Files
codeql/javascript/ql/test/query-tests/Security/CWE-020/UntrustedDataToExternalAPI/tst-UntrustedDataToExternalAPI.js
Asger F 10a7294327 JS: Accept trivial test changes
This adds Alert annotations for alerts that seem intentional by the test
but has not been annotated with 'NOT OK', or the comment was in the wrong
place.

In a few cases I included 'Source' expectations to make it easier to see
what happened. Other 'Source' expectations will be added in bulk a later
commit.
2025-02-28 13:27:43 +01:00

46 lines
1.1 KiB
JavaScript

let externalLib = require('external-lib');
let untrusted = window.name;
externalLib(untrusted); // $ Alert
externalLib({x: untrusted}); // $ Alert
externalLib(...untrusted); // $ Alert
externalLib(...window.CONFIG, untrusted); // $ Alert
externalLib({ ...untrusted }); // $ Alert
externalLib(['x', untrusted, 'y']); // $ Alert
externalLib('foo', untrusted); // $ Alert
externalLib({
x: {
y: {
z: untrusted
}
} // $ Alert
});
function getDeepUntrusted() {
return {
x: {
y: {
z: [JSON.parse(untrusted)]
}
}
}
}
externalLib(getDeepUntrusted());
externalLib.get('/foo', (req, res) => {
res.send(untrusted); // $ Alert
req.app.locals.something.foo(untrusted); // $ Alert
});
let jsonSafeParse = require('json-safe-parse');
jsonSafeParse(untrusted); // no need to report; has known taint step
let merge = require('lodash.merge');
merge({}, { // $ Alert
x: untrusted, // should not be treated as individual named parameters
y: untrusted,
z: untrusted
}); // $ Alert