diff --git a/example/README.md b/example/README.md index ee1d90d..d9f76ea 100644 --- a/example/README.md +++ b/example/README.md @@ -178,9 +178,9 @@ module.exports = function f(source) { return exec(source); }; -let esl_symbolic = require("esl_symbolic"); +var esl_symbolic = require("esl_symbolic"); esl_symbolic.sealProperties(Object.prototype); // Vuln: command-injection -let source = [ esl_symbolic.string("source0") ]; +var source = [ esl_symbolic.string("source0") ]; module.exports(source); ``` diff --git a/src/instrumentation/vuln_literal.ml b/src/instrumentation/vuln_literal.ml index 27482e6..4d58361 100644 --- a/src/instrumentation/vuln_literal.ml +++ b/src/instrumentation/vuln_literal.ml @@ -71,7 +71,7 @@ and pp_obj_props map fmt props = and pp_params_as_decl map fmt (params : (string * param_type) list) = pp_print_list ~pp_sep:(fun fmt () -> fprintf fmt ";@\n") - (pp_param map "@[let %s =@ %a@]") + (pp_param map "@[var %s =@ %a@]") fmt params let pp_params_as_args fmt (args : (string * 'a) list) = diff --git a/src/instrumentation/vuln_symbolic.ml b/src/instrumentation/vuln_symbolic.ml index da7854b..b20abdc 100644 --- a/src/instrumentation/vuln_symbolic.ml +++ b/src/instrumentation/vuln_symbolic.ml @@ -2,13 +2,13 @@ open Format open Vuln_intf let template0 : ('a, Format.formatter, unit) format = - "let esl_symbolic = require(\"esl_symbolic\");@\n\ + "var esl_symbolic = require(\"esl_symbolic\");@\n\ esl_symbolic.sealProperties(Object.prototype);@\n\ // Vuln: %a@\n\ %a" let template1 : ('a, Format.formatter, unit) format = - "let esl_symbolic = require(\"esl_symbolic\");@\n\ + "var esl_symbolic = require(\"esl_symbolic\");@\n\ // Vuln: %a@\n\ %a@\n\ if (({}).toString == \"polluted\") { throw Error(\"I pollute.\"); }" @@ -69,7 +69,7 @@ and pp_obj_props fmt props = and pp_params_as_decl fmt (params : (string * param_type) list) = pp_print_list ~pp_sep:(fun fmt () -> fprintf fmt ";@\n") - (pp_param "@[let %s =@ %a@]") + (pp_param "@[var %s =@ %a@]") fmt params let pp_params_as_args fmt (args : (string * 'a) list) = diff --git a/test/instrumentation/test_literal.t b/test/instrumentation/test_literal.t index 78d3eb4..14a3740 100644 --- a/test/instrumentation/test_literal.t +++ b/test/instrumentation/test_literal.t @@ -5,5 +5,5 @@ } // Vuln: command-injection - let some_arg = "sou um valor concreto!"; + var some_arg = "sou um valor concreto!"; module.exports(some_arg); diff --git a/test/instrumentation/test_toy.t b/test/instrumentation/test_toy.t index 868ad28..ea8b47b 100644 --- a/test/instrumentation/test_toy.t +++ b/test/instrumentation/test_toy.t @@ -7,10 +7,10 @@ Test toy examples: return exec(x); }; - let esl_symbolic = require("esl_symbolic"); + var esl_symbolic = require("esl_symbolic"); esl_symbolic.sealProperties(Object.prototype); // Vuln: command-injection - let x = esl_symbolic.string("x"); + var x = esl_symbolic.string("x"); module.exports(x); $ instrumentation2 symbolic toy/vfunretbyexport.json -o - Genrating - @@ -23,12 +23,12 @@ Test toy examples: }; }; - let esl_symbolic = require("esl_symbolic"); + var esl_symbolic = require("esl_symbolic"); esl_symbolic.sealProperties(Object.prototype); // Vuln: code-injection - let a = esl_symbolic.string("a"); + var a = esl_symbolic.string("a"); var ret_f1 = f1(a); - let b = esl_symbolic.number("b"); + var b = esl_symbolic.number("b"); ret_f1(b); function f1(a) { return function f2(b) { @@ -38,12 +38,12 @@ Test toy examples: }; }; - let esl_symbolic = require("esl_symbolic"); + var esl_symbolic = require("esl_symbolic"); esl_symbolic.sealProperties(Object.prototype); // Vuln: code-injection - let a = esl_symbolic.string("a"); + var a = esl_symbolic.string("a"); var ret_f1 = f1(a); - let b = esl_symbolic.number("b"); + var b = esl_symbolic.number("b"); ret_f1(b); $ instrumentation2 symbolic toy/vfunpropofexportedobj.json toy/vfunpropofexportedobj.js -o - Genrating - @@ -61,12 +61,12 @@ Test toy examples: module.exports.Obj = Obj; - let esl_symbolic = require("esl_symbolic"); + var esl_symbolic = require("esl_symbolic"); esl_symbolic.sealProperties(Object.prototype); // Vuln: code-injection - let source = esl_symbolic.string("source"); + var source = esl_symbolic.string("source"); var ret_module_exports_Obj = module.exports.Obj(source); - let obj = { cond: esl_symbolic.number("cond") }; + var obj = { cond: esl_symbolic.number("cond") }; ret_module_exports_Obj.f(obj); $ instrumentation2 symbolic toy/example-20.json toy/example-20.js -o - Genrating - @@ -80,9 +80,9 @@ Test toy examples: return eval(target); } - let esl_symbolic = require("esl_symbolic"); + var esl_symbolic = require("esl_symbolic"); esl_symbolic.sealProperties(Object.prototype); // Vuln: code-injection - let x = esl_symbolic.string("x"); + var x = esl_symbolic.string("x"); f(x); eval_target(); diff --git a/test/instrumentation/test_unit.t b/test/instrumentation/test_unit.t index 6f51e48..a0c3bb5 100644 --- a/test/instrumentation/test_unit.t +++ b/test/instrumentation/test_unit.t @@ -5,10 +5,10 @@ Test unit: return some_arg } - let esl_symbolic = require("esl_symbolic"); + var esl_symbolic = require("esl_symbolic"); esl_symbolic.sealProperties(Object.prototype); // Vuln: command-injection - let some_arg = esl_symbolic.any("some_arg"); + var some_arg = esl_symbolic.any("some_arg"); module.exports(some_arg); $ instrumentation2 symbolic -o - unit/array.json unit/identity.js Genrating - @@ -16,10 +16,10 @@ Test unit: return some_arg } - let esl_symbolic = require("esl_symbolic"); + var esl_symbolic = require("esl_symbolic"); esl_symbolic.sealProperties(Object.prototype); // Vuln: command-injection - let some_arg = [ esl_symbolic.string("some_arg0") ]; + var some_arg = [ esl_symbolic.string("some_arg0") ]; module.exports(some_arg); $ instrumentation2 symbolic -o - unit/array2.json unit/identity.js Genrating - @@ -27,10 +27,10 @@ Test unit: return some_arg } - let esl_symbolic = require("esl_symbolic"); + var esl_symbolic = require("esl_symbolic"); esl_symbolic.sealProperties(Object.prototype); // Vuln: command-injection - let some_arg = + var some_arg = [ esl_symbolic.string("some_arg0"), esl_symbolic.boolean("some_arg1"), esl_symbolic.number("some_arg2") ]; module.exports(some_arg); $ instrumentation2 symbolic -o - unit/bool.json unit/identity.js @@ -39,10 +39,10 @@ Test unit: return some_arg } - let esl_symbolic = require("esl_symbolic"); + var esl_symbolic = require("esl_symbolic"); esl_symbolic.sealProperties(Object.prototype); // Vuln: command-injection - let some_arg = esl_symbolic.boolean("some_arg"); + var some_arg = esl_symbolic.boolean("some_arg"); module.exports(some_arg); $ instrumentation2 symbolic -o - unit/function.json unit/identity.js Genrating - @@ -50,10 +50,10 @@ Test unit: return some_arg } - let esl_symbolic = require("esl_symbolic"); + var esl_symbolic = require("esl_symbolic"); esl_symbolic.sealProperties(Object.prototype); // Vuln: command-injection - let some_arg = esl_symbolic.function("some_arg"); + var some_arg = esl_symbolic.function("some_arg"); module.exports(some_arg); $ instrumentation2 symbolic -o - unit/lazy_object.json unit/identity.js Genrating - @@ -61,10 +61,10 @@ Test unit: return some_arg } - let esl_symbolic = require("esl_symbolic"); + var esl_symbolic = require("esl_symbolic"); esl_symbolic.sealProperties(Object.prototype); // Vuln: path-traversal - let some_arg = esl_symbolic.lazy_object(); + var some_arg = esl_symbolic.lazy_object(); module.exports(some_arg); $ instrumentation2 symbolic -o - unit/number.json unit/identity.js Genrating - @@ -72,10 +72,10 @@ Test unit: return some_arg } - let esl_symbolic = require("esl_symbolic"); + var esl_symbolic = require("esl_symbolic"); esl_symbolic.sealProperties(Object.prototype); // Vuln: command-injection - let some_arg = esl_symbolic.number("some_arg"); + var some_arg = esl_symbolic.number("some_arg"); module.exports(some_arg); $ instrumentation2 symbolic -o - unit/object.json unit/identity.js Genrating - @@ -83,10 +83,10 @@ Test unit: return some_arg } - let esl_symbolic = require("esl_symbolic"); + var esl_symbolic = require("esl_symbolic"); esl_symbolic.sealProperties(Object.prototype); // Vuln: command-injection - let some_arg = { }; + var some_arg = { }; module.exports(some_arg); $ instrumentation2 symbolic -o - unit/polluted_object2.json unit/identity.js Genrating - @@ -94,9 +94,9 @@ Test unit: return some_arg } - let esl_symbolic = require("esl_symbolic"); + var esl_symbolic = require("esl_symbolic"); // Vuln: prototype-pollution - let some_arg = esl_symbolic.polluted_object(2); + var some_arg = esl_symbolic.polluted_object(2); module.exports(some_arg); if (({}).toString == "polluted") { throw Error("I pollute."); } $ instrumentation2 symbolic -o - unit/polluted_object3.json unit/identity.js @@ -105,9 +105,9 @@ Test unit: return some_arg } - let esl_symbolic = require("esl_symbolic"); + var esl_symbolic = require("esl_symbolic"); // Vuln: prototype-pollution - let some_arg = esl_symbolic.polluted_object(3); + var some_arg = esl_symbolic.polluted_object(3); module.exports(some_arg); if (({}).toString == "polluted") { throw Error("I pollute."); } $ instrumentation2 symbolic -o - unit/string.json unit/identity.js @@ -116,10 +116,10 @@ Test unit: return some_arg } - let esl_symbolic = require("esl_symbolic"); + var esl_symbolic = require("esl_symbolic"); esl_symbolic.sealProperties(Object.prototype); // Vuln: command-injection - let some_arg = esl_symbolic.string("some_arg"); + var some_arg = esl_symbolic.string("some_arg"); module.exports(some_arg); $ instrumentation2 symbolic -o - unit/union.json unit/identity.js Genrating - @@ -129,28 +129,28 @@ Test unit: return some_arg } - let esl_symbolic = require("esl_symbolic"); + var esl_symbolic = require("esl_symbolic"); esl_symbolic.sealProperties(Object.prototype); // Vuln: command-injection - let some_arg = esl_symbolic.string("some_arg"); + var some_arg = esl_symbolic.string("some_arg"); module.exports(some_arg); module.exports = function identity(some_arg) { return some_arg } - let esl_symbolic = require("esl_symbolic"); + var esl_symbolic = require("esl_symbolic"); esl_symbolic.sealProperties(Object.prototype); // Vuln: command-injection - let some_arg = esl_symbolic.boolean("some_arg"); + var some_arg = esl_symbolic.boolean("some_arg"); module.exports(some_arg); module.exports = function identity(some_arg) { return some_arg } - let esl_symbolic = require("esl_symbolic"); + var esl_symbolic = require("esl_symbolic"); esl_symbolic.sealProperties(Object.prototype); // Vuln: command-injection - let some_arg = esl_symbolic.number("some_arg"); + var some_arg = esl_symbolic.number("some_arg"); module.exports(some_arg); $ instrumentation2 symbolic -o - unit/dynamic.json unit/identity.js Genrating - @@ -158,8 +158,8 @@ Test unit: return some_arg } - let esl_symbolic = require("esl_symbolic"); + var esl_symbolic = require("esl_symbolic"); esl_symbolic.sealProperties(Object.prototype); // Vuln: command-injection - let obj = { dp0: esl_symbolic.any("dp0") }; + var obj = { dp0: esl_symbolic.any("dp0") }; module.exports(obj);