hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-05-03 12:45:27 +02:00
Code Issues Packages Projects Releases Wiki Activity

Make NodeJSLib use moduleMember for ES6-compatibility

Browse Source
This commit is contained in:
Asger F
2018-08-06 10:47:49 +01:00
parent e32dc08cd0
commit b00938e9b3
4 changed files with 48 additions and 34 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
javascript/ql/test/query-tests/Security/CWE-022/TaintedPath-es6.js Normal file
View File

@@ -0,0 +1,11 @@
import { readFileSync } from 'fs';
import { createServer } from 'http';
import { parse } from 'url';
import { join } from 'path';
var server = createServer(function(req, res) {
let path = parse(req.url, true).query.path;
// BAD: This could read any file on the file system
res.write(readFileSync(join("public", path)));
});

1
javascript/ql/test/query-tests/Security/CWE-022/TaintedPath.expected
View File

@@ -1,3 +1,4 @@
| TaintedPath-es6.js:10:26:10:45 | join("public", path) | This path depends on $@. | TaintedPath-es6.js:7:20:7:26 | req.url | a user-provided value |
| TaintedPath.js:12:29:12:32 | path | This path depends on $@. | TaintedPath.js:9:24:9:30 | req.url | a user-provided value |
| TaintedPath.js:15:29:15:48 | "/home/user/" + path | This path depends on $@. | TaintedPath.js:9:24:9:30 | req.url | a user-provided value |
| TaintedPath.js:19:33:19:36 | path | This path depends on $@. | TaintedPath.js:9:24:9:30 | req.url | a user-provided value |