JS: Add explicit body-parsers to TemplateObjectInjection test

asgerf · asgerf · commit 64db70f3aca4 · 2021-12-07T10:46:18.000+01:00
diff --git a/javascript/ql/test/query-tests/Security/CWE-073/tst.js b/javascript/ql/test/query-tests/Security/CWE-073/tst.js
@@ -1,8 +1,8 @@
 var app = require('express')();
 app.set('view engine', 'hbs');
 
-
-
+app.use(require('body-parser').json());
+app.use(require('body-parser').urlencoded({ extended: false }));
 app.post('/path', function(req, res) {
     var bodyParameter = req.body.bodyParameter;
     var queryParameter = req.query.queryParameter;
diff --git a/javascript/ql/test/query-tests/Security/CWE-073/tst2.js b/javascript/ql/test/query-tests/Security/CWE-073/tst2.js
@@ -2,43 +2,43 @@ const handlebars = require("express-handlebars");
 var app = require('express')();
 app.engine( '.hbs', handlebars({ defaultLayout: 'main', extname: '.hbs' }) ); 
 app.set('view engine', '.hbs')
-app.post('/path', function(req, res) {
+app.post('/path', require('body-parser').json(), function(req, res) {
     var bodyParameter = req.body.bodyParameter;
     res.render('template', bodyParameter); // NOT OK
 }); 
 
 var app2 = require('express')();
-app2.post('/path', function(req, res) {
+app2.post('/path', require('body-parser').json(), function(req, res) {
     var bodyParameter = req.body.bodyParameter;
     res.render('template', bodyParameter); // OK
 }); 
 
 var app3 = require('express')();
 app3.set('view engine', 'pug');
-app3.post('/path', function(req, res) {
+app3.post('/path', require('body-parser').json(), function(req, res) {
     var bodyParameter = req.body.bodyParameter;
     res.render('template', bodyParameter); // OK
 }); 
 
 var app4 = require('express')();
 app4.set('view engine', 'ejs');
-app4.post('/path', function(req, res) {
+app4.post('/path', require('body-parser').json(), function(req, res) {
     var bodyParameter = req.body.bodyParameter;
     res.render('template', bodyParameter); // NOT OK
 }); 
 
 var app5 = require('express')();
 app5.engine("foobar", require("consolidate").whiskers);
 app5.set('view engine', 'foobar');
-app5.post('/path', function(req, res) {
+app5.post('/path', require('body-parser').json(), function(req, res) {
     var bodyParameter = req.body.bodyParameter;
     res.render('template', bodyParameter); // NOT OK
 }); 
 
 var app6 = require('express')();
 app6.register(".html", require("consolidate").whiskers);
 app6.set('view engine', 'html');
-app6.post('/path', function(req, res) {
+app6.post('/path', require('body-parser').json(), function(req, res) {
     var bodyParameter = req.body.bodyParameter;
     res.render('template', bodyParameter); // NOT OK
 }); 
@@ -47,7 +47,7 @@ const express = require('express');
 var router = express.Router();
 var app7 = express();
 app7.set('view engine', 'ejs');
-router.post('/path', function(req, res) {
+router.post('/path', require('body-parser').json(), function(req, res) {
     var bodyParameter = req.body.bodyParameter;
     res.render('template', bodyParameter); // NOT OK
 });
