recognize more HttpResponseSink by restricting the hasNonHtmlHeader check

This commit is contained in:
Erik Krogh Kristensen
2020-02-28 10:42:08 +01:00
parent b210009eec
commit c14a485ca7
5 changed files with 161 additions and 7 deletions


@@ -3,6 +3,22 @@ nodes
| ReflectedXss.js:8:14:8:45 | "Unknow ... rams.id |
| ReflectedXss.js:8:33:8:45 | req.params.id |
| ReflectedXss.js:8:33:8:45 | req.params.id |
| ReflectedXssContentTypes.js:10:14:10:36 | "FOO: " ... rams.id |
| ReflectedXssContentTypes.js:10:14:10:36 | "FOO: " ... rams.id |
| ReflectedXssContentTypes.js:10:24:10:36 | req.params.id |
| ReflectedXssContentTypes.js:10:24:10:36 | req.params.id |
| ReflectedXssContentTypes.js:20:14:20:36 | "FOO: " ... rams.id |
| ReflectedXssContentTypes.js:20:14:20:36 | "FOO: " ... rams.id |
| ReflectedXssContentTypes.js:20:24:20:36 | req.params.id |
| ReflectedXssContentTypes.js:20:24:20:36 | req.params.id |
| ReflectedXssContentTypes.js:39:13:39:35 | "FOO: " ... rams.id |
| ReflectedXssContentTypes.js:39:13:39:35 | "FOO: " ... rams.id |
| ReflectedXssContentTypes.js:39:23:39:35 | req.params.id |
| ReflectedXssContentTypes.js:39:23:39:35 | req.params.id |
| ReflectedXssContentTypes.js:70:12:70:34 | "FOO: " ... rams.id |
| ReflectedXssContentTypes.js:70:12:70:34 | "FOO: " ... rams.id |
| ReflectedXssContentTypes.js:70:22:70:34 | req.params.id |
| ReflectedXssContentTypes.js:70:22:70:34 | req.params.id |
| etherpad.js:9:5:9:53 | response |
| etherpad.js:9:16:9:30 | req.query.jsonp |
| etherpad.js:9:16:9:30 | req.query.jsonp |
@@ -75,6 +91,22 @@ edges
| ReflectedXss.js:8:33:8:45 | req.params.id | ReflectedXss.js:8:14:8:45 | "Unknow ... rams.id |
| ReflectedXss.js:8:33:8:45 | req.params.id | ReflectedXss.js:8:14:8:45 | "Unknow ... rams.id |
| ReflectedXss.js:8:33:8:45 | req.params.id | ReflectedXss.js:8:14:8:45 | "Unknow ... rams.id |
| ReflectedXssContentTypes.js:10:24:10:36 | req.params.id | ReflectedXssContentTypes.js:10:14:10:36 | "FOO: " ... rams.id |
| ReflectedXssContentTypes.js:10:24:10:36 | req.params.id | ReflectedXssContentTypes.js:10:14:10:36 | "FOO: " ... rams.id |
| ReflectedXssContentTypes.js:10:24:10:36 | req.params.id | ReflectedXssContentTypes.js:10:14:10:36 | "FOO: " ... rams.id |
| ReflectedXssContentTypes.js:10:24:10:36 | req.params.id | ReflectedXssContentTypes.js:10:14:10:36 | "FOO: " ... rams.id |
| ReflectedXssContentTypes.js:20:24:20:36 | req.params.id | ReflectedXssContentTypes.js:20:14:20:36 | "FOO: " ... rams.id |
| ReflectedXssContentTypes.js:20:24:20:36 | req.params.id | ReflectedXssContentTypes.js:20:14:20:36 | "FOO: " ... rams.id |
| ReflectedXssContentTypes.js:20:24:20:36 | req.params.id | ReflectedXssContentTypes.js:20:14:20:36 | "FOO: " ... rams.id |
| ReflectedXssContentTypes.js:20:24:20:36 | req.params.id | ReflectedXssContentTypes.js:20:14:20:36 | "FOO: " ... rams.id |
| ReflectedXssContentTypes.js:39:23:39:35 | req.params.id | ReflectedXssContentTypes.js:39:13:39:35 | "FOO: " ... rams.id |
| ReflectedXssContentTypes.js:39:23:39:35 | req.params.id | ReflectedXssContentTypes.js:39:13:39:35 | "FOO: " ... rams.id |
| ReflectedXssContentTypes.js:39:23:39:35 | req.params.id | ReflectedXssContentTypes.js:39:13:39:35 | "FOO: " ... rams.id |
| ReflectedXssContentTypes.js:39:23:39:35 | req.params.id | ReflectedXssContentTypes.js:39:13:39:35 | "FOO: " ... rams.id |
| ReflectedXssContentTypes.js:70:22:70:34 | req.params.id | ReflectedXssContentTypes.js:70:12:70:34 | "FOO: " ... rams.id |
| ReflectedXssContentTypes.js:70:22:70:34 | req.params.id | ReflectedXssContentTypes.js:70:12:70:34 | "FOO: " ... rams.id |
| ReflectedXssContentTypes.js:70:22:70:34 | req.params.id | ReflectedXssContentTypes.js:70:12:70:34 | "FOO: " ... rams.id |
| ReflectedXssContentTypes.js:70:22:70:34 | req.params.id | ReflectedXssContentTypes.js:70:12:70:34 | "FOO: " ... rams.id |
| etherpad.js:9:5:9:53 | response | etherpad.js:11:12:11:19 | response |
| etherpad.js:9:5:9:53 | response | etherpad.js:11:12:11:19 | response |
| etherpad.js:9:16:9:30 | req.query.jsonp | etherpad.js:9:16:9:53 | req.que ... e + ")" |
@@ -134,6 +166,10 @@ edges
| tst2.js:14:9:14:9 | p | tst2.js:14:7:14:24 | p |
#select
| ReflectedXss.js:8:14:8:45 | "Unknow ... rams.id | ReflectedXss.js:8:33:8:45 | req.params.id | ReflectedXss.js:8:14:8:45 | "Unknow ... rams.id | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:8:33:8:45 | req.params.id | user-provided value |
| ReflectedXssContentTypes.js:10:14:10:36 | "FOO: " ... rams.id | ReflectedXssContentTypes.js:10:24:10:36 | req.params.id | ReflectedXssContentTypes.js:10:14:10:36 | "FOO: " ... rams.id | Cross-site scripting vulnerability due to $@. | ReflectedXssContentTypes.js:10:24:10:36 | req.params.id | user-provided value |
| ReflectedXssContentTypes.js:20:14:20:36 | "FOO: " ... rams.id | ReflectedXssContentTypes.js:20:24:20:36 | req.params.id | ReflectedXssContentTypes.js:20:14:20:36 | "FOO: " ... rams.id | Cross-site scripting vulnerability due to $@. | ReflectedXssContentTypes.js:20:24:20:36 | req.params.id | user-provided value |
| ReflectedXssContentTypes.js:39:13:39:35 | "FOO: " ... rams.id | ReflectedXssContentTypes.js:39:23:39:35 | req.params.id | ReflectedXssContentTypes.js:39:13:39:35 | "FOO: " ... rams.id | Cross-site scripting vulnerability due to $@. | ReflectedXssContentTypes.js:39:23:39:35 | req.params.id | user-provided value |
| ReflectedXssContentTypes.js:70:12:70:34 | "FOO: " ... rams.id | ReflectedXssContentTypes.js:70:22:70:34 | req.params.id | ReflectedXssContentTypes.js:70:12:70:34 | "FOO: " ... rams.id | Cross-site scripting vulnerability due to $@. | ReflectedXssContentTypes.js:70:22:70:34 | req.params.id | user-provided value |
| etherpad.js:11:12:11:19 | response | etherpad.js:9:16:9:30 | req.query.jsonp | etherpad.js:11:12:11:19 | response | Cross-site scripting vulnerability due to $@. | etherpad.js:9:16:9:30 | req.query.jsonp | user-provided value |
| exception-xss.js:190:12:190:24 | req.params.id | exception-xss.js:190:12:190:24 | req.params.id | exception-xss.js:190:12:190:24 | req.params.id | Cross-site scripting vulnerability due to $@. | exception-xss.js:190:12:190:24 | req.params.id | user-provided value |
| formatting.js:6:14:6:47 | util.fo ... , evil) | formatting.js:4:16:4:29 | req.query.evil | formatting.js:6:14:6:47 | util.fo ... , evil) | Cross-site scripting vulnerability due to $@. | formatting.js:4:16:4:29 | req.query.evil | user-provided value |


@@ -0,0 +1,71 @@
var express = require('express');
var app = express();
app.get('/user/:id', function (req, res) {
if (whatever) {
res.set('Content-Type', 'text/plain');
res.send("FOO: " + req.params.id); // OK - content type is plain text
} else {
res.set('Content-Type', 'text/html');
res.send("FOO: " + req.params.id); // NOT OK - content type is HTML.
}
});
app.get('/user/:id', function (req, res) {
if (whatever) {
res.writeHead(200, {'Content-Type': 'application/json'});
res.send("FOO: " + req.params.id); // OK - content type is JSON
} else {
res.writeHead(404);
res.send("FOO: " + req.params.id); // NOT OK - content type is not set.
}
});
app.get('/user/:id', function (req, res) {
res.writeHead(200, {'Content-Type': 'application/json'});
if (whatever) {
res.send("FOO: " + req.params.id); // OK - content type is JSON
} else {
res.send("FOO: " + req.params.id); // OK - content type is still JSON
}
res.send("FOO: " + req.params.id); // OK - content type is still JSON
});
app.get('/user/:id', function (req, res) {
if (err) {
res.statusCode = 404;
res.end("FOO: " + req.params.id); // NOT OK
} else {
res.setHeader('Content-Type', 'text/plain;charset=utf8');
res.end("FOO: " + req.params.id); // OK
}
});
function textContentType() {
result = "text/plain";
}
app.get('/user/:id', function (req, res) {
if (err) {
res.header({'Content-Type': textContentType()});
res.end("FOO: " + req.params.id); // OK
} else {
res.setHeader('Content-Type', 'text/plain;charset=utf8');
res.end("FOO: " + req.params.id); // OK
}
});
app.get('/user/:id', function (req, res) {
if (err) {
res.writeHead(200, {'Content-Type': 'application/json'});
res.send("FOO: " + req.params.id); // OK - content type is JSON
return;
}
doSomething();
somethingMOre();
while(Math.random()) {};
res.writeHead(404);
res.send("FOO: " + req.params.id); // NOT OK - content type is not set.
});
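Review bot: `textContentType()` in the fifth handler's fixture never returns anything — its body is `result = "text/plain";`, which creates an implicit global and leaves the call evaluating to `undefined` — so at runtime `res.header({'Content-Type': textContentType()})` sets no usable content type, and the `// OK` on the `res.end` line below it documents how the query treats a Content-Type computed by a call, not a plain-text response. If the fixture is meant to exercise a non-literal but genuinely plain-text header, change the body to `return "text/plain";`. Presumably the restricted hasNonHtmlHeader check still accepts any non-literal header value as non-HTML; that is the permissive side of the change and the natural place for a false negative to hide, so the handler deserves a comment stating the expectation, e.g. `// Content-Type comes from a call: expected to count as a non-HTML header`. The `whatever`/`err` conditions are undeclared throughout, which is fine for a static-analysis fixture but worth a one-line file header saying the file is a ReflectedXss test input and is not meant to run.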