// Test fixture (the page is forked from github/codeql): presumably a CodeQL
// inline-expectation test, where `// $ Source` marks the line on which
// request-controlled data enters and `// $ Alert` marks the lines the query
// under test is expected to flag. Those markers are test expectations, not
// ordinary comments — keep them byte-for-byte and do not append text to them.
var express = require('express');
var app = express();
// Object whose property names are chosen from request data in the handler below.
var myObj = {}
app.get('/user/:id', function(req, res) {
// The first call discards its result; only the second, whose result is
// assigned to `prop`, is marked as the source for the expected alerts.
myCoolLocalFct(req.query.userControlled);
var prop = myCoolLocalFct(req.query.userControlled); // $ Source
// Computed property write keyed by a request-controlled string: the request
// decides which property of `myObj` is written.
myObj[prop] = 23; // $ Alert
// Fixed property name, not influenced by the request: no alert expected here.
myObj.prop = 23;
var x = myObj[prop]; // OK - flagged by different query
x(23);
// Property deletion and definition under the same request-chosen name.
delete myObj[prop]; // $ Alert
Object.defineProperty(myObj, prop, {value: 24}); // $ Alert
// Same pattern applied to the header map that is handed to res.set().
var headers = {};
headers[prop] = 42; // $ Alert
res.set(headers);
myCoolLocalFct[req.query.x](); // OK - flagged by method name injection
// Keys taken from the request body (a second marked source) used as
// property names on `myObj`.
Object.keys(req.body).forEach( // $ Source
key => {
myObj[key] = 42; // $ Alert
}
);
});
/**
 * Pass-through helper used by the fixture as a local propagation step: for a
 * string input, taking the substring from 0 to the full length yields the
 * same content.
 *
 * @param {string} x - value to pass through; must support `.substring` and `.length`
 * @returns {string} the full substring of `x`
 * @throws {TypeError} if `x` is null/undefined or has no `substring` method
 */
function myCoolLocalFct(x) {
return x.substring(0, x.length);
}