JavaScript: Recognize ":" pseudo-directive.

Max Schaefer 2019-10-31 11:37:33 +00:00
Parent 6e6dab9ab8
Commit 311cbd824c
3 changed files: 7 additions and 0 deletions

View file

@ -44,6 +44,7 @@
| Stored cross-site scripting (`js/stored-xss`) | Fewer false-positive results | The query now recognizes more sanitizers. |
| Uncontrolled command line (`js/command-line-injection`) | More results | This query now treats responses from servers as untrusted. |
| Uncontrolled data used in path expression (`js/path-injection`) | Fewer false-positive results | This query now recognizes calls to Express `sendFile` as safe in some cases. |
| Unknown directive (`js/unknown-directive`) | Fewer false positive results | This query no longer flags uses of ":", which is sometimes used like a directive. |
## Changes to QL libraries
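Review bot: the new row's "Fewer false positive results" is hyphenated differently from the neighbouring rows ("Fewer false-positive results" in the stored-XSS and path-injection rows); use the hyphenated form for consistency. The description could also say where the ":" convention comes from, since "sometimes used like a directive" tells a reader little; the comment added in the query ("dual-use shell/node.js scripts") is the wording to reuse here, e.g. `This query no longer flags the ":" pseudo-directive used in dual-use shell/Node.js scripts.`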

View file

@ -13,6 +13,8 @@ import javascript
from Directive d
where
not d instanceof KnownDirective and
// ignore ":" pseudo-directive sometimes seen in dual-use shell/node.js scripts
not d.getExpr().getStringValue() = ":" and
// but exclude attribute top-levels: `<a href="javascript:'some-attribute-string'">`
not d.getParent() instanceof CodeInAttribute
select d, "Unknown directive: '" + truncate(d.getDirectiveText(), 20, " ... (truncated)") + "'."
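Review bot: the new `not d.getExpr().getStringValue() = ":"` clause suppresses a ":" directive wherever it occurs, including a function-level directive prologue, while the comment motivates it only for the file-level shell/Node.js polyglot shown in the test; if that narrower intent is what is wanted, consider restricting the exclusion to script top-levels (the `getParent()`/`TopLevel` pattern already used on the next line for `CodeInAttribute` would fit), or state in the comment that the broader suppression is an accepted trade-off. Minor: after the insertion, the existing comment "but exclude attribute top-levels" now reads as contrasting with the ":" line rather than with the `KnownDirective` condition it originally followed; moving the ":" clause below the `CodeInAttribute` check, or rewording the comment, would restore the flow.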

View file

@ -0,0 +1,4 @@
#!/bin/sh
":" //# ; exec /usr/bin/env node "$0" "$@"
console.log('javascript');
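Review bot: this test file only exercises the negative case (the ":" polyglot header must produce no alert, and the commit touches no expected-output file, so the expected result stays empty); a companion positive case, such as another unrecognised directive string in the same file or a ":" directive inside a function body, would show that the new exclusion is as narrow as intended and that the query still reports genuine unknown directives.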