hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-05-01 11:45:14 +02:00
Code Issues Packages Projects Releases Wiki Activity

JS: add security query: js/request-forgery

Browse Source
This commit is contained in:
Esben Sparre Andreasen
2018-08-30 10:19:18 +02:00
parent 2104cf55e3
commit f5a6af54e6
9 changed files with 254 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
javascript/ql/test/query-tests/Security/CWE-918/RequestForgery.expected Normal file
View File

@@ -0,0 +1,6 @@
| tst.js:16:5:16:20 | request(tainted) | The $@ of this request depends on $@. | tst.js:16:13:16:19 | tainted | URL | tst.js:12:29:12:35 | req.url | a user-provided value |
| tst.js:18:5:18:24 | request.get(tainted) | The $@ of this request depends on $@. | tst.js:18:17:18:23 | tainted | URL | tst.js:12:29:12:35 | req.url | a user-provided value |
| tst.js:22:5:22:20 | request(options) | The $@ of this request depends on $@. | tst.js:21:19:21:25 | tainted | URL | tst.js:12:29:12:35 | req.url | a user-provided value |
| tst.js:24:5:24:32 | request ... ainted) | The $@ of this request depends on $@. | tst.js:24:13:24:31 | "http://" + tainted | URL | tst.js:12:29:12:35 | req.url | a user-provided value |
| tst.js:26:5:26:43 | request ... ainted) | The $@ of this request depends on $@. | tst.js:26:13:26:42 | "http:/ ... tainted | URL | tst.js:12:29:12:35 | req.url | a user-provided value |
| tst.js:28:5:28:44 | request ... ainted) | The $@ of this request depends on $@. | tst.js:28:13:28:43 | "http:/ ... tainted | URL | tst.js:12:29:12:35 | req.url | a user-provided value |

1
javascript/ql/test/query-tests/Security/CWE-918/RequestForgery.qlref Normal file
View File

@@ -0,0 +1 @@
Security/CWE-918/RequestForgery.ql

31
javascript/ql/test/query-tests/Security/CWE-918/tst.js Normal file
View File

@@ -0,0 +1,31 @@
import request from 'request';
import requestPromise from 'request-promise';
import superagent from 'superagent';
import http from 'http';
import express from 'express';
import axios from 'axios';
import got from 'got';
import nodeFetch from 'node-fetch';
import url from 'url';
var server = http.createServer(function(req, res) {
var tainted = url.parse(req.url, true).query.url;
request("example.com"); // OK
request(tainted); // NOT OK
request.get(tainted); // NOT OK
var options = {};
options.url = tainted;
request(options); // NOT OK
request("http://" + tainted); // NOT OK
request("http://example.com" + tainted); // NOT OK
request("http://example.com/" + tainted); // NOT OK
request("http://example.com/?" + tainted); // OK
})