JS: improve prototype pollution tests

Author: Esben Sparre Andreasen

javascript/ql/test/query-tests/Security/CWE-400/PrototypePollution.expected

@@ -1,15 +1,17 @@
 nodes
-| PrototypePollution.js:7:17:7:29 | req.query.foo |
-| PrototypePollution.js:10:17:12:5 | {\\n      ... K\\n    } |
-| PrototypePollution.js:11:16:11:30 | req.query.value |
-| PrototypePollution.js:15:14:15:28 | req.query.value |
-| PrototypePollution.js:17:17:19:5 | {\\n      ... K\\n    } |
-| PrototypePollution.js:18:16:18:25 | opts.thing |
+| src-non-vulnerable-lodash/tst.js:7:17:7:29 | req.query.foo |
+| src-vulnerable-lodash/tst.js:7:17:7:29 | req.query.foo |
+| src-vulnerable-lodash/tst.js:10:17:12:5 | {\\n      ... K\\n    } |
+| src-vulnerable-lodash/tst.js:11:16:11:30 | req.query.value |
+| src-vulnerable-lodash/tst.js:15:14:15:28 | req.query.value |
+| src-vulnerable-lodash/tst.js:17:17:19:5 | {\\n      ... K\\n    } |
+| src-vulnerable-lodash/tst.js:18:16:18:25 | opts.thing |
 edges
-| PrototypePollution.js:11:16:11:30 | req.query.value | PrototypePollution.js:10:17:12:5 | {\\n      ... K\\n    } |
-| PrototypePollution.js:15:14:15:28 | req.query.value | PrototypePollution.js:18:16:18:25 | opts.thing |
-| PrototypePollution.js:18:16:18:25 | opts.thing | PrototypePollution.js:17:17:19:5 | {\\n      ... K\\n    } |
+| src-vulnerable-lodash/tst.js:11:16:11:30 | req.query.value | src-vulnerable-lodash/tst.js:10:17:12:5 | {\\n      ... K\\n    } |
+| src-vulnerable-lodash/tst.js:15:14:15:28 | req.query.value | src-vulnerable-lodash/tst.js:18:16:18:25 | opts.thing |
+| src-vulnerable-lodash/tst.js:18:16:18:25 | opts.thing | src-vulnerable-lodash/tst.js:17:17:19:5 | {\\n      ... K\\n    } |
 #select
-| PrototypePollution.js:7:17:7:29 | req.query.foo | PrototypePollution.js:7:17:7:29 | req.query.foo | PrototypePollution.js:7:17:7:29 | req.query.foo | Prototype pollution caused by merging a user-controlled value from $@. | PrototypePollution.js:7:17:7:29 | req.query.foo | here |
-| PrototypePollution.js:10:17:12:5 | {\\n      ... K\\n    } | PrototypePollution.js:11:16:11:30 | req.query.value | PrototypePollution.js:10:17:12:5 | {\\n      ... K\\n    } | Prototype pollution caused by merging a user-controlled value from $@. | PrototypePollution.js:11:16:11:30 | req.query.value | here |
-| PrototypePollution.js:17:17:19:5 | {\\n      ... K\\n    } | PrototypePollution.js:15:14:15:28 | req.query.value | PrototypePollution.js:17:17:19:5 | {\\n      ... K\\n    } | Prototype pollution caused by merging a user-controlled value from $@. | PrototypePollution.js:15:14:15:28 | req.query.value | here |
+| src-non-vulnerable-lodash/tst.js:7:17:7:29 | req.query.foo | src-non-vulnerable-lodash/tst.js:7:17:7:29 | req.query.foo | src-non-vulnerable-lodash/tst.js:7:17:7:29 | req.query.foo | Prototype pollution caused by merging a user-controlled value from $@. | src-non-vulnerable-lodash/tst.js:7:17:7:29 | req.query.foo | here |
+| src-vulnerable-lodash/tst.js:7:17:7:29 | req.query.foo | src-vulnerable-lodash/tst.js:7:17:7:29 | req.query.foo | src-vulnerable-lodash/tst.js:7:17:7:29 | req.query.foo | Prototype pollution caused by merging a user-controlled value from $@. | src-vulnerable-lodash/tst.js:7:17:7:29 | req.query.foo | here |
+| src-vulnerable-lodash/tst.js:10:17:12:5 | {\\n      ... K\\n    } | src-vulnerable-lodash/tst.js:11:16:11:30 | req.query.value | src-vulnerable-lodash/tst.js:10:17:12:5 | {\\n      ... K\\n    } | Prototype pollution caused by merging a user-controlled value from $@. | src-vulnerable-lodash/tst.js:11:16:11:30 | req.query.value | here |
+| src-vulnerable-lodash/tst.js:17:17:19:5 | {\\n      ... K\\n    } | src-vulnerable-lodash/tst.js:15:14:15:28 | req.query.value | src-vulnerable-lodash/tst.js:17:17:19:5 | {\\n      ... K\\n    } | Prototype pollution caused by merging a user-controlled value from $@. | src-vulnerable-lodash/tst.js:15:14:15:28 | req.query.value | here |

javascript/ql/test/query-tests/Security/CWE-400/src-non-vulnerable-lodash/package.json

@@ -0,0 +1,5 @@
+{
+    "dependencies": {
+        "lodash": "4.17.12"
+    }
+}

javascript/ql/test/query-tests/Security/CWE-400/src-non-vulnerable-lodash/tst.js

@@ -0,0 +1,8 @@
+let express = require('express');
+let _ = require('lodash');
+
+let app = express();
+
+app.get('/hello', function(req, res) {
+    _.merge({}, req.query.foo); // OK
+});

javascript/ql/test/query-tests/Security/CWE-400/src-vulnerable-lodash/package.json

@@ -0,0 +1,5 @@
+{
+    "dependencies": {
+        "lodash": "4.17.4"
+    }
+}

…s/Security/CWE-400/PrototypePollution.js …ity/CWE-400/src-vulnerable-lodash/tst.jsjavascript/ql/test/query-tests/Security/CWE-400/PrototypePollution.js renamed to javascript/ql/test/query-tests/Security/CWE-400/src-vulnerable-lodash/tst.js javascript/ql/test/query-tests/Security/CWE-400/PrototypePollution.js renamed to javascript/ql/test/query-tests/Security/CWE-400/src-vulnerable-lodash/tst.js

@@ -6,16 +6,15 @@ let app = express();
 app.get('/hello', function(req, res) {
     _.merge({}, req.query.foo); // NOT OK
     _.merge({}, req.query); // NOT OK - but not flagged
-    
+
     _.merge({}, {
         value: req.query.value // NOT OK
     });
-    
+
     let opts = {
       thing: req.query.value // wrapped and unwrapped value
     };
     _.merge({}, {
         value: opts.thing // NOT OK
     });
 });
-