mirror of
https://github.com/github/codeql.git
synced 2026-04-29 02:35:15 +02:00
Merge branch 'main' into property-stringify
This commit is contained in:
tyage
@@ -3695,10 +3695,22 @@ endpoints
|
||||
| autogenerated/NosqlAndSqlInjection/untyped/pg-promise.js:63:12:63:28 | t => t.one(query) | Xss | isConstantExpression | false | boolean |
|
||||
| autogenerated/NosqlAndSqlInjection/untyped/pg-promise.js:63:12:63:28 | t => t.one(query) | Xss | isExcludedFromEndToEndEvaluation | false | boolean |
|
||||
| autogenerated/NosqlAndSqlInjection/untyped/pg-promise.js:63:12:63:28 | t => t.one(query) | Xss | sinkLabel | Unknown | string |
|
||||
| autogenerated/NosqlAndSqlInjection/untyped/pg-promise.js:63:23:63:27 | query | NosqlInjection | hasFlowFromSource | true | boolean |
|
||||
| autogenerated/NosqlAndSqlInjection/untyped/pg-promise.js:63:23:63:27 | query | NosqlInjection | isConstantExpression | false | boolean |
|
||||
| autogenerated/NosqlAndSqlInjection/untyped/pg-promise.js:63:23:63:27 | query | NosqlInjection | isExcludedFromEndToEndEvaluation | false | boolean |
|
||||
| autogenerated/NosqlAndSqlInjection/untyped/pg-promise.js:63:23:63:27 | query | NosqlInjection | sinkLabel | Unknown | string |
|
||||
| autogenerated/NosqlAndSqlInjection/untyped/pg-promise.js:63:23:63:27 | query | SqlInjection | hasFlowFromSource | true | boolean |
|
||||
| autogenerated/NosqlAndSqlInjection/untyped/pg-promise.js:63:23:63:27 | query | SqlInjection | isConstantExpression | false | boolean |
|
||||
| autogenerated/NosqlAndSqlInjection/untyped/pg-promise.js:63:23:63:27 | query | SqlInjection | isExcludedFromEndToEndEvaluation | false | boolean |
|
||||
| autogenerated/NosqlAndSqlInjection/untyped/pg-promise.js:63:23:63:27 | query | SqlInjection | sinkLabel | Sink | string |
|
||||
| autogenerated/NosqlAndSqlInjection/untyped/pg-promise.js:63:23:63:27 | query | SqlInjection | sinkLabel | Unknown | string |
|
||||
| autogenerated/NosqlAndSqlInjection/untyped/pg-promise.js:63:23:63:27 | query | TaintedPath | hasFlowFromSource | true | boolean |
|
||||
| autogenerated/NosqlAndSqlInjection/untyped/pg-promise.js:63:23:63:27 | query | TaintedPath | isConstantExpression | false | boolean |
|
||||
| autogenerated/NosqlAndSqlInjection/untyped/pg-promise.js:63:23:63:27 | query | TaintedPath | isExcludedFromEndToEndEvaluation | false | boolean |
|
||||
| autogenerated/NosqlAndSqlInjection/untyped/pg-promise.js:63:23:63:27 | query | TaintedPath | sinkLabel | Unknown | string |
|
||||
| autogenerated/NosqlAndSqlInjection/untyped/pg-promise.js:63:23:63:27 | query | Xss | hasFlowFromSource | true | boolean |
|
||||
| autogenerated/NosqlAndSqlInjection/untyped/pg-promise.js:63:23:63:27 | query | Xss | isConstantExpression | false | boolean |
|
||||
| autogenerated/NosqlAndSqlInjection/untyped/pg-promise.js:63:23:63:27 | query | Xss | isExcludedFromEndToEndEvaluation | false | boolean |
|
||||
| autogenerated/NosqlAndSqlInjection/untyped/pg-promise.js:63:23:63:27 | query | Xss | sinkLabel | Unknown | string |
|
||||
| autogenerated/NosqlAndSqlInjection/untyped/pg-promise.js:64:5:64:21 | t => t.one(query) | NosqlInjection | hasFlowFromSource | false | boolean |
|
||||
| autogenerated/NosqlAndSqlInjection/untyped/pg-promise.js:64:5:64:21 | t => t.one(query) | NosqlInjection | isConstantExpression | false | boolean |
|
||||
| autogenerated/NosqlAndSqlInjection/untyped/pg-promise.js:64:5:64:21 | t => t.one(query) | NosqlInjection | isExcludedFromEndToEndEvaluation | false | boolean |
|
||||
|
||||
@@ -3695,10 +3695,22 @@ endpoints
|
||||
| autogenerated/NosqlAndSqlInjection/untyped/pg-promise.js:63:12:63:28 | t => t.one(query) | Xss | isConstantExpression | false | boolean |
|
||||
| autogenerated/NosqlAndSqlInjection/untyped/pg-promise.js:63:12:63:28 | t => t.one(query) | Xss | isExcludedFromEndToEndEvaluation | false | boolean |
|
||||
| autogenerated/NosqlAndSqlInjection/untyped/pg-promise.js:63:12:63:28 | t => t.one(query) | Xss | sinkLabel | Unknown | string |
|
||||
| autogenerated/NosqlAndSqlInjection/untyped/pg-promise.js:63:23:63:27 | query | NosqlInjection | hasFlowFromSource | true | boolean |
|
||||
| autogenerated/NosqlAndSqlInjection/untyped/pg-promise.js:63:23:63:27 | query | NosqlInjection | isConstantExpression | false | boolean |
|
||||
| autogenerated/NosqlAndSqlInjection/untyped/pg-promise.js:63:23:63:27 | query | NosqlInjection | isExcludedFromEndToEndEvaluation | false | boolean |
|
||||
| autogenerated/NosqlAndSqlInjection/untyped/pg-promise.js:63:23:63:27 | query | NosqlInjection | sinkLabel | Unknown | string |
|
||||
| autogenerated/NosqlAndSqlInjection/untyped/pg-promise.js:63:23:63:27 | query | SqlInjection | hasFlowFromSource | true | boolean |
|
||||
| autogenerated/NosqlAndSqlInjection/untyped/pg-promise.js:63:23:63:27 | query | SqlInjection | isConstantExpression | false | boolean |
|
||||
| autogenerated/NosqlAndSqlInjection/untyped/pg-promise.js:63:23:63:27 | query | SqlInjection | isExcludedFromEndToEndEvaluation | false | boolean |
|
||||
| autogenerated/NosqlAndSqlInjection/untyped/pg-promise.js:63:23:63:27 | query | SqlInjection | sinkLabel | Sink | string |
|
||||
| autogenerated/NosqlAndSqlInjection/untyped/pg-promise.js:63:23:63:27 | query | SqlInjection | sinkLabel | Unknown | string |
|
||||
| autogenerated/NosqlAndSqlInjection/untyped/pg-promise.js:63:23:63:27 | query | TaintedPath | hasFlowFromSource | true | boolean |
|
||||
| autogenerated/NosqlAndSqlInjection/untyped/pg-promise.js:63:23:63:27 | query | TaintedPath | isConstantExpression | false | boolean |
|
||||
| autogenerated/NosqlAndSqlInjection/untyped/pg-promise.js:63:23:63:27 | query | TaintedPath | isExcludedFromEndToEndEvaluation | false | boolean |
|
||||
| autogenerated/NosqlAndSqlInjection/untyped/pg-promise.js:63:23:63:27 | query | TaintedPath | sinkLabel | Unknown | string |
|
||||
| autogenerated/NosqlAndSqlInjection/untyped/pg-promise.js:63:23:63:27 | query | Xss | hasFlowFromSource | true | boolean |
|
||||
| autogenerated/NosqlAndSqlInjection/untyped/pg-promise.js:63:23:63:27 | query | Xss | isConstantExpression | false | boolean |
|
||||
| autogenerated/NosqlAndSqlInjection/untyped/pg-promise.js:63:23:63:27 | query | Xss | isExcludedFromEndToEndEvaluation | false | boolean |
|
||||
| autogenerated/NosqlAndSqlInjection/untyped/pg-promise.js:63:23:63:27 | query | Xss | sinkLabel | Unknown | string |
|
||||
| autogenerated/NosqlAndSqlInjection/untyped/pg-promise.js:64:5:64:21 | t => t.one(query) | NosqlInjection | hasFlowFromSource | false | boolean |
|
||||
| autogenerated/NosqlAndSqlInjection/untyped/pg-promise.js:64:5:64:21 | t => t.one(query) | NosqlInjection | isConstantExpression | false | boolean |
|
||||
| autogenerated/NosqlAndSqlInjection/untyped/pg-promise.js:64:5:64:21 | t => t.one(query) | NosqlInjection | isExcludedFromEndToEndEvaluation | false | boolean |
|
||||
|
||||
@@ -907,10 +907,6 @@ endpoints
|
||||
| autogenerated/NosqlAndSqlInjection/untyped/pg-promise.js:60:20:60:24 | query | SqlInjection | isConstantExpression | false | boolean |
|
||||
| autogenerated/NosqlAndSqlInjection/untyped/pg-promise.js:60:20:60:24 | query | SqlInjection | isExcludedFromEndToEndEvaluation | false | boolean |
|
||||
| autogenerated/NosqlAndSqlInjection/untyped/pg-promise.js:60:20:60:24 | query | SqlInjection | sinkLabel | Sink | string |
|
||||
| autogenerated/NosqlAndSqlInjection/untyped/pg-promise.js:63:23:63:27 | query | SqlInjection | hasFlowFromSource | true | boolean |
|
||||
| autogenerated/NosqlAndSqlInjection/untyped/pg-promise.js:63:23:63:27 | query | SqlInjection | isConstantExpression | false | boolean |
|
||||
| autogenerated/NosqlAndSqlInjection/untyped/pg-promise.js:63:23:63:27 | query | SqlInjection | isExcludedFromEndToEndEvaluation | false | boolean |
|
||||
| autogenerated/NosqlAndSqlInjection/untyped/pg-promise.js:63:23:63:27 | query | SqlInjection | sinkLabel | Sink | string |
|
||||
| autogenerated/NosqlAndSqlInjection/untyped/pg-promise.js:64:16:64:20 | query | SqlInjection | hasFlowFromSource | true | boolean |
|
||||
| autogenerated/NosqlAndSqlInjection/untyped/pg-promise.js:64:16:64:20 | query | SqlInjection | isConstantExpression | false | boolean |
|
||||
| autogenerated/NosqlAndSqlInjection/untyped/pg-promise.js:64:16:64:20 | query | SqlInjection | isExcludedFromEndToEndEvaluation | false | boolean |
|
||||
@@ -7580,18 +7576,6 @@ tokenFeatures
|
||||
| autogenerated/NosqlAndSqlInjection/untyped/pg-promise.js:60:20:60:24 | query | fileImports | express pg-promise |
|
||||
| autogenerated/NosqlAndSqlInjection/untyped/pg-promise.js:60:20:60:24 | query | receiverName | t |
|
||||
| autogenerated/NosqlAndSqlInjection/untyped/pg-promise.js:60:20:60:24 | query | stringConcatenatedWith | |
|
||||
| autogenerated/NosqlAndSqlInjection/untyped/pg-promise.js:63:23:63:27 | query | CalleeFlexibleAccessPath | t.one |
|
||||
| autogenerated/NosqlAndSqlInjection/untyped/pg-promise.js:63:23:63:27 | query | InputAccessPathFromCallee | |
|
||||
| autogenerated/NosqlAndSqlInjection/untyped/pg-promise.js:63:23:63:27 | query | InputArgumentIndex | 0 |
|
||||
| autogenerated/NosqlAndSqlInjection/untyped/pg-promise.js:63:23:63:27 | query | assignedToPropName | |
|
||||
| autogenerated/NosqlAndSqlInjection/untyped/pg-promise.js:63:23:63:27 | query | calleeImports | |
|
||||
| autogenerated/NosqlAndSqlInjection/untyped/pg-promise.js:63:23:63:27 | query | contextFunctionInterfaces | cnd(t) |
|
||||
| autogenerated/NosqlAndSqlInjection/untyped/pg-promise.js:63:23:63:27 | query | contextSurroundingFunctionParameters | (req, res)\n(t) |
|
||||
| autogenerated/NosqlAndSqlInjection/untyped/pg-promise.js:63:23:63:27 | query | enclosingFunctionBody | req res db pgp process DB_CONNECTION_STRING env DB_CONNECTION_STRING query SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY=' req params category ' ORDER BY PRICE db any query db many query db manyOrNone query db map query db multi query db multiResult query db none query db one query db oneOrNone query db query query db result query db one text query db one text SELECT * FROM news where id = $1 values req params id db one text SELECT * FROM news where id = $1:raw values req params id db one text SELECT * FROM news where id = $1^ values req params id db one text SELECT * FROM news where id = $1:raw AND name = $2:raw AND foo = $3 values req params id req params name req params foo db one text SELECT * FROM news where id = ${id}:raw AND name = ${name} values id req params id name req params name db one text SELECT * FROM news where id = ${id}:value AND name LIKE '%${name}:value%' AND title LIKE "%${title}:value%" values id req params id name req params name title req params title db task t t one query db task cnd t t one query t t one query |
|
||||
| autogenerated/NosqlAndSqlInjection/untyped/pg-promise.js:63:23:63:27 | query | enclosingFunctionName | get#functionalargument |
|
||||
| autogenerated/NosqlAndSqlInjection/untyped/pg-promise.js:63:23:63:27 | query | fileImports | express pg-promise |
|
||||
| autogenerated/NosqlAndSqlInjection/untyped/pg-promise.js:63:23:63:27 | query | receiverName | t |
|
||||
| autogenerated/NosqlAndSqlInjection/untyped/pg-promise.js:63:23:63:27 | query | stringConcatenatedWith | |
|
||||
| autogenerated/NosqlAndSqlInjection/untyped/pg-promise.js:64:16:64:20 | query | CalleeFlexibleAccessPath | t.one |
|
||||
| autogenerated/NosqlAndSqlInjection/untyped/pg-promise.js:64:16:64:20 | query | InputAccessPathFromCallee | |
|
||||
| autogenerated/NosqlAndSqlInjection/untyped/pg-promise.js:64:16:64:20 | query | InputArgumentIndex | 0 |
|
||||
|
||||
@@ -93,6 +93,9 @@ module Actions {
|
||||
|
||||
/** Gets the value of the `if` field in this job, if any. */
|
||||
JobIf getIf() { result.getJob() = this }
|
||||
|
||||
/** Gets the value of the `runs-on` field in this job. */
|
||||
JobRunson getRunsOn() { result.getJob() = this }
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -108,6 +111,19 @@ module Actions {
|
||||
Job getJob() { result = job }
|
||||
}
|
||||
|
||||
/**
|
||||
* A `runs-on` within a job.
|
||||
* See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idruns-on.
|
||||
*/
|
||||
class JobRunson extends YamlNode, YamlScalar {
|
||||
Job job;
|
||||
|
||||
JobRunson() { job.lookup("runs-on") = this }
|
||||
|
||||
/** Gets the step this field belongs to. */
|
||||
Job getJob() { result = job }
|
||||
}
|
||||
|
||||
/**
|
||||
* A step within an Actions job.
|
||||
* See https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#jobsjob_idsteps.
|
||||
|
||||
@@ -70,7 +70,7 @@ class JsxElement extends JsxNode {
|
||||
override string getAPrimaryQlClass() { result = "JsxElement" }
|
||||
|
||||
/**
|
||||
* Holds if this JSX element is a HTML element.
|
||||
* Holds if this JSX element is an HTML element.
|
||||
* That is, the name starts with a lowercase letter.
|
||||
*/
|
||||
predicate isHtmlElement() { getName().regexpMatch("[a-z].*") }
|
||||
|
||||
@@ -164,14 +164,27 @@ module ModelInput {
|
||||
class TypeModel extends Unit {
|
||||
/**
|
||||
* Gets a data-flow node that is a source of the type `package;type`.
|
||||
*
|
||||
* This must not depend on API graphs, but ensures that an API node is generated for
|
||||
* the source.
|
||||
*/
|
||||
DataFlow::Node getASource(string package, string type) { none() }
|
||||
|
||||
/**
|
||||
* Gets a data flow node that is a sink of the type `package;type`,
|
||||
* Gets a data-flow node that is a sink of the type `package;type`,
|
||||
* usually because it is an argument passed to a parameter of that type.
|
||||
*
|
||||
* This must not depend on API graphs, but ensures that an API node is generated for
|
||||
* the sink.
|
||||
*/
|
||||
DataFlow::Node getASink(string package, string type) { none() }
|
||||
|
||||
/**
|
||||
* Gets an API node that is a source or sink of the type `package;type`.
|
||||
*
|
||||
* Unlike `getASource` and `getASink`, this may depend on API graphs.
|
||||
*/
|
||||
API::Node getAnApiNode(string package, string type) { none() }
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -434,6 +447,8 @@ private API::Node getNodeFromType(string package, string type) {
|
||||
or
|
||||
result = any(TypeModelDefEntry e).getNodeForType(package, type)
|
||||
or
|
||||
result = any(TypeModel t).getAnApiNode(package, type)
|
||||
or
|
||||
result = Specific::getExtraNodeFromType(package, type)
|
||||
}
|
||||
|
||||
@@ -529,7 +544,7 @@ private API::Node getNodeFromSubPath(API::Node base, AccessPath subPath) {
|
||||
}
|
||||
|
||||
/** Gets the node identified by the given `(package, type, path)` tuple. */
|
||||
API::Node getNodeFromPath(string package, string type, AccessPath path) {
|
||||
private API::Node getNodeFromPath(string package, string type, AccessPath path) {
|
||||
result = getNodeFromPath(package, type, path, path.getNumToken())
|
||||
}
|
||||
|
||||
@@ -552,7 +567,9 @@ private predicate typeStep(API::Node pred, API::Node succ) {
|
||||
*
|
||||
* Unlike `getNodeFromPath`, the `path` may end with one or more call-site filters.
|
||||
*/
|
||||
Specific::InvokeNode getInvocationFromPath(string package, string type, AccessPath path, int n) {
|
||||
private Specific::InvokeNode getInvocationFromPath(
|
||||
string package, string type, AccessPath path, int n
|
||||
) {
|
||||
result = Specific::getAnInvocationOf(getNodeFromPath(package, type, path, n))
|
||||
or
|
||||
result = getInvocationFromPath(package, type, path, n - 1) and
|
||||
@@ -560,7 +577,7 @@ Specific::InvokeNode getInvocationFromPath(string package, string type, AccessPa
|
||||
}
|
||||
|
||||
/** Gets an invocation identified by the given `(package, type, path)` tuple. */
|
||||
Specific::InvokeNode getInvocationFromPath(string package, string type, AccessPath path) {
|
||||
private Specific::InvokeNode getInvocationFromPath(string package, string type, AccessPath path) {
|
||||
result = getInvocationFromPath(package, type, path, path.getNumToken())
|
||||
}
|
||||
|
||||
@@ -568,7 +585,7 @@ Specific::InvokeNode getInvocationFromPath(string package, string type, AccessPa
|
||||
* Holds if `name` is a valid name for an access path token in the identifying access path.
|
||||
*/
|
||||
bindingset[name]
|
||||
predicate isValidTokenNameInIdentifyingAccessPath(string name) {
|
||||
private predicate isValidTokenNameInIdentifyingAccessPath(string name) {
|
||||
name = ["Argument", "Parameter", "ReturnValue", "WithArity", "TypeVar"]
|
||||
or
|
||||
Specific::isExtraValidTokenNameInIdentifyingAccessPath(name)
|
||||
@@ -579,7 +596,7 @@ predicate isValidTokenNameInIdentifyingAccessPath(string name) {
|
||||
* in an identifying access path.
|
||||
*/
|
||||
bindingset[name]
|
||||
predicate isValidNoArgumentTokenInIdentifyingAccessPath(string name) {
|
||||
private predicate isValidNoArgumentTokenInIdentifyingAccessPath(string name) {
|
||||
name = "ReturnValue"
|
||||
or
|
||||
Specific::isExtraValidNoArgumentTokenInIdentifyingAccessPath(name)
|
||||
@@ -590,7 +607,7 @@ predicate isValidNoArgumentTokenInIdentifyingAccessPath(string name) {
|
||||
* in an identifying access path.
|
||||
*/
|
||||
bindingset[name, argument]
|
||||
predicate isValidTokenArgumentInIdentifyingAccessPath(string name, string argument) {
|
||||
private predicate isValidTokenArgumentInIdentifyingAccessPath(string name, string argument) {
|
||||
name = ["Argument", "Parameter"] and
|
||||
argument.regexpMatch("(N-|-)?\\d+(\\.\\.((N-|-)?\\d+)?)?")
|
||||
or
|
||||
@@ -607,51 +624,61 @@ predicate isValidTokenArgumentInIdentifyingAccessPath(string name, string argume
|
||||
* Module providing access to the imported models in terms of API graph nodes.
|
||||
*/
|
||||
module ModelOutput {
|
||||
/**
|
||||
* Holds if a CSV source model contributed `source` with the given `kind`.
|
||||
*/
|
||||
API::Node getASourceNode(string kind) {
|
||||
exists(string package, string type, string path |
|
||||
sourceModel(package, type, path, kind) and
|
||||
result = getNodeFromPath(package, type, path)
|
||||
)
|
||||
cached
|
||||
private module Cached {
|
||||
/**
|
||||
* Holds if a CSV source model contributed `source` with the given `kind`.
|
||||
*/
|
||||
cached
|
||||
API::Node getASourceNode(string kind) {
|
||||
exists(string package, string type, string path |
|
||||
sourceModel(package, type, path, kind) and
|
||||
result = getNodeFromPath(package, type, path)
|
||||
)
|
||||
}
|
||||
|
||||
/**
|
||||
* Holds if a CSV sink model contributed `sink` with the given `kind`.
|
||||
*/
|
||||
cached
|
||||
API::Node getASinkNode(string kind) {
|
||||
exists(string package, string type, string path |
|
||||
sinkModel(package, type, path, kind) and
|
||||
result = getNodeFromPath(package, type, path)
|
||||
)
|
||||
}
|
||||
|
||||
/**
|
||||
* Holds if a relevant CSV summary exists for these parameters.
|
||||
*/
|
||||
cached
|
||||
predicate relevantSummaryModel(
|
||||
string package, string type, string path, string input, string output, string kind
|
||||
) {
|
||||
isRelevantPackage(package) and
|
||||
summaryModel(package, type, path, input, output, kind)
|
||||
}
|
||||
|
||||
/**
|
||||
* Holds if a `baseNode` is an invocation identified by the `package,type,path` part of a summary row.
|
||||
*/
|
||||
cached
|
||||
predicate resolvedSummaryBase(
|
||||
string package, string type, string path, Specific::InvokeNode baseNode
|
||||
) {
|
||||
summaryModel(package, type, path, _, _, _) and
|
||||
baseNode = getInvocationFromPath(package, type, path)
|
||||
}
|
||||
|
||||
/**
|
||||
* Holds if `node` is seen as an instance of `(package,type)` due to a type definition
|
||||
* contributed by a CSV model.
|
||||
*/
|
||||
cached
|
||||
API::Node getATypeNode(string package, string type) { result = getNodeFromType(package, type) }
|
||||
}
|
||||
|
||||
/**
|
||||
* Holds if a CSV sink model contributed `sink` with the given `kind`.
|
||||
*/
|
||||
API::Node getASinkNode(string kind) {
|
||||
exists(string package, string type, string path |
|
||||
sinkModel(package, type, path, kind) and
|
||||
result = getNodeFromPath(package, type, path)
|
||||
)
|
||||
}
|
||||
|
||||
/**
|
||||
* Holds if a relevant CSV summary exists for these parameters.
|
||||
*/
|
||||
predicate relevantSummaryModel(
|
||||
string package, string type, string path, string input, string output, string kind
|
||||
) {
|
||||
isRelevantPackage(package) and
|
||||
summaryModel(package, type, path, input, output, kind)
|
||||
}
|
||||
|
||||
/**
|
||||
* Holds if a `baseNode` is an invocation identified by the `package,type,path` part of a summary row.
|
||||
*/
|
||||
predicate resolvedSummaryBase(
|
||||
string package, string type, string path, Specific::InvokeNode baseNode
|
||||
) {
|
||||
summaryModel(package, type, path, _, _, _) and
|
||||
baseNode = getInvocationFromPath(package, type, path)
|
||||
}
|
||||
|
||||
/**
|
||||
* Holds if `node` is seen as an instance of `(package,type)` due to a type definition
|
||||
* contributed by a CSV model.
|
||||
*/
|
||||
API::Node getATypeNode(string package, string type) { result = getNodeFromType(package, type) }
|
||||
import Cached
|
||||
|
||||
/**
|
||||
* Gets an error message relating to an invalid CSV row in a model.
|
||||
|
||||
@@ -87,7 +87,7 @@ predicate isBadRegexpFilter(HtmlMatchingRegExp regexp, string msg) {
|
||||
not regexp.fillsCaptureGroup("<script>", group) and
|
||||
msg =
|
||||
"This regular expression only parses --> (capture group " + group +
|
||||
") and not --!> as a HTML comment end tag."
|
||||
") and not --!> as an HTML comment end tag."
|
||||
)
|
||||
or
|
||||
regexp.matches("<!-- foo -->") and
|
||||
|
||||
@@ -80,7 +80,7 @@ module HtmlSanitization {
|
||||
}
|
||||
|
||||
/**
|
||||
* Gets a HTML-relevant character that is replaced by `chain`.
|
||||
* Gets an HTML-relevant character that is replaced by `chain`.
|
||||
*/
|
||||
private string getALikelyReplacedCharacter(StringReplaceCallSequence chain) {
|
||||
result = "\"" and
|
||||
|
||||
@@ -35,7 +35,7 @@ private DangerousPrefixSubstring getADangerousMatchedChar(EmptyReplaceRegExpTerm
|
||||
or
|
||||
result = t.getAMatchedString()
|
||||
or
|
||||
// A substring matched by some character class. This is only used to match the "word" part of a HTML tag (e.g. "iframe" in "<iframe").
|
||||
// A substring matched by some character class. This is only used to match the "word" part of an HTML tag (e.g. "iframe" in "<iframe").
|
||||
exists(NfaUtils::CharacterClass cc |
|
||||
cc = NfaUtils::getCanonicalCharClass(t) and
|
||||
cc.matches(result) and
|
||||
@@ -101,12 +101,12 @@ private class RepetitionMatcher extends EmptyReplaceRegExpTerm {
|
||||
predicate matchesDangerousPrefix(EmptyReplaceRegExpTerm t, string prefix, string kind) {
|
||||
prefix = getADangerousMatchedPrefix(t) and
|
||||
(
|
||||
kind = "path injection" and
|
||||
kind = "a path injection vulnerability" and
|
||||
prefix = ["/..", "../"] and
|
||||
// If the regex is matching explicit path components, it is unlikely that it's being used as a sanitizer.
|
||||
not t.getSuccessor*().getAMatchedString().regexpMatch("(?is).*[a-z0-9_-].*")
|
||||
or
|
||||
kind = "HTML element injection" and
|
||||
kind = "an HTML element injection vulnerability" and
|
||||
(
|
||||
// comments
|
||||
prefix = "<!--" and
|
||||
@@ -119,7 +119,7 @@ predicate matchesDangerousPrefix(EmptyReplaceRegExpTerm t, string prefix, string
|
||||
)
|
||||
)
|
||||
or
|
||||
kind = "HTML attribute injection" and
|
||||
kind = "an HTML attribute injection vulnerability" and
|
||||
prefix =
|
||||
[
|
||||
// ordinary event handler prefix
|
||||
@@ -197,6 +197,6 @@ query predicate problems(
|
||||
) {
|
||||
exists(string kind |
|
||||
isResult(replace, dangerous, prefix, kind) and
|
||||
msg = "This string may still contain $@, which may cause a " + kind + " vulnerability."
|
||||
msg = "This string may still contain $@, which may cause " + kind + "."
|
||||
)
|
||||
}
|
||||
|
||||
@@ -213,6 +213,9 @@ module PasswordHeuristics {
|
||||
normalized
|
||||
.regexpMatch(".*(pass|test|sample|example|secret|root|admin|user|change|auth|fake|(my(token|password))|string|foo|bar|baz|qux|1234|3141|abcd).*")
|
||||
)
|
||||
or
|
||||
// repeats the same char more than 10 times
|
||||
password.regexpMatch(".*([a-zA-Z0-9])\\1{10,}.*")
|
||||
}
|
||||
|
||||
/**
|
||||
|
||||
@@ -26,7 +26,7 @@ module ImproperCodeSanitization {
|
||||
abstract class Sanitizer extends DataFlow::Node { }
|
||||
|
||||
/**
|
||||
* A call to a HTML sanitizer seen as a source for improper code sanitization
|
||||
* A call to an HTML sanitizer seen as a source for improper code sanitization
|
||||
*/
|
||||
class HtmlSanitizerCallAsSource extends Source {
|
||||
HtmlSanitizerCallAsSource() { this instanceof HtmlSanitizerCall }
|
||||
|
||||
@@ -32,7 +32,7 @@ module UnsafeJQueryPlugin {
|
||||
abstract class Sanitizer extends DataFlow::Node { }
|
||||
|
||||
/**
|
||||
* An argument that may act as a HTML fragment rather than a CSS selector, as a sink for remote unsafe jQuery plugins.
|
||||
* An argument that may act as an HTML fragment rather than a CSS selector, as a sink for remote unsafe jQuery plugins.
|
||||
*/
|
||||
class AmbiguousHtmlOrSelectorArgument extends DataFlow::Node,
|
||||
DomBasedXss::JQueryHtmlOrSelectorArgument {
|
||||
@@ -173,7 +173,7 @@ module UnsafeJQueryPlugin {
|
||||
}
|
||||
|
||||
/**
|
||||
* An argument that may act as a HTML fragment rather than a CSS selector, as a sink for remote unsafe jQuery plugins.
|
||||
* An argument that may act as an HTML fragment rather than a CSS selector, as a sink for remote unsafe jQuery plugins.
|
||||
*/
|
||||
class AmbiguousHtmlOrSelectorArgumentAsSink extends Sink {
|
||||
AmbiguousHtmlOrSelectorArgumentAsSink() {
|
||||
@@ -182,7 +182,7 @@ module UnsafeJQueryPlugin {
|
||||
}
|
||||
|
||||
/**
|
||||
* A hint that a value is expected to be treated as a HTML fragment later.
|
||||
* A hint that a value is expected to be treated as an HTML fragment later.
|
||||
*/
|
||||
class IntentionalHtmlFragmentHint extends Sanitizer {
|
||||
IntentionalHtmlFragmentHint() {
|
||||
@@ -191,7 +191,7 @@ module UnsafeJQueryPlugin {
|
||||
}
|
||||
|
||||
/**
|
||||
* Holds if there exists a jQuery plugin that likely expects `sink` to be treated as a HTML fragment.
|
||||
* Holds if there exists a jQuery plugin that likely expects `sink` to be treated as an HTML fragment.
|
||||
*/
|
||||
predicate isLikelyIntentionalHtmlSink(DataFlow::Node sink) {
|
||||
exists(
|
||||
@@ -206,7 +206,7 @@ module UnsafeJQueryPlugin {
|
||||
}
|
||||
|
||||
/**
|
||||
* Gets a property-write that writes a HTML-like constant string to `prop`.
|
||||
* Gets a property-write that writes an HTML-like constant string to `prop`.
|
||||
*/
|
||||
pragma[noinline]
|
||||
private DataFlow::PropWrite getALikelyHtmlWrite(string prop) {
|
||||
|
||||
@@ -65,7 +65,7 @@ module Shared {
|
||||
private import semmle.javascript.security.dataflow.IncompleteHtmlAttributeSanitizationCustomizations::IncompleteHtmlAttributeSanitization as IncompleteHtml
|
||||
|
||||
/**
|
||||
* A guard that checks if a string can contain quotes, which is a guard for strings that are inside a HTML attribute.
|
||||
* A guard that checks if a string can contain quotes, which is a guard for strings that are inside an HTML attribute.
|
||||
*/
|
||||
abstract class QuoteGuard extends TaintTracking::SanitizerGuardNode, StringOps::Includes {
|
||||
QuoteGuard() {
|
||||
|
||||
@@ -44,7 +44,7 @@
|
||||
<sample src="examples/unsafe-html-construction_safe.js" />
|
||||
|
||||
<p>
|
||||
Alternatively, a HTML sanitizer can be used to remove unsafe content.
|
||||
Alternatively, an HTML sanitizer can be used to remove unsafe content.
|
||||
</p>
|
||||
|
||||
<sample src="examples/unsafe-html-construction_sanitizer.js" />
|
||||
|
||||
@@ -12,7 +12,7 @@
|
||||
|
||||
<recommendation>
|
||||
<p>
|
||||
If using <code>JSON.stringify</code> or a HTML sanitizer to sanitize a string inserted into
|
||||
If using <code>JSON.stringify</code> or an HTML sanitizer to sanitize a string inserted into
|
||||
JavaScript code, then make sure to perform additional sanitization or remove potentially
|
||||
dangerous characters.
|
||||
</p>
|
||||
|
||||
@@ -13,5 +13,5 @@
|
||||
| tst.js:18:6:18:48 | <(?:!--([\\S\|\\s]*?)-->)\|([^\\/\\s>]+)[\\S\\s]*?> | Comments ending with --> are matched differently from comments ending with --!>. The first is matched with capture group 1 and comments ending with --!> are matched with capture group 2. |
|
||||
| tst.js:19:6:19:147 | <(?:(?:\\/([^>]+)>)\|(?:!--([\\S\|\\s]*?)-->)\|(?:([^\\/\\s>]+)((?:\\s+[\\w\\-:.]+(?:\\s*=\\s*?(?:(?:"[^"]*")\|(?:'[^']*')\|[^\\s"'\\/>]+))?)*)[\\S\\s]*?(\\/?)>)) | Comments ending with --> are matched differently from comments ending with --!>. The first is matched with capture group 2 and comments ending with --!> are matched with capture group 3, 4. |
|
||||
| tst.js:20:3:20:57 | (<[a-z\\/!$]("[^"]*"\|'[^']*'\|[^'">])*>\|<!(--.*?--\\s*)+>) | Comments ending with --> are matched differently from comments ending with --!>. The first is matched with capture group 3 and comments ending with --!> are matched with capture group 1. |
|
||||
| tst.js:21:6:21:249 | <(?:(?:!--([\\w\\W]*?)-->)\|(?:!\\[CDATA\\[([\\w\\W]*?)\\]\\]>)\|(?:!DOCTYPE([\\w\\W]*?)>)\|(?:\\?([^\\s\\/<>]+) ?([\\w\\W]*?)[?/]>)\|(?:\\/([A-Za-z][A-Za-z0-9\\-_\\:\\.]*)>)\|(?:([A-Za-z][A-Za-z0-9\\-_\\:\\.]*)((?:\\s+[^"'>]+(?:(?:"[^"]*")\|(?:'[^']*')\|[^>]*))*\|\\/\|\\s+)>)) | This regular expression only parses --> (capture group 1) and not --!> as a HTML comment end tag. |
|
||||
| tst.js:21:6:21:249 | <(?:(?:!--([\\w\\W]*?)-->)\|(?:!\\[CDATA\\[([\\w\\W]*?)\\]\\]>)\|(?:!DOCTYPE([\\w\\W]*?)>)\|(?:\\?([^\\s\\/<>]+) ?([\\w\\W]*?)[?/]>)\|(?:\\/([A-Za-z][A-Za-z0-9\\-_\\:\\.]*)>)\|(?:([A-Za-z][A-Za-z0-9\\-_\\:\\.]*)((?:\\s+[^"'>]+(?:(?:"[^"]*")\|(?:'[^']*')\|[^>]*))*\|\\/\|\\s+)>)) | This regular expression only parses --> (capture group 1) and not --!> as an HTML comment end tag. |
|
||||
| tst.js:22:6:22:33 | <!--([\\w\\W]*?)-->\|<([^>]*?)> | Comments ending with --> are matched differently from comments ending with --!>. The first is matched with capture group 1 and comments ending with --!> are matched with capture group 2. |
|
||||
|
||||
@@ -1,39 +1,39 @@
|
||||
| tst-multi-character-sanitization.js:3:13:3:57 | content ... gi, "") | This string may still contain $@, which may cause a HTML element injection vulnerability. | tst-multi-character-sanitization.js:3:30:3:30 | < | <script |
|
||||
| tst-multi-character-sanitization.js:4:13:4:47 | content ... /g, "") | This string may still contain $@, which may cause a HTML attribute injection vulnerability. | tst-multi-character-sanitization.js:4:30:4:40 | on\\w+=".*" | on |
|
||||
| tst-multi-character-sanitization.js:5:13:5:49 | content ... /g, "") | This string may still contain $@, which may cause a HTML attribute injection vulnerability. | tst-multi-character-sanitization.js:5:30:5:42 | on\\w+=\\'.*\\' | on |
|
||||
| tst-multi-character-sanitization.js:9:13:9:47 | content ... gi, "") | This string may still contain $@, which may cause a HTML element injection vulnerability. | tst-multi-character-sanitization.js:9:30:9:30 | < | <script |
|
||||
| tst-multi-character-sanitization.js:10:13:10:49 | content ... /g, "") | This string may still contain $@, which may cause a HTML attribute injection vulnerability. | tst-multi-character-sanitization.js:10:30:10:42 | .on\\w+=.*".*" | on |
|
||||
| tst-multi-character-sanitization.js:11:13:11:51 | content ... /g, "") | This string may still contain $@, which may cause a HTML attribute injection vulnerability. | tst-multi-character-sanitization.js:11:30:11:44 | .on\\w+=.*\\'.*\\' | on |
|
||||
| tst-multi-character-sanitization.js:19:3:19:35 | respons ... pt, "") | This string may still contain $@, which may cause a HTML element injection vulnerability. | tst-multi-character-sanitization.js:18:18:18:24 | <script | <script |
|
||||
| tst-multi-character-sanitization.js:25:10:25:40 | text.re ... /g, "") | This string may still contain $@, which may cause a HTML element injection vulnerability. | tst-multi-character-sanitization.js:25:24:25:27 | <!-- | <!-- |
|
||||
| tst-multi-character-sanitization.js:3:13:3:57 | content ... gi, "") | This string may still contain $@, which may cause an HTML element injection vulnerability. | tst-multi-character-sanitization.js:3:30:3:30 | < | <script |
|
||||
| tst-multi-character-sanitization.js:4:13:4:47 | content ... /g, "") | This string may still contain $@, which may cause an HTML attribute injection vulnerability. | tst-multi-character-sanitization.js:4:30:4:40 | on\\w+=".*" | on |
|
||||
| tst-multi-character-sanitization.js:5:13:5:49 | content ... /g, "") | This string may still contain $@, which may cause an HTML attribute injection vulnerability. | tst-multi-character-sanitization.js:5:30:5:42 | on\\w+=\\'.*\\' | on |
|
||||
| tst-multi-character-sanitization.js:9:13:9:47 | content ... gi, "") | This string may still contain $@, which may cause an HTML element injection vulnerability. | tst-multi-character-sanitization.js:9:30:9:30 | < | <script |
|
||||
| tst-multi-character-sanitization.js:10:13:10:49 | content ... /g, "") | This string may still contain $@, which may cause an HTML attribute injection vulnerability. | tst-multi-character-sanitization.js:10:30:10:42 | .on\\w+=.*".*" | on |
|
||||
| tst-multi-character-sanitization.js:11:13:11:51 | content ... /g, "") | This string may still contain $@, which may cause an HTML attribute injection vulnerability. | tst-multi-character-sanitization.js:11:30:11:44 | .on\\w+=.*\\'.*\\' | on |
|
||||
| tst-multi-character-sanitization.js:19:3:19:35 | respons ... pt, "") | This string may still contain $@, which may cause an HTML element injection vulnerability. | tst-multi-character-sanitization.js:18:18:18:24 | <script | <script |
|
||||
| tst-multi-character-sanitization.js:25:10:25:40 | text.re ... /g, "") | This string may still contain $@, which may cause an HTML element injection vulnerability. | tst-multi-character-sanitization.js:25:24:25:27 | <!-- | <!-- |
|
||||
| tst-multi-character-sanitization.js:49:13:49:43 | req.url ... EL, "") | This string may still contain $@, which may cause a path injection vulnerability. | tst-multi-character-sanitization.js:48:22:48:23 | \\/ | /.. |
|
||||
| tst-multi-character-sanitization.js:49:13:49:43 | req.url ... EL, "") | This string may still contain $@, which may cause a path injection vulnerability. | tst-multi-character-sanitization.js:48:26:48:27 | \\. | ../ |
|
||||
| tst-multi-character-sanitization.js:64:7:64:73 | x.repla ... /g, "") | This string may still contain $@, which may cause a HTML element injection vulnerability. | tst-multi-character-sanitization.js:64:18:64:24 | <script | <script |
|
||||
| tst-multi-character-sanitization.js:66:7:66:56 | x.repla ... /g, "") | This string may still contain $@, which may cause a HTML attribute injection vulnerability. | tst-multi-character-sanitization.js:66:18:66:49 | (\\/\|\\s)on\\w+=(\\'\|")?[^"]*(\\'\|")? | on |
|
||||
| tst-multi-character-sanitization.js:75:7:75:37 | x.repla ... gm, "") | This string may still contain $@, which may cause a HTML element injection vulnerability. | tst-multi-character-sanitization.js:75:18:75:21 | <!-- | <!-- |
|
||||
| tst-multi-character-sanitization.js:76:7:76:35 | x.repla ... +/, "") | This string may still contain $@, which may cause a HTML attribute injection vulnerability. | tst-multi-character-sanitization.js:76:18:76:29 | \\sng-[a-z-]+ | ng- |
|
||||
| tst-multi-character-sanitization.js:77:7:77:36 | x.repla ... /g, "") | This string may still contain $@, which may cause a HTML attribute injection vulnerability. | tst-multi-character-sanitization.js:77:18:77:29 | \\sng-[a-z-]+ | ng- |
|
||||
| tst-multi-character-sanitization.js:81:7:81:58 | x.repla ... /g, "") | This string may still contain $@, which may cause a HTML attribute injection vulnerability. | tst-multi-character-sanitization.js:81:36:81:39 | only | on |
|
||||
| tst-multi-character-sanitization.js:81:7:81:58 | x.repla ... /g, "") | This string may still contain $@, which may cause a HTML element injection vulnerability. | tst-multi-character-sanitization.js:81:18:81:24 | <script | <script |
|
||||
| tst-multi-character-sanitization.js:83:7:83:63 | x.repla ... gi, "") | This string may still contain $@, which may cause a HTML element injection vulnerability. | tst-multi-character-sanitization.js:83:18:83:21 | <!-- | <!-- |
|
||||
| tst-multi-character-sanitization.js:64:7:64:73 | x.repla ... /g, "") | This string may still contain $@, which may cause an HTML element injection vulnerability. | tst-multi-character-sanitization.js:64:18:64:24 | <script | <script |
|
||||
| tst-multi-character-sanitization.js:66:7:66:56 | x.repla ... /g, "") | This string may still contain $@, which may cause an HTML attribute injection vulnerability. | tst-multi-character-sanitization.js:66:18:66:49 | (\\/\|\\s)on\\w+=(\\'\|")?[^"]*(\\'\|")? | on |
|
||||
| tst-multi-character-sanitization.js:75:7:75:37 | x.repla ... gm, "") | This string may still contain $@, which may cause an HTML element injection vulnerability. | tst-multi-character-sanitization.js:75:18:75:21 | <!-- | <!-- |
|
||||
| tst-multi-character-sanitization.js:76:7:76:35 | x.repla ... +/, "") | This string may still contain $@, which may cause an HTML attribute injection vulnerability. | tst-multi-character-sanitization.js:76:18:76:29 | \\sng-[a-z-]+ | ng- |
|
||||
| tst-multi-character-sanitization.js:77:7:77:36 | x.repla ... /g, "") | This string may still contain $@, which may cause an HTML attribute injection vulnerability. | tst-multi-character-sanitization.js:77:18:77:29 | \\sng-[a-z-]+ | ng- |
|
||||
| tst-multi-character-sanitization.js:81:7:81:58 | x.repla ... /g, "") | This string may still contain $@, which may cause an HTML attribute injection vulnerability. | tst-multi-character-sanitization.js:81:36:81:39 | only | on |
|
||||
| tst-multi-character-sanitization.js:81:7:81:58 | x.repla ... /g, "") | This string may still contain $@, which may cause an HTML element injection vulnerability. | tst-multi-character-sanitization.js:81:18:81:24 | <script | <script |
|
||||
| tst-multi-character-sanitization.js:83:7:83:63 | x.repla ... gi, "") | This string may still contain $@, which may cause an HTML element injection vulnerability. | tst-multi-character-sanitization.js:83:18:83:21 | <!-- | <!-- |
|
||||
| tst-multi-character-sanitization.js:85:7:85:48 | x.repla ... /g, "") | This string may still contain $@, which may cause a path injection vulnerability. | tst-multi-character-sanitization.js:85:18:85:21 | \\x2E | ../ |
|
||||
| tst-multi-character-sanitization.js:87:7:87:47 | x.repla ... gi, "") | This string may still contain $@, which may cause a HTML element injection vulnerability. | tst-multi-character-sanitization.js:87:18:87:24 | <script | <script |
|
||||
| tst-multi-character-sanitization.js:92:7:96:4 | x.repla ... ";\\n }) | This string may still contain $@, which may cause a HTML element injection vulnerability. | tst-multi-character-sanitization.js:92:18:92:24 | <script | <script |
|
||||
| tst-multi-character-sanitization.js:87:7:87:47 | x.repla ... gi, "") | This string may still contain $@, which may cause an HTML element injection vulnerability. | tst-multi-character-sanitization.js:87:18:87:24 | <script | <script |
|
||||
| tst-multi-character-sanitization.js:92:7:96:4 | x.repla ... ";\\n }) | This string may still contain $@, which may cause an HTML element injection vulnerability. | tst-multi-character-sanitization.js:92:18:92:24 | <script | <script |
|
||||
| tst-multi-character-sanitization.js:101:7:101:30 | x.repla ... /g, "") | This string may still contain $@, which may cause a path injection vulnerability. | tst-multi-character-sanitization.js:101:18:101:19 | \\. | ../ |
|
||||
| tst-multi-character-sanitization.js:102:7:102:30 | x.repla ... /g, "") | This string may still contain $@, which may cause a path injection vulnerability. | tst-multi-character-sanitization.js:102:18:102:19 | \\/ | /.. |
|
||||
| tst-multi-character-sanitization.js:104:7:104:58 | x.repla ... gi, "") | This string may still contain $@, which may cause a HTML element injection vulnerability. | tst-multi-character-sanitization.js:104:18:104:24 | <script | <script |
|
||||
| tst-multi-character-sanitization.js:106:7:106:64 | x.repla ... gi, "") | This string may still contain $@, which may cause a HTML element injection vulnerability. | tst-multi-character-sanitization.js:106:18:106:18 | < | <script |
|
||||
| tst-multi-character-sanitization.js:107:7:107:62 | x.repla ... /g, "") | This string may still contain $@, which may cause a HTML element injection vulnerability. | tst-multi-character-sanitization.js:107:18:107:19 | \\< | <script |
|
||||
| tst-multi-character-sanitization.js:108:7:108:75 | x.repla ... gm, "") | This string may still contain $@, which may cause a HTML element injection vulnerability. | tst-multi-character-sanitization.js:108:18:108:18 | < | <script |
|
||||
| tst-multi-character-sanitization.js:109:7:109:58 | x.repla ... gi, "") | This string may still contain $@, which may cause a HTML element injection vulnerability. | tst-multi-character-sanitization.js:109:18:109:24 | <script | <script |
|
||||
| tst-multi-character-sanitization.js:110:7:110:50 | x.repla ... gi, "") | This string may still contain $@, which may cause a HTML element injection vulnerability. | tst-multi-character-sanitization.js:110:18:110:24 | <script | <script |
|
||||
| tst-multi-character-sanitization.js:111:7:111:32 | x.repla ... /g, "") | This string may still contain $@, which may cause a HTML element injection vulnerability. | tst-multi-character-sanitization.js:111:20:111:23 | <!-- | <!-- |
|
||||
| tst-multi-character-sanitization.js:104:7:104:58 | x.repla ... gi, "") | This string may still contain $@, which may cause an HTML element injection vulnerability. | tst-multi-character-sanitization.js:104:18:104:24 | <script | <script |
|
||||
| tst-multi-character-sanitization.js:106:7:106:64 | x.repla ... gi, "") | This string may still contain $@, which may cause an HTML element injection vulnerability. | tst-multi-character-sanitization.js:106:18:106:18 | < | <script |
|
||||
| tst-multi-character-sanitization.js:107:7:107:62 | x.repla ... /g, "") | This string may still contain $@, which may cause an HTML element injection vulnerability. | tst-multi-character-sanitization.js:107:18:107:19 | \\< | <script |
|
||||
| tst-multi-character-sanitization.js:108:7:108:75 | x.repla ... gm, "") | This string may still contain $@, which may cause an HTML element injection vulnerability. | tst-multi-character-sanitization.js:108:18:108:18 | < | <script |
|
||||
| tst-multi-character-sanitization.js:109:7:109:58 | x.repla ... gi, "") | This string may still contain $@, which may cause an HTML element injection vulnerability. | tst-multi-character-sanitization.js:109:18:109:24 | <script | <script |
|
||||
| tst-multi-character-sanitization.js:110:7:110:50 | x.repla ... gi, "") | This string may still contain $@, which may cause an HTML element injection vulnerability. | tst-multi-character-sanitization.js:110:18:110:24 | <script | <script |
|
||||
| tst-multi-character-sanitization.js:111:7:111:32 | x.repla ... /g, "") | This string may still contain $@, which may cause an HTML element injection vulnerability. | tst-multi-character-sanitization.js:111:20:111:23 | <!-- | <!-- |
|
||||
| tst-multi-character-sanitization.js:126:7:129:34 | x\\n . ... //, "") | This string may still contain $@, which may cause a path injection vulnerability. | tst-multi-character-sanitization.js:129:21:129:22 | \\/ | /.. |
|
||||
| tst-multi-character-sanitization.js:135:2:135:44 | content ... gi, "") | This string may still contain $@, which may cause a HTML element injection vulnerability. | tst-multi-character-sanitization.js:135:19:135:25 | <script | <script |
|
||||
| tst-multi-character-sanitization.js:136:2:136:46 | content ... gi, "") | This string may still contain $@, which may cause a HTML element injection vulnerability. | tst-multi-character-sanitization.js:136:19:136:19 | < | <script |
|
||||
| tst-multi-character-sanitization.js:137:2:137:48 | content ... gi, "") | This string may still contain $@, which may cause a HTML element injection vulnerability. | tst-multi-character-sanitization.js:137:19:137:20 | .+ | <script |
|
||||
| tst-multi-character-sanitization.js:138:2:138:48 | content ... gi, "") | This string may still contain $@, which may cause a HTML element injection vulnerability. | tst-multi-character-sanitization.js:138:21:138:21 | < | <script |
|
||||
| tst-multi-character-sanitization.js:142:13:142:62 | content ... gi, "") | This string may still contain $@, which may cause a HTML element injection vulnerability. | tst-multi-character-sanitization.js:142:30:142:36 | <script | <script |
|
||||
| tst-multi-character-sanitization.js:143:13:143:56 | content ... /g, '') | This string may still contain $@, which may cause a HTML element injection vulnerability. | tst-multi-character-sanitization.js:143:30:143:30 | < | <script |
|
||||
| tst-multi-character-sanitization.js:144:13:144:91 | content ... /g, '') | This string may still contain $@, which may cause a HTML element injection vulnerability. | tst-multi-character-sanitization.js:144:30:144:30 | < | <script |
|
||||
| tst-multi-character-sanitization.js:145:13:145:90 | content ... /g, '') | This string may still contain $@, which may cause a HTML element injection vulnerability. | tst-multi-character-sanitization.js:145:30:145:30 | < | <script |
|
||||
| tst-multi-character-sanitization.js:135:2:135:44 | content ... gi, "") | This string may still contain $@, which may cause an HTML element injection vulnerability. | tst-multi-character-sanitization.js:135:19:135:25 | <script | <script |
|
||||
| tst-multi-character-sanitization.js:136:2:136:46 | content ... gi, "") | This string may still contain $@, which may cause an HTML element injection vulnerability. | tst-multi-character-sanitization.js:136:19:136:19 | < | <script |
|
||||
| tst-multi-character-sanitization.js:137:2:137:48 | content ... gi, "") | This string may still contain $@, which may cause an HTML element injection vulnerability. | tst-multi-character-sanitization.js:137:19:137:20 | .+ | <script |
|
||||
| tst-multi-character-sanitization.js:138:2:138:48 | content ... gi, "") | This string may still contain $@, which may cause an HTML element injection vulnerability. | tst-multi-character-sanitization.js:138:21:138:21 | < | <script |
|
||||
| tst-multi-character-sanitization.js:142:13:142:62 | content ... gi, "") | This string may still contain $@, which may cause an HTML element injection vulnerability. | tst-multi-character-sanitization.js:142:30:142:36 | <script | <script |
|
||||
| tst-multi-character-sanitization.js:143:13:143:56 | content ... /g, '') | This string may still contain $@, which may cause an HTML element injection vulnerability. | tst-multi-character-sanitization.js:143:30:143:30 | < | <script |
|
||||
| tst-multi-character-sanitization.js:144:13:144:91 | content ... /g, '') | This string may still contain $@, which may cause an HTML element injection vulnerability. | tst-multi-character-sanitization.js:144:30:144:30 | < | <script |
|
||||
| tst-multi-character-sanitization.js:145:13:145:90 | content ... /g, '') | This string may still contain $@, which may cause an HTML element injection vulnerability. | tst-multi-character-sanitization.js:145:30:145:30 | < | <script |
|
||||
|
||||
@@ -259,6 +259,18 @@ nodes
|
||||
| HardcodedCredentials.js:286:36:286:55 | "user:custom string" |
|
||||
| HardcodedCredentials.js:286:36:286:55 | "user:custom string" |
|
||||
| HardcodedCredentials.js:286:36:286:55 | "user:custom string" |
|
||||
| HardcodedCredentials.js:292:37:292:57 | `Basic ... sdsdag` |
|
||||
| HardcodedCredentials.js:292:37:292:57 | `Basic ... sdsdag` |
|
||||
| HardcodedCredentials.js:292:37:292:57 | `Basic ... sdsdag` |
|
||||
| HardcodedCredentials.js:293:37:293:65 | `Basic ... xxxxxx` |
|
||||
| HardcodedCredentials.js:293:37:293:65 | `Basic ... xxxxxx` |
|
||||
| HardcodedCredentials.js:293:37:293:65 | `Basic ... xxxxxx` |
|
||||
| HardcodedCredentials.js:294:37:294:70 | `Basic ... gbbbbb` |
|
||||
| HardcodedCredentials.js:294:37:294:70 | `Basic ... gbbbbb` |
|
||||
| HardcodedCredentials.js:294:37:294:70 | `Basic ... gbbbbb` |
|
||||
| HardcodedCredentials.js:295:37:295:66 | `Basic ... 000001` |
|
||||
| HardcodedCredentials.js:295:37:295:66 | `Basic ... 000001` |
|
||||
| HardcodedCredentials.js:295:37:295:66 | `Basic ... 000001` |
|
||||
edges
|
||||
| HardcodedCredentials.js:5:15:5:22 | 'dbuser' | HardcodedCredentials.js:5:15:5:22 | 'dbuser' |
|
||||
| HardcodedCredentials.js:8:19:8:28 | 'hgfedcba' | HardcodedCredentials.js:8:19:8:28 | 'hgfedcba' |
|
||||
@@ -383,6 +395,10 @@ edges
|
||||
| HardcodedCredentials.js:284:36:284:52 | "user:fake token" | HardcodedCredentials.js:284:36:284:52 | "user:fake token" |
|
||||
| HardcodedCredentials.js:285:36:285:46 | "user:dcba" | HardcodedCredentials.js:285:36:285:46 | "user:dcba" |
|
||||
| HardcodedCredentials.js:286:36:286:55 | "user:custom string" | HardcodedCredentials.js:286:36:286:55 | "user:custom string" |
|
||||
| HardcodedCredentials.js:292:37:292:57 | `Basic ... sdsdag` | HardcodedCredentials.js:292:37:292:57 | `Basic ... sdsdag` |
|
||||
| HardcodedCredentials.js:293:37:293:65 | `Basic ... xxxxxx` | HardcodedCredentials.js:293:37:293:65 | `Basic ... xxxxxx` |
|
||||
| HardcodedCredentials.js:294:37:294:70 | `Basic ... gbbbbb` | HardcodedCredentials.js:294:37:294:70 | `Basic ... gbbbbb` |
|
||||
| HardcodedCredentials.js:295:37:295:66 | `Basic ... 000001` | HardcodedCredentials.js:295:37:295:66 | `Basic ... 000001` |
|
||||
#select
|
||||
| HardcodedCredentials.js:5:15:5:22 | 'dbuser' | HardcodedCredentials.js:5:15:5:22 | 'dbuser' | HardcodedCredentials.js:5:15:5:22 | 'dbuser' | The hard-coded value "dbuser" is used as $@. | HardcodedCredentials.js:5:15:5:22 | 'dbuser' | user name |
|
||||
| HardcodedCredentials.js:8:19:8:28 | 'hgfedcba' | HardcodedCredentials.js:8:19:8:28 | 'hgfedcba' | HardcodedCredentials.js:8:19:8:28 | 'hgfedcba' | The hard-coded value "hgfedcba" is used as $@. | HardcodedCredentials.js:8:19:8:28 | 'hgfedcba' | password |
|
||||
@@ -446,3 +462,5 @@ edges
|
||||
| HardcodedCredentials.js:215:18:215:25 | 'sdsdag' | HardcodedCredentials.js:215:18:215:25 | 'sdsdag' | HardcodedCredentials.js:221:37:221:51 | `Basic ${AUTH}` | The hard-coded value "sdsdag" is used as $@. | HardcodedCredentials.js:221:37:221:51 | `Basic ${AUTH}` | authorization header |
|
||||
| HardcodedCredentials.js:231:22:231:29 | 'sdsdag' | HardcodedCredentials.js:231:22:231:29 | 'sdsdag' | HardcodedCredentials.js:237:24:237:91 | 'Basic ... ase64') | The hard-coded value "sdsdag" is used as $@. | HardcodedCredentials.js:237:24:237:91 | 'Basic ... ase64') | authorization header |
|
||||
| HardcodedCredentials.js:245:22:245:44 | "myHard ... ateKey" | HardcodedCredentials.js:245:22:245:44 | "myHard ... ateKey" | HardcodedCredentials.js:246:42:246:51 | privateKey | The hard-coded value "myHardCodedPrivateKey" is used as $@. | HardcodedCredentials.js:246:42:246:51 | privateKey | key |
|
||||
| HardcodedCredentials.js:292:37:292:57 | `Basic ... sdsdag` | HardcodedCredentials.js:292:37:292:57 | `Basic ... sdsdag` | HardcodedCredentials.js:292:37:292:57 | `Basic ... sdsdag` | The hard-coded value "Basic sdsdag:sdsdag" is used as $@. | HardcodedCredentials.js:292:37:292:57 | `Basic ... sdsdag` | authorization header |
|
||||
| HardcodedCredentials.js:294:37:294:70 | `Basic ... gbbbbb` | HardcodedCredentials.js:294:37:294:70 | `Basic ... gbbbbb` | HardcodedCredentials.js:294:37:294:70 | `Basic ... gbbbbb` | The hard-coded value "Basic sdsdag:aaaiuogrweuibgbbbbb" is used as $@. | HardcodedCredentials.js:294:37:294:70 | `Basic ... gbbbbb` | authorization header |
|
||||
|
||||
@@ -284,4 +284,13 @@
|
||||
require("http").request({auth: "user:fake token"}) // OK
|
||||
require("http").request({auth: "user:dcba"}) // OK
|
||||
require("http").request({auth: "user:custom string"}) // OK
|
||||
});
|
||||
});
|
||||
|
||||
(function () {
|
||||
// browser API
|
||||
var headers = new Headers();
|
||||
headers.append("Authorization", `Basic sdsdag:sdsdag`); // NOT OK
|
||||
headers.append("Authorization", `Basic sdsdag:xxxxxxxxxxxxxx`); // OK
|
||||
headers.append("Authorization", `Basic sdsdag:aaaiuogrweuibgbbbbb`); // NOT OK
|
||||
headers.append("Authorization", `Basic sdsdag:000000000000001`); // OK
|
||||
});
|
||||
|
||||
Reference in New Issue
Block a user