small changes based on review feedback

Erik Krogh Kristensen
2019-09-11 11:26:59 +01:00
parent 72bbd4ded1
commit bec522f0df
12 changed files with 133 additions and 123 deletions


@@ -1,57 +1,57 @@
nodes
| TaintedLengthBad.js:8:10:8:17 | req.body |
| TaintedLengthBad.js:10:12:10:19 | req.body |
| TaintedLengthBad.js:12:22:12:29 | req.body |
| TaintedLengthBad.js:14:16:14:23 | req.body |
| TaintedLengthBad.js:8:13:8:20 | req.body |
| TaintedLengthBad.js:10:15:10:22 | req.body |
| TaintedLengthBad.js:12:25:12:32 | req.body |
| TaintedLengthBad.js:14:19:14:26 | req.body |
| TaintedLengthBad.js:17:18:17:20 | val |
| TaintedLengthBad.js:21:22:21:24 | val |
| TaintedLengthBad.js:26:20:26:22 | val |
| TaintedLengthBad.js:30:13:30:15 | val |
| TaintedLengthBad.js:37:30:37:32 | val |
| TaintedLengthBad.js:40:12:40:14 | val |
| TaintedLengthBad.js:49:24:49:26 | val |
| TaintedLengthBad.js:54:22:54:24 | val |
| TaintedLengthBad.js:22:25:22:27 | val |
| TaintedLengthBad.js:27:20:27:22 | val |
| TaintedLengthBad.js:32:16:32:18 | val |
| TaintedLengthBad.js:38:30:38:32 | val |
| TaintedLengthBad.js:41:15:41:17 | val |
| TaintedLengthBad.js:50:24:50:26 | val |
| TaintedLengthBad.js:55:25:55:27 | val |
| TaintedLengthExitBad.js:8:9:8:16 | req.body |
| TaintedLengthExitBad.js:10:9:10:16 | req.body |
| TaintedLengthExitBad.js:12:10:12:17 | req.body |
| TaintedLengthExitBad.js:14:14:14:21 | req.body |
| TaintedLengthExitBad.js:17:17:17:19 | val |
| TaintedLengthExitBad.js:20:22:20:24 | val |
| TaintedLengthExitBad.js:30:17:30:19 | val |
| TaintedLengthExitBad.js:33:22:33:24 | val |
| TaintedLengthExitBad.js:46:18:46:20 | val |
| TaintedLengthExitBad.js:49:22:49:24 | val |
| TaintedLengthExitBad.js:59:22:59:24 | val |
| TaintedLengthExitBad.js:60:8:60:10 | val |
| TaintedLengthLodash.js:9:10:9:17 | req.body |
| TaintedLengthExitBad.js:31:17:31:19 | val |
| TaintedLengthExitBad.js:34:22:34:24 | val |
| TaintedLengthExitBad.js:47:18:47:20 | val |
| TaintedLengthExitBad.js:50:22:50:24 | val |
| TaintedLengthExitBad.js:60:22:60:24 | val |
| TaintedLengthExitBad.js:61:8:61:10 | val |
| TaintedLengthLodash.js:9:13:9:20 | req.body |
| TaintedLengthLodash.js:14:18:14:20 | val |
| TaintedLengthLodash.js:15:10:15:12 | val |
| TaintedLengthLodash.js:16:13:16:15 | val |
edges
| TaintedLengthBad.js:8:10:8:17 | req.body | TaintedLengthBad.js:17:18:17:20 | val |
| TaintedLengthBad.js:10:12:10:19 | req.body | TaintedLengthBad.js:26:20:26:22 | val |
| TaintedLengthBad.js:12:22:12:29 | req.body | TaintedLengthBad.js:37:30:37:32 | val |
| TaintedLengthBad.js:14:16:14:23 | req.body | TaintedLengthBad.js:49:24:49:26 | val |
| TaintedLengthBad.js:17:18:17:20 | val | TaintedLengthBad.js:21:22:21:24 | val |
| TaintedLengthBad.js:26:20:26:22 | val | TaintedLengthBad.js:30:13:30:15 | val |
| TaintedLengthBad.js:37:30:37:32 | val | TaintedLengthBad.js:40:12:40:14 | val |
| TaintedLengthBad.js:49:24:49:26 | val | TaintedLengthBad.js:54:22:54:24 | val |
| TaintedLengthBad.js:8:13:8:20 | req.body | TaintedLengthBad.js:17:18:17:20 | val |
| TaintedLengthBad.js:10:15:10:22 | req.body | TaintedLengthBad.js:27:20:27:22 | val |
| TaintedLengthBad.js:12:25:12:32 | req.body | TaintedLengthBad.js:38:30:38:32 | val |
| TaintedLengthBad.js:14:19:14:26 | req.body | TaintedLengthBad.js:50:24:50:26 | val |
| TaintedLengthBad.js:17:18:17:20 | val | TaintedLengthBad.js:22:25:22:27 | val |
| TaintedLengthBad.js:27:20:27:22 | val | TaintedLengthBad.js:32:16:32:18 | val |
| TaintedLengthBad.js:38:30:38:32 | val | TaintedLengthBad.js:41:15:41:17 | val |
| TaintedLengthBad.js:50:24:50:26 | val | TaintedLengthBad.js:55:25:55:27 | val |
| TaintedLengthExitBad.js:8:9:8:16 | req.body | TaintedLengthExitBad.js:17:17:17:19 | val |
| TaintedLengthExitBad.js:10:9:10:16 | req.body | TaintedLengthExitBad.js:30:17:30:19 | val |
| TaintedLengthExitBad.js:12:10:12:17 | req.body | TaintedLengthExitBad.js:46:18:46:20 | val |
| TaintedLengthExitBad.js:14:14:14:21 | req.body | TaintedLengthExitBad.js:59:22:59:24 | val |
| TaintedLengthExitBad.js:10:9:10:16 | req.body | TaintedLengthExitBad.js:31:17:31:19 | val |
| TaintedLengthExitBad.js:12:10:12:17 | req.body | TaintedLengthExitBad.js:47:18:47:20 | val |
| TaintedLengthExitBad.js:14:14:14:21 | req.body | TaintedLengthExitBad.js:60:22:60:24 | val |
| TaintedLengthExitBad.js:17:17:17:19 | val | TaintedLengthExitBad.js:20:22:20:24 | val |
| TaintedLengthExitBad.js:30:17:30:19 | val | TaintedLengthExitBad.js:33:22:33:24 | val |
| TaintedLengthExitBad.js:46:18:46:20 | val | TaintedLengthExitBad.js:49:22:49:24 | val |
| TaintedLengthExitBad.js:59:22:59:24 | val | TaintedLengthExitBad.js:60:8:60:10 | val |
| TaintedLengthLodash.js:9:10:9:17 | req.body | TaintedLengthLodash.js:14:18:14:20 | val |
| TaintedLengthLodash.js:14:18:14:20 | val | TaintedLengthLodash.js:15:10:15:12 | val |
| TaintedLengthExitBad.js:31:17:31:19 | val | TaintedLengthExitBad.js:34:22:34:24 | val |
| TaintedLengthExitBad.js:47:18:47:20 | val | TaintedLengthExitBad.js:50:22:50:24 | val |
| TaintedLengthExitBad.js:60:22:60:24 | val | TaintedLengthExitBad.js:61:8:61:10 | val |
| TaintedLengthLodash.js:9:13:9:20 | req.body | TaintedLengthLodash.js:14:18:14:20 | val |
| TaintedLengthLodash.js:14:18:14:20 | val | TaintedLengthLodash.js:16:13:16:15 | val |
#select
| TaintedLengthBad.js:21:22:21:24 | val | TaintedLengthBad.js:8:10:8:17 | req.body | TaintedLengthBad.js:21:22:21:24 | val | Iterating over user controlled object with an unbounded .length property $@. | TaintedLengthBad.js:8:10:8:17 | req.body | here |
| TaintedLengthBad.js:30:13:30:15 | val | TaintedLengthBad.js:10:12:10:19 | req.body | TaintedLengthBad.js:30:13:30:15 | val | Iterating over user controlled object with an unbounded .length property $@. | TaintedLengthBad.js:10:12:10:19 | req.body | here |
| TaintedLengthBad.js:40:12:40:14 | val | TaintedLengthBad.js:12:22:12:29 | req.body | TaintedLengthBad.js:40:12:40:14 | val | Iterating over user controlled object with an unbounded .length property $@. | TaintedLengthBad.js:12:22:12:29 | req.body | here |
| TaintedLengthBad.js:54:22:54:24 | val | TaintedLengthBad.js:14:16:14:23 | req.body | TaintedLengthBad.js:54:22:54:24 | val | Iterating over user controlled object with an unbounded .length property $@. | TaintedLengthBad.js:14:16:14:23 | req.body | here |
| TaintedLengthBad.js:22:25:22:27 | val | TaintedLengthBad.js:8:13:8:20 | req.body | TaintedLengthBad.js:22:25:22:27 | val | Iterating over user controlled object with an unbounded .length property $@. | TaintedLengthBad.js:8:13:8:20 | req.body | here |
| TaintedLengthBad.js:32:16:32:18 | val | TaintedLengthBad.js:10:15:10:22 | req.body | TaintedLengthBad.js:32:16:32:18 | val | Iterating over user controlled object with an unbounded .length property $@. | TaintedLengthBad.js:10:15:10:22 | req.body | here |
| TaintedLengthBad.js:41:15:41:17 | val | TaintedLengthBad.js:12:25:12:32 | req.body | TaintedLengthBad.js:41:15:41:17 | val | Iterating over user controlled object with an unbounded .length property $@. | TaintedLengthBad.js:12:25:12:32 | req.body | here |
| TaintedLengthBad.js:55:25:55:27 | val | TaintedLengthBad.js:14:19:14:26 | req.body | TaintedLengthBad.js:55:25:55:27 | val | Iterating over user controlled object with an unbounded .length property $@. | TaintedLengthBad.js:14:19:14:26 | req.body | here |
| TaintedLengthExitBad.js:20:22:20:24 | val | TaintedLengthExitBad.js:8:9:8:16 | req.body | TaintedLengthExitBad.js:20:22:20:24 | val | Iterating over user controlled object with an unbounded .length property $@. | TaintedLengthExitBad.js:8:9:8:16 | req.body | here |
| TaintedLengthExitBad.js:33:22:33:24 | val | TaintedLengthExitBad.js:10:9:10:16 | req.body | TaintedLengthExitBad.js:33:22:33:24 | val | Iterating over user controlled object with an unbounded .length property $@. | TaintedLengthExitBad.js:10:9:10:16 | req.body | here |
| TaintedLengthExitBad.js:49:22:49:24 | val | TaintedLengthExitBad.js:12:10:12:17 | req.body | TaintedLengthExitBad.js:49:22:49:24 | val | Iterating over user controlled object with an unbounded .length property $@. | TaintedLengthExitBad.js:12:10:12:17 | req.body | here |
| TaintedLengthExitBad.js:60:8:60:10 | val | TaintedLengthExitBad.js:14:14:14:21 | req.body | TaintedLengthExitBad.js:60:8:60:10 | val | Iterating over user controlled object with an unbounded .length property $@. | TaintedLengthExitBad.js:14:14:14:21 | req.body | here |
| TaintedLengthLodash.js:15:10:15:12 | val | TaintedLengthLodash.js:9:10:9:17 | req.body | TaintedLengthLodash.js:15:10:15:12 | val | Iterating over user controlled object with an unbounded .length property $@. | TaintedLengthLodash.js:9:10:9:17 | req.body | here |
| TaintedLengthExitBad.js:34:22:34:24 | val | TaintedLengthExitBad.js:10:9:10:16 | req.body | TaintedLengthExitBad.js:34:22:34:24 | val | Iterating over user controlled object with an unbounded .length property $@. | TaintedLengthExitBad.js:10:9:10:16 | req.body | here |
| TaintedLengthExitBad.js:50:22:50:24 | val | TaintedLengthExitBad.js:12:10:12:17 | req.body | TaintedLengthExitBad.js:50:22:50:24 | val | Iterating over user controlled object with an unbounded .length property $@. | TaintedLengthExitBad.js:12:10:12:17 | req.body | here |
| TaintedLengthExitBad.js:61:8:61:10 | val | TaintedLengthExitBad.js:14:14:14:21 | req.body | TaintedLengthExitBad.js:61:8:61:10 | val | Iterating over user controlled object with an unbounded .length property $@. | TaintedLengthExitBad.js:14:14:14:21 | req.body | here |
| TaintedLengthLodash.js:16:13:16:15 | val | TaintedLengthLodash.js:9:13:9:20 | req.body | TaintedLengthLodash.js:16:13:16:15 | val | Iterating over user controlled object with an unbounded .length property $@. | TaintedLengthLodash.js:9:13:9:20 | req.body | here |


@@ -17,9 +17,7 @@ rootRoute.post(function(req, res) {
function problem(val) {
var ret = [];
// Potential DOS! .length property could have been set to an arbitrary
// value!
for (var i = 0; i < val.length; i++) {
for (var i = 0; i < val.length; i++) { // NOT OK!
ret.push(val[i]);
}
}
@@ -27,9 +25,8 @@ function problem(val) {
function whileLoop(val) {
var ret = [];
var i = 0;
// Potential DOS! .length property could have been set to an arbitrary
// value!
while (i < val.length) {
while (i < val.length) { // NOT OK!
ret.push(val[i]);
i++;
}
@@ -40,8 +37,7 @@ function useLengthIndirectly(val) {
var len = val.length;
// Same as above, but the .length access happens outside the loop.
for (var i = 0; i < len; i++) {
for (var i = 0; i < len; i++) { // NOT OK!
ret.push(val[i]);
}
}
@@ -52,8 +48,9 @@ function noNullPointer(val) {
const c = 0;
for (var i = 0; i < val.length; i++) {
ret.push(val[c].foo); // constantly accessing element 0, therefore not
// guaranteed null-pointer.
for (var i = 0; i < val.length; i++) { // NOT OK!
// constantly accessing element 0, therefore not guaranteed null-pointer.
ret.push(val[c].foo);
}
}
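Review bot: The `// NOT OK!` marker in `useLengthIndirectly` sits on `for (var i = 0; i < len; i++) {`, but the alert for that function appears to be reported on the `.length` read rather than on the loop. Assuming this section is TaintedLengthBad.js, the expected-results row `41:15:41:17 | val` has the column range of `val` in a four-space-indented `var len = val.length;`, and the loop line contains no `val` at all. Moving the marker, `var len = val.length; // NOT OK!`, keeps the annotation on the line the query actually flags. The function starts above this hunk, so the line numbering is inferred from the columns only.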


@@ -17,7 +17,7 @@ rootRoute.post(function (req, res) {
function breaks(val) {
var ret = [];
for (var i = 0; i < val.length; i++) {
for (var i = 0; i < val.length; i++) { // NOT OK!
for (var k = 0; k < 2; k++) {
if (k == 3) {
// Does not prevent DOS, because this is inside an inner loop.
@@ -31,7 +31,7 @@ function breaks(val) {
function throws(val) {
var ret = [];
for (var i = 0; i < val.length; i++) {
for (var i = 0; i < val.length; i++) { // NOT OK!
if (val[i] == null) {
try {
throw 2; // Is catched, and therefore the DOS is not prevented.
@@ -43,11 +43,10 @@ function throws(val) {
}
}
// the obvious null-pointer detection should not hit this one.
function returns(val) {
var ret = [];
for (var i = 0; i < val.length; i++) {
for (var i = 0; i < val.length; i++) { // NOT OK!
if (val[i] == null) {
(function (i) {
return i+2; // Does not prevent DOS.
@@ -57,7 +56,7 @@ function returns(val) {
}
}
function lodashThrow(val) {
function lodashThrow(val) { // NOT OK!
_.map(val, function (e) {
if (!e) {
try {
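Review bot: In `lodashThrow` the `// NOT OK!` marker is attached to the function declaration, while every other case in this section puts it on the line that consumes the tainted value. The expected-results row for this case, `TaintedLengthExitBad.js:61:8:61:10 | val`, has the column range of `val` in `_.map(val, function (e) {`, so the alert is on the call, one line below the marker. Writing `_.map(val, function (e) { // NOT OK!` instead would also match where the passing counterpart of this test places its `// OK`. The body of `lodashThrow` continues past the end of the hunk.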


@@ -17,7 +17,7 @@ rootRoute.post(function (req, res) {
function breaks(val) {
var ret = [];
for (var i = 0; i < val.length; i++) {
for (var i = 0; i < val.length; i++) { // OK
if (val[i] == null) {
break; // prevents DOS.
}
@@ -28,7 +28,7 @@ function breaks(val) {
function throws(val) {
var ret = [];
for (var i = 0; i < val.length; i++) {
for (var i = 0; i < val.length; i++) { // OK
if (val[i] == null) {
throw 2; // prevents DOS.
}
@@ -40,7 +40,7 @@ function throws(val) {
function returns(val) {
var ret = [];
for (var i = 0; i < val.length; i++) {
for (var i = 0; i < val.length; i++) { // OK
if (val[i] == null) {
return 2; // prevents DOS.
}
@@ -49,7 +49,7 @@ function returns(val) {
}
function lodashThrow(val) {
_.map(val, function (e) {
_.map(val, function (e) { // OK
if (!e) {
throw new Error(); // prevents DOS.
}


@@ -23,7 +23,7 @@ function sanitized(val) {
// At this point we know that val must be an Array, and an attacked is
// therefore not able to send a cheap request that spends a lot of time
// inside the loop.
for (var i = 0; i < val.length; i++) {
for (var i = 0; i < val.length; i++) { // OK
ret.push(val[i] + 42);
}
}
@@ -35,7 +35,7 @@ function sanitized2(val) {
return [];
}
// Val can only be a primitive. Therefore no issue!
for (var i = 0; i < val.length; i++) {
for (var i = 0; i < val.length; i++) { // OK
ret.push(val[i] + 42);
}
}
@@ -53,7 +53,7 @@ function sanitized3(val) {
// At this point we know that val must be an Array, and an attacked is
// therefore not able to send a cheap request that spends a lot of time
// inside the loop.
for (var i = 0; i < val.length; i++) {
for (var i = 0; i < val.length; i++) { // OK
ret.push(val[i] + 42);
}
}
@@ -67,7 +67,7 @@ function sanitized4(val) {
// At this point we know that val must be an Array, and an attacked is
// therefore not able to send a cheap request that spends a lot of time
// inside the loop.
for (var i = 0; i < val.length; i++) {
for (var i = 0; i < val.length; i++) { // OK
ret.push(val[i] + 42);
}
}
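Review bot: The comment directly above three of the loops annotated here (`sanitized`, `sanitized3`, `sanitized4`) reads "an attacked is therefore not able to send a cheap request", where "attacker" is meant. Since these comments are the only statement of why the sanitizer makes the loop safe, it is worth fixing them while the lines next to them are being touched: `// At this point we know that val must be an Array, and an attacker is`. The functions begin above each hunk, so the sanitizing checks themselves are not visible here.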


@@ -7,11 +7,8 @@ var rootRoute = router.route('foobar');
rootRoute.post(function(req, res) {
problem(req.body);
useLengthIndirectly(req.body);
});
function problem(val) {
// can take an arbitrary amount of time with a tainted .length property
_.chunk(val, 2);
_.chunk(val, 2); // NOT OK!
}


@@ -16,7 +16,7 @@ function problem(val) {
return [];
}
for (var i = 0; i < val.length; i++) {
for (var i = 0; i < val.length; i++) { // OK
ret.push(val[i]);
}
}


@@ -21,7 +21,7 @@ rootRoute.post(function(req, res) {
function nullPointer(val) {
var ret = [];
for (var i = 0; i < val.length; i++) {
for (var i = 0; i < val.length; i++) { // OK
ret.push(val[i].foo + 42);
}
}
@@ -30,7 +30,7 @@ function nullPointer(val) {
function nullPointer2(val) {
var ret = [];
for (var i = 0; i < val.length; i++) {
for (var i = 0; i < val.length; i++) { // OK
var element = val[i];
ret.push(element.foo + 42);
}
@@ -38,7 +38,7 @@ function nullPointer2(val) {
function nullPointer3(val) {
let arr = val.messaging
for (let i = 0; i < arr.length; i++) {
for (let i = 0; i < arr.length; i++) { // OK
let event = val.messaging[i]
let sender = event.sender.id
}
@@ -46,13 +46,13 @@ function nullPointer3(val) {
function lodashPointer(val) {
return _.map(val, function(e) {
return _.map(val, function(e) { // OK
return e.foo;
})
}
function lodashArrowFunc(val) {
return _.map(val, (e) => {
return _.map(val, (e) => { // OK
return e.foo;
});
}


@@ -14,11 +14,11 @@ function nullPointer(val) {
var ret = [];
// Has obvious null-pointer. And guards the next loop.
for (var i = 0; i < val.length; i++) {
for (var i = 0; i < val.length; i++) { // OK
ret.push(val[i].foo);
}
for (var i = 0; i < val.length; i++) {
for (var i = 0; i < val.length; i++) { // OK
ret.push(val[i]);
}
}