hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-30 03:05:15 +02:00
Code Issues Packages Projects Releases Wiki Activity

JS: Use routing trees to detect deeply tainted req.body

Browse Source
This commit is contained in:
Asger Feldthaus
2021-10-28 09:57:06 +02:00
parent 7492293c5b
commit da8e67b7ee
3 changed files with 8 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
javascript/ql/lib/semmle/javascript/frameworks/Express.qll
View File

@@ -613,10 +613,9 @@ module Express {
override predicate isUserControlledObject() {
kind = "body" and
exists(ExpressLibraries::BodyParser bodyParser, RouteHandlerExpr expr |
expr.getBody() = request.getRouteHandler() and
bodyParser.producesUserControlledObjects() and
bodyParser.flowsToExpr(expr.getAMatchingAncestor())
exists(ExpressLibraries::BodyParser bodyParser |
Routing::getNode(request.getRouteHandler()).isGuardedBy(bodyParser) and
bodyParser.producesUserControlledObjects()
)
or
// If we can't find the middlewares for the route handler,

1
javascript/ql/test/query-tests/Security/CWE-073/Consistency.expected
View File

@@ -1 +0,0 @@
| query-tests/Security/CWE-073/routes.js:2 | expected an alert, but found none | NOT OK | |

5
javascript/ql/test/query-tests/Security/CWE-073/TemplateObjectInjection.expected
View File

@@ -1,4 +1,7 @@
nodes
| routes.js:2:23:2:30 | req.body |
| routes.js:2:23:2:30 | req.body |
| routes.js:2:23:2:30 | req.body |
| tst2.js:6:9:6:46 | bodyParameter |
| tst2.js:6:25:6:32 | req.body |
| tst2.js:6:25:6:32 | req.body |
@@ -55,6 +58,7 @@ nodes
| tst.js:29:28:29:42 | JSON.parse(str) |
| tst.js:29:39:29:41 | str |
edges
| routes.js:2:23:2:30 | req.body | routes.js:2:23:2:30 | req.body |
| tst2.js:6:9:6:46 | bodyParameter | tst2.js:7:28:7:40 | bodyParameter |
| tst2.js:6:9:6:46 | bodyParameter | tst2.js:7:28:7:40 | bodyParameter |
| tst2.js:6:25:6:32 | req.body | tst2.js:6:25:6:46 | req.bod ... rameter |
@@ -104,6 +108,7 @@ edges
| tst.js:29:39:29:41 | str | tst.js:29:28:29:42 | JSON.parse(str) |
| tst.js:29:39:29:41 | str | tst.js:29:28:29:42 | JSON.parse(str) |
#select
| routes.js:2:23:2:30 | req.body | routes.js:2:23:2:30 | req.body | routes.js:2:23:2:30 | req.body | Template object injection due to $@. | routes.js:2:23:2:30 | req.body | user-provided value |
| tst2.js:7:28:7:40 | bodyParameter | tst2.js:6:25:6:32 | req.body | tst2.js:7:28:7:40 | bodyParameter | Template object injection due to $@. | tst2.js:6:25:6:32 | req.body | user-provided value |
| tst2.js:27:28:27:40 | bodyParameter | tst2.js:26:25:26:32 | req.body | tst2.js:27:28:27:40 | bodyParameter | Template object injection due to $@. | tst2.js:26:25:26:32 | req.body | user-provided value |
| tst2.js:35:28:35:40 | bodyParameter | tst2.js:34:25:34:32 | req.body | tst2.js:35:28:35:40 | bodyParameter | Template object injection due to $@. | tst2.js:34:25:34:32 | req.body | user-provided value |