hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-17 01:03:14 +01:00
Code Issues Packages Projects Releases Wiki Activity

JS: update a js/code-injection test

Browse Source
This commit is contained in:
Esben Sparre Andreasen
2019-09-11 09:45:54 +02:00
parent e41080fb40
commit f3de75ae07
3 changed files with 111 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/CodeInjection.expected
View File

@@ -27,8 +27,6 @@ nodes
| angularjs.js:50:22:50:36 | location.search |
| angularjs.js:53:32:53:39 | location |
| angularjs.js:53:32:53:46 | location.search |
| eslint-escope-build.js:20:22:20:22 | c |
| eslint-escope-build.js:21:16:21:16 | c |
| express.js:7:24:7:69 | "return ... + "];" |
| express.js:7:44:7:62 | req.param("wobble") |
| express.js:9:34:9:79 | "return ... + "];" |
@@ -73,7 +71,6 @@ edges
| angularjs.js:47:16:47:23 | location | angularjs.js:47:16:47:30 | location.search |
| angularjs.js:50:22:50:29 | location | angularjs.js:50:22:50:36 | location.search |
| angularjs.js:53:32:53:39 | location | angularjs.js:53:32:53:46 | location.search |
| eslint-escope-build.js:20:22:20:22 | c | eslint-escope-build.js:21:16:21:16 | c |
| express.js:7:24:7:62 | "return ... obble") | express.js:7:24:7:69 | "return ... + "];" |
| express.js:7:44:7:62 | req.param("wobble") | express.js:7:24:7:62 | "return ... obble") |
| express.js:7:44:7:62 | req.param("wobble") | express.js:7:24:7:69 | "return ... + "];" |
@@ -113,7 +110,6 @@ edges
| angularjs.js:47:16:47:30 | location.search | angularjs.js:47:16:47:23 | location | angularjs.js:47:16:47:30 | location.search | $@ flows to here and is interpreted as code. | angularjs.js:47:16:47:23 | location | User-provided value |
| angularjs.js:50:22:50:36 | location.search | angularjs.js:50:22:50:29 | location | angularjs.js:50:22:50:36 | location.search | $@ flows to here and is interpreted as code. | angularjs.js:50:22:50:29 | location | User-provided value |
| angularjs.js:53:32:53:46 | location.search | angularjs.js:53:32:53:39 | location | angularjs.js:53:32:53:46 | location.search | $@ flows to here and is interpreted as code. | angularjs.js:53:32:53:39 | location | User-provided value |
| eslint-escope-build.js:21:16:21:16 | c | eslint-escope-build.js:20:22:20:22 | c | eslint-escope-build.js:21:16:21:16 | c | $@ flows to here and is interpreted as code. | eslint-escope-build.js:20:22:20:22 | c | User-provided value |
| express.js:7:24:7:69 | "return ... + "];" | express.js:7:44:7:62 | req.param("wobble") | express.js:7:24:7:69 | "return ... + "];" | $@ flows to here and is interpreted as code. | express.js:7:44:7:62 | req.param("wobble") | User-provided value |
| express.js:9:34:9:79 | "return ... + "];" | express.js:9:54:9:72 | req.param("wobble") | express.js:9:34:9:79 | "return ... + "];" | $@ flows to here and is interpreted as code. | express.js:9:54:9:72 | req.param("wobble") | User-provided value |
| express.js:12:8:12:53 | "return ... + "];" | express.js:12:28:12:46 | req.param("wobble") | express.js:12:8:12:53 | "return ... + "];" | $@ flows to here and is interpreted as code. | express.js:12:28:12:46 | req.param("wobble") | User-provided value |

102
javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/HeuristicSourceCodeInjection.expected Normal file
View File

@@ -0,0 +1,102 @@
nodes
| angularjs.js:10:22:10:29 | location |
| angularjs.js:10:22:10:36 | location.search |
| angularjs.js:13:23:13:30 | location |
| angularjs.js:13:23:13:37 | location.search |
| angularjs.js:16:28:16:35 | location |
| angularjs.js:16:28:16:42 | location.search |
| angularjs.js:19:22:19:29 | location |
| angularjs.js:19:22:19:36 | location.search |
| angularjs.js:22:27:22:34 | location |
| angularjs.js:22:27:22:41 | location.search |
| angularjs.js:25:23:25:30 | location |
| angularjs.js:25:23:25:37 | location.search |
| angularjs.js:28:33:28:40 | location |
| angularjs.js:28:33:28:47 | location.search |
| angularjs.js:31:28:31:35 | location |
| angularjs.js:31:28:31:42 | location.search |
| angularjs.js:34:18:34:25 | location |
| angularjs.js:34:18:34:32 | location.search |
| angularjs.js:40:18:40:25 | location |
| angularjs.js:40:18:40:32 | location.search |
| angularjs.js:44:17:44:24 | location |
| angularjs.js:44:17:44:31 | location.search |
| angularjs.js:47:16:47:23 | location |
| angularjs.js:47:16:47:30 | location.search |
| angularjs.js:50:22:50:29 | location |
| angularjs.js:50:22:50:36 | location.search |
| angularjs.js:53:32:53:39 | location |
| angularjs.js:53:32:53:46 | location.search |
| eslint-escope-build.js:20:22:20:22 | c |
| eslint-escope-build.js:21:16:21:16 | c |
| express.js:7:24:7:69 | "return ... + "];" |
| express.js:7:44:7:62 | req.param("wobble") |
| express.js:9:34:9:79 | "return ... + "];" |
| express.js:9:54:9:72 | req.param("wobble") |
| express.js:12:8:12:53 | "return ... + "];" |
| express.js:12:28:12:46 | req.param("wobble") |
| react-native.js:7:7:7:33 | tainted |
| react-native.js:7:17:7:33 | req.param("code") |
| react-native.js:8:32:8:38 | tainted |
| react-native.js:10:23:10:29 | tainted |
| tst.js:2:6:2:22 | document.location |
| tst.js:2:6:2:27 | documen ... on.href |
| tst.js:2:6:2:83 | documen ... t=")+8) |
| tst.js:5:12:5:28 | document.location |
| tst.js:5:12:5:33 | documen ... on.hash |
| tst.js:14:10:14:26 | document.location |
| tst.js:14:10:14:33 | documen ... .search |
| tst.js:14:10:14:74 | documen ... , "$1") |
| tst.js:17:21:17:37 | document.location |
| tst.js:17:21:17:42 | documen ... on.hash |
| tst.js:20:30:20:46 | document.location |
| tst.js:20:30:20:51 | documen ... on.hash |
| tst.js:23:6:23:46 | atob(do ... ing(1)) |
| tst.js:23:11:23:27 | document.location |
| tst.js:23:11:23:32 | documen ... on.hash |
| tst.js:23:11:23:45 | documen ... ring(1) |
| tst.js:26:26:26:33 | location |
| tst.js:26:26:26:40 | location.search |
| tst.js:26:26:26:53 | locatio ... ring(1) |
edges
| angularjs.js:10:22:10:29 | location | angularjs.js:10:22:10:36 | location.search |
| angularjs.js:13:23:13:30 | location | angularjs.js:13:23:13:37 | location.search |
| angularjs.js:16:28:16:35 | location | angularjs.js:16:28:16:42 | location.search |
| angularjs.js:19:22:19:29 | location | angularjs.js:19:22:19:36 | location.search |
| angularjs.js:22:27:22:34 | location | angularjs.js:22:27:22:41 | location.search |
| angularjs.js:25:23:25:30 | location | angularjs.js:25:23:25:37 | location.search |
| angularjs.js:28:33:28:40 | location | angularjs.js:28:33:28:47 | location.search |
| angularjs.js:31:28:31:35 | location | angularjs.js:31:28:31:42 | location.search |
| angularjs.js:34:18:34:25 | location | angularjs.js:34:18:34:32 | location.search |
| angularjs.js:40:18:40:25 | location | angularjs.js:40:18:40:32 | location.search |
| angularjs.js:44:17:44:24 | location | angularjs.js:44:17:44:31 | location.search |
| angularjs.js:47:16:47:23 | location | angularjs.js:47:16:47:30 | location.search |
| angularjs.js:50:22:50:29 | location | angularjs.js:50:22:50:36 | location.search |
| angularjs.js:53:32:53:39 | location | angularjs.js:53:32:53:46 | location.search |
| eslint-escope-build.js:20:22:20:22 | c | eslint-escope-build.js:21:16:21:16 | c |
| express.js:7:24:7:62 | "return ... obble") | express.js:7:24:7:69 | "return ... + "];" |
| express.js:7:44:7:62 | req.param("wobble") | express.js:7:24:7:62 | "return ... obble") |
| express.js:7:44:7:62 | req.param("wobble") | express.js:7:24:7:69 | "return ... + "];" |
| express.js:9:34:9:72 | "return ... obble") | express.js:9:34:9:79 | "return ... + "];" |
| express.js:9:54:9:72 | req.param("wobble") | express.js:9:34:9:72 | "return ... obble") |
| express.js:9:54:9:72 | req.param("wobble") | express.js:9:34:9:79 | "return ... + "];" |
| express.js:12:8:12:46 | "return ... obble") | express.js:12:8:12:53 | "return ... + "];" |
| express.js:12:28:12:46 | req.param("wobble") | express.js:12:8:12:46 | "return ... obble") |
| express.js:12:28:12:46 | req.param("wobble") | express.js:12:8:12:53 | "return ... + "];" |
| react-native.js:7:7:7:33 | tainted | react-native.js:8:32:8:38 | tainted |
| react-native.js:7:7:7:33 | tainted | react-native.js:10:23:10:29 | tainted |
| react-native.js:7:17:7:33 | req.param("code") | react-native.js:7:7:7:33 | tainted |
| tst.js:2:6:2:22 | document.location | tst.js:2:6:2:27 | documen ... on.href |
| tst.js:2:6:2:27 | documen ... on.href | tst.js:2:6:2:83 | documen ... t=")+8) |
| tst.js:5:12:5:28 | document.location | tst.js:5:12:5:33 | documen ... on.hash |
| tst.js:14:10:14:26 | document.location | tst.js:14:10:14:33 | documen ... .search |
| tst.js:14:10:14:33 | documen ... .search | tst.js:14:10:14:74 | documen ... , "$1") |
| tst.js:17:21:17:37 | document.location | tst.js:17:21:17:42 | documen ... on.hash |
| tst.js:20:30:20:46 | document.location | tst.js:20:30:20:51 | documen ... on.hash |
| tst.js:23:11:23:27 | document.location | tst.js:23:11:23:32 | documen ... on.hash |
| tst.js:23:11:23:32 | documen ... on.hash | tst.js:23:11:23:45 | documen ... ring(1) |
| tst.js:23:11:23:45 | documen ... ring(1) | tst.js:23:6:23:46 | atob(do ... ing(1)) |
| tst.js:26:26:26:33 | location | tst.js:26:26:26:40 | location.search |
| tst.js:26:26:26:40 | location.search | tst.js:26:26:26:53 | locatio ... ring(1) |
#select
| eslint-escope-build.js:21:16:21:16 | c | eslint-escope-build.js:20:22:20:22 | c | eslint-escope-build.js:21:16:21:16 | c | $@ flows to here and is interpreted as code. | eslint-escope-build.js:20:22:20:22 | c | User-provided value |

9
javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/HeuristicSourceCodeInjection.ql Normal file
View File

@@ -0,0 +1,9 @@
import javascript
import semmle.javascript.heuristics.AdditionalSources
import semmle.javascript.security.dataflow.CodeInjection::CodeInjection
import DataFlow::PathGraph
from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
where cfg.hasFlowPath(source, sink) and source.getNode() instanceof HeuristicSource
select sink.getNode(), source, sink, "$@ flows to here and is interpreted as code.",
source.getNode(), "User-provided value"