
Commit 699d3a0

committed
JS: Update a RegExp injection test
RegExpInjection does not use client-side sources, but one of its tests was using postMessage events as the taint source. Updating the test to use a different taint source.
1 parent 467256d commit 699d3a0


2 files changed

+19
-28
lines changed


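--- a/javascript/ql/test/query-tests/Security/CWE-730/RegExpInjection.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-730/RegExpInjection.expected
@@ -64,15 +64,13 @@ nodes
 | RegExpInjection.js:93:20:93:31 | process.argv |
 | RegExpInjection.js:93:20:93:31 | process.argv |
 | RegExpInjection.js:93:20:93:34 | process.argv[1] |
-| tst.js:1:46:1:46 | e |
-| tst.js:1:46:1:46 | e |
-| tst.js:2:9:2:21 | data |
-| tst.js:2:16:2:16 | e |
-| tst.js:2:16:2:21 | e.data |
-| tst.js:3:16:3:35 | "^"+ data.name + "$" |
-| tst.js:3:16:3:35 | "^"+ data.name + "$" |
-| tst.js:3:21:3:24 | data |
-| tst.js:3:21:3:29 | data.name |
+| tst.js:5:9:5:29 | data |
+| tst.js:5:16:5:29 | req.query.data |
+| tst.js:5:16:5:29 | req.query.data |
+| tst.js:6:16:6:35 | "^"+ data.name + "$" |
+| tst.js:6:16:6:35 | "^"+ data.name + "$" |
+| tst.js:6:21:6:24 | data |
+| tst.js:6:21:6:29 | data.name |
 edges
 | RegExpInjection.js:5:7:5:28 | key | RegExpInjection.js:8:31:8:33 | key |
 | RegExpInjection.js:5:7:5:28 | key | RegExpInjection.js:19:19:19:21 | key |
@@ -135,14 +133,12 @@ edges
 | RegExpInjection.js:93:20:93:31 | process.argv | RegExpInjection.js:93:20:93:34 | process.argv[1] |
 | RegExpInjection.js:93:20:93:34 | process.argv[1] | RegExpInjection.js:93:16:93:49 | `^${pro ... r.app$` |
 | RegExpInjection.js:93:20:93:34 | process.argv[1] | RegExpInjection.js:93:16:93:49 | `^${pro ... r.app$` |
-| tst.js:1:46:1:46 | e | tst.js:2:16:2:16 | e |
-| tst.js:1:46:1:46 | e | tst.js:2:16:2:16 | e |
-| tst.js:2:9:2:21 | data | tst.js:3:21:3:24 | data |
-| tst.js:2:16:2:16 | e | tst.js:2:16:2:21 | e.data |
-| tst.js:2:16:2:21 | e.data | tst.js:2:9:2:21 | data |
-| tst.js:3:21:3:24 | data | tst.js:3:21:3:29 | data.name |
-| tst.js:3:21:3:29 | data.name | tst.js:3:16:3:35 | "^"+ data.name + "$" |
-| tst.js:3:21:3:29 | data.name | tst.js:3:16:3:35 | "^"+ data.name + "$" |
+| tst.js:5:9:5:29 | data | tst.js:6:21:6:24 | data |
+| tst.js:5:16:5:29 | req.query.data | tst.js:5:9:5:29 | data |
+| tst.js:5:16:5:29 | req.query.data | tst.js:5:9:5:29 | data |
+| tst.js:6:21:6:24 | data | tst.js:6:21:6:29 | data.name |
+| tst.js:6:21:6:29 | data.name | tst.js:6:16:6:35 | "^"+ data.name + "$" |
+| tst.js:6:21:6:29 | data.name | tst.js:6:16:6:35 | "^"+ data.name + "$" |
 #select
 | RegExpInjection.js:8:23:8:45 | "\\\\b" + ... (.*)\\n" | RegExpInjection.js:5:13:5:28 | req.param("key") | RegExpInjection.js:8:23:8:45 | "\\\\b" + ... (.*)\\n" | This regular expression is constructed from a $@. | RegExpInjection.js:5:13:5:28 | req.param("key") | user-provided value |
 | RegExpInjection.js:19:14:19:22 | wrap(key) | RegExpInjection.js:5:13:5:28 | req.param("key") | RegExpInjection.js:19:14:19:22 | wrap(key) | This regular expression is constructed from a $@. | RegExpInjection.js:5:13:5:28 | req.param("key") | user-provided value |
@@ -161,4 +157,4 @@ edges
 | RegExpInjection.js:87:14:87:55 | "^.*\\.( ... + ")$" | RegExpInjection.js:82:15:82:32 | req.param("input") | RegExpInjection.js:87:14:87:55 | "^.*\\.( ... + ")$" | This regular expression is constructed from a $@. | RegExpInjection.js:82:15:82:32 | req.param("input") | user-provided value |
 | RegExpInjection.js:91:16:91:50 | `^${pro ... r.app$` | RegExpInjection.js:91:20:91:30 | process.env | RegExpInjection.js:91:16:91:50 | `^${pro ... r.app$` | This regular expression is constructed from a $@. | RegExpInjection.js:91:20:91:30 | process.env | environment variable |
 | RegExpInjection.js:93:16:93:49 | `^${pro ... r.app$` | RegExpInjection.js:93:20:93:31 | process.argv | RegExpInjection.js:93:16:93:49 | `^${pro ... r.app$` | This regular expression is constructed from a $@. | RegExpInjection.js:93:20:93:31 | process.argv | command-line argument |
-| tst.js:3:16:3:35 | "^"+ data.name + "$" | tst.js:1:46:1:46 | e | tst.js:3:16:3:35 | "^"+ data.name + "$" | This regular expression is constructed from a $@. | tst.js:1:46:1:46 | e | user-provided value |
+| tst.js:6:16:6:35 | "^"+ data.name + "$" | tst.js:5:16:5:29 | req.query.data | tst.js:6:16:6:35 | "^"+ data.name + "$" | This regular expression is constructed from a $@. | tst.js:5:16:5:29 | req.query.data | user-provided value |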
Lines changed: 5 additions & 10 deletions
@@ -1,12 +1,7 @@
1-
window.addEventListener("message", function (e) {
2-
let data = e.data;
3-
new RegExp("^"+ data.name + "$", "i"); // NOT OK
4-
});
1+
const express = require('express');
2+
const app = express();
53

6-
const SOMEONE_I_TRUST = "myself";
7-
window.addEventListener("message", function (e) {
8-
if (e.origin === SOMEONE_I_TRUST) {
9-
let data = e.data;
10-
new RegExp("^"+ data.name + "$", "i"); // OK
11-
}
4+
app.get('/foo', (req, res) => {
5+
let data = req.query.data;
6+
new RegExp("^"+ data.name + "$", "i"); // NOT OK
127
});
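Review bot: The rewritten test keeps only the flagged flow: the removed `if (e.origin === SOMEONE_I_TRUST)` block was the file's only `// OK` case, and the new `app.get('/foo', ...)` handler has no counterpart, so this file no longer pins any flow that must stay unflagged. If RegExpInjection.js (not shown on this page) does not already cover a sanitized flow, adding one to the same handler would restore the negative case, e.g. `new RegExp("^" + _.escapeRegExp(data.name) + "$", "i"); // OK` with lodash required at the top, assuming the query treats that escape as a sanitizer. It would also help to extend the marker to `// NOT OK - req.query.data is a remote (server-side) source`, so the file records why this source replaced the postMessage one.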
