Fix example in JavaScript query

Edoardo Pirovano
2021-12-29 12:01:09 +00:00
parent 882caf4011
commit a616059761
2 changed files with 5 additions and 5 deletions


@@ -4,8 +4,8 @@ var app = require("express")(),
app.get("/user-files", function(req, res) {
var file = req.param("file");
if (file.indexOf("..") !== -1) {
// BAD
// forbid paths outside the /public directory
// BAD: we forbid relative paths that contain ..
// as these could leave the public directory
res.status(400).send("Bad request");
} else {
var absolute = path.resolve("/public/" + file);
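Review bot: The reworded comment on the `..` check still does not say why the check is marked BAD. `file` comes from `req.param("file")`, which can be an array when the parameter is repeated, and on an array `indexOf("..")` compares whole elements instead of searching for a substring, so the guard does not do what the comment describes. I would state that directly, e.g. `// BAD: file may be an array, in which case indexOf("..") compares elements and is not a substring test`. The handler body continues past the end of this hunk.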


@@ -3,9 +3,9 @@ var app = require("express")(),
app.get("/user-files", function(req, res) {
var file = req.param("file");
if (typeof path !== 'string' || file.indexOf("..") !== -1) {
// BAD
// forbid paths outside the /public directory
if (typeof file !== 'string' || file.indexOf("..") !== -1) {
// BAD: we forbid relative paths that contain ..
// as these could leave the public directory
res.status(400).send("Bad request");
} else {
var absolute = path.resolve("/public/" + file);
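Review bot: The new comment under the corrected `typeof file !== 'string'` check is labelled `BAD:`, which in an example file reads as a marker for vulnerable code. This section appears to be the fixed variant, since the type check is what makes `indexOf("..")` a real substring test. Consider `// GOOD: reject non-string values and relative paths that contain ..` so readers do not mistake the guarded branch for the flawed one. It may also be worth a comment that the resolved `absolute` path should still be confirmed to lie under `/public` before use; the code after this hunk is not visible here.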