Skip to content

Commit dee6386

Browse files
authored
Merge pull request #22126 from owen-mc/js/convert-qlref-inline-expectations
JS: Convert qlref tests to inline expectations
2 parents 9fc65df + de7723f commit dee6386

42 files changed

Lines changed: 158 additions & 147 deletions

Some content is hidden

Large Commits have some content hidden by default. Use the searchbox below for content that may be hidden.
Lines changed: 2 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1 +1,2 @@
1-
experimental/Security/CWE-094-dataURL/CodeInjection.ql
1+
query: experimental/Security/CWE-094-dataURL/CodeInjection.ql
2+
postprocess: utils/test/InlineExpectationsTestQuery.ql

javascript/ql/test/experimental/Security/CWE-094-dataURL/test.js

Lines changed: 6 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -2,21 +2,21 @@ const { Worker } = require('node:worker_threads');
22
var app = require('express')();
33

44
app.post('/path', async function (req, res) {
5-
const payload = req.query.queryParameter // like: payload = 'data:text/javascript,console.log("hello!");//'
5+
const payload = req.query.queryParameter // $ Source // like: payload = 'data:text/javascript,console.log("hello!");//'
66
let payloadURL = new URL(payload + sth) // NOT OK
7-
new Worker(payloadURL);
7+
new Worker(payloadURL); // $ Alert
88

99
payloadURL = new URL(payload + sth) // NOT OK
10-
new Worker(payloadURL);
10+
new Worker(payloadURL); // $ Alert
1111

1212
payloadURL = new URL(sth + payload) // OK
1313
new Worker(payloadURL);
1414
});
1515

1616
app.post('/path2', async function (req, res) {
17-
const payload = req.query.queryParameter // like: payload = 'data:text/javascript,console.log("hello!");//'
18-
await import(payload) // NOT OK
19-
await import(payload + sth) // NOT OK
17+
const payload = req.query.queryParameter // $ Source // like: payload = 'data:text/javascript,console.log("hello!");//'
18+
await import(payload) // $ Alert // NOT OK
19+
await import(payload + sth) // $ Alert // NOT OK
2020
await import(sth + payload) // OK
2121
});
2222

Lines changed: 2 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1 +1,2 @@
1-
experimental/Security/CWE-099/EnvValueAndKeyInjection.ql
1+
query: experimental/Security/CWE-099/EnvValueAndKeyInjection.ql
2+
postprocess: utils/test/InlineExpectationsTestQuery.ql

javascript/ql/test/experimental/Security/CWE-099/EnvValueAndKeyInjection/test.js

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -2,9 +2,9 @@ const http = require('node:http');
22

33

44
http.createServer((req, res) => {
5-
const { EnvValue, EnvKey } = req.body;
6-
process.env[EnvKey] = EnvValue; // NOT OK
7-
process.env[EnvKey] = EnvValue; // NOT OK
5+
const { EnvValue, EnvKey } = req.body; // $ Source
6+
process.env[EnvKey] = EnvValue; // $ Alert // NOT OK
7+
process.env[EnvKey] = EnvValue; // $ Alert // NOT OK
88

99
res.end('env has been injected!');
1010
});
Lines changed: 2 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1 +1,2 @@
1-
experimental/Security/CWE-099/EnvValueInjection.ql
1+
query: experimental/Security/CWE-099/EnvValueInjection.ql
2+
postprocess: utils/test/InlineExpectationsTestQuery.ql
Lines changed: 4 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -1,10 +1,10 @@
11
const http = require('node:http');
22

33
http.createServer((req, res) => {
4-
const { EnvValue } = req.body;
5-
process.env["A_Critical_Env"] = EnvValue; // NOT OK
6-
process.env[AKey] = EnvValue; // NOT OK
7-
process.env.AKey = EnvValue; // NOT OK
4+
const { EnvValue } = req.body; // $ Source
5+
process.env["A_Critical_Env"] = EnvValue; // $ Alert // NOT OK
6+
process.env[AKey] = EnvValue; // $ Alert // NOT OK
7+
process.env.AKey = EnvValue; // $ Alert // NOT OK
88

99
res.end('env has been injected!');
1010
});

javascript/ql/test/experimental/Security/CWE-347/localsource/JsonWebToken.js

Lines changed: 5 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -10,18 +10,18 @@ function aJWT() {
1010
}
1111

1212
(function () {
13-
const UserToken = aJwt()
13+
const UserToken = aJwt() // $ Alert
1414

1515
// BAD: no signature verification
16-
jwtJsonwebtoken.decode(UserToken) // NOT OK
16+
jwtJsonwebtoken.decode(UserToken) // $ Sink // NOT OK
1717
})();
1818

1919
(function () {
20-
const UserToken = aJwt()
20+
const UserToken = aJwt() // $ Alert
2121

2222
// BAD: no signature verification
23-
jwtJsonwebtoken.decode(UserToken) // NOT OK
24-
jwtJsonwebtoken.verify(UserToken, getSecret(), { algorithms: ["HS256", "none"] }) // NOT OK
23+
jwtJsonwebtoken.decode(UserToken) // $ Sink // NOT OK
24+
jwtJsonwebtoken.verify(UserToken, getSecret(), { algorithms: ["HS256", "none"] }) // $ Sink // NOT OK
2525
})();
2626

2727
(function () {
Lines changed: 2 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1 +1,2 @@
1-
experimental/Security/CWE-347/decodeJwtWithoutVerificationLocalSource.ql
1+
query: experimental/Security/CWE-347/decodeJwtWithoutVerificationLocalSource.ql
2+
postprocess: utils/test/InlineExpectationsTestQuery.ql

javascript/ql/test/experimental/Security/CWE-347/localsource/jose.js

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -9,10 +9,10 @@ function aJWT() {
99
}
1010

1111
(function () {
12-
const UserToken = aJwt()
12+
const UserToken = aJwt() // $ Alert
1313

1414
// no signature verification
15-
jose.decodeJwt(UserToken) // NOT OK
15+
jose.decodeJwt(UserToken) // $ Sink // NOT OK
1616
})();
1717

1818
(async function () {

javascript/ql/test/experimental/Security/CWE-347/localsource/jwtDecode.js

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -10,9 +10,9 @@ function aJWT() {
1010
}
1111

1212
(function () {
13-
const UserToken = aJwt()
13+
const UserToken = aJwt() // $ Alert
1414

1515
// jwt-decode
1616
// no signature verification
17-
jwt_decode(UserToken) // NOT OK
17+
jwt_decode(UserToken) // $ Sink // NOT OK
1818
})();

0 commit comments

Comments
 (0)