Skip to content

Commit e829387

Browse files
committed
add failing test for call the Function with a spread argument
1 parent 144a045 commit e829387

File tree

3 files changed

+53
-0
lines changed

3 files changed

+53
-0
lines changed

javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/CodeInjection.expected

Lines changed: 22 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -157,6 +157,16 @@ nodes
157157
| tst.js:26:26:26:40 | location.search |
158158
| tst.js:26:26:26:53 | locatio ... ring(1) |
159159
| tst.js:26:26:26:53 | locatio ... ring(1) |
160+
| tst.js:29:9:29:82 | source |
161+
| tst.js:29:18:29:41 | documen ... .search |
162+
| tst.js:29:18:29:41 | documen ... .search |
163+
| tst.js:29:18:29:82 | documen ... , "$1") |
164+
| tst.js:31:18:31:23 | source |
165+
| tst.js:31:18:31:23 | source |
166+
| tst.js:33:14:33:19 | source |
167+
| tst.js:33:14:33:19 | source |
168+
| tst.js:35:28:35:33 | source |
169+
| tst.js:35:28:35:33 | source |
160170
edges
161171
| NoSQLCodeInjection.js:18:24:18:31 | req.body | NoSQLCodeInjection.js:18:24:18:37 | req.body.query |
162172
| NoSQLCodeInjection.js:18:24:18:31 | req.body | NoSQLCodeInjection.js:18:24:18:37 | req.body.query |
@@ -262,6 +272,15 @@ edges
262272
| tst.js:26:26:26:40 | location.search | tst.js:26:26:26:53 | locatio ... ring(1) |
263273
| tst.js:26:26:26:40 | location.search | tst.js:26:26:26:53 | locatio ... ring(1) |
264274
| tst.js:26:26:26:40 | location.search | tst.js:26:26:26:53 | locatio ... ring(1) |
275+
| tst.js:29:9:29:82 | source | tst.js:31:18:31:23 | source |
276+
| tst.js:29:9:29:82 | source | tst.js:31:18:31:23 | source |
277+
| tst.js:29:9:29:82 | source | tst.js:33:14:33:19 | source |
278+
| tst.js:29:9:29:82 | source | tst.js:33:14:33:19 | source |
279+
| tst.js:29:9:29:82 | source | tst.js:35:28:35:33 | source |
280+
| tst.js:29:9:29:82 | source | tst.js:35:28:35:33 | source |
281+
| tst.js:29:18:29:41 | documen ... .search | tst.js:29:18:29:82 | documen ... , "$1") |
282+
| tst.js:29:18:29:41 | documen ... .search | tst.js:29:18:29:82 | documen ... , "$1") |
283+
| tst.js:29:18:29:82 | documen ... , "$1") | tst.js:29:9:29:82 | source |
265284
#select
266285
| NoSQLCodeInjection.js:18:24:18:37 | req.body.query | NoSQLCodeInjection.js:18:24:18:31 | req.body | NoSQLCodeInjection.js:18:24:18:37 | req.body.query | $@ flows to here and is interpreted as code. | NoSQLCodeInjection.js:18:24:18:31 | req.body | User-provided value |
267286
| NoSQLCodeInjection.js:19:24:19:48 | "name = ... dy.name | NoSQLCodeInjection.js:19:36:19:43 | req.body | NoSQLCodeInjection.js:19:24:19:48 | "name = ... dy.name | $@ flows to here and is interpreted as code. | NoSQLCodeInjection.js:19:36:19:43 | req.body | User-provided value |
@@ -314,3 +333,6 @@ edges
314333
| tst.js:20:30:20:51 | documen ... on.hash | tst.js:20:30:20:51 | documen ... on.hash | tst.js:20:30:20:51 | documen ... on.hash | $@ flows to here and is interpreted as code. | tst.js:20:30:20:51 | documen ... on.hash | User-provided value |
315334
| tst.js:23:6:23:46 | atob(do ... ing(1)) | tst.js:23:11:23:32 | documen ... on.hash | tst.js:23:6:23:46 | atob(do ... ing(1)) | $@ flows to here and is interpreted as code. | tst.js:23:11:23:32 | documen ... on.hash | User-provided value |
316335
| tst.js:26:26:26:53 | locatio ... ring(1) | tst.js:26:26:26:40 | location.search | tst.js:26:26:26:53 | locatio ... ring(1) | $@ flows to here and is interpreted as code. | tst.js:26:26:26:40 | location.search | User-provided value |
336+
| tst.js:31:18:31:23 | source | tst.js:29:18:29:41 | documen ... .search | tst.js:31:18:31:23 | source | $@ flows to here and is interpreted as code. | tst.js:29:18:29:41 | documen ... .search | User-provided value |
337+
| tst.js:33:14:33:19 | source | tst.js:29:18:29:41 | documen ... .search | tst.js:33:14:33:19 | source | $@ flows to here and is interpreted as code. | tst.js:29:18:29:41 | documen ... .search | User-provided value |
338+
| tst.js:35:28:35:33 | source | tst.js:29:18:29:41 | documen ... .search | tst.js:35:28:35:33 | source | $@ flows to here and is interpreted as code. | tst.js:29:18:29:41 | documen ... .search | User-provided value |

javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/HeuristicSourceCodeInjection.expected

Lines changed: 19 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -161,6 +161,16 @@ nodes
161161
| tst.js:26:26:26:40 | location.search |
162162
| tst.js:26:26:26:53 | locatio ... ring(1) |
163163
| tst.js:26:26:26:53 | locatio ... ring(1) |
164+
| tst.js:29:9:29:82 | source |
165+
| tst.js:29:18:29:41 | documen ... .search |
166+
| tst.js:29:18:29:41 | documen ... .search |
167+
| tst.js:29:18:29:82 | documen ... , "$1") |
168+
| tst.js:31:18:31:23 | source |
169+
| tst.js:31:18:31:23 | source |
170+
| tst.js:33:14:33:19 | source |
171+
| tst.js:33:14:33:19 | source |
172+
| tst.js:35:28:35:33 | source |
173+
| tst.js:35:28:35:33 | source |
164174
edges
165175
| NoSQLCodeInjection.js:18:24:18:31 | req.body | NoSQLCodeInjection.js:18:24:18:37 | req.body.query |
166176
| NoSQLCodeInjection.js:18:24:18:31 | req.body | NoSQLCodeInjection.js:18:24:18:37 | req.body.query |
@@ -270,5 +280,14 @@ edges
270280
| tst.js:26:26:26:40 | location.search | tst.js:26:26:26:53 | locatio ... ring(1) |
271281
| tst.js:26:26:26:40 | location.search | tst.js:26:26:26:53 | locatio ... ring(1) |
272282
| tst.js:26:26:26:40 | location.search | tst.js:26:26:26:53 | locatio ... ring(1) |
283+
| tst.js:29:9:29:82 | source | tst.js:31:18:31:23 | source |
284+
| tst.js:29:9:29:82 | source | tst.js:31:18:31:23 | source |
285+
| tst.js:29:9:29:82 | source | tst.js:33:14:33:19 | source |
286+
| tst.js:29:9:29:82 | source | tst.js:33:14:33:19 | source |
287+
| tst.js:29:9:29:82 | source | tst.js:35:28:35:33 | source |
288+
| tst.js:29:9:29:82 | source | tst.js:35:28:35:33 | source |
289+
| tst.js:29:18:29:41 | documen ... .search | tst.js:29:18:29:82 | documen ... , "$1") |
290+
| tst.js:29:18:29:41 | documen ... .search | tst.js:29:18:29:82 | documen ... , "$1") |
291+
| tst.js:29:18:29:82 | documen ... , "$1") | tst.js:29:9:29:82 | source |
273292
#select
274293
| eslint-escope-build.js:21:16:21:16 | c | eslint-escope-build.js:20:22:20:22 | c | eslint-escope-build.js:21:16:21:16 | c | $@ flows to here and is interpreted as code. | eslint-escope-build.js:20:22:20:22 | c | User-provided value |

javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/tst.js

Lines changed: 12 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -24,3 +24,15 @@ eval(atob(document.location.hash.substring(1)));
2424

2525
// NOT OK
2626
$('<a>').attr("onclick", location.search.substring(1));
27+
28+
(function test() {
29+
var source = document.location.search.replace(/.*\bfoo\s*=\s*([^;]*).*/, "$1");
30+
31+
new Function(source); // NOT OK
32+
33+
Function(source); // NOT OK
34+
35+
new Function("a", "b", source); // NOT OK
36+
37+
new Function(...["a", "b"], source); // NOT OK - but not flagged [INCONSISTENCY]
38+
})();

0 commit comments

Comments
 (0)