codeql/javascript/ql/test/query-tests/Security/CWE-020/tst-UntrustedDataToExternalAPI.js
// Test input for the UntrustedDataToExternalAPI query (CWE-020 directory).
// Each call below hands attacker-influenceable data to an external library in
// a different syntactic position, so the query's argument tracking is
// exercised position by position. NOTE(review): CodeQL query tests compare
// reported alerts against recorded expectations, so the order and shape of
// these statements is load-bearing — confirm before reshaping.
let externalLib = require('external-lib');
// window.name can be set by whoever opened or navigated this window, which is
// why it is used as the taint source here (modelled as a remote flow source).
let untrusted = window.name;
externalLib(untrusted); // direct positional argument
externalLib({x: untrusted}); // property of an object literal argument
externalLib(...untrusted); // the untrusted value itself is spread
externalLib(...window.CONFIG, untrusted); // unrelated spread first, untrusted after it
externalLib({ ...untrusted }); // untrusted spread into an object literal
externalLib(['x', untrusted, 'y']); // element of an array literal argument
externalLib('foo', untrusted); // non-first positional argument
externalLib({ // nested three properties deep inside an object literal
  x: {
    y: {
      z: untrusted
    }
  }
});
/**
 * Builds an object whose `x.y.z[0]` is derived from the module-level
 * `untrusted` value via JSON.parse. Used so the query is exercised on taint
 * that reaches an external call through a function return value, a nested
 * object literal, an array element and a JSON.parse step.
 * @returns {{x: {y: {z: unknown[]}}}} object carrying the parsed untrusted value
 */
function getDeepUntrusted() {
  return {
    x: {
      y: {
        z: [JSON.parse(untrusted)]
      }
    }
  }
}
externalLib(getDeepUntrusted()); // untrusted reaches the call through a return value
// Callback handed to the library: the untrusted value flows into a method on
// the library-provided `res` object and into a deeper method reached via `req`.
externalLib.get('/foo', (req, res) => {
  res.send(untrusted);
  req.app.locals.something.foo(untrusted);
});
let jsonSafeParse = require('json-safe-parse');
jsonSafeParse(untrusted); // no need to report; has known taint step
let merge = require('lodash.merge');
// The second argument to merge is a single object literal, not a set of
// separately named parameters — see the inline comment on `x`.
merge({}, {
  x: untrusted, // should not be treated as individual named parameters
  y: untrusted,
  z: untrusted
});