// This file appears to be a static-analysis test fixture for the
// js/code-injection query: every handler below deliberately lets a value from
// request.query reach eval(). The trailing Source/Alert marker comments look
// like inline test expectations (taint source line / expected alert line) and
// are kept verbatim. Application code would parse or validate such input
// instead of evaluating it.
const fastify = require('fastify')({ logger: true });
// onRequest hook: reads the `onRequest` query parameter and, when it is
// truthy, evaluates it as JavaScript and stores the result on the request.
fastify.addHook('onRequest', async (request, reply) => {
const userInput = request.query.onRequest; // $ Source[js/code-injection]
if (userInput) request.evalResult = eval(userInput); // $ Alert[js/code-injection]
});
// onSend hook: evaluates the `onSend` query parameter when it is truthy, then
// returns a new JSON payload with request.evalResult added under `onSend`.
// Because the returned string is what the hook hands back as the payload, the
// eval result is exposed in the response body, not only kept on the request.
fastify.addHook('onSend', async (request, reply, payload) => {
const userInput = request.query.onSend; // $ Source[js/code-injection]
if (userInput) request.evalResult = eval(userInput); // $ Alert[js/code-injection]
// JSON.parse throws unless `payload` is a JSON string; presumably every route
// in this fixture replies with a JSON object (confirm). request.evalResult may
// also carry a value assigned by another hook in this file.
return JSON.stringify({ ...JSON.parse(payload), onSend: request.evalResult });
});
// preParsing hook: evaluates the `preParsing` query parameter when it is
// truthy and stores the result on the request; the payload argument is
// returned unchanged.
fastify.addHook('preParsing', async (request, reply, payload) => {
const userInput = request.query.preParsing; // $ Source[js/code-injection]
if (userInput) request.evalResult = eval(userInput); // $ Alert[js/code-injection]
return payload;
});
// preValidation hook: evaluates the `preValidation` query parameter when it is
// truthy. The value comes straight from request.query and nothing in this
// hook checks it before it reaches eval().
fastify.addHook('preValidation', async (request, reply) => {
const userInput = request.query.preValidation; // $ Source[js/code-injection]
if (userInput) request.evalResult = eval(userInput); // $ Alert[js/code-injection]
});
// preHandler hook: same source-to-sink shape, keyed on the `preHandler`
// query parameter.
fastify.addHook('preHandler', async (request, reply) => {
const userInput = request.query.preHandler; // $ Source[js/code-injection]
if (userInput) request.evalResult = eval(userInput); // $ Alert[js/code-injection]
});
// preSerialization hook: evaluates the `preSerialization` query parameter when
// it is truthy and stores the result on the request; the payload argument is
// returned unchanged.
fastify.addHook('preSerialization', async (request, reply, payload) => {
const userInput = request.query.preSerialization; // $ Source[js/code-injection]
if (userInput) request.evalResult = eval(userInput); // $ Alert[js/code-injection]
return payload;
});
// onResponse hook: evaluates the `onResponse` query parameter when it is
// truthy. The result is only stored on the request; this hook returns nothing.
fastify.addHook('onResponse', async (request, reply) => {
const userInput = request.query.onResponse; // $ Source[js/code-injection]
if (userInput) request.evalResult = eval(userInput); // $ Alert[js/code-injection]
});
// onError hook: same source-to-sink shape, keyed on the `onError` query
// parameter. The `error` argument is not used.
fastify.addHook('onError', async (request, reply, error) => {
const userInput = request.query.onError; // $ Source[js/code-injection]
if (userInput) request.evalResult = eval(userInput); // $ Alert[js/code-injection]
});
// onTimeout hook: same source-to-sink shape, keyed on the `onTimeout` query
// parameter.
fastify.addHook('onTimeout', async (request, reply) => {
const userInput = request.query.onTimeout; // $ Source[js/code-injection]
if (userInput) request.evalResult = eval(userInput); // $ Alert[js/code-injection]
});
// onRequestAbort hook, written in callback style: it receives (request, done)
// and is not async, unlike the other hooks in this file. It evaluates the
// `onRequestAbort` query parameter when it is truthy.
// NOTE(review): `done` is never invoked here; that is harmless if the file is
// only analysed statically, but a running server would presumably expect the
// callback to be called. Confirm.
fastify.addHook('onRequestAbort', (request, done) => {
const userInput = request.query.onRequestAbort; // $ Source[js/code-injection]
if (userInput) request.evalResult = eval(userInput); // $ Alert[js/code-injection]
});
// GET /dangerous: evaluates the `input` query parameter and returns the
// result to the caller as { result }. This route has two separate eval sinks
// fed by the same source, each with its own expected alert.
fastify.get('/dangerous', async (request, reply) => {
const userInput = request.query.input; // $ Source[js/code-injection]
// Guarded sink: runs only when the parameter is truthy.
if (userInput) request.evalResult = eval(userInput); // $ Alert[js/code-injection]
// Unguarded sink: runs on every request, so a truthy input is evaluated a
// second time (side effects repeat) and a missing input is still passed to eval().
const result = eval(userInput); // $ Alert[js/code-injection]
return { result };
});
// Store user input in request object.
// This hook is the taint source only: it copies the `storedCode` query
// parameter onto request.storedCode without evaluating it, so the eval sink
// sits in a different function from the source.
fastify.addHook('preHandler', async (request, reply) => {
request.storedCode = request.query.storedCode; // $ Source[js/code-injection]
});
// GET /flow-through-request: evaluates request.storedCode when it is truthy
// and returns the result; otherwise returns { result: null }. The expected
// alert here depends on the analysis tracking the value through a property of
// the request object from the hook above to this handler.
fastify.get('/flow-through-request', async (request, reply) => {
// Use the stored code from previous hook
if (request.storedCode) {
const evaluatedResult = eval(request.storedCode); // $ Alert[js/code-injection]
return { result: evaluatedResult };
}
return { result: null };
});
// Store user input in reply object.
// Source only: copies the `replyCode` query parameter onto reply.userCode
// without evaluating it.
fastify.addHook('onRequest', async (request, reply) => {
reply.userCode = request.query.replyCode; // $ Source[js/code-injection]
});
// GET /flow-through-reply: evaluates reply.userCode when it is truthy and
// returns the result; otherwise returns { result: null }. Same cross-function
// flow as a request-object property, but carried on the reply object.
fastify.get('/flow-through-reply', async (request, reply) => {
// Use the code stored in reply object
if (reply.userCode) {
const replyResult = eval(reply.userCode); // $ Alert[js/code-injection]
return { result: replyResult };
}
return { result: null };
});
// Store user input in a nested property of the reply object.
// Source only: creates reply.locals if it is missing, then copies the
// `replyCode` query parameter into reply.locals.nestedCode without evaluating it.
fastify.addHook('onRequest', async (request, reply) => {
reply.locals = reply.locals || {};
reply.locals.nestedCode = request.query.replyCode; // $ Source[js/code-injection]
});
// GET /flow-through-reply (nested variant): evaluates reply.locals.nestedCode
// when reply.locals exists and the value is truthy; otherwise returns
// { result: null }. The flow crosses two property levels on the reply object.
// NOTE(review): this method and path are also registered by an earlier
// fastify.get call in this file; Fastify normally rejects a duplicate route
// at registration, so the file is presumably never started as a server. Confirm.
fastify.get('/flow-through-reply', async (request, reply) => {
// Use the code stored in reply object
if (reply.locals && reply.locals.nestedCode) {
const replyResult = eval(reply.locals.nestedCode); // $ Alert[js/code-injection]
return { result: replyResult };
}
return { result: null };
});