JS: Reworked CWE-643 test cases
Napalys committed Nov 21, 2024
1 parent 295626d commit c573deb
Showing 4 changed files with 12 additions and 11 deletions.
@@ -1 +1,2 @@
Security/CWE-643/XpathInjection.ql
query: Security/CWE-643/XpathInjection.ql
postprocess: testUtilities/InlineExpectationsTestQuery.ql
@@ -3,10 +3,10 @@ const xpath = require('xpath');
const app = express();

app.get('/some/route', function(req, res) {
let userName = req.param("userName");
let userName = req.param("userName"); // $ Source

// BAD: Use user-provided data directly in an XPath expression
let badXPathExpr = xpath.parse("//users/user[login/text()='" + userName + "']/home_dir/text()");
let badXPathExpr = xpath.parse("//users/user[login/text()='" + userName + "']/home_dir/text()"); // $ Alert
badXPathExpr.select({
node: root
});
10 changes: 5 additions & 5 deletions javascript/ql/test/query-tests/Security/CWE-643/tst.js
@@ -3,10 +3,10 @@ const xpath = require('xpath');
const app = express();

app.get('/some/route', function(req, res) {
let tainted = req.param("userName");
xpath.parse(tainted); // NOT OK
xpath.select(tainted); // NOT OK
xpath.select1(tainted); // NOT OK
let tainted = req.param("userName"); // $ Source
xpath.parse(tainted); // $ Alert
xpath.select(tainted); // $ Alert
xpath.select1(tainted); // $ Alert
let expr = xpath.useNamespaces(map);
expr(tainted); // NOT OK
expr(tainted); // $ Alert
});
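Review bot: tst.js now carries only positive expectations — every sink call from `xpath.parse(tainted)` down to `expr(tainted)` is marked `// $ Alert`, and there is no call with a constant or otherwise untainted argument, so the reworked inline expectations cannot detect the query over-reporting; the same holds for tst2.js, whose hunk is just the two `// $ Alert` lines. A one-line negative control next to the existing sinks would close that gap, e.g. `xpath.parse("//users/user/home_dir/text()"); // OK - constant expression, no alert expected` here and `document.evaluate("/html/body"); // OK` in tst2.js. On the `xpath.useNamespaces(map)` line, `map` is not declared anywhere in the hunk; if it is not defined in the lines above the hunk, a `const map = {};` before it would keep the test self-contained, although that only matters for readers, not for the analysis.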
6 changes: 3 additions & 3 deletions javascript/ql/test/query-tests/Security/CWE-643/tst2.js
@@ -1,3 +1,3 @@
let query = document.location.hash.substring(1);
document.createExpression(query); // NOT OK
document.evaluate(query); // NOT OK
let query = document.location.hash.substring(1); // $ Source
document.createExpression(query); // $ Alert
document.evaluate(query); // $ Alert
