Commit c559ab1

committed
JS: Add test and handle parameter with source object
1 parent 34a9dce commit c559ab1

3 files changed

+182
-1
lines changed

3 files changed

+182
-1
lines changed

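--- a/javascript/ql/src/Security/CWE-400/PrototypePollutionUtility.ql
+++ b/javascript/ql/src/Security/CWE-400/PrototypePollutionUtility.ql
@@ -42,7 +42,7 @@ SourceNode getAnEnumeratedArrayElement(SourceNode array) {
 */
 abstract class EnumeratedPropName extends DataFlow::Node {
 /**
-* Gets the object whose properties are being enumerated.
+* Gets the data flow node holding the object whose properties are being enumerated.
 *
 * For example, gets `src` in `for (var key in src)`.
 */
@@ -137,6 +137,12 @@ class ForOwnEnumeratedPropName extends EnumeratedPropName {
 result = call.getArgument(0)
 }
 
+override SourceNode getASourceObjectRef() {
+result = super.getASourceObjectRef()
+or
+result = callback.getParameter(2)
+}
+
 override SourceNode getASourceProp() {
 result = super.getASourceProp()
 or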
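Review bot: The new `getASourceObjectRef` override carries no QLDoc, unlike the documented members of `EnumeratedPropName` shown in the first hunk, so a reader has to work out why parameter 2 of the callback counts as a reference to the enumerated object. I would add `/** Gets a reference to the source object, including the object passed as the third argument to the `forOwn` callback. */` directly above the override. That the third callback parameter is the iterated object is what the new fixture in tests.js models (`forOwn(src, (value, key, o) => …`); if the modelled library also accepts callbacks with a different parameter order, this override would over-approximate and should be narrowed to that case. The `callback` field and the enclosing `ForOwnEnumeratedPropName` class are declared outside the hunk.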

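--- a/javascript/ql/test/query-tests/Security/CWE-400/PrototypePollutionUtility.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-400/PrototypePollutionUtility.expected
@@ -953,6 +953,70 @@ nodes
 | PrototypePollutionUtility/tests.js:437:24:437:28 | value |
 | PrototypePollutionUtility/tests.js:437:24:437:28 | value |
 | PrototypePollutionUtility/tests.js:437:24:437:28 | value |
+| PrototypePollutionUtility/tests.js:442:26:442:28 | dst |
+| PrototypePollutionUtility/tests.js:442:26:442:28 | dst |
+| PrototypePollutionUtility/tests.js:442:31:442:33 | src |
+| PrototypePollutionUtility/tests.js:442:31:442:33 | src |
+| PrototypePollutionUtility/tests.js:444:18:444:22 | value |
+| PrototypePollutionUtility/tests.js:444:18:444:22 | value |
+| PrototypePollutionUtility/tests.js:444:18:444:22 | value |
+| PrototypePollutionUtility/tests.js:444:25:444:27 | key |
+| PrototypePollutionUtility/tests.js:444:25:444:27 | key |
+| PrototypePollutionUtility/tests.js:444:25:444:27 | key |
+| PrototypePollutionUtility/tests.js:446:29:446:31 | dst |
+| PrototypePollutionUtility/tests.js:446:29:446:31 | dst |
+| PrototypePollutionUtility/tests.js:446:29:446:36 | dst[key] |
+| PrototypePollutionUtility/tests.js:446:29:446:36 | dst[key] |
+| PrototypePollutionUtility/tests.js:446:29:446:36 | dst[key] |
+| PrototypePollutionUtility/tests.js:446:29:446:36 | dst[key] |
+| PrototypePollutionUtility/tests.js:446:33:446:35 | key |
+| PrototypePollutionUtility/tests.js:446:33:446:35 | key |
+| PrototypePollutionUtility/tests.js:446:39:446:41 | src |
+| PrototypePollutionUtility/tests.js:446:39:446:41 | src |
+| PrototypePollutionUtility/tests.js:446:39:446:46 | src[key] |
+| PrototypePollutionUtility/tests.js:446:39:446:46 | src[key] |
+| PrototypePollutionUtility/tests.js:446:39:446:46 | src[key] |
+| PrototypePollutionUtility/tests.js:446:39:446:46 | src[key] |
+| PrototypePollutionUtility/tests.js:446:39:446:46 | src[key] |
+| PrototypePollutionUtility/tests.js:446:43:446:45 | key |
+| PrototypePollutionUtility/tests.js:446:43:446:45 | key |
+| PrototypePollutionUtility/tests.js:449:30:449:32 | dst |
+| PrototypePollutionUtility/tests.js:449:30:449:32 | dst |
+| PrototypePollutionUtility/tests.js:449:30:449:32 | dst |
+| PrototypePollutionUtility/tests.js:449:34:449:36 | key |
+| PrototypePollutionUtility/tests.js:449:34:449:36 | key |
+| PrototypePollutionUtility/tests.js:449:34:449:36 | key |
+| PrototypePollutionUtility/tests.js:449:41:449:43 | src |
+| PrototypePollutionUtility/tests.js:449:41:449:43 | src |
+| PrototypePollutionUtility/tests.js:449:41:449:48 | src[key] |
+| PrototypePollutionUtility/tests.js:449:41:449:48 | src[key] |
+| PrototypePollutionUtility/tests.js:449:41:449:48 | src[key] |
+| PrototypePollutionUtility/tests.js:449:41:449:48 | src[key] |
+| PrototypePollutionUtility/tests.js:449:41:449:48 | src[key] |
+| PrototypePollutionUtility/tests.js:449:41:449:48 | src[key] |
+| PrototypePollutionUtility/tests.js:449:45:449:47 | key |
+| PrototypePollutionUtility/tests.js:449:45:449:47 | key |
+| PrototypePollutionUtility/tests.js:450:30:450:32 | dst |
+| PrototypePollutionUtility/tests.js:450:30:450:32 | dst |
+| PrototypePollutionUtility/tests.js:450:30:450:32 | dst |
+| PrototypePollutionUtility/tests.js:450:34:450:36 | key |
+| PrototypePollutionUtility/tests.js:450:34:450:36 | key |
+| PrototypePollutionUtility/tests.js:450:34:450:36 | key |
+| PrototypePollutionUtility/tests.js:450:41:450:46 | o[key] |
+| PrototypePollutionUtility/tests.js:450:41:450:46 | o[key] |
+| PrototypePollutionUtility/tests.js:450:41:450:46 | o[key] |
+| PrototypePollutionUtility/tests.js:450:41:450:46 | o[key] |
+| PrototypePollutionUtility/tests.js:450:43:450:45 | key |
+| PrototypePollutionUtility/tests.js:450:43:450:45 | key |
+| PrototypePollutionUtility/tests.js:451:30:451:32 | dst |
+| PrototypePollutionUtility/tests.js:451:30:451:32 | dst |
+| PrototypePollutionUtility/tests.js:451:30:451:32 | dst |
+| PrototypePollutionUtility/tests.js:451:34:451:36 | key |
+| PrototypePollutionUtility/tests.js:451:34:451:36 | key |
+| PrototypePollutionUtility/tests.js:451:34:451:36 | key |
+| PrototypePollutionUtility/tests.js:451:41:451:45 | value |
+| PrototypePollutionUtility/tests.js:451:41:451:45 | value |
+| PrototypePollutionUtility/tests.js:451:41:451:45 | value |
 | examples/PrototypePollutionUtility.js:1:16:1:18 | dst |
 | examples/PrototypePollutionUtility.js:1:16:1:18 | dst |
 | examples/PrototypePollutionUtility.js:1:21:1:23 | src |
@@ -2242,6 +2306,100 @@ edges
 | PrototypePollutionUtility/tests.js:435:39:435:43 | value | PrototypePollutionUtility/tests.js:430:33:430:35 | src |
 | PrototypePollutionUtility/tests.js:435:39:435:43 | value | PrototypePollutionUtility/tests.js:430:33:430:35 | src |
 | PrototypePollutionUtility/tests.js:435:39:435:43 | value | PrototypePollutionUtility/tests.js:430:33:430:35 | src |
+| PrototypePollutionUtility/tests.js:442:26:442:28 | dst | PrototypePollutionUtility/tests.js:446:29:446:31 | dst |
+| PrototypePollutionUtility/tests.js:442:26:442:28 | dst | PrototypePollutionUtility/tests.js:446:29:446:31 | dst |
+| PrototypePollutionUtility/tests.js:442:26:442:28 | dst | PrototypePollutionUtility/tests.js:449:30:449:32 | dst |
+| PrototypePollutionUtility/tests.js:442:26:442:28 | dst | PrototypePollutionUtility/tests.js:449:30:449:32 | dst |
+| PrototypePollutionUtility/tests.js:442:26:442:28 | dst | PrototypePollutionUtility/tests.js:449:30:449:32 | dst |
+| PrototypePollutionUtility/tests.js:442:26:442:28 | dst | PrototypePollutionUtility/tests.js:449:30:449:32 | dst |
+| PrototypePollutionUtility/tests.js:442:26:442:28 | dst | PrototypePollutionUtility/tests.js:450:30:450:32 | dst |
+| PrototypePollutionUtility/tests.js:442:26:442:28 | dst | PrototypePollutionUtility/tests.js:450:30:450:32 | dst |
+| PrototypePollutionUtility/tests.js:442:26:442:28 | dst | PrototypePollutionUtility/tests.js:450:30:450:32 | dst |
+| PrototypePollutionUtility/tests.js:442:26:442:28 | dst | PrototypePollutionUtility/tests.js:450:30:450:32 | dst |
+| PrototypePollutionUtility/tests.js:442:26:442:28 | dst | PrototypePollutionUtility/tests.js:451:30:451:32 | dst |
+| PrototypePollutionUtility/tests.js:442:26:442:28 | dst | PrototypePollutionUtility/tests.js:451:30:451:32 | dst |
+| PrototypePollutionUtility/tests.js:442:26:442:28 | dst | PrototypePollutionUtility/tests.js:451:30:451:32 | dst |
+| PrototypePollutionUtility/tests.js:442:26:442:28 | dst | PrototypePollutionUtility/tests.js:451:30:451:32 | dst |
+| PrototypePollutionUtility/tests.js:442:31:442:33 | src | PrototypePollutionUtility/tests.js:446:39:446:41 | src |
+| PrototypePollutionUtility/tests.js:442:31:442:33 | src | PrototypePollutionUtility/tests.js:446:39:446:41 | src |
+| PrototypePollutionUtility/tests.js:442:31:442:33 | src | PrototypePollutionUtility/tests.js:449:41:449:43 | src |
+| PrototypePollutionUtility/tests.js:442:31:442:33 | src | PrototypePollutionUtility/tests.js:449:41:449:43 | src |
+| PrototypePollutionUtility/tests.js:444:18:444:22 | value | PrototypePollutionUtility/tests.js:451:41:451:45 | value |
+| PrototypePollutionUtility/tests.js:444:18:444:22 | value | PrototypePollutionUtility/tests.js:451:41:451:45 | value |
+| PrototypePollutionUtility/tests.js:444:18:444:22 | value | PrototypePollutionUtility/tests.js:451:41:451:45 | value |
+| PrototypePollutionUtility/tests.js:444:18:444:22 | value | PrototypePollutionUtility/tests.js:451:41:451:45 | value |
+| PrototypePollutionUtility/tests.js:444:18:444:22 | value | PrototypePollutionUtility/tests.js:451:41:451:45 | value |
+| PrototypePollutionUtility/tests.js:444:18:444:22 | value | PrototypePollutionUtility/tests.js:451:41:451:45 | value |
+| PrototypePollutionUtility/tests.js:444:18:444:22 | value | PrototypePollutionUtility/tests.js:451:41:451:45 | value |
+| PrototypePollutionUtility/tests.js:444:25:444:27 | key | PrototypePollutionUtility/tests.js:446:33:446:35 | key |
+| PrototypePollutionUtility/tests.js:444:25:444:27 | key | PrototypePollutionUtility/tests.js:446:33:446:35 | key |
+| PrototypePollutionUtility/tests.js:444:25:444:27 | key | PrototypePollutionUtility/tests.js:446:33:446:35 | key |
+| PrototypePollutionUtility/tests.js:444:25:444:27 | key | PrototypePollutionUtility/tests.js:446:33:446:35 | key |
+| PrototypePollutionUtility/tests.js:444:25:444:27 | key | PrototypePollutionUtility/tests.js:446:43:446:45 | key |
+| PrototypePollutionUtility/tests.js:444:25:444:27 | key | PrototypePollutionUtility/tests.js:446:43:446:45 | key |
+| PrototypePollutionUtility/tests.js:444:25:444:27 | key | PrototypePollutionUtility/tests.js:446:43:446:45 | key |
+| PrototypePollutionUtility/tests.js:444:25:444:27 | key | PrototypePollutionUtility/tests.js:446:43:446:45 | key |
+| PrototypePollutionUtility/tests.js:444:25:444:27 | key | PrototypePollutionUtility/tests.js:449:34:449:36 | key |
+| PrototypePollutionUtility/tests.js:444:25:444:27 | key | PrototypePollutionUtility/tests.js:449:34:449:36 | key |
+| PrototypePollutionUtility/tests.js:444:25:444:27 | key | PrototypePollutionUtility/tests.js:449:34:449:36 | key |
+| PrototypePollutionUtility/tests.js:444:25:444:27 | key | PrototypePollutionUtility/tests.js:449:34:449:36 | key |
+| PrototypePollutionUtility/tests.js:444:25:444:27 | key | PrototypePollutionUtility/tests.js:449:34:449:36 | key |
+| PrototypePollutionUtility/tests.js:444:25:444:27 | key | PrototypePollutionUtility/tests.js:449:34:449:36 | key |
+| PrototypePollutionUtility/tests.js:444:25:444:27 | key | PrototypePollutionUtility/tests.js:449:34:449:36 | key |
+| PrototypePollutionUtility/tests.js:444:25:444:27 | key | PrototypePollutionUtility/tests.js:449:45:449:47 | key |
+| PrototypePollutionUtility/tests.js:444:25:444:27 | key | PrototypePollutionUtility/tests.js:449:45:449:47 | key |
+| PrototypePollutionUtility/tests.js:444:25:444:27 | key | PrototypePollutionUtility/tests.js:449:45:449:47 | key |
+| PrototypePollutionUtility/tests.js:444:25:444:27 | key | PrototypePollutionUtility/tests.js:449:45:449:47 | key |
+| PrototypePollutionUtility/tests.js:444:25:444:27 | key | PrototypePollutionUtility/tests.js:450:34:450:36 | key |
+| PrototypePollutionUtility/tests.js:444:25:444:27 | key | PrototypePollutionUtility/tests.js:450:34:450:36 | key |
+| PrototypePollutionUtility/tests.js:444:25:444:27 | key | PrototypePollutionUtility/tests.js:450:34:450:36 | key |
+| PrototypePollutionUtility/tests.js:444:25:444:27 | key | PrototypePollutionUtility/tests.js:450:34:450:36 | key |
+| PrototypePollutionUtility/tests.js:444:25:444:27 | key | PrototypePollutionUtility/tests.js:450:34:450:36 | key |
+| PrototypePollutionUtility/tests.js:444:25:444:27 | key | PrototypePollutionUtility/tests.js:450:34:450:36 | key |
+| PrototypePollutionUtility/tests.js:444:25:444:27 | key | PrototypePollutionUtility/tests.js:450:34:450:36 | key |
+| PrototypePollutionUtility/tests.js:444:25:444:27 | key | PrototypePollutionUtility/tests.js:450:43:450:45 | key |
+| PrototypePollutionUtility/tests.js:444:25:444:27 | key | PrototypePollutionUtility/tests.js:450:43:450:45 | key |
+| PrototypePollutionUtility/tests.js:444:25:444:27 | key | PrototypePollutionUtility/tests.js:450:43:450:45 | key |
+| PrototypePollutionUtility/tests.js:444:25:444:27 | key | PrototypePollutionUtility/tests.js:450:43:450:45 | key |
+| PrototypePollutionUtility/tests.js:444:25:444:27 | key | PrototypePollutionUtility/tests.js:451:34:451:36 | key |
+| PrototypePollutionUtility/tests.js:444:25:444:27 | key | PrototypePollutionUtility/tests.js:451:34:451:36 | key |
+| PrototypePollutionUtility/tests.js:444:25:444:27 | key | PrototypePollutionUtility/tests.js:451:34:451:36 | key |
+| PrototypePollutionUtility/tests.js:444:25:444:27 | key | PrototypePollutionUtility/tests.js:451:34:451:36 | key |
+| PrototypePollutionUtility/tests.js:444:25:444:27 | key | PrototypePollutionUtility/tests.js:451:34:451:36 | key |
+| PrototypePollutionUtility/tests.js:444:25:444:27 | key | PrototypePollutionUtility/tests.js:451:34:451:36 | key |
+| PrototypePollutionUtility/tests.js:444:25:444:27 | key | PrototypePollutionUtility/tests.js:451:34:451:36 | key |
+| PrototypePollutionUtility/tests.js:446:29:446:31 | dst | PrototypePollutionUtility/tests.js:446:29:446:36 | dst[key] |
+| PrototypePollutionUtility/tests.js:446:29:446:31 | dst | PrototypePollutionUtility/tests.js:446:29:446:36 | dst[key] |
+| PrototypePollutionUtility/tests.js:446:29:446:36 | dst[key] | PrototypePollutionUtility/tests.js:442:26:442:28 | dst |
+| PrototypePollutionUtility/tests.js:446:29:446:36 | dst[key] | PrototypePollutionUtility/tests.js:442:26:442:28 | dst |
+| PrototypePollutionUtility/tests.js:446:29:446:36 | dst[key] | PrototypePollutionUtility/tests.js:442:26:442:28 | dst |
+| PrototypePollutionUtility/tests.js:446:29:446:36 | dst[key] | PrototypePollutionUtility/tests.js:442:26:442:28 | dst |
+| PrototypePollutionUtility/tests.js:446:33:446:35 | key | PrototypePollutionUtility/tests.js:446:29:446:36 | dst[key] |
+| PrototypePollutionUtility/tests.js:446:33:446:35 | key | PrototypePollutionUtility/tests.js:446:29:446:36 | dst[key] |
+| PrototypePollutionUtility/tests.js:446:39:446:41 | src | PrototypePollutionUtility/tests.js:446:39:446:46 | src[key] |
+| PrototypePollutionUtility/tests.js:446:39:446:41 | src | PrototypePollutionUtility/tests.js:446:39:446:46 | src[key] |
+| PrototypePollutionUtility/tests.js:446:39:446:46 | src[key] | PrototypePollutionUtility/tests.js:442:31:442:33 | src |
+| PrototypePollutionUtility/tests.js:446:39:446:46 | src[key] | PrototypePollutionUtility/tests.js:442:31:442:33 | src |
+| PrototypePollutionUtility/tests.js:446:39:446:46 | src[key] | PrototypePollutionUtility/tests.js:442:31:442:33 | src |
+| PrototypePollutionUtility/tests.js:446:39:446:46 | src[key] | PrototypePollutionUtility/tests.js:442:31:442:33 | src |
+| PrototypePollutionUtility/tests.js:446:39:446:46 | src[key] | PrototypePollutionUtility/tests.js:442:31:442:33 | src |
+| PrototypePollutionUtility/tests.js:446:39:446:46 | src[key] | PrototypePollutionUtility/tests.js:442:31:442:33 | src |
+| PrototypePollutionUtility/tests.js:446:43:446:45 | key | PrototypePollutionUtility/tests.js:446:39:446:46 | src[key] |
+| PrototypePollutionUtility/tests.js:446:43:446:45 | key | PrototypePollutionUtility/tests.js:446:39:446:46 | src[key] |
+| PrototypePollutionUtility/tests.js:449:41:449:43 | src | PrototypePollutionUtility/tests.js:449:41:449:48 | src[key] |
+| PrototypePollutionUtility/tests.js:449:41:449:43 | src | PrototypePollutionUtility/tests.js:449:41:449:48 | src[key] |
+| PrototypePollutionUtility/tests.js:449:41:449:43 | src | PrototypePollutionUtility/tests.js:449:41:449:48 | src[key] |
+| PrototypePollutionUtility/tests.js:449:41:449:43 | src | PrototypePollutionUtility/tests.js:449:41:449:48 | src[key] |
+| PrototypePollutionUtility/tests.js:449:41:449:48 | src[key] | PrototypePollutionUtility/tests.js:449:41:449:48 | src[key] |
+| PrototypePollutionUtility/tests.js:449:45:449:47 | key | PrototypePollutionUtility/tests.js:449:41:449:48 | src[key] |
+| PrototypePollutionUtility/tests.js:449:45:449:47 | key | PrototypePollutionUtility/tests.js:449:41:449:48 | src[key] |
+| PrototypePollutionUtility/tests.js:449:45:449:47 | key | PrototypePollutionUtility/tests.js:449:41:449:48 | src[key] |
+| PrototypePollutionUtility/tests.js:449:45:449:47 | key | PrototypePollutionUtility/tests.js:449:41:449:48 | src[key] |
+| PrototypePollutionUtility/tests.js:450:41:450:46 | o[key] | PrototypePollutionUtility/tests.js:450:41:450:46 | o[key] |
+| PrototypePollutionUtility/tests.js:450:43:450:45 | key | PrototypePollutionUtility/tests.js:450:41:450:46 | o[key] |
+| PrototypePollutionUtility/tests.js:450:43:450:45 | key | PrototypePollutionUtility/tests.js:450:41:450:46 | o[key] |
+| PrototypePollutionUtility/tests.js:450:43:450:45 | key | PrototypePollutionUtility/tests.js:450:41:450:46 | o[key] |
+| PrototypePollutionUtility/tests.js:450:43:450:45 | key | PrototypePollutionUtility/tests.js:450:41:450:46 | o[key] |
 | examples/PrototypePollutionUtility.js:1:16:1:18 | dst | examples/PrototypePollutionUtility.js:5:19:5:21 | dst |
 | examples/PrototypePollutionUtility.js:1:16:1:18 | dst | examples/PrototypePollutionUtility.js:5:19:5:21 | dst |
 | examples/PrototypePollutionUtility.js:1:16:1:18 | dst | examples/PrototypePollutionUtility.js:7:13:7:15 | dst |
@@ -2364,4 +2522,7 @@ edges
 | PrototypePollutionUtility/tests.js:387:13:387:15 | dst | PrototypePollutionUtility/tests.js:365:14:365:16 | key | PrototypePollutionUtility/tests.js:387:13:387:15 | dst | Properties are copied from $@ to $@ without guarding against prototype pollution. | PrototypePollutionUtility/tests.js:365:21:365:23 | obj | obj | PrototypePollutionUtility/tests.js:387:13:387:15 | dst | dst |
 | PrototypePollutionUtility/tests.js:403:13:403:15 | dst | PrototypePollutionUtility/tests.js:397:14:397:16 | key | PrototypePollutionUtility/tests.js:403:13:403:15 | dst | Properties are copied from $@ to $@ without guarding against prototype pollution. | PrototypePollutionUtility/tests.js:397:21:397:23 | src | src | PrototypePollutionUtility/tests.js:403:13:403:15 | dst | dst |
 | PrototypePollutionUtility/tests.js:420:13:420:15 | dst | PrototypePollutionUtility/tests.js:414:14:414:16 | key | PrototypePollutionUtility/tests.js:420:13:420:15 | dst | Properties are copied from $@ to $@ without guarding against prototype pollution. | PrototypePollutionUtility/tests.js:414:21:414:23 | src | src | PrototypePollutionUtility/tests.js:420:13:420:15 | dst | dst |
+| PrototypePollutionUtility/tests.js:449:30:449:32 | dst | PrototypePollutionUtility/tests.js:444:25:444:27 | key | PrototypePollutionUtility/tests.js:449:30:449:32 | dst | Properties are copied from $@ to $@ without guarding against prototype pollution. | PrototypePollutionUtility/tests.js:444:12:444:14 | src | src | PrototypePollutionUtility/tests.js:449:30:449:32 | dst | dst |
+| PrototypePollutionUtility/tests.js:450:30:450:32 | dst | PrototypePollutionUtility/tests.js:444:25:444:27 | key | PrototypePollutionUtility/tests.js:450:30:450:32 | dst | Properties are copied from $@ to $@ without guarding against prototype pollution. | PrototypePollutionUtility/tests.js:444:12:444:14 | src | src | PrototypePollutionUtility/tests.js:450:30:450:32 | dst | dst |
+| PrototypePollutionUtility/tests.js:451:30:451:32 | dst | PrototypePollutionUtility/tests.js:444:25:444:27 | key | PrototypePollutionUtility/tests.js:451:30:451:32 | dst | Properties are copied from $@ to $@ without guarding against prototype pollution. | PrototypePollutionUtility/tests.js:444:12:444:14 | src | src | PrototypePollutionUtility/tests.js:451:30:451:32 | dst | dst |
 | examples/PrototypePollutionUtility.js:7:13:7:15 | dst | examples/PrototypePollutionUtility.js:2:14:2:16 | key | examples/PrototypePollutionUtility.js:7:13:7:15 | dst | Properties are copied from $@ to $@ without guarding against prototype pollution. | examples/PrototypePollutionUtility.js:2:21:2:23 | src | src | examples/PrototypePollutionUtility.js:7:13:7:15 | dst | dst |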

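--- a/javascript/ql/test/query-tests/Security/CWE-400/PrototypePollutionUtility/tests.js
+++ b/javascript/ql/test/query-tests/Security/CWE-400/PrototypePollutionUtility/tests.js
@@ -438,3 +438,17 @@ function copyUsingSafeRead(dst, src) {
 }
 }
 }
+
+function copyUsingForOwn(dst, src) {
+let forOwn = import('for-own');
+forOwn(src, (value, key, o) => {
+if (dst[key]) {
+copyUsingForOwn(dst[key], src[key]);
+} else {
+// Handle a few different ways to access src[key]
+if (something()) dst[key] = src[key]; // NOT OK
+if (something()) dst[key] = o[key]; // NOT OK
+if (something()) dst[key] = value; // NOT OK
+}
+});
+}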
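Review bot: `let forOwn = import('for-own');` on new line 443 binds a dynamic-import promise rather than the module's export, so `forOwn(src, …)` on the next line could never run as written; this is harmless for a static-analysis fixture, but only as long as the query's `for-own` import modelling (outside this hunk) accepts that expression, and it invites a future "fix". A `const forOwn = require('for-own');` would be the more representative shape, or a comment `// not executed: import() is used only so the analysis resolves the 'for-own' module` would make the intent explicit. The `if (dst[key])` branch on line 445 is the only one without an annotation; a `// OK - recursive call, not a write` there would keep the fixture consistent with the three `// NOT OK` markers below it.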
