зеркало из https://github.com/github/codeql.git
JS: add security tests for malicious torrents
This commit is contained in:
Родитель
bea59ec8ad
Коммит
cc768345d0
|
@ -28,4 +28,9 @@ module StoredXss {
|
|||
class FileNameSourceAsSource extends Source {
|
||||
FileNameSourceAsSource() { this instanceof FileNameSource }
|
||||
}
|
||||
|
||||
/** User-controlled torrent information, considered as a flow source for stored XSS. */
|
||||
class UserControlledTorrentInfoAsSource extends Source {
|
||||
UserControlledTorrentInfoAsSource() { this instanceof ParseTorrent::UserControlledTorrentInfo }
|
||||
}
|
||||
}
|
||||
|
|
|
@ -1183,6 +1183,26 @@ nodes
|
|||
| tainted-sendFile.js:25:34:25:45 | req.params.x |
|
||||
| tainted-sendFile.js:25:34:25:45 | req.params.x |
|
||||
| tainted-sendFile.js:25:34:25:45 | req.params.x |
|
||||
| torrents.js:5:6:5:38 | name |
|
||||
| torrents.js:5:6:5:38 | name |
|
||||
| torrents.js:5:6:5:38 | name |
|
||||
| torrents.js:5:13:5:38 | parseTo ... t).name |
|
||||
| torrents.js:5:13:5:38 | parseTo ... t).name |
|
||||
| torrents.js:5:13:5:38 | parseTo ... t).name |
|
||||
| torrents.js:5:13:5:38 | parseTo ... t).name |
|
||||
| torrents.js:6:6:6:45 | loc |
|
||||
| torrents.js:6:6:6:45 | loc |
|
||||
| torrents.js:6:6:6:45 | loc |
|
||||
| torrents.js:6:12:6:45 | dir + " ... t.data" |
|
||||
| torrents.js:6:12:6:45 | dir + " ... t.data" |
|
||||
| torrents.js:6:12:6:45 | dir + " ... t.data" |
|
||||
| torrents.js:6:24:6:27 | name |
|
||||
| torrents.js:6:24:6:27 | name |
|
||||
| torrents.js:6:24:6:27 | name |
|
||||
| torrents.js:7:25:7:27 | loc |
|
||||
| torrents.js:7:25:7:27 | loc |
|
||||
| torrents.js:7:25:7:27 | loc |
|
||||
| torrents.js:7:25:7:27 | loc |
|
||||
| views.js:1:43:1:55 | req.params[0] |
|
||||
| views.js:1:43:1:55 | req.params[0] |
|
||||
| views.js:1:43:1:55 | req.params[0] |
|
||||
|
@ -2910,6 +2930,27 @@ edges
|
|||
| tainted-sendFile.js:25:34:25:45 | req.params.x | tainted-sendFile.js:25:16:25:46 | path.jo ... rams.x) |
|
||||
| tainted-sendFile.js:25:34:25:45 | req.params.x | tainted-sendFile.js:25:16:25:46 | path.jo ... rams.x) |
|
||||
| tainted-sendFile.js:25:34:25:45 | req.params.x | tainted-sendFile.js:25:16:25:46 | path.jo ... rams.x) |
|
||||
| torrents.js:5:6:5:38 | name | torrents.js:6:24:6:27 | name |
|
||||
| torrents.js:5:6:5:38 | name | torrents.js:6:24:6:27 | name |
|
||||
| torrents.js:5:6:5:38 | name | torrents.js:6:24:6:27 | name |
|
||||
| torrents.js:5:13:5:38 | parseTo ... t).name | torrents.js:5:6:5:38 | name |
|
||||
| torrents.js:5:13:5:38 | parseTo ... t).name | torrents.js:5:6:5:38 | name |
|
||||
| torrents.js:5:13:5:38 | parseTo ... t).name | torrents.js:5:6:5:38 | name |
|
||||
| torrents.js:5:13:5:38 | parseTo ... t).name | torrents.js:5:6:5:38 | name |
|
||||
| torrents.js:5:13:5:38 | parseTo ... t).name | torrents.js:5:6:5:38 | name |
|
||||
| torrents.js:5:13:5:38 | parseTo ... t).name | torrents.js:5:6:5:38 | name |
|
||||
| torrents.js:6:6:6:45 | loc | torrents.js:7:25:7:27 | loc |
|
||||
| torrents.js:6:6:6:45 | loc | torrents.js:7:25:7:27 | loc |
|
||||
| torrents.js:6:6:6:45 | loc | torrents.js:7:25:7:27 | loc |
|
||||
| torrents.js:6:6:6:45 | loc | torrents.js:7:25:7:27 | loc |
|
||||
| torrents.js:6:6:6:45 | loc | torrents.js:7:25:7:27 | loc |
|
||||
| torrents.js:6:6:6:45 | loc | torrents.js:7:25:7:27 | loc |
|
||||
| torrents.js:6:12:6:45 | dir + " ... t.data" | torrents.js:6:6:6:45 | loc |
|
||||
| torrents.js:6:12:6:45 | dir + " ... t.data" | torrents.js:6:6:6:45 | loc |
|
||||
| torrents.js:6:12:6:45 | dir + " ... t.data" | torrents.js:6:6:6:45 | loc |
|
||||
| torrents.js:6:24:6:27 | name | torrents.js:6:12:6:45 | dir + " ... t.data" |
|
||||
| torrents.js:6:24:6:27 | name | torrents.js:6:12:6:45 | dir + " ... t.data" |
|
||||
| torrents.js:6:24:6:27 | name | torrents.js:6:12:6:45 | dir + " ... t.data" |
|
||||
| views.js:1:43:1:55 | req.params[0] | views.js:1:43:1:55 | req.params[0] |
|
||||
#select
|
||||
| TaintedPath-es6.js:10:26:10:45 | join("public", path) | TaintedPath-es6.js:7:20:7:26 | req.url | TaintedPath-es6.js:10:26:10:45 | join("public", path) | This path depends on $@. | TaintedPath-es6.js:7:20:7:26 | req.url | a user-provided value |
|
||||
|
@ -2981,4 +3022,5 @@ edges
|
|||
| tainted-sendFile.js:18:43:18:58 | req.param("dir") | tainted-sendFile.js:18:43:18:58 | req.param("dir") | tainted-sendFile.js:18:43:18:58 | req.param("dir") | This path depends on $@. | tainted-sendFile.js:18:43:18:58 | req.param("dir") | a user-provided value |
|
||||
| tainted-sendFile.js:24:16:24:49 | path.re ... rams.x) | tainted-sendFile.js:24:37:24:48 | req.params.x | tainted-sendFile.js:24:16:24:49 | path.re ... rams.x) | This path depends on $@. | tainted-sendFile.js:24:37:24:48 | req.params.x | a user-provided value |
|
||||
| tainted-sendFile.js:25:16:25:46 | path.jo ... rams.x) | tainted-sendFile.js:25:34:25:45 | req.params.x | tainted-sendFile.js:25:16:25:46 | path.jo ... rams.x) | This path depends on $@. | tainted-sendFile.js:25:34:25:45 | req.params.x | a user-provided value |
|
||||
| torrents.js:7:25:7:27 | loc | torrents.js:5:13:5:38 | parseTo ... t).name | torrents.js:7:25:7:27 | loc | This path depends on $@. | torrents.js:5:13:5:38 | parseTo ... t).name | a user-provided value |
|
||||
| views.js:1:43:1:55 | req.params[0] | views.js:1:43:1:55 | req.params[0] | views.js:1:43:1:55 | req.params[0] | This path depends on $@. | views.js:1:43:1:55 | req.params[0] | a user-provided value |
|
||||
|
|
|
@ -0,0 +1,8 @@
|
|||
const parseTorrent = require('parse-torrent'),
|
||||
fs = require('fs');
|
||||
|
||||
function getTorrentData(dir, torrent){
|
||||
let name = parseTorrent(torrent).name,
|
||||
loc = dir + "/" + name + ".torrent.data";
|
||||
return fs.readFileSync(loc); // NOT OK
|
||||
}
|
|
@ -19,6 +19,11 @@ nodes
|
|||
| xss-through-filenames.js:35:29:35:34 | files2 |
|
||||
| xss-through-filenames.js:37:19:37:24 | files3 |
|
||||
| xss-through-filenames.js:37:19:37:24 | files3 |
|
||||
| xss-through-torrent.js:6:6:6:24 | name |
|
||||
| xss-through-torrent.js:6:13:6:24 | torrent.name |
|
||||
| xss-through-torrent.js:6:13:6:24 | torrent.name |
|
||||
| xss-through-torrent.js:7:11:7:14 | name |
|
||||
| xss-through-torrent.js:7:11:7:14 | name |
|
||||
edges
|
||||
| xss-through-filenames.js:7:43:7:48 | files1 | xss-through-filenames.js:8:18:8:23 | files1 |
|
||||
| xss-through-filenames.js:7:43:7:48 | files1 | xss-through-filenames.js:8:18:8:23 | files1 |
|
||||
|
@ -41,8 +46,13 @@ edges
|
|||
| xss-through-filenames.js:35:13:35:35 | files3 | xss-through-filenames.js:37:19:37:24 | files3 |
|
||||
| xss-through-filenames.js:35:22:35:35 | format(files2) | xss-through-filenames.js:35:13:35:35 | files3 |
|
||||
| xss-through-filenames.js:35:29:35:34 | files2 | xss-through-filenames.js:35:22:35:35 | format(files2) |
|
||||
| xss-through-torrent.js:6:6:6:24 | name | xss-through-torrent.js:7:11:7:14 | name |
|
||||
| xss-through-torrent.js:6:6:6:24 | name | xss-through-torrent.js:7:11:7:14 | name |
|
||||
| xss-through-torrent.js:6:13:6:24 | torrent.name | xss-through-torrent.js:6:6:6:24 | name |
|
||||
| xss-through-torrent.js:6:13:6:24 | torrent.name | xss-through-torrent.js:6:6:6:24 | name |
|
||||
#select
|
||||
| xss-through-filenames.js:8:18:8:23 | files1 | xss-through-filenames.js:7:43:7:48 | files1 | xss-through-filenames.js:8:18:8:23 | files1 | Stored cross-site scripting vulnerability due to $@. | xss-through-filenames.js:7:43:7:48 | files1 | stored value |
|
||||
| xss-through-filenames.js:26:19:26:24 | files1 | xss-through-filenames.js:25:43:25:48 | files1 | xss-through-filenames.js:26:19:26:24 | files1 | Stored cross-site scripting vulnerability due to $@. | xss-through-filenames.js:25:43:25:48 | files1 | stored value |
|
||||
| xss-through-filenames.js:33:19:33:24 | files2 | xss-through-filenames.js:25:43:25:48 | files1 | xss-through-filenames.js:33:19:33:24 | files2 | Stored cross-site scripting vulnerability due to $@. | xss-through-filenames.js:25:43:25:48 | files1 | stored value |
|
||||
| xss-through-filenames.js:37:19:37:24 | files3 | xss-through-filenames.js:25:43:25:48 | files1 | xss-through-filenames.js:37:19:37:24 | files3 | Stored cross-site scripting vulnerability due to $@. | xss-through-filenames.js:25:43:25:48 | files1 | stored value |
|
||||
| xss-through-torrent.js:7:11:7:14 | name | xss-through-torrent.js:6:13:6:24 | torrent.name | xss-through-torrent.js:7:11:7:14 | name | Stored cross-site scripting vulnerability due to $@. | xss-through-torrent.js:6:13:6:24 | torrent.name | stored value |
|
||||
|
|
|
@ -0,0 +1,8 @@
|
|||
const parseTorrent = require('parse-torrent'),
|
||||
express = require('express');
|
||||
|
||||
express().get('/user/:id', function(req, res) {
|
||||
let torrent = parseTorrent(unknown),
|
||||
name = torrent.name;
|
||||
res.send(name); // NOT OK
|
||||
});
|
Загрузка…
Ссылка в новой задаче