Skip to content

Commit de7723f

Browse files
committed
Add SPURIOUS and MISSING tags
1 parent 5c2e5bf commit de7723f

4 files changed

Lines changed: 20 additions & 20 deletions

File tree

javascript/ql/test/experimental/Security/CWE-918/check-middleware.js

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -6,7 +6,7 @@ const express = require('express');
66
const app = express();
77

88
app.get('/check-with-axios', validationMiddleware, req => {
9-
axios.get("test.com/" + req.query.tainted); // $ Alert // OK is sanitized by the middleware - False Positive
9+
axios.get("test.com/" + req.query.tainted); // $ SPURIOUS: Alert // OK is sanitized by the middleware - False Positive
1010
});
1111

1212

javascript/ql/test/experimental/Security/CWE-918/check-regex.js

Lines changed: 10 additions & 10 deletions
Original file line numberDiff line numberDiff line change
@@ -13,14 +13,14 @@ app.get('/check-with-axios', req => {
1313
axios.get("test.com/" + req.query.tainted); // OK
1414
}
1515
if (req.query.tainted.match(/^.*$/)) { // anything
16-
axios.get("test.com/" + req.query.tainted); // $ Alert // SSRF - False Negative
16+
axios.get("test.com/" + req.query.tainted); // $ Alert // SSRF
1717
}
1818

1919
const baseURL = "test.com/"
20-
if (isValidPath(req.params.tainted) ) {
20+
if (isValidPath(req.params.tainted)) {
2121
axios.get(baseURL + req.params.tainted); // OK
2222
}
23-
if (!isValidPath(req.params.tainted) ) {
23+
if (!isValidPath(req.params.tainted)) {
2424
axios.get(baseURL + req.params.tainted); // $ Alert // SSRF
2525
} else {
2626
axios.get(baseURL + req.params.tainted); // OK
@@ -30,15 +30,15 @@ app.get('/check-with-axios', req => {
3030
if (!req.query.tainted.match(/^[/\.%]+$/)) {
3131
axios.get("test.com/" + req.query.tainted); // $ Alert // SSRF
3232
}
33-
if (!isInBlacklist(req.params.tainted) ) {
33+
if (!isInBlacklist(req.params.tainted)) {
3434
axios.get(baseURL + req.params.tainted); // $ Alert // SSRF
3535
}
3636

3737
if (!isValidPath(req.params.tainted)) {
3838
return;
3939
}
4040

41-
axios.get("test.com/" + req.query.tainted); // $ Alert // OK - False Positive
41+
axios.get("test.com/" + req.query.tainted); // $ SPURIOUS: Alert // OK - False Positive
4242

4343
if (req.query.tainted.matchAll(/^[0-9a-z]+$/g)) { // letters and numbers
4444
axios.get("test.com/" + req.query.tainted); // OK
@@ -48,20 +48,20 @@ app.get('/check-with-axios', req => {
4848
}
4949
});
5050

51-
const isValidPath = path => path.match(/^[0-9a-z]+$/);
51+
const isValidPath = path => path.match(/^[0-9a-z]+$/);
5252

53-
const isInBlackList = path => path.match(/^[/\.%]+$/);
53+
const isInBlackList = path => path.match(/^[/\.%]+$/);
5454

5555
app.get('/check-with-axios', req => {
5656
const baseURL = "test.com/"
57-
if (isValidPathMatchAll(req.params.tainted) ) {
57+
if (isValidPathMatchAll(req.params.tainted)) {
5858
axios.get(baseURL + req.params.tainted); // OK
5959
}
60-
if (!isValidPathMatchAll(req.params.tainted) ) {
60+
if (!isValidPathMatchAll(req.params.tainted)) {
6161
axios.get(baseURL + req.params.tainted); // $ Alert // NOT OK - SSRF
6262
} else {
6363
axios.get(baseURL + req.params.tainted); // OK
6464
}
6565
});
6666

67-
const isValidPathMatchAll = path => path.matchAll(/^[0-9a-z]+$/g);
67+
const isValidPathMatchAll = path => path.matchAll(/^[0-9a-z]+$/g);

javascript/ql/test/experimental/Security/CWE-918/check-validator.js

Lines changed: 8 additions & 8 deletions
Original file line numberDiff line numberDiff line change
@@ -47,7 +47,7 @@ app.get("/check-with-axios", req => {
4747
axios.get("test.com/" + req.query.tainted); // OK
4848
}
4949
if (validHexa(req.query.tainted)) {
50-
axios.get("test.com/" + req.query.tainted); // $ Alert // OK. False Positive
50+
axios.get("test.com/" + req.query.tainted); // $ SPURIOUS: Alert // OK. False Positive
5151
}
5252

5353
// with simple assignation
@@ -56,16 +56,16 @@ app.get("/check-with-axios", req => {
5656
axios.get("test.com/" + numberURL); // OK
5757
}
5858
if (validNumber(numberURL)) {
59-
axios.get("test.com/" + req.query.tainted); // $ Alert // OK. False Positive
59+
axios.get("test.com/" + req.query.tainted); // $ SPURIOUS: Alert // OK. False Positive
6060
}
6161
if (validNumber(req.query.tainted)) {
62-
axios.get("test.com/" + numberURL); // $ Alert // OK. False Positive
62+
axios.get("test.com/" + numberURL); // $ SPURIOUS: Alert // OK. False Positive
6363
}
6464

65-
if (validHexadecimal(req.query.tainted) || validHexaColor(req.query.tainted) ||
66-
validDecimal(req.query.tainted) || validFloat(req.query.tainted) || validInt(req.query.tainted) ||
67-
validNumber(req.query.tainted) || validOctal(req.query.tainted)) {
68-
axios.get("test.com/" + req.query.tainted); // $ Alert // OK. False Positive
65+
if (validHexadecimal(req.query.tainted) || validHexaColor(req.query.tainted) ||
66+
validDecimal(req.query.tainted) || validFloat(req.query.tainted) || validInt(req.query.tainted) ||
67+
validNumber(req.query.tainted) || validOctal(req.query.tainted)) {
68+
axios.get("test.com/" + req.query.tainted); // $ SPURIOUS: Alert // OK. False Positive
6969
}
7070
});
7171

@@ -93,6 +93,6 @@ const validHexaColor = url => validator.isHexColor(url);
9393
const validUUID = url => validator.isUUID(url);
9494

9595
// unsafe validators
96-
const wrongValidation = url => validator.isByteLength(url, {min:4,max:8});
96+
const wrongValidation = url => validator.isByteLength(url, { min: 4, max: 8 });
9797

9898
const isAlphanumeric = url => true;

javascript/ql/test/query-tests/AngularJS/MissingExplicitInjection/missing-explicit-injection.js

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -21,7 +21,7 @@
2121
controller: notInjected7
2222
};
2323

24-
function injected8(name){} // OK - false negative: we do not track through properties
24+
function injected8(name){} // $ MISSING: Alert // false negative: we do not track through properties
2525
var obj8 = {
2626
controller: injected8
2727
};

0 commit comments

Comments
 (0)