JS: Accept to web socket-based SSRF alerts

asgerf · asgerf · commit 22991b30adc1 · 2025-02-25T17:29:53.000+01:00
diff --git a/javascript/ql/test/query-tests/Security/CWE-918/serverSide.js b/javascript/ql/test/query-tests/Security/CWE-918/serverSide.js
@@ -106,15 +106,15 @@ import * as ws from 'ws';
 new ws.Server({ port: 8080 }).on('connection', function(socket, request) {
   socket.on('message', function(message) {
     const url = request.url;
-    const socket = new ws(url);
+    const socket = new ws(url); // $ Alert[js/request-forgery]
   });
 });
 
 new ws.Server({ port: 8080 }).on('connection', function (socket, request) {
   socket.on('message', function (message) {
     const url = new URL(request.url, base);
     const target = new URL(url.pathname, base);
-    const socket = new ws(url);
+    const socket = new ws(url); // $ Alert[js/request-forgery]
   });
 });
 
