

Commit 86932c5

committed
JS: Move some alerts to their correct location
One of the diffs looks confusing, but: previously parameters {2,3} were flagged, now parameters {1,2} are flagged. Note that for command injection, the SystemCommandExecution is flagged despite the test file claiming otherwise.
1 parent f5911c9 commit 86932c5

18 files changed

Lines changed: 103 additions & 103 deletions


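--- a/javascript/ql/test/query-tests/Declarations/UniqueParameterNames/tst.js
+++ b/javascript/ql/test/query-tests/Declarations/UniqueParameterNames/tst.js
@@ -1,7 +1,7 @@
 function f(
-x,
 x, // $ Alert
-\u0078 // $ Alert
+x, // $ Alert
+\u0078
 ) { return; }
 
 this.addPropertyListener(prop.name, function(_, _, _, a) {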
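Review bot: New line 4, `\u0078`, is a third spelling of the same parameter but now carries no expectation marker, so a reader of the fixture cannot tell whether the query deliberately reports only the earlier duplicates or whether a result is missing. If only the earlier occurrences are meant to be reported, a comment such as `\u0078 // OK - only the earlier duplicates are reported` would make that explicit; if it is a known gap, the `// $ MISSING: Alert` marker used elsewhere in this commit fits better. The commit message explains the renumbering, but that explanation does not travel with the test file.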

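--- a/javascript/ql/test/query-tests/Electron/NodeIntegration/EnablingNodeIntegration.js
+++ b/javascript/ql/test/query-tests/Electron/NodeIntegration/EnablingNodeIntegration.js
@@ -1,30 +1,30 @@
 const {BrowserWindow} = require('electron')
 
 function test() {
-var unsafe_1 = { // $ Alert - both enabled
+var unsafe_1 = { // both enabled
 webPreferences: {
 nodeIntegration: true,
 nodeIntegrationInWorker: true,
 plugins: true,
 webSecurity: true,
 sandbox: true
-}
+} // $ Alert
 };
 
-var options_1 = { // $ Alert - `nodeIntegrationInWorker` enabled
+var options_1 = { // `nodeIntegrationInWorker` enabled
 webPreferences: {
 plugins: true,
 nodeIntegrationInWorker: false,
 webSecurity: true,
 sandbox: true
-}
+} // $ Alert
 };
 
-var pref = { // $ Alert - implicitly enabled
+var pref = { // implicitly enabled
 plugins: true,
 webSecurity: true,
 sandbox: true
-};
+}; // $ Alert
 
 var options_2 = { // $ Alert - implicitly enabled
 webPreferences: pref,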
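Review bot: The retained comment on new line 14, `// \`nodeIntegrationInWorker\` enabled`, contradicts the object it describes, which sets `nodeIntegrationInWorker: false` on line 17 and never sets `nodeIntegration` at all. The alert on the closing brace (line 20) therefore looks like the same "implicitly enabled" case as `pref` below, not a worker-integration case; if that reading is right, `var options_1 = { // nodeIntegration implicitly enabled, nodeIntegrationInWorker explicitly off` would describe the expectation accurately. Since this commit is already rewording these comments, it is the natural place to fix the stale one.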

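--- a/javascript/ql/test/query-tests/React/InconsistentStateUpdate/tst.js
+++ b/javascript/ql/test/query-tests/React/InconsistentStateUpdate/tst.js
@@ -26,87 +26,87 @@ class C3 extends React.Component {
 class C4 extends React.Component {
 upd8() {
 this.setState({
-counter: this.state.foo // $ Alert
-});
+counter: this.state.foo
+}); // $ Alert
 }
 }
 
 class C5 extends React.Component {
 upd8() {
 this.setState({
-foo: { bar: this.state.foo.bar } // $ Alert
-});
+foo: { bar: this.state.foo.bar }
+}); // $ Alert
 }
 }
 
 class C7 extends React.Component {
 upd8a() {
 this.setState({
-foo: this.state.foo // $ Alert
-});
+foo: this.state.foo
+}); // $ Alert
 }
 
 upd8b() {
 this.setState({
-foo: this.state.foo // $ Alert
-});
+foo: this.state.foo
+}); // $ Alert
 }
 }
 
 class C8 extends React.Component {
 upd8a() {
 this.setState({
-foo: this.state.foo + 1 // $ Alert
-});
+foo: this.state.foo + 1
+}); // $ Alert
 }
 
 upd8b() {
 this.setState({
-foo: this.state.foo + 1 // $ Alert
-});
+foo: this.state.foo + 1
+}); // $ Alert
 }
 }
 
 class C9 extends React.Component {
 upd8a() {
 this.setState({
-foo: { bar: this.state.foo.bar } // $ Alert
-});
+foo: { bar: this.state.foo.bar }
+}); // $ Alert
 }
 
 upd8b() {
 this.setState({
-foo: { bar: this.state.foo.bar } // $ Alert
-});
+foo: { bar: this.state.foo.bar }
+}); // $ Alert
 }
 }
 
 class C10 extends React.Component {
 upd8a() {
 this.setState({
-foo: this.state.foo, // $ Alert
-});
+foo: this.state.foo,
 bar: this.state.bar // OK - ignored because it is safe in practice
+}); // $ Alert
 }
 
 upd8b() {
 this.setState({
-foo: this.state.foo // $ Alert
-});
+foo: this.state.foo
+}); // $ Alert
 }
 }
 
 class C11 extends React.Component {
 upd8a() {
 var self = this;
 self.setState({
-foo: self.state.foo // $ Alert
-});
+foo: self.state.foo
+}); // $ Alert
 }
 
 upd8b() {
 this.setState({
-foo: this.state.foo // $ Alert
-});
+foo: this.state.foo
+}); // $ Alert
 }
 }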

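--- a/javascript/ql/test/query-tests/React/UnusedOrUndefinedStateProperty/undefined.js
+++ b/javascript/ql/test/query-tests/React/UnusedOrUndefinedStateProperty/undefined.js
@@ -58,10 +58,10 @@ class C5 extends React.Component {
 }
 new C5({writtenInUnknownInitializerObject: 42});
 
-React.createClass({
+React.createClass({ // $ Alert
 render: function() {
 this.state.writtenInKnownInitializerObject;
-this.state.notWrittenInKnownInitializerObject; // $ Alert
+this.state.notWrittenInKnownInitializerObject;
 return <div/>;
 },
 getInitialState: function() {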

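--- a/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/child_process-test.js
+++ b/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/child_process-test.js
@@ -40,18 +40,18 @@ var server = http.createServer(function(req, res) {
 
 let args = [];
 args[0] = "-c";
-args[1] = cmd; // $ Alert
-cp.execFile("/bin/bash", args);
+args[1] = cmd;
+cp.execFile("/bin/bash", args); // $ Alert
 
 let args = [];
 args[0] = "-c";
-args[1] = cmd; // $ Alert
+args[1] = cmd;
 run("sh", args);
 
 let args = [];
 args[0] = `-` + "c";
-args[1] = cmd; // $ Alert
-cp.execFile(`/bin` + "/bash", args);
+args[1] = cmd;
+cp.execFile(`/bin` + "/bash", args); // $ Alert
 
 cp.spawn('cmd.exe', ['/C', 'foo'].concat(["bar", cmd])); // $ Alert
 cp.spawn('cmd.exe', ['/C', 'foo'].concat(cmd)); // $ Alert
@@ -64,7 +64,7 @@ var server = http.createServer(function(req, res) {
 });
 
 function run(cmd, args) {
-cp.spawn(cmd, args); // OK - the alert happens where `args` is build.
+cp.spawn(cmd, args); // $ Alert - but note that the sink is where `args` is build.
 }
 
 var util = require("util")
@@ -92,4 +92,4 @@ const router = new Router();
 
 router.get("/ping/:host", async (ctx) => {
 cp.exec("ping " + ctx.params.host); // $ Alert
-});
+});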
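Review bot: The new comment on line 67 of the second hunk, `// $ Alert - but note that the sink is where \`args\` is build.`, has a typo (`is build` for `is built`) and still reads as if the alert belongs at the array construction, even though this commit removes the marker from `args[1] = cmd;` on line 48 and the commit message says the `cp.spawn` call is what gets flagged. Something like `// $ Alert - reported on the spawn call; \`args\` is built by the caller` states the new expectation without contradicting it. The third hunk only re-emits `});`, which is presumably a trailing-newline change that the rendered page cannot show.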

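--- a/javascript/ql/test/query-tests/Security/CWE-089/untyped/graphql.js
+++ b/javascript/ql/test/query-tests/Security/CWE-089/untyped/graphql.js
@@ -6,7 +6,7 @@ const kit = new Octokit();
 
 app.get('/post/:id', function(req, res) {
 const id = req.params.id;
-const response = kit.graphql(` // $ Alert
+const response = kit.graphql(`
 query {
 repository(owner: "github", name: "${id}") {
 object(expression: "master:foo") {
@@ -16,7 +16,7 @@ app.get('/post/:id', function(req, res) {
 }
 }
 }
-`);
+`); // $ Alert
 });
 
 import { graphql, withCustomRequest } from "@octokit/graphql";
@@ -72,20 +72,20 @@ var root = {
 app.get('/thing/:id', async function(req, res) {
 const id = req.query.id;
 const result = await nativeGraphql(schema, "{ foo" + id + " }", root); // $ Alert
-
+
 fetch("https://my-grpahql-server.com/graphql", {
 method: "POST",
 headers: {
 "Content-Type": "application/json"
 },
 body: JSON.stringify({
-query: `{ // $ Alert
+query: `{
 thing {
 name
 url
 ${id}
 }
-}`
+}` // $ Alert
 })
 })
 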
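--- a/javascript/ql/test/query-tests/Security/CWE-1004/tst-httpOnly.js
+++ b/javascript/ql/test/query-tests/Security/CWE-1004/tst-httpOnly.js
@@ -11,8 +11,8 @@ app.use(session({
 app.use(session({
 name: 'session',
 keys: ['key1', 'key2'],
-httpOnly: false // $ Alert
-}))
+httpOnly: false
+})) // $ Alert
 
 app.use(session({
 name: 'session',
@@ -51,8 +51,8 @@ var flag2 = flag
 app.use(session({
 name: 'session',
 keys: ['key1', 'key2'],
-httpOnly: flag2 // $ Alert
-}))
+httpOnly: flag2
+})) // $ Alert
 
 app.get('/a', function (req, res, next) {
 res.cookie('authkey', 'value',
@@ -68,18 +68,18 @@ app.get('/a', function (req, res, next) {
 res.cookie('authkey', 'value',
 {
 maxAge: 9000000000,
-httpOnly: false, // $ Alert
+httpOnly: false,
 secure: false
-});
+}); // $ Alert
 res.end('ok')
 })
 
 app.get('/a', function (req, res, next) {
 res.cookie('authkey', 'value',
 {
 maxAge: 9000000000
-});
-res.end('ok') // $ Alert
+}); // $ Alert
+res.end('ok')
 })
 
 app.get('/a', function (req, res, next) {
@@ -95,10 +95,10 @@ app.get('/a', function (req, res, next) {
 app.get('/a', function (req, res, next) {
 let options = {
 maxAge: 9000000000,
-httpOnly: false, // $ Alert
+httpOnly: false,
 secure: false
 }
-res.cookie('authkey', 'value', options);
+res.cookie('authkey', 'value', options); // $ Alert
 res.end('ok')
 })
 
@@ -301,8 +301,8 @@ app.use(session({
 app.use(session({
 name: 'session',
 keys: ['key1', 'key2'],
-cookie: { httpOnly: false } // $ Alert
-}))
+cookie: { httpOnly: false }
+})) // $ Alert
 
 app.use(session({
 name: 'session',
@@ -318,8 +318,8 @@ app.use(session({ // OK - httpOnly is true by default
 app.use(session({
 name: 'mycookie',
 keys: ['key1', 'key2'],
-cookie: { httpOnly: false } // $ Alert - It is a session cookie, name doesn't matter
-}))
+cookie: { httpOnly: false } // It is a session cookie, name doesn't matter
+})) // $ Alert
 
 const http = require('http');
 function test10() {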

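--- a/javascript/ql/test/query-tests/Security/CWE-116/IncompleteSanitization/tst-multi-character-sanitization.js
+++ b/javascript/ql/test/query-tests/Security/CWE-116/IncompleteSanitization/tst-multi-character-sanitization.js
@@ -88,11 +88,11 @@
 
 x = x.replace(/^(\.\.\/?)+/g, "");
 
-x = x.replace(/<script\b[^<]*(?:(?!<\/script>)<[^<]*)*<\/script>/g, function( // $ Alert
+x = x.replace(/<script\b[^<]*(?:(?!<\/script>)<[^<]*)*<\/script>/g, function(
 $0
 ) {
 return unknown ? $0 : "";
-});
+}); // $ Alert[js/incomplete-multi-character-sanitization]
 
 x = x.replace(/<\/?([a-z][a-z0-9]*)\b[^>]*>/gi, ""); // $ MISSING: Alert
 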
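--- a/javascript/ql/test/query-tests/Security/CWE-117/logInjectionBad.js
+++ b/javascript/ql/test/query-tests/Security/CWE-117/logInjectionBad.js
@@ -120,11 +120,11 @@ const server4 = http.createServer((req, res) => {
 
 const serverMatchAll = http.createServer((req, res) => {
 let username = url.parse(req.url, true).query.username;
-let otherStr = username.matchAll(/.*/g)[0]; // $ Alert
-console.log(otherStr);
+let otherStr = username.matchAll(/.*/g)[0];
+console.log(otherStr); // $ Alert
 });
 
 const serverMatchAl2l = http.createServer((req, res) => {
-const result = url.parse(req.url, true).query.username.matchAll(/(\d+)/g); // $ Alert
-console.log("First captured group:", RegExp.$1);
+const result = url.parse(req.url, true).query.username.matchAll(/(\d+)/g);
+console.log("First captured group:", RegExp.$1); // $ Alert
 });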
