Napalys
de5c7efd63
Added test case for unescape.
2025-03-13 13:47:42 +01:00
Asger F
8599ab2503
JS: Fix attributes nodes missing an enclosing callable
2025-03-11 16:47:48 +01:00
Asger F
2a194a53af
raw test output
2025-02-28 13:29:39 +01:00
Asger F
426edd55f2
JS: Update output after line number change
...
Some OK-style comments had to be moved to the following line, shifting line numbers.
In selected range also included the comments themselves.
Lastly, the result sets were reordered by the CLI in some cases.
2025-02-28 13:27:31 +01:00
Asger F
58c8b5fa2b
Merge pull request #18790 from asgerf/js/no-implicit-array-taint
...
JS: Do not taint whole array when storing into ArrayElement
2025-02-19 13:23:31 +01:00
Asger F
d79f429978
JS: Update changes to nodes/edges/subpaths
...
No changes in actual alerts
2025-02-17 10:36:05 +01:00
Asger F
25314b61db
JS: Update nodes/edges output
2025-02-14 10:26:21 +01:00
aegilops
76da479550
Updated tests
2025-01-24 16:52:11 +00:00
aegilops
522f3d1337
Merge
2025-01-23 17:00:56 +00:00
aegilops
b07e801c10
Add new test for new XSS sink, update expected to match
2025-01-09 18:02:45 +00:00
Asger F
f8dc7eb25b
JS: Update output from tests that changed on main
2024-12-19 15:25:47 +01:00
Napalys
c71778f1aa
JS: xss does not flag anymore replace with RegExp unknown flags
2024-11-28 11:26:53 +01:00
Napalys
dbae553146
JS: add xss test cases with unknownflags for replace using RegExp
2024-11-28 11:26:52 +01:00
Asger F
930a7b6e28
JS: Update output changes to nodes/edges/subpaths
2024-11-21 13:33:39 +01:00
Asger F
d3e70c1e97
JS: Add in-barrier to XSS query
...
This is a bit of a bandaid to cover issues with the push() method on next/router being
treated as an array push, which causes it to flow into other taint sources.
2024-10-29 08:32:08 +01:00
Asger F
12e316b99d
JS: Update test output after merging in 'main'
...
- Paths are now relative to the test case, not the qlpack
- Paths going through an implicit reads have changed slightly
2024-10-08 10:11:15 +02:00
Asger F
6cbe04dcb7
JS: Consistently use the shared XSS barrier guards in the XSS queries
...
Previously only reflected XSS used shared barrier guards.
2024-10-02 14:44:17 +02:00
Asger F
1df69ec1d2
JS: Actually don't propagate into array element 0
...
Preserving tainted-url-suffix into array element 0 seemed like a good idea, but didn't work out so well.
2024-09-12 13:42:36 +02:00
Asger F
cf90c83604
JS: Accept changes to nodes/edges results
2024-09-12 13:42:19 +02:00
Asger F
7790f68fe2
JS: Make the TaintedUrlSuffix library use optional steps/barriers
2024-09-12 13:35:36 +02:00
Asger F
0ddb1c87f5
JS: Test update indicating a problem with .split()
2024-09-10 13:14:37 +02:00
Asger F
4568967a76
JS: Do not use legacy taint steps in TaintedUrlSuffix
...
Tainted URL suffix steps are added as configuration-specific additional
steps, which means implicit reads may occur before any of these steps.
These steps accidentally included the legacy taint steps which include
a step from 'arguments' to all positional parameters. Combined with the
implicit read, arguments could escape their array index and flow to
any parameter while in the tainted-url flow state.
2024-08-29 13:48:30 +02:00
Asger F
65a36b0b3b
JS: Add regression test for argument position confusion
2024-08-29 13:42:28 +02:00
Asger F
2e2181be2c
JS: Update test output that only affects nodes/edges/subpaths
2024-08-27 11:35:33 +02:00
Asger F
a2dd47aeb2
JS: Update test output
...
These files conflicted and have been regenerated.
2024-08-22 14:27:15 +02:00
Asger F
9ee7599aeb
JS: Move AngularJSTemplateUrlSink to ClientSideUrlRedirection query
...
This is not perfect but at least we can be consistent about keeping URLs-that-lead-to-xss in the same query
2024-08-16 14:37:13 +02:00
Asger F
c3806a2210
JS: Messy test output updates
...
These initially got messed up by a merge conflict where I couldn't rerun the tests due to breaking
changes in the data flow library. I wanted the breaking-change updates to live in their own commits,
not just eaten by a merge resolution commit, so the test output became broken for a while.
The '#select' result set is unchanged in all of these, so they should be safe to accept.
2024-06-27 11:59:56 +02:00
Asger F
5e7d1d5c2c
Merge branch 'main' into js/shared-dataflow-merged
2024-03-13 14:27:16 +01:00
erik-krogh
a9f2b3fad6
promote PropsTaintStep to a PreCallGraphStep
2024-01-04 10:45:22 +01:00
Asger F
e091fdefa4
JS: Port DomBasedXss
2023-10-13 13:15:03 +02:00
tyage
933b55d37d
Track interfile useRouter
2023-04-28 15:49:26 +09:00
Asger F
c7f16cd224
JS: Add test
2023-04-17 08:23:03 +02:00
erik-krogh
b1957623c1
add browser history as XSS sink
2023-04-12 13:38:18 +02:00
tyage
320cb99dbf
Add replace method test
2023-04-08 18:31:48 +09:00
tyage
668e1accaa
Remove unnecessary whiteline
2023-04-08 18:24:31 +09:00
tyage
7f9b8557ac
Add Next.js router push as XSS sink
2023-04-08 18:18:34 +09:00
Asger F
92a681213d
JS: Step through jQuery callback return values
2023-03-27 11:17:27 +02:00
Asger F
bc2a772f3b
JS: Add test case showing false negative
2023-03-27 11:08:39 +02:00
Asger F
856b50735d
JS: Expand test case
2023-03-07 13:04:26 +01:00
tyage
54050bf1b6
update test result XssWithAdditionalSources
2022-10-27 10:23:37 +09:00
Asger F
67cef92f94
JS: Rewrite to use DataFlow::Node API and restrict context
2022-10-10 16:08:21 +02:00
tyage
192c1f3d89
make test json.stringify
2022-10-04 17:40:52 +09:00
tyage
726cd2ca8a
refactor test
2022-10-04 17:11:37 +09:00
tyage
2006ae8332
rename file
2022-10-04 17:05:15 +09:00
tyage
33d204913c
add test for json stringify xss
2022-10-04 14:45:09 +09:00
Erik Krogh Kristensen
e387ebaedd
add domNode.innerHTML += sink as a DOM sink
2022-09-05 16:11:55 +02:00
Erik Krogh Kristensen
0e4954a68c
add navigation.navigate as an XSS / URL sink
2022-06-29 14:56:20 +02:00
Erik Krogh Kristensen
7f592a6c64
merge Clipboard.qll and DragAndDrop.qll, and support InputEvent
2022-04-18 22:17:31 +02:00
Erik Krogh Kristensen
34abef8a6c
Merge branch 'main' into dragAndDrop
2022-04-11 23:59:46 +02:00
bananabr
57fac949fd
included ClipboardEvent and DragEvent as XSS sources
2022-04-11 16:37:00 -05:00
