
Commit d790f3c

committed
add test for unsafe-code-construction query
1 parent 198a464 commit d790f3c


4 files changed

+38
-0
lines changed

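--- /dev/null
+++ b/<PATH NOT SHOWN ON PAGE>
@@ -0,0 +1,21 @@
+nodes
+| lib/index.js:1:35:1:38 | data |
+| lib/index.js:1:35:1:38 | data |
+| lib/index.js:2:21:2:24 | data |
+| lib/index.js:2:21:2:24 | data |
+| lib/index.js:5:35:5:38 | name |
+| lib/index.js:5:35:5:38 | name |
+| lib/index.js:6:26:6:29 | name |
+| lib/index.js:6:26:6:29 | name |
+edges
+| lib/index.js:1:35:1:38 | data | lib/index.js:2:21:2:24 | data |
+| lib/index.js:1:35:1:38 | data | lib/index.js:2:21:2:24 | data |
+| lib/index.js:1:35:1:38 | data | lib/index.js:2:21:2:24 | data |
+| lib/index.js:1:35:1:38 | data | lib/index.js:2:21:2:24 | data |
+| lib/index.js:5:35:5:38 | name | lib/index.js:6:26:6:29 | name |
+| lib/index.js:5:35:5:38 | name | lib/index.js:6:26:6:29 | name |
+| lib/index.js:5:35:5:38 | name | lib/index.js:6:26:6:29 | name |
+| lib/index.js:5:35:5:38 | name | lib/index.js:6:26:6:29 | name |
+#select
+| lib/index.js:2:21:2:24 | data | lib/index.js:1:35:1:38 | data | lib/index.js:2:21:2:24 | data | $@ flows to here and is later $@. | lib/index.js:1:35:1:38 | data | Library input | lib/index.js:2:15:2:30 | "(" + data + ")" | interpreted as code |
+| lib/index.js:6:26:6:29 | name | lib/index.js:5:35:5:38 | name | lib/index.js:6:26:6:29 | name | $@ flows to here and is later $@. | lib/index.js:5:35:5:38 | name | Library input | lib/index.js:6:17:6:29 | "obj." + name | interpreted as code |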
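--- /dev/null
+++ b/<PATH NOT SHOWN ON PAGE>
@@ -0,0 +1 @@
+Security/CWE-094/UnsafeCodeConstruction.ql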
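--- /dev/null
+++ b/lib/index.js
@@ -0,0 +1,11 @@
+export function unsafeDeserialize(data) {
+return eval("(" + data + ")"); // NOT OK
+}
+
+export function unsafeGetter(obj, name) {
+return eval("obj." + name); // NOT OK
+}
+
+export function safeAssignment(obj, value) {
+eval("obj.foo = " + JSON.stringify(value)); // OK
+}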
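Review bot: The fixture only exercises `+`-concatenated strings handed to a direct `eval`, so this test says nothing about how the query treats a template-literal construction such as `` eval(`obj.${name}`) `` or other code sinks like `new Function`; if the query is meant to flag those forms, one case per form would pin that behaviour in the expected output. The `// OK` on `safeAssignment` would also read better with the reason attached, e.g. `// OK: JSON.stringify yields a self-contained literal, so value cannot alter the surrounding statement`, since the contrast with the two `// NOT OK` cases is the whole point of the file. That reasoning presumably relies on an ES2019+ runtime where JSON text is a syntactic subset of JS; worth confirming that is the assumption the query encodes.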
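--- /dev/null
+++ b/<PATH NOT SHOWN ON PAGE>
@@ -0,0 +1,5 @@
+{
+"name": "my-lib",
+"version": "0.0.7",
+"main": "index.js"
+}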
