JS: Add missing Alert expectations

asgerf · asgerf · commit 0f33bf173598 · 2025-01-31T14:01:36.000+01:00
diff --git a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.js b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.js
@@ -61,7 +61,7 @@ var server = http.createServer(function(req, res) {
     var express = require('express');
     var application = express();
 
-    var views_local = (req, res) => res.render(req.params[0]);
+    var views_local = (req, res) => res.render(req.params[0]); // $ Alert
     application.get('/views/*', views_local);
 
     var views_imported = require("./views");
@@ -72,10 +72,10 @@ var server = http.createServer(function(req, res) {
 var server = http.createServer(function(req, res) {
 	let path = url.parse(req.url, true).query.path;
 
-	res.write(fs.readFileSync(fs.realpathSync(path)));
+	res.write(fs.readFileSync(fs.realpathSync(path))); // $ Alert
 	fs.realpath(path,
 	                function(err, realpath){
-		                res.write(fs.readFileSync(realpath));
+		                res.write(fs.readFileSync(realpath)); // $ Alert
 	                }
 	               );
 
diff --git a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/express.js b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/express.js
@@ -5,5 +5,5 @@ let app = express();
 app.use(fileUpload());
 
 app.get("/some/path", function (req, res) {
-  req.files.foo.mv(req.query.bar);
+  req.files.foo.mv(req.query.bar); // $ Alert
 });
diff --git a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/pupeteer.js b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/pupeteer.js
@@ -6,11 +6,11 @@ const parseTorrent = require('parse-torrent');
 
     const browser = await puppeteer.launch();
     const page = await browser.newPage();
-    await page.pdf({ path: tainted, format: 'a4' });
+    await page.pdf({ path: tainted, format: 'a4' }); // $ Alert
 
     const pages = await browser.pages();
     for (let i = 0; i < something(); i++) {
-        pages[i].screenshot({ path: tainted });
+        pages[i].screenshot({ path: tainted }); // $ Alert
     }
 
     await browser.close();
diff --git a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/views.js b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/views.js
@@ -1 +1 @@
-module.exports = (req, res) => res.render(req.params[0]);
+module.exports = (req, res) => res.render(req.params[0]); // $ Alert

Original file line number	Diff line number	Diff line change
`@@ -1 +1 @@`
`1`		`-module.exports = (req, res) => res.render(req.params[0]);`
	`1`	`+module.exports = (req, res) => res.render(req.params[0]); // $ Alert`