hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-17 09:13:20 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
tausbn/python-add-models-for-zstd-compression
codeql/javascript/ql/test/query-tests/Security/CWE-643/XpathInjectionBad.js
Asger F 64d39da5f8 JS: Accept Sources/Sink tags
2025-02-28 13:29:30 +01:00

13 lines
405 B
JavaScript
Raw Permalink Blame History

const express = require('express');
const xpath = require('xpath');
const app = express();
app.get('/some/route', function(req, res) {
let userName = req.param("userName"); // $ Source
let badXPathExpr = xpath.parse("//users/user[login/text()='" + userName + "']/home_dir/text()"); // $ Alert - Use user-provided data directly in an XPath expression
badXPathExpr.select({
node: root
});
});
Reference in New Issue View Git Blame Copy Permalink