JS: Add test with typeof on value

asger-semmle · asgerf · commit a447645c1046 · 2020-01-14T10:52:59.000Z
diff --git a/javascript/ql/test/query-tests/Security/CWE-400/PrototypePollutionUtility.expected b/javascript/ql/test/query-tests/Security/CWE-400/PrototypePollutionUtility.expected
@@ -743,6 +743,42 @@ nodes
 | PrototypePollutionUtility/tests.js:293:37:293:44 | src[key] |
 | PrototypePollutionUtility/tests.js:293:41:293:43 | key |
 | PrototypePollutionUtility/tests.js:293:41:293:43 | key |
+| PrototypePollutionUtility/tests.js:301:27:301:29 | dst |
+| PrototypePollutionUtility/tests.js:301:27:301:29 | dst |
+| PrototypePollutionUtility/tests.js:301:32:301:34 | src |
+| PrototypePollutionUtility/tests.js:302:14:302:16 | key |
+| PrototypePollutionUtility/tests.js:302:14:302:16 | key |
+| PrototypePollutionUtility/tests.js:302:14:302:16 | key |
+| PrototypePollutionUtility/tests.js:304:17:304:32 | value |
+| PrototypePollutionUtility/tests.js:304:17:304:32 | value |
+| PrototypePollutionUtility/tests.js:304:17:304:32 | value |
+| PrototypePollutionUtility/tests.js:304:25:304:27 | src |
+| PrototypePollutionUtility/tests.js:304:25:304:32 | src[key] |
+| PrototypePollutionUtility/tests.js:304:25:304:32 | src[key] |
+| PrototypePollutionUtility/tests.js:304:25:304:32 | src[key] |
+| PrototypePollutionUtility/tests.js:304:25:304:32 | src[key] |
+| PrototypePollutionUtility/tests.js:304:29:304:31 | key |
+| PrototypePollutionUtility/tests.js:304:29:304:31 | key |
+| PrototypePollutionUtility/tests.js:306:34:306:36 | dst |
+| PrototypePollutionUtility/tests.js:306:34:306:36 | dst |
+| PrototypePollutionUtility/tests.js:306:34:306:41 | dst[key] |
+| PrototypePollutionUtility/tests.js:306:34:306:41 | dst[key] |
+| PrototypePollutionUtility/tests.js:306:34:306:41 | dst[key] |
+| PrototypePollutionUtility/tests.js:306:34:306:41 | dst[key] |
+| PrototypePollutionUtility/tests.js:306:38:306:40 | key |
+| PrototypePollutionUtility/tests.js:306:38:306:40 | key |
+| PrototypePollutionUtility/tests.js:306:44:306:48 | value |
+| PrototypePollutionUtility/tests.js:306:44:306:48 | value |
+| PrototypePollutionUtility/tests.js:308:17:308:19 | dst |
+| PrototypePollutionUtility/tests.js:308:17:308:19 | dst |
+| PrototypePollutionUtility/tests.js:308:17:308:19 | dst |
+| PrototypePollutionUtility/tests.js:308:21:308:23 | key |
+| PrototypePollutionUtility/tests.js:308:21:308:23 | key |
+| PrototypePollutionUtility/tests.js:308:21:308:23 | key |
+| PrototypePollutionUtility/tests.js:308:28:308:32 | value |
+| PrototypePollutionUtility/tests.js:308:28:308:32 | value |
+| PrototypePollutionUtility/tests.js:308:28:308:32 | value |
+| PrototypePollutionUtility/tests.js:308:28:308:32 | value |
 | examples/PrototypePollutionUtility.js:1:16:1:18 | dst |
 | examples/PrototypePollutionUtility.js:1:16:1:18 | dst |
 | examples/PrototypePollutionUtility.js:1:21:1:23 | src |
@@ -1782,6 +1818,54 @@ edges
 | PrototypePollutionUtility/tests.js:293:41:293:43 | key | PrototypePollutionUtility/tests.js:293:37:293:44 | src[key] |
 | PrototypePollutionUtility/tests.js:293:41:293:43 | key | PrototypePollutionUtility/tests.js:293:37:293:44 | src[key] |
 | PrototypePollutionUtility/tests.js:293:41:293:43 | key | PrototypePollutionUtility/tests.js:293:37:293:44 | src[key] |
+| PrototypePollutionUtility/tests.js:301:27:301:29 | dst | PrototypePollutionUtility/tests.js:306:34:306:36 | dst |
+| PrototypePollutionUtility/tests.js:301:27:301:29 | dst | PrototypePollutionUtility/tests.js:306:34:306:36 | dst |
+| PrototypePollutionUtility/tests.js:301:27:301:29 | dst | PrototypePollutionUtility/tests.js:308:17:308:19 | dst |
+| PrototypePollutionUtility/tests.js:301:27:301:29 | dst | PrototypePollutionUtility/tests.js:308:17:308:19 | dst |
+| PrototypePollutionUtility/tests.js:301:27:301:29 | dst | PrototypePollutionUtility/tests.js:308:17:308:19 | dst |
+| PrototypePollutionUtility/tests.js:301:27:301:29 | dst | PrototypePollutionUtility/tests.js:308:17:308:19 | dst |
+| PrototypePollutionUtility/tests.js:301:32:301:34 | src | PrototypePollutionUtility/tests.js:304:25:304:27 | src |
+| PrototypePollutionUtility/tests.js:302:14:302:16 | key | PrototypePollutionUtility/tests.js:304:29:304:31 | key |
+| PrototypePollutionUtility/tests.js:302:14:302:16 | key | PrototypePollutionUtility/tests.js:304:29:304:31 | key |
+| PrototypePollutionUtility/tests.js:302:14:302:16 | key | PrototypePollutionUtility/tests.js:304:29:304:31 | key |
+| PrototypePollutionUtility/tests.js:302:14:302:16 | key | PrototypePollutionUtility/tests.js:304:29:304:31 | key |
+| PrototypePollutionUtility/tests.js:302:14:302:16 | key | PrototypePollutionUtility/tests.js:306:38:306:40 | key |
+| PrototypePollutionUtility/tests.js:302:14:302:16 | key | PrototypePollutionUtility/tests.js:306:38:306:40 | key |
+| PrototypePollutionUtility/tests.js:302:14:302:16 | key | PrototypePollutionUtility/tests.js:306:38:306:40 | key |
+| PrototypePollutionUtility/tests.js:302:14:302:16 | key | PrototypePollutionUtility/tests.js:306:38:306:40 | key |
+| PrototypePollutionUtility/tests.js:302:14:302:16 | key | PrototypePollutionUtility/tests.js:308:21:308:23 | key |
+| PrototypePollutionUtility/tests.js:302:14:302:16 | key | PrototypePollutionUtility/tests.js:308:21:308:23 | key |
+| PrototypePollutionUtility/tests.js:302:14:302:16 | key | PrototypePollutionUtility/tests.js:308:21:308:23 | key |
+| PrototypePollutionUtility/tests.js:302:14:302:16 | key | PrototypePollutionUtility/tests.js:308:21:308:23 | key |
+| PrototypePollutionUtility/tests.js:302:14:302:16 | key | PrototypePollutionUtility/tests.js:308:21:308:23 | key |
+| PrototypePollutionUtility/tests.js:302:14:302:16 | key | PrototypePollutionUtility/tests.js:308:21:308:23 | key |
+| PrototypePollutionUtility/tests.js:302:14:302:16 | key | PrototypePollutionUtility/tests.js:308:21:308:23 | key |
+| PrototypePollutionUtility/tests.js:304:17:304:32 | value | PrototypePollutionUtility/tests.js:306:44:306:48 | value |
+| PrototypePollutionUtility/tests.js:304:17:304:32 | value | PrototypePollutionUtility/tests.js:306:44:306:48 | value |
+| PrototypePollutionUtility/tests.js:304:17:304:32 | value | PrototypePollutionUtility/tests.js:308:28:308:32 | value |
+| PrototypePollutionUtility/tests.js:304:17:304:32 | value | PrototypePollutionUtility/tests.js:308:28:308:32 | value |
+| PrototypePollutionUtility/tests.js:304:17:304:32 | value | PrototypePollutionUtility/tests.js:308:28:308:32 | value |
+| PrototypePollutionUtility/tests.js:304:17:304:32 | value | PrototypePollutionUtility/tests.js:308:28:308:32 | value |
+| PrototypePollutionUtility/tests.js:304:17:304:32 | value | PrototypePollutionUtility/tests.js:308:28:308:32 | value |
+| PrototypePollutionUtility/tests.js:304:17:304:32 | value | PrototypePollutionUtility/tests.js:308:28:308:32 | value |
+| PrototypePollutionUtility/tests.js:304:25:304:27 | src | PrototypePollutionUtility/tests.js:304:25:304:32 | src[key] |
+| PrototypePollutionUtility/tests.js:304:25:304:32 | src[key] | PrototypePollutionUtility/tests.js:304:17:304:32 | value |
+| PrototypePollutionUtility/tests.js:304:25:304:32 | src[key] | PrototypePollutionUtility/tests.js:304:17:304:32 | value |
+| PrototypePollutionUtility/tests.js:304:25:304:32 | src[key] | PrototypePollutionUtility/tests.js:304:17:304:32 | value |
+| PrototypePollutionUtility/tests.js:304:25:304:32 | src[key] | PrototypePollutionUtility/tests.js:304:17:304:32 | value |
+| PrototypePollutionUtility/tests.js:304:25:304:32 | src[key] | PrototypePollutionUtility/tests.js:304:17:304:32 | value |
+| PrototypePollutionUtility/tests.js:304:29:304:31 | key | PrototypePollutionUtility/tests.js:304:25:304:32 | src[key] |
+| PrototypePollutionUtility/tests.js:304:29:304:31 | key | PrototypePollutionUtility/tests.js:304:25:304:32 | src[key] |
+| PrototypePollutionUtility/tests.js:306:34:306:36 | dst | PrototypePollutionUtility/tests.js:306:34:306:41 | dst[key] |
+| PrototypePollutionUtility/tests.js:306:34:306:36 | dst | PrototypePollutionUtility/tests.js:306:34:306:41 | dst[key] |
+| PrototypePollutionUtility/tests.js:306:34:306:41 | dst[key] | PrototypePollutionUtility/tests.js:301:27:301:29 | dst |
+| PrototypePollutionUtility/tests.js:306:34:306:41 | dst[key] | PrototypePollutionUtility/tests.js:301:27:301:29 | dst |
+| PrototypePollutionUtility/tests.js:306:34:306:41 | dst[key] | PrototypePollutionUtility/tests.js:301:27:301:29 | dst |
+| PrototypePollutionUtility/tests.js:306:34:306:41 | dst[key] | PrototypePollutionUtility/tests.js:301:27:301:29 | dst |
+| PrototypePollutionUtility/tests.js:306:38:306:40 | key | PrototypePollutionUtility/tests.js:306:34:306:41 | dst[key] |
+| PrototypePollutionUtility/tests.js:306:38:306:40 | key | PrototypePollutionUtility/tests.js:306:34:306:41 | dst[key] |
+| PrototypePollutionUtility/tests.js:306:44:306:48 | value | PrototypePollutionUtility/tests.js:301:32:301:34 | src |
+| PrototypePollutionUtility/tests.js:306:44:306:48 | value | PrototypePollutionUtility/tests.js:301:32:301:34 | src |
 | examples/PrototypePollutionUtility.js:1:16:1:18 | dst | examples/PrototypePollutionUtility.js:5:19:5:21 | dst |
 | examples/PrototypePollutionUtility.js:1:16:1:18 | dst | examples/PrototypePollutionUtility.js:5:19:5:21 | dst |
 | examples/PrototypePollutionUtility.js:1:16:1:18 | dst | examples/PrototypePollutionUtility.js:7:13:7:15 | dst |
@@ -1899,4 +1983,5 @@ edges
 | PrototypePollutionUtility/tests.js:233:5:233:13 | map[key1] | PrototypePollutionUtility/tests.js:238:14:238:16 | key | PrototypePollutionUtility/tests.js:233:5:233:13 | map[key1] | Properties are copied from $@ to $@ without guarding against prototype pollution. | PrototypePollutionUtility/tests.js:238:21:238:24 | data | data | PrototypePollutionUtility/tests.js:233:5:233:13 | map[key1] | this object |
 | PrototypePollutionUtility/tests.js:270:13:270:15 | dst | PrototypePollutionUtility/tests.js:265:19:265:26 | entry[0] | PrototypePollutionUtility/tests.js:270:13:270:15 | dst | Properties are copied from $@ to $@ without guarding against prototype pollution. | PrototypePollutionUtility/tests.js:264:20:264:22 | src | src | PrototypePollutionUtility/tests.js:270:13:270:15 | dst | dst |
 | PrototypePollutionUtility/tests.js:280:13:280:15 | dst | PrototypePollutionUtility/tests.js:276:34:276:36 | key | PrototypePollutionUtility/tests.js:280:13:280:15 | dst | Properties are copied from $@ to $@ without guarding against prototype pollution. | PrototypePollutionUtility/tests.js:276:21:276:23 | src | src | PrototypePollutionUtility/tests.js:280:13:280:15 | dst | dst |
+| PrototypePollutionUtility/tests.js:308:17:308:19 | dst | PrototypePollutionUtility/tests.js:302:14:302:16 | key | PrototypePollutionUtility/tests.js:308:17:308:19 | dst | Properties are copied from $@ to $@ without guarding against prototype pollution. | PrototypePollutionUtility/tests.js:302:21:302:23 | src | src | PrototypePollutionUtility/tests.js:308:17:308:19 | dst | dst |
 | examples/PrototypePollutionUtility.js:7:13:7:15 | dst | examples/PrototypePollutionUtility.js:2:14:2:16 | key | examples/PrototypePollutionUtility.js:7:13:7:15 | dst | Properties are copied from $@ to $@ without guarding against prototype pollution. | examples/PrototypePollutionUtility.js:2:21:2:23 | src | src | examples/PrototypePollutionUtility.js:7:13:7:15 | dst | dst |
diff --git a/javascript/ql/test/query-tests/Security/CWE-400/PrototypePollutionUtility/tests.js b/javascript/ql/test/query-tests/Security/CWE-400/PrototypePollutionUtility/tests.js
@@ -297,3 +297,16 @@ function copyWithPath(dst, src, path) {
     }
     return dst;
 }
+
+function typeofObjectTest(dst, src) {
+    for (let key in src) {
+        if (src.hasOwnProperty(key)) {
+            let value = src[key];
+            if (dst[key] && typeof value === 'object') {
+                typeofObjectTest(dst[key], value);
+            } else {
+                dst[key] = value; // NOT OK
+            }
+        }
+    }
+}
