hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-20 18:56:32 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
codeql-cli-2.7.5
codeql/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/tst2.js
Erik Krogh Kristensen aaa8969537 add sort-keys as a clone call
2021-07-15 13:16:17 +02:00

90 lines
1.6 KiB
JavaScript
Raw Permalink Blame History

var express = require('express');
var app = express();
app.get('/user/:id', function(req, res) {
let { p, q: r } = req.params;
res.send(p); // NOT OK
res.send(r); // NOT OK
});
const aKnownValue = "foo";
app.get('/bar', function(req, res) {
let { p } = req.params;
if (p == aKnownValue)
res.send(p); // OK
res.send(p); // NOT OK
if (p != aKnownValue)
res.send(p); // NOT OK
else
res.send(p); // OK
});
const clone = require('clone');
app.get('/baz', function(req, res) {
let { p } = req.params;
var obj = {};
obj.p = p;
var other = clone(obj);
res.send(p); // NOT OK
res.send(other.p); // NOT OK
});
const serializeJavaScript = require('serialize-javascript');
app.get('/baz', function(req, res) {
let { p } = req.params;
var serialized = serializeJavaScript(p);
res.send(serialized); // OK
var unsafe = serializeJavaScript(p, {unsafe: true});
res.send(unsafe); // NOT OK
});
const fclone = require('fclone');
app.get('/baz', function(req, res) {
let { p } = req.params;
var obj = {};
obj.p = p;
var other = fclone(obj);
res.send(p); // NOT OK
res.send(other.p); // NOT OK
});
const jc = require('json-cycle');
app.get('/baz', function(req, res) {
let { p } = req.params;
var obj = {};
obj.p = p;
var other = jc.retrocycle(jc.decycle(obj));
res.send(p); // NOT OK
res.send(other.p); // NOT OK
});
const sortKeys = require('sort-keys');
app.get('/baz', function(req, res) {
let { p } = req.params;
var obj = {};
obj.p = p;
var other = sortKeys(obj);
res.send(p); // NOT OK
res.send(other.p); // NOT OK
});
Reference in New Issue View Git Blame Copy Permalink