

Commit 2de230e

authored
Merge pull request #5062 from esbena/js/test-for-html-concat-obfuscation
Approved by erik-krogh
2 parents b8b42ea + 9678534 commit 2de230e

3 files changed

Lines changed: 190 additions & 0 deletions


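--- a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/Xss.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/Xss.expected
@@ -650,6 +650,47 @@ nodes
 | v-html.vue:2:8:2:23 | v-html=tainted |
 | v-html.vue:6:42:6:58 | document.location |
 | v-html.vue:6:42:6:58 | document.location |
+| various-concat-obfuscations.js:2:6:2:39 | tainted |
+| various-concat-obfuscations.js:2:16:2:39 | documen ... .search |
+| various-concat-obfuscations.js:2:16:2:39 | documen ... .search |
+| various-concat-obfuscations.js:4:4:4:31 | "<div>" ... </div>" |
+| various-concat-obfuscations.js:4:4:4:31 | "<div>" ... </div>" |
+| various-concat-obfuscations.js:4:14:4:20 | tainted |
+| various-concat-obfuscations.js:5:4:5:26 | `<div>$ ... </div>` |
+| various-concat-obfuscations.js:5:4:5:26 | `<div>$ ... </div>` |
+| various-concat-obfuscations.js:5:12:5:18 | tainted |
+| various-concat-obfuscations.js:6:4:6:26 | "<div>" ... ainted) |
+| various-concat-obfuscations.js:6:4:6:43 | "<div>" ... /div>") |
+| various-concat-obfuscations.js:6:4:6:43 | "<div>" ... /div>") |
+| various-concat-obfuscations.js:6:19:6:25 | tainted |
+| various-concat-obfuscations.js:7:4:7:31 | ["<div> ... /div>"] |
+| various-concat-obfuscations.js:7:4:7:38 | ["<div> ... .join() |
+| various-concat-obfuscations.js:7:4:7:38 | ["<div> ... .join() |
+| various-concat-obfuscations.js:7:14:7:20 | tainted |
+| various-concat-obfuscations.js:9:4:9:34 | "<div i ... "\\"/>" |
+| various-concat-obfuscations.js:9:4:9:34 | "<div i ... "\\"/>" |
+| various-concat-obfuscations.js:9:19:9:25 | tainted |
+| various-concat-obfuscations.js:10:4:10:27 | `<div i ... ed}"/>` |
+| various-concat-obfuscations.js:10:4:10:27 | `<div i ... ed}"/>` |
+| various-concat-obfuscations.js:10:16:10:22 | tainted |
+| various-concat-obfuscations.js:11:4:11:31 | "<div i ... ainted) |
+| various-concat-obfuscations.js:11:4:11:44 | "<div i ... t("/>") |
+| various-concat-obfuscations.js:11:4:11:44 | "<div i ... t("/>") |
+| various-concat-obfuscations.js:11:24:11:30 | tainted |
+| various-concat-obfuscations.js:12:4:12:34 | ["<div ... "\\"/>"] |
+| various-concat-obfuscations.js:12:4:12:41 | ["<div ... .join() |
+| various-concat-obfuscations.js:12:4:12:41 | ["<div ... .join() |
+| various-concat-obfuscations.js:12:19:12:25 | tainted |
+| various-concat-obfuscations.js:20:4:20:47 | indirec ... .attrs) |
+| various-concat-obfuscations.js:20:4:20:47 | indirec ... .attrs) |
+| various-concat-obfuscations.js:20:17:20:40 | documen ... .search |
+| various-concat-obfuscations.js:20:17:20:40 | documen ... .search |
+| various-concat-obfuscations.js:20:17:20:46 | documen ... h.attrs |
+| various-concat-obfuscations.js:21:4:21:47 | indirec ... .attrs) |
+| various-concat-obfuscations.js:21:4:21:47 | indirec ... .attrs) |
+| various-concat-obfuscations.js:21:17:21:40 | documen ... .search |
+| various-concat-obfuscations.js:21:17:21:40 | documen ... .search |
+| various-concat-obfuscations.js:21:17:21:46 | documen ... h.attrs |
 | winjs.js:2:7:2:53 | tainted |
 | winjs.js:2:17:2:33 | document.location |
 | winjs.js:2:17:2:33 | document.location |
@@ -1218,6 +1259,44 @@ edges
 | v-html.vue:6:42:6:58 | document.location | v-html.vue:2:8:2:23 | v-html=tainted |
 | v-html.vue:6:42:6:58 | document.location | v-html.vue:2:8:2:23 | v-html=tainted |
 | v-html.vue:6:42:6:58 | document.location | v-html.vue:2:8:2:23 | v-html=tainted |
+| various-concat-obfuscations.js:2:6:2:39 | tainted | various-concat-obfuscations.js:4:14:4:20 | tainted |
+| various-concat-obfuscations.js:2:6:2:39 | tainted | various-concat-obfuscations.js:5:12:5:18 | tainted |
+| various-concat-obfuscations.js:2:6:2:39 | tainted | various-concat-obfuscations.js:6:19:6:25 | tainted |
+| various-concat-obfuscations.js:2:6:2:39 | tainted | various-concat-obfuscations.js:7:14:7:20 | tainted |
+| various-concat-obfuscations.js:2:6:2:39 | tainted | various-concat-obfuscations.js:9:19:9:25 | tainted |
+| various-concat-obfuscations.js:2:6:2:39 | tainted | various-concat-obfuscations.js:10:16:10:22 | tainted |
+| various-concat-obfuscations.js:2:6:2:39 | tainted | various-concat-obfuscations.js:11:24:11:30 | tainted |
+| various-concat-obfuscations.js:2:6:2:39 | tainted | various-concat-obfuscations.js:12:19:12:25 | tainted |
+| various-concat-obfuscations.js:2:16:2:39 | documen ... .search | various-concat-obfuscations.js:2:6:2:39 | tainted |
+| various-concat-obfuscations.js:2:16:2:39 | documen ... .search | various-concat-obfuscations.js:2:6:2:39 | tainted |
+| various-concat-obfuscations.js:4:14:4:20 | tainted | various-concat-obfuscations.js:4:4:4:31 | "<div>" ... </div>" |
+| various-concat-obfuscations.js:4:14:4:20 | tainted | various-concat-obfuscations.js:4:4:4:31 | "<div>" ... </div>" |
+| various-concat-obfuscations.js:5:12:5:18 | tainted | various-concat-obfuscations.js:5:4:5:26 | `<div>$ ... </div>` |
+| various-concat-obfuscations.js:5:12:5:18 | tainted | various-concat-obfuscations.js:5:4:5:26 | `<div>$ ... </div>` |
+| various-concat-obfuscations.js:6:4:6:26 | "<div>" ... ainted) | various-concat-obfuscations.js:6:4:6:43 | "<div>" ... /div>") |
+| various-concat-obfuscations.js:6:4:6:26 | "<div>" ... ainted) | various-concat-obfuscations.js:6:4:6:43 | "<div>" ... /div>") |
+| various-concat-obfuscations.js:6:19:6:25 | tainted | various-concat-obfuscations.js:6:4:6:26 | "<div>" ... ainted) |
+| various-concat-obfuscations.js:7:4:7:31 | ["<div> ... /div>"] | various-concat-obfuscations.js:7:4:7:38 | ["<div> ... .join() |
+| various-concat-obfuscations.js:7:4:7:31 | ["<div> ... /div>"] | various-concat-obfuscations.js:7:4:7:38 | ["<div> ... .join() |
+| various-concat-obfuscations.js:7:14:7:20 | tainted | various-concat-obfuscations.js:7:4:7:31 | ["<div> ... /div>"] |
+| various-concat-obfuscations.js:9:19:9:25 | tainted | various-concat-obfuscations.js:9:4:9:34 | "<div i ... "\\"/>" |
+| various-concat-obfuscations.js:9:19:9:25 | tainted | various-concat-obfuscations.js:9:4:9:34 | "<div i ... "\\"/>" |
+| various-concat-obfuscations.js:10:16:10:22 | tainted | various-concat-obfuscations.js:10:4:10:27 | `<div i ... ed}"/>` |
+| various-concat-obfuscations.js:10:16:10:22 | tainted | various-concat-obfuscations.js:10:4:10:27 | `<div i ... ed}"/>` |
+| various-concat-obfuscations.js:11:4:11:31 | "<div i ... ainted) | various-concat-obfuscations.js:11:4:11:44 | "<div i ... t("/>") |
+| various-concat-obfuscations.js:11:4:11:31 | "<div i ... ainted) | various-concat-obfuscations.js:11:4:11:44 | "<div i ... t("/>") |
+| various-concat-obfuscations.js:11:24:11:30 | tainted | various-concat-obfuscations.js:11:4:11:31 | "<div i ... ainted) |
+| various-concat-obfuscations.js:12:4:12:34 | ["<div ... "\\"/>"] | various-concat-obfuscations.js:12:4:12:41 | ["<div ... .join() |
+| various-concat-obfuscations.js:12:4:12:34 | ["<div ... "\\"/>"] | various-concat-obfuscations.js:12:4:12:41 | ["<div ... .join() |
+| various-concat-obfuscations.js:12:19:12:25 | tainted | various-concat-obfuscations.js:12:4:12:34 | ["<div ... "\\"/>"] |
+| various-concat-obfuscations.js:20:17:20:40 | documen ... .search | various-concat-obfuscations.js:20:17:20:46 | documen ... h.attrs |
+| various-concat-obfuscations.js:20:17:20:40 | documen ... .search | various-concat-obfuscations.js:20:17:20:46 | documen ... h.attrs |
+| various-concat-obfuscations.js:20:17:20:46 | documen ... h.attrs | various-concat-obfuscations.js:20:4:20:47 | indirec ... .attrs) |
+| various-concat-obfuscations.js:20:17:20:46 | documen ... h.attrs | various-concat-obfuscations.js:20:4:20:47 | indirec ... .attrs) |
+| various-concat-obfuscations.js:21:17:21:40 | documen ... .search | various-concat-obfuscations.js:21:17:21:46 | documen ... h.attrs |
+| various-concat-obfuscations.js:21:17:21:40 | documen ... .search | various-concat-obfuscations.js:21:17:21:46 | documen ... h.attrs |
+| various-concat-obfuscations.js:21:17:21:46 | documen ... h.attrs | various-concat-obfuscations.js:21:4:21:47 | indirec ... .attrs) |
+| various-concat-obfuscations.js:21:17:21:46 | documen ... h.attrs | various-concat-obfuscations.js:21:4:21:47 | indirec ... .attrs) |
 | winjs.js:2:7:2:53 | tainted | winjs.js:3:43:3:49 | tainted |
 | winjs.js:2:7:2:53 | tainted | winjs.js:3:43:3:49 | tainted |
 | winjs.js:2:7:2:53 | tainted | winjs.js:4:43:4:49 | tainted |
@@ -1374,5 +1453,15 @@ edges
 | tst.js:424:18:424:51 | window. ... '#')[1] | tst.js:424:18:424:32 | window.location | tst.js:424:18:424:51 | window. ... '#')[1] | Cross-site scripting vulnerability due to $@. | tst.js:424:18:424:32 | window.location | user-provided value |
 | typeahead.js:25:18:25:20 | val | typeahead.js:20:22:20:38 | document.location | typeahead.js:25:18:25:20 | val | Cross-site scripting vulnerability due to $@. | typeahead.js:20:22:20:38 | document.location | user-provided value |
 | v-html.vue:2:8:2:23 | v-html=tainted | v-html.vue:6:42:6:58 | document.location | v-html.vue:2:8:2:23 | v-html=tainted | Cross-site scripting vulnerability due to $@. | v-html.vue:6:42:6:58 | document.location | user-provided value |
+| various-concat-obfuscations.js:4:4:4:31 | "<div>" ... </div>" | various-concat-obfuscations.js:2:16:2:39 | documen ... .search | various-concat-obfuscations.js:4:4:4:31 | "<div>" ... </div>" | Cross-site scripting vulnerability due to $@. | various-concat-obfuscations.js:2:16:2:39 | documen ... .search | user-provided value |
+| various-concat-obfuscations.js:5:4:5:26 | `<div>$ ... </div>` | various-concat-obfuscations.js:2:16:2:39 | documen ... .search | various-concat-obfuscations.js:5:4:5:26 | `<div>$ ... </div>` | Cross-site scripting vulnerability due to $@. | various-concat-obfuscations.js:2:16:2:39 | documen ... .search | user-provided value |
+| various-concat-obfuscations.js:6:4:6:43 | "<div>" ... /div>") | various-concat-obfuscations.js:2:16:2:39 | documen ... .search | various-concat-obfuscations.js:6:4:6:43 | "<div>" ... /div>") | Cross-site scripting vulnerability due to $@. | various-concat-obfuscations.js:2:16:2:39 | documen ... .search | user-provided value |
+| various-concat-obfuscations.js:7:4:7:38 | ["<div> ... .join() | various-concat-obfuscations.js:2:16:2:39 | documen ... .search | various-concat-obfuscations.js:7:4:7:38 | ["<div> ... .join() | Cross-site scripting vulnerability due to $@. | various-concat-obfuscations.js:2:16:2:39 | documen ... .search | user-provided value |
+| various-concat-obfuscations.js:9:4:9:34 | "<div i ... "\\"/>" | various-concat-obfuscations.js:2:16:2:39 | documen ... .search | various-concat-obfuscations.js:9:4:9:34 | "<div i ... "\\"/>" | Cross-site scripting vulnerability due to $@. | various-concat-obfuscations.js:2:16:2:39 | documen ... .search | user-provided value |
+| various-concat-obfuscations.js:10:4:10:27 | `<div i ... ed}"/>` | various-concat-obfuscations.js:2:16:2:39 | documen ... .search | various-concat-obfuscations.js:10:4:10:27 | `<div i ... ed}"/>` | Cross-site scripting vulnerability due to $@. | various-concat-obfuscations.js:2:16:2:39 | documen ... .search | user-provided value |
+| various-concat-obfuscations.js:11:4:11:44 | "<div i ... t("/>") | various-concat-obfuscations.js:2:16:2:39 | documen ... .search | various-concat-obfuscations.js:11:4:11:44 | "<div i ... t("/>") | Cross-site scripting vulnerability due to $@. | various-concat-obfuscations.js:2:16:2:39 | documen ... .search | user-provided value |
+| various-concat-obfuscations.js:12:4:12:41 | ["<div ... .join() | various-concat-obfuscations.js:2:16:2:39 | documen ... .search | various-concat-obfuscations.js:12:4:12:41 | ["<div ... .join() | Cross-site scripting vulnerability due to $@. | various-concat-obfuscations.js:2:16:2:39 | documen ... .search | user-provided value |
+| various-concat-obfuscations.js:20:4:20:47 | indirec ... .attrs) | various-concat-obfuscations.js:20:17:20:40 | documen ... .search | various-concat-obfuscations.js:20:4:20:47 | indirec ... .attrs) | Cross-site scripting vulnerability due to $@. | various-concat-obfuscations.js:20:17:20:40 | documen ... .search | user-provided value |
+| various-concat-obfuscations.js:21:4:21:47 | indirec ... .attrs) | various-concat-obfuscations.js:21:17:21:40 | documen ... .search | various-concat-obfuscations.js:21:4:21:47 | indirec ... .attrs) | Cross-site scripting vulnerability due to $@. | various-concat-obfuscations.js:21:17:21:40 | documen ... .search | user-provided value |
 | winjs.js:3:43:3:49 | tainted | winjs.js:2:17:2:33 | document.location | winjs.js:3:43:3:49 | tainted | Cross-site scripting vulnerability due to $@. | winjs.js:2:17:2:33 | document.location | user-provided value |
 | winjs.js:4:43:4:49 | tainted | winjs.js:2:17:2:33 | document.location | winjs.js:4:43:4:49 | tainted | Cross-site scripting vulnerability due to $@. | winjs.js:2:17:2:33 | document.location | user-provided value |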
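Review bot: The new rows for various-concat-obfuscations.js:20 and :21 record a flow step from `document.location.search` (cols 17–40) to `document.location.search.attrs` (cols 17–46) before the `indirec…(…)` call, so these two results rely on taint surviving a property read on the tainted value, whereas lines 13–19 of the same test file contribute no nodes, edges or `#select` rows at all. The test source and the library change are not in this chunk, so I cannot tell whether lines 13–19 are deliberate negative cases (for example a sanitized or escaped concatenation that must stay unreported) or only the helper definition used on lines 20–21. If they are negatives, marking each call site in the .js file with a `// OK` / `// NOT OK` comment would let a reviewer check this expectation file for missing rows without re-running the query. The positive coverage itself looks consistent: each of the `+`, template-literal, `.concat(...)` and `[...].join()` forms is reported exactly once for element content (lines 4–7) and once for an attribute-value context (lines 9–12), all traced back to the single `document.location.search` source on line 2.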
