hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-03-30 20:28:15 +02:00
Code Issues Packages Projects Releases Wiki Activity
Files
22f16dda854372544eabcb5bc3836a6a2770aa79
codeql/javascript/ql/test/query-tests/Security/CWE-918/RequestForgery.expected
Asger F 4a001f960f JS: Add tests in request forgery queries
2026-03-11 13:53:25 +01:00

281 lines
32 KiB
Plaintext
Raw Blame History

#select
| Request/app/api/proxy/route2.serverSide.ts:5:21:5:30 | fetch(url) | Request/app/api/proxy/route2.serverSide.ts:4:25:4:34 | req.json() | Request/app/api/proxy/route2.serverSide.ts:5:27:5:29 | url | The $@ of this request depends on a $@. | Request/app/api/proxy/route2.serverSide.ts:5:27:5:29 | url | URL | Request/app/api/proxy/route2.serverSide.ts:4:25:4:34 | req.json() | user-provided value |
| Request/app/api/proxy/route.serverSide.ts:3:21:3:30 | fetch(url) | Request/app/api/proxy/route.serverSide.ts:2:25:2:34 | req.json() | Request/app/api/proxy/route.serverSide.ts:3:27:3:29 | url | The $@ of this request depends on a $@. | Request/app/api/proxy/route.serverSide.ts:3:27:3:29 | url | URL | Request/app/api/proxy/route.serverSide.ts:2:25:2:34 | req.json() | user-provided value |
| Request/middleware.ts:7:25:7:37 | fetch(target) | Request/middleware.ts:4:20:4:30 | req.nextUrl | Request/middleware.ts:7:31:7:36 | target | The $@ of this request depends on a $@. | Request/middleware.ts:7:31:7:36 | target | URL | Request/middleware.ts:4:20:4:30 | req.nextUrl | user-provided value |
| Request/middleware.ts:12:27:12:40 | fetch(target2) | Request/middleware.ts:5:21:5:53 | target. ... arget') | Request/middleware.ts:12:33:12:39 | target2 | The $@ of this request depends on a $@. | Request/middleware.ts:12:33:12:39 | target2 | URL | Request/middleware.ts:5:21:5:53 | target. ... arget') | user-provided value |
| apollo.serverSide.ts:8:39:8:64 | get(fil ... => {}) | apollo.serverSide.ts:7:36:7:44 | { files } | apollo.serverSide.ts:8:43:8:50 | file.url | The $@ of this request depends on a $@. | apollo.serverSide.ts:8:43:8:50 | file.url | URL | apollo.serverSide.ts:7:36:7:44 | { files } | user-provided value |
| apollo.serverSide.ts:18:37:18:62 | get(fil ... => {}) | apollo.serverSide.ts:17:34:17:42 | { files } | apollo.serverSide.ts:18:41:18:48 | file.url | The $@ of this request depends on a $@. | apollo.serverSide.ts:18:41:18:48 | file.url | URL | apollo.serverSide.ts:17:34:17:42 | { files } | user-provided value |
| axiosInterceptors.serverSide.js:11:26:11:40 | userProvidedUrl | axiosInterceptors.serverSide.js:19:21:19:28 | req.body | axiosInterceptors.serverSide.js:11:26:11:40 | userProvidedUrl | The $@ of this request depends on a $@. | axiosInterceptors.serverSide.js:11:26:11:40 | userProvidedUrl | endpoint | axiosInterceptors.serverSide.js:19:21:19:28 | req.body | user-provided value |
| serverSide2.js:17:26:17:45 | axios.get(targetUrl) | serverSide2.js:10:25:10:31 | req.url | serverSide2.js:17:36:17:44 | targetUrl | The $@ of this request depends on a $@. | serverSide2.js:17:36:17:44 | targetUrl | URL | serverSide2.js:10:25:10:31 | req.url | user-provided value |
| serverSide2.js:20:27:20:47 | axios.g ... etUrl1) | serverSide2.js:9:43:9:56 | req._parsedUrl | serverSide2.js:20:37:20:46 | targetUrl1 | The $@ of this request depends on a $@. | serverSide2.js:20:37:20:46 | targetUrl1 | URL | serverSide2.js:9:43:9:56 | req._parsedUrl | user-provided value |
| serverSide2.js:23:27:23:47 | axios.g ... etUrl2) | serverSide2.js:22:22:22:28 | req.url | serverSide2.js:23:37:23:46 | targetUrl2 | The $@ of this request depends on a $@. | serverSide2.js:23:37:23:46 | targetUrl2 | URL | serverSide2.js:22:22:22:28 | req.url | user-provided value |
| serverSide2.js:26:27:26:47 | axios.g ... etUrl3) | serverSide2.js:11:24:11:30 | req.url | serverSide2.js:26:37:26:46 | targetUrl3 | The $@ of this request depends on a $@. | serverSide2.js:26:37:26:46 | targetUrl3 | URL | serverSide2.js:11:24:11:30 | req.url | user-provided value |
| serverSide.js:18:5:18:20 | request(tainted) | serverSide.js:14:29:14:35 | req.url | serverSide.js:18:13:18:19 | tainted | The $@ of this request depends on a $@. | serverSide.js:18:13:18:19 | tainted | URL | serverSide.js:14:29:14:35 | req.url | user-provided value |
| serverSide.js:20:5:20:24 | request.get(tainted) | serverSide.js:14:29:14:35 | req.url | serverSide.js:20:17:20:23 | tainted | The $@ of this request depends on a $@. | serverSide.js:20:17:20:23 | tainted | URL | serverSide.js:14:29:14:35 | req.url | user-provided value |
| serverSide.js:24:5:24:20 | request(options) | serverSide.js:14:29:14:35 | req.url | serverSide.js:23:19:23:25 | tainted | The $@ of this request depends on a $@. | serverSide.js:23:19:23:25 | tainted | URL | serverSide.js:14:29:14:35 | req.url | user-provided value |
| serverSide.js:26:5:26:32 | request ... ainted) | serverSide.js:14:29:14:35 | req.url | serverSide.js:26:13:26:31 | "http://" + tainted | The $@ of this request depends on a $@. | serverSide.js:26:13:26:31 | "http://" + tainted | URL | serverSide.js:14:29:14:35 | req.url | user-provided value |
| serverSide.js:28:5:28:43 | request ... ainted) | serverSide.js:14:29:14:35 | req.url | serverSide.js:28:13:28:42 | "http:/ ... tainted | The $@ of this request depends on a $@. | serverSide.js:28:13:28:42 | "http:/ ... tainted | URL | serverSide.js:14:29:14:35 | req.url | user-provided value |
| serverSide.js:30:5:30:44 | request ... ainted) | serverSide.js:14:29:14:35 | req.url | serverSide.js:30:13:30:43 | "http:/ ... tainted | The $@ of this request depends on a $@. | serverSide.js:30:13:30:43 | "http:/ ... tainted | URL | serverSide.js:14:29:14:35 | req.url | user-provided value |
| serverSide.js:34:5:34:44 | http.ge ... nted }) | serverSide.js:14:29:14:35 | req.url | serverSide.js:34:35:34:41 | tainted | The $@ of this request depends on a $@. | serverSide.js:34:35:34:41 | tainted | host | serverSide.js:14:29:14:35 | req.url | user-provided value |
| serverSide.js:36:5:36:32 | XhrIo.s ... inted)) | serverSide.js:14:29:14:35 | req.url | serverSide.js:36:16:36:31 | new Uri(tainted) | The $@ of this request depends on a $@. | serverSide.js:36:16:36:31 | new Uri(tainted) | URL | serverSide.js:14:29:14:35 | req.url | user-provided value |
| serverSide.js:37:5:37:38 | new Xhr ... inted)) | serverSide.js:14:29:14:35 | req.url | serverSide.js:37:22:37:37 | new Uri(tainted) | The $@ of this request depends on a $@. | serverSide.js:37:22:37:37 | new Uri(tainted) | URL | serverSide.js:14:29:14:35 | req.url | user-provided value |
| serverSide.js:41:5:41:52 | request ... nted}`) | serverSide.js:14:29:14:35 | req.url | serverSide.js:41:13:41:51 | `http:/ ... inted}` | The $@ of this request depends on a $@. | serverSide.js:41:13:41:51 | `http:/ ... inted}` | URL | serverSide.js:14:29:14:35 | req.url | user-provided value |
| serverSide.js:43:5:43:55 | request ... nted}`) | serverSide.js:14:29:14:35 | req.url | serverSide.js:43:13:43:54 | `http:/ ... inted}` | The $@ of this request depends on a $@. | serverSide.js:43:13:43:54 | `http:/ ... inted}` | URL | serverSide.js:14:29:14:35 | req.url | user-provided value |
| serverSide.js:45:5:45:57 | request ... ainted) | serverSide.js:14:29:14:35 | req.url | serverSide.js:45:13:45:56 | 'http:/ ... tainted | The $@ of this request depends on a $@. | serverSide.js:45:13:45:56 | 'http:/ ... tainted | URL | serverSide.js:14:29:14:35 | req.url | user-provided value |
| serverSide.js:61:5:61:42 | client. ... nted }) | serverSide.js:58:29:58:35 | req.url | serverSide.js:61:33:61:39 | tainted | The $@ of this request depends on a $@. | serverSide.js:61:33:61:39 | tainted | URL | serverSide.js:58:29:58:35 | req.url | user-provided value |
| serverSide.js:64:9:64:46 | client. ... nted }) | serverSide.js:58:29:58:35 | req.url | serverSide.js:64:37:64:43 | tainted | The $@ of this request depends on a $@. | serverSide.js:64:37:64:43 | tainted | URL | serverSide.js:58:29:58:35 | req.url | user-provided value |
| serverSide.js:68:9:68:46 | client. ... nted }) | serverSide.js:58:29:58:35 | req.url | serverSide.js:68:37:68:43 | tainted | The $@ of this request depends on a $@. | serverSide.js:68:37:68:43 | tainted | URL | serverSide.js:58:29:58:35 | req.url | user-provided value |
| serverSide.js:76:5:76:26 | JSDOM.f ... ainted) | serverSide.js:74:29:74:35 | req.url | serverSide.js:76:19:76:25 | tainted | The $@ of this request depends on a $@. | serverSide.js:76:19:76:25 | tainted | URL | serverSide.js:74:29:74:35 | req.url | user-provided value |
| serverSide.js:84:5:84:25 | JSDOM.f ... param1) | serverSide.js:83:38:83:43 | param1 | serverSide.js:84:19:84:24 | param1 | The $@ of this request depends on a $@. | serverSide.js:84:19:84:24 | param1 | URL | serverSide.js:83:38:83:43 | param1 | user-provided value |
| serverSide.js:90:5:90:33 | JSDOM.f ... ms.foo) | serverSide.js:90:19:90:28 | ctx.params | serverSide.js:90:19:90:32 | ctx.params.foo | The $@ of this request depends on a $@. | serverSide.js:90:19:90:32 | ctx.params.foo | URL | serverSide.js:90:19:90:28 | ctx.params | user-provided value |
| serverSide.js:92:5:92:33 | JSDOM.f ... ms.foo) | serverSide.js:92:19:92:28 | ctx.params | serverSide.js:92:19:92:32 | ctx.params.foo | The $@ of this request depends on a $@. | serverSide.js:92:19:92:32 | ctx.params.foo | URL | serverSide.js:92:19:92:28 | ctx.params | user-provided value |
| serverSide.js:100:5:100:26 | new Web ... ainted) | serverSide.js:98:29:98:35 | req.url | serverSide.js:100:19:100:25 | tainted | The $@ of this request depends on a $@. | serverSide.js:100:19:100:25 | tainted | URL | serverSide.js:98:29:98:35 | req.url | user-provided value |
| serverSide.js:109:24:109:34 | new ws(url) | serverSide.js:108:21:108:31 | request.url | serverSide.js:109:31:109:33 | url | The $@ of this request depends on a $@. | serverSide.js:109:31:109:33 | url | URL | serverSide.js:108:21:108:31 | request.url | user-provided value |
| serverSide.js:117:24:117:34 | new ws(url) | serverSide.js:115:29:115:39 | request.url | serverSide.js:117:31:117:33 | url | The $@ of this request depends on a $@. | serverSide.js:117:31:117:33 | url | URL | serverSide.js:115:29:115:39 | request.url | user-provided value |
| serverSide.js:125:5:128:6 | axios({ ... \\n }) | serverSide.js:123:29:123:35 | req.url | serverSide.js:127:14:127:20 | tainted | The $@ of this request depends on a $@. | serverSide.js:127:14:127:20 | tainted | URL | serverSide.js:123:29:123:35 | req.url | user-provided value |
| serverSide.js:131:5:131:20 | axios.get(myUrl) | serverSide.js:123:29:123:35 | req.url | serverSide.js:131:15:131:19 | myUrl | The $@ of this request depends on a $@. | serverSide.js:131:15:131:19 | myUrl | URL | serverSide.js:123:29:123:35 | req.url | user-provided value |
| serverSide.js:141:5:141:32 | axios.g ... ring()) | serverSide.js:139:19:139:31 | req.query.url | serverSide.js:141:15:141:31 | target.toString() | The $@ of this request depends on a $@. | serverSide.js:141:15:141:31 | target.toString() | URL | serverSide.js:139:19:139:31 | req.query.url | user-provided value |
| serverSide.js:142:5:142:21 | axios.get(target) | serverSide.js:139:19:139:31 | req.query.url | serverSide.js:142:15:142:20 | target | The $@ of this request depends on a $@. | serverSide.js:142:15:142:20 | target | URL | serverSide.js:139:19:139:31 | req.query.url | user-provided value |
| serverSide.js:143:5:143:26 | axios.g ... t.href) | serverSide.js:139:19:139:31 | req.query.url | serverSide.js:143:15:143:25 | target.href | The $@ of this request depends on a $@. | serverSide.js:143:15:143:25 | target.href | URL | serverSide.js:139:19:139:31 | req.query.url | user-provided value |
| serverSide.js:145:5:145:25 | axios.g ... dedUrl) | serverSide.js:139:19:139:31 | req.query.url | serverSide.js:145:15:145:24 | encodedUrl | The $@ of this request depends on a $@. | serverSide.js:145:15:145:24 | encodedUrl | URL | serverSide.js:139:19:139:31 | req.query.url | user-provided value |
| serverSide.js:147:5:147:25 | axios.g ... pedUrl) | serverSide.js:139:19:139:31 | req.query.url | serverSide.js:147:15:147:24 | escapedUrl | The $@ of this request depends on a $@. | serverSide.js:147:15:147:24 | escapedUrl | URL | serverSide.js:139:19:139:31 | req.query.url | user-provided value |
| serverSide.js:151:1:151:15 | request(custom) | serverSide.js:150:16:150:51 | require ... ource() | serverSide.js:151:9:151:14 | custom | The $@ of this request depends on a $@. | serverSide.js:151:9:151:14 | custom | URL | serverSide.js:150:16:150:51 | require ... ource() | user-provided value |
edges
| Request/app/api/proxy/route2.serverSide.ts:4:9:4:15 | { url } | Request/app/api/proxy/route2.serverSide.ts:4:11:4:13 | url | provenance | |
| Request/app/api/proxy/route2.serverSide.ts:4:11:4:13 | url | Request/app/api/proxy/route2.serverSide.ts:5:27:5:29 | url | provenance | |
| Request/app/api/proxy/route2.serverSide.ts:4:19:4:34 | await req.json() | Request/app/api/proxy/route2.serverSide.ts:4:9:4:15 | { url } | provenance | |
| Request/app/api/proxy/route2.serverSide.ts:4:25:4:34 | req.json() | Request/app/api/proxy/route2.serverSide.ts:4:19:4:34 | await req.json() | provenance | |
| Request/app/api/proxy/route.serverSide.ts:2:9:2:15 | { url } | Request/app/api/proxy/route.serverSide.ts:2:11:2:13 | url | provenance | |
| Request/app/api/proxy/route.serverSide.ts:2:11:2:13 | url | Request/app/api/proxy/route.serverSide.ts:3:27:3:29 | url | provenance | |
| Request/app/api/proxy/route.serverSide.ts:2:19:2:34 | await req.json() | Request/app/api/proxy/route.serverSide.ts:2:9:2:15 | { url } | provenance | |
| Request/app/api/proxy/route.serverSide.ts:2:25:2:34 | req.json() | Request/app/api/proxy/route.serverSide.ts:2:19:2:34 | await req.json() | provenance | |
| Request/middleware.ts:4:11:4:16 | target | Request/middleware.ts:7:31:7:36 | target | provenance | |
| Request/middleware.ts:4:20:4:30 | req.nextUrl | Request/middleware.ts:4:11:4:16 | target | provenance | |
| Request/middleware.ts:5:11:5:17 | target2 | Request/middleware.ts:12:33:12:39 | target2 | provenance | |
| Request/middleware.ts:5:21:5:53 | target. ... arget') | Request/middleware.ts:5:11:5:17 | target2 | provenance | |
| apollo.serverSide.ts:7:36:7:44 | { files } | apollo.serverSide.ts:7:38:7:42 | files | provenance | |
| apollo.serverSide.ts:7:38:7:42 | files | apollo.serverSide.ts:8:13:8:17 | files | provenance | |
| apollo.serverSide.ts:8:13:8:17 | files | apollo.serverSide.ts:8:28:8:31 | file | provenance | |
| apollo.serverSide.ts:8:28:8:31 | file | apollo.serverSide.ts:8:43:8:46 | file | provenance | |
| apollo.serverSide.ts:8:43:8:46 | file | apollo.serverSide.ts:8:43:8:50 | file.url | provenance | |
| apollo.serverSide.ts:17:34:17:42 | { files } | apollo.serverSide.ts:17:36:17:40 | files | provenance | |
| apollo.serverSide.ts:17:36:17:40 | files | apollo.serverSide.ts:18:11:18:15 | files | provenance | |
| apollo.serverSide.ts:18:11:18:15 | files | apollo.serverSide.ts:18:26:18:29 | file | provenance | |
| apollo.serverSide.ts:18:26:18:29 | file | apollo.serverSide.ts:18:41:18:44 | file | provenance | |
| apollo.serverSide.ts:18:41:18:44 | file | apollo.serverSide.ts:18:41:18:48 | file.url | provenance | |
| axiosInterceptors.serverSide.js:19:11:19:17 | { url } | axiosInterceptors.serverSide.js:19:13:19:15 | url | provenance | |
| axiosInterceptors.serverSide.js:19:13:19:15 | url | axiosInterceptors.serverSide.js:20:23:20:25 | url | provenance | |
| axiosInterceptors.serverSide.js:19:21:19:28 | req.body | axiosInterceptors.serverSide.js:19:11:19:17 | { url } | provenance | |
| axiosInterceptors.serverSide.js:20:5:20:19 | userProvidedUrl | axiosInterceptors.serverSide.js:11:26:11:40 | userProvidedUrl | provenance | |
| axiosInterceptors.serverSide.js:20:23:20:25 | url | axiosInterceptors.serverSide.js:20:5:20:19 | userProvidedUrl | provenance | |
| serverSide2.js:9:34:9:63 | qs.pars ... .query) | serverSide2.js:19:22:19:49 | req.par ... rsedUrl | provenance | |
| serverSide2.js:9:43:9:56 | req._parsedUrl | serverSide2.js:9:34:9:63 | qs.pars ... .query) | provenance | |
| serverSide2.js:10:25:10:31 | req.url | serverSide2.js:16:21:16:39 | req.parsedQuery.url | provenance | |
| serverSide2.js:11:24:11:30 | req.url | serverSide2.js:25:22:25:39 | req.SomeObject.url | provenance | |
| serverSide2.js:16:9:16:17 | targetUrl | serverSide2.js:17:36:17:44 | targetUrl | provenance | |
| serverSide2.js:16:21:16:39 | req.parsedQuery.url | serverSide2.js:16:9:16:17 | targetUrl | provenance | |
| serverSide2.js:19:9:19:18 | targetUrl1 | serverSide2.js:20:37:20:46 | targetUrl1 | provenance | |
| serverSide2.js:19:22:19:49 | req.par ... rsedUrl | serverSide2.js:19:9:19:18 | targetUrl1 | provenance | |
| serverSide2.js:22:9:22:18 | targetUrl2 | serverSide2.js:23:37:23:46 | targetUrl2 | provenance | |
| serverSide2.js:22:22:22:28 | req.url | serverSide2.js:22:9:22:18 | targetUrl2 | provenance | |
| serverSide2.js:25:9:25:18 | targetUrl3 | serverSide2.js:26:37:26:46 | targetUrl3 | provenance | |
| serverSide2.js:25:22:25:39 | req.SomeObject.url | serverSide2.js:25:9:25:18 | targetUrl3 | provenance | |
| serverSide.js:14:9:14:15 | tainted | serverSide.js:18:13:18:19 | tainted | provenance | |
| serverSide.js:14:9:14:15 | tainted | serverSide.js:20:17:20:23 | tainted | provenance | |
| serverSide.js:14:9:14:15 | tainted | serverSide.js:23:19:23:25 | tainted | provenance | |
| serverSide.js:14:9:14:15 | tainted | serverSide.js:26:25:26:31 | tainted | provenance | |
| serverSide.js:14:9:14:15 | tainted | serverSide.js:28:36:28:42 | tainted | provenance | |
| serverSide.js:14:9:14:15 | tainted | serverSide.js:30:37:30:43 | tainted | provenance | |
| serverSide.js:14:9:14:15 | tainted | serverSide.js:34:35:34:41 | tainted | provenance | |
| serverSide.js:14:9:14:15 | tainted | serverSide.js:36:24:36:30 | tainted | provenance | |
| serverSide.js:14:9:14:15 | tainted | serverSide.js:37:30:37:36 | tainted | provenance | |
| serverSide.js:14:9:14:15 | tainted | serverSide.js:41:43:41:49 | tainted | provenance | |
| serverSide.js:14:9:14:15 | tainted | serverSide.js:43:46:43:52 | tainted | provenance | |
| serverSide.js:14:9:14:15 | tainted | serverSide.js:45:50:45:56 | tainted | provenance | |
| serverSide.js:14:19:14:42 | url.par ... , true) | serverSide.js:14:9:14:15 | tainted | provenance | |
| serverSide.js:14:29:14:35 | req.url | serverSide.js:14:19:14:42 | url.par ... , true) | provenance | |
| serverSide.js:26:25:26:31 | tainted | serverSide.js:26:13:26:31 | "http://" + tainted | provenance | |
| serverSide.js:28:36:28:42 | tainted | serverSide.js:28:13:28:42 | "http:/ ... tainted | provenance | |
| serverSide.js:30:37:30:43 | tainted | serverSide.js:30:13:30:43 | "http:/ ... tainted | provenance | |
| serverSide.js:36:24:36:30 | tainted | serverSide.js:36:16:36:31 | new Uri(tainted) | provenance | |
| serverSide.js:37:30:37:36 | tainted | serverSide.js:37:22:37:37 | new Uri(tainted) | provenance | |
| serverSide.js:41:43:41:49 | tainted | serverSide.js:41:13:41:51 | `http:/ ... inted}` | provenance | |
| serverSide.js:43:46:43:52 | tainted | serverSide.js:43:13:43:54 | `http:/ ... inted}` | provenance | |
| serverSide.js:45:50:45:56 | tainted | serverSide.js:45:13:45:56 | 'http:/ ... tainted | provenance | |
| serverSide.js:58:9:58:15 | tainted | serverSide.js:61:33:61:39 | tainted | provenance | |
| serverSide.js:58:9:58:15 | tainted | serverSide.js:61:33:61:39 | tainted | provenance | |
| serverSide.js:58:19:58:42 | url.par ... , true) | serverSide.js:58:9:58:15 | tainted | provenance | |
| serverSide.js:58:29:58:35 | req.url | serverSide.js:58:19:58:42 | url.par ... , true) | provenance | |
| serverSide.js:61:33:61:39 | tainted | serverSide.js:64:37:64:43 | tainted | provenance | |
| serverSide.js:61:33:61:39 | tainted | serverSide.js:68:37:68:43 | tainted | provenance | |
| serverSide.js:74:9:74:15 | tainted | serverSide.js:76:19:76:25 | tainted | provenance | |
| serverSide.js:74:19:74:42 | url.par ... , true) | serverSide.js:74:9:74:15 | tainted | provenance | |
| serverSide.js:74:29:74:35 | req.url | serverSide.js:74:19:74:42 | url.par ... , true) | provenance | |
| serverSide.js:83:38:83:43 | param1 | serverSide.js:84:19:84:24 | param1 | provenance | |
| serverSide.js:90:19:90:28 | ctx.params | serverSide.js:90:19:90:32 | ctx.params.foo | provenance | |
| serverSide.js:92:19:92:28 | ctx.params | serverSide.js:92:19:92:32 | ctx.params.foo | provenance | |
| serverSide.js:98:9:98:15 | tainted | serverSide.js:100:19:100:25 | tainted | provenance | |
| serverSide.js:98:19:98:42 | url.par ... , true) | serverSide.js:98:9:98:15 | tainted | provenance | |
| serverSide.js:98:29:98:35 | req.url | serverSide.js:98:19:98:42 | url.par ... , true) | provenance | |
| serverSide.js:108:15:108:17 | url | serverSide.js:109:31:109:33 | url | provenance | |
| serverSide.js:108:21:108:31 | request.url | serverSide.js:108:15:108:17 | url | provenance | |
| serverSide.js:115:15:115:17 | url | serverSide.js:117:31:117:33 | url | provenance | |
| serverSide.js:115:21:115:46 | new URL ... , base) | serverSide.js:115:15:115:17 | url | provenance | |
| serverSide.js:115:29:115:39 | request.url | serverSide.js:115:21:115:46 | new URL ... , base) | provenance | Config |
| serverSide.js:123:9:123:15 | tainted | serverSide.js:127:14:127:20 | tainted | provenance | |
| serverSide.js:123:9:123:15 | tainted | serverSide.js:130:37:130:43 | tainted | provenance | |
| serverSide.js:123:19:123:42 | url.par ... , true) | serverSide.js:123:9:123:15 | tainted | provenance | |
| serverSide.js:123:29:123:35 | req.url | serverSide.js:123:19:123:42 | url.par ... , true) | provenance | |
| serverSide.js:130:9:130:13 | myUrl | serverSide.js:131:15:131:19 | myUrl | provenance | |
| serverSide.js:130:37:130:43 | tainted | serverSide.js:130:9:130:13 | myUrl | provenance | |
| serverSide.js:139:11:139:15 | input | serverSide.js:140:28:140:32 | input | provenance | |
| serverSide.js:139:11:139:15 | input | serverSide.js:144:34:144:38 | input | provenance | |
| serverSide.js:139:11:139:15 | input | serverSide.js:146:31:146:35 | input | provenance | |
| serverSide.js:139:19:139:31 | req.query.url | serverSide.js:139:11:139:15 | input | provenance | |
| serverSide.js:140:11:140:16 | target | serverSide.js:141:15:141:20 | target | provenance | |
| serverSide.js:140:11:140:16 | target | serverSide.js:142:15:142:20 | target | provenance | |
| serverSide.js:140:11:140:16 | target | serverSide.js:143:15:143:20 | target | provenance | |
| serverSide.js:140:20:140:33 | new URL(input) | serverSide.js:140:11:140:16 | target | provenance | |
| serverSide.js:140:28:140:32 | input | serverSide.js:140:20:140:33 | new URL(input) | provenance | Config |
| serverSide.js:141:15:141:20 | target | serverSide.js:141:15:141:31 | target.toString() | provenance | |
| serverSide.js:143:15:143:20 | target | serverSide.js:143:15:143:25 | target.href | provenance | |
| serverSide.js:144:11:144:20 | encodedUrl | serverSide.js:145:15:145:24 | encodedUrl | provenance | |
| serverSide.js:144:24:144:39 | encodeURI(input) | serverSide.js:144:11:144:20 | encodedUrl | provenance | |
| serverSide.js:144:34:144:38 | input | serverSide.js:144:24:144:39 | encodeURI(input) | provenance | |
| serverSide.js:146:11:146:20 | escapedUrl | serverSide.js:147:15:147:24 | escapedUrl | provenance | |
| serverSide.js:146:24:146:36 | escape(input) | serverSide.js:146:11:146:20 | escapedUrl | provenance | |
| serverSide.js:146:31:146:35 | input | serverSide.js:146:24:146:36 | escape(input) | provenance | |
| serverSide.js:150:7:150:12 | custom | serverSide.js:151:9:151:14 | custom | provenance | |
| serverSide.js:150:16:150:51 | require ... ource() | serverSide.js:150:7:150:12 | custom | provenance | |
nodes
| Request/app/api/proxy/route2.serverSide.ts:4:9:4:15 | { url } | semmle.label | { url } |
| Request/app/api/proxy/route2.serverSide.ts:4:11:4:13 | url | semmle.label | url |
| Request/app/api/proxy/route2.serverSide.ts:4:19:4:34 | await req.json() | semmle.label | await req.json() |
| Request/app/api/proxy/route2.serverSide.ts:4:25:4:34 | req.json() | semmle.label | req.json() |
| Request/app/api/proxy/route2.serverSide.ts:5:27:5:29 | url | semmle.label | url |
| Request/app/api/proxy/route.serverSide.ts:2:9:2:15 | { url } | semmle.label | { url } |
| Request/app/api/proxy/route.serverSide.ts:2:11:2:13 | url | semmle.label | url |
| Request/app/api/proxy/route.serverSide.ts:2:19:2:34 | await req.json() | semmle.label | await req.json() |
| Request/app/api/proxy/route.serverSide.ts:2:25:2:34 | req.json() | semmle.label | req.json() |
| Request/app/api/proxy/route.serverSide.ts:3:27:3:29 | url | semmle.label | url |
| Request/middleware.ts:4:11:4:16 | target | semmle.label | target |
| Request/middleware.ts:4:20:4:30 | req.nextUrl | semmle.label | req.nextUrl |
| Request/middleware.ts:5:11:5:17 | target2 | semmle.label | target2 |
| Request/middleware.ts:5:21:5:53 | target. ... arget') | semmle.label | target. ... arget') |
| Request/middleware.ts:7:31:7:36 | target | semmle.label | target |
| Request/middleware.ts:12:33:12:39 | target2 | semmle.label | target2 |
| apollo.serverSide.ts:7:36:7:44 | { files } | semmle.label | { files } |
| apollo.serverSide.ts:7:38:7:42 | files | semmle.label | files |
| apollo.serverSide.ts:8:13:8:17 | files | semmle.label | files |
| apollo.serverSide.ts:8:28:8:31 | file | semmle.label | file |
| apollo.serverSide.ts:8:43:8:46 | file | semmle.label | file |
| apollo.serverSide.ts:8:43:8:50 | file.url | semmle.label | file.url |
| apollo.serverSide.ts:17:34:17:42 | { files } | semmle.label | { files } |
| apollo.serverSide.ts:17:36:17:40 | files | semmle.label | files |
| apollo.serverSide.ts:18:11:18:15 | files | semmle.label | files |
| apollo.serverSide.ts:18:26:18:29 | file | semmle.label | file |
| apollo.serverSide.ts:18:41:18:44 | file | semmle.label | file |
| apollo.serverSide.ts:18:41:18:48 | file.url | semmle.label | file.url |
| axiosInterceptors.serverSide.js:11:26:11:40 | userProvidedUrl | semmle.label | userProvidedUrl |
| axiosInterceptors.serverSide.js:19:11:19:17 | { url } | semmle.label | { url } |
| axiosInterceptors.serverSide.js:19:13:19:15 | url | semmle.label | url |
| axiosInterceptors.serverSide.js:19:21:19:28 | req.body | semmle.label | req.body |
| axiosInterceptors.serverSide.js:20:5:20:19 | userProvidedUrl | semmle.label | userProvidedUrl |
| axiosInterceptors.serverSide.js:20:23:20:25 | url | semmle.label | url |
| serverSide2.js:9:34:9:63 | qs.pars ... .query) | semmle.label | qs.pars ... .query) |
| serverSide2.js:9:43:9:56 | req._parsedUrl | semmle.label | req._parsedUrl |
| serverSide2.js:10:25:10:31 | req.url | semmle.label | req.url |
| serverSide2.js:11:24:11:30 | req.url | semmle.label | req.url |
| serverSide2.js:16:9:16:17 | targetUrl | semmle.label | targetUrl |
| serverSide2.js:16:21:16:39 | req.parsedQuery.url | semmle.label | req.parsedQuery.url |
| serverSide2.js:17:36:17:44 | targetUrl | semmle.label | targetUrl |
| serverSide2.js:19:9:19:18 | targetUrl1 | semmle.label | targetUrl1 |
| serverSide2.js:19:22:19:49 | req.par ... rsedUrl | semmle.label | req.par ... rsedUrl |
| serverSide2.js:20:37:20:46 | targetUrl1 | semmle.label | targetUrl1 |
| serverSide2.js:22:9:22:18 | targetUrl2 | semmle.label | targetUrl2 |
| serverSide2.js:22:22:22:28 | req.url | semmle.label | req.url |
| serverSide2.js:23:37:23:46 | targetUrl2 | semmle.label | targetUrl2 |
| serverSide2.js:25:9:25:18 | targetUrl3 | semmle.label | targetUrl3 |
| serverSide2.js:25:22:25:39 | req.SomeObject.url | semmle.label | req.SomeObject.url |
| serverSide2.js:26:37:26:46 | targetUrl3 | semmle.label | targetUrl3 |
| serverSide.js:14:9:14:15 | tainted | semmle.label | tainted |
| serverSide.js:14:19:14:42 | url.par ... , true) | semmle.label | url.par ... , true) |
| serverSide.js:14:29:14:35 | req.url | semmle.label | req.url |
| serverSide.js:18:13:18:19 | tainted | semmle.label | tainted |
| serverSide.js:20:17:20:23 | tainted | semmle.label | tainted |
| serverSide.js:23:19:23:25 | tainted | semmle.label | tainted |
| serverSide.js:26:13:26:31 | "http://" + tainted | semmle.label | "http://" + tainted |
| serverSide.js:26:25:26:31 | tainted | semmle.label | tainted |
| serverSide.js:28:13:28:42 | "http:/ ... tainted | semmle.label | "http:/ ... tainted |
| serverSide.js:28:36:28:42 | tainted | semmle.label | tainted |
| serverSide.js:30:13:30:43 | "http:/ ... tainted | semmle.label | "http:/ ... tainted |
| serverSide.js:30:37:30:43 | tainted | semmle.label | tainted |
| serverSide.js:34:35:34:41 | tainted | semmle.label | tainted |
| serverSide.js:36:16:36:31 | new Uri(tainted) | semmle.label | new Uri(tainted) |
| serverSide.js:36:24:36:30 | tainted | semmle.label | tainted |
| serverSide.js:37:22:37:37 | new Uri(tainted) | semmle.label | new Uri(tainted) |
| serverSide.js:37:30:37:36 | tainted | semmle.label | tainted |
| serverSide.js:41:13:41:51 | `http:/ ... inted}` | semmle.label | `http:/ ... inted}` |
| serverSide.js:41:43:41:49 | tainted | semmle.label | tainted |
| serverSide.js:43:13:43:54 | `http:/ ... inted}` | semmle.label | `http:/ ... inted}` |
| serverSide.js:43:46:43:52 | tainted | semmle.label | tainted |
| serverSide.js:45:13:45:56 | 'http:/ ... tainted | semmle.label | 'http:/ ... tainted |
| serverSide.js:45:50:45:56 | tainted | semmle.label | tainted |
| serverSide.js:58:9:58:15 | tainted | semmle.label | tainted |
| serverSide.js:58:19:58:42 | url.par ... , true) | semmle.label | url.par ... , true) |
| serverSide.js:58:29:58:35 | req.url | semmle.label | req.url |
| serverSide.js:61:33:61:39 | tainted | semmle.label | tainted |
| serverSide.js:61:33:61:39 | tainted | semmle.label | tainted |
| serverSide.js:64:37:64:43 | tainted | semmle.label | tainted |
| serverSide.js:68:37:68:43 | tainted | semmle.label | tainted |
| serverSide.js:74:9:74:15 | tainted | semmle.label | tainted |
| serverSide.js:74:19:74:42 | url.par ... , true) | semmle.label | url.par ... , true) |
| serverSide.js:74:29:74:35 | req.url | semmle.label | req.url |
| serverSide.js:76:19:76:25 | tainted | semmle.label | tainted |
| serverSide.js:83:38:83:43 | param1 | semmle.label | param1 |
| serverSide.js:84:19:84:24 | param1 | semmle.label | param1 |
| serverSide.js:90:19:90:28 | ctx.params | semmle.label | ctx.params |
| serverSide.js:90:19:90:32 | ctx.params.foo | semmle.label | ctx.params.foo |
| serverSide.js:92:19:92:28 | ctx.params | semmle.label | ctx.params |
| serverSide.js:92:19:92:32 | ctx.params.foo | semmle.label | ctx.params.foo |
| serverSide.js:98:9:98:15 | tainted | semmle.label | tainted |
| serverSide.js:98:19:98:42 | url.par ... , true) | semmle.label | url.par ... , true) |
| serverSide.js:98:29:98:35 | req.url | semmle.label | req.url |
| serverSide.js:100:19:100:25 | tainted | semmle.label | tainted |
| serverSide.js:108:15:108:17 | url | semmle.label | url |
| serverSide.js:108:21:108:31 | request.url | semmle.label | request.url |
| serverSide.js:109:31:109:33 | url | semmle.label | url |
| serverSide.js:115:15:115:17 | url | semmle.label | url |
| serverSide.js:115:21:115:46 | new URL ... , base) | semmle.label | new URL ... , base) |
| serverSide.js:115:29:115:39 | request.url | semmle.label | request.url |
| serverSide.js:117:31:117:33 | url | semmle.label | url |
| serverSide.js:123:9:123:15 | tainted | semmle.label | tainted |
| serverSide.js:123:19:123:42 | url.par ... , true) | semmle.label | url.par ... , true) |
| serverSide.js:123:29:123:35 | req.url | semmle.label | req.url |
| serverSide.js:127:14:127:20 | tainted | semmle.label | tainted |
| serverSide.js:130:9:130:13 | myUrl | semmle.label | myUrl |
| serverSide.js:130:37:130:43 | tainted | semmle.label | tainted |
| serverSide.js:131:15:131:19 | myUrl | semmle.label | myUrl |
| serverSide.js:139:11:139:15 | input | semmle.label | input |
| serverSide.js:139:19:139:31 | req.query.url | semmle.label | req.query.url |
| serverSide.js:140:11:140:16 | target | semmle.label | target |
| serverSide.js:140:20:140:33 | new URL(input) | semmle.label | new URL(input) |
| serverSide.js:140:28:140:32 | input | semmle.label | input |
| serverSide.js:141:15:141:20 | target | semmle.label | target |
| serverSide.js:141:15:141:31 | target.toString() | semmle.label | target.toString() |
| serverSide.js:142:15:142:20 | target | semmle.label | target |
| serverSide.js:143:15:143:20 | target | semmle.label | target |
| serverSide.js:143:15:143:25 | target.href | semmle.label | target.href |
| serverSide.js:144:11:144:20 | encodedUrl | semmle.label | encodedUrl |
| serverSide.js:144:24:144:39 | encodeURI(input) | semmle.label | encodeURI(input) |
| serverSide.js:144:34:144:38 | input | semmle.label | input |
| serverSide.js:145:15:145:24 | encodedUrl | semmle.label | encodedUrl |
| serverSide.js:146:11:146:20 | escapedUrl | semmle.label | escapedUrl |
| serverSide.js:146:24:146:36 | escape(input) | semmle.label | escape(input) |
| serverSide.js:146:31:146:35 | input | semmle.label | input |
| serverSide.js:147:15:147:24 | escapedUrl | semmle.label | escapedUrl |
| serverSide.js:150:7:150:12 | custom | semmle.label | custom |
| serverSide.js:150:16:150:51 | require ... ource() | semmle.label | require ... ource() |
| serverSide.js:151:9:151:14 | custom | semmle.label | custom |
subpaths
Reference in New Issue View Git Blame Copy Permalink