Merge branch 'main' into exportObj

This commit is contained in:
Erik Krogh Kristensen
2022-05-23 14:18:31 +02:00
738 changed files with 39983 additions and 11121 deletions


@@ -0,0 +1,8 @@
on: issue_comment
jobs:
echo-chamber:
runs-on: ubuntu-latest
steps:
- run: |
echo '${{ github.event.comment.body }}'
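Review bot: The fixture exercises only the vulnerable form, and nothing in it records why it is vulnerable: the single quotes around `${{ github.event.comment.body }}` give no protection because the expression is substituted into the script text before the shell ever parses it, which is exactly what the adjacent .expected file reports. A trailing comment on the run line, `# NOT OK - the expression is expanded into the script before the shell runs it`, would make that intent explicit for the next reader. The test would also be stronger with a negative case in the same workflow: a second step that passes the value through `env:` (`COMMENT: ${{ github.event.comment.body }}` and then `echo "$COMMENT"`), so the expected output proves the query stays quiet on the mitigated pattern rather than only that it fires on the unmitigated one. The hunk header counts 8 added lines but 7 are visible here, so one line (probably a blank) was dropped in rendering.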


@@ -0,0 +1 @@
| .github/workflows/comment_issue.yml:7:12:8:47 | \| | Potential injection from the github.event.comment.body context, which may be controlled by an external user. |


@@ -0,0 +1 @@
Security/CWE-094/ExpressionInjection.ql


@@ -0,0 +1 @@
console.log('test')


@@ -0,0 +1,53 @@
nodes
| insecure-temporary-file.js:7:9:11:5 | tmpLocation |
| insecure-temporary-file.js:7:23:11:5 | path.jo ... )\\n ) |
| insecure-temporary-file.js:8:9:8:45 | os.tmpd ... mpDir() |
| insecure-temporary-file.js:8:21:8:31 | os.tmpdir() |
| insecure-temporary-file.js:8:21:8:31 | os.tmpdir() |
| insecure-temporary-file.js:13:22:13:32 | tmpLocation |
| insecure-temporary-file.js:13:22:13:32 | tmpLocation |
| insecure-temporary-file.js:15:9:15:34 | tmpPath |
| insecure-temporary-file.js:15:19:15:34 | "/tmp/something" |
| insecure-temporary-file.js:15:19:15:34 | "/tmp/something" |
| insecure-temporary-file.js:17:22:17:49 | path.jo ... /foo/") |
| insecure-temporary-file.js:17:22:17:49 | path.jo ... /foo/") |
| insecure-temporary-file.js:17:32:17:38 | tmpPath |
| insecure-temporary-file.js:23:22:23:49 | path.jo ... /foo/") |
| insecure-temporary-file.js:23:22:23:49 | path.jo ... /foo/") |
| insecure-temporary-file.js:23:32:23:38 | tmpPath |
| insecure-temporary-file.js:25:11:25:92 | tmpPath2 |
| insecure-temporary-file.js:25:22:25:92 | path.jo ... )}.md`) |
| insecure-temporary-file.js:25:32:25:42 | os.tmpdir() |
| insecure-temporary-file.js:25:32:25:42 | os.tmpdir() |
| insecure-temporary-file.js:26:22:26:29 | tmpPath2 |
| insecure-temporary-file.js:26:22:26:29 | tmpPath2 |
| insecure-temporary-file.js:28:17:28:24 | tmpPath2 |
| insecure-temporary-file.js:28:17:28:24 | tmpPath2 |
edges
| insecure-temporary-file.js:7:9:11:5 | tmpLocation | insecure-temporary-file.js:13:22:13:32 | tmpLocation |
| insecure-temporary-file.js:7:9:11:5 | tmpLocation | insecure-temporary-file.js:13:22:13:32 | tmpLocation |
| insecure-temporary-file.js:7:23:11:5 | path.jo ... )\\n ) | insecure-temporary-file.js:7:9:11:5 | tmpLocation |
| insecure-temporary-file.js:8:9:8:45 | os.tmpd ... mpDir() | insecure-temporary-file.js:7:23:11:5 | path.jo ... )\\n ) |
| insecure-temporary-file.js:8:21:8:31 | os.tmpdir() | insecure-temporary-file.js:8:9:8:45 | os.tmpd ... mpDir() |
| insecure-temporary-file.js:8:21:8:31 | os.tmpdir() | insecure-temporary-file.js:8:9:8:45 | os.tmpd ... mpDir() |
| insecure-temporary-file.js:15:9:15:34 | tmpPath | insecure-temporary-file.js:17:32:17:38 | tmpPath |
| insecure-temporary-file.js:15:9:15:34 | tmpPath | insecure-temporary-file.js:23:32:23:38 | tmpPath |
| insecure-temporary-file.js:15:19:15:34 | "/tmp/something" | insecure-temporary-file.js:15:9:15:34 | tmpPath |
| insecure-temporary-file.js:15:19:15:34 | "/tmp/something" | insecure-temporary-file.js:15:9:15:34 | tmpPath |
| insecure-temporary-file.js:17:32:17:38 | tmpPath | insecure-temporary-file.js:17:22:17:49 | path.jo ... /foo/") |
| insecure-temporary-file.js:17:32:17:38 | tmpPath | insecure-temporary-file.js:17:22:17:49 | path.jo ... /foo/") |
| insecure-temporary-file.js:23:32:23:38 | tmpPath | insecure-temporary-file.js:23:22:23:49 | path.jo ... /foo/") |
| insecure-temporary-file.js:23:32:23:38 | tmpPath | insecure-temporary-file.js:23:22:23:49 | path.jo ... /foo/") |
| insecure-temporary-file.js:25:11:25:92 | tmpPath2 | insecure-temporary-file.js:26:22:26:29 | tmpPath2 |
| insecure-temporary-file.js:25:11:25:92 | tmpPath2 | insecure-temporary-file.js:26:22:26:29 | tmpPath2 |
| insecure-temporary-file.js:25:11:25:92 | tmpPath2 | insecure-temporary-file.js:28:17:28:24 | tmpPath2 |
| insecure-temporary-file.js:25:11:25:92 | tmpPath2 | insecure-temporary-file.js:28:17:28:24 | tmpPath2 |
| insecure-temporary-file.js:25:22:25:92 | path.jo ... )}.md`) | insecure-temporary-file.js:25:11:25:92 | tmpPath2 |
| insecure-temporary-file.js:25:32:25:42 | os.tmpdir() | insecure-temporary-file.js:25:22:25:92 | path.jo ... )}.md`) |
| insecure-temporary-file.js:25:32:25:42 | os.tmpdir() | insecure-temporary-file.js:25:22:25:92 | path.jo ... )}.md`) |
#select
| insecure-temporary-file.js:13:22:13:32 | tmpLocation | insecure-temporary-file.js:8:21:8:31 | os.tmpdir() | insecure-temporary-file.js:13:22:13:32 | tmpLocation | Insecure creation of file in $@. | insecure-temporary-file.js:8:21:8:31 | os.tmpdir() | the os temp dir |
| insecure-temporary-file.js:17:22:17:49 | path.jo ... /foo/") | insecure-temporary-file.js:15:19:15:34 | "/tmp/something" | insecure-temporary-file.js:17:22:17:49 | path.jo ... /foo/") | Insecure creation of file in $@. | insecure-temporary-file.js:15:19:15:34 | "/tmp/something" | the os temp dir |
| insecure-temporary-file.js:23:22:23:49 | path.jo ... /foo/") | insecure-temporary-file.js:15:19:15:34 | "/tmp/something" | insecure-temporary-file.js:23:22:23:49 | path.jo ... /foo/") | Insecure creation of file in $@. | insecure-temporary-file.js:15:19:15:34 | "/tmp/something" | the os temp dir |
| insecure-temporary-file.js:26:22:26:29 | tmpPath2 | insecure-temporary-file.js:25:32:25:42 | os.tmpdir() | insecure-temporary-file.js:26:22:26:29 | tmpPath2 | Insecure creation of file in $@. | insecure-temporary-file.js:25:32:25:42 | os.tmpdir() | the os temp dir |
| insecure-temporary-file.js:28:17:28:24 | tmpPath2 | insecure-temporary-file.js:25:32:25:42 | os.tmpdir() | insecure-temporary-file.js:28:17:28:24 | tmpPath2 | Insecure creation of file in $@. | insecure-temporary-file.js:25:32:25:42 | os.tmpdir() | the os temp dir |


@@ -0,0 +1 @@
Security/CWE-377/InsecureTemporaryFile.ql


@@ -0,0 +1,30 @@
const os = require('os');
const uuid = require('node-uuid');
const fs = require('fs');
const path = require('path');
(function main() {
var tmpLocation = path.join(
os.tmpdir ? os.tmpdir() : os.tmpDir(),
'something',
uuid.v4().slice(0, 8)
);
fs.writeFileSync(tmpLocation, content); // NOT OK
var tmpPath = "/tmp/something";
fs.writeFileSync(path.join("./foo/", tmpPath), content); // OK
fs.writeFileSync(path.join(tmpPath, "./foo/"), content); // NOT OK
fs.writeFileSync(path.join(tmpPath, "./foo/"), content, {mode: 0o600}); // OK
fs.writeFileSync(path.join(tmpPath, "./foo/"), content, {mode: mode}); // OK - assumed unknown mode is secure
fs.writeFileSync(path.join(tmpPath, "./foo/"), content, {mode: 0o666}); // NOT OK - explicitly insecure
const tmpPath2 = path.join(os.tmpdir(), `tmp_${Math.floor(Math.random() * 1000000)}.md`);
fs.writeFileSync(tmpPath2, content); // NOT OK
fs.openSync(tmpPath2, 'w'); // NOT OK
fs.openSync(tmpPath2, 'w', 0o600); // OK
})
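Review bot: The `// OK` markers on the `{mode: 0o600}` calls and on `fs.openSync(tmpPath2, 'w', 0o600)` read as "this is safe", but a restrictive mode only narrows who can read the new file; it says nothing about the predictable name built from `Math.random()` on the `tmpPath2` line or about an entry that already exists at that path, which is the other half of CWE-377. Since the query is scoped to the file mode, the annotations should say so, e.g. `// OK - restrictive mode; name predictability is out of scope for this query`, so nobody copies the pattern out of the test as a recommended idiom. The fixture also uses `content` and `mode` without declaring them and wraps the body in a function expression that is never invoked; a one-line header comment stating that this is a static-analysis fixture that is not meant to execute would save the next reader a search. The hunk header counts 30 added lines but 22 are visible here, so blank lines appear to have been dropped in rendering.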


@@ -100,6 +100,12 @@ nodes
| lib.js:119:13:119:24 | obj[path[0]] |
| lib.js:119:17:119:20 | path |
| lib.js:119:17:119:23 | path[0] |
| sublib/sub.js:1:37:1:40 | path |
| sublib/sub.js:1:37:1:40 | path |
| sublib/sub.js:2:3:2:14 | obj[path[0]] |
| sublib/sub.js:2:3:2:14 | obj[path[0]] |
| sublib/sub.js:2:7:2:10 | path |
| sublib/sub.js:2:7:2:13 | path[0] |
| tst.js:5:9:5:38 | taint |
| tst.js:5:17:5:38 | String( ... y.data) |
| tst.js:5:24:5:37 | req.query.data |
@@ -241,6 +247,11 @@ edges
| lib.js:119:17:119:20 | path | lib.js:119:17:119:23 | path[0] |
| lib.js:119:17:119:23 | path[0] | lib.js:119:13:119:24 | obj[path[0]] |
| lib.js:119:17:119:23 | path[0] | lib.js:119:13:119:24 | obj[path[0]] |
| sublib/sub.js:1:37:1:40 | path | sublib/sub.js:2:7:2:10 | path |
| sublib/sub.js:1:37:1:40 | path | sublib/sub.js:2:7:2:10 | path |
| sublib/sub.js:2:7:2:10 | path | sublib/sub.js:2:7:2:13 | path[0] |
| sublib/sub.js:2:7:2:13 | path[0] | sublib/sub.js:2:3:2:14 | obj[path[0]] |
| sublib/sub.js:2:7:2:13 | path[0] | sublib/sub.js:2:3:2:14 | obj[path[0]] |
| tst.js:5:9:5:38 | taint | tst.js:8:12:8:16 | taint |
| tst.js:5:9:5:38 | taint | tst.js:9:12:9:16 | taint |
| tst.js:5:9:5:38 | taint | tst.js:12:25:12:29 | taint |
@@ -296,6 +307,7 @@ edges
| lib.js:87:10:87:14 | proto | lib.js:83:14:83:25 | arguments[1] | lib.js:87:10:87:14 | proto | This assignment may alter Object.prototype if a malicious '__proto__' string is injected from $@. | lib.js:83:14:83:25 | arguments[1] | library input |
| lib.js:108:3:108:10 | obj[one] | lib.js:104:13:104:24 | arguments[1] | lib.js:108:3:108:10 | obj[one] | This assignment may alter Object.prototype if a malicious '__proto__' string is injected from $@. | lib.js:104:13:104:24 | arguments[1] | library input |
| lib.js:119:13:119:24 | obj[path[0]] | lib.js:118:29:118:32 | path | lib.js:119:13:119:24 | obj[path[0]] | This assignment may alter Object.prototype if a malicious '__proto__' string is injected from $@. | lib.js:118:29:118:32 | path | library input |
| sublib/sub.js:2:3:2:14 | obj[path[0]] | sublib/sub.js:1:37:1:40 | path | sublib/sub.js:2:3:2:14 | obj[path[0]] | This assignment may alter Object.prototype if a malicious '__proto__' string is injected from $@. | sublib/sub.js:1:37:1:40 | path | library input |
| tst.js:8:5:8:17 | object[taint] | tst.js:5:24:5:37 | req.query.data | tst.js:8:5:8:17 | object[taint] | This assignment may alter Object.prototype if a malicious '__proto__' string is injected from $@. | tst.js:5:24:5:37 | req.query.data | user controlled input |
| tst.js:9:5:9:17 | object[taint] | tst.js:5:24:5:37 | req.query.data | tst.js:9:5:9:17 | object[taint] | This assignment may alter Object.prototype if a malicious '__proto__' string is injected from $@. | tst.js:5:24:5:37 | req.query.data | user controlled input |
| tst.js:14:5:14:32 | unsafeG ... taint) | tst.js:5:24:5:37 | req.query.data | tst.js:14:5:14:32 | unsafeG ... taint) | This assignment may alter Object.prototype if a malicious '__proto__' string is injected from $@. | tst.js:5:24:5:37 | req.query.data | user controlled input |


@@ -0,0 +1,4 @@
{
"name": "sublib",
"main": "./sub"
}


@@ -0,0 +1,3 @@
module.exports.set = function (obj, path, value) {
obj[path[0]][path[1]] = value; // NOT OK
}