Merge pull request #11547 from mattrothenberg/main

erik-krogh · web-flow · commit 1c7cae462044 · 2022-12-02T16:00:13.000+01:00
fix: use WHATWG URL for JS examples
diff --git a/javascript/ql/src/Security/CWE-918/examples/RequestForgeryBad.js b/javascript/ql/src/Security/CWE-918/examples/RequestForgeryBad.js
@@ -1,8 +1,7 @@
 import http from 'http';
-import url from 'url';
 
-var server = http.createServer(function(req, res) {
-    var target = url.parse(req.url, true).query.target;
+const server = http.createServer(function(req, res) {
+    const target = new URL(req.url, "http://example.com").searchParams.get("target");
 
     // BAD: `target` is controlled by the attacker
     http.get('https://' + target + ".example.com/data/", res => {
diff --git a/javascript/ql/src/Security/CWE-918/examples/RequestForgeryGood.js b/javascript/ql/src/Security/CWE-918/examples/RequestForgeryGood.js
@@ -1,10 +1,9 @@
 import http from 'http';
-import url from 'url';
 
-var server = http.createServer(function(req, res) {
-    var target = url.parse(req.url, true).query.target;
+const server = http.createServer(function(req, res) {
+    const target = new URL(req.url, "http://example.com").searchParams.get("target");
 
-    var subdomain;
+    let subdomain;
     if (target === 'EU') {
         subdomain = "europe"
     } else {
