update expected output of tests

erik-krogh · erik-krogh · commit bf56797ad782 · 2019-12-17T16:27:55.000+01:00
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/ExceptionXss.expected b/javascript/ql/test/query-tests/Security/CWE-079/ExceptionXss.expected
@@ -76,10 +76,6 @@ nodes
 | exception-xss.js:154:11:154:11 | e |
 | exception-xss.js:155:18:155:18 | e |
 | exception-xss.js:155:18:155:18 | e |
-| exception-xss.js:159:13:159:15 | foo |
-| exception-xss.js:160:11:160:11 | e |
-| exception-xss.js:161:18:161:18 | e |
-| exception-xss.js:161:18:161:18 | e |
 | exception-xss.js:174:25:174:43 | exceptional return of inner(foo, resolve) |
 | exception-xss.js:174:31:174:33 | foo |
 | exception-xss.js:174:53:174:53 | e |
@@ -164,7 +160,6 @@ edges
 | exception-xss.js:136:26:136:30 | error | exception-xss.js:138:19:138:23 | error |
 | exception-xss.js:146:6:146:35 | foo | exception-xss.js:148:33:148:35 | foo |
 | exception-xss.js:146:6:146:35 | foo | exception-xss.js:153:8:153:10 | foo |
-| exception-xss.js:146:6:146:35 | foo | exception-xss.js:159:13:159:15 | foo |
 | exception-xss.js:146:6:146:35 | foo | exception-xss.js:174:31:174:33 | foo |
 | exception-xss.js:146:12:146:28 | document.location | exception-xss.js:146:12:146:35 | documen ... .search |
 | exception-xss.js:146:12:146:28 | document.location | exception-xss.js:146:12:146:35 | documen ... .search |
@@ -175,9 +170,6 @@ edges
 | exception-xss.js:153:8:153:10 | foo | exception-xss.js:154:11:154:11 | e |
 | exception-xss.js:154:11:154:11 | e | exception-xss.js:155:18:155:18 | e |
 | exception-xss.js:154:11:154:11 | e | exception-xss.js:155:18:155:18 | e |
-| exception-xss.js:159:13:159:15 | foo | exception-xss.js:160:11:160:11 | e |
-| exception-xss.js:160:11:160:11 | e | exception-xss.js:161:18:161:18 | e |
-| exception-xss.js:160:11:160:11 | e | exception-xss.js:161:18:161:18 | e |
 | exception-xss.js:174:25:174:43 | exceptional return of inner(foo, resolve) | exception-xss.js:174:53:174:53 | e |
 | exception-xss.js:174:31:174:33 | foo | exception-xss.js:174:25:174:43 | exceptional return of inner(foo, resolve) |
 | exception-xss.js:174:53:174:53 | e | exception-xss.js:175:18:175:18 | e |
@@ -209,7 +201,6 @@ edges
 | exception-xss.js:138:19:138:23 | error | exception-xss.js:136:10:136:22 | req.params.id | exception-xss.js:138:19:138:23 | error | Cross-site scripting vulnerability due to $@. | exception-xss.js:136:10:136:22 | req.params.id | user-provided value |
 | exception-xss.js:149:18:149:18 | e | exception-xss.js:146:12:146:28 | document.location | exception-xss.js:149:18:149:18 | e | Cross-site scripting vulnerability due to $@. | exception-xss.js:146:12:146:28 | document.location | user-provided value |
 | exception-xss.js:155:18:155:18 | e | exception-xss.js:146:12:146:28 | document.location | exception-xss.js:155:18:155:18 | e | Cross-site scripting vulnerability due to $@. | exception-xss.js:146:12:146:28 | document.location | user-provided value |
-| exception-xss.js:161:18:161:18 | e | exception-xss.js:146:12:146:28 | document.location | exception-xss.js:161:18:161:18 | e | Cross-site scripting vulnerability due to $@. | exception-xss.js:146:12:146:28 | document.location | user-provided value |
 | exception-xss.js:175:18:175:18 | e | exception-xss.js:146:12:146:28 | document.location | exception-xss.js:175:18:175:18 | e | Cross-site scripting vulnerability due to $@. | exception-xss.js:146:12:146:28 | document.location | user-provided value |
 | exception-xss.js:182:19:182:23 | error | exception-xss.js:180:10:180:22 | req.params.id | exception-xss.js:182:19:182:23 | error | Cross-site scripting vulnerability due to $@. | exception-xss.js:180:10:180:22 | req.params.id | user-provided value |
 | tst.js:306:20:306:20 | e | tst.js:304:9:304:16 | location | tst.js:306:20:306:20 | e | Cross-site scripting vulnerability due to $@. | tst.js:304:9:304:16 | location | user-provided value |
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/Xss.expected b/javascript/ql/test/query-tests/Security/CWE-079/Xss.expected
@@ -15,9 +15,9 @@ nodes
 | addEventListener.js:12:24:12:28 | event |
 | addEventListener.js:12:24:12:33 | event.data |
 | addEventListener.js:12:24:12:33 | event.data |
-| exception-xss.js:2:9:2:31 | foo |
-| exception-xss.js:2:15:2:31 | document.location |
-| exception-xss.js:2:15:2:31 | document.location |
+| exception-xss.js:2:6:2:28 | foo |
+| exception-xss.js:2:12:2:28 | document.location |
+| exception-xss.js:2:12:2:28 | document.location |
 | exception-xss.js:86:17:86:19 | foo |
 | exception-xss.js:86:17:86:19 | foo |
 | jquery.js:2:7:2:40 | tainted |
@@ -368,10 +368,10 @@ edges
 | addEventListener.js:10:21:10:25 | event | addEventListener.js:12:24:12:28 | event |
 | addEventListener.js:12:24:12:28 | event | addEventListener.js:12:24:12:33 | event.data |
 | addEventListener.js:12:24:12:28 | event | addEventListener.js:12:24:12:33 | event.data |
-| exception-xss.js:2:9:2:31 | foo | exception-xss.js:86:17:86:19 | foo |
-| exception-xss.js:2:9:2:31 | foo | exception-xss.js:86:17:86:19 | foo |
-| exception-xss.js:2:15:2:31 | document.location | exception-xss.js:2:9:2:31 | foo |
-| exception-xss.js:2:15:2:31 | document.location | exception-xss.js:2:9:2:31 | foo |
+| exception-xss.js:2:6:2:28 | foo | exception-xss.js:86:17:86:19 | foo |
+| exception-xss.js:2:6:2:28 | foo | exception-xss.js:86:17:86:19 | foo |
+| exception-xss.js:2:12:2:28 | document.location | exception-xss.js:2:6:2:28 | foo |
+| exception-xss.js:2:12:2:28 | document.location | exception-xss.js:2:6:2:28 | foo |
 | jquery.js:2:7:2:40 | tainted | jquery.js:4:5:4:11 | tainted |
 | jquery.js:2:7:2:40 | tainted | jquery.js:4:5:4:11 | tainted |
 | jquery.js:2:7:2:40 | tainted | jquery.js:7:20:7:26 | tainted |
@@ -665,7 +665,7 @@ edges
 | addEventListener.js:2:20:2:29 | event.data | addEventListener.js:1:43:1:47 | event | addEventListener.js:2:20:2:29 | event.data | Cross-site scripting vulnerability due to $@. | addEventListener.js:1:43:1:47 | event | user-provided value |
 | addEventListener.js:6:20:6:23 | data | addEventListener.js:5:43:5:48 | {data} | addEventListener.js:6:20:6:23 | data | Cross-site scripting vulnerability due to $@. | addEventListener.js:5:43:5:48 | {data} | user-provided value |
 | addEventListener.js:12:24:12:33 | event.data | addEventListener.js:10:21:10:25 | event | addEventListener.js:12:24:12:33 | event.data | Cross-site scripting vulnerability due to $@. | addEventListener.js:10:21:10:25 | event | user-provided value |
-| exception-xss.js:86:17:86:19 | foo | exception-xss.js:2:15:2:31 | document.location | exception-xss.js:86:17:86:19 | foo | Cross-site scripting vulnerability due to $@. | exception-xss.js:2:15:2:31 | document.location | user-provided value |
+| exception-xss.js:86:17:86:19 | foo | exception-xss.js:2:12:2:28 | document.location | exception-xss.js:86:17:86:19 | foo | Cross-site scripting vulnerability due to $@. | exception-xss.js:2:12:2:28 | document.location | user-provided value |
 | jquery.js:4:5:4:11 | tainted | jquery.js:2:17:2:33 | document.location | jquery.js:4:5:4:11 | tainted | Cross-site scripting vulnerability due to $@. | jquery.js:2:17:2:33 | document.location | user-provided value |
 | jquery.js:7:5:7:34 | "<div i ... + "\\">" | jquery.js:2:17:2:33 | document.location | jquery.js:7:5:7:34 | "<div i ... + "\\">" | Cross-site scripting vulnerability due to $@. | jquery.js:2:17:2:33 | document.location | user-provided value |
 | jquery.js:8:18:8:34 | "XSS: " + tainted | jquery.js:2:17:2:33 | document.location | jquery.js:8:18:8:34 | "XSS: " + tainted | Cross-site scripting vulnerability due to $@. | jquery.js:2:17:2:33 | document.location | user-provided value |
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/XssWithAdditionalSources.expected b/javascript/ql/test/query-tests/Security/CWE-079/XssWithAdditionalSources.expected
@@ -15,9 +15,9 @@ nodes
 | addEventListener.js:12:24:12:28 | event |
 | addEventListener.js:12:24:12:33 | event.data |
 | addEventListener.js:12:24:12:33 | event.data |
-| exception-xss.js:2:9:2:31 | foo |
-| exception-xss.js:2:15:2:31 | document.location |
-| exception-xss.js:2:15:2:31 | document.location |
+| exception-xss.js:2:6:2:28 | foo |
+| exception-xss.js:2:12:2:28 | document.location |
+| exception-xss.js:2:12:2:28 | document.location |
 | exception-xss.js:86:17:86:19 | foo |
 | exception-xss.js:86:17:86:19 | foo |
 | jquery.js:2:7:2:40 | tainted |
@@ -372,10 +372,10 @@ edges
 | addEventListener.js:10:21:10:25 | event | addEventListener.js:12:24:12:28 | event |
 | addEventListener.js:12:24:12:28 | event | addEventListener.js:12:24:12:33 | event.data |
 | addEventListener.js:12:24:12:28 | event | addEventListener.js:12:24:12:33 | event.data |
-| exception-xss.js:2:9:2:31 | foo | exception-xss.js:86:17:86:19 | foo |
-| exception-xss.js:2:9:2:31 | foo | exception-xss.js:86:17:86:19 | foo |
-| exception-xss.js:2:15:2:31 | document.location | exception-xss.js:2:9:2:31 | foo |
-| exception-xss.js:2:15:2:31 | document.location | exception-xss.js:2:9:2:31 | foo |
+| exception-xss.js:2:6:2:28 | foo | exception-xss.js:86:17:86:19 | foo |
+| exception-xss.js:2:6:2:28 | foo | exception-xss.js:86:17:86:19 | foo |
+| exception-xss.js:2:12:2:28 | document.location | exception-xss.js:2:6:2:28 | foo |
+| exception-xss.js:2:12:2:28 | document.location | exception-xss.js:2:6:2:28 | foo |
 | jquery.js:2:7:2:40 | tainted | jquery.js:4:5:4:11 | tainted |
 | jquery.js:2:7:2:40 | tainted | jquery.js:4:5:4:11 | tainted |
 | jquery.js:2:7:2:40 | tainted | jquery.js:7:20:7:26 | tainted |
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/exception-xss.js b/javascript/ql/test/query-tests/Security/CWE-079/exception-xss.js
@@ -158,7 +158,7 @@ app.get('/user/:id', function (req, res) {
 	try {
 		unknown()[foo];
 	} catch (e) {
-		$('myId').html(e); // NOT OK
+		$('myId').html(e); // OK. We are not sure that `unknown()` is null-ish. 
 	}
 
 	try {

Original file line number	Diff line number	Diff line change
`@@ -158,7 +158,7 @@ app.get('/user/:id', function (req, res) {`
`158`	`158`	`try {`
`159`	`159`	`unknown()[foo];`
`160`	`160`	`} catch (e) {`
`161`		`- $('myId').html(e); // NOT OK`
	`161`	+ $('myId').html(e); // OK. We are not sure that `unknown()` is null-ish.
`162`	`162`	`}`
`163`	`163`
`164`	`164`	`try {`