Update javascript/ql/src/experimental/Security/CWE-020/PostMessageNoOriginCheck.ql

dellalibera · esbena · web-flow · commit 68b2a6c8482f · 2020-06-16T18:27:21.000+02:00
Co-authored-by: Esben Sparre Andreasen &lt;esbena@github.com&gt;
diff --git a/javascript/ql/src/experimental/Security/CWE-020/PostMessageNoOriginCheck.ql b/javascript/ql/src/experimental/Security/CWE-020/PostMessageNoOriginCheck.ql
@@ -65,5 +65,5 @@ class PostMessageEvent extends DataFlow::SourceNode {
 }
 
 from PostMessageEvent event
-where not event.hasOriginChecked()
+where not event.hasOriginChecked() or event.hasOriginInsufficientlyChecked()
 select event, "Missing or unsafe origin verification"

Original file line number	Diff line number	Diff line change
`@@ -65,5 +65,5 @@ class PostMessageEvent extends DataFlow::SourceNode {`
`65`	`65`	`}`
`66`	`66`
`67`	`67`	`from PostMessageEvent event`
`68`		`-where not event.hasOriginChecked()`
	`68`	`+where not event.hasOriginChecked() or event.hasOriginInsufficientlyChecked()`
`69`	`69`	`select event, "Missing or unsafe origin verification"`