hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-20 18:56:32 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
alexet/avoid-path-node-java
codeql/javascript/ql/test/query-tests/Security/CWE-116/IncompleteSanitization/tst-multi-character-sanitization.js
Asger F 0453ded338 JS: Add query ID to some alerts
2025-02-28 13:27:41 +01:00

157 lines
6.5 KiB
JavaScript
Raw Permalink Blame History

// CVE-2019-10756
(function(content) {
content = content.replace(/<.*cript.*\/scrip.*>/gi, ""); // $ Alert[js/incomplete-multi-character-sanitization]
content = content.replace(/ on\w+=".*"/g, ""); // $ Alert[js/incomplete-multi-character-sanitization]
content = content.replace(/ on\w+=\'.*\'/g, ""); // $ Alert[js/incomplete-multi-character-sanitization]
return content;
});
(function(content) {
content = content.replace(/<.*cript.*/gi, ""); // $ Alert[js/incomplete-multi-character-sanitization]
content = content.replace(/.on\w+=.*".*"/g, ""); // $ Alert[js/incomplete-multi-character-sanitization]
content = content.replace(/.on\w+=.*\'.*\'/g, ""); // $ Alert[js/incomplete-multi-character-sanitization]
return content;
});
// CVE-2020-7656
(function(responseText) {
var rscript = /<script\b[^<]*(?:(?!<\/script>)<[^<]*)*<\/script>/gi;
responseText.replace(rscript, ""); // $ Alert[js/incomplete-multi-character-sanitization]
return responseText;
});
// CVE-2019-1010091
(function(text) {
text = text.replace(/<!--|--!?>/g, ""); // $ Alert[js/incomplete-multi-character-sanitization]
return text;
});
(function(text) {
while (/<!--|--!?>/g.test(text)) {
text = text.replace(/<!--|--!?>/g, "");
}
return text;
});
// CVE-2019-10767
(function(id) {
id = id.replace(/\.\./g, ""); // OK - can not contain '..' afterwards
return id;
});
(function(id) {
id = id.replace(/[\]\[*,;'"`<>\\?\/]/g, ""); // OK - or is it?
return id;
});
// CVE-2019-8903
(function(req) {
var REG_TRAVEL = /(\/)?\.\.\//g;
req.url = req.url.replace(REG_TRAVEL, ""); // $ Alert[js/incomplete-multi-character-sanitization]
});
(function(req) {
var beg;
for (var i = 0; i < req.url.length; i++) {
if (req.url[i] === "." && req.url[i + 1] === "/") beg = i + 1;
else if (req.url[i] === "?") break;
}
if (beg) req.url = req.url.substring(beg);
});
// New cases
(function(x) {
x = x.replace(/<script\b[^<]*(?:(?!<\/script>)<[^<]*)*<\/script>/g, ""); // $ Alert[js/incomplete-multi-character-sanitization]
x = x.replace(/(\/|\s)on\w+=(\'|")?[^"]*(\'|")?/g, ""); // $ Alert[js/incomplete-multi-character-sanitization]
x = x.replace(/<\/script>/g, "");
x = x.replace(/<(.)?br(.)?>/g, "");
x = x.replace(/<\/?b>/g, "");
x = x.replace(/<(ul|ol)><\/(ul|ol)>/gi, "");
x = x.replace(/<li><\/li>/gi, "");
x = x.replace(/<!--(.*?)-->/gm, ""); // $ Alert[js/incomplete-multi-character-sanitization]
x = x.replace(/\sng-[a-z-]+/, ""); // $ Alert[js/incomplete-multi-character-sanitization]
x = x.replace(/\sng-[a-z-]+/g, ""); // $ Alert[js/incomplete-multi-character-sanitization] - ng-attributes
x = x.replace(/(<!--\[CDATA\[|\]\]-->)/g, "\n"); // OK - not a sanitizer
x = x.replace(/<script.+desktop\-only.+<\/script>/g, ""); // $ SPURIOUS: Alert[js/incomplete-multi-character-sanitization]
x = x.replace(/<script async.+?<\/script>/g, "");
x = x.replace(/<!--[\s\S]*?-->|<\?(?:php)?[\s\S]*?\?>/gi, ""); // $ Alert[js/incomplete-multi-character-sanitization]
x = x.replace(/\x2E\x2E\x2F\x2E\x2E\x2F/g, ""); // $ Alert[js/incomplete-multi-character-sanitization] - matches "../../"
x = x.replace(/<script.*>.*<\/script>/gi, ""); // $ Alert[js/incomplete-multi-character-sanitization]
x = x.replace(/^(\.\.\/?)+/g, "");
x = x.replace(/<script\b[^<]*(?:(?!<\/script>)<[^<]*)*<\/script>/g, function(
$0
) {
return unknown ? $0 : "";
}); // $ Alert[js/incomplete-multi-character-sanitization]
x = x.replace(/<\/?([a-z][a-z0-9]*)\b[^>]*>/gi, ""); // $ MISSING: Alert
x = x.replace(/\.\./g, "");
x = x.replace(/\.\.\//g, ""); // $ Alert[js/incomplete-multi-character-sanitization]
x = x.replace(/\/\.\./g, ""); // $ Alert[js/incomplete-multi-character-sanitization]
x = x.replace(/<script(.*?)>([\s\S]*?)<\/script>/gi, ""); // $ Alert[js/incomplete-multi-character-sanitization]
x = x.replace(/<(script|del)(?=[\s>])[\w\W]*?<\/\1\s*>/gi, ""); // $ Alert[js/incomplete-multi-character-sanitization]
x = x.replace(/\<script[\s\S]*?\>[\s\S]*?\<\/script\>/g, ""); // $ Alert[js/incomplete-multi-character-sanitization]
x = x.replace(/<(script|style|title)[^<]+<\/(script|style|title)>/gm, ""); // $ Alert[js/incomplete-multi-character-sanitization]
x = x.replace(/<script[^>]*>([\s\S]*?)<\/script>/gi, ""); // $ Alert[js/incomplete-multi-character-sanitization]
x = x.replace(/<script[\s\S]*?<\/script>/gi, ""); // $ Alert[js/incomplete-multi-character-sanitization]
x = x.replace(/ ?<!-- ?/g, ""); // $ Alert[js/incomplete-multi-character-sanitization]
x = x.replace(/require\('\.\.\/common'\);/g, "");
x = x.replace(/\.\.\/\.\.\/lib\//g, "");
while (x.indexOf(".") !== -1) {
x = x
.replace(/^\.\//, "")
.replace(/\/\.\//, "/")
.replace(/[^\/]*\/\.\.\//, "");
}
x = x.replace(/([^.\s]+\.)+/, "");
x = x.replace(/<!\-\-DEVEL[\d\D]*?DEVEL\-\->/g, "");
x = x
.replace(/^\.\//, "")
.replace(/\/\.\//, "/")
.replace(/[^\/]*\/\.\.\//, ""); // $ Alert[js/incomplete-multi-character-sanitization]
return x;
});
(function (content) {
content.replace(/<script.*\/script>/gi, ""); // $ Alert[js/incomplete-multi-character-sanitization]
content.replace(/<(script).*\/script>/gi, ""); // $ Alert[js/incomplete-multi-character-sanitization]
content.replace(/.+<(script).*\/script>/gi, ""); // $ Alert[js/incomplete-multi-character-sanitization]
content.replace(/.*<(script).*\/script>/gi, ""); // $ Alert[js/incomplete-multi-character-sanitization]
});
(function (content) {
content = content.replace(/<script[\s\S]*?<\/script>/gi, ""); // $ Alert[js/incomplete-multi-character-sanitization]
content = content.replace(/<[a-zA-Z\/](.|\n)*?>/g, '') || ' '; // $ Alert[js/incomplete-multi-character-sanitization]
content = content.replace(/<(script|iframe|video)[\s\S]*?<\/(script|iframe|video)>/g, '') // $ Alert[js/incomplete-multi-character-sanitization]
content = content.replace(/<(script|iframe|video)(.|\s)*?\/(script|iframe|video)>/g, '') // $ Alert[js/incomplete-multi-character-sanitization]
content = content.replace(/<[^<]*>/g, "");
n.cloneNode(false).outerHTML.replace(/<\/?[\w:\-]+ ?|=[\"][^\"]+\"|=\'[^\']+\'|=[\w\-]+|>/gi, '').replace(/[\w:\-]+/gi, function(a) { // $ Alert[js/incomplete-multi-character-sanitization]
o.push({specified : 1, nodeName : a});
});
n.cloneNode(false).outerHTML.replace(/<\/?[\w:\-]+ ?|=[\"][^\"]+\"|=\'[^\']+\'|=[\w\-]+|>/gi, '').replace(/[\w:\-]+/gi, function(a) { // $ Alert[js/incomplete-multi-character-sanitization]
o.push({specified : 1, nodeName : a});
});
content = content.replace(/.+?(?=\s)/, '');
});
Reference in New Issue View Git Blame Copy Permalink