hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-05-01 19:55:15 +02:00
Code Issues Packages Projects Releases Wiki Activity

modified query and added tests

Browse Source
This commit is contained in:
Naman Jain
2022-02-02 19:39:08 +05:30
parent 7bb11b837c
commit aea7054938
6 changed files with 70 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
javascript/ql/lib/semmle/javascript/security/dataflow/UnvalidatedDynamicMethodCallQuery.qll
View File

@@ -58,5 +58,12 @@ class Configuration extends TaintTracking::Configuration {
// avoid overlapping results with unsafe dynamic method access query
not PropertyInjection::hasUnsafeMethods(read.getBase().getALocalSource())
)
or
exists(DataFlow::SourceNode base, DataFlow::CallNode get | get = base.getAMethodCall("get") |
src = get.getArgument(0) and
dst = get
) and
srclabel.isTaint() and
dstlabel instanceof MaybeNonFunction
}
}

4
javascript/ql/src/Security/CWE-754/examples/UnvalidatedDynamicMethodCallGood.js
View File

@@ -11,7 +11,9 @@ actions.put("pause", function pause(data) {
app.get('/perform/:action/:payload', function(req, res) {
if (actions.has(req.params.action)) {
let action = actions.get(req.params.action);
if (typeof actions.get(req.params.action) === 'function'){
let action = actions.get(req.params.action);
}
// GOOD: `action` is either the `play` or the `pause` function from above
res.end(action(req.params.payload));
} else {

15
javascript/ql/test/query-tests/Security/CWE-754/UnvalidatedDynamicMethodCall2.js Normal file
View File

@@ -0,0 +1,15 @@
var express = require('express');
var app = express();
var actions = new Map();
actions.put("play", function play(data) {
// ...
});
actions.put("pause", function pause(data) {
// ...
});
app.get('/perform/:action/:payload', function(req, res) {
let action = actions.get(req.params.action);
res.end(action.get(req.params.payload)); // NOT OK
});

17
javascript/ql/test/query-tests/Security/CWE-754/UnvalidatedDynamicMethodCall3.js Normal file
View File

@@ -0,0 +1,17 @@
var express = require('express');
var app = express();
var actions = new Map();
actions.put("play", function play(data) {
// ...
});
actions.put("pause", function pause(data) {
// ...
});
app.get('/perform/:action/:payload', function(req, res) {
if (actions.has(req.params.action)){
let action = actions.get(req.params.action);
res.end(action.get(req.params.payload)); // NOT OK, but not flagged [INCONSISTENCY]
}
});

13
javascript/ql/test/query-tests/Security/CWE-754/UnvalidatedDynamicMethodCallGood.js
View File

@@ -2,17 +2,20 @@ var express = require('express');
var app = express();
var actions = new Map();
actions.put("play", function (data) {
actions.put("play", function play(data) {
// ...
});
actions.put("pause", function(data) {
actions.put("pause", function pause(data) {
// ...
});
app.get('/perform/:action/:payload', function(req, res) {
app.get('/perform/:action/:payload', function (req, res) {
if (actions.has(req.params.action)) {
let action = actions.get(req.params.action);
res.end(action(req.params.payload));
if (typeof actions.get(req.params.action) === 'function') {
let action = actions.get(req.params.action);
// GOOD: `action` is either the `play` or the `pause` function from above
res.end(action(req.params.payload));
}
} else {
res.end("Unsupported action.");
}

20
javascript/ql/test/query-tests/Security/CWE-754/UnvalidatedDynamicMethodCallGood3.js Normal file
View File

@@ -0,0 +1,20 @@
var express = require('express');
var app = express();
var actions = new Map();
actions.put("play", function play(data) {
// ...
});
actions.put("pause", function pause(data) {
// ...
});
app.get('/perform/:action/:payload', function (req, res) {
if (typeof actions.get(req.params.action) === 'function') {
let action = actions.get(req.params.action);
// GOOD: `action` is either the `play` or the `pause` function from above
res.end(action(req.params.payload));
} else {
res.end("Unsupported action.");
}
});