better support for browser based fetch API
@@ -1145,14 +1145,23 @@ module NodeJSLib {
|
||||
DataFlow::SourceNode moduleImport() {
|
||||
result = DataFlow::moduleImport(["node-fetch", "cross-fetch", "isomorphic-fetch"])
|
||||
or
|
||||
result = DataFlow::globalVarRef("fetch")
|
||||
result = DataFlow::globalVarRef("fetch") // https://fetch.spec.whatwg.org/#fetch-api
|
||||
}
|
||||
|
||||
/**
|
||||
* Gets an instance of the `Headers` class.
|
||||
*/
|
||||
private DataFlow::NewNode header() {
|
||||
result = moduleImport().getAConstructorInvocation("Headers")
|
||||
or
|
||||
result = DataFlow::globalVarRef("Headers").getAnInstantiation() // https://fetch.spec.whatwg.org/#headers-class
|
||||
}
|
||||
|
||||
/** An expression that is passed as `http.request({ auth: <expr> }, ...)`. */
|
||||
class FetchAuthorization extends CredentialsExpr {
|
||||
private class FetchAuthorization extends CredentialsExpr {
|
||||
FetchAuthorization() {
|
||||
exists(DataFlow::Node headers |
|
||||
headers = moduleImport().getAConstructorInvocation("Headers").getArgument(0)
|
||||
headers = header().getArgument(0)
|
||||
or
|
||||
headers = moduleImport().getACall().getOptionArgument(1, "headers")
|
||||
|
|
||||
@@ -1160,7 +1169,7 @@ module NodeJSLib {
|
||||
)
|
||||
or
|
||||
exists(DataFlow::MethodCallNode appendCall |
|
||||
appendCall = moduleImport().getAConstructorInvocation("Headers").getAMethodCall(["append", "set"]) and
|
||||
appendCall = header().getAMethodCall(["append", "set"]) and
|
||||
appendCall.getArgument(0).mayHaveStringValue("Authorization") and
|
||||
this = appendCall.getArgument(1).asExpr()
|
||||
)
|
||||
|
||||
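Review bot: The header-name match in the second hunk, `appendCall.getArgument(0).mayHaveStringValue("Authorization")`, is an exact string comparison, while the Fetch spec treats header names case-insensitively, so a hard-coded credential written through the new `header()` source as `headers.set("authorization", ...)` is not reported. A case-folded comparison such as `appendCall.getArgument(0).getStringValue().toLowerCase() = "authorization"` would close that gap; the same applies wherever the `headers` object literal is inspected further down the `exists`, which lies outside the hunk. Separately, the doc comment kept on the now-private class, `/** An expression that is passed as \`http.request({ auth: <expr> }, ...)\`. */`, describes the http.request case rather than fetch; a replacement along the lines of `/** An expression passed as the Authorization header of a fetch request or Headers instance. */` would match what the characteristic predicate actually selects. The constructor body of `FetchAuthorization` starts in the first hunk and continues past the end of the second.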
@@ -185,6 +185,20 @@ nodes
|
||||
| HardcodedCredentials.js:204:35:204:49 | `Basic ${AUTH}` |
|
||||
| HardcodedCredentials.js:204:35:204:49 | `Basic ${AUTH}` |
|
||||
| HardcodedCredentials.js:204:44:204:47 | AUTH |
|
||||
| HardcodedCredentials.js:214:11:214:25 | USER |
|
||||
| HardcodedCredentials.js:214:18:214:25 | 'sdsdag' |
|
||||
| HardcodedCredentials.js:214:18:214:25 | 'sdsdag' |
|
||||
| HardcodedCredentials.js:215:11:215:25 | PASS |
|
||||
| HardcodedCredentials.js:215:18:215:25 | 'sdsdag' |
|
||||
| HardcodedCredentials.js:215:18:215:25 | 'sdsdag' |
|
||||
| HardcodedCredentials.js:216:11:216:49 | AUTH |
|
||||
| HardcodedCredentials.js:216:18:216:49 | base64. ... PASS}`) |
|
||||
| HardcodedCredentials.js:216:32:216:48 | `${USER}:${PASS}` |
|
||||
| HardcodedCredentials.js:216:35:216:38 | USER |
|
||||
| HardcodedCredentials.js:216:43:216:46 | PASS |
|
||||
| HardcodedCredentials.js:221:37:221:51 | `Basic ${AUTH}` |
|
||||
| HardcodedCredentials.js:221:37:221:51 | `Basic ${AUTH}` |
|
||||
| HardcodedCredentials.js:221:46:221:49 | AUTH |
|
||||
edges
|
||||
| HardcodedCredentials.js:5:15:5:22 | 'dbuser' | HardcodedCredentials.js:5:15:5:22 | 'dbuser' |
|
||||
| HardcodedCredentials.js:8:19:8:28 | 'abcdefgh' | HardcodedCredentials.js:8:19:8:28 | 'abcdefgh' |
|
||||
@@ -265,6 +279,19 @@ edges
|
||||
| HardcodedCredentials.js:195:46:195:49 | AUTH | HardcodedCredentials.js:195:37:195:51 | `Basic ${AUTH}` |
|
||||
| HardcodedCredentials.js:204:44:204:47 | AUTH | HardcodedCredentials.js:204:35:204:49 | `Basic ${AUTH}` |
|
||||
| HardcodedCredentials.js:204:44:204:47 | AUTH | HardcodedCredentials.js:204:35:204:49 | `Basic ${AUTH}` |
|
||||
| HardcodedCredentials.js:214:11:214:25 | USER | HardcodedCredentials.js:216:35:216:38 | USER |
|
||||
| HardcodedCredentials.js:214:18:214:25 | 'sdsdag' | HardcodedCredentials.js:214:11:214:25 | USER |
|
||||
| HardcodedCredentials.js:214:18:214:25 | 'sdsdag' | HardcodedCredentials.js:214:11:214:25 | USER |
|
||||
| HardcodedCredentials.js:215:11:215:25 | PASS | HardcodedCredentials.js:216:43:216:46 | PASS |
|
||||
| HardcodedCredentials.js:215:18:215:25 | 'sdsdag' | HardcodedCredentials.js:215:11:215:25 | PASS |
|
||||
| HardcodedCredentials.js:215:18:215:25 | 'sdsdag' | HardcodedCredentials.js:215:11:215:25 | PASS |
|
||||
| HardcodedCredentials.js:216:11:216:49 | AUTH | HardcodedCredentials.js:221:46:221:49 | AUTH |
|
||||
| HardcodedCredentials.js:216:18:216:49 | base64. ... PASS}`) | HardcodedCredentials.js:216:11:216:49 | AUTH |
|
||||
| HardcodedCredentials.js:216:32:216:48 | `${USER}:${PASS}` | HardcodedCredentials.js:216:18:216:49 | base64. ... PASS}`) |
|
||||
| HardcodedCredentials.js:216:35:216:38 | USER | HardcodedCredentials.js:216:32:216:48 | `${USER}:${PASS}` |
|
||||
| HardcodedCredentials.js:216:43:216:46 | PASS | HardcodedCredentials.js:216:32:216:48 | `${USER}:${PASS}` |
|
||||
| HardcodedCredentials.js:221:46:221:49 | AUTH | HardcodedCredentials.js:221:37:221:51 | `Basic ${AUTH}` |
|
||||
| HardcodedCredentials.js:221:46:221:49 | AUTH | HardcodedCredentials.js:221:37:221:51 | `Basic ${AUTH}` |
|
||||
#select
|
||||
| HardcodedCredentials.js:5:15:5:22 | 'dbuser' | HardcodedCredentials.js:5:15:5:22 | 'dbuser' | HardcodedCredentials.js:5:15:5:22 | 'dbuser' | The hard-coded value "dbuser" is used as $@. | HardcodedCredentials.js:5:15:5:22 | 'dbuser' | user name |
|
||||
| HardcodedCredentials.js:8:19:8:28 | 'abcdefgh' | HardcodedCredentials.js:8:19:8:28 | 'abcdefgh' | HardcodedCredentials.js:8:19:8:28 | 'abcdefgh' | The hard-coded value "abcdefgh" is used as $@. | HardcodedCredentials.js:8:19:8:28 | 'abcdefgh' | password |
|
||||
@@ -327,3 +354,5 @@ edges
|
||||
| HardcodedCredentials.js:172:18:172:25 | 'sdsdag' | HardcodedCredentials.js:172:18:172:25 | 'sdsdag' | HardcodedCredentials.js:188:30:188:44 | `Basic ${AUTH}` | The hard-coded value "sdsdag" is used as $@. | HardcodedCredentials.js:188:30:188:44 | `Basic ${AUTH}` | authorization headers |
|
||||
| HardcodedCredentials.js:172:18:172:25 | 'sdsdag' | HardcodedCredentials.js:172:18:172:25 | 'sdsdag' | HardcodedCredentials.js:195:37:195:51 | `Basic ${AUTH}` | The hard-coded value "sdsdag" is used as $@. | HardcodedCredentials.js:195:37:195:51 | `Basic ${AUTH}` | authorization headers |
|
||||
| HardcodedCredentials.js:172:18:172:25 | 'sdsdag' | HardcodedCredentials.js:172:18:172:25 | 'sdsdag' | HardcodedCredentials.js:204:35:204:49 | `Basic ${AUTH}` | The hard-coded value "sdsdag" is used as $@. | HardcodedCredentials.js:204:35:204:49 | `Basic ${AUTH}` | authorization headers |
|
||||
| HardcodedCredentials.js:214:18:214:25 | 'sdsdag' | HardcodedCredentials.js:214:18:214:25 | 'sdsdag' | HardcodedCredentials.js:221:37:221:51 | `Basic ${AUTH}` | The hard-coded value "sdsdag" is used as $@. | HardcodedCredentials.js:221:37:221:51 | `Basic ${AUTH}` | authorization headers |
|
||||
| HardcodedCredentials.js:215:18:215:25 | 'sdsdag' | HardcodedCredentials.js:215:18:215:25 | 'sdsdag' | HardcodedCredentials.js:221:37:221:51 | `Basic ${AUTH}` | The hard-coded value "sdsdag" is used as $@. | HardcodedCredentials.js:221:37:221:51 | `Basic ${AUTH}` | authorization headers |
|
||||
|
||||
@@ -206,4 +206,21 @@
|
||||
method: 'get',
|
||||
headers: headers2
|
||||
});
|
||||
});
|
||||
|
||||
(function () {
|
||||
const base64 = require('base-64');
|
||||
|
||||
const USER = 'sdsdag';
|
||||
const PASS = 'sdsdag';
|
||||
const AUTH = base64.encode(`${USER}:${PASS}`);
|
||||
|
||||
// browser API
|
||||
var headers = new Headers();
|
||||
headers.append("Content-Type", 'application/json');
|
||||
headers.append("Authorization", `Basic ${AUTH}`);
|
||||
fetch(ENDPOINT, {
|
||||
method: 'get',
|
||||
headers: headers
|
||||
});
|
||||
});
|
||||
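Review bot: The new fixture exercises only `headers.append("Authorization", ...)` on the global `Headers`, so the other paths the library change introduces — `headers.set(...)`, `new Headers({ Authorization: ... })`, and a `headers:` object literal passed directly to the global `fetch` — have no test case and the `.expected` output cannot show whether they are reported. A second block using `headers.set("Authorization", ...)` and one passing `{ headers: { Authorization: ... } }` to `fetch` would cover them. As a point of style, `var headers = new Headers();` is the only `var` in the block; `const headers = new Headers();` matches the surrounding declarations. `ENDPOINT` is not declared in the hunk and is presumably defined earlier in the file.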