new test case for unknown base url

Author: luciaromeroML

javascript/ql/test/experimental/Security/CWE-918/SSRF.expected

@@ -37,6 +37,10 @@ nodes
 | check-path.js:37:15:37:45 | 'test.c ... tainted |
 | check-path.js:37:29:37:45 | req.query.tainted |
 | check-path.js:37:29:37:45 | req.query.tainted |
+| check-path.js:45:13:45:44 | `${base ... inted}` |
+| check-path.js:45:13:45:44 | `${base ... inted}` |
+| check-path.js:45:26:45:42 | req.query.tainted |
+| check-path.js:45:26:45:42 | req.query.tainted |
 | check-regex.js:24:15:24:42 | baseURL ... tainted |
 | check-regex.js:24:15:24:42 | baseURL ... tainted |
 | check-regex.js:24:25:24:42 | req.params.tainted |
@@ -113,6 +117,10 @@ edges
 | check-path.js:37:29:37:45 | req.query.tainted | check-path.js:37:15:37:45 | 'test.c ... tainted |
 | check-path.js:37:29:37:45 | req.query.tainted | check-path.js:37:15:37:45 | 'test.c ... tainted |
 | check-path.js:37:29:37:45 | req.query.tainted | check-path.js:37:15:37:45 | 'test.c ... tainted |
+| check-path.js:45:26:45:42 | req.query.tainted | check-path.js:45:13:45:44 | `${base ... inted}` |
+| check-path.js:45:26:45:42 | req.query.tainted | check-path.js:45:13:45:44 | `${base ... inted}` |
+| check-path.js:45:26:45:42 | req.query.tainted | check-path.js:45:13:45:44 | `${base ... inted}` |
+| check-path.js:45:26:45:42 | req.query.tainted | check-path.js:45:13:45:44 | `${base ... inted}` |
 | check-regex.js:24:25:24:42 | req.params.tainted | check-regex.js:24:15:24:42 | baseURL ... tainted |
 | check-regex.js:24:25:24:42 | req.params.tainted | check-regex.js:24:15:24:42 | baseURL ... tainted |
 | check-regex.js:24:25:24:42 | req.params.tainted | check-regex.js:24:15:24:42 | baseURL ... tainted |
@@ -164,6 +172,7 @@ edges
 | check-path.js:24:13:24:65 | `/addre ... nted)}` | check-path.js:24:46:24:62 | req.query.tainted | check-path.js:24:13:24:65 | `/addre ... nted)}` | The URL of this request depends on a user-provided value |
 | check-path.js:33:15:33:45 | 'test.c ... tainted | check-path.js:33:29:33:45 | req.query.tainted | check-path.js:33:15:33:45 | 'test.c ... tainted | The URL of this request depends on a user-provided value |
 | check-path.js:37:15:37:45 | 'test.c ... tainted | check-path.js:37:29:37:45 | req.query.tainted | check-path.js:37:15:37:45 | 'test.c ... tainted | The URL of this request depends on a user-provided value |
+| check-path.js:45:13:45:44 | `${base ... inted}` | check-path.js:45:26:45:42 | req.query.tainted | check-path.js:45:13:45:44 | `${base ... inted}` | The URL of this request depends on a user-provided value |
 | check-regex.js:24:15:24:42 | baseURL ... tainted | check-regex.js:24:25:24:42 | req.params.tainted | check-regex.js:24:15:24:42 | baseURL ... tainted | The URL of this request depends on a user-provided value |
 | check-regex.js:31:15:31:45 | "test.c ... tainted | check-regex.js:31:29:31:45 | req.query.tainted | check-regex.js:31:15:31:45 | "test.c ... tainted | The URL of this request depends on a user-provided value |
 | check-regex.js:34:15:34:42 | baseURL ... tainted | check-regex.js:34:25:34:42 | req.params.tainted | check-regex.js:34:15:34:42 | baseURL ... tainted | The URL of this request depends on a user-provided value |

javascript/ql/test/experimental/Security/CWE-918/check-path.js

@@ -41,6 +41,9 @@ app.get('/check-with-axios', req => {
     axios.get('test.com/' + req.query.tainted) // OK
   }
 
+  let baseURL = require('config').base
+  axios.get(`${baseURL}${req.query.tainted}`); // SSRF
+
   if(!isValidInput(req.query.tainted)) {
     return;
   }