Skip to content

Commit 58af63d

Browse files
erik-krogherik-krogh
committed
add test case for XSS on url suffix
1 parent d3e1a25 commit 58af63d

File tree

3 files changed

+26
-0
lines changed

3 files changed

+26
-0
lines changed

javascript/ql/test/query-tests/Security/CWE-079/Xss.expected

Lines changed: 9 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -337,6 +337,10 @@ nodes
337337
| tst.js:330:18:330:34 | document.location |
338338
| tst.js:336:18:336:35 | params.get('name') |
339339
| tst.js:336:18:336:35 | params.get('name') |
340+
| tst.js:347:20:347:36 | document.location |
341+
| tst.js:347:20:347:36 | document.location |
342+
| tst.js:349:5:349:30 | getUrl( ... ring(1) |
343+
| tst.js:349:5:349:30 | getUrl( ... ring(1) |
340344
| typeahead.js:20:13:20:45 | target |
341345
| typeahead.js:20:22:20:38 | document.location |
342346
| typeahead.js:20:22:20:38 | document.location |
@@ -650,6 +654,10 @@ edges
650654
| tst.js:330:18:330:34 | document.location | tst.js:336:18:336:35 | params.get('name') |
651655
| tst.js:330:18:330:34 | document.location | tst.js:336:18:336:35 | params.get('name') |
652656
| tst.js:330:18:330:34 | document.location | tst.js:336:18:336:35 | params.get('name') |
657+
| tst.js:347:20:347:36 | document.location | tst.js:349:5:349:30 | getUrl( ... ring(1) |
658+
| tst.js:347:20:347:36 | document.location | tst.js:349:5:349:30 | getUrl( ... ring(1) |
659+
| tst.js:347:20:347:36 | document.location | tst.js:349:5:349:30 | getUrl( ... ring(1) |
660+
| tst.js:347:20:347:36 | document.location | tst.js:349:5:349:30 | getUrl( ... ring(1) |
653661
| typeahead.js:20:13:20:45 | target | typeahead.js:21:12:21:17 | target |
654662
| typeahead.js:20:22:20:38 | document.location | typeahead.js:20:22:20:45 | documen ... .search |
655663
| typeahead.js:20:22:20:38 | document.location | typeahead.js:20:22:20:45 | documen ... .search |
@@ -750,6 +758,7 @@ edges
750758
| tst.js:314:20:314:20 | e | tst.js:311:10:311:17 | location | tst.js:314:20:314:20 | e | Cross-site scripting vulnerability due to $@. | tst.js:311:10:311:17 | location | user-provided value |
751759
| tst.js:319:35:319:42 | location | tst.js:319:35:319:42 | location | tst.js:319:35:319:42 | location | Cross-site scripting vulnerability due to $@. | tst.js:319:35:319:42 | location | user-provided value |
752760
| tst.js:336:18:336:35 | params.get('name') | tst.js:330:18:330:34 | document.location | tst.js:336:18:336:35 | params.get('name') | Cross-site scripting vulnerability due to $@. | tst.js:330:18:330:34 | document.location | user-provided value |
761+
| tst.js:349:5:349:30 | getUrl( ... ring(1) | tst.js:347:20:347:36 | document.location | tst.js:349:5:349:30 | getUrl( ... ring(1) | Cross-site scripting vulnerability due to $@. | tst.js:347:20:347:36 | document.location | user-provided value |
753762
| typeahead.js:25:18:25:20 | val | typeahead.js:20:22:20:38 | document.location | typeahead.js:25:18:25:20 | val | Cross-site scripting vulnerability due to $@. | typeahead.js:20:22:20:38 | document.location | user-provided value |
754763
| v-html.vue:2:8:2:23 | v-html=tainted | v-html.vue:6:42:6:58 | document.location | v-html.vue:2:8:2:23 | v-html=tainted | Cross-site scripting vulnerability due to $@. | v-html.vue:6:42:6:58 | document.location | user-provided value |
755764
| winjs.js:3:43:3:49 | tainted | winjs.js:2:17:2:33 | document.location | winjs.js:3:43:3:49 | tainted | Cross-site scripting vulnerability due to $@. | winjs.js:2:17:2:33 | document.location | user-provided value |

javascript/ql/test/query-tests/Security/CWE-079/XssWithAdditionalSources.expected

Lines changed: 8 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -337,6 +337,10 @@ nodes
337337
| tst.js:330:18:330:34 | document.location |
338338
| tst.js:336:18:336:35 | params.get('name') |
339339
| tst.js:336:18:336:35 | params.get('name') |
340+
| tst.js:347:20:347:36 | document.location |
341+
| tst.js:347:20:347:36 | document.location |
342+
| tst.js:349:5:349:30 | getUrl( ... ring(1) |
343+
| tst.js:349:5:349:30 | getUrl( ... ring(1) |
340344
| typeahead.js:9:28:9:30 | loc |
341345
| typeahead.js:9:28:9:30 | loc |
342346
| typeahead.js:10:16:10:18 | loc |
@@ -654,6 +658,10 @@ edges
654658
| tst.js:330:18:330:34 | document.location | tst.js:336:18:336:35 | params.get('name') |
655659
| tst.js:330:18:330:34 | document.location | tst.js:336:18:336:35 | params.get('name') |
656660
| tst.js:330:18:330:34 | document.location | tst.js:336:18:336:35 | params.get('name') |
661+
| tst.js:347:20:347:36 | document.location | tst.js:349:5:349:30 | getUrl( ... ring(1) |
662+
| tst.js:347:20:347:36 | document.location | tst.js:349:5:349:30 | getUrl( ... ring(1) |
663+
| tst.js:347:20:347:36 | document.location | tst.js:349:5:349:30 | getUrl( ... ring(1) |
664+
| tst.js:347:20:347:36 | document.location | tst.js:349:5:349:30 | getUrl( ... ring(1) |
657665
| typeahead.js:9:28:9:30 | loc | typeahead.js:10:16:10:18 | loc |
658666
| typeahead.js:9:28:9:30 | loc | typeahead.js:10:16:10:18 | loc |
659667
| typeahead.js:9:28:9:30 | loc | typeahead.js:10:16:10:18 | loc |

javascript/ql/test/query-tests/Security/CWE-079/tst.js

Lines changed: 9 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -339,4 +339,13 @@ function URLPseudoProperties() {
339339
let myUrl = getTaintedUrl();
340340
$('name').html(myUrl.get('name'));
341341

342+
}
343+
344+
345+
function hash() {
346+
function getUrl() {
347+
return new URL(document.location);
348+
}
349+
$(getUrl().hash.substring(1)); // NOT OK
350+
342351
}

0 commit comments

Comments
 (0)