mirror of
https://github.com/github/codeql.git
synced 2026-02-06 18:21:07 +01:00
23 lines
789 B
Plaintext
23 lines
789 B
Plaintext
/**
|
|
* @name Unvalidated dynamic method call
|
|
* @description Calling a method with a user-controlled name may dispatch to
|
|
* an unexpected target, which could cause an exception.
|
|
* @kind path-problem
|
|
* @problem.severity warning
|
|
* @security-severity 7.5
|
|
* @precision high
|
|
* @id js/unvalidated-dynamic-method-call
|
|
* @tags security
|
|
* external/cwe/cwe-754
|
|
*/
|
|
|
|
import javascript
|
|
import semmle.javascript.security.dataflow.UnvalidatedDynamicMethodCallQuery
|
|
import DataFlow::PathGraph
|
|
|
|
from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
|
|
where cfg.hasFlowPath(source, sink)
|
|
select sink.getNode(), source, sink,
|
|
"Invocation of method with $@ name may dispatch to unexpected target and cause an exception.",
|
|
source.getNode(), "user-controlled"
|