
Commit 0ea8246

committed
Add extra test cases to ui5 webcomponents for react and arrange modelling to filter some results for out of the box xss query and improve test for it
1 parent 1951360 commit 0ea8246


7 files changed

+647
-32
lines changed

Lines changed: 110 additions & 10 deletions
@@ -1,14 +1,114 @@
11
edges
2-
| src/App.tsx:7:10:7:13 | todo | src/App.tsx:7:10:7:13 | todo | provenance | |
3-
| src/App.tsx:7:10:7:13 | todo | src/App.tsx:27:46:27:49 | todo | provenance | |
4-
| src/App.tsx:12:22:12:45 | todoInp ... ?.value | src/App.tsx:12:22:12:51 | todoInp ... e \|\| "" | provenance | |
5-
| src/App.tsx:12:22:12:51 | todoInp ... e \|\| "" | src/App.tsx:7:10:7:13 | todo | provenance | |
2+
| src/App.tsx:7:10:7:19 | inputValue | src/App.tsx:7:10:7:19 | inputValue | provenance | |
3+
| src/App.tsx:7:10:7:19 | inputValue | src/App.tsx:435:46:435:55 | inputValue | provenance | |
4+
| src/App.tsx:11:28:11:50 | inputRe ... ?.value | src/App.tsx:11:28:11:56 | inputRe ... e \|\| "" | provenance | |
5+
| src/App.tsx:11:28:11:56 | inputRe ... e \|\| "" | src/App.tsx:7:10:7:19 | inputValue | provenance | |
6+
| src/App.tsx:23:10:23:22 | textAreaValue | src/App.tsx:23:10:23:22 | textAreaValue | provenance | |
7+
| src/App.tsx:23:10:23:22 | textAreaValue | src/App.tsx:436:46:436:58 | textAreaValue | provenance | |
8+
| src/App.tsx:27:31:27:56 | textAre ... ?.value | src/App.tsx:27:31:27:62 | textAre ... e \|\| "" | provenance | |
9+
| src/App.tsx:27:31:27:62 | textAre ... e \|\| "" | src/App.tsx:23:10:23:22 | textAreaValue | provenance | |
10+
| src/App.tsx:39:10:39:20 | searchValue | src/App.tsx:39:10:39:20 | searchValue | provenance | |
11+
| src/App.tsx:39:10:39:20 | searchValue | src/App.tsx:437:46:437:56 | searchValue | provenance | |
12+
| src/App.tsx:43:29:43:52 | searchR ... ?.value | src/App.tsx:43:29:43:58 | searchR ... e \|\| "" | provenance | |
13+
| src/App.tsx:43:29:43:58 | searchR ... e \|\| "" | src/App.tsx:39:10:39:20 | searchValue | provenance | |
14+
| src/App.tsx:55:10:55:28 | shellBarSearchValue | src/App.tsx:55:10:55:28 | shellBarSearchValue | provenance | |
15+
| src/App.tsx:55:10:55:28 | shellBarSearchValue | src/App.tsx:438:46:438:64 | shellBarSearchValue | provenance | |
16+
| src/App.tsx:59:37:59:68 | shellBa ... ?.value | src/App.tsx:59:37:59:74 | shellBa ... e \|\| "" | provenance | |
17+
| src/App.tsx:59:37:59:74 | shellBa ... e \|\| "" | src/App.tsx:55:10:55:28 | shellBarSearchValue | provenance | |
18+
| src/App.tsx:71:10:71:22 | comboBoxValue | src/App.tsx:71:10:71:22 | comboBoxValue | provenance | |
19+
| src/App.tsx:71:10:71:22 | comboBoxValue | src/App.tsx:439:46:439:58 | comboBoxValue | provenance | |
20+
| src/App.tsx:75:31:75:56 | comboBo ... ?.value | src/App.tsx:75:31:75:62 | comboBo ... e \|\| "" | provenance | |
21+
| src/App.tsx:75:31:75:62 | comboBo ... e \|\| "" | src/App.tsx:71:10:71:22 | comboBoxValue | provenance | |
22+
| src/App.tsx:119:10:119:24 | datePickerValue | src/App.tsx:119:10:119:24 | datePickerValue | provenance | |
23+
| src/App.tsx:119:10:119:24 | datePickerValue | src/App.tsx:442:46:442:60 | datePickerValue | provenance | |
24+
| src/App.tsx:123:33:123:60 | datePic ... ?.value | src/App.tsx:123:33:123:66 | datePic ... e \|\| "" | provenance | |
25+
| src/App.tsx:123:33:123:66 | datePic ... e \|\| "" | src/App.tsx:119:10:119:24 | datePickerValue | provenance | |
26+
| src/App.tsx:135:10:135:29 | dateRangePickerValue | src/App.tsx:135:10:135:29 | dateRangePickerValue | provenance | |
27+
| src/App.tsx:135:10:135:29 | dateRangePickerValue | src/App.tsx:443:46:443:65 | dateRangePickerValue | provenance | |
28+
| src/App.tsx:139:38:139:70 | dateRan ... ?.value | src/App.tsx:139:38:139:76 | dateRan ... e \|\| "" | provenance | |
29+
| src/App.tsx:139:38:139:76 | dateRan ... e \|\| "" | src/App.tsx:135:10:135:29 | dateRangePickerValue | provenance | |
30+
| src/App.tsx:151:10:151:28 | dateTimePickerValue | src/App.tsx:151:10:151:28 | dateTimePickerValue | provenance | |
31+
| src/App.tsx:151:10:151:28 | dateTimePickerValue | src/App.tsx:444:46:444:64 | dateTimePickerValue | provenance | |
32+
| src/App.tsx:155:37:155:68 | dateTim ... ?.value | src/App.tsx:155:37:155:74 | dateTim ... e \|\| "" | provenance | |
33+
| src/App.tsx:155:37:155:74 | dateTim ... e \|\| "" | src/App.tsx:151:10:151:28 | dateTimePickerValue | provenance | |
34+
| src/App.tsx:167:10:167:24 | timePickerValue | src/App.tsx:167:10:167:24 | timePickerValue | provenance | |
35+
| src/App.tsx:167:10:167:24 | timePickerValue | src/App.tsx:445:46:445:60 | timePickerValue | provenance | |
36+
| src/App.tsx:171:33:171:60 | timePic ... ?.value | src/App.tsx:171:33:171:66 | timePic ... e \|\| "" | provenance | |
37+
| src/App.tsx:171:33:171:66 | timePic ... e \|\| "" | src/App.tsx:167:10:167:24 | timePickerValue | provenance | |
38+
| src/App.tsx:295:10:295:20 | optionValue | src/App.tsx:295:10:295:20 | optionValue | provenance | |
39+
| src/App.tsx:295:10:295:20 | optionValue | src/App.tsx:453:46:453:56 | optionValue | provenance | |
40+
| src/App.tsx:299:29:299:52 | optionR ... ?.value | src/App.tsx:299:29:299:58 | optionR ... e \|\| "" | provenance | |
41+
| src/App.tsx:299:29:299:58 | optionR ... e \|\| "" | src/App.tsx:295:10:295:20 | optionValue | provenance | |
42+
| src/App.tsx:311:10:311:26 | optionCustomValue | src/App.tsx:311:10:311:26 | optionCustomValue | provenance | |
43+
| src/App.tsx:311:10:311:26 | optionCustomValue | src/App.tsx:454:46:454:62 | optionCustomValue | provenance | |
44+
| src/App.tsx:315:35:315:64 | optionC ... ?.value | src/App.tsx:315:35:315:70 | optionC ... e \|\| "" | provenance | |
45+
| src/App.tsx:315:35:315:70 | optionC ... e \|\| "" | src/App.tsx:311:10:311:26 | optionCustomValue | provenance | |
646
nodes
7-
| src/App.tsx:7:10:7:13 | todo | semmle.label | todo |
8-
| src/App.tsx:7:10:7:13 | todo | semmle.label | todo |
9-
| src/App.tsx:12:22:12:45 | todoInp ... ?.value | semmle.label | todoInp ... ?.value |
10-
| src/App.tsx:12:22:12:51 | todoInp ... e \|\| "" | semmle.label | todoInp ... e \|\| "" |
11-
| src/App.tsx:27:46:27:49 | todo | semmle.label | todo |
47+
| src/App.tsx:7:10:7:19 | inputValue | semmle.label | inputValue |
48+
| src/App.tsx:7:10:7:19 | inputValue | semmle.label | inputValue |
49+
| src/App.tsx:11:28:11:50 | inputRe ... ?.value | semmle.label | inputRe ... ?.value |
50+
| src/App.tsx:11:28:11:56 | inputRe ... e \|\| "" | semmle.label | inputRe ... e \|\| "" |
51+
| src/App.tsx:23:10:23:22 | textAreaValue | semmle.label | textAreaValue |
52+
| src/App.tsx:23:10:23:22 | textAreaValue | semmle.label | textAreaValue |
53+
| src/App.tsx:27:31:27:56 | textAre ... ?.value | semmle.label | textAre ... ?.value |
54+
| src/App.tsx:27:31:27:62 | textAre ... e \|\| "" | semmle.label | textAre ... e \|\| "" |
55+
| src/App.tsx:39:10:39:20 | searchValue | semmle.label | searchValue |
56+
| src/App.tsx:39:10:39:20 | searchValue | semmle.label | searchValue |
57+
| src/App.tsx:43:29:43:52 | searchR ... ?.value | semmle.label | searchR ... ?.value |
58+
| src/App.tsx:43:29:43:58 | searchR ... e \|\| "" | semmle.label | searchR ... e \|\| "" |
59+
| src/App.tsx:55:10:55:28 | shellBarSearchValue | semmle.label | shellBarSearchValue |
60+
| src/App.tsx:55:10:55:28 | shellBarSearchValue | semmle.label | shellBarSearchValue |
61+
| src/App.tsx:59:37:59:68 | shellBa ... ?.value | semmle.label | shellBa ... ?.value |
62+
| src/App.tsx:59:37:59:74 | shellBa ... e \|\| "" | semmle.label | shellBa ... e \|\| "" |
63+
| src/App.tsx:71:10:71:22 | comboBoxValue | semmle.label | comboBoxValue |
64+
| src/App.tsx:71:10:71:22 | comboBoxValue | semmle.label | comboBoxValue |
65+
| src/App.tsx:75:31:75:56 | comboBo ... ?.value | semmle.label | comboBo ... ?.value |
66+
| src/App.tsx:75:31:75:62 | comboBo ... e \|\| "" | semmle.label | comboBo ... e \|\| "" |
67+
| src/App.tsx:119:10:119:24 | datePickerValue | semmle.label | datePickerValue |
68+
| src/App.tsx:119:10:119:24 | datePickerValue | semmle.label | datePickerValue |
69+
| src/App.tsx:123:33:123:60 | datePic ... ?.value | semmle.label | datePic ... ?.value |
70+
| src/App.tsx:123:33:123:66 | datePic ... e \|\| "" | semmle.label | datePic ... e \|\| "" |
71+
| src/App.tsx:135:10:135:29 | dateRangePickerValue | semmle.label | dateRangePickerValue |
72+
| src/App.tsx:135:10:135:29 | dateRangePickerValue | semmle.label | dateRangePickerValue |
73+
| src/App.tsx:139:38:139:70 | dateRan ... ?.value | semmle.label | dateRan ... ?.value |
74+
| src/App.tsx:139:38:139:76 | dateRan ... e \|\| "" | semmle.label | dateRan ... e \|\| "" |
75+
| src/App.tsx:151:10:151:28 | dateTimePickerValue | semmle.label | dateTimePickerValue |
76+
| src/App.tsx:151:10:151:28 | dateTimePickerValue | semmle.label | dateTimePickerValue |
77+
| src/App.tsx:155:37:155:68 | dateTim ... ?.value | semmle.label | dateTim ... ?.value |
78+
| src/App.tsx:155:37:155:74 | dateTim ... e \|\| "" | semmle.label | dateTim ... e \|\| "" |
79+
| src/App.tsx:167:10:167:24 | timePickerValue | semmle.label | timePickerValue |
80+
| src/App.tsx:167:10:167:24 | timePickerValue | semmle.label | timePickerValue |
81+
| src/App.tsx:171:33:171:60 | timePic ... ?.value | semmle.label | timePic ... ?.value |
82+
| src/App.tsx:171:33:171:66 | timePic ... e \|\| "" | semmle.label | timePic ... e \|\| "" |
83+
| src/App.tsx:295:10:295:20 | optionValue | semmle.label | optionValue |
84+
| src/App.tsx:295:10:295:20 | optionValue | semmle.label | optionValue |
85+
| src/App.tsx:299:29:299:52 | optionR ... ?.value | semmle.label | optionR ... ?.value |
86+
| src/App.tsx:299:29:299:58 | optionR ... e \|\| "" | semmle.label | optionR ... e \|\| "" |
87+
| src/App.tsx:311:10:311:26 | optionCustomValue | semmle.label | optionCustomValue |
88+
| src/App.tsx:311:10:311:26 | optionCustomValue | semmle.label | optionCustomValue |
89+
| src/App.tsx:315:35:315:64 | optionC ... ?.value | semmle.label | optionC ... ?.value |
90+
| src/App.tsx:315:35:315:70 | optionC ... e \|\| "" | semmle.label | optionC ... e \|\| "" |
91+
| src/App.tsx:435:46:435:55 | inputValue | semmle.label | inputValue |
92+
| src/App.tsx:436:46:436:58 | textAreaValue | semmle.label | textAreaValue |
93+
| src/App.tsx:437:46:437:56 | searchValue | semmle.label | searchValue |
94+
| src/App.tsx:438:46:438:64 | shellBarSearchValue | semmle.label | shellBarSearchValue |
95+
| src/App.tsx:439:46:439:58 | comboBoxValue | semmle.label | comboBoxValue |
96+
| src/App.tsx:442:46:442:60 | datePickerValue | semmle.label | datePickerValue |
97+
| src/App.tsx:443:46:443:65 | dateRangePickerValue | semmle.label | dateRangePickerValue |
98+
| src/App.tsx:444:46:444:64 | dateTimePickerValue | semmle.label | dateTimePickerValue |
99+
| src/App.tsx:445:46:445:60 | timePickerValue | semmle.label | timePickerValue |
100+
| src/App.tsx:453:46:453:56 | optionValue | semmle.label | optionValue |
101+
| src/App.tsx:454:46:454:62 | optionCustomValue | semmle.label | optionCustomValue |
12102
subpaths
13103
#select
14-
| src/App.tsx:27:46:27:49 | todo | src/App.tsx:12:22:12:45 | todoInp ... ?.value | src/App.tsx:27:46:27:49 | todo | $@ is reinterpreted as HTML without escaping meta-characters. | src/App.tsx:12:22:12:45 | todoInp ... ?.value | DOM text |
104+
| src/App.tsx:435:46:435:55 | inputValue | src/App.tsx:11:28:11:50 | inputRe ... ?.value | src/App.tsx:435:46:435:55 | inputValue | $@ is reinterpreted as HTML without escaping meta-characters. | src/App.tsx:11:28:11:50 | inputRe ... ?.value | DOM text |
105+
| src/App.tsx:436:46:436:58 | textAreaValue | src/App.tsx:27:31:27:56 | textAre ... ?.value | src/App.tsx:436:46:436:58 | textAreaValue | $@ is reinterpreted as HTML without escaping meta-characters. | src/App.tsx:27:31:27:56 | textAre ... ?.value | DOM text |
106+
| src/App.tsx:437:46:437:56 | searchValue | src/App.tsx:43:29:43:52 | searchR ... ?.value | src/App.tsx:437:46:437:56 | searchValue | $@ is reinterpreted as HTML without escaping meta-characters. | src/App.tsx:43:29:43:52 | searchR ... ?.value | DOM text |
107+
| src/App.tsx:438:46:438:64 | shellBarSearchValue | src/App.tsx:59:37:59:68 | shellBa ... ?.value | src/App.tsx:438:46:438:64 | shellBarSearchValue | $@ is reinterpreted as HTML without escaping meta-characters. | src/App.tsx:59:37:59:68 | shellBa ... ?.value | DOM text |
108+
| src/App.tsx:439:46:439:58 | comboBoxValue | src/App.tsx:75:31:75:56 | comboBo ... ?.value | src/App.tsx:439:46:439:58 | comboBoxValue | $@ is reinterpreted as HTML without escaping meta-characters. | src/App.tsx:75:31:75:56 | comboBo ... ?.value | DOM text |
109+
| src/App.tsx:442:46:442:60 | datePickerValue | src/App.tsx:123:33:123:60 | datePic ... ?.value | src/App.tsx:442:46:442:60 | datePickerValue | $@ is reinterpreted as HTML without escaping meta-characters. | src/App.tsx:123:33:123:60 | datePic ... ?.value | DOM text |
110+
| src/App.tsx:443:46:443:65 | dateRangePickerValue | src/App.tsx:139:38:139:70 | dateRan ... ?.value | src/App.tsx:443:46:443:65 | dateRangePickerValue | $@ is reinterpreted as HTML without escaping meta-characters. | src/App.tsx:139:38:139:70 | dateRan ... ?.value | DOM text |
111+
| src/App.tsx:444:46:444:64 | dateTimePickerValue | src/App.tsx:155:37:155:68 | dateTim ... ?.value | src/App.tsx:444:46:444:64 | dateTimePickerValue | $@ is reinterpreted as HTML without escaping meta-characters. | src/App.tsx:155:37:155:68 | dateTim ... ?.value | DOM text |
112+
| src/App.tsx:445:46:445:60 | timePickerValue | src/App.tsx:171:33:171:60 | timePic ... ?.value | src/App.tsx:445:46:445:60 | timePickerValue | $@ is reinterpreted as HTML without escaping meta-characters. | src/App.tsx:171:33:171:60 | timePic ... ?.value | DOM text |
113+
| src/App.tsx:453:46:453:56 | optionValue | src/App.tsx:299:29:299:52 | optionR ... ?.value | src/App.tsx:453:46:453:56 | optionValue | $@ is reinterpreted as HTML without escaping meta-characters. | src/App.tsx:299:29:299:52 | optionR ... ?.value | DOM text |
114+
| src/App.tsx:454:46:454:62 | optionCustomValue | src/App.tsx:315:35:315:64 | optionC ... ?.value | src/App.tsx:454:46:454:62 | optionCustomValue | $@ is reinterpreted as HTML without escaping meta-characters. | src/App.tsx:315:35:315:64 | optionC ... ?.value | DOM text |

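--- a/javascript/frameworks/ui5-webcomponents/test/queries/xss-input-dangerouslySetInnerHTML/XssThroughDom.ql
+++ b/javascript/frameworks/ui5-webcomponents/test/queries/xss-input-dangerouslySetInnerHTML/XssThroughDom.ql
@@ -12,16 +12,17 @@
  * external/cwe/cwe-116
  */
 
-//an exact copy of - https://github.com/github/codeql/blob/main/javascript/ql/src/Security/CWE-079/XssThroughDom.ql
+//a exact copy of - https://github.com/github/codeql/blob/main/javascript/ql/src/Security/CWE-079/XssThroughDom.ql
 //included for testing purposes only
-
+//tests the use of customizations to filter results via sanitizer
 import javascript
 import semmle.javascript.security.dataflow.XssThroughDomQuery
 import XssThroughDomFlow::PathGraph
+import advanced_security.javascript_sap_ui5_all.Customizations
 
 from XssThroughDomFlow::PathNode source, XssThroughDomFlow::PathNode sink
 where
 XssThroughDomFlow::flowPath(source, sink) and
 not isIgnoredSourceSinkPair(source.getNode(), sink.getNode())
 select sink.getNode(), source, sink,
-"$@ is reinterpreted as HTML without escaping meta-characters.", source.getNode(), "DOM text"
+"$@ is reinterpreted as HTML without escaping meta-characters.", source.getNode(), "DOM text"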
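Review bot: The rewritten header comment at new line 15 now reads `//a exact copy of - …`, which introduces a grammatical error and is also no longer accurate once new line 21 imports `advanced_security.javascript_sap_ui5_all.Customizations`, since the query then differs from the upstream one it points to. I would write `//a copy of - https://github.com/github/codeql/blob/main/javascript/ql/src/Security/CWE-079/XssThroughDom.ql` followed by `//with an added import of Customizations so the library's sanitizer customizations apply to XssThroughDomQuery`. The imported module is not referenced anywhere else in the query text, so it presumably takes effect by contributing barrier/sanitizer predicates to the upstream configuration; a one-line comment naming the predicate or class that Customizations extends would let a reader confirm that the results dropped from the expected output are filtered by an intentional sanitizer rather than by a source that stopped being recognised. The first line of the `@@ -12` hunk is inside the query's metadata comment, whose start lies outside this hunk.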

javascript/frameworks/ui5-webcomponents/test/queries/xss-input-dangerouslySetInnerHTML/qlpack.yml

Lines changed: 1 addition & 0 deletions
@@ -3,3 +3,4 @@ version: 2.3.0
33
extractor: javascript
44
dependencies:
55
codeql/javascript-all: "^2.4.0"
6+
advanced-security/javascript-sap-ui5-all: "^2.3.0"
