hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-19 18:33:16 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
alexet/avoid-path-node-java
codeql/javascript/ql/test/query-tests/Security/CWE-522-DecompressionBombs/pako.js
Asger F 64d39da5f8 JS: Accept Sources/Sink tags
2025-02-28 13:29:30 +01:00

37 lines
958 B
JavaScript
Raw Permalink Blame History

const pako = require('pako');
const express = require('express')
const fileUpload = require("express-fileupload");
const app = express();
const port = 3000;
app.use(fileUpload());
app.listen(port, () => {
console.log(`Example app listening on port ${port}`)
});
app.post('/upload', (req, res) => {
zipBomb1(req.files.zipBombFile.data); // $ Source
zipBomb2(req.files.zipBombFile.data); // $ Source
res.send('Hello World!');
});
function zipBomb1(zipFile) {
const myArray = Buffer.from(new Uint8Array(zipFile.data.buffer));
let output;
try {
output = pako.inflate(myArray); // $ Alert
console.log(output);
} catch (err) {
console.log(err);
}
}
function zipBomb2(zipFile) {
const myArray = new Uint8Array(zipFile.data.buffer).buffer;
let output;
try {
output = pako.inflate(myArray); // $ Alert
console.log(output);
} catch (err) {
console.log(err);
}
}
Reference in New Issue View Git Blame Copy Permalink