Added additional test cases for firebase-admin

Napalys · Napalys · commit 0ed3758a1e53 · 2025-04-16T12:15:21.000+02:00
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/firebase-client.js b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/firebase-client.js
@@ -44,3 +44,12 @@ firebase.database().ref("users/12345/profile").once("value", (snapshot) => {
       document.getElementById("userData").innerHTML = parentSnapshot.val(); // $ Alert
     });
 });
+
+function fun2(category){
+    dbPath = 'users/' + firebase.auth().currentUser.uid;
+    dbRef = firebase.database().ref(dbPath);
+    dbRef.set({'test': randomString}).then(function() {return dbRef.once('value');}).then(function(snapshot) {
+        document.getElementById("userData").innerHTML = snapshot.val(); // $ MISSING: Alert
+        return dbRef.remove();
+    }); 
+}
diff --git a/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/firebase-server.js b/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/firebase-server.js
@@ -17,3 +17,40 @@ functions.database.ref('x').onUpdate(x => {
         eval(grandParentSnapshot.val()); // $ Alert[js/code-injection]
     });
 });
+functions.database.ref('/messages/{messageId}').onWrite((change, context) => {
+    eval(change.after.val()); // $ MISSING: Alert[js/code-injection]
+    eval(change.before.val()); // $ MISSING: Alert[js/code-injection]
+});
+
+functions.database.ref('/messages/{messageId}').onDelete((change, context) => {
+    eval(change.val()); // $ MISSING: Alert[js/code-injection]
+    eval(change.val()); // $ MISSING: Alert[js/code-injection]
+});
+
+functions.database.ref('/status/{uid}').onUpdate(async (change, context) => {
+    const eventStatus = change.after.val();
+    const statusSnapshot = await change.after.ref.once('value');
+    const status = eval(statusSnapshot.val()); // $ MISSING: Alert[js/code-injection]
+    return null;
+});
+  
+function fun(category){
+    let query = admin.database().ref(`/users/messages`);
+    query = query.orderByChild('category').equalTo(category);
+    const snapshot = query.once('value');
+    let messages = [];
+    snapshot.forEach((childSnapshot) => {
+      messages.push({key: childSnapshot.key, message: childSnapshot.val().message});
+      eval(childSnapshot.val()); // $ MISSING: Alert[js/code-injection]
+    });
+}
+  
+async function fun3(uid, postId, size) {
+    let app;
+    const config = JSON.parse(process.env.FIREBASE_CONFIG);
+    config.databaseAuthVariableOverride = {uid: uid};
+    app = admin.initializeApp(config, uid);
+    const imageUrlRef = app.database().ref(`/posts`);
+    const snap = await imageUrlRef.once('value');
+    eval(snap.val()); // $ MISSING: Alert[js/code-injection]
+}
