JavaScript: Restrict RemotePropertyInjection query to avoid double-reporting.

This query now only flags user-controlled property and header writes; method calls are handled by the new unsafe/unvalidated method call queries.
This commit is contained in:
Max Schaefer
2018-11-27 12:36:17 +00:00
parent 2889e07eb8
commit f1c538a97b
5 changed files with 62 additions and 93 deletions


@@ -3,7 +3,6 @@ nodes
| tst.js:8:13:8:52 | myCoolL ... rolled) |
| tst.js:8:28:8:51 | req.que ... trolled |
| tst.js:9:8:9:11 | prop |
| tst.js:11:16:11:19 | prop |
| tst.js:13:15:13:18 | prop |
| tst.js:14:31:14:34 | prop |
| tst.js:16:10:16:13 | prop |
@@ -12,7 +11,6 @@ nodes
| tstNonExpr.js:8:17:8:23 | userVal |
edges
| tst.js:8:6:8:52 | prop | tst.js:9:8:9:11 | prop |
| tst.js:8:6:8:52 | prop | tst.js:11:16:11:19 | prop |
| tst.js:8:6:8:52 | prop | tst.js:13:15:13:18 | prop |
| tst.js:8:6:8:52 | prop | tst.js:14:31:14:34 | prop |
| tst.js:8:6:8:52 | prop | tst.js:16:10:16:13 | prop |
@@ -22,7 +20,6 @@ edges
| tstNonExpr.js:5:17:5:23 | req.url | tstNonExpr.js:5:7:5:23 | userVal |
#select
| tst.js:9:8:9:11 | prop | tst.js:8:28:8:51 | req.que ... trolled | tst.js:9:8:9:11 | prop | A $@ is used as a property name to write to. | tst.js:8:28:8:51 | req.que ... trolled | user-provided value |
| tst.js:11:16:11:19 | prop | tst.js:8:28:8:51 | req.que ... trolled | tst.js:11:16:11:19 | prop | A $@ is used as a method name to be called. | tst.js:8:28:8:51 | req.que ... trolled | user-provided value |
| tst.js:13:15:13:18 | prop | tst.js:8:28:8:51 | req.que ... trolled | tst.js:13:15:13:18 | prop | A $@ is used as a property name to write to. | tst.js:8:28:8:51 | req.que ... trolled | user-provided value |
| tst.js:14:31:14:34 | prop | tst.js:8:28:8:51 | req.que ... trolled | tst.js:14:31:14:34 | prop | A $@ is used as a property name to write to. | tst.js:8:28:8:51 | req.que ... trolled | user-provided value |
| tst.js:16:10:16:13 | prop | tst.js:8:28:8:51 | req.que ... trolled | tst.js:16:10:16:13 | prop | A $@ is used as a property name to write to. | tst.js:8:28:8:51 | req.que ... trolled | user-provided value |


@@ -5,14 +5,14 @@ var myObj = {}
app.get('/user/:id', function(req, res) {
myCoolLocalFct(req.query.userControlled);
var prop = myCoolLocalFct(req.query.userControlled);
var prop = myCoolLocalFct(req.query.userControlled);
myObj[prop] = 23; // NOT OK
myObj.prop = 23; // OK
var x = myObj[prop]; // NOT OK
x(23);
delete myObj[prop]; // NOT OK
var x = myObj[prop]; // NOT OK, but flagged by different query
x(23);
delete myObj[prop]; // NOT OK
Object.defineProperty(myObj, prop, {value: 24}); // NOT OK
var headers = {};
var headers = {};
headers[prop] = 42; // NOT OK
res.set(headers);
myCoolLocalFct[req.query.x](); // OK - flagged by method name injection
@@ -21,5 +21,5 @@ app.get('/user/:id', function(req, res) {
function myCoolLocalFct(x) {
var result = x;
return result.substring(0, result.length);
}
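Review bot: The annotation on the new line `var x = myObj[prop]; // NOT OK, but flagged by different query` in the first hunk conflicts with the convention used a few lines further down in the same fixture, where `myCoolLocalFct[req.query.x](); // OK - flagged by method name injection` marks a case this query intentionally leaves to another query as OK. Given the commit description says method calls are now left to the new unsafe/unvalidated method call queries, this read-then-call case is in the same category, and a reader of the test should be able to tell "flagged here" from "flagged elsewhere" at a glance. Suggest aligning the wording: `var x = myObj[prop]; // OK - flagged by method name injection`. The trailing hunk on `myCoolLocalFct` shows no visible code difference in the rendered view, so it presumably only touches whitespace or a blank line and needs no further change.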