update expected output of TaintedPath tests

erik-krogh · erik-krogh · commit d8a30c48a3ed · 2020-02-06T09:47:15.000+01:00
diff --git a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/Consistency.expected b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/Consistency.expected
@@ -1,6 +1,3 @@
 | normalizedPaths.js:208:38:208:63 | // OK - ...  anyway | Spurious alert |
-| tainted-string-steps.js:13:41:13:72 | // NOT  ... flagged | Missing alert |
-| tainted-string-steps.js:14:41:14:72 | // NOT  ... flagged | Missing alert |
-| tainted-string-steps.js:15:50:15:81 | // NOT  ... flagged | Missing alert |
 | tainted-string-steps.js:25:43:25:74 | // NOT  ... flagged | Missing alert |
 | tainted-string-steps.js:26:49:26:74 | // OK - ... flagged | Spurious alert |
diff --git a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.expected b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.expected
@@ -1412,6 +1412,73 @@ nodes
 | tainted-string-steps.js:11:18:11:30 | path.slice(4) |
 | tainted-string-steps.js:11:18:11:30 | path.slice(4) |
 | tainted-string-steps.js:11:18:11:30 | path.slice(4) |
+| tainted-string-steps.js:13:18:13:21 | path |
+| tainted-string-steps.js:13:18:13:21 | path |
+| tainted-string-steps.js:13:18:13:21 | path |
+| tainted-string-steps.js:13:18:13:21 | path |
+| tainted-string-steps.js:13:18:13:21 | path |
+| tainted-string-steps.js:13:18:13:21 | path |
+| tainted-string-steps.js:13:18:13:21 | path |
+| tainted-string-steps.js:13:18:13:21 | path |
+| tainted-string-steps.js:13:18:13:21 | path |
+| tainted-string-steps.js:13:18:13:21 | path |
+| tainted-string-steps.js:13:18:13:21 | path |
+| tainted-string-steps.js:13:18:13:21 | path |
+| tainted-string-steps.js:13:18:13:21 | path |
+| tainted-string-steps.js:13:18:13:21 | path |
+| tainted-string-steps.js:13:18:13:21 | path |
+| tainted-string-steps.js:13:18:13:21 | path |
+| tainted-string-steps.js:13:18:13:37 | path.concat(unknown) |
+| tainted-string-steps.js:13:18:13:37 | path.concat(unknown) |
+| tainted-string-steps.js:13:18:13:37 | path.concat(unknown) |
+| tainted-string-steps.js:13:18:13:37 | path.concat(unknown) |
+| tainted-string-steps.js:13:18:13:37 | path.concat(unknown) |
+| tainted-string-steps.js:13:18:13:37 | path.concat(unknown) |
+| tainted-string-steps.js:13:18:13:37 | path.concat(unknown) |
+| tainted-string-steps.js:13:18:13:37 | path.concat(unknown) |
+| tainted-string-steps.js:13:18:13:37 | path.concat(unknown) |
+| tainted-string-steps.js:13:18:13:37 | path.concat(unknown) |
+| tainted-string-steps.js:13:18:13:37 | path.concat(unknown) |
+| tainted-string-steps.js:13:18:13:37 | path.concat(unknown) |
+| tainted-string-steps.js:13:18:13:37 | path.concat(unknown) |
+| tainted-string-steps.js:13:18:13:37 | path.concat(unknown) |
+| tainted-string-steps.js:13:18:13:37 | path.concat(unknown) |
+| tainted-string-steps.js:13:18:13:37 | path.concat(unknown) |
+| tainted-string-steps.js:13:18:13:37 | path.concat(unknown) |
+| tainted-string-steps.js:14:18:14:37 | unknown.concat(path) |
+| tainted-string-steps.js:14:18:14:37 | unknown.concat(path) |
+| tainted-string-steps.js:14:18:14:37 | unknown.concat(path) |
+| tainted-string-steps.js:14:18:14:37 | unknown.concat(path) |
+| tainted-string-steps.js:14:18:14:37 | unknown.concat(path) |
+| tainted-string-steps.js:14:33:14:36 | path |
+| tainted-string-steps.js:14:33:14:36 | path |
+| tainted-string-steps.js:14:33:14:36 | path |
+| tainted-string-steps.js:14:33:14:36 | path |
+| tainted-string-steps.js:14:33:14:36 | path |
+| tainted-string-steps.js:14:33:14:36 | path |
+| tainted-string-steps.js:14:33:14:36 | path |
+| tainted-string-steps.js:14:33:14:36 | path |
+| tainted-string-steps.js:14:33:14:36 | path |
+| tainted-string-steps.js:14:33:14:36 | path |
+| tainted-string-steps.js:14:33:14:36 | path |
+| tainted-string-steps.js:14:33:14:36 | path |
+| tainted-string-steps.js:15:18:15:46 | unknown ... , path) |
+| tainted-string-steps.js:15:18:15:46 | unknown ... , path) |
+| tainted-string-steps.js:15:18:15:46 | unknown ... , path) |
+| tainted-string-steps.js:15:18:15:46 | unknown ... , path) |
+| tainted-string-steps.js:15:18:15:46 | unknown ... , path) |
+| tainted-string-steps.js:15:42:15:45 | path |
+| tainted-string-steps.js:15:42:15:45 | path |
+| tainted-string-steps.js:15:42:15:45 | path |
+| tainted-string-steps.js:15:42:15:45 | path |
+| tainted-string-steps.js:15:42:15:45 | path |
+| tainted-string-steps.js:15:42:15:45 | path |
+| tainted-string-steps.js:15:42:15:45 | path |
+| tainted-string-steps.js:15:42:15:45 | path |
+| tainted-string-steps.js:15:42:15:45 | path |
+| tainted-string-steps.js:15:42:15:45 | path |
+| tainted-string-steps.js:15:42:15:45 | path |
+| tainted-string-steps.js:15:42:15:45 | path |
 | tainted-string-steps.js:17:18:17:21 | path |
 | tainted-string-steps.js:17:18:17:21 | path |
 | tainted-string-steps.js:17:18:17:21 | path |
@@ -3456,6 +3523,46 @@ edges
 | tainted-string-steps.js:6:7:6:48 | path | tainted-string-steps.js:11:18:11:21 | path |
 | tainted-string-steps.js:6:7:6:48 | path | tainted-string-steps.js:11:18:11:21 | path |
 | tainted-string-steps.js:6:7:6:48 | path | tainted-string-steps.js:11:18:11:21 | path |
+| tainted-string-steps.js:6:7:6:48 | path | tainted-string-steps.js:13:18:13:21 | path |
+| tainted-string-steps.js:6:7:6:48 | path | tainted-string-steps.js:13:18:13:21 | path |
+| tainted-string-steps.js:6:7:6:48 | path | tainted-string-steps.js:13:18:13:21 | path |
+| tainted-string-steps.js:6:7:6:48 | path | tainted-string-steps.js:13:18:13:21 | path |
+| tainted-string-steps.js:6:7:6:48 | path | tainted-string-steps.js:13:18:13:21 | path |
+| tainted-string-steps.js:6:7:6:48 | path | tainted-string-steps.js:13:18:13:21 | path |
+| tainted-string-steps.js:6:7:6:48 | path | tainted-string-steps.js:13:18:13:21 | path |
+| tainted-string-steps.js:6:7:6:48 | path | tainted-string-steps.js:13:18:13:21 | path |
+| tainted-string-steps.js:6:7:6:48 | path | tainted-string-steps.js:13:18:13:21 | path |
+| tainted-string-steps.js:6:7:6:48 | path | tainted-string-steps.js:13:18:13:21 | path |
+| tainted-string-steps.js:6:7:6:48 | path | tainted-string-steps.js:13:18:13:21 | path |
+| tainted-string-steps.js:6:7:6:48 | path | tainted-string-steps.js:13:18:13:21 | path |
+| tainted-string-steps.js:6:7:6:48 | path | tainted-string-steps.js:13:18:13:21 | path |
+| tainted-string-steps.js:6:7:6:48 | path | tainted-string-steps.js:13:18:13:21 | path |
+| tainted-string-steps.js:6:7:6:48 | path | tainted-string-steps.js:13:18:13:21 | path |
+| tainted-string-steps.js:6:7:6:48 | path | tainted-string-steps.js:13:18:13:21 | path |
+| tainted-string-steps.js:6:7:6:48 | path | tainted-string-steps.js:14:33:14:36 | path |
+| tainted-string-steps.js:6:7:6:48 | path | tainted-string-steps.js:14:33:14:36 | path |
+| tainted-string-steps.js:6:7:6:48 | path | tainted-string-steps.js:14:33:14:36 | path |
+| tainted-string-steps.js:6:7:6:48 | path | tainted-string-steps.js:14:33:14:36 | path |
+| tainted-string-steps.js:6:7:6:48 | path | tainted-string-steps.js:14:33:14:36 | path |
+| tainted-string-steps.js:6:7:6:48 | path | tainted-string-steps.js:14:33:14:36 | path |
+| tainted-string-steps.js:6:7:6:48 | path | tainted-string-steps.js:14:33:14:36 | path |
+| tainted-string-steps.js:6:7:6:48 | path | tainted-string-steps.js:14:33:14:36 | path |
+| tainted-string-steps.js:6:7:6:48 | path | tainted-string-steps.js:14:33:14:36 | path |
+| tainted-string-steps.js:6:7:6:48 | path | tainted-string-steps.js:14:33:14:36 | path |
+| tainted-string-steps.js:6:7:6:48 | path | tainted-string-steps.js:14:33:14:36 | path |
+| tainted-string-steps.js:6:7:6:48 | path | tainted-string-steps.js:14:33:14:36 | path |
+| tainted-string-steps.js:6:7:6:48 | path | tainted-string-steps.js:15:42:15:45 | path |
+| tainted-string-steps.js:6:7:6:48 | path | tainted-string-steps.js:15:42:15:45 | path |
+| tainted-string-steps.js:6:7:6:48 | path | tainted-string-steps.js:15:42:15:45 | path |
+| tainted-string-steps.js:6:7:6:48 | path | tainted-string-steps.js:15:42:15:45 | path |
+| tainted-string-steps.js:6:7:6:48 | path | tainted-string-steps.js:15:42:15:45 | path |
+| tainted-string-steps.js:6:7:6:48 | path | tainted-string-steps.js:15:42:15:45 | path |
+| tainted-string-steps.js:6:7:6:48 | path | tainted-string-steps.js:15:42:15:45 | path |
+| tainted-string-steps.js:6:7:6:48 | path | tainted-string-steps.js:15:42:15:45 | path |
+| tainted-string-steps.js:6:7:6:48 | path | tainted-string-steps.js:15:42:15:45 | path |
+| tainted-string-steps.js:6:7:6:48 | path | tainted-string-steps.js:15:42:15:45 | path |
+| tainted-string-steps.js:6:7:6:48 | path | tainted-string-steps.js:15:42:15:45 | path |
+| tainted-string-steps.js:6:7:6:48 | path | tainted-string-steps.js:15:42:15:45 | path |
 | tainted-string-steps.js:6:7:6:48 | path | tainted-string-steps.js:17:18:17:21 | path |
 | tainted-string-steps.js:6:7:6:48 | path | tainted-string-steps.js:17:18:17:21 | path |
 | tainted-string-steps.js:6:7:6:48 | path | tainted-string-steps.js:17:18:17:21 | path |
@@ -3744,6 +3851,86 @@ edges
 | tainted-string-steps.js:11:18:11:21 | path | tainted-string-steps.js:11:18:11:30 | path.slice(4) |
 | tainted-string-steps.js:11:18:11:21 | path | tainted-string-steps.js:11:18:11:30 | path.slice(4) |
 | tainted-string-steps.js:11:18:11:21 | path | tainted-string-steps.js:11:18:11:30 | path.slice(4) |
+| tainted-string-steps.js:13:18:13:21 | path | tainted-string-steps.js:13:18:13:37 | path.concat(unknown) |
+| tainted-string-steps.js:13:18:13:21 | path | tainted-string-steps.js:13:18:13:37 | path.concat(unknown) |
+| tainted-string-steps.js:13:18:13:21 | path | tainted-string-steps.js:13:18:13:37 | path.concat(unknown) |
+| tainted-string-steps.js:13:18:13:21 | path | tainted-string-steps.js:13:18:13:37 | path.concat(unknown) |
+| tainted-string-steps.js:13:18:13:21 | path | tainted-string-steps.js:13:18:13:37 | path.concat(unknown) |
+| tainted-string-steps.js:13:18:13:21 | path | tainted-string-steps.js:13:18:13:37 | path.concat(unknown) |
+| tainted-string-steps.js:13:18:13:21 | path | tainted-string-steps.js:13:18:13:37 | path.concat(unknown) |
+| tainted-string-steps.js:13:18:13:21 | path | tainted-string-steps.js:13:18:13:37 | path.concat(unknown) |
+| tainted-string-steps.js:13:18:13:21 | path | tainted-string-steps.js:13:18:13:37 | path.concat(unknown) |
+| tainted-string-steps.js:13:18:13:21 | path | tainted-string-steps.js:13:18:13:37 | path.concat(unknown) |
+| tainted-string-steps.js:13:18:13:21 | path | tainted-string-steps.js:13:18:13:37 | path.concat(unknown) |
+| tainted-string-steps.js:13:18:13:21 | path | tainted-string-steps.js:13:18:13:37 | path.concat(unknown) |
+| tainted-string-steps.js:13:18:13:21 | path | tainted-string-steps.js:13:18:13:37 | path.concat(unknown) |
+| tainted-string-steps.js:13:18:13:21 | path | tainted-string-steps.js:13:18:13:37 | path.concat(unknown) |
+| tainted-string-steps.js:13:18:13:21 | path | tainted-string-steps.js:13:18:13:37 | path.concat(unknown) |
+| tainted-string-steps.js:13:18:13:21 | path | tainted-string-steps.js:13:18:13:37 | path.concat(unknown) |
+| tainted-string-steps.js:13:18:13:21 | path | tainted-string-steps.js:13:18:13:37 | path.concat(unknown) |
+| tainted-string-steps.js:13:18:13:21 | path | tainted-string-steps.js:13:18:13:37 | path.concat(unknown) |
+| tainted-string-steps.js:13:18:13:21 | path | tainted-string-steps.js:13:18:13:37 | path.concat(unknown) |
+| tainted-string-steps.js:13:18:13:21 | path | tainted-string-steps.js:13:18:13:37 | path.concat(unknown) |
+| tainted-string-steps.js:13:18:13:21 | path | tainted-string-steps.js:13:18:13:37 | path.concat(unknown) |
+| tainted-string-steps.js:13:18:13:21 | path | tainted-string-steps.js:13:18:13:37 | path.concat(unknown) |
+| tainted-string-steps.js:13:18:13:21 | path | tainted-string-steps.js:13:18:13:37 | path.concat(unknown) |
+| tainted-string-steps.js:13:18:13:21 | path | tainted-string-steps.js:13:18:13:37 | path.concat(unknown) |
+| tainted-string-steps.js:13:18:13:21 | path | tainted-string-steps.js:13:18:13:37 | path.concat(unknown) |
+| tainted-string-steps.js:13:18:13:21 | path | tainted-string-steps.js:13:18:13:37 | path.concat(unknown) |
+| tainted-string-steps.js:13:18:13:21 | path | tainted-string-steps.js:13:18:13:37 | path.concat(unknown) |
+| tainted-string-steps.js:13:18:13:21 | path | tainted-string-steps.js:13:18:13:37 | path.concat(unknown) |
+| tainted-string-steps.js:13:18:13:21 | path | tainted-string-steps.js:13:18:13:37 | path.concat(unknown) |
+| tainted-string-steps.js:13:18:13:21 | path | tainted-string-steps.js:13:18:13:37 | path.concat(unknown) |
+| tainted-string-steps.js:13:18:13:21 | path | tainted-string-steps.js:13:18:13:37 | path.concat(unknown) |
+| tainted-string-steps.js:13:18:13:21 | path | tainted-string-steps.js:13:18:13:37 | path.concat(unknown) |
+| tainted-string-steps.js:14:33:14:36 | path | tainted-string-steps.js:14:18:14:37 | unknown.concat(path) |
+| tainted-string-steps.js:14:33:14:36 | path | tainted-string-steps.js:14:18:14:37 | unknown.concat(path) |
+| tainted-string-steps.js:14:33:14:36 | path | tainted-string-steps.js:14:18:14:37 | unknown.concat(path) |
+| tainted-string-steps.js:14:33:14:36 | path | tainted-string-steps.js:14:18:14:37 | unknown.concat(path) |
+| tainted-string-steps.js:14:33:14:36 | path | tainted-string-steps.js:14:18:14:37 | unknown.concat(path) |
+| tainted-string-steps.js:14:33:14:36 | path | tainted-string-steps.js:14:18:14:37 | unknown.concat(path) |
+| tainted-string-steps.js:14:33:14:36 | path | tainted-string-steps.js:14:18:14:37 | unknown.concat(path) |
+| tainted-string-steps.js:14:33:14:36 | path | tainted-string-steps.js:14:18:14:37 | unknown.concat(path) |
+| tainted-string-steps.js:14:33:14:36 | path | tainted-string-steps.js:14:18:14:37 | unknown.concat(path) |
+| tainted-string-steps.js:14:33:14:36 | path | tainted-string-steps.js:14:18:14:37 | unknown.concat(path) |
+| tainted-string-steps.js:14:33:14:36 | path | tainted-string-steps.js:14:18:14:37 | unknown.concat(path) |
+| tainted-string-steps.js:14:33:14:36 | path | tainted-string-steps.js:14:18:14:37 | unknown.concat(path) |
+| tainted-string-steps.js:14:33:14:36 | path | tainted-string-steps.js:14:18:14:37 | unknown.concat(path) |
+| tainted-string-steps.js:14:33:14:36 | path | tainted-string-steps.js:14:18:14:37 | unknown.concat(path) |
+| tainted-string-steps.js:14:33:14:36 | path | tainted-string-steps.js:14:18:14:37 | unknown.concat(path) |
+| tainted-string-steps.js:14:33:14:36 | path | tainted-string-steps.js:14:18:14:37 | unknown.concat(path) |
+| tainted-string-steps.js:14:33:14:36 | path | tainted-string-steps.js:14:18:14:37 | unknown.concat(path) |
+| tainted-string-steps.js:14:33:14:36 | path | tainted-string-steps.js:14:18:14:37 | unknown.concat(path) |
+| tainted-string-steps.js:14:33:14:36 | path | tainted-string-steps.js:14:18:14:37 | unknown.concat(path) |
+| tainted-string-steps.js:14:33:14:36 | path | tainted-string-steps.js:14:18:14:37 | unknown.concat(path) |
+| tainted-string-steps.js:14:33:14:36 | path | tainted-string-steps.js:14:18:14:37 | unknown.concat(path) |
+| tainted-string-steps.js:14:33:14:36 | path | tainted-string-steps.js:14:18:14:37 | unknown.concat(path) |
+| tainted-string-steps.js:14:33:14:36 | path | tainted-string-steps.js:14:18:14:37 | unknown.concat(path) |
+| tainted-string-steps.js:14:33:14:36 | path | tainted-string-steps.js:14:18:14:37 | unknown.concat(path) |
+| tainted-string-steps.js:15:42:15:45 | path | tainted-string-steps.js:15:18:15:46 | unknown ... , path) |
+| tainted-string-steps.js:15:42:15:45 | path | tainted-string-steps.js:15:18:15:46 | unknown ... , path) |
+| tainted-string-steps.js:15:42:15:45 | path | tainted-string-steps.js:15:18:15:46 | unknown ... , path) |
+| tainted-string-steps.js:15:42:15:45 | path | tainted-string-steps.js:15:18:15:46 | unknown ... , path) |
+| tainted-string-steps.js:15:42:15:45 | path | tainted-string-steps.js:15:18:15:46 | unknown ... , path) |
+| tainted-string-steps.js:15:42:15:45 | path | tainted-string-steps.js:15:18:15:46 | unknown ... , path) |
+| tainted-string-steps.js:15:42:15:45 | path | tainted-string-steps.js:15:18:15:46 | unknown ... , path) |
+| tainted-string-steps.js:15:42:15:45 | path | tainted-string-steps.js:15:18:15:46 | unknown ... , path) |
+| tainted-string-steps.js:15:42:15:45 | path | tainted-string-steps.js:15:18:15:46 | unknown ... , path) |
+| tainted-string-steps.js:15:42:15:45 | path | tainted-string-steps.js:15:18:15:46 | unknown ... , path) |
+| tainted-string-steps.js:15:42:15:45 | path | tainted-string-steps.js:15:18:15:46 | unknown ... , path) |
+| tainted-string-steps.js:15:42:15:45 | path | tainted-string-steps.js:15:18:15:46 | unknown ... , path) |
+| tainted-string-steps.js:15:42:15:45 | path | tainted-string-steps.js:15:18:15:46 | unknown ... , path) |
+| tainted-string-steps.js:15:42:15:45 | path | tainted-string-steps.js:15:18:15:46 | unknown ... , path) |
+| tainted-string-steps.js:15:42:15:45 | path | tainted-string-steps.js:15:18:15:46 | unknown ... , path) |
+| tainted-string-steps.js:15:42:15:45 | path | tainted-string-steps.js:15:18:15:46 | unknown ... , path) |
+| tainted-string-steps.js:15:42:15:45 | path | tainted-string-steps.js:15:18:15:46 | unknown ... , path) |
+| tainted-string-steps.js:15:42:15:45 | path | tainted-string-steps.js:15:18:15:46 | unknown ... , path) |
+| tainted-string-steps.js:15:42:15:45 | path | tainted-string-steps.js:15:18:15:46 | unknown ... , path) |
+| tainted-string-steps.js:15:42:15:45 | path | tainted-string-steps.js:15:18:15:46 | unknown ... , path) |
+| tainted-string-steps.js:15:42:15:45 | path | tainted-string-steps.js:15:18:15:46 | unknown ... , path) |
+| tainted-string-steps.js:15:42:15:45 | path | tainted-string-steps.js:15:18:15:46 | unknown ... , path) |
+| tainted-string-steps.js:15:42:15:45 | path | tainted-string-steps.js:15:18:15:46 | unknown ... , path) |
+| tainted-string-steps.js:15:42:15:45 | path | tainted-string-steps.js:15:18:15:46 | unknown ... , path) |
 | tainted-string-steps.js:17:18:17:21 | path | tainted-string-steps.js:17:18:17:28 | path.trim() |
 | tainted-string-steps.js:17:18:17:21 | path | tainted-string-steps.js:17:18:17:28 | path.trim() |
 | tainted-string-steps.js:17:18:17:21 | path | tainted-string-steps.js:17:18:17:28 | path.trim() |
@@ -4035,6 +4222,9 @@ edges
 | tainted-string-steps.js:9:18:9:37 | path.substring(0, i) | tainted-string-steps.js:6:24:6:30 | req.url | tainted-string-steps.js:9:18:9:37 | path.substring(0, i) | This path depends on $@. | tainted-string-steps.js:6:24:6:30 | req.url | a user-provided value |
 | tainted-string-steps.js:10:18:10:31 | path.substr(4) | tainted-string-steps.js:6:24:6:30 | req.url | tainted-string-steps.js:10:18:10:31 | path.substr(4) | This path depends on $@. | tainted-string-steps.js:6:24:6:30 | req.url | a user-provided value |
 | tainted-string-steps.js:11:18:11:30 | path.slice(4) | tainted-string-steps.js:6:24:6:30 | req.url | tainted-string-steps.js:11:18:11:30 | path.slice(4) | This path depends on $@. | tainted-string-steps.js:6:24:6:30 | req.url | a user-provided value |
+| tainted-string-steps.js:13:18:13:37 | path.concat(unknown) | tainted-string-steps.js:6:24:6:30 | req.url | tainted-string-steps.js:13:18:13:37 | path.concat(unknown) | This path depends on $@. | tainted-string-steps.js:6:24:6:30 | req.url | a user-provided value |
+| tainted-string-steps.js:14:18:14:37 | unknown.concat(path) | tainted-string-steps.js:6:24:6:30 | req.url | tainted-string-steps.js:14:18:14:37 | unknown.concat(path) | This path depends on $@. | tainted-string-steps.js:6:24:6:30 | req.url | a user-provided value |
+| tainted-string-steps.js:15:18:15:46 | unknown ... , path) | tainted-string-steps.js:6:24:6:30 | req.url | tainted-string-steps.js:15:18:15:46 | unknown ... , path) | This path depends on $@. | tainted-string-steps.js:6:24:6:30 | req.url | a user-provided value |
 | tainted-string-steps.js:17:18:17:28 | path.trim() | tainted-string-steps.js:6:24:6:30 | req.url | tainted-string-steps.js:17:18:17:28 | path.trim() | This path depends on $@. | tainted-string-steps.js:6:24:6:30 | req.url | a user-provided value |
 | tainted-string-steps.js:18:18:18:35 | path.toLowerCase() | tainted-string-steps.js:6:24:6:30 | req.url | tainted-string-steps.js:18:18:18:35 | path.toLowerCase() | This path depends on $@. | tainted-string-steps.js:6:24:6:30 | req.url | a user-provided value |
 | tainted-string-steps.js:24:18:24:35 | path.split("?")[0] | tainted-string-steps.js:6:24:6:30 | req.url | tainted-string-steps.js:24:18:24:35 | path.split("?")[0] | This path depends on $@. | tainted-string-steps.js:6:24:6:30 | req.url | a user-provided value |
diff --git a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/tainted-string-steps.js b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/tainted-string-steps.js
