mirror of
https://github.com/github/codeql.git
synced 2026-07-18 17:58:14 +02:00
This adds Alert annotations for alerts that seem intentional by the test but has not been annotated with 'NOT OK', or the comment was in the wrong place. In a few cases I included 'Source' expectations to make it easier to see what happened. Other 'Source' expectations will be added in bulk a later commit.
46 lines
1.1 KiB
JavaScript
46 lines
1.1 KiB
JavaScript
let externalLib = require('external-lib');
|
|
|
|
let untrusted = window.name;
|
|
|
|
externalLib(untrusted); // $ Alert
|
|
externalLib({x: untrusted}); // $ Alert
|
|
externalLib(...untrusted); // $ Alert
|
|
externalLib(...window.CONFIG, untrusted); // $ Alert
|
|
externalLib({ ...untrusted }); // $ Alert
|
|
externalLib(['x', untrusted, 'y']); // $ Alert
|
|
externalLib('foo', untrusted); // $ Alert
|
|
externalLib({
|
|
x: {
|
|
y: {
|
|
z: untrusted
|
|
}
|
|
} // $ Alert
|
|
});
|
|
|
|
function getDeepUntrusted() {
|
|
return {
|
|
x: {
|
|
y: {
|
|
z: [JSON.parse(untrusted)]
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
externalLib(getDeepUntrusted());
|
|
|
|
externalLib.get('/foo', (req, res) => {
|
|
res.send(untrusted); // $ Alert
|
|
req.app.locals.something.foo(untrusted); // $ Alert
|
|
});
|
|
|
|
let jsonSafeParse = require('json-safe-parse');
|
|
jsonSafeParse(untrusted); // no need to report; has known taint step
|
|
|
|
let merge = require('lodash.merge');
|
|
merge({}, { // $ Alert
|
|
x: untrusted, // should not be treated as individual named parameters
|
|
y: untrusted,
|
|
z: untrusted
|
|
}); // $ Alert
|