
Commit f4eb899

committed
JS: Added test cases for fastify.addHook
1 parent 4ae49cf commit f4eb899


2 files changed

+74
-0
lines changed


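--- a/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/CodeInjection.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/CodeInjection.expected
@@ -27,6 +27,10 @@
 | express.js:20:34:20:38 | taint | express.js:19:17:19:35 | req.param("wobble") | express.js:20:34:20:38 | taint | This code execution depends on a $@. | express.js:19:17:19:35 | req.param("wobble") | user-provided value |
 | express.js:36:15:36:19 | taint | express.js:27:17:27:35 | req.param("wobble") | express.js:36:15:36:19 | taint | This code execution depends on a $@. | express.js:27:17:27:35 | req.param("wobble") | user-provided value |
 | express.js:43:10:43:12 | msg | express.js:42:30:42:32 | msg | express.js:43:10:43:12 | msg | This code execution depends on a $@. | express.js:42:30:42:32 | msg | user-provided value |
+| fastify.js:58:44:58:52 | userInput | fastify.js:57:21:57:33 | request.query | fastify.js:58:44:58:52 | userInput | This code execution depends on a $@. | fastify.js:57:21:57:33 | request.query | user-provided value |
+| fastify.js:58:44:58:52 | userInput | fastify.js:57:21:57:39 | request.query.input | fastify.js:58:44:58:52 | userInput | This code execution depends on a $@. | fastify.js:57:21:57:39 | request.query.input | user-provided value |
+| fastify.js:59:23:59:31 | userInput | fastify.js:57:21:57:33 | request.query | fastify.js:59:23:59:31 | userInput | This code execution depends on a $@. | fastify.js:57:21:57:33 | request.query | user-provided value |
+| fastify.js:59:23:59:31 | userInput | fastify.js:57:21:57:39 | request.query.input | fastify.js:59:23:59:31 | userInput | This code execution depends on a $@. | fastify.js:57:21:57:39 | request.query.input | user-provided value |
 | module.js:9:16:9:29 | req.query.code | module.js:9:16:9:29 | req.query.code | module.js:9:16:9:29 | req.query.code | This code execution depends on a $@. | module.js:9:16:9:29 | req.query.code | user-provided value |
 | module.js:11:17:11:30 | req.query.code | module.js:11:17:11:30 | req.query.code | module.js:11:17:11:30 | req.query.code | This code execution depends on a $@. | module.js:11:17:11:30 | req.query.code | user-provided value |
 | react-native.js:8:32:8:38 | tainted | react-native.js:7:17:7:33 | req.param("code") | react-native.js:8:32:8:38 | tainted | This code execution depends on a $@. | react-native.js:7:17:7:33 | req.param("code") | user-provided value |
@@ -75,6 +79,10 @@ edges
 | express.js:27:9:27:35 | taint | express.js:36:15:36:19 | taint | provenance | |
 | express.js:27:17:27:35 | req.param("wobble") | express.js:27:9:27:35 | taint | provenance | |
 | express.js:42:30:42:32 | msg | express.js:43:10:43:12 | msg | provenance | |
+| fastify.js:57:9:57:39 | userInput | fastify.js:58:44:58:52 | userInput | provenance | |
+| fastify.js:57:9:57:39 | userInput | fastify.js:59:23:59:31 | userInput | provenance | |
+| fastify.js:57:21:57:33 | request.query | fastify.js:57:9:57:39 | userInput | provenance | |
+| fastify.js:57:21:57:39 | request.query.input | fastify.js:57:9:57:39 | userInput | provenance | |
 | react-native.js:7:7:7:33 | tainted | react-native.js:8:32:8:38 | tainted | provenance | |
 | react-native.js:7:7:7:33 | tainted | react-native.js:10:23:10:29 | tainted | provenance | |
 | react-native.js:7:17:7:33 | req.param("code") | react-native.js:7:7:7:33 | tainted | provenance | |
@@ -144,6 +152,11 @@ nodes
 | express.js:36:15:36:19 | taint | semmle.label | taint |
 | express.js:42:30:42:32 | msg | semmle.label | msg |
 | express.js:43:10:43:12 | msg | semmle.label | msg |
+| fastify.js:57:9:57:39 | userInput | semmle.label | userInput |
+| fastify.js:57:21:57:33 | request.query | semmle.label | request.query |
+| fastify.js:57:21:57:39 | request.query.input | semmle.label | request.query.input |
+| fastify.js:58:44:58:52 | userInput | semmle.label | userInput |
+| fastify.js:59:23:59:31 | userInput | semmle.label | userInput |
 | module.js:9:16:9:29 | req.query.code | semmle.label | req.query.code |
 | module.js:11:17:11:30 | req.query.code | semmle.label | req.query.code |
 | react-native.js:7:7:7:33 | tainted | semmle.label | tainted |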
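--- a/fastify.js
+++ b/fastify.js
@@ -0,0 +1,61 @@
+const fastify = require('fastify')({ logger: true });
+
+fastify.addHook('onRequest', async (request, reply) => {
+const userInput = request.query.onRequest; // $ MISSING: Source[js/code-injection]
+if (userInput) request.evalResult = eval(userInput); // $ MISSING: Alert[js/code-injection]
+});
+
+fastify.addHook('onSend', async (request, reply, payload) => {
+const userInput = request.query.onSend; // $ MISSING: Source[js/code-injection]
+if (userInput) request.evalResult = eval(userInput); // $ MISSING: Alert[js/code-injection]
+return JSON.stringify({ ...JSON.parse(payload), onSend: request.evalResult });
+});
+
+fastify.addHook('preParsing', async (request, reply, payload) => {
+const userInput = request.query.preParsing; // $ MISSING: Source[js/code-injection]
+if (userInput) request.evalResult = eval(userInput); // $ MISSING: Alert[js/code-injection]
+return payload;
+});
+
+fastify.addHook('preValidation', async (request, reply) => {
+const userInput = request.query.preValidation; // $ MISSING: Source[js/code-injection]
+if (userInput) request.evalResult = eval(userInput); // $ MISSING: Alert[js/code-injection]
+});
+
+fastify.addHook('preHandler', async (request, reply) => {
+const userInput = request.query.preHandler; // $ MISSING: Source[js/code-injection]
+if (userInput) request.evalResult = eval(userInput); // $ MISSING: Alert[js/code-injection]
+});
+
+fastify.addHook('preSerialization', async (request, reply, payload) => {
+const userInput = request.query.preSerialization; // $ MISSING: Source[js/code-injection]
+if (userInput) request.evalResult = eval(userInput); // $ MISSING: Alert[js/code-injection]
+return payload;
+});
+
+fastify.addHook('onResponse', async (request, reply) => {
+const userInput = request.query.onResponse; // $ MISSING: Source[js/code-injection]
+if (userInput) request.evalResult = eval(userInput); // $ MISSING: Alert[js/code-injection]
+});
+
+fastify.addHook('onError', async (request, reply, error) => {
+const userInput = request.query.onError; // $ MISSING: Source[js/code-injection]
+if (userInput) request.evalResult = eval(userInput); // $ MISSING: Alert[js/code-injection]
+});
+
+fastify.addHook('onTimeout', async (request, reply) => {
+const userInput = request.query.onTimeout; // $ MISSING: Source[js/code-injection]
+if (userInput) request.evalResult = eval(userInput); // $ MISSING: Alert[js/code-injection]
+});
+
+fastify.addHook('onRequestAbort', (request, done) => {
+const userInput = request.query.onRequestAbort; // $ MISSING: Source[js/code-injection]
+if (userInput) request.evalResult = eval(userInput); // $ MISSING: Alert[js/code-injection]
+});
+
+fastify.get('/dangerous', async (request, reply) => {
+const userInput = request.query.input; // $ Source[js/code-injection]
+if (userInput) request.evalResult = eval(userInput); // $ Alert[js/code-injection]
+const result = eval(userInput); // $ Alert[js/code-injection]
+return { result };
+});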
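Review bot: The `onRequestAbort` hook is the only callback-style handler in this fixture and it never calls `done()`, while every other hook is `async`, so the three-argument `(request, reply, done)` form of `addHook` has no `MISSING` expectation at all. If the hook modelling that these annotations anticipate ends up matching only async handlers plus the two-argument abort form, the annotations here could all be cleared while callback-style hooks reading `request.query` into `eval` remain undetected. I would finish the abort hook with `done();` and add one callback-style case such as `fastify.addHook('preHandler', (request, reply, done) => { ... done(); });` carrying the same `// $ MISSING:` comments. Appending the new case after the `/dangerous` route rather than above it keeps the `fastify.js:57`–`59` locations in `CodeInjection.expected` stable; inserting `done();` on its own line would shift them and need the expected file regenerated.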
