Add tests for stored XSS query

2026-01-30 06:42:57 +01:00 · 2020-11-11 00:05:14 -08:00
parent d517125507
commit efddef7fa2
6 changed files with 98 additions and 0 deletions
--- a/ql/test/query-tests/Security/CWE-079/StoredXss.expected
+++ b/ql/test/query-tests/Security/CWE-079/StoredXss.expected
@@ -0,0 +1,11 @@
+edges
+| StoredXss.go:13:21:13:31 | call to Name : string | StoredXss.go:13:21:13:36 | ...+... |
+| stored.go:16:3:16:28 | ... := ...[0] : pointer type | stored.go:28:22:28:25 | name |
+nodes
+| StoredXss.go:13:21:13:31 | call to Name : string | semmle.label | call to Name : string |
+| StoredXss.go:13:21:13:36 | ...+... | semmle.label | ...+... |
+| stored.go:16:3:16:28 | ... := ...[0] : pointer type | semmle.label | ... := ...[0] : pointer type |
+| stored.go:28:22:28:25 | name | semmle.label | name |
+#select
+| StoredXss.go:13:21:13:36 | ...+... | StoredXss.go:13:21:13:31 | call to Name : string | StoredXss.go:13:21:13:36 | ...+... | Stored cross-site scripting vulnerability due to $@. | StoredXss.go:13:21:13:31 | call to Name | stored value |
+| stored.go:28:22:28:25 | name | stored.go:16:3:16:28 | ... := ...[0] : pointer type | stored.go:28:22:28:25 | name | Stored cross-site scripting vulnerability due to $@. | stored.go:16:3:16:28 | ... := ...[0] | stored value |
--- a/ql/test/query-tests/Security/CWE-079/StoredXss.go
+++ b/ql/test/query-tests/Security/CWE-079/StoredXss.go
@@ -0,0 +1,15 @@
+package main
+
+import (
+	"io"
+	"io/ioutil"
+	"net/http"
+)
+
+func ListFiles(w http.ResponseWriter, r *http.Request) {
+	files, _ := ioutil.ReadDir(".")
+
+	for _, file := range files {
+		io.WriteString(w, file.Name()+"\n")
+	}
+}
--- a/ql/test/query-tests/Security/CWE-079/StoredXss.qlref
+++ b/ql/test/query-tests/Security/CWE-079/StoredXss.qlref
@@ -0,0 +1 @@
+Security/CWE-079/StoredXss.ql
--- a/ql/test/query-tests/Security/CWE-079/StoredXssGood.go
+++ b/ql/test/query-tests/Security/CWE-079/StoredXssGood.go
@@ -0,0 +1,16 @@
+package main
+
+import (
+	"html"
+	"io"
+	"io/ioutil"
+	"net/http"
+)
+
+func ListFiles1(w http.ResponseWriter, r *http.Request) {
+	files, _ := ioutil.ReadDir(".")
+
+	for _, file := range files {
+		io.WriteString(w, html.EscapeString(file.Name())+"\n")
+	}
+}
--- a/ql/test/query-tests/Security/CWE-079/stored.go
+++ b/ql/test/query-tests/Security/CWE-079/stored.go
@@ -0,0 +1,53 @@
+package main
+
+import (
+	"database/sql"
+	"io"
+	"log"
+	"net/http"
+)
+
+var db *sql.DB
+var q string
+
+func storedserve1() {
+	http.HandleFunc("/user", func(w http.ResponseWriter, r *http.Request) {
+		r.ParseForm()
+		rows, _ := db.Query(q, 32)
+
+		for rows.Next() {
+			var (
+				id   int64
+				name string
+			)
+			if err := rows.Scan(&id, &name); err != nil {
+				log.Fatal(err)
+			}
+
+			// BAD: the stored XSS query assumes all query results are untrusted
+			io.WriteString(w, name)
+		}
+	})
+}
+
+func storedserve2() {
+	http.HandleFunc("/user", func(w http.ResponseWriter, r *http.Request) {
+		r.ParseForm()
+		rows, _ := db.Query(q, 32)
+
+		for rows.Next() {
+			var (
+				id   int64
+				name string
+			)
+			if err := rows.Scan(&id, &name); err != nil {
+				log.Fatal(err)
+			}
+
+			// GOOD: name is checked against a constant value
+			if name == "Sam" {
+				io.WriteString(w, name)
+			}
+		}
+	})
+}
--- a/ql/test/query-tests/Security/CWE-079/tst.go
+++ b/ql/test/query-tests/Security/CWE-079/tst.go
@@ -69,3 +69,5 @@ func serve9(log io.Writer) {
 	})
 	http.ListenAndServe(":80", nil)
 }
+
+func main() {}