hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-21 19:26:31 +01:00
Code Issues Packages Projects Releases Wiki Activity

add failing test for call the Function with a spread argument

Browse Source
This commit is contained in:
erik-krogh
2022-09-07 22:54:21 +02:00
parent 144a0455d8
commit e829387cdb
3 changed files with 53 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

22
javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/CodeInjection.expected
View File

@@ -157,6 +157,16 @@ nodes
| tst.js:26:26:26:40 | location.search | | tst.js:26:26:26:40 | location.search |
| tst.js:26:26:26:53 | locatio ... ring(1) | | tst.js:26:26:26:53 | locatio ... ring(1) |
| tst.js:26:26:26:53 | locatio ... ring(1) | | tst.js:26:26:26:53 | locatio ... ring(1) |
| tst.js:29:9:29:82 | source |
| tst.js:29:18:29:41 | documen ... .search |
| tst.js:29:18:29:41 | documen ... .search |
| tst.js:29:18:29:82 | documen ... , "$1") |
| tst.js:31:18:31:23 | source |
| tst.js:31:18:31:23 | source |
| tst.js:33:14:33:19 | source |
| tst.js:33:14:33:19 | source |
| tst.js:35:28:35:33 | source |
| tst.js:35:28:35:33 | source |
edges edges
| NoSQLCodeInjection.js:18:24:18:31 | req.body | NoSQLCodeInjection.js:18:24:18:37 | req.body.query | | NoSQLCodeInjection.js:18:24:18:31 | req.body | NoSQLCodeInjection.js:18:24:18:37 | req.body.query |
| NoSQLCodeInjection.js:18:24:18:31 | req.body | NoSQLCodeInjection.js:18:24:18:37 | req.body.query | | NoSQLCodeInjection.js:18:24:18:31 | req.body | NoSQLCodeInjection.js:18:24:18:37 | req.body.query |
@@ -262,6 +272,15 @@ edges
| tst.js:26:26:26:40 | location.search | tst.js:26:26:26:53 | locatio ... ring(1) | | tst.js:26:26:26:40 | location.search | tst.js:26:26:26:53 | locatio ... ring(1) |
| tst.js:26:26:26:40 | location.search | tst.js:26:26:26:53 | locatio ... ring(1) | | tst.js:26:26:26:40 | location.search | tst.js:26:26:26:53 | locatio ... ring(1) |
| tst.js:26:26:26:40 | location.search | tst.js:26:26:26:53 | locatio ... ring(1) | | tst.js:26:26:26:40 | location.search | tst.js:26:26:26:53 | locatio ... ring(1) |
| tst.js:29:9:29:82 | source | tst.js:31:18:31:23 | source |
| tst.js:29:9:29:82 | source | tst.js:31:18:31:23 | source |
| tst.js:29:9:29:82 | source | tst.js:33:14:33:19 | source |
| tst.js:29:9:29:82 | source | tst.js:33:14:33:19 | source |
| tst.js:29:9:29:82 | source | tst.js:35:28:35:33 | source |
| tst.js:29:9:29:82 | source | tst.js:35:28:35:33 | source |
| tst.js:29:18:29:41 | documen ... .search | tst.js:29:18:29:82 | documen ... , "$1") |
| tst.js:29:18:29:41 | documen ... .search | tst.js:29:18:29:82 | documen ... , "$1") |
| tst.js:29:18:29:82 | documen ... , "$1") | tst.js:29:9:29:82 | source |
#select #select
| NoSQLCodeInjection.js:18:24:18:37 | req.body.query | NoSQLCodeInjection.js:18:24:18:31 | req.body | NoSQLCodeInjection.js:18:24:18:37 | req.body.query | $@ flows to here and is interpreted as code. | NoSQLCodeInjection.js:18:24:18:31 | req.body | User-provided value | | NoSQLCodeInjection.js:18:24:18:37 | req.body.query | NoSQLCodeInjection.js:18:24:18:31 | req.body | NoSQLCodeInjection.js:18:24:18:37 | req.body.query | $@ flows to here and is interpreted as code. | NoSQLCodeInjection.js:18:24:18:31 | req.body | User-provided value |
| NoSQLCodeInjection.js:19:24:19:48 | "name = ... dy.name | NoSQLCodeInjection.js:19:36:19:43 | req.body | NoSQLCodeInjection.js:19:24:19:48 | "name = ... dy.name | $@ flows to here and is interpreted as code. | NoSQLCodeInjection.js:19:36:19:43 | req.body | User-provided value | | NoSQLCodeInjection.js:19:24:19:48 | "name = ... dy.name | NoSQLCodeInjection.js:19:36:19:43 | req.body | NoSQLCodeInjection.js:19:24:19:48 | "name = ... dy.name | $@ flows to here and is interpreted as code. | NoSQLCodeInjection.js:19:36:19:43 | req.body | User-provided value |
@@ -314,3 +333,6 @@ edges
| tst.js:20:30:20:51 | documen ... on.hash | tst.js:20:30:20:51 | documen ... on.hash | tst.js:20:30:20:51 | documen ... on.hash | $@ flows to here and is interpreted as code. | tst.js:20:30:20:51 | documen ... on.hash | User-provided value | | tst.js:20:30:20:51 | documen ... on.hash | tst.js:20:30:20:51 | documen ... on.hash | tst.js:20:30:20:51 | documen ... on.hash | $@ flows to here and is interpreted as code. | tst.js:20:30:20:51 | documen ... on.hash | User-provided value |
| tst.js:23:6:23:46 | atob(do ... ing(1)) | tst.js:23:11:23:32 | documen ... on.hash | tst.js:23:6:23:46 | atob(do ... ing(1)) | $@ flows to here and is interpreted as code. | tst.js:23:11:23:32 | documen ... on.hash | User-provided value | | tst.js:23:6:23:46 | atob(do ... ing(1)) | tst.js:23:11:23:32 | documen ... on.hash | tst.js:23:6:23:46 | atob(do ... ing(1)) | $@ flows to here and is interpreted as code. | tst.js:23:11:23:32 | documen ... on.hash | User-provided value |
| tst.js:26:26:26:53 | locatio ... ring(1) | tst.js:26:26:26:40 | location.search | tst.js:26:26:26:53 | locatio ... ring(1) | $@ flows to here and is interpreted as code. | tst.js:26:26:26:40 | location.search | User-provided value | | tst.js:26:26:26:53 | locatio ... ring(1) | tst.js:26:26:26:40 | location.search | tst.js:26:26:26:53 | locatio ... ring(1) | $@ flows to here and is interpreted as code. | tst.js:26:26:26:40 | location.search | User-provided value |
| tst.js:31:18:31:23 | source | tst.js:29:18:29:41 | documen ... .search | tst.js:31:18:31:23 | source | $@ flows to here and is interpreted as code. | tst.js:29:18:29:41 | documen ... .search | User-provided value |
| tst.js:33:14:33:19 | source | tst.js:29:18:29:41 | documen ... .search | tst.js:33:14:33:19 | source | $@ flows to here and is interpreted as code. | tst.js:29:18:29:41 | documen ... .search | User-provided value |
| tst.js:35:28:35:33 | source | tst.js:29:18:29:41 | documen ... .search | tst.js:35:28:35:33 | source | $@ flows to here and is interpreted as code. | tst.js:29:18:29:41 | documen ... .search | User-provided value |

19
javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/HeuristicSourceCodeInjection.expected
View File

@@ -161,6 +161,16 @@ nodes
| tst.js:26:26:26:40 | location.search | | tst.js:26:26:26:40 | location.search |
| tst.js:26:26:26:53 | locatio ... ring(1) | | tst.js:26:26:26:53 | locatio ... ring(1) |
| tst.js:26:26:26:53 | locatio ... ring(1) | | tst.js:26:26:26:53 | locatio ... ring(1) |
| tst.js:29:9:29:82 | source |
| tst.js:29:18:29:41 | documen ... .search |
| tst.js:29:18:29:41 | documen ... .search |
| tst.js:29:18:29:82 | documen ... , "$1") |
| tst.js:31:18:31:23 | source |
| tst.js:31:18:31:23 | source |
| tst.js:33:14:33:19 | source |
| tst.js:33:14:33:19 | source |
| tst.js:35:28:35:33 | source |
| tst.js:35:28:35:33 | source |
edges edges
| NoSQLCodeInjection.js:18:24:18:31 | req.body | NoSQLCodeInjection.js:18:24:18:37 | req.body.query | | NoSQLCodeInjection.js:18:24:18:31 | req.body | NoSQLCodeInjection.js:18:24:18:37 | req.body.query |
| NoSQLCodeInjection.js:18:24:18:31 | req.body | NoSQLCodeInjection.js:18:24:18:37 | req.body.query | | NoSQLCodeInjection.js:18:24:18:31 | req.body | NoSQLCodeInjection.js:18:24:18:37 | req.body.query |
@@ -270,5 +280,14 @@ edges
| tst.js:26:26:26:40 | location.search | tst.js:26:26:26:53 | locatio ... ring(1) | | tst.js:26:26:26:40 | location.search | tst.js:26:26:26:53 | locatio ... ring(1) |
| tst.js:26:26:26:40 | location.search | tst.js:26:26:26:53 | locatio ... ring(1) | | tst.js:26:26:26:40 | location.search | tst.js:26:26:26:53 | locatio ... ring(1) |
| tst.js:26:26:26:40 | location.search | tst.js:26:26:26:53 | locatio ... ring(1) | | tst.js:26:26:26:40 | location.search | tst.js:26:26:26:53 | locatio ... ring(1) |
| tst.js:29:9:29:82 | source | tst.js:31:18:31:23 | source |
| tst.js:29:9:29:82 | source | tst.js:31:18:31:23 | source |
| tst.js:29:9:29:82 | source | tst.js:33:14:33:19 | source |
| tst.js:29:9:29:82 | source | tst.js:33:14:33:19 | source |
| tst.js:29:9:29:82 | source | tst.js:35:28:35:33 | source |
| tst.js:29:9:29:82 | source | tst.js:35:28:35:33 | source |
| tst.js:29:18:29:41 | documen ... .search | tst.js:29:18:29:82 | documen ... , "$1") |
| tst.js:29:18:29:41 | documen ... .search | tst.js:29:18:29:82 | documen ... , "$1") |
| tst.js:29:18:29:82 | documen ... , "$1") | tst.js:29:9:29:82 | source |
#select #select
| eslint-escope-build.js:21:16:21:16 | c | eslint-escope-build.js:20:22:20:22 | c | eslint-escope-build.js:21:16:21:16 | c | $@ flows to here and is interpreted as code. | eslint-escope-build.js:20:22:20:22 | c | User-provided value | | eslint-escope-build.js:21:16:21:16 | c | eslint-escope-build.js:20:22:20:22 | c | eslint-escope-build.js:21:16:21:16 | c | $@ flows to here and is interpreted as code. | eslint-escope-build.js:20:22:20:22 | c | User-provided value |

12
javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/tst.js
View File

@@ -24,3 +24,15 @@ eval(atob(document.location.hash.substring(1)));
// NOT OK // NOT OK
$('<a>').attr("onclick", location.search.substring(1)); $('<a>').attr("onclick", location.search.substring(1));
(function test() {
var source = document.location.search.replace(/.*\bfoo\s*=\s*([^;]*).*/, "$1");
new Function(source); // NOT OK
Function(source); // NOT OK
new Function("a", "b", source); // NOT OK
new Function(...["a", "b"], source); // NOT OK - but not flagged [INCONSISTENCY]
})();