
CodeQL raises js/remote-property-injection finding #239

Description

@MiikaKarkkainen

Describe the bug

CodeQL's javascript-security-extended.qls suite finds a js/remote-property-injection vulnerability.

To Reproduce

Prerequisites:
Have CodeQL installed, ensure that queries are at least on version 2.1.2.
Have a way to view SARIF content, e.g. Visual Studio Code's SARIF extension.

Steps:

  • Create CodeQL database from dist folder content: codeql database create ./codeql-db --language=javascript --overwrite
  • Run javascript-security-extended suite: codeql database analyze ./codeql-db codeql/javascript-queries:codeql-suites/javascript-security-extended.qls --format=sarifv2.1.0 --output=codeql-results.sarif
  • Examine codeql-results.sarif; it contains the mentioned vulnerability.

Expected behavior

CodeQL doesn't raise any findings.

Setup details

The scanned version of url-parse was 1.5.10.
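One way to do the "examine codeql-results.sarif" step without a viewer is to parse the SARIF v2.1.0 output and list results for a given rule id, which also makes the finding gateable in CI. This is an added example, not code from the issue or from url-parse; the embedded SARIF document, its file path, line number and message text are constructed placeholders.

```python
"""List CodeQL SARIF v2.1.0 results for one rule id (added example)."""
import json
import sys

# Constructed SARIF 2.1.0 document in the shape produced by
# `codeql database analyze --format=sarifv2.1.0`; all values are placeholders.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "CodeQL"}},
        "results": [
            {
                "ruleId": "js/remote-property-injection",
                "message": {"text": "constructed message: property name depends on user input"},
                "locations": [{"physicalLocation": {
                    "artifactLocation": {"uri": "dist/placeholder.js"},
                    "region": {"startLine": 42}}}],
            },
            {
                "ruleId": "js/unused-local-variable",
                "message": {"text": "constructed message: unused variable"},
                "locations": [{"physicalLocation": {
                    "artifactLocation": {"uri": "dist/placeholder.js"},
                    "region": {"startLine": 7}}}],
            },
        ],
    }],
})


def findings_for_rule(sarif_text, rule_id):
    """Return a list of (uri, startLine, message) for every result with rule_id."""
    doc = json.loads(sarif_text)
    hits = []
    for run in doc.get("runs", []):
        for result in run.get("results", []):
            if result.get("ruleId") != rule_id:
                continue
            msg = result.get("message", {}).get("text", "")
            # A result may carry several locations; report each one.
            for loc in result.get("locations", []):
                phys = loc.get("physicalLocation", {})
                uri = phys.get("artifactLocation", {}).get("uri")
                line = phys.get("region", {}).get("startLine")
                hits.append((uri, line, msg))
    return hits


if __name__ == "__main__":
    # Usage: python check_sarif.py codeql-results.sarif [rule-id]
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_SARIF
    rule = sys.argv[2] if len(sys.argv) > 2 else "js/remote-property-injection"
    found = findings_for_rule(text, rule)
    for uri, line, msg in found:
        print(f"{rule}: {uri}:{line}: {msg}")
    sys.exit(1 if found else 0)  # non-zero exit lets a CI job fail on the finding
```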
