

Commit 0453ded

committed
JS: Add query ID to some alerts
1 parent 86932c5 commit 0453ded

8 files changed

Lines changed: 87 additions & 87 deletions


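--- a/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/express.js
+++ b/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/express.js
@@ -3,15 +3,15 @@ var express = require('express');
 var app = express();
 
 app.get('/some/path', function(req, res) {
-var f = new Function("return wibbles[" + req.param("wobble") + "];"); // $ Alert
-require("vm").runInThisContext("return wibbles[" + req.param("wobble") + "];"); // $ Alert
+var f = new Function("return wibbles[" + req.param("wobble") + "];"); // $ Alert[js/code-injection]
+require("vm").runInThisContext("return wibbles[" + req.param("wobble") + "];"); // $ Alert[js/code-injection]
 var runC = require("vm").runInNewContext;
-runC("return wibbles[" + req.param("wobble") + "];"); // $ Alert
+runC("return wibbles[" + req.param("wobble") + "];"); // $ Alert[js/code-injection]
 var vm = require("vm");
-vm.compileFunction(req.param("code_compileFunction")); // $ Alert
-var script = new vm.Script(req.param("code_Script")); // $ Alert
-var mdl = new vm.SourceTextModule(req.param("code_SourceTextModule")); // $ Alert
-vm.runInContext(req.param("code_runInContext"), vm.createContext()); // $ Alert
+vm.compileFunction(req.param("code_compileFunction")); // $ Alert[js/code-injection]
+var script = new vm.Script(req.param("code_Script")); // $ Alert[js/code-injection]
+var mdl = new vm.SourceTextModule(req.param("code_SourceTextModule")); // $ Alert[js/code-injection]
+vm.runInContext(req.param("code_runInContext"), vm.createContext()); // $ Alert[js/code-injection]
 });
 
 const cp = require('child_process');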

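--- a/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/tst.js
+++ b/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/tst.js
@@ -1,22 +1,22 @@
-eval(document.location.href.substring(document.location.href.indexOf("default=")+8)) // $ Alert
+eval(document.location.href.substring(document.location.href.indexOf("default=")+8)) // $ Alert[js/code-injection]
 
-setTimeout(document.location.hash); // $ Alert
+setTimeout(document.location.hash); // $ Alert[js/code-injection]
 
 
 setTimeout(document.location.protocol);
 
 
 $('. ' + document.location.hostname);
 
-Function(document.location.search.replace(/.*\bfoo\s*=\s*([^;]*).*/, "$1")); // $ Alert
+Function(document.location.search.replace(/.*\bfoo\s*=\s*([^;]*).*/, "$1")); // $ Alert[js/code-injection]
 
-WebAssembly.compile(document.location.hash); // $ Alert
+WebAssembly.compile(document.location.hash); // $ Alert[js/code-injection]
 
-WebAssembly.compileStreaming(document.location.hash); // $ Alert
+WebAssembly.compileStreaming(document.location.hash); // $ Alert[js/code-injection]
 
-eval(atob(document.location.hash.substring(1))); // $ Alert
+eval(atob(document.location.hash.substring(1))); // $ Alert[js/code-injection]
 
-$('<a>').attr("onclick", location.search.substring(1)); // $ Alert
+$('<a>').attr("onclick", location.search.substring(1)); // $ Alert[js/code-injection]
 
 (function test() {
 var source = document.location.search.replace(/.*\bfoo\s*=\s*([^;]*).*/, "$1");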

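--- a/javascript/ql/test/query-tests/Security/CWE-116/IncompleteSanitization/UnsafeHtmlExpansion.js
+++ b/javascript/ql/test/query-tests/Security/CWE-116/IncompleteSanitization/UnsafeHtmlExpansion.js
@@ -6,28 +6,28 @@
 html.replace(
 /<(?!area|br|col|embed|hr|img|input|link|meta|param)(([a-z][^\/\0>\x20\t\r\n\f]*)[^>]*)\/>/gi,
 expanded
-); // $ Alert
-html.replace(/<(([a-z][^\/\0>\x20\t\r\n\f]*)[^>]*)\/>/gi, expanded); // $ Alert
+); // $ Alert[js/unsafe-html-expansion]
+html.replace(/<(([a-z][^\/\0>\x20\t\r\n\f]*)[^>]*)\/>/gi, expanded); // $ Alert[js/unsafe-html-expansion]
 
 // lib2
 html.replace(
 /<(?!area|br|col|embed|hr|img|input|link|meta|param)(([\w:]+)[^>]*)\/>/gi,
 expanded
-); // $ Alert
-html.replace(/<(([\w:]+)[^>]*)\/>/gi, expanded); // $ Alert
+); // $ Alert[js/unsafe-html-expansion]
+html.replace(/<(([\w:]+)[^>]*)\/>/gi, expanded); // $ Alert[js/unsafe-html-expansion]
 
 // lib3
 html.replace(
 /<(?!area|br|col|embed|hr|img|input|link|meta|param)(([\w:-]+)[^>]*)\/>/gi,
 expanded
-); // $ Alert
-html.replace(/<(([\w:-]+)[^>]*)\/>/gi, expanded); // $ Alert
+); // $ Alert[js/unsafe-html-expansion]
+html.replace(/<(([\w:-]+)[^>]*)\/>/gi, expanded); // $ Alert[js/unsafe-html-expansion]
 
-html.replace(defaultPattern, expanded); // $ Alert
+html.replace(defaultPattern, expanded); // $ Alert[js/unsafe-html-expansion]
 function getPattern() {
 return defaultPattern;
 }
-html.replace(getPattern(), expanded); // $ Alert
+html.replace(getPattern(), expanded); // $ Alert[js/unsafe-html-expansion]
 
 function getExpanded() {
 return expanded;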
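--- a/<PATH NOT SHOWN ON PAGE>
+++ b/<PATH NOT SHOWN ON PAGE>
@@ -1,28 +1,28 @@
 // CVE-2019-10756
 (function(content) {
-content = content.replace(/<.*cript.*\/scrip.*>/gi, ""); // $ Alert
-content = content.replace(/ on\w+=".*"/g, ""); // $ Alert
-content = content.replace(/ on\w+=\'.*\'/g, ""); // $ Alert
+content = content.replace(/<.*cript.*\/scrip.*>/gi, ""); // $ Alert[js/incomplete-multi-character-sanitization]
+content = content.replace(/ on\w+=".*"/g, ""); // $ Alert[js/incomplete-multi-character-sanitization]
+content = content.replace(/ on\w+=\'.*\'/g, ""); // $ Alert[js/incomplete-multi-character-sanitization]
 return content;
 });
 (function(content) {
-content = content.replace(/<.*cript.*/gi, ""); // $ Alert
-content = content.replace(/.on\w+=.*".*"/g, ""); // $ Alert
-content = content.replace(/.on\w+=.*\'.*\'/g, ""); // $ Alert
+content = content.replace(/<.*cript.*/gi, ""); // $ Alert[js/incomplete-multi-character-sanitization]
+content = content.replace(/.on\w+=.*".*"/g, ""); // $ Alert[js/incomplete-multi-character-sanitization]
+content = content.replace(/.on\w+=.*\'.*\'/g, ""); // $ Alert[js/incomplete-multi-character-sanitization]
 
 return content;
 });
 
 // CVE-2020-7656
 (function(responseText) {
 var rscript = /<script\b[^<]*(?:(?!<\/script>)<[^<]*)*<\/script>/gi;
-responseText.replace(rscript, ""); // $ Alert
+responseText.replace(rscript, ""); // $ Alert[js/incomplete-multi-character-sanitization]
 return responseText;
 });
 
 // CVE-2019-1010091
 (function(text) {
-text = text.replace(/<!--|--!?>/g, ""); // $ Alert
+text = text.replace(/<!--|--!?>/g, ""); // $ Alert[js/incomplete-multi-character-sanitization]
 return text;
 });
 (function(text) {
@@ -46,7 +46,7 @@
 // CVE-2019-8903
 (function(req) {
 var REG_TRAVEL = /(\/)?\.\.\//g;
-req.url = req.url.replace(REG_TRAVEL, ""); // $ Alert
+req.url = req.url.replace(REG_TRAVEL, ""); // $ Alert[js/incomplete-multi-character-sanitization]
 });
 (function(req) {
 var beg;
@@ -61,9 +61,9 @@
 // New cases
 
 (function(x) {
-x = x.replace(/<script\b[^<]*(?:(?!<\/script>)<[^<]*)*<\/script>/g, ""); // $ Alert
+x = x.replace(/<script\b[^<]*(?:(?!<\/script>)<[^<]*)*<\/script>/g, ""); // $ Alert[js/incomplete-multi-character-sanitization]
 
-x = x.replace(/(\/|\s)on\w+=(\'|")?[^"]*(\'|")?/g, ""); // $ Alert
+x = x.replace(/(\/|\s)on\w+=(\'|")?[^"]*(\'|")?/g, ""); // $ Alert[js/incomplete-multi-character-sanitization]
 
 x = x.replace(/<\/script>/g, "");
 
@@ -72,19 +72,19 @@
 x = x.replace(/<(ul|ol)><\/(ul|ol)>/gi, "");
 x = x.replace(/<li><\/li>/gi, "");
 
-x = x.replace(/<!--(.*?)-->/gm, ""); // $ Alert
-x = x.replace(/\sng-[a-z-]+/, ""); // $ Alert
-x = x.replace(/\sng-[a-z-]+/g, ""); // $ Alert - ng-attributes
+x = x.replace(/<!--(.*?)-->/gm, ""); // $ Alert[js/incomplete-multi-character-sanitization]
+x = x.replace(/\sng-[a-z-]+/, ""); // $ Alert[js/incomplete-multi-character-sanitization]
+x = x.replace(/\sng-[a-z-]+/g, ""); // $ Alert[js/incomplete-multi-character-sanitization] - ng-attributes
 
 x = x.replace(/(<!--\[CDATA\[|\]\]-->)/g, "\n"); // OK - not a sanitizer
 
-x = x.replace(/<script.+desktop\-only.+<\/script>/g, ""); // $ SPURIOUS: Alert
+x = x.replace(/<script.+desktop\-only.+<\/script>/g, ""); // $ SPURIOUS: Alert[js/incomplete-multi-character-sanitization]
 x = x.replace(/<script async.+?<\/script>/g, "");
-x = x.replace(/<!--[\s\S]*?-->|<\?(?:php)?[\s\S]*?\?>/gi, ""); // $ Alert
+x = x.replace(/<!--[\s\S]*?-->|<\?(?:php)?[\s\S]*?\?>/gi, ""); // $ Alert[js/incomplete-multi-character-sanitization]
 
-x = x.replace(/\x2E\x2E\x2F\x2E\x2E\x2F/g, ""); // $ Alert - matches "../../"
+x = x.replace(/\x2E\x2E\x2F\x2E\x2E\x2F/g, ""); // $ Alert[js/incomplete-multi-character-sanitization] - matches "../../"
 
-x = x.replace(/<script.*>.*<\/script>/gi, ""); // $ Alert
+x = x.replace(/<script.*>.*<\/script>/gi, ""); // $ Alert[js/incomplete-multi-character-sanitization]
 
 x = x.replace(/^(\.\.\/?)+/g, "");
 
@@ -97,17 +97,17 @@
 x = x.replace(/<\/?([a-z][a-z0-9]*)\b[^>]*>/gi, ""); // $ MISSING: Alert
 
 x = x.replace(/\.\./g, "");
-x = x.replace(/\.\.\//g, ""); // $ Alert
-x = x.replace(/\/\.\./g, ""); // $ Alert
+x = x.replace(/\.\.\//g, ""); // $ Alert[js/incomplete-multi-character-sanitization]
+x = x.replace(/\/\.\./g, ""); // $ Alert[js/incomplete-multi-character-sanitization]
 
-x = x.replace(/<script(.*?)>([\s\S]*?)<\/script>/gi, ""); // $ Alert
+x = x.replace(/<script(.*?)>([\s\S]*?)<\/script>/gi, ""); // $ Alert[js/incomplete-multi-character-sanitization]
 
-x = x.replace(/<(script|del)(?=[\s>])[\w\W]*?<\/\1\s*>/gi, ""); // $ Alert
-x = x.replace(/\<script[\s\S]*?\>[\s\S]*?\<\/script\>/g, ""); // $ Alert
-x = x.replace(/<(script|style|title)[^<]+<\/(script|style|title)>/gm, ""); // $ Alert
-x = x.replace(/<script[^>]*>([\s\S]*?)<\/script>/gi, ""); // $ Alert
-x = x.replace(/<script[\s\S]*?<\/script>/gi, ""); // $ Alert
-x = x.replace(/ ?<!-- ?/g, ""); // $ Alert
+x = x.replace(/<(script|del)(?=[\s>])[\w\W]*?<\/\1\s*>/gi, ""); // $ Alert[js/incomplete-multi-character-sanitization]
+x = x.replace(/\<script[\s\S]*?\>[\s\S]*?\<\/script\>/g, ""); // $ Alert[js/incomplete-multi-character-sanitization]
+x = x.replace(/<(script|style|title)[^<]+<\/(script|style|title)>/gm, ""); // $ Alert[js/incomplete-multi-character-sanitization]
+x = x.replace(/<script[^>]*>([\s\S]*?)<\/script>/gi, ""); // $ Alert[js/incomplete-multi-character-sanitization]
+x = x.replace(/<script[\s\S]*?<\/script>/gi, ""); // $ Alert[js/incomplete-multi-character-sanitization]
+x = x.replace(/ ?<!-- ?/g, ""); // $ Alert[js/incomplete-multi-character-sanitization]
 x = x.replace(/require\('\.\.\/common'\);/g, "");
 x = x.replace(/\.\.\/\.\.\/lib\//g, "");
 
@@ -125,32 +125,32 @@
 x = x
 .replace(/^\.\//, "")
 .replace(/\/\.\//, "/")
-.replace(/[^\/]*\/\.\.\//, ""); // $ Alert
+.replace(/[^\/]*\/\.\.\//, ""); // $ Alert[js/incomplete-multi-character-sanitization]
 
 return x;
 });
 
 (function (content) {
-content.replace(/<script.*\/script>/gi, ""); // $ Alert
-content.replace(/<(script).*\/script>/gi, ""); // $ Alert
-content.replace(/.+<(script).*\/script>/gi, ""); // $ Alert
-content.replace(/.*<(script).*\/script>/gi, ""); // $ Alert
+content.replace(/<script.*\/script>/gi, ""); // $ Alert[js/incomplete-multi-character-sanitization]
+content.replace(/<(script).*\/script>/gi, ""); // $ Alert[js/incomplete-multi-character-sanitization]
+content.replace(/.+<(script).*\/script>/gi, ""); // $ Alert[js/incomplete-multi-character-sanitization]
+content.replace(/.*<(script).*\/script>/gi, ""); // $ Alert[js/incomplete-multi-character-sanitization]
 });
 
 (function (content) {
-content = content.replace(/<script[\s\S]*?<\/script>/gi, ""); // $ Alert
-content = content.replace(/<[a-zA-Z\/](.|\n)*?>/g, '') || ' '; // $ Alert
-content = content.replace(/<(script|iframe|video)[\s\S]*?<\/(script|iframe|video)>/g, '') // $ Alert
-content = content.replace(/<(script|iframe|video)(.|\s)*?\/(script|iframe|video)>/g, '') // $ Alert
+content = content.replace(/<script[\s\S]*?<\/script>/gi, ""); // $ Alert[js/incomplete-multi-character-sanitization]
+content = content.replace(/<[a-zA-Z\/](.|\n)*?>/g, '') || ' '; // $ Alert[js/incomplete-multi-character-sanitization]
+content = content.replace(/<(script|iframe|video)[\s\S]*?<\/(script|iframe|video)>/g, '') // $ Alert[js/incomplete-multi-character-sanitization]
+content = content.replace(/<(script|iframe|video)(.|\s)*?\/(script|iframe|video)>/g, '') // $ Alert[js/incomplete-multi-character-sanitization]
 content = content.replace(/<[^<]*>/g, "");
 
-n.cloneNode(false).outerHTML.replace(/<\/?[\w:\-]+ ?|=[\"][^\"]+\"|=\'[^\']+\'|=[\w\-]+|>/gi, '').replace(/[\w:\-]+/gi, function(a) { // $ Alert
+n.cloneNode(false).outerHTML.replace(/<\/?[\w:\-]+ ?|=[\"][^\"]+\"|=\'[^\']+\'|=[\w\-]+|>/gi, '').replace(/[\w:\-]+/gi, function(a) { // $ Alert[js/incomplete-multi-character-sanitization]
 o.push({specified : 1, nodeName : a});
 });
 
-n.cloneNode(false).outerHTML.replace(/<\/?[\w:\-]+ ?|=[\"][^\"]+\"|=\'[^\']+\'|=[\w\-]+|>/gi, '').replace(/[\w:\-]+/gi, function(a) { // $ Alert
+n.cloneNode(false).outerHTML.replace(/<\/?[\w:\-]+ ?|=[\"][^\"]+\"|=\'[^\']+\'|=[\w\-]+|>/gi, '').replace(/[\w:\-]+/gi, function(a) { // $ Alert[js/incomplete-multi-character-sanitization]
 o.push({specified : 1, nodeName : a});
-});
+});
 
 content = content.replace(/.+?(?=\s)/, '');
-});
+});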
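Review bot: The `$ MISSING: Alert` expectation on line 97 of this file is left without a query id, while the `$ SPURIOUS: Alert` on line 81 of the same file receives `[js/incomplete-multi-character-sanitization]`, so the two qualified expectation forms are now inconsistent within one file. If the test harness accepts an id on MISSING annotations the way it does on SPURIOUS ones, the line should read `x = x.replace(/<\/?([a-z][a-z0-9]*)\b[^>]*>/gi, ""); // $ MISSING: Alert[js/incomplete-multi-character-sanitization]`; if it does not, a short comment saying so on that line would stop the next reader from "fixing" it. The page does not show this file's path, and the enclosing `(function(x) {` both starts and ends outside the `@@ -97,17 +97,17 @@` hunk.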

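--- a/javascript/ql/test/query-tests/Security/CWE-200/bufferRead.js
+++ b/javascript/ql/test/query-tests/Security/CWE-200/bufferRead.js
@@ -29,12 +29,12 @@ fs.exists(fileName, function (exists) {
 res.setEncoding('utf8');
 });
 
-req.write(postData); // $ Alert - write data from file to request body
-req.end();
+req.write(postData); // $ Alert[js/file-access-to-http] - write data from file to request body
+req.end();
 });
 
 fs.close(fd);
 });
 });
 }
-});
+});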

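--- a/javascript/ql/test/query-tests/Security/CWE-327/bad-random.js
+++ b/javascript/ql/test/query-tests/Security/CWE-327/bad-random.js
@@ -1,17 +1,17 @@
 const crypto = require('crypto');
 
-var bad = crypto.randomBytes(1)[0] + crypto.randomBytes(1)[0]; // $ Alert
-var bad = crypto.randomBytes(1)[0] * crypto.randomBytes(1)[0]; // $ Alert
+var bad = crypto.randomBytes(1)[0] + crypto.randomBytes(1)[0]; // $ Alert[js/biased-cryptographic-random]
+var bad = crypto.randomBytes(1)[0] * crypto.randomBytes(1)[0]; // $ Alert[js/biased-cryptographic-random]
 
 const buffer = crypto.randomBytes(bytes);
 const digits = [];
 for (let i = 0; i < buffer.length; ++i) {
-digits.push(Math.floor(buffer[i] / 25.6)); // $ Alert
+digits.push(Math.floor(buffer[i] / 25.6)); // $ Alert[js/biased-cryptographic-random]
 digits.push(buffer[i] % 8); // OK - input is a random byte, so the output is a uniformly random number between 0 and 7.
-digits.push(buffer[i] % 100); // $ Alert
+digits.push(buffer[i] % 100); // $ Alert[js/biased-cryptographic-random]
 }
 
-var bad = Number('0.' + crypto.randomBytes(3).readUIntBE(0, 3)); // $ Alert
+var bad = Number('0.' + crypto.randomBytes(3).readUIntBE(0, 3)); // $ Alert[js/biased-cryptographic-random]
 var good = Number(10 + crypto.randomBytes(3).readUIntBE(0, 3));
 
 const internals = {};
@@ -70,30 +70,30 @@ function setSteps() {
 const buffer = crypto.randomBytes(bytes);
 const digits = [];
 for (const byte of buffer.values()) {
-digits.push(Math.floor(byte / 25.6)); // $ Alert
+digits.push(Math.floor(byte / 25.6)); // $ Alert[js/biased-cryptographic-random]
 digits.push(byte % 8); // OK - 8 is a power of 2, so the result is unbiased.
-digits.push(byte % 100); // $ Alert
+digits.push(byte % 100); // $ Alert[js/biased-cryptographic-random]
 }
 }
 
 const secureRandom = require("secure-random");
 
-var bad = secureRandom(10)[0] + secureRandom(10)[0]; // $ Alert
+var bad = secureRandom(10)[0] + secureRandom(10)[0]; // $ Alert[js/biased-cryptographic-random]
 
 var goodRandom1 = 5 + secureRandom(10)[0];
 var goodRandom2 = 5 + secureRandom(10)[0];
-var bad = goodRandom1 + goodRandom2; // $ Alert
+var bad = goodRandom1 + goodRandom2; // $ Alert[js/biased-cryptographic-random]
 
-var dontFlag = bad + bad; // OK - the operands have already been flagged - but flagged anyway due to us not detecting that [INCONSISTENCY].
+var dontFlag = bad + bad; // $ Alert[js/biased-cryptographic-random] - OK - the operands have already been flagged - but flagged anyway due to us not detecting that [INCONSISTENCY].
 
 var good = secureRandom(10)[0] / 0xff; // OK - result is not rounded.
-var good = Math.ceil(0.5 - (secureRandom(10)[0] / 25.6)); // $ Alert - division generally introduces bias - but not flagged due to not looking through nested arithmetic.
+var good = Math.ceil(0.5 - (secureRandom(10)[0] / 25.6)); // $ Alert[js/biased-cryptographic-random] - division generally introduces bias - but not flagged due to not looking through nested arithmetic.
 
 var good = (crypto.randomBytes(1)[0] << 8) + crypto.randomBytes(3)[0]; // OK - bit shifts are usually used to construct larger/smaller numbers,
 
 var good = Math.floor(max * (crypto.randomBytes(1)[0] / 0xff)); // OK - division by 0xff (255) gives a uniformly random number between 0 and 1.
 
-var bad = Math.floor(max * (crypto.randomBytes(1)[0] / 100)); // $ Alert - division by 100 gives bias - but not flagged due to not looking through nested arithmetic.
+var bad = Math.floor(max * (crypto.randomBytes(1)[0] / 100)); // $ Alert[js/biased-cryptographic-random] - division by 100 gives bias - but not flagged due to not looking through nested arithmetic.
 
 var crb = crypto.randomBytes(4);
 var cryptoRand = 0x01000000 * crb[0] + 0x00010000 * crb[1] + 0x00000100 * crb[2] + 0x00000001 * crb[3]; // OK - producing a larger number from smaller numbers.
@@ -115,7 +115,7 @@ var foo = 0xffffffffffff + 0xfffffffffff + 0xffffffffff + 0xfffffffff + 0xffffff
 // Bad documentation example:
 const digits = [];
 for (let i = 0; i < 10; i++) {
-digits.push(crypto.randomBytes(1)[0] % 10); // $ Alert
+digits.push(crypto.randomBytes(1)[0] % 10); // $ Alert[js/biased-cryptographic-random]
 }
 
 // Good documentation example: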
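Review bot: Line 87 in the `@@ -70,30 +70,30 @@` hunk now reads `// $ Alert[js/biased-cryptographic-random] - OK - the operands have already been flagged - but flagged anyway ... [INCONSISTENCY]`, which both expects an alert and calls the result OK in the same comment. This change set already uses `$ SPURIOUS: Alert[...]` for a known false positive in another file, so if the harness treats that form the same way here, `var dontFlag = bad + bad; // $ SPURIOUS: Alert[js/biased-cryptographic-random] - the operands have already been flagged` states the intent without the contradiction. Lines 90 and 96 have the same shape: the expectation now says `$ Alert[js/biased-cryptographic-random]` while the trailing prose still says "not flagged", and line 90 is even named `good`; the prose looks stale relative to the expectation and is worth reconciling in the same commit. The enclosing `function setSteps()` starts outside this hunk.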

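--- a/javascript/ql/test/query-tests/Security/CWE-400/ReDoS/jsonschema.js
+++ b/javascript/ql/test/query-tests/Security/CWE-400/ReDoS/jsonschema.js
@@ -2,7 +2,7 @@ import Ajv from 'ajv';
 
 let thing = {
 type: 'string',
-pattern: '(a?a?)*b' // $ Alert
+pattern: '(a?a?)*b' // $ Alert[js/redos]
 }
 new Ajv().addSchema(thing, 'thing');
 
@@ -12,12 +12,12 @@ export default {
 properties: {
 foo: {
 type: "string",
-pattern: "(a?a?)*b" // $ Alert
+pattern: "(a?a?)*b" // $ Alert[js/redos]
 },
 bar: {
 type: "object",
 patternProperties: {
-"(a?a?)*b": { // $ Alert
+"(a?a?)*b": { // $ Alert[js/redos]
 type: "number"
 }
 }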

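--- a/javascript/ql/test/query-tests/Security/CWE-730/RegExpInjection.js
+++ b/javascript/ql/test/query-tests/Security/CWE-730/RegExpInjection.js
@@ -4,7 +4,7 @@ var URI = require("urijs");
 app.get('/findKey', function(req, res) {
 var key = req.param("key"), input = req.param("input");
 
-var re = new RegExp("\\b" + key + "=(.*)\n"); // $ Alert - Unsanitized user input is used to construct a regular expression
+var re = new RegExp("\\b" + key + "=(.*)\n"); // $ Alert[js/regex-injection] - Unsanitized user input is used to construct a regular expression
 
 function wrap(s) {
 return "\\b" + wrap2(s);
@@ -14,16 +14,16 @@ app.get('/findKey', function(req, res) {
 return s + "=(.*)\n";
 }
 
-new RegExp(wrap(key)); // $ Alert
-new RegExp(wrap(key)); // $ Alert - duplicated to test precision of flow tracking
+new RegExp(wrap(key)); // $ Alert[js/regex-injection]
+new RegExp(wrap(key)); // $ Alert[js/regex-injection] - duplicated to test precision of flow tracking
 
 function getKey() {
 return req.param("key");
 }
-new RegExp(getKey()); // $ Alert
+new RegExp(getKey()); // $ Alert[js/regex-injection]
 
 function mkRegExp(s) {
-return new RegExp(s); // $ Alert
+return new RegExp(s); // $ Alert[js/regex-injection]
 }
 mkRegExp(key);
 mkRegExp(getKey());
@@ -93,7 +93,7 @@ app.get("argv", function(req, res) {
 
 var sanitized = input.replace(new RegExp("[\\-\\[\\]\\/\\{\\}\\(\\)\\*\\+\\?\\.\\\\\\^\\$\\|]"), "\\$&");
 new RegExp(sanitized); // $ Alert[js/regex-injection]
-
+
 var sanitized = input.replace(new RegExp("[\\-\\[\\]\\/\\{\\}\\(\\)\\*\\+\\?\\.\\\\\\^\\$\\|]", "g"), "\\$&");
 new RegExp(sanitized);
 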