mirror of
https://github.com/github/codeql.git
synced 2026-04-04 14:48:20 +02:00
821cc0e875
- Fix misplaced semicolons in test files (was inside comment, moved before it) - Update QLdoc comments to reference new browser source kind names - Update docs to list browser source kinds and fix outdated 'only remote' note Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
29 lines
1.4 KiB
JavaScript
29 lines
1.4 KiB
JavaScript
import * as React from "react";
|
|
import { useParams } from "react-router-dom";
|
|
import request from 'request';
|
|
|
|
export function MyComponent() {
|
|
const params = useParams();
|
|
|
|
request('https://example.com/api/' + params.foo + '/id'); // OK - cannot manipulate path using `../`
|
|
request(params.foo); // Possibly problematic, but not currently flagged.
|
|
|
|
const query = window.location.search.substring(1); // $ Source[js/client-side-request-forgery]
|
|
request('https://example.com/api/' + query + '/id'); // $ Alert[js/client-side-request-forgery]
|
|
request('https://example.com/api?q=' + query);
|
|
request('https://example.com/api/' + window.location.search); // $ Alert[js/client-side-request-forgery] - likely OK - but currently flagged anyway
|
|
|
|
const fragment = window.location.hash.substring(1); // $ Source[js/client-side-request-forgery]
|
|
request('https://example.com/api/' + fragment + '/id'); // $ Alert[js/client-side-request-forgery]
|
|
request('https://example.com/api?q=' + fragment);
|
|
|
|
const name = window.name; // $ Source[js/client-side-request-forgery]
|
|
request('https://example.com/api/' + name + '/id'); // $ Alert[js/client-side-request-forgery]
|
|
request('https://example.com/api?q=' + name);
|
|
|
|
request(window.location.href + '?q=123');
|
|
|
|
const custom = require('testlib').getBrowserSource(); // $ Source[js/client-side-request-forgery]
|
|
request(custom); // $ Alert[js/client-side-request-forgery]
|
|
}
|