hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-26 09:15:12 +02:00
Code Issues Packages Projects Releases Wiki Activity

Added new test cases for regexp injection with enviromental variable threat model enabled

Browse Source
This commit is contained in:
Napalys Klicius
2025-07-31 12:25:31 +02:00
parent 8583257574
commit d28a6e6352
4 changed files with 64 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

34
javascript/ql/test/query-tests/Security/CWE-730/Threat-models-enabled/RegExpInjection.expected Normal file
View File

@@ -0,0 +1,34 @@
#select
| RegExpInjection.js:6:14:6:48 | `^${pro ... r.app$` | RegExpInjection.js:6:18:6:28 | process.env | RegExpInjection.js:6:14:6:48 | `^${pro ... r.app$` | This regular expression is constructed from a $@. | RegExpInjection.js:6:18:6:28 | process.env | environment variable |
| RegExpInjection.js:8:14:8:40 | `^${pro ... }/bin$` | RegExpInjection.js:8:18:8:28 | process.env | RegExpInjection.js:8:14:8:40 | `^${pro ... }/bin$` | This regular expression is constructed from a $@. | RegExpInjection.js:8:18:8:28 | process.env | environment variable |
| RegExpInjection.js:11:14:11:19 | envVar | RegExpInjection.js:10:16:10:26 | process.env | RegExpInjection.js:11:14:11:19 | envVar | This regular expression is constructed from a $@. | RegExpInjection.js:10:16:10:26 | process.env | environment variable |
| RegExpInjection.js:14:14:14:47 | `^${pro ... r.app$` | RegExpInjection.js:14:18:14:29 | process.argv | RegExpInjection.js:14:14:14:47 | `^${pro ... r.app$` | This regular expression is constructed from a $@. | RegExpInjection.js:14:18:14:29 | process.argv | command-line argument |
| RegExpInjection.js:17:14:17:17 | argv | RegExpInjection.js:16:14:16:25 | process.argv | RegExpInjection.js:17:14:17:17 | argv | This regular expression is constructed from a $@. | RegExpInjection.js:16:14:16:25 | process.argv | command-line argument |
| RegExpInjection.js:21:14:21:22 | userInput | RegExpInjection.js:20:19:20:36 | req.param("input") | RegExpInjection.js:21:14:21:22 | userInput | This regular expression is constructed from a $@. | RegExpInjection.js:20:19:20:36 | req.param("input") | user-provided value |
edges
| RegExpInjection.js:6:18:6:28 | process.env | RegExpInjection.js:6:14:6:48 | `^${pro ... r.app$` | provenance | |
| RegExpInjection.js:8:18:8:28 | process.env | RegExpInjection.js:8:14:8:40 | `^${pro ... }/bin$` | provenance | |
| RegExpInjection.js:10:7:10:35 | envVar | RegExpInjection.js:11:14:11:19 | envVar | provenance | |
| RegExpInjection.js:10:16:10:26 | process.env | RegExpInjection.js:10:7:10:35 | envVar | provenance | |
| RegExpInjection.js:14:18:14:29 | process.argv | RegExpInjection.js:14:14:14:47 | `^${pro ... r.app$` | provenance | |
| RegExpInjection.js:16:7:16:28 | argv | RegExpInjection.js:17:14:17:17 | argv | provenance | |
| RegExpInjection.js:16:14:16:25 | process.argv | RegExpInjection.js:16:7:16:28 | argv | provenance | |
| RegExpInjection.js:20:7:20:36 | userInput | RegExpInjection.js:21:14:21:22 | userInput | provenance | |
| RegExpInjection.js:20:19:20:36 | req.param("input") | RegExpInjection.js:20:7:20:36 | userInput | provenance | |
nodes
| RegExpInjection.js:6:14:6:48 | `^${pro ... r.app$` | semmle.label | `^${pro ... r.app$` |
| RegExpInjection.js:6:18:6:28 | process.env | semmle.label | process.env |
| RegExpInjection.js:8:14:8:40 | `^${pro ... }/bin$` | semmle.label | `^${pro ... }/bin$` |
| RegExpInjection.js:8:18:8:28 | process.env | semmle.label | process.env |
| RegExpInjection.js:10:7:10:35 | envVar | semmle.label | envVar |
| RegExpInjection.js:10:16:10:26 | process.env | semmle.label | process.env |
| RegExpInjection.js:11:14:11:19 | envVar | semmle.label | envVar |
| RegExpInjection.js:14:14:14:47 | `^${pro ... r.app$` | semmle.label | `^${pro ... r.app$` |
| RegExpInjection.js:14:18:14:29 | process.argv | semmle.label | process.argv |
| RegExpInjection.js:16:7:16:28 | argv | semmle.label | argv |
| RegExpInjection.js:16:14:16:25 | process.argv | semmle.label | process.argv |
| RegExpInjection.js:17:14:17:17 | argv | semmle.label | argv |
| RegExpInjection.js:20:7:20:36 | userInput | semmle.label | userInput |
| RegExpInjection.js:20:19:20:36 | req.param("input") | semmle.label | req.param("input") |
| RegExpInjection.js:21:14:21:22 | userInput | semmle.label | userInput |
subpaths

6
javascript/ql/test/query-tests/Security/CWE-730/Threat-models-enabled/RegExpInjection.ext.yml Normal file
View File

@@ -0,0 +1,6 @@
extensions:
- addsTo:
pack: codeql/threat-models
extensible: threatModelConfiguration
data:
- ["environment", true, 0]

22
javascript/ql/test/query-tests/Security/CWE-730/Threat-models-enabled/RegExpInjection.js Normal file
View File

@@ -0,0 +1,22 @@
var express = require('express');
var app = express();
app.get('/test-environment', function(req, res) {
// Environment variables should be detected when "environment" threat model is enabled
new RegExp(`^${process.env.HOME}/Foo/bar.app$`); // $ Alert[js/regex-injection]
new RegExp(`^${process.env.PATH}/bin$`); // $ Alert[js/regex-injection]
var envVar = process.env.NODE_ENV; // $ Source[js/regex-injection]
new RegExp(envVar); // $ Alert[js/regex-injection]
// Command line arguments should still be detected
new RegExp(`^${process.argv[1]}/Foo/bar.app$`); // $ Alert[js/regex-injection]
var argv = process.argv[2]; // $ Source[js/regex-injection]
new RegExp(argv); // $ Alert[js/regex-injection]
// Regular user input should still be detected
var userInput = req.param("input"); // $ Source[js/regex-injection]
new RegExp(userInput); // $ Alert[js/regex-injection]
});

2
javascript/ql/test/query-tests/Security/CWE-730/Threat-models-enabled/RegExpInjection.qlref Normal file
View File

@@ -0,0 +1,2 @@
query: Security/CWE-730/RegExpInjection.ql
postprocess: utils/test/InlineExpectationsTestQuery.ql