JS: Remove same-line Source expectations

asgerf · asgerf · commit c5545f0717e8 · 2025-01-31T14:10:18.000+01:00
diff --git a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.js b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.js
@@ -51,9 +51,9 @@ var server = http.createServer(function(req, res) {
 
 var server = http.createServer(function(req, res) {
     // tests for a few uri-libraries
-    res.write(fs.readFileSync(require("querystringify").parse(req.url).query)); // $ Alert Source
-    res.write(fs.readFileSync(require("query-string").parse(req.url).query)); // $ Alert Source
-    res.write(fs.readFileSync(require("querystring").parse(req.url).query)); // $ Alert Source
+    res.write(fs.readFileSync(require("querystringify").parse(req.url).query)); // $ Alert
+    res.write(fs.readFileSync(require("query-string").parse(req.url).query)); // $ Alert
+    res.write(fs.readFileSync(require("querystring").parse(req.url).query)); // $ Alert
 });
 
 (function(){
@@ -173,10 +173,10 @@ import normalizeUrl from 'normalize-url';
 var server = http.createServer(function(req, res) {
   // tests for a few more uri-libraries
   const qs = require("qs");
-  res.write(fs.readFileSync(qs.parse(req.url).foo)); // $ Alert Source
-  res.write(fs.readFileSync(qs.parse(normalizeUrl(req.url)).foo)); // $ Alert Source
+  res.write(fs.readFileSync(qs.parse(req.url).foo)); // $ Alert
+  res.write(fs.readFileSync(qs.parse(normalizeUrl(req.url)).foo)); // $ Alert
   const parseqs = require("parseqs");
-  res.write(fs.readFileSync(parseqs.decode(req.url).foo)); // $ Alert Source
+  res.write(fs.readFileSync(parseqs.decode(req.url).foo)); // $ Alert
 });
 
 const cp = require("child_process");
diff --git a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/normalizedPaths.js b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/normalizedPaths.js
@@ -404,8 +404,8 @@ app.get('/dotdot-regexp', (req, res) => {
 });
 
 app.get('/join-spread', (req, res) => {
-  fs.readFileSync(pathModule.join('foo', ...req.query.x.split('/'))); // $ Alert Source
-  fs.readFileSync(pathModule.join(...req.query.x.split('/'))); // $ Alert Source
+  fs.readFileSync(pathModule.join('foo', ...req.query.x.split('/'))); // $ Alert
+  fs.readFileSync(pathModule.join(...req.query.x.split('/'))); // $ Alert
 });
 
 app.get('/dotdot-matchAll-regexp', (req, res) => {
diff --git a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/tainted-sendFile.js b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/tainted-sendFile.js
@@ -18,8 +18,8 @@ app.get('/some/path/:x', function(req, res) {
   res.sendFile(homeDir + '/data/' + req.params.x); // OK - sendFile disallows ../
   res.sendfile('data/' + req.params.x); // OK - sendfile disallows ../
 
-  res.sendFile(path.resolve('data', req.params.x)); // $ Alert Source
-  res.sendfile(path.join('data', req.params.x)); // $ Alert Source
+  res.sendFile(path.resolve('data', req.params.x)); // $ Alert
+  res.sendfile(path.join('data', req.params.x)); // $ Alert
 
   res.sendFile(homeDir + path.join('data', req.params.x)); // kinda OK - can only escape from 'data/'
 });
