From d20dd752693ac202068ad93aed8f66bff28f80b1 Mon Sep 17 00:00:00 2001
From: Asger F
Date: Fri, 31 Jan 2025 13:17:58 +0100
Subject: [PATCH 01/11] JS: Convert TaintedPath to post-processed inline test

---
 .../Security/CWE-022/TaintedPath/Consistency.expected | 0
 .../Security/CWE-022/TaintedPath/Consistency.ql | 9 ---------
 .../Security/CWE-022/TaintedPath/TaintedPath.qlref | 3 ++-
 3 files changed, 2 insertions(+), 10 deletions(-)
 delete mode 100644 javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/Consistency.expected
 delete mode 100644 javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/Consistency.ql

diff --git a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/Consistency.expected b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/Consistency.expected
deleted file mode 100644
index e69de29bb2d1..000000000000
diff --git a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/Consistency.ql b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/Consistency.ql
deleted file mode 100644
index 0183ac6ade66..000000000000
--- a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/Consistency.ql
+++ /dev/null
@@ -1,9 +0,0 @@
-import javascript
-import semmle.javascript.security.dataflow.TaintedPathQuery
-deprecated import utils.test.ConsistencyChecking
-
-deprecated class TaintedPathConsistency extends ConsistencyConfiguration {
- TaintedPathConsistency() { this = "TaintedPathConsistency" }
-
- override DataFlow::Node getAnAlert() { TaintedPathFlow::flowTo(result) }
-}
diff --git a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.qlref b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.qlref
index 53d53cb8dc54..ff3d54b0cd56 100644
--- a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.qlref
+++ b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.qlref
@@ -1 +1,2 @@
-Security/CWE-022/TaintedPath.ql
+query: Security/CWE-022/TaintedPath.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql

From 2f5de5cf55195755fcca5b5db67e7445b7aefe87 Mon Sep 17 00:00:00 2001
From: Asger F
Date: Fri, 31 Jan 2025 13:20:29 +0100
Subject: [PATCH 02/11] JS: Convert OK-style comments to $-style

Simply converts the comments as they are, regardless of actual query output
---
 .../CWE-022/TaintedPath/TaintedPath-es6.js | 3 +-
 .../CWE-022/TaintedPath/TaintedPath.js | 147 ++++++-------
 .../TaintedPath/examples/TaintedPath.js | 3 +-
 .../TaintedPath/examples/TaintedPathGood.js | 2 +-
 .../CWE-022/TaintedPath/handlebars.js | 10 +-
 .../CWE-022/TaintedPath/normalizedPaths.js | 208 +++++++++---------
 .../CWE-022/TaintedPath/other-fs-libraries.js | 48 ++--
 .../Security/CWE-022/TaintedPath/prettier.js | 4 +-
 .../CWE-022/TaintedPath/sharedlib-repro.js | 2 +-
 .../TaintedPath/tainted-access-paths.js | 20 +-
 .../TaintedPath/tainted-array-steps.js | 4 +-
 .../TaintedPath/tainted-promise-steps.js | 4 +-
 .../CWE-022/TaintedPath/tainted-require.js | 7 +-
 .../CWE-022/TaintedPath/tainted-sendFile.js | 21 +-
 .../TaintedPath/tainted-string-steps.js | 38 ++--
 .../Security/CWE-022/TaintedPath/torrents.js | 2 +-
 .../CWE-022/TaintedPath/typescript.ts | 15 +-
 17 files changed, 260 insertions(+), 278 deletions(-)

diff --git a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath-es6.js b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath-es6.js
index f7c6d172ead2..2c915a920b16 100644
--- a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath-es6.js
+++ b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath-es6.js
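Review bot: In the TaintedPath.qlref hunk, the new `postprocess: utils/test/InlineExpectationsTestQuery.ql` line makes the expected output depend on `$` markers in the test sources, but this patch adds none and TaintedPath.expected is absent from the diffstat, so on its own the commit presumably leaves the test failing until the later patches in the series land. If the series is meant to be bisectable, saying so in the message or squashing this with the marker conversion would help. Deleting Consistency.ql also removes the `getAnAlert() { TaintedPathFlow::flowTo(result) }` cross-check, which is only replaced once the `$ Alert` markers exist.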
@@ -6,6 +6,5 @@ import { join } from 'path'; var server = createServer(function(req, res) { let path = parse(req.url, true).query.path; - // BAD: This could read any file on the file system - res.write(readFileSync(join("public", path))); + res.write(readFileSync(join("public", path))); // $ Alert - This could read any file on the file system }); diff --git a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.js b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.js index fd768fecfff8..b598cbee74bf 100644 --- a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.js +++ b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.js 
@@ -8,63 +8,52 @@ var fs = require('fs'), var server = http.createServer(function(req, res) { let path = url.parse(req.url, true).query.path; - // BAD: This could read any file on the file system - res.write(fs.readFileSync(path)); + res.write(fs.readFileSync(path)); // $ Alert - This could read any file on the file system - // BAD: This could still read any file on the file system - res.write(fs.readFileSync("/home/user/" + path)); + res.write(fs.readFileSync("/home/user/" + path)); // $ Alert - This could still read any file on the file system if (path.startsWith("/home/user/")) - res.write(fs.readFileSync(path)); // BAD: Insufficient sanitisation + res.write(fs.readFileSync(path)); // $ Alert - Insufficient sanitisation if (path.indexOf("secret") == -1) - res.write(fs.readFileSync(path)); // BAD: Insufficient sanitisation + res.write(fs.readFileSync(path)); // $ Alert - Insufficient sanitisation if (fs.existsSync(path)) - res.write(fs.readFileSync(path)); // BAD: Insufficient sanitisation + res.write(fs.readFileSync(path)); // $ Alert - Insufficient sanitisation if (path === 'foo.txt') - res.write(fs.readFileSync(path)); // GOOD: Path is compared to white-list + res.write(fs.readFileSync(path)); // OK - Path is compared to white-list if (path === 'foo.txt' || path === 'bar.txt') - res.write(fs.readFileSync(path)); // GOOD: Path is compared to white-list + res.write(fs.readFileSync(path)); // OK - Path is compared to white-list if (path === 'foo.txt' || path === 'bar.txt' || someOpaqueCondition()) - res.write(fs.readFileSync(path)); // BAD: Path is incompletely compared to white-list + res.write(fs.readFileSync(path)); // $ Alert - Path is incompletely compared to white-list path = sanitize(path); - res.write(fs.readFileSync(path)); // GOOD: Path is sanitized + res.write(fs.readFileSync(path)); // OK - Path is sanitized path = url.parse(req.url, true).query.path; - // GOOD: basename is safe + // OK - basename is safe 
res.write(fs.readFileSync(pathModule.basename(path))); - // BAD: taint is preserved - res.write(fs.readFileSync(pathModule.dirname(path))); - // GOOD: extname is safe + res.write(fs.readFileSync(pathModule.dirname(path))); // $ Alert - taint is preserved + // OK - extname is safe res.write(fs.readFileSync(pathModule.extname(path))); - // BAD: taint is preserved - res.write(fs.readFileSync(pathModule.join(path))); - // BAD: taint is preserved - res.write(fs.readFileSync(pathModule.join(x, y, path, z))); - // BAD: taint is preserved - res.write(fs.readFileSync(pathModule.normalize(path))); - // BAD: taint is preserved - res.write(fs.readFileSync(pathModule.relative(x, path))); - // BAD: taint is preserved - res.write(fs.readFileSync(pathModule.relative(path, x))); - // BAD: taint is preserved - res.write(fs.readFileSync(pathModule.resolve(path))); - // BAD: taint is preserved - res.write(fs.readFileSync(pathModule.resolve(x, y, path, z))); - // BAD: taint is preserved - res.write(fs.readFileSync(pathModule.toNamespacedPath(path))); + res.write(fs.readFileSync(pathModule.join(path))); // $ Alert - taint is preserved + res.write(fs.readFileSync(pathModule.join(x, y, path, z))); // $ Alert - taint is preserved + res.write(fs.readFileSync(pathModule.normalize(path))); // $ Alert - taint is preserved + res.write(fs.readFileSync(pathModule.relative(x, path))); // $ Alert - taint is preserved + res.write(fs.readFileSync(pathModule.relative(path, x))); // $ Alert - taint is preserved + res.write(fs.readFileSync(pathModule.resolve(path))); // $ Alert - taint is preserved + res.write(fs.readFileSync(pathModule.resolve(x, y, path, z))); // $ Alert - taint is preserved + res.write(fs.readFileSync(pathModule.toNamespacedPath(path))); // $ Alert - taint is preserved }); var server = http.createServer(function(req, res) { // tests for a few uri-libraries - res.write(fs.readFileSync(require("querystringify").parse(req.url).query)); // NOT OK - 
res.write(fs.readFileSync(require("query-string").parse(req.url).query)); // NOT OK - res.write(fs.readFileSync(require("querystring").parse(req.url).query)); // NOT OK + res.write(fs.readFileSync(require("querystringify").parse(req.url).query)); // $ Alert + res.write(fs.readFileSync(require("query-string").parse(req.url).query)); // $ Alert + res.write(fs.readFileSync(require("querystring").parse(req.url).query)); // $ Alert }); (function(){ @@ -100,7 +89,7 @@ var server = http.createServer(function(req, res) { path = path.replace(/\.\./g, ''); // remove all ".." } - res.write(fs.readFileSync(path)); // OK. Is sanitized above. + res.write(fs.readFileSync(path)); // OK - Is sanitized above. }); var server = http.createServer(function(req, res) { 
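Review bot: In the `@@ -8,63` hunk, `// OK - basename is safe` and `// OK - extname is safe` stay as standalone lines above their `res.write(fs.readFileSync(...))` calls, while every `$ Alert` in the same hunk and the earlier `OK - ...` remarks (`// OK - Path is compared to white-list`) were moved onto the call line. Moving these two inline keeps one convention for the file, e.g. `res.write(fs.readFileSync(pathModule.basename(path))); // OK - basename is safe`. This is cosmetic, since only the `$` markers are expectations, but it stops a reader from wondering whether the standalone comment refers to the next line or to the following group of calls.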
@@ -113,36 +102,36 @@ var server = http.createServer(function(req, res) { path = path.replace(/\.\./g, ''); // remove all ".." } - res.write(fs.readFileSync(path)); // OK. Is sanitized above. + res.write(fs.readFileSync(path)); // OK - Is sanitized above. }); var server = http.createServer(function(req, res) { let path = url.parse(req.url, true).query.path; - require('send')(req, path); // NOT OK + require('send')(req, path); // $ Alert }); var server = http.createServer(function(req, res) { let path = url.parse(req.url, true).query.path; - fs.readFileSync(path); // NOT OK + fs.readFileSync(path); // $ Alert var split = path.split("/"); - fs.readFileSync(split.join("/")); // NOT OK + fs.readFileSync(split.join("/")); // $ Alert - fs.readFileSync(prefix + split[split.length - 1]) // OK + fs.readFileSync(prefix + split[split.length - 1]) - fs.readFileSync(split[x]) // NOT OK - fs.readFileSync(prefix + split[x]) // NOT OK + fs.readFileSync(split[x]) // $ Alert + fs.readFileSync(prefix + split[x]) // $ Alert var concatted = prefix.concat(split); - fs.readFileSync(concatted.join("/")); // NOT OK + fs.readFileSync(concatted.join("/")); // $ Alert var concatted2 = split.concat(prefix); - fs.readFileSync(concatted2.join("/")); // NOT OK + fs.readFileSync(concatted2.join("/")); // $ Alert - fs.readFileSync(split.pop()); // NOT OK + fs.readFileSync(split.pop()); // $ Alert }); 
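Review bot: `fs.readFileSync(prefix + split[split.length - 1])` loses its `// OK` marker entirely rather than getting the `// OK - ...` form used on `res.write(fs.readFileSync(path)); // OK - Is sanitized above.` in the hunk just above, so the line no longer says it is deliberately expected to be clean. This does not affect the test, since an unannotated line is simply expected not to alert, but a reader can no longer tell an intended negative case from a sink nobody annotated; keeping at least the bare `// OK` (or `// OK - last segment only`, if that is the intended reason) preserves that. The same applies to the bare `OK` markers dropped in the `@@ -150,33` hunk below (the regex-replace cases) and to most of the normalizedPaths.js hunks.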
@@ -150,33 +139,33 @@ var server = http.createServer(function(req, res) { let path = url.parse(req.url, true).query.path; // Removal of forward-slash or dots. - res.write(fs.readFileSync(path.replace(/[\]\[*,;'"`<>\\?\/]/g, ''))); // OK. - res.write(fs.readFileSync(path.replace(/[abcd]/g, ''))); // NOT OK - res.write(fs.readFileSync(path.replace(/[./]/g, ''))); // OK - res.write(fs.readFileSync(path.replace(/[foobar/foobar]/g, ''))); // OK - res.write(fs.readFileSync(path.replace(/\//g, ''))); // OK - res.write(fs.readFileSync(path.replace(/\.|\//g, ''))); // OK - - res.write(fs.readFileSync(path.replace(/[.]/g, ''))); // NOT OK (can be absolute) - res.write(fs.readFileSync(path.replace(/[..]/g, ''))); // NOT OK (can be absolute) - res.write(fs.readFileSync(path.replace(/\./g, ''))); // NOT OK (can be absolute) - res.write(fs.readFileSync(path.replace(/\.\.|BLA/g, ''))); // NOT OK (can be absolute) + res.write(fs.readFileSync(path.replace(/[\]\[*,;'"`<>\\?\/]/g, ''))); + res.write(fs.readFileSync(path.replace(/[abcd]/g, ''))); // $ Alert + res.write(fs.readFileSync(path.replace(/[./]/g, ''))); + res.write(fs.readFileSync(path.replace(/[foobar/foobar]/g, ''))); + res.write(fs.readFileSync(path.replace(/\//g, ''))); + res.write(fs.readFileSync(path.replace(/\.|\//g, ''))); + + res.write(fs.readFileSync(path.replace(/[.]/g, ''))); // $ Alert - can be absolute + res.write(fs.readFileSync(path.replace(/[..]/g, ''))); // $ Alert - can be absolute + res.write(fs.readFileSync(path.replace(/\./g, ''))); // $ Alert - can be absolute + res.write(fs.readFileSync(path.replace(/\.\.|BLA/g, ''))); // $ Alert - can be absolute if (!pathModule.isAbsolute(path)) { - res.write(fs.readFileSync(path.replace(/[.]/g, ''))); // OK - res.write(fs.readFileSync(path.replace(/[..]/g, ''))); // OK - res.write(fs.readFileSync(path.replace(/\./g, ''))); // OK - res.write(fs.readFileSync(path.replace(/\.\.|BLA/g, ''))); // OK + res.write(fs.readFileSync(path.replace(/[.]/g, ''))); + 
res.write(fs.readFileSync(path.replace(/[..]/g, ''))); + res.write(fs.readFileSync(path.replace(/\./g, ''))); + res.write(fs.readFileSync(path.replace(/\.\.|BLA/g, ''))); } // removing of "../" from prefix. - res.write(fs.readFileSync("prefix" + pathModule.normalize(path).replace(/^(\.\.[\/\\])+/, ''))); // OK - res.write(fs.readFileSync("prefix" + pathModule.normalize(path).replace(/(\.\.[\/\\])+/, ''))); // OK - res.write(fs.readFileSync("prefix" + pathModule.normalize(path).replace(/(\.\.\/)+/, ''))); // OK - res.write(fs.readFileSync("prefix" + pathModule.normalize(path).replace(/(\.\.\/)*/, ''))); // OK + res.write(fs.readFileSync("prefix" + pathModule.normalize(path).replace(/^(\.\.[\/\\])+/, ''))); + res.write(fs.readFileSync("prefix" + pathModule.normalize(path).replace(/(\.\.[\/\\])+/, ''))); + res.write(fs.readFileSync("prefix" + pathModule.normalize(path).replace(/(\.\.\/)+/, ''))); + res.write(fs.readFileSync("prefix" + pathModule.normalize(path).replace(/(\.\.\/)*/, ''))); - res.write(fs.readFileSync("prefix" + path.replace(/^(\.\.[\/\\])+/, ''))); // NOT OK - not normalized - res.write(fs.readFileSync(pathModule.normalize(path).replace(/^(\.\.[\/\\])+/, ''))); // NOT OK (can be absolute) + res.write(fs.readFileSync("prefix" + path.replace(/^(\.\.[\/\\])+/, ''))); // $ Alert - not normalized + res.write(fs.readFileSync(pathModule.normalize(path).replace(/^(\.\.[\/\\])+/, ''))); // $ Alert - can be absolute }); import normalizeUrl from 'normalize-url'; 
@@ -184,38 +173,38 @@ import normalizeUrl from 'normalize-url'; var server = http.createServer(function(req, res) { // tests for a few more uri-libraries const qs = require("qs"); - res.write(fs.readFileSync(qs.parse(req.url).foo)); // NOT OK - res.write(fs.readFileSync(qs.parse(normalizeUrl(req.url)).foo)); // NOT OK + res.write(fs.readFileSync(qs.parse(req.url).foo)); // $ Alert + res.write(fs.readFileSync(qs.parse(normalizeUrl(req.url)).foo)); // $ Alert const parseqs = require("parseqs"); - res.write(fs.readFileSync(parseqs.decode(req.url).foo)); // NOT OK + res.write(fs.readFileSync(parseqs.decode(req.url).foo)); // $ Alert }); const cp = require("child_process"); var server = http.createServer(function(req, res) { let path = url.parse(req.url, true).query.path; - cp.execSync("foobar", {cwd: path}); // NOT OK - cp.execFileSync("foobar", ["args"], {cwd: path}); // NOT OK - cp.execFileSync("foobar", {cwd: path}); // NOT OK + cp.execSync("foobar", {cwd: path}); // $ Alert + cp.execFileSync("foobar", ["args"], {cwd: path}); // $ Alert + cp.execFileSync("foobar", {cwd: path}); // $ Alert }); var server = http.createServer(function(req, res) { let path = url.parse(req.url, true).query.path; // Removal of forward-slash or dots. - res.write(fs.readFileSync(path.replace(new RegExp("[\\]\\[*,;'\"`<>\\?/]", 'g'), ''))); // OK - res.write(fs.readFileSync(path.replace(new RegExp("[\\]\\[*,;'\"`<>\\?/]", ''), ''))); // NOT OK. - res.write(fs.readFileSync(path.replace(new RegExp("[\\]\\[*,;'\"`<>\\?/]", unknownFlags()), ''))); // OK -- Might be okay depending on what unknownFlags evaluates to. + res.write(fs.readFileSync(path.replace(new RegExp("[\\]\\[*,;'\"`<>\\?/]", 'g'), ''))); + res.write(fs.readFileSync(path.replace(new RegExp("[\\]\\[*,;'\"`<>\\?/]", ''), ''))); // $ Alert + res.write(fs.readFileSync(path.replace(new RegExp("[\\]\\[*,;'\"`<>\\?/]", unknownFlags()), ''))); // OK - Might be okay depending on what unknownFlags evaluates to. 
}); var server = http.createServer(function(req, res) { let path = url.parse(req.url, true).query.path; - res.write(fs.readFileSync(path.replace(new RegExp("[.]", 'g'), ''))); // NOT OK (can be absolute) + res.write(fs.readFileSync(path.replace(new RegExp("[.]", 'g'), ''))); // $ Alert - can be absolute if (!pathModule.isAbsolute(path)) { - res.write(fs.readFileSync(path.replace(new RegExp("[.]", ''), ''))); // NOT OK - res.write(fs.readFileSync(path.replace(new RegExp("[.]", 'g'), ''))); // OK - res.write(fs.readFileSync(path.replace(new RegExp("[.]", unknownFlags()), ''))); // OK + res.write(fs.readFileSync(path.replace(new RegExp("[.]", ''), ''))); // $ Alert + res.write(fs.readFileSync(path.replace(new RegExp("[.]", 'g'), ''))); + res.write(fs.readFileSync(path.replace(new RegExp("[.]", unknownFlags()), ''))); } }); diff --git a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/examples/TaintedPath.js b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/examples/TaintedPath.js index 1fdbef68c47e..a3e4028b0daa 100644 --- a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/examples/TaintedPath.js +++ b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/examples/TaintedPath.js @@ -7,6 +7,5 @@ const ROOT = "/var/www/"; var server = http.createServer(function(req, res) { let filePath = url.parse(req.url, true).query.path; - // BAD: This function uses unsanitized input that can read any file on the file system. - res.write(fs.readFileSync(ROOT + filePath, 'utf8')); + res.write(fs.readFileSync(ROOT + filePath, 'utf8')); // $ Alert - This function uses unsanitized input that can read any file on the file system. }); \ No newline at end of file diff --git a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/examples/TaintedPathGood.js b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/examples/TaintedPathGood.js index ac8dd4fb9ba8..5b497cfddccb 100644 
--- a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/examples/TaintedPathGood.js +++ b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/examples/TaintedPathGood.js @@ -8,7 +8,7 @@ const ROOT = "/var/www/"; var server = http.createServer(function(req, res) { let filePath = url.parse(req.url, true).query.path; - // GOOD: Verify that the file path is under the root directory + // OK - Verify that the file path is under the root directory filePath = fs.realpathSync(path.resolve(ROOT, filePath)); if (!filePath.startsWith(ROOT)) { res.statusCode = 403; diff --git a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/handlebars.js b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/handlebars.js index 512b851592aa..93255a7ab518 100644 --- a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/handlebars.js +++ b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/handlebars.js 
@@ -26,27 +26,27 @@ function init() { init(); app.get('/some/path1', function (req, res) { - res.send(data.compiledFileAccess({ path: req.params.path })); // NOT ALLOWED (template uses vulnerable catFile) + res.send(data.compiledFileAccess({ path: req.params.path })); // $ Alert - template uses vulnerable catFile }); app.get('/some/path2', function (req, res) { - res.send(data.compiledBenign({ name: req.params.name })); // ALLOWED (this template does not use catFile) + res.send(data.compiledBenign({ name: req.params.name })); // OK - this template does not use catFile }); app.get('/some/path3', function (req, res) { - res.send(data.compiledUnknown({ name: req.params.name })); // ALLOWED (could be using a vulnerable helper, but we'll assume it's ok) + res.send(data.compiledUnknown({ name: req.params.name })); // OK - could be using a vulnerable helper, but we'll assume it's ok }); app.get('/some/path4', function (req, res) { res.send(data.compiledMixed({ prefix: ">>> ", - path: req.params.path // NOT ALLOWED (template uses vulnerable helper) + path: req.params.path // $ Alert - template uses vulnerable helper })); }); app.get('/some/path5', function (req, res) { res.send(data.compiledMixed({ - prefix: req.params.prefix, // ALLOWED (this parameter is safe) + prefix: req.params.prefix, // OK - this parameter is safe path: "data/path-5.txt" })); }); diff --git a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/normalizedPaths.js b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/normalizedPaths.js index 4fa6b3f50d54..2c251b8de379 100644 --- a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/normalizedPaths.js +++ b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/normalizedPaths.js 
@@ -10,21 +10,21 @@ let app = express(); app.get('/basic', (req, res) => { let path = req.query.path; - fs.readFileSync(path); // NOT OK - fs.readFileSync('./' + path); // NOT OK - fs.readFileSync(path + '/index.html'); // NOT OK - fs.readFileSync(pathModule.join(path, 'index.html')); // NOT OK - fs.readFileSync(pathModule.join('/home/user/www', path)); // NOT OK + fs.readFileSync(path); // $ Alert + fs.readFileSync('./' + path); // $ Alert + fs.readFileSync(path + '/index.html'); // $ Alert + fs.readFileSync(pathModule.join(path, 'index.html')); // $ Alert + fs.readFileSync(pathModule.join('/home/user/www', path)); // $ Alert }); app.get('/normalize', (req, res) => { let path = pathModule.normalize(req.query.path); - fs.readFileSync(path); // NOT OK - fs.readFileSync('./' + path); // NOT OK - fs.readFileSync(path + '/index.html'); // NOT OK - fs.readFileSync(pathModule.join(path, 'index.html')); // NOT OK - fs.readFileSync(pathModule.join('/home/user/www', path)); // NOT OK + fs.readFileSync(path); // $ Alert + fs.readFileSync('./' + path); // $ Alert + fs.readFileSync(path + '/index.html'); // $ Alert + fs.readFileSync(pathModule.join(path, 'index.html')); // $ Alert + fs.readFileSync(pathModule.join('/home/user/www', path)); // $ Alert }); app.get('/normalize-notAbsolute', (req, res) => { 
@@ -33,21 +33,21 @@ app.get('/normalize-notAbsolute', (req, res) => { if (pathModule.isAbsolute(path)) return; - fs.readFileSync(path); // NOT OK + fs.readFileSync(path); // $ Alert if (!path.startsWith(".")) - fs.readFileSync(path); // OK + fs.readFileSync(path); else - fs.readFileSync(path); // NOT OK - wrong polarity + fs.readFileSync(path); // $ Alert - wrong polarity if (!path.startsWith("..")) - fs.readFileSync(path); // OK + fs.readFileSync(path); if (!path.startsWith("../")) - fs.readFileSync(path); // OK + fs.readFileSync(path); if (!path.startsWith(".." + pathModule.sep)) - fs.readFileSync(path); // OK + fs.readFileSync(path); }); app.get('/normalize-noInitialDotDot', (req, res) => { @@ -56,16 +56,16 @@ app.get('/normalize-noInitialDotDot', (req, res) => { if (path.startsWith("..")) return; - fs.readFileSync(path); // NOT OK - could be absolute + fs.readFileSync(path); // $ Alert - could be absolute fs.readFileSync("./" + path); // OK - coerced to relative - fs.readFileSync(path + "/index.html"); // NOT OK - not coerced + fs.readFileSync(path + "/index.html"); // $ Alert - not coerced if (!pathModule.isAbsolute(path)) - fs.readFileSync(path); // OK + fs.readFileSync(path); else - fs.readFileSync(path); // NOT OK + fs.readFileSync(path); // $ Alert }); app.get('/prepend-normalize', (req, res) => { @@ -73,9 +73,9 @@ app.get('/prepend-normalize', (req, res) => { let path = pathModule.normalize('./' + req.query.path); if (!path.startsWith("..")) - fs.readFileSync(path); // OK + fs.readFileSync(path); else - fs.readFileSync(path); // NOT OK + fs.readFileSync(path); // $ Alert }); app.get('/absolute', (req, res) => { 
@@ -84,10 +84,10 @@ app.get('/absolute', (req, res) => { if (!pathModule.isAbsolute(path)) return; - res.write(fs.readFileSync(path)); // NOT OK + res.write(fs.readFileSync(path)); // $ Alert if (path.startsWith('/home/user/www')) - res.write(fs.readFileSync(path)); // NOT OK - can still contain '../' + res.write(fs.readFileSync(path)); // $ Alert - can still contain '../' }); app.get('/normalized-absolute', (req, res) => { @@ -96,10 +96,10 @@ app.get('/normalized-absolute', (req, res) => { if (!pathModule.isAbsolute(path)) return; - res.write(fs.readFileSync(path)); // NOT OK + res.write(fs.readFileSync(path)); // $ Alert if (path.startsWith('/home/user/www')) - res.write(fs.readFileSync(path)); // OK + res.write(fs.readFileSync(path)); }); app.get('/combined-check', (req, res) => { 
@@ -107,53 +107,53 @@ app.get('/combined-check', (req, res) => { // Combined absoluteness and folder check in one startsWith call if (path.startsWith("/home/user/www")) - fs.readFileSync(path); // OK + fs.readFileSync(path); if (path[0] !== "/" && path[0] !== ".") - fs.readFileSync(path); // OK + fs.readFileSync(path); }); app.get('/realpath', (req, res) => { let path = fs.realpathSync(req.query.path); - fs.readFileSync(path); // NOT OK - fs.readFileSync(pathModule.join(path, 'index.html')); // NOT OK + fs.readFileSync(path); // $ Alert + fs.readFileSync(pathModule.join(path, 'index.html')); // $ Alert if (path.startsWith("/home/user/www")) fs.readFileSync(path); // OK - both absolute and normalized before check fs.readFileSync(pathModule.join('.', path)); // OK - normalized and coerced to relative - fs.readFileSync(pathModule.join('/home/user/www', path)); // OK + fs.readFileSync(pathModule.join('/home/user/www', path)); }); app.get('/coerce-relative', (req, res) => { let path = pathModule.join('.', req.query.path); if (!path.startsWith('..')) - fs.readFileSync(path); // OK + fs.readFileSync(path); else - fs.readFileSync(path); // NOT OK + fs.readFileSync(path); // $ Alert }); app.get('/coerce-absolute', (req, res) => { let path = pathModule.join('/home/user/www', req.query.path); if (path.startsWith('/home/user/www')) - fs.readFileSync(path); // OK + fs.readFileSync(path); else - fs.readFileSync(path); // NOT OK + fs.readFileSync(path); // $ Alert }); app.get('/concat-after-normalization', (req, res) => { let path = 'foo/' + pathModule.normalize(req.query.path); if (!path.startsWith('..')) - fs.readFileSync(path); // NOT OK - prefixing foo/ invalidates check + fs.readFileSync(path); // $ Alert - prefixing foo/ invalidates check else - fs.readFileSync(path); // NOT OK + fs.readFileSync(path); // $ Alert if (!path.includes('..')) - fs.readFileSync(path); // OK + fs.readFileSync(path); }); app.get('/noDotDot', (req, res) => { 
@@ -162,12 +162,12 @@ app.get('/noDotDot', (req, res) => { if (path.includes('..')) return; - fs.readFileSync(path); // NOT OK - can still be absolute + fs.readFileSync(path); // $ Alert - can still be absolute if (!pathModule.isAbsolute(path)) - fs.readFileSync(path); // OK + fs.readFileSync(path); else - fs.readFileSync(path); // NOT OK + fs.readFileSync(path); // $ Alert }); app.get('/join-regression', (req, res) => { 
@@ -181,119 +181,119 @@ app.get('/join-regression', (req, res) => { if (path.startsWith('/x')) {path;} else {path;} if (path.startsWith('.')) {path;} else {path;} - fs.readFileSync(path); // NOT OK + fs.readFileSync(path); // $ Alert if (pathModule.isAbsolute(path)) - fs.readFileSync(path); // NOT OK + fs.readFileSync(path); // $ Alert else - fs.readFileSync(path); // NOT OK + fs.readFileSync(path); // $ Alert if (path.includes('..')) - fs.readFileSync(path); // NOT OK + fs.readFileSync(path); // $ Alert else - fs.readFileSync(path); // NOT OK + fs.readFileSync(path); // $ Alert if (!path.includes('..') && !pathModule.isAbsolute(path)) - fs.readFileSync(path); // OK + fs.readFileSync(path); else - fs.readFileSync(path); // NOT OK + fs.readFileSync(path); // $ Alert let normalizedPath = pathModule.normalize(path); if (normalizedPath.startsWith('/home/user/www')) - fs.readFileSync(normalizedPath); // OK + fs.readFileSync(normalizedPath); else - fs.readFileSync(normalizedPath); // NOT OK + fs.readFileSync(normalizedPath); // $ Alert if (normalizedPath.startsWith('/home/user/www') || normalizedPath.startsWith('/home/user/public')) - fs.readFileSync(normalizedPath); // OK - but flagged anyway [INCONSISTENCY] + fs.readFileSync(normalizedPath); // $ SPURIOUS: Alert else - fs.readFileSync(normalizedPath); // NOT OK + fs.readFileSync(normalizedPath); // $ Alert }); app.get('/decode-after-normalization', (req, res) => { let path = pathModule.normalize(req.query.path); if (!pathModule.isAbsolute(path) && !path.startsWith('..')) - fs.readFileSync(path); // OK + fs.readFileSync(path); path = decodeURIComponent(path); if (!pathModule.isAbsolute(path) && !path.startsWith('..')) - fs.readFileSync(path); // NOT OK - not normalized + fs.readFileSync(path); // $ Alert - not normalized }); app.get('/replace', (req, res) => { let path = pathModule.normalize(req.query.path).replace(/%20/g, ' '); if (!pathModule.isAbsolute(path)) { - fs.readFileSync(path); // NOT OK + 
fs.readFileSync(path); // $ Alert path = path.replace(/\.\./g, ''); - fs.readFileSync(path); // OK + fs.readFileSync(path); } }); app.get('/resolve-path', (req, res) => { let path = pathModule.resolve(req.query.path); - fs.readFileSync(path); // NOT OK + fs.readFileSync(path); // $ Alert var self = something(); if (path.substring(0, self.dir.length) === self.dir) - fs.readFileSync(path); // OK + fs.readFileSync(path); else - fs.readFileSync(path); // NOT OK - wrong polarity + fs.readFileSync(path); // $ Alert - wrong polarity if (path.slice(0, self.dir.length) === self.dir) - fs.readFileSync(path); // OK + fs.readFileSync(path); else - fs.readFileSync(path); // NOT OK - wrong polarity + fs.readFileSync(path); // $ Alert - wrong polarity }); app.get('/relative-startswith', (req, res) => { let path = pathModule.resolve(req.query.path); - fs.readFileSync(path); // NOT OK + fs.readFileSync(path); // $ Alert var self = something(); var relative = pathModule.relative(self.webroot, path); if(relative.startsWith(".." + pathModule.sep) || relative == "..") { - fs.readFileSync(path); // NOT OK! + fs.readFileSync(path); // $ Alert } else { - fs.readFileSync(path); // OK! + fs.readFileSync(path); } let newpath = pathModule.normalize(path); var relativePath = pathModule.relative(pathModule.normalize(workspaceDir), newpath); if (relativePath.indexOf('..' + pathModule.sep) === 0) { - fs.readFileSync(newpath); // NOT OK! + fs.readFileSync(newpath); // $ Alert } else { - fs.readFileSync(newpath); // OK! + fs.readFileSync(newpath); } let newpath = pathModule.normalize(path); var relativePath = pathModule.relative(pathModule.normalize(workspaceDir), newpath); if (relativePath.indexOf('../') === 0) { - fs.readFileSync(newpath); // NOT OK! + fs.readFileSync(newpath); // $ Alert } else { - fs.readFileSync(newpath); // OK! 
+ fs.readFileSync(newpath); } let newpath = pathModule.normalize(path); var relativePath = pathModule.relative(pathModule.normalize(workspaceDir), newpath); if (pathModule.normalize(relativePath).indexOf('../') === 0) { - fs.readFileSync(newpath); // NOT OK! + fs.readFileSync(newpath); // $ Alert } else { - fs.readFileSync(newpath); // OK! + fs.readFileSync(newpath); } let newpath = pathModule.normalize(path); var relativePath = pathModule.relative(pathModule.normalize(workspaceDir), newpath); if (pathModule.normalize(relativePath).indexOf('../')) { - fs.readFileSync(newpath); // OK! + fs.readFileSync(newpath); } else { - fs.readFileSync(newpath); // NOT OK! + fs.readFileSync(newpath); // $ Alert } }); @@ -301,35 +301,35 @@ var isPathInside = require("is-path-inside"), pathIsInside = require("path-is-inside"); app.get('/pseudo-normalizations', (req, res) => { let path = req.query.path; - fs.readFileSync(path); // NOT OK + fs.readFileSync(path); // $ Alert if (isPathInside(path, SAFE)) { - fs.readFileSync(path); // OK + fs.readFileSync(path); return; } else { - fs.readFileSync(path); // NOT OK + fs.readFileSync(path); // $ Alert } if (pathIsInside(path, SAFE)) { - fs.readFileSync(path); // NOT OK - can be of the form 'safe/directory/../../../etc/passwd' + fs.readFileSync(path); // $ Alert - can be of the form 'safe/directory/../../../etc/passwd' return; } else { - fs.readFileSync(path); // NOT OK + fs.readFileSync(path); // $ Alert } let normalizedPath = pathModule.join(SAFE, path); if (pathIsInside(normalizedPath, SAFE)) { - fs.readFileSync(normalizedPath); // OK + fs.readFileSync(normalizedPath); return; } else { - fs.readFileSync(normalizedPath); // NOT OK + fs.readFileSync(normalizedPath); // $ Alert } if (pathIsInside(normalizedPath, SAFE)) { - fs.readFileSync(normalizedPath); // OK + fs.readFileSync(normalizedPath); return; } else { - fs.readFileSync(normalizedPath); // NOT OK + fs.readFileSync(normalizedPath); // $ Alert } 
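Review bot: In the `@@ -181,119` hunk, `fs.readFileSync(normalizedPath); // $ SPURIOUS: Alert` drops the rationale that `// OK - but flagged anyway [INCONSISTENCY]` carried, so the file no longer says why the alert on the `startsWith('/home/user/www') || startsWith('/home/user/public')` branch is treated as a false positive rather than a real finding. Since `$ SPURIOUS:` pins the current output into the expected file, a short remark helps whoever later fixes the query, e.g. `// $ SPURIOUS: Alert - expected OK, the disjunction of two prefix checks is not recognised`. I am inferring the intent from the condition; the original comment only stated that the line was OK but flagged.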
@@ -338,34 +338,34 @@ app.get('/pseudo-normalizations', (req, res) => { app.get('/yet-another-prefix', (req, res) => { let path = pathModule.resolve(req.query.path); - fs.readFileSync(path); // NOT OK + fs.readFileSync(path); // $ Alert var abs = pathModule.resolve(path); if (abs.indexOf(root) !== 0) { - fs.readFileSync(path); // NOT OK + fs.readFileSync(path); // $ Alert return; } - fs.readFileSync(path); // OK + fs.readFileSync(path); }); var rootPath = process.cwd(); app.get('/yet-another-prefix2', (req, res) => { let path = req.query.path; - fs.readFileSync(path); // NOT OK + fs.readFileSync(path); // $ Alert var requestPath = pathModule.join(rootPath, path); var targetPath; if (!allowPath(requestPath, rootPath)) { targetPath = rootPath; - fs.readFileSync(requestPath); // NOT OK + fs.readFileSync(requestPath); // $ Alert } else { targetPath = requestPath; - fs.readFileSync(requestPath); // OK + fs.readFileSync(requestPath); } - fs.readFileSync(targetPath); // OK + fs.readFileSync(targetPath); function allowPath(requestPath, rootPath) { return requestPath.indexOf(rootPath) === 0; 
@@ -376,56 +376,56 @@ import slash from 'slash'; app.get('/slash-stuff', (req, res) => { let path = req.query.path; - fs.readFileSync(path); // NOT OK + fs.readFileSync(path); // $ Alert - fs.readFileSync(slash(path)); // NOT OK + fs.readFileSync(slash(path)); // $ Alert }); app.get('/dotdot-regexp', (req, res) => { let path = pathModule.normalize(req.query.x); if (pathModule.isAbsolute(path)) return; - fs.readFileSync(path); // NOT OK + fs.readFileSync(path); // $ Alert if (!path.match(/\./)) { - fs.readFileSync(path); // OK + fs.readFileSync(path); } if (!path.match(/\.\./)) { - fs.readFileSync(path); // OK + fs.readFileSync(path); } if (!path.match(/\.\.\//)) { - fs.readFileSync(path); // OK + fs.readFileSync(path); } if (!path.match(/\.\.\/foo/)) { - fs.readFileSync(path); // NOT OK + fs.readFileSync(path); // $ Alert } if (!path.match(/(\.\.\/|\.\.\\)/)) { - fs.readFileSync(path); // OK + fs.readFileSync(path); } }); app.get('/join-spread', (req, res) => { - fs.readFileSync(pathModule.join('foo', ...req.query.x.split('/'))); // NOT OK - fs.readFileSync(pathModule.join(...req.query.x.split('/'))); // NOT OK + fs.readFileSync(pathModule.join('foo', ...req.query.x.split('/'))); // $ Alert + fs.readFileSync(pathModule.join(...req.query.x.split('/'))); // $ Alert }); app.get('/dotdot-matchAll-regexp', (req, res) => { let path = pathModule.normalize(req.query.x); if (pathModule.isAbsolute(path)) return; - fs.readFileSync(path); // NOT OK + fs.readFileSync(path); // $ Alert if (!path.matchAll(/\./)) { - fs.readFileSync(path); // OK + fs.readFileSync(path); } if (!path.matchAll(/\.\./)) { - fs.readFileSync(path); // OK + fs.readFileSync(path); } if (!path.matchAll(/\.\.\//)) { - fs.readFileSync(path); // OK + fs.readFileSync(path); } if (!path.matchAll(/\.\.\/foo/)) { - fs.readFileSync(path); // NOT OK + fs.readFileSync(path); // $ Alert } if (!path.matchAll(/(\.\.\/|\.\.\\)/)) { - fs.readFileSync(path); // OK + fs.readFileSync(path); } }); 
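Review bot: The `/dotdot-matchAll-regexp` guards are not effective at runtime, and that is worth a comment so the expectations are not read as endorsing the pattern: `String.prototype.matchAll` throws a TypeError when the regex lacks the `g` flag, and when it does return it yields an iterator, which is always truthy, so `!path.matchAll(...)` never enters the guarded branch. The `OK`/`$ Alert` markers on those lines therefore record how the query models `matchAll` as a sanitizer, not a real check. Suggest a comment on that handler such as `// matchAll without /g throws and never sanitizes at runtime; this block only exercises the query's RegExp modelling`. The handler bodies are entirely within the hunk.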
diff --git a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/other-fs-libraries.js b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/other-fs-libraries.js index 1dac13246c6f..8d2bfe11feb7 100644 --- a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/other-fs-libraries.js +++ b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/other-fs-libraries.js @@ -8,20 +8,20 @@ var http = require("http"), var server = http.createServer(function(req, res) { var path = url.parse(req.url, true).query.path; - fs.readFileSync(path); // NOT OK - gracefulFs.readFileSync(path); // NOT OK - fsExtra.readFileSync(path); // NOT OK - originalFs.readFileSync(path); // NOT OK + fs.readFileSync(path); // $ Alert + gracefulFs.readFileSync(path); // $ Alert + fsExtra.readFileSync(path); // $ Alert + originalFs.readFileSync(path); // $ Alert - getFsModule(true).readFileSync(path); // NOT OK - getFsModule(false).readFileSync(path); // NOT OK + getFsModule(true).readFileSync(path); // $ Alert + getFsModule(false).readFileSync(path); // $ Alert - require("./my-fs-module").require(true).readFileSync(path); // NOT OK + require("./my-fs-module").require(true).readFileSync(path); // $ Alert let flexibleModuleName = require(process.versions["electron"] ? "original-fs" : "fs"); - flexibleModuleName.readFileSync(path); // NOT OK + flexibleModuleName.readFileSync(path); // $ Alert }); function getFsModule(special) { @@ -37,9 +37,9 @@ var util = require("util"); http.createServer(function(req, res) { var path = url.parse(req.url, true).query.path; - util.promisify(fs.readFileSync)(path); // NOT OK - require("bluebird").promisify(fs.readFileSync)(path); // NOT OK - require("bluebird").promisifyAll(fs).readFileSync(path); // NOT OK + util.promisify(fs.readFileSync)(path); // $ Alert + require("bluebird").promisify(fs.readFileSync)(path); // $ Alert + require("bluebird").promisifyAll(fs).readFileSync(path); // $ Alert }); 
@@ -48,37 +48,37 @@ const asyncFS = require("./my-async-fs-module"); http.createServer(function(req, res) { var path = url.parse(req.url, true).query.path; - fs.readFileSync(path); // NOT OK - asyncFS.readFileSync(path); // NOT OK + fs.readFileSync(path); // $ Alert + asyncFS.readFileSync(path); // $ Alert - require("pify")(fs.readFileSync)(path); // NOT OK - require("pify")(fs).readFileSync(path); // NOT OK + require("pify")(fs.readFileSync)(path); // $ Alert + require("pify")(fs).readFileSync(path); // $ Alert - require('util.promisify')(fs.readFileSync)(path); // NOT OK + require('util.promisify')(fs.readFileSync)(path); // $ Alert - require("thenify")(fs.readFileSync)(path); // NOT OK + require("thenify")(fs.readFileSync)(path); // $ Alert const readPkg = require('read-pkg'); - var pkg = readPkg.readPackageSync({cwd: path}); // NOT OK - var pkgPromise = readPkg.readPackageAsync({cwd: path}); // NOT OK + var pkg = readPkg.readPackageSync({cwd: path}); // $ Alert + var pkgPromise = readPkg.readPackageAsync({cwd: path}); // $ Alert }); const mkdirp = require("mkdirp"); http.createServer(function(req, res) { var path = url.parse(req.url, true).query.path; - fs.readFileSync(path); // NOT OK - mkdirp(path); // NOT OK - mkdirp.sync(path); // NOT OK + fs.readFileSync(path); // $ Alert + mkdirp(path); // $ Alert + mkdirp.sync(path); // $ Alert func(path); }); function func(x) { - fs.readFileSync(x); // NOT OK + fs.readFileSync(x); // $ Alert } const fsp = require("fs/promises"); http.createServer(function(req, res) { var path = url.parse(req.url, true).query.path; - fsp.readFile(path); // NOT OK + fsp.readFile(path); // $ Alert }); diff --git a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/prettier.js b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/prettier.js index 7546bb2c2938..d3ee99d4974b 100644 --- a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/prettier.js 
+++ b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/prettier.js @@ -4,11 +4,11 @@ const prettier = require("prettier"); const app = express(); app.get('/some/path', function (req, res) { const { p } = req.params; - prettier.resolveConfig(p).then((options) => { // NOT OK + prettier.resolveConfig(p).then((options) => { // $ Alert const formatted = prettier.format("foo", options); }); - prettier.resolveConfig("foo", {config: p}).then((options) => { // NOT OK + prettier.resolveConfig("foo", {config: p}).then((options) => { // $ Alert const formatted = prettier.format("bar", options); }); }); diff --git a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/sharedlib-repro.js b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/sharedlib-repro.js index eebc95348ba6..fa19da302606 100644 --- a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/sharedlib-repro.js +++ b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/sharedlib-repro.js @@ -19,7 +19,7 @@ function getfileRoot(workspaceId) { } function withStatsAndETag(filepath, callback) { - fs.readFileSync(filepath); // NOT OK + fs.readFileSync(filepath); // $ Alert }; function decodeUserIdFromWorkspaceId(workspaceId) { diff --git a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/tainted-access-paths.js b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/tainted-access-paths.js index 465b5b70b690..aaa6cfdc2407 100644 --- a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/tainted-access-paths.js +++ b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/tainted-access-paths.js 
@@ -5,30 +5,30 @@ var fs = require('fs'), var server = http.createServer(function(req, res) { let path = url.parse(req.url, true).query.path; - fs.readFileSync(path); // NOT OK + fs.readFileSync(path); // $ Alert var obj = bla ? something() : path; - fs.readFileSync(obj.sub); // NOT OK + fs.readFileSync(obj.sub); // $ Alert obj.sub = "safe"; - fs.readFileSync(obj.sub); // OK + fs.readFileSync(obj.sub); obj.sub2 = "safe"; if (random()) { - fs.readFileSync(obj.sub2); // OK + fs.readFileSync(obj.sub2); } if (random()) { obj.sub3 = "safe" } - fs.readFileSync(obj.sub3); // NOT OK + fs.readFileSync(obj.sub3); // $ Alert obj.sub4 = - fs.readFileSync(obj.sub4) ? // NOT OK - fs.readFileSync(obj.sub4) : // NOT OK - fs.readFileSync(obj.sub4); // NOT OK + fs.readFileSync(obj.sub4) ? // $ Alert + fs.readFileSync(obj.sub4) : // $ Alert + fs.readFileSync(obj.sub4); // $ Alert }); server.listen(); @@ -37,7 +37,7 @@ var nodefs = require('node:fs'); var server2 = http.createServer(function(req, res) { let path = url.parse(req.url, true).query.path; - nodefs.readFileSync(path); // NOT OK + nodefs.readFileSync(path); // $ Alert }); server2.listen(); @@ -46,5 +46,5 @@ const chownr = require("chownr"); var server3 = http.createServer(function (req, res) { let path = url.parse(req.url, true).query.path; - chownr(path, "someuid", "somegid", function (err) {}); // NOT OK + chownr(path, "someuid", "somegid", function (err) {}); // $ Alert }); diff --git a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/tainted-array-steps.js b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/tainted-array-steps.js index 061dec18a908..b37ebc2926ad 100644 --- a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/tainted-array-steps.js +++ b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/tainted-array-steps.js 
@@ -7,11 +7,11 @@ var fs = require('fs'), var server = http.createServer(function(req, res) { let path = url.parse(req.url, true).query.path; - res.write(fs.readFileSync(['public', path].join('/'))); // BAD - but not flagged because we have no array-steps [INCONSISTENCY] + res.write(fs.readFileSync(['public', path].join('/'))); // $ MISSING: Alert - not flagged because we have no array-steps let parts = ['public', path]; parts = parts.map(x => x.toLowerCase()); - res.write(fs.readFileSync(parts.join('/'))); // BAD - but not flagged because we have no array-steps [INCONSISTENCY] + res.write(fs.readFileSync(parts.join('/'))); // $ MISSING: Alert - not flagged because we have no array-steps }); server.listen(); diff --git a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/tainted-promise-steps.js b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/tainted-promise-steps.js index 49c5fa78fe8d..e18e3c7e8bb1 100644 --- a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/tainted-promise-steps.js +++ b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/tainted-promise-steps.js @@ -8,8 +8,8 @@ var server = http.createServer(function(req, res) { }); async function doRead(pathPromise) { - fs.readFileSync(await pathPromise); // NOT OK - pathPromise.then(path => fs.readFileSync(path)); // NO TOK + fs.readFileSync(await pathPromise); // $ Alert + pathPromise.then(path => fs.readFileSync(path)); // $ Alert } server.listen(); diff --git a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/tainted-require.js b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/tainted-require.js index 23f89c55c39f..d9c07feb26b6 100644 --- a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/tainted-require.js +++ b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/tainted-require.js 
@@ -3,15 +3,14 @@ var express = require('express'); var app = express(); app.get('/some/path', function(req, res) { - // BAD: loading a module based on un-sanitized query parameters - var m = require(req.param("module")); + var m = require(req.param("module")); // $ Alert - loading a module based on un-sanitized query parameters }); const resolve = require("resolve"); app.get('/some/path', function(req, res) { - var module = resolve.sync(req.param("module")); // NOT OK - resolving module based on query parameters + var module = resolve.sync(req.param("module")); // $ Alert - resolving module based on query parameters - resolve(req.param("module"), { basedir: __dirname }, function(err, res) { // NOT OK - resolving module based on query parameters + resolve(req.param("module"), { basedir: __dirname }, function(err, res) { // $ Alert - resolving module based on query parameters var module = res; }); }); \ No newline at end of file diff --git a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/tainted-sendFile.js b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/tainted-sendFile.js index 50e4152e5bf2..21ae39b8b731 100644 --- a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/tainted-sendFile.js +++ b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/tainted-sendFile.js 
@@ -4,25 +4,22 @@ let path = require('path'); var app = express(); app.get('/some/path/:x', function(req, res) { - // BAD: sending a file based on un-sanitized query parameters - res.sendFile(req.param("gimme")); - // BAD: same as above - res.sendfile(req.param("gimme")); + res.sendFile(req.param("gimme")); // $ Alert - sending a file based on un-sanitized query parameters + res.sendfile(req.param("gimme")); // $ Alert - same as above - // GOOD: ensures files cannot be accessed outside of root folder + // OK - ensures files cannot be accessed outside of root folder res.sendFile(req.param("gimme"), { root: process.cwd() }); - // GOOD: ensures files cannot be accessed outside of root folder + // OK - ensures files cannot be accessed outside of root folder res.sendfile(req.param("gimme"), { root: process.cwd() }); - // BAD: doesn't help if user controls root - res.sendFile(req.param("file"), { root: req.param("dir") }); + res.sendFile(req.param("file"), { root: req.param("dir") }); // $ Alert - doesn't help if user controls root let homeDir = path.resolve('.'); - res.sendFile(homeDir + '/data/' + req.params.x); // OK: sendFile disallows ../ - res.sendfile('data/' + req.params.x); // OK: sendfile disallows ../ + res.sendFile(homeDir + '/data/' + req.params.x); // OK - sendFile disallows ../ + res.sendfile('data/' + req.params.x); // OK - sendfile disallows ../ - res.sendFile(path.resolve('data', req.params.x)); // NOT OK - res.sendfile(path.join('data', req.params.x)); // NOT OK + res.sendFile(path.resolve('data', req.params.x)); // $ Alert + res.sendfile(path.join('data', req.params.x)); // $ Alert res.sendFile(homeDir + path.join('data', req.params.x)); // kinda OK - can only escape from 'data/' }); diff --git a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/tainted-string-steps.js b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/tainted-string-steps.js index 1b1e87b9a76a..d705be16b317 100644 
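Review bot: The final sink, `res.sendFile(homeDir + path.join('data', req.params.x)); // kinda OK - can only escape from 'data/'`, is the only line in this handler left without an inline expectation, so under the post-processed test an alert there would surface as an unexpected result while its absence would go unchecked. Since every other sink in the file now carries an explicit marker, this one should be pinned as either `// $ Alert - can only escape from 'data/'` or `// OK - can only escape from 'data/'`, whichever the raw query output (not visible in this hunk) shows. That choice should follow the actual output rather than the "kinda" wording, which is ambiguous as documentation of what the query is expected to report.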
--- a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/tainted-string-steps.js +++ b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/tainted-string-steps.js 
@@ -4,28 +4,28 @@ var fs = require('fs'), var server = http.createServer(function(req, res) { let path = url.parse(req.url, true).query.path; - fs.readFileSync(path.substring(i, j)); // OK - fs.readFileSync(path.substring(4)); // NOT OK - fs.readFileSync(path.substring(0, i)); // NOT OK - fs.readFileSync(path.substr(4)); // NOT OK - fs.readFileSync(path.slice(4)); // NOT OK + fs.readFileSync(path.substring(i, j)); + fs.readFileSync(path.substring(4)); // $ Alert + fs.readFileSync(path.substring(0, i)); // $ Alert + fs.readFileSync(path.substr(4)); // $ Alert + fs.readFileSync(path.slice(4)); // $ Alert - fs.readFileSync(path.concat(unknown)); // NOT OK - fs.readFileSync(unknown.concat(path)); // NOT OK - fs.readFileSync(unknown.concat(unknown, path)); // NOT OK + fs.readFileSync(path.concat(unknown)); // $ Alert + fs.readFileSync(unknown.concat(path)); // $ Alert + fs.readFileSync(unknown.concat(unknown, path)); // $ Alert - fs.readFileSync(path.trim()); // NOT OK - fs.readFileSync(path.toLowerCase()); // NOT OK + fs.readFileSync(path.trim()); // $ Alert + fs.readFileSync(path.toLowerCase()); // $ Alert - fs.readFileSync(path.split('/')); // OK (readFile throws an exception when the filename is an array) - fs.readFileSync(path.split('/')[0]); // OK -- for now - fs.readFileSync(path.split('/')[i]); // NOT OK - fs.readFileSync(path.split(/\//)[i]); // NOT OK - fs.readFileSync(path.split("?")[0]); // NOT OK - fs.readFileSync(path.split(unknown)[i]); // NOT OK -- but not yet flagged [INCONSISTENCY] - fs.readFileSync(path.split(unknown).whatever); // OK -- but still flagged [INCONSISTENCY] - fs.readFileSync(path.split(unknown)); // NOT OK - fs.readFileSync(path.split("?")[i]); // NOT OK -- but not yet flagged [INCONSISTENCY] + fs.readFileSync(path.split('/')); // OK - readFile throws an exception when the filename is an array + fs.readFileSync(path.split('/')[0]); // OK - for now + fs.readFileSync(path.split('/')[i]); // $ Alert + fs.readFileSync(path.split(/\//)[i]); 
// $ Alert + fs.readFileSync(path.split("?")[0]); // $ Alert + fs.readFileSync(path.split(unknown)[i]); // $ MISSING: Alert + fs.readFileSync(path.split(unknown).whatever); // $ SPURIOUS: Alert + fs.readFileSync(path.split(unknown)); // $ Alert + fs.readFileSync(path.split("?")[i]); // $ MISSING: Alert }); server.listen(); diff --git a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/torrents.js b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/torrents.js index 1e95cf84ec76..097bcc1fa117 100644 --- a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/torrents.js +++ b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/torrents.js @@ -4,5 +4,5 @@ const parseTorrent = require('parse-torrent'), function getTorrentData(dir, torrent){ let name = parseTorrent(torrent).name, loc = dir + "/" + name + ".torrent.data"; - return fs.readFileSync(loc); // NOT OK + return fs.readFileSync(loc); // $ Alert } diff --git a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/typescript.ts b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/typescript.ts index f5fd62b2ee00..51549ea75658 100644 --- a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/typescript.ts +++ b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/typescript.ts 
@@ -8,27 +8,26 @@ var fs = require('fs'), var server = http.createServer(function(req, res) { let path = url.parse(req.url, true).query.path; - // BAD: This could read any file on the file system - res.write(fs.readFileSync(path)); + res.write(fs.readFileSync(path)); // $ Alert - This could read any file on the file system if (path === 'foo.txt') - res.write(fs.readFileSync(path)); // GOOD: Path is compared to white-list + res.write(fs.readFileSync(path)); // OK - Path is compared to white-list let path2 = path; - path2 ||= res.write(fs.readFileSync(path2)); // GOOD: path is falsy + path2 ||= res.write(fs.readFileSync(path2)); // OK - path is falsy let path3 = path; - path3 &&= res.write(fs.readFileSync(path3)); // BAD: path is truthy + path3 &&= res.write(fs.readFileSync(path3)); // $ Alert - path is truthy let path4 = path; - path4 ??= res.write(fs.readFileSync(path4)); // GOOD - path is null or undefined - but we don't capture that. [INCONSISTENCY] + path4 ??= res.write(fs.readFileSync(path4)); // $ SPURIOUS: Alert - path is null or undefined - but we don't capture that. let path5 = path; path5 &&= "clean"; - res.write(fs.readFileSync(path5)); // GOOD: path is either falsy or "clean"; + res.write(fs.readFileSync(path5)); // OK - path is either falsy or "clean"; let path6 = path; path6 ||= "clean"; - res.write(fs.readFileSync(path6)); // BAD: path can still be tainted + res.write(fs.readFileSync(path6)); // $ Alert - path can still be tainted }); From 928d9623c1b56f0bb6c2e44b00321f9a8da1833a Mon Sep 17 00:00:00 2001 From: Asger F Date: Fri, 31 Jan 2025 13:22:44 +0100 Subject: [PATCH 03/11] JS: Raw update of test output Unfortunately this also triggers a reordering of result sets in the output. --- .../CWE-022/TaintedPath/TaintedPath.expected | 1741 +++++++++-------- 1 file changed, 907 insertions(+), 834 deletions(-) 
diff --git a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.expected b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.expected index c1985970e3b0..bbae08085eb9 100644 --- a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.expected +++ b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.expected 
@@ -1,655 +1,327 @@ -nodes -| TaintedPath-es6.js:7:7:7:44 | path | semmle.label | path | -| TaintedPath-es6.js:7:14:7:33 | parse(req.url, true) | semmle.label | parse(req.url, true) | -| TaintedPath-es6.js:7:14:7:39 | parse(r ... ).query | semmle.label | parse(r ... ).query | -| TaintedPath-es6.js:7:14:7:44 | parse(r ... ry.path | semmle.label | parse(r ... ry.path | -| TaintedPath-es6.js:7:20:7:26 | req.url | semmle.label | req.url | -| TaintedPath-es6.js:10:26:10:45 | join("public", path) | semmle.label | join("public", path) | -| TaintedPath-es6.js:10:41:10:44 | path | semmle.label | path | -| TaintedPath.js:9:7:9:48 | path | semmle.label | path | -| TaintedPath.js:9:14:9:37 | url.par ... , true) | semmle.label | url.par ... , true) | -| TaintedPath.js:9:14:9:43 | url.par ... ).query | semmle.label | url.par ... ).query | -| TaintedPath.js:9:14:9:48 | url.par ... ry.path | semmle.label | url.par ... ry.path | -| TaintedPath.js:9:24:9:30 | req.url | semmle.label | req.url | -| TaintedPath.js:12:29:12:32 | path | semmle.label | path | -| TaintedPath.js:15:29:15:48 | "/home/user/" + path | semmle.label | "/home/user/" + path | -| TaintedPath.js:15:45:15:48 | path | semmle.label | path | -| TaintedPath.js:18:33:18:36 | path | semmle.label | path | -| TaintedPath.js:21:33:21:36 | path | semmle.label | path | -| TaintedPath.js:24:33:24:36 | path | semmle.label | path | -| TaintedPath.js:33:31:33:34 | path | semmle.label | path | -| TaintedPath.js:38:3:38:44 | path | semmle.label | path | -| TaintedPath.js:38:10:38:33 | url.par ... , true) | semmle.label | url.par ... , true) | -| TaintedPath.js:38:10:38:39 | url.par ... ).query | semmle.label | url.par ... ).query | -| TaintedPath.js:38:10:38:44 | url.par ... ry.path | semmle.label | url.par ... ry.path | -| TaintedPath.js:38:20:38:26 | req.url | semmle.label | req.url | -| TaintedPath.js:42:29:42:52 | pathMod ... e(path) | semmle.label | pathMod ... 
e(path) | -| TaintedPath.js:42:48:42:51 | path | semmle.label | path | -| TaintedPath.js:46:29:46:49 | pathMod ... n(path) | semmle.label | pathMod ... n(path) | -| TaintedPath.js:46:45:46:48 | path | semmle.label | path | -| TaintedPath.js:48:29:48:58 | pathMod ... ath, z) | semmle.label | pathMod ... ath, z) | -| TaintedPath.js:48:51:48:54 | path | semmle.label | path | -| TaintedPath.js:50:29:50:54 | pathMod ... e(path) | semmle.label | pathMod ... e(path) | -| TaintedPath.js:50:50:50:53 | path | semmle.label | path | -| TaintedPath.js:52:29:52:56 | pathMod ... , path) | semmle.label | pathMod ... , path) | -| TaintedPath.js:52:52:52:55 | path | semmle.label | path | -| TaintedPath.js:54:29:54:56 | pathMod ... ath, x) | semmle.label | pathMod ... ath, x) | -| TaintedPath.js:54:49:54:52 | path | semmle.label | path | -| TaintedPath.js:56:29:56:52 | pathMod ... e(path) | semmle.label | pathMod ... e(path) | -| TaintedPath.js:56:48:56:51 | path | semmle.label | path | -| TaintedPath.js:58:29:58:61 | pathMod ... ath, z) | semmle.label | pathMod ... ath, z) | -| TaintedPath.js:58:54:58:57 | path | semmle.label | path | -| TaintedPath.js:60:29:60:61 | pathMod ... h(path) | semmle.label | pathMod ... h(path) | -| TaintedPath.js:60:57:60:60 | path | semmle.label | path | -| TaintedPath.js:65:31:65:70 | require ... eq.url) | semmle.label | require ... eq.url) | -| TaintedPath.js:65:31:65:76 | require ... ).query | semmle.label | require ... ).query | -| TaintedPath.js:65:63:65:69 | req.url | semmle.label | req.url | -| TaintedPath.js:66:31:66:68 | require ... eq.url) | semmle.label | require ... eq.url) | -| TaintedPath.js:66:31:66:74 | require ... ).query | semmle.label | require ... ).query | -| TaintedPath.js:66:61:66:67 | req.url | semmle.label | req.url | -| TaintedPath.js:67:31:67:67 | require ... eq.url) | semmle.label | require ... eq.url) | -| TaintedPath.js:67:31:67:73 | require ... ).query | semmle.label | require ... 
).query | -| TaintedPath.js:67:60:67:66 | req.url | semmle.label | req.url | -| TaintedPath.js:75:48:75:60 | req.params[0] | semmle.label | req.params[0] | -| TaintedPath.js:84:6:84:47 | path | semmle.label | path | -| TaintedPath.js:84:13:84:36 | url.par ... , true) | semmle.label | url.par ... , true) | -| TaintedPath.js:84:13:84:42 | url.par ... ).query | semmle.label | url.par ... ).query | -| TaintedPath.js:84:13:84:47 | url.par ... ry.path | semmle.label | url.par ... ry.path | -| TaintedPath.js:84:23:84:29 | req.url | semmle.label | req.url | -| TaintedPath.js:86:28:86:48 | fs.real ... c(path) | semmle.label | fs.real ... c(path) | -| TaintedPath.js:86:44:86:47 | path | semmle.label | path | -| TaintedPath.js:87:14:87:17 | path | semmle.label | path | -| TaintedPath.js:88:32:88:39 | realpath | semmle.label | realpath | -| TaintedPath.js:89:45:89:52 | realpath | semmle.label | realpath | -| TaintedPath.js:120:6:120:47 | path | semmle.label | path | -| TaintedPath.js:120:13:120:36 | url.par ... , true) | semmle.label | url.par ... , true) | -| TaintedPath.js:120:13:120:42 | url.par ... ).query | semmle.label | url.par ... ).query | -| TaintedPath.js:120:13:120:47 | url.par ... ry.path | semmle.label | url.par ... ry.path | -| TaintedPath.js:120:23:120:29 | req.url | semmle.label | req.url | -| TaintedPath.js:122:23:122:26 | path | semmle.label | path | -| TaintedPath.js:126:7:126:48 | path | semmle.label | path | -| TaintedPath.js:126:14:126:37 | url.par ... , true) | semmle.label | url.par ... , true) | -| TaintedPath.js:126:14:126:43 | url.par ... ).query | semmle.label | url.par ... ).query | -| TaintedPath.js:126:14:126:48 | url.par ... ry.path | semmle.label | url.par ... 
ry.path | -| TaintedPath.js:126:24:126:30 | req.url | semmle.label | req.url | -| TaintedPath.js:128:19:128:22 | path | semmle.label | path | -| TaintedPath.js:130:7:130:29 | split | semmle.label | split | -| TaintedPath.js:130:15:130:18 | path | semmle.label | path | -| TaintedPath.js:130:15:130:29 | path.split("/") | semmle.label | path.split("/") | -| TaintedPath.js:132:19:132:23 | split | semmle.label | split | -| TaintedPath.js:132:19:132:33 | split.join("/") | semmle.label | split.join("/") | -| TaintedPath.js:136:19:136:23 | split | semmle.label | split | -| TaintedPath.js:136:19:136:26 | split[x] | semmle.label | split[x] | -| TaintedPath.js:137:19:137:35 | prefix + split[x] | semmle.label | prefix + split[x] | -| TaintedPath.js:137:28:137:32 | split | semmle.label | split | -| TaintedPath.js:137:28:137:35 | split[x] | semmle.label | split[x] | -| TaintedPath.js:139:7:139:38 | concatted | semmle.label | concatted | -| TaintedPath.js:139:19:139:38 | prefix.concat(split) | semmle.label | prefix.concat(split) | -| TaintedPath.js:139:33:139:37 | split | semmle.label | split | -| TaintedPath.js:140:19:140:27 | concatted | semmle.label | concatted | -| TaintedPath.js:140:19:140:37 | concatted.join("/") | semmle.label | concatted.join("/") | -| TaintedPath.js:142:7:142:39 | concatted2 | semmle.label | concatted2 | -| TaintedPath.js:142:20:142:24 | split | semmle.label | split | -| TaintedPath.js:142:20:142:39 | split.concat(prefix) | semmle.label | split.concat(prefix) | -| TaintedPath.js:143:19:143:28 | concatted2 | semmle.label | concatted2 | -| TaintedPath.js:143:19:143:38 | concatted2.join("/") | semmle.label | concatted2.join("/") | -| TaintedPath.js:145:19:145:23 | split | semmle.label | split | -| TaintedPath.js:145:19:145:29 | split.pop() | semmle.label | split.pop() | -| TaintedPath.js:150:7:150:48 | path | semmle.label | path | -| TaintedPath.js:150:14:150:37 | url.par ... , true) | semmle.label | url.par ... 
, true) | -| TaintedPath.js:150:14:150:43 | url.par ... ).query | semmle.label | url.par ... ).query | -| TaintedPath.js:150:14:150:48 | url.par ... ry.path | semmle.label | url.par ... ry.path | -| TaintedPath.js:150:24:150:30 | req.url | semmle.label | req.url | -| TaintedPath.js:154:29:154:32 | path | semmle.label | path | -| TaintedPath.js:154:29:154:55 | path.re ... /g, '') | semmle.label | path.re ... /g, '') | -| TaintedPath.js:160:29:160:32 | path | semmle.label | path | -| TaintedPath.js:160:29:160:52 | path.re ... /g, '') | semmle.label | path.re ... /g, '') | -| TaintedPath.js:161:29:161:32 | path | semmle.label | path | -| TaintedPath.js:161:29:161:53 | path.re ... /g, '') | semmle.label | path.re ... /g, '') | -| TaintedPath.js:162:29:162:32 | path | semmle.label | path | -| TaintedPath.js:162:29:162:51 | path.re ... /g, '') | semmle.label | path.re ... /g, '') | -| TaintedPath.js:163:29:163:32 | path | semmle.label | path | -| TaintedPath.js:163:29:163:57 | path.re ... /g, '') | semmle.label | path.re ... /g, '') | -| TaintedPath.js:178:29:178:73 | "prefix ... +/, '') | semmle.label | "prefix ... +/, '') | -| TaintedPath.js:178:40:178:43 | path | semmle.label | path | -| TaintedPath.js:178:40:178:73 | path.re ... +/, '') | semmle.label | path.re ... +/, '') | -| TaintedPath.js:179:29:179:54 | pathMod ... e(path) | semmle.label | pathMod ... e(path) | -| TaintedPath.js:179:29:179:84 | pathMod ... +/, '') | semmle.label | pathMod ... +/, '') | -| TaintedPath.js:179:50:179:53 | path | semmle.label | path | -| TaintedPath.js:187:29:187:45 | qs.parse(req.url) | semmle.label | qs.parse(req.url) | -| TaintedPath.js:187:29:187:49 | qs.pars ... rl).foo | semmle.label | qs.pars ... rl).foo | -| TaintedPath.js:187:38:187:44 | req.url | semmle.label | req.url | -| TaintedPath.js:188:29:188:59 | qs.pars ... q.url)) | semmle.label | qs.pars ... q.url)) | -| TaintedPath.js:188:29:188:63 | qs.pars ... l)).foo | semmle.label | qs.pars ... 
l)).foo | -| TaintedPath.js:188:38:188:58 | normali ... eq.url) | semmle.label | normali ... eq.url) | -| TaintedPath.js:188:51:188:57 | req.url | semmle.label | req.url | -| TaintedPath.js:190:29:190:51 | parseqs ... eq.url) | semmle.label | parseqs ... eq.url) | -| TaintedPath.js:190:29:190:55 | parseqs ... rl).foo | semmle.label | parseqs ... rl).foo | -| TaintedPath.js:190:44:190:50 | req.url | semmle.label | req.url | -| TaintedPath.js:195:7:195:48 | path | semmle.label | path | -| TaintedPath.js:195:14:195:37 | url.par ... , true) | semmle.label | url.par ... , true) | -| TaintedPath.js:195:14:195:43 | url.par ... ).query | semmle.label | url.par ... ).query | -| TaintedPath.js:195:14:195:48 | url.par ... ry.path | semmle.label | url.par ... ry.path | -| TaintedPath.js:195:24:195:30 | req.url | semmle.label | req.url | -| TaintedPath.js:196:31:196:34 | path | semmle.label | path | -| TaintedPath.js:197:45:197:48 | path | semmle.label | path | -| TaintedPath.js:198:35:198:38 | path | semmle.label | path | -| TaintedPath.js:202:7:202:48 | path | semmle.label | path | -| TaintedPath.js:202:14:202:37 | url.par ... , true) | semmle.label | url.par ... , true) | -| TaintedPath.js:202:14:202:43 | url.par ... ).query | semmle.label | url.par ... ).query | -| TaintedPath.js:202:14:202:48 | url.par ... ry.path | semmle.label | url.par ... ry.path | -| TaintedPath.js:202:24:202:30 | req.url | semmle.label | req.url | -| TaintedPath.js:206:29:206:32 | path | semmle.label | path | -| TaintedPath.js:206:29:206:85 | path.re ... '), '') | semmle.label | path.re ... '), '') | -| TaintedPath.js:211:7:211:48 | path | semmle.label | path | -| TaintedPath.js:211:14:211:37 | url.par ... , true) | semmle.label | url.par ... , true) | -| TaintedPath.js:211:14:211:43 | url.par ... ).query | semmle.label | url.par ... ).query | -| TaintedPath.js:211:14:211:48 | url.par ... ry.path | semmle.label | url.par ... 
ry.path | -| TaintedPath.js:211:24:211:30 | req.url | semmle.label | req.url | -| TaintedPath.js:213:29:213:32 | path | semmle.label | path | -| TaintedPath.js:213:29:213:68 | path.re ... '), '') | semmle.label | path.re ... '), '') | -| TaintedPath.js:216:31:216:34 | path | semmle.label | path | -| TaintedPath.js:216:31:216:69 | path.re ... '), '') | semmle.label | path.re ... '), '') | -| examples/TaintedPath.js:8:7:8:52 | filePath | semmle.label | filePath | -| examples/TaintedPath.js:8:18:8:41 | url.par ... , true) | semmle.label | url.par ... , true) | -| examples/TaintedPath.js:8:18:8:47 | url.par ... ).query | semmle.label | url.par ... ).query | -| examples/TaintedPath.js:8:18:8:52 | url.par ... ry.path | semmle.label | url.par ... ry.path | -| examples/TaintedPath.js:8:28:8:34 | req.url | semmle.label | req.url | -| examples/TaintedPath.js:11:29:11:43 | ROOT + filePath | semmle.label | ROOT + filePath | -| examples/TaintedPath.js:11:36:11:43 | filePath | semmle.label | filePath | -| express.js:8:20:8:32 | req.query.bar | semmle.label | req.query.bar | -| handlebars.js:10:51:10:58 | filePath | semmle.label | filePath | -| handlebars.js:11:32:11:39 | filePath | semmle.label | filePath | -| handlebars.js:13:73:13:80 | filePath | semmle.label | filePath | -| handlebars.js:15:25:15:32 | filePath | semmle.label | filePath | -| handlebars.js:29:46:29:60 | req.params.path | semmle.label | req.params.path | -| handlebars.js:43:15:43:29 | req.params.path | semmle.label | req.params.path | -| normalizedPaths.js:11:7:11:27 | path | semmle.label | path | -| normalizedPaths.js:11:14:11:27 | req.query.path | semmle.label | req.query.path | -| normalizedPaths.js:13:19:13:22 | path | semmle.label | path | -| normalizedPaths.js:14:19:14:29 | './' + path | semmle.label | './' + path | -| normalizedPaths.js:14:26:14:29 | path | semmle.label | path | -| normalizedPaths.js:15:19:15:22 | path | semmle.label | path | -| normalizedPaths.js:15:19:15:38 | path + '/index.html' | 
semmle.label | path + '/index.html' | -| normalizedPaths.js:16:19:16:53 | pathMod ... .html') | semmle.label | pathMod ... .html') | -| normalizedPaths.js:16:35:16:38 | path | semmle.label | path | -| normalizedPaths.js:17:19:17:57 | pathMod ... , path) | semmle.label | pathMod ... , path) | -| normalizedPaths.js:17:53:17:56 | path | semmle.label | path | -| normalizedPaths.js:21:7:21:49 | path | semmle.label | path | -| normalizedPaths.js:21:14:21:49 | pathMod ... y.path) | semmle.label | pathMod ... y.path) | -| normalizedPaths.js:21:35:21:48 | req.query.path | semmle.label | req.query.path | -| normalizedPaths.js:23:19:23:22 | path | semmle.label | path | -| normalizedPaths.js:24:19:24:29 | './' + path | semmle.label | './' + path | -| normalizedPaths.js:24:26:24:29 | path | semmle.label | path | -| normalizedPaths.js:25:19:25:22 | path | semmle.label | path | -| normalizedPaths.js:25:19:25:38 | path + '/index.html' | semmle.label | path + '/index.html' | -| normalizedPaths.js:26:19:26:53 | pathMod ... .html') | semmle.label | pathMod ... .html') | -| normalizedPaths.js:26:35:26:38 | path | semmle.label | path | -| normalizedPaths.js:27:19:27:57 | pathMod ... , path) | semmle.label | pathMod ... , path) | -| normalizedPaths.js:27:53:27:56 | path | semmle.label | path | -| normalizedPaths.js:31:7:31:49 | path | semmle.label | path | -| normalizedPaths.js:31:14:31:49 | pathMod ... y.path) | semmle.label | pathMod ... y.path) | -| normalizedPaths.js:31:35:31:48 | req.query.path | semmle.label | req.query.path | -| normalizedPaths.js:36:19:36:22 | path | semmle.label | path | -| normalizedPaths.js:41:21:41:24 | path | semmle.label | path | -| normalizedPaths.js:54:7:54:49 | path | semmle.label | path | -| normalizedPaths.js:54:14:54:49 | pathMod ... y.path) | semmle.label | pathMod ... 
y.path) | -| normalizedPaths.js:54:35:54:48 | req.query.path | semmle.label | req.query.path | -| normalizedPaths.js:59:19:59:22 | path | semmle.label | path | -| normalizedPaths.js:63:19:63:22 | path | semmle.label | path | -| normalizedPaths.js:63:19:63:38 | path + "/index.html" | semmle.label | path + "/index.html" | -| normalizedPaths.js:68:21:68:24 | path | semmle.label | path | -| normalizedPaths.js:73:7:73:56 | path | semmle.label | path | -| normalizedPaths.js:73:14:73:56 | pathMod ... y.path) | semmle.label | pathMod ... y.path) | -| normalizedPaths.js:73:35:73:55 | './' + ... ry.path | semmle.label | './' + ... ry.path | -| normalizedPaths.js:73:42:73:55 | req.query.path | semmle.label | req.query.path | -| normalizedPaths.js:78:22:78:25 | path | semmle.label | path | -| normalizedPaths.js:82:7:82:27 | path | semmle.label | path | -| normalizedPaths.js:82:14:82:27 | req.query.path | semmle.label | req.query.path | -| normalizedPaths.js:87:29:87:32 | path | semmle.label | path | -| normalizedPaths.js:90:31:90:34 | path | semmle.label | path | -| normalizedPaths.js:94:7:94:49 | path | semmle.label | path | -| normalizedPaths.js:94:14:94:49 | pathMod ... y.path) | semmle.label | pathMod ... y.path) | -| normalizedPaths.js:94:35:94:48 | req.query.path | semmle.label | req.query.path | -| normalizedPaths.js:99:29:99:32 | path | semmle.label | path | -| normalizedPaths.js:117:7:117:44 | path | semmle.label | path | -| normalizedPaths.js:117:14:117:44 | fs.real ... y.path) | semmle.label | fs.real ... y.path) | -| normalizedPaths.js:117:30:117:43 | req.query.path | semmle.label | req.query.path | -| normalizedPaths.js:119:19:119:22 | path | semmle.label | path | -| normalizedPaths.js:120:19:120:53 | pathMod ... .html') | semmle.label | pathMod ... .html') | -| normalizedPaths.js:120:35:120:38 | path | semmle.label | path | -| normalizedPaths.js:130:7:130:49 | path | semmle.label | path | -| normalizedPaths.js:130:14:130:49 | pathMod ... 
y.path) | semmle.label | pathMod ... y.path) | -| normalizedPaths.js:130:35:130:48 | req.query.path | semmle.label | req.query.path | -| normalizedPaths.js:135:21:135:24 | path | semmle.label | path | -| normalizedPaths.js:139:7:139:62 | path | semmle.label | path | -| normalizedPaths.js:139:14:139:62 | pathMod ... y.path) | semmle.label | pathMod ... y.path) | -| normalizedPaths.js:139:48:139:61 | req.query.path | semmle.label | req.query.path | -| normalizedPaths.js:144:21:144:24 | path | semmle.label | path | -| normalizedPaths.js:148:7:148:58 | path | semmle.label | path | -| normalizedPaths.js:148:14:148:58 | 'foo/' ... y.path) | semmle.label | 'foo/' ... y.path) | -| normalizedPaths.js:148:23:148:58 | pathMod ... y.path) | semmle.label | pathMod ... y.path) | -| normalizedPaths.js:148:44:148:57 | req.query.path | semmle.label | req.query.path | -| normalizedPaths.js:151:21:151:24 | path | semmle.label | path | -| normalizedPaths.js:153:21:153:24 | path | semmle.label | path | -| normalizedPaths.js:160:7:160:49 | path | semmle.label | path | -| normalizedPaths.js:160:14:160:49 | pathMod ... y.path) | semmle.label | pathMod ... 
y.path) | -| normalizedPaths.js:160:35:160:48 | req.query.path | semmle.label | req.query.path | -| normalizedPaths.js:165:19:165:22 | path | semmle.label | path | -| normalizedPaths.js:170:21:170:24 | path | semmle.label | path | -| normalizedPaths.js:174:7:174:27 | path | semmle.label | path | -| normalizedPaths.js:174:14:174:27 | req.query.path | semmle.label | req.query.path | -| normalizedPaths.js:184:19:184:22 | path | semmle.label | path | -| normalizedPaths.js:187:21:187:24 | path | semmle.label | path | -| normalizedPaths.js:189:21:189:24 | path | semmle.label | path | -| normalizedPaths.js:192:21:192:24 | path | semmle.label | path | -| normalizedPaths.js:194:21:194:24 | path | semmle.label | path | -| normalizedPaths.js:199:21:199:24 | path | semmle.label | path | -| normalizedPaths.js:201:7:201:49 | normalizedPath | semmle.label | normalizedPath | -| normalizedPaths.js:201:24:201:49 | pathMod ... e(path) | semmle.label | pathMod ... e(path) | -| normalizedPaths.js:201:45:201:48 | path | semmle.label | path | -| normalizedPaths.js:205:21:205:34 | normalizedPath | semmle.label | normalizedPath | -| normalizedPaths.js:208:21:208:34 | normalizedPath | semmle.label | normalizedPath | -| normalizedPaths.js:210:21:210:34 | normalizedPath | semmle.label | normalizedPath | -| normalizedPaths.js:214:7:214:49 | path | semmle.label | path | -| normalizedPaths.js:214:14:214:49 | pathMod ... y.path) | semmle.label | pathMod ... y.path) | -| normalizedPaths.js:214:35:214:48 | req.query.path | semmle.label | req.query.path | -| normalizedPaths.js:219:3:219:33 | path | semmle.label | path | -| normalizedPaths.js:219:10:219:33 | decodeU ... t(path) | semmle.label | decodeU ... t(path) | -| normalizedPaths.js:219:29:219:32 | path | semmle.label | path | -| normalizedPaths.js:222:21:222:24 | path | semmle.label | path | -| normalizedPaths.js:226:7:226:70 | path | semmle.label | path | -| normalizedPaths.js:226:14:226:49 | pathMod ... y.path) | semmle.label | pathMod ... 
y.path) | -| normalizedPaths.js:226:14:226:70 | pathMod ... g, ' ') | semmle.label | pathMod ... g, ' ') | -| normalizedPaths.js:226:35:226:48 | req.query.path | semmle.label | req.query.path | -| normalizedPaths.js:228:21:228:24 | path | semmle.label | path | -| normalizedPaths.js:236:7:236:47 | path | semmle.label | path | -| normalizedPaths.js:236:14:236:47 | pathMod ... y.path) | semmle.label | pathMod ... y.path) | -| normalizedPaths.js:236:33:236:46 | req.query.path | semmle.label | req.query.path | -| normalizedPaths.js:238:19:238:22 | path | semmle.label | path | -| normalizedPaths.js:245:21:245:24 | path | semmle.label | path | -| normalizedPaths.js:250:21:250:24 | path | semmle.label | path | -| normalizedPaths.js:254:7:254:47 | path | semmle.label | path | -| normalizedPaths.js:254:14:254:47 | pathMod ... y.path) | semmle.label | pathMod ... y.path) | -| normalizedPaths.js:254:33:254:46 | req.query.path | semmle.label | req.query.path | -| normalizedPaths.js:256:19:256:22 | path | semmle.label | path | -| normalizedPaths.js:262:21:262:24 | path | semmle.label | path | -| normalizedPaths.js:267:7:267:42 | newpath | semmle.label | newpath | -| normalizedPaths.js:267:17:267:42 | pathMod ... e(path) | semmle.label | pathMod ... e(path) | -| normalizedPaths.js:267:38:267:41 | path | semmle.label | path | -| normalizedPaths.js:270:21:270:27 | newpath | semmle.label | newpath | -| normalizedPaths.js:275:7:275:42 | newpath | semmle.label | newpath | -| normalizedPaths.js:275:17:275:42 | pathMod ... e(path) | semmle.label | pathMod ... e(path) | -| normalizedPaths.js:275:38:275:41 | path | semmle.label | path | -| normalizedPaths.js:278:21:278:27 | newpath | semmle.label | newpath | -| normalizedPaths.js:283:7:283:42 | newpath | semmle.label | newpath | -| normalizedPaths.js:283:17:283:42 | pathMod ... e(path) | semmle.label | pathMod ... 
e(path) | -| normalizedPaths.js:283:38:283:41 | path | semmle.label | path | -| normalizedPaths.js:286:21:286:27 | newpath | semmle.label | newpath | -| normalizedPaths.js:291:7:291:42 | newpath | semmle.label | newpath | -| normalizedPaths.js:291:17:291:42 | pathMod ... e(path) | semmle.label | pathMod ... e(path) | -| normalizedPaths.js:291:38:291:41 | path | semmle.label | path | -| normalizedPaths.js:296:21:296:27 | newpath | semmle.label | newpath | -| normalizedPaths.js:303:6:303:26 | path | semmle.label | path | -| normalizedPaths.js:303:13:303:26 | req.query.path | semmle.label | req.query.path | -| normalizedPaths.js:304:18:304:21 | path | semmle.label | path | -| normalizedPaths.js:309:19:309:22 | path | semmle.label | path | -| normalizedPaths.js:313:19:313:22 | path | semmle.label | path | -| normalizedPaths.js:316:19:316:22 | path | semmle.label | path | -| normalizedPaths.js:320:6:320:49 | normalizedPath | semmle.label | normalizedPath | -| normalizedPaths.js:320:23:320:49 | pathMod ... , path) | semmle.label | pathMod ... , path) | -| normalizedPaths.js:320:45:320:48 | path | semmle.label | path | -| normalizedPaths.js:325:19:325:32 | normalizedPath | semmle.label | normalizedPath | -| normalizedPaths.js:332:19:332:32 | normalizedPath | semmle.label | normalizedPath | -| normalizedPaths.js:339:6:339:46 | path | semmle.label | path | -| normalizedPaths.js:339:13:339:46 | pathMod ... y.path) | semmle.label | pathMod ... 
y.path) | -| normalizedPaths.js:339:32:339:45 | req.query.path | semmle.label | req.query.path | -| normalizedPaths.js:341:18:341:21 | path | semmle.label | path | -| normalizedPaths.js:346:19:346:22 | path | semmle.label | path | -| normalizedPaths.js:354:7:354:27 | path | semmle.label | path | -| normalizedPaths.js:354:14:354:27 | req.query.path | semmle.label | req.query.path | -| normalizedPaths.js:356:19:356:22 | path | semmle.label | path | -| normalizedPaths.js:358:7:358:51 | requestPath | semmle.label | requestPath | -| normalizedPaths.js:358:21:358:51 | pathMod ... , path) | semmle.label | pathMod ... , path) | -| normalizedPaths.js:358:47:358:50 | path | semmle.label | path | -| normalizedPaths.js:363:21:363:31 | requestPath | semmle.label | requestPath | -| normalizedPaths.js:377:7:377:27 | path | semmle.label | path | -| normalizedPaths.js:377:14:377:27 | req.query.path | semmle.label | req.query.path | -| normalizedPaths.js:379:19:379:22 | path | semmle.label | path | -| normalizedPaths.js:381:19:381:29 | slash(path) | semmle.label | slash(path) | -| normalizedPaths.js:381:25:381:28 | path | semmle.label | path | -| normalizedPaths.js:385:7:385:46 | path | semmle.label | path | -| normalizedPaths.js:385:14:385:46 | pathMod ... uery.x) | semmle.label | pathMod ... uery.x) | -| normalizedPaths.js:385:35:385:45 | req.query.x | semmle.label | req.query.x | -| normalizedPaths.js:388:19:388:22 | path | semmle.label | path | -| normalizedPaths.js:399:21:399:24 | path | semmle.label | path | -| normalizedPaths.js:407:19:407:67 | pathMod ... t('/')) | semmle.label | pathMod ... t('/')) | -| normalizedPaths.js:407:45:407:55 | req.query.x | semmle.label | req.query.x | -| normalizedPaths.js:407:45:407:66 | req.que ... it('/') | semmle.label | req.que ... it('/') | -| normalizedPaths.js:408:19:408:60 | pathMod ... t('/')) | semmle.label | pathMod ... 
t('/')) | -| normalizedPaths.js:408:38:408:48 | req.query.x | semmle.label | req.query.x | -| normalizedPaths.js:408:38:408:59 | req.que ... it('/') | semmle.label | req.que ... it('/') | -| normalizedPaths.js:412:7:412:46 | path | semmle.label | path | -| normalizedPaths.js:412:14:412:46 | pathMod ... uery.x) | semmle.label | pathMod ... uery.x) | -| normalizedPaths.js:412:35:412:45 | req.query.x | semmle.label | req.query.x | -| normalizedPaths.js:415:19:415:22 | path | semmle.label | path | -| normalizedPaths.js:426:21:426:24 | path | semmle.label | path | -| other-fs-libraries.js:9:7:9:48 | path | semmle.label | path | -| other-fs-libraries.js:9:14:9:37 | url.par ... , true) | semmle.label | url.par ... , true) | -| other-fs-libraries.js:9:14:9:43 | url.par ... ).query | semmle.label | url.par ... ).query | -| other-fs-libraries.js:9:14:9:48 | url.par ... ry.path | semmle.label | url.par ... ry.path | -| other-fs-libraries.js:9:24:9:30 | req.url | semmle.label | req.url | -| other-fs-libraries.js:11:19:11:22 | path | semmle.label | path | -| other-fs-libraries.js:12:27:12:30 | path | semmle.label | path | -| other-fs-libraries.js:13:24:13:27 | path | semmle.label | path | -| other-fs-libraries.js:14:27:14:30 | path | semmle.label | path | -| other-fs-libraries.js:16:34:16:37 | path | semmle.label | path | -| other-fs-libraries.js:17:35:17:38 | path | semmle.label | path | -| other-fs-libraries.js:19:56:19:59 | path | semmle.label | path | -| other-fs-libraries.js:24:35:24:38 | path | semmle.label | path | -| other-fs-libraries.js:38:7:38:48 | path | semmle.label | path | -| other-fs-libraries.js:38:14:38:37 | url.par ... , true) | semmle.label | url.par ... , true) | -| other-fs-libraries.js:38:14:38:43 | url.par ... ).query | semmle.label | url.par ... ).query | -| other-fs-libraries.js:38:14:38:48 | url.par ... ry.path | semmle.label | url.par ... 
ry.path | -| other-fs-libraries.js:38:24:38:30 | req.url | semmle.label | req.url | -| other-fs-libraries.js:40:35:40:38 | path | semmle.label | path | -| other-fs-libraries.js:41:50:41:53 | path | semmle.label | path | -| other-fs-libraries.js:42:53:42:56 | path | semmle.label | path | -| other-fs-libraries.js:49:7:49:48 | path | semmle.label | path | -| other-fs-libraries.js:49:14:49:37 | url.par ... , true) | semmle.label | url.par ... , true) | -| other-fs-libraries.js:49:14:49:43 | url.par ... ).query | semmle.label | url.par ... ).query | -| other-fs-libraries.js:49:14:49:48 | url.par ... ry.path | semmle.label | url.par ... ry.path | -| other-fs-libraries.js:49:24:49:30 | req.url | semmle.label | req.url | -| other-fs-libraries.js:51:19:51:22 | path | semmle.label | path | -| other-fs-libraries.js:52:24:52:27 | path | semmle.label | path | -| other-fs-libraries.js:54:36:54:39 | path | semmle.label | path | -| other-fs-libraries.js:55:36:55:39 | path | semmle.label | path | -| other-fs-libraries.js:57:46:57:49 | path | semmle.label | path | -| other-fs-libraries.js:59:39:59:42 | path | semmle.label | path | -| other-fs-libraries.js:62:43:62:46 | path | semmle.label | path | -| other-fs-libraries.js:63:51:63:54 | path | semmle.label | path | -| other-fs-libraries.js:68:7:68:48 | path | semmle.label | path | -| other-fs-libraries.js:68:14:68:37 | url.par ... , true) | semmle.label | url.par ... , true) | -| other-fs-libraries.js:68:14:68:43 | url.par ... ).query | semmle.label | url.par ... ).query | -| other-fs-libraries.js:68:14:68:48 | url.par ... ry.path | semmle.label | url.par ... 
ry.path | -| other-fs-libraries.js:68:24:68:30 | req.url | semmle.label | req.url | -| other-fs-libraries.js:70:19:70:22 | path | semmle.label | path | -| other-fs-libraries.js:71:10:71:13 | path | semmle.label | path | -| other-fs-libraries.js:72:15:72:18 | path | semmle.label | path | -| other-fs-libraries.js:73:8:73:11 | path | semmle.label | path | -| other-fs-libraries.js:75:15:75:15 | x | semmle.label | x | -| other-fs-libraries.js:76:19:76:19 | x | semmle.label | x | -| other-fs-libraries.js:81:7:81:48 | path | semmle.label | path | -| other-fs-libraries.js:81:14:81:37 | url.par ... , true) | semmle.label | url.par ... , true) | -| other-fs-libraries.js:81:14:81:43 | url.par ... ).query | semmle.label | url.par ... ).query | -| other-fs-libraries.js:81:14:81:48 | url.par ... ry.path | semmle.label | url.par ... ry.path | -| other-fs-libraries.js:81:24:81:30 | req.url | semmle.label | req.url | -| other-fs-libraries.js:83:16:83:19 | path | semmle.label | path | -| prettier.js:6:11:6:28 | p | semmle.label | p | -| prettier.js:6:13:6:13 | p | semmle.label | p | -| prettier.js:7:28:7:28 | p | semmle.label | p | -| prettier.js:11:44:11:44 | p | semmle.label | p | -| pupeteer.js:5:9:5:71 | tainted | semmle.label | tainted | -| pupeteer.js:5:19:5:71 | "dir/" ... t.data" | semmle.label | "dir/" ... t.data" | -| pupeteer.js:5:28:5:53 | parseTo ... t).name | semmle.label | parseTo ... t).name | -| pupeteer.js:9:28:9:34 | tainted | semmle.label | tainted | -| pupeteer.js:13:37:13:43 | tainted | semmle.label | tainted | -| sharedlib-repro.js:13:22:13:43 | req.par ... spaceId | semmle.label | req.par ... spaceId | -| sharedlib-repro.js:21:27:21:34 | filepath | semmle.label | filepath | -| sharedlib-repro.js:22:18:22:25 | filepath | semmle.label | filepath | -| tainted-access-paths.js:6:7:6:48 | path | semmle.label | path | -| tainted-access-paths.js:6:14:6:37 | url.par ... , true) | semmle.label | url.par ... , true) | -| tainted-access-paths.js:6:14:6:43 | url.par ... 
).query | semmle.label | url.par ... ).query | -| tainted-access-paths.js:6:14:6:48 | url.par ... ry.path | semmle.label | url.par ... ry.path | -| tainted-access-paths.js:6:24:6:30 | req.url | semmle.label | req.url | -| tainted-access-paths.js:8:19:8:22 | path | semmle.label | path | -| tainted-access-paths.js:10:7:10:36 | obj | semmle.label | obj | -| tainted-access-paths.js:10:33:10:36 | path | semmle.label | path | -| tainted-access-paths.js:12:19:12:21 | obj | semmle.label | obj | -| tainted-access-paths.js:12:19:12:25 | obj.sub | semmle.label | obj.sub | -| tainted-access-paths.js:26:19:26:21 | obj | semmle.label | obj | -| tainted-access-paths.js:26:19:26:26 | obj.sub3 | semmle.label | obj.sub3 | -| tainted-access-paths.js:29:21:29:23 | obj | semmle.label | obj | -| tainted-access-paths.js:29:21:29:28 | obj.sub4 | semmle.label | obj.sub4 | -| tainted-access-paths.js:30:23:30:25 | obj | semmle.label | obj | -| tainted-access-paths.js:30:23:30:30 | obj.sub4 | semmle.label | obj.sub4 | -| tainted-access-paths.js:31:23:31:25 | obj | semmle.label | obj | -| tainted-access-paths.js:31:23:31:30 | obj.sub4 | semmle.label | obj.sub4 | -| tainted-access-paths.js:39:7:39:48 | path | semmle.label | path | -| tainted-access-paths.js:39:14:39:37 | url.par ... , true) | semmle.label | url.par ... , true) | -| tainted-access-paths.js:39:14:39:43 | url.par ... ).query | semmle.label | url.par ... ).query | -| tainted-access-paths.js:39:14:39:48 | url.par ... ry.path | semmle.label | url.par ... ry.path | -| tainted-access-paths.js:39:24:39:30 | req.url | semmle.label | req.url | -| tainted-access-paths.js:40:23:40:26 | path | semmle.label | path | -| tainted-access-paths.js:48:7:48:48 | path | semmle.label | path | -| tainted-access-paths.js:48:14:48:37 | url.par ... , true) | semmle.label | url.par ... , true) | -| tainted-access-paths.js:48:14:48:43 | url.par ... ).query | semmle.label | url.par ... ).query | -| tainted-access-paths.js:48:14:48:48 | url.par ... 
ry.path | semmle.label | url.par ... ry.path | -| tainted-access-paths.js:48:24:48:30 | req.url | semmle.label | req.url | -| tainted-access-paths.js:49:10:49:13 | path | semmle.label | path | -| tainted-promise-steps.js:6:7:6:48 | path | semmle.label | path | -| tainted-promise-steps.js:6:14:6:37 | url.par ... , true) | semmle.label | url.par ... , true) | -| tainted-promise-steps.js:6:14:6:43 | url.par ... ).query | semmle.label | url.par ... ).query | -| tainted-promise-steps.js:6:14:6:48 | url.par ... ry.path | semmle.label | url.par ... ry.path | -| tainted-promise-steps.js:6:24:6:30 | req.url | semmle.label | req.url | -| tainted-promise-steps.js:7:10:7:30 | Promise ... e(path) [PromiseValue] | semmle.label | Promise ... e(path) [PromiseValue] | -| tainted-promise-steps.js:7:26:7:29 | path | semmle.label | path | -| tainted-promise-steps.js:10:23:10:33 | pathPromise [PromiseValue] | semmle.label | pathPromise [PromiseValue] | -| tainted-promise-steps.js:11:19:11:35 | await pathPromise | semmle.label | await pathPromise | -| tainted-promise-steps.js:11:25:11:35 | pathPromise [PromiseValue] | semmle.label | pathPromise [PromiseValue] | -| tainted-promise-steps.js:12:3:12:13 | pathPromise [PromiseValue] | semmle.label | pathPromise [PromiseValue] | -| tainted-promise-steps.js:12:20:12:23 | path | semmle.label | path | -| tainted-promise-steps.js:12:44:12:47 | path | semmle.label | path | -| tainted-require.js:7:19:7:37 | req.param("module") | semmle.label | req.param("module") | -| tainted-require.js:12:29:12:47 | req.param("module") | semmle.label | req.param("module") | -| tainted-require.js:14:11:14:29 | req.param("module") | semmle.label | req.param("module") | -| tainted-sendFile.js:8:16:8:33 | req.param("gimme") | semmle.label | req.param("gimme") | -| tainted-sendFile.js:10:16:10:33 | req.param("gimme") | semmle.label | req.param("gimme") | -| tainted-sendFile.js:18:43:18:58 | req.param("dir") | semmle.label | req.param("dir") | -| 
tainted-sendFile.js:24:16:24:49 | path.re ... rams.x) | semmle.label | path.re ... rams.x) | -| tainted-sendFile.js:24:37:24:48 | req.params.x | semmle.label | req.params.x | -| tainted-sendFile.js:25:16:25:46 | path.jo ... rams.x) | semmle.label | path.jo ... rams.x) | -| tainted-sendFile.js:25:34:25:45 | req.params.x | semmle.label | req.params.x | -| tainted-string-steps.js:6:7:6:48 | path | semmle.label | path | -| tainted-string-steps.js:6:14:6:37 | url.par ... , true) | semmle.label | url.par ... , true) | -| tainted-string-steps.js:6:14:6:43 | url.par ... ).query | semmle.label | url.par ... ).query | -| tainted-string-steps.js:6:14:6:48 | url.par ... ry.path | semmle.label | url.par ... ry.path | -| tainted-string-steps.js:6:24:6:30 | req.url | semmle.label | req.url | -| tainted-string-steps.js:8:18:8:21 | path | semmle.label | path | -| tainted-string-steps.js:8:18:8:34 | path.substring(4) | semmle.label | path.substring(4) | -| tainted-string-steps.js:9:18:9:21 | path | semmle.label | path | -| tainted-string-steps.js:9:18:9:37 | path.substring(0, i) | semmle.label | path.substring(0, i) | -| tainted-string-steps.js:10:18:10:21 | path | semmle.label | path | -| tainted-string-steps.js:10:18:10:31 | path.substr(4) | semmle.label | path.substr(4) | -| tainted-string-steps.js:11:18:11:21 | path | semmle.label | path | -| tainted-string-steps.js:11:18:11:30 | path.slice(4) | semmle.label | path.slice(4) | -| tainted-string-steps.js:13:18:13:21 | path | semmle.label | path | -| tainted-string-steps.js:13:18:13:37 | path.concat(unknown) | semmle.label | path.concat(unknown) | -| tainted-string-steps.js:14:18:14:37 | unknown.concat(path) | semmle.label | unknown.concat(path) | -| tainted-string-steps.js:14:33:14:36 | path | semmle.label | path | -| tainted-string-steps.js:15:18:15:46 | unknown ... , path) | semmle.label | unknown ... 
, path) | -| tainted-string-steps.js:15:42:15:45 | path | semmle.label | path | -| tainted-string-steps.js:17:18:17:21 | path | semmle.label | path | -| tainted-string-steps.js:17:18:17:28 | path.trim() | semmle.label | path.trim() | -| tainted-string-steps.js:18:18:18:21 | path | semmle.label | path | -| tainted-string-steps.js:18:18:18:35 | path.toLowerCase() | semmle.label | path.toLowerCase() | -| tainted-string-steps.js:22:18:22:21 | path | semmle.label | path | -| tainted-string-steps.js:22:18:22:32 | path.split('/') | semmle.label | path.split('/') | -| tainted-string-steps.js:22:18:22:35 | path.split('/')[i] | semmle.label | path.split('/')[i] | -| tainted-string-steps.js:23:18:23:21 | path | semmle.label | path | -| tainted-string-steps.js:23:18:23:33 | path.split(/\\//) | semmle.label | path.split(/\\//) | -| tainted-string-steps.js:23:18:23:36 | path.split(/\\//)[i] | semmle.label | path.split(/\\//)[i] | -| tainted-string-steps.js:24:18:24:21 | path | semmle.label | path | -| tainted-string-steps.js:24:18:24:32 | path.split("?") | semmle.label | path.split("?") | -| tainted-string-steps.js:24:18:24:35 | path.split("?")[0] | semmle.label | path.split("?")[0] | -| tainted-string-steps.js:26:18:26:21 | path | semmle.label | path | -| tainted-string-steps.js:26:18:26:36 | path.split(unknown) | semmle.label | path.split(unknown) | -| tainted-string-steps.js:26:18:26:45 | path.sp ... hatever | semmle.label | path.sp ... hatever | -| tainted-string-steps.js:27:18:27:21 | path | semmle.label | path | -| tainted-string-steps.js:27:18:27:36 | path.split(unknown) | semmle.label | path.split(unknown) | -| torrents.js:5:6:5:38 | name | semmle.label | name | -| torrents.js:5:13:5:38 | parseTo ... t).name | semmle.label | parseTo ... t).name | -| torrents.js:6:6:6:45 | loc | semmle.label | loc | -| torrents.js:6:12:6:45 | dir + " ... t.data" | semmle.label | dir + " ... 
t.data" | -| torrents.js:6:24:6:27 | name | semmle.label | name | -| torrents.js:7:25:7:27 | loc | semmle.label | loc | -| typescript.ts:9:7:9:48 | path | semmle.label | path | -| typescript.ts:9:14:9:37 | url.par ... , true) | semmle.label | url.par ... , true) | -| typescript.ts:9:14:9:43 | url.par ... ).query | semmle.label | url.par ... ).query | -| typescript.ts:9:14:9:48 | url.par ... ry.path | semmle.label | url.par ... ry.path | -| typescript.ts:9:24:9:30 | req.url | semmle.label | req.url | -| typescript.ts:12:29:12:32 | path | semmle.label | path | -| typescript.ts:20:7:20:18 | path3 | semmle.label | path3 | -| typescript.ts:20:15:20:18 | path | semmle.label | path | -| typescript.ts:21:39:21:43 | path3 | semmle.label | path3 | -| typescript.ts:23:7:23:18 | path4 | semmle.label | path4 | -| typescript.ts:23:15:23:18 | path | semmle.label | path | -| typescript.ts:24:39:24:43 | path4 | semmle.label | path4 | -| typescript.ts:30:7:30:18 | path6 | semmle.label | path6 | -| typescript.ts:30:15:30:18 | path | semmle.label | path | -| typescript.ts:32:29:32:33 | path6 | semmle.label | path6 | -| views.js:1:43:1:55 | req.params[0] | semmle.label | req.params[0] | +#select +| TaintedPath-es6.js:9:26:9:45 | join("public", path) | TaintedPath-es6.js:7:20:7:26 | req.url | TaintedPath-es6.js:9:26:9:45 | join("public", path) | This path depends on a $@. | TaintedPath-es6.js:7:20:7:26 | req.url | user-provided value | +| TaintedPath.js:11:29:11:32 | path | TaintedPath.js:9:24:9:30 | req.url | TaintedPath.js:11:29:11:32 | path | This path depends on a $@. | TaintedPath.js:9:24:9:30 | req.url | user-provided value | +| TaintedPath.js:13:29:13:48 | "/home/user/" + path | TaintedPath.js:9:24:9:30 | req.url | TaintedPath.js:13:29:13:48 | "/home/user/" + path | This path depends on a $@. 
| TaintedPath.js:9:24:9:30 | req.url | user-provided value | +| TaintedPath.js:16:33:16:36 | path | TaintedPath.js:9:24:9:30 | req.url | TaintedPath.js:16:33:16:36 | path | This path depends on a $@. | TaintedPath.js:9:24:9:30 | req.url | user-provided value | +| TaintedPath.js:19:33:19:36 | path | TaintedPath.js:9:24:9:30 | req.url | TaintedPath.js:19:33:19:36 | path | This path depends on a $@. | TaintedPath.js:9:24:9:30 | req.url | user-provided value | +| TaintedPath.js:22:33:22:36 | path | TaintedPath.js:9:24:9:30 | req.url | TaintedPath.js:22:33:22:36 | path | This path depends on a $@. | TaintedPath.js:9:24:9:30 | req.url | user-provided value | +| TaintedPath.js:31:31:31:34 | path | TaintedPath.js:9:24:9:30 | req.url | TaintedPath.js:31:31:31:34 | path | This path depends on a $@. | TaintedPath.js:9:24:9:30 | req.url | user-provided value | +| TaintedPath.js:39:29:39:52 | pathMod ... e(path) | TaintedPath.js:36:20:36:26 | req.url | TaintedPath.js:39:29:39:52 | pathMod ... e(path) | This path depends on a $@. | TaintedPath.js:36:20:36:26 | req.url | user-provided value | +| TaintedPath.js:42:29:42:49 | pathMod ... n(path) | TaintedPath.js:36:20:36:26 | req.url | TaintedPath.js:42:29:42:49 | pathMod ... n(path) | This path depends on a $@. | TaintedPath.js:36:20:36:26 | req.url | user-provided value | +| TaintedPath.js:43:29:43:58 | pathMod ... ath, z) | TaintedPath.js:36:20:36:26 | req.url | TaintedPath.js:43:29:43:58 | pathMod ... ath, z) | This path depends on a $@. | TaintedPath.js:36:20:36:26 | req.url | user-provided value | +| TaintedPath.js:44:29:44:54 | pathMod ... e(path) | TaintedPath.js:36:20:36:26 | req.url | TaintedPath.js:44:29:44:54 | pathMod ... e(path) | This path depends on a $@. | TaintedPath.js:36:20:36:26 | req.url | user-provided value | +| TaintedPath.js:45:29:45:56 | pathMod ... , path) | TaintedPath.js:36:20:36:26 | req.url | TaintedPath.js:45:29:45:56 | pathMod ... , path) | This path depends on a $@. 
| TaintedPath.js:36:20:36:26 | req.url | user-provided value | +| TaintedPath.js:46:29:46:56 | pathMod ... ath, x) | TaintedPath.js:36:20:36:26 | req.url | TaintedPath.js:46:29:46:56 | pathMod ... ath, x) | This path depends on a $@. | TaintedPath.js:36:20:36:26 | req.url | user-provided value | +| TaintedPath.js:47:29:47:52 | pathMod ... e(path) | TaintedPath.js:36:20:36:26 | req.url | TaintedPath.js:47:29:47:52 | pathMod ... e(path) | This path depends on a $@. | TaintedPath.js:36:20:36:26 | req.url | user-provided value | +| TaintedPath.js:48:29:48:61 | pathMod ... ath, z) | TaintedPath.js:36:20:36:26 | req.url | TaintedPath.js:48:29:48:61 | pathMod ... ath, z) | This path depends on a $@. | TaintedPath.js:36:20:36:26 | req.url | user-provided value | +| TaintedPath.js:49:29:49:61 | pathMod ... h(path) | TaintedPath.js:36:20:36:26 | req.url | TaintedPath.js:49:29:49:61 | pathMod ... h(path) | This path depends on a $@. | TaintedPath.js:36:20:36:26 | req.url | user-provided value | +| TaintedPath.js:54:31:54:76 | require ... ).query | TaintedPath.js:54:63:54:69 | req.url | TaintedPath.js:54:31:54:76 | require ... ).query | This path depends on a $@. | TaintedPath.js:54:63:54:69 | req.url | user-provided value | +| TaintedPath.js:55:31:55:74 | require ... ).query | TaintedPath.js:55:61:55:67 | req.url | TaintedPath.js:55:31:55:74 | require ... ).query | This path depends on a $@. | TaintedPath.js:55:61:55:67 | req.url | user-provided value | +| TaintedPath.js:56:31:56:73 | require ... ).query | TaintedPath.js:56:60:56:66 | req.url | TaintedPath.js:56:31:56:73 | require ... ).query | This path depends on a $@. | TaintedPath.js:56:60:56:66 | req.url | user-provided value | +| TaintedPath.js:64:48:64:60 | req.params[0] | TaintedPath.js:64:48:64:60 | req.params[0] | TaintedPath.js:64:48:64:60 | req.params[0] | This path depends on a $@. | TaintedPath.js:64:48:64:60 | req.params[0] | user-provided value | +| TaintedPath.js:75:28:75:48 | fs.real ... 
c(path) | TaintedPath.js:73:23:73:29 | req.url | TaintedPath.js:75:28:75:48 | fs.real ... c(path) | This path depends on a $@. | TaintedPath.js:73:23:73:29 | req.url | user-provided value | +| TaintedPath.js:78:45:78:52 | realpath | TaintedPath.js:73:23:73:29 | req.url | TaintedPath.js:78:45:78:52 | realpath | This path depends on a $@. | TaintedPath.js:73:23:73:29 | req.url | user-provided value | +| TaintedPath.js:111:23:111:26 | path | TaintedPath.js:109:23:109:29 | req.url | TaintedPath.js:111:23:111:26 | path | This path depends on a $@. | TaintedPath.js:109:23:109:29 | req.url | user-provided value | +| TaintedPath.js:117:19:117:22 | path | TaintedPath.js:115:24:115:30 | req.url | TaintedPath.js:117:19:117:22 | path | This path depends on a $@. | TaintedPath.js:115:24:115:30 | req.url | user-provided value | +| TaintedPath.js:121:19:121:33 | split.join("/") | TaintedPath.js:115:24:115:30 | req.url | TaintedPath.js:121:19:121:33 | split.join("/") | This path depends on a $@. | TaintedPath.js:115:24:115:30 | req.url | user-provided value | +| TaintedPath.js:125:19:125:26 | split[x] | TaintedPath.js:115:24:115:30 | req.url | TaintedPath.js:125:19:125:26 | split[x] | This path depends on a $@. | TaintedPath.js:115:24:115:30 | req.url | user-provided value | +| TaintedPath.js:126:19:126:35 | prefix + split[x] | TaintedPath.js:115:24:115:30 | req.url | TaintedPath.js:126:19:126:35 | prefix + split[x] | This path depends on a $@. | TaintedPath.js:115:24:115:30 | req.url | user-provided value | +| TaintedPath.js:129:19:129:37 | concatted.join("/") | TaintedPath.js:115:24:115:30 | req.url | TaintedPath.js:129:19:129:37 | concatted.join("/") | This path depends on a $@. | TaintedPath.js:115:24:115:30 | req.url | user-provided value | +| TaintedPath.js:132:19:132:38 | concatted2.join("/") | TaintedPath.js:115:24:115:30 | req.url | TaintedPath.js:132:19:132:38 | concatted2.join("/") | This path depends on a $@. 
| TaintedPath.js:115:24:115:30 | req.url | user-provided value | +| TaintedPath.js:134:19:134:29 | split.pop() | TaintedPath.js:115:24:115:30 | req.url | TaintedPath.js:134:19:134:29 | split.pop() | This path depends on a $@. | TaintedPath.js:115:24:115:30 | req.url | user-provided value | +| TaintedPath.js:143:29:143:55 | path.re ... /g, '') | TaintedPath.js:139:24:139:30 | req.url | TaintedPath.js:143:29:143:55 | path.re ... /g, '') | This path depends on a $@. | TaintedPath.js:139:24:139:30 | req.url | user-provided value | +| TaintedPath.js:149:29:149:52 | path.re ... /g, '') | TaintedPath.js:139:24:139:30 | req.url | TaintedPath.js:149:29:149:52 | path.re ... /g, '') | This path depends on a $@. | TaintedPath.js:139:24:139:30 | req.url | user-provided value | +| TaintedPath.js:150:29:150:53 | path.re ... /g, '') | TaintedPath.js:139:24:139:30 | req.url | TaintedPath.js:150:29:150:53 | path.re ... /g, '') | This path depends on a $@. | TaintedPath.js:139:24:139:30 | req.url | user-provided value | +| TaintedPath.js:151:29:151:51 | path.re ... /g, '') | TaintedPath.js:139:24:139:30 | req.url | TaintedPath.js:151:29:151:51 | path.re ... /g, '') | This path depends on a $@. | TaintedPath.js:139:24:139:30 | req.url | user-provided value | +| TaintedPath.js:152:29:152:57 | path.re ... /g, '') | TaintedPath.js:139:24:139:30 | req.url | TaintedPath.js:152:29:152:57 | path.re ... /g, '') | This path depends on a $@. | TaintedPath.js:139:24:139:30 | req.url | user-provided value | +| TaintedPath.js:167:29:167:73 | "prefix ... +/, '') | TaintedPath.js:139:24:139:30 | req.url | TaintedPath.js:167:29:167:73 | "prefix ... +/, '') | This path depends on a $@. | TaintedPath.js:139:24:139:30 | req.url | user-provided value | +| TaintedPath.js:168:29:168:84 | pathMod ... +/, '') | TaintedPath.js:139:24:139:30 | req.url | TaintedPath.js:168:29:168:84 | pathMod ... +/, '') | This path depends on a $@. 
| TaintedPath.js:139:24:139:30 | req.url | user-provided value | +| TaintedPath.js:176:29:176:49 | qs.pars ... rl).foo | TaintedPath.js:176:38:176:44 | req.url | TaintedPath.js:176:29:176:49 | qs.pars ... rl).foo | This path depends on a $@. | TaintedPath.js:176:38:176:44 | req.url | user-provided value | +| TaintedPath.js:177:29:177:63 | qs.pars ... l)).foo | TaintedPath.js:177:51:177:57 | req.url | TaintedPath.js:177:29:177:63 | qs.pars ... l)).foo | This path depends on a $@. | TaintedPath.js:177:51:177:57 | req.url | user-provided value | +| TaintedPath.js:179:29:179:55 | parseqs ... rl).foo | TaintedPath.js:179:44:179:50 | req.url | TaintedPath.js:179:29:179:55 | parseqs ... rl).foo | This path depends on a $@. | TaintedPath.js:179:44:179:50 | req.url | user-provided value | +| TaintedPath.js:185:31:185:34 | path | TaintedPath.js:184:24:184:30 | req.url | TaintedPath.js:185:31:185:34 | path | This path depends on a $@. | TaintedPath.js:184:24:184:30 | req.url | user-provided value | +| TaintedPath.js:186:45:186:48 | path | TaintedPath.js:184:24:184:30 | req.url | TaintedPath.js:186:45:186:48 | path | This path depends on a $@. | TaintedPath.js:184:24:184:30 | req.url | user-provided value | +| TaintedPath.js:187:35:187:38 | path | TaintedPath.js:184:24:184:30 | req.url | TaintedPath.js:187:35:187:38 | path | This path depends on a $@. | TaintedPath.js:184:24:184:30 | req.url | user-provided value | +| TaintedPath.js:195:29:195:85 | path.re ... '), '') | TaintedPath.js:191:24:191:30 | req.url | TaintedPath.js:195:29:195:85 | path.re ... '), '') | This path depends on a $@. | TaintedPath.js:191:24:191:30 | req.url | user-provided value | +| TaintedPath.js:202:29:202:68 | path.re ... '), '') | TaintedPath.js:200:24:200:30 | req.url | TaintedPath.js:202:29:202:68 | path.re ... '), '') | This path depends on a $@. | TaintedPath.js:200:24:200:30 | req.url | user-provided value | +| TaintedPath.js:205:31:205:69 | path.re ... 
'), '') | TaintedPath.js:200:24:200:30 | req.url | TaintedPath.js:205:31:205:69 | path.re ... '), '') | This path depends on a $@. | TaintedPath.js:200:24:200:30 | req.url | user-provided value | +| examples/TaintedPath.js:10:29:10:43 | ROOT + filePath | examples/TaintedPath.js:8:28:8:34 | req.url | examples/TaintedPath.js:10:29:10:43 | ROOT + filePath | This path depends on a $@. | examples/TaintedPath.js:8:28:8:34 | req.url | user-provided value | +| express.js:8:20:8:32 | req.query.bar | express.js:8:20:8:32 | req.query.bar | express.js:8:20:8:32 | req.query.bar | This path depends on a $@. | express.js:8:20:8:32 | req.query.bar | user-provided value | +| handlebars.js:11:32:11:39 | filePath | handlebars.js:29:46:29:60 | req.params.path | handlebars.js:11:32:11:39 | filePath | This path depends on a $@. | handlebars.js:29:46:29:60 | req.params.path | user-provided value | +| handlebars.js:15:25:15:32 | filePath | handlebars.js:43:15:43:29 | req.params.path | handlebars.js:15:25:15:32 | filePath | This path depends on a $@. | handlebars.js:43:15:43:29 | req.params.path | user-provided value | +| normalizedPaths.js:13:19:13:22 | path | normalizedPaths.js:11:14:11:27 | req.query.path | normalizedPaths.js:13:19:13:22 | path | This path depends on a $@. | normalizedPaths.js:11:14:11:27 | req.query.path | user-provided value | +| normalizedPaths.js:14:19:14:29 | './' + path | normalizedPaths.js:11:14:11:27 | req.query.path | normalizedPaths.js:14:19:14:29 | './' + path | This path depends on a $@. | normalizedPaths.js:11:14:11:27 | req.query.path | user-provided value | +| normalizedPaths.js:15:19:15:38 | path + '/index.html' | normalizedPaths.js:11:14:11:27 | req.query.path | normalizedPaths.js:15:19:15:38 | path + '/index.html' | This path depends on a $@. | normalizedPaths.js:11:14:11:27 | req.query.path | user-provided value | +| normalizedPaths.js:16:19:16:53 | pathMod ... 
.html') | normalizedPaths.js:11:14:11:27 | req.query.path | normalizedPaths.js:16:19:16:53 | pathMod ... .html') | This path depends on a $@. | normalizedPaths.js:11:14:11:27 | req.query.path | user-provided value | +| normalizedPaths.js:17:19:17:57 | pathMod ... , path) | normalizedPaths.js:11:14:11:27 | req.query.path | normalizedPaths.js:17:19:17:57 | pathMod ... , path) | This path depends on a $@. | normalizedPaths.js:11:14:11:27 | req.query.path | user-provided value | +| normalizedPaths.js:23:19:23:22 | path | normalizedPaths.js:21:35:21:48 | req.query.path | normalizedPaths.js:23:19:23:22 | path | This path depends on a $@. | normalizedPaths.js:21:35:21:48 | req.query.path | user-provided value | +| normalizedPaths.js:24:19:24:29 | './' + path | normalizedPaths.js:21:35:21:48 | req.query.path | normalizedPaths.js:24:19:24:29 | './' + path | This path depends on a $@. | normalizedPaths.js:21:35:21:48 | req.query.path | user-provided value | +| normalizedPaths.js:25:19:25:38 | path + '/index.html' | normalizedPaths.js:21:35:21:48 | req.query.path | normalizedPaths.js:25:19:25:38 | path + '/index.html' | This path depends on a $@. | normalizedPaths.js:21:35:21:48 | req.query.path | user-provided value | +| normalizedPaths.js:26:19:26:53 | pathMod ... .html') | normalizedPaths.js:21:35:21:48 | req.query.path | normalizedPaths.js:26:19:26:53 | pathMod ... .html') | This path depends on a $@. | normalizedPaths.js:21:35:21:48 | req.query.path | user-provided value | +| normalizedPaths.js:27:19:27:57 | pathMod ... , path) | normalizedPaths.js:21:35:21:48 | req.query.path | normalizedPaths.js:27:19:27:57 | pathMod ... , path) | This path depends on a $@. | normalizedPaths.js:21:35:21:48 | req.query.path | user-provided value | +| normalizedPaths.js:36:19:36:22 | path | normalizedPaths.js:31:35:31:48 | req.query.path | normalizedPaths.js:36:19:36:22 | path | This path depends on a $@. 
| normalizedPaths.js:31:35:31:48 | req.query.path | user-provided value | +| normalizedPaths.js:41:21:41:24 | path | normalizedPaths.js:31:35:31:48 | req.query.path | normalizedPaths.js:41:21:41:24 | path | This path depends on a $@. | normalizedPaths.js:31:35:31:48 | req.query.path | user-provided value | +| normalizedPaths.js:59:19:59:22 | path | normalizedPaths.js:54:35:54:48 | req.query.path | normalizedPaths.js:59:19:59:22 | path | This path depends on a $@. | normalizedPaths.js:54:35:54:48 | req.query.path | user-provided value | +| normalizedPaths.js:63:19:63:38 | path + "/index.html" | normalizedPaths.js:54:35:54:48 | req.query.path | normalizedPaths.js:63:19:63:38 | path + "/index.html" | This path depends on a $@. | normalizedPaths.js:54:35:54:48 | req.query.path | user-provided value | +| normalizedPaths.js:68:21:68:24 | path | normalizedPaths.js:54:35:54:48 | req.query.path | normalizedPaths.js:68:21:68:24 | path | This path depends on a $@. | normalizedPaths.js:54:35:54:48 | req.query.path | user-provided value | +| normalizedPaths.js:78:22:78:25 | path | normalizedPaths.js:73:42:73:55 | req.query.path | normalizedPaths.js:78:22:78:25 | path | This path depends on a $@. | normalizedPaths.js:73:42:73:55 | req.query.path | user-provided value | +| normalizedPaths.js:87:29:87:32 | path | normalizedPaths.js:82:14:82:27 | req.query.path | normalizedPaths.js:87:29:87:32 | path | This path depends on a $@. | normalizedPaths.js:82:14:82:27 | req.query.path | user-provided value | +| normalizedPaths.js:90:31:90:34 | path | normalizedPaths.js:82:14:82:27 | req.query.path | normalizedPaths.js:90:31:90:34 | path | This path depends on a $@. | normalizedPaths.js:82:14:82:27 | req.query.path | user-provided value | +| normalizedPaths.js:99:29:99:32 | path | normalizedPaths.js:94:35:94:48 | req.query.path | normalizedPaths.js:99:29:99:32 | path | This path depends on a $@. 
| normalizedPaths.js:94:35:94:48 | req.query.path | user-provided value | +| normalizedPaths.js:119:19:119:22 | path | normalizedPaths.js:117:30:117:43 | req.query.path | normalizedPaths.js:119:19:119:22 | path | This path depends on a $@. | normalizedPaths.js:117:30:117:43 | req.query.path | user-provided value | +| normalizedPaths.js:120:19:120:53 | pathMod ... .html') | normalizedPaths.js:117:30:117:43 | req.query.path | normalizedPaths.js:120:19:120:53 | pathMod ... .html') | This path depends on a $@. | normalizedPaths.js:117:30:117:43 | req.query.path | user-provided value | +| normalizedPaths.js:135:21:135:24 | path | normalizedPaths.js:130:35:130:48 | req.query.path | normalizedPaths.js:135:21:135:24 | path | This path depends on a $@. | normalizedPaths.js:130:35:130:48 | req.query.path | user-provided value | +| normalizedPaths.js:144:21:144:24 | path | normalizedPaths.js:139:48:139:61 | req.query.path | normalizedPaths.js:144:21:144:24 | path | This path depends on a $@. | normalizedPaths.js:139:48:139:61 | req.query.path | user-provided value | +| normalizedPaths.js:151:21:151:24 | path | normalizedPaths.js:148:44:148:57 | req.query.path | normalizedPaths.js:151:21:151:24 | path | This path depends on a $@. | normalizedPaths.js:148:44:148:57 | req.query.path | user-provided value | +| normalizedPaths.js:153:21:153:24 | path | normalizedPaths.js:148:44:148:57 | req.query.path | normalizedPaths.js:153:21:153:24 | path | This path depends on a $@. | normalizedPaths.js:148:44:148:57 | req.query.path | user-provided value | +| normalizedPaths.js:165:19:165:22 | path | normalizedPaths.js:160:35:160:48 | req.query.path | normalizedPaths.js:165:19:165:22 | path | This path depends on a $@. | normalizedPaths.js:160:35:160:48 | req.query.path | user-provided value | +| normalizedPaths.js:170:21:170:24 | path | normalizedPaths.js:160:35:160:48 | req.query.path | normalizedPaths.js:170:21:170:24 | path | This path depends on a $@. 
| normalizedPaths.js:160:35:160:48 | req.query.path | user-provided value | +| normalizedPaths.js:184:19:184:22 | path | normalizedPaths.js:174:14:174:27 | req.query.path | normalizedPaths.js:184:19:184:22 | path | This path depends on a $@. | normalizedPaths.js:174:14:174:27 | req.query.path | user-provided value | +| normalizedPaths.js:187:21:187:24 | path | normalizedPaths.js:174:14:174:27 | req.query.path | normalizedPaths.js:187:21:187:24 | path | This path depends on a $@. | normalizedPaths.js:174:14:174:27 | req.query.path | user-provided value | +| normalizedPaths.js:189:21:189:24 | path | normalizedPaths.js:174:14:174:27 | req.query.path | normalizedPaths.js:189:21:189:24 | path | This path depends on a $@. | normalizedPaths.js:174:14:174:27 | req.query.path | user-provided value | +| normalizedPaths.js:192:21:192:24 | path | normalizedPaths.js:174:14:174:27 | req.query.path | normalizedPaths.js:192:21:192:24 | path | This path depends on a $@. | normalizedPaths.js:174:14:174:27 | req.query.path | user-provided value | +| normalizedPaths.js:194:21:194:24 | path | normalizedPaths.js:174:14:174:27 | req.query.path | normalizedPaths.js:194:21:194:24 | path | This path depends on a $@. | normalizedPaths.js:174:14:174:27 | req.query.path | user-provided value | +| normalizedPaths.js:199:21:199:24 | path | normalizedPaths.js:174:14:174:27 | req.query.path | normalizedPaths.js:199:21:199:24 | path | This path depends on a $@. | normalizedPaths.js:174:14:174:27 | req.query.path | user-provided value | +| normalizedPaths.js:205:21:205:34 | normalizedPath | normalizedPaths.js:174:14:174:27 | req.query.path | normalizedPaths.js:205:21:205:34 | normalizedPath | This path depends on a $@. | normalizedPaths.js:174:14:174:27 | req.query.path | user-provided value | +| normalizedPaths.js:208:21:208:34 | normalizedPath | normalizedPaths.js:174:14:174:27 | req.query.path | normalizedPaths.js:208:21:208:34 | normalizedPath | This path depends on a $@. 
| normalizedPaths.js:174:14:174:27 | req.query.path | user-provided value | +| normalizedPaths.js:210:21:210:34 | normalizedPath | normalizedPaths.js:174:14:174:27 | req.query.path | normalizedPaths.js:210:21:210:34 | normalizedPath | This path depends on a $@. | normalizedPaths.js:174:14:174:27 | req.query.path | user-provided value | +| normalizedPaths.js:222:21:222:24 | path | normalizedPaths.js:214:35:214:48 | req.query.path | normalizedPaths.js:222:21:222:24 | path | This path depends on a $@. | normalizedPaths.js:214:35:214:48 | req.query.path | user-provided value | +| normalizedPaths.js:228:21:228:24 | path | normalizedPaths.js:226:35:226:48 | req.query.path | normalizedPaths.js:228:21:228:24 | path | This path depends on a $@. | normalizedPaths.js:226:35:226:48 | req.query.path | user-provided value | +| normalizedPaths.js:238:19:238:22 | path | normalizedPaths.js:236:33:236:46 | req.query.path | normalizedPaths.js:238:19:238:22 | path | This path depends on a $@. | normalizedPaths.js:236:33:236:46 | req.query.path | user-provided value | +| normalizedPaths.js:245:21:245:24 | path | normalizedPaths.js:236:33:236:46 | req.query.path | normalizedPaths.js:245:21:245:24 | path | This path depends on a $@. | normalizedPaths.js:236:33:236:46 | req.query.path | user-provided value | +| normalizedPaths.js:250:21:250:24 | path | normalizedPaths.js:236:33:236:46 | req.query.path | normalizedPaths.js:250:21:250:24 | path | This path depends on a $@. | normalizedPaths.js:236:33:236:46 | req.query.path | user-provided value | +| normalizedPaths.js:256:19:256:22 | path | normalizedPaths.js:254:33:254:46 | req.query.path | normalizedPaths.js:256:19:256:22 | path | This path depends on a $@. | normalizedPaths.js:254:33:254:46 | req.query.path | user-provided value | +| normalizedPaths.js:262:21:262:24 | path | normalizedPaths.js:254:33:254:46 | req.query.path | normalizedPaths.js:262:21:262:24 | path | This path depends on a $@. 
| normalizedPaths.js:254:33:254:46 | req.query.path | user-provided value | +| normalizedPaths.js:270:21:270:27 | newpath | normalizedPaths.js:254:33:254:46 | req.query.path | normalizedPaths.js:270:21:270:27 | newpath | This path depends on a $@. | normalizedPaths.js:254:33:254:46 | req.query.path | user-provided value | +| normalizedPaths.js:278:21:278:27 | newpath | normalizedPaths.js:254:33:254:46 | req.query.path | normalizedPaths.js:278:21:278:27 | newpath | This path depends on a $@. | normalizedPaths.js:254:33:254:46 | req.query.path | user-provided value | +| normalizedPaths.js:286:21:286:27 | newpath | normalizedPaths.js:254:33:254:46 | req.query.path | normalizedPaths.js:286:21:286:27 | newpath | This path depends on a $@. | normalizedPaths.js:254:33:254:46 | req.query.path | user-provided value | +| normalizedPaths.js:296:21:296:27 | newpath | normalizedPaths.js:254:33:254:46 | req.query.path | normalizedPaths.js:296:21:296:27 | newpath | This path depends on a $@. | normalizedPaths.js:254:33:254:46 | req.query.path | user-provided value | +| normalizedPaths.js:304:18:304:21 | path | normalizedPaths.js:303:13:303:26 | req.query.path | normalizedPaths.js:304:18:304:21 | path | This path depends on a $@. | normalizedPaths.js:303:13:303:26 | req.query.path | user-provided value | +| normalizedPaths.js:309:19:309:22 | path | normalizedPaths.js:303:13:303:26 | req.query.path | normalizedPaths.js:309:19:309:22 | path | This path depends on a $@. | normalizedPaths.js:303:13:303:26 | req.query.path | user-provided value | +| normalizedPaths.js:313:19:313:22 | path | normalizedPaths.js:303:13:303:26 | req.query.path | normalizedPaths.js:313:19:313:22 | path | This path depends on a $@. | normalizedPaths.js:303:13:303:26 | req.query.path | user-provided value | +| normalizedPaths.js:316:19:316:22 | path | normalizedPaths.js:303:13:303:26 | req.query.path | normalizedPaths.js:316:19:316:22 | path | This path depends on a $@. 
| normalizedPaths.js:303:13:303:26 | req.query.path | user-provided value | +| normalizedPaths.js:325:19:325:32 | normalizedPath | normalizedPaths.js:303:13:303:26 | req.query.path | normalizedPaths.js:325:19:325:32 | normalizedPath | This path depends on a $@. | normalizedPaths.js:303:13:303:26 | req.query.path | user-provided value | +| normalizedPaths.js:332:19:332:32 | normalizedPath | normalizedPaths.js:303:13:303:26 | req.query.path | normalizedPaths.js:332:19:332:32 | normalizedPath | This path depends on a $@. | normalizedPaths.js:303:13:303:26 | req.query.path | user-provided value | +| normalizedPaths.js:341:18:341:21 | path | normalizedPaths.js:339:32:339:45 | req.query.path | normalizedPaths.js:341:18:341:21 | path | This path depends on a $@. | normalizedPaths.js:339:32:339:45 | req.query.path | user-provided value | +| normalizedPaths.js:346:19:346:22 | path | normalizedPaths.js:339:32:339:45 | req.query.path | normalizedPaths.js:346:19:346:22 | path | This path depends on a $@. | normalizedPaths.js:339:32:339:45 | req.query.path | user-provided value | +| normalizedPaths.js:356:19:356:22 | path | normalizedPaths.js:354:14:354:27 | req.query.path | normalizedPaths.js:356:19:356:22 | path | This path depends on a $@. | normalizedPaths.js:354:14:354:27 | req.query.path | user-provided value | +| normalizedPaths.js:363:21:363:31 | requestPath | normalizedPaths.js:354:14:354:27 | req.query.path | normalizedPaths.js:363:21:363:31 | requestPath | This path depends on a $@. | normalizedPaths.js:354:14:354:27 | req.query.path | user-provided value | +| normalizedPaths.js:379:19:379:22 | path | normalizedPaths.js:377:14:377:27 | req.query.path | normalizedPaths.js:379:19:379:22 | path | This path depends on a $@. 
| normalizedPaths.js:377:14:377:27 | req.query.path | user-provided value | +| normalizedPaths.js:381:19:381:29 | slash(path) | normalizedPaths.js:377:14:377:27 | req.query.path | normalizedPaths.js:381:19:381:29 | slash(path) | This path depends on a $@. | normalizedPaths.js:377:14:377:27 | req.query.path | user-provided value | +| normalizedPaths.js:388:19:388:22 | path | normalizedPaths.js:385:35:385:45 | req.query.x | normalizedPaths.js:388:19:388:22 | path | This path depends on a $@. | normalizedPaths.js:385:35:385:45 | req.query.x | user-provided value | +| normalizedPaths.js:399:21:399:24 | path | normalizedPaths.js:385:35:385:45 | req.query.x | normalizedPaths.js:399:21:399:24 | path | This path depends on a $@. | normalizedPaths.js:385:35:385:45 | req.query.x | user-provided value | +| normalizedPaths.js:407:19:407:67 | pathMod ... t('/')) | normalizedPaths.js:407:45:407:55 | req.query.x | normalizedPaths.js:407:19:407:67 | pathMod ... t('/')) | This path depends on a $@. | normalizedPaths.js:407:45:407:55 | req.query.x | user-provided value | +| normalizedPaths.js:408:19:408:60 | pathMod ... t('/')) | normalizedPaths.js:408:38:408:48 | req.query.x | normalizedPaths.js:408:19:408:60 | pathMod ... t('/')) | This path depends on a $@. | normalizedPaths.js:408:38:408:48 | req.query.x | user-provided value | +| normalizedPaths.js:415:19:415:22 | path | normalizedPaths.js:412:35:412:45 | req.query.x | normalizedPaths.js:415:19:415:22 | path | This path depends on a $@. | normalizedPaths.js:412:35:412:45 | req.query.x | user-provided value | +| normalizedPaths.js:426:21:426:24 | path | normalizedPaths.js:412:35:412:45 | req.query.x | normalizedPaths.js:426:21:426:24 | path | This path depends on a $@. | normalizedPaths.js:412:35:412:45 | req.query.x | user-provided value | +| other-fs-libraries.js:11:19:11:22 | path | other-fs-libraries.js:9:24:9:30 | req.url | other-fs-libraries.js:11:19:11:22 | path | This path depends on a $@. 
| other-fs-libraries.js:9:24:9:30 | req.url | user-provided value | +| other-fs-libraries.js:12:27:12:30 | path | other-fs-libraries.js:9:24:9:30 | req.url | other-fs-libraries.js:12:27:12:30 | path | This path depends on a $@. | other-fs-libraries.js:9:24:9:30 | req.url | user-provided value | +| other-fs-libraries.js:13:24:13:27 | path | other-fs-libraries.js:9:24:9:30 | req.url | other-fs-libraries.js:13:24:13:27 | path | This path depends on a $@. | other-fs-libraries.js:9:24:9:30 | req.url | user-provided value | +| other-fs-libraries.js:14:27:14:30 | path | other-fs-libraries.js:9:24:9:30 | req.url | other-fs-libraries.js:14:27:14:30 | path | This path depends on a $@. | other-fs-libraries.js:9:24:9:30 | req.url | user-provided value | +| other-fs-libraries.js:16:34:16:37 | path | other-fs-libraries.js:9:24:9:30 | req.url | other-fs-libraries.js:16:34:16:37 | path | This path depends on a $@. | other-fs-libraries.js:9:24:9:30 | req.url | user-provided value | +| other-fs-libraries.js:17:35:17:38 | path | other-fs-libraries.js:9:24:9:30 | req.url | other-fs-libraries.js:17:35:17:38 | path | This path depends on a $@. | other-fs-libraries.js:9:24:9:30 | req.url | user-provided value | +| other-fs-libraries.js:19:56:19:59 | path | other-fs-libraries.js:9:24:9:30 | req.url | other-fs-libraries.js:19:56:19:59 | path | This path depends on a $@. | other-fs-libraries.js:9:24:9:30 | req.url | user-provided value | +| other-fs-libraries.js:24:35:24:38 | path | other-fs-libraries.js:9:24:9:30 | req.url | other-fs-libraries.js:24:35:24:38 | path | This path depends on a $@. | other-fs-libraries.js:9:24:9:30 | req.url | user-provided value | +| other-fs-libraries.js:40:35:40:38 | path | other-fs-libraries.js:38:24:38:30 | req.url | other-fs-libraries.js:40:35:40:38 | path | This path depends on a $@. 
| other-fs-libraries.js:38:24:38:30 | req.url | user-provided value | +| other-fs-libraries.js:41:50:41:53 | path | other-fs-libraries.js:38:24:38:30 | req.url | other-fs-libraries.js:41:50:41:53 | path | This path depends on a $@. | other-fs-libraries.js:38:24:38:30 | req.url | user-provided value | +| other-fs-libraries.js:42:53:42:56 | path | other-fs-libraries.js:38:24:38:30 | req.url | other-fs-libraries.js:42:53:42:56 | path | This path depends on a $@. | other-fs-libraries.js:38:24:38:30 | req.url | user-provided value | +| other-fs-libraries.js:51:19:51:22 | path | other-fs-libraries.js:49:24:49:30 | req.url | other-fs-libraries.js:51:19:51:22 | path | This path depends on a $@. | other-fs-libraries.js:49:24:49:30 | req.url | user-provided value | +| other-fs-libraries.js:52:24:52:27 | path | other-fs-libraries.js:49:24:49:30 | req.url | other-fs-libraries.js:52:24:52:27 | path | This path depends on a $@. | other-fs-libraries.js:49:24:49:30 | req.url | user-provided value | +| other-fs-libraries.js:54:36:54:39 | path | other-fs-libraries.js:49:24:49:30 | req.url | other-fs-libraries.js:54:36:54:39 | path | This path depends on a $@. | other-fs-libraries.js:49:24:49:30 | req.url | user-provided value | +| other-fs-libraries.js:55:36:55:39 | path | other-fs-libraries.js:49:24:49:30 | req.url | other-fs-libraries.js:55:36:55:39 | path | This path depends on a $@. | other-fs-libraries.js:49:24:49:30 | req.url | user-provided value | +| other-fs-libraries.js:57:46:57:49 | path | other-fs-libraries.js:49:24:49:30 | req.url | other-fs-libraries.js:57:46:57:49 | path | This path depends on a $@. | other-fs-libraries.js:49:24:49:30 | req.url | user-provided value | +| other-fs-libraries.js:59:39:59:42 | path | other-fs-libraries.js:49:24:49:30 | req.url | other-fs-libraries.js:59:39:59:42 | path | This path depends on a $@. 
| other-fs-libraries.js:49:24:49:30 | req.url | user-provided value | +| other-fs-libraries.js:62:43:62:46 | path | other-fs-libraries.js:49:24:49:30 | req.url | other-fs-libraries.js:62:43:62:46 | path | This path depends on a $@. | other-fs-libraries.js:49:24:49:30 | req.url | user-provided value | +| other-fs-libraries.js:63:51:63:54 | path | other-fs-libraries.js:49:24:49:30 | req.url | other-fs-libraries.js:63:51:63:54 | path | This path depends on a $@. | other-fs-libraries.js:49:24:49:30 | req.url | user-provided value | +| other-fs-libraries.js:70:19:70:22 | path | other-fs-libraries.js:68:24:68:30 | req.url | other-fs-libraries.js:70:19:70:22 | path | This path depends on a $@. | other-fs-libraries.js:68:24:68:30 | req.url | user-provided value | +| other-fs-libraries.js:71:10:71:13 | path | other-fs-libraries.js:68:24:68:30 | req.url | other-fs-libraries.js:71:10:71:13 | path | This path depends on a $@. | other-fs-libraries.js:68:24:68:30 | req.url | user-provided value | +| other-fs-libraries.js:72:15:72:18 | path | other-fs-libraries.js:68:24:68:30 | req.url | other-fs-libraries.js:72:15:72:18 | path | This path depends on a $@. | other-fs-libraries.js:68:24:68:30 | req.url | user-provided value | +| other-fs-libraries.js:76:19:76:19 | x | other-fs-libraries.js:68:24:68:30 | req.url | other-fs-libraries.js:76:19:76:19 | x | This path depends on a $@. | other-fs-libraries.js:68:24:68:30 | req.url | user-provided value | +| other-fs-libraries.js:83:16:83:19 | path | other-fs-libraries.js:81:24:81:30 | req.url | other-fs-libraries.js:83:16:83:19 | path | This path depends on a $@. | other-fs-libraries.js:81:24:81:30 | req.url | user-provided value | +| prettier.js:7:28:7:28 | p | prettier.js:6:13:6:13 | p | prettier.js:7:28:7:28 | p | This path depends on a $@. | prettier.js:6:13:6:13 | p | user-provided value | +| prettier.js:11:44:11:44 | p | prettier.js:6:13:6:13 | p | prettier.js:11:44:11:44 | p | This path depends on a $@. 
| prettier.js:6:13:6:13 | p | user-provided value | +| pupeteer.js:9:28:9:34 | tainted | pupeteer.js:5:28:5:53 | parseTo ... t).name | pupeteer.js:9:28:9:34 | tainted | This path depends on a $@. | pupeteer.js:5:28:5:53 | parseTo ... t).name | user-provided value | +| pupeteer.js:13:37:13:43 | tainted | pupeteer.js:5:28:5:53 | parseTo ... t).name | pupeteer.js:13:37:13:43 | tainted | This path depends on a $@. | pupeteer.js:5:28:5:53 | parseTo ... t).name | user-provided value | +| sharedlib-repro.js:22:18:22:25 | filepath | sharedlib-repro.js:13:22:13:43 | req.par ... spaceId | sharedlib-repro.js:22:18:22:25 | filepath | This path depends on a $@. | sharedlib-repro.js:13:22:13:43 | req.par ... spaceId | user-provided value | +| tainted-access-paths.js:8:19:8:22 | path | tainted-access-paths.js:6:24:6:30 | req.url | tainted-access-paths.js:8:19:8:22 | path | This path depends on a $@. | tainted-access-paths.js:6:24:6:30 | req.url | user-provided value | +| tainted-access-paths.js:12:19:12:25 | obj.sub | tainted-access-paths.js:6:24:6:30 | req.url | tainted-access-paths.js:12:19:12:25 | obj.sub | This path depends on a $@. | tainted-access-paths.js:6:24:6:30 | req.url | user-provided value | +| tainted-access-paths.js:26:19:26:26 | obj.sub3 | tainted-access-paths.js:6:24:6:30 | req.url | tainted-access-paths.js:26:19:26:26 | obj.sub3 | This path depends on a $@. | tainted-access-paths.js:6:24:6:30 | req.url | user-provided value | +| tainted-access-paths.js:29:21:29:28 | obj.sub4 | tainted-access-paths.js:6:24:6:30 | req.url | tainted-access-paths.js:29:21:29:28 | obj.sub4 | This path depends on a $@. | tainted-access-paths.js:6:24:6:30 | req.url | user-provided value | +| tainted-access-paths.js:30:23:30:30 | obj.sub4 | tainted-access-paths.js:6:24:6:30 | req.url | tainted-access-paths.js:30:23:30:30 | obj.sub4 | This path depends on a $@. 
| tainted-access-paths.js:6:24:6:30 | req.url | user-provided value | +| tainted-access-paths.js:31:23:31:30 | obj.sub4 | tainted-access-paths.js:6:24:6:30 | req.url | tainted-access-paths.js:31:23:31:30 | obj.sub4 | This path depends on a $@. | tainted-access-paths.js:6:24:6:30 | req.url | user-provided value | +| tainted-access-paths.js:40:23:40:26 | path | tainted-access-paths.js:39:24:39:30 | req.url | tainted-access-paths.js:40:23:40:26 | path | This path depends on a $@. | tainted-access-paths.js:39:24:39:30 | req.url | user-provided value | +| tainted-access-paths.js:49:10:49:13 | path | tainted-access-paths.js:48:24:48:30 | req.url | tainted-access-paths.js:49:10:49:13 | path | This path depends on a $@. | tainted-access-paths.js:48:24:48:30 | req.url | user-provided value | +| tainted-promise-steps.js:11:19:11:35 | await pathPromise | tainted-promise-steps.js:6:24:6:30 | req.url | tainted-promise-steps.js:11:19:11:35 | await pathPromise | This path depends on a $@. | tainted-promise-steps.js:6:24:6:30 | req.url | user-provided value | +| tainted-promise-steps.js:12:44:12:47 | path | tainted-promise-steps.js:6:24:6:30 | req.url | tainted-promise-steps.js:12:44:12:47 | path | This path depends on a $@. | tainted-promise-steps.js:6:24:6:30 | req.url | user-provided value | +| tainted-require.js:6:19:6:37 | req.param("module") | tainted-require.js:6:19:6:37 | req.param("module") | tainted-require.js:6:19:6:37 | req.param("module") | This path depends on a $@. | tainted-require.js:6:19:6:37 | req.param("module") | user-provided value | +| tainted-require.js:11:29:11:47 | req.param("module") | tainted-require.js:11:29:11:47 | req.param("module") | tainted-require.js:11:29:11:47 | req.param("module") | This path depends on a $@. 
| tainted-require.js:11:29:11:47 | req.param("module") | user-provided value | +| tainted-require.js:13:11:13:29 | req.param("module") | tainted-require.js:13:11:13:29 | req.param("module") | tainted-require.js:13:11:13:29 | req.param("module") | This path depends on a $@. | tainted-require.js:13:11:13:29 | req.param("module") | user-provided value | +| tainted-sendFile.js:7:16:7:33 | req.param("gimme") | tainted-sendFile.js:7:16:7:33 | req.param("gimme") | tainted-sendFile.js:7:16:7:33 | req.param("gimme") | This path depends on a $@. | tainted-sendFile.js:7:16:7:33 | req.param("gimme") | user-provided value | +| tainted-sendFile.js:8:16:8:33 | req.param("gimme") | tainted-sendFile.js:8:16:8:33 | req.param("gimme") | tainted-sendFile.js:8:16:8:33 | req.param("gimme") | This path depends on a $@. | tainted-sendFile.js:8:16:8:33 | req.param("gimme") | user-provided value | +| tainted-sendFile.js:15:43:15:58 | req.param("dir") | tainted-sendFile.js:15:43:15:58 | req.param("dir") | tainted-sendFile.js:15:43:15:58 | req.param("dir") | This path depends on a $@. | tainted-sendFile.js:15:43:15:58 | req.param("dir") | user-provided value | +| tainted-sendFile.js:21:16:21:49 | path.re ... rams.x) | tainted-sendFile.js:21:37:21:48 | req.params.x | tainted-sendFile.js:21:16:21:49 | path.re ... rams.x) | This path depends on a $@. | tainted-sendFile.js:21:37:21:48 | req.params.x | user-provided value | +| tainted-sendFile.js:22:16:22:46 | path.jo ... rams.x) | tainted-sendFile.js:22:34:22:45 | req.params.x | tainted-sendFile.js:22:16:22:46 | path.jo ... rams.x) | This path depends on a $@. | tainted-sendFile.js:22:34:22:45 | req.params.x | user-provided value | +| tainted-string-steps.js:8:18:8:34 | path.substring(4) | tainted-string-steps.js:6:24:6:30 | req.url | tainted-string-steps.js:8:18:8:34 | path.substring(4) | This path depends on a $@. 
| tainted-string-steps.js:6:24:6:30 | req.url | user-provided value | +| tainted-string-steps.js:9:18:9:37 | path.substring(0, i) | tainted-string-steps.js:6:24:6:30 | req.url | tainted-string-steps.js:9:18:9:37 | path.substring(0, i) | This path depends on a $@. | tainted-string-steps.js:6:24:6:30 | req.url | user-provided value | +| tainted-string-steps.js:10:18:10:31 | path.substr(4) | tainted-string-steps.js:6:24:6:30 | req.url | tainted-string-steps.js:10:18:10:31 | path.substr(4) | This path depends on a $@. | tainted-string-steps.js:6:24:6:30 | req.url | user-provided value | +| tainted-string-steps.js:11:18:11:30 | path.slice(4) | tainted-string-steps.js:6:24:6:30 | req.url | tainted-string-steps.js:11:18:11:30 | path.slice(4) | This path depends on a $@. | tainted-string-steps.js:6:24:6:30 | req.url | user-provided value | +| tainted-string-steps.js:13:18:13:37 | path.concat(unknown) | tainted-string-steps.js:6:24:6:30 | req.url | tainted-string-steps.js:13:18:13:37 | path.concat(unknown) | This path depends on a $@. | tainted-string-steps.js:6:24:6:30 | req.url | user-provided value | +| tainted-string-steps.js:14:18:14:37 | unknown.concat(path) | tainted-string-steps.js:6:24:6:30 | req.url | tainted-string-steps.js:14:18:14:37 | unknown.concat(path) | This path depends on a $@. | tainted-string-steps.js:6:24:6:30 | req.url | user-provided value | +| tainted-string-steps.js:15:18:15:46 | unknown ... , path) | tainted-string-steps.js:6:24:6:30 | req.url | tainted-string-steps.js:15:18:15:46 | unknown ... , path) | This path depends on a $@. | tainted-string-steps.js:6:24:6:30 | req.url | user-provided value | +| tainted-string-steps.js:17:18:17:28 | path.trim() | tainted-string-steps.js:6:24:6:30 | req.url | tainted-string-steps.js:17:18:17:28 | path.trim() | This path depends on a $@. 
| tainted-string-steps.js:6:24:6:30 | req.url | user-provided value | +| tainted-string-steps.js:18:18:18:35 | path.toLowerCase() | tainted-string-steps.js:6:24:6:30 | req.url | tainted-string-steps.js:18:18:18:35 | path.toLowerCase() | This path depends on a $@. | tainted-string-steps.js:6:24:6:30 | req.url | user-provided value | +| tainted-string-steps.js:22:18:22:35 | path.split('/')[i] | tainted-string-steps.js:6:24:6:30 | req.url | tainted-string-steps.js:22:18:22:35 | path.split('/')[i] | This path depends on a $@. | tainted-string-steps.js:6:24:6:30 | req.url | user-provided value | +| tainted-string-steps.js:23:18:23:36 | path.split(/\\//)[i] | tainted-string-steps.js:6:24:6:30 | req.url | tainted-string-steps.js:23:18:23:36 | path.split(/\\//)[i] | This path depends on a $@. | tainted-string-steps.js:6:24:6:30 | req.url | user-provided value | +| tainted-string-steps.js:24:18:24:35 | path.split("?")[0] | tainted-string-steps.js:6:24:6:30 | req.url | tainted-string-steps.js:24:18:24:35 | path.split("?")[0] | This path depends on a $@. | tainted-string-steps.js:6:24:6:30 | req.url | user-provided value | +| tainted-string-steps.js:26:18:26:45 | path.sp ... hatever | tainted-string-steps.js:6:24:6:30 | req.url | tainted-string-steps.js:26:18:26:45 | path.sp ... hatever | This path depends on a $@. | tainted-string-steps.js:6:24:6:30 | req.url | user-provided value | +| tainted-string-steps.js:27:18:27:36 | path.split(unknown) | tainted-string-steps.js:6:24:6:30 | req.url | tainted-string-steps.js:27:18:27:36 | path.split(unknown) | This path depends on a $@. | tainted-string-steps.js:6:24:6:30 | req.url | user-provided value | +| torrents.js:7:25:7:27 | loc | torrents.js:5:13:5:38 | parseTo ... t).name | torrents.js:7:25:7:27 | loc | This path depends on a $@. | torrents.js:5:13:5:38 | parseTo ... 
t).name | user-provided value | +| typescript.ts:11:29:11:32 | path | typescript.ts:9:24:9:30 | req.url | typescript.ts:11:29:11:32 | path | This path depends on a $@. | typescript.ts:9:24:9:30 | req.url | user-provided value | +| typescript.ts:20:39:20:43 | path3 | typescript.ts:9:24:9:30 | req.url | typescript.ts:20:39:20:43 | path3 | This path depends on a $@. | typescript.ts:9:24:9:30 | req.url | user-provided value | +| typescript.ts:23:39:23:43 | path4 | typescript.ts:9:24:9:30 | req.url | typescript.ts:23:39:23:43 | path4 | This path depends on a $@. | typescript.ts:9:24:9:30 | req.url | user-provided value | +| typescript.ts:31:29:31:33 | path6 | typescript.ts:9:24:9:30 | req.url | typescript.ts:31:29:31:33 | path6 | This path depends on a $@. | typescript.ts:9:24:9:30 | req.url | user-provided value | +| views.js:1:43:1:55 | req.params[0] | views.js:1:43:1:55 | req.params[0] | views.js:1:43:1:55 | req.params[0] | This path depends on a $@. | views.js:1:43:1:55 | req.params[0] | user-provided value | edges -| TaintedPath-es6.js:7:7:7:44 | path | TaintedPath-es6.js:10:41:10:44 | path | provenance | | +| TaintedPath-es6.js:7:7:7:44 | path | TaintedPath-es6.js:9:41:9:44 | path | provenance | | | TaintedPath-es6.js:7:14:7:33 | parse(req.url, true) | TaintedPath-es6.js:7:14:7:39 | parse(r ... ).query | provenance | Config | | TaintedPath-es6.js:7:14:7:39 | parse(r ... ).query | TaintedPath-es6.js:7:14:7:44 | parse(r ... ry.path | provenance | Config | | TaintedPath-es6.js:7:14:7:44 | parse(r ... 
ry.path | TaintedPath-es6.js:7:7:7:44 | path | provenance | | | TaintedPath-es6.js:7:20:7:26 | req.url | TaintedPath-es6.js:7:14:7:33 | parse(req.url, true) | provenance | Config | -| TaintedPath-es6.js:10:41:10:44 | path | TaintedPath-es6.js:10:26:10:45 | join("public", path) | provenance | Config | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:12:29:12:32 | path | provenance | | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:15:45:15:48 | path | provenance | | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:18:33:18:36 | path | provenance | | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:21:33:21:36 | path | provenance | | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:24:33:24:36 | path | provenance | | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:33:31:33:34 | path | provenance | | +| TaintedPath-es6.js:9:41:9:44 | path | TaintedPath-es6.js:9:26:9:45 | join("public", path) | provenance | Config | +| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:11:29:11:32 | path | provenance | | +| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:13:45:13:48 | path | provenance | | +| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:16:33:16:36 | path | provenance | | +| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:19:33:19:36 | path | provenance | | +| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:22:33:22:36 | path | provenance | | +| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:31:31:31:34 | path | provenance | | | TaintedPath.js:9:14:9:37 | url.par ... , true) | TaintedPath.js:9:14:9:43 | url.par ... ).query | provenance | Config | | TaintedPath.js:9:14:9:43 | url.par ... ).query | TaintedPath.js:9:14:9:48 | url.par ... ry.path | provenance | Config | | TaintedPath.js:9:14:9:48 | url.par ... ry.path | TaintedPath.js:9:7:9:48 | path | provenance | | | TaintedPath.js:9:24:9:30 | req.url | TaintedPath.js:9:14:9:37 | url.par ... 
, true) | provenance | Config | -| TaintedPath.js:15:45:15:48 | path | TaintedPath.js:15:29:15:48 | "/home/user/" + path | provenance | Config | -| TaintedPath.js:38:3:38:44 | path | TaintedPath.js:42:48:42:51 | path | provenance | | -| TaintedPath.js:38:3:38:44 | path | TaintedPath.js:46:45:46:48 | path | provenance | | -| TaintedPath.js:38:3:38:44 | path | TaintedPath.js:48:51:48:54 | path | provenance | | -| TaintedPath.js:38:3:38:44 | path | TaintedPath.js:50:50:50:53 | path | provenance | | -| TaintedPath.js:38:3:38:44 | path | TaintedPath.js:52:52:52:55 | path | provenance | | -| TaintedPath.js:38:3:38:44 | path | TaintedPath.js:54:49:54:52 | path | provenance | | -| TaintedPath.js:38:3:38:44 | path | TaintedPath.js:56:48:56:51 | path | provenance | | -| TaintedPath.js:38:3:38:44 | path | TaintedPath.js:58:54:58:57 | path | provenance | | -| TaintedPath.js:38:3:38:44 | path | TaintedPath.js:60:57:60:60 | path | provenance | | -| TaintedPath.js:38:10:38:33 | url.par ... , true) | TaintedPath.js:38:10:38:39 | url.par ... ).query | provenance | Config | -| TaintedPath.js:38:10:38:39 | url.par ... ).query | TaintedPath.js:38:10:38:44 | url.par ... ry.path | provenance | Config | -| TaintedPath.js:38:10:38:44 | url.par ... ry.path | TaintedPath.js:38:3:38:44 | path | provenance | | -| TaintedPath.js:38:20:38:26 | req.url | TaintedPath.js:38:10:38:33 | url.par ... , true) | provenance | Config | -| TaintedPath.js:42:48:42:51 | path | TaintedPath.js:42:29:42:52 | pathMod ... e(path) | provenance | Config | -| TaintedPath.js:46:45:46:48 | path | TaintedPath.js:46:29:46:49 | pathMod ... n(path) | provenance | Config | -| TaintedPath.js:48:51:48:54 | path | TaintedPath.js:48:29:48:58 | pathMod ... ath, z) | provenance | Config | -| TaintedPath.js:50:50:50:53 | path | TaintedPath.js:50:29:50:54 | pathMod ... e(path) | provenance | Config | -| TaintedPath.js:52:52:52:55 | path | TaintedPath.js:52:29:52:56 | pathMod ... 
, path) | provenance | Config | -| TaintedPath.js:54:49:54:52 | path | TaintedPath.js:54:29:54:56 | pathMod ... ath, x) | provenance | Config | -| TaintedPath.js:56:48:56:51 | path | TaintedPath.js:56:29:56:52 | pathMod ... e(path) | provenance | Config | -| TaintedPath.js:58:54:58:57 | path | TaintedPath.js:58:29:58:61 | pathMod ... ath, z) | provenance | Config | -| TaintedPath.js:60:57:60:60 | path | TaintedPath.js:60:29:60:61 | pathMod ... h(path) | provenance | Config | -| TaintedPath.js:65:31:65:70 | require ... eq.url) | TaintedPath.js:65:31:65:76 | require ... ).query | provenance | Config | -| TaintedPath.js:65:63:65:69 | req.url | TaintedPath.js:65:31:65:70 | require ... eq.url) | provenance | Config | -| TaintedPath.js:66:31:66:68 | require ... eq.url) | TaintedPath.js:66:31:66:74 | require ... ).query | provenance | Config | -| TaintedPath.js:66:61:66:67 | req.url | TaintedPath.js:66:31:66:68 | require ... eq.url) | provenance | Config | -| TaintedPath.js:67:31:67:67 | require ... eq.url) | TaintedPath.js:67:31:67:73 | require ... ).query | provenance | Config | -| TaintedPath.js:67:60:67:66 | req.url | TaintedPath.js:67:31:67:67 | require ... eq.url) | provenance | Config | -| TaintedPath.js:84:6:84:47 | path | TaintedPath.js:86:44:86:47 | path | provenance | | -| TaintedPath.js:84:6:84:47 | path | TaintedPath.js:87:14:87:17 | path | provenance | | -| TaintedPath.js:84:13:84:36 | url.par ... , true) | TaintedPath.js:84:13:84:42 | url.par ... ).query | provenance | Config | -| TaintedPath.js:84:13:84:42 | url.par ... ).query | TaintedPath.js:84:13:84:47 | url.par ... ry.path | provenance | Config | -| TaintedPath.js:84:13:84:47 | url.par ... ry.path | TaintedPath.js:84:6:84:47 | path | provenance | | -| TaintedPath.js:84:23:84:29 | req.url | TaintedPath.js:84:13:84:36 | url.par ... , true) | provenance | Config | -| TaintedPath.js:86:44:86:47 | path | TaintedPath.js:86:28:86:48 | fs.real ... 
c(path) | provenance | Config | -| TaintedPath.js:87:14:87:17 | path | TaintedPath.js:88:32:88:39 | realpath | provenance | Config | -| TaintedPath.js:88:32:88:39 | realpath | TaintedPath.js:89:45:89:52 | realpath | provenance | | -| TaintedPath.js:120:6:120:47 | path | TaintedPath.js:122:23:122:26 | path | provenance | | -| TaintedPath.js:120:13:120:36 | url.par ... , true) | TaintedPath.js:120:13:120:42 | url.par ... ).query | provenance | Config | -| TaintedPath.js:120:13:120:42 | url.par ... ).query | TaintedPath.js:120:13:120:47 | url.par ... ry.path | provenance | Config | -| TaintedPath.js:120:13:120:47 | url.par ... ry.path | TaintedPath.js:120:6:120:47 | path | provenance | | -| TaintedPath.js:120:23:120:29 | req.url | TaintedPath.js:120:13:120:36 | url.par ... , true) | provenance | Config | -| TaintedPath.js:126:7:126:48 | path | TaintedPath.js:128:19:128:22 | path | provenance | | -| TaintedPath.js:126:7:126:48 | path | TaintedPath.js:130:15:130:18 | path | provenance | | -| TaintedPath.js:126:14:126:37 | url.par ... , true) | TaintedPath.js:126:14:126:43 | url.par ... ).query | provenance | Config | -| TaintedPath.js:126:14:126:43 | url.par ... ).query | TaintedPath.js:126:14:126:48 | url.par ... ry.path | provenance | Config | -| TaintedPath.js:126:14:126:48 | url.par ... ry.path | TaintedPath.js:126:7:126:48 | path | provenance | | -| TaintedPath.js:126:24:126:30 | req.url | TaintedPath.js:126:14:126:37 | url.par ... 
, true) | provenance | Config | -| TaintedPath.js:130:7:130:29 | split | TaintedPath.js:132:19:132:23 | split | provenance | | -| TaintedPath.js:130:7:130:29 | split | TaintedPath.js:136:19:136:23 | split | provenance | | -| TaintedPath.js:130:7:130:29 | split | TaintedPath.js:137:28:137:32 | split | provenance | | -| TaintedPath.js:130:7:130:29 | split | TaintedPath.js:139:33:139:37 | split | provenance | | -| TaintedPath.js:130:7:130:29 | split | TaintedPath.js:142:20:142:24 | split | provenance | | -| TaintedPath.js:130:7:130:29 | split | TaintedPath.js:145:19:145:23 | split | provenance | | -| TaintedPath.js:130:15:130:18 | path | TaintedPath.js:130:15:130:29 | path.split("/") | provenance | Config | -| TaintedPath.js:130:15:130:29 | path.split("/") | TaintedPath.js:130:7:130:29 | split | provenance | | -| TaintedPath.js:132:19:132:23 | split | TaintedPath.js:132:19:132:33 | split.join("/") | provenance | Config | -| TaintedPath.js:136:19:136:23 | split | TaintedPath.js:136:19:136:26 | split[x] | provenance | Config | -| TaintedPath.js:137:28:137:32 | split | TaintedPath.js:137:28:137:35 | split[x] | provenance | Config | -| TaintedPath.js:137:28:137:35 | split[x] | TaintedPath.js:137:19:137:35 | prefix + split[x] | provenance | Config | -| TaintedPath.js:139:7:139:38 | concatted | TaintedPath.js:140:19:140:27 | concatted | provenance | | -| TaintedPath.js:139:19:139:38 | prefix.concat(split) | TaintedPath.js:139:7:139:38 | concatted | provenance | | -| TaintedPath.js:139:33:139:37 | split | TaintedPath.js:139:19:139:38 | prefix.concat(split) | provenance | Config | -| TaintedPath.js:140:19:140:27 | concatted | TaintedPath.js:140:19:140:37 | concatted.join("/") | provenance | Config | -| TaintedPath.js:142:7:142:39 | concatted2 | TaintedPath.js:143:19:143:28 | concatted2 | provenance | | -| TaintedPath.js:142:20:142:24 | split | TaintedPath.js:142:20:142:39 | split.concat(prefix) | provenance | Config | -| TaintedPath.js:142:20:142:39 | split.concat(prefix) | 
TaintedPath.js:142:7:142:39 | concatted2 | provenance | | -| TaintedPath.js:143:19:143:28 | concatted2 | TaintedPath.js:143:19:143:38 | concatted2.join("/") | provenance | Config | -| TaintedPath.js:145:19:145:23 | split | TaintedPath.js:145:19:145:29 | split.pop() | provenance | Config | -| TaintedPath.js:150:7:150:48 | path | TaintedPath.js:154:29:154:32 | path | provenance | | -| TaintedPath.js:150:7:150:48 | path | TaintedPath.js:160:29:160:32 | path | provenance | | -| TaintedPath.js:150:7:150:48 | path | TaintedPath.js:161:29:161:32 | path | provenance | | -| TaintedPath.js:150:7:150:48 | path | TaintedPath.js:162:29:162:32 | path | provenance | | -| TaintedPath.js:150:7:150:48 | path | TaintedPath.js:163:29:163:32 | path | provenance | | -| TaintedPath.js:150:7:150:48 | path | TaintedPath.js:178:40:178:43 | path | provenance | | -| TaintedPath.js:150:7:150:48 | path | TaintedPath.js:179:50:179:53 | path | provenance | | -| TaintedPath.js:150:14:150:37 | url.par ... , true) | TaintedPath.js:150:14:150:43 | url.par ... ).query | provenance | Config | -| TaintedPath.js:150:14:150:43 | url.par ... ).query | TaintedPath.js:150:14:150:48 | url.par ... ry.path | provenance | Config | -| TaintedPath.js:150:14:150:48 | url.par ... ry.path | TaintedPath.js:150:7:150:48 | path | provenance | | -| TaintedPath.js:150:24:150:30 | req.url | TaintedPath.js:150:14:150:37 | url.par ... , true) | provenance | Config | -| TaintedPath.js:154:29:154:32 | path | TaintedPath.js:154:29:154:55 | path.re ... /g, '') | provenance | Config | -| TaintedPath.js:160:29:160:32 | path | TaintedPath.js:160:29:160:52 | path.re ... /g, '') | provenance | Config | -| TaintedPath.js:161:29:161:32 | path | TaintedPath.js:161:29:161:53 | path.re ... /g, '') | provenance | Config | -| TaintedPath.js:162:29:162:32 | path | TaintedPath.js:162:29:162:51 | path.re ... /g, '') | provenance | Config | -| TaintedPath.js:163:29:163:32 | path | TaintedPath.js:163:29:163:57 | path.re ... 
/g, '') | provenance | Config | -| TaintedPath.js:178:40:178:43 | path | TaintedPath.js:178:40:178:73 | path.re ... +/, '') | provenance | Config | -| TaintedPath.js:178:40:178:73 | path.re ... +/, '') | TaintedPath.js:178:29:178:73 | "prefix ... +/, '') | provenance | Config | -| TaintedPath.js:179:29:179:54 | pathMod ... e(path) | TaintedPath.js:179:29:179:84 | pathMod ... +/, '') | provenance | Config | -| TaintedPath.js:179:50:179:53 | path | TaintedPath.js:179:29:179:54 | pathMod ... e(path) | provenance | Config | -| TaintedPath.js:187:29:187:45 | qs.parse(req.url) | TaintedPath.js:187:29:187:49 | qs.pars ... rl).foo | provenance | Config | -| TaintedPath.js:187:38:187:44 | req.url | TaintedPath.js:187:29:187:45 | qs.parse(req.url) | provenance | Config | -| TaintedPath.js:188:29:188:59 | qs.pars ... q.url)) | TaintedPath.js:188:29:188:63 | qs.pars ... l)).foo | provenance | Config | -| TaintedPath.js:188:38:188:58 | normali ... eq.url) | TaintedPath.js:188:29:188:59 | qs.pars ... q.url)) | provenance | Config | -| TaintedPath.js:188:51:188:57 | req.url | TaintedPath.js:188:38:188:58 | normali ... eq.url) | provenance | Config | -| TaintedPath.js:190:29:190:51 | parseqs ... eq.url) | TaintedPath.js:190:29:190:55 | parseqs ... rl).foo | provenance | Config | -| TaintedPath.js:190:44:190:50 | req.url | TaintedPath.js:190:29:190:51 | parseqs ... eq.url) | provenance | Config | -| TaintedPath.js:195:7:195:48 | path | TaintedPath.js:196:31:196:34 | path | provenance | | -| TaintedPath.js:195:7:195:48 | path | TaintedPath.js:197:45:197:48 | path | provenance | | -| TaintedPath.js:195:7:195:48 | path | TaintedPath.js:198:35:198:38 | path | provenance | | -| TaintedPath.js:195:14:195:37 | url.par ... , true) | TaintedPath.js:195:14:195:43 | url.par ... ).query | provenance | Config | -| TaintedPath.js:195:14:195:43 | url.par ... ).query | TaintedPath.js:195:14:195:48 | url.par ... ry.path | provenance | Config | -| TaintedPath.js:195:14:195:48 | url.par ... 
ry.path | TaintedPath.js:195:7:195:48 | path | provenance | | -| TaintedPath.js:195:24:195:30 | req.url | TaintedPath.js:195:14:195:37 | url.par ... , true) | provenance | Config | -| TaintedPath.js:202:7:202:48 | path | TaintedPath.js:206:29:206:32 | path | provenance | | -| TaintedPath.js:202:14:202:37 | url.par ... , true) | TaintedPath.js:202:14:202:43 | url.par ... ).query | provenance | Config | -| TaintedPath.js:202:14:202:43 | url.par ... ).query | TaintedPath.js:202:14:202:48 | url.par ... ry.path | provenance | Config | -| TaintedPath.js:202:14:202:48 | url.par ... ry.path | TaintedPath.js:202:7:202:48 | path | provenance | | -| TaintedPath.js:202:24:202:30 | req.url | TaintedPath.js:202:14:202:37 | url.par ... , true) | provenance | Config | -| TaintedPath.js:206:29:206:32 | path | TaintedPath.js:206:29:206:85 | path.re ... '), '') | provenance | Config | -| TaintedPath.js:211:7:211:48 | path | TaintedPath.js:213:29:213:32 | path | provenance | | -| TaintedPath.js:211:7:211:48 | path | TaintedPath.js:216:31:216:34 | path | provenance | | -| TaintedPath.js:211:14:211:37 | url.par ... , true) | TaintedPath.js:211:14:211:43 | url.par ... ).query | provenance | Config | -| TaintedPath.js:211:14:211:43 | url.par ... ).query | TaintedPath.js:211:14:211:48 | url.par ... ry.path | provenance | Config | -| TaintedPath.js:211:14:211:48 | url.par ... ry.path | TaintedPath.js:211:7:211:48 | path | provenance | | -| TaintedPath.js:211:24:211:30 | req.url | TaintedPath.js:211:14:211:37 | url.par ... , true) | provenance | Config | -| TaintedPath.js:213:29:213:32 | path | TaintedPath.js:213:29:213:68 | path.re ... '), '') | provenance | Config | -| TaintedPath.js:216:31:216:34 | path | TaintedPath.js:216:31:216:69 | path.re ... 
'), '') | provenance | Config | -| examples/TaintedPath.js:8:7:8:52 | filePath | examples/TaintedPath.js:11:36:11:43 | filePath | provenance | | +| TaintedPath.js:13:45:13:48 | path | TaintedPath.js:13:29:13:48 | "/home/user/" + path | provenance | Config | +| TaintedPath.js:36:3:36:44 | path | TaintedPath.js:39:48:39:51 | path | provenance | | +| TaintedPath.js:36:3:36:44 | path | TaintedPath.js:42:45:42:48 | path | provenance | | +| TaintedPath.js:36:3:36:44 | path | TaintedPath.js:43:51:43:54 | path | provenance | | +| TaintedPath.js:36:3:36:44 | path | TaintedPath.js:44:50:44:53 | path | provenance | | +| TaintedPath.js:36:3:36:44 | path | TaintedPath.js:45:52:45:55 | path | provenance | | +| TaintedPath.js:36:3:36:44 | path | TaintedPath.js:46:49:46:52 | path | provenance | | +| TaintedPath.js:36:3:36:44 | path | TaintedPath.js:47:48:47:51 | path | provenance | | +| TaintedPath.js:36:3:36:44 | path | TaintedPath.js:48:54:48:57 | path | provenance | | +| TaintedPath.js:36:3:36:44 | path | TaintedPath.js:49:57:49:60 | path | provenance | | +| TaintedPath.js:36:10:36:33 | url.par ... , true) | TaintedPath.js:36:10:36:39 | url.par ... ).query | provenance | Config | +| TaintedPath.js:36:10:36:39 | url.par ... ).query | TaintedPath.js:36:10:36:44 | url.par ... ry.path | provenance | Config | +| TaintedPath.js:36:10:36:44 | url.par ... ry.path | TaintedPath.js:36:3:36:44 | path | provenance | | +| TaintedPath.js:36:20:36:26 | req.url | TaintedPath.js:36:10:36:33 | url.par ... , true) | provenance | Config | +| TaintedPath.js:39:48:39:51 | path | TaintedPath.js:39:29:39:52 | pathMod ... e(path) | provenance | Config | +| TaintedPath.js:42:45:42:48 | path | TaintedPath.js:42:29:42:49 | pathMod ... n(path) | provenance | Config | +| TaintedPath.js:43:51:43:54 | path | TaintedPath.js:43:29:43:58 | pathMod ... ath, z) | provenance | Config | +| TaintedPath.js:44:50:44:53 | path | TaintedPath.js:44:29:44:54 | pathMod ... 
e(path) | provenance | Config | +| TaintedPath.js:45:52:45:55 | path | TaintedPath.js:45:29:45:56 | pathMod ... , path) | provenance | Config | +| TaintedPath.js:46:49:46:52 | path | TaintedPath.js:46:29:46:56 | pathMod ... ath, x) | provenance | Config | +| TaintedPath.js:47:48:47:51 | path | TaintedPath.js:47:29:47:52 | pathMod ... e(path) | provenance | Config | +| TaintedPath.js:48:54:48:57 | path | TaintedPath.js:48:29:48:61 | pathMod ... ath, z) | provenance | Config | +| TaintedPath.js:49:57:49:60 | path | TaintedPath.js:49:29:49:61 | pathMod ... h(path) | provenance | Config | +| TaintedPath.js:54:31:54:70 | require ... eq.url) | TaintedPath.js:54:31:54:76 | require ... ).query | provenance | Config | +| TaintedPath.js:54:63:54:69 | req.url | TaintedPath.js:54:31:54:70 | require ... eq.url) | provenance | Config | +| TaintedPath.js:55:31:55:68 | require ... eq.url) | TaintedPath.js:55:31:55:74 | require ... ).query | provenance | Config | +| TaintedPath.js:55:61:55:67 | req.url | TaintedPath.js:55:31:55:68 | require ... eq.url) | provenance | Config | +| TaintedPath.js:56:31:56:67 | require ... eq.url) | TaintedPath.js:56:31:56:73 | require ... ).query | provenance | Config | +| TaintedPath.js:56:60:56:66 | req.url | TaintedPath.js:56:31:56:67 | require ... eq.url) | provenance | Config | +| TaintedPath.js:73:6:73:47 | path | TaintedPath.js:75:44:75:47 | path | provenance | | +| TaintedPath.js:73:6:73:47 | path | TaintedPath.js:76:14:76:17 | path | provenance | | +| TaintedPath.js:73:13:73:36 | url.par ... , true) | TaintedPath.js:73:13:73:42 | url.par ... ).query | provenance | Config | +| TaintedPath.js:73:13:73:42 | url.par ... ).query | TaintedPath.js:73:13:73:47 | url.par ... ry.path | provenance | Config | +| TaintedPath.js:73:13:73:47 | url.par ... ry.path | TaintedPath.js:73:6:73:47 | path | provenance | | +| TaintedPath.js:73:23:73:29 | req.url | TaintedPath.js:73:13:73:36 | url.par ... 
, true) | provenance | Config | +| TaintedPath.js:75:44:75:47 | path | TaintedPath.js:75:28:75:48 | fs.real ... c(path) | provenance | Config | +| TaintedPath.js:76:14:76:17 | path | TaintedPath.js:77:32:77:39 | realpath | provenance | Config | +| TaintedPath.js:77:32:77:39 | realpath | TaintedPath.js:78:45:78:52 | realpath | provenance | | +| TaintedPath.js:109:6:109:47 | path | TaintedPath.js:111:23:111:26 | path | provenance | | +| TaintedPath.js:109:13:109:36 | url.par ... , true) | TaintedPath.js:109:13:109:42 | url.par ... ).query | provenance | Config | +| TaintedPath.js:109:13:109:42 | url.par ... ).query | TaintedPath.js:109:13:109:47 | url.par ... ry.path | provenance | Config | +| TaintedPath.js:109:13:109:47 | url.par ... ry.path | TaintedPath.js:109:6:109:47 | path | provenance | | +| TaintedPath.js:109:23:109:29 | req.url | TaintedPath.js:109:13:109:36 | url.par ... , true) | provenance | Config | +| TaintedPath.js:115:7:115:48 | path | TaintedPath.js:117:19:117:22 | path | provenance | | +| TaintedPath.js:115:7:115:48 | path | TaintedPath.js:119:15:119:18 | path | provenance | | +| TaintedPath.js:115:14:115:37 | url.par ... , true) | TaintedPath.js:115:14:115:43 | url.par ... ).query | provenance | Config | +| TaintedPath.js:115:14:115:43 | url.par ... ).query | TaintedPath.js:115:14:115:48 | url.par ... ry.path | provenance | Config | +| TaintedPath.js:115:14:115:48 | url.par ... ry.path | TaintedPath.js:115:7:115:48 | path | provenance | | +| TaintedPath.js:115:24:115:30 | req.url | TaintedPath.js:115:14:115:37 | url.par ... 
, true) | provenance | Config | +| TaintedPath.js:119:7:119:29 | split | TaintedPath.js:121:19:121:23 | split | provenance | | +| TaintedPath.js:119:7:119:29 | split | TaintedPath.js:125:19:125:23 | split | provenance | | +| TaintedPath.js:119:7:119:29 | split | TaintedPath.js:126:28:126:32 | split | provenance | | +| TaintedPath.js:119:7:119:29 | split | TaintedPath.js:128:33:128:37 | split | provenance | | +| TaintedPath.js:119:7:119:29 | split | TaintedPath.js:131:20:131:24 | split | provenance | | +| TaintedPath.js:119:7:119:29 | split | TaintedPath.js:134:19:134:23 | split | provenance | | +| TaintedPath.js:119:15:119:18 | path | TaintedPath.js:119:15:119:29 | path.split("/") | provenance | Config | +| TaintedPath.js:119:15:119:29 | path.split("/") | TaintedPath.js:119:7:119:29 | split | provenance | | +| TaintedPath.js:121:19:121:23 | split | TaintedPath.js:121:19:121:33 | split.join("/") | provenance | Config | +| TaintedPath.js:125:19:125:23 | split | TaintedPath.js:125:19:125:26 | split[x] | provenance | Config | +| TaintedPath.js:126:28:126:32 | split | TaintedPath.js:126:28:126:35 | split[x] | provenance | Config | +| TaintedPath.js:126:28:126:35 | split[x] | TaintedPath.js:126:19:126:35 | prefix + split[x] | provenance | Config | +| TaintedPath.js:128:7:128:38 | concatted | TaintedPath.js:129:19:129:27 | concatted | provenance | | +| TaintedPath.js:128:19:128:38 | prefix.concat(split) | TaintedPath.js:128:7:128:38 | concatted | provenance | | +| TaintedPath.js:128:33:128:37 | split | TaintedPath.js:128:19:128:38 | prefix.concat(split) | provenance | Config | +| TaintedPath.js:129:19:129:27 | concatted | TaintedPath.js:129:19:129:37 | concatted.join("/") | provenance | Config | +| TaintedPath.js:131:7:131:39 | concatted2 | TaintedPath.js:132:19:132:28 | concatted2 | provenance | | +| TaintedPath.js:131:20:131:24 | split | TaintedPath.js:131:20:131:39 | split.concat(prefix) | provenance | Config | +| TaintedPath.js:131:20:131:39 | split.concat(prefix) | 
TaintedPath.js:131:7:131:39 | concatted2 | provenance | | +| TaintedPath.js:132:19:132:28 | concatted2 | TaintedPath.js:132:19:132:38 | concatted2.join("/") | provenance | Config | +| TaintedPath.js:134:19:134:23 | split | TaintedPath.js:134:19:134:29 | split.pop() | provenance | Config | +| TaintedPath.js:139:7:139:48 | path | TaintedPath.js:143:29:143:32 | path | provenance | | +| TaintedPath.js:139:7:139:48 | path | TaintedPath.js:149:29:149:32 | path | provenance | | +| TaintedPath.js:139:7:139:48 | path | TaintedPath.js:150:29:150:32 | path | provenance | | +| TaintedPath.js:139:7:139:48 | path | TaintedPath.js:151:29:151:32 | path | provenance | | +| TaintedPath.js:139:7:139:48 | path | TaintedPath.js:152:29:152:32 | path | provenance | | +| TaintedPath.js:139:7:139:48 | path | TaintedPath.js:167:40:167:43 | path | provenance | | +| TaintedPath.js:139:7:139:48 | path | TaintedPath.js:168:50:168:53 | path | provenance | | +| TaintedPath.js:139:14:139:37 | url.par ... , true) | TaintedPath.js:139:14:139:43 | url.par ... ).query | provenance | Config | +| TaintedPath.js:139:14:139:43 | url.par ... ).query | TaintedPath.js:139:14:139:48 | url.par ... ry.path | provenance | Config | +| TaintedPath.js:139:14:139:48 | url.par ... ry.path | TaintedPath.js:139:7:139:48 | path | provenance | | +| TaintedPath.js:139:24:139:30 | req.url | TaintedPath.js:139:14:139:37 | url.par ... , true) | provenance | Config | +| TaintedPath.js:143:29:143:32 | path | TaintedPath.js:143:29:143:55 | path.re ... /g, '') | provenance | Config | +| TaintedPath.js:149:29:149:32 | path | TaintedPath.js:149:29:149:52 | path.re ... /g, '') | provenance | Config | +| TaintedPath.js:150:29:150:32 | path | TaintedPath.js:150:29:150:53 | path.re ... /g, '') | provenance | Config | +| TaintedPath.js:151:29:151:32 | path | TaintedPath.js:151:29:151:51 | path.re ... /g, '') | provenance | Config | +| TaintedPath.js:152:29:152:32 | path | TaintedPath.js:152:29:152:57 | path.re ... 
/g, '') | provenance | Config | +| TaintedPath.js:167:40:167:43 | path | TaintedPath.js:167:40:167:73 | path.re ... +/, '') | provenance | Config | +| TaintedPath.js:167:40:167:73 | path.re ... +/, '') | TaintedPath.js:167:29:167:73 | "prefix ... +/, '') | provenance | Config | +| TaintedPath.js:168:29:168:54 | pathMod ... e(path) | TaintedPath.js:168:29:168:84 | pathMod ... +/, '') | provenance | Config | +| TaintedPath.js:168:50:168:53 | path | TaintedPath.js:168:29:168:54 | pathMod ... e(path) | provenance | Config | +| TaintedPath.js:176:29:176:45 | qs.parse(req.url) | TaintedPath.js:176:29:176:49 | qs.pars ... rl).foo | provenance | Config | +| TaintedPath.js:176:38:176:44 | req.url | TaintedPath.js:176:29:176:45 | qs.parse(req.url) | provenance | Config | +| TaintedPath.js:177:29:177:59 | qs.pars ... q.url)) | TaintedPath.js:177:29:177:63 | qs.pars ... l)).foo | provenance | Config | +| TaintedPath.js:177:38:177:58 | normali ... eq.url) | TaintedPath.js:177:29:177:59 | qs.pars ... q.url)) | provenance | Config | +| TaintedPath.js:177:51:177:57 | req.url | TaintedPath.js:177:38:177:58 | normali ... eq.url) | provenance | Config | +| TaintedPath.js:179:29:179:51 | parseqs ... eq.url) | TaintedPath.js:179:29:179:55 | parseqs ... rl).foo | provenance | Config | +| TaintedPath.js:179:44:179:50 | req.url | TaintedPath.js:179:29:179:51 | parseqs ... eq.url) | provenance | Config | +| TaintedPath.js:184:7:184:48 | path | TaintedPath.js:185:31:185:34 | path | provenance | | +| TaintedPath.js:184:7:184:48 | path | TaintedPath.js:186:45:186:48 | path | provenance | | +| TaintedPath.js:184:7:184:48 | path | TaintedPath.js:187:35:187:38 | path | provenance | | +| TaintedPath.js:184:14:184:37 | url.par ... , true) | TaintedPath.js:184:14:184:43 | url.par ... ).query | provenance | Config | +| TaintedPath.js:184:14:184:43 | url.par ... ).query | TaintedPath.js:184:14:184:48 | url.par ... ry.path | provenance | Config | +| TaintedPath.js:184:14:184:48 | url.par ... 
ry.path | TaintedPath.js:184:7:184:48 | path | provenance | | +| TaintedPath.js:184:24:184:30 | req.url | TaintedPath.js:184:14:184:37 | url.par ... , true) | provenance | Config | +| TaintedPath.js:191:7:191:48 | path | TaintedPath.js:195:29:195:32 | path | provenance | | +| TaintedPath.js:191:14:191:37 | url.par ... , true) | TaintedPath.js:191:14:191:43 | url.par ... ).query | provenance | Config | +| TaintedPath.js:191:14:191:43 | url.par ... ).query | TaintedPath.js:191:14:191:48 | url.par ... ry.path | provenance | Config | +| TaintedPath.js:191:14:191:48 | url.par ... ry.path | TaintedPath.js:191:7:191:48 | path | provenance | | +| TaintedPath.js:191:24:191:30 | req.url | TaintedPath.js:191:14:191:37 | url.par ... , true) | provenance | Config | +| TaintedPath.js:195:29:195:32 | path | TaintedPath.js:195:29:195:85 | path.re ... '), '') | provenance | Config | +| TaintedPath.js:200:7:200:48 | path | TaintedPath.js:202:29:202:32 | path | provenance | | +| TaintedPath.js:200:7:200:48 | path | TaintedPath.js:205:31:205:34 | path | provenance | | +| TaintedPath.js:200:14:200:37 | url.par ... , true) | TaintedPath.js:200:14:200:43 | url.par ... ).query | provenance | Config | +| TaintedPath.js:200:14:200:43 | url.par ... ).query | TaintedPath.js:200:14:200:48 | url.par ... ry.path | provenance | Config | +| TaintedPath.js:200:14:200:48 | url.par ... ry.path | TaintedPath.js:200:7:200:48 | path | provenance | | +| TaintedPath.js:200:24:200:30 | req.url | TaintedPath.js:200:14:200:37 | url.par ... , true) | provenance | Config | +| TaintedPath.js:202:29:202:32 | path | TaintedPath.js:202:29:202:68 | path.re ... '), '') | provenance | Config | +| TaintedPath.js:205:31:205:34 | path | TaintedPath.js:205:31:205:69 | path.re ... '), '') | provenance | Config | +| examples/TaintedPath.js:8:7:8:52 | filePath | examples/TaintedPath.js:10:36:10:43 | filePath | provenance | | | examples/TaintedPath.js:8:18:8:41 | url.par ... 
, true) | examples/TaintedPath.js:8:18:8:47 | url.par ... ).query | provenance | Config | | examples/TaintedPath.js:8:18:8:47 | url.par ... ).query | examples/TaintedPath.js:8:18:8:52 | url.par ... ry.path | provenance | Config | | examples/TaintedPath.js:8:18:8:52 | url.par ... ry.path | examples/TaintedPath.js:8:7:8:52 | filePath | provenance | | | examples/TaintedPath.js:8:28:8:34 | req.url | examples/TaintedPath.js:8:18:8:41 | url.par ... , true) | provenance | Config | -| examples/TaintedPath.js:11:36:11:43 | filePath | examples/TaintedPath.js:11:29:11:43 | ROOT + filePath | provenance | Config | +| examples/TaintedPath.js:10:36:10:43 | filePath | examples/TaintedPath.js:10:29:10:43 | ROOT + filePath | provenance | Config | | handlebars.js:10:51:10:58 | filePath | handlebars.js:11:32:11:39 | filePath | provenance | | | handlebars.js:13:73:13:80 | filePath | handlebars.js:15:25:15:32 | filePath | provenance | | | handlebars.js:29:46:29:60 | req.params.path | handlebars.js:10:51:10:58 | filePath | provenance | | 
@@ -893,8 +565,8 @@ edges | tainted-promise-steps.js:11:25:11:35 | pathPromise [PromiseValue] | tainted-promise-steps.js:11:19:11:35 | await pathPromise | provenance | | | tainted-promise-steps.js:12:3:12:13 | pathPromise [PromiseValue] | tainted-promise-steps.js:12:20:12:23 | path | provenance | | | tainted-promise-steps.js:12:20:12:23 | path | tainted-promise-steps.js:12:44:12:47 | path | provenance | | -| tainted-sendFile.js:24:37:24:48 | req.params.x | tainted-sendFile.js:24:16:24:49 | path.re ... rams.x) | provenance | Config | -| tainted-sendFile.js:25:34:25:45 | req.params.x | tainted-sendFile.js:25:16:25:46 | path.jo ... rams.x) | provenance | Config | +| tainted-sendFile.js:21:37:21:48 | req.params.x | tainted-sendFile.js:21:16:21:49 | path.re ... rams.x) | provenance | Config | +| tainted-sendFile.js:22:34:22:45 | req.params.x | tainted-sendFile.js:22:16:22:46 | path.jo ... rams.x) | provenance | Config | | tainted-string-steps.js:6:7:6:48 | path | tainted-string-steps.js:8:18:8:21 | path | provenance | | | tainted-string-steps.js:6:7:6:48 | path | tainted-string-steps.js:9:18:9:21 | path | provenance | | | tainted-string-steps.js:6:7:6:48 | path | tainted-string-steps.js:10:18:10:21 | path | provenance | | 
@@ -936,201 +608,602 @@ edges | torrents.js:6:6:6:45 | loc | torrents.js:7:25:7:27 | loc | provenance | | | torrents.js:6:12:6:45 | dir + " ... t.data" | torrents.js:6:6:6:45 | loc | provenance | | | torrents.js:6:24:6:27 | name | torrents.js:6:12:6:45 | dir + " ... t.data" | provenance | Config | -| typescript.ts:9:7:9:48 | path | typescript.ts:12:29:12:32 | path | provenance | | -| typescript.ts:9:7:9:48 | path | typescript.ts:20:15:20:18 | path | provenance | | -| typescript.ts:9:7:9:48 | path | typescript.ts:23:15:23:18 | path | provenance | | -| typescript.ts:9:7:9:48 | path | typescript.ts:30:15:30:18 | path | provenance | | +| typescript.ts:9:7:9:48 | path | typescript.ts:11:29:11:32 | path | provenance | | +| typescript.ts:9:7:9:48 | path | typescript.ts:19:15:19:18 | path | provenance | | +| typescript.ts:9:7:9:48 | path | typescript.ts:22:15:22:18 | path | provenance | | +| typescript.ts:9:7:9:48 | path | typescript.ts:29:15:29:18 | path | provenance | | | typescript.ts:9:14:9:37 | url.par ... , true) | typescript.ts:9:14:9:43 | url.par ... ).query | provenance | Config | | typescript.ts:9:14:9:43 | url.par ... ).query | typescript.ts:9:14:9:48 | url.par ... ry.path | provenance | Config | | typescript.ts:9:14:9:48 | url.par ... ry.path | typescript.ts:9:7:9:48 | path | provenance | | | typescript.ts:9:24:9:30 | req.url | typescript.ts:9:14:9:37 | url.par ... 
, true) | provenance | Config | -| typescript.ts:20:7:20:18 | path3 | typescript.ts:21:39:21:43 | path3 | provenance | | -| typescript.ts:20:15:20:18 | path | typescript.ts:20:7:20:18 | path3 | provenance | | -| typescript.ts:23:7:23:18 | path4 | typescript.ts:24:39:24:43 | path4 | provenance | | -| typescript.ts:23:15:23:18 | path | typescript.ts:23:7:23:18 | path4 | provenance | | -| typescript.ts:30:7:30:18 | path6 | typescript.ts:32:29:32:33 | path6 | provenance | | -| typescript.ts:30:15:30:18 | path | typescript.ts:30:7:30:18 | path6 | provenance | | +| typescript.ts:19:7:19:18 | path3 | typescript.ts:20:39:20:43 | path3 | provenance | | +| typescript.ts:19:15:19:18 | path | typescript.ts:19:7:19:18 | path3 | provenance | | +| typescript.ts:22:7:22:18 | path4 | typescript.ts:23:39:23:43 | path4 | provenance | | +| typescript.ts:22:15:22:18 | path | typescript.ts:22:7:22:18 | path4 | provenance | | +| typescript.ts:29:7:29:18 | path6 | typescript.ts:31:29:31:33 | path6 | provenance | | +| typescript.ts:29:15:29:18 | path | typescript.ts:29:7:29:18 | path6 | provenance | | +nodes +| TaintedPath-es6.js:7:7:7:44 | path | semmle.label | path | +| TaintedPath-es6.js:7:14:7:33 | parse(req.url, true) | semmle.label | parse(req.url, true) | +| TaintedPath-es6.js:7:14:7:39 | parse(r ... ).query | semmle.label | parse(r ... ).query | +| TaintedPath-es6.js:7:14:7:44 | parse(r ... ry.path | semmle.label | parse(r ... ry.path | +| TaintedPath-es6.js:7:20:7:26 | req.url | semmle.label | req.url | +| TaintedPath-es6.js:9:26:9:45 | join("public", path) | semmle.label | join("public", path) | +| TaintedPath-es6.js:9:41:9:44 | path | semmle.label | path | +| TaintedPath.js:9:7:9:48 | path | semmle.label | path | +| TaintedPath.js:9:14:9:37 | url.par ... , true) | semmle.label | url.par ... , true) | +| TaintedPath.js:9:14:9:43 | url.par ... ).query | semmle.label | url.par ... ).query | +| TaintedPath.js:9:14:9:48 | url.par ... ry.path | semmle.label | url.par ... 
ry.path | +| TaintedPath.js:9:24:9:30 | req.url | semmle.label | req.url | +| TaintedPath.js:11:29:11:32 | path | semmle.label | path | +| TaintedPath.js:13:29:13:48 | "/home/user/" + path | semmle.label | "/home/user/" + path | +| TaintedPath.js:13:45:13:48 | path | semmle.label | path | +| TaintedPath.js:16:33:16:36 | path | semmle.label | path | +| TaintedPath.js:19:33:19:36 | path | semmle.label | path | +| TaintedPath.js:22:33:22:36 | path | semmle.label | path | +| TaintedPath.js:31:31:31:34 | path | semmle.label | path | +| TaintedPath.js:36:3:36:44 | path | semmle.label | path | +| TaintedPath.js:36:10:36:33 | url.par ... , true) | semmle.label | url.par ... , true) | +| TaintedPath.js:36:10:36:39 | url.par ... ).query | semmle.label | url.par ... ).query | +| TaintedPath.js:36:10:36:44 | url.par ... ry.path | semmle.label | url.par ... ry.path | +| TaintedPath.js:36:20:36:26 | req.url | semmle.label | req.url | +| TaintedPath.js:39:29:39:52 | pathMod ... e(path) | semmle.label | pathMod ... e(path) | +| TaintedPath.js:39:48:39:51 | path | semmle.label | path | +| TaintedPath.js:42:29:42:49 | pathMod ... n(path) | semmle.label | pathMod ... n(path) | +| TaintedPath.js:42:45:42:48 | path | semmle.label | path | +| TaintedPath.js:43:29:43:58 | pathMod ... ath, z) | semmle.label | pathMod ... ath, z) | +| TaintedPath.js:43:51:43:54 | path | semmle.label | path | +| TaintedPath.js:44:29:44:54 | pathMod ... e(path) | semmle.label | pathMod ... e(path) | +| TaintedPath.js:44:50:44:53 | path | semmle.label | path | +| TaintedPath.js:45:29:45:56 | pathMod ... , path) | semmle.label | pathMod ... , path) | +| TaintedPath.js:45:52:45:55 | path | semmle.label | path | +| TaintedPath.js:46:29:46:56 | pathMod ... ath, x) | semmle.label | pathMod ... ath, x) | +| TaintedPath.js:46:49:46:52 | path | semmle.label | path | +| TaintedPath.js:47:29:47:52 | pathMod ... e(path) | semmle.label | pathMod ... 
e(path) | +| TaintedPath.js:47:48:47:51 | path | semmle.label | path | +| TaintedPath.js:48:29:48:61 | pathMod ... ath, z) | semmle.label | pathMod ... ath, z) | +| TaintedPath.js:48:54:48:57 | path | semmle.label | path | +| TaintedPath.js:49:29:49:61 | pathMod ... h(path) | semmle.label | pathMod ... h(path) | +| TaintedPath.js:49:57:49:60 | path | semmle.label | path | +| TaintedPath.js:54:31:54:70 | require ... eq.url) | semmle.label | require ... eq.url) | +| TaintedPath.js:54:31:54:76 | require ... ).query | semmle.label | require ... ).query | +| TaintedPath.js:54:63:54:69 | req.url | semmle.label | req.url | +| TaintedPath.js:55:31:55:68 | require ... eq.url) | semmle.label | require ... eq.url) | +| TaintedPath.js:55:31:55:74 | require ... ).query | semmle.label | require ... ).query | +| TaintedPath.js:55:61:55:67 | req.url | semmle.label | req.url | +| TaintedPath.js:56:31:56:67 | require ... eq.url) | semmle.label | require ... eq.url) | +| TaintedPath.js:56:31:56:73 | require ... ).query | semmle.label | require ... ).query | +| TaintedPath.js:56:60:56:66 | req.url | semmle.label | req.url | +| TaintedPath.js:64:48:64:60 | req.params[0] | semmle.label | req.params[0] | +| TaintedPath.js:73:6:73:47 | path | semmle.label | path | +| TaintedPath.js:73:13:73:36 | url.par ... , true) | semmle.label | url.par ... , true) | +| TaintedPath.js:73:13:73:42 | url.par ... ).query | semmle.label | url.par ... ).query | +| TaintedPath.js:73:13:73:47 | url.par ... ry.path | semmle.label | url.par ... ry.path | +| TaintedPath.js:73:23:73:29 | req.url | semmle.label | req.url | +| TaintedPath.js:75:28:75:48 | fs.real ... c(path) | semmle.label | fs.real ... 
c(path) | +| TaintedPath.js:75:44:75:47 | path | semmle.label | path | +| TaintedPath.js:76:14:76:17 | path | semmle.label | path | +| TaintedPath.js:77:32:77:39 | realpath | semmle.label | realpath | +| TaintedPath.js:78:45:78:52 | realpath | semmle.label | realpath | +| TaintedPath.js:109:6:109:47 | path | semmle.label | path | +| TaintedPath.js:109:13:109:36 | url.par ... , true) | semmle.label | url.par ... , true) | +| TaintedPath.js:109:13:109:42 | url.par ... ).query | semmle.label | url.par ... ).query | +| TaintedPath.js:109:13:109:47 | url.par ... ry.path | semmle.label | url.par ... ry.path | +| TaintedPath.js:109:23:109:29 | req.url | semmle.label | req.url | +| TaintedPath.js:111:23:111:26 | path | semmle.label | path | +| TaintedPath.js:115:7:115:48 | path | semmle.label | path | +| TaintedPath.js:115:14:115:37 | url.par ... , true) | semmle.label | url.par ... , true) | +| TaintedPath.js:115:14:115:43 | url.par ... ).query | semmle.label | url.par ... ).query | +| TaintedPath.js:115:14:115:48 | url.par ... ry.path | semmle.label | url.par ... 
ry.path | +| TaintedPath.js:115:24:115:30 | req.url | semmle.label | req.url | +| TaintedPath.js:117:19:117:22 | path | semmle.label | path | +| TaintedPath.js:119:7:119:29 | split | semmle.label | split | +| TaintedPath.js:119:15:119:18 | path | semmle.label | path | +| TaintedPath.js:119:15:119:29 | path.split("/") | semmle.label | path.split("/") | +| TaintedPath.js:121:19:121:23 | split | semmle.label | split | +| TaintedPath.js:121:19:121:33 | split.join("/") | semmle.label | split.join("/") | +| TaintedPath.js:125:19:125:23 | split | semmle.label | split | +| TaintedPath.js:125:19:125:26 | split[x] | semmle.label | split[x] | +| TaintedPath.js:126:19:126:35 | prefix + split[x] | semmle.label | prefix + split[x] | +| TaintedPath.js:126:28:126:32 | split | semmle.label | split | +| TaintedPath.js:126:28:126:35 | split[x] | semmle.label | split[x] | +| TaintedPath.js:128:7:128:38 | concatted | semmle.label | concatted | +| TaintedPath.js:128:19:128:38 | prefix.concat(split) | semmle.label | prefix.concat(split) | +| TaintedPath.js:128:33:128:37 | split | semmle.label | split | +| TaintedPath.js:129:19:129:27 | concatted | semmle.label | concatted | +| TaintedPath.js:129:19:129:37 | concatted.join("/") | semmle.label | concatted.join("/") | +| TaintedPath.js:131:7:131:39 | concatted2 | semmle.label | concatted2 | +| TaintedPath.js:131:20:131:24 | split | semmle.label | split | +| TaintedPath.js:131:20:131:39 | split.concat(prefix) | semmle.label | split.concat(prefix) | +| TaintedPath.js:132:19:132:28 | concatted2 | semmle.label | concatted2 | +| TaintedPath.js:132:19:132:38 | concatted2.join("/") | semmle.label | concatted2.join("/") | +| TaintedPath.js:134:19:134:23 | split | semmle.label | split | +| TaintedPath.js:134:19:134:29 | split.pop() | semmle.label | split.pop() | +| TaintedPath.js:139:7:139:48 | path | semmle.label | path | +| TaintedPath.js:139:14:139:37 | url.par ... , true) | semmle.label | url.par ... 
, true) | +| TaintedPath.js:139:14:139:43 | url.par ... ).query | semmle.label | url.par ... ).query | +| TaintedPath.js:139:14:139:48 | url.par ... ry.path | semmle.label | url.par ... ry.path | +| TaintedPath.js:139:24:139:30 | req.url | semmle.label | req.url | +| TaintedPath.js:143:29:143:32 | path | semmle.label | path | +| TaintedPath.js:143:29:143:55 | path.re ... /g, '') | semmle.label | path.re ... /g, '') | +| TaintedPath.js:149:29:149:32 | path | semmle.label | path | +| TaintedPath.js:149:29:149:52 | path.re ... /g, '') | semmle.label | path.re ... /g, '') | +| TaintedPath.js:150:29:150:32 | path | semmle.label | path | +| TaintedPath.js:150:29:150:53 | path.re ... /g, '') | semmle.label | path.re ... /g, '') | +| TaintedPath.js:151:29:151:32 | path | semmle.label | path | +| TaintedPath.js:151:29:151:51 | path.re ... /g, '') | semmle.label | path.re ... /g, '') | +| TaintedPath.js:152:29:152:32 | path | semmle.label | path | +| TaintedPath.js:152:29:152:57 | path.re ... /g, '') | semmle.label | path.re ... /g, '') | +| TaintedPath.js:167:29:167:73 | "prefix ... +/, '') | semmle.label | "prefix ... +/, '') | +| TaintedPath.js:167:40:167:43 | path | semmle.label | path | +| TaintedPath.js:167:40:167:73 | path.re ... +/, '') | semmle.label | path.re ... +/, '') | +| TaintedPath.js:168:29:168:54 | pathMod ... e(path) | semmle.label | pathMod ... e(path) | +| TaintedPath.js:168:29:168:84 | pathMod ... +/, '') | semmle.label | pathMod ... +/, '') | +| TaintedPath.js:168:50:168:53 | path | semmle.label | path | +| TaintedPath.js:176:29:176:45 | qs.parse(req.url) | semmle.label | qs.parse(req.url) | +| TaintedPath.js:176:29:176:49 | qs.pars ... rl).foo | semmle.label | qs.pars ... rl).foo | +| TaintedPath.js:176:38:176:44 | req.url | semmle.label | req.url | +| TaintedPath.js:177:29:177:59 | qs.pars ... q.url)) | semmle.label | qs.pars ... q.url)) | +| TaintedPath.js:177:29:177:63 | qs.pars ... l)).foo | semmle.label | qs.pars ... 
l)).foo | +| TaintedPath.js:177:38:177:58 | normali ... eq.url) | semmle.label | normali ... eq.url) | +| TaintedPath.js:177:51:177:57 | req.url | semmle.label | req.url | +| TaintedPath.js:179:29:179:51 | parseqs ... eq.url) | semmle.label | parseqs ... eq.url) | +| TaintedPath.js:179:29:179:55 | parseqs ... rl).foo | semmle.label | parseqs ... rl).foo | +| TaintedPath.js:179:44:179:50 | req.url | semmle.label | req.url | +| TaintedPath.js:184:7:184:48 | path | semmle.label | path | +| TaintedPath.js:184:14:184:37 | url.par ... , true) | semmle.label | url.par ... , true) | +| TaintedPath.js:184:14:184:43 | url.par ... ).query | semmle.label | url.par ... ).query | +| TaintedPath.js:184:14:184:48 | url.par ... ry.path | semmle.label | url.par ... ry.path | +| TaintedPath.js:184:24:184:30 | req.url | semmle.label | req.url | +| TaintedPath.js:185:31:185:34 | path | semmle.label | path | +| TaintedPath.js:186:45:186:48 | path | semmle.label | path | +| TaintedPath.js:187:35:187:38 | path | semmle.label | path | +| TaintedPath.js:191:7:191:48 | path | semmle.label | path | +| TaintedPath.js:191:14:191:37 | url.par ... , true) | semmle.label | url.par ... , true) | +| TaintedPath.js:191:14:191:43 | url.par ... ).query | semmle.label | url.par ... ).query | +| TaintedPath.js:191:14:191:48 | url.par ... ry.path | semmle.label | url.par ... ry.path | +| TaintedPath.js:191:24:191:30 | req.url | semmle.label | req.url | +| TaintedPath.js:195:29:195:32 | path | semmle.label | path | +| TaintedPath.js:195:29:195:85 | path.re ... '), '') | semmle.label | path.re ... '), '') | +| TaintedPath.js:200:7:200:48 | path | semmle.label | path | +| TaintedPath.js:200:14:200:37 | url.par ... , true) | semmle.label | url.par ... , true) | +| TaintedPath.js:200:14:200:43 | url.par ... ).query | semmle.label | url.par ... ).query | +| TaintedPath.js:200:14:200:48 | url.par ... ry.path | semmle.label | url.par ... 
ry.path | +| TaintedPath.js:200:24:200:30 | req.url | semmle.label | req.url | +| TaintedPath.js:202:29:202:32 | path | semmle.label | path | +| TaintedPath.js:202:29:202:68 | path.re ... '), '') | semmle.label | path.re ... '), '') | +| TaintedPath.js:205:31:205:34 | path | semmle.label | path | +| TaintedPath.js:205:31:205:69 | path.re ... '), '') | semmle.label | path.re ... '), '') | +| examples/TaintedPath.js:8:7:8:52 | filePath | semmle.label | filePath | +| examples/TaintedPath.js:8:18:8:41 | url.par ... , true) | semmle.label | url.par ... , true) | +| examples/TaintedPath.js:8:18:8:47 | url.par ... ).query | semmle.label | url.par ... ).query | +| examples/TaintedPath.js:8:18:8:52 | url.par ... ry.path | semmle.label | url.par ... ry.path | +| examples/TaintedPath.js:8:28:8:34 | req.url | semmle.label | req.url | +| examples/TaintedPath.js:10:29:10:43 | ROOT + filePath | semmle.label | ROOT + filePath | +| examples/TaintedPath.js:10:36:10:43 | filePath | semmle.label | filePath | +| express.js:8:20:8:32 | req.query.bar | semmle.label | req.query.bar | +| handlebars.js:10:51:10:58 | filePath | semmle.label | filePath | +| handlebars.js:11:32:11:39 | filePath | semmle.label | filePath | +| handlebars.js:13:73:13:80 | filePath | semmle.label | filePath | +| handlebars.js:15:25:15:32 | filePath | semmle.label | filePath | +| handlebars.js:29:46:29:60 | req.params.path | semmle.label | req.params.path | +| handlebars.js:43:15:43:29 | req.params.path | semmle.label | req.params.path | +| normalizedPaths.js:11:7:11:27 | path | semmle.label | path | +| normalizedPaths.js:11:14:11:27 | req.query.path | semmle.label | req.query.path | +| normalizedPaths.js:13:19:13:22 | path | semmle.label | path | +| normalizedPaths.js:14:19:14:29 | './' + path | semmle.label | './' + path | +| normalizedPaths.js:14:26:14:29 | path | semmle.label | path | +| normalizedPaths.js:15:19:15:22 | path | semmle.label | path | +| normalizedPaths.js:15:19:15:38 | path + '/index.html' | 
semmle.label | path + '/index.html' | +| normalizedPaths.js:16:19:16:53 | pathMod ... .html') | semmle.label | pathMod ... .html') | +| normalizedPaths.js:16:35:16:38 | path | semmle.label | path | +| normalizedPaths.js:17:19:17:57 | pathMod ... , path) | semmle.label | pathMod ... , path) | +| normalizedPaths.js:17:53:17:56 | path | semmle.label | path | +| normalizedPaths.js:21:7:21:49 | path | semmle.label | path | +| normalizedPaths.js:21:14:21:49 | pathMod ... y.path) | semmle.label | pathMod ... y.path) | +| normalizedPaths.js:21:35:21:48 | req.query.path | semmle.label | req.query.path | +| normalizedPaths.js:23:19:23:22 | path | semmle.label | path | +| normalizedPaths.js:24:19:24:29 | './' + path | semmle.label | './' + path | +| normalizedPaths.js:24:26:24:29 | path | semmle.label | path | +| normalizedPaths.js:25:19:25:22 | path | semmle.label | path | +| normalizedPaths.js:25:19:25:38 | path + '/index.html' | semmle.label | path + '/index.html' | +| normalizedPaths.js:26:19:26:53 | pathMod ... .html') | semmle.label | pathMod ... .html') | +| normalizedPaths.js:26:35:26:38 | path | semmle.label | path | +| normalizedPaths.js:27:19:27:57 | pathMod ... , path) | semmle.label | pathMod ... , path) | +| normalizedPaths.js:27:53:27:56 | path | semmle.label | path | +| normalizedPaths.js:31:7:31:49 | path | semmle.label | path | +| normalizedPaths.js:31:14:31:49 | pathMod ... y.path) | semmle.label | pathMod ... y.path) | +| normalizedPaths.js:31:35:31:48 | req.query.path | semmle.label | req.query.path | +| normalizedPaths.js:36:19:36:22 | path | semmle.label | path | +| normalizedPaths.js:41:21:41:24 | path | semmle.label | path | +| normalizedPaths.js:54:7:54:49 | path | semmle.label | path | +| normalizedPaths.js:54:14:54:49 | pathMod ... y.path) | semmle.label | pathMod ... 
y.path) | +| normalizedPaths.js:54:35:54:48 | req.query.path | semmle.label | req.query.path | +| normalizedPaths.js:59:19:59:22 | path | semmle.label | path | +| normalizedPaths.js:63:19:63:22 | path | semmle.label | path | +| normalizedPaths.js:63:19:63:38 | path + "/index.html" | semmle.label | path + "/index.html" | +| normalizedPaths.js:68:21:68:24 | path | semmle.label | path | +| normalizedPaths.js:73:7:73:56 | path | semmle.label | path | +| normalizedPaths.js:73:14:73:56 | pathMod ... y.path) | semmle.label | pathMod ... y.path) | +| normalizedPaths.js:73:35:73:55 | './' + ... ry.path | semmle.label | './' + ... ry.path | +| normalizedPaths.js:73:42:73:55 | req.query.path | semmle.label | req.query.path | +| normalizedPaths.js:78:22:78:25 | path | semmle.label | path | +| normalizedPaths.js:82:7:82:27 | path | semmle.label | path | +| normalizedPaths.js:82:14:82:27 | req.query.path | semmle.label | req.query.path | +| normalizedPaths.js:87:29:87:32 | path | semmle.label | path | +| normalizedPaths.js:90:31:90:34 | path | semmle.label | path | +| normalizedPaths.js:94:7:94:49 | path | semmle.label | path | +| normalizedPaths.js:94:14:94:49 | pathMod ... y.path) | semmle.label | pathMod ... y.path) | +| normalizedPaths.js:94:35:94:48 | req.query.path | semmle.label | req.query.path | +| normalizedPaths.js:99:29:99:32 | path | semmle.label | path | +| normalizedPaths.js:117:7:117:44 | path | semmle.label | path | +| normalizedPaths.js:117:14:117:44 | fs.real ... y.path) | semmle.label | fs.real ... y.path) | +| normalizedPaths.js:117:30:117:43 | req.query.path | semmle.label | req.query.path | +| normalizedPaths.js:119:19:119:22 | path | semmle.label | path | +| normalizedPaths.js:120:19:120:53 | pathMod ... .html') | semmle.label | pathMod ... .html') | +| normalizedPaths.js:120:35:120:38 | path | semmle.label | path | +| normalizedPaths.js:130:7:130:49 | path | semmle.label | path | +| normalizedPaths.js:130:14:130:49 | pathMod ... 
y.path) | semmle.label | pathMod ... y.path) | +| normalizedPaths.js:130:35:130:48 | req.query.path | semmle.label | req.query.path | +| normalizedPaths.js:135:21:135:24 | path | semmle.label | path | +| normalizedPaths.js:139:7:139:62 | path | semmle.label | path | +| normalizedPaths.js:139:14:139:62 | pathMod ... y.path) | semmle.label | pathMod ... y.path) | +| normalizedPaths.js:139:48:139:61 | req.query.path | semmle.label | req.query.path | +| normalizedPaths.js:144:21:144:24 | path | semmle.label | path | +| normalizedPaths.js:148:7:148:58 | path | semmle.label | path | +| normalizedPaths.js:148:14:148:58 | 'foo/' ... y.path) | semmle.label | 'foo/' ... y.path) | +| normalizedPaths.js:148:23:148:58 | pathMod ... y.path) | semmle.label | pathMod ... y.path) | +| normalizedPaths.js:148:44:148:57 | req.query.path | semmle.label | req.query.path | +| normalizedPaths.js:151:21:151:24 | path | semmle.label | path | +| normalizedPaths.js:153:21:153:24 | path | semmle.label | path | +| normalizedPaths.js:160:7:160:49 | path | semmle.label | path | +| normalizedPaths.js:160:14:160:49 | pathMod ... y.path) | semmle.label | pathMod ... 
y.path) | +| normalizedPaths.js:160:35:160:48 | req.query.path | semmle.label | req.query.path | +| normalizedPaths.js:165:19:165:22 | path | semmle.label | path | +| normalizedPaths.js:170:21:170:24 | path | semmle.label | path | +| normalizedPaths.js:174:7:174:27 | path | semmle.label | path | +| normalizedPaths.js:174:14:174:27 | req.query.path | semmle.label | req.query.path | +| normalizedPaths.js:184:19:184:22 | path | semmle.label | path | +| normalizedPaths.js:187:21:187:24 | path | semmle.label | path | +| normalizedPaths.js:189:21:189:24 | path | semmle.label | path | +| normalizedPaths.js:192:21:192:24 | path | semmle.label | path | +| normalizedPaths.js:194:21:194:24 | path | semmle.label | path | +| normalizedPaths.js:199:21:199:24 | path | semmle.label | path | +| normalizedPaths.js:201:7:201:49 | normalizedPath | semmle.label | normalizedPath | +| normalizedPaths.js:201:24:201:49 | pathMod ... e(path) | semmle.label | pathMod ... e(path) | +| normalizedPaths.js:201:45:201:48 | path | semmle.label | path | +| normalizedPaths.js:205:21:205:34 | normalizedPath | semmle.label | normalizedPath | +| normalizedPaths.js:208:21:208:34 | normalizedPath | semmle.label | normalizedPath | +| normalizedPaths.js:210:21:210:34 | normalizedPath | semmle.label | normalizedPath | +| normalizedPaths.js:214:7:214:49 | path | semmle.label | path | +| normalizedPaths.js:214:14:214:49 | pathMod ... y.path) | semmle.label | pathMod ... y.path) | +| normalizedPaths.js:214:35:214:48 | req.query.path | semmle.label | req.query.path | +| normalizedPaths.js:219:3:219:33 | path | semmle.label | path | +| normalizedPaths.js:219:10:219:33 | decodeU ... t(path) | semmle.label | decodeU ... t(path) | +| normalizedPaths.js:219:29:219:32 | path | semmle.label | path | +| normalizedPaths.js:222:21:222:24 | path | semmle.label | path | +| normalizedPaths.js:226:7:226:70 | path | semmle.label | path | +| normalizedPaths.js:226:14:226:49 | pathMod ... y.path) | semmle.label | pathMod ... 
y.path) | +| normalizedPaths.js:226:14:226:70 | pathMod ... g, ' ') | semmle.label | pathMod ... g, ' ') | +| normalizedPaths.js:226:35:226:48 | req.query.path | semmle.label | req.query.path | +| normalizedPaths.js:228:21:228:24 | path | semmle.label | path | +| normalizedPaths.js:236:7:236:47 | path | semmle.label | path | +| normalizedPaths.js:236:14:236:47 | pathMod ... y.path) | semmle.label | pathMod ... y.path) | +| normalizedPaths.js:236:33:236:46 | req.query.path | semmle.label | req.query.path | +| normalizedPaths.js:238:19:238:22 | path | semmle.label | path | +| normalizedPaths.js:245:21:245:24 | path | semmle.label | path | +| normalizedPaths.js:250:21:250:24 | path | semmle.label | path | +| normalizedPaths.js:254:7:254:47 | path | semmle.label | path | +| normalizedPaths.js:254:14:254:47 | pathMod ... y.path) | semmle.label | pathMod ... y.path) | +| normalizedPaths.js:254:33:254:46 | req.query.path | semmle.label | req.query.path | +| normalizedPaths.js:256:19:256:22 | path | semmle.label | path | +| normalizedPaths.js:262:21:262:24 | path | semmle.label | path | +| normalizedPaths.js:267:7:267:42 | newpath | semmle.label | newpath | +| normalizedPaths.js:267:17:267:42 | pathMod ... e(path) | semmle.label | pathMod ... e(path) | +| normalizedPaths.js:267:38:267:41 | path | semmle.label | path | +| normalizedPaths.js:270:21:270:27 | newpath | semmle.label | newpath | +| normalizedPaths.js:275:7:275:42 | newpath | semmle.label | newpath | +| normalizedPaths.js:275:17:275:42 | pathMod ... e(path) | semmle.label | pathMod ... e(path) | +| normalizedPaths.js:275:38:275:41 | path | semmle.label | path | +| normalizedPaths.js:278:21:278:27 | newpath | semmle.label | newpath | +| normalizedPaths.js:283:7:283:42 | newpath | semmle.label | newpath | +| normalizedPaths.js:283:17:283:42 | pathMod ... e(path) | semmle.label | pathMod ... 
e(path) | +| normalizedPaths.js:283:38:283:41 | path | semmle.label | path | +| normalizedPaths.js:286:21:286:27 | newpath | semmle.label | newpath | +| normalizedPaths.js:291:7:291:42 | newpath | semmle.label | newpath | +| normalizedPaths.js:291:17:291:42 | pathMod ... e(path) | semmle.label | pathMod ... e(path) | +| normalizedPaths.js:291:38:291:41 | path | semmle.label | path | +| normalizedPaths.js:296:21:296:27 | newpath | semmle.label | newpath | +| normalizedPaths.js:303:6:303:26 | path | semmle.label | path | +| normalizedPaths.js:303:13:303:26 | req.query.path | semmle.label | req.query.path | +| normalizedPaths.js:304:18:304:21 | path | semmle.label | path | +| normalizedPaths.js:309:19:309:22 | path | semmle.label | path | +| normalizedPaths.js:313:19:313:22 | path | semmle.label | path | +| normalizedPaths.js:316:19:316:22 | path | semmle.label | path | +| normalizedPaths.js:320:6:320:49 | normalizedPath | semmle.label | normalizedPath | +| normalizedPaths.js:320:23:320:49 | pathMod ... , path) | semmle.label | pathMod ... , path) | +| normalizedPaths.js:320:45:320:48 | path | semmle.label | path | +| normalizedPaths.js:325:19:325:32 | normalizedPath | semmle.label | normalizedPath | +| normalizedPaths.js:332:19:332:32 | normalizedPath | semmle.label | normalizedPath | +| normalizedPaths.js:339:6:339:46 | path | semmle.label | path | +| normalizedPaths.js:339:13:339:46 | pathMod ... y.path) | semmle.label | pathMod ... 
y.path) | +| normalizedPaths.js:339:32:339:45 | req.query.path | semmle.label | req.query.path | +| normalizedPaths.js:341:18:341:21 | path | semmle.label | path | +| normalizedPaths.js:346:19:346:22 | path | semmle.label | path | +| normalizedPaths.js:354:7:354:27 | path | semmle.label | path | +| normalizedPaths.js:354:14:354:27 | req.query.path | semmle.label | req.query.path | +| normalizedPaths.js:356:19:356:22 | path | semmle.label | path | +| normalizedPaths.js:358:7:358:51 | requestPath | semmle.label | requestPath | +| normalizedPaths.js:358:21:358:51 | pathMod ... , path) | semmle.label | pathMod ... , path) | +| normalizedPaths.js:358:47:358:50 | path | semmle.label | path | +| normalizedPaths.js:363:21:363:31 | requestPath | semmle.label | requestPath | +| normalizedPaths.js:377:7:377:27 | path | semmle.label | path | +| normalizedPaths.js:377:14:377:27 | req.query.path | semmle.label | req.query.path | +| normalizedPaths.js:379:19:379:22 | path | semmle.label | path | +| normalizedPaths.js:381:19:381:29 | slash(path) | semmle.label | slash(path) | +| normalizedPaths.js:381:25:381:28 | path | semmle.label | path | +| normalizedPaths.js:385:7:385:46 | path | semmle.label | path | +| normalizedPaths.js:385:14:385:46 | pathMod ... uery.x) | semmle.label | pathMod ... uery.x) | +| normalizedPaths.js:385:35:385:45 | req.query.x | semmle.label | req.query.x | +| normalizedPaths.js:388:19:388:22 | path | semmle.label | path | +| normalizedPaths.js:399:21:399:24 | path | semmle.label | path | +| normalizedPaths.js:407:19:407:67 | pathMod ... t('/')) | semmle.label | pathMod ... t('/')) | +| normalizedPaths.js:407:45:407:55 | req.query.x | semmle.label | req.query.x | +| normalizedPaths.js:407:45:407:66 | req.que ... it('/') | semmle.label | req.que ... it('/') | +| normalizedPaths.js:408:19:408:60 | pathMod ... t('/')) | semmle.label | pathMod ... 
t('/')) | +| normalizedPaths.js:408:38:408:48 | req.query.x | semmle.label | req.query.x | +| normalizedPaths.js:408:38:408:59 | req.que ... it('/') | semmle.label | req.que ... it('/') | +| normalizedPaths.js:412:7:412:46 | path | semmle.label | path | +| normalizedPaths.js:412:14:412:46 | pathMod ... uery.x) | semmle.label | pathMod ... uery.x) | +| normalizedPaths.js:412:35:412:45 | req.query.x | semmle.label | req.query.x | +| normalizedPaths.js:415:19:415:22 | path | semmle.label | path | +| normalizedPaths.js:426:21:426:24 | path | semmle.label | path | +| other-fs-libraries.js:9:7:9:48 | path | semmle.label | path | +| other-fs-libraries.js:9:14:9:37 | url.par ... , true) | semmle.label | url.par ... , true) | +| other-fs-libraries.js:9:14:9:43 | url.par ... ).query | semmle.label | url.par ... ).query | +| other-fs-libraries.js:9:14:9:48 | url.par ... ry.path | semmle.label | url.par ... ry.path | +| other-fs-libraries.js:9:24:9:30 | req.url | semmle.label | req.url | +| other-fs-libraries.js:11:19:11:22 | path | semmle.label | path | +| other-fs-libraries.js:12:27:12:30 | path | semmle.label | path | +| other-fs-libraries.js:13:24:13:27 | path | semmle.label | path | +| other-fs-libraries.js:14:27:14:30 | path | semmle.label | path | +| other-fs-libraries.js:16:34:16:37 | path | semmle.label | path | +| other-fs-libraries.js:17:35:17:38 | path | semmle.label | path | +| other-fs-libraries.js:19:56:19:59 | path | semmle.label | path | +| other-fs-libraries.js:24:35:24:38 | path | semmle.label | path | +| other-fs-libraries.js:38:7:38:48 | path | semmle.label | path | +| other-fs-libraries.js:38:14:38:37 | url.par ... , true) | semmle.label | url.par ... , true) | +| other-fs-libraries.js:38:14:38:43 | url.par ... ).query | semmle.label | url.par ... ).query | +| other-fs-libraries.js:38:14:38:48 | url.par ... ry.path | semmle.label | url.par ... 
ry.path | +| other-fs-libraries.js:38:24:38:30 | req.url | semmle.label | req.url | +| other-fs-libraries.js:40:35:40:38 | path | semmle.label | path | +| other-fs-libraries.js:41:50:41:53 | path | semmle.label | path | +| other-fs-libraries.js:42:53:42:56 | path | semmle.label | path | +| other-fs-libraries.js:49:7:49:48 | path | semmle.label | path | +| other-fs-libraries.js:49:14:49:37 | url.par ... , true) | semmle.label | url.par ... , true) | +| other-fs-libraries.js:49:14:49:43 | url.par ... ).query | semmle.label | url.par ... ).query | +| other-fs-libraries.js:49:14:49:48 | url.par ... ry.path | semmle.label | url.par ... ry.path | +| other-fs-libraries.js:49:24:49:30 | req.url | semmle.label | req.url | +| other-fs-libraries.js:51:19:51:22 | path | semmle.label | path | +| other-fs-libraries.js:52:24:52:27 | path | semmle.label | path | +| other-fs-libraries.js:54:36:54:39 | path | semmle.label | path | +| other-fs-libraries.js:55:36:55:39 | path | semmle.label | path | +| other-fs-libraries.js:57:46:57:49 | path | semmle.label | path | +| other-fs-libraries.js:59:39:59:42 | path | semmle.label | path | +| other-fs-libraries.js:62:43:62:46 | path | semmle.label | path | +| other-fs-libraries.js:63:51:63:54 | path | semmle.label | path | +| other-fs-libraries.js:68:7:68:48 | path | semmle.label | path | +| other-fs-libraries.js:68:14:68:37 | url.par ... , true) | semmle.label | url.par ... , true) | +| other-fs-libraries.js:68:14:68:43 | url.par ... ).query | semmle.label | url.par ... ).query | +| other-fs-libraries.js:68:14:68:48 | url.par ... ry.path | semmle.label | url.par ... 
ry.path | +| other-fs-libraries.js:68:24:68:30 | req.url | semmle.label | req.url | +| other-fs-libraries.js:70:19:70:22 | path | semmle.label | path | +| other-fs-libraries.js:71:10:71:13 | path | semmle.label | path | +| other-fs-libraries.js:72:15:72:18 | path | semmle.label | path | +| other-fs-libraries.js:73:8:73:11 | path | semmle.label | path | +| other-fs-libraries.js:75:15:75:15 | x | semmle.label | x | +| other-fs-libraries.js:76:19:76:19 | x | semmle.label | x | +| other-fs-libraries.js:81:7:81:48 | path | semmle.label | path | +| other-fs-libraries.js:81:14:81:37 | url.par ... , true) | semmle.label | url.par ... , true) | +| other-fs-libraries.js:81:14:81:43 | url.par ... ).query | semmle.label | url.par ... ).query | +| other-fs-libraries.js:81:14:81:48 | url.par ... ry.path | semmle.label | url.par ... ry.path | +| other-fs-libraries.js:81:24:81:30 | req.url | semmle.label | req.url | +| other-fs-libraries.js:83:16:83:19 | path | semmle.label | path | +| prettier.js:6:11:6:28 | p | semmle.label | p | +| prettier.js:6:13:6:13 | p | semmle.label | p | +| prettier.js:7:28:7:28 | p | semmle.label | p | +| prettier.js:11:44:11:44 | p | semmle.label | p | +| pupeteer.js:5:9:5:71 | tainted | semmle.label | tainted | +| pupeteer.js:5:19:5:71 | "dir/" ... t.data" | semmle.label | "dir/" ... t.data" | +| pupeteer.js:5:28:5:53 | parseTo ... t).name | semmle.label | parseTo ... t).name | +| pupeteer.js:9:28:9:34 | tainted | semmle.label | tainted | +| pupeteer.js:13:37:13:43 | tainted | semmle.label | tainted | +| sharedlib-repro.js:13:22:13:43 | req.par ... spaceId | semmle.label | req.par ... spaceId | +| sharedlib-repro.js:21:27:21:34 | filepath | semmle.label | filepath | +| sharedlib-repro.js:22:18:22:25 | filepath | semmle.label | filepath | +| tainted-access-paths.js:6:7:6:48 | path | semmle.label | path | +| tainted-access-paths.js:6:14:6:37 | url.par ... , true) | semmle.label | url.par ... , true) | +| tainted-access-paths.js:6:14:6:43 | url.par ... 
).query | semmle.label | url.par ... ).query | +| tainted-access-paths.js:6:14:6:48 | url.par ... ry.path | semmle.label | url.par ... ry.path | +| tainted-access-paths.js:6:24:6:30 | req.url | semmle.label | req.url | +| tainted-access-paths.js:8:19:8:22 | path | semmle.label | path | +| tainted-access-paths.js:10:7:10:36 | obj | semmle.label | obj | +| tainted-access-paths.js:10:33:10:36 | path | semmle.label | path | +| tainted-access-paths.js:12:19:12:21 | obj | semmle.label | obj | +| tainted-access-paths.js:12:19:12:25 | obj.sub | semmle.label | obj.sub | +| tainted-access-paths.js:26:19:26:21 | obj | semmle.label | obj | +| tainted-access-paths.js:26:19:26:26 | obj.sub3 | semmle.label | obj.sub3 | +| tainted-access-paths.js:29:21:29:23 | obj | semmle.label | obj | +| tainted-access-paths.js:29:21:29:28 | obj.sub4 | semmle.label | obj.sub4 | +| tainted-access-paths.js:30:23:30:25 | obj | semmle.label | obj | +| tainted-access-paths.js:30:23:30:30 | obj.sub4 | semmle.label | obj.sub4 | +| tainted-access-paths.js:31:23:31:25 | obj | semmle.label | obj | +| tainted-access-paths.js:31:23:31:30 | obj.sub4 | semmle.label | obj.sub4 | +| tainted-access-paths.js:39:7:39:48 | path | semmle.label | path | +| tainted-access-paths.js:39:14:39:37 | url.par ... , true) | semmle.label | url.par ... , true) | +| tainted-access-paths.js:39:14:39:43 | url.par ... ).query | semmle.label | url.par ... ).query | +| tainted-access-paths.js:39:14:39:48 | url.par ... ry.path | semmle.label | url.par ... ry.path | +| tainted-access-paths.js:39:24:39:30 | req.url | semmle.label | req.url | +| tainted-access-paths.js:40:23:40:26 | path | semmle.label | path | +| tainted-access-paths.js:48:7:48:48 | path | semmle.label | path | +| tainted-access-paths.js:48:14:48:37 | url.par ... , true) | semmle.label | url.par ... , true) | +| tainted-access-paths.js:48:14:48:43 | url.par ... ).query | semmle.label | url.par ... ).query | +| tainted-access-paths.js:48:14:48:48 | url.par ... 
ry.path | semmle.label | url.par ... ry.path | +| tainted-access-paths.js:48:24:48:30 | req.url | semmle.label | req.url | +| tainted-access-paths.js:49:10:49:13 | path | semmle.label | path | +| tainted-promise-steps.js:6:7:6:48 | path | semmle.label | path | +| tainted-promise-steps.js:6:14:6:37 | url.par ... , true) | semmle.label | url.par ... , true) | +| tainted-promise-steps.js:6:14:6:43 | url.par ... ).query | semmle.label | url.par ... ).query | +| tainted-promise-steps.js:6:14:6:48 | url.par ... ry.path | semmle.label | url.par ... ry.path | +| tainted-promise-steps.js:6:24:6:30 | req.url | semmle.label | req.url | +| tainted-promise-steps.js:7:10:7:30 | Promise ... e(path) [PromiseValue] | semmle.label | Promise ... e(path) [PromiseValue] | +| tainted-promise-steps.js:7:26:7:29 | path | semmle.label | path | +| tainted-promise-steps.js:10:23:10:33 | pathPromise [PromiseValue] | semmle.label | pathPromise [PromiseValue] | +| tainted-promise-steps.js:11:19:11:35 | await pathPromise | semmle.label | await pathPromise | +| tainted-promise-steps.js:11:25:11:35 | pathPromise [PromiseValue] | semmle.label | pathPromise [PromiseValue] | +| tainted-promise-steps.js:12:3:12:13 | pathPromise [PromiseValue] | semmle.label | pathPromise [PromiseValue] | +| tainted-promise-steps.js:12:20:12:23 | path | semmle.label | path | +| tainted-promise-steps.js:12:44:12:47 | path | semmle.label | path | +| tainted-require.js:6:19:6:37 | req.param("module") | semmle.label | req.param("module") | +| tainted-require.js:11:29:11:47 | req.param("module") | semmle.label | req.param("module") | +| tainted-require.js:13:11:13:29 | req.param("module") | semmle.label | req.param("module") | +| tainted-sendFile.js:7:16:7:33 | req.param("gimme") | semmle.label | req.param("gimme") | +| tainted-sendFile.js:8:16:8:33 | req.param("gimme") | semmle.label | req.param("gimme") | +| tainted-sendFile.js:15:43:15:58 | req.param("dir") | semmle.label | req.param("dir") | +| 
tainted-sendFile.js:21:16:21:49 | path.re ... rams.x) | semmle.label | path.re ... rams.x) | +| tainted-sendFile.js:21:37:21:48 | req.params.x | semmle.label | req.params.x | +| tainted-sendFile.js:22:16:22:46 | path.jo ... rams.x) | semmle.label | path.jo ... rams.x) | +| tainted-sendFile.js:22:34:22:45 | req.params.x | semmle.label | req.params.x | +| tainted-string-steps.js:6:7:6:48 | path | semmle.label | path | +| tainted-string-steps.js:6:14:6:37 | url.par ... , true) | semmle.label | url.par ... , true) | +| tainted-string-steps.js:6:14:6:43 | url.par ... ).query | semmle.label | url.par ... ).query | +| tainted-string-steps.js:6:14:6:48 | url.par ... ry.path | semmle.label | url.par ... ry.path | +| tainted-string-steps.js:6:24:6:30 | req.url | semmle.label | req.url | +| tainted-string-steps.js:8:18:8:21 | path | semmle.label | path | +| tainted-string-steps.js:8:18:8:34 | path.substring(4) | semmle.label | path.substring(4) | +| tainted-string-steps.js:9:18:9:21 | path | semmle.label | path | +| tainted-string-steps.js:9:18:9:37 | path.substring(0, i) | semmle.label | path.substring(0, i) | +| tainted-string-steps.js:10:18:10:21 | path | semmle.label | path | +| tainted-string-steps.js:10:18:10:31 | path.substr(4) | semmle.label | path.substr(4) | +| tainted-string-steps.js:11:18:11:21 | path | semmle.label | path | +| tainted-string-steps.js:11:18:11:30 | path.slice(4) | semmle.label | path.slice(4) | +| tainted-string-steps.js:13:18:13:21 | path | semmle.label | path | +| tainted-string-steps.js:13:18:13:37 | path.concat(unknown) | semmle.label | path.concat(unknown) | +| tainted-string-steps.js:14:18:14:37 | unknown.concat(path) | semmle.label | unknown.concat(path) | +| tainted-string-steps.js:14:33:14:36 | path | semmle.label | path | +| tainted-string-steps.js:15:18:15:46 | unknown ... , path) | semmle.label | unknown ... 
, path) | +| tainted-string-steps.js:15:42:15:45 | path | semmle.label | path | +| tainted-string-steps.js:17:18:17:21 | path | semmle.label | path | +| tainted-string-steps.js:17:18:17:28 | path.trim() | semmle.label | path.trim() | +| tainted-string-steps.js:18:18:18:21 | path | semmle.label | path | +| tainted-string-steps.js:18:18:18:35 | path.toLowerCase() | semmle.label | path.toLowerCase() | +| tainted-string-steps.js:22:18:22:21 | path | semmle.label | path | +| tainted-string-steps.js:22:18:22:32 | path.split('/') | semmle.label | path.split('/') | +| tainted-string-steps.js:22:18:22:35 | path.split('/')[i] | semmle.label | path.split('/')[i] | +| tainted-string-steps.js:23:18:23:21 | path | semmle.label | path | +| tainted-string-steps.js:23:18:23:33 | path.split(/\\//) | semmle.label | path.split(/\\//) | +| tainted-string-steps.js:23:18:23:36 | path.split(/\\//)[i] | semmle.label | path.split(/\\//)[i] | +| tainted-string-steps.js:24:18:24:21 | path | semmle.label | path | +| tainted-string-steps.js:24:18:24:32 | path.split("?") | semmle.label | path.split("?") | +| tainted-string-steps.js:24:18:24:35 | path.split("?")[0] | semmle.label | path.split("?")[0] | +| tainted-string-steps.js:26:18:26:21 | path | semmle.label | path | +| tainted-string-steps.js:26:18:26:36 | path.split(unknown) | semmle.label | path.split(unknown) | +| tainted-string-steps.js:26:18:26:45 | path.sp ... hatever | semmle.label | path.sp ... hatever | +| tainted-string-steps.js:27:18:27:21 | path | semmle.label | path | +| tainted-string-steps.js:27:18:27:36 | path.split(unknown) | semmle.label | path.split(unknown) | +| torrents.js:5:6:5:38 | name | semmle.label | name | +| torrents.js:5:13:5:38 | parseTo ... t).name | semmle.label | parseTo ... t).name | +| torrents.js:6:6:6:45 | loc | semmle.label | loc | +| torrents.js:6:12:6:45 | dir + " ... t.data" | semmle.label | dir + " ... 
t.data" | +| torrents.js:6:24:6:27 | name | semmle.label | name | +| torrents.js:7:25:7:27 | loc | semmle.label | loc | +| typescript.ts:9:7:9:48 | path | semmle.label | path | +| typescript.ts:9:14:9:37 | url.par ... , true) | semmle.label | url.par ... , true) | +| typescript.ts:9:14:9:43 | url.par ... ).query | semmle.label | url.par ... ).query | +| typescript.ts:9:14:9:48 | url.par ... ry.path | semmle.label | url.par ... ry.path | +| typescript.ts:9:24:9:30 | req.url | semmle.label | req.url | +| typescript.ts:11:29:11:32 | path | semmle.label | path | +| typescript.ts:19:7:19:18 | path3 | semmle.label | path3 | +| typescript.ts:19:15:19:18 | path | semmle.label | path | +| typescript.ts:20:39:20:43 | path3 | semmle.label | path3 | +| typescript.ts:22:7:22:18 | path4 | semmle.label | path4 | +| typescript.ts:22:15:22:18 | path | semmle.label | path | +| typescript.ts:23:39:23:43 | path4 | semmle.label | path4 | +| typescript.ts:29:7:29:18 | path6 | semmle.label | path6 | +| typescript.ts:29:15:29:18 | path | semmle.label | path | +| typescript.ts:31:29:31:33 | path6 | semmle.label | path6 | +| views.js:1:43:1:55 | req.params[0] | semmle.label | req.params[0] | subpaths -#select -| TaintedPath-es6.js:10:26:10:45 | join("public", path) | TaintedPath-es6.js:7:20:7:26 | req.url | TaintedPath-es6.js:10:26:10:45 | join("public", path) | This path depends on a $@. | TaintedPath-es6.js:7:20:7:26 | req.url | user-provided value | -| TaintedPath.js:12:29:12:32 | path | TaintedPath.js:9:24:9:30 | req.url | TaintedPath.js:12:29:12:32 | path | This path depends on a $@. | TaintedPath.js:9:24:9:30 | req.url | user-provided value | -| TaintedPath.js:15:29:15:48 | "/home/user/" + path | TaintedPath.js:9:24:9:30 | req.url | TaintedPath.js:15:29:15:48 | "/home/user/" + path | This path depends on a $@. 
| TaintedPath.js:9:24:9:30 | req.url | user-provided value | -| TaintedPath.js:18:33:18:36 | path | TaintedPath.js:9:24:9:30 | req.url | TaintedPath.js:18:33:18:36 | path | This path depends on a $@. | TaintedPath.js:9:24:9:30 | req.url | user-provided value | -| TaintedPath.js:21:33:21:36 | path | TaintedPath.js:9:24:9:30 | req.url | TaintedPath.js:21:33:21:36 | path | This path depends on a $@. | TaintedPath.js:9:24:9:30 | req.url | user-provided value | -| TaintedPath.js:24:33:24:36 | path | TaintedPath.js:9:24:9:30 | req.url | TaintedPath.js:24:33:24:36 | path | This path depends on a $@. | TaintedPath.js:9:24:9:30 | req.url | user-provided value | -| TaintedPath.js:33:31:33:34 | path | TaintedPath.js:9:24:9:30 | req.url | TaintedPath.js:33:31:33:34 | path | This path depends on a $@. | TaintedPath.js:9:24:9:30 | req.url | user-provided value | -| TaintedPath.js:42:29:42:52 | pathMod ... e(path) | TaintedPath.js:38:20:38:26 | req.url | TaintedPath.js:42:29:42:52 | pathMod ... e(path) | This path depends on a $@. | TaintedPath.js:38:20:38:26 | req.url | user-provided value | -| TaintedPath.js:46:29:46:49 | pathMod ... n(path) | TaintedPath.js:38:20:38:26 | req.url | TaintedPath.js:46:29:46:49 | pathMod ... n(path) | This path depends on a $@. | TaintedPath.js:38:20:38:26 | req.url | user-provided value | -| TaintedPath.js:48:29:48:58 | pathMod ... ath, z) | TaintedPath.js:38:20:38:26 | req.url | TaintedPath.js:48:29:48:58 | pathMod ... ath, z) | This path depends on a $@. | TaintedPath.js:38:20:38:26 | req.url | user-provided value | -| TaintedPath.js:50:29:50:54 | pathMod ... e(path) | TaintedPath.js:38:20:38:26 | req.url | TaintedPath.js:50:29:50:54 | pathMod ... e(path) | This path depends on a $@. | TaintedPath.js:38:20:38:26 | req.url | user-provided value | -| TaintedPath.js:52:29:52:56 | pathMod ... , path) | TaintedPath.js:38:20:38:26 | req.url | TaintedPath.js:52:29:52:56 | pathMod ... , path) | This path depends on a $@. 
| TaintedPath.js:38:20:38:26 | req.url | user-provided value | -| TaintedPath.js:54:29:54:56 | pathMod ... ath, x) | TaintedPath.js:38:20:38:26 | req.url | TaintedPath.js:54:29:54:56 | pathMod ... ath, x) | This path depends on a $@. | TaintedPath.js:38:20:38:26 | req.url | user-provided value | -| TaintedPath.js:56:29:56:52 | pathMod ... e(path) | TaintedPath.js:38:20:38:26 | req.url | TaintedPath.js:56:29:56:52 | pathMod ... e(path) | This path depends on a $@. | TaintedPath.js:38:20:38:26 | req.url | user-provided value | -| TaintedPath.js:58:29:58:61 | pathMod ... ath, z) | TaintedPath.js:38:20:38:26 | req.url | TaintedPath.js:58:29:58:61 | pathMod ... ath, z) | This path depends on a $@. | TaintedPath.js:38:20:38:26 | req.url | user-provided value | -| TaintedPath.js:60:29:60:61 | pathMod ... h(path) | TaintedPath.js:38:20:38:26 | req.url | TaintedPath.js:60:29:60:61 | pathMod ... h(path) | This path depends on a $@. | TaintedPath.js:38:20:38:26 | req.url | user-provided value | -| TaintedPath.js:65:31:65:76 | require ... ).query | TaintedPath.js:65:63:65:69 | req.url | TaintedPath.js:65:31:65:76 | require ... ).query | This path depends on a $@. | TaintedPath.js:65:63:65:69 | req.url | user-provided value | -| TaintedPath.js:66:31:66:74 | require ... ).query | TaintedPath.js:66:61:66:67 | req.url | TaintedPath.js:66:31:66:74 | require ... ).query | This path depends on a $@. | TaintedPath.js:66:61:66:67 | req.url | user-provided value | -| TaintedPath.js:67:31:67:73 | require ... ).query | TaintedPath.js:67:60:67:66 | req.url | TaintedPath.js:67:31:67:73 | require ... ).query | This path depends on a $@. | TaintedPath.js:67:60:67:66 | req.url | user-provided value | -| TaintedPath.js:75:48:75:60 | req.params[0] | TaintedPath.js:75:48:75:60 | req.params[0] | TaintedPath.js:75:48:75:60 | req.params[0] | This path depends on a $@. | TaintedPath.js:75:48:75:60 | req.params[0] | user-provided value | -| TaintedPath.js:86:28:86:48 | fs.real ... 
c(path) | TaintedPath.js:84:23:84:29 | req.url | TaintedPath.js:86:28:86:48 | fs.real ... c(path) | This path depends on a $@. | TaintedPath.js:84:23:84:29 | req.url | user-provided value | -| TaintedPath.js:89:45:89:52 | realpath | TaintedPath.js:84:23:84:29 | req.url | TaintedPath.js:89:45:89:52 | realpath | This path depends on a $@. | TaintedPath.js:84:23:84:29 | req.url | user-provided value | -| TaintedPath.js:122:23:122:26 | path | TaintedPath.js:120:23:120:29 | req.url | TaintedPath.js:122:23:122:26 | path | This path depends on a $@. | TaintedPath.js:120:23:120:29 | req.url | user-provided value | -| TaintedPath.js:128:19:128:22 | path | TaintedPath.js:126:24:126:30 | req.url | TaintedPath.js:128:19:128:22 | path | This path depends on a $@. | TaintedPath.js:126:24:126:30 | req.url | user-provided value | -| TaintedPath.js:132:19:132:33 | split.join("/") | TaintedPath.js:126:24:126:30 | req.url | TaintedPath.js:132:19:132:33 | split.join("/") | This path depends on a $@. | TaintedPath.js:126:24:126:30 | req.url | user-provided value | -| TaintedPath.js:136:19:136:26 | split[x] | TaintedPath.js:126:24:126:30 | req.url | TaintedPath.js:136:19:136:26 | split[x] | This path depends on a $@. | TaintedPath.js:126:24:126:30 | req.url | user-provided value | -| TaintedPath.js:137:19:137:35 | prefix + split[x] | TaintedPath.js:126:24:126:30 | req.url | TaintedPath.js:137:19:137:35 | prefix + split[x] | This path depends on a $@. | TaintedPath.js:126:24:126:30 | req.url | user-provided value | -| TaintedPath.js:140:19:140:37 | concatted.join("/") | TaintedPath.js:126:24:126:30 | req.url | TaintedPath.js:140:19:140:37 | concatted.join("/") | This path depends on a $@. | TaintedPath.js:126:24:126:30 | req.url | user-provided value | -| TaintedPath.js:143:19:143:38 | concatted2.join("/") | TaintedPath.js:126:24:126:30 | req.url | TaintedPath.js:143:19:143:38 | concatted2.join("/") | This path depends on a $@. 
| TaintedPath.js:126:24:126:30 | req.url | user-provided value | -| TaintedPath.js:145:19:145:29 | split.pop() | TaintedPath.js:126:24:126:30 | req.url | TaintedPath.js:145:19:145:29 | split.pop() | This path depends on a $@. | TaintedPath.js:126:24:126:30 | req.url | user-provided value | -| TaintedPath.js:154:29:154:55 | path.re ... /g, '') | TaintedPath.js:150:24:150:30 | req.url | TaintedPath.js:154:29:154:55 | path.re ... /g, '') | This path depends on a $@. | TaintedPath.js:150:24:150:30 | req.url | user-provided value | -| TaintedPath.js:160:29:160:52 | path.re ... /g, '') | TaintedPath.js:150:24:150:30 | req.url | TaintedPath.js:160:29:160:52 | path.re ... /g, '') | This path depends on a $@. | TaintedPath.js:150:24:150:30 | req.url | user-provided value | -| TaintedPath.js:161:29:161:53 | path.re ... /g, '') | TaintedPath.js:150:24:150:30 | req.url | TaintedPath.js:161:29:161:53 | path.re ... /g, '') | This path depends on a $@. | TaintedPath.js:150:24:150:30 | req.url | user-provided value | -| TaintedPath.js:162:29:162:51 | path.re ... /g, '') | TaintedPath.js:150:24:150:30 | req.url | TaintedPath.js:162:29:162:51 | path.re ... /g, '') | This path depends on a $@. | TaintedPath.js:150:24:150:30 | req.url | user-provided value | -| TaintedPath.js:163:29:163:57 | path.re ... /g, '') | TaintedPath.js:150:24:150:30 | req.url | TaintedPath.js:163:29:163:57 | path.re ... /g, '') | This path depends on a $@. | TaintedPath.js:150:24:150:30 | req.url | user-provided value | -| TaintedPath.js:178:29:178:73 | "prefix ... +/, '') | TaintedPath.js:150:24:150:30 | req.url | TaintedPath.js:178:29:178:73 | "prefix ... +/, '') | This path depends on a $@. | TaintedPath.js:150:24:150:30 | req.url | user-provided value | -| TaintedPath.js:179:29:179:84 | pathMod ... +/, '') | TaintedPath.js:150:24:150:30 | req.url | TaintedPath.js:179:29:179:84 | pathMod ... +/, '') | This path depends on a $@. 
| TaintedPath.js:150:24:150:30 | req.url | user-provided value | -| TaintedPath.js:187:29:187:49 | qs.pars ... rl).foo | TaintedPath.js:187:38:187:44 | req.url | TaintedPath.js:187:29:187:49 | qs.pars ... rl).foo | This path depends on a $@. | TaintedPath.js:187:38:187:44 | req.url | user-provided value | -| TaintedPath.js:188:29:188:63 | qs.pars ... l)).foo | TaintedPath.js:188:51:188:57 | req.url | TaintedPath.js:188:29:188:63 | qs.pars ... l)).foo | This path depends on a $@. | TaintedPath.js:188:51:188:57 | req.url | user-provided value | -| TaintedPath.js:190:29:190:55 | parseqs ... rl).foo | TaintedPath.js:190:44:190:50 | req.url | TaintedPath.js:190:29:190:55 | parseqs ... rl).foo | This path depends on a $@. | TaintedPath.js:190:44:190:50 | req.url | user-provided value | -| TaintedPath.js:196:31:196:34 | path | TaintedPath.js:195:24:195:30 | req.url | TaintedPath.js:196:31:196:34 | path | This path depends on a $@. | TaintedPath.js:195:24:195:30 | req.url | user-provided value | -| TaintedPath.js:197:45:197:48 | path | TaintedPath.js:195:24:195:30 | req.url | TaintedPath.js:197:45:197:48 | path | This path depends on a $@. | TaintedPath.js:195:24:195:30 | req.url | user-provided value | -| TaintedPath.js:198:35:198:38 | path | TaintedPath.js:195:24:195:30 | req.url | TaintedPath.js:198:35:198:38 | path | This path depends on a $@. | TaintedPath.js:195:24:195:30 | req.url | user-provided value | -| TaintedPath.js:206:29:206:85 | path.re ... '), '') | TaintedPath.js:202:24:202:30 | req.url | TaintedPath.js:206:29:206:85 | path.re ... '), '') | This path depends on a $@. | TaintedPath.js:202:24:202:30 | req.url | user-provided value | -| TaintedPath.js:213:29:213:68 | path.re ... '), '') | TaintedPath.js:211:24:211:30 | req.url | TaintedPath.js:213:29:213:68 | path.re ... '), '') | This path depends on a $@. | TaintedPath.js:211:24:211:30 | req.url | user-provided value | -| TaintedPath.js:216:31:216:69 | path.re ... 
'), '') | TaintedPath.js:211:24:211:30 | req.url | TaintedPath.js:216:31:216:69 | path.re ... '), '') | This path depends on a $@. | TaintedPath.js:211:24:211:30 | req.url | user-provided value | -| examples/TaintedPath.js:11:29:11:43 | ROOT + filePath | examples/TaintedPath.js:8:28:8:34 | req.url | examples/TaintedPath.js:11:29:11:43 | ROOT + filePath | This path depends on a $@. | examples/TaintedPath.js:8:28:8:34 | req.url | user-provided value | -| express.js:8:20:8:32 | req.query.bar | express.js:8:20:8:32 | req.query.bar | express.js:8:20:8:32 | req.query.bar | This path depends on a $@. | express.js:8:20:8:32 | req.query.bar | user-provided value | -| handlebars.js:11:32:11:39 | filePath | handlebars.js:29:46:29:60 | req.params.path | handlebars.js:11:32:11:39 | filePath | This path depends on a $@. | handlebars.js:29:46:29:60 | req.params.path | user-provided value | -| handlebars.js:15:25:15:32 | filePath | handlebars.js:43:15:43:29 | req.params.path | handlebars.js:15:25:15:32 | filePath | This path depends on a $@. | handlebars.js:43:15:43:29 | req.params.path | user-provided value | -| normalizedPaths.js:13:19:13:22 | path | normalizedPaths.js:11:14:11:27 | req.query.path | normalizedPaths.js:13:19:13:22 | path | This path depends on a $@. | normalizedPaths.js:11:14:11:27 | req.query.path | user-provided value | -| normalizedPaths.js:14:19:14:29 | './' + path | normalizedPaths.js:11:14:11:27 | req.query.path | normalizedPaths.js:14:19:14:29 | './' + path | This path depends on a $@. | normalizedPaths.js:11:14:11:27 | req.query.path | user-provided value | -| normalizedPaths.js:15:19:15:38 | path + '/index.html' | normalizedPaths.js:11:14:11:27 | req.query.path | normalizedPaths.js:15:19:15:38 | path + '/index.html' | This path depends on a $@. | normalizedPaths.js:11:14:11:27 | req.query.path | user-provided value | -| normalizedPaths.js:16:19:16:53 | pathMod ... 
.html') | normalizedPaths.js:11:14:11:27 | req.query.path | normalizedPaths.js:16:19:16:53 | pathMod ... .html') | This path depends on a $@. | normalizedPaths.js:11:14:11:27 | req.query.path | user-provided value | -| normalizedPaths.js:17:19:17:57 | pathMod ... , path) | normalizedPaths.js:11:14:11:27 | req.query.path | normalizedPaths.js:17:19:17:57 | pathMod ... , path) | This path depends on a $@. | normalizedPaths.js:11:14:11:27 | req.query.path | user-provided value | -| normalizedPaths.js:23:19:23:22 | path | normalizedPaths.js:21:35:21:48 | req.query.path | normalizedPaths.js:23:19:23:22 | path | This path depends on a $@. | normalizedPaths.js:21:35:21:48 | req.query.path | user-provided value | -| normalizedPaths.js:24:19:24:29 | './' + path | normalizedPaths.js:21:35:21:48 | req.query.path | normalizedPaths.js:24:19:24:29 | './' + path | This path depends on a $@. | normalizedPaths.js:21:35:21:48 | req.query.path | user-provided value | -| normalizedPaths.js:25:19:25:38 | path + '/index.html' | normalizedPaths.js:21:35:21:48 | req.query.path | normalizedPaths.js:25:19:25:38 | path + '/index.html' | This path depends on a $@. | normalizedPaths.js:21:35:21:48 | req.query.path | user-provided value | -| normalizedPaths.js:26:19:26:53 | pathMod ... .html') | normalizedPaths.js:21:35:21:48 | req.query.path | normalizedPaths.js:26:19:26:53 | pathMod ... .html') | This path depends on a $@. | normalizedPaths.js:21:35:21:48 | req.query.path | user-provided value | -| normalizedPaths.js:27:19:27:57 | pathMod ... , path) | normalizedPaths.js:21:35:21:48 | req.query.path | normalizedPaths.js:27:19:27:57 | pathMod ... , path) | This path depends on a $@. | normalizedPaths.js:21:35:21:48 | req.query.path | user-provided value | -| normalizedPaths.js:36:19:36:22 | path | normalizedPaths.js:31:35:31:48 | req.query.path | normalizedPaths.js:36:19:36:22 | path | This path depends on a $@. 
| normalizedPaths.js:31:35:31:48 | req.query.path | user-provided value | -| normalizedPaths.js:41:21:41:24 | path | normalizedPaths.js:31:35:31:48 | req.query.path | normalizedPaths.js:41:21:41:24 | path | This path depends on a $@. | normalizedPaths.js:31:35:31:48 | req.query.path | user-provided value | -| normalizedPaths.js:59:19:59:22 | path | normalizedPaths.js:54:35:54:48 | req.query.path | normalizedPaths.js:59:19:59:22 | path | This path depends on a $@. | normalizedPaths.js:54:35:54:48 | req.query.path | user-provided value | -| normalizedPaths.js:63:19:63:38 | path + "/index.html" | normalizedPaths.js:54:35:54:48 | req.query.path | normalizedPaths.js:63:19:63:38 | path + "/index.html" | This path depends on a $@. | normalizedPaths.js:54:35:54:48 | req.query.path | user-provided value | -| normalizedPaths.js:68:21:68:24 | path | normalizedPaths.js:54:35:54:48 | req.query.path | normalizedPaths.js:68:21:68:24 | path | This path depends on a $@. | normalizedPaths.js:54:35:54:48 | req.query.path | user-provided value | -| normalizedPaths.js:78:22:78:25 | path | normalizedPaths.js:73:42:73:55 | req.query.path | normalizedPaths.js:78:22:78:25 | path | This path depends on a $@. | normalizedPaths.js:73:42:73:55 | req.query.path | user-provided value | -| normalizedPaths.js:87:29:87:32 | path | normalizedPaths.js:82:14:82:27 | req.query.path | normalizedPaths.js:87:29:87:32 | path | This path depends on a $@. | normalizedPaths.js:82:14:82:27 | req.query.path | user-provided value | -| normalizedPaths.js:90:31:90:34 | path | normalizedPaths.js:82:14:82:27 | req.query.path | normalizedPaths.js:90:31:90:34 | path | This path depends on a $@. | normalizedPaths.js:82:14:82:27 | req.query.path | user-provided value | -| normalizedPaths.js:99:29:99:32 | path | normalizedPaths.js:94:35:94:48 | req.query.path | normalizedPaths.js:99:29:99:32 | path | This path depends on a $@. 
| normalizedPaths.js:94:35:94:48 | req.query.path | user-provided value | -| normalizedPaths.js:119:19:119:22 | path | normalizedPaths.js:117:30:117:43 | req.query.path | normalizedPaths.js:119:19:119:22 | path | This path depends on a $@. | normalizedPaths.js:117:30:117:43 | req.query.path | user-provided value | -| normalizedPaths.js:120:19:120:53 | pathMod ... .html') | normalizedPaths.js:117:30:117:43 | req.query.path | normalizedPaths.js:120:19:120:53 | pathMod ... .html') | This path depends on a $@. | normalizedPaths.js:117:30:117:43 | req.query.path | user-provided value | -| normalizedPaths.js:135:21:135:24 | path | normalizedPaths.js:130:35:130:48 | req.query.path | normalizedPaths.js:135:21:135:24 | path | This path depends on a $@. | normalizedPaths.js:130:35:130:48 | req.query.path | user-provided value | -| normalizedPaths.js:144:21:144:24 | path | normalizedPaths.js:139:48:139:61 | req.query.path | normalizedPaths.js:144:21:144:24 | path | This path depends on a $@. | normalizedPaths.js:139:48:139:61 | req.query.path | user-provided value | -| normalizedPaths.js:151:21:151:24 | path | normalizedPaths.js:148:44:148:57 | req.query.path | normalizedPaths.js:151:21:151:24 | path | This path depends on a $@. | normalizedPaths.js:148:44:148:57 | req.query.path | user-provided value | -| normalizedPaths.js:153:21:153:24 | path | normalizedPaths.js:148:44:148:57 | req.query.path | normalizedPaths.js:153:21:153:24 | path | This path depends on a $@. | normalizedPaths.js:148:44:148:57 | req.query.path | user-provided value | -| normalizedPaths.js:165:19:165:22 | path | normalizedPaths.js:160:35:160:48 | req.query.path | normalizedPaths.js:165:19:165:22 | path | This path depends on a $@. | normalizedPaths.js:160:35:160:48 | req.query.path | user-provided value | -| normalizedPaths.js:170:21:170:24 | path | normalizedPaths.js:160:35:160:48 | req.query.path | normalizedPaths.js:170:21:170:24 | path | This path depends on a $@. 
| normalizedPaths.js:160:35:160:48 | req.query.path | user-provided value | -| normalizedPaths.js:184:19:184:22 | path | normalizedPaths.js:174:14:174:27 | req.query.path | normalizedPaths.js:184:19:184:22 | path | This path depends on a $@. | normalizedPaths.js:174:14:174:27 | req.query.path | user-provided value | -| normalizedPaths.js:187:21:187:24 | path | normalizedPaths.js:174:14:174:27 | req.query.path | normalizedPaths.js:187:21:187:24 | path | This path depends on a $@. | normalizedPaths.js:174:14:174:27 | req.query.path | user-provided value | -| normalizedPaths.js:189:21:189:24 | path | normalizedPaths.js:174:14:174:27 | req.query.path | normalizedPaths.js:189:21:189:24 | path | This path depends on a $@. | normalizedPaths.js:174:14:174:27 | req.query.path | user-provided value | -| normalizedPaths.js:192:21:192:24 | path | normalizedPaths.js:174:14:174:27 | req.query.path | normalizedPaths.js:192:21:192:24 | path | This path depends on a $@. | normalizedPaths.js:174:14:174:27 | req.query.path | user-provided value | -| normalizedPaths.js:194:21:194:24 | path | normalizedPaths.js:174:14:174:27 | req.query.path | normalizedPaths.js:194:21:194:24 | path | This path depends on a $@. | normalizedPaths.js:174:14:174:27 | req.query.path | user-provided value | -| normalizedPaths.js:199:21:199:24 | path | normalizedPaths.js:174:14:174:27 | req.query.path | normalizedPaths.js:199:21:199:24 | path | This path depends on a $@. | normalizedPaths.js:174:14:174:27 | req.query.path | user-provided value | -| normalizedPaths.js:205:21:205:34 | normalizedPath | normalizedPaths.js:174:14:174:27 | req.query.path | normalizedPaths.js:205:21:205:34 | normalizedPath | This path depends on a $@. | normalizedPaths.js:174:14:174:27 | req.query.path | user-provided value | -| normalizedPaths.js:208:21:208:34 | normalizedPath | normalizedPaths.js:174:14:174:27 | req.query.path | normalizedPaths.js:208:21:208:34 | normalizedPath | This path depends on a $@. 
| normalizedPaths.js:174:14:174:27 | req.query.path | user-provided value | -| normalizedPaths.js:210:21:210:34 | normalizedPath | normalizedPaths.js:174:14:174:27 | req.query.path | normalizedPaths.js:210:21:210:34 | normalizedPath | This path depends on a $@. | normalizedPaths.js:174:14:174:27 | req.query.path | user-provided value | -| normalizedPaths.js:222:21:222:24 | path | normalizedPaths.js:214:35:214:48 | req.query.path | normalizedPaths.js:222:21:222:24 | path | This path depends on a $@. | normalizedPaths.js:214:35:214:48 | req.query.path | user-provided value | -| normalizedPaths.js:228:21:228:24 | path | normalizedPaths.js:226:35:226:48 | req.query.path | normalizedPaths.js:228:21:228:24 | path | This path depends on a $@. | normalizedPaths.js:226:35:226:48 | req.query.path | user-provided value | -| normalizedPaths.js:238:19:238:22 | path | normalizedPaths.js:236:33:236:46 | req.query.path | normalizedPaths.js:238:19:238:22 | path | This path depends on a $@. | normalizedPaths.js:236:33:236:46 | req.query.path | user-provided value | -| normalizedPaths.js:245:21:245:24 | path | normalizedPaths.js:236:33:236:46 | req.query.path | normalizedPaths.js:245:21:245:24 | path | This path depends on a $@. | normalizedPaths.js:236:33:236:46 | req.query.path | user-provided value | -| normalizedPaths.js:250:21:250:24 | path | normalizedPaths.js:236:33:236:46 | req.query.path | normalizedPaths.js:250:21:250:24 | path | This path depends on a $@. | normalizedPaths.js:236:33:236:46 | req.query.path | user-provided value | -| normalizedPaths.js:256:19:256:22 | path | normalizedPaths.js:254:33:254:46 | req.query.path | normalizedPaths.js:256:19:256:22 | path | This path depends on a $@. | normalizedPaths.js:254:33:254:46 | req.query.path | user-provided value | -| normalizedPaths.js:262:21:262:24 | path | normalizedPaths.js:254:33:254:46 | req.query.path | normalizedPaths.js:262:21:262:24 | path | This path depends on a $@. 
| normalizedPaths.js:254:33:254:46 | req.query.path | user-provided value | -| normalizedPaths.js:270:21:270:27 | newpath | normalizedPaths.js:254:33:254:46 | req.query.path | normalizedPaths.js:270:21:270:27 | newpath | This path depends on a $@. | normalizedPaths.js:254:33:254:46 | req.query.path | user-provided value | -| normalizedPaths.js:278:21:278:27 | newpath | normalizedPaths.js:254:33:254:46 | req.query.path | normalizedPaths.js:278:21:278:27 | newpath | This path depends on a $@. | normalizedPaths.js:254:33:254:46 | req.query.path | user-provided value | -| normalizedPaths.js:286:21:286:27 | newpath | normalizedPaths.js:254:33:254:46 | req.query.path | normalizedPaths.js:286:21:286:27 | newpath | This path depends on a $@. | normalizedPaths.js:254:33:254:46 | req.query.path | user-provided value | -| normalizedPaths.js:296:21:296:27 | newpath | normalizedPaths.js:254:33:254:46 | req.query.path | normalizedPaths.js:296:21:296:27 | newpath | This path depends on a $@. | normalizedPaths.js:254:33:254:46 | req.query.path | user-provided value | -| normalizedPaths.js:304:18:304:21 | path | normalizedPaths.js:303:13:303:26 | req.query.path | normalizedPaths.js:304:18:304:21 | path | This path depends on a $@. | normalizedPaths.js:303:13:303:26 | req.query.path | user-provided value | -| normalizedPaths.js:309:19:309:22 | path | normalizedPaths.js:303:13:303:26 | req.query.path | normalizedPaths.js:309:19:309:22 | path | This path depends on a $@. | normalizedPaths.js:303:13:303:26 | req.query.path | user-provided value | -| normalizedPaths.js:313:19:313:22 | path | normalizedPaths.js:303:13:303:26 | req.query.path | normalizedPaths.js:313:19:313:22 | path | This path depends on a $@. | normalizedPaths.js:303:13:303:26 | req.query.path | user-provided value | -| normalizedPaths.js:316:19:316:22 | path | normalizedPaths.js:303:13:303:26 | req.query.path | normalizedPaths.js:316:19:316:22 | path | This path depends on a $@. 
| normalizedPaths.js:303:13:303:26 | req.query.path | user-provided value | -| normalizedPaths.js:325:19:325:32 | normalizedPath | normalizedPaths.js:303:13:303:26 | req.query.path | normalizedPaths.js:325:19:325:32 | normalizedPath | This path depends on a $@. | normalizedPaths.js:303:13:303:26 | req.query.path | user-provided value | -| normalizedPaths.js:332:19:332:32 | normalizedPath | normalizedPaths.js:303:13:303:26 | req.query.path | normalizedPaths.js:332:19:332:32 | normalizedPath | This path depends on a $@. | normalizedPaths.js:303:13:303:26 | req.query.path | user-provided value | -| normalizedPaths.js:341:18:341:21 | path | normalizedPaths.js:339:32:339:45 | req.query.path | normalizedPaths.js:341:18:341:21 | path | This path depends on a $@. | normalizedPaths.js:339:32:339:45 | req.query.path | user-provided value | -| normalizedPaths.js:346:19:346:22 | path | normalizedPaths.js:339:32:339:45 | req.query.path | normalizedPaths.js:346:19:346:22 | path | This path depends on a $@. | normalizedPaths.js:339:32:339:45 | req.query.path | user-provided value | -| normalizedPaths.js:356:19:356:22 | path | normalizedPaths.js:354:14:354:27 | req.query.path | normalizedPaths.js:356:19:356:22 | path | This path depends on a $@. | normalizedPaths.js:354:14:354:27 | req.query.path | user-provided value | -| normalizedPaths.js:363:21:363:31 | requestPath | normalizedPaths.js:354:14:354:27 | req.query.path | normalizedPaths.js:363:21:363:31 | requestPath | This path depends on a $@. | normalizedPaths.js:354:14:354:27 | req.query.path | user-provided value | -| normalizedPaths.js:379:19:379:22 | path | normalizedPaths.js:377:14:377:27 | req.query.path | normalizedPaths.js:379:19:379:22 | path | This path depends on a $@. 
| normalizedPaths.js:377:14:377:27 | req.query.path | user-provided value | -| normalizedPaths.js:381:19:381:29 | slash(path) | normalizedPaths.js:377:14:377:27 | req.query.path | normalizedPaths.js:381:19:381:29 | slash(path) | This path depends on a $@. | normalizedPaths.js:377:14:377:27 | req.query.path | user-provided value | -| normalizedPaths.js:388:19:388:22 | path | normalizedPaths.js:385:35:385:45 | req.query.x | normalizedPaths.js:388:19:388:22 | path | This path depends on a $@. | normalizedPaths.js:385:35:385:45 | req.query.x | user-provided value | -| normalizedPaths.js:399:21:399:24 | path | normalizedPaths.js:385:35:385:45 | req.query.x | normalizedPaths.js:399:21:399:24 | path | This path depends on a $@. | normalizedPaths.js:385:35:385:45 | req.query.x | user-provided value | -| normalizedPaths.js:407:19:407:67 | pathMod ... t('/')) | normalizedPaths.js:407:45:407:55 | req.query.x | normalizedPaths.js:407:19:407:67 | pathMod ... t('/')) | This path depends on a $@. | normalizedPaths.js:407:45:407:55 | req.query.x | user-provided value | -| normalizedPaths.js:408:19:408:60 | pathMod ... t('/')) | normalizedPaths.js:408:38:408:48 | req.query.x | normalizedPaths.js:408:19:408:60 | pathMod ... t('/')) | This path depends on a $@. | normalizedPaths.js:408:38:408:48 | req.query.x | user-provided value | -| normalizedPaths.js:415:19:415:22 | path | normalizedPaths.js:412:35:412:45 | req.query.x | normalizedPaths.js:415:19:415:22 | path | This path depends on a $@. | normalizedPaths.js:412:35:412:45 | req.query.x | user-provided value | -| normalizedPaths.js:426:21:426:24 | path | normalizedPaths.js:412:35:412:45 | req.query.x | normalizedPaths.js:426:21:426:24 | path | This path depends on a $@. | normalizedPaths.js:412:35:412:45 | req.query.x | user-provided value | -| other-fs-libraries.js:11:19:11:22 | path | other-fs-libraries.js:9:24:9:30 | req.url | other-fs-libraries.js:11:19:11:22 | path | This path depends on a $@. 
| other-fs-libraries.js:9:24:9:30 | req.url | user-provided value | -| other-fs-libraries.js:12:27:12:30 | path | other-fs-libraries.js:9:24:9:30 | req.url | other-fs-libraries.js:12:27:12:30 | path | This path depends on a $@. | other-fs-libraries.js:9:24:9:30 | req.url | user-provided value | -| other-fs-libraries.js:13:24:13:27 | path | other-fs-libraries.js:9:24:9:30 | req.url | other-fs-libraries.js:13:24:13:27 | path | This path depends on a $@. | other-fs-libraries.js:9:24:9:30 | req.url | user-provided value | -| other-fs-libraries.js:14:27:14:30 | path | other-fs-libraries.js:9:24:9:30 | req.url | other-fs-libraries.js:14:27:14:30 | path | This path depends on a $@. | other-fs-libraries.js:9:24:9:30 | req.url | user-provided value | -| other-fs-libraries.js:16:34:16:37 | path | other-fs-libraries.js:9:24:9:30 | req.url | other-fs-libraries.js:16:34:16:37 | path | This path depends on a $@. | other-fs-libraries.js:9:24:9:30 | req.url | user-provided value | -| other-fs-libraries.js:17:35:17:38 | path | other-fs-libraries.js:9:24:9:30 | req.url | other-fs-libraries.js:17:35:17:38 | path | This path depends on a $@. | other-fs-libraries.js:9:24:9:30 | req.url | user-provided value | -| other-fs-libraries.js:19:56:19:59 | path | other-fs-libraries.js:9:24:9:30 | req.url | other-fs-libraries.js:19:56:19:59 | path | This path depends on a $@. | other-fs-libraries.js:9:24:9:30 | req.url | user-provided value | -| other-fs-libraries.js:24:35:24:38 | path | other-fs-libraries.js:9:24:9:30 | req.url | other-fs-libraries.js:24:35:24:38 | path | This path depends on a $@. | other-fs-libraries.js:9:24:9:30 | req.url | user-provided value | -| other-fs-libraries.js:40:35:40:38 | path | other-fs-libraries.js:38:24:38:30 | req.url | other-fs-libraries.js:40:35:40:38 | path | This path depends on a $@. 
| other-fs-libraries.js:38:24:38:30 | req.url | user-provided value | -| other-fs-libraries.js:41:50:41:53 | path | other-fs-libraries.js:38:24:38:30 | req.url | other-fs-libraries.js:41:50:41:53 | path | This path depends on a $@. | other-fs-libraries.js:38:24:38:30 | req.url | user-provided value | -| other-fs-libraries.js:42:53:42:56 | path | other-fs-libraries.js:38:24:38:30 | req.url | other-fs-libraries.js:42:53:42:56 | path | This path depends on a $@. | other-fs-libraries.js:38:24:38:30 | req.url | user-provided value | -| other-fs-libraries.js:51:19:51:22 | path | other-fs-libraries.js:49:24:49:30 | req.url | other-fs-libraries.js:51:19:51:22 | path | This path depends on a $@. | other-fs-libraries.js:49:24:49:30 | req.url | user-provided value | -| other-fs-libraries.js:52:24:52:27 | path | other-fs-libraries.js:49:24:49:30 | req.url | other-fs-libraries.js:52:24:52:27 | path | This path depends on a $@. | other-fs-libraries.js:49:24:49:30 | req.url | user-provided value | -| other-fs-libraries.js:54:36:54:39 | path | other-fs-libraries.js:49:24:49:30 | req.url | other-fs-libraries.js:54:36:54:39 | path | This path depends on a $@. | other-fs-libraries.js:49:24:49:30 | req.url | user-provided value | -| other-fs-libraries.js:55:36:55:39 | path | other-fs-libraries.js:49:24:49:30 | req.url | other-fs-libraries.js:55:36:55:39 | path | This path depends on a $@. | other-fs-libraries.js:49:24:49:30 | req.url | user-provided value | -| other-fs-libraries.js:57:46:57:49 | path | other-fs-libraries.js:49:24:49:30 | req.url | other-fs-libraries.js:57:46:57:49 | path | This path depends on a $@. | other-fs-libraries.js:49:24:49:30 | req.url | user-provided value | -| other-fs-libraries.js:59:39:59:42 | path | other-fs-libraries.js:49:24:49:30 | req.url | other-fs-libraries.js:59:39:59:42 | path | This path depends on a $@. 
| other-fs-libraries.js:49:24:49:30 | req.url | user-provided value | -| other-fs-libraries.js:62:43:62:46 | path | other-fs-libraries.js:49:24:49:30 | req.url | other-fs-libraries.js:62:43:62:46 | path | This path depends on a $@. | other-fs-libraries.js:49:24:49:30 | req.url | user-provided value | -| other-fs-libraries.js:63:51:63:54 | path | other-fs-libraries.js:49:24:49:30 | req.url | other-fs-libraries.js:63:51:63:54 | path | This path depends on a $@. | other-fs-libraries.js:49:24:49:30 | req.url | user-provided value | -| other-fs-libraries.js:70:19:70:22 | path | other-fs-libraries.js:68:24:68:30 | req.url | other-fs-libraries.js:70:19:70:22 | path | This path depends on a $@. | other-fs-libraries.js:68:24:68:30 | req.url | user-provided value | -| other-fs-libraries.js:71:10:71:13 | path | other-fs-libraries.js:68:24:68:30 | req.url | other-fs-libraries.js:71:10:71:13 | path | This path depends on a $@. | other-fs-libraries.js:68:24:68:30 | req.url | user-provided value | -| other-fs-libraries.js:72:15:72:18 | path | other-fs-libraries.js:68:24:68:30 | req.url | other-fs-libraries.js:72:15:72:18 | path | This path depends on a $@. | other-fs-libraries.js:68:24:68:30 | req.url | user-provided value | -| other-fs-libraries.js:76:19:76:19 | x | other-fs-libraries.js:68:24:68:30 | req.url | other-fs-libraries.js:76:19:76:19 | x | This path depends on a $@. | other-fs-libraries.js:68:24:68:30 | req.url | user-provided value | -| other-fs-libraries.js:83:16:83:19 | path | other-fs-libraries.js:81:24:81:30 | req.url | other-fs-libraries.js:83:16:83:19 | path | This path depends on a $@. | other-fs-libraries.js:81:24:81:30 | req.url | user-provided value | -| prettier.js:7:28:7:28 | p | prettier.js:6:13:6:13 | p | prettier.js:7:28:7:28 | p | This path depends on a $@. | prettier.js:6:13:6:13 | p | user-provided value | -| prettier.js:11:44:11:44 | p | prettier.js:6:13:6:13 | p | prettier.js:11:44:11:44 | p | This path depends on a $@. 
| prettier.js:6:13:6:13 | p | user-provided value | -| pupeteer.js:9:28:9:34 | tainted | pupeteer.js:5:28:5:53 | parseTo ... t).name | pupeteer.js:9:28:9:34 | tainted | This path depends on a $@. | pupeteer.js:5:28:5:53 | parseTo ... t).name | user-provided value | -| pupeteer.js:13:37:13:43 | tainted | pupeteer.js:5:28:5:53 | parseTo ... t).name | pupeteer.js:13:37:13:43 | tainted | This path depends on a $@. | pupeteer.js:5:28:5:53 | parseTo ... t).name | user-provided value | -| sharedlib-repro.js:22:18:22:25 | filepath | sharedlib-repro.js:13:22:13:43 | req.par ... spaceId | sharedlib-repro.js:22:18:22:25 | filepath | This path depends on a $@. | sharedlib-repro.js:13:22:13:43 | req.par ... spaceId | user-provided value | -| tainted-access-paths.js:8:19:8:22 | path | tainted-access-paths.js:6:24:6:30 | req.url | tainted-access-paths.js:8:19:8:22 | path | This path depends on a $@. | tainted-access-paths.js:6:24:6:30 | req.url | user-provided value | -| tainted-access-paths.js:12:19:12:25 | obj.sub | tainted-access-paths.js:6:24:6:30 | req.url | tainted-access-paths.js:12:19:12:25 | obj.sub | This path depends on a $@. | tainted-access-paths.js:6:24:6:30 | req.url | user-provided value | -| tainted-access-paths.js:26:19:26:26 | obj.sub3 | tainted-access-paths.js:6:24:6:30 | req.url | tainted-access-paths.js:26:19:26:26 | obj.sub3 | This path depends on a $@. | tainted-access-paths.js:6:24:6:30 | req.url | user-provided value | -| tainted-access-paths.js:29:21:29:28 | obj.sub4 | tainted-access-paths.js:6:24:6:30 | req.url | tainted-access-paths.js:29:21:29:28 | obj.sub4 | This path depends on a $@. | tainted-access-paths.js:6:24:6:30 | req.url | user-provided value | -| tainted-access-paths.js:30:23:30:30 | obj.sub4 | tainted-access-paths.js:6:24:6:30 | req.url | tainted-access-paths.js:30:23:30:30 | obj.sub4 | This path depends on a $@. 
| tainted-access-paths.js:6:24:6:30 | req.url | user-provided value | -| tainted-access-paths.js:31:23:31:30 | obj.sub4 | tainted-access-paths.js:6:24:6:30 | req.url | tainted-access-paths.js:31:23:31:30 | obj.sub4 | This path depends on a $@. | tainted-access-paths.js:6:24:6:30 | req.url | user-provided value | -| tainted-access-paths.js:40:23:40:26 | path | tainted-access-paths.js:39:24:39:30 | req.url | tainted-access-paths.js:40:23:40:26 | path | This path depends on a $@. | tainted-access-paths.js:39:24:39:30 | req.url | user-provided value | -| tainted-access-paths.js:49:10:49:13 | path | tainted-access-paths.js:48:24:48:30 | req.url | tainted-access-paths.js:49:10:49:13 | path | This path depends on a $@. | tainted-access-paths.js:48:24:48:30 | req.url | user-provided value | -| tainted-promise-steps.js:11:19:11:35 | await pathPromise | tainted-promise-steps.js:6:24:6:30 | req.url | tainted-promise-steps.js:11:19:11:35 | await pathPromise | This path depends on a $@. | tainted-promise-steps.js:6:24:6:30 | req.url | user-provided value | -| tainted-promise-steps.js:12:44:12:47 | path | tainted-promise-steps.js:6:24:6:30 | req.url | tainted-promise-steps.js:12:44:12:47 | path | This path depends on a $@. | tainted-promise-steps.js:6:24:6:30 | req.url | user-provided value | -| tainted-require.js:7:19:7:37 | req.param("module") | tainted-require.js:7:19:7:37 | req.param("module") | tainted-require.js:7:19:7:37 | req.param("module") | This path depends on a $@. | tainted-require.js:7:19:7:37 | req.param("module") | user-provided value | -| tainted-require.js:12:29:12:47 | req.param("module") | tainted-require.js:12:29:12:47 | req.param("module") | tainted-require.js:12:29:12:47 | req.param("module") | This path depends on a $@. 
| tainted-require.js:12:29:12:47 | req.param("module") | user-provided value | -| tainted-require.js:14:11:14:29 | req.param("module") | tainted-require.js:14:11:14:29 | req.param("module") | tainted-require.js:14:11:14:29 | req.param("module") | This path depends on a $@. | tainted-require.js:14:11:14:29 | req.param("module") | user-provided value | -| tainted-sendFile.js:8:16:8:33 | req.param("gimme") | tainted-sendFile.js:8:16:8:33 | req.param("gimme") | tainted-sendFile.js:8:16:8:33 | req.param("gimme") | This path depends on a $@. | tainted-sendFile.js:8:16:8:33 | req.param("gimme") | user-provided value | -| tainted-sendFile.js:10:16:10:33 | req.param("gimme") | tainted-sendFile.js:10:16:10:33 | req.param("gimme") | tainted-sendFile.js:10:16:10:33 | req.param("gimme") | This path depends on a $@. | tainted-sendFile.js:10:16:10:33 | req.param("gimme") | user-provided value | -| tainted-sendFile.js:18:43:18:58 | req.param("dir") | tainted-sendFile.js:18:43:18:58 | req.param("dir") | tainted-sendFile.js:18:43:18:58 | req.param("dir") | This path depends on a $@. | tainted-sendFile.js:18:43:18:58 | req.param("dir") | user-provided value | -| tainted-sendFile.js:24:16:24:49 | path.re ... rams.x) | tainted-sendFile.js:24:37:24:48 | req.params.x | tainted-sendFile.js:24:16:24:49 | path.re ... rams.x) | This path depends on a $@. | tainted-sendFile.js:24:37:24:48 | req.params.x | user-provided value | -| tainted-sendFile.js:25:16:25:46 | path.jo ... rams.x) | tainted-sendFile.js:25:34:25:45 | req.params.x | tainted-sendFile.js:25:16:25:46 | path.jo ... rams.x) | This path depends on a $@. | tainted-sendFile.js:25:34:25:45 | req.params.x | user-provided value | -| tainted-string-steps.js:8:18:8:34 | path.substring(4) | tainted-string-steps.js:6:24:6:30 | req.url | tainted-string-steps.js:8:18:8:34 | path.substring(4) | This path depends on a $@. 
| tainted-string-steps.js:6:24:6:30 | req.url | user-provided value | -| tainted-string-steps.js:9:18:9:37 | path.substring(0, i) | tainted-string-steps.js:6:24:6:30 | req.url | tainted-string-steps.js:9:18:9:37 | path.substring(0, i) | This path depends on a $@. | tainted-string-steps.js:6:24:6:30 | req.url | user-provided value | -| tainted-string-steps.js:10:18:10:31 | path.substr(4) | tainted-string-steps.js:6:24:6:30 | req.url | tainted-string-steps.js:10:18:10:31 | path.substr(4) | This path depends on a $@. | tainted-string-steps.js:6:24:6:30 | req.url | user-provided value | -| tainted-string-steps.js:11:18:11:30 | path.slice(4) | tainted-string-steps.js:6:24:6:30 | req.url | tainted-string-steps.js:11:18:11:30 | path.slice(4) | This path depends on a $@. | tainted-string-steps.js:6:24:6:30 | req.url | user-provided value | -| tainted-string-steps.js:13:18:13:37 | path.concat(unknown) | tainted-string-steps.js:6:24:6:30 | req.url | tainted-string-steps.js:13:18:13:37 | path.concat(unknown) | This path depends on a $@. | tainted-string-steps.js:6:24:6:30 | req.url | user-provided value | -| tainted-string-steps.js:14:18:14:37 | unknown.concat(path) | tainted-string-steps.js:6:24:6:30 | req.url | tainted-string-steps.js:14:18:14:37 | unknown.concat(path) | This path depends on a $@. | tainted-string-steps.js:6:24:6:30 | req.url | user-provided value | -| tainted-string-steps.js:15:18:15:46 | unknown ... , path) | tainted-string-steps.js:6:24:6:30 | req.url | tainted-string-steps.js:15:18:15:46 | unknown ... , path) | This path depends on a $@. | tainted-string-steps.js:6:24:6:30 | req.url | user-provided value | -| tainted-string-steps.js:17:18:17:28 | path.trim() | tainted-string-steps.js:6:24:6:30 | req.url | tainted-string-steps.js:17:18:17:28 | path.trim() | This path depends on a $@. 
| tainted-string-steps.js:6:24:6:30 | req.url | user-provided value | -| tainted-string-steps.js:18:18:18:35 | path.toLowerCase() | tainted-string-steps.js:6:24:6:30 | req.url | tainted-string-steps.js:18:18:18:35 | path.toLowerCase() | This path depends on a $@. | tainted-string-steps.js:6:24:6:30 | req.url | user-provided value | -| tainted-string-steps.js:22:18:22:35 | path.split('/')[i] | tainted-string-steps.js:6:24:6:30 | req.url | tainted-string-steps.js:22:18:22:35 | path.split('/')[i] | This path depends on a $@. | tainted-string-steps.js:6:24:6:30 | req.url | user-provided value | -| tainted-string-steps.js:23:18:23:36 | path.split(/\\//)[i] | tainted-string-steps.js:6:24:6:30 | req.url | tainted-string-steps.js:23:18:23:36 | path.split(/\\//)[i] | This path depends on a $@. | tainted-string-steps.js:6:24:6:30 | req.url | user-provided value | -| tainted-string-steps.js:24:18:24:35 | path.split("?")[0] | tainted-string-steps.js:6:24:6:30 | req.url | tainted-string-steps.js:24:18:24:35 | path.split("?")[0] | This path depends on a $@. | tainted-string-steps.js:6:24:6:30 | req.url | user-provided value | -| tainted-string-steps.js:26:18:26:45 | path.sp ... hatever | tainted-string-steps.js:6:24:6:30 | req.url | tainted-string-steps.js:26:18:26:45 | path.sp ... hatever | This path depends on a $@. | tainted-string-steps.js:6:24:6:30 | req.url | user-provided value | -| tainted-string-steps.js:27:18:27:36 | path.split(unknown) | tainted-string-steps.js:6:24:6:30 | req.url | tainted-string-steps.js:27:18:27:36 | path.split(unknown) | This path depends on a $@. | tainted-string-steps.js:6:24:6:30 | req.url | user-provided value | -| torrents.js:7:25:7:27 | loc | torrents.js:5:13:5:38 | parseTo ... t).name | torrents.js:7:25:7:27 | loc | This path depends on a $@. | torrents.js:5:13:5:38 | parseTo ... 
t).name | user-provided value | -| typescript.ts:12:29:12:32 | path | typescript.ts:9:24:9:30 | req.url | typescript.ts:12:29:12:32 | path | This path depends on a $@. | typescript.ts:9:24:9:30 | req.url | user-provided value | -| typescript.ts:21:39:21:43 | path3 | typescript.ts:9:24:9:30 | req.url | typescript.ts:21:39:21:43 | path3 | This path depends on a $@. | typescript.ts:9:24:9:30 | req.url | user-provided value | -| typescript.ts:24:39:24:43 | path4 | typescript.ts:9:24:9:30 | req.url | typescript.ts:24:39:24:43 | path4 | This path depends on a $@. | typescript.ts:9:24:9:30 | req.url | user-provided value | -| typescript.ts:32:29:32:33 | path6 | typescript.ts:9:24:9:30 | req.url | typescript.ts:32:29:32:33 | path6 | This path depends on a $@. | typescript.ts:9:24:9:30 | req.url | user-provided value | -| views.js:1:43:1:55 | req.params[0] | views.js:1:43:1:55 | req.params[0] | views.js:1:43:1:55 | req.params[0] | This path depends on a $@. | views.js:1:43:1:55 | req.params[0] | user-provided value | +testFailures +| TaintedPath-es6.js:7:20:7:26 | req.url | Unexpected result: Source | +| TaintedPath.js:9:24:9:30 | req.url | Unexpected result: Source | +| TaintedPath.js:36:20:36:26 | req.url | Unexpected result: Source | +| TaintedPath.js:54:63:54:69 | req.url | Unexpected result: Source | +| TaintedPath.js:55:61:55:67 | req.url | Unexpected result: Source | +| TaintedPath.js:56:60:56:66 | req.url | Unexpected result: Source | +| TaintedPath.js:64:48:64:60 | req.params[0] | Unexpected result: Alert | +| TaintedPath.js:73:23:73:29 | req.url | Unexpected result: Source | +| TaintedPath.js:75:28:75:48 | fs.real ... 
c(path) | Unexpected result: Alert | +| TaintedPath.js:78:45:78:52 | realpath | Unexpected result: Alert | +| TaintedPath.js:109:23:109:29 | req.url | Unexpected result: Source | +| TaintedPath.js:115:24:115:30 | req.url | Unexpected result: Source | +| TaintedPath.js:139:24:139:30 | req.url | Unexpected result: Source | +| TaintedPath.js:176:38:176:44 | req.url | Unexpected result: Source | +| TaintedPath.js:177:51:177:57 | req.url | Unexpected result: Source | +| TaintedPath.js:179:44:179:50 | req.url | Unexpected result: Source | +| TaintedPath.js:184:24:184:30 | req.url | Unexpected result: Source | +| TaintedPath.js:191:24:191:30 | req.url | Unexpected result: Source | +| TaintedPath.js:200:24:200:30 | req.url | Unexpected result: Source | +| examples/TaintedPath.js:8:28:8:34 | req.url | Unexpected result: Source | +| express.js:8:20:8:32 | req.query.bar | Unexpected result: Alert | +| handlebars.js:11:32:11:39 | filePath | Unexpected result: Alert | +| handlebars.js:15:25:15:32 | filePath | Unexpected result: Alert | +| handlebars.js:29:46:29:60 | req.params.path | Unexpected result: Source | +| handlebars.js:29:67:29:111 | // $ Al ... catFile | Missing result: Alert | +| handlebars.js:43:15:43:29 | req.params.path | Unexpected result: Source | +| handlebars.js:43:31:43:74 | // $ Al ... 
helper | Missing result: Alert | +| normalizedPaths.js:11:14:11:27 | req.query.path | Unexpected result: Source | +| normalizedPaths.js:21:35:21:48 | req.query.path | Unexpected result: Source | +| normalizedPaths.js:31:35:31:48 | req.query.path | Unexpected result: Source | +| normalizedPaths.js:54:35:54:48 | req.query.path | Unexpected result: Source | +| normalizedPaths.js:73:42:73:55 | req.query.path | Unexpected result: Source | +| normalizedPaths.js:82:14:82:27 | req.query.path | Unexpected result: Source | +| normalizedPaths.js:94:35:94:48 | req.query.path | Unexpected result: Source | +| normalizedPaths.js:117:30:117:43 | req.query.path | Unexpected result: Source | +| normalizedPaths.js:130:35:130:48 | req.query.path | Unexpected result: Source | +| normalizedPaths.js:139:48:139:61 | req.query.path | Unexpected result: Source | +| normalizedPaths.js:148:44:148:57 | req.query.path | Unexpected result: Source | +| normalizedPaths.js:160:35:160:48 | req.query.path | Unexpected result: Source | +| normalizedPaths.js:174:14:174:27 | req.query.path | Unexpected result: Source | +| normalizedPaths.js:214:35:214:48 | req.query.path | Unexpected result: Source | +| normalizedPaths.js:226:35:226:48 | req.query.path | Unexpected result: Source | +| normalizedPaths.js:236:33:236:46 | req.query.path | Unexpected result: Source | +| normalizedPaths.js:254:33:254:46 | req.query.path | Unexpected result: Source | +| normalizedPaths.js:303:13:303:26 | req.query.path | Unexpected result: Source | +| normalizedPaths.js:339:32:339:45 | req.query.path | Unexpected result: Source | +| normalizedPaths.js:354:14:354:27 | req.query.path | Unexpected result: Source | +| normalizedPaths.js:377:14:377:27 | req.query.path | Unexpected result: Source | +| normalizedPaths.js:385:35:385:45 | req.query.x | Unexpected result: Source | +| normalizedPaths.js:407:45:407:55 | req.query.x | Unexpected result: Source | +| normalizedPaths.js:408:38:408:48 | req.query.x | Unexpected result: Source 
| +| normalizedPaths.js:412:35:412:45 | req.query.x | Unexpected result: Source | +| other-fs-libraries.js:9:24:9:30 | req.url | Unexpected result: Source | +| other-fs-libraries.js:38:24:38:30 | req.url | Unexpected result: Source | +| other-fs-libraries.js:49:24:49:30 | req.url | Unexpected result: Source | +| other-fs-libraries.js:68:24:68:30 | req.url | Unexpected result: Source | +| other-fs-libraries.js:81:24:81:30 | req.url | Unexpected result: Source | +| prettier.js:6:13:6:13 | p | Unexpected result: Source | +| pupeteer.js:5:28:5:53 | parseTo ... t).name | Unexpected result: Source | +| pupeteer.js:9:28:9:34 | tainted | Unexpected result: Alert | +| pupeteer.js:13:37:13:43 | tainted | Unexpected result: Alert | +| sharedlib-repro.js:13:22:13:43 | req.par ... spaceId | Unexpected result: Source | +| tainted-access-paths.js:6:24:6:30 | req.url | Unexpected result: Source | +| tainted-access-paths.js:39:24:39:30 | req.url | Unexpected result: Source | +| tainted-access-paths.js:48:24:48:30 | req.url | Unexpected result: Source | +| tainted-promise-steps.js:6:24:6:30 | req.url | Unexpected result: Source | +| tainted-sendFile.js:21:37:21:48 | req.params.x | Unexpected result: Source | +| tainted-sendFile.js:22:34:22:45 | req.params.x | Unexpected result: Source | +| tainted-string-steps.js:6:24:6:30 | req.url | Unexpected result: Source | +| torrents.js:5:13:5:38 | parseTo ... t).name | Unexpected result: Source | +| typescript.ts:9:24:9:30 | req.url | Unexpected result: Source | +| views.js:1:43:1:55 | req.params[0] | Unexpected result: Alert | From 01e1fc41dc2b2d6aa7e62fb1b5e963138648fc19 Mon Sep 17 00:00:00 2001 From: Asger F Date: Fri, 31 Jan 2025 14:01:22 +0100 Subject: [PATCH 04/11] JS: Move some Alerts to their actual location --- .../Security/CWE-022/TaintedPath/handlebars.js | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) 
diff --git a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/handlebars.js b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/handlebars.js index 93255a7ab518..ca6c866175ea 100644 --- a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/handlebars.js +++ b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/handlebars.js @@ -8,11 +8,11 @@ const data = {}; function init() { hb.registerHelper("catFile", function catFile(filePath) { - return fs.readFileSync(filePath); // SINK (reads file) + return fs.readFileSync(filePath); // $ Alert }); hb.registerHelper("prependToLines", function prependToLines(prefix, filePath) { return fs - .readFileSync(filePath) + .readFileSync(filePath) // $ Alert .split("\n") .map((line) => prefix + line) .join("\n"); @@ -26,7 +26,7 @@ function init() { init(); app.get('/some/path1', function (req, res) { - res.send(data.compiledFileAccess({ path: req.params.path })); // $ Alert - template uses vulnerable catFile + res.send(data.compiledFileAccess({ path: req.params.path })); // template uses vulnerable catFile }); app.get('/some/path2', function (req, res) { @@ -40,7 +40,7 @@ app.get('/some/path3', function (req, res) { app.get('/some/path4', function (req, res) { res.send(data.compiledMixed({ prefix: ">>> ", - path: req.params.path // $ Alert - template uses vulnerable helper + path: req.params.path // template uses vulnerable helper })); }); From 0f33bf1735982aa5bfb20ce4b330b2f54249b4f6 Mon Sep 17 00:00:00 2001 From: Asger F Date: Fri, 31 Jan 2025 14:01:36 +0100 Subject: [PATCH 05/11] JS: Add missing Alert expectations --- .../query-tests/Security/CWE-022/TaintedPath/TaintedPath.js | 6 +++--- .../query-tests/Security/CWE-022/TaintedPath/express.js | 2 +- .../query-tests/Security/CWE-022/TaintedPath/pupeteer.js | 4 ++-- .../test/query-tests/Security/CWE-022/TaintedPath/views.js | 2 +- 4 files changed, 7 insertions(+), 7 deletions(-) 
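Review bot: The `// SINK (reads file)` explanation on the catFile helper disappears with the old marker, so the new `// $ Alert` on `return fs.readFileSync(filePath);` no longer says why that line is the sink. The old side of the next hunk already uses the `$ Alert - <text>` form, and the earlier testFailures hunk reported only a single `Alert` tag for such a line, so `return fs.readFileSync(filePath); // $ Alert - SINK (reads file)` keeps the note without changing the expectation. The same applies to `.readFileSync(filePath) // $ Alert` in prependToLines. The `init` function continues outside the hunk.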
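Review bot: After this hunk line 29 carries only the prose `// template uses vulnerable catFile`, yet the post-processed output recorded in the earlier testFailures hunk lists `handlebars.js:29:46:29:60 | req.params.path | Unexpected result: Source`, so the line still lacks the expectation the test driver reports for it. `res.send(data.compiledFileAccess({ path: req.params.path })); // $ Source - template uses vulnerable catFile` would record it while keeping the note. The same applies to `path: req.params.path` at line 43 in the next hunk, to `let path = url.parse(req.url, true).query.path;` (line 73) in the TaintedPath.js `@@ -72,10` hunk of the following patch, and to the pupeteer.js source at line 5, which lies just outside that file's hunk. If a later patch in the series adds the `$ Source` tags this can be ignored; otherwise these lines would presumably keep showing up as unexpected Source results.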
diff --git a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.js b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.js
index b598cbee74bf..cc36f38be2dc 100644
--- a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.js
+++ b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.js
@@ -61,7 +61,7 @@ var server = http.createServer(function(req, res) {
 var express = require('express');
 var application = express();
- var views_local = (req, res) => res.render(req.params[0]);
+ var views_local = (req, res) => res.render(req.params[0]); // $ Alert
 application.get('/views/*', views_local);
 var views_imported = require("./views");
@@ -72,10 +72,10 @@ var server = http.createServer(function(req, res) {
 var server = http.createServer(function(req, res) {
 let path = url.parse(req.url, true).query.path;
- res.write(fs.readFileSync(fs.realpathSync(path)));
+ res.write(fs.readFileSync(fs.realpathSync(path))); // $ Alert
 fs.realpath(path, function(err, realpath){
- res.write(fs.readFileSync(realpath));
+ res.write(fs.readFileSync(realpath)); // $ Alert
 }
 );
diff --git a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/express.js b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/express.js
index dad320e3abae..13c6ad082abe 100644
--- a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/express.js
+++ b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/express.js
@@ -5,5 +5,5 @@ let app = express();
 app.use(fileUpload());
 app.get("/some/path", function (req, res) {
- req.files.foo.mv(req.query.bar);
+ req.files.foo.mv(req.query.bar); // $ Alert
 });
diff --git a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/pupeteer.js b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/pupeteer.js
index 363b2f014c7a..37f8c348a0f6 100644
--- a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/pupeteer.js
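Review bot: The new `// $ Alert` on `req.files.foo.mv(req.query.bar)` in express.js carries no `Source` tag even though the argument is the request-derived value itself, and the expected output elsewhere in this series lists only an Alert at express.js:8:20:8:32, so the omission looks intentional — presumably because the source node and the sink node are the same expression. Nothing in the test file says so, and the next person adding Source tags is likely to "complete" the line and break the test. A short comment would settle it: `req.files.foo.mv(req.query.bar); // $ Alert - source and sink are the same node, so no separate Source tag`.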
+++ b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/pupeteer.js
@@ -6,11 +6,11 @@ const parseTorrent = require('parse-torrent');
 const browser = await puppeteer.launch();
 const page = await browser.newPage();
- await page.pdf({ path: tainted, format: 'a4' });
+ await page.pdf({ path: tainted, format: 'a4' }); // $ Alert
 const pages = await browser.pages();
 for (let i = 0; i < something(); i++) {
- pages[i].screenshot({ path: tainted });
+ pages[i].screenshot({ path: tainted }); // $ Alert
 }
 await browser.close();
diff --git a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/views.js b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/views.js
index 37ba5b7ab0e3..111ecd10c5a2 100644
--- a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/views.js
+++ b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/views.js
@@ -1 +1 @@
-module.exports = (req, res) => res.render(req.params[0]);
+module.exports = (req, res) => res.render(req.params[0]); // $ Alert
From 915aa3d1345bc5d7fd561adce53a3856a8cd5079 Mon Sep 17 00:00:00 2001
From: Asger F
Date: Fri, 31 Jan 2025 14:02:02 +0100
Subject: [PATCH 06/11] JS: Add Source expectations
---
 .../CWE-022/TaintedPath/TaintedPath-es6.js | 2 +-
 .../CWE-022/TaintedPath/TaintedPath.js | 30 +++++------
 .../TaintedPath/examples/TaintedPath.js | 2 +-
 .../CWE-022/TaintedPath/handlebars.js | 4 +-
 .../CWE-022/TaintedPath/normalizedPaths.js | 50 +++++++++----------
 .../CWE-022/TaintedPath/other-fs-libraries.js | 10 ++--
 .../Security/CWE-022/TaintedPath/prettier.js | 2 +-
 .../Security/CWE-022/TaintedPath/pupeteer.js | 2 +-
 .../CWE-022/TaintedPath/sharedlib-repro.js | 2 +-
 .../TaintedPath/tainted-access-paths.js | 6 +--
 .../TaintedPath/tainted-promise-steps.js | 2 +-
 .../CWE-022/TaintedPath/tainted-sendFile.js | 4 +-
 .../TaintedPath/tainted-string-steps.js | 2 +-
 .../Security/CWE-022/TaintedPath/torrents.js | 2 +-
 .../CWE-022/TaintedPath/typescript.ts | 2 +-
 15 files changed, 61 insertions(+), 61 deletions(-)
diff --git a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath-es6.js b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath-es6.js
index 2c915a920b16..573302c33cc5 100644
--- a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath-es6.js
+++ b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath-es6.js
@@ -4,7 +4,7 @@ import { parse } from 'url';
 import { join } from 'path';
 var server = createServer(function(req, res) {
- let path = parse(req.url, true).query.path;
+ let path = parse(req.url, true).query.path; // $ Source
 res.write(readFileSync(join("public", path))); // $ Alert - This could read any file on the file system
 });
diff --git a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.js b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.js
index cc36f38be2dc..b5c619faf31a 100644
--- a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.js
+++ b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.js
@@ -6,7 +6,7 @@ var fs = require('fs'),
 ;
 var server = http.createServer(function(req, res) {
- let path = url.parse(req.url, true).query.path;
+ let path = url.parse(req.url, true).query.path; // $ Source
 res.write(fs.readFileSync(path)); // $ Alert - This could read any file on the file system
@@ -33,7 +33,7 @@ var server = http.createServer(function(req, res) {
 path = sanitize(path);
 res.write(fs.readFileSync(path)); // OK - Path is sanitized
- path = url.parse(req.url, true).query.path;
+ path = url.parse(req.url, true).query.path; // $ Source
 // OK - basename is safe
 res.write(fs.readFileSync(pathModule.basename(path)));
 res.write(fs.readFileSync(pathModule.dirname(path))); // $ Alert - taint is preserved
@@ -51,9 +51,9 @@ var server = http.createServer(function(req, res) {
 var server = http.createServer(function(req, res) {
 // tests for a few uri-libraries
- res.write(fs.readFileSync(require("querystringify").parse(req.url).query)); // $ Alert
- res.write(fs.readFileSync(require("query-string").parse(req.url).query)); // $ Alert
- res.write(fs.readFileSync(require("querystring").parse(req.url).query)); // $ Alert
+ res.write(fs.readFileSync(require("querystringify").parse(req.url).query)); // $ Alert Source
+ res.write(fs.readFileSync(require("query-string").parse(req.url).query)); // $ Alert Source
+ res.write(fs.readFileSync(require("querystring").parse(req.url).query)); // $ Alert Source
 });
 (function(){
@@ -70,7 +70,7 @@ var server = http.createServer(function(req, res) {
 })();
 var server = http.createServer(function(req, res) {
- let path = url.parse(req.url, true).query.path;
+ let path = url.parse(req.url, true).query.path; // $ Source
 res.write(fs.readFileSync(fs.realpathSync(path))); // $ Alert
 fs.realpath(path,
@@ -106,13 +106,13 @@ var server = http.createServer(function(req, res) {
 });
 var server = http.createServer(function(req, res) {
- let path = url.parse(req.url, true).query.path;
+ let path = url.parse(req.url, true).query.path; // $ Source
 require('send')(req, path); // $ Alert
 });
 var server = http.createServer(function(req, res) {
- let path = url.parse(req.url, true).query.path;
+ let path = url.parse(req.url, true).query.path; // $ Source
 fs.readFileSync(path); // $ Alert
@@ -136,7 +136,7 @@ var server = http.createServer(function(req, res) {
 });
 var server = http.createServer(function(req, res) {
- let path = url.parse(req.url, true).query.path;
+ let path = url.parse(req.url, true).query.path; // $ Source
 // Removal of forward-slash or dots.
 res.write(fs.readFileSync(path.replace(/[\]\[*,;'"`<>\\?\/]/g, '')));
@@ -173,22 +173,22 @@ import normalizeUrl from 'normalize-url';
 var server = http.createServer(function(req, res) {
 // tests for a few more uri-libraries
 const qs = require("qs");
- res.write(fs.readFileSync(qs.parse(req.url).foo)); // $ Alert
- res.write(fs.readFileSync(qs.parse(normalizeUrl(req.url)).foo)); // $ Alert
+ res.write(fs.readFileSync(qs.parse(req.url).foo)); // $ Alert Source
+ res.write(fs.readFileSync(qs.parse(normalizeUrl(req.url)).foo)); // $ Alert Source
 const parseqs = require("parseqs");
- res.write(fs.readFileSync(parseqs.decode(req.url).foo)); // $ Alert
+ res.write(fs.readFileSync(parseqs.decode(req.url).foo)); // $ Alert Source
 });
 const cp = require("child_process");
 var server = http.createServer(function(req, res) {
- let path = url.parse(req.url, true).query.path;
+ let path = url.parse(req.url, true).query.path; // $ Source
 cp.execSync("foobar", {cwd: path}); // $ Alert
 cp.execFileSync("foobar", ["args"], {cwd: path}); // $ Alert
 cp.execFileSync("foobar", {cwd: path}); // $ Alert
 });
 var server = http.createServer(function(req, res) {
- let path = url.parse(req.url, true).query.path;
+ let path = url.parse(req.url, true).query.path; // $ Source
 // Removal of forward-slash or dots.
 res.write(fs.readFileSync(path.replace(new RegExp("[\\]\\[*,;'\"`<>\\?/]", 'g'), '')));
@@ -197,7 +197,7 @@ var server = http.createServer(function(req, res) {
 });
 var server = http.createServer(function(req, res) {
- let path = url.parse(req.url, true).query.path;
+ let path = url.parse(req.url, true).query.path; // $ Source
 res.write(fs.readFileSync(path.replace(new RegExp("[.]", 'g'), ''))); // $ Alert - can be absolute
diff --git a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/examples/TaintedPath.js b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/examples/TaintedPath.js
index a3e4028b0daa..568269866f5f 100644
--- a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/examples/TaintedPath.js
+++ b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/examples/TaintedPath.js
@@ -5,7 +5,7 @@ const fs = require('fs'),
 const ROOT = "/var/www/";
 var server = http.createServer(function(req, res) {
- let filePath = url.parse(req.url, true).query.path;
+ let filePath = url.parse(req.url, true).query.path; // $ Source
 res.write(fs.readFileSync(ROOT + filePath, 'utf8')); // $ Alert - This function uses unsanitized input that can read any file on the file system.
 });
\ No newline at end of file
diff --git a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/handlebars.js b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/handlebars.js
index ca6c866175ea..ffbeb5a767ba 100644
--- a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/handlebars.js
+++ b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/handlebars.js
@@ -26,7 +26,7 @@ function init() {
 init();
 app.get('/some/path1', function (req, res) {
- res.send(data.compiledFileAccess({ path: req.params.path })); // template uses vulnerable catFile
+ res.send(data.compiledFileAccess({ path: req.params.path })); // $ Source - template uses vulnerable catFile
 });
 app.get('/some/path2', function (req, res) {
@@ -40,7 +40,7 @@ app.get('/some/path3', function (req, res) {
 app.get('/some/path4', function (req, res) {
 res.send(data.compiledMixed({
 prefix: ">>> ",
- path: req.params.path // template uses vulnerable helper
+ path: req.params.path // $ Source - template uses vulnerable helper
 }));
 });
diff --git a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/normalizedPaths.js b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/normalizedPaths.js
index 2c251b8de379..9b3a3019cf4c 100644
--- a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/normalizedPaths.js
+++ b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/normalizedPaths.js
@@ -8,7 +8,7 @@ var fs = require('fs'),
 let app = express();
 app.get('/basic', (req, res) => {
- let path = req.query.path;
+ let path = req.query.path; // $ Source
 fs.readFileSync(path); // $ Alert
 fs.readFileSync('./' + path); // $ Alert
@@ -18,7 +18,7 @@ app.get('/basic', (req, res) => {
 });
 app.get('/normalize', (req, res) => {
- let path = pathModule.normalize(req.query.path);
+ let path = pathModule.normalize(req.query.path); // $ Source
 fs.readFileSync(path); // $ Alert
 fs.readFileSync('./' + path); // $ Alert
@@ -28,7 +28,7 @@ app.get('/normalize', (req, res) => {
 });
 app.get('/normalize-notAbsolute', (req, res) => {
- let path = pathModule.normalize(req.query.path);
+ let path = pathModule.normalize(req.query.path); // $ Source
 if (pathModule.isAbsolute(path))
 return;
@@ -51,7 +51,7 @@ app.get('/normalize-notAbsolute', (req, res) => {
 });
 app.get('/normalize-noInitialDotDot', (req, res) => {
- let path = pathModule.normalize(req.query.path);
+ let path = pathModule.normalize(req.query.path); // $ Source
 if (path.startsWith(".."))
 return;
@@ -70,7 +70,7 @@ app.get('/normalize-noInitialDotDot', (req, res) => {
 app.get('/prepend-normalize', (req, res) => {
 // Coerce to relative prior to normalization
- let path = pathModule.normalize('./' + req.query.path);
+ let path = pathModule.normalize('./' + req.query.path); // $ Source
 if (!path.startsWith(".."))
 fs.readFileSync(path);
@@ -79,7 +79,7 @@ app.get('/prepend-normalize', (req, res) => {
 });
 app.get('/absolute', (req, res) => {
- let path = req.query.path;
+ let path = req.query.path; // $ Source
 if (!pathModule.isAbsolute(path))
 return;
@@ -91,7 +91,7 @@ app.get('/absolute', (req, res) => {
 });
 app.get('/normalized-absolute', (req, res) => {
- let path = pathModule.normalize(req.query.path);
+ let path = pathModule.normalize(req.query.path); // $ Source
 if (!pathModule.isAbsolute(path))
 return;
@@ -114,7 +114,7 @@ app.get('/combined-check', (req, res) => {
 });
 app.get('/realpath', (req, res) => {
- let path = fs.realpathSync(req.query.path);
+ let path = fs.realpathSync(req.query.path); // $ Source
 fs.readFileSync(path); // $ Alert
 fs.readFileSync(pathModule.join(path, 'index.html')); // $ Alert
@@ -127,7 +127,7 @@ app.get('/realpath', (req, res) => {
 });
 app.get('/coerce-relative', (req, res) => {
- let path = pathModule.join('.', req.query.path);
+ let path = pathModule.join('.', req.query.path); // $ Source
 if (!path.startsWith('..'))
 fs.readFileSync(path);
@@ -136,7 +136,7 @@ app.get('/coerce-relative', (req, res) => {
 });
 app.get('/coerce-absolute', (req, res) => {
- let path = pathModule.join('/home/user/www', req.query.path);
+ let path = pathModule.join('/home/user/www', req.query.path); // $ Source
 if (path.startsWith('/home/user/www'))
 fs.readFileSync(path);
@@ -145,7 +145,7 @@ app.get('/coerce-absolute', (req, res) => {
 });
 app.get('/concat-after-normalization', (req, res) => {
- let path = 'foo/' + pathModule.normalize(req.query.path);
+ let path = 'foo/' + pathModule.normalize(req.query.path); // $ Source
 if (!path.startsWith('..'))
 fs.readFileSync(path); // $ Alert - prefixing foo/ invalidates check
@@ -157,7 +157,7 @@ app.get('/concat-after-normalization', (req, res) => {
 });
 app.get('/noDotDot', (req, res) => {
- let path = pathModule.normalize(req.query.path);
+ let path = pathModule.normalize(req.query.path); // $ Source
 if (path.includes('..'))
 return;
@@ -171,7 +171,7 @@ app.get('/noDotDot', (req, res) => {
 });
 app.get('/join-regression', (req, res) => {
- let path = req.query.path;
+ let path = req.query.path; // $ Source
 // Regression test for a specific corner case:
 // Some guard nodes sanitize both branches, but for a different set of flow labels.
@@ -211,7 +211,7 @@ app.get('/join-regression', (req, res) => {
 });
 app.get('/decode-after-normalization', (req, res) => {
- let path = pathModule.normalize(req.query.path);
+ let path = pathModule.normalize(req.query.path); // $ Source
 if (!pathModule.isAbsolute(path) && !path.startsWith('..'))
 fs.readFileSync(path);
@@ -223,7 +223,7 @@ app.get('/decode-after-normalization', (req, res) => {
 });
 app.get('/replace', (req, res) => {
- let path = pathModule.normalize(req.query.path).replace(/%20/g, ' ');
+ let path = pathModule.normalize(req.query.path).replace(/%20/g, ' '); // $ Source
 if (!pathModule.isAbsolute(path)) {
 fs.readFileSync(path); // $ Alert
@@ -233,7 +233,7 @@ app.get('/replace', (req, res) => {
 });
 app.get('/resolve-path', (req, res) => {
- let path = pathModule.resolve(req.query.path);
+ let path = pathModule.resolve(req.query.path); // $ Source
 fs.readFileSync(path); // $ Alert
@@ -251,7 +251,7 @@ app.get('/resolve-path', (req, res) => {
 });
 app.get('/relative-startswith', (req, res) => {
- let path = pathModule.resolve(req.query.path);
+ let path = pathModule.resolve(req.query.path); // $ Source
 fs.readFileSync(path); // $ Alert
@@ -300,7 +300,7 @@ app.get('/relative-startswith', (req, res) => {
 var isPathInside = require("is-path-inside"), pathIsInside = require("path-is-inside");
 app.get('/pseudo-normalizations', (req, res) => {
- let path = req.query.path;
+ let path = req.query.path; // $ Source
 fs.readFileSync(path); // $ Alert
 if (isPathInside(path, SAFE)) {
 fs.readFileSync(path);
@@ -336,7 +336,7 @@ app.get('/pseudo-normalizations', (req, res) => {
 });
 app.get('/yet-another-prefix', (req, res) => {
- let path = pathModule.resolve(req.query.path);
+ let path = pathModule.resolve(req.query.path); // $ Source
 fs.readFileSync(path); // $ Alert
@@ -351,7 +351,7 @@ app.get('/yet-another-prefix', (req, res) => {
 var rootPath = process.cwd();
 app.get('/yet-another-prefix2', (req, res) => {
- let path = req.query.path;
+ let path = req.query.path; // $ Source
 fs.readFileSync(path); // $ Alert
@@ -374,7 +374,7 @@ app.get('/yet-another-prefix2', (req, res) => {
 import slash from 'slash';
 app.get('/slash-stuff', (req, res) => {
- let path = req.query.path;
+ let path = req.query.path; // $ Source
 fs.readFileSync(path); // $ Alert
@@ -382,7 +382,7 @@ app.get('/slash-stuff', (req, res) => {
 });
 app.get('/dotdot-regexp', (req, res) => {
- let path = pathModule.normalize(req.query.x);
+ let path = pathModule.normalize(req.query.x); // $ Source
 if (pathModule.isAbsolute(path)) return;
 fs.readFileSync(path); // $ Alert
@@ -404,12 +404,12 @@ app.get('/dotdot-regexp', (req, res) => {
 });
 app.get('/join-spread', (req, res) => {
- fs.readFileSync(pathModule.join('foo', ...req.query.x.split('/'))); // $ Alert
- fs.readFileSync(pathModule.join(...req.query.x.split('/'))); // $ Alert
+ fs.readFileSync(pathModule.join('foo', ...req.query.x.split('/'))); // $ Alert Source
+ fs.readFileSync(pathModule.join(...req.query.x.split('/'))); // $ Alert Source
 });
 app.get('/dotdot-matchAll-regexp', (req, res) => {
- let path = pathModule.normalize(req.query.x);
+ let path = pathModule.normalize(req.query.x); // $ Source
 if (pathModule.isAbsolute(path)) return;
 fs.readFileSync(path); // $ Alert
diff --git a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/other-fs-libraries.js b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/other-fs-libraries.js
index 8d2bfe11feb7..3c137faa8c94 100644
--- a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/other-fs-libraries.js
+++ b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/other-fs-libraries.js
@@ -6,7 +6,7 @@ var http = require("http"),
 originalFs = require("original-fs");
 var server = http.createServer(function(req, res) {
- var path = url.parse(req.url, true).query.path;
+ var path = url.parse(req.url, true).query.path; // $ Source
 fs.readFileSync(path); // $ Alert
 gracefulFs.readFileSync(path); // $ Alert
@@ -35,7 +35,7 @@ function getFsModule(special) {
 var util = require("util");
 http.createServer(function(req, res) {
- var path = url.parse(req.url, true).query.path;
+ var path = url.parse(req.url, true).query.path; // $ Source
 util.promisify(fs.readFileSync)(path); // $ Alert
 require("bluebird").promisify(fs.readFileSync)(path); // $ Alert
@@ -46,7 +46,7 @@ http.createServer(function(req, res) {
 const asyncFS = require("./my-async-fs-module");
 http.createServer(function(req, res) {
- var path = url.parse(req.url, true).query.path;
+ var path = url.parse(req.url, true).query.path; // $ Source
 fs.readFileSync(path); // $ Alert
 asyncFS.readFileSync(path); // $ Alert
@@ -65,7 +65,7 @@ http.createServer(function(req, res) {
 const mkdirp = require("mkdirp");
 http.createServer(function(req, res) {
- var path = url.parse(req.url, true).query.path;
+ var path = url.parse(req.url, true).query.path; // $ Source
 fs.readFileSync(path); // $ Alert
 mkdirp(path); // $ Alert
@@ -78,7 +78,7 @@ function func(x) {
 const fsp = require("fs/promises");
 http.createServer(function(req, res) {
- var path = url.parse(req.url, true).query.path;
+ var path = url.parse(req.url, true).query.path; // $ Source
 fsp.readFile(path); // $ Alert
 });
diff --git a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/prettier.js b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/prettier.js
index d3ee99d4974b..c198082b9932 100644
--- a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/prettier.js
+++ b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/prettier.js
@@ -3,7 +3,7 @@ const prettier = require("prettier");
 const app = express();
 app.get('/some/path', function (req, res) {
- const { p } = req.params;
+ const { p } = req.params; // $ Source
 prettier.resolveConfig(p).then((options) => { // $ Alert
 const formatted = prettier.format("foo", options);
 });
diff --git a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/pupeteer.js b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/pupeteer.js
index 37f8c348a0f6..8b0a64f523c9 100644
--- a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/pupeteer.js
+++ b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/pupeteer.js
@@ -2,7 +2,7 @@ const puppeteer = require('puppeteer');
 const parseTorrent = require('parse-torrent');
 (async () => {
- let tainted = "dir/" + parseTorrent(torrent).name + ".torrent.data";
+ let tainted = "dir/" + parseTorrent(torrent).name + ".torrent.data"; // $ Source
 const browser = await puppeteer.launch();
 const page = await browser.newPage();
diff --git a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/sharedlib-repro.js b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/sharedlib-repro.js
index fa19da302606..23c89ab5baec 100644
--- a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/sharedlib-repro.js
+++ b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/sharedlib-repro.js
@@ -10,7 +10,7 @@ function getTree(req, res, options) {
 var workspaceId = req.params.workspaceId;
 var realfileRootPath = workspaceId; // getfileRoot(workspaceId);
 var filePath = workspaceId; // path.join(options.workspaceDir,realfileRootPath, req.params["0"]);
- withStatsAndETag(req.params.workspaceId, function (err, stats, etag) {});
+ withStatsAndETag(req.params.workspaceId, function (err, stats, etag) {}); // $ Source
 }
 function getfileRoot(workspaceId) {
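Review bot: In sharedlib-repro.js the `$ Source` tag goes on the `withStatsAndETag(req.params.workspaceId, …)` call while the identical `req.params.workspaceId` read three lines earlier (`var workspaceId = req.params.workspaceId;`) stays untagged, and the file gives no hint why one access counts and the other does not. If, as the expected output in this series suggests, only sources that reach a sink are reported, a comment on the untagged read — `// no Source tag: this read does not flow to a sink` — would make the expectation self-explanatory rather than look like an oversight. `getTree` starts before the hunk and `withStatsAndETag` is defined outside it, so whether the tagged call really reaches a sink cannot be confirmed from here.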
diff --git a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/tainted-access-paths.js b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/tainted-access-paths.js
index aaa6cfdc2407..ab5d3f008507 100644
--- a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/tainted-access-paths.js
+++ b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/tainted-access-paths.js
@@ -3,7 +3,7 @@ var fs = require('fs'),
 url = require('url');
 var server = http.createServer(function(req, res) {
- let path = url.parse(req.url, true).query.path;
+ let path = url.parse(req.url, true).query.path; // $ Source
 fs.readFileSync(path); // $ Alert
@@ -36,7 +36,7 @@ server.listen();
 var nodefs = require('node:fs');
 var server2 = http.createServer(function(req, res) {
- let path = url.parse(req.url, true).query.path;
+ let path = url.parse(req.url, true).query.path; // $ Source
 nodefs.readFileSync(path); // $ Alert
 });
@@ -45,6 +45,6 @@ server2.listen();
 const chownr = require("chownr");
 var server3 = http.createServer(function (req, res) {
- let path = url.parse(req.url, true).query.path;
+ let path = url.parse(req.url, true).query.path; // $ Source
 chownr(path, "someuid", "somegid", function (err) {}); // $ Alert
 });
diff --git a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/tainted-promise-steps.js b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/tainted-promise-steps.js
index e18e3c7e8bb1..a21ae5a6f915 100644
--- a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/tainted-promise-steps.js
+++ b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/tainted-promise-steps.js
@@ -3,7 +3,7 @@ var fs = require('fs'),
 url = require('url');
 var server = http.createServer(function(req, res) {
- let path = url.parse(req.url, true).query.path;
+ let path = url.parse(req.url, true).query.path; // $ Source
 doRead(Promise.resolve(path));
 });
diff --git a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/tainted-sendFile.js b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/tainted-sendFile.js
index 21ae39b8b731..e18590cf693a 100644
--- a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/tainted-sendFile.js
+++ b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/tainted-sendFile.js
@@ -18,8 +18,8 @@ app.get('/some/path/:x', function(req, res) {
 res.sendFile(homeDir + '/data/' + req.params.x); // OK - sendFile disallows ../
 res.sendfile('data/' + req.params.x); // OK - sendfile disallows ../
- res.sendFile(path.resolve('data', req.params.x)); // $ Alert
- res.sendfile(path.join('data', req.params.x)); // $ Alert
+ res.sendFile(path.resolve('data', req.params.x)); // $ Alert Source
+ res.sendfile(path.join('data', req.params.x)); // $ Alert Source
 res.sendFile(homeDir + path.join('data', req.params.x)); // kinda OK - can only escape from 'data/'
 });
diff --git a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/tainted-string-steps.js b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/tainted-string-steps.js
index d705be16b317..6f281013a63c 100644
--- a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/tainted-string-steps.js
+++ b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/tainted-string-steps.js
@@ -3,7 +3,7 @@ var fs = require('fs'),
 url = require('url');
 var server = http.createServer(function(req, res) {
- let path = url.parse(req.url, true).query.path;
+ let path = url.parse(req.url, true).query.path; // $ Source
 fs.readFileSync(path.substring(i, j));
 fs.readFileSync(path.substring(4)); // $ Alert
 fs.readFileSync(path.substring(0, i)); // $ Alert
diff --git a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/torrents.js b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/torrents.js
index 097bcc1fa117..d3c74ed8493d 100644
--- a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/torrents.js
+++ b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/torrents.js
@@ -2,7 +2,7 @@ const parseTorrent = require('parse-torrent'),
 fs = require('fs');
 function getTorrentData(dir, torrent){
- let name = parseTorrent(torrent).name,
+ let name = parseTorrent(torrent).name, // $ Source
 loc = dir + "/" + name + ".torrent.data";
 return fs.readFileSync(loc); // $ Alert
 }
diff --git a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/typescript.ts b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/typescript.ts
index 51549ea75658..a0d2a78b5d7b 100644
--- a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/typescript.ts
+++ b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/typescript.ts
@@ -6,7 +6,7 @@ var fs = require('fs'),
 ;
 var server = http.createServer(function(req, res) {
- let path = url.parse(req.url, true).query.path;
+ let path = url.parse(req.url, true).query.path; // $ Source
 res.write(fs.readFileSync(path)); // $ Alert - This could read any file on the file system
From 9f01faacb3bf865db9e00cfe2e64cb0864271204 Mon Sep 17 00:00:00 2001
From: Asger F
Date: Fri, 31 Jan 2025 14:03:23 +0100
Subject: [PATCH 07/11] JS: Update expected output, with the test failures gone
---
 .../CWE-022/TaintedPath/TaintedPath.expected | 73 ------------------
 1 file changed, 73 deletions(-)
diff --git a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.expected b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.expected
index bbae08085eb9..922512ee7624 100644
--- a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.expected
@@ -1134,76 +1134,3 @@ nodes
 | typescript.ts:31:29:31:33 | path6 | semmle.label | path6 |
 | views.js:1:43:1:55 | req.params[0] | semmle.label | req.params[0] |
 subpaths
-testFailures
-| TaintedPath-es6.js:7:20:7:26 | req.url | Unexpected result: Source |
-| TaintedPath.js:9:24:9:30 | req.url | Unexpected result: Source |
-| TaintedPath.js:36:20:36:26 | req.url | Unexpected result: Source |
-| TaintedPath.js:54:63:54:69 | req.url | Unexpected result: Source |
-| TaintedPath.js:55:61:55:67 | req.url | Unexpected result: Source |
-| TaintedPath.js:56:60:56:66 | req.url | Unexpected result: Source |
-| TaintedPath.js:64:48:64:60 | req.params[0] | Unexpected result: Alert |
-| TaintedPath.js:73:23:73:29 | req.url | Unexpected result: Source |
-| TaintedPath.js:75:28:75:48 | fs.real ... c(path) | Unexpected result: Alert |
-| TaintedPath.js:78:45:78:52 | realpath | Unexpected result: Alert |
-| TaintedPath.js:109:23:109:29 | req.url | Unexpected result: Source |
-| TaintedPath.js:115:24:115:30 | req.url | Unexpected result: Source |
-| TaintedPath.js:139:24:139:30 | req.url | Unexpected result: Source |
-| TaintedPath.js:176:38:176:44 | req.url | Unexpected result: Source |
-| TaintedPath.js:177:51:177:57 | req.url | Unexpected result: Source |
-| TaintedPath.js:179:44:179:50 | req.url | Unexpected result: Source |
-| TaintedPath.js:184:24:184:30 | req.url | Unexpected result: Source |
-| TaintedPath.js:191:24:191:30 | req.url | Unexpected result: Source |
-| TaintedPath.js:200:24:200:30 | req.url | Unexpected result: Source |
-| examples/TaintedPath.js:8:28:8:34 | req.url | Unexpected result: Source |
-| express.js:8:20:8:32 | req.query.bar | Unexpected result: Alert |
-| handlebars.js:11:32:11:39 | filePath | Unexpected result: Alert |
-| handlebars.js:15:25:15:32 | filePath | Unexpected result: Alert |
-| handlebars.js:29:46:29:60 | req.params.path | Unexpected result: Source |
-| handlebars.js:29:67:29:111 | // $ Al ...
catFile | Missing result: Alert |
-| handlebars.js:43:15:43:29 | req.params.path | Unexpected result: Source |
-| handlebars.js:43:31:43:74 | // $ Al ... helper | Missing result: Alert |
-| normalizedPaths.js:11:14:11:27 | req.query.path | Unexpected result: Source |
-| normalizedPaths.js:21:35:21:48 | req.query.path | Unexpected result: Source |
-| normalizedPaths.js:31:35:31:48 | req.query.path | Unexpected result: Source |
-| normalizedPaths.js:54:35:54:48 | req.query.path | Unexpected result: Source |
-| normalizedPaths.js:73:42:73:55 | req.query.path | Unexpected result: Source |
-| normalizedPaths.js:82:14:82:27 | req.query.path | Unexpected result: Source |
-| normalizedPaths.js:94:35:94:48 | req.query.path | Unexpected result: Source |
-| normalizedPaths.js:117:30:117:43 | req.query.path | Unexpected result: Source |
-| normalizedPaths.js:130:35:130:48 | req.query.path | Unexpected result: Source |
-| normalizedPaths.js:139:48:139:61 | req.query.path | Unexpected result: Source |
-| normalizedPaths.js:148:44:148:57 | req.query.path | Unexpected result: Source |
-| normalizedPaths.js:160:35:160:48 | req.query.path | Unexpected result: Source |
-| normalizedPaths.js:174:14:174:27 | req.query.path | Unexpected result: Source |
-| normalizedPaths.js:214:35:214:48 | req.query.path | Unexpected result: Source |
-| normalizedPaths.js:226:35:226:48 | req.query.path | Unexpected result: Source |
-| normalizedPaths.js:236:33:236:46 | req.query.path | Unexpected result: Source |
-| normalizedPaths.js:254:33:254:46 | req.query.path | Unexpected result: Source |
-| normalizedPaths.js:303:13:303:26 | req.query.path | Unexpected result: Source |
-| normalizedPaths.js:339:32:339:45 | req.query.path | Unexpected result: Source |
-| normalizedPaths.js:354:14:354:27 | req.query.path | Unexpected result: Source |
-| normalizedPaths.js:377:14:377:27 | req.query.path | Unexpected result: Source |
-| normalizedPaths.js:385:35:385:45 | req.query.x | Unexpected result: Source |
-|
normalizedPaths.js:407:45:407:55 | req.query.x | Unexpected result: Source |
-| normalizedPaths.js:408:38:408:48 | req.query.x | Unexpected result: Source |
-| normalizedPaths.js:412:35:412:45 | req.query.x | Unexpected result: Source |
-| other-fs-libraries.js:9:24:9:30 | req.url | Unexpected result: Source |
-| other-fs-libraries.js:38:24:38:30 | req.url | Unexpected result: Source |
-| other-fs-libraries.js:49:24:49:30 | req.url | Unexpected result: Source |
-| other-fs-libraries.js:68:24:68:30 | req.url | Unexpected result: Source |
-| other-fs-libraries.js:81:24:81:30 | req.url | Unexpected result: Source |
-| prettier.js:6:13:6:13 | p | Unexpected result: Source |
-| pupeteer.js:5:28:5:53 | parseTo ... t).name | Unexpected result: Source |
-| pupeteer.js:9:28:9:34 | tainted | Unexpected result: Alert |
-| pupeteer.js:13:37:13:43 | tainted | Unexpected result: Alert |
-| sharedlib-repro.js:13:22:13:43 | req.par ... spaceId | Unexpected result: Source |
-| tainted-access-paths.js:6:24:6:30 | req.url | Unexpected result: Source |
-| tainted-access-paths.js:39:24:39:30 | req.url | Unexpected result: Source |
-| tainted-access-paths.js:48:24:48:30 | req.url | Unexpected result: Source |
-| tainted-promise-steps.js:6:24:6:30 | req.url | Unexpected result: Source |
-| tainted-sendFile.js:21:37:21:48 | req.params.x | Unexpected result: Source |
-| tainted-sendFile.js:22:34:22:45 | req.params.x | Unexpected result: Source |
-| tainted-string-steps.js:6:24:6:30 | req.url | Unexpected result: Source |
-| torrents.js:5:13:5:38 | parseTo ... t).name | Unexpected result: Source |
-| typescript.ts:9:24:9:30 | req.url | Unexpected result: Source |
-| views.js:1:43:1:55 | req.params[0] | Unexpected result: Alert |
From d349b510a19b8405204b32ff62fd59dc149a2039 Mon Sep 17 00:00:00 2001
From: Asger F
Date: Thu, 30 Jan 2025 15:00:46 +0100
Subject: [PATCH 08/11] Test: Don't expect 'Source' tag when source and alert are on same line
Previously the Source tag was required if the source and alert did not have the exact same location. This relaxes the restriction to being on the same line. Note that in order to be "on the same line" both start and end lines have to match. It's still possible for a given line to expect both Alert and Source tags, in case the source pairs up with another alert on a different line.
---
 .../util/test/InlineExpectationsTest.qll | 29 +++++++++++++++++--
 1 file changed, 27 insertions(+), 2 deletions(-)
diff --git a/shared/util/codeql/util/test/InlineExpectationsTest.qll b/shared/util/codeql/util/test/InlineExpectationsTest.qll
index 8dde42b51678..2e60a3edd707 100644
--- a/shared/util/codeql/util/test/InlineExpectationsTest.qll
+++ b/shared/util/codeql/util/test/InlineExpectationsTest.qll
@@ -645,6 +645,29 @@ module TestPostProcessing {
 private import InlineExpectationsTest as InlineExpectationsTest
 private import InlineExpectationsTest::Make
+ bindingset[loc]
+ private predicate parseLocation(
+ string loc, string file, int startLine, int startColumn, int endLine, int endColumn
+ ) {
+ exists(string regexp |
+ regexp = "(.*):(-?\\d+):(-?\\d+):(-?\\d+):(-?\\d+)" and
+ file = loc.regexpCapture(regexp, 1) and
+ startLine = loc.regexpCapture(regexp, 2).toInt() and
+ startColumn = loc.regexpCapture(regexp, 3).toInt() and
+ endLine = loc.regexpCapture(regexp, 4).toInt() and
+ endColumn = loc.regexpCapture(regexp, 5).toInt()
+ )
+ }
+
+ /** Holds if the given location strings refer to the same lines, but possibly with different column numbers. */
+ bindingset[loc1, loc2]
+ private predicate sameLineInfo(string loc1, string loc2) {
+ exists(string file, int line1, int line2 |
+ parseLocation(loc1, file, line1, _, line2, _) and
+ parseLocation(loc2, file, line1, _, line2, _)
+ )
+ }
+
 /**
 * Gets the tag to be used for the path-problem source at result row `row`.
 *
@@ -653,8 +676,10 @@ module TestPostProcessing {
 */
 private string getSourceTag(int row) {
 getQueryKind() = "path-problem" and
- exists(string loc | queryResults(mainResultSet(), row, 2, loc) |
- if queryResults(mainResultSet(), row, 0, loc) then result = "Alert" else result = "Source"
+ exists(string sourceLoc, string selectLoc |
+ queryResults(mainResultSet(), row, 0, selectLoc) and
+ queryResults(mainResultSet(), row, 2, sourceLoc) and
+ if sameLineInfo(selectLoc, sourceLoc) then result = "Alert" else result = "Source"
 )
 }
From c5545f0717e89a27610f057799de5ff71f0f78b0 Mon Sep 17 00:00:00 2001
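Review bot: `parseLocation` has no QLDoc while its sibling `sameLineInfo` does, so add one above its `bindingset[loc]` line, e.g. `/** Holds if `loc` has the form `file:startLine:startColumn:endLine:endColumn`, binding each component. */`. The `sameLineInfo` doc could also state that both locations must be in the same file, which the shared `file` variable in its `exists` enforces but the wording "refer to the same lines" leaves implicit. The `-?` in each numeric group presumably admits the negative coordinates used for synthetic locations; a short comment saying so would save the next reader a guess, as would noting that the five `regexpCapture` calls deliberately re-match the same pattern for readability.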
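Review bot: The QLDoc of `getSourceTag`, which starts outside the hunk, still only says it gets "the tag to be used for the path-problem source" and should describe the new rule in the rewritten `exists`: the result is `Alert` when the select location and the source location are in the same file and span the same start and end lines (columns may differ), and `Source` otherwise. A sentence such as `Yields "Alert" when the source lies on the same line(s) as the select element, so no separate Source expectation is needed; otherwise "Source".` would do. It is also worth documenting that the `else` branch yields `Source` whenever either location string does not match `parseLocation`'s pattern, which appears to be an intentional fallback but is not stated.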
From: Asger F
Date: Fri, 31 Jan 2025 14:04:51 +0100
Subject: [PATCH 09/11] JS: Remove same-line Source expectations
---
 .../Security/CWE-022/TaintedPath/TaintedPath.js | 12 ++++++------
 .../Security/CWE-022/TaintedPath/normalizedPaths.js | 4 ++--
 .../Security/CWE-022/TaintedPath/tainted-sendFile.js | 4 ++--
 3 files changed, 10 insertions(+), 10 deletions(-)
diff --git a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.js b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.js
index b5c619faf31a..ba57e930f03f 100644
--- a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.js
+++ b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.js
@@ -51,9 +51,9 @@ var server = http.createServer(function(req, res) {
 var server = http.createServer(function(req, res) {
 // tests for a few uri-libraries
- res.write(fs.readFileSync(require("querystringify").parse(req.url).query)); // $ Alert Source
- res.write(fs.readFileSync(require("query-string").parse(req.url).query)); // $ Alert Source
- res.write(fs.readFileSync(require("querystring").parse(req.url).query)); // $ Alert Source
+ res.write(fs.readFileSync(require("querystringify").parse(req.url).query)); // $ Alert
+ res.write(fs.readFileSync(require("query-string").parse(req.url).query)); // $ Alert
+ res.write(fs.readFileSync(require("querystring").parse(req.url).query)); // $ Alert
 });
 (function(){
@@ -173,10 +173,10 @@ import normalizeUrl from 'normalize-url';
 var server = http.createServer(function(req, res) {
 // tests for a few more uri-libraries
 const qs = require("qs");
- res.write(fs.readFileSync(qs.parse(req.url).foo)); // $ Alert Source
- res.write(fs.readFileSync(qs.parse(normalizeUrl(req.url)).foo)); // $ Alert Source
+ res.write(fs.readFileSync(qs.parse(req.url).foo)); // $ Alert
+ res.write(fs.readFileSync(qs.parse(normalizeUrl(req.url)).foo)); // $ Alert
 const parseqs = require("parseqs");
- res.write(fs.readFileSync(parseqs.decode(req.url).foo)); // $ Alert Source
+ res.write(fs.readFileSync(parseqs.decode(req.url).foo)); // $ Alert
 });
 const cp = require("child_process");
diff --git a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/normalizedPaths.js b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/normalizedPaths.js
index 9b3a3019cf4c..4365de77a40f 100644
--- a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/normalizedPaths.js
+++ b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/normalizedPaths.js
@@ -404,8 +404,8 @@ app.get('/dotdot-regexp', (req, res) => {
 });
 app.get('/join-spread', (req, res) => {
- fs.readFileSync(pathModule.join('foo', ...req.query.x.split('/'))); // $ Alert Source
- fs.readFileSync(pathModule.join(...req.query.x.split('/'))); // $ Alert Source
+ fs.readFileSync(pathModule.join('foo', ...req.query.x.split('/'))); // $ Alert
+ fs.readFileSync(pathModule.join(...req.query.x.split('/'))); // $ Alert
 });
 app.get('/dotdot-matchAll-regexp', (req, res) => {
diff --git a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/tainted-sendFile.js b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/tainted-sendFile.js
index e18590cf693a..21ae39b8b731 100644
--- a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/tainted-sendFile.js
+++ b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/tainted-sendFile.js
@@ -18,8 +18,8 @@ app.get('/some/path/:x', function(req, res) {
 res.sendFile(homeDir + '/data/' + req.params.x); // OK - sendFile disallows ../
 res.sendfile('data/' + req.params.x); // OK - sendfile disallows ../
- res.sendFile(path.resolve('data', req.params.x)); // $ Alert Source
- res.sendfile(path.join('data', req.params.x)); // $ Alert Source
+ res.sendFile(path.resolve('data', req.params.x)); // $ Alert
+ res.sendfile(path.join('data', req.params.x)); // $ Alert
 res.sendFile(homeDir + path.join('data', req.params.x)); // kinda OK - can only escape from 'data/'
 });
From 4c645aa86ae8af6bebf0e89a4d9d184f2810f375 Mon Sep 17 00:00:00 2001
From: Asger F
Date: Fri, 31 Jan 2025 14:34:05 +0100
Subject: [PATCH 10/11] JS: Update another test
---
 javascript/ql/test/query-tests/Security/CWE-611/libxml.noent.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/javascript/ql/test/query-tests/Security/CWE-611/libxml.noent.js b/javascript/ql/test/query-tests/Security/CWE-611/libxml.noent.js
index 40cb0148b573..4596dc7be398 100644
--- a/javascript/ql/test/query-tests/Security/CWE-611/libxml.noent.js
+++ b/javascript/ql/test/query-tests/Security/CWE-611/libxml.noent.js
@@ -13,7 +13,7 @@ express().post('/some/path', function (req, res) {
 // NOT OK: unguarded entity expansion
 libxmljs.parseXmlString(req.param("some-xml"), { noent: true }) // $ Alert
 // NOT OK: unguarded entity expansion
- libxmljs.parseXmlString(req.files.products.data.toString('utf8'), { noent: true })// $ Source=files $ Alert=files
+ libxmljs.parseXmlString(req.files.products.data.toString('utf8'), { noent: true })// $ Alert
 // OK - no entity expansion
 libxmljs.parseXmlString(req.files.products.data.toString('utf8'), { noent: false })
From ecd418b631b5fa1d64806a28025d6fffa91871a4 Mon Sep 17 00:00:00 2001
From: Asger F
Date: Fri, 31 Jan 2025 14:36:56 +0100
Subject: [PATCH 11/11] Rust: update a Rust test case
---
 .../security/CWE-312/test_logging.rs | 88 +++++++++----------
 1 file changed, 44 insertions(+), 44 deletions(-)
diff --git a/rust/ql/test/query-tests/security/CWE-312/test_logging.rs b/rust/ql/test/query-tests/security/CWE-312/test_logging.rs
index ab8013689906..970a9caf0ee5 100644
--- a/rust/ql/test/query-tests/security/CWE-312/test_logging.rs
+++ b/rust/ql/test/query-tests/security/CWE-312/test_logging.rs
@@ -39,51 +39,51 @@ impl std::fmt::Display for MyStruct2 {
 fn test_log(harmless: String, password: String, encrypted_password: String) {
 // logging macros
- debug!("message = {}", password); // $ Source Alert[rust/cleartext-logging]
- error!("message = {}", password); // $ Source Alert[rust/cleartext-logging]
- info!("message = {}", password); // $ Source Alert[rust/cleartext-logging]
- trace!("message = {}", password); // $ Source Alert[rust/cleartext-logging]
- warn!("message = {}", password); // $ Source Alert[rust/cleartext-logging]
- log!(Level::Error, "message = {}", password); // $ Source Alert[rust/cleartext-logging]
+ debug!("message = {}", password); // $ Alert[rust/cleartext-logging]
+ error!("message = {}", password); // $ Alert[rust/cleartext-logging]
+ info!("message = {}", password); // $ Alert[rust/cleartext-logging]
+ trace!("message = {}", password); // $ Alert[rust/cleartext-logging]
+ warn!("message = {}", password); // $ Alert[rust/cleartext-logging]
+ log!(Level::Error, "message = {}", password); // $ Alert[rust/cleartext-logging]
 // debug!
macro, various formatting
 debug!("message");
 debug!("message = {}", harmless);
- debug!("message = {}", password); // $ Source Alert[rust/cleartext-logging]
+ debug!("message = {}", password); // $ Alert[rust/cleartext-logging]
 debug!("message = {}", encrypted_password);
- debug!("message = {} {}", harmless, password); // $ Source Alert[rust/cleartext-logging]
+ debug!("message = {} {}", harmless, password); // $ Alert[rust/cleartext-logging]
 debug!("message = {harmless}");
- debug!("message = {harmless} {}", password); // $ Source Alert[rust/cleartext-logging]
- debug!("message = {password}"); // $ Source Alert[rust/cleartext-logging]
- debug!("message = {password:?}"); // $ Source Alert[rust/cleartext-logging]
+ debug!("message = {harmless} {}", password); // $ Alert[rust/cleartext-logging]
+ debug!("message = {password}"); // $ Alert[rust/cleartext-logging]
+ debug!("message = {password:?}"); // $ Alert[rust/cleartext-logging]
 debug!(target: "target", "message = {}", harmless);
- debug!(target: "target", "message = {}", password); // $ Source Alert[rust/cleartext-logging]
- debug!(target: &password, "message = {}", harmless); // $ Source Alert[rust/cleartext-logging]
+ debug!(target: "target", "message = {}", password); // $ Alert[rust/cleartext-logging]
+ debug!(target: &password, "message = {}", harmless); // $ Alert[rust/cleartext-logging]
 // log!
macro, various formatting
 log!(Level::Error, "message = {}", harmless);
- log!(Level::Error, "message = {}", password); // $ Source Alert[rust/cleartext-logging]
+ log!(Level::Error, "message = {}", password); // $ Alert[rust/cleartext-logging]
 log!(target: "target", Level::Error, "message = {}", harmless);
- log!(target: "target", Level::Error, "message = {}", password); // $ Source Alert[rust/cleartext-logging]
- log!(target: &password, Level::Error, "message = {}", harmless); // $ Source Alert[rust/cleartext-logging]
+ log!(target: "target", Level::Error, "message = {}", password); // $ Alert[rust/cleartext-logging]
+ log!(target: &password, Level::Error, "message = {}", harmless); // $ Alert[rust/cleartext-logging]
 // structured logging
 error!(value = 1; "message = {}", harmless);
- error!(value = 1; "message = {}", password); // $ Source Alert[rust/cleartext-logging]
+ error!(value = 1; "message = {}", password); // $ Alert[rust/cleartext-logging]
 error!(target: "target", value = 1; "message");
- error!(target: "target", value = 1; "message = {}", password); // $ Source Alert[rust/cleartext-logging]
- error!(target: &password, value = 1; "message"); // $ Source Alert[rust/cleartext-logging]
- error!(value = 1; "message = {}", password); // $ Source Alert[rust/cleartext-logging]
+ error!(target: "target", value = 1; "message = {}", password); // $ Alert[rust/cleartext-logging]
+ error!(target: &password, value = 1; "message"); // $ Alert[rust/cleartext-logging]
+ error!(value = 1; "message = {}", password); // $ Alert[rust/cleartext-logging]
 error!(value = password.as_str(); "message"); // $ MISSING: Alert[rust/cleartext-logging]
 error!(value:?
= password.as_str(); "message"); // $ MISSING: Alert[rust/cleartext-logging]
 let value1 = 1;
 error!(value1; "message = {}", harmless);
- error!(value1; "message = {}", password); // $ Source Alert[rust/cleartext-logging]
+ error!(value1; "message = {}", password); // $ Alert[rust/cleartext-logging]
 error!(target: "target", value1; "message");
- error!(target: "target", value1; "message = {}", password); // $ Source Alert[rust/cleartext-logging]
- error!(target: &password, value1; "message"); // $ Source Alert[rust/cleartext-logging]
- error!(value1; "message = {}", password); // $ Source Alert[rust/cleartext-logging]
+ error!(target: "target", value1; "message = {}", password); // $ Alert[rust/cleartext-logging]
+ error!(target: &password, value1; "message"); // $ Alert[rust/cleartext-logging]
+ error!(value1; "message = {}", password); // $ Alert[rust/cleartext-logging]
 let value2 = password.as_str();
 error!(value2; "message"); // $ MISSING: Alert[rust/cleartext-logging]
@@ -115,7 +115,7 @@ fn test_log(harmless: String, password: String, encrypted_password: String) {
 }
 // logging with a call
- trace!("message = {}", get_password()); // $ Source Alert[rust/cleartext-logging]
+ trace!("message = {}", get_password()); // $ Alert[rust/cleartext-logging]
 let str1 = "123456".to_string();
 trace!("message = {}", &str1); // $ MISSING: Alert[rust/cleartext-logging]
@@ -149,36 +149,36 @@ fn test_log(harmless: String, password: String, encrypted_password: String) {
 }
 fn test_std(password: String, i: i32, opt_i: Option) {
- print!("message = {}\n", password); // $ Source Alert[rust/cleartext-logging]
- println!("message = {}", password); // $ Source Alert[rust/cleartext-logging]
- eprint!("message = {}\n", password); // $ Source Alert[rust/cleartext-logging]
- eprintln!("message = {}", password); // $ Source Alert[rust/cleartext-logging]
+ print!("message = {}\n", password); // $ Alert[rust/cleartext-logging]
+ println!("message = {}", password); // $ Alert[rust/cleartext-logging]
+ eprint!("message = {}\n", password); // $ Alert[rust/cleartext-logging]
+ eprintln!("message = {}", password); // $ Alert[rust/cleartext-logging]
 match i {
- 1 => { panic!("message = {}", password); } // $ Source Alert[rust/cleartext-logging]
- 2 => { todo!("message = {}", password); } // $ Source Alert[rust/cleartext-logging]
- 3 => { unimplemented!("message = {}", password); } // $ Source Alert[rust/cleartext-logging]
- 4 => { unreachable!("message = {}", password); } // $ Source Alert[rust/cleartext-logging]
- 5 => { assert!(false, "message = {}", password); } // $ Source Alert[rust/cleartext-logging]
- 6 => { assert_eq!(1, 2, "message = {}", password); } // $ Source Alert[rust/cleartext-logging]
- 7 => { assert_ne!(1, 1, "message = {}", password); } // $ Source Alert[rust/cleartext-logging]
- 8 => { debug_assert!(false, "message = {}", password); } // $ Source Alert[rust/cleartext-logging]
- 9 => { debug_assert_eq!(1, 2, "message = {}", password); } // $ Source Alert[rust/cleartext-logging]
- 10 => { debug_assert_ne!(1, 1, "message = {}", password); } // $ Source Alert[rust/cleartext-logging]
- 11 => { _ = opt_i.expect(format!("message = {}", password).as_str()); } // $ Source Alert[rust/cleartext-logging]
+ 1 => { panic!("message = {}", password); } // $ Alert[rust/cleartext-logging]
+ 2 => { todo!("message = {}", password); } // $
Alert[rust/cleartext-logging]
+ 3 => { unimplemented!("message = {}", password); } // $ Alert[rust/cleartext-logging]
+ 4 => { unreachable!("message = {}", password); } // $ Alert[rust/cleartext-logging]
+ 5 => { assert!(false, "message = {}", password); } // $ Alert[rust/cleartext-logging]
+ 6 => { assert_eq!(1, 2, "message = {}", password); } // $ Alert[rust/cleartext-logging]
+ 7 => { assert_ne!(1, 1, "message = {}", password); } // $ Alert[rust/cleartext-logging]
+ 8 => { debug_assert!(false, "message = {}", password); } // $ Alert[rust/cleartext-logging]
+ 9 => { debug_assert_eq!(1, 2, "message = {}", password); } // $ Alert[rust/cleartext-logging]
+ 10 => { debug_assert_ne!(1, 1, "message = {}", password); } // $ Alert[rust/cleartext-logging]
+ 11 => { _ = opt_i.expect(format!("message = {}", password).as_str()); } // $ Alert[rust/cleartext-logging]
 _ => {}
 }
 std::io::stdout().lock().write_fmt(format_args!("message = {}\n", password)); // $ MISSING: Alert[rust/cleartext-logging]
 std::io::stderr().lock().write_fmt(format_args!("message = {}\n", password)); // $ MISSING: Alert[rust/cleartext-logging]
- std::io::stdout().lock().write(format!("message = {}\n", password).as_bytes()); // $ Source Alert[rust/cleartext-logging]
- std::io::stdout().lock().write_all(format!("message = {}\n", password).as_bytes()); // $ Source Alert[rust/cleartext-logging]
+ std::io::stdout().lock().write(format!("message = {}\n", password).as_bytes()); // $ Alert[rust/cleartext-logging]
+ std::io::stdout().lock().write_all(format!("message = {}\n", password).as_bytes()); // $ Alert[rust/cleartext-logging]
 let mut out = std::io::stdout().lock();
- out.write(format!("message = {}\n", password).as_bytes()); // $ Source Alert[rust/cleartext-logging]
+ out.write(format!("message = {}\n", password).as_bytes()); // $ Alert[rust/cleartext-logging]
 let mut err = std::io::stderr().lock();
- err.write(format!("message = {}\n", password).as_bytes()); // $ Source Alert[rust/cleartext-logging]
+
err.write(format!("message = {}\n", password).as_bytes()); // $ Alert[rust/cleartext-logging]
 }
 fn main() {