CWE 830 test where both branches in a ternary are unsafe

Author: Stephan Brandauer

javascript/ql/src/Security/CWE-830/FunctionalityFromUntrustedSource.ql

@@ -69,16 +69,17 @@ module StaticCreation {
     }
 
     override string getProblem() {
-      result =
-        "Script loaded from content delivery network with no integrity check."
+      result = "Script loaded from content delivery network with no integrity check."
     }
   }
 
   /** An iframe element that includes untrusted content. */
   class IframeElementWithUntrustedContent extends AddsUntrustedUrl instanceof HTML::IframeElement {
     IframeElementWithUntrustedContent() { isUntrustedSourceUrl(super.getSourcePath()) }
 
-    override string getProblem() { result = "HTML iframe element loaded using unencrypted connection." }
+    override string getProblem() {
+      result = "HTML iframe element loaded using unencrypted connection."
+    }
   }
 }
 

javascript/ql/test/query-tests/Security/CWE-830/DynamicCreationOfUntrustedSourceUse.html

@@ -13,6 +13,11 @@
               scrpt2.src = 'http://www.cdn.local/ga.js';
               scrpt2.integrity = 'sha256-h0UuK3mE9taiYlB5u9vT9A0s/XDgkfVd+F4VhN/sky=';
 
+              // NOT OK (http + ternary)
+              var scrpt3 = document.createElement('script');
+              scrpt3.type = 'text/javascript';
+              scrpt3.src = ('https:' == document.location.protocol ? 'http://unsafe' : 'http://also-unsafe') + '.cdn.local/ga.js';
+
               // NOT OK (http URL)
               var ifrm = document.createElement('iframe');
               ifrm.src = 'http://www.example.com/';
@@ -27,6 +32,7 @@
               }
               var ifrm3 = document.createElement('iframe');
               ifrm3.src = getUrl('v123');
+
             })();
           </script>
     </head>

javascript/ql/test/query-tests/Security/CWE-830/FunctionalityFromUntrustedSource.expected

@@ -1,5 +1,6 @@
-| DynamicCreationOfUntrustedSourceUse.html:18:26:18:50 | 'http:/ ... e.com/' | HTML iframe element loaded using unencrypted connection. |
-| DynamicCreationOfUntrustedSourceUse.html:29:27:29:40 | getUrl('v123') | HTML iframe element loaded using unencrypted connection. |
+| DynamicCreationOfUntrustedSourceUse.html:19:28:19:129 | ('https ... /ga.js' | HTML script element loaded using unencrypted connection. |
+| DynamicCreationOfUntrustedSourceUse.html:23:26:23:50 | 'http:/ ... e.com/' | HTML iframe element loaded using unencrypted connection. |
+| DynamicCreationOfUntrustedSourceUse.html:34:27:34:40 | getUrl('v123') | HTML iframe element loaded using unencrypted connection. |
 | StaticCreationOfUntrustedSourceUse.html:6:9:6:56 | <script>...</> | HTML script element loaded using unencrypted connection. |
 | StaticCreationOfUntrustedSourceUse.html:9:9:9:58 | <iframe>...</> | HTML iframe element loaded using unencrypted connection. |
 | StaticCreationOfUntrustedSourceUse.html:21:9:21:155 | <script>...</> | Script loaded from content delivery network with no integrity check. |