update consistency comments for CWE-601

erik-krogh · erik-krogh · commit 1f1c09af020e · 2020-07-08T10:02:29.000+02:00
diff --git a/javascript/ql/test/query-tests/Security/CWE-601/ServerSideUrlRedirect/ServerSideUrlRedirect.expected b/javascript/ql/test/query-tests/Security/CWE-601/ServerSideUrlRedirect/ServerSideUrlRedirect.expected
@@ -56,32 +56,32 @@ nodes
 | koa.js:14:16:14:18 | url |
 | koa.js:20:16:20:18 | url |
 | koa.js:20:16:20:18 | url |
-| node.js:6:7:6:52 | target |
-| node.js:6:16:6:39 | url.par ... , true) |
-| node.js:6:16:6:45 | url.par ... ).query |
-| node.js:6:16:6:52 | url.par ... .target |
-| node.js:6:26:6:32 | req.url |
-| node.js:6:26:6:32 | req.url |
-| node.js:7:34:7:39 | target |
-| node.js:7:34:7:39 | target |
-| node.js:11:7:11:52 | target |
-| node.js:11:16:11:39 | url.par ... , true) |
-| node.js:11:16:11:45 | url.par ... ).query |
-| node.js:11:16:11:52 | url.par ... .target |
-| node.js:11:26:11:32 | req.url |
-| node.js:11:26:11:32 | req.url |
-| node.js:15:34:15:45 | '/' + target |
-| node.js:15:34:15:45 | '/' + target |
-| node.js:15:40:15:45 | target |
-| node.js:29:7:29:52 | target |
-| node.js:29:16:29:39 | url.par ... , true) |
-| node.js:29:16:29:45 | url.par ... ).query |
-| node.js:29:16:29:52 | url.par ... .target |
-| node.js:29:26:29:32 | req.url |
-| node.js:29:26:29:32 | req.url |
-| node.js:32:34:32:39 | target |
-| node.js:32:34:32:55 | target  ... =" + me |
-| node.js:32:34:32:55 | target  ... =" + me |
+| node.js:5:7:5:52 | target |
+| node.js:5:16:5:39 | url.par ... , true) |
+| node.js:5:16:5:45 | url.par ... ).query |
+| node.js:5:16:5:52 | url.par ... .target |
+| node.js:5:26:5:32 | req.url |
+| node.js:5:26:5:32 | req.url |
+| node.js:6:34:6:39 | target |
+| node.js:6:34:6:39 | target |
+| node.js:10:7:10:52 | target |
+| node.js:10:16:10:39 | url.par ... , true) |
+| node.js:10:16:10:45 | url.par ... ).query |
+| node.js:10:16:10:52 | url.par ... .target |
+| node.js:10:26:10:32 | req.url |
+| node.js:10:26:10:32 | req.url |
+| node.js:14:34:14:45 | '/' + target |
+| node.js:14:34:14:45 | '/' + target |
+| node.js:14:40:14:45 | target |
+| node.js:28:7:28:52 | target |
+| node.js:28:16:28:39 | url.par ... , true) |
+| node.js:28:16:28:45 | url.par ... ).query |
+| node.js:28:16:28:52 | url.par ... .target |
+| node.js:28:26:28:32 | req.url |
+| node.js:28:26:28:32 | req.url |
+| node.js:31:34:31:39 | target |
+| node.js:31:34:31:55 | target  ... =" + me |
+| node.js:31:34:31:55 | target  ... =" + me |
 | react-native.js:7:7:7:33 | tainted |
 | react-native.js:7:17:7:33 | req.param("code") |
 | react-native.js:7:17:7:33 | req.param("code") |
@@ -139,29 +139,29 @@ edges
 | koa.js:6:12:6:27 | ctx.query.target | koa.js:6:6:6:27 | url |
 | koa.js:8:18:8:20 | url | koa.js:8:15:8:26 | `${url}${x}` |
 | koa.js:8:18:8:20 | url | koa.js:8:15:8:26 | `${url}${x}` |
-| node.js:6:7:6:52 | target | node.js:7:34:7:39 | target |
-| node.js:6:7:6:52 | target | node.js:7:34:7:39 | target |
-| node.js:6:16:6:39 | url.par ... , true) | node.js:6:16:6:45 | url.par ... ).query |
-| node.js:6:16:6:45 | url.par ... ).query | node.js:6:16:6:52 | url.par ... .target |
-| node.js:6:16:6:52 | url.par ... .target | node.js:6:7:6:52 | target |
-| node.js:6:26:6:32 | req.url | node.js:6:16:6:39 | url.par ... , true) |
-| node.js:6:26:6:32 | req.url | node.js:6:16:6:39 | url.par ... , true) |
-| node.js:11:7:11:52 | target | node.js:15:40:15:45 | target |
-| node.js:11:16:11:39 | url.par ... , true) | node.js:11:16:11:45 | url.par ... ).query |
-| node.js:11:16:11:45 | url.par ... ).query | node.js:11:16:11:52 | url.par ... .target |
-| node.js:11:16:11:52 | url.par ... .target | node.js:11:7:11:52 | target |
-| node.js:11:26:11:32 | req.url | node.js:11:16:11:39 | url.par ... , true) |
-| node.js:11:26:11:32 | req.url | node.js:11:16:11:39 | url.par ... , true) |
-| node.js:15:40:15:45 | target | node.js:15:34:15:45 | '/' + target |
-| node.js:15:40:15:45 | target | node.js:15:34:15:45 | '/' + target |
-| node.js:29:7:29:52 | target | node.js:32:34:32:39 | target |
-| node.js:29:16:29:39 | url.par ... , true) | node.js:29:16:29:45 | url.par ... ).query |
-| node.js:29:16:29:45 | url.par ... ).query | node.js:29:16:29:52 | url.par ... .target |
-| node.js:29:16:29:52 | url.par ... .target | node.js:29:7:29:52 | target |
-| node.js:29:26:29:32 | req.url | node.js:29:16:29:39 | url.par ... , true) |
-| node.js:29:26:29:32 | req.url | node.js:29:16:29:39 | url.par ... , true) |
-| node.js:32:34:32:39 | target | node.js:32:34:32:55 | target  ... =" + me |
-| node.js:32:34:32:39 | target | node.js:32:34:32:55 | target  ... =" + me |
+| node.js:5:7:5:52 | target | node.js:6:34:6:39 | target |
+| node.js:5:7:5:52 | target | node.js:6:34:6:39 | target |
+| node.js:5:16:5:39 | url.par ... , true) | node.js:5:16:5:45 | url.par ... ).query |
+| node.js:5:16:5:45 | url.par ... ).query | node.js:5:16:5:52 | url.par ... .target |
+| node.js:5:16:5:52 | url.par ... .target | node.js:5:7:5:52 | target |
+| node.js:5:26:5:32 | req.url | node.js:5:16:5:39 | url.par ... , true) |
+| node.js:5:26:5:32 | req.url | node.js:5:16:5:39 | url.par ... , true) |
+| node.js:10:7:10:52 | target | node.js:14:40:14:45 | target |
+| node.js:10:16:10:39 | url.par ... , true) | node.js:10:16:10:45 | url.par ... ).query |
+| node.js:10:16:10:45 | url.par ... ).query | node.js:10:16:10:52 | url.par ... .target |
+| node.js:10:16:10:52 | url.par ... .target | node.js:10:7:10:52 | target |
+| node.js:10:26:10:32 | req.url | node.js:10:16:10:39 | url.par ... , true) |
+| node.js:10:26:10:32 | req.url | node.js:10:16:10:39 | url.par ... , true) |
+| node.js:14:40:14:45 | target | node.js:14:34:14:45 | '/' + target |
+| node.js:14:40:14:45 | target | node.js:14:34:14:45 | '/' + target |
+| node.js:28:7:28:52 | target | node.js:31:34:31:39 | target |
+| node.js:28:16:28:39 | url.par ... , true) | node.js:28:16:28:45 | url.par ... ).query |
+| node.js:28:16:28:45 | url.par ... ).query | node.js:28:16:28:52 | url.par ... .target |
+| node.js:28:16:28:52 | url.par ... .target | node.js:28:7:28:52 | target |
+| node.js:28:26:28:32 | req.url | node.js:28:16:28:39 | url.par ... , true) |
+| node.js:28:26:28:32 | req.url | node.js:28:16:28:39 | url.par ... , true) |
+| node.js:31:34:31:39 | target | node.js:31:34:31:55 | target  ... =" + me |
+| node.js:31:34:31:39 | target | node.js:31:34:31:55 | target  ... =" + me |
 | react-native.js:7:7:7:33 | tainted | react-native.js:8:17:8:23 | tainted |
 | react-native.js:7:7:7:33 | tainted | react-native.js:8:17:8:23 | tainted |
 | react-native.js:7:7:7:33 | tainted | react-native.js:9:26:9:32 | tainted |
@@ -185,8 +185,8 @@ edges
 | koa.js:8:15:8:26 | `${url}${x}` | koa.js:6:12:6:27 | ctx.query.target | koa.js:8:15:8:26 | `${url}${x}` | Untrusted URL redirection due to $@. | koa.js:6:12:6:27 | ctx.query.target | user-provided value |
 | koa.js:14:16:14:18 | url | koa.js:6:12:6:27 | ctx.query.target | koa.js:14:16:14:18 | url | Untrusted URL redirection due to $@. | koa.js:6:12:6:27 | ctx.query.target | user-provided value |
 | koa.js:20:16:20:18 | url | koa.js:6:12:6:27 | ctx.query.target | koa.js:20:16:20:18 | url | Untrusted URL redirection due to $@. | koa.js:6:12:6:27 | ctx.query.target | user-provided value |
-| node.js:7:34:7:39 | target | node.js:6:26:6:32 | req.url | node.js:7:34:7:39 | target | Untrusted URL redirection due to $@. | node.js:6:26:6:32 | req.url | user-provided value |
-| node.js:15:34:15:45 | '/' + target | node.js:11:26:11:32 | req.url | node.js:15:34:15:45 | '/' + target | Untrusted URL redirection due to $@. | node.js:11:26:11:32 | req.url | user-provided value |
-| node.js:32:34:32:55 | target  ... =" + me | node.js:29:26:29:32 | req.url | node.js:32:34:32:55 | target  ... =" + me | Untrusted URL redirection due to $@. | node.js:29:26:29:32 | req.url | user-provided value |
+| node.js:6:34:6:39 | target | node.js:5:26:5:32 | req.url | node.js:6:34:6:39 | target | Untrusted URL redirection due to $@. | node.js:5:26:5:32 | req.url | user-provided value |
+| node.js:14:34:14:45 | '/' + target | node.js:10:26:10:32 | req.url | node.js:14:34:14:45 | '/' + target | Untrusted URL redirection due to $@. | node.js:10:26:10:32 | req.url | user-provided value |
+| node.js:31:34:31:55 | target  ... =" + me | node.js:28:26:28:32 | req.url | node.js:31:34:31:55 | target  ... =" + me | Untrusted URL redirection due to $@. | node.js:28:26:28:32 | req.url | user-provided value |
 | react-native.js:8:17:8:23 | tainted | react-native.js:7:17:7:33 | req.param("code") | react-native.js:8:17:8:23 | tainted | Untrusted URL redirection due to $@. | react-native.js:7:17:7:33 | req.param("code") | user-provided value |
 | react-native.js:9:26:9:32 | tainted | react-native.js:7:17:7:33 | req.param("code") | react-native.js:9:26:9:32 | tainted | Untrusted URL redirection due to $@. | react-native.js:7:17:7:33 | req.param("code") | user-provided value |
diff --git a/javascript/ql/test/query-tests/Security/CWE-601/ServerSideUrlRedirect/express.js b/javascript/ql/test/query-tests/Security/CWE-601/ServerSideUrlRedirect/express.js
@@ -135,6 +135,6 @@ app.get('/redirect/:user', function(req, res) {
   res.redirect('//' + req.params.user); // BAD - could go to //evil.com
   res.redirect('u' + req.params.user); // BAD - could go to u.evil.com
 
-  res.redirect('/' + ('/u' + req.params.user)); // BAD - could go to //u.evil.com, but not flagged
+  res.redirect('/' + ('/u' + req.params.user)); // BAD - could go to //u.evil.com, but not flagged [INCONSISTENCY]
   res.redirect('/u' + req.params.user); // GOOD
 });
diff --git a/javascript/ql/test/query-tests/Security/CWE-601/ServerSideUrlRedirect/node.js b/javascript/ql/test/query-tests/Security/CWE-601/ServerSideUrlRedirect/node.js
@@ -2,9 +2,8 @@ var https = require('https');
 var url = require('url');
 
 var server = https.createServer(function(req, res) {
-  // BAD: a request parameter is incorporated without validation into a URL redirect
   let target = url.parse(req.url, true).query.target;
-  res.writeHead(302, { Location: target });
+  res.writeHead(302, { Location: target }); // BAD: a request parameter is incorporated without validation into a URL redirect
 })
 
 server.on('request', (req, res) => {
