diff --git a/change-notes/1.20/analysis-javascript.md b/change-notes/1.20/analysis-javascript.md index af8bb984ae8a..f7282d3cd2cf 100644 --- a/change-notes/1.20/analysis-javascript.md +++ b/change-notes/1.20/analysis-javascript.md @@ -2,7 +2,7 @@ ## General improvements -* Support for popular libraries has been improved. Consequently, queries may produce more results on code bases that use the following features: +* Support for popular libraries has been improved. Consequently, queries may produce better results on code bases that use the following features: - client-side code, for example [React](https://reactjs.org/) - cookies and webstorage, for example [js-cookie](https://github.com/js-cookie/js-cookie) - server-side code, for example [hapi](https://hapijs.com/) diff --git a/javascript/ql/src/semmle/javascript/security/dataflow/RemoteFlowSources.qll b/javascript/ql/src/semmle/javascript/security/dataflow/RemoteFlowSources.qll index 964f9e988ef3..17fdbe228897 100644 --- a/javascript/ql/src/semmle/javascript/security/dataflow/RemoteFlowSources.qll +++ b/javascript/ql/src/semmle/javascript/security/dataflow/RemoteFlowSources.qll @@ -16,17 +16,3 @@ abstract class RemoteFlowSource extends DataFlow::Node { */ predicate isUserControlledObject() { none() } } - -/** - * An access to `document.cookie`, viewed as a source of remote user input. - */ -private class DocumentCookieSource extends RemoteFlowSource, DataFlow::ValueNode { - DocumentCookieSource() { - isDocument(astNode.(PropAccess).getBase()) and - astNode.(PropAccess).getPropertyName() = "cookie" - } - - override string getSourceType() { - result = "document.cookie" - } -} diff --git a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath.expected b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath.expected index 7a73a250542c..c843ca6cca2d 100644 --- a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath.expected +++ b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath.expected @@ -53,7 +53,7 @@ nodes | TaintedPath.js:65:54:65:57 | path | | TaintedPath.js:67:29:67:61 | pathMod ... h(path) | | TaintedPath.js:67:57:67:60 | path | -| TaintedPath.js:78:26:78:40 | document.cookie | +| TaintedPath.js:78:26:78:45 | Cookie.get("unsafe") | | TaintedPath.js:84:31:84:70 | require ... eq.url) | | TaintedPath.js:84:31:84:76 | require ... ).query | | TaintedPath.js:84:63:84:69 | req.url | @@ -64,6 +64,9 @@ nodes | TaintedPath.js:86:31:86:73 | require ... ).query | | TaintedPath.js:86:60:86:66 | req.url | | TaintedPath.js:94:48:94:60 | req.params[0] | +| TaintedPath.js:102:30:102:31 | ev | +| TaintedPath.js:103:24:103:25 | ev | +| TaintedPath.js:103:24:103:30 | ev.data | | tainted-array-steps.js:9:7:9:48 | path | | tainted-array-steps.js:9:14:9:37 | url.par ... , true) | | tainted-array-steps.js:9:14:9:43 | url.par ... ).query | @@ -143,6 +146,9 @@ edges | TaintedPath.js:85:61:85:67 | req.url | TaintedPath.js:85:31:85:68 | require ... eq.url) | | TaintedPath.js:86:31:86:67 | require ... eq.url) | TaintedPath.js:86:31:86:73 | require ... ).query | | TaintedPath.js:86:60:86:66 | req.url | TaintedPath.js:86:31:86:67 | require ... eq.url) | +| TaintedPath.js:102:30:102:31 | ev | TaintedPath.js:103:24:103:25 | ev | +| TaintedPath.js:103:24:103:25 | ev | TaintedPath.js:103:24:103:30 | ev.data | +| TaintedPath.js:103:24:103:30 | ev.data | TaintedPath.js:78:26:78:45 | Cookie.get("unsafe") | | tainted-array-steps.js:9:7:9:48 | path | tainted-array-steps.js:11:40:11:43 | path | | tainted-array-steps.js:9:7:9:48 | path | tainted-array-steps.js:13:26:13:29 | path | | tainted-array-steps.js:9:14:9:37 | url.par ... , true) | tainted-array-steps.js:9:14:9:43 | url.par ... ).query | @@ -178,7 +184,7 @@ edges | TaintedPath.js:63:29:63:52 | pathMod ... e(path) | TaintedPath.js:45:20:45:26 | req.url | TaintedPath.js:63:29:63:52 | pathMod ... e(path) | This path depends on $@. | TaintedPath.js:45:20:45:26 | req.url | a user-provided value | | TaintedPath.js:65:29:65:61 | pathMod ... ath, z) | TaintedPath.js:45:20:45:26 | req.url | TaintedPath.js:65:29:65:61 | pathMod ... ath, z) | This path depends on $@. | TaintedPath.js:45:20:45:26 | req.url | a user-provided value | | TaintedPath.js:67:29:67:61 | pathMod ... h(path) | TaintedPath.js:45:20:45:26 | req.url | TaintedPath.js:67:29:67:61 | pathMod ... h(path) | This path depends on $@. | TaintedPath.js:45:20:45:26 | req.url | a user-provided value | -| TaintedPath.js:78:26:78:40 | document.cookie | TaintedPath.js:78:26:78:40 | document.cookie | TaintedPath.js:78:26:78:40 | document.cookie | This path depends on $@. | TaintedPath.js:78:26:78:40 | document.cookie | a user-provided value | +| TaintedPath.js:78:26:78:45 | Cookie.get("unsafe") | TaintedPath.js:102:30:102:31 | ev | TaintedPath.js:78:26:78:45 | Cookie.get("unsafe") | This path depends on $@. | TaintedPath.js:102:30:102:31 | ev | a user-provided value | | TaintedPath.js:84:31:84:76 | require ... ).query | TaintedPath.js:84:63:84:69 | req.url | TaintedPath.js:84:31:84:76 | require ... ).query | This path depends on $@. | TaintedPath.js:84:63:84:69 | req.url | a user-provided value | | TaintedPath.js:85:31:85:74 | require ... ).query | TaintedPath.js:85:61:85:67 | req.url | TaintedPath.js:85:31:85:74 | require ... ).query | This path depends on $@. | TaintedPath.js:85:61:85:67 | req.url | a user-provided value | | TaintedPath.js:86:31:86:73 | require ... ).query | TaintedPath.js:86:60:86:66 | req.url | TaintedPath.js:86:31:86:73 | require ... ).query | This path depends on $@. | TaintedPath.js:86:60:86:66 | req.url | a user-provided value | diff --git a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath.js b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath.js index 2938a655b0f4..f1baffc2448c 100644 --- a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath.js +++ b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath.js @@ -75,7 +75,7 @@ angular.module('myApp', []) }) .directive('myCustomer', function() { return { - templateUrl: document.cookie // NOT OK + templateUrl: Cookie.get("unsafe") // NOT OK } }) @@ -98,3 +98,7 @@ var server = http.createServer(function(req, res) { application.get('/views/*', views_imported); })(); + +addEventListener('message', (ev) => { + Cookie.set("unsafe", ev.data); +}); diff --git a/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection.expected b/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection.expected index 3abab2036520..7bcc540ca4b1 100644 --- a/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection.expected +++ b/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection.expected @@ -1,18 +1,32 @@ nodes -| angularjs.js:10:22:10:36 | document.cookie | -| angularjs.js:13:23:13:37 | document.cookie | -| angularjs.js:16:28:16:42 | document.cookie | -| angularjs.js:19:22:19:36 | document.cookie | -| angularjs.js:22:27:22:41 | document.cookie | -| angularjs.js:25:23:25:37 | document.cookie | -| angularjs.js:28:33:28:47 | document.cookie | -| angularjs.js:31:28:31:42 | document.cookie | -| angularjs.js:34:18:34:32 | document.cookie | -| angularjs.js:40:18:40:32 | document.cookie | -| angularjs.js:44:17:44:31 | document.cookie | -| angularjs.js:47:16:47:30 | document.cookie | -| angularjs.js:50:22:50:36 | document.cookie | -| angularjs.js:53:32:53:46 | document.cookie | +| angularjs.js:10:22:10:29 | location | +| angularjs.js:10:22:10:36 | location.search | +| angularjs.js:13:23:13:30 | location | +| angularjs.js:13:23:13:37 | location.search | +| angularjs.js:16:28:16:35 | location | +| angularjs.js:16:28:16:42 | location.search | +| angularjs.js:19:22:19:29 | location | +| angularjs.js:19:22:19:36 | location.search | +| angularjs.js:22:27:22:34 | location | +| angularjs.js:22:27:22:41 | location.search | +| angularjs.js:25:23:25:30 | location | +| angularjs.js:25:23:25:37 | location.search | +| angularjs.js:28:33:28:40 | location | +| angularjs.js:28:33:28:47 | location.search | +| angularjs.js:31:28:31:35 | location | +| angularjs.js:31:28:31:42 | location.search | +| angularjs.js:34:18:34:25 | location | +| angularjs.js:34:18:34:32 | location.search | +| angularjs.js:40:18:40:25 | location | +| angularjs.js:40:18:40:32 | location.search | +| angularjs.js:44:17:44:24 | location | +| angularjs.js:44:17:44:31 | location.search | +| angularjs.js:47:16:47:23 | location | +| angularjs.js:47:16:47:30 | location.search | +| angularjs.js:50:22:50:29 | location | +| angularjs.js:50:22:50:36 | location.search | +| angularjs.js:53:32:53:39 | location | +| angularjs.js:53:32:53:46 | location.search | | eslint-escope-build.js:20:22:20:22 | c | | eslint-escope-build.js:21:16:21:16 | c | | express.js:7:24:7:62 | "return ... obble") | @@ -33,13 +47,28 @@ nodes | tst.js:2:6:2:83 | documen ... t=")+8) | | tst.js:5:12:5:28 | document.location | | tst.js:5:12:5:33 | documen ... on.hash | -| tst.js:14:10:14:24 | document.cookie | -| tst.js:14:10:14:65 | documen ... , "$1") | +| tst.js:14:10:14:26 | document.location | +| tst.js:14:10:14:33 | documen ... .search | +| tst.js:14:10:14:74 | documen ... , "$1") | | tst.js:17:21:17:37 | document.location | | tst.js:17:21:17:42 | documen ... on.hash | | tst.js:20:30:20:46 | document.location | | tst.js:20:30:20:51 | documen ... on.hash | edges +| angularjs.js:10:22:10:29 | location | angularjs.js:10:22:10:36 | location.search | +| angularjs.js:13:23:13:30 | location | angularjs.js:13:23:13:37 | location.search | +| angularjs.js:16:28:16:35 | location | angularjs.js:16:28:16:42 | location.search | +| angularjs.js:19:22:19:29 | location | angularjs.js:19:22:19:36 | location.search | +| angularjs.js:22:27:22:34 | location | angularjs.js:22:27:22:41 | location.search | +| angularjs.js:25:23:25:30 | location | angularjs.js:25:23:25:37 | location.search | +| angularjs.js:28:33:28:40 | location | angularjs.js:28:33:28:47 | location.search | +| angularjs.js:31:28:31:35 | location | angularjs.js:31:28:31:42 | location.search | +| angularjs.js:34:18:34:25 | location | angularjs.js:34:18:34:32 | location.search | +| angularjs.js:40:18:40:25 | location | angularjs.js:40:18:40:32 | location.search | +| angularjs.js:44:17:44:24 | location | angularjs.js:44:17:44:31 | location.search | +| angularjs.js:47:16:47:23 | location | angularjs.js:47:16:47:30 | location.search | +| angularjs.js:50:22:50:29 | location | angularjs.js:50:22:50:36 | location.search | +| angularjs.js:53:32:53:39 | location | angularjs.js:53:32:53:46 | location.search | | eslint-escope-build.js:20:22:20:22 | c | eslint-escope-build.js:21:16:21:16 | c | | express.js:7:24:7:62 | "return ... obble") | express.js:7:24:7:69 | "return ... + "];" | | express.js:7:44:7:62 | req.param("wobble") | express.js:7:24:7:62 | "return ... obble") | @@ -53,24 +82,25 @@ edges | tst.js:2:6:2:22 | document.location | tst.js:2:6:2:27 | documen ... on.href | | tst.js:2:6:2:27 | documen ... on.href | tst.js:2:6:2:83 | documen ... t=")+8) | | tst.js:5:12:5:28 | document.location | tst.js:5:12:5:33 | documen ... on.hash | -| tst.js:14:10:14:24 | document.cookie | tst.js:14:10:14:65 | documen ... , "$1") | +| tst.js:14:10:14:26 | document.location | tst.js:14:10:14:33 | documen ... .search | +| tst.js:14:10:14:33 | documen ... .search | tst.js:14:10:14:74 | documen ... , "$1") | | tst.js:17:21:17:37 | document.location | tst.js:17:21:17:42 | documen ... on.hash | | tst.js:20:30:20:46 | document.location | tst.js:20:30:20:51 | documen ... on.hash | #select -| angularjs.js:10:22:10:36 | document.cookie | angularjs.js:10:22:10:36 | document.cookie | angularjs.js:10:22:10:36 | document.cookie | $@ flows to here and is interpreted as code. | angularjs.js:10:22:10:36 | document.cookie | User-provided value | -| angularjs.js:13:23:13:37 | document.cookie | angularjs.js:13:23:13:37 | document.cookie | angularjs.js:13:23:13:37 | document.cookie | $@ flows to here and is interpreted as code. | angularjs.js:13:23:13:37 | document.cookie | User-provided value | -| angularjs.js:16:28:16:42 | document.cookie | angularjs.js:16:28:16:42 | document.cookie | angularjs.js:16:28:16:42 | document.cookie | $@ flows to here and is interpreted as code. | angularjs.js:16:28:16:42 | document.cookie | User-provided value | -| angularjs.js:19:22:19:36 | document.cookie | angularjs.js:19:22:19:36 | document.cookie | angularjs.js:19:22:19:36 | document.cookie | $@ flows to here and is interpreted as code. | angularjs.js:19:22:19:36 | document.cookie | User-provided value | -| angularjs.js:22:27:22:41 | document.cookie | angularjs.js:22:27:22:41 | document.cookie | angularjs.js:22:27:22:41 | document.cookie | $@ flows to here and is interpreted as code. | angularjs.js:22:27:22:41 | document.cookie | User-provided value | -| angularjs.js:25:23:25:37 | document.cookie | angularjs.js:25:23:25:37 | document.cookie | angularjs.js:25:23:25:37 | document.cookie | $@ flows to here and is interpreted as code. | angularjs.js:25:23:25:37 | document.cookie | User-provided value | -| angularjs.js:28:33:28:47 | document.cookie | angularjs.js:28:33:28:47 | document.cookie | angularjs.js:28:33:28:47 | document.cookie | $@ flows to here and is interpreted as code. | angularjs.js:28:33:28:47 | document.cookie | User-provided value | -| angularjs.js:31:28:31:42 | document.cookie | angularjs.js:31:28:31:42 | document.cookie | angularjs.js:31:28:31:42 | document.cookie | $@ flows to here and is interpreted as code. | angularjs.js:31:28:31:42 | document.cookie | User-provided value | -| angularjs.js:34:18:34:32 | document.cookie | angularjs.js:34:18:34:32 | document.cookie | angularjs.js:34:18:34:32 | document.cookie | $@ flows to here and is interpreted as code. | angularjs.js:34:18:34:32 | document.cookie | User-provided value | -| angularjs.js:40:18:40:32 | document.cookie | angularjs.js:40:18:40:32 | document.cookie | angularjs.js:40:18:40:32 | document.cookie | $@ flows to here and is interpreted as code. | angularjs.js:40:18:40:32 | document.cookie | User-provided value | -| angularjs.js:44:17:44:31 | document.cookie | angularjs.js:44:17:44:31 | document.cookie | angularjs.js:44:17:44:31 | document.cookie | $@ flows to here and is interpreted as code. | angularjs.js:44:17:44:31 | document.cookie | User-provided value | -| angularjs.js:47:16:47:30 | document.cookie | angularjs.js:47:16:47:30 | document.cookie | angularjs.js:47:16:47:30 | document.cookie | $@ flows to here and is interpreted as code. | angularjs.js:47:16:47:30 | document.cookie | User-provided value | -| angularjs.js:50:22:50:36 | document.cookie | angularjs.js:50:22:50:36 | document.cookie | angularjs.js:50:22:50:36 | document.cookie | $@ flows to here and is interpreted as code. | angularjs.js:50:22:50:36 | document.cookie | User-provided value | -| angularjs.js:53:32:53:46 | document.cookie | angularjs.js:53:32:53:46 | document.cookie | angularjs.js:53:32:53:46 | document.cookie | $@ flows to here and is interpreted as code. | angularjs.js:53:32:53:46 | document.cookie | User-provided value | +| angularjs.js:10:22:10:36 | location.search | angularjs.js:10:22:10:29 | location | angularjs.js:10:22:10:36 | location.search | $@ flows to here and is interpreted as code. | angularjs.js:10:22:10:29 | location | User-provided value | +| angularjs.js:13:23:13:37 | location.search | angularjs.js:13:23:13:30 | location | angularjs.js:13:23:13:37 | location.search | $@ flows to here and is interpreted as code. | angularjs.js:13:23:13:30 | location | User-provided value | +| angularjs.js:16:28:16:42 | location.search | angularjs.js:16:28:16:35 | location | angularjs.js:16:28:16:42 | location.search | $@ flows to here and is interpreted as code. | angularjs.js:16:28:16:35 | location | User-provided value | +| angularjs.js:19:22:19:36 | location.search | angularjs.js:19:22:19:29 | location | angularjs.js:19:22:19:36 | location.search | $@ flows to here and is interpreted as code. | angularjs.js:19:22:19:29 | location | User-provided value | +| angularjs.js:22:27:22:41 | location.search | angularjs.js:22:27:22:34 | location | angularjs.js:22:27:22:41 | location.search | $@ flows to here and is interpreted as code. | angularjs.js:22:27:22:34 | location | User-provided value | +| angularjs.js:25:23:25:37 | location.search | angularjs.js:25:23:25:30 | location | angularjs.js:25:23:25:37 | location.search | $@ flows to here and is interpreted as code. | angularjs.js:25:23:25:30 | location | User-provided value | +| angularjs.js:28:33:28:47 | location.search | angularjs.js:28:33:28:40 | location | angularjs.js:28:33:28:47 | location.search | $@ flows to here and is interpreted as code. | angularjs.js:28:33:28:40 | location | User-provided value | +| angularjs.js:31:28:31:42 | location.search | angularjs.js:31:28:31:35 | location | angularjs.js:31:28:31:42 | location.search | $@ flows to here and is interpreted as code. | angularjs.js:31:28:31:35 | location | User-provided value | +| angularjs.js:34:18:34:32 | location.search | angularjs.js:34:18:34:25 | location | angularjs.js:34:18:34:32 | location.search | $@ flows to here and is interpreted as code. | angularjs.js:34:18:34:25 | location | User-provided value | +| angularjs.js:40:18:40:32 | location.search | angularjs.js:40:18:40:25 | location | angularjs.js:40:18:40:32 | location.search | $@ flows to here and is interpreted as code. | angularjs.js:40:18:40:25 | location | User-provided value | +| angularjs.js:44:17:44:31 | location.search | angularjs.js:44:17:44:24 | location | angularjs.js:44:17:44:31 | location.search | $@ flows to here and is interpreted as code. | angularjs.js:44:17:44:24 | location | User-provided value | +| angularjs.js:47:16:47:30 | location.search | angularjs.js:47:16:47:23 | location | angularjs.js:47:16:47:30 | location.search | $@ flows to here and is interpreted as code. | angularjs.js:47:16:47:23 | location | User-provided value | +| angularjs.js:50:22:50:36 | location.search | angularjs.js:50:22:50:29 | location | angularjs.js:50:22:50:36 | location.search | $@ flows to here and is interpreted as code. | angularjs.js:50:22:50:29 | location | User-provided value | +| angularjs.js:53:32:53:46 | location.search | angularjs.js:53:32:53:39 | location | angularjs.js:53:32:53:46 | location.search | $@ flows to here and is interpreted as code. | angularjs.js:53:32:53:39 | location | User-provided value | | eslint-escope-build.js:21:16:21:16 | c | eslint-escope-build.js:20:22:20:22 | c | eslint-escope-build.js:21:16:21:16 | c | $@ flows to here and is interpreted as code. | eslint-escope-build.js:20:22:20:22 | c | User-provided value | | express.js:7:24:7:69 | "return ... + "];" | express.js:7:44:7:62 | req.param("wobble") | express.js:7:24:7:69 | "return ... + "];" | $@ flows to here and is interpreted as code. | express.js:7:44:7:62 | req.param("wobble") | User-provided value | | express.js:9:34:9:79 | "return ... + "];" | express.js:9:54:9:72 | req.param("wobble") | express.js:9:34:9:79 | "return ... + "];" | $@ flows to here and is interpreted as code. | express.js:9:54:9:72 | req.param("wobble") | User-provided value | @@ -79,6 +109,6 @@ edges | react-native.js:10:23:10:29 | tainted | react-native.js:7:17:7:33 | req.param("code") | react-native.js:10:23:10:29 | tainted | $@ flows to here and is interpreted as code. | react-native.js:7:17:7:33 | req.param("code") | User-provided value | | tst.js:2:6:2:83 | documen ... t=")+8) | tst.js:2:6:2:22 | document.location | tst.js:2:6:2:83 | documen ... t=")+8) | $@ flows to here and is interpreted as code. | tst.js:2:6:2:22 | document.location | User-provided value | | tst.js:5:12:5:33 | documen ... on.hash | tst.js:5:12:5:28 | document.location | tst.js:5:12:5:33 | documen ... on.hash | $@ flows to here and is interpreted as code. | tst.js:5:12:5:28 | document.location | User-provided value | -| tst.js:14:10:14:65 | documen ... , "$1") | tst.js:14:10:14:24 | document.cookie | tst.js:14:10:14:65 | documen ... , "$1") | $@ flows to here and is interpreted as code. | tst.js:14:10:14:24 | document.cookie | User-provided value | +| tst.js:14:10:14:74 | documen ... , "$1") | tst.js:14:10:14:26 | document.location | tst.js:14:10:14:74 | documen ... , "$1") | $@ flows to here and is interpreted as code. | tst.js:14:10:14:26 | document.location | User-provided value | | tst.js:17:21:17:42 | documen ... on.hash | tst.js:17:21:17:37 | document.location | tst.js:17:21:17:42 | documen ... on.hash | $@ flows to here and is interpreted as code. | tst.js:17:21:17:37 | document.location | User-provided value | | tst.js:20:30:20:51 | documen ... on.hash | tst.js:20:30:20:46 | document.location | tst.js:20:30:20:51 | documen ... on.hash | $@ flows to here and is interpreted as code. | tst.js:20:30:20:46 | document.location | User-provided value | diff --git a/javascript/ql/test/query-tests/Security/CWE-094/angularjs.js b/javascript/ql/test/query-tests/Security/CWE-094/angularjs.js index 67932c540650..658d71e4c879 100644 --- a/javascript/ql/test/query-tests/Security/CWE-094/angularjs.js +++ b/javascript/ql/test/query-tests/Security/CWE-094/angularjs.js @@ -1,66 +1,66 @@ angular.module('myModule', []) .controller('MyController', function($scope) { - $scope.$on(document.cookie); // OK + $scope.$on(location.search); // OK }) .controller('MyController', function($scope) { $scope.$apply('hello'); // OK }) .controller('MyController', function($scope) { var scope = $scope; - scope.$apply(document.cookie); // BAD + scope.$apply(location.search); // BAD }) .controller('MyController', function($scope) { - $scope.$apply(document.cookie); // BAD + $scope.$apply(location.search); // BAD }) .controller('MyController', function($scope) { - $scope.$applyAsync(document.cookie); // BAD + $scope.$applyAsync(location.search); // BAD }) .controller('MyController', function($scope) { - $scope.$eval(document.cookie); // BAD + $scope.$eval(location.search); // BAD }) .controller('MyController', function($scope) { - $scope.$evalAsync(document.cookie); // BAD + $scope.$evalAsync(location.search); // BAD }) .controller('MyController', function($scope) { - $scope.$watch(document.cookie); // BAD + $scope.$watch(location.search); // BAD }) .controller('MyController', function($scope) { - $scope.$watchCollection(document.cookie); // BAD + $scope.$watchCollection(location.search); // BAD }) .controller('MyController', function($scope) { - $scope.$watchGroup(document.cookie); // BAD + $scope.$watchGroup(location.search); // BAD }) .controller('MyController', function($compile) { - $compile(document.cookie); // BAD + $compile(location.search); // BAD }) .controller('MyController', function($compile) { $compile('hello'); // OK }) .controller('MyController', function($compile) { - $compile(document.cookie); // BAD + $compile(location.search); // BAD }) .controller('MyController', function($compile) { var compile = $compile; - compile(document.cookie); // BAD + compile(location.search); // BAD }) .controller('MyController', function($parse) { - $parse(document.cookie); // BAD + $parse(location.search); // BAD }) .controller('MyController', function($interpolate) { - $interpolate(document.cookie); // BAD + $interpolate(location.search); // BAD }) .controller('MyController', function($filter) { - $filter('orderBy')([], document.cookie); // BAD + $filter('orderBy')([], location.search); // BAD }) .controller('MyController', function($filter) { $filter('orderBy')([], 'hello'); // OK }) .controller('MyController', function($filter) { - $filter('random')([], document.cookie); // OK + $filter('random')([], location.search); // OK }) .controller('MyController', function($someService) { - $someService('orderBy')([], document.cookie); // OK + $someService('orderBy')([], location.search); // OK }) .controller('MyController', function($someService) { - $someService(document.cookie); // OK - }) + $someService(location.search); // OK + }); diff --git a/javascript/ql/test/query-tests/Security/CWE-094/tst.js b/javascript/ql/test/query-tests/Security/CWE-094/tst.js index 7275275cc381..fa2b795897ba 100644 --- a/javascript/ql/test/query-tests/Security/CWE-094/tst.js +++ b/javascript/ql/test/query-tests/Security/CWE-094/tst.js @@ -11,7 +11,7 @@ setTimeout(document.location.protocol); $('. ' + document.location.hostname); // NOT OK -Function(document.cookie.replace(/.*\bfoo\s*=\s*([^;]*).*/, "$1")); +Function(document.location.search.replace(/.*\bfoo\s*=\s*([^;]*).*/, "$1")); // NOT OK WebAssembly.compile(document.location.hash);