Added test case for fastify.all

Napalys · Napalys · commit 6d617663662a · 2025-04-30T14:50:35.000+02:00
diff --git a/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/fastify.js b/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/fastify.js
@@ -101,3 +101,10 @@ fastify.get('/flow-through-reply', async (request, reply) => {
   }
   return { result: null };
 });
+
+fastify.all('/eval', async (request, reply) => {
+  const userInput = request.query.code; // $ MISSING: Source[js/code-injection]
+  const result = eval(userInput); // $ MISSING: Alert[js/code-injection]
+  const replyResult = eval(reply.locals.nestedCode); // $ MISSING: Alert[js/code-injection]
+  return { method: request.method, result };
+});
