const webpack = require("webpack");
// Flagged case: the whole of process.env is serialised into the DefinePlugin
// definitions. DefinePlugin substitutes these values into the compiled bundle,
// so any environment variable visible to the build (possibly credentials or
// tokens) can end up in a shipped artifact.
var plugin = new webpack.DefinePlugin({
"process.env": JSON.stringify(process.env) // $ Source[js/build-artifact-leak]
}); // $ Alert[js/build-artifact-leak]
// Unflagged case (no expectation annotation on this line): only the single
// named variable DEBUG is copied, so the rest of the environment is not exposed.
new webpack.DefinePlugin({ 'process.env': JSON.stringify({ DEBUG: process.env.DEBUG }) })
/**
 * Test fixture: builds DefinePlugin-style definitions from the entire process
 * environment.
 *
 * Every key of process.env is copied with no allow-list or prefix filter; this
 * is the flow the js/build-artifact-leak annotation below expects to be
 * reported once the result reaches a DefinePlugin constructor.
 *
 * @param {string} [env] - Seed for NODE_ENV when process.env.NODE_ENV is not
 *   set; 'development' is used if this is also falsy.
 * @returns {{raw: Object, stringified: Object}} `raw` maps each variable name
 *   to its value; `stringified` has one 'process.env' key whose object maps
 *   each name to JSON.stringify of that value.
 */
function getEnv(env) {
// Copy every environment variable into `raw`, starting from an object that
// already carries a NODE_ENV default. The reducer's `env` parameter shadows
// the outer `env` argument.
const raw = Object.keys(process.env)
.reduce((env, key) => {
env[key] = process.env[key] // $ Source[js/build-artifact-leak]
return env
}, {
NODE_ENV: process.env.NODE_ENV || env || 'development'
})
// Stringify each value individually; the unfiltered environment is still
// fully present in the result.
const stringifed = {
'process.env': Object.keys(raw).reduce((env, key) => {
env[key] = JSON.stringify(raw[key])
return env
}, {})
}
return {
raw: raw,
stringified: stringifed
}
}
// Sink for the getEnv() flow: the stringified copy of the whole environment is
// handed to DefinePlugin, so the alert is expected here rather than inside getEnv.
new webpack.DefinePlugin(getEnv('production').stringified); // $ Alert[js/build-artifact-leak]
var https = require('https');
var url = require('url');
// Flagged case with a different source: a value read from the request query
// string (the current_password parameter) is passed into DefinePlugin, so
// request-supplied secret material would be written into build definitions.
var server = https.createServer(function (req, res) {
let pw = url.parse(req.url, true).query.current_password; // $ Source[js/build-artifact-leak]
var plugin = new webpack.DefinePlugin({ "process.env.secret": JSON.stringify(pw) }); // $ Alert[js/build-artifact-leak]
});
// Negative cases: none of the DefinePlugin calls in this IIFE carries an
// expectation annotation, because each one restricts which environment
// variables are copied before they reach the sink.
(function () {
// Matches names beginning with REACT_APP_; the `i` flag makes the match
// case-insensitive.
const REACT_APP = /^REACT_APP_/i;
/**
 * Copies only the environment variables whose name passes the REACT_APP_
 * prefix test, filtering the key list before the copy.
 *
 * NOTE(review): a prefix filter limits exposure to variables deliberately
 * named for client use; it does not help if a secret is stored under that
 * prefix, since the values still end up in the bundle.
 *
 * @returns {Object} Map of matching variable names to their raw values.
 */
function getOnlyReactVariables() {
const raw = Object.keys(process.env)
.filter(key => REACT_APP.test(key)) // This filter makes it safe.
.reduce(
(env, key) => {
env[key] = process.env[key];
return env;
},
{}
);
return raw;
}
new webpack.DefinePlugin(getOnlyReactVariables());
/**
 * Same allow-by-prefix idea as getOnlyReactVariables, but the prefix test
 * guards the assignment inside the reducer instead of a separate filter step.
 *
 * @returns {Object} Map of matching variable names to their raw values.
 */
function getOnlyReactVariables2() {
const raw = Object.keys(process.env)
.reduce(
(env, key) => {
if (REACT_APP.test(key)) {
env[key] = process.env[key];
}
return env;
},
{}
);
return raw;
}
new webpack.DefinePlugin(getOnlyReactVariables2());
/**
 * Variant where the copy is guarded by an equality test on the key rather
 * than a regular expression.
 *
 * The loose comparison coerces the array to the string "1,2,3", so at run
 * time only a variable literally named "1,2,3" would be copied.
 *
 * @returns {Object} Map of the variables that passed the comparison.
 */
function getOnlyReactVariables3() {
const raw = Object.keys(process.env)
.reduce(
(env, key) => {
if (key == ["1", "2", "3"]) {
env[key] = process.env[key];
}
return env;
},
{}
);
return raw;
}
new webpack.DefinePlugin(getOnlyReactVariables3());
/**
 * Explicit allow-list: iterates a fixed list of three names and reads only
 * those variables, so no other part of the environment is touched.
 *
 * @returns {Object} Map of FOO, BAR and BAZ to JSON.stringify of their values.
 */
function getFilteredEnv4() {
return ["FOO", "BAR", "BAZ"]
.reduce((env, key) => {
env[key] = JSON.stringify(process.env[key]);
return env;
}, {});
}
new webpack.DefinePlugin(getFilteredEnv4());
})();