
Commit 3fbc3a4

committed
JS: Add ClientSideRequestForgery to RequestForgery test
1 parent 260638c commit 3fbc3a4


3 files changed

+68
-0
lines changed

Lines changed: 52 additions & 0 deletions
@@ -0,0 +1,52 @@
1+
nodes
2+
| clientSideParam.js:11:11:11:53 | query |
3+
| clientSideParam.js:11:19:11:40 | window. ... .search |
4+
| clientSideParam.js:11:19:11:40 | window. ... .search |
5+
| clientSideParam.js:11:19:11:53 | window. ... ring(1) |
6+
| clientSideParam.js:12:13:12:54 | 'https: ... + '/id' |
7+
| clientSideParam.js:12:13:12:54 | 'https: ... + '/id' |
8+
| clientSideParam.js:12:42:12:46 | query |
9+
| clientSideParam.js:14:13:14:63 | 'https: ... .search |
10+
| clientSideParam.js:14:13:14:63 | 'https: ... .search |
11+
| clientSideParam.js:14:42:14:63 | window. ... .search |
12+
| clientSideParam.js:14:42:14:63 | window. ... .search |
13+
| clientSideParam.js:16:11:16:54 | fragment |
14+
| clientSideParam.js:16:22:16:41 | window.location.hash |
15+
| clientSideParam.js:16:22:16:41 | window.location.hash |
16+
| clientSideParam.js:16:22:16:54 | window. ... ring(1) |
17+
| clientSideParam.js:17:13:17:57 | 'https: ... + '/id' |
18+
| clientSideParam.js:17:13:17:57 | 'https: ... + '/id' |
19+
| clientSideParam.js:17:42:17:49 | fragment |
20+
| clientSideParam.js:20:11:20:28 | name |
21+
| clientSideParam.js:20:18:20:28 | window.name |
22+
| clientSideParam.js:20:18:20:28 | window.name |
23+
| clientSideParam.js:21:13:21:53 | 'https: ... + '/id' |
24+
| clientSideParam.js:21:13:21:53 | 'https: ... + '/id' |
25+
| clientSideParam.js:21:42:21:45 | name |
26+
edges
27+
| clientSideParam.js:11:11:11:53 | query | clientSideParam.js:12:42:12:46 | query |
28+
| clientSideParam.js:11:19:11:40 | window. ... .search | clientSideParam.js:11:19:11:53 | window. ... ring(1) |
29+
| clientSideParam.js:11:19:11:40 | window. ... .search | clientSideParam.js:11:19:11:53 | window. ... ring(1) |
30+
| clientSideParam.js:11:19:11:53 | window. ... ring(1) | clientSideParam.js:11:11:11:53 | query |
31+
| clientSideParam.js:12:42:12:46 | query | clientSideParam.js:12:13:12:54 | 'https: ... + '/id' |
32+
| clientSideParam.js:12:42:12:46 | query | clientSideParam.js:12:13:12:54 | 'https: ... + '/id' |
33+
| clientSideParam.js:14:42:14:63 | window. ... .search | clientSideParam.js:14:13:14:63 | 'https: ... .search |
34+
| clientSideParam.js:14:42:14:63 | window. ... .search | clientSideParam.js:14:13:14:63 | 'https: ... .search |
35+
| clientSideParam.js:14:42:14:63 | window. ... .search | clientSideParam.js:14:13:14:63 | 'https: ... .search |
36+
| clientSideParam.js:14:42:14:63 | window. ... .search | clientSideParam.js:14:13:14:63 | 'https: ... .search |
37+
| clientSideParam.js:16:11:16:54 | fragment | clientSideParam.js:17:42:17:49 | fragment |
38+
| clientSideParam.js:16:22:16:41 | window.location.hash | clientSideParam.js:16:22:16:54 | window. ... ring(1) |
39+
| clientSideParam.js:16:22:16:41 | window.location.hash | clientSideParam.js:16:22:16:54 | window. ... ring(1) |
40+
| clientSideParam.js:16:22:16:54 | window. ... ring(1) | clientSideParam.js:16:11:16:54 | fragment |
41+
| clientSideParam.js:17:42:17:49 | fragment | clientSideParam.js:17:13:17:57 | 'https: ... + '/id' |
42+
| clientSideParam.js:17:42:17:49 | fragment | clientSideParam.js:17:13:17:57 | 'https: ... + '/id' |
43+
| clientSideParam.js:20:11:20:28 | name | clientSideParam.js:21:42:21:45 | name |
44+
| clientSideParam.js:20:18:20:28 | window.name | clientSideParam.js:20:11:20:28 | name |
45+
| clientSideParam.js:20:18:20:28 | window.name | clientSideParam.js:20:11:20:28 | name |
46+
| clientSideParam.js:21:42:21:45 | name | clientSideParam.js:21:13:21:53 | 'https: ... + '/id' |
47+
| clientSideParam.js:21:42:21:45 | name | clientSideParam.js:21:13:21:53 | 'https: ... + '/id' |
48+
#select
49+
| clientSideParam.js:12:5:12:55 | request ... '/id') | clientSideParam.js:11:19:11:40 | window. ... .search | clientSideParam.js:12:13:12:54 | 'https: ... + '/id' | The $@ of this request depends on $@. | clientSideParam.js:12:13:12:54 | 'https: ... + '/id' | URL | clientSideParam.js:11:19:11:40 | window. ... .search | a user-provided value |
50+
| clientSideParam.js:14:5:14:64 | request ... search) | clientSideParam.js:14:42:14:63 | window. ... .search | clientSideParam.js:14:13:14:63 | 'https: ... .search | The $@ of this request depends on $@. | clientSideParam.js:14:13:14:63 | 'https: ... .search | URL | clientSideParam.js:14:42:14:63 | window. ... .search | a user-provided value |
51+
| clientSideParam.js:17:5:17:58 | request ... '/id') | clientSideParam.js:16:22:16:41 | window.location.hash | clientSideParam.js:17:13:17:57 | 'https: ... + '/id' | The $@ of this request depends on $@. | clientSideParam.js:17:13:17:57 | 'https: ... + '/id' | URL | clientSideParam.js:16:22:16:41 | window.location.hash | a user-provided value |
52+
| clientSideParam.js:21:5:21:54 | request ... '/id') | clientSideParam.js:20:18:20:28 | window.name | clientSideParam.js:21:13:21:53 | 'https: ... + '/id' | The $@ of this request depends on $@. | clientSideParam.js:21:13:21:53 | 'https: ... + '/id' | URL | clientSideParam.js:20:18:20:28 | window.name | a user-provided value |
Lines changed: 1 addition & 0 deletions
@@ -0,0 +1 @@
1+
Security/CWE-918/ClientSideRequestForgery.ql

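--- a/javascript/ql/test/query-tests/Security/CWE-918/clientSideParam.js
+++ b/javascript/ql/test/query-tests/Security/CWE-918/clientSideParam.js
@@ -7,4 +7,19 @@ export function MyComponent() {
 
 request('https://example.com/api/' + params.foo + '/id'); // OK - cannot manipulate path using `../`
 request(params.foo); // Possibly problematic, but not currently flagged.
+
+const query = window.location.search.substring(1);
+request('https://example.com/api/' + query + '/id'); // NOT OK
+request('https://example.com/api?q=' + query); // OK
+request('https://example.com/api/' + window.location.search); // likely OK - but currently flagged anyway
+
+const fragment = window.location.hash.substring(1);
+request('https://example.com/api/' + fragment + '/id'); // NOT OK
+request('https://example.com/api?q=' + fragment); // OK
+
+const name = window.name;
+request('https://example.com/api/' + name + '/id'); // NOT OK
+request('https://example.com/api?q=' + name); // OK
+
+request(window.location.href + '?q=123'); // OK
 }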
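Review bot: The new `// NOT OK` annotations on lines 12, 17 and 21 give no reason, whereas the existing line 8 explains its verdict (`// OK - cannot manipulate path using ../`); mirroring that wording, e.g. `// NOT OK - substring(1) strips the leading '?' so the value is spliced into the path`, would make the fixture self-explanatory for whoever next touches the expected output. Line 14 is annotated `likely OK - but currently flagged anyway`, and the `.expected` file in this commit does flag it (the `#select` row for 14:5:14:64), so the comment is accurate, but it leaves unstated why the result is considered a false positive — presumably that the leading `?` of `location.search` keeps the tainted data in the query string rather than the path; saying so in the comment would tie the known false positive to a concrete reason. Line 24 marks `window.location.href + '?q=123'` as OK without saying how it differs from line 14, and a one-line rationale there would help too. The enclosing `MyComponent` function starts before this hunk.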
