
Commit d077d68

Napalysasgerf
andcommitted
Applied changes from comments
Co-authored-by: Asgerf <[email protected]>
1 parent c12c12c commit d077d68

3 files changed

+49
-52
lines changed

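--- a/javascript/ql/lib/ext/react-relay-threat.model.yml
+++ b/javascript/ql/lib/ext/react-relay-threat.model.yml
@@ -7,9 +7,9 @@ extensions:
 - ["react-relay", "Member[useLazyLoadQuery].ReturnValue", "response"]
 - ["react-relay", "Member[usePreloadedQuery].ReturnValue", "response"]
 - ["react-relay", "Member[useClientQuery].ReturnValue", "response"]
-- ["react-relay", "Member[useRefetchableFragment].ReturnValue", "response"]
-- ["react-relay", "Member[usePaginationFragment].ReturnValue", "response"]
-- ["react-relay", "Member[useMutation].ReturnValue.Member[0].Argument[0].Member[onCompleted].Argument[0]", "response"]
-- ["react-relay", "Member[useSubscription].Argument[0].Member[onNext].Argument[0]", "response"]
-- ["react-relay", "Member[fetchQuery].ReturnValue.Member[subscribe].Argument[0].Member[next].Argument[0]", "response"]
+- ["react-relay", "Member[useRefetchableFragment].ReturnValue.Member[0]", "response"]
+- ["react-relay", "Member[usePaginationFragment].ReturnValue.Member[data]", "response"]
+- ["react-relay", "Member[useMutation].ReturnValue.Member[0].Argument[0].Member[onCompleted].Parameter[0]", "response"]
+- ["react-relay", "Member[useSubscription].Argument[0].Member[onNext].Parameter[0]", "response"]
+- ["react-relay", "Member[fetchQuery].ReturnValue.Member[subscribe].Argument[0].Member[next].Parameter[0]", "response"]
 - ["relay-runtime", "Member[readFragment].ReturnValue", "response"]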
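Review bot: The `fetchQuery` row (new line 14) reaches the response only through the `subscribe({ next })` path, so a consumer that does `await fetchQuery(...).toPromise()` — the other way the returned observable hands out the same data — is not covered by this source model and would be missed by the XSS query. If the `Awaited` token is accepted by this model format, a sibling row such as `- ["react-relay", "Member[fetchQuery].ReturnValue.Member[toPromise].ReturnValue.Awaited", "response"]` would close that gap; worth confirming against the CodeQL JavaScript access-path grammar before adding. Narrowing `useRefetchableFragment` to `.Member[0]` and `usePaginationFragment` to `.Member[data]` looks right, since the other tuple/object members are callbacks and booleans rather than response data. The `extensions:` block this hunk belongs to starts above the hunk, so I cannot see whether `useFragment` or `commitMutation` are modelled elsewhere in the file.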

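--- a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXssWithResponseThreat/Xss.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXssWithResponseThreat/Xss.expected
@@ -4,12 +4,12 @@
 | testReactRelay.tsx:18:48:18:68 | data.co ... 0].text | testReactRelay.tsx:17:16:17:42 | useLazy ... ry, {}) | testReactRelay.tsx:18:48:18:68 | data.co ... 0].text | Cross-site scripting vulnerability due to $@. | testReactRelay.tsx:17:16:17:42 | useLazy ... ry, {}) | user-provided value |
 | testReactRelay.tsx:28:17:28:67 | usePrel ... r?.name | testReactRelay.tsx:28:17:28:56 | usePrel ... erence) | testReactRelay.tsx:28:17:28:67 | usePrel ... r?.name | Cross-site scripting vulnerability due to $@. | testReactRelay.tsx:28:17:28:56 | usePrel ... erence) | user-provided value |
 | testReactRelay.tsx:38:49:38:52 | data | testReactRelay.tsx:37:16:37:40 | useClie ... ry, {}) | testReactRelay.tsx:38:49:38:52 | data | Cross-site scripting vulnerability due to $@. | testReactRelay.tsx:37:16:37:40 | useClie ... ry, {}) | user-provided value |
-| testReactRelay.tsx:47:46:47:49 | data | testReactRelay.tsx:44:27:44:70 | useRefe ... omment) | testReactRelay.tsx:47:46:47:49 | data | Cross-site scripting vulnerability due to $@. | testReactRelay.tsx:44:27:44:70 | useRefe ... omment) | user-provided value |
-| testReactRelay.tsx:70:49:70:52 | data | testReactRelay.tsx:69:7:69:38 | usePagi ... ry, {}) | testReactRelay.tsx:70:49:70:52 | data | Cross-site scripting vulnerability due to $@. | testReactRelay.tsx:69:7:69:38 | usePagi ... ry, {}) | user-provided value |
-| testReactRelay.tsx:87:50:87:61 | feedbackText | testReactRelay.tsx:82:17:82:20 | data | testReactRelay.tsx:87:50:87:61 | feedbackText | Cross-site scripting vulnerability due to $@. | testReactRelay.tsx:82:17:82:20 | data | user-provided value |
-| testReactRelay.tsx:112:48:112:58 | fragmentRef | testReactRelay.tsx:99:14:99:16 | res | testReactRelay.tsx:112:48:112:58 | fragmentRef | Cross-site scripting vulnerability due to $@. | testReactRelay.tsx:99:14:99:16 | res | user-provided value |
-| testReactRelay.tsx:126:35:126:43 | data.user | testReactRelay.tsx:123:12:123:15 | data | testReactRelay.tsx:126:35:126:43 | data.user | Cross-site scripting vulnerability due to $@. | testReactRelay.tsx:123:12:123:15 | data | user-provided value |
-| testReactRelay.tsx:136:50:136:53 | data | testReactRelay.tsx:135:16:135:39 | readFra ... y, key) | testReactRelay.tsx:136:50:136:53 | data | Cross-site scripting vulnerability due to $@. | testReactRelay.tsx:135:16:135:39 | readFra ... y, key) | user-provided value |
+| testReactRelay.tsx:47:46:47:49 | data | testReactRelay.tsx:44:10:44:13 | data | testReactRelay.tsx:47:46:47:49 | data | Cross-site scripting vulnerability due to $@. | testReactRelay.tsx:44:10:44:13 | data | user-provided value |
+| testReactRelay.tsx:71:49:71:52 | data | testReactRelay.tsx:62:5:62:8 | data | testReactRelay.tsx:71:49:71:52 | data | Cross-site scripting vulnerability due to $@. | testReactRelay.tsx:62:5:62:8 | data | user-provided value |
+| testReactRelay.tsx:88:50:88:61 | feedbackText | testReactRelay.tsx:83:17:83:20 | data | testReactRelay.tsx:88:50:88:61 | feedbackText | Cross-site scripting vulnerability due to $@. | testReactRelay.tsx:83:17:83:20 | data | user-provided value |
+| testReactRelay.tsx:113:48:113:58 | fragmentRef | testReactRelay.tsx:100:14:100:16 | res | testReactRelay.tsx:113:48:113:58 | fragmentRef | Cross-site scripting vulnerability due to $@. | testReactRelay.tsx:100:14:100:16 | res | user-provided value |
+| testReactRelay.tsx:127:35:127:43 | data.user | testReactRelay.tsx:124:12:124:15 | data | testReactRelay.tsx:127:35:127:43 | data.user | Cross-site scripting vulnerability due to $@. | testReactRelay.tsx:124:12:124:15 | data | user-provided value |
+| testReactRelay.tsx:137:50:137:53 | data | testReactRelay.tsx:136:16:136:39 | readFra ... y, key) | testReactRelay.tsx:137:50:137:53 | data | Cross-site scripting vulnerability due to $@. | testReactRelay.tsx:136:16:136:39 | readFra ... y, key) | user-provided value |
 edges
 | test.jsx:5:11:5:63 | response | test.jsx:6:24:6:31 | response | provenance | |
 | test.jsx:5:22:5:63 | await f ... ntent") | test.jsx:5:11:5:63 | response | provenance | |
@@ -29,24 +29,22 @@ edges
 | testReactRelay.tsx:28:17:28:56 | usePrel ... erence) | testReactRelay.tsx:28:17:28:67 | usePrel ... r?.name | provenance | |
 | testReactRelay.tsx:37:9:37:40 | data | testReactRelay.tsx:38:49:38:52 | data | provenance | |
 | testReactRelay.tsx:37:16:37:40 | useClie ... ry, {}) | testReactRelay.tsx:37:9:37:40 | data | provenance | |
-| testReactRelay.tsx:44:9:44:23 | [data, refetch] | testReactRelay.tsx:44:9:44:70 | data | provenance | |
 | testReactRelay.tsx:44:9:44:70 | data | testReactRelay.tsx:47:46:47:49 | data | provenance | |
-| testReactRelay.tsx:44:27:44:70 | useRefe ... omment) | testReactRelay.tsx:44:9:44:23 | [data, refetch] | provenance | |
-| testReactRelay.tsx:60:9:69:3 | {\\n d ... ch,\\n } | testReactRelay.tsx:60:9:69:38 | data | provenance | |
-| testReactRelay.tsx:60:9:69:38 | data | testReactRelay.tsx:70:49:70:52 | data | provenance | |
-| testReactRelay.tsx:69:7:69:38 | usePagi ... ry, {}) | testReactRelay.tsx:60:9:69:3 | {\\n d ... ch,\\n } | provenance | |
-| testReactRelay.tsx:79:9:79:54 | feedbackText | testReactRelay.tsx:87:50:87:61 | feedbackText | provenance | |
-| testReactRelay.tsx:79:10:79:21 | feedbackText | testReactRelay.tsx:79:9:79:54 | feedbackText | provenance | |
-| testReactRelay.tsx:82:17:82:20 | data | testReactRelay.tsx:83:23:83:26 | data | provenance | |
-| testReactRelay.tsx:83:23:83:26 | data | testReactRelay.tsx:79:10:79:21 | feedbackText | provenance | |
-| testReactRelay.tsx:94:9:94:50 | fragmentRef | testReactRelay.tsx:112:48:112:58 | fragmentRef | provenance | |
-| testReactRelay.tsx:94:10:94:20 | fragmentRef | testReactRelay.tsx:94:9:94:50 | fragmentRef | provenance | |
-| testReactRelay.tsx:99:14:99:16 | res | testReactRelay.tsx:100:22:100:24 | res | provenance | |
-| testReactRelay.tsx:100:22:100:24 | res | testReactRelay.tsx:94:10:94:20 | fragmentRef | provenance | |
-| testReactRelay.tsx:123:12:123:15 | data | testReactRelay.tsx:126:35:126:38 | data | provenance | |
-| testReactRelay.tsx:126:35:126:38 | data | testReactRelay.tsx:126:35:126:43 | data.user | provenance | |
-| testReactRelay.tsx:135:9:135:39 | data | testReactRelay.tsx:136:50:136:53 | data | provenance | |
-| testReactRelay.tsx:135:16:135:39 | readFra ... y, key) | testReactRelay.tsx:135:9:135:39 | data | provenance | |
+| testReactRelay.tsx:44:10:44:13 | data | testReactRelay.tsx:44:9:44:70 | data | provenance | |
+| testReactRelay.tsx:61:9:70:38 | data | testReactRelay.tsx:71:49:71:52 | data | provenance | |
+| testReactRelay.tsx:62:5:62:8 | data | testReactRelay.tsx:61:9:70:38 | data | provenance | |
+| testReactRelay.tsx:80:9:80:54 | feedbackText | testReactRelay.tsx:88:50:88:61 | feedbackText | provenance | |
+| testReactRelay.tsx:80:10:80:21 | feedbackText | testReactRelay.tsx:80:9:80:54 | feedbackText | provenance | |
+| testReactRelay.tsx:83:17:83:20 | data | testReactRelay.tsx:84:23:84:26 | data | provenance | |
+| testReactRelay.tsx:84:23:84:26 | data | testReactRelay.tsx:80:10:80:21 | feedbackText | provenance | |
+| testReactRelay.tsx:95:9:95:50 | fragmentRef | testReactRelay.tsx:113:48:113:58 | fragmentRef | provenance | |
+| testReactRelay.tsx:95:10:95:20 | fragmentRef | testReactRelay.tsx:95:9:95:50 | fragmentRef | provenance | |
+| testReactRelay.tsx:100:14:100:16 | res | testReactRelay.tsx:101:22:101:24 | res | provenance | |
+| testReactRelay.tsx:101:22:101:24 | res | testReactRelay.tsx:95:10:95:20 | fragmentRef | provenance | |
+| testReactRelay.tsx:124:12:124:15 | data | testReactRelay.tsx:127:35:127:38 | data | provenance | |
+| testReactRelay.tsx:127:35:127:38 | data | testReactRelay.tsx:127:35:127:43 | data.user | provenance | |
+| testReactRelay.tsx:136:9:136:39 | data | testReactRelay.tsx:137:50:137:53 | data | provenance | |
+| testReactRelay.tsx:136:16:136:39 | readFra ... y, key) | testReactRelay.tsx:136:9:136:39 | data | provenance | |
 nodes
 | test.jsx:5:11:5:63 | response | semmle.label | response |
 | test.jsx:5:22:5:63 | await f ... ntent") | semmle.label | await f ... ntent") |
@@ -71,28 +69,26 @@ nodes
 | testReactRelay.tsx:37:9:37:40 | data | semmle.label | data |
 | testReactRelay.tsx:37:16:37:40 | useClie ... ry, {}) | semmle.label | useClie ... ry, {}) |
 | testReactRelay.tsx:38:49:38:52 | data | semmle.label | data |
-| testReactRelay.tsx:44:9:44:23 | [data, refetch] | semmle.label | [data, refetch] |
 | testReactRelay.tsx:44:9:44:70 | data | semmle.label | data |
-| testReactRelay.tsx:44:27:44:70 | useRefe ... omment) | semmle.label | useRefe ... omment) |
+| testReactRelay.tsx:44:10:44:13 | data | semmle.label | data |
 | testReactRelay.tsx:47:46:47:49 | data | semmle.label | data |
-| testReactRelay.tsx:60:9:69:3 | {\\n d ... ch,\\n } | semmle.label | {\\n d ... ch,\\n } |
-| testReactRelay.tsx:60:9:69:38 | data | semmle.label | data |
-| testReactRelay.tsx:69:7:69:38 | usePagi ... ry, {}) | semmle.label | usePagi ... ry, {}) |
-| testReactRelay.tsx:70:49:70:52 | data | semmle.label | data |
-| testReactRelay.tsx:79:9:79:54 | feedbackText | semmle.label | feedbackText |
-| testReactRelay.tsx:79:10:79:21 | feedbackText | semmle.label | feedbackText |
-| testReactRelay.tsx:82:17:82:20 | data | semmle.label | data |
-| testReactRelay.tsx:83:23:83:26 | data | semmle.label | data |
-| testReactRelay.tsx:87:50:87:61 | feedbackText | semmle.label | feedbackText |
-| testReactRelay.tsx:94:9:94:50 | fragmentRef | semmle.label | fragmentRef |
-| testReactRelay.tsx:94:10:94:20 | fragmentRef | semmle.label | fragmentRef |
-| testReactRelay.tsx:99:14:99:16 | res | semmle.label | res |
-| testReactRelay.tsx:100:22:100:24 | res | semmle.label | res |
-| testReactRelay.tsx:112:48:112:58 | fragmentRef | semmle.label | fragmentRef |
-| testReactRelay.tsx:123:12:123:15 | data | semmle.label | data |
-| testReactRelay.tsx:126:35:126:38 | data | semmle.label | data |
-| testReactRelay.tsx:126:35:126:43 | data.user | semmle.label | data.user |
-| testReactRelay.tsx:135:9:135:39 | data | semmle.label | data |
-| testReactRelay.tsx:135:16:135:39 | readFra ... y, key) | semmle.label | readFra ... y, key) |
-| testReactRelay.tsx:136:50:136:53 | data | semmle.label | data |
+| testReactRelay.tsx:61:9:70:38 | data | semmle.label | data |
+| testReactRelay.tsx:62:5:62:8 | data | semmle.label | data |
+| testReactRelay.tsx:71:49:71:52 | data | semmle.label | data |
+| testReactRelay.tsx:80:9:80:54 | feedbackText | semmle.label | feedbackText |
+| testReactRelay.tsx:80:10:80:21 | feedbackText | semmle.label | feedbackText |
+| testReactRelay.tsx:83:17:83:20 | data | semmle.label | data |
+| testReactRelay.tsx:84:23:84:26 | data | semmle.label | data |
+| testReactRelay.tsx:88:50:88:61 | feedbackText | semmle.label | feedbackText |
+| testReactRelay.tsx:95:9:95:50 | fragmentRef | semmle.label | fragmentRef |
+| testReactRelay.tsx:95:10:95:20 | fragmentRef | semmle.label | fragmentRef |
+| testReactRelay.tsx:100:14:100:16 | res | semmle.label | res |
+| testReactRelay.tsx:101:22:101:24 | res | semmle.label | res |
+| testReactRelay.tsx:113:48:113:58 | fragmentRef | semmle.label | fragmentRef |
+| testReactRelay.tsx:124:12:124:15 | data | semmle.label | data |
+| testReactRelay.tsx:127:35:127:38 | data | semmle.label | data |
+| testReactRelay.tsx:127:35:127:43 | data.user | semmle.label | data.user |
+| testReactRelay.tsx:136:9:136:39 | data | semmle.label | data |
+| testReactRelay.tsx:136:16:136:39 | readFra ... y, key) | semmle.label | readFra ... y, key) |
+| testReactRelay.tsx:137:50:137:53 | data | semmle.label | data |
 subpaths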

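--- a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXssWithResponseThreat/testReactRelay.tsx
+++ b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXssWithResponseThreat/testReactRelay.tsx
@@ -45,6 +45,7 @@ function func5({ query, props }) {
 return (
 <>
 <h1 dangerouslySetInnerHTML={{ __html: data }} /> // $ Alert
+<h1 dangerouslySetInnerHTML={{ __html: refetch }} />
 <Button
 onClick={() => {
 refetch({ lang: "SPANISH" }, { fetchPolicy: "store-or-network" });
@@ -58,15 +59,15 @@ import { usePaginationFragment } from "react-relay";
 
 function func6({ query }) {
 const {
-data,
+data, // $ Source
 loadNext,
 loadPrevious,
 hasNext,
 hasPrevious,
 isLoadingNext,
 isLoadingPrevious,
 refetch,
-} = usePaginationFragment(query, {}); // $ Source
+} = usePaginationFragment(query, {});
 return <h1 dangerouslySetInnerHTML={{ __html: data }} />; // $ Alert
 }
 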