hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-28 02:05:14 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'main' into js/shared-dataflow-merge-main

Browse Source
This commit is contained in:
Asger F
2024-08-02 13:18:38 +02:00
parent 5c222f7b05 be945f14f6
commit df64388d79
1505 changed files with 135513 additions and 35699 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
javascript/ql/test/query-tests/Security/CWE-693/InsecureHelmet.expected Normal file
View File

@@ -0,0 +1,2 @@
| InsecureHelmetBad.js:6:9:9:2 | helmet( ... uard\\n}) | Helmet security middleware, configured with security setting $@ set to 'false', which disables enforcing that feature. | InsecureHelmetBad.js:7:5:7:32 | content ... : false | contentSecurityPolicy |
| InsecureHelmetBad.js:6:9:9:2 | helmet( ... uard\\n}) | Helmet security middleware, configured with security setting $@ set to 'false', which disables enforcing that feature. | InsecureHelmetBad.js:8:5:8:21 | frameguard: false | frameguard |

1
javascript/ql/test/query-tests/Security/CWE-693/InsecureHelmet.qlref Normal file
View File

@@ -0,0 +1 @@
Security/CWE-693/InsecureHelmet.ql

17
javascript/ql/test/query-tests/Security/CWE-693/InsecureHelmetBad.js Normal file
View File

@@ -0,0 +1,17 @@
const express = require("express");
const helmet = require("helmet");
const app = express();
app.use(helmet({
contentSecurityPolicy: false, // BAD: switch off default CSP
frameguard: false // BAD: switch off default frameguard
}));
app.get("/", (req, res) => {
res.send("Hello, world!");
});
app.listen(3000, () => {
console.log("App is listening on port 3000");
});

14
javascript/ql/test/query-tests/Security/CWE-693/InsecureHelmetGood.js Normal file
View File

@@ -0,0 +1,14 @@
const express = require("express");
const helmet = require("helmet");
const app = express();
app.use(helmet()); // GOOD: use the defaults
app.get("/", (req, res) => {
res.send("Hello, world!");
});
app.listen(3000, () => {
console.log("App is listening on port 3000");
});

1
javascript/ql/test/query-tests/Security/CWE-830/FunctionalityFromUntrustedDomain.expected Normal file
View File

@@ -0,0 +1 @@
| polyfill-nocheck.html:4:9:4:98 | <script>...</> | Content loaded from untrusted domain with no integrity check. |

1
javascript/ql/test/query-tests/Security/CWE-830/FunctionalityFromUntrustedDomain.qlref Normal file
View File

@@ -0,0 +1 @@
Security/CWE-830/FunctionalityFromUntrustedDomain.ql

9
javascript/ql/test/query-tests/Security/CWE-830/polyfill-check.html Normal file
View File

@@ -0,0 +1,9 @@
<html>
<head>
<title>Polyfill demo - Cloudflare hosted with pinned version and integrity checking</title>
<script src="https://cdnjs.cloudflare.com/polyfill/v3/polyfill.min.js?version=4.8.0" integrity="sha384-3d4jRKquKl90C9aFG+eH4lPJmtbPHgACWHrp+VomFOxF8lzx2jxqeYkhpRg18UWC" crossorigin="anonymous"></script>
</head>
<body>
...
</body>
</html>

9
javascript/ql/test/query-tests/Security/CWE-830/polyfill-nocheck.html Normal file
View File

@@ -0,0 +1,9 @@
<html>
<head>
<title>Polyfill.io demo</title>
<script src="https://cdn.polyfill.io/v2/polyfill.min.js" crossorigin="anonymous"></script>
</head>
<body>
...
</body>
</html>