
Commit 00b6e1f

committed
fix tests
1 parent 41e7b91 commit 00b6e1f


2 files changed

+56
-22
lines changed

Lines changed: 48 additions & 10 deletions
@@ -1,14 +1,52 @@
11
WARNING: Unused class Sink (/home/am/CodeQL-home/codeql-repo-amammad/javascript/ql/src/experimental/Security/CWE-094-dataURL/CodeInjection.ql:23,16-20)
22
nodes
3-
| test.js:18:11:18:44 | payload |
4-
| test.js:18:21:18:44 | req.que ... rameter |
5-
| test.js:18:21:18:44 | req.que ... rameter |
6-
| test.js:20:18:20:24 | payload |
7-
| test.js:20:18:20:24 | payload |
3+
| test.js:5:11:5:44 | payload |
4+
| test.js:5:21:5:44 | req.que ... rameter |
5+
| test.js:5:21:5:44 | req.que ... rameter |
6+
| test.js:6:9:6:43 | payloadURL |
7+
| test.js:6:22:6:43 | new URL ... + sth) |
8+
| test.js:6:30:6:36 | payload |
9+
| test.js:6:30:6:42 | payload + sth |
10+
| test.js:7:16:7:25 | payloadURL |
11+
| test.js:7:16:7:25 | payloadURL |
12+
| test.js:9:5:9:39 | payloadURL |
13+
| test.js:9:18:9:39 | new URL ... + sth) |
14+
| test.js:9:26:9:32 | payload |
15+
| test.js:9:26:9:38 | payload + sth |
16+
| test.js:10:16:10:25 | payloadURL |
17+
| test.js:10:16:10:25 | payloadURL |
18+
| test.js:17:11:17:44 | payload |
19+
| test.js:17:21:17:44 | req.que ... rameter |
20+
| test.js:17:21:17:44 | req.que ... rameter |
21+
| test.js:18:18:18:24 | payload |
22+
| test.js:18:18:18:24 | payload |
23+
| test.js:19:18:19:24 | payload |
24+
| test.js:19:18:19:30 | payload + sth |
25+
| test.js:19:18:19:30 | payload + sth |
826
edges
9-
| test.js:18:11:18:44 | payload | test.js:20:18:20:24 | payload |
10-
| test.js:18:11:18:44 | payload | test.js:20:18:20:24 | payload |
11-
| test.js:18:21:18:44 | req.que ... rameter | test.js:18:11:18:44 | payload |
12-
| test.js:18:21:18:44 | req.que ... rameter | test.js:18:11:18:44 | payload |
27+
| test.js:5:11:5:44 | payload | test.js:6:30:6:36 | payload |
28+
| test.js:5:11:5:44 | payload | test.js:9:26:9:32 | payload |
29+
| test.js:5:21:5:44 | req.que ... rameter | test.js:5:11:5:44 | payload |
30+
| test.js:5:21:5:44 | req.que ... rameter | test.js:5:11:5:44 | payload |
31+
| test.js:6:9:6:43 | payloadURL | test.js:7:16:7:25 | payloadURL |
32+
| test.js:6:9:6:43 | payloadURL | test.js:7:16:7:25 | payloadURL |
33+
| test.js:6:22:6:43 | new URL ... + sth) | test.js:6:9:6:43 | payloadURL |
34+
| test.js:6:30:6:36 | payload | test.js:6:30:6:42 | payload + sth |
35+
| test.js:6:30:6:42 | payload + sth | test.js:6:22:6:43 | new URL ... + sth) |
36+
| test.js:9:5:9:39 | payloadURL | test.js:10:16:10:25 | payloadURL |
37+
| test.js:9:5:9:39 | payloadURL | test.js:10:16:10:25 | payloadURL |
38+
| test.js:9:18:9:39 | new URL ... + sth) | test.js:9:5:9:39 | payloadURL |
39+
| test.js:9:26:9:32 | payload | test.js:9:26:9:38 | payload + sth |
40+
| test.js:9:26:9:38 | payload + sth | test.js:9:18:9:39 | new URL ... + sth) |
41+
| test.js:17:11:17:44 | payload | test.js:18:18:18:24 | payload |
42+
| test.js:17:11:17:44 | payload | test.js:18:18:18:24 | payload |
43+
| test.js:17:11:17:44 | payload | test.js:19:18:19:24 | payload |
44+
| test.js:17:21:17:44 | req.que ... rameter | test.js:17:11:17:44 | payload |
45+
| test.js:17:21:17:44 | req.que ... rameter | test.js:17:11:17:44 | payload |
46+
| test.js:19:18:19:24 | payload | test.js:19:18:19:30 | payload + sth |
47+
| test.js:19:18:19:24 | payload | test.js:19:18:19:30 | payload + sth |
1348
#select
14-
| test.js:20:18:20:24 | payload | test.js:18:21:18:44 | req.que ... rameter | test.js:20:18:20:24 | payload | payload depends on a $@. | test.js:18:21:18:44 | req.que ... rameter | user-provided value |
49+
| test.js:7:16:7:25 | payloadURL | test.js:5:21:5:44 | req.que ... rameter | test.js:7:16:7:25 | payloadURL | payloadURL depends on a $@. | test.js:5:21:5:44 | req.que ... rameter | user-provided value |
50+
| test.js:10:16:10:25 | payloadURL | test.js:5:21:5:44 | req.que ... rameter | test.js:10:16:10:25 | payloadURL | payloadURL depends on a $@. | test.js:5:21:5:44 | req.que ... rameter | user-provided value |
51+
| test.js:18:18:18:24 | payload | test.js:17:21:17:44 | req.que ... rameter | test.js:18:18:18:24 | payload | payload depends on a $@. | test.js:17:21:17:44 | req.que ... rameter | user-provided value |
52+
| test.js:19:18:19:30 | payload + sth | test.js:17:21:17:44 | req.que ... rameter | test.js:19:18:19:30 | payload + sth | payload + sth depends on a $@. | test.js:17:21:17:44 | req.que ... rameter | user-provided value |
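Review bot: The first line of this expected file bakes a CodeQL compiler warning into the test baseline, and that warning embeds an absolute path from the author's machine (`/home/am/CodeQL-home/codeql-repo-amammad/...`), so the expectation is only reproducible on that checkout; if the harness compares the line verbatim, the test will fail in CI or on any other clone. The warning also says the `Sink` class in CodeInjection.ql is unused, which points at dead code in the query rather than something to record in the baseline. I'd remove or use the unused class so the query compiles cleanly, then regenerate the `.expected` file without this line. The remaining `nodes`/`edges`/`#select` rows are regenerated query output and agree with the `// NOT OK` / `// OK` markers in test.js.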

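--- a/javascript/ql/test/experimental/Security/CWE-094-dataURL/test.js
+++ b/javascript/ql/test/experimental/Security/CWE-094-dataURL/test.js
@@ -3,24 +3,20 @@ var app = require('express')();
 
 app.post('/path', async function (req, res) {
 const payload = req.query.queryParameter // like: payload = 'data:text/javascript,console.log("hello!");//'
-let payloadURL = new URL(payload + sth)
-// NOT OK
+let payloadURL = new URL(payload + sth) // NOT OK
 new Worker(payloadURL);
-// NOT OK
-payloadURL = new URL(payload + sth)
+
+payloadURL = new URL(payload + sth) // NOT OK
 new Worker(payloadURL);
-// OK
-payloadURL = new URL(sth + payload)
+
+payloadURL = new URL(sth + payload) // OK
 new Worker(payloadURL);
 });
 
 app.post('/path2', async function (req, res) {
 const payload = req.query.queryParameter // like: payload = 'data:text/javascript,console.log("hello!");//'
-// NOT OK
-await import(payload)
-// NOT OK
-await import(payload + sth)
-// OK
-await import(sth + payload)
+await import(payload) // NOT OK
+await import(payload + sth) // NOT OK
+await import(sth + payload) // OK
 });
 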
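Review bot: The `// OK` markers on `new URL(sth + payload)` and `import(sth + payload)` read as if a tainted suffix were safe in general, but they only hold for the scheme injection this query targets: with a tainted prefix the attacker picks the scheme, and the trailing `//` in the example payload turns whatever `sth` appends into a JavaScript comment, whereas a tainted suffix cannot change the scheme. For `import(sth + payload)` a user-controlled suffix can still select an unintended module (a `../` segment under a fixed directory, for instance), a separate code-injection concern the query deliberately leaves out, so the baseline should say so rather than just `// OK`, e.g. `// OK - tainted suffix cannot change the URL scheme; attacker-chosen module paths are out of scope for this query`. `sth` is never declared in the hunk; if it is not defined above line 3, a `const sth = '...'` at the top would make the test self-contained (CodeQL does not execute it, but it avoids a ReferenceError for anyone who does). The enclosing file starts before the hunk, so that declaration may already exist there.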
