Skip to content

JS: Add Permissive CORS query (CWE-942) #14342

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
erik-krogh merged 31 commits into from
Jun 28, 2024
Merged

JS: Add Permissive CORS query (CWE-942) #14342

Changes from 1 commit
Commits
Show all changes
31 commits
Select commit Hold shift + click to select a range
e171123
Add initial query for CWE-942
maikypedia Sep 29, 2023
142ab01
Remove comment line
maikypedia Sep 29, 2023
816eebb
Add `.qhelp` and apply some review changes
maikypedia Oct 2, 2023
ed06628
Add documentation string for `CorsPermissiveConfiguration`
maikypedia Oct 6, 2023
c0e6d7c
Merge branch 'github:main' into maikypedia/javascript-cors
maikypedia Oct 11, 2023
07ad596
Add coverage for `express`
maikypedia Oct 16, 2023
acac534
Forgot `.js`
maikypedia Oct 16, 2023
d661f7f
Add Flow Labels
maikypedia Nov 22, 2023
413c111
Move to `/experimental`
maikypedia Nov 23, 2023
abd53e9
Fix minor issues
maikypedia Nov 23, 2023
4ef4c92
Move Customizations and Query
maikypedia Nov 23, 2023
aa24ce5
Apply suggestions from code review
maikypedia Nov 27, 2023
bb6ef72
`getArgument` returns `Cors::Cors`
maikypedia Nov 27, 2023
f623db4
Change qldoc
maikypedia Nov 27, 2023
3bcb411
Using `Express::RouteSetup`
maikypedia Nov 27, 2023
6a3cdc9
Add `change-node`
maikypedia Nov 27, 2023
e6c7fc0
Fixes CI
maikypedia Nov 29, 2023
83cbbd7
Apply docstring changes
maikypedia Dec 5, 2023
87cac2a
Express Argument has to be Cors
maikypedia Dec 7, 2023
4f68f60
Apply review
maikypedia Dec 18, 2023
191766a
Use `config.getCorsConfiguration().getOrigin())`
maikypedia Dec 18, 2023
7662b2b
format
maikypedia Dec 19, 2023
78e7793
Move to experimental
maikypedia Jan 9, 2024
699d8d4
x
maikypedia Mar 7, 2024
c1fd7a6
autoformat
erik-krogh Mar 12, 2024
f2d6640
fix ambiguous import. It could refer both to a module or a file
erik-krogh Mar 12, 2024
cfd7c7a
move change-note to `javascript/ql/src/change-notes`
maikypedia May 27, 2024
e96c3a3
Move `Apollo` to experimental
maikypedia May 27, 2024
4be5cf4
Update javascript/ql/src/experimental/Security/CWE-942/CorsPermissive…
maikypedia Jun 12, 2024
8ba7ac6
Update javascript/ql/src/experimental/Security/CWE-942/CorsPermissive…
maikypedia Jun 12, 2024
d0cf2a9
Merge branch 'main' into maikypedia/javascript-cors
maikypedia Jun 27, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Prev Previous commit
Next Next commit
Use config.getCorsConfiguration().getOrigin()) 
Co-authored-by: Erik Krogh Kristensen <erik-krogh@github.com>
  • Loading branch information
@maikypedia @erik-krogh
maikypedia and erik-krogh authored Dec 18, 2023
commit 191766a47bf16653231f3dd843568d897878bdb2
4 changes: 3 additions & 1 deletion ...script/ql/src/experimental/Security/CWE-942/CorsPermissiveConfigurationCustomizations.qll
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -68,6 +68,8 @@ module CorsPermissiveConfiguration {
* The value of cors origin when initializing the application.
*/
class ExpressCors extends Sink, DataFlow::ValueNode {
ExpressCors() { exists(Express::CorsConfiguration config | this = config.getOrigin()) }
ExpressCors() {
exists(Express::CorsConfiguration config | this = config.getCorsConfiguration().getOrigin())
}
}
Comment thread
maikypedia marked this conversation as resolved.
}