Merge pull request #941 from esben-semmle/js/vue-support-2
JS: Vue security improvements
@@ -15,3 +15,4 @@
|
||||
| tst.js:77:20:83:2 | Vue.ext ... \\n }\\n}) |
|
||||
| tst.js:85:1:87:2 | new Vue ... e; }\\n}) |
|
||||
| tst.js:94:2:96:3 | new Vue ... f,\\n\\t}) |
|
||||
| tst.js:99:2:104:3 | new Vue ... \\t\\t}\\n\\t}) |
|
||||
|
||||
@@ -0,0 +1,2 @@
|
||||
| tst.js:102:20:102:29 | this.dataA | tst.js:100:18:100:19 | 42 | tst.js:102:20:102:29 | this.dataA |
|
||||
| tst.js:102:20:102:29 | this.dataA | tst.js:102:20:102:23 | this | tst.js:102:20:102:29 | this.dataA |
|
||||
@@ -0,0 +1,5 @@
|
||||
import javascript
|
||||
|
||||
from Vue::InstanceHeapStep step, DataFlow::Node pred, DataFlow::Node succ
|
||||
where step.step(pred, succ)
|
||||
select step, pred, succ
|
||||
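Review bot: The expected output for this query contains a row whose predecessor is the bare receiver `this` (tst.js:102:20:102:23), which does not read like a step from component data into `this.dataA`; only the row starting at `42` (tst.js:100:18:100:19) does. Presumably that row is contributed by another taint-step class the same node also belongs to, since `step.step(pred, succ)` would then pick up every applicable override; this is an inference, because the library code is not shown on this page. I would add a comment above the `from` clause, such as `// the (this, this.dataA) row is not produced by InstanceHeapStep itself; see <class to confirm>`, so that a later change in the expected file is not misread as a change in the Vue modelling.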
@@ -20,3 +20,4 @@
|
||||
| tst.js:77:20:83:2 | Vue.ext ... \\n }\\n}) | deadExtended | tst.js:80:21:80:22 | 42 |
|
||||
| tst.js:85:1:87:2 | new Vue ... e; }\\n}) | created | tst.js:86:38:86:41 | true |
|
||||
| tst.js:94:2:96:3 | new Vue ... f,\\n\\t}) | dataA | tst.js:89:22:89:23 | 42 |
|
||||
| tst.js:99:2:104:3 | new Vue ... \\t\\t}\\n\\t}) | dataA | tst.js:100:18:100:19 | 42 |
|
||||
|
||||
@@ -23,3 +23,5 @@
|
||||
| tst.js:77:20:83:2 | Vue.ext ... \\n }\\n}) | data | tst.js:78:9:82:3 | functio ... };\\n } |
|
||||
| tst.js:85:1:87:2 | new Vue ... e; }\\n}) | created | tst.js:86:11:86:44 | functio ... true; } |
|
||||
| tst.js:94:2:96:3 | new Vue ... f,\\n\\t}) | data | tst.js:95:9:95:9 | f |
|
||||
| tst.js:99:2:104:3 | new Vue ... \\t\\t}\\n\\t}) | data | tst.js:100:9:100:21 | { dataA: 42 } |
|
||||
| tst.js:99:2:104:3 | new Vue ... \\t\\t}\\n\\t}) | methods | tst.js:101:12:103:3 | {\\n\\t\\t\\tm: ... ; }\\n\\t\\t} |
|
||||
|
||||
@@ -0,0 +1,12 @@
|
||||
| single-component-file-1.vue:1:1:3:11 | <template>...</> |
|
||||
| single-component-file-1.vue:2:5:10:8 | <p>...</> |
|
||||
| single-component-file-1.vue:4:1:8:9 | <script>...</> |
|
||||
| single-component-file-1.vue:9:1:10:8 | <style>...</> |
|
||||
| single-file-component-2.vue:1:1:3:11 | <template>...</> |
|
||||
| single-file-component-2.vue:2:5:11:8 | <p>...</> |
|
||||
| single-file-component-2.vue:4:1:9:9 | <script>...</> |
|
||||
| single-file-component-2.vue:10:1:11:8 | <style>...</> |
|
||||
| single-file-component-3.vue:1:1:3:11 | <template>...</> |
|
||||
| single-file-component-3.vue:2:5:7:8 | <p>...</> |
|
||||
| single-file-component-3.vue:4:1:5:9 | <script>...</> |
|
||||
| single-file-component-3.vue:6:1:7:8 | <style>...</> |
|
||||
@@ -0,0 +1,3 @@
|
||||
import javascript
|
||||
|
||||
select any(Vue::Template::Element e)
|
||||
@@ -0,0 +1,2 @@
|
||||
| single-component-file-1.vue:6:40:6:41 | 42 | single-component-file-1.vue:6:40:6:41 | 42 | single-component-file-1.vue:2:8:2:21 | v-html=dataA |
|
||||
| single-file-component-3-script.js:4:37:4:38 | 42 | single-file-component-3-script.js:4:37:4:38 | 42 | single-file-component-3.vue:2:8:2:21 | v-html=dataA |
|
||||
@@ -0,0 +1,6 @@
|
||||
import javascript
|
||||
import semmle.javascript.security.dataflow.DomBasedXss
|
||||
|
||||
from DomBasedXss::VHtmlSourceWrite w, DataFlow::Node pred, DataFlow::Node succ
|
||||
where w.step(pred, succ)
|
||||
select w, pred, succ
|
||||
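Review bot: The expected rows for this query cover single-component-file-1.vue and single-file-component-3, but there is none for single-file-component-2.vue, although the sink listing in this commit also reports `v-html=dataA` at single-file-component-2.vue:2:8:2:21. If that component's data is meant to reach the `v-html` attribute, the missing step means the DOM-based XSS query would see the sink but no flow into it, which is a false negative. If it is a deliberate negative case, the test does not say so. The fixture itself is not visible here, so this may be intended. I would record the intent in the query file, e.g. `// single-file-component-2.vue: no step expected, because <reason>`.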
@@ -1,2 +1,5 @@
|
||||
| single-component-file-1.vue:2:8:2:21 | v-html=dataA |
|
||||
| single-file-component-2.vue:2:8:2:21 | v-html=dataA |
|
||||
| single-file-component-3.vue:2:8:2:21 | v-html=dataA |
|
||||
| tst.js:5:13:5:13 | a |
|
||||
| tst.js:38:12:38:17 | danger |
|
||||
|
||||
@@ -95,3 +95,11 @@ new Vue({
|
||||
data: f,
|
||||
});
|
||||
});
|
||||
(function() {
|
||||
new Vue({
|
||||
data: { dataA: 42 },
|
||||
methods: {
|
||||
m: function() { this.dataA; }
|
||||
}
|
||||
});
|
||||
});
|
||||
|
||||