From 76e56cdac7518e6100095d7101b73b0ba8c7ad65 Mon Sep 17 00:00:00 2001
From: Remco Vermeulen
Date: Mon, 9 Oct 2023 12:52:09 -0700
Subject: [PATCH 1/2] Adjust query severities
---
 javascript/ql/src/Security/CWE-079/ReflectedXss.ql | 2 +-
 javascript/ql/src/Security/CWE-079/StoredXss.ql | 2 +-
 javascript/ql/src/Security/CWE-079/Xss.ql | 2 +-
 javascript/ql/src/Security/CWE-079/XssThroughDom.ql | 2 +-
 javascript/ql/src/Security/CWE-117/LogInjection.ql | 2 +-
 .../2023-10-09-adjust-xss-and-log-injection-severity.md | 6 ++++++
 6 files changed, 11 insertions(+), 5 deletions(-)
 create mode 100644 javascript/ql/src/change-notes/2023-10-09-adjust-xss-and-log-injection-severity.md
diff --git a/javascript/ql/src/Security/CWE-079/ReflectedXss.ql b/javascript/ql/src/Security/CWE-079/ReflectedXss.ql
index a95a7aec205b..9bed0516d189 100644
--- a/javascript/ql/src/Security/CWE-079/ReflectedXss.ql
+++ b/javascript/ql/src/Security/CWE-079/ReflectedXss.ql
@@ -4,7 +4,7 @@
 * a cross-site scripting vulnerability.
 * @kind path-problem
 * @problem.severity error
- * @security-severity 6.1
+ * @security-severity 7.8
 * @precision high
 * @id js/reflected-xss
 * @tags security
diff --git a/javascript/ql/src/Security/CWE-079/StoredXss.ql b/javascript/ql/src/Security/CWE-079/StoredXss.ql
index d5f28b28e557..0c7402b3b687 100644
--- a/javascript/ql/src/Security/CWE-079/StoredXss.ql
+++ b/javascript/ql/src/Security/CWE-079/StoredXss.ql
@@ -4,7 +4,7 @@
 * a stored cross-site scripting vulnerability.
 * @kind path-problem
 * @problem.severity error
- * @security-severity 6.1
+ * @security-severity 7.8
 * @precision high
 * @id js/stored-xss
 * @tags security
diff --git a/javascript/ql/src/Security/CWE-079/Xss.ql b/javascript/ql/src/Security/CWE-079/Xss.ql
index 63a56b2a3b3f..8e67d249fa94 100644
--- a/javascript/ql/src/Security/CWE-079/Xss.ql
+++ b/javascript/ql/src/Security/CWE-079/Xss.ql
@@ -4,7 +4,7 @@
 * a cross-site scripting vulnerability.
 * @kind path-problem
 * @problem.severity error
- * @security-severity 6.1
+ * @security-severity 7.8
 * @precision high
 * @id js/xss
 * @tags security
diff --git a/javascript/ql/src/Security/CWE-079/XssThroughDom.ql b/javascript/ql/src/Security/CWE-079/XssThroughDom.ql
index 87a76d822277..c23ddf168b02 100644
--- a/javascript/ql/src/Security/CWE-079/XssThroughDom.ql
+++ b/javascript/ql/src/Security/CWE-079/XssThroughDom.ql
@@ -4,7 +4,7 @@
 * can lead to a cross-site scripting vulnerability.
 * @kind path-problem
 * @problem.severity warning
- * @security-severity 6.1
+ * @security-severity 7.8
 * @precision high
 * @id js/xss-through-dom
 * @tags security
diff --git a/javascript/ql/src/Security/CWE-117/LogInjection.ql b/javascript/ql/src/Security/CWE-117/LogInjection.ql
index d80c3214e74b..6a2176a9e9f8 100644
--- a/javascript/ql/src/Security/CWE-117/LogInjection.ql
+++ b/javascript/ql/src/Security/CWE-117/LogInjection.ql
@@ -4,7 +4,7 @@
 * insertion of forged log entries by a malicious user.
 * @kind path-problem
 * @problem.severity error
- * @security-severity 7.8
+ * @security-severity 6.1
 * @precision medium
 * @id js/log-injection
 * @tags security
diff --git a/javascript/ql/src/change-notes/2023-10-09-adjust-xss-and-log-injection-severity.md b/javascript/ql/src/change-notes/2023-10-09-adjust-xss-and-log-injection-severity.md
new file mode 100644
index 000000000000..997edbf7981a
--- /dev/null
+++ b/javascript/ql/src/change-notes/2023-10-09-adjust-xss-and-log-injection-severity.md
@@ -0,0 +1,6 @@
+---
+category: queryMetadata
+---
+
+* Lower the severity of log-injection to medium.
+* Increase the severity of XSS to high.
\ No newline at end of file
From 6bd7047e415915ea6d50db3a1212e145192dda53 Mon Sep 17 00:00:00 2001
From: Remco Vermeulen
Date: Tue, 14 Nov 2023 11:20:51 -0800
Subject: [PATCH 2/2] Restore XssThroughDom.ql's severity
---
 javascript/ql/src/Security/CWE-079/XssThroughDom.ql | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/javascript/ql/src/Security/CWE-079/XssThroughDom.ql b/javascript/ql/src/Security/CWE-079/XssThroughDom.ql
index c23ddf168b02..87a76d822277 100644
--- a/javascript/ql/src/Security/CWE-079/XssThroughDom.ql
+++ b/javascript/ql/src/Security/CWE-079/XssThroughDom.ql
@@ -4,7 +4,7 @@
 * can lead to a cross-site scripting vulnerability.
 * @kind path-problem
 * @problem.severity warning
- * @security-severity 7.8
+ * @security-severity 6.1
 * @precision high
 * @id js/xss-through-dom
 * @tags security
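Review bot: Restoring `@security-severity 6.1` for `js/xss-through-dom` leaves the change note added in patch 1/2 inaccurate, because it still reads `* Increase the severity of XSS to high.` while this query stays in the medium band and only `js/reflected-xss`, `js/stored-xss` and `js/xss` move to 7.8. The note should name the affected query ids, for example `* Increase the severity of the js/reflected-xss, js/stored-xss and js/xss queries to high.`, so that teams who filter or gate alerts by severity can tell which results will change. Neither commit message records why DOM-sourced XSS is scored lower than the other three XSS queries; one sentence of rationale in the description would make the split easier to keep consistent later. The query's metadata comment starts and ends outside the hunk.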