hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-18 09:43:15 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
experimental/benjamin-button
codeql/javascript/ql/test/query-tests/Security/CWE-770/tst.js
Asger Feldthaus 581f4ed757 JS: Generalize handling of route handler wrapper functions
2021-04-20 12:46:40 +01:00

80 lines
2.8 KiB
JavaScript
Raw Permalink Blame History

var express = require('express');
var fs = require('fs');
var child_process = require('child_process');
var mysql = require('mysql');
var connection = mysql.createConnection({
host : 'localhost',
user : 'me',
password : 'secret',
database : 'my_db'
});
connection.connect();
function expensiveHandler1(req, res) { login(); }
function expensiveHandler2(req, res) { fs.writeFileSync("log", "request"); }
function expensiveHandler3(req, res) { child_process.exec("/bin/true"); }
function expensiveHandler4(req, res) { connection.query('SELECT 1 + 1 AS solution'); }
function inexpensiveHandler(req, res) { res.send("Hi"); }
function mkSubRouter1() {
var router = new express.Router();
router.get('/:path', expensiveHandler1); // NOT OK
return router;
}
function mkSubRouter2() {
var router = new express.Router();
router.get('/:path', expensiveHandler1); // OK
return router;
}
var app1 = express();
// no rate limiting
app1.get('/:path', expensiveHandler1); // NOT OK
app1.get('/:path', expensiveHandler2); // NOT OK
app1.get('/:path', expensiveHandler3); // NOT OK
app1.get('/:path', expensiveHandler4); // NOT OK
app1.get('/:path', inexpensiveHandler); // OK
app1.use(mkSubRouter1());
// rate limiting using express-rate-limit
var RateLimit = require('express-rate-limit');
var limiter = new RateLimit();
app1.use(limiter);
app1.get('/:path', expensiveHandler1); // OK
app1.get('/:path', expensiveHandler2); // OK
app1.get('/:path', expensiveHandler3); // OK
app1.get('/:path', expensiveHandler4); // OK
app1.get('/:path', inexpensiveHandler); // OK
app1.use(mkSubRouter2());
// rate limiting using express-brute
var app2 = express();
var ExpressBrute = require('express-brute');
var bruteforce = new ExpressBrute();
app2.get('/:path', bruteforce.prevent, expensiveHandler1); // OK
// rate limiting using express-limiter
var app3 = express();
var limiter = require('express-limiter')(app3);
app3.get('/:path', expensiveHandler1); // OK
express().get('/:path', function(req, res) { verifyUser(req); }); // NOT OK
express().get('/:path', RateLimit(), function(req, res) { verifyUser(req); }); // OK
// rate limiting using rate-limiter-flexible
const { RateLimiterRedis } = require('rate-limiter-flexible');
const rateLimiter = new RateLimiterRedis();
const rateLimiterMiddleware = (req, res, next) => {
rateLimiter.consume(req.ip).then(next).catch(res.status(429).send('rate limited'));
};
express().get('/:path', rateLimiterMiddleware, expensiveHandler1);
const catchAsync = fn => (...args) => fn(...args).catch(args[2]);
express().get('/:path', catchAsync(expensiveHandler1)); // NOT OK
express().get('/:path', rateLimiterMiddleware, catchAsync(expensiveHandler1)); // OK
express().get('/:path', catchAsync(rateLimiterMiddleware), expensiveHandler1); // OK
express().get('/:path', catchAsync(rateLimiterMiddleware), catchAsync(expensiveHandler1)); // OK
Reference in New Issue View Git Blame Copy Permalink