add test for unsafe-code-construction query

This commit is contained in:
Erik Krogh Kristensen
2021-05-05 19:34:44 +02:00
parent 198a464346
commit d790f3ccbb
4 changed files with 38 additions and 0 deletions


@@ -0,0 +1,21 @@
nodes
| lib/index.js:1:35:1:38 | data |
| lib/index.js:1:35:1:38 | data |
| lib/index.js:2:21:2:24 | data |
| lib/index.js:2:21:2:24 | data |
| lib/index.js:5:35:5:38 | name |
| lib/index.js:5:35:5:38 | name |
| lib/index.js:6:26:6:29 | name |
| lib/index.js:6:26:6:29 | name |
edges
| lib/index.js:1:35:1:38 | data | lib/index.js:2:21:2:24 | data |
| lib/index.js:1:35:1:38 | data | lib/index.js:2:21:2:24 | data |
| lib/index.js:1:35:1:38 | data | lib/index.js:2:21:2:24 | data |
| lib/index.js:1:35:1:38 | data | lib/index.js:2:21:2:24 | data |
| lib/index.js:5:35:5:38 | name | lib/index.js:6:26:6:29 | name |
| lib/index.js:5:35:5:38 | name | lib/index.js:6:26:6:29 | name |
| lib/index.js:5:35:5:38 | name | lib/index.js:6:26:6:29 | name |
| lib/index.js:5:35:5:38 | name | lib/index.js:6:26:6:29 | name |
#select
| lib/index.js:2:21:2:24 | data | lib/index.js:1:35:1:38 | data | lib/index.js:2:21:2:24 | data | $@ flows to here and is later $@. | lib/index.js:1:35:1:38 | data | Library input | lib/index.js:2:15:2:30 | "(" + data + ")" | interpreted as code |
| lib/index.js:6:26:6:29 | name | lib/index.js:5:35:5:38 | name | lib/index.js:6:26:6:29 | name | $@ flows to here and is later $@. | lib/index.js:5:35:5:38 | name | Library input | lib/index.js:6:17:6:29 | "obj." + name | interpreted as code |


@@ -0,0 +1 @@
Security/CWE-094/UnsafeCodeConstruction.ql


@@ -0,0 +1,11 @@
export function unsafeDeserialize(data) {
return eval("(" + data + ")"); // NOT OK
}
export function unsafeGetter(obj, name) {
return eval("obj." + name); // NOT OK
}
export function safeAssignment(obj, value) {
eval("obj.foo = " + JSON.stringify(value)); // OK
}
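Review bot: The fixture has no header saying which query it exercises or what the `// NOT OK` / `// OK` markers mean, so a reader has to correlate it with the `.expected` file and the qlref elsewhere in this commit. A one-line header such as `// Test fixture for Security/CWE-094/UnsafeCodeConstruction.ql: "NOT OK" marks an expected alert, "OK" marks a case the query must not flag.` would make the file self-describing. On `safeAssignment` the `// OK` comment could also state why it is clean, e.g. `// OK - JSON.stringify is the sanitizer the query should recognize`, since the `eval` call itself is still present and only the string construction differs from the two flagged cases. The expected results label the parameters as "Library input", which presumably depends on the `"main": "index.js"` entry in the accompanying package.json; if so, a short comment noting that dependency would keep a later cleanup from silently emptying the test.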


@@ -0,0 +1,5 @@
{
"name": "my-lib",
"version": "0.0.7",
"main": "index.js"
}