var express = require('express');
var Koa = require('koa');
// Test fixture for a type-confusion query. `req.query.foo` is attacker-controlled
// and is not guaranteed to be a string: as the `safeGet` comments below note, a
// query value can also arrive as an array (e.g. `?foo=a&foo=b`), so String-only
// methods on it are a type confusion. Lines carrying an "Alert" marker are the
// uses the query is expected to flag; unmarked lines are patterns it is expected
// to leave alone. Do not restyle: the exact syntax IS the test.
express().get('/some/path', function (req, res) {
var foo = req.query.foo; // $ Source
// Unguarded String-style calls on a value that may be an array.
foo.indexOf(); // $ Alert
foo.concat(); // $ Alert
// The tainted value reaches a closure and a callee parameter as well.
function f() {
foo.concat(); // $ Alert
}
function g(bar) {
bar.concat(); // $ Alert
}
g(foo);
// Not flagged: `req.url` is the raw request target, not a parsed query value.
req.url.indexOf();
// Prefix checks of the `indexOf(x) === 0` / `== 0` / `!== 0` shape and a
// `slice(-1)` suffix check are expected to be treated as benign. `prefix` is
// not declared anywhere in this file; it only matters as a pattern.
foo.indexOf(prefix) === 0;
foo.indexOf(prefix) == 0;
foo.indexOf(prefix) !== 0;
foo.slice(-1) === 'x';
// The same calls compared against a non-zero index / offset are flagged, as is
// a bare `.length` read whose value is consumed.
foo.indexOf(prefix) == 1; // $ Alert
foo.slice(1) === 'x'; // $ Alert
foo.length; // $ Alert
// A `typeof === "string"` guard: neither branch is expected to be flagged
// (see the MISSING note below for the side effect of that).
if (typeof foo === "string") {
foo.indexOf();
} else {
foo.indexOf();
}
// `instanceof Array` guard: not flagged inside the guarded block.
if (foo instanceof Array) {
foo.indexOf();
}
// `+` with a non-numeric operand yields a primitive string, so the call target
// is a string regardless of what `foo` was.
(foo + f()).indexOf();
foo.length; // $ MISSING: Alert - missed due to guards sanitising both branches
});
// Same pattern through Koa: `ctx.request.query.foo` is a parsed query value
// (string or array; confirm against Koa's parser), so an unguarded String
// method on it is expected to be flagged.
new Koa().use(function handler(ctx) {
var foo = ctx.request.query.foo; // $ Source
foo.indexOf(); // $ Alert
});
// Route parameters are not a source for this fixture: no alert is expected,
// presumably because a matched path segment is always a single string.
express().get('/some/path/:foo', function (req, res) {
var foo = req.params.foo;
foo.indexOf();
});
// `.length` used only in a condition or a comparison with 0: none of these
// are expected to be flagged (contrast the bare `foo.length` read above).
// `.length` exists on both strings and arrays, so these tests do not
// themselves depend on the value's type.
express().get('/some/path/:foo', function (req, res) {
if (req.query.path.length) { }
req.query.path.length == 0;
!req.query.path.length;
req.query.path.length > 0;
});
// Early-return type guard: everything after `typeof p !== 'string'` only runs
// when `p` is a string, so the loop's `substr` and the final `.length`
// comparison are not expected to be flagged.
express().get('/some/path/:foo', function (req, res) {
let p = req.query.path;
if (typeof p !== 'string') {
return;
}
while (p.length) {
p = p.substr(1);
}
p.length < 1;
});
// Prototype-pollution sink: the untrusted query value is used as a property
// key through `safeGet`, and the `safeGet` guard is what the fixture expects
// the query to flag (see the alerts inside `safeGet`), not this call site.
express().get('/some/path/:foo', function (req, res) {
let someObject = {};
safeGet(someObject, req.query.path).bar = 'baz'; // $ Source - prototype pollution here - but flagged in `safeGet`
});
// A key-denylist guard that is bypassable by type confusion. `===` between an
// array and a string is always false (object identity), but `obj[p]` coerces
// the key with ToPropertyKey, so `['__proto__']` passes the check and still
// indexes `obj['__proto__']`. Both comparisons are therefore expected to be
// flagged. NOTE(review): a real guard should reject non-strings first
// (`typeof p !== 'string'`) or compare `String(p)`, and ideally use
// `Object.hasOwn(obj, p)` before reading.
function safeGet(obj, p) {
if (p === '__proto__' || // $ Alert - could be singleton array
p === 'constructor') { // $ Alert - could be singleton array
return null;
}
return obj[p];
}
// Guards that do and do not narrow the type. `typeof x !== 'undefined'` only
// rules out absence, not an array, so the uses inside those blocks are still
// expected to be flagged; the `!== 'string'` guard is expected to silence the
// alert in its branch.
express().get('/foo', function (req, res) {
let data = req.query;
data.foo.indexOf(); // $ Alert
if (typeof data.foo !== 'undefined') {
data.foo.indexOf(); // $ Alert
}
if (typeof data.foo !== 'string') {
data.foo.indexOf();
}
if (typeof data.foo !== 'undefined') {
data.foo.indexOf(); // $ Alert
}
});
// `Array.isArray` guard: the unguarded call is flagged, but neither branch of
// the guard is, consistent with the MISSING note earlier in the file that a
// type guard sanitises both branches for this query.
express().get('/foo', function (req, res) {
let data = req.query.data; // $ Source
data.indexOf(); // $ Alert
if (Array.isArray(data)) {
data.indexOf();
} else {
data.indexOf();
}
});