Added test case @apollo/server with SSRF.

Napalys · Napalys · commit 23fdc3534f8e · 2025-03-19T13:34:27.000+01:00
diff --git a/javascript/ql/test/query-tests/Security/CWE-918/apollo.serverSide.ts b/javascript/ql/test/query-tests/Security/CWE-918/apollo.serverSide.ts
@@ -0,0 +1,14 @@
+import { ApolloServer } from '@apollo/server';
+import { get } from 'https';
+
+function createApolloServer(typeDefs) {
+    const resolvers = {
+        Mutation: {
+          downloadFiles: async (_, { files }) => { // $ MISSING: Source[js/request-forgery]
+            files.forEach((file) => { get(file.url, (res) => {}); }); // $ MISSING: Alert[js/request-forgery] Sink[js/request-forgery]
+            return true;
+          },
+        },
+      };
+    const server = new ApolloServer({typeDefs, resolvers});
+}
