JS: Port RequestForgery

This commit is contained in:
Asger F
2023-10-04 21:33:25 +02:00
parent d7b4e0c206
commit b2216627be
3 changed files with 108 additions and 173 deletions


@@ -12,23 +12,48 @@ import UrlConcatenation
import RequestForgeryCustomizations::RequestForgery
/**
* A taint tracking configuration for request forgery.
* A taint tracking configuration for server-side request forgery.
*/
class Configuration extends TaintTracking::Configuration {
Configuration() { this = "RequestForgery" }
module RequestForgeryConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) { source.(Source).isServerSide() }
override predicate isSource(DataFlow::Node source) { source.(Source).isServerSide() }
predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
override predicate isSanitizer(DataFlow::Node node) {
super.isSanitizer(node) or
node instanceof Sanitizer
}
predicate isBarrierOut(DataFlow::Node node) { sanitizingPrefixEdge(node, _) }
override predicate isSanitizerOut(DataFlow::Node node) { sanitizingPrefixEdge(node, _) }
override predicate isAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
predicate isAdditionalFlowStep(DataFlow::Node pred, DataFlow::Node succ) {
isAdditionalRequestForgeryStep(pred, succ)
}
}
/**
* Taint tracking for server-side request forgery.
*/
module RequestForgeryFlow = TaintTracking::Global<RequestForgeryConfig>;
/**
* DEPRECATED. Use the `RequestForgeryFlow` module instead.
*/
deprecated class Configuration extends TaintTracking::Configuration {
Configuration() { this = "RequestForgery" }
override predicate isSource(DataFlow::Node source) { RequestForgeryConfig::isSource(source) }
override predicate isSink(DataFlow::Node sink) { RequestForgeryConfig::isSink(sink) }
override predicate isSanitizer(DataFlow::Node node) {
super.isSanitizer(node)
or
node instanceof Sanitizer
}
override predicate isSanitizerOut(DataFlow::Node node) {
RequestForgeryConfig::isBarrierOut(node)
}
override predicate isAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
RequestForgeryConfig::isAdditionalFlowStep(pred, succ)
}
}
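Review bot: The deprecated `Configuration` at the end of the hunk re-states `node instanceof Sanitizer` inside `isSanitizer` instead of delegating to the new module, unlike its `isSource`, `isSink`, `isSanitizerOut` and `isAdditionalTaintStep` overrides, so a barrier later added to `RequestForgeryConfig::isBarrier` would silently not apply to the legacy class. Writing it as `override predicate isSanitizer(DataFlow::Node node) { super.isSanitizer(node) or RequestForgeryConfig::isBarrier(node) }` keeps the two definitions in step. The `super.isSanitizer(node)` disjunct is also what pulled the legacy library's default sanitizers into the old configuration, and `RequestForgeryConfig::isBarrier` has no equivalent; presumably `TaintTracking::Global` supplies those itself, but that cannot be confirmed from this hunk and is worth checking against the expected-output changes in the third file so that no previously suppressed false positive reappears.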


@@ -12,11 +12,11 @@
import javascript
import semmle.javascript.security.dataflow.RequestForgeryQuery
import DataFlow::PathGraph
import RequestForgeryFlow::PathGraph
from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink, DataFlow::Node request
from RequestForgeryFlow::PathNode source, RequestForgeryFlow::PathNode sink, DataFlow::Node request
where
cfg.hasFlowPath(source, sink) and
RequestForgeryFlow::flowPath(source, sink) and
request = sink.getNode().(Sink).getARequest()
select request, source, sink, "The $@ of this request depends on a $@.", sink.getNode(),
sink.getNode().(Sink).getKind(), source, "user-provided value"


@@ -1,202 +1,112 @@
nodes
| serverSide.js:14:9:14:52 | tainted |
| serverSide.js:14:19:14:42 | url.par ... , true) |
| serverSide.js:14:19:14:48 | url.par ... ).query |
| serverSide.js:14:19:14:52 | url.par ... ery.url |
| serverSide.js:14:29:14:35 | req.url |
| serverSide.js:14:29:14:35 | req.url |
| serverSide.js:18:13:18:19 | tainted |
| serverSide.js:18:13:18:19 | tainted |
| serverSide.js:20:17:20:23 | tainted |
| serverSide.js:20:17:20:23 | tainted |
| serverSide.js:23:19:23:25 | tainted |
| serverSide.js:23:19:23:25 | tainted |
| serverSide.js:26:13:26:31 | "http://" + tainted |
| serverSide.js:26:13:26:31 | "http://" + tainted |
| serverSide.js:26:25:26:31 | tainted |
| serverSide.js:28:13:28:42 | "http:/ ... tainted |
| serverSide.js:28:13:28:42 | "http:/ ... tainted |
| serverSide.js:28:36:28:42 | tainted |
| serverSide.js:30:13:30:43 | "http:/ ... tainted |
| serverSide.js:30:13:30:43 | "http:/ ... tainted |
| serverSide.js:30:37:30:43 | tainted |
| serverSide.js:34:34:34:40 | tainted |
| serverSide.js:34:34:34:40 | tainted |
| serverSide.js:36:16:36:31 | new Uri(tainted) |
| serverSide.js:36:16:36:31 | new Uri(tainted) |
| serverSide.js:36:24:36:30 | tainted |
| serverSide.js:37:22:37:37 | new Uri(tainted) |
| serverSide.js:37:22:37:37 | new Uri(tainted) |
| serverSide.js:37:30:37:36 | tainted |
| serverSide.js:41:13:41:51 | `http:/ ... inted}` |
| serverSide.js:41:13:41:51 | `http:/ ... inted}` |
| serverSide.js:41:43:41:49 | tainted |
| serverSide.js:43:13:43:54 | `http:/ ... inted}` |
| serverSide.js:43:13:43:54 | `http:/ ... inted}` |
| serverSide.js:43:46:43:52 | tainted |
| serverSide.js:45:13:45:56 | 'http:/ ... tainted |
| serverSide.js:45:13:45:56 | 'http:/ ... tainted |
| serverSide.js:45:50:45:56 | tainted |
| serverSide.js:58:9:58:52 | tainted |
| serverSide.js:58:19:58:42 | url.par ... , true) |
| serverSide.js:58:19:58:48 | url.par ... ).query |
| serverSide.js:58:19:58:52 | url.par ... ery.url |
| serverSide.js:58:29:58:35 | req.url |
| serverSide.js:58:29:58:35 | req.url |
| serverSide.js:61:29:61:35 | tainted |
| serverSide.js:61:29:61:35 | tainted |
| serverSide.js:64:30:64:36 | tainted |
| serverSide.js:64:30:64:36 | tainted |
| serverSide.js:68:30:68:36 | tainted |
| serverSide.js:68:30:68:36 | tainted |
| serverSide.js:74:9:74:52 | tainted |
| serverSide.js:74:19:74:42 | url.par ... , true) |
| serverSide.js:74:19:74:48 | url.par ... ).query |
| serverSide.js:74:19:74:52 | url.par ... ery.url |
| serverSide.js:74:29:74:35 | req.url |
| serverSide.js:74:29:74:35 | req.url |
| serverSide.js:76:19:76:25 | tainted |
| serverSide.js:76:19:76:25 | tainted |
| serverSide.js:83:38:83:43 | param1 |
| serverSide.js:83:38:83:43 | param1 |
| serverSide.js:84:19:84:24 | param1 |
| serverSide.js:84:19:84:24 | param1 |
| serverSide.js:90:19:90:28 | ctx.params |
| serverSide.js:90:19:90:28 | ctx.params |
| serverSide.js:90:19:90:32 | ctx.params.foo |
| serverSide.js:90:19:90:32 | ctx.params.foo |
| serverSide.js:92:19:92:28 | ctx.params |
| serverSide.js:92:19:92:28 | ctx.params |
| serverSide.js:92:19:92:32 | ctx.params.foo |
| serverSide.js:92:19:92:32 | ctx.params.foo |
| serverSide.js:98:9:98:52 | tainted |
| serverSide.js:98:19:98:42 | url.par ... , true) |
| serverSide.js:98:19:98:48 | url.par ... ).query |
| serverSide.js:98:19:98:52 | url.par ... ery.url |
| serverSide.js:98:29:98:35 | req.url |
| serverSide.js:98:29:98:35 | req.url |
| serverSide.js:100:19:100:25 | tainted |
| serverSide.js:100:19:100:25 | tainted |
| serverSide.js:108:11:108:27 | url |
| serverSide.js:108:17:108:27 | request.url |
| serverSide.js:108:17:108:27 | request.url |
| serverSide.js:109:27:109:29 | url |
| serverSide.js:109:27:109:29 | url |
| serverSide.js:115:11:115:42 | url |
| serverSide.js:115:17:115:42 | new URL ... , base) |
| serverSide.js:115:25:115:35 | request.url |
| serverSide.js:115:25:115:35 | request.url |
| serverSide.js:117:27:117:29 | url |
| serverSide.js:117:27:117:29 | url |
| serverSide.js:123:9:123:52 | tainted |
| serverSide.js:123:19:123:42 | url.par ... , true) |
| serverSide.js:123:19:123:48 | url.par ... ).query |
| serverSide.js:123:19:123:52 | url.par ... ery.url |
| serverSide.js:123:29:123:35 | req.url |
| serverSide.js:123:29:123:35 | req.url |
| serverSide.js:127:14:127:20 | tainted |
| serverSide.js:127:14:127:20 | tainted |
| serverSide.js:130:9:130:45 | myUrl |
| serverSide.js:130:17:130:45 | `${some ... inted}` |
| serverSide.js:130:37:130:43 | tainted |
| serverSide.js:131:15:131:19 | myUrl |
| serverSide.js:131:15:131:19 | myUrl |
edges
| serverSide.js:14:9:14:52 | tainted | serverSide.js:18:13:18:19 | tainted |
| serverSide.js:14:9:14:52 | tainted | serverSide.js:18:13:18:19 | tainted |
| serverSide.js:14:9:14:52 | tainted | serverSide.js:20:17:20:23 | tainted |
| serverSide.js:14:9:14:52 | tainted | serverSide.js:20:17:20:23 | tainted |
| serverSide.js:14:9:14:52 | tainted | serverSide.js:23:19:23:25 | tainted |
| serverSide.js:14:9:14:52 | tainted | serverSide.js:23:19:23:25 | tainted |
| serverSide.js:14:9:14:52 | tainted | serverSide.js:26:25:26:31 | tainted |
| serverSide.js:14:9:14:52 | tainted | serverSide.js:28:36:28:42 | tainted |
| serverSide.js:14:9:14:52 | tainted | serverSide.js:30:37:30:43 | tainted |
| serverSide.js:14:9:14:52 | tainted | serverSide.js:34:34:34:40 | tainted |
| serverSide.js:14:9:14:52 | tainted | serverSide.js:34:34:34:40 | tainted |
| serverSide.js:14:9:14:52 | tainted | serverSide.js:36:24:36:30 | tainted |
| serverSide.js:14:9:14:52 | tainted | serverSide.js:37:30:37:36 | tainted |
| serverSide.js:14:9:14:52 | tainted | serverSide.js:41:43:41:49 | tainted |
| serverSide.js:14:9:14:52 | tainted | serverSide.js:43:46:43:52 | tainted |
| serverSide.js:14:9:14:52 | tainted | serverSide.js:45:50:45:56 | tainted |
| serverSide.js:14:19:14:42 | url.par ... , true) | serverSide.js:14:19:14:48 | url.par ... ).query |
| serverSide.js:14:19:14:48 | url.par ... ).query | serverSide.js:14:19:14:52 | url.par ... ery.url |
| serverSide.js:14:19:14:52 | url.par ... ery.url | serverSide.js:14:9:14:52 | tainted |
| serverSide.js:14:29:14:35 | req.url | serverSide.js:14:19:14:42 | url.par ... , true) |
| serverSide.js:14:19:14:42 | url.par ... , true) | serverSide.js:14:9:14:52 | tainted |
| serverSide.js:14:29:14:35 | req.url | serverSide.js:14:19:14:42 | url.par ... , true) |
| serverSide.js:26:25:26:31 | tainted | serverSide.js:26:13:26:31 | "http://" + tainted |
| serverSide.js:26:25:26:31 | tainted | serverSide.js:26:13:26:31 | "http://" + tainted |
| serverSide.js:28:36:28:42 | tainted | serverSide.js:28:13:28:42 | "http:/ ... tainted |
| serverSide.js:28:36:28:42 | tainted | serverSide.js:28:13:28:42 | "http:/ ... tainted |
| serverSide.js:30:37:30:43 | tainted | serverSide.js:30:13:30:43 | "http:/ ... tainted |
| serverSide.js:30:37:30:43 | tainted | serverSide.js:30:13:30:43 | "http:/ ... tainted |
| serverSide.js:36:24:36:30 | tainted | serverSide.js:36:16:36:31 | new Uri(tainted) |
| serverSide.js:36:24:36:30 | tainted | serverSide.js:36:16:36:31 | new Uri(tainted) |
| serverSide.js:37:30:37:36 | tainted | serverSide.js:37:22:37:37 | new Uri(tainted) |
| serverSide.js:37:30:37:36 | tainted | serverSide.js:37:22:37:37 | new Uri(tainted) |
| serverSide.js:41:43:41:49 | tainted | serverSide.js:41:13:41:51 | `http:/ ... inted}` |
| serverSide.js:41:43:41:49 | tainted | serverSide.js:41:13:41:51 | `http:/ ... inted}` |
| serverSide.js:43:46:43:52 | tainted | serverSide.js:43:13:43:54 | `http:/ ... inted}` |
| serverSide.js:43:46:43:52 | tainted | serverSide.js:43:13:43:54 | `http:/ ... inted}` |
| serverSide.js:45:50:45:56 | tainted | serverSide.js:45:13:45:56 | 'http:/ ... tainted |
| serverSide.js:45:50:45:56 | tainted | serverSide.js:45:13:45:56 | 'http:/ ... tainted |
| serverSide.js:58:9:58:52 | tainted | serverSide.js:61:29:61:35 | tainted |
| serverSide.js:58:9:58:52 | tainted | serverSide.js:61:29:61:35 | tainted |
| serverSide.js:58:9:58:52 | tainted | serverSide.js:64:30:64:36 | tainted |
| serverSide.js:58:9:58:52 | tainted | serverSide.js:64:30:64:36 | tainted |
| serverSide.js:58:9:58:52 | tainted | serverSide.js:68:30:68:36 | tainted |
| serverSide.js:58:9:58:52 | tainted | serverSide.js:68:30:68:36 | tainted |
| serverSide.js:58:19:58:42 | url.par ... , true) | serverSide.js:58:19:58:48 | url.par ... ).query |
| serverSide.js:58:19:58:48 | url.par ... ).query | serverSide.js:58:19:58:52 | url.par ... ery.url |
| serverSide.js:58:19:58:52 | url.par ... ery.url | serverSide.js:58:9:58:52 | tainted |
| serverSide.js:58:29:58:35 | req.url | serverSide.js:58:19:58:42 | url.par ... , true) |
| serverSide.js:58:19:58:42 | url.par ... , true) | serverSide.js:58:9:58:52 | tainted |
| serverSide.js:58:29:58:35 | req.url | serverSide.js:58:19:58:42 | url.par ... , true) |
| serverSide.js:61:29:61:35 | tainted | serverSide.js:64:30:64:36 | tainted |
| serverSide.js:61:29:61:35 | tainted | serverSide.js:68:30:68:36 | tainted |
| serverSide.js:74:9:74:52 | tainted | serverSide.js:76:19:76:25 | tainted |
| serverSide.js:74:9:74:52 | tainted | serverSide.js:76:19:76:25 | tainted |
| serverSide.js:74:19:74:42 | url.par ... , true) | serverSide.js:74:19:74:48 | url.par ... ).query |
| serverSide.js:74:19:74:48 | url.par ... ).query | serverSide.js:74:19:74:52 | url.par ... ery.url |
| serverSide.js:74:19:74:52 | url.par ... ery.url | serverSide.js:74:9:74:52 | tainted |
| serverSide.js:74:29:74:35 | req.url | serverSide.js:74:19:74:42 | url.par ... , true) |
| serverSide.js:74:19:74:42 | url.par ... , true) | serverSide.js:74:9:74:52 | tainted |
| serverSide.js:74:29:74:35 | req.url | serverSide.js:74:19:74:42 | url.par ... , true) |
| serverSide.js:83:38:83:43 | param1 | serverSide.js:84:19:84:24 | param1 |
| serverSide.js:83:38:83:43 | param1 | serverSide.js:84:19:84:24 | param1 |
| serverSide.js:83:38:83:43 | param1 | serverSide.js:84:19:84:24 | param1 |
| serverSide.js:83:38:83:43 | param1 | serverSide.js:84:19:84:24 | param1 |
| serverSide.js:90:19:90:28 | ctx.params | serverSide.js:90:19:90:32 | ctx.params.foo |
| serverSide.js:90:19:90:28 | ctx.params | serverSide.js:90:19:90:32 | ctx.params.foo |
| serverSide.js:90:19:90:28 | ctx.params | serverSide.js:90:19:90:32 | ctx.params.foo |
| serverSide.js:90:19:90:28 | ctx.params | serverSide.js:90:19:90:32 | ctx.params.foo |
| serverSide.js:92:19:92:28 | ctx.params | serverSide.js:92:19:92:32 | ctx.params.foo |
| serverSide.js:92:19:92:28 | ctx.params | serverSide.js:92:19:92:32 | ctx.params.foo |
| serverSide.js:92:19:92:28 | ctx.params | serverSide.js:92:19:92:32 | ctx.params.foo |
| serverSide.js:92:19:92:28 | ctx.params | serverSide.js:92:19:92:32 | ctx.params.foo |
| serverSide.js:98:9:98:52 | tainted | serverSide.js:100:19:100:25 | tainted |
| serverSide.js:98:9:98:52 | tainted | serverSide.js:100:19:100:25 | tainted |
| serverSide.js:98:19:98:42 | url.par ... , true) | serverSide.js:98:19:98:48 | url.par ... ).query |
| serverSide.js:98:19:98:48 | url.par ... ).query | serverSide.js:98:19:98:52 | url.par ... ery.url |
| serverSide.js:98:19:98:52 | url.par ... ery.url | serverSide.js:98:9:98:52 | tainted |
| serverSide.js:98:29:98:35 | req.url | serverSide.js:98:19:98:42 | url.par ... , true) |
| serverSide.js:98:19:98:42 | url.par ... , true) | serverSide.js:98:9:98:52 | tainted |
| serverSide.js:98:29:98:35 | req.url | serverSide.js:98:19:98:42 | url.par ... , true) |
| serverSide.js:108:11:108:27 | url | serverSide.js:109:27:109:29 | url |
| serverSide.js:108:11:108:27 | url | serverSide.js:109:27:109:29 | url |
| serverSide.js:108:17:108:27 | request.url | serverSide.js:108:11:108:27 | url |
| serverSide.js:108:17:108:27 | request.url | serverSide.js:108:11:108:27 | url |
| serverSide.js:115:11:115:42 | url | serverSide.js:117:27:117:29 | url |
| serverSide.js:115:11:115:42 | url | serverSide.js:117:27:117:29 | url |
| serverSide.js:115:17:115:42 | new URL ... , base) | serverSide.js:115:11:115:42 | url |
| serverSide.js:115:25:115:35 | request.url | serverSide.js:115:17:115:42 | new URL ... , base) |
| serverSide.js:115:25:115:35 | request.url | serverSide.js:115:17:115:42 | new URL ... , base) |
| serverSide.js:123:9:123:52 | tainted | serverSide.js:127:14:127:20 | tainted |
| serverSide.js:123:9:123:52 | tainted | serverSide.js:127:14:127:20 | tainted |
| serverSide.js:123:9:123:52 | tainted | serverSide.js:130:37:130:43 | tainted |
| serverSide.js:123:19:123:42 | url.par ... , true) | serverSide.js:123:19:123:48 | url.par ... ).query |
| serverSide.js:123:19:123:48 | url.par ... ).query | serverSide.js:123:19:123:52 | url.par ... ery.url |
| serverSide.js:123:19:123:52 | url.par ... ery.url | serverSide.js:123:9:123:52 | tainted |
| serverSide.js:123:29:123:35 | req.url | serverSide.js:123:19:123:42 | url.par ... , true) |
| serverSide.js:123:19:123:42 | url.par ... , true) | serverSide.js:123:9:123:52 | tainted |
| serverSide.js:123:29:123:35 | req.url | serverSide.js:123:19:123:42 | url.par ... , true) |
| serverSide.js:130:9:130:45 | myUrl | serverSide.js:131:15:131:19 | myUrl |
| serverSide.js:130:9:130:45 | myUrl | serverSide.js:131:15:131:19 | myUrl |
| serverSide.js:130:17:130:45 | `${some ... inted}` | serverSide.js:130:9:130:45 | myUrl |
| serverSide.js:130:37:130:43 | tainted | serverSide.js:130:17:130:45 | `${some ... inted}` |
| serverSide.js:130:37:130:43 | tainted | serverSide.js:130:9:130:45 | myUrl |
nodes
| serverSide.js:14:9:14:52 | tainted | semmle.label | tainted |
| serverSide.js:14:19:14:42 | url.par ... , true) | semmle.label | url.par ... , true) |
| serverSide.js:14:29:14:35 | req.url | semmle.label | req.url |
| serverSide.js:18:13:18:19 | tainted | semmle.label | tainted |
| serverSide.js:20:17:20:23 | tainted | semmle.label | tainted |
| serverSide.js:23:19:23:25 | tainted | semmle.label | tainted |
| serverSide.js:26:13:26:31 | "http://" + tainted | semmle.label | "http://" + tainted |
| serverSide.js:26:25:26:31 | tainted | semmle.label | tainted |
| serverSide.js:28:13:28:42 | "http:/ ... tainted | semmle.label | "http:/ ... tainted |
| serverSide.js:28:36:28:42 | tainted | semmle.label | tainted |
| serverSide.js:30:13:30:43 | "http:/ ... tainted | semmle.label | "http:/ ... tainted |
| serverSide.js:30:37:30:43 | tainted | semmle.label | tainted |
| serverSide.js:34:34:34:40 | tainted | semmle.label | tainted |
| serverSide.js:36:16:36:31 | new Uri(tainted) | semmle.label | new Uri(tainted) |
| serverSide.js:36:24:36:30 | tainted | semmle.label | tainted |
| serverSide.js:37:22:37:37 | new Uri(tainted) | semmle.label | new Uri(tainted) |
| serverSide.js:37:30:37:36 | tainted | semmle.label | tainted |
| serverSide.js:41:13:41:51 | `http:/ ... inted}` | semmle.label | `http:/ ... inted}` |
| serverSide.js:41:43:41:49 | tainted | semmle.label | tainted |
| serverSide.js:43:13:43:54 | `http:/ ... inted}` | semmle.label | `http:/ ... inted}` |
| serverSide.js:43:46:43:52 | tainted | semmle.label | tainted |
| serverSide.js:45:13:45:56 | 'http:/ ... tainted | semmle.label | 'http:/ ... tainted |
| serverSide.js:45:50:45:56 | tainted | semmle.label | tainted |
| serverSide.js:58:9:58:52 | tainted | semmle.label | tainted |
| serverSide.js:58:19:58:42 | url.par ... , true) | semmle.label | url.par ... , true) |
| serverSide.js:58:29:58:35 | req.url | semmle.label | req.url |
| serverSide.js:61:29:61:35 | tainted | semmle.label | tainted |
| serverSide.js:61:29:61:35 | tainted | semmle.label | tainted |
| serverSide.js:64:30:64:36 | tainted | semmle.label | tainted |
| serverSide.js:68:30:68:36 | tainted | semmle.label | tainted |
| serverSide.js:74:9:74:52 | tainted | semmle.label | tainted |
| serverSide.js:74:19:74:42 | url.par ... , true) | semmle.label | url.par ... , true) |
| serverSide.js:74:29:74:35 | req.url | semmle.label | req.url |
| serverSide.js:76:19:76:25 | tainted | semmle.label | tainted |
| serverSide.js:83:38:83:43 | param1 | semmle.label | param1 |
| serverSide.js:84:19:84:24 | param1 | semmle.label | param1 |
| serverSide.js:90:19:90:28 | ctx.params | semmle.label | ctx.params |
| serverSide.js:90:19:90:32 | ctx.params.foo | semmle.label | ctx.params.foo |
| serverSide.js:92:19:92:28 | ctx.params | semmle.label | ctx.params |
| serverSide.js:92:19:92:32 | ctx.params.foo | semmle.label | ctx.params.foo |
| serverSide.js:98:9:98:52 | tainted | semmle.label | tainted |
| serverSide.js:98:19:98:42 | url.par ... , true) | semmle.label | url.par ... , true) |
| serverSide.js:98:29:98:35 | req.url | semmle.label | req.url |
| serverSide.js:100:19:100:25 | tainted | semmle.label | tainted |
| serverSide.js:108:11:108:27 | url | semmle.label | url |
| serverSide.js:108:17:108:27 | request.url | semmle.label | request.url |
| serverSide.js:109:27:109:29 | url | semmle.label | url |
| serverSide.js:115:11:115:42 | url | semmle.label | url |
| serverSide.js:115:17:115:42 | new URL ... , base) | semmle.label | new URL ... , base) |
| serverSide.js:115:25:115:35 | request.url | semmle.label | request.url |
| serverSide.js:117:27:117:29 | url | semmle.label | url |
| serverSide.js:123:9:123:52 | tainted | semmle.label | tainted |
| serverSide.js:123:19:123:42 | url.par ... , true) | semmle.label | url.par ... , true) |
| serverSide.js:123:29:123:35 | req.url | semmle.label | req.url |
| serverSide.js:127:14:127:20 | tainted | semmle.label | tainted |
| serverSide.js:130:9:130:45 | myUrl | semmle.label | myUrl |
| serverSide.js:130:37:130:43 | tainted | semmle.label | tainted |
| serverSide.js:131:15:131:19 | myUrl | semmle.label | myUrl |
subpaths
#select
| serverSide.js:18:5:18:20 | request(tainted) | serverSide.js:14:29:14:35 | req.url | serverSide.js:18:13:18:19 | tainted | The $@ of this request depends on a $@. | serverSide.js:18:13:18:19 | tainted | URL | serverSide.js:14:29:14:35 | req.url | user-provided value |
| serverSide.js:20:5:20:24 | request.get(tainted) | serverSide.js:14:29:14:35 | req.url | serverSide.js:20:17:20:23 | tainted | The $@ of this request depends on a $@. | serverSide.js:20:17:20:23 | tainted | URL | serverSide.js:14:29:14:35 | req.url | user-provided value |