:03 +02:00
Code Issues Packages Projects Releases Wiki Activity

use the TaintedObject library in js/template-object-injection

Browse Source
This commit is contained in:
Erik Krogh Kristensen
2021-02-03 12:26:37 +01:00
parent c6a22844e2
commit a5bde53bfe
3 changed files with 65 additions and 21 deletions
Download Patch File Download Diff File Expand all files Collapse all files

42
javascript/ql/test/experimental/Security/CWE-073/TemplateObjectInjection.expected
View File

@@ -4,34 +4,52 @@ nodes
| tst.js:5:25:5:32 | req.body |
| tst.js:5:25:5:46 | req.bod ... rameter |
| tst.js:6:9:6:49 | queryParameter |
| tst.js:6:9:6:49 | queryParameter |
| tst.js:6:26:6:49 | req.que ... rameter |
| tst.js:6:26:6:49 | req.que ... rameter |
| tst.js:6:26:6:49 | req.que ... rameter |
| tst.js:8:28:8:40 | bodyParameter |
| tst.js:8:28:8:40 | bodyParameter |
| tst.js:9:28:9:41 | queryParameter |
| tst.js:9:28:9:41 | queryParameter |
| tst.js:12:32:12:44 | bodyParameter |
| tst.js:12:32:12:44 | bodyParameter |
| tst.js:14:28:14:41 | queryParameter |
| tst.js:14:28:14:46 | queryParameter + "" |
| tst.js:14:28:14:46 | queryParameter + "" |
| tst.js:18:19:18:32 | queryParameter |
| tst.js:18:19:18:32 | queryParameter |
| tst.js:21:24:21:26 | obj |
| tst.js:21:24:21:26 | obj |
| tst.js:22:28:22:30 | obj |
| tst.js:22:28:22:30 | obj |
| tst.js:24:11:24:24 | str |
| tst.js:24:17:24:19 | obj |
| tst.js:24:17:24:24 | obj + "" |
| tst.js:27:28:27:42 | JSON.parse(str) |
| tst.js:27:28:27:42 | JSON.parse(str) |
| tst.js:27:39:27:41 | str |
edges
| tst.js:5:9:5:46 | bodyParameter | tst.js:8:28:8:40 | bodyParameter |
| tst.js:5:9:5:46 | bodyParameter | tst.js:8:28:8:40 | bodyParameter |
| tst.js:5:9:5:46 | bodyParameter | tst.js:12:32:12:44 | bodyParameter |
| tst.js:5:9:5:46 | bodyParameter | tst.js:12:32:12:44 | bodyParameter |
| tst.js:5:25:5:32 | req.body | tst.js:5:25:5:46 | req.bod ... rameter |
| tst.js:5:25:5:32 | req.body | tst.js:5:25:5:46 | req.bod ... rameter |
| tst.js:5:25:5:46 | req.bod ... rameter | tst.js:5:9:5:46 | bodyParameter |
| tst.js:6:9:6:49 | queryParameter | tst.js:9:28:9:41 | queryParameter |
| tst.js:6:9:6:49 | queryParameter | tst.js:9:28:9:41 | queryParameter |
| tst.js:6:9:6:49 | queryParameter | tst.js:14:28:14:41 | queryParameter |
| tst.js:6:9:6:49 | queryParameter | tst.js:18:19:18:32 | queryParameter |
| tst.js:6:9:6:49 | queryParameter | tst.js:18:19:18:32 | queryParameter |
| tst.js:6:26:6:49 | req.que ... rameter | tst.js:6:9:6:49 | queryParameter |
| tst.js:6:26:6:49 | req.que ... rameter | tst.js:6:9:6:49 | queryParameter |
| tst.js:14:28:14:41 | queryParameter | tst.js:14:28:14:46 | queryParameter + "" |
| tst.js:14:28:14:41 | queryParameter | tst.js:14:28:14:46 | queryParameter + "" |
| tst.js:6:26:6:49 | req.que ... rameter | tst.js:6:9:6:49 | queryParameter |
| tst.js:6:26:6:49 | req.que ... rameter | tst.js:6:9:6:49 | queryParameter |
| tst.js:18:19:18:32 | queryParameter | tst.js:21:24:21:26 | obj |
| tst.js:18:19:18:32 | queryParameter | tst.js:21:24:21:26 | obj |
| tst.js:21:24:21:26 | obj | tst.js:22:28:22:30 | obj |
| tst.js:21:24:21:26 | obj | tst.js:22:28:22:30 | obj |
| tst.js:21:24:21:26 | obj | tst.js:24:17:24:19 | obj |
| tst.js:24:11:24:24 | str | tst.js:27:39:27:41 | str |
| tst.js:24:17:24:19 | obj | tst.js:24:17:24:24 | obj + "" |
| tst.js:24:17:24:24 | obj + "" | tst.js:24:11:24:24 | str |
| tst.js:27:39:27:41 | str | tst.js:27:28:27:42 | JSON.parse(str) |
| tst.js:27:39:27:41 | str | tst.js:27:28:27:42 | JSON.parse(str) |
#select
| tst.js:8:28:8:40 | bodyParameter | tst.js:5:25:5:32 | req.body | tst.js:8:28:8:40 | bodyParameter | Template object injection due to $@. | tst.js:5:25:5:32 | req.body | user-provided value |
| tst.js:9:28:9:41 | queryParameter | tst.js:6:26:6:49 | req.que ... rameter | tst.js:9:28:9:41 | queryParameter | Template object injection due to $@. | tst.js:6:26:6:49 | req.que ... rameter | user-provided value |
| tst.js:12:32:12:44 | bodyParameter | tst.js:5:25:5:32 | req.body | tst.js:12:32:12:44 | bodyParameter | Template object injection due to $@. | tst.js:5:25:5:32 | req.body | user-provided value |
| tst.js:14:28:14:46 | queryParameter + "" | tst.js:6:26:6:49 | req.que ... rameter | tst.js:14:28:14:46 | queryParameter + "" | Template object injection due to $@. | tst.js:6:26:6:49 | req.que ... rameter | user-provided value |
| tst.js:22:28:22:30 | obj | tst.js:6:26:6:49 | req.que ... rameter | tst.js:22:28:22:30 | obj | Template object injection due to $@. | tst.js:6:26:6:49 | req.que ... rameter | user-provided value |
| tst.js:27:28:27:42 | JSON.parse(str) | tst.js:6:26:6:49 | req.que ... rameter | tst.js:27:28:27:42 | JSON.parse(str) | Template object injection due to $@. | tst.js:6:26:6:49 | req.que ... rameter | user-provided value |

17
javascript/ql/test/experimental/Security/CWE-073/tst.js
View File

@@ -9,9 +9,20 @@ app.post('/path', function(req, res) {
res.render('template', queryParameter); // NOT OK
if (typeof bodyParameter === "string") {
res.render('template', bodyParameter); // OK - but still flagged [INCONSISTENCY]
res.render('template', bodyParameter); // OK
}
res.render('template', queryParameter + ""); // OK - but still flagged [INCONSISTENCY]
res.render('template', queryParameter + ""); // OK
res.render('template', {profile: bodyParameter}); // OK
});
indirect(res, queryParameter);
});
function indirect(res, obj) {
res.render("template", obj); // NOT OK
const str = obj + "";
res.render("template", str); // OK
res.render("template", JSON.parse(str)); // NOT OK
}