JS: Fix some mistranslated OK-style comments and match actual query output

asgerf · asgerf · commit cd99d6a5b59b · 2025-02-25T17:29:15.000+01:00
diff --git a/javascript/ql/test/query-tests/Security/CWE-601/ClientSideUrlRedirect/tst15.js b/javascript/ql/test/query-tests/Security/CWE-601/ClientSideUrlRedirect/tst15.js
@@ -1,6 +1,6 @@
 function foo() {
     var url = document.location.toString();
-    window.location = url.substring(0).substring(1); // OK [INCONSISTENCY] - but not important
+    window.location = url.substring(0).substring(1); // $ SPURIOUS: Alert - but not important
     window.location = url.substring(0, 10).substring(1); // $ SPURIOUS: Alert
     window.location = url.substring(0, url.indexOf('/', 10)).substring(1); // $ SPURIOUS: Alert
 
diff --git a/javascript/ql/test/query-tests/Security/CWE-601/ServerSideUrlRedirect/koa.js b/javascript/ql/test/query-tests/Security/CWE-601/ServerSideUrlRedirect/koa.js
@@ -17,7 +17,7 @@ app.use(async ctx => {
 	if(!url || isCrossDomainRedirect || url.match(VALID)) {
 		ctx.redirect('/');
 	} else {
-		ctx.redirect(url); // possibly OK - flagged anyway
+		ctx.redirect(url); // $ Alert - possibly OK but flagged anyway
 	}
 
 	if(!url || isCrossDomainRedirect || url.match(/[^\w/-]/)) {

Original file line number	Diff line number	Diff line change
`@@ -17,7 +17,7 @@ app.use(async ctx => {`
`17`	`17`	`if(!url \|\| isCrossDomainRedirect \|\| url.match(VALID)) {`
`18`	`18`	`ctx.redirect('/');`
`19`	`19`	`} else {`
`20`		`- ctx.redirect(url); // possibly OK - flagged anyway`
	`20`	`+ ctx.redirect(url); // $ Alert - possibly OK but flagged anyway`
`21`	`21`	`}`
`22`	`22`
`23`	`23`	`if(!url \|\| isCrossDomainRedirect \|\| url.match(/[^\w/-]/)) {`