add change note and new test for js/incomplete-url-scheme-check

erik-krogh · erik-krogh · commit 38db731e0b74 · 2020-05-05T13:38:27.000+02:00
diff --git a/change-notes/1.25/analysis-javascript.md b/change-notes/1.25/analysis-javascript.md
@@ -22,6 +22,7 @@
 | Uncontrolled command line (`js/command-line-injection`) | More results | This query now recognizes additional command execution calls. |
 | Client-side URL redirect (`js/client-side-unvalidated-url-redirection`) | Less results | This query now recognizes additional safe patterns of doing URL redirects. |
 | Client-side cross-site scripting (`js/xss`) | Less results | This query now recognizes more safe strings based on URLs. |
+| Incomplete URL scheme check (`js/incomplete-url-scheme-check`) | More results | This query now recognizes more url scheme checks. |
 
 ## Changes to libraries
 
diff --git a/javascript/ql/test/query-tests/Security/CWE-020/IncompleteUrlSchemeCheck.expected b/javascript/ql/test/query-tests/Security/CWE-020/IncompleteUrlSchemeCheck.expected
@@ -3,3 +3,4 @@
 | IncompleteUrlSchemeCheck.js:23:9:23:43 | badProt ... scheme) | This check does not consider vbscript:. |
 | IncompleteUrlSchemeCheck.js:30:9:30:43 | badProt ... scheme) | This check does not consider vbscript:. |
 | IncompleteUrlSchemeCheck.js:37:9:37:31 | scheme  ... script" | This check does not consider data: and vbscript:. |
+| IncompleteUrlSchemeCheck.js:51:9:51:31 | scheme  ... script" | This check does not consider data: and vbscript:. |
diff --git a/javascript/ql/test/query-tests/Security/CWE-020/IncompleteUrlSchemeCheck.js b/javascript/ql/test/query-tests/Security/CWE-020/IncompleteUrlSchemeCheck.js
@@ -45,3 +45,10 @@ function test6(url) {
         return "about:blank";
     return url;
 }
+
+function test7(url) {
+    let scheme = url.split(/:/)[0];
+    if (scheme === "javascript") // NOT OK
+        return "about:blank";
+    return url;
+}
