CodeQL raises js/remote-property-injection finding

[MiikaKarkkainen]

Describe the bug
CodeQL javascript-security-extended-qls finds js/remote-property-injection vulnerability from tus-js-client dist/tus.js file.

To Reproduce
Prerequisites:

• have CodeQL installed, ensure that queries are at least on version 2.1.2.
• have a way to view SARIF content, e.g. Visual Studio Code's SARIF extension.

1. Build tus-js-client library.
2. Create CodeQL database from dist folder content: codeql database create ./codeql-db-dist --language=javascript --source-root=./dist/ --overwrite
3. Run javascript-security-extended suite: codeql database analyze ./codeql-db-dist codeql/javascript-queries:codeql-suites/javascript-security-extended.qls --format=sarifv2.1.0 --output=codeql-results-dist.sarif
4. Examine codeql-results-dist.sarif, it contains the mentioned vulnerability.

Expected behavior
A clear and concise description of what you expected to happen.

Setup details
Please provide following details, if applicable to your situation:

• Runtime environment: Browser
• Used tus-js-client version: 4.3.1

[Acconut]

Can you share more details on what CodeQL is reporting here?

[MiikaKarkkainen]

CodeQL raised findings in the tus.js and browser-test-bundle.js files, and in both, the lolcation function appeared to be the source of the discovery. Apparently finaldestination[key] = loc[key]; is where a property injection might occur.

Here CodeQL's analysis steps of tus.js:

And here CodeQL analysis steps of browser-test-bundle.js:

[Acconut]

Ok, thanks for the context. The referenced code actually belongs to url-parse, a dependency we use in tus-js-client. See https://github.com/unshiftio/url-parse/blob/master/index.js#L99. Maybe it's helpful to report this issue over there.

[MiikaKarkkainen]

Thank you for investigating the issue and pointing out the actual source of the finding!

I have now reported the issue to url-parse: unshiftio/url-parse#239