This repository was archived by the owner on Nov 19, 2025. It is now read-only.

[NEW QUERY] Add DemoJsCodeInjection query for detecting JavaScript code injection vulnerabilities #2

Closed
Copilot wants to merge 3 commits into main from copilot/add-code-injection-detection

Conversation


Copilot AI commented Nov 18, 2025

📝 Query Information

  • Language: javascript
  • Query ID: js/demo-code-injection
  • Category: security
  • Severity: error (security-severity 9.3)
  • CWE/CVE (if applicable): CWE-094

🎯 Description

What This Query Detects

Tracks taint flow from user-controlled input to code execution sinks (eval(), Function(), setTimeout()/setInterval() with strings). Leverages CodeQL's standard CodeInjectionQuery library for precision.

Example Vulnerable Code

// Code injection via eval
app.get('/calc', (req, res) => {
  const expr = req.query.expression;
  const result = eval(expr); // User input flows to eval()
  res.send(result.toString());
});

// Code injection via Function constructor
app.get('/execute', (req, res) => {
  const code = req.body.code;
  const fn = new Function(code); // Dynamic function from user input
  fn();
});

// Code injection via setTimeout
app.get('/delayed', (req, res) => {
  const action = req.query.action;
  setTimeout(action, 1000); // String-based timer execution
});

Example Safe Code

// Safe calculation without eval
app.get('/safe-calc', (req, res) => {
  const a = parseInt(req.query.a, 10);
  const b = parseInt(req.query.b, 10);
  const result = a + b; // No code execution
  res.send(result.toString());
});

🧪 Testing

  • Positive test cases included
  • Negative test cases included
  • Edge cases covered
  • All tests pass

📋 Checklist

  • Query compiles without errors
  • Documentation complete (.md and .qhelp)
  • Metadata properly set (@name, @id, @kind, etc.)
  • Tests validate query behavior
  • No false positives in test cases

🔗 References


Note: This query was developed using Test-Driven Development methodology.

Original prompt

This section details the original issue you should resolve

<issue_title>[Query Create]: Detect code injection vulnerability in juice-shop/juice-shop app</issue_title>
<issue_description>
Target Language

javascript

Query Name (Optional)

DemoJsCodeInjection

Query Type

Security

Query Description

https://github.com/github/codeql/blob/main/javascript/ql/src/Security/CWE-094/CodeInjection.inc.qhelp

Expected Severity

Critical

Code Examples

https://github.com/juice-shop/juice-shop/blob/master/routes/showProductReviews.ts

https://github.com/juice-shop/juice-shop/blob/master/lib/utils.ts

CWE/CVE Reference (Optional)

CWE-094

References (Optional)

Expected query test results

Code of Conduct

  • I agree to follow this project's Code of Conduct</issue_description>

Comments on the Issue (you are @copilot in this section)

Custom agent used: QL Test Driven Developer Agent
Develops a new and/or improved CodeQL query by following test-driven-development (TDD) best practices for ql code.


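The PR's safe example only covers the eval() case. As an added example that is not part of this PR, the CodeQL query, or the juice-shop project, the following JavaScript shows one defender-side replacement for each of the three sinks the query flags: a restricted arithmetic parser in place of eval(), and a fixed handler table in place of new Function() and setTimeout() called with a string. The function names safeCalc, lookupAction, runAction and scheduleAction, the ACTIONS table and the sample inputs are constructed for illustration; the Express app in the trailing comment is assumed. It runs stand-alone under Node.js.

```javascript
// Added example, not code from the PR or from juice-shop. One safe
// replacement for each sink the query flags: eval(), new Function(), and
// setTimeout()/setInterval() called with a string. Names (safeCalc,
// lookupAction, runAction, scheduleAction, ACTIONS) are assumptions.

// --- 1. Arithmetic without eval() -------------------------------------
// A small recursive-descent evaluator that understands only numbers,
// + - * /, unary minus and parentheses. Anything else is rejected, so the
// request parameter never reaches a code-execution sink.
function safeCalc(expr) {
  const text = String(expr);
  const tokens = text.match(/\d+(?:\.\d+)?|[-+*/()]/g) || [];
  // Reject any character the tokenizer skipped (letters, '.', quotes, ...).
  if (tokens.join('') !== text.replace(/\s+/g, '')) {
    throw new Error('expression contains unsupported characters');
  }
  let pos = 0;
  const peek = () => tokens[pos];
  const next = () => tokens[pos++];

  function parseExpr() {   // expr := term (('+' | '-') term)*
    let value = parseTerm();
    while (peek() === '+' || peek() === '-') {
      const op = next();
      const rhs = parseTerm();
      value = op === '+' ? value + rhs : value - rhs;
    }
    return value;
  }
  function parseTerm() {   // term := factor (('*' | '/') factor)*
    let value = parseFactor();
    while (peek() === '*' || peek() === '/') {
      const op = next();
      const rhs = parseFactor();
      value = op === '*' ? value * rhs : value / rhs;
    }
    return value;
  }
  function parseFactor() { // factor := number | '-' factor | '(' expr ')'
    const tok = next();
    if (tok === undefined) throw new Error('unexpected end of expression');
    if (tok === '-') return -parseFactor();
    if (tok === '(') {
      const value = parseExpr();
      if (next() !== ')') throw new Error('missing closing parenthesis');
      return value;
    }
    if (/^\d/.test(tok)) return Number(tok);
    throw new Error(`unexpected token ${tok}`);
  }

  const result = parseExpr();
  if (pos !== tokens.length) throw new Error('unexpected trailing input');
  return result;
}

// --- 2. Dispatch without new Function() or setTimeout(string) ----------
// User input only selects a key in a frozen table of handlers; what runs
// is always a function reference defined here, never a string built from
// the request. The hasOwnProperty check keeps keys such as "constructor"
// or "__proto__" from resolving through the prototype chain.
const ACTIONS = Object.freeze({
  ping: () => 'pong',
  time: () => 'tick',
});

function lookupAction(name) {
  if (typeof name !== 'string' ||
      !Object.prototype.hasOwnProperty.call(ACTIONS, name)) {
    throw new Error(`unknown action: ${String(name)}`);
  }
  return ACTIONS[name];
}

// Replacement for new Function(code)(): run a known handler by name.
function runAction(name) {
  return lookupAction(name)();
}

// Replacement for setTimeout(action, 1000): validate first, then schedule
// a function reference. Resolves with the handler's return value.
function scheduleAction(name, delayMs) {
  const handler = lookupAction(name); // throws synchronously on bad input
  return new Promise((resolve) => {
    setTimeout(() => resolve(handler()), delayMs);
  });
}

// Express-style usage (the app object is assumed, not defined here):
//   app.get('/calc', (req, res) => {
//     try { res.send(String(safeCalc(req.query.expression))); }
//     catch (e) { res.status(400).send(e.message); }
//   });
```

The tokenizer-then-compare step is what makes safeCalc strict: any character the regular expression did not consume (letters, dots, quotes) causes a mismatch and the request is rejected before parsing starts. The handler table is the same idea for control flow: the request chooses among handlers that already exist, so the query's taint path from req.query into a code-execution sink no longer exists.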

Copilot AI and others added 2 commits November 18, 2025 16:48
Co-authored-by: data-douser <70299490+data-douser@users.noreply.github.com>
Co-authored-by: data-douser <70299490+data-douser@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Add query to detect code injection vulnerability" to "[NEW QUERY] Add DemoJsCodeInjection query for detecting JavaScript code injection vulnerabilities" on Nov 18, 2025
Copilot AI requested a review from data-douser November 18, 2025 16:54


Development

Successfully merging this pull request may close these issues.

[Query Create]: Detect code injection vulnerability in juice-shop/juice-shop app
