mirror of
https://github.com/github/codeql.git
synced 2026-04-26 01:05:15 +02:00
Merge pull request #18472 from asgerf/js/test-suite
JS: Port three tests to use the new post processing-based inline test expectations
This commit is contained in:
Asger F
@@ -1,28 +1,29 @@
|
||||
| tst-IncompleteHostnameRegExp.js:3:3:3:28 | ^http:\\/\\/test.example.com | This regular expression has an unescaped '.' before 'example.com', so it might match more hosts than expected. | tst-IncompleteHostnameRegExp.js:3:2:3:29 | /^http: ... le.com/ | here |
|
||||
| tst-IncompleteHostnameRegExp.js:5:3:5:28 | ^http:\\/\\/test.example.net | This regular expression has an unescaped '.' before 'example.net', so it might match more hosts than expected. | tst-IncompleteHostnameRegExp.js:5:2:5:29 | /^http: ... le.net/ | here |
|
||||
| tst-IncompleteHostnameRegExp.js:6:3:6:42 | ^http:\\/\\/test.(example-a\|example-b).com | This regular expression has an unescaped '.' before '(example-a\|example-b).com', so it might match more hosts than expected. | tst-IncompleteHostnameRegExp.js:6:2:6:43 | /^http: ... b).com/ | here |
|
||||
| tst-IncompleteHostnameRegExp.js:7:3:7:30 | ^http:\\/\\/(.+).example.com\\/ | This regular expression has an unescaped '.' before 'example.com', so it might match more hosts than expected. | tst-IncompleteHostnameRegExp.js:7:2:7:31 | /^http: ... .com\\// | here |
|
||||
| tst-IncompleteHostnameRegExp.js:7:3:7:30 | ^http:\\/\\/(.+).example.com\\/ | This regular expression has an unrestricted wildcard '.+' which may cause 'example.com' to be matched anywhere in the URL, outside the hostname. | tst-IncompleteHostnameRegExp.js:7:2:7:31 | /^http: ... .com\\// | here |
|
||||
| tst-IncompleteHostnameRegExp.js:10:3:10:36 | ^http:\\/\\/test.example.com\\/(?:.*) | This regular expression has an unescaped '.' before 'example.com', so it might match more hosts than expected. | tst-IncompleteHostnameRegExp.js:10:2:10:37 | /^http: ... (?:.*)/ | here |
|
||||
| tst-IncompleteHostnameRegExp.js:11:14:11:37 | ^http://test.example.com | This regular expression has an unescaped '.' before 'example.com', so it might match more hosts than expected. | tst-IncompleteHostnameRegExp.js:11:13:11:38 | "^http: ... le.com" | here |
|
||||
| tst-IncompleteHostnameRegExp.js:12:15:12:38 | ^http://test.example.com | This regular expression has an unescaped '.' before 'example.com', so it might match more hosts than expected. | tst-IncompleteHostnameRegExp.js:12:14:12:39 | "^http: ... le.com" | here |
|
||||
| tst-IncompleteHostnameRegExp.js:15:23:15:46 | ^http://test.example.com | This string, which is used as a regular expression $@, has an unescaped '.' before 'example.com', so it might match more hosts than expected. | tst-IncompleteHostnameRegExp.js:15:13:15:50 | id(id(i ... com"))) | here |
|
||||
| tst-IncompleteHostnameRegExp.js:19:18:19:34 | ^test.example.com | This string, which is used as a regular expression $@, has an unescaped '.' before 'example.com', so it might match more hosts than expected. | tst-IncompleteHostnameRegExp.js:20:13:20:26 | `${hostname}$` | here |
|
||||
| tst-IncompleteHostnameRegExp.js:22:28:22:44 | test.example.com$ | This string, which is used as a regular expression $@, has an unescaped '.' before 'example.com', so it might match more hosts than expected. | tst-IncompleteHostnameRegExp.js:23:13:23:27 | domain.hostname | here |
|
||||
| tst-IncompleteHostnameRegExp.js:28:24:28:40 | test.example.com$ | This string, which is used as a regular expression $@, has an unescaped '.' before 'example.com', so it might match more hosts than expected. | tst-IncompleteHostnameRegExp.js:26:21:26:35 | domain.hostname | here |
|
||||
| tst-IncompleteHostnameRegExp.js:30:31:30:47 | test.example.com$ | This string, which is used as a regular expression $@, has an unescaped '.' before 'example.com', so it might match more hosts than expected. | tst-IncompleteHostnameRegExp.js:32:21:32:35 | domain.hostname | here |
|
||||
| tst-IncompleteHostnameRegExp.js:37:3:37:53 | ^(https?:)?\\/\\/((service\|www).)?example.com(?=$\|\\/) | This regular expression has an unescaped '.' before 'example.com', so it might match more hosts than expected. | tst-IncompleteHostnameRegExp.js:37:2:37:54 | /^(http ... =$\|\\/)/ | here |
|
||||
| tst-IncompleteHostnameRegExp.js:38:3:38:43 | ^(http\|https):\\/\\/www.example.com\\/p\\/f\\/ | This regular expression has an unescaped '.' before 'example.com', so it might match more hosts than expected. | tst-IncompleteHostnameRegExp.js:38:2:38:44 | /^(http ... p\\/f\\// | here |
|
||||
| tst-IncompleteHostnameRegExp.js:39:5:39:30 | http:\\/\\/sub.example.com\\/ | This regular expression has an unescaped '.' before 'example.com', so it might match more hosts than expected. | tst-IncompleteHostnameRegExp.js:39:2:39:33 | /^(http ... om\\/)/g | here |
|
||||
| tst-IncompleteHostnameRegExp.js:40:3:40:29 | ^https?:\\/\\/api.example.com | This regular expression has an unescaped '.' before 'example.com', so it might match more hosts than expected. | tst-IncompleteHostnameRegExp.js:40:2:40:30 | /^https ... le.com/ | here |
|
||||
| tst-IncompleteHostnameRegExp.js:41:42:41:48 | ^https?://.+\\.example\\.com/ | This regular expression has an unrestricted wildcard '.+' which may cause 'example\\.com/' to be matched anywhere in the URL, outside the hostname. | tst-IncompleteHostnameRegExp.js:41:13:41:71 | '^http: ... \\.com/' | here |
|
||||
| tst-IncompleteHostnameRegExp.js:43:3:43:32 | ^https:\\/\\/[a-z]*.example.com$ | This regular expression has an unescaped '.' before 'example.com', so it might match more hosts than expected. | tst-IncompleteHostnameRegExp.js:43:2:43:33 | /^https ... e.com$/ | here |
|
||||
| tst-IncompleteHostnameRegExp.js:44:32:44:45 | .+.example.net | This regular expression has an unescaped '.' before 'example.net', so it might match more hosts than expected. | tst-IncompleteHostnameRegExp.js:44:9:44:101 | '^proto ... ernal)' | here |
|
||||
| tst-IncompleteHostnameRegExp.js:44:47:44:62 | .+.example-a.com | This regular expression has an unescaped '.' before 'example-a.com', so it might match more hosts than expected. | tst-IncompleteHostnameRegExp.js:44:9:44:101 | '^proto ... ernal)' | here |
|
||||
| tst-IncompleteHostnameRegExp.js:44:64:44:79 | .+.example-b.com | This regular expression has an unescaped '.' before 'example-b.com', so it might match more hosts than expected. | tst-IncompleteHostnameRegExp.js:44:9:44:101 | '^proto ... ernal)' | here |
|
||||
| tst-IncompleteHostnameRegExp.js:48:42:48:47 | ^https?://.+.example\\.com/ | This regular expression has an unescaped '.' before 'example\\.com/', so it might match more hosts than expected. | tst-IncompleteHostnameRegExp.js:48:13:48:69 | '^http: ... \\.com/' | here |
|
||||
| tst-IncompleteHostnameRegExp.js:48:42:48:47 | ^https?://.+.example\\.com/ | This regular expression has an unrestricted wildcard '.+' which may cause 'example\\.com/' to be matched anywhere in the URL, outside the hostname. | tst-IncompleteHostnameRegExp.js:48:13:48:69 | '^http: ... \\.com/' | here |
|
||||
| tst-IncompleteHostnameRegExp.js:53:14:53:35 | test.example.com$ | This regular expression has an unescaped '.' before 'example.com', so it might match more hosts than expected. | tst-IncompleteHostnameRegExp.js:53:13:53:36 | 'test.' ... e.com$' | here |
|
||||
| tst-IncompleteHostnameRegExp.js:55:14:55:38 | ^http://test.example.com | This regular expression has an unescaped '.' before 'example.com', so it might match more hosts than expected. | tst-IncompleteHostnameRegExp.js:55:13:55:39 | '^http: ... le.com' | here |
|
||||
| tst-IncompleteHostnameRegExp.js:59:5:59:20 | foo.example\\.com | This regular expression has an unescaped '.' before 'example\\.com', so it might match more hosts than expected. | tst-IncompleteHostnameRegExp.js:59:2:59:32 | /^(foo. ... ever)$/ | here |
|
||||
| tst-IncompleteHostnameRegExp.js:61:18:61:41 | ^http://test.example.com | This regular expression has an unescaped '.' before 'example.com', so it might match more hosts than expected. | tst-IncompleteHostnameRegExp.js:61:17:61:42 | "^http: ... le.com" | here |
|
||||
| tst-IncompleteHostnameRegExp.js:6:3:6:28 | ^http:\\/\\/test.example.net | This regular expression has an unescaped '.' before 'example.net', so it might match more hosts than expected. | tst-IncompleteHostnameRegExp.js:6:2:6:29 | /^http: ... le.net/ | here |
|
||||
| tst-IncompleteHostnameRegExp.js:7:3:7:42 | ^http:\\/\\/test.(example-a\|example-b).com | This regular expression has an unescaped '.' before '(example-a\|example-b).com', so it might match more hosts than expected. | tst-IncompleteHostnameRegExp.js:7:2:7:43 | /^http: ... b).com/ | here |
|
||||
| tst-IncompleteHostnameRegExp.js:8:3:8:30 | ^http:\\/\\/(.+).example.com\\/ | This regular expression has an unescaped '.' before 'example.com', so it might match more hosts than expected. | tst-IncompleteHostnameRegExp.js:8:2:8:31 | /^http: ... .com\\// | here |
|
||||
| tst-IncompleteHostnameRegExp.js:8:3:8:30 | ^http:\\/\\/(.+).example.com\\/ | This regular expression has an unrestricted wildcard '.+' which may cause 'example.com' to be matched anywhere in the URL, outside the hostname. | tst-IncompleteHostnameRegExp.js:8:2:8:31 | /^http: ... .com\\// | here |
|
||||
| tst-IncompleteHostnameRegExp.js:10:3:10:39 | ^http:\\/\\/(?:.+)\\.test\\.example.com\\/ | This regular expression has an unrestricted wildcard '.+' which may cause 'example.com' to be matched anywhere in the URL, outside the hostname. | tst-IncompleteHostnameRegExp.js:10:2:10:40 | /^http: ... .com\\// | here |
|
||||
| tst-IncompleteHostnameRegExp.js:11:3:11:36 | ^http:\\/\\/test.example.com\\/(?:.*) | This regular expression has an unescaped '.' before 'example.com', so it might match more hosts than expected. | tst-IncompleteHostnameRegExp.js:11:2:11:37 | /^http: ... (?:.*)/ | here |
|
||||
| tst-IncompleteHostnameRegExp.js:12:14:12:37 | ^http://test.example.com | This regular expression has an unescaped '.' before 'example.com', so it might match more hosts than expected. | tst-IncompleteHostnameRegExp.js:12:13:12:38 | "^http: ... le.com" | here |
|
||||
| tst-IncompleteHostnameRegExp.js:13:15:13:38 | ^http://test.example.com | This regular expression has an unescaped '.' before 'example.com', so it might match more hosts than expected. | tst-IncompleteHostnameRegExp.js:13:14:13:39 | "^http: ... le.com" | here |
|
||||
| tst-IncompleteHostnameRegExp.js:16:23:16:46 | ^http://test.example.com | This string, which is used as a regular expression $@, has an unescaped '.' before 'example.com', so it might match more hosts than expected. | tst-IncompleteHostnameRegExp.js:16:13:16:50 | id(id(i ... com"))) | here |
|
||||
| tst-IncompleteHostnameRegExp.js:20:18:20:34 | ^test.example.com | This string, which is used as a regular expression $@, has an unescaped '.' before 'example.com', so it might match more hosts than expected. | tst-IncompleteHostnameRegExp.js:21:13:21:26 | `${hostname}$` | here |
|
||||
| tst-IncompleteHostnameRegExp.js:23:28:23:44 | test.example.com$ | This string, which is used as a regular expression $@, has an unescaped '.' before 'example.com', so it might match more hosts than expected. | tst-IncompleteHostnameRegExp.js:24:13:24:27 | domain.hostname | here |
|
||||
| tst-IncompleteHostnameRegExp.js:29:24:29:40 | test.example.com$ | This string, which is used as a regular expression $@, has an unescaped '.' before 'example.com', so it might match more hosts than expected. | tst-IncompleteHostnameRegExp.js:27:21:27:35 | domain.hostname | here |
|
||||
| tst-IncompleteHostnameRegExp.js:31:31:31:47 | test.example.com$ | This string, which is used as a regular expression $@, has an unescaped '.' before 'example.com', so it might match more hosts than expected. | tst-IncompleteHostnameRegExp.js:33:21:33:35 | domain.hostname | here |
|
||||
| tst-IncompleteHostnameRegExp.js:38:3:38:53 | ^(https?:)?\\/\\/((service\|www).)?example.com(?=$\|\\/) | This regular expression has an unescaped '.' before 'example.com', so it might match more hosts than expected. | tst-IncompleteHostnameRegExp.js:38:2:38:54 | /^(http ... =$\|\\/)/ | here |
|
||||
| tst-IncompleteHostnameRegExp.js:39:3:39:43 | ^(http\|https):\\/\\/www.example.com\\/p\\/f\\/ | This regular expression has an unescaped '.' before 'example.com', so it might match more hosts than expected. | tst-IncompleteHostnameRegExp.js:39:2:39:44 | /^(http ... p\\/f\\// | here |
|
||||
| tst-IncompleteHostnameRegExp.js:40:5:40:30 | http:\\/\\/sub.example.com\\/ | This regular expression has an unescaped '.' before 'example.com', so it might match more hosts than expected. | tst-IncompleteHostnameRegExp.js:40:2:40:33 | /^(http ... om\\/)/g | here |
|
||||
| tst-IncompleteHostnameRegExp.js:41:3:41:29 | ^https?:\\/\\/api.example.com | This regular expression has an unescaped '.' before 'example.com', so it might match more hosts than expected. | tst-IncompleteHostnameRegExp.js:41:2:41:30 | /^https ... le.com/ | here |
|
||||
| tst-IncompleteHostnameRegExp.js:42:42:42:48 | ^https?://.+\\.example\\.com/ | This regular expression has an unrestricted wildcard '.+' which may cause 'example\\.com/' to be matched anywhere in the URL, outside the hostname. | tst-IncompleteHostnameRegExp.js:42:13:42:71 | '^http: ... \\.com/' | here |
|
||||
| tst-IncompleteHostnameRegExp.js:44:3:44:32 | ^https:\\/\\/[a-z]*.example.com$ | This regular expression has an unescaped '.' before 'example.com', so it might match more hosts than expected. | tst-IncompleteHostnameRegExp.js:44:2:44:33 | /^https ... e.com$/ | here |
|
||||
| tst-IncompleteHostnameRegExp.js:45:32:45:45 | .+.example.net | This regular expression has an unescaped '.' before 'example.net', so it might match more hosts than expected. | tst-IncompleteHostnameRegExp.js:45:9:45:101 | '^proto ... ernal)' | here |
|
||||
| tst-IncompleteHostnameRegExp.js:45:47:45:62 | .+.example-a.com | This regular expression has an unescaped '.' before 'example-a.com', so it might match more hosts than expected. | tst-IncompleteHostnameRegExp.js:45:9:45:101 | '^proto ... ernal)' | here |
|
||||
| tst-IncompleteHostnameRegExp.js:45:64:45:79 | .+.example-b.com | This regular expression has an unescaped '.' before 'example-b.com', so it might match more hosts than expected. | tst-IncompleteHostnameRegExp.js:45:9:45:101 | '^proto ... ernal)' | here |
|
||||
| tst-IncompleteHostnameRegExp.js:49:42:49:47 | ^https?://.+.example\\.com/ | This regular expression has an unescaped '.' before 'example\\.com/', so it might match more hosts than expected. | tst-IncompleteHostnameRegExp.js:49:13:49:69 | '^http: ... \\.com/' | here |
|
||||
| tst-IncompleteHostnameRegExp.js:49:42:49:47 | ^https?://.+.example\\.com/ | This regular expression has an unrestricted wildcard '.+' which may cause 'example\\.com/' to be matched anywhere in the URL, outside the hostname. | tst-IncompleteHostnameRegExp.js:49:13:49:69 | '^http: ... \\.com/' | here |
|
||||
| tst-IncompleteHostnameRegExp.js:54:14:54:35 | test.example.com$ | This regular expression has an unescaped '.' before 'example.com', so it might match more hosts than expected. | tst-IncompleteHostnameRegExp.js:54:13:54:36 | 'test.' ... e.com$' | here |
|
||||
| tst-IncompleteHostnameRegExp.js:56:14:56:38 | ^http://test.example.com | This regular expression has an unescaped '.' before 'example.com', so it might match more hosts than expected. | tst-IncompleteHostnameRegExp.js:56:13:56:39 | '^http: ... le.com' | here |
|
||||
| tst-IncompleteHostnameRegExp.js:60:5:60:20 | foo.example\\.com | This regular expression has an unescaped '.' before 'example\\.com', so it might match more hosts than expected. | tst-IncompleteHostnameRegExp.js:60:2:60:32 | /^(foo. ... ever)$/ | here |
|
||||
| tst-IncompleteHostnameRegExp.js:62:18:62:41 | ^http://test.example.com | This regular expression has an unescaped '.' before 'example.com', so it might match more hosts than expected. | tst-IncompleteHostnameRegExp.js:62:17:62:42 | "^http: ... le.com" | here |
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
Security/CWE-020/IncompleteHostnameRegExp.ql
|
||||
query: Security/CWE-020/IncompleteHostnameRegExp.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -1,62 +1,63 @@
|
||||
(function() {
|
||||
/^http:\/\/example.com/; // OK
|
||||
/^http:\/\/test.example.com/; // NOT OK
|
||||
/^http:\/\/test\\.example.com/; // OK
|
||||
/^http:\/\/test.example.net/; // NOT OK
|
||||
/^http:\/\/test.(example-a|example-b).com/; // NOT OK
|
||||
/^http:\/\/(.+).example.com\//; // NOT OK
|
||||
/^http:\/\/(\\.+)\\.example.com/; // OK
|
||||
/^http:\/\/(?:.+)\\.test\\.example.com\//; // NOT OK
|
||||
/^http:\/\/test.example.com\/(?:.*)/; // OK
|
||||
new RegExp("^http://test.example.com"); // NOT OK
|
||||
if (s.match("^http://test.example.com")) {} // NOT OK
|
||||
/^http:\/\/example.com/;
|
||||
/^http:\/\/test.example.com/; // $ Alert
|
||||
/^http:\/\/test\.example.com/; // OK - escaped dot
|
||||
/^http:\/\/test\\.example.com/; // OK - contains actual backslash, so not really a hostname
|
||||
/^http:\/\/test.example.net/; // $ Alert
|
||||
/^http:\/\/test.(example-a|example-b).com/; // $ Alert
|
||||
/^http:\/\/(.+).example.com\//; // $ Alert
|
||||
/^http:\/\/(\.+)\.example.com/;
|
||||
/^http:\/\/(?:.+)\.test\.example.com\//; // $ Alert
|
||||
/^http:\/\/test.example.com\/(?:.*)/; // $ Alert
|
||||
new RegExp("^http://test.example.com"); // $ Alert
|
||||
if (s.match("^http://test.example.com")) {} // $ Alert
|
||||
|
||||
function id(e) { return e; }
|
||||
new RegExp(id(id(id("^http://test.example.com")))); // NOT OK
|
||||
new RegExp(id(id(id("^http://test.example.com")))); // $ Alert
|
||||
|
||||
new RegExp(`test.example.com$`); // NOT OK
|
||||
new RegExp(`test.example.com$`); // $ MISSING: Alert
|
||||
|
||||
let hostname = '^test.example.com'; // NOT OK
|
||||
let hostname = '^test.example.com'; // $ Alert
|
||||
new RegExp(`${hostname}$`);
|
||||
|
||||
let domain = { hostname: 'test.example.com$' }; // NOT OK
|
||||
let domain = { hostname: 'test.example.com$' }; // $ Alert
|
||||
new RegExp(domain.hostname);
|
||||
|
||||
function convert1(domain) {
|
||||
return new RegExp(domain.hostname);
|
||||
}
|
||||
convert1({ hostname: 'test.example.com$' }); // NOT OK
|
||||
convert1({ hostname: 'test.example.com$' }); // $ Alert
|
||||
|
||||
let domains = [ { hostname: 'test.example.com$' } ]; // NOT OK
|
||||
let domains = [ { hostname: 'test.example.com$' } ]; // $ Alert
|
||||
function convert2(domain) {
|
||||
return new RegExp(domain.hostname);
|
||||
}
|
||||
domains.map(d => convert2(d));
|
||||
|
||||
/^(.+\.(?:example-a|example-b)\.com)\//; // NOT OK
|
||||
/^(https?:)?\/\/((service|www).)?example.com(?=$|\/)/; // NOT OK
|
||||
/^(http|https):\/\/www.example.com\/p\/f\//; // NOT OK
|
||||
/^(http:\/\/sub.example.com\/)/g; // NOT OK
|
||||
/^https?:\/\/api.example.com/; // NOT OK
|
||||
new RegExp('^http://localhost:8000|' + '^https?://.+\\.example\\.com/'); // NOT OK
|
||||
new RegExp('^http[s]?:\/\/?sub1\\.sub2\\.example\\.com\/f\/(.+)'); // NOT OK
|
||||
/^https:\/\/[a-z]*.example.com$/; // NOT OK
|
||||
RegExp('^protos?://(localhost|.+.example.net|.+.example-a.com|.+.example-b.com|.+.example.internal)'); // NOT OK
|
||||
/^(.+\.(?:example-a|example-b)\.com)\//; // $ MISSING: Alert
|
||||
/^(https?:)?\/\/((service|www).)?example.com(?=$|\/)/; // $ Alert
|
||||
/^(http|https):\/\/www.example.com\/p\/f\//; // $ Alert
|
||||
/^(http:\/\/sub.example.com\/)/g; // $ Alert
|
||||
/^https?:\/\/api.example.com/; // $ Alert
|
||||
new RegExp('^http://localhost:8000|' + '^https?://.+\\.example\\.com/'); // $ Alert
|
||||
new RegExp('^http[s]?:\/\/?sub1\\.sub2\\.example\\.com\/f\/(.+)');
|
||||
/^https:\/\/[a-z]*.example.com$/; // $ Alert
|
||||
RegExp('^protos?://(localhost|.+.example.net|.+.example-a.com|.+.example-b.com|.+.example.internal)'); // $ Alert
|
||||
|
||||
/^(example.dev|example.com)/; // OK
|
||||
|
||||
new RegExp('^http://localhost:8000|' + '^https?://.+.example\\.com/'); // NOT OK
|
||||
new RegExp('^http://localhost:8000|' + '^https?://.+.example\\.com/'); // $ Alert
|
||||
|
||||
var primary = 'example.com$';
|
||||
new RegExp('test.' + primary); // NOT OK, but not detected
|
||||
new RegExp('test.' + primary); // $ MISSING: Alert
|
||||
|
||||
new RegExp('test.' + 'example.com$'); // NOT OK
|
||||
new RegExp('test.' + 'example.com$'); // $ Alert
|
||||
|
||||
new RegExp('^http://test\.example.com'); // NOT OK
|
||||
new RegExp('^http://test\.example.com'); // $ Alert
|
||||
|
||||
/^http:\/\/(..|...)\.example\.com\/index\.html/; // OK, wildcards are intentional
|
||||
/^http:\/\/.\.example\.com\/index\.html/; // OK, the wildcard is intentional
|
||||
/^(foo.example\.com|whatever)$/; // kinda OK - one disjunction doesn't even look like a hostname
|
||||
/^(foo.example\.com|whatever)$/; // $ Alert (but kinda OK - one disjunction doesn't even look like a hostname)
|
||||
|
||||
if (s.matchAll("^http://test.example.com")) {} // NOT OK
|
||||
if (s.matchAll("^http://test.example.com")) {} // $ Alert
|
||||
});
|
||||
|
||||
@@ -11,5 +11,5 @@
|
||||
| IncompleteUrlSchemeCheck.js:87:7:87:40 | /^(java ... scheme) | This check does not consider vbscript:. |
|
||||
| IncompleteUrlSchemeCheck.js:94:10:94:15 | scheme | This check does not consider vbscript:. |
|
||||
| IncompleteUrlSchemeCheck.js:104:6:104:39 | /^(java ... scheme) | This check does not consider vbscript:. |
|
||||
| IncompleteUrlSchemeCheck.js:110:12:112:29 | url // ... :/, "") | This check does not consider vbscript:. |
|
||||
| IncompleteUrlSchemeCheck.js:110:12:112:29 | url\\n ... :/, "") | This check does not consider vbscript:. |
|
||||
| IncompleteUrlSchemeCheck.js:124:11:124:34 | url.rep ... :/, "") | This check does not consider vbscript:. |
|
||||
|
||||
@@ -2,7 +2,7 @@ import * as dummy from 'dummy';
|
||||
|
||||
function sanitizeUrl(url) {
|
||||
let u = decodeURI(url).trim().toLowerCase();
|
||||
if (u.startsWith("javascript:")) // NOT OK
|
||||
if (u.startsWith("javascript:")) // $ Alert
|
||||
return "about:blank";
|
||||
return url;
|
||||
}
|
||||
@@ -13,28 +13,28 @@ let badProtocolsGood = ['javascript:', 'data:', 'vbscript:'];
|
||||
|
||||
function test2(url) {
|
||||
let protocol = new URL(url).protocol;
|
||||
if (badProtocols.includes(protocol)) // NOT OK
|
||||
if (badProtocols.includes(protocol)) // $ Alert
|
||||
return "about:blank";
|
||||
return url;
|
||||
}
|
||||
|
||||
function test3(url) {
|
||||
let scheme = goog.uri.utils.getScheme(url);
|
||||
if (badProtocolNoColon.includes(scheme)) // NOT OK
|
||||
if (badProtocolNoColon.includes(scheme)) // $ Alert
|
||||
return "about:blank";
|
||||
return url;
|
||||
}
|
||||
|
||||
function test4(url) {
|
||||
let scheme = url.split(':')[0];
|
||||
if (badProtocolNoColon.includes(scheme)) // NOT OK
|
||||
if (badProtocolNoColon.includes(scheme)) // $ Alert
|
||||
return "about:blank";
|
||||
return url;
|
||||
}
|
||||
|
||||
function test5(url) {
|
||||
let scheme = url.split(':')[0];
|
||||
if (scheme === "javascript") // NOT OK
|
||||
if (scheme === "javascript") // $ Alert
|
||||
return "about:blank";
|
||||
return url;
|
||||
}
|
||||
@@ -48,35 +48,35 @@ function test6(url) {
|
||||
|
||||
function test7(url) {
|
||||
let scheme = url.split(/:/)[0];
|
||||
if (scheme === "javascript") // NOT OK
|
||||
if (scheme === "javascript") // $ Alert
|
||||
return "about:blank";
|
||||
return url;
|
||||
}
|
||||
|
||||
function test8(url) {
|
||||
let scheme = goog.uri.utils.getScheme(url);
|
||||
if ("javascript|data".split("|").indexOf(scheme) !== -1) // NOT OK
|
||||
if ("javascript|data".split("|").indexOf(scheme) !== -1) // $ Alert
|
||||
return "about:blank";
|
||||
return url;
|
||||
}
|
||||
|
||||
function test9(url) {
|
||||
let scheme = goog.uri.utils.getScheme(url);
|
||||
if ("javascript" === scheme || "data" === scheme) // NOT OK
|
||||
if ("javascript" === scheme || "data" === scheme) // $ Alert
|
||||
return "about:blank";
|
||||
return url;
|
||||
}
|
||||
|
||||
function test10(url) {
|
||||
let scheme = goog.uri.utils.getScheme(url);
|
||||
if (/^(javascript|data)$/.exec(scheme) !== null) // NOT OK
|
||||
if (/^(javascript|data)$/.exec(scheme) !== null) // $ Alert
|
||||
return "about:blank";
|
||||
return url;
|
||||
}
|
||||
|
||||
function test11(url) {
|
||||
let scheme = goog.uri.utils.getScheme(url);
|
||||
if (/^(javascript|data)$/.exec(scheme) === null) // NOT OK
|
||||
if (/^(javascript|data)$/.exec(scheme) === null) // $ Alert
|
||||
return url;
|
||||
return "about:blank";
|
||||
}
|
||||
@@ -84,15 +84,15 @@ function test11(url) {
|
||||
|
||||
function test12(url) {
|
||||
let scheme = goog.uri.utils.getScheme(url);
|
||||
if (!/^(javascript|data)$/.exec(scheme)) // NOT OK
|
||||
if (!/^(javascript|data)$/.exec(scheme)) // $ Alert
|
||||
return url;
|
||||
return "about:blank";
|
||||
}
|
||||
|
||||
function test13(url) {
|
||||
let scheme = goog.uri.utils.getScheme(url);
|
||||
switch (scheme) {
|
||||
case "javascript": // NOT OK
|
||||
switch (scheme) { // $ Alert
|
||||
case "javascript":
|
||||
case "data":
|
||||
return "about:blank";
|
||||
default:
|
||||
@@ -101,15 +101,15 @@ function test13(url) {
|
||||
}
|
||||
function test14(url) {
|
||||
let scheme = goog.uri.utils.getScheme(url);
|
||||
if (/^(javascript|data)$/.exec(scheme)) // NOT OK
|
||||
if (/^(javascript|data)$/.exec(scheme)) // $ Alert
|
||||
return "about:blank";
|
||||
return url;
|
||||
}
|
||||
|
||||
function chain1(url) {
|
||||
return url // NOT OK
|
||||
return url
|
||||
.replace(/javascript:/, "")
|
||||
.replace(/data:/, "");
|
||||
.replace(/data:/, ""); // $ Alert
|
||||
}
|
||||
|
||||
function chain2(url) {
|
||||
@@ -121,10 +121,10 @@ function chain2(url) {
|
||||
|
||||
function chain3(url) {
|
||||
url = url.replace(/javascript:/, "")
|
||||
url = url.replace(/data:/, ""); // NOT OK
|
||||
url = url.replace(/data:/, ""); // $ Alert
|
||||
return url;
|
||||
}
|
||||
|
||||
function chain4(url) {
|
||||
return url.replace(/(javascript|data):/, ""); // NOT OK - but not flagged [INCONSISTENCY]
|
||||
}
|
||||
return url.replace(/(javascript|data):/, ""); // $ MISSING: Alert
|
||||
}
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
Security/CWE-020/IncompleteUrlSchemeCheck.ql
|
||||
query: Security/CWE-020/IncompleteUrlSchemeCheck.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
Security/CWE-020/IncompleteUrlSubstringSanitization.ql
|
||||
query: Security/CWE-020/IncompleteUrlSubstringSanitization.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -1,76 +1,76 @@
|
||||
(function(x){
|
||||
x.indexOf("internal") !== -1; // NOT OK, but not flagged
|
||||
x.indexOf("localhost") !== -1; // NOT OK, but not flagged
|
||||
x.indexOf("secure.com") !== -1; // NOT OK
|
||||
x.indexOf("secure.net") !== -1; // NOT OK
|
||||
x.indexOf(".secure.com") !== -1; // NOT OK
|
||||
x.indexOf("sub.secure.") !== -1; // NOT OK, but not flagged
|
||||
x.indexOf(".sub.secure.") !== -1; // NOT OK, but not flagged
|
||||
x.indexOf("internal") !== -1; // $ MISSING: Alert
|
||||
x.indexOf("localhost") !== -1; // $ MISSING: Alert
|
||||
x.indexOf("secure.com") !== -1; // $ Alert
|
||||
x.indexOf("secure.net") !== -1; // $ Alert
|
||||
x.indexOf(".secure.com") !== -1; // $ Alert
|
||||
x.indexOf("sub.secure.") !== -1; // $ MISSING: Alert
|
||||
x.indexOf(".sub.secure.") !== -1; // $ MISSING: Alert
|
||||
|
||||
x.indexOf("secure.com") === -1; // NOT OK
|
||||
x.indexOf("secure.com") === 0; // NOT OK
|
||||
x.indexOf("secure.com") >= 0; // NOT OK
|
||||
x.indexOf("secure.com") === -1; // $ Alert
|
||||
x.indexOf("secure.com") === 0; // $ Alert
|
||||
x.indexOf("secure.com") >= 0; // $ Alert
|
||||
|
||||
x.startsWith("https://secure.com"); // NOT OK
|
||||
x.endsWith("secure.com"); // NOT OK
|
||||
x.endsWith(".secure.com"); // OK
|
||||
x.startsWith("secure.com/"); // OK
|
||||
x.indexOf("secure.com/") === 0; // OK
|
||||
x.startsWith("https://secure.com"); // $ Alert
|
||||
x.endsWith("secure.com"); // $ Alert
|
||||
x.endsWith(".secure.com");
|
||||
x.startsWith("secure.com/");
|
||||
x.indexOf("secure.com/") === 0;
|
||||
|
||||
x.includes("secure.com"); // NOT OK
|
||||
x.includes("secure.com"); // $ Alert
|
||||
|
||||
x.indexOf("#") !== -1; // OK
|
||||
x.indexOf(":") !== -1; // OK
|
||||
x.indexOf(":/") !== -1; // OK
|
||||
x.indexOf("://") !== -1; // OK
|
||||
x.indexOf("//") !== -1; // OK
|
||||
x.indexOf(":443") !== -1; // OK
|
||||
x.indexOf("/some/path/") !== -1; // OK
|
||||
x.indexOf("some/path") !== -1; // OK
|
||||
x.indexOf("/index.html") !== -1; // OK
|
||||
x.indexOf(":template:") !== -1; // OK
|
||||
x.indexOf("https://secure.com") !== -1; // NOT OK
|
||||
x.indexOf("https://secure.com:443") !== -1; // NOT OK
|
||||
x.indexOf("https://secure.com/") !== -1; // NOT OK
|
||||
x.indexOf("#") !== -1;
|
||||
x.indexOf(":") !== -1;
|
||||
x.indexOf(":/") !== -1;
|
||||
x.indexOf("://") !== -1;
|
||||
x.indexOf("//") !== -1;
|
||||
x.indexOf(":443") !== -1;
|
||||
x.indexOf("/some/path/") !== -1;
|
||||
x.indexOf("some/path") !== -1;
|
||||
x.indexOf("/index.html") !== -1;
|
||||
x.indexOf(":template:") !== -1;
|
||||
x.indexOf("https://secure.com") !== -1; // $ Alert
|
||||
x.indexOf("https://secure.com:443") !== -1; // $ Alert
|
||||
x.indexOf("https://secure.com/") !== -1; // $ Alert
|
||||
|
||||
x.indexOf(".cn") !== -1; // NOT OK, but not flagged
|
||||
x.indexOf(".jpg") !== -1; // OK
|
||||
x.indexOf("index.html") !== -1; // OK
|
||||
x.indexOf("index.js") !== -1; // OK
|
||||
x.indexOf("index.php") !== -1; // OK
|
||||
x.indexOf("index.css") !== -1; // OK
|
||||
x.indexOf(".cn") !== -1; // $ MISSING: Alert
|
||||
x.indexOf(".jpg") !== -1;
|
||||
x.indexOf("index.html") !== -1;
|
||||
x.indexOf("index.js") !== -1;
|
||||
x.indexOf("index.php") !== -1;
|
||||
x.indexOf("index.css") !== -1;
|
||||
|
||||
x.indexOf("secure=true") !== -1; // OK (query param)
|
||||
x.indexOf("&auth=") !== -1; // OK (query param)
|
||||
|
||||
x.indexOf(getCurrentDomain()) !== -1; // NOT OK, but not flagged
|
||||
x.indexOf(location.origin) !== -1; // NOT OK, but not flagged
|
||||
x.indexOf(getCurrentDomain()) !== -1; // $ MISSING: Alert
|
||||
x.indexOf(location.origin) !== -1; // $ MISSING: Alert
|
||||
|
||||
x.indexOf("tar.gz") + offset; // OK
|
||||
x.indexOf("tar.gz") - offset; // OK
|
||||
x.indexOf("tar.gz") + offset;
|
||||
x.indexOf("tar.gz") - offset;
|
||||
|
||||
x.indexOf("https://example.internal") !== -1; // NOT OK
|
||||
x.indexOf("https://") !== -1; // OK
|
||||
x.indexOf("https://example.internal") !== -1; // $ Alert
|
||||
x.indexOf("https://") !== -1;
|
||||
|
||||
x.startsWith("https://example.internal"); // NOT OK
|
||||
x.indexOf('https://example.internal.org') !== 0; // NOT OK
|
||||
x.indexOf('https://example.internal.org') === 0; // NOT OK
|
||||
x.endsWith("internal.com"); // NOT OK
|
||||
x.startsWith("https://example.internal:80"); // OK
|
||||
x.startsWith("https://example.internal"); // $ Alert
|
||||
x.indexOf('https://example.internal.org') !== 0; // $ Alert
|
||||
x.indexOf('https://example.internal.org') === 0; // $ Alert
|
||||
x.endsWith("internal.com"); // $ Alert
|
||||
x.startsWith("https://example.internal:80");
|
||||
|
||||
x.indexOf("secure.com") !== -1; // NOT OK
|
||||
x.indexOf("secure.com") === -1; // OK
|
||||
!(x.indexOf("secure.com") !== -1); // OK
|
||||
!x.includes("secure.com"); // OK
|
||||
x.indexOf("secure.com") !== -1; // $ Alert
|
||||
x.indexOf("secure.com") === -1; // $ Alert
|
||||
!(x.indexOf("secure.com") !== -1); // $ Alert
|
||||
!x.includes("secure.com"); // $ Alert
|
||||
|
||||
if(!x.includes("secure.com")) { // NOT OK
|
||||
if(!x.includes("secure.com")) { // $ Alert
|
||||
|
||||
} else {
|
||||
doSomeThingWithTrustedURL(x);
|
||||
}
|
||||
|
||||
|
||||
x.startsWith("https://secure.com/foo/bar"); // OK - a forward slash after the domain makes prefix checks safe.
|
||||
x.indexOf("https://secure.com/foo/bar") >= 0 // NOT OK - the url can be anywhere in the string.
|
||||
x.indexOf("https://secure.com") >= 0 // NOT OK
|
||||
x.indexOf("https://secure.com/foo/bar-baz") >= 0 // NOT OK - the url can be anywhere in the string.
|
||||
x.indexOf("https://secure.com/foo/bar") >= 0 // $ Alert - the url can be anywhere in the string.
|
||||
x.indexOf("https://secure.com") >= 0 // $ Alert
|
||||
x.indexOf("https://secure.com/foo/bar-baz") >= 0 // $ Alert - the url can be anywhere in the string.
|
||||
});
|
||||
|
||||
@@ -583,6 +583,9 @@ private string expectationPattern() {
|
||||
)
|
||||
}
|
||||
|
||||
/** Gets the string `#select` or `problems`, which are equivalent result sets for a `problem` or `path-problem` query. */
|
||||
private string mainResultSet() { result = ["#select", "problems"] }
|
||||
|
||||
/**
|
||||
* Provides logic for creating a `@kind test-postprocess` query that checks
|
||||
* inline test expectations using `$ Alert` markers.
|
||||
@@ -650,8 +653,8 @@ module TestPostProcessing {
|
||||
*/
|
||||
private string getSourceTag(int row) {
|
||||
getQueryKind() = "path-problem" and
|
||||
exists(string loc | queryResults("#select", row, 2, loc) |
|
||||
if queryResults("#select", row, 0, loc) then result = "Alert" else result = "Source"
|
||||
exists(string loc | queryResults(mainResultSet(), row, 2, loc) |
|
||||
if queryResults(mainResultSet(), row, 0, loc) then result = "Alert" else result = "Source"
|
||||
)
|
||||
}
|
||||
|
||||
@@ -663,8 +666,8 @@ module TestPostProcessing {
|
||||
*/
|
||||
private string getSinkTag(int row) {
|
||||
getQueryKind() = "path-problem" and
|
||||
exists(string loc | queryResults("#select", row, 4, loc) |
|
||||
if queryResults("#select", row, 0, loc) then result = "Alert" else result = "Sink"
|
||||
exists(string loc | queryResults(mainResultSet(), row, 4, loc) |
|
||||
if queryResults(mainResultSet(), row, 0, loc) then result = "Alert" else result = "Sink"
|
||||
)
|
||||
}
|
||||
|
||||
@@ -717,8 +720,8 @@ module TestPostProcessing {
|
||||
) {
|
||||
getQueryKind() = "path-problem" and
|
||||
exists(string loc |
|
||||
queryResults("#select", row, 2, loc) and
|
||||
queryResults("#select", row, 3, element) and
|
||||
queryResults(mainResultSet(), row, 2, loc) and
|
||||
queryResults(mainResultSet(), row, 3, element) and
|
||||
tag = getSourceTag(row) and
|
||||
value = "" and
|
||||
Input2::getRelativeUrl(location) = loc
|
||||
@@ -757,8 +760,8 @@ module TestPostProcessing {
|
||||
) {
|
||||
getQueryKind() = "path-problem" and
|
||||
exists(string loc |
|
||||
queryResults("#select", row, 4, loc) and
|
||||
queryResults("#select", row, 5, element) and
|
||||
queryResults(mainResultSet(), row, 4, loc) and
|
||||
queryResults(mainResultSet(), row, 5, element) and
|
||||
tag = getSinkTag(row) and
|
||||
Input2::getRelativeUrl(location) = loc
|
||||
)
|
||||
@@ -767,8 +770,8 @@ module TestPostProcessing {
|
||||
private predicate hasAlert(int row, Input::Location location, string element, string tag) {
|
||||
getQueryKind() = ["problem", "path-problem"] and
|
||||
exists(string loc |
|
||||
queryResults("#select", row, 0, loc) and
|
||||
queryResults("#select", row, 2, element) and
|
||||
queryResults(mainResultSet(), row, 0, loc) and
|
||||
queryResults(mainResultSet(), row, 2, element) and
|
||||
tag = "Alert" and
|
||||
Input2::getRelativeUrl(location) = loc and
|
||||
not hasPathProblemSource(row, location, _, _, _) and
|
||||
|
||||
Reference in New Issue
Block a user