CWE 830 test where both branches in a ternary are unsafe

2026-04-30 19:26:02 +02:00 · 2022-02-22 09:01:46 +01:00
parent 2934aa1a3a
commit d80cd1aeb5
3 changed files with 13 additions and 5 deletions
--- a/javascript/ql/src/Security/CWE-830/FunctionalityFromUntrustedSource.ql
+++ b/javascript/ql/src/Security/CWE-830/FunctionalityFromUntrustedSource.ql
@@ -69,8 +69,7 @@ module StaticCreation {
    }

    override string getProblem() {
-      result =
-        "Script loaded from content delivery network with no integrity check."
+      result = "Script loaded from content delivery network with no integrity check."
    }
  }

@@ -78,7 +77,9 @@ module StaticCreation {
  class IframeElementWithUntrustedContent extends AddsUntrustedUrl instanceof HTML::IframeElement {
    IframeElementWithUntrustedContent() { isUntrustedSourceUrl(super.getSourcePath()) }

-    override string getProblem() { result = "HTML iframe element loaded using unencrypted connection." }
+    override string getProblem() {
+      result = "HTML iframe element loaded using unencrypted connection."
+    }
  }
 }

--- a/javascript/ql/test/query-tests/Security/CWE-830/DynamicCreationOfUntrustedSourceUse.html
+++ b/javascript/ql/test/query-tests/Security/CWE-830/DynamicCreationOfUntrustedSourceUse.html
@@ -13,6 +13,11 @@
              scrpt2.src = 'http://www.cdn.local/ga.js';
              scrpt2.integrity = 'sha256-h0UuK3mE9taiYlB5u9vT9A0s/XDgkfVd+F4VhN/sky=';

+              // NOT OK (http + ternary)
+              var scrpt3 = document.createElement('script');
+              scrpt3.type = 'text/javascript';
+              scrpt3.src = ('https:' == document.location.protocol ? 'http://unsafe' : 'http://also-unsafe') + '.cdn.local/ga.js';
+
              // NOT OK (http URL)
              var ifrm = document.createElement('iframe');
              ifrm.src = 'http://www.example.com/';
@@ -27,6 +32,7 @@
              }
              var ifrm3 = document.createElement('iframe');
              ifrm3.src = getUrl('v123');
+
            })();
          </script>
    </head>
--- a/javascript/ql/test/query-tests/Security/CWE-830/FunctionalityFromUntrustedSource.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-830/FunctionalityFromUntrustedSource.expected
@@ -1,5 +1,6 @@
-| DynamicCreationOfUntrustedSourceUse.html:18:26:18:50 | 'http:/ ... e.com/' | HTML iframe element loaded using unencrypted connection. |
-| DynamicCreationOfUntrustedSourceUse.html:29:27:29:40 | getUrl('v123') | HTML iframe element loaded using unencrypted connection. |
+| DynamicCreationOfUntrustedSourceUse.html:19:28:19:129 | ('https ... /ga.js' | HTML script element loaded using unencrypted connection. |
+| DynamicCreationOfUntrustedSourceUse.html:23:26:23:50 | 'http:/ ... e.com/' | HTML iframe element loaded using unencrypted connection. |
+| DynamicCreationOfUntrustedSourceUse.html:34:27:34:40 | getUrl('v123') | HTML iframe element loaded using unencrypted connection. |
 | StaticCreationOfUntrustedSourceUse.html:6:9:6:56 | <script>...</> | HTML script element loaded using unencrypted connection. |
 | StaticCreationOfUntrustedSourceUse.html:9:9:9:58 | <iframe>...</> | HTML iframe element loaded using unencrypted connection. |
 | StaticCreationOfUntrustedSourceUse.html:21:9:21:155 | <script>...</> | Script loaded from content delivery network with no integrity check. |