
Commit 33d2049

committed
add test for json stringify xss
1 parent b95566b commit 33d2049

2 files changed

+70
-0
lines changed


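--- a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/XssWithAdditionalSources.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/XssWithAdditionalSources.expected
@@ -1,4 +1,18 @@
 nodes
+| JsonStringify.jsx:5:9:5:36 | locale |
+| JsonStringify.jsx:5:9:5:36 | locale |
+| JsonStringify.jsx:5:18:5:36 | req.param("locale") |
+| JsonStringify.jsx:5:18:5:36 | req.param("locale") |
+| JsonStringify.jsx:5:18:5:36 | req.param("locale") |
+| JsonStringify.jsx:14:18:14:60 | `https: ... ocale}` |
+| JsonStringify.jsx:14:53:14:58 | locale |
+| JsonStringify.jsx:22:18:22:65 | `https: ... ocale}` |
+| JsonStringify.jsx:22:58:22:63 | locale |
+| JsonStringify.jsx:30:40:30:45 | locale |
+| JsonStringify.jsx:30:40:30:45 | locale |
+| JsonStringify.jsx:30:40:30:45 | locale |
+| JsonStringify.jsx:34:40:34:61 | JSON.st ... jsonLD) |
+| JsonStringify.jsx:34:40:34:61 | JSON.st ... jsonLD) |
 | addEventListener.js:1:43:1:47 | event |
 | addEventListener.js:1:43:1:47 | event |
 | addEventListener.js:1:43:1:47 | event |
@@ -1154,6 +1168,22 @@ nodes
 | xmlRequest.js:22:24:22:35 | json.message |
 | xmlRequest.js:22:24:22:35 | json.message |
 edges
+| JsonStringify.jsx:5:9:5:36 | locale | JsonStringify.jsx:14:53:14:58 | locale |
+| JsonStringify.jsx:5:9:5:36 | locale | JsonStringify.jsx:22:58:22:63 | locale |
+| JsonStringify.jsx:5:9:5:36 | locale | JsonStringify.jsx:30:40:30:45 | locale |
+| JsonStringify.jsx:5:9:5:36 | locale | JsonStringify.jsx:30:40:30:45 | locale |
+| JsonStringify.jsx:5:9:5:36 | locale | JsonStringify.jsx:30:40:30:45 | locale |
+| JsonStringify.jsx:5:9:5:36 | locale | JsonStringify.jsx:30:40:30:45 | locale |
+| JsonStringify.jsx:5:18:5:36 | req.param("locale") | JsonStringify.jsx:5:9:5:36 | locale |
+| JsonStringify.jsx:5:18:5:36 | req.param("locale") | JsonStringify.jsx:5:9:5:36 | locale |
+| JsonStringify.jsx:5:18:5:36 | req.param("locale") | JsonStringify.jsx:5:9:5:36 | locale |
+| JsonStringify.jsx:5:18:5:36 | req.param("locale") | JsonStringify.jsx:5:9:5:36 | locale |
+| JsonStringify.jsx:14:18:14:60 | `https: ... ocale}` | JsonStringify.jsx:34:40:34:61 | JSON.st ... jsonLD) |
+| JsonStringify.jsx:14:18:14:60 | `https: ... ocale}` | JsonStringify.jsx:34:40:34:61 | JSON.st ... jsonLD) |
+| JsonStringify.jsx:14:53:14:58 | locale | JsonStringify.jsx:14:18:14:60 | `https: ... ocale}` |
+| JsonStringify.jsx:22:18:22:65 | `https: ... ocale}` | JsonStringify.jsx:34:40:34:61 | JSON.st ... jsonLD) |
+| JsonStringify.jsx:22:18:22:65 | `https: ... ocale}` | JsonStringify.jsx:34:40:34:61 | JSON.st ... jsonLD) |
+| JsonStringify.jsx:22:58:22:63 | locale | JsonStringify.jsx:22:18:22:65 | `https: ... ocale}` |
 | addEventListener.js:1:43:1:47 | event | addEventListener.js:2:20:2:24 | event |
 | addEventListener.js:1:43:1:47 | event | addEventListener.js:2:20:2:24 | event |
 | addEventListener.js:1:43:1:47 | event | addEventListener.js:2:20:2:24 | event |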
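--- /dev/null
+++ b/JsonStringify.jsx
@@ -0,0 +1,40 @@
+var express = require("express");
+var app = express();
+
+app.get("/some/path", function (req, res) {
+const locale = req.param("locale");
+const jsonLD = {
+"@context": "https://schema.org",
+"@type": "BreadcrumbList",
+itemListElement: [
+{
+"@type": "ListItem",
+position: 1,
+item: {
+"@id": `https://example.com/some?locale=${locale}`,
+name: "Some",
+},
+},
+{
+"@type": "ListItem",
+position: 2,
+item: {
+"@id": `https://example.com/some/path?locale=${locale}`,
+name: "Real Dresses",
+},
+},
+],
+};
+<script
+type="application/ld+json"
+dangerouslySetInnerHTML={{ __html: locale }} // NOT OK
+/>;
+<script
+type="application/ld+json"
+dangerouslySetInnerHTML={{ __html: JSON.stringify(jsonLD) }} // NOT OK
+/>;
+<script
+type="application/ld+json"
+dangerouslySetInnerHTML={{ __html: JSON.stringify({}) }} // OK
+/>;
+});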
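Review bot: The `// NOT OK` markers on lines 30 and 34 leave unstated why `JSON.stringify(jsonLD)` is still flagged, which is the whole point of this fixture; a reader could take the line-34 alert for a false positive. A header comment such as `// JSON.stringify does not escape "<", so a tainted string inside the serialized object can close the enclosing <script> element; the output is only safe once "<" is escaped (e.g. as \u003c) before embedding.` would make the expectation self-explaining. The single `// OK` case on line 38 only covers a constant object; a case with tainted data that is escaped for script-context embedding, marked OK, would pin the intended safe pattern, assuming the query models that escaping as a sanitizer. `req.param()` on line 5 is deprecated in Express 4, which is fine for a taint-source fixture but worth a short comment so it is not "modernized" away and the source lost.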
