
Commit 39f1c79

author
Max Schaefer
committed
JavaScript: Address review comments.
1 parent 31d23b6 commit 39f1c79


3 files changed

+5
-2
lines changed


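--- a/javascript/ql/src/Security/CWE-754/examples/UnvalidatedDynamicMethodCall.js
+++ b/javascript/ql/src/Security/CWE-754/examples/UnvalidatedDynamicMethodCall.js
@@ -12,5 +12,6 @@ var actions = {
 
 app.get('/perform/:action/:payload', function(req, res) {
 let action = actions[req.params.action];
+// BAD: `action` may not be a function
 res.end(action(req.params.payload));
 });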
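Review bot: The added comment above `res.end(action(req.params.payload))` understates the hazard: since `actions` appears to be a plain object literal (per the `var actions = {` context in the hunk header), `actions[req.params.action]` also resolves inherited `Object.prototype` members, so a request for `/perform/constructor/x` or `/perform/toString/x` yields a function that is not one of the intended handlers, while an unknown name yields `undefined` and the call throws a TypeError that aborts the request handler. Suggest wording it as `// BAD: \`action\` may be undefined (TypeError on call) or an inherited Object.prototype method such as \`constructor\`, rather than one of the intended handlers`. The `actions` literal this example depends on is defined above the hunk.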

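--- a/javascript/ql/src/Security/CWE-754/examples/UnvalidatedDynamicMethodCallGood.js
+++ b/javascript/ql/src/Security/CWE-754/examples/UnvalidatedDynamicMethodCallGood.js
@@ -2,16 +2,17 @@ var express = require('express');
 var app = express();
 
 var actions = new Map();
-actions.put("play", function (data) {
+actions.put("play", function play(data) {
 // ...
 });
-actions.put("pause", function(data) {
+actions.put("pause", function pause(data) {
 // ...
 });
 
 app.get('/perform/:action/:payload', function(req, res) {
 if (actions.has(req.params.action)) {
 let action = actions.get(req.params.action);
+// GOOD: `action` is either the `play` or the `pause` function from above
 res.end(action(req.params.payload));
 } else {
 res.end("Unsupported action.");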
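Review bot: The rewritten lines 5 and 8 still call `actions.put(...)`, but `actions` is created as `new Map()` on line 4 and ES `Map` has no `put` method, so this "good" example throws `TypeError: actions.put is not a function` at module load and never registers either handler. Change them to `actions.set("play", function play(data) {` and `actions.set("pause", function pause(data) {`. The `has`/`get` lookup in the handler is otherwise the right shape, since a `Map` keyed lookup does not walk `Object.prototype` and so cannot be steered to `constructor`, `__proto__` or similar by the `:action` parameter.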

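--- a/javascript/ql/src/Security/CWE-754/examples/UnvalidatedDynamicMethodCallGood2.js
+++ b/javascript/ql/src/Security/CWE-754/examples/UnvalidatedDynamicMethodCallGood2.js
@@ -14,6 +14,7 @@ app.get('/perform/:action/:payload', function(req, res) {
 if (actions.hasOwnProperty(req.params.action)) {
 let action = actions[req.params.action];
 if (typeof action === 'function') {
+// GOOD: `action` is an own method of `actions`
 res.end(action(req.params.payload));
 return;
 }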
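Review bot: `actions.hasOwnProperty(req.params.action)` on line 14 resolves `hasOwnProperty` through the prototype chain of `actions` itself, so it becomes a TypeError if `actions` ever gains an own `hasOwnProperty` key or is built with `Object.create(null)`; the robust form for a guard that exists precisely to defeat prototype-chain lookups is `if (Object.prototype.hasOwnProperty.call(actions, req.params.action)) {`. The added `typeof action === 'function'` check on line 16 is still worth keeping, since an own key could hold a non-function value. The enclosing `app.get` handler starts above the hunk and continues below it.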
